[SCM] Samba Shared Repository - branch v3-2-stable updated - release-3-2-0pre3-85-g7191071

Karolin Seeger kseeger at samba.org
Thu May 15 12:34:15 GMT 2008


The branch, v3-2-stable has been updated
       via  7191071943868d668fae93403e7f86c719afae89 (commit)
      from  73c05bb8b820c42c5fa820d1cdf6591feb19a244 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-stable


- Log -----------------------------------------------------------------
commit 7191071943868d668fae93403e7f86c719afae89
Author: Günther Deschner <gd at samba.org>
Date:   Mon May 5 16:58:24 2008 +0200

    Fix client authentication with -P switch in client tools (Bug 5435).
    
    Guenther
    (cherry picked from commit d077ef64cd1d9bbaeb936566c2c70da508de829f)

-----------------------------------------------------------------------

Summary of changes:
 source/client/client.c       |    5 ++++
 source/include/popt_common.h |    1 +
 source/lib/popt_common.c     |   30 +------------------------
 source/lib/util.c            |   49 +++++++++++++++++++++++++++++++++++++++++-
 source/libsmb/cliconnect.c   |   22 +++++++++++++++++-
 source/rpcclient/rpcclient.c |   15 ++++++++++++-
 source/utils/smbcacls.c      |   14 +++++++++++-
 source/utils/smbcquotas.c    |   15 ++++++++++++-
 source/utils/smbtree.c       |    6 +++++
 9 files changed, 122 insertions(+), 35 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/client/client.c b/source/client/client.c
index 276ffb9..e08fa89 100644
--- a/source/client/client.c
+++ b/source/client/client.c
@@ -4875,6 +4875,11 @@ static int do_message_op(void)
 			argv[0], get_dyn_CONFIGFILE());
 	}
 
+	if (get_cmdline_auth_info_use_machine_account() &&
+	    !set_cmdline_auth_info_machine_account_creds()) {
+		exit(-1);
+	}
+
 	load_interfaces();
 
 	if (service_opt && service) {
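Review bot: The new failure path calls `exit(-1)`, which the shell sees as status 255, while the other call sites added in this commit report the same failure as `1` or `NULL`. `exit(1);` would keep the tools consistent for scripts that check the status. The enclosing function starts and ends outside the hunk, so any cleanup it would normally do before exiting is not visible here.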
diff --git a/source/include/popt_common.h b/source/include/popt_common.h
index 9e5503f..c889d2e 100644
--- a/source/include/popt_common.h
+++ b/source/include/popt_common.h
@@ -50,6 +50,7 @@ struct user_auth_info {
 	bool use_kerberos;
 	int signing_state;
 	bool smb_encrypt;
+	bool use_machine_account;
 };
 
 #endif /* _POPT_COMMON_H */
diff --git a/source/lib/popt_common.c b/source/lib/popt_common.c
index 8f0f7c6..25e41ab 100644
--- a/source/lib/popt_common.c
+++ b/source/lib/popt_common.c
@@ -514,35 +514,7 @@ static void popt_common_credentials_callback(poptContext con,
 		}
 		break;
 	case 'P':
-	        {
-			char *opt_password = NULL;
-			char *pwd = NULL;
-
-			/* it is very useful to be able to make ads queries as the
-			   machine account for testing purposes and for domain leave */
-
-			if (!secrets_init()) {
-				d_printf("ERROR: Unable to open secrets database\n");
-				exit(1);
-			}
-
-			opt_password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
-
-			if (!opt_password) {
-				d_printf("ERROR: Unable to fetch machine password\n");
-				exit(1);
-			}
-			if (asprintf(&pwd, "%s$", global_myname()) < 0) {
-				exit(ENOMEM);
-			}
-			set_cmdline_auth_info_username(pwd);
-			set_cmdline_auth_info_password(opt_password);
-			SAFE_FREE(pwd);
-			SAFE_FREE(opt_password);
-
-			/* machine accounts only work with kerberos */
-			set_cmdline_auth_info_use_krb5_ticket();
-		}
+		set_cmdline_auth_info_use_machine_account();
 		break;
 	case 'N':
 		set_cmdline_auth_info_password("");
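Review bot: The removed block ended with `set_cmdline_auth_info_use_krb5_ticket()` under the comment "machine accounts only work with kerberos", but the replacement `case 'P':` only sets a flag, and the new helper in util.c does not request Kerberos either. As far as the visible hunks show, `-P` without `-k` now authenticates with the machine password over whatever mechanism the tool negotiates. If that is intended, a comment here should say so, e.g. `/* creds are loaded later by set_cmdline_auth_info_machine_account_creds(); Kerberos is no longer forced, pass -k to require it */`. The old rationale comment about ads queries and domain leave is also lost and is worth keeping next to the option.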
diff --git a/source/lib/util.c b/source/lib/util.c
index 953981e..5f95bcc 100644
--- a/source/lib/util.c
+++ b/source/lib/util.c
@@ -291,7 +291,8 @@ static struct user_auth_info cmdline_auth_info = {
 	false,	/* got_pass */
 	false,	/* use_kerberos */
 	Undefined, /* signing state */
-	false	/* smb_encrypt */
+	false,	/* smb_encrypt */
+	false   /* use machine account */
 };
 
 const char *get_cmdline_auth_info_username(void)
@@ -370,6 +371,11 @@ void set_cmdline_auth_info_smb_encrypt(void)
 	cmdline_auth_info.smb_encrypt = true;
 }
 
+void set_cmdline_auth_info_use_machine_account(void)
+{
+	cmdline_auth_info.use_machine_account = true;
+}
+
 bool get_cmdline_auth_info_got_pass(void)
 {
 	return cmdline_auth_info.got_pass;
@@ -380,6 +386,11 @@ bool get_cmdline_auth_info_smb_encrypt(void)
 	return cmdline_auth_info.smb_encrypt;
 }
 
+bool get_cmdline_auth_info_use_machine_account(void)
+{
+	return cmdline_auth_info.use_machine_account;
+}
+
 bool get_cmdline_auth_info_copy(struct user_auth_info *info)
 {
 	*info = cmdline_auth_info;
@@ -392,6 +403,42 @@ bool get_cmdline_auth_info_copy(struct user_auth_info *info)
 	return true;
 }
 
+bool set_cmdline_auth_info_machine_account_creds(void)
+{
+	char *pass = NULL;
+	char *account = NULL;
+
+	if (!get_cmdline_auth_info_use_machine_account()) {
+		return false;
+	}
+
+	if (!secrets_init()) {
+		d_printf("ERROR: Unable to open secrets database\n");
+		return false;
+	}
+
+	if (asprintf(&account, "%s$@%s", global_myname(), lp_realm()) < 0) {
+		return false;
+	}
+
+	pass = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
+	if (!pass) {
+		d_printf("ERROR: Unable to fetch machine password for "
+			"%s in domain %s\n",
+			account, lp_workgroup());
+		SAFE_FREE(account);
+		return false;
+	}
+
+	set_cmdline_auth_info_username(account);
+	set_cmdline_auth_info_password(pass);
+
+	SAFE_FREE(account);
+	SAFE_FREE(pass);
+
+	return true;
+}
+
 /**************************************************************************n
  Find a suitable temporary directory. The result should be copied immediately
  as it may be overwritten by a subsequent call.
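Review bot: In `set_cmdline_auth_info_machine_account_creds()` the machine password in `pass` is released with `SAFE_FREE(pass)` without being overwritten first, so a plaintext copy of the domain secret stays in freed heap memory. Wiping the buffer before the free, with a routine the compiler cannot elide, would limit that exposure. `lp_realm()` is also used unchecked in `asprintf(&account, "%s$@%s", ...)`, so if no realm is configured the account name presumably ends in a bare `@`, and the `asprintf` failure path returns `false` without a message, unlike the other two failure paths. The function has no header comment in the file's block style; it should state that it loads the machine account name and password from the secrets database into `cmdline_auth_info` and returns false on failure.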
diff --git a/source/libsmb/cliconnect.c b/source/libsmb/cliconnect.c
index 949bca7..e0c18d8 100644
--- a/source/libsmb/cliconnect.c
+++ b/source/libsmb/cliconnect.c
@@ -795,6 +795,8 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 	int i;
 	bool got_kerberos_mechanism = False;
 	DATA_BLOB blob;
+	const char *p = NULL;
+	char *account = NULL;
 
 	DEBUG(3,("Doing spnego session setup (blob length=%lu)\n", (unsigned long)cli->secblob.length));
 
@@ -925,7 +927,17 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 
 ntlmssp:
 
-	return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, domain));
+	account = talloc_strdup(talloc_tos(), user);
+	ADS_ERROR_HAVE_NO_MEMORY(account);
+
+	/* when falling back to ntlmssp while authenticating with a machine
+	 * account strip off the realm - gd */
+
+	if ((p = strchr_m(user, '@')) != NULL) {
+		account[PTR_DIFF(p,user)] = '\0';
+	}
+
+	return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, account, pass, domain));
 }
 
 /****************************************************************************
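Review bot: The realm is stripped for every `user` containing `@`, although the comment at the `ntlmssp:` label limits the intent to machine accounts. A UPN-style name supplied by the caller is therefore silently truncated on the NTLMSSP fallback and sent with `domain` unchanged, which may authenticate a different principal than the one requested. Either narrow the condition to names where `'$'` immediately precedes the `'@'`, or reword the comment to say the strip applies to all names, and log it, e.g. `DEBUG(3,("falling back to ntlmssp as %s\n", account));`. The body of cli_session_setup_spnego starts outside the hunk, so whether `user` can be NULL at this point is not visible; `talloc_strdup` would then be reported as out of memory.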
@@ -1869,12 +1881,18 @@ struct cli_state *get_ipc_connect(char *server,
 {
         struct cli_state *cli;
 	NTSTATUS nt_status;
+	uint32_t flags = CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK;
+
+	if (user_info->use_kerberos) {
+		flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
+	}
 
 	nt_status = cli_full_connection(&cli, NULL, server, server_ss, 0, "IPC$", "IPC", 
 					user_info->username ? user_info->username : "",
 					lp_workgroup(),
 					user_info->password ? user_info->password : "",
-					CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK, Undefined, NULL);
+					flags,
+					Undefined, NULL);
 
 	if (NT_STATUS_IS_OK(nt_status)) {
 		return cli;
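Review bot: `get_ipc_connect()` sets only `CLI_FULL_CONNECTION_USE_KERBEROS`, while rpcclient, smbcacls and smbcquotas in this same commit also set `CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS`. Because `CLI_FULL_CONNECTION_ANONYMOUS_FALLBACK` stays set, a failed Kerberos or machine-account login here would, judging by the flag names, continue as an anonymous session without telling the user. If the difference is deliberate, a comment above the `flags` initialiser should state it, e.g. `/* no NTLMSSP fallback here: on Kerberos failure we drop to anonymous */`. `user_info` is dereferenced without a NULL check, which the pre-existing call already did.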
diff --git a/source/rpcclient/rpcclient.c b/source/rpcclient/rpcclient.c
index 52dba22..19026fe 100644
--- a/source/rpcclient/rpcclient.c
+++ b/source/rpcclient/rpcclient.c
@@ -734,6 +734,7 @@ out_free:
 	fstring new_workgroup;
 	int result = 0;
 	TALLOC_CTX *frame = talloc_stackframe();
+	uint32_t flags = 0;
 
 	/* make sure the vars that get altered (4th field) are in
 	   a fixed location or certain compilers complain */
@@ -825,6 +826,12 @@ out_free:
 	 * from stdin if necessary
 	 */
 
+	if (get_cmdline_auth_info_use_machine_account() &&
+	    !set_cmdline_auth_info_machine_account_creds()) {
+		result = 1;
+		goto done;
+	}
+
 	if (!get_cmdline_auth_info_got_pass()) {
 		char *pass = getpass("Password:");
 		if (pass) {
@@ -837,13 +844,19 @@ out_free:
 		server += 2;
 	}
 
+	if (get_cmdline_auth_info_use_kerberos()) {
+		flags |= CLI_FULL_CONNECTION_USE_KERBEROS |
+			 CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
+	}
+
+
 	nt_status = cli_full_connection(&cli, global_myname(), server,
 					opt_ipaddr ? &server_ss : NULL, opt_port,
 					"IPC$", "IPC",
 					get_cmdline_auth_info_username(),
 					lp_workgroup(),
 					get_cmdline_auth_info_password(),
-					get_cmdline_auth_info_use_kerberos() ? CLI_FULL_CONNECTION_USE_KERBEROS : 0,
+					flags,
 					get_cmdline_auth_info_signing_state(),NULL);
 
 	if (!NT_STATUS_IS_OK(nt_status)) {
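Review bot: With this change `-k` also sets `CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS`, so, judging by the flag name, a user who explicitly asked for Kerberos can end up authenticating over NTLMSSP when Kerberos fails, with nothing printed. The same pair of flags is set in `connect_one()` in smbcacls.c and in smbcquotas.c, which previously passed `0`. If the fallback is only needed for the `-P` case, it could be conditioned on it: `if (get_cmdline_auth_info_use_machine_account()) flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;`. Otherwise a comment at the `flags` assignment should record that the downgrade is intended. The enclosing function starts outside the hunk.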
diff --git a/source/utils/smbcacls.c b/source/utils/smbcacls.c
index 134f561..97d194a 100644
--- a/source/utils/smbcacls.c
+++ b/source/utils/smbcacls.c
@@ -825,8 +825,20 @@ static struct cli_state *connect_one(const char *server, const char *share)
 	struct cli_state *c = NULL;
 	struct sockaddr_storage ss;
 	NTSTATUS nt_status;
+	uint32_t flags = 0;
+
 	zero_addr(&ss);
 
+	if (get_cmdline_auth_info_use_kerberos()) {
+		flags |= CLI_FULL_CONNECTION_USE_KERBEROS |
+			 CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
+	}
+
+	if (get_cmdline_auth_info_use_machine_account() &&
+	    !set_cmdline_auth_info_machine_account_creds()) {
+		return NULL;
+	}
+
 	if (!get_cmdline_auth_info_got_pass()) {
 		char *pass = getpass("Password: ");
 		if (pass) {
@@ -840,7 +852,7 @@ static struct cli_state *connect_one(const char *server, const char *share)
 				get_cmdline_auth_info_username(),
 				lp_workgroup(),
 				get_cmdline_auth_info_password(),
-				get_cmdline_auth_info_use_kerberos() ? CLI_FULL_CONNECTION_USE_KERBEROS : 0,
+				flags,
 				get_cmdline_auth_info_signing_state(),
 				NULL);
 	if (!NT_STATUS_IS_OK(nt_status)) {
diff --git a/source/utils/smbcquotas.c b/source/utils/smbcquotas.c
index 508a2dc..a73c3b4 100644
--- a/source/utils/smbcquotas.c
+++ b/source/utils/smbcquotas.c
@@ -371,8 +371,21 @@ static struct cli_state *connect_one(const char *share)
 	struct cli_state *c;
 	struct sockaddr_storage ss;
 	NTSTATUS nt_status;
+	uint32_t flags = 0;
+
 	zero_addr(&ss);
 
+	if (get_cmdline_auth_info_use_machine_account() &&
+	    !set_cmdline_auth_info_machine_account_creds()) {
+		return NULL;
+	}
+
+	if (get_cmdline_auth_info_use_kerberos()) {
+		flags |= CLI_FULL_CONNECTION_USE_KERBEROS |
+			 CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
+
+	}
+
 	if (!get_cmdline_auth_info_got_pass()) {
 		char *pass = getpass("Password: ");
 		if (pass) {
@@ -386,7 +399,7 @@ static struct cli_state *connect_one(const char *share)
 					    get_cmdline_auth_info_username(),
 					    lp_workgroup(),
 					    get_cmdline_auth_info_password(),
-					    0,
+					    flags,
 					    get_cmdline_auth_info_signing_state(),
 					    NULL);
 	if (!NT_STATUS_IS_OK(nt_status)) {
diff --git a/source/utils/smbtree.c b/source/utils/smbtree.c
index 48eae5a..b070c0e 100644
--- a/source/utils/smbtree.c
+++ b/source/utils/smbtree.c
@@ -302,6 +302,12 @@ static bool print_tree(struct user_auth_info *user_info)
 
 	/* Parse command line args */
 
+	if (get_cmdline_auth_info_use_machine_account() &&
+	    !set_cmdline_auth_info_machine_account_creds()) {
+		TALLOC_FREE(frame);
+		return 1;
+	}
+
 	if (!get_cmdline_auth_info_got_pass()) {
 		char *pass = getpass("Password: ");
 		if (pass) {


-- 
Samba Shared Repository

