search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:torture/smb2: add smb2.notify.session-reconnect test
[Samba.git] / source3 / libnet / libnet_join.c
blob9a34e9423d325981c3f5f2ea46522e9f37903f72
1 /*
2 * Unix SMB/CIFS implementation.
3 * libnet Join Support
4 * Copyright (C) Gerald (Jerry) Carter 2006
5 * Copyright (C) Guenther Deschner 2007-2008
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "ads.h"
23 #include "librpc/gen_ndr/ndr_libnet_join.h"
24 #include "libnet/libnet_join.h"
25 #include "libcli/auth/libcli_auth.h"
26 #include "../librpc/gen_ndr/ndr_samr_c.h"
27 #include "rpc_client/init_samr.h"
28 #include "../librpc/gen_ndr/ndr_lsa_c.h"
29 #include "rpc_client/cli_lsarpc.h"
30 #include "../librpc/gen_ndr/ndr_netlogon.h"
31 #include "rpc_client/cli_netlogon.h"
32 #include "lib/smbconf/smbconf.h"
33 #include "lib/smbconf/smbconf_reg.h"
34 #include "../libds/common/flags.h"
35 #include "secrets.h"
36 #include "rpc_client/init_lsa.h"
37 #include "rpc_client/cli_pipe.h"
38 #include "../libcli/security/security.h"
39 #include "passdb.h"
40 #include "libsmb/libsmb.h"
41 #include "../libcli/smb/smbXcli_base.h"
42 #include "lib/param/loadparm.h"
43
44 /****************************************************************
45 ****************************************************************/
46
47 #define LIBNET_JOIN_DUMP_CTX(ctx, r, f) \
48 do { \
49 char *str = NULL; \
50 str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_JoinCtx, f, r); \
51 DEBUG(1,("libnet_Join:\n%s", str)); \
52 TALLOC_FREE(str); \
53 } while (0)
54
55 #define LIBNET_JOIN_IN_DUMP_CTX(ctx, r) \
56 LIBNET_JOIN_DUMP_CTX(ctx, r, NDR_IN | NDR_SET_VALUES)
57 #define LIBNET_JOIN_OUT_DUMP_CTX(ctx, r) \
58 LIBNET_JOIN_DUMP_CTX(ctx, r, NDR_OUT)
59
60 #define LIBNET_UNJOIN_DUMP_CTX(ctx, r, f) \
61 do { \
62 char *str = NULL; \
63 str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_UnjoinCtx, f, r); \
64 DEBUG(1,("libnet_Unjoin:\n%s", str)); \
65 TALLOC_FREE(str); \
66 } while (0)
67
68 #define LIBNET_UNJOIN_IN_DUMP_CTX(ctx, r) \
69 LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_IN | NDR_SET_VALUES)
70 #define LIBNET_UNJOIN_OUT_DUMP_CTX(ctx, r) \
71 LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_OUT)
72
73 /****************************************************************
74 ****************************************************************/
75
76 static void libnet_join_set_error_string(TALLOC_CTX *mem_ctx,
77 struct libnet_JoinCtx *r,
78 const char *format, ...)
79 {
80 va_list args;
81
82 if (r->out.error_string) {
83 return;
84 }
85
86 va_start(args, format);
87 r->out.error_string = talloc_vasprintf(mem_ctx, format, args);
88 va_end(args);
89 }
90
91 /****************************************************************
92 ****************************************************************/
93
94 static void libnet_unjoin_set_error_string(TALLOC_CTX *mem_ctx,
95 struct libnet_UnjoinCtx *r,
96 const char *format, ...)
97 {
98 va_list args;
99
100 if (r->out.error_string) {
101 return;
102 }
103
104 va_start(args, format);
105 r->out.error_string = talloc_vasprintf(mem_ctx, format, args);
106 va_end(args);
107 }
108
109 #ifdef HAVE_ADS
110
111 /****************************************************************
112 ****************************************************************/
113
114 static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
115 const char *netbios_domain_name,
116 const char *dc_name,
117 const char *user_name,
118 const char *password,
119 ADS_STRUCT **ads)
120 {
121 ADS_STATUS status;
122 ADS_STRUCT *my_ads = NULL;
123 char *cp;
124
125 my_ads = ads_init(dns_domain_name,
126 netbios_domain_name,
127 dc_name);
128 if (!my_ads) {
129 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
130 }
131
132 if (user_name) {
133 SAFE_FREE(my_ads->auth.user_name);
134 my_ads->auth.user_name = SMB_STRDUP(user_name);
135 if ((cp = strchr_m(my_ads->auth.user_name, '@'))!=0) {
136 *cp++ = '\0';
137 SAFE_FREE(my_ads->auth.realm);
138 my_ads->auth.realm = smb_xstrdup(cp);
139 if (!strupper_m(my_ads->auth.realm)) {
140 ads_destroy(&my_ads);
141 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
142 }
143 }
144 }
145
146 if (password) {
147 SAFE_FREE(my_ads->auth.password);
148 my_ads->auth.password = SMB_STRDUP(password);
149 }
150
151 status = ads_connect_user_creds(my_ads);
152 if (!ADS_ERR_OK(status)) {
153 ads_destroy(&my_ads);
154 return status;
155 }
156
157 *ads = my_ads;
158 return ADS_SUCCESS;
159 }
160
161 /****************************************************************
162 ****************************************************************/
163
164 static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
165 struct libnet_JoinCtx *r)
166 {
167 ADS_STATUS status;
168
169 status = libnet_connect_ads(r->out.dns_domain_name,
170 r->out.netbios_domain_name,
171 r->in.dc_name,
172 r->in.admin_account,
173 r->in.admin_password,
174 &r->in.ads);
175 if (!ADS_ERR_OK(status)) {
176 libnet_join_set_error_string(mem_ctx, r,
177 "failed to connect to AD: %s",
178 ads_errstr(status));
179 return status;
180 }
181
182 if (!r->out.netbios_domain_name) {
183 r->out.netbios_domain_name = talloc_strdup(mem_ctx,
184 r->in.ads->server.workgroup);
185 ADS_ERROR_HAVE_NO_MEMORY(r->out.netbios_domain_name);
186 }
187
188 if (!r->out.dns_domain_name) {
189 r->out.dns_domain_name = talloc_strdup(mem_ctx,
190 r->in.ads->config.realm);
191 ADS_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name);
192 }
193
194 r->out.domain_is_ad = true;
195
196 return ADS_SUCCESS;
197 }
198
199 /****************************************************************
200 ****************************************************************/
201
202 static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx,
203 struct libnet_UnjoinCtx *r)
204 {
205 ADS_STATUS status;
206
207 status = libnet_connect_ads(r->in.domain_name,
208 r->in.domain_name,
209 r->in.dc_name,
210 r->in.admin_account,
211 r->in.admin_password,
212 &r->in.ads);
213 if (!ADS_ERR_OK(status)) {
214 libnet_unjoin_set_error_string(mem_ctx, r,
215 "failed to connect to AD: %s",
216 ads_errstr(status));
217 }
218
219 return status;
220 }
221
222 /****************************************************************
223 join a domain using ADS (LDAP mods)
224 ****************************************************************/
225
226 static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx,
227 struct libnet_JoinCtx *r)
228 {
229 ADS_STATUS status;
230 LDAPMessage *res = NULL;
231 const char *attrs[] = { "dn", NULL };
232 bool moved = false;
233
234 status = ads_check_ou_dn(mem_ctx, r->in.ads, &r->in.account_ou);
235 if (!ADS_ERR_OK(status)) {
236 return status;
237 }
238
239 status = ads_search_dn(r->in.ads, &res, r->in.account_ou, attrs);
240 if (!ADS_ERR_OK(status)) {
241 return status;
242 }
243
244 if (ads_count_replies(r->in.ads, res) != 1) {
245 ads_msgfree(r->in.ads, res);
246 return ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT);
247 }
248
249 ads_msgfree(r->in.ads, res);
250
251 /* Attempt to create the machine account and bail if this fails.
252 Assume that the admin wants exactly what they requested */
253
254 status = ads_create_machine_acct(r->in.ads,
255 r->in.machine_name,
256 r->in.account_ou);
257
258 if (ADS_ERR_OK(status)) {
259 DEBUG(1,("machine account creation created\n"));
260 return status;
261 } else if ((status.error_type == ENUM_ADS_ERROR_LDAP) &&
262 (status.err.rc == LDAP_ALREADY_EXISTS)) {
263 status = ADS_SUCCESS;
264 }
265
266 if (!ADS_ERR_OK(status)) {
267 DEBUG(1,("machine account creation failed\n"));
268 return status;
269 }
270
271 status = ads_move_machine_acct(r->in.ads,
272 r->in.machine_name,
273 r->in.account_ou,
274 &moved);
275 if (!ADS_ERR_OK(status)) {
276 DEBUG(1,("failure to locate/move pre-existing "
277 "machine account\n"));
278 return status;
279 }
280
281 DEBUG(1,("The machine account %s the specified OU.\n",
282 moved ? "was moved into" : "already exists in"));
283
284 return status;
285 }
286
287 /****************************************************************
288 ****************************************************************/
289
290 static ADS_STATUS libnet_unjoin_remove_machine_acct(TALLOC_CTX *mem_ctx,
291 struct libnet_UnjoinCtx *r)
292 {
293 ADS_STATUS status;
294
295 if (!r->in.ads) {
296 status = libnet_unjoin_connect_ads(mem_ctx, r);
297 if (!ADS_ERR_OK(status)) {
298 libnet_unjoin_set_error_string(mem_ctx, r,
299 "failed to connect to AD: %s",
300 ads_errstr(status));
301 return status;
302 }
303 }
304
305 status = ads_leave_realm(r->in.ads, r->in.machine_name);
306 if (!ADS_ERR_OK(status)) {
307 libnet_unjoin_set_error_string(mem_ctx, r,
308 "failed to leave realm: %s",
309 ads_errstr(status));
310 return status;
311 }
312
313 return ADS_SUCCESS;
314 }
315
316 /****************************************************************
317 ****************************************************************/
318
319 static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx,
320 struct libnet_JoinCtx *r)
321 {
322 ADS_STATUS status;
323 LDAPMessage *res = NULL;
324 char *dn = NULL;
325
326 if (!r->in.machine_name) {
327 return ADS_ERROR(LDAP_NO_MEMORY);
328 }
329
330 status = ads_find_machine_acct(r->in.ads,
331 &res,
332 r->in.machine_name);
333 if (!ADS_ERR_OK(status)) {
334 return status;
335 }
336
337 if (ads_count_replies(r->in.ads, res) != 1) {
338 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
339 goto done;
340 }
341
342 dn = ads_get_dn(r->in.ads, mem_ctx, res);
343 if (!dn) {
344 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
345 goto done;
346 }
347
348 r->out.dn = talloc_strdup(mem_ctx, dn);
349 if (!r->out.dn) {
350 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
351 goto done;
352 }
353
354 done:
355 ads_msgfree(r->in.ads, res);
356 TALLOC_FREE(dn);
357
358 return status;
359 }
360
361 static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx,
362 struct libnet_JoinCtx *r,
363 char ***spn_array,
364 size_t *num_spns)
365 {
366 ADS_STATUS status;
367
368 if (r->in.machine_name == NULL) {
369 return ADS_ERROR_SYSTEM(EINVAL);
370 }
371
372 status = ads_get_service_principal_names(mem_ctx,
373 r->in.ads,
374 r->in.machine_name,
375 spn_array,
376 num_spns);
377
378 return status;
379 }
380
381 /****************************************************************
382 Set a machines dNSHostName and servicePrincipalName attributes
383 ****************************************************************/
384
385 static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
386 struct libnet_JoinCtx *r)
387 {
388 ADS_STATUS status;
389 ADS_MODLIST mods;
390 fstring my_fqdn;
391 const char **spn_array = NULL;
392 size_t num_spns = 0;
393 char *spn = NULL;
394 bool ok;
395
396 /* Find our DN */
397
398 status = libnet_join_find_machine_acct(mem_ctx, r);
399 if (!ADS_ERR_OK(status)) {
400 return status;
401 }
402
403 status = libnet_join_get_machine_spns(mem_ctx,
404 r,
405 discard_const_p(char **, &spn_array),
406 &num_spns);
407 if (!ADS_ERR_OK(status)) {
408 DEBUG(5, ("Retrieving the servicePrincipalNames failed.\n"));
409 }
410
411 /* Windows only creates HOST/shortname & HOST/fqdn. */
412
413 spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
414 if (!spn) {
415 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
416 }
417 if (!strupper_m(spn)) {
418 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
419 }
420
421 ok = ads_element_in_array(spn_array, num_spns, spn);
422 if (!ok) {
423 ok = add_string_to_array(spn_array, spn,
424 &spn_array, &num_spns);
425 if (!ok) {
426 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
427 }
428 }
429
430 if (!name_to_fqdn(my_fqdn, r->in.machine_name)
431 || (strchr(my_fqdn, '.') == NULL)) {
432 fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name,
433 r->out.dns_domain_name);
434 }
435
436 if (!strlower_m(my_fqdn)) {
437 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
438 }
439
440 if (!strequal(my_fqdn, r->in.machine_name)) {
441 spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
442 if (!spn) {
443 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
444 }
445
446 ok = ads_element_in_array(spn_array, num_spns, spn);
447 if (!ok) {
448 ok = add_string_to_array(spn_array, spn,
449 &spn_array, &num_spns);
450 if (!ok) {
451 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
452 }
453 }
454 }
455
456 /* make sure to NULL terminate the array */
457 spn_array = talloc_realloc(mem_ctx, spn_array, const char *, num_spns + 1);
458 if (spn_array == NULL) {
459 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
460 }
461 spn_array[num_spns] = NULL;
462
463 mods = ads_init_mods(mem_ctx);
464 if (!mods) {
465 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
466 }
467
468 /* fields of primary importance */
469
470 status = ads_mod_str(mem_ctx, &mods, "dNSHostName", my_fqdn);
471 if (!ADS_ERR_OK(status)) {
472 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
473 }
474
475 status = ads_mod_strlist(mem_ctx, &mods, "servicePrincipalName",
476 spn_array);
477 if (!ADS_ERR_OK(status)) {
478 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
479 }
480
481 return ads_gen_mod(r->in.ads, r->out.dn, mods);
482 }
483
484 /****************************************************************
485 ****************************************************************/
486
487 static ADS_STATUS libnet_join_set_machine_upn(TALLOC_CTX *mem_ctx,
488 struct libnet_JoinCtx *r)
489 {
490 ADS_STATUS status;
491 ADS_MODLIST mods;
492
493 if (!r->in.create_upn) {
494 return ADS_SUCCESS;
495 }
496
497 /* Find our DN */
498
499 status = libnet_join_find_machine_acct(mem_ctx, r);
500 if (!ADS_ERR_OK(status)) {
501 return status;
502 }
503
504 if (!r->in.upn) {
505 const char *realm = r->out.dns_domain_name;
506
507 /* in case we are about to generate a keytab during the join
508 * make sure the default upn we create is usable with kinit -k.
509 * gd */
510
511 if (USE_KERBEROS_KEYTAB) {
512 realm = talloc_strdup_upper(mem_ctx,
513 r->out.dns_domain_name);
514 }
515
516 if (!realm) {
517 return ADS_ERROR(LDAP_NO_MEMORY);
518 }
519
520 r->in.upn = talloc_asprintf(mem_ctx,
521 "host/%s@%s",
522 r->in.machine_name,
523 realm);
524 if (!r->in.upn) {
525 return ADS_ERROR(LDAP_NO_MEMORY);
526 }
527 }
528
529 /* now do the mods */
530
531 mods = ads_init_mods(mem_ctx);
532 if (!mods) {
533 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
534 }
535
536 /* fields of primary importance */
537
538 status = ads_mod_str(mem_ctx, &mods, "userPrincipalName", r->in.upn);
539 if (!ADS_ERR_OK(status)) {
540 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
541 }
542
543 return ads_gen_mod(r->in.ads, r->out.dn, mods);
544 }
545
546
547 /****************************************************************
548 ****************************************************************/
549
550 static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
551 struct libnet_JoinCtx *r)
552 {
553 ADS_STATUS status;
554 ADS_MODLIST mods;
555 char *os_sp = NULL;
556
557 if (!r->in.os_name || !r->in.os_version ) {
558 return ADS_SUCCESS;
559 }
560
561 /* Find our DN */
562
563 status = libnet_join_find_machine_acct(mem_ctx, r);
564 if (!ADS_ERR_OK(status)) {
565 return status;
566 }
567
568 /* now do the mods */
569
570 mods = ads_init_mods(mem_ctx);
571 if (!mods) {
572 return ADS_ERROR(LDAP_NO_MEMORY);
573 }
574
575 os_sp = talloc_asprintf(mem_ctx, "Samba %s", samba_version_string());
576 if (!os_sp) {
577 return ADS_ERROR(LDAP_NO_MEMORY);
578 }
579
580 /* fields of primary importance */
581
582 status = ads_mod_str(mem_ctx, &mods, "operatingSystem",
583 r->in.os_name);
584 if (!ADS_ERR_OK(status)) {
585 return status;
586 }
587
588 status = ads_mod_str(mem_ctx, &mods, "operatingSystemVersion",
589 r->in.os_version);
590 if (!ADS_ERR_OK(status)) {
591 return status;
592 }
593
594 status = ads_mod_str(mem_ctx, &mods, "operatingSystemServicePack",
595 os_sp);
596 if (!ADS_ERR_OK(status)) {
597 return status;
598 }
599
600 return ads_gen_mod(r->in.ads, r->out.dn, mods);
601 }
602
603 /****************************************************************
604 ****************************************************************/
605
606 static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
607 struct libnet_JoinCtx *r)
608 {
609 if (!USE_SYSTEM_KEYTAB) {
610 return true;
611 }
612
613 if (ads_keytab_create_default(r->in.ads) != 0) {
614 return false;
615 }
616
617 return true;
618 }
619
620 /****************************************************************
621 ****************************************************************/
622
623 static bool libnet_join_derive_salting_principal(TALLOC_CTX *mem_ctx,
624 struct libnet_JoinCtx *r)
625 {
626 uint32_t domain_func;
627 ADS_STATUS status;
628 const char *salt = NULL;
629 char *std_salt = NULL;
630
631 status = ads_domain_func_level(r->in.ads, &domain_func);
632 if (!ADS_ERR_OK(status)) {
633 libnet_join_set_error_string(mem_ctx, r,
634 "failed to determine domain functional level: %s",
635 ads_errstr(status));
636 return false;
637 }
638
639 /* go ahead and setup the default salt */
640
641 std_salt = kerberos_standard_des_salt();
642 if (!std_salt) {
643 libnet_join_set_error_string(mem_ctx, r,
644 "failed to obtain standard DES salt");
645 return false;
646 }
647
648 salt = talloc_strdup(mem_ctx, std_salt);
649 if (!salt) {
650 return false;
651 }
652
653 SAFE_FREE(std_salt);
654
655 /* if it's a Windows functional domain, we have to look for the UPN */
656
657 if (domain_func == DS_DOMAIN_FUNCTION_2000) {
658 char *upn;
659
660 upn = ads_get_upn(r->in.ads, mem_ctx,
661 r->in.machine_name);
662 if (upn) {
663 salt = talloc_strdup(mem_ctx, upn);
664 if (!salt) {
665 return false;
666 }
667 }
668 }
669
670 return kerberos_secrets_store_des_salt(salt);
671 }
672
673 /****************************************************************
674 ****************************************************************/
675
676 static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
677 struct libnet_JoinCtx *r)
678 {
679 ADS_STATUS status;
680
681 if (!r->in.ads) {
682 status = libnet_join_connect_ads(mem_ctx, r);
683 if (!ADS_ERR_OK(status)) {
684 return status;
685 }
686 }
687
688 status = libnet_join_set_machine_spn(mem_ctx, r);
689 if (!ADS_ERR_OK(status)) {
690 libnet_join_set_error_string(mem_ctx, r,
691 "failed to set machine spn: %s",
692 ads_errstr(status));
693 return status;
694 }
695
696 status = libnet_join_set_os_attributes(mem_ctx, r);
697 if (!ADS_ERR_OK(status)) {
698 libnet_join_set_error_string(mem_ctx, r,
699 "failed to set machine os attributes: %s",
700 ads_errstr(status));
701 return status;
702 }
703
704 status = libnet_join_set_machine_upn(mem_ctx, r);
705 if (!ADS_ERR_OK(status)) {
706 libnet_join_set_error_string(mem_ctx, r,
707 "failed to set machine upn: %s",
708 ads_errstr(status));
709 return status;
710 }
711
712 if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
713 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
714 }
715
716 if (!libnet_join_create_keytab(mem_ctx, r)) {
717 libnet_join_set_error_string(mem_ctx, r,
718 "failed to create kerberos keytab");
719 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
720 }
721
722 return ADS_SUCCESS;
723 }
724 #endif /* HAVE_ADS */
725
726 /****************************************************************
727 Store the machine password and domain SID
728 ****************************************************************/
729
730 static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx,
731 struct libnet_JoinCtx *r)
732 {
733 if (!secrets_store_domain_sid(r->out.netbios_domain_name,
734 r->out.domain_sid))
735 {
736 DEBUG(1,("Failed to save domain sid\n"));
737 return false;
738 }
739
740 if (!secrets_store_machine_password(r->in.machine_password,
741 r->out.netbios_domain_name,
742 r->in.secure_channel_type))
743 {
744 DEBUG(1,("Failed to save machine password\n"));
745 return false;
746 }
747
748 return true;
749 }
750
751 /****************************************************************
752 Connect dc's IPC$ share
753 ****************************************************************/
754
755 static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
756 const char *user,
757 const char *pass,
758 bool use_kerberos,
759 struct cli_state **cli)
760 {
761 int flags = 0;
762
763 if (use_kerberos) {
764 flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
765 }
766
767 if (use_kerberos && pass) {
768 flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
769 }
770
771 return cli_full_connection(cli, NULL,
772 dc,
773 NULL, 0,
774 "IPC$", "IPC",
775 user,
776 NULL,
777 pass,
778 flags,
779 SMB_SIGNING_DEFAULT);
780 }
781
782 /****************************************************************
783 Lookup domain dc's info
784 ****************************************************************/
785
786 static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
787 struct libnet_JoinCtx *r,
788 struct cli_state **cli)
789 {
790 struct rpc_pipe_client *pipe_hnd = NULL;
791 struct policy_handle lsa_pol;
792 NTSTATUS status, result;
793 union lsa_PolicyInformation *info = NULL;
794 struct dcerpc_binding_handle *b;
795
796 status = libnet_join_connect_dc_ipc(r->in.dc_name,
797 r->in.admin_account,
798 r->in.admin_password,
799 r->in.use_kerberos,
800 cli);
801 if (!NT_STATUS_IS_OK(status)) {
802 goto done;
803 }
804
805 status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc.syntax_id,
806 &pipe_hnd);
807 if (!NT_STATUS_IS_OK(status)) {
808 DEBUG(0,("Error connecting to LSA pipe. Error was %s\n",
809 nt_errstr(status)));
810 goto done;
811 }
812
813 b = pipe_hnd->binding_handle;
814
815 status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
816 SEC_FLAG_MAXIMUM_ALLOWED, &lsa_pol);
817 if (!NT_STATUS_IS_OK(status)) {
818 goto done;
819 }
820
821 status = dcerpc_lsa_QueryInfoPolicy2(b, mem_ctx,
822 &lsa_pol,
823 LSA_POLICY_INFO_DNS,
824 &info,
825 &result);
826 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
827 r->out.domain_is_ad = true;
828 r->out.netbios_domain_name = info->dns.name.string;
829 r->out.dns_domain_name = info->dns.dns_domain.string;
830 r->out.forest_name = info->dns.dns_forest.string;
831 r->out.domain_sid = dom_sid_dup(mem_ctx, info->dns.sid);
832 NT_STATUS_HAVE_NO_MEMORY(r->out.domain_sid);
833 }
834
835 if (!NT_STATUS_IS_OK(status)) {
836 status = dcerpc_lsa_QueryInfoPolicy(b, mem_ctx,
837 &lsa_pol,
838 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
839 &info,
840 &result);
841 if (!NT_STATUS_IS_OK(status)) {
842 goto done;
843 }
844 if (!NT_STATUS_IS_OK(result)) {
845 status = result;
846 goto done;
847 }
848
849 r->out.netbios_domain_name = info->account_domain.name.string;
850 r->out.domain_sid = dom_sid_dup(mem_ctx, info->account_domain.sid);
851 NT_STATUS_HAVE_NO_MEMORY(r->out.domain_sid);
852 }
853
854 dcerpc_lsa_Close(b, mem_ctx, &lsa_pol, &result);
855 TALLOC_FREE(pipe_hnd);
856
857 done:
858 return status;
859 }
860
861 /****************************************************************
862 Do the domain join unsecure
863 ****************************************************************/
864
865 static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
866 struct libnet_JoinCtx *r,
867 struct cli_state *cli)
868 {
869 struct rpc_pipe_client *pipe_hnd = NULL;
870 unsigned char orig_trust_passwd_hash[16];
871 unsigned char new_trust_passwd_hash[16];
872 fstring trust_passwd;
873 NTSTATUS status;
874
875 status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
876 &pipe_hnd);
877 if (!NT_STATUS_IS_OK(status)) {
878 return status;
879 }
880
881 if (!r->in.machine_password) {
882 r->in.machine_password = generate_random_password(mem_ctx,
883 DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
884 DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
885 NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
886 }
887
888 E_md4hash(r->in.machine_password, new_trust_passwd_hash);
889
890 /* according to WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED */
891 fstrcpy(trust_passwd, r->in.admin_password);
892 if (!strlower_m(trust_passwd)) {
893 return NT_STATUS_INVALID_PARAMETER;
894 }
895
896 /*
897 * Machine names can be 15 characters, but the max length on
898 * a password is 14. --jerry
899 */
900
901 trust_passwd[14] = '\0';
902
903 E_md4hash(trust_passwd, orig_trust_passwd_hash);
904
905 status = rpccli_netlogon_set_trust_password(pipe_hnd, mem_ctx,
906 r->in.machine_name,
907 orig_trust_passwd_hash,
908 r->in.machine_password,
909 new_trust_passwd_hash,
910 r->in.secure_channel_type);
911
912 return status;
913 }
914
915 /****************************************************************
916 Do the domain join
917 ****************************************************************/
918
919 static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
920 struct libnet_JoinCtx *r,
921 struct cli_state *cli)
922 {
923 struct rpc_pipe_client *pipe_hnd = NULL;
924 struct policy_handle sam_pol, domain_pol, user_pol;
925 NTSTATUS status = NT_STATUS_UNSUCCESSFUL, result;
926 char *acct_name;
927 struct lsa_String lsa_acct_name;
928 uint32_t user_rid;
929 uint32_t acct_flags = ACB_WSTRUST;
930 struct samr_Ids user_rids;
931 struct samr_Ids name_types;
932 union samr_UserInfo user_info;
933 struct dcerpc_binding_handle *b = NULL;
934 unsigned int old_timeout = 0;
935
936 DATA_BLOB session_key = data_blob_null;
937 struct samr_CryptPassword crypt_pwd;
938 struct samr_CryptPasswordEx crypt_pwd_ex;
939
940 ZERO_STRUCT(sam_pol);
941 ZERO_STRUCT(domain_pol);
942 ZERO_STRUCT(user_pol);
943
944 switch (r->in.secure_channel_type) {
945 case SEC_CHAN_WKSTA:
946 acct_flags = ACB_WSTRUST;
947 break;
948 case SEC_CHAN_BDC:
949 acct_flags = ACB_SVRTRUST;
950 break;
951 default:
952 return NT_STATUS_INVALID_PARAMETER;
953 }
954
955 if (!r->in.machine_password) {
956 r->in.machine_password = generate_random_password(mem_ctx,
957 DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
958 DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
959 NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
960 }
961
962 /* Open the domain */
963
964 status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
965 &pipe_hnd);
966 if (!NT_STATUS_IS_OK(status)) {
967 DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
968 nt_errstr(status)));
969 goto done;
970 }
971
972 b = pipe_hnd->binding_handle;
973
974 status = cli_get_session_key(mem_ctx, pipe_hnd, &session_key);
975 if (!NT_STATUS_IS_OK(status)) {
976 DEBUG(0,("Error getting session_key of SAM pipe. Error was %s\n",
977 nt_errstr(status)));
978 goto done;
979 }
980
981 status = dcerpc_samr_Connect2(b, mem_ctx,
982 pipe_hnd->desthost,
983 SAMR_ACCESS_ENUM_DOMAINS
984 | SAMR_ACCESS_LOOKUP_DOMAIN,
985 &sam_pol,
986 &result);
987 if (!NT_STATUS_IS_OK(status)) {
988 goto done;
989 }
990 if (!NT_STATUS_IS_OK(result)) {
991 status = result;
992 goto done;
993 }
994
995 status = dcerpc_samr_OpenDomain(b, mem_ctx,
996 &sam_pol,
997 SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
998 | SAMR_DOMAIN_ACCESS_CREATE_USER
999 | SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
1000 r->out.domain_sid,
1001 &domain_pol,
1002 &result);
1003 if (!NT_STATUS_IS_OK(status)) {
1004 goto done;
1005 }
1006 if (!NT_STATUS_IS_OK(result)) {
1007 status = result;
1008 goto done;
1009 }
1010
1011 /* Create domain user */
1012
1013 acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name);
1014 if (!strlower_m(acct_name)) {
1015 status = NT_STATUS_INVALID_PARAMETER;
1016 goto done;
1017 }
1018
1019 init_lsa_String(&lsa_acct_name, acct_name);
1020
1021 if (r->in.join_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE) {
1022 uint32_t access_desired =
1023 SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE |
1024 SEC_STD_WRITE_DAC | SEC_STD_DELETE |
1025 SAMR_USER_ACCESS_SET_PASSWORD |
1026 SAMR_USER_ACCESS_GET_ATTRIBUTES |
1027 SAMR_USER_ACCESS_SET_ATTRIBUTES;
1028 uint32_t access_granted = 0;
1029
1030 DEBUG(10,("Creating account with desired access mask: %d\n",
1031 access_desired));
1032
1033 status = dcerpc_samr_CreateUser2(b, mem_ctx,
1034 &domain_pol,
1035 &lsa_acct_name,
1036 acct_flags,
1037 access_desired,
1038 &user_pol,
1039 &access_granted,
1040 &user_rid,
1041 &result);
1042 if (!NT_STATUS_IS_OK(status)) {
1043 goto done;
1044 }
1045
1046 status = result;
1047 if (!NT_STATUS_IS_OK(status) &&
1048 !NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
1049
1050 DEBUG(10,("Creation of workstation account failed: %s\n",
1051 nt_errstr(status)));
1052
1053 /* If NT_STATUS_ACCESS_DENIED then we have a valid
1054 username/password combo but the user does not have
1055 administrator access. */
1056
1057 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
1058 libnet_join_set_error_string(mem_ctx, r,
1059 "User specified does not have "
1060 "administrator privileges");
1061 }
1062
1063 goto done;
1064 }
1065
1066 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
1067 if (!(r->in.join_flags &
1068 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED)) {
1069 goto done;
1070 }
1071 }
1072
1073 /* We *must* do this.... don't ask... */
1074
1075 if (NT_STATUS_IS_OK(status)) {
1076 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
1077 }
1078 }
1079
1080 status = dcerpc_samr_LookupNames(b, mem_ctx,
1081 &domain_pol,
1082 1,
1083 &lsa_acct_name,
1084 &user_rids,
1085 &name_types,
1086 &result);
1087 if (!NT_STATUS_IS_OK(status)) {
1088 goto done;
1089 }
1090 if (!NT_STATUS_IS_OK(result)) {
1091 status = result;
1092 goto done;
1093 }
1094 if (user_rids.count != 1) {
1095 status = NT_STATUS_INVALID_NETWORK_RESPONSE;
1096 goto done;
1097 }
1098 if (name_types.count != 1) {
1099 status = NT_STATUS_INVALID_NETWORK_RESPONSE;
1100 goto done;
1101 }
1102
1103 if (name_types.ids[0] != SID_NAME_USER) {
1104 DEBUG(0,("%s is not a user account (type=%d)\n",
1105 acct_name, name_types.ids[0]));
1106 status = NT_STATUS_INVALID_WORKSTATION;
1107 goto done;
1108 }
1109
1110 user_rid = user_rids.ids[0];
1111
1112 /* Open handle on user */
1113
1114 status = dcerpc_samr_OpenUser(b, mem_ctx,
1115 &domain_pol,
1116 SEC_FLAG_MAXIMUM_ALLOWED,
1117 user_rid,
1118 &user_pol,
1119 &result);
1120 if (!NT_STATUS_IS_OK(status)) {
1121 goto done;
1122 }
1123 if (!NT_STATUS_IS_OK(result)) {
1124 status = result;
1125 goto done;
1126 }
1127
1128 /* Fill in the additional account flags now */
1129
1130 acct_flags |= ACB_PWNOEXP;
1131
1132 /* Set account flags on machine account */
1133 ZERO_STRUCT(user_info.info16);
1134 user_info.info16.acct_flags = acct_flags;
1135
1136 status = dcerpc_samr_SetUserInfo(b, mem_ctx,
1137 &user_pol,
1138 16,
1139 &user_info,
1140 &result);
1141 if (!NT_STATUS_IS_OK(status)) {
1142 dcerpc_samr_DeleteUser(b, mem_ctx,
1143 &user_pol,
1144 &result);
1145
1146 libnet_join_set_error_string(mem_ctx, r,
1147 "Failed to set account flags for machine account (%s)\n",
1148 nt_errstr(status));
1149 goto done;
1150 }
1151
1152 if (!NT_STATUS_IS_OK(result)) {
1153 status = result;
1154
1155 dcerpc_samr_DeleteUser(b, mem_ctx,
1156 &user_pol,
1157 &result);
1158
1159 libnet_join_set_error_string(mem_ctx, r,
1160 "Failed to set account flags for machine account (%s)\n",
1161 nt_errstr(status));
1162 goto done;
1163 }
1164
1165 /* Set password on machine account - first try level 26 */
1166
1167 /*
1168 * increase the timeout as password filter modules on the DC
1169 * might delay the operation for a significant amount of time
1170 */
1171 old_timeout = rpccli_set_timeout(pipe_hnd, 600000);
1172
1173 init_samr_CryptPasswordEx(r->in.machine_password,
1174 &session_key,
1175 &crypt_pwd_ex);
1176
1177 user_info.info26.password = crypt_pwd_ex;
1178 user_info.info26.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
1179
1180 status = dcerpc_samr_SetUserInfo2(b, mem_ctx,
1181 &user_pol,
1182 26,
1183 &user_info,
1184 &result);
1185
1186 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) {
1187
1188 /* retry with level 24 */
1189
1190 init_samr_CryptPassword(r->in.machine_password,
1191 &session_key,
1192 &crypt_pwd);
1193
1194 user_info.info24.password = crypt_pwd;
1195 user_info.info24.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
1196
1197 status = dcerpc_samr_SetUserInfo2(b, mem_ctx,
1198 &user_pol,
1199 24,
1200 &user_info,
1201 &result);
1202 }
1203
1204 old_timeout = rpccli_set_timeout(pipe_hnd, old_timeout);
1205
1206 if (!NT_STATUS_IS_OK(status)) {
1207
1208 dcerpc_samr_DeleteUser(b, mem_ctx,
1209 &user_pol,
1210 &result);
1211
1212 libnet_join_set_error_string(mem_ctx, r,
1213 "Failed to set password for machine account (%s)\n",
1214 nt_errstr(status));
1215 goto done;
1216 }
1217 if (!NT_STATUS_IS_OK(result)) {
1218 status = result;
1219
1220 dcerpc_samr_DeleteUser(b, mem_ctx,
1221 &user_pol,
1222 &result);
1223
1224 libnet_join_set_error_string(mem_ctx, r,
1225 "Failed to set password for machine account (%s)\n",
1226 nt_errstr(status));
1227 goto done;
1228 }
1229
1230 status = NT_STATUS_OK;
1231
1232 done:
1233 if (!pipe_hnd) {
1234 return status;
1235 }
1236
1237 data_blob_clear_free(&session_key);
1238
1239 if (is_valid_policy_hnd(&sam_pol)) {
1240 dcerpc_samr_Close(b, mem_ctx, &sam_pol, &result);
1241 }
1242 if (is_valid_policy_hnd(&domain_pol)) {
1243 dcerpc_samr_Close(b, mem_ctx, &domain_pol, &result);
1244 }
1245 if (is_valid_policy_hnd(&user_pol)) {
1246 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
1247 }
1248 TALLOC_FREE(pipe_hnd);
1249
1250 return status;
1251 }
1252
1253 /****************************************************************
1254 ****************************************************************/
1255
1256 NTSTATUS libnet_join_ok(const char *netbios_domain_name,
1257 const char *machine_name,
1258 const char *dc_name,
1259 const bool use_kerberos)
1260 {
1261 uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
1262 struct cli_state *cli = NULL;
1263 struct rpc_pipe_client *pipe_hnd = NULL;
1264 struct rpc_pipe_client *netlogon_pipe = NULL;
1265 NTSTATUS status;
1266 char *machine_password = NULL;
1267 char *machine_account = NULL;
1268 int flags = 0;
1269
1270 if (!dc_name) {
1271 return NT_STATUS_INVALID_PARAMETER;
1272 }
1273
1274 if (!secrets_init()) {
1275 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1276 }
1277
1278 machine_password = secrets_fetch_machine_password(netbios_domain_name,
1279 NULL, NULL);
1280 if (!machine_password) {
1281 return NT_STATUS_NO_TRUST_LSA_SECRET;
1282 }
1283
1284 if (asprintf(&machine_account, "%s$", machine_name) == -1) {
1285 SAFE_FREE(machine_password);
1286 return NT_STATUS_NO_MEMORY;
1287 }
1288
1289 if (use_kerberos) {
1290 flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
1291 }
1292
1293 status = cli_full_connection(&cli, NULL,
1294 dc_name,
1295 NULL, 0,
1296 "IPC$", "IPC",
1297 machine_account,
1298 NULL,
1299 machine_password,
1300 flags,
1301 SMB_SIGNING_DEFAULT);
1302 free(machine_account);
1303 free(machine_password);
1304
1305 if (!NT_STATUS_IS_OK(status)) {
1306 status = cli_full_connection(&cli, NULL,
1307 dc_name,
1308 NULL, 0,
1309 "IPC$", "IPC",
1310 "",
1311 NULL,
1312 "",
1313 0,
1314 SMB_SIGNING_DEFAULT);
1315 }
1316
1317 if (!NT_STATUS_IS_OK(status)) {
1318 return status;
1319 }
1320
1321 status = get_schannel_session_key(cli, netbios_domain_name,
1322 &neg_flags, &netlogon_pipe);
1323 if (!NT_STATUS_IS_OK(status)) {
1324 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_NETWORK_RESPONSE)) {
1325 cli_shutdown(cli);
1326 return NT_STATUS_OK;
1327 }
1328
1329 DEBUG(0,("libnet_join_ok: failed to get schannel session "
1330 "key from server %s for domain %s. Error was %s\n",
1331 smbXcli_conn_remote_name(cli->conn),
1332 netbios_domain_name, nt_errstr(status)));
1333 cli_shutdown(cli);
1334 return status;
1335 }
1336
1337 if (!lp_client_schannel()) {
1338 cli_shutdown(cli);
1339 return NT_STATUS_OK;
1340 }
1341
1342 status = cli_rpc_pipe_open_schannel_with_key(
1343 cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
1344 DCERPC_AUTH_LEVEL_PRIVACY,
1345 netbios_domain_name, &netlogon_pipe->dc, &pipe_hnd);
1346
1347 cli_shutdown(cli);
1348
1349 if (!NT_STATUS_IS_OK(status)) {
1350 DEBUG(0,("libnet_join_ok: failed to open schannel session "
1351 "on netlogon pipe to server %s for domain %s. "
1352 "Error was %s\n",
1353 smbXcli_conn_remote_name(cli->conn),
1354 netbios_domain_name, nt_errstr(status)));
1355 return status;
1356 }
1357
1358 return NT_STATUS_OK;
1359 }
1360
1361 /****************************************************************
1362 ****************************************************************/
1363
1364 static WERROR libnet_join_post_verify(TALLOC_CTX *mem_ctx,
1365 struct libnet_JoinCtx *r)
1366 {
1367 NTSTATUS status;
1368
1369 status = libnet_join_ok(r->out.netbios_domain_name,
1370 r->in.machine_name,
1371 r->in.dc_name,
1372 r->in.use_kerberos);
1373 if (!NT_STATUS_IS_OK(status)) {
1374 libnet_join_set_error_string(mem_ctx, r,
1375 "failed to verify domain membership after joining: %s",
1376 get_friendly_nt_error_msg(status));
1377 return WERR_SETUP_NOT_JOINED;
1378 }
1379
1380 return WERR_OK;
1381 }
1382
1383 /****************************************************************
1384 ****************************************************************/
1385
1386 static bool libnet_join_unjoindomain_remove_secrets(TALLOC_CTX *mem_ctx,
1387 struct libnet_UnjoinCtx *r)
1388 {
1389 if (!secrets_delete_machine_password_ex(lp_workgroup())) {
1390 return false;
1391 }
1392
1393 if (!secrets_delete_domain_sid(lp_workgroup())) {
1394 return false;
1395 }
1396
1397 return true;
1398 }
1399
1400 /****************************************************************
1401 ****************************************************************/
1402
1403 static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
1404 struct libnet_UnjoinCtx *r)
1405 {
1406 struct cli_state *cli = NULL;
1407 struct rpc_pipe_client *pipe_hnd = NULL;
1408 struct policy_handle sam_pol, domain_pol, user_pol;
1409 NTSTATUS status = NT_STATUS_UNSUCCESSFUL, result;
1410 char *acct_name;
1411 uint32_t user_rid;
1412 struct lsa_String lsa_acct_name;
1413 struct samr_Ids user_rids;
1414 struct samr_Ids name_types;
1415 union samr_UserInfo *info = NULL;
1416 struct dcerpc_binding_handle *b = NULL;
1417
1418 ZERO_STRUCT(sam_pol);
1419 ZERO_STRUCT(domain_pol);
1420 ZERO_STRUCT(user_pol);
1421
1422 status = libnet_join_connect_dc_ipc(r->in.dc_name,
1423 r->in.admin_account,
1424 r->in.admin_password,
1425 r->in.use_kerberos,
1426 &cli);
1427 if (!NT_STATUS_IS_OK(status)) {
1428 goto done;
1429 }
1430
1431 /* Open the domain */
1432
1433 status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
1434 &pipe_hnd);
1435 if (!NT_STATUS_IS_OK(status)) {
1436 DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
1437 nt_errstr(status)));
1438 goto done;
1439 }
1440
1441 b = pipe_hnd->binding_handle;
1442
1443 status = dcerpc_samr_Connect2(b, mem_ctx,
1444 pipe_hnd->desthost,
1445 SEC_FLAG_MAXIMUM_ALLOWED,
1446 &sam_pol,
1447 &result);
1448 if (!NT_STATUS_IS_OK(status)) {
1449 goto done;
1450 }
1451 if (!NT_STATUS_IS_OK(result)) {
1452 status = result;
1453 goto done;
1454 }
1455
1456 status = dcerpc_samr_OpenDomain(b, mem_ctx,
1457 &sam_pol,
1458 SEC_FLAG_MAXIMUM_ALLOWED,
1459 r->in.domain_sid,
1460 &domain_pol,
1461 &result);
1462 if (!NT_STATUS_IS_OK(status)) {
1463 goto done;
1464 }
1465 if (!NT_STATUS_IS_OK(result)) {
1466 status = result;
1467 goto done;
1468 }
1469
1470 /* Create domain user */
1471
1472 acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name);
1473 if (!strlower_m(acct_name)) {
1474 status = NT_STATUS_INVALID_PARAMETER;
1475 goto done;
1476 }
1477
1478 init_lsa_String(&lsa_acct_name, acct_name);
1479
1480 status = dcerpc_samr_LookupNames(b, mem_ctx,
1481 &domain_pol,
1482 1,
1483 &lsa_acct_name,
1484 &user_rids,
1485 &name_types,
1486 &result);
1487
1488 if (!NT_STATUS_IS_OK(status)) {
1489 goto done;
1490 }
1491 if (!NT_STATUS_IS_OK(result)) {
1492 status = result;
1493 goto done;
1494 }
1495 if (user_rids.count != 1) {
1496 status = NT_STATUS_INVALID_NETWORK_RESPONSE;
1497 goto done;
1498 }
1499 if (name_types.count != 1) {
1500 status = NT_STATUS_INVALID_NETWORK_RESPONSE;
1501 goto done;
1502 }
1503
1504 if (name_types.ids[0] != SID_NAME_USER) {
1505 DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name,
1506 name_types.ids[0]));
1507 status = NT_STATUS_INVALID_WORKSTATION;
1508 goto done;
1509 }
1510
1511 user_rid = user_rids.ids[0];
1512
1513 /* Open handle on user */
1514
1515 status = dcerpc_samr_OpenUser(b, mem_ctx,
1516 &domain_pol,
1517 SEC_FLAG_MAXIMUM_ALLOWED,
1518 user_rid,
1519 &user_pol,
1520 &result);
1521 if (!NT_STATUS_IS_OK(status)) {
1522 goto done;
1523 }
1524 if (!NT_STATUS_IS_OK(result)) {
1525 status = result;
1526 goto done;
1527 }
1528
1529 /* Get user info */
1530
1531 status = dcerpc_samr_QueryUserInfo(b, mem_ctx,
1532 &user_pol,
1533 16,
1534 &info,
1535 &result);
1536 if (!NT_STATUS_IS_OK(status)) {
1537 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
1538 goto done;
1539 }
1540 if (!NT_STATUS_IS_OK(result)) {
1541 status = result;
1542 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
1543 goto done;
1544 }
1545
1546 /* now disable and setuser info */
1547
1548 info->info16.acct_flags |= ACB_DISABLED;
1549
1550 status = dcerpc_samr_SetUserInfo(b, mem_ctx,
1551 &user_pol,
1552 16,
1553 info,
1554 &result);
1555 if (!NT_STATUS_IS_OK(status)) {
1556 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
1557 goto done;
1558 }
1559 if (!NT_STATUS_IS_OK(result)) {
1560 status = result;
1561 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
1562 goto done;
1563 }
1564 status = result;
1565 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
1566
1567 done:
1568 if (pipe_hnd && b) {
1569 if (is_valid_policy_hnd(&domain_pol)) {
1570 dcerpc_samr_Close(b, mem_ctx, &domain_pol, &result);
1571 }
1572 if (is_valid_policy_hnd(&sam_pol)) {
1573 dcerpc_samr_Close(b, mem_ctx, &sam_pol, &result);
1574 }
1575 TALLOC_FREE(pipe_hnd);
1576 }
1577
1578 if (cli) {
1579 cli_shutdown(cli);
1580 }
1581
1582 return status;
1583 }
1584
1585 /****************************************************************
1586 ****************************************************************/
1587
1588 static WERROR do_join_modify_vals_config(struct libnet_JoinCtx *r)
1589 {
1590 WERROR werr = WERR_OK;
1591 sbcErr err;
1592 struct smbconf_ctx *ctx;
1593
1594 err = smbconf_init_reg(r, &ctx, NULL);
1595 if (!SBC_ERROR_IS_OK(err)) {
1596 werr = WERR_NO_SUCH_SERVICE;
1597 goto done;
1598 }
1599
1600 if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE)) {
1601
1602 err = smbconf_set_global_parameter(ctx, "security", "user");
1603 if (!SBC_ERROR_IS_OK(err)) {
1604 werr = WERR_NO_SUCH_SERVICE;
1605 goto done;
1606 }
1607
1608 err = smbconf_set_global_parameter(ctx, "workgroup",
1609 r->in.domain_name);
1610 if (!SBC_ERROR_IS_OK(err)) {
1611 werr = WERR_NO_SUCH_SERVICE;
1612 goto done;
1613 }
1614
1615 smbconf_delete_global_parameter(ctx, "realm");
1616 goto done;
1617 }
1618
1619 err = smbconf_set_global_parameter(ctx, "security", "domain");
1620 if (!SBC_ERROR_IS_OK(err)) {
1621 werr = WERR_NO_SUCH_SERVICE;
1622 goto done;
1623 }
1624
1625 err = smbconf_set_global_parameter(ctx, "workgroup",
1626 r->out.netbios_domain_name);
1627 if (!SBC_ERROR_IS_OK(err)) {
1628 werr = WERR_NO_SUCH_SERVICE;
1629 goto done;
1630 }
1631
1632 if (r->out.domain_is_ad) {
1633 err = smbconf_set_global_parameter(ctx, "security", "ads");
1634 if (!SBC_ERROR_IS_OK(err)) {
1635 werr = WERR_NO_SUCH_SERVICE;
1636 goto done;
1637 }
1638
1639 err = smbconf_set_global_parameter(ctx, "realm",
1640 r->out.dns_domain_name);
1641 if (!SBC_ERROR_IS_OK(err)) {
1642 werr = WERR_NO_SUCH_SERVICE;
1643 goto done;
1644 }
1645 }
1646
1647 done:
1648 smbconf_shutdown(ctx);
1649 return werr;
1650 }
1651
1652 /****************************************************************
1653 ****************************************************************/
1654
1655 static WERROR do_unjoin_modify_vals_config(struct libnet_UnjoinCtx *r)
1656 {
1657 WERROR werr = WERR_OK;
1658 sbcErr err;
1659 struct smbconf_ctx *ctx;
1660
1661 err = smbconf_init_reg(r, &ctx, NULL);
1662 if (!SBC_ERROR_IS_OK(err)) {
1663 werr = WERR_NO_SUCH_SERVICE;
1664 goto done;
1665 }
1666
1667 if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1668
1669 err = smbconf_set_global_parameter(ctx, "security", "user");
1670 if (!SBC_ERROR_IS_OK(err)) {
1671 werr = WERR_NO_SUCH_SERVICE;
1672 goto done;
1673 }
1674
1675 err = smbconf_delete_global_parameter(ctx, "workgroup");
1676 if (!SBC_ERROR_IS_OK(err)) {
1677 werr = WERR_NO_SUCH_SERVICE;
1678 goto done;
1679 }
1680
1681 smbconf_delete_global_parameter(ctx, "realm");
1682 }
1683
1684 done:
1685 smbconf_shutdown(ctx);
1686 return werr;
1687 }
1688
1689 /****************************************************************
1690 ****************************************************************/
1691
1692 static WERROR do_JoinConfig(struct libnet_JoinCtx *r)
1693 {
1694 WERROR werr;
1695
1696 if (!W_ERROR_IS_OK(r->out.result)) {
1697 return r->out.result;
1698 }
1699
1700 if (!r->in.modify_config) {
1701 return WERR_OK;
1702 }
1703
1704 werr = do_join_modify_vals_config(r);
1705 if (!W_ERROR_IS_OK(werr)) {
1706 return werr;
1707 }
1708
1709 lp_load_global(get_dyn_CONFIGFILE());
1710
1711 r->out.modified_config = true;
1712 r->out.result = werr;
1713
1714 return werr;
1715 }
1716
1717 /****************************************************************
1718 ****************************************************************/
1719
1720 static WERROR libnet_unjoin_config(struct libnet_UnjoinCtx *r)
1721 {
1722 WERROR werr;
1723
1724 if (!W_ERROR_IS_OK(r->out.result)) {
1725 return r->out.result;
1726 }
1727
1728 if (!r->in.modify_config) {
1729 return WERR_OK;
1730 }
1731
1732 werr = do_unjoin_modify_vals_config(r);
1733 if (!W_ERROR_IS_OK(werr)) {
1734 return werr;
1735 }
1736
1737 lp_load_global(get_dyn_CONFIGFILE());
1738
1739 r->out.modified_config = true;
1740 r->out.result = werr;
1741
1742 return werr;
1743 }
1744
1745 /****************************************************************
1746 ****************************************************************/
1747
1748 static bool libnet_parse_domain_dc(TALLOC_CTX *mem_ctx,
1749 const char *domain_str,
1750 const char **domain_p,
1751 const char **dc_p)
1752 {
1753 char *domain = NULL;
1754 char *dc = NULL;
1755 const char *p = NULL;
1756
1757 if (!domain_str || !domain_p || !dc_p) {
1758 return false;
1759 }
1760
1761 p = strchr_m(domain_str, '\\');
1762
1763 if (p != NULL) {
1764 domain = talloc_strndup(mem_ctx, domain_str,
1765 PTR_DIFF(p, domain_str));
1766 dc = talloc_strdup(mem_ctx, p+1);
1767 if (!dc) {
1768 return false;
1769 }
1770 } else {
1771 domain = talloc_strdup(mem_ctx, domain_str);
1772 dc = NULL;
1773 }
1774 if (!domain) {
1775 return false;
1776 }
1777
1778 *domain_p = domain;
1779
1780 if (!*dc_p && dc) {
1781 *dc_p = dc;
1782 }
1783
1784 return true;
1785 }
1786
1787 /****************************************************************
1788 ****************************************************************/
1789
1790 static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
1791 struct libnet_JoinCtx *r)
1792 {
1793 if (!r->in.domain_name) {
1794 libnet_join_set_error_string(mem_ctx, r,
1795 "No domain name defined");
1796 return WERR_INVALID_PARAM;
1797 }
1798
1799 if (!libnet_parse_domain_dc(mem_ctx, r->in.domain_name,
1800 &r->in.domain_name,
1801 &r->in.dc_name)) {
1802 libnet_join_set_error_string(mem_ctx, r,
1803 "Failed to parse domain name");
1804 return WERR_INVALID_PARAM;
1805 }
1806
1807 if (IS_DC) {
1808 return WERR_SETUP_DOMAIN_CONTROLLER;
1809 }
1810
1811 if (!secrets_init()) {
1812 libnet_join_set_error_string(mem_ctx, r,
1813 "Unable to open secrets database");
1814 return WERR_CAN_NOT_COMPLETE;
1815 }
1816
1817 return WERR_OK;
1818 }
1819
1820 /****************************************************************
1821 ****************************************************************/
1822
1823 static void libnet_join_add_dom_rids_to_builtins(struct dom_sid *domain_sid)
1824 {
1825 NTSTATUS status;
1826
1827 /* Try adding dom admins to builtin\admins. Only log failures. */
1828 status = create_builtin_administrators(domain_sid);
1829 if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
1830 DEBUG(10,("Unable to auto-add domain administrators to "
1831 "BUILTIN\\Administrators during join because "
1832 "winbindd must be running.\n"));
1833 } else if (!NT_STATUS_IS_OK(status)) {
1834 DEBUG(5, ("Failed to auto-add domain administrators to "
1835 "BUILTIN\\Administrators during join: %s\n",
1836 nt_errstr(status)));
1837 }
1838
1839 /* Try adding dom users to builtin\users. Only log failures. */
1840 status = create_builtin_users(domain_sid);
1841 if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
1842 DEBUG(10,("Unable to auto-add domain users to BUILTIN\\users "
1843 "during join because winbindd must be running.\n"));
1844 } else if (!NT_STATUS_IS_OK(status)) {
1845 DEBUG(5, ("Failed to auto-add domain administrators to "
1846 "BUILTIN\\Administrators during join: %s\n",
1847 nt_errstr(status)));
1848 }
1849 }
1850
1851 /****************************************************************
1852 ****************************************************************/
1853
1854 static WERROR libnet_join_post_processing(TALLOC_CTX *mem_ctx,
1855 struct libnet_JoinCtx *r)
1856 {
1857 WERROR werr;
1858
1859 if (!W_ERROR_IS_OK(r->out.result)) {
1860 return r->out.result;
1861 }
1862
1863 werr = do_JoinConfig(r);
1864 if (!W_ERROR_IS_OK(werr)) {
1865 return werr;
1866 }
1867
1868 if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE)) {
1869 return WERR_OK;
1870 }
1871
1872 saf_join_store(r->out.netbios_domain_name, r->in.dc_name);
1873 if (r->out.dns_domain_name) {
1874 saf_join_store(r->out.dns_domain_name, r->in.dc_name);
1875 }
1876
1877 #ifdef HAVE_ADS
1878 if (r->out.domain_is_ad &&
1879 !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
1880 ADS_STATUS ads_status;
1881
1882 ads_status = libnet_join_post_processing_ads(mem_ctx, r);
1883 if (!ADS_ERR_OK(ads_status)) {
1884 return WERR_GENERAL_FAILURE;
1885 }
1886 }
1887 #endif /* HAVE_ADS */
1888
1889 libnet_join_add_dom_rids_to_builtins(r->out.domain_sid);
1890
1891 return WERR_OK;
1892 }
1893
1894 /****************************************************************
1895 ****************************************************************/
1896
1897 static int libnet_destroy_JoinCtx(struct libnet_JoinCtx *r)
1898 {
1899 if (r->in.ads) {
1900 ads_destroy(&r->in.ads);
1901 }
1902
1903 return 0;
1904 }
1905
1906 /****************************************************************
1907 ****************************************************************/
1908
1909 static int libnet_destroy_UnjoinCtx(struct libnet_UnjoinCtx *r)
1910 {
1911 if (r->in.ads) {
1912 ads_destroy(&r->in.ads);
1913 }
1914
1915 return 0;
1916 }
1917
1918 /****************************************************************
1919 ****************************************************************/
1920
1921 WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
1922 struct libnet_JoinCtx **r)
1923 {
1924 struct libnet_JoinCtx *ctx;
1925
1926 ctx = talloc_zero(mem_ctx, struct libnet_JoinCtx);
1927 if (!ctx) {
1928 return WERR_NOMEM;
1929 }
1930
1931 talloc_set_destructor(ctx, libnet_destroy_JoinCtx);
1932
1933 ctx->in.machine_name = talloc_strdup(mem_ctx, lp_netbios_name());
1934 W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
1935
1936 ctx->in.secure_channel_type = SEC_CHAN_WKSTA;
1937
1938 *r = ctx;
1939
1940 return WERR_OK;
1941 }
1942
1943 /****************************************************************
1944 ****************************************************************/
1945
1946 WERROR libnet_init_UnjoinCtx(TALLOC_CTX *mem_ctx,
1947 struct libnet_UnjoinCtx **r)
1948 {
1949 struct libnet_UnjoinCtx *ctx;
1950
1951 ctx = talloc_zero(mem_ctx, struct libnet_UnjoinCtx);
1952 if (!ctx) {
1953 return WERR_NOMEM;
1954 }
1955
1956 talloc_set_destructor(ctx, libnet_destroy_UnjoinCtx);
1957
1958 ctx->in.machine_name = talloc_strdup(mem_ctx, lp_netbios_name());
1959 W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
1960
1961 *r = ctx;
1962
1963 return WERR_OK;
1964 }
1965
1966 /****************************************************************
1967 ****************************************************************/
1968
1969 static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
1970 struct libnet_JoinCtx *r)
1971 {
1972 bool valid_security = false;
1973 bool valid_workgroup = false;
1974 bool valid_realm = false;
1975
1976 /* check if configuration is already set correctly */
1977
1978 valid_workgroup = strequal(lp_workgroup(), r->out.netbios_domain_name);
1979
1980 switch (r->out.domain_is_ad) {
1981 case false:
1982 valid_security = (lp_security() == SEC_DOMAIN);
1983 if (valid_workgroup && valid_security) {
1984 /* nothing to be done */
1985 return WERR_OK;
1986 }
1987 break;
1988 case true:
1989 valid_realm = strequal(lp_realm(), r->out.dns_domain_name);
1990 switch (lp_security()) {
1991 case SEC_DOMAIN:
1992 case SEC_ADS:
1993 valid_security = true;
1994 }
1995
1996 if (valid_workgroup && valid_realm && valid_security) {
1997 /* nothing to be done */
1998 return WERR_OK;
1999 }
2000 break;
2001 }
2002
2003 /* check if we are supposed to manipulate configuration */
2004
2005 if (!r->in.modify_config) {
2006
2007 char *wrong_conf = talloc_strdup(mem_ctx, "");
2008
2009 if (!valid_workgroup) {
2010 wrong_conf = talloc_asprintf_append(wrong_conf,
2011 "\"workgroup\" set to '%s', should be '%s'",
2012 lp_workgroup(), r->out.netbios_domain_name);
2013 W_ERROR_HAVE_NO_MEMORY(wrong_conf);
2014 }
2015
2016 if (!valid_realm) {
2017 wrong_conf = talloc_asprintf_append(wrong_conf,
2018 "\"realm\" set to '%s', should be '%s'",
2019 lp_realm(), r->out.dns_domain_name);
2020 W_ERROR_HAVE_NO_MEMORY(wrong_conf);
2021 }
2022
2023 if (!valid_security) {
2024 const char *sec = NULL;
2025 switch (lp_security()) {
2026 case SEC_USER: sec = "user"; break;
2027 case SEC_DOMAIN: sec = "domain"; break;
2028 case SEC_ADS: sec = "ads"; break;
2029 }
2030 wrong_conf = talloc_asprintf_append(wrong_conf,
2031 "\"security\" set to '%s', should be %s",
2032 sec, r->out.domain_is_ad ?
2033 "either 'domain' or 'ads'" : "'domain'");
2034 W_ERROR_HAVE_NO_MEMORY(wrong_conf);
2035 }
2036
2037 libnet_join_set_error_string(mem_ctx, r,
2038 "Invalid configuration (%s) and configuration modification "
2039 "was not requested", wrong_conf);
2040 return WERR_CAN_NOT_COMPLETE;
2041 }
2042
2043 /* check if we are able to manipulate configuration */
2044
2045 if (!lp_config_backend_is_registry()) {
2046 libnet_join_set_error_string(mem_ctx, r,
2047 "Configuration manipulation requested but not "
2048 "supported by backend");
2049 return WERR_NOT_SUPPORTED;
2050 }
2051
2052 return WERR_OK;
2053 }
2054
2055 /****************************************************************
2056 ****************************************************************/
2057
2058 static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
2059 struct libnet_JoinCtx *r)
2060 {
2061 NTSTATUS status;
2062 WERROR werr;
2063 struct cli_state *cli = NULL;
2064 #ifdef HAVE_ADS
2065 ADS_STATUS ads_status;
2066 #endif /* HAVE_ADS */
2067
2068 if (!r->in.dc_name) {
2069 struct netr_DsRGetDCNameInfo *info;
2070 const char *dc;
2071 status = dsgetdcname(mem_ctx,
2072 r->in.msg_ctx,
2073 r->in.domain_name,
2074 NULL,
2075 NULL,
2076 DS_FORCE_REDISCOVERY |
2077 DS_DIRECTORY_SERVICE_REQUIRED |
2078 DS_WRITABLE_REQUIRED |
2079 DS_RETURN_DNS_NAME,
2080 &info);
2081 if (!NT_STATUS_IS_OK(status)) {
2082 libnet_join_set_error_string(mem_ctx, r,
2083 "failed to find DC for domain %s",
2084 r->in.domain_name,
2085 get_friendly_nt_error_msg(status));
2086 return WERR_DCNOTFOUND;
2087 }
2088
2089 dc = strip_hostname(info->dc_unc);
2090 r->in.dc_name = talloc_strdup(mem_ctx, dc);
2091 W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
2092 }
2093
2094 status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli);
2095 if (!NT_STATUS_IS_OK(status)) {
2096 libnet_join_set_error_string(mem_ctx, r,
2097 "failed to lookup DC info for domain '%s' over rpc: %s",
2098 r->in.domain_name, get_friendly_nt_error_msg(status));
2099 return ntstatus_to_werror(status);
2100 }
2101
2102 werr = libnet_join_check_config(mem_ctx, r);
2103 if (!W_ERROR_IS_OK(werr)) {
2104 goto done;
2105 }
2106
2107 #ifdef HAVE_ADS
2108
2109 create_local_private_krb5_conf_for_domain(
2110 r->out.dns_domain_name, r->out.netbios_domain_name,
2111 NULL, smbXcli_conn_remote_sockaddr(cli->conn),
2112 smbXcli_conn_remote_name(cli->conn));
2113
2114 if (r->out.domain_is_ad && r->in.account_ou &&
2115 !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
2116
2117 ads_status = libnet_join_connect_ads(mem_ctx, r);
2118 if (!ADS_ERR_OK(ads_status)) {
2119 return WERR_DEFAULT_JOIN_REQUIRED;
2120 }
2121
2122 ads_status = libnet_join_precreate_machine_acct(mem_ctx, r);
2123 if (!ADS_ERR_OK(ads_status)) {
2124 libnet_join_set_error_string(mem_ctx, r,
2125 "failed to precreate account in ou %s: %s",
2126 r->in.account_ou,
2127 ads_errstr(ads_status));
2128 return WERR_DEFAULT_JOIN_REQUIRED;
2129 }
2130
2131 r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE;
2132 }
2133 #endif /* HAVE_ADS */
2134
2135 if ((r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) &&
2136 (r->in.join_flags & WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED)) {
2137 status = libnet_join_joindomain_rpc_unsecure(mem_ctx, r, cli);
2138 } else {
2139 status = libnet_join_joindomain_rpc(mem_ctx, r, cli);
2140 }
2141 if (!NT_STATUS_IS_OK(status)) {
2142 libnet_join_set_error_string(mem_ctx, r,
2143 "failed to join domain '%s' over rpc: %s",
2144 r->in.domain_name, get_friendly_nt_error_msg(status));
2145 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
2146 return WERR_SETUP_ALREADY_JOINED;
2147 }
2148 werr = ntstatus_to_werror(status);
2149 goto done;
2150 }
2151
2152 if (!libnet_join_joindomain_store_secrets(mem_ctx, r)) {
2153 werr = WERR_SETUP_NOT_JOINED;
2154 goto done;
2155 }
2156
2157 werr = WERR_OK;
2158
2159 done:
2160 if (cli) {
2161 cli_shutdown(cli);
2162 }
2163
2164 return werr;
2165 }
2166
2167 /****************************************************************
2168 ****************************************************************/
2169
2170 static WERROR libnet_join_rollback(TALLOC_CTX *mem_ctx,
2171 struct libnet_JoinCtx *r)
2172 {
2173 WERROR werr;
2174 struct libnet_UnjoinCtx *u = NULL;
2175
2176 werr = libnet_init_UnjoinCtx(mem_ctx, &u);
2177 if (!W_ERROR_IS_OK(werr)) {
2178 return werr;
2179 }
2180
2181 u->in.debug = r->in.debug;
2182 u->in.dc_name = r->in.dc_name;
2183 u->in.domain_name = r->in.domain_name;
2184 u->in.admin_account = r->in.admin_account;
2185 u->in.admin_password = r->in.admin_password;
2186 u->in.modify_config = r->in.modify_config;
2187 u->in.use_kerberos = r->in.use_kerberos;
2188 u->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
2189 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
2190
2191 werr = libnet_Unjoin(mem_ctx, u);
2192 TALLOC_FREE(u);
2193
2194 return werr;
2195 }
2196
2197 /****************************************************************
2198 ****************************************************************/
2199
2200 WERROR libnet_Join(TALLOC_CTX *mem_ctx,
2201 struct libnet_JoinCtx *r)
2202 {
2203 WERROR werr;
2204
2205 if (r->in.debug) {
2206 LIBNET_JOIN_IN_DUMP_CTX(mem_ctx, r);
2207 }
2208
2209 ZERO_STRUCT(r->out);
2210
2211 werr = libnet_join_pre_processing(mem_ctx, r);
2212 if (!W_ERROR_IS_OK(werr)) {
2213 goto done;
2214 }
2215
2216 if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
2217 werr = libnet_DomainJoin(mem_ctx, r);
2218 if (!W_ERROR_IS_OK(werr)) {
2219 goto done;
2220 }
2221 }
2222
2223 werr = libnet_join_post_processing(mem_ctx, r);
2224 if (!W_ERROR_IS_OK(werr)) {
2225 goto done;
2226 }
2227
2228 if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
2229 werr = libnet_join_post_verify(mem_ctx, r);
2230 if (!W_ERROR_IS_OK(werr)) {
2231 libnet_join_rollback(mem_ctx, r);
2232 }
2233 }
2234
2235 done:
2236 r->out.result = werr;
2237
2238 if (r->in.debug) {
2239 LIBNET_JOIN_OUT_DUMP_CTX(mem_ctx, r);
2240 }
2241 return werr;
2242 }
2243
2244 /****************************************************************
2245 ****************************************************************/
2246
2247 static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
2248 struct libnet_UnjoinCtx *r)
2249 {
2250 NTSTATUS status;
2251
2252 if (!r->in.domain_sid) {
2253 struct dom_sid sid;
2254 if (!secrets_fetch_domain_sid(lp_workgroup(), &sid)) {
2255 libnet_unjoin_set_error_string(mem_ctx, r,
2256 "Unable to fetch domain sid: are we joined?");
2257 return WERR_SETUP_NOT_JOINED;
2258 }
2259 r->in.domain_sid = dom_sid_dup(mem_ctx, &sid);
2260 W_ERROR_HAVE_NO_MEMORY(r->in.domain_sid);
2261 }
2262
2263 if (!(r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) &&
2264 !r->in.delete_machine_account) {
2265 libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
2266 return WERR_OK;
2267 }
2268
2269 if (!r->in.dc_name) {
2270 struct netr_DsRGetDCNameInfo *info;
2271 const char *dc;
2272 status = dsgetdcname(mem_ctx,
2273 r->in.msg_ctx,
2274 r->in.domain_name,
2275 NULL,
2276 NULL,
2277 DS_DIRECTORY_SERVICE_REQUIRED |
2278 DS_WRITABLE_REQUIRED |
2279 DS_RETURN_DNS_NAME,
2280 &info);
2281 if (!NT_STATUS_IS_OK(status)) {
2282 libnet_unjoin_set_error_string(mem_ctx, r,
2283 "failed to find DC for domain %s",
2284 r->in.domain_name,
2285 get_friendly_nt_error_msg(status));
2286 return WERR_DCNOTFOUND;
2287 }
2288
2289 dc = strip_hostname(info->dc_unc);
2290 r->in.dc_name = talloc_strdup(mem_ctx, dc);
2291 W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
2292 }
2293
2294 #ifdef HAVE_ADS
2295 /* for net ads leave, try to delete the account. If it works,
2296 no sense in disabling. If it fails, we can still try to
2297 disable it. jmcd */
2298
2299 if (r->in.delete_machine_account) {
2300 ADS_STATUS ads_status;
2301 ads_status = libnet_unjoin_connect_ads(mem_ctx, r);
2302 if (ADS_ERR_OK(ads_status)) {
2303 /* dirty hack */
2304 r->out.dns_domain_name =
2305 talloc_strdup(mem_ctx,
2306 r->in.ads->server.realm);
2307 ads_status =
2308 libnet_unjoin_remove_machine_acct(mem_ctx, r);
2309 }
2310 if (!ADS_ERR_OK(ads_status)) {
2311 libnet_unjoin_set_error_string(mem_ctx, r,
2312 "failed to remove machine account from AD: %s",
2313 ads_errstr(ads_status));
2314 } else {
2315 r->out.deleted_machine_account = true;
2316 W_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name);
2317 libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
2318 return WERR_OK;
2319 }
2320 }
2321 #endif /* HAVE_ADS */
2322
2323 /* The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag really means
2324 "disable". */
2325 if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) {
2326 status = libnet_join_unjoindomain_rpc(mem_ctx, r);
2327 if (!NT_STATUS_IS_OK(status)) {
2328 libnet_unjoin_set_error_string(mem_ctx, r,
2329 "failed to disable machine account via rpc: %s",
2330 get_friendly_nt_error_msg(status));
2331 if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
2332 return WERR_SETUP_NOT_JOINED;
2333 }
2334 return ntstatus_to_werror(status);
2335 }
2336
2337 r->out.disabled_machine_account = true;
2338 }
2339
2340 /* If disable succeeded or was not requested at all, we
2341 should be getting rid of our end of things */
2342
2343 libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
2344
2345 return WERR_OK;
2346 }
2347
2348 /****************************************************************
2349 ****************************************************************/
2350
2351 static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx,
2352 struct libnet_UnjoinCtx *r)
2353 {
2354 if (!r->in.domain_name) {
2355 libnet_unjoin_set_error_string(mem_ctx, r,
2356 "No domain name defined");
2357 return WERR_INVALID_PARAM;
2358 }
2359
2360 if (!libnet_parse_domain_dc(mem_ctx, r->in.domain_name,
2361 &r->in.domain_name,
2362 &r->in.dc_name)) {
2363 libnet_unjoin_set_error_string(mem_ctx, r,
2364 "Failed to parse domain name");
2365 return WERR_INVALID_PARAM;
2366 }
2367
2368 if (IS_DC) {
2369 return WERR_SETUP_DOMAIN_CONTROLLER;
2370 }
2371
2372 if (!secrets_init()) {
2373 libnet_unjoin_set_error_string(mem_ctx, r,
2374 "Unable to open secrets database");
2375 return WERR_CAN_NOT_COMPLETE;
2376 }
2377
2378 return WERR_OK;
2379 }
2380
2381 /****************************************************************
2382 ****************************************************************/
2383
2384 static WERROR libnet_unjoin_post_processing(TALLOC_CTX *mem_ctx,
2385 struct libnet_UnjoinCtx *r)
2386 {
2387 saf_delete(r->out.netbios_domain_name);
2388 saf_delete(r->out.dns_domain_name);
2389
2390 return libnet_unjoin_config(r);
2391 }
2392
2393 /****************************************************************
2394 ****************************************************************/
2395
2396 WERROR libnet_Unjoin(TALLOC_CTX *mem_ctx,
2397 struct libnet_UnjoinCtx *r)
2398 {
2399 WERROR werr;
2400
2401 if (r->in.debug) {
2402 LIBNET_UNJOIN_IN_DUMP_CTX(mem_ctx, r);
2403 }
2404
2405 werr = libnet_unjoin_pre_processing(mem_ctx, r);
2406 if (!W_ERROR_IS_OK(werr)) {
2407 goto done;
2408 }
2409
2410 if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
2411 werr = libnet_DomainUnjoin(mem_ctx, r);
2412 if (!W_ERROR_IS_OK(werr)) {
2413 libnet_unjoin_config(r);
2414 goto done;
2415 }
2416 }
2417
2418 werr = libnet_unjoin_post_processing(mem_ctx, r);
2419 if (!W_ERROR_IS_OK(werr)) {
2420 goto done;
2421 }
2422
2423 done:
2424 r->out.result = werr;
2425
2426 if (r->in.debug) {
2427 LIBNET_UNJOIN_OUT_DUMP_CTX(mem_ctx, r);
2428 }
2429
2430 return werr;
2431 }
Samba GIT mirror