2 * Unix SMB/CIFS implementation.
4 * Copyright (C) Gerald (Jerry) Carter 2006
5 * Copyright (C) Guenther Deschner 2007-2008
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "libnet/libnet.h"
24 /****************************************************************
25 ****************************************************************/
27 #define LIBNET_JOIN_DUMP_CTX(ctx, r, f) \
30 str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_JoinCtx, f, r); \
31 DEBUG(1,("libnet_Join:\n%s", str)); \
35 #define LIBNET_JOIN_IN_DUMP_CTX(ctx, r) \
36 LIBNET_JOIN_DUMP_CTX(ctx, r, NDR_IN | NDR_SET_VALUES)
37 #define LIBNET_JOIN_OUT_DUMP_CTX(ctx, r) \
38 LIBNET_JOIN_DUMP_CTX(ctx, r, NDR_OUT)
40 #define LIBNET_UNJOIN_DUMP_CTX(ctx, r, f) \
43 str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_UnjoinCtx, f, r); \
44 DEBUG(1,("libnet_Unjoin:\n%s", str)); \
48 #define LIBNET_UNJOIN_IN_DUMP_CTX(ctx, r) \
49 LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_IN | NDR_SET_VALUES)
50 #define LIBNET_UNJOIN_OUT_DUMP_CTX(ctx, r) \
51 LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_OUT)
53 #define W_ERROR_NOT_OK_GOTO_DONE(x) do { \
54 if (!W_ERROR_IS_OK(x)) {\
59 /****************************************************************
60 ****************************************************************/
62 static void libnet_join_set_error_string(TALLOC_CTX *mem_ctx,
63 struct libnet_JoinCtx *r,
64 const char *format, ...)
68 if (r->out.error_string) {
72 va_start(args, format);
73 r->out.error_string = talloc_vasprintf(mem_ctx, format, args);
77 /****************************************************************
78 ****************************************************************/
80 static void libnet_unjoin_set_error_string(TALLOC_CTX *mem_ctx,
81 struct libnet_UnjoinCtx *r,
82 const char *format, ...)
86 if (r->out.error_string) {
90 va_start(args, format);
91 r->out.error_string = talloc_vasprintf(mem_ctx, format, args);
97 /****************************************************************
98 ****************************************************************/
100 static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
101 const char *netbios_domain_name,
103 const char *user_name,
104 const char *password,
108 ADS_STRUCT *my_ads = NULL;
110 my_ads = ads_init(dns_domain_name,
114 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
118 SAFE_FREE(my_ads->auth.user_name);
119 my_ads->auth.user_name = SMB_STRDUP(user_name);
123 SAFE_FREE(my_ads->auth.password);
124 my_ads->auth.password = SMB_STRDUP(password);
127 status = ads_connect(my_ads);
128 if (!ADS_ERR_OK(status)) {
129 ads_destroy(&my_ads);
137 /****************************************************************
138 ****************************************************************/
140 static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
141 struct libnet_JoinCtx *r)
145 status = libnet_connect_ads(r->in.domain_name,
149 r->in.admin_password,
151 if (!ADS_ERR_OK(status)) {
152 libnet_join_set_error_string(mem_ctx, r,
153 "failed to connect to AD: %s",
158 if (!r->out.netbios_domain_name) {
159 r->out.netbios_domain_name = talloc_strdup(mem_ctx,
160 r->in.ads->server.workgroup);
161 ADS_ERROR_HAVE_NO_MEMORY(r->out.netbios_domain_name);
164 if (!r->out.dns_domain_name) {
165 r->out.dns_domain_name = talloc_strdup(mem_ctx,
166 r->in.ads->config.realm);
167 ADS_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name);
170 r->out.domain_is_ad = true;
175 /****************************************************************
176 ****************************************************************/
178 static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx,
179 struct libnet_UnjoinCtx *r)
183 status = libnet_connect_ads(r->in.domain_name,
187 r->in.admin_password,
189 if (!ADS_ERR_OK(status)) {
190 libnet_unjoin_set_error_string(mem_ctx, r,
191 "failed to connect to AD: %s",
198 /****************************************************************
199 ****************************************************************/
201 static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx,
202 struct libnet_JoinCtx *r)
205 LDAPMessage *res = NULL;
206 const char *attrs[] = { "dn", NULL };
208 status = ads_search_dn(r->in.ads, &res, r->in.account_ou, attrs);
209 if (!ADS_ERR_OK(status)) {
213 if (ads_count_replies(r->in.ads, res) != 1) {
214 ads_msgfree(r->in.ads, res);
215 return ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT);
218 status = ads_create_machine_acct(r->in.ads,
221 ads_msgfree(r->in.ads, res);
223 if ((status.error_type == ENUM_ADS_ERROR_LDAP) &&
224 (status.err.rc == LDAP_ALREADY_EXISTS)) {
225 status = ADS_SUCCESS;
231 /****************************************************************
232 ****************************************************************/
234 static ADS_STATUS libnet_unjoin_remove_machine_acct(TALLOC_CTX *mem_ctx,
235 struct libnet_UnjoinCtx *r)
240 status = libnet_unjoin_connect_ads(mem_ctx, r);
241 if (!ADS_ERR_OK(status)) {
246 status = ads_leave_realm(r->in.ads, r->in.machine_name);
247 if (!ADS_ERR_OK(status)) {
248 libnet_unjoin_set_error_string(mem_ctx, r,
249 "failed to leave realm: %s",
257 /****************************************************************
258 ****************************************************************/
260 static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx,
261 struct libnet_JoinCtx *r)
264 LDAPMessage *res = NULL;
267 if (!r->in.machine_name) {
268 return ADS_ERROR(LDAP_NO_MEMORY);
271 status = ads_find_machine_acct(r->in.ads,
274 if (!ADS_ERR_OK(status)) {
278 if (ads_count_replies(r->in.ads, res) != 1) {
279 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
283 dn = ads_get_dn(r->in.ads, res);
285 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
289 r->out.dn = talloc_strdup(mem_ctx, dn);
291 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
296 ads_msgfree(r->in.ads, res);
297 ads_memfree(r->in.ads, dn);
302 /****************************************************************
303 ****************************************************************/
305 static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
306 struct libnet_JoinCtx *r)
311 const char *spn_array[3] = {NULL, NULL, NULL};
314 status = libnet_join_find_machine_acct(mem_ctx, r);
315 if (!ADS_ERR_OK(status)) {
319 spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
321 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
326 if (name_to_fqdn(my_fqdn, r->in.machine_name) &&
327 !strequal(my_fqdn, r->in.machine_name)) {
330 spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
332 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
337 mods = ads_init_mods(mem_ctx);
339 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
342 status = ads_mod_str(mem_ctx, &mods, "dNSHostName", my_fqdn);
343 if (!ADS_ERR_OK(status)) {
344 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
347 status = ads_mod_strlist(mem_ctx, &mods, "servicePrincipalName",
349 if (!ADS_ERR_OK(status)) {
350 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
353 return ads_gen_mod(r->in.ads, r->out.dn, mods);
356 /****************************************************************
357 ****************************************************************/
359 static ADS_STATUS libnet_join_set_machine_upn(TALLOC_CTX *mem_ctx,
360 struct libnet_JoinCtx *r)
365 if (!r->in.create_upn) {
369 status = libnet_join_find_machine_acct(mem_ctx, r);
370 if (!ADS_ERR_OK(status)) {
375 r->in.upn = talloc_asprintf(mem_ctx,
378 r->out.dns_domain_name);
380 return ADS_ERROR(LDAP_NO_MEMORY);
384 mods = ads_init_mods(mem_ctx);
386 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
389 status = ads_mod_str(mem_ctx, &mods, "userPrincipalName", r->in.upn);
390 if (!ADS_ERR_OK(status)) {
391 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
394 return ads_gen_mod(r->in.ads, r->out.dn, mods);
398 /****************************************************************
399 ****************************************************************/
401 static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
402 struct libnet_JoinCtx *r)
408 if (!r->in.os_name || !r->in.os_version ) {
412 status = libnet_join_find_machine_acct(mem_ctx, r);
413 if (!ADS_ERR_OK(status)) {
417 mods = ads_init_mods(mem_ctx);
419 return ADS_ERROR(LDAP_NO_MEMORY);
422 os_sp = talloc_asprintf(mem_ctx, "Samba %s", SAMBA_VERSION_STRING);
424 return ADS_ERROR(LDAP_NO_MEMORY);
427 status = ads_mod_str(mem_ctx, &mods, "operatingSystem",
429 if (!ADS_ERR_OK(status)) {
433 status = ads_mod_str(mem_ctx, &mods, "operatingSystemVersion",
435 if (!ADS_ERR_OK(status)) {
439 status = ads_mod_str(mem_ctx, &mods, "operatingSystemServicePack",
441 if (!ADS_ERR_OK(status)) {
445 return ads_gen_mod(r->in.ads, r->out.dn, mods);
448 /****************************************************************
449 ****************************************************************/
451 static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
452 struct libnet_JoinCtx *r)
454 if (!lp_use_kerberos_keytab()) {
458 if (!ads_keytab_create_default(r->in.ads)) {
465 /****************************************************************
466 ****************************************************************/
468 static bool libnet_join_derive_salting_principal(TALLOC_CTX *mem_ctx,
469 struct libnet_JoinCtx *r)
471 uint32_t domain_func;
473 const char *salt = NULL;
474 char *std_salt = NULL;
476 status = ads_domain_func_level(r->in.ads, &domain_func);
477 if (!ADS_ERR_OK(status)) {
478 libnet_join_set_error_string(mem_ctx, r,
479 "failed to determine domain functional level: %s",
484 std_salt = kerberos_standard_des_salt();
486 libnet_join_set_error_string(mem_ctx, r,
487 "failed to obtain standard DES salt");
491 salt = talloc_strdup(mem_ctx, std_salt);
498 if (domain_func == DS_DOMAIN_FUNCTION_2000) {
501 upn = ads_get_upn(r->in.ads, mem_ctx,
504 salt = talloc_strdup(mem_ctx, upn);
511 return kerberos_secrets_store_des_salt(salt);
514 /****************************************************************
515 ****************************************************************/
517 static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
518 struct libnet_JoinCtx *r)
523 status = libnet_join_connect_ads(mem_ctx, r);
524 if (!ADS_ERR_OK(status)) {
529 status = libnet_join_set_machine_spn(mem_ctx, r);
530 if (!ADS_ERR_OK(status)) {
531 libnet_join_set_error_string(mem_ctx, r,
532 "failed to set machine spn: %s",
537 status = libnet_join_set_os_attributes(mem_ctx, r);
538 if (!ADS_ERR_OK(status)) {
539 libnet_join_set_error_string(mem_ctx, r,
540 "failed to set machine os attributes: %s",
545 status = libnet_join_set_machine_upn(mem_ctx, r);
546 if (!ADS_ERR_OK(status)) {
547 libnet_join_set_error_string(mem_ctx, r,
548 "failed to set machine upn: %s",
553 if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
554 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
557 if (!libnet_join_create_keytab(mem_ctx, r)) {
558 libnet_join_set_error_string(mem_ctx, r,
559 "failed to create kerberos keytab");
560 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
565 #endif /* WITH_ADS */
567 /****************************************************************
568 ****************************************************************/
570 static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx,
571 struct libnet_JoinCtx *r)
573 if (!secrets_store_domain_sid(r->out.netbios_domain_name,
579 if (!secrets_store_machine_password(r->in.machine_password,
580 r->out.netbios_domain_name,
589 /****************************************************************
590 ****************************************************************/
592 static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
593 struct libnet_JoinCtx *r)
595 struct cli_state *cli = NULL;
596 struct rpc_pipe_client *pipe_hnd = NULL;
597 POLICY_HND sam_pol, domain_pol, user_pol, lsa_pol;
598 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
600 struct lsa_String lsa_acct_name;
602 uint32 acb_info = ACB_WSTRUST;
604 struct MD5Context md5ctx;
606 DATA_BLOB digested_session_key;
607 uchar md4_trust_password[16];
608 union lsa_PolicyInformation *info = NULL;
609 struct samr_Ids user_rids;
610 struct samr_Ids name_types;
611 union samr_UserInfo user_info;
613 if (!r->in.machine_password) {
614 r->in.machine_password = talloc_strdup(mem_ctx, generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH));
615 NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
618 status = cli_full_connection(&cli, NULL,
624 r->in.admin_password,
628 if (!NT_STATUS_IS_OK(status)) {
632 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &status);
637 status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True,
638 SEC_RIGHTS_MAXIMUM_ALLOWED, &lsa_pol);
639 if (!NT_STATUS_IS_OK(status)) {
643 status = rpccli_lsa_QueryInfoPolicy2(pipe_hnd, mem_ctx,
647 if (NT_STATUS_IS_OK(status)) {
648 r->out.domain_is_ad = true;
649 r->out.netbios_domain_name = info->dns.name.string;
650 r->out.dns_domain_name = info->dns.dns_domain.string;
651 r->out.domain_sid = info->dns.sid;
654 if (!NT_STATUS_IS_OK(status)) {
655 status = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
657 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
659 if (!NT_STATUS_IS_OK(status)) {
663 r->out.netbios_domain_name = info->account_domain.name.string;
664 r->out.domain_sid = info->account_domain.sid;
667 rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol);
668 cli_rpc_pipe_close(pipe_hnd);
670 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &status);
675 status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
676 pipe_hnd->cli->desthost,
677 SEC_RIGHTS_MAXIMUM_ALLOWED,
679 if (!NT_STATUS_IS_OK(status)) {
683 status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
685 SEC_RIGHTS_MAXIMUM_ALLOWED,
688 if (!NT_STATUS_IS_OK(status)) {
692 acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name);
693 strlower_m(acct_name);
695 init_lsa_String(&lsa_acct_name, acct_name);
697 if (r->in.join_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE) {
698 uint32_t acct_flags =
699 SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE |
700 SEC_STD_WRITE_DAC | SEC_STD_DELETE |
701 SAMR_USER_ACCESS_SET_PASSWORD |
702 SAMR_USER_ACCESS_GET_ATTRIBUTES |
703 SAMR_USER_ACCESS_SET_ATTRIBUTES;
704 uint32_t access_granted = 0;
706 status = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx,
714 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
715 if (!(r->in.join_flags &
716 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED)) {
721 if (NT_STATUS_IS_OK(status)) {
722 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
726 status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
732 if (!NT_STATUS_IS_OK(status)) {
736 if (name_types.ids[0] != SID_NAME_USER) {
737 status = NT_STATUS_INVALID_WORKSTATION;
741 user_rid = user_rids.ids[0];
743 status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
745 SEC_RIGHTS_MAXIMUM_ALLOWED,
748 if (!NT_STATUS_IS_OK(status)) {
752 E_md4hash(r->in.machine_password, md4_trust_password);
753 encode_pw_buffer(pwbuf, r->in.machine_password, STR_UNICODE);
755 generate_random_buffer((uint8*)md5buffer, sizeof(md5buffer));
756 digested_session_key = data_blob_talloc(mem_ctx, 0, 16);
759 MD5Update(&md5ctx, md5buffer, sizeof(md5buffer));
760 MD5Update(&md5ctx, cli->user_session_key.data,
761 cli->user_session_key.length);
762 MD5Final(digested_session_key.data, &md5ctx);
764 SamOEMhashBlob(pwbuf, sizeof(pwbuf), &digested_session_key);
765 memcpy(&pwbuf[516], md5buffer, sizeof(md5buffer));
767 acb_info |= ACB_PWNOEXP;
768 if (r->out.domain_is_ad) {
769 #if !defined(ENCTYPE_ARCFOUR_HMAC)
770 acb_info |= ACB_USE_DES_KEY_ONLY;
775 ZERO_STRUCT(user_info.info25);
777 user_info.info25.info.fields_present = ACCT_NT_PWD_SET |
779 SAMR_FIELD_ACCT_FLAGS;
780 user_info.info25.info.acct_flags = acb_info;
781 memcpy(&user_info.info25.password.data, pwbuf, sizeof(pwbuf));
783 status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
787 if (!NT_STATUS_IS_OK(status)) {
791 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
792 cli_rpc_pipe_close(pipe_hnd);
794 status = NT_STATUS_OK;
803 /****************************************************************
804 ****************************************************************/
806 NTSTATUS libnet_join_ok(const char *netbios_domain_name,
807 const char *machine_name,
810 uint32_t neg_flags = NETLOGON_NEG_AUTH2_FLAGS |
811 NETLOGON_NEG_SCHANNEL;
812 /* FIXME: NETLOGON_NEG_SELECT_AUTH2_FLAGS */
813 struct cli_state *cli = NULL;
814 struct rpc_pipe_client *pipe_hnd = NULL;
815 struct rpc_pipe_client *netlogon_pipe = NULL;
817 char *machine_password = NULL;
818 char *machine_account = NULL;
821 return NT_STATUS_INVALID_PARAMETER;
824 if (!secrets_init()) {
825 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
828 machine_password = secrets_fetch_machine_password(netbios_domain_name,
830 if (!machine_password) {
831 return NT_STATUS_NO_TRUST_LSA_SECRET;
834 asprintf(&machine_account, "%s$", machine_name);
835 if (!machine_account) {
836 SAFE_FREE(machine_password);
837 return NT_STATUS_NO_MEMORY;
840 status = cli_full_connection(&cli, NULL,
849 free(machine_account);
850 free(machine_password);
852 if (!NT_STATUS_IS_OK(status)) {
853 status = cli_full_connection(&cli, NULL,
864 if (!NT_STATUS_IS_OK(status)) {
868 netlogon_pipe = get_schannel_session_key(cli,
870 &neg_flags, &status);
871 if (!netlogon_pipe) {
872 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_NETWORK_RESPONSE)) {
877 DEBUG(0,("libnet_join_ok: failed to get schannel session "
878 "key from server %s for domain %s. Error was %s\n",
879 cli->desthost, netbios_domain_name, nt_errstr(status)));
884 if (!lp_client_schannel()) {
889 pipe_hnd = cli_rpc_pipe_open_schannel_with_key(cli, PI_NETLOGON,
890 PIPE_AUTH_LEVEL_PRIVACY,
898 DEBUG(0,("libnet_join_ok: failed to open schannel session "
899 "on netlogon pipe to server %s for domain %s. "
901 cli->desthost, netbios_domain_name, nt_errstr(status)));
908 /****************************************************************
909 ****************************************************************/
911 static WERROR libnet_join_post_verify(TALLOC_CTX *mem_ctx,
912 struct libnet_JoinCtx *r)
916 status = libnet_join_ok(r->out.netbios_domain_name,
919 if (!NT_STATUS_IS_OK(status)) {
920 libnet_join_set_error_string(mem_ctx, r,
921 "failed to verify domain membership after joining: %s",
922 get_friendly_nt_error_msg(status));
923 return WERR_SETUP_NOT_JOINED;
929 /****************************************************************
930 ****************************************************************/
932 static bool libnet_join_unjoindomain_remove_secrets(TALLOC_CTX *mem_ctx,
933 struct libnet_UnjoinCtx *r)
935 if (!secrets_delete_machine_password_ex(lp_workgroup())) {
939 if (!secrets_delete_domain_sid(lp_workgroup())) {
946 /****************************************************************
947 ****************************************************************/
949 static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
950 struct libnet_UnjoinCtx *r)
952 struct cli_state *cli = NULL;
953 struct rpc_pipe_client *pipe_hnd = NULL;
954 POLICY_HND sam_pol, domain_pol, user_pol;
955 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
958 struct lsa_String lsa_acct_name;
959 struct samr_Ids user_rids;
960 struct samr_Ids name_types;
961 union samr_UserInfo *info = NULL;
963 status = cli_full_connection(&cli, NULL,
969 r->in.admin_password,
972 if (!NT_STATUS_IS_OK(status)) {
976 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &status);
981 status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
982 pipe_hnd->cli->desthost,
983 SEC_RIGHTS_MAXIMUM_ALLOWED,
985 if (!NT_STATUS_IS_OK(status)) {
989 status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
991 SEC_RIGHTS_MAXIMUM_ALLOWED,
994 if (!NT_STATUS_IS_OK(status)) {
998 acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name);
999 strlower_m(acct_name);
1001 init_lsa_String(&lsa_acct_name, acct_name);
1003 status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
1010 if (!NT_STATUS_IS_OK(status)) {
1014 if (name_types.ids[0] != SID_NAME_USER) {
1015 status = NT_STATUS_INVALID_WORKSTATION;
1019 user_rid = user_rids.ids[0];
1021 status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
1023 SEC_RIGHTS_MAXIMUM_ALLOWED,
1026 if (!NT_STATUS_IS_OK(status)) {
1030 status = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx,
1034 if (!NT_STATUS_IS_OK(status)) {
1035 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
1039 info->info16.acct_flags |= ACB_DISABLED;
1041 status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
1046 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
1050 rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
1051 rpccli_samr_Close(pipe_hnd, mem_ctx, &sam_pol);
1052 cli_rpc_pipe_close(pipe_hnd);
1062 /****************************************************************
1063 ****************************************************************/
1065 static WERROR do_join_modify_vals_config(struct libnet_JoinCtx *r)
1068 struct libnet_conf_ctx *ctx;
1070 werr = libnet_conf_open(r, &ctx);
1071 if (!W_ERROR_IS_OK(werr)) {
1075 if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE)) {
1077 werr = libnet_conf_set_global_parameter(ctx, "security", "user");
1078 W_ERROR_NOT_OK_GOTO_DONE(werr);
1080 werr = libnet_conf_set_global_parameter(ctx, "workgroup",
1085 werr = libnet_conf_set_global_parameter(ctx, "security", "domain");
1086 W_ERROR_NOT_OK_GOTO_DONE(werr);
1088 werr = libnet_conf_set_global_parameter(ctx, "workgroup",
1089 r->out.netbios_domain_name);
1090 W_ERROR_NOT_OK_GOTO_DONE(werr);
1092 if (r->out.domain_is_ad) {
1093 werr = libnet_conf_set_global_parameter(ctx, "security", "ads");
1094 W_ERROR_NOT_OK_GOTO_DONE(werr);
1096 werr = libnet_conf_set_global_parameter(ctx, "realm",
1097 r->out.dns_domain_name);
1098 W_ERROR_NOT_OK_GOTO_DONE(werr);
1102 libnet_conf_close(ctx);
1106 /****************************************************************
1107 ****************************************************************/
1109 static WERROR do_unjoin_modify_vals_config(struct libnet_UnjoinCtx *r)
1111 WERROR werr = WERR_OK;
1112 struct libnet_conf_ctx *ctx;
1114 werr = libnet_conf_open(r, &ctx);
1115 if (!W_ERROR_IS_OK(werr)) {
1119 if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1121 werr = libnet_conf_set_global_parameter(ctx, "security", "user");
1122 W_ERROR_NOT_OK_GOTO_DONE(werr);
1123 libnet_conf_delete_global_parameter(ctx, "realm");
1127 libnet_conf_close(ctx);
1131 /****************************************************************
1132 ****************************************************************/
1134 static WERROR do_JoinConfig(struct libnet_JoinCtx *r)
1138 if (!W_ERROR_IS_OK(r->out.result)) {
1139 return r->out.result;
1142 if (!r->in.modify_config) {
1146 werr = do_join_modify_vals_config(r);
1147 if (!W_ERROR_IS_OK(werr)) {
1151 r->out.modified_config = true;
1152 r->out.result = werr;
1157 /****************************************************************
1158 ****************************************************************/
1160 static WERROR libnet_unjoin_config(struct libnet_UnjoinCtx *r)
1164 if (!W_ERROR_IS_OK(r->out.result)) {
1165 return r->out.result;
1168 if (!r->in.modify_config) {
1172 werr = do_unjoin_modify_vals_config(r);
1173 if (!W_ERROR_IS_OK(werr)) {
1177 r->out.modified_config = true;
1178 r->out.result = werr;
1183 /****************************************************************
1184 ****************************************************************/
1186 static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
1187 struct libnet_JoinCtx *r)
1189 if (!r->in.domain_name) {
1190 libnet_join_set_error_string(mem_ctx, r,
1191 "No domain name defined");
1192 return WERR_INVALID_PARAM;
1195 if (r->in.modify_config && !lp_config_backend_is_registry()) {
1196 return WERR_NOT_SUPPORTED;
1200 return WERR_SETUP_DOMAIN_CONTROLLER;
1203 if (!secrets_init()) {
1204 libnet_join_set_error_string(mem_ctx, r,
1205 "Unable to open secrets database");
1206 return WERR_CAN_NOT_COMPLETE;
1212 /****************************************************************
1213 ****************************************************************/
1215 static WERROR libnet_join_post_processing(TALLOC_CTX *mem_ctx,
1216 struct libnet_JoinCtx *r)
1220 if (!W_ERROR_IS_OK(r->out.result)) {
1221 return r->out.result;
1224 werr = do_JoinConfig(r);
1225 if (!W_ERROR_IS_OK(werr)) {
1229 if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1230 saf_store(r->in.domain_name, r->in.dc_name);
1236 /****************************************************************
1237 ****************************************************************/
1239 static int libnet_destroy_JoinCtx(struct libnet_JoinCtx *r)
1242 ads_destroy(&r->in.ads);
1248 /****************************************************************
1249 ****************************************************************/
1251 static int libnet_destroy_UnjoinCtx(struct libnet_UnjoinCtx *r)
1254 ads_destroy(&r->in.ads);
1260 /****************************************************************
1261 ****************************************************************/
1263 WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
1264 struct libnet_JoinCtx **r)
1266 struct libnet_JoinCtx *ctx;
1268 ctx = talloc_zero(mem_ctx, struct libnet_JoinCtx);
1273 talloc_set_destructor(ctx, libnet_destroy_JoinCtx);
1275 ctx->in.machine_name = talloc_strdup(mem_ctx, global_myname());
1276 W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
1283 /****************************************************************
1284 ****************************************************************/
1286 WERROR libnet_init_UnjoinCtx(TALLOC_CTX *mem_ctx,
1287 struct libnet_UnjoinCtx **r)
1289 struct libnet_UnjoinCtx *ctx;
1291 ctx = talloc_zero(mem_ctx, struct libnet_UnjoinCtx);
1296 talloc_set_destructor(ctx, libnet_destroy_UnjoinCtx);
1298 ctx->in.machine_name = talloc_strdup(mem_ctx, global_myname());
1299 W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
1306 /****************************************************************
1307 ****************************************************************/
1309 static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
1310 struct libnet_JoinCtx *r)
1314 ADS_STATUS ads_status;
1315 #endif /* WITH_ADS */
1317 if (!r->in.dc_name) {
1318 struct netr_DsRGetDCNameInfo *info;
1319 status = dsgetdcname(mem_ctx,
1323 DS_DIRECTORY_SERVICE_REQUIRED |
1324 DS_WRITABLE_REQUIRED |
1327 if (!NT_STATUS_IS_OK(status)) {
1328 libnet_join_set_error_string(mem_ctx, r,
1329 "failed to find DC for domain %s",
1331 get_friendly_nt_error_msg(status));
1332 return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
1335 r->in.dc_name = talloc_strdup(mem_ctx,
1337 W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
1341 if (r->in.account_ou) {
1343 ads_status = libnet_join_connect_ads(mem_ctx, r);
1344 if (!ADS_ERR_OK(ads_status)) {
1345 return WERR_DEFAULT_JOIN_REQUIRED;
1348 ads_status = libnet_join_precreate_machine_acct(mem_ctx, r);
1349 if (!ADS_ERR_OK(ads_status)) {
1350 libnet_join_set_error_string(mem_ctx, r,
1351 "failed to precreate account in ou %s: %s",
1353 ads_errstr(ads_status));
1354 return WERR_DEFAULT_JOIN_REQUIRED;
1357 r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE;
1359 #endif /* WITH_ADS */
1361 status = libnet_join_joindomain_rpc(mem_ctx, r);
1362 if (!NT_STATUS_IS_OK(status)) {
1363 libnet_join_set_error_string(mem_ctx, r,
1364 "failed to join domain over rpc: %s",
1365 get_friendly_nt_error_msg(status));
1366 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
1367 return WERR_SETUP_ALREADY_JOINED;
1369 return ntstatus_to_werror(status);
1372 if (!libnet_join_joindomain_store_secrets(mem_ctx, r)) {
1373 return WERR_SETUP_NOT_JOINED;
1377 if (r->out.domain_is_ad) {
1378 ads_status = libnet_join_post_processing_ads(mem_ctx, r);
1379 if (!ADS_ERR_OK(ads_status)) {
1380 return WERR_GENERAL_FAILURE;
1383 #endif /* WITH_ADS */
1388 /****************************************************************
1389 ****************************************************************/
1391 WERROR libnet_Join(TALLOC_CTX *mem_ctx,
1392 struct libnet_JoinCtx *r)
1397 LIBNET_JOIN_IN_DUMP_CTX(mem_ctx, r);
1400 werr = libnet_join_pre_processing(mem_ctx, r);
1401 if (!W_ERROR_IS_OK(werr)) {
1405 if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1406 werr = libnet_DomainJoin(mem_ctx, r);
1407 if (!W_ERROR_IS_OK(werr)) {
1411 werr = libnet_join_post_verify(mem_ctx, r);
1412 if (!W_ERROR_IS_OK(werr)) {
1417 werr = libnet_join_post_processing(mem_ctx, r);
1418 if (!W_ERROR_IS_OK(werr)) {
1422 r->out.result = werr;
1425 LIBNET_JOIN_OUT_DUMP_CTX(mem_ctx, r);
1430 /****************************************************************
1431 ****************************************************************/
1433 static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
1434 struct libnet_UnjoinCtx *r)
1438 if (!r->in.domain_sid) {
1440 if (!secrets_fetch_domain_sid(lp_workgroup(), &sid)) {
1441 libnet_unjoin_set_error_string(mem_ctx, r,
1442 "Unable to fetch domain sid: are we joined?");
1443 return WERR_SETUP_NOT_JOINED;
1445 r->in.domain_sid = sid_dup_talloc(mem_ctx, &sid);
1446 W_ERROR_HAVE_NO_MEMORY(r->in.domain_sid);
1449 if (!r->in.dc_name) {
1450 struct netr_DsRGetDCNameInfo *info;
1451 status = dsgetdcname(mem_ctx,
1455 DS_DIRECTORY_SERVICE_REQUIRED |
1456 DS_WRITABLE_REQUIRED |
1459 if (!NT_STATUS_IS_OK(status)) {
1460 libnet_unjoin_set_error_string(mem_ctx, r,
1461 "failed to find DC for domain %s",
1463 get_friendly_nt_error_msg(status));
1464 return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
1467 r->in.dc_name = talloc_strdup(mem_ctx,
1469 W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
1472 status = libnet_join_unjoindomain_rpc(mem_ctx, r);
1473 if (!NT_STATUS_IS_OK(status)) {
1474 libnet_unjoin_set_error_string(mem_ctx, r,
1475 "failed to disable machine account via rpc: %s",
1476 get_friendly_nt_error_msg(status));
1477 if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1478 return WERR_SETUP_NOT_JOINED;
1480 return ntstatus_to_werror(status);
1483 r->out.disabled_machine_account = true;
1486 if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) {
1487 ADS_STATUS ads_status;
1488 libnet_unjoin_connect_ads(mem_ctx, r);
1489 ads_status = libnet_unjoin_remove_machine_acct(mem_ctx, r);
1490 if (!ADS_ERR_OK(ads_status)) {
1491 libnet_unjoin_set_error_string(mem_ctx, r,
1492 "failed to remove machine account from AD: %s",
1493 ads_errstr(ads_status));
1495 r->out.deleted_machine_account = true;
1497 r->out.dns_domain_name = talloc_strdup(mem_ctx,
1498 r->in.ads->server.realm);
1499 W_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name);
1502 #endif /* WITH_ADS */
1504 libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
1509 /****************************************************************
1510 ****************************************************************/
1512 static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx,
1513 struct libnet_UnjoinCtx *r)
1515 if (!r->in.domain_name) {
1516 libnet_unjoin_set_error_string(mem_ctx, r,
1517 "No domain name defined");
1518 return WERR_INVALID_PARAM;
1521 if (r->in.modify_config && !lp_config_backend_is_registry()) {
1522 return WERR_NOT_SUPPORTED;
1525 if (!secrets_init()) {
1526 libnet_unjoin_set_error_string(mem_ctx, r,
1527 "Unable to open secrets database");
1528 return WERR_CAN_NOT_COMPLETE;
1534 /****************************************************************
1535 ****************************************************************/
1537 static WERROR libnet_unjoin_post_processing(TALLOC_CTX *mem_ctx,
1538 struct libnet_UnjoinCtx *r)
1540 saf_delete(r->out.netbios_domain_name);
1541 saf_delete(r->out.dns_domain_name);
1543 return libnet_unjoin_config(r);
1546 /****************************************************************
1547 ****************************************************************/
1549 WERROR libnet_Unjoin(TALLOC_CTX *mem_ctx,
1550 struct libnet_UnjoinCtx *r)
1555 LIBNET_UNJOIN_IN_DUMP_CTX(mem_ctx, r);
1558 werr = libnet_unjoin_pre_processing(mem_ctx, r);
1559 if (!W_ERROR_IS_OK(werr)) {
1563 if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1564 werr = libnet_DomainUnjoin(mem_ctx, r);
1565 if (!W_ERROR_IS_OK(werr)) {
1566 libnet_unjoin_config(r);
1571 werr = libnet_unjoin_post_processing(mem_ctx, r);
1572 if (!W_ERROR_IS_OK(werr)) {
1577 r->out.result = werr;
1580 LIBNET_UNJOIN_OUT_DUMP_CTX(mem_ctx, r);