join.py: Do not expose the old machine password over NTLM if -k yes was set

This makes the test for a valid machine account stricter (as a kerberos error could
cause this to fail and so skip the validation), but we never wish to use NTLM
if the administrator disabled it on the command line

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>

diff --git a/python/samba/join.py b/python/samba/join.py
index 6a924359407c41097f33ccf917c575a4c6005ad0..3e70db08d2ad826deaa92b2e89fb214cbf5f72f5 100644 (file)
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -209,6 +209,7 @@ class dc_join(object):
         creds.guess(ctx.lp)
         try:
             creds.set_machine_account(ctx.lp)
+            creds.set_kerberos_state(ctx.creds.get_kerberos_state())
             machine_samdb = SamDB(url="ldap://%s" % ctx.server,
                                   session_info=system_session(),
                                 credentials=creds, lp=ctx.lp)