libnetjoin: support kerberized joining/unjoing (fix #5416).
authorGünther Deschner <gd@samba.org>
Wed, 30 Jul 2008 19:38:21 +0000 (21:38 +0200)
committerGünther Deschner <gd@samba.org>
Mon, 11 Aug 2008 17:52:23 +0000 (19:52 +0200)
Guenther

source/libnet/libnet_join.c
source/utils/net_ads.c

index 2f2c71dfce62a890896f0e1ae937ec3562623467..b7a15c558b3124492cbb1b80f2701f33f4b71947 100644 (file)
@@ -641,6 +641,37 @@ static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx,
        return true;
 }
 
+/****************************************************************
+ Connect dc's IPC$ share
+****************************************************************/
+
+static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
+                                          const char *user,
+                                          const char *pass,
+                                          bool use_kerberos,
+                                          struct cli_state **cli)
+{
+       int flags = 0;
+
+       if (use_kerberos) {
+               flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
+       }
+
+       if (use_kerberos && pass) {
+               flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
+       }
+
+       return cli_full_connection(cli, NULL,
+                                  dc,
+                                  NULL, 0,
+                                  "IPC$", "IPC",
+                                  user,
+                                  NULL,
+                                  pass,
+                                  flags,
+                                  Undefined, NULL);
+}
+
 /****************************************************************
  Lookup domain dc's info
 ****************************************************************/
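Review bot: The `if (use_kerberos && pass)` branch in libnet_join_connect_dc_ipc() sets CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS whenever a password is present, so a caller that asked for Kerberos can still end up authenticating with the password (presumably NTLM) if the Kerberos attempt fails, and the header comment does not say so. In net_ads_join the password comes from net_prompt_pass() right next to the new `r->in.use_kerberos` assignment, so unless that returns NULL under -k the fallback is always enabled on the join path. I would at least document this in the header comment, e.g. `Kerberos is tried first; if a password is supplied the connection may fall back to password authentication`, and consider giving callers a way to refuse the fallback. The connection that carries the admin credentials also passes `Undefined` as the signing state, unchanged from the old call sites, so it is worth confirming that this is the intended signing policy for a join.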
@@ -654,16 +685,11 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
        NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
        union lsa_PolicyInformation *info = NULL;
 
-       status = cli_full_connection(cli, NULL,
-                                    r->in.dc_name,
-                                    NULL, 0,
-                                    "IPC$", "IPC",
-                                    r->in.admin_account,
-                                    NULL,
-                                    r->in.admin_password,
-                                    0,
-                                    Undefined, NULL);
-
+       status = libnet_join_connect_dc_ipc(r->in.dc_name,
+                                           r->in.admin_account,
+                                           r->in.admin_password,
+                                           r->in.use_kerberos,
+                                           cli);
        if (!NT_STATUS_IS_OK(status)) {
                goto done;
        }
@@ -1109,15 +1135,11 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
        ZERO_STRUCT(domain_pol);
        ZERO_STRUCT(user_pol);
 
-       status = cli_full_connection(&cli, NULL,
-                                    r->in.dc_name,
-                                    NULL, 0,
-                                    "IPC$", "IPC",
-                                    r->in.admin_account,
-                                    NULL,
-                                    r->in.admin_password,
-                                    0, Undefined, NULL);
-
+       status = libnet_join_connect_dc_ipc(r->in.dc_name,
+                                           r->in.admin_account,
+                                           r->in.admin_password,
+                                           r->in.use_kerberos,
+                                           &cli);
        if (!NT_STATUS_IS_OK(status)) {
                goto done;
        }
index 934ac1da1ed6eb4c5a8f0190783e4a488e501595..7dbe518c3dd0ee521ff7586dd6d75c8de98ada8e 100644 (file)
@@ -879,7 +879,9 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
                return -1;
        }
 
-       use_in_memory_ccache();
+       if (!c->opt_kerberos) {
+               use_in_memory_ccache();
+       }
 
        werr = libnet_init_UnjoinCtx(ctx, &r);
        if (!W_ERROR_IS_OK(werr)) {
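Review bot: The new `if (!c->opt_kerberos)` guard around use_in_memory_ccache() has no comment, and its reason is not obvious from the code. With -k the command now appears to work against whatever credential cache the caller's environment selects, instead of a private in-memory one. A short comment such as `/* -k: reuse the caller's existing ccache; otherwise keep tickets in a private in-memory cache */` would record that intent. The same guard is added in net_ads_join and would take the same comment. Tickets obtained during the operation then presumably persist in the user's cache, which may deserve a line in the documentation; net_ads_leave's body starts and ends outside this hunk.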
@@ -888,6 +890,7 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
        }
 
        r->in.debug             = true;
+       r->in.use_kerberos      = c->opt_kerberos;
        r->in.dc_name           = c->opt_host;
        r->in.domain_name       = lp_realm();
        r->in.admin_account     = c->opt_user_name;
@@ -1192,7 +1195,9 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
                goto fail;
        }
 
-       use_in_memory_ccache();
+       if (!c->opt_kerberos) {
+               use_in_memory_ccache();
+       }
 
        werr = libnet_init_JoinCtx(ctx, &r);
        if (!W_ERROR_IS_OK(werr)) {
@@ -1250,6 +1255,7 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
        r->in.admin_account     = c->opt_user_name;
        r->in.admin_password    = net_prompt_pass(c, c->opt_user_name);
        r->in.debug             = true;
+       r->in.use_kerberos      = c->opt_kerberos;
        r->in.modify_config     = modify_config;
        r->in.join_flags        = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
                                  WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |