s4:torture:smb2: remove an unused variable from torture_smb2_setinfo()
[samba.git] / source4 / libnet / libnet_join.c
1 /* 
2    Unix SMB/CIFS implementation.
3    
4    Copyright (C) Stefan Metzmacher      2004
5    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
6    Copyright (C) Brad Henry 2005
7  
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "libnet/libnet.h"
24 #include "librpc/gen_ndr/ndr_drsuapi_c.h"
25 #include <ldb.h>
26 #include <ldb_errors.h>
27 #include "dsdb/samdb/samdb.h"
28 #include "ldb_wrap.h"
29 #include "libcli/security/security.h"
30 #include "auth/credentials/credentials.h"
31 #include "auth/credentials/credentials_krb5.h"
32 #include "librpc/gen_ndr/ndr_samr_c.h"
33 #include "param/param.h"
34 #include "param/provision.h"
35 #include "system/kerberos.h"
36 #include "auth/kerberos/kerberos.h"
37
38 /*
39  * complete a domain join, when joining to a AD domain:
40  * 1.) connect and bind to the DRSUAPI pipe
41  * 2.) do a DsCrackNames() to find the machine account dn
42  * 3.) connect to LDAP
43  * 4.) do an ldap search to find the "msDS-KeyVersionNumber" of the machine account
44  * 5.) set the servicePrincipalName's of the machine account via LDAP, (maybe we should use DsWriteAccountSpn()...)
45  * 6.) do a DsCrackNames() to find the domain dn
46  * 7.) find out Site specific stuff, look at libnet_JoinSite() for details
47  */
48 static NTSTATUS libnet_JoinADSDomain(struct libnet_context *ctx, struct libnet_JoinDomain *r)
49 {
50         NTSTATUS status;
51
52         TALLOC_CTX *tmp_ctx;
53
54         const char *realm = r->out.realm;
55
56         struct dcerpc_binding *samr_binding = r->out.samr_binding;
57
58         struct dcerpc_pipe *drsuapi_pipe;
59         struct dcerpc_binding *drsuapi_binding;
60         struct drsuapi_DsBind r_drsuapi_bind;
61         struct drsuapi_DsCrackNames r_crack_names;
62         struct drsuapi_DsNameString names[1];
63         struct policy_handle drsuapi_bind_handle;
64         struct GUID drsuapi_bind_guid;
65
66         struct ldb_context *remote_ldb;
67         struct ldb_dn *account_dn;
68         const char *account_dn_str;
69         const char *remote_ldb_url;
70         struct ldb_result *res;
71         struct ldb_message *msg;
72
73         int ret, rtn;
74
75         const char * const attrs[] = {
76                 "msDS-KeyVersionNumber",
77                 "servicePrincipalName",
78                 "dNSHostName",
79                 "objectGUID",
80                 NULL,
81         };
82
83         r->out.error_string = NULL;
84         
85         /* We need to convert between a samAccountName and domain to a
86          * DN in the directory.  The correct way to do this is with
87          * DRSUAPI CrackNames */
88
89         /* Fiddle with the bindings, so get to DRSUAPI on
90          * NCACN_IP_TCP, sealed */
91         tmp_ctx = talloc_named(r, 0, "libnet_JoinADSDomain temp context");  
92         if (!tmp_ctx) {
93                 r->out.error_string = NULL;
94                 return NT_STATUS_NO_MEMORY;
95         }
96                                                    
97         drsuapi_binding = talloc_zero(tmp_ctx, struct dcerpc_binding);
98         if (!drsuapi_binding) {
99                 r->out.error_string = NULL;
100                 talloc_free(tmp_ctx);
101                 return NT_STATUS_NO_MEMORY;
102         }
103         
104         *drsuapi_binding = *samr_binding;
105
106         /* DRSUAPI is only available on IP_TCP, and locally on NCALRPC */
107         if (drsuapi_binding->transport != NCALRPC) {
108                 drsuapi_binding->transport = NCACN_IP_TCP;
109         }
110         drsuapi_binding->endpoint = NULL;
111         drsuapi_binding->flags |= DCERPC_SEAL;
112
113         status = dcerpc_pipe_connect_b(tmp_ctx, 
114                                        &drsuapi_pipe,
115                                        drsuapi_binding,
116                                        &ndr_table_drsuapi,
117                                        ctx->cred, 
118                                        ctx->event_ctx,
119                                        ctx->lp_ctx);
120         if (!NT_STATUS_IS_OK(status)) {
121                 r->out.error_string = talloc_asprintf(r,
122                                         "Connection to DRSUAPI pipe of PDC of domain '%s' failed: %s",
123                                         r->out.domain_name,
124                                         nt_errstr(status));
125                 talloc_free(tmp_ctx);
126                 return status;
127         }
128
129         /* get a DRSUAPI pipe handle */
130         GUID_from_string(DRSUAPI_DS_BIND_GUID, &drsuapi_bind_guid);
131
132         r_drsuapi_bind.in.bind_guid = &drsuapi_bind_guid;
133         r_drsuapi_bind.in.bind_info = NULL;
134         r_drsuapi_bind.out.bind_handle = &drsuapi_bind_handle;
135
136         status = dcerpc_drsuapi_DsBind_r(drsuapi_pipe->binding_handle, tmp_ctx, &r_drsuapi_bind);
137         if (!NT_STATUS_IS_OK(status)) {
138                 r->out.error_string
139                         = talloc_asprintf(r,
140                                           "dcerpc_drsuapi_DsBind failed - %s",
141                                           nt_errstr(status));
142                 talloc_free(tmp_ctx);
143                 return status;
144         } else if (!W_ERROR_IS_OK(r_drsuapi_bind.out.result)) {
145                 r->out.error_string
146                                 = talloc_asprintf(r,
147                                                   "DsBind failed - %s", 
148                                                   win_errstr(r_drsuapi_bind.out.result));
149                         talloc_free(tmp_ctx);
150                 return NT_STATUS_UNSUCCESSFUL;
151         }
152
153         /* Actually 'crack' the names */
154         ZERO_STRUCT(r_crack_names);
155         r_crack_names.in.bind_handle            = &drsuapi_bind_handle;
156         r_crack_names.in.level                  = 1;
157         r_crack_names.in.req                    = talloc(r, union drsuapi_DsNameRequest);
158         if (!r_crack_names.in.req) {
159                 r->out.error_string = NULL;
160                 talloc_free(tmp_ctx);
161                 return NT_STATUS_NO_MEMORY;
162         }
163         r_crack_names.in.req->req1.codepage     = 1252; /* western european */
164         r_crack_names.in.req->req1.language     = 0x00000407; /* german */
165         r_crack_names.in.req->req1.count        = 1;
166         r_crack_names.in.req->req1.names        = names;
167         r_crack_names.in.req->req1.format_flags = DRSUAPI_DS_NAME_FLAG_NO_FLAGS;
168         r_crack_names.in.req->req1.format_offered = DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY;
169         r_crack_names.in.req->req1.format_desired = DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
170         names[0].str = dom_sid_string(tmp_ctx, r->out.account_sid);
171         if (!names[0].str) {
172                 r->out.error_string = NULL;
173                 talloc_free(tmp_ctx);
174                 return NT_STATUS_NO_MEMORY;
175         }
176
177         r_crack_names.out.ctr                   = talloc(r, union drsuapi_DsNameCtr);
178         r_crack_names.out.level_out             = talloc(r, uint32_t);
179         if (!r_crack_names.out.ctr || !r_crack_names.out.level_out) {
180                 r->out.error_string = NULL;
181                 talloc_free(tmp_ctx);
182                 return NT_STATUS_NO_MEMORY;
183         }
184
185         status = dcerpc_drsuapi_DsCrackNames_r(drsuapi_pipe->binding_handle, tmp_ctx, &r_crack_names);
186         if (!NT_STATUS_IS_OK(status)) {
187                 r->out.error_string
188                         = talloc_asprintf(r,
189                                           "dcerpc_drsuapi_DsCrackNames for [%s] failed - %s",
190                                           names[0].str,
191                                           nt_errstr(status));
192                 talloc_free(tmp_ctx);
193                 return status;
194         } else if (!W_ERROR_IS_OK(r_crack_names.out.result)) {
195                 r->out.error_string
196                                 = talloc_asprintf(r,
197                                                   "DsCrackNames failed - %s", win_errstr(r_crack_names.out.result));
198                 talloc_free(tmp_ctx);
199                 return NT_STATUS_UNSUCCESSFUL;
200         } else if (*r_crack_names.out.level_out != 1
201                    || !r_crack_names.out.ctr->ctr1
202                    || r_crack_names.out.ctr->ctr1->count != 1) {
203                 r->out.error_string = talloc_asprintf(r, "DsCrackNames failed");
204                 talloc_free(tmp_ctx);
205                 return NT_STATUS_INVALID_PARAMETER;
206         } else if (r_crack_names.out.ctr->ctr1->array[0].status != DRSUAPI_DS_NAME_STATUS_OK) {
207                 r->out.error_string = talloc_asprintf(r, "DsCrackNames failed: %d", r_crack_names.out.ctr->ctr1->array[0].status);
208                 talloc_free(tmp_ctx);
209                 return NT_STATUS_UNSUCCESSFUL;
210         } else if (r_crack_names.out.ctr->ctr1->array[0].result_name == NULL) {
211                 r->out.error_string = talloc_asprintf(r, "DsCrackNames failed: no result name");
212                 talloc_free(tmp_ctx);
213                 return NT_STATUS_INVALID_PARAMETER;
214         }
215
216         /* Store the DN of our machine account. */
217         account_dn_str = r_crack_names.out.ctr->ctr1->array[0].result_name;
218
219         /* Now we know the user's DN, open with LDAP, read and modify a few things */
220
221         remote_ldb_url = talloc_asprintf(tmp_ctx, "ldap://%s", 
222                                          drsuapi_binding->target_hostname);
223         if (!remote_ldb_url) {
224                 r->out.error_string = NULL;
225                 talloc_free(tmp_ctx);
226                 return NT_STATUS_NO_MEMORY;
227         }
228
229         remote_ldb = ldb_wrap_connect(tmp_ctx, ctx->event_ctx, ctx->lp_ctx,
230                                       remote_ldb_url, 
231                                       NULL, ctx->cred, 0);
232         if (!remote_ldb) {
233                 r->out.error_string = NULL;
234                 talloc_free(tmp_ctx);
235                 return NT_STATUS_UNSUCCESSFUL;
236         }
237
238         account_dn = ldb_dn_new(tmp_ctx, remote_ldb, account_dn_str);
239         if (account_dn == NULL) {
240                 r->out.error_string = talloc_asprintf(r, "Invalid account dn: %s",
241                                                       account_dn_str);
242                 talloc_free(tmp_ctx);
243                 return NT_STATUS_UNSUCCESSFUL;
244         }
245
246         /* search for the user's record */
247         ret = ldb_search(remote_ldb, tmp_ctx, &res,
248                          account_dn, LDB_SCOPE_BASE, attrs, NULL);
249         if (ret != LDB_SUCCESS) {
250                 r->out.error_string = talloc_asprintf(r, "ldb_search for %s failed - %s",
251                                                       account_dn_str, ldb_errstring(remote_ldb));
252                 talloc_free(tmp_ctx);
253                 return NT_STATUS_UNSUCCESSFUL;
254         }
255
256         if (res->count != 1) {
257                 r->out.error_string = talloc_asprintf(r, "ldb_search for %s failed - found %d entries",
258                                                       account_dn_str, res->count);
259                 talloc_free(tmp_ctx);
260                 return NT_STATUS_UNSUCCESSFUL;
261         }
262
263         /* Prepare a new message, for the modify */
264         msg = ldb_msg_new(tmp_ctx);
265         if (!msg) {
266                 r->out.error_string = NULL;
267                 talloc_free(tmp_ctx);
268                 return NT_STATUS_NO_MEMORY;
269         }
270         msg->dn = res->msgs[0]->dn;
271
272         {
273                 unsigned int i;
274                 const char *service_principal_name[2];
275                 const char *dns_host_name = strlower_talloc(msg,
276                                                             talloc_asprintf(msg, 
277                                                                             "%s.%s", 
278                                                                             r->in.netbios_name, 
279                                                                             realm));
280
281                 if (!dns_host_name) {
282                         r->out.error_string = NULL;
283                         talloc_free(tmp_ctx);
284                         return NT_STATUS_NO_MEMORY;
285                 }
286
287                 service_principal_name[0] = talloc_asprintf(msg, "HOST/%s",
288                                                             dns_host_name);
289                 service_principal_name[1] = talloc_asprintf(msg, "HOST/%s",
290                                                             r->in.netbios_name);
291                 
292                 for (i=0; i < ARRAY_SIZE(service_principal_name); i++) {
293                         if (!service_principal_name[i]) {
294                                 r->out.error_string = NULL;
295                                 talloc_free(tmp_ctx);
296                                 return NT_STATUS_NO_MEMORY;
297                         }
298                         rtn = ldb_msg_add_string(msg, "servicePrincipalName",
299                                                  service_principal_name[i]);
300                         if (rtn != LDB_SUCCESS) {
301                                 r->out.error_string = NULL;
302                                 talloc_free(tmp_ctx);
303                                 return NT_STATUS_NO_MEMORY;
304                         }
305                 }
306
307                 rtn = ldb_msg_add_string(msg, "dNSHostName", dns_host_name);
308                 if (rtn != LDB_SUCCESS) {
309                         r->out.error_string = NULL;
310                         talloc_free(tmp_ctx);
311                         return NT_STATUS_NO_MEMORY;
312                 }
313
314                 rtn = dsdb_replace(remote_ldb, msg, 0);
315                 if (rtn != LDB_SUCCESS) {
316                         r->out.error_string
317                                 = talloc_asprintf(r, 
318                                                   "Failed to replace entries on %s", 
319                                                   ldb_dn_get_linearized(msg->dn));
320                         talloc_free(tmp_ctx);
321                         return NT_STATUS_INTERNAL_DB_CORRUPTION;
322                 }
323         }
324                                 
325         msg = ldb_msg_new(tmp_ctx);
326         if (!msg) {
327                 r->out.error_string = NULL;
328                 talloc_free(tmp_ctx);
329                 return NT_STATUS_NO_MEMORY;
330         }
331         msg->dn = res->msgs[0]->dn;
332
333         rtn = samdb_msg_add_uint(remote_ldb, msg, msg,
334                                  "msDS-SupportedEncryptionTypes", ENC_ALL_TYPES);
335         if (rtn != LDB_SUCCESS) {
336                 r->out.error_string = NULL;
337                 talloc_free(tmp_ctx);
338                 return NT_STATUS_NO_MEMORY;
339         }
340
341         rtn = dsdb_replace(remote_ldb, msg, 0);
342         /* The remote server may not support this attribute, if it
343          * isn't a modern schema */
344         if (rtn != LDB_SUCCESS && rtn != LDB_ERR_NO_SUCH_ATTRIBUTE) {
345                 r->out.error_string
346                         = talloc_asprintf(r,
347                                           "Failed to replace msDS-SupportedEncryptionTypes on %s",
348                                           ldb_dn_get_linearized(msg->dn));
349                 talloc_free(tmp_ctx);
350                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
351         }
352
353         /* DsCrackNames to find out the DN of the domain. */
354         r_crack_names.in.req->req1.format_offered = DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT;
355         r_crack_names.in.req->req1.format_desired = DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
356         names[0].str = talloc_asprintf(tmp_ctx, "%s\\", r->out.domain_name);
357         if (!names[0].str) {
358                 r->out.error_string = NULL;
359                 talloc_free(tmp_ctx);
360                 return NT_STATUS_NO_MEMORY;
361         }
362
363         status = dcerpc_drsuapi_DsCrackNames_r(drsuapi_pipe->binding_handle, tmp_ctx, &r_crack_names);
364         if (!NT_STATUS_IS_OK(status)) {
365                 r->out.error_string
366                         = talloc_asprintf(r,
367                                           "dcerpc_drsuapi_DsCrackNames for [%s] failed - %s",
368                                           r->in.domain_name,
369                                           nt_errstr(status));
370                 talloc_free(tmp_ctx);
371                 return status;
372         } else if (!W_ERROR_IS_OK(r_crack_names.out.result)) {
373                 r->out.error_string
374                         = talloc_asprintf(r,
375                                           "DsCrackNames failed - %s", win_errstr(r_crack_names.out.result));
376                 talloc_free(tmp_ctx);
377                 return NT_STATUS_UNSUCCESSFUL;
378         } else if (*r_crack_names.out.level_out != 1
379                    || !r_crack_names.out.ctr->ctr1
380                    || r_crack_names.out.ctr->ctr1->count != 1
381                    || !r_crack_names.out.ctr->ctr1->array[0].result_name
382                    || r_crack_names.out.ctr->ctr1->array[0].status != DRSUAPI_DS_NAME_STATUS_OK) {
383                 r->out.error_string = talloc_asprintf(r, "DsCrackNames failed");
384                 talloc_free(tmp_ctx);
385                 return NT_STATUS_UNSUCCESSFUL;
386         }
387
388         /* Store the account DN. */
389         r->out.account_dn_str = account_dn_str;
390         talloc_steal(r, account_dn_str);
391
392         /* Store the domain DN. */
393         r->out.domain_dn_str = r_crack_names.out.ctr->ctr1->array[0].result_name;
394         talloc_steal(r, r_crack_names.out.ctr->ctr1->array[0].result_name);
395
396         /* Store the KVNO of the account, critical for some kerberos
397          * operations */
398         r->out.kvno = ldb_msg_find_attr_as_uint(res->msgs[0], "msDS-KeyVersionNumber", 0);
399
400         /* Store the account GUID. */
401         r->out.account_guid = samdb_result_guid(res->msgs[0], "objectGUID");
402
403         if (r->in.acct_type == ACB_SVRTRUST) {
404                 status = libnet_JoinSite(ctx, remote_ldb, r);
405         }
406         talloc_free(tmp_ctx);
407
408         return status;
409 }
410
411 /*
412  * do a domain join using DCERPC/SAMR calls
413  * - connect to the LSA pipe, to try and find out information about the domain
414  * - create a secondary connection to SAMR pipe
415  * - do a samr_Connect to get a policy handle
416  * - do a samr_LookupDomain to get the domain sid
417  * - do a samr_OpenDomain to get a domain handle
418  * - do a samr_CreateAccount to try and get a new account 
419  * 
420  * If that fails, do:
421  * - do a samr_LookupNames to get the users rid
422  * - do a samr_OpenUser to get a user handle
423  * - potentially delete and recreate the user
424  * - assert the account is of the right type with samrQueryUserInfo
425  * 
426  * - call libnet_SetPassword_samr_handle to set the password,
427  *   and pass a samr_UserInfo21 struct to set full_name and the account flags
428  *
429  * - do some ADS specific things when we join as Domain Controller,
430  *    look at libnet_joinADSDomain() for the details
431  */
432 NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_JoinDomain *r)
433 {
434         TALLOC_CTX *tmp_ctx;
435
436         NTSTATUS status, cu_status;
437
438         struct libnet_RpcConnect *connect_with_info;
439         struct dcerpc_pipe *samr_pipe;
440
441         struct samr_Connect sc;
442         struct policy_handle p_handle;
443         struct samr_OpenDomain od;
444         struct policy_handle d_handle;
445         struct samr_LookupNames ln;
446         struct samr_Ids rids, types;
447         struct samr_OpenUser ou;
448         struct samr_CreateUser2 cu;
449         struct policy_handle *u_handle = NULL;
450         struct samr_QueryUserInfo qui;
451         union samr_UserInfo *uinfo;
452         struct samr_UserInfo21 u_info21;
453         union libnet_SetPassword r2;
454         struct samr_GetUserPwInfo pwp;
455         struct samr_PwInfo info;
456         struct lsa_String samr_account_name;
457         
458         uint32_t acct_flags, old_acct_flags;
459         uint32_t rid, access_granted;
460         int policy_min_pw_len = 0;
461
462         struct dom_sid *account_sid = NULL;
463         const char *password_str = NULL;
464         
465         r->out.error_string = NULL;
466         r2.samr_handle.out.error_string = NULL;
467         
468         tmp_ctx = talloc_named(mem_ctx, 0, "libnet_Join temp context");
469         if (!tmp_ctx) {
470                 r->out.error_string = NULL;
471                 return NT_STATUS_NO_MEMORY;
472         }
473         
474         u_handle = talloc(tmp_ctx, struct policy_handle);
475         if (!u_handle) {
476                 r->out.error_string = NULL;
477                 talloc_free(tmp_ctx);
478                 return NT_STATUS_NO_MEMORY;
479         }
480         
481         connect_with_info = talloc_zero(tmp_ctx, struct libnet_RpcConnect);
482         if (!connect_with_info) {
483                 r->out.error_string = NULL;
484                 talloc_free(tmp_ctx);
485                 return NT_STATUS_NO_MEMORY;
486         }
487
488         /* prepare connect to the SAMR pipe of PDC */
489         if (r->in.level == LIBNET_JOINDOMAIN_AUTOMATIC) {
490                 connect_with_info->in.binding = NULL;
491                 connect_with_info->in.name    = r->in.domain_name;
492         } else {
493                 connect_with_info->in.binding = r->in.binding;
494                 connect_with_info->in.name    = NULL;
495         }
496
497         /* This level makes a connection to the LSA pipe on the way,
498          * to get some useful bits of information about the domain */
499         connect_with_info->level              = LIBNET_RPC_CONNECT_DC_INFO;
500         connect_with_info->in.dcerpc_iface    = &ndr_table_samr;
501
502         /*
503           establish the SAMR connection
504         */
505         status = libnet_RpcConnect(ctx, tmp_ctx, connect_with_info);
506         if (!NT_STATUS_IS_OK(status)) {
507                 if (r->in.binding) {
508                         r->out.error_string = talloc_asprintf(mem_ctx,
509                                                               "Connection to SAMR pipe of DC %s failed: %s",
510                                                               r->in.binding, connect_with_info->out.error_string);
511                 } else {
512                         r->out.error_string = talloc_asprintf(mem_ctx,
513                                                               "Connection to SAMR pipe of PDC for %s failed: %s",
514                                                               r->in.domain_name, connect_with_info->out.error_string);
515                 }
516                 talloc_free(tmp_ctx);
517                 return status;
518         }
519
520         samr_pipe = connect_with_info->out.dcerpc_pipe;
521
522         status = dcerpc_pipe_auth(tmp_ctx, &samr_pipe,
523                                   connect_with_info->out.dcerpc_pipe->binding, 
524                                   &ndr_table_samr, ctx->cred, ctx->lp_ctx);
525         if (!NT_STATUS_IS_OK(status)) {
526                 r->out.error_string = talloc_asprintf(mem_ctx,
527                                                 "SAMR bind failed: %s",
528                                                 nt_errstr(status));
529                 talloc_free(tmp_ctx);
530                 return status;
531         }
532
533         /* prepare samr_Connect */
534         ZERO_STRUCT(p_handle);
535         sc.in.system_name = NULL;
536         sc.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
537         sc.out.connect_handle = &p_handle;
538
539         /* 2. do a samr_Connect to get a policy handle */
540         status = dcerpc_samr_Connect_r(samr_pipe->binding_handle, tmp_ctx, &sc);
541         if (NT_STATUS_IS_OK(status) && !NT_STATUS_IS_OK(sc.out.result)) {
542                 status = sc.out.result;
543         }
544         if (!NT_STATUS_IS_OK(status)) {
545                 r->out.error_string = talloc_asprintf(mem_ctx,
546                                                 "samr_Connect failed: %s",
547                                                 nt_errstr(status));
548                 talloc_free(tmp_ctx);
549                 return status;
550         }
551
552         /* If this is a connection on ncacn_ip_tcp to Win2k3 SP1, we don't get back this useful info */
553         if (!connect_with_info->out.domain_name) {
554                 if (r->in.level == LIBNET_JOINDOMAIN_AUTOMATIC) {
555                         connect_with_info->out.domain_name = talloc_strdup(tmp_ctx, r->in.domain_name);
556                 } else {
557                         /* Bugger, we just lost our way to automatically find the domain name */
558                         connect_with_info->out.domain_name = talloc_strdup(tmp_ctx, lpcfg_workgroup(ctx->lp_ctx));
559                         connect_with_info->out.realm = talloc_strdup(tmp_ctx, lpcfg_realm(ctx->lp_ctx));
560                 }
561         }
562
563         /* Perhaps we didn't get a SID above, because we are against ncacn_ip_tcp */
564         if (!connect_with_info->out.domain_sid) {
565                 struct lsa_String name;
566                 struct samr_LookupDomain l;
567                 struct dom_sid2 *sid = NULL;
568                 name.string = connect_with_info->out.domain_name;
569                 l.in.connect_handle = &p_handle;
570                 l.in.domain_name = &name;
571                 l.out.sid = &sid;
572                 
573                 status = dcerpc_samr_LookupDomain_r(samr_pipe->binding_handle, tmp_ctx, &l);
574                 if (NT_STATUS_IS_OK(status) && !NT_STATUS_IS_OK(l.out.result)) {
575                         status = l.out.result;
576                 }
577                 if (!NT_STATUS_IS_OK(status)) {
578                         r->out.error_string = talloc_asprintf(mem_ctx,
579                                                               "SAMR LookupDomain failed: %s",
580                                                               nt_errstr(status));
581                         talloc_free(tmp_ctx);
582                         return status;
583                 }
584                 connect_with_info->out.domain_sid = *l.out.sid;
585         }
586
587         /* prepare samr_OpenDomain */
588         ZERO_STRUCT(d_handle);
589         od.in.connect_handle = &p_handle;
590         od.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
591         od.in.sid = connect_with_info->out.domain_sid;
592         od.out.domain_handle = &d_handle;
593
594         /* do a samr_OpenDomain to get a domain handle */
595         status = dcerpc_samr_OpenDomain_r(samr_pipe->binding_handle, tmp_ctx, &od);
596         if (NT_STATUS_IS_OK(status) && !NT_STATUS_IS_OK(od.out.result)) {
597                 status = od.out.result;
598         }
599         if (!NT_STATUS_IS_OK(status)) {
600                 r->out.error_string = talloc_asprintf(mem_ctx,
601                                                       "samr_OpenDomain for [%s] failed: %s",
602                                                       dom_sid_string(tmp_ctx, connect_with_info->out.domain_sid),
603                                                       nt_errstr(status));
604                 talloc_free(tmp_ctx);
605                 return status;
606         }
607         
608         /* prepare samr_CreateUser2 */
609         ZERO_STRUCTP(u_handle);
610         cu.in.domain_handle  = &d_handle;
611         cu.in.access_mask     = SEC_FLAG_MAXIMUM_ALLOWED;
612         samr_account_name.string = r->in.account_name;
613         cu.in.account_name    = &samr_account_name;
614         cu.in.acct_flags      = r->in.acct_type;
615         cu.out.user_handle    = u_handle;
616         cu.out.rid            = &rid;
617         cu.out.access_granted = &access_granted;
618
619         /* do a samr_CreateUser2 to get an account handle, or an error */
620         cu_status = dcerpc_samr_CreateUser2_r(samr_pipe->binding_handle, tmp_ctx, &cu);
621         if (NT_STATUS_IS_OK(cu_status) && !NT_STATUS_IS_OK(cu.out.result)) {
622                 cu_status = cu.out.result;
623         }
624         status = cu_status;
625         if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
626                 /* prepare samr_LookupNames */
627                 ln.in.domain_handle = &d_handle;
628                 ln.in.num_names = 1;
629                 ln.in.names = talloc_array(tmp_ctx, struct lsa_String, 1);
630                 ln.out.rids = &rids;
631                 ln.out.types = &types;
632                 if (!ln.in.names) {
633                         r->out.error_string = NULL;
634                         talloc_free(tmp_ctx);
635                         return NT_STATUS_NO_MEMORY;
636                 }
637                 ln.in.names[0].string = r->in.account_name;
638                 
639                 /* 5. do a samr_LookupNames to get the users rid */
640                 status = dcerpc_samr_LookupNames_r(samr_pipe->binding_handle, tmp_ctx, &ln);
641                 if (NT_STATUS_IS_OK(status) && !NT_STATUS_IS_OK(ln.out.result)) {
642                         status = ln.out.result;
643                 }
644                 if (!NT_STATUS_IS_OK(status)) {
645                         r->out.error_string = talloc_asprintf(mem_ctx,
646                                                 "samr_LookupNames for [%s] failed: %s",
647                                                 r->in.account_name,
648                                                 nt_errstr(status));
649                         talloc_free(tmp_ctx);
650                         return status;
651                 }
652                 
653                 /* check if we got one RID for the user */
654                 if (ln.out.rids->count != 1) {
655                         r->out.error_string = talloc_asprintf(mem_ctx,
656                                                               "samr_LookupNames for [%s] returns %d RIDs",
657                                                               r->in.account_name, ln.out.rids->count);
658                         talloc_free(tmp_ctx);
659                         return NT_STATUS_INVALID_PARAMETER;
660                 }
661                 
662                 /* prepare samr_OpenUser */
663                 ZERO_STRUCTP(u_handle);
664                 ou.in.domain_handle = &d_handle;
665                 ou.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
666                 ou.in.rid = ln.out.rids->ids[0];
667                 rid = ou.in.rid;
668                 ou.out.user_handle = u_handle;
669                 
670                 /* 6. do a samr_OpenUser to get a user handle */
671                 status = dcerpc_samr_OpenUser_r(samr_pipe->binding_handle, tmp_ctx, &ou);
672                 if (NT_STATUS_IS_OK(status) && !NT_STATUS_IS_OK(ou.out.result)) {
673                         status = ou.out.result;
674                 }
675                 if (!NT_STATUS_IS_OK(status)) {
676                         r->out.error_string = talloc_asprintf(mem_ctx,
677                                                         "samr_OpenUser for [%s] failed: %s",
678                                                         r->in.account_name,
679                                                         nt_errstr(status));
680                         talloc_free(tmp_ctx);
681                         return status;
682                 }
683
684                 if (r->in.recreate_account) {
685                         struct samr_DeleteUser d;
686                         d.in.user_handle = u_handle;
687                         d.out.user_handle = u_handle;
688                         status = dcerpc_samr_DeleteUser_r(samr_pipe->binding_handle, mem_ctx, &d);
689                         if (NT_STATUS_IS_OK(status) && !NT_STATUS_IS_OK(d.out.result)) {
690                                 status = d.out.result;
691                         }
692                         if (!NT_STATUS_IS_OK(status)) {
693                                 r->out.error_string = talloc_asprintf(mem_ctx,
694                                                                       "samr_DeleteUser (for recreate) of [%s] failed: %s",
695                                                                       r->in.account_name,
696                                                                       nt_errstr(status));
697                                 talloc_free(tmp_ctx);
698                                 return status;
699                         }
700
701                         /* We want to recreate, so delete and another samr_CreateUser2 */
702                         
703                         /* &cu filled in above */
704                         status = dcerpc_samr_CreateUser2_r(samr_pipe->binding_handle, tmp_ctx, &cu);
705                         if (NT_STATUS_IS_OK(status) && !NT_STATUS_IS_OK(cu.out.result)) {
706                                 status = cu.out.result;
707                         }
708                         if (!NT_STATUS_IS_OK(status)) {
709                                 r->out.error_string = talloc_asprintf(mem_ctx,
710                                                                       "samr_CreateUser2 (recreate) for [%s] failed: %s",
711                                                                       r->in.account_name, nt_errstr(status));
712                                 talloc_free(tmp_ctx);
713                                 return status;
714                         }
715                 }
716         } else if (!NT_STATUS_IS_OK(status)) {
717                 r->out.error_string = talloc_asprintf(mem_ctx,
718                                                       "samr_CreateUser2 for [%s] failed: %s",
719                                                       r->in.account_name, nt_errstr(status));
720                 talloc_free(tmp_ctx);
721                 return status;
722         }
723
724         /* prepare samr_QueryUserInfo (get flags) */
725         qui.in.user_handle = u_handle;
726         qui.in.level = 16;
727         qui.out.info = &uinfo;
728         
729         status = dcerpc_samr_QueryUserInfo_r(samr_pipe->binding_handle, tmp_ctx, &qui);
730         if (NT_STATUS_IS_OK(status) && !NT_STATUS_IS_OK(qui.out.result)) {
731                 status = qui.out.result;
732         }
733         if (!NT_STATUS_IS_OK(status)) {
734                 r->out.error_string = talloc_asprintf(mem_ctx,
735                                                 "samr_QueryUserInfo for [%s] failed: %s",
736                                                 r->in.account_name,
737                                                 nt_errstr(status));
738                 talloc_free(tmp_ctx);
739                 return status;
740         }
741         
742         if (!uinfo) {
743                 status = NT_STATUS_INVALID_PARAMETER;
744                 r->out.error_string
745                         = talloc_asprintf(mem_ctx,
746                                           "samr_QueryUserInfo failed to return qui.out.info for [%s]: %s",
747                                           r->in.account_name, nt_errstr(status));
748                 talloc_free(tmp_ctx);
749                 return status;
750         }
751
752         old_acct_flags = (uinfo->info16.acct_flags & (ACB_WSTRUST | ACB_SVRTRUST | ACB_DOMTRUST));
753         /* Possibly bail if the account is of the wrong type */
754         if (old_acct_flags
755             != r->in.acct_type) {
756                 const char *old_account_type, *new_account_type;
757                 switch (old_acct_flags) {
758                 case ACB_WSTRUST:
759                         old_account_type = "domain member (member)";
760                         break;
761                 case ACB_SVRTRUST:
762                         old_account_type = "domain controller (bdc)";
763                         break;
764                 case ACB_DOMTRUST:
765                         old_account_type = "trusted domain";
766                         break;
767                 default:
768                         return NT_STATUS_INVALID_PARAMETER;
769                 }
770                 switch (r->in.acct_type) {
771                 case ACB_WSTRUST:
772                         new_account_type = "domain member (member)";
773                         break;
774                 case ACB_SVRTRUST:
775                         new_account_type = "domain controller (bdc)";
776                         break;
777                 case ACB_DOMTRUST:
778                         new_account_type = "trusted domain";
779                         break;
780                 default:
781                         return NT_STATUS_INVALID_PARAMETER;
782                 }
783
784                 if (!NT_STATUS_EQUAL(cu_status, NT_STATUS_USER_EXISTS)) {
785                         /* We created a new user, but they didn't come out the right type?!? */
786                         r->out.error_string
787                                 = talloc_asprintf(mem_ctx,
788                                                   "We asked to create a new machine account (%s) of type %s, "
789                                                   "but we got an account of type %s.  This is unexpected.  "
790                                                   "Perhaps delete the account and try again.",
791                                                   r->in.account_name, new_account_type, old_account_type);
792                         talloc_free(tmp_ctx);
793                         return NT_STATUS_INVALID_PARAMETER;
794                 } else {
795                         /* The account is of the wrong type, so bail */
796
797                         /* TODO: We should allow a --force option to override, and redo this from the top setting r.in.recreate_account */
798                         r->out.error_string
799                                 = talloc_asprintf(mem_ctx,
800                                                   "The machine account (%s) already exists in the domain %s, "
801                                                   "but is a %s.  You asked to join as a %s.  Please delete "
802                                                   "the account and try again.",
803                                                   r->in.account_name, connect_with_info->out.domain_name, old_account_type, new_account_type);
804                         talloc_free(tmp_ctx);
805                         return NT_STATUS_USER_EXISTS;
806                 }
807         } else {
808                 acct_flags = uinfo->info16.acct_flags;
809         }
810         
811         acct_flags = (acct_flags & ~(ACB_DISABLED|ACB_PWNOTREQ));
812
813         /* Find out what password policy this user has */
814         pwp.in.user_handle = u_handle;
815         pwp.out.info = &info;
816
817         status = dcerpc_samr_GetUserPwInfo_r(samr_pipe->binding_handle, tmp_ctx, &pwp);
818         if (NT_STATUS_IS_OK(status) && !NT_STATUS_IS_OK(pwp.out.result)) {
819                 status = pwp.out.result;
820         }
821         if (NT_STATUS_IS_OK(status)) {
822                 policy_min_pw_len = pwp.out.info->min_password_length;
823         }
824
825         if (r->in.account_pass != NULL) {
826                 password_str = talloc_strdup(tmp_ctx, r->in.account_pass);
827         } else {
828                 /* Grab a password of that minimum length */
829                 password_str = generate_random_password(tmp_ctx,
830                                         MAX(8, policy_min_pw_len), 255);
831         }
832         if (!password_str) {
833                 r->out.error_string = NULL;
834                 talloc_free(tmp_ctx);
835                 return NT_STATUS_NO_MEMORY;
836         }
837
838         /* set full_name and reset flags */
839         ZERO_STRUCT(u_info21);
840         u_info21.full_name.string       = r->in.account_name;
841         u_info21.acct_flags             = acct_flags;
842         u_info21.fields_present         = SAMR_FIELD_FULL_NAME | SAMR_FIELD_ACCT_FLAGS;
843
844         r2.samr_handle.level            = LIBNET_SET_PASSWORD_SAMR_HANDLE;
845         r2.samr_handle.in.account_name  = r->in.account_name;
846         r2.samr_handle.in.newpassword   = password_str;
847         r2.samr_handle.in.user_handle   = u_handle;
848         r2.samr_handle.in.dcerpc_pipe   = samr_pipe;
849         r2.samr_handle.in.info21        = &u_info21;
850
851         status = libnet_SetPassword(ctx, tmp_ctx, &r2); 
852         if (!NT_STATUS_IS_OK(status)) {
853                 r->out.error_string = talloc_steal(mem_ctx, r2.samr_handle.out.error_string);
854                 talloc_free(tmp_ctx);
855                 return status;
856         }
857
858         account_sid = dom_sid_add_rid(mem_ctx, connect_with_info->out.domain_sid, rid);
859         if (!account_sid) {
860                 r->out.error_string = NULL;
861                 talloc_free(tmp_ctx);
862                 return NT_STATUS_NO_MEMORY;
863         }
864
865         /* Finish out by pushing various bits of status data out for the caller to use */
866         r->out.join_password = password_str;
867         talloc_steal(mem_ctx, r->out.join_password);
868
869         r->out.domain_sid = connect_with_info->out.domain_sid;
870         talloc_steal(mem_ctx, r->out.domain_sid);
871
872         r->out.account_sid = account_sid;
873         talloc_steal(mem_ctx, r->out.account_sid);
874
875         r->out.domain_name = connect_with_info->out.domain_name;
876         talloc_steal(mem_ctx, r->out.domain_name);
877         r->out.realm = connect_with_info->out.realm;
878         talloc_steal(mem_ctx, r->out.realm);
879         r->out.samr_pipe = samr_pipe;
880         talloc_reparent(tmp_ctx, mem_ctx, samr_pipe);
881         r->out.samr_binding = samr_pipe->binding;
882         talloc_steal(mem_ctx, r->out.samr_binding);
883         r->out.user_handle = u_handle;
884         talloc_steal(mem_ctx, u_handle);
885         r->out.error_string = r2.samr_handle.out.error_string;
886         talloc_steal(mem_ctx, r2.samr_handle.out.error_string);
887         r->out.kvno = 0;
888         r->out.server_dn_str = NULL;
889         talloc_free(tmp_ctx); 
890
891         /* Now, if it was AD, then we want to start looking changing a
892          * few more things.  Otherwise, we are done. */
893         if (r->out.realm) {
894                 status = libnet_JoinADSDomain(ctx, r);
895                 return status;
896         }
897
898         return status;
899 }
900
901 NTSTATUS libnet_Join_member(struct libnet_context *ctx,
902                             TALLOC_CTX *mem_ctx,
903                             struct libnet_Join_member *r)
904 {
905         NTSTATUS status;
906         TALLOC_CTX *tmp_mem;
907         struct libnet_JoinDomain *r2;
908         struct provision_store_self_join_settings *set_secrets;
909         uint32_t acct_type = 0;
910         const char *account_name;
911         const char *netbios_name;
912         const char *error_string;
913
914         r->out.error_string = NULL;
915
916         tmp_mem = talloc_new(mem_ctx);
917         if (!tmp_mem) {
918                 return NT_STATUS_NO_MEMORY;
919         }
920
921         r2 = talloc_zero(tmp_mem, struct libnet_JoinDomain);
922         if (!r2) {
923                 r->out.error_string = NULL;
924                 talloc_free(tmp_mem);
925                 return NT_STATUS_NO_MEMORY;
926         }
927         
928         acct_type = ACB_WSTRUST;
929
930         if (r->in.netbios_name != NULL) {
931                 netbios_name = r->in.netbios_name;
932         } else {
933                 netbios_name = talloc_strdup(tmp_mem, lpcfg_netbios_name(ctx->lp_ctx));
934                 if (!netbios_name) {
935                         r->out.error_string = NULL;
936                         talloc_free(tmp_mem);
937                         return NT_STATUS_NO_MEMORY;
938                 }
939         }
940
941         account_name = talloc_asprintf(tmp_mem, "%s$", netbios_name);
942         if (!account_name) {
943                 r->out.error_string = NULL;
944                 talloc_free(tmp_mem);
945                 return NT_STATUS_NO_MEMORY;
946         }
947         
948         /*
949          * join the domain
950          */
951         r2->in.domain_name      = r->in.domain_name;
952         r2->in.account_name     = account_name;
953         r2->in.netbios_name     = netbios_name;
954         r2->in.level            = LIBNET_JOINDOMAIN_AUTOMATIC;
955         r2->in.acct_type        = acct_type;
956         r2->in.recreate_account = false;
957         r2->in.account_pass     = r->in.account_pass;
958         status = libnet_JoinDomain(ctx, r2, r2);
959         if (!NT_STATUS_IS_OK(status)) {
960                 r->out.error_string = talloc_steal(mem_ctx, r2->out.error_string);
961                 talloc_free(tmp_mem);
962                 return status;
963         }
964
965         set_secrets = talloc(tmp_mem, struct provision_store_self_join_settings);
966         if (!set_secrets) {
967                 r->out.error_string = NULL;
968                 talloc_free(tmp_mem);
969                 return NT_STATUS_NO_MEMORY;
970         }
971         
972         ZERO_STRUCTP(set_secrets);
973         set_secrets->domain_name = r2->out.domain_name;
974         set_secrets->realm = r2->out.realm;
975         set_secrets->netbios_name = netbios_name;
976         set_secrets->secure_channel_type = SEC_CHAN_WKSTA;
977         set_secrets->machine_password = r2->out.join_password;
978         set_secrets->key_version_number = r2->out.kvno;
979         set_secrets->domain_sid = r2->out.domain_sid;
980         
981         status = provision_store_self_join(ctx, ctx->lp_ctx, ctx->event_ctx, set_secrets, &error_string);
982         if (!NT_STATUS_IS_OK(status)) {
983                 r->out.error_string = talloc_steal(mem_ctx, error_string);
984                 talloc_free(tmp_mem);
985                 return status;
986         }
987
988         /* move all out parameter to the callers TALLOC_CTX */
989         r->out.error_string     = NULL;
990         r->out.join_password    = r2->out.join_password;
991         talloc_reparent(r2, mem_ctx, r2->out.join_password);
992         r->out.domain_sid       = r2->out.domain_sid;
993         talloc_reparent(r2, mem_ctx, r2->out.domain_sid);
994         r->out.domain_name      = r2->out.domain_name;
995         talloc_reparent(r2, mem_ctx, r2->out.domain_name);
996         talloc_free(tmp_mem);
997         return NT_STATUS_OK;
998 }
999