Antti Andreimann <Antti.Andreimann@mail.ee> has done some changes to enable

users w/o full administrative access on computer accounts to join a
computer into AD domain.

The patch and detailed changelog is available at:
http://www.itcollege.ee/~aandreim/samba

This is a list of changes in general:

1. When creating machine account do not fail if SD cannot be changed.
   setting SD is not mandatory and join will work perfectly without it.
2. Implement KPASSWD CHANGEPW protocol for changing trust password so
   machine account does not need to have reset password right for itself.
3. Command line utilities no longer interfere with user's existing
   kerberos ticket cache.
4. Command line utilities can do kerberos authentication even if
   username is specified (-U). Initial TGT will be requested in this case.

I've modified the patch to share the kinit code, rather than copying it,
and updated it to current CVS.  The other change included in the original patch
(local realms) has been left out for now.

Andrew Bartlett
(This used to be commit ce52f1c2ed4d3ddafe8ae6258c90b90fa434fe43)

2 files changed, 44 insertions, 6 deletions

diff --git a/source3/client/client.c b/source3/client/client.c
index 4761b0ae5c..e5a9592fcc 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -41,6 +41,7 @@ static pstring password;
 static pstring username;
 static pstring workgroup;
 static char *cmdstr;
+static BOOL got_user;
 static BOOL got_pass;
 static int io_bufsize = 64512;
 static BOOL use_kerberos;
@@ -2889,6 +2890,8 @@ static void remember_query_host(const char *arg,
 		case 'U':
 			{
 				char *lp;
+
+				got_user = True;
 				pstrcpy(username,optarg);
 				if ((lp=strchr_m(username,'%'))) {
 					*lp = 0;
@@ -2985,7 +2988,6 @@ static void remember_query_host(const char *arg,
 		case 'k':
 #ifdef HAVE_KRB5
 			use_kerberos = True;
-			got_pass = True;
 #else
 			d_printf("No kerberos support compiled in\n");
 			exit(1);
@@ -2997,6 +2999,9 @@ static void remember_query_host(const char *arg,
 		}
 	}
 
+	if (use_kerberos && !got_user)
+			got_pass = True;
+
 	init_names();
 
 	if(*new_name_resolve_order)
diff --git a/source3/client/smbmount.c b/source3/client/smbmount.c
index 508521bedc..e2372d02b4 100644
--- a/source3/client/smbmount.c
+++ b/source3/client/smbmount.c
@@ -41,12 +41,16 @@ static pstring options;
 static struct in_addr dest_ip;
 static BOOL have_ip;
 static int smb_port = 0;
+static BOOL got_user;
 static BOOL got_pass;
 static uid_t mount_uid;
 static gid_t mount_gid;
 static int mount_ro;
 static unsigned mount_fmask;
 static unsigned mount_dmask;
+static BOOL use_kerberos;
+/* TODO: Add code to detect smbfs version in kernel */
+static BOOL status32_smbfs = False;
 
 static void usage(void);
 
@@ -155,11 +159,15 @@ static struct cli_state *do_connection(char *the_service)
 	}
 
 	/* SPNEGO doesn't work till we get NTSTATUS error support */
-	c->use_spnego = False;
+	/* But it is REQUIRED for kerberos authentication */
+	if(!use_kerberos) c->use_spnego = False;
 
 	/* The kernel doesn't yet know how to sign it's packets */
 	c->sign_info.allow_smb_signing = False;
 
+	/* Use kerberos authentication if specified */
+	c->use_kerberos = use_kerberos;
+
 	if (!cli_session_request(c, &calling, &called)) {
 		char *p;
 		DEBUG(0,("%d: session request to %s failed (%s)\n", 
@@ -193,9 +201,17 @@ static struct cli_state *do_connection(char *the_service)
 
 	/* This should be right for current smbfs. Future versions will support
 	  large files as well as unicode and oplocks. */
-	c->capabilities &= ~(CAP_UNICODE | CAP_LARGE_FILES | CAP_NT_SMBS |
-				CAP_NT_FIND | CAP_STATUS32 | CAP_LEVEL_II_OPLOCKS);
-	c->force_dos_errors = True;
+	if (status32_smbfs) {
+	    c->capabilities &= ~(CAP_UNICODE | CAP_LARGE_FILES | CAP_NT_SMBS |
+                                 CAP_NT_FIND | CAP_LEVEL_II_OPLOCKS);
+	}
+	else {
+	    c->capabilities &= ~(CAP_UNICODE | CAP_LARGE_FILES | CAP_NT_SMBS |
+				 CAP_NT_FIND | CAP_STATUS32 |
+				 CAP_LEVEL_II_OPLOCKS);
+	    c->force_dos_errors = True;
+	}
+
 	if (!cli_session_setup(c, username, 
 			       password, strlen(password),
 			       password, strlen(password),
@@ -629,8 +645,9 @@ static void read_credentials_file(char *filename)
 			pstrcpy(password, val);
 			got_pass = True;
 		}
-		else if (strwicmp("username", param) == 0)
+		else if (strwicmp("username", param) == 0) {
 			pstrcpy(username, val);
+		}
 
 		memset(buf, 0, sizeof(buf));
 	}
@@ -652,6 +669,7 @@ static void usage(void)
       username=<arg>                  SMB username\n\
       password=<arg>                  SMB password\n\
       credentials=<filename>          file with username/password\n\
+      krb                             use kerberos (active directory)\n\
       netbiosname=<arg>               source NetBIOS name\n\
       uid=<arg>                       mount uid or username\n\
       gid=<arg>                       mount gid or groupname\n\
@@ -738,6 +756,7 @@ static void parse_mount_smb(int argc, char **argv)
                         if (!strcmp(opts, "username") || 
 			    !strcmp(opts, "logon")) {
 				char *lp;
+				got_user = True;
 				pstrcpy(username,opteq+1);
 				if ((lp=strchr_m(username,'%'))) {
 					*lp = 0;
@@ -795,6 +814,16 @@ static void parse_mount_smb(int argc, char **argv)
 			} else if(!strcmp(opts, "guest")) {
 				*password = '\0';
 				got_pass = True;
+			} else if(!strcmp(opts, "krb")) {
+#ifdef HAVE_KRB5
+
+				use_kerberos = True;
+				if(!status32_smbfs)
+					fprintf(stderr, "Warning: kerberos support will only work for samba servers\n");
+#else
+				fprintf(stderr,"No kerberos support compiled in\n");
+				exit(1);
+#endif
 			} else if(!strcmp(opts, "rw")) {
 				mount_ro = 0;
 			} else if(!strcmp(opts, "ro")) {
@@ -879,6 +908,10 @@ static void parse_mount_smb(int argc, char **argv)
 
 	parse_mount_smb(argc, argv);
 
+	if (use_kerberos && !got_user) {
+		got_pass = True;
+	}
+
 	if (*credentials != 0) {
 		read_credentials_file(credentials);
 	}