summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGünther Deschner <gd@samba.org>2008-02-28 19:54:35 +0100
committerGünther Deschner <gd@samba.org>2008-02-28 19:54:35 +0100
commit27310f0768f734f68f4c48d6b2c2cc441a0a434c (patch)
treeced250cbaf6573b777407a993bbd9af6c32febc0
parent2306574570332855670f1c53f3c9376b5114b91a (diff)
downloadsamba-27310f0768f734f68f4c48d6b2c2cc441a0a434c.tar.gz
samba-27310f0768f734f68f4c48d6b2c2cc441a0a434c.tar.bz2
samba-27310f0768f734f68f4c48d6b2c2cc441a0a434c.zip
Remove original copy of now redundant join code.
Jerry, I checked this very carefully that nothing got lost. The only thing I need to re-add still is the normalized DN handling for account precreation in "net ads join". Guenther (This used to be commit a5c6347644f2aa138a8e67ffe6c167847df941d0)
-rw-r--r--source3/Makefile.in2
-rw-r--r--source3/utils/net_ads.c330
-rw-r--r--source3/utils/net_domain.c387
3 files changed, 1 insertions, 718 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index d20cea2d16..63328ec86e 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -805,7 +805,7 @@ LIBNET_CONF_OBJ = libnet/libnet_conf.o
LIBNET_OBJ = $(LIBNET_CONF_OBJ) libnet/libnet_join.o \
librpc/gen_ndr/ndr_libnet_join.o
-NET_OBJ1 = utils/net.o utils/net_ads.o utils/net_domain.o utils/net_help.o \
+NET_OBJ1 = utils/net.o utils/net_ads.o utils/net_help.o \
utils/net_rap.o utils/net_rpc.o utils/net_rpc_samsync.o \
utils/net_rpc_join.o utils/net_time.o utils/net_lookup.o \
utils/net_cache.o utils/net_groupmap.o utils/net_idmap.o \
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 345665d62e..9358a4f184 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -948,336 +948,6 @@ static NTSTATUS check_ads_config( void )
}
/*******************************************************************
- Do the domain join
- ********************************************************************/
-
-static NTSTATUS net_join_domain(TALLOC_CTX *ctx, const char *servername,
- struct sockaddr_storage *pss,
- const char **domain,
- DOM_SID **dom_sid,
- const char *password)
-{
- NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
- struct cli_state *cli = NULL;
-
- ret = connect_to_ipc_krb5(&cli, pss, servername);
- if ( !NT_STATUS_IS_OK(ret) ) {
- goto done;
- }
-
- ret = netdom_get_domain_sid( ctx, cli, domain, dom_sid );
- if ( !NT_STATUS_IS_OK(ret) ) {
- goto done;
- }
-
- /* cli->server_domain is not filled in when using krb5
- session setups */
-
- saf_store( *domain, cli->desthost );
-
- ret = netdom_join_domain( ctx, cli, *dom_sid, password, ND_TYPE_AD );
-
-done:
- if ( cli )
- cli_shutdown(cli);
-
- return ret;
-}
-
-/*******************************************************************
- Set a machines dNSHostName and servicePrincipalName attributes
- ********************************************************************/
-
-static ADS_STATUS net_set_machine_spn(TALLOC_CTX *ctx, ADS_STRUCT *ads_s )
-{
- ADS_STATUS status = ADS_ERROR(LDAP_SERVER_DOWN);
- char *new_dn;
- ADS_MODLIST mods;
- const char *servicePrincipalName[3] = {NULL, NULL, NULL};
- char *psp;
- fstring my_fqdn;
- LDAPMessage *res = NULL;
- char *dn_string = NULL;
- const char *machine_name = global_myname();
- int count;
-
- if ( !machine_name ) {
- return ADS_ERROR(LDAP_NO_MEMORY);
- }
-
- /* Find our DN */
-
- status = ads_find_machine_acct(ads_s, &res, machine_name);
- if (!ADS_ERR_OK(status))
- return status;
-
- if ( (count = ads_count_replies(ads_s, res)) != 1 ) {
- DEBUG(1,("net_set_machine_spn: %d entries returned!\n", count));
- return ADS_ERROR(LDAP_NO_MEMORY);
- }
-
- if ( (dn_string = ads_get_dn(ads_s, res)) == NULL ) {
- DEBUG(1, ("ads_add_machine_acct: ads_get_dn returned NULL (malloc failure?)\n"));
- goto done;
- }
-
- new_dn = talloc_strdup(ctx, dn_string);
- ads_memfree(ads_s, dn_string);
- if (!new_dn) {
- return ADS_ERROR(LDAP_NO_MEMORY);
- }
-
- /* Windows only creates HOST/shortname & HOST/fqdn. */
-
- if ( !(psp = talloc_asprintf(ctx, "HOST/%s", machine_name)) )
- goto done;
- strupper_m(psp);
- servicePrincipalName[0] = psp;
-
- name_to_fqdn(my_fqdn, machine_name);
- strlower_m(my_fqdn);
- if ( !(psp = talloc_asprintf(ctx, "HOST/%s", my_fqdn)) )
- goto done;
- servicePrincipalName[1] = psp;
-
- if (!(mods = ads_init_mods(ctx))) {
- goto done;
- }
-
- /* fields of primary importance */
-
- ads_mod_str(ctx, &mods, "dNSHostName", my_fqdn);
- ads_mod_strlist(ctx, &mods, "servicePrincipalName", servicePrincipalName);
-
- status = ads_gen_mod(ads_s, new_dn, mods);
-
-done:
- ads_msgfree(ads_s, res);
-
- return status;
-}
-
-/*******************************************************************
- Set a machines dNSHostName and servicePrincipalName attributes
- ********************************************************************/
-
-static ADS_STATUS net_set_machine_upn(TALLOC_CTX *ctx, ADS_STRUCT *ads_s, const char *upn )
-{
- ADS_STATUS status = ADS_ERROR(LDAP_SERVER_DOWN);
- char *new_dn;
- ADS_MODLIST mods;
- LDAPMessage *res = NULL;
- char *dn_string = NULL;
- const char *machine_name = global_myname();
- int count;
-
- if ( !machine_name ) {
- return ADS_ERROR(LDAP_NO_MEMORY);
- }
-
- /* Find our DN */
-
- status = ads_find_machine_acct(ads_s, &res, machine_name);
- if (!ADS_ERR_OK(status))
- return status;
-
- if ( (count = ads_count_replies(ads_s, res)) != 1 ) {
- DEBUG(1,("net_set_machine_spn: %d entries returned!\n", count));
- return ADS_ERROR(LDAP_NO_MEMORY);
- }
-
- if ( (dn_string = ads_get_dn(ads_s, res)) == NULL ) {
- DEBUG(1, ("ads_add_machine_acct: ads_get_dn returned NULL (malloc failure?)\n"));
- goto done;
- }
-
- new_dn = talloc_strdup(ctx, dn_string);
- ads_memfree(ads_s, dn_string);
- if (!new_dn) {
- return ADS_ERROR(LDAP_NO_MEMORY);
- }
-
- /* now do the mods */
-
- if (!(mods = ads_init_mods(ctx))) {
- goto done;
- }
-
- /* fields of primary importance */
-
- ads_mod_str(ctx, &mods, "userPrincipalName", upn);
-
- status = ads_gen_mod(ads_s, new_dn, mods);
-
-done:
- ads_msgfree(ads_s, res);
-
- return status;
-}
-
-/*******************************************************************
- Set a machines dNSHostName and servicePrincipalName attributes
- ********************************************************************/
-
-static ADS_STATUS net_set_os_attributes(TALLOC_CTX *ctx, ADS_STRUCT *ads_s,
- const char *os_name, const char *os_version )
-{
- ADS_STATUS status = ADS_ERROR(LDAP_SERVER_DOWN);
- char *new_dn;
- ADS_MODLIST mods;
- LDAPMessage *res = NULL;
- char *dn_string = NULL;
- const char *machine_name = global_myname();
- int count;
- char *os_sp = NULL;
-
- if ( !os_name || !os_version ) {
- return ADS_ERROR(LDAP_NO_MEMORY);
- }
-
- /* Find our DN */
-
- status = ads_find_machine_acct(ads_s, &res, machine_name);
- if (!ADS_ERR_OK(status))
- return status;
-
- if ( (count = ads_count_replies(ads_s, res)) != 1 ) {
- DEBUG(1,("net_set_machine_spn: %d entries returned!\n", count));
- return ADS_ERROR(LDAP_NO_MEMORY);
- }
-
- if ( (dn_string = ads_get_dn(ads_s, res)) == NULL ) {
- DEBUG(1, ("ads_add_machine_acct: ads_get_dn returned NULL (malloc failure?)\n"));
- goto done;
- }
-
- new_dn = talloc_strdup(ctx, dn_string);
- ads_memfree(ads_s, dn_string);
- if (!new_dn) {
- return ADS_ERROR(LDAP_NO_MEMORY);
- }
-
- /* now do the mods */
-
- if (!(mods = ads_init_mods(ctx))) {
- goto done;
- }
-
- os_sp = talloc_asprintf( ctx, "Samba %s", SAMBA_VERSION_STRING );
-
- /* fields of primary importance */
-
- ads_mod_str(ctx, &mods, "operatingSystem", os_name);
- ads_mod_str(ctx, &mods, "operatingSystemVersion", os_version);
- if ( os_sp )
- ads_mod_str(ctx, &mods, "operatingSystemServicePack", os_sp);
-
- status = ads_gen_mod(ads_s, new_dn, mods);
-
-done:
- ads_msgfree(ads_s, res);
- TALLOC_FREE( os_sp );
-
- return status;
-}
-
-/*******************************************************************
- join a domain using ADS (LDAP mods)
- ********************************************************************/
-
-static ADS_STATUS net_precreate_machine_acct( ADS_STRUCT *ads, const char *ou )
-{
- ADS_STATUS rc = ADS_ERROR(LDAP_SERVER_DOWN);
- char *ou_str = NULL;
- char *dn = NULL;
- LDAPMessage *res = NULL;
- bool moved;
-
- ou_str = ads_ou_string(ads, ou);
- if (asprintf(&dn, "%s,%s", ou_str, ads->config.bind_path) == -1) {
- rc = ADS_ERROR(LDAP_NO_MEMORY);
- goto done;
- }
-
- rc = ads_search_dn(ads, &res, dn, NULL);
- if (!ADS_ERR_OK(rc)) {
- d_fprintf(stderr, "The specified OU does not exist.\n");
- goto done;
- }
-
- /* Attempt to create the machine account and bail if this fails.
- Assume that the admin wants exactly what they requested */
-
- rc = ads_create_machine_acct( ads, global_myname(), dn );
- if (ADS_ERR_OK(rc)) {
- DEBUG(1, ("machine account created\n"));
- goto done;
- }
- if ( !(rc.error_type == ENUM_ADS_ERROR_LDAP && rc.err.rc == LDAP_ALREADY_EXISTS) ) {
- DEBUG(1, ("machine account creation failed\n"));
- goto done;
- }
-
- rc = ads_move_machine_acct(ads, global_myname(), dn, &moved);
- if (!ADS_ERR_OK(rc)) {
- DEBUG(1, ("failure to locate/move pre-existing machine account\n"));
- goto done;
- }
-
- if (moved) {
- d_printf("The machine account was moved into the specified OU.\n");
- } else {
- d_printf("The machine account already exists in the specified OU.\n");
- }
-
-done:
- ads_msgfree(ads, res);
- SAFE_FREE( ou_str );
- SAFE_FREE( dn );
-
- return rc;
-}
-
-/************************************************************************
- ************************************************************************/
-
-static bool net_derive_salting_principal( TALLOC_CTX *ctx, ADS_STRUCT *ads )
-{
- uint32 domain_func;
- ADS_STATUS status;
- fstring salt;
- char *std_salt;
- const char *machine_name = global_myname();
-
- status = ads_domain_func_level( ads, &domain_func );
- if ( !ADS_ERR_OK(status) ) {
- DEBUG(2,("Failed to determine domain functional level!\n"));
- return False;
- }
-
- /* go ahead and setup the default salt */
-
- if ( (std_salt = kerberos_standard_des_salt()) == NULL ) {
- d_fprintf(stderr, "net_derive_salting_principal: failed to obtain stanard DES salt\n");
- return False;
- }
-
- fstrcpy( salt, std_salt );
- SAFE_FREE( std_salt );
-
- /* if it's a Windows functional domain, we have to look for the UPN */
-
- if ( domain_func == DS_DOMAIN_FUNCTION_2000 ) {
- char *upn = ads_get_upn(ads, ctx, machine_name);
- if ( upn ) {
- fstrcpy( salt, upn );
- }
- }
-
- return kerberos_secrets_store_des_salt( salt );
-}
-
-/*******************************************************************
Send a DNS update request
*******************************************************************/
diff --git a/source3/utils/net_domain.c b/source3/utils/net_domain.c
deleted file mode 100644
index 1a84c6cbc6..0000000000
--- a/source3/utils/net_domain.c
+++ /dev/null
@@ -1,387 +0,0 @@
-/*
- Samba Unix/Linux SMB client library
- net ads commands
- Copyright (C) 2001 Andrew Tridgell (tridge@samba.org)
- Copyright (C) 2001 Remus Koos (remuskoos@yahoo.com)
- Copyright (C) 2002 Jim McDonough (jmcd@us.ibm.com)
- Copyright (C) 2006 Gerald (Jerry) Carter (jerry@samba.org)
- Copyright (C) 2008 Guenther Deschner (gd@samba.org)
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 3 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "utils/net.h"
-
-/* Macro for checking RPC error codes to make things more readable */
-
-#define CHECK_RPC_ERR(rpc, msg) \
- if (!NT_STATUS_IS_OK(result = rpc)) { \
- DEBUG(0, (msg ": %s\n", nt_errstr(result))); \
- goto done; \
- }
-
-#define CHECK_RPC_ERR_DEBUG(rpc, debug_args) \
- if (!NT_STATUS_IS_OK(result = rpc)) { \
- DEBUG(0, debug_args); \
- goto done; \
- }
-
-/*******************************************************************
- Leave an AD domain. Windows XP disables the machine account.
- We'll try the same. The old code would do an LDAP delete.
- That only worked using the machine creds because added the machine
- with full control to the computer object's ACL.
-*******************************************************************/
-
-NTSTATUS netdom_leave_domain( TALLOC_CTX *mem_ctx, struct cli_state *cli,
- DOM_SID *dom_sid )
-{
- struct rpc_pipe_client *pipe_hnd = NULL;
- POLICY_HND sam_pol, domain_pol, user_pol;
- NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
- char *acct_name;
- uint32 user_rid;
- struct lsa_String lsa_acct_name;
- struct samr_Ids user_rids;
- struct samr_Ids name_types;
- union samr_UserInfo *info = NULL;
-
- /* Open the domain */
-
- if ( (pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &status)) == NULL ) {
- DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n",
- nt_errstr(status) ));
- return status;
- }
-
- status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
- pipe_hnd->cli->desthost,
- SEC_RIGHTS_MAXIMUM_ALLOWED,
- &sam_pol);
- if ( !NT_STATUS_IS_OK(status) )
- return status;
-
-
- status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
- &sam_pol,
- SEC_RIGHTS_MAXIMUM_ALLOWED,
- dom_sid,
- &domain_pol);
- if ( !NT_STATUS_IS_OK(status) )
- return status;
-
- /* Create domain user */
-
- acct_name = talloc_asprintf(mem_ctx, "%s$", global_myname());
- strlower_m(acct_name);
-
- init_lsa_String(&lsa_acct_name, acct_name);
-
- status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
- &domain_pol,
- 1,
- &lsa_acct_name,
- &user_rids,
- &name_types);
- if ( !NT_STATUS_IS_OK(status) )
- return status;
-
- if ( name_types.ids[0] != SID_NAME_USER) {
- DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name, name_types.ids[0]));
- return NT_STATUS_INVALID_WORKSTATION;
- }
-
- user_rid = user_rids.ids[0];
-
- /* Open handle on user */
-
- status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
- &domain_pol,
- SEC_RIGHTS_MAXIMUM_ALLOWED,
- user_rid,
- &user_pol);
- if ( !NT_STATUS_IS_OK(status) ) {
- goto done;
- }
-
- /* Get user info */
-
- status = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx,
- &user_pol,
- 16,
- &info);
- if ( !NT_STATUS_IS_OK(status) ) {
- rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
- goto done;
- }
-
- /* now disable and setuser info */
-
- info->info16.acct_flags |= ACB_DISABLED;
-
- status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
- &user_pol,
- 16,
- info);
-
- rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
-
-done:
- rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
- rpccli_samr_Close(pipe_hnd, mem_ctx, &sam_pol);
-
- cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */
-
- return status;
-}
-
-/*******************************************************************
- Store the machine password and domain SID
- ********************************************************************/
-
-int netdom_store_machine_account( const char *domain, DOM_SID *sid, const char *pw )
-{
- if (!secrets_store_domain_sid(domain, sid)) {
- DEBUG(1,("Failed to save domain sid\n"));
- return -1;
- }
-
- if (!secrets_store_machine_password(pw, domain, SEC_CHAN_WKSTA)) {
- DEBUG(1,("Failed to save machine password\n"));
- return -1;
- }
-
- return 0;
-}
-
-/*******************************************************************
- ********************************************************************/
-
-NTSTATUS netdom_get_domain_sid( TALLOC_CTX *mem_ctx, struct cli_state *cli,
- const char **domain, DOM_SID **sid )
-{
- struct rpc_pipe_client *pipe_hnd = NULL;
- POLICY_HND lsa_pol;
- NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
- union lsa_PolicyInformation *info = NULL;
-
- if ( (pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &status)) == NULL ) {
- DEBUG(0, ("Error connecting to LSA pipe. Error was %s\n",
- nt_errstr(status) ));
- return status;
- }
-
- status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True,
- SEC_RIGHTS_MAXIMUM_ALLOWED, &lsa_pol);
- if ( !NT_STATUS_IS_OK(status) )
- return status;
-
- status = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
- &lsa_pol,
- LSA_POLICY_INFO_ACCOUNT_DOMAIN,
- &info);
- if ( !NT_STATUS_IS_OK(status) )
- return status;
-
- *domain = info->account_domain.name.string;
- *sid = info->account_domain.sid;
-
- rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol);
- cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */
-
- /* Bail out if domain didn't get set. */
- if (!domain) {
- DEBUG(0, ("Could not get domain name.\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- return NT_STATUS_OK;
-}
-
-/*******************************************************************
- Do the domain join
- ********************************************************************/
-
-NTSTATUS netdom_join_domain( TALLOC_CTX *mem_ctx, struct cli_state *cli,
- DOM_SID *dom_sid, const char *clear_pw,
- enum netdom_domain_t dom_type )
-{
- struct rpc_pipe_client *pipe_hnd = NULL;
- POLICY_HND sam_pol, domain_pol, user_pol;
- NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
- char *acct_name;
- struct lsa_String lsa_acct_name;
- uint32 user_rid;
- uint32 acb_info = ACB_WSTRUST;
- uint32 acct_flags;
- uchar pwbuf[532];
- struct MD5Context md5ctx;
- uchar md5buffer[16];
- DATA_BLOB digested_session_key;
- uchar md4_trust_password[16];
- uint32_t access_granted = 0;
- struct samr_Ids user_rids;
- struct samr_Ids name_types;
- union samr_UserInfo info;
-
- /* Open the domain */
-
- if ( (pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &status)) == NULL ) {
- DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n",
- nt_errstr(status) ));
- return status;
- }
-
- status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
- pipe_hnd->cli->desthost,
- SEC_RIGHTS_MAXIMUM_ALLOWED,
- &sam_pol);
- if ( !NT_STATUS_IS_OK(status) )
- return status;
-
-
- status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
- &sam_pol,
- SEC_RIGHTS_MAXIMUM_ALLOWED,
- dom_sid,
- &domain_pol);
- if ( !NT_STATUS_IS_OK(status) )
- return status;
-
- /* Create domain user */
-
- acct_name = talloc_asprintf(mem_ctx, "%s$", global_myname());
- strlower_m(acct_name);
-
- init_lsa_String(&lsa_acct_name, acct_name);
-
- /* Don't try to set any acb_info flags other than ACB_WSTRUST */
- acct_flags = SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE |
- SEC_STD_WRITE_DAC | SEC_STD_DELETE |
- SAMR_USER_ACCESS_SET_PASSWORD |
- SAMR_USER_ACCESS_GET_ATTRIBUTES |
- SAMR_USER_ACCESS_SET_ATTRIBUTES;
-
- DEBUG(10, ("Creating account with flags: %d\n",acct_flags));
-
- status = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx,
- &domain_pol,
- &lsa_acct_name,
- acb_info,
- acct_flags,
- &user_pol,
- &access_granted,
- &user_rid);
-
- if ( !NT_STATUS_IS_OK(status)
- && !NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS))
- {
- d_fprintf(stderr, "Creation of workstation account failed\n");
-
- /* If NT_STATUS_ACCESS_DENIED then we have a valid
- username/password combo but the user does not have
- administrator access. */
-
- if (NT_STATUS_V(status) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED))
- d_fprintf(stderr, "User specified does not have administrator privileges\n");
-
- return status;
- }
-
- /* We *must* do this.... don't ask... */
-
- if (NT_STATUS_IS_OK(status)) {
- rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
- }
-
- status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
- &domain_pol,
- 1,
- &lsa_acct_name,
- &user_rids,
- &name_types);
- if ( !NT_STATUS_IS_OK(status) )
- return status;
-
- if ( name_types.ids[0] != SID_NAME_USER) {
- DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name, name_types.ids[0]));
- return NT_STATUS_INVALID_WORKSTATION;
- }
-
- user_rid = user_rids.ids[0];
-
- /* Open handle on user */
-
- status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
- &domain_pol,
- SEC_RIGHTS_MAXIMUM_ALLOWED,
- user_rid,
- &user_pol);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- /* Create a random machine account password and generate the hash */
-
- E_md4hash(clear_pw, md4_trust_password);
- encode_pw_buffer(pwbuf, clear_pw, STR_UNICODE);
-
- generate_random_buffer((uint8*)md5buffer, sizeof(md5buffer));
- digested_session_key = data_blob_talloc(mem_ctx, 0, 16);
-
- MD5Init(&md5ctx);
- MD5Update(&md5ctx, md5buffer, sizeof(md5buffer));
- MD5Update(&md5ctx, cli->user_session_key.data, cli->user_session_key.length);
- MD5Final(digested_session_key.data, &md5ctx);
-
- SamOEMhashBlob(pwbuf, sizeof(pwbuf), &digested_session_key);
- memcpy(&pwbuf[516], md5buffer, sizeof(md5buffer));
-
- /* Fill in the additional account flags now */
-
- acb_info |= ACB_PWNOEXP;
- if ( dom_type == ND_TYPE_AD ) {
-#if !defined(ENCTYPE_ARCFOUR_HMAC)
- acb_info |= ACB_USE_DES_KEY_ONLY;
-#endif
- ;;
- }
-
- /* Set password and account flags on machine account */
- ZERO_STRUCT(info.info25);
- info.info25.info.fields_present = ACCT_NT_PWD_SET |
- ACCT_LM_PWD_SET |
- SAMR_FIELD_ACCT_FLAGS;
- info.info25.info.acct_flags = acb_info;
- memcpy(&info.info25.password.data, pwbuf, sizeof(pwbuf));
-
-
- status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
- &user_pol,
- 25,
- &info);
-
- if ( !NT_STATUS_IS_OK(status) ) {
- d_fprintf( stderr, "Failed to set password for machine account (%s)\n",
- nt_errstr(status));
- return status;
- }
-
- rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
- cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */
-
- return status;
-}
-