Bug 15728 - net ads testjoin 'succeeds' when no machine account locally available
Status: RESOLVED DUPLICATE of bug 15714
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.21.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Noel Power
QA Contact: Samba QA Contact
Reported: 2024-09-30 11:30 UTC by Noel Power
Modified: 2024-09-30 14:27 UTC

Description Noel Power 2024-09-30 11:30:30 UTC
This is a regression,
With < samba-4.21

after a successful 'net ads leave'


samba < 4.21

tw2024:~ # net --version
Version 4.20.4-git.356.d4a5fa2a818SUSE-oS16.9-x86_64
tw2024:~ # net ads testjoin
Join to domain is not valid: NT code 0xfffffff6

samba 4.21

tw2024:~/4-21-samba # ./bin/net --version
Version 4.21.0
tw2024:~/4-21-samba # ./bin/net ads testjoin
Join is OK


Even though there is no local machine account in this instance 'net' falls back to Anonymous authentication and manages to set up a connection to the ads.

In the older versions there was an override which would manually use the machine name as user (and a null password) in the same scenario.

The ads connection has been rewritten and afaic we can no longer pass those credentials via struct net_context.

e.g. (in samba 4.20) see net_use_krb_machine_account

Seems to me we can detect this situation early and instead of even trying to call ads_startup (which would fail due to lack of machine password) in the old case just exit early with the same error.
Comment 1 Stefan Metzmacher 2024-09-30 14:27:28 UTC

*** This bug has been marked as a duplicate of bug 15714 ***