From f43cfdf48aa4405cb7b34a55a3f2fad881b4fd94 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero Date: Fri, 13 Aug 2021 14:29:30 +0200 Subject: [PATCH] s3: net: Fix 'net rpc' authentication with machine account The username was set to $@REALM even when kerberos was not specified in command line, resulting in NTLM authentication failure. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14796 Signed-off-by: Samuel Cabrero --- source3/utils/net.c | 3 +-- source3/utils/net_ads.c | 4 ++-- source3/utils/net_proto.h | 2 +- source3/utils/net_util.c | 13 +++++++++++-- 4 files changed, 15 insertions(+), 7 deletions(-) diff --git a/source3/utils/net.c b/source3/utils/net.c index 4fc19c4a121..aa78b8f3e68 100644 --- a/source3/utils/net.c +++ b/source3/utils/net.c @@ -1409,8 +1409,7 @@ static void get_credentials_file(struct net_context *c, if (c->opt_machine_pass) { /* it is very useful to be able to make ads queries as the machine account for testing purposes and for domain leave */ - - net_use_krb_machine_account(c); + net_use_machine_account(c, c->opt_kerberos); } if (!c->opt_password) { diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index c8b18a9c281..41f96c26770 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -1433,7 +1433,7 @@ static NTSTATUS net_ads_join_ok(struct net_context *c) return NT_STATUS_ACCESS_DENIED; } - net_use_krb_machine_account(c); + net_use_machine_account(c, true); get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip); @@ -2788,7 +2788,7 @@ int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv) return -1; } - net_use_krb_machine_account(c); + net_use_machine_account(c, true); use_in_memory_ccache(); diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h index f49b707338d..b9cba909f75 100644 --- a/source3/utils/net_proto.h +++ b/source3/utils/net_proto.h 
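Review bot: The call `net_use_machine_account(c, c->opt_kerberos);` in get_credentials_file() discards the int result, and the two `net_use_machine_account(c, true);` calls in net_ads_join_ok() and net_ads_changetrustpw() do the same. The net_util.c part of this patch shows the function returning -1 when the user name cannot be allocated, and it presumably does the same after the "Unable to open secrets database" message. On failure these callers therefore continue with whatever credentials were already in the context instead of the machine account. In net_ads_changetrustpw(), which already returns -1 just above, `if (net_use_machine_account(c, true) != 0) { return -1; }` would surface the failure. The right error value for the other two callers depends on code outside these hunks.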
@@ -402,7 +402,7 @@ NTSTATUS connect_to_ipc_anonymous(struct net_context *c, NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst, struct rpc_pipe_client **pp_pipe_hnd, const struct ndr_interface_table *table); -int net_use_krb_machine_account(struct net_context *c); +int net_use_machine_account(struct net_context *c, bool use_kerberos); bool net_find_server(struct net_context *c, const char *domain, unsigned flags, diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c index 6c5321db0fd..9013dd35a1b 100644 --- a/source3/utils/net_util.c +++ b/source3/utils/net_util.c @@ -252,9 +252,10 @@ NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst, Use the local machine account (krb) and password for this session. ****************************************************************************/ -int net_use_krb_machine_account(struct net_context *c) +int net_use_machine_account(struct net_context *c, bool use_kerberos) { char *user_name = NULL; + int ret; if (!secrets_init()) { d_fprintf(stderr,_("ERROR: Unable to open secrets database\n")); @@ -263,7 +264,15 @@ int net_use_krb_machine_account(struct net_context *c) c->opt_password = secrets_fetch_machine_password( c->opt_target_workgroup, NULL, NULL); - if (asprintf(&user_name, "%s$@%s", lp_netbios_name(), lp_realm()) == -1) { + if (use_kerberos) { + ret = asprintf(&user_name, + "%s$@%s", + lp_netbios_name(), + lp_realm()); + } else { + ret = asprintf(&user_name, "%s$", lp_netbios_name()); + } + if (ret == -1) { return -1; } c->opt_user_name = user_name; -- 2.32.0
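Review bot: The banner comment above net_use_machine_account() still reads "Use the local machine account (krb) and password for this session.", which no longer describes a function that also builds a non-Kerberos user name. I would reword it along the lines of `Use the local machine account and password for this session; with use_kerberos the user name is NAME$@REALM, otherwise NAME$.` The function body continues past this hunk.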
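Review bot: The result of `secrets_fetch_machine_password()` is assigned to `c->opt_password` without a NULL check, so when no machine secret can be read the function still sets `c->opt_user_name` to the machine account name. In get_credentials_file() the statement after the call is `if (!c->opt_password)`, which suggests the caller then obtains a password some other way while keeping that user name. Please confirm this is intended for the non-Kerberos path this patch enables. If it is not, `if (c->opt_password == NULL) { return -1; }` directly after the fetch, combined with callers that check the result, would stop the session from continuing with a half-populated credential. The end of the function is outside this hunk, so the final return value is inferred.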