samba.git/source3/utils/net.c, branch master Unnamed repository; edit this file 'description' to name the repository. s3:utils: 'net ads kerberos kinit' should use also default ccache name from krb5.conf 2026-02-05T19:59:36+00:00 Pavel Filipenský pfilipensky@samba.org 2026-02-03T11:53:10+00:00 4cc6a13590434f6a3aa1add663728188970d727e This is re-introducing the behavior from samba-4.20 where both these commands operated on the same ccache (default_ccache_name in [libdefaults] section of krb5.conf) 'net ads kerberos kinit -P' 'klist' With samba-4.21 it no longer works, 'net ads kerberos kinit -P' fallbacks to 'MEMORY:net' (which is of a very limited use, ticket cannot be used by other process) and klist finds no ticket. The order is changed from: --use-krb5-ccache env "KRB5CCNAME" "MEMORY:net" to ("MEMORY:net" is removed): --use-krb5-ccache env "KRB5CCNAME" default_ccache_name '--use-krb5-ccache=MEMORY:net' can be used to validate the credentials. Use smb_force_krb5_cc_default_name() instead of krb5_cc_default_name() because of commit: 1ca6fb5 make sure krb5_cc_default[_name]() is no longer used directly Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
This is re-introducing the behavior from samba-4.20 where both these
commands operated on the same ccache (default_ccache_name in
[libdefaults] section of krb5.conf)

 'net ads kerberos kinit -P'
 'klist'

 With samba-4.21 it no longer works, 'net ads kerberos kinit -P'
 fallbacks to 'MEMORY:net' (which is of a very limited use, ticket
 cannot be used by other process) and klist finds no ticket.

 The order is changed from:

    --use-krb5-ccache
    env "KRB5CCNAME"
    "MEMORY:net"

to ("MEMORY:net" is removed):

    --use-krb5-ccache
    env "KRB5CCNAME"
    default_ccache_name

'--use-krb5-ccache=MEMORY:net' can be used to validate the credentials.

Use smb_force_krb5_cc_default_name() instead of krb5_cc_default_name()
because of commit:
1ca6fb5 make sure krb5_cc_default[_name]() is no longer used directly

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 s3-net: properly setup krb5 ccache name via --use-krb5-ccache 2026-01-05T14:35:43+00:00 Günther Deschner gd@samba.org 2025-12-02T15:56:44+00:00 ca70b7433ad7a661f4795764e34c183d19a76cca BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840 Guenther Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
s3:net: Pass down the server from cmdline to sync_pw2keytabs() 2025-09-05T13:38:33+00:00 Andreas Schneider asn@samba.org 2025-07-28T08:43:36+00:00 5d1d3a8b568b5a07ed1ed537d20aa93820cecc14 This makes sure that during 'net ads join' the keytab create code - sync_pw2keytabs() talks to the same DC at what the machine account was created. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15905 Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Pair-Programmed-With: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org> Autobuild-Date(master): Fri Sep 5 13:38:33 UTC 2025 on atb-devel-224 
This makes sure that during 'net ads join' the keytab create code
- sync_pw2keytabs() talks to the same DC at what the machine account
was created.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15905

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Pair-Programmed-With: Pavel Filipenský <pfilipensky@samba.org>

Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Fri Sep  5 13:38:33 UTC 2025 on atb-devel-224
s3-net: fix "net ads kerberos" krb5ccname handling 2025-07-24T17:31:14+00:00 Günther Deschner gd@samba.org 2025-07-20T16:00:22+00:00 8a97afdae788e8d10a51035f8b287dc00293f90d We can only rely on KRB5CCNAME being set, --use-krb5-ccname content is not available. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840 Guenther Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Günther Deschner <gd@samba.org> Autobuild-Date(master): Thu Jul 24 17:31:14 UTC 2025 on atb-devel-224 
We can only rely on KRB5CCNAME being set, --use-krb5-ccname content is
not available.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Jul 24 17:31:14 UTC 2025 on atb-devel-224
sync machine password to keytab: handle FreeIPA use case 2024-09-13T13:16:09+00:00 Alexander Bokovoy ab@samba.org 2024-09-03T05:48:24+00:00 4f577c7b6894132be4842944f2f950b087312b16 FreeIPA uses own procedure to retrieve keytabs and during the setup of Samba on FreeIPA client the keytab is already present, only machine account needs to be set in the secrets database. 'sync machine password to keytab' option handling broke this use case by always attempting to contact a domain controller and failing to do so (Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=2309199). The original synchronizing machine account password to keytab feature did not have a mechanism to disable its logic at all. Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> Autobuild-User(master): Alexander Bokovoy <ab@samba.org> Autobuild-Date(master): Fri Sep 13 13:16:09 UTC 2024 on atb-devel-224 
FreeIPA uses own procedure to retrieve keytabs and during the setup of
Samba on FreeIPA client the keytab is already present, only machine
account needs to be set in the secrets database.

'sync machine password to keytab' option handling broke this use case by
always attempting to contact a domain controller and failing to do so
(Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=2309199).

The original synchronizing machine account password to keytab feature
did not have a mechanism to disable its logic at all.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Fri Sep 13 13:16:09 UTC 2024 on atb-devel-224
s3: Sync machine account password in secrets_{prepare,finish}_password_change 2024-07-26T17:12:36+00:00 Pavel Filipenský pfilipensky@samba.org 2023-12-21T12:57:38+00:00 683f6eec40f2efbb122329800ebb2f5d2f518746 BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750 Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 lib: Use cli_credentials_add_gensec_features in a few places 2024-06-04T07:11:35+00:00 Volker Lendecke vl@samba.org 2024-05-28T10:38:18+00:00 df30ec83c961d8333d76ed13aa1944a2e93f9050 Capture a common pattern Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Capture a common pattern

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s3:net: finally remove net_context->opt_{user_specified,user_name,password} 2024-05-14T10:18:31+00:00 Stefan Metzmacher metze@samba.org 2024-03-07T13:56:45+00:00 25806314daef8d2958b63bc429c9973c2755a865 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
s3:net: remove unused net_context->smb_encrypt 2024-05-14T10:18:31+00:00 Stefan Metzmacher metze@samba.org 2024-03-07T12:50:39+00:00 a1ab1c8620c907a6cced8d1d1cd9686746b59717 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
s3:net: remove unused net_context->opt_kerberos 2024-05-14T10:18:31+00:00 Stefan Metzmacher metze@samba.org 2024-03-07T12:44:53+00:00 9620d2ecc188799798fbef31b6934b861f3bbe33 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>