- Make 'net' use a single funciton for setting the 'use machine account' code.

 - Make winbindd try to use kerberos for connections to DCs, so that it can
   access RA=2 servers, particularly for netlogon.
 - Make rpcclient follow the new flags for the NETLOGON pipe
 - Make all the code that uses schannel use the centralised functions for doing so.

Andrew Bartlett
(This used to be commit 96b4187963cedcfe158ff02868929b8cf81c6ebf)

2 files changed, 46 insertions, 31 deletions

diff --git a/source3/utils/net.c b/source3/utils/net.c
index 8f6b09a3fa..c49c77dd50 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -181,6 +181,27 @@ NTSTATUS connect_to_ipc_anonymous(struct cli_state **c,
 	}
 }
 
+/****************************************************************************
+ Use the local machine's password for this session
+****************************************************************************/
+int net_use_machine_password(void) 
+{
+	char *user_name = NULL;
+
+	if (!secrets_init()) {
+		d_printf("ERROR: Unable to open secrets database\n");
+		exit(1);
+	}
+
+	user_name = NULL;
+	opt_password = secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL);
+	if (asprintf(&user_name, "%s$@%s", global_myname(), lp_realm()) == -1) {
+		return -1;
+	}
+	opt_user_name = user_name;
+	return 0;
+}
+
 BOOL net_find_server(unsigned flags, struct in_addr *server_ip, char **server_name)
 {
 
@@ -321,7 +342,7 @@ static int net_join(int argc, const char **argv)
 		if (net_ads_join(argc, argv) == 0)
 			return 0;
 		else
-			d_printf("ADS join did not work, trying RPC...\n");
+			d_printf("ADS join did not work, falling back to RPC...\n");
 	}
 	return net_rpc_join(argc, argv);
 }
@@ -649,23 +670,10 @@ static struct functable net_func[] = {
 	sec_init();
 
 	if (opt_machine_pass) {
-		char *user = NULL;
 		/* it is very useful to be able to make ads queries as the
 		   machine account for testing purposes and for domain leave */
 
-		if (!secrets_init()) {
-			d_printf("ERROR: Unable to open secrets database\n");
-			exit(1);
-		}
-
-		opt_password = secrets_fetch_machine_password(opt_workgroup, NULL, NULL);
-
-		asprintf(&user,"%s$", global_myname());
-		opt_user_name = user;
-		if (!opt_password) {
-			d_printf("ERROR: Unable to fetch machine password\n");
-			exit(1);
-		}
+		net_use_machine_password();
 	}
 
 	if (!opt_password) {
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 631e235127..352431a938 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -579,10 +579,7 @@ static int net_ads_leave(int argc, const char **argv)
 	}
 
 	if (!opt_password) {
-		char *user_name;
-		asprintf(&user_name, "%s$", global_myname());
-		opt_password = secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL);
-		opt_user_name = user_name;
+		net_use_machine_password();
 	}
 
 	if (!(ads = ads_startup())) {
@@ -603,7 +600,6 @@ static int net_ads_leave(int argc, const char **argv)
 
 static int net_ads_join_ok(void)
 {
-	char *user_name;
 	ADS_STRUCT *ads = NULL;
 
 	if (!secrets_init()) {
@@ -611,9 +607,7 @@ static int net_ads_join_ok(void)
 		return -1;
 	}
 
-	asprintf(&user_name, "%s$", global_myname());
-	opt_user_name = user_name;
-	opt_password = secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL);
+	net_use_machine_password();
 
 	if (!(ads = ads_startup())) {
 		return -1;
@@ -648,6 +642,7 @@ int net_ads_join(int argc, const char **argv)
 	ADS_STRUCT *ads;
 	ADS_STATUS rc;
 	char *password;
+	char *machine_account = NULL;
 	char *tmp_password;
 	const char *org_unit = "Computers";
 	char *dn;
@@ -669,6 +664,16 @@ int net_ads_join(int argc, const char **argv)
 
 	if (!(ads = ads_startup())) return -1;
 
+	if (!*lp_realm()) {
+		d_printf("realm must be set in in smb.conf for ADS join to succeed.\n");
+		return -1;
+	}
+
+	if (strcmp(ads->config.realm, lp_realm()) != 0) {
+		d_printf("realm of remote server (%s) and realm in smb.conf (%s) DO NOT match.  Aborting join\n", ads->config.realm, lp_realm());
+		return -1;
+	}
+
 	ou_str = ads_ou_string(org_unit);
 	asprintf(&dn, "%s,%s", ou_str, ads->config.bind_path);
 	free(ou_str);
@@ -696,11 +701,16 @@ int net_ads_join(int argc, const char **argv)
 
 	rc = ads_domain_sid(ads, &dom_sid);
 	if (!ADS_ERR_OK(rc)) {
-		d_printf("ads_domain_sid: %s\n", ads_errstr(rc));
+		d_printf("ads_domain_sid: %s\n", ads_errstr(rc));	
+	return -1;
+	}
+
+	if (asprintf(&machine_account, "%s$", global_myname()) == -1) {
+		d_printf("asprintf failed\n");
 		return -1;
 	}
 
-	rc = ads_set_machine_password(ads, global_myname(), password);
+	rc = ads_set_machine_password(ads, machine_account, password);
 	if (!ADS_ERR_OK(rc)) {
 		d_printf("ads_set_machine_password: %s\n", ads_errstr(rc));
 		return -1;
@@ -718,7 +728,8 @@ int net_ads_join(int argc, const char **argv)
 
 	d_printf("Joined '%s' to realm '%s'\n", global_myname(), ads->config.realm);
 
-	free(password);
+	SAFE_FREE(password);
+	SAFE_FREE(machine_account);
 
 	return 0;
 }
@@ -1020,17 +1031,13 @@ int net_ads_changetrustpw(int argc, const char **argv)
     char *host_principal;
     char *hostname;
     ADS_STATUS ret;
-    char *user_name;
 
     if (!secrets_init()) {
 	    DEBUG(1,("Failed to initialise secrets database\n"));
 	    return -1;
     }
 
-    asprintf(&user_name, "%s$", global_myname());
-    opt_user_name = user_name;
-
-    opt_password = secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL);
+    net_use_machine_password();
 
     use_in_memory_ccache();