samba/backport-0005-CVE-2022-38023.patch

From 140007bfe1795e5bc5bca43238b6be03e0693f9e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 29 Mar 2021 13:16:28 +0200
Subject: [PATCH] s3:utils: The 'net ads keytab' commands should use machine
 credentials
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If the user doesn't specify a username/password on the command line, we
should use the machine credentials to connect to AD. This is how it is
used by default and we should be able to retrieve SPNs.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph B枚hme <slow@samba.org>
Autobuild-Date(master): Tue Mar 30 06:48:18 UTC 2021 on sn-devel-184

Conflict: NA
Reference: https://gitlab.com/samba-team/samba/-/commit/140007bfe1795e5bc5bca43238b6be03e0693f9e.patch
---
 source3/utils/net_ads.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 19ac9e4..651531d 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2968,6 +2968,10 @@ static int net_ads_keytab_flush(struct net_context *c, int argc, const char **ar
 		return 0;
 	}
 
+	if (!c->opt_user_specified && c->opt_password == NULL) {
+		net_use_krb_machine_account(c);
+	}
+
 	if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
 		return -1;
 	}
@@ -2996,6 +3000,11 @@ static int net_ads_keytab_add(struct net_context *c,
 	}
 
 	d_printf(_("Processing principals to add...\n"));
+
+	if (!c->opt_user_specified && c->opt_password == NULL) {
+		net_use_krb_machine_account(c);
+	}
+
 	if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
 		return -1;
 	}
@@ -3034,6 +3043,10 @@ static int net_ads_keytab_create(struct net_context *c, int argc, const char **a
 		return 0;
 	}
 
+	if (!c->opt_user_specified && c->opt_password == NULL) {
+		net_use_krb_machine_account(c);
+	}
+
 	if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
 		return -1;
 	}
-- 
2.27.0