[SCM] Samba Shared Repository - branch master updated

Ralph Böhme slow at samba.org
Tue Mar 30 06:49:02 UTC 2021


The branch, master has been updated
       via  140007bfe17 s3:utils: The 'net ads keytab' commands should use machine credentials
       via  db95414c1de s3:utils: Use secrets_store_creds() in net utility
       via  2cab43cfca0 s3:passdb: Add secrets_store_creds()
       via  2bfe37e069f s3:utils: Use libnetapi_set_creds() in net_dom
       via  ccfb682f666 s3:utils: Use libnetapi_set_creds() in net_rpc_shell
       via  29f5372ffcc s3:utils: Use libnetapi_set_creds() in net_rpc
       via  c8e477edc0f s3:utils: Fix net_context_creds() with machine password
       via  dc05cdb1928 s3:libnetapi: Remove unused header file
      from  d1c47d0c830 rpc/idl dnsserver s/DNS_RPC_DATA/DNS_RPC_RECORD_DATA/

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 140007bfe1795e5bc5bca43238b6be03e0693f9e
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Mar 29 13:16:28 2021 +0200

    s3:utils: The 'net ads keytab' commands should use machine credentials
    
    If the user doesn't specify a username/password on the command line, we
    should use the machine credentials to connect to AD. This is how it is
    used by default and we should be able to retrieve SPNs.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Tue Mar 30 06:48:18 UTC 2021 on sn-devel-184

commit db95414c1decda8ce3a4878cb765da8c73e7079a
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Mar 24 10:08:04 2021 +0100

    s3:utils: Use secrets_store_creds() in net utility
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 2cab43cfca094c21899daddadfcb84469c0e2a02
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Mar 24 10:06:18 2021 +0100

    s3:passdb: Add secrets_store_creds()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 2bfe37e069fd267ced946d63cf97dc20fbb34f49
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Mar 25 11:39:22 2021 +0100

    s3:utils: Use libnetapi_set_creds() in net_dom
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit ccfb682f666acd4e2baaed5598d0e1ac37b0156e
Author: Andreas Schneider <asn at samba.org>
Date:   Wed Mar 24 14:37:26 2021 +0100

    s3:utils: Use libnetapi_set_creds() in net_rpc_shell
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 29f5372ffccfe722a6a1f0aaad4dcb4484511b51
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Mar 25 11:44:36 2021 +0100

    s3:utils: Use libnetapi_set_creds() in net_rpc
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit c8e477edc0fc05c97c0ed9e26103fed278ee2890
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Mar 25 12:03:22 2021 +0100

    s3:utils: Fix net_context_creds() with machine password
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit dc05cdb192852abaeb70e46c3b4d851c4ab51971
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Mar 26 09:56:11 2021 +0100

    s3:libnetapi: Remove unused header file
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/include/secrets.h     |  3 ++
 source3/lib/netapi/cm.c       |  1 -
 source3/passdb/secrets.c      | 44 +++++++++++++++++++++++++
 source3/utils/net.c           | 21 ++++++------
 source3/utils/net_ads.c       | 13 ++++++++
 source3/utils/net_dom.c       | 13 +++++---
 source3/utils/net_rpc.c       | 74 +++++++++++++++++++++++++++++--------------
 source3/utils/net_rpc_shell.c | 15 ++++++---
 source3/utils/net_util.c      |  8 ++++-
 source3/wscript_build         |  1 +
 10 files changed, 148 insertions(+), 45 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/secrets.h b/source3/include/secrets.h
index 24ae5bd0664..2478561cee7 100644
--- a/source3/include/secrets.h
+++ b/source3/include/secrets.h
@@ -56,6 +56,8 @@
 #define SECRETS_AUTH_DOMAIN      "SECRETS/AUTH_DOMAIN"
 #define SECRETS_AUTH_PASSWORD  "SECRETS/AUTH_PASSWORD"
 
+struct cli_credentials;
+
 /* structure for storing machine account password
    (ie. when samba server is member of a domain */
 struct machine_acct_pass {
@@ -89,6 +91,7 @@ struct db_context *secrets_db_ctx(void);
 void secrets_shutdown(void);
 void *secrets_fetch(const char *key, size_t *size);
 bool secrets_store(const char *key, const void *data, size_t size);
+bool secrets_store_creds(struct cli_credentials *creds);
 bool secrets_delete_entry(const char *key);
 bool secrets_delete(const char *key);
 
diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
index a2468de4ccc..d6b7c868c22 100644
--- a/source3/lib/netapi/cm.c
+++ b/source3/lib/netapi/cm.c
@@ -18,7 +18,6 @@
  */
 
 #include "includes.h"
-#include "auth_info.h"
 
 #include "lib/netapi/netapi.h"
 #include "lib/netapi/netapi_private.h"
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index 2b2206070e2..be9cc0039d3 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -31,6 +31,7 @@
 #include "dbwrap/dbwrap_open.h"
 #include "../libcli/security/security.h"
 #include "util_tdb.h"
+#include "auth/credentials/credentials.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_PASSDB
@@ -143,6 +144,49 @@ bool secrets_store(const char *key, const void *data, size_t size)
 	return NT_STATUS_IS_OK(status);
 }
 
+bool secrets_store_creds(struct cli_credentials *creds)
+{
+	const char *p = NULL;
+	bool ok;
+
+	p = cli_credentials_get_username(creds);
+	if (p == NULL) {
+		return false;
+	}
+
+	ok = secrets_store(SECRETS_AUTH_USER, p, strlen(p) + 1);
+	if (!ok) {
+		DBG_ERR("Failed storing auth user name\n");
+		return false;
+	}
+
+
+	p = cli_credentials_get_domain(creds);
+	if (p == NULL) {
+		return false;
+	}
+
+	ok = secrets_store(SECRETS_AUTH_DOMAIN, p, strlen(p) + 1);
+	if (!ok) {
+		DBG_ERR("Failed storing auth domain name\n");
+		return 1;
+	}
+
+
+	p = cli_credentials_get_password(creds);
+	if (p == NULL) {
+		return false;
+	}
+
+	ok = secrets_store(SECRETS_AUTH_PASSWORD, p, strlen(p) + 1);
+	if (!ok) {
+		DBG_ERR("Failed storing auth password\n");
+		return false;
+	}
+
+	return true;
+}
+
 
 /* delete a secets database entry
  */
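Review bot: The failure branch after the SECRETS_AUTH_DOMAIN store uses `return 1;` in a function declared `bool`, which converts to true, so a failed domain store is reported to the caller as success; it should be `return false;` like the other two branches. The three `p == NULL` checks return false without any log line, unlike the store failures, so a `DBG_ERR("No auth user name in credentials\n");` (and equivalents for domain and password) would make the cause diagnosable. The three records are also written one at a time, so a failure midway leaves secrets.tdb holding a new user name next to an old domain or password; if the tdb layer offers a transaction around the three stores (not visible in this diff), that would avoid the mixed state.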
diff --git a/source3/utils/net.c b/source3/utils/net.c
index 17d9a61ed87..585b79fcfcf 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -260,6 +260,8 @@ static int net_changesecretpw(struct net_context *c, int argc,
 static int net_setauthuser(struct net_context *c, int argc, const char **argv)
 {
 	const char *password = NULL;
+	struct cli_credentials *creds = NULL;
+	bool ok;
 
 	if (!secrets_init()) {
 		d_fprintf(stderr, _("Failed to open secrets.tdb.\n"));
@@ -305,21 +307,16 @@ static int net_setauthuser(struct net_context *c, int argc, const char **argv)
 		return 1;
 	}
 
-	if (!secrets_store(SECRETS_AUTH_USER, c->opt_user_name,
-			   strlen(c->opt_user_name) + 1)) {
-		d_fprintf(stderr, _("error storing auth user name\n"));
+	creds = net_context_creds(c, c);
+	if (creds == NULL) {
+		d_fprintf(stderr, _("Failed creating auth credentials\n"));
 		return 1;
 	}
 
-	if (!secrets_store(SECRETS_AUTH_DOMAIN, c->opt_workgroup,
-			   strlen(c->opt_workgroup) + 1)) {
-		d_fprintf(stderr, _("error storing auth user domain\n"));
-		return 1;
-	}
-
-	if (!secrets_store(SECRETS_AUTH_PASSWORD, password,
-			   strlen(password) + 1)) {
-		d_fprintf(stderr, _("error storing auth user password\n"));
+	ok = secrets_store_creds(creds);
+	TALLOC_FREE(creds);
+	if (!ok) {
+		d_fprintf(stderr, _("Failed storing auth user credentials\n"));
 		return 1;
 	}
 
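Review bot: What is written to secrets.tdb is now whatever `net_context_creds(c, c)` puts into `creds`, not the local `password` that the removed `secrets_store(SECRETS_AUTH_PASSWORD, password, ...)` call used. `password` is still declared at the top of the function and is presumably still filled in outside this hunk; if so, either feed it into the credentials before `secrets_store_creds(creds)` or drop the now-unused prompt, otherwise the stored auth password can differ from the one the user just entered. `TALLOC_FREE(creds)` releases the object, but whether the password buffer is wiped on free is not visible here and is worth confirming for a command that handles a cleartext secret. net_setauthuser starts and ends outside the hunk.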
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index bc42ddda9cb..5300dfbef80 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -3030,6 +3030,10 @@ static int net_ads_keytab_flush(struct net_context *c, int argc, const char **ar
 		return 0;
 	}
 
+	if (!c->opt_user_specified && c->opt_password == NULL) {
+		net_use_krb_machine_account(c);
+	}
+
 	if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
 		return -1;
 	}
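Review bot: The same fallback, `if (!c->opt_user_specified && c->opt_password == NULL) { net_use_krb_machine_account(c); }`, is pasted into net_ads_keytab_flush, net_ads_keytab_add and net_ads_keytab_create; a small static helper called from all three would keep the condition in one place. The result of `net_use_krb_machine_account(c)` is not checked, so if it can fail (its definition is not in this diff) `ads_startup()` runs with whatever credentials were left in `c`. Because the switch to the machine account is silent, a comment such as `/* No user given on the command line: fall back to the machine account so SPNs can be read */` would make the identity these commands run as obvious to the next reader. All three functions continue outside their hunks.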
@@ -3058,6 +3062,11 @@ static int net_ads_keytab_add(struct net_context *c,
 	}
 
 	d_printf(_("Processing principals to add...\n"));
+
+	if (!c->opt_user_specified && c->opt_password == NULL) {
+		net_use_krb_machine_account(c);
+	}
+
 	if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
 		return -1;
 	}
@@ -3096,6 +3105,10 @@ static int net_ads_keytab_create(struct net_context *c, int argc, const char **a
 		return 0;
 	}
 
+	if (!c->opt_user_specified && c->opt_password == NULL) {
+		net_use_krb_machine_account(c);
+	}
+
 	if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
 		return -1;
 	}
diff --git a/source3/utils/net_dom.c b/source3/utils/net_dom.c
index 1e45c59220c..25bf30736df 100644
--- a/source3/utils/net_dom.c
+++ b/source3/utils/net_dom.c
@@ -340,6 +340,7 @@ static int net_dom_renamecomputer(struct net_context *c, int argc, const char **
 int net_dom(struct net_context *c, int argc, const char **argv)
 {
 	NET_API_STATUS status;
+	struct cli_credentials *creds = NULL;
 
 	struct functable func[] = {
 		{
@@ -374,15 +375,19 @@ int net_dom(struct net_context *c, int argc, const char **argv)
 		{NULL, NULL, 0, NULL, NULL}
 	};
 
+	creds = net_context_creds(c, c);
+	if (creds == NULL) {
+		return -1;
+	}
+
 	status = libnetapi_net_init(&c->netapi_ctx);
 	if (status != 0) {
 		return -1;
 	}
 
-	libnetapi_set_username(c->netapi_ctx, c->opt_user_name);
-	libnetapi_set_password(c->netapi_ctx, c->opt_password);
-	if (c->opt_kerberos) {
-		libnetapi_set_use_kerberos(c->netapi_ctx);
+	status = libnetapi_set_creds(c->netapi_ctx, creds);
+	if (status != 0) {
+		return -1;
 	}
 
 	return net_run_function(c, argc, argv, "net dom", func);
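Review bot: Kerberos selection is no longer applied explicitly here: the removed lines called `libnetapi_set_use_kerberos()` when `c->opt_kerberos` was set, and the new code relies on `libnetapi_set_creds(c->netapi_ctx, creds)` carrying that choice. Neither the rest of `net_context_creds()` nor `libnetapi_set_creds()` is visible in this diff, so it is worth confirming that the Kerberos option is copied into `creds`; otherwise a user who asked for Kerberos could silently get a different authentication mechanism. The same replacement is made in net_rpc_user, net_rpc_group, net_rpc_share, net_rpc_file and net_rpc in net_rpc.c and in net_rpc_shell, and net_rpc additionally drops the `c->opt_ccache` / `libnetapi_set_use_ccache()` handling, which needs the same confirmation. The two new `return -1` paths print nothing, unlike net_setauthuser's `Failed creating auth credentials` message, so a credential setup failure exits without a diagnostic. net_dom's body starts outside the hunk.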
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index da1d904305b..46d35e6a90f 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -1256,6 +1256,7 @@ static int rpc_user_list(struct net_context *c, int argc, const char **argv)
 int net_rpc_user(struct net_context *c, int argc, const char **argv)
 {
 	NET_API_STATUS status;
+	struct cli_credentials *creds = NULL;
 
 	struct functable func[] = {
 		{
@@ -1309,14 +1310,19 @@ int net_rpc_user(struct net_context *c, int argc, const char **argv)
 		{NULL, NULL, 0, NULL, NULL}
 	};
 
+	creds = net_context_creds(c, c);
+	if (creds == NULL) {
+		return -1;
+	}
+
 	status = libnetapi_net_init(&c->netapi_ctx);
 	if (status != 0) {
 		return -1;
 	}
-	libnetapi_set_username(c->netapi_ctx, c->opt_user_name);
-	libnetapi_set_password(c->netapi_ctx, c->opt_password);
-	if (c->opt_kerberos) {
-		libnetapi_set_use_kerberos(c->netapi_ctx);
+
+	status = libnetapi_set_creds(c->netapi_ctx, creds);
+	if (status != 0) {
+		return -1;
 	}
 
 	if (argc == 0) {
@@ -3441,6 +3447,7 @@ static int rpc_group_rename(struct net_context *c, int argc, const char **argv)
 int net_rpc_group(struct net_context *c, int argc, const char **argv)
 {
 	NET_API_STATUS status;
+	struct cli_credentials *creds = NULL;
 
 	struct functable func[] = {
 		{
@@ -3502,14 +3509,19 @@ int net_rpc_group(struct net_context *c, int argc, const char **argv)
 		{NULL, NULL, 0, NULL, NULL}
 	};
 
+	creds = net_context_creds(c, c);
+	if (creds == NULL) {
+		return -1;
+	}
+
 	status = libnetapi_net_init(&c->netapi_ctx);
 	if (status != 0) {
 		return -1;
 	}
-	libnetapi_set_username(c->netapi_ctx, c->opt_user_name);
-	libnetapi_set_password(c->netapi_ctx, c->opt_password);
-	if (c->opt_kerberos) {
-		libnetapi_set_use_kerberos(c->netapi_ctx);
+
+	status = libnetapi_set_creds(c->netapi_ctx, creds);
+	if (status != 0) {
+		return -1;
 	}
 
 	if (argc == 0) {
@@ -5428,6 +5440,7 @@ int net_usersidlist_usage(struct net_context *c, int argc, const char **argv)
 int net_rpc_share(struct net_context *c, int argc, const char **argv)
 {
 	NET_API_STATUS status;
+	struct cli_credentials *creds = NULL;
 
 	struct functable func[] = {
 		{
@@ -5473,16 +5486,22 @@ int net_rpc_share(struct net_context *c, int argc, const char **argv)
 		{NULL, NULL, 0, NULL, NULL}
 	};
 
+	creds = net_context_creds(c, c);
+	if (creds == NULL) {
+		return -1;
+	}
+
 	status = libnetapi_net_init(&c->netapi_ctx);
 	if (status != 0) {
 		return -1;
 	}
-	libnetapi_set_username(c->netapi_ctx, c->opt_user_name);
-	libnetapi_set_password(c->netapi_ctx, c->opt_password);
-	if (c->opt_kerberos) {
-		libnetapi_set_use_kerberos(c->netapi_ctx);
+
+	status = libnetapi_set_creds(c->netapi_ctx, creds);
+	if (status != 0) {
+		return -1;
 	}
 
+
 	if (argc == 0) {
 		if (c->display_usage) {
 			d_printf("%s\n%s",
@@ -5724,6 +5743,7 @@ static int rpc_file_user(struct net_context *c, int argc, const char **argv)
 int net_rpc_file(struct net_context *c, int argc, const char **argv)
 {
 	NET_API_STATUS status;
+	struct cli_credentials *creds = NULL;
 
 	struct functable func[] = {
 		{
@@ -5755,14 +5775,19 @@ int net_rpc_file(struct net_context *c, int argc, const char **argv)
 		{NULL, NULL, 0, NULL, NULL}
 	};
 
+	creds = net_context_creds(c, c);
+	if (creds == NULL) {
+		return -1;
+	}
+
 	status = libnetapi_net_init(&c->netapi_ctx);
 	if (status != 0) {
 		return -1;
 	}
-	libnetapi_set_username(c->netapi_ctx, c->opt_user_name);
-	libnetapi_set_password(c->netapi_ctx, c->opt_password);
-	if (c->opt_kerberos) {
-		libnetapi_set_use_kerberos(c->netapi_ctx);
+
+	status = libnetapi_set_creds(c->netapi_ctx, creds);
+	if (status != 0) {
+		return -1;
 	}
 
 	if (argc == 0) {
@@ -8176,6 +8201,7 @@ int net_rpc_printer(struct net_context *c, int argc, const char **argv)
 int net_rpc(struct net_context *c, int argc, const char **argv)
 {
 	NET_API_STATUS status;
+	struct cli_credentials *creds = NULL;
 
 	struct functable func[] = {
 		{
@@ -8366,17 +8392,19 @@ int net_rpc(struct net_context *c, int argc, const char **argv)
 		{NULL, NULL, 0, NULL, NULL}
 	};
 
+	creds = net_context_creds(c, c);
+	if (creds == NULL) {
+		return -1;
+	}
+
 	status = libnetapi_net_init(&c->netapi_ctx);
 	if (status != 0) {
 		return -1;
 	}
-	libnetapi_set_username(c->netapi_ctx, c->opt_user_name);
-	libnetapi_set_password(c->netapi_ctx, c->opt_password);
-	if (c->opt_kerberos) {
-		libnetapi_set_use_kerberos(c->netapi_ctx);
-	}
-	if (c->opt_ccache) {
-		libnetapi_set_use_ccache(c->netapi_ctx);
+
+	status = libnetapi_set_creds(c->netapi_ctx, creds);
+	if (status != 0) {
+		return -1;
 	}
 
 	return net_run_function(c, argc, argv, "net rpc", func);
diff --git a/source3/utils/net_rpc_shell.c b/source3/utils/net_rpc_shell.c
index 2569bb06869..ab7df7ef463 100644
--- a/source3/utils/net_rpc_shell.c
+++ b/source3/utils/net_rpc_shell.c
@@ -222,19 +222,26 @@ int net_rpc_shell(struct net_context *c, int argc, const char **argv)
 	NTSTATUS status;
 	struct rpc_sh_ctx *ctx;
 	struct dom_sid_buf buf;
+	struct cli_credentials *creds = NULL;
+	NET_API_STATUS net_api_status;
 
 	if (argc != 0 || c->display_usage) {
 		d_printf("%s\nnet rpc shell\n", _("Usage:"));
 		return -1;
 	}
 
+	creds = net_context_creds(c, c);
+	if (creds == NULL) {
+		return -1;
+	}
+
 	if (libnetapi_net_init(&c->netapi_ctx) != 0) {
 		return -1;
 	}
-	libnetapi_set_username(c->netapi_ctx, c->opt_user_name);
-	libnetapi_set_password(c->netapi_ctx, c->opt_password);
-	if (c->opt_kerberos) {
-		libnetapi_set_use_kerberos(c->netapi_ctx);
+
+	net_api_status = libnetapi_set_creds(c->netapi_ctx, creds);
+	if (net_api_status != 0) {
+		return -1;
 	}
 
 	ctx = talloc(NULL, struct rpc_sh_ctx);
diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
index 6c5321db0fd..7383d593f53 100644
--- a/source3/utils/net_util.c
+++ b/source3/utils/net_util.c
@@ -475,7 +475,13 @@ struct cli_credentials *net_context_creds(struct net_context *c,
 	struct cli_credentials *creds = NULL;
 	struct loadparm_context *lp_ctx = NULL;
 
-	c->opt_password = net_prompt_pass(c, c->opt_user_name);
+	/*
+	 * Do not query the password if we defined we want to use the
+	 * machine account.
+	 */
+	if (c->opt_machine_pass) {
+		c->opt_password = net_prompt_pass(c, c->opt_user_name);
+	}
 
 	creds = cli_credentials_init(mem_ctx);
 	if (creds == NULL) {
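Review bot: The new condition reads as the inverse of the comment above it: the comment says the password must not be queried when the machine account is used, but `if (c->opt_machine_pass) {` prompts only in that case and skips the prompt for ordinary user credentials. If the comment states the intent, the guard should be `if (!c->opt_machine_pass) {`. As written, a user who gives a name but no password would reach `cli_credentials_init()` with `c->opt_password` unset, and what the credentials then contain depends on code outside this hunk. net_context_creds continues past the last visible line.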
diff --git a/source3/wscript_build b/source3/wscript_build
index 9cd351b2b5d..ff7bfdfd5e7 100644
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -490,6 +490,7 @@ bld.SAMBA3_LIBRARY('secrets3',
                         dbwrap
                         krb5samba
                         LIBCLI_AUTH
+                        samba-credentials
                         ''',
                    private_library=True)
 


-- 
Samba Shared Repository


