40debc63dc6be32f838c56264ef84304537ff295
[gd/samba-autobuild/.git] / source4 / libnet / libnet_join.c
1 /* 
2    Unix SMB/CIFS implementation.
3    
4    Copyright (C) Stefan Metzmacher      2004
5    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
6    Copyright (C) Brad Henry 2005
7  
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "libnet/libnet.h"
24 #include "librpc/gen_ndr/ndr_drsuapi_c.h"
25 #include "lib/ldb/include/ldb.h"
26 #include "lib/ldb/include/ldb_errors.h"
27 #include "param/secrets.h"
28 #include "dsdb/samdb/samdb.h"
29 #include "db_wrap.h"
30 #include "libcli/security/security.h"
31 #include "auth/credentials/credentials.h"
32 #include "auth/credentials/credentials_krb5.h"
33 #include "librpc/gen_ndr/ndr_samr_c.h"
34
35 /*
36  * complete a domain join, when joining to a AD domain:
37  * 1.) connect and bind to the DRSUAPI pipe
38  * 2.) do a DsCrackNames() to find the machine account dn
39  * 3.) connect to LDAP
40  * 4.) do an ldap search to find the "msDS-KeyVersionNumber" of the machine account
41  * 5.) set the servicePrincipalName's of the machine account via LDAP, (maybe we should use DsWriteAccountSpn()...)
42  * 6.) do a DsCrackNames() to find the domain dn
43  * 7.) find out Site specific stuff, look at libnet_JoinSite() for details
44  */
45 static NTSTATUS libnet_JoinADSDomain(struct libnet_context *ctx, struct libnet_JoinDomain *r)
46 {
47         NTSTATUS status;
48
49         TALLOC_CTX *tmp_ctx;
50
51         const char *realm = r->out.realm;
52
53         struct dcerpc_binding *samr_binding = r->out.samr_binding;
54
55         struct dcerpc_pipe *drsuapi_pipe;
56         struct dcerpc_binding *drsuapi_binding;
57         struct drsuapi_DsBind r_drsuapi_bind;
58         struct drsuapi_DsCrackNames r_crack_names;
59         struct drsuapi_DsNameString names[1];
60         struct policy_handle drsuapi_bind_handle;
61         struct GUID drsuapi_bind_guid;
62
63         struct ldb_context *remote_ldb;
64         struct ldb_dn *account_dn;
65         const char *account_dn_str;
66         const char *remote_ldb_url;
67         struct ldb_result *res;
68         struct ldb_message *msg;
69
70         int ret, rtn;
71
72         const char * const attrs[] = {
73                 "msDS-KeyVersionNumber",
74                 "servicePrincipalName",
75                 "dNSHostName",
76                 "objectGUID",
77                 NULL,
78         };
79
80         r->out.error_string = NULL;
81         
82         /* We need to convert between a samAccountName and domain to a
83          * DN in the directory.  The correct way to do this is with
84          * DRSUAPI CrackNames */
85
86         /* Fiddle with the bindings, so get to DRSUAPI on
87          * NCACN_IP_TCP, sealed */
88         tmp_ctx = talloc_named(r, 0, "libnet_JoinADSDomain temp context");  
89         if (!tmp_ctx) {
90                 r->out.error_string = NULL;
91                 return NT_STATUS_NO_MEMORY;
92         }
93                                                    
94         drsuapi_binding = talloc(tmp_ctx, struct dcerpc_binding);
95         if (!drsuapi_binding) {
96                 r->out.error_string = NULL;
97                 talloc_free(tmp_ctx);
98                 return NT_STATUS_NO_MEMORY;
99         }
100         
101         *drsuapi_binding = *samr_binding;
102
103         /* DRSUAPI is only available on IP_TCP, and locally on NCALRPC */
104         if (drsuapi_binding->transport != NCALRPC) {
105                 drsuapi_binding->transport = NCACN_IP_TCP;
106         }
107         drsuapi_binding->endpoint = NULL;
108         drsuapi_binding->flags |= DCERPC_SEAL;
109
110         status = dcerpc_pipe_connect_b(tmp_ctx, 
111                                        &drsuapi_pipe,
112                                        drsuapi_binding,
113                                        &ndr_table_drsuapi,
114                                        ctx->cred, 
115                                        ctx->event_ctx);
116         if (!NT_STATUS_IS_OK(status)) {
117                 r->out.error_string = talloc_asprintf(r,
118                                         "Connection to DRSUAPI pipe of PDC of domain '%s' failed: %s",
119                                         r->out.domain_name,
120                                         nt_errstr(status));
121                 talloc_free(tmp_ctx);
122                 return status;
123         }
124
125         /* get a DRSUAPI pipe handle */
126         GUID_from_string(DRSUAPI_DS_BIND_GUID, &drsuapi_bind_guid);
127
128         r_drsuapi_bind.in.bind_guid = &drsuapi_bind_guid;
129         r_drsuapi_bind.in.bind_info = NULL;
130         r_drsuapi_bind.out.bind_handle = &drsuapi_bind_handle;
131
132         status = dcerpc_drsuapi_DsBind(drsuapi_pipe, tmp_ctx, &r_drsuapi_bind);
133         if (!NT_STATUS_IS_OK(status)) {
134                 if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
135                         r->out.error_string
136                                 = talloc_asprintf(r,
137                                                   "dcerpc_drsuapi_DsBind failed - %s", 
138                                                   dcerpc_errstr(tmp_ctx, drsuapi_pipe->last_fault_code));
139                         talloc_free(tmp_ctx);
140                         return status;
141                 } else {
142                         r->out.error_string
143                                 = talloc_asprintf(r,
144                                                   "dcerpc_drsuapi_DsBind failed - %s", 
145                                                   nt_errstr(status));
146                         talloc_free(tmp_ctx);
147                         return status;
148                 }
149         } else if (!W_ERROR_IS_OK(r_drsuapi_bind.out.result)) {
150                 r->out.error_string
151                                 = talloc_asprintf(r,
152                                                   "DsBind failed - %s", 
153                                                   win_errstr(r_drsuapi_bind.out.result));
154                         talloc_free(tmp_ctx);
155                 return NT_STATUS_UNSUCCESSFUL;
156         }
157
158         /* Actually 'crack' the names */
159         ZERO_STRUCT(r_crack_names);
160         r_crack_names.in.bind_handle            = &drsuapi_bind_handle;
161         r_crack_names.in.level                  = 1;
162         r_crack_names.in.req.req1.codepage      = 1252; /* western european */
163         r_crack_names.in.req.req1.language      = 0x00000407; /* german */
164         r_crack_names.in.req.req1.count         = 1;
165         r_crack_names.in.req.req1.names         = names;
166         r_crack_names.in.req.req1.format_flags  = DRSUAPI_DS_NAME_FLAG_NO_FLAGS;
167         r_crack_names.in.req.req1.format_offered= DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY;
168         r_crack_names.in.req.req1.format_desired= DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
169         names[0].str = dom_sid_string(tmp_ctx, r->out.account_sid);
170         if (!names[0].str) {
171                 r->out.error_string = NULL;
172                 talloc_free(tmp_ctx);
173                 return NT_STATUS_NO_MEMORY;
174         }
175
176         status = dcerpc_drsuapi_DsCrackNames(drsuapi_pipe, tmp_ctx, &r_crack_names);
177         if (!NT_STATUS_IS_OK(status)) {
178                 if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
179                         r->out.error_string
180                                 = talloc_asprintf(r,
181                                                   "dcerpc_drsuapi_DsCrackNames for [%s] failed - %s", 
182                                                   names[0].str,
183                                                   dcerpc_errstr(tmp_ctx, drsuapi_pipe->last_fault_code));
184                         talloc_free(tmp_ctx);
185                         return status;
186                 } else {
187                         r->out.error_string
188                                 = talloc_asprintf(r,
189                                                   "dcerpc_drsuapi_DsCrackNames for [%s] failed - %s", 
190                                                   names[0].str,
191                                                   nt_errstr(status));
192                         talloc_free(tmp_ctx);
193                         return status;
194                 }
195         } else if (!W_ERROR_IS_OK(r_crack_names.out.result)) {
196                 r->out.error_string
197                                 = talloc_asprintf(r,
198                                                   "DsCrackNames failed - %s", win_errstr(r_crack_names.out.result));
199                 talloc_free(tmp_ctx);
200                 return NT_STATUS_UNSUCCESSFUL;
201         } else if (r_crack_names.out.level != 1 
202                    || !r_crack_names.out.ctr.ctr1 
203                    || r_crack_names.out.ctr.ctr1->count != 1) {
204                 r->out.error_string = talloc_asprintf(r, "DsCrackNames failed");
205                 talloc_free(tmp_ctx);
206                 return NT_STATUS_INVALID_PARAMETER;
207         } else if (r_crack_names.out.ctr.ctr1->array[0].status != DRSUAPI_DS_NAME_STATUS_OK) {
208                 r->out.error_string = talloc_asprintf(r, "DsCrackNames failed: %d", r_crack_names.out.ctr.ctr1->array[0].status);
209                 talloc_free(tmp_ctx);
210                 return NT_STATUS_UNSUCCESSFUL;
211         } else if (r_crack_names.out.ctr.ctr1->array[0].result_name == NULL) {
212                 r->out.error_string = talloc_asprintf(r, "DsCrackNames failed: no result name");
213                 talloc_free(tmp_ctx);
214                 return NT_STATUS_INVALID_PARAMETER;
215         }
216
217         /* Store the DN of our machine account. */
218         account_dn_str = r_crack_names.out.ctr.ctr1->array[0].result_name;
219
220         /* Now we know the user's DN, open with LDAP, read and modify a few things */
221
222         remote_ldb_url = talloc_asprintf(tmp_ctx, "ldap://%s", 
223                                          drsuapi_binding->target_hostname);
224         if (!remote_ldb_url) {
225                 r->out.error_string = NULL;
226                 talloc_free(tmp_ctx);
227                 return NT_STATUS_NO_MEMORY;
228         }
229
230         remote_ldb = ldb_wrap_connect(tmp_ctx, remote_ldb_url, 
231                                       NULL, ctx->cred, 0, NULL);
232         if (!remote_ldb) {
233                 r->out.error_string = NULL;
234                 talloc_free(tmp_ctx);
235                 return NT_STATUS_UNSUCCESSFUL;
236         }
237
238         account_dn = ldb_dn_new(tmp_ctx, remote_ldb, account_dn_str);
239         if (! ldb_dn_validate(account_dn)) {
240                 r->out.error_string = talloc_asprintf(r, "Invalid account dn: %s",
241                                                       account_dn_str);
242                 talloc_free(tmp_ctx);
243                 return NT_STATUS_UNSUCCESSFUL;
244         }
245
246         /* search for the user's record */
247         ret = ldb_search(remote_ldb, account_dn, LDB_SCOPE_BASE, 
248                          NULL, attrs, &res);
249         if (ret != LDB_SUCCESS) {
250                 r->out.error_string = talloc_asprintf(r, "ldb_search for %s failed - %s",
251                                                       account_dn_str, ldb_errstring(remote_ldb));
252                 talloc_free(tmp_ctx);
253                 return NT_STATUS_UNSUCCESSFUL;
254         }
255
256         talloc_steal(tmp_ctx, res);
257
258         if (res->count != 1) {
259                 r->out.error_string = talloc_asprintf(r, "ldb_search for %s failed - found %d entries",
260                                                       account_dn_str, res->count);
261                 talloc_free(tmp_ctx);
262                 return NT_STATUS_UNSUCCESSFUL;
263         }
264
265         /* Prepare a new message, for the modify */
266         msg = ldb_msg_new(tmp_ctx);
267         if (!msg) {
268                 r->out.error_string = NULL;
269                 talloc_free(tmp_ctx);
270                 return NT_STATUS_NO_MEMORY;
271         }
272         msg->dn = res->msgs[0]->dn;
273
274         {
275                 int i;
276                 const char *service_principal_name[6];
277                 const char *dns_host_name = strlower_talloc(tmp_ctx, 
278                                                             talloc_asprintf(tmp_ctx, 
279                                                                             "%s.%s", 
280                                                                             r->in.netbios_name, 
281                                                                             realm));
282
283                 if (!dns_host_name) {
284                         r->out.error_string = NULL;
285                         talloc_free(tmp_ctx);
286                         return NT_STATUS_NO_MEMORY;
287                 }
288
289                 service_principal_name[0] = talloc_asprintf(tmp_ctx, "host/%s", dns_host_name);
290                 service_principal_name[1] = talloc_asprintf(tmp_ctx, "host/%s", strlower_talloc(tmp_ctx, r->in.netbios_name));
291                 service_principal_name[2] = talloc_asprintf(tmp_ctx, "host/%s/%s", dns_host_name, realm);
292                 service_principal_name[3] = talloc_asprintf(tmp_ctx, "host/%s/%s", strlower_talloc(tmp_ctx, r->in.netbios_name), realm);
293                 service_principal_name[4] = talloc_asprintf(tmp_ctx, "host/%s/%s", dns_host_name, r->out.domain_name);
294                 service_principal_name[5] = talloc_asprintf(tmp_ctx, "host/%s/%s", strlower_talloc(tmp_ctx, r->in.netbios_name), r->out.domain_name);
295                 
296                 for (i=0; i < ARRAY_SIZE(service_principal_name); i++) {
297                         if (!service_principal_name[i]) {
298                                 r->out.error_string = NULL;
299                                 talloc_free(tmp_ctx);
300                                 return NT_STATUS_NO_MEMORY;
301                         }
302                         rtn = samdb_msg_add_string(remote_ldb, tmp_ctx, msg, "servicePrincipalName", service_principal_name[i]);
303                         if (rtn == -1) {
304                                 r->out.error_string = NULL;
305                                 talloc_free(tmp_ctx);
306                                 return NT_STATUS_NO_MEMORY;
307                         }
308                 }
309
310                 rtn = samdb_msg_add_string(remote_ldb, tmp_ctx, msg, "dNSHostName", dns_host_name);
311                 if (rtn == -1) {
312                         r->out.error_string = NULL;
313                         talloc_free(tmp_ctx);
314                         return NT_STATUS_NO_MEMORY;
315                 }
316
317                 rtn = samdb_replace(remote_ldb, tmp_ctx, msg);
318                 if (rtn != 0) {
319                         r->out.error_string
320                                 = talloc_asprintf(r, 
321                                                   "Failed to replace entries on %s", 
322                                                   ldb_dn_get_linearized(msg->dn));
323                         talloc_free(tmp_ctx);
324                         return NT_STATUS_INTERNAL_DB_CORRUPTION;
325                 }
326         }
327                                 
328         /* DsCrackNames to find out the DN of the domain. */
329         r_crack_names.in.req.req1.format_offered = DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT;
330         r_crack_names.in.req.req1.format_desired = DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
331         names[0].str = talloc_asprintf(tmp_ctx, "%s\\", r->out.domain_name);
332         if (!names[0].str) {
333                 r->out.error_string = NULL;
334                 talloc_free(tmp_ctx);
335                 return NT_STATUS_NO_MEMORY;
336         }
337
338         status = dcerpc_drsuapi_DsCrackNames(drsuapi_pipe, tmp_ctx, &r_crack_names);
339         if (!NT_STATUS_IS_OK(status)) {
340                 if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
341                         r->out.error_string
342                                 = talloc_asprintf(r,
343                                                   "dcerpc_drsuapi_DsCrackNames for [%s] failed - %s", 
344                                                   r->in.domain_name, 
345                                                   dcerpc_errstr(tmp_ctx, drsuapi_pipe->last_fault_code));
346                         talloc_free(tmp_ctx);
347                         return status;
348                 } else {
349                         r->out.error_string
350                                 = talloc_asprintf(r,
351                                                   "dcerpc_drsuapi_DsCrackNames for [%s] failed - %s", 
352                                                   r->in.domain_name, 
353                                                   nt_errstr(status));
354                         talloc_free(tmp_ctx);
355                         return status;
356                 }
357         } else if (!W_ERROR_IS_OK(r_crack_names.out.result)) {
358                 r->out.error_string
359                         = talloc_asprintf(r,
360                                           "DsCrackNames failed - %s", win_errstr(r_crack_names.out.result));
361                 talloc_free(tmp_ctx);
362                 return NT_STATUS_UNSUCCESSFUL;
363         } else if (r_crack_names.out.level != 1 
364                    || !r_crack_names.out.ctr.ctr1 
365                    || r_crack_names.out.ctr.ctr1->count != 1
366                    || !r_crack_names.out.ctr.ctr1->array[0].result_name           
367                    || r_crack_names.out.ctr.ctr1->array[0].status != DRSUAPI_DS_NAME_STATUS_OK) {
368                 r->out.error_string = talloc_asprintf(r, "DsCrackNames failed");
369                 talloc_free(tmp_ctx);
370                 return NT_STATUS_UNSUCCESSFUL;
371         }
372
373         /* Store the account DN. */
374         r->out.account_dn_str = account_dn_str;
375         talloc_steal(r, account_dn_str);
376
377         /* Store the domain DN. */
378         r->out.domain_dn_str = r_crack_names.out.ctr.ctr1->array[0].result_name;
379         talloc_steal(r, r_crack_names.out.ctr.ctr1->array[0].result_name);
380
381         /* Store the KVNO of the account, critical for some kerberos
382          * operations */
383         r->out.kvno = ldb_msg_find_attr_as_uint(res->msgs[0], "msDS-KeyVersionNumber", 0);
384
385         /* Store the account GUID. */
386         r->out.account_guid = samdb_result_guid(res->msgs[0], "objectGUID");
387
388         if (r->in.acct_type == ACB_SVRTRUST) {
389                 status = libnet_JoinSite(remote_ldb, r);
390         }
391         talloc_free(tmp_ctx);
392
393         return status;
394 }
395
396 /*
397  * do a domain join using DCERPC/SAMR calls
398  * - connect to the LSA pipe, to try and find out information about the domain
399  * - create a secondary connection to SAMR pipe
400  * - do a samr_Connect to get a policy handle
401  * - do a samr_LookupDomain to get the domain sid
402  * - do a samr_OpenDomain to get a domain handle
403  * - do a samr_CreateAccount to try and get a new account 
404  * 
405  * If that fails, do:
406  * - do a samr_LookupNames to get the users rid
407  * - do a samr_OpenUser to get a user handle
408  * - potentially delete and recreate the user
409  * - assert the account is of the right type with samrQueryUserInfo
410  * 
411  * - call libnet_SetPassword_samr_handle to set the password,
412  *   and pass a samr_UserInfo21 struct to set full_name and the account flags
413  *
414  * - do some ADS specific things when we join as Domain Controller,
415  *    look at libnet_joinADSDomain() for the details
416  */
417 NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_JoinDomain *r)
418 {
419         TALLOC_CTX *tmp_ctx;
420
421         NTSTATUS status, cu_status;
422
423         struct libnet_RpcConnect *connect_with_info;
424         struct dcerpc_pipe *samr_pipe;
425
426         struct samr_Connect sc;
427         struct policy_handle p_handle;
428         struct samr_OpenDomain od;
429         struct policy_handle d_handle;
430         struct samr_LookupNames ln;
431         struct samr_OpenUser ou;
432         struct samr_CreateUser2 cu;
433         struct policy_handle *u_handle = NULL;
434         struct samr_QueryUserInfo qui;
435         struct samr_UserInfo21 u_info21;
436         union libnet_SetPassword r2;
437         struct samr_GetUserPwInfo pwp;
438         struct lsa_String samr_account_name;
439         
440         uint32_t acct_flags, old_acct_flags;
441         uint32_t rid, access_granted;
442         int policy_min_pw_len = 0;
443
444         struct dom_sid *account_sid = NULL;
445         const char *password_str = NULL;
446         
447         r->out.error_string = NULL;
448         r2.samr_handle.out.error_string = NULL;
449         
450         tmp_ctx = talloc_named(mem_ctx, 0, "libnet_Join temp context");
451         if (!tmp_ctx) {
452                 r->out.error_string = NULL;
453                 return NT_STATUS_NO_MEMORY;
454         }
455         
456         u_handle = talloc(tmp_ctx, struct policy_handle);
457         if (!u_handle) {
458                 r->out.error_string = NULL;
459                 talloc_free(tmp_ctx);
460                 return NT_STATUS_NO_MEMORY;
461         }
462         
463         connect_with_info = talloc(tmp_ctx, struct libnet_RpcConnect);
464         if (!connect_with_info) {
465                 r->out.error_string = NULL;
466                 talloc_free(tmp_ctx);
467                 return NT_STATUS_NO_MEMORY;
468         }
469
470         /* prepare connect to the SAMR pipe of PDC */
471         if (r->in.level == LIBNET_JOINDOMAIN_AUTOMATIC) {
472                 connect_with_info->in.binding = NULL;
473                 connect_with_info->in.name    = r->in.domain_name;
474         } else {
475                 connect_with_info->in.binding = r->in.binding;
476                 connect_with_info->in.name    = NULL;
477         }
478
479         /* This level makes a connection to the LSA pipe on the way,
480          * to get some useful bits of information about the domain */
481         connect_with_info->level              = LIBNET_RPC_CONNECT_DC_INFO;
482         connect_with_info->in.dcerpc_iface    = &ndr_table_samr;
483
484         /*
485           establish the SAMR connection
486         */
487         status = libnet_RpcConnect(ctx, tmp_ctx, connect_with_info);
488         if (!NT_STATUS_IS_OK(status)) {
489                 if (r->in.binding) {
490                         r->out.error_string = talloc_asprintf(mem_ctx,
491                                                               "Connection to SAMR pipe of DC %s failed: %s",
492                                                               r->in.binding, connect_with_info->out.error_string);
493                 } else {
494                         r->out.error_string = talloc_asprintf(mem_ctx,
495                                                               "Connection to SAMR pipe of PDC for %s failed: %s",
496                                                               r->in.domain_name, connect_with_info->out.error_string);
497                 }
498                 talloc_free(tmp_ctx);
499                 return status;
500         }
501
502         samr_pipe = connect_with_info->out.dcerpc_pipe;
503
504         status = dcerpc_pipe_auth(tmp_ctx, &samr_pipe,
505                                   connect_with_info->out.dcerpc_pipe->binding, 
506                                   &ndr_table_samr, ctx->cred);
507         if (!NT_STATUS_IS_OK(status)) {
508                 r->out.error_string = talloc_asprintf(mem_ctx,
509                                                 "SAMR bind failed: %s",
510                                                 nt_errstr(status));
511                 talloc_free(tmp_ctx);
512                 return status;
513         }
514
515         /* prepare samr_Connect */
516         ZERO_STRUCT(p_handle);
517         sc.in.system_name = NULL;
518         sc.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
519         sc.out.connect_handle = &p_handle;
520
521         /* 2. do a samr_Connect to get a policy handle */
522         status = dcerpc_samr_Connect(samr_pipe, tmp_ctx, &sc);
523         if (!NT_STATUS_IS_OK(status)) {
524                 r->out.error_string = talloc_asprintf(mem_ctx,
525                                                 "samr_Connect failed: %s",
526                                                 nt_errstr(status));
527                 talloc_free(tmp_ctx);
528                 return status;
529         }
530
531         /* If this is a connection on ncacn_ip_tcp to Win2k3 SP1, we don't get back this useful info */
532         if (!connect_with_info->out.domain_name) {
533                 if (r->in.level == LIBNET_JOINDOMAIN_AUTOMATIC) {
534                         connect_with_info->out.domain_name = talloc_strdup(tmp_ctx, r->in.domain_name);
535                 } else {
536                         /* Bugger, we just lost our way to automaticly find the domain name */
537                         connect_with_info->out.domain_name = talloc_strdup(tmp_ctx, lp_workgroup());
538                         connect_with_info->out.realm = talloc_strdup(tmp_ctx, lp_realm());
539                 }
540         }
541
542         /* Perhaps we didn't get a SID above, because we are against ncacn_ip_tcp */
543         if (!connect_with_info->out.domain_sid) {
544                 struct lsa_String name;
545                 struct samr_LookupDomain l;
546                 name.string = connect_with_info->out.domain_name;
547                 l.in.connect_handle = &p_handle;
548                 l.in.domain_name = &name;
549                 
550                 status = dcerpc_samr_LookupDomain(samr_pipe, tmp_ctx, &l);
551                 if (!NT_STATUS_IS_OK(status)) {
552                         r->out.error_string = talloc_asprintf(mem_ctx,
553                                                               "SAMR LookupDomain failed: %s",
554                                                               nt_errstr(status));
555                         talloc_free(tmp_ctx);
556                         return status;
557                 }
558                 connect_with_info->out.domain_sid = l.out.sid;
559         }
560
561         /* prepare samr_OpenDomain */
562         ZERO_STRUCT(d_handle);
563         od.in.connect_handle = &p_handle;
564         od.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
565         od.in.sid = connect_with_info->out.domain_sid;
566         od.out.domain_handle = &d_handle;
567
568         /* do a samr_OpenDomain to get a domain handle */
569         status = dcerpc_samr_OpenDomain(samr_pipe, tmp_ctx, &od);                       
570         if (!NT_STATUS_IS_OK(status)) {
571                 r->out.error_string = talloc_asprintf(mem_ctx,
572                                                       "samr_OpenDomain for [%s] failed: %s",
573                                                       dom_sid_string(tmp_ctx, connect_with_info->out.domain_sid),
574                                                       nt_errstr(status));
575                 talloc_free(tmp_ctx);
576                 return status;
577         }
578         
579         /* prepare samr_CreateUser2 */
580         ZERO_STRUCTP(u_handle);
581         cu.in.domain_handle  = &d_handle;
582         cu.in.access_mask     = SEC_FLAG_MAXIMUM_ALLOWED;
583         samr_account_name.string = r->in.account_name;
584         cu.in.account_name    = &samr_account_name;
585         cu.in.acct_flags      = r->in.acct_type;
586         cu.out.user_handle    = u_handle;
587         cu.out.rid            = &rid;
588         cu.out.access_granted = &access_granted;
589
590         /* do a samr_CreateUser2 to get an account handle, or an error */
591         cu_status = dcerpc_samr_CreateUser2(samr_pipe, tmp_ctx, &cu);                   
592         status = cu_status;
593         if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
594                 /* prepare samr_LookupNames */
595                 ln.in.domain_handle = &d_handle;
596                 ln.in.num_names = 1;
597                 ln.in.names = talloc_array(tmp_ctx, struct lsa_String, 1);
598                 if (!ln.in.names) {
599                         r->out.error_string = NULL;
600                         talloc_free(tmp_ctx);
601                         return NT_STATUS_NO_MEMORY;
602                 }
603                 ln.in.names[0].string = r->in.account_name;
604                 
605                 /* 5. do a samr_LookupNames to get the users rid */
606                 status = dcerpc_samr_LookupNames(samr_pipe, tmp_ctx, &ln);
607                 if (!NT_STATUS_IS_OK(status)) {
608                         r->out.error_string = talloc_asprintf(mem_ctx,
609                                                 "samr_LookupNames for [%s] failed: %s",
610                                                 r->in.account_name,
611                                                 nt_errstr(status));
612                         talloc_free(tmp_ctx);
613                         return status;
614                 }
615                 
616                 /* check if we got one RID for the user */
617                 if (ln.out.rids.count != 1) {
618                         r->out.error_string = talloc_asprintf(mem_ctx,
619                                                               "samr_LookupNames for [%s] returns %d RIDs",
620                                                               r->in.account_name, ln.out.rids.count);
621                         talloc_free(tmp_ctx);
622                         return NT_STATUS_INVALID_PARAMETER;
623                 }
624                 
625                 /* prepare samr_OpenUser */
626                 ZERO_STRUCTP(u_handle);
627                 ou.in.domain_handle = &d_handle;
628                 ou.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
629                 ou.in.rid = ln.out.rids.ids[0];
630                 rid = ou.in.rid;
631                 ou.out.user_handle = u_handle;
632                 
633                 /* 6. do a samr_OpenUser to get a user handle */
634                 status = dcerpc_samr_OpenUser(samr_pipe, tmp_ctx, &ou); 
635                 if (!NT_STATUS_IS_OK(status)) {
636                         r->out.error_string = talloc_asprintf(mem_ctx,
637                                                         "samr_OpenUser for [%s] failed: %s",
638                                                         r->in.account_name,
639                                                         nt_errstr(status));
640                         talloc_free(tmp_ctx);
641                         return status;
642                 }
643
644                 if (r->in.recreate_account) {
645                         struct samr_DeleteUser d;
646                         d.in.user_handle = u_handle;
647                         d.out.user_handle = u_handle;
648                         status = dcerpc_samr_DeleteUser(samr_pipe, mem_ctx, &d);
649                         if (!NT_STATUS_IS_OK(status)) {
650                                 r->out.error_string = talloc_asprintf(mem_ctx,
651                                                                       "samr_DeleteUser (for recreate) of [%s] failed: %s",
652                                                                       r->in.account_name,
653                                                                       nt_errstr(status));
654                                 talloc_free(tmp_ctx);
655                                 return status;
656                         }
657
658                         /* We want to recreate, so delete and another samr_CreateUser2 */
659                         
660                         /* &cu filled in above */
661                         status = dcerpc_samr_CreateUser2(samr_pipe, tmp_ctx, &cu);                      
662                         if (!NT_STATUS_IS_OK(status)) {
663                                 r->out.error_string = talloc_asprintf(mem_ctx,
664                                                                       "samr_CreateUser2 (recreate) for [%s] failed: %s",
665                                                                       r->in.account_name, nt_errstr(status));
666                                 talloc_free(tmp_ctx);
667                                 return status;
668                         }
669                 }
670         } else if (!NT_STATUS_IS_OK(status)) {
671                 r->out.error_string = talloc_asprintf(mem_ctx,
672                                                       "samr_CreateUser2 for [%s] failed: %s",
673                                                       r->in.account_name, nt_errstr(status));
674                 talloc_free(tmp_ctx);
675                 return status;
676         }
677
678         /* prepare samr_QueryUserInfo (get flags) */
679         qui.in.user_handle = u_handle;
680         qui.in.level = 16;
681         
682         status = dcerpc_samr_QueryUserInfo(samr_pipe, tmp_ctx, &qui);
683         if (!NT_STATUS_IS_OK(status)) {
684                 r->out.error_string = talloc_asprintf(mem_ctx,
685                                                 "samr_QueryUserInfo for [%s] failed: %s",
686                                                 r->in.account_name,
687                                                 nt_errstr(status));
688                 talloc_free(tmp_ctx);
689                 return status;
690         }
691         
692         if (!qui.out.info) {
693                 status = NT_STATUS_INVALID_PARAMETER;
694                 r->out.error_string
695                         = talloc_asprintf(mem_ctx,
696                                           "samr_QueryUserInfo failed to return qui.out.info for [%s]: %s",
697                                           r->in.account_name, nt_errstr(status));
698                 talloc_free(tmp_ctx);
699                 return status;
700         }
701
702         old_acct_flags = (qui.out.info->info16.acct_flags & (ACB_WSTRUST | ACB_SVRTRUST | ACB_DOMTRUST));
703         /* Possibly bail if the account is of the wrong type */
704         if (old_acct_flags
705             != r->in.acct_type) {
706                 const char *old_account_type, *new_account_type;
707                 switch (old_acct_flags) {
708                 case ACB_WSTRUST:
709                         old_account_type = "domain member (member)";
710                         break;
711                 case ACB_SVRTRUST:
712                         old_account_type = "domain controller (bdc)";
713                         break;
714                 case ACB_DOMTRUST:
715                         old_account_type = "trusted domain";
716                         break;
717                 default:
718                         return NT_STATUS_INVALID_PARAMETER;
719                 }
720                 switch (r->in.acct_type) {
721                 case ACB_WSTRUST:
722                         new_account_type = "domain member (member)";
723                         break;
724                 case ACB_SVRTRUST:
725                         new_account_type = "domain controller (bdc)";
726                         break;
727                 case ACB_DOMTRUST:
728                         new_account_type = "trusted domain";
729                         break;
730                 default:
731                         return NT_STATUS_INVALID_PARAMETER;
732                 }
733
734                 if (!NT_STATUS_EQUAL(cu_status, NT_STATUS_USER_EXISTS)) {
735                         /* We created a new user, but they didn't come out the right type?!? */
736                         r->out.error_string
737                                 = talloc_asprintf(mem_ctx,
738                                                   "We asked to create a new machine account (%s) of type %s, "
739                                                   "but we got an account of type %s.  This is unexpected.  "
740                                                   "Perhaps delete the account and try again.",
741                                                   r->in.account_name, new_account_type, old_account_type);
742                         talloc_free(tmp_ctx);
743                         return NT_STATUS_INVALID_PARAMETER;
744                 } else {
745                         /* The account is of the wrong type, so bail */
746
747                         /* TODO: We should allow a --force option to override, and redo this from the top setting r.in.recreate_account */
748                         r->out.error_string
749                                 = talloc_asprintf(mem_ctx,
750                                                   "The machine account (%s) already exists in the domain %s, "
751                                                   "but is a %s.  You asked to join as a %s.  Please delete "
752                                                   "the account and try again.",
753                                                   r->in.account_name, connect_with_info->out.domain_name, old_account_type, new_account_type);
754                         talloc_free(tmp_ctx);
755                         return NT_STATUS_USER_EXISTS;
756                 }
757         } else {
758                 acct_flags = qui.out.info->info16.acct_flags;
759         }
760         
761         acct_flags = (acct_flags & ~(ACB_DISABLED|ACB_PWNOTREQ));
762
763         /* Find out what password policy this user has */
764         pwp.in.user_handle = u_handle;
765
766         status = dcerpc_samr_GetUserPwInfo(samr_pipe, tmp_ctx, &pwp);                           
767         if (NT_STATUS_IS_OK(status)) {
768                 policy_min_pw_len = pwp.out.info.min_password_length;
769         }
770         
771         /* Grab a password of that minimum length */
772         
773         password_str = generate_random_str(tmp_ctx, MAX(8, policy_min_pw_len)); 
774
775         /* set full_name and reset flags */
776         ZERO_STRUCT(u_info21);
777         u_info21.full_name.string       = r->in.account_name;
778         u_info21.acct_flags             = acct_flags;
779         u_info21.fields_present         = SAMR_FIELD_FULL_NAME | SAMR_FIELD_ACCT_FLAGS;
780
781         r2.samr_handle.level            = LIBNET_SET_PASSWORD_SAMR_HANDLE;
782         r2.samr_handle.in.account_name  = r->in.account_name;
783         r2.samr_handle.in.newpassword   = password_str;
784         r2.samr_handle.in.user_handle   = u_handle;
785         r2.samr_handle.in.dcerpc_pipe   = samr_pipe;
786         r2.samr_handle.in.info21        = &u_info21;
787
788         status = libnet_SetPassword(ctx, tmp_ctx, &r2); 
789         if (!NT_STATUS_IS_OK(status)) {
790                 r->out.error_string = talloc_steal(mem_ctx, r2.samr_handle.out.error_string);
791                 talloc_free(tmp_ctx);
792                 return status;
793         }
794
795         account_sid = dom_sid_add_rid(mem_ctx, connect_with_info->out.domain_sid, rid);
796         if (!account_sid) {
797                 r->out.error_string = NULL;
798                 talloc_free(tmp_ctx);
799                 return NT_STATUS_NO_MEMORY;
800         }
801
802         /* Finish out by pushing various bits of status data out for the caller to use */
803         r->out.join_password = password_str;
804         talloc_steal(mem_ctx, r->out.join_password);
805
806         r->out.domain_sid = connect_with_info->out.domain_sid;
807         talloc_steal(mem_ctx, r->out.domain_sid);
808
809         r->out.account_sid = account_sid;
810         talloc_steal(mem_ctx, r->out.account_sid);
811
812         r->out.domain_name = connect_with_info->out.domain_name;
813         talloc_steal(mem_ctx, r->out.domain_name);
814         r->out.realm = connect_with_info->out.realm;
815         talloc_steal(mem_ctx, r->out.realm);
816         r->out.samr_pipe = samr_pipe;
817         talloc_steal(mem_ctx, samr_pipe);
818         r->out.samr_binding = samr_pipe->binding;
819         talloc_steal(mem_ctx, r->out.samr_binding);
820         r->out.user_handle = u_handle;
821         talloc_steal(mem_ctx, u_handle);
822         r->out.error_string = r2.samr_handle.out.error_string;
823         talloc_steal(mem_ctx, r2.samr_handle.out.error_string);
824         r->out.kvno = 0;
825         r->out.server_dn_str = NULL;
826         talloc_free(tmp_ctx); 
827
828         /* Now, if it was AD, then we want to start looking changing a
829          * few more things.  Otherwise, we are done. */
830         if (r->out.realm) {
831                 status = libnet_JoinADSDomain(ctx, r);
832                 return status;
833         }
834
835         return status;
836 }
837
838 static NTSTATUS libnet_Join_primary_domain(struct libnet_context *ctx, 
839                                            TALLOC_CTX *mem_ctx, 
840                                            struct libnet_Join *r)
841 {
842         NTSTATUS status;
843         TALLOC_CTX *tmp_mem;
844         struct libnet_JoinDomain *r2;
845         int ret, rtn;
846         struct ldb_context *ldb;
847         struct ldb_dn *base_dn;
848         struct ldb_message **msgs, *msg;
849         const char *sct;
850         const char * const attrs[] = {
851                 "whenChanged",
852                 "secret",
853                 "priorSecret",
854                 "priorChanged",
855                 "krb5Keytab",
856                 "privateKeytab",
857                 NULL
858         };
859         uint32_t acct_type = 0;
860         const char *account_name;
861         const char *netbios_name;
862         
863         r->out.error_string = NULL;
864
865         tmp_mem = talloc_new(mem_ctx);
866         if (!tmp_mem) {
867                 return NT_STATUS_NO_MEMORY;
868         }
869
870         r2 = talloc(tmp_mem, struct libnet_JoinDomain);
871         if (!r2) {
872                 r->out.error_string = NULL;
873                 talloc_free(tmp_mem);
874                 return NT_STATUS_NO_MEMORY;
875         }
876         
877         if (r->in.join_type == SEC_CHAN_BDC) {
878                 acct_type = ACB_SVRTRUST;
879         } else if (r->in.join_type == SEC_CHAN_WKSTA) {
880                 acct_type = ACB_WSTRUST;
881         } else {
882                 r->out.error_string = NULL;
883                 talloc_free(tmp_mem);   
884                 return NT_STATUS_INVALID_PARAMETER;
885         }
886
887         if (r->in.netbios_name != NULL) {
888                 netbios_name = r->in.netbios_name;
889         } else {
890                 netbios_name = talloc_reference(tmp_mem, lp_netbios_name());
891                 if (!netbios_name) {
892                         r->out.error_string = NULL;
893                         talloc_free(tmp_mem);
894                         return NT_STATUS_NO_MEMORY;
895                 }
896         }
897
898         account_name = talloc_asprintf(tmp_mem, "%s$", netbios_name);
899         if (!account_name) {
900                 r->out.error_string = NULL;
901                 talloc_free(tmp_mem);
902                 return NT_STATUS_NO_MEMORY;
903         }
904         
905         /*
906          * Local secrets are stored in secrets.ldb 
907          * open it to make sure we can write the info into it after the join
908          */
909         ldb = secrets_db_connect(tmp_mem);
910         if (!ldb) {
911                 r->out.error_string
912                         = talloc_asprintf(mem_ctx, 
913                                           "Could not open secrets database");
914                 talloc_free(tmp_mem);
915                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
916         }
917
918         /*
919          * join the domain
920          */
921         ZERO_STRUCTP(r2);
922         r2->in.domain_name      = r->in.domain_name;
923         r2->in.account_name     = account_name;
924         r2->in.netbios_name     = netbios_name;
925         r2->in.level            = LIBNET_JOINDOMAIN_AUTOMATIC;
926         r2->in.acct_type        = acct_type;
927         r2->in.recreate_account = False;
928         status = libnet_JoinDomain(ctx, r2, r2);
929         if (!NT_STATUS_IS_OK(status)) {
930                 r->out.error_string = talloc_steal(mem_ctx, r2->out.error_string);
931                 talloc_free(tmp_mem);
932                 return status;
933         }
934         
935         /*
936          * now prepare the record for secrets.ldb
937          */
938         sct = talloc_asprintf(tmp_mem, "%d", r->in.join_type); 
939         if (!sct) {
940                 r->out.error_string = NULL;
941                 talloc_free(tmp_mem);
942                 return NT_STATUS_NO_MEMORY;
943         }
944         
945         msg = ldb_msg_new(tmp_mem);
946         if (!msg) {
947                 r->out.error_string = NULL;
948                 talloc_free(tmp_mem);
949                 return NT_STATUS_NO_MEMORY;
950         }
951
952         base_dn = ldb_dn_new(tmp_mem, ldb, "cn=Primary Domains");
953         if (!base_dn) {
954                 r->out.error_string = NULL;
955                 talloc_free(tmp_mem);
956                 return NT_STATUS_NO_MEMORY;
957         }
958
959         msg->dn = ldb_dn_copy(tmp_mem, base_dn);
960         if ( ! ldb_dn_add_child_fmt(msg->dn, "flatname=%s", r2->out.domain_name)) {
961                 r->out.error_string = NULL;
962                 talloc_free(tmp_mem);
963                 return NT_STATUS_NO_MEMORY;
964         }
965         
966         rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "flatname", r2->out.domain_name);
967         if (rtn == -1) {
968                 r->out.error_string = NULL;
969                 talloc_free(tmp_mem);
970                 return NT_STATUS_NO_MEMORY;
971         }
972
973         if (r2->out.realm) {
974                 rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "realm", r2->out.realm);
975                 if (rtn == -1) {
976                         r->out.error_string = NULL;
977                         talloc_free(tmp_mem);
978                         return NT_STATUS_NO_MEMORY;
979                 }
980
981                 rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "objectClass", "primaryDomain");
982                 if (rtn == -1) {
983                         r->out.error_string = NULL;
984                         talloc_free(tmp_mem);
985                         return NT_STATUS_NO_MEMORY;
986                 }
987         }
988
989         rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "objectClass", "primaryDomain");
990         if (rtn == -1) {
991                 r->out.error_string = NULL;
992                 talloc_free(tmp_mem);
993                 return NT_STATUS_NO_MEMORY;
994         }
995
996         rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "secret", r2->out.join_password);
997         if (rtn == -1) {
998                 r->out.error_string = NULL;
999                 talloc_free(tmp_mem);
1000                 return NT_STATUS_NO_MEMORY;
1001         }
1002
1003         rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "samAccountName", r2->in.account_name);
1004         if (rtn == -1) {
1005                 r->out.error_string = NULL;
1006                 talloc_free(tmp_mem);
1007                 return NT_STATUS_NO_MEMORY;
1008         }
1009
1010         rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "secureChannelType", sct);
1011         if (rtn == -1) {
1012                 r->out.error_string = NULL;
1013                 talloc_free(tmp_mem);
1014                 return NT_STATUS_NO_MEMORY;
1015         }
1016
1017         if (r2->out.kvno) {
1018                 rtn = samdb_msg_add_uint(ldb, tmp_mem, msg, "msDS-KeyVersionNumber",
1019                                          r2->out.kvno);
1020                 if (rtn == -1) {
1021                         r->out.error_string = NULL;
1022                         talloc_free(tmp_mem);
1023                         return NT_STATUS_NO_MEMORY;
1024                 }
1025         }
1026
1027         if (r2->out.domain_sid) {
1028                 rtn = samdb_msg_add_dom_sid(ldb, tmp_mem, msg, "objectSid",
1029                                             r2->out.domain_sid);
1030                 if (rtn == -1) {
1031                         r->out.error_string = NULL;
1032                         talloc_free(tmp_mem);
1033                         return NT_STATUS_NO_MEMORY;
1034                 }
1035         }
1036
1037         /* 
1038          * search for the secret record
1039          * - remove the records we find
1040          * - and fetch the old secret and store it under priorSecret
1041          */
1042         ret = gendb_search(ldb,
1043                            tmp_mem, base_dn,
1044                            &msgs, attrs,
1045                            "(|" SECRETS_PRIMARY_DOMAIN_FILTER "(realm=%s))",
1046                            r2->out.domain_name, r2->out.realm);
1047         if (ret == 0) {
1048                 rtn = samdb_msg_set_string(ldb, tmp_mem, msg, "secretsKeytab", "secrets.keytab");
1049                 if (rtn == -1) {
1050                         r->out.error_string = NULL;
1051                         talloc_free(tmp_mem);
1052                         return NT_STATUS_NO_MEMORY;
1053                 }
1054         } else if (ret == -1) {
1055                 r->out.error_string
1056                         = talloc_asprintf(mem_ctx, 
1057                                           "Search for domain: %s and realm: %s failed: %s", 
1058                                           r2->out.domain_name, r2->out.realm, ldb_errstring(ldb));
1059                 talloc_free(tmp_mem);
1060                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1061         } else {
1062                 const struct ldb_val *private_keytab;
1063                 const struct ldb_val *krb5_keytab;
1064                 const struct ldb_val *prior_secret;
1065                 const struct ldb_val *prior_modified_time;
1066                 int i;
1067
1068                 for (i = 0; i < ret; i++) {
1069                         ldb_delete(ldb, msgs[i]->dn);
1070                 }
1071
1072                 prior_secret = ldb_msg_find_ldb_val(msgs[0], "secret");
1073                 if (prior_secret) {
1074                         rtn = samdb_msg_set_value(ldb, tmp_mem, msg, "priorSecret", prior_secret);
1075                         if (rtn == -1) {
1076                                 r->out.error_string = NULL;
1077                                 talloc_free(tmp_mem);
1078                                 return NT_STATUS_NO_MEMORY;
1079                         }
1080                 }
1081                 rtn = samdb_msg_set_string(ldb, tmp_mem, msg, "secret", r2->out.join_password);
1082                 if (rtn == -1) {
1083                         r->out.error_string = NULL;
1084                         talloc_free(tmp_mem);
1085                         return NT_STATUS_NO_MEMORY;
1086                 }
1087
1088                 prior_modified_time = ldb_msg_find_ldb_val(msgs[0], 
1089                                                            "whenChanged");
1090                 if (prior_modified_time) {
1091                         rtn = samdb_msg_set_value(ldb, tmp_mem, msg, "priorWhenChanged", 
1092                                                   prior_modified_time);
1093                         if (rtn == -1) {
1094                                 r->out.error_string = NULL;
1095                                 talloc_free(tmp_mem);
1096                                 return NT_STATUS_NO_MEMORY;
1097                         }
1098                 }
1099
1100                 rtn = samdb_msg_set_string(ldb, tmp_mem, msg, "samAccountName", r2->in.account_name);
1101                 if (rtn == -1) {
1102                         r->out.error_string = NULL;
1103                         talloc_free(tmp_mem);
1104                         return NT_STATUS_NO_MEMORY;
1105                 }
1106
1107                 rtn = samdb_msg_set_string(ldb, tmp_mem, msg, "secureChannelType", sct);
1108                 if (rtn == -1) {
1109                         r->out.error_string = NULL;
1110                         talloc_free(tmp_mem);
1111                         return NT_STATUS_NO_MEMORY;
1112                 }
1113
1114                 /* We will want to keep the keytab names */
1115                 private_keytab = ldb_msg_find_ldb_val(msgs[0], "privateKeytab");
1116                 if (private_keytab) {
1117                         rtn = samdb_msg_set_value(ldb, tmp_mem, msg, "privateKeytab", private_keytab);
1118                         if (rtn == -1) {
1119                                 r->out.error_string = NULL;
1120                                 talloc_free(tmp_mem);
1121                                 return NT_STATUS_NO_MEMORY;
1122                         }
1123                 }
1124                 krb5_keytab = ldb_msg_find_ldb_val(msgs[0], "krb5Keytab");
1125                 if (krb5_keytab) {
1126                         rtn = samdb_msg_set_value(ldb, tmp_mem, msg, "krb5Keytab", krb5_keytab);
1127                         if (rtn == -1) {
1128                                 r->out.error_string = NULL;
1129                                 talloc_free(tmp_mem);
1130                                 return NT_STATUS_NO_MEMORY;
1131                         }
1132                 }
1133         }
1134
1135         /* create the secret */
1136         ret = samdb_add(ldb, tmp_mem, msg);
1137         if (ret != 0) {
1138                 r->out.error_string = talloc_asprintf(mem_ctx, "Failed to create secret record %s", 
1139                                                       ldb_dn_get_linearized(msg->dn));
1140                 talloc_free(tmp_mem);
1141                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1142         }
1143
1144         /* move all out parameter to the callers TALLOC_CTX */
1145         r->out.error_string     = NULL;
1146         r->out.join_password    = r2->out.join_password;
1147         talloc_steal(mem_ctx, r2->out.join_password);
1148         r->out.domain_sid       = r2->out.domain_sid;
1149         talloc_steal(mem_ctx, r2->out.domain_sid);
1150         r->out.domain_name      = r2->out.domain_name;
1151         talloc_steal(mem_ctx, r2->out.domain_name);
1152         talloc_free(tmp_mem);
1153         return NT_STATUS_OK;
1154 }
1155
1156 NTSTATUS libnet_Join(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_Join *r)
1157 {
1158         switch (r->in.join_type) {
1159                 case SEC_CHAN_WKSTA:
1160                         return libnet_Join_primary_domain(ctx, mem_ctx, r);
1161                 case SEC_CHAN_BDC:
1162                         return libnet_Join_primary_domain(ctx, mem_ctx, r);
1163                 case SEC_CHAN_DOMAIN:
1164                         break;
1165         }
1166
1167         r->out.error_string = talloc_asprintf(mem_ctx,
1168                                               "Invalid join type specified (%08X) attempting to join domain %s",
1169                                               r->in.join_type, r->in.domain_name);
1170         return NT_STATUS_INVALID_PARAMETER;
1171 }