From 2602f5dd0ea159dfe3705e401b9ea86379b94b31 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 19 Sep 2024 00:14:56 +0200
Subject: [PATCH 1/3] s3:test_update_keytab_clustered: add net ads testjoin checks in more places
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15714
Signed-off-by: Stefan Metzmacher
Reviewed-by: Martin Schwenke
(cherry picked from commit 690c800c33df4d06d409b9ccfa57e5fa575ab1aa)
---
 .../script/tests/test_update_keytab_clustered.sh | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/source3/script/tests/test_update_keytab_clustered.sh b/source3/script/tests/test_update_keytab_clustered.sh
index a0016139db52..0fc299d041c9 100755
--- a/source3/script/tests/test_update_keytab_clustered.sh
+++ b/source3/script/tests/test_update_keytab_clustered.sh
@@ -25,6 +25,12 @@ keytabs_sync_kvno="keytab0k keytab1k keytab2k keytab3k"
 keytabs_nosync_kvno="keytab0 keytab1 keytab2 keytab3"
 keytabs_all="$keytabs_sync_kvno $keytabs_nosync_kvno"
+check_net_ads_testjoin()
+{
+ UID_WRAPPER_ROOT=1 UID_WRAPPER_INITIAL_RUID=0 UID_WRAPPER_INITIAL_EUID=0 $samba_net ads testjoin
+ return $?
+}
+
 # find the biggest vno and store it into global variable vno
 get_biggest_vno()
 {
@@ -133,6 +139,8 @@ global_inject_conf=$(dirname $SMB_CONF_PATH)/global_inject.conf
 echo "sync machine password script = $PREFIX_ABS/clusteredmember/updatekeytab.sh" >$global_inject_conf
 UID_WRAPPER_ROOT=1 $smbcontrol winbindd reload-config
+testit "net_ads_testjoin_initial" check_net_ads_testjoin || failed=$((failed + 1))
+
 # To have both old and older password we do one unnecessary password change:
 testit "wbinfo_change_secret_initial" \
 "$samba_wbinfo" --change-secret --domain="${DOMAIN}" \
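Review bot: In the new check_net_ads_testjoin() the trailing `return $?` is redundant, since a shell function already exits with the status of its last command, and `$samba_net` is left unquoted while the neighbouring testit calls quote `"$samba_wbinfo"` (the script is mixed on this, `$smbcontrol` is unquoted too). A single-line body would read `UID_WRAPPER_ROOT=1 UID_WRAPPER_INITIAL_RUID=0 UID_WRAPPER_INITIAL_EUID=0 "$samba_net" ads testjoin` and behave the same. A one-line comment above the function saying that it runs `net ads testjoin` as a fake root via uid_wrapper so the three call sites share the same environment would also help a reader who sees only the testit lines.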
@@ -145,12 +153,14 @@ testit "wbinfo_check_secret_initial" \
 # Create/sync all keytabs
 testit "net_ads_keytab_sync" test_keytab_create || failed=$((failed + 1))
-testit "wbinfo_change_secret" \
+testit "net_ads_testjoin_after_sync" check_net_ads_testjoin || failed=$((failed + 1))
+
+testit "wbinfo_change_secret_after_sync" \
 test_pwd_change "wbinfo_changesecret" \
 "$samba_wbinfo --change-secret --domain=${DOMAIN}" \
 || failed=$((failed + 1))
-testit "wbinfo_check_secret" \
+testit "wbinfo_check_secret_after_sync" \
 "$samba_wbinfo" --check-secret --domain="${DOMAIN}" \
 || failed=$((failed + 1))
@@ -159,6 +169,8 @@ test_smbclient "Test machine login with the changed secret" \
 --machine-pass || failed=$((failed + 1))
+testit "net_ads_testjoin_final" check_net_ads_testjoin || failed=$((failed + 1))
+
 echo "" >$global_inject_conf
 UID_WRAPPER_ROOT=1 $smbcontrol winbindd reload-config
-- 
2.34.1
From da3c07c184d092c9526967bb4160fb327d932c63 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 18 Sep 2024 23:48:00 +0200
Subject: [PATCH 2/3] s3:utils: let 'net ads testjoin' fail without valid machine credentials
This will allow doing tests and make sure using anonymous credentials doesn't cause false positive results...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15714
Signed-off-by: Stefan Metzmacher
Reviewed-by: Martin Schwenke
(cherry picked from commit ab3fc1595c0a2e0aa3719cc2fe4684e9a0a2f9d8)
---
 selftest/knownfail.d/net_ads_testjoin | 4 ++++
 source3/utils/net_ads.c | 6 ++++++
 2 files changed, 10 insertions(+)
 create mode 100644 selftest/knownfail.d/net_ads_testjoin
diff --git a/selftest/knownfail.d/net_ads_testjoin b/selftest/knownfail.d/net_ads_testjoin
new file mode 100644
index 000000000000..4e88d4a9031f
--- /dev/null
+++ b/selftest/knownfail.d/net_ads_testjoin
@@ -0,0 +1,4 @@
+^samba3.blackbox.update_keytab_clustered.net_ads_testjoin_initial.clusteredmember
+^samba3.blackbox.update_keytab_clustered.net_ads_testjoin_after_sync.clusteredmember
+^samba3.blackbox.update_keytab_clustered.wbinfo_change_secret_after_sync.clusteredmember
+^samba3.blackbox.update_keytab_clustered.net_ads_testjoin_final.clusteredmember
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 577834d96b5c..0e5da492faf2 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -1556,6 +1556,12 @@ static ADS_STATUS net_ads_join_ok(struct net_context *c)
 net_use_krb_machine_account(c);
+ if (!cli_credentials_authentication_requested(c->creds)) {
+ DBG_ERR("Failed to get machine credentials\n");
+ TALLOC_FREE(tmp_ctx);
+ return ADS_ERROR_NT(NT_STATUS_ACCESS_DENIED);
+ }
+
 get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip);
 status = ads_startup(c, true, tmp_ctx, &ads);
-- 
2.34.1
From 8244cede95ced40e07927c49a376dcdbb5ed7fe4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 11 Sep 2024 18:21:58 +0200
Subject: [PATCH 3/3] s3:utils: use the correct secrets.tdb in net_use_krb_machine_account()
On a cluster we need to use the ctdb controlled database and not a local secrets.tdb...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15714
Signed-off-by: Stefan Metzmacher
Reviewed-by: Martin Schwenke
Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Fri Sep 20 05:54:43 UTC 2024 on atb-devel-224
(cherry picked from commit f9ee4db2ba74e4f1f1b6d6f32082e5b0fe60f9b9)
---
 selftest/knownfail.d/net_ads_testjoin | 4 ----
 source3/utils/net_util.c | 6 +++++-
 2 files changed, 5 insertions(+), 5 deletions(-)
 delete mode 100644 selftest/knownfail.d/net_ads_testjoin
diff --git a/selftest/knownfail.d/net_ads_testjoin b/selftest/knownfail.d/net_ads_testjoin
deleted file mode 100644
index 4e88d4a9031f..000000000000
--- a/selftest/knownfail.d/net_ads_testjoin
+++ /dev/null
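Review bot: The new guard in net_ads_join_ok() reports the failure only through DBG_ERR, whereas the user-facing errors on this same path are written to stderr with d_fprintf (net_use_krb_machine_account() does exactly that when the secrets database cannot be opened), so an interactive `net ads testjoin` may show nothing but the ACCESS_DENIED outcome depending on how debug output is routed. Consider `d_fprintf(stderr, _("Failed to get machine credentials\n"));` next to, or instead of, the DBG_ERR. The message could also say what was actually detected, namely that no authentication was requested and the connection would otherwise proceed anonymously, e.g. `"No machine account credentials available, refusing anonymous testjoin\n"`, which is the false-positive case the commit message describes. net_ads_join_ok() begins before this hunk, so the declaration of tmp_ctx that the new TALLOC_FREE relies on is not visible here.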
@@ -1,4 +0,0 @@
-^samba3.blackbox.update_keytab_clustered.net_ads_testjoin_initial.clusteredmember
-^samba3.blackbox.update_keytab_clustered.net_ads_testjoin_after_sync.clusteredmember
-^samba3.blackbox.update_keytab_clustered.wbinfo_change_secret_after_sync.clusteredmember
-^samba3.blackbox.update_keytab_clustered.net_ads_testjoin_final.clusteredmember
diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
index 93e08cafbf11..5039902bc5e9 100644
--- a/source3/utils/net_util.c
+++ b/source3/utils/net_util.c
@@ -259,12 +259,16 @@ NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
 int net_use_krb_machine_account(struct net_context *c)
 {
+ struct db_context *db_ctx = NULL;
+
 if (!secrets_init()) {
 d_fprintf(stderr,_("ERROR: Unable to open secrets database\n"));
 exit(1);
 }
- cli_credentials_set_machine_account(c->creds, c->lp_ctx);
+ db_ctx = secrets_db_ctx();
+
+ cli_credentials_set_machine_account_db_ctx(c->creds, c->lp_ctx, db_ctx);
 c->explicit_credentials = true;
 return 0;
 }
-- 
2.34.1
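Review bot: The status returned by cli_credentials_set_machine_account_db_ctx() is discarded, as the replaced cli_credentials_set_machine_account() call's was, so when the machine account cannot be read from the ctdb-backed secrets database c->creds stays anonymous while the function still sets explicit_credentials = true and returns 0; callers are then left to notice indirectly, which is what the testjoin guard in the previous patch does. Since this function already exit()s with an error on stderr when secrets_init() fails, failing the same way here keeps its contract consistent and tells the user why (assuming the helper reports failure via its NTSTATUS return as the other cli_credentials_set_* routines do). A short comment above the secrets_db_ctx() call saying that it hands back the cluster-aware secrets handle rather than a node-local secrets.tdb would record the reason for the commit in the code itself.
```c
int net_use_krb_machine_account(struct net_context *c)
{
	struct db_context *db_ctx = NULL;
	NTSTATUS status;

	/* … unchanged: secrets_init() check … */

	/* on a cluster this is the ctdb-backed database, not a local secrets.tdb */
	db_ctx = secrets_db_ctx();

	status = cli_credentials_set_machine_account_db_ctx(c->creds, c->lp_ctx, db_ctx);
	if (!NT_STATUS_IS_OK(status)) {
		d_fprintf(stderr, _("ERROR: Unable to load machine account credentials: %s\n"),
			  nt_errstr(status));
		exit(1);
	}
	c->explicit_credentials = true;
```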