The branch, v3-2-stable has been updated
       via  7191071943868d668fae93403e7f86c719afae89 (commit)
      from  73c05bb8b820c42c5fa820d1cdf6591feb19a244 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-stable


- Log -----------------------------------------------------------------
commit 7191071943868d668fae93403e7f86c719afae89
Author: Günther Deschner <[EMAIL PROTECTED]>
Date:   Mon May 5 16:58:24 2008 +0200

    Fix client authentication with -P switch in client tools (Bug 5435).
    
    Guenther
    (cherry picked from commit d077ef64cd1d9bbaeb936566c2c70da508de829f)

-----------------------------------------------------------------------

Summary of changes:
 source/client/client.c       |    5 ++++
 source/include/popt_common.h |    1 +
 source/lib/popt_common.c     |   30 +------------------------
 source/lib/util.c            |   49 +++++++++++++++++++++++++++++++++++++++++-
 source/libsmb/cliconnect.c   |   22 +++++++++++++++++-
 source/rpcclient/rpcclient.c |   15 ++++++++++++-
 source/utils/smbcacls.c      |   14 +++++++++++-
 source/utils/smbcquotas.c    |   15 ++++++++++++-
 source/utils/smbtree.c       |    6 +++++
 9 files changed, 122 insertions(+), 35 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/client/client.c b/source/client/client.c
index 276ffb9..e08fa89 100644
--- a/source/client/client.c
+++ b/source/client/client.c
@@ -4875,6 +4875,11 @@ static int do_message_op(void)
                        argv[0], get_dyn_CONFIGFILE());
        }
 
+       if (get_cmdline_auth_info_use_machine_account() &&
+           !set_cmdline_auth_info_machine_account_creds()) {
+               exit(-1);
+       }
+
        load_interfaces();
 
        if (service_opt && service) {
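Review bot: The new failure path calls `exit(-1)`, which the shell reports as status 255, while the other tools touched by this commit signal the same failure as 1 (`result = 1` in rpcclient, `return 1` in smbtree); `exit(1);` would keep the exit codes uniform. The helper prints nothing when its asprintf() call fails, so on that path the tool ends without any diagnostic, and a `d_printf` before the exit would cover it. The enclosing function starts and ends outside the hunk.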
diff --git a/source/include/popt_common.h b/source/include/popt_common.h
index 9e5503f..c889d2e 100644
--- a/source/include/popt_common.h
+++ b/source/include/popt_common.h
@@ -50,6 +50,7 @@ struct user_auth_info {
        bool use_kerberos;
        int signing_state;
        bool smb_encrypt;
+       bool use_machine_account;
 };
 
 #endif /* _POPT_COMMON_H */
diff --git a/source/lib/popt_common.c b/source/lib/popt_common.c
index 8f0f7c6..25e41ab 100644
--- a/source/lib/popt_common.c
+++ b/source/lib/popt_common.c
@@ -514,35 +514,7 @@ static void popt_common_credentials_callback(poptContext 
con,
                }
                break;
        case 'P':
-               {
-                       char *opt_password = NULL;
-                       char *pwd = NULL;
-
-                       /* it is very useful to be able to make ads queries as 
the
-                          machine account for testing purposes and for domain 
leave */
-
-                       if (!secrets_init()) {
-                               d_printf("ERROR: Unable to open secrets 
database\n");
-                               exit(1);
-                       }
-
-                       opt_password = 
secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
-
-                       if (!opt_password) {
-                               d_printf("ERROR: Unable to fetch machine 
password\n");
-                               exit(1);
-                       }
-                       if (asprintf(&pwd, "%s$", global_myname()) < 0) {
-                               exit(ENOMEM);
-                       }
-                       set_cmdline_auth_info_username(pwd);
-                       set_cmdline_auth_info_password(opt_password);
-                       SAFE_FREE(pwd);
-                       SAFE_FREE(opt_password);
-
-                       /* machine accounts only work with kerberos */
-                       set_cmdline_auth_info_use_krb5_ticket();
-               }
+               set_cmdline_auth_info_use_machine_account();
                break;
        case 'N':
                set_cmdline_auth_info_password("");
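Review bot: The new `case 'P'` body drops the removed `set_cmdline_auth_info_use_krb5_ticket()` call, and the replacement helper added in source/lib/util.c does not restore it, so -P no longer forces Kerberos and the machine account password can now be offered over NTLMSSP. If that is intended it needs a comment here, because the old remark that machine accounts only work with Kerberos is deleted without a replacement. The option now only records a flag, so a tool that uses these popt credentials but never calls `set_cmdline_auth_info_machine_account_creds()` would silently ignore -P. A comment such as `/* creds are loaded later by set_cmdline_auth_info_machine_account_creds(); every tool accepting -P must call it after option parsing */` would make that contract visible. The callback body starts and ends outside the hunk.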
diff --git a/source/lib/util.c b/source/lib/util.c
index 953981e..5f95bcc 100644
--- a/source/lib/util.c
+++ b/source/lib/util.c
@@ -291,7 +291,8 @@ static struct user_auth_info cmdline_auth_info = {
        false,  /* got_pass */
        false,  /* use_kerberos */
        Undefined, /* signing state */
-       false   /* smb_encrypt */
+       false,  /* smb_encrypt */
+       false   /* use machine account */
 };
 
 const char *get_cmdline_auth_info_username(void)
@@ -370,6 +371,11 @@ void set_cmdline_auth_info_smb_encrypt(void)
        cmdline_auth_info.smb_encrypt = true;
 }
 
+void set_cmdline_auth_info_use_machine_account(void)
+{
+       cmdline_auth_info.use_machine_account = true;
+}
+
 bool get_cmdline_auth_info_got_pass(void)
 {
        return cmdline_auth_info.got_pass;
@@ -380,6 +386,11 @@ bool get_cmdline_auth_info_smb_encrypt(void)
        return cmdline_auth_info.smb_encrypt;
 }
 
+bool get_cmdline_auth_info_use_machine_account(void)
+{
+       return cmdline_auth_info.use_machine_account;
+}
+
 bool get_cmdline_auth_info_copy(struct user_auth_info *info)
 {
        *info = cmdline_auth_info;
@@ -392,6 +403,42 @@ bool get_cmdline_auth_info_copy(struct user_auth_info 
*info)
        return true;
 }
 
+bool set_cmdline_auth_info_machine_account_creds(void)
+{
+       char *pass = NULL;
+       char *account = NULL;
+
+       if (!get_cmdline_auth_info_use_machine_account()) {
+               return false;
+       }
+
+       if (!secrets_init()) {
+               d_printf("ERROR: Unable to open secrets database\n");
+               return false;
+       }
+
+       if (asprintf(&account, "[EMAIL PROTECTED]", global_myname(), 
lp_realm()) < 0) {
+               return false;
+       }
+
+       pass = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
+       if (!pass) {
+               d_printf("ERROR: Unable to fetch machine password for "
+                       "%s in domain %s\n",
+                       account, lp_workgroup());
+               SAFE_FREE(account);
+               return false;
+       }
+
+       set_cmdline_auth_info_username(account);
+       set_cmdline_auth_info_password(pass);
+
+       SAFE_FREE(account);
+       SAFE_FREE(pass);
+
+       return true;
+}
+
 /**************************************************************************n
  Find a suitable temporary directory. The result should be copied immediately
  as it may be overwritten by a subsequent call.
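Review bot: `pass` holds the machine account password fetched from the secrets database and is released with `SAFE_FREE(pass)` without being cleared, so the secret remains in freed heap memory of the command-line tool. Overwriting it first, e.g. `memset(pass, 0, strlen(pass));` before the free (or a scrubbing helper the compiler cannot elide, if the tree has one), limits that exposure. The asprintf() failure branch returns false silently, although the other two failure branches print an error. The function also has no header comment; it should say that it replaces the command-line username and password with the machine account's and returns false when -P was not given.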
diff --git a/source/libsmb/cliconnect.c b/source/libsmb/cliconnect.c
index 949bca7..e0c18d8 100644
--- a/source/libsmb/cliconnect.c
+++ b/source/libsmb/cliconnect.c
@@ -795,6 +795,8 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, 
const char *user,
        int i;
        bool got_kerberos_mechanism = False;
        DATA_BLOB blob;
+       const char *p = NULL;
+       char *account = NULL;
 
        DEBUG(3,("Doing spnego session setup (blob length=%lu)\n", (unsigned 
long)cli->secblob.length));
 
@@ -925,7 +927,17 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, 
const char *user,
 
 ntlmssp:
 
-       return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, domain));
+       account = talloc_strdup(talloc_tos(), user);
+       ADS_ERROR_HAVE_NO_MEMORY(account);
+
+       /* when falling back to ntlmssp while authenticating with a machine
+        * account strip off the realm - gd */
+
+       if ((p = strchr_m(user, '@')) != NULL) {
+               account[PTR_DIFF(p,user)] = '\0';
+       }
+
+       return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, account, pass, 
domain));
 }
 
 /****************************************************************************
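Review bot: The realm is cut from every `user` that contains '@', not only from machine accounts as the comment says, so an explicitly supplied user@realm name is also truncated once the code reaches the `ntlmssp:` label. Either the comment should describe the real scope, e.g. `/* NTLMSSP takes a bare account name: cut user at the first '@' (applies to any user@realm name) */`, or the truncation should be limited to the machine-account case. Presumably a NULL `user` now ends in the no-memory error return, because talloc_strdup() yields NULL for it where the old code passed it through; that is worth confirming against the callers. The function starts outside the hunk.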
@@ -1869,12 +1881,18 @@ struct cli_state *get_ipc_connect(char *server,
 {
         struct cli_state *cli;
        NTSTATUS nt_status;
+       uint32_t flags = CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK;
+
+       if (user_info->use_kerberos) {
+               flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
+       }
 
        nt_status = cli_full_connection(&cli, NULL, server, server_ss, 0, 
"IPC$", "IPC", 
                                        user_info->username ? 
user_info->username : "",
                                        lp_workgroup(),
                                        user_info->password ? 
user_info->password : "",
-                                       CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK, 
Undefined, NULL);
+                                       flags,
+                                       Undefined, NULL);
 
        if (NT_STATUS_IS_OK(nt_status)) {
                return cli;
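Review bot: `flags` receives only `CLI_FULL_CONNECTION_USE_KERBEROS` here, whereas rpcclient, smbcacls and smbcquotas in the same commit also set `CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS`, and nothing explains the difference. Because `CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK` stays set, a failed authenticated attempt can presumably still end in an anonymous IPC$ session, so a non-NULL return does not tell the caller which identity was used. A comment above the new `if`, such as `/* Kerberos only, no NTLMSSP retry; anonymous fallback still applies */`, would record the intent if this is deliberate. The function continues past the hunk.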
diff --git a/source/rpcclient/rpcclient.c b/source/rpcclient/rpcclient.c
index 52dba22..19026fe 100644
--- a/source/rpcclient/rpcclient.c
+++ b/source/rpcclient/rpcclient.c
@@ -734,6 +734,7 @@ out_free:
        fstring new_workgroup;
        int result = 0;
        TALLOC_CTX *frame = talloc_stackframe();
+       uint32_t flags = 0;
 
        /* make sure the vars that get altered (4th field) are in
           a fixed location or certain compilers complain */
@@ -825,6 +826,12 @@ out_free:
         * from stdin if necessary
         */
 
+       if (get_cmdline_auth_info_use_machine_account() &&
+           !set_cmdline_auth_info_machine_account_creds()) {
+               result = 1;
+               goto done;
+       }
+
        if (!get_cmdline_auth_info_got_pass()) {
                char *pass = getpass("Password:");
                if (pass) {
@@ -837,13 +844,19 @@ out_free:
                server += 2;
        }
 
+       if (get_cmdline_auth_info_use_kerberos()) {
+               flags |= CLI_FULL_CONNECTION_USE_KERBEROS |
+                        CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
+       }
+
+
        nt_status = cli_full_connection(&cli, global_myname(), server,
                                        opt_ipaddr ? &server_ss : NULL, 
opt_port,
                                        "IPC$", "IPC",
                                        get_cmdline_auth_info_username(),
                                        lp_workgroup(),
                                        get_cmdline_auth_info_password(),
-                                       get_cmdline_auth_info_use_kerberos() ? 
CLI_FULL_CONNECTION_USE_KERBEROS : 0,
+                                       flags,
                                        
get_cmdline_auth_info_signing_state(),NULL);
 
        if (!NT_STATUS_IS_OK(nt_status)) {
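Review bot: Adding `CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS` changes what a Kerberos request means: before this hunk it passed `CLI_FULL_CONNECTION_USE_KERBEROS` alone, and the new flag's name indicates the connection may now continue with another mechanism when Kerberos fails. The commit message does not mention this, and the same flag pair is added to `connect_one()` in source/utils/smbcacls.c and source/utils/smbcquotas.c (the latter passed `0` before). If the fallback is intended, a comment such as `/* try Kerberos first, but allow NTLMSSP if it fails */` at each site would document it, since together with -P it lets the machine password be used for NTLMSSP. The second blank line after the closing brace of the new `if` can be dropped.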
diff --git a/source/utils/smbcacls.c b/source/utils/smbcacls.c
index 134f561..97d194a 100644
--- a/source/utils/smbcacls.c
+++ b/source/utils/smbcacls.c
@@ -825,8 +825,20 @@ static struct cli_state *connect_one(const char *server, 
const char *share)
        struct cli_state *c = NULL;
        struct sockaddr_storage ss;
        NTSTATUS nt_status;
+       uint32_t flags = 0;
+
        zero_addr(&ss);
 
+       if (get_cmdline_auth_info_use_kerberos()) {
+               flags |= CLI_FULL_CONNECTION_USE_KERBEROS |
+                        CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
+       }
+
+       if (get_cmdline_auth_info_use_machine_account() &&
+           !set_cmdline_auth_info_machine_account_creds()) {
+               return NULL;
+       }
+
        if (!get_cmdline_auth_info_got_pass()) {
                char *pass = getpass("Password: ");
                if (pass) {
@@ -840,7 +852,7 @@ static struct cli_state *connect_one(const char *server, 
const char *share)
                                get_cmdline_auth_info_username(),
                                lp_workgroup(),
                                get_cmdline_auth_info_password(),
-                               get_cmdline_auth_info_use_kerberos() ? 
CLI_FULL_CONNECTION_USE_KERBEROS : 0,
+                               flags,
                                get_cmdline_auth_info_signing_state(),
                                NULL);
        if (!NT_STATUS_IS_OK(nt_status)) {
diff --git a/source/utils/smbcquotas.c b/source/utils/smbcquotas.c
index 508a2dc..a73c3b4 100644
--- a/source/utils/smbcquotas.c
+++ b/source/utils/smbcquotas.c
@@ -371,8 +371,21 @@ static struct cli_state *connect_one(const char *share)
        struct cli_state *c;
        struct sockaddr_storage ss;
        NTSTATUS nt_status;
+       uint32_t flags = 0;
+
        zero_addr(&ss);
 
+       if (get_cmdline_auth_info_use_machine_account() &&
+           !set_cmdline_auth_info_machine_account_creds()) {
+               return NULL;
+       }
+
+       if (get_cmdline_auth_info_use_kerberos()) {
+               flags |= CLI_FULL_CONNECTION_USE_KERBEROS |
+                        CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
+
+       }
+
        if (!get_cmdline_auth_info_got_pass()) {
                char *pass = getpass("Password: ");
                if (pass) {
@@ -386,7 +399,7 @@ static struct cli_state *connect_one(const char *share)
                                            get_cmdline_auth_info_username(),
                                            lp_workgroup(),
                                            get_cmdline_auth_info_password(),
-                                           0,
+                                           flags,
                                            
get_cmdline_auth_info_signing_state(),
                                            NULL);
        if (!NT_STATUS_IS_OK(nt_status)) {
diff --git a/source/utils/smbtree.c b/source/utils/smbtree.c
index 48eae5a..b070c0e 100644
--- a/source/utils/smbtree.c
+++ b/source/utils/smbtree.c
@@ -302,6 +302,12 @@ static bool print_tree(struct user_auth_info *user_info)
 
        /* Parse command line args */
 
+       if (get_cmdline_auth_info_use_machine_account() &&
+           !set_cmdline_auth_info_machine_account_creds()) {
+               TALLOC_FREE(frame);
+               return 1;
+       }
+
        if (!get_cmdline_auth_info_got_pass()) {
                char *pass = getpass("Password: ");
                if (pass) {


-- 
Samba Shared Repository
