Hello,

On giving the command "net ads leave -k -U administrator", the system prompts for a password even though valid Kerberos credentials exist. This is not expected from Samba 3.3.4. As mentioned in the code of net_ads_leave() (utils/net_ads.c), if the -k option is provided it should use the Kerberos credentials, but it does not. Please let me know if any action is to be taken.

cheers,
Also, when I tried the option "net ads leave -k", then as per the code it should use the Kerberos credentials. I tried to debug it and found that it reaches the Windows server and obtains the credentials for administrator using Kerberos, but after that it throws a segmentation fault.
Created attachment 4262 [details]
fix net ads leave segfault without -U

This should fix the crash of net ads leave when no user is specified.
Looking at the rest of the code, it seems like -k and -U should not be used together or net _will_ ask for a password. After the crash fix is in, net ads leave -k should work for you.
Günther, please check.
I found something which may help you to solve this issue.

In the case of "net ads testjoin", it calls the function net_ads_testjoin(). This function calls net_ads_join_ok(c), and net_ads_join_ok(c) internally calls the function net_use_krb_machine_account() to fetch the machine password and store it in c->opt_password. This is the reason why "net ads testjoin" never prompts for the password.

In the case of "net ads leave -k", it calls the function net_ads_leave(); this function internally calls net_prompt_pass() to get the password. In net_prompt_pass there is an if statement like:

if (c->opt_kerberos && !c->opt_user_specified) {
        return NULL;
}

which checks for the condition of the -k option being given and the user not being specified. In "net ads leave -k" both conditions are satisfied, so it enters the 'if' statement and returns NULL. So the r->in.admin_password field of net_ads_leave is NULL. When it sends this structure to libnet_Unjoin() it has a NULL password and it throws a segmentation fault.

Modifying the above line of code to the following might resolve this issue:

if (c->opt_kerberos && c->opt_user_specified) {
        net_use_krb_machine_account(c)
}

as this will set c->opt_password with SECRETS_MACHINE_PASSWORD for the user administrator. Also, in this case, instead of calling "net ads leave -k", calling it with "net ads leave -k -U administrator" may solve this issue.

Hope this information helps you...

cheers,
(In reply to comment #5)
> In the case of "net ads leave -k", it calls function net_ads_leave(), now this
> function internally calls net_prompt_pass() to get password.In net_prompt_pass
> there is a if statement like.
>
> if (c->opt_kerberos && !c->opt_user_specified) {
> return NULL;
> }

Yes. That's why I said this seems to be by design.

> which checks for condition of -k option and user is not specified. in "net ads
> leave -k" both the condition is satisfied so it enters into 'if' statement and
> returns null.so r->in.admin_password field of net_ads_leave is NULL. when it
> send this constructor to libnet_Unjoin() it has NULL password and it throws
> segmentation fault.

Actually it doesn't look like it would segfault in libnet_Unjoin(). If it segfaults there for you, can you attach a backtrace?

> Modifying above line of code to following might resolve this issue
> if (c->opt_kerberos && c->opt_user_specified) {
> net_use_krb_machine_account(c)
> }
>
> As this will set c->opt_password with SECRETS_MACHINE_PASSWORD for user
> administrator. Also in this case instead of calling "net ads leave -k" call it
> with "net ads leave -k -U administrator" will may solve this issue.

I don't think this will work. The machine account should not have permissions to modify the AD ldap entries, and administrator doesn't have the machine account password either.

I just noticed that my segfault fix of course fails to let you use the kerberos credentials after all, I'll have a new one coming up for you soon.

Out of curiosity, do you have the environment variable LOGNAME set?
> I don't think this will work. The machine account should not have permissions
> to modify the AD ldap entries, and administrator doesn't have the machine
> account password either.
>
> I just noticed that my segfault fix of course fails to let you use the kerberos
> credentials after all, I'll have a new one coming up for you soon.
>
> Out of curiosity, do you have the environment variable LOGNAME set?

Ya, that is correct. But I need to obtain the password for administrator, and it is stored in the krb5 credential file, so we can make use of the krb5 credentials to obtain the password, can't we?

Yes, my LOGNAME is set.

regards,
Sorry for the wrong info. LOGNAME is not set.
Ok, I've just set up a test system to reproduce your error, and I've come to the following results: if I have a ticket as administrator@MY.AD.REALM and KRB5CCACHE pointing to the cred cache containing that ticket, "net ads leave -k -U administrator" indeed asks for the password. However, I could not reproduce your crash on "net ads leave -k". That worked just fine for me.
Comment on attachment 4262 [details]
fix net ads leave segfault without -U

That patch is wrong.
(In reply to comment #9)
> if I have a ticket as administrator@MY.AD.REALM and KRB5CCACHE pointing to the

Make that KRB5CCNAME, thanks Günther.
Ok, after talking to Günther a bit more, I'm now pretty convinced that this is not a bug. "net ads leave -k" will use the machine's Kerberos credentials to leave the domain; if you specify -U, the user's credentials will be used. In other words, it works as intended.

Thank you for reporting the issue, I got to learn about the net ads options. If you're still seeing the crash issue, feel free to reopen this bug.