
s3:utils: Use connection and credentials parser in net util

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Andreas Schneider 2021-01-19 07:49:26 +01:00 committed by Andrew Bartlett
parent 91d20d1d11
commit ea071d278a
12 changed files with 125 additions and 369 deletions


@ -816,7 +816,7 @@ sub provision_ad_member
$cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
$cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" "; $cmd .= "SELFTEST_WINBINDD_SOCKET_DIR=\"$ret->{SELFTEST_WINBINDD_SOCKET_DIR}\" ";
$cmd .= "$net join $ret->{CONFIGURATION}"; $cmd .= "$net join $ret->{CONFIGURATION}";
$cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD} -k"; $cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD} --use-kerberos=required";
if (system($cmd) != 0) { if (system($cmd) != 0) {
warn("Join failed\n$cmd"); warn("Join failed\n$cmd");


@ -52,6 +52,7 @@
#include "lib/gencache.h" #include "lib/gencache.h"
#include "auth/credentials/credentials.h" #include "auth/credentials/credentials.h"
#include "source3/utils/passwd_proto.h" #include "source3/utils/passwd_proto.h"
#include "auth/gensec/gensec.h"
#ifdef WITH_FAKE_KASERVER #ifdef WITH_FAKE_KASERVER
#include "utils/net_afs.h" #include "utils/net_afs.h"
@ -260,7 +261,6 @@ static int net_changesecretpw(struct net_context *c, int argc,
static int net_setauthuser(struct net_context *c, int argc, const char **argv) static int net_setauthuser(struct net_context *c, int argc, const char **argv)
{ {
const char *password = NULL; const char *password = NULL;
struct cli_credentials *creds = NULL;
bool ok; bool ok;
if (!secrets_init()) { if (!secrets_init()) {
@ -307,14 +307,7 @@ static int net_setauthuser(struct net_context *c, int argc, const char **argv)
return 1; return 1;
} }
creds = net_context_creds(c, c); ok = secrets_store_creds(c->creds);
if (creds == NULL) {
d_fprintf(stderr, _("Failed creating auth credentials\n"));
return 1;
}
ok = secrets_store_creds(creds);
TALLOC_FREE(creds);
if (!ok) { if (!ok) {
d_fprintf(stderr, _("Failed storing auth user credentials\n")); d_fprintf(stderr, _("Failed storing auth user credentials\n"));
return 1; return 1;
@ -919,33 +912,12 @@ static struct functable net_func[] = {
}; };
static void get_credentials_file(struct net_context *c,
const char *file)
{
struct cli_credentials *cred = cli_credentials_init(c);
if (cred == NULL) {
d_printf("ERROR: Unable to allocate memory!\n");
exit(-1);
}
if (!cli_credentials_parse_file(cred, file, CRED_GUESS_FILE)) {
exit(-1);
}
c->opt_user_name = cli_credentials_get_username(cred);
c->opt_user_specified = (c->opt_user_name != NULL);
c->opt_password = cli_credentials_get_password(cred);
c->opt_target_workgroup = cli_credentials_get_domain(cred);
}
/**************************************************************************** /****************************************************************************
main program main program
****************************************************************************/ ****************************************************************************/
int main(int argc, char **argv) int main(int argc, char **argv)
{ {
int opt,i; int opt,i;
char *p;
int rc = 0; int rc = 0;
int argc_new = 0; int argc_new = 0;
const char ** argv_new; const char ** argv_new;
@ -963,27 +935,11 @@ static void get_credentials_file(struct net_context *c,
.val = 'h', .val = 'h',
}, },
{ {
.longName = "workgroup", .longName = "target-workgroup",
.shortName = 'w', .shortName = 'w',
.argInfo = POPT_ARG_STRING, .argInfo = POPT_ARG_STRING,
.arg = &c->opt_target_workgroup, .arg = &c->opt_target_workgroup,
}, },
{
.longName = "user",
.shortName = 'U',
.argInfo = POPT_ARG_STRING,
.arg = &c->opt_user_name,
.val = 'U',
},
{
.longName = "authentication-file",
.shortName = 'A',
.argInfo = POPT_ARG_STRING,
.arg = &c->opt_user_name,
.val = 'A',
.descrip = "Get the credentials from a file",
.argDescrip = "FILE",
},
{ {
.longName = "ipaddress", .longName = "ipaddress",
.shortName = 'I', .shortName = 'I',
@ -999,7 +955,7 @@ static void get_credentials_file(struct net_context *c,
}, },
{ {
.longName = "myname", .longName = "myname",
.shortName = 'n', .shortName = 0,
.argInfo = POPT_ARG_STRING, .argInfo = POPT_ARG_STRING,
.arg = &c->opt_requester_name, .arg = &c->opt_requester_name,
}, },
@ -1009,14 +965,6 @@ static void get_credentials_file(struct net_context *c,
.argInfo = POPT_ARG_STRING, .argInfo = POPT_ARG_STRING,
.arg = &c->opt_host, .arg = &c->opt_host,
}, },
{
.longName = "encrypt",
.shortName = 'e',
.argInfo = POPT_ARG_NONE,
.arg = NULL,
.val = 'e',
.descrip = N_("Encrypt SMB transport"),
},
{ {
.longName = "container", .longName = "container",
.shortName = 'c', .shortName = 'c',
@ -1076,24 +1024,6 @@ static void get_credentials_file(struct net_context *c,
.argInfo = POPT_ARG_INT, .argInfo = POPT_ARG_INT,
.arg = &c->opt_request_timeout, .arg = &c->opt_request_timeout,
}, },
{
.longName = "machine-pass",
.shortName = 'P',
.argInfo = POPT_ARG_NONE,
.arg = &c->opt_machine_pass,
},
{
.longName = "kerberos",
.shortName = 'k',
.argInfo = POPT_ARG_NONE,
.arg = &c->opt_kerberos,
},
{
.longName = "myworkgroup",
.shortName = 'W',
.argInfo = POPT_ARG_STRING,
.arg = &c->opt_workgroup,
},
{ {
.longName = "use-ccache", .longName = "use-ccache",
.shortName = 0, .shortName = 0,
@ -1127,13 +1057,13 @@ static void get_credentials_file(struct net_context *c,
}, },
{ {
.longName = "ntname", .longName = "ntname",
.shortName = 'N', .shortName = 0,
.argInfo = POPT_ARG_STRING, .argInfo = POPT_ARG_STRING,
.arg = &c->opt_newntname, .arg = &c->opt_newntname,
}, },
{ {
.longName = "rid", .longName = "rid",
.shortName = 'R', .shortName = 0,
.argInfo = POPT_ARG_INT, .argInfo = POPT_ARG_INT,
.arg = &c->opt_rid, .arg = &c->opt_rid,
}, },
@ -1283,7 +1213,10 @@ static void get_credentials_file(struct net_context *c,
.descrip = "follow symlinks", .descrip = "follow symlinks",
}, },
POPT_COMMON_SAMBA POPT_COMMON_SAMBA
POPT_COMMON_CONNECTION
POPT_COMMON_CREDENTIALS
POPT_COMMON_VERSION POPT_COMMON_VERSION
POPT_LEGACY_S3
POPT_TABLEEND POPT_TABLEEND
}; };
@ -1330,9 +1263,6 @@ static void get_credentials_file(struct net_context *c,
case 'h': case 'h':
c->display_usage = true; c->display_usage = true;
break; break;
case 'e':
c->smb_encrypt = true;
break;
case 'I': case 'I':
if (!interpret_string_addr(&c->opt_dest_ip, if (!interpret_string_addr(&c->opt_dest_ip,
poptGetOptArg(pc), 0)) { poptGetOptArg(pc), 0)) {
@ -1341,18 +1271,6 @@ static void get_credentials_file(struct net_context *c,
c->opt_have_ip = true; c->opt_have_ip = true;
} }
break; break;
case 'U':
c->opt_user_specified = true;
c->opt_user_name = talloc_strdup(c, c->opt_user_name);
p = strchr(c->opt_user_name,'%');
if (p) {
*p = 0;
c->opt_password = p+1;
}
break;
case 'A':
get_credentials_file(c, c->opt_user_name);
break;
default: default:
d_fprintf(stderr, _("\nInvalid option %s: %s\n"), d_fprintf(stderr, _("\nInvalid option %s: %s\n"),
poptBadOption(pc, 0), poptStrerror(opt)); poptBadOption(pc, 0), poptStrerror(opt));
@ -1361,6 +1279,33 @@ static void get_credentials_file(struct net_context *c,
} }
} }
c->creds = samba_cmdline_get_creds();
c->lp_ctx = samba_cmdline_get_lp_ctx();
{
enum credentials_obtained username_obtained =
CRED_UNINITIALISED;
enum smb_encryption_setting encrypt_state =
cli_credentials_get_smb_encryption(c->creds);
enum credentials_use_kerberos krb5_state =
cli_credentials_get_kerberos_state(c->creds);
uint32_t gensec_features;
c->opt_user_name = cli_credentials_get_username_and_obtained(
c->creds,
&username_obtained);
c->opt_user_specified = (username_obtained == CRED_SPECIFIED);
c->opt_workgroup = cli_credentials_get_domain(c->creds);
c->smb_encrypt = (encrypt_state == SMB_ENCRYPTION_REQUIRED);
c->opt_kerberos = (krb5_state > CRED_USE_KERBEROS_DESIRED);
gensec_features = cli_credentials_get_gensec_features(c->creds);
c->opt_ccache = (gensec_features & GENSEC_FEATURE_NTLM_CCACHE);
}
c->msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE()); c->msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE());
#if defined(HAVE_BIND_TEXTDOMAIN_CODESET) #if defined(HAVE_BIND_TEXTDOMAIN_CODESET)
@ -1391,14 +1336,6 @@ static void get_credentials_file(struct net_context *c,
lp_set_cmdline("netbios name", c->opt_requester_name); lp_set_cmdline("netbios name", c->opt_requester_name);
} }
if (!c->opt_user_name && getenv("LOGNAME")) {
c->opt_user_name = getenv("LOGNAME");
}
if (!c->opt_workgroup) {
c->opt_workgroup = talloc_strdup(c, lp_workgroup());
}
if (!c->opt_target_workgroup) { if (!c->opt_target_workgroup) {
c->opt_target_workgroup = talloc_strdup(c, lp_workgroup()); c->opt_target_workgroup = talloc_strdup(c, lp_workgroup());
} }
@ -1409,17 +1346,6 @@ static void get_credentials_file(struct net_context *c,
that it won't assert because we are not root */ that it won't assert because we are not root */
sec_init(); sec_init();
if (c->opt_machine_pass) {
/* it is very useful to be able to make ads queries as the
machine account for testing purposes and for domain leave */
net_use_krb_machine_account(c);
}
if (!c->opt_password) {
c->opt_password = getenv("PASSWD");
}
samba_cmdline_burn(argc, argv); samba_cmdline_burn(argc, argv);
rc = net_run_function(c, argc_new-1, argv_new+1, "net", net_func); rc = net_run_function(c, argc_new-1, argv_new+1, "net", net_func);
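Review bot: The block that follows option parsing derives opt_user_name, opt_user_specified, opt_workgroup, smb_encrypt, opt_kerberos and opt_ccache from c->creds, but opt_machine_pass and opt_password are not derived even though the `--machine-pass`/`-P` entry that used to set opt_machine_pass is removed from net's own table and the `getenv("PASSWD")` fallback for opt_password is dropped, so anything in net that still reads `c->opt_machine_pass` will see false unless something outside this diff sets it; either derive it here from what the common parser recorded, or retire the field in the same series. `c->creds = samba_cmdline_get_creds();` is dereferenced immediately by cli_credentials_get_smb_encryption() without a NULL check; if the common parser can leave it unset, a guard such as `if (c->creds == NULL) { d_fprintf(stderr, _("Failed to get credentials\n")); exit(1); }` belongs before the block. Deriving opt_kerberos as `krb5_state > CRED_USE_KERBEROS_DESIRED` depends on the enum ordering and deserves a comment like `/* only --use-kerberos=required keeps the old -k meaning */`. main() continues outside the hunk.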


@ -2433,7 +2433,6 @@ static int net_ads_printer_publish(struct net_context *c, int argc, const char *
char *prt_dn, *srv_dn, **srv_cn; char *prt_dn, *srv_dn, **srv_cn;
char *srv_cn_escaped = NULL, *printername_escaped = NULL; char *srv_cn_escaped = NULL, *printername_escaped = NULL;
LDAPMessage *res = NULL; LDAPMessage *res = NULL;
struct cli_credentials *creds = NULL;
bool ok; bool ok;
if (argc < 1 || c->display_usage) { if (argc < 1 || c->display_usage) {
@ -2471,21 +2470,14 @@ static int net_ads_printer_publish(struct net_context *c, int argc, const char *
return -1; return -1;
} }
creds = net_context_creds(c, mem_ctx); cli_credentials_set_kerberos_state(c->creds,
if (creds == NULL) {
d_fprintf(stderr, "net_context_creds() failed\n");
ads_destroy(&ads);
talloc_destroy(mem_ctx);
return -1;
}
cli_credentials_set_kerberos_state(creds,
CRED_USE_KERBEROS_REQUIRED, CRED_USE_KERBEROS_REQUIRED,
CRED_SPECIFIED); CRED_SPECIFIED);
nt_status = cli_full_connection_creds(&cli, lp_netbios_name(), servername, nt_status = cli_full_connection_creds(&cli, lp_netbios_name(), servername,
&server_ss, 0, &server_ss, 0,
"IPC$", "IPC", "IPC$", "IPC",
creds, c->creds,
CLI_FULL_CONNECTION_IPC); CLI_FULL_CONNECTION_IPC);
if (NT_STATUS_IS_ERR(nt_status)) { if (NT_STATUS_IS_ERR(nt_status)) {
@ -2675,8 +2667,8 @@ static int net_ads_printer(struct net_context *c, int argc, const char **argv)
static int net_ads_password(struct net_context *c, int argc, const char **argv) static int net_ads_password(struct net_context *c, int argc, const char **argv)
{ {
ADS_STRUCT *ads; ADS_STRUCT *ads;
const char *auth_principal = c->opt_user_name; const char *auth_principal = cli_credentials_get_username(c->creds);
const char *auth_password = c->opt_password; const char *auth_password = cli_credentials_get_password(c->creds);
const char *realm = NULL; const char *realm = NULL;
const char *new_password = NULL; const char *new_password = NULL;
char *chr, *prompt; char *chr, *prompt;
@ -2693,7 +2685,7 @@ static int net_ads_password(struct net_context *c, int argc, const char **argv)
return 0; return 0;
} }
if (c->opt_user_name == NULL || c->opt_password == NULL) { if (auth_principal == NULL || auth_password == NULL) {
d_fprintf(stderr, _("You must supply an administrator " d_fprintf(stderr, _("You must supply an administrator "
"username/password\n")); "username/password\n"));
return -1; return -1;
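Review bot: In net_ads_printer_publish the call `cli_credentials_set_kerberos_state(c->creds, CRED_USE_KERBEROS_REQUIRED, CRED_SPECIFIED)` now mutates the process-wide c->creds instead of the per-call object the removed net_context_creds() returned, so "required" with CRED_SPECIFIED priority sticks for every later connection made in the same run and cannot be lowered afterwards. If the intent is only to force Kerberos for this one IPC$ connection, say so with `/* NOTE: sticky on the shared creds; later connections in this run also require Kerberos */` or work on a copy of the credentials if the API offers one. In net_ads_password, `cli_credentials_get_password(c->creds)` may itself invoke the interactive password callback, in which case the "You must supply an administrator username/password" check is rarely reached; worth confirming against the common parser's behaviour. Both functions begin outside the hunk.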


@ -340,7 +340,6 @@ static int net_dom_renamecomputer(struct net_context *c, int argc, const char **
int net_dom(struct net_context *c, int argc, const char **argv) int net_dom(struct net_context *c, int argc, const char **argv)
{ {
NET_API_STATUS status; NET_API_STATUS status;
struct cli_credentials *creds = NULL;
struct functable func[] = { struct functable func[] = {
{ {
@ -375,17 +374,12 @@ int net_dom(struct net_context *c, int argc, const char **argv)
{NULL, NULL, 0, NULL, NULL} {NULL, NULL, 0, NULL, NULL}
}; };
creds = net_context_creds(c, c);
if (creds == NULL) {
return -1;
}
status = libnetapi_net_init(&c->netapi_ctx); status = libnetapi_net_init(&c->netapi_ctx);
if (status != 0) { if (status != 0) {
return -1; return -1;
} }
status = libnetapi_set_creds(c->netapi_ctx, creds); status = libnetapi_set_creds(c->netapi_ctx, c->creds);
if (status != 0) { if (status != 0) {
return -1; return -1;
} }


@ -33,26 +33,63 @@ int net_common_methods_usage(struct net_context *c, int argc, const char**argv)
int net_common_flags_usage(struct net_context *c, int argc, const char **argv) int net_common_flags_usage(struct net_context *c, int argc, const char **argv)
{ {
d_printf(_("Valid targets: choose one (none defaults to localhost)\n")); d_printf(_("Valid targets: choose one (none defaults to localhost)\n"));
d_printf(_("\t-S or --server=<server>\t\tserver name\n")); d_printf(_("\t-S|--server=<server>\t\t\tserver name\n"));
d_printf(_("\t-I or --ipaddress=<ipaddr>\taddress of target server\n")); d_printf(_("\t-I|--ipaddress=<ipaddr>\t\t\taddress of target server\n"));
d_printf(_("\t-w or --workgroup=<wg>\t\ttarget workgroup or domain\n")); d_printf(_("\t-w|--target-workgroup=<wg>\t\ttarget workgroup or domain\n"));
d_printf("\n"); d_printf("\n");
d_printf(_("Valid miscellaneous options are:\n")); /* misc options */ d_printf(_("Valid misc options are:\n")); /* misc options */
d_printf(_("\t-p or --port=<port>\t\tconnection port on target\n")); d_printf(_("\t-p|--port=<port>\t\t\tconnection port on target\n"));
d_printf(_("\t-W or --myworkgroup=<wg>\tclient workgroup\n")); d_printf(_("\t--myname=<name>\t\t\t\tclient name\n"));
d_printf(_("\t-d or --debuglevel=<level>\tdebug level (0-10)\n")); d_printf(_("\t--long\t\t\t\t\tDisplay full information\n"));
d_printf(_("\t-n or --myname=<name>\t\tclient name\n"));
d_printf(_("\t-U or --user=<name>\t\tuser name\n")); d_printf("\n");
d_printf(_("\t-s or --configfile=<path>\tpathname of smb.conf file\n")); d_printf(_("Valid common options are:\n")); /* misc options */
d_printf(_("\t-l or --long\t\t\tDisplay full information\n")); d_printf(_("\t-d|--debuglevel=<level>\t\t\tdebug level (0-10)\n"));
d_printf(_("\t-V or --version\t\t\tPrint samba version information\n")); d_printf(_("\t--debug-stdout\t\t\t\tSend debug output to standard "
d_printf(_("\t-P or --machine-pass\t\tAuthenticate as machine " "output\n"));
"account\n")); d_printf(_("\t--configfile=<path>\t\t\tpathname of smb.conf file\n"));
d_printf(_("\t-e or --encrypt\t\t\tEncrypt SMB transport " d_printf(_("\t--option=name=value\t\t\tSet smb.conf option from "
"(UNIX extended servers only)\n")); "command line\n"));
d_printf(_("\t-k or --kerberos\t\tUse kerberos (active directory) " d_printf(_("\t-l|--log-basename=LOGFILEBASE\t\tBasename for "
"log/debug files\n"));
d_printf(_("\t--leak-report\t\t\t\tenable talloc leak reporting on "
"exit\n"));
d_printf(_("\t--leak-report-full\t\t\tenable full talloc leak "
"reporting on exit\n"));
d_printf(_("\t-V|--version\t\t\t\tPrint samba version information\n"));
d_printf("\n");
d_printf(_("Valid connection options are:\n")); /* misc options */
d_printf(_("\t-R|--name-resolve=NAME-RESOLVE-ORDER\tUse these name "
"resolution services only\n"));
d_printf(_("\t-O|--socket-options=SOCKETOPTIONS\tsocket options to use\n"));
d_printf(_("\t-m|--maxprotocol=MAXPROTOCOL\t\tSet max protocol level\n"));
d_printf(_("\t-n|--netbiosname=NETBIOSNAME\t\tPrimary netbios name\n"));
d_printf(_("\t--netbios-scope=SCOPE\t\t\tUse this Netbios scope\n"));
d_printf(_("\t-W|--workgroup=WORKGROUP\t\tSet the workgroup name\n"));
d_printf(_("\t--realm=REALM\t\t\t\tSet the realm name\n"));
d_printf("\n");
d_printf(_("Valid credential options are:\n")); /* misc options */
d_printf(_("\t-U|--user=[DOMAIN/]USERNAME[%%PASSWORD]\tSet the "
"network username\n"));
d_printf(_("\t-N|--no-pass\t\t\t\tDon't ask for a password\n"));
d_printf(_("\t--password=STRING\t\t\tSet a password\n"));
d_printf(_("\t--pw-nt-hash\t\t\t\tThe supplied password is the NT hash\n"));
d_printf(_("\t-A|--authentication-file=FILE\t\tGet the "
"credentials from a file\n"));
d_printf(_("\t-P|--machine-pass\t\t\tUse stored machine account password\n"));
d_printf(_("\t--simple-bind-dn=DN\t\t\tDN to use for a simple bind\n"));
d_printf(_("\t--use-kerberos=desired|required|off\tUse kerberos "
"authentication\n")); "authentication\n"));
d_printf(_("\t--use-krb5-ccache=CCACHE\t\tCredentials cache location "
"for Kerberos\n"));
d_printf(_("\t--use-winbind-ccache\t\t\tUse the winbind ccache for "
"authentication\n"));
d_printf(_("\t--client-protection=sign|encrypt|off\tConfigure used "
"protection for client connections\n"));
return -1; return -1;
} }
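Review bot: The trailing `/* misc options */` comment was copied from the "Valid misc options are:" line onto the new "Valid common options", "Valid connection options" and "Valid credential options" headers, where it is wrong; drop it from those three lines or change them to `/* common options */`, `/* connection options */` and `/* credential options */`. The credential section documents `--password=STRING` and `-U ...%%PASSWORD` without the caveat that a password given on the command line is readable by other local users until the process burns its argv; a one-line hint that `-A FILE` avoids that would help operators. The `-l|--log-basename` line also implicitly drops `-l` as the short form of `--long`, which has to agree with the option table in net.c.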


@ -418,9 +418,6 @@ NTSTATUS net_make_ipc_connection_ex(struct net_context *c ,const char *domain,
const struct sockaddr_storage *pss, const struct sockaddr_storage *pss,
unsigned flags, struct cli_state **pcli); unsigned flags, struct cli_state **pcli);
const char *net_prompt_pass(struct net_context *c, const char *user); const char *net_prompt_pass(struct net_context *c, const char *user);
struct cli_credentials;
struct cli_credentials *net_context_creds(struct net_context *c,
TALLOC_CTX *mem_ctx);
int net_run_function(struct net_context *c, int argc, const char **argv, int net_run_function(struct net_context *c, int argc, const char **argv,
const char *whoami, struct functable *table); const char *whoami, struct functable *table);
void net_display_usage_from_functable(struct functable *table); void net_display_usage_from_functable(struct functable *table);


@ -207,15 +207,6 @@ int run_rpc_command(struct net_context *c,
} }
} else { } else {
if (conn_flags & NET_FLAGS_SEAL) { if (conn_flags & NET_FLAGS_SEAL) {
struct cli_credentials *creds = NULL;
creds = net_context_creds(c, mem_ctx);
if (creds == NULL) {
DBG_ERR("net_rpc_ntlm_creds() failed\n");
nt_status = NT_STATUS_INTERNAL_ERROR;
goto fail;
}
nt_status = cli_rpc_pipe_open_with_creds( nt_status = cli_rpc_pipe_open_with_creds(
cli, table, cli, table,
(conn_flags & NET_FLAGS_TCP) ? (conn_flags & NET_FLAGS_TCP) ?
@ -223,7 +214,7 @@ int run_rpc_command(struct net_context *c,
DCERPC_AUTH_TYPE_NTLMSSP, DCERPC_AUTH_TYPE_NTLMSSP,
DCERPC_AUTH_LEVEL_PRIVACY, DCERPC_AUTH_LEVEL_PRIVACY,
smbXcli_conn_remote_name(cli->conn), smbXcli_conn_remote_name(cli->conn),
creds, &pipe_hnd); c->creds, &pipe_hnd);
} else { } else {
nt_status = cli_rpc_pipe_open_noauth( nt_status = cli_rpc_pipe_open_noauth(
cli, table, cli, table,
@ -1256,7 +1247,6 @@ static int rpc_user_list(struct net_context *c, int argc, const char **argv)
int net_rpc_user(struct net_context *c, int argc, const char **argv) int net_rpc_user(struct net_context *c, int argc, const char **argv)
{ {
NET_API_STATUS status; NET_API_STATUS status;
struct cli_credentials *creds = NULL;
struct functable func[] = { struct functable func[] = {
{ {
@ -1310,17 +1300,12 @@ int net_rpc_user(struct net_context *c, int argc, const char **argv)
{NULL, NULL, 0, NULL, NULL} {NULL, NULL, 0, NULL, NULL}
}; };
creds = net_context_creds(c, c);
if (creds == NULL) {
return -1;
}
status = libnetapi_net_init(&c->netapi_ctx); status = libnetapi_net_init(&c->netapi_ctx);
if (status != 0) { if (status != 0) {
return -1; return -1;
} }
status = libnetapi_set_creds(c->netapi_ctx, creds); status = libnetapi_set_creds(c->netapi_ctx, c->creds);
if (status != 0) { if (status != 0) {
return -1; return -1;
} }
@ -3447,7 +3432,6 @@ static int rpc_group_rename(struct net_context *c, int argc, const char **argv)
int net_rpc_group(struct net_context *c, int argc, const char **argv) int net_rpc_group(struct net_context *c, int argc, const char **argv)
{ {
NET_API_STATUS status; NET_API_STATUS status;
struct cli_credentials *creds = NULL;
struct functable func[] = { struct functable func[] = {
{ {
@ -3509,17 +3493,12 @@ int net_rpc_group(struct net_context *c, int argc, const char **argv)
{NULL, NULL, 0, NULL, NULL} {NULL, NULL, 0, NULL, NULL}
}; };
creds = net_context_creds(c, c);
if (creds == NULL) {
return -1;
}
status = libnetapi_net_init(&c->netapi_ctx); status = libnetapi_net_init(&c->netapi_ctx);
if (status != 0) { if (status != 0) {
return -1; return -1;
} }
status = libnetapi_set_creds(c->netapi_ctx, creds); status = libnetapi_set_creds(c->netapi_ctx, c->creds);
if (status != 0) { if (status != 0) {
return -1; return -1;
} }
@ -5440,7 +5419,6 @@ int net_usersidlist_usage(struct net_context *c, int argc, const char **argv)
int net_rpc_share(struct net_context *c, int argc, const char **argv) int net_rpc_share(struct net_context *c, int argc, const char **argv)
{ {
NET_API_STATUS status; NET_API_STATUS status;
struct cli_credentials *creds = NULL;
struct functable func[] = { struct functable func[] = {
{ {
@ -5486,17 +5464,12 @@ int net_rpc_share(struct net_context *c, int argc, const char **argv)
{NULL, NULL, 0, NULL, NULL} {NULL, NULL, 0, NULL, NULL}
}; };
creds = net_context_creds(c, c);
if (creds == NULL) {
return -1;
}
status = libnetapi_net_init(&c->netapi_ctx); status = libnetapi_net_init(&c->netapi_ctx);
if (status != 0) { if (status != 0) {
return -1; return -1;
} }
status = libnetapi_set_creds(c->netapi_ctx, creds); status = libnetapi_set_creds(c->netapi_ctx, c->creds);
if (status != 0) { if (status != 0) {
return -1; return -1;
} }
@ -5743,7 +5716,6 @@ static int rpc_file_user(struct net_context *c, int argc, const char **argv)
int net_rpc_file(struct net_context *c, int argc, const char **argv) int net_rpc_file(struct net_context *c, int argc, const char **argv)
{ {
NET_API_STATUS status; NET_API_STATUS status;
struct cli_credentials *creds = NULL;
struct functable func[] = { struct functable func[] = {
{ {
@ -5775,17 +5747,12 @@ int net_rpc_file(struct net_context *c, int argc, const char **argv)
{NULL, NULL, 0, NULL, NULL} {NULL, NULL, 0, NULL, NULL}
}; };
creds = net_context_creds(c, c);
if (creds == NULL) {
return -1;
}
status = libnetapi_net_init(&c->netapi_ctx); status = libnetapi_net_init(&c->netapi_ctx);
if (status != 0) { if (status != 0) {
return -1; return -1;
} }
status = libnetapi_set_creds(c->netapi_ctx, creds); status = libnetapi_set_creds(c->netapi_ctx, c->creds);
if (status != 0) { if (status != 0) {
return -1; return -1;
} }
@ -8201,7 +8168,6 @@ int net_rpc_printer(struct net_context *c, int argc, const char **argv)
int net_rpc(struct net_context *c, int argc, const char **argv) int net_rpc(struct net_context *c, int argc, const char **argv)
{ {
NET_API_STATUS status; NET_API_STATUS status;
struct cli_credentials *creds = NULL;
struct functable func[] = { struct functable func[] = {
{ {
@ -8392,17 +8358,12 @@ int net_rpc(struct net_context *c, int argc, const char **argv)
{NULL, NULL, 0, NULL, NULL} {NULL, NULL, 0, NULL, NULL}
}; };
creds = net_context_creds(c, c);
if (creds == NULL) {
return -1;
}
status = libnetapi_net_init(&c->netapi_ctx); status = libnetapi_net_init(&c->netapi_ctx);
if (status != 0) { if (status != 0) {
return -1; return -1;
} }
status = libnetapi_set_creds(c->netapi_ctx, creds); status = libnetapi_set_creds(c->netapi_ctx, c->creds);
if (status != 0) { if (status != 0) {
return -1; return -1;
} }


@ -222,7 +222,6 @@ int net_rpc_shell(struct net_context *c, int argc, const char **argv)
NTSTATUS status; NTSTATUS status;
struct rpc_sh_ctx *ctx; struct rpc_sh_ctx *ctx;
struct dom_sid_buf buf; struct dom_sid_buf buf;
struct cli_credentials *creds = NULL;
NET_API_STATUS net_api_status; NET_API_STATUS net_api_status;
if (argc != 0 || c->display_usage) { if (argc != 0 || c->display_usage) {
@ -230,16 +229,11 @@ int net_rpc_shell(struct net_context *c, int argc, const char **argv)
return -1; return -1;
} }
creds = net_context_creds(c, c);
if (creds == NULL) {
return -1;
}
if (libnetapi_net_init(&c->netapi_ctx) != 0) { if (libnetapi_net_init(&c->netapi_ctx) != 0) {
return -1; return -1;
} }
net_api_status = libnetapi_set_creds(c->netapi_ctx, creds); net_api_status = libnetapi_set_creds(c->netapi_ctx, c->creds);
if (net_api_status != 0) { if (net_api_status != 0) {
return -1; return -1;
} }


@ -31,6 +31,7 @@
#include "libsmb/libsmb.h" #include "libsmb/libsmb.h"
#include "lib/param/param.h" #include "lib/param/param.h"
#include "auth/gensec/gensec.h" #include "auth/gensec/gensec.h"
#include "lib/cmdline/cmdline.h"
NTSTATUS net_rpc_lookup_name(struct net_context *c, NTSTATUS net_rpc_lookup_name(struct net_context *c,
TALLOC_CTX *mem_ctx, struct cli_state *cli, TALLOC_CTX *mem_ctx, struct cli_state *cli,
@ -108,15 +109,8 @@ NTSTATUS connect_to_service(struct net_context *c,
const char *service_type) const char *service_type)
{ {
NTSTATUS nt_status; NTSTATUS nt_status;
struct cli_credentials *creds = NULL;
int flags = 0; int flags = 0;
creds = net_context_creds(c, c);
if (creds == NULL) {
d_fprintf(stderr, "net_context_creds() failed.\n");
return NT_STATUS_INTERNAL_ERROR;
}
if (strequal(service_type, "IPC")) { if (strequal(service_type, "IPC")) {
flags |= CLI_FULL_CONNECTION_IPC; flags |= CLI_FULL_CONNECTION_IPC;
} }
@ -124,7 +118,7 @@ NTSTATUS connect_to_service(struct net_context *c,
nt_status = cli_full_connection_creds(cli_ctx, NULL, server_name, nt_status = cli_full_connection_creds(cli_ctx, NULL, server_name,
server_ss, c->opt_port, server_ss, c->opt_port,
service_name, service_type, service_name, service_type,
creds, c->creds,
flags); flags);
if (!NT_STATUS_IS_OK(nt_status)) { if (!NT_STATUS_IS_OK(nt_status)) {
d_fprintf(stderr, _("Could not connect to server %s\n"), d_fprintf(stderr, _("Could not connect to server %s\n"),
@ -268,6 +262,8 @@ int net_use_krb_machine_account(struct net_context *c)
} }
c->opt_user_name = user_name; c->opt_user_name = user_name;
c->opt_user_specified = true; c->opt_user_specified = true;
cli_credentials_set_machine_account(c->creds, c->lp_ctx);
return 0; return 0;
} }
@ -434,157 +430,16 @@ done:
/**************************************************************************** /****************************************************************************
****************************************************************************/ ****************************************************************************/
/* TODO FIXME: Pass cli_creds via net_context and get rid of this function. */
const char *net_prompt_pass(struct net_context *c, const char *user) const char *net_prompt_pass(struct net_context *c, const char *user)
{ {
char *prompt = NULL; struct cli_credentials *creds = samba_cmdline_get_creds();
char pwd[256] = {0};
int rc;
if (c->opt_password) { if (c->opt_password == NULL) {
return c->opt_password; c->opt_password = cli_credentials_get_password(creds);
} }
if (c->opt_machine_pass) { return c->opt_password;
return NULL;
}
if (c->opt_kerberos && !c->opt_user_specified) {
return NULL;
}
if (c->opt_ccache) {
return NULL;
}
if (asprintf(&prompt, _("Enter %s's password:"), user) == -1) {
return NULL;
}
rc = samba_getpass(prompt, pwd, sizeof(pwd), false, false);
SAFE_FREE(prompt);
if (rc < 0) {
return NULL;
}
return SMB_STRDUP(pwd);
}
struct cli_credentials *net_context_creds(struct net_context *c,
TALLOC_CTX *mem_ctx)
{
struct cli_credentials *creds = NULL;
struct loadparm_context *lp_ctx = NULL;
/*
* Do not query the password if we defined we want to use the
* machine account.
*/
if (c->opt_machine_pass) {
c->opt_password = net_prompt_pass(c, c->opt_user_name);
}
creds = cli_credentials_init(mem_ctx);
if (creds == NULL) {
d_printf("ERROR: Unable to allocate memory!\n");
exit(-1);
}
lp_ctx = loadparm_init_s3(creds, loadparm_s3_helpers());
if (lp_ctx == NULL) {
d_printf("loadparm_init_s3 failed\n");
exit(-1);
}
cli_credentials_guess(creds, lp_ctx);
if (c->opt_kerberos && c->opt_user_specified) {
cli_credentials_set_kerberos_state(creds,
CRED_USE_KERBEROS_DESIRED,
CRED_SPECIFIED);
} else if (c->opt_kerberos) {
cli_credentials_set_kerberos_state(creds,
CRED_USE_KERBEROS_REQUIRED,
CRED_SPECIFIED);
} else {
cli_credentials_set_kerberos_state(creds,
CRED_USE_KERBEROS_DISABLED,
CRED_SPECIFIED);
}
if (c->opt_ccache) {
uint32_t features;
features = cli_credentials_get_gensec_features(creds);
features |= GENSEC_FEATURE_NTLM_CCACHE;
cli_credentials_set_gensec_features(creds,
features,
CRED_SPECIFIED);
if (c->opt_password != NULL && strlen(c->opt_password) == 0) {
/*
* some callers pass "" as no password
*
* GENSEC_FEATURE_NTLM_CCACHE only handles
* NULL as no password.
*/
c->opt_password = NULL;
}
}
if (c->opt_user_specified) {
const char *default_domain =
cli_credentials_get_domain(creds);
char *username = NULL;
const char *domain = NULL;
char *tmp = NULL;
char *p = NULL;
bool is_default;
tmp = talloc_strdup(creds, c->opt_user_name);
if (tmp == NULL) {
exit(-1);
}
username = tmp;
/* allow for workgroups as part of the username */
if ((p = strchr_m(tmp, '\\')) ||
(p = strchr_m(tmp, '/')) ||
(p = strchr_m(tmp, *lp_winbind_separator()))) {
*p = 0;
username = p + 1;
domain = tmp;
}
if (domain == NULL) {
domain = c->opt_workgroup;
}
/*
* Don't overwrite the value from cli_credentials_guess()
* with CRED_SPECIFIED, unless we have to.
*/
is_default = strequal_m(domain, default_domain);
if (!is_default) {
cli_credentials_set_domain(creds,
domain,
CRED_SPECIFIED);
}
cli_credentials_set_username(creds,
username,
CRED_SPECIFIED);
cli_credentials_set_password(creds,
c->opt_password,
CRED_SPECIFIED);
}
if (c->smb_encrypt) {
cli_credentials_set_smb_encryption(creds,
SMB_ENCRYPTION_REQUIRED,
CRED_SPECIFIED);
}
return creds;
} }
int net_run_function(struct net_context *c, int argc, const char **argv, int net_run_function(struct net_context *c, int argc, const char **argv,
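Review bot: In net_use_krb_machine_account the new `cli_credentials_set_machine_account(c->creds, c->lp_ctx);` discards its return value (an NTSTATUS, as far as I can tell), so a failure to read the machine account secret leaves c->creds unchanged while the function still sets opt_user_specified and returns 0, and the following connection proceeds with whatever credentials were already loaded. Check the status and return -1 on failure as below; since main() previously ignored this function's return value, callers will need to honour it. The function begins outside the hunk.
```c
	c->opt_user_name = user_name;
	c->opt_user_specified = true;

	NTSTATUS status = cli_credentials_set_machine_account(c->creds, c->lp_ctx);
	if (!NT_STATUS_IS_OK(status)) {
		d_fprintf(stderr, _("Failed to load machine account credentials: %s\n"),
			  nt_errstr(status));
		return -1;
	}

	return 0;
```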


@ -48,9 +48,9 @@ net_tool="$BINDIR/net --configfile=$BASEDIR/$WORKDIR/client.conf --option=securi
pcap_file=$BASEDIR/$WORKDIR/test.pcap pcap_file=$BASEDIR/$WORKDIR/test.pcap
export SOCKET_WRAPPER_PCAP_FILE=$pcap_file export SOCKET_WRAPPER_PCAP_FILE=$pcap_file
testit "join" $VALGRIND $net_tool ads join -kU$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --use-kerberos=required || failed=`expr $failed + 1`
testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1` testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
#The leave command does not use the locally-generated #The leave command does not use the locally-generated
#krb5.conf #krb5.conf


@ -51,7 +51,7 @@ fi
testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1` testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
@ -81,7 +81,7 @@ testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || fail
dedicated_keytab_file="$PREFIX_ABS/test_net_ads_dedicated_krb5.keytab" dedicated_keytab_file="$PREFIX_ABS/test_net_ads_dedicated_krb5.keytab"
testit "join (dedicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` testit "join (dedicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1` testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
uc_netbios=$(echo $netbios | tr '[:lower:]' '[:upper:]') uc_netbios=$(echo $netbios | tr '[:lower:]' '[:upper:]')
@ -179,15 +179,15 @@ fi
rm -f $dedicated_keytab_file rm -f $dedicated_keytab_file
testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1` testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
testit "join+kerberos" $VALGRIND $net_tool ads join -kU$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` testit "join+kerberos" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --use-kerberos=required || failed=`expr $failed + 1`
testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1` testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
testit "leave+kerberos" $VALGRIND $net_tool ads leave -kU$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` testit "leave+kerberos" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD --use-kerberos=required || failed=`expr $failed + 1`
testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1` testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
testit "join+server" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD -S$DC_SERVER || failed=`expr $failed + 1` testit "join+server" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD -S$DC_SERVER || failed=`expr $failed + 1`


@ -30,13 +30,13 @@ net_tool="$BINDIR/net --configfile=$BASEDIR/$WORKDIR/client.conf --option=securi
. `dirname $0`/subunit.sh . `dirname $0`/subunit.sh
# This make sure we are able to join AD in FIPS mode with Kerberos (NTLM doesn't work in FIPS mode). # This make sure we are able to join AD in FIPS mode with Kerberos (NTLM doesn't work in FIPS mode).
testit "join" $VALGRIND $net_tool ads join -k -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` testit "join" $VALGRIND $net_tool ads join --use-kerberos=required -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1` testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
testit "changetrustpw" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1` testit "changetrustpw" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
testit "leave" $VALGRIND $net_tool ads leave -k -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` testit "leave" $VALGRIND $net_tool ads leave --use-kerberos=required -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
rm -rf $BASEDIR/$WORKDIR rm -rf $BASEDIR/$WORKDIR