From 3b5191700d9b2ec6bf2c3d5a3a297f934c4b44d6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 5 Apr 2023 16:45:21 +0200
Subject: [PATCH 1/2] testprogs/blackbox: add test_net_ads_search_server.sh
This reproduces a regression with 'net ads search -P --server server.of.trusted.domain'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15323
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
(cherry picked from commit 3b585f9e8cc320841fab4cd5c3be53788d0a87ac)
---
.../samba4.blackbox.net_ads_search_server_P | 1 +
source4/selftest/tests.py | 11 ++++++
.../blackbox/test_net_ads_search_server.sh | 37 +++++++++++++++++++
3 files changed, 49 insertions(+)
create mode 100644 selftest/knownfail.d/samba4.blackbox.net_ads_search_server_P
create mode 100755 testprogs/blackbox/test_net_ads_search_server.sh
diff --git a/selftest/knownfail.d/samba4.blackbox.net_ads_search_server_P b/selftest/knownfail.d/samba4.blackbox.net_ads_search_server_P
new file mode 100644
index 000000000000..7f06e3fe7386
--- /dev/null
+++ b/selftest/knownfail.d/samba4.blackbox.net_ads_search_server_P
@@ -0,0 +1 @@
+^samba4.blackbox.net_ads_search_server_P.trust
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 052058383f72..823ada7a5dcc 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -666,6 +666,17 @@ plantestsuite("samba4.blackbox.client_etypes_strong(ad_dc:client)", "ad_dc:clien
 plantestsuite("samba4.blackbox.net_ads_dns(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_net_ads_dns.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$USERNAME', '$PASSWORD'])
 plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', '$DOMSID'])
+env = "ad_member:local"
+plantestsuite("samba4.blackbox.net_ads_search_server_P.primary", env,
+ [os.path.join(bbdir, "test_net_ads_search_server.sh"),
+ '$DC_SERVER', '$REALM'])
+plantestsuite("samba4.blackbox.net_ads_search_server_P.trust_e_both", env,
+ [os.path.join(bbdir, "test_net_ads_search_server.sh"),
+ '$TRUST_E_BOTH_SERVER', '$TRUST_E_BOTH_REALM'])
+plantestsuite("samba4.blackbox.net_ads_search_server_P.trust_f_both", env,
+ [os.path.join(bbdir, "test_net_ads_search_server.sh"),
+ '$TRUST_F_BOTH_SERVER', '$TRUST_F_BOTH_REALM'])
+
 if have_gnutls_fips_mode_support:
 plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"])
 plantestsuite("samba4.blackbox.test_weak_disable_ntlmssp_ldap", "ad_member:local", [os.path.join(bbdir, "test_weak_disable_ntlmssp_ldap.sh"),'$DC_USERNAME', '$DC_PASSWORD'])
diff --git a/testprogs/blackbox/test_net_ads_search_server.sh b/testprogs/blackbox/test_net_ads_search_server.sh
new file mode 100755
index 000000000000..f8350c9a97aa
--- /dev/null
+++ b/testprogs/blackbox/test_net_ads_search_server.sh
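Review bot: `env = "ad_member:local"` is a plain module-level assignment in tests.py, so it overwrites any earlier `env` and stays bound for the code that follows the hunk; if the rest of the file reads `env` (not visible here), these lines change what it sees. Passing the literal `"ad_member:local"` to the three `plantestsuite` calls, as the neighbouring `net_ads_dns` and `samba-tool_ntacl` registrations do, avoids that. A one-line comment above the block, e.g. `# BUG 15323: 'net ads search -P --server' against a DC of a trusted domain`, would also record why the `primary` and `trust_*` variants exist.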
@@ -0,0 +1,37 @@
+#!/bin/sh
+
+if [ $# -lt 2 ]; then
+cat <
Date: Thu, 2 Mar 2023 14:46:25 +0100
Subject: [PATCH 2/2] net_ads: fill ads->auth.realm from c->creds
We get the realm we use for authentication needs to the realm belonging to the username we use. We derive the username from c->creds, so we need to do the same for the realm. Otherwise we try to authenticate as the wrong user.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15323
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
(cherry picked from commit 0ef53b948e13eb36b536228cccd89aa4c2adbb90)
---
.../samba4.blackbox.net_ads_search_server_P | 1 -
source3/utils/net_ads.c | 10 +++++++++-
2 files changed, 9 insertions(+), 2 deletions(-)
delete mode 100644 selftest/knownfail.d/samba4.blackbox.net_ads_search_server_P
diff --git a/selftest/knownfail.d/samba4.blackbox.net_ads_search_server_P b/selftest/knownfail.d/samba4.blackbox.net_ads_search_server_P
deleted file mode 100644
index 7f06e3fe7386..000000000000
--- a/selftest/knownfail.d/samba4.blackbox.net_ads_search_server_P
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.blackbox.net_ads_search_server_P.trust
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 4bca90d5c8c0..9ec884394eb0 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -710,7 +710,15 @@ retry:
 TALLOC_FREE(ads);
 return ADS_ERROR(LDAP_NO_MEMORY);
 }
- }
+ } else if (ads->auth.realm == NULL) {
+ const char *c_realm = cli_credentials_get_realm(c->creds);
+
+ ads->auth.realm = talloc_strdup(ads, c_realm);
+ if (ads->auth.realm == NULL) {
+ TALLOC_FREE(ads);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+ }
 status = ads_connect(ads);
--
2.34.1
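Review bot: In the new `else if (ads->auth.realm == NULL)` branch of the net_ads.c hunk, the result of `cli_credentials_get_realm(c->creds)` is passed to `talloc_strdup()` without a NULL check. `talloc_strdup()` returns NULL for a NULL source, so credentials that carry no realm would take the `LDAP_NO_MEMORY` return instead of continuing to `ads_connect()` as they did before the patch; whether `c->creds` can lack a realm at this point is not visible in the hunk. Guarding the copy with `if (c_realm != NULL) {` … `}` keeps the out-of-memory path for real allocation failures only. Because this value selects the realm used for authentication, a short comment such as `/* realm must belong to the username taken from c->creds */` would help the next reader. The enclosing function starts and ends outside the hunk.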