2 * Unix SMB/CIFS implementation.
4 * Copyright (C) Gerald (Jerry) Carter 2006
5 * Copyright (C) Guenther Deschner 2007-2008
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "libnet/libnet.h"
24 /****************************************************************
25 ****************************************************************/
27 #define LIBNET_JOIN_DUMP_CTX(ctx, r, f) \
30 str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_JoinCtx, f, r); \
31 DEBUG(1,("libnet_Join:\n%s", str)); \
35 #define LIBNET_JOIN_IN_DUMP_CTX(ctx, r) \
36 LIBNET_JOIN_DUMP_CTX(ctx, r, NDR_IN | NDR_SET_VALUES)
37 #define LIBNET_JOIN_OUT_DUMP_CTX(ctx, r) \
38 LIBNET_JOIN_DUMP_CTX(ctx, r, NDR_OUT)
40 #define LIBNET_UNJOIN_DUMP_CTX(ctx, r, f) \
43 str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_UnjoinCtx, f, r); \
44 DEBUG(1,("libnet_Unjoin:\n%s", str)); \
48 #define LIBNET_UNJOIN_IN_DUMP_CTX(ctx, r) \
49 LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_IN | NDR_SET_VALUES)
50 #define LIBNET_UNJOIN_OUT_DUMP_CTX(ctx, r) \
51 LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_OUT)
53 static void init_lsa_String(struct lsa_String *name, const char *s)
58 /****************************************************************
59 ****************************************************************/
61 static void libnet_join_set_error_string(TALLOC_CTX *mem_ctx,
62 struct libnet_JoinCtx *r,
63 const char *format, ...)
67 if (r->out.error_string) {
71 va_start(args, format);
72 r->out.error_string = talloc_vasprintf(mem_ctx, format, args);
76 /****************************************************************
77 ****************************************************************/
79 static void libnet_unjoin_set_error_string(TALLOC_CTX *mem_ctx,
80 struct libnet_UnjoinCtx *r,
81 const char *format, ...)
85 if (r->out.error_string) {
89 va_start(args, format);
90 r->out.error_string = talloc_vasprintf(mem_ctx, format, args);
96 /****************************************************************
97 ****************************************************************/
99 static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
100 const char *netbios_domain_name,
102 const char *user_name,
103 const char *password,
107 ADS_STRUCT *my_ads = NULL;
109 my_ads = ads_init(dns_domain_name,
113 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
117 SAFE_FREE(my_ads->auth.user_name);
118 my_ads->auth.user_name = SMB_STRDUP(user_name);
122 SAFE_FREE(my_ads->auth.password);
123 my_ads->auth.password = SMB_STRDUP(password);
126 status = ads_connect(my_ads);
127 if (!ADS_ERR_OK(status)) {
128 ads_destroy(&my_ads);
136 /****************************************************************
137 ****************************************************************/
139 static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
140 struct libnet_JoinCtx *r)
144 status = libnet_connect_ads(r->in.domain_name,
148 r->in.admin_password,
150 if (!ADS_ERR_OK(status)) {
151 libnet_join_set_error_string(mem_ctx, r,
152 "failed to connect to AD: %s",
159 /****************************************************************
160 ****************************************************************/
162 static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx,
163 struct libnet_UnjoinCtx *r)
167 status = libnet_connect_ads(r->in.domain_name,
171 r->in.admin_password,
173 if (!ADS_ERR_OK(status)) {
174 libnet_unjoin_set_error_string(mem_ctx, r,
175 "failed to connect to AD: %s",
182 /****************************************************************
183 ****************************************************************/
185 static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx,
186 struct libnet_JoinCtx *r)
189 LDAPMessage *res = NULL;
190 const char *attrs[] = { "dn", NULL };
192 status = ads_search_dn(r->in.ads, &res, r->in.account_ou, attrs);
193 if (!ADS_ERR_OK(status)) {
197 if (ads_count_replies(r->in.ads, res) != 1) {
198 ads_msgfree(r->in.ads, res);
199 return ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT);
202 status = ads_create_machine_acct(r->in.ads,
205 ads_msgfree(r->in.ads, res);
207 if ((status.error_type == ENUM_ADS_ERROR_LDAP) &&
208 (status.err.rc == LDAP_ALREADY_EXISTS)) {
209 status = ADS_SUCCESS;
215 /****************************************************************
216 ****************************************************************/
218 static ADS_STATUS libnet_unjoin_remove_machine_acct(TALLOC_CTX *mem_ctx,
219 struct libnet_UnjoinCtx *r)
224 status = libnet_unjoin_connect_ads(mem_ctx, r);
225 if (!ADS_ERR_OK(status)) {
230 status = ads_leave_realm(r->in.ads, r->in.machine_name);
231 if (!ADS_ERR_OK(status)) {
232 libnet_unjoin_set_error_string(mem_ctx, r,
233 "failed to leave realm: %s",
241 /****************************************************************
242 ****************************************************************/
244 static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx,
245 struct libnet_JoinCtx *r)
248 LDAPMessage *res = NULL;
251 if (!r->in.machine_name) {
252 return ADS_ERROR(LDAP_NO_MEMORY);
255 status = ads_find_machine_acct(r->in.ads,
258 if (!ADS_ERR_OK(status)) {
262 if (ads_count_replies(r->in.ads, res) != 1) {
263 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
267 dn = ads_get_dn(r->in.ads, res);
269 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
273 r->out.dn = talloc_strdup(mem_ctx, dn);
275 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
280 ads_msgfree(r->in.ads, res);
281 ads_memfree(r->in.ads, dn);
286 /****************************************************************
287 ****************************************************************/
289 static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
290 struct libnet_JoinCtx *r)
295 const char *spn_array[3] = {NULL, NULL, NULL};
299 status = libnet_join_connect_ads(mem_ctx, r);
300 if (!ADS_ERR_OK(status)) {
305 status = libnet_join_find_machine_acct(mem_ctx, r);
306 if (!ADS_ERR_OK(status)) {
310 spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
312 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
317 if (name_to_fqdn(my_fqdn, r->in.machine_name) &&
318 !strequal(my_fqdn, r->in.machine_name)) {
321 spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
323 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
328 mods = ads_init_mods(mem_ctx);
330 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
333 status = ads_mod_str(mem_ctx, &mods, "dNSHostName", my_fqdn);
334 if (!ADS_ERR_OK(status)) {
335 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
338 status = ads_mod_strlist(mem_ctx, &mods, "servicePrincipalName",
340 if (!ADS_ERR_OK(status)) {
341 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
344 return ads_gen_mod(r->in.ads, r->out.dn, mods);
347 /****************************************************************
348 ****************************************************************/
350 static ADS_STATUS libnet_join_set_machine_upn(TALLOC_CTX *mem_ctx,
351 struct libnet_JoinCtx *r)
356 if (!r->in.create_upn) {
361 status = libnet_join_connect_ads(mem_ctx, r);
362 if (!ADS_ERR_OK(status)) {
367 status = libnet_join_find_machine_acct(mem_ctx, r);
368 if (!ADS_ERR_OK(status)) {
373 r->in.upn = talloc_asprintf(mem_ctx,
376 r->out.dns_domain_name);
378 return ADS_ERROR(LDAP_NO_MEMORY);
382 mods = ads_init_mods(mem_ctx);
384 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
387 status = ads_mod_str(mem_ctx, &mods, "userPrincipalName", r->in.upn);
388 if (!ADS_ERR_OK(status)) {
389 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
392 return ads_gen_mod(r->in.ads, r->out.dn, mods);
396 /****************************************************************
397 ****************************************************************/
399 static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
400 struct libnet_JoinCtx *r)
406 if (!r->in.os_name || !r->in.os_version ) {
411 status = libnet_join_connect_ads(mem_ctx, r);
412 if (!ADS_ERR_OK(status)) {
417 status = libnet_join_find_machine_acct(mem_ctx, r);
418 if (!ADS_ERR_OK(status)) {
422 mods = ads_init_mods(mem_ctx);
424 return ADS_ERROR(LDAP_NO_MEMORY);
427 os_sp = talloc_asprintf(mem_ctx, "Samba %s", SAMBA_VERSION_STRING);
429 return ADS_ERROR(LDAP_NO_MEMORY);
432 status = ads_mod_str(mem_ctx, &mods, "operatingSystem",
434 if (!ADS_ERR_OK(status)) {
438 status = ads_mod_str(mem_ctx, &mods, "operatingSystemVersion",
440 if (!ADS_ERR_OK(status)) {
444 status = ads_mod_str(mem_ctx, &mods, "operatingSystemServicePack",
446 if (!ADS_ERR_OK(status)) {
450 return ads_gen_mod(r->in.ads, r->out.dn, mods);
453 /****************************************************************
454 ****************************************************************/
456 static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
457 struct libnet_JoinCtx *r)
459 if (!lp_use_kerberos_keytab()) {
463 if (!ads_keytab_create_default(r->in.ads)) {
470 /****************************************************************
471 ****************************************************************/
473 static bool libnet_join_derive_salting_principal(TALLOC_CTX *mem_ctx,
474 struct libnet_JoinCtx *r)
476 uint32_t domain_func;
478 const char *salt = NULL;
479 char *std_salt = NULL;
481 status = ads_domain_func_level(r->in.ads, &domain_func);
482 if (!ADS_ERR_OK(status)) {
483 libnet_join_set_error_string(mem_ctx, r,
484 "failed to determine domain functional level: %s",
489 std_salt = kerberos_standard_des_salt();
491 libnet_join_set_error_string(mem_ctx, r,
492 "failed to obtain standard DES salt");
496 salt = talloc_strdup(mem_ctx, std_salt);
503 if (domain_func == DS_DOMAIN_FUNCTION_2000) {
506 upn = ads_get_upn(r->in.ads, mem_ctx,
509 salt = talloc_strdup(mem_ctx, upn);
516 return kerberos_secrets_store_des_salt(salt);
519 /****************************************************************
520 ****************************************************************/
522 static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
523 struct libnet_JoinCtx *r)
527 status = libnet_join_set_machine_spn(mem_ctx, r);
528 if (!ADS_ERR_OK(status)) {
529 libnet_join_set_error_string(mem_ctx, r,
530 "failed to set machine spn: %s",
535 status = libnet_join_set_os_attributes(mem_ctx, r);
536 if (!ADS_ERR_OK(status)) {
537 libnet_join_set_error_string(mem_ctx, r,
538 "failed to set machine os attributes: %s",
543 status = libnet_join_set_machine_upn(mem_ctx, r);
544 if (!ADS_ERR_OK(status)) {
545 libnet_join_set_error_string(mem_ctx, r,
546 "failed to set machine upn: %s",
551 if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
552 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
555 if (!libnet_join_create_keytab(mem_ctx, r)) {
556 libnet_join_set_error_string(mem_ctx, r,
557 "failed to create kerberos keytab");
558 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
563 #endif /* WITH_ADS */
565 /****************************************************************
566 ****************************************************************/
568 static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx,
569 struct libnet_JoinCtx *r)
571 if (!secrets_store_domain_sid(r->out.netbios_domain_name,
577 if (!secrets_store_machine_password(r->in.machine_password,
578 r->out.netbios_domain_name,
587 /****************************************************************
588 ****************************************************************/
590 static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
591 struct libnet_JoinCtx *r)
593 struct cli_state *cli = NULL;
594 struct rpc_pipe_client *pipe_hnd = NULL;
595 POLICY_HND sam_pol, domain_pol, user_pol, lsa_pol;
596 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
598 const char *const_acct_name;
599 struct lsa_String lsa_acct_name;
601 uint32 num_rids, *name_types, *user_rids;
602 uint32 flags = 0x3e8;
603 uint32 acb_info = ACB_WSTRUST;
604 uint32 fields_present;
606 SAM_USERINFO_CTR ctr;
607 SAM_USER_INFO_25 p25;
608 const int infolevel = 25;
609 struct MD5Context md5ctx;
611 DATA_BLOB digested_session_key;
612 uchar md4_trust_password[16];
614 if (!r->in.machine_password) {
615 r->in.machine_password = talloc_strdup(mem_ctx, generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH));
616 NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
619 status = cli_full_connection(&cli, NULL,
625 r->in.admin_password,
629 if (!NT_STATUS_IS_OK(status)) {
633 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &status);
638 status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True,
639 SEC_RIGHTS_MAXIMUM_ALLOWED, &lsa_pol);
640 if (!NT_STATUS_IS_OK(status)) {
644 status = rpccli_lsa_query_info_policy2(pipe_hnd, mem_ctx, &lsa_pol,
646 &r->out.netbios_domain_name,
647 &r->out.dns_domain_name,
652 if (NT_STATUS_IS_OK(status)) {
653 r->out.domain_is_ad = true;
656 if (!NT_STATUS_IS_OK(status)) {
657 status = rpccli_lsa_query_info_policy(pipe_hnd, mem_ctx, &lsa_pol,
659 &r->out.netbios_domain_name,
661 if (!NT_STATUS_IS_OK(status)) {
666 rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol);
667 cli_rpc_pipe_close(pipe_hnd);
669 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &status);
674 status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
675 pipe_hnd->cli->desthost,
676 SEC_RIGHTS_MAXIMUM_ALLOWED,
678 if (!NT_STATUS_IS_OK(status)) {
682 status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
684 SEC_RIGHTS_MAXIMUM_ALLOWED,
687 if (!NT_STATUS_IS_OK(status)) {
691 acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name);
692 strlower_m(acct_name);
693 const_acct_name = acct_name;
695 init_lsa_String(&lsa_acct_name, acct_name);
697 if (r->in.join_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE) {
698 uint32_t acct_flags =
699 SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE |
700 SEC_STD_WRITE_DAC | SEC_STD_DELETE |
701 SAMR_USER_ACCESS_SET_PASSWORD |
702 SAMR_USER_ACCESS_GET_ATTRIBUTES |
703 SAMR_USER_ACCESS_SET_ATTRIBUTES;
704 uint32_t access_granted = 0;
706 status = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx,
714 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
715 if (!(r->in.join_flags &
716 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED)) {
721 if (NT_STATUS_IS_OK(status)) {
722 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
726 status = rpccli_samr_lookup_names(pipe_hnd, mem_ctx,
727 &domain_pol, flags, 1,
729 &num_rids, &user_rids, &name_types);
730 if (!NT_STATUS_IS_OK(status)) {
734 if (name_types[0] != SID_NAME_USER) {
735 status = NT_STATUS_INVALID_WORKSTATION;
739 user_rid = user_rids[0];
741 status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
743 SEC_RIGHTS_MAXIMUM_ALLOWED,
746 if (!NT_STATUS_IS_OK(status)) {
750 E_md4hash(r->in.machine_password, md4_trust_password);
751 encode_pw_buffer(pwbuf, r->in.machine_password, STR_UNICODE);
753 generate_random_buffer((uint8*)md5buffer, sizeof(md5buffer));
754 digested_session_key = data_blob_talloc(mem_ctx, 0, 16);
757 MD5Update(&md5ctx, md5buffer, sizeof(md5buffer));
758 MD5Update(&md5ctx, cli->user_session_key.data,
759 cli->user_session_key.length);
760 MD5Final(digested_session_key.data, &md5ctx);
762 SamOEMhashBlob(pwbuf, sizeof(pwbuf), &digested_session_key);
763 memcpy(&pwbuf[516], md5buffer, sizeof(md5buffer));
765 acb_info |= ACB_PWNOEXP;
766 if (r->out.domain_is_ad) {
767 #if !defined(ENCTYPE_ARCFOUR_HMAC)
768 acb_info |= ACB_USE_DES_KEY_ONLY;
776 fields_present = ACCT_NT_PWD_SET | ACCT_LM_PWD_SET | ACCT_FLAGS;
777 init_sam_user_info25P(&p25, fields_present, acb_info, (char *)pwbuf);
779 ctr.switch_value = infolevel;
780 ctr.info.id25 = &p25;
782 status = rpccli_samr_set_userinfo2(pipe_hnd, mem_ctx, &user_pol,
783 infolevel, &cli->user_session_key,
785 if (!NT_STATUS_IS_OK(status)) {
789 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
790 cli_rpc_pipe_close(pipe_hnd);
792 status = NT_STATUS_OK;
801 /****************************************************************
802 ****************************************************************/
804 static bool libnet_join_unjoindomain_remove_secrets(TALLOC_CTX *mem_ctx,
805 struct libnet_UnjoinCtx *r)
807 if (!secrets_delete_machine_password_ex(lp_workgroup())) {
811 if (!secrets_delete_domain_sid(lp_workgroup())) {
818 /****************************************************************
819 ****************************************************************/
821 static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
822 struct libnet_UnjoinCtx *r)
824 struct cli_state *cli = NULL;
825 struct rpc_pipe_client *pipe_hnd = NULL;
826 POLICY_HND sam_pol, domain_pol, user_pol;
827 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
829 uint32 flags = 0x3e8;
830 const char *const_acct_name;
832 uint32 num_rids, *name_types, *user_rids;
833 SAM_USERINFO_CTR ctr, *qctr = NULL;
834 SAM_USER_INFO_16 p16;
836 status = cli_full_connection(&cli, NULL,
842 r->in.admin_password,
845 if (!NT_STATUS_IS_OK(status)) {
849 pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &status);
854 status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
855 pipe_hnd->cli->desthost,
856 SEC_RIGHTS_MAXIMUM_ALLOWED,
858 if (!NT_STATUS_IS_OK(status)) {
862 status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
864 SEC_RIGHTS_MAXIMUM_ALLOWED,
867 if (!NT_STATUS_IS_OK(status)) {
871 acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name);
872 strlower_m(acct_name);
873 const_acct_name = acct_name;
875 status = rpccli_samr_lookup_names(pipe_hnd, mem_ctx,
876 &domain_pol, flags, 1,
878 &num_rids, &user_rids, &name_types);
879 if (!NT_STATUS_IS_OK(status)) {
883 if (name_types[0] != SID_NAME_USER) {
884 status = NT_STATUS_INVALID_WORKSTATION;
888 user_rid = user_rids[0];
890 status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
892 SEC_RIGHTS_MAXIMUM_ALLOWED,
895 if (!NT_STATUS_IS_OK(status)) {
899 status = rpccli_samr_query_userinfo(pipe_hnd, mem_ctx,
900 &user_pol, 16, &qctr);
901 if (!NT_STATUS_IS_OK(status)) {
902 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
907 ctr.switch_value = 16;
908 ctr.info.id16 = &p16;
910 p16.acb_info = qctr->info.id16->acb_info | ACB_DISABLED;
912 status = rpccli_samr_set_userinfo2(pipe_hnd, mem_ctx, &user_pol, 16,
913 &cli->user_session_key, &ctr);
915 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
919 rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
920 rpccli_samr_Close(pipe_hnd, mem_ctx, &sam_pol);
921 cli_rpc_pipe_close(pipe_hnd);
931 /****************************************************************
932 ****************************************************************/
934 static WERROR do_join_modify_vals_config(struct libnet_JoinCtx *r)
937 struct libnet_conf_ctx *ctx;
939 werr = libnet_conf_open(r, &ctx);
940 if (!W_ERROR_IS_OK(werr)) {
944 if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE)) {
946 werr = libnet_conf_set_global_parameter(ctx, "security", "user");
947 if (!W_ERROR_IS_OK(werr)) {
951 werr = libnet_conf_set_global_parameter(ctx, "workgroup",
956 werr = libnet_conf_set_global_parameter(ctx, "security", "domain");
957 if (!W_ERROR_IS_OK(werr)) {
961 werr = libnet_conf_set_global_parameter(ctx, "workgroup",
962 r->out.netbios_domain_name);
963 if (!W_ERROR_IS_OK(werr)) {
967 if (r->out.domain_is_ad) {
968 werr = libnet_conf_set_global_parameter(ctx, "security", "ads");
969 if (!W_ERROR_IS_OK(werr)) {
973 werr = libnet_conf_set_global_parameter(ctx, "realm",
974 r->out.dns_domain_name);
978 libnet_conf_close(ctx);
982 /****************************************************************
983 ****************************************************************/
985 static WERROR do_unjoin_modify_vals_config(struct libnet_UnjoinCtx *r)
987 WERROR werr = WERR_OK;
988 struct libnet_conf_ctx *ctx;
990 werr = libnet_conf_open(r, &ctx);
991 if (!W_ERROR_IS_OK(werr)) {
995 if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
997 werr = libnet_conf_set_global_parameter(ctx, "security", "user");
998 if (!W_ERROR_IS_OK(werr)) {
1003 libnet_conf_delete_global_parameter(ctx, "realm");
1006 libnet_conf_close(ctx);
1010 /****************************************************************
1011 ****************************************************************/
1013 static WERROR do_JoinConfig(struct libnet_JoinCtx *r)
1017 if (!W_ERROR_IS_OK(r->out.result)) {
1018 return r->out.result;
1021 if (!r->in.modify_config) {
1025 werr = do_join_modify_vals_config(r);
1026 if (!W_ERROR_IS_OK(werr)) {
1030 r->out.modified_config = true;
1031 r->out.result = werr;
1036 /****************************************************************
1037 ****************************************************************/
1039 static WERROR do_UnjoinConfig(struct libnet_UnjoinCtx *r)
1043 if (!W_ERROR_IS_OK(r->out.result)) {
1044 return r->out.result;
1047 if (!r->in.modify_config) {
1051 werr = do_unjoin_modify_vals_config(r);
1052 if (!W_ERROR_IS_OK(werr)) {
1056 r->out.modified_config = true;
1057 r->out.result = werr;
1062 /****************************************************************
1063 ****************************************************************/
1065 static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
1066 struct libnet_JoinCtx *r)
1069 if (!r->in.domain_name) {
1070 return WERR_INVALID_PARAM;
1073 if (r->in.modify_config && !lp_config_backend_is_registry()) {
1074 return WERR_NOT_SUPPORTED;
1078 return WERR_SETUP_DOMAIN_CONTROLLER;
1081 if (!secrets_init()) {
1082 libnet_join_set_error_string(mem_ctx, r,
1083 "Unable to open secrets database");
1084 return WERR_CAN_NOT_COMPLETE;
1090 /****************************************************************
1091 ****************************************************************/
1093 static WERROR libnet_join_post_processing(TALLOC_CTX *mem_ctx,
1094 struct libnet_JoinCtx *r)
1098 if (!W_ERROR_IS_OK(r->out.result)) {
1099 return r->out.result;
1102 werr = do_JoinConfig(r);
1103 if (!W_ERROR_IS_OK(werr)) {
1107 if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1108 saf_store(r->in.domain_name, r->in.dc_name);
1114 /****************************************************************
1115 ****************************************************************/
1117 static int libnet_destroy_JoinCtx(struct libnet_JoinCtx *r)
1120 ads_destroy(&r->in.ads);
1126 /****************************************************************
1127 ****************************************************************/
1129 static int libnet_destroy_UnjoinCtx(struct libnet_UnjoinCtx *r)
1132 ads_destroy(&r->in.ads);
1138 /****************************************************************
1139 ****************************************************************/
1141 WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
1142 struct libnet_JoinCtx **r)
1144 struct libnet_JoinCtx *ctx;
1146 ctx = talloc_zero(mem_ctx, struct libnet_JoinCtx);
1151 talloc_set_destructor(ctx, libnet_destroy_JoinCtx);
1153 ctx->in.machine_name = talloc_strdup(mem_ctx, global_myname());
1154 W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
1161 /****************************************************************
1162 ****************************************************************/
1164 WERROR libnet_init_UnjoinCtx(TALLOC_CTX *mem_ctx,
1165 struct libnet_UnjoinCtx **r)
1167 struct libnet_UnjoinCtx *ctx;
1169 ctx = talloc_zero(mem_ctx, struct libnet_UnjoinCtx);
1174 talloc_set_destructor(ctx, libnet_destroy_UnjoinCtx);
1176 ctx->in.machine_name = talloc_strdup(mem_ctx, global_myname());
1177 W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
1184 /****************************************************************
1185 ****************************************************************/
1187 static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
1188 struct libnet_JoinCtx *r)
1192 ADS_STATUS ads_status;
1193 #endif /* WITH_ADS */
1195 if (!r->in.dc_name) {
1196 struct DS_DOMAIN_CONTROLLER_INFO *info;
1197 status = dsgetdcname(mem_ctx,
1201 DS_DIRECTORY_SERVICE_REQUIRED |
1202 DS_WRITABLE_REQUIRED |
1205 if (!NT_STATUS_IS_OK(status)) {
1206 libnet_join_set_error_string(mem_ctx, r,
1207 "failed to find DC for domain %s",
1209 get_friendly_nt_error_msg(status));
1210 return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
1213 r->in.dc_name = talloc_strdup(mem_ctx,
1214 info->domain_controller_name);
1215 W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
1219 if (r->in.account_ou) {
1221 ads_status = libnet_join_connect_ads(mem_ctx, r);
1222 if (!ADS_ERR_OK(ads_status)) {
1223 return WERR_DEFAULT_JOIN_REQUIRED;
1226 ads_status = libnet_join_precreate_machine_acct(mem_ctx, r);
1227 if (!ADS_ERR_OK(ads_status)) {
1228 libnet_join_set_error_string(mem_ctx, r,
1229 "failed to precreate account in ou %s: %s",
1231 ads_errstr(ads_status));
1232 return WERR_DEFAULT_JOIN_REQUIRED;
1235 r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE;
1237 #endif /* WITH_ADS */
1239 status = libnet_join_joindomain_rpc(mem_ctx, r);
1240 if (!NT_STATUS_IS_OK(status)) {
1241 libnet_join_set_error_string(mem_ctx, r,
1242 "failed to join domain over rpc: %s",
1243 get_friendly_nt_error_msg(status));
1244 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
1245 return WERR_SETUP_ALREADY_JOINED;
1247 return ntstatus_to_werror(status);
1250 if (!libnet_join_joindomain_store_secrets(mem_ctx, r)) {
1251 return WERR_SETUP_NOT_JOINED;
1255 if (r->out.domain_is_ad) {
1256 ads_status = libnet_join_post_processing_ads(mem_ctx, r);
1257 if (!ADS_ERR_OK(ads_status)) {
1258 return WERR_GENERAL_FAILURE;
1261 #endif /* WITH_ADS */
1266 /****************************************************************
1267 ****************************************************************/
1269 WERROR libnet_Join(TALLOC_CTX *mem_ctx,
1270 struct libnet_JoinCtx *r)
1275 LIBNET_JOIN_IN_DUMP_CTX(mem_ctx, r);
1278 werr = libnet_join_pre_processing(mem_ctx, r);
1279 if (!W_ERROR_IS_OK(werr)) {
1283 if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1284 werr = libnet_DomainJoin(mem_ctx, r);
1285 if (!W_ERROR_IS_OK(werr)) {
1290 werr = libnet_join_post_processing(mem_ctx, r);
1291 if (!W_ERROR_IS_OK(werr)) {
1295 r->out.result = werr;
1298 LIBNET_JOIN_OUT_DUMP_CTX(mem_ctx, r);
1303 /****************************************************************
1304 ****************************************************************/
1306 static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
1307 struct libnet_UnjoinCtx *r)
1311 if (!r->in.domain_sid) {
1313 if (!secrets_fetch_domain_sid(lp_workgroup(), &sid)) {
1314 libnet_unjoin_set_error_string(mem_ctx, r,
1315 "Unable to fetch domain sid: are we joined?");
1316 return WERR_SETUP_NOT_JOINED;
1318 r->in.domain_sid = sid_dup_talloc(mem_ctx, &sid);
1319 W_ERROR_HAVE_NO_MEMORY(r->in.domain_sid);
1322 if (!r->in.dc_name) {
1323 struct DS_DOMAIN_CONTROLLER_INFO *info;
1324 status = dsgetdcname(mem_ctx,
1328 DS_DIRECTORY_SERVICE_REQUIRED |
1329 DS_WRITABLE_REQUIRED |
1332 if (!NT_STATUS_IS_OK(status)) {
1333 libnet_unjoin_set_error_string(mem_ctx, r,
1334 "failed to find DC for domain %s",
1336 get_friendly_nt_error_msg(status));
1337 return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
1340 r->in.dc_name = talloc_strdup(mem_ctx,
1341 info->domain_controller_name);
1342 W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
1345 status = libnet_join_unjoindomain_rpc(mem_ctx, r);
1346 if (!NT_STATUS_IS_OK(status)) {
1347 libnet_unjoin_set_error_string(mem_ctx, r,
1348 "failed to disable machine account via rpc: %s",
1349 get_friendly_nt_error_msg(status));
1350 if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1351 return WERR_SETUP_NOT_JOINED;
1353 return ntstatus_to_werror(status);
1357 if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) {
1358 ADS_STATUS ads_status;
1359 libnet_unjoin_connect_ads(mem_ctx, r);
1360 ads_status = libnet_unjoin_remove_machine_acct(mem_ctx, r);
1361 if (!ADS_ERR_OK(ads_status)) {
1362 libnet_unjoin_set_error_string(mem_ctx, r,
1363 "failed to remove machine account from AD: %s",
1364 ads_errstr(ads_status));
1367 #endif /* WITH_ADS */
1369 libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
1374 /****************************************************************
1375 ****************************************************************/
1377 static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx,
1378 struct libnet_UnjoinCtx *r)
1380 if (r->in.modify_config && !lp_config_backend_is_registry()) {
1381 return WERR_NOT_SUPPORTED;
1384 if (!secrets_init()) {
1385 libnet_unjoin_set_error_string(mem_ctx, r,
1386 "Unable to open secrets database");
1387 return WERR_CAN_NOT_COMPLETE;
1394 /****************************************************************
1395 ****************************************************************/
1397 WERROR libnet_Unjoin(TALLOC_CTX *mem_ctx,
1398 struct libnet_UnjoinCtx *r)
1403 LIBNET_UNJOIN_IN_DUMP_CTX(mem_ctx, r);
1406 werr = libnet_unjoin_pre_processing(mem_ctx, r);
1407 if (!W_ERROR_IS_OK(werr)) {
1411 if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1412 werr = libnet_DomainUnjoin(mem_ctx, r);
1413 if (!W_ERROR_IS_OK(werr)) {
1418 werr = do_UnjoinConfig(r);
1419 if (!W_ERROR_IS_OK(werr)) {
1424 r->out.result = werr;
1427 LIBNET_UNJOIN_OUT_DUMP_CTX(mem_ctx, r);
git.samba.org / kai / samba.git / blob