r4762: Store the results of a 'net join' in the LDB.

Like Samba3, the storage of the primary domain password is keyed off the domain name, so we can join multiple domains, and just swap 'workgroup =' around. Andrew Bartlett (This used to be commit 54a231780e028c6433cac296f2fbc64e39632dfd)
author: Andrew Bartlett <abartlet@samba.org> 2005-01-15 22:13:18 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 13:08:51 -0500
commit: 8799d6b44c15a5e11c1e3528092fbca236561253 (patch)
tree: a15319faa56787080f1ab1a889f3d06b84c3d51b
parent: a7bbb190d9845a74c21369ca32eb8446982477db (diff)
download: samba-8799d6b44c15a5e11c1e3528092fbca236561253.tar.gz
samba-8799d6b44c15a5e11c1e3528092fbca236561253.tar.bz2
samba-8799d6b44c15a5e11c1e3528092fbca236561253.zip
3 files changed, 255 insertions, 42 deletions
diff --git a/source4/libnet/libnet_join.c b/source4/libnet/libnet_join.c
index 871e5c5e24..6d1003078d 100644
--- a/source4/libnet/libnet_join.c
+++ b/source4/libnet/libnet_join.c
@@ -23,6 +23,7 @@
 #include "libnet/libnet.h"
 #include "librpc/gen_ndr/ndr_samr.h"
 #include "lib/crypto/crypto.h"
+#include "lib/ldb/include/ldb.h"
 
 /*
  * do a domain join using DCERPC/SAMR calls
@@ -41,7 +42,8 @@
  *
  * 7. do a samrSetUserInfo to set the account flags
  */
-static NTSTATUS libnet_JoinDomain_samr(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, union libnet_JoinDomain *r)
+static NTSTATUS libnet_JoinDomain_samr(struct libnet_context *ctx, 
+				       TALLOC_CTX *mem_ctx, union libnet_JoinDomain *r)
 {
 	NTSTATUS status;
 	union libnet_rpc_connect c;
@@ -55,12 +57,14 @@ static NTSTATUS libnet_JoinDomain_samr(struct libnet_context *ctx, TALLOC_CTX *m
 	struct samr_OpenUser ou;
 	struct samr_CreateUser2 cu;
 	struct policy_handle u_handle;
+	struct samr_QueryUserInfo qui;
 	struct samr_SetUserInfo sui;
 	union samr_UserInfo u_info;
 	union libnet_SetPassword r2;
 	struct samr_GetUserPwInfo pwp;
 	struct samr_String samr_account_name;
 
+	uint32 acct_flags;
 	uint32 rid, access_granted;
 	int policy_min_pw_len = 0;
 
@@ -233,14 +237,53 @@ static NTSTATUS libnet_JoinDomain_samr(struct libnet_context *ctx, TALLOC_CTX *m
 	}
 
 	/* prepare samr_SetUserInfo level 23 */
-	ZERO_STRUCT(u_info);
-	u_info.info16.acct_flags = r->samr.in.acct_type;
-
-	sui.in.user_handle = &u_handle;
-	sui.in.info = &u_info;
-	sui.in.level = 16;
+	qui.in.user_handle = &u_handle;
+	qui.in.level = 16;
+	
+	status = dcerpc_samr_QueryUserInfo(c.pdc.out.dcerpc_pipe, mem_ctx, &qui);
+	if (!NT_STATUS_IS_OK(status)) {
+		r->samr.out.error_string
+			= talloc_asprintf(mem_ctx,
+					  "samr_QueryUserInfo for [%s] failed: %s\n",
+					  r->samr.in.account_name, nt_errstr(status));
+		goto disconnect;
+	}
+	if (!qui.out.info) {
+		status = NT_STATUS_INVALID_PARAMETER;
+		r->samr.out.error_string
+			= talloc_asprintf(mem_ctx,
+					  "samr_QueryUserInfo failed to return qui.out.info for [%s]: %s\n",
+					  r->samr.in.account_name, nt_errstr(status));
+		goto disconnect;
+	}
 	
-	dcerpc_samr_SetUserInfo(c.pdc.out.dcerpc_pipe, mem_ctx, &sui);
+	if ((qui.out.info->info16.acct_flags & (ACB_WSTRUST | ACB_SVRTRUST | ACB_DOMTRUST)) 
+	    != r->samr.in.acct_type) {
+		acct_flags = (qui.out.info->info16.acct_flags & ~(ACB_WSTRUST | ACB_SVRTRUST | ACB_DOMTRUST))
+			      | r->samr.in.acct_type;
+	} else {
+		acct_flags = qui.out.info->info16.acct_flags;
+	}
+	
+	acct_flags = (acct_flags & ~ACB_DISABLED);
+
+	if (acct_flags != qui.out.info->info16.acct_flags) {
+		ZERO_STRUCT(u_info);
+		u_info.info16.acct_flags = acct_flags;
+
+		sui.in.user_handle = &u_handle;
+		sui.in.info = &u_info;
+		sui.in.level = 16;
+		
+		dcerpc_samr_SetUserInfo(c.pdc.out.dcerpc_pipe, mem_ctx, &sui);
+		if (!NT_STATUS_IS_OK(status)) {
+			r->samr.out.error_string
+				= talloc_asprintf(mem_ctx,
+						  "samr_SetUserInfo for [%s] failed to remove ACB_DISABLED flag: %s\n",
+						  r->samr.in.account_name, nt_errstr(status));
+			goto disconnect;
+		}
+	}
 
 disconnect:
 	/* close connection */
@@ -262,6 +305,7 @@ static NTSTATUS libnet_JoinDomain_generic(struct libnet_context *ctx, TALLOC_CTX
 	status = libnet_JoinDomain(ctx, mem_ctx, &r2);
 
 	r->generic.out.error_string = r2.samr.out.error_string;
+	r->generic.out.join_password = r2.samr.out.join_password;
 
 	return status;
 }
@@ -277,3 +321,150 @@ NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, unio
 
 	return NT_STATUS_INVALID_LEVEL;
 }
+
+
+static NTSTATUS libnet_Join_primary_domain(struct libnet_context *ctx, 
+					   TALLOC_CTX *mem_ctx, 
+					   union libnet_Join *r)
+{
+	NTSTATUS status;
+	int ret;
+
+	struct ldb_wrap *ldb;
+	union libnet_JoinDomain r2;
+	const char *base_dn = "cn=Primary Domains";
+	const struct ldb_val *prior_secret;
+	const char *prior_modified_time;
+	struct ldb_message **msgs, *msg;
+	char *sct;
+	const char *attrs[] = {
+		"whenChanged",
+		"secret",
+		"priorSecret"
+		"priorChanged",
+		NULL
+	};
+
+	r2.generic.level = LIBNET_JOIN_DOMAIN_GENERIC;
+
+	if (r->generic.in.secure_channel_type == SEC_CHAN_BDC) {
+		r2.generic.in.acct_type = ACB_SVRTRUST;
+	} else if (r->generic.in.secure_channel_type == SEC_CHAN_WKSTA) {
+		r2.generic.in.acct_type = ACB_WSTRUST;
+	}
+	r2.generic.in.domain_name  = r->generic.in.domain_name;
+
+	r2.generic.in.account_name = talloc_asprintf(mem_ctx, "%s$", lp_netbios_name());
+
+	/* Local secrets are stored in secrets.ldb */
+	ldb = secrets_db_connect(mem_ctx);
+
+	/* join domain */
+	status = libnet_JoinDomain(ctx, mem_ctx, &r2);
+
+	r->generic.out.error_string = r2.generic.out.error_string;
+
+	/* store in secrets.ldb or samdb.ldb, depending on secret type */
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	sct = talloc_asprintf(mem_ctx, "%d", r->generic.in.secure_channel_type);
+	msg = ldb_msg_new(mem_ctx);
+
+	/* search for the secret record */
+	ret = samdb_search(ldb,
+			   mem_ctx, base_dn, &msgs, attrs,
+			   "(&(cn=%s)(objectclass=primaryDomain))", 
+			   r->generic.in.domain_name);
+	if (ret == 0) {
+		msg->dn = talloc_asprintf(mem_ctx, "cn=%s,%s", 
+					  r->generic.in.domain_name,
+					  base_dn);
+		
+		samdb_msg_add_string(ldb, mem_ctx, msg, "cn", r->generic.in.domain_name);
+		samdb_msg_add_string(ldb, mem_ctx, msg, "objectClass", "primaryDomain");
+		samdb_msg_add_string(ldb, mem_ctx, msg, "secret", r2.generic.out.join_password);
+
+		samdb_msg_add_string(ldb, mem_ctx, msg, "accountName", r2.generic.in.account_name);
+
+		samdb_msg_add_string(ldb, mem_ctx, msg, "secureChannelType", sct);
+
+		/* create the secret */
+		ret = samdb_add(ldb, mem_ctx, msg);
+		if (ret != 0) {
+			r->generic.out.error_string
+				= talloc_asprintf(mem_ctx, 
+						  "Failed to create secret record %s\n", 
+						  msg->dn);
+			return NT_STATUS_INTERNAL_DB_CORRUPTION;
+		}
+		return NT_STATUS_OK;
+	} else if (ret != 1) {
+		r->generic.out.error_string
+			= talloc_asprintf(mem_ctx, 
+					  "Found %d records matching cn=%s under DN %s\n", ret, 
+					  r->generic.in.domain_name, base_dn);
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+
+	msg->dn = msgs[0]->dn;
+
+	prior_secret = ldb_msg_find_ldb_val(msgs[0], "secret");
+	if (prior_secret) {
+		samdb_msg_set_value(ldb, mem_ctx, msg, "priorSecret", prior_secret);
+	}
+	samdb_msg_set_string(ldb, mem_ctx, msg, "secret", r2.generic.out.join_password);
+	
+	prior_modified_time = ldb_msg_find_string(msgs[0], 
+						 "whenChanged", NULL);
+	if (prior_modified_time) {
+		samdb_msg_set_string(ldb, mem_ctx, msg, "priorWhenChanged", 
+				     prior_modified_time);
+	}
+	
+	samdb_msg_set_string(ldb, mem_ctx, msg, "accountName", r2.generic.in.account_name);
+	samdb_msg_set_string(ldb, mem_ctx, msg, "secureChannelType", sct);
+
+	/* update the secret */
+	ret = samdb_replace(ldb, mem_ctx, msg);
+	if (ret != 0) {
+		DEBUG(0,("Failed to create secret record %s\n", msg->dn));
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+	return NT_STATUS_OK;
+}
+
+NTSTATUS libnet_Join_generic(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, union libnet_Join *r)
+{
+	NTSTATUS nt_status;
+	union libnet_Join r2;
+	r2.generic.in.secure_channel_type = r->generic.in.secure_channel_type;
+	r2.generic.in.domain_name = r->generic.in.domain_name;
+	
+	if ((r->generic.in.secure_channel_type == SEC_CHAN_WKSTA)
+	    || (r->generic.in.secure_channel_type == SEC_CHAN_BDC)) {
+		r2.generic.level = LIBNET_JOIN_PRIMARY;
+		nt_status = libnet_Join(ctx, mem_ctx, &r2);
+	} else {
+		r->generic.out.error_string
+			= talloc_asprintf(mem_ctx, "Invalid secure channel type specified (%08X) attempting to join domain %s",
+					 r->generic.in.secure_channel_type, r->generic.in.domain_name);
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+	r->generic.out.error_string = r2.generic.out.error_string;
+	return nt_status;
+}
+
+NTSTATUS libnet_Join(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, union libnet_Join *r)
+{
+	switch (r->generic.level) {
+	case LIBNET_JOIN_GENERIC:
+		return libnet_Join_generic(ctx, mem_ctx, r);
+	case LIBNET_JOIN_PRIMARY:
+		return libnet_Join_primary_domain(ctx, mem_ctx, r);
+	}
+
+	return NT_STATUS_INVALID_LEVEL;
+}
+
diff --git a/source4/libnet/libnet_join.h b/source4/libnet/libnet_join.h
index 8788016e8e..830599929b 100644
--- a/source4/libnet/libnet_join.h
+++ b/source4/libnet/libnet_join.h
@@ -19,6 +19,8 @@
    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 */
 
+#include "librpc/gen_ndr/ndr_netlogon.h"
+
 /* struct and enum for doing a remote domain join */
 enum libnet_JoinDomain_level {
 	LIBNET_JOIN_DOMAIN_GENERIC,
@@ -49,3 +51,30 @@ union libnet_JoinDomain {
 
 };
 
+/* struct and enum for doing a remote domain join */
+enum libnet_Join_level {
+	LIBNET_JOIN_GENERIC,
+	LIBNET_JOIN_PRIMARY,
+};
+
+union libnet_Join {
+	struct {
+		enum libnet_Join_level level;
+
+		struct _libnet_Join_in {
+			const char *domain_name;
+			enum netr_SchannelType secure_channel_type;
+		} in;
+
+		struct _libnet_Join_out {
+			const char *error_string;
+		} out;
+	} generic;
+
+	struct {
+		enum libnet_Join_level level;
+		struct _libnet_Join_in in;
+		struct _libnet_Join_out out;
+	} ldb;
+};
+
diff --git a/source4/utils/net/net_join.c b/source4/utils/net/net_join.c
index 81e795a3ce..b88c11023e 100644
--- a/source4/utils/net/net_join.c
+++ b/source4/utils/net/net_join.c
@@ -2,7 +2,8 @@
    Samba Unix/Linux SMB client library 
    Distributed SMB/CIFS Server Management Utility 
 
-   Copyright (C) 2004 Stefan Metzmacher (metze@samba.org)
+   Copyright (C) 2004 Stefan Metzmacher <metze@samba.org>
+   Copyright (C) 2005 Andrew Bartlett <abartlet@samba.org>
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -24,13 +25,15 @@
 #include "libnet/libnet.h"
 #include "librpc/gen_ndr/ndr_samr.h"
 
-static int net_join_domain(struct net_context *ctx, int argc, const char **argv)
+int net_join(struct net_context *ctx, int argc, const char **argv) 
 {
+	
 	NTSTATUS status;
 	struct libnet_context *libnetctx;
-	union libnet_JoinDomain r;
+	union libnet_Join r;
 	char *tmp;
 	const char *domain_name;
+	enum netr_SchannelType secure_channel_type = SEC_CHAN_WKSTA;
 
 	switch (argc) {
 		case 0: /* no args -> fail */
@@ -39,8 +42,19 @@ static int net_join_domain(struct net_context *ctx, int argc, const char **argv)
 		case 1: /* only DOMAIN */
 			tmp = talloc_strdup(ctx->mem_ctx, argv[0]);
 			break;
-		default: /* too mayn args -> fail */
-			DEBUG(0,("net_join_domain: too many args [%d]\n",argc));
+		case 2: /* DOMAIN and role */
+			tmp = talloc_strdup(ctx->mem_ctx, argv[0]);
+			if (strcasecmp(argv[1], "BDC") == 0) {
+				secure_channel_type = SEC_CHAN_BDC;
+			} else if (strcasecmp(argv[1], "MEMBER") == 0) {
+				secure_channel_type = SEC_CHAN_WKSTA;
+			} else {
+				DEBUG(0, ("net_join: 2nd argument must be MEMBER or BDC\n"));
+				return -1;
+			}
+			break;
+		default: /* too many args -> fail */
+			DEBUG(0,("net_join: too many args [%d]\n",argc));
 			return -1;
 	}
 
@@ -55,15 +69,17 @@ static int net_join_domain(struct net_context *ctx, int argc, const char **argv)
 	libnetctx->user.password	= ctx->user.password;
 
 	/* prepare password change */
-	r.generic.level			= LIBNET_JOIN_DOMAIN_GENERIC;
-	r.generic.in.domain_name	= domain_name;
-	r.generic.in.account_name       = talloc_asprintf(ctx->mem_ctx, "%s$", lp_netbios_name());
-	r.generic.in.acct_type          = ACB_SVRTRUST;
+	r.generic.level			 = LIBNET_JOIN_GENERIC;
+	r.generic.in.domain_name	 = domain_name;
+	r.generic.in.secure_channel_type = secure_channel_type;
+	r.generic.out.error_string       = NULL;
 
 	/* do the domain join */
-	status = libnet_JoinDomain(libnetctx, ctx->mem_ctx, &r);
+	status = libnet_Join(libnetctx, ctx->mem_ctx, &r);
 	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0,("net_join_domain: %s\n",r.generic.out.error_string));
+		DEBUG(0,("libnet_Join returned %s: %s\n",
+			 nt_errstr(status),
+			 r.generic.out.error_string));
 		return -1;
 	}
 
@@ -72,29 +88,6 @@ static int net_join_domain(struct net_context *ctx, int argc, const char **argv)
 	return 0;
 }
 
-static int net_join_domain_usage(struct net_context *ctx, int argc, const char **argv)
-{
-	d_printf("net_join_domain_usage: TODO\n");
-	return 0;	
-}
-
-static int net_join_domain_help(struct net_context *ctx, int argc, const char **argv)
-{
-	d_printf("net_join_domain_help: TODO\n");
-	return 0;	
-}
-
-static const struct net_functable net_password_functable[] = {
-	{"domain", net_join_domain, net_join_domain_usage,  net_join_domain_help},
-	{NULL, NULL}
-};
-
-int net_join(struct net_context *ctx, int argc, const char **argv) 
-{
-	
-	return net_run_function(ctx, argc, argv, net_password_functable, net_password_usage);
-}
-
 int net_join_usage(struct net_context *ctx, int argc, const char **argv)
 {
 	d_printf("net_password_usage: TODO\n");
author	Andrew Bartlett <abartlet@samba.org>	2005-01-15 22:13:18 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 13:08:51 -0500
commit	8799d6b44c15a5e11c1e3528092fbca236561253 (patch)
tree	a15319faa56787080f1ab1a889f3d06b84c3d51b
parent	a7bbb190d9845a74c21369ca32eb8446982477db (diff)
download	samba-8799d6b44c15a5e11c1e3528092fbca236561253.tar.gz samba-8799d6b44c15a5e11c1e3528092fbca236561253.tar.bz2 samba-8799d6b44c15a5e11c1e3528092fbca236561253.zip