}
/****************************************************************************
- Use the local machine's password for this session.
+ Use the local machine account (upn) and password for this session.
****************************************************************************/
-int net_use_machine_password(void)
+int net_use_upn_machine_account(void)
{
char *user_name = NULL;
exit(1);
}
- user_name = NULL;
opt_password = secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL);
if (asprintf(&user_name, "%s$@%s", global_myname(), lp_realm()) == -1) {
return -1;
return 0;
}
+/****************************************************************************
+ Use the machine account name and password for this session.
+****************************************************************************/
+
+int net_use_machine_account(void)
+{
+ char *user_name = NULL;
+
+ if (!secrets_init()) {
+ d_fprintf(stderr, "ERROR: Unable to open secrets database\n");
+ exit(1);
+ }
+
+ opt_password = secrets_fetch_machine_password(opt_target_workgroup, NULL, NULL);
+ if (asprintf(&user_name, "%s$", global_myname()) == -1) {
+ return -1;
+ }
+ opt_user_name = user_name;
+ return 0;
+}
+
BOOL net_find_server(const char *domain, unsigned flags, struct in_addr *server_ip, char **server_name)
{
const char *d = domain ? domain : opt_target_workgroup;
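Review bot: In the new `net_use_machine_account()`, the result of `secrets_fetch_machine_password()` is stored in `opt_password` without a NULL check, so the function can return 0 with a user name set and no password. Which credentials a later connection then uses is decided outside this hunk. I would fail closed right after the fetch with `if (opt_password == NULL) { return -1; }`, and do the same in `net_use_upn_machine_account()`, which has the same fetch-then-asprintf shape. On the `asprintf` failure path the function returns -1 after `opt_password` has already been overwritten, so the globals are left half-updated; building `user_name` first and assigning both globals only on success avoids that. The header comment should also say that the function replaces the global `opt_user_name` and `opt_password` for the rest of the process.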
/* it is very useful to be able to make ads queries as the
machine account for testing purposes and for domain leave */
- net_use_machine_password();
+ net_use_upn_machine_account();
}
if (!opt_password) {
return NT_STATUS_ACCESS_DENIED;
}
- net_use_machine_password();
+ net_use_upn_machine_account();
status = ads_startup(True, &ads);
if (!ADS_ERR_OK(status)) {
return -1;
}
- net_use_machine_password();
+ net_use_upn_machine_account();
use_in_memory_ccache();
**/
int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip )
{
+ enum security_types sec;
+ unsigned int conn_flags = NET_FLAGS_PDC;
uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
struct cli_state *cli = NULL;
struct rpc_pipe_client *pipe_hnd = NULL;
struct rpc_pipe_client *netlogon_pipe = NULL;
NTSTATUS ntret = NT_STATUS_UNSUCCESSFUL;
+ sec = (enum security_types)lp_security();
+
+ if (sec == SEC_ADS) {
+ /* Connect to IPC$ using machine account's credentials. We don't use anonymous
+ connection here, as it may be denied by server's local policy. */
+ net_use_machine_account();
+
+ } else {
+ /* some servers (e.g. WinNT) don't accept machine-authenticated
+ smb connections */
+ conn_flags |= NET_FLAGS_ANONYMOUS;
+ }
+
/* Connect to remote machine */
- if (!(cli = net_make_ipc_connection_ex(domain, server, ip, (NET_FLAGS_ANONYMOUS|NET_FLAGS_PDC)))) {
+ if (!(cli = net_make_ipc_connection_ex(domain, server, ip, conn_flags))) {
return -1;
}
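Review bot: The return value of `net_use_machine_account()` is discarded in the `SEC_ADS` branch, so a failed name allocation (or, as far as the page shows, a missing machine password) still reaches `net_make_ipc_connection_ex()` with `conn_flags` lacking `NET_FLAGS_ANONYMOUS` and whatever is in the credential globals at that point. I would stop there with `if (net_use_machine_account() != 0 || opt_password == NULL) { return -1; }`, or state in the comment that falling through is intended. The call also replaces any `opt_user_name`/`opt_password` the operator supplied. If `net_rpc_join_ok()` can run in the middle of a command that still needs those credentials (not visible here), that side effect deserves a comment or a save and restore. As a style point, `sec` is read once, so `if (lp_security() == SEC_ADS)` would drop the local and the cast. The function body continues outside the hunk.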