2 Unix SMB/CIFS implementation.
4 Copyright (C) Stefan Metzmacher 2004
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 #include "libnet/libnet.h"
24 #include "librpc/gen_ndr/ndr_samr.h"
25 #include "lib/crypto/crypto.h"
26 #include "lib/ldb/include/ldb.h"
29 * do a domain join using DCERPC/SAMR calls
30 * 1. connect to the SAMR pipe of users domain PDC (maybe a standalone server or workstation)
31 * is it correct to contact the the pdc of the domain of the user who's password should be set?
32 * 2. do a samr_Connect to get a policy handle
33 * 3. do a samr_LookupDomain to get the domain sid
34 * 4. do a samr_OpenDomain to get a domain handle
35 * 5. do a samr_CreateAccount to try and get a new account
38 * 5.1. do a samr_LookupNames to get the users rid
39 * 5.2. do a samr_OpenUser to get a user handle
41 * 6. call libnet_SetPassword_samr_handle to set the password
43 * 7. do a samrSetUserInfo to set the account flags
45 static NTSTATUS libnet_JoinDomain_samr(struct libnet_context *ctx,
46 TALLOC_CTX *mem_ctx, union libnet_JoinDomain *r)
49 union libnet_rpc_connect c;
50 struct samr_Connect sc;
51 struct policy_handle p_handle;
52 struct samr_LookupDomain ld;
53 struct samr_String d_name;
54 struct samr_OpenDomain od;
55 struct policy_handle d_handle;
56 struct samr_LookupNames ln;
57 struct samr_OpenUser ou;
58 struct samr_CreateUser2 cu;
59 struct policy_handle u_handle;
60 struct samr_QueryUserInfo qui;
61 struct samr_SetUserInfo sui;
62 union samr_UserInfo u_info;
63 union libnet_SetPassword r2;
64 struct samr_GetUserPwInfo pwp;
65 struct samr_String samr_account_name;
68 uint32_t rid, access_granted;
69 int policy_min_pw_len = 0;
71 /* prepare connect to the SAMR pipe of users domain PDC */
72 c.pdc.level = LIBNET_RPC_CONNECT_PDC;
73 c.pdc.in.domain_name = r->samr.in.domain_name;
74 c.pdc.in.dcerpc_iface_name = DCERPC_SAMR_NAME;
75 c.pdc.in.dcerpc_iface_uuid = DCERPC_SAMR_UUID;
76 c.pdc.in.dcerpc_iface_version = DCERPC_SAMR_VERSION;
78 /* 1. connect to the SAMR pipe of users domain PDC (maybe a standalone server or workstation) */
79 status = libnet_rpc_connect(ctx, mem_ctx, &c);
80 if (!NT_STATUS_IS_OK(status)) {
81 r->samr.out.error_string = talloc_asprintf(mem_ctx,
82 "Connection to SAMR pipe of PDC of domain '%s' failed: %s\n",
83 r->samr.in.domain_name, nt_errstr(status));
87 /* prepare samr_Connect */
88 ZERO_STRUCT(p_handle);
89 sc.in.system_name = NULL;
90 sc.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
91 sc.out.connect_handle = &p_handle;
93 /* 2. do a samr_Connect to get a policy handle */
94 status = dcerpc_samr_Connect(c.pdc.out.dcerpc_pipe, mem_ctx, &sc);
95 if (!NT_STATUS_IS_OK(status)) {
96 r->samr.out.error_string = talloc_asprintf(mem_ctx,
97 "samr_Connect failed: %s\n",
102 /* check result of samr_Connect */
103 if (!NT_STATUS_IS_OK(sc.out.result)) {
104 r->samr.out.error_string = talloc_asprintf(mem_ctx,
105 "samr_Connect failed: %s\n",
106 nt_errstr(sc.out.result));
107 status = sc.out.result;
111 /* prepare samr_LookupDomain */
112 d_name.string = r->samr.in.domain_name;
113 ld.in.connect_handle = &p_handle;
114 ld.in.domain_name = &d_name;
116 /* 3. do a samr_LookupDomain to get the domain sid */
117 status = dcerpc_samr_LookupDomain(c.pdc.out.dcerpc_pipe, mem_ctx, &ld);
118 if (!NT_STATUS_IS_OK(status)) {
119 r->samr.out.error_string = talloc_asprintf(mem_ctx,
120 "samr_LookupDomain for [%s] failed: %s\n",
121 r->samr.in.domain_name, nt_errstr(status));
125 /* check result of samr_LookupDomain */
126 if (!NT_STATUS_IS_OK(ld.out.result)) {
127 r->samr.out.error_string = talloc_asprintf(mem_ctx,
128 "samr_LookupDomain for [%s] failed: %s\n",
129 r->samr.in.domain_name, nt_errstr(ld.out.result));
130 status = ld.out.result;
134 /* prepare samr_OpenDomain */
135 ZERO_STRUCT(d_handle);
136 od.in.connect_handle = &p_handle;
137 od.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
138 od.in.sid = ld.out.sid;
139 od.out.domain_handle = &d_handle;
141 /* 4. do a samr_OpenDomain to get a domain handle */
142 status = dcerpc_samr_OpenDomain(c.pdc.out.dcerpc_pipe, mem_ctx, &od);
143 if (!NT_STATUS_IS_OK(status)) {
144 r->samr.out.error_string = talloc_asprintf(mem_ctx,
145 "samr_OpenDomain for [%s] failed: %s\n",
146 r->samr.in.domain_name, nt_errstr(status));
150 /* prepare samr_CreateUser2 */
151 ZERO_STRUCT(u_handle);
152 cu.in.domain_handle = &d_handle;
153 cu.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
154 samr_account_name.string = r->samr.in.account_name;
155 cu.in.account_name = &samr_account_name;
156 cu.in.acct_flags = r->samr.in.acct_type;
157 cu.out.user_handle = &u_handle;
159 cu.out.access_granted = &access_granted;
161 /* 4. do a samr_CreateUser2 to get an account handle, or an error */
162 status = dcerpc_samr_CreateUser2(c.pdc.out.dcerpc_pipe, mem_ctx, &cu);
163 if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
164 r->samr.out.error_string = talloc_asprintf(mem_ctx,
165 "samr_CreateUser2 for [%s] failed: %s\n",
166 r->samr.in.domain_name, nt_errstr(status));
169 } else if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
170 /* prepare samr_LookupNames */
171 ln.in.domain_handle = &d_handle;
173 ln.in.names = talloc_array(mem_ctx, struct samr_String, 1);
175 r->samr.out.error_string = "Out of Memory";
176 return NT_STATUS_NO_MEMORY;
178 ln.in.names[0].string = r->samr.in.account_name;
180 /* 5. do a samr_LookupNames to get the users rid */
181 status = dcerpc_samr_LookupNames(c.pdc.out.dcerpc_pipe, mem_ctx, &ln);
182 if (!NT_STATUS_IS_OK(status)) {
183 r->samr.out.error_string = talloc_asprintf(mem_ctx,
184 "samr_LookupNames for [%s] failed: %s\n",
185 r->samr.in.account_name, nt_errstr(status));
190 /* check if we got one RID for the user */
191 if (ln.out.rids.count != 1) {
192 r->samr.out.error_string = talloc_asprintf(mem_ctx,
193 "samr_LookupNames for [%s] returns %d RIDs\n",
194 r->samr.in.account_name, ln.out.rids.count);
195 status = NT_STATUS_INVALID_PARAMETER;
199 /* prepare samr_OpenUser */
200 ZERO_STRUCT(u_handle);
201 ou.in.domain_handle = &d_handle;
202 ou.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
203 ou.in.rid = ln.out.rids.ids[0];
204 ou.out.user_handle = &u_handle;
206 /* 6. do a samr_OpenUser to get a user handle */
207 status = dcerpc_samr_OpenUser(c.pdc.out.dcerpc_pipe, mem_ctx, &ou);
208 if (!NT_STATUS_IS_OK(status)) {
209 r->samr.out.error_string = talloc_asprintf(mem_ctx,
210 "samr_OpenUser for [%s] failed: %s\n",
211 r->samr.in.account_name, nt_errstr(status));
216 pwp.in.user_handle = &u_handle;
218 status = dcerpc_samr_GetUserPwInfo(c.pdc.out.dcerpc_pipe, mem_ctx, &pwp);
219 if (NT_STATUS_IS_OK(status)) {
220 policy_min_pw_len = pwp.out.info.min_password_length;
223 r->samr.out.join_password = generate_random_str(mem_ctx, MAX(8, policy_min_pw_len));
225 r2.samr_handle.level = LIBNET_SET_PASSWORD_SAMR_HANDLE;
226 r2.samr_handle.in.account_name = r->samr.in.account_name;
227 r2.samr_handle.in.newpassword = r->samr.out.join_password;
228 r2.samr_handle.in.user_handle = &u_handle;
229 r2.samr_handle.in.dcerpc_pipe = c.pdc.out.dcerpc_pipe;
231 status = libnet_SetPassword(ctx, mem_ctx, &r2);
233 r->samr.out.error_string = r2.samr_handle.out.error_string;
235 if (!NT_STATUS_IS_OK(status)) {
239 /* prepare samr_SetUserInfo level 23 */
240 qui.in.user_handle = &u_handle;
243 status = dcerpc_samr_QueryUserInfo(c.pdc.out.dcerpc_pipe, mem_ctx, &qui);
244 if (!NT_STATUS_IS_OK(status)) {
245 r->samr.out.error_string
246 = talloc_asprintf(mem_ctx,
247 "samr_QueryUserInfo for [%s] failed: %s\n",
248 r->samr.in.account_name, nt_errstr(status));
252 status = NT_STATUS_INVALID_PARAMETER;
253 r->samr.out.error_string
254 = talloc_asprintf(mem_ctx,
255 "samr_QueryUserInfo failed to return qui.out.info for [%s]: %s\n",
256 r->samr.in.account_name, nt_errstr(status));
260 if ((qui.out.info->info16.acct_flags & (ACB_WSTRUST | ACB_SVRTRUST | ACB_DOMTRUST))
261 != r->samr.in.acct_type) {
262 acct_flags = (qui.out.info->info16.acct_flags & ~(ACB_WSTRUST | ACB_SVRTRUST | ACB_DOMTRUST))
263 | r->samr.in.acct_type;
265 acct_flags = qui.out.info->info16.acct_flags;
268 acct_flags = (acct_flags & ~ACB_DISABLED);
270 if (acct_flags != qui.out.info->info16.acct_flags) {
272 u_info.info16.acct_flags = acct_flags;
274 sui.in.user_handle = &u_handle;
275 sui.in.info = &u_info;
278 dcerpc_samr_SetUserInfo(c.pdc.out.dcerpc_pipe, mem_ctx, &sui);
279 if (!NT_STATUS_IS_OK(status)) {
280 r->samr.out.error_string
281 = talloc_asprintf(mem_ctx,
282 "samr_SetUserInfo for [%s] failed to remove ACB_DISABLED flag: %s\n",
283 r->samr.in.account_name, nt_errstr(status));
289 /* close connection */
290 talloc_free(c.pdc.out.dcerpc_pipe);
295 static NTSTATUS libnet_JoinDomain_generic(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, union libnet_JoinDomain *r)
298 union libnet_JoinDomain r2;
300 r2.samr.level = LIBNET_JOIN_DOMAIN_SAMR;
301 r2.samr.in.account_name = r->generic.in.account_name;
302 r2.samr.in.domain_name = r->generic.in.domain_name;
303 r2.samr.in.acct_type = r->generic.in.acct_type;
305 status = libnet_JoinDomain(ctx, mem_ctx, &r2);
307 r->generic.out.error_string = r2.samr.out.error_string;
308 r->generic.out.join_password = r2.samr.out.join_password;
313 NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, union libnet_JoinDomain *r)
315 switch (r->generic.level) {
316 case LIBNET_JOIN_DOMAIN_GENERIC:
317 return libnet_JoinDomain_generic(ctx, mem_ctx, r);
318 case LIBNET_JOIN_DOMAIN_SAMR:
319 return libnet_JoinDomain_samr(ctx, mem_ctx, r);
322 return NT_STATUS_INVALID_LEVEL;
326 static NTSTATUS libnet_Join_primary_domain(struct libnet_context *ctx,
328 union libnet_Join *r)
333 struct ldb_context *ldb;
334 union libnet_JoinDomain r2;
335 const char *base_dn = "cn=Primary Domains";
336 const struct ldb_val *prior_secret;
337 const char *prior_modified_time;
338 struct ldb_message **msgs, *msg;
340 const char *attrs[] = {
348 r2.generic.level = LIBNET_JOIN_DOMAIN_GENERIC;
350 if (r->generic.in.secure_channel_type == SEC_CHAN_BDC) {
351 r2.generic.in.acct_type = ACB_SVRTRUST;
352 } else if (r->generic.in.secure_channel_type == SEC_CHAN_WKSTA) {
353 r2.generic.in.acct_type = ACB_WSTRUST;
355 r2.generic.in.domain_name = r->generic.in.domain_name;
357 r2.generic.in.account_name = talloc_asprintf(mem_ctx, "%s$", lp_netbios_name());
359 /* Local secrets are stored in secrets.ldb */
360 ldb = secrets_db_connect(mem_ctx);
363 status = libnet_JoinDomain(ctx, mem_ctx, &r2);
365 r->generic.out.error_string = r2.generic.out.error_string;
367 /* store in secrets.ldb or samdb.ldb, depending on secret type */
368 if (!NT_STATUS_IS_OK(status)) {
372 sct = talloc_asprintf(mem_ctx, "%d", r->generic.in.secure_channel_type);
373 msg = ldb_msg_new(mem_ctx);
375 /* search for the secret record */
376 ret = samdb_search(ldb,
377 mem_ctx, base_dn, &msgs, attrs,
378 "(&(flatname=%s)(objectclass=primaryDomain))",
379 r->generic.in.domain_name);
381 msg->dn = talloc_asprintf(mem_ctx, "flatname=%s,%s",
382 r->generic.in.domain_name,
385 samdb_msg_add_string(ldb, mem_ctx, msg, "flatname", r->generic.in.domain_name);
386 samdb_msg_add_string(ldb, mem_ctx, msg, "objectClass", "primaryDomain");
387 samdb_msg_add_string(ldb, mem_ctx, msg, "secret", r2.generic.out.join_password);
389 samdb_msg_add_string(ldb, mem_ctx, msg, "accountName", r2.generic.in.account_name);
391 samdb_msg_add_string(ldb, mem_ctx, msg, "secureChannelType", sct);
393 /* create the secret */
394 ret = samdb_add(ldb, mem_ctx, msg);
396 r->generic.out.error_string
397 = talloc_asprintf(mem_ctx,
398 "Failed to create secret record %s\n",
400 return NT_STATUS_INTERNAL_DB_CORRUPTION;
403 } else if (ret != 1) {
404 r->generic.out.error_string
405 = talloc_asprintf(mem_ctx,
406 "Found %d records matching cn=%s under DN %s\n", ret,
407 r->generic.in.domain_name, base_dn);
408 return NT_STATUS_INTERNAL_DB_CORRUPTION;
411 msg->dn = msgs[0]->dn;
413 prior_secret = ldb_msg_find_ldb_val(msgs[0], "secret");
415 samdb_msg_set_value(ldb, mem_ctx, msg, "priorSecret", prior_secret);
417 samdb_msg_set_string(ldb, mem_ctx, msg, "secret", r2.generic.out.join_password);
419 prior_modified_time = ldb_msg_find_string(msgs[0],
420 "whenChanged", NULL);
421 if (prior_modified_time) {
422 samdb_msg_set_string(ldb, mem_ctx, msg, "priorWhenChanged",
423 prior_modified_time);
426 samdb_msg_set_string(ldb, mem_ctx, msg, "accountName", r2.generic.in.account_name);
427 samdb_msg_set_string(ldb, mem_ctx, msg, "secureChannelType", sct);
429 /* update the secret */
430 ret = samdb_replace(ldb, mem_ctx, msg);
432 DEBUG(0,("Failed to create secret record %s\n", msg->dn));
433 return NT_STATUS_INTERNAL_DB_CORRUPTION;
438 NTSTATUS libnet_Join_generic(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, union libnet_Join *r)
441 union libnet_Join r2;
442 r2.generic.in.secure_channel_type = r->generic.in.secure_channel_type;
443 r2.generic.in.domain_name = r->generic.in.domain_name;
445 if ((r->generic.in.secure_channel_type == SEC_CHAN_WKSTA)
446 || (r->generic.in.secure_channel_type == SEC_CHAN_BDC)) {
447 r2.generic.level = LIBNET_JOIN_PRIMARY;
448 nt_status = libnet_Join(ctx, mem_ctx, &r2);
450 r->generic.out.error_string
451 = talloc_asprintf(mem_ctx, "Invalid secure channel type specified (%08X) attempting to join domain %s",
452 r->generic.in.secure_channel_type, r->generic.in.domain_name);
453 return NT_STATUS_INVALID_PARAMETER;
455 r->generic.out.error_string = r2.generic.out.error_string;
459 NTSTATUS libnet_Join(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, union libnet_Join *r)
461 switch (r->generic.level) {
462 case LIBNET_JOIN_GENERIC:
463 return libnet_Join_generic(ctx, mem_ctx, r);
464 case LIBNET_JOIN_PRIMARY:
465 return libnet_Join_primary_domain(ctx, mem_ctx, r);
468 return NT_STATUS_INVALID_LEVEL;