From 13c528e6ce9011e8363c5f954ac45f993d68d452 Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power@suse.com>
Date: Mon, 30 Sep 2024 12:43:43 +0100
Subject: [PATCH] s3/utils: Adjust 'net' testjoin to fail early if no machine
 password

4.21 has introduced a regression where testjoin succeeds even after
a successful invocation of 'net ads leave'.

Previously, even though krb credentials fell back to Anonymous, the
credentials used in struct net_context were used instead (and failed)
because the machine account password was not available.

This fix avoids calling ads_startup if we detect Anonymous credentials
fallback (meaning we didn't manage to find the machine account password)
and returns the same error as before.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15728
Signed-off-by: Noel Power <noel.power@suse.com>
---
 source3/utils/net_ads.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 0e5da492faf2..975a26d8a974 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -1562,6 +1562,15 @@ static ADS_STATUS net_ads_join_ok(struct net_context *c)
 		return ADS_ERROR_NT(NT_STATUS_ACCESS_DENIED);
 	}
 
+	if (cli_credentials_is_anonymous(c->creds)) {
+		/*
+		 * anonymous is the fallback for when we can't get a machine
+		 * account password so just fail here
+		 */
+		status = ADS_ERROR(LDAP_NO_MEMORY);
+		goto out;
+	}
+
 	get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip);
 
 	status = ads_startup(c, true, tmp_ctx, &ads);
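Review bot: The status set in the new anonymous-credentials branch, ADS_ERROR(LDAP_NO_MEMORY), reads as a wrong error code to anyone who sees only this function, because nothing here is an allocation failure. The commit message says the aim is to return the same error as before, so please say that in the code comment (that LDAP_NO_MEMORY is kept on purpose to preserve the pre-4.21 testjoin result), or switch to a status that describes the missing machine password, in the style of the ADS_ERROR_NT(NT_STATUS_ACCESS_DENIED) return just above. The diffstat also shows only net_ads.c changing; a regression test that runs testjoin after 'net ads leave' and expects failure would keep a later credentials refactor from silently reporting a left machine as still joined.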
-- 
GitLab