From 3e076e585ca166aaa0f5f432b96b4adea4fb97b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Tue, 6 Jun 2023 11:14:01 +0200 Subject: [PATCH] s3-net: no secrets access required when processing a ODJ provisioning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It should be possible to call "net offlinejoin provision" as non-root, no access to secrets.tdb required in that case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15414 Guenther Signed-off-by: Guenther Deschner Reviewed-by: Andreas Schneider Autobuild-User(master): Günther Deschner Autobuild-Date(master): Wed Jul 5 09:23:22 UTC 2023 on atb-devel-224 (cherry picked from commit bf7fbf7e2b675145e25ce7bffc29abbf44c35540) --- source3/libnet/libnet_join.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 3bff7ec1412..b60eb112d0a 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -2369,6 +2369,14 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx, r->in.admin_account = admin_account; } + if (r->in.provision_computer_account_only) { + /* + * When in the "provision_computer_account_only" path we do not + * need to have access to secrets.tdb at all - gd + */ + return WERR_OK; + } + if (!secrets_init()) { libnet_join_set_error_string(mem_ctx, r, "Unable to open secrets database"); -- 2.41.0
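Review bot: In the libnet_join_pre_processing hunk, the new `return WERR_OK` for `r->in.provision_computer_account_only` leaves the function entirely, so it skips whatever follows the `secrets_init()` check as well as the secrets.tdb open itself. Only the `secrets_init()` failure path is visible after the insertion, so please confirm that no later pre-processing step is needed when provisioning. If that cannot be confirmed, narrow the change so that only the open is skipped, for example `if (!r->in.provision_computer_account_only && !secrets_init())`. The diffstat lists only source3/libnet/libnet_join.c, so nothing here exercises "net offlinejoin provision" as a non-root user without access to secrets.tdb; a test for that case would keep the behaviour from regressing. The in-code comment would also read better if it said why secrets.tdb is not needed on this path, rather than ending in the "- gd" initials.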