2 Samba Unix/Linux SMB client library
4 Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
5 Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)
6 Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
7 Copyright (C) 2006 Gerald (Jerry) Carter (jerry@samba.org)
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 #include "utils/net.h"
27 /* Macro for checking RPC error codes to make things more readable */
29 #define CHECK_RPC_ERR(rpc, msg) \
30 if (!NT_STATUS_IS_OK(result = rpc)) { \
31 DEBUG(0, (msg ": %s\n", nt_errstr(result))); \
35 #define CHECK_RPC_ERR_DEBUG(rpc, debug_args) \
36 if (!NT_STATUS_IS_OK(result = rpc)) { \
37 DEBUG(0, debug_args); \
41 /*******************************************************************
42 Leave an AD domain. Windows XP disables the machine account.
43 We'll try the same. The old code would do an LDAP delete.
44 That only worked using the machine creds because added the machine
45 with full control to the computer object's ACL.
46 *******************************************************************/
48 NTSTATUS
netdom_leave_domain( TALLOC_CTX
*mem_ctx
, struct cli_state
*cli
,
51 struct rpc_pipe_client
*pipe_hnd
= NULL
;
52 POLICY_HND sam_pol
, domain_pol
, user_pol
;
53 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
56 const char *const_acct_name
;
58 uint32 num_rids
, *name_types
, *user_rids
;
59 SAM_USERINFO_CTR ctr
, *qctr
= NULL
;
64 if ( (pipe_hnd
= cli_rpc_pipe_open_noauth(cli
, PI_SAMR
, &status
)) == NULL
) {
65 DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n",
70 status
= rpccli_samr_connect(pipe_hnd
, mem_ctx
,
71 SEC_RIGHTS_MAXIMUM_ALLOWED
, &sam_pol
);
72 if ( !NT_STATUS_IS_OK(status
) )
76 status
= rpccli_samr_open_domain(pipe_hnd
, mem_ctx
, &sam_pol
,
77 SEC_RIGHTS_MAXIMUM_ALLOWED
, dom_sid
, &domain_pol
);
78 if ( !NT_STATUS_IS_OK(status
) )
81 /* Create domain user */
83 acct_name
= talloc_asprintf(mem_ctx
, "%s$", global_myname());
84 strlower_m(acct_name
);
85 const_acct_name
= acct_name
;
87 status
= rpccli_samr_lookup_names(pipe_hnd
, mem_ctx
,
88 &domain_pol
, flags
, 1, &const_acct_name
,
89 &num_rids
, &user_rids
, &name_types
);
90 if ( !NT_STATUS_IS_OK(status
) )
93 if ( name_types
[0] != SID_NAME_USER
) {
94 DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name
, name_types
[0]));
95 return NT_STATUS_INVALID_WORKSTATION
;
98 user_rid
= user_rids
[0];
100 /* Open handle on user */
102 status
= rpccli_samr_open_user(pipe_hnd
, mem_ctx
, &domain_pol
,
103 SEC_RIGHTS_MAXIMUM_ALLOWED
, user_rid
, &user_pol
);
104 if ( !NT_STATUS_IS_OK(status
) ) {
110 status
= rpccli_samr_query_userinfo(pipe_hnd
, mem_ctx
, &user_pol
, 16, &qctr
);
111 if ( !NT_STATUS_IS_OK(status
) ) {
112 rpccli_samr_close(pipe_hnd
, mem_ctx
, &user_pol
);
116 /* now disable and setuser info */
119 ctr
.switch_value
= 16;
120 ctr
.info
.id16
= &p16
;
122 p16
.acb_info
= qctr
->info
.id16
->acb_info
| ACB_DISABLED
;
124 status
= rpccli_samr_set_userinfo2(pipe_hnd
, mem_ctx
, &user_pol
, 16,
125 &cli
->user_session_key
, &ctr
);
127 rpccli_samr_close(pipe_hnd
, mem_ctx
, &user_pol
);
130 rpccli_samr_close(pipe_hnd
, mem_ctx
, &domain_pol
);
131 rpccli_samr_close(pipe_hnd
, mem_ctx
, &sam_pol
);
133 cli_rpc_pipe_close(pipe_hnd
); /* Done with this pipe */
138 /*******************************************************************
139 Store the machine password and domain SID
140 ********************************************************************/
142 int netdom_store_machine_account( const char *domain
, DOM_SID
*sid
, const char *pw
)
144 if (!secrets_store_domain_sid(domain
, sid
)) {
145 DEBUG(1,("Failed to save domain sid\n"));
149 if (!secrets_store_machine_password(pw
, domain
, SEC_CHAN_WKSTA
)) {
150 DEBUG(1,("Failed to save machine password\n"));
157 /*******************************************************************
158 ********************************************************************/
160 NTSTATUS
netdom_get_domain_sid( TALLOC_CTX
*mem_ctx
, struct cli_state
*cli
,
161 char **domain
, DOM_SID
**sid
)
163 struct rpc_pipe_client
*pipe_hnd
= NULL
;
165 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
167 if ( (pipe_hnd
= cli_rpc_pipe_open_noauth(cli
, PI_LSARPC
, &status
)) == NULL
) {
168 DEBUG(0, ("Error connecting to LSA pipe. Error was %s\n",
169 nt_errstr(status
) ));
173 status
= rpccli_lsa_open_policy(pipe_hnd
, mem_ctx
, True
,
174 SEC_RIGHTS_MAXIMUM_ALLOWED
, &lsa_pol
);
175 if ( !NT_STATUS_IS_OK(status
) )
178 status
= rpccli_lsa_query_info_policy(pipe_hnd
, mem_ctx
,
179 &lsa_pol
, 5, domain
, sid
);
180 if ( !NT_STATUS_IS_OK(status
) )
183 rpccli_lsa_close(pipe_hnd
, mem_ctx
, &lsa_pol
);
184 cli_rpc_pipe_close(pipe_hnd
); /* Done with this pipe */
186 /* Bail out if domain didn't get set. */
188 DEBUG(0, ("Could not get domain name.\n"));
189 return NT_STATUS_UNSUCCESSFUL
;
195 /*******************************************************************
197 ********************************************************************/
199 NTSTATUS
netdom_join_domain( TALLOC_CTX
*mem_ctx
, struct cli_state
*cli
,
200 DOM_SID
*dom_sid
, const char *clear_pw
,
201 enum netdom_domain_t dom_type
)
203 struct rpc_pipe_client
*pipe_hnd
= NULL
;
204 POLICY_HND sam_pol
, domain_pol
, user_pol
;
205 NTSTATUS status
= NT_STATUS_UNSUCCESSFUL
;
207 const char *const_acct_name
;
209 uint32 num_rids
, *name_types
, *user_rids
;
210 uint32 flags
= 0x3e8;
211 uint32 acb_info
= ACB_WSTRUST
;
213 uint32 fields_present
;
215 SAM_USERINFO_CTR ctr
;
216 SAM_USER_INFO_24 p24
;
217 SAM_USER_INFO_25 p25
;
218 const int infolevel
= 25;
219 struct MD5Context md5ctx
;
221 DATA_BLOB digested_session_key
;
222 uchar md4_trust_password
[16];
224 /* Open the domain */
226 if ( (pipe_hnd
= cli_rpc_pipe_open_noauth(cli
, PI_SAMR
, &status
)) == NULL
) {
227 DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n",
228 nt_errstr(status
) ));
232 status
= rpccli_samr_connect(pipe_hnd
, mem_ctx
,
233 SEC_RIGHTS_MAXIMUM_ALLOWED
, &sam_pol
);
234 if ( !NT_STATUS_IS_OK(status
) )
238 status
= rpccli_samr_open_domain(pipe_hnd
, mem_ctx
, &sam_pol
,
239 SEC_RIGHTS_MAXIMUM_ALLOWED
, dom_sid
, &domain_pol
);
240 if ( !NT_STATUS_IS_OK(status
) )
243 /* Create domain user */
245 acct_name
= talloc_asprintf(mem_ctx
, "%s$", global_myname());
246 strlower_m(acct_name
);
247 const_acct_name
= acct_name
;
249 /* Don't try to set any acb_info flags other than ACB_WSTRUST */
251 acct_flags
= SAMR_GENERIC_READ
| SAMR_GENERIC_WRITE
|
252 SAMR_GENERIC_EXECUTE
| SAMR_STANDARD_WRITEDAC
|
253 SAMR_STANDARD_DELETE
| SAMR_USER_SETPASS
| SAMR_USER_GETATTR
|
255 DEBUG(10, ("Creating account with flags: %d\n",acct_flags
));
256 status
= rpccli_samr_create_dom_user(pipe_hnd
, mem_ctx
, &domain_pol
,
257 acct_name
, acb_info
, acct_flags
, &user_pol
, &user_rid
);
259 if ( !NT_STATUS_IS_OK(status
)
260 && !NT_STATUS_EQUAL(status
, NT_STATUS_USER_EXISTS
))
262 d_fprintf(stderr
, "Creation of workstation account failed\n");
264 /* If NT_STATUS_ACCESS_DENIED then we have a valid
265 username/password combo but the user does not have
266 administrator access. */
268 if (NT_STATUS_V(status
) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED
))
269 d_fprintf(stderr
, "User specified does not have administrator privileges\n");
274 /* We *must* do this.... don't ask... */
276 if (NT_STATUS_IS_OK(status
)) {
277 rpccli_samr_close(pipe_hnd
, mem_ctx
, &user_pol
);
280 status
= rpccli_samr_lookup_names(pipe_hnd
, mem_ctx
,
281 &domain_pol
, flags
, 1, &const_acct_name
,
282 &num_rids
, &user_rids
, &name_types
);
283 if ( !NT_STATUS_IS_OK(status
) )
286 if ( name_types
[0] != SID_NAME_USER
) {
287 DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name
, name_types
[0]));
288 return NT_STATUS_INVALID_WORKSTATION
;
291 user_rid
= user_rids
[0];
293 /* Open handle on user */
295 status
= rpccli_samr_open_user(pipe_hnd
, mem_ctx
, &domain_pol
,
296 SEC_RIGHTS_MAXIMUM_ALLOWED
, user_rid
, &user_pol
);
297 if (!NT_STATUS_IS_OK(status
)) {
301 /* Create a random machine account password and generate the hash */
303 E_md4hash(clear_pw
, md4_trust_password
);
304 encode_pw_buffer(pwbuf
, clear_pw
, STR_UNICODE
);
306 generate_random_buffer((uint8
*)md5buffer
, sizeof(md5buffer
));
307 digested_session_key
= data_blob_talloc(mem_ctx
, 0, 16);
310 MD5Update(&md5ctx
, md5buffer
, sizeof(md5buffer
));
311 MD5Update(&md5ctx
, cli
->user_session_key
.data
, cli
->user_session_key
.length
);
312 MD5Final(digested_session_key
.data
, &md5ctx
);
314 SamOEMhashBlob(pwbuf
, sizeof(pwbuf
), &digested_session_key
);
315 memcpy(&pwbuf
[516], md5buffer
, sizeof(md5buffer
));
317 /* Fill in the additional account flags now */
319 acb_info
|= ACB_PWNOEXP
;
320 if ( dom_type
== ND_TYPE_AD
) {
321 #if !defined(ENCTYPE_ARCFOUR_HMAC)
322 acb_info
|= ACB_USE_DES_KEY_ONLY
;
327 /* Set password and account flags on machine account */
332 fields_present
= ACCT_NT_PWD_SET
| ACCT_LM_PWD_SET
| ACCT_FLAGS
;
333 init_sam_user_info25P(&p25
, fields_present
, acb_info
, (char *)pwbuf
);
335 ctr
.switch_value
= infolevel
;
336 ctr
.info
.id25
= &p25
;
338 status
= rpccli_samr_set_userinfo2(pipe_hnd
, mem_ctx
, &user_pol
,
339 infolevel
, &cli
->user_session_key
, &ctr
);
341 if (NT_STATUS_EQUAL(status
, NT_STATUS(DCERPC_FAULT_INVALID_TAG
))) {
347 encode_pw_buffer(pwbuf2
, clear_pw
, STR_UNICODE
);
349 /* retry with level 24 */
350 init_sam_user_info24(&p24
, (char *)pwbuf2
, 24);
352 ctr
.switch_value
= 24;
353 ctr
.info
.id24
= &p24
;
355 status
= rpccli_samr_set_userinfo(pipe_hnd
, mem_ctx
,
358 &cli
->user_session_key
,
362 if ( !NT_STATUS_IS_OK(status
) ) {
363 d_fprintf( stderr
, "Failed to set password for machine account (%s)\n",
368 rpccli_samr_close(pipe_hnd
, mem_ctx
, &user_pol
);
369 cli_rpc_pipe_close(pipe_hnd
); /* Done with this pipe */