In gcc version 4.3.2 we get warnings for functions declared with
[jra/samba/.git] / source3 / libnet / libnet_join.c
index 90e1b5941e52c176397521663daa03ab95235196..51d979074b65ba99b8594bb004d6ca51bd01a735 100644 (file)
@@ -124,7 +124,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
                my_ads->auth.password = SMB_STRDUP(password);
        }
 
-       status = ads_connect(my_ads);
+       status = ads_connect_user_creds(my_ads);
        if (!ADS_ERR_OK(status)) {
                ads_destroy(&my_ads);
                return status;
@@ -142,8 +142,8 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
 {
        ADS_STATUS status;
 
-       status = libnet_connect_ads(r->in.domain_name,
-                                   r->in.domain_name,
+       status = libnet_connect_ads(r->out.dns_domain_name,
+                                   r->out.netbios_domain_name,
                                    r->in.dc_name,
                                    r->in.admin_account,
                                    r->in.admin_password,
@@ -207,7 +207,7 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx,
        const char *attrs[] = { "dn", NULL };
        bool moved = false;
 
-       status = ads_check_ou_dn(mem_ctx, r->in.ads, r->in.account_ou);
+       status = ads_check_ou_dn(mem_ctx, r->in.ads, &r->in.account_ou);
        if (!ADS_ERR_OK(status)) {
                return status;
        }
@@ -357,10 +357,15 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
        strupper_m(spn);
        spn_array[0] = spn;
 
-       if (name_to_fqdn(my_fqdn, r->in.machine_name) &&
-           !strequal(my_fqdn, r->in.machine_name)) {
+       if (!name_to_fqdn(my_fqdn, r->in.machine_name)
+           || (strchr(my_fqdn, '.') == NULL)) {
+               fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name,
+                            r->out.dns_domain_name);
+       }
 
-               strlower_m(my_fqdn);
+       strlower_m(my_fqdn);
+
+       if (!strequal(my_fqdn, r->in.machine_name)) {
                spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
                if (!spn) {
                        return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
@@ -503,7 +508,7 @@ static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
                return true;
        }
 
-       if (!ads_keytab_create_default(r->in.ads)) {
+       if (ads_keytab_create_default(r->in.ads) != 0) {
                return false;
        }
 
@@ -642,51 +647,61 @@ static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx,
 }
 
 /****************************************************************
- Do the domain join
+ Connect dc's IPC$ share
 ****************************************************************/
 
-static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
-                                          struct libnet_JoinCtx *r)
+static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
+                                          const char *user,
+                                          const char *pass,
+                                          bool use_kerberos,
+                                          struct cli_state **cli)
 {
-       struct cli_state *cli = NULL;
-       struct rpc_pipe_client *pipe_hnd = NULL;
-       POLICY_HND sam_pol, domain_pol, user_pol, lsa_pol;
-       NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
-       char *acct_name;
-       struct lsa_String lsa_acct_name;
-       uint32_t user_rid;
-       uint32_t acct_flags = ACB_WSTRUST;
-       uchar pwbuf[532];
-       struct MD5Context md5ctx;
-       uchar md5buffer[16];
-       DATA_BLOB digested_session_key;
-       uchar md4_trust_password[16];
-       union lsa_PolicyInformation *info = NULL;
-       struct samr_Ids user_rids;
-       struct samr_Ids name_types;
-       union samr_UserInfo user_info;
+       int flags = 0;
 
-       if (!r->in.machine_password) {
-               r->in.machine_password = talloc_strdup(mem_ctx, generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH));
-               NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
+       if (use_kerberos) {
+               flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
        }
 
-       status = cli_full_connection(&cli, NULL,
-                                    r->in.dc_name,
-                                    NULL, 0,
-                                    "IPC$", "IPC",
-                                    r->in.admin_account,
-                                    NULL,
-                                    r->in.admin_password,
-                                    0,
-                                    Undefined, NULL);
+       if (use_kerberos && pass) {
+               flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
+       }
+
+       return cli_full_connection(cli, NULL,
+                                  dc,
+                                  NULL, 0,
+                                  "IPC$", "IPC",
+                                  user,
+                                  NULL,
+                                  pass,
+                                  flags,
+                                  Undefined, NULL);
+}
+
+/****************************************************************
+ Lookup domain dc's info
+****************************************************************/
+
+static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
+                                         struct libnet_JoinCtx *r,
+                                         struct cli_state **cli)
+{
+       struct rpc_pipe_client *pipe_hnd = NULL;
+       POLICY_HND lsa_pol;
+       NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+       union lsa_PolicyInformation *info = NULL;
 
+       status = libnet_join_connect_dc_ipc(r->in.dc_name,
+                                           r->in.admin_account,
+                                           r->in.admin_password,
+                                           r->in.use_kerberos,
+                                           cli);
        if (!NT_STATUS_IS_OK(status)) {
                goto done;
        }
 
-       pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &status);
-       if (!pipe_hnd) {
+       status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc.syntax_id,
+                                         &pipe_hnd);
+       if (!NT_STATUS_IS_OK(status)) {
                DEBUG(0,("Error connecting to LSA pipe. Error was %s\n",
                        nt_errstr(status)));
                goto done;
@@ -706,7 +721,9 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
                r->out.domain_is_ad = true;
                r->out.netbios_domain_name = info->dns.name.string;
                r->out.dns_domain_name = info->dns.dns_domain.string;
-               r->out.domain_sid = info->dns.sid;
+               r->out.forest_name = info->dns.dns_forest.string;
+               r->out.domain_sid = sid_dup_talloc(mem_ctx, info->dns.sid);
+               NT_STATUS_HAVE_NO_MEMORY(r->out.domain_sid);
        }
 
        if (!NT_STATUS_IS_OK(status)) {
@@ -719,23 +736,60 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
                }
 
                r->out.netbios_domain_name = info->account_domain.name.string;
-               r->out.domain_sid = info->account_domain.sid;
+               r->out.domain_sid = sid_dup_talloc(mem_ctx, info->account_domain.sid);
+               NT_STATUS_HAVE_NO_MEMORY(r->out.domain_sid);
        }
 
        rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol);
-       cli_rpc_pipe_close(pipe_hnd);
+       TALLOC_FREE(pipe_hnd);
+
+ done:
+       return status;
+}
+
+/****************************************************************
+ Do the domain join
+****************************************************************/
+
+static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
+                                          struct libnet_JoinCtx *r,
+                                          struct cli_state *cli)
+{
+       struct rpc_pipe_client *pipe_hnd = NULL;
+       POLICY_HND sam_pol, domain_pol, user_pol;
+       NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+       char *acct_name;
+       struct lsa_String lsa_acct_name;
+       uint32_t user_rid;
+       uint32_t acct_flags = ACB_WSTRUST;
+       struct samr_Ids user_rids;
+       struct samr_Ids name_types;
+       union samr_UserInfo user_info;
+
+       struct samr_CryptPassword crypt_pwd;
+       struct samr_CryptPasswordEx crypt_pwd_ex;
+
+       ZERO_STRUCT(sam_pol);
+       ZERO_STRUCT(domain_pol);
+       ZERO_STRUCT(user_pol);
+
+       if (!r->in.machine_password) {
+               r->in.machine_password = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
+               NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
+       }
 
        /* Open the domain */
 
-       pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &status);
-       if (!pipe_hnd) {
+       status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
+                                         &pipe_hnd);
+       if (!NT_STATUS_IS_OK(status)) {
                DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
                        nt_errstr(status)));
                goto done;
        }
 
        status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
-                                     pipe_hnd->cli->desthost,
+                                     pipe_hnd->desthost,
                                      SEC_RIGHTS_MAXIMUM_ALLOWED,
                                      &sam_pol);
        if (!NT_STATUS_IS_OK(status)) {
@@ -796,7 +850,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
                                        "administrator privileges");
                        }
 
-                       return status;
+                       goto done;
                }
 
                if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
@@ -843,23 +897,6 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
                goto done;
        }
 
-       /* Create a random machine account password and generate the hash */
-
-       E_md4hash(r->in.machine_password, md4_trust_password);
-       encode_pw_buffer(pwbuf, r->in.machine_password, STR_UNICODE);
-
-       generate_random_buffer((uint8_t*)md5buffer, sizeof(md5buffer));
-       digested_session_key = data_blob_talloc(mem_ctx, 0, 16);
-
-       MD5Init(&md5ctx);
-       MD5Update(&md5ctx, md5buffer, sizeof(md5buffer));
-       MD5Update(&md5ctx, cli->user_session_key.data,
-                 cli->user_session_key.length);
-       MD5Final(digested_session_key.data, &md5ctx);
-
-       SamOEMhashBlob(pwbuf, sizeof(pwbuf), &digested_session_key);
-       memcpy(&pwbuf[516], md5buffer, sizeof(md5buffer));
-
        /* Fill in the additional account flags now */
 
        acct_flags |= ACB_PWNOEXP;
@@ -870,33 +907,50 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
                ;;
        }
 
-       /* Set password and account flags on machine account */
-
-       ZERO_STRUCT(user_info.info25);
-
-       user_info.info25.info.fields_present = ACCT_NT_PWD_SET |
-                                              ACCT_LM_PWD_SET |
-                                              SAMR_FIELD_ACCT_FLAGS;
-
-       user_info.info25.info.acct_flags = acct_flags;
-       memcpy(&user_info.info25.password.data, pwbuf, sizeof(pwbuf));
+       /* Set account flags on machine account */
+       ZERO_STRUCT(user_info.info16);
+       user_info.info16.acct_flags = acct_flags;
 
        status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
                                         &user_pol,
-                                        25,
+                                        16,
                                         &user_info);
 
-       if (NT_STATUS_EQUAL(status, NT_STATUS(DCERPC_FAULT_INVALID_TAG))) {
+       if (!NT_STATUS_IS_OK(status)) {
+
+               rpccli_samr_DeleteUser(pipe_hnd, mem_ctx,
+                                      &user_pol);
+
+               libnet_join_set_error_string(mem_ctx, r,
+                       "Failed to set account flags for machine account (%s)\n",
+                       nt_errstr(status));
+               goto done;
+       }
+
+       /* Set password on machine account - first try level 26 */
+
+       init_samr_CryptPasswordEx(r->in.machine_password,
+                                 &cli->user_session_key,
+                                 &crypt_pwd_ex);
 
-               uchar pwbuf2[516];
+       init_samr_user_info26(&user_info.info26, &crypt_pwd_ex,
+                             PASS_DONT_CHANGE_AT_NEXT_LOGON);
 
-               encode_pw_buffer(pwbuf2, r->in.machine_password, STR_UNICODE);
+       status = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
+                                         &user_pol,
+                                         26,
+                                         &user_info);
+
+       if (NT_STATUS_EQUAL(status, NT_STATUS(DCERPC_FAULT_INVALID_TAG))) {
 
                /* retry with level 24 */
-               init_samr_user_info24(&user_info.info24, pwbuf2, 24);
 
-               SamOEMhashBlob(user_info.info24.password.data, 516,
-                              &cli->user_session_key);
+               init_samr_CryptPassword(r->in.machine_password,
+                                       &cli->user_session_key,
+                                       &crypt_pwd);
+
+               init_samr_user_info24(&user_info.info24, &crypt_pwd,
+                                     PASS_DONT_CHANGE_AT_NEXT_LOGON);
 
                status = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
                                                  &user_pol,
@@ -905,21 +959,34 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
        }
 
        if (!NT_STATUS_IS_OK(status)) {
+
+               rpccli_samr_DeleteUser(pipe_hnd, mem_ctx,
+                                      &user_pol);
+
                libnet_join_set_error_string(mem_ctx, r,
                        "Failed to set password for machine account (%s)\n",
                        nt_errstr(status));
                goto done;
        }
 
-       rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
-       cli_rpc_pipe_close(pipe_hnd);
-
        status = NT_STATUS_OK;
+
  done:
-       if (cli) {
-               cli_shutdown(cli);
+       if (!pipe_hnd) {
+               return status;
        }
 
+       if (is_valid_policy_hnd(&sam_pol)) {
+               rpccli_samr_Close(pipe_hnd, mem_ctx, &sam_pol);
+       }
+       if (is_valid_policy_hnd(&domain_pol)) {
+               rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
+       }
+       if (is_valid_policy_hnd(&user_pol)) {
+               rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
+       }
+       TALLOC_FREE(pipe_hnd);
+
        return status;
 }
 
@@ -930,8 +997,7 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
                        const char *machine_name,
                        const char *dc_name)
 {
-       uint32_t neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS |
-                            NETLOGON_NEG_SCHANNEL;
+       uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
        struct cli_state *cli = NULL;
        struct rpc_pipe_client *pipe_hnd = NULL;
        struct rpc_pipe_client *netlogon_pipe = NULL;
@@ -953,8 +1019,7 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
                return NT_STATUS_NO_TRUST_LSA_SECRET;
        }
 
-       asprintf(&machine_account, "%s$", machine_name);
-       if (!machine_account) {
+       if (asprintf(&machine_account, "%s$", machine_name) == -1) {
                SAFE_FREE(machine_password);
                return NT_STATUS_NO_MEMORY;
        }
@@ -987,10 +1052,9 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
                return status;
        }
 
-       netlogon_pipe = get_schannel_session_key(cli,
-                                                netbios_domain_name,
-                                                &neg_flags, &status);
-       if (!netlogon_pipe) {
+       status = get_schannel_session_key(cli, netbios_domain_name,
+                                         &neg_flags, &netlogon_pipe);
+       if (!NT_STATUS_IS_OK(status)) {
                if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_NETWORK_RESPONSE)) {
                        cli_shutdown(cli);
                        return NT_STATUS_OK;
@@ -1008,15 +1072,13 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
                return NT_STATUS_OK;
        }
 
-       pipe_hnd = cli_rpc_pipe_open_schannel_with_key(cli, PI_NETLOGON,
-                                                      PIPE_AUTH_LEVEL_PRIVACY,
-                                                      netbios_domain_name,
-                                                      netlogon_pipe->dc,
-                                                      &status);
+       status = cli_rpc_pipe_open_schannel_with_key(
+               cli, &ndr_table_netlogon.syntax_id, PIPE_AUTH_LEVEL_PRIVACY,
+               netbios_domain_name, netlogon_pipe->dc, &pipe_hnd);
 
        cli_shutdown(cli);
 
-       if (!pipe_hnd) {
+       if (!NT_STATUS_IS_OK(status)) {
                DEBUG(0,("libnet_join_ok: failed to open schannel session "
                        "on netlogon pipe to server %s for domain %s. "
                        "Error was %s\n",
@@ -1082,30 +1144,31 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
        struct samr_Ids name_types;
        union samr_UserInfo *info = NULL;
 
-       status = cli_full_connection(&cli, NULL,
-                                    r->in.dc_name,
-                                    NULL, 0,
-                                    "IPC$", "IPC",
-                                    r->in.admin_account,
-                                    NULL,
-                                    r->in.admin_password,
-                                    0, Undefined, NULL);
+       ZERO_STRUCT(sam_pol);
+       ZERO_STRUCT(domain_pol);
+       ZERO_STRUCT(user_pol);
 
+       status = libnet_join_connect_dc_ipc(r->in.dc_name,
+                                           r->in.admin_account,
+                                           r->in.admin_password,
+                                           r->in.use_kerberos,
+                                           &cli);
        if (!NT_STATUS_IS_OK(status)) {
                goto done;
        }
 
        /* Open the domain */
 
-       pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &status);
-       if (!pipe_hnd) {
+       status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
+                                         &pipe_hnd);
+       if (!NT_STATUS_IS_OK(status)) {
                DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
                        nt_errstr(status)));
                goto done;
        }
 
        status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
-                                     pipe_hnd->cli->desthost,
+                                     pipe_hnd->desthost,
                                      SEC_RIGHTS_MAXIMUM_ALLOWED,
                                      &sam_pol);
        if (!NT_STATUS_IS_OK(status)) {
@@ -1183,9 +1246,13 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
 
 done:
        if (pipe_hnd) {
-               rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
-               rpccli_samr_Close(pipe_hnd, mem_ctx, &sam_pol);
-               cli_rpc_pipe_close(pipe_hnd);
+               if (is_valid_policy_hnd(&domain_pol)) {
+                       rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
+               }
+               if (is_valid_policy_hnd(&sam_pol)) {
+                       rpccli_samr_Close(pipe_hnd, mem_ctx, &sam_pol);
+               }
+               TALLOC_FREE(pipe_hnd);
        }
 
        if (cli) {
@@ -1215,6 +1282,8 @@ static WERROR do_join_modify_vals_config(struct libnet_JoinCtx *r)
 
                werr = smbconf_set_global_parameter(ctx, "workgroup",
                                                    r->in.domain_name);
+
+               smbconf_delete_global_parameter(ctx, "realm");
                goto done;
        }
 
@@ -1256,6 +1325,10 @@ static WERROR do_unjoin_modify_vals_config(struct libnet_UnjoinCtx *r)
 
                werr = smbconf_set_global_parameter(ctx, "security", "user");
                W_ERROR_NOT_OK_GOTO_DONE(werr);
+
+               werr = smbconf_delete_global_parameter(ctx, "workgroup");
+               W_ERROR_NOT_OK_GOTO_DONE(werr);
+
                smbconf_delete_global_parameter(ctx, "realm");
        }
 
@@ -1284,6 +1357,8 @@ static WERROR do_JoinConfig(struct libnet_JoinCtx *r)
                return werr;
        }
 
+       lp_load(get_dyn_CONFIGFILE(),true,false,false,true);
+
        r->out.modified_config = true;
        r->out.result = werr;
 
@@ -1310,6 +1385,8 @@ static WERROR libnet_unjoin_config(struct libnet_UnjoinCtx *r)
                return werr;
        }
 
+       lp_load(get_dyn_CONFIGFILE(),true,false,false,true);
+
        r->out.modified_config = true;
        r->out.result = werr;
 
@@ -1378,13 +1455,6 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
                return WERR_INVALID_PARAM;
        }
 
-       if (r->in.modify_config && !lp_config_backend_is_registry()) {
-               libnet_join_set_error_string(mem_ctx, r,
-                       "Configuration manipulation requested but not "
-                       "supported by backend");
-               return WERR_NOT_SUPPORTED;
-       }
-
        if (IS_DC) {
                return WERR_SETUP_DOMAIN_CONTROLLER;
        }
@@ -1401,6 +1471,37 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
 /****************************************************************
 ****************************************************************/
 
+static void libnet_join_add_dom_rids_to_builtins(struct dom_sid *domain_sid)
+{
+       NTSTATUS status;
+
+       /* Try adding dom admins to builtin\admins. Only log failures. */
+       status = create_builtin_administrators(domain_sid);
+       if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
+               DEBUG(10,("Unable to auto-add domain administrators to "
+                         "BUILTIN\\Administrators during join because "
+                         "winbindd must be running."));
+       } else if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(5, ("Failed to auto-add domain administrators to "
+                         "BUILTIN\\Administrators during join: %s\n",
+                         nt_errstr(status)));
+       }
+
+       /* Try adding dom users to builtin\users. Only log failures. */
+       status = create_builtin_users(domain_sid);
+       if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
+               DEBUG(10,("Unable to auto-add domain users to BUILTIN\\users "
+                         "during join because winbindd must be running."));
+       } else if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(5, ("Failed to auto-add domain administrators to "
+                         "BUILTIN\\Administrators during join: %s\n",
+                         nt_errstr(status)));
+       }
+}
+
+/****************************************************************
+****************************************************************/
+
 static WERROR libnet_join_post_processing(TALLOC_CTX *mem_ctx,
                                          struct libnet_JoinCtx *r)
 {
@@ -1415,9 +1516,27 @@ static WERROR libnet_join_post_processing(TALLOC_CTX *mem_ctx,
                return werr;
        }
 
-       if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
-               saf_store(r->in.domain_name, r->in.dc_name);
+       if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE)) {
+               return WERR_OK;
+       }
+
+       saf_join_store(r->out.netbios_domain_name, r->in.dc_name);
+       if (r->out.dns_domain_name) {
+               saf_join_store(r->out.dns_domain_name, r->in.dc_name);
+       }
+
+#ifdef WITH_ADS
+       if (r->out.domain_is_ad) {
+               ADS_STATUS ads_status;
+
+               ads_status  = libnet_join_post_processing_ads(mem_ctx, r);
+               if (!ADS_ERR_OK(ads_status)) {
+                       return WERR_GENERAL_FAILURE;
+               }
        }
+#endif /* WITH_ADS */
+
+       libnet_join_add_dom_rids_to_builtins(r->out.domain_sid);
 
        return WERR_OK;
 }
@@ -1427,10 +1546,17 @@ static WERROR libnet_join_post_processing(TALLOC_CTX *mem_ctx,
 
 static int libnet_destroy_JoinCtx(struct libnet_JoinCtx *r)
 {
+       const char *krb5_cc_env = NULL;
+
        if (r->in.ads) {
                ads_destroy(&r->in.ads);
        }
 
+       krb5_cc_env = getenv(KRB5_ENV_CCNAME);
+       if (krb5_cc_env && StrCaseCmp(krb5_cc_env, "MEMORY:libnetjoin")) {
+               unsetenv(KRB5_ENV_CCNAME);
+       }
+
        return 0;
 }
 
@@ -1439,10 +1565,17 @@ static int libnet_destroy_JoinCtx(struct libnet_JoinCtx *r)
 
 static int libnet_destroy_UnjoinCtx(struct libnet_UnjoinCtx *r)
 {
+       const char *krb5_cc_env = NULL;
+
        if (r->in.ads) {
                ads_destroy(&r->in.ads);
        }
 
+       krb5_cc_env = getenv(KRB5_ENV_CCNAME);
+       if (krb5_cc_env && StrCaseCmp(krb5_cc_env, "MEMORY:libnetjoin")) {
+               unsetenv(KRB5_ENV_CCNAME);
+       }
+
        return 0;
 }
 
@@ -1453,6 +1586,7 @@ WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
                           struct libnet_JoinCtx **r)
 {
        struct libnet_JoinCtx *ctx;
+       const char *krb5_cc_env = NULL;
 
        ctx = talloc_zero(mem_ctx, struct libnet_JoinCtx);
        if (!ctx) {
@@ -1464,6 +1598,13 @@ WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
        ctx->in.machine_name = talloc_strdup(mem_ctx, global_myname());
        W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
 
+       krb5_cc_env = getenv(KRB5_ENV_CCNAME);
+       if (!krb5_cc_env || (strlen(krb5_cc_env) == 0)) {
+               krb5_cc_env = talloc_strdup(mem_ctx, "MEMORY:libnetjoin");
+               W_ERROR_HAVE_NO_MEMORY(krb5_cc_env);
+               setenv(KRB5_ENV_CCNAME, krb5_cc_env, 1);
+       }
+
        ctx->in.secure_channel_type = SEC_CHAN_WKSTA;
 
        *r = ctx;
@@ -1478,6 +1619,7 @@ WERROR libnet_init_UnjoinCtx(TALLOC_CTX *mem_ctx,
                             struct libnet_UnjoinCtx **r)
 {
        struct libnet_UnjoinCtx *ctx;
+       const char *krb5_cc_env = NULL;
 
        ctx = talloc_zero(mem_ctx, struct libnet_UnjoinCtx);
        if (!ctx) {
@@ -1489,6 +1631,13 @@ WERROR libnet_init_UnjoinCtx(TALLOC_CTX *mem_ctx,
        ctx->in.machine_name = talloc_strdup(mem_ctx, global_myname());
        W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
 
+       krb5_cc_env = getenv(KRB5_ENV_CCNAME);
+       if (!krb5_cc_env || (strlen(krb5_cc_env) == 0)) {
+               krb5_cc_env = talloc_strdup(mem_ctx, "MEMORY:libnetjoin");
+               W_ERROR_HAVE_NO_MEMORY(krb5_cc_env);
+               setenv(KRB5_ENV_CCNAME, krb5_cc_env, 1);
+       }
+
        *r = ctx;
 
        return WERR_OK;
@@ -1497,20 +1646,115 @@ WERROR libnet_init_UnjoinCtx(TALLOC_CTX *mem_ctx,
 /****************************************************************
 ****************************************************************/
 
+static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
+                                      struct libnet_JoinCtx *r)
+{
+       bool valid_security = false;
+       bool valid_workgroup = false;
+       bool valid_realm = false;
+
+       /* check if configuration is already set correctly */
+
+       valid_workgroup = strequal(lp_workgroup(), r->out.netbios_domain_name);
+
+       switch (r->out.domain_is_ad) {
+               case false:
+                       valid_security = (lp_security() == SEC_DOMAIN);
+                       if (valid_workgroup && valid_security) {
+                               /* nothing to be done */
+                               return WERR_OK;
+                       }
+                       break;
+               case true:
+                       valid_realm = strequal(lp_realm(), r->out.dns_domain_name);
+                       switch (lp_security()) {
+                       case SEC_DOMAIN:
+                       case SEC_ADS:
+                               valid_security = true;
+                       }
+
+                       if (valid_workgroup && valid_realm && valid_security) {
+                               /* nothing to be done */
+                               return WERR_OK;
+                       }
+                       break;
+       }
+
+       /* check if we are supposed to manipulate configuration */
+
+       if (!r->in.modify_config) {
+
+               char *wrong_conf = talloc_strdup(mem_ctx, "");
+
+               if (!valid_workgroup) {
+                       wrong_conf = talloc_asprintf_append(wrong_conf,
+                               "\"workgroup\" set to '%s', should be '%s'",
+                               lp_workgroup(), r->out.netbios_domain_name);
+                       W_ERROR_HAVE_NO_MEMORY(wrong_conf);
+               }
+
+               if (!valid_realm) {
+                       wrong_conf = talloc_asprintf_append(wrong_conf,
+                               "\"realm\" set to '%s', should be '%s'",
+                               lp_realm(), r->out.dns_domain_name);
+                       W_ERROR_HAVE_NO_MEMORY(wrong_conf);
+               }
+
+               if (!valid_security) {
+                       const char *sec = NULL;
+                       switch (lp_security()) {
+                       case SEC_SHARE: sec = "share"; break;
+                       case SEC_USER:  sec = "user"; break;
+                       case SEC_DOMAIN: sec = "domain"; break;
+                       case SEC_ADS: sec = "ads"; break;
+                       }
+                       wrong_conf = talloc_asprintf_append(wrong_conf,
+                               "\"security\" set to '%s', should be %s",
+                               sec, r->out.domain_is_ad ?
+                               "either 'domain' or 'ads'" : "'domain'");
+                       W_ERROR_HAVE_NO_MEMORY(wrong_conf);
+               }
+
+               libnet_join_set_error_string(mem_ctx, r,
+                       "Invalid configuration (%s) and configuration modification "
+                       "was not requested", wrong_conf);
+               return WERR_CAN_NOT_COMPLETE;
+       }
+
+       /* check if we are able to manipulate configuration */
+
+       if (!lp_config_backend_is_registry()) {
+               libnet_join_set_error_string(mem_ctx, r,
+                       "Configuration manipulation requested but not "
+                       "supported by backend");
+               return WERR_NOT_SUPPORTED;
+       }
+
+       return WERR_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
 static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
                                struct libnet_JoinCtx *r)
 {
        NTSTATUS status;
+       WERROR werr;
+       struct cli_state *cli = NULL;
 #ifdef WITH_ADS
        ADS_STATUS ads_status;
 #endif /* WITH_ADS */
 
        if (!r->in.dc_name) {
                struct netr_DsRGetDCNameInfo *info;
+               const char *dc;
                status = dsgetdcname(mem_ctx,
+                                    r->in.msg_ctx,
                                     r->in.domain_name,
                                     NULL,
                                     NULL,
+                                    DS_FORCE_REDISCOVERY |
                                     DS_DIRECTORY_SERVICE_REQUIRED |
                                     DS_WRITABLE_REQUIRED |
                                     DS_RETURN_DNS_NAME,
@@ -1523,13 +1767,26 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
                        return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
                }
 
-               r->in.dc_name = talloc_strdup(mem_ctx,
-                                             info->dc_unc);
+               dc = strip_hostname(info->dc_unc);
+               r->in.dc_name = talloc_strdup(mem_ctx, dc);
                W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
        }
 
+       status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli);
+       if (!NT_STATUS_IS_OK(status)) {
+               libnet_join_set_error_string(mem_ctx, r,
+                       "failed to lookup DC info for domain '%s' over rpc: %s",
+                       r->in.domain_name, get_friendly_nt_error_msg(status));
+               return ntstatus_to_werror(status);
+       }
+
+       werr = libnet_join_check_config(mem_ctx, r);
+       if (!W_ERROR_IS_OK(werr)) {
+               goto done;
+       }
+
 #ifdef WITH_ADS
-       if (r->in.account_ou) {
+       if (r->out.domain_is_ad && r->in.account_ou) {
 
                ads_status = libnet_join_connect_ads(mem_ctx, r);
                if (!ADS_ERR_OK(ads_status)) {
@@ -1549,31 +1806,60 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
        }
 #endif /* WITH_ADS */
 
-       status = libnet_join_joindomain_rpc(mem_ctx, r);
+       status = libnet_join_joindomain_rpc(mem_ctx, r, cli);
        if (!NT_STATUS_IS_OK(status)) {
                libnet_join_set_error_string(mem_ctx, r,
-                       "failed to join domain over rpc: %s",
-                       get_friendly_nt_error_msg(status));
+                       "failed to join domain '%s' over rpc: %s",
+                       r->in.domain_name, get_friendly_nt_error_msg(status));
                if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
                        return WERR_SETUP_ALREADY_JOINED;
                }
-               return ntstatus_to_werror(status);
+               werr = ntstatus_to_werror(status);
+               goto done;
        }
 
        if (!libnet_join_joindomain_store_secrets(mem_ctx, r)) {
-               return WERR_SETUP_NOT_JOINED;
+               werr = WERR_SETUP_NOT_JOINED;
+               goto done;
        }
 
-#ifdef WITH_ADS
-       if (r->out.domain_is_ad) {
-               ads_status  = libnet_join_post_processing_ads(mem_ctx, r);
-               if (!ADS_ERR_OK(ads_status)) {
-                       return WERR_GENERAL_FAILURE;
-               }
+       werr = WERR_OK;
+
+ done:
+       if (cli) {
+               cli_shutdown(cli);
        }
-#endif /* WITH_ADS */
 
-       return WERR_OK;
+       return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR libnet_join_rollback(TALLOC_CTX *mem_ctx,
+                                  struct libnet_JoinCtx *r)
+{
+       WERROR werr;
+       struct libnet_UnjoinCtx *u = NULL;
+
+       werr = libnet_init_UnjoinCtx(mem_ctx, &u);
+       if (!W_ERROR_IS_OK(werr)) {
+               return werr;
+       }
+
+       u->in.debug             = r->in.debug;
+       u->in.dc_name           = r->in.dc_name;
+       u->in.domain_name       = r->in.domain_name;
+       u->in.admin_account     = r->in.admin_account;
+       u->in.admin_password    = r->in.admin_password;
+       u->in.modify_config     = r->in.modify_config;
+       u->in.unjoin_flags      = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
+                                 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
+
+       werr = libnet_Unjoin(mem_ctx, u);
+       TALLOC_FREE(u);
+
+       return werr;
 }
 
 /****************************************************************
@@ -1598,17 +1884,20 @@ WERROR libnet_Join(TALLOC_CTX *mem_ctx,
                if (!W_ERROR_IS_OK(werr)) {
                        goto done;
                }
-
-               werr = libnet_join_post_verify(mem_ctx, r);
-               if (!W_ERROR_IS_OK(werr)) {
-                       goto done;
-               }
        }
 
        werr = libnet_join_post_processing(mem_ctx, r);
        if (!W_ERROR_IS_OK(werr)) {
                goto done;
        }
+
+       if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
+               werr = libnet_join_post_verify(mem_ctx, r);
+               if (!W_ERROR_IS_OK(werr)) {
+                       libnet_join_rollback(mem_ctx, r);
+               }
+       }
+
  done:
        r->out.result = werr;
 
@@ -1639,7 +1928,9 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
 
        if (!r->in.dc_name) {
                struct netr_DsRGetDCNameInfo *info;
+               const char *dc;
                status = dsgetdcname(mem_ctx,
+                                    r->in.msg_ctx,
                                     r->in.domain_name,
                                     NULL,
                                     NULL,
@@ -1655,8 +1946,8 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
                        return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
                }
 
-               r->in.dc_name = talloc_strdup(mem_ctx,
-                                             info->dc_unc);
+               dc = strip_hostname(info->dc_unc);
+               r->in.dc_name = talloc_strdup(mem_ctx, dc);
                W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
        }
 
@@ -1717,13 +2008,6 @@ static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx,
                return WERR_INVALID_PARAM;
        }
 
-       if (r->in.modify_config && !lp_config_backend_is_registry()) {
-               libnet_unjoin_set_error_string(mem_ctx, r,
-                       "Configuration manipulation requested but not "
-                       "supported by backend");
-               return WERR_NOT_SUPPORTED;
-       }
-
        if (IS_DC) {
                return WERR_SETUP_DOMAIN_CONTROLLER;
        }