From 2c029a8b96ae476f1d5c2abe14ee25f98a1513d8 Mon Sep 17 00:00:00 2001
From: Gerald Carter
Date: Fri, 12 May 2006 15:17:35 +0000
Subject: r15543: New implementation of 'net ads join' to be more like Windows XP. The motivating factor is to not require more privileges for the user account than Windows does when joining a domain. The points of interest are * net_ads_join() uses same rpc mechanisms as net_rpc_join() * Enable CLDAP queries for filling in the majority of the ADS_STRUCT->config information * Remove ldap_initialized() from sam/idmap_ad.c and libads/ldap.c * Remove some unnecessary fields from ADS_STRUCT * Manually set the dNSHostName and servicePrincipalName attribute using the machine account after the join Thanks to Guenther and Simo for the review. Still to do: * Fix the userAccountControl for DES only systems * Set the userPrincipalName in order to support things like 'kinit -k' (although we might be able to just use the sAMAccountName instead) * Re-add support for pre-creating the machine account in a specific OU (This used to be commit 4c4ea7b20f44cd200cef8c7b389d51b72eccc39b)
---
 source3/libsmb/namequery.c | 97 +++++++++++++++++++++-------------------------
 1 file changed, 44 insertions(+), 53 deletions(-)
(limited to 'source3/libsmb/namequery.c')
diff --git a/source3/libsmb/namequery.c b/source3/libsmb/namequery.c
index 99a2e7ebdb..1033a375c5 100644
--- a/source3/libsmb/namequery.c
+++ b/source3/libsmb/namequery.c
@@ -1024,70 +1024,62 @@ static BOOL resolve_hosts(const char *name, int name_type, static BOOL resolve_ads(const char *name, int name_type, struct ip_service **return_iplist, int *return_count) { -#ifdef HAVE_ADS - if ( name_type == 0x1c ) { - int count, i = 0; - NTSTATUS status; - TALLOC_CTX *ctx; - struct dns_rr_srv *dcs = NULL; - int numdcs = 0; + int count, i = 0; + NTSTATUS status; + TALLOC_CTX *ctx; + struct dns_rr_srv *dcs = NULL; + int numdcs = 0; + + if ( name_type != 0x1c ) + return False; - /* try to lookup the _ldap._tcp. if we are using ADS */ - if ( lp_security() != SEC_ADS ) - return False; + DEBUG(5,("resolve_hosts: Attempting to resolve DC's for %s using DNS\n", + name)); - DEBUG(5,("resolve_hosts: Attempting to resolve DC's for %s using DNS\n", - name)); - - if ( (ctx = talloc_init("resolve_ads")) == NULL ) { - DEBUG(0,("resolve_ads: talloc_init() failed!\n")); - return False; - } + if ( (ctx = talloc_init("resolve_ads")) == NULL ) { + DEBUG(0,("resolve_ads: talloc_init() failed!\n")); + return False; + } - status = ads_dns_query_dcs( ctx, name, &dcs, &numdcs ); - if ( !NT_STATUS_IS_OK( status ) ) { - return False; - } + status = ads_dns_query_dcs( ctx, name, &dcs, &numdcs ); + if ( !NT_STATUS_IS_OK( status ) ) { + return False; + } - if ( (*return_iplist = SMB_MALLOC_ARRAY(struct ip_service, numdcs)) == NULL ) { - DEBUG(0,("resolve_ads: malloc failed for %d entries\n", count )); - return False; - } + if ( (*return_iplist = SMB_MALLOC_ARRAY(struct ip_service, numdcs)) == NULL ) { + DEBUG(0,("resolve_ads: malloc failed for %d entries\n", count )); + return False; + } - i = 0; - while ( i < numdcs ) { + i = 0; + while ( i < numdcs ) { - /* use the IP address from the SRV structure if we have one */ - if ( is_zero_ip( dcs[i].ip ) ) - (*return_iplist)[i].ip = *interpret_addr2(dcs[i].hostname); - else - (*return_iplist)[i].ip = dcs[i].ip; + /* use the IP address from the SRV structure if we have one */ + if ( is_zero_ip( dcs[i].ip ) ) + 
(*return_iplist)[i].ip = *interpret_addr2(dcs[i].hostname); + else + (*return_iplist)[i].ip = dcs[i].ip; - (*return_iplist)[i].port = dcs[i].port; + (*return_iplist)[i].port = dcs[i].port; - /* make sure it is a valid IP. I considered checking the negative - connection cache, but this is the wrong place for it. Maybe only - as a hac. After think about it, if all of the IP addresses retuend - from DNS are dead, what hope does a netbios name lookup have? - The standard reason for falling back to netbios lookups is that - our DNS server doesn't know anything about the DC's -- jerry */ + /* make sure it is a valid IP. I considered checking the negative + connection cache, but this is the wrong place for it. Maybe only + as a hac. After think about it, if all of the IP addresses retuend + from DNS are dead, what hope does a netbios name lookup have? + The standard reason for falling back to netbios lookups is that + our DNS server doesn't know anything about the DC's -- jerry */ - if ( is_zero_ip((*return_iplist)[i].ip) ) - continue; + if ( is_zero_ip((*return_iplist)[i].ip) ) + continue; - i++; - } + i++; + } - TALLOC_FREE( dcs ); + TALLOC_FREE( dcs ); - *return_count = i; + *return_count = i; - return True; - } else -#endif /* HAVE_ADS */ - { - return False; - } + return True; } /******************************************************************* @@ -1178,8 +1170,7 @@ BOOL internal_resolve_name(const char *name, int name_type, } } else if(strequal( tok, "ads")) { /* deal with 0x1c names here. This will result in a - SRV record lookup for _ldap._tcp. if we - are using 'security = ads' */ + SRV record lookup */ if (resolve_ads(name, name_type, return_iplist, return_count)) { result = True; goto done; -- cgit
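Review bot: The `continue` that skips a dead address in the new `while ( i < numdcs )` loop of resolve_ads() never advances `i`, so a single SRV target whose hostname leaves `interpret_addr2()` returning a zero address makes the function spin forever on the same `dcs[i]`; the old code had the same loop, but with the `lp_security() != SEC_ADS` guard removed this path is now reachable whenever `ads` appears in the resolve order, and anyone able to answer the DC SRV query can presumably trigger the hang. Two smaller problems sit in the same function: the malloc-failure `DEBUG` prints `count`, which is declared but never assigned (the level-5 message also labels itself `resolve_hosts:` although the function is resolve_ads), and the `talloc_init("resolve_ads")` context is never released — `TALLOC_FREE( dcs )` frees only the child, and the two early returns after `talloc_init` free nothing. The rewrite below keeps `i` as the SRV index, uses the otherwise-dead `count` as the output index so an unresolvable entry is skipped rather than retried, and frees `ctx` on every exit. Whether `ads_dns_query_dcs()` is compiled when `HAVE_ADS` is undefined is not visible from this hunk; dropping the `#ifdef` assumes it is, which is worth confirming.
```c
	status = ads_dns_query_dcs( ctx, name, &dcs, &numdcs );
	if ( !NT_STATUS_IS_OK( status ) ) {
		TALLOC_FREE( ctx );
		return False;
	}

	if ( (*return_iplist = SMB_MALLOC_ARRAY(struct ip_service, numdcs)) == NULL ) {
		DEBUG(0,("resolve_ads: malloc failed for %d entries\n", numdcs ));
		TALLOC_FREE( ctx );
		return False;
	}

	/* i walks the SRV answers, count walks the output array, so an
	   entry whose hostname does not resolve is skipped instead of
	   being retried on every iteration */
	count = 0;
	for ( i = 0; i < numdcs; i++ ) {
		/* use the IP address from the SRV structure if we have one */
		if ( is_zero_ip( dcs[i].ip ) )
			(*return_iplist)[count].ip = *interpret_addr2(dcs[i].hostname);
		else
			(*return_iplist)[count].ip = dcs[i].ip;

		(*return_iplist)[count].port = dcs[i].port;

		/* … unchanged: comment on dead addresses vs. netbios fallback … */
		if ( is_zero_ip((*return_iplist)[count].ip) )
			continue;

		count++;
	}

	TALLOC_FREE( dcs );
	TALLOC_FREE( ctx );

	*return_count = count;

	return True;
```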