summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
Diffstat (limited to 'source3')
-rw-r--r--source3/client/client.c5
-rw-r--r--source3/include/popt_common.h1
-rw-r--r--source3/lib/popt_common.c30
-rw-r--r--source3/lib/util.c49
-rw-r--r--source3/libsmb/cliconnect.c22
-rw-r--r--source3/rpcclient/rpcclient.c15
-rw-r--r--source3/utils/smbcacls.c14
-rw-r--r--source3/utils/smbcquotas.c15
-rw-r--r--source3/utils/smbtree.c6
9 files changed, 122 insertions, 35 deletions
diff --git a/source3/client/client.c b/source3/client/client.c
index b4e1985a83..cc0da18d4d 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -4875,6 +4875,11 @@ static int do_message_op(void)
argv[0], get_dyn_CONFIGFILE());
}
+ if (get_cmdline_auth_info_use_machine_account() &&
+ !set_cmdline_auth_info_machine_account_creds()) {
+ exit(-1);
+ }
+
load_interfaces();
if (service_opt && service) {
diff --git a/source3/include/popt_common.h b/source3/include/popt_common.h
index 9e5503f270..c889d2e6e6 100644
--- a/source3/include/popt_common.h
+++ b/source3/include/popt_common.h
@@ -50,6 +50,7 @@ struct user_auth_info {
bool use_kerberos;
int signing_state;
bool smb_encrypt;
+ bool use_machine_account;
};
#endif /* _POPT_COMMON_H */
diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
index 8f0f7c62bb..25e41ab5f3 100644
--- a/source3/lib/popt_common.c
+++ b/source3/lib/popt_common.c
@@ -514,35 +514,7 @@ static void popt_common_credentials_callback(poptContext con,
}
break;
case 'P':
- {
- char *opt_password = NULL;
- char *pwd = NULL;
-
- /* it is very useful to be able to make ads queries as the
- machine account for testing purposes and for domain leave */
-
- if (!secrets_init()) {
- d_printf("ERROR: Unable to open secrets database\n");
- exit(1);
- }
-
- opt_password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
-
- if (!opt_password) {
- d_printf("ERROR: Unable to fetch machine password\n");
- exit(1);
- }
- if (asprintf(&pwd, "%s$", global_myname()) < 0) {
- exit(ENOMEM);
- }
- set_cmdline_auth_info_username(pwd);
- set_cmdline_auth_info_password(opt_password);
- SAFE_FREE(pwd);
- SAFE_FREE(opt_password);
-
- /* machine accounts only work with kerberos */
- set_cmdline_auth_info_use_krb5_ticket();
- }
+ set_cmdline_auth_info_use_machine_account();
break;
case 'N':
set_cmdline_auth_info_password("");
diff --git a/source3/lib/util.c b/source3/lib/util.c
index 953981e82a..5f95bcc558 100644
--- a/source3/lib/util.c
+++ b/source3/lib/util.c
@@ -291,7 +291,8 @@ static struct user_auth_info cmdline_auth_info = {
false, /* got_pass */
false, /* use_kerberos */
Undefined, /* signing state */
- false /* smb_encrypt */
+ false, /* smb_encrypt */
+ false /* use machine account */
};
const char *get_cmdline_auth_info_username(void)
@@ -370,6 +371,11 @@ void set_cmdline_auth_info_smb_encrypt(void)
cmdline_auth_info.smb_encrypt = true;
}
+void set_cmdline_auth_info_use_machine_account(void)
+{
+ cmdline_auth_info.use_machine_account = true;
+}
+
bool get_cmdline_auth_info_got_pass(void)
{
return cmdline_auth_info.got_pass;
@@ -380,6 +386,11 @@ bool get_cmdline_auth_info_smb_encrypt(void)
return cmdline_auth_info.smb_encrypt;
}
+bool get_cmdline_auth_info_use_machine_account(void)
+{
+ return cmdline_auth_info.use_machine_account;
+}
+
bool get_cmdline_auth_info_copy(struct user_auth_info *info)
{
*info = cmdline_auth_info;
@@ -392,6 +403,42 @@ bool get_cmdline_auth_info_copy(struct user_auth_info *info)
return true;
}
+bool set_cmdline_auth_info_machine_account_creds(void)
+{
+ char *pass = NULL;
+ char *account = NULL;
+
+ if (!get_cmdline_auth_info_use_machine_account()) {
+ return false;
+ }
+
+ if (!secrets_init()) {
+ d_printf("ERROR: Unable to open secrets database\n");
+ return false;
+ }
+
+ if (asprintf(&account, "%s$@%s", global_myname(), lp_realm()) < 0) {
+ return false;
+ }
+
+ pass = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
+ if (!pass) {
+ d_printf("ERROR: Unable to fetch machine password for "
+ "%s in domain %s\n",
+ account, lp_workgroup());
+ SAFE_FREE(account);
+ return false;
+ }
+
+ set_cmdline_auth_info_username(account);
+ set_cmdline_auth_info_password(pass);
+
+ SAFE_FREE(account);
+ SAFE_FREE(pass);
+
+ return true;
+}
+
/**************************************************************************n
Find a suitable temporary directory. The result should be copied immediately
as it may be overwritten by a subsequent call.
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 7d3d246da5..671f0e7bc5 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -795,6 +795,8 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
int i;
bool got_kerberos_mechanism = False;
DATA_BLOB blob;
+ const char *p = NULL;
+ char *account = NULL;
DEBUG(3,("Doing spnego session setup (blob length=%lu)\n", (unsigned long)cli->secblob.length));
@@ -925,7 +927,17 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
ntlmssp:
- return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, domain));
+ account = talloc_strdup(talloc_tos(), user);
+ ADS_ERROR_HAVE_NO_MEMORY(account);
+
+ /* when falling back to ntlmssp while authenticating with a machine
+ * account strip off the realm - gd */
+
+ if ((p = strchr_m(user, '@')) != NULL) {
+ account[PTR_DIFF(p,user)] = '\0';
+ }
+
+ return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, account, pass, domain));
}
/****************************************************************************
@@ -1867,12 +1879,18 @@ struct cli_state *get_ipc_connect(char *server,
{
struct cli_state *cli;
NTSTATUS nt_status;
+ uint32_t flags = CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK;
+
+ if (user_info->use_kerberos) {
+ flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
+ }
nt_status = cli_full_connection(&cli, NULL, server, server_ss, 0, "IPC$", "IPC",
user_info->username ? user_info->username : "",
lp_workgroup(),
user_info->password ? user_info->password : "",
- CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK, Undefined, NULL);
+ flags,
+ Undefined, NULL);
if (NT_STATUS_IS_OK(nt_status)) {
return cli;
diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index 10a1741207..c4be970ac3 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -736,6 +736,7 @@ out_free:
fstring new_workgroup;
int result = 0;
TALLOC_CTX *frame = talloc_stackframe();
+ uint32_t flags = 0;
/* make sure the vars that get altered (4th field) are in
a fixed location or certain compilers complain */
@@ -827,6 +828,12 @@ out_free:
* from stdin if necessary
*/
+ if (get_cmdline_auth_info_use_machine_account() &&
+ !set_cmdline_auth_info_machine_account_creds()) {
+ result = 1;
+ goto done;
+ }
+
if (!get_cmdline_auth_info_got_pass()) {
char *pass = getpass("Password:");
if (pass) {
@@ -839,13 +846,19 @@ out_free:
server += 2;
}
+ if (get_cmdline_auth_info_use_kerberos()) {
+ flags |= CLI_FULL_CONNECTION_USE_KERBEROS |
+ CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
+ }
+
+
nt_status = cli_full_connection(&cli, global_myname(), server,
opt_ipaddr ? &server_ss : NULL, opt_port,
"IPC$", "IPC",
get_cmdline_auth_info_username(),
lp_workgroup(),
get_cmdline_auth_info_password(),
- get_cmdline_auth_info_use_kerberos() ? CLI_FULL_CONNECTION_USE_KERBEROS : 0,
+ flags,
get_cmdline_auth_info_signing_state(),NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
index af14c622dc..95ef6190e8 100644
--- a/source3/utils/smbcacls.c
+++ b/source3/utils/smbcacls.c
@@ -821,8 +821,20 @@ static struct cli_state *connect_one(const char *server, const char *share)
struct cli_state *c = NULL;
struct sockaddr_storage ss;
NTSTATUS nt_status;
+ uint32_t flags = 0;
+
zero_addr(&ss);
+ if (get_cmdline_auth_info_use_kerberos()) {
+ flags |= CLI_FULL_CONNECTION_USE_KERBEROS |
+ CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
+ }
+
+ if (get_cmdline_auth_info_use_machine_account() &&
+ !set_cmdline_auth_info_machine_account_creds()) {
+ return NULL;
+ }
+
if (!get_cmdline_auth_info_got_pass()) {
char *pass = getpass("Password: ");
if (pass) {
@@ -836,7 +848,7 @@ static struct cli_state *connect_one(const char *server, const char *share)
get_cmdline_auth_info_username(),
lp_workgroup(),
get_cmdline_auth_info_password(),
- get_cmdline_auth_info_use_kerberos() ? CLI_FULL_CONNECTION_USE_KERBEROS : 0,
+ flags,
get_cmdline_auth_info_signing_state(),
NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
diff --git a/source3/utils/smbcquotas.c b/source3/utils/smbcquotas.c
index 508a2dc8ca..a73c3b49df 100644
--- a/source3/utils/smbcquotas.c
+++ b/source3/utils/smbcquotas.c
@@ -371,8 +371,21 @@ static struct cli_state *connect_one(const char *share)
struct cli_state *c;
struct sockaddr_storage ss;
NTSTATUS nt_status;
+ uint32_t flags = 0;
+
zero_addr(&ss);
+ if (get_cmdline_auth_info_use_machine_account() &&
+ !set_cmdline_auth_info_machine_account_creds()) {
+ return NULL;
+ }
+
+ if (get_cmdline_auth_info_use_kerberos()) {
+ flags |= CLI_FULL_CONNECTION_USE_KERBEROS |
+ CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
+
+ }
+
if (!get_cmdline_auth_info_got_pass()) {
char *pass = getpass("Password: ");
if (pass) {
@@ -386,7 +399,7 @@ static struct cli_state *connect_one(const char *share)
get_cmdline_auth_info_username(),
lp_workgroup(),
get_cmdline_auth_info_password(),
- 0,
+ flags,
get_cmdline_auth_info_signing_state(),
NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
diff --git a/source3/utils/smbtree.c b/source3/utils/smbtree.c
index c2b364d1e9..e975a1c8a2 100644
--- a/source3/utils/smbtree.c
+++ b/source3/utils/smbtree.c
@@ -302,6 +302,12 @@ static bool print_tree(struct user_auth_info *user_info)
/* Parse command line args */
+ if (get_cmdline_auth_info_use_machine_account() &&
+ !set_cmdline_auth_info_machine_account_creds()) {
+ TALLOC_FREE(frame);
+ return 1;
+ }
+
if (!get_cmdline_auth_info_got_pass()) {
char *pass = getpass("Password: ");
if (pass) {