search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
pidl: Fix array range checks in python output
[Samba.git] / source3 / libnet / libnet_join.c
blob4d00ef654132823f77a9135e54d7b0ffdc0d98e5
1 /*
2 * Unix SMB/CIFS implementation.
3 * libnet Join Support
4 * Copyright (C) Gerald (Jerry) Carter 2006
5 * Copyright (C) Guenther Deschner 2007-2008
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "ads.h"
23 #include "librpc/gen_ndr/ndr_libnet_join.h"
24 #include "libnet/libnet_join.h"
25 #include "libcli/auth/libcli_auth.h"
26 #include "../librpc/gen_ndr/ndr_samr_c.h"
27 #include "rpc_client/init_samr.h"
28 #include "../librpc/gen_ndr/ndr_lsa_c.h"
29 #include "rpc_client/cli_lsarpc.h"
30 #include "../librpc/gen_ndr/ndr_netlogon.h"
31 #include "rpc_client/cli_netlogon.h"
32 #include "lib/smbconf/smbconf.h"
33 #include "lib/smbconf/smbconf_reg.h"
34 #include "../libds/common/flags.h"
35 #include "secrets.h"
36 #include "rpc_client/init_lsa.h"
37 #include "rpc_client/cli_pipe.h"
38 #include "../libcli/security/security.h"
39 #include "passdb.h"
40 #include "libsmb/libsmb.h"
41 #include "../libcli/smb/smbXcli_base.h"
42 #include "lib/param/loadparm.h"
43 #include "libcli/auth/netlogon_creds_cli.h"
44 #include "auth/credentials/credentials.h"
45 #include "krb5_env.h"
46
47 /****************************************************************
48 ****************************************************************/
49
50 #define LIBNET_JOIN_DUMP_CTX(ctx, r, f) \
51 do { \
52 char *str = NULL; \
53 str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_JoinCtx, f, r); \
54 DEBUG(1,("libnet_Join:\n%s", str)); \
55 TALLOC_FREE(str); \
56 } while (0)
57
58 #define LIBNET_JOIN_IN_DUMP_CTX(ctx, r) \
59 LIBNET_JOIN_DUMP_CTX(ctx, r, NDR_IN | NDR_SET_VALUES)
60 #define LIBNET_JOIN_OUT_DUMP_CTX(ctx, r) \
61 LIBNET_JOIN_DUMP_CTX(ctx, r, NDR_OUT)
62
63 #define LIBNET_UNJOIN_DUMP_CTX(ctx, r, f) \
64 do { \
65 char *str = NULL; \
66 str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_UnjoinCtx, f, r); \
67 DEBUG(1,("libnet_Unjoin:\n%s", str)); \
68 TALLOC_FREE(str); \
69 } while (0)
70
71 #define LIBNET_UNJOIN_IN_DUMP_CTX(ctx, r) \
72 LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_IN | NDR_SET_VALUES)
73 #define LIBNET_UNJOIN_OUT_DUMP_CTX(ctx, r) \
74 LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_OUT)
75
76 /****************************************************************
77 ****************************************************************/
78
79 static void libnet_join_set_error_string(TALLOC_CTX *mem_ctx,
80 struct libnet_JoinCtx *r,
81 const char *format, ...)
82 PRINTF_ATTRIBUTE(3,4);
83
84 static void libnet_join_set_error_string(TALLOC_CTX *mem_ctx,
85 struct libnet_JoinCtx *r,
86 const char *format, ...)
87 {
88 va_list args;
89
90 if (r->out.error_string) {
91 return;
92 }
93
94 va_start(args, format);
95 r->out.error_string = talloc_vasprintf(mem_ctx, format, args);
96 va_end(args);
97 }
98
99 /****************************************************************
100 ****************************************************************/
101
102 static void libnet_unjoin_set_error_string(TALLOC_CTX *mem_ctx,
103 struct libnet_UnjoinCtx *r,
104 const char *format, ...)
105 PRINTF_ATTRIBUTE(3,4);
106
107 static void libnet_unjoin_set_error_string(TALLOC_CTX *mem_ctx,
108 struct libnet_UnjoinCtx *r,
109 const char *format, ...)
110 {
111 va_list args;
112
113 if (r->out.error_string) {
114 return;
115 }
116
117 va_start(args, format);
118 r->out.error_string = talloc_vasprintf(mem_ctx, format, args);
119 va_end(args);
120 }
121
122 #ifdef HAVE_ADS
123
124 /****************************************************************
125 ****************************************************************/
126
127 static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
128 const char *netbios_domain_name,
129 const char *dc_name,
130 const char *user_name,
131 const char *password,
132 const char *ccname,
133 ADS_STRUCT **ads)
134 {
135 ADS_STATUS status;
136 ADS_STRUCT *my_ads = NULL;
137 char *cp;
138
139 my_ads = ads_init(dns_domain_name,
140 netbios_domain_name,
141 dc_name);
142 if (!my_ads) {
143 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
144 }
145
146 if (user_name) {
147 SAFE_FREE(my_ads->auth.user_name);
148 my_ads->auth.user_name = SMB_STRDUP(user_name);
149 if ((cp = strchr_m(my_ads->auth.user_name, '@'))!=0) {
150 *cp++ = '\0';
151 SAFE_FREE(my_ads->auth.realm);
152 my_ads->auth.realm = smb_xstrdup(cp);
153 if (!strupper_m(my_ads->auth.realm)) {
154 ads_destroy(&my_ads);
155 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
156 }
157 }
158 }
159
160 if (password) {
161 SAFE_FREE(my_ads->auth.password);
162 my_ads->auth.password = SMB_STRDUP(password);
163 }
164
165 if (ccname != NULL) {
166 SAFE_FREE(my_ads->auth.ccache_name);
167 my_ads->auth.ccache_name = SMB_STRDUP(ccname);
168 setenv(KRB5_ENV_CCNAME, my_ads->auth.ccache_name, 1);
169 }
170
171 status = ads_connect_user_creds(my_ads);
172 if (!ADS_ERR_OK(status)) {
173 ads_destroy(&my_ads);
174 return status;
175 }
176
177 *ads = my_ads;
178 return ADS_SUCCESS;
179 }
180
181 /****************************************************************
182 ****************************************************************/
183
184 static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
185 struct libnet_JoinCtx *r,
186 bool use_machine_creds)
187 {
188 ADS_STATUS status;
189 const char *username;
190 const char *password;
191 const char *ccname = NULL;
192
193 if (use_machine_creds) {
194 if (r->in.machine_name == NULL ||
195 r->in.machine_password == NULL) {
196 return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
197 }
198 username = talloc_strdup(mem_ctx, r->in.machine_name);
199 if (username == NULL) {
200 return ADS_ERROR(LDAP_NO_MEMORY);
201 }
202 if (username[strlen(username)] != '$') {
203 username = talloc_asprintf(username, "%s$", username);
204 if (username == NULL) {
205 return ADS_ERROR(LDAP_NO_MEMORY);
206 }
207 }
208 password = r->in.machine_password;
209 ccname = "MEMORY:libnet_join_machine_creds";
210 } else {
211 username = r->in.admin_account;
212 password = r->in.admin_password;
213
214 /*
215 * when r->in.use_kerberos is set to allow "net ads join -k" we
216 * may not override the provided credential cache - gd
217 */
218
219 if (!r->in.use_kerberos) {
220 ccname = "MEMORY:libnet_join_user_creds";
221 }
222 }
223
224 status = libnet_connect_ads(r->out.dns_domain_name,
225 r->out.netbios_domain_name,
226 r->in.dc_name,
227 username,
228 password,
229 ccname,
230 &r->in.ads);
231 if (!ADS_ERR_OK(status)) {
232 libnet_join_set_error_string(mem_ctx, r,
233 "failed to connect to AD: %s",
234 ads_errstr(status));
235 return status;
236 }
237
238 if (!r->out.netbios_domain_name) {
239 r->out.netbios_domain_name = talloc_strdup(mem_ctx,
240 r->in.ads->server.workgroup);
241 ADS_ERROR_HAVE_NO_MEMORY(r->out.netbios_domain_name);
242 }
243
244 if (!r->out.dns_domain_name) {
245 r->out.dns_domain_name = talloc_strdup(mem_ctx,
246 r->in.ads->config.realm);
247 ADS_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name);
248 }
249
250 r->out.domain_is_ad = true;
251
252 return ADS_SUCCESS;
253 }
254
255 /****************************************************************
256 ****************************************************************/
257
258 static ADS_STATUS libnet_join_connect_ads_user(TALLOC_CTX *mem_ctx,
259 struct libnet_JoinCtx *r)
260 {
261 return libnet_join_connect_ads(mem_ctx, r, false);
262 }
263
264 /****************************************************************
265 ****************************************************************/
266
267 static ADS_STATUS libnet_join_connect_ads_machine(TALLOC_CTX *mem_ctx,
268 struct libnet_JoinCtx *r)
269 {
270 return libnet_join_connect_ads(mem_ctx, r, true);
271 }
272
273 /****************************************************************
274 ****************************************************************/
275
276 static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx,
277 struct libnet_UnjoinCtx *r)
278 {
279 ADS_STATUS status;
280
281 status = libnet_connect_ads(r->in.domain_name,
282 r->in.domain_name,
283 r->in.dc_name,
284 r->in.admin_account,
285 r->in.admin_password,
286 NULL,
287 &r->in.ads);
288 if (!ADS_ERR_OK(status)) {
289 libnet_unjoin_set_error_string(mem_ctx, r,
290 "failed to connect to AD: %s",
291 ads_errstr(status));
292 }
293
294 return status;
295 }
296
297 /****************************************************************
298 join a domain using ADS (LDAP mods)
299 ****************************************************************/
300
301 static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx,
302 struct libnet_JoinCtx *r)
303 {
304 ADS_STATUS status;
305 LDAPMessage *res = NULL;
306 const char *attrs[] = { "dn", NULL };
307 bool moved = false;
308
309 status = ads_check_ou_dn(mem_ctx, r->in.ads, &r->in.account_ou);
310 if (!ADS_ERR_OK(status)) {
311 return status;
312 }
313
314 status = ads_search_dn(r->in.ads, &res, r->in.account_ou, attrs);
315 if (!ADS_ERR_OK(status)) {
316 return status;
317 }
318
319 if (ads_count_replies(r->in.ads, res) != 1) {
320 ads_msgfree(r->in.ads, res);
321 return ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT);
322 }
323
324 ads_msgfree(r->in.ads, res);
325
326 /* Attempt to create the machine account and bail if this fails.
327 Assume that the admin wants exactly what they requested */
328
329 status = ads_create_machine_acct(r->in.ads,
330 r->in.machine_name,
331 r->in.account_ou,
332 r->in.desired_encryption_types);
333
334 if (ADS_ERR_OK(status)) {
335 DEBUG(1,("machine account creation created\n"));
336 return status;
337 } else if ((status.error_type == ENUM_ADS_ERROR_LDAP) &&
338 (status.err.rc == LDAP_ALREADY_EXISTS)) {
339 status = ADS_SUCCESS;
340 }
341
342 if (!ADS_ERR_OK(status)) {
343 DEBUG(1,("machine account creation failed\n"));
344 return status;
345 }
346
347 status = ads_move_machine_acct(r->in.ads,
348 r->in.machine_name,
349 r->in.account_ou,
350 &moved);
351 if (!ADS_ERR_OK(status)) {
352 DEBUG(1,("failure to locate/move pre-existing "
353 "machine account\n"));
354 return status;
355 }
356
357 DEBUG(1,("The machine account %s the specified OU.\n",
358 moved ? "was moved into" : "already exists in"));
359
360 return status;
361 }
362
363 /****************************************************************
364 ****************************************************************/
365
366 static ADS_STATUS libnet_unjoin_remove_machine_acct(TALLOC_CTX *mem_ctx,
367 struct libnet_UnjoinCtx *r)
368 {
369 ADS_STATUS status;
370
371 if (!r->in.ads) {
372 status = libnet_unjoin_connect_ads(mem_ctx, r);
373 if (!ADS_ERR_OK(status)) {
374 libnet_unjoin_set_error_string(mem_ctx, r,
375 "failed to connect to AD: %s",
376 ads_errstr(status));
377 return status;
378 }
379 }
380
381 status = ads_leave_realm(r->in.ads, r->in.machine_name);
382 if (!ADS_ERR_OK(status)) {
383 libnet_unjoin_set_error_string(mem_ctx, r,
384 "failed to leave realm: %s",
385 ads_errstr(status));
386 return status;
387 }
388
389 return ADS_SUCCESS;
390 }
391
392 /****************************************************************
393 ****************************************************************/
394
395 static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx,
396 struct libnet_JoinCtx *r)
397 {
398 ADS_STATUS status;
399 LDAPMessage *res = NULL;
400 char *dn = NULL;
401
402 if (!r->in.machine_name) {
403 return ADS_ERROR(LDAP_NO_MEMORY);
404 }
405
406 status = ads_find_machine_acct(r->in.ads,
407 &res,
408 r->in.machine_name);
409 if (!ADS_ERR_OK(status)) {
410 return status;
411 }
412
413 if (ads_count_replies(r->in.ads, res) != 1) {
414 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
415 goto done;
416 }
417
418 dn = ads_get_dn(r->in.ads, mem_ctx, res);
419 if (!dn) {
420 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
421 goto done;
422 }
423
424 r->out.dn = talloc_strdup(mem_ctx, dn);
425 if (!r->out.dn) {
426 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
427 goto done;
428 }
429
430 if (!ads_pull_uint32(r->in.ads, res, "msDS-SupportedEncryptionTypes",
431 &r->out.set_encryption_types)) {
432 r->out.set_encryption_types = 0;
433 }
434
435 done:
436 ads_msgfree(r->in.ads, res);
437 TALLOC_FREE(dn);
438
439 return status;
440 }
441
442 static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx,
443 struct libnet_JoinCtx *r,
444 char ***spn_array,
445 size_t *num_spns)
446 {
447 ADS_STATUS status;
448
449 if (r->in.machine_name == NULL) {
450 return ADS_ERROR_SYSTEM(EINVAL);
451 }
452
453 status = ads_get_service_principal_names(mem_ctx,
454 r->in.ads,
455 r->in.machine_name,
456 spn_array,
457 num_spns);
458
459 return status;
460 }
461
462 /****************************************************************
463 Set a machines dNSHostName and servicePrincipalName attributes
464 ****************************************************************/
465
466 static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
467 struct libnet_JoinCtx *r)
468 {
469 ADS_STATUS status;
470 ADS_MODLIST mods;
471 fstring my_fqdn;
472 const char **spn_array = NULL;
473 size_t num_spns = 0;
474 char *spn = NULL;
475 bool ok;
476 const char **netbios_aliases = NULL;
477
478 /* Find our DN */
479
480 status = libnet_join_find_machine_acct(mem_ctx, r);
481 if (!ADS_ERR_OK(status)) {
482 return status;
483 }
484
485 status = libnet_join_get_machine_spns(mem_ctx,
486 r,
487 discard_const_p(char **, &spn_array),
488 &num_spns);
489 if (!ADS_ERR_OK(status)) {
490 DEBUG(5, ("Retrieving the servicePrincipalNames failed.\n"));
491 }
492
493 /* Windows only creates HOST/shortname & HOST/fqdn. */
494
495 spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
496 if (!spn) {
497 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
498 }
499 if (!strupper_m(spn)) {
500 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
501 }
502
503 ok = ads_element_in_array(spn_array, num_spns, spn);
504 if (!ok) {
505 ok = add_string_to_array(spn_array, spn,
506 &spn_array, &num_spns);
507 if (!ok) {
508 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
509 }
510 }
511
512 if (!name_to_fqdn(my_fqdn, r->in.machine_name)
513 || (strchr(my_fqdn, '.') == NULL)) {
514 fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name,
515 r->out.dns_domain_name);
516 }
517
518 if (!strlower_m(my_fqdn)) {
519 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
520 }
521
522 if (!strequal(my_fqdn, r->in.machine_name)) {
523 spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
524 if (!spn) {
525 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
526 }
527
528 ok = ads_element_in_array(spn_array, num_spns, spn);
529 if (!ok) {
530 ok = add_string_to_array(spn_array, spn,
531 &spn_array, &num_spns);
532 if (!ok) {
533 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
534 }
535 }
536 }
537
538 netbios_aliases = lp_netbios_aliases();
539 if (netbios_aliases != NULL) {
540 for (; *netbios_aliases != NULL; netbios_aliases++) {
541 /*
542 * Add HOST/NETBIOSNAME
543 */
544 spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases);
545 if (spn == NULL) {
546 TALLOC_FREE(spn);
547 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
548 }
549 if (!strupper_m(spn)) {
550 TALLOC_FREE(spn);
551 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
552 }
553
554 ok = ads_element_in_array(spn_array, num_spns, spn);
555 if (ok) {
556 TALLOC_FREE(spn);
557 continue;
558 }
559 ok = add_string_to_array(spn_array, spn,
560 &spn_array, &num_spns);
561 if (!ok) {
562 TALLOC_FREE(spn);
563 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
564 }
565 TALLOC_FREE(spn);
566
567 /*
568 * Add HOST/netbiosname.domainname
569 */
570 if (r->out.dns_domain_name == NULL) {
571 continue;
572 }
573 fstr_sprintf(my_fqdn, "%s.%s",
574 *netbios_aliases,
575 r->out.dns_domain_name);
576
577 spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
578 if (spn == NULL) {
579 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
580 }
581
582 ok = ads_element_in_array(spn_array, num_spns, spn);
583 if (ok) {
584 TALLOC_FREE(spn);
585 continue;
586 }
587 ok = add_string_to_array(spn_array, spn,
588 &spn_array, &num_spns);
589 if (!ok) {
590 TALLOC_FREE(spn);
591 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
592 }
593 TALLOC_FREE(spn);
594 }
595 }
596
597 /* make sure to NULL terminate the array */
598 spn_array = talloc_realloc(mem_ctx, spn_array, const char *, num_spns + 1);
599 if (spn_array == NULL) {
600 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
601 }
602 spn_array[num_spns] = NULL;
603
604 mods = ads_init_mods(mem_ctx);
605 if (!mods) {
606 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
607 }
608
609 /* fields of primary importance */
610
611 status = ads_mod_str(mem_ctx, &mods, "dNSHostName", my_fqdn);
612 if (!ADS_ERR_OK(status)) {
613 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
614 }
615
616 status = ads_mod_strlist(mem_ctx, &mods, "servicePrincipalName",
617 spn_array);
618 if (!ADS_ERR_OK(status)) {
619 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
620 }
621
622 return ads_gen_mod(r->in.ads, r->out.dn, mods);
623 }
624
625 /****************************************************************
626 ****************************************************************/
627
628 static ADS_STATUS libnet_join_set_machine_upn(TALLOC_CTX *mem_ctx,
629 struct libnet_JoinCtx *r)
630 {
631 ADS_STATUS status;
632 ADS_MODLIST mods;
633
634 if (!r->in.create_upn) {
635 return ADS_SUCCESS;
636 }
637
638 /* Find our DN */
639
640 status = libnet_join_find_machine_acct(mem_ctx, r);
641 if (!ADS_ERR_OK(status)) {
642 return status;
643 }
644
645 if (!r->in.upn) {
646 const char *realm = r->out.dns_domain_name;
647
648 /* in case we are about to generate a keytab during the join
649 * make sure the default upn we create is usable with kinit -k.
650 * gd */
651
652 if (USE_KERBEROS_KEYTAB) {
653 realm = talloc_strdup_upper(mem_ctx,
654 r->out.dns_domain_name);
655 }
656
657 if (!realm) {
658 return ADS_ERROR(LDAP_NO_MEMORY);
659 }
660
661 r->in.upn = talloc_asprintf(mem_ctx,
662 "host/%s@%s",
663 r->in.machine_name,
664 realm);
665 if (!r->in.upn) {
666 return ADS_ERROR(LDAP_NO_MEMORY);
667 }
668 }
669
670 /* now do the mods */
671
672 mods = ads_init_mods(mem_ctx);
673 if (!mods) {
674 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
675 }
676
677 /* fields of primary importance */
678
679 status = ads_mod_str(mem_ctx, &mods, "userPrincipalName", r->in.upn);
680 if (!ADS_ERR_OK(status)) {
681 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
682 }
683
684 return ads_gen_mod(r->in.ads, r->out.dn, mods);
685 }
686
687
688 /****************************************************************
689 ****************************************************************/
690
691 static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
692 struct libnet_JoinCtx *r)
693 {
694 ADS_STATUS status;
695 ADS_MODLIST mods;
696 char *os_sp = NULL;
697
698 if (!r->in.os_name || !r->in.os_version ) {
699 return ADS_SUCCESS;
700 }
701
702 /* Find our DN */
703
704 status = libnet_join_find_machine_acct(mem_ctx, r);
705 if (!ADS_ERR_OK(status)) {
706 return status;
707 }
708
709 /* now do the mods */
710
711 mods = ads_init_mods(mem_ctx);
712 if (!mods) {
713 return ADS_ERROR(LDAP_NO_MEMORY);
714 }
715
716 if (r->in.os_servicepack) {
717 /*
718 * if blank string then leave os_sp equal to NULL to force
719 * attribute delete (LDAP_MOD_DELETE)
720 */
721 if (!strequal(r->in.os_servicepack,"")) {
722 os_sp = talloc_strdup(mem_ctx, r->in.os_servicepack);
723 }
724 } else {
725 os_sp = talloc_asprintf(mem_ctx, "Samba %s",
726 samba_version_string());
727 }
728 if (!os_sp && !strequal(r->in.os_servicepack,"")) {
729 return ADS_ERROR(LDAP_NO_MEMORY);
730 }
731
732 /* fields of primary importance */
733
734 status = ads_mod_str(mem_ctx, &mods, "operatingSystem",
735 r->in.os_name);
736 if (!ADS_ERR_OK(status)) {
737 return status;
738 }
739
740 status = ads_mod_str(mem_ctx, &mods, "operatingSystemVersion",
741 r->in.os_version);
742 if (!ADS_ERR_OK(status)) {
743 return status;
744 }
745
746 status = ads_mod_str(mem_ctx, &mods, "operatingSystemServicePack",
747 os_sp);
748 if (!ADS_ERR_OK(status)) {
749 return status;
750 }
751
752 return ads_gen_mod(r->in.ads, r->out.dn, mods);
753 }
754
755 /****************************************************************
756 ****************************************************************/
757
758 static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
759 struct libnet_JoinCtx *r)
760 {
761 ADS_STATUS status;
762 ADS_MODLIST mods;
763 const char *etype_list_str;
764
765 etype_list_str = talloc_asprintf(mem_ctx, "%d",
766 r->in.desired_encryption_types);
767 if (!etype_list_str) {
768 return ADS_ERROR(LDAP_NO_MEMORY);
769 }
770
771 /* Find our DN */
772
773 status = libnet_join_find_machine_acct(mem_ctx, r);
774 if (!ADS_ERR_OK(status)) {
775 return status;
776 }
777
778 if (r->in.desired_encryption_types == r->out.set_encryption_types) {
779 return ADS_SUCCESS;
780 }
781
782 /* now do the mods */
783
784 mods = ads_init_mods(mem_ctx);
785 if (!mods) {
786 return ADS_ERROR(LDAP_NO_MEMORY);
787 }
788
789 status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes",
790 etype_list_str);
791 if (!ADS_ERR_OK(status)) {
792 return status;
793 }
794
795 status = ads_gen_mod(r->in.ads, r->out.dn, mods);
796 if (!ADS_ERR_OK(status)) {
797 return status;
798 }
799
800 r->out.set_encryption_types = r->in.desired_encryption_types;
801
802 return ADS_SUCCESS;
803 }
804
805 /****************************************************************
806 ****************************************************************/
807
808 static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
809 struct libnet_JoinCtx *r)
810 {
811 if (!USE_SYSTEM_KEYTAB) {
812 return true;
813 }
814
815 if (ads_keytab_create_default(r->in.ads) != 0) {
816 return false;
817 }
818
819 return true;
820 }
821
822 /****************************************************************
823 ****************************************************************/
824
825 static bool libnet_join_derive_salting_principal(TALLOC_CTX *mem_ctx,
826 struct libnet_JoinCtx *r)
827 {
828 uint32_t domain_func;
829 ADS_STATUS status;
830 const char *salt = NULL;
831 char *std_salt = NULL;
832
833 status = ads_domain_func_level(r->in.ads, &domain_func);
834 if (!ADS_ERR_OK(status)) {
835 libnet_join_set_error_string(mem_ctx, r,
836 "failed to determine domain functional level: %s",
837 ads_errstr(status));
838 return false;
839 }
840
841 /* go ahead and setup the default salt */
842
843 std_salt = kerberos_standard_des_salt();
844 if (!std_salt) {
845 libnet_join_set_error_string(mem_ctx, r,
846 "failed to obtain standard DES salt");
847 return false;
848 }
849
850 salt = talloc_strdup(mem_ctx, std_salt);
851 if (!salt) {
852 return false;
853 }
854
855 SAFE_FREE(std_salt);
856
857 /* if it's a Windows functional domain, we have to look for the UPN */
858
859 if (domain_func == DS_DOMAIN_FUNCTION_2000) {
860 char *upn;
861
862 upn = ads_get_upn(r->in.ads, mem_ctx,
863 r->in.machine_name);
864 if (upn) {
865 salt = talloc_strdup(mem_ctx, upn);
866 if (!salt) {
867 return false;
868 }
869 }
870 }
871
872 return kerberos_secrets_store_des_salt(salt);
873 }
874
875 /****************************************************************
876 ****************************************************************/
877
878 static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
879 struct libnet_JoinCtx *r)
880 {
881 ADS_STATUS status;
882 bool need_etype_update = false;
883
884 if (!r->in.ads) {
885 status = libnet_join_connect_ads_user(mem_ctx, r);
886 if (!ADS_ERR_OK(status)) {
887 return status;
888 }
889 }
890
891 status = libnet_join_set_machine_spn(mem_ctx, r);
892 if (!ADS_ERR_OK(status)) {
893 libnet_join_set_error_string(mem_ctx, r,
894 "Failed to set machine spn: %s\n"
895 "Do you have sufficient permissions to create machine "
896 "accounts?",
897 ads_errstr(status));
898 return status;
899 }
900
901 status = libnet_join_set_os_attributes(mem_ctx, r);
902 if (!ADS_ERR_OK(status)) {
903 libnet_join_set_error_string(mem_ctx, r,
904 "failed to set machine os attributes: %s",
905 ads_errstr(status));
906 return status;
907 }
908
909 status = libnet_join_set_machine_upn(mem_ctx, r);
910 if (!ADS_ERR_OK(status)) {
911 libnet_join_set_error_string(mem_ctx, r,
912 "failed to set machine upn: %s",
913 ads_errstr(status));
914 return status;
915 }
916
917 status = libnet_join_find_machine_acct(mem_ctx, r);
918 if (!ADS_ERR_OK(status)) {
919 return status;
920 }
921
922 if (r->in.desired_encryption_types != r->out.set_encryption_types) {
923 uint32_t func_level = 0;
924
925 status = ads_domain_func_level(r->in.ads, &func_level);
926 if (!ADS_ERR_OK(status)) {
927 libnet_join_set_error_string(mem_ctx, r,
928 "failed to query domain controller functional level: %s",
929 ads_errstr(status));
930 return status;
931 }
932
933 if (func_level >= DS_DOMAIN_FUNCTION_2008) {
934 need_etype_update = true;
935 }
936 }
937
938 if (need_etype_update) {
939 /*
940 * We need to reconnect as machine account in order
941 * to update msDS-SupportedEncryptionTypes reliable
942 */
943
944 if (r->in.ads->auth.ccache_name != NULL) {
945 ads_kdestroy(r->in.ads->auth.ccache_name);
946 }
947
948 ads_destroy(&r->in.ads);
949
950 status = libnet_join_connect_ads_machine(mem_ctx, r);
951 if (!ADS_ERR_OK(status)) {
952 libnet_join_set_error_string(mem_ctx, r,
953 "Failed to connect as machine account: %s",
954 ads_errstr(status));
955 return status;
956 }
957
958 status = libnet_join_set_etypes(mem_ctx, r);
959 if (!ADS_ERR_OK(status)) {
960 libnet_join_set_error_string(mem_ctx, r,
961 "failed to set machine kerberos encryption types: %s",
962 ads_errstr(status));
963 return status;
964 }
965 }
966
967 if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
968 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
969 }
970
971 if (!libnet_join_create_keytab(mem_ctx, r)) {
972 libnet_join_set_error_string(mem_ctx, r,
973 "failed to create kerberos keytab");
974 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
975 }
976
977 return ADS_SUCCESS;
978 }
979 #endif /* HAVE_ADS */
980
981 /****************************************************************
982 Store the machine password and domain SID
983 ****************************************************************/
984
985 static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx,
986 struct libnet_JoinCtx *r)
987 {
988 if (!secrets_store_domain_sid(r->out.netbios_domain_name,
989 r->out.domain_sid))
990 {
991 DEBUG(1,("Failed to save domain sid\n"));
992 return false;
993 }
994
995 if (!secrets_store_machine_password(r->in.machine_password,
996 r->out.netbios_domain_name,
997 r->in.secure_channel_type))
998 {
999 DEBUG(1,("Failed to save machine password\n"));
1000 return false;
1001 }
1002
1003 return true;
1004 }
1005
1006 /****************************************************************
1007 Connect dc's IPC$ share
1008 ****************************************************************/
1009
1010 static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
1011 const char *user,
1012 const char *domain,
1013 const char *pass,
1014 bool use_kerberos,
1015 struct cli_state **cli)
1016 {
1017 int flags = 0;
1018
1019 if (use_kerberos) {
1020 flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
1021 }
1022
1023 if (use_kerberos && pass) {
1024 flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
1025 }
1026
1027 return cli_full_connection(cli, NULL,
1028 dc,
1029 NULL, 0,
1030 "IPC$", "IPC",
1031 user,
1032 domain,
1033 pass,
1034 flags,
1035 SMB_SIGNING_IPC_DEFAULT);
1036 }
1037
1038 /****************************************************************
1039 Lookup domain dc's info
1040 ****************************************************************/
1041
1042 static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
1043 struct libnet_JoinCtx *r,
1044 struct cli_state **cli)
1045 {
1046 struct rpc_pipe_client *pipe_hnd = NULL;
1047 struct policy_handle lsa_pol;
1048 NTSTATUS status, result;
1049 union lsa_PolicyInformation *info = NULL;
1050 struct dcerpc_binding_handle *b;
1051
1052 status = libnet_join_connect_dc_ipc(r->in.dc_name,
1053 r->in.admin_account,
1054 r->in.admin_domain,
1055 r->in.admin_password,
1056 r->in.use_kerberos,
1057 cli);
1058 if (!NT_STATUS_IS_OK(status)) {
1059 goto done;
1060 }
1061
1062 status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc,
1063 &pipe_hnd);
1064 if (!NT_STATUS_IS_OK(status)) {
1065 DEBUG(0,("Error connecting to LSA pipe. Error was %s\n",
1066 nt_errstr(status)));
1067 goto done;
1068 }
1069
1070 b = pipe_hnd->binding_handle;
1071
1072 status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
1073 SEC_FLAG_MAXIMUM_ALLOWED, &lsa_pol);
1074 if (!NT_STATUS_IS_OK(status)) {
1075 goto done;
1076 }
1077
1078 status = dcerpc_lsa_QueryInfoPolicy2(b, mem_ctx,
1079 &lsa_pol,
1080 LSA_POLICY_INFO_DNS,
1081 &info,
1082 &result);
1083 if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
1084 r->out.domain_is_ad = true;
1085 r->out.netbios_domain_name = info->dns.name.string;
1086 r->out.dns_domain_name = info->dns.dns_domain.string;
1087 r->out.forest_name = info->dns.dns_forest.string;
1088 r->out.domain_sid = dom_sid_dup(mem_ctx, info->dns.sid);
1089 NT_STATUS_HAVE_NO_MEMORY(r->out.domain_sid);
1090 }
1091
1092 if (!NT_STATUS_IS_OK(status)) {
1093 status = dcerpc_lsa_QueryInfoPolicy(b, mem_ctx,
1094 &lsa_pol,
1095 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
1096 &info,
1097 &result);
1098 if (!NT_STATUS_IS_OK(status)) {
1099 goto done;
1100 }
1101 if (!NT_STATUS_IS_OK(result)) {
1102 status = result;
1103 goto done;
1104 }
1105
1106 r->out.netbios_domain_name = info->account_domain.name.string;
1107 r->out.domain_sid = dom_sid_dup(mem_ctx, info->account_domain.sid);
1108 NT_STATUS_HAVE_NO_MEMORY(r->out.domain_sid);
1109 }
1110
1111 dcerpc_lsa_Close(b, mem_ctx, &lsa_pol, &result);
1112 TALLOC_FREE(pipe_hnd);
1113
1114 done:
1115 return status;
1116 }
1117
1118 /****************************************************************
1119 Do the domain join unsecure
1120 ****************************************************************/
1121
1122 static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
1123 struct libnet_JoinCtx *r,
1124 struct cli_state *cli)
1125 {
1126 TALLOC_CTX *frame = talloc_stackframe();
1127 struct rpc_pipe_client *netlogon_pipe = NULL;
1128 struct netlogon_creds_cli_context *netlogon_creds = NULL;
1129 struct samr_Password current_nt_hash;
1130 const char *account_name = NULL;
1131 NTSTATUS status;
1132
1133 status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
1134 &netlogon_pipe);
1135 if (!NT_STATUS_IS_OK(status)) {
1136 TALLOC_FREE(frame);
1137 return status;
1138 }
1139
1140 if (!r->in.machine_password) {
1141 int security = r->in.ads ? SEC_ADS : SEC_DOMAIN;
1142
1143 r->in.machine_password = trust_pw_new_value(mem_ctx,
1144 r->in.secure_channel_type,
1145 security);
1146 if (r->in.machine_password == NULL) {
1147 TALLOC_FREE(frame);
1148 return NT_STATUS_NO_MEMORY;
1149 }
1150 }
1151
1152 /* according to WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED */
1153 E_md4hash(r->in.admin_password, current_nt_hash.hash);
1154
1155 account_name = talloc_asprintf(frame, "%s$",
1156 r->in.machine_name);
1157 if (account_name == NULL) {
1158 TALLOC_FREE(frame);
1159 return NT_STATUS_NO_MEMORY;
1160 }
1161
1162 status = rpccli_create_netlogon_creds(netlogon_pipe->desthost,
1163 r->in.domain_name,
1164 account_name,
1165 r->in.secure_channel_type,
1166 r->in.msg_ctx,
1167 frame,
1168 &netlogon_creds);
1169 if (!NT_STATUS_IS_OK(status)) {
1170 TALLOC_FREE(frame);
1171 return status;
1172 }
1173
1174 status = rpccli_setup_netlogon_creds(cli, NCACN_NP,
1175 netlogon_creds,
1176 true, /* force_reauth */
1177 current_nt_hash,
1178 NULL); /* previous_nt_hash */
1179 if (!NT_STATUS_IS_OK(status)) {
1180 TALLOC_FREE(frame);
1181 return status;
1182 }
1183
1184 status = netlogon_creds_cli_ServerPasswordSet(netlogon_creds,
1185 netlogon_pipe->binding_handle,
1186 r->in.machine_password,
1187 NULL); /* new_version */
1188 if (!NT_STATUS_IS_OK(status)) {
1189 TALLOC_FREE(frame);
1190 return status;
1191 }
1192
1193 TALLOC_FREE(frame);
1194 return NT_STATUS_OK;
1195 }
1196
1197 /****************************************************************
1198 Do the domain join
1199 ****************************************************************/
1200
1201 static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
1202 struct libnet_JoinCtx *r,
1203 struct cli_state *cli)
1204 {
1205 struct rpc_pipe_client *pipe_hnd = NULL;
1206 struct policy_handle sam_pol, domain_pol, user_pol;
1207 NTSTATUS status = NT_STATUS_UNSUCCESSFUL, result;
1208 char *acct_name;
1209 struct lsa_String lsa_acct_name;
1210 uint32_t user_rid;
1211 uint32_t acct_flags = ACB_WSTRUST;
1212 struct samr_Ids user_rids;
1213 struct samr_Ids name_types;
1214 union samr_UserInfo user_info;
1215 struct dcerpc_binding_handle *b = NULL;
1216 unsigned int old_timeout = 0;
1217
1218 DATA_BLOB session_key = data_blob_null;
1219 struct samr_CryptPassword crypt_pwd;
1220 struct samr_CryptPasswordEx crypt_pwd_ex;
1221
1222 ZERO_STRUCT(sam_pol);
1223 ZERO_STRUCT(domain_pol);
1224 ZERO_STRUCT(user_pol);
1225
1226 switch (r->in.secure_channel_type) {
1227 case SEC_CHAN_WKSTA:
1228 acct_flags = ACB_WSTRUST;
1229 break;
1230 case SEC_CHAN_BDC:
1231 acct_flags = ACB_SVRTRUST;
1232 break;
1233 default:
1234 return NT_STATUS_INVALID_PARAMETER;
1235 }
1236
1237 if (!r->in.machine_password) {
1238 int security = r->in.ads ? SEC_ADS : SEC_DOMAIN;
1239
1240 r->in.machine_password = trust_pw_new_value(mem_ctx,
1241 r->in.secure_channel_type,
1242 security);
1243 NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
1244 }
1245
1246 /* Open the domain */
1247
1248 status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
1249 &pipe_hnd);
1250 if (!NT_STATUS_IS_OK(status)) {
1251 DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
1252 nt_errstr(status)));
1253 goto done;
1254 }
1255
1256 b = pipe_hnd->binding_handle;
1257
1258 status = cli_get_session_key(mem_ctx, pipe_hnd, &session_key);
1259 if (!NT_STATUS_IS_OK(status)) {
1260 DEBUG(0,("Error getting session_key of SAM pipe. Error was %s\n",
1261 nt_errstr(status)));
1262 goto done;
1263 }
1264
1265 status = dcerpc_samr_Connect2(b, mem_ctx,
1266 pipe_hnd->desthost,
1267 SAMR_ACCESS_ENUM_DOMAINS
1268 | SAMR_ACCESS_LOOKUP_DOMAIN,
1269 &sam_pol,
1270 &result);
1271 if (!NT_STATUS_IS_OK(status)) {
1272 goto done;
1273 }
1274 if (!NT_STATUS_IS_OK(result)) {
1275 status = result;
1276 goto done;
1277 }
1278
1279 status = dcerpc_samr_OpenDomain(b, mem_ctx,
1280 &sam_pol,
1281 SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
1282 | SAMR_DOMAIN_ACCESS_CREATE_USER
1283 | SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
1284 r->out.domain_sid,
1285 &domain_pol,
1286 &result);
1287 if (!NT_STATUS_IS_OK(status)) {
1288 goto done;
1289 }
1290 if (!NT_STATUS_IS_OK(result)) {
1291 status = result;
1292 goto done;
1293 }
1294
1295 /* Create domain user */
1296
1297 acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name);
1298 if (!strlower_m(acct_name)) {
1299 status = NT_STATUS_INVALID_PARAMETER;
1300 goto done;
1301 }
1302
1303 init_lsa_String(&lsa_acct_name, acct_name);
1304
1305 if (r->in.join_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE) {
1306 uint32_t access_desired =
1307 SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE |
1308 SEC_STD_WRITE_DAC | SEC_STD_DELETE |
1309 SAMR_USER_ACCESS_SET_PASSWORD |
1310 SAMR_USER_ACCESS_GET_ATTRIBUTES |
1311 SAMR_USER_ACCESS_SET_ATTRIBUTES;
1312 uint32_t access_granted = 0;
1313
1314 DEBUG(10,("Creating account with desired access mask: %d\n",
1315 access_desired));
1316
1317 status = dcerpc_samr_CreateUser2(b, mem_ctx,
1318 &domain_pol,
1319 &lsa_acct_name,
1320 acct_flags,
1321 access_desired,
1322 &user_pol,
1323 &access_granted,
1324 &user_rid,
1325 &result);
1326 if (!NT_STATUS_IS_OK(status)) {
1327 goto done;
1328 }
1329
1330 status = result;
1331 if (!NT_STATUS_IS_OK(status) &&
1332 !NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
1333
1334 DEBUG(10,("Creation of workstation account failed: %s\n",
1335 nt_errstr(status)));
1336
1337 /* If NT_STATUS_ACCESS_DENIED then we have a valid
1338 username/password combo but the user does not have
1339 administrator access. */
1340
1341 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
1342 libnet_join_set_error_string(mem_ctx, r,
1343 "User specified does not have "
1344 "administrator privileges");
1345 }
1346
1347 goto done;
1348 }
1349
1350 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
1351 if (!(r->in.join_flags &
1352 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED)) {
1353 goto done;
1354 }
1355 }
1356
1357 /* We *must* do this.... don't ask... */
1358
1359 if (NT_STATUS_IS_OK(status)) {
1360 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
1361 }
1362 }
1363
1364 status = dcerpc_samr_LookupNames(b, mem_ctx,
1365 &domain_pol,
1366 1,
1367 &lsa_acct_name,
1368 &user_rids,
1369 &name_types,
1370 &result);
1371 if (!NT_STATUS_IS_OK(status)) {
1372 goto done;
1373 }
1374 if (!NT_STATUS_IS_OK(result)) {
1375 status = result;
1376 goto done;
1377 }
1378 if (user_rids.count != 1) {
1379 status = NT_STATUS_INVALID_NETWORK_RESPONSE;
1380 goto done;
1381 }
1382 if (name_types.count != 1) {
1383 status = NT_STATUS_INVALID_NETWORK_RESPONSE;
1384 goto done;
1385 }
1386
1387 if (name_types.ids[0] != SID_NAME_USER) {
1388 DEBUG(0,("%s is not a user account (type=%d)\n",
1389 acct_name, name_types.ids[0]));
1390 status = NT_STATUS_INVALID_WORKSTATION;
1391 goto done;
1392 }
1393
1394 user_rid = user_rids.ids[0];
1395
1396 /* Open handle on user */
1397
1398 status = dcerpc_samr_OpenUser(b, mem_ctx,
1399 &domain_pol,
1400 SEC_FLAG_MAXIMUM_ALLOWED,
1401 user_rid,
1402 &user_pol,
1403 &result);
1404 if (!NT_STATUS_IS_OK(status)) {
1405 goto done;
1406 }
1407 if (!NT_STATUS_IS_OK(result)) {
1408 status = result;
1409 goto done;
1410 }
1411
1412 /* Fill in the additional account flags now */
1413
1414 acct_flags |= ACB_PWNOEXP;
1415
1416 /* Set account flags on machine account */
1417 ZERO_STRUCT(user_info.info16);
1418 user_info.info16.acct_flags = acct_flags;
1419
1420 status = dcerpc_samr_SetUserInfo2(b, mem_ctx,
1421 &user_pol,
1422 UserControlInformation,
1423 &user_info,
1424 &result);
1425 if (!NT_STATUS_IS_OK(status)) {
1426 dcerpc_samr_DeleteUser(b, mem_ctx,
1427 &user_pol,
1428 &result);
1429
1430 libnet_join_set_error_string(mem_ctx, r,
1431 "Failed to set account flags for machine account (%s)\n",
1432 nt_errstr(status));
1433 goto done;
1434 }
1435
1436 if (!NT_STATUS_IS_OK(result)) {
1437 status = result;
1438
1439 dcerpc_samr_DeleteUser(b, mem_ctx,
1440 &user_pol,
1441 &result);
1442
1443 libnet_join_set_error_string(mem_ctx, r,
1444 "Failed to set account flags for machine account (%s)\n",
1445 nt_errstr(status));
1446 goto done;
1447 }
1448
1449 /* Set password on machine account - first try level 26 */
1450
1451 /*
1452 * increase the timeout as password filter modules on the DC
1453 * might delay the operation for a significant amount of time
1454 */
1455 old_timeout = rpccli_set_timeout(pipe_hnd, 600000);
1456
1457 init_samr_CryptPasswordEx(r->in.machine_password,
1458 &session_key,
1459 &crypt_pwd_ex);
1460
1461 user_info.info26.password = crypt_pwd_ex;
1462 user_info.info26.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
1463
1464 status = dcerpc_samr_SetUserInfo2(b, mem_ctx,
1465 &user_pol,
1466 UserInternal5InformationNew,
1467 &user_info,
1468 &result);
1469
1470 if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) {
1471
1472 /* retry with level 24 */
1473
1474 init_samr_CryptPassword(r->in.machine_password,
1475 &session_key,
1476 &crypt_pwd);
1477
1478 user_info.info24.password = crypt_pwd;
1479 user_info.info24.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
1480
1481 status = dcerpc_samr_SetUserInfo2(b, mem_ctx,
1482 &user_pol,
1483 UserInternal5Information,
1484 &user_info,
1485 &result);
1486 }
1487
1488 old_timeout = rpccli_set_timeout(pipe_hnd, old_timeout);
1489
1490 if (!NT_STATUS_IS_OK(status)) {
1491
1492 dcerpc_samr_DeleteUser(b, mem_ctx,
1493 &user_pol,
1494 &result);
1495
1496 libnet_join_set_error_string(mem_ctx, r,
1497 "Failed to set password for machine account (%s)\n",
1498 nt_errstr(status));
1499 goto done;
1500 }
1501 if (!NT_STATUS_IS_OK(result)) {
1502 status = result;
1503
1504 dcerpc_samr_DeleteUser(b, mem_ctx,
1505 &user_pol,
1506 &result);
1507
1508 libnet_join_set_error_string(mem_ctx, r,
1509 "Failed to set password for machine account (%s)\n",
1510 nt_errstr(status));
1511 goto done;
1512 }
1513
1514 status = NT_STATUS_OK;
1515
1516 done:
1517 if (!pipe_hnd) {
1518 return status;
1519 }
1520
1521 data_blob_clear_free(&session_key);
1522
1523 if (is_valid_policy_hnd(&sam_pol)) {
1524 dcerpc_samr_Close(b, mem_ctx, &sam_pol, &result);
1525 }
1526 if (is_valid_policy_hnd(&domain_pol)) {
1527 dcerpc_samr_Close(b, mem_ctx, &domain_pol, &result);
1528 }
1529 if (is_valid_policy_hnd(&user_pol)) {
1530 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
1531 }
1532 TALLOC_FREE(pipe_hnd);
1533
1534 return status;
1535 }
1536
1537 /****************************************************************
1538 ****************************************************************/
1539
1540 NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
1541 const char *netbios_domain_name,
1542 const char *dc_name,
1543 const bool use_kerberos)
1544 {
1545 TALLOC_CTX *frame = talloc_stackframe();
1546 struct cli_state *cli = NULL;
1547 struct rpc_pipe_client *netlogon_pipe = NULL;
1548 struct cli_credentials *cli_creds = NULL;
1549 struct netlogon_creds_cli_context *netlogon_creds = NULL;
1550 struct netlogon_creds_CredentialState *creds = NULL;
1551 uint32_t netlogon_flags = 0;
1552 NTSTATUS status;
1553 int flags = 0;
1554
1555 if (!dc_name) {
1556 TALLOC_FREE(frame);
1557 return NT_STATUS_INVALID_PARAMETER;
1558 }
1559
1560 if (!secrets_init()) {
1561 TALLOC_FREE(frame);
1562 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1563 }
1564
1565 status = pdb_get_trust_credentials(netbios_domain_name, NULL,
1566 frame, &cli_creds);
1567 if (!NT_STATUS_IS_OK(status)) {
1568 TALLOC_FREE(frame);
1569 return status;
1570 }
1571
1572 /* we don't want any old password */
1573 cli_credentials_set_old_password(cli_creds, NULL, CRED_SPECIFIED);
1574
1575 if (use_kerberos) {
1576 cli_credentials_set_kerberos_state(cli_creds,
1577 CRED_MUST_USE_KERBEROS);
1578 }
1579
1580 status = cli_full_connection_creds(&cli, NULL,
1581 dc_name,
1582 NULL, 0,
1583 "IPC$", "IPC",
1584 cli_creds,
1585 flags,
1586 SMB_SIGNING_IPC_DEFAULT);
1587
1588 if (!NT_STATUS_IS_OK(status)) {
1589 status = cli_full_connection(&cli, NULL,
1590 dc_name,
1591 NULL, 0,
1592 "IPC$", "IPC",
1593 "",
1594 NULL,
1595 "",
1596 0,
1597 SMB_SIGNING_IPC_DEFAULT);
1598 }
1599
1600 if (!NT_STATUS_IS_OK(status)) {
1601 TALLOC_FREE(frame);
1602 return status;
1603 }
1604
1605 status = rpccli_create_netlogon_creds_with_creds(cli_creds,
1606 dc_name,
1607 msg_ctx,
1608 frame,
1609 &netlogon_creds);
1610 if (!NT_STATUS_IS_OK(status)) {
1611 cli_shutdown(cli);
1612 TALLOC_FREE(frame);
1613 return status;
1614 }
1615
1616 status = rpccli_setup_netlogon_creds_with_creds(cli, NCACN_NP,
1617 netlogon_creds,
1618 true, /* force_reauth */
1619 cli_creds);
1620 if (!NT_STATUS_IS_OK(status)) {
1621 DEBUG(0,("connect_to_domain_password_server: "
1622 "unable to open the domain client session to "
1623 "machine %s. Flags[0x%08X] Error was : %s.\n",
1624 dc_name, (unsigned)netlogon_flags,
1625 nt_errstr(status)));
1626 cli_shutdown(cli);
1627 TALLOC_FREE(frame);
1628 return status;
1629 }
1630
1631 status = netlogon_creds_cli_get(netlogon_creds,
1632 talloc_tos(),
1633 &creds);
1634 if (!NT_STATUS_IS_OK(status)) {
1635 cli_shutdown(cli);
1636 TALLOC_FREE(frame);
1637 return status;
1638 }
1639 netlogon_flags = creds->negotiate_flags;
1640 TALLOC_FREE(creds);
1641
1642 if (!(netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
1643 cli_shutdown(cli);
1644 TALLOC_FREE(frame);
1645 return NT_STATUS_OK;
1646 }
1647
1648 status = cli_rpc_pipe_open_schannel_with_creds(
1649 cli, &ndr_table_netlogon, NCACN_NP,
1650 cli_creds,
1651 netlogon_creds, &netlogon_pipe);
1652
1653 TALLOC_FREE(netlogon_pipe);
1654
1655 if (!NT_STATUS_IS_OK(status)) {
1656 DEBUG(0,("libnet_join_ok: failed to open schannel session "
1657 "on netlogon pipe to server %s for domain %s. "
1658 "Error was %s\n",
1659 smbXcli_conn_remote_name(cli->conn),
1660 netbios_domain_name, nt_errstr(status)));
1661 cli_shutdown(cli);
1662 TALLOC_FREE(frame);
1663 return status;
1664 }
1665
1666 cli_shutdown(cli);
1667 TALLOC_FREE(frame);
1668 return NT_STATUS_OK;
1669 }
1670
1671 /****************************************************************
1672 ****************************************************************/
1673
1674 static WERROR libnet_join_post_verify(TALLOC_CTX *mem_ctx,
1675 struct libnet_JoinCtx *r)
1676 {
1677 NTSTATUS status;
1678
1679 status = libnet_join_ok(r->in.msg_ctx,
1680 r->out.netbios_domain_name,
1681 r->in.dc_name,
1682 r->in.use_kerberos);
1683 if (!NT_STATUS_IS_OK(status)) {
1684 libnet_join_set_error_string(mem_ctx, r,
1685 "failed to verify domain membership after joining: %s",
1686 get_friendly_nt_error_msg(status));
1687 return WERR_NERR_SETUPNOTJOINED;
1688 }
1689
1690 return WERR_OK;
1691 }
1692
1693 /****************************************************************
1694 ****************************************************************/
1695
1696 static bool libnet_join_unjoindomain_remove_secrets(TALLOC_CTX *mem_ctx,
1697 struct libnet_UnjoinCtx *r)
1698 {
1699 if (!secrets_delete_machine_password_ex(lp_workgroup())) {
1700 return false;
1701 }
1702
1703 if (!secrets_delete_domain_sid(lp_workgroup())) {
1704 return false;
1705 }
1706
1707 return true;
1708 }
1709
1710 /****************************************************************
1711 ****************************************************************/
1712
1713 static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
1714 struct libnet_UnjoinCtx *r)
1715 {
1716 struct cli_state *cli = NULL;
1717 struct rpc_pipe_client *pipe_hnd = NULL;
1718 struct policy_handle sam_pol, domain_pol, user_pol;
1719 NTSTATUS status = NT_STATUS_UNSUCCESSFUL, result;
1720 char *acct_name;
1721 uint32_t user_rid;
1722 struct lsa_String lsa_acct_name;
1723 struct samr_Ids user_rids;
1724 struct samr_Ids name_types;
1725 union samr_UserInfo *info = NULL;
1726 struct dcerpc_binding_handle *b = NULL;
1727
1728 ZERO_STRUCT(sam_pol);
1729 ZERO_STRUCT(domain_pol);
1730 ZERO_STRUCT(user_pol);
1731
1732 status = libnet_join_connect_dc_ipc(r->in.dc_name,
1733 r->in.admin_account,
1734 r->in.admin_domain,
1735 r->in.admin_password,
1736 r->in.use_kerberos,
1737 &cli);
1738 if (!NT_STATUS_IS_OK(status)) {
1739 goto done;
1740 }
1741
1742 /* Open the domain */
1743
1744 status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
1745 &pipe_hnd);
1746 if (!NT_STATUS_IS_OK(status)) {
1747 DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
1748 nt_errstr(status)));
1749 goto done;
1750 }
1751
1752 b = pipe_hnd->binding_handle;
1753
1754 status = dcerpc_samr_Connect2(b, mem_ctx,
1755 pipe_hnd->desthost,
1756 SEC_FLAG_MAXIMUM_ALLOWED,
1757 &sam_pol,
1758 &result);
1759 if (!NT_STATUS_IS_OK(status)) {
1760 goto done;
1761 }
1762 if (!NT_STATUS_IS_OK(result)) {
1763 status = result;
1764 goto done;
1765 }
1766
1767 status = dcerpc_samr_OpenDomain(b, mem_ctx,
1768 &sam_pol,
1769 SEC_FLAG_MAXIMUM_ALLOWED,
1770 r->in.domain_sid,
1771 &domain_pol,
1772 &result);
1773 if (!NT_STATUS_IS_OK(status)) {
1774 goto done;
1775 }
1776 if (!NT_STATUS_IS_OK(result)) {
1777 status = result;
1778 goto done;
1779 }
1780
1781 /* Create domain user */
1782
1783 acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name);
1784 if (!strlower_m(acct_name)) {
1785 status = NT_STATUS_INVALID_PARAMETER;
1786 goto done;
1787 }
1788
1789 init_lsa_String(&lsa_acct_name, acct_name);
1790
1791 status = dcerpc_samr_LookupNames(b, mem_ctx,
1792 &domain_pol,
1793 1,
1794 &lsa_acct_name,
1795 &user_rids,
1796 &name_types,
1797 &result);
1798
1799 if (!NT_STATUS_IS_OK(status)) {
1800 goto done;
1801 }
1802 if (!NT_STATUS_IS_OK(result)) {
1803 status = result;
1804 goto done;
1805 }
1806 if (user_rids.count != 1) {
1807 status = NT_STATUS_INVALID_NETWORK_RESPONSE;
1808 goto done;
1809 }
1810 if (name_types.count != 1) {
1811 status = NT_STATUS_INVALID_NETWORK_RESPONSE;
1812 goto done;
1813 }
1814
1815 if (name_types.ids[0] != SID_NAME_USER) {
1816 DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name,
1817 name_types.ids[0]));
1818 status = NT_STATUS_INVALID_WORKSTATION;
1819 goto done;
1820 }
1821
1822 user_rid = user_rids.ids[0];
1823
1824 /* Open handle on user */
1825
1826 status = dcerpc_samr_OpenUser(b, mem_ctx,
1827 &domain_pol,
1828 SEC_FLAG_MAXIMUM_ALLOWED,
1829 user_rid,
1830 &user_pol,
1831 &result);
1832 if (!NT_STATUS_IS_OK(status)) {
1833 goto done;
1834 }
1835 if (!NT_STATUS_IS_OK(result)) {
1836 status = result;
1837 goto done;
1838 }
1839
1840 /* Get user info */
1841
1842 status = dcerpc_samr_QueryUserInfo(b, mem_ctx,
1843 &user_pol,
1844 16,
1845 &info,
1846 &result);
1847 if (!NT_STATUS_IS_OK(status)) {
1848 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
1849 goto done;
1850 }
1851 if (!NT_STATUS_IS_OK(result)) {
1852 status = result;
1853 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
1854 goto done;
1855 }
1856
1857 /* now disable and setuser info */
1858
1859 info->info16.acct_flags |= ACB_DISABLED;
1860
1861 status = dcerpc_samr_SetUserInfo(b, mem_ctx,
1862 &user_pol,
1863 16,
1864 info,
1865 &result);
1866 if (!NT_STATUS_IS_OK(status)) {
1867 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
1868 goto done;
1869 }
1870 if (!NT_STATUS_IS_OK(result)) {
1871 status = result;
1872 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
1873 goto done;
1874 }
1875 status = result;
1876 dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
1877
1878 done:
1879 if (pipe_hnd && b) {
1880 if (is_valid_policy_hnd(&domain_pol)) {
1881 dcerpc_samr_Close(b, mem_ctx, &domain_pol, &result);
1882 }
1883 if (is_valid_policy_hnd(&sam_pol)) {
1884 dcerpc_samr_Close(b, mem_ctx, &sam_pol, &result);
1885 }
1886 TALLOC_FREE(pipe_hnd);
1887 }
1888
1889 if (cli) {
1890 cli_shutdown(cli);
1891 }
1892
1893 return status;
1894 }
1895
1896 /****************************************************************
1897 ****************************************************************/
1898
1899 static WERROR do_join_modify_vals_config(struct libnet_JoinCtx *r)
1900 {
1901 WERROR werr = WERR_OK;
1902 sbcErr err;
1903 struct smbconf_ctx *ctx;
1904
1905 err = smbconf_init_reg(r, &ctx, NULL);
1906 if (!SBC_ERROR_IS_OK(err)) {
1907 werr = WERR_SERVICE_DOES_NOT_EXIST;
1908 goto done;
1909 }
1910
1911 if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE)) {
1912
1913 err = smbconf_set_global_parameter(ctx, "security", "user");
1914 if (!SBC_ERROR_IS_OK(err)) {
1915 werr = WERR_SERVICE_DOES_NOT_EXIST;
1916 goto done;
1917 }
1918
1919 err = smbconf_set_global_parameter(ctx, "workgroup",
1920 r->in.domain_name);
1921 if (!SBC_ERROR_IS_OK(err)) {
1922 werr = WERR_SERVICE_DOES_NOT_EXIST;
1923 goto done;
1924 }
1925
1926 smbconf_delete_global_parameter(ctx, "realm");
1927 goto done;
1928 }
1929
1930 err = smbconf_set_global_parameter(ctx, "security", "domain");
1931 if (!SBC_ERROR_IS_OK(err)) {
1932 werr = WERR_SERVICE_DOES_NOT_EXIST;
1933 goto done;
1934 }
1935
1936 err = smbconf_set_global_parameter(ctx, "workgroup",
1937 r->out.netbios_domain_name);
1938 if (!SBC_ERROR_IS_OK(err)) {
1939 werr = WERR_SERVICE_DOES_NOT_EXIST;
1940 goto done;
1941 }
1942
1943 if (r->out.domain_is_ad) {
1944 err = smbconf_set_global_parameter(ctx, "security", "ads");
1945 if (!SBC_ERROR_IS_OK(err)) {
1946 werr = WERR_SERVICE_DOES_NOT_EXIST;
1947 goto done;
1948 }
1949
1950 err = smbconf_set_global_parameter(ctx, "realm",
1951 r->out.dns_domain_name);
1952 if (!SBC_ERROR_IS_OK(err)) {
1953 werr = WERR_SERVICE_DOES_NOT_EXIST;
1954 goto done;
1955 }
1956 }
1957
1958 done:
1959 smbconf_shutdown(ctx);
1960 return werr;
1961 }
1962
1963 /****************************************************************
1964 ****************************************************************/
1965
1966 static WERROR do_unjoin_modify_vals_config(struct libnet_UnjoinCtx *r)
1967 {
1968 WERROR werr = WERR_OK;
1969 sbcErr err;
1970 struct smbconf_ctx *ctx;
1971
1972 err = smbconf_init_reg(r, &ctx, NULL);
1973 if (!SBC_ERROR_IS_OK(err)) {
1974 werr = WERR_SERVICE_DOES_NOT_EXIST;
1975 goto done;
1976 }
1977
1978 if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1979
1980 err = smbconf_set_global_parameter(ctx, "security", "user");
1981 if (!SBC_ERROR_IS_OK(err)) {
1982 werr = WERR_SERVICE_DOES_NOT_EXIST;
1983 goto done;
1984 }
1985
1986 err = smbconf_delete_global_parameter(ctx, "workgroup");
1987 if (!SBC_ERROR_IS_OK(err)) {
1988 werr = WERR_SERVICE_DOES_NOT_EXIST;
1989 goto done;
1990 }
1991
1992 smbconf_delete_global_parameter(ctx, "realm");
1993 }
1994
1995 done:
1996 smbconf_shutdown(ctx);
1997 return werr;
1998 }
1999
2000 /****************************************************************
2001 ****************************************************************/
2002
2003 static WERROR do_JoinConfig(struct libnet_JoinCtx *r)
2004 {
2005 WERROR werr;
2006
2007 if (!W_ERROR_IS_OK(r->out.result)) {
2008 return r->out.result;
2009 }
2010
2011 if (!r->in.modify_config) {
2012 return WERR_OK;
2013 }
2014
2015 werr = do_join_modify_vals_config(r);
2016 if (!W_ERROR_IS_OK(werr)) {
2017 return werr;
2018 }
2019
2020 lp_load_global(get_dyn_CONFIGFILE());
2021
2022 r->out.modified_config = true;
2023 r->out.result = werr;
2024
2025 return werr;
2026 }
2027
2028 /****************************************************************
2029 ****************************************************************/
2030
2031 static WERROR libnet_unjoin_config(struct libnet_UnjoinCtx *r)
2032 {
2033 WERROR werr;
2034
2035 if (!W_ERROR_IS_OK(r->out.result)) {
2036 return r->out.result;
2037 }
2038
2039 if (!r->in.modify_config) {
2040 return WERR_OK;
2041 }
2042
2043 werr = do_unjoin_modify_vals_config(r);
2044 if (!W_ERROR_IS_OK(werr)) {
2045 return werr;
2046 }
2047
2048 lp_load_global(get_dyn_CONFIGFILE());
2049
2050 r->out.modified_config = true;
2051 r->out.result = werr;
2052
2053 return werr;
2054 }
2055
2056 /****************************************************************
2057 ****************************************************************/
2058
2059 static bool libnet_parse_domain_dc(TALLOC_CTX *mem_ctx,
2060 const char *domain_str,
2061 const char **domain_p,
2062 const char **dc_p)
2063 {
2064 char *domain = NULL;
2065 char *dc = NULL;
2066 const char *p = NULL;
2067
2068 if (!domain_str || !domain_p || !dc_p) {
2069 return false;
2070 }
2071
2072 p = strchr_m(domain_str, '\\');
2073
2074 if (p != NULL) {
2075 domain = talloc_strndup(mem_ctx, domain_str,
2076 PTR_DIFF(p, domain_str));
2077 dc = talloc_strdup(mem_ctx, p+1);
2078 if (!dc) {
2079 return false;
2080 }
2081 } else {
2082 domain = talloc_strdup(mem_ctx, domain_str);
2083 dc = NULL;
2084 }
2085 if (!domain) {
2086 return false;
2087 }
2088
2089 *domain_p = domain;
2090
2091 if (!*dc_p && dc) {
2092 *dc_p = dc;
2093 }
2094
2095 return true;
2096 }
2097
2098 /****************************************************************
2099 ****************************************************************/
2100
2101 static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
2102 struct libnet_JoinCtx *r)
2103 {
2104 if (!r->in.domain_name) {
2105 libnet_join_set_error_string(mem_ctx, r,
2106 "No domain name defined");
2107 return WERR_INVALID_PARAMETER;
2108 }
2109
2110 if (strlen(r->in.machine_name) > 15) {
2111 libnet_join_set_error_string(mem_ctx, r,
2112 "Our netbios name can be at most 15 chars long, "
2113 "\"%s\" is %u chars long\n",
2114 r->in.machine_name,
2115 (unsigned int)strlen(r->in.machine_name));
2116 return WERR_INVALID_PARAMETER;
2117 }
2118
2119 if (!libnet_parse_domain_dc(mem_ctx, r->in.domain_name,
2120 &r->in.domain_name,
2121 &r->in.dc_name)) {
2122 libnet_join_set_error_string(mem_ctx, r,
2123 "Failed to parse domain name");
2124 return WERR_INVALID_PARAMETER;
2125 }
2126
2127 if (!r->in.admin_domain) {
2128 char *admin_domain = NULL;
2129 char *admin_account = NULL;
2130 bool ok;
2131
2132 ok = split_domain_user(mem_ctx,
2133 r->in.admin_account,
2134 &admin_domain,
2135 &admin_account);
2136 if (!ok) {
2137 return WERR_NOT_ENOUGH_MEMORY;
2138 }
2139
2140 if (admin_domain != NULL) {
2141 r->in.admin_domain = admin_domain;
2142 } else {
2143 r->in.admin_domain = r->in.domain_name;
2144 }
2145 r->in.admin_account = admin_account;
2146 }
2147
2148 if (!secrets_init()) {
2149 libnet_join_set_error_string(mem_ctx, r,
2150 "Unable to open secrets database");
2151 return WERR_CAN_NOT_COMPLETE;
2152 }
2153
2154 return WERR_OK;
2155 }
2156
2157 /****************************************************************
2158 ****************************************************************/
2159
2160 static void libnet_join_add_dom_rids_to_builtins(struct dom_sid *domain_sid)
2161 {
2162 NTSTATUS status;
2163
2164 /* Try adding dom admins to builtin\admins. Only log failures. */
2165 status = create_builtin_administrators(domain_sid);
2166 if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
2167 DEBUG(10,("Unable to auto-add domain administrators to "
2168 "BUILTIN\\Administrators during join because "
2169 "winbindd must be running.\n"));
2170 } else if (!NT_STATUS_IS_OK(status)) {
2171 DEBUG(5, ("Failed to auto-add domain administrators to "
2172 "BUILTIN\\Administrators during join: %s\n",
2173 nt_errstr(status)));
2174 }
2175
2176 /* Try adding dom users to builtin\users. Only log failures. */
2177 status = create_builtin_users(domain_sid);
2178 if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
2179 DEBUG(10,("Unable to auto-add domain users to BUILTIN\\users "
2180 "during join because winbindd must be running.\n"));
2181 } else if (!NT_STATUS_IS_OK(status)) {
2182 DEBUG(5, ("Failed to auto-add domain administrators to "
2183 "BUILTIN\\Administrators during join: %s\n",
2184 nt_errstr(status)));
2185 }
2186 }
2187
2188 /****************************************************************
2189 ****************************************************************/
2190
2191 static WERROR libnet_join_post_processing(TALLOC_CTX *mem_ctx,
2192 struct libnet_JoinCtx *r)
2193 {
2194 WERROR werr;
2195
2196 if (!W_ERROR_IS_OK(r->out.result)) {
2197 return r->out.result;
2198 }
2199
2200 werr = do_JoinConfig(r);
2201 if (!W_ERROR_IS_OK(werr)) {
2202 return werr;
2203 }
2204
2205 if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE)) {
2206 return WERR_OK;
2207 }
2208
2209 saf_join_store(r->out.netbios_domain_name, r->in.dc_name);
2210 if (r->out.dns_domain_name) {
2211 saf_join_store(r->out.dns_domain_name, r->in.dc_name);
2212 }
2213
2214 #ifdef HAVE_ADS
2215 if (r->out.domain_is_ad &&
2216 !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
2217 ADS_STATUS ads_status;
2218
2219 ads_status = libnet_join_post_processing_ads(mem_ctx, r);
2220 if (!ADS_ERR_OK(ads_status)) {
2221 return WERR_GEN_FAILURE;
2222 }
2223 }
2224 #endif /* HAVE_ADS */
2225
2226 libnet_join_add_dom_rids_to_builtins(r->out.domain_sid);
2227
2228 return WERR_OK;
2229 }
2230
2231 /****************************************************************
2232 ****************************************************************/
2233
2234 static int libnet_destroy_JoinCtx(struct libnet_JoinCtx *r)
2235 {
2236 if (r->in.ads) {
2237 ads_destroy(&r->in.ads);
2238 }
2239
2240 return 0;
2241 }
2242
2243 /****************************************************************
2244 ****************************************************************/
2245
2246 static int libnet_destroy_UnjoinCtx(struct libnet_UnjoinCtx *r)
2247 {
2248 if (r->in.ads) {
2249 ads_destroy(&r->in.ads);
2250 }
2251
2252 return 0;
2253 }
2254
2255 /****************************************************************
2256 ****************************************************************/
2257
2258 WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
2259 struct libnet_JoinCtx **r)
2260 {
2261 struct libnet_JoinCtx *ctx;
2262
2263 ctx = talloc_zero(mem_ctx, struct libnet_JoinCtx);
2264 if (!ctx) {
2265 return WERR_NOT_ENOUGH_MEMORY;
2266 }
2267
2268 talloc_set_destructor(ctx, libnet_destroy_JoinCtx);
2269
2270 ctx->in.machine_name = talloc_strdup(mem_ctx, lp_netbios_name());
2271 W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
2272
2273 ctx->in.secure_channel_type = SEC_CHAN_WKSTA;
2274
2275 ctx->in.desired_encryption_types = ENC_CRC32 |
2276 ENC_RSA_MD5 |
2277 ENC_RC4_HMAC_MD5;
2278 #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
2279 ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES128;
2280 #endif
2281 #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
2282 ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES256;
2283 #endif
2284
2285 *r = ctx;
2286
2287 return WERR_OK;
2288 }
2289
2290 /****************************************************************
2291 ****************************************************************/
2292
2293 WERROR libnet_init_UnjoinCtx(TALLOC_CTX *mem_ctx,
2294 struct libnet_UnjoinCtx **r)
2295 {
2296 struct libnet_UnjoinCtx *ctx;
2297
2298 ctx = talloc_zero(mem_ctx, struct libnet_UnjoinCtx);
2299 if (!ctx) {
2300 return WERR_NOT_ENOUGH_MEMORY;
2301 }
2302
2303 talloc_set_destructor(ctx, libnet_destroy_UnjoinCtx);
2304
2305 ctx->in.machine_name = talloc_strdup(mem_ctx, lp_netbios_name());
2306 W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
2307
2308 *r = ctx;
2309
2310 return WERR_OK;
2311 }
2312
2313 /****************************************************************
2314 ****************************************************************/
2315
2316 static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
2317 struct libnet_JoinCtx *r)
2318 {
2319 bool valid_security = false;
2320 bool valid_workgroup = false;
2321 bool valid_realm = false;
2322 bool ignored_realm = false;
2323
2324 /* check if configuration is already set correctly */
2325
2326 valid_workgroup = strequal(lp_workgroup(), r->out.netbios_domain_name);
2327
2328 switch (r->out.domain_is_ad) {
2329 case false:
2330 valid_security = (lp_security() == SEC_DOMAIN)
2331 || (lp_server_role() == ROLE_DOMAIN_PDC)
2332 || (lp_server_role() == ROLE_DOMAIN_BDC);
2333 if (valid_workgroup && valid_security) {
2334 /* nothing to be done */
2335 return WERR_OK;
2336 }
2337 break;
2338 case true:
2339 valid_realm = strequal(lp_realm(), r->out.dns_domain_name);
2340 switch (lp_security()) {
2341 case SEC_DOMAIN:
2342 if (!valid_realm && lp_winbind_rpc_only()) {
2343 valid_realm = true;
2344 ignored_realm = true;
2345 }
2346 /* FALL THROUGH */
2347 case SEC_ADS:
2348 valid_security = true;
2349 }
2350
2351 if (valid_workgroup && valid_realm && valid_security) {
2352 if (ignored_realm && !r->in.modify_config)
2353 {
2354 libnet_join_set_error_string(mem_ctx, r,
2355 "Warning: ignoring realm when "
2356 "joining AD domain with "
2357 "'security=domain' and "
2358 "'winbind rpc only = yes'. "
2359 "(realm set to '%s', "
2360 "should be '%s').", lp_realm(),
2361 r->out.dns_domain_name);
2362 }
2363 /* nothing to be done */
2364 return WERR_OK;
2365 }
2366 break;
2367 }
2368
2369 /* check if we are supposed to manipulate configuration */
2370
2371 if (!r->in.modify_config) {
2372
2373 char *wrong_conf = talloc_strdup(mem_ctx, "");
2374
2375 if (!valid_workgroup) {
2376 wrong_conf = talloc_asprintf_append(wrong_conf,
2377 "\"workgroup\" set to '%s', should be '%s'",
2378 lp_workgroup(), r->out.netbios_domain_name);
2379 W_ERROR_HAVE_NO_MEMORY(wrong_conf);
2380 }
2381
2382 if (!valid_realm) {
2383 wrong_conf = talloc_asprintf_append(wrong_conf,
2384 "\"realm\" set to '%s', should be '%s'",
2385 lp_realm(), r->out.dns_domain_name);
2386 W_ERROR_HAVE_NO_MEMORY(wrong_conf);
2387 }
2388
2389 if (!valid_security) {
2390 const char *sec = NULL;
2391 switch (lp_security()) {
2392 case SEC_USER: sec = "user"; break;
2393 case SEC_DOMAIN: sec = "domain"; break;
2394 case SEC_ADS: sec = "ads"; break;
2395 }
2396 wrong_conf = talloc_asprintf_append(wrong_conf,
2397 "\"security\" set to '%s', should be %s",
2398 sec, r->out.domain_is_ad ?
2399 "either 'domain' or 'ads'" : "'domain'");
2400 W_ERROR_HAVE_NO_MEMORY(wrong_conf);
2401 }
2402
2403 libnet_join_set_error_string(mem_ctx, r,
2404 "Invalid configuration (%s) and configuration modification "
2405 "was not requested", wrong_conf);
2406 return WERR_CAN_NOT_COMPLETE;
2407 }
2408
2409 /* check if we are able to manipulate configuration */
2410
2411 if (!lp_config_backend_is_registry()) {
2412 libnet_join_set_error_string(mem_ctx, r,
2413 "Configuration manipulation requested but not "
2414 "supported by backend");
2415 return WERR_NOT_SUPPORTED;
2416 }
2417
2418 return WERR_OK;
2419 }
2420
2421 /****************************************************************
2422 ****************************************************************/
2423
2424 static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
2425 struct libnet_JoinCtx *r)
2426 {
2427 NTSTATUS status;
2428 WERROR werr;
2429 struct cli_state *cli = NULL;
2430 #ifdef HAVE_ADS
2431 ADS_STATUS ads_status;
2432 #endif /* HAVE_ADS */
2433 const char *pre_connect_realm = NULL;
2434 const char *numeric_dcip = NULL;
2435 const char *sitename = NULL;
2436
2437 /* Before contacting a DC, we can securely know
2438 * the realm only if the user specifies it.
2439 */
2440 if (r->in.use_kerberos &&
2441 r->in.domain_name_type == JoinDomNameTypeDNS) {
2442 pre_connect_realm = r->in.domain_name;
2443 }
2444
2445 if (!r->in.dc_name) {
2446 struct netr_DsRGetDCNameInfo *info;
2447 const char *dc;
2448 uint32_t name_type_flags = 0;
2449 if (r->in.domain_name_type == JoinDomNameTypeDNS) {
2450 name_type_flags = DS_IS_DNS_NAME;
2451 } else if (r->in.domain_name_type == JoinDomNameTypeNBT) {
2452 name_type_flags = DS_IS_FLAT_NAME;
2453 }
2454 status = dsgetdcname(mem_ctx,
2455 r->in.msg_ctx,
2456 r->in.domain_name,
2457 NULL,
2458 NULL,
2459 DS_FORCE_REDISCOVERY |
2460 DS_DIRECTORY_SERVICE_REQUIRED |
2461 DS_WRITABLE_REQUIRED |
2462 DS_RETURN_DNS_NAME |
2463 name_type_flags,
2464 &info);
2465 if (!NT_STATUS_IS_OK(status)) {
2466 libnet_join_set_error_string(mem_ctx, r,
2467 "failed to find DC for domain %s - %s",
2468 r->in.domain_name,
2469 get_friendly_nt_error_msg(status));
2470 return WERR_NERR_DCNOTFOUND;
2471 }
2472
2473 dc = strip_hostname(info->dc_unc);
2474 r->in.dc_name = talloc_strdup(mem_ctx, dc);
2475 W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
2476
2477 if (info->dc_address == NULL || info->dc_address[0] != '\\' ||
2478 info->dc_address[1] != '\\') {
2479 DBG_ERR("ill-formed DC address '%s'\n",
2480 info->dc_address);
2481 return WERR_NERR_DCNOTFOUND;
2482 }
2483
2484 numeric_dcip = info->dc_address + 2;
2485 sitename = info->dc_site_name;
2486 /* info goes out of scope but the memory stays
2487 allocated on the talloc context */
2488 }
2489
2490 if (pre_connect_realm != NULL) {
2491 struct sockaddr_storage ss = {0};
2492
2493 if (numeric_dcip != NULL) {
2494 if (!interpret_string_addr(&ss, numeric_dcip,
2495 AI_NUMERICHOST)) {
2496 DBG_ERR(
2497 "cannot parse IP address '%s' of DC '%s'\n",
2498 numeric_dcip, r->in.dc_name);
2499 return WERR_NERR_DCNOTFOUND;
2500 }
2501 } else {
2502 if (!interpret_string_addr(&ss, r->in.dc_name, 0)) {
2503 DBG_WARNING(
2504 "cannot resolve IP address of DC '%s'\n",
2505 r->in.dc_name);
2506 return WERR_NERR_DCNOTFOUND;
2507 }
2508 }
2509
2510 /* The domain parameter is only used as modifier
2511 * to krb5.conf file name. .JOIN is is not a valid
2512 * NetBIOS name so it cannot clash with another domain
2513 * -- Uri.
2514 */
2515 create_local_private_krb5_conf_for_domain(
2516 pre_connect_realm, ".JOIN", sitename, &ss);
2517 }
2518
2519 status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli);
2520 if (!NT_STATUS_IS_OK(status)) {
2521 libnet_join_set_error_string(mem_ctx, r,
2522 "failed to lookup DC info for domain '%s' over rpc: %s",
2523 r->in.domain_name, get_friendly_nt_error_msg(status));
2524 return ntstatus_to_werror(status);
2525 }
2526
2527 werr = libnet_join_check_config(mem_ctx, r);
2528 if (!W_ERROR_IS_OK(werr)) {
2529 goto done;
2530 }
2531
2532 #ifdef HAVE_ADS
2533
2534 if (r->out.domain_is_ad) {
2535 create_local_private_krb5_conf_for_domain(
2536 r->out.dns_domain_name, r->out.netbios_domain_name,
2537 sitename, smbXcli_conn_remote_sockaddr(cli->conn));
2538 }
2539
2540 if (r->out.domain_is_ad &&
2541 !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
2542
2543 const char *initial_account_ou = r->in.account_ou;
2544
2545 /*
2546 * we want to create the msDS-SupportedEncryptionTypes attribute
2547 * as early as possible so always try an LDAP create as the user
2548 * first. We copy r->in.account_ou because it may be changed
2549 * during the machine pre-creation.
2550 */
2551
2552 ads_status = libnet_join_connect_ads_user(mem_ctx, r);
2553 if (!ADS_ERR_OK(ads_status)) {
2554 return WERR_NERR_DEFAULTJOINREQUIRED;
2555 }
2556
2557 ads_status = libnet_join_precreate_machine_acct(mem_ctx, r);
2558 if (ADS_ERR_OK(ads_status)) {
2559
2560 /*
2561 * LDAP object create succeeded, now go to the rpc
2562 * password set routines
2563 */
2564
2565 r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE;
2566 goto rpc_join;
2567 }
2568
2569 if (initial_account_ou != NULL) {
2570 libnet_join_set_error_string(mem_ctx, r,
2571 "failed to precreate account in ou %s: %s",
2572 r->in.account_ou,
2573 ads_errstr(ads_status));
2574 return WERR_NERR_DEFAULTJOINREQUIRED;
2575 }
2576
2577 DEBUG(5, ("failed to precreate account in ou %s: %s",
2578 r->in.account_ou, ads_errstr(ads_status)));
2579 }
2580 #endif /* HAVE_ADS */
2581
2582 rpc_join:
2583 if ((r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) &&
2584 (r->in.join_flags & WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED)) {
2585 status = libnet_join_joindomain_rpc_unsecure(mem_ctx, r, cli);
2586 } else {
2587 status = libnet_join_joindomain_rpc(mem_ctx, r, cli);
2588 }
2589 if (!NT_STATUS_IS_OK(status)) {
2590 libnet_join_set_error_string(mem_ctx, r,
2591 "failed to join domain '%s' over rpc: %s",
2592 r->in.domain_name, get_friendly_nt_error_msg(status));
2593 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
2594 return WERR_NERR_SETUPALREADYJOINED;
2595 }
2596 werr = ntstatus_to_werror(status);
2597 goto done;
2598 }
2599
2600 if (!libnet_join_joindomain_store_secrets(mem_ctx, r)) {
2601 werr = WERR_NERR_SETUPNOTJOINED;
2602 goto done;
2603 }
2604
2605 werr = WERR_OK;
2606
2607 done:
2608 if (cli) {
2609 cli_shutdown(cli);
2610 }
2611
2612 return werr;
2613 }
2614
2615 /****************************************************************
2616 ****************************************************************/
2617
2618 static WERROR libnet_join_rollback(TALLOC_CTX *mem_ctx,
2619 struct libnet_JoinCtx *r)
2620 {
2621 WERROR werr;
2622 struct libnet_UnjoinCtx *u = NULL;
2623
2624 werr = libnet_init_UnjoinCtx(mem_ctx, &u);
2625 if (!W_ERROR_IS_OK(werr)) {
2626 return werr;
2627 }
2628
2629 u->in.debug = r->in.debug;
2630 u->in.dc_name = r->in.dc_name;
2631 u->in.domain_name = r->in.domain_name;
2632 u->in.admin_account = r->in.admin_account;
2633 u->in.admin_password = r->in.admin_password;
2634 u->in.modify_config = r->in.modify_config;
2635 u->in.use_kerberos = r->in.use_kerberos;
2636 u->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
2637 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
2638
2639 werr = libnet_Unjoin(mem_ctx, u);
2640 TALLOC_FREE(u);
2641
2642 return werr;
2643 }
2644
2645 /****************************************************************
2646 ****************************************************************/
2647
2648 WERROR libnet_Join(TALLOC_CTX *mem_ctx,
2649 struct libnet_JoinCtx *r)
2650 {
2651 WERROR werr;
2652
2653 if (r->in.debug) {
2654 LIBNET_JOIN_IN_DUMP_CTX(mem_ctx, r);
2655 }
2656
2657 ZERO_STRUCT(r->out);
2658
2659 werr = libnet_join_pre_processing(mem_ctx, r);
2660 if (!W_ERROR_IS_OK(werr)) {
2661 goto done;
2662 }
2663
2664 if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
2665 werr = libnet_DomainJoin(mem_ctx, r);
2666 if (!W_ERROR_IS_OK(werr)) {
2667 goto done;
2668 }
2669 }
2670
2671 werr = libnet_join_post_processing(mem_ctx, r);
2672 if (!W_ERROR_IS_OK(werr)) {
2673 goto done;
2674 }
2675
2676 if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
2677 werr = libnet_join_post_verify(mem_ctx, r);
2678 if (!W_ERROR_IS_OK(werr)) {
2679 libnet_join_rollback(mem_ctx, r);
2680 }
2681 }
2682
2683 done:
2684 r->out.result = werr;
2685
2686 if (r->in.debug) {
2687 LIBNET_JOIN_OUT_DUMP_CTX(mem_ctx, r);
2688 }
2689 return werr;
2690 }
2691
2692 /****************************************************************
2693 ****************************************************************/
2694
2695 static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
2696 struct libnet_UnjoinCtx *r)
2697 {
2698 NTSTATUS status;
2699
2700 if (!r->in.domain_sid) {
2701 struct dom_sid sid;
2702 if (!secrets_fetch_domain_sid(lp_workgroup(), &sid)) {
2703 libnet_unjoin_set_error_string(mem_ctx, r,
2704 "Unable to fetch domain sid: are we joined?");
2705 return WERR_NERR_SETUPNOTJOINED;
2706 }
2707 r->in.domain_sid = dom_sid_dup(mem_ctx, &sid);
2708 W_ERROR_HAVE_NO_MEMORY(r->in.domain_sid);
2709 }
2710
2711 if (!(r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) &&
2712 !r->in.delete_machine_account) {
2713 libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
2714 return WERR_OK;
2715 }
2716
2717 if (!r->in.dc_name) {
2718 struct netr_DsRGetDCNameInfo *info;
2719 const char *dc;
2720 status = dsgetdcname(mem_ctx,
2721 r->in.msg_ctx,
2722 r->in.domain_name,
2723 NULL,
2724 NULL,
2725 DS_DIRECTORY_SERVICE_REQUIRED |
2726 DS_WRITABLE_REQUIRED |
2727 DS_RETURN_DNS_NAME,
2728 &info);
2729 if (!NT_STATUS_IS_OK(status)) {
2730 libnet_unjoin_set_error_string(mem_ctx, r,
2731 "failed to find DC for domain %s - %s",
2732 r->in.domain_name,
2733 get_friendly_nt_error_msg(status));
2734 return WERR_NERR_DCNOTFOUND;
2735 }
2736
2737 dc = strip_hostname(info->dc_unc);
2738 r->in.dc_name = talloc_strdup(mem_ctx, dc);
2739 W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
2740 }
2741
2742 #ifdef HAVE_ADS
2743 /* for net ads leave, try to delete the account. If it works,
2744 no sense in disabling. If it fails, we can still try to
2745 disable it. jmcd */
2746
2747 if (r->in.delete_machine_account) {
2748 ADS_STATUS ads_status;
2749 ads_status = libnet_unjoin_connect_ads(mem_ctx, r);
2750 if (ADS_ERR_OK(ads_status)) {
2751 /* dirty hack */
2752 r->out.dns_domain_name =
2753 talloc_strdup(mem_ctx,
2754 r->in.ads->server.realm);
2755 ads_status =
2756 libnet_unjoin_remove_machine_acct(mem_ctx, r);
2757 }
2758 if (!ADS_ERR_OK(ads_status)) {
2759 libnet_unjoin_set_error_string(mem_ctx, r,
2760 "failed to remove machine account from AD: %s",
2761 ads_errstr(ads_status));
2762 } else {
2763 r->out.deleted_machine_account = true;
2764 W_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name);
2765 libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
2766 return WERR_OK;
2767 }
2768 }
2769 #endif /* HAVE_ADS */
2770
2771 /* The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag really means
2772 "disable". */
2773 if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) {
2774 status = libnet_join_unjoindomain_rpc(mem_ctx, r);
2775 if (!NT_STATUS_IS_OK(status)) {
2776 libnet_unjoin_set_error_string(mem_ctx, r,
2777 "failed to disable machine account via rpc: %s",
2778 get_friendly_nt_error_msg(status));
2779 if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
2780 return WERR_NERR_SETUPNOTJOINED;
2781 }
2782 return ntstatus_to_werror(status);
2783 }
2784
2785 r->out.disabled_machine_account = true;
2786 }
2787
2788 /* If disable succeeded or was not requested at all, we
2789 should be getting rid of our end of things */
2790
2791 libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
2792
2793 return WERR_OK;
2794 }
2795
2796 /****************************************************************
2797 ****************************************************************/
2798
2799 static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx,
2800 struct libnet_UnjoinCtx *r)
2801 {
2802 if (!r->in.domain_name) {
2803 libnet_unjoin_set_error_string(mem_ctx, r,
2804 "No domain name defined");
2805 return WERR_INVALID_PARAMETER;
2806 }
2807
2808 if (!libnet_parse_domain_dc(mem_ctx, r->in.domain_name,
2809 &r->in.domain_name,
2810 &r->in.dc_name)) {
2811 libnet_unjoin_set_error_string(mem_ctx, r,
2812 "Failed to parse domain name");
2813 return WERR_INVALID_PARAMETER;
2814 }
2815
2816 if (IS_DC) {
2817 return WERR_NERR_SETUPDOMAINCONTROLLER;
2818 }
2819
2820 if (!r->in.admin_domain) {
2821 char *admin_domain = NULL;
2822 char *admin_account = NULL;
2823 bool ok;
2824
2825 ok = split_domain_user(mem_ctx,
2826 r->in.admin_account,
2827 &admin_domain,
2828 &admin_account);
2829 if (!ok) {
2830 return WERR_NOT_ENOUGH_MEMORY;
2831 }
2832
2833 if (admin_domain != NULL) {
2834 r->in.admin_domain = admin_domain;
2835 } else {
2836 r->in.admin_domain = r->in.domain_name;
2837 }
2838 r->in.admin_account = admin_account;
2839 }
2840
2841 if (!secrets_init()) {
2842 libnet_unjoin_set_error_string(mem_ctx, r,
2843 "Unable to open secrets database");
2844 return WERR_CAN_NOT_COMPLETE;
2845 }
2846
2847 return WERR_OK;
2848 }
2849
2850 /****************************************************************
2851 ****************************************************************/
2852
2853 static WERROR libnet_unjoin_post_processing(TALLOC_CTX *mem_ctx,
2854 struct libnet_UnjoinCtx *r)
2855 {
2856 saf_delete(r->out.netbios_domain_name);
2857 saf_delete(r->out.dns_domain_name);
2858
2859 return libnet_unjoin_config(r);
2860 }
2861
2862 /****************************************************************
2863 ****************************************************************/
2864
2865 WERROR libnet_Unjoin(TALLOC_CTX *mem_ctx,
2866 struct libnet_UnjoinCtx *r)
2867 {
2868 WERROR werr;
2869
2870 if (r->in.debug) {
2871 LIBNET_UNJOIN_IN_DUMP_CTX(mem_ctx, r);
2872 }
2873
2874 werr = libnet_unjoin_pre_processing(mem_ctx, r);
2875 if (!W_ERROR_IS_OK(werr)) {
2876 goto done;
2877 }
2878
2879 if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
2880 werr = libnet_DomainUnjoin(mem_ctx, r);
2881 if (!W_ERROR_IS_OK(werr)) {
2882 libnet_unjoin_config(r);
2883 goto done;
2884 }
2885 }
2886
2887 werr = libnet_unjoin_post_processing(mem_ctx, r);
2888 if (!W_ERROR_IS_OK(werr)) {
2889 goto done;
2890 }
2891
2892 done:
2893 r->out.result = werr;
2894
2895 if (r->in.debug) {
2896 LIBNET_UNJOIN_OUT_DUMP_CTX(mem_ctx, r);
2897 }
2898
2899 return werr;
2900 }
Samba GIT mirror