From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 18 Sep 2024 21:48:00 +0000 (+0200)
Subject: s3:utils: let 'net ads testjoin' fail without valid machine credentials
X-Git-Tag: tdb-1.4.13~1197
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ab3fc1595c0a2e0aa3719cc2fe4684e9a0a2f9d8;p=thirdparty%2Fsamba.git

s3:utils: let 'net ads testjoin' fail without valid machine credentials

This will allow doing tests and make sure using anonymous credentials
doesn't cause false positive results...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15714

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
---

diff --git a/selftest/knownfail.d/net_ads_testjoin b/selftest/knownfail.d/net_ads_testjoin
new file mode 100644
index 00000000000..4e88d4a9031
--- /dev/null
+++ b/selftest/knownfail.d/net_ads_testjoin
@@ -0,0 +1,4 @@
+^samba3.blackbox.update_keytab_clustered.net_ads_testjoin_initial.clusteredmember
+^samba3.blackbox.update_keytab_clustered.net_ads_testjoin_after_sync.clusteredmember
+^samba3.blackbox.update_keytab_clustered.wbinfo_change_secret_after_sync.clusteredmember
+^samba3.blackbox.update_keytab_clustered.net_ads_testjoin_final.clusteredmember
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 577834d96b5..0e5da492faf 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -1556,6 +1556,12 @@ static ADS_STATUS net_ads_join_ok(struct net_context *c)
 
 	net_use_krb_machine_account(c);
 
+	if (!cli_credentials_authentication_requested(c->creds)) {
+		DBG_ERR("Failed to get machine credentials\n");
+		TALLOC_FREE(tmp_ctx);
+		return ADS_ERROR_NT(NT_STATUS_ACCESS_DENIED);
+	}
+
 	get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip);
 
 	status = ads_startup(c, true, tmp_ctx, &ads);