[PATCH] Implement machinepass= in 'net ads join'

Jeremy Allison jra at samba.org
Mon Mar 4 17:43:46 MST 2013


On Mon, Mar 04, 2013 at 04:15:29PM -0800, Jeremy Allison wrote:
> 
> Ok, this causes make test to fail on the "s4member" samba3.wbinfo_s3.(s4member:local)
> test. Reproduce by doing:
> 
> make test TESTS=samba3.wbinfo_s3
> 
> It only seems to be starting the s4 server as a member server, not as a DC
> to authenticate against, so I think this part of the patch should change from:
> 
> +# this test simply confirms that forcing the machine account password in the join command works
> +for env in ["s3member", "s4member"]:
> +    plantestsuite("samba3.blackbox.smbclient_specified_machine_auth.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_specified_machine_auth.sh"), '$DC_SERVER', '$SERVER\$', 'machine$PASSWORD', smbclient3, configuration])
> +
> 
> to:
> 
> +# this test simply confirms that forcing the machine account password in the join command works
> +for env in ["s3member"]:
> +    plantestsuite("samba3.blackbox.smbclient_specified_machine_auth.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_specified_machine_auth.sh"), '$DC_SERVER', '$SERVER\$', 'machine$PASSWORD', smbclient3, configuration])
> +
> 
> Can you confirm (or fix what I don't understand about the breakage :-)
> and re-submit ?

Ok, here's a patchset that passes make test. It includes
the change in the test.py file.

Can you confirm this is ok and I'll push to master ?

Cheers,

	Jeremy.
-------------- next part --------------
From 872a094dd0e6ac41bc5bdfe596dbbfcd090053fb Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Thu, 28 Feb 2013 22:57:45 +1100
Subject: [PATCH 1/4] selftest: Fix specification of --machinepass to actually
 set a unique password

Because perl does not assert on dereferencing an invalid hash key
we did not notice that the passwords were being set to machine, not
machineloCalMemberPass.

Andrew Bartlett
Reviewed-by: Jeremy Allison <jra at samba.org>
---
 selftest/target/Samba4.pm | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index e9e0037..05541d9 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -881,7 +881,7 @@ sub provision_member($$$)
 	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
 	$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} member";
 	$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
-	$cmd .= " --machinepass=machine$ret->{password}";
+	$cmd .= " --machinepass=machine$ret->{PASSWORD}";
 
 	unless (system($cmd) == 0) {
 		warn("Join failed\n$cmd");
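Review bot: the corrected `--machinepass=machine$ret->{PASSWORD}` line in provision_member still interpolates a hash value without checking that the key exists, which is how the lowercase `password` typo went unnoticed. Consider failing early before `$cmd` is built, for example `die("PASSWORD not set") unless defined($ret->{PASSWORD});`, so a future misspelling aborts the run instead of silently joining with the password `machine`. The same check would help at the other five call sites changed in this file.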
@@ -949,7 +949,7 @@ sub provision_rpc_proxy($$$)
 	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
 	$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} member";
 	$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
-	$cmd .= " --machinepass=machine$ret->{password}";
+	$cmd .= " --machinepass=machine$ret->{PASSWORD}";
 
 	unless (system($cmd) == 0) {
 		warn("Join failed\n$cmd");
@@ -1036,7 +1036,7 @@ sub provision_promoted_dc($$$)
 	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
 	$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} MEMBER --realm=$dcvars->{REALM}";
 	$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
-	$cmd .= " --machinepass=machine$ret->{password}";
+	$cmd .= " --machinepass=machine$ret->{PASSWORD}";
 
 	unless (system($cmd) == 0) {
 		warn("Join failed\n$cmd");
@@ -1049,7 +1049,7 @@ sub provision_promoted_dc($$$)
 	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
 	$cmd .= "$samba_tool domain dcpromo $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}";
 	$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
-	$cmd .= " --machinepass=machine$ret->{password} --use-ntvfs";
+	$cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs";
 
 	unless (system($cmd) == 0) {
 		warn("Join failed\n$cmd");
@@ -1110,7 +1110,7 @@ sub provision_vampire_dc($$$)
 	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
 	$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}";
 	$cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD} --domain-critical-only";
-	$cmd .= " --machinepass=machine$ret->{password} --use-ntvfs";
+	$cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs";
 
 	unless (system($cmd) == 0) {
 		warn("Join failed\n$cmd");
@@ -1175,7 +1175,7 @@ sub provision_subdom_dc($$$)
 	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
 	$cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $ctx->{realm} subdomain ";
 	$cmd .= "--parent-domain=$dcvars->{REALM} -U$dcvars->{DC_USERNAME}\@$dcvars->{REALM}\%$dcvars->{DC_PASSWORD}";
-	$cmd .= " --machinepass=machine$ret->{password} --use-ntvfs";
+	$cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs";
 
 	unless (system($cmd) == 0) {
 		warn("Join failed\n$cmd");
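Review bot: the failure path `warn("Join failed\n$cmd")` in provision_subdom_dc prints the whole command line, which carries the `$dcvars->{DC_PASSWORD}` credential and, now that the key is spelled correctly, the real machine password as well. If selftest output is archived or shared, consider logging the command with the `-U` and `--machinepass` values masked.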
-- 
1.8.1.3


From 6ace68492377765f2a38a5206b6e99cd93b5f8bb Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Thu, 28 Feb 2013 22:59:48 +1100
Subject: [PATCH 2/4] net ads join: Add support for specifying the machine
 account password

This allows a predictable password to be specified, just like --machinepass does on samba-tool domain join.

Andrew Bartlett
Reviewed-by: Jeremy Allison <jra at samba.org>
---
 docs-xml/manpages/net.8.xml |  7 ++++++-
 source3/utils/net_ads.c     | 11 +++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index 01044e1..0cdadea 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -194,7 +194,8 @@ the remote server using <command>/bin/date</command>. </para>
 </refsect2>
 
 <refsect2>
-<title>[RPC|ADS] JOIN [TYPE] [-U username[%password]] [createupn=UPN] [createcomputer=OU] [options]</title>
+<title>[RPC|ADS] JOIN [TYPE] [-U username[%password]] [createupn=UPN]
+[createcomputer=OU] [machinepass=PASS] [options]</title>
 
 <para>
 Join a domain.  If the account already exists on the server, and 
@@ -220,6 +221,10 @@ a '/'.  Please note that '\' is used for escape by both the shell
 and ldap, so it may need to be doubled or quadrupled to pass through, 
 and it is not used as a delimiter.
 </para>
+<para>
+[PASS] (ADS only) Set a specific password on the computer account
+being created by the join.
+</para>
 </refsect2>
 
 <refsect2>
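Review bot: the new `[PASS]` paragraph does not say what happens when the option is omitted, although the usage text added in net_ads.c states that the default password is random. Please carry that sentence into the man page. It is also worth noting there that a value given as `machinepass=PASS` is a command-line argument, so it is visible in the process list to other local users while the join runs.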
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 013884d..5699943 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -1315,6 +1315,8 @@ static int net_ads_join_usage(struct net_context *c, int argc, const char **argv
 		   "                      E.g. \"createcomputer=Computers/Servers/Unix\"\n"
 		   "                      NB: A backslash '\\' is used as escape at multiple levels and may\n"
 		   "                          need to be doubled or even quadrupled.  It is not used as a separator.\n"));
+	d_printf(_("   machinepass=PASS   Set the machine password to a specific value during the join.\n"
+		   "                      The deault password is random.\n"));
 	d_printf(_("   osName=string      Set the operatingSystem attribute during the join.\n"));
 	d_printf(_("   osVer=string       Set the operatingSystemVersion attribute during the join.\n"
 		   "                      NB: osName and osVer must be specified together for either to take effect.\n"
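Review bot: typo in the second added line of the usage string: "The deault password is random." should read "default". The string is wrapped in `_()`, so it is best fixed before it is picked up for translation.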
@@ -1421,6 +1423,7 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
 	WERROR werr = WERR_SETUP_NOT_JOINED;
 	bool createupn = false;
 	const char *machineupn = NULL;
+	const char *machine_password = NULL;
 	const char *create_in_ou = NULL;
 	int i;
 	const char *os_name = NULL;
@@ -1482,6 +1485,13 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
 				goto fail;
 			}
 		}
+		else if ( !strncasecmp_m(argv[i], "machinepass", strlen("machinepass")) ) {
+			if ( (machine_password = get_string_param(argv[i])) == NULL ) {
+				d_fprintf(stderr, _("Please supply a valid password to set as trust account password.\n"));
+				werr = WERR_INVALID_PARAM;
+				goto fail;
+			}
+		}
 		else {
 			domain = argv[i];
 		}
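Review bot: the `strncasecmp_m(argv[i], "machinepass", strlen("machinepass"))` test only compares the first 11 characters, so any argument that merely begins with `machinepass` (a mistyped `machinepassword=...`, for instance) is taken as this option instead of falling through to `domain = argv[i]`. Comparing against `"machinepass="` would make the match exact. The error text also says "trust account password" where the usage text and man page say machine password; one term throughout would be clearer.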
@@ -1511,6 +1521,7 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
 	r->in.dc_name		= c->opt_host;
 	r->in.admin_account	= c->opt_user_name;
 	r->in.admin_password	= net_prompt_pass(c, c->opt_user_name);
+	r->in.machine_password  = machine_password;
 	r->in.debug		= true;
 	r->in.use_kerberos	= c->opt_kerberos;
 	r->in.modify_config	= modify_config;
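Review bot: style nit on `r->in.machine_password  = machine_password;`: the added line pads with two spaces before `=` where the neighbouring assignments align with a tab. A short comment that a NULL value here leaves the password to be generated randomly, as the usage text promises, would also help the next reader, since the variable is only set when `machinepass=` is given.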
-- 
1.8.1.3


From eea969b20d91d924aa7dfa56d5019b84947b329c Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Thu, 28 Feb 2013 23:00:39 +1100
Subject: [PATCH 3/4] selftest: Show that the --machinepass and machinepass=
 join options work

This proves that the correct password was specified, and a random
password was not chosen instead.

Andrew Bartlett
Reviewed-by: Jeremy Allison <jra at samba.org>
---
 selftest/target/Samba3.pm                          |  2 +-
 .../tests/test_smbclient_specified_machine_auth.sh | 23 ++++++++++++++++++++++
 source3/selftest/tests.py                          |  4 ++++
 3 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100755 source3/script/tests/test_smbclient_specified_machine_auth.sh

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index c71419d..1bffdd7 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -302,7 +302,7 @@ sub setup_admember($$$$)
 	my $cmd = "";
 	$cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
 	$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
-	$cmd .= "$net join $ret->{CONFIGURATION}";
+	$cmd .= "$net join machinepass=machine$ret->{PASSWORD} $ret->{CONFIGURATION}";
 	$cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD}";
 
 	if (system($cmd) != 0) {
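Review bot: `machinepass=machine$ret->{PASSWORD}` is spliced into the shell command string unquoted, unlike `KRB5_CONFIG=\"...\"` on the line above. If the environment password ever contains whitespace or a shell metacharacter, `net join` receives a different value than the `machine$PASSWORD` the new smbclient test expects, and the failure will look like an authentication bug. Quoting the argument in the command string avoids that.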
diff --git a/source3/script/tests/test_smbclient_specified_machine_auth.sh b/source3/script/tests/test_smbclient_specified_machine_auth.sh
new file mode 100755
index 0000000..5709ff5
--- /dev/null
+++ b/source3/script/tests/test_smbclient_specified_machine_auth.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# this runs the file serving tests that are expected to pass with samba3 against shares with various options
+
+if [ $# -lt 4 ]; then
+cat <<EOF
+Usage: test_smbclient_auth.sh SERVER USERNAME PASSWORD SMBCLIENT <smbclient arguments>
+EOF
+exit 1;
+fi
+
+SERVER="$1"
+USERNAME="$2"
+PASSWORD="$3"
+SMBCLIENT="$4"
+SMBCLIENT="$VALGRIND ${SMBCLIENT}"
+shift 4
+ADDARGS="$*"
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+testit "smbclient //$SERVER/tmp" $SMBCLIENT //$SERVER/tmp $CONFIGURATION -U$USERNAME%$PASSWORD -p 139 -c quit $ADDARGS
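Review bot: the header comment and usage text in this new script were copied from test_smbclient_auth.sh: the usage line still names `test_smbclient_auth.sh`, and the comment describes file serving tests rather than the machine-password check. In the `testit` line, `$CONFIGURATION` is never assigned in this script (the configuration argument from tests.py already arrives through `$ADDARGS`), and `-U$USERNAME%$PASSWORD` is unquoted, so a password containing whitespace or glob characters would be split or expanded; write it as `"-U$USERNAME%$PASSWORD"`.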
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 44efe18..3db54c8 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -150,6 +150,10 @@ for env in ["s3dc", "member", "s3member"]:
     plantestsuite("samba3.blackbox.smbclient_auth.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration])
     plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) member creds" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$SERVER\\\\$USERNAME', '$PASSWORD', smbclient3, configuration])
 
+# this test simply confirms that forcing the machine account password in the join command works
+for env in ["s3member"]:
+    plantestsuite("samba3.blackbox.smbclient_specified_machine_auth.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_specified_machine_auth.sh"), '$DC_SERVER', '$SERVER\$', 'machine$PASSWORD', smbclient3, configuration])
+
     for t in tests:
         plantestsuite("samba3.wbinfo_s3.(%s:local).%s" % (env, t), "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_wbinfo_s3.sh"), t])
 
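Review bot: the new top-level `for env in ["s3member"]:` loop is inserted above the indented `for t in tests:` line, so that wbinfo_s3 loop, which belonged to the `for env in ["s3dc", "member", "s3member"]:` loop named in the hunk header, becomes part of the body of the new loop and now runs only for s3member. That re-parenting would also explain why the earlier version with "s4member" in the list produced a samba3.wbinfo_s3.(s4member:local) run. Move the added block below the `for t in tests:` loop so the existing loop keeps its original environments.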
-- 
1.8.1.3


From 7d1fbb148e1144b751d8e13b70b8792eab9356a0 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet at samba.org>
Date: Thu, 28 Feb 2013 23:30:16 +1100
Subject: [PATCH 4/4] docs: Add documentation for osName and osVer

This was previously documented only in the online help.

Andrew Bartlett
Reviewed-by: Jeremy Allison <jra at samba.org>
---
 docs-xml/manpages/net.8.xml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index 0cdadea..82849f2 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -195,7 +195,7 @@ the remote server using <command>/bin/date</command>. </para>
 
 <refsect2>
 <title>[RPC|ADS] JOIN [TYPE] [-U username[%password]] [createupn=UPN]
-[createcomputer=OU] [machinepass=PASS] [options]</title>
+[createcomputer=OU] [machinepass=PASS] [osName=string osVer=string] [options]</title>
 
 <para>
 Join a domain.  If the account already exists on the server, and 
@@ -225,6 +225,11 @@ and it is not used as a delimiter.
 [PASS] (ADS only) Set a specific password on the computer account
 being created by the join.
 </para>
+<para>
+[osName=string osVer=String] (ADS only) Set the operatingSystem and
+operatingSystemVersion attribute during the join.  Both parameters
+must be specified for either to take effect.
+</para>
 </refsect2>
 
 <refsect2>
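Review bot: in the added paragraph the placeholder is written `osVer=String`, while the title line in this patch and `osName=string` use lowercase; pick one. "operatingSystem and operatingSystemVersion attribute" should also be the plural "attributes", since two are set.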
-- 
1.8.1.3


