From e4202a9fe70785a0a5b47c90df696a880294d310 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 15 Feb 2003 00:29:21 +0000 Subject: Antti Andreimann has done some changes to enable users w/o full administrative access on computer accounts to join a computer into AD domain. The patch and detailed changelog is available at: http://www.itcollege.ee/~aandreim/samba This is a list of changes in general: 1. When creating machine account do not fail if SD cannot be changed. setting SD is not mandatory and join will work perfectly without it. 2. Implement KPASSWD CHANGEPW protocol for changing trust password so machine account does not need to have reset password right for itself. 3. Command line utilities no longer interfere with user's existing kerberos ticket cache. 4. Command line utilities can do kerberos authentication even if username is specified (-U). Initial TGT will be requested in this case. I've modified the patch to share the kinit code, rather than copying it, and updated it to current CVS. The other change included in the original patch (local realms) has been left out for now. Andrew Bartlett (This used to be commit ce52f1c2ed4d3ddafe8ae6258c90b90fa434fe43) --- source3/utils/net_ads.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) (limited to 'source3/utils') diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index 867252c95f..d508320423 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -110,6 +110,11 @@ static int net_ads_info(int argc, const char **argv) return 0; } +static void use_in_memory_ccache() { + /* Use in-memory credentials cache so we do not interfere with + * existing credentials */ + setenv(KRB5_ENV_CCNAME, "MEMORY:net_ads", 1); +} static ADS_STRUCT *ads_startup(void) { @@ -124,8 +129,10 @@ static ADS_STRUCT *ads_startup(void) opt_user_name = "administrator"; } - if (opt_user_specified) + if (opt_user_specified) { need_password = True; + use_in_memory_ccache(); + } retry: if (!opt_password && need_password) { @@ -601,6 +608,8 @@ static int net_ads_join_ok(void) */ int net_ads_testjoin(int argc, const char **argv) { + use_in_memory_ccache(); + /* Display success or failure */ if (net_ads_join_ok() != 0) { fprintf(stderr,"Join to domain is not valid\n"); @@ -878,7 +887,8 @@ static int net_ads_password(int argc, const char **argv) (strchr(argv[0], '@') == NULL)) { return net_ads_usage(argc, argv); } - + + use_in_memory_ccache(); c = strchr(auth_principal, '@'); realm = ++c; @@ -925,6 +935,8 @@ static int net_ads_change_localhost_pass(int argc, const char **argv) opt_password = secrets_fetch_machine_password(); + use_in_memory_ccache(); + if (!(ads = ads_startup())) { return -1; } -- cgit