8297172a5859be199548df898619b992707e1f56
[ira/wip.git] / source / libnet / libnet_join.c
1 /* 
2    Unix SMB/CIFS implementation.
3    
4    Copyright (C) Stefan Metzmacher      2004
5    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
6    Copyright (C) Brad Henry 2005
7  
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12    
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17    
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "libnet/libnet.h"
24 #include "librpc/gen_ndr/ndr_drsuapi_c.h"
25 #include "lib/ldb/include/ldb.h"
26 #include "lib/ldb/include/ldb_errors.h"
27 #include "param/secrets.h"
28 #include "dsdb/samdb/samdb.h"
29 #include "ldb_wrap.h"
30 #include "util/util_ldb.h"
31 #include "libcli/security/security.h"
32 #include "auth/credentials/credentials.h"
33 #include "auth/credentials/credentials_krb5.h"
34 #include "librpc/gen_ndr/ndr_samr_c.h"
35 #include "param/param.h"
36
37 /*
38  * complete a domain join, when joining to a AD domain:
39  * 1.) connect and bind to the DRSUAPI pipe
40  * 2.) do a DsCrackNames() to find the machine account dn
41  * 3.) connect to LDAP
42  * 4.) do an ldap search to find the "msDS-KeyVersionNumber" of the machine account
43  * 5.) set the servicePrincipalName's of the machine account via LDAP, (maybe we should use DsWriteAccountSpn()...)
44  * 6.) do a DsCrackNames() to find the domain dn
45  * 7.) find out Site specific stuff, look at libnet_JoinSite() for details
46  */
47 static NTSTATUS libnet_JoinADSDomain(struct libnet_context *ctx, struct libnet_JoinDomain *r)
48 {
49         NTSTATUS status;
50
51         TALLOC_CTX *tmp_ctx;
52
53         const char *realm = r->out.realm;
54
55         struct dcerpc_binding *samr_binding = r->out.samr_binding;
56
57         struct dcerpc_pipe *drsuapi_pipe;
58         struct dcerpc_binding *drsuapi_binding;
59         struct drsuapi_DsBind r_drsuapi_bind;
60         struct drsuapi_DsCrackNames r_crack_names;
61         struct drsuapi_DsNameString names[1];
62         struct policy_handle drsuapi_bind_handle;
63         struct GUID drsuapi_bind_guid;
64
65         struct ldb_context *remote_ldb;
66         struct ldb_dn *account_dn;
67         const char *account_dn_str;
68         const char *remote_ldb_url;
69         struct ldb_result *res;
70         struct ldb_message *msg;
71
72         int ret, rtn;
73
74         const char * const attrs[] = {
75                 "msDS-KeyVersionNumber",
76                 "servicePrincipalName",
77                 "dNSHostName",
78                 "objectGUID",
79                 NULL,
80         };
81
82         r->out.error_string = NULL;
83         
84         /* We need to convert between a samAccountName and domain to a
85          * DN in the directory.  The correct way to do this is with
86          * DRSUAPI CrackNames */
87
88         /* Fiddle with the bindings, so get to DRSUAPI on
89          * NCACN_IP_TCP, sealed */
90         tmp_ctx = talloc_named(r, 0, "libnet_JoinADSDomain temp context");  
91         if (!tmp_ctx) {
92                 r->out.error_string = NULL;
93                 return NT_STATUS_NO_MEMORY;
94         }
95                                                    
96         drsuapi_binding = talloc(tmp_ctx, struct dcerpc_binding);
97         if (!drsuapi_binding) {
98                 r->out.error_string = NULL;
99                 talloc_free(tmp_ctx);
100                 return NT_STATUS_NO_MEMORY;
101         }
102         
103         *drsuapi_binding = *samr_binding;
104
105         /* DRSUAPI is only available on IP_TCP, and locally on NCALRPC */
106         if (drsuapi_binding->transport != NCALRPC) {
107                 drsuapi_binding->transport = NCACN_IP_TCP;
108         }
109         drsuapi_binding->endpoint = NULL;
110         drsuapi_binding->flags |= DCERPC_SEAL;
111
112         status = dcerpc_pipe_connect_b(tmp_ctx, 
113                                        &drsuapi_pipe,
114                                        drsuapi_binding,
115                                        &ndr_table_drsuapi,
116                                        ctx->cred, 
117                                        ctx->event_ctx,
118                                        ctx->lp_ctx);
119         if (!NT_STATUS_IS_OK(status)) {
120                 r->out.error_string = talloc_asprintf(r,
121                                         "Connection to DRSUAPI pipe of PDC of domain '%s' failed: %s",
122                                         r->out.domain_name,
123                                         nt_errstr(status));
124                 talloc_free(tmp_ctx);
125                 return status;
126         }
127
128         /* get a DRSUAPI pipe handle */
129         GUID_from_string(DRSUAPI_DS_BIND_GUID, &drsuapi_bind_guid);
130
131         r_drsuapi_bind.in.bind_guid = &drsuapi_bind_guid;
132         r_drsuapi_bind.in.bind_info = NULL;
133         r_drsuapi_bind.out.bind_handle = &drsuapi_bind_handle;
134
135         status = dcerpc_drsuapi_DsBind(drsuapi_pipe, tmp_ctx, &r_drsuapi_bind);
136         if (!NT_STATUS_IS_OK(status)) {
137                 if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
138                         r->out.error_string
139                                 = talloc_asprintf(r,
140                                                   "dcerpc_drsuapi_DsBind failed - %s", 
141                                                   dcerpc_errstr(tmp_ctx, drsuapi_pipe->last_fault_code));
142                         talloc_free(tmp_ctx);
143                         return status;
144                 } else {
145                         r->out.error_string
146                                 = talloc_asprintf(r,
147                                                   "dcerpc_drsuapi_DsBind failed - %s", 
148                                                   nt_errstr(status));
149                         talloc_free(tmp_ctx);
150                         return status;
151                 }
152         } else if (!W_ERROR_IS_OK(r_drsuapi_bind.out.result)) {
153                 r->out.error_string
154                                 = talloc_asprintf(r,
155                                                   "DsBind failed - %s", 
156                                                   win_errstr(r_drsuapi_bind.out.result));
157                         talloc_free(tmp_ctx);
158                 return NT_STATUS_UNSUCCESSFUL;
159         }
160
161         /* Actually 'crack' the names */
162         ZERO_STRUCT(r_crack_names);
163         r_crack_names.in.bind_handle            = &drsuapi_bind_handle;
164         r_crack_names.in.level                  = 1;
165         r_crack_names.in.req.req1.codepage      = 1252; /* western european */
166         r_crack_names.in.req.req1.language      = 0x00000407; /* german */
167         r_crack_names.in.req.req1.count         = 1;
168         r_crack_names.in.req.req1.names         = names;
169         r_crack_names.in.req.req1.format_flags  = DRSUAPI_DS_NAME_FLAG_NO_FLAGS;
170         r_crack_names.in.req.req1.format_offered= DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY;
171         r_crack_names.in.req.req1.format_desired= DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
172         names[0].str = dom_sid_string(tmp_ctx, r->out.account_sid);
173         if (!names[0].str) {
174                 r->out.error_string = NULL;
175                 talloc_free(tmp_ctx);
176                 return NT_STATUS_NO_MEMORY;
177         }
178
179         status = dcerpc_drsuapi_DsCrackNames(drsuapi_pipe, tmp_ctx, &r_crack_names);
180         if (!NT_STATUS_IS_OK(status)) {
181                 if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
182                         r->out.error_string
183                                 = talloc_asprintf(r,
184                                                   "dcerpc_drsuapi_DsCrackNames for [%s] failed - %s", 
185                                                   names[0].str,
186                                                   dcerpc_errstr(tmp_ctx, drsuapi_pipe->last_fault_code));
187                         talloc_free(tmp_ctx);
188                         return status;
189                 } else {
190                         r->out.error_string
191                                 = talloc_asprintf(r,
192                                                   "dcerpc_drsuapi_DsCrackNames for [%s] failed - %s", 
193                                                   names[0].str,
194                                                   nt_errstr(status));
195                         talloc_free(tmp_ctx);
196                         return status;
197                 }
198         } else if (!W_ERROR_IS_OK(r_crack_names.out.result)) {
199                 r->out.error_string
200                                 = talloc_asprintf(r,
201                                                   "DsCrackNames failed - %s", win_errstr(r_crack_names.out.result));
202                 talloc_free(tmp_ctx);
203                 return NT_STATUS_UNSUCCESSFUL;
204         } else if (r_crack_names.out.level != 1 
205                    || !r_crack_names.out.ctr.ctr1 
206                    || r_crack_names.out.ctr.ctr1->count != 1) {
207                 r->out.error_string = talloc_asprintf(r, "DsCrackNames failed");
208                 talloc_free(tmp_ctx);
209                 return NT_STATUS_INVALID_PARAMETER;
210         } else if (r_crack_names.out.ctr.ctr1->array[0].status != DRSUAPI_DS_NAME_STATUS_OK) {
211                 r->out.error_string = talloc_asprintf(r, "DsCrackNames failed: %d", r_crack_names.out.ctr.ctr1->array[0].status);
212                 talloc_free(tmp_ctx);
213                 return NT_STATUS_UNSUCCESSFUL;
214         } else if (r_crack_names.out.ctr.ctr1->array[0].result_name == NULL) {
215                 r->out.error_string = talloc_asprintf(r, "DsCrackNames failed: no result name");
216                 talloc_free(tmp_ctx);
217                 return NT_STATUS_INVALID_PARAMETER;
218         }
219
220         /* Store the DN of our machine account. */
221         account_dn_str = r_crack_names.out.ctr.ctr1->array[0].result_name;
222
223         /* Now we know the user's DN, open with LDAP, read and modify a few things */
224
225         remote_ldb_url = talloc_asprintf(tmp_ctx, "ldap://%s", 
226                                          drsuapi_binding->target_hostname);
227         if (!remote_ldb_url) {
228                 r->out.error_string = NULL;
229                 talloc_free(tmp_ctx);
230                 return NT_STATUS_NO_MEMORY;
231         }
232
233         remote_ldb = ldb_wrap_connect(tmp_ctx, ctx->lp_ctx, 
234                                       remote_ldb_url, 
235                                       NULL, ctx->cred, 0, NULL);
236         if (!remote_ldb) {
237                 r->out.error_string = NULL;
238                 talloc_free(tmp_ctx);
239                 return NT_STATUS_UNSUCCESSFUL;
240         }
241
242         account_dn = ldb_dn_new(tmp_ctx, remote_ldb, account_dn_str);
243         if (! ldb_dn_validate(account_dn)) {
244                 r->out.error_string = talloc_asprintf(r, "Invalid account dn: %s",
245                                                       account_dn_str);
246                 talloc_free(tmp_ctx);
247                 return NT_STATUS_UNSUCCESSFUL;
248         }
249
250         /* search for the user's record */
251         ret = ldb_search(remote_ldb, account_dn, LDB_SCOPE_BASE, 
252                          NULL, attrs, &res);
253         if (ret != LDB_SUCCESS) {
254                 r->out.error_string = talloc_asprintf(r, "ldb_search for %s failed - %s",
255                                                       account_dn_str, ldb_errstring(remote_ldb));
256                 talloc_free(tmp_ctx);
257                 return NT_STATUS_UNSUCCESSFUL;
258         }
259
260         talloc_steal(tmp_ctx, res);
261
262         if (res->count != 1) {
263                 r->out.error_string = talloc_asprintf(r, "ldb_search for %s failed - found %d entries",
264                                                       account_dn_str, res->count);
265                 talloc_free(tmp_ctx);
266                 return NT_STATUS_UNSUCCESSFUL;
267         }
268
269         /* Prepare a new message, for the modify */
270         msg = ldb_msg_new(tmp_ctx);
271         if (!msg) {
272                 r->out.error_string = NULL;
273                 talloc_free(tmp_ctx);
274                 return NT_STATUS_NO_MEMORY;
275         }
276         msg->dn = res->msgs[0]->dn;
277
278         {
279                 int i;
280                 const char *service_principal_name[6];
281                 const char *dns_host_name = strlower_talloc(tmp_ctx, 
282                                                             talloc_asprintf(tmp_ctx, 
283                                                                             "%s.%s", 
284                                                                             r->in.netbios_name, 
285                                                                             realm));
286
287                 if (!dns_host_name) {
288                         r->out.error_string = NULL;
289                         talloc_free(tmp_ctx);
290                         return NT_STATUS_NO_MEMORY;
291                 }
292
293                 service_principal_name[0] = talloc_asprintf(tmp_ctx, "host/%s", dns_host_name);
294                 service_principal_name[1] = talloc_asprintf(tmp_ctx, "host/%s", strlower_talloc(tmp_ctx, r->in.netbios_name));
295                 service_principal_name[2] = talloc_asprintf(tmp_ctx, "host/%s/%s", dns_host_name, realm);
296                 service_principal_name[3] = talloc_asprintf(tmp_ctx, "host/%s/%s", strlower_talloc(tmp_ctx, r->in.netbios_name), realm);
297                 service_principal_name[4] = talloc_asprintf(tmp_ctx, "host/%s/%s", dns_host_name, r->out.domain_name);
298                 service_principal_name[5] = talloc_asprintf(tmp_ctx, "host/%s/%s", strlower_talloc(tmp_ctx, r->in.netbios_name), r->out.domain_name);
299                 
300                 for (i=0; i < ARRAY_SIZE(service_principal_name); i++) {
301                         if (!service_principal_name[i]) {
302                                 r->out.error_string = NULL;
303                                 talloc_free(tmp_ctx);
304                                 return NT_STATUS_NO_MEMORY;
305                         }
306                         rtn = samdb_msg_add_string(remote_ldb, tmp_ctx, msg, "servicePrincipalName", service_principal_name[i]);
307                         if (rtn == -1) {
308                                 r->out.error_string = NULL;
309                                 talloc_free(tmp_ctx);
310                                 return NT_STATUS_NO_MEMORY;
311                         }
312                 }
313
314                 rtn = samdb_msg_add_string(remote_ldb, tmp_ctx, msg, "dNSHostName", dns_host_name);
315                 if (rtn == -1) {
316                         r->out.error_string = NULL;
317                         talloc_free(tmp_ctx);
318                         return NT_STATUS_NO_MEMORY;
319                 }
320
321                 rtn = samdb_replace(remote_ldb, tmp_ctx, msg);
322                 if (rtn != 0) {
323                         r->out.error_string
324                                 = talloc_asprintf(r, 
325                                                   "Failed to replace entries on %s", 
326                                                   ldb_dn_get_linearized(msg->dn));
327                         talloc_free(tmp_ctx);
328                         return NT_STATUS_INTERNAL_DB_CORRUPTION;
329                 }
330         }
331                                 
332         /* DsCrackNames to find out the DN of the domain. */
333         r_crack_names.in.req.req1.format_offered = DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT;
334         r_crack_names.in.req.req1.format_desired = DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
335         names[0].str = talloc_asprintf(tmp_ctx, "%s\\", r->out.domain_name);
336         if (!names[0].str) {
337                 r->out.error_string = NULL;
338                 talloc_free(tmp_ctx);
339                 return NT_STATUS_NO_MEMORY;
340         }
341
342         status = dcerpc_drsuapi_DsCrackNames(drsuapi_pipe, tmp_ctx, &r_crack_names);
343         if (!NT_STATUS_IS_OK(status)) {
344                 if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
345                         r->out.error_string
346                                 = talloc_asprintf(r,
347                                                   "dcerpc_drsuapi_DsCrackNames for [%s] failed - %s", 
348                                                   r->in.domain_name, 
349                                                   dcerpc_errstr(tmp_ctx, drsuapi_pipe->last_fault_code));
350                         talloc_free(tmp_ctx);
351                         return status;
352                 } else {
353                         r->out.error_string
354                                 = talloc_asprintf(r,
355                                                   "dcerpc_drsuapi_DsCrackNames for [%s] failed - %s", 
356                                                   r->in.domain_name, 
357                                                   nt_errstr(status));
358                         talloc_free(tmp_ctx);
359                         return status;
360                 }
361         } else if (!W_ERROR_IS_OK(r_crack_names.out.result)) {
362                 r->out.error_string
363                         = talloc_asprintf(r,
364                                           "DsCrackNames failed - %s", win_errstr(r_crack_names.out.result));
365                 talloc_free(tmp_ctx);
366                 return NT_STATUS_UNSUCCESSFUL;
367         } else if (r_crack_names.out.level != 1 
368                    || !r_crack_names.out.ctr.ctr1 
369                    || r_crack_names.out.ctr.ctr1->count != 1
370                    || !r_crack_names.out.ctr.ctr1->array[0].result_name           
371                    || r_crack_names.out.ctr.ctr1->array[0].status != DRSUAPI_DS_NAME_STATUS_OK) {
372                 r->out.error_string = talloc_asprintf(r, "DsCrackNames failed");
373                 talloc_free(tmp_ctx);
374                 return NT_STATUS_UNSUCCESSFUL;
375         }
376
377         /* Store the account DN. */
378         r->out.account_dn_str = account_dn_str;
379         talloc_steal(r, account_dn_str);
380
381         /* Store the domain DN. */
382         r->out.domain_dn_str = r_crack_names.out.ctr.ctr1->array[0].result_name;
383         talloc_steal(r, r_crack_names.out.ctr.ctr1->array[0].result_name);
384
385         /* Store the KVNO of the account, critical for some kerberos
386          * operations */
387         r->out.kvno = ldb_msg_find_attr_as_uint(res->msgs[0], "msDS-KeyVersionNumber", 0);
388
389         /* Store the account GUID. */
390         r->out.account_guid = samdb_result_guid(res->msgs[0], "objectGUID");
391
392         if (r->in.acct_type == ACB_SVRTRUST) {
393                 status = libnet_JoinSite(ctx, remote_ldb, r);
394         }
395         talloc_free(tmp_ctx);
396
397         return status;
398 }
399
400 /*
401  * do a domain join using DCERPC/SAMR calls
402  * - connect to the LSA pipe, to try and find out information about the domain
403  * - create a secondary connection to SAMR pipe
404  * - do a samr_Connect to get a policy handle
405  * - do a samr_LookupDomain to get the domain sid
406  * - do a samr_OpenDomain to get a domain handle
407  * - do a samr_CreateAccount to try and get a new account 
408  * 
409  * If that fails, do:
410  * - do a samr_LookupNames to get the users rid
411  * - do a samr_OpenUser to get a user handle
412  * - potentially delete and recreate the user
413  * - assert the account is of the right type with samrQueryUserInfo
414  * 
415  * - call libnet_SetPassword_samr_handle to set the password,
416  *   and pass a samr_UserInfo21 struct to set full_name and the account flags
417  *
418  * - do some ADS specific things when we join as Domain Controller,
419  *    look at libnet_joinADSDomain() for the details
420  */
421 NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_JoinDomain *r)
422 {
423         TALLOC_CTX *tmp_ctx;
424
425         NTSTATUS status, cu_status;
426
427         struct libnet_RpcConnect *connect_with_info;
428         struct dcerpc_pipe *samr_pipe;
429
430         struct samr_Connect sc;
431         struct policy_handle p_handle;
432         struct samr_OpenDomain od;
433         struct policy_handle d_handle;
434         struct samr_LookupNames ln;
435         struct samr_OpenUser ou;
436         struct samr_CreateUser2 cu;
437         struct policy_handle *u_handle = NULL;
438         struct samr_QueryUserInfo qui;
439         struct samr_UserInfo21 u_info21;
440         union libnet_SetPassword r2;
441         struct samr_GetUserPwInfo pwp;
442         struct lsa_String samr_account_name;
443         
444         uint32_t acct_flags, old_acct_flags;
445         uint32_t rid, access_granted;
446         int policy_min_pw_len = 0;
447
448         struct dom_sid *account_sid = NULL;
449         const char *password_str = NULL;
450         
451         r->out.error_string = NULL;
452         r2.samr_handle.out.error_string = NULL;
453         
454         tmp_ctx = talloc_named(mem_ctx, 0, "libnet_Join temp context");
455         if (!tmp_ctx) {
456                 r->out.error_string = NULL;
457                 return NT_STATUS_NO_MEMORY;
458         }
459         
460         u_handle = talloc(tmp_ctx, struct policy_handle);
461         if (!u_handle) {
462                 r->out.error_string = NULL;
463                 talloc_free(tmp_ctx);
464                 return NT_STATUS_NO_MEMORY;
465         }
466         
467         connect_with_info = talloc(tmp_ctx, struct libnet_RpcConnect);
468         if (!connect_with_info) {
469                 r->out.error_string = NULL;
470                 talloc_free(tmp_ctx);
471                 return NT_STATUS_NO_MEMORY;
472         }
473
474         /* prepare connect to the SAMR pipe of PDC */
475         if (r->in.level == LIBNET_JOINDOMAIN_AUTOMATIC) {
476                 connect_with_info->in.binding = NULL;
477                 connect_with_info->in.name    = r->in.domain_name;
478         } else {
479                 connect_with_info->in.binding = r->in.binding;
480                 connect_with_info->in.name    = NULL;
481         }
482
483         /* This level makes a connection to the LSA pipe on the way,
484          * to get some useful bits of information about the domain */
485         connect_with_info->level              = LIBNET_RPC_CONNECT_DC_INFO;
486         connect_with_info->in.dcerpc_iface    = &ndr_table_samr;
487
488         /*
489           establish the SAMR connection
490         */
491         status = libnet_RpcConnect(ctx, tmp_ctx, connect_with_info);
492         if (!NT_STATUS_IS_OK(status)) {
493                 if (r->in.binding) {
494                         r->out.error_string = talloc_asprintf(mem_ctx,
495                                                               "Connection to SAMR pipe of DC %s failed: %s",
496                                                               r->in.binding, connect_with_info->out.error_string);
497                 } else {
498                         r->out.error_string = talloc_asprintf(mem_ctx,
499                                                               "Connection to SAMR pipe of PDC for %s failed: %s",
500                                                               r->in.domain_name, connect_with_info->out.error_string);
501                 }
502                 talloc_free(tmp_ctx);
503                 return status;
504         }
505
506         samr_pipe = connect_with_info->out.dcerpc_pipe;
507
508         status = dcerpc_pipe_auth(tmp_ctx, &samr_pipe,
509                                   connect_with_info->out.dcerpc_pipe->binding, 
510                                   &ndr_table_samr, ctx->cred, ctx->lp_ctx);
511         if (!NT_STATUS_IS_OK(status)) {
512                 r->out.error_string = talloc_asprintf(mem_ctx,
513                                                 "SAMR bind failed: %s",
514                                                 nt_errstr(status));
515                 talloc_free(tmp_ctx);
516                 return status;
517         }
518
519         /* prepare samr_Connect */
520         ZERO_STRUCT(p_handle);
521         sc.in.system_name = NULL;
522         sc.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
523         sc.out.connect_handle = &p_handle;
524
525         /* 2. do a samr_Connect to get a policy handle */
526         status = dcerpc_samr_Connect(samr_pipe, tmp_ctx, &sc);
527         if (!NT_STATUS_IS_OK(status)) {
528                 r->out.error_string = talloc_asprintf(mem_ctx,
529                                                 "samr_Connect failed: %s",
530                                                 nt_errstr(status));
531                 talloc_free(tmp_ctx);
532                 return status;
533         }
534
535         /* If this is a connection on ncacn_ip_tcp to Win2k3 SP1, we don't get back this useful info */
536         if (!connect_with_info->out.domain_name) {
537                 if (r->in.level == LIBNET_JOINDOMAIN_AUTOMATIC) {
538                         connect_with_info->out.domain_name = talloc_strdup(tmp_ctx, r->in.domain_name);
539                 } else {
540                         /* Bugger, we just lost our way to automaticly find the domain name */
541                         connect_with_info->out.domain_name = talloc_strdup(tmp_ctx, lp_workgroup(ctx->lp_ctx));
542                         connect_with_info->out.realm = talloc_strdup(tmp_ctx, lp_realm(ctx->lp_ctx));
543                 }
544         }
545
546         /* Perhaps we didn't get a SID above, because we are against ncacn_ip_tcp */
547         if (!connect_with_info->out.domain_sid) {
548                 struct lsa_String name;
549                 struct samr_LookupDomain l;
550                 name.string = connect_with_info->out.domain_name;
551                 l.in.connect_handle = &p_handle;
552                 l.in.domain_name = &name;
553                 
554                 status = dcerpc_samr_LookupDomain(samr_pipe, tmp_ctx, &l);
555                 if (!NT_STATUS_IS_OK(status)) {
556                         r->out.error_string = talloc_asprintf(mem_ctx,
557                                                               "SAMR LookupDomain failed: %s",
558                                                               nt_errstr(status));
559                         talloc_free(tmp_ctx);
560                         return status;
561                 }
562                 connect_with_info->out.domain_sid = l.out.sid;
563         }
564
565         /* prepare samr_OpenDomain */
566         ZERO_STRUCT(d_handle);
567         od.in.connect_handle = &p_handle;
568         od.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
569         od.in.sid = connect_with_info->out.domain_sid;
570         od.out.domain_handle = &d_handle;
571
572         /* do a samr_OpenDomain to get a domain handle */
573         status = dcerpc_samr_OpenDomain(samr_pipe, tmp_ctx, &od);                       
574         if (!NT_STATUS_IS_OK(status)) {
575                 r->out.error_string = talloc_asprintf(mem_ctx,
576                                                       "samr_OpenDomain for [%s] failed: %s",
577                                                       dom_sid_string(tmp_ctx, connect_with_info->out.domain_sid),
578                                                       nt_errstr(status));
579                 talloc_free(tmp_ctx);
580                 return status;
581         }
582         
583         /* prepare samr_CreateUser2 */
584         ZERO_STRUCTP(u_handle);
585         cu.in.domain_handle  = &d_handle;
586         cu.in.access_mask     = SEC_FLAG_MAXIMUM_ALLOWED;
587         samr_account_name.string = r->in.account_name;
588         cu.in.account_name    = &samr_account_name;
589         cu.in.acct_flags      = r->in.acct_type;
590         cu.out.user_handle    = u_handle;
591         cu.out.rid            = &rid;
592         cu.out.access_granted = &access_granted;
593
594         /* do a samr_CreateUser2 to get an account handle, or an error */
595         cu_status = dcerpc_samr_CreateUser2(samr_pipe, tmp_ctx, &cu);                   
596         status = cu_status;
597         if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
598                 /* prepare samr_LookupNames */
599                 ln.in.domain_handle = &d_handle;
600                 ln.in.num_names = 1;
601                 ln.in.names = talloc_array(tmp_ctx, struct lsa_String, 1);
602                 if (!ln.in.names) {
603                         r->out.error_string = NULL;
604                         talloc_free(tmp_ctx);
605                         return NT_STATUS_NO_MEMORY;
606                 }
607                 ln.in.names[0].string = r->in.account_name;
608                 
609                 /* 5. do a samr_LookupNames to get the users rid */
610                 status = dcerpc_samr_LookupNames(samr_pipe, tmp_ctx, &ln);
611                 if (!NT_STATUS_IS_OK(status)) {
612                         r->out.error_string = talloc_asprintf(mem_ctx,
613                                                 "samr_LookupNames for [%s] failed: %s",
614                                                 r->in.account_name,
615                                                 nt_errstr(status));
616                         talloc_free(tmp_ctx);
617                         return status;
618                 }
619                 
620                 /* check if we got one RID for the user */
621                 if (ln.out.rids.count != 1) {
622                         r->out.error_string = talloc_asprintf(mem_ctx,
623                                                               "samr_LookupNames for [%s] returns %d RIDs",
624                                                               r->in.account_name, ln.out.rids.count);
625                         talloc_free(tmp_ctx);
626                         return NT_STATUS_INVALID_PARAMETER;
627                 }
628                 
629                 /* prepare samr_OpenUser */
630                 ZERO_STRUCTP(u_handle);
631                 ou.in.domain_handle = &d_handle;
632                 ou.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
633                 ou.in.rid = ln.out.rids.ids[0];
634                 rid = ou.in.rid;
635                 ou.out.user_handle = u_handle;
636                 
637                 /* 6. do a samr_OpenUser to get a user handle */
638                 status = dcerpc_samr_OpenUser(samr_pipe, tmp_ctx, &ou); 
639                 if (!NT_STATUS_IS_OK(status)) {
640                         r->out.error_string = talloc_asprintf(mem_ctx,
641                                                         "samr_OpenUser for [%s] failed: %s",
642                                                         r->in.account_name,
643                                                         nt_errstr(status));
644                         talloc_free(tmp_ctx);
645                         return status;
646                 }
647
648                 if (r->in.recreate_account) {
649                         struct samr_DeleteUser d;
650                         d.in.user_handle = u_handle;
651                         d.out.user_handle = u_handle;
652                         status = dcerpc_samr_DeleteUser(samr_pipe, mem_ctx, &d);
653                         if (!NT_STATUS_IS_OK(status)) {
654                                 r->out.error_string = talloc_asprintf(mem_ctx,
655                                                                       "samr_DeleteUser (for recreate) of [%s] failed: %s",
656                                                                       r->in.account_name,
657                                                                       nt_errstr(status));
658                                 talloc_free(tmp_ctx);
659                                 return status;
660                         }
661
662                         /* We want to recreate, so delete and another samr_CreateUser2 */
663                         
664                         /* &cu filled in above */
665                         status = dcerpc_samr_CreateUser2(samr_pipe, tmp_ctx, &cu);                      
666                         if (!NT_STATUS_IS_OK(status)) {
667                                 r->out.error_string = talloc_asprintf(mem_ctx,
668                                                                       "samr_CreateUser2 (recreate) for [%s] failed: %s",
669                                                                       r->in.account_name, nt_errstr(status));
670                                 talloc_free(tmp_ctx);
671                                 return status;
672                         }
673                 }
674         } else if (!NT_STATUS_IS_OK(status)) {
675                 r->out.error_string = talloc_asprintf(mem_ctx,
676                                                       "samr_CreateUser2 for [%s] failed: %s",
677                                                       r->in.account_name, nt_errstr(status));
678                 talloc_free(tmp_ctx);
679                 return status;
680         }
681
682         /* prepare samr_QueryUserInfo (get flags) */
683         qui.in.user_handle = u_handle;
684         qui.in.level = 16;
685         
686         status = dcerpc_samr_QueryUserInfo(samr_pipe, tmp_ctx, &qui);
687         if (!NT_STATUS_IS_OK(status)) {
688                 r->out.error_string = talloc_asprintf(mem_ctx,
689                                                 "samr_QueryUserInfo for [%s] failed: %s",
690                                                 r->in.account_name,
691                                                 nt_errstr(status));
692                 talloc_free(tmp_ctx);
693                 return status;
694         }
695         
696         if (!qui.out.info) {
697                 status = NT_STATUS_INVALID_PARAMETER;
698                 r->out.error_string
699                         = talloc_asprintf(mem_ctx,
700                                           "samr_QueryUserInfo failed to return qui.out.info for [%s]: %s",
701                                           r->in.account_name, nt_errstr(status));
702                 talloc_free(tmp_ctx);
703                 return status;
704         }
705
706         old_acct_flags = (qui.out.info->info16.acct_flags & (ACB_WSTRUST | ACB_SVRTRUST | ACB_DOMTRUST));
707         /* Possibly bail if the account is of the wrong type */
708         if (old_acct_flags
709             != r->in.acct_type) {
710                 const char *old_account_type, *new_account_type;
711                 switch (old_acct_flags) {
712                 case ACB_WSTRUST:
713                         old_account_type = "domain member (member)";
714                         break;
715                 case ACB_SVRTRUST:
716                         old_account_type = "domain controller (bdc)";
717                         break;
718                 case ACB_DOMTRUST:
719                         old_account_type = "trusted domain";
720                         break;
721                 default:
722                         return NT_STATUS_INVALID_PARAMETER;
723                 }
724                 switch (r->in.acct_type) {
725                 case ACB_WSTRUST:
726                         new_account_type = "domain member (member)";
727                         break;
728                 case ACB_SVRTRUST:
729                         new_account_type = "domain controller (bdc)";
730                         break;
731                 case ACB_DOMTRUST:
732                         new_account_type = "trusted domain";
733                         break;
734                 default:
735                         return NT_STATUS_INVALID_PARAMETER;
736                 }
737
738                 if (!NT_STATUS_EQUAL(cu_status, NT_STATUS_USER_EXISTS)) {
739                         /* We created a new user, but they didn't come out the right type?!? */
740                         r->out.error_string
741                                 = talloc_asprintf(mem_ctx,
742                                                   "We asked to create a new machine account (%s) of type %s, "
743                                                   "but we got an account of type %s.  This is unexpected.  "
744                                                   "Perhaps delete the account and try again.",
745                                                   r->in.account_name, new_account_type, old_account_type);
746                         talloc_free(tmp_ctx);
747                         return NT_STATUS_INVALID_PARAMETER;
748                 } else {
749                         /* The account is of the wrong type, so bail */
750
751                         /* TODO: We should allow a --force option to override, and redo this from the top setting r.in.recreate_account */
752                         r->out.error_string
753                                 = talloc_asprintf(mem_ctx,
754                                                   "The machine account (%s) already exists in the domain %s, "
755                                                   "but is a %s.  You asked to join as a %s.  Please delete "
756                                                   "the account and try again.",
757                                                   r->in.account_name, connect_with_info->out.domain_name, old_account_type, new_account_type);
758                         talloc_free(tmp_ctx);
759                         return NT_STATUS_USER_EXISTS;
760                 }
761         } else {
762                 acct_flags = qui.out.info->info16.acct_flags;
763         }
764         
765         acct_flags = (acct_flags & ~(ACB_DISABLED|ACB_PWNOTREQ));
766
767         /* Find out what password policy this user has */
768         pwp.in.user_handle = u_handle;
769
770         status = dcerpc_samr_GetUserPwInfo(samr_pipe, tmp_ctx, &pwp);                           
771         if (NT_STATUS_IS_OK(status)) {
772                 policy_min_pw_len = pwp.out.info.min_password_length;
773         }
774         
775         /* Grab a password of that minimum length */
776         
777         password_str = generate_random_str(tmp_ctx, MAX(8, policy_min_pw_len)); 
778
779         /* set full_name and reset flags */
780         ZERO_STRUCT(u_info21);
781         u_info21.full_name.string       = r->in.account_name;
782         u_info21.acct_flags             = acct_flags;
783         u_info21.fields_present         = SAMR_FIELD_FULL_NAME | SAMR_FIELD_ACCT_FLAGS;
784
785         r2.samr_handle.level            = LIBNET_SET_PASSWORD_SAMR_HANDLE;
786         r2.samr_handle.in.account_name  = r->in.account_name;
787         r2.samr_handle.in.newpassword   = password_str;
788         r2.samr_handle.in.user_handle   = u_handle;
789         r2.samr_handle.in.dcerpc_pipe   = samr_pipe;
790         r2.samr_handle.in.info21        = &u_info21;
791
792         status = libnet_SetPassword(ctx, tmp_ctx, &r2); 
793         if (!NT_STATUS_IS_OK(status)) {
794                 r->out.error_string = talloc_steal(mem_ctx, r2.samr_handle.out.error_string);
795                 talloc_free(tmp_ctx);
796                 return status;
797         }
798
799         account_sid = dom_sid_add_rid(mem_ctx, connect_with_info->out.domain_sid, rid);
800         if (!account_sid) {
801                 r->out.error_string = NULL;
802                 talloc_free(tmp_ctx);
803                 return NT_STATUS_NO_MEMORY;
804         }
805
806         /* Finish out by pushing various bits of status data out for the caller to use */
807         r->out.join_password = password_str;
808         talloc_steal(mem_ctx, r->out.join_password);
809
810         r->out.domain_sid = connect_with_info->out.domain_sid;
811         talloc_steal(mem_ctx, r->out.domain_sid);
812
813         r->out.account_sid = account_sid;
814         talloc_steal(mem_ctx, r->out.account_sid);
815
816         r->out.domain_name = connect_with_info->out.domain_name;
817         talloc_steal(mem_ctx, r->out.domain_name);
818         r->out.realm = connect_with_info->out.realm;
819         talloc_steal(mem_ctx, r->out.realm);
820         r->out.samr_pipe = samr_pipe;
821         talloc_steal(mem_ctx, samr_pipe);
822         r->out.samr_binding = samr_pipe->binding;
823         talloc_steal(mem_ctx, r->out.samr_binding);
824         r->out.user_handle = u_handle;
825         talloc_steal(mem_ctx, u_handle);
826         r->out.error_string = r2.samr_handle.out.error_string;
827         talloc_steal(mem_ctx, r2.samr_handle.out.error_string);
828         r->out.kvno = 0;
829         r->out.server_dn_str = NULL;
830         talloc_free(tmp_ctx); 
831
832         /* Now, if it was AD, then we want to start looking changing a
833          * few more things.  Otherwise, we are done. */
834         if (r->out.realm) {
835                 status = libnet_JoinADSDomain(ctx, r);
836                 return status;
837         }
838
839         return status;
840 }
841
842 static NTSTATUS libnet_Join_primary_domain(struct libnet_context *ctx, 
843                                            TALLOC_CTX *mem_ctx, 
844                                            struct libnet_Join *r)
845 {
846         NTSTATUS status;
847         TALLOC_CTX *tmp_mem;
848         struct libnet_JoinDomain *r2;
849         int ret, rtn;
850         struct ldb_context *ldb;
851         struct ldb_dn *base_dn;
852         struct ldb_message **msgs, *msg;
853         const char *sct;
854         const char * const attrs[] = {
855                 "whenChanged",
856                 "secret",
857                 "priorSecret",
858                 "priorChanged",
859                 "krb5Keytab",
860                 "privateKeytab",
861                 NULL
862         };
863         uint32_t acct_type = 0;
864         const char *account_name;
865         const char *netbios_name;
866         
867         r->out.error_string = NULL;
868
869         tmp_mem = talloc_new(mem_ctx);
870         if (!tmp_mem) {
871                 return NT_STATUS_NO_MEMORY;
872         }
873
874         r2 = talloc(tmp_mem, struct libnet_JoinDomain);
875         if (!r2) {
876                 r->out.error_string = NULL;
877                 talloc_free(tmp_mem);
878                 return NT_STATUS_NO_MEMORY;
879         }
880         
881         if (r->in.join_type == SEC_CHAN_BDC) {
882                 acct_type = ACB_SVRTRUST;
883         } else if (r->in.join_type == SEC_CHAN_WKSTA) {
884                 acct_type = ACB_WSTRUST;
885         } else {
886                 r->out.error_string = NULL;
887                 talloc_free(tmp_mem);   
888                 return NT_STATUS_INVALID_PARAMETER;
889         }
890
891         if (r->in.netbios_name != NULL) {
892                 netbios_name = r->in.netbios_name;
893         } else {
894                 netbios_name = talloc_reference(tmp_mem, lp_netbios_name(ctx->lp_ctx));
895                 if (!netbios_name) {
896                         r->out.error_string = NULL;
897                         talloc_free(tmp_mem);
898                         return NT_STATUS_NO_MEMORY;
899                 }
900         }
901
902         account_name = talloc_asprintf(tmp_mem, "%s$", netbios_name);
903         if (!account_name) {
904                 r->out.error_string = NULL;
905                 talloc_free(tmp_mem);
906                 return NT_STATUS_NO_MEMORY;
907         }
908         
909         /*
910          * Local secrets are stored in secrets.ldb 
911          * open it to make sure we can write the info into it after the join
912          */
913         ldb = secrets_db_connect(tmp_mem, ctx->lp_ctx);
914         if (!ldb) {
915                 r->out.error_string
916                         = talloc_asprintf(mem_ctx, 
917                                           "Could not open secrets database");
918                 talloc_free(tmp_mem);
919                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
920         }
921
922         /*
923          * join the domain
924          */
925         ZERO_STRUCTP(r2);
926         r2->in.domain_name      = r->in.domain_name;
927         r2->in.account_name     = account_name;
928         r2->in.netbios_name     = netbios_name;
929         r2->in.level            = LIBNET_JOINDOMAIN_AUTOMATIC;
930         r2->in.acct_type        = acct_type;
931         r2->in.recreate_account = false;
932         status = libnet_JoinDomain(ctx, r2, r2);
933         if (!NT_STATUS_IS_OK(status)) {
934                 r->out.error_string = talloc_steal(mem_ctx, r2->out.error_string);
935                 talloc_free(tmp_mem);
936                 return status;
937         }
938         
939         /*
940          * now prepare the record for secrets.ldb
941          */
942         sct = talloc_asprintf(tmp_mem, "%d", r->in.join_type); 
943         if (!sct) {
944                 r->out.error_string = NULL;
945                 talloc_free(tmp_mem);
946                 return NT_STATUS_NO_MEMORY;
947         }
948         
949         msg = ldb_msg_new(tmp_mem);
950         if (!msg) {
951                 r->out.error_string = NULL;
952                 talloc_free(tmp_mem);
953                 return NT_STATUS_NO_MEMORY;
954         }
955
956         base_dn = ldb_dn_new(tmp_mem, ldb, "cn=Primary Domains");
957         if (!base_dn) {
958                 r->out.error_string = NULL;
959                 talloc_free(tmp_mem);
960                 return NT_STATUS_NO_MEMORY;
961         }
962
963         msg->dn = ldb_dn_copy(tmp_mem, base_dn);
964         if ( ! ldb_dn_add_child_fmt(msg->dn, "flatname=%s", r2->out.domain_name)) {
965                 r->out.error_string = NULL;
966                 talloc_free(tmp_mem);
967                 return NT_STATUS_NO_MEMORY;
968         }
969         
970         rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "flatname", r2->out.domain_name);
971         if (rtn == -1) {
972                 r->out.error_string = NULL;
973                 talloc_free(tmp_mem);
974                 return NT_STATUS_NO_MEMORY;
975         }
976
977         if (r2->out.realm) {
978                 rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "realm", r2->out.realm);
979                 if (rtn == -1) {
980                         r->out.error_string = NULL;
981                         talloc_free(tmp_mem);
982                         return NT_STATUS_NO_MEMORY;
983                 }
984
985                 rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "objectClass", "primaryDomain");
986                 if (rtn == -1) {
987                         r->out.error_string = NULL;
988                         talloc_free(tmp_mem);
989                         return NT_STATUS_NO_MEMORY;
990                 }
991         }
992
993         rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "objectClass", "primaryDomain");
994         if (rtn == -1) {
995                 r->out.error_string = NULL;
996                 talloc_free(tmp_mem);
997                 return NT_STATUS_NO_MEMORY;
998         }
999
1000         rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "secret", r2->out.join_password);
1001         if (rtn == -1) {
1002                 r->out.error_string = NULL;
1003                 talloc_free(tmp_mem);
1004                 return NT_STATUS_NO_MEMORY;
1005         }
1006
1007         rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "samAccountName", r2->in.account_name);
1008         if (rtn == -1) {
1009                 r->out.error_string = NULL;
1010                 talloc_free(tmp_mem);
1011                 return NT_STATUS_NO_MEMORY;
1012         }
1013
1014         rtn = samdb_msg_add_string(ldb, tmp_mem, msg, "secureChannelType", sct);
1015         if (rtn == -1) {
1016                 r->out.error_string = NULL;
1017                 talloc_free(tmp_mem);
1018                 return NT_STATUS_NO_MEMORY;
1019         }
1020
1021         if (r2->out.kvno) {
1022                 rtn = samdb_msg_add_uint(ldb, tmp_mem, msg, "msDS-KeyVersionNumber",
1023                                          r2->out.kvno);
1024                 if (rtn == -1) {
1025                         r->out.error_string = NULL;
1026                         talloc_free(tmp_mem);
1027                         return NT_STATUS_NO_MEMORY;
1028                 }
1029         }
1030
1031         if (r2->out.domain_sid) {
1032                 rtn = samdb_msg_add_dom_sid(ldb, tmp_mem, msg, "objectSid",
1033                                             r2->out.domain_sid);
1034                 if (rtn == -1) {
1035                         r->out.error_string = NULL;
1036                         talloc_free(tmp_mem);
1037                         return NT_STATUS_NO_MEMORY;
1038                 }
1039         }
1040
1041         /* 
1042          * search for the secret record
1043          * - remove the records we find
1044          * - and fetch the old secret and store it under priorSecret
1045          */
1046         ret = gendb_search(ldb,
1047                            tmp_mem, base_dn,
1048                            &msgs, attrs,
1049                            "(|" SECRETS_PRIMARY_DOMAIN_FILTER "(realm=%s))",
1050                            r2->out.domain_name, r2->out.realm);
1051         if (ret == 0) {
1052                 rtn = samdb_msg_set_string(ldb, tmp_mem, msg, "secretsKeytab", "secrets.keytab");
1053                 if (rtn == -1) {
1054                         r->out.error_string = NULL;
1055                         talloc_free(tmp_mem);
1056                         return NT_STATUS_NO_MEMORY;
1057                 }
1058         } else if (ret == -1) {
1059                 r->out.error_string
1060                         = talloc_asprintf(mem_ctx, 
1061                                           "Search for domain: %s and realm: %s failed: %s", 
1062                                           r2->out.domain_name, r2->out.realm, ldb_errstring(ldb));
1063                 talloc_free(tmp_mem);
1064                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1065         } else {
1066                 const struct ldb_val *private_keytab;
1067                 const struct ldb_val *krb5_keytab;
1068                 const struct ldb_val *prior_secret;
1069                 const struct ldb_val *prior_modified_time;
1070                 int i;
1071
1072                 for (i = 0; i < ret; i++) {
1073                         ldb_delete(ldb, msgs[i]->dn);
1074                 }
1075
1076                 prior_secret = ldb_msg_find_ldb_val(msgs[0], "secret");
1077                 if (prior_secret) {
1078                         rtn = samdb_msg_set_value(ldb, tmp_mem, msg, "priorSecret", prior_secret);
1079                         if (rtn == -1) {
1080                                 r->out.error_string = NULL;
1081                                 talloc_free(tmp_mem);
1082                                 return NT_STATUS_NO_MEMORY;
1083                         }
1084                 }
1085                 rtn = samdb_msg_set_string(ldb, tmp_mem, msg, "secret", r2->out.join_password);
1086                 if (rtn == -1) {
1087                         r->out.error_string = NULL;
1088                         talloc_free(tmp_mem);
1089                         return NT_STATUS_NO_MEMORY;
1090                 }
1091
1092                 prior_modified_time = ldb_msg_find_ldb_val(msgs[0], 
1093                                                            "whenChanged");
1094                 if (prior_modified_time) {
1095                         rtn = samdb_msg_set_value(ldb, tmp_mem, msg, "priorWhenChanged", 
1096                                                   prior_modified_time);
1097                         if (rtn == -1) {
1098                                 r->out.error_string = NULL;
1099                                 talloc_free(tmp_mem);
1100                                 return NT_STATUS_NO_MEMORY;
1101                         }
1102                 }
1103
1104                 rtn = samdb_msg_set_string(ldb, tmp_mem, msg, "samAccountName", r2->in.account_name);
1105                 if (rtn == -1) {
1106                         r->out.error_string = NULL;
1107                         talloc_free(tmp_mem);
1108                         return NT_STATUS_NO_MEMORY;
1109                 }
1110
1111                 rtn = samdb_msg_set_string(ldb, tmp_mem, msg, "secureChannelType", sct);
1112                 if (rtn == -1) {
1113                         r->out.error_string = NULL;
1114                         talloc_free(tmp_mem);
1115                         return NT_STATUS_NO_MEMORY;
1116                 }
1117
1118                 /* We will want to keep the keytab names */
1119                 private_keytab = ldb_msg_find_ldb_val(msgs[0], "privateKeytab");
1120                 if (private_keytab) {
1121                         rtn = samdb_msg_set_value(ldb, tmp_mem, msg, "privateKeytab", private_keytab);
1122                         if (rtn == -1) {
1123                                 r->out.error_string = NULL;
1124                                 talloc_free(tmp_mem);
1125                                 return NT_STATUS_NO_MEMORY;
1126                         }
1127                 }
1128                 krb5_keytab = ldb_msg_find_ldb_val(msgs[0], "krb5Keytab");
1129                 if (krb5_keytab) {
1130                         rtn = samdb_msg_set_value(ldb, tmp_mem, msg, "krb5Keytab", krb5_keytab);
1131                         if (rtn == -1) {
1132                                 r->out.error_string = NULL;
1133                                 talloc_free(tmp_mem);
1134                                 return NT_STATUS_NO_MEMORY;
1135                         }
1136                 }
1137         }
1138
1139         /* create the secret */
1140         ret = ldb_add(ldb, msg);
1141         if (ret != 0) {
1142                 r->out.error_string = talloc_asprintf(mem_ctx, "Failed to create secret record %s", 
1143                                                       ldb_dn_get_linearized(msg->dn));
1144                 talloc_free(tmp_mem);
1145                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
1146         }
1147
1148         /* move all out parameter to the callers TALLOC_CTX */
1149         r->out.error_string     = NULL;
1150         r->out.join_password    = r2->out.join_password;
1151         talloc_steal(mem_ctx, r2->out.join_password);
1152         r->out.domain_sid       = r2->out.domain_sid;
1153         talloc_steal(mem_ctx, r2->out.domain_sid);
1154         r->out.domain_name      = r2->out.domain_name;
1155         talloc_steal(mem_ctx, r2->out.domain_name);
1156         talloc_free(tmp_mem);
1157         return NT_STATUS_OK;
1158 }
1159
1160 NTSTATUS libnet_Join(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_Join *r)
1161 {
1162         switch (r->in.join_type) {
1163                 case SEC_CHAN_WKSTA:
1164                         return libnet_Join_primary_domain(ctx, mem_ctx, r);
1165                 case SEC_CHAN_BDC:
1166                         return libnet_Join_primary_domain(ctx, mem_ctx, r);
1167                 case SEC_CHAN_DOMAIN:
1168                         break;
1169         }
1170
1171         r->out.error_string = talloc_asprintf(mem_ctx,
1172                                               "Invalid join type specified (%08X) attempting to join domain %s",
1173                                               r->in.join_type, r->in.domain_name);
1174         return NT_STATUS_INVALID_PARAMETER;
1175 }