char *str = NULL; \
str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_JoinCtx, f, r); \
DEBUG(1,("libnet_Join:\n%s", str)); \
- talloc_free(str); \
+ TALLOC_FREE(str); \
} while (0)
#define LIBNET_JOIN_IN_DUMP_CTX(ctx, r) \
char *str = NULL; \
str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_UnjoinCtx, f, r); \
DEBUG(1,("libnet_Unjoin:\n%s", str)); \
- talloc_free(str); \
+ TALLOC_FREE(str); \
} while (0)
#define LIBNET_UNJOIN_IN_DUMP_CTX(ctx, r) \
}
/****************************************************************
+ join a domain using ADS (LDAP mods)
****************************************************************/
static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx,
ADS_STATUS status;
LDAPMessage *res = NULL;
const char *attrs[] = { "dn", NULL };
+ bool moved = false;
+
+ status = ads_check_ou_dn(mem_ctx, r->in.ads, r->in.account_ou);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
status = ads_search_dn(r->in.ads, &res, r->in.account_ou, attrs);
if (!ADS_ERR_OK(status)) {
return ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT);
}
+ ads_msgfree(r->in.ads, res);
+
+ /* Attempt to create the machine account and bail if this fails.
+ Assume that the admin wants exactly what they requested */
+
status = ads_create_machine_acct(r->in.ads,
r->in.machine_name,
r->in.account_ou);
- ads_msgfree(r->in.ads, res);
- if ((status.error_type == ENUM_ADS_ERROR_LDAP) &&
- (status.err.rc == LDAP_ALREADY_EXISTS)) {
+ if (ADS_ERR_OK(status)) {
+ DEBUG(1,("machine account creation created\n"));
+ return status;
+ } else if ((status.error_type == ENUM_ADS_ERROR_LDAP) &&
+ (status.err.rc == LDAP_ALREADY_EXISTS)) {
status = ADS_SUCCESS;
}
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(1,("machine account creation failed\n"));
+ return status;
+ }
+
+ status = ads_move_machine_acct(r->in.ads,
+ r->in.machine_name,
+ r->in.account_ou,
+ &moved);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(1,("failure to locate/move pre-existing "
+ "machine account\n"));
+ return status;
+ }
+
+ DEBUG(1,("The machine account %s the specified OU.\n",
+ moved ? "was moved into" : "already exists in"));
+
return status;
}
ADS_STATUS status;
if (!r->in.ads) {
- status = libnet_unjoin_connect_ads(mem_ctx, r);
- if (!ADS_ERR_OK(status)) {
- return status;
- }
+ return libnet_unjoin_connect_ads(mem_ctx, r);
}
status = ads_leave_realm(r->in.ads, r->in.machine_name);
}
/****************************************************************
+ Set a machines dNSHostName and servicePrincipalName attributes
****************************************************************/
static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
const char *spn_array[3] = {NULL, NULL, NULL};
char *spn = NULL;
+ /* Find our DN */
+
status = libnet_join_find_machine_acct(mem_ctx, r);
if (!ADS_ERR_OK(status)) {
return status;
}
+ /* Windows only creates HOST/shortname & HOST/fqdn. */
+
spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
if (!spn) {
return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
}
+ /* fields of primary importance */
+
status = ads_mod_str(mem_ctx, &mods, "dNSHostName", my_fqdn);
if (!ADS_ERR_OK(status)) {
return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
return ADS_SUCCESS;
}
+ /* Find our DN */
+
status = libnet_join_find_machine_acct(mem_ctx, r);
if (!ADS_ERR_OK(status)) {
return status;
}
}
+ /* now do the mods */
+
mods = ads_init_mods(mem_ctx);
if (!mods) {
return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
}
+ /* fields of primary importance */
+
status = ads_mod_str(mem_ctx, &mods, "userPrincipalName", r->in.upn);
if (!ADS_ERR_OK(status)) {
return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
return ADS_SUCCESS;
}
+ /* Find our DN */
+
status = libnet_join_find_machine_acct(mem_ctx, r);
if (!ADS_ERR_OK(status)) {
return status;
}
+ /* now do the mods */
+
mods = ads_init_mods(mem_ctx);
if (!mods) {
return ADS_ERROR(LDAP_NO_MEMORY);
return ADS_ERROR(LDAP_NO_MEMORY);
}
+ /* fields of primary importance */
+
status = ads_mod_str(mem_ctx, &mods, "operatingSystem",
r->in.os_name);
if (!ADS_ERR_OK(status)) {
return false;
}
+ /* go ahead and setup the default salt */
+
std_salt = kerberos_standard_des_salt();
if (!std_salt) {
libnet_join_set_error_string(mem_ctx, r,
SAFE_FREE(std_salt);
+ /* if it's a Windows functional domain, we have to look for the UPN */
+
if (domain_func == DS_DOMAIN_FUNCTION_2000) {
char *upn;
#endif /* WITH_ADS */
/****************************************************************
+ Store the machine password and domain SID
****************************************************************/
static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx,
if (!secrets_store_domain_sid(r->out.netbios_domain_name,
r->out.domain_sid))
{
+ DEBUG(1,("Failed to save domain sid\n"));
return false;
}
if (!secrets_store_machine_password(r->in.machine_password,
r->out.netbios_domain_name,
- SEC_CHAN_WKSTA))
+ r->in.secure_channel_type))
{
+ DEBUG(1,("Failed to save machine password\n"));
return false;
}
}
/****************************************************************
+ Do the domain join
****************************************************************/
static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
char *acct_name;
struct lsa_String lsa_acct_name;
- uint32 user_rid;
- uint32 acb_info = ACB_WSTRUST;
+ uint32_t user_rid;
+ uint32_t acct_flags = ACB_WSTRUST;
uchar pwbuf[532];
struct MD5Context md5ctx;
uchar md5buffer[16];
pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &status);
if (!pipe_hnd) {
+ DEBUG(0,("Error connecting to LSA pipe. Error was %s\n",
+ nt_errstr(status)));
goto done;
}
- status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True,
+ status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
SEC_RIGHTS_MAXIMUM_ALLOWED, &lsa_pol);
if (!NT_STATUS_IS_OK(status)) {
goto done;
rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol);
cli_rpc_pipe_close(pipe_hnd);
+ /* Open the domain */
+
pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &status);
if (!pipe_hnd) {
+ DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
+ nt_errstr(status)));
goto done;
}
goto done;
}
+ /* Create domain user */
+
acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name);
strlower_m(acct_name);
init_lsa_String(&lsa_acct_name, acct_name);
if (r->in.join_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE) {
- uint32_t acct_flags =
+ uint32_t access_desired =
SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE |
SEC_STD_WRITE_DAC | SEC_STD_DELETE |
SAMR_USER_ACCESS_SET_PASSWORD |
SAMR_USER_ACCESS_SET_ATTRIBUTES;
uint32_t access_granted = 0;
+ /* Don't try to set any acct_flags flags other than ACB_WSTRUST */
+
+ DEBUG(10,("Creating account with desired access mask: %d\n",
+ access_desired));
+
status = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx,
&domain_pol,
&lsa_acct_name,
ACB_WSTRUST,
- acct_flags,
+ access_desired,
&user_pol,
&access_granted,
&user_rid);
+ if (!NT_STATUS_IS_OK(status) &&
+ !NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
+
+ DEBUG(10,("Creation of workstation account failed: %s\n",
+ nt_errstr(status)));
+
+ /* If NT_STATUS_ACCESS_DENIED then we have a valid
+ username/password combo but the user does not have
+ administrator access. */
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ libnet_join_set_error_string(mem_ctx, r,
+ "User specified does not have "
+ "administrator privileges");
+ }
+
+ return status;
+ }
+
if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
if (!(r->in.join_flags &
WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED)) {
}
}
+ /* We *must* do this.... don't ask... */
+
if (NT_STATUS_IS_OK(status)) {
rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
}
}
if (name_types.ids[0] != SID_NAME_USER) {
+ DEBUG(0,("%s is not a user account (type=%d)\n",
+ acct_name, name_types.ids[0]));
status = NT_STATUS_INVALID_WORKSTATION;
goto done;
}
user_rid = user_rids.ids[0];
+ /* Open handle on user */
+
status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
&domain_pol,
SEC_RIGHTS_MAXIMUM_ALLOWED,
goto done;
}
+ /* Create a random machine account password and generate the hash */
+
E_md4hash(r->in.machine_password, md4_trust_password);
encode_pw_buffer(pwbuf, r->in.machine_password, STR_UNICODE);
- generate_random_buffer((uint8*)md5buffer, sizeof(md5buffer));
+ generate_random_buffer((uint8_t*)md5buffer, sizeof(md5buffer));
digested_session_key = data_blob_talloc(mem_ctx, 0, 16);
MD5Init(&md5ctx);
SamOEMhashBlob(pwbuf, sizeof(pwbuf), &digested_session_key);
memcpy(&pwbuf[516], md5buffer, sizeof(md5buffer));
- acb_info |= ACB_PWNOEXP;
+ /* Fill in the additional account flags now */
+
+ acct_flags |= ACB_PWNOEXP;
if (r->out.domain_is_ad) {
#if !defined(ENCTYPE_ARCFOUR_HMAC)
- acb_info |= ACB_USE_DES_KEY_ONLY;
+ acct_flags |= ACB_USE_DES_KEY_ONLY;
#endif
;;
}
+ /* Set password and account flags on machine account */
+
ZERO_STRUCT(user_info.info25);
user_info.info25.info.fields_present = ACCT_NT_PWD_SET |
ACCT_LM_PWD_SET |
SAMR_FIELD_ACCT_FLAGS;
- user_info.info25.info.acct_flags = acb_info;
+
+ user_info.info25.info.acct_flags = acct_flags;
memcpy(&user_info.info25.password.data, pwbuf, sizeof(pwbuf));
status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
&user_pol,
25,
&user_info);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS(DCERPC_FAULT_INVALID_TAG))) {
+
+ uchar pwbuf2[516];
+
+ encode_pw_buffer(pwbuf2, r->in.machine_password, STR_UNICODE);
+
+ /* retry with level 24 */
+ init_samr_user_info24(&user_info.info24, pwbuf2, 24);
+
+ SamOEMhashBlob(user_info.info24.password.data, 516,
+ &cli->user_session_key);
+
+ status = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
+ &user_pol,
+ 24,
+ &user_info);
+ }
+
if (!NT_STATUS_IS_OK(status)) {
+ libnet_join_set_error_string(mem_ctx, r,
+ "Failed to set password for machine account (%s)\n",
+ nt_errstr(status));
goto done;
}
const char *machine_name,
const char *dc_name)
{
- uint32_t neg_flags = NETLOGON_NEG_AUTH2_FLAGS |
+ uint32_t neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS |
NETLOGON_NEG_SCHANNEL;
- /* FIXME: NETLOGON_NEG_SELECT_AUTH2_FLAGS */
struct cli_state *cli = NULL;
struct rpc_pipe_client *pipe_hnd = NULL;
struct rpc_pipe_client *netlogon_pipe = NULL;
POLICY_HND sam_pol, domain_pol, user_pol;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
char *acct_name;
- uint32 user_rid;
+ uint32_t user_rid;
struct lsa_String lsa_acct_name;
struct samr_Ids user_rids;
struct samr_Ids name_types;
goto done;
}
+ /* Open the domain */
+
pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &status);
if (!pipe_hnd) {
+ DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
+ nt_errstr(status)));
goto done;
}
goto done;
}
+ /* Create domain user */
+
acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name);
strlower_m(acct_name);
}
if (name_types.ids[0] != SID_NAME_USER) {
+ DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name,
+ name_types.ids[0]));
status = NT_STATUS_INVALID_WORKSTATION;
goto done;
}
user_rid = user_rids.ids[0];
+ /* Open handle on user */
+
status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
&domain_pol,
SEC_RIGHTS_MAXIMUM_ALLOWED,
goto done;
}
+ /* Get user info */
+
status = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx,
&user_pol,
16,
goto done;
}
+ /* now disable and setuser info */
+
info->info16.acct_flags |= ACB_DISABLED;
status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
static WERROR do_join_modify_vals_config(struct libnet_JoinCtx *r)
{
WERROR werr;
- struct libnet_conf_ctx *ctx;
+ struct smbconf_ctx *ctx;
- werr = libnet_conf_open(r, &ctx);
+ werr = smbconf_init_reg(r, &ctx, NULL);
if (!W_ERROR_IS_OK(werr)) {
goto done;
}
if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE)) {
- werr = libnet_conf_set_global_parameter(ctx, "security", "user");
+ werr = smbconf_set_global_parameter(ctx, "security", "user");
W_ERROR_NOT_OK_GOTO_DONE(werr);
- werr = libnet_conf_set_global_parameter(ctx, "workgroup",
- r->in.domain_name);
+ werr = smbconf_set_global_parameter(ctx, "workgroup",
+ r->in.domain_name);
goto done;
}
- werr = libnet_conf_set_global_parameter(ctx, "security", "domain");
+ werr = smbconf_set_global_parameter(ctx, "security", "domain");
W_ERROR_NOT_OK_GOTO_DONE(werr);
- werr = libnet_conf_set_global_parameter(ctx, "workgroup",
- r->out.netbios_domain_name);
+ werr = smbconf_set_global_parameter(ctx, "workgroup",
+ r->out.netbios_domain_name);
W_ERROR_NOT_OK_GOTO_DONE(werr);
if (r->out.domain_is_ad) {
- werr = libnet_conf_set_global_parameter(ctx, "security", "ads");
+ werr = smbconf_set_global_parameter(ctx, "security", "ads");
W_ERROR_NOT_OK_GOTO_DONE(werr);
- werr = libnet_conf_set_global_parameter(ctx, "realm",
- r->out.dns_domain_name);
+ werr = smbconf_set_global_parameter(ctx, "realm",
+ r->out.dns_domain_name);
W_ERROR_NOT_OK_GOTO_DONE(werr);
}
done:
- libnet_conf_close(ctx);
+ smbconf_shutdown(ctx);
return werr;
}
static WERROR do_unjoin_modify_vals_config(struct libnet_UnjoinCtx *r)
{
WERROR werr = WERR_OK;
- struct libnet_conf_ctx *ctx;
+ struct smbconf_ctx *ctx;
- werr = libnet_conf_open(r, &ctx);
+ werr = smbconf_init_reg(r, &ctx, NULL);
if (!W_ERROR_IS_OK(werr)) {
goto done;
}
if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
- werr = libnet_conf_set_global_parameter(ctx, "security", "user");
+ werr = smbconf_set_global_parameter(ctx, "security", "user");
W_ERROR_NOT_OK_GOTO_DONE(werr);
- libnet_conf_delete_global_parameter(ctx, "realm");
+ smbconf_delete_global_parameter(ctx, "realm");
}
done:
- libnet_conf_close(ctx);
+ smbconf_shutdown(ctx);
return werr;
}
/****************************************************************
****************************************************************/
+static bool libnet_parse_domain_dc(TALLOC_CTX *mem_ctx,
+ const char *domain_str,
+ const char **domain_p,
+ const char **dc_p)
+{
+ char *domain = NULL;
+ char *dc = NULL;
+ const char *p = NULL;
+
+ if (!domain_str || !domain_p || !dc_p) {
+ return false;
+ }
+
+ p = strchr_m(domain_str, '\\');
+
+ if (p != NULL) {
+ domain = talloc_strndup(mem_ctx, domain_str,
+ PTR_DIFF(p, domain_str));
+ dc = talloc_strdup(mem_ctx, p+1);
+ if (!dc) {
+ return false;
+ }
+ } else {
+ domain = talloc_strdup(mem_ctx, domain_str);
+ dc = NULL;
+ }
+ if (!domain) {
+ return false;
+ }
+
+ *domain_p = domain;
+
+ if (!*dc_p && dc) {
+ *dc_p = dc;
+ }
+
+ return true;
+}
+
+/****************************************************************
+****************************************************************/
+
static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
struct libnet_JoinCtx *r)
{
return WERR_INVALID_PARAM;
}
+ if (!libnet_parse_domain_dc(mem_ctx, r->in.domain_name,
+ &r->in.domain_name,
+ &r->in.dc_name)) {
+ libnet_join_set_error_string(mem_ctx, r,
+ "Failed to parse domain name");
+ return WERR_INVALID_PARAM;
+ }
+
if (r->in.modify_config && !lp_config_backend_is_registry()) {
+ libnet_join_set_error_string(mem_ctx, r,
+ "Configuration manipulation requested but not "
+ "supported by backend");
return WERR_NOT_SUPPORTED;
}
ctx->in.machine_name = talloc_strdup(mem_ctx, global_myname());
W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
+ ctx->in.secure_channel_type = SEC_CHAN_WKSTA;
+
*r = ctx;
return WERR_OK;
#endif /* WITH_ADS */
if (!r->in.dc_name) {
- struct DS_DOMAIN_CONTROLLER_INFO *info;
+ struct netr_DsRGetDCNameInfo *info;
status = dsgetdcname(mem_ctx,
r->in.domain_name,
NULL,
}
r->in.dc_name = talloc_strdup(mem_ctx,
- info->domain_controller_name);
+ info->dc_unc);
W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
}
}
if (!r->in.dc_name) {
- struct DS_DOMAIN_CONTROLLER_INFO *info;
+ struct netr_DsRGetDCNameInfo *info;
status = dsgetdcname(mem_ctx,
r->in.domain_name,
NULL,
}
r->in.dc_name = talloc_strdup(mem_ctx,
- info->domain_controller_name);
+ info->dc_unc);
W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
}
return WERR_INVALID_PARAM;
}
+ if (!libnet_parse_domain_dc(mem_ctx, r->in.domain_name,
+ &r->in.domain_name,
+ &r->in.dc_name)) {
+ libnet_unjoin_set_error_string(mem_ctx, r,
+ "Failed to parse domain name");
+ return WERR_INVALID_PARAM;
+ }
+
if (r->in.modify_config && !lp_config_backend_is_registry()) {
+ libnet_unjoin_set_error_string(mem_ctx, r,
+ "Configuration manipulation requested but not "
+ "supported by backend");
return WERR_NOT_SUPPORTED;
}
+ if (IS_DC) {
+ return WERR_SETUP_DOMAIN_CONTROLLER;
+ }
+
if (!secrets_init()) {
libnet_unjoin_set_error_string(mem_ctx, r,
"Unable to open secrets database");
git.samba.org / ira / wip.git / blobdiff