2 * Unix SMB/CIFS implementation.
4 * Copyright (C) Gerald (Jerry) Carter 2006
5 * Copyright (C) Guenther Deschner 2007-2008
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "libnet/libnet.h"
24 /****************************************************************
25 ****************************************************************/
27 #define LIBNET_JOIN_DUMP_CTX(ctx, r, f) \
30 str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_JoinCtx, f, r); \
31 DEBUG(1,("libnet_Join:\n%s", str)); \
35 #define LIBNET_JOIN_IN_DUMP_CTX(ctx, r) \
36 LIBNET_JOIN_DUMP_CTX(ctx, r, NDR_IN | NDR_SET_VALUES)
37 #define LIBNET_JOIN_OUT_DUMP_CTX(ctx, r) \
38 LIBNET_JOIN_DUMP_CTX(ctx, r, NDR_OUT)
40 #define LIBNET_UNJOIN_DUMP_CTX(ctx, r, f) \
43 str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_UnjoinCtx, f, r); \
44 DEBUG(1,("libnet_Unjoin:\n%s", str)); \
48 #define LIBNET_UNJOIN_IN_DUMP_CTX(ctx, r) \
49 LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_IN | NDR_SET_VALUES)
50 #define LIBNET_UNJOIN_OUT_DUMP_CTX(ctx, r) \
51 LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_OUT)
53 static void init_lsa_String(struct lsa_String *name, const char *s)
58 /****************************************************************
59 ****************************************************************/
61 static void libnet_join_set_error_string(TALLOC_CTX *mem_ctx,
62 struct libnet_JoinCtx *r,
63 const char *format, ...)
67 if (r->out.error_string) {
71 va_start(args, format);
72 r->out.error_string = talloc_vasprintf(mem_ctx, format, args);
76 /****************************************************************
77 ****************************************************************/
79 static void libnet_unjoin_set_error_string(TALLOC_CTX *mem_ctx,
80 struct libnet_UnjoinCtx *r,
81 const char *format, ...)
85 if (r->out.error_string) {
89 va_start(args, format);
90 r->out.error_string = talloc_vasprintf(mem_ctx, format, args);
96 /****************************************************************
97 ****************************************************************/
99 static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
100 const char *netbios_domain_name,
102 const char *user_name,
103 const char *password,
107 ADS_STRUCT *my_ads = NULL;
109 my_ads = ads_init(dns_domain_name,
113 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
117 SAFE_FREE(my_ads->auth.user_name);
118 my_ads->auth.user_name = SMB_STRDUP(user_name);
122 SAFE_FREE(my_ads->auth.password);
123 my_ads->auth.password = SMB_STRDUP(password);
126 status = ads_connect(my_ads);
127 if (!ADS_ERR_OK(status)) {
128 ads_destroy(&my_ads);
136 /****************************************************************
137 ****************************************************************/
139 static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
140 struct libnet_JoinCtx *r)
144 status = libnet_connect_ads(r->in.domain_name,
148 r->in.admin_password,
150 if (!ADS_ERR_OK(status)) {
151 libnet_join_set_error_string(mem_ctx, r,
152 "failed to connect to AD: %s",
159 /****************************************************************
160 ****************************************************************/
162 static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx,
163 struct libnet_UnjoinCtx *r)
167 status = libnet_connect_ads(r->in.domain_name,
171 r->in.admin_password,
173 if (!ADS_ERR_OK(status)) {
174 libnet_unjoin_set_error_string(mem_ctx, r,
175 "failed to connect to AD: %s",
182 /****************************************************************
183 ****************************************************************/
185 static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx,
186 struct libnet_JoinCtx *r)
189 LDAPMessage *res = NULL;
190 const char *attrs[] = { "dn", NULL };
192 status = ads_search_dn(r->in.ads, &res, r->in.account_ou, attrs);
193 if (!ADS_ERR_OK(status)) {
197 if (ads_count_replies(r->in.ads, res) != 1) {
198 ads_msgfree(r->in.ads, res);
199 return ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT);
202 status = ads_create_machine_acct(r->in.ads,
205 ads_msgfree(r->in.ads, res);
207 if ((status.error_type == ENUM_ADS_ERROR_LDAP) &&
208 (status.err.rc == LDAP_ALREADY_EXISTS)) {
209 status = ADS_SUCCESS;
215 /****************************************************************
216 ****************************************************************/
218 static ADS_STATUS libnet_unjoin_remove_machine_acct(TALLOC_CTX *mem_ctx,
219 struct libnet_UnjoinCtx *r)
224 status = libnet_unjoin_connect_ads(mem_ctx, r);
225 if (!ADS_ERR_OK(status)) {
230 status = ads_leave_realm(r->in.ads, r->in.machine_name);
231 if (!ADS_ERR_OK(status)) {
232 libnet_unjoin_set_error_string(mem_ctx, r,
233 "failed to leave realm: %s",
241 /****************************************************************
242 ****************************************************************/
244 static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx,
245 struct libnet_JoinCtx *r)
248 LDAPMessage *res = NULL;
251 if (!r->in.machine_name) {
252 return ADS_ERROR(LDAP_NO_MEMORY);
255 status = ads_find_machine_acct(r->in.ads,
258 if (!ADS_ERR_OK(status)) {
262 if (ads_count_replies(r->in.ads, res) != 1) {
263 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
267 dn = ads_get_dn(r->in.ads, res);
269 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
273 r->out.dn = talloc_strdup(mem_ctx, dn);
275 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
280 ads_msgfree(r->in.ads, res);
281 ads_memfree(r->in.ads, dn);
286 /****************************************************************
287 ****************************************************************/
289 static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
290 struct libnet_JoinCtx *r)
295 const char *spn_array[3] = {NULL, NULL, NULL};
299 status = libnet_join_connect_ads(mem_ctx, r);
300 if (!ADS_ERR_OK(status)) {
305 status = libnet_join_find_machine_acct(mem_ctx, r);
306 if (!ADS_ERR_OK(status)) {
310 spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
312 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
317 if (name_to_fqdn(my_fqdn, r->in.machine_name) &&
318 !strequal(my_fqdn, r->in.machine_name)) {
321 spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
323 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
328 mods = ads_init_mods(mem_ctx);
330 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
333 status = ads_mod_str(mem_ctx, &mods, "dNSHostName", my_fqdn);
334 if (!ADS_ERR_OK(status)) {
335 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
338 status = ads_mod_strlist(mem_ctx, &mods, "servicePrincipalName",
340 if (!ADS_ERR_OK(status)) {
341 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
344 return ads_gen_mod(r->in.ads, r->out.dn, mods);
347 /****************************************************************
348 ****************************************************************/
350 static ADS_STATUS libnet_join_set_machine_upn(TALLOC_CTX *mem_ctx,
351 struct libnet_JoinCtx *r)
356 if (!r->in.create_upn) {
361 status = libnet_join_connect_ads(mem_ctx, r);
362 if (!ADS_ERR_OK(status)) {
367 status = libnet_join_find_machine_acct(mem_ctx, r);
368 if (!ADS_ERR_OK(status)) {
373 r->in.upn = talloc_asprintf(mem_ctx,
376 r->out.dns_domain_name);
378 return ADS_ERROR(LDAP_NO_MEMORY);
382 mods = ads_init_mods(mem_ctx);
384 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
387 status = ads_mod_str(mem_ctx, &mods, "userPrincipalName", r->in.upn);
388 if (!ADS_ERR_OK(status)) {
389 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
392 return ads_gen_mod(r->in.ads, r->out.dn, mods);
396 /****************************************************************
397 ****************************************************************/
399 static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
400 struct libnet_JoinCtx *r)
406 if (!r->in.os_name || !r->in.os_version ) {
411 status = libnet_join_connect_ads(mem_ctx, r);
412 if (!ADS_ERR_OK(status)) {
417 status = libnet_join_find_machine_acct(mem_ctx, r);
418 if (!ADS_ERR_OK(status)) {
422 mods = ads_init_mods(mem_ctx);
424 return ADS_ERROR(LDAP_NO_MEMORY);
427 os_sp = talloc_asprintf(mem_ctx, "Samba %s", SAMBA_VERSION_STRING);
429 return ADS_ERROR(LDAP_NO_MEMORY);
432 status = ads_mod_str(mem_ctx, &mods, "operatingSystem",
434 if (!ADS_ERR_OK(status)) {
438 status = ads_mod_str(mem_ctx, &mods, "operatingSystemVersion",
440 if (!ADS_ERR_OK(status)) {
444 status = ads_mod_str(mem_ctx, &mods, "operatingSystemServicePack",
446 if (!ADS_ERR_OK(status)) {
450 return ads_gen_mod(r->in.ads, r->out.dn, mods);
453 /****************************************************************
454 ****************************************************************/
456 static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
457 struct libnet_JoinCtx *r)
459 if (!lp_use_kerberos_keytab()) {
463 if (!ads_keytab_create_default(r->in.ads)) {
470 /****************************************************************
471 ****************************************************************/
473 static bool libnet_join_derive_salting_principal(TALLOC_CTX *mem_ctx,
474 struct libnet_JoinCtx *r)
476 uint32_t domain_func;
478 const char *salt = NULL;
479 char *std_salt = NULL;
481 status = ads_domain_func_level(r->in.ads, &domain_func);
482 if (!ADS_ERR_OK(status)) {
483 libnet_join_set_error_string(mem_ctx, r,
484 "failed to determine domain functional level: %s",
489 std_salt = kerberos_standard_des_salt();
491 libnet_join_set_error_string(mem_ctx, r,
492 "failed to obtain standard DES salt");
496 salt = talloc_strdup(mem_ctx, std_salt);
503 if (domain_func == DS_DOMAIN_FUNCTION_2000) {
506 upn = ads_get_upn(r->in.ads, mem_ctx,
509 salt = talloc_strdup(mem_ctx, upn);
516 return kerberos_secrets_store_des_salt(salt);
519 /****************************************************************
520 ****************************************************************/
522 static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
523 struct libnet_JoinCtx *r)
527 status = libnet_join_set_machine_spn(mem_ctx, r);
528 if (!ADS_ERR_OK(status)) {
529 libnet_join_set_error_string(mem_ctx, r,
530 "failed to set machine spn: %s",
535 status = libnet_join_set_os_attributes(mem_ctx, r);
536 if (!ADS_ERR_OK(status)) {
537 libnet_join_set_error_string(mem_ctx, r,
538 "failed to set machine os attributes: %s",
543 status = libnet_join_set_machine_upn(mem_ctx, r);
544 if (!ADS_ERR_OK(status)) {
545 libnet_join_set_error_string(mem_ctx, r,
546 "failed to set machine upn: %s",
551 if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
552 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
555 if (!libnet_join_create_keytab(mem_ctx, r)) {
556 libnet_join_set_error_string(mem_ctx, r,
557 "failed to create kerberos keytab");
558 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
563 #endif /* WITH_ADS */
565 /****************************************************************
566 ****************************************************************/
568 static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx,
569 struct libnet_JoinCtx *r)
571 if (!secrets_store_domain_sid(r->out.netbios_domain_name,
577 if (!secrets_store_machine_password(r->in.machine_password,
578 r->out.netbios_domain_name,
587 /****************************************************************
588 ****************************************************************/
590 static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
591 struct libnet_JoinCtx *r)
593 struct cli_state *cli = NULL;
594 struct rpc_pipe_client *pipe_hnd = NULL;
595 POLICY_HND sam_pol, domain_pol, user_pol, lsa_pol;
596 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
598 struct lsa_String lsa_acct_name;
600 uint32 acb_info = ACB_WSTRUST;
601 uint32 fields_present;
603 SAM_USERINFO_CTR ctr;
604 SAM_USER_INFO_25 p25;
605 const int infolevel = 25;
606 struct MD5Context md5ctx;
608 DATA_BLOB digested_session_key;
609 uchar md4_trust_password[16];
610 union lsa_PolicyInformation *info = NULL;
611 struct samr_Ids user_rids;
612 struct samr_Ids name_types;
614 if (!r->in.machine_password) {
615 r->in.machine_password = talloc_strdup(mem_ctx, generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH));
616 NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
619 status = cli_full_connection(&cli, NULL,
625 r->in.admin_password,
629 if (!NT_STATUS_IS_OK(status)) {
633 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &status);
638 status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True,
639 SEC_RIGHTS_MAXIMUM_ALLOWED, &lsa_pol);
640 if (!NT_STATUS_IS_OK(status)) {
644 status = rpccli_lsa_QueryInfoPolicy2(pipe_hnd, mem_ctx,
648 if (NT_STATUS_IS_OK(status)) {
649 r->out.domain_is_ad = true;
650 r->out.netbios_domain_name = info->dns.name.string;
651 r->out.dns_domain_name = info->dns.dns_domain.string;
652 r->out.domain_sid = info->dns.sid;
655 if (!NT_STATUS_IS_OK(status)) {
656 status = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
658 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
660 if (!NT_STATUS_IS_OK(status)) {
664 r->out.netbios_domain_name = info->account_domain.name.string;
665 r->out.domain_sid = info->account_domain.sid;
668 rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol);
669 cli_rpc_pipe_close(pipe_hnd);
671 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &status);
676 status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
677 pipe_hnd->cli->desthost,
678 SEC_RIGHTS_MAXIMUM_ALLOWED,
680 if (!NT_STATUS_IS_OK(status)) {
684 status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
686 SEC_RIGHTS_MAXIMUM_ALLOWED,
689 if (!NT_STATUS_IS_OK(status)) {
693 acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name);
694 strlower_m(acct_name);
696 init_lsa_String(&lsa_acct_name, acct_name);
698 if (r->in.join_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE) {
699 uint32_t acct_flags =
700 SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE |
701 SEC_STD_WRITE_DAC | SEC_STD_DELETE |
702 SAMR_USER_ACCESS_SET_PASSWORD |
703 SAMR_USER_ACCESS_GET_ATTRIBUTES |
704 SAMR_USER_ACCESS_SET_ATTRIBUTES;
705 uint32_t access_granted = 0;
707 status = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx,
715 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
716 if (!(r->in.join_flags &
717 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED)) {
722 if (NT_STATUS_IS_OK(status)) {
723 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
727 status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
733 if (!NT_STATUS_IS_OK(status)) {
737 if (name_types.ids[0] != SID_NAME_USER) {
738 status = NT_STATUS_INVALID_WORKSTATION;
742 user_rid = user_rids.ids[0];
744 status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
746 SEC_RIGHTS_MAXIMUM_ALLOWED,
749 if (!NT_STATUS_IS_OK(status)) {
753 E_md4hash(r->in.machine_password, md4_trust_password);
754 encode_pw_buffer(pwbuf, r->in.machine_password, STR_UNICODE);
756 generate_random_buffer((uint8*)md5buffer, sizeof(md5buffer));
757 digested_session_key = data_blob_talloc(mem_ctx, 0, 16);
760 MD5Update(&md5ctx, md5buffer, sizeof(md5buffer));
761 MD5Update(&md5ctx, cli->user_session_key.data,
762 cli->user_session_key.length);
763 MD5Final(digested_session_key.data, &md5ctx);
765 SamOEMhashBlob(pwbuf, sizeof(pwbuf), &digested_session_key);
766 memcpy(&pwbuf[516], md5buffer, sizeof(md5buffer));
768 acb_info |= ACB_PWNOEXP;
769 if (r->out.domain_is_ad) {
770 #if !defined(ENCTYPE_ARCFOUR_HMAC)
771 acb_info |= ACB_USE_DES_KEY_ONLY;
779 fields_present = ACCT_NT_PWD_SET | ACCT_LM_PWD_SET |
780 SAMR_FIELD_ACCT_FLAGS;
781 init_sam_user_info25P(&p25, fields_present, acb_info, (char *)pwbuf);
783 ctr.switch_value = infolevel;
784 ctr.info.id25 = &p25;
786 status = rpccli_samr_set_userinfo2(pipe_hnd, mem_ctx, &user_pol,
787 infolevel, &cli->user_session_key,
789 if (!NT_STATUS_IS_OK(status)) {
793 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
794 cli_rpc_pipe_close(pipe_hnd);
796 status = NT_STATUS_OK;
805 /****************************************************************
806 ****************************************************************/
808 static bool libnet_join_unjoindomain_remove_secrets(TALLOC_CTX *mem_ctx,
809 struct libnet_UnjoinCtx *r)
811 if (!secrets_delete_machine_password_ex(lp_workgroup())) {
815 if (!secrets_delete_domain_sid(lp_workgroup())) {
822 /****************************************************************
823 ****************************************************************/
825 static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
826 struct libnet_UnjoinCtx *r)
828 struct cli_state *cli = NULL;
829 struct rpc_pipe_client *pipe_hnd = NULL;
830 POLICY_HND sam_pol, domain_pol, user_pol;
831 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
834 SAM_USERINFO_CTR ctr;
835 SAM_USER_INFO_16 p16;
836 struct lsa_String lsa_acct_name;
837 struct samr_Ids user_rids;
838 struct samr_Ids name_types;
839 union samr_UserInfo *info = NULL;
841 status = cli_full_connection(&cli, NULL,
847 r->in.admin_password,
850 if (!NT_STATUS_IS_OK(status)) {
854 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &status);
859 status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
860 pipe_hnd->cli->desthost,
861 SEC_RIGHTS_MAXIMUM_ALLOWED,
863 if (!NT_STATUS_IS_OK(status)) {
867 status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
869 SEC_RIGHTS_MAXIMUM_ALLOWED,
872 if (!NT_STATUS_IS_OK(status)) {
876 acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name);
877 strlower_m(acct_name);
879 init_lsa_String(&lsa_acct_name, acct_name);
881 status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
888 if (!NT_STATUS_IS_OK(status)) {
892 if (name_types.ids[0] != SID_NAME_USER) {
893 status = NT_STATUS_INVALID_WORKSTATION;
897 user_rid = user_rids.ids[0];
899 status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
901 SEC_RIGHTS_MAXIMUM_ALLOWED,
904 if (!NT_STATUS_IS_OK(status)) {
908 status = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx,
912 if (!NT_STATUS_IS_OK(status)) {
913 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
918 ctr.switch_value = 16;
919 ctr.info.id16 = &p16;
921 p16.acb_info = info->info16.acct_flags | ACB_DISABLED;
923 status = rpccli_samr_set_userinfo2(pipe_hnd, mem_ctx, &user_pol, 16,
924 &cli->user_session_key, &ctr);
926 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
930 rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
931 rpccli_samr_Close(pipe_hnd, mem_ctx, &sam_pol);
932 cli_rpc_pipe_close(pipe_hnd);
942 /****************************************************************
943 ****************************************************************/
945 static WERROR do_join_modify_vals_config(struct libnet_JoinCtx *r)
948 struct libnet_conf_ctx *ctx;
950 werr = libnet_conf_open(r, &ctx);
951 if (!W_ERROR_IS_OK(werr)) {
955 if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE)) {
957 werr = libnet_conf_set_global_parameter(ctx, "security", "user");
958 if (!W_ERROR_IS_OK(werr)) {
962 werr = libnet_conf_set_global_parameter(ctx, "workgroup",
967 werr = libnet_conf_set_global_parameter(ctx, "security", "domain");
968 if (!W_ERROR_IS_OK(werr)) {
972 werr = libnet_conf_set_global_parameter(ctx, "workgroup",
973 r->out.netbios_domain_name);
974 if (!W_ERROR_IS_OK(werr)) {
978 if (r->out.domain_is_ad) {
979 werr = libnet_conf_set_global_parameter(ctx, "security", "ads");
980 if (!W_ERROR_IS_OK(werr)) {
984 werr = libnet_conf_set_global_parameter(ctx, "realm",
985 r->out.dns_domain_name);
989 libnet_conf_close(ctx);
993 /****************************************************************
994 ****************************************************************/
996 static WERROR do_unjoin_modify_vals_config(struct libnet_UnjoinCtx *r)
998 WERROR werr = WERR_OK;
999 struct libnet_conf_ctx *ctx;
1001 werr = libnet_conf_open(r, &ctx);
1002 if (!W_ERROR_IS_OK(werr)) {
1006 if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1008 werr = libnet_conf_set_global_parameter(ctx, "security", "user");
1009 if (!W_ERROR_IS_OK(werr)) {
1014 libnet_conf_delete_global_parameter(ctx, "realm");
1017 libnet_conf_close(ctx);
1021 /****************************************************************
1022 ****************************************************************/
1024 static WERROR do_JoinConfig(struct libnet_JoinCtx *r)
1028 if (!W_ERROR_IS_OK(r->out.result)) {
1029 return r->out.result;
1032 if (!r->in.modify_config) {
1036 werr = do_join_modify_vals_config(r);
1037 if (!W_ERROR_IS_OK(werr)) {
1041 r->out.modified_config = true;
1042 r->out.result = werr;
1047 /****************************************************************
1048 ****************************************************************/
1050 static WERROR do_UnjoinConfig(struct libnet_UnjoinCtx *r)
1054 if (!W_ERROR_IS_OK(r->out.result)) {
1055 return r->out.result;
1058 if (!r->in.modify_config) {
1062 werr = do_unjoin_modify_vals_config(r);
1063 if (!W_ERROR_IS_OK(werr)) {
1067 r->out.modified_config = true;
1068 r->out.result = werr;
1073 /****************************************************************
1074 ****************************************************************/
1076 static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
1077 struct libnet_JoinCtx *r)
1080 if (!r->in.domain_name) {
1081 return WERR_INVALID_PARAM;
1084 if (r->in.modify_config && !lp_config_backend_is_registry()) {
1085 return WERR_NOT_SUPPORTED;
1089 return WERR_SETUP_DOMAIN_CONTROLLER;
1092 if (!secrets_init()) {
1093 libnet_join_set_error_string(mem_ctx, r,
1094 "Unable to open secrets database");
1095 return WERR_CAN_NOT_COMPLETE;
1101 /****************************************************************
1102 ****************************************************************/
1104 static WERROR libnet_join_post_processing(TALLOC_CTX *mem_ctx,
1105 struct libnet_JoinCtx *r)
1109 if (!W_ERROR_IS_OK(r->out.result)) {
1110 return r->out.result;
1113 werr = do_JoinConfig(r);
1114 if (!W_ERROR_IS_OK(werr)) {
1118 if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1119 saf_store(r->in.domain_name, r->in.dc_name);
1125 /****************************************************************
1126 ****************************************************************/
1128 static int libnet_destroy_JoinCtx(struct libnet_JoinCtx *r)
1131 ads_destroy(&r->in.ads);
1137 /****************************************************************
1138 ****************************************************************/
1140 static int libnet_destroy_UnjoinCtx(struct libnet_UnjoinCtx *r)
1143 ads_destroy(&r->in.ads);
1149 /****************************************************************
1150 ****************************************************************/
1152 WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
1153 struct libnet_JoinCtx **r)
1155 struct libnet_JoinCtx *ctx;
1157 ctx = talloc_zero(mem_ctx, struct libnet_JoinCtx);
1162 talloc_set_destructor(ctx, libnet_destroy_JoinCtx);
1164 ctx->in.machine_name = talloc_strdup(mem_ctx, global_myname());
1165 W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
1172 /****************************************************************
1173 ****************************************************************/
1175 WERROR libnet_init_UnjoinCtx(TALLOC_CTX *mem_ctx,
1176 struct libnet_UnjoinCtx **r)
1178 struct libnet_UnjoinCtx *ctx;
1180 ctx = talloc_zero(mem_ctx, struct libnet_UnjoinCtx);
1185 talloc_set_destructor(ctx, libnet_destroy_UnjoinCtx);
1187 ctx->in.machine_name = talloc_strdup(mem_ctx, global_myname());
1188 W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
1195 /****************************************************************
1196 ****************************************************************/
1198 static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
1199 struct libnet_JoinCtx *r)
1203 ADS_STATUS ads_status;
1204 #endif /* WITH_ADS */
1206 if (!r->in.dc_name) {
1207 struct DS_DOMAIN_CONTROLLER_INFO *info;
1208 status = dsgetdcname(mem_ctx,
1212 DS_DIRECTORY_SERVICE_REQUIRED |
1213 DS_WRITABLE_REQUIRED |
1216 if (!NT_STATUS_IS_OK(status)) {
1217 libnet_join_set_error_string(mem_ctx, r,
1218 "failed to find DC for domain %s",
1220 get_friendly_nt_error_msg(status));
1221 return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
1224 r->in.dc_name = talloc_strdup(mem_ctx,
1225 info->domain_controller_name);
1226 W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
1230 if (r->in.account_ou) {
1232 ads_status = libnet_join_connect_ads(mem_ctx, r);
1233 if (!ADS_ERR_OK(ads_status)) {
1234 return WERR_DEFAULT_JOIN_REQUIRED;
1237 ads_status = libnet_join_precreate_machine_acct(mem_ctx, r);
1238 if (!ADS_ERR_OK(ads_status)) {
1239 libnet_join_set_error_string(mem_ctx, r,
1240 "failed to precreate account in ou %s: %s",
1242 ads_errstr(ads_status));
1243 return WERR_DEFAULT_JOIN_REQUIRED;
1246 r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE;
1248 #endif /* WITH_ADS */
1250 status = libnet_join_joindomain_rpc(mem_ctx, r);
1251 if (!NT_STATUS_IS_OK(status)) {
1252 libnet_join_set_error_string(mem_ctx, r,
1253 "failed to join domain over rpc: %s",
1254 get_friendly_nt_error_msg(status));
1255 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
1256 return WERR_SETUP_ALREADY_JOINED;
1258 return ntstatus_to_werror(status);
1261 if (!libnet_join_joindomain_store_secrets(mem_ctx, r)) {
1262 return WERR_SETUP_NOT_JOINED;
1266 if (r->out.domain_is_ad) {
1267 ads_status = libnet_join_post_processing_ads(mem_ctx, r);
1268 if (!ADS_ERR_OK(ads_status)) {
1269 return WERR_GENERAL_FAILURE;
1272 #endif /* WITH_ADS */
1277 /****************************************************************
1278 ****************************************************************/
1280 WERROR libnet_Join(TALLOC_CTX *mem_ctx,
1281 struct libnet_JoinCtx *r)
1286 LIBNET_JOIN_IN_DUMP_CTX(mem_ctx, r);
1289 werr = libnet_join_pre_processing(mem_ctx, r);
1290 if (!W_ERROR_IS_OK(werr)) {
1294 if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1295 werr = libnet_DomainJoin(mem_ctx, r);
1296 if (!W_ERROR_IS_OK(werr)) {
1301 werr = libnet_join_post_processing(mem_ctx, r);
1302 if (!W_ERROR_IS_OK(werr)) {
1306 r->out.result = werr;
1309 LIBNET_JOIN_OUT_DUMP_CTX(mem_ctx, r);
1314 /****************************************************************
1315 ****************************************************************/
1317 static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
1318 struct libnet_UnjoinCtx *r)
1322 if (!r->in.domain_sid) {
1324 if (!secrets_fetch_domain_sid(lp_workgroup(), &sid)) {
1325 libnet_unjoin_set_error_string(mem_ctx, r,
1326 "Unable to fetch domain sid: are we joined?");
1327 return WERR_SETUP_NOT_JOINED;
1329 r->in.domain_sid = sid_dup_talloc(mem_ctx, &sid);
1330 W_ERROR_HAVE_NO_MEMORY(r->in.domain_sid);
1333 if (!r->in.dc_name) {
1334 struct DS_DOMAIN_CONTROLLER_INFO *info;
1335 status = dsgetdcname(mem_ctx,
1339 DS_DIRECTORY_SERVICE_REQUIRED |
1340 DS_WRITABLE_REQUIRED |
1343 if (!NT_STATUS_IS_OK(status)) {
1344 libnet_unjoin_set_error_string(mem_ctx, r,
1345 "failed to find DC for domain %s",
1347 get_friendly_nt_error_msg(status));
1348 return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
1351 r->in.dc_name = talloc_strdup(mem_ctx,
1352 info->domain_controller_name);
1353 W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
1356 status = libnet_join_unjoindomain_rpc(mem_ctx, r);
1357 if (!NT_STATUS_IS_OK(status)) {
1358 libnet_unjoin_set_error_string(mem_ctx, r,
1359 "failed to disable machine account via rpc: %s",
1360 get_friendly_nt_error_msg(status));
1361 if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1362 return WERR_SETUP_NOT_JOINED;
1364 return ntstatus_to_werror(status);
1368 if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) {
1369 ADS_STATUS ads_status;
1370 libnet_unjoin_connect_ads(mem_ctx, r);
1371 ads_status = libnet_unjoin_remove_machine_acct(mem_ctx, r);
1372 if (!ADS_ERR_OK(ads_status)) {
1373 libnet_unjoin_set_error_string(mem_ctx, r,
1374 "failed to remove machine account from AD: %s",
1375 ads_errstr(ads_status));
1378 #endif /* WITH_ADS */
1380 libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
1385 /****************************************************************
1386 ****************************************************************/
1388 static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx,
1389 struct libnet_UnjoinCtx *r)
1391 if (r->in.modify_config && !lp_config_backend_is_registry()) {
1392 return WERR_NOT_SUPPORTED;
1395 if (!secrets_init()) {
1396 libnet_unjoin_set_error_string(mem_ctx, r,
1397 "Unable to open secrets database");
1398 return WERR_CAN_NOT_COMPLETE;
1405 /****************************************************************
1406 ****************************************************************/
1408 WERROR libnet_Unjoin(TALLOC_CTX *mem_ctx,
1409 struct libnet_UnjoinCtx *r)
1414 LIBNET_UNJOIN_IN_DUMP_CTX(mem_ctx, r);
1417 werr = libnet_unjoin_pre_processing(mem_ctx, r);
1418 if (!W_ERROR_IS_OK(werr)) {
1422 if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1423 werr = libnet_DomainUnjoin(mem_ctx, r);
1424 if (!W_ERROR_IS_OK(werr)) {
1429 werr = do_UnjoinConfig(r);
1430 if (!W_ERROR_IS_OK(werr)) {
1435 r->out.result = werr;
1438 LIBNET_UNJOIN_OUT_DUMP_CTX(mem_ctx, r);