argv[0], get_dyn_CONFIGFILE());
}
+ if (get_cmdline_auth_info_use_machine_account() &&
+ !set_cmdline_auth_info_machine_account_creds()) {
+ exit(-1);
+ }
+
load_interfaces();
if (service_opt && service) {
bool use_kerberos;
int signing_state;
bool smb_encrypt;
+ bool use_machine_account;
};
#endif /* _POPT_COMMON_H */
}
break;
case 'P':
- {
- char *opt_password = NULL;
- char *pwd = NULL;
-
- /* it is very useful to be able to make ads queries as the
- machine account for testing purposes and for domain leave */
-
- if (!secrets_init()) {
- d_printf("ERROR: Unable to open secrets database\n");
- exit(1);
- }
-
- opt_password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
-
- if (!opt_password) {
- d_printf("ERROR: Unable to fetch machine password\n");
- exit(1);
- }
- if (asprintf(&pwd, "%s$", global_myname()) < 0) {
- exit(ENOMEM);
- }
- set_cmdline_auth_info_username(pwd);
- set_cmdline_auth_info_password(opt_password);
- SAFE_FREE(pwd);
- SAFE_FREE(opt_password);
-
- /* machine accounts only work with kerberos */
- set_cmdline_auth_info_use_krb5_ticket();
- }
+ set_cmdline_auth_info_use_machine_account();
break;
case 'N':
set_cmdline_auth_info_password("");
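Review bot: At `case 'P':` the option now only sets `use_machine_account`; the removed `set_cmdline_auth_info_use_krb5_ticket()` call, which made it imply Kerberos, has no replacement in the visible hunks. The call sites changed in this commit add `CLI_FULL_CONNECTION_USE_KERBEROS` only when `get_cmdline_auth_info_use_kerberos()` is true, so without the Kerberos option the machine account appears to authenticate over NTLMSSP. The deleted comment said machine accounts only work with Kerberos. If the weaker path is intended, say so at the case label, e.g. `/* creds are loaded later by set_cmdline_auth_info_machine_account_creds(); Kerberos only if also requested */`, and in the option's help text. The switch statement starts and ends outside the hunk.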
false, /* got_pass */
false, /* use_kerberos */
Undefined, /* signing state */
- false /* smb_encrypt */
+ false, /* smb_encrypt */
+ false /* use machine account */
};
const char *get_cmdline_auth_info_username(void)
cmdline_auth_info.smb_encrypt = true;
}
+void set_cmdline_auth_info_use_machine_account(void)
+{
+ cmdline_auth_info.use_machine_account = true;
+}
+
bool get_cmdline_auth_info_got_pass(void)
{
return cmdline_auth_info.got_pass;
return cmdline_auth_info.smb_encrypt;
}
+bool get_cmdline_auth_info_use_machine_account(void)
+{
+ return cmdline_auth_info.use_machine_account;
+}
+
bool get_cmdline_auth_info_copy(struct user_auth_info *info)
{
*info = cmdline_auth_info;
return true;
}
+bool set_cmdline_auth_info_machine_account_creds(void)
+{
+ char *pass = NULL;
+ char *account = NULL;
+
+ if (!get_cmdline_auth_info_use_machine_account()) {
+ return false;
+ }
+
+ if (!secrets_init()) {
+ d_printf("ERROR: Unable to open secrets database\n");
+ return false;
+ }
+
+ if (asprintf(&account, "%s$@%s", global_myname(), lp_realm()) < 0) {
+ return false;
+ }
+
+ pass = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
+ if (!pass) {
+ d_printf("ERROR: Unable to fetch machine password for "
+ "%s in domain %s\n",
+ account, lp_workgroup());
+ SAFE_FREE(account);
+ return false;
+ }
+
+ set_cmdline_auth_info_username(account);
+ set_cmdline_auth_info_password(pass);
+
+ SAFE_FREE(account);
+ SAFE_FREE(pass);
+
+ return true;
+}
+
/**************************************************************************n
Find a suitable temporary directory. The result should be copied immediately
as it may be overwritten by a subsequent call.
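Review bot: In set_cmdline_auth_info_machine_account_creds(), `pass` holds the cleartext machine account password from secrets_fetch_machine_password() and is released with a plain `SAFE_FREE(pass)`, so the secret stays readable in freed heap memory. Overwrite the buffer before freeing it on the success path, using a wipe the compiler cannot discard as a dead store. Separately, the asprintf() failure returns false without a message, unlike the other two failure paths, so a caller that exits on false stops with no diagnostic; add `d_printf("ERROR: Out of memory\n");` before that `return false;`. The function also lacks a header comment stating that it replaces any username and password already set from the command line.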
int i;
bool got_kerberos_mechanism = False;
DATA_BLOB blob;
+ const char *p = NULL;
+ char *account = NULL;
DEBUG(3,("Doing spnego session setup (blob length=%lu)\n", (unsigned long)cli->secblob.length));
ntlmssp:
- return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, domain));
+ account = talloc_strdup(talloc_tos(), user);
+ ADS_ERROR_HAVE_NO_MEMORY(account);
+
+ /* when falling back to ntlmssp while authenticating with a machine
+ * account strip off the realm - gd */
+
+ if ((p = strchr_m(user, '@')) != NULL) {
+ account[PTR_DIFF(p,user)] = '\0';
+ }
+
+ return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, account, pass, domain));
}
/****************************************************************************
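Review bot: On the `ntlmssp:` path the realm is cut off for every `user` that contains '@', not only for machine accounts as the comment says. An explicitly supplied user@REALM name is therefore also reduced to its first component and authenticated against the unchanged `domain`. If that is intended, the comment should say it: `/* NTLMSSP takes a bare account name: strip any @realm suffix, machine account or not */`. The move from Kerberos to NTLMSSP is also silent here; a `DEBUG(3,("falling back to NTLMSSP as %s\n", account));` before the return would record that the weaker mechanism was used. The function body starts outside the hunk.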
{
struct cli_state *cli;
NTSTATUS nt_status;
+ uint32_t flags = CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK;
+
+ if (user_info->use_kerberos) {
+ flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
+ }
nt_status = cli_full_connection(&cli, NULL, server, server_ss, 0, "IPC$", "IPC",
user_info->username ? user_info->username : "",
lp_workgroup(),
user_info->password ? user_info->password : "",
- CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK, Undefined, NULL);
+ flags,
+ Undefined, NULL);
if (NT_STATUS_IS_OK(nt_status)) {
return cli;
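Review bot: This call site sets `CLI_FULL_CONNECTION_USE_KERBEROS` on its own, while the other three callers changed in this commit also set `CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS`. Together with `CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK`, a failed Kerberos attempt here may end in an anonymous session rather than an NTLMSSP one; the diff does not show which. A short comment above the `flags` initialisation should state the intended order of fallbacks and why this caller differs, so the difference is not later taken for an oversight. The function starts and ends outside the hunk.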
fstring new_workgroup;
int result = 0;
TALLOC_CTX *frame = talloc_stackframe();
+ uint32_t flags = 0;
/* make sure the vars that get altered (4th field) are in
a fixed location or certain compilers complain */
* from stdin if necessary
*/
+ if (get_cmdline_auth_info_use_machine_account() &&
+ !set_cmdline_auth_info_machine_account_creds()) {
+ result = 1;
+ goto done;
+ }
+
if (!get_cmdline_auth_info_got_pass()) {
char *pass = getpass("Password:");
if (pass) {
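Review bot: The two-call guard `get_cmdline_auth_info_use_machine_account() && !set_cmdline_auth_info_machine_account_creds()` is repeated verbatim in five places in this commit: here, in the first lines of the page, in the two connection helpers that `return NULL`, and in the last hunk. Callers need the first half only because set_cmdline_auth_info_machine_account_creds() returns false when the flag is unset. A single helper that returns true in that case would cut each call site to one test and remove the risk of a future caller omitting the flag check. Each site must also keep the guard ahead of the `get_cmdline_auth_info_got_pass()` prompt, which deserves a one-line comment such as `/* load machine creds before deciding whether to prompt */`.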
server += 2;
}
+ if (get_cmdline_auth_info_use_kerberos()) {
+ flags |= CLI_FULL_CONNECTION_USE_KERBEROS |
+ CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
+ }
+
+
nt_status = cli_full_connection(&cli, global_myname(), server,
opt_ipaddr ? &server_ss : NULL, opt_port,
"IPC$", "IPC",
get_cmdline_auth_info_username(),
lp_workgroup(),
get_cmdline_auth_info_password(),
- get_cmdline_auth_info_use_kerberos() ? CLI_FULL_CONNECTION_USE_KERBEROS : 0,
+ flags,
get_cmdline_auth_info_signing_state(),NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
struct cli_state *c = NULL;
struct sockaddr_storage ss;
NTSTATUS nt_status;
+ uint32_t flags = 0;
+
zero_addr(&ss);
+ if (get_cmdline_auth_info_use_kerberos()) {
+ flags |= CLI_FULL_CONNECTION_USE_KERBEROS |
+ CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
+ }
+
+ if (get_cmdline_auth_info_use_machine_account() &&
+ !set_cmdline_auth_info_machine_account_creds()) {
+ return NULL;
+ }
+
if (!get_cmdline_auth_info_got_pass()) {
char *pass = getpass("Password: ");
if (pass) {
get_cmdline_auth_info_username(),
lp_workgroup(),
get_cmdline_auth_info_password(),
- get_cmdline_auth_info_use_kerberos() ? CLI_FULL_CONNECTION_USE_KERBEROS : 0,
+ flags,
get_cmdline_auth_info_signing_state(),
NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
struct cli_state *c;
struct sockaddr_storage ss;
NTSTATUS nt_status;
+ uint32_t flags = 0;
+
zero_addr(&ss);
+ if (get_cmdline_auth_info_use_machine_account() &&
+ !set_cmdline_auth_info_machine_account_creds()) {
+ return NULL;
+ }
+
+ if (get_cmdline_auth_info_use_kerberos()) {
+ flags |= CLI_FULL_CONNECTION_USE_KERBEROS |
+ CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
+
+ }
+
if (!get_cmdline_auth_info_got_pass()) {
char *pass = getpass("Password: ");
if (pass) {
get_cmdline_auth_info_username(),
lp_workgroup(),
get_cmdline_auth_info_password(),
- 0,
+ flags,
get_cmdline_auth_info_signing_state(),
NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
/* Parse command line args */
+ if (get_cmdline_auth_info_use_machine_account() &&
+ !set_cmdline_auth_info_machine_account_creds()) {
+ TALLOC_FREE(frame);
+ return 1;
+ }
+
if (!get_cmdline_auth_info_got_pass()) {
char *pass = getpass("Password: ");
if (pass) {