Merge from HEAD - save the type of channel used to contact the DC.

This allows us to join as a BDC, without appearing on the network as one
until we have the database replicated, and the admin changes the configuration.

This also change the SID retreval order from secrets.tdb, so we no longer
require a 'net rpc getsid' - the sid fetch during the domain join is sufficient.
Also minor fixes to 'net'.

Andrew Bartlett
(This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a)

3 files changed, 11 insertions, 7 deletions

diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index 6a50137400..35d429ca2a 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -53,7 +53,7 @@ NTSTATUS ads_verify_ticket(ADS_STRUCT *ads, const DATA_BLOB *ticket,
 		return NT_STATUS_LOGON_FAILURE;
 	}
 
-	password_s = secrets_fetch_machine_password();
+	password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
 	if (!password_s) {
 		DEBUG(1,("failed to fetch machine password\n"));
 		return NT_STATUS_LOGON_FAILURE;
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index baedfb28db..3ce80975da 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -1024,6 +1024,7 @@ char *ads_ou_string(const char *org_unit)
   add a machine account to the ADS server
 */
 static ADS_STATUS ads_add_machine_acct(ADS_STRUCT *ads, const char *hostname, 
+				       uint32 account_type,
 				       const char *org_unit)
 {
 	ADS_STATUS ret, status;
@@ -1073,7 +1074,7 @@ static ADS_STATUS ads_add_machine_acct(ADS_STRUCT *ads, const char *hostname,
 	if (!(samAccountName = talloc_asprintf(ctx, "%s$", hostname)))
 		goto done;
 
-	acct_control = UF_WORKSTATION_TRUST_ACCOUNT | UF_DONT_EXPIRE_PASSWD;
+	acct_control = account_type | UF_DONT_EXPIRE_PASSWD;
 #ifndef ENCTYPE_ARCFOUR_HMAC
 	acct_control |= UF_USE_DES_KEY_ONLY;
 #endif
@@ -1335,7 +1336,8 @@ int ads_count_replies(ADS_STRUCT *ads, void *res)
  * @param org_unit Organizational unit to place machine in
  * @return status of join
  **/
-ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *hostname, const char *org_unit)
+ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *hostname, 
+			  uint32 account_type, const char *org_unit)
 {
 	ADS_STATUS status;
 	LDAPMessage *res;
@@ -1356,7 +1358,7 @@ ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *hostname, const char *org
 		}
 	}
 
-	status = ads_add_machine_acct(ads, host, org_unit);
+	status = ads_add_machine_acct(ads, host, account_type, org_unit);
 	if (!ADS_ERR_OK(status)) {
 		DEBUG(0, ("ads_add_machine_acct: %s\n", ads_errstr(status)));
 		return status;
diff --git a/source3/libads/util.c b/source3/libads/util.c
index 335cabc952..9912a7ba83 100644
--- a/source3/libads/util.c
+++ b/source3/libads/util.c
@@ -29,21 +29,23 @@ ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_princip
     char *new_password;
     char *service_principal;
     ADS_STATUS ret;
-
-    if ((password = secrets_fetch_machine_password()) == NULL) {
+    uint32 sec_channel_type;
+    
+    if ((password = secrets_fetch_machine_password(lp_workgroup(), NULL, &sec_channel_type)) == NULL) {
 	DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal));
 	return ADS_ERROR_SYSTEM(ENOENT);
     }
 
     tmp_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
     new_password = strdup(tmp_password);
+    
     asprintf(&service_principal, "HOST/%s", host_principal);
 
     ret = kerberos_set_password(ads->auth.kdc_server, service_principal, password, service_principal, new_password, ads->auth.time_offset);
 
     if (!ADS_ERR_OK(ret)) goto failed;
 
-    if (!secrets_store_machine_password(new_password)) {
+    if (!secrets_store_machine_password(new_password, lp_workgroup(), sec_channel_type)) {
 	    DEBUG(1,("Failed to save machine password\n"));
 	    return ADS_ERROR_SYSTEM(EACCES);
     }