In gcc version 4.3.2 we get warnings for functions declared with
[jra/samba/.git] / source3 / libnet / libnet_join.c
index 737474d8078a13c75caca0cc4f40668e269b2e74..51d979074b65ba99b8594bb004d6ca51bd01a735 100644 (file)
@@ -29,7 +29,7 @@
                char *str = NULL; \
                str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_JoinCtx, f, r); \
                DEBUG(1,("libnet_Join:\n%s", str)); \
-               talloc_free(str); \
+               TALLOC_FREE(str); \
        } while (0)
 
 #define LIBNET_JOIN_IN_DUMP_CTX(ctx, r) \
@@ -42,7 +42,7 @@
                char *str = NULL; \
                str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_UnjoinCtx, f, r); \
                DEBUG(1,("libnet_Unjoin:\n%s", str)); \
-               talloc_free(str); \
+               TALLOC_FREE(str); \
        } while (0)
 
 #define LIBNET_UNJOIN_IN_DUMP_CTX(ctx, r) \
 #define LIBNET_UNJOIN_OUT_DUMP_CTX(ctx, r) \
        LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_OUT)
 
-static void init_lsa_String(struct lsa_String *name, const char *s)
-{
-       name->string = s;
-}
+#define W_ERROR_NOT_OK_GOTO_DONE(x) do { \
+       if (!W_ERROR_IS_OK(x)) {\
+               goto done;\
+       }\
+} while (0)
 
 /****************************************************************
 ****************************************************************/
@@ -123,7 +124,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
                my_ads->auth.password = SMB_STRDUP(password);
        }
 
-       status = ads_connect(my_ads);
+       status = ads_connect_user_creds(my_ads);
        if (!ADS_ERR_OK(status)) {
                ads_destroy(&my_ads);
                return status;
@@ -141,8 +142,8 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
 {
        ADS_STATUS status;
 
-       status = libnet_connect_ads(r->in.domain_name,
-                                   r->in.domain_name,
+       status = libnet_connect_ads(r->out.dns_domain_name,
+                                   r->out.netbios_domain_name,
                                    r->in.dc_name,
                                    r->in.admin_account,
                                    r->in.admin_password,
@@ -151,9 +152,24 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
                libnet_join_set_error_string(mem_ctx, r,
                        "failed to connect to AD: %s",
                        ads_errstr(status));
+               return status;
        }
 
-       return status;
+       if (!r->out.netbios_domain_name) {
+               r->out.netbios_domain_name = talloc_strdup(mem_ctx,
+                                                          r->in.ads->server.workgroup);
+               ADS_ERROR_HAVE_NO_MEMORY(r->out.netbios_domain_name);
+       }
+
+       if (!r->out.dns_domain_name) {
+               r->out.dns_domain_name = talloc_strdup(mem_ctx,
+                                                      r->in.ads->config.realm);
+               ADS_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name);
+       }
+
+       r->out.domain_is_ad = true;
+
+       return ADS_SUCCESS;
 }
 
 /****************************************************************
@@ -180,6 +196,7 @@ static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx,
 }
 
 /****************************************************************
+ join a domain using ADS (LDAP mods)
 ****************************************************************/
 
 static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx,
@@ -188,6 +205,12 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx,
        ADS_STATUS status;
        LDAPMessage *res = NULL;
        const char *attrs[] = { "dn", NULL };
+       bool moved = false;
+
+       status = ads_check_ou_dn(mem_ctx, r->in.ads, &r->in.account_ou);
+       if (!ADS_ERR_OK(status)) {
+               return status;
+       }
 
        status = ads_search_dn(r->in.ads, &res, r->in.account_ou, attrs);
        if (!ADS_ERR_OK(status)) {
@@ -199,16 +222,41 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx,
                return ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT);
        }
 
+       ads_msgfree(r->in.ads, res);
+
+       /* Attempt to create the machine account and bail if this fails.
+          Assume that the admin wants exactly what they requested */
+
        status = ads_create_machine_acct(r->in.ads,
                                         r->in.machine_name,
                                         r->in.account_ou);
-       ads_msgfree(r->in.ads, res);
 
-       if ((status.error_type == ENUM_ADS_ERROR_LDAP) &&
-           (status.err.rc == LDAP_ALREADY_EXISTS)) {
+       if (ADS_ERR_OK(status)) {
+               DEBUG(1,("machine account creation created\n"));
+               return status;
+       } else  if ((status.error_type == ENUM_ADS_ERROR_LDAP) &&
+                   (status.err.rc == LDAP_ALREADY_EXISTS)) {
                status = ADS_SUCCESS;
        }
 
+       if (!ADS_ERR_OK(status)) {
+               DEBUG(1,("machine account creation failed\n"));
+               return status;
+       }
+
+       status = ads_move_machine_acct(r->in.ads,
+                                      r->in.machine_name,
+                                      r->in.account_ou,
+                                      &moved);
+       if (!ADS_ERR_OK(status)) {
+               DEBUG(1,("failure to locate/move pre-existing "
+                       "machine account\n"));
+               return status;
+       }
+
+       DEBUG(1,("The machine account %s the specified OU.\n",
+               moved ? "was moved into" : "already exists in"));
+
        return status;
 }
 
@@ -221,10 +269,7 @@ static ADS_STATUS libnet_unjoin_remove_machine_acct(TALLOC_CTX *mem_ctx,
        ADS_STATUS status;
 
        if (!r->in.ads) {
-               status = libnet_unjoin_connect_ads(mem_ctx, r);
-               if (!ADS_ERR_OK(status)) {
-                       return status;
-               }
+               return libnet_unjoin_connect_ads(mem_ctx, r);
        }
 
        status = ads_leave_realm(r->in.ads, r->in.machine_name);
@@ -284,6 +329,7 @@ static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx,
 }
 
 /****************************************************************
+ Set a machines dNSHostName and servicePrincipalName attributes
 ****************************************************************/
 
 static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
@@ -295,18 +341,15 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
        const char *spn_array[3] = {NULL, NULL, NULL};
        char *spn = NULL;
 
-       if (!r->in.ads) {
-               status = libnet_join_connect_ads(mem_ctx, r);
-               if (!ADS_ERR_OK(status)) {
-                       return status;
-               }
-       }
+       /* Find our DN */
 
        status = libnet_join_find_machine_acct(mem_ctx, r);
        if (!ADS_ERR_OK(status)) {
                return status;
        }
 
+       /* Windows only creates HOST/shortname & HOST/fqdn. */
+
        spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
        if (!spn) {
                return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
@@ -314,10 +357,15 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
        strupper_m(spn);
        spn_array[0] = spn;
 
-       if (name_to_fqdn(my_fqdn, r->in.machine_name) &&
-           !strequal(my_fqdn, r->in.machine_name)) {
+       if (!name_to_fqdn(my_fqdn, r->in.machine_name)
+           || (strchr(my_fqdn, '.') == NULL)) {
+               fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name,
+                            r->out.dns_domain_name);
+       }
+
+       strlower_m(my_fqdn);
 
-               strlower_m(my_fqdn);
+       if (!strequal(my_fqdn, r->in.machine_name)) {
                spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
                if (!spn) {
                        return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
@@ -330,6 +378,8 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
                return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
        }
 
+       /* fields of primary importance */
+
        status = ads_mod_str(mem_ctx, &mods, "dNSHostName", my_fqdn);
        if (!ADS_ERR_OK(status)) {
                return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
@@ -357,12 +407,7 @@ static ADS_STATUS libnet_join_set_machine_upn(TALLOC_CTX *mem_ctx,
                return ADS_SUCCESS;
        }
 
-       if (!r->in.ads) {
-               status = libnet_join_connect_ads(mem_ctx, r);
-               if (!ADS_ERR_OK(status)) {
-                       return status;
-               }
-       }
+       /* Find our DN */
 
        status = libnet_join_find_machine_acct(mem_ctx, r);
        if (!ADS_ERR_OK(status)) {
@@ -379,11 +424,15 @@ static ADS_STATUS libnet_join_set_machine_upn(TALLOC_CTX *mem_ctx,
                }
        }
 
+       /* now do the mods */
+
        mods = ads_init_mods(mem_ctx);
        if (!mods) {
                return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
        }
 
+       /* fields of primary importance */
+
        status = ads_mod_str(mem_ctx, &mods, "userPrincipalName", r->in.upn);
        if (!ADS_ERR_OK(status)) {
                return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
@@ -407,18 +456,15 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
                return ADS_SUCCESS;
        }
 
-       if (!r->in.ads) {
-               status = libnet_join_connect_ads(mem_ctx, r);
-               if (!ADS_ERR_OK(status)) {
-                       return status;
-               }
-       }
+       /* Find our DN */
 
        status = libnet_join_find_machine_acct(mem_ctx, r);
        if (!ADS_ERR_OK(status)) {
                return status;
        }
 
+       /* now do the mods */
+
        mods = ads_init_mods(mem_ctx);
        if (!mods) {
                return ADS_ERROR(LDAP_NO_MEMORY);
@@ -429,6 +475,8 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
                return ADS_ERROR(LDAP_NO_MEMORY);
        }
 
+       /* fields of primary importance */
+
        status = ads_mod_str(mem_ctx, &mods, "operatingSystem",
                             r->in.os_name);
        if (!ADS_ERR_OK(status)) {
@@ -460,7 +508,7 @@ static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
                return true;
        }
 
-       if (!ads_keytab_create_default(r->in.ads)) {
+       if (ads_keytab_create_default(r->in.ads) != 0) {
                return false;
        }
 
@@ -486,6 +534,8 @@ static bool libnet_join_derive_salting_principal(TALLOC_CTX *mem_ctx,
                return false;
        }
 
+       /* go ahead and setup the default salt */
+
        std_salt = kerberos_standard_des_salt();
        if (!std_salt) {
                libnet_join_set_error_string(mem_ctx, r,
@@ -500,6 +550,8 @@ static bool libnet_join_derive_salting_principal(TALLOC_CTX *mem_ctx,
 
        SAFE_FREE(std_salt);
 
+       /* if it's a Windows functional domain, we have to look for the UPN */
+
        if (domain_func == DS_DOMAIN_FUNCTION_2000) {
                char *upn;
 
@@ -524,6 +576,13 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
 {
        ADS_STATUS status;
 
+       if (!r->in.ads) {
+               status = libnet_join_connect_ads(mem_ctx, r);
+               if (!ADS_ERR_OK(status)) {
+                       return status;
+               }
+       }
+
        status = libnet_join_set_machine_spn(mem_ctx, r);
        if (!ADS_ERR_OK(status)) {
                libnet_join_set_error_string(mem_ctx, r,
@@ -563,6 +622,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
 #endif /* WITH_ADS */
 
 /****************************************************************
+ Store the machine password and domain SID
 ****************************************************************/
 
 static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx,
@@ -571,13 +631,15 @@ static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx,
        if (!secrets_store_domain_sid(r->out.netbios_domain_name,
                                      r->out.domain_sid))
        {
+               DEBUG(1,("Failed to save domain sid\n"));
                return false;
        }
 
        if (!secrets_store_machine_password(r->in.machine_password,
                                            r->out.netbios_domain_name,
-                                           SEC_CHAN_WKSTA))
+                                           r->in.secure_channel_type))
        {
+               DEBUG(1,("Failed to save machine password\n"));
                return false;
        }
 
@@ -585,94 +647,151 @@ static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx,
 }
 
 /****************************************************************
+ Connect dc's IPC$ share
 ****************************************************************/
 
-static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
-                                          struct libnet_JoinCtx *r)
+static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
+                                          const char *user,
+                                          const char *pass,
+                                          bool use_kerberos,
+                                          struct cli_state **cli)
 {
-       struct cli_state *cli = NULL;
-       struct rpc_pipe_client *pipe_hnd = NULL;
-       POLICY_HND sam_pol, domain_pol, user_pol, lsa_pol;
-       NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
-       char *acct_name;
-       const char *const_acct_name;
-       struct lsa_String lsa_acct_name;
-       uint32 user_rid;
-       uint32 num_rids, *name_types, *user_rids;
-       uint32 flags = 0x3e8;
-       uint32 acb_info = ACB_WSTRUST;
-       uint32 fields_present;
-       uchar pwbuf[532];
-       SAM_USERINFO_CTR ctr;
-       SAM_USER_INFO_25 p25;
-       const int infolevel = 25;
-       struct MD5Context md5ctx;
-       uchar md5buffer[16];
-       DATA_BLOB digested_session_key;
-       uchar md4_trust_password[16];
+       int flags = 0;
 
-       if (!r->in.machine_password) {
-               r->in.machine_password = talloc_strdup(mem_ctx, generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH));
-               NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
+       if (use_kerberos) {
+               flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
        }
 
-       status = cli_full_connection(&cli, NULL,
-                                    r->in.dc_name,
-                                    NULL, 0,
-                                    "IPC$", "IPC",
-                                    r->in.admin_account,
-                                    NULL,
-                                    r->in.admin_password,
-                                    0,
-                                    Undefined, NULL);
+       if (use_kerberos && pass) {
+               flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
+       }
+
+       return cli_full_connection(cli, NULL,
+                                  dc,
+                                  NULL, 0,
+                                  "IPC$", "IPC",
+                                  user,
+                                  NULL,
+                                  pass,
+                                  flags,
+                                  Undefined, NULL);
+}
 
+/****************************************************************
+ Lookup domain dc's info
+****************************************************************/
+
+static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
+                                         struct libnet_JoinCtx *r,
+                                         struct cli_state **cli)
+{
+       struct rpc_pipe_client *pipe_hnd = NULL;
+       POLICY_HND lsa_pol;
+       NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+       union lsa_PolicyInformation *info = NULL;
+
+       status = libnet_join_connect_dc_ipc(r->in.dc_name,
+                                           r->in.admin_account,
+                                           r->in.admin_password,
+                                           r->in.use_kerberos,
+                                           cli);
        if (!NT_STATUS_IS_OK(status)) {
                goto done;
        }
 
-       pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &status);
-       if (!pipe_hnd) {
+       status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc.syntax_id,
+                                         &pipe_hnd);
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(0,("Error connecting to LSA pipe. Error was %s\n",
+                       nt_errstr(status)));
                goto done;
        }
 
-       status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True,
+       status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
                                        SEC_RIGHTS_MAXIMUM_ALLOWED, &lsa_pol);
        if (!NT_STATUS_IS_OK(status)) {
                goto done;
        }
 
-       status = rpccli_lsa_query_info_policy2(pipe_hnd, mem_ctx, &lsa_pol,
-                                              12,
-                                              &r->out.netbios_domain_name,
-                                              &r->out.dns_domain_name,
-                                              NULL,
-                                              NULL,
-                                              &r->out.domain_sid);
-
+       status = rpccli_lsa_QueryInfoPolicy2(pipe_hnd, mem_ctx,
+                                            &lsa_pol,
+                                            LSA_POLICY_INFO_DNS,
+                                            &info);
        if (NT_STATUS_IS_OK(status)) {
                r->out.domain_is_ad = true;
+               r->out.netbios_domain_name = info->dns.name.string;
+               r->out.dns_domain_name = info->dns.dns_domain.string;
+               r->out.forest_name = info->dns.dns_forest.string;
+               r->out.domain_sid = sid_dup_talloc(mem_ctx, info->dns.sid);
+               NT_STATUS_HAVE_NO_MEMORY(r->out.domain_sid);
        }
 
        if (!NT_STATUS_IS_OK(status)) {
-               status = rpccli_lsa_query_info_policy(pipe_hnd, mem_ctx, &lsa_pol,
-                                                     5,
-                                                     &r->out.netbios_domain_name,
-                                                     &r->out.domain_sid);
+               status = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
+                                                   &lsa_pol,
+                                                   LSA_POLICY_INFO_ACCOUNT_DOMAIN,
+                                                   &info);
                if (!NT_STATUS_IS_OK(status)) {
                        goto done;
                }
+
+               r->out.netbios_domain_name = info->account_domain.name.string;
+               r->out.domain_sid = sid_dup_talloc(mem_ctx, info->account_domain.sid);
+               NT_STATUS_HAVE_NO_MEMORY(r->out.domain_sid);
        }
 
        rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol);
-       cli_rpc_pipe_close(pipe_hnd);
+       TALLOC_FREE(pipe_hnd);
 
-       pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &status);
-       if (!pipe_hnd) {
+ done:
+       return status;
+}
+
+/****************************************************************
+ Do the domain join
+****************************************************************/
+
+static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
+                                          struct libnet_JoinCtx *r,
+                                          struct cli_state *cli)
+{
+       struct rpc_pipe_client *pipe_hnd = NULL;
+       POLICY_HND sam_pol, domain_pol, user_pol;
+       NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+       char *acct_name;
+       struct lsa_String lsa_acct_name;
+       uint32_t user_rid;
+       uint32_t acct_flags = ACB_WSTRUST;
+       struct samr_Ids user_rids;
+       struct samr_Ids name_types;
+       union samr_UserInfo user_info;
+
+       struct samr_CryptPassword crypt_pwd;
+       struct samr_CryptPasswordEx crypt_pwd_ex;
+
+       ZERO_STRUCT(sam_pol);
+       ZERO_STRUCT(domain_pol);
+       ZERO_STRUCT(user_pol);
+
+       if (!r->in.machine_password) {
+               r->in.machine_password = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
+               NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
+       }
+
+       /* Open the domain */
+
+       status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
+                                         &pipe_hnd);
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
+                       nt_errstr(status)));
                goto done;
        }
 
-       status = rpccli_samr_connect(pipe_hnd, mem_ctx,
-                                    SEC_RIGHTS_MAXIMUM_ALLOWED, &sam_pol);
+       status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
+                                     pipe_hnd->desthost,
+                                     SEC_RIGHTS_MAXIMUM_ALLOWED,
+                                     &sam_pol);
        if (!NT_STATUS_IS_OK(status)) {
                goto done;
        }
@@ -686,14 +805,15 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
                goto done;
        }
 
+       /* Create domain user */
+
        acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name);
        strlower_m(acct_name);
-       const_acct_name = acct_name;
 
        init_lsa_String(&lsa_acct_name, acct_name);
 
        if (r->in.join_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE) {
-               uint32_t acct_flags =
+               uint32_t access_desired =
                        SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE |
                        SEC_STD_WRITE_DAC | SEC_STD_DELETE |
                        SAMR_USER_ACCESS_SET_PASSWORD |
@@ -701,14 +821,38 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
                        SAMR_USER_ACCESS_SET_ATTRIBUTES;
                uint32_t access_granted = 0;
 
+               /* Don't try to set any acct_flags flags other than ACB_WSTRUST */
+
+               DEBUG(10,("Creating account with desired access mask: %d\n",
+                       access_desired));
+
                status = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx,
                                                 &domain_pol,
                                                 &lsa_acct_name,
                                                 ACB_WSTRUST,
-                                                acct_flags,
+                                                access_desired,
                                                 &user_pol,
                                                 &access_granted,
                                                 &user_rid);
+               if (!NT_STATUS_IS_OK(status) &&
+                   !NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
+
+                       DEBUG(10,("Creation of workstation account failed: %s\n",
+                               nt_errstr(status)));
+
+                       /* If NT_STATUS_ACCESS_DENIED then we have a valid
+                          username/password combo but the user does not have
+                          administrator access. */
+
+                       if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+                               libnet_join_set_error_string(mem_ctx, r,
+                                       "User specified does not have "
+                                       "administrator privileges");
+                       }
+
+                       goto done;
+               }
+
                if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
                        if (!(r->in.join_flags &
                              WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED)) {
@@ -716,25 +860,33 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
                        }
                }
 
+               /* We *must* do this.... don't ask... */
+
                if (NT_STATUS_IS_OK(status)) {
                        rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
                }
        }
 
-       status = rpccli_samr_lookup_names(pipe_hnd, mem_ctx,
-                                         &domain_pol, flags, 1,
-                                         &const_acct_name,
-                                         &num_rids, &user_rids, &name_types);
+       status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
+                                        &domain_pol,
+                                        1,
+                                        &lsa_acct_name,
+                                        &user_rids,
+                                        &name_types);
        if (!NT_STATUS_IS_OK(status)) {
                goto done;
        }
 
-       if (name_types[0] != SID_NAME_USER) {
+       if (name_types.ids[0] != SID_NAME_USER) {
+               DEBUG(0,("%s is not a user account (type=%d)\n",
+                       acct_name, name_types.ids[0]));
                status = NT_STATUS_INVALID_WORKSTATION;
                goto done;
        }
 
-       user_rid = user_rids[0];
+       user_rid = user_rids.ids[0];
+
+       /* Open handle on user */
 
        status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
                                      &domain_pol,
@@ -745,53 +897,95 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
                goto done;
        }
 
-       E_md4hash(r->in.machine_password, md4_trust_password);
-       encode_pw_buffer(pwbuf, r->in.machine_password, STR_UNICODE);
+       /* Fill in the additional account flags now */
 
-       generate_random_buffer((uint8*)md5buffer, sizeof(md5buffer));
-       digested_session_key = data_blob_talloc(mem_ctx, 0, 16);
-
-       MD5Init(&md5ctx);
-       MD5Update(&md5ctx, md5buffer, sizeof(md5buffer));
-       MD5Update(&md5ctx, cli->user_session_key.data,
-                 cli->user_session_key.length);
-       MD5Final(digested_session_key.data, &md5ctx);
-
-       SamOEMhashBlob(pwbuf, sizeof(pwbuf), &digested_session_key);
-       memcpy(&pwbuf[516], md5buffer, sizeof(md5buffer));
-
-       acb_info |= ACB_PWNOEXP;
+       acct_flags |= ACB_PWNOEXP;
        if (r->out.domain_is_ad) {
 #if !defined(ENCTYPE_ARCFOUR_HMAC)
-               acb_info |= ACB_USE_DES_KEY_ONLY;
+               acct_flags |= ACB_USE_DES_KEY_ONLY;
 #endif
                ;;
        }
 
-       ZERO_STRUCT(ctr);
-       ZERO_STRUCT(p25);
-
-       fields_present = ACCT_NT_PWD_SET | ACCT_LM_PWD_SET | ACCT_FLAGS;
-       init_sam_user_info25P(&p25, fields_present, acb_info, (char *)pwbuf);
+       /* Set account flags on machine account */
+       ZERO_STRUCT(user_info.info16);
+       user_info.info16.acct_flags = acct_flags;
 
-       ctr.switch_value = infolevel;
-       ctr.info.id25    = &p25;
+       status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
+                                        &user_pol,
+                                        16,
+                                        &user_info);
 
-       status = rpccli_samr_set_userinfo2(pipe_hnd, mem_ctx, &user_pol,
-                                          infolevel, &cli->user_session_key,
-                                          &ctr);
        if (!NT_STATUS_IS_OK(status)) {
+
+               rpccli_samr_DeleteUser(pipe_hnd, mem_ctx,
+                                      &user_pol);
+
+               libnet_join_set_error_string(mem_ctx, r,
+                       "Failed to set account flags for machine account (%s)\n",
+                       nt_errstr(status));
                goto done;
        }
 
-       rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
-       cli_rpc_pipe_close(pipe_hnd);
+       /* Set password on machine account - first try level 26 */
+
+       init_samr_CryptPasswordEx(r->in.machine_password,
+                                 &cli->user_session_key,
+                                 &crypt_pwd_ex);
+
+       init_samr_user_info26(&user_info.info26, &crypt_pwd_ex,
+                             PASS_DONT_CHANGE_AT_NEXT_LOGON);
+
+       status = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
+                                         &user_pol,
+                                         26,
+                                         &user_info);
+
+       if (NT_STATUS_EQUAL(status, NT_STATUS(DCERPC_FAULT_INVALID_TAG))) {
+
+               /* retry with level 24 */
+
+               init_samr_CryptPassword(r->in.machine_password,
+                                       &cli->user_session_key,
+                                       &crypt_pwd);
+
+               init_samr_user_info24(&user_info.info24, &crypt_pwd,
+                                     PASS_DONT_CHANGE_AT_NEXT_LOGON);
+
+               status = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
+                                                 &user_pol,
+                                                 24,
+                                                 &user_info);
+       }
+
+       if (!NT_STATUS_IS_OK(status)) {
+
+               rpccli_samr_DeleteUser(pipe_hnd, mem_ctx,
+                                      &user_pol);
+
+               libnet_join_set_error_string(mem_ctx, r,
+                       "Failed to set password for machine account (%s)\n",
+                       nt_errstr(status));
+               goto done;
+       }
 
        status = NT_STATUS_OK;
+
  done:
-       if (cli) {
-               cli_shutdown(cli);
+       if (!pipe_hnd) {
+               return status;
+       }
+
+       if (is_valid_policy_hnd(&sam_pol)) {
+               rpccli_samr_Close(pipe_hnd, mem_ctx, &sam_pol);
+       }
+       if (is_valid_policy_hnd(&domain_pol)) {
+               rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
+       }
+       if (is_valid_policy_hnd(&user_pol)) {
+               rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
        }
+       TALLOC_FREE(pipe_hnd);
 
        return status;
 }
@@ -799,6 +993,126 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
 /****************************************************************
 ****************************************************************/
 
+NTSTATUS libnet_join_ok(const char *netbios_domain_name,
+                       const char *machine_name,
+                       const char *dc_name)
+{
+       uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+       struct cli_state *cli = NULL;
+       struct rpc_pipe_client *pipe_hnd = NULL;
+       struct rpc_pipe_client *netlogon_pipe = NULL;
+       NTSTATUS status;
+       char *machine_password = NULL;
+       char *machine_account = NULL;
+
+       if (!dc_name) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
+       if (!secrets_init()) {
+               return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+       }
+
+       machine_password = secrets_fetch_machine_password(netbios_domain_name,
+                                                         NULL, NULL);
+       if (!machine_password) {
+               return NT_STATUS_NO_TRUST_LSA_SECRET;
+       }
+
+       if (asprintf(&machine_account, "%s$", machine_name) == -1) {
+               SAFE_FREE(machine_password);
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       status = cli_full_connection(&cli, NULL,
+                                    dc_name,
+                                    NULL, 0,
+                                    "IPC$", "IPC",
+                                    machine_account,
+                                    NULL,
+                                    machine_password,
+                                    0,
+                                    Undefined, NULL);
+       free(machine_account);
+       free(machine_password);
+
+       if (!NT_STATUS_IS_OK(status)) {
+               status = cli_full_connection(&cli, NULL,
+                                            dc_name,
+                                            NULL, 0,
+                                            "IPC$", "IPC",
+                                            "",
+                                            NULL,
+                                            "",
+                                            0,
+                                            Undefined, NULL);
+       }
+
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       status = get_schannel_session_key(cli, netbios_domain_name,
+                                         &neg_flags, &netlogon_pipe);
+       if (!NT_STATUS_IS_OK(status)) {
+               if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_NETWORK_RESPONSE)) {
+                       cli_shutdown(cli);
+                       return NT_STATUS_OK;
+               }
+
+               DEBUG(0,("libnet_join_ok: failed to get schannel session "
+                       "key from server %s for domain %s. Error was %s\n",
+               cli->desthost, netbios_domain_name, nt_errstr(status)));
+               cli_shutdown(cli);
+               return status;
+       }
+
+       if (!lp_client_schannel()) {
+               cli_shutdown(cli);
+               return NT_STATUS_OK;
+       }
+
+       status = cli_rpc_pipe_open_schannel_with_key(
+               cli, &ndr_table_netlogon.syntax_id, PIPE_AUTH_LEVEL_PRIVACY,
+               netbios_domain_name, netlogon_pipe->dc, &pipe_hnd);
+
+       cli_shutdown(cli);
+
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(0,("libnet_join_ok: failed to open schannel session "
+                       "on netlogon pipe to server %s for domain %s. "
+                       "Error was %s\n",
+                       cli->desthost, netbios_domain_name, nt_errstr(status)));
+               return status;
+       }
+
+       return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR libnet_join_post_verify(TALLOC_CTX *mem_ctx,
+                                     struct libnet_JoinCtx *r)
+{
+       NTSTATUS status;
+
+       status = libnet_join_ok(r->out.netbios_domain_name,
+                               r->in.machine_name,
+                               r->in.dc_name);
+       if (!NT_STATUS_IS_OK(status)) {
+               libnet_join_set_error_string(mem_ctx, r,
+                       "failed to verify domain membership after joining: %s",
+                       get_friendly_nt_error_msg(status));
+               return WERR_SETUP_NOT_JOINED;
+       }
+
+       return WERR_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
 static bool libnet_join_unjoindomain_remove_secrets(TALLOC_CTX *mem_ctx,
                                                    struct libnet_UnjoinCtx *r)
 {
@@ -824,33 +1138,39 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
        POLICY_HND sam_pol, domain_pol, user_pol;
        NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
        char *acct_name;
-       uint32 flags = 0x3e8;
-       const char *const_acct_name;
-       uint32 user_rid;
-       uint32 num_rids, *name_types, *user_rids;
-       SAM_USERINFO_CTR ctr, *qctr = NULL;
-       SAM_USER_INFO_16 p16;
-
-       status = cli_full_connection(&cli, NULL,
-                                    r->in.dc_name,
-                                    NULL, 0,
-                                    "IPC$", "IPC",
-                                    r->in.admin_account,
-                                    NULL,
-                                    r->in.admin_password,
-                                    0, Undefined, NULL);
-
+       uint32_t user_rid;
+       struct lsa_String lsa_acct_name;
+       struct samr_Ids user_rids;
+       struct samr_Ids name_types;
+       union samr_UserInfo *info = NULL;
+
+       ZERO_STRUCT(sam_pol);
+       ZERO_STRUCT(domain_pol);
+       ZERO_STRUCT(user_pol);
+
+       status = libnet_join_connect_dc_ipc(r->in.dc_name,
+                                           r->in.admin_account,
+                                           r->in.admin_password,
+                                           r->in.use_kerberos,
+                                           &cli);
        if (!NT_STATUS_IS_OK(status)) {
                goto done;
        }
 
-       pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &status);
-       if (!pipe_hnd) {
+       /* Open the domain */
+
+       status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
+                                         &pipe_hnd);
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
+                       nt_errstr(status)));
                goto done;
        }
 
-       status = rpccli_samr_connect(pipe_hnd, mem_ctx,
-                                    SEC_RIGHTS_MAXIMUM_ALLOWED, &sam_pol);
+       status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
+                                     pipe_hnd->desthost,
+                                     SEC_RIGHTS_MAXIMUM_ALLOWED,
+                                     &sam_pol);
        if (!NT_STATUS_IS_OK(status)) {
                goto done;
        }
@@ -864,24 +1184,34 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
                goto done;
        }
 
+       /* Create domain user */
+
        acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name);
        strlower_m(acct_name);
-       const_acct_name = acct_name;
 
-       status = rpccli_samr_lookup_names(pipe_hnd, mem_ctx,
-                                         &domain_pol, flags, 1,
-                                         &const_acct_name,
-                                         &num_rids, &user_rids, &name_types);
+       init_lsa_String(&lsa_acct_name, acct_name);
+
+       status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
+                                        &domain_pol,
+                                        1,
+                                        &lsa_acct_name,
+                                        &user_rids,
+                                        &name_types);
+
        if (!NT_STATUS_IS_OK(status)) {
                goto done;
        }
 
-       if (name_types[0] != SID_NAME_USER) {
+       if (name_types.ids[0] != SID_NAME_USER) {
+               DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name,
+                       name_types.ids[0]));
                status = NT_STATUS_INVALID_WORKSTATION;
                goto done;
        }
 
-       user_rid = user_rids[0];
+       user_rid = user_rids.ids[0];
+
+       /* Open handle on user */
 
        status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
                                      &domain_pol,
@@ -892,29 +1222,37 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
                goto done;
        }
 
-       status = rpccli_samr_query_userinfo(pipe_hnd, mem_ctx,
-                                           &user_pol, 16, &qctr);
+       /* Get user info */
+
+       status = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx,
+                                          &user_pol,
+                                          16,
+                                          &info);
        if (!NT_STATUS_IS_OK(status)) {
                rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
                goto done;
        }
 
-       ZERO_STRUCT(ctr);
-       ctr.switch_value = 16;
-       ctr.info.id16 = &p16;
+       /* now disable and setuser info */
 
-       p16.acb_info = qctr->info.id16->acb_info | ACB_DISABLED;
+       info->info16.acct_flags |= ACB_DISABLED;
 
-       status = rpccli_samr_set_userinfo2(pipe_hnd, mem_ctx, &user_pol, 16,
-                                          &cli->user_session_key, &ctr);
+       status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
+                                        &user_pol,
+                                        16,
+                                        info);
 
        rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
 
 done:
        if (pipe_hnd) {
-               rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
-               rpccli_samr_Close(pipe_hnd, mem_ctx, &sam_pol);
-               cli_rpc_pipe_close(pipe_hnd);
+               if (is_valid_policy_hnd(&domain_pol)) {
+                       rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
+               }
+               if (is_valid_policy_hnd(&sam_pol)) {
+                       rpccli_samr_Close(pipe_hnd, mem_ctx, &sam_pol);
+               }
+               TALLOC_FREE(pipe_hnd);
        }
 
        if (cli) {
@@ -930,48 +1268,43 @@ done:
 static WERROR do_join_modify_vals_config(struct libnet_JoinCtx *r)
 {
        WERROR werr;
-       struct libnet_conf_ctx *ctx;
+       struct smbconf_ctx *ctx;
 
-       werr = libnet_conf_open(r, &ctx);
+       werr = smbconf_init_reg(r, &ctx, NULL);
        if (!W_ERROR_IS_OK(werr)) {
                goto done;
        }
 
        if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE)) {
 
-               werr = libnet_conf_set_global_parameter(ctx, "security", "user");
-               if (!W_ERROR_IS_OK(werr)) {
-                       goto done;
-               }
+               werr = smbconf_set_global_parameter(ctx, "security", "user");
+               W_ERROR_NOT_OK_GOTO_DONE(werr);
 
-               werr = libnet_conf_set_global_parameter(ctx, "workgroup",
-                                                       r->in.domain_name);
-               goto done;
-       }
+               werr = smbconf_set_global_parameter(ctx, "workgroup",
+                                                   r->in.domain_name);
 
-       werr = libnet_conf_set_global_parameter(ctx, "security", "domain");
-       if (!W_ERROR_IS_OK(werr)) {
+               smbconf_delete_global_parameter(ctx, "realm");
                goto done;
        }
 
-       werr = libnet_conf_set_global_parameter(ctx, "workgroup",
-                                               r->out.netbios_domain_name);
-       if (!W_ERROR_IS_OK(werr)) {
-               goto done;
-       }
+       werr = smbconf_set_global_parameter(ctx, "security", "domain");
+       W_ERROR_NOT_OK_GOTO_DONE(werr);
+
+       werr = smbconf_set_global_parameter(ctx, "workgroup",
+                                           r->out.netbios_domain_name);
+       W_ERROR_NOT_OK_GOTO_DONE(werr);
 
        if (r->out.domain_is_ad) {
-               werr = libnet_conf_set_global_parameter(ctx, "security", "ads");
-               if (!W_ERROR_IS_OK(werr)) {
-                       goto done;
-               }
+               werr = smbconf_set_global_parameter(ctx, "security", "ads");
+               W_ERROR_NOT_OK_GOTO_DONE(werr);
 
-               werr = libnet_conf_set_global_parameter(ctx, "realm",
-                                                       r->out.dns_domain_name);
+               werr = smbconf_set_global_parameter(ctx, "realm",
+                                                   r->out.dns_domain_name);
+               W_ERROR_NOT_OK_GOTO_DONE(werr);
        }
 
-done:
-       libnet_conf_close(ctx);
+ done:
+       smbconf_shutdown(ctx);
        return werr;
 }
 
@@ -981,25 +1314,26 @@ done:
 static WERROR do_unjoin_modify_vals_config(struct libnet_UnjoinCtx *r)
 {
        WERROR werr = WERR_OK;
-       struct libnet_conf_ctx *ctx;
+       struct smbconf_ctx *ctx;
 
-       werr = libnet_conf_open(r, &ctx);
+       werr = smbconf_init_reg(r, &ctx, NULL);
        if (!W_ERROR_IS_OK(werr)) {
                goto done;
        }
 
        if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
 
-               werr = libnet_conf_set_global_parameter(ctx, "security", "user");
-               if (!W_ERROR_IS_OK(werr)) {
-                       goto done;
-               }
-       }
+               werr = smbconf_set_global_parameter(ctx, "security", "user");
+               W_ERROR_NOT_OK_GOTO_DONE(werr);
 
-       libnet_conf_delete_global_parameter(ctx, "realm");
+               werr = smbconf_delete_global_parameter(ctx, "workgroup");
+               W_ERROR_NOT_OK_GOTO_DONE(werr);
 
-done:
-       libnet_conf_close(ctx);
+               smbconf_delete_global_parameter(ctx, "realm");
+       }
+
+ done:
+       smbconf_shutdown(ctx);
        return werr;
 }
 
@@ -1023,6 +1357,8 @@ static WERROR do_JoinConfig(struct libnet_JoinCtx *r)
                return werr;
        }
 
+       lp_load(get_dyn_CONFIGFILE(),true,false,false,true);
+
        r->out.modified_config = true;
        r->out.result = werr;
 
@@ -1032,7 +1368,7 @@ static WERROR do_JoinConfig(struct libnet_JoinCtx *r)
 /****************************************************************
 ****************************************************************/
 
-static WERROR do_UnjoinConfig(struct libnet_UnjoinCtx *r)
+static WERROR libnet_unjoin_config(struct libnet_UnjoinCtx *r)
 {
        WERROR werr;
 
@@ -1049,6 +1385,8 @@ static WERROR do_UnjoinConfig(struct libnet_UnjoinCtx *r)
                return werr;
        }
 
+       lp_load(get_dyn_CONFIGFILE(),true,false,false,true);
+
        r->out.modified_config = true;
        r->out.result = werr;
 
@@ -1058,16 +1396,63 @@ static WERROR do_UnjoinConfig(struct libnet_UnjoinCtx *r)
 /****************************************************************
 ****************************************************************/
 
+static bool libnet_parse_domain_dc(TALLOC_CTX *mem_ctx,
+                                  const char *domain_str,
+                                  const char **domain_p,
+                                  const char **dc_p)
+{
+       char *domain = NULL;
+       char *dc = NULL;
+       const char *p = NULL;
+
+       if (!domain_str || !domain_p || !dc_p) {
+               return false;
+       }
+
+       p = strchr_m(domain_str, '\\');
+
+       if (p != NULL) {
+               domain = talloc_strndup(mem_ctx, domain_str,
+                                        PTR_DIFF(p, domain_str));
+               dc = talloc_strdup(mem_ctx, p+1);
+               if (!dc) {
+                       return false;
+               }
+       } else {
+               domain = talloc_strdup(mem_ctx, domain_str);
+               dc = NULL;
+       }
+       if (!domain) {
+               return false;
+       }
+
+       *domain_p = domain;
+
+       if (!*dc_p && dc) {
+               *dc_p = dc;
+       }
+
+       return true;
+}
+
+/****************************************************************
+****************************************************************/
+
 static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
                                         struct libnet_JoinCtx *r)
 {
-
        if (!r->in.domain_name) {
+               libnet_join_set_error_string(mem_ctx, r,
+                       "No domain name defined");
                return WERR_INVALID_PARAM;
        }
 
-       if (r->in.modify_config && !lp_config_backend_is_registry()) {
-               return WERR_NOT_SUPPORTED;
+       if (!libnet_parse_domain_dc(mem_ctx, r->in.domain_name,
+                                   &r->in.domain_name,
+                                   &r->in.dc_name)) {
+               libnet_join_set_error_string(mem_ctx, r,
+                       "Failed to parse domain name");
+               return WERR_INVALID_PARAM;
        }
 
        if (IS_DC) {
@@ -1086,6 +1471,37 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
 /****************************************************************
 ****************************************************************/
 
+static void libnet_join_add_dom_rids_to_builtins(struct dom_sid *domain_sid)
+{
+       NTSTATUS status;
+
+       /* Try adding dom admins to builtin\admins. Only log failures. */
+       status = create_builtin_administrators(domain_sid);
+       if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
+               DEBUG(10,("Unable to auto-add domain administrators to "
+                         "BUILTIN\\Administrators during join because "
+                         "winbindd must be running."));
+       } else if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(5, ("Failed to auto-add domain administrators to "
+                         "BUILTIN\\Administrators during join: %s\n",
+                         nt_errstr(status)));
+       }
+
+       /* Try adding dom users to builtin\users. Only log failures. */
+       status = create_builtin_users(domain_sid);
+       if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
+               DEBUG(10,("Unable to auto-add domain users to BUILTIN\\users "
+                         "during join because winbindd must be running."));
+       } else if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(5, ("Failed to auto-add domain administrators to "
+                         "BUILTIN\\Administrators during join: %s\n",
+                         nt_errstr(status)));
+       }
+}
+
+/****************************************************************
+****************************************************************/
+
 static WERROR libnet_join_post_processing(TALLOC_CTX *mem_ctx,
                                          struct libnet_JoinCtx *r)
 {
@@ -1100,9 +1516,27 @@ static WERROR libnet_join_post_processing(TALLOC_CTX *mem_ctx,
                return werr;
        }
 
-       if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
-               saf_store(r->in.domain_name, r->in.dc_name);
+       if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE)) {
+               return WERR_OK;
+       }
+
+       saf_join_store(r->out.netbios_domain_name, r->in.dc_name);
+       if (r->out.dns_domain_name) {
+               saf_join_store(r->out.dns_domain_name, r->in.dc_name);
+       }
+
+#ifdef WITH_ADS
+       if (r->out.domain_is_ad) {
+               ADS_STATUS ads_status;
+
+               ads_status  = libnet_join_post_processing_ads(mem_ctx, r);
+               if (!ADS_ERR_OK(ads_status)) {
+                       return WERR_GENERAL_FAILURE;
+               }
        }
+#endif /* WITH_ADS */
+
+       libnet_join_add_dom_rids_to_builtins(r->out.domain_sid);
 
        return WERR_OK;
 }
@@ -1112,10 +1546,17 @@ static WERROR libnet_join_post_processing(TALLOC_CTX *mem_ctx,
 
 static int libnet_destroy_JoinCtx(struct libnet_JoinCtx *r)
 {
+       const char *krb5_cc_env = NULL;
+
        if (r->in.ads) {
                ads_destroy(&r->in.ads);
        }
 
+       krb5_cc_env = getenv(KRB5_ENV_CCNAME);
+       if (krb5_cc_env && StrCaseCmp(krb5_cc_env, "MEMORY:libnetjoin")) {
+               unsetenv(KRB5_ENV_CCNAME);
+       }
+
        return 0;
 }
 
@@ -1124,10 +1565,17 @@ static int libnet_destroy_JoinCtx(struct libnet_JoinCtx *r)
 
 static int libnet_destroy_UnjoinCtx(struct libnet_UnjoinCtx *r)
 {
+       const char *krb5_cc_env = NULL;
+
        if (r->in.ads) {
                ads_destroy(&r->in.ads);
        }
 
+       krb5_cc_env = getenv(KRB5_ENV_CCNAME);
+       if (krb5_cc_env && StrCaseCmp(krb5_cc_env, "MEMORY:libnetjoin")) {
+               unsetenv(KRB5_ENV_CCNAME);
+       }
+
        return 0;
 }
 
@@ -1138,6 +1586,7 @@ WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
                           struct libnet_JoinCtx **r)
 {
        struct libnet_JoinCtx *ctx;
+       const char *krb5_cc_env = NULL;
 
        ctx = talloc_zero(mem_ctx, struct libnet_JoinCtx);
        if (!ctx) {
@@ -1149,6 +1598,15 @@ WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
        ctx->in.machine_name = talloc_strdup(mem_ctx, global_myname());
        W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
 
+       krb5_cc_env = getenv(KRB5_ENV_CCNAME);
+       if (!krb5_cc_env || (strlen(krb5_cc_env) == 0)) {
+               krb5_cc_env = talloc_strdup(mem_ctx, "MEMORY:libnetjoin");
+               W_ERROR_HAVE_NO_MEMORY(krb5_cc_env);
+               setenv(KRB5_ENV_CCNAME, krb5_cc_env, 1);
+       }
+
+       ctx->in.secure_channel_type = SEC_CHAN_WKSTA;
+
        *r = ctx;
 
        return WERR_OK;
@@ -1161,6 +1619,7 @@ WERROR libnet_init_UnjoinCtx(TALLOC_CTX *mem_ctx,
                             struct libnet_UnjoinCtx **r)
 {
        struct libnet_UnjoinCtx *ctx;
+       const char *krb5_cc_env = NULL;
 
        ctx = talloc_zero(mem_ctx, struct libnet_UnjoinCtx);
        if (!ctx) {
@@ -1172,6 +1631,13 @@ WERROR libnet_init_UnjoinCtx(TALLOC_CTX *mem_ctx,
        ctx->in.machine_name = talloc_strdup(mem_ctx, global_myname());
        W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
 
+       krb5_cc_env = getenv(KRB5_ENV_CCNAME);
+       if (!krb5_cc_env || (strlen(krb5_cc_env) == 0)) {
+               krb5_cc_env = talloc_strdup(mem_ctx, "MEMORY:libnetjoin");
+               W_ERROR_HAVE_NO_MEMORY(krb5_cc_env);
+               setenv(KRB5_ENV_CCNAME, krb5_cc_env, 1);
+       }
+
        *r = ctx;
 
        return WERR_OK;
@@ -1180,20 +1646,115 @@ WERROR libnet_init_UnjoinCtx(TALLOC_CTX *mem_ctx,
 /****************************************************************
 ****************************************************************/
 
+static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
+                                      struct libnet_JoinCtx *r)
+{
+       bool valid_security = false;
+       bool valid_workgroup = false;
+       bool valid_realm = false;
+
+       /* check if configuration is already set correctly */
+
+       valid_workgroup = strequal(lp_workgroup(), r->out.netbios_domain_name);
+
+       switch (r->out.domain_is_ad) {
+               case false:
+                       valid_security = (lp_security() == SEC_DOMAIN);
+                       if (valid_workgroup && valid_security) {
+                               /* nothing to be done */
+                               return WERR_OK;
+                       }
+                       break;
+               case true:
+                       valid_realm = strequal(lp_realm(), r->out.dns_domain_name);
+                       switch (lp_security()) {
+                       case SEC_DOMAIN:
+                       case SEC_ADS:
+                               valid_security = true;
+                       }
+
+                       if (valid_workgroup && valid_realm && valid_security) {
+                               /* nothing to be done */
+                               return WERR_OK;
+                       }
+                       break;
+       }
+
+       /* check if we are supposed to manipulate configuration */
+
+       if (!r->in.modify_config) {
+
+               char *wrong_conf = talloc_strdup(mem_ctx, "");
+
+               if (!valid_workgroup) {
+                       wrong_conf = talloc_asprintf_append(wrong_conf,
+                               "\"workgroup\" set to '%s', should be '%s'",
+                               lp_workgroup(), r->out.netbios_domain_name);
+                       W_ERROR_HAVE_NO_MEMORY(wrong_conf);
+               }
+
+               if (!valid_realm) {
+                       wrong_conf = talloc_asprintf_append(wrong_conf,
+                               "\"realm\" set to '%s', should be '%s'",
+                               lp_realm(), r->out.dns_domain_name);
+                       W_ERROR_HAVE_NO_MEMORY(wrong_conf);
+               }
+
+               if (!valid_security) {
+                       const char *sec = NULL;
+                       switch (lp_security()) {
+                       case SEC_SHARE: sec = "share"; break;
+                       case SEC_USER:  sec = "user"; break;
+                       case SEC_DOMAIN: sec = "domain"; break;
+                       case SEC_ADS: sec = "ads"; break;
+                       }
+                       wrong_conf = talloc_asprintf_append(wrong_conf,
+                               "\"security\" set to '%s', should be %s",
+                               sec, r->out.domain_is_ad ?
+                               "either 'domain' or 'ads'" : "'domain'");
+                       W_ERROR_HAVE_NO_MEMORY(wrong_conf);
+               }
+
+               libnet_join_set_error_string(mem_ctx, r,
+                       "Invalid configuration (%s) and configuration modification "
+                       "was not requested", wrong_conf);
+               return WERR_CAN_NOT_COMPLETE;
+       }
+
+       /* check if we are able to manipulate configuration */
+
+       if (!lp_config_backend_is_registry()) {
+               libnet_join_set_error_string(mem_ctx, r,
+                       "Configuration manipulation requested but not "
+                       "supported by backend");
+               return WERR_NOT_SUPPORTED;
+       }
+
+       return WERR_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
 static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
                                struct libnet_JoinCtx *r)
 {
        NTSTATUS status;
+       WERROR werr;
+       struct cli_state *cli = NULL;
 #ifdef WITH_ADS
        ADS_STATUS ads_status;
 #endif /* WITH_ADS */
 
        if (!r->in.dc_name) {
-               struct DS_DOMAIN_CONTROLLER_INFO *info;
+               struct netr_DsRGetDCNameInfo *info;
+               const char *dc;
                status = dsgetdcname(mem_ctx,
+                                    r->in.msg_ctx,
                                     r->in.domain_name,
                                     NULL,
                                     NULL,
+                                    DS_FORCE_REDISCOVERY |
                                     DS_DIRECTORY_SERVICE_REQUIRED |
                                     DS_WRITABLE_REQUIRED |
                                     DS_RETURN_DNS_NAME,
@@ -1206,13 +1767,26 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
                        return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
                }
 
-               r->in.dc_name = talloc_strdup(mem_ctx,
-                                             info->domain_controller_name);
+               dc = strip_hostname(info->dc_unc);
+               r->in.dc_name = talloc_strdup(mem_ctx, dc);
                W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
        }
 
+       status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli);
+       if (!NT_STATUS_IS_OK(status)) {
+               libnet_join_set_error_string(mem_ctx, r,
+                       "failed to lookup DC info for domain '%s' over rpc: %s",
+                       r->in.domain_name, get_friendly_nt_error_msg(status));
+               return ntstatus_to_werror(status);
+       }
+
+       werr = libnet_join_check_config(mem_ctx, r);
+       if (!W_ERROR_IS_OK(werr)) {
+               goto done;
+       }
+
 #ifdef WITH_ADS
-       if (r->in.account_ou) {
+       if (r->out.domain_is_ad && r->in.account_ou) {
 
                ads_status = libnet_join_connect_ads(mem_ctx, r);
                if (!ADS_ERR_OK(ads_status)) {
@@ -1232,31 +1806,60 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
        }
 #endif /* WITH_ADS */
 
-       status = libnet_join_joindomain_rpc(mem_ctx, r);
+       status = libnet_join_joindomain_rpc(mem_ctx, r, cli);
        if (!NT_STATUS_IS_OK(status)) {
                libnet_join_set_error_string(mem_ctx, r,
-                       "failed to join domain over rpc: %s",
-                       get_friendly_nt_error_msg(status));
+                       "failed to join domain '%s' over rpc: %s",
+                       r->in.domain_name, get_friendly_nt_error_msg(status));
                if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
                        return WERR_SETUP_ALREADY_JOINED;
                }
-               return ntstatus_to_werror(status);
+               werr = ntstatus_to_werror(status);
+               goto done;
        }
 
        if (!libnet_join_joindomain_store_secrets(mem_ctx, r)) {
-               return WERR_SETUP_NOT_JOINED;
+               werr = WERR_SETUP_NOT_JOINED;
+               goto done;
        }
 
-#ifdef WITH_ADS
-       if (r->out.domain_is_ad) {
-               ads_status  = libnet_join_post_processing_ads(mem_ctx, r);
-               if (!ADS_ERR_OK(ads_status)) {
-                       return WERR_GENERAL_FAILURE;
-               }
+       werr = WERR_OK;
+
+ done:
+       if (cli) {
+               cli_shutdown(cli);
        }
-#endif /* WITH_ADS */
 
-       return WERR_OK;
+       return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR libnet_join_rollback(TALLOC_CTX *mem_ctx,
+                                  struct libnet_JoinCtx *r)
+{
+       WERROR werr;
+       struct libnet_UnjoinCtx *u = NULL;
+
+       werr = libnet_init_UnjoinCtx(mem_ctx, &u);
+       if (!W_ERROR_IS_OK(werr)) {
+               return werr;
+       }
+
+       u->in.debug             = r->in.debug;
+       u->in.dc_name           = r->in.dc_name;
+       u->in.domain_name       = r->in.domain_name;
+       u->in.admin_account     = r->in.admin_account;
+       u->in.admin_password    = r->in.admin_password;
+       u->in.modify_config     = r->in.modify_config;
+       u->in.unjoin_flags      = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
+                                 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
+
+       werr = libnet_Unjoin(mem_ctx, u);
+       TALLOC_FREE(u);
+
+       return werr;
 }
 
 /****************************************************************
@@ -1287,6 +1890,14 @@ WERROR libnet_Join(TALLOC_CTX *mem_ctx,
        if (!W_ERROR_IS_OK(werr)) {
                goto done;
        }
+
+       if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
+               werr = libnet_join_post_verify(mem_ctx, r);
+               if (!W_ERROR_IS_OK(werr)) {
+                       libnet_join_rollback(mem_ctx, r);
+               }
+       }
+
  done:
        r->out.result = werr;
 
@@ -1316,8 +1927,10 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
        }
 
        if (!r->in.dc_name) {
-               struct DS_DOMAIN_CONTROLLER_INFO *info;
+               struct netr_DsRGetDCNameInfo *info;
+               const char *dc;
                status = dsgetdcname(mem_ctx,
+                                    r->in.msg_ctx,
                                     r->in.domain_name,
                                     NULL,
                                     NULL,
@@ -1333,8 +1946,8 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
                        return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
                }
 
-               r->in.dc_name = talloc_strdup(mem_ctx,
-                                             info->domain_controller_name);
+               dc = strip_hostname(info->dc_unc);
+               r->in.dc_name = talloc_strdup(mem_ctx, dc);
                W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
        }
 
@@ -1349,6 +1962,8 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
                return ntstatus_to_werror(status);
        }
 
+       r->out.disabled_machine_account = true;
+
 #ifdef WITH_ADS
        if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) {
                ADS_STATUS ads_status;
@@ -1358,6 +1973,12 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
                        libnet_unjoin_set_error_string(mem_ctx, r,
                                "failed to remove machine account from AD: %s",
                                ads_errstr(ads_status));
+               } else {
+                       r->out.deleted_machine_account = true;
+                       /* dirty hack */
+                       r->out.dns_domain_name = talloc_strdup(mem_ctx,
+                                                              r->in.ads->server.realm);
+                       W_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name);
                }
        }
 #endif /* WITH_ADS */
@@ -1373,8 +1994,22 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
 static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx,
                                           struct libnet_UnjoinCtx *r)
 {
-       if (r->in.modify_config && !lp_config_backend_is_registry()) {
-               return WERR_NOT_SUPPORTED;
+       if (!r->in.domain_name) {
+               libnet_unjoin_set_error_string(mem_ctx, r,
+                       "No domain name defined");
+               return WERR_INVALID_PARAM;
+       }
+
+       if (!libnet_parse_domain_dc(mem_ctx, r->in.domain_name,
+                                   &r->in.domain_name,
+                                   &r->in.dc_name)) {
+               libnet_unjoin_set_error_string(mem_ctx, r,
+                       "Failed to parse domain name");
+               return WERR_INVALID_PARAM;
+       }
+
+       if (IS_DC) {
+               return WERR_SETUP_DOMAIN_CONTROLLER;
        }
 
        if (!secrets_init()) {
@@ -1386,6 +2021,17 @@ static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx,
        return WERR_OK;
 }
 
+/****************************************************************
+****************************************************************/
+
+static WERROR libnet_unjoin_post_processing(TALLOC_CTX *mem_ctx,
+                                           struct libnet_UnjoinCtx *r)
+{
+       saf_delete(r->out.netbios_domain_name);
+       saf_delete(r->out.dns_domain_name);
+
+       return libnet_unjoin_config(r);
+}
 
 /****************************************************************
 ****************************************************************/
@@ -1407,11 +2053,12 @@ WERROR libnet_Unjoin(TALLOC_CTX *mem_ctx,
        if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
                werr = libnet_DomainUnjoin(mem_ctx, r);
                if (!W_ERROR_IS_OK(werr)) {
+                       libnet_unjoin_config(r);
                        goto done;
                }
        }
 
-       werr = do_UnjoinConfig(r);
+       werr = libnet_unjoin_post_processing(mem_ctx, r);
        if (!W_ERROR_IS_OK(werr)) {
                goto done;
        }