From 5f32f14ef58df1e43df87acb952a367cbab9122d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 11 Mar 2024 17:45:43 +0100
Subject: [PATCH] s3:net_ads: require kerberos if we use
 ads_krb5_set_password() in ads_user_add()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
 source3/utils/net_ads.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 5fc8a4d1f96..b4b474d7c3a 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -977,6 +977,20 @@ static int ads_user_add(struct net_context *c, int argc, const char **argv)
 		return net_ads_user_usage(c, argc, argv);
 	}
 
+	if (argc > 1) {
+		/*
+		 * We rely on ads_krb5_set_password() to
+		 * set the password below.
+		 *
+		 * We could pass the password to
+		 * ads_add_user_acct()
+		 * and set the unicodePwd attribute there...
+		 */
+		cli_credentials_set_kerberos_state(c->creds,
+						   CRED_USE_KERBEROS_REQUIRED,
+						   CRED_SPECIFIED);
+	}
+
 	status = ads_startup(c, false, tmp_ctx, &ads);
 	if (!ADS_ERR_OK(status)) {
 		goto done;