From: Stefan Metzmacher Date: Thu, 28 Apr 2022 15:59:00 +0000 (+0200) Subject: s3:libnet_join: pass down cli_credentials *admin_credentials to libnet_{Join,Unjoin... X-Git-Tag: tdb-1.4.11~747 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f4f31236c4aac21e4e6e96fd507ea3ba1b6d3fef;p=thirdparty%2Fsamba.git s3:libnet_join: pass down cli_credentials *admin_credentials to libnet_{Join,Unjoin}Ctx() Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider --- diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c index f57f441d301..2b9d26fbaca 100644 --- a/source3/lib/netapi/joindomain.c +++ b/source3/lib/netapi/joindomain.c @@ -83,14 +83,24 @@ WERROR NetJoinDomain_l(struct libnetapi_ctx *mem_ctx, W_ERROR_HAVE_NO_MEMORY(j->in.account_ou); } - if (r->in.account) { - j->in.admin_account = talloc_strdup(mem_ctx, r->in.account); - W_ERROR_HAVE_NO_MEMORY(j->in.admin_account); - } + if (r->in.account != NULL) { + NTSTATUS status; - if (r->in.password) { - j->in.admin_password = talloc_strdup(mem_ctx, r->in.password); - W_ERROR_HAVE_NO_MEMORY(j->in.admin_password); + status = ads_simple_creds(j, + r->in.domain, + r->in.account, + r->in.password, + &j->in.admin_credentials); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(j); + return WERR_NERR_BADUSERNAME; + } + } else { + libnetapi_get_creds(mem_ctx, &j->in.admin_credentials); + if (j->in.admin_credentials == NULL) { + TALLOC_FREE(j); + return WERR_NERR_BADUSERNAME; + } } j->in.join_flags = r->in.join_flags; @@ -228,14 +238,24 @@ WERROR NetUnjoinDomain_l(struct libnetapi_ctx *mem_ctx, u->in.domain_name = domain; } - if (r->in.account) { - u->in.admin_account = talloc_strdup(mem_ctx, r->in.account); - W_ERROR_HAVE_NO_MEMORY(u->in.admin_account); - } + if (r->in.account != NULL) { + NTSTATUS status; - if (r->in.password) { - u->in.admin_password = talloc_strdup(mem_ctx, r->in.password); - W_ERROR_HAVE_NO_MEMORY(u->in.admin_password); + status = ads_simple_creds(u, + domain, + r->in.account, + r->in.password, + &u->in.admin_credentials); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(u); + return WERR_NERR_BADUSERNAME; + } + } else { + libnetapi_get_creds(mem_ctx, &u->in.admin_credentials); + if (u->in.admin_credentials == NULL) { + TALLOC_FREE(u); + return WERR_NERR_BADUSERNAME; + } } u->in.domain_name = domain; @@ -613,8 +633,6 @@ static WERROR NetProvisionComputerAccount_backend(struct libnetapi_ctx *ctx, { WERROR werr; struct libnet_JoinCtx *j = NULL; - int use_kerberos = 0; - const char *username = NULL; werr = libnet_init_JoinCtx(mem_ctx, &j); if (!W_ERROR_IS_OK(werr)) { @@ -650,35 +668,12 @@ static WERROR NetProvisionComputerAccount_backend(struct libnetapi_ctx *ctx, } } - libnetapi_get_username(ctx, &username); - if (username == NULL) { + libnetapi_get_creds(ctx, &j->in.admin_credentials); + if (j->in.admin_credentials == NULL) { talloc_free(j); return WERR_NERR_BADUSERNAME; } - j->in.admin_account = talloc_strdup(j, username); - if (j->in.admin_account == NULL) { - talloc_free(j); - return WERR_NOT_ENOUGH_MEMORY; - } - - libnetapi_get_use_kerberos(ctx, &use_kerberos); - if (!use_kerberos) { - const char *password = NULL; - - libnetapi_get_password(ctx, &password); - if (password == NULL) { - talloc_free(j); - return WERR_NERR_BADPASSWORD; - } - j->in.admin_password = talloc_strdup(j, password); - if (j->in.admin_password == NULL) { - talloc_free(j); - return WERR_NOT_ENOUGH_MEMORY; - } - } - - j->in.use_kerberos = use_kerberos; j->in.debug = true; j->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE | WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE; diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 89e5239fd9e..18f27b1e4a8 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -131,17 +131,13 @@ static void libnet_unjoin_set_error_string(TALLOC_CTX *mem_ctx, static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, const char *netbios_domain_name, const char *dc_name, - const char *user_name, - const char *password, - const char *ccname, + struct cli_credentials *creds, TALLOC_CTX *mem_ctx, ADS_STRUCT **ads) { TALLOC_CTX *tmp_ctx = talloc_stackframe(); ADS_STATUS status; ADS_STRUCT *my_ads = NULL; - char *cp; - enum credentials_use_kerberos krb5_state; my_ads = ads_init(tmp_ctx, dns_domain_name, @@ -153,61 +149,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, goto out; } - /* In FIPS mode, client use kerberos is forced to required. */ - krb5_state = lp_client_use_kerberos(); - switch (krb5_state) { - case CRED_USE_KERBEROS_REQUIRED: - my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; - my_ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP; - break; - case CRED_USE_KERBEROS_DESIRED: - my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; - my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; - break; - case CRED_USE_KERBEROS_DISABLED: - my_ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS; - my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; - break; - } - - if (user_name) { - ADS_TALLOC_CONST_FREE(my_ads->auth.user_name); - my_ads->auth.user_name = talloc_strdup(my_ads, user_name); - if (my_ads->auth.user_name == NULL) { - status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); - goto out; - } - if ((cp = strchr_m(my_ads->auth.user_name, '@'))!=0) { - *cp++ = '\0'; - ADS_TALLOC_CONST_FREE(my_ads->auth.realm); - my_ads->auth.realm = talloc_asprintf_strupper_m(my_ads, "%s", cp); - if (my_ads->auth.realm == NULL) { - status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); - goto out; - } - } - } - - if (password) { - ADS_TALLOC_CONST_FREE(my_ads->auth.password); - my_ads->auth.password = talloc_strdup(my_ads, password); - if (my_ads->auth.password == NULL) { - status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); - goto out; - } - } - - if (ccname != NULL) { - ADS_TALLOC_CONST_FREE(my_ads->auth.ccache_name); - my_ads->auth.ccache_name = talloc_strdup(my_ads, ccname); - if (my_ads->auth.ccache_name == NULL) { - status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); - goto out; - } - setenv(KRB5_ENV_CCNAME, my_ads->auth.ccache_name, 1); - } - - status = ads_connect_user_creds(my_ads); + status = ads_connect_creds(my_ads, creds); if (!ADS_ERR_OK(status)) { goto out; } @@ -228,54 +170,47 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx, bool use_machine_creds) { ADS_STATUS status; - const char *username; - const char *password; - const char *ccname = NULL; + struct cli_credentials *creds = NULL; if (use_machine_creds) { + const char *username = NULL; + NTSTATUS ntstatus; + if (r->in.machine_name == NULL || r->in.machine_password == NULL) { return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); } - username = talloc_asprintf(mem_ctx, "%s$", - r->in.machine_name); - if (username == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - password = r->in.machine_password; - ccname = "MEMORY:libnet_join_machine_creds"; - } else { - char *p = NULL; - - username = r->in.admin_account; - - p = strchr(r->in.admin_account, '@'); - if (p == NULL) { - username = talloc_asprintf(mem_ctx, "%s@%s", - r->in.admin_account, - r->in.admin_domain); - } - if (username == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); + if (r->out.dns_domain_name != NULL) { + username = talloc_asprintf(mem_ctx, "%s$@%s", + r->in.machine_name, + r->out.dns_domain_name); + if (username == NULL) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + } else { + username = talloc_asprintf(mem_ctx, "%s$", + r->in.machine_name); + if (username == NULL) { + return ADS_ERROR(LDAP_NO_MEMORY); + } } - password = r->in.admin_password; - - /* - * when r->in.use_kerberos is set to allow "net ads join -k" we - * may not override the provided credential cache - gd - */ - if (!r->in.use_kerberos) { - ccname = "MEMORY:libnet_join_user_creds"; + ntstatus = ads_simple_creds(mem_ctx, + r->out.netbios_domain_name, + username, + r->in.machine_password, + &creds); + if (!NT_STATUS_IS_OK(ntstatus)) { + return ADS_ERROR_NT(ntstatus); } + } else { + creds = r->in.admin_credentials; } status = libnet_connect_ads(r->out.dns_domain_name, r->out.netbios_domain_name, r->in.dc_name, - username, - password, - ccname, + creds, r, &r->in.ads); if (!ADS_ERR_OK(status)) { @@ -331,9 +266,7 @@ static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx, status = libnet_connect_ads(r->in.domain_name, r->in.domain_name, r->in.dc_name, - r->in.admin_account, - r->in.admin_password, - NULL, + r->in.admin_credentials, r, &r->in.ads); if (!ADS_ERR_OK(status)) { @@ -1043,11 +976,6 @@ static ADS_STATUS libnet_join_post_processing_ads_modify(TALLOC_CTX *mem_ctx, * to update msDS-SupportedEncryptionTypes reliable */ - if (r->in.ads->auth.ccache_name != NULL) { - ads_kdestroy(r->in.ads->auth.ccache_name); - ADS_TALLOC_CONST_FREE(r->in.ads->auth.ccache_name); - } - TALLOC_FREE(r->in.ads); status = libnet_join_connect_ads_machine(mem_ctx, r); @@ -1112,38 +1040,12 @@ static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx, static NTSTATUS libnet_join_connect_dc_ipc(TALLOC_CTX *mem_ctx, const char *dc, - const char *user, - const char *domain, - const char *pass, - bool use_kerberos, + struct cli_credentials *creds, struct cli_state **cli) { - TALLOC_CTX *frame = talloc_stackframe(); - bool fallback_after_kerberos = false; - bool use_ccache = false; - bool pw_nt_hash = false; - struct cli_credentials *creds = NULL; int flags = CLI_FULL_CONNECTION_IPC; NTSTATUS status; - if (use_kerberos && pass) { - fallback_after_kerberos = true; - } - - creds = cli_session_creds_init(frame, - user, - domain, - NULL, /* realm (use default) */ - pass, - use_kerberos, - fallback_after_kerberos, - use_ccache, - pw_nt_hash); - if (creds == NULL) { - TALLOC_FREE(frame); - return NT_STATUS_NO_MEMORY; - } - status = cli_full_connection_creds(mem_ctx, cli, NULL, @@ -1153,11 +1055,9 @@ static NTSTATUS libnet_join_connect_dc_ipc(TALLOC_CTX *mem_ctx, creds, flags); if (!NT_STATUS_IS_OK(status)) { - TALLOC_FREE(frame); return status; } - TALLOC_FREE(frame); return NT_STATUS_OK; } @@ -1169,29 +1069,27 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx, struct libnet_JoinCtx *r, struct cli_state **cli) { + TALLOC_CTX *frame = talloc_stackframe(); struct rpc_pipe_client *pipe_hnd = NULL; struct policy_handle lsa_pol; NTSTATUS status, result; union lsa_PolicyInformation *info = NULL; + struct cli_credentials *creds = NULL; struct dcerpc_binding_handle *b; - const char *account = r->in.admin_account; - const char *domain = r->in.admin_domain; - const char *password = r->in.admin_password; - bool use_kerberos = r->in.use_kerberos; if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) { - account = ""; - domain = ""; - password = NULL; - use_kerberos = false; + creds = cli_credentials_init_anon(frame); + if (creds == NULL) { + status = NT_STATUS_NO_MEMORY; + goto done; + } + } else { + creds = r->in.admin_credentials; } status = libnet_join_connect_dc_ipc(mem_ctx, r->in.dc_name, - account, - domain, - password, - use_kerberos, + creds, cli); if (!NT_STATUS_IS_OK(status)) { goto done; @@ -1251,6 +1149,7 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx, TALLOC_FREE(pipe_hnd); done: + TALLOC_FREE(frame); return status; } @@ -1308,7 +1207,8 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx, r->in.secure_channel_type); /* according to WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED */ - cli_credentials_set_password(cli_creds, r->in.admin_password, + cli_credentials_set_password(cli_creds, + r->in.passed_machine_password, CRED_SPECIFIED); status = rpccli_create_netlogon_creds_ctx( @@ -1736,7 +1636,7 @@ error: NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx, const char *netbios_domain_name, const char *dc_name, - const bool use_kerberos) + enum credentials_use_kerberos kerberos_state) { TALLOC_CTX *frame = talloc_stackframe(); struct cli_state *cli = NULL; @@ -1770,11 +1670,9 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx, /* we don't want any old password */ cli_credentials_set_old_password(cli_creds, NULL, CRED_SPECIFIED); - if (use_kerberos) { - cli_credentials_set_kerberos_state(cli_creds, - CRED_USE_KERBEROS_REQUIRED, - CRED_SPECIFIED); - } + cli_credentials_set_kerberos_state(cli_creds, + kerberos_state, + CRED_SPECIFIED); status = cli_full_connection_creds(frame, &cli, @@ -1887,11 +1785,17 @@ static WERROR libnet_join_post_verify(TALLOC_CTX *mem_ctx, struct libnet_JoinCtx *r) { NTSTATUS status; + enum credentials_use_kerberos kerberos_state = CRED_USE_KERBEROS_DESIRED; + + if (r->in.admin_credentials != NULL) { + kerberos_state = cli_credentials_get_kerberos_state( + r->in.admin_credentials); + } status = libnet_join_ok(r->in.msg_ctx, r->out.netbios_domain_name, r->in.dc_name, - r->in.use_kerberos); + kerberos_state); if (!NT_STATUS_IS_OK(status)) { libnet_join_set_error_string(mem_ctx, r, "failed to verify domain membership after joining: %s", @@ -1938,10 +1842,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, status = libnet_join_connect_dc_ipc(mem_ctx, r->in.dc_name, - r->in.admin_account, - r->in.admin_domain, - r->in.admin_password, - r->in.use_kerberos, + r->in.admin_credentials, &cli); if (!NT_STATUS_IS_OK(status)) { goto done; @@ -2355,27 +2256,6 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx, return WERR_OK; } - if (!r->in.admin_domain) { - char *admin_domain = NULL; - char *admin_account = NULL; - bool ok; - - ok = split_domain_user(mem_ctx, - r->in.admin_account, - &admin_domain, - &admin_account); - if (!ok) { - return WERR_NOT_ENOUGH_MEMORY; - } - - if (admin_domain != NULL) { - r->in.admin_domain = admin_domain; - } else { - r->in.admin_domain = r->in.domain_name; - } - r->in.admin_account = admin_account; - } - if (r->in.provision_computer_account_only) { /* * When in the "provision_computer_account_only" path we do not @@ -2720,8 +2600,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, /* Before contacting a DC, we can securely know * the realm only if the user specifies it. */ - if (r->in.use_kerberos && - r->in.domain_name_type == JoinDomNameTypeDNS) { + if (r->in.domain_name_type == JoinDomNameTypeDNS) { pre_connect_realm = r->in.domain_name; } @@ -3004,10 +2883,8 @@ static WERROR libnet_join_rollback(TALLOC_CTX *mem_ctx, u->in.debug = r->in.debug; u->in.dc_name = r->in.dc_name; u->in.domain_name = r->in.domain_name; - u->in.admin_account = r->in.admin_account; - u->in.admin_password = r->in.admin_password; + u->in.admin_credentials = r->in.admin_credentials; u->in.modify_config = r->in.modify_config; - u->in.use_kerberos = r->in.use_kerberos; u->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE | WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE; @@ -3213,27 +3090,6 @@ static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx, return WERR_NERR_SETUPDOMAINCONTROLLER; } - if (!r->in.admin_domain) { - char *admin_domain = NULL; - char *admin_account = NULL; - bool ok; - - ok = split_domain_user(mem_ctx, - r->in.admin_account, - &admin_domain, - &admin_account); - if (!ok) { - return WERR_NOT_ENOUGH_MEMORY; - } - - if (admin_domain != NULL) { - r->in.admin_domain = admin_domain; - } else { - r->in.admin_domain = r->in.domain_name; - } - r->in.admin_account = admin_account; - } - if (!secrets_init()) { libnet_unjoin_set_error_string(mem_ctx, r, "Unable to open secrets database"); diff --git a/source3/libnet/libnet_join.h b/source3/libnet/libnet_join.h index b7e2f0b1fb6..f8fd51fae94 100644 --- a/source3/libnet/libnet_join.h +++ b/source3/libnet/libnet_join.h @@ -27,7 +27,7 @@ struct messaging_context; NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx, const char *netbios_domain_name, const char *dc_name, - const bool use_kerberos); + enum credentials_use_kerberos kerberos_state); WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx, struct libnet_JoinCtx **r); WERROR libnet_init_UnjoinCtx(TALLOC_CTX *mem_ctx, diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl index 4c8e65805e8..93d621b4560 100644 --- a/source3/librpc/idl/libnet_join.idl +++ b/source3/librpc/idl/libnet_join.idl @@ -26,10 +26,9 @@ interface libnetjoin [in,ref] string *domain_name, [in] libnetjoin_JoinDomNameType domain_name_type, [in] string account_ou, - [in] string admin_account, - [in] string admin_domain, - [in,noprint] string admin_password, - [in] string machine_password, + [in,ignore] cli_credentials *admin_credentials, + [in,flag(NDR_SECRET)] string passed_machine_password, + [in,flag(NDR_SECRET)] string machine_password, [in] wkssvc_joinflags join_flags, [in] string os_version, [in] string os_name, @@ -40,7 +39,6 @@ interface libnetjoin [in] boolean8 modify_config, [in,unique] ads_struct *ads, [in] boolean8 debug, - [in] boolean8 use_kerberos, [in] netr_SchannelType secure_channel_type, [in,noprint] messaging_context *msg_ctx, [in] uint32 desired_encryption_types, @@ -68,18 +66,14 @@ interface libnetjoin [in] string machine_name, [in] string domain_name, [in] string account_ou, - [in] string admin_account, - [in] string admin_domain, - [in,noprint] string admin_password, - [in] string machine_password, + [in,ignore] cli_credentials *admin_credentials, [in] wkssvc_joinflags unjoin_flags, [in] boolean8 delete_machine_account, [in] boolean8 modify_config, [in] dom_sid *domain_sid, [in,unique] ads_struct *ads, [in] boolean8 debug, - [in] boolean8 use_kerberos, - [in,noprint] messaging_context *msg_ctx, + [in,ignore] messaging_context *msg_ctx, [out] string netbios_domain_name, [out] string dns_domain_name, [out] string forest_name, diff --git a/source3/rpc_server/wkssvc/srv_wkssvc_nt.c b/source3/rpc_server/wkssvc/srv_wkssvc_nt.c index ed16278b9fc..ed4b5a2df0e 100644 --- a/source3/rpc_server/wkssvc/srv_wkssvc_nt.c +++ b/source3/rpc_server/wkssvc/srv_wkssvc_nt.c @@ -35,6 +35,7 @@ #include "smbd/smbd.h" #include "auth.h" #include "krb5_env.h" +#include "ads.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_RPC_SRV @@ -772,19 +773,24 @@ WERROR _wkssvc_NetrJoinDomain2(struct pipes_struct *p, return werr; } + status = ads_simple_creds(j, + admin_domain, + admin_account, + cleartext_pwd, + &j->in.admin_credentials); + if (!NT_STATUS_IS_OK(status)) { + return WERR_NERR_BADUSERNAME; + } + j->in.domain_name = r->in.domain_name; j->in.account_ou = r->in.account_ou; j->in.join_flags = r->in.join_flags; - j->in.admin_account = admin_account; - j->in.admin_password = cleartext_pwd; j->in.debug = true; j->in.modify_config = lp_config_backend_is_registry(); j->in.msg_ctx = p->msg_ctx; become_root(); - setenv(KRB5_ENV_CCNAME, "MEMORY:_wkssvc_NetrJoinDomain2", 1); werr = libnet_Join(p->mem_ctx, j); - unsetenv(KRB5_ENV_CCNAME); unbecome_root(); if (!W_ERROR_IS_OK(werr)) { @@ -858,19 +864,24 @@ WERROR _wkssvc_NetrUnjoinDomain2(struct pipes_struct *p, return werr; } + status = ads_simple_creds(u, + admin_domain, + admin_account, + cleartext_pwd, + &u->in.admin_credentials); + if (!NT_STATUS_IS_OK(status)) { + return WERR_NERR_BADUSERNAME; + } + u->in.domain_name = lp_realm(); u->in.unjoin_flags = r->in.unjoin_flags | WKSSVC_JOIN_FLAGS_JOIN_TYPE; - u->in.admin_account = admin_account; - u->in.admin_password = cleartext_pwd; u->in.debug = true; u->in.modify_config = lp_config_backend_is_registry(); u->in.msg_ctx = p->msg_ctx; become_root(); - setenv(KRB5_ENV_CCNAME, "MEMORY:_wkssvc_NetrUnjoinDomain2", 1); werr = libnet_Unjoin(p->mem_ctx, u); - unsetenv(KRB5_ENV_CCNAME); unbecome_root(); if (!W_ERROR_IS_OK(werr)) { diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index d7ddef60e39..614de0f0c5f 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -1546,11 +1546,9 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv) } r->in.debug = true; - r->in.use_kerberos = c->opt_kerberos; r->in.dc_name = c->opt_host; r->in.domain_name = lp_realm(); - r->in.admin_account = c->opt_user_name; - r->in.admin_password = net_prompt_pass(c, c->opt_user_name); + r->in.admin_credentials = c->creds; r->in.modify_config = lp_config_backend_is_registry(); /* Try to delete it, but if that fails, disable it. The @@ -1845,11 +1843,9 @@ int net_ads_join(struct net_context *c, int argc, const char **argv) r->in.os_version = os_version; r->in.os_servicepack = os_servicepack; r->in.dc_name = c->opt_host; - r->in.admin_account = c->opt_user_name; - r->in.admin_password = net_prompt_pass(c, c->opt_user_name); + r->in.admin_credentials = c->creds; r->in.machine_password = machine_password; r->in.debug = true; - r->in.use_kerberos = c->opt_kerberos; r->in.modify_config = modify_config; r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE | WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE | diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index ee186c944c6..2b904fb5533 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -410,9 +410,8 @@ static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv) r->in.domain_name = domain; r->in.secure_channel_type = sec_chan_type; r->in.dc_name = c->opt_host; - r->in.admin_account = ""; - r->in.admin_password = strlower_talloc(r, pw); - if (r->in.admin_password == NULL) { + r->in.passed_machine_password = strlower_talloc(r, pw); + if (r->in.passed_machine_password == NULL) { werr = WERR_NOT_ENOUGH_MEMORY; goto fail; } @@ -484,6 +483,8 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv) TALLOC_CTX *mem_ctx; const char *domain = c->opt_target_workgroup; const char *dc = c->opt_host; + enum credentials_use_kerberos kerberos_state = + cli_credentials_get_kerberos_state(c->creds); if (c->display_usage) { d_printf("Usage\n" @@ -528,7 +529,7 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv) status = libnet_join_ok(c->msg_ctx, c->opt_workgroup, dc, - c->opt_kerberos); + kerberos_state); if (!NT_STATUS_IS_OK(status)) { fprintf(stderr,"Join to domain '%s' is not valid: %s\n", domain, nt_errstr(status)); @@ -601,10 +602,8 @@ static int net_rpc_join_newstyle(struct net_context *c, int argc, const char **a r->in.domain_name = domain; r->in.secure_channel_type = sec_chan_type; r->in.dc_name = c->opt_host; - r->in.admin_account = c->opt_user_name; - r->in.admin_password = net_prompt_pass(c, c->opt_user_name); + r->in.admin_credentials = c->creds; r->in.debug = true; - r->in.use_kerberos = c->opt_kerberos; r->in.modify_config = modify_config; r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE | WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE | diff --git a/source3/utils/py_net.c b/source3/utils/py_net.c index 5e81b8f5fdb..86c210fd4ee 100644 --- a/source3/utils/py_net.c +++ b/source3/utils/py_net.c @@ -118,18 +118,18 @@ static PyObject *py_net_join_member(py_net_Object *self, PyObject *args, PyObjec r->in.domain_name_type = JoinDomNameTypeDNS; r->in.create_upn = r->in.upn != NULL ? true : false; r->in.dc_name = self->server_address; - r->in.admin_account = cli_credentials_get_username(self->creds); - r->in.admin_password = cli_credentials_get_password(self->creds); - r->in.use_kerberos = cli_credentials_get_kerberos_state(self->creds); + r->in.admin_credentials = self->creds; r->in.modify_config = modify_config; r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE | WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE | WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED; r->in.msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE()); r->in.debug = debug; - c->opt_user_name = r->in.admin_account; - c->opt_password = r->in.admin_password; - c->opt_kerberos = r->in.use_kerberos; + + c->creds = self->creds; + c->opt_user_name = cli_credentials_get_username(self->creds); + c->opt_password = cli_credentials_get_password(self->creds); + c->opt_kerberos = cli_credentials_get_kerberos_state(self->creds); werr = libnet_Join(mem_ctx, r); if (W_ERROR_EQUAL(werr, WERR_NERR_DCNOTFOUND)) { @@ -214,11 +214,9 @@ static PyObject *py_net_leave(py_net_Object *self, PyObject *args, PyObject *kwa return NULL; } - r->in.use_kerberos = cli_credentials_get_kerberos_state(self->creds); r->in.dc_name = self->server_address; r->in.domain_name = lpcfg_realm(self->lp_ctx); - r->in.admin_account = cli_credentials_get_username(self->creds); - r->in.admin_password = cli_credentials_get_password(self->creds); + r->in.admin_credentials = self->creds; r->in.modify_config = lp_config_backend_is_registry(); r->in.debug = debug;