/* [<][>][^][v][top][bottom][index][help] */
DEFINITIONS
This source file includes following definitions.
- libnet_join_set_error_string
- libnet_unjoin_set_error_string
- libnet_connect_ads
- libnet_join_connect_ads
- libnet_unjoin_connect_ads
- libnet_join_precreate_machine_acct
- libnet_unjoin_remove_machine_acct
- libnet_join_find_machine_acct
- libnet_join_set_machine_spn
- libnet_join_set_machine_upn
- libnet_join_set_os_attributes
- libnet_join_create_keytab
- libnet_join_derive_salting_principal
- libnet_join_post_processing_ads
- libnet_join_joindomain_store_secrets
- libnet_join_connect_dc_ipc
- libnet_join_lookup_dc_rpc
- libnet_join_joindomain_rpc
- libnet_join_ok
- libnet_join_post_verify
- libnet_join_unjoindomain_remove_secrets
- libnet_join_unjoindomain_rpc
- do_join_modify_vals_config
- do_unjoin_modify_vals_config
- do_JoinConfig
- libnet_unjoin_config
- libnet_parse_domain_dc
- libnet_join_pre_processing
- libnet_join_add_dom_rids_to_builtins
- libnet_join_post_processing
- libnet_destroy_JoinCtx
- libnet_destroy_UnjoinCtx
- libnet_init_JoinCtx
- libnet_init_UnjoinCtx
- libnet_join_check_config
- libnet_DomainJoin
- libnet_join_rollback
- libnet_Join
- libnet_DomainUnjoin
- libnet_unjoin_pre_processing
- libnet_unjoin_post_processing
- libnet_Unjoin
1 /*
2 * Unix SMB/CIFS implementation.
3 * libnet Join Support
4 * Copyright (C) Gerald (Jerry) Carter 2006
5 * Copyright (C) Guenther Deschner 2007-2008
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "libnet/libnet.h"
23
24 /****************************************************************
25 ****************************************************************/
26
27 #define LIBNET_JOIN_DUMP_CTX(ctx, r, f) \
28 do { \
29 char *str = NULL; \
30 str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_JoinCtx, f, r); \
31 DEBUG(1,("libnet_Join:\n%s", str)); \
32 TALLOC_FREE(str); \
33 } while (0)
34
35 #define LIBNET_JOIN_IN_DUMP_CTX(ctx, r) \
36 LIBNET_JOIN_DUMP_CTX(ctx, r, NDR_IN | NDR_SET_VALUES)
37 #define LIBNET_JOIN_OUT_DUMP_CTX(ctx, r) \
38 LIBNET_JOIN_DUMP_CTX(ctx, r, NDR_OUT)
39
40 #define LIBNET_UNJOIN_DUMP_CTX(ctx, r, f) \
41 do { \
42 char *str = NULL; \
43 str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_UnjoinCtx, f, r); \
44 DEBUG(1,("libnet_Unjoin:\n%s", str)); \
45 TALLOC_FREE(str); \
46 } while (0)
47
48 #define LIBNET_UNJOIN_IN_DUMP_CTX(ctx, r) \
49 LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_IN | NDR_SET_VALUES)
50 #define LIBNET_UNJOIN_OUT_DUMP_CTX(ctx, r) \
51 LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_OUT)
52
53 /****************************************************************
54 ****************************************************************/
55
56 static void libnet_join_set_error_string(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
57 struct libnet_JoinCtx *r,
58 const char *format, ...)
59 {
60 va_list args;
61
62 if (r->out.error_string) {
63 return;
64 }
65
66 va_start(args, format);
67 r->out.error_string = talloc_vasprintf(mem_ctx, format, args);
68 va_end(args);
69 }
70
71 /****************************************************************
72 ****************************************************************/
73
74 static void libnet_unjoin_set_error_string(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
75 struct libnet_UnjoinCtx *r,
76 const char *format, ...)
77 {
78 va_list args;
79
80 if (r->out.error_string) {
81 return;
82 }
83
84 va_start(args, format);
85 r->out.error_string = talloc_vasprintf(mem_ctx, format, args);
86 va_end(args);
87 }
88
89 #ifdef WITH_ADS
90
91 /****************************************************************
92 ****************************************************************/
93
94 static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
/* [<][>][^][v][top][bottom][index][help] */
95 const char *netbios_domain_name,
96 const char *dc_name,
97 const char *user_name,
98 const char *password,
99 ADS_STRUCT **ads)
100 {
101 ADS_STATUS status;
102 ADS_STRUCT *my_ads = NULL;
103
104 my_ads = ads_init(dns_domain_name,
105 netbios_domain_name,
106 dc_name);
107 if (!my_ads) {
108 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
109 }
110
111 if (user_name) {
112 SAFE_FREE(my_ads->auth.user_name);
113 my_ads->auth.user_name = SMB_STRDUP(user_name);
114 }
115
116 if (password) {
117 SAFE_FREE(my_ads->auth.password);
118 my_ads->auth.password = SMB_STRDUP(password);
119 }
120
121 status = ads_connect_user_creds(my_ads);
122 if (!ADS_ERR_OK(status)) {
123 ads_destroy(&my_ads);
124 return status;
125 }
126
127 *ads = my_ads;
128 return ADS_SUCCESS;
129 }
130
131 /****************************************************************
132 ****************************************************************/
133
134 static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
135 struct libnet_JoinCtx *r)
136 {
137 ADS_STATUS status;
138
139 status = libnet_connect_ads(r->out.dns_domain_name,
140 r->out.netbios_domain_name,
141 r->in.dc_name,
142 r->in.admin_account,
143 r->in.admin_password,
144 &r->in.ads);
145 if (!ADS_ERR_OK(status)) {
146 libnet_join_set_error_string(mem_ctx, r,
147 "failed to connect to AD: %s",
148 ads_errstr(status));
149 return status;
150 }
151
152 if (!r->out.netbios_domain_name) {
153 r->out.netbios_domain_name = talloc_strdup(mem_ctx,
154 r->in.ads->server.workgroup);
155 ADS_ERROR_HAVE_NO_MEMORY(r->out.netbios_domain_name);
156 }
157
158 if (!r->out.dns_domain_name) {
159 r->out.dns_domain_name = talloc_strdup(mem_ctx,
160 r->in.ads->config.realm);
161 ADS_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name);
162 }
163
164 r->out.domain_is_ad = true;
165
166 return ADS_SUCCESS;
167 }
168
169 /****************************************************************
170 ****************************************************************/
171
172 static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
173 struct libnet_UnjoinCtx *r)
174 {
175 ADS_STATUS status;
176
177 status = libnet_connect_ads(r->in.domain_name,
178 r->in.domain_name,
179 r->in.dc_name,
180 r->in.admin_account,
181 r->in.admin_password,
182 &r->in.ads);
183 if (!ADS_ERR_OK(status)) {
184 libnet_unjoin_set_error_string(mem_ctx, r,
185 "failed to connect to AD: %s",
186 ads_errstr(status));
187 }
188
189 return status;
190 }
191
192 /****************************************************************
193 join a domain using ADS (LDAP mods)
194 ****************************************************************/
195
196 static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
197 struct libnet_JoinCtx *r)
198 {
199 ADS_STATUS status;
200 LDAPMessage *res = NULL;
201 const char *attrs[] = { "dn", NULL };
202 bool moved = false;
203
204 status = ads_check_ou_dn(mem_ctx, r->in.ads, &r->in.account_ou);
205 if (!ADS_ERR_OK(status)) {
206 return status;
207 }
208
209 status = ads_search_dn(r->in.ads, &res, r->in.account_ou, attrs);
210 if (!ADS_ERR_OK(status)) {
211 return status;
212 }
213
214 if (ads_count_replies(r->in.ads, res) != 1) {
215 ads_msgfree(r->in.ads, res);
216 return ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT);
217 }
218
219 ads_msgfree(r->in.ads, res);
220
221 /* Attempt to create the machine account and bail if this fails.
222 Assume that the admin wants exactly what they requested */
223
224 status = ads_create_machine_acct(r->in.ads,
225 r->in.machine_name,
226 r->in.account_ou);
227
228 if (ADS_ERR_OK(status)) {
229 DEBUG(1,("machine account creation created\n"));
230 return status;
231 } else if ((status.error_type == ENUM_ADS_ERROR_LDAP) &&
232 (status.err.rc == LDAP_ALREADY_EXISTS)) {
233 status = ADS_SUCCESS;
234 }
235
236 if (!ADS_ERR_OK(status)) {
237 DEBUG(1,("machine account creation failed\n"));
238 return status;
239 }
240
241 status = ads_move_machine_acct(r->in.ads,
242 r->in.machine_name,
243 r->in.account_ou,
244 &moved);
245 if (!ADS_ERR_OK(status)) {
246 DEBUG(1,("failure to locate/move pre-existing "
247 "machine account\n"));
248 return status;
249 }
250
251 DEBUG(1,("The machine account %s the specified OU.\n",
252 moved ? "was moved into" : "already exists in"));
253
254 return status;
255 }
256
257 /****************************************************************
258 ****************************************************************/
259
260 static ADS_STATUS libnet_unjoin_remove_machine_acct(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
261 struct libnet_UnjoinCtx *r)
262 {
263 ADS_STATUS status;
264
265 if (!r->in.ads) {
266 return libnet_unjoin_connect_ads(mem_ctx, r);
267 }
268
269 status = ads_leave_realm(r->in.ads, r->in.machine_name);
270 if (!ADS_ERR_OK(status)) {
271 libnet_unjoin_set_error_string(mem_ctx, r,
272 "failed to leave realm: %s",
273 ads_errstr(status));
274 return status;
275 }
276
277 return ADS_SUCCESS;
278 }
279
280 /****************************************************************
281 ****************************************************************/
282
283 static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
284 struct libnet_JoinCtx *r)
285 {
286 ADS_STATUS status;
287 LDAPMessage *res = NULL;
288 char *dn = NULL;
289
290 if (!r->in.machine_name) {
291 return ADS_ERROR(LDAP_NO_MEMORY);
292 }
293
294 status = ads_find_machine_acct(r->in.ads,
295 &res,
296 r->in.machine_name);
297 if (!ADS_ERR_OK(status)) {
298 return status;
299 }
300
301 if (ads_count_replies(r->in.ads, res) != 1) {
302 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
303 goto done;
304 }
305
306 dn = ads_get_dn(r->in.ads, mem_ctx, res);
307 if (!dn) {
308 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
309 goto done;
310 }
311
312 r->out.dn = talloc_strdup(mem_ctx, dn);
313 if (!r->out.dn) {
314 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
315 goto done;
316 }
317
318 done:
319 ads_msgfree(r->in.ads, res);
320 TALLOC_FREE(dn);
321
322 return status;
323 }
324
325 /****************************************************************
326 Set a machines dNSHostName and servicePrincipalName attributes
327 ****************************************************************/
328
329 static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
330 struct libnet_JoinCtx *r)
331 {
332 ADS_STATUS status;
333 ADS_MODLIST mods;
334 fstring my_fqdn;
335 const char *spn_array[3] = {NULL, NULL, NULL};
336 char *spn = NULL;
337
338 /* Find our DN */
339
340 status = libnet_join_find_machine_acct(mem_ctx, r);
341 if (!ADS_ERR_OK(status)) {
342 return status;
343 }
344
345 /* Windows only creates HOST/shortname & HOST/fqdn. */
346
347 spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
348 if (!spn) {
349 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
350 }
351 strupper_m(spn);
352 spn_array[0] = spn;
353
354 if (!name_to_fqdn(my_fqdn, r->in.machine_name)
355 || (strchr(my_fqdn, '.') == NULL)) {
356 fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name,
357 r->out.dns_domain_name);
358 }
359
360 strlower_m(my_fqdn);
361
362 if (!strequal(my_fqdn, r->in.machine_name)) {
363 spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
364 if (!spn) {
365 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
366 }
367 spn_array[1] = spn;
368 }
369
370 mods = ads_init_mods(mem_ctx);
371 if (!mods) {
372 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
373 }
374
375 /* fields of primary importance */
376
377 status = ads_mod_str(mem_ctx, &mods, "dNSHostName", my_fqdn);
378 if (!ADS_ERR_OK(status)) {
379 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
380 }
381
382 status = ads_mod_strlist(mem_ctx, &mods, "servicePrincipalName",
383 spn_array);
384 if (!ADS_ERR_OK(status)) {
385 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
386 }
387
388 return ads_gen_mod(r->in.ads, r->out.dn, mods);
389 }
390
391 /****************************************************************
392 ****************************************************************/
393
394 static ADS_STATUS libnet_join_set_machine_upn(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
395 struct libnet_JoinCtx *r)
396 {
397 ADS_STATUS status;
398 ADS_MODLIST mods;
399
400 if (!r->in.create_upn) {
401 return ADS_SUCCESS;
402 }
403
404 /* Find our DN */
405
406 status = libnet_join_find_machine_acct(mem_ctx, r);
407 if (!ADS_ERR_OK(status)) {
408 return status;
409 }
410
411 if (!r->in.upn) {
412 r->in.upn = talloc_asprintf(mem_ctx,
413 "host/%s@%s",
414 r->in.machine_name,
415 r->out.dns_domain_name);
416 if (!r->in.upn) {
417 return ADS_ERROR(LDAP_NO_MEMORY);
418 }
419 }
420
421 /* now do the mods */
422
423 mods = ads_init_mods(mem_ctx);
424 if (!mods) {
425 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
426 }
427
428 /* fields of primary importance */
429
430 status = ads_mod_str(mem_ctx, &mods, "userPrincipalName", r->in.upn);
431 if (!ADS_ERR_OK(status)) {
432 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
433 }
434
435 return ads_gen_mod(r->in.ads, r->out.dn, mods);
436 }
437
438
439 /****************************************************************
440 ****************************************************************/
441
442 static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
443 struct libnet_JoinCtx *r)
444 {
445 ADS_STATUS status;
446 ADS_MODLIST mods;
447 char *os_sp = NULL;
448
449 if (!r->in.os_name || !r->in.os_version ) {
450 return ADS_SUCCESS;
451 }
452
453 /* Find our DN */
454
455 status = libnet_join_find_machine_acct(mem_ctx, r);
456 if (!ADS_ERR_OK(status)) {
457 return status;
458 }
459
460 /* now do the mods */
461
462 mods = ads_init_mods(mem_ctx);
463 if (!mods) {
464 return ADS_ERROR(LDAP_NO_MEMORY);
465 }
466
467 os_sp = talloc_asprintf(mem_ctx, "Samba %s", samba_version_string());
468 if (!os_sp) {
469 return ADS_ERROR(LDAP_NO_MEMORY);
470 }
471
472 /* fields of primary importance */
473
474 status = ads_mod_str(mem_ctx, &mods, "operatingSystem",
475 r->in.os_name);
476 if (!ADS_ERR_OK(status)) {
477 return status;
478 }
479
480 status = ads_mod_str(mem_ctx, &mods, "operatingSystemVersion",
481 r->in.os_version);
482 if (!ADS_ERR_OK(status)) {
483 return status;
484 }
485
486 status = ads_mod_str(mem_ctx, &mods, "operatingSystemServicePack",
487 os_sp);
488 if (!ADS_ERR_OK(status)) {
489 return status;
490 }
491
492 return ads_gen_mod(r->in.ads, r->out.dn, mods);
493 }
494
495 /****************************************************************
496 ****************************************************************/
497
498 static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
499 struct libnet_JoinCtx *r)
500 {
501 if (!USE_SYSTEM_KEYTAB) {
502 return true;
503 }
504
505 if (ads_keytab_create_default(r->in.ads) != 0) {
506 return false;
507 }
508
509 return true;
510 }
511
512 /****************************************************************
513 ****************************************************************/
514
515 static bool libnet_join_derive_salting_principal(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
516 struct libnet_JoinCtx *r)
517 {
518 uint32_t domain_func;
519 ADS_STATUS status;
520 const char *salt = NULL;
521 char *std_salt = NULL;
522
523 status = ads_domain_func_level(r->in.ads, &domain_func);
524 if (!ADS_ERR_OK(status)) {
525 libnet_join_set_error_string(mem_ctx, r,
526 "failed to determine domain functional level: %s",
527 ads_errstr(status));
528 return false;
529 }
530
531 /* go ahead and setup the default salt */
532
533 std_salt = kerberos_standard_des_salt();
534 if (!std_salt) {
535 libnet_join_set_error_string(mem_ctx, r,
536 "failed to obtain standard DES salt");
537 return false;
538 }
539
540 salt = talloc_strdup(mem_ctx, std_salt);
541 if (!salt) {
542 return false;
543 }
544
545 SAFE_FREE(std_salt);
546
547 /* if it's a Windows functional domain, we have to look for the UPN */
548
549 if (domain_func == DS_DOMAIN_FUNCTION_2000) {
550 char *upn;
551
552 upn = ads_get_upn(r->in.ads, mem_ctx,
553 r->in.machine_name);
554 if (upn) {
555 salt = talloc_strdup(mem_ctx, upn);
556 if (!salt) {
557 return false;
558 }
559 }
560 }
561
562 return kerberos_secrets_store_des_salt(salt);
563 }
564
565 /****************************************************************
566 ****************************************************************/
567
568 static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
569 struct libnet_JoinCtx *r)
570 {
571 ADS_STATUS status;
572
573 if (!r->in.ads) {
574 status = libnet_join_connect_ads(mem_ctx, r);
575 if (!ADS_ERR_OK(status)) {
576 return status;
577 }
578 }
579
580 status = libnet_join_set_machine_spn(mem_ctx, r);
581 if (!ADS_ERR_OK(status)) {
582 libnet_join_set_error_string(mem_ctx, r,
583 "failed to set machine spn: %s",
584 ads_errstr(status));
585 return status;
586 }
587
588 status = libnet_join_set_os_attributes(mem_ctx, r);
589 if (!ADS_ERR_OK(status)) {
590 libnet_join_set_error_string(mem_ctx, r,
591 "failed to set machine os attributes: %s",
592 ads_errstr(status));
593 return status;
594 }
595
596 status = libnet_join_set_machine_upn(mem_ctx, r);
597 if (!ADS_ERR_OK(status)) {
598 libnet_join_set_error_string(mem_ctx, r,
599 "failed to set machine upn: %s",
600 ads_errstr(status));
601 return status;
602 }
603
604 if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
605 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
606 }
607
608 if (!libnet_join_create_keytab(mem_ctx, r)) {
609 libnet_join_set_error_string(mem_ctx, r,
610 "failed to create kerberos keytab");
611 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
612 }
613
614 return ADS_SUCCESS;
615 }
616 #endif /* WITH_ADS */
617
618 /****************************************************************
619 Store the machine password and domain SID
620 ****************************************************************/
621
622 static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
623 struct libnet_JoinCtx *r)
624 {
625 if (!secrets_store_domain_sid(r->out.netbios_domain_name,
626 r->out.domain_sid))
627 {
628 DEBUG(1,("Failed to save domain sid\n"));
629 return false;
630 }
631
632 if (!secrets_store_machine_password(r->in.machine_password,
633 r->out.netbios_domain_name,
634 r->in.secure_channel_type))
635 {
636 DEBUG(1,("Failed to save machine password\n"));
637 return false;
638 }
639
640 return true;
641 }
642
643 /****************************************************************
644 Connect dc's IPC$ share
645 ****************************************************************/
646
647 static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
/* [<][>][^][v][top][bottom][index][help] */
648 const char *user,
649 const char *pass,
650 bool use_kerberos,
651 struct cli_state **cli)
652 {
653 int flags = 0;
654
655 if (use_kerberos) {
656 flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
657 }
658
659 if (use_kerberos && pass) {
660 flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
661 }
662
663 return cli_full_connection(cli, NULL,
664 dc,
665 NULL, 0,
666 "IPC$", "IPC",
667 user,
668 NULL,
669 pass,
670 flags,
671 Undefined, NULL);
672 }
673
674 /****************************************************************
675 Lookup domain dc's info
676 ****************************************************************/
677
678 static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
679 struct libnet_JoinCtx *r,
680 struct cli_state **cli)
681 {
682 struct rpc_pipe_client *pipe_hnd = NULL;
683 struct policy_handle lsa_pol;
684 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
685 union lsa_PolicyInformation *info = NULL;
686
687 status = libnet_join_connect_dc_ipc(r->in.dc_name,
688 r->in.admin_account,
689 r->in.admin_password,
690 r->in.use_kerberos,
691 cli);
692 if (!NT_STATUS_IS_OK(status)) {
693 goto done;
694 }
695
696 status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc.syntax_id,
697 &pipe_hnd);
698 if (!NT_STATUS_IS_OK(status)) {
699 DEBUG(0,("Error connecting to LSA pipe. Error was %s\n",
700 nt_errstr(status)));
701 goto done;
702 }
703
704 status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
705 SEC_FLAG_MAXIMUM_ALLOWED, &lsa_pol);
706 if (!NT_STATUS_IS_OK(status)) {
707 goto done;
708 }
709
710 status = rpccli_lsa_QueryInfoPolicy2(pipe_hnd, mem_ctx,
711 &lsa_pol,
712 LSA_POLICY_INFO_DNS,
713 &info);
714 if (NT_STATUS_IS_OK(status)) {
715 r->out.domain_is_ad = true;
716 r->out.netbios_domain_name = info->dns.name.string;
717 r->out.dns_domain_name = info->dns.dns_domain.string;
718 r->out.forest_name = info->dns.dns_forest.string;
719 r->out.domain_sid = sid_dup_talloc(mem_ctx, info->dns.sid);
720 NT_STATUS_HAVE_NO_MEMORY(r->out.domain_sid);
721 }
722
723 if (!NT_STATUS_IS_OK(status)) {
724 status = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
725 &lsa_pol,
726 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
727 &info);
728 if (!NT_STATUS_IS_OK(status)) {
729 goto done;
730 }
731
732 r->out.netbios_domain_name = info->account_domain.name.string;
733 r->out.domain_sid = sid_dup_talloc(mem_ctx, info->account_domain.sid);
734 NT_STATUS_HAVE_NO_MEMORY(r->out.domain_sid);
735 }
736
737 rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol);
738 TALLOC_FREE(pipe_hnd);
739
740 done:
741 return status;
742 }
743
744 /****************************************************************
745 Do the domain join
746 ****************************************************************/
747
748 static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
749 struct libnet_JoinCtx *r,
750 struct cli_state *cli)
751 {
752 struct rpc_pipe_client *pipe_hnd = NULL;
753 struct policy_handle sam_pol, domain_pol, user_pol;
754 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
755 char *acct_name;
756 struct lsa_String lsa_acct_name;
757 uint32_t user_rid;
758 uint32_t acct_flags = ACB_WSTRUST;
759 struct samr_Ids user_rids;
760 struct samr_Ids name_types;
761 union samr_UserInfo user_info;
762
763 struct samr_CryptPassword crypt_pwd;
764 struct samr_CryptPasswordEx crypt_pwd_ex;
765
766 ZERO_STRUCT(sam_pol);
767 ZERO_STRUCT(domain_pol);
768 ZERO_STRUCT(user_pol);
769
770 if (!r->in.machine_password) {
771 r->in.machine_password = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
772 NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
773 }
774
775 /* Open the domain */
776
777 status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
778 &pipe_hnd);
779 if (!NT_STATUS_IS_OK(status)) {
780 DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
781 nt_errstr(status)));
782 goto done;
783 }
784
785 status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
786 pipe_hnd->desthost,
787 SAMR_ACCESS_ENUM_DOMAINS
788 | SAMR_ACCESS_LOOKUP_DOMAIN,
789 &sam_pol);
790 if (!NT_STATUS_IS_OK(status)) {
791 goto done;
792 }
793
794 status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
795 &sam_pol,
796 SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
797 | SAMR_DOMAIN_ACCESS_CREATE_USER
798 | SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
799 r->out.domain_sid,
800 &domain_pol);
801 if (!NT_STATUS_IS_OK(status)) {
802 goto done;
803 }
804
805 /* Create domain user */
806
807 acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name);
808 strlower_m(acct_name);
809
810 init_lsa_String(&lsa_acct_name, acct_name);
811
812 if (r->in.join_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE) {
813 uint32_t access_desired =
814 SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE |
815 SEC_STD_WRITE_DAC | SEC_STD_DELETE |
816 SAMR_USER_ACCESS_SET_PASSWORD |
817 SAMR_USER_ACCESS_GET_ATTRIBUTES |
818 SAMR_USER_ACCESS_SET_ATTRIBUTES;
819 uint32_t access_granted = 0;
820
821 /* Don't try to set any acct_flags flags other than ACB_WSTRUST */
822
823 DEBUG(10,("Creating account with desired access mask: %d\n",
824 access_desired));
825
826 status = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx,
827 &domain_pol,
828 &lsa_acct_name,
829 ACB_WSTRUST,
830 access_desired,
831 &user_pol,
832 &access_granted,
833 &user_rid);
834 if (!NT_STATUS_IS_OK(status) &&
835 !NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
836
837 DEBUG(10,("Creation of workstation account failed: %s\n",
838 nt_errstr(status)));
839
840 /* If NT_STATUS_ACCESS_DENIED then we have a valid
841 username/password combo but the user does not have
842 administrator access. */
843
844 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
845 libnet_join_set_error_string(mem_ctx, r,
846 "User specified does not have "
847 "administrator privileges");
848 }
849
850 goto done;
851 }
852
853 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
854 if (!(r->in.join_flags &
855 WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED)) {
856 goto done;
857 }
858 }
859
860 /* We *must* do this.... don't ask... */
861
862 if (NT_STATUS_IS_OK(status)) {
863 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
864 }
865 }
866
867 status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
868 &domain_pol,
869 1,
870 &lsa_acct_name,
871 &user_rids,
872 &name_types);
873 if (!NT_STATUS_IS_OK(status)) {
874 goto done;
875 }
876
877 if (name_types.ids[0] != SID_NAME_USER) {
878 DEBUG(0,("%s is not a user account (type=%d)\n",
879 acct_name, name_types.ids[0]));
880 status = NT_STATUS_INVALID_WORKSTATION;
881 goto done;
882 }
883
884 user_rid = user_rids.ids[0];
885
886 /* Open handle on user */
887
888 status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
889 &domain_pol,
890 SEC_FLAG_MAXIMUM_ALLOWED,
891 user_rid,
892 &user_pol);
893 if (!NT_STATUS_IS_OK(status)) {
894 goto done;
895 }
896
897 /* Fill in the additional account flags now */
898
899 acct_flags |= ACB_PWNOEXP;
900 if (r->out.domain_is_ad) {
901 #if !defined(ENCTYPE_ARCFOUR_HMAC)
902 acct_flags |= ACB_USE_DES_KEY_ONLY;
903 #endif
904 ;;
905 }
906
907 /* Set account flags on machine account */
908 ZERO_STRUCT(user_info.info16);
909 user_info.info16.acct_flags = acct_flags;
910
911 status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
912 &user_pol,
913 16,
914 &user_info);
915
916 if (!NT_STATUS_IS_OK(status)) {
917
918 rpccli_samr_DeleteUser(pipe_hnd, mem_ctx,
919 &user_pol);
920
921 libnet_join_set_error_string(mem_ctx, r,
922 "Failed to set account flags for machine account (%s)\n",
923 nt_errstr(status));
924 goto done;
925 }
926
927 /* Set password on machine account - first try level 26 */
928
929 init_samr_CryptPasswordEx(r->in.machine_password,
930 &cli->user_session_key,
931 &crypt_pwd_ex);
932
933 user_info.info26.password = crypt_pwd_ex;
934 user_info.info26.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
935
936 status = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
937 &user_pol,
938 26,
939 &user_info);
940
941 if (NT_STATUS_EQUAL(status, NT_STATUS(DCERPC_FAULT_INVALID_TAG))) {
942
943 /* retry with level 24 */
944
945 init_samr_CryptPassword(r->in.machine_password,
946 &cli->user_session_key,
947 &crypt_pwd);
948
949 user_info.info24.password = crypt_pwd;
950 user_info.info24.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
951
952 status = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
953 &user_pol,
954 24,
955 &user_info);
956 }
957
958 if (!NT_STATUS_IS_OK(status)) {
959
960 rpccli_samr_DeleteUser(pipe_hnd, mem_ctx,
961 &user_pol);
962
963 libnet_join_set_error_string(mem_ctx, r,
964 "Failed to set password for machine account (%s)\n",
965 nt_errstr(status));
966 goto done;
967 }
968
969 status = NT_STATUS_OK;
970
971 done:
972 if (!pipe_hnd) {
973 return status;
974 }
975
976 if (is_valid_policy_hnd(&sam_pol)) {
977 rpccli_samr_Close(pipe_hnd, mem_ctx, &sam_pol);
978 }
979 if (is_valid_policy_hnd(&domain_pol)) {
980 rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
981 }
982 if (is_valid_policy_hnd(&user_pol)) {
983 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
984 }
985 TALLOC_FREE(pipe_hnd);
986
987 return status;
988 }
989
990 /****************************************************************
991 ****************************************************************/
992
993 NTSTATUS libnet_join_ok(const char *netbios_domain_name,
/* [<][>][^][v][top][bottom][index][help] */
994 const char *machine_name,
995 const char *dc_name)
996 {
997 uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
998 struct cli_state *cli = NULL;
999 struct rpc_pipe_client *pipe_hnd = NULL;
1000 struct rpc_pipe_client *netlogon_pipe = NULL;
1001 NTSTATUS status;
1002 char *machine_password = NULL;
1003 char *machine_account = NULL;
1004
1005 if (!dc_name) {
1006 return NT_STATUS_INVALID_PARAMETER;
1007 }
1008
1009 if (!secrets_init()) {
1010 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1011 }
1012
1013 machine_password = secrets_fetch_machine_password(netbios_domain_name,
1014 NULL, NULL);
1015 if (!machine_password) {
1016 return NT_STATUS_NO_TRUST_LSA_SECRET;
1017 }
1018
1019 if (asprintf(&machine_account, "%s$", machine_name) == -1) {
1020 SAFE_FREE(machine_password);
1021 return NT_STATUS_NO_MEMORY;
1022 }
1023
1024 status = cli_full_connection(&cli, NULL,
1025 dc_name,
1026 NULL, 0,
1027 "IPC$", "IPC",
1028 machine_account,
1029 NULL,
1030 machine_password,
1031 0,
1032 Undefined, NULL);
1033 free(machine_account);
1034 free(machine_password);
1035
1036 if (!NT_STATUS_IS_OK(status)) {
1037 status = cli_full_connection(&cli, NULL,
1038 dc_name,
1039 NULL, 0,
1040 "IPC$", "IPC",
1041 "",
1042 NULL,
1043 "",
1044 0,
1045 Undefined, NULL);
1046 }
1047
1048 if (!NT_STATUS_IS_OK(status)) {
1049 return status;
1050 }
1051
1052 status = get_schannel_session_key(cli, netbios_domain_name,
1053 &neg_flags, &netlogon_pipe);
1054 if (!NT_STATUS_IS_OK(status)) {
1055 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_NETWORK_RESPONSE)) {
1056 cli_shutdown(cli);
1057 return NT_STATUS_OK;
1058 }
1059
1060 DEBUG(0,("libnet_join_ok: failed to get schannel session "
1061 "key from server %s for domain %s. Error was %s\n",
1062 cli->desthost, netbios_domain_name, nt_errstr(status)));
1063 cli_shutdown(cli);
1064 return status;
1065 }
1066
1067 if (!lp_client_schannel()) {
1068 cli_shutdown(cli);
1069 return NT_STATUS_OK;
1070 }
1071
1072 status = cli_rpc_pipe_open_schannel_with_key(
1073 cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
1074 PIPE_AUTH_LEVEL_PRIVACY,
1075 netbios_domain_name, netlogon_pipe->dc, &pipe_hnd);
1076
1077 cli_shutdown(cli);
1078
1079 if (!NT_STATUS_IS_OK(status)) {
1080 DEBUG(0,("libnet_join_ok: failed to open schannel session "
1081 "on netlogon pipe to server %s for domain %s. "
1082 "Error was %s\n",
1083 cli->desthost, netbios_domain_name, nt_errstr(status)));
1084 return status;
1085 }
1086
1087 return NT_STATUS_OK;
1088 }
1089
1090 /****************************************************************
1091 ****************************************************************/
1092
1093 static WERROR libnet_join_post_verify(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
1094 struct libnet_JoinCtx *r)
1095 {
1096 NTSTATUS status;
1097
1098 status = libnet_join_ok(r->out.netbios_domain_name,
1099 r->in.machine_name,
1100 r->in.dc_name);
1101 if (!NT_STATUS_IS_OK(status)) {
1102 libnet_join_set_error_string(mem_ctx, r,
1103 "failed to verify domain membership after joining: %s",
1104 get_friendly_nt_error_msg(status));
1105 return WERR_SETUP_NOT_JOINED;
1106 }
1107
1108 return WERR_OK;
1109 }
1110
1111 /****************************************************************
1112 ****************************************************************/
1113
1114 static bool libnet_join_unjoindomain_remove_secrets(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
1115 struct libnet_UnjoinCtx *r)
1116 {
1117 if (!secrets_delete_machine_password_ex(lp_workgroup())) {
1118 return false;
1119 }
1120
1121 if (!secrets_delete_domain_sid(lp_workgroup())) {
1122 return false;
1123 }
1124
1125 return true;
1126 }
1127
1128 /****************************************************************
1129 ****************************************************************/
1130
1131 static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
1132 struct libnet_UnjoinCtx *r)
1133 {
1134 struct cli_state *cli = NULL;
1135 struct rpc_pipe_client *pipe_hnd = NULL;
1136 struct policy_handle sam_pol, domain_pol, user_pol;
1137 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1138 char *acct_name;
1139 uint32_t user_rid;
1140 struct lsa_String lsa_acct_name;
1141 struct samr_Ids user_rids;
1142 struct samr_Ids name_types;
1143 union samr_UserInfo *info = NULL;
1144
1145 ZERO_STRUCT(sam_pol);
1146 ZERO_STRUCT(domain_pol);
1147 ZERO_STRUCT(user_pol);
1148
1149 status = libnet_join_connect_dc_ipc(r->in.dc_name,
1150 r->in.admin_account,
1151 r->in.admin_password,
1152 r->in.use_kerberos,
1153 &cli);
1154 if (!NT_STATUS_IS_OK(status)) {
1155 goto done;
1156 }
1157
1158 /* Open the domain */
1159
1160 status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
1161 &pipe_hnd);
1162 if (!NT_STATUS_IS_OK(status)) {
1163 DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
1164 nt_errstr(status)));
1165 goto done;
1166 }
1167
1168 status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
1169 pipe_hnd->desthost,
1170 SEC_FLAG_MAXIMUM_ALLOWED,
1171 &sam_pol);
1172 if (!NT_STATUS_IS_OK(status)) {
1173 goto done;
1174 }
1175
1176 status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
1177 &sam_pol,
1178 SEC_FLAG_MAXIMUM_ALLOWED,
1179 r->in.domain_sid,
1180 &domain_pol);
1181 if (!NT_STATUS_IS_OK(status)) {
1182 goto done;
1183 }
1184
1185 /* Create domain user */
1186
1187 acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name);
1188 strlower_m(acct_name);
1189
1190 init_lsa_String(&lsa_acct_name, acct_name);
1191
1192 status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
1193 &domain_pol,
1194 1,
1195 &lsa_acct_name,
1196 &user_rids,
1197 &name_types);
1198
1199 if (!NT_STATUS_IS_OK(status)) {
1200 goto done;
1201 }
1202
1203 if (name_types.ids[0] != SID_NAME_USER) {
1204 DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name,
1205 name_types.ids[0]));
1206 status = NT_STATUS_INVALID_WORKSTATION;
1207 goto done;
1208 }
1209
1210 user_rid = user_rids.ids[0];
1211
1212 /* Open handle on user */
1213
1214 status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
1215 &domain_pol,
1216 SEC_FLAG_MAXIMUM_ALLOWED,
1217 user_rid,
1218 &user_pol);
1219 if (!NT_STATUS_IS_OK(status)) {
1220 goto done;
1221 }
1222
1223 /* Get user info */
1224
1225 status = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx,
1226 &user_pol,
1227 16,
1228 &info);
1229 if (!NT_STATUS_IS_OK(status)) {
1230 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
1231 goto done;
1232 }
1233
1234 /* now disable and setuser info */
1235
1236 info->info16.acct_flags |= ACB_DISABLED;
1237
1238 status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
1239 &user_pol,
1240 16,
1241 info);
1242
1243 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
1244
1245 done:
1246 if (pipe_hnd) {
1247 if (is_valid_policy_hnd(&domain_pol)) {
1248 rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
1249 }
1250 if (is_valid_policy_hnd(&sam_pol)) {
1251 rpccli_samr_Close(pipe_hnd, mem_ctx, &sam_pol);
1252 }
1253 TALLOC_FREE(pipe_hnd);
1254 }
1255
1256 if (cli) {
1257 cli_shutdown(cli);
1258 }
1259
1260 return status;
1261 }
1262
1263 /****************************************************************
1264 ****************************************************************/
1265
1266 static WERROR do_join_modify_vals_config(struct libnet_JoinCtx *r)
/* [<][>][^][v][top][bottom][index][help] */
1267 {
1268 WERROR werr;
1269 struct smbconf_ctx *ctx;
1270
1271 werr = smbconf_init_reg(r, &ctx, NULL);
1272 if (!W_ERROR_IS_OK(werr)) {
1273 goto done;
1274 }
1275
1276 if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE)) {
1277
1278 werr = smbconf_set_global_parameter(ctx, "security", "user");
1279 W_ERROR_NOT_OK_GOTO_DONE(werr);
1280
1281 werr = smbconf_set_global_parameter(ctx, "workgroup",
1282 r->in.domain_name);
1283
1284 smbconf_delete_global_parameter(ctx, "realm");
1285 goto done;
1286 }
1287
1288 werr = smbconf_set_global_parameter(ctx, "security", "domain");
1289 W_ERROR_NOT_OK_GOTO_DONE(werr);
1290
1291 werr = smbconf_set_global_parameter(ctx, "workgroup",
1292 r->out.netbios_domain_name);
1293 W_ERROR_NOT_OK_GOTO_DONE(werr);
1294
1295 if (r->out.domain_is_ad) {
1296 werr = smbconf_set_global_parameter(ctx, "security", "ads");
1297 W_ERROR_NOT_OK_GOTO_DONE(werr);
1298
1299 werr = smbconf_set_global_parameter(ctx, "realm",
1300 r->out.dns_domain_name);
1301 W_ERROR_NOT_OK_GOTO_DONE(werr);
1302 }
1303
1304 done:
1305 smbconf_shutdown(ctx);
1306 return werr;
1307 }
1308
1309 /****************************************************************
1310 ****************************************************************/
1311
1312 static WERROR do_unjoin_modify_vals_config(struct libnet_UnjoinCtx *r)
/* [<][>][^][v][top][bottom][index][help] */
1313 {
1314 WERROR werr = WERR_OK;
1315 struct smbconf_ctx *ctx;
1316
1317 werr = smbconf_init_reg(r, &ctx, NULL);
1318 if (!W_ERROR_IS_OK(werr)) {
1319 goto done;
1320 }
1321
1322 if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1323
1324 werr = smbconf_set_global_parameter(ctx, "security", "user");
1325 W_ERROR_NOT_OK_GOTO_DONE(werr);
1326
1327 werr = smbconf_delete_global_parameter(ctx, "workgroup");
1328 W_ERROR_NOT_OK_GOTO_DONE(werr);
1329
1330 smbconf_delete_global_parameter(ctx, "realm");
1331 }
1332
1333 done:
1334 smbconf_shutdown(ctx);
1335 return werr;
1336 }
1337
1338 /****************************************************************
1339 ****************************************************************/
1340
1341 static WERROR do_JoinConfig(struct libnet_JoinCtx *r)
/* [<][>][^][v][top][bottom][index][help] */
1342 {
1343 WERROR werr;
1344
1345 if (!W_ERROR_IS_OK(r->out.result)) {
1346 return r->out.result;
1347 }
1348
1349 if (!r->in.modify_config) {
1350 return WERR_OK;
1351 }
1352
1353 werr = do_join_modify_vals_config(r);
1354 if (!W_ERROR_IS_OK(werr)) {
1355 return werr;
1356 }
1357
1358 lp_load(get_dyn_CONFIGFILE(),true,false,false,true);
1359
1360 r->out.modified_config = true;
1361 r->out.result = werr;
1362
1363 return werr;
1364 }
1365
1366 /****************************************************************
1367 ****************************************************************/
1368
1369 static WERROR libnet_unjoin_config(struct libnet_UnjoinCtx *r)
/* [<][>][^][v][top][bottom][index][help] */
1370 {
1371 WERROR werr;
1372
1373 if (!W_ERROR_IS_OK(r->out.result)) {
1374 return r->out.result;
1375 }
1376
1377 if (!r->in.modify_config) {
1378 return WERR_OK;
1379 }
1380
1381 werr = do_unjoin_modify_vals_config(r);
1382 if (!W_ERROR_IS_OK(werr)) {
1383 return werr;
1384 }
1385
1386 lp_load(get_dyn_CONFIGFILE(),true,false,false,true);
1387
1388 r->out.modified_config = true;
1389 r->out.result = werr;
1390
1391 return werr;
1392 }
1393
1394 /****************************************************************
1395 ****************************************************************/
1396
1397 static bool libnet_parse_domain_dc(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
1398 const char *domain_str,
1399 const char **domain_p,
1400 const char **dc_p)
1401 {
1402 char *domain = NULL;
1403 char *dc = NULL;
1404 const char *p = NULL;
1405
1406 if (!domain_str || !domain_p || !dc_p) {
1407 return false;
1408 }
1409
1410 p = strchr_m(domain_str, '\\');
1411
1412 if (p != NULL) {
1413 domain = talloc_strndup(mem_ctx, domain_str,
1414 PTR_DIFF(p, domain_str));
1415 dc = talloc_strdup(mem_ctx, p+1);
1416 if (!dc) {
1417 return false;
1418 }
1419 } else {
1420 domain = talloc_strdup(mem_ctx, domain_str);
1421 dc = NULL;
1422 }
1423 if (!domain) {
1424 return false;
1425 }
1426
1427 *domain_p = domain;
1428
1429 if (!*dc_p && dc) {
1430 *dc_p = dc;
1431 }
1432
1433 return true;
1434 }
1435
1436 /****************************************************************
1437 ****************************************************************/
1438
1439 static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
1440 struct libnet_JoinCtx *r)
1441 {
1442 if (!r->in.domain_name) {
1443 libnet_join_set_error_string(mem_ctx, r,
1444 "No domain name defined");
1445 return WERR_INVALID_PARAM;
1446 }
1447
1448 if (!libnet_parse_domain_dc(mem_ctx, r->in.domain_name,
1449 &r->in.domain_name,
1450 &r->in.dc_name)) {
1451 libnet_join_set_error_string(mem_ctx, r,
1452 "Failed to parse domain name");
1453 return WERR_INVALID_PARAM;
1454 }
1455
1456 if (IS_DC) {
1457 return WERR_SETUP_DOMAIN_CONTROLLER;
1458 }
1459
1460 if (!secrets_init()) {
1461 libnet_join_set_error_string(mem_ctx, r,
1462 "Unable to open secrets database");
1463 return WERR_CAN_NOT_COMPLETE;
1464 }
1465
1466 return WERR_OK;
1467 }
1468
1469 /****************************************************************
1470 ****************************************************************/
1471
1472 static void libnet_join_add_dom_rids_to_builtins(struct dom_sid *domain_sid)
/* [<][>][^][v][top][bottom][index][help] */
1473 {
1474 NTSTATUS status;
1475
1476 /* Try adding dom admins to builtin\admins. Only log failures. */
1477 status = create_builtin_administrators(domain_sid);
1478 if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
1479 DEBUG(10,("Unable to auto-add domain administrators to "
1480 "BUILTIN\\Administrators during join because "
1481 "winbindd must be running."));
1482 } else if (!NT_STATUS_IS_OK(status)) {
1483 DEBUG(5, ("Failed to auto-add domain administrators to "
1484 "BUILTIN\\Administrators during join: %s\n",
1485 nt_errstr(status)));
1486 }
1487
1488 /* Try adding dom users to builtin\users. Only log failures. */
1489 status = create_builtin_users(domain_sid);
1490 if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
1491 DEBUG(10,("Unable to auto-add domain users to BUILTIN\\users "
1492 "during join because winbindd must be running."));
1493 } else if (!NT_STATUS_IS_OK(status)) {
1494 DEBUG(5, ("Failed to auto-add domain administrators to "
1495 "BUILTIN\\Administrators during join: %s\n",
1496 nt_errstr(status)));
1497 }
1498 }
1499
1500 /****************************************************************
1501 ****************************************************************/
1502
1503 static WERROR libnet_join_post_processing(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
1504 struct libnet_JoinCtx *r)
1505 {
1506 WERROR werr;
1507
1508 if (!W_ERROR_IS_OK(r->out.result)) {
1509 return r->out.result;
1510 }
1511
1512 werr = do_JoinConfig(r);
1513 if (!W_ERROR_IS_OK(werr)) {
1514 return werr;
1515 }
1516
1517 if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE)) {
1518 return WERR_OK;
1519 }
1520
1521 saf_join_store(r->out.netbios_domain_name, r->in.dc_name);
1522 if (r->out.dns_domain_name) {
1523 saf_join_store(r->out.dns_domain_name, r->in.dc_name);
1524 }
1525
1526 #ifdef WITH_ADS
1527 if (r->out.domain_is_ad) {
1528 ADS_STATUS ads_status;
1529
1530 ads_status = libnet_join_post_processing_ads(mem_ctx, r);
1531 if (!ADS_ERR_OK(ads_status)) {
1532 return WERR_GENERAL_FAILURE;
1533 }
1534 }
1535 #endif /* WITH_ADS */
1536
1537 libnet_join_add_dom_rids_to_builtins(r->out.domain_sid);
1538
1539 return WERR_OK;
1540 }
1541
1542 /****************************************************************
1543 ****************************************************************/
1544
1545 static int libnet_destroy_JoinCtx(struct libnet_JoinCtx *r)
/* [<][>][^][v][top][bottom][index][help] */
1546 {
1547 const char *krb5_cc_env = NULL;
1548
1549 if (r->in.ads) {
1550 ads_destroy(&r->in.ads);
1551 }
1552
1553 krb5_cc_env = getenv(KRB5_ENV_CCNAME);
1554 if (krb5_cc_env && StrCaseCmp(krb5_cc_env, "MEMORY:libnetjoin")) {
1555 unsetenv(KRB5_ENV_CCNAME);
1556 }
1557
1558 return 0;
1559 }
1560
1561 /****************************************************************
1562 ****************************************************************/
1563
1564 static int libnet_destroy_UnjoinCtx(struct libnet_UnjoinCtx *r)
/* [<][>][^][v][top][bottom][index][help] */
1565 {
1566 const char *krb5_cc_env = NULL;
1567
1568 if (r->in.ads) {
1569 ads_destroy(&r->in.ads);
1570 }
1571
1572 krb5_cc_env = getenv(KRB5_ENV_CCNAME);
1573 if (krb5_cc_env && StrCaseCmp(krb5_cc_env, "MEMORY:libnetjoin")) {
1574 unsetenv(KRB5_ENV_CCNAME);
1575 }
1576
1577 return 0;
1578 }
1579
1580 /****************************************************************
1581 ****************************************************************/
1582
1583 WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
1584 struct libnet_JoinCtx **r)
1585 {
1586 struct libnet_JoinCtx *ctx;
1587 const char *krb5_cc_env = NULL;
1588
1589 ctx = talloc_zero(mem_ctx, struct libnet_JoinCtx);
1590 if (!ctx) {
1591 return WERR_NOMEM;
1592 }
1593
1594 talloc_set_destructor(ctx, libnet_destroy_JoinCtx);
1595
1596 ctx->in.machine_name = talloc_strdup(mem_ctx, global_myname());
1597 W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
1598
1599 krb5_cc_env = getenv(KRB5_ENV_CCNAME);
1600 if (!krb5_cc_env || (strlen(krb5_cc_env) == 0)) {
1601 krb5_cc_env = talloc_strdup(mem_ctx, "MEMORY:libnetjoin");
1602 W_ERROR_HAVE_NO_MEMORY(krb5_cc_env);
1603 setenv(KRB5_ENV_CCNAME, krb5_cc_env, 1);
1604 }
1605
1606 ctx->in.secure_channel_type = SEC_CHAN_WKSTA;
1607
1608 *r = ctx;
1609
1610 return WERR_OK;
1611 }
1612
1613 /****************************************************************
1614 ****************************************************************/
1615
1616 WERROR libnet_init_UnjoinCtx(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
1617 struct libnet_UnjoinCtx **r)
1618 {
1619 struct libnet_UnjoinCtx *ctx;
1620 const char *krb5_cc_env = NULL;
1621
1622 ctx = talloc_zero(mem_ctx, struct libnet_UnjoinCtx);
1623 if (!ctx) {
1624 return WERR_NOMEM;
1625 }
1626
1627 talloc_set_destructor(ctx, libnet_destroy_UnjoinCtx);
1628
1629 ctx->in.machine_name = talloc_strdup(mem_ctx, global_myname());
1630 W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
1631
1632 krb5_cc_env = getenv(KRB5_ENV_CCNAME);
1633 if (!krb5_cc_env || (strlen(krb5_cc_env) == 0)) {
1634 krb5_cc_env = talloc_strdup(mem_ctx, "MEMORY:libnetjoin");
1635 W_ERROR_HAVE_NO_MEMORY(krb5_cc_env);
1636 setenv(KRB5_ENV_CCNAME, krb5_cc_env, 1);
1637 }
1638
1639 *r = ctx;
1640
1641 return WERR_OK;
1642 }
1643
1644 /****************************************************************
1645 ****************************************************************/
1646
1647 static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
1648 struct libnet_JoinCtx *r)
1649 {
1650 bool valid_security = false;
1651 bool valid_workgroup = false;
1652 bool valid_realm = false;
1653
1654 /* check if configuration is already set correctly */
1655
1656 valid_workgroup = strequal(lp_workgroup(), r->out.netbios_domain_name);
1657
1658 switch (r->out.domain_is_ad) {
1659 case false:
1660 valid_security = (lp_security() == SEC_DOMAIN);
1661 if (valid_workgroup && valid_security) {
1662 /* nothing to be done */
1663 return WERR_OK;
1664 }
1665 break;
1666 case true:
1667 valid_realm = strequal(lp_realm(), r->out.dns_domain_name);
1668 switch (lp_security()) {
1669 case SEC_DOMAIN:
1670 case SEC_ADS:
1671 valid_security = true;
1672 }
1673
1674 if (valid_workgroup && valid_realm && valid_security) {
1675 /* nothing to be done */
1676 return WERR_OK;
1677 }
1678 break;
1679 }
1680
1681 /* check if we are supposed to manipulate configuration */
1682
1683 if (!r->in.modify_config) {
1684
1685 char *wrong_conf = talloc_strdup(mem_ctx, "");
1686
1687 if (!valid_workgroup) {
1688 wrong_conf = talloc_asprintf_append(wrong_conf,
1689 "\"workgroup\" set to '%s', should be '%s'",
1690 lp_workgroup(), r->out.netbios_domain_name);
1691 W_ERROR_HAVE_NO_MEMORY(wrong_conf);
1692 }
1693
1694 if (!valid_realm) {
1695 wrong_conf = talloc_asprintf_append(wrong_conf,
1696 "\"realm\" set to '%s', should be '%s'",
1697 lp_realm(), r->out.dns_domain_name);
1698 W_ERROR_HAVE_NO_MEMORY(wrong_conf);
1699 }
1700
1701 if (!valid_security) {
1702 const char *sec = NULL;
1703 switch (lp_security()) {
1704 case SEC_SHARE: sec = "share"; break;
1705 case SEC_USER: sec = "user"; break;
1706 case SEC_DOMAIN: sec = "domain"; break;
1707 case SEC_ADS: sec = "ads"; break;
1708 }
1709 wrong_conf = talloc_asprintf_append(wrong_conf,
1710 "\"security\" set to '%s', should be %s",
1711 sec, r->out.domain_is_ad ?
1712 "either 'domain' or 'ads'" : "'domain'");
1713 W_ERROR_HAVE_NO_MEMORY(wrong_conf);
1714 }
1715
1716 libnet_join_set_error_string(mem_ctx, r,
1717 "Invalid configuration (%s) and configuration modification "
1718 "was not requested", wrong_conf);
1719 return WERR_CAN_NOT_COMPLETE;
1720 }
1721
1722 /* check if we are able to manipulate configuration */
1723
1724 if (!lp_config_backend_is_registry()) {
1725 libnet_join_set_error_string(mem_ctx, r,
1726 "Configuration manipulation requested but not "
1727 "supported by backend");
1728 return WERR_NOT_SUPPORTED;
1729 }
1730
1731 return WERR_OK;
1732 }
1733
1734 /****************************************************************
1735 ****************************************************************/
1736
1737 static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
1738 struct libnet_JoinCtx *r)
1739 {
1740 NTSTATUS status;
1741 WERROR werr;
1742 struct cli_state *cli = NULL;
1743 #ifdef WITH_ADS
1744 ADS_STATUS ads_status;
1745 #endif /* WITH_ADS */
1746
1747 if (!r->in.dc_name) {
1748 struct netr_DsRGetDCNameInfo *info;
1749 const char *dc;
1750 status = dsgetdcname(mem_ctx,
1751 r->in.msg_ctx,
1752 r->in.domain_name,
1753 NULL,
1754 NULL,
1755 DS_FORCE_REDISCOVERY |
1756 DS_DIRECTORY_SERVICE_REQUIRED |
1757 DS_WRITABLE_REQUIRED |
1758 DS_RETURN_DNS_NAME,
1759 &info);
1760 if (!NT_STATUS_IS_OK(status)) {
1761 libnet_join_set_error_string(mem_ctx, r,
1762 "failed to find DC for domain %s",
1763 r->in.domain_name,
1764 get_friendly_nt_error_msg(status));
1765 return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
1766 }
1767
1768 dc = strip_hostname(info->dc_unc);
1769 r->in.dc_name = talloc_strdup(mem_ctx, dc);
1770 W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
1771 }
1772
1773 status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli);
1774 if (!NT_STATUS_IS_OK(status)) {
1775 libnet_join_set_error_string(mem_ctx, r,
1776 "failed to lookup DC info for domain '%s' over rpc: %s",
1777 r->in.domain_name, get_friendly_nt_error_msg(status));
1778 return ntstatus_to_werror(status);
1779 }
1780
1781 werr = libnet_join_check_config(mem_ctx, r);
1782 if (!W_ERROR_IS_OK(werr)) {
1783 goto done;
1784 }
1785
1786 #ifdef WITH_ADS
1787 if (r->out.domain_is_ad && r->in.account_ou) {
1788
1789 ads_status = libnet_join_connect_ads(mem_ctx, r);
1790 if (!ADS_ERR_OK(ads_status)) {
1791 return WERR_DEFAULT_JOIN_REQUIRED;
1792 }
1793
1794 ads_status = libnet_join_precreate_machine_acct(mem_ctx, r);
1795 if (!ADS_ERR_OK(ads_status)) {
1796 libnet_join_set_error_string(mem_ctx, r,
1797 "failed to precreate account in ou %s: %s",
1798 r->in.account_ou,
1799 ads_errstr(ads_status));
1800 return WERR_DEFAULT_JOIN_REQUIRED;
1801 }
1802
1803 r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE;
1804 }
1805 #endif /* WITH_ADS */
1806
1807 status = libnet_join_joindomain_rpc(mem_ctx, r, cli);
1808 if (!NT_STATUS_IS_OK(status)) {
1809 libnet_join_set_error_string(mem_ctx, r,
1810 "failed to join domain '%s' over rpc: %s",
1811 r->in.domain_name, get_friendly_nt_error_msg(status));
1812 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
1813 return WERR_SETUP_ALREADY_JOINED;
1814 }
1815 werr = ntstatus_to_werror(status);
1816 goto done;
1817 }
1818
1819 if (!libnet_join_joindomain_store_secrets(mem_ctx, r)) {
1820 werr = WERR_SETUP_NOT_JOINED;
1821 goto done;
1822 }
1823
1824 werr = WERR_OK;
1825
1826 done:
1827 if (cli) {
1828 cli_shutdown(cli);
1829 }
1830
1831 return werr;
1832 }
1833
1834 /****************************************************************
1835 ****************************************************************/
1836
1837 static WERROR libnet_join_rollback(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
1838 struct libnet_JoinCtx *r)
1839 {
1840 WERROR werr;
1841 struct libnet_UnjoinCtx *u = NULL;
1842
1843 werr = libnet_init_UnjoinCtx(mem_ctx, &u);
1844 if (!W_ERROR_IS_OK(werr)) {
1845 return werr;
1846 }
1847
1848 u->in.debug = r->in.debug;
1849 u->in.dc_name = r->in.dc_name;
1850 u->in.domain_name = r->in.domain_name;
1851 u->in.admin_account = r->in.admin_account;
1852 u->in.admin_password = r->in.admin_password;
1853 u->in.modify_config = r->in.modify_config;
1854 u->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
1855 WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
1856
1857 werr = libnet_Unjoin(mem_ctx, u);
1858 TALLOC_FREE(u);
1859
1860 return werr;
1861 }
1862
1863 /****************************************************************
1864 ****************************************************************/
1865
1866 WERROR libnet_Join(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
1867 struct libnet_JoinCtx *r)
1868 {
1869 WERROR werr;
1870
1871 if (r->in.debug) {
1872 LIBNET_JOIN_IN_DUMP_CTX(mem_ctx, r);
1873 }
1874
1875 werr = libnet_join_pre_processing(mem_ctx, r);
1876 if (!W_ERROR_IS_OK(werr)) {
1877 goto done;
1878 }
1879
1880 if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1881 werr = libnet_DomainJoin(mem_ctx, r);
1882 if (!W_ERROR_IS_OK(werr)) {
1883 goto done;
1884 }
1885 }
1886
1887 werr = libnet_join_post_processing(mem_ctx, r);
1888 if (!W_ERROR_IS_OK(werr)) {
1889 goto done;
1890 }
1891
1892 if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1893 werr = libnet_join_post_verify(mem_ctx, r);
1894 if (!W_ERROR_IS_OK(werr)) {
1895 libnet_join_rollback(mem_ctx, r);
1896 }
1897 }
1898
1899 done:
1900 r->out.result = werr;
1901
1902 if (r->in.debug) {
1903 LIBNET_JOIN_OUT_DUMP_CTX(mem_ctx, r);
1904 }
1905 return werr;
1906 }
1907
1908 /****************************************************************
1909 ****************************************************************/
1910
1911 static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
1912 struct libnet_UnjoinCtx *r)
1913 {
1914 NTSTATUS status;
1915
1916 if (!r->in.domain_sid) {
1917 struct dom_sid sid;
1918 if (!secrets_fetch_domain_sid(lp_workgroup(), &sid)) {
1919 libnet_unjoin_set_error_string(mem_ctx, r,
1920 "Unable to fetch domain sid: are we joined?");
1921 return WERR_SETUP_NOT_JOINED;
1922 }
1923 r->in.domain_sid = sid_dup_talloc(mem_ctx, &sid);
1924 W_ERROR_HAVE_NO_MEMORY(r->in.domain_sid);
1925 }
1926
1927 if (!(r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) &&
1928 !r->in.delete_machine_account) {
1929 libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
1930 return WERR_OK;
1931 }
1932
1933 if (!r->in.dc_name) {
1934 struct netr_DsRGetDCNameInfo *info;
1935 const char *dc;
1936 status = dsgetdcname(mem_ctx,
1937 r->in.msg_ctx,
1938 r->in.domain_name,
1939 NULL,
1940 NULL,
1941 DS_DIRECTORY_SERVICE_REQUIRED |
1942 DS_WRITABLE_REQUIRED |
1943 DS_RETURN_DNS_NAME,
1944 &info);
1945 if (!NT_STATUS_IS_OK(status)) {
1946 libnet_unjoin_set_error_string(mem_ctx, r,
1947 "failed to find DC for domain %s",
1948 r->in.domain_name,
1949 get_friendly_nt_error_msg(status));
1950 return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
1951 }
1952
1953 dc = strip_hostname(info->dc_unc);
1954 r->in.dc_name = talloc_strdup(mem_ctx, dc);
1955 W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
1956 }
1957
1958 #ifdef WITH_ADS
1959 /* for net ads leave, try to delete the account. If it works,
1960 no sense in disabling. If it fails, we can still try to
1961 disable it. jmcd */
1962
1963 if (r->in.delete_machine_account) {
1964 ADS_STATUS ads_status;
1965 ads_status = libnet_unjoin_connect_ads(mem_ctx, r);
1966 if (ADS_ERR_OK(ads_status)) {
1967 /* dirty hack */
1968 r->out.dns_domain_name =
1969 talloc_strdup(mem_ctx,
1970 r->in.ads->server.realm);
1971 ads_status =
1972 libnet_unjoin_remove_machine_acct(mem_ctx, r);
1973 }
1974 if (!ADS_ERR_OK(ads_status)) {
1975 libnet_unjoin_set_error_string(mem_ctx, r,
1976 "failed to remove machine account from AD: %s",
1977 ads_errstr(ads_status));
1978 } else {
1979 r->out.deleted_machine_account = true;
1980 W_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name);
1981 libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
1982 return WERR_OK;
1983 }
1984 }
1985 #endif /* WITH_ADS */
1986
1987 /* The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag really means
1988 "disable". */
1989 if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) {
1990 status = libnet_join_unjoindomain_rpc(mem_ctx, r);
1991 if (!NT_STATUS_IS_OK(status)) {
1992 libnet_unjoin_set_error_string(mem_ctx, r,
1993 "failed to disable machine account via rpc: %s",
1994 get_friendly_nt_error_msg(status));
1995 if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1996 return WERR_SETUP_NOT_JOINED;
1997 }
1998 return ntstatus_to_werror(status);
1999 }
2000
2001 r->out.disabled_machine_account = true;
2002 }
2003
2004 /* If disable succeeded or was not requested at all, we
2005 should be getting rid of our end of things */
2006
2007 libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
2008
2009 return WERR_OK;
2010 }
2011
2012 /****************************************************************
2013 ****************************************************************/
2014
2015 static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
2016 struct libnet_UnjoinCtx *r)
2017 {
2018 if (!r->in.domain_name) {
2019 libnet_unjoin_set_error_string(mem_ctx, r,
2020 "No domain name defined");
2021 return WERR_INVALID_PARAM;
2022 }
2023
2024 if (!libnet_parse_domain_dc(mem_ctx, r->in.domain_name,
2025 &r->in.domain_name,
2026 &r->in.dc_name)) {
2027 libnet_unjoin_set_error_string(mem_ctx, r,
2028 "Failed to parse domain name");
2029 return WERR_INVALID_PARAM;
2030 }
2031
2032 if (IS_DC) {
2033 return WERR_SETUP_DOMAIN_CONTROLLER;
2034 }
2035
2036 if (!secrets_init()) {
2037 libnet_unjoin_set_error_string(mem_ctx, r,
2038 "Unable to open secrets database");
2039 return WERR_CAN_NOT_COMPLETE;
2040 }
2041
2042 return WERR_OK;
2043 }
2044
2045 /****************************************************************
2046 ****************************************************************/
2047
2048 static WERROR libnet_unjoin_post_processing(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
2049 struct libnet_UnjoinCtx *r)
2050 {
2051 saf_delete(r->out.netbios_domain_name);
2052 saf_delete(r->out.dns_domain_name);
2053
2054 return libnet_unjoin_config(r);
2055 }
2056
2057 /****************************************************************
2058 ****************************************************************/
2059
2060 WERROR libnet_Unjoin(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
2061 struct libnet_UnjoinCtx *r)
2062 {
2063 WERROR werr;
2064
2065 if (r->in.debug) {
2066 LIBNET_UNJOIN_IN_DUMP_CTX(mem_ctx, r);
2067 }
2068
2069 werr = libnet_unjoin_pre_processing(mem_ctx, r);
2070 if (!W_ERROR_IS_OK(werr)) {
2071 goto done;
2072 }
2073
2074 if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
2075 werr = libnet_DomainUnjoin(mem_ctx, r);
2076 if (!W_ERROR_IS_OK(werr)) {
2077 libnet_unjoin_config(r);
2078 goto done;
2079 }
2080 }
2081
2082 werr = libnet_unjoin_post_processing(mem_ctx, r);
2083 if (!W_ERROR_IS_OK(werr)) {
2084 goto done;
2085 }
2086
2087 done:
2088 r->out.result = werr;
2089
2090 if (r->in.debug) {
2091 LIBNET_UNJOIN_OUT_DUMP_CTX(mem_ctx, r);
2092 }
2093
2094 return werr;
2095 }