From: Andrew Bartlett <abartlet@samba.org>
Date: Mon, 10 Apr 2017 04:10:00 +0000 (+1200)
Subject: join.py: Do not expose the old machine password over NTLM if -k yes was set
X-Git-Tag: ldb-1.1.31~111
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=00de59a478301a00a33b420524cd52caf481854f;p=thirdparty%2Fsamba.git

join.py: Do not expose the old machine password over NTLM if -k yes was set

This makes the test for a valid machine account stricter (as a kerberos error could
cause this to fail and so skip the validation), but we never wish to use NTLM
if the administrator disabled it on the command line

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
---

diff --git a/python/samba/join.py b/python/samba/join.py
index 6a924359407..3e70db08d2a 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -209,6 +209,7 @@ class dc_join(object):
         creds.guess(ctx.lp)
         try:
             creds.set_machine_account(ctx.lp)
+            creds.set_kerberos_state(ctx.creds.get_kerberos_state())
             machine_samdb = SamDB(url="ldap://%s" % ctx.server,
                                   session_info=system_session(),
                                 credentials=creds, lp=ctx.lp)