diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 84d3fd362ec..f1d1482c292 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -816,7 +816,7 @@ sub provision_ad_member
 $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
 $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
 $cmd .= "$net join $ret->{CONFIGURATION}";
- $cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD} -k";
+ $cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD} --use-kerberos=required";
 if (system($cmd) != 0) {
 warn("Join failed\n$cmd");
diff --git a/source3/utils/net.c b/source3/utils/net.c
index e9797690ac4..fc3d21f304a 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -52,6 +52,7 @@
 #include "lib/gencache.h"
 #include "auth/credentials/credentials.h"
 #include "source3/utils/passwd_proto.h"
+#include "auth/gensec/gensec.h"
 #ifdef WITH_FAKE_KASERVER
 #include "utils/net_afs.h"
@@ -260,7 +261,6 @@ static int net_changesecretpw(struct net_context *c, int argc,
 static int net_setauthuser(struct net_context *c, int argc, const char **argv)
 {
 const char *password = NULL;
- struct cli_credentials *creds = NULL;
 bool ok;
 if (!secrets_init()) {
@@ -307,14 +307,7 @@ static int net_setauthuser(struct net_context *c, int argc, const char **argv)
 return 1;
 }
- creds = net_context_creds(c, c);
- if (creds == NULL) {
- d_fprintf(stderr, _("Failed creating auth credentials\n"));
- return 1;
- }
-
- ok = secrets_store_creds(creds);
- TALLOC_FREE(creds);
+ ok = secrets_store_creds(c->creds);
 if (!ok) {
 d_fprintf(stderr, _("Failed storing auth user credentials\n"));
 return 1;
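Review bot: The removed NULL check is not replaced by anything: `secrets_store_creds(c->creds)` now relies on c->creds having been populated, and the same unchecked dereference recurs in the net_dom, net_rpc*, net_rpc_shell, net_util and net_ads hunks of this commit. main() assigns `c->creds = samba_cmdline_get_creds();` without testing the result, so whether NULL can reach these sites depends on a guarantee of the cmdline layer that is not visible here. One guard at the assignment in main, `if (c->creds == NULL) { d_fprintf(stderr, _("No credentials available\n")); return 1; }`, or a comment on the `creds` member of struct net_context stating the invariant, would settle it for every call site. The prompting code of net_setauthuser above this hunk is outside the view; since the local `password` survives the change, it is worth confirming that the prompted value actually ends up in c->creds before it is stored.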
@@ -919,33 +912,12 @@ static struct functable net_func[] = {
 };
-static void get_credentials_file(struct net_context *c,
- const char *file)
-{
- struct cli_credentials *cred = cli_credentials_init(c);
-
- if (cred == NULL) {
- d_printf("ERROR: Unable to allocate memory!\n");
- exit(-1);
- }
-
- if (!cli_credentials_parse_file(cred, file, CRED_GUESS_FILE)) {
- exit(-1);
- }
-
- c->opt_user_name = cli_credentials_get_username(cred);
- c->opt_user_specified = (c->opt_user_name != NULL);
- c->opt_password = cli_credentials_get_password(cred);
- c->opt_target_workgroup = cli_credentials_get_domain(cred);
-}
-
 /****************************************************************************
 main program
 ****************************************************************************/
 int main(int argc, char **argv)
 {
 int opt,i;
- char *p;
 int rc = 0;
 int argc_new = 0;
 const char ** argv_new;
@@ -963,27 +935,11 @@ static void get_credentials_file(struct net_context *c,
 .val = 'h',
 },
 {
- .longName = "workgroup",
+ .longName = "target-workgroup",
 .shortName = 'w',
 .argInfo = POPT_ARG_STRING,
 .arg = &c->opt_target_workgroup,
 },
- {
- .longName = "user",
- .shortName = 'U',
- .argInfo = POPT_ARG_STRING,
- .arg = &c->opt_user_name,
- .val = 'U',
- },
- {
- .longName = "authentication-file",
- .shortName = 'A',
- .argInfo = POPT_ARG_STRING,
- .arg = &c->opt_user_name,
- .val = 'A',
- .descrip = "Get the credentials from a file",
- .argDescrip = "FILE",
- },
 {
 .longName = "ipaddress",
 .shortName = 'I',
@@ -999,7 +955,7 @@ static void get_credentials_file(struct net_context *c,
 },
 {
 .longName = "myname",
- .shortName = 'n',
+ .shortName = 0,
 .argInfo = POPT_ARG_STRING,
 .arg = &c->opt_requester_name,
 },
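Review bot: Renaming the long option `workgroup` to `target-workgroup` while keeping `-w` changes the meaning of an existing spelling instead of rejecting it: once POPT_COMMON_CONNECTION is pulled into the table (a later hunk), `--workgroup`/`-W` sets the client workgroup, so an existing `net --workgroup=DOM rpc ...` invocation silently targets the wrong side rather than failing. The same silent reassignment applies to `-n` (now `--netbiosname`) in this hunk and to `-N` and `-R` (now `--no-pass` and `--name-resolve`) in the ntname/rid hunk. A comment on the entry, e.g. `/* --workgroup/-W is now the client workgroup from POPT_COMMON_CONNECTION; the target side is -w/--target-workgroup */`, plus a matching man page or release-note line, would make the change discoverable. main() starts in the earlier hunk and its body continues past this one.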
@@ -1009,14 +965,6 @@ static void get_credentials_file(struct net_context *c,
 .argInfo = POPT_ARG_STRING,
 .arg = &c->opt_host,
 },
- {
- .longName = "encrypt",
- .shortName = 'e',
- .argInfo = POPT_ARG_NONE,
- .arg = NULL,
- .val = 'e',
- .descrip = N_("Encrypt SMB transport"),
- },
 {
 .longName = "container",
 .shortName = 'c',
@@ -1076,24 +1024,6 @@ static void get_credentials_file(struct net_context *c,
 .argInfo = POPT_ARG_INT,
 .arg = &c->opt_request_timeout,
 },
- {
- .longName = "machine-pass",
- .shortName = 'P',
- .argInfo = POPT_ARG_NONE,
- .arg = &c->opt_machine_pass,
- },
- {
- .longName = "kerberos",
- .shortName = 'k',
- .argInfo = POPT_ARG_NONE,
- .arg = &c->opt_kerberos,
- },
- {
- .longName = "myworkgroup",
- .shortName = 'W',
- .argInfo = POPT_ARG_STRING,
- .arg = &c->opt_workgroup,
- },
 {
 .longName = "use-ccache",
 .shortName = 0,
@@ -1127,13 +1057,13 @@ static void get_credentials_file(struct net_context *c,
 },
 {
 .longName = "ntname",
- .shortName = 'N',
+ .shortName = 0,
 .argInfo = POPT_ARG_STRING,
 .arg = &c->opt_newntname,
 },
 {
 .longName = "rid",
- .shortName = 'R',
+ .shortName = 0,
 .argInfo = POPT_ARG_INT,
 .arg = &c->opt_rid,
 },
@@ -1283,7 +1213,10 @@ static void get_credentials_file(struct net_context *c,
 .descrip = "follow symlinks",
 },
 POPT_COMMON_SAMBA
+ POPT_COMMON_CONNECTION
+ POPT_COMMON_CREDENTIALS
 POPT_COMMON_VERSION
+ POPT_LEGACY_S3
 POPT_TABLEEND
 };
@@ -1330,9 +1263,6 @@ static void get_credentials_file(struct net_context *c,
 case 'h':
 c->display_usage = true;
 break;
- case 'e':
- c->smb_encrypt = true;
- break;
 case 'I':
 if (!interpret_string_addr(&c->opt_dest_ip, poptGetOptArg(pc), 0)) {
@@ -1341,18 +1271,6 @@ static void get_credentials_file(struct net_context *c,
 c->opt_have_ip = true;
 }
 break;
- case 'U':
- c->opt_user_specified = true;
- c->opt_user_name = talloc_strdup(c, c->opt_user_name);
- p = strchr(c->opt_user_name,'%');
- if (p) {
- *p = 0;
- c->opt_password = p+1;
- }
- break;
- case 'A':
- get_credentials_file(c, c->opt_user_name);
- break;
 default:
 d_fprintf(stderr, _("\nInvalid option %s: %s\n"), poptBadOption(pc, 0), poptStrerror(opt));
@@ -1361,6 +1279,33 @@ static void get_credentials_file(struct net_context *c,
 }
 }
+ c->creds = samba_cmdline_get_creds();
+ c->lp_ctx = samba_cmdline_get_lp_ctx();
+
+ {
+ enum credentials_obtained username_obtained =
+ CRED_UNINITIALISED;
+ enum smb_encryption_setting encrypt_state =
+ cli_credentials_get_smb_encryption(c->creds);
+ enum credentials_use_kerberos krb5_state =
+ cli_credentials_get_kerberos_state(c->creds);
+ uint32_t gensec_features;
+
+ c->opt_user_name = cli_credentials_get_username_and_obtained(
+ c->creds,
+ &username_obtained);
+ c->opt_user_specified = (username_obtained == CRED_SPECIFIED);
+
+ c->opt_workgroup = cli_credentials_get_domain(c->creds);
+
+ c->smb_encrypt = (encrypt_state == SMB_ENCRYPTION_REQUIRED);
+
+ c->opt_kerberos = (krb5_state > CRED_USE_KERBEROS_DESIRED);
+
+ gensec_features = cli_credentials_get_gensec_features(c->creds);
+ c->opt_ccache = (gensec_features & GENSEC_FEATURE_NTLM_CCACHE);
+ }
+
 c->msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
 #if defined(HAVE_BIND_TEXTDOMAIN_CODESET)
@@ -1391,14 +1336,6 @@ static void get_credentials_file(struct net_context *c,
 lp_set_cmdline("netbios name", c->opt_requester_name);
 }
- if (!c->opt_user_name && getenv("LOGNAME")) {
- c->opt_user_name = getenv("LOGNAME");
- }
-
- if (!c->opt_workgroup) {
- c->opt_workgroup = talloc_strdup(c, lp_workgroup());
- }
-
 if (!c->opt_target_workgroup) {
 c->opt_target_workgroup = talloc_strdup(c, lp_workgroup());
 }
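Review bot: `c->opt_ccache = (gensec_features & GENSEC_FEATURE_NTLM_CCACHE);` unconditionally overwrites whatever popt stored there; the `use-ccache` table entry survives as context in an earlier hunk, and if its `.arg` still points at `c->opt_ccache` (not visible in this diff) a `--use-ccache` on the command line is lost at this point unless that option also routes through the credentials object. The block also encodes mappings that are not obvious from the code: `opt_kerberos` is true only for `--use-kerberos=required` (the default `desired` does not count, which mirrors the old `-k`), and `opt_user_specified` is now true only for CRED_SPECIFIED, so a username read from `-A`/an authentication file counts only if the parser marks it CRED_SPECIFIED — worth confirming. A header comment on the brace block would capture this: `/* Mirror the cmdline credentials into the legacy opt_* fields; only CRED_SPECIFIED usernames and --use-kerberos=required count as explicitly set. */`. main() continues outside the hunk.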
@@ -1409,17 +1346,6 @@ static void get_credentials_file(struct net_context *c,
 that it won't assert because we are not root */
 sec_init();
- if (c->opt_machine_pass) {
- /* it is very useful to be able to make ads queries as the
- machine account for testing purposes and for domain leave */
-
- net_use_krb_machine_account(c);
- }
-
- if (!c->opt_password) {
- c->opt_password = getenv("PASSWD");
- }
-
 samba_cmdline_burn(argc, argv);
 rc = net_run_function(c, argc_new-1, argv_new+1, "net", net_func);
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index fbafa51cbb8..6ab4a0096b1 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2433,7 +2433,6 @@ static int net_ads_printer_publish(struct net_context *c, int argc, const char *
 char *prt_dn, *srv_dn, **srv_cn;
 char *srv_cn_escaped = NULL, *printername_escaped = NULL;
 LDAPMessage *res = NULL;
- struct cli_credentials *creds = NULL;
 bool ok;
 if (argc < 1 || c->display_usage) {
@@ -2471,21 +2470,14 @@ static int net_ads_printer_publish(struct net_context *c, int argc, const char *
 return -1;
 }
- creds = net_context_creds(c, mem_ctx);
- if (creds == NULL) {
- d_fprintf(stderr, "net_context_creds() failed\n");
- ads_destroy(&ads);
- talloc_destroy(mem_ctx);
- return -1;
- }
- cli_credentials_set_kerberos_state(creds,
+ cli_credentials_set_kerberos_state(c->creds,
 CRED_USE_KERBEROS_REQUIRED,
 CRED_SPECIFIED);
 nt_status = cli_full_connection_creds(&cli, lp_netbios_name(), servername, &server_ss, 0, "IPC$", "IPC",
- creds,
+ c->creds,
 CLI_FULL_CONNECTION_IPC);
 if (NT_STATUS_IS_ERR(nt_status)) {
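Review bot: `cli_credentials_set_kerberos_state(c->creds, CRED_USE_KERBEROS_REQUIRED, CRED_SPECIFIED)` now mutates the process-wide credentials object instead of the per-call copy that the removed `net_context_creds(c, mem_ctx)` used to make, so any connection opened later in the same `net` run inherits a Kerberos-required policy the user never asked for. Inside this single subcommand that is probably harmless, but it is a contract change worth making explicit, either with `/* NOTE: this changes the shared c->creds for the rest of the process */` or by saving `enum credentials_use_kerberos old_state = cli_credentials_get_kerberos_state(c->creds);` before the call and restoring it once the connection is made. The rest of net_ads_printer_publish is outside the hunk.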
@@ -2675,8 +2667,8 @@ static int net_ads_printer(struct net_context *c, int argc, const char **argv)
 static int net_ads_password(struct net_context *c, int argc, const char **argv)
 {
 ADS_STRUCT *ads;
- const char *auth_principal = c->opt_user_name;
- const char *auth_password = c->opt_password;
+ const char *auth_principal = cli_credentials_get_username(c->creds);
+ const char *auth_password = cli_credentials_get_password(c->creds);
 const char *realm = NULL;
 const char *new_password = NULL;
 char *chr, *prompt;
@@ -2693,7 +2685,7 @@ static int net_ads_password(struct net_context *c, int argc, const char **argv)
 return 0;
 }
- if (c->opt_user_name == NULL || c->opt_password == NULL) {
+ if (auth_principal == NULL || auth_password == NULL) {
 d_fprintf(stderr, _("You must supply an administrator " "username/password\n"));
 return -1;
diff --git a/source3/utils/net_dom.c b/source3/utils/net_dom.c
index 25bf30736df..13e65a93314 100644
--- a/source3/utils/net_dom.c
+++ b/source3/utils/net_dom.c
@@ -340,7 +340,6 @@ static int net_dom_renamecomputer(struct net_context *c, int argc, const char **
 int net_dom(struct net_context *c, int argc, const char **argv)
 {
 NET_API_STATUS status;
- struct cli_credentials *creds = NULL;
 struct functable func[] = {
 {
@@ -375,17 +374,12 @@ int net_dom(struct net_context *c, int argc, const char **argv)
 {NULL, NULL, 0, NULL, NULL}
 };
- creds = net_context_creds(c, c);
- if (creds == NULL) {
- return -1;
- }
-
 status = libnetapi_net_init(&c->netapi_ctx);
 if (status != 0) {
 return -1;
 }
- status = libnetapi_set_creds(c->netapi_ctx, creds);
+ status = libnetapi_set_creds(c->netapi_ctx, c->creds);
 if (status != 0) {
 return -1;
 }
diff --git a/source3/utils/net_help_common.c b/source3/utils/net_help_common.c
index ded9279e61c..fc6ce913f6d 100644
--- a/source3/utils/net_help_common.c
+++ b/source3/utils/net_help_common.c
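Review bot: `auth_password = cli_credentials_get_password(c->creds)` is evaluated in the declarations, ahead of the usage check in the second hunk, and depending on the password callback the cmdline layer installs (not visible here) it may prompt interactively even when the command is about to print usage or reject a missing principal. Keeping the two lookups behind the argument validation avoids that: move `auth_principal = cli_credentials_get_username(c->creds); auth_password = cli_credentials_get_password(c->creds);` to just before the NULL check and initialise the locals to NULL. Note also that cli_credentials_get_username() can return a guessed login name rather than NULL, so the `auth_principal == NULL` branch may be effectively unreachable; worth confirming against the credentials API. net_ads_password continues outside both hunks.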
@@ -33,26 +33,63 @@ int net_common_methods_usage(struct net_context *c, int argc, const char**argv)
 int net_common_flags_usage(struct net_context *c, int argc, const char **argv)
 {
 d_printf(_("Valid targets: choose one (none defaults to localhost)\n"));
- d_printf(_("\t-S or --server=\t\tserver name\n"));
- d_printf(_("\t-I or --ipaddress=\taddress of target server\n"));
- d_printf(_("\t-w or --workgroup=\t\ttarget workgroup or domain\n"));
+ d_printf(_("\t-S|--server=\t\t\tserver name\n"));
+ d_printf(_("\t-I|--ipaddress=\t\t\taddress of target server\n"));
+ d_printf(_("\t-w|--target-workgroup=\t\ttarget workgroup or domain\n"));
 d_printf("\n");
- d_printf(_("Valid miscellaneous options are:\n")); /* misc options */
- d_printf(_("\t-p or --port=\t\tconnection port on target\n"));
- d_printf(_("\t-W or --myworkgroup=\tclient workgroup\n"));
- d_printf(_("\t-d or --debuglevel=\tdebug level (0-10)\n"));
- d_printf(_("\t-n or --myname=\t\tclient name\n"));
- d_printf(_("\t-U or --user=\t\tuser name\n"));
- d_printf(_("\t-s or --configfile=\tpathname of smb.conf file\n"));
- d_printf(_("\t-l or --long\t\t\tDisplay full information\n"));
- d_printf(_("\t-V or --version\t\t\tPrint samba version information\n"));
- d_printf(_("\t-P or --machine-pass\t\tAuthenticate as machine " "account\n"));
- d_printf(_("\t-e or --encrypt\t\t\tEncrypt SMB transport " "(UNIX extended servers only)\n"));
- d_printf(_("\t-k or --kerberos\t\tUse kerberos (active directory) "
+ d_printf(_("Valid misc options are:\n")); /* misc options */
+ d_printf(_("\t-p|--port=\t\t\tconnection port on target\n"));
+ d_printf(_("\t--myname=\t\t\t\tclient name\n"));
+ d_printf(_("\t--long\t\t\t\t\tDisplay full information\n"));
+
+ d_printf("\n");
+ d_printf(_("Valid common options are:\n")); /* misc options */
+ d_printf(_("\t-d|--debuglevel=\t\t\tdebug level (0-10)\n"));
+ d_printf(_("\t--debug-stdout\t\t\t\tSend debug output to standard " "output\n"));
+ d_printf(_("\t--configfile=\t\t\tpathname of smb.conf file\n"));
+ d_printf(_("\t--option=name=value\t\t\tSet smb.conf option from " "command line\n"));
+ d_printf(_("\t-l|--log-basename=LOGFILEBASE\t\tBasename for " "log/debug files\n"));
+ d_printf(_("\t--leak-report\t\t\t\tenable talloc leak reporting on " "exit\n"));
+ d_printf(_("\t--leak-report-full\t\t\tenable full talloc leak " "reporting on exit\n"));
+ d_printf(_("\t-V|--version\t\t\t\tPrint samba version information\n"));
+
+ d_printf("\n");
+ d_printf(_("Valid connection options are:\n")); /* misc options */
+ d_printf(_("\t-R|--name-resolve=NAME-RESOLVE-ORDER\tUse these name " "resolution services only\n"));
+ d_printf(_("\t-O|--socket-options=SOCKETOPTIONS\tsocket options to use\n"));
+ d_printf(_("\t-m|--maxprotocol=MAXPROTOCOL\t\tSet max protocol level\n"));
+ d_printf(_("\t-n|--netbiosname=NETBIOSNAME\t\tPrimary netbios name\n"));
+ d_printf(_("\t--netbios-scope=SCOPE\t\t\tUse this Netbios scope\n"));
+ d_printf(_("\t-W|--workgroup=WORKGROUP\t\tSet the workgroup name\n"));
+ d_printf(_("\t--realm=REALM\t\t\t\tSet the realm name\n"));
+
+ d_printf("\n");
+ d_printf(_("Valid credential options are:\n")); /* misc options */
+ d_printf(_("\t-U|--user=[DOMAIN/]USERNAME[%%PASSWORD]\tSet the " "network username\n"));
+ d_printf(_("\t-N|--no-pass\t\t\t\tDon't ask for a password\n"));
+ d_printf(_("\t--password=STRING\t\t\tSet a password\n"));
+ d_printf(_("\t--pw-nt-hash\t\t\t\tThe supplied password is the NT hash\n"));
+ d_printf(_("\t-A|--authentication-file=FILE\t\tGet the " "credentials from a file\n"));
+ d_printf(_("\t-P|--machine-pass\t\t\tUse stored machine account password\n"));
+ d_printf(_("\t--simple-bind-dn=DN\t\t\tDN to use for a simple bind\n"));
+ d_printf(_("\t--use-kerberos=desired|required|off\tUse kerberos " "authentication\n"));
+ d_printf(_("\t--use-krb5-ccache=CCACHE\t\tCredentials cache location " "for Kerberos\n"));
+ d_printf(_("\t--use-winbind-ccache\t\t\tUse the winbind ccache for " "authentication\n"));
+ d_printf(_("\t--client-protection=sign|encrypt|off\tConfigure used " "protection for client connections\n"));
+ return -1;
 }
diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
index f49b707338d..d04df553e01 100644
--- a/source3/utils/net_proto.h
+++ b/source3/utils/net_proto.h
@@ -418,9 +418,6 @@ NTSTATUS net_make_ipc_connection_ex(struct net_context *c ,const char *domain,
 const struct sockaddr_storage *pss, unsigned flags, struct cli_state **pcli);
 const char *net_prompt_pass(struct net_context *c, const char *user);
-struct cli_credentials;
-struct cli_credentials *net_context_creds(struct net_context *c,
- TALLOC_CTX *mem_ctx);
 int net_run_function(struct net_context *c, int argc, const char **argv, const char *whoami, struct functable *table);
 void net_display_usage_from_functable(struct functable *table);
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 46d35e6a90f..1306dccd5a6 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -207,15 +207,6 @@ int run_rpc_command(struct net_context *c,
 }
 } else {
 if (conn_flags & NET_FLAGS_SEAL) {
- struct cli_credentials *creds = NULL;
-
- creds = net_context_creds(c, mem_ctx);
- if (creds == NULL) {
- DBG_ERR("net_rpc_ntlm_creds() failed\n");
- nt_status = NT_STATUS_INTERNAL_ERROR;
- goto fail;
- }
-
 nt_status = cli_rpc_pipe_open_with_creds(
 cli, table,
 (conn_flags & NET_FLAGS_TCP) ?
@@ -223,7 +214,7 @@ int run_rpc_command(struct net_context *c,
 DCERPC_AUTH_TYPE_NTLMSSP,
 DCERPC_AUTH_LEVEL_PRIVACY,
 smbXcli_conn_remote_name(cli->conn),
- creds, &pipe_hnd);
+ c->creds, &pipe_hnd);
 } else {
 nt_status = cli_rpc_pipe_open_noauth(
 cli, table,
@@ -1256,7 +1247,6 @@ static int rpc_user_list(struct net_context *c, int argc, const char **argv)
 int net_rpc_user(struct net_context *c, int argc, const char **argv)
 {
 NET_API_STATUS status;
- struct cli_credentials *creds = NULL;
 struct functable func[] = {
 {
@@ -1310,17 +1300,12 @@ int net_rpc_user(struct net_context *c, int argc, const char **argv)
 {NULL, NULL, 0, NULL, NULL}
 };
- creds = net_context_creds(c, c);
- if (creds == NULL) {
- return -1;
- }
-
 status = libnetapi_net_init(&c->netapi_ctx);
 if (status != 0) {
 return -1;
 }
- status = libnetapi_set_creds(c->netapi_ctx, creds);
+ status = libnetapi_set_creds(c->netapi_ctx, c->creds);
 if (status != 0) {
 return -1;
 }
@@ -3447,7 +3432,6 @@ static int rpc_group_rename(struct net_context *c, int argc, const char **argv)
 int net_rpc_group(struct net_context *c, int argc, const char **argv)
 {
 NET_API_STATUS status;
- struct cli_credentials *creds = NULL;
 struct functable func[] = {
 {
@@ -3509,17 +3493,12 @@ int net_rpc_group(struct net_context *c, int argc, const char **argv)
 {NULL, NULL, 0, NULL, NULL}
 };
- creds = net_context_creds(c, c);
- if (creds == NULL) {
- return -1;
- }
-
 status = libnetapi_net_init(&c->netapi_ctx);
 if (status != 0) {
 return -1;
 }
- status = libnetapi_set_creds(c->netapi_ctx, creds);
+ status = libnetapi_set_creds(c->netapi_ctx, c->creds);
 if (status != 0) {
 return -1;
 }
@@ -5440,7 +5419,6 @@ int net_usersidlist_usage(struct net_context *c, int argc, const char **argv)
 int net_rpc_share(struct net_context *c, int argc, const char **argv)
 {
 NET_API_STATUS status;
- struct cli_credentials *creds = NULL;
 struct functable func[] = {
 {
@@ -5486,17 +5464,12 @@ int net_rpc_share(struct net_context *c, int argc, const char **argv)
 {NULL, NULL, 0, NULL, NULL}
 };
- creds = net_context_creds(c, c);
- if (creds == NULL) {
- return -1;
- }
-
 status = libnetapi_net_init(&c->netapi_ctx);
 if (status != 0) {
 return -1;
 }
- status = libnetapi_set_creds(c->netapi_ctx, creds);
+ status = libnetapi_set_creds(c->netapi_ctx, c->creds);
 if (status != 0) {
 return -1;
 }
@@ -5743,7 +5716,6 @@ static int rpc_file_user(struct net_context *c, int argc, const char **argv)
 int net_rpc_file(struct net_context *c, int argc, const char **argv)
 {
 NET_API_STATUS status;
- struct cli_credentials *creds = NULL;
 struct functable func[] = {
 {
@@ -5775,17 +5747,12 @@ int net_rpc_file(struct net_context *c, int argc, const char **argv)
 {NULL, NULL, 0, NULL, NULL}
 };
- creds = net_context_creds(c, c);
- if (creds == NULL) {
- return -1;
- }
-
 status = libnetapi_net_init(&c->netapi_ctx);
 if (status != 0) {
 return -1;
 }
- status = libnetapi_set_creds(c->netapi_ctx, creds);
+ status = libnetapi_set_creds(c->netapi_ctx, c->creds);
 if (status != 0) {
 return -1;
 }
@@ -8201,7 +8168,6 @@ int net_rpc_printer(struct net_context *c, int argc, const char **argv)
 int net_rpc(struct net_context *c, int argc, const char **argv)
 {
 NET_API_STATUS status;
- struct cli_credentials *creds = NULL;
 struct functable func[] = {
 {
@@ -8392,17 +8358,12 @@ int net_rpc(struct net_context *c, int argc, const char **argv)
 {NULL, NULL, 0, NULL, NULL}
 };
- creds = net_context_creds(c, c);
- if (creds == NULL) {
- return -1;
- }
-
 status = libnetapi_net_init(&c->netapi_ctx);
 if (status != 0) {
 return -1;
 }
- status = libnetapi_set_creds(c->netapi_ctx, creds);
+ status = libnetapi_set_creds(c->netapi_ctx, c->creds);
 if (status != 0) {
 return -1;
 }
diff --git a/source3/utils/net_rpc_shell.c b/source3/utils/net_rpc_shell.c
index ab7df7ef463..634c5b5248a 100644
--- a/source3/utils/net_rpc_shell.c
+++ b/source3/utils/net_rpc_shell.c
@@ -222,7 +222,6 @@ int net_rpc_shell(struct net_context *c, int argc, const char **argv)
 NTSTATUS status;
 struct rpc_sh_ctx *ctx;
 struct dom_sid_buf buf;
- struct cli_credentials *creds = NULL;
 NET_API_STATUS net_api_status;
 if (argc != 0 || c->display_usage) {
@@ -230,16 +229,11 @@ int net_rpc_shell(struct net_context *c, int argc, const char **argv)
 return -1;
 }
- creds = net_context_creds(c, c);
- if (creds == NULL) {
- return -1;
- }
-
 if (libnetapi_net_init(&c->netapi_ctx) != 0) {
 return -1;
 }
- net_api_status = libnetapi_set_creds(c->netapi_ctx, creds);
+ net_api_status = libnetapi_set_creds(c->netapi_ctx, c->creds);
 if (net_api_status != 0) {
 return -1;
 }
diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
index f0b670a3f96..298d9a64dc0 100644
--- a/source3/utils/net_util.c
+++ b/source3/utils/net_util.c
@@ -31,6 +31,7 @@
 #include "libsmb/libsmb.h"
 #include "lib/param/param.h"
 #include "auth/gensec/gensec.h"
+#include "lib/cmdline/cmdline.h"
 NTSTATUS net_rpc_lookup_name(struct net_context *c, TALLOC_CTX *mem_ctx, struct cli_state *cli,
@@ -108,15 +109,8 @@ NTSTATUS connect_to_service(struct net_context *c,
 const char *service_type)
 {
 NTSTATUS nt_status;
- struct cli_credentials *creds = NULL;
 int flags = 0;
- creds = net_context_creds(c, c);
- if (creds == NULL) {
- d_fprintf(stderr, "net_context_creds() failed.\n");
- return NT_STATUS_INTERNAL_ERROR;
- }
-
 if (strequal(service_type, "IPC")) {
 flags |= CLI_FULL_CONNECTION_IPC;
 }
@@ -124,7 +118,7 @@ NTSTATUS connect_to_service(struct net_context *c,
 nt_status = cli_full_connection_creds(cli_ctx, NULL, server_name, server_ss, c->opt_port, service_name, service_type,
- creds,
+ c->creds,
 flags);
 if (!NT_STATUS_IS_OK(nt_status)) {
 d_fprintf(stderr, _("Could not connect to server %s\n"),
@@ -268,6 +262,8 @@ int net_use_krb_machine_account(struct net_context *c)
 }
 c->opt_user_name = user_name;
 c->opt_user_specified = true;
+
+ cli_credentials_set_machine_account(c->creds, c->lp_ctx);
 return 0;
 }
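Review bot: The NTSTATUS returned by `cli_credentials_set_machine_account(c->creds, c->lp_ctx)` is discarded and net_use_krb_machine_account() returns 0 regardless, so a missing or unreadable machine account secret leaves c->creds holding whatever credentials came from the command line while the caller believes it has switched to the machine account. Check it and fail loudly: `status = cli_credentials_set_machine_account(c->creds, c->lp_ctx); if (!NT_STATUS_IS_OK(status)) { d_fprintf(stderr, _("Failed to load machine account credentials\n")); return -1; }`. As in the net_ads hunk, this call mutates the shared c->creds for the rest of the process, which is worth a one-line comment. The top of net_use_krb_machine_account, where the NTSTATUS local would be declared, is outside the hunk.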
@@ -434,157 +430,16 @@ done:
 /****************************************************************************
 ****************************************************************************/
+/* TODO FIXME: Pass cli_creds via net_context and get rid of this function. */
 const char *net_prompt_pass(struct net_context *c, const char *user)
 {
- char *prompt = NULL;
- char pwd[256] = {0};
- int rc;
+ struct cli_credentials *creds = samba_cmdline_get_creds();
- if (c->opt_password) {
- return c->opt_password;
+ if (c->opt_password == NULL) {
+ c->opt_password = cli_credentials_get_password(creds);
 }
- if (c->opt_machine_pass) {
- return NULL;
- }
-
- if (c->opt_kerberos && !c->opt_user_specified) {
- return NULL;
- }
-
- if (c->opt_ccache) {
- return NULL;
- }
-
- if (asprintf(&prompt, _("Enter %s's password:"), user) == -1) {
- return NULL;
- }
-
- rc = samba_getpass(prompt, pwd, sizeof(pwd), false, false);
- SAFE_FREE(prompt);
- if (rc < 0) {
- return NULL;
- }
-
- return SMB_STRDUP(pwd);
-}
-
-struct cli_credentials *net_context_creds(struct net_context *c,
- TALLOC_CTX *mem_ctx)
-{
- struct cli_credentials *creds = NULL;
- struct loadparm_context *lp_ctx = NULL;
-
- /*
- * Do not query the password if we defined we want to use the
- * machine account.
- */
- if (c->opt_machine_pass) {
- c->opt_password = net_prompt_pass(c, c->opt_user_name);
- }
-
- creds = cli_credentials_init(mem_ctx);
- if (creds == NULL) {
- d_printf("ERROR: Unable to allocate memory!\n");
- exit(-1);
- }
-
- lp_ctx = loadparm_init_s3(creds, loadparm_s3_helpers());
- if (lp_ctx == NULL) {
- d_printf("loadparm_init_s3 failed\n");
- exit(-1);
- }
-
- cli_credentials_guess(creds, lp_ctx);
-
- if (c->opt_kerberos && c->opt_user_specified) {
- cli_credentials_set_kerberos_state(creds,
- CRED_USE_KERBEROS_DESIRED,
- CRED_SPECIFIED);
- } else if (c->opt_kerberos) {
- cli_credentials_set_kerberos_state(creds,
- CRED_USE_KERBEROS_REQUIRED,
- CRED_SPECIFIED);
- } else {
- cli_credentials_set_kerberos_state(creds,
- CRED_USE_KERBEROS_DISABLED,
- CRED_SPECIFIED);
- }
-
- if (c->opt_ccache) {
- uint32_t features;
-
- features = cli_credentials_get_gensec_features(creds);
- features |= GENSEC_FEATURE_NTLM_CCACHE;
- cli_credentials_set_gensec_features(creds,
- features,
- CRED_SPECIFIED);
-
- if (c->opt_password != NULL && strlen(c->opt_password) == 0) {
- /*
- * some callers pass "" as no password
- *
- * GENSEC_FEATURE_NTLM_CCACHE only handles
- * NULL as no password.
- */
- c->opt_password = NULL;
- }
- }
-
- if (c->opt_user_specified) {
- const char *default_domain =
- cli_credentials_get_domain(creds);
- char *username = NULL;
- const char *domain = NULL;
- char *tmp = NULL;
- char *p = NULL;
- bool is_default;
-
- tmp = talloc_strdup(creds, c->opt_user_name);
- if (tmp == NULL) {
- exit(-1);
- }
- username = tmp;
-
- /* allow for workgroups as part of the username */
- if ((p = strchr_m(tmp, '\\')) ||
- (p = strchr_m(tmp, '/')) ||
- (p = strchr_m(tmp, *lp_winbind_separator()))) {
- *p = 0;
- username = p + 1;
- domain = tmp;
- }
-
- if (domain == NULL) {
- domain = c->opt_workgroup;
- }
-
- /*
- * Don't overwrite the value from cli_credentials_guess()
- * with CRED_SPECIFIED, unless we have to.
- */
- is_default = strequal_m(domain, default_domain);
- if (!is_default) {
- cli_credentials_set_domain(creds,
- domain,
- CRED_SPECIFIED);
- }
-
- cli_credentials_set_username(creds,
- username,
- CRED_SPECIFIED);
- cli_credentials_set_password(creds,
- c->opt_password,
- CRED_SPECIFIED);
- }
-
- if (c->smb_encrypt) {
- cli_credentials_set_smb_encryption(creds,
- SMB_ENCRYPTION_REQUIRED,
- CRED_SPECIFIED);
- }
-
- return creds;
+ return c->opt_password;
 }
 int net_run_function(struct net_context *c, int argc, const char **argv,
diff --git a/testprogs/blackbox/test_client_etypes.sh b/testprogs/blackbox/test_client_etypes.sh
index 1c2006f22b7..020df804075 100755
--- a/testprogs/blackbox/test_client_etypes.sh
+++ b/testprogs/blackbox/test_client_etypes.sh
@@ -48,9 +48,9 @@ net_tool="$BINDIR/net --configfile=$BASEDIR/$WORKDIR/client.conf --option=securi
 pcap_file=$BASEDIR/$WORKDIR/test.pcap
 export SOCKET_WRAPPER_PCAP_FILE=$pcap_file
-testit "join" $VALGRIND $net_tool ads join -kU$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --use-kerberos=required || failed=`expr $failed + 1`
-testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
 #The leave command does not use the locally-generated
 #krb5.conf
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
index c63382c60c7..76b394b10a9 100755
--- a/testprogs/blackbox/test_net_ads.sh
+++ b/testprogs/blackbox/test_net_ads.sh
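Review bot: The `user` parameter of net_prompt_pass() is no longer read, and the function fetches credentials through `samba_cmdline_get_creds()` although main() stores that same object in `c->creds`; reading `c->creds` here would follow the function's own TODO and avoid two sources of truth. The behaviour also changes for the Kerberos, ccache and machine-account cases, where the removed code deliberately returned NULL without prompting; now `cli_credentials_get_password(creds)` is returned for all of them, and whether that triggers an interactive prompt depends on the callback the cmdline layer installed, which is not visible here. A contract comment would help the remaining callers, e.g. `/* Return the password from the shared cmdline credentials, caching it in c->opt_password; may prompt through the cmdline password callback. The 'user' argument is unused. */`.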
@@ -51,7 +51,7 @@ fi
 testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
-testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
 netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
@@ -81,7 +81,7 @@ testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || fail
 dedicated_keytab_file="$PREFIX_ABS/test_net_ads_dedicated_krb5.keytab"
 testit "join (dedicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
-testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
 netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
 uc_netbios=$(echo $netbios | tr '[:lower:]' '[:upper:]')
@@ -179,15 +179,15 @@ fi
 rm -f $dedicated_keytab_file
-testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
-testit "join+kerberos" $VALGRIND $net_tool ads join -kU$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+testit "join+kerberos" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --use-kerberos=required || failed=`expr $failed + 1`
-testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
-testit "leave+kerberos" $VALGRIND $net_tool ads leave -kU$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+testit "leave+kerberos" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD --use-kerberos=required || failed=`expr $failed + 1`
-testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
 testit "join+server" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD -S$DC_SERVER || failed=`expr $failed + 1`
diff --git a/testprogs/blackbox/test_net_ads_fips.sh b/testprogs/blackbox/test_net_ads_fips.sh
index 4e2c1fda22f..57df650eadd 100755
--- a/testprogs/blackbox/test_net_ads_fips.sh
+++ b/testprogs/blackbox/test_net_ads_fips.sh
@@ -30,13 +30,13 @@ net_tool="$BINDIR/net --configfile=$BASEDIR/$WORKDIR/client.conf --option=securi
 . `dirname $0`/subunit.sh
 # This make sure we are able to join AD in FIPS mode with Kerberos (NTLM doesn't work in FIPS mode).
-testit "join" $VALGRIND $net_tool ads join -k -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+testit "join" $VALGRIND $net_tool ads join --use-kerberos=required -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
-testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
 testit "changetrustpw" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
-testit "leave" $VALGRIND $net_tool ads leave -k -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+testit "leave" $VALGRIND $net_tool ads leave --use-kerberos=required -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
 rm -rf $BASEDIR/$WORKDIR