source/utils/net_domain.c

   1 /*
   2    Samba Unix/Linux SMB client library
   3    net ads commands
   4    Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
   5    Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)
   6    Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
   7    Copyright (C) 2006 Gerald (Jerry) Carter (jerry@samba.org)
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 2 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22 */
  23
  24 #include "includes.h"
  25 #include "utils/net.h"
  26
  27 /* Macro for checking RPC error codes to make things more readable */
  28
  29 #define CHECK_RPC_ERR(rpc, msg) \
  30         if (!NT_STATUS_IS_OK(result = rpc)) { \
  31                 DEBUG(0, (msg ": %s\n", nt_errstr(result))); \
  32                 goto done; \
  33         }
  34
  35 #define CHECK_RPC_ERR_DEBUG(rpc, debug_args) \
  36         if (!NT_STATUS_IS_OK(result = rpc)) { \
  37                 DEBUG(0, debug_args); \
  38                 goto done; \
  39         }
  40
  41 /*******************************************************************
  42  Leave an AD domain.  Windows XP disables the machine account.
  43  We'll try the same.  The old code would do an LDAP delete.
  44  That only worked using the machine creds because added the machine
  45  with full control to the computer object's ACL.
  46 *******************************************************************/
  47
  48 NTSTATUS netdom_leave_domain( TALLOC_CTX *mem_ctx, struct cli_state *cli,
  49                          DOM_SID *dom_sid )
  50 {
  51         struct rpc_pipe_client *pipe_hnd = NULL;
  52         POLICY_HND sam_pol, domain_pol, user_pol;
  53         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
  54         char *acct_name;
  55         uint32 flags = 0x3e8;
  56         const char *const_acct_name;
  57         uint32 user_rid;
  58         uint32 num_rids, *name_types, *user_rids;
  59         SAM_USERINFO_CTR ctr, *qctr = NULL;
  60         SAM_USER_INFO_16 p16;
  61
  62         /* Open the domain */
  63
  64         if ( (pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &status)) == NULL ) {
  65                 DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n",
  66                         nt_errstr(status) ));
  67                 return status;
  68         }
  69
  70         status = rpccli_samr_connect(pipe_hnd, mem_ctx,
  71                         SEC_RIGHTS_MAXIMUM_ALLOWED, &sam_pol);
  72         if ( !NT_STATUS_IS_OK(status) )
  73                 return status;
  74
  75
  76         status = rpccli_samr_open_domain(pipe_hnd, mem_ctx, &sam_pol,
  77                         SEC_RIGHTS_MAXIMUM_ALLOWED, dom_sid, &domain_pol);
  78         if ( !NT_STATUS_IS_OK(status) )
  79                 return status;
  80
  81         /* Create domain user */
  82
  83         acct_name = talloc_asprintf(mem_ctx, "%s$", global_myname());
  84         strlower_m(acct_name);
  85         const_acct_name = acct_name;
  86
  87         status = rpccli_samr_lookup_names(pipe_hnd, mem_ctx,
  88                         &domain_pol, flags, 1, &const_acct_name,
  89                         &num_rids, &user_rids, &name_types);
  90         if ( !NT_STATUS_IS_OK(status) )
  91                 return status;
  92
  93         if ( name_types[0] != SID_NAME_USER) {
  94                 DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name, name_types[0]));
  95                 return NT_STATUS_INVALID_WORKSTATION;
  96         }
  97
  98         user_rid = user_rids[0];
  99
 100         /* Open handle on user */
 101
 102         status = rpccli_samr_open_user(pipe_hnd, mem_ctx, &domain_pol,
 103                         SEC_RIGHTS_MAXIMUM_ALLOWED, user_rid, &user_pol);
 104         if ( !NT_STATUS_IS_OK(status) ) {
 105                 goto done;
 106         }
 107
 108         /* Get user info */
 109
 110         status = rpccli_samr_query_userinfo(pipe_hnd, mem_ctx, &user_pol, 16, &qctr);
 111         if ( !NT_STATUS_IS_OK(status) ) {
 112                 rpccli_samr_close(pipe_hnd, mem_ctx, &user_pol);
 113                 goto done;
 114         }
 115
 116         /* now disable and setuser info */
 117
 118         ZERO_STRUCT(ctr);
 119         ctr.switch_value = 16;
 120         ctr.info.id16 = &p16;
 121
 122         p16.acb_info = qctr->info.id16->acb_info | ACB_DISABLED;
 123
 124         status = rpccli_samr_set_userinfo2(pipe_hnd, mem_ctx, &user_pol, 16,
 125                                         &cli->user_session_key, &ctr);
 126
 127         rpccli_samr_close(pipe_hnd, mem_ctx, &user_pol);
 128
 129 done:
 130         rpccli_samr_close(pipe_hnd, mem_ctx, &domain_pol);
 131         rpccli_samr_close(pipe_hnd, mem_ctx, &sam_pol);
 132
 133         cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */
 134
 135         return status;
 136 }
 137
 138 /*******************************************************************
 139  Store the machine password and domain SID
 140  ********************************************************************/
 141
 142 int netdom_store_machine_account( const char *domain, DOM_SID *sid, const char *pw )
 143 {
 144         if (!secrets_store_domain_sid(domain, sid)) {
 145                 DEBUG(1,("Failed to save domain sid\n"));
 146                 return -1;
 147         }
 148
 149         if (!secrets_store_machine_password(pw, domain, SEC_CHAN_WKSTA)) {
 150                 DEBUG(1,("Failed to save machine password\n"));
 151                 return -1;
 152         }
 153
 154         return 0;
 155 }
 156
 157 /*******************************************************************
 158  ********************************************************************/
 159
 160 NTSTATUS netdom_get_domain_sid( TALLOC_CTX *mem_ctx, struct cli_state *cli,
 161                                 char **domain, DOM_SID **sid )
 162 {
 163         struct rpc_pipe_client *pipe_hnd = NULL;
 164         POLICY_HND lsa_pol;
 165         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
 166
 167         if ( (pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &status)) == NULL ) {
 168                 DEBUG(0, ("Error connecting to LSA pipe. Error was %s\n",
 169                         nt_errstr(status) ));
 170                 return status;
 171         }
 172
 173         status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True,
 174                         SEC_RIGHTS_MAXIMUM_ALLOWED, &lsa_pol);
 175         if ( !NT_STATUS_IS_OK(status) )
 176                 return status;
 177
 178         status = rpccli_lsa_query_info_policy(pipe_hnd, mem_ctx,
 179                         &lsa_pol, 5, domain, sid);
 180         if ( !NT_STATUS_IS_OK(status) )
 181                 return status;
 182
 183         rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol);
 184         cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */
 185
 186         /* Bail out if domain didn't get set. */
 187         if (!domain) {
 188                 DEBUG(0, ("Could not get domain name.\n"));
 189                 return NT_STATUS_UNSUCCESSFUL;
 190         }
 191
 192         return NT_STATUS_OK;
 193 }
 194
 195 /*******************************************************************
 196  Do the domain join
 197  ********************************************************************/
 198
 199 NTSTATUS netdom_join_domain( TALLOC_CTX *mem_ctx, struct cli_state *cli,
 200                            DOM_SID *dom_sid, const char *clear_pw,
 201                            enum netdom_domain_t dom_type )
 202 {
 203         struct rpc_pipe_client *pipe_hnd = NULL;
 204         POLICY_HND sam_pol, domain_pol, user_pol;
 205         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
 206         char *acct_name;
 207         const char *const_acct_name;
 208         uint32 user_rid;
 209         uint32 num_rids, *name_types, *user_rids;
 210         uint32 flags = 0x3e8;
 211         uint32 acb_info = ACB_WSTRUST;
 212         uint32 fields_present;
 213         uchar pwbuf[532];
 214         SAM_USERINFO_CTR ctr;
 215         SAM_USER_INFO_25 p25;
 216         const int infolevel = 25;
 217         struct MD5Context md5ctx;
 218         uchar md5buffer[16];
 219         DATA_BLOB digested_session_key;
 220         uchar md4_trust_password[16];
 221
 222         /* Open the domain */
 223
 224         if ( (pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &status)) == NULL ) {
 225                 DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n",
 226                         nt_errstr(status) ));
 227                 return status;
 228         }
 229
 230         status = rpccli_samr_connect(pipe_hnd, mem_ctx,
 231                         SEC_RIGHTS_MAXIMUM_ALLOWED, &sam_pol);
 232         if ( !NT_STATUS_IS_OK(status) )
 233                 return status;
 234
 235
 236         status = rpccli_samr_open_domain(pipe_hnd, mem_ctx, &sam_pol,
 237                         SEC_RIGHTS_MAXIMUM_ALLOWED, dom_sid, &domain_pol);
 238         if ( !NT_STATUS_IS_OK(status) )
 239                 return status;
 240
 241         /* Create domain user */
 242
 243         acct_name = talloc_asprintf(mem_ctx, "%s$", global_myname());
 244         strlower_m(acct_name);
 245         const_acct_name = acct_name;
 246
 247         /* Don't try to set any acb_info flags other than ACB_WSTRUST */
 248
 249         status = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol,
 250                         acct_name, acb_info, 0xe005000b, &user_pol, &user_rid);
 251
 252         if ( !NT_STATUS_IS_OK(status)
 253                 && !NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS))
 254         {
 255                 d_fprintf(stderr, "Creation of workstation account failed\n");
 256
 257                 /* If NT_STATUS_ACCESS_DENIED then we have a valid
 258                    username/password combo but the user does not have
 259                    administrator access. */
 260
 261                 if (NT_STATUS_V(status) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED))
 262                         d_fprintf(stderr, "User specified does not have administrator privileges\n");
 263
 264                 return status;
 265         }
 266
 267         /* We *must* do this.... don't ask... */
 268
 269         if (NT_STATUS_IS_OK(status)) {
 270                 rpccli_samr_close(pipe_hnd, mem_ctx, &user_pol);
 271         }
 272
 273         status = rpccli_samr_lookup_names(pipe_hnd, mem_ctx,
 274                         &domain_pol, flags, 1, &const_acct_name,
 275                         &num_rids, &user_rids, &name_types);
 276         if ( !NT_STATUS_IS_OK(status) )
 277                 return status;
 278
 279         if ( name_types[0] != SID_NAME_USER) {
 280                 DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name, name_types[0]));
 281                 return NT_STATUS_INVALID_WORKSTATION;
 282         }
 283
 284         user_rid = user_rids[0];
 285
 286         /* Open handle on user */
 287
 288         status = rpccli_samr_open_user(pipe_hnd, mem_ctx, &domain_pol,
 289                         SEC_RIGHTS_MAXIMUM_ALLOWED, user_rid, &user_pol);
 290         if (!NT_STATUS_IS_OK(status)) {
 291                 return status;
 292         }
 293
 294         /* Create a random machine account password and generate the hash */
 295
 296         E_md4hash(clear_pw, md4_trust_password);
 297         encode_pw_buffer(pwbuf, clear_pw, STR_UNICODE);
 298
 299         generate_random_buffer((uint8*)md5buffer, sizeof(md5buffer));
 300         digested_session_key = data_blob_talloc(mem_ctx, 0, 16);
 301
 302         MD5Init(&md5ctx);
 303         MD5Update(&md5ctx, md5buffer, sizeof(md5buffer));
 304         MD5Update(&md5ctx, cli->user_session_key.data, cli->user_session_key.length);
 305         MD5Final(digested_session_key.data, &md5ctx);
 306
 307         SamOEMhashBlob(pwbuf, sizeof(pwbuf), &digested_session_key);
 308         memcpy(&pwbuf[516], md5buffer, sizeof(md5buffer));
 309
 310         /* Fill in the additional account flags now */
 311
 312         acb_info |= ACB_PWNOEXP;
 313         if ( dom_type == ND_TYPE_AD ) {
 314 #if !defined(ENCTYPE_ARCFOUR_HMAC)
 315                 acb_info |= ACB_USE_DES_KEY_ONLY;
 316 #endif
 317                 ;;
 318         }
 319
 320         /* Set password and account flags on machine account */
 321
 322         ZERO_STRUCT(ctr);
 323         ZERO_STRUCT(p25);
 324
 325         fields_present = ACCT_NT_PWD_SET | ACCT_LM_PWD_SET | ACCT_FLAGS;
 326         init_sam_user_info25P(&p25, fields_present, acb_info, (char *)pwbuf);
 327
 328         ctr.switch_value = infolevel;
 329         ctr.info.id25    = &p25;
 330
 331         status = rpccli_samr_set_userinfo2(pipe_hnd, mem_ctx, &user_pol,
 332                                            infolevel, &cli->user_session_key, &ctr);
 333
 334         if ( !NT_STATUS_IS_OK(status) ) {
 335                 d_fprintf( stderr, "Failed to set password for machine account (%s)\n",
 336                         nt_errstr(status));
 337                 return status;
 338         }
 339
 340         rpccli_samr_close(pipe_hnd, mem_ctx, &user_pol);
 341         cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */
 342
 343         return status;
 344 }
 345