From 1bb220174fdefb36106124736eccd9c0a55d07d7 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 16 Jan 2008 10:37:48 +0100 Subject: Avoid use of NDR_PRINT_X_DEBUG (that debugs with level 0) in libnetjoin. Guenther (This used to be commit 357a393b106fe88629bf5f6c634d16c0fc47cee9) --- source3/libnet/libnet_join.c | 41 +++++++++++++++++++++++++++++++++++++---- 1 file changed, 37 insertions(+), 4 deletions(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index a189a38ea3..49868192e8 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -24,6 +24,35 @@ /**************************************************************** ****************************************************************/ +#define LIBNET_JOIN_DUMP_CTX(ctx, r, f) \ + do { \ + char *str = NULL; \ + str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_JoinCtx, f, r); \ + DEBUG(1,("libnet_Join:\n%s", str)); \ + talloc_free(str); \ + } while (0) + +#define LIBNET_JOIN_IN_DUMP_CTX(ctx, r) \ + LIBNET_JOIN_DUMP_CTX(ctx, r, NDR_IN | NDR_SET_VALUES) +#define LIBNET_JOIN_OUT_DUMP_CTX(ctx, r) \ + LIBNET_JOIN_DUMP_CTX(ctx, r, NDR_OUT) + +#define LIBNET_UNJOIN_DUMP_CTX(ctx, r, f) \ + do { \ + char *str = NULL; \ + str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_UnjoinCtx, f, r); \ + DEBUG(1,("libnet_Unjoin:\n%s", str)); \ + talloc_free(str); \ + } while (0) + +#define LIBNET_UNJOIN_IN_DUMP_CTX(ctx, r) \ + LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_IN | NDR_SET_VALUES) +#define LIBNET_UNJOIN_OUT_DUMP_CTX(ctx, r) \ + LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_OUT) + +/**************************************************************** +****************************************************************/ + static void libnet_join_set_error_string(TALLOC_CTX *mem_ctx, struct libnet_JoinCtx *r, const char *format, ...) 
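Review bot: `LIBNET_JOIN_DUMP_CTX` prints the whole input side of `libnet_JoinCtx` at debug level 1, and this file reads `r->in.machine_password` from that same structure, so unless the generated printer masks password fields the join credentials can reach the log whenever `r->in.debug` is set. It is worth confirming how the IDL treats those fields and saying so above the macro, e.g. `/* dumps r->in / r->out via the NDR printer; password members must not appear in clear */`. Separately, `str` is passed to `%s` unchecked, so a failed `NDR_PRINT_FUNCTION_STRING` allocation reaches `DEBUG` as NULL; guard it with `if (str != NULL)`. Both points apply equally to `LIBNET_UNJOIN_DUMP_CTX`.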
@@ -1214,7 +1243,7 @@ WERROR libnet_Join(TALLOC_CTX *mem_ctx, WERROR werr; if (r->in.debug) { - NDR_PRINT_IN_DEBUG(libnet_JoinCtx, r); + LIBNET_JOIN_IN_DUMP_CTX(mem_ctx, r); } werr = libnet_join_pre_processing(mem_ctx, r); @@ -1234,8 +1263,10 @@ WERROR libnet_Join(TALLOC_CTX *mem_ctx, goto done; } done: + r->out.result = werr; + if (r->in.debug) { - NDR_PRINT_OUT_DEBUG(libnet_JoinCtx, r); + LIBNET_JOIN_OUT_DUMP_CTX(mem_ctx, r); } return werr; } @@ -1328,7 +1359,7 @@ WERROR libnet_Unjoin(TALLOC_CTX *mem_ctx, WERROR werr; if (r->in.debug) { - NDR_PRINT_IN_DEBUG(libnet_UnjoinCtx, r); + LIBNET_UNJOIN_IN_DUMP_CTX(mem_ctx, r); } werr = libnet_unjoin_pre_processing(mem_ctx, r); @@ -1349,8 +1380,10 @@ WERROR libnet_Unjoin(TALLOC_CTX *mem_ctx, } done: + r->out.result = werr; + if (r->in.debug) { - NDR_PRINT_OUT_DEBUG(libnet_UnjoinCtx, r); + LIBNET_UNJOIN_OUT_DUMP_CTX(mem_ctx, r); } return werr; -- cgit From 1311918d177723616a01ac5fa2c61d2f93b431a2 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 16 Jan 2008 10:48:11 +0100 Subject: Nicen some error strings in libnetjoin. Guenther (This used to be commit 05cf1413cc92e15bbe7ba0477df282ad31e40412) --- source3/libnet/libnet_join.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 49868192e8..f699b09b78 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -1176,8 +1176,9 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, &info); if (!NT_STATUS_IS_OK(status)) { libnet_join_set_error_string(mem_ctx, r, - "failed to find DC: %s", - nt_errstr(status)); + "failed to find DC for domain %s", + r->in.domain_name, + get_friendly_nt_error_msg(status)); return WERR_DOMAIN_CONTROLLER_NOT_FOUND; } 
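Review bot: In the `libnet_DomainJoin` hunk the new format string `"failed to find DC for domain %s"` has one conversion but two arguments follow it, so `get_friendly_nt_error_msg(status)` is never printed and the reason for the failed DC lookup is lost from the error string. The format should consume both arguments: `"failed to find DC for domain %s: %s",`. The `libnet_DomainUnjoin` hunk at `@@ -1292,8 +1293,9 @@` has the same mismatch. Both function bodies continue outside the hunks.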
@@ -1211,7 +1212,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, if (!NT_STATUS_IS_OK(status)) { libnet_join_set_error_string(mem_ctx, r, "failed to join domain over rpc: %s", - nt_errstr(status)); + get_friendly_nt_error_msg(status)); if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) { return WERR_SETUP_ALREADY_JOINED; } @@ -1292,8 +1293,9 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, &info); if (!NT_STATUS_IS_OK(status)) { libnet_unjoin_set_error_string(mem_ctx, r, - "failed to find DC: %s", - nt_errstr(status)); + "failed to find DC for domain %s", + r->in.domain_name, + get_friendly_nt_error_msg(status)); return WERR_DOMAIN_CONTROLLER_NOT_FOUND; } @@ -1305,8 +1307,8 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, status = libnet_join_unjoindomain_rpc(mem_ctx, r); if (!NT_STATUS_IS_OK(status)) { libnet_unjoin_set_error_string(mem_ctx, r, - "failed to unjoin domain: %s", - nt_errstr(status)); + "failed to disable machine account via rpc: %s", + get_friendly_nt_error_msg(status)); if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) { return WERR_SETUP_NOT_JOINED; } @@ -1350,6 +1352,7 @@ static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx, return WERR_OK; } + /**************************************************************** ****************************************************************/ -- cgit From 168e122682debee53041250292da214f88f534fa Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 16 Jan 2008 10:56:40 +0100 Subject: Autofetch domain_sid while unjoining in libnetjoin. Guenther (This used to be commit 622109895c56ed7cc02dac006f02cac89424b569) --- source3/libnet/libnet_join.c | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index f699b09b78..af7f9a6a21 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c 
@@ -1280,6 +1280,17 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, { NTSTATUS status; + if (!r->in.domain_sid) { + struct dom_sid sid; + if (!secrets_fetch_domain_sid(lp_workgroup(), &sid)) { + libnet_unjoin_set_error_string(mem_ctx, r, + "Unable to fetch domain sid: are we joined?"); + return WERR_SETUP_NOT_JOINED; + } + r->in.domain_sid = sid_dup_talloc(mem_ctx, &sid); + W_ERROR_HAVE_NO_MEMORY(r->in.domain_sid); + } + if (!r->in.dc_name) { struct DS_DOMAIN_CONTROLLER_INFO *info; status = dsgetdcname(mem_ctx, -- cgit From 7bfceba4bc49f5f5c8d2836dfd76e1ec15459631 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Wed, 16 Jan 2008 17:05:38 +0100 Subject: Use lp_config_backend_is_registry() instead of lp_include_registry_globals(). Michael (This used to be commit c5a7d421c512a6221b0300549d7b5de0368d252e) --- source3/libnet/libnet_join.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index af7f9a6a21..a9978ba4b8 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -1041,7 +1041,7 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx, return WERR_INVALID_PARAM; } - if (r->in.modify_config && !lp_include_registry_globals()) { + if (r->in.modify_config && !lp_config_backend_is_registry()) { return WERR_NOT_SUPPORTED; } @@ -1350,7 +1350,7 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx, struct libnet_UnjoinCtx *r) { - if (r->in.modify_config && !lp_include_registry_globals()) { + if (r->in.modify_config && !lp_config_backend_is_registry()) { return WERR_NOT_SUPPORTED; } -- cgit From a0186fb78d05aa997b114eee6afabaf138540ab8 Mon Sep 17 00:00:00 2001 
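Review bot: The added block looks the SID up under `lp_workgroup()`, while the `dsgetdcname` call right below it works from `r->in.domain_name`; as far as this hunk shows, nothing ties the two together, so a caller that names a different domain would pair the locally stored SID with another domain's DC. If the two are always expected to match, state that assumption in a comment, e.g. `/* no SID supplied: fall back to the SID stored in secrets for our configured workgroup */`, or compare them before the fetch. The block also writes into `r->in`, which a caller may not expect of an input member. The function body continues outside the hunk.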
From: Jeremy Allison Date: Wed, 23 Jan 2008 13:54:02 -0800 Subject: Forward ported version of Matt Geddes patch for adding acct_flags to rpccli_samr_create_dom_user(). Jerry please test. Jeremy. (This used to be commit 7d94f97947b7edfcf3ec52f0125e4593d6d54c05) --- source3/libnet/libnet_join.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index a9978ba4b8..538cca7994 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -684,10 +684,15 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, const_acct_name = acct_name; if (r->in.join_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE) { + uint32 acct_flags = SAMR_GENERIC_READ | SAMR_GENERIC_WRITE | + SAMR_GENERIC_EXECUTE | SAMR_STANDARD_WRITEDAC | + SAMR_STANDARD_DELETE | SAMR_USER_SETPASS | + SAMR_USER_GETATTR | SAMR_USER_SETATTR; + status = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol, acct_name, ACB_WSTRUST, - 0xe005000b, &user_pol, + acct_flags, &user_pol, &user_rid); if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) { if (!(r->in.join_flags & -- cgit From 92183450f1eedd2892ed8612ccaf97c65098c636 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 25 Jan 2008 01:00:51 +0100 Subject: Trying to avoid defining new SAMR acct creation flags when we already have them with different names. Matt, Jeremy, please check. Guenther (This used to be commit d4a9e46edf7336f673c001c559af96eb0ecf9f6f) --- source3/libnet/libnet_join.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 538cca7994..f83e0fbb60 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c 
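Review bot: The new local `acct_flags` holds an access mask (generic read/write/execute, WRITE_DAC, DELETE and three user rights), not account flags; the account flags of this call are the `ACB_WSTRUST` argument just before it. A name such as `access_desired` avoids the confusion. Since the constant list replaces the literal `0xe005000b`, a one-line comment such as `/* must equal the former literal 0xe005000b */` would let a reader verify that no right was added or dropped. The mask is also broad for creating a machine account; whether WRITE_DAC and DELETE are actually needed cannot be told from the hunk.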
@@ -684,10 +684,12 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, const_acct_name = acct_name; if (r->in.join_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE) { - uint32 acct_flags = SAMR_GENERIC_READ | SAMR_GENERIC_WRITE | - SAMR_GENERIC_EXECUTE | SAMR_STANDARD_WRITEDAC | - SAMR_STANDARD_DELETE | SAMR_USER_SETPASS | - SAMR_USER_GETATTR | SAMR_USER_SETATTR; + uint32_t acct_flags = + SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE | + SEC_STD_WRITE_DAC | SEC_STD_DELETE | + SAMR_USER_ACCESS_SET_PASSWORD | + SAMR_USER_ACCESS_GET_ATTRIBUTES | + SAMR_USER_ACCESS_SET_ATTRIBUTES; status = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol, -- cgit From 5ab43ae0d8e66a1fd4c877089df52282367be7dd Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sat, 26 Jan 2008 01:39:33 +0100 Subject: Eliminate remote tree of dsgetdcname (which will happen in libnetapi then). Guenther (This used to be commit fd490d236b1fb73a75c457b75128c9b98719418f) --- source3/libnet/libnet_join.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index f83e0fbb60..3c6cea31bb 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -1173,7 +1173,6 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, if (!r->in.dc_name) { struct DS_DOMAIN_CONTROLLER_INFO *info; status = dsgetdcname(mem_ctx, - NULL, r->in.domain_name, NULL, NULL, @@ -1301,7 +1300,6 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, if (!r->in.dc_name) { struct DS_DOMAIN_CONTROLLER_INFO *info; status = dsgetdcname(mem_ctx, - NULL, r->in.domain_name, NULL, NULL, -- cgit From 5334b364c21599fe055b32bbbd1e8cf7488b1fa7 Mon Sep 17 00:00:00 2001 
From: Günther Deschner Date: Wed, 30 Jan 2008 12:39:20 +0100 Subject: Remove rpccli_samr_close and use pidl generated function instead. Guenther (This used to be commit 64f0889401855ab76953bfae5db4fe4df19ad8a5) --- source3/libnet/libnet_join.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 3c6cea31bb..c34afc7cae 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -704,7 +704,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, } if (NT_STATUS_IS_OK(status)) { - rpccli_samr_close(pipe_hnd, mem_ctx, &user_pol); + rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol); } } @@ -769,7 +769,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, goto done; } - rpccli_samr_close(pipe_hnd, mem_ctx, &user_pol); + rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol); cli_rpc_pipe_close(pipe_hnd); status = NT_STATUS_OK; @@ -877,7 +877,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, status = rpccli_samr_query_userinfo(pipe_hnd, mem_ctx, &user_pol, 16, &qctr); if (!NT_STATUS_IS_OK(status)) { - rpccli_samr_close(pipe_hnd, mem_ctx, &user_pol); + rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol); goto done; } @@ -890,12 +890,12 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, status = rpccli_samr_set_userinfo2(pipe_hnd, mem_ctx, &user_pol, 16, &cli->user_session_key, &ctr); - rpccli_samr_close(pipe_hnd, mem_ctx, &user_pol); + rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol); done: if (pipe_hnd) { - rpccli_samr_close(pipe_hnd, mem_ctx, &domain_pol); - rpccli_samr_close(pipe_hnd, mem_ctx, &sam_pol); + rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol); + rpccli_samr_Close(pipe_hnd, mem_ctx, &sam_pol); cli_rpc_pipe_close(pipe_hnd); } -- cgit From 42960f817a9fd439557d1be2f3ca3603a35489ce Mon Sep 17 00:00:00 2001 
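Review bot: At `done:` in `libnet_join_unjoindomain_rpc`, `domain_pol` and `sam_pol` are closed whenever `pipe_hnd` is set, regardless of whether the calls that fill them succeeded. Their declarations are outside this hunk; if they are not zeroed and any `goto done` is taken before both are opened, the close request sends whatever bytes were on the stack to the DC. Zeroing them at the top of the function, `ZERO_STRUCT(sam_pol); ZERO_STRUCT(domain_pol);`, or tracking which handles were opened, bounds that. The function body starts outside the hunk.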
From: Günther Deschner Date: Fri, 1 Feb 2008 11:12:05 +0100 Subject: Use rpccli_samr_OpenDomain() all over the place. Guenther (This used to be commit e4e9d72724d547e1405b2ed4cec509d50ec88c8d) --- source3/libnet/libnet_join.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index c34afc7cae..cea5ea6d46 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -671,10 +671,11 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, goto done; } - status = rpccli_samr_open_domain(pipe_hnd, mem_ctx, &sam_pol, - SEC_RIGHTS_MAXIMUM_ALLOWED, - r->out.domain_sid, - &domain_pol); + status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx, + &sam_pol, + SEC_RIGHTS_MAXIMUM_ALLOWED, + r->out.domain_sid, + &domain_pol); if (!NT_STATUS_IS_OK(status)) { goto done; } @@ -840,10 +841,11 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, goto done; } - status = rpccli_samr_open_domain(pipe_hnd, mem_ctx, &sam_pol, - SEC_RIGHTS_MAXIMUM_ALLOWED, - r->in.domain_sid, - &domain_pol); + status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx, + &sam_pol, + SEC_RIGHTS_MAXIMUM_ALLOWED, + r->in.domain_sid, + &domain_pol); if (!NT_STATUS_IS_OK(status)) { goto done; } -- cgit From 37b56c0113263a741c62100cd4b13388cb2a83fa Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 1 Feb 2008 11:57:53 +0100 Subject: Use rpccli_samr_OpenUser() all over the place. Guenther (This used to be commit da90eb7653554d242da83ed98adae35ced3a2938) --- source3/libnet/libnet_join.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index cea5ea6d46..bbbf11adc1 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c 
@@ -724,9 +724,11 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, user_rid = user_rids[0]; - status = rpccli_samr_open_user(pipe_hnd, mem_ctx, &domain_pol, - SEC_RIGHTS_MAXIMUM_ALLOWED, user_rid, - &user_pol); + status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx, + &domain_pol, + SEC_RIGHTS_MAXIMUM_ALLOWED, + user_rid, + &user_pol); if (!NT_STATUS_IS_OK(status)) { goto done; } @@ -869,9 +871,11 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, user_rid = user_rids[0]; - status = rpccli_samr_open_user(pipe_hnd, mem_ctx, &domain_pol, - SEC_RIGHTS_MAXIMUM_ALLOWED, - user_rid, &user_pol); + status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx, + &domain_pol, + SEC_RIGHTS_MAXIMUM_ALLOWED, + user_rid, + &user_pol); if (!NT_STATUS_IS_OK(status)) { goto done; } -- cgit From ddbe4ea6b79b511927d4d130cb345b873b12cc0e Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 1 Feb 2008 14:21:54 +0100 Subject: Use rpccli_samr_CreateUser2() all over the place. Guenther (This used to be commit 701af69118c9634c7dc0d5c10152ce776787694d) --- source3/libnet/libnet_join.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index bbbf11adc1..737474d807 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -50,6 +50,11 @@ #define LIBNET_UNJOIN_OUT_DUMP_CTX(ctx, r) \ LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_OUT) +static void init_lsa_String(struct lsa_String *name, const char *s) +{ + name->string = s; +} + /**************************************************************** ****************************************************************/ 
@@ -591,6 +596,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, NTSTATUS status = NT_STATUS_UNSUCCESSFUL; char *acct_name; const char *const_acct_name; + struct lsa_String lsa_acct_name; uint32 user_rid; uint32 num_rids, *name_types, *user_rids; uint32 flags = 0x3e8; @@ -684,6 +690,8 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, strlower_m(acct_name); const_acct_name = acct_name; + init_lsa_String(&lsa_acct_name, acct_name); + if (r->in.join_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE) { uint32_t acct_flags = SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE | @@ -691,12 +699,16 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, SAMR_USER_ACCESS_SET_PASSWORD | SAMR_USER_ACCESS_GET_ATTRIBUTES | SAMR_USER_ACCESS_SET_ATTRIBUTES; - - status = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, - &domain_pol, - acct_name, ACB_WSTRUST, - acct_flags, &user_pol, - &user_rid); + uint32_t access_granted = 0; + + status = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx, + &domain_pol, + &lsa_acct_name, + ACB_WSTRUST, + acct_flags, + &user_pol, + &access_granted, + &user_rid); if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) { if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED)) { -- cgit From 270ba9c238400f49d32c57a9a1bbde6ad63bb555 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 4 Feb 2008 19:43:07 +0100 Subject: Use rpccli_samr_Connect2() all over the place. Guenther (This used to be commit bdf8d562621e1a09bf83e2009dec24966e7fdf22) --- source3/libnet/libnet_join.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 737474d807..f855a57f32 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c 
@@ -671,8 +671,10 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, goto done; } - status = rpccli_samr_connect(pipe_hnd, mem_ctx, - SEC_RIGHTS_MAXIMUM_ALLOWED, &sam_pol); + status = rpccli_samr_Connect2(pipe_hnd, mem_ctx, + pipe_hnd->cli->desthost, + SEC_RIGHTS_MAXIMUM_ALLOWED, + &sam_pol); if (!NT_STATUS_IS_OK(status)) { goto done; } @@ -849,8 +851,10 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, goto done; } - status = rpccli_samr_connect(pipe_hnd, mem_ctx, - SEC_RIGHTS_MAXIMUM_ALLOWED, &sam_pol); + status = rpccli_samr_Connect2(pipe_hnd, mem_ctx, + pipe_hnd->cli->desthost, + SEC_RIGHTS_MAXIMUM_ALLOWED, + &sam_pol); if (!NT_STATUS_IS_OK(status)) { goto done; } -- cgit From 3783e6af8a8cd4b3cc1d43507704f17e6bb1a9a5 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 8 Feb 2008 01:57:55 +0100 Subject: Use rpccli_lsa_QueryInfoPolicy2 in libnet join. Guenther (This used to be commit ddc2fc16bf18fe3ab8a0fc0021826253d5f4ed32) --- source3/libnet/libnet_join.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index f855a57f32..2f8d3e3085 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -610,6 +610,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, uchar md5buffer[16]; DATA_BLOB digested_session_key; uchar md4_trust_password[16]; + union lsa_PolicyInformation *info = NULL; if (!r->in.machine_password) { r->in.machine_password = talloc_strdup(mem_ctx, generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH)); 
@@ -641,16 +642,15 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, goto done; } - status = rpccli_lsa_query_info_policy2(pipe_hnd, mem_ctx, &lsa_pol, - 12, - &r->out.netbios_domain_name, - &r->out.dns_domain_name, - NULL, - NULL, - &r->out.domain_sid); - + status = rpccli_lsa_QueryInfoPolicy2(pipe_hnd, mem_ctx, + &lsa_pol, + LSA_POLICY_INFO_DNS, + &info); if (NT_STATUS_IS_OK(status)) { r->out.domain_is_ad = true; + r->out.netbios_domain_name = info->dns.name.string; + r->out.dns_domain_name = info->dns.dns_domain.string; + r->out.domain_sid = info->dns.sid; } if (!NT_STATUS_IS_OK(status)) { -- cgit From adeb94a9a6444facf330337142997210940c9137 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 8 Feb 2008 10:21:25 +0100 Subject: Use rpccli_lsa_QueryInfoPolicy() in libnet_join. Guenther (This used to be commit 28ef55cbf1662dfe6b64a837ade830f5c864b4b9) --- source3/libnet/libnet_join.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 2f8d3e3085..07d4960ffd 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -654,13 +654,16 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, } if (!NT_STATUS_IS_OK(status)) { - status = rpccli_lsa_query_info_policy(pipe_hnd, mem_ctx, &lsa_pol, - 5, - &r->out.netbios_domain_name, - &r->out.domain_sid); + status = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx, + &lsa_pol, + LSA_POLICY_INFO_ACCOUNT_DOMAIN, + &info); if (!NT_STATUS_IS_OK(status)) { goto done; } + + r->out.netbios_domain_name = info->account_domain.name.string; + r->out.domain_sid = info->account_domain.sid; } rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol); -- cgit From 210a4ab76f9b576b6834106146fcd86ba73acd22 Mon Sep 17 00:00:00 2001 
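Review bot: After `rpccli_lsa_QueryInfoPolicy2` succeeds, `info->dns.name.string`, `info->dns.dns_domain.string` and `info->dns.sid` are copied into `r->out` without checking `info` or the individual pointers, and all of them come from the server's reply. These values are used later in this file as the `workgroup` and `realm` settings, so a missing name or SID should be rejected at this point, e.g. `if (!info || !info->dns.name.string || !info->dns.sid) { status = NT_STATUS_INVALID_NETWORK_RESPONSE; goto done; }`. The `rpccli_lsa_QueryInfoPolicy` fallback hunk at `@@ -654,13 +654,16 @@` reads `info->account_domain` the same way. A comment noting that the `r->out` members now point into `info` rather than into their own allocations would also help whoever frees them.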
From: Günther Deschner Date: Fri, 8 Feb 2008 14:48:55 +0100 Subject: Use rpccli_samr_LookupNames() in libnetjoin. Guenther (This used to be commit e62bfd2deea81f188cd4b5274218c3df64782aa7) --- source3/libnet/libnet_join.c | 44 ++++++++++++++++++++++++-------------------- 1 file changed, 24 insertions(+), 20 deletions(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 07d4960ffd..6d9cc1fbc4 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -595,11 +595,8 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, POLICY_HND sam_pol, domain_pol, user_pol, lsa_pol; NTSTATUS status = NT_STATUS_UNSUCCESSFUL; char *acct_name; - const char *const_acct_name; struct lsa_String lsa_acct_name; uint32 user_rid; - uint32 num_rids, *name_types, *user_rids; - uint32 flags = 0x3e8; uint32 acb_info = ACB_WSTRUST; uint32 fields_present; uchar pwbuf[532]; @@ -611,6 +608,8 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, DATA_BLOB digested_session_key; uchar md4_trust_password[16]; union lsa_PolicyInformation *info = NULL; + struct samr_Ids user_rids; + struct samr_Ids name_types; if (!r->in.machine_password) { r->in.machine_password = talloc_strdup(mem_ctx, generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH)); @@ -693,7 +692,6 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name); strlower_m(acct_name); - const_acct_name = acct_name; init_lsa_String(&lsa_acct_name, acct_name); 
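Review bot: `acct_name` comes from `talloc_asprintf()` and goes straight into `strlower_m()` and `init_lsa_String()` with no NULL check, so an allocation failure is dereferenced instead of reported. Adding `if (!acct_name) { status = NT_STATUS_NO_MEMORY; goto done; }` right after the allocation fixes it. The `libnet_join_unjoindomain_rpc` hunk at `@@ -873,22 +873,26 @@` has the same sequence. Both function bodies start and end outside the hunks.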
@@ -726,20 +724,22 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, } } - status = rpccli_samr_lookup_names(pipe_hnd, mem_ctx, - &domain_pol, flags, 1, - &const_acct_name, - &num_rids, &user_rids, &name_types); + status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx, + &domain_pol, + 1, + &lsa_acct_name, + &user_rids, + &name_types); if (!NT_STATUS_IS_OK(status)) { goto done; } - if (name_types[0] != SID_NAME_USER) { + if (name_types.ids[0] != SID_NAME_USER) { status = NT_STATUS_INVALID_WORKSTATION; goto done; } - user_rid = user_rids[0]; + user_rid = user_rids.ids[0]; status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx, &domain_pol, @@ -829,12 +829,12 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, POLICY_HND sam_pol, domain_pol, user_pol; NTSTATUS status = NT_STATUS_UNSUCCESSFUL; char *acct_name; - uint32 flags = 0x3e8; - const char *const_acct_name; uint32 user_rid; - uint32 num_rids, *name_types, *user_rids; SAM_USERINFO_CTR ctr, *qctr = NULL; SAM_USER_INFO_16 p16; + struct lsa_String lsa_acct_name; + struct samr_Ids user_rids; + struct samr_Ids name_types; status = cli_full_connection(&cli, NULL, r->in.dc_name, @@ -873,22 +873,26 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name); strlower_m(acct_name); - const_acct_name = acct_name; - status = rpccli_samr_lookup_names(pipe_hnd, mem_ctx, - &domain_pol, flags, 1, - &const_acct_name, - &num_rids, &user_rids, &name_types); + init_lsa_String(&lsa_acct_name, acct_name); + + status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx, + &domain_pol, + 1, + &lsa_acct_name, + &user_rids, + &name_types); + if (!NT_STATUS_IS_OK(status)) { goto done; } - if (name_types[0] != SID_NAME_USER) { + if (name_types.ids[0] != SID_NAME_USER) { status = NT_STATUS_INVALID_WORKSTATION; goto done; } - user_rid = user_rids[0]; + user_rid = user_rids.ids[0]; status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx, &domain_pol, -- cgit 
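Review bot: `name_types.ids[0]` and `user_rids.ids[0]` are read as soon as `rpccli_samr_LookupNames` reports success, but nothing checks that the reply actually carried one entry in each array. Both structures are filled from the server's response, so a guard belongs before the index: `if (user_rids.count != 1 || name_types.count != 1) { status = NT_STATUS_INVALID_NETWORK_RESPONSE; goto done; }`. The same applies to the `libnet_join_unjoindomain_rpc` hunk at `@@ -873,22 +873,26 @@`. Both function bodies continue outside the hunks.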
From 90631dd2c27db6480ddfaec5746c84579ec684be Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 12 Feb 2008 00:07:41 +0100 Subject: Removing unused ACCT_-flags. Guenther (This used to be commit d1e5a5a7f9dfb5756398e99cf09a4712d2b42682) --- source3/libnet/libnet_join.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 6d9cc1fbc4..e6fcc76d6c 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -776,7 +776,8 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, ZERO_STRUCT(ctr); ZERO_STRUCT(p25); - fields_present = ACCT_NT_PWD_SET | ACCT_LM_PWD_SET | ACCT_FLAGS; + fields_present = ACCT_NT_PWD_SET | ACCT_LM_PWD_SET | + SAMR_FIELD_ACCT_FLAGS; init_sam_user_info25P(&p25, fields_present, acb_info, (char *)pwbuf); ctr.switch_value = infolevel; -- cgit From b1c6104fa4c7a4e7e5cbbcdfef7c75baebde762d Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 12 Feb 2008 18:21:52 +0100 Subject: Use every (This used to be commit d9cec295bf55b3a7e16f548cc4bf64ce474b41e9) --- source3/libnet/libnet_join.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index e6fcc76d6c..996b9e64f9 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -831,11 +831,12 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, NTSTATUS status = NT_STATUS_UNSUCCESSFUL; char *acct_name; uint32 user_rid; - SAM_USERINFO_CTR ctr, *qctr = NULL; + SAM_USERINFO_CTR ctr; SAM_USER_INFO_16 p16; struct lsa_String lsa_acct_name; struct samr_Ids user_rids; struct samr_Ids name_types; + union samr_UserInfo *info = NULL; status = cli_full_connection(&cli, NULL, r->in.dc_name, 
@@ -904,8 +905,10 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, goto done; } - status = rpccli_samr_query_userinfo(pipe_hnd, mem_ctx, - &user_pol, 16, &qctr); + status = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx, + &user_pol, + 16, + &info); if (!NT_STATUS_IS_OK(status)) { rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol); goto done; @@ -915,7 +918,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, ctr.switch_value = 16; ctr.info.id16 = &p16; - p16.acb_info = qctr->info.id16->acb_info | ACB_DISABLED; + p16.acb_info = info->info16.acct_flags | ACB_DISABLED; status = rpccli_samr_set_userinfo2(pipe_hnd, mem_ctx, &user_pol, 16, &cli->user_session_key, &ctr); -- cgit From bc742a06a2e7ce494446ab3a752fd45d08c25659 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 12 Feb 2008 00:51:51 +0100 Subject: Remove all callers of rpccli_samr_setuserinfo2 and replace with rpccli_samr_SetUserInfo (see the opcode mixup in rpc_samr.h). Guenther (This used to be commit bdc49185036060ebb9c727767dce52e4b01bd8b4) --- source3/libnet/libnet_join.c | 40 ++++++++++++++++------------------------ 1 file changed, 16 insertions(+), 24 deletions(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 996b9e64f9..4b8826ac97 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -598,11 +598,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, struct lsa_String lsa_acct_name; uint32 user_rid; uint32 acb_info = ACB_WSTRUST; - uint32 fields_present; uchar pwbuf[532]; - SAM_USERINFO_CTR ctr; - SAM_USER_INFO_25 p25; - const int infolevel = 25; struct MD5Context md5ctx; uchar md5buffer[16]; DATA_BLOB digested_session_key; 
@@ -610,6 +606,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, union lsa_PolicyInformation *info = NULL; struct samr_Ids user_rids; struct samr_Ids name_types; + union samr_UserInfo user_info; if (!r->in.machine_password) { r->in.machine_password = talloc_strdup(mem_ctx, generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH)); @@ -773,19 +770,18 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, ;; } - ZERO_STRUCT(ctr); - ZERO_STRUCT(p25); + ZERO_STRUCT(user_info.info25); - fields_present = ACCT_NT_PWD_SET | ACCT_LM_PWD_SET | - SAMR_FIELD_ACCT_FLAGS; - init_sam_user_info25P(&p25, fields_present, acb_info, (char *)pwbuf); + user_info.info25.info.fields_present = ACCT_NT_PWD_SET | + ACCT_LM_PWD_SET | + SAMR_FIELD_ACCT_FLAGS; + user_info.info25.info.acct_flags = acb_info; + memcpy(&user_info.info25.password.data, pwbuf, sizeof(pwbuf)); - ctr.switch_value = infolevel; - ctr.info.id25 = &p25; - - status = rpccli_samr_set_userinfo2(pipe_hnd, mem_ctx, &user_pol, - infolevel, &cli->user_session_key, - &ctr); + status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx, + &user_pol, + 25, + &user_info); if (!NT_STATUS_IS_OK(status)) { goto done; } @@ -831,8 +827,6 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, NTSTATUS status = NT_STATUS_UNSUCCESSFUL; char *acct_name; uint32 user_rid; - SAM_USERINFO_CTR ctr; - SAM_USER_INFO_16 p16; struct lsa_String lsa_acct_name; struct samr_Ids user_rids; struct samr_Ids name_types; 
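Review bot: `memcpy(&user_info.info25.password.data, pwbuf, sizeof(pwbuf))` sizes the copy by the source, a 532-byte stack buffer, while the size of `password.data` comes from the generated structure and is not visible here. If the two ever differ the copy overruns the union member or leaves part of the password blob unset; sizing by the destination and asserting equality, e.g. `SMB_ASSERT(sizeof(user_info.info25.password.data) == sizeof(pwbuf));`, makes that explicit. The hunk also drops the `&cli->user_session_key` argument that the old `rpccli_samr_set_userinfo2` call took, so a comment stating where `pwbuf` is encrypted before it is sent would be useful, since that step is not visible in the hunk. The function body starts and ends outside the hunk.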
@@ -914,14 +908,12 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, goto done; } - ZERO_STRUCT(ctr); - ctr.switch_value = 16; - ctr.info.id16 = &p16; - - p16.acb_info = info->info16.acct_flags | ACB_DISABLED; + info->info16.acct_flags |= ACB_DISABLED; - status = rpccli_samr_set_userinfo2(pipe_hnd, mem_ctx, &user_pol, 16, - &cli->user_session_key, &ctr); + status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx, + &user_pol, + 16, + info); rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol); -- cgit From e2b3aad8174daede0248ce96df624e575867cfd8 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 12 Feb 2008 22:05:39 +0100 Subject: Collect all init_lsa_string varients in one place. Guenther (This used to be commit f4581e9f4482566fba9436d5ae058b8d840fa394) --- source3/libnet/libnet_join.c | 5 ----- 1 file changed, 5 deletions(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 4b8826ac97..0543ca8474 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -50,11 +50,6 @@ #define LIBNET_UNJOIN_OUT_DUMP_CTX(ctx, r) \ LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_OUT) -static void init_lsa_String(struct lsa_String *name, const char *s) -{ - name->string = s; -} - /**************************************************************** ****************************************************************/ -- cgit From 97c2dfc52f0f02c2bc605304885128622cf7f750 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 28 Feb 2008 11:00:50 +0100 Subject: Use W_ERROR_NOT_OK_GOTO_DONE macro in libnetjoin. Guenther (This used to be commit fec230b28f456469bce051a2b26249d2026a48ea) --- source3/libnet/libnet_join.c | 34 +++++++++++++++------------------- 1 file changed, 15 insertions(+), 19 deletions(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 0543ca8474..510b9e2e2f 100644 --- a/source3/libnet/libnet_join.c 
+++ b/source3/libnet/libnet_join.c @@ -50,6 +50,12 @@ #define LIBNET_UNJOIN_OUT_DUMP_CTX(ctx, r) \ LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_OUT) +#define W_ERROR_NOT_OK_GOTO_DONE(x) do { \ + if (!W_ERROR_IS_OK(x)) {\ + goto done;\ + }\ +} while (0) + /**************************************************************** ****************************************************************/ @@ -942,9 +948,7 @@ static WERROR do_join_modify_vals_config(struct libnet_JoinCtx *r) if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE)) { werr = libnet_conf_set_global_parameter(ctx, "security", "user"); - if (!W_ERROR_IS_OK(werr)) { - goto done; - } + W_ERROR_NOT_OK_GOTO_DONE(werr); werr = libnet_conf_set_global_parameter(ctx, "workgroup", r->in.domain_name); @@ -952,27 +956,22 @@ static WERROR do_join_modify_vals_config(struct libnet_JoinCtx *r) } werr = libnet_conf_set_global_parameter(ctx, "security", "domain"); - if (!W_ERROR_IS_OK(werr)) { - goto done; - } + W_ERROR_NOT_OK_GOTO_DONE(werr); werr = libnet_conf_set_global_parameter(ctx, "workgroup", r->out.netbios_domain_name); - if (!W_ERROR_IS_OK(werr)) { - goto done; - } + W_ERROR_NOT_OK_GOTO_DONE(werr); if (r->out.domain_is_ad) { werr = libnet_conf_set_global_parameter(ctx, "security", "ads"); - if (!W_ERROR_IS_OK(werr)) { - goto done; - } + W_ERROR_NOT_OK_GOTO_DONE(werr); werr = libnet_conf_set_global_parameter(ctx, "realm", r->out.dns_domain_name); + W_ERROR_NOT_OK_GOTO_DONE(werr); } -done: + done: libnet_conf_close(ctx); return werr; } @@ -993,14 +992,11 @@ static WERROR do_unjoin_modify_vals_config(struct libnet_UnjoinCtx *r) if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) { werr = libnet_conf_set_global_parameter(ctx, "security", "user"); - if (!W_ERROR_IS_OK(werr)) { - goto done; - } + W_ERROR_NOT_OK_GOTO_DONE(werr); + libnet_conf_delete_global_parameter(ctx, "realm"); } - libnet_conf_delete_global_parameter(ctx, "realm"); - -done: + done: libnet_conf_close(ctx); return werr; } -- cgit 
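Review bot: In do_unjoin_modify_vals_config the relocated `libnet_conf_delete_global_parameter(ctx, "realm");` still discards its result, so a failed delete leaves a stale `realm` beside `security = user` while the function reports success. Every configuration write touched by this commit goes through `W_ERROR_NOT_OK_GOTO_DONE`, and the same shape fits here: `werr = libnet_conf_delete_global_parameter(ctx, "realm");` followed by `W_ERROR_NOT_OK_GOTO_DONE(werr);`. This assumes the delete call returns a WERROR like the set call does; its prototype is not in the hunk. If a missing parameter is reported as an error, that case would need to be tolerated explicitly.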
From 39ba91fd8391df61881dc07a04dde7a630f95d39 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 28 Feb 2008 11:02:01 +0100 Subject: Merge all connect ads calls into libnet_join_post_processing_ads(). Guenther (This used to be commit be96baeffc60d05d8e297034e5253c8b75512ab2) --- source3/libnet/libnet_join.c | 28 +++++++--------------------- 1 file changed, 7 insertions(+), 21 deletions(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 510b9e2e2f..2d00fb094f 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -296,13 +296,6 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, const char *spn_array[3] = {NULL, NULL, NULL}; char *spn = NULL; - if (!r->in.ads) { - status = libnet_join_connect_ads(mem_ctx, r); - if (!ADS_ERR_OK(status)) { - return status; - } - } - status = libnet_join_find_machine_acct(mem_ctx, r); if (!ADS_ERR_OK(status)) { return status; @@ -358,13 +351,6 @@ static ADS_STATUS libnet_join_set_machine_upn(TALLOC_CTX *mem_ctx, return ADS_SUCCESS; } - if (!r->in.ads) { - status = libnet_join_connect_ads(mem_ctx, r); - if (!ADS_ERR_OK(status)) { - return status; - } - } - status = libnet_join_find_machine_acct(mem_ctx, r); if (!ADS_ERR_OK(status)) { return status; @@ -408,13 +394,6 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx, return ADS_SUCCESS; } - if (!r->in.ads) { - status = libnet_join_connect_ads(mem_ctx, r); - if (!ADS_ERR_OK(status)) { - return status; - } - } - status = libnet_join_find_machine_acct(mem_ctx, r); if (!ADS_ERR_OK(status)) { return status; 
@@ -525,6 +504,13 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, { ADS_STATUS status; + if (!r->in.ads) { + status = libnet_join_connect_ads(mem_ctx, r); + if (!ADS_ERR_OK(status)) { + return status; + } + } + status = libnet_join_set_machine_spn(mem_ctx, r); if (!ADS_ERR_OK(status)) { libnet_join_set_error_string(mem_ctx, r, -- cgit From 1d807c3c29eaffb512279d3180f088cfcfe980f8 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 28 Feb 2008 11:17:29 +0100 Subject: Add preliminary libnet_join_post_verify call to libnetjoin. Guenther (This used to be commit f0e319a18d86303aeb73c08841024c27c1b135cd) --- source3/libnet/libnet_join.c | 131 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 131 insertions(+) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 2d00fb094f..30b38372f1 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c 
@@ -788,6 +788,132 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, /**************************************************************** ****************************************************************/ +NTSTATUS libnet_join_ok(const char *netbios_domain_name, + const char *machine_name, + const char *dc_name) +{ + uint32_t neg_flags = NETLOGON_NEG_AUTH2_FLAGS | + NETLOGON_NEG_SCHANNEL; + /* FIXME: NETLOGON_NEG_SELECT_AUTH2_FLAGS */ + struct cli_state *cli = NULL; + struct rpc_pipe_client *pipe_hnd = NULL; + struct rpc_pipe_client *netlogon_pipe = NULL; + NTSTATUS status; + char *machine_password = NULL; + char *machine_account = NULL; + + if (!dc_name) { + return NT_STATUS_INVALID_PARAMETER; + } + + if (!secrets_init()) { + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + } + + machine_password = secrets_fetch_machine_password(netbios_domain_name, + NULL, NULL); + if (!machine_password) { + return NT_STATUS_NO_TRUST_LSA_SECRET; + } + + asprintf(&machine_account, "%s$", machine_name); + if (!machine_account) { + SAFE_FREE(machine_password); + return NT_STATUS_NO_MEMORY; + } + + status = cli_full_connection(&cli, NULL, + dc_name, + NULL, 0, + "IPC$", "IPC", + machine_account, + NULL, + machine_password, + 0, + Undefined, NULL); + free(machine_account); + free(machine_password); + + if (!NT_STATUS_IS_OK(status)) { + status = cli_full_connection(&cli, NULL, + dc_name, + NULL, 0, + "IPC$", "IPC", + "", + NULL, + "", + 0, + Undefined, NULL); + } + + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + netlogon_pipe = get_schannel_session_key(cli, + netbios_domain_name, + &neg_flags, &status); + if (!netlogon_pipe) { + if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_NETWORK_RESPONSE)) { + cli_shutdown(cli); + return NT_STATUS_OK; + } + + DEBUG(0,("libnet_join_ok: failed to get schannel session " + "key from server %s for domain %s. 
Error was %s\n", + cli->desthost, netbios_domain_name, nt_errstr(status))); + cli_shutdown(cli); + return status; + } + + if (!lp_client_schannel()) { + cli_shutdown(cli); + return NT_STATUS_OK; + } + + pipe_hnd = cli_rpc_pipe_open_schannel_with_key(cli, PI_NETLOGON, + PIPE_AUTH_LEVEL_PRIVACY, + netbios_domain_name, + netlogon_pipe->dc, + &status); + + cli_shutdown(cli); + + if (!pipe_hnd) { + DEBUG(0,("libnet_join_ok: failed to open schannel session " + "on netlogon pipe to server %s for domain %s. " + "Error was %s\n", + cli->desthost, netbios_domain_name, nt_errstr(status))); + return status; + } + + return NT_STATUS_OK; +} + +/**************************************************************** +****************************************************************/ + +static WERROR libnet_join_post_verify(TALLOC_CTX *mem_ctx, + struct libnet_JoinCtx *r) +{ + NTSTATUS status; + + status = libnet_join_ok(r->out.netbios_domain_name, + r->in.machine_name, + r->in.dc_name); + if (!NT_STATUS_IS_OK(status)) { + libnet_join_set_error_string(mem_ctx, r, + "failed to verify domain membership after joining: %s", + get_friendly_nt_error_msg(status)); + return WERR_SETUP_NOT_JOINED; + } + + return WERR_OK; +} + +/**************************************************************** +****************************************************************/ + static bool libnet_join_unjoindomain_remove_secrets(TALLOC_CTX *mem_ctx, struct libnet_UnjoinCtx *r) { @@ -1265,6 +1391,11 @@ WERROR libnet_Join(TALLOC_CTX *mem_ctx, if (!W_ERROR_IS_OK(werr)) { goto done; } + + werr = libnet_join_post_verify(mem_ctx, r); + if (!W_ERROR_IS_OK(werr)) { + goto done; + } } werr = libnet_join_post_processing(mem_ctx, r); -- cgit From 09886976f6895dc9e906e62c54408076cd509304 Mon Sep 17 00:00:00 2001 
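Review bot: libnet_join_ok reads `cli->desthost` in its last `DEBUG(0, ...)` after `cli_shutdown(cli)` has already run, which is a use-after-free if cli_shutdown releases the structure (its body is not in the hunk). Moving the shutdown below the `if (!pipe_hnd)` block, and calling it inside that block before `return status;`, keeps the log message valid. The `asprintf(&machine_account, "%s$", machine_name)` call is checked through the pointer, whose contents are undefined on failure, so `if (asprintf(...) == -1)` is the reliable test. `machine_password` is also released with plain `free()` without being cleared first. Finally, the `NT_STATUS_INVALID_NETWORK_RESPONSE` branch returns `NT_STATUS_OK` without any proof that the stored secret works, which deserves at least a comment explaining why that counts as a verified join.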
From: Günther Deschner Date: Thu, 28 Feb 2008 11:19:57 +0100 Subject: Fill in machine account manipulation flags while unjoining in libnetunjoin. Guenther (This used to be commit 23ae67158e6506199318025e3dd5fd5c0b099548) --- source3/libnet/libnet_join.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 30b38372f1..40372611c2 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -1464,6 +1464,8 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, return ntstatus_to_werror(status); } + r->out.disabled_machine_account = true; + #ifdef WITH_ADS if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) { ADS_STATUS ads_status; @@ -1473,6 +1475,12 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, libnet_unjoin_set_error_string(mem_ctx, r, "failed to remove machine account from AD: %s", ads_errstr(ads_status)); + } else { + r->out.deleted_machine_account = true; + /* dirty hack */ + r->out.dns_domain_name = talloc_strdup(mem_ctx, + r->in.ads->server.realm); + W_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name); } } #endif /* WITH_ADS */ -- cgit From 4ba6c04d0a1f229cd75de9e3ea6be07653b34b51 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 28 Feb 2008 11:23:36 +0100 Subject: Delete affinity cache entries while unjoining with libnetunjoin. Guenther (This used to be commit 0315b8e53dca9a836d6bc2282fb1192f40545601) --- source3/libnet/libnet_join.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 40372611c2..c690cfc0dc 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c 
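Review bot: The new `else` branch in libnet_DomainUnjoin can turn a completed account deletion into a reported failure. `W_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name)` presumably returns early when `talloc_strdup` yields NULL, which also happens when `r->in.ads->server.realm` is NULL, and by then `deleted_machine_account` is already true. Guarding the copy with a NULL check on the realm, and not treating its absence as fatal, avoids that. The join side of this series fills the same field from `r->in.ads->config.realm` (libnet_join_connect_ads), so the "dirty hack" comment should say why `server.realm` is used here. The function continues outside the hunk.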
@@ -1142,7 +1142,7 @@ static WERROR do_JoinConfig(struct libnet_JoinCtx *r) /**************************************************************** ****************************************************************/ -static WERROR do_UnjoinConfig(struct libnet_UnjoinCtx *r) +static WERROR libnet_unjoin_config(struct libnet_UnjoinCtx *r) { WERROR werr; @@ -1509,6 +1509,17 @@ static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx, return WERR_OK; } +/**************************************************************** +****************************************************************/ + +static WERROR libnet_unjoin_post_processing(TALLOC_CTX *mem_ctx, + struct libnet_UnjoinCtx *r) +{ + saf_delete(r->out.netbios_domain_name); + saf_delete(r->out.dns_domain_name); + + return libnet_unjoin_config(r); +} /**************************************************************** ****************************************************************/ @@ -1530,11 +1541,12 @@ WERROR libnet_Unjoin(TALLOC_CTX *mem_ctx, if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) { werr = libnet_DomainUnjoin(mem_ctx, r); if (!W_ERROR_IS_OK(werr)) { + libnet_unjoin_config(r); goto done; } } - werr = do_UnjoinConfig(r); + werr = libnet_unjoin_post_processing(mem_ctx, r); if (!W_ERROR_IS_OK(werr)) { goto done; } -- cgit From 46bdaa5d375f8c8f80045212eb7bdb7bbd3f266d Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 28 Feb 2008 11:26:47 +0100 Subject: Check for mandatory domain name in libnetjoin/unjoin. Guenther (This used to be commit 95bdf2f23c195cad1b317995e362f153695e793a) --- source3/libnet/libnet_join.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index c690cfc0dc..31eec80561 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c 
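Review bot: The error branch added to libnet_Unjoin calls `libnet_unjoin_config(r);` and drops its WERROR, so local configuration may be rewritten even though libnet_DomainUnjoin failed, and a failure of that rewrite is never reported. If this is an intentional best-effort cleanup, a comment such as `/* best effort: reset local config even if the remote unjoin failed */` plus a DEBUG of the discarded result would make that clear. In the new libnet_unjoin_post_processing, `saf_delete()` receives `r->out.netbios_domain_name` and `r->out.dns_domain_name` unchecked. The unjoin hunks on this page only set `dns_domain_name` on the AD delete path, so both calls should be guarded against NULL unless saf_delete is known to accept it.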
@@ -1171,8 +1171,9 @@ static WERROR libnet_unjoin_config(struct libnet_UnjoinCtx *r) static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx, struct libnet_JoinCtx *r) { - if (!r->in.domain_name) { + libnet_join_set_error_string(mem_ctx, r, + "No domain name defined"); return WERR_INVALID_PARAM; } @@ -1496,6 +1497,12 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx, struct libnet_UnjoinCtx *r) { + if (!r->in.domain_name) { + libnet_unjoin_set_error_string(mem_ctx, r, + "No domain name defined"); + return WERR_INVALID_PARAM; + } + if (r->in.modify_config && !lp_config_backend_is_registry()) { return WERR_NOT_SUPPORTED; } -- cgit From 7347e1ff4797fea2ab3c463f18dfcd81cdac5a75 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 28 Feb 2008 11:29:56 +0100 Subject: Store domain_is_ad info as early as possible in libnetjoin. Guenther (This used to be commit c4ba68aa94888eace393b91a669e22b27ffaba3e) --- source3/libnet/libnet_join.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 31eec80561..d2242ffb2c 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c 
@@ -152,9 +152,24 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx, libnet_join_set_error_string(mem_ctx, r, "failed to connect to AD: %s", ads_errstr(status)); + return status; } - return status; + if (!r->out.netbios_domain_name) { + r->out.netbios_domain_name = talloc_strdup(mem_ctx, + r->in.ads->server.workgroup); + ADS_ERROR_HAVE_NO_MEMORY(r->out.netbios_domain_name); + } + + if (!r->out.dns_domain_name) { + r->out.dns_domain_name = talloc_strdup(mem_ctx, + r->in.ads->config.realm); + ADS_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name); + } + + r->out.domain_is_ad = true; + + return ADS_SUCCESS; } /**************************************************************** -- cgit From 0d8985f2da43d35d8f940af112ad74a199778dd8 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 28 Feb 2008 12:30:18 +0100 Subject: Let dsgetdcname() return a struct netr_DsRGetDCNameInfo. Guenther (This used to be commit b1a4b21f8c35dc23e5c986ebe44d3806055eb39b) --- source3/libnet/libnet_join.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index d2242ffb2c..623ca39f71 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -1315,7 +1315,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, #endif /* WITH_ADS */ if (!r->in.dc_name) { - struct DS_DOMAIN_CONTROLLER_INFO *info; + struct netr_DsRGetDCNameInfo *info; status = dsgetdcname(mem_ctx, r->in.domain_name, NULL, @@ -1333,7 +1333,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, } r->in.dc_name = talloc_strdup(mem_ctx, - info->domain_controller_name); + info->dc_unc); W_ERROR_HAVE_NO_MEMORY(r->in.dc_name); } @@ -1447,7 +1447,7 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, } if (!r->in.dc_name) { - struct DS_DOMAIN_CONTROLLER_INFO *info; + struct netr_DsRGetDCNameInfo *info; status = dsgetdcname(mem_ctx, r->in.domain_name, NULL, 
@@ -1465,7 +1465,7 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, } r->in.dc_name = talloc_strdup(mem_ctx, - info->domain_controller_name); + info->dc_unc); W_ERROR_HAVE_NO_MEMORY(r->in.dc_name); } -- cgit From 15f6e27bd5a9065c8b781fa21f5989ce2c355776 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 28 Feb 2008 17:02:14 +0100 Subject: Add some more error handling in libnetjoin. Guenther (This used to be commit 892b2bc0cf1692c5707d322d0eb711b8245a3a96) --- source3/libnet/libnet_join.c | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 623ca39f71..97fad95a68 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -1193,6 +1193,9 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx, } if (r->in.modify_config && !lp_config_backend_is_registry()) { + libnet_join_set_error_string(mem_ctx, r, + "Configuration manipulation requested but not " + "supported by backend"); return WERR_NOT_SUPPORTED; } @@ -1519,9 +1522,16 @@ static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx, } if (r->in.modify_config && !lp_config_backend_is_registry()) { + libnet_unjoin_set_error_string(mem_ctx, r, + "Configuration manipulation requested but not " + "supported by backend"); return WERR_NOT_SUPPORTED; } + if (IS_DC) { + return WERR_SETUP_DOMAIN_CONTROLLER; + } + if (!secrets_init()) { libnet_unjoin_set_error_string(mem_ctx, r, "Unable to open secrets database"); -- cgit From 2306574570332855670f1c53f3c9376b5114b91a Mon Sep 17 00:00:00 2001 
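Review bot: The `if (IS_DC)` branch added to libnet_unjoin_pre_processing returns `WERR_SETUP_DOMAIN_CONTROLLER` without setting an error string, while the checks on either side of it in the same function call `libnet_unjoin_set_error_string` first. A caller that prints the context's error text gets nothing for this refusal. Adding a call such as `libnet_unjoin_set_error_string(mem_ctx, r, "Unjoin is not supported on a domain controller");` before the return keeps the pre-processing checks consistent. The function body extends beyond the hunk.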
From: Günther Deschner Date: Thu, 28 Feb 2008 19:44:34 +0100 Subject: libnetjoin: Merge in comments, debugs and missing code from original join code. Guenther (This used to be commit 09e6010159cb9c2a5d86861889b8c2a07bd39a8d) --- source3/libnet/libnet_join.c | 120 +++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 117 insertions(+), 3 deletions(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 97fad95a68..38d98221b4 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -196,6 +196,7 @@ static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx, } /**************************************************************** + join a domain using ADS (LDAP mods) ****************************************************************/ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx, @@ -204,6 +205,7 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx, ADS_STATUS status; LDAPMessage *res = NULL; const char *attrs[] = { "dn", NULL }; + bool moved = false; status = ads_search_dn(r->in.ads, &res, r->in.account_ou, attrs); if (!ADS_ERR_OK(status)) { 
@@ -215,16 +217,41 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx, return ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT); } + ads_msgfree(r->in.ads, res); + + /* Attempt to create the machine account and bail if this fails. + Assume that the admin wants exactly what they requested */ + status = ads_create_machine_acct(r->in.ads, r->in.machine_name, r->in.account_ou); - ads_msgfree(r->in.ads, res); - if ((status.error_type == ENUM_ADS_ERROR_LDAP) && - (status.err.rc == LDAP_ALREADY_EXISTS)) { + if (ADS_ERR_OK(status)) { + DEBUG(1,("machine account creation created\n")); + return status; + } else if ((status.error_type == ENUM_ADS_ERROR_LDAP) && + (status.err.rc == LDAP_ALREADY_EXISTS)) { status = ADS_SUCCESS; } + if (!ADS_ERR_OK(status)) { + DEBUG(1,("machine account creation failed\n")); + return status; + } + + status = ads_move_machine_acct(r->in.ads, + r->in.machine_name, + r->in.account_ou, + &moved); + if (!ADS_ERR_OK(status)) { + DEBUG(1,("failure to locate/move pre-existing " + "machine account\n")); + return status; + } + + DEBUG(1,("The machine account %s the specified OU.\n", + moved ? "was moved into" : "already exists in")); + return status; } @@ -300,6 +327,7 @@ static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx, } /**************************************************************** + Set a machines dNSHostName and servicePrincipalName attributes ****************************************************************/ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, @@ -311,11 +339,15 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, const char *spn_array[3] = {NULL, NULL, NULL}; char *spn = NULL; + /* Find our DN */ + status = libnet_join_find_machine_acct(mem_ctx, r); if (!ADS_ERR_OK(status)) { return status; } + /* Windows only creates HOST/shortname & HOST/fqdn. */ + spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name); if (!spn) { return ADS_ERROR_LDAP(LDAP_NO_MEMORY); 
@@ -339,6 +371,8 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, return ADS_ERROR_LDAP(LDAP_NO_MEMORY); } + /* fields of primary importance */ + status = ads_mod_str(mem_ctx, &mods, "dNSHostName", my_fqdn); if (!ADS_ERR_OK(status)) { return ADS_ERROR_LDAP(LDAP_NO_MEMORY); @@ -366,6 +400,8 @@ static ADS_STATUS libnet_join_set_machine_upn(TALLOC_CTX *mem_ctx, return ADS_SUCCESS; } + /* Find our DN */ + status = libnet_join_find_machine_acct(mem_ctx, r); if (!ADS_ERR_OK(status)) { return status; @@ -381,11 +417,15 @@ static ADS_STATUS libnet_join_set_machine_upn(TALLOC_CTX *mem_ctx, } } + /* now do the mods */ + mods = ads_init_mods(mem_ctx); if (!mods) { return ADS_ERROR_LDAP(LDAP_NO_MEMORY); } + /* fields of primary importance */ + status = ads_mod_str(mem_ctx, &mods, "userPrincipalName", r->in.upn); if (!ADS_ERR_OK(status)) { return ADS_ERROR_LDAP(LDAP_NO_MEMORY); @@ -409,11 +449,15 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx, return ADS_SUCCESS; } + /* Find our DN */ + status = libnet_join_find_machine_acct(mem_ctx, r); if (!ADS_ERR_OK(status)) { return status; } + /* now do the mods */ + mods = ads_init_mods(mem_ctx); if (!mods) { return ADS_ERROR(LDAP_NO_MEMORY); @@ -424,6 +468,8 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx, return ADS_ERROR(LDAP_NO_MEMORY); } + /* fields of primary importance */ + status = ads_mod_str(mem_ctx, &mods, "operatingSystem", r->in.os_name); if (!ADS_ERR_OK(status)) { @@ -481,6 +527,8 @@ static bool libnet_join_derive_salting_principal(TALLOC_CTX *mem_ctx, return false; } + /* go ahead and setup the default salt */ + std_salt = kerberos_standard_des_salt(); if (!std_salt) { libnet_join_set_error_string(mem_ctx, r, @@ -495,6 +543,8 @@ static bool libnet_join_derive_salting_principal(TALLOC_CTX *mem_ctx, SAFE_FREE(std_salt); + /* if it's a Windows functional domain, we have to look for the UPN */ + if (domain_func == DS_DOMAIN_FUNCTION_2000) { char *upn; 
@@ -565,6 +615,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, #endif /* WITH_ADS */ /**************************************************************** + Store the machine password and domain SID ****************************************************************/ static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx, @@ -573,6 +624,7 @@ static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx, if (!secrets_store_domain_sid(r->out.netbios_domain_name, r->out.domain_sid)) { + DEBUG(1,("Failed to save domain sid\n")); return false; } @@ -580,6 +632,7 @@ static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx, r->out.netbios_domain_name, SEC_CHAN_WKSTA)) { + DEBUG(1,("Failed to save machine password\n")); return false; } @@ -587,6 +640,7 @@ static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx, } /**************************************************************** + Do the domain join ****************************************************************/ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, @@ -631,6 +685,8 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &status); if (!pipe_hnd) { + DEBUG(0,("Error connecting to LSA pipe. Error was %s\n", + nt_errstr(status))); goto done; } @@ -667,8 +723,12 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol); cli_rpc_pipe_close(pipe_hnd); + /* Open the domain */ + pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &status); if (!pipe_hnd) { + DEBUG(0,("Error connecting to SAM pipe. Error was %s\n", + nt_errstr(status))); goto done; } @@ -689,6 +749,8 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, goto done; } + /* Create domain user */ + acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name); strlower_m(acct_name); 
@@ -703,6 +765,10 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, SAMR_USER_ACCESS_SET_ATTRIBUTES; uint32_t access_granted = 0; + /* Don't try to set any acb_info flags other than ACB_WSTRUST */ + + DEBUG(10,("Creating account with flags: %d\n", acct_flags)); + status = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx, &domain_pol, &lsa_acct_name, @@ -711,6 +777,25 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, &user_pol, &access_granted, &user_rid); + if (!NT_STATUS_IS_OK(status) && + !NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) { + + DEBUG(10,("Creation of workstation account failed: %s\n", + nt_errstr(status))); + + /* If NT_STATUS_ACCESS_DENIED then we have a valid + username/password combo but the user does not have + administrator access. */ + + if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { + libnet_join_set_error_string(mem_ctx, r, + "User specified does not have " + "administrator privileges"); + } + + return status; + } + if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) { if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED)) { @@ -718,6 +803,8 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, } } + /* We *must* do this.... don't ask... */ + if (NT_STATUS_IS_OK(status)) { rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol); } @@ -734,12 +821,16 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, } if (name_types.ids[0] != SID_NAME_USER) { + DEBUG(0,("%s is not a user account (type=%d)\n", + acct_name, name_types.ids[0])); status = NT_STATUS_INVALID_WORKSTATION; goto done; } user_rid = user_rids.ids[0]; + /* Open handle on user */ + status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx, &domain_pol, SEC_RIGHTS_MAXIMUM_ALLOWED, 
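Review bot: The failure branch added after `rpccli_samr_CreateUser2` leaves libnet_join_joindomain_rpc with `return status;`, whereas the other error paths visible in this function use `goto done;`. If the `done:` label (outside the hunk) is where the SAMR handles and the `cli` connection are released, this path leaves an authenticated session to the DC open on every refused join. Using `goto done;` here keeps the cleanup uniform. The `DEBUG(10, ...)` above it prints `acct_flags` with `%d`; a hex format such as `0x%08x` reads better for a `uint32_t` bit mask.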
@@ -749,6 +840,8 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, goto done; } + /* Create a random machine account password and generate the hash */ + E_md4hash(r->in.machine_password, md4_trust_password); encode_pw_buffer(pwbuf, r->in.machine_password, STR_UNICODE); @@ -764,6 +857,8 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, SamOEMhashBlob(pwbuf, sizeof(pwbuf), &digested_session_key); memcpy(&pwbuf[516], md5buffer, sizeof(md5buffer)); + /* Fill in the additional account flags now */ + acb_info |= ACB_PWNOEXP; if (r->out.domain_is_ad) { #if !defined(ENCTYPE_ARCFOUR_HMAC) @@ -772,6 +867,8 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, ;; } + /* Set password and account flags on machine account */ + ZERO_STRUCT(user_info.info25); user_info.info25.info.fields_present = ACCT_NT_PWD_SET | @@ -785,6 +882,9 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, 25, &user_info); if (!NT_STATUS_IS_OK(status)) { + libnet_join_set_error_string(mem_ctx, r, + "Failed to set password for machine account (%s)\n", + nt_errstr(status)); goto done; } @@ -973,8 +1073,12 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, goto done; } + /* Open the domain */ + pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &status); if (!pipe_hnd) { + DEBUG(0,("Error connecting to SAM pipe. Error was %s\n", + nt_errstr(status))); goto done; } @@ -995,6 +1099,8 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, goto done; } + /* Create domain user */ + acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name); strlower_m(acct_name); 
@@ -1012,12 +1118,16 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, } if (name_types.ids[0] != SID_NAME_USER) { + DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name, + name_types.ids[0])); status = NT_STATUS_INVALID_WORKSTATION; goto done; } user_rid = user_rids.ids[0]; + /* Open handle on user */ + status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx, &domain_pol, SEC_RIGHTS_MAXIMUM_ALLOWED, @@ -1027,6 +1137,8 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, goto done; } + /* Get user info */ + status = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx, &user_pol, 16, @@ -1036,6 +1148,8 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, goto done; } + /* now disable and setuser info */ + info->info16.acct_flags |= ACB_DISABLED; status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx, -- cgit From 29222fa551591a6a845cf6619a664a8e3877fa3c Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 29 Feb 2008 01:25:45 +0100 Subject: libnetjoin: Trying to avoid confusion between acct_flags, acb_info and access_desired. Guenther (This used to be commit 63894e5c93ef0663fc58bcc191777cd1aca7e21c) --- source3/libnet/libnet_join.c | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 38d98221b4..b8572f68b5 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -652,8 +652,8 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, NTSTATUS status = NT_STATUS_UNSUCCESSFUL; char *acct_name; struct lsa_String lsa_acct_name; - uint32 user_rid; - uint32 acb_info = ACB_WSTRUST; + uint32_t user_rid; + uint32_t acct_flags = ACB_WSTRUST; uchar pwbuf[532]; struct MD5Context md5ctx; uchar md5buffer[16]; 
@@ -690,7 +690,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, goto done; } - status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True, + status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true, SEC_RIGHTS_MAXIMUM_ALLOWED, &lsa_pol); if (!NT_STATUS_IS_OK(status)) { goto done; @@ -757,7 +757,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, init_lsa_String(&lsa_acct_name, acct_name); if (r->in.join_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE) { - uint32_t acct_flags = + uint32_t access_desired = SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE | SEC_STD_WRITE_DAC | SEC_STD_DELETE | SAMR_USER_ACCESS_SET_PASSWORD | @@ -765,15 +765,16 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, SAMR_USER_ACCESS_SET_ATTRIBUTES; uint32_t access_granted = 0; - /* Don't try to set any acb_info flags other than ACB_WSTRUST */ + /* Don't try to set any acct_flags flags other than ACB_WSTRUST */ - DEBUG(10,("Creating account with flags: %d\n", acct_flags)); + DEBUG(10,("Creating account with desired access mask: %d\n", + access_desired)); status = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx, &domain_pol, &lsa_acct_name, ACB_WSTRUST, - acct_flags, + access_desired, &user_pol, &access_granted, &user_rid); @@ -845,7 +846,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, E_md4hash(r->in.machine_password, md4_trust_password); encode_pw_buffer(pwbuf, r->in.machine_password, STR_UNICODE); - generate_random_buffer((uint8*)md5buffer, sizeof(md5buffer)); + generate_random_buffer((uint8_t*)md5buffer, sizeof(md5buffer)); digested_session_key = data_blob_talloc(mem_ctx, 0, 16); MD5Init(&md5ctx); 
@@ -859,10 +860,10 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, /* Fill in the additional account flags now */ - acb_info |= ACB_PWNOEXP; + acct_flags |= ACB_PWNOEXP; if (r->out.domain_is_ad) { #if !defined(ENCTYPE_ARCFOUR_HMAC) - acb_info |= ACB_USE_DES_KEY_ONLY; + acct_flags |= ACB_USE_DES_KEY_ONLY; #endif ;; } @@ -874,7 +875,8 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, user_info.info25.info.fields_present = ACCT_NT_PWD_SET | ACCT_LM_PWD_SET | SAMR_FIELD_ACCT_FLAGS; - user_info.info25.info.acct_flags = acb_info; + + user_info.info25.info.acct_flags = acct_flags; memcpy(&user_info.info25.password.data, pwbuf, sizeof(pwbuf)); status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx, @@ -1054,7 +1056,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, POLICY_HND sam_pol, domain_pol, user_pol; NTSTATUS status = NT_STATUS_UNSUCCESSFUL; char *acct_name; - uint32 user_rid; + uint32_t user_rid; struct lsa_String lsa_acct_name; struct samr_Ids user_rids; struct samr_Ids name_types; -- cgit From 53d55794dfbce06fcb40e5bdd81ca8a6dc1c4655 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 29 Feb 2008 01:27:52 +0100 Subject: libnetjoin: add fallback to level 24 samr setinfo so that libnet can join NT4. Guenther (This used to be commit bc2d3d51449831146a9faf6e809e7a91d174659c) --- source3/libnet/libnet_join.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'source3/libnet/libnet_join.c') diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index b8572f68b5..1a8486f5b5 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c 
@@ -883,6 +883,25 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, &user_pol, 25, &user_info); + + if (NT_STATUS_EQUAL(status, NT_STATUS(DCERPC_FAULT_INVALID_TAG))) { + + uchar pwbuf2[516]; + + encode_pw_buffer(pwbuf2, r->in.machine_password, STR_UNICODE); + + /* retry with level 24 */ + init_samr_user_info24(&user_info.info24, pwbuf2, 24); + + SamOEMhashBlob(user_info.info24.password.data, 516, + &cli->user_session_key); + + status = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx, + &user_pol, + 24, + &user_info); + } + if (!NT_STATUS_IS_OK(status)) { libnet_join_set_error_string(mem_ctx, r, "Failed to set password for machine account (%s)\n", -- cgit
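Review bot: The level-24 retry leaves the encoded machine password in `pwbuf2` on the stack when the block ends, and it is entered on a server-returned `DCERPC_FAULT_INVALID_TAG` with nothing logged. From what is visible, the retry encrypts the buffer with `cli->user_session_key` directly, whereas the level-25 path earlier in the function appears to mix a freshly generated 16-byte random value into the key via MD5. The peer's reply therefore selects a weaker encoding of the same secret, and a line such as `DEBUG(3,("SetUserInfo level 25 rejected, retrying with level 24\n"));` would at least make the downgrade visible to an operator. I would also clear the buffer once the call returns, for example with `ZERO_ARRAY(pwbuf2);` if that macro is available in this tree, and pass `sizeof(pwbuf2)` to `SamOEMhashBlob` instead of repeating the literal `516`. libnet_join_joindomain_rpc starts and ends outside the hunk, so whether `pwbuf` is wiped later cannot be confirmed from here.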