From 172766eea7a374e910ea91c857fcce45996783a2 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 14 Aug 2003 01:08:00 +0000 Subject: Change Samba to always use extended security for it's guest logins, (ie, NTLMSSP with "" username, NULL password), and add --machine-pass (-P) to all of Samba's clients. When connecting to an Active Directory DC, you must initiate the CIFS level session setup with Kerberos, not a guest login. If you don't, your machine account is demoted to NT4. Andrew Bartlett (This used to be commit 3547cb3def45a90f99f67829a533eac1ccba5e77) --- source3/lib/popt_common.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) (limited to 'source3/lib/popt_common.c') diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c index c120651550..95a9a58b34 100644 --- a/source3/lib/popt_common.c +++ b/source3/lib/popt_common.c @@ -119,6 +119,7 @@ struct poptOption popt_common_connection[] = { { "netbiosname", 'n', POPT_ARG_STRING, NULL, 'n', "Primary netbios name", "NETBIOSNAME" }, { "workgroup", 'W', POPT_ARG_STRING, NULL, 'W', "Set the workgroup name", "WORKGROUP" }, { "scope", 'i', POPT_ARG_STRING, NULL, 'i', "Use this Netbios scope", "SCOPE" }, + POPT_TABLEEND }; @@ -259,6 +260,7 @@ static void get_credentials_file(const char *file, struct user_auth_info *info) * -k,--use-kerberos * -N,--no-pass * -S,--signing + * -P --machine-pass */ 
@@ -346,6 +348,33 @@ static void popt_common_credentials_callback(poptContext con,
 }
 }
 break;
+ case 'P':
+ {
+ char *opt_password = NULL;
+ /* it is very useful to be able to make ads queries as the
+ machine account for testing purposes and for domain leave */
+
+ if (!secrets_init()) {
+ d_printf("ERROR: Unable to open secrets database\n");
+ exit(1);
+ }
+
+ opt_password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
+
+ if (!opt_password) {
+ d_printf("ERROR: Unable to fetch machine password\n");
+ exit(1);
+ }
+ pstr_sprintf(cmdline_auth_info.username, "%s$",
+ global_myname());
+ pstrcpy(cmdline_auth_info.password,opt_password);
+ SAFE_FREE(opt_password);
+
+ /* machine accounts only work with kerberos */
+ cmdline_auth_info.use_kerberos = True;
+ cmdline_auth_info.got_pass = True;
+ }
+ break;
 }
 }
@@ -358,5 +387,6 @@ struct poptOption popt_common_credentials[] = {
 { "kerberos", 'k', POPT_ARG_NONE, &cmdline_auth_info.use_kerberos, 'k', "Use kerberos (active directory) authentication" },
 { "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A', "Get the credentials from a file", "FILE" },
 { "signing", 'S', POPT_ARG_STRING, NULL, 'S', "Set the client signing state", "on|off|required" },
+ {"machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', "Use stored machine account password" },
 POPT_TABLEEND
 };
-- cgit
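Review bot: In the new `case 'P':` branch the heap copy of the machine password is released with `SAFE_FREE(opt_password);` without being cleared first, so the secret stays in freed memory after it has been copied into `cmdline_auth_info.password`. Adding `memset(opt_password, 0, strlen(opt_password));` on the line before the free would limit that exposure. Separately, the secret is fetched while options are still being parsed, so `lp_workgroup()` and `global_myname()` presumably reflect only what was set before -P on the command line, and a later -W or -n would not be honoured; this is inferred from the callback structure and worth confirming. The enclosing switch in popt_common_credentials_callback starts outside the hunk.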
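Review bot: The help string of the new `machine-pass` row in popt_common_credentials does not say that -P also forces Kerberos, which the `case 'P':` handler does by setting `use_kerberos = True`. Wording such as `"Use stored machine account password (implies -k)"` would make that side effect visible in `--help`. The row is also written `{"machine-pass"` without the space after the brace that the neighbouring rows use, and the header comment line ` * -P --machine-pass` in the earlier hunk lacks the comma of its siblings.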