Distributed SMB/CIFS Server Management Utility
Copyright (C) 2001 Andrew Bartlett (abartlet@samba.org)
Copyright (C) Tim Potter 2001
+ Copyright (C) 2008 Guenther Deschner
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
+ along with this program. If not, see <http://www.gnu.org/licenses/>. */
#include "includes.h"
#include "utils/net.h"
* @return A shell status integer (0 for success)
*
**/
-int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip )
+NTSTATUS net_rpc_join_ok(const char *domain, const char *server,
+ struct sockaddr_storage *pss)
{
- uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
+ enum security_types sec;
+ unsigned int conn_flags = NET_FLAGS_PDC;
+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
struct cli_state *cli = NULL;
struct rpc_pipe_client *pipe_hnd = NULL;
struct rpc_pipe_client *netlogon_pipe = NULL;
NTSTATUS ntret = NT_STATUS_UNSUCCESSFUL;
+ sec = (enum security_types)lp_security();
+
+ if (sec == SEC_ADS) {
+ /* Connect to IPC$ using machine account's credentials. We don't use anonymous
+ connection here, as it may be denied by server's local policy. */
+ net_use_machine_account();
+
+ } else {
+ /* some servers (e.g. WinNT) don't accept machine-authenticated
+ smb connections */
+ conn_flags |= NET_FLAGS_ANONYMOUS;
+ }
+
/* Connect to remote machine */
- if (!(cli = net_make_ipc_connection_ex(domain, server, ip, (NET_FLAGS_ANONYMOUS|NET_FLAGS_PDC)))) {
- return -1;
+ ntret = net_make_ipc_connection_ex(domain, server, pss, conn_flags, &cli);
+ if (!NT_STATUS_IS_OK(ntret)) {
+ return ntret;
}
/* Setup the creds as though we're going to do schannel... */
if (!netlogon_pipe) {
if (NT_STATUS_EQUAL(ntret, NT_STATUS_INVALID_NETWORK_RESPONSE)) {
cli_shutdown(cli);
- return 0;
+ return NT_STATUS_OK;
} else {
DEBUG(0,("net_rpc_join_ok: failed to get schannel session "
"key from server %s for domain %s. Error was %s\n",
cli->desthost, domain, nt_errstr(ntret) ));
cli_shutdown(cli);
- return -1;
+ return ntret;
}
}
if (!lp_client_schannel()) {
cli_shutdown(cli);
/* We're good... */
- return 0;
+ return ntret;
}
pipe_hnd = cli_rpc_pipe_open_schannel_with_key(cli, PI_NETLOGON,
DEBUG(0,("net_rpc_join_ok: failed to open schannel session "
"on netlogon pipe to server %s for domain %s. Error was %s\n",
cli->desthost, domain, nt_errstr(ntret) ));
- cli_shutdown(cli);
- return -1;
+ /*
+ * Note: here, we have:
+ * (pipe_hnd != NULL) if and only if NT_STATUS_IS_OK(ntret)
+ */
}
cli_shutdown(cli);
- return 0;
+ return ntret;
}
/**
struct cli_state *cli;
TALLOC_CTX *mem_ctx;
uint32 acb_info = ACB_WSTRUST;
- uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|(lp_client_schannel() ? NETLOGON_NEG_SCHANNEL : 0);
+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
uint32 sec_channel_type;
struct rpc_pipe_client *pipe_hnd = NULL;
char *clear_trust_password = NULL;
uchar pwbuf[516];
- SAM_USERINFO_CTR ctr;
- SAM_USER_INFO_24 p24;
- SAM_USER_INFO_16 p16;
uchar md4_trust_password[16];
+ union samr_UserInfo set_info;
/* Misc */
NTSTATUS result;
int retval = 1;
- char *domain = NULL;
- uint32 num_rids, *name_types, *user_rids;
- uint32 flags = 0x3e8;
+ const char *domain = NULL;
char *acct_name;
- const char *const_acct_name;
+ struct lsa_String lsa_acct_name;
+ uint32 acct_flags=0;
+ uint32_t access_granted = 0;
+ union lsa_PolicyInformation *info = NULL;
+ struct samr_Ids user_rids;
+ struct samr_Ids name_types;
/* check what type of join */
if (argc >= 0) {
/* Make authenticated connection to remote machine */
- if (!(cli = net_make_ipc_connection(NET_FLAGS_PDC)))
+ result = net_make_ipc_connection(NET_FLAGS_PDC, &cli);
+ if (!NT_STATUS_IS_OK(result)) {
return 1;
+ }
if (!(mem_ctx = talloc_init("net_rpc_join_newstyle"))) {
DEBUG(0, ("Could not initialise talloc context\n"));
&lsa_pol),
"error opening lsa policy handle");
- CHECK_RPC_ERR(rpccli_lsa_query_info_policy(pipe_hnd, mem_ctx, &lsa_pol,
- 5, &domain, &domain_sid),
+ CHECK_RPC_ERR(rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
+ &lsa_pol,
+ LSA_POLICY_INFO_ACCOUNT_DOMAIN,
+ &info),
"error querying info policy");
+ domain = info->account_domain.name.string;
+ domain_sid = info->account_domain.sid;
+
rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol);
- cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */
+ TALLOC_FREE(pipe_hnd); /* Done with this pipe */
/* Bail out if domain didn't get set. */
if (!domain) {
goto done;
}
- CHECK_RPC_ERR(rpccli_samr_connect(pipe_hnd, mem_ctx,
- SEC_RIGHTS_MAXIMUM_ALLOWED,
- &sam_pol),
+ CHECK_RPC_ERR(rpccli_samr_Connect2(pipe_hnd, mem_ctx,
+ pipe_hnd->desthost,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &sam_pol),
"could not connect to SAM database");
-
- CHECK_RPC_ERR(rpccli_samr_open_domain(pipe_hnd, mem_ctx, &sam_pol,
- SEC_RIGHTS_MAXIMUM_ALLOWED,
- domain_sid, &domain_pol),
+
+ CHECK_RPC_ERR(rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
+ &sam_pol,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ domain_sid,
+ &domain_pol),
"could not open domain");
/* Create domain user */
goto done;
}
strlower_m(acct_name);
- const_acct_name = acct_name;
- result = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol,
- acct_name, acb_info,
- 0xe005000b, &user_pol,
- &user_rid);
+ init_lsa_String(&lsa_acct_name, acct_name);
+
+ acct_flags = SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE |
+ SEC_STD_WRITE_DAC | SEC_STD_DELETE |
+ SAMR_USER_ACCESS_SET_PASSWORD |
+ SAMR_USER_ACCESS_GET_ATTRIBUTES |
+ SAMR_USER_ACCESS_SET_ATTRIBUTES;
+
+ DEBUG(10, ("Creating account with flags: %d\n",acct_flags));
+
+ result = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx,
+ &domain_pol,
+ &lsa_acct_name,
+ acb_info,
+ acct_flags,
+ &user_pol,
+ &access_granted,
+ &user_rid);
if (!NT_STATUS_IS_OK(result) &&
!NT_STATUS_EQUAL(result, NT_STATUS_USER_EXISTS)) {
/* We *must* do this.... don't ask... */
if (NT_STATUS_IS_OK(result)) {
- rpccli_samr_close(pipe_hnd, mem_ctx, &user_pol);
+ rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
}
- CHECK_RPC_ERR_DEBUG(rpccli_samr_lookup_names(pipe_hnd, mem_ctx,
- &domain_pol, flags,
- 1, &const_acct_name,
- &num_rids,
- &user_rids, &name_types),
+ CHECK_RPC_ERR_DEBUG(rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
+ &domain_pol,
+ 1,
+ &lsa_acct_name,
+ &user_rids,
+ &name_types),
("error looking up rid for user %s: %s\n",
acct_name, nt_errstr(result)));
- if (name_types[0] != SID_NAME_USER) {
- DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name, name_types[0]));
+ if (name_types.ids[0] != SID_NAME_USER) {
+ DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name, name_types.ids[0]));
goto done;
}
- user_rid = user_rids[0];
-
+ user_rid = user_rids.ids[0];
+
/* Open handle on user */
CHECK_RPC_ERR_DEBUG(
- rpccli_samr_open_user(pipe_hnd, mem_ctx, &domain_pol,
- SEC_RIGHTS_MAXIMUM_ALLOWED,
- user_rid, &user_pol),
+ rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
+ &domain_pol,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ user_rid,
+ &user_pol),
("could not re-open existing user %s: %s\n",
acct_name, nt_errstr(result)));
/* Set password on machine account */
- ZERO_STRUCT(ctr);
- ZERO_STRUCT(p24);
-
- init_sam_user_info24(&p24, (char *)pwbuf,24);
+ init_samr_user_info24(&set_info.info24, pwbuf, 24);
- ctr.switch_value = 24;
- ctr.info.id24 = &p24;
+ SamOEMhashBlob(set_info.info24.password.data, 516,
+ &cli->user_session_key);
- CHECK_RPC_ERR(rpccli_samr_set_userinfo(pipe_hnd, mem_ctx, &user_pol, 24,
- &cli->user_session_key, &ctr),
+ CHECK_RPC_ERR(rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
+ &user_pol,
+ 24,
+ &set_info),
"error setting trust account password");
/* Why do we have to try to (re-)set the ACB to be the same as what
seems to cope with either value so don't bomb out if the set
userinfo2 level 0x10 fails. -tpot */
- ZERO_STRUCT(ctr);
- ctr.switch_value = 16;
- ctr.info.id16 = &p16;
-
- init_sam_user_info16(&p16, acb_info);
+ set_info.info16.acct_flags = acb_info;
/* Ignoring the return value is necessary for joining a domain
as a normal user with "Add workstation to domain" privilege. */
- result = rpccli_samr_set_userinfo2(pipe_hnd, mem_ctx, &user_pol, 16,
- &cli->user_session_key, &ctr);
+ result = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
+ &user_pol,
+ 16,
+ &set_info);
- rpccli_samr_close(pipe_hnd, mem_ctx, &user_pol);
- cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */
+ rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
+ TALLOC_FREE(pipe_hnd); /* Done with this pipe */
/* Now check the whole process from top-to-bottom */
goto done;
}
- cli_rpc_pipe_close(netlogon_schannel_pipe);
+ TALLOC_FREE(netlogon_schannel_pipe);
}
- cli_rpc_pipe_close(pipe_hnd);
+ TALLOC_FREE(pipe_hnd);
/* Now store the secret in the secrets database */
- strupper_m(domain);
+ strupper_m(CONST_DISCARD(char *, domain));
if (!secrets_store_domain_sid(domain, domain_sid)) {
DEBUG(0, ("error storing domain sid for %s\n", domain));
}
/* double-check, connection from scratch */
- retval = net_rpc_join_ok(domain, cli->desthost, &cli->dest_ip);
-
+ result = net_rpc_join_ok(domain, cli->desthost, &cli->dest_ss);
+ retval = NT_STATUS_IS_OK(result) ? 0 : -1;
+
done:
/* Display success or failure */
int net_rpc_testjoin(int argc, const char **argv)
{
char *domain = smb_xstrdup(opt_target_workgroup);
+ NTSTATUS nt_status;
/* Display success or failure */
- if (net_rpc_join_ok(domain, NULL, NULL) != 0) {
- fprintf(stderr,"Join to domain '%s' is not valid\n",domain);
+ nt_status = net_rpc_join_ok(domain, NULL, NULL);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ fprintf(stderr,"Join to domain '%s' is not valid: %s\n",
+ domain, nt_errstr(nt_status));
free(domain);
return -1;
}