Bug 6453 - net ads leave -k -U administrator prompts for the password
Status: RESOLVED INVALID
Product: Samba 3.3
Classification: Unclassified
Component: Client tools
Version: 3.3.4
Hardware/OS: Other / Linux
Priority/Severity: P3 / major
Target Milestone: ---
Assigned To: Kai Blin
QA Contact: Samba QA Contact
Depends on:
Blocks:
Reported: 2009-06-08 09:53 UTC by priyank
Modified: 2009-06-09 09:59 UTC
CC: 2 users

See Also:


Attachments
fix net ads leave segfault without -U (913 bytes, patch)
2009-06-08 14:07 UTC, Kai Blin
no flags

Description priyank 2009-06-08 09:53:36 UTC
Hello,

On giving the command "net ads leave -k -U administrator", the system prompts for a password, even though valid Kerberos credentials exist. This is not expected from Samba 3.3.4. As mentioned in the code of net_ads_leave() (utils/net_ads.c), if the -k option is provided it should use Kerberos credentials, but it does not. Please let me know if any action is to be taken.

cheers,
Comment 1 priyank 2009-06-08 11:23:26 UTC
Also, when I tried the option "net ads leave -k", then as per the code it should use Kerberos credentials. I tried to debug it, and I found that it is reaching the Windows server and obtains the credentials for administrator using Kerberos, but after that it throws a segmentation fault.

Comment 2 Kai Blin 2009-06-08 14:07:28 UTC
Created attachment 4262 [details]
fix net ads leave segfault without -U

This should fix the crash of net ads leave when no user is specified.
Comment 3 Kai Blin 2009-06-08 14:43:50 UTC
Looking at the rest of the code, it seems like -k and -U should not be used together or net _will_ ask for a password. After the crash fix is in, net ads leave -k should work for you.
Comment 4 Kai Blin 2009-06-08 14:44:19 UTC
Günther, please check.
Comment 5 priyank 2009-06-09 05:20:00 UTC
I found something which may help you to solve this issue.

In the case of "net ads testjoin", it calls the function net_ads_testjoin(). This function calls net_ads_join_ok(c), and net_ads_join_ok(c) internally calls the function net_use_krb_machine_account() to fetch the machine password and store it in c->opt_password. This is the reason why "net ads testjoin" never prompts for the password.

In the case of "net ads leave -k", it calls the function net_ads_leave(); this function internally calls net_prompt_pass() to get the password. In net_prompt_pass there is an if statement like:

    if (c->opt_kerberos && !c->opt_user_specified) {
        return NULL;
    }

which checks for the condition that the -k option is given and the user is not specified. In "net ads leave -k" both conditions are satisfied, so it enters the 'if' statement and returns NULL, so the r->in.admin_password field of net_ads_leave is NULL. When it sends this constructor to libnet_Unjoin() it has a NULL password and it throws a segmentation fault.

Modifying the above line of code to the following might resolve this issue:

    if (c->opt_kerberos && c->opt_user_specified) {
        net_use_krb_machine_account(c);
    }

As this will set c->opt_password to SECRETS_MACHINE_PASSWORD for user administrator. Also, in this case, instead of calling "net ads leave -k", calling it with "net ads leave -k -U administrator" may solve this issue.


Hope this information helps you...

cheers,
Comment 6 Kai Blin 2009-06-09 06:00:40 UTC
(In reply to comment #5)

> In the case of "net ads leave -k", it calls function net_ads_leave(), now this
> function internally calls net_prompt_pass() to get password.In net_prompt_pass
> there is a if statement like.
> 
>  if (c->opt_kerberos && !c->opt_user_specified) {
>                 return NULL;
>         }

Yes. That's why I said this seems to be by design.

> which checks for condition of -k option and user is not specified. in "net ads
> leave -k" both the condition is satisfied so it enters into 'if' statement and
> returns null.so  r->in.admin_password  field of net_ads_leave is NULL. when it
> send this constructor to libnet_Unjoin() it has NULL password and it throws
> segmentation fault. 

Actually it doesn't look like it would segfault in libnet_Unjoin(). If it segfaults there for you, can you attach a backtrace?


> Modifying above line of code to following might resolve this issue
>  if (c->opt_kerberos && c->opt_user_specified) {
>             net_use_krb_machine_account(c)
>         }
> 
> As this will set c->opt_password with SECRETS_MACHINE_PASSWORD for user
> administrator. Also in this case instead of calling "net ads leave -k" call it
> with "net ads leave -k -U administrator" will may solve this issue.

I don't think this will work. The machine account should not have permissions to modify the AD ldap entries, and administrator doesn't have the machine account password either.

I just noticed that my segfault fix of course fails to let you use the kerberos credentials after all, I'll have a new one coming up for you soon.

Out of curiosity, do you have the environment variable LOGNAME set?
Comment 7 priyank 2009-06-09 06:23:44 UTC
> I don't think this will work. The machine account should not have permissions
> to modify the AD ldap entries, and administrator doesn't have the machine
> account password either.
> 
> I just noticed that my segfault fix of course fails to let you use the kerberos
> credentials after all, I'll have a new one coming up for you soon.
> 
> Out of curiosity, do you have the environment variable LOGNAME set?
> 

Ya, that is correct. But I need to obtain the password for administrator, and it is stored in the krb5 credential file, so we can make use of krb5 credentials to obtain the password, can't we?

yes my LOGNAME is set. 

regards,
Comment 8 priyank 2009-06-09 06:29:42 UTC
Sorry for the wrong info. LOGNAME is not set.

Comment 9 Kai Blin 2009-06-09 09:35:44 UTC
Ok, I've just set up a test system to reproduce your error, and I've come to the following results:

If I have a ticket as administrator@MY.AD.REALM and KRB5CCACHE pointing to the cred cache containing that ticket, net ads leave -k -U administrator indeed asks for the password. However, I could not reproduce your crash on net ads leave -k. That worked just fine for me.
Comment 10 Kai Blin 2009-06-09 09:36:01 UTC
Comment on attachment 4262 [details]
fix net ads leave segfault without -U

That patch is wrong.
Comment 11 Kai Blin 2009-06-09 09:37:59 UTC
(In reply to comment #9)

> if I have a ticket as administrator@MY.AD.REALM and KRB5CCACHE pointing to the

Make that KRB5CCNAME, thanks Günther.
Comment 12 Kai Blin 2009-06-09 09:59:14 UTC
Ok, after talking to Günther a bit more, I'm now pretty convinced that this is not a bug. net ads leave -k will use the machine's Kerberos credentials to leave the domain; if you specify -U, the user's credentials will be used.
In other words, works as intended.

Thank you for reporting the issue, I got to learn about the net ads options. If you're still seeing the crash issue, feel free to reopen this bug.
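The credential-selection rule this thread settles on (comment 5 quotes the net_prompt_pass check, comment 12 states the intended behaviour: -k alone uses the machine account's Kerberos credentials, any -U means the named user's password is used and therefore prompted for) is small enough to model end to end. The block below is an added example written for this page, not Samba code: the struct, enum and function names (opts, model_prompt_pass, model_leave, model_outcome, model_prompts) are hypothetical stand-ins, the prompt is a constructed fake so the program runs offline, and the only thing it adds beyond the thread is an explicit guard so that a NULL password is accepted solely in the -k-without--U mode where it is the signal to use the machine account, instead of being passed on unchecked.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the option fields discussed in the thread;
 * not Samba's real net_context. */
struct opts {
    bool opt_kerberos;        /* -k on the command line */
    bool opt_user_specified;  /* -U on the command line */
    const char *opt_password; /* password given as -U user%pass, else NULL */
};

enum outcome {
    LEAVE_MACHINE_KERBEROS, /* "net ads leave -k": machine account's Kerberos creds */
    LEAVE_USER_PASSWORD,    /* -U given: the named user's password is used */
    LEAVE_ERR_NO_PASSWORD   /* a user password was required but none was obtained */
};

/* Constructed replacement for the interactive prompt: counts its calls so a
 * caller can tell whether an option set would have prompted, and returns
 * NULL when "interactive" is false to model a run with no terminal. */
static bool prompt_available = true;
static int prompt_calls = 0;

static const char *fake_prompt(void)
{
    prompt_calls++;
    return prompt_available ? "constructed-password" : NULL;
}

/* The decision quoted in comment 5: -k without -U returns NULL (no password,
 * use the machine account); every other combination, including -k together
 * with -U, ends up asking for a password. */
static const char *model_prompt_pass(const struct opts *c)
{
    if (c->opt_kerberos && !c->opt_user_specified) {
        return NULL;
    }
    if (c->opt_password != NULL) {
        return c->opt_password;
    }
    return fake_prompt();
}

/* Which credentials the unjoin runs as, per comment 12, with an explicit
 * guard: NULL is only a valid password in the machine-account mode. */
static enum outcome model_leave(const struct opts *c)
{
    const char *admin_password = model_prompt_pass(c);

    if (c->opt_kerberos && !c->opt_user_specified) {
        return LEAVE_MACHINE_KERBEROS;   /* NULL password expected here */
    }
    if (admin_password == NULL) {
        return LEAVE_ERR_NO_PASSWORD;    /* never hand NULL on to the unjoin step */
    }
    return LEAVE_USER_PASSWORD;
}

/* Outcome for one option combination; "interactive" says whether a prompt
 * can succeed (false models a cron-style run with no terminal). */
static enum outcome model_outcome(bool kerberos, bool user, bool interactive)
{
    struct opts c = { kerberos, user, NULL };
    prompt_available = interactive;
    return model_leave(&c);
}

/* Whether one option combination prompts for a password at all. */
static bool model_prompts(bool kerberos, bool user)
{
    struct opts c = { kerberos, user, NULL };
    int before = prompt_calls;
    prompt_available = true;
    (void)model_leave(&c);
    return prompt_calls != before;
}

int main(void)
{
    static const char *names[] = { "machine kerberos", "user password", "error: no password" };

    printf("net ads leave -k                  -> %s, prompts=%d\n",
           names[model_outcome(true, false, true)], model_prompts(true, false));
    printf("net ads leave -k -U administrator -> %s, prompts=%d\n",
           names[model_outcome(true, true, true)], model_prompts(true, true));
    printf("net ads leave -U administrator    -> %s, prompts=%d\n",
           names[model_outcome(false, true, true)], model_prompts(false, true));
    printf("net ads leave -U (no terminal)    -> %s\n",
           names[model_outcome(false, true, false)]);
    return 0;
}
```

The three printed lines reproduce what the thread reports: -k alone never prompts, -k with -U prompts just like -U alone. The fourth case is the check the reporter was worried about, made explicit: if a user password is required and cannot be obtained, the model refuses instead of continuing with NULL.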