-rw-r--r--source3/client/client.c5
-rw-r--r--source3/include/popt_common.h1
-rw-r--r--source3/lib/popt_common.c30
-rw-r--r--source3/lib/util.c49
-rw-r--r--source3/libsmb/cliconnect.c22
-rw-r--r--source3/rpcclient/rpcclient.c15
-rw-r--r--source3/utils/smbcacls.c14
-rw-r--r--source3/utils/smbcquotas.c15
-rw-r--r--source3/utils/smbtree.c6
9 files changed, 122 insertions, 35 deletions
diff --git a/source3/client/client.c b/source3/client/client.c
index b4e1985a83..cc0da18d4d 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -4875,6 +4875,11 @@ static int do_message_op(void)
argv[0], get_dyn_CONFIGFILE());
}
+ if (get_cmdline_auth_info_use_machine_account() &&
+ !set_cmdline_auth_info_machine_account_creds()) {
+ exit(-1);
+ }
+
load_interfaces();
if (service_opt && service) {
diff --git a/source3/include/popt_common.h b/source3/include/popt_common.h
index 9e5503f270..c889d2e6e6 100644
--- a/source3/include/popt_common.h
+++ b/source3/include/popt_common.h
@@ -50,6 +50,7 @@ struct user_auth_info {
bool use_kerberos;
int signing_state;
bool smb_encrypt;
+ bool use_machine_account;
};
#endif /* _POPT_COMMON_H */
diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
index 8f0f7c62bb..25e41ab5f3 100644
--- a/source3/lib/popt_common.c
+++ b/source3/lib/popt_common.c
@@ -514,35 +514,7 @@ static void popt_common_credentials_callback(poptContext con,
}
break;
case 'P':
- {
- char *opt_password = NULL;
- char *pwd = NULL;
-
- /* it is very useful to be able to make ads queries as the
- machine account for testing purposes and for domain leave */
-
- if (!secrets_init()) {
- d_printf("ERROR: Unable to open secrets database\n");
- exit(1);
- }
-
- opt_password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
-
- if (!opt_password) {
- d_printf("ERROR: Unable to fetch machine password\n");
- exit(1);
- }
- if (asprintf(&pwd, "%s$", global_myname()) < 0) {
- exit(ENOMEM);
- }
- set_cmdline_auth_info_username(pwd);
- set_cmdline_auth_info_password(opt_password);
- SAFE_FREE(pwd);
- SAFE_FREE(opt_password);
-
- /* machine accounts only work with kerberos */
- set_cmdline_auth_info_use_krb5_ticket();
- }
+ set_cmdline_auth_info_use_machine_account();
break;
case 'N':
set_cmdline_auth_info_password("");
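Review bot: With this change `case 'P':` only records a flag, so every program that uses this option table has to call set_cmdline_auth_info_machine_account_creds() itself after parsing. Any tool not updated in this commit (only five callers are visible here) would accept -P and then continue with whatever credentials remain, such as a password prompt or an empty password, without any error. The removed block also called set_cmdline_auth_info_use_krb5_ticket(), so -P no longer implies Kerberos; if that is intended, the commit message should say so. I would add a comment on the case, e.g. `/* only records the request; the caller must call set_cmdline_auth_info_machine_account_creds() once parsing is done */`. The callback body starts and ends outside this hunk.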
diff --git a/source3/lib/util.c b/source3/lib/util.c
index 953981e82a..5f95bcc558 100644
--- a/source3/lib/util.c
+++ b/source3/lib/util.c
@@ -291,7 +291,8 @@ static struct user_auth_info cmdline_auth_info = {
false, /* got_pass */
false, /* use_kerberos */
Undefined, /* signing state */
- false /* smb_encrypt */
+ false, /* smb_encrypt */
+ false /* use machine account */
};
const char *get_cmdline_auth_info_username(void)
@@ -370,6 +371,11 @@ void set_cmdline_auth_info_smb_encrypt(void)
cmdline_auth_info.smb_encrypt = true;
}
+void set_cmdline_auth_info_use_machine_account(void)
+{
+ cmdline_auth_info.use_machine_account = true;
+}
+
bool get_cmdline_auth_info_got_pass(void)
{
return cmdline_auth_info.got_pass;
@@ -380,6 +386,11 @@ bool get_cmdline_auth_info_smb_encrypt(void)
return cmdline_auth_info.smb_encrypt;
}
+bool get_cmdline_auth_info_use_machine_account(void)
+{
+ return cmdline_auth_info.use_machine_account;
+}
+
bool get_cmdline_auth_info_copy(struct user_auth_info *info)
{
*info = cmdline_auth_info;
@@ -392,6 +403,42 @@ bool get_cmdline_auth_info_copy(struct user_auth_info *info)
return true;
}
+bool set_cmdline_auth_info_machine_account_creds(void)
+{
+ char *pass = NULL;
+ char *account = NULL;
+
+ if (!get_cmdline_auth_info_use_machine_account()) {
+ return false;
+ }
+
+ if (!secrets_init()) {
+ d_printf("ERROR: Unable to open secrets database\n");
+ return false;
+ }
+
+ if (asprintf(&account, "%s$@%s", global_myname(), lp_realm()) < 0) {
+ return false;
+ }
+
+ pass = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
+ if (!pass) {
+ d_printf("ERROR: Unable to fetch machine password for "
+ "%s in domain %s\n",
+ account, lp_workgroup());
+ SAFE_FREE(account);
+ return false;
+ }
+
+ set_cmdline_auth_info_username(account);
+ set_cmdline_auth_info_password(pass);
+
+ SAFE_FREE(account);
+ SAFE_FREE(pass);
+
+ return true;
+}
+
/**************************************************************************n
Find a suitable temporary directory. The result should be copied immediately
as it may be overwritten by a subsequent call.
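Review bot: The machine account password fetched into `pass` is released with `SAFE_FREE(pass)` without being overwritten, so the secret stays in freed heap memory for the rest of the process. It should be cleared before the free, using a zeroing call the compiler cannot elide. The account name is built from `lp_realm()` with no check that a realm is configured; an empty realm would presumably yield `HOST$@`, so an explicit guard with its own error message seems worthwhile. The `asprintf` failure path also returns false silently while the other failures print an error. A header comment should state that this function reads the secrets database and overwrites any username and password given on the command line.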
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 7d3d246da5..671f0e7bc5 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -795,6 +795,8 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
int i;
bool got_kerberos_mechanism = False;
DATA_BLOB blob;
+ const char *p = NULL;
+ char *account = NULL;
DEBUG(3,("Doing spnego session setup (blob length=%lu)\n", (unsigned long)cli->secblob.length));
@@ -925,7 +927,17 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
ntlmssp:
- return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, domain));
+ account = talloc_strdup(talloc_tos(), user);
+ ADS_ERROR_HAVE_NO_MEMORY(account);
+
+ /* when falling back to ntlmssp while authenticating with a machine
+ * account strip off the realm - gd */
+
+ if ((p = strchr_m(user, '@')) != NULL) {
+ account[PTR_DIFF(p,user)] = '\0';
+ }
+
+ return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, account, pass, domain));
}
/****************************************************************************
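Review bot: The realm stripping at the `ntlmssp:` label applies to every user name that contains '@', not only to machine accounts as the comment says. A caller who supplied `user@OTHER.REALM` would now be authenticated over NTLMSSP as plain `user` in whatever `domain` holds, which may be a different account from the one named. Restricting the truncation to machine principals keeps the old behaviour for everyone else, e.g. `if ((p = strchr_m(user, '@')) != NULL && p > user && p[-1] == '$') {`. The function starts well before this hunk, so whether `user` can be NULL here cannot be confirmed from the visible lines.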
@@ -1867,12 +1879,18 @@ struct cli_state *get_ipc_connect(char *server,
{
struct cli_state *cli;
NTSTATUS nt_status;
+ uint32_t flags = CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK;
+
+ if (user_info->use_kerberos) {
+ flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
+ }
nt_status = cli_full_connection(&cli, NULL, server, server_ss, 0, "IPC$", "IPC",
user_info->username ? user_info->username : "",
lp_workgroup(),
user_info->password ? user_info->password : "",
- CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK, Undefined, NULL);
+ flags,
+ Undefined, NULL);
if (NT_STATUS_IS_OK(nt_status)) {
return cli;
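Review bot: This is the only connection path in the commit that sets `CLI_FULL_CONNECTION_USE_KERBEROS` without `CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS`, while keeping `CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK`. Judging by the flag names, a failed Kerberos exchange here would end in an anonymous session rather than an NTLMSSP attempt with the supplied credentials, and the caller gets a valid `cli` either way. If the difference from rpcclient, smbcacls and smbcquotas is deliberate, a comment next to `flags` should say so, e.g. `/* no NTLMSSP fallback here: browsing may proceed anonymously */`. Otherwise the flag set should match the other tools. The function body continues past the end of this hunk.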
diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index 10a1741207..c4be970ac3 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -736,6 +736,7 @@ out_free:
fstring new_workgroup;
int result = 0;
TALLOC_CTX *frame = talloc_stackframe();
+ uint32_t flags = 0;
/* make sure the vars that get altered (4th field) are in
a fixed location or certain compilers complain */
@@ -827,6 +828,12 @@ out_free:
* from stdin if necessary
*/
+ if (get_cmdline_auth_info_use_machine_account() &&
+ !set_cmdline_auth_info_machine_account_creds()) {
+ result = 1;
+ goto done;
+ }
+
if (!get_cmdline_auth_info_got_pass()) {
char *pass = getpass("Password:");
if (pass) {
@@ -839,13 +846,19 @@ out_free:
server += 2;
}
+ if (get_cmdline_auth_info_use_kerberos()) {
+ flags |= CLI_FULL_CONNECTION_USE_KERBEROS |
+ CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
+ }
+
+
nt_status = cli_full_connection(&cli, global_myname(), server,
opt_ipaddr ? &server_ss : NULL, opt_port,
"IPC$", "IPC",
get_cmdline_auth_info_username(),
lp_workgroup(),
get_cmdline_auth_info_password(),
- get_cmdline_auth_info_use_kerberos() ? CLI_FULL_CONNECTION_USE_KERBEROS : 0,
+ flags,
get_cmdline_auth_info_signing_state(),NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
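Review bot: Requesting Kerberos now also sets `CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS` for every user, not only when the machine account is in use. Before this commit the flag word was `CLI_FULL_CONNECTION_USE_KERBEROS` alone, so, judging by the flag name, an explicit Kerberos request can now be silently downgraded to NTLMSSP with the same credentials whenever the Kerberos exchange fails. Making the fallback conditional keeps the stricter behaviour for ordinary users: `if (get_cmdline_auth_info_use_machine_account()) { flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS; }`. The same applies to the `connect_one` hunks in smbcacls.c and smbcquotas.c; in smbcquotas.c the flag word was previously `0`. The enclosing function starts and ends outside this hunk.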
diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
index af14c622dc..95ef6190e8 100644
--- a/source3/utils/smbcacls.c
+++ b/source3/utils/smbcacls.c
@@ -821,8 +821,20 @@ static struct cli_state *connect_one(const char *server, const char *share)
struct cli_state *c = NULL;
struct sockaddr_storage ss;
NTSTATUS nt_status;
+ uint32_t flags = 0;
+
zero_addr(&ss);
+ if (get_cmdline_auth_info_use_kerberos()) {
+ flags |= CLI_FULL_CONNECTION_USE_KERBEROS |
+ CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
+ }
+
+ if (get_cmdline_auth_info_use_machine_account() &&
+ !set_cmdline_auth_info_machine_account_creds()) {
+ return NULL;
+ }
+
if (!get_cmdline_auth_info_got_pass()) {
char *pass = getpass("Password: ");
if (pass) {
@@ -836,7 +848,7 @@ static struct cli_state *connect_one(const char *server, const char *share)
get_cmdline_auth_info_username(),
lp_workgroup(),
get_cmdline_auth_info_password(),
- get_cmdline_auth_info_use_kerberos() ? CLI_FULL_CONNECTION_USE_KERBEROS : 0,
+ flags,
get_cmdline_auth_info_signing_state(),
NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
diff --git a/source3/utils/smbcquotas.c b/source3/utils/smbcquotas.c
index 508a2dc8ca..a73c3b49df 100644
--- a/source3/utils/smbcquotas.c
+++ b/source3/utils/smbcquotas.c
@@ -371,8 +371,21 @@ static struct cli_state *connect_one(const char *share)
struct cli_state *c;
struct sockaddr_storage ss;
NTSTATUS nt_status;
+ uint32_t flags = 0;
+
zero_addr(&ss);
+ if (get_cmdline_auth_info_use_machine_account() &&
+ !set_cmdline_auth_info_machine_account_creds()) {
+ return NULL;
+ }
+
+ if (get_cmdline_auth_info_use_kerberos()) {
+ flags |= CLI_FULL_CONNECTION_USE_KERBEROS |
+ CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
+
+ }
+
if (!get_cmdline_auth_info_got_pass()) {
char *pass = getpass("Password: ");
if (pass) {
@@ -386,7 +399,7 @@ static struct cli_state *connect_one(const char *share)
get_cmdline_auth_info_username(),
lp_workgroup(),
get_cmdline_auth_info_password(),
- 0,
+ flags,
get_cmdline_auth_info_signing_state(),
NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
diff --git a/source3/utils/smbtree.c b/source3/utils/smbtree.c
index c2b364d1e9..e975a1c8a2 100644
--- a/source3/utils/smbtree.c
+++ b/source3/utils/smbtree.c
@@ -302,6 +302,12 @@ static bool print_tree(struct user_auth_info *user_info)
/* Parse command line args */
+ if (get_cmdline_auth_info_use_machine_account() &&
+ !set_cmdline_auth_info_machine_account_creds()) {
+ TALLOC_FREE(frame);
+ return 1;
+ }
+
if (!get_cmdline_auth_info_got_pass()) {
char *pass = getpass("Password: ");
if (pass) {