From 77b0358c663300035b4c034b6146aa6b185fc52f Mon Sep 17 00:00:00 2001 From: Kai Blin Date: Wed, 10 Jun 2009 13:08:40 +0200 Subject: [PATCH] Revert "net: Use samba default command line arguments." This reverts commit c039bc15ba597d955d0ccbf5642388b0a03ba40b and dependent commits 33c6ba805756739b7b4395bedb66ae00797cbcb1 and ce18ba7e24b5578672d2f2ffaab97ef708421067. While it certainly would be a nice to have feature, this has caused more hassle than reasonable, e.g. in net commands that need to use the machine account like net (ads|rpc) testjoin. This un-fixes bug #6305. --- WHATSNEW.txt | 39 -------------- source3/utils/net.c | 43 ++++++++++++---- source3/utils/net.h | 9 +++- source3/utils/net_ads.c | 82 +++++++++++++++--------------- source3/utils/net_dom.c | 8 +-- source3/utils/net_help.c | 1 - source3/utils/net_proto.h | 3 + source3/utils/net_rpc.c | 74 +++++++++----------------- source3/utils/net_rpc_join.c | 3 +- source3/utils/net_rpc_samsync.c | 4 +- source3/utils/net_rpc_shell.c | 9 +-- source3/utils/net_util.c | 109 ++++++++++++++++++++++++++++++++------ 12 files changed, 209 insertions(+), 175 deletions(-) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 35e52c5..830d57c 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -35,9 +35,6 @@ o The code has been cleaned up and the major basic interfaces are shared with Samba4 now. o An asynchronous API has been added. -net Command Changes: -o Parameter syntax made more consistent. - Configuration changes ===================== @@ -120,38 +117,6 @@ these two versions. An asynchronous API has been added. -net Command Changes -=================== - -The net command now accepts the common command line parameters most other Samba -command line utilities use, with a couple of remaining differences: - --l still gives long output for net commands supporting the --long flag. This was -more useful than the common --log-base parameter. - --i still tells net to read data from stdin (like --stdin) instead of toggling -the common --scope flag. - --S still tells net the server to connect to (like --server) instead of -negotiating the common --signing flag. As -S is probably used by most scripts -doing net rpc commands, this would have been a high-impact change for little -gain. - -This change was mainly done to unify the authentification options. Here, one -flag changed it's meaning and one useful flag was added. - --N used to be the short version of --ntname. It now matches the Samba default of ---no-pass. Use this to stop net from prompting for a password if you want -anonymous authentication. - --A --authentication-file now takes an authentication file with the username and -password you want net to use, avoiding a password prompt as with plain -U user -or having to give a password on the command line as in -U user%pass. - -Last but not least net now always falls back to your local unix username if no --U is specified and a username is needed. net rpc commands will now prompt for a -password unless one is specified using either -U user%pass or -A auth_file - ###################################################################### Changes ####### @@ -272,10 +237,6 @@ o Michael Adam * Fix linking with --disable-shared-libs. -o Kai Blin - * BUG #6357: Use Samba default command line arguments in 'net'. - - o Steven Danneman * Fix issue with missing entries when enumerating directories. * Map NULL domains to our global sam name. diff --git a/source3/utils/net.c b/source3/utils/net.c index 2033082..d58858c 100644 --- a/source3/utils/net.c +++ b/source3/utils/net.c @@ -618,6 +618,7 @@ static struct functable net_func[] = { int main(int argc, const char **argv) { int opt,i; + char *p; int rc = 0; int argc_new = 0; const char ** argv_new; @@ -628,10 +629,12 @@ static struct functable net_func[] = { struct poptOption long_options[] = { {"help", 'h', POPT_ARG_NONE, 0, 'h'}, {"workgroup", 'w', POPT_ARG_STRING, &c->opt_target_workgroup}, + {"user", 'U', POPT_ARG_STRING, &c->opt_user_name, 'U'}, {"ipaddress", 'I', POPT_ARG_STRING, 0,'I'}, {"port", 'p', POPT_ARG_INT, &c->opt_port}, {"myname", 'n', POPT_ARG_STRING, &c->opt_requester_name}, {"server", 'S', POPT_ARG_STRING, &c->opt_host}, + {"encrypt", 'e', POPT_ARG_NONE, NULL, 'e', "Encrypt SMB transport (UNIX extended servers only)" }, {"container", 'c', POPT_ARG_STRING, &c->opt_container}, {"comment", 'C', POPT_ARG_STRING, &c->opt_comment}, {"maxusers", 'M', POPT_ARG_INT, &c->opt_maxusers}, @@ -642,13 +645,15 @@ static struct functable net_func[] = { {"stdin", 'i', POPT_ARG_NONE, &c->opt_stdin}, {"timeout", 't', POPT_ARG_INT, &c->opt_timeout}, {"request-timeout",0,POPT_ARG_INT, &c->opt_request_timeout}, + {"machine-pass",'P', POPT_ARG_NONE, &c->opt_machine_pass}, + {"kerberos", 'k', POPT_ARG_NONE, &c->opt_kerberos}, {"myworkgroup", 'W', POPT_ARG_STRING, &c->opt_workgroup}, {"verbose", 'v', POPT_ARG_NONE, &c->opt_verbose}, {"test", 'T', POPT_ARG_NONE, &c->opt_testmode}, /* Options for 'net groupmap set' */ {"local", 'L', POPT_ARG_NONE, &c->opt_localgroup}, {"domain", 'D', POPT_ARG_NONE, &c->opt_domaingroup}, - {"ntname", 0, POPT_ARG_STRING, &c->opt_newntname}, + {"ntname", 'N', POPT_ARG_STRING, &c->opt_newntname}, {"rid", 'R', POPT_ARG_INT, &c->opt_rid}, /* Options for 'net rpc share migrate' */ {"acls", 0, POPT_ARG_NONE, &c->opt_acls}, @@ -663,7 +668,6 @@ static struct functable net_func[] = { {"clean-old-entries", 0, POPT_ARG_NONE, &c->opt_clean_old_entries}, POPT_COMMON_SAMBA - POPT_COMMON_CREDENTIALS { 0, 0, 0, 0} }; @@ -677,13 +681,6 @@ static struct functable net_func[] = { dbf = x_stderr; c->private_data = net_func; - c->auth_info = user_auth_info_init(frame); - if (c->auth_info == NULL) { - d_fprintf(stderr, "\nOut of memory!\n"); - exit(1); - } - popt_common_set_auth_info(c->auth_info); - pc = poptGetContext(NULL, argc, (const char **) argv, long_options, POPT_CONTEXT_KEEP_FIRST); @@ -691,7 +688,9 @@ static struct functable net_func[] = { switch (opt) { case 'h': c->display_usage = true; - set_cmdline_auth_info_password(c->auth_info, ""); + break; + case 'e': + c->smb_encrypt = true; break; case 'I': if (!interpret_string_addr(&c->opt_dest_ip, @@ -701,6 +700,15 @@ static struct functable net_func[] = { c->opt_have_ip = true; } break; + case 'U': + c->opt_user_specified = true; + c->opt_user_name = SMB_STRDUP(c->opt_user_name); + p = strchr(c->opt_user_name,'%'); + if (p) { + *p = 0; + c->opt_password = p+1; + } + break; default: d_fprintf(stderr, "\nInvalid option %s: %s\n", poptBadOption(pc, 0), poptStrerror(opt)); @@ -734,6 +742,10 @@ static struct functable net_func[] = { set_global_myname(c->opt_requester_name); } + if (!c->opt_user_name && getenv("LOGNAME")) { + c->opt_user_name = getenv("LOGNAME"); + } + if (!c->opt_workgroup) { c->opt_workgroup = smb_xstrdup(lp_workgroup()); } @@ -751,6 +763,17 @@ static struct functable net_func[] = { that it won't assert becouse we are not root */ sec_init(); + if (c->opt_machine_pass) { + /* it is very useful to be able to make ads queries as the + machine account for testing purposes and for domain leave */ + + net_use_krb_machine_account(c); + } + + if (!c->opt_password) { + c->opt_password = getenv("PASSWD"); + } + rc = net_run_function(c, argc_new-1, argv_new+1, "net", net_func); DEBUG(2,("return code = %d\n", rc)); diff --git a/source3/utils/net.h b/source3/utils/net.h index f604d96..d88f962 100644 --- a/source3/utils/net.h +++ b/source3/utils/net.h @@ -28,8 +28,11 @@ struct net_context { const char *opt_requester_name; const char *opt_host; - int opt_long_list_entries; + const char *opt_password; + const char *opt_user_name; + bool opt_user_specified; const char *opt_workgroup; + int opt_long_list_entries; int opt_reboot; int opt_force; int opt_stdin; @@ -42,6 +45,7 @@ struct net_context { int opt_timeout; int opt_request_timeout; const char *opt_target_workgroup; + int opt_machine_pass; int opt_localgroup; int opt_domaingroup; int do_talloc_report; @@ -53,14 +57,15 @@ struct net_context { const char *opt_exclude; const char *opt_destination; int opt_testmode; + bool opt_kerberos; int opt_force_full_repl; int opt_single_obj_repl; int opt_clean_old_entries; int opt_have_ip; struct sockaddr_storage opt_dest_ip; + bool smb_encrypt; struct libnetapi_ctx *netapi_ctx; - struct user_auth_info *auth_info; bool display_usage; void *private_data; diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index 588f57f..8e927be 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -231,22 +231,32 @@ retry_connect: ads = ads_init(realm, c->opt_target_workgroup, c->opt_host); + if (!c->opt_user_name) { + c->opt_user_name = "administrator"; + } + + if (c->opt_user_specified) { + need_password = true; + } + retry: - if (need_password) { - set_cmdline_auth_info_getpass(c->auth_info); + if (!c->opt_password && need_password && !c->opt_machine_pass) { + c->opt_password = net_prompt_pass(c, c->opt_user_name); + if (!c->opt_password) { + ads_destroy(&ads); + return ADS_ERROR(LDAP_NO_MEMORY); + } } - if (get_cmdline_auth_info_got_pass(c->auth_info)) { + if (c->opt_password) { use_in_memory_ccache(); SAFE_FREE(ads->auth.password); - ads->auth.password = smb_xstrdup( - get_cmdline_auth_info_password(c->auth_info)); + ads->auth.password = smb_xstrdup(c->opt_password); } ads->auth.flags |= auth_flags; SAFE_FREE(ads->auth.user_name); - ads->auth.user_name = smb_xstrdup( - get_cmdline_auth_info_username(c->auth_info)); + ads->auth.user_name = smb_xstrdup(c->opt_user_name); /* * If the username is of the form "name@realm", @@ -865,7 +875,6 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv) TALLOC_CTX *ctx; struct libnet_UnjoinCtx *r = NULL; WERROR werr; - struct user_auth_info *ai = c->auth_info; if (c->display_usage) { d_printf("Usage:\n" @@ -884,7 +893,7 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv) return -1; } - if (!get_cmdline_auth_info_use_kerberos(ai)) { + if (!c->opt_kerberos) { use_in_memory_ccache(); } @@ -894,14 +903,12 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv) return -1; } - set_cmdline_auth_info_getpass(ai); - r->in.debug = true; - r->in.use_kerberos = get_cmdline_auth_info_use_kerberos(ai); + r->in.use_kerberos = c->opt_kerberos; r->in.dc_name = c->opt_host; r->in.domain_name = lp_realm(); - r->in.admin_account = get_cmdline_auth_info_username(ai); - r->in.admin_password = get_cmdline_auth_info_password(ai); + r->in.admin_account = c->opt_user_name; + r->in.admin_password = net_prompt_pass(c, c->opt_user_name); r->in.modify_config = lp_config_backend_is_registry(); r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE | WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE; @@ -952,8 +959,7 @@ static NTSTATUS net_ads_join_ok(struct net_context *c) return NT_STATUS_ACCESS_DENIED; } - set_cmdline_auth_info_use_machine_account(c->auth_info); - set_cmdline_auth_info_machine_account_creds(c->auth_info); + net_use_krb_machine_account(c); status = ads_startup(c, true, &ads); if (!ADS_ERR_OK(status)) { @@ -1184,7 +1190,6 @@ int net_ads_join(struct net_context *c, int argc, const char **argv) const char *os_name = NULL; const char *os_version = NULL; bool modify_config = lp_config_backend_is_registry(); - struct user_auth_info *ai = c->auth_info;; if (c->display_usage) return net_ads_join_usage(c, argc, argv); @@ -1204,7 +1209,7 @@ int net_ads_join(struct net_context *c, int argc, const char **argv) goto fail; } - if (!get_cmdline_auth_info_use_kerberos(ai)) { + if (!c->opt_kerberos) { use_in_memory_ccache(); } @@ -1254,8 +1259,6 @@ int net_ads_join(struct net_context *c, int argc, const char **argv) /* Do the domain join here */ - set_cmdline_auth_info_getpass(ai); - r->in.domain_name = domain; r->in.create_upn = createupn; r->in.upn = machineupn; @@ -1263,10 +1266,10 @@ int net_ads_join(struct net_context *c, int argc, const char **argv) r->in.os_name = os_name; r->in.os_version = os_version; r->in.dc_name = c->opt_host; - r->in.admin_account = get_cmdline_auth_info_username(ai); - r->in.admin_password = get_cmdline_auth_info_password(ai); + r->in.admin_account = c->opt_user_name; + r->in.admin_password = net_prompt_pass(c, c->opt_user_name); r->in.debug = true; - r->in.use_kerberos = get_cmdline_auth_info_use_kerberos(ai); + r->in.use_kerberos = c->opt_kerberos; r->in.modify_config = modify_config; r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE | WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE | @@ -1577,7 +1580,6 @@ static int net_ads_printer_publish(struct net_context *c, int argc, const char * char *prt_dn, *srv_dn, **srv_cn; char *srv_cn_escaped = NULL, *printername_escaped = NULL; LDAPMessage *res = NULL; - struct user_auth_info *ai = c->auth_info; if (argc < 1 || c->display_usage) { d_printf("Usage:\n" @@ -1609,9 +1611,8 @@ static int net_ads_printer_publish(struct net_context *c, int argc, const char * nt_status = cli_full_connection(&cli, global_myname(), servername, &server_ss, 0, "IPC$", "IPC", - get_cmdline_auth_info_username(ai), - c->opt_workgroup, - get_cmdline_auth_info_password(ai), + c->opt_user_name, c->opt_workgroup, + c->opt_password ? c->opt_password : "", CLI_FULL_CONNECTION_USE_KERBEROS, Undefined, NULL); @@ -1799,8 +1800,8 @@ static int net_ads_printer(struct net_context *c, int argc, const char **argv) static int net_ads_password(struct net_context *c, int argc, const char **argv) { ADS_STRUCT *ads; - const char *auth_principal; - const char *auth_password; + const char *auth_principal = c->opt_user_name; + const char *auth_password = c->opt_password; char *realm = NULL; char *new_password = NULL; char *chr, *prompt; @@ -1815,9 +1816,10 @@ static int net_ads_password(struct net_context *c, int argc, const char **argv) return 0; } - auth_principal = get_cmdline_auth_info_username(c->auth_info); - set_cmdline_auth_info_getpass(c->auth_info); - auth_password = get_cmdline_auth_info_password(c->auth_info); + if (c->opt_user_name == NULL || c->opt_password == NULL) { + d_fprintf(stderr, "You must supply an administrator username/password\n"); + return -1; + } if (argc < 1) { d_fprintf(stderr, "ERROR: You must say which username to change password for\n"); @@ -1899,7 +1901,7 @@ int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv) return -1; } - set_cmdline_auth_info_use_machine_account(c->auth_info); + net_use_krb_machine_account(c); use_in_memory_ccache(); @@ -2281,7 +2283,6 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar TALLOC_CTX *mem_ctx = NULL; NTSTATUS status; int ret = -1; - struct user_auth_info *ai = c->auth_info; if (c->display_usage) { d_printf("Usage:\n" @@ -2295,11 +2296,11 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar goto out; } - set_cmdline_auth_info_getpass(ai); + c->opt_password = net_prompt_pass(c, c->opt_user_name); status = kerberos_return_pac(mem_ctx, - get_cmdline_auth_info_username(ai), - get_cmdline_auth_info_password(ai), + c->opt_user_name, + c->opt_password, 0, NULL, NULL, @@ -2332,7 +2333,6 @@ static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char ** TALLOC_CTX *mem_ctx = NULL; int ret = -1; NTSTATUS status; - struct user_auth_info *ai = c->auth_info; if (c->display_usage) { d_printf("Usage:\n" @@ -2346,10 +2346,10 @@ static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char ** goto out; } - set_cmdline_auth_info_getpass(ai); + c->opt_password = net_prompt_pass(c, c->opt_user_name); - ret = kerberos_kinit_password_ext(get_cmdline_auth_info_username(ai), - get_cmdline_auth_info_password(ai), + ret = kerberos_kinit_password_ext(c->opt_user_name, + c->opt_password, 0, NULL, NULL, diff --git a/source3/utils/net_dom.c b/source3/utils/net_dom.c index a13f52c..4010797 100644 --- a/source3/utils/net_dom.c +++ b/source3/utils/net_dom.c @@ -368,11 +368,9 @@ int net_dom(struct net_context *c, int argc, const char **argv) return -1; } - libnetapi_set_username(c->netapi_ctx, - get_cmdline_auth_info_username(c->auth_info)); - libnetapi_set_password(c->netapi_ctx, - get_cmdline_auth_info_password(c->auth_info)); - if (get_cmdline_auth_info_use_kerberos(c->auth_info)) { + libnetapi_set_username(c->netapi_ctx, c->opt_user_name); + libnetapi_set_password(c->netapi_ctx, c->opt_password); + if (c->opt_kerberos) { libnetapi_set_use_kerberos(c->netapi_ctx); } diff --git a/source3/utils/net_help.c b/source3/utils/net_help.c index 5a17079..0502373 100644 --- a/source3/utils/net_help.c +++ b/source3/utils/net_help.c @@ -65,6 +65,5 @@ int net_help(struct net_context *c, int argc, const char **argv) } c->display_usage = true; - set_cmdline_auth_info_password(c->auth_info, ""); return net_run_function(c, argc, argv, "net help", func); } diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h index 8a09147..75ac032 100644 --- a/source3/utils/net_proto.h +++ b/source3/utils/net_proto.h @@ -459,6 +459,8 @@ NTSTATUS connect_to_ipc_krb5(struct net_context *c, NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst, struct rpc_pipe_client **pp_pipe_hnd, const struct ndr_syntax_id *interface); +int net_use_krb_machine_account(struct net_context *c); +int net_use_machine_account(struct net_context *c); bool net_find_server(struct net_context *c, const char *domain, unsigned flags, @@ -473,6 +475,7 @@ NTSTATUS net_make_ipc_connection_ex(struct net_context *c ,const char *domain, const char *server, struct sockaddr_storage *pss, unsigned flags, struct cli_state **pcli); +const char *net_prompt_pass(struct net_context *c, const char *user); int net_run_function(struct net_context *c, int argc, const char **argv, const char *whoami, struct functable *table); void net_display_usage_from_functable(struct functable *table); diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index fab83da..3a1aeb0 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -24,8 +24,7 @@ #include "utils/net.h" static int net_mode_share; -static bool sync_files(struct copy_clistate *cp_clistate, const char *mask, - const struct user_auth_info *auth_info); +static bool sync_files(struct copy_clistate *cp_clistate, const char *mask); /** * @file net_rpc.c @@ -122,7 +121,6 @@ int run_rpc_command(struct net_context *c, DOM_SID *domain_sid; const char *domain_name; int ret = -1; - struct user_auth_info *ai = c->auth_info; /* make use of cli_state handed over as an argument, if possible */ if (!cli_arg) { @@ -172,10 +170,8 @@ int run_rpc_command(struct net_context *c, nt_status = cli_rpc_pipe_open_ntlmssp( cli, interface, PIPE_AUTH_LEVEL_PRIVACY, - lp_workgroup(), - get_cmdline_auth_info_username(ai), - get_cmdline_auth_info_password(ai), - &pipe_hnd); + lp_workgroup(), c->opt_user_name, + c->opt_password, &pipe_hnd); } else { nt_status = cli_rpc_pipe_open_noauth( cli, interface, @@ -943,12 +939,9 @@ int net_rpc_user(struct net_context *c, int argc, const char **argv) if (status != 0) { return -1; } - set_cmdline_auth_info_getpass(c->auth_info); - libnetapi_set_username(c->netapi_ctx, - get_cmdline_auth_info_username(c->auth_info)); - libnetapi_set_password(c->netapi_ctx, - get_cmdline_auth_info_password(c->auth_info)); - if (get_cmdline_auth_info_use_kerberos(c->auth_info)) { + libnetapi_set_username(c->netapi_ctx, c->opt_user_name); + libnetapi_set_password(c->netapi_ctx, c->opt_password); + if (c->opt_kerberos) { libnetapi_set_use_kerberos(c->netapi_ctx); } @@ -2762,12 +2755,9 @@ int net_rpc_group(struct net_context *c, int argc, const char **argv) if (status != 0) { return -1; } - set_cmdline_auth_info_getpass(c->auth_info); - libnetapi_set_username(c->netapi_ctx, - get_cmdline_auth_info_username(c->auth_info)); - libnetapi_set_password(c->netapi_ctx, - get_cmdline_auth_info_password(c->auth_info)); - if (get_cmdline_auth_info_use_kerberos(c->auth_info)) { + libnetapi_set_username(c->netapi_ctx, c->opt_user_name); + libnetapi_set_password(c->netapi_ctx, c->opt_password); + if (c->opt_kerberos) { libnetapi_set_use_kerberos(c->netapi_ctx); } @@ -3254,7 +3244,7 @@ static void copy_fn(const char *mnt, file_info *f, old_dir = local_state->cwd; local_state->cwd = dir; - if (!sync_files(local_state, new_mask, c->auth_info)) + if (!sync_files(local_state, new_mask)) printf("could not handle files\n"); local_state->cwd = old_dir; @@ -3301,18 +3291,15 @@ static void copy_fn(const char *mnt, file_info *f, * * @return Boolean result **/ -static bool sync_files(struct copy_clistate *cp_clistate, const char *mask, - const struct user_auth_info *auth_info) +static bool sync_files(struct copy_clistate *cp_clistate, const char *mask) { struct cli_state *targetcli; char *targetpath = NULL; DEBUG(3,("calling cli_list with mask: %s\n", mask)); - - if ( !cli_resolve_path(talloc_tos(), "", auth_info, - cp_clistate->cli_share_src, mask, &targetcli, - &targetpath ) ) { + if ( !cli_resolve_path(talloc_tos(), "", NULL, cp_clistate->cli_share_src, + mask, &targetcli, &targetpath ) ) { d_fprintf(stderr, "cli_resolve_path %s failed with error: %s\n", mask, cli_errstr(cp_clistate->cli_share_src)); return false; @@ -3475,7 +3462,7 @@ static NTSTATUS rpc_share_migrate_files_internals(struct net_context *c, goto done; } - if (!sync_files(&cp_clistate, mask, c->auth_info)) { + if (!sync_files(&cp_clistate, mask)) { d_fprintf(stderr, "could not handle files for share: %s\n", info502.name); nt_status = NT_STATUS_UNSUCCESSFUL; goto done; @@ -4577,12 +4564,9 @@ int net_rpc_share(struct net_context *c, int argc, const char **argv) if (status != 0) { return -1; } - set_cmdline_auth_info_getpass(c->auth_info); - libnetapi_set_username(c->netapi_ctx, - get_cmdline_auth_info_username(c->auth_info)); - libnetapi_set_password(c->netapi_ctx, - get_cmdline_auth_info_password(c->auth_info)); - if (get_cmdline_auth_info_use_kerberos(c->auth_info)) { + libnetapi_set_username(c->netapi_ctx, c->opt_user_name); + libnetapi_set_password(c->netapi_ctx, c->opt_password); + if (c->opt_kerberos) { libnetapi_set_use_kerberos(c->netapi_ctx); } @@ -4855,12 +4839,9 @@ int net_rpc_file(struct net_context *c, int argc, const char **argv) if (status != 0) { return -1; } - set_cmdline_auth_info_getpass(c->auth_info); - libnetapi_set_username(c->netapi_ctx, - get_cmdline_auth_info_username(c->auth_info)); - libnetapi_set_password(c->netapi_ctx, - get_cmdline_auth_info_password(c->auth_info)); - if (get_cmdline_auth_info_use_kerberos(c->auth_info)) { + libnetapi_set_username(c->netapi_ctx, c->opt_user_name); + libnetapi_set_password(c->netapi_ctx, c->opt_password); + if (c->opt_kerberos) { libnetapi_set_use_kerberos(c->netapi_ctx); } @@ -5550,7 +5531,7 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, c->opt_workgroup = smb_xstrdup(domain_name); }; - set_cmdline_auth_info_username(c->auth_info, acct_name); + c->opt_user_name = acct_name; /* find the domain controller */ if (!net_find_pdc(&server_ss, pdc_name, domain_name)) { @@ -5647,9 +5628,7 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, * Store the password in secrets db */ - if (!pdb_set_trusteddom_pw(domain_name, - get_cmdline_auth_info_password(c->auth_info), - domain_sid)) { + if (!pdb_set_trusteddom_pw(domain_name, c->opt_password, domain_sid)) { DEBUG(0, ("Storing password for trusted domain failed.\n")); cli_shutdown(cli); talloc_destroy(mem_ctx); @@ -7209,12 +7188,9 @@ int net_rpc(struct net_context *c, int argc, const char **argv) if (status != 0) { return -1; } - set_cmdline_auth_info_getpass(c->auth_info); - libnetapi_set_username(c->netapi_ctx, - get_cmdline_auth_info_username(c->auth_info)); - libnetapi_set_password(c->netapi_ctx, - get_cmdline_auth_info_password(c->auth_info)); - if (get_cmdline_auth_info_use_kerberos(c->auth_info)) { + libnetapi_set_username(c->netapi_ctx, c->opt_user_name); + libnetapi_set_password(c->netapi_ctx, c->opt_password); + if (c->opt_kerberos) { libnetapi_set_use_kerberos(c->netapi_ctx); } diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index a11a7bb..f0e6fe7 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -57,8 +57,7 @@ NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain, if (sec == SEC_ADS) { /* Connect to IPC$ using machine account's credentials. We don't use anonymous connection here, as it may be denied by server's local policy. */ - set_cmdline_auth_info_use_machine_account(c->auth_info); - set_cmdline_auth_info_machine_account_creds(c->auth_info); + net_use_machine_account(c); } else { /* some servers (e.g. WinNT) don't accept machine-authenticated diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c index bd5047c..6b23db7 100644 --- a/source3/utils/net_rpc_samsync.c +++ b/source3/utils/net_rpc_samsync.c @@ -379,8 +379,8 @@ NTSTATUS rpc_vampire_keytab_internals(struct net_context *c, ctx->cli = pipe_hnd; ctx->ops = &libnet_samsync_keytab_ops; ctx->domain_name = domain_name; - ctx->username = get_cmdline_auth_info_username(c->auth_info); - ctx->password = get_cmdline_auth_info_password(c->auth_info); + ctx->username = c->opt_user_name; + ctx->password = c->opt_password; ctx->force_full_replication = c->opt_force_full_repl ? true : false; ctx->clean_old_entries = c->opt_clean_old_entries ? true : false; diff --git a/source3/utils/net_rpc_shell.c b/source3/utils/net_rpc_shell.c index dc13e91..3aaed1e 100644 --- a/source3/utils/net_rpc_shell.c +++ b/source3/utils/net_rpc_shell.c @@ -220,12 +220,9 @@ int net_rpc_shell(struct net_context *c, int argc, const char **argv) if (libnetapi_init(&c->netapi_ctx) != 0) { return -1; } - set_cmdline_auth_info_getpass(c->auth_info); - libnetapi_set_username(c->netapi_ctx, - get_cmdline_auth_info_username(c->auth_info)); - libnetapi_set_password(c->netapi_ctx, - get_cmdline_auth_info_password(c->auth_info)); - if (get_cmdline_auth_info_use_kerberos(c->auth_info)) { + libnetapi_set_username(c->netapi_ctx, c->opt_user_name); + libnetapi_set_password(c->netapi_ctx, c->opt_password); + if (c->opt_kerberos) { libnetapi_set_use_kerberos(c->netapi_ctx); } diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c index 50f3c1d..8bf9aac 100644 --- a/source3/utils/net_util.c +++ b/source3/utils/net_util.c @@ -96,22 +96,22 @@ NTSTATUS connect_to_service(struct net_context *c, { NTSTATUS nt_status; int flags = 0; - struct user_auth_info *ai = c->auth_info; - set_cmdline_auth_info_getpass(ai); + c->opt_password = net_prompt_pass(c, c->opt_user_name); - if (get_cmdline_auth_info_use_kerberos(ai)) { - flags |= CLI_FULL_CONNECTION_USE_KERBEROS | - CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS; + if (c->opt_kerberos) { + flags |= CLI_FULL_CONNECTION_USE_KERBEROS; + } + + if (c->opt_kerberos && c->opt_password) { + flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS; } nt_status = cli_full_connection(cli_ctx, NULL, server_name, server_ss, c->opt_port, service_name, service_type, - get_cmdline_auth_info_username(ai), - c->opt_workgroup, - get_cmdline_auth_info_password(ai), - flags, Undefined, NULL); + c->opt_user_name, c->opt_workgroup, + c->opt_password, flags, Undefined, NULL); if (!NT_STATUS_IS_OK(nt_status)) { d_fprintf(stderr, "Could not connect to server %s\n", server_name); @@ -131,10 +131,10 @@ NTSTATUS connect_to_service(struct net_context *c, return nt_status; } - if (get_cmdline_auth_info_smb_encrypt(ai)) { + if (c->smb_encrypt) { nt_status = cli_force_encryption(*cli_ctx, - get_cmdline_auth_info_username(ai), - get_cmdline_auth_info_password(ai), + c->opt_user_name, + c->opt_password, c->opt_workgroup); if (NT_STATUS_EQUAL(nt_status,NT_STATUS_NOT_SUPPORTED)) { @@ -234,12 +234,14 @@ NTSTATUS connect_to_ipc_krb5(struct net_context *c, { NTSTATUS nt_status; char *user_and_realm = NULL; - struct user_auth_info *ai = c->auth_info; /* FIXME: Should get existing kerberos ticket if possible. */ - set_cmdline_auth_info_getpass(ai); + c->opt_password = net_prompt_pass(c, c->opt_user_name); + if (!c->opt_password) { + return NT_STATUS_NO_MEMORY; + } - user_and_realm = get_user_and_realm(get_cmdline_auth_info_username(ai)); + user_and_realm = get_user_and_realm(c->opt_user_name); if (!user_and_realm) { return NT_STATUS_NO_MEMORY; } @@ -248,7 +250,7 @@ NTSTATUS connect_to_ipc_krb5(struct net_context *c, server_ss, c->opt_port, "IPC$", "IPC", user_and_realm, c->opt_workgroup, - get_cmdline_auth_info_password(ai), + c->opt_password, CLI_FULL_CONNECTION_USE_KERBEROS, Undefined, NULL); @@ -259,10 +261,10 @@ NTSTATUS connect_to_ipc_krb5(struct net_context *c, return nt_status; } - if (get_cmdline_auth_info_smb_encrypt(ai)) { + if (c->smb_encrypt) { nt_status = cli_cm_force_encryption(*cli_ctx, user_and_realm, - get_cmdline_auth_info_password(ai), + c->opt_password, c->opt_workgroup, "IPC$"); if (!NT_STATUS_IS_OK(nt_status)) { @@ -326,6 +328,50 @@ NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst, return nt_status; } +/**************************************************************************** + Use the local machine account (krb) and password for this session. +****************************************************************************/ + +int net_use_krb_machine_account(struct net_context *c) +{ + char *user_name = NULL; + + if (!secrets_init()) { + d_fprintf(stderr, "ERROR: Unable to open secrets database\n"); + exit(1); + } + + c->opt_password = secrets_fetch_machine_password( + c->opt_target_workgroup, NULL, NULL); + if (asprintf(&user_name, "%s$@%s", global_myname(), lp_realm()) == -1) { + return -1; + } + c->opt_user_name = user_name; + return 0; +} + +/**************************************************************************** + Use the machine account name and password for this session. +****************************************************************************/ + +int net_use_machine_account(struct net_context *c) +{ + char *user_name = NULL; + + if (!secrets_init()) { + d_fprintf(stderr, "ERROR: Unable to open secrets database\n"); + exit(1); + } + + c->opt_password = secrets_fetch_machine_password( + c->opt_target_workgroup, NULL, NULL); + if (asprintf(&user_name, "%s$", global_myname()) == -1) { + return -1; + } + c->opt_user_name = user_name; + return 0; +} + bool net_find_server(struct net_context *c, const char *domain, unsigned flags, @@ -489,6 +535,33 @@ done: /**************************************************************************** ****************************************************************************/ +const char *net_prompt_pass(struct net_context *c, const char *user) +{ + char *prompt = NULL; + const char *pass = NULL; + + if (c->opt_password) { + return c->opt_password; + } + + if (c->opt_machine_pass) { + return NULL; + } + + if (c->opt_kerberos && !c->opt_user_specified) { + return NULL; + } + + if (asprintf(&prompt, "Enter %s's password:", user) == -1) { + return NULL; + } + + pass = getpass(prompt); + SAFE_FREE(prompt); + + return pass; +} + int net_run_function(struct net_context *c, int argc, const char **argv, const char *whoami, struct functable *table) { -- 1.5.4.3