-rw-r--r-- | source3/utils/net.c | 28 | ||||
-rw-r--r-- | source3/utils/net_ads.c | 4 | ||||
-rw-r--r-- | source3/utils/net_rpc_join.c | 17 |
3 files changed, 42 insertions, 7 deletions
diff --git a/source3/utils/net.c b/source3/utils/net.c
index 5a4568e033..c37e426d53 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -341,10 +341,10 @@ NTSTATUS connect_dst_pipe(struct cli_state **cli_dst, struct rpc_pipe_client **p
 }
 /****************************************************************************
- Use the local machine's password for this session.
+ Use the local machine account (upn) and password for this session.
 ****************************************************************************/
-int net_use_machine_password(void)
+int net_use_upn_machine_account(void)
 {
 	char *user_name = NULL;
@@ -353,7 +353,6 @@ int net_use_machine_password(void)
 		exit(1);
 	}
-	user_name = NULL;
 	opt_password = secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL);
 	if (asprintf(&user_name, "%s$@%s", global_myname(), lp_realm()) == -1) {
 		return -1;
@@ -362,6 +361,27 @@ int net_use_machine_password(void)
 	return 0;
 }
+/****************************************************************************
+ Use the machine account name and password for this session.
+****************************************************************************/
+
+int net_use_machine_account(void)
+{
+	char *user_name = NULL;
+
+	if (!secrets_init()) {
+		d_fprintf(stderr, "ERROR: Unable to open secrets database\n");
+		exit(1);
+	}
+
+	opt_password = secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL);
+	if (asprintf(&user_name, "%s$", global_myname()) == -1) {
+		return -1;
+	}
+	opt_user_name = user_name;
+	return 0;
+}
+
 BOOL net_find_server(const char *domain, unsigned flags, struct in_addr *server_ip, char **server_name)
 {
 	const char *d = domain ? domain : opt_target_workgroup;
@@ -1044,7 +1064,7 @@ static struct functable net_func[] = {
 		/* it is very useful to be able to make ads queries as the
 		   machine account for testing purposes and for domain leave */
-		net_use_machine_password();
+		net_use_upn_machine_account();
 	}
 	if (!opt_password) {
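Review bot: net_use_machine_account() in the third hunk repeats net_use_upn_machine_account() line for line apart from the asprintf format, and both install the password in opt_password before the name is built, so on an asprintf failure they return -1 with opt_password already replaced while opt_user_name still holds its previous value; a caller that drops the return (net_rpc_join.c does) then carries on with that mismatched pair. Folding the shared body into one static helper that takes the UPN/plain choice means the error path and the secrets handling are fixed in one place. The header comments should also state the contract, since the last hunk's caller relies on it: `Returns 0 on success, -1 if the user name could not be built; opt_password takes whatever secrets_fetch_machine_password() returns and must be checked for NULL by the caller.` Whether that function can return NULL is not visible here, but the `if (!opt_password)` prompt right after the call in net_func[] suggests it can.
```c
/****************************************************************************
 Shared body of net_use_upn_machine_account() and net_use_machine_account():
 put the machine account's password in opt_password and its name in
 opt_user_name, as "host$@REALM" when upn is True or "host$" otherwise.
 Returns 0 on success, -1 if the user name could not be built.  opt_password
 takes whatever secrets_fetch_machine_password() returns; callers check it
 for NULL.
****************************************************************************/

static int net_use_machine_creds(BOOL upn)
{
	char *user_name = NULL;
	int ret;

	if (!secrets_init()) {
		d_fprintf(stderr, "ERROR: Unable to open secrets database\n");
		exit(1);
	}

	opt_password = secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL);
	if (upn) {
		ret = asprintf(&user_name, "%s$@%s", global_myname(), lp_realm());
	} else {
		ret = asprintf(&user_name, "%s$", global_myname());
	}
	if (ret == -1) {
		return -1;
	}
	opt_user_name = user_name;
	return 0;
}

int net_use_upn_machine_account(void)
{
	return net_use_machine_creds(True);
}

int net_use_machine_account(void)
{
	return net_use_machine_creds(False);
}
```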
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index f4fc9470f6..bb7945dbf5 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -882,7 +882,7 @@ static NTSTATUS net_ads_join_ok(void)
 		return NT_STATUS_ACCESS_DENIED;
 	}
-	net_use_machine_password();
+	net_use_upn_machine_account();
 	status = ads_startup(True, &ads);
 	if (!ADS_ERR_OK(status)) {
@@ -2187,7 +2187,7 @@ int net_ads_changetrustpw(int argc, const char **argv)
 		return -1;
 	}
-	net_use_machine_password();
+	net_use_upn_machine_account();
 	use_in_memory_ccache();
diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
index 558de8d8b4..1097eb9575 100644
--- a/source3/utils/net_rpc_join.c
+++ b/source3/utils/net_rpc_join.c
@@ -42,14 +42,29 @@
  **/
 int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip )
 {
+	enum security_types sec;
+	unsigned int conn_flags = NET_FLAGS_PDC;
 	uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
 	struct cli_state *cli = NULL;
 	struct rpc_pipe_client *pipe_hnd = NULL;
 	struct rpc_pipe_client *netlogon_pipe = NULL;
 	NTSTATUS ntret = NT_STATUS_UNSUCCESSFUL;
+	sec = (enum security_types)lp_security();
+
+	if (sec == SEC_ADS) {
+		/* Connect to IPC$ using machine account's credentials. We don't use anonymous
+		   connection here, as it may be denied by server's local policy. */
+		net_use_machine_account();
+
+	} else {
+		/* some servers (e.g. WinNT) don't accept machine-authenticated
+		   smb connections */
+		conn_flags |= NET_FLAGS_ANONYMOUS;
+	}
+
 	/* Connect to remote machine */
-	if (!(cli = net_make_ipc_connection_ex(domain, server, ip, (NET_FLAGS_ANONYMOUS|NET_FLAGS_PDC)))) {
+	if (!(cli = net_make_ipc_connection_ex(domain, server, ip, conn_flags))) {
 		return -1;
 	}
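Review bot: The result of net_use_machine_account() in the SEC_ADS branch of net_rpc_join_ok() is discarded, so when it fails (its asprintf returning -1) opt_password has already been replaced with the machine password while opt_user_name still holds the earlier value, and the IPC$ connection a few lines down is attempted with that mismatched pair. Checking both the return and the password it installs keeps the failure local and matches the -1 this function already returns when the connection fails: `if (net_use_machine_account() != 0 || opt_password == NULL) {` / `return -1;` / `}`. Whether net_make_ipc_connection_ex() would reject a NULL password or quietly fall back to an anonymous session is not visible in this hunk, which is the reason to test it before the call rather than after. The two net_ads.c hunks are a rename only; net_rpc_join_ok() continues past the end of the hunk.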