X-Git-Url: http://git.samba.org/?p=samba.git;a=blobdiff_plain;f=source3%2Flibnet%2Flibnet_join.c;h=c549b586cb5a544cf3afad909deddc497b8de3a0;hp=8c3030711bf55d012066f68fe941cd381a24494e;hb=4f6f4ea93c83fa5154f450e2e43649467e4c2b32;hpb=d9994a604bd51949a9869927bdc2cb512fba9171 diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 8c3030711bf..c549b586cb5 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -19,8 +19,26 @@ */ #include "includes.h" -#include "libnet/libnet.h" +#include "ads.h" +#include "librpc/gen_ndr/ndr_libnet_join.h" +#include "libnet/libnet_join.h" #include "libcli/auth/libcli_auth.h" +#include "../librpc/gen_ndr/ndr_samr_c.h" +#include "rpc_client/init_samr.h" +#include "../librpc/gen_ndr/ndr_lsa_c.h" +#include "rpc_client/cli_lsarpc.h" +#include "../librpc/gen_ndr/ndr_netlogon.h" +#include "rpc_client/cli_netlogon.h" +#include "lib/smbconf/smbconf.h" +#include "lib/smbconf/smbconf_reg.h" +#include "../libds/common/flags.h" +#include "secrets.h" +#include "rpc_client/init_lsa.h" +#include "rpc_client/cli_pipe.h" +#include "../libcli/security/security.h" +#include "passdb.h" +#include "libsmb/libsmb.h" +#include "../libcli/smb/smbXcli_base.h" /**************************************************************** ****************************************************************/ @@ -87,7 +105,7 @@ static void libnet_unjoin_set_error_string(TALLOC_CTX *mem_ctx, va_end(args); } -#ifdef WITH_ADS +#ifdef HAVE_ADS /**************************************************************** ****************************************************************/ @@ -101,6 +119,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, { ADS_STATUS status; ADS_STRUCT *my_ads = NULL; + char *cp; my_ads = ads_init(dns_domain_name, netbios_domain_name, 
@@ -112,6 +131,12 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, if (user_name) { SAFE_FREE(my_ads->auth.user_name); my_ads->auth.user_name = SMB_STRDUP(user_name); + if ((cp = strchr_m(my_ads->auth.user_name, '@'))!=0) { + *cp++ = '\0'; + SAFE_FREE(my_ads->auth.realm); + my_ads->auth.realm = smb_xstrdup(cp); + strupper_m(my_ads->auth.realm); + } } if (password) { @@ -620,7 +645,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, return ADS_SUCCESS; } -#endif /* WITH_ADS */ +#endif /* HAVE_ADS */ /**************************************************************** Store the machine password and domain SID @@ -675,7 +700,7 @@ static NTSTATUS libnet_join_connect_dc_ipc(const char *dc, NULL, pass, flags, - Undefined, NULL); + SMB_SIGNING_DEFAULT); } /**************************************************************** @@ -688,8 +713,9 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx, { struct rpc_pipe_client *pipe_hnd = NULL; struct policy_handle lsa_pol; - NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + NTSTATUS status, result; union lsa_PolicyInformation *info = NULL; + struct dcerpc_binding_handle *b; status = libnet_join_connect_dc_ipc(r->in.dc_name, r->in.admin_account, 
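Review bot: A `user_name` that ends in `@` leaves `my_ads->auth.realm` as an empty string in the new `strchr_m` branch of libnet_connect_ads, discarding whatever realm was stored there before. Guarding the realm assignment with `if (*cp != '\0')` after the terminator is written keeps the earlier value in that case. The branch would also benefit from a comment such as `/* user@REALM: the caller-supplied suffix overrides the realm */`, because the realm presumably decides where the administrator credentials are presented. The function body starts and ends outside this hunk.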
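Review bot: The signing policy for the IPC connection that carries the join account's password is left implicit at `SMB_SIGNING_DEFAULT` in libnet_join_connect_dc_ipc. What that value resolves to is not visible in this hunk; if it follows the configured client default, a host where signing is only negotiated opportunistically could run the SAMR account and password operations over an unsigned session. Either pass `SMB_SIGNING_REQUIRED` on this authenticated connection or add a comment stating why the default is acceptable. The same value is passed in the two libnet_join_ok hunks (`@@ -1094` and `@@ -1107`), where the same comment would help.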
@@ -708,40 +734,48 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx, goto done; } + b = pipe_hnd->binding_handle; + status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true, SEC_FLAG_MAXIMUM_ALLOWED, &lsa_pol); if (!NT_STATUS_IS_OK(status)) { goto done; } - status = rpccli_lsa_QueryInfoPolicy2(pipe_hnd, mem_ctx, + status = dcerpc_lsa_QueryInfoPolicy2(b, mem_ctx, &lsa_pol, LSA_POLICY_INFO_DNS, - &info); - if (NT_STATUS_IS_OK(status)) { + &info, + &result); + if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) { r->out.domain_is_ad = true; r->out.netbios_domain_name = info->dns.name.string; r->out.dns_domain_name = info->dns.dns_domain.string; r->out.forest_name = info->dns.dns_forest.string; - r->out.domain_sid = sid_dup_talloc(mem_ctx, info->dns.sid); + r->out.domain_sid = dom_sid_dup(mem_ctx, info->dns.sid); NT_STATUS_HAVE_NO_MEMORY(r->out.domain_sid); } if (!NT_STATUS_IS_OK(status)) { - status = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx, + status = dcerpc_lsa_QueryInfoPolicy(b, mem_ctx, &lsa_pol, LSA_POLICY_INFO_ACCOUNT_DOMAIN, - &info); + &info, + &result); if (!NT_STATUS_IS_OK(status)) { goto done; } + if (!NT_STATUS_IS_OK(result)) { + status = result; + goto done; + } r->out.netbios_domain_name = info->account_domain.name.string; - r->out.domain_sid = sid_dup_talloc(mem_ctx, info->account_domain.sid); + r->out.domain_sid = dom_sid_dup(mem_ctx, info->account_domain.sid); NT_STATUS_HAVE_NO_MEMORY(r->out.domain_sid); } - rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol); + dcerpc_lsa_Close(b, mem_ctx, &lsa_pol, &result); TALLOC_FREE(pipe_hnd); done: @@ -789,6 +823,7 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx, E_md4hash(trust_passwd, orig_trust_passwd_hash); status = rpccli_netlogon_set_trust_password(pipe_hnd, mem_ctx, + r->in.machine_name, orig_trust_passwd_hash, r->in.machine_password, new_trust_passwd_hash, 
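Review bot: The fallback to `dcerpc_lsa_QueryInfoPolicy` is skipped when the QueryInfoPolicy2 request is delivered but the server answers with an error, because the second test still reads `if (!NT_STATUS_IS_OK(status))` and `status` now reflects only the transport. In that case neither branch fills `r->out.netbios_domain_name` or `r->out.domain_sid`, and `status` is still OK when the code reaches `done`. The test should read `if (!NT_STATUS_IS_OK(status) || !NT_STATUS_IS_OK(result)) {`. Separately, the `NT_STATUS_HAVE_NO_MEMORY` lines appear to return without closing `lsa_pol` or freeing `pipe_hnd`; the macro is defined outside the hunk, so confirm.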
@@ -807,7 +842,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, { struct rpc_pipe_client *pipe_hnd = NULL; struct policy_handle sam_pol, domain_pol, user_pol; - NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL, result; char *acct_name; struct lsa_String lsa_acct_name; uint32_t user_rid; @@ -815,6 +850,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, struct samr_Ids user_rids; struct samr_Ids name_types; union samr_UserInfo user_info; + struct dcerpc_binding_handle *b = NULL; struct samr_CryptPassword crypt_pwd; struct samr_CryptPasswordEx crypt_pwd_ex; @@ -849,25 +885,37 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, goto done; } - status = rpccli_samr_Connect2(pipe_hnd, mem_ctx, + b = pipe_hnd->binding_handle; + + status = dcerpc_samr_Connect2(b, mem_ctx, pipe_hnd->desthost, SAMR_ACCESS_ENUM_DOMAINS | SAMR_ACCESS_LOOKUP_DOMAIN, - &sam_pol); + &sam_pol, + &result); if (!NT_STATUS_IS_OK(status)) { goto done; } + if (!NT_STATUS_IS_OK(result)) { + status = result; + goto done; + } - status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx, + status = dcerpc_samr_OpenDomain(b, mem_ctx, &sam_pol, SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1 | SAMR_DOMAIN_ACCESS_CREATE_USER | SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT, r->out.domain_sid, - &domain_pol); + &domain_pol, + &result); if (!NT_STATUS_IS_OK(status)) { goto done; } + if (!NT_STATUS_IS_OK(result)) { + status = result; + goto done; + } /* Create domain user */ 
@@ -888,14 +936,20 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, DEBUG(10,("Creating account with desired access mask: %d\n", access_desired)); - status = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx, + status = dcerpc_samr_CreateUser2(b, mem_ctx, &domain_pol, &lsa_acct_name, acct_flags, access_desired, &user_pol, &access_granted, - &user_rid); + &user_rid, + &result); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + + status = result; if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) { @@ -925,19 +979,24 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, /* We *must* do this.... don't ask... */ if (NT_STATUS_IS_OK(status)) { - rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol); + dcerpc_samr_Close(b, mem_ctx, &user_pol, &result); } } - status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx, + status = dcerpc_samr_LookupNames(b, mem_ctx, &domain_pol, 1, &lsa_acct_name, &user_rids, - &name_types); + &name_types, + &result); if (!NT_STATUS_IS_OK(status)) { goto done; } + if (!NT_STATUS_IS_OK(result)) { + status = result; + goto done; + } if (name_types.ids[0] != SID_NAME_USER) { DEBUG(0,("%s is not a user account (type=%d)\n", 
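Review bot: `name_types.ids[0]` is read right after `dcerpc_samr_LookupNames` without checking how many entries the server returned; the new `status`/`result` checks do not cover a reply that reports success with an empty array. The reply comes from the remote DC, so `user_rids.count` and `name_types.count` should both be verified to be 1 before anything is indexed, failing with `NT_STATUS_INVALID_NETWORK_RESPONSE` otherwise. The same pattern is in the libnet_join_unjoindomain_rpc hunk at `@@ -1254`. The function continues outside this hunk, where `user_rids.ids[0]` is presumably read as well.

```c
	/* … unchanged: dcerpc_samr_LookupNames call, status and result checks … */
	if (user_rids.count != 1 || name_types.count != 1) {
		/* one name was sent, so exactly one RID and one type must come back */
		status = NT_STATUS_INVALID_NETWORK_RESPONSE;
		goto done;
	}

	if (name_types.ids[0] != SID_NAME_USER) {
```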
@@ -950,38 +1009,50 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, /* Open handle on user */ - status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx, + status = dcerpc_samr_OpenUser(b, mem_ctx, &domain_pol, SEC_FLAG_MAXIMUM_ALLOWED, user_rid, - &user_pol); + &user_pol, + &result); if (!NT_STATUS_IS_OK(status)) { goto done; } + if (!NT_STATUS_IS_OK(result)) { + status = result; + goto done; + } /* Fill in the additional account flags now */ acct_flags |= ACB_PWNOEXP; - if (r->out.domain_is_ad) { -#if !defined(ENCTYPE_ARCFOUR_HMAC) - acct_flags |= ACB_USE_DES_KEY_ONLY; -#endif - ;; - } /* Set account flags on machine account */ ZERO_STRUCT(user_info.info16); user_info.info16.acct_flags = acct_flags; - status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx, + status = dcerpc_samr_SetUserInfo(b, mem_ctx, &user_pol, 16, - &user_info); - + &user_info, + &result); if (!NT_STATUS_IS_OK(status)) { + dcerpc_samr_DeleteUser(b, mem_ctx, + &user_pol, + &result); - rpccli_samr_DeleteUser(pipe_hnd, mem_ctx, - &user_pol); + libnet_join_set_error_string(mem_ctx, r, + "Failed to set account flags for machine account (%s)\n", + nt_errstr(status)); + goto done; + } + + if (!NT_STATUS_IS_OK(result)) { + status = result; + + dcerpc_samr_DeleteUser(b, mem_ctx, + &user_pol, + &result); libnet_join_set_error_string(mem_ctx, r, "Failed to set account flags for machine account (%s)\n", @@ -998,12 +1069,13 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, user_info.info26.password = crypt_pwd_ex; user_info.info26.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON; - status = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx, + status = dcerpc_samr_SetUserInfo2(b, mem_ctx, &user_pol, 26, - &user_info); + &user_info, + &result); - if (NT_STATUS_EQUAL(status, NT_STATUS(DCERPC_FAULT_INVALID_TAG))) { + if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) { /* retry with level 24 */ 
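Review bot: The two failure branches after `dcerpc_samr_SetUserInfo` are copies of each other apart from `status = result;`, so the error string and the cleanup can drift apart in later edits. Folding the server result into `status` first, `if (NT_STATUS_IS_OK(status)) { status = result; }`, leaves a single `if (!NT_STATUS_IS_OK(status))` block. It is also worth a comment that `dcerpc_samr_DeleteUser` runs on `user_pol` even when the account was not created by this call (the CreateUser2 hunk tolerates `NT_STATUS_USER_EXISTS`), so a failure to set flags may remove a machine account that existed before the join; confirm that this is intended. The SetUserInfo2 hunk at `@@ -1014` repeats the duplicated branches.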
@@ -1014,16 +1086,30 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, user_info.info24.password = crypt_pwd; user_info.info24.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON; - status = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx, + status = dcerpc_samr_SetUserInfo2(b, mem_ctx, &user_pol, 24, - &user_info); + &user_info, + &result); } if (!NT_STATUS_IS_OK(status)) { - rpccli_samr_DeleteUser(pipe_hnd, mem_ctx, - &user_pol); + dcerpc_samr_DeleteUser(b, mem_ctx, + &user_pol, + &result); + + libnet_join_set_error_string(mem_ctx, r, + "Failed to set password for machine account (%s)\n", + nt_errstr(status)); + goto done; + } + if (!NT_STATUS_IS_OK(result)) { + status = result; + + dcerpc_samr_DeleteUser(b, mem_ctx, + &user_pol, + &result); libnet_join_set_error_string(mem_ctx, r, "Failed to set password for machine account (%s)\n", @@ -1039,13 +1125,13 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, } if (is_valid_policy_hnd(&sam_pol)) { - rpccli_samr_Close(pipe_hnd, mem_ctx, &sam_pol); + dcerpc_samr_Close(b, mem_ctx, &sam_pol, &result); } if (is_valid_policy_hnd(&domain_pol)) { - rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol); + dcerpc_samr_Close(b, mem_ctx, &domain_pol, &result); } if (is_valid_policy_hnd(&user_pol)) { - rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol); + dcerpc_samr_Close(b, mem_ctx, &user_pol, &result); } TALLOC_FREE(pipe_hnd); @@ -1094,7 +1180,7 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name, NULL, machine_password, 0, - Undefined, NULL); + SMB_SIGNING_DEFAULT); free(machine_account); free(machine_password); @@ -1107,7 +1193,7 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name, NULL, "", 0, - Undefined, NULL); + SMB_SIGNING_DEFAULT); } if (!NT_STATUS_IS_OK(status)) { 
@@ -1124,7 +1210,8 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name, DEBUG(0,("libnet_join_ok: failed to get schannel session " "key from server %s for domain %s. Error was %s\n", - cli->desthost, netbios_domain_name, nt_errstr(status))); + smbXcli_conn_remote_name(cli->conn), + netbios_domain_name, nt_errstr(status))); cli_shutdown(cli); return status; } @@ -1145,7 +1232,8 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name, DEBUG(0,("libnet_join_ok: failed to open schannel session " "on netlogon pipe to server %s for domain %s. " "Error was %s\n", - cli->desthost, netbios_domain_name, nt_errstr(status))); + smbXcli_conn_remote_name(cli->conn), + netbios_domain_name, nt_errstr(status))); return status; } @@ -1199,13 +1287,14 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, struct cli_state *cli = NULL; struct rpc_pipe_client *pipe_hnd = NULL; struct policy_handle sam_pol, domain_pol, user_pol; - NTSTATUS status = NT_STATUS_UNSUCCESSFUL; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL, result; char *acct_name; uint32_t user_rid; struct lsa_String lsa_acct_name; struct samr_Ids user_rids; struct samr_Ids name_types; union samr_UserInfo *info = NULL; + struct dcerpc_binding_handle *b = NULL; ZERO_STRUCT(sam_pol); ZERO_STRUCT(domain_pol); 
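Review bot: `smbXcli_conn_remote_name(cli->conn)` in the second DEBUG (schannel open failure) is only valid while `cli` is alive, and unlike the first failure path this one shows no `cli_shutdown(cli)` before `return status;`. The lines between the two hunks are not visible: if `cli` is shut down before this DEBUG, the argument reads a freed connection, and if it is not shut down at all, the connection leaks on this path. Confirm the order and make the shutdown follow the log call on the failure path. libnet_join_ok starts and ends outside these hunks.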
@@ -1230,22 +1319,34 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, goto done; } - status = rpccli_samr_Connect2(pipe_hnd, mem_ctx, + b = pipe_hnd->binding_handle; + + status = dcerpc_samr_Connect2(b, mem_ctx, pipe_hnd->desthost, SEC_FLAG_MAXIMUM_ALLOWED, - &sam_pol); + &sam_pol, + &result); if (!NT_STATUS_IS_OK(status)) { goto done; } + if (!NT_STATUS_IS_OK(result)) { + status = result; + goto done; + } - status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx, + status = dcerpc_samr_OpenDomain(b, mem_ctx, &sam_pol, SEC_FLAG_MAXIMUM_ALLOWED, r->in.domain_sid, - &domain_pol); + &domain_pol, + &result); if (!NT_STATUS_IS_OK(status)) { goto done; } + if (!NT_STATUS_IS_OK(result)) { + status = result; + goto done; + } /* Create domain user */ @@ -1254,16 +1355,21 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, init_lsa_String(&lsa_acct_name, acct_name); - status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx, + status = dcerpc_samr_LookupNames(b, mem_ctx, &domain_pol, 1, &lsa_acct_name, &user_rids, - &name_types); + &name_types, + &result); if (!NT_STATUS_IS_OK(status)) { goto done; } + if (!NT_STATUS_IS_OK(result)) { + status = result; + goto done; + } if (name_types.ids[0] != SID_NAME_USER) { DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name, 
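Review bot: `SEC_FLAG_MAXIMUM_ALLOWED` is requested for both `dcerpc_samr_Connect2` and `dcerpc_samr_OpenDomain` in the unjoin path, while the join path in this file asks for named rights (`SAMR_ACCESS_ENUM_DOMAINS | SAMR_ACCESS_LOOKUP_DOMAIN`). The calls that follow in this function look up one name, open the user and change its flags, so a narrower mask would keep the handles from carrying more access than the operation needs. The `/* Create domain user */` comment kept at the end of the hunk is stale in the unjoin function; `/* Look up the machine account */` would match the code shown in the next hunk.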
@@ -1276,23 +1382,34 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, /* Open handle on user */ - status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx, + status = dcerpc_samr_OpenUser(b, mem_ctx, &domain_pol, SEC_FLAG_MAXIMUM_ALLOWED, user_rid, - &user_pol); + &user_pol, + &result); if (!NT_STATUS_IS_OK(status)) { goto done; } + if (!NT_STATUS_IS_OK(result)) { + status = result; + goto done; + } /* Get user info */ - status = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx, + status = dcerpc_samr_QueryUserInfo(b, mem_ctx, &user_pol, 16, - &info); + &info, + &result); if (!NT_STATUS_IS_OK(status)) { - rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol); + dcerpc_samr_Close(b, mem_ctx, &user_pol, &result); + goto done; + } + if (!NT_STATUS_IS_OK(result)) { + status = result; + dcerpc_samr_Close(b, mem_ctx, &user_pol, &result); goto done; } @@ -1300,20 +1417,30 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, info->info16.acct_flags |= ACB_DISABLED; - status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx, + status = dcerpc_samr_SetUserInfo(b, mem_ctx, &user_pol, 16, - info); - - rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol); + info, + &result); + if (!NT_STATUS_IS_OK(status)) { + dcerpc_samr_Close(b, mem_ctx, &user_pol, &result); + goto done; + } + if (!NT_STATUS_IS_OK(result)) { + status = result; + dcerpc_samr_Close(b, mem_ctx, &user_pol, &result); + goto done; + } + status = result; + dcerpc_samr_Close(b, mem_ctx, &user_pol, &result); done: - if (pipe_hnd) { + if (pipe_hnd && b) { if (is_valid_policy_hnd(&domain_pol)) { - rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol); + dcerpc_samr_Close(b, mem_ctx, &domain_pol, &result); } if (is_valid_policy_hnd(&sam_pol)) { - rpccli_samr_Close(pipe_hnd, mem_ctx, &sam_pol); + dcerpc_samr_Close(b, mem_ctx, &sam_pol, &result); } TALLOC_FREE(pipe_hnd); } 
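Review bot: All three paths after `dcerpc_samr_SetUserInfo` do the same thing, closing `user_pol` and arriving at `done`, so the two early-exit blocks and the trailing `status = result;` are redundant. They can be replaced by `if (NT_STATUS_IS_OK(status)) { status = result; }` followed by a single `dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);`. Having one copy of the cleanup makes it harder to miss a handle the next time this function is changed.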
@@ -1330,40 +1457,61 @@ done: static WERROR do_join_modify_vals_config(struct libnet_JoinCtx *r) { - WERROR werr; + WERROR werr = WERR_OK; + sbcErr err; struct smbconf_ctx *ctx; - werr = smbconf_init_reg(r, &ctx, NULL); - if (!W_ERROR_IS_OK(werr)) { + err = smbconf_init_reg(r, &ctx, NULL); + if (!SBC_ERROR_IS_OK(err)) { + werr = WERR_NO_SUCH_SERVICE; goto done; } if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE)) { - werr = smbconf_set_global_parameter(ctx, "security", "user"); - W_ERROR_NOT_OK_GOTO_DONE(werr); + err = smbconf_set_global_parameter(ctx, "security", "user"); + if (!SBC_ERROR_IS_OK(err)) { + werr = WERR_NO_SUCH_SERVICE; + goto done; + } - werr = smbconf_set_global_parameter(ctx, "workgroup", - r->in.domain_name); + err = smbconf_set_global_parameter(ctx, "workgroup", + r->in.domain_name); + if (!SBC_ERROR_IS_OK(err)) { + werr = WERR_NO_SUCH_SERVICE; + goto done; + } smbconf_delete_global_parameter(ctx, "realm"); goto done; } - werr = smbconf_set_global_parameter(ctx, "security", "domain"); - W_ERROR_NOT_OK_GOTO_DONE(werr); + err = smbconf_set_global_parameter(ctx, "security", "domain"); + if (!SBC_ERROR_IS_OK(err)) { + werr = WERR_NO_SUCH_SERVICE; + goto done; + } - werr = smbconf_set_global_parameter(ctx, "workgroup", - r->out.netbios_domain_name); - W_ERROR_NOT_OK_GOTO_DONE(werr); + err = smbconf_set_global_parameter(ctx, "workgroup", + r->out.netbios_domain_name); + if (!SBC_ERROR_IS_OK(err)) { + werr = WERR_NO_SUCH_SERVICE; + goto done; + } if (r->out.domain_is_ad) { - werr = smbconf_set_global_parameter(ctx, "security", "ads"); - W_ERROR_NOT_OK_GOTO_DONE(werr); + err = smbconf_set_global_parameter(ctx, "security", "ads"); + if (!SBC_ERROR_IS_OK(err)) { + werr = WERR_NO_SUCH_SERVICE; + goto done; + } - werr = smbconf_set_global_parameter(ctx, "realm", - r->out.dns_domain_name); - W_ERROR_NOT_OK_GOTO_DONE(werr); + err = smbconf_set_global_parameter(ctx, "realm", + r->out.dns_domain_name); + if (!SBC_ERROR_IS_OK(err)) { + werr = 
WERR_NO_SUCH_SERVICE; + goto done; + } } done: @@ -1377,20 +1525,28 @@ static WERROR do_join_modify_vals_config(struct libnet_JoinCtx *r) static WERROR do_unjoin_modify_vals_config(struct libnet_UnjoinCtx *r) { WERROR werr = WERR_OK; + sbcErr err; struct smbconf_ctx *ctx; - werr = smbconf_init_reg(r, &ctx, NULL); - if (!W_ERROR_IS_OK(werr)) { + err = smbconf_init_reg(r, &ctx, NULL); + if (!SBC_ERROR_IS_OK(err)) { + werr = WERR_NO_SUCH_SERVICE; goto done; } if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) { - werr = smbconf_set_global_parameter(ctx, "security", "user"); - W_ERROR_NOT_OK_GOTO_DONE(werr); + err = smbconf_set_global_parameter(ctx, "security", "user"); + if (!SBC_ERROR_IS_OK(err)) { + werr = WERR_NO_SUCH_SERVICE; + goto done; + } - werr = smbconf_delete_global_parameter(ctx, "workgroup"); - W_ERROR_NOT_OK_GOTO_DONE(werr); + err = smbconf_delete_global_parameter(ctx, "workgroup"); + if (!SBC_ERROR_IS_OK(err)) { + werr = WERR_NO_SUCH_SERVICE; + goto done; + } smbconf_delete_global_parameter(ctx, "realm"); } @@ -1420,7 +1576,7 @@ static WERROR do_JoinConfig(struct libnet_JoinCtx *r) return werr; } - lp_load(get_dyn_CONFIGFILE(),true,false,false,true); + lp_load_global(get_dyn_CONFIGFILE()); r->out.modified_config = true; r->out.result = werr; @@ -1448,7 +1604,7 @@ static WERROR libnet_unjoin_config(struct libnet_UnjoinCtx *r) return werr; } - lp_load(get_dyn_CONFIGFILE(),true,false,false,true); + lp_load_global(get_dyn_CONFIGFILE()); r->out.modified_config = true; r->out.result = werr; @@ -1543,7 +1699,7 @@ static void libnet_join_add_dom_rids_to_builtins(struct dom_sid *domain_sid) if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) { DEBUG(10,("Unable to auto-add domain administrators to " "BUILTIN\\Administrators during join because " - "winbindd must be running.")); + "winbindd must be running.\n")); } else if (!NT_STATUS_IS_OK(status)) { DEBUG(5, ("Failed to auto-add domain administrators to " "BUILTIN\\Administrators during join: %s\n", 
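Review bot: Every `sbcErr` failure in do_join_modify_vals_config is mapped to `WERR_NO_SUCH_SERVICE`, so the caller cannot tell a registry permission problem from a rejected value, and the original code is never logged. Logging it before the mapping, for example `DEBUG(1, ("smbconf: %s\n", sbcErrorString(err)));`, keeps the cause available when a join fails halfway through rewriting `security`, `workgroup` and `realm`. The repeated check blocks would read better as one local helper or macro. do_unjoin_modify_vals_config in the `@@ -1377` hunk has the same mapping, and in both functions the result of `smbconf_delete_global_parameter(ctx, "realm")` is dropped.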
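Review bot: The result of `lp_load_global(get_dyn_CONFIGFILE())` is discarded in do_JoinConfig, and `r->out.modified_config` is set to true regardless. Assuming the function returns a success flag, a failed reload after the registry configuration was rewritten leaves the process running on the old `security`/`workgroup`/`realm` values while reporting success. Check the call and log or return an error when it fails. libnet_unjoin_config in the `@@ -1448` hunk does the same.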
@@ -1554,7 +1710,7 @@ static void libnet_join_add_dom_rids_to_builtins(struct dom_sid *domain_sid) status = create_builtin_users(domain_sid); if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) { DEBUG(10,("Unable to auto-add domain users to BUILTIN\\users " - "during join because winbindd must be running.")); + "during join because winbindd must be running.\n")); } else if (!NT_STATUS_IS_OK(status)) { DEBUG(5, ("Failed to auto-add domain administrators to " "BUILTIN\\Administrators during join: %s\n", @@ -1588,7 +1744,7 @@ static WERROR libnet_join_post_processing(TALLOC_CTX *mem_ctx, saf_join_store(r->out.dns_domain_name, r->in.dc_name); } -#ifdef WITH_ADS +#ifdef HAVE_ADS if (r->out.domain_is_ad && !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) { ADS_STATUS ads_status; @@ -1598,7 +1754,7 @@ static WERROR libnet_join_post_processing(TALLOC_CTX *mem_ctx, return WERR_GENERAL_FAILURE; } } -#endif /* WITH_ADS */ +#endif /* HAVE_ADS */ libnet_join_add_dom_rids_to_builtins(r->out.domain_sid); @@ -1610,17 +1766,10 @@ static WERROR libnet_join_post_processing(TALLOC_CTX *mem_ctx, static int libnet_destroy_JoinCtx(struct libnet_JoinCtx *r) { - const char *krb5_cc_env = NULL; - if (r->in.ads) { ads_destroy(&r->in.ads); } - krb5_cc_env = getenv(KRB5_ENV_CCNAME); - if (krb5_cc_env && StrCaseCmp(krb5_cc_env, "MEMORY:libnetjoin")) { - unsetenv(KRB5_ENV_CCNAME); - } - return 0; } @@ -1629,17 +1778,10 @@ static int libnet_destroy_JoinCtx(struct libnet_JoinCtx *r) static int libnet_destroy_UnjoinCtx(struct libnet_UnjoinCtx *r) { - const char *krb5_cc_env = NULL; - if (r->in.ads) { ads_destroy(&r->in.ads); } - krb5_cc_env = getenv(KRB5_ENV_CCNAME); - if (krb5_cc_env && StrCaseCmp(krb5_cc_env, "MEMORY:libnetjoin")) { - unsetenv(KRB5_ENV_CCNAME); - } - return 0; } 
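Review bot: The `else if` branch after `create_builtin_users(domain_sid)` still logs "Failed to auto-add domain administrators to BUILTIN\\Administrators", which is the message of the preceding create-administrators block. Someone reading the log during a failed join would look at the wrong group; the text should be `"Failed to auto-add domain users to BUILTIN\\users during join: %s\n"`. The line is context next to the newline fix, so it fits the same cleanup.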
@@ -1650,7 +1792,6 @@ WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx, struct libnet_JoinCtx **r) { struct libnet_JoinCtx *ctx; - const char *krb5_cc_env = NULL; ctx = talloc_zero(mem_ctx, struct libnet_JoinCtx); if (!ctx) { @@ -1659,16 +1800,9 @@ WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx, talloc_set_destructor(ctx, libnet_destroy_JoinCtx); - ctx->in.machine_name = talloc_strdup(mem_ctx, global_myname()); + ctx->in.machine_name = talloc_strdup(mem_ctx, lp_netbios_name()); W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name); - krb5_cc_env = getenv(KRB5_ENV_CCNAME); - if (!krb5_cc_env || (strlen(krb5_cc_env) == 0)) { - krb5_cc_env = talloc_strdup(mem_ctx, "MEMORY:libnetjoin"); - W_ERROR_HAVE_NO_MEMORY(krb5_cc_env); - setenv(KRB5_ENV_CCNAME, krb5_cc_env, 1); - } - ctx->in.secure_channel_type = SEC_CHAN_WKSTA; *r = ctx; @@ -1683,7 +1817,6 @@ WERROR libnet_init_UnjoinCtx(TALLOC_CTX *mem_ctx, struct libnet_UnjoinCtx **r) { struct libnet_UnjoinCtx *ctx; - const char *krb5_cc_env = NULL; ctx = talloc_zero(mem_ctx, struct libnet_UnjoinCtx); if (!ctx) { @@ -1692,16 +1825,9 @@ WERROR libnet_init_UnjoinCtx(TALLOC_CTX *mem_ctx, talloc_set_destructor(ctx, libnet_destroy_UnjoinCtx); - ctx->in.machine_name = talloc_strdup(mem_ctx, global_myname()); + ctx->in.machine_name = talloc_strdup(mem_ctx, lp_netbios_name()); W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name); - krb5_cc_env = getenv(KRB5_ENV_CCNAME); - if (!krb5_cc_env || (strlen(krb5_cc_env) == 0)) { - krb5_cc_env = talloc_strdup(mem_ctx, "MEMORY:libnetjoin"); - W_ERROR_HAVE_NO_MEMORY(krb5_cc_env); - setenv(KRB5_ENV_CCNAME, krb5_cc_env, 1); - } - *r = ctx; return WERR_OK; @@ -1767,7 +1893,6 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx, if (!valid_security) { const char *sec = NULL; switch (lp_security()) { - case SEC_SHARE: sec = "share"; break; case SEC_USER: sec = "user"; break; case SEC_DOMAIN: sec = "domain"; break; case SEC_ADS: sec = "ads"; break; 
@@ -1806,9 +1931,9 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, NTSTATUS status; WERROR werr; struct cli_state *cli = NULL; -#ifdef WITH_ADS +#ifdef HAVE_ADS ADS_STATUS ads_status; -#endif /* WITH_ADS */ +#endif /* HAVE_ADS */ if (!r->in.dc_name) { struct netr_DsRGetDCNameInfo *info; @@ -1849,7 +1974,13 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, goto done; } -#ifdef WITH_ADS +#ifdef HAVE_ADS + + create_local_private_krb5_conf_for_domain( + r->out.dns_domain_name, r->out.netbios_domain_name, + NULL, smbXcli_conn_remote_sockaddr(cli->conn), + smbXcli_conn_remote_name(cli->conn)); + if (r->out.domain_is_ad && r->in.account_ou && !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) { @@ -1869,7 +2000,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE; } -#endif /* WITH_ADS */ +#endif /* HAVE_ADS */ if ((r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) && (r->in.join_flags & WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED)) { @@ -1944,6 +2075,8 @@ WERROR libnet_Join(TALLOC_CTX *mem_ctx, LIBNET_JOIN_IN_DUMP_CTX(mem_ctx, r); } + ZERO_STRUCT(r->out); + werr = libnet_join_pre_processing(mem_ctx, r); if (!W_ERROR_IS_OK(werr)) { goto done; @@ -1992,7 +2125,7 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, "Unable to fetch domain sid: are we joined?"); return WERR_SETUP_NOT_JOINED; } - r->in.domain_sid = sid_dup_talloc(mem_ctx, &sid); + r->in.domain_sid = dom_sid_dup(mem_ctx, &sid); W_ERROR_HAVE_NO_MEMORY(r->in.domain_sid); } @@ -2027,11 +2160,11 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, W_ERROR_HAVE_NO_MEMORY(r->in.dc_name); } -#ifdef WITH_ADS +#ifdef HAVE_ADS /* for net ads leave, try to delete the account. If it works, no sense in disabling. If it fails, we can still try to disable it. jmcd */ - + if (r->in.delete_machine_account) { ADS_STATUS ads_status; ads_status = libnet_unjoin_connect_ads(mem_ctx, r); 
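Review bot: The new `create_local_private_krb5_conf_for_domain(...)` call in libnet_DomainJoin runs before the `r->out.domain_is_ad` test, and its result is not checked. For a non-AD domain `r->out.dns_domain_name` may be unset (the fallback branch in libnet_join_lookup_dc_rpc fills only the NetBIOS name and SID), so a NULL realm can reach the helper; whether it tolerates that is not visible here. Moving the call under `if (r->out.domain_is_ad)` and logging a failure would make the later ADS steps easier to diagnose. A short comment saying that the krb5.conf is generated from the address and name of the DC connection just made would also help reviewers judge how far that input is trusted.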
@@ -2054,7 +2187,7 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, return WERR_OK; } } -#endif /* WITH_ADS */ +#endif /* HAVE_ADS */ /* The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag really means "disable". */ @@ -2069,7 +2202,7 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, } return ntstatus_to_werror(status); } - + r->out.disabled_machine_account = true; }