The Samba-Bugzilla – Attachment 16735 Details for
Bug 14796
Authentication with machine account does not work for "net rpc"
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch for v4-13-test and v4-14-test
0001-s3-net-Fix-net-rpc-authentication-with-machine-accou.patch (text/plain), 3.58 KB, created by
Samuel Cabrero
on 2021-08-13 12:53:34 UTC
(
hide
)
Description:
Patch for v4-13-test and v4-14-test
Filename:
MIME Type:
Creator:
Samuel Cabrero
Created:
2021-08-13 12:53:34 UTC
Size:
3.58 KB
patch
obsolete
>From f43cfdf48aa4405cb7b34a55a3f2fad881b4fd94 Mon Sep 17 00:00:00 2001 >From: Samuel Cabrero <scabrero@samba.org> >Date: Fri, 13 Aug 2021 14:29:30 +0200 >Subject: [PATCH] s3: net: Fix 'net rpc' authentication with machine account > >The username was set to <machine netbios name>$@REALM even when kerberos >was not specified in command line, resulting in NTLM authentication >failure. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14796 > >Signed-off-by: Samuel Cabrero <scabrero@samba.org> >--- > source3/utils/net.c | 3 +-- > source3/utils/net_ads.c | 4 ++-- > source3/utils/net_proto.h | 2 +- > source3/utils/net_util.c | 13 +++++++++++-- > 4 files changed, 15 insertions(+), 7 deletions(-) > >diff --git a/source3/utils/net.c b/source3/utils/net.c >index 4fc19c4a121..aa78b8f3e68 100644 >--- a/source3/utils/net.c >+++ b/source3/utils/net.c >@@ -1409,8 +1409,7 @@ static void get_credentials_file(struct net_context *c, > if (c->opt_machine_pass) { > /* it is very useful to be able to make ads queries as the > machine account for testing purposes and for domain leave */ >- >- net_use_krb_machine_account(c); >+ net_use_machine_account(c, c->opt_kerberos); > } > > if (!c->opt_password) { >diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c >index c8b18a9c281..41f96c26770 100644 >--- a/source3/utils/net_ads.c >+++ b/source3/utils/net_ads.c >@@ -1433,7 +1433,7 @@ static NTSTATUS net_ads_join_ok(struct net_context *c) > return NT_STATUS_ACCESS_DENIED; > } > >- net_use_krb_machine_account(c); >+ net_use_machine_account(c, true); > > get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip); > >@@ -2788,7 +2788,7 @@ int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv) > return -1; > } > >- net_use_krb_machine_account(c); >+ net_use_machine_account(c, true); > > use_in_memory_ccache(); > >diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h >index f49b707338d..b9cba909f75 100644 >--- a/source3/utils/net_proto.h >+++ b/source3/utils/net_proto.h >@@ -402,7 +402,7 @@ NTSTATUS connect_to_ipc_anonymous(struct net_context *c, > NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst, > struct rpc_pipe_client **pp_pipe_hnd, > const struct ndr_interface_table *table); >-int net_use_krb_machine_account(struct net_context *c); >+int net_use_machine_account(struct net_context *c, bool use_kerberos); > bool net_find_server(struct net_context *c, > const char *domain, > unsigned flags, >diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c >index 6c5321db0fd..9013dd35a1b 100644 >--- a/source3/utils/net_util.c >+++ b/source3/utils/net_util.c >@@ -252,9 +252,10 @@ NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst, > Use the local machine account (krb) and password for this session. > ****************************************************************************/ > >-int net_use_krb_machine_account(struct net_context *c) >+int net_use_machine_account(struct net_context *c, bool use_kerberos) > { > char *user_name = NULL; >+ int ret; > > if (!secrets_init()) { > d_fprintf(stderr,_("ERROR: Unable to open secrets database\n")); >@@ -263,7 +264,15 @@ int net_use_krb_machine_account(struct net_context *c) > > c->opt_password = secrets_fetch_machine_password( > c->opt_target_workgroup, NULL, NULL); >- if (asprintf(&user_name, "%s$@%s", lp_netbios_name(), lp_realm()) == -1) { >+ if (use_kerberos) { >+ ret = asprintf(&user_name, >+ "%s$@%s", >+ lp_netbios_name(), >+ lp_realm()); >+ } else { >+ ret = asprintf(&user_name, "%s$", lp_netbios_name()); >+ } >+ if (ret == -1) { > return -1; > } > c->opt_user_name = user_name; >-- >2.32.0 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=16735">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 14796
: 16735