authorAndrew Bartlett <abartlet@samba.org>2003-02-15 00:29:21 +0000
committerAndrew Bartlett <abartlet@samba.org>2003-02-15 00:29:21 +0000
commite4202a9fe70785a0a5b47c90df696a880294d310 (patch)
tree452600615827b27c95820d184ee495e476f57618 /source3/client
parent3b2693f1ae3b1e06d3015843d2933177fcb97a87 (diff)
Antti Andreimann <Antti.Andreimann@mail.ee> has done some changes to enable
users w/o full administrative access on computer accounts to join a computer to an AD domain. The patch and detailed changelog are available at: http://www.itcollege.ee/~aandreim/samba This is a list of changes in general: 1. When creating machine account do not fail if SD cannot be changed. Setting the SD is not mandatory and join will work perfectly without it. 2. Implement KPASSWD CHANGEPW protocol for changing trust password so machine account does not need to have reset password right for itself. 3. Command line utilities no longer interfere with user's existing kerberos ticket cache. 4. Command line utilities can do kerberos authentication even if username is specified (-U). Initial TGT will be requested in this case. I've modified the patch to share the kinit code, rather than copying it, and updated it to current CVS. The other change included in the original patch (local realms) has been left out for now. Andrew Bartlett (This used to be commit ce52f1c2ed4d3ddafe8ae6258c90b90fa434fe43)
Diffstat (limited to 'source3/client')
-rw-r--r--source3/client/client.c7
-rw-r--r--source3/client/smbmount.c43
2 files changed, 44 insertions, 6 deletions
diff --git a/source3/client/client.c b/source3/client/client.c
index 4761b0ae5c..e5a9592fcc 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -41,6 +41,7 @@ static pstring password;
static pstring username;
static pstring workgroup;
static char *cmdstr;
+static BOOL got_user;
static BOOL got_pass;
static int io_bufsize = 64512;
static BOOL use_kerberos;
@@ -2889,6 +2890,8 @@ static void remember_query_host(const char *arg,
case 'U':
{
char *lp;
+
+ got_user = True;
pstrcpy(username,optarg);
if ((lp=strchr_m(username,'%'))) {
*lp = 0;
@@ -2985,7 +2988,6 @@ static void remember_query_host(const char *arg,
case 'k':
#ifdef HAVE_KRB5
use_kerberos = True;
- got_pass = True;
#else
d_printf("No kerberos support compiled in\n");
exit(1);
@@ -2997,6 +2999,9 @@ static void remember_query_host(const char *arg,
}
}
+ if (use_kerberos && !got_user)
+ got_pass = True;
+
init_names();
if(*new_name_resolve_order)
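Review bot: The new `if (use_kerberos && !got_user)` after the option loop has no comment saying why `got_pass` is forced, and the rule is not obvious from the flag names. Going by the commit description, `-k` alone relies on the existing ticket cache, while `-k -U user` must still obtain a password so an initial TGT can be requested. I would add `/* -k without -U: use the existing ticket cache, so skip the password prompt */` above the test. The body should also be braced, `if (use_kerberos && !got_user) { got_pass = True; }`, to match the same check in smbmount.c. The enclosing function starts and ends outside this hunk.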
diff --git a/source3/client/smbmount.c b/source3/client/smbmount.c
index 508521bedc..e2372d02b4 100644
--- a/source3/client/smbmount.c
+++ b/source3/client/smbmount.c
@@ -41,12 +41,16 @@ static pstring options;
static struct in_addr dest_ip;
static BOOL have_ip;
static int smb_port = 0;
+static BOOL got_user;
static BOOL got_pass;
static uid_t mount_uid;
static gid_t mount_gid;
static int mount_ro;
static unsigned mount_fmask;
static unsigned mount_dmask;
+static BOOL use_kerberos;
+/* TODO: Add code to detect smbfs version in kernel */
+static BOOL status32_smbfs = False;
static void usage(void);
@@ -155,11 +159,15 @@ static struct cli_state *do_connection(char *the_service)
}
/* SPNEGO doesn't work till we get NTSTATUS error support */
- c->use_spnego = False;
+ /* But it is REQUIRED for kerberos authentication */
+ if(!use_kerberos) c->use_spnego = False;
/* The kernel doesn't yet know how to sign it's packets */
c->sign_info.allow_smb_signing = False;
+ /* Use kerberos authentication if specified */
+ c->use_kerberos = use_kerberos;
+
if (!cli_session_request(c, &calling, &called)) {
char *p;
DEBUG(0,("%d: session request to %s failed (%s)\n",
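Review bot: The comment kept above `if(!use_kerberos) c->use_spnego = False;` says SPNEGO does not work without NTSTATUS error support, but the new line leaves SPNEGO enabled for kerberos. Later in do_connection the session is still forced to DOS errors whenever `status32_smbfs` is False, so this is the configuration the comment warns about. The added comment should state the accepted limitation, e.g. `/* krb needs SPNEGO; with DOS errors forced below, session-setup failures may be misreported */`. The context line `c->sign_info.allow_smb_signing = False;` still applies on the kerberos path, so a kerberos-authenticated mount has no packet signing, and that deserves a mention in the same comment. The one-line unbraced `if` would read better as a braced block. do_connection's body continues outside this hunk.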
@@ -193,9 +201,17 @@ static struct cli_state *do_connection(char *the_service)
/* This should be right for current smbfs. Future versions will support
large files as well as unicode and oplocks. */
- c->capabilities &= ~(CAP_UNICODE | CAP_LARGE_FILES | CAP_NT_SMBS |
- CAP_NT_FIND | CAP_STATUS32 | CAP_LEVEL_II_OPLOCKS);
- c->force_dos_errors = True;
+ if (status32_smbfs) {
+ c->capabilities &= ~(CAP_UNICODE | CAP_LARGE_FILES | CAP_NT_SMBS |
+ CAP_NT_FIND | CAP_LEVEL_II_OPLOCKS);
+ }
+ else {
+ c->capabilities &= ~(CAP_UNICODE | CAP_LARGE_FILES | CAP_NT_SMBS |
+ CAP_NT_FIND | CAP_STATUS32 |
+ CAP_LEVEL_II_OPLOCKS);
+ c->force_dos_errors = True;
+ }
+
if (!cli_session_setup(c, username,
password, strlen(password),
password, strlen(password),
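Review bot: The `if (status32_smbfs)` branch added here cannot run in this commit. `status32_smbfs` is initialised to `False`, its declaration carries a TODO for the missing detection, and no visible hunk assigns it. The capability mask is also duplicated across the two branches with only `CAP_STATUS32` differing, which makes it easy for them to drift apart. I would clear the common bits once and handle the DOS-error fallback in a single conditional, as in the excerpt below. The same always-false flag means the `krb` warning in parse_mount_smb prints on every kerberos mount. do_connection's body continues outside this hunk.

```c
	/* … unchanged: comment about current smbfs capabilities … */
	c->capabilities &= ~(CAP_UNICODE | CAP_LARGE_FILES | CAP_NT_SMBS |
			     CAP_NT_FIND | CAP_LEVEL_II_OPLOCKS);
	if (!status32_smbfs) {
		/* smbfs without NTSTATUS support: fall back to DOS error codes */
		c->capabilities &= ~CAP_STATUS32;
		c->force_dos_errors = True;
	}
```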
@@ -629,8 +645,9 @@ static void read_credentials_file(char *filename)
pstrcpy(password, val);
got_pass = True;
}
- else if (strwicmp("username", param) == 0)
+ else if (strwicmp("username", param) == 0) {
pstrcpy(username, val);
+ }
memset(buf, 0, sizeof(buf));
}
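Review bot: The braces added around `pstrcpy(username, val);` change nothing, and `got_user` is not set when the username comes from the credentials file, unlike the `username=`/`logon=` option in parse_mount_smb. The later hunk also runs `if (use_kerberos && !got_user)` before `read_credentials_file(credentials)`. So with `krb` and a credentials file that holds only a username, `got_pass` is already forced to True, and the mount would presumably use whatever ticket cache exists rather than request a TGT for that user. If that is not intended, add `got_user = True;` inside the new braces and move the kerberos check below the credentials read. Otherwise a comment here should say the credentials-file username is deliberately ignored for that decision. read_credentials_file starts outside this hunk.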
@@ -652,6 +669,7 @@ static void usage(void)
username=<arg> SMB username\n\
password=<arg> SMB password\n\
credentials=<filename> file with username/password\n\
+ krb use kerberos (active directory)\n\
netbiosname=<arg> source NetBIOS name\n\
uid=<arg> mount uid or username\n\
gid=<arg> mount gid or groupname\n\
@@ -738,6 +756,7 @@ static void parse_mount_smb(int argc, char **argv)
if (!strcmp(opts, "username") ||
!strcmp(opts, "logon")) {
char *lp;
+ got_user = True;
pstrcpy(username,opteq+1);
if ((lp=strchr_m(username,'%'))) {
*lp = 0;
@@ -795,6 +814,16 @@ static void parse_mount_smb(int argc, char **argv)
} else if(!strcmp(opts, "guest")) {
*password = '\0';
got_pass = True;
+ } else if(!strcmp(opts, "krb")) {
+#ifdef HAVE_KRB5
+
+ use_kerberos = True;
+ if(!status32_smbfs)
+ fprintf(stderr, "Warning: kerberos support will only work for samba servers\n");
+#else
+ fprintf(stderr,"No kerberos support compiled in\n");
+ exit(1);
+#endif
} else if(!strcmp(opts, "rw")) {
mount_ro = 0;
} else if(!strcmp(opts, "ro")) {
@@ -879,6 +908,10 @@ static void parse_mount_smb(int argc, char **argv)
parse_mount_smb(argc, argv);
+ if (use_kerberos && !got_user) {
+ got_pass = True;
+ }
+
if (*credentials != 0) {
read_credentials_file(credentials);
}