2 * Unix SMB/CIFS implementation.
4 * Copyright (C) Gerald (Jerry) Carter 2006
5 * Copyright (C) Guenther Deschner 2007-2008
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "libnet/libnet.h"
24 /****************************************************************
25 ****************************************************************/
27 #define LIBNET_JOIN_DUMP_CTX(ctx, r, f) \
30 str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_JoinCtx, f, r); \
31 DEBUG(1,("libnet_Join:\n%s", str)); \
35 #define LIBNET_JOIN_IN_DUMP_CTX(ctx, r) \
36 LIBNET_JOIN_DUMP_CTX(ctx, r, NDR_IN | NDR_SET_VALUES)
37 #define LIBNET_JOIN_OUT_DUMP_CTX(ctx, r) \
38 LIBNET_JOIN_DUMP_CTX(ctx, r, NDR_OUT)
40 #define LIBNET_UNJOIN_DUMP_CTX(ctx, r, f) \
43 str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_UnjoinCtx, f, r); \
44 DEBUG(1,("libnet_Unjoin:\n%s", str)); \
48 #define LIBNET_UNJOIN_IN_DUMP_CTX(ctx, r) \
49 LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_IN | NDR_SET_VALUES)
50 #define LIBNET_UNJOIN_OUT_DUMP_CTX(ctx, r) \
51 LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_OUT)
53 static void init_lsa_String(struct lsa_String *name, const char *s)
58 /****************************************************************
59 ****************************************************************/
61 static void libnet_join_set_error_string(TALLOC_CTX *mem_ctx,
62 struct libnet_JoinCtx *r,
63 const char *format, ...)
67 if (r->out.error_string) {
71 va_start(args, format);
72 r->out.error_string = talloc_vasprintf(mem_ctx, format, args);
76 /****************************************************************
77 ****************************************************************/
79 static void libnet_unjoin_set_error_string(TALLOC_CTX *mem_ctx,
80 struct libnet_UnjoinCtx *r,
81 const char *format, ...)
85 if (r->out.error_string) {
89 va_start(args, format);
90 r->out.error_string = talloc_vasprintf(mem_ctx, format, args);
96 /****************************************************************
97 ****************************************************************/
99 static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
100 const char *netbios_domain_name,
102 const char *user_name,
103 const char *password,
107 ADS_STRUCT *my_ads = NULL;
109 my_ads = ads_init(dns_domain_name,
113 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
117 SAFE_FREE(my_ads->auth.user_name);
118 my_ads->auth.user_name = SMB_STRDUP(user_name);
122 SAFE_FREE(my_ads->auth.password);
123 my_ads->auth.password = SMB_STRDUP(password);
126 status = ads_connect(my_ads);
127 if (!ADS_ERR_OK(status)) {
128 ads_destroy(&my_ads);
136 /****************************************************************
137 ****************************************************************/
139 static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
140 struct libnet_JoinCtx *r)
144 status = libnet_connect_ads(r->in.domain_name,
148 r->in.admin_password,
150 if (!ADS_ERR_OK(status)) {
151 libnet_join_set_error_string(mem_ctx, r,
152 "failed to connect to AD: %s",
159 /****************************************************************
160 ****************************************************************/
162 static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx,
163 struct libnet_UnjoinCtx *r)
167 status = libnet_connect_ads(r->in.domain_name,
171 r->in.admin_password,
173 if (!ADS_ERR_OK(status)) {
174 libnet_unjoin_set_error_string(mem_ctx, r,
175 "failed to connect to AD: %s",
182 /****************************************************************
183 ****************************************************************/
185 static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx,
186 struct libnet_JoinCtx *r)
189 LDAPMessage *res = NULL;
190 const char *attrs[] = { "dn", NULL };
192 status = ads_search_dn(r->in.ads, &res, r->in.account_ou, attrs);
193 if (!ADS_ERR_OK(status)) {
197 if (ads_count_replies(r->in.ads, res) != 1) {
198 ads_msgfree(r->in.ads, res);
199 return ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT);
202 status = ads_create_machine_acct(r->in.ads,
205 ads_msgfree(r->in.ads, res);
207 if ((status.error_type == ENUM_ADS_ERROR_LDAP) &&
208 (status.err.rc == LDAP_ALREADY_EXISTS)) {
209 status = ADS_SUCCESS;
215 /****************************************************************
216 ****************************************************************/
218 static ADS_STATUS libnet_unjoin_remove_machine_acct(TALLOC_CTX *mem_ctx,
219 struct libnet_UnjoinCtx *r)
224 status = libnet_unjoin_connect_ads(mem_ctx, r);
225 if (!ADS_ERR_OK(status)) {
230 status = ads_leave_realm(r->in.ads, r->in.machine_name);
231 if (!ADS_ERR_OK(status)) {
232 libnet_unjoin_set_error_string(mem_ctx, r,
233 "failed to leave realm: %s",
241 /****************************************************************
242 ****************************************************************/
244 static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx,
245 struct libnet_JoinCtx *r)
248 LDAPMessage *res = NULL;
251 if (!r->in.machine_name) {
252 return ADS_ERROR(LDAP_NO_MEMORY);
255 status = ads_find_machine_acct(r->in.ads,
258 if (!ADS_ERR_OK(status)) {
262 if (ads_count_replies(r->in.ads, res) != 1) {
263 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
267 dn = ads_get_dn(r->in.ads, res);
269 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
273 r->out.dn = talloc_strdup(mem_ctx, dn);
275 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
280 ads_msgfree(r->in.ads, res);
281 ads_memfree(r->in.ads, dn);
286 /****************************************************************
287 ****************************************************************/
289 static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
290 struct libnet_JoinCtx *r)
295 const char *spn_array[3] = {NULL, NULL, NULL};
299 status = libnet_join_connect_ads(mem_ctx, r);
300 if (!ADS_ERR_OK(status)) {
305 status = libnet_join_find_machine_acct(mem_ctx, r);
306 if (!ADS_ERR_OK(status)) {
310 spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
312 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
317 if (name_to_fqdn(my_fqdn, r->in.machine_name) &&
318 !strequal(my_fqdn, r->in.machine_name)) {
321 spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
323 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
328 mods = ads_init_mods(mem_ctx);
330 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
333 status = ads_mod_str(mem_ctx, &mods, "dNSHostName", my_fqdn);
334 if (!ADS_ERR_OK(status)) {
335 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
338 status = ads_mod_strlist(mem_ctx, &mods, "servicePrincipalName",
340 if (!ADS_ERR_OK(status)) {
341 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
344 return ads_gen_mod(r->in.ads, r->out.dn, mods);
347 /****************************************************************
348 ****************************************************************/
350 static ADS_STATUS libnet_join_set_machine_upn(TALLOC_CTX *mem_ctx,
351 struct libnet_JoinCtx *r)
356 if (!r->in.create_upn) {
361 status = libnet_join_connect_ads(mem_ctx, r);
362 if (!ADS_ERR_OK(status)) {
367 status = libnet_join_find_machine_acct(mem_ctx, r);
368 if (!ADS_ERR_OK(status)) {
373 r->in.upn = talloc_asprintf(mem_ctx,
376 r->out.dns_domain_name);
378 return ADS_ERROR(LDAP_NO_MEMORY);
382 mods = ads_init_mods(mem_ctx);
384 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
387 status = ads_mod_str(mem_ctx, &mods, "userPrincipalName", r->in.upn);
388 if (!ADS_ERR_OK(status)) {
389 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
392 return ads_gen_mod(r->in.ads, r->out.dn, mods);
396 /****************************************************************
397 ****************************************************************/
399 static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
400 struct libnet_JoinCtx *r)
406 if (!r->in.os_name || !r->in.os_version ) {
411 status = libnet_join_connect_ads(mem_ctx, r);
412 if (!ADS_ERR_OK(status)) {
417 status = libnet_join_find_machine_acct(mem_ctx, r);
418 if (!ADS_ERR_OK(status)) {
422 mods = ads_init_mods(mem_ctx);
424 return ADS_ERROR(LDAP_NO_MEMORY);
427 os_sp = talloc_asprintf(mem_ctx, "Samba %s", SAMBA_VERSION_STRING);
429 return ADS_ERROR(LDAP_NO_MEMORY);
432 status = ads_mod_str(mem_ctx, &mods, "operatingSystem",
434 if (!ADS_ERR_OK(status)) {
438 status = ads_mod_str(mem_ctx, &mods, "operatingSystemVersion",
440 if (!ADS_ERR_OK(status)) {
444 status = ads_mod_str(mem_ctx, &mods, "operatingSystemServicePack",
446 if (!ADS_ERR_OK(status)) {
450 return ads_gen_mod(r->in.ads, r->out.dn, mods);
453 /****************************************************************
454 ****************************************************************/
456 static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
457 struct libnet_JoinCtx *r)
459 if (!lp_use_kerberos_keytab()) {
463 if (!ads_keytab_create_default(r->in.ads)) {
470 /****************************************************************
471 ****************************************************************/
473 static bool libnet_join_derive_salting_principal(TALLOC_CTX *mem_ctx,
474 struct libnet_JoinCtx *r)
476 uint32_t domain_func;
478 const char *salt = NULL;
479 char *std_salt = NULL;
481 status = ads_domain_func_level(r->in.ads, &domain_func);
482 if (!ADS_ERR_OK(status)) {
483 libnet_join_set_error_string(mem_ctx, r,
484 "failed to determine domain functional level: %s",
489 std_salt = kerberos_standard_des_salt();
491 libnet_join_set_error_string(mem_ctx, r,
492 "failed to obtain standard DES salt");
496 salt = talloc_strdup(mem_ctx, std_salt);
503 if (domain_func == DS_DOMAIN_FUNCTION_2000) {
506 upn = ads_get_upn(r->in.ads, mem_ctx,
509 salt = talloc_strdup(mem_ctx, upn);
516 return kerberos_secrets_store_des_salt(salt);
519 /****************************************************************
520 ****************************************************************/
522 static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
523 struct libnet_JoinCtx *r)
527 status = libnet_join_set_machine_spn(mem_ctx, r);
528 if (!ADS_ERR_OK(status)) {
529 libnet_join_set_error_string(mem_ctx, r,
530 "failed to set machine spn: %s",
535 status = libnet_join_set_os_attributes(mem_ctx, r);
536 if (!ADS_ERR_OK(status)) {
537 libnet_join_set_error_string(mem_ctx, r,
538 "failed to set machine os attributes: %s",
543 status = libnet_join_set_machine_upn(mem_ctx, r);
544 if (!ADS_ERR_OK(status)) {
545 libnet_join_set_error_string(mem_ctx, r,
546 "failed to set machine upn: %s",
551 if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
552 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
555 if (!libnet_join_create_keytab(mem_ctx, r)) {
556 libnet_join_set_error_string(mem_ctx, r,
557 "failed to create kerberos keytab");
558 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
563 #endif /* WITH_ADS */
565 /****************************************************************
566 ****************************************************************/
568 static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx,
569 struct libnet_JoinCtx *r)
571 if (!secrets_store_domain_sid(r->out.netbios_domain_name,
577 if (!secrets_store_machine_password(r->in.machine_password,
578 r->out.netbios_domain_name,
587 /****************************************************************
588 ****************************************************************/
590 static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
591 struct libnet_JoinCtx *r)
593 struct cli_state *cli = NULL;
594 struct rpc_pipe_client *pipe_hnd = NULL;
595 POLICY_HND sam_pol, domain_pol, user_pol, lsa_pol;
596 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
598 struct lsa_String lsa_acct_name;
600 uint32 acb_info = ACB_WSTRUST;
602 struct MD5Context md5ctx;
604 DATA_BLOB digested_session_key;
605 uchar md4_trust_password[16];
606 union lsa_PolicyInformation *info = NULL;
607 struct samr_Ids user_rids;
608 struct samr_Ids name_types;
609 union samr_UserInfo user_info;
611 if (!r->in.machine_password) {
612 r->in.machine_password = talloc_strdup(mem_ctx, generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH));
613 NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
616 status = cli_full_connection(&cli, NULL,
622 r->in.admin_password,
626 if (!NT_STATUS_IS_OK(status)) {
630 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &status);
635 status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True,
636 SEC_RIGHTS_MAXIMUM_ALLOWED, &lsa_pol);
637 if (!NT_STATUS_IS_OK(status)) {
641 status = rpccli_lsa_QueryInfoPolicy2(pipe_hnd, mem_ctx,
645 if (NT_STATUS_IS_OK(status)) {
646 r->out.domain_is_ad = true;
647 r->out.netbios_domain_name = info->dns.name.string;
648 r->out.dns_domain_name = info->dns.dns_domain.string;
649 r->out.domain_sid = info->dns.sid;
652 if (!NT_STATUS_IS_OK(status)) {
653 status = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
655 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
657 if (!NT_STATUS_IS_OK(status)) {
661 r->out.netbios_domain_name = info->account_domain.name.string;
662 r->out.domain_sid = info->account_domain.sid;
665 rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol);
666 cli_rpc_pipe_close(pipe_hnd);
668 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &status);
673 status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
674 pipe_hnd->cli->desthost,
675 SEC_RIGHTS_MAXIMUM_ALLOWED,
677 if (!NT_STATUS_IS_OK(status)) {
681 status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
683 SEC_RIGHTS_MAXIMUM_ALLOWED,
686 if (!NT_STATUS_IS_OK(status)) {
690 acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name);
691 strlower_m(acct_name);
693 init_lsa_String(&lsa_acct_name, acct_name);
695 if (r->in.join_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE) {
696 uint32_t acct_flags =
697 SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE |
698 SEC_STD_WRITE_DAC | SEC_STD_DELETE |
699 SAMR_USER_ACCESS_SET_PASSWORD |
700 SAMR_USER_ACCESS_GET_ATTRIBUTES |
701 SAMR_USER_ACCESS_SET_ATTRIBUTES;
702 uint32_t access_granted = 0;
704 status = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx,
712 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
713 if (!(r->in.join_flags &
714 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED)) {
719 if (NT_STATUS_IS_OK(status)) {
720 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
724 status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
730 if (!NT_STATUS_IS_OK(status)) {
734 if (name_types.ids[0] != SID_NAME_USER) {
735 status = NT_STATUS_INVALID_WORKSTATION;
739 user_rid = user_rids.ids[0];
741 status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
743 SEC_RIGHTS_MAXIMUM_ALLOWED,
746 if (!NT_STATUS_IS_OK(status)) {
750 E_md4hash(r->in.machine_password, md4_trust_password);
751 encode_pw_buffer(pwbuf, r->in.machine_password, STR_UNICODE);
753 generate_random_buffer((uint8*)md5buffer, sizeof(md5buffer));
754 digested_session_key = data_blob_talloc(mem_ctx, 0, 16);
757 MD5Update(&md5ctx, md5buffer, sizeof(md5buffer));
758 MD5Update(&md5ctx, cli->user_session_key.data,
759 cli->user_session_key.length);
760 MD5Final(digested_session_key.data, &md5ctx);
762 SamOEMhashBlob(pwbuf, sizeof(pwbuf), &digested_session_key);
763 memcpy(&pwbuf[516], md5buffer, sizeof(md5buffer));
765 acb_info |= ACB_PWNOEXP;
766 if (r->out.domain_is_ad) {
767 #if !defined(ENCTYPE_ARCFOUR_HMAC)
768 acb_info |= ACB_USE_DES_KEY_ONLY;
773 ZERO_STRUCT(user_info.info25);
775 user_info.info25.info.fields_present = ACCT_NT_PWD_SET |
777 SAMR_FIELD_ACCT_FLAGS;
778 user_info.info25.info.acct_flags = acb_info;
779 memcpy(&user_info.info25.password.data, pwbuf, sizeof(pwbuf));
781 status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
785 if (!NT_STATUS_IS_OK(status)) {
789 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
790 cli_rpc_pipe_close(pipe_hnd);
792 status = NT_STATUS_OK;
801 /****************************************************************
802 ****************************************************************/
804 static bool libnet_join_unjoindomain_remove_secrets(TALLOC_CTX *mem_ctx,
805 struct libnet_UnjoinCtx *r)
807 if (!secrets_delete_machine_password_ex(lp_workgroup())) {
811 if (!secrets_delete_domain_sid(lp_workgroup())) {
818 /****************************************************************
819 ****************************************************************/
821 static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
822 struct libnet_UnjoinCtx *r)
824 struct cli_state *cli = NULL;
825 struct rpc_pipe_client *pipe_hnd = NULL;
826 POLICY_HND sam_pol, domain_pol, user_pol;
827 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
830 struct lsa_String lsa_acct_name;
831 struct samr_Ids user_rids;
832 struct samr_Ids name_types;
833 union samr_UserInfo *info = NULL;
835 status = cli_full_connection(&cli, NULL,
841 r->in.admin_password,
844 if (!NT_STATUS_IS_OK(status)) {
848 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &status);
853 status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
854 pipe_hnd->cli->desthost,
855 SEC_RIGHTS_MAXIMUM_ALLOWED,
857 if (!NT_STATUS_IS_OK(status)) {
861 status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
863 SEC_RIGHTS_MAXIMUM_ALLOWED,
866 if (!NT_STATUS_IS_OK(status)) {
870 acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name);
871 strlower_m(acct_name);
873 init_lsa_String(&lsa_acct_name, acct_name);
875 status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
882 if (!NT_STATUS_IS_OK(status)) {
886 if (name_types.ids[0] != SID_NAME_USER) {
887 status = NT_STATUS_INVALID_WORKSTATION;
891 user_rid = user_rids.ids[0];
893 status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
895 SEC_RIGHTS_MAXIMUM_ALLOWED,
898 if (!NT_STATUS_IS_OK(status)) {
902 status = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx,
906 if (!NT_STATUS_IS_OK(status)) {
907 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
911 info->info16.acct_flags |= ACB_DISABLED;
913 status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
918 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
922 rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
923 rpccli_samr_Close(pipe_hnd, mem_ctx, &sam_pol);
924 cli_rpc_pipe_close(pipe_hnd);
934 /****************************************************************
935 ****************************************************************/
937 static WERROR do_join_modify_vals_config(struct libnet_JoinCtx *r)
940 struct libnet_conf_ctx *ctx;
942 werr = libnet_conf_open(r, &ctx);
943 if (!W_ERROR_IS_OK(werr)) {
947 if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE)) {
949 werr = libnet_conf_set_global_parameter(ctx, "security", "user");
950 if (!W_ERROR_IS_OK(werr)) {
954 werr = libnet_conf_set_global_parameter(ctx, "workgroup",
959 werr = libnet_conf_set_global_parameter(ctx, "security", "domain");
960 if (!W_ERROR_IS_OK(werr)) {
964 werr = libnet_conf_set_global_parameter(ctx, "workgroup",
965 r->out.netbios_domain_name);
966 if (!W_ERROR_IS_OK(werr)) {
970 if (r->out.domain_is_ad) {
971 werr = libnet_conf_set_global_parameter(ctx, "security", "ads");
972 if (!W_ERROR_IS_OK(werr)) {
976 werr = libnet_conf_set_global_parameter(ctx, "realm",
977 r->out.dns_domain_name);
981 libnet_conf_close(ctx);
985 /****************************************************************
986 ****************************************************************/
988 static WERROR do_unjoin_modify_vals_config(struct libnet_UnjoinCtx *r)
990 WERROR werr = WERR_OK;
991 struct libnet_conf_ctx *ctx;
993 werr = libnet_conf_open(r, &ctx);
994 if (!W_ERROR_IS_OK(werr)) {
998 if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1000 werr = libnet_conf_set_global_parameter(ctx, "security", "user");
1001 if (!W_ERROR_IS_OK(werr)) {
1006 libnet_conf_delete_global_parameter(ctx, "realm");
1009 libnet_conf_close(ctx);
1013 /****************************************************************
1014 ****************************************************************/
1016 static WERROR do_JoinConfig(struct libnet_JoinCtx *r)
1020 if (!W_ERROR_IS_OK(r->out.result)) {
1021 return r->out.result;
1024 if (!r->in.modify_config) {
1028 werr = do_join_modify_vals_config(r);
1029 if (!W_ERROR_IS_OK(werr)) {
1033 r->out.modified_config = true;
1034 r->out.result = werr;
1039 /****************************************************************
1040 ****************************************************************/
1042 static WERROR do_UnjoinConfig(struct libnet_UnjoinCtx *r)
1046 if (!W_ERROR_IS_OK(r->out.result)) {
1047 return r->out.result;
1050 if (!r->in.modify_config) {
1054 werr = do_unjoin_modify_vals_config(r);
1055 if (!W_ERROR_IS_OK(werr)) {
1059 r->out.modified_config = true;
1060 r->out.result = werr;
1065 /****************************************************************
1066 ****************************************************************/
1068 static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
1069 struct libnet_JoinCtx *r)
1072 if (!r->in.domain_name) {
1073 return WERR_INVALID_PARAM;
1076 if (r->in.modify_config && !lp_config_backend_is_registry()) {
1077 return WERR_NOT_SUPPORTED;
1081 return WERR_SETUP_DOMAIN_CONTROLLER;
1084 if (!secrets_init()) {
1085 libnet_join_set_error_string(mem_ctx, r,
1086 "Unable to open secrets database");
1087 return WERR_CAN_NOT_COMPLETE;
1093 /****************************************************************
1094 ****************************************************************/
1096 static WERROR libnet_join_post_processing(TALLOC_CTX *mem_ctx,
1097 struct libnet_JoinCtx *r)
1101 if (!W_ERROR_IS_OK(r->out.result)) {
1102 return r->out.result;
1105 werr = do_JoinConfig(r);
1106 if (!W_ERROR_IS_OK(werr)) {
1110 if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1111 saf_store(r->in.domain_name, r->in.dc_name);
1117 /****************************************************************
1118 ****************************************************************/
1120 static int libnet_destroy_JoinCtx(struct libnet_JoinCtx *r)
1123 ads_destroy(&r->in.ads);
1129 /****************************************************************
1130 ****************************************************************/
1132 static int libnet_destroy_UnjoinCtx(struct libnet_UnjoinCtx *r)
1135 ads_destroy(&r->in.ads);
1141 /****************************************************************
1142 ****************************************************************/
1144 WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
1145 struct libnet_JoinCtx **r)
1147 struct libnet_JoinCtx *ctx;
1149 ctx = talloc_zero(mem_ctx, struct libnet_JoinCtx);
1154 talloc_set_destructor(ctx, libnet_destroy_JoinCtx);
1156 ctx->in.machine_name = talloc_strdup(mem_ctx, global_myname());
1157 W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
1164 /****************************************************************
1165 ****************************************************************/
1167 WERROR libnet_init_UnjoinCtx(TALLOC_CTX *mem_ctx,
1168 struct libnet_UnjoinCtx **r)
1170 struct libnet_UnjoinCtx *ctx;
1172 ctx = talloc_zero(mem_ctx, struct libnet_UnjoinCtx);
1177 talloc_set_destructor(ctx, libnet_destroy_UnjoinCtx);
1179 ctx->in.machine_name = talloc_strdup(mem_ctx, global_myname());
1180 W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
1187 /****************************************************************
1188 ****************************************************************/
1190 static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
1191 struct libnet_JoinCtx *r)
1195 ADS_STATUS ads_status;
1196 #endif /* WITH_ADS */
1198 if (!r->in.dc_name) {
1199 struct DS_DOMAIN_CONTROLLER_INFO *info;
1200 status = dsgetdcname(mem_ctx,
1204 DS_DIRECTORY_SERVICE_REQUIRED |
1205 DS_WRITABLE_REQUIRED |
1208 if (!NT_STATUS_IS_OK(status)) {
1209 libnet_join_set_error_string(mem_ctx, r,
1210 "failed to find DC for domain %s",
1212 get_friendly_nt_error_msg(status));
1213 return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
1216 r->in.dc_name = talloc_strdup(mem_ctx,
1217 info->domain_controller_name);
1218 W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
1222 if (r->in.account_ou) {
1224 ads_status = libnet_join_connect_ads(mem_ctx, r);
1225 if (!ADS_ERR_OK(ads_status)) {
1226 return WERR_DEFAULT_JOIN_REQUIRED;
1229 ads_status = libnet_join_precreate_machine_acct(mem_ctx, r);
1230 if (!ADS_ERR_OK(ads_status)) {
1231 libnet_join_set_error_string(mem_ctx, r,
1232 "failed to precreate account in ou %s: %s",
1234 ads_errstr(ads_status));
1235 return WERR_DEFAULT_JOIN_REQUIRED;
1238 r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE;
1240 #endif /* WITH_ADS */
1242 status = libnet_join_joindomain_rpc(mem_ctx, r);
1243 if (!NT_STATUS_IS_OK(status)) {
1244 libnet_join_set_error_string(mem_ctx, r,
1245 "failed to join domain over rpc: %s",
1246 get_friendly_nt_error_msg(status));
1247 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
1248 return WERR_SETUP_ALREADY_JOINED;
1250 return ntstatus_to_werror(status);
1253 if (!libnet_join_joindomain_store_secrets(mem_ctx, r)) {
1254 return WERR_SETUP_NOT_JOINED;
1258 if (r->out.domain_is_ad) {
1259 ads_status = libnet_join_post_processing_ads(mem_ctx, r);
1260 if (!ADS_ERR_OK(ads_status)) {
1261 return WERR_GENERAL_FAILURE;
1264 #endif /* WITH_ADS */
1269 /****************************************************************
1270 ****************************************************************/
1272 WERROR libnet_Join(TALLOC_CTX *mem_ctx,
1273 struct libnet_JoinCtx *r)
1278 LIBNET_JOIN_IN_DUMP_CTX(mem_ctx, r);
1281 werr = libnet_join_pre_processing(mem_ctx, r);
1282 if (!W_ERROR_IS_OK(werr)) {
1286 if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1287 werr = libnet_DomainJoin(mem_ctx, r);
1288 if (!W_ERROR_IS_OK(werr)) {
1293 werr = libnet_join_post_processing(mem_ctx, r);
1294 if (!W_ERROR_IS_OK(werr)) {
1298 r->out.result = werr;
1301 LIBNET_JOIN_OUT_DUMP_CTX(mem_ctx, r);
1306 /****************************************************************
1307 ****************************************************************/
1309 static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
1310 struct libnet_UnjoinCtx *r)
1314 if (!r->in.domain_sid) {
1316 if (!secrets_fetch_domain_sid(lp_workgroup(), &sid)) {
1317 libnet_unjoin_set_error_string(mem_ctx, r,
1318 "Unable to fetch domain sid: are we joined?");
1319 return WERR_SETUP_NOT_JOINED;
1321 r->in.domain_sid = sid_dup_talloc(mem_ctx, &sid);
1322 W_ERROR_HAVE_NO_MEMORY(r->in.domain_sid);
1325 if (!r->in.dc_name) {
1326 struct DS_DOMAIN_CONTROLLER_INFO *info;
1327 status = dsgetdcname(mem_ctx,
1331 DS_DIRECTORY_SERVICE_REQUIRED |
1332 DS_WRITABLE_REQUIRED |
1335 if (!NT_STATUS_IS_OK(status)) {
1336 libnet_unjoin_set_error_string(mem_ctx, r,
1337 "failed to find DC for domain %s",
1339 get_friendly_nt_error_msg(status));
1340 return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
1343 r->in.dc_name = talloc_strdup(mem_ctx,
1344 info->domain_controller_name);
1345 W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
1348 status = libnet_join_unjoindomain_rpc(mem_ctx, r);
1349 if (!NT_STATUS_IS_OK(status)) {
1350 libnet_unjoin_set_error_string(mem_ctx, r,
1351 "failed to disable machine account via rpc: %s",
1352 get_friendly_nt_error_msg(status));
1353 if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1354 return WERR_SETUP_NOT_JOINED;
1356 return ntstatus_to_werror(status);
1360 if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) {
1361 ADS_STATUS ads_status;
1362 libnet_unjoin_connect_ads(mem_ctx, r);
1363 ads_status = libnet_unjoin_remove_machine_acct(mem_ctx, r);
1364 if (!ADS_ERR_OK(ads_status)) {
1365 libnet_unjoin_set_error_string(mem_ctx, r,
1366 "failed to remove machine account from AD: %s",
1367 ads_errstr(ads_status));
1370 #endif /* WITH_ADS */
1372 libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
1377 /****************************************************************
1378 ****************************************************************/
1380 static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx,
1381 struct libnet_UnjoinCtx *r)
1383 if (r->in.modify_config && !lp_config_backend_is_registry()) {
1384 return WERR_NOT_SUPPORTED;
1387 if (!secrets_init()) {
1388 libnet_unjoin_set_error_string(mem_ctx, r,
1389 "Unable to open secrets database");
1390 return WERR_CAN_NOT_COMPLETE;
1397 /****************************************************************
1398 ****************************************************************/
1400 WERROR libnet_Unjoin(TALLOC_CTX *mem_ctx,
1401 struct libnet_UnjoinCtx *r)
1406 LIBNET_UNJOIN_IN_DUMP_CTX(mem_ctx, r);
1409 werr = libnet_unjoin_pre_processing(mem_ctx, r);
1410 if (!W_ERROR_IS_OK(werr)) {
1414 if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1415 werr = libnet_DomainUnjoin(mem_ctx, r);
1416 if (!W_ERROR_IS_OK(werr)) {
1421 werr = do_UnjoinConfig(r);
1422 if (!W_ERROR_IS_OK(werr)) {
1427 r->out.result = werr;
1430 LIBNET_UNJOIN_OUT_DUMP_CTX(mem_ctx, r);