authorAndrew Bartlett <abartlet@samba.org>2003-08-14 01:08:00 +0000
committerAndrew Bartlett <abartlet@samba.org>2003-08-14 01:08:00 +0000
commit172766eea7a374e910ea91c857fcce45996783a2 (patch)
treef666ba3739092714c6175f8e1adf834fa68f0f00 /source3
parent1eb7fe8eaf9306e9ef1447a6b47a5b91df8584cb (diff)
Change Samba to always use extended security for its guest logins (i.e.,
NTLMSSP with "" username, NULL password), and add --machine-pass (-P) to all of Samba's clients. When connecting to an Active Directory DC, you must initiate the CIFS level session setup with Kerberos, not a guest login. If you don't, your machine account is demoted to NT4. Andrew Bartlett (This used to be commit 3547cb3def45a90f99f67829a533eac1ccba5e77)
Diffstat (limited to 'source3')
-rw-r--r--source3/Makefile.in35
-rw-r--r--source3/lib/popt_common.c30
-rw-r--r--source3/libsmb/cliconnect.c72
-rw-r--r--source3/libsmb/clikrb5.c12
-rw-r--r--source3/libsmb/ntlmssp.c14
-rw-r--r--source3/libsmb/ntlmssp_parse.c3
-rw-r--r--source3/libsmb/smbencrypt.c2
-rw-r--r--source3/rpc_client/cli_pipe.c2
-rw-r--r--source3/rpcclient/cmd_netlogon.c2
-rw-r--r--source3/rpcclient/rpcclient.c6
10 files changed, 90 insertions, 88 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 40f506c807..ed98f391ef 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -397,18 +397,20 @@ SMBSH_OBJ = smbwrapper/smbsh.o smbwrapper/shared.o \
STATUS_OBJ = utils/status.o $(LOCKING_OBJ) $(PARAM_OBJ) \
$(UBIQX_OBJ) $(PROFILE_OBJ) $(LIB_OBJ) $(POPT_LIB_OBJ) \
- lib/dummyroot.o libsmb/errormap.o
+ $(SECRETS_OBJ) $(LIBSAMBA_OBJ) lib/dummyroot.o libsmb/errormap.o
SMBCONTROL_OBJ = utils/smbcontrol.o $(LOCKING_OBJ) $(PARAM_OBJ) \
$(UBIQX_OBJ) $(PROFILE_OBJ) $(LIB_OBJ) $(POPT_LIB_OBJ) \
+ $(SECRETS_OBJ) $(LIBSAMBA_OBJ) \
printing/notify.o printing/printing_db.o lib/dummyroot.o libsmb/errormap.o
SMBTREE_OBJ = utils/smbtree.o $(LOCKING_OBJ) $(PARAM_OBJ) \
$(UBIQX_OBJ) $(PROFILE_OBJ) $(LIB_OBJ) $(LIBSMB_OBJ) \
- $(KRBCLIENT_OBJ) $(POPT_LIB_OBJ)
+ $(KRBCLIENT_OBJ) $(POPT_LIB_OBJ) $(SECRETS_OBJ)
TESTPARM_OBJ = utils/testparm.o \
- $(PARAM_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) $(POPT_LIB_OBJ)
+ $(PARAM_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) $(POPT_LIB_OBJ) \
+ $(SECRETS_OBJ) $(LIBSAMBA_OBJ)
TESTPRNS_OBJ = utils/testprns.o $(PARAM_OBJ) $(PRINTING_OBJ) $(UBIQX_OBJ) \
$(LIB_OBJ)
@@ -470,7 +472,7 @@ CLIENT_OBJ1 = client/client.o client/clitar.o
CLIENT_OBJ = $(CLIENT_OBJ1) $(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) \
$(LIB_OBJ) $(KRBCLIENT_OBJ) \
- $(READLINE_OBJ) $(POPT_LIB_OBJ)
+ $(READLINE_OBJ) $(POPT_LIB_OBJ) $(SECRETS_OBJ)
NET_OBJ1 = utils/net.o utils/net_ads.o utils/net_ads_cldap.o utils/net_help.o \
utils/net_rap.o utils/net_rpc.o utils/net_rpc_samsync.o \
@@ -485,7 +487,7 @@ NET_OBJ = $(NET_OBJ1) $(PARAM_OBJ) $(SECRETS_OBJ) $(LIBSMB_OBJ) \
$(SMBLDAP_OBJ) $(DCUTIL_OBJ) lib/dummyroot.o lib/server_mutex.o
CUPS_OBJ = client/smbspool.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) \
- $(LIB_OBJ) $(KRBCLIENT_OBJ)
+ $(LIB_OBJ) $(KRBCLIENT_OBJ) $(SECRETS_OBJ)
MOUNT_OBJ = client/smbmount.o \
$(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) $(UBIQX_OBJ) $(LIB_OBJ)
@@ -495,13 +497,13 @@ MNT_OBJ = client/smbmnt.o
UMOUNT_OBJ = client/smbumount.o
NMBLOOKUP_OBJ = utils/nmblookup.o $(PARAM_OBJ) $(UBIQX_OBJ) $(LIBNMB_OBJ) \
- $(LIB_OBJ) $(POPT_LIB_OBJ)
+ $(LIB_OBJ) $(POPT_LIB_OBJ) $(SECRETS_OBJ) $(LIBSAMBA_OBJ)
SMBTORTURE_OBJ1 = torture/torture.o torture/nbio.o torture/scanner.o torture/utable.o \
torture/denytest.o torture/mangle_test.o
SMBTORTURE_OBJ = $(SMBTORTURE_OBJ1) $(PARAM_OBJ) \
- $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) $(UBIQX_OBJ) $(LIB_OBJ)
+ $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) $(SECRETS_OBJ)
MASKTEST_OBJ = torture/masktest.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(KRBCLIENT_OBJ) \
$(UBIQX_OBJ) $(LIB_OBJ)
@@ -617,7 +619,7 @@ POPT_OBJS=popt/findme.o popt/popt.o popt/poptconfig.o \
TDBBACKUP_OBJ = tdb/tdbbackup.o tdb/tdbback.o $(TDBBASE_OBJ)
-NTLM_AUTH_OBJ = utils/ntlm_auth.o $(LIBSAMBA_OBJ) $(POPT_LIB_OBJ) \
+NTLM_AUTH_OBJ = utils/ntlm_auth.o $(SECRETS_OBJ) $(LIBSAMBA_OBJ) $(POPT_LIB_OBJ) \
libsmb/asn1.o libsmb/spnego.o libsmb/clikrb5.o libads/kerberos.o
######################################################################
@@ -792,19 +794,22 @@ bin/testprns@EXEEXT@: $(TESTPRNS_OBJ) bin/.dummy
bin/smbstatus@EXEEXT@: $(STATUS_OBJ) @BUILD_POPT@ bin/.dummy
@echo Linking $@
- @$(CC) $(FLAGS) -o $@ $(STATUS_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) @POPTLIBS@
+ @$(CC) $(FLAGS) -o $@ $(STATUS_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) \
+ @POPTLIBS@
bin/smbcontrol@EXEEXT@: $(SMBCONTROL_OBJ) @BUILD_POPT@ bin/.dummy
@echo Linking $@
- @$(CC) -DUSING_SMBCONTROL $(FLAGS) -o $@ $(SMBCONTROL_OBJ) $(DYNEXP) $(LDFLAGS) $(LIBS) @POPTLIBS@
+ @$(CC) -DUSING_SMBCONTROL $(FLAGS) -o $@ $(SMBCONTROL_OBJ) $(DYNEXP) \
+ $(LDFLAGS) $(LIBS) \
+ @POPTLIBS@
bin/smbtree@EXEEXT@: $(SMBTREE_OBJ) @BUILD_POPT@ bin/.dummy
@echo Linking $@
- @$(CC) $(FLAGS) -o $@ $(SMBTREE_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) @POPTLIBS@ $(KRB5LIBS) $(LDAPLIBS)
+ @$(CC) $(FLAGS) -o $@ $(SMBTREE_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) @POPTLIBS@ $(KRB5LIBS) $(LDAPLIBS)
bin/smbpasswd@EXEEXT@: $(SMBPASSWD_OBJ) bin/.dummy
@echo Linking $@
- @$(CC) $(FLAGS) -o $@ $(SMBPASSWD_OBJ) $(PASSDBLIBS) $(LDFLAGS) $(DYNEXP) $(LIBS) $(KRB5LIBS) $(LDAPLIBS)
+ @$(CC) $(FLAGS) -o $@ $(SMBPASSWD_OBJ) $(PASSDBLIBS) $(LDFLAGS) $(DYNEXP) $(LIBS) $(KRB5LIBS) $(LDAPLIBS)
bin/pdbedit@EXEEXT@: $(PDBEDIT_OBJ) @BUILD_POPT@ bin/.dummy
@echo Linking $@
@@ -820,7 +825,7 @@ bin/nmblookup@EXEEXT@: $(NMBLOOKUP_OBJ) @BUILD_POPT@ bin/.dummy
bin/smbtorture@EXEEXT@: $(SMBTORTURE_OBJ) bin/.dummy
@echo Linking $@
- @$(CC) $(FLAGS) -o $@ $(SMBTORTURE_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) $(KRB5LIBS) $(LDAPLIBS)
+ @$(CC) $(FLAGS) -o $@ $(SMBTORTURE_OBJ) $(LDFLAGS) $(DYNEXP) $(LIBS) $(KRB5LIBS) $(LDAPLIBS) $(SECRETS_OBJ)
bin/talloctort@EXEEXT@: $(TALLOCTORT_OBJ) bin/.dummy
@echo Linking $@
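Review bot: `$(SECRETS_OBJ)` is appended to the smbtorture link command after the libraries even though `SMBTORTURE_OBJ` already gained `$(SECRETS_OBJ)` in an earlier hunk, so the same objects are named twice on one link line, which many linkers reject as duplicate definitions. The masktest rule in the next hunk has a related problem: the objects are linked, but `MASKTEST_OBJ` does not list them, so they are not prerequisites of `bin/masktest@EXEEXT@` and a change to them will not trigger a relink. I would drop the trailing `$(SECRETS_OBJ)` from both recipes and add it to `MASKTEST_OBJ` instead, as is done for the other tools.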
@@ -828,11 +833,11 @@ bin/talloctort@EXEEXT@: $(TALLOCTORT_OBJ) bin/.dummy
bin/masktest@EXEEXT@: $(MASKTEST_OBJ) bin/.dummy
@echo Linking $@
- @$(CC) $(FLAGS) -o $@ $(MASKTEST_OBJ) $(LDFLAGS) $(LIBS) $(KRB5LIBS) $(LDAPLIBS)
+ @$(CC) $(FLAGS) -o $@ $(MASKTEST_OBJ) $(LDFLAGS) $(LIBS) $(KRB5LIBS) $(LDAPLIBS) $(SECRETS_OBJ)
bin/msgtest@EXEEXT@: $(MSGTEST_OBJ) bin/.dummy
@echo Linking $@
- @$(CC) $(FLAGS) -o $@ $(MSGTEST_OBJ) $(LDFLAGS) $(LIBS) $(KRB5LIBS) $(LDAPLIBS)
+ @$(CC) $(FLAGS) -o $@ $(MSGTEST_OBJ) $(LDFLAGS) $(LIBS) $(KRB5LIBS) $(LDAPLIBS)
bin/smbcacls@EXEEXT@: $(SMBCACLS_OBJ) @BUILD_POPT@ bin/.dummy
@echo Linking $@
diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
index c120651550..95a9a58b34 100644
--- a/source3/lib/popt_common.c
+++ b/source3/lib/popt_common.c
@@ -119,6 +119,7 @@ struct poptOption popt_common_connection[] = {
{ "netbiosname", 'n', POPT_ARG_STRING, NULL, 'n', "Primary netbios name", "NETBIOSNAME" },
{ "workgroup", 'W', POPT_ARG_STRING, NULL, 'W', "Set the workgroup name", "WORKGROUP" },
{ "scope", 'i', POPT_ARG_STRING, NULL, 'i', "Use this Netbios scope", "SCOPE" },
+
POPT_TABLEEND
};
@@ -259,6 +260,7 @@ static void get_credentials_file(const char *file, struct user_auth_info *info)
* -k,--use-kerberos
* -N,--no-pass
* -S,--signing
+ * -P --machine-pass
*/
@@ -346,6 +348,33 @@ static void popt_common_credentials_callback(poptContext con,
}
}
break;
+ case 'P':
+ {
+ char *opt_password = NULL;
+ /* it is very useful to be able to make ads queries as the
+ machine account for testing purposes and for domain leave */
+
+ if (!secrets_init()) {
+ d_printf("ERROR: Unable to open secrets database\n");
+ exit(1);
+ }
+
+ opt_password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
+
+ if (!opt_password) {
+ d_printf("ERROR: Unable to fetch machine password\n");
+ exit(1);
+ }
+ pstr_sprintf(cmdline_auth_info.username, "%s$",
+ global_myname());
+ pstrcpy(cmdline_auth_info.password,opt_password);
+ SAFE_FREE(opt_password);
+
+ /* machine accounts only work with kerberos */
+ cmdline_auth_info.use_kerberos = True;
+ cmdline_auth_info.got_pass = True;
+ }
+ break;
}
}
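Review bot: The cleartext machine account password is released with `SAFE_FREE(opt_password)` without being overwritten first, so a copy can linger in freed heap memory; I would add `memset(opt_password, 0, strlen(opt_password));` on the line before the free. The fetch also runs inside the option callback, so `lp_workgroup()` and `global_myname()` are read at the moment `-P` is parsed. If `-W`, `-n` or the configuration file are applied later (not visible in this hunk), the password may be looked up under a different name than the one finally used. A short comment that `-P` needs read access to the secrets database would also help users who hit the first error message. The callback body starts outside the hunk.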
@@ -358,5 +387,6 @@ struct poptOption popt_common_credentials[] = {
{ "kerberos", 'k', POPT_ARG_NONE, &cmdline_auth_info.use_kerberos, 'k', "Use kerberos (active directory) authentication" },
{ "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A', "Get the credentials from a file", "FILE" },
{ "signing", 'S', POPT_ARG_STRING, NULL, 'S', "Set the client signing state", "on|off|required" },
+ {"machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', "Use stored machine account password" },
POPT_TABLEEND
};
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 82d6fc7cef..010aa4d1bb 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -131,55 +131,6 @@ static uint32 cli_session_setup_capabilities(struct cli_state *cli)
}
/****************************************************************************
- Do a NT1 guest session setup.
-****************************************************************************/
-
-static BOOL cli_session_setup_guest(struct cli_state *cli)
-{
- char *p;
- uint32 capabilities = cli_session_setup_capabilities(cli);
-
- set_message(cli->outbuf,13,0,True);
- SCVAL(cli->outbuf,smb_com,SMBsesssetupX);
- cli_setup_packet(cli);
-
- SCVAL(cli->outbuf,smb_vwv0,0xFF);
- SSVAL(cli->outbuf,smb_vwv2,CLI_BUFFER_SIZE);
- SSVAL(cli->outbuf,smb_vwv3,2);
- SSVAL(cli->outbuf,smb_vwv4,cli->pid);
- SIVAL(cli->outbuf,smb_vwv5,cli->sesskey);
- SSVAL(cli->outbuf,smb_vwv7,0);
- SSVAL(cli->outbuf,smb_vwv8,0);
- SIVAL(cli->outbuf,smb_vwv11,capabilities);
- p = smb_buf(cli->outbuf);
- p += clistr_push(cli, p, "", -1, STR_TERMINATE); /* username */
- p += clistr_push(cli, p, "", -1, STR_TERMINATE); /* workgroup */
- p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE);
- p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE);
- cli_setup_bcc(cli, p);
-
- cli_send_smb(cli);
- if (!cli_receive_smb(cli))
- return False;
-
- show_msg(cli->inbuf);
-
- if (cli_is_error(cli))
- return False;
-
- cli->vuid = SVAL(cli->inbuf,smb_uid);
-
- p = smb_buf(cli->inbuf);
- p += clistr_pull(cli, cli->server_os, p, sizeof(fstring), -1, STR_TERMINATE);
- p += clistr_pull(cli, cli->server_type, p, sizeof(fstring), -1, STR_TERMINATE);
- p += clistr_pull(cli, cli->server_domain, p, sizeof(fstring), -1, STR_TERMINATE);
-
- fstrcpy(cli->user_name, "");
-
- return True;
-}
-
-/****************************************************************************
Do a NT1 plaintext session setup.
****************************************************************************/
@@ -267,7 +218,9 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user,
BOOL ret = False;
char *p;
- if (passlen != 24) {
+ if (passlen == 0) {
+ /* do nothing - guest login */
+ } else if (passlen != 24) {
if ((cli->capabilities & CAP_EXTENDED_SECURITY) && lp_client_ntlmv2_auth()) {
DATA_BLOB server_chal;
DATA_BLOB names_blob;
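Review bot: The new guest branch in cli_session_setup_nt1 is chosen by `passlen == 0` alone, without looking at `user`, so a caller that passes a real user name with a zero length now skips response generation and sends that name with no proof of the password. Whether the response buffers used further down are initialised to empty before this `if` is not visible in the hunk and should be confirmed. I would tighten the comment to `/* guest/anonymous login: no responses are computed; callers must pass passlen > 0 for a real (even empty) password */`, or test `*user == '\0'` as well. The function continues outside the hunk.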
@@ -678,7 +631,7 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, const char *user,
* and do not store results */
if (got_kerberos_mechanism && cli->use_kerberos) {
- if (*pass) {
+ if (pass && *pass) {
int ret;
use_in_memory_ccache();
@@ -751,12 +704,6 @@ BOOL cli_session_setup(struct cli_state *cli,
return cli_session_setup_lanman2(cli, user, pass, passlen, workgroup);
}
- /* if no user is supplied then we have to do an anonymous connection.
- passwords are ignored */
-
- if (!user || !*user)
- return cli_session_setup_guest(cli);
-
/* if the server is share level then send a plaintext null
password at this point. The password is sent in the tree
connect */
@@ -764,6 +711,17 @@ BOOL cli_session_setup(struct cli_state *cli,
if ((cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) == 0)
return cli_session_setup_plaintext(cli, user, "", workgroup);
+ /* if no user is supplied then we have to do an anonymous connection.
+ passwords are ignored */
+
+ if (!user || !*user) {
+ user = "";
+ pass = NULL;
+ ntpass = NULL;
+ passlen = 0;
+ ntpasslen = 0;
+ }
+
/* if the server doesn't support encryption then we have to use
plaintext. The second password is ignored */
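Review bot: Moving the `!user || !*user` handling below the share-level check means a NULL `user` now reaches `cli_session_setup_plaintext(cli, user, "", workgroup)` unnormalised, where the removed early return used to catch it. The block also sets `pass = NULL`, and the comment that follows announces another plaintext path. If that path passes `pass` on (the call is outside the hunk), it now receives a NULL pointer where it previously got a string. I would normalise first with `if (!user) user = "";` ahead of the share-level test, and confirm that every later branch of cli_session_setup tolerates `pass == NULL`.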
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 3fe6d6457a..a18852a691 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -369,29 +369,27 @@ failed:
BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, uint8 session_key[16], BOOL remote)
{
-#ifdef ENCTYPE_ARCFOUR_HMAC
krb5_keyblock *skey;
krb5_error_code err;
-#endif
BOOL ret = False;
memset(session_key, 0, 16);
-#ifdef ENCTYPE_ARCFOUR_HMAC
if (remote)
err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
else
err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
if (err == 0 && skey != NULL) {
- if (KRB5_KEY_TYPE(skey) ==
- ENCTYPE_ARCFOUR_HMAC
- && KRB5_KEY_LENGTH(skey) == 16) {
+ DEBUG(10, ("Got KRB5 session key of length %d\n", KRB5_KEY_LENGTH(skey)));
+ if (KRB5_KEY_LENGTH(skey) == 16) {
memcpy(session_key, KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
+ dump_data_pw("KRB5 Session Key:\n", session_key, 16);
ret = True;
}
krb5_free_keyblock(context, skey);
+ } else {
+ DEBUG(10, ("KRB5 error getting session key %d\n", err));
}
-#endif /* ENCTYPE_ARCFOUR_HMAC */
return ret;
}
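Review bot: With the `ENCTYPE_ARCFOUR_HMAC` comparison removed, any 16-byte subkey is accepted, and a subkey of any other length falls through with no message, leaving `session_key` all zeros and `ret` False. A caller that ignores the return value would then continue with a known all-zero key, so I would log the rejection after the `== 16` branch, for example `else { DEBUG(3, ("KRB5 session key has unsupported length %d\n", (int)KRB5_KEY_LENGTH(skey))); }`. The new outer `else` also fires when `err == 0` and `skey` is NULL, where the message "error getting session key 0" is misleading. Since `dump_data_pw` is handed the key itself, a comment stating that it must only produce output in password-debugging builds would be worth adding.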
diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
index 47e283dc51..43c3464bd2 100644
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -551,7 +551,9 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_client_state *ntlmssp_st
return NT_STATUS_INVALID_PARAMETER;
}
- if (ntlmssp_state->use_ntlmv2) {
+ if (!ntlmssp_state->password) {
+ /* do nothing - blobs are zero length */
+ } else if (ntlmssp_state->use_ntlmv2) {
if (!struct_blob.length) {
/* be lazy, match win2k - we can't do NTLMv2 without it */
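Review bot: Anonymous authentication is selected here whenever `ntlmssp_state->password` is NULL, which is presumably also the state of a client on which ntlmssp_set_password() was never called. A caller that sets a user name but forgets the password would then silently get an anonymous session instead of an error. Consider checking the user name as well, or at least replacing the comment with `/* NULL password means anonymous: send zero-length LM/NT responses and no session key */`. The empty branch relies on the response blobs being initialised to zero length before this `if`; that initialisation is outside the hunk and should be confirmed.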
@@ -749,9 +751,13 @@ NTSTATUS ntlmssp_set_username(NTLMSSP_CLIENT_STATE *ntlmssp_state, const char *u
NTSTATUS ntlmssp_set_password(NTLMSSP_CLIENT_STATE *ntlmssp_state, const char *password)
{
- ntlmssp_state->password = talloc_strdup(ntlmssp_state->mem_ctx, password);
- if (!ntlmssp_state->password) {
- return NT_STATUS_NO_MEMORY;
+ if (!password) {
+ ntlmssp_state->password = NULL;
+ } else {
+ ntlmssp_state->password = talloc_strdup(ntlmssp_state->mem_ctx, password);
+ if (!ntlmssp_state->password) {
+ return NT_STATUS_NO_MEMORY;
+ }
}
return NT_STATUS_OK;
}
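Review bot: ntlmssp_set_password() now gives NULL a meaning of its own, but nothing at the function says so. I would add a header comment along the lines of `/* Set the password. NULL selects an anonymous (guest) login; "" is a real, empty password and is still hashed. */` so callers do not pass NULL by accident. When a password is replaced, the assignment simply overwrites the pointer, so the previous copy stays in the talloc context unscrubbed; that may deserve a note as well.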
diff --git a/source3/libsmb/ntlmssp_parse.c b/source3/libsmb/ntlmssp_parse.c
index 3c6da349e4..60cb4ab04a 100644
--- a/source3/libsmb/ntlmssp_parse.c
+++ b/source3/libsmb/ntlmssp_parse.c
@@ -153,7 +153,8 @@ BOOL msrpc_gen(DATA_BLOB *blob,
SSVAL(blob->data, head_ofs, n); head_ofs += 2;
SSVAL(blob->data, head_ofs, n); head_ofs += 2;
SIVAL(blob->data, head_ofs, data_ofs); head_ofs += 4;
- memcpy(blob->data+data_ofs, b, n);
+ if (n && b) /* don't follow null pointers... */
+ memcpy(blob->data+data_ofs, b, n);
data_ofs += n;
break;
case 'd':
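Review bot: When `b` is NULL but `n` is non-zero, the added guard skips the copy, yet the header fields written just above still advertise `n` bytes and `data_ofs += n` still reserves them. The message then goes out with `n` bytes of whatever the blob buffer held, which is uninitialised heap content on the wire unless the buffer is zeroed at allocation (not visible here). I would make both cases explicit: `if (n && b) memcpy(blob->data+data_ofs, b, n); else if (n) memset(blob->data+data_ofs, 0, n);`. Alternatively, force `n` to 0 where it is computed, which is outside this hunk.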
diff --git a/source3/libsmb/smbencrypt.c b/source3/libsmb/smbencrypt.c
index 7a1a2d7d18..ada6a423f2 100644
--- a/source3/libsmb/smbencrypt.c
+++ b/source3/libsmb/smbencrypt.c
@@ -247,7 +247,7 @@ BOOL make_oem_passwd_hash(char data[516], const char *passwd, uchar old_pw_hash[
return True;
}
-/* Does the md5 encryption from the NT hash for NTLMv2. */
+/* Does the md5 encryption from the Key Response for NTLMv2. */
void SMBOWFencrypt_ntv2(const uchar kr[16],
const DATA_BLOB *srv_chal,
const DATA_BLOB *cli_chal,
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 5467c022f2..52395b39c9 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1586,7 +1586,7 @@ NTSTATUS cli_nt_setup_netsec(struct cli_state *cli, int sec_chan,
const uchar trust_password[16])
{
NTSTATUS result;
- uint32 neg_flags = 0x000001ff;
+ uint32 neg_flags = 0x000701ff;
cli->pipe_auth_flags = 0;
if (lp_client_schannel() == False) {
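Review bot: The negotiate flags change from `0x000001ff` to `0x000701ff`, which sets three further bits (`0x00070000`) with no name or comment saying what they request from the domain controller. Since these flags decide what the secure channel negotiates, I would either introduce named constants for the bits or add a comment such as `/* 0x00070000: <names of the three added netlogon negotiate flags>; needed because <reason> */`. The rest of cli_nt_setup_netsec lies outside the hunk.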
diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index 0ec78a0673..e7d5f7f118 100644
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -308,6 +308,8 @@ static NTSTATUS cmd_netlogon_sam_logon(struct cli_state *cli,
result = cli_netlogon_sam_logon(cli, mem_ctx, &ret_creds, username, password, logon_type);
+ clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &ret_creds);
+
if (!NT_STATUS_IS_OK(result))
goto done;
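Review bot: The return value of `clnt_deal_with_creds()` is discarded, so a reply whose server credential does not verify is treated the same as one that does. If the function reports success or failure (its declaration is not visible here), I would at least surface a failure, e.g. `if (!clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &ret_creds)) DEBUG(0, ("cmd_netlogon_sam_logon: server credential check failed\n"));`. The call is also made before `result` is tested, so on a failed request `ret_creds` may not have been filled in; a comment explaining why it must run before the status check would help.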
diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index 831d2beaa4..abdedc8f96 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -725,8 +725,10 @@ out_free:
nt_status = cli_full_connection(&cli, global_myname(), server,
opt_ipaddr ? &server_ip : NULL, 0,
"IPC$", "IPC",
- cmdline_auth_info.username, lp_workgroup(),
- cmdline_auth_info.password, 0,
+ cmdline_auth_info.username,
+ lp_workgroup(),
+ cmdline_auth_info.password,
+ cmdline_auth_info.use_kerberos ? CLI_FULL_CONNECTION_USE_KERBEROS : 0,
cmdline_auth_info.signing_state,NULL);
if (!NT_STATUS_IS_OK(nt_status)) {