-rw-r--r--source3/utils/net.c28
-rw-r--r--source3/utils/net_ads.c4
-rw-r--r--source3/utils/net_rpc_join.c17
3 files changed, 42 insertions, 7 deletions
diff --git a/source3/utils/net.c b/source3/utils/net.c
index 5a4568e033..c37e426d53 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -341,10 +341,10 @@ NTSTATUS connect_dst_pipe(struct cli_state **cli_dst, struct rpc_pipe_client **p
}
/****************************************************************************
- Use the local machine's password for this session.
+ Use the local machine account (upn) and password for this session.
****************************************************************************/
-int net_use_machine_password(void)
+int net_use_upn_machine_account(void)
{
char *user_name = NULL;
@@ -353,7 +353,6 @@ int net_use_machine_password(void)
exit(1);
}
- user_name = NULL;
opt_password = secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL);
if (asprintf(&user_name, "%s$@%s", global_myname(), lp_realm()) == -1) {
return -1;
@@ -362,6 +361,27 @@ int net_use_machine_password(void)
return 0;
}
+/****************************************************************************
+ Use the machine account name and password for this session.
+****************************************************************************/
+
+int net_use_machine_account(void)
+{
+ char *user_name = NULL;
+
+ if (!secrets_init()) {
+ d_fprintf(stderr, "ERROR: Unable to open secrets database\n");
+ exit(1);
+ }
+
+ opt_password = secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL);
+ if (asprintf(&user_name, "%s$", global_myname()) == -1) {
+ return -1;
+ }
+ opt_user_name = user_name;
+ return 0;
+}
+
BOOL net_find_server(const char *domain, unsigned flags, struct in_addr *server_ip, char **server_name)
{
const char *d = domain ? domain : opt_target_workgroup;
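Review bot: In the new net_use_machine_account(), the result of `secrets_fetch_machine_password()` is stored in `opt_password` without a NULL check, so when no machine secret is stored the function still returns 0 with a `HOST$` user name and no password. A guard right after the fetch would make that failure visible to callers: `if (opt_password == NULL) { return -1; }`. If `asprintf()` fails, `opt_password` has already been replaced while `opt_user_name` keeps its old value, so the two globals no longer describe the same account; assigning both only after both steps succeed avoids that. The unchanged lines of net_use_upn_machine_account() in the previous hunk follow the same pattern. Since the two functions differ only in the format string, a shared static helper would keep the checks in one place.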
@@ -1044,7 +1064,7 @@ static struct functable net_func[] = {
/* it is very useful to be able to make ads queries as the
machine account for testing purposes and for domain leave */
- net_use_machine_password();
+ net_use_upn_machine_account();
}
if (!opt_password) {
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index f4fc9470f6..bb7945dbf5 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -882,7 +882,7 @@ static NTSTATUS net_ads_join_ok(void)
return NT_STATUS_ACCESS_DENIED;
}
- net_use_machine_password();
+ net_use_upn_machine_account();
status = ads_startup(True, &ads);
if (!ADS_ERR_OK(status)) {
@@ -2187,7 +2187,7 @@ int net_ads_changetrustpw(int argc, const char **argv)
return -1;
}
- net_use_machine_password();
+ net_use_upn_machine_account();
use_in_memory_ccache();
diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
index 558de8d8b4..1097eb9575 100644
--- a/source3/utils/net_rpc_join.c
+++ b/source3/utils/net_rpc_join.c
@@ -42,14 +42,29 @@
**/
int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip )
{
+ enum security_types sec;
+ unsigned int conn_flags = NET_FLAGS_PDC;
uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
struct cli_state *cli = NULL;
struct rpc_pipe_client *pipe_hnd = NULL;
struct rpc_pipe_client *netlogon_pipe = NULL;
NTSTATUS ntret = NT_STATUS_UNSUCCESSFUL;
+ sec = (enum security_types)lp_security();
+
+ if (sec == SEC_ADS) {
+ /* Connect to IPC$ using machine account's credentials. We don't use anonymous
+ connection here, as it may be denied by server's local policy. */
+ net_use_machine_account();
+
+ } else {
+ /* some servers (e.g. WinNT) don't accept machine-authenticated
+ smb connections */
+ conn_flags |= NET_FLAGS_ANONYMOUS;
+ }
+
/* Connect to remote machine */
- if (!(cli = net_make_ipc_connection_ex(domain, server, ip, (NET_FLAGS_ANONYMOUS|NET_FLAGS_PDC)))) {
+ if (!(cli = net_make_ipc_connection_ex(domain, server, ip, conn_flags))) {
return -1;
}
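Review bot: The return value of `net_use_machine_account()` is discarded in the `SEC_ADS` branch, so a failure to build the machine credentials still reaches `net_make_ipc_connection_ex()` with `conn_flags` lacking `NET_FLAGS_ANONYMOUS` and whatever `opt_user_name`/`opt_password` held before. Failing early is clearer: `if (net_use_machine_account() != 0) { return -1; }`. The helper also overwrites the process-wide `opt_user_name` and `opt_password`, so any credentials supplied by the caller are presumably replaced for whatever runs after this check. That side effect deserves a line in the function's header comment, or a save and restore around the connection. The body of net_rpc_join_ok() continues past the end of this hunk.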