s3-secrets: only include secrets.h when needed.
[samba.git] / source3 / libnet / libnet_join.c
1 /*
2  *  Unix SMB/CIFS implementation.
3  *  libnet Join Support
4  *  Copyright (C) Gerald (Jerry) Carter 2006
5  *  Copyright (C) Guenther Deschner 2007-2008
6  *
7  *  This program is free software; you can redistribute it and/or modify
8  *  it under the terms of the GNU General Public License as published by
9  *  the Free Software Foundation; either version 3 of the License, or
10  *  (at your option) any later version.
11  *
12  *  This program is distributed in the hope that it will be useful,
13  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
14  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15  *  GNU General Public License for more details.
16  *
17  *  You should have received a copy of the GNU General Public License
18  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
19  */
20
21 #include "includes.h"
22 #include "ads.h"
23 #include "librpc/gen_ndr/ndr_libnet_join.h"
24 #include "libnet/libnet_join.h"
25 #include "libcli/auth/libcli_auth.h"
26 #include "../librpc/gen_ndr/cli_samr.h"
27 #include "rpc_client/init_samr.h"
28 #include "../librpc/gen_ndr/cli_lsa.h"
29 #include "rpc_client/cli_lsarpc.h"
30 #include "../librpc/gen_ndr/cli_netlogon.h"
31 #include "rpc_client/cli_netlogon.h"
32 #include "lib/smbconf/smbconf.h"
33 #include "lib/smbconf/smbconf_reg.h"
34 #include "../libds/common/flags.h"
35 #include "secrets.h"
36
37 /****************************************************************
38 ****************************************************************/
39
40 #define LIBNET_JOIN_DUMP_CTX(ctx, r, f) \
41         do { \
42                 char *str = NULL; \
43                 str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_JoinCtx, f, r); \
44                 DEBUG(1,("libnet_Join:\n%s", str)); \
45                 TALLOC_FREE(str); \
46         } while (0)
47
48 #define LIBNET_JOIN_IN_DUMP_CTX(ctx, r) \
49         LIBNET_JOIN_DUMP_CTX(ctx, r, NDR_IN | NDR_SET_VALUES)
50 #define LIBNET_JOIN_OUT_DUMP_CTX(ctx, r) \
51         LIBNET_JOIN_DUMP_CTX(ctx, r, NDR_OUT)
52
53 #define LIBNET_UNJOIN_DUMP_CTX(ctx, r, f) \
54         do { \
55                 char *str = NULL; \
56                 str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_UnjoinCtx, f, r); \
57                 DEBUG(1,("libnet_Unjoin:\n%s", str)); \
58                 TALLOC_FREE(str); \
59         } while (0)
60
61 #define LIBNET_UNJOIN_IN_DUMP_CTX(ctx, r) \
62         LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_IN | NDR_SET_VALUES)
63 #define LIBNET_UNJOIN_OUT_DUMP_CTX(ctx, r) \
64         LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_OUT)
65
66 /****************************************************************
67 ****************************************************************/
68
69 static void libnet_join_set_error_string(TALLOC_CTX *mem_ctx,
70                                          struct libnet_JoinCtx *r,
71                                          const char *format, ...)
72 {
73         va_list args;
74
75         if (r->out.error_string) {
76                 return;
77         }
78
79         va_start(args, format);
80         r->out.error_string = talloc_vasprintf(mem_ctx, format, args);
81         va_end(args);
82 }
83
84 /****************************************************************
85 ****************************************************************/
86
87 static void libnet_unjoin_set_error_string(TALLOC_CTX *mem_ctx,
88                                            struct libnet_UnjoinCtx *r,
89                                            const char *format, ...)
90 {
91         va_list args;
92
93         if (r->out.error_string) {
94                 return;
95         }
96
97         va_start(args, format);
98         r->out.error_string = talloc_vasprintf(mem_ctx, format, args);
99         va_end(args);
100 }
101
102 #ifdef WITH_ADS
103
104 /****************************************************************
105 ****************************************************************/
106
107 static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
108                                      const char *netbios_domain_name,
109                                      const char *dc_name,
110                                      const char *user_name,
111                                      const char *password,
112                                      ADS_STRUCT **ads)
113 {
114         ADS_STATUS status;
115         ADS_STRUCT *my_ads = NULL;
116
117         my_ads = ads_init(dns_domain_name,
118                           netbios_domain_name,
119                           dc_name);
120         if (!my_ads) {
121                 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
122         }
123
124         if (user_name) {
125                 SAFE_FREE(my_ads->auth.user_name);
126                 my_ads->auth.user_name = SMB_STRDUP(user_name);
127         }
128
129         if (password) {
130                 SAFE_FREE(my_ads->auth.password);
131                 my_ads->auth.password = SMB_STRDUP(password);
132         }
133
134         status = ads_connect_user_creds(my_ads);
135         if (!ADS_ERR_OK(status)) {
136                 ads_destroy(&my_ads);
137                 return status;
138         }
139
140         *ads = my_ads;
141         return ADS_SUCCESS;
142 }
143
144 /****************************************************************
145 ****************************************************************/
146
147 static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
148                                           struct libnet_JoinCtx *r)
149 {
150         ADS_STATUS status;
151
152         status = libnet_connect_ads(r->out.dns_domain_name,
153                                     r->out.netbios_domain_name,
154                                     r->in.dc_name,
155                                     r->in.admin_account,
156                                     r->in.admin_password,
157                                     &r->in.ads);
158         if (!ADS_ERR_OK(status)) {
159                 libnet_join_set_error_string(mem_ctx, r,
160                         "failed to connect to AD: %s",
161                         ads_errstr(status));
162                 return status;
163         }
164
165         if (!r->out.netbios_domain_name) {
166                 r->out.netbios_domain_name = talloc_strdup(mem_ctx,
167                                                            r->in.ads->server.workgroup);
168                 ADS_ERROR_HAVE_NO_MEMORY(r->out.netbios_domain_name);
169         }
170
171         if (!r->out.dns_domain_name) {
172                 r->out.dns_domain_name = talloc_strdup(mem_ctx,
173                                                        r->in.ads->config.realm);
174                 ADS_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name);
175         }
176
177         r->out.domain_is_ad = true;
178
179         return ADS_SUCCESS;
180 }
181
182 /****************************************************************
183 ****************************************************************/
184
185 static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx,
186                                             struct libnet_UnjoinCtx *r)
187 {
188         ADS_STATUS status;
189
190         status = libnet_connect_ads(r->in.domain_name,
191                                     r->in.domain_name,
192                                     r->in.dc_name,
193                                     r->in.admin_account,
194                                     r->in.admin_password,
195                                     &r->in.ads);
196         if (!ADS_ERR_OK(status)) {
197                 libnet_unjoin_set_error_string(mem_ctx, r,
198                         "failed to connect to AD: %s",
199                         ads_errstr(status));
200         }
201
202         return status;
203 }
204
205 /****************************************************************
206  join a domain using ADS (LDAP mods)
207 ****************************************************************/
208
209 static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx,
210                                                      struct libnet_JoinCtx *r)
211 {
212         ADS_STATUS status;
213         LDAPMessage *res = NULL;
214         const char *attrs[] = { "dn", NULL };
215         bool moved = false;
216
217         status = ads_check_ou_dn(mem_ctx, r->in.ads, &r->in.account_ou);
218         if (!ADS_ERR_OK(status)) {
219                 return status;
220         }
221
222         status = ads_search_dn(r->in.ads, &res, r->in.account_ou, attrs);
223         if (!ADS_ERR_OK(status)) {
224                 return status;
225         }
226
227         if (ads_count_replies(r->in.ads, res) != 1) {
228                 ads_msgfree(r->in.ads, res);
229                 return ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT);
230         }
231
232         ads_msgfree(r->in.ads, res);
233
234         /* Attempt to create the machine account and bail if this fails.
235            Assume that the admin wants exactly what they requested */
236
237         status = ads_create_machine_acct(r->in.ads,
238                                          r->in.machine_name,
239                                          r->in.account_ou);
240
241         if (ADS_ERR_OK(status)) {
242                 DEBUG(1,("machine account creation created\n"));
243                 return status;
244         } else  if ((status.error_type == ENUM_ADS_ERROR_LDAP) &&
245                     (status.err.rc == LDAP_ALREADY_EXISTS)) {
246                 status = ADS_SUCCESS;
247         }
248
249         if (!ADS_ERR_OK(status)) {
250                 DEBUG(1,("machine account creation failed\n"));
251                 return status;
252         }
253
254         status = ads_move_machine_acct(r->in.ads,
255                                        r->in.machine_name,
256                                        r->in.account_ou,
257                                        &moved);
258         if (!ADS_ERR_OK(status)) {
259                 DEBUG(1,("failure to locate/move pre-existing "
260                         "machine account\n"));
261                 return status;
262         }
263
264         DEBUG(1,("The machine account %s the specified OU.\n",
265                 moved ? "was moved into" : "already exists in"));
266
267         return status;
268 }
269
270 /****************************************************************
271 ****************************************************************/
272
273 static ADS_STATUS libnet_unjoin_remove_machine_acct(TALLOC_CTX *mem_ctx,
274                                                     struct libnet_UnjoinCtx *r)
275 {
276         ADS_STATUS status;
277
278         if (!r->in.ads) {
279                 status = libnet_unjoin_connect_ads(mem_ctx, r);
280                 if (!ADS_ERR_OK(status)) {
281                         libnet_unjoin_set_error_string(mem_ctx, r,
282                                 "failed to connect to AD: %s",
283                                 ads_errstr(status));
284                         return status;
285                 }
286         }
287
288         status = ads_leave_realm(r->in.ads, r->in.machine_name);
289         if (!ADS_ERR_OK(status)) {
290                 libnet_unjoin_set_error_string(mem_ctx, r,
291                         "failed to leave realm: %s",
292                         ads_errstr(status));
293                 return status;
294         }
295
296         return ADS_SUCCESS;
297 }
298
299 /****************************************************************
300 ****************************************************************/
301
302 static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx,
303                                                 struct libnet_JoinCtx *r)
304 {
305         ADS_STATUS status;
306         LDAPMessage *res = NULL;
307         char *dn = NULL;
308
309         if (!r->in.machine_name) {
310                 return ADS_ERROR(LDAP_NO_MEMORY);
311         }
312
313         status = ads_find_machine_acct(r->in.ads,
314                                        &res,
315                                        r->in.machine_name);
316         if (!ADS_ERR_OK(status)) {
317                 return status;
318         }
319
320         if (ads_count_replies(r->in.ads, res) != 1) {
321                 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
322                 goto done;
323         }
324
325         dn = ads_get_dn(r->in.ads, mem_ctx, res);
326         if (!dn) {
327                 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
328                 goto done;
329         }
330
331         r->out.dn = talloc_strdup(mem_ctx, dn);
332         if (!r->out.dn) {
333                 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
334                 goto done;
335         }
336
337  done:
338         ads_msgfree(r->in.ads, res);
339         TALLOC_FREE(dn);
340
341         return status;
342 }
343
344 /****************************************************************
345  Set a machines dNSHostName and servicePrincipalName attributes
346 ****************************************************************/
347
348 static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
349                                               struct libnet_JoinCtx *r)
350 {
351         ADS_STATUS status;
352         ADS_MODLIST mods;
353         fstring my_fqdn;
354         const char *spn_array[3] = {NULL, NULL, NULL};
355         char *spn = NULL;
356
357         /* Find our DN */
358
359         status = libnet_join_find_machine_acct(mem_ctx, r);
360         if (!ADS_ERR_OK(status)) {
361                 return status;
362         }
363
364         /* Windows only creates HOST/shortname & HOST/fqdn. */
365
366         spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
367         if (!spn) {
368                 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
369         }
370         strupper_m(spn);
371         spn_array[0] = spn;
372
373         if (!name_to_fqdn(my_fqdn, r->in.machine_name)
374             || (strchr(my_fqdn, '.') == NULL)) {
375                 fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name,
376                              r->out.dns_domain_name);
377         }
378
379         strlower_m(my_fqdn);
380
381         if (!strequal(my_fqdn, r->in.machine_name)) {
382                 spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
383                 if (!spn) {
384                         return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
385                 }
386                 spn_array[1] = spn;
387         }
388
389         mods = ads_init_mods(mem_ctx);
390         if (!mods) {
391                 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
392         }
393
394         /* fields of primary importance */
395
396         status = ads_mod_str(mem_ctx, &mods, "dNSHostName", my_fqdn);
397         if (!ADS_ERR_OK(status)) {
398                 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
399         }
400
401         status = ads_mod_strlist(mem_ctx, &mods, "servicePrincipalName",
402                                  spn_array);
403         if (!ADS_ERR_OK(status)) {
404                 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
405         }
406
407         return ads_gen_mod(r->in.ads, r->out.dn, mods);
408 }
409
410 /****************************************************************
411 ****************************************************************/
412
413 static ADS_STATUS libnet_join_set_machine_upn(TALLOC_CTX *mem_ctx,
414                                               struct libnet_JoinCtx *r)
415 {
416         ADS_STATUS status;
417         ADS_MODLIST mods;
418
419         if (!r->in.create_upn) {
420                 return ADS_SUCCESS;
421         }
422
423         /* Find our DN */
424
425         status = libnet_join_find_machine_acct(mem_ctx, r);
426         if (!ADS_ERR_OK(status)) {
427                 return status;
428         }
429
430         if (!r->in.upn) {
431                 r->in.upn = talloc_asprintf(mem_ctx,
432                                             "host/%s@%s",
433                                             r->in.machine_name,
434                                             r->out.dns_domain_name);
435                 if (!r->in.upn) {
436                         return ADS_ERROR(LDAP_NO_MEMORY);
437                 }
438         }
439
440         /* now do the mods */
441
442         mods = ads_init_mods(mem_ctx);
443         if (!mods) {
444                 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
445         }
446
447         /* fields of primary importance */
448
449         status = ads_mod_str(mem_ctx, &mods, "userPrincipalName", r->in.upn);
450         if (!ADS_ERR_OK(status)) {
451                 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
452         }
453
454         return ads_gen_mod(r->in.ads, r->out.dn, mods);
455 }
456
457
458 /****************************************************************
459 ****************************************************************/
460
461 static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
462                                                 struct libnet_JoinCtx *r)
463 {
464         ADS_STATUS status;
465         ADS_MODLIST mods;
466         char *os_sp = NULL;
467
468         if (!r->in.os_name || !r->in.os_version ) {
469                 return ADS_SUCCESS;
470         }
471
472         /* Find our DN */
473
474         status = libnet_join_find_machine_acct(mem_ctx, r);
475         if (!ADS_ERR_OK(status)) {
476                 return status;
477         }
478
479         /* now do the mods */
480
481         mods = ads_init_mods(mem_ctx);
482         if (!mods) {
483                 return ADS_ERROR(LDAP_NO_MEMORY);
484         }
485
486         os_sp = talloc_asprintf(mem_ctx, "Samba %s", samba_version_string());
487         if (!os_sp) {
488                 return ADS_ERROR(LDAP_NO_MEMORY);
489         }
490
491         /* fields of primary importance */
492
493         status = ads_mod_str(mem_ctx, &mods, "operatingSystem",
494                              r->in.os_name);
495         if (!ADS_ERR_OK(status)) {
496                 return status;
497         }
498
499         status = ads_mod_str(mem_ctx, &mods, "operatingSystemVersion",
500                              r->in.os_version);
501         if (!ADS_ERR_OK(status)) {
502                 return status;
503         }
504
505         status = ads_mod_str(mem_ctx, &mods, "operatingSystemServicePack",
506                              os_sp);
507         if (!ADS_ERR_OK(status)) {
508                 return status;
509         }
510
511         return ads_gen_mod(r->in.ads, r->out.dn, mods);
512 }
513
514 /****************************************************************
515 ****************************************************************/
516
517 static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
518                                       struct libnet_JoinCtx *r)
519 {
520         if (!USE_SYSTEM_KEYTAB) {
521                 return true;
522         }
523
524         if (ads_keytab_create_default(r->in.ads) != 0) {
525                 return false;
526         }
527
528         return true;
529 }
530
531 /****************************************************************
532 ****************************************************************/
533
534 static bool libnet_join_derive_salting_principal(TALLOC_CTX *mem_ctx,
535                                                  struct libnet_JoinCtx *r)
536 {
537         uint32_t domain_func;
538         ADS_STATUS status;
539         const char *salt = NULL;
540         char *std_salt = NULL;
541
542         status = ads_domain_func_level(r->in.ads, &domain_func);
543         if (!ADS_ERR_OK(status)) {
544                 libnet_join_set_error_string(mem_ctx, r,
545                         "failed to determine domain functional level: %s",
546                         ads_errstr(status));
547                 return false;
548         }
549
550         /* go ahead and setup the default salt */
551
552         std_salt = kerberos_standard_des_salt();
553         if (!std_salt) {
554                 libnet_join_set_error_string(mem_ctx, r,
555                         "failed to obtain standard DES salt");
556                 return false;
557         }
558
559         salt = talloc_strdup(mem_ctx, std_salt);
560         if (!salt) {
561                 return false;
562         }
563
564         SAFE_FREE(std_salt);
565
566         /* if it's a Windows functional domain, we have to look for the UPN */
567
568         if (domain_func == DS_DOMAIN_FUNCTION_2000) {
569                 char *upn;
570
571                 upn = ads_get_upn(r->in.ads, mem_ctx,
572                                   r->in.machine_name);
573                 if (upn) {
574                         salt = talloc_strdup(mem_ctx, upn);
575                         if (!salt) {
576                                 return false;
577                         }
578                 }
579         }
580
581         return kerberos_secrets_store_des_salt(salt);
582 }
583
584 /****************************************************************
585 ****************************************************************/
586
587 static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
588                                                   struct libnet_JoinCtx *r)
589 {
590         ADS_STATUS status;
591
592         if (!r->in.ads) {
593                 status = libnet_join_connect_ads(mem_ctx, r);
594                 if (!ADS_ERR_OK(status)) {
595                         return status;
596                 }
597         }
598
599         status = libnet_join_set_machine_spn(mem_ctx, r);
600         if (!ADS_ERR_OK(status)) {
601                 libnet_join_set_error_string(mem_ctx, r,
602                         "failed to set machine spn: %s",
603                         ads_errstr(status));
604                 return status;
605         }
606
607         status = libnet_join_set_os_attributes(mem_ctx, r);
608         if (!ADS_ERR_OK(status)) {
609                 libnet_join_set_error_string(mem_ctx, r,
610                         "failed to set machine os attributes: %s",
611                         ads_errstr(status));
612                 return status;
613         }
614
615         status = libnet_join_set_machine_upn(mem_ctx, r);
616         if (!ADS_ERR_OK(status)) {
617                 libnet_join_set_error_string(mem_ctx, r,
618                         "failed to set machine upn: %s",
619                         ads_errstr(status));
620                 return status;
621         }
622
623         if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
624                 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
625         }
626
627         if (!libnet_join_create_keytab(mem_ctx, r)) {
628                 libnet_join_set_error_string(mem_ctx, r,
629                         "failed to create kerberos keytab");
630                 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
631         }
632
633         return ADS_SUCCESS;
634 }
635 #endif /* WITH_ADS */
636
637 /****************************************************************
638  Store the machine password and domain SID
639 ****************************************************************/
640
641 static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx,
642                                                  struct libnet_JoinCtx *r)
643 {
644         if (!secrets_store_domain_sid(r->out.netbios_domain_name,
645                                       r->out.domain_sid))
646         {
647                 DEBUG(1,("Failed to save domain sid\n"));
648                 return false;
649         }
650
651         if (!secrets_store_machine_password(r->in.machine_password,
652                                             r->out.netbios_domain_name,
653                                             r->in.secure_channel_type))
654         {
655                 DEBUG(1,("Failed to save machine password\n"));
656                 return false;
657         }
658
659         return true;
660 }
661
662 /****************************************************************
663  Connect dc's IPC$ share
664 ****************************************************************/
665
666 static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
667                                            const char *user,
668                                            const char *pass,
669                                            bool use_kerberos,
670                                            struct cli_state **cli)
671 {
672         int flags = 0;
673
674         if (use_kerberos) {
675                 flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
676         }
677
678         if (use_kerberos && pass) {
679                 flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
680         }
681
682         return cli_full_connection(cli, NULL,
683                                    dc,
684                                    NULL, 0,
685                                    "IPC$", "IPC",
686                                    user,
687                                    NULL,
688                                    pass,
689                                    flags,
690                                    Undefined, NULL);
691 }
692
693 /****************************************************************
694  Lookup domain dc's info
695 ****************************************************************/
696
697 static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
698                                           struct libnet_JoinCtx *r,
699                                           struct cli_state **cli)
700 {
701         struct rpc_pipe_client *pipe_hnd = NULL;
702         struct policy_handle lsa_pol;
703         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
704         union lsa_PolicyInformation *info = NULL;
705
706         status = libnet_join_connect_dc_ipc(r->in.dc_name,
707                                             r->in.admin_account,
708                                             r->in.admin_password,
709                                             r->in.use_kerberos,
710                                             cli);
711         if (!NT_STATUS_IS_OK(status)) {
712                 goto done;
713         }
714
715         status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc.syntax_id,
716                                           &pipe_hnd);
717         if (!NT_STATUS_IS_OK(status)) {
718                 DEBUG(0,("Error connecting to LSA pipe. Error was %s\n",
719                         nt_errstr(status)));
720                 goto done;
721         }
722
723         status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
724                                         SEC_FLAG_MAXIMUM_ALLOWED, &lsa_pol);
725         if (!NT_STATUS_IS_OK(status)) {
726                 goto done;
727         }
728
729         status = rpccli_lsa_QueryInfoPolicy2(pipe_hnd, mem_ctx,
730                                              &lsa_pol,
731                                              LSA_POLICY_INFO_DNS,
732                                              &info);
733         if (NT_STATUS_IS_OK(status)) {
734                 r->out.domain_is_ad = true;
735                 r->out.netbios_domain_name = info->dns.name.string;
736                 r->out.dns_domain_name = info->dns.dns_domain.string;
737                 r->out.forest_name = info->dns.dns_forest.string;
738                 r->out.domain_sid = sid_dup_talloc(mem_ctx, info->dns.sid);
739                 NT_STATUS_HAVE_NO_MEMORY(r->out.domain_sid);
740         }
741
742         if (!NT_STATUS_IS_OK(status)) {
743                 status = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
744                                                     &lsa_pol,
745                                                     LSA_POLICY_INFO_ACCOUNT_DOMAIN,
746                                                     &info);
747                 if (!NT_STATUS_IS_OK(status)) {
748                         goto done;
749                 }
750
751                 r->out.netbios_domain_name = info->account_domain.name.string;
752                 r->out.domain_sid = sid_dup_talloc(mem_ctx, info->account_domain.sid);
753                 NT_STATUS_HAVE_NO_MEMORY(r->out.domain_sid);
754         }
755
756         rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol);
757         TALLOC_FREE(pipe_hnd);
758
759  done:
760         return status;
761 }
762
763 /****************************************************************
764  Do the domain join unsecure
765 ****************************************************************/
766
767 static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
768                                                     struct libnet_JoinCtx *r,
769                                                     struct cli_state *cli)
770 {
771         struct rpc_pipe_client *pipe_hnd = NULL;
772         unsigned char orig_trust_passwd_hash[16];
773         unsigned char new_trust_passwd_hash[16];
774         fstring trust_passwd;
775         NTSTATUS status;
776
777         status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
778                                           &pipe_hnd);
779         if (!NT_STATUS_IS_OK(status)) {
780                 return status;
781         }
782
783         if (!r->in.machine_password) {
784                 r->in.machine_password = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
785                 NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
786         }
787
788         E_md4hash(r->in.machine_password, new_trust_passwd_hash);
789
790         /* according to WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED */
791         fstrcpy(trust_passwd, r->in.admin_password);
792         strlower_m(trust_passwd);
793
794         /*
795          * Machine names can be 15 characters, but the max length on
796          * a password is 14.  --jerry
797          */
798
799         trust_passwd[14] = '\0';
800
801         E_md4hash(trust_passwd, orig_trust_passwd_hash);
802
803         status = rpccli_netlogon_set_trust_password(pipe_hnd, mem_ctx,
804                                                     r->in.machine_name,
805                                                     orig_trust_passwd_hash,
806                                                     r->in.machine_password,
807                                                     new_trust_passwd_hash,
808                                                     r->in.secure_channel_type);
809
810         return status;
811 }
812
813 /****************************************************************
814  Do the domain join
815 ****************************************************************/
816
817 static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
818                                            struct libnet_JoinCtx *r,
819                                            struct cli_state *cli)
820 {
821         struct rpc_pipe_client *pipe_hnd = NULL;
822         struct policy_handle sam_pol, domain_pol, user_pol;
823         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
824         char *acct_name;
825         struct lsa_String lsa_acct_name;
826         uint32_t user_rid;
827         uint32_t acct_flags = ACB_WSTRUST;
828         struct samr_Ids user_rids;
829         struct samr_Ids name_types;
830         union samr_UserInfo user_info;
831
832         struct samr_CryptPassword crypt_pwd;
833         struct samr_CryptPasswordEx crypt_pwd_ex;
834
835         ZERO_STRUCT(sam_pol);
836         ZERO_STRUCT(domain_pol);
837         ZERO_STRUCT(user_pol);
838
839         switch (r->in.secure_channel_type) {
840         case SEC_CHAN_WKSTA:
841                 acct_flags = ACB_WSTRUST;
842                 break;
843         case SEC_CHAN_BDC:
844                 acct_flags = ACB_SVRTRUST;
845                 break;
846         default:
847                 return NT_STATUS_INVALID_PARAMETER;
848         }
849
850         if (!r->in.machine_password) {
851                 r->in.machine_password = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
852                 NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
853         }
854
855         /* Open the domain */
856
857         status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
858                                           &pipe_hnd);
859         if (!NT_STATUS_IS_OK(status)) {
860                 DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
861                         nt_errstr(status)));
862                 goto done;
863         }
864
865         status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
866                                       pipe_hnd->desthost,
867                                       SAMR_ACCESS_ENUM_DOMAINS
868                                       | SAMR_ACCESS_LOOKUP_DOMAIN,
869                                       &sam_pol);
870         if (!NT_STATUS_IS_OK(status)) {
871                 goto done;
872         }
873
874         status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
875                                         &sam_pol,
876                                         SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
877                                         | SAMR_DOMAIN_ACCESS_CREATE_USER
878                                         | SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
879                                         r->out.domain_sid,
880                                         &domain_pol);
881         if (!NT_STATUS_IS_OK(status)) {
882                 goto done;
883         }
884
885         /* Create domain user */
886
887         acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name);
888         strlower_m(acct_name);
889
890         init_lsa_String(&lsa_acct_name, acct_name);
891
892         if (r->in.join_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE) {
893                 uint32_t access_desired =
894                         SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE |
895                         SEC_STD_WRITE_DAC | SEC_STD_DELETE |
896                         SAMR_USER_ACCESS_SET_PASSWORD |
897                         SAMR_USER_ACCESS_GET_ATTRIBUTES |
898                         SAMR_USER_ACCESS_SET_ATTRIBUTES;
899                 uint32_t access_granted = 0;
900
901                 DEBUG(10,("Creating account with desired access mask: %d\n",
902                         access_desired));
903
904                 status = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx,
905                                                  &domain_pol,
906                                                  &lsa_acct_name,
907                                                  acct_flags,
908                                                  access_desired,
909                                                  &user_pol,
910                                                  &access_granted,
911                                                  &user_rid);
912                 if (!NT_STATUS_IS_OK(status) &&
913                     !NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
914
915                         DEBUG(10,("Creation of workstation account failed: %s\n",
916                                 nt_errstr(status)));
917
918                         /* If NT_STATUS_ACCESS_DENIED then we have a valid
919                            username/password combo but the user does not have
920                            administrator access. */
921
922                         if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
923                                 libnet_join_set_error_string(mem_ctx, r,
924                                         "User specified does not have "
925                                         "administrator privileges");
926                         }
927
928                         goto done;
929                 }
930
931                 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
932                         if (!(r->in.join_flags &
933                               WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED)) {
934                                 goto done;
935                         }
936                 }
937
938                 /* We *must* do this.... don't ask... */
939
940                 if (NT_STATUS_IS_OK(status)) {
941                         rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
942                 }
943         }
944
945         status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
946                                          &domain_pol,
947                                          1,
948                                          &lsa_acct_name,
949                                          &user_rids,
950                                          &name_types);
951         if (!NT_STATUS_IS_OK(status)) {
952                 goto done;
953         }
954
955         if (name_types.ids[0] != SID_NAME_USER) {
956                 DEBUG(0,("%s is not a user account (type=%d)\n",
957                         acct_name, name_types.ids[0]));
958                 status = NT_STATUS_INVALID_WORKSTATION;
959                 goto done;
960         }
961
962         user_rid = user_rids.ids[0];
963
964         /* Open handle on user */
965
966         status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
967                                       &domain_pol,
968                                       SEC_FLAG_MAXIMUM_ALLOWED,
969                                       user_rid,
970                                       &user_pol);
971         if (!NT_STATUS_IS_OK(status)) {
972                 goto done;
973         }
974
975         /* Fill in the additional account flags now */
976
977         acct_flags |= ACB_PWNOEXP;
978         if (r->out.domain_is_ad) {
979 #if !defined(ENCTYPE_ARCFOUR_HMAC)
980                 acct_flags |= ACB_USE_DES_KEY_ONLY;
981 #endif
982                 ;;
983         }
984
985         /* Set account flags on machine account */
986         ZERO_STRUCT(user_info.info16);
987         user_info.info16.acct_flags = acct_flags;
988
989         status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
990                                          &user_pol,
991                                          16,
992                                          &user_info);
993
994         if (!NT_STATUS_IS_OK(status)) {
995
996                 rpccli_samr_DeleteUser(pipe_hnd, mem_ctx,
997                                        &user_pol);
998
999                 libnet_join_set_error_string(mem_ctx, r,
1000                         "Failed to set account flags for machine account (%s)\n",
1001                         nt_errstr(status));
1002                 goto done;
1003         }
1004
1005         /* Set password on machine account - first try level 26 */
1006
1007         init_samr_CryptPasswordEx(r->in.machine_password,
1008                                   &cli->user_session_key,
1009                                   &crypt_pwd_ex);
1010
1011         user_info.info26.password = crypt_pwd_ex;
1012         user_info.info26.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
1013
1014         status = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
1015                                           &user_pol,
1016                                           26,
1017                                           &user_info);
1018
1019         if (NT_STATUS_EQUAL(status, NT_STATUS(DCERPC_FAULT_INVALID_TAG))) {
1020
1021                 /* retry with level 24 */
1022
1023                 init_samr_CryptPassword(r->in.machine_password,
1024                                         &cli->user_session_key,
1025                                         &crypt_pwd);
1026
1027                 user_info.info24.password = crypt_pwd;
1028                 user_info.info24.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
1029
1030                 status = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
1031                                                   &user_pol,
1032                                                   24,
1033                                                   &user_info);
1034         }
1035
1036         if (!NT_STATUS_IS_OK(status)) {
1037
1038                 rpccli_samr_DeleteUser(pipe_hnd, mem_ctx,
1039                                        &user_pol);
1040
1041                 libnet_join_set_error_string(mem_ctx, r,
1042                         "Failed to set password for machine account (%s)\n",
1043                         nt_errstr(status));
1044                 goto done;
1045         }
1046
1047         status = NT_STATUS_OK;
1048
1049  done:
1050         if (!pipe_hnd) {
1051                 return status;
1052         }
1053
1054         if (is_valid_policy_hnd(&sam_pol)) {
1055                 rpccli_samr_Close(pipe_hnd, mem_ctx, &sam_pol);
1056         }
1057         if (is_valid_policy_hnd(&domain_pol)) {
1058                 rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
1059         }
1060         if (is_valid_policy_hnd(&user_pol)) {
1061                 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
1062         }
1063         TALLOC_FREE(pipe_hnd);
1064
1065         return status;
1066 }
1067
1068 /****************************************************************
1069 ****************************************************************/
1070
1071 NTSTATUS libnet_join_ok(const char *netbios_domain_name,
1072                         const char *machine_name,
1073                         const char *dc_name)
1074 {
1075         uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
1076         struct cli_state *cli = NULL;
1077         struct rpc_pipe_client *pipe_hnd = NULL;
1078         struct rpc_pipe_client *netlogon_pipe = NULL;
1079         NTSTATUS status;
1080         char *machine_password = NULL;
1081         char *machine_account = NULL;
1082
1083         if (!dc_name) {
1084                 return NT_STATUS_INVALID_PARAMETER;
1085         }
1086
1087         if (!secrets_init()) {
1088                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1089         }
1090
1091         machine_password = secrets_fetch_machine_password(netbios_domain_name,
1092                                                           NULL, NULL);
1093         if (!machine_password) {
1094                 return NT_STATUS_NO_TRUST_LSA_SECRET;
1095         }
1096
1097         if (asprintf(&machine_account, "%s$", machine_name) == -1) {
1098                 SAFE_FREE(machine_password);
1099                 return NT_STATUS_NO_MEMORY;
1100         }
1101
1102         status = cli_full_connection(&cli, NULL,
1103                                      dc_name,
1104                                      NULL, 0,
1105                                      "IPC$", "IPC",
1106                                      machine_account,
1107                                      NULL,
1108                                      machine_password,
1109                                      0,
1110                                      Undefined, NULL);
1111         free(machine_account);
1112         free(machine_password);
1113
1114         if (!NT_STATUS_IS_OK(status)) {
1115                 status = cli_full_connection(&cli, NULL,
1116                                              dc_name,
1117                                              NULL, 0,
1118                                              "IPC$", "IPC",
1119                                              "",
1120                                              NULL,
1121                                              "",
1122                                              0,
1123                                              Undefined, NULL);
1124         }
1125
1126         if (!NT_STATUS_IS_OK(status)) {
1127                 return status;
1128         }
1129
1130         status = get_schannel_session_key(cli, netbios_domain_name,
1131                                           &neg_flags, &netlogon_pipe);
1132         if (!NT_STATUS_IS_OK(status)) {
1133                 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_NETWORK_RESPONSE)) {
1134                         cli_shutdown(cli);
1135                         return NT_STATUS_OK;
1136                 }
1137
1138                 DEBUG(0,("libnet_join_ok: failed to get schannel session "
1139                         "key from server %s for domain %s. Error was %s\n",
1140                 cli->desthost, netbios_domain_name, nt_errstr(status)));
1141                 cli_shutdown(cli);
1142                 return status;
1143         }
1144
1145         if (!lp_client_schannel()) {
1146                 cli_shutdown(cli);
1147                 return NT_STATUS_OK;
1148         }
1149
1150         status = cli_rpc_pipe_open_schannel_with_key(
1151                 cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
1152                 DCERPC_AUTH_LEVEL_PRIVACY,
1153                 netbios_domain_name, &netlogon_pipe->dc, &pipe_hnd);
1154
1155         cli_shutdown(cli);
1156
1157         if (!NT_STATUS_IS_OK(status)) {
1158                 DEBUG(0,("libnet_join_ok: failed to open schannel session "
1159                         "on netlogon pipe to server %s for domain %s. "
1160                         "Error was %s\n",
1161                         cli->desthost, netbios_domain_name, nt_errstr(status)));
1162                 return status;
1163         }
1164
1165         return NT_STATUS_OK;
1166 }
1167
1168 /****************************************************************
1169 ****************************************************************/
1170
1171 static WERROR libnet_join_post_verify(TALLOC_CTX *mem_ctx,
1172                                       struct libnet_JoinCtx *r)
1173 {
1174         NTSTATUS status;
1175
1176         status = libnet_join_ok(r->out.netbios_domain_name,
1177                                 r->in.machine_name,
1178                                 r->in.dc_name);
1179         if (!NT_STATUS_IS_OK(status)) {
1180                 libnet_join_set_error_string(mem_ctx, r,
1181                         "failed to verify domain membership after joining: %s",
1182                         get_friendly_nt_error_msg(status));
1183                 return WERR_SETUP_NOT_JOINED;
1184         }
1185
1186         return WERR_OK;
1187 }
1188
1189 /****************************************************************
1190 ****************************************************************/
1191
1192 static bool libnet_join_unjoindomain_remove_secrets(TALLOC_CTX *mem_ctx,
1193                                                     struct libnet_UnjoinCtx *r)
1194 {
1195         if (!secrets_delete_machine_password_ex(lp_workgroup())) {
1196                 return false;
1197         }
1198
1199         if (!secrets_delete_domain_sid(lp_workgroup())) {
1200                 return false;
1201         }
1202
1203         return true;
1204 }
1205
1206 /****************************************************************
1207 ****************************************************************/
1208
1209 static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
1210                                              struct libnet_UnjoinCtx *r)
1211 {
1212         struct cli_state *cli = NULL;
1213         struct rpc_pipe_client *pipe_hnd = NULL;
1214         struct policy_handle sam_pol, domain_pol, user_pol;
1215         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1216         char *acct_name;
1217         uint32_t user_rid;
1218         struct lsa_String lsa_acct_name;
1219         struct samr_Ids user_rids;
1220         struct samr_Ids name_types;
1221         union samr_UserInfo *info = NULL;
1222
1223         ZERO_STRUCT(sam_pol);
1224         ZERO_STRUCT(domain_pol);
1225         ZERO_STRUCT(user_pol);
1226
1227         status = libnet_join_connect_dc_ipc(r->in.dc_name,
1228                                             r->in.admin_account,
1229                                             r->in.admin_password,
1230                                             r->in.use_kerberos,
1231                                             &cli);
1232         if (!NT_STATUS_IS_OK(status)) {
1233                 goto done;
1234         }
1235
1236         /* Open the domain */
1237
1238         status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
1239                                           &pipe_hnd);
1240         if (!NT_STATUS_IS_OK(status)) {
1241                 DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
1242                         nt_errstr(status)));
1243                 goto done;
1244         }
1245
1246         status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
1247                                       pipe_hnd->desthost,
1248                                       SEC_FLAG_MAXIMUM_ALLOWED,
1249                                       &sam_pol);
1250         if (!NT_STATUS_IS_OK(status)) {
1251                 goto done;
1252         }
1253
1254         status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
1255                                         &sam_pol,
1256                                         SEC_FLAG_MAXIMUM_ALLOWED,
1257                                         r->in.domain_sid,
1258                                         &domain_pol);
1259         if (!NT_STATUS_IS_OK(status)) {
1260                 goto done;
1261         }
1262
1263         /* Create domain user */
1264
1265         acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name);
1266         strlower_m(acct_name);
1267
1268         init_lsa_String(&lsa_acct_name, acct_name);
1269
1270         status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
1271                                          &domain_pol,
1272                                          1,
1273                                          &lsa_acct_name,
1274                                          &user_rids,
1275                                          &name_types);
1276
1277         if (!NT_STATUS_IS_OK(status)) {
1278                 goto done;
1279         }
1280
1281         if (name_types.ids[0] != SID_NAME_USER) {
1282                 DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name,
1283                         name_types.ids[0]));
1284                 status = NT_STATUS_INVALID_WORKSTATION;
1285                 goto done;
1286         }
1287
1288         user_rid = user_rids.ids[0];
1289
1290         /* Open handle on user */
1291
1292         status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
1293                                       &domain_pol,
1294                                       SEC_FLAG_MAXIMUM_ALLOWED,
1295                                       user_rid,
1296                                       &user_pol);
1297         if (!NT_STATUS_IS_OK(status)) {
1298                 goto done;
1299         }
1300
1301         /* Get user info */
1302
1303         status = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx,
1304                                            &user_pol,
1305                                            16,
1306                                            &info);
1307         if (!NT_STATUS_IS_OK(status)) {
1308                 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
1309                 goto done;
1310         }
1311
1312         /* now disable and setuser info */
1313
1314         info->info16.acct_flags |= ACB_DISABLED;
1315
1316         status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
1317                                          &user_pol,
1318                                          16,
1319                                          info);
1320
1321         rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
1322
1323 done:
1324         if (pipe_hnd) {
1325                 if (is_valid_policy_hnd(&domain_pol)) {
1326                         rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
1327                 }
1328                 if (is_valid_policy_hnd(&sam_pol)) {
1329                         rpccli_samr_Close(pipe_hnd, mem_ctx, &sam_pol);
1330                 }
1331                 TALLOC_FREE(pipe_hnd);
1332         }
1333
1334         if (cli) {
1335                 cli_shutdown(cli);
1336         }
1337
1338         return status;
1339 }
1340
1341 /****************************************************************
1342 ****************************************************************/
1343
1344 static WERROR do_join_modify_vals_config(struct libnet_JoinCtx *r)
1345 {
1346         WERROR werr;
1347         struct smbconf_ctx *ctx;
1348
1349         werr = smbconf_init_reg(r, &ctx, NULL);
1350         if (!W_ERROR_IS_OK(werr)) {
1351                 goto done;
1352         }
1353
1354         if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE)) {
1355
1356                 werr = smbconf_set_global_parameter(ctx, "security", "user");
1357                 W_ERROR_NOT_OK_GOTO_DONE(werr);
1358
1359                 werr = smbconf_set_global_parameter(ctx, "workgroup",
1360                                                     r->in.domain_name);
1361
1362                 smbconf_delete_global_parameter(ctx, "realm");
1363                 goto done;
1364         }
1365
1366         werr = smbconf_set_global_parameter(ctx, "security", "domain");
1367         W_ERROR_NOT_OK_GOTO_DONE(werr);
1368
1369         werr = smbconf_set_global_parameter(ctx, "workgroup",
1370                                             r->out.netbios_domain_name);
1371         W_ERROR_NOT_OK_GOTO_DONE(werr);
1372
1373         if (r->out.domain_is_ad) {
1374                 werr = smbconf_set_global_parameter(ctx, "security", "ads");
1375                 W_ERROR_NOT_OK_GOTO_DONE(werr);
1376
1377                 werr = smbconf_set_global_parameter(ctx, "realm",
1378                                                     r->out.dns_domain_name);
1379                 W_ERROR_NOT_OK_GOTO_DONE(werr);
1380         }
1381
1382  done:
1383         smbconf_shutdown(ctx);
1384         return werr;
1385 }
1386
1387 /****************************************************************
1388 ****************************************************************/
1389
1390 static WERROR do_unjoin_modify_vals_config(struct libnet_UnjoinCtx *r)
1391 {
1392         WERROR werr = WERR_OK;
1393         struct smbconf_ctx *ctx;
1394
1395         werr = smbconf_init_reg(r, &ctx, NULL);
1396         if (!W_ERROR_IS_OK(werr)) {
1397                 goto done;
1398         }
1399
1400         if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1401
1402                 werr = smbconf_set_global_parameter(ctx, "security", "user");
1403                 W_ERROR_NOT_OK_GOTO_DONE(werr);
1404
1405                 werr = smbconf_delete_global_parameter(ctx, "workgroup");
1406                 W_ERROR_NOT_OK_GOTO_DONE(werr);
1407
1408                 smbconf_delete_global_parameter(ctx, "realm");
1409         }
1410
1411  done:
1412         smbconf_shutdown(ctx);
1413         return werr;
1414 }
1415
1416 /****************************************************************
1417 ****************************************************************/
1418
1419 static WERROR do_JoinConfig(struct libnet_JoinCtx *r)
1420 {
1421         WERROR werr;
1422
1423         if (!W_ERROR_IS_OK(r->out.result)) {
1424                 return r->out.result;
1425         }
1426
1427         if (!r->in.modify_config) {
1428                 return WERR_OK;
1429         }
1430
1431         werr = do_join_modify_vals_config(r);
1432         if (!W_ERROR_IS_OK(werr)) {
1433                 return werr;
1434         }
1435
1436         lp_load(get_dyn_CONFIGFILE(),true,false,false,true);
1437
1438         r->out.modified_config = true;
1439         r->out.result = werr;
1440
1441         return werr;
1442 }
1443
1444 /****************************************************************
1445 ****************************************************************/
1446
1447 static WERROR libnet_unjoin_config(struct libnet_UnjoinCtx *r)
1448 {
1449         WERROR werr;
1450
1451         if (!W_ERROR_IS_OK(r->out.result)) {
1452                 return r->out.result;
1453         }
1454
1455         if (!r->in.modify_config) {
1456                 return WERR_OK;
1457         }
1458
1459         werr = do_unjoin_modify_vals_config(r);
1460         if (!W_ERROR_IS_OK(werr)) {
1461                 return werr;
1462         }
1463
1464         lp_load(get_dyn_CONFIGFILE(),true,false,false,true);
1465
1466         r->out.modified_config = true;
1467         r->out.result = werr;
1468
1469         return werr;
1470 }
1471
1472 /****************************************************************
1473 ****************************************************************/
1474
1475 static bool libnet_parse_domain_dc(TALLOC_CTX *mem_ctx,
1476                                    const char *domain_str,
1477                                    const char **domain_p,
1478                                    const char **dc_p)
1479 {
1480         char *domain = NULL;
1481         char *dc = NULL;
1482         const char *p = NULL;
1483
1484         if (!domain_str || !domain_p || !dc_p) {
1485                 return false;
1486         }
1487
1488         p = strchr_m(domain_str, '\\');
1489
1490         if (p != NULL) {
1491                 domain = talloc_strndup(mem_ctx, domain_str,
1492                                          PTR_DIFF(p, domain_str));
1493                 dc = talloc_strdup(mem_ctx, p+1);
1494                 if (!dc) {
1495                         return false;
1496                 }
1497         } else {
1498                 domain = talloc_strdup(mem_ctx, domain_str);
1499                 dc = NULL;
1500         }
1501         if (!domain) {
1502                 return false;
1503         }
1504
1505         *domain_p = domain;
1506
1507         if (!*dc_p && dc) {
1508                 *dc_p = dc;
1509         }
1510
1511         return true;
1512 }
1513
1514 /****************************************************************
1515 ****************************************************************/
1516
1517 static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
1518                                          struct libnet_JoinCtx *r)
1519 {
1520         if (!r->in.domain_name) {
1521                 libnet_join_set_error_string(mem_ctx, r,
1522                         "No domain name defined");
1523                 return WERR_INVALID_PARAM;
1524         }
1525
1526         if (!libnet_parse_domain_dc(mem_ctx, r->in.domain_name,
1527                                     &r->in.domain_name,
1528                                     &r->in.dc_name)) {
1529                 libnet_join_set_error_string(mem_ctx, r,
1530                         "Failed to parse domain name");
1531                 return WERR_INVALID_PARAM;
1532         }
1533
1534         if (IS_DC) {
1535                 return WERR_SETUP_DOMAIN_CONTROLLER;
1536         }
1537
1538         if (!secrets_init()) {
1539                 libnet_join_set_error_string(mem_ctx, r,
1540                         "Unable to open secrets database");
1541                 return WERR_CAN_NOT_COMPLETE;
1542         }
1543
1544         return WERR_OK;
1545 }
1546
1547 /****************************************************************
1548 ****************************************************************/
1549
1550 static void libnet_join_add_dom_rids_to_builtins(struct dom_sid *domain_sid)
1551 {
1552         NTSTATUS status;
1553
1554         /* Try adding dom admins to builtin\admins. Only log failures. */
1555         status = create_builtin_administrators(domain_sid);
1556         if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
1557                 DEBUG(10,("Unable to auto-add domain administrators to "
1558                           "BUILTIN\\Administrators during join because "
1559                           "winbindd must be running."));
1560         } else if (!NT_STATUS_IS_OK(status)) {
1561                 DEBUG(5, ("Failed to auto-add domain administrators to "
1562                           "BUILTIN\\Administrators during join: %s\n",
1563                           nt_errstr(status)));
1564         }
1565
1566         /* Try adding dom users to builtin\users. Only log failures. */
1567         status = create_builtin_users(domain_sid);
1568         if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
1569                 DEBUG(10,("Unable to auto-add domain users to BUILTIN\\users "
1570                           "during join because winbindd must be running."));
1571         } else if (!NT_STATUS_IS_OK(status)) {
1572                 DEBUG(5, ("Failed to auto-add domain administrators to "
1573                           "BUILTIN\\Administrators during join: %s\n",
1574                           nt_errstr(status)));
1575         }
1576 }
1577
1578 /****************************************************************
1579 ****************************************************************/
1580
1581 static WERROR libnet_join_post_processing(TALLOC_CTX *mem_ctx,
1582                                           struct libnet_JoinCtx *r)
1583 {
1584         WERROR werr;
1585
1586         if (!W_ERROR_IS_OK(r->out.result)) {
1587                 return r->out.result;
1588         }
1589
1590         werr = do_JoinConfig(r);
1591         if (!W_ERROR_IS_OK(werr)) {
1592                 return werr;
1593         }
1594
1595         if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE)) {
1596                 return WERR_OK;
1597         }
1598
1599         saf_join_store(r->out.netbios_domain_name, r->in.dc_name);
1600         if (r->out.dns_domain_name) {
1601                 saf_join_store(r->out.dns_domain_name, r->in.dc_name);
1602         }
1603
1604 #ifdef WITH_ADS
1605         if (r->out.domain_is_ad &&
1606             !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
1607                 ADS_STATUS ads_status;
1608
1609                 ads_status  = libnet_join_post_processing_ads(mem_ctx, r);
1610                 if (!ADS_ERR_OK(ads_status)) {
1611                         return WERR_GENERAL_FAILURE;
1612                 }
1613         }
1614 #endif /* WITH_ADS */
1615
1616         libnet_join_add_dom_rids_to_builtins(r->out.domain_sid);
1617
1618         return WERR_OK;
1619 }
1620
1621 /****************************************************************
1622 ****************************************************************/
1623
1624 static int libnet_destroy_JoinCtx(struct libnet_JoinCtx *r)
1625 {
1626         const char *krb5_cc_env = NULL;
1627
1628         if (r->in.ads) {
1629                 ads_destroy(&r->in.ads);
1630         }
1631
1632         krb5_cc_env = getenv(KRB5_ENV_CCNAME);
1633         if (krb5_cc_env && StrCaseCmp(krb5_cc_env, "MEMORY:libnetjoin")) {
1634                 unsetenv(KRB5_ENV_CCNAME);
1635         }
1636
1637         return 0;
1638 }
1639
1640 /****************************************************************
1641 ****************************************************************/
1642
1643 static int libnet_destroy_UnjoinCtx(struct libnet_UnjoinCtx *r)
1644 {
1645         const char *krb5_cc_env = NULL;
1646
1647         if (r->in.ads) {
1648                 ads_destroy(&r->in.ads);
1649         }
1650
1651         krb5_cc_env = getenv(KRB5_ENV_CCNAME);
1652         if (krb5_cc_env && StrCaseCmp(krb5_cc_env, "MEMORY:libnetjoin")) {
1653                 unsetenv(KRB5_ENV_CCNAME);
1654         }
1655
1656         return 0;
1657 }
1658
1659 /****************************************************************
1660 ****************************************************************/
1661
1662 WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
1663                            struct libnet_JoinCtx **r)
1664 {
1665         struct libnet_JoinCtx *ctx;
1666         const char *krb5_cc_env = NULL;
1667
1668         ctx = talloc_zero(mem_ctx, struct libnet_JoinCtx);
1669         if (!ctx) {
1670                 return WERR_NOMEM;
1671         }
1672
1673         talloc_set_destructor(ctx, libnet_destroy_JoinCtx);
1674
1675         ctx->in.machine_name = talloc_strdup(mem_ctx, global_myname());
1676         W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
1677
1678         krb5_cc_env = getenv(KRB5_ENV_CCNAME);
1679         if (!krb5_cc_env || (strlen(krb5_cc_env) == 0)) {
1680                 krb5_cc_env = talloc_strdup(mem_ctx, "MEMORY:libnetjoin");
1681                 W_ERROR_HAVE_NO_MEMORY(krb5_cc_env);
1682                 setenv(KRB5_ENV_CCNAME, krb5_cc_env, 1);
1683         }
1684
1685         ctx->in.secure_channel_type = SEC_CHAN_WKSTA;
1686
1687         *r = ctx;
1688
1689         return WERR_OK;
1690 }
1691
1692 /****************************************************************
1693 ****************************************************************/
1694
1695 WERROR libnet_init_UnjoinCtx(TALLOC_CTX *mem_ctx,
1696                              struct libnet_UnjoinCtx **r)
1697 {
1698         struct libnet_UnjoinCtx *ctx;
1699         const char *krb5_cc_env = NULL;
1700
1701         ctx = talloc_zero(mem_ctx, struct libnet_UnjoinCtx);
1702         if (!ctx) {
1703                 return WERR_NOMEM;
1704         }
1705
1706         talloc_set_destructor(ctx, libnet_destroy_UnjoinCtx);
1707
1708         ctx->in.machine_name = talloc_strdup(mem_ctx, global_myname());
1709         W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
1710
1711         krb5_cc_env = getenv(KRB5_ENV_CCNAME);
1712         if (!krb5_cc_env || (strlen(krb5_cc_env) == 0)) {
1713                 krb5_cc_env = talloc_strdup(mem_ctx, "MEMORY:libnetjoin");
1714                 W_ERROR_HAVE_NO_MEMORY(krb5_cc_env);
1715                 setenv(KRB5_ENV_CCNAME, krb5_cc_env, 1);
1716         }
1717
1718         *r = ctx;
1719
1720         return WERR_OK;
1721 }
1722
1723 /****************************************************************
1724 ****************************************************************/
1725
1726 static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
1727                                        struct libnet_JoinCtx *r)
1728 {
1729         bool valid_security = false;
1730         bool valid_workgroup = false;
1731         bool valid_realm = false;
1732
1733         /* check if configuration is already set correctly */
1734
1735         valid_workgroup = strequal(lp_workgroup(), r->out.netbios_domain_name);
1736
1737         switch (r->out.domain_is_ad) {
1738                 case false:
1739                         valid_security = (lp_security() == SEC_DOMAIN);
1740                         if (valid_workgroup && valid_security) {
1741                                 /* nothing to be done */
1742                                 return WERR_OK;
1743                         }
1744                         break;
1745                 case true:
1746                         valid_realm = strequal(lp_realm(), r->out.dns_domain_name);
1747                         switch (lp_security()) {
1748                         case SEC_DOMAIN:
1749                         case SEC_ADS:
1750                                 valid_security = true;
1751                         }
1752
1753                         if (valid_workgroup && valid_realm && valid_security) {
1754                                 /* nothing to be done */
1755                                 return WERR_OK;
1756                         }
1757                         break;
1758         }
1759
1760         /* check if we are supposed to manipulate configuration */
1761
1762         if (!r->in.modify_config) {
1763
1764                 char *wrong_conf = talloc_strdup(mem_ctx, "");
1765
1766                 if (!valid_workgroup) {
1767                         wrong_conf = talloc_asprintf_append(wrong_conf,
1768                                 "\"workgroup\" set to '%s', should be '%s'",
1769                                 lp_workgroup(), r->out.netbios_domain_name);
1770                         W_ERROR_HAVE_NO_MEMORY(wrong_conf);
1771                 }
1772
1773                 if (!valid_realm) {
1774                         wrong_conf = talloc_asprintf_append(wrong_conf,
1775                                 "\"realm\" set to '%s', should be '%s'",
1776                                 lp_realm(), r->out.dns_domain_name);
1777                         W_ERROR_HAVE_NO_MEMORY(wrong_conf);
1778                 }
1779
1780                 if (!valid_security) {
1781                         const char *sec = NULL;
1782                         switch (lp_security()) {
1783                         case SEC_SHARE: sec = "share"; break;
1784                         case SEC_USER:  sec = "user"; break;
1785                         case SEC_DOMAIN: sec = "domain"; break;
1786                         case SEC_ADS: sec = "ads"; break;
1787                         }
1788                         wrong_conf = talloc_asprintf_append(wrong_conf,
1789                                 "\"security\" set to '%s', should be %s",
1790                                 sec, r->out.domain_is_ad ?
1791                                 "either 'domain' or 'ads'" : "'domain'");
1792                         W_ERROR_HAVE_NO_MEMORY(wrong_conf);
1793                 }
1794
1795                 libnet_join_set_error_string(mem_ctx, r,
1796                         "Invalid configuration (%s) and configuration modification "
1797                         "was not requested", wrong_conf);
1798                 return WERR_CAN_NOT_COMPLETE;
1799         }
1800
1801         /* check if we are able to manipulate configuration */
1802
1803         if (!lp_config_backend_is_registry()) {
1804                 libnet_join_set_error_string(mem_ctx, r,
1805                         "Configuration manipulation requested but not "
1806                         "supported by backend");
1807                 return WERR_NOT_SUPPORTED;
1808         }
1809
1810         return WERR_OK;
1811 }
1812
1813 /****************************************************************
1814 ****************************************************************/
1815
1816 static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
1817                                 struct libnet_JoinCtx *r)
1818 {
1819         NTSTATUS status;
1820         WERROR werr;
1821         struct cli_state *cli = NULL;
1822 #ifdef WITH_ADS
1823         ADS_STATUS ads_status;
1824 #endif /* WITH_ADS */
1825
1826         if (!r->in.dc_name) {
1827                 struct netr_DsRGetDCNameInfo *info;
1828                 const char *dc;
1829                 status = dsgetdcname(mem_ctx,
1830                                      r->in.msg_ctx,
1831                                      r->in.domain_name,
1832                                      NULL,
1833                                      NULL,
1834                                      DS_FORCE_REDISCOVERY |
1835                                      DS_DIRECTORY_SERVICE_REQUIRED |
1836                                      DS_WRITABLE_REQUIRED |
1837                                      DS_RETURN_DNS_NAME,
1838                                      &info);
1839                 if (!NT_STATUS_IS_OK(status)) {
1840                         libnet_join_set_error_string(mem_ctx, r,
1841                                 "failed to find DC for domain %s",
1842                                 r->in.domain_name,
1843                                 get_friendly_nt_error_msg(status));
1844                         return WERR_DCNOTFOUND;
1845                 }
1846
1847                 dc = strip_hostname(info->dc_unc);
1848                 r->in.dc_name = talloc_strdup(mem_ctx, dc);
1849                 W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
1850         }
1851
1852         status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli);
1853         if (!NT_STATUS_IS_OK(status)) {
1854                 libnet_join_set_error_string(mem_ctx, r,
1855                         "failed to lookup DC info for domain '%s' over rpc: %s",
1856                         r->in.domain_name, get_friendly_nt_error_msg(status));
1857                 return ntstatus_to_werror(status);
1858         }
1859
1860         werr = libnet_join_check_config(mem_ctx, r);
1861         if (!W_ERROR_IS_OK(werr)) {
1862                 goto done;
1863         }
1864
1865 #ifdef WITH_ADS
1866         if (r->out.domain_is_ad && r->in.account_ou &&
1867             !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
1868
1869                 ads_status = libnet_join_connect_ads(mem_ctx, r);
1870                 if (!ADS_ERR_OK(ads_status)) {
1871                         return WERR_DEFAULT_JOIN_REQUIRED;
1872                 }
1873
1874                 ads_status = libnet_join_precreate_machine_acct(mem_ctx, r);
1875                 if (!ADS_ERR_OK(ads_status)) {
1876                         libnet_join_set_error_string(mem_ctx, r,
1877                                 "failed to precreate account in ou %s: %s",
1878                                 r->in.account_ou,
1879                                 ads_errstr(ads_status));
1880                         return WERR_DEFAULT_JOIN_REQUIRED;
1881                 }
1882
1883                 r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE;
1884         }
1885 #endif /* WITH_ADS */
1886
1887         if ((r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) &&
1888             (r->in.join_flags & WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED)) {
1889                 status = libnet_join_joindomain_rpc_unsecure(mem_ctx, r, cli);
1890         } else {
1891                 status = libnet_join_joindomain_rpc(mem_ctx, r, cli);
1892         }
1893         if (!NT_STATUS_IS_OK(status)) {
1894                 libnet_join_set_error_string(mem_ctx, r,
1895                         "failed to join domain '%s' over rpc: %s",
1896                         r->in.domain_name, get_friendly_nt_error_msg(status));
1897                 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
1898                         return WERR_SETUP_ALREADY_JOINED;
1899                 }
1900                 werr = ntstatus_to_werror(status);
1901                 goto done;
1902         }
1903
1904         if (!libnet_join_joindomain_store_secrets(mem_ctx, r)) {
1905                 werr = WERR_SETUP_NOT_JOINED;
1906                 goto done;
1907         }
1908
1909         werr = WERR_OK;
1910
1911  done:
1912         if (cli) {
1913                 cli_shutdown(cli);
1914         }
1915
1916         return werr;
1917 }
1918
1919 /****************************************************************
1920 ****************************************************************/
1921
1922 static WERROR libnet_join_rollback(TALLOC_CTX *mem_ctx,
1923                                    struct libnet_JoinCtx *r)
1924 {
1925         WERROR werr;
1926         struct libnet_UnjoinCtx *u = NULL;
1927
1928         werr = libnet_init_UnjoinCtx(mem_ctx, &u);
1929         if (!W_ERROR_IS_OK(werr)) {
1930                 return werr;
1931         }
1932
1933         u->in.debug             = r->in.debug;
1934         u->in.dc_name           = r->in.dc_name;
1935         u->in.domain_name       = r->in.domain_name;
1936         u->in.admin_account     = r->in.admin_account;
1937         u->in.admin_password    = r->in.admin_password;
1938         u->in.modify_config     = r->in.modify_config;
1939         u->in.unjoin_flags      = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
1940                                   WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
1941
1942         werr = libnet_Unjoin(mem_ctx, u);
1943         TALLOC_FREE(u);
1944
1945         return werr;
1946 }
1947
1948 /****************************************************************
1949 ****************************************************************/
1950
1951 WERROR libnet_Join(TALLOC_CTX *mem_ctx,
1952                    struct libnet_JoinCtx *r)
1953 {
1954         WERROR werr;
1955
1956         if (r->in.debug) {
1957                 LIBNET_JOIN_IN_DUMP_CTX(mem_ctx, r);
1958         }
1959
1960         werr = libnet_join_pre_processing(mem_ctx, r);
1961         if (!W_ERROR_IS_OK(werr)) {
1962                 goto done;
1963         }
1964
1965         if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1966                 werr = libnet_DomainJoin(mem_ctx, r);
1967                 if (!W_ERROR_IS_OK(werr)) {
1968                         goto done;
1969                 }
1970         }
1971
1972         werr = libnet_join_post_processing(mem_ctx, r);
1973         if (!W_ERROR_IS_OK(werr)) {
1974                 goto done;
1975         }
1976
1977         if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1978                 werr = libnet_join_post_verify(mem_ctx, r);
1979                 if (!W_ERROR_IS_OK(werr)) {
1980                         libnet_join_rollback(mem_ctx, r);
1981                 }
1982         }
1983
1984  done:
1985         r->out.result = werr;
1986
1987         if (r->in.debug) {
1988                 LIBNET_JOIN_OUT_DUMP_CTX(mem_ctx, r);
1989         }
1990         return werr;
1991 }
1992
1993 /****************************************************************
1994 ****************************************************************/
1995
1996 static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
1997                                   struct libnet_UnjoinCtx *r)
1998 {
1999         NTSTATUS status;
2000
2001         if (!r->in.domain_sid) {
2002                 struct dom_sid sid;
2003                 if (!secrets_fetch_domain_sid(lp_workgroup(), &sid)) {
2004                         libnet_unjoin_set_error_string(mem_ctx, r,
2005                                 "Unable to fetch domain sid: are we joined?");
2006                         return WERR_SETUP_NOT_JOINED;
2007                 }
2008                 r->in.domain_sid = sid_dup_talloc(mem_ctx, &sid);
2009                 W_ERROR_HAVE_NO_MEMORY(r->in.domain_sid);
2010         }
2011
2012         if (!(r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) && 
2013             !r->in.delete_machine_account) {
2014                 libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
2015                 return WERR_OK;
2016         }
2017
2018         if (!r->in.dc_name) {
2019                 struct netr_DsRGetDCNameInfo *info;
2020                 const char *dc;
2021                 status = dsgetdcname(mem_ctx,
2022                                      r->in.msg_ctx,
2023                                      r->in.domain_name,
2024                                      NULL,
2025                                      NULL,
2026                                      DS_DIRECTORY_SERVICE_REQUIRED |
2027                                      DS_WRITABLE_REQUIRED |
2028                                      DS_RETURN_DNS_NAME,
2029                                      &info);
2030                 if (!NT_STATUS_IS_OK(status)) {
2031                         libnet_unjoin_set_error_string(mem_ctx, r,
2032                                 "failed to find DC for domain %s",
2033                                 r->in.domain_name,
2034                                 get_friendly_nt_error_msg(status));
2035                         return WERR_DCNOTFOUND;
2036                 }
2037
2038                 dc = strip_hostname(info->dc_unc);
2039                 r->in.dc_name = talloc_strdup(mem_ctx, dc);
2040                 W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
2041         }
2042
2043 #ifdef WITH_ADS
2044         /* for net ads leave, try to delete the account.  If it works, 
2045            no sense in disabling.  If it fails, we can still try to 
2046            disable it. jmcd */
2047            
2048         if (r->in.delete_machine_account) {
2049                 ADS_STATUS ads_status;
2050                 ads_status = libnet_unjoin_connect_ads(mem_ctx, r);
2051                 if (ADS_ERR_OK(ads_status)) {
2052                         /* dirty hack */
2053                         r->out.dns_domain_name = 
2054                                 talloc_strdup(mem_ctx,
2055                                               r->in.ads->server.realm);
2056                         ads_status = 
2057                                 libnet_unjoin_remove_machine_acct(mem_ctx, r);
2058                 }
2059                 if (!ADS_ERR_OK(ads_status)) {
2060                         libnet_unjoin_set_error_string(mem_ctx, r,
2061                                 "failed to remove machine account from AD: %s",
2062                                 ads_errstr(ads_status));
2063                 } else {
2064                         r->out.deleted_machine_account = true;
2065                         W_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name);
2066                         libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
2067                         return WERR_OK;
2068                 }
2069         }
2070 #endif /* WITH_ADS */
2071
2072         /* The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag really means 
2073            "disable".  */
2074         if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) {
2075                 status = libnet_join_unjoindomain_rpc(mem_ctx, r);
2076                 if (!NT_STATUS_IS_OK(status)) {
2077                         libnet_unjoin_set_error_string(mem_ctx, r,
2078                                 "failed to disable machine account via rpc: %s",
2079                                 get_friendly_nt_error_msg(status));
2080                         if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
2081                                 return WERR_SETUP_NOT_JOINED;
2082                         }
2083                         return ntstatus_to_werror(status);
2084                 }
2085                 
2086                 r->out.disabled_machine_account = true;
2087         }
2088
2089         /* If disable succeeded or was not requested at all, we 
2090            should be getting rid of our end of things */
2091
2092         libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
2093
2094         return WERR_OK;
2095 }
2096
2097 /****************************************************************
2098 ****************************************************************/
2099
2100 static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx,
2101                                            struct libnet_UnjoinCtx *r)
2102 {
2103         if (!r->in.domain_name) {
2104                 libnet_unjoin_set_error_string(mem_ctx, r,
2105                         "No domain name defined");
2106                 return WERR_INVALID_PARAM;
2107         }
2108
2109         if (!libnet_parse_domain_dc(mem_ctx, r->in.domain_name,
2110                                     &r->in.domain_name,
2111                                     &r->in.dc_name)) {
2112                 libnet_unjoin_set_error_string(mem_ctx, r,
2113                         "Failed to parse domain name");
2114                 return WERR_INVALID_PARAM;
2115         }
2116
2117         if (IS_DC) {
2118                 return WERR_SETUP_DOMAIN_CONTROLLER;
2119         }
2120
2121         if (!secrets_init()) {
2122                 libnet_unjoin_set_error_string(mem_ctx, r,
2123                         "Unable to open secrets database");
2124                 return WERR_CAN_NOT_COMPLETE;
2125         }
2126
2127         return WERR_OK;
2128 }
2129
2130 /****************************************************************
2131 ****************************************************************/
2132
2133 static WERROR libnet_unjoin_post_processing(TALLOC_CTX *mem_ctx,
2134                                             struct libnet_UnjoinCtx *r)
2135 {
2136         saf_delete(r->out.netbios_domain_name);
2137         saf_delete(r->out.dns_domain_name);
2138
2139         return libnet_unjoin_config(r);
2140 }
2141
2142 /****************************************************************
2143 ****************************************************************/
2144
2145 WERROR libnet_Unjoin(TALLOC_CTX *mem_ctx,
2146                      struct libnet_UnjoinCtx *r)
2147 {
2148         WERROR werr;
2149
2150         if (r->in.debug) {
2151                 LIBNET_UNJOIN_IN_DUMP_CTX(mem_ctx, r);
2152         }
2153
2154         werr = libnet_unjoin_pre_processing(mem_ctx, r);
2155         if (!W_ERROR_IS_OK(werr)) {
2156                 goto done;
2157         }
2158
2159         if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
2160                 werr = libnet_DomainUnjoin(mem_ctx, r);
2161                 if (!W_ERROR_IS_OK(werr)) {
2162                         libnet_unjoin_config(r);
2163                         goto done;
2164                 }
2165         }
2166
2167         werr = libnet_unjoin_post_processing(mem_ctx, r);
2168         if (!W_ERROR_IS_OK(werr)) {
2169                 goto done;
2170         }
2171
2172  done:
2173         r->out.result = werr;
2174
2175         if (r->in.debug) {
2176                 LIBNET_UNJOIN_OUT_DUMP_CTX(mem_ctx, r);
2177         }
2178
2179         return werr;
2180 }