net: fix joining w2k domains in "security = ads".

This repairs the join verification code which needs to try an anonymous
connection (as an authenticated connection will always fail with
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT).

Guenther

diff --git a/source/utils/net.c b/source/utils/net.c
index 5a81edb0f0aa918e372e1d2a1b6403d1ca3dbee4..d8ea462e43b523269691d0899a0826584dd75603 100644 (file)
--- a/source/utils/net.c
+++ b/source/utils/net.c
@@ -181,27 +181,30 @@ NTSTATUS connect_to_service(struct cli_state **c, struct in_addr *server_ip,
                                        opt_user_name, opt_workgroup,
                                        opt_password, 0, Undefined, NULL);
 
-       if (NT_STATUS_IS_OK(nt_status)) {
+       if (NT_STATUS_IS_OK(nt_status) ||
+           NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT) ||
+           NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT) ||
+           NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)) {
                return nt_status;
-       } else {
-               d_fprintf(stderr, "Could not connect to server %s\n", server_name);
+       }
 
-               /* Display a nicer message depending on the result */
+       d_fprintf(stderr, "Could not connect to server %s\n", server_name);
 
-               if (NT_STATUS_V(nt_status) == 
-                   NT_STATUS_V(NT_STATUS_LOGON_FAILURE))
-                       d_fprintf(stderr, "The username or password was not correct.\n");
+       /* Display a nicer message depending on the result */
 
-               if (NT_STATUS_V(nt_status) == 
-                   NT_STATUS_V(NT_STATUS_ACCOUNT_LOCKED_OUT))
-                       d_fprintf(stderr, "The account was locked out.\n");
+       if (NT_STATUS_V(nt_status) ==
+           NT_STATUS_V(NT_STATUS_LOGON_FAILURE))
+               d_fprintf(stderr, "The username or password was not correct.\n");
 
-               if (NT_STATUS_V(nt_status) == 
-                   NT_STATUS_V(NT_STATUS_ACCOUNT_DISABLED))
-                       d_fprintf(stderr, "The account was disabled.\n");
+       if (NT_STATUS_V(nt_status) ==
+           NT_STATUS_V(NT_STATUS_ACCOUNT_LOCKED_OUT))
+               d_fprintf(stderr, "The account was locked out.\n");
 
-               return nt_status;
-       }
+       if (NT_STATUS_V(nt_status) ==
+           NT_STATUS_V(NT_STATUS_ACCOUNT_DISABLED))
+               d_fprintf(stderr, "The account was disabled.\n");
+
+       return nt_status;
 }
 
 
@@ -481,7 +484,7 @@ struct cli_state *net_make_ipc_connection_ex( const char *domain, const char *se
        char *server_name = NULL;
        struct in_addr server_ip;
        struct cli_state *cli = NULL;
-       NTSTATUS nt_status;
+       NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
 
        if ( !server || !ip ) {
                if (!net_find_server(domain, flags, &server_ip, &server_name)) {
@@ -493,25 +496,31 @@ struct cli_state *net_make_ipc_connection_ex( const char *domain, const char *se
                server_ip = *ip;
        }
 
+       if (opt_user_name && opt_password) {
+               nt_status = connect_to_ipc(&cli, &server_ip, server_name);
+               if (NT_STATUS_IS_OK(nt_status)) {
+                       goto connected;
+               }
+       }
        if (flags & NET_FLAGS_ANONYMOUS) {
                nt_status = connect_to_ipc_anonymous(&cli, &server_ip, server_name);
-       } else {
-               nt_status = connect_to_ipc(&cli, &server_ip, server_name);
+               if (NT_STATUS_IS_OK(nt_status)) {
+                       goto connected;
+               }
        }
 
+       SAFE_FREE(server_name);
+       d_fprintf(stderr, "Connection failed: %s\n",
+                 nt_errstr(nt_status));
+       return NULL;
+
+ connected:
        /* store the server in the affinity cache if it was a PDC */
 
        if ( (flags & NET_FLAGS_PDC) && NT_STATUS_IS_OK(nt_status) )
                saf_store( cli->server_domain, cli->desthost );
 
-       SAFE_FREE(server_name);
-       if (NT_STATUS_IS_OK(nt_status)) {
-               return cli;
-       } else {
-               d_fprintf(stderr, "Connection failed: %s\n",
-                         nt_errstr(nt_status));
-               return NULL;
-       }
+       return cli;
 }
 
 static int net_user(int argc, const char **argv)

diff --git a/source/utils/net_rpc_join.c b/source/utils/net_rpc_join.c
index 63e77b3ef50b9081cec50ce011491c00b3e54b78..361a319c04cd83c711eaab8b6229804080f1b3d4 100644 (file)
--- a/source/utils/net_rpc_join.c
+++ b/source/utils/net_rpc_join.c
@@ -45,7 +45,7 @@ int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip )
 {
        uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
        enum security_types sec;
-       unsigned int conn_flags = NET_FLAGS_PDC;
+       unsigned int conn_flags = NET_FLAGS_PDC | NET_FLAGS_ANONYMOUS;
        struct cli_state *cli = NULL;
        struct rpc_pipe_client *pipe_hnd = NULL;
        struct rpc_pipe_client *netlogon_pipe = NULL;
@@ -58,10 +58,6 @@ int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip )
                   connection here, as it may be denied by server's local policy. */
                net_use_machine_account();
 
-       } else {
-               /* some servers (e.g. WinNT) don't accept machine-authenticated
-                  smb connections */
-               conn_flags |= NET_FLAGS_ANONYMOUS;
        }
 
        /* Connect to remote machine */