From 3bc87626ae7894269535333aadb45ec786f3908d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 4 Dec 2001 05:03:03 +0000 Subject: Add 'net rpc join' to match the ADS equiv. This kills off the offending code in smbpasswd -j -Uab%c In the process we have changed from using completely random passwords to random, 15 char ascii strings. While this does produce a decrease in entropy, it is still vastly greater than we need, considering the application. In the meantime this allows us to actually *type* the machine account password during debugging. This code also adds a 'check' step to the join, confirming that the stored password does indeed do something of value :-) Andrew Bartlett (This used to be commit c0b7ee6ee547dc7ff798eaf8cb63fbe344073029) --- source3/utils/net_rpc_join.c | 311 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 311 insertions(+) create mode 100644 source3/utils/net_rpc_join.c (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c new file mode 100644 index 0000000000..11e878fdf4 --- /dev/null +++ b/source3/utils/net_rpc_join.c 
@@ -0,0 +1,311 @@
+/*
+ Samba Unix/Linux SMB client library
+ Version 3.0
+ Distributed SMB/CIFS Server Management Utility
+ Copyright (C) 2001 Andrew Bartlett (abartlet@samba.org)
+ Copyright (C) Tim Potter 2001
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
+
+#include "includes.h"
+#include "../utils/net.h"
+
+/* Macro for checking RPC error codes to make things more readable */
+
+#define CHECK_RPC_ERR(rpc, msg) \
+ if (!NT_STATUS_IS_OK(result = rpc)) { \
+ DEBUG(0, (msg ": %s\n", get_nt_error_msg(result))); \
+ goto done; \
+ }
+
+#define CHECK_RPC_ERR_DEBUG(rpc, debug_args) \
+ if (!NT_STATUS_IS_OK(result = rpc)) { \
+ DEBUG(0, debug_args); \
+ goto done; \
+ }
+
+/*********************************************************
+Join a domain using the administrator username and password
+**********************************************************/
+
+int net_rpc_join(int argc, const char **argv)
+{
+
+ extern pstring global_myname;
+
+ /* libsmb variables */
+
+ struct cli_state *cli;
+ fstring acct_name;
+ TALLOC_CTX *mem_ctx;
+ uint32 acb_info;
+
+ /* rpc variables */
+
+ POLICY_HND lsa_pol, sam_pol, domain_pol, user_pol;
+ DOM_SID domain_sid;
+ uint32 user_rid;
+
+ /* Password stuff */
+
+ char *clear_trust_password = NULL;
+ fstring ucs2_trust_password;
+ int ucs2_pw_len;
+ uchar stored_md4_trust_password[16];
+ uchar pwbuf[516], sess_key[16];
+ SAM_USERINFO_CTR ctr;
+ SAM_USER_INFO_24 p24;
+ SAM_USER_INFO_10 p10;
+
+ /* Misc */
+
+ NTSTATUS result;
+ int retval = 1;
+ fstring domain;
+
+ /* Connect to remote machine */
+
+ if (!(cli = net_make_ipc_connection(NET_FLAGS_PDC)))
+ return 1;
+
+ if (!(mem_ctx = talloc_init())) {
+ DEBUG(0, ("Could not initialise talloc context\n"));
+ goto done;
+ }
+
+ /* Fetch domain sid */
+
+ if (!cli_nt_session_open(cli, PIPE_LSARPC)) {
+ DEBUG(0, ("Error connecting to SAM pipe\n"));
+ goto done;
+ }
+
+
+ CHECK_RPC_ERR(cli_lsa_open_policy(cli, mem_ctx, True,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &lsa_pol),
+ "error opening lsa policy handle");
+
+ CHECK_RPC_ERR(cli_lsa_query_info_policy(cli, mem_ctx, &lsa_pol,
+ 5, domain, &domain_sid),
+ "error querying info policy");
+
+ cli_lsa_close(cli, mem_ctx, &lsa_pol);
+
+ cli_nt_session_close(cli); /* Done with this pipe */
+
+ /* Create domain user */
+
+ if (!cli_nt_session_open(cli, PIPE_SAMR)) {
+ DEBUG(0, ("Error connecting to SAM pipe\n"));
+ goto done;
+ }
+
+ CHECK_RPC_ERR(cli_samr_connect(cli, mem_ctx,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &sam_pol),
+ "could not connect to SAM database");
+
+
+ CHECK_RPC_ERR(cli_samr_open_domain(cli, mem_ctx, &sam_pol,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ &domain_sid, &domain_pol),
+ "could not open domain");
+
+ /* Create domain user */
+
+ fstrcpy(acct_name, global_myname);
+ fstrcat(acct_name, "$");
+
+ strlower(acct_name);
+
+ acb_info = (lp_server_role() == ROLE_DOMAIN_BDC) ? ACB_SVRTRUST :
+ ACB_WSTRUST;
+
+ {
+ uint32 unknown = 0xe005000b;
+
+ result = cli_samr_create_dom_user(cli, mem_ctx, &domain_pol,
+ acct_name, acb_info,
+ unknown, &user_pol,
+ &user_rid);
+
+ /* We *must* do this.... don't ask... */
+
+ CHECK_RPC_ERR_DEBUG(cli_samr_close(cli, mem_ctx, &user_pol), ("error closing user policy"));
+ result = NT_STATUS_USER_EXISTS;
+ }
+
+ if (NT_STATUS_EQUAL(result, NT_STATUS_USER_EXISTS)) {
+ uint32 num_rids, *name_types, *user_rids;
+ uint32 flags = 0x3e8;
+ char *names;
+
+ /* Look up existing rid */
+
+ names = (char *)&acct_name[0];
+
+ CHECK_RPC_ERR_DEBUG(
+ cli_samr_lookup_names(cli, mem_ctx,
+ &domain_pol, flags,
+ 1, &names, &num_rids,
+ &user_rids, &name_types),
+ ("error looking up rid for user %s: %s\n",
+ acct_name, get_nt_error_msg(result)));
+
+ if (name_types[0] != SID_NAME_USER) {
+ DEBUG(0, ("%s is not a user account\n", acct_name));
+ goto done;
+ }
+
+ user_rid = user_rids[0];
+
+ /* Open handle on user */
+
+ CHECK_RPC_ERR_DEBUG(
+ cli_samr_open_user(cli, mem_ctx, &domain_pol,
+ SEC_RIGHTS_MAXIMUM_ALLOWED,
+ user_rid, &user_pol),
+ ("could not re-open existing user %s: %s\n",
+ acct_name, get_nt_error_msg(result)));
+
+ } else if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(0, ("error creating domain user: %s\n",
+ get_nt_error_msg(result)));
+ goto done;
+ }
+
+ /* Create a random machine account password */
+
+ clear_trust_password = generate_random_str(15);
+ clear_trust_password = strdup("samba2");
+
+ ucs2_pw_len = push_ucs2(NULL, ucs2_trust_password,
+ clear_trust_password,
+ sizeof(ucs2_trust_password), 0);
+
+#if DEBUG_PASSWORD
+ DEBUG(100, ("machine password is being set to:\n"));
+ dump_data(100, clear_trust_password, 6);
+
+ DEBUG(100, ("machine password unicode is (len %d):\n", ucs2_pw_len));
+ dump_data(100, ucs2_trust_password, ucs2_pw_len);
+
+#endif
+
+ encode_pw_buffer((char *)pwbuf, ucs2_trust_password,
+ ucs2_pw_len);
+
+ /* Set password on machine account */
+
+ ZERO_STRUCT(ctr);
+ ZERO_STRUCT(p24);
+
+ init_sam_user_info24(&p24, (char *)pwbuf,24);
+
+ ctr.switch_value = 24;
+ ctr.info.id24 = &p24;
+
+ /* I don't think this is quite the right place for this
+ calculation. It should be moved somewhere where the credentials
+ are calculated. )-: */
+
+ mdfour(sess_key, cli->pwd.smb_nt_pwd, 16);
+
+ CHECK_RPC_ERR(cli_samr_set_userinfo(cli, mem_ctx, &user_pol, 24,
+ sess_key, &ctr),
+ "error setting trust account password");
+
+ /* Why do we have to try to (re-)set the ACB to be the same as what
+ we passed in the samr_create_dom_user() call? When a NT
+ workstation is joined to a domain by an administrator the
+ acb_info is set to 0x80. For a normal user with "Add
+ workstations to the domain" rights the acb_info is 0x84. I'm
+ not sure whether it is supposed to make a difference or not. NT
+ seems to cope with either value so don't bomb out if the set
+ userinfo2 level 0x10 fails. -tpot */
+
+ ZERO_STRUCT(ctr);
+ ctr.switch_value = 0x10;
+ ctr.info.id10 = &p10;
+
+ init_sam_user_info10(&p10, acb_info);
+
+ /* Ignoring the return value is necessary for joining a domain
+ as a normal user with "Add workstation to domain" privilege. */
+
+ result = cli_samr_set_userinfo2(cli, mem_ctx, &user_pol, 0x10,
+ sess_key, &ctr);
+
+ /* Now store the secret in the secrets database */
+
+ strupper(domain);
+
+ secrets_init();
+
+ if (!secrets_store_domain_sid(domain, &domain_sid)) {
+ DEBUG(0, ("error storing domain sid for %s\n", domain));
+ goto done;
+ }
+
+ if (!secrets_store_machine_password(clear_trust_password)) {
+ DEBUG(0, ("error storing plaintext domain secrets for %s\n", domain));
+ }
+
+ /* Now check the whole process from top-to-bottom */
+
+ cli_samr_close(cli, mem_ctx, &user_pol);
+
+ cli_nt_session_close(cli); /* Done with this pipe */
+
+ if (!cli_nt_session_open(cli, PIPE_NETLOGON)) {
+ DEBUG(0, ("Error connecting to NETLOGON pipe\n"));
+ goto done;
+ }
+
+ if (!secrets_fetch_trust_account_password(domain,
+ stored_md4_trust_password, NULL)) {
+ DEBUG(0, ("Could not reterive secrets we just stored!"));
+ goto done;
+ }
+
+ CHECK_RPC_ERR(cli_nt_setup_creds(cli, stored_md4_trust_password),
+ "error in domain join verification");
+
+ retval = 0; /* Success! */ + +done: + /* Close down pipe - this will clean up open policy handles */ + + if (cli->nt_pipe_fnum) + cli_nt_session_close(cli); + + /* Display success or failure */ + + if (retval != 0) { + trust_password_delete(domain); + fprintf(stderr,"Unable to join domain %s.\n",domain); + } else { + printf("Joined domain %s.\n",domain); + } + + cli_shutdown(cli); + + SAFE_FREE(clear_trust_password); + + return retval; +} + + -- cgit From c75ef67f9741d0acdd8b6be91b710fab6bd0b8e7 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 4 Dec 2001 06:56:58 +0000 Subject: allow for passwords other than "samba2" :) (This used to be commit cee58f10974b55ead68362166d12285568feeb23) --- source3/utils/net_rpc_join.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 11e878fdf4..f9b3c94bfb 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -190,7 +190,7 @@ int net_rpc_join(int argc, const char **argv) /* Create a random machine account password */ clear_trust_password = generate_random_str(15); - clear_trust_password = strdup("samba2"); + clear_trust_password = strdup(clear_trust_password); ucs2_pw_len = push_ucs2(NULL, ucs2_trust_password, clear_trust_password, -- cgit From 241a32b436f8995ade7af2a717b30704f237da11 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 5 Dec 2001 01:59:32 +0000 Subject: Follow herb's suggestion and don't strdup a string to itself (This used to be commit d00f461f43558c8ef942df305bcc2c89060b4800) --- source3/utils/net_rpc_join.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index f9b3c94bfb..463de61b05 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c 
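Review bot: The line `clear_trust_password = strdup("samba2");` overwrites the value just returned by `generate_random_str(15)`, so every machine account joined by this code is given the same fixed trust password, which is then written to the secrets database, instead of the random 15-character string the commit message describes. The `dump_data(100, clear_trust_password, 6)` call in the `DEBUG_PASSWORD` block hard-codes the length of that test value as well. I would copy the generated string and check the allocation, `clear_trust_password = strdup(generate_random_str(15));` followed by `if (!clear_trust_password) goto done;`, and pass `strlen(clear_trust_password)` to the dump. Separately, the `done:` path calls `trust_password_delete(domain)` and prints `domain` for failures that happen before `cli_lsa_query_info_policy()` has filled it in, so `domain[0] = '\0';` belongs ahead of the first `goto done`.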
@@ -189,9 +189,12 @@ int net_rpc_join(int argc, const char **argv) /* Create a random machine account password */ - clear_trust_password = generate_random_str(15); - clear_trust_password = strdup(clear_trust_password); - + { + char *str; + str = generate_random_str(15); + clear_trust_password = strdup(str); + } + ucs2_pw_len = push_ucs2(NULL, ucs2_trust_password, clear_trust_password, sizeof(ucs2_trust_password), 0); -- cgit From 8ba00d147bbdb705b411e182433632c81a036188 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 5 Dec 2001 11:00:26 +0000 Subject: OK. Smbpasswd -j is DEAD. This moves the rest of the functionality into the 'net rpc join' code. Futhermore, this moves that entire area over to the libsmb codebase, rather than the crufty old rpc_client stuff. I have also fixed up the smbpasswd -a -m bug in the process. We also have a new 'net rpc changetrustpw' that can be called from a cron-job to regularly change the trust account password, for sites that run winbind but not smbd. With a little more work, we can kill rpc_client from smbd entirly! (It is mostly the domain auth stuff - which I can rework - and the spoolss stuff that sombody else will need to look over). Andrew Bartlett (This used to be commit 575897e879fc175ba702adf245384033342c903d) --- source3/utils/net_rpc_join.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 463de61b05..2b73117c38 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -191,7 +191,7 @@ int net_rpc_join(int argc, const char **argv) { char *str; - str = generate_random_str(15); + str = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH); clear_trust_password = strdup(str); } 
@@ -256,8 +256,6 @@ int net_rpc_join(int argc, const char **argv) strupper(domain); - secrets_init(); - if (!secrets_store_domain_sid(domain, &domain_sid)) { DEBUG(0, ("error storing domain sid for %s\n", domain)); goto done; @@ -284,7 +282,7 @@ int net_rpc_join(int argc, const char **argv) goto done; } - CHECK_RPC_ERR(cli_nt_setup_creds(cli, stored_md4_trust_password), + CHECK_RPC_ERR(new_cli_nt_setup_creds(cli, stored_md4_trust_password), "error in domain join verification"); retval = 0; /* Success! */ -- cgit From 331fa95b7ae3d3d6833a3024f6fe2156790fd879 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 11 Dec 2001 12:29:03 +0000 Subject: allow join of already joined domain (This used to be commit 784a3f295176dc87c8befd76d5f2dc9ef1e9e383) --- source3/utils/net_rpc_join.c | 95 ++++++++++++++++---------------------------- 1 file changed, 35 insertions(+), 60 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 2b73117c38..73ec2e593d 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -74,6 +74,9 @@ int net_rpc_join(int argc, const char **argv) NTSTATUS result; int retval = 1; fstring domain; + uint32 num_rids, *name_types, *user_rids; + uint32 flags = 0x3e8; + char *names; /* Connect to remote machine */ @@ -107,7 +110,6 @@ int net_rpc_join(int argc, const char **argv) cli_nt_session_close(cli); /* Done with this pipe */ /* Create domain user */ - if (!cli_nt_session_open(cli, PIPE_SAMR)) { DEBUG(0, ("Error connecting to SAM pipe\n")); goto done; 
@@ -125,68 +127,50 @@ int net_rpc_join(int argc, const char **argv) "could not open domain"); /* Create domain user */ - fstrcpy(acct_name, global_myname); fstrcat(acct_name, "$"); - strlower(acct_name); - acb_info = (lp_server_role() == ROLE_DOMAIN_BDC) ? ACB_SVRTRUST : - ACB_WSTRUST; + acb_info = (lp_server_role() == ROLE_DOMAIN_BDC) ? ACB_SVRTRUST : ACB_WSTRUST; - { - uint32 unknown = 0xe005000b; + result = cli_samr_create_dom_user(cli, mem_ctx, &domain_pol, + acct_name, acb_info, + 0xe005000b, &user_pol, + &user_rid); - result = cli_samr_create_dom_user(cli, mem_ctx, &domain_pol, - acct_name, acb_info, - unknown, &user_pol, - &user_rid); + /* We *must* do this.... don't ask... */ + if (!NT_STATUS_IS_OK(result) && + !NT_STATUS_EQUAL(result, NT_STATUS_USER_EXISTS)) { + d_printf("Create of workstation account failed\n"); + goto done; + } + cli_samr_close(cli, mem_ctx, &user_pol); - /* We *must* do this.... don't ask... */ + names = (char *)&acct_name[0]; - CHECK_RPC_ERR_DEBUG(cli_samr_close(cli, mem_ctx, &user_pol), ("error closing user policy")); - result = NT_STATUS_USER_EXISTS; - } + CHECK_RPC_ERR_DEBUG(cli_samr_lookup_names(cli, mem_ctx, + &domain_pol, flags, + 1, &names, &num_rids, + &user_rids, &name_types), + ("error looking up rid for user %s: %s\n", + acct_name, get_nt_error_msg(result))); - if (NT_STATUS_EQUAL(result, NT_STATUS_USER_EXISTS)) { - uint32 num_rids, *name_types, *user_rids; - uint32 flags = 0x3e8; - char *names; - - /* Look up existing rid */ - - names = (char *)&acct_name[0]; - - CHECK_RPC_ERR_DEBUG( - cli_samr_lookup_names(cli, mem_ctx, - &domain_pol, flags, - 1, &names, &num_rids, - &user_rids, &name_types), - ("error looking up rid for user %s: %s\n", - acct_name, get_nt_error_msg(result))); - - if (name_types[0] != SID_NAME_USER) { - DEBUG(0, ("%s is not a user account\n", acct_name)); - goto done; - } - - user_rid = user_rids[0]; - - /* Open handle on user */ - - CHECK_RPC_ERR_DEBUG( - cli_samr_open_user(cli, mem_ctx, &domain_pol, - 
SEC_RIGHTS_MAXIMUM_ALLOWED, - user_rid, &user_pol), - ("could not re-open existing user %s: %s\n", - acct_name, get_nt_error_msg(result))); - - } else if (!NT_STATUS_IS_OK(result)) { - DEBUG(0, ("error creating domain user: %s\n", - get_nt_error_msg(result))); + if (name_types[0] != SID_NAME_USER) { + DEBUG(0, ("%s is not a user account\n", acct_name)); goto done; } + user_rid = user_rids[0]; + + /* Open handle on user */ + + CHECK_RPC_ERR_DEBUG( + cli_samr_open_user(cli, mem_ctx, &domain_pol, + SEC_RIGHTS_MAXIMUM_ALLOWED, + user_rid, &user_pol), + ("could not re-open existing user %s: %s\n", + acct_name, get_nt_error_msg(result))); + /* Create a random machine account password */ { @@ -199,15 +183,6 @@ int net_rpc_join(int argc, const char **argv) clear_trust_password, sizeof(ucs2_trust_password), 0); -#if DEBUG_PASSWORD - DEBUG(100, ("machine password is being set to:\n")); - dump_data(100, clear_trust_password, 6); - - DEBUG(100, ("machine password unicode is (len %d):\n", ucs2_pw_len)); - dump_data(100, ucs2_trust_password, ucs2_pw_len); - -#endif - encode_pw_buffer((char *)pwbuf, ucs2_trust_password, ucs2_pw_len); -- cgit From c5564c55fcf65060b4a4b098d6ccf9f0a61a402f Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 14 Dec 2001 02:17:18 +0000 Subject: Merge from 2.2 to allow net rpc join -U to complete even if the workstation account already exists. # net rpc join --user=Administrator%password It's kind of weird seeing the mix of NET.EXE style of options (net command subcommand /arg:value) with the GNU-style long options. I think it works. (This used to be commit 3789c8c707acd9a4078d656c8de9ce1f4be9e388) --- source3/utils/net_rpc_join.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 73ec2e593d..c9fa52a734 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c 
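Review bot: After `cli_samr_lookup_names()` the code reads `name_types[0]` and `user_rids[0]` without looking at `num_rids`, and with this change the lookup runs on every join rather than only on the `NT_STATUS_USER_EXISTS` path. Whether the call can report success with zero entries is not visible here, so a guard such as `if (num_rids != 1 || name_types[0] != SID_NAME_USER)` would keep a malformed server reply from being indexed. In the same hunk `cli_samr_close(cli, mem_ctx, &user_pol)` is now also reached when the create returned `NT_STATUS_USER_EXISTS`, a case in which `user_pol` may never have been filled in; closing only under `if (NT_STATUS_IS_OK(result))` avoids sending an uninitialised handle.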
@@ -138,13 +138,16 @@ int net_rpc_join(int argc, const char **argv) 0xe005000b, &user_pol, &user_rid); - /* We *must* do this.... don't ask... */ if (!NT_STATUS_IS_OK(result) && !NT_STATUS_EQUAL(result, NT_STATUS_USER_EXISTS)) { d_printf("Create of workstation account failed\n"); goto done; } - cli_samr_close(cli, mem_ctx, &user_pol); + + /* We *must* do this.... don't ask... */ + + if (NT_STATUS_IS_OK(result)) + cli_samr_close(cli, mem_ctx, &user_pol); names = (char *)&acct_name[0]; -- cgit From f46eb148065e25f6de5addbd9c58940f49a35aca Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 14 Dec 2001 03:55:44 +0000 Subject: Display a nice error message if the user%password specified for net rpc join does not have administrator privileges. (This used to be commit af24b1036c8ceaa37e6b68ac988401846c5c7fe4) --- source3/utils/net_rpc_join.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index c9fa52a734..16b0ccbaa8 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -141,6 +141,14 @@ int net_rpc_join(int argc, const char **argv) if (!NT_STATUS_IS_OK(result) && !NT_STATUS_EQUAL(result, NT_STATUS_USER_EXISTS)) { d_printf("Create of workstation account failed\n"); + + /* If NT_STATUS_ACCESS_DENIED then we have a valid + username/password combo but the user does not have + administrator access. */ + + if (NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED)) + d_printf("User specified does not have administrator privileges\n"); + goto done; } @@ -286,5 +294,3 @@ done: return retval; } - - -- cgit From f6e6c678ad5338264496de43e9e1ab2fe4a28e64 Mon Sep 17 00:00:00 2001 
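Review bot: The new access-denied test in the `@@ -141,6 +141,14 @@` hunk compares raw values with `NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED)` while the enclosing `if` uses `NT_STATUS_EQUAL(result, NT_STATUS_USER_EXISTS)`; writing it as `if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED))` would match the rest of the function. The failure branch also prints a fixed string and drops the status, so any failure other than missing privileges leaves the operator with no cause. Appending the status text to the first `d_printf`, using the file's `get_nt_error_msg(result)`, would cover those cases.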
From: Andrew Bartlett Date: Sun, 30 Dec 2001 10:54:58 +0000 Subject: Add a pile of doxygen style comments to various parts of Samba. Many of these probably will never actually be genearted, but I like the style in any case. Also fix a segfault in 'net rpc' when the login failed and a small memory leak on failure in the auth_info.c code. Andrew Bartlett (This used to be commit 2efae7cc522651c22fb120835bc800645559b63e) --- source3/utils/net_rpc_join.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 16b0ccbaa8..5f5117c9bc 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -36,9 +36,15 @@ goto done; \ } -/********************************************************* -Join a domain using the administrator username and password -**********************************************************/ +/** + * Join a domain using the administrator username and password + * + * @param argc Standard main() style argc + * @param argc Standard main() style argv. Initial components are already + * stripped. Currently not used. + * @return A shell status integer (0 for success) + * + **/ int net_rpc_join(int argc, const char **argv) { -- cgit From cd68afe31256ad60748b34f7318a180cfc2127cc Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Wed, 30 Jan 2002 06:08:46 +0000 Subject: Removed version number from file header. Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa) --- source3/utils/net_rpc_join.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 5f5117c9bc..2fde6291c2 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c 
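Review bot: The second tag in the new doxygen block reads `@param argc` but describes argv, so generated documentation would list argc twice and argv not at all; it should be `@param argv Standard main() style argv. Initial components are already stripped. Currently not used.`. Neither argument is read in the function body as added earlier on this page, so "Currently not used" applies to argc as well and could be stated on both tags.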
@@ -1,6 +1,5 @@ /* Samba Unix/Linux SMB client library - Version 3.0 Distributed SMB/CIFS Server Management Utility Copyright (C) 2001 Andrew Bartlett (abartlet@samba.org) Copyright (C) Tim Potter 2001 -- cgit From 81b2d66c970c0df94823ad96f50b992fff0c8b94 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 2 Mar 2002 08:25:44 +0000 Subject: Allow Samba to trust NT4 Domains. This commit builds on the auth subsystem to give Samba support for trusting NT4 domains. It is off by default, but is enabled by adding 'trustdomain' to the 'auth methods' smb.conf paramater. Tested against NT4 only - there are still some issues with the join code for Win2k servers (spnego stuff). The main work TODO involves enumerating the trusted domains (including the RPC calls to match), and getting winbind to run on the PDC correctly. Similarly, work remains on getting NT4 to trust Samba domains. Andrew Bartlett (This used to be commit ac8c24a9a888a3f916e8b40238b936e6ad743ef7) --- source3/utils/net_rpc_join.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 2fde6291c2..86a00eb9af 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -273,7 +273,9 @@ int net_rpc_join(int argc, const char **argv) goto done; } - CHECK_RPC_ERR(new_cli_nt_setup_creds(cli, stored_md4_trust_password), + CHECK_RPC_ERR(new_cli_nt_setup_creds(cli, + (acb_info & ACB_SVRTRUST) ? SEC_CHAN_BDC : SEC_CHAN_WKSTA, + stored_md4_trust_password), "error in domain join verification"); retval = 0; /* Success! */ -- cgit From a60033e42d41040a5dbde2ee6f01cbb97d1a1524 Mon Sep 17 00:00:00 2001 
From: Jim McDonough Date: Fri, 15 Mar 2002 22:10:19 +0000 Subject: Change new style join function name for clarity in net_rpc.c (This used to be commit 539d0cc03035c126e2de82523a07ed91997100b8) --- source3/utils/net_rpc_join.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 86a00eb9af..a88292492a 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -45,7 +45,7 @@ * **/ -int net_rpc_join(int argc, const char **argv) +int net_rpc_join_newstyle(int argc, const char **argv) { extern pstring global_myname; -- cgit From ab13654dc9ac23872e4d1384e1c54e336f113009 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Sun, 17 Mar 2002 04:36:35 +0000 Subject: Renamed get_nt_error_msg() to nt_errstr(). (This used to be commit 1f007d3ed41c1b71a89fa6be7d173e67e927c302) --- source3/utils/net_rpc_join.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index a88292492a..a2c0614a50 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -25,7 +25,7 @@ #define CHECK_RPC_ERR(rpc, msg) \ if (!NT_STATUS_IS_OK(result = rpc)) { \ - DEBUG(0, (msg ": %s\n", get_nt_error_msg(result))); \ + DEBUG(0, (msg ": %s\n", nt_errstr(result))); \ goto done; \ } @@ -169,7 +169,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) 1, &names, &num_rids, &user_rids, &name_types), ("error looking up rid for user %s: %s\n", - acct_name, get_nt_error_msg(result))); + acct_name, nt_errstr(result))); if (name_types[0] != SID_NAME_USER) { DEBUG(0, ("%s is not a user account\n", acct_name)); 
@@ -185,7 +185,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) SEC_RIGHTS_MAXIMUM_ALLOWED, user_rid, &user_pol), ("could not re-open existing user %s: %s\n", - acct_name, get_nt_error_msg(result))); + acct_name, nt_errstr(result))); /* Create a random machine account password */ -- cgit From 26588248cda26c6c8216a9b49008cb6d0e7f3bce Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 23 Mar 2002 08:03:55 +0000 Subject: Join as a server trust account if the server role is either PDC or BDC. (This used to be commit 0784ab67addb3422a2d17363b4c3328d2e4b1008) --- source3/utils/net_rpc_join.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index a2c0614a50..c4558ea10b 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -136,7 +136,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) fstrcat(acct_name, "$"); strlower(acct_name); - acb_info = (lp_server_role() == ROLE_DOMAIN_BDC) ? ACB_SVRTRUST : ACB_WSTRUST; + acb_info = ((lp_server_role() == ROLE_DOMAIN_BDC) || lp_server_role() == ROLE_DOMAIN_PDC) ? ACB_SVRTRUST : ACB_WSTRUST; result = cli_samr_create_dom_user(cli, mem_ctx, &domain_pol, acct_name, acb_info, -- cgit From e90b65284812aaa5ff9e9935ce9bbad7791cbbcd Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 15 Jul 2002 10:35:28 +0000 Subject: updated the 3.0 branch from the head branch - ready for alpha18 (This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce) --- source3/utils/net_rpc_join.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index c4558ea10b..cc1a203ca1 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c 
@@ -53,7 +53,6 @@ int net_rpc_join_newstyle(int argc, const char **argv) /* libsmb variables */ struct cli_state *cli; - fstring acct_name; TALLOC_CTX *mem_ctx; uint32 acb_info; @@ -81,7 +80,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) fstring domain; uint32 num_rids, *name_types, *user_rids; uint32 flags = 0x3e8; - char *names; + const char *acct_name; /* Connect to remote machine */ @@ -132,8 +131,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) "could not open domain"); /* Create domain user */ - fstrcpy(acct_name, global_myname); - fstrcat(acct_name, "$"); + acct_name = talloc_asprintf(mem_ctx, "%s$", global_myname); strlower(acct_name); acb_info = ((lp_server_role() == ROLE_DOMAIN_BDC) || lp_server_role() == ROLE_DOMAIN_PDC) ? ACB_SVRTRUST : ACB_WSTRUST; @@ -162,11 +160,9 @@ int net_rpc_join_newstyle(int argc, const char **argv) if (NT_STATUS_IS_OK(result)) cli_samr_close(cli, mem_ctx, &user_pol); - names = (char *)&acct_name[0]; - CHECK_RPC_ERR_DEBUG(cli_samr_lookup_names(cli, mem_ctx, &domain_pol, flags, - 1, &names, &num_rids, + 1, &acct_name, &num_rids, &user_rids, &name_types), ("error looking up rid for user %s: %s\n", acct_name, nt_errstr(result))); -- cgit From f0255b38bc17f4da9a63b2be4c3ce505688e933e Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sat, 17 Aug 2002 14:45:04 +0000 Subject: sync 3.0 branch with HEAD (This used to be commit 1b83b78e332b9d28914eff155530e81cf2073a58) --- source3/utils/net_rpc_join.c | 110 ++++++++++++++++++++++++++++++++++--------- 1 file changed, 87 insertions(+), 23 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index cc1a203ca1..c8be93c39c 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c 
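Review bot: In the `@@ -132,8 +131,7 @@` hunk the result of `talloc_asprintf(mem_ctx, "%s$", global_myname)` goes straight into `strlower(acct_name)` and later into the name lookup without a NULL check, so an allocation failure becomes a NULL dereference; `if (!acct_name) goto done;` directly after the assignment handles it. `acct_name` is also declared `const char *` in this commit although `strlower()` is used to modify it in place, so the name should be built in a non-const local and only then assigned to the const pointer handed to `cli_samr_lookup_names()`. The function body extends beyond these hunks.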
@@ -35,6 +35,61 @@ goto done; \ } + +/** + * confirm that a domain join is still valid + * + * @return A shell status integer (0 for success) + * + **/ +int net_rpc_join_ok(const char *domain) +{ + struct cli_state *cli; + uchar stored_md4_trust_password[16]; + int retval = 1; + uint32 channel; + NTSTATUS result; + + /* Connect to remote machine */ + if (!(cli = net_make_ipc_connection(NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC))) { + return 1; + } + + if (!cli_nt_session_open(cli, PIPE_NETLOGON)) { + DEBUG(0,("Error connecting to NETLOGON pipe\n")); + goto done; + } + + if (!secrets_fetch_trust_account_password(domain, + stored_md4_trust_password, NULL)) { + DEBUG(0,("Could not reterive domain trust secret")); + goto done; + } + + if (lp_server_role() == ROLE_DOMAIN_BDC || + lp_server_role() == ROLE_DOMAIN_PDC) { + channel = SEC_CHAN_BDC; + } else { + channel = SEC_CHAN_WKSTA; + } + + CHECK_RPC_ERR(cli_nt_setup_creds(cli, + channel, + stored_md4_trust_password), + "error in domain join verification"); + + retval = 0; /* Success! */ + +done: + /* Close down pipe - this will clean up open policy handles */ + if (cli->nt_pipe_fnum) + cli_nt_session_close(cli); + + cli_shutdown(cli); + + return retval; +} + /** * Join a domain using the administrator username and password * @@ -67,7 +122,6 @@ int net_rpc_join_newstyle(int argc, const char **argv) char *clear_trust_password = NULL; fstring ucs2_trust_password; int ucs2_pw_len; - uchar stored_md4_trust_password[16]; uchar pwbuf[516], sess_key[16]; SAM_USERINFO_CTR ctr; SAM_USER_INFO_24 p24; @@ -80,8 +134,9 @@ int net_rpc_join_newstyle(int argc, const char **argv) fstring domain; uint32 num_rids, *name_types, *user_rids; uint32 flags = 0x3e8; - const char *acct_name; - + char *acct_name; + const char *const_acct_name; + /* Connect to remote machine */ if (!(cli = net_make_ipc_connection(NET_FLAGS_PDC))) 
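Review bot: In `net_rpc_join_ok()` the buffer `stored_md4_trust_password` receives what its name suggests is the MD4 hash of the machine trust password, and it is left untouched on the stack on every path through `done:`; clearing it there, with a wipe the compiler will not optimise away, limits how long the secret stays in memory. The message `"Could not reterive domain trust secret"` has no trailing `\n` and misspells "retrieve", so it runs into the next log line. A one-line comment on why this check connects with `NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC` would help, since `net_rpc_join_newstyle()` connects with `NET_FLAGS_PDC` only.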
@@ -133,6 +188,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) /* Create domain user */ acct_name = talloc_asprintf(mem_ctx, "%s$", global_myname); strlower(acct_name); + const_acct_name = acct_name; acb_info = ((lp_server_role() == ROLE_DOMAIN_BDC) || lp_server_role() == ROLE_DOMAIN_PDC) ? ACB_SVRTRUST : ACB_WSTRUST; @@ -162,7 +218,8 @@ int net_rpc_join_newstyle(int argc, const char **argv) CHECK_RPC_ERR_DEBUG(cli_samr_lookup_names(cli, mem_ctx, &domain_pol, flags, - 1, &acct_name, &num_rids, + 1, &const_acct_name, + &num_rids, &user_rids, &name_types), ("error looking up rid for user %s: %s\n", acct_name, nt_errstr(result))); @@ -253,28 +310,10 @@ int net_rpc_join_newstyle(int argc, const char **argv) } /* Now check the whole process from top-to-bottom */ - cli_samr_close(cli, mem_ctx, &user_pol); - cli_nt_session_close(cli); /* Done with this pipe */ - if (!cli_nt_session_open(cli, PIPE_NETLOGON)) { - DEBUG(0, ("Error connecting to NETLOGON pipe\n")); - goto done; - } - - if (!secrets_fetch_trust_account_password(domain, - stored_md4_trust_password, NULL)) { - DEBUG(0, ("Could not reterive secrets we just stored!")); - goto done; - } - - CHECK_RPC_ERR(new_cli_nt_setup_creds(cli, - (acb_info & ACB_SVRTRUST) ? SEC_CHAN_BDC : SEC_CHAN_WKSTA, - stored_md4_trust_password), - "error in domain join verification"); - - retval = 0; /* Success! */ + retval = net_rpc_join_ok(domain); done: /* Close down pipe - this will clean up open policy handles */ @@ -297,3 +336,28 @@ done: return retval; } + + +/** + * check that a join is OK + * + * @return A shell status integer (0 for success) + * + **/ +int net_rpc_testjoin(int argc, const char **argv) +{ + char *domain = lp_workgroup(); + + domain = smb_xstrdup(domain); + + /* Display success or failure */ + if (net_rpc_join_ok(domain) != 0) { + fprintf(stderr,"Join to domain '%s' is not valid\n",domain); + free(domain); + return -1; + } + + printf("Join to '%s' is OK\n",domain); + free(domain); + return 0; +} -- cgit 
From a834a73e341059be154426390304a42e4a011f72 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 25 Sep 2002 15:19:00 +0000 Subject: sync'ing up for 3.0alpha20 release (This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139) --- source3/utils/net_rpc_join.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index c8be93c39c..b08095f1cc 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -49,6 +49,7 @@ int net_rpc_join_ok(const char *domain) int retval = 1; uint32 channel; NTSTATUS result; + uint32 neg_flags = 0x000001ff; /* Connect to remote machine */ if (!(cli = net_make_ipc_connection(NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC))) { @@ -75,7 +76,7 @@ int net_rpc_join_ok(const char *domain) CHECK_RPC_ERR(cli_nt_setup_creds(cli, channel, - stored_md4_trust_password), + stored_md4_trust_password, &neg_flags, 2), "error in domain join verification"); retval = 0; /* Success! */ -- cgit From 36ef82a52953384acedbd51f54ded9357fa8ca3e Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 4 Oct 2002 04:10:23 +0000 Subject: merge of new client side support the Win2k LSARPC UUID in rpcbind from APP_HEAD (This used to be commit 1cfd2ee433305e91e87804dd55d10e025d30a69e) --- source3/utils/net_rpc_join.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index b08095f1cc..c209886ef1 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -56,7 +56,7 @@ int net_rpc_join_ok(const char *domain) return 1; } - if (!cli_nt_session_open(cli, PIPE_NETLOGON)) { + if (!cli_nt_session_open(cli, PI_NETLOGON)) { DEBUG(0,("Error connecting to NETLOGON pipe\n")); goto done; } 
@@ -150,7 +150,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) /* Fetch domain sid */ - if (!cli_nt_session_open(cli, PIPE_LSARPC)) { + if (!cli_nt_session_open(cli, PI_LSARPC)) { DEBUG(0, ("Error connecting to SAM pipe\n")); goto done; } @@ -170,7 +170,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) cli_nt_session_close(cli); /* Done with this pipe */ /* Create domain user */ - if (!cli_nt_session_open(cli, PIPE_SAMR)) { + if (!cli_nt_session_open(cli, PI_SAMR)) { DEBUG(0, ("Error connecting to SAM pipe\n")); goto done; } -- cgit From 2f194322d419350f35a48dff750066894d68eccf Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 12 Nov 2002 23:20:50 +0000 Subject: Removed global_myworkgroup, global_myname, global_myscope. Added liberal dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89) --- source3/utils/net_rpc_join.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index c209886ef1..4b78b7d283 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -104,8 +104,6 @@ done: int net_rpc_join_newstyle(int argc, const char **argv) { - extern pstring global_myname; - /* libsmb variables */ struct cli_state *cli; @@ -187,7 +185,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) "could not open domain"); /* Create domain user */ - acct_name = talloc_asprintf(mem_ctx, "%s$", global_myname); + acct_name = talloc_asprintf(mem_ctx, "%s$", global_myname()); strlower(acct_name); const_acct_name = acct_name; 
@@ -347,9 +345,7 @@ done: **/ int net_rpc_testjoin(int argc, const char **argv) { - char *domain = lp_workgroup(); - - domain = smb_xstrdup(domain); + char *domain = smb_xstrdup(lp_workgroup()); /* Display success or failure */ if (net_rpc_join_ok(domain) != 0) { -- cgit From ef8bd7c4f7ae8192ea05db070962ecf0ff3615f3 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 20 Dec 2002 20:21:31 +0000 Subject: Forward port the change to talloc_init() to make all talloc contexts named. Ensure we can query them. Jeremy. (This used to be commit 09a218a9f6fb0bd922940467bf8500eb4f1bcf84) --- source3/utils/net_rpc_join.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 4b78b7d283..1b711f7b43 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -141,7 +141,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) if (!(cli = net_make_ipc_connection(NET_FLAGS_PDC))) return 1; - if (!(mem_ctx = talloc_init())) { + if (!(mem_ctx = talloc_init("net_rpc_join_newstyle"))) { DEBUG(0, ("Could not initialise talloc context\n")); goto done; } -- cgit From d1221c9b6c369113a531063737890b58d89bf6fe Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 24 Feb 2003 02:55:00 +0000 Subject: Merge from HEAD client-side authentication changes: - new kerberos code, allowing the account to change it's own password without special SD settings required - NTLMSSP client code, now seperated from cliconnect.c - NTLMv2 client code - SMB signing fixes Andrew Bartlett (This used to be commit 837680ca517982f2e5944730581a83012d4181ae) --- source3/utils/net_rpc_join.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 1b711f7b43..b0eb335986 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c 
@@ -264,14 +264,8 @@ int net_rpc_join_newstyle(int argc, const char **argv) ctr.switch_value = 24; ctr.info.id24 = &p24; - /* I don't think this is quite the right place for this - calculation. It should be moved somewhere where the credentials - are calculated. )-: */ - - mdfour(sess_key, cli->pwd.smb_nt_pwd, 16); - CHECK_RPC_ERR(cli_samr_set_userinfo(cli, mem_ctx, &user_pol, 24, - sess_key, &ctr), + cli->user_session_key, &ctr), "error setting trust account password"); /* Why do we have to try to (re-)set the ACB to be the same as what -- cgit From b0f49fcd538e28d27fa69a778cf04f4d78755481 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Mon, 14 Apr 2003 04:00:37 +0000 Subject: Merge of Jelmer's usage updates for net. (This used to be commit 6a5b88c95b3fd17431cda79e9aa2a593fef85100) --- source3/utils/net_rpc_join.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index b0eb335986..e2fd9aa434 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -63,7 +63,7 @@ int net_rpc_join_ok(const char *domain) if (!secrets_fetch_trust_account_password(domain, stored_md4_trust_password, NULL)) { - DEBUG(0,("Could not reterive domain trust secret")); + DEBUG(0,("Could not retreive domain trust secret")); goto done; } -- cgit From f071020f5e49837154581c97c5af5f84d0e2de89 Mon Sep 17 00:00:00 2001 
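Review bot: Removing the `mdfour(sess_key, cli->pwd.smb_nt_pwd, 16);` line in the -264,14 hunk leaves `sess_key` with no visible initialisation. The later -287,8 hunk on this page shows `cli_samr_set_userinfo2(cli, mem_ctx, &user_pol, 0x10, sess_key, &ctr)` still passing it until a subsequent commit converts that call. At this revision the ACB update would therefore be keyed with indeterminate stack bytes, assuming nothing outside the shown hunks assigns the array. The second call should have been converted in the same change, `cli->user_session_key, &ctr);`, and `sess_key[16]` dropped from the declaration.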
From: Andrew Bartlett Date: Mon, 21 Apr 2003 14:09:03 +0000 Subject: Merge from HEAD - save the type of channel used to contact the DC. This allows us to join as a BDC, without appearing on the network as one until we have the database replicated, and the admin changes the configuration. This also change the SID retreval order from secrets.tdb, so we no longer require a 'net rpc getsid' - the sid fetch during the domain join is sufficient. Also minor fixes to 'net'. Andrew Bartlett (This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a) --- source3/utils/net_rpc_join.c | 62 ++++++++++++++++++++++++++++++-------------- 1 file changed, 43 insertions(+), 19 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index e2fd9aa434..35564b1e10 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -62,18 +62,12 @@ int net_rpc_join_ok(const char *domain) } if (!secrets_fetch_trust_account_password(domain, - stored_md4_trust_password, NULL)) { + stored_md4_trust_password, + NULL, &channel)) { DEBUG(0,("Could not retreive domain trust secret")); goto done; } - if (lp_server_role() == ROLE_DOMAIN_BDC || - lp_server_role() == ROLE_DOMAIN_PDC) { - channel = SEC_CHAN_BDC; - } else { - channel = SEC_CHAN_WKSTA; - } - CHECK_RPC_ERR(cli_nt_setup_creds(cli, channel, stored_md4_trust_password, &neg_flags, 2), @@ -108,7 +102,8 @@ int net_rpc_join_newstyle(int argc, const char **argv) struct cli_state *cli; TALLOC_CTX *mem_ctx; - uint32 acb_info; + uint32 acb_info = ACB_WSTRUST; + uint32 sec_channel_type; /* rpc variables */ @@ -121,10 +116,11 @@ int net_rpc_join_newstyle(int argc, const char **argv) char *clear_trust_password = NULL; fstring ucs2_trust_password; int ucs2_pw_len; - uchar pwbuf[516], sess_key[16]; + uchar pwbuf[516]; SAM_USERINFO_CTR ctr; SAM_USER_INFO_24 p24; SAM_USER_INFO_10 p10; + uchar md4_trust_password[16]; /* Misc */ 
@@ -135,6 +131,25 @@ int net_rpc_join_newstyle(int argc, const char **argv) uint32 flags = 0x3e8; char *acct_name; const char *const_acct_name; + uint32 neg_flags = 0x000001ff; + + /* check what type of join */ + if (argc >= 0) { + sec_channel_type = get_sec_channel_type(argv[0]); + } else { + sec_channel_type = get_sec_channel_type(NULL); + } + + switch (sec_channel_type) { + case SEC_CHAN_WKSTA: + acb_info = ACB_WSTRUST; + case SEC_CHAN_BDC: + acb_info = ACB_SVRTRUST; +#if 0 + case SEC_CHAN_DOMAIN: + acb_info = ACB_DOMTRUST; +#endif + } /* Connect to remote machine */ @@ -189,8 +204,6 @@ int net_rpc_join_newstyle(int argc, const char **argv) strlower(acct_name); const_acct_name = acct_name; - acb_info = ((lp_server_role() == ROLE_DOMAIN_BDC) || lp_server_role() == ROLE_DOMAIN_PDC) ? ACB_SVRTRUST : ACB_WSTRUST; - result = cli_samr_create_dom_user(cli, mem_ctx, &domain_pol, acct_name, acb_info, 0xe005000b, &user_pol, @@ -245,6 +258,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) char *str; str = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH); clear_trust_password = strdup(str); + E_md4hash(clear_trust_password, md4_trust_password); } ucs2_pw_len = push_ucs2(NULL, ucs2_trust_password, @@ -287,8 +301,22 @@ int net_rpc_join_newstyle(int argc, const char **argv) as a normal user with "Add workstation to domain" privilege. */ result = cli_samr_set_userinfo2(cli, mem_ctx, &user_pol, 0x10, - sess_key, &ctr); + cli->user_session_key, &ctr); + + /* Now check the whole process from top-to-bottom */ + cli_samr_close(cli, mem_ctx, &user_pol); + cli_nt_session_close(cli); /* Done with this pipe */ + if (!cli_nt_session_open(cli, PI_NETLOGON)) { + DEBUG(0,("Error connecting to NETLOGON pipe\n")); + goto done; + } + + CHECK_RPC_ERR(cli_nt_setup_creds(cli, + sec_channel_type, + md4_trust_password, &neg_flags, 2), + "error in domain join verification"); + /* Now store the secret in the secrets database */ strupper(domain); 
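Review bot: The test `if (argc >= 0)` added in the -135,6 hunk cannot select the fallback branch for any ordinary argument count, so `argv[0]` is read even when no join-type argument was given. What that slot holds then depends on the caller, which is outside this hunk. `if (argc > 0) {` matches the evident intent of passing NULL to `get_sec_channel_type` when nothing was supplied. The condition is still present as context in later hunks on this page. The `switch` below it also falls through from `SEC_CHAN_WKSTA` into `SEC_CHAN_BDC`; a later commit shown here adds the `break` statements.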
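Review bot: `clear_trust_password = strdup(str);` is followed immediately by `E_md4hash(clear_trust_password, md4_trust_password);` in the -258,6 hunk, so a failed allocation hands NULL to the hash routine instead of aborting the join. A check such as `if (!clear_trust_password) { DEBUG(0, ("out of memory\n")); goto done; }` between the two lines keeps the error on the cleanup path. The later hunk that switches this line to `SMB_STRDUP` leaves the same gap, as far as this page shows. `md4_trust_password` then holds a password-equivalent value for the rest of the function, so it should be cleared before return together with the cleartext copy. Whether the cleartext is freed or wiped is not visible in these hunks.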
@@ -298,14 +326,11 @@ int net_rpc_join_newstyle(int argc, const char **argv) goto done; } - if (!secrets_store_machine_password(clear_trust_password)) { + if (!secrets_store_machine_password(clear_trust_password, domain, sec_channel_type)) { DEBUG(0, ("error storing plaintext domain secrets for %s\n", domain)); } - /* Now check the whole process from top-to-bottom */ - cli_samr_close(cli, mem_ctx, &user_pol); - cli_nt_session_close(cli); /* Done with this pipe */ - + /* double-check, connection from scratch */ retval = net_rpc_join_ok(domain); done: @@ -317,7 +342,6 @@ done: /* Display success or failure */ if (retval != 0) { - trust_password_delete(domain); fprintf(stderr,"Unable to join domain %s.\n",domain); } else { printf("Joined domain %s.\n",domain); -- cgit From 96e1202f23177d07097eef09c36cf4eef22ae000 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 22 Apr 2003 05:32:01 +0000 Subject: Fix up bugs in the new 'store sec_channel type' code - we were always joining as a BDC. Andrew Bartlett (This used to be commit f35674e7552dcfece342e7bece10bbfb0e81cbf8) --- source3/utils/net_rpc_join.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 35564b1e10..e389cf8ef8 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -143,11 +143,14 @@ int net_rpc_join_newstyle(int argc, const char **argv) switch (sec_channel_type) { case SEC_CHAN_WKSTA: acb_info = ACB_WSTRUST; + break; case SEC_CHAN_BDC: acb_info = ACB_SVRTRUST; + break; #if 0 case SEC_CHAN_DOMAIN: acb_info = ACB_DOMTRUST; + break; #endif } -- cgit From 850554084c32025c04f93cf5b9cf31088b93e68e Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Sun, 8 Jun 2003 11:39:28 +0000 Subject: Make sure that we use schannel (if configured) when checking for a valid join to the DC. Andrew Bartlett (This used to be commit af526fa9b39ab1f8483d5cee66321bc12f78ac05) --- source3/utils/net_rpc_join.c | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index e389cf8ef8..fdb979a0e4 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -49,7 +49,6 @@ int net_rpc_join_ok(const char *domain) int retval = 1; uint32 channel; NTSTATUS result; - uint32 neg_flags = 0x000001ff; /* Connect to remote machine */ if (!(cli = net_make_ipc_connection(NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC))) { @@ -68,10 +67,12 @@ int net_rpc_join_ok(const char *domain) goto done; } - CHECK_RPC_ERR(cli_nt_setup_creds(cli, - channel, - stored_md4_trust_password, &neg_flags, 2), - "error in domain join verification"); + /* ensure that schannel uses the right domain */ + fstrcpy(cli->domain, domain); + if (! NT_STATUS_IS_OK(result = cli_nt_establish_netlogon(cli, channel, stored_md4_trust_password))) { + DEBUG(0,("Error in domain join verfication\n")); + goto done; + } retval = 0; /* Success! */ @@ -131,7 +132,6 @@ int net_rpc_join_newstyle(int argc, const char **argv) uint32 flags = 0x3e8; char *acct_name; const char *const_acct_name; - uint32 neg_flags = 0x000001ff; /* check what type of join */ if (argc >= 0) { 
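Review bot: The replacement check in the -67,10 hunk assigns `result` but logs only `"Error in domain join verfication\n"`, so the NT status that the old `CHECK_RPC_ERR` path printed is lost. For anyone diagnosing a broken trust, that status is what separates a rejected machine password from a connectivity or pipe problem. Keeping it costs one argument: `DEBUG(0,("Error in domain join verification: %s\n", nt_errstr(result)));`. A later commit on this page removes the `result` variable from net_rpc_join_ok altogether, which makes the status unrecoverable from the logs.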
@@ -315,11 +315,12 @@ int net_rpc_join_newstyle(int argc, const char **argv) goto done; } - CHECK_RPC_ERR(cli_nt_setup_creds(cli, - sec_channel_type, - md4_trust_password, &neg_flags, 2), - "error in domain join verification"); - + /* ensure that schannel uses the right domain */ + fstrcpy(cli->domain, domain); + CHECK_RPC_ERR(cli_nt_establish_netlogon(cli, sec_channel_type, + md4_trust_password), + "Error in domain join verfication\n"); + /* Now store the secret in the secrets database */ strupper(domain); @@ -366,7 +367,7 @@ done: **/ int net_rpc_testjoin(int argc, const char **argv) { - char *domain = smb_xstrdup(lp_workgroup()); + char *domain = smb_xstrdup(opt_target_workgroup); /* Display success or failure */ if (net_rpc_join_ok(domain) != 0) { -- cgit From 12096155041830a72ef765625f47b82c6d5f5ad7 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 16 Jun 2003 01:13:17 +0000 Subject: another improved debug statement (This used to be commit ac69b9c83cde306f89143fe43038adff876dd0b0) --- source3/utils/net_rpc_join.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index fdb979a0e4..76b86fd8da 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -240,7 +240,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) acct_name, nt_errstr(result))); if (name_types[0] != SID_NAME_USER) { - DEBUG(0, ("%s is not a user account\n", acct_name)); + DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name, name_types[0])); goto done; } -- cgit From e2cda4a24ef1ce969eec897bddd4cc5e35737677 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 16 Jun 2003 10:10:37 +0000 Subject: Fix misleading debug message. Volker (This used to be commit a4f76f2520515d820eb4a320036b998c88c596a8) --- source3/utils/net_rpc_join.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') 
diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 76b86fd8da..ebb0b4dceb 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -167,7 +167,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) /* Fetch domain sid */ if (!cli_nt_session_open(cli, PI_LSARPC)) { - DEBUG(0, ("Error connecting to SAM pipe\n")); + DEBUG(0, ("Error connecting to LSA pipe\n")); goto done; } -- cgit From 979c447060387254375ad35a52f58a91027368fb Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 16 Jun 2003 15:59:05 +0000 Subject: This glosses over John's problem at SambaXP 2003. When we want to join a NT4 domain as a BDC with an existing workstation account (existing bdc is fine), we fail. Print a friendly error message in this case. The correct solution would probably be to delete the account and try again. But even this makes us better than NT: NT4 fails in this situation with an empty warning message box and an unusable BDC. It has unsuccessfully tried to suck down the domain database, and thus has no administrator account to log in after reboot.... Volker (This used to be commit 1ddeea2179b11cedccf205c7ffea523ee6750b24) --- source3/utils/net_rpc_join.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index ebb0b4dceb..e8fa39ec92 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c 
@@ -317,9 +317,23 @@ int net_rpc_join_newstyle(int argc, const char **argv) /* ensure that schannel uses the right domain */ fstrcpy(cli->domain, domain); - CHECK_RPC_ERR(cli_nt_establish_netlogon(cli, sec_channel_type, - md4_trust_password), - "Error in domain join verfication\n"); + + result = cli_nt_establish_netlogon(cli, sec_channel_type, + md4_trust_password); + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(0, ("Error domain join verification: %s\n\n", + nt_errstr(result))); + + if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && + (sec_channel_type == SEC_CHAN_BDC) ) { + d_printf("Please make sure that no computer account\n" + "named like this machine (%s) exists in the domain\n", + global_myname()); + } + + goto done; + } /* Now store the secret in the secrets database */ -- cgit From ce72beb2b558d86fb49063c6b1fa00e07952ce56 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 3 Jul 2003 19:11:31 +0000 Subject: Removed strupper/strlower macros that automatically map to strupper_m/strlower_m. I really want people to think about when they're using multibyte strings. Jeremy. (This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959) --- source3/utils/net_rpc_join.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index e8fa39ec92..22ed49c74f 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -204,7 +204,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) /* Create domain user */ acct_name = talloc_asprintf(mem_ctx, "%s$", global_myname()); - strlower(acct_name); + strlower_m(acct_name); const_acct_name = acct_name; result = cli_samr_create_dom_user(cli, mem_ctx, &domain_pol, 
@@ -337,7 +337,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) /* Now store the secret in the secrets database */ - strupper(domain); + strupper_m(domain); if (!secrets_store_domain_sid(domain, &domain_sid)) { DEBUG(0, ("error storing domain sid for %s\n", domain)); -- cgit From 78404434d055ff86177d7c659358c23f12a27a77 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 22 Nov 2003 23:38:41 +0000 Subject: Add support for variable-length session keys in our client code. This means that we now support 'net rpc join' with KRB5 (des based) logins. Now, you need to hack 'net' to do that, but the principal is important... When we add kerberos to 'net rpc', it should be possible to still do user management and the like over RPC. (server-side support to follow shortly) Andrew Bartlett (This used to be commit 9ecf9408d98639186b283f1acf0fac46417547d0) --- source3/utils/net_rpc_join.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 22ed49c74f..96943468ad 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -70,7 +70,7 @@ int net_rpc_join_ok(const char *domain) /* ensure that schannel uses the right domain */ fstrcpy(cli->domain, domain); if (! NT_STATUS_IS_OK(result = cli_nt_establish_netlogon(cli, channel, stored_md4_trust_password))) { - DEBUG(0,("Error in domain join verfication\n")); + DEBUG(0,("Error in domain join verfication (fresh connection)\n")); goto done; } @@ -282,7 +282,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) ctr.info.id24 = &p24; CHECK_RPC_ERR(cli_samr_set_userinfo(cli, mem_ctx, &user_pol, 24, - cli->user_session_key, &ctr), + &cli->user_session_key, &ctr), "error setting trust account password"); /* Why do we have to try to (re-)set the ACB to be the same as what 
@@ -304,7 +304,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) as a normal user with "Add workstation to domain" privilege. */ result = cli_samr_set_userinfo2(cli, mem_ctx, &user_pol, 0x10, - cli->user_session_key, &ctr); + &cli->user_session_key, &ctr); /* Now check the whole process from top-to-bottom */ cli_samr_close(cli, mem_ctx, &user_pol); @@ -322,7 +322,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) md4_trust_password); if (!NT_STATUS_IS_OK(result)) { - DEBUG(0, ("Error domain join verification: %s\n\n", + DEBUG(0, ("Error domain join verification (reused connection): %s\n\n", nt_errstr(result))); if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && -- cgit From 8083486dee6b487647745accd810f7514bbb7f0e Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Thu, 15 Jan 2004 19:45:36 +0000 Subject: Fix net rpc join (at least newstyle) after it was broken by changing the parms to cli_lsa_query_info_policy without changing them here... (This used to be commit a885df7635a9230bc6cca88e7e8fb1420c74c7fb) --- source3/utils/net_rpc_join.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 96943468ad..eb91a7df61 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -109,7 +109,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) /* rpc variables */ POLICY_HND lsa_pol, sam_pol, domain_pol, user_pol; - DOM_SID domain_sid; + DOM_SID *domain_sid; uint32 user_rid; /* Password stuff */ @@ -127,7 +127,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) NTSTATUS result; int retval = 1; - fstring domain; + char *domain; uint32 num_rids, *name_types, *user_rids; uint32 flags = 0x3e8; char *acct_name; 
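Review bot: Changing `fstring domain;` to `char *domain;` in the -127,7 hunk leaves the pointer uninitialised until `cli_lsa_query_info_policy` fills it. Earlier hunks on this page show several `goto done` exits before that call (talloc_init failure, LSA pipe open failure), and the `done:` path prints it with `fprintf(stderr,"Unable to join domain %s.\n",domain);`. With the array this printed stale bytes; with the pointer it dereferences an indeterminate address. Declaring `char *domain = NULL;` and printing `domain ? domain : "(unknown)"` at `done:` closes this, and `DOM_SID *domain_sid;` from the -109,7 hunk deserves the same `= NULL`. This assumes the `done:` block is unchanged at this revision, which is what the hunks shown here indicate.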
@@ -178,7 +178,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) "error opening lsa policy handle"); CHECK_RPC_ERR(cli_lsa_query_info_policy(cli, mem_ctx, &lsa_pol, - 5, domain, &domain_sid), + 5, &domain, &domain_sid), "error querying info policy"); cli_lsa_close(cli, mem_ctx, &lsa_pol); @@ -199,7 +199,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) CHECK_RPC_ERR(cli_samr_open_domain(cli, mem_ctx, &sam_pol, SEC_RIGHTS_MAXIMUM_ALLOWED, - &domain_sid, &domain_pol), + domain_sid, &domain_pol), "could not open domain"); /* Create domain user */ @@ -339,7 +339,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) strupper_m(domain); - if (!secrets_store_domain_sid(domain, &domain_sid)) { + if (!secrets_store_domain_sid(domain, domain_sid)) { DEBUG(0, ("error storing domain sid for %s\n", domain)); goto done; } -- cgit From 784b05c4895fa8d7f5215d4444bc74e91a918114 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 26 Jan 2004 08:45:02 +0000 Subject: This adds client-side support for the unicode/SAMR password change scheme. As well as avoiding DOS charset issues, this scheme returns useful error codes, that we can map back via the pam interface. This patch also cleans up the interfaces used for password buffers, to avoid duplication of code. Andrew Bartlett (This used to be commit 2a2b1f0c872d154fbcce71a250e23dfad085ba1e) --- source3/utils/net_rpc_join.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index eb91a7df61..6bfeedc8a0 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -115,8 +115,6 @@ int net_rpc_join_newstyle(int argc, const char **argv) /* Password stuff */ char *clear_trust_password = NULL; - fstring ucs2_trust_password; - int ucs2_pw_len; uchar pwbuf[516]; SAM_USERINFO_CTR ctr; SAM_USER_INFO_24 p24; 
@@ -264,12 +262,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) E_md4hash(clear_trust_password, md4_trust_password); } - ucs2_pw_len = push_ucs2(NULL, ucs2_trust_password, - clear_trust_password, - sizeof(ucs2_trust_password), 0); - - encode_pw_buffer((char *)pwbuf, ucs2_trust_password, - ucs2_pw_len); + encode_pw_buffer(pwbuf, clear_trust_password, STR_UNICODE); /* Set password on machine account */ -- cgit From d198c5587774808823aa09e997ff492826738c51 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 8 Feb 2004 08:38:42 +0000 Subject: Make more functions static, and remove duplication in the use of functions in lib/smbpasswd.c that were exact duplicates of functions in passdb/passdb.c (These should perhaps be pulled back out to smbpasswd.c, but that can occour later). Andrew Bartlett (This used to be commit fcdc5efb1e245c8fa95cd031f67ec56093b9056e) --- source3/utils/net_rpc_join.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 6bfeedc8a0..52e295949e 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -42,7 +42,7 @@ * @return A shell status integer (0 for success) * **/ -int net_rpc_join_ok(const char *domain) +static int net_rpc_join_ok(const char *domain) { struct cli_state *cli; uchar stored_md4_trust_password[16]; -- cgit From b4cf9e95059071df49b34ff8574e48cb96f42da1 Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Thu, 7 Oct 2004 04:01:18 +0000 Subject: r2835: Since we always have -I. and -I$(srcdir) in CFLAGS, we can get rid of '..' from all #include preprocessor commands. This fixes bugzilla #1880 where OpenVMS gets confused about the '.' characters. (This used to be commit 7f161702fa4916979602cc0295919b541912acd6) --- source3/utils/net_rpc_join.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') 
diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 52e295949e..cb8a5ee4d4 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -19,7 +19,7 @@ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ #include "includes.h" -#include "../utils/net.h" +#include "utils/net.h" /* Macro for checking RPC error codes to make things more readable */ -- cgit From acf9d61421faa6c0055d57fdee7db300dc5431aa Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 7 Dec 2004 18:25:53 +0000 Subject: r4088: Get medieval on our ass about malloc.... :-). Take control of all our allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a) --- source3/utils/net_rpc_join.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index cb8a5ee4d4..79c632f831 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -258,7 +258,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) { char *str; str = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH); - clear_trust_password = strdup(str); + clear_trust_password = SMB_STRDUP(str); E_md4hash(clear_trust_password, md4_trust_password); } -- cgit From c85d9e735c8294088203f1656ae07a4b0835292c Mon Sep 17 00:00:00 2001 
From: Volker Lendecke Date: Thu, 6 Jan 2005 15:35:02 +0000 Subject: r4570: Replace cli->nt_pipe_fnum with an array of NT file numbers, one for each supported pipe. Netlogon is still special, as we open that twice, one to do the auth2, the other one with schannel. The client interface is completely unchanged for those who only use a single pie. cli->pipe_idx is used as the index for everything except the "real" client rpc calls, which have been explicitly converted in my last commit. Next step is to get winbind to just use a single smb connection for multiple pipes. Volker (This used to be commit dc294c52e0216424236057ca6cd35e1ebf51d0da) --- source3/utils/net_rpc_join.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 79c632f831..f1a41c7c99 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -78,7 +78,7 @@ static int net_rpc_join_ok(const char *domain) done: /* Close down pipe - this will clean up open policy handles */ - if (cli->nt_pipe_fnum) + if (cli->nt_pipe_fnum[cli->pipe_idx]) cli_nt_session_close(cli); cli_shutdown(cli); @@ -347,7 +347,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) done: /* Close down pipe - this will clean up open policy handles */ - if (cli->nt_pipe_fnum) + if (cli->nt_pipe_fnum[cli->pipe_idx]) cli_nt_session_close(cli); /* Display success or failure */ -- cgit From a84bb6d1ec0316a39c8b730c40c9215d9d7f959a Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 3 Feb 2005 15:14:54 +0000 Subject: r5203: additional changes for BUG 2291 to restrict who can join a BDC and add domain trusts (This used to be commit 5ec1faa2ad33772fb48c3863e67d2ce4be726bb2) --- source3/utils/net_rpc_join.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') 
diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index f1a41c7c99..ed196de6c1 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -212,7 +212,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) if (!NT_STATUS_IS_OK(result) && !NT_STATUS_EQUAL(result, NT_STATUS_USER_EXISTS)) { - d_printf("Create of workstation account failed\n"); + d_printf("Creation of workstation account failed\n"); /* If NT_STATUS_ACCESS_DENIED then we have a valid username/password combo but the user does not have -- cgit From 70490aae0ca36608e4b230a03faa4d8aba36d91d Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Fri, 13 May 2005 07:46:29 +0000 Subject: r6769: Fix bugzilla #2538 and #2527. Unused variables found by Jason Mader. (This used to be commit 68b1c1f533e5c91634f5da21659c8e5793cb77f7) --- source3/utils/net_rpc_join.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index ed196de6c1..2f2393ca7a 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -48,7 +48,6 @@ static int net_rpc_join_ok(const char *domain) uchar stored_md4_trust_password[16]; int retval = 1; uint32 channel; - NTSTATUS result; /* Connect to remote machine */ if (!(cli = net_make_ipc_connection(NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC))) { @@ -69,7 +68,7 @@ static int net_rpc_join_ok(const char *domain) /* ensure that schannel uses the right domain */ fstrcpy(cli->domain, domain); - if (! NT_STATUS_IS_OK(result = cli_nt_establish_netlogon(cli, channel, stored_md4_trust_password))) { + if (! NT_STATUS_IS_OK(cli_nt_establish_netlogon(cli, channel, stored_md4_trust_password))) { DEBUG(0,("Error in domain join verfication (fresh connection)\n")); goto done; } -- cgit From fed660877c16562265327c6093ea645cf4176b5c Mon Sep 17 00:00:00 2001 
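Review bot: Dropping `result` in the second r6769 hunk also drops the only place where the NT status of `cli_nt_establish_netlogon()` could be reported, so the DEBUG line for a failed join check gives no reason. Keeping the local and logging it would let an administrator tell a broken trust account from a network failure: `DEBUG(0,("Error in domain join verification (fresh connection): %s\n", nt_errstr(result)));`. That wording also fixes the "verfication" typo in the message. net_rpc_join_ok's body extends beyond the hunk.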
From: Gerald Carter Date: Wed, 8 Jun 2005 22:10:34 +0000 Subject: r7415: * big change -- volker's new async winbindd from trunk (This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8) --- source3/utils/net_rpc_join.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 2f2393ca7a..6888076a14 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -77,7 +77,7 @@ static int net_rpc_join_ok(const char *domain) done: /* Close down pipe - this will clean up open policy handles */ - if (cli->nt_pipe_fnum[cli->pipe_idx]) + if (cli->pipes[cli->pipe_idx].fnum) cli_nt_session_close(cli); cli_shutdown(cli); @@ -346,7 +346,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) done: /* Close down pipe - this will clean up open policy handles */ - if (cli->nt_pipe_fnum[cli->pipe_idx]) + if (cli->pipes[cli->pipe_idx].fnum) cli_nt_session_close(cli); /* Display success or failure */ -- cgit From 263a51cd62815b568d0d2053ee29cdd77428ba31 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 19 Jul 2005 00:59:25 +0000 Subject: r8564: Sometimes we're too dumb to live... Fix samr calls where we were using USER_INFO_XX structs and functions where XX was sometimes in hex and sometimes in decimal. Now it's all in decimal (should be no functionality change). Jeremy. (This used to be commit 84651aca04cbcbf50ab2e78333cc9d9e49dd92f5) --- source3/utils/net_rpc_join.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 6888076a14..8d19ad888f 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c 
@@ -117,7 +117,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) uchar pwbuf[516]; SAM_USERINFO_CTR ctr; SAM_USER_INFO_24 p24; - SAM_USER_INFO_10 p10; + SAM_USER_INFO_16 p16; uchar md4_trust_password[16]; /* Misc */ @@ -287,15 +287,15 @@ int net_rpc_join_newstyle(int argc, const char **argv) userinfo2 level 0x10 fails. -tpot */ ZERO_STRUCT(ctr); - ctr.switch_value = 0x10; - ctr.info.id10 = &p10; + ctr.switch_value = 16; + ctr.info.id16 = &p16; - init_sam_user_info10(&p10, acb_info); + init_sam_user_info16(&p16, acb_info); /* Ignoring the return value is necessary for joining a domain as a normal user with "Add workstation to domain" privilege. */ - result = cli_samr_set_userinfo2(cli, mem_ctx, &user_pol, 0x10, + result = cli_samr_set_userinfo2(cli, mem_ctx, &user_pol, 16, &cli->user_session_key, &ctr); /* Now check the whole process from top-to-bottom */ -- cgit From 54abd2aa66069e6baf7769c496f46d9dba18db39 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 30 Sep 2005 17:13:37 +0000 Subject: r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3) --- source3/utils/net_rpc_join.c | 130 ++++++++++++++++++++++++------------------- 1 file changed, 73 insertions(+), 57 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 8d19ad888f..6b762563b3 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -35,7 +35,6 @@ goto done; \ } - /** * confirm that a domain join is still valid * 
@@ -44,44 +43,30 @@ **/ static int net_rpc_join_ok(const char *domain) { - struct cli_state *cli; - uchar stored_md4_trust_password[16]; + struct cli_state *cli = NULL; + struct rpc_pipe_client *pipe_hnd = NULL; int retval = 1; - uint32 channel; + NTSTATUS ret; /* Connect to remote machine */ if (!(cli = net_make_ipc_connection(NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC))) { return 1; } - if (!cli_nt_session_open(cli, PI_NETLOGON)) { - DEBUG(0,("Error connecting to NETLOGON pipe\n")); - goto done; - } + pipe_hnd = cli_rpc_pipe_open_schannel(cli, PI_NETLOGON, + PIPE_AUTH_LEVEL_PRIVACY, + domain, &ret); - if (!secrets_fetch_trust_account_password(domain, - stored_md4_trust_password, - NULL, &channel)) { - DEBUG(0,("Could not retreive domain trust secret")); + if (!pipe_hnd) { + DEBUG(0,("Error connecting to NETLOGON pipe. Error was %s\n", nt_errstr(ret) )); goto done; } - - /* ensure that schannel uses the right domain */ - fstrcpy(cli->domain, domain); - if (! NT_STATUS_IS_OK(cli_nt_establish_netlogon(cli, channel, stored_md4_trust_password))) { - DEBUG(0,("Error in domain join verfication (fresh connection)\n")); - goto done; - } - + retval = 0; /* Success! */ done: - /* Close down pipe - this will clean up open policy handles */ - if (cli->pipes[cli->pipe_idx].fnum) - cli_nt_session_close(cli); cli_shutdown(cli); - return retval; } @@ -103,7 +88,10 @@ int net_rpc_join_newstyle(int argc, const char **argv) struct cli_state *cli; TALLOC_CTX *mem_ctx; uint32 acb_info = ACB_WSTRUST; + uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL; uint32 sec_channel_type; + struct rpc_pipe_client *pipe_hnd = NULL; + struct rpc_pipe_client *netlogon_schannel_pipe = NULL; /* rpc variables */ @@ -151,7 +139,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) #endif } - /* Connect to remote machine */ + /* Make authenticated connection to remote machine */ if (!(cli = net_make_ipc_connection(NET_FLAGS_PDC))) return 1; 
@@ -163,38 +151,41 @@ int net_rpc_join_newstyle(int argc, const char **argv) /* Fetch domain sid */ - if (!cli_nt_session_open(cli, PI_LSARPC)) { - DEBUG(0, ("Error connecting to LSA pipe\n")); + pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &result); + if (!pipe_hnd) { + DEBUG(0, ("Error connecting to LSA pipe. Error was %s\n", + nt_errstr(result) )); goto done; } - CHECK_RPC_ERR(cli_lsa_open_policy(cli, mem_ctx, True, + CHECK_RPC_ERR(rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True, SEC_RIGHTS_MAXIMUM_ALLOWED, &lsa_pol), "error opening lsa policy handle"); - CHECK_RPC_ERR(cli_lsa_query_info_policy(cli, mem_ctx, &lsa_pol, + CHECK_RPC_ERR(rpccli_lsa_query_info_policy(pipe_hnd, mem_ctx, &lsa_pol, 5, &domain, &domain_sid), "error querying info policy"); - cli_lsa_close(cli, mem_ctx, &lsa_pol); - - cli_nt_session_close(cli); /* Done with this pipe */ + rpccli_lsa_close(pipe_hnd, mem_ctx, &lsa_pol); + cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */ /* Create domain user */ - if (!cli_nt_session_open(cli, PI_SAMR)) { - DEBUG(0, ("Error connecting to SAM pipe\n")); + pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &result); + if (!pipe_hnd) { + DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n", + nt_errstr(result) )); goto done; } - CHECK_RPC_ERR(cli_samr_connect(cli, mem_ctx, + CHECK_RPC_ERR(rpccli_samr_connect(pipe_hnd, mem_ctx, SEC_RIGHTS_MAXIMUM_ALLOWED, &sam_pol), "could not connect to SAM database"); - CHECK_RPC_ERR(cli_samr_open_domain(cli, mem_ctx, &sam_pol, + CHECK_RPC_ERR(rpccli_samr_open_domain(pipe_hnd, mem_ctx, &sam_pol, SEC_RIGHTS_MAXIMUM_ALLOWED, domain_sid, &domain_pol), "could not open domain"); @@ -204,7 +195,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) strlower_m(acct_name); const_acct_name = acct_name; - result = cli_samr_create_dom_user(cli, mem_ctx, &domain_pol, + result = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol, acct_name, acb_info, 0xe005000b, &user_pol, &user_rid); 
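Review bot: Two bare constants on the lines this commit rewrites need a name or a comment: the info class `5` passed to `rpccli_lsa_query_info_policy()` and the access mask `0xe005000b` passed to `rpccli_samr_create_dom_user()`. The mask decides which rights the tool requests on the new machine account, and a reader cannot audit it against least privilege without decoding the bits by hand. I would put a comment above the call, such as `/* desired access on the new account: <rights encoded in 0xe005000b> */`. The same goes for why the LSA policy handle is opened with `SEC_RIGHTS_MAXIMUM_ALLOWED` when this hunk uses it for a single query. net_rpc_join_newstyle continues outside both hunks.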
@@ -225,10 +216,11 @@ int net_rpc_join_newstyle(int argc, const char **argv) /* We *must* do this.... don't ask... */ - if (NT_STATUS_IS_OK(result)) - cli_samr_close(cli, mem_ctx, &user_pol); + if (NT_STATUS_IS_OK(result)) { + rpccli_samr_close(pipe_hnd, mem_ctx, &user_pol); + } - CHECK_RPC_ERR_DEBUG(cli_samr_lookup_names(cli, mem_ctx, + CHECK_RPC_ERR_DEBUG(rpccli_samr_lookup_names(pipe_hnd, mem_ctx, &domain_pol, flags, 1, &const_acct_name, &num_rids, @@ -246,7 +238,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) /* Open handle on user */ CHECK_RPC_ERR_DEBUG( - cli_samr_open_user(cli, mem_ctx, &domain_pol, + rpccli_samr_open_user(pipe_hnd, mem_ctx, &domain_pol, SEC_RIGHTS_MAXIMUM_ALLOWED, user_rid, &user_pol), ("could not re-open existing user %s: %s\n", @@ -273,7 +265,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) ctr.switch_value = 24; ctr.info.id24 = &p24; - CHECK_RPC_ERR(cli_samr_set_userinfo(cli, mem_ctx, &user_pol, 24, + CHECK_RPC_ERR(rpccli_samr_set_userinfo(pipe_hnd, mem_ctx, &user_pol, 24, &cli->user_session_key, &ctr), "error setting trust account password"); 
@@ -295,26 +287,52 @@ int net_rpc_join_newstyle(int argc, const char **argv) /* Ignoring the return value is necessary for joining a domain as a normal user with "Add workstation to domain" privilege. */ - result = cli_samr_set_userinfo2(cli, mem_ctx, &user_pol, 16, + result = rpccli_samr_set_userinfo2(pipe_hnd, mem_ctx, &user_pol, 16, &cli->user_session_key, &ctr); + rpccli_samr_close(pipe_hnd, mem_ctx, &user_pol); + cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */ + /* Now check the whole process from top-to-bottom */ - cli_samr_close(cli, mem_ctx, &user_pol); - cli_nt_session_close(cli); /* Done with this pipe */ - if (!cli_nt_session_open(cli, PI_NETLOGON)) { - DEBUG(0,("Error connecting to NETLOGON pipe\n")); + pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, &result); + if (!pipe_hnd) { + DEBUG(0,("Error connecting to NETLOGON pipe. Error was %s\n", + nt_errstr(result) )); goto done; } - /* ensure that schannel uses the right domain */ - fstrcpy(cli->domain, domain); + result = rpccli_netlogon_setup_creds(pipe_hnd, + cli->desthost, + domain, + global_myname(), + md4_trust_password, + sec_channel_type, + &neg_flags); + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(0, ("Error in domain join verification (credential setup failed): %s\n\n", + nt_errstr(result))); - result = cli_nt_establish_netlogon(cli, sec_channel_type, - md4_trust_password); + if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && + (sec_channel_type == SEC_CHAN_BDC) ) { + d_printf("Please make sure that no computer account\n" + "named like this machine (%s) exists in the domain\n", + global_myname()); + } + + goto done; + } + + netlogon_schannel_pipe = cli_rpc_pipe_open_schannel_with_key(cli, + PI_NETLOGON, + PIPE_AUTH_LEVEL_PRIVACY, + domain, + pipe_hnd->dc, + &result); if (!NT_STATUS_IS_OK(result)) { - DEBUG(0, ("Error domain join verification (reused connection): %s\n\n", + DEBUG(0, ("Error in domain join verification (schannel setup failed): %s\n\n", nt_errstr(result))); if ( 
NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && @@ -327,6 +345,9 @@ int net_rpc_join_newstyle(int argc, const char **argv) goto done; } + cli_rpc_pipe_close(pipe_hnd); + cli_rpc_pipe_close(netlogon_schannel_pipe); + /* Now store the secret in the secrets database */ strupper_m(domain); @@ -344,10 +365,6 @@ int net_rpc_join_newstyle(int argc, const char **argv) retval = net_rpc_join_ok(domain); done: - /* Close down pipe - this will clean up open policy handles */ - - if (cli->pipes[cli->pipe_idx].fnum) - cli_nt_session_close(cli); /* Display success or failure */ @@ -364,7 +381,6 @@ done: return retval; } - /** * check that a join is OK * -- cgit From 5678e4abb04e546735bff4907854ca32094a5b71 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 4 Nov 2005 00:03:55 +0000 Subject: r11492: Fix bug #3224 (I hope). Correctly use machine_account_name and client_name when doing netlogon credential setup. Jeremy. (This used to be commit 37e6ef9389041f58eada167239fd022f01c5fecb) --- source3/utils/net_rpc_join.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 6b762563b3..12e51a85d1 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -303,9 +303,10 @@ int net_rpc_join_newstyle(int argc, const char **argv) } result = rpccli_netlogon_setup_creds(pipe_hnd, - cli->desthost, - domain, - global_myname(), + cli->desthost, /* server name */ + domain, /* domain */ + global_myname(), /* client name */ + global_myname(), /* machine account name */ md4_trust_password, sec_channel_type, &neg_flags); -- cgit From c42be9fd38556a1cc2e16c8d763a592beb863806 Mon Sep 17 00:00:00 2001 
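Review bot: In the `@@ -295,26 +287,52 @@` hunk the outcome of `cli_rpc_pipe_open_schannel_with_key()` is judged by `result` alone, while every other pipe open in this commit tests the returned handle (`if (!pipe_hnd)`). Testing the pointer as well keeps the later `cli_rpc_pipe_close(netlogon_schannel_pipe)` from ever being handed NULL: `if (!netlogon_schannel_pipe) {`. The same status-only check is carried into the r13614 version of this block further down the page. The ACCESS_DENIED / SEC_CHAN_BDC hint is now duplicated in two failure branches and could move into one small static helper.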
From: Lars Müller Date: Tue, 17 Jan 2006 21:22:00 +0000 Subject: r12986: Use d_fprintf(stderr, ...) for any error message in net. All 'usage' messages are still printed to stdout. Fix some compiler warnings for system() calls where we didn't used the return code. Add appropriate error messages and return with the error code we got from system() or NT_STATUS_UNSUCCESSFUL. (This used to be commit f650e3bdafc4c6bcd7eb4bcf8b6b885b979919eb) --- source3/utils/net_rpc_join.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 12e51a85d1..6a5a7559c3 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -202,14 +202,14 @@ int net_rpc_join_newstyle(int argc, const char **argv) if (!NT_STATUS_IS_OK(result) && !NT_STATUS_EQUAL(result, NT_STATUS_USER_EXISTS)) { - d_printf("Creation of workstation account failed\n"); + d_fprintf(stderr, "Creation of workstation account failed\n"); /* If NT_STATUS_ACCESS_DENIED then we have a valid username/password combo but the user does not have administrator access. */ if (NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED)) - d_printf("User specified does not have administrator privileges\n"); + d_fprintf(stderr, "User specified does not have administrator privileges\n"); goto done; } @@ -317,7 +317,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && (sec_channel_type == SEC_CHAN_BDC) ) { - d_printf("Please make sure that no computer account\n" + d_fprintf(stderr, "Please make sure that no computer account\n" "named like this machine (%s) exists in the domain\n", global_myname()); } 
@@ -338,7 +338,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && (sec_channel_type == SEC_CHAN_BDC) ) { - d_printf("Please make sure that no computer account\n" + d_fprintf(stderr, "Please make sure that no computer account\n" "named like this machine (%s) exists in the domain\n", global_myname()); } -- cgit From 0d7f6d650dd3d2c77711d00ffb41e829bb49905f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 22 Feb 2006 04:56:53 +0000 Subject: r13614: First part of the bugfix for #3510 - net join fails against server with schannel disabled. Second part will come tomorrow (fixing net_rpc_join_ok()). Jeremy. (This used to be commit 7de1ee18619bf99c5db45692e085d0646e52378f) --- source3/utils/net_rpc_join.c | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 6a5a7559c3..29a27d8f64 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -88,10 +88,9 @@ int net_rpc_join_newstyle(int argc, const char **argv) struct cli_state *cli; TALLOC_CTX *mem_ctx; uint32 acb_info = ACB_WSTRUST; - uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL; + uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|(lp_client_schannel() ? NETLOGON_NEG_SCHANNEL : 0); uint32 sec_channel_type; struct rpc_pipe_client *pipe_hnd = NULL; - struct rpc_pipe_client *netlogon_schannel_pipe = NULL; /* rpc variables */ 
@@ -325,29 +324,37 @@ int net_rpc_join_newstyle(int argc, const char **argv) goto done; } - netlogon_schannel_pipe = cli_rpc_pipe_open_schannel_with_key(cli, + /* We can only check the schannel connection if the client is allowed + to do this and the server supports it. If not, just assume success + (after all the rpccli_netlogon_setup_creds() succeeded, and we'll + do the same again (setup creds) in net_rpc_join_ok(). JRA. */ + + if (lp_client_schannel() && (neg_flags & NETLOGON_NEG_SCHANNEL)) { + struct rpc_pipe_client *netlogon_schannel_pipe = + cli_rpc_pipe_open_schannel_with_key(cli, PI_NETLOGON, PIPE_AUTH_LEVEL_PRIVACY, domain, pipe_hnd->dc, &result); - if (!NT_STATUS_IS_OK(result)) { - DEBUG(0, ("Error in domain join verification (schannel setup failed): %s\n\n", - nt_errstr(result))); + if (!NT_STATUS_IS_OK(result)) { + DEBUG(0, ("Error in domain join verification (schannel setup failed): %s\n\n", + nt_errstr(result))); - if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && - (sec_channel_type == SEC_CHAN_BDC) ) { - d_fprintf(stderr, "Please make sure that no computer account\n" - "named like this machine (%s) exists in the domain\n", - global_myname()); - } + if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && + (sec_channel_type == SEC_CHAN_BDC) ) { + d_fprintf(stderr, "Please make sure that no computer account\n" + "named like this machine (%s) exists in the domain\n", + global_myname()); + } - goto done; + goto done; + } + cli_rpc_pipe_close(netlogon_schannel_pipe); } cli_rpc_pipe_close(pipe_hnd); - cli_rpc_pipe_close(netlogon_schannel_pipe); /* Now store the secret in the secrets database */ -- cgit From 202bc164ca11539a62a7e894330265df90319828 Mon Sep 17 00:00:00 2001 
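Review bot: The schannel verification is skipped without any message when `lp_client_schannel()` is false or the server cleared `NETLOGON_NEG_SCHANNEL` in `neg_flags`. A join that was never checked over a sealed channel therefore looks the same as one that was. If the `client schannel` setting can express "required" as well as "auto" (not visible here), the required case should fail the join rather than fall through. At minimum I would log the skip in an `else` branch: `DEBUG(3, ("schannel not negotiated with %s, join checked by credential setup only\n", cli->desthost));`. The r13641 rewrite of net_rpc_join_ok below has the same silent `return 0` paths.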
From: Jeremy Allison Date: Wed, 22 Feb 2006 21:18:23 +0000 Subject: r13641: Finish fix for #3510. Don't use client schannel when told not to, cope with a server that doesn't offer schannel also. Jeremy (This used to be commit 68005f6bdb70883eace0d9067c76c3360a803023) --- source3/utils/net_rpc_join.c | 52 +++++++++++++++++++++++++++++++++----------- 1 file changed, 39 insertions(+), 13 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 29a27d8f64..1f68da0d75 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c 
@@ -43,31 +43,57 @@ **/ static int net_rpc_join_ok(const char *domain) { + uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL; struct cli_state *cli = NULL; struct rpc_pipe_client *pipe_hnd = NULL; - int retval = 1; - NTSTATUS ret; + struct rpc_pipe_client *netlogon_pipe = NULL; + NTSTATUS ntret = NT_STATUS_UNSUCCESSFUL; /* Connect to remote machine */ if (!(cli = net_make_ipc_connection(NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC))) { - return 1; + return -1; } - pipe_hnd = cli_rpc_pipe_open_schannel(cli, PI_NETLOGON, - PIPE_AUTH_LEVEL_PRIVACY, - domain, &ret); + /* Setup the creds as though we're going to do schannel... */ + netlogon_pipe = get_schannel_session_key(cli, domain, &neg_flags, &ntret); + + /* We return NT_STATUS_INVALID_NETWORK_RESPONSE if the server is refusing + to negotiate schannel, but the creds were set up ok. That'll have to do. */ + + if (!netlogon_pipe) { + if (NT_STATUS_EQUAL(ntret, NT_STATUS_INVALID_NETWORK_RESPONSE)) { + cli_shutdown(cli); + return 0; + } else { + DEBUG(0,("net_rpc_join_ok: failed to get schannel session " + "key from server %s for domain %s. Error was %s\n", + cli->desthost, domain, nt_errstr(ntret) )); + cli_shutdown(cli); + return -1; + } + } - if (!pipe_hnd) { - DEBUG(0,("Error connecting to NETLOGON pipe. Error was %s\n", nt_errstr(ret) )); - goto done; + /* Only do the rest of the schannel test if the client is allowed to do this. */ + if (!lp_client_schannel()) { + cli_shutdown(cli); + /* We're good... */ + return 0; } - retval = 0; /* Success! */ - -done: + pipe_hnd = cli_rpc_pipe_open_schannel_with_key(cli, PI_NETLOGON, + PIPE_AUTH_LEVEL_PRIVACY, + domain, netlogon_pipe->dc, &ntret); + + if (!pipe_hnd) { + DEBUG(0,("net_rpc_join_ok: failed to open schannel session " + "on netlogon pipe to server %s for domain %s. Error was %s\n", + cli->desthost, domain, nt_errstr(ntret) )); + cli_shutdown(cli); + return -1; + } cli_shutdown(cli); - return retval; + return 0; } /** -- cgit 
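Review bot: Failures in net_rpc_join_ok now return -1 instead of 1, but the function comment still promises a shell status integer, and net_rpc_join_newstyle hands this value back as its own return (`retval = net_rpc_join_ok(domain);`). Either keep `return 1;` on the error paths or update the comment to `@return 0 if the join is valid, -1 otherwise`, and check what the callers turn it into. The rewrite also repeats `cli_shutdown(cli)` on every exit where the previous `done:` label covered it once. A single cleanup label would make it harder to miss the shutdown when another path is added.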
From cc7b53f67384d3ca2176323b9bff827f17997821 Mon Sep 17 00:00:00 2001 From: Jim McDonough Date: Thu, 9 Mar 2006 18:03:54 +0000 Subject: r14085: Fix coverity bg #152, uninit'ed var. (This used to be commit d8e69c18e0d34c99525080b3afaf2778be3a5ec2) --- source3/utils/net_rpc_join.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 1f68da0d75..ddd1623d8b 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -137,7 +137,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) NTSTATUS result; int retval = 1; - char *domain; + char *domain = NULL; uint32 num_rids, *name_types, *user_rids; uint32 flags = 0x3e8; char *acct_name; -- cgit From 485714ac6ba2f3c6dcacd116e055d4beb648492d Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 9 Mar 2006 18:35:57 +0000 Subject: r14087: Protect against domain being NULL. Finish Coverity #152. Jeremy. (This used to be commit 88dd4ab48127bb08fdeb0b5c236020e0b910f0d8) --- source3/utils/net_rpc_join.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index ddd1623d8b..d611940e65 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -196,6 +196,12 @@ int net_rpc_join_newstyle(int argc, const char **argv) rpccli_lsa_close(pipe_hnd, mem_ctx, &lsa_pol); cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */ + /* Bail out if domain didn't get set. */ + if (!domain) { + DEBUG(0, ("Could not get domain name.\n")); + goto done; + } + /* Create domain user */ pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &result); if (!pipe_hnd) { 
@@ -402,10 +408,12 @@ done: /* Display success or failure */ - if (retval != 0) { - fprintf(stderr,"Unable to join domain %s.\n",domain); - } else { - printf("Joined domain %s.\n",domain); + if (domain) { + if (retval != 0) { + fprintf(stderr,"Unable to join domain %s.\n",domain); + } else { + printf("Joined domain %s.\n",domain); + } } cli_shutdown(cli); -- cgit From 2c029a8b96ae476f1d5c2abe14ee25f98a1513d8 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 12 May 2006 15:17:35 +0000 Subject: r15543: New implementation of 'net ads join' to be more like Windows XP. The motivating factor is to not require more privileges for the user account than Windows does when joining a domain. The points of interest are * net_ads_join() uses same rpc mechanisms as net_rpc_join() * Enable CLDAP queries for filling in the majority of the ADS_STRUCT->config information * Remove ldap_initialized() from sam/idmap_ad.c and libads/ldap.c * Remove some unnecessary fields from ADS_STRUCT * Manually set the dNSHostName and servicePrincipalName attribute using the machine account after the join Thanks to Guenther and Simo for the review. Still to do: * Fix the userAccountControl for DES only systems * Set the userPrincipalName in order to support things like 'kinit -k' (although we might be able to just use the sAMAccountName instead) * Re-add support for pre-creating the machine account in a specific OU (This used to be commit 4c4ea7b20f44cd200cef8c7b389d51b72eccc39b) --- source3/utils/net_rpc_join.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index d611940e65..2c55b0e946 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c 
@@ -41,7 +41,7 @@ * @return A shell status integer (0 for success) * **/ -static int net_rpc_join_ok(const char *domain) +int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip ) { uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL; struct cli_state *cli = NULL; @@ -50,7 +50,7 @@ static int net_rpc_join_ok(const char *domain) NTSTATUS ntret = NT_STATUS_UNSUCCESSFUL; /* Connect to remote machine */ - if (!(cli = net_make_ipc_connection(NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC))) { + if (!(cli = net_make_ipc_connection_ex(domain, server, ip, (NET_FLAGS_ANONYMOUS|NET_FLAGS_PDC)))) { return -1; } @@ -402,7 +402,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) } /* double-check, connection from scratch */ - retval = net_rpc_join_ok(domain); + retval = net_rpc_join_ok(domain, cli->desthost, &cli->dest_ip); done: @@ -434,7 +434,7 @@ int net_rpc_testjoin(int argc, const char **argv) char *domain = smb_xstrdup(opt_target_workgroup); /* Display success or failure */ - if (net_rpc_join_ok(domain) != 0) { + if (net_rpc_join_ok(domain, NULL, NULL) != 0) { fprintf(stderr,"Join to domain '%s' is not valid\n",domain); free(domain); return -1; -- cgit From e7fc37cf0f4bd2c0f25865fb07d1bff27b239130 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 19 Jun 2006 19:07:39 +0000 Subject: r16360: Fix Klocwork ID 136 520 521 522 523 542 574 575 576 607 in net_rpc.c: 715 716 732 734 735 736 737 738 739 749 in net_rpc_audit.c: 754 755 756 in net_rpc_join.c: 757 in net_rpc_registry: 766 767 in net_rpc_samsync.c: 771 773 in net_sam.c: 797 798 Volker (This used to be commit 3df0bf7d6050fd7c9ace72487d4f74d92e30a584) --- source3/utils/net_rpc_join.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 2c55b0e946..d23bd76751 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c 
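Review bot: net_rpc_join_ok becomes a non-static function with two new parameters, but the doc comment above it (visible only as context) is not extended. Add `@param server` and `@param ip` lines and state that both may be NULL, which is how net_rpc_testjoin calls it in the last hunk. NULL presumably means "locate a DC for the domain"; confirm that against net_make_ipc_connection_ex() before writing it down. Since this page is limited to net_rpc_join.c, it does not show whether a prototype was added to the shared header.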
@@ -222,7 +222,10 @@ int net_rpc_join_newstyle(int argc, const char **argv) "could not open domain"); /* Create domain user */ - acct_name = talloc_asprintf(mem_ctx, "%s$", global_myname()); + if ((acct_name = talloc_asprintf(mem_ctx, "%s$", global_myname())) == NULL) { + result = NT_STATUS_NO_MEMORY; + goto done; + } strlower_m(acct_name); const_acct_name = acct_name; -- cgit From 05ba38f7549f91670761928f1c959b65eb4bcec1 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 20 Sep 2006 22:49:02 +0000 Subject: r18747: replace rpccli_lsa_close() with rpccli_lsa_Close() (This used to be commit 50d74ce0488a9bd0980cdc6d523a210f6238ef74) --- source3/utils/net_rpc_join.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index d23bd76751..ba3c619012 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -193,7 +193,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) 5, &domain, &domain_sid), "error querying info policy"); - rpccli_lsa_close(pipe_hnd, mem_ctx, &lsa_pol); + rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol); cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */ /* Bail out if domain didn't get set. */ -- cgit From aa6055debd078504f6a7ed861443b02672fc9067 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 13 Mar 2007 16:13:24 +0000 Subject: r21823: Let secrets_store_machine_password() also store the account name. Not used yet, the next step will be a secrets_fetch_machine_account() function that also pulls the account name to be used in the appropriate places. Volker (This used to be commit f94e5af72e282f70ca5454cdf3aed510b747eb93) --- source3/utils/net_rpc_join.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index ba3c619012..01973d2635 100644 
--- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -400,7 +400,9 @@ int net_rpc_join_newstyle(int argc, const char **argv) goto done; } - if (!secrets_store_machine_password(clear_trust_password, domain, sec_channel_type)) { + if (!secrets_store_machine_password(clear_trust_password, + global_myname(), domain, + sec_channel_type)) { DEBUG(0, ("error storing plaintext domain secrets for %s\n", domain)); } -- cgit From f56da0890f645c4cecac7c60f67573e1f609fd4f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 13 Mar 2007 20:53:38 +0000 Subject: r21831: Back out r21823 for a while, this is going into a bzr tree first. Volker (This used to be commit fd0ee6722ddfcb64b5cc9c699375524ae3d8709b) --- source3/utils/net_rpc_join.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 01973d2635..ba3c619012 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -400,9 +400,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) goto done; } - if (!secrets_store_machine_password(clear_trust_password, - global_myname(), domain, - sec_channel_type)) { + if (!secrets_store_machine_password(clear_trust_password, domain, sec_channel_type)) { DEBUG(0, ("error storing plaintext domain secrets for %s\n", domain)); } -- cgit From d824b98f80ba186030cbb70b3a1e5daf80469ecd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 9 Jul 2007 19:25:36 +0000 Subject: r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3) --- source3/utils/net_rpc_join.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index ba3c619012..2f04d3951a 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c 
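Review bot: A failed `secrets_store_machine_password()` is only logged at DEBUG(0), and as far as the r21823 hunk shows, execution then continues to the join check, unlike the block just above it which ends in `goto done;`. By that point the trust account password has already been set on the DC, so the host would be left with a secret it did not persist. I would fail the join by adding `goto done;` after the DEBUG line; `retval` should still be non-zero there if the initialisation seen in other hunks holds. The r21831 revert on the same line restores the older call with the same gap.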
@@ -6,7 +6,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, -- cgit From 5e54558c6dea67b56bbfaba5698f3a434d3dffb6 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 00:52:41 +0000 Subject: r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text (This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07) --- source3/utils/net_rpc_join.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 2f04d3951a..558de8d8b4 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -15,8 +15,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ + along with this program. If not, see . */ #include "includes.h" #include "utils/net.h" -- cgit From 48853f0badc92b86c18ed3daad3d45f8d74c5cac Mon Sep 17 00:00:00 2001 
From: Rafal Szczesniak Date: Wed, 29 Aug 2007 19:55:13 +0000 Subject: r24789: Add implementation of machine-authenticated connection to netlogon pipe used when connecting to win2k and newer domain controllers. The server may be configured to deny anonymous netlogon connections which would stop domain join verification step. Still, winnt domains require such smb sessions not to be authenticated using machine credentials. Creds employed in smb session cannot have a username in upn form, so provide the separate function to use machine account. rafal (This used to be commit 30d99d8ac3379caadc5bdb353977149d1ee16403) --- source3/utils/net_rpc_join.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 558de8d8b4..1097eb9575 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -42,14 +42,29 @@ **/ int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip ) { + enum security_types sec; + unsigned int conn_flags = NET_FLAGS_PDC; uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL; struct cli_state *cli = NULL; struct rpc_pipe_client *pipe_hnd = NULL; struct rpc_pipe_client *netlogon_pipe = NULL; NTSTATUS ntret = NT_STATUS_UNSUCCESSFUL; + sec = (enum security_types)lp_security(); + + if (sec == SEC_ADS) { + /* Connect to IPC$ using machine account's credentials. We don't use anonymous + connection here, as it may be denied by server's local policy. */ + net_use_machine_account(); + + } else { + /* some servers (e.g. WinNT) don't accept machine-authenticated + smb connections */ + conn_flags |= NET_FLAGS_ANONYMOUS; + } + /* Connect to remote machine */ - if (!(cli = net_make_ipc_connection_ex(domain, server, ip, (NET_FLAGS_ANONYMOUS|NET_FLAGS_PDC)))) { + if (!(cli = net_make_ipc_connection_ex(domain, server, ip, conn_flags))) { return -1; } -- cgit 
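Review bot: The call `net_use_machine_account();` in the `SEC_ADS` branch is a bare statement, so a failure to load the machine credentials goes unnoticed before `net_make_ipc_connection_ex()` runs. Its declaration is not in this hunk; if it returns a status, check it and bail out, e.g. `if (net_use_machine_account() != 0) { return -1; }`, so that a missing or unreadable machine secret is reported as such rather than as a generic connection failure. The choice between machine and anonymous credentials also rests on the local `lp_security()` setting rather than on anything learned from the server, which deserves a line in the function's doc comment. The body of `net_rpc_join_ok` continues outside the hunk.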
From 1130482add933d6a3e0b7f13717e0ae72588c6a2 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Mon, 17 Sep 2007 15:11:20 +0000 Subject: r25197: Change net_make_ipc_connection() and net_make_ipc_connection_ex() to return NTSTATUS to allow for better error propagation. Michael (This used to be commit 46093004a788dae83a4ddb888ca5d72f555c236c) --- source3/utils/net_rpc_join.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 1097eb9575..571d8016b9 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -64,7 +64,8 @@ int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip ) } /* Connect to remote machine */ - if (!(cli = net_make_ipc_connection_ex(domain, server, ip, conn_flags))) { + ntret = net_make_ipc_connection_ex(domain, server, ip, conn_flags, &cli); + if (!NT_STATUS_IS_OK(ntret)) { return -1; } @@ -180,8 +181,10 @@ int net_rpc_join_newstyle(int argc, const char **argv) /* Make authenticated connection to remote machine */ - if (!(cli = net_make_ipc_connection(NET_FLAGS_PDC))) + result = net_make_ipc_connection(NET_FLAGS_PDC, &cli); + if (!NT_STATUS_IS_OK(result)) { return 1; + } if (!(mem_ctx = talloc_init("net_rpc_join_newstyle"))) { DEBUG(0, ("Could not initialise talloc context\n")); -- cgit From 4dc265d6a0fe799006ac5be79114a145b3a114c5 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Mon, 17 Sep 2007 15:34:22 +0000 Subject: r25198: Change net_rpc_join_ok() to return NTSTATUS for better error propagation. Michael (This used to be commit 5a16da2185f07d1f48fabd93a7a6b8f2d6b91089) --- source3/utils/net_rpc_join.c | 31 +++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 571d8016b9..b32fa27284 100644 --- a/source3/utils/net_rpc_join.c 
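Review bot: In the second hunk (`net_rpc_join_newstyle`) the `result` obtained from `net_make_ipc_connection()` is dropped by `return 1;`, so the status this commit starts returning never reaches the operator. Unless the callee already logs it, add `DEBUG(0, ("net_rpc_join_newstyle: IPC connection failed: %s\n", nt_errstr(result)));` before the return. The first hunk has the same shape in `net_rpc_join_ok`, where a failed `ntret` becomes a bare `return -1;`. Both function bodies extend beyond the hunks.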
+++ b/source3/utils/net_rpc_join.c @@ -40,7 +40,8 @@ * @return A shell status integer (0 for success) * **/ -int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip ) +NTSTATUS net_rpc_join_ok(const char *domain, const char *server, + struct in_addr *ip) { enum security_types sec; unsigned int conn_flags = NET_FLAGS_PDC; @@ -66,7 +67,7 @@ int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip ) /* Connect to remote machine */ ntret = net_make_ipc_connection_ex(domain, server, ip, conn_flags, &cli); if (!NT_STATUS_IS_OK(ntret)) { - return -1; + return ntret; } /* Setup the creds as though we're going to do schannel... */ @@ -78,13 +79,13 @@ int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip ) if (!netlogon_pipe) { if (NT_STATUS_EQUAL(ntret, NT_STATUS_INVALID_NETWORK_RESPONSE)) { cli_shutdown(cli); - return 0; + return NT_STATUS_OK; } else { DEBUG(0,("net_rpc_join_ok: failed to get schannel session " "key from server %s for domain %s. Error was %s\n", cli->desthost, domain, nt_errstr(ntret) )); cli_shutdown(cli); - return -1; + return ntret; } } @@ -92,7 +93,7 @@ int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip ) if (!lp_client_schannel()) { cli_shutdown(cli); /* We're good... */ - return 0; + return ntret; } pipe_hnd = cli_rpc_pipe_open_schannel_with_key(cli, PI_NETLOGON, @@ -103,12 +104,14 @@ int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip ) DEBUG(0,("net_rpc_join_ok: failed to open schannel session " "on netlogon pipe to server %s for domain %s. Error was %s\n", cli->desthost, domain, nt_errstr(ntret) )); - cli_shutdown(cli); - return -1; + /* + * Note: here, we have: + * (pipe_hnd != NULL) if and only if NT_STATUS_IS_OK(ntret) + */ } cli_shutdown(cli); - return 0; + return ntret; } /** 
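Review bot: The doc comment kept as context in the first hunk still reads `@return A shell status integer (0 for success)` although the signature below it now returns `NTSTATUS`. Update it to something like `@return NT_STATUS_OK if the join is valid, otherwise the NT status of the step that failed`. The comment should also say that `NT_STATUS_INVALID_NETWORK_RESPONSE` from the schannel setup is reported as `NT_STATUS_OK` (third hunk), because callers now treat the return value as the verdict on the join.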
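Review bot: The last hunk of this commit makes the failed-schannel branch fall through to `return ntret;` and relies on the invariant stated in the new comment, that `pipe_hnd` is non-NULL exactly when `ntret` is OK, without enforcing it. If `cli_rpc_pipe_open_schannel_with_key()` ever returns NULL without writing a failure into `ntret`, the success left by the earlier step is returned and the join is reported as valid although the schannel pipe could not be opened. Making the branch fail closed costs one line after the `DEBUG`: `if (NT_STATUS_IS_OK(ntret)) { ntret = NT_STATUS_UNSUCCESSFUL; }`. The `if` that guards this branch and the rest of the call are outside the hunk.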
@@ -422,8 +425,9 @@ int net_rpc_join_newstyle(int argc, const char **argv) } /* double-check, connection from scratch */ - retval = net_rpc_join_ok(domain, cli->desthost, &cli->dest_ip); - + result = net_rpc_join_ok(domain, cli->desthost, &cli->dest_ip); + retval = NT_STATUS_IS_OK(result) ? 0 : -1; + done: /* Display success or failure */ @@ -452,10 +456,13 @@ done: int net_rpc_testjoin(int argc, const char **argv) { char *domain = smb_xstrdup(opt_target_workgroup); + NTSTATUS nt_status; /* Display success or failure */ - if (net_rpc_join_ok(domain, NULL, NULL) != 0) { - fprintf(stderr,"Join to domain '%s' is not valid\n",domain); + nt_status = net_rpc_join_ok(domain, NULL, NULL); + if (!NT_STATUS_IS_OK(nt_status)) { + fprintf(stderr,"Join to domain '%s' is not valid: %s\n", + nt_errstr(nt_status), domain); free(domain); return -1; } -- cgit From 3529156971e17c7ec13f6a6243f7b613e4666cdd Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 28 Sep 2007 03:54:42 +0000 Subject: r25400: Windows 2008 (Longhorn) Interop fixes for AD specific auth2 flags, and client fixes. Patch from Todd Stetcher . (This used to be commit 8304ccba7346597425307e260e88647e49081f68) --- source3/utils/net_rpc_join.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index b32fa27284..0561548c8f 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -45,7 +45,7 @@ NTSTATUS net_rpc_join_ok(const char *domain, const char *server, { enum security_types sec; unsigned int conn_flags = NET_FLAGS_PDC; - uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL; + uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL; struct cli_state *cli = NULL; struct rpc_pipe_client *pipe_hnd = NULL; struct rpc_pipe_client *netlogon_pipe = NULL; 
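Review bot: The arguments to the new `fprintf` in `net_rpc_testjoin` are in the wrong order for its format string: `'%s' is not valid: %s` receives `nt_errstr(nt_status)` first and `domain` second, so the status text is printed as the domain name. Both are strings, so the compiler will not warn; swap them to `domain, nt_errstr(nt_status));`. The rest of `net_rpc_testjoin` is outside the hunk.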
@@ -132,7 +132,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) struct cli_state *cli; TALLOC_CTX *mem_ctx; uint32 acb_info = ACB_WSTRUST; - uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|(lp_client_schannel() ? NETLOGON_NEG_SCHANNEL : 0); + uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|(lp_client_schannel() ? NETLOGON_NEG_SCHANNEL : 0); uint32 sec_channel_type; struct rpc_pipe_client *pipe_hnd = NULL; -- cgit From 5221ebb299081da6a806362212c6a8ceb9cc70a8 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 28 Sep 2007 18:15:34 +0000 Subject: r25407: Revert Longhorn join patch as it is not correct for the 3.2 tree. The translate_name() used by cli_session_setup_spnego() cann rely Winbindd since it is needed by the join process (and hence before Winbind can be run). (This used to be commit 00a93ed336c5f36643e6e33bd277608eaf05677c) --- source3/utils/net_rpc_join.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 0561548c8f..b32fa27284 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -45,7 +45,7 @@ NTSTATUS net_rpc_join_ok(const char *domain, const char *server, { enum security_types sec; unsigned int conn_flags = NET_FLAGS_PDC; - uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL; + uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL; struct cli_state *cli = NULL; struct rpc_pipe_client *pipe_hnd = NULL; struct rpc_pipe_client *netlogon_pipe = NULL; 
@@ -132,7 +132,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) struct cli_state *cli; TALLOC_CTX *mem_ctx; uint32 acb_info = ACB_WSTRUST; - uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|(lp_client_schannel() ? NETLOGON_NEG_SCHANNEL : 0); + uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|(lp_client_schannel() ? NETLOGON_NEG_SCHANNEL : 0); uint32 sec_channel_type; struct rpc_pipe_client *pipe_hnd = NULL; -- cgit From f88b7a076be74a29a3bf876b4e2705f4a1ecf42b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 24 Oct 2007 14:16:54 -0700 Subject: This is a large patch (sorry). Migrate from struct in_addr to struct sockaddr_storage in most places that matter (ie. not the nmbd and NetBIOS lookups). This passes make test on an IPv4 box, but I'll have to do more work/testing on IPv6 enabled boxes. This should now give us a framework for testing and finishing the IPv6 migration. It's at the state where someone with a working IPv6 setup should (theorecically) be able to type : smbclient //ipv6-address/share and have it work. Jeremy. (This used to be commit 98e154c3125d5732c37a72d74b0eb5cd7b6155fd) --- source3/utils/net_rpc_join.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index b32fa27284..0c25a53365 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -41,7 +41,7 @@ * **/ NTSTATUS net_rpc_join_ok(const char *domain, const char *server, - struct in_addr *ip) + struct sockaddr_storage *pss) { enum security_types sec; unsigned int conn_flags = NET_FLAGS_PDC; @@ -65,7 +65,7 @@ NTSTATUS net_rpc_join_ok(const char *domain, const char *server, } /* Connect to remote machine */ - ntret = net_make_ipc_connection_ex(domain, server, ip, conn_flags, &cli); + ntret = net_make_ipc_connection_ex(domain, server, pss, conn_flags, &cli); if (!NT_STATUS_IS_OK(ntret)) { return ntret; } 
@@ -425,7 +425,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) } /* double-check, connection from scratch */ - result = net_rpc_join_ok(domain, cli->desthost, &cli->dest_ip); + result = net_rpc_join_ok(domain, cli->desthost, &cli->dest_ss); retval = NT_STATUS_IS_OK(result) ? 0 : -1; done: -- cgit From c920764b1960f86482a24d4b4462664b07d4f1a9 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 15 Jan 2008 16:40:02 +0100 Subject: Apply const to rpccli_lsa_query_info_policy() and rpccli_lsa_query_info_policy2(). Guenther (This used to be commit 7a3fe68bef7acde9d9f8a7a44ce7e9432f3c5a95) --- source3/utils/net_rpc_join.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 0c25a53365..6e37f3c84c 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -155,7 +155,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) NTSTATUS result; int retval = 1; - char *domain = NULL; + const char *domain = NULL; uint32 num_rids, *name_types, *user_rids; uint32 flags = 0x3e8; char *acct_name; @@ -413,7 +413,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) /* Now store the secret in the secrets database */ - strupper_m(domain); + strupper_m(CONST_DISCARD(char *, domain)); if (!secrets_store_domain_sid(domain, domain_sid)) { DEBUG(0, ("error storing domain sid for %s\n", domain)); -- cgit From a0186fb78d05aa997b114eee6afabaf138540ab8 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 23 Jan 2008 13:54:02 -0800 Subject: Forward ported version of Matt Geddes patch for adding acct_flags to rpccli_samr_create_dom_user(). Jerry please test. Jeremy. (This used to be commit 7d94f97947b7edfcf3ec52f0125e4593d6d54c05) --- source3/utils/net_rpc_join.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') 
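Review bot: `strupper_m(CONST_DISCARD(char *, domain));` in the second hunk of the const change writes through the pointer that the first hunk has just declared `const char *domain`, which defeats the qualifier and modifies a buffer this function does not visibly own. Upper-case a private copy instead, e.g. `char *dom_upper = talloc_strdup(mem_ctx, domain);` followed by a NULL check and `strupper_m(dom_upper);`, and pass that copy to the `secrets_store_*` calls. The body of `net_rpc_join_newstyle` extends beyond both hunks, so other uses of `domain` after this point should be checked as well.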
diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 6e37f3c84c..de8ea743b4 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -160,6 +160,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) uint32 flags = 0x3e8; char *acct_name; const char *const_acct_name; + uint32 acct_flags=0; /* check what type of join */ if (argc >= 0) { @@ -249,9 +250,14 @@ int net_rpc_join_newstyle(int argc, const char **argv) strlower_m(acct_name); const_acct_name = acct_name; + acct_flags = SAMR_GENERIC_READ | SAMR_GENERIC_WRITE | + SAMR_GENERIC_EXECUTE | SAMR_STANDARD_WRITEDAC | + SAMR_STANDARD_DELETE | SAMR_USER_SETPASS | SAMR_USER_GETATTR | + SAMR_USER_SETATTR; + DEBUG(10, ("Creating account with flags: %d\n",acct_flags)); result = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol, acct_name, acb_info, - 0xe005000b, &user_pol, + acct_flags, &user_pol, &user_rid); if (!NT_STATUS_IS_OK(result) && -- cgit From 691c4b1a4175e3d4a073c396a2a7d8d315cd42bd Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 17 Jan 2008 10:11:11 +0100 Subject: Windows 2008 (Longhorn) auth2 flag fixes. Interop fixes for AD specific flags. Original patch from Todd Stetcher. (This used to be commit 5aadfcdaacd6f136eab9e107a88b8544e6d2105f) --- source3/utils/net_rpc_join.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index de8ea743b4..5c3fb2b2ff 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c 
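Review bot: The symbolic mask assigned to `acct_flags` replaces the literal `0xe005000b` in the `rpccli_samr_create_dom_user()` call, and nothing in the hunk shows that the OR of the eight constants equals it; please confirm the value or state in the commit message that the requested access changes. The variable holds an access mask, so the name `acct_flags` next to `acb_info` is easy to misread; `access_mask` would say what it is. The debug line prints a `uint32` with `%d`; `DEBUG(10, ("Creating account with access mask: 0x%08x\n", acct_flags));` matches the type and is easier to compare with the old literal. The enclosing function extends beyond the hunk.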
@@ -45,7 +45,7 @@ NTSTATUS net_rpc_join_ok(const char *domain, const char *server, { enum security_types sec; unsigned int conn_flags = NET_FLAGS_PDC; - uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL; + uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL; struct cli_state *cli = NULL; struct rpc_pipe_client *pipe_hnd = NULL; struct rpc_pipe_client *netlogon_pipe = NULL; @@ -132,7 +132,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) struct cli_state *cli; TALLOC_CTX *mem_ctx; uint32 acb_info = ACB_WSTRUST; - uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|(lp_client_schannel() ? NETLOGON_NEG_SCHANNEL : 0); + uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|(lp_client_schannel() ? NETLOGON_NEG_SCHANNEL : 0); uint32 sec_channel_type; struct rpc_pipe_client *pipe_hnd = NULL; -- cgit From 92183450f1eedd2892ed8612ccaf97c65098c636 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 25 Jan 2008 01:00:51 +0100 Subject: Trying to avoid defining new SAMR acct creation flags when we already have them with different names. Matt, Jeremy, please check. Guenther (This used to be commit d4a9e46edf7336f673c001c559af96eb0ecf9f6f) --- source3/utils/net_rpc_join.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 5c3fb2b2ff..271219938e 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c 
@@ -250,11 +250,14 @@ int net_rpc_join_newstyle(int argc, const char **argv) strlower_m(acct_name); const_acct_name = acct_name; - acct_flags = SAMR_GENERIC_READ | SAMR_GENERIC_WRITE | - SAMR_GENERIC_EXECUTE | SAMR_STANDARD_WRITEDAC | - SAMR_STANDARD_DELETE | SAMR_USER_SETPASS | SAMR_USER_GETATTR | - SAMR_USER_SETATTR; + acct_flags = SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE | + SEC_STD_WRITE_DAC | SEC_STD_DELETE | + SAMR_USER_ACCESS_SET_PASSWORD | + SAMR_USER_ACCESS_GET_ATTRIBUTES | + SAMR_USER_ACCESS_SET_ATTRIBUTES; + DEBUG(10, ("Creating account with flags: %d\n",acct_flags)); + result = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol, acct_name, acb_info, acct_flags, &user_pol, -- cgit From 5334b364c21599fe055b32bbbd1e8cf7488b1fa7 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 30 Jan 2008 12:39:20 +0100 Subject: Remove rpccli_samr_close and use pidl generated function instead. Guenther (This used to be commit 64f0889401855ab76953bfae5db4fe4df19ad8a5) --- source3/utils/net_rpc_join.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 271219938e..de8661b0df 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -280,7 +280,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) /* We *must* do this.... don't ask... */ if (NT_STATUS_IS_OK(result)) { - rpccli_samr_close(pipe_hnd, mem_ctx, &user_pol); + rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol); } CHECK_RPC_ERR_DEBUG(rpccli_samr_lookup_names(pipe_hnd, mem_ctx, 
@@ -353,7 +353,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) result = rpccli_samr_set_userinfo2(pipe_hnd, mem_ctx, &user_pol, 16, &cli->user_session_key, &ctr); - rpccli_samr_close(pipe_hnd, mem_ctx, &user_pol); + rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol); cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */ /* Now check the whole process from top-to-bottom */ -- cgit From 42960f817a9fd439557d1be2f3ca3603a35489ce Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 1 Feb 2008 11:12:05 +0100 Subject: Use rpccli_samr_OpenDomain() all over the place. Guenther (This used to be commit e4e9d72724d547e1405b2ed4cec509d50ec88c8d) --- source3/utils/net_rpc_join.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index de8661b0df..41ee4f2c36 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -236,10 +236,12 @@ int net_rpc_join_newstyle(int argc, const char **argv) &sam_pol), "could not connect to SAM database"); - - CHECK_RPC_ERR(rpccli_samr_open_domain(pipe_hnd, mem_ctx, &sam_pol, - SEC_RIGHTS_MAXIMUM_ALLOWED, - domain_sid, &domain_pol), + + CHECK_RPC_ERR(rpccli_samr_OpenDomain(pipe_hnd, mem_ctx, + &sam_pol, + SEC_RIGHTS_MAXIMUM_ALLOWED, + domain_sid, + &domain_pol), "could not open domain"); /* Create domain user */ -- cgit From 37b56c0113263a741c62100cd4b13388cb2a83fa Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 1 Feb 2008 11:57:53 +0100 Subject: Use rpccli_samr_OpenUser() all over the place. Guenther (This used to be commit da90eb7653554d242da83ed98adae35ced3a2938) --- source3/utils/net_rpc_join.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 41ee4f2c36..dbce7e9a43 100644 --- a/source3/utils/net_rpc_join.c 
+++ b/source3/utils/net_rpc_join.c @@ -303,9 +303,11 @@ int net_rpc_join_newstyle(int argc, const char **argv) /* Open handle on user */ CHECK_RPC_ERR_DEBUG( - rpccli_samr_open_user(pipe_hnd, mem_ctx, &domain_pol, - SEC_RIGHTS_MAXIMUM_ALLOWED, - user_rid, &user_pol), + rpccli_samr_OpenUser(pipe_hnd, mem_ctx, + &domain_pol, + SEC_RIGHTS_MAXIMUM_ALLOWED, + user_rid, + &user_pol), ("could not re-open existing user %s: %s\n", acct_name, nt_errstr(result))); -- cgit From ddbe4ea6b79b511927d4d130cb345b873b12cc0e Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 1 Feb 2008 14:21:54 +0100 Subject: Use rpccli_samr_CreateUser2() all over the place. Guenther (This used to be commit 701af69118c9634c7dc0d5c10152ce776787694d) --- source3/utils/net_rpc_join.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index dbce7e9a43..27819bb6ab 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -34,6 +34,12 @@ goto done; \ } +static void init_lsa_String(struct lsa_String *name, const char *s) +{ + name->string = s; +} + + /** * confirm that a domain join is still valid * @@ -160,7 +166,9 @@ int net_rpc_join_newstyle(int argc, const char **argv) uint32 flags = 0x3e8; char *acct_name; const char *const_acct_name; + struct lsa_String lsa_acct_name; uint32 acct_flags=0; + uint32_t access_granted = 0; /* check what type of join */ if (argc >= 0) { @@ -252,6 +260,8 @@ int net_rpc_join_newstyle(int argc, const char **argv) strlower_m(acct_name); const_acct_name = acct_name; + init_lsa_String(&lsa_acct_name, acct_name); + acct_flags = SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE | SEC_STD_WRITE_DAC | SEC_STD_DELETE | SAMR_USER_ACCESS_SET_PASSWORD | 
@@ -260,10 +270,14 @@ int net_rpc_join_newstyle(int argc, const char **argv) DEBUG(10, ("Creating account with flags: %d\n",acct_flags)); - result = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol, - acct_name, acb_info, - acct_flags, &user_pol, - &user_rid); + result = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx, + &domain_pol, + &lsa_acct_name, + acb_info, + acct_flags, + &user_pol, + &access_granted, + &user_rid); if (!NT_STATUS_IS_OK(result) && !NT_STATUS_EQUAL(result, NT_STATUS_USER_EXISTS)) { -- cgit From 270ba9c238400f49d32c57a9a1bbde6ad63bb555 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 4 Feb 2008 19:43:07 +0100 Subject: Use rpccli_samr_Connect2() all over the place. Guenther (This used to be commit bdf8d562621e1a09bf83e2009dec24966e7fdf22) --- source3/utils/net_rpc_join.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 27819bb6ab..d678029c46 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -239,9 +239,10 @@ int net_rpc_join_newstyle(int argc, const char **argv) goto done; } - CHECK_RPC_ERR(rpccli_samr_connect(pipe_hnd, mem_ctx, - SEC_RIGHTS_MAXIMUM_ALLOWED, - &sam_pol), + CHECK_RPC_ERR(rpccli_samr_Connect2(pipe_hnd, mem_ctx, + pipe_hnd->cli->desthost, + SEC_RIGHTS_MAXIMUM_ALLOWED, + &sam_pol), "could not connect to SAM database"); -- cgit From 7520439dcac47bc60a8d5526f4acb834f177fec9 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 8 Feb 2008 02:12:30 +0100 Subject: Use rpccli_lsa_QueryInfoPolicy() all over the place. Guenther (This used to be commit ce22abcea3446e4ad42e8e04654b9855b173c5a1) --- source3/utils/net_rpc_join.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index d678029c46..939a7246f7 100644 
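Review bot: On the tolerated `NT_STATUS_USER_EXISTS` path the out-parameters of `rpccli_samr_CreateUser2()` do not come from a successful create: `access_granted` stays at its initial 0, and `user_pol` and `user_rid` hold whatever they held before the call. The code shown does not use them on that path, but nothing says so; a comment above the status check such as `/* user_pol, access_granted and user_rid are valid only if result is NT_STATUS_OK */` would keep a later change from relying on them. `access_granted` is not read anywhere in the hunks shown, so it could also be compared with `acct_flags` to notice a server that granted less than the join needs. The function body extends beyond the hunk.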
--- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -169,6 +169,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) struct lsa_String lsa_acct_name; uint32 acct_flags=0; uint32_t access_granted = 0; + union lsa_PolicyInformation *info = NULL; /* check what type of join */ if (argc >= 0) { @@ -218,10 +219,15 @@ int net_rpc_join_newstyle(int argc, const char **argv) &lsa_pol), "error opening lsa policy handle"); - CHECK_RPC_ERR(rpccli_lsa_query_info_policy(pipe_hnd, mem_ctx, &lsa_pol, - 5, &domain, &domain_sid), + CHECK_RPC_ERR(rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx, + &lsa_pol, + LSA_POLICY_INFO_ACCOUNT_DOMAIN, + &info), "error querying info policy"); + domain = info->account_domain.name.string; + domain_sid = info->account_domain.sid; + rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol); cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */ -- cgit From 084e28d8851abeef0023159911eb7d101732be35 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 8 Feb 2008 14:49:30 +0100 Subject: Use rpccli_samr_LookupNames() in net. Guenther (This used to be commit a513ae630c9dc0b81215e5513c19f45f18cbc1f1) --- source3/utils/net_rpc_join.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 939a7246f7..0e9e603e23 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -162,14 +162,13 @@ int net_rpc_join_newstyle(int argc, const char **argv) NTSTATUS result; int retval = 1; const char *domain = NULL; - uint32 num_rids, *name_types, *user_rids; - uint32 flags = 0x3e8; char *acct_name; - const char *const_acct_name; struct lsa_String lsa_acct_name; uint32 acct_flags=0; uint32_t access_granted = 0; union lsa_PolicyInformation *info = NULL; + struct samr_Ids user_rids; + struct samr_Ids name_types; /* check what type of join */ if (argc >= 0) { 
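Review bot: `info` is dereferenced right after `CHECK_RPC_ERR(rpccli_lsa_QueryInfoPolicy(...))` with no check that the server returned a policy structure; it starts as NULL and is only safe to use if the callee guarantees a non-NULL result on success, which this hunk does not show. Add `if (info == NULL) { result = NT_STATUS_INVALID_NETWORK_RESPONSE; goto done; }` before the two assignments. `domain` now aliases `info->account_domain.name.string`, so any later in-place modification of `domain` changes the reply structure as well. The function body extends beyond the hunk.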
@@ -265,7 +264,6 @@ int net_rpc_join_newstyle(int argc, const char **argv) goto done; } strlower_m(acct_name); - const_acct_name = acct_name; init_lsa_String(&lsa_acct_name, acct_name); @@ -306,21 +304,22 @@ int net_rpc_join_newstyle(int argc, const char **argv) rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol); } - CHECK_RPC_ERR_DEBUG(rpccli_samr_lookup_names(pipe_hnd, mem_ctx, - &domain_pol, flags, - 1, &const_acct_name, - &num_rids, - &user_rids, &name_types), + CHECK_RPC_ERR_DEBUG(rpccli_samr_LookupNames(pipe_hnd, mem_ctx, + &domain_pol, + 1, + &lsa_acct_name, + &user_rids, + &name_types), ("error looking up rid for user %s: %s\n", acct_name, nt_errstr(result))); - if (name_types[0] != SID_NAME_USER) { - DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name, name_types[0])); + if (name_types.ids[0] != SID_NAME_USER) { + DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name, name_types.ids[0])); goto done; } - user_rid = user_rids[0]; - + user_rid = user_rids.ids[0]; + /* Open handle on user */ CHECK_RPC_ERR_DEBUG( -- cgit From bc742a06a2e7ce494446ab3a752fd45d08c25659 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 12 Feb 2008 00:51:51 +0100 Subject: Remove all callers of rpccli_samr_setuserinfo2 and replace with rpccli_samr_SetUserInfo (see the opcode mixup in rpc_samr.h). Guenther (This used to be commit bdc49185036060ebb9c727767dce52e4b01bd8b4) --- source3/utils/net_rpc_join.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 0e9e603e23..f94e08edef 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -154,8 +154,8 @@ int net_rpc_join_newstyle(int argc, const char **argv) uchar pwbuf[516]; SAM_USERINFO_CTR ctr; SAM_USER_INFO_24 p24; - SAM_USER_INFO_16 p16; uchar md4_trust_password[16]; + union samr_UserInfo set_info; /* Misc */ 
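Review bot: `name_types.ids[0]` and `user_rids.ids[0]` are read without looking at the counts in the two `struct samr_Ids` results, so a reply that reports success with an empty or NULL id array is dereferenced. Check before use, e.g. `if (user_rids.count != 1 || name_types.count != 1) { result = NT_STATUS_INVALID_NETWORK_RESPONSE; goto done; }`. The removed code had the same gap with `num_rids`, so this is not new, but the conversion is a good moment to close it. The function body extends beyond the hunk.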
@@ -365,17 +365,15 @@ int net_rpc_join_newstyle(int argc, const char **argv) seems to cope with either value so don't bomb out if the set userinfo2 level 0x10 fails. -tpot */ - ZERO_STRUCT(ctr); - ctr.switch_value = 16; - ctr.info.id16 = &p16; - - init_sam_user_info16(&p16, acb_info); + set_info.info16.acct_flags = acb_info; /* Ignoring the return value is necessary for joining a domain as a normal user with "Add workstation to domain" privilege. */ - result = rpccli_samr_set_userinfo2(pipe_hnd, mem_ctx, &user_pol, 16, - &cli->user_session_key, &ctr); + result = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx, + &user_pol, + 16, + &set_info); rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol); cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */ -- cgit From 68855a99d0206889e5af018d956a2ea5cd33d264 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 12 Feb 2008 20:01:36 +0100 Subject: Use rpccli_samr_SetUserInfo2() in place of rpccli_samr_set_userinfo(). Guenther (This used to be commit 1b48b9d73d971ef18b8a2ea240e48902b703b74b) --- source3/utils/net_rpc_join.c | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index f94e08edef..a20dc9a0c4 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -152,8 +152,6 @@ int net_rpc_join_newstyle(int argc, const char **argv) char *clear_trust_password = NULL; uchar pwbuf[516]; - SAM_USERINFO_CTR ctr; - SAM_USER_INFO_24 p24; uchar md4_trust_password[16]; union samr_UserInfo set_info; 
@@ -344,16 +342,15 @@ int net_rpc_join_newstyle(int argc, const char **argv) /* Set password on machine account */ - ZERO_STRUCT(ctr); - ZERO_STRUCT(p24); + init_samr_user_info24(&set_info.info24, pwbuf, 24); - init_sam_user_info24(&p24, (char *)pwbuf,24); + SamOEMhashBlob(set_info.info24.password.data, 516, + &cli->user_session_key); - ctr.switch_value = 24; - ctr.info.id24 = &p24; - - CHECK_RPC_ERR(rpccli_samr_set_userinfo(pipe_hnd, mem_ctx, &user_pol, 24, - &cli->user_session_key, &ctr), + CHECK_RPC_ERR(rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx, + &user_pol, + 24, + &set_info), "error setting trust account password"); /* Why do we have to try to (re-)set the ACB to be the same as what -- cgit From e2b3aad8174daede0248ce96df624e575867cfd8 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Tue, 12 Feb 2008 22:05:39 +0100 Subject: Collect all init_lsa_string varients in one place. Guenther (This used to be commit f4581e9f4482566fba9436d5ae058b8d840fa394) --- source3/utils/net_rpc_join.c | 6 ------ 1 file changed, 6 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index a20dc9a0c4..f08dc66d3c 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -34,12 +34,6 @@ goto done; \ } -static void init_lsa_String(struct lsa_String *name, const char *s) -{ - name->string = s; -} - - /** * confirm that a domain join is still valid * -- cgit From 7269a504fdd06fbbe24c2df8e084b41382d71269 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 27 Feb 2008 19:38:48 +0100 Subject: Add my copyright. Guenther (This used to be commit d078a8757182d84dfd3307a2e1b751cf173aaa97) --- source3/utils/net_rpc_join.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index f08dc66d3c..8259ec46e6 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c 
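Review bot: `SamOEMhashBlob(set_info.info24.password.data, 516, &cli->user_session_key);` hard-codes the buffer length; assuming `data` is an array member, `sizeof(set_info.info24.password.data)` keeps the encrypted length tied to the field. The encryption is now applied to the copy inside `set_info`, so `pwbuf` keeps whatever was passed to `init_samr_user_info24()`; if that is the unencrypted password buffer (its construction is outside the hunk), `pwbuf` should be cleared once the call has been made. `set_info` is a union that later code reuses for level 16, so a short comment that it still carries the level-24 blob at that point would help. The function body extends beyond the hunk.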
@@ -3,6 +3,7 @@ Distributed SMB/CIFS Server Management Utility Copyright (C) 2001 Andrew Bartlett (abartlet@samba.org) Copyright (C) Tim Potter 2001 + Copyright (C) 2008 Guenther Deschner This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by -- cgit From 0bdba8d59abf3de7919f77073ab3534cab69995a Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sat, 15 Mar 2008 12:55:17 +0100 Subject: Fix typo. Guenther (This used to be commit e12721f73db72b99aa0e4be35c51aa8636eb3f59) --- source3/utils/net_rpc_join.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 8259ec46e6..45c0fe5097 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -485,7 +485,7 @@ int net_rpc_testjoin(int argc, const char **argv) nt_status = net_rpc_join_ok(domain, NULL, NULL); if (!NT_STATUS_IS_OK(nt_status)) { fprintf(stderr,"Join to domain '%s' is not valid: %s\n", - nt_errstr(nt_status), domain); + domain, nt_errstr(nt_status)); free(domain); return -1; } -- cgit From 99d35904552b01ef9f2adc40e16887da9eb4de69 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 2 Apr 2008 02:29:48 +0200 Subject: Fix NETLOGON credential chain with Windows 2008 all over the place. In order to avoid receiving NT_STATUS_DOWNGRADE_DETECTED from a w2k8 netr_ServerAuthenticate2 reply, we need to start with the AD netlogon negotiate flags everywhere (not only when running in security=ads). Only for NT4 we need to do a downgrade to the returned negotiate flags. Tested with w2k8, w2ksp4, w2k3r2 and nt4sp6. Guenther (This used to be commit 0970369ca0cb9ae465cff40e5c75739824daf1d0) --- source3/utils/net_rpc_join.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/utils/net_rpc_join.c') 
diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 45c0fe5097..ea3bb10c22 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -46,7 +46,7 @@ NTSTATUS net_rpc_join_ok(const char *domain, const char *server, { enum security_types sec; unsigned int conn_flags = NET_FLAGS_PDC; - uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL; + uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; struct cli_state *cli = NULL; struct rpc_pipe_client *pipe_hnd = NULL; struct rpc_pipe_client *netlogon_pipe = NULL; @@ -133,7 +133,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) struct cli_state *cli; TALLOC_CTX *mem_ctx; uint32 acb_info = ACB_WSTRUST; - uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|(lp_client_schannel() ? NETLOGON_NEG_SCHANNEL : 0); + uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; uint32 sec_channel_type; struct rpc_pipe_client *pipe_hnd = NULL; -- cgit From 2a2188591b5ed922d09dc723adcf10f8b8f5e5a0 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 19 Apr 2008 21:56:43 +0200 Subject: Add "desthost" to rpc_pipe_client This reduces the dependency on cli_state (This used to be commit 783afab9c891dd7bcb78895b2a639b6f3a0edf5b) --- source3/utils/net_rpc_join.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index ea3bb10c22..b868ea824f 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -238,7 +238,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) } CHECK_RPC_ERR(rpccli_samr_Connect2(pipe_hnd, mem_ctx, - pipe_hnd->cli->desthost, + pipe_hnd->desthost, SEC_RIGHTS_MAXIMUM_ALLOWED, &sam_pol), "could not connect to SAM database"); -- cgit From e73e8297f5484b6c7f525917679414c09a145cf0 Mon Sep 17 00:00:00 2001 
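Review bot: In the `@@ -133,7 +133,7 @@` hunk of `net_rpc_join_newstyle` the initial `neg_flags` no longer depends on `lp_client_schannel()`, so the configured client schannel policy has to be enforced wherever the negotiated flags are consumed, and that code is outside the hunk. The commit message says the flags are downgraded to what an NT4 server returns, so the declaration deserves a comment such as `/* in/out: the server may clear bits; re-check NETLOGON_NEG_SCHANNEL after negotiation */`. The same applies to the `@@ -46,7 +46,7 @@` hunk in `net_rpc_join_ok`. As a style point, both hunks now put a `uint32_t` declaration next to existing `uint32` ones.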
From: Volker Lendecke Date: Sun, 20 Apr 2008 13:51:46 +0200 Subject: Replace cli_rpc_pipe_close by a talloc destructor on rpc_pipe_struct (This used to be commit 99fc3283c4ecc791f5a242bd1983b4352ce3e6cf) --- source3/utils/net_rpc_join.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index b868ea824f..c94e9d1a40 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -221,7 +221,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) domain_sid = info->account_domain.sid; rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol); - cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */ + TALLOC_FREE(pipe_hnd); /* Done with this pipe */ /* Bail out if domain didn't get set. */ if (!domain) { @@ -368,7 +368,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) &set_info); rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol); - cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */ + TALLOC_FREE(pipe_hnd); /* Done with this pipe */ /* Now check the whole process from top-to-bottom */ @@ -429,10 +429,10 @@ int net_rpc_join_newstyle(int argc, const char **argv) goto done; } - cli_rpc_pipe_close(netlogon_schannel_pipe); + TALLOC_FREE(netlogon_schannel_pipe); } - cli_rpc_pipe_close(pipe_hnd); + TALLOC_FREE(pipe_hnd); /* Now store the secret in the secrets database */ -- cgit From f5769109447d8da0f09b102d444a816ad97a00dc Mon Sep 17 00:00:00 2001 From: Kai Blin Date: Fri, 9 May 2008 23:22:12 +0200 Subject: net: Remove globals (This used to be commit 1e9319cf88b65a2a8d4f5099a1fe5297e405ed2e) --- source3/utils/net_rpc_join.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index c94e9d1a40..2777324e81 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c 
@@ -41,8 +41,8 @@ * @return A shell status integer (0 for success) * **/ -NTSTATUS net_rpc_join_ok(const char *domain, const char *server, - struct sockaddr_storage *pss) +NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain, + const char *server, struct sockaddr_storage *pss) { enum security_types sec; unsigned int conn_flags = NET_FLAGS_PDC; @@ -57,7 +57,7 @@ NTSTATUS net_rpc_join_ok(const char *domain, const char *server, if (sec == SEC_ADS) { /* Connect to IPC$ using machine account's credentials. We don't use anonymous connection here, as it may be denied by server's local policy. */ - net_use_machine_account(); + net_use_machine_account(c); } else { /* some servers (e.g. WinNT) don't accept machine-authenticated @@ -66,7 +66,8 @@ NTSTATUS net_rpc_join_ok(const char *domain, const char *server, } /* Connect to remote machine */ - ntret = net_make_ipc_connection_ex(domain, server, pss, conn_flags, &cli); + ntret = net_make_ipc_connection_ex(c, domain, server, pss, conn_flags, + &cli); if (!NT_STATUS_IS_OK(ntret)) { return ntret; } @@ -125,7 +126,7 @@ NTSTATUS net_rpc_join_ok(const char *domain, const char *server, * **/ -int net_rpc_join_newstyle(int argc, const char **argv) +int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv) { /* libsmb variables */ @@ -186,7 +187,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) /* Make authenticated connection to remote machine */ - result = net_make_ipc_connection(NET_FLAGS_PDC, &cli); + result = net_make_ipc_connection(c, NET_FLAGS_PDC, &cli); if (!NT_STATUS_IS_OK(result)) { return 1; } @@ -448,7 +449,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) } /* double-check, connection from scratch */ - result = net_rpc_join_ok(domain, cli->desthost, &cli->dest_ss); + result = net_rpc_join_ok(c, domain, cli->desthost, &cli->dest_ss); retval = NT_STATUS_IS_OK(result) ? 0 : -1; done: 
@@ -476,13 +477,13 @@ done: * @return A shell status integer (0 for success) * **/ -int net_rpc_testjoin(int argc, const char **argv) +int net_rpc_testjoin(struct net_context *c, int argc, const char **argv) { - char *domain = smb_xstrdup(opt_target_workgroup); + char *domain = smb_xstrdup(c->opt_target_workgroup); NTSTATUS nt_status; /* Display success or failure */ - nt_status = net_rpc_join_ok(domain, NULL, NULL); + nt_status = net_rpc_join_ok(c, domain, NULL, NULL); if (!NT_STATUS_IS_OK(nt_status)) { fprintf(stderr,"Join to domain '%s' is not valid: %s\n", domain, nt_errstr(nt_status)); -- cgit From 4206d9754486d2c1e18217cbcdbaad8f31f5244b Mon Sep 17 00:00:00 2001 From: Kai Blin Date: Thu, 8 May 2008 11:23:38 +0200 Subject: net: more whitespace cleanup (This used to be commit ef0184d580500734fc7af51e1c790b075180a3d0) --- source3/utils/net_rpc_join.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 2777324e81..87a90550fa 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -1,6 +1,6 @@ -/* - Samba Unix/Linux SMB client library - Distributed SMB/CIFS Server Management Utility +/* + Samba Unix/Linux SMB client library + Distributed SMB/CIFS Server Management Utility Copyright (C) 2001 Andrew Bartlett (abartlet@samba.org) Copyright (C) Tim Potter 2001 Copyright (C) 2008 Guenther Deschner 
@@ -9,15 +9,15 @@ it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see . */ - + #include "includes.h" #include "utils/net.h" @@ -463,7 +463,7 @@ done: printf("Joined domain %s.\n",domain); } } - + cli_shutdown(cli); SAFE_FREE(clear_trust_password); -- cgit From 16938883e6fcae7601eb6343177aa2d56dd2136e Mon Sep 17 00:00:00 2001 From: Kai Blin Date: Mon, 12 May 2008 11:53:23 +0200 Subject: net: Use true/false instead of True/False. (This used to be commit a8b567aac3b0e39cfe67fb97167b10312ca5e73a) --- source3/utils/net_rpc_join.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 87a90550fa..b037e9c612 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -207,7 +207,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv) } - CHECK_RPC_ERR(rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True, + CHECK_RPC_ERR(rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true, SEC_RIGHTS_MAXIMUM_ALLOWED, &lsa_pol), "error opening lsa policy handle"); -- cgit From c51ca559c1f0f243a7dd56d138aff6a86f31738d Mon Sep 17 00:00:00 2001 From: Kai Blin Date: Wed, 21 May 2008 10:27:59 +0200 Subject: net: Make "net rpc" use functable3 (This used to be commit 428b56863c3963ecd041b8398d5683c92fa64307) --- source3/utils/net_rpc_join.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'source3/utils/net_rpc_join.c') 
diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index b037e9c612..5b31e6e100 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -482,6 +482,13 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv) char *domain = smb_xstrdup(c->opt_target_workgroup); NTSTATUS nt_status; + if (c->display_usage) { + d_printf("Usage\n" + "net rpc testjoin\n" + " Test if a join is OK\n"); + return 0; + } + /* Display success or failure */ nt_status = net_rpc_join_ok(c, domain, NULL, NULL); if (!NT_STATUS_IS_OK(nt_status)) { -- cgit From 1335da2a7cc639310e5d389e8e8dbe67c4e7ca25 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 20 Jul 2008 11:04:31 +0200 Subject: Refactoring: Change calling conventions for cli_rpc_pipe_open_noauth Pass in ndr_syntax_id instead of pipe_idx, return NTSTATUS (This used to be commit 9abc9dc4dc13bd3e42f98eff64eacf24b51f5779) --- source3/utils/net_rpc_join.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 5b31e6e100..609068e3d0 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -199,8 +199,9 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv) /* Fetch domain sid */ - pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &result); - if (!pipe_hnd) { + result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id, + &pipe_hnd); + if (!NT_STATUS_IS_OK(result)) { DEBUG(0, ("Error connecting to LSA pipe. Error was %s\n", nt_errstr(result) )); goto done; 
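Review bot: The early `return 0;` added in the `@@ -482,6 +482,13 @@` hunk of `net_rpc_testjoin` leaks `domain`, which `smb_xstrdup(c->opt_target_workgroup)` allocates in the declaration just above the new block. Either add `free(domain);` before the `return 0;`, or declare `char *domain = NULL;` and call `smb_xstrdup` only after the `c->display_usage` check. The rest of the function lies outside the hunk.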
@@ -231,8 +232,9 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv) } /* Create domain user */ - pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &result); - if (!pipe_hnd) { + result = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id, + &pipe_hnd); + if (!NT_STATUS_IS_OK(result)) { DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n", nt_errstr(result) )); goto done; @@ -373,8 +375,9 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv) /* Now check the whole process from top-to-bottom */ - pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, &result); - if (!pipe_hnd) { + result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id, + &pipe_hnd); + if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("Error connecting to NETLOGON pipe. Error was %s\n", nt_errstr(result) )); goto done; -- cgit From b8fc15be950072846d23e3836d4d0289c10156f2 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 20 Jul 2008 16:33:26 +0200 Subject: Refactoring: Make get_schannel_session_key return NTSTATUS (This used to be commit a0793cc853d3bd43df2fc49df193a5fead6b01ab) --- source3/utils/net_rpc_join.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 609068e3d0..2599c28e9c 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c 
@@ -73,12 +73,13 @@ NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain, } /* Setup the creds as though we're going to do schannel... */ - netlogon_pipe = get_schannel_session_key(cli, domain, &neg_flags, &ntret); + ntret = get_schannel_session_key(cli, domain, &neg_flags, + &netlogon_pipe); /* We return NT_STATUS_INVALID_NETWORK_RESPONSE if the server is refusing to negotiate schannel, but the creds were set up ok. That'll have to do. */ - if (!netlogon_pipe) { + if (!NT_STATUS_IS_OK(ntret)) { if (NT_STATUS_EQUAL(ntret, NT_STATUS_INVALID_NETWORK_RESPONSE)) { cli_shutdown(cli); return NT_STATUS_OK; -- cgit From ba2cb35ca5b335a8f33e012255b43b9cf9a04ecf Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 20 Jul 2008 11:04:31 +0200 Subject: Refactoring: Change calling conventions for cli_rpc_pipe_open_schannel_with_key Pass in ndr_syntax_id instead of pipe_idx, return NTSTATUS (This used to be commit 78e9c937ff2d2e1b70cfed4121e17feb6efafda1) --- source3/utils/net_rpc_join.c | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 2599c28e9c..f63cb14b7e 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -99,11 +99,11 @@ NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain, return ntret; } - pipe_hnd = cli_rpc_pipe_open_schannel_with_key(cli, PI_NETLOGON, - PIPE_AUTH_LEVEL_PRIVACY, - domain, netlogon_pipe->dc, &ntret); + ntret = cli_rpc_pipe_open_schannel_with_key( + cli, &ndr_table_netlogon.syntax_id, PIPE_AUTH_LEVEL_PRIVACY, + domain, netlogon_pipe->dc, &pipe_hnd); - if (!pipe_hnd) { + if (!NT_STATUS_IS_OK(ntret)) { DEBUG(0,("net_rpc_join_ok: failed to open schannel session " "on netlogon pipe to server %s for domain %s. Error was %s\n", cli->desthost, domain, nt_errstr(ntret) )); 
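Review bot: In the `@@ -73,12 +73,13 @@` hunk the branch that maps `NT_STATUS_INVALID_NETWORK_RESPONSE` to `NT_STATUS_OK` reports a valid join without leaving any trace that the server refused schannel, and the commit changes the failure test around it without addressing that. A log line before `cli_shutdown(cli)` would make the downgrade visible to whoever runs the check, for example `DEBUG(1, ("net_rpc_join_ok: server refused schannel, join not verified over schannel\n"));`. Whether this path should succeed at all when schannel is required by configuration cannot be decided from the hunk, because `net_rpc_join_ok` continues outside it.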
@@ -413,13 +413,12 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv) do the same again (setup creds) in net_rpc_join_ok(). JRA. */ if (lp_client_schannel() && (neg_flags & NETLOGON_NEG_SCHANNEL)) { - struct rpc_pipe_client *netlogon_schannel_pipe = - cli_rpc_pipe_open_schannel_with_key(cli, - PI_NETLOGON, - PIPE_AUTH_LEVEL_PRIVACY, - domain, - pipe_hnd->dc, - &result); + struct rpc_pipe_client *netlogon_schannel_pipe; + + result = cli_rpc_pipe_open_schannel_with_key( + cli, &ndr_table_netlogon.syntax_id, + PIPE_AUTH_LEVEL_PRIVACY, domain, pipe_hnd->dc, + &netlogon_schannel_pipe); if (!NT_STATUS_IS_OK(result)) { DEBUG(0, ("Error in domain join verification (schannel setup failed): %s\n\n", -- cgit From 9294303943c1f28df4afeef729689331d53cc242 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 30 Jul 2008 19:52:56 +0200 Subject: rpc_client: use init_samr_CryptPassword(Ex) in client tools. Guenther (This used to be commit 97f7f9f21f17e8414de15953cf4eaa9959dc6f75) --- source3/utils/net_rpc_join.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'source3/utils/net_rpc_join.c') diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index f63cb14b7e..5bc38f979f 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -148,7 +148,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv) /* Password stuff */ char *clear_trust_password = NULL; - uchar pwbuf[516]; + struct samr_CryptPassword crypt_pwd; uchar md4_trust_password[16]; union samr_UserInfo set_info; 
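Review bot: `netlogon_schannel_pipe` is now declared without an initialiser in the `@@ -413,13 +413,12 @@` hunk and is only written through the out-parameter of `cli_rpc_pipe_open_schannel_with_key`, so its value after a failed call depends on that function, which is not shown. The other pipe handles visible for this file are declared `= NULL`. Writing `struct rpc_pipe_client *netlogon_schannel_pipe = NULL;` keeps the pointer defined on every path, including any cleanup that might later touch it. The enclosing `if` block and function continue outside the hunk.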
@@ -337,14 +337,13 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv) E_md4hash(clear_trust_password, md4_trust_password); } - encode_pw_buffer(pwbuf, clear_trust_password, STR_UNICODE); - /* Set password on machine account */ - init_samr_user_info24(&set_info.info24, pwbuf, 24); + init_samr_CryptPassword(clear_trust_password, + &cli->user_session_key, + &crypt_pwd); - SamOEMhashBlob(set_info.info24.password.data, 516, - &cli->user_session_key); + init_samr_user_info24(&set_info.info24, crypt_pwd.data, 24); CHECK_RPC_ERR(rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx, &user_pol, -- cgit
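Review bot: The trailing literal `24` in `init_samr_user_info24(&set_info.info24, crypt_pwd.data, 24)` in the `@@ -337,14 +337,13 @@` hunk is undocumented and easy to mistake for the info level in the helper's name. What that parameter means is not visible from the hunk, so a comment at the call should name it. The encryption with `cli->user_session_key` also appears to have moved into `init_samr_CryptPassword`, which is worth saying in the `/* Set password on machine account */` comment so nobody re-adds a second encryption pass over `set_info.info24.password.data`. The function body starts and ends outside the hunk.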