root/source3/libnet/libnet_join.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. libnet_join_set_error_string
  2. libnet_unjoin_set_error_string
  3. libnet_connect_ads
  4. libnet_join_connect_ads
  5. libnet_unjoin_connect_ads
  6. libnet_join_precreate_machine_acct
  7. libnet_unjoin_remove_machine_acct
  8. libnet_join_find_machine_acct
  9. libnet_join_set_machine_spn
  10. libnet_join_set_machine_upn
  11. libnet_join_set_os_attributes
  12. libnet_join_create_keytab
  13. libnet_join_derive_salting_principal
  14. libnet_join_post_processing_ads
  15. libnet_join_joindomain_store_secrets
  16. libnet_join_connect_dc_ipc
  17. libnet_join_lookup_dc_rpc
  18. libnet_join_joindomain_rpc
  19. libnet_join_ok
  20. libnet_join_post_verify
  21. libnet_join_unjoindomain_remove_secrets
  22. libnet_join_unjoindomain_rpc
  23. do_join_modify_vals_config
  24. do_unjoin_modify_vals_config
  25. do_JoinConfig
  26. libnet_unjoin_config
  27. libnet_parse_domain_dc
  28. libnet_join_pre_processing
  29. libnet_join_add_dom_rids_to_builtins
  30. libnet_join_post_processing
  31. libnet_destroy_JoinCtx
  32. libnet_destroy_UnjoinCtx
  33. libnet_init_JoinCtx
  34. libnet_init_UnjoinCtx
  35. libnet_join_check_config
  36. libnet_DomainJoin
  37. libnet_join_rollback
  38. libnet_Join
  39. libnet_DomainUnjoin
  40. libnet_unjoin_pre_processing
  41. libnet_unjoin_post_processing
  42. libnet_Unjoin

   1 /*
   2  *  Unix SMB/CIFS implementation.
   3  *  libnet Join Support
   4  *  Copyright (C) Gerald (Jerry) Carter 2006
   5  *  Copyright (C) Guenther Deschner 2007-2008
   6  *
   7  *  This program is free software; you can redistribute it and/or modify
   8  *  it under the terms of the GNU General Public License as published by
   9  *  the Free Software Foundation; either version 3 of the License, or
  10  *  (at your option) any later version.
  11  *
  12  *  This program is distributed in the hope that it will be useful,
  13  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  14  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15  *  GNU General Public License for more details.
  16  *
  17  *  You should have received a copy of the GNU General Public License
  18  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
  19  */
  20 
  21 #include "includes.h"
  22 #include "libnet/libnet.h"
  23 
  24 /****************************************************************
  25 ****************************************************************/
  26 
  27 #define LIBNET_JOIN_DUMP_CTX(ctx, r, f) \
  28         do { \
  29                 char *str = NULL; \
  30                 str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_JoinCtx, f, r); \
  31                 DEBUG(1,("libnet_Join:\n%s", str)); \
  32                 TALLOC_FREE(str); \
  33         } while (0)
  34 
  35 #define LIBNET_JOIN_IN_DUMP_CTX(ctx, r) \
  36         LIBNET_JOIN_DUMP_CTX(ctx, r, NDR_IN | NDR_SET_VALUES)
  37 #define LIBNET_JOIN_OUT_DUMP_CTX(ctx, r) \
  38         LIBNET_JOIN_DUMP_CTX(ctx, r, NDR_OUT)
  39 
  40 #define LIBNET_UNJOIN_DUMP_CTX(ctx, r, f) \
  41         do { \
  42                 char *str = NULL; \
  43                 str = NDR_PRINT_FUNCTION_STRING(ctx, libnet_UnjoinCtx, f, r); \
  44                 DEBUG(1,("libnet_Unjoin:\n%s", str)); \
  45                 TALLOC_FREE(str); \
  46         } while (0)
  47 
  48 #define LIBNET_UNJOIN_IN_DUMP_CTX(ctx, r) \
  49         LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_IN | NDR_SET_VALUES)
  50 #define LIBNET_UNJOIN_OUT_DUMP_CTX(ctx, r) \
  51         LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_OUT)
  52 
  53 /****************************************************************
  54 ****************************************************************/
  55 
  56 static void libnet_join_set_error_string(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
  57                                          struct libnet_JoinCtx *r,
  58                                          const char *format, ...)
  59 {
  60         va_list args;
  61 
  62         if (r->out.error_string) {
  63                 return;
  64         }
  65 
  66         va_start(args, format);
  67         r->out.error_string = talloc_vasprintf(mem_ctx, format, args);
  68         va_end(args);
  69 }
  70 
  71 /****************************************************************
  72 ****************************************************************/
  73 
  74 static void libnet_unjoin_set_error_string(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
  75                                            struct libnet_UnjoinCtx *r,
  76                                            const char *format, ...)
  77 {
  78         va_list args;
  79 
  80         if (r->out.error_string) {
  81                 return;
  82         }
  83 
  84         va_start(args, format);
  85         r->out.error_string = talloc_vasprintf(mem_ctx, format, args);
  86         va_end(args);
  87 }
  88 
  89 #ifdef WITH_ADS
  90 
  91 /****************************************************************
  92 ****************************************************************/
  93 
  94 static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
     /* [<][>][^][v][top][bottom][index][help] */
  95                                      const char *netbios_domain_name,
  96                                      const char *dc_name,
  97                                      const char *user_name,
  98                                      const char *password,
  99                                      ADS_STRUCT **ads)
 100 {
 101         ADS_STATUS status;
 102         ADS_STRUCT *my_ads = NULL;
 103 
 104         my_ads = ads_init(dns_domain_name,
 105                           netbios_domain_name,
 106                           dc_name);
 107         if (!my_ads) {
 108                 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
 109         }
 110 
 111         if (user_name) {
 112                 SAFE_FREE(my_ads->auth.user_name);
 113                 my_ads->auth.user_name = SMB_STRDUP(user_name);
 114         }
 115 
 116         if (password) {
 117                 SAFE_FREE(my_ads->auth.password);
 118                 my_ads->auth.password = SMB_STRDUP(password);
 119         }
 120 
 121         status = ads_connect_user_creds(my_ads);
 122         if (!ADS_ERR_OK(status)) {
 123                 ads_destroy(&my_ads);
 124                 return status;
 125         }
 126 
 127         *ads = my_ads;
 128         return ADS_SUCCESS;
 129 }
 130 
 131 /****************************************************************
 132 ****************************************************************/
 133 
 134 static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
 135                                           struct libnet_JoinCtx *r)
 136 {
 137         ADS_STATUS status;
 138 
 139         status = libnet_connect_ads(r->out.dns_domain_name,
 140                                     r->out.netbios_domain_name,
 141                                     r->in.dc_name,
 142                                     r->in.admin_account,
 143                                     r->in.admin_password,
 144                                     &r->in.ads);
 145         if (!ADS_ERR_OK(status)) {
 146                 libnet_join_set_error_string(mem_ctx, r,
 147                         "failed to connect to AD: %s",
 148                         ads_errstr(status));
 149                 return status;
 150         }
 151 
 152         if (!r->out.netbios_domain_name) {
 153                 r->out.netbios_domain_name = talloc_strdup(mem_ctx,
 154                                                            r->in.ads->server.workgroup);
 155                 ADS_ERROR_HAVE_NO_MEMORY(r->out.netbios_domain_name);
 156         }
 157 
 158         if (!r->out.dns_domain_name) {
 159                 r->out.dns_domain_name = talloc_strdup(mem_ctx,
 160                                                        r->in.ads->config.realm);
 161                 ADS_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name);
 162         }
 163 
 164         r->out.domain_is_ad = true;
 165 
 166         return ADS_SUCCESS;
 167 }
 168 
 169 /****************************************************************
 170 ****************************************************************/
 171 
 172 static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
 173                                             struct libnet_UnjoinCtx *r)
 174 {
 175         ADS_STATUS status;
 176 
 177         status = libnet_connect_ads(r->in.domain_name,
 178                                     r->in.domain_name,
 179                                     r->in.dc_name,
 180                                     r->in.admin_account,
 181                                     r->in.admin_password,
 182                                     &r->in.ads);
 183         if (!ADS_ERR_OK(status)) {
 184                 libnet_unjoin_set_error_string(mem_ctx, r,
 185                         "failed to connect to AD: %s",
 186                         ads_errstr(status));
 187         }
 188 
 189         return status;
 190 }
 191 
 192 /****************************************************************
 193  join a domain using ADS (LDAP mods)
 194 ****************************************************************/
 195 
 196 static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
 197                                                      struct libnet_JoinCtx *r)
 198 {
 199         ADS_STATUS status;
 200         LDAPMessage *res = NULL;
 201         const char *attrs[] = { "dn", NULL };
 202         bool moved = false;
 203 
 204         status = ads_check_ou_dn(mem_ctx, r->in.ads, &r->in.account_ou);
 205         if (!ADS_ERR_OK(status)) {
 206                 return status;
 207         }
 208 
 209         status = ads_search_dn(r->in.ads, &res, r->in.account_ou, attrs);
 210         if (!ADS_ERR_OK(status)) {
 211                 return status;
 212         }
 213 
 214         if (ads_count_replies(r->in.ads, res) != 1) {
 215                 ads_msgfree(r->in.ads, res);
 216                 return ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT);
 217         }
 218 
 219         ads_msgfree(r->in.ads, res);
 220 
 221         /* Attempt to create the machine account and bail if this fails.
 222            Assume that the admin wants exactly what they requested */
 223 
 224         status = ads_create_machine_acct(r->in.ads,
 225                                          r->in.machine_name,
 226                                          r->in.account_ou);
 227 
 228         if (ADS_ERR_OK(status)) {
 229                 DEBUG(1,("machine account creation created\n"));
 230                 return status;
 231         } else  if ((status.error_type == ENUM_ADS_ERROR_LDAP) &&
 232                     (status.err.rc == LDAP_ALREADY_EXISTS)) {
 233                 status = ADS_SUCCESS;
 234         }
 235 
 236         if (!ADS_ERR_OK(status)) {
 237                 DEBUG(1,("machine account creation failed\n"));
 238                 return status;
 239         }
 240 
 241         status = ads_move_machine_acct(r->in.ads,
 242                                        r->in.machine_name,
 243                                        r->in.account_ou,
 244                                        &moved);
 245         if (!ADS_ERR_OK(status)) {
 246                 DEBUG(1,("failure to locate/move pre-existing "
 247                         "machine account\n"));
 248                 return status;
 249         }
 250 
 251         DEBUG(1,("The machine account %s the specified OU.\n",
 252                 moved ? "was moved into" : "already exists in"));
 253 
 254         return status;
 255 }
 256 
 257 /****************************************************************
 258 ****************************************************************/
 259 
 260 static ADS_STATUS libnet_unjoin_remove_machine_acct(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
 261                                                     struct libnet_UnjoinCtx *r)
 262 {
 263         ADS_STATUS status;
 264 
 265         if (!r->in.ads) {
 266                 return libnet_unjoin_connect_ads(mem_ctx, r);
 267         }
 268 
 269         status = ads_leave_realm(r->in.ads, r->in.machine_name);
 270         if (!ADS_ERR_OK(status)) {
 271                 libnet_unjoin_set_error_string(mem_ctx, r,
 272                         "failed to leave realm: %s",
 273                         ads_errstr(status));
 274                 return status;
 275         }
 276 
 277         return ADS_SUCCESS;
 278 }
 279 
 280 /****************************************************************
 281 ****************************************************************/
 282 
 283 static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
 284                                                 struct libnet_JoinCtx *r)
 285 {
 286         ADS_STATUS status;
 287         LDAPMessage *res = NULL;
 288         char *dn = NULL;
 289 
 290         if (!r->in.machine_name) {
 291                 return ADS_ERROR(LDAP_NO_MEMORY);
 292         }
 293 
 294         status = ads_find_machine_acct(r->in.ads,
 295                                        &res,
 296                                        r->in.machine_name);
 297         if (!ADS_ERR_OK(status)) {
 298                 return status;
 299         }
 300 
 301         if (ads_count_replies(r->in.ads, res) != 1) {
 302                 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
 303                 goto done;
 304         }
 305 
 306         dn = ads_get_dn(r->in.ads, mem_ctx, res);
 307         if (!dn) {
 308                 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
 309                 goto done;
 310         }
 311 
 312         r->out.dn = talloc_strdup(mem_ctx, dn);
 313         if (!r->out.dn) {
 314                 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
 315                 goto done;
 316         }
 317 
 318  done:
 319         ads_msgfree(r->in.ads, res);
 320         TALLOC_FREE(dn);
 321 
 322         return status;
 323 }
 324 
 325 /****************************************************************
 326  Set a machines dNSHostName and servicePrincipalName attributes
 327 ****************************************************************/
 328 
 329 static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
 330                                               struct libnet_JoinCtx *r)
 331 {
 332         ADS_STATUS status;
 333         ADS_MODLIST mods;
 334         fstring my_fqdn;
 335         const char *spn_array[3] = {NULL, NULL, NULL};
 336         char *spn = NULL;
 337 
 338         /* Find our DN */
 339 
 340         status = libnet_join_find_machine_acct(mem_ctx, r);
 341         if (!ADS_ERR_OK(status)) {
 342                 return status;
 343         }
 344 
 345         /* Windows only creates HOST/shortname & HOST/fqdn. */
 346 
 347         spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
 348         if (!spn) {
 349                 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
 350         }
 351         strupper_m(spn);
 352         spn_array[0] = spn;
 353 
 354         if (!name_to_fqdn(my_fqdn, r->in.machine_name)
 355             || (strchr(my_fqdn, '.') == NULL)) {
 356                 fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name,
 357                              r->out.dns_domain_name);
 358         }
 359 
 360         strlower_m(my_fqdn);
 361 
 362         if (!strequal(my_fqdn, r->in.machine_name)) {
 363                 spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn);
 364                 if (!spn) {
 365                         return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
 366                 }
 367                 spn_array[1] = spn;
 368         }
 369 
 370         mods = ads_init_mods(mem_ctx);
 371         if (!mods) {
 372                 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
 373         }
 374 
 375         /* fields of primary importance */
 376 
 377         status = ads_mod_str(mem_ctx, &mods, "dNSHostName", my_fqdn);
 378         if (!ADS_ERR_OK(status)) {
 379                 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
 380         }
 381 
 382         status = ads_mod_strlist(mem_ctx, &mods, "servicePrincipalName",
 383                                  spn_array);
 384         if (!ADS_ERR_OK(status)) {
 385                 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
 386         }
 387 
 388         return ads_gen_mod(r->in.ads, r->out.dn, mods);
 389 }
 390 
 391 /****************************************************************
 392 ****************************************************************/
 393 
 394 static ADS_STATUS libnet_join_set_machine_upn(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
 395                                               struct libnet_JoinCtx *r)
 396 {
 397         ADS_STATUS status;
 398         ADS_MODLIST mods;
 399 
 400         if (!r->in.create_upn) {
 401                 return ADS_SUCCESS;
 402         }
 403 
 404         /* Find our DN */
 405 
 406         status = libnet_join_find_machine_acct(mem_ctx, r);
 407         if (!ADS_ERR_OK(status)) {
 408                 return status;
 409         }
 410 
 411         if (!r->in.upn) {
 412                 r->in.upn = talloc_asprintf(mem_ctx,
 413                                             "host/%s@%s",
 414                                             r->in.machine_name,
 415                                             r->out.dns_domain_name);
 416                 if (!r->in.upn) {
 417                         return ADS_ERROR(LDAP_NO_MEMORY);
 418                 }
 419         }
 420 
 421         /* now do the mods */
 422 
 423         mods = ads_init_mods(mem_ctx);
 424         if (!mods) {
 425                 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
 426         }
 427 
 428         /* fields of primary importance */
 429 
 430         status = ads_mod_str(mem_ctx, &mods, "userPrincipalName", r->in.upn);
 431         if (!ADS_ERR_OK(status)) {
 432                 return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
 433         }
 434 
 435         return ads_gen_mod(r->in.ads, r->out.dn, mods);
 436 }
 437 
 438 
 439 /****************************************************************
 440 ****************************************************************/
 441 
 442 static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
 443                                                 struct libnet_JoinCtx *r)
 444 {
 445         ADS_STATUS status;
 446         ADS_MODLIST mods;
 447         char *os_sp = NULL;
 448 
 449         if (!r->in.os_name || !r->in.os_version ) {
 450                 return ADS_SUCCESS;
 451         }
 452 
 453         /* Find our DN */
 454 
 455         status = libnet_join_find_machine_acct(mem_ctx, r);
 456         if (!ADS_ERR_OK(status)) {
 457                 return status;
 458         }
 459 
 460         /* now do the mods */
 461 
 462         mods = ads_init_mods(mem_ctx);
 463         if (!mods) {
 464                 return ADS_ERROR(LDAP_NO_MEMORY);
 465         }
 466 
 467         os_sp = talloc_asprintf(mem_ctx, "Samba %s", samba_version_string());
 468         if (!os_sp) {
 469                 return ADS_ERROR(LDAP_NO_MEMORY);
 470         }
 471 
 472         /* fields of primary importance */
 473 
 474         status = ads_mod_str(mem_ctx, &mods, "operatingSystem",
 475                              r->in.os_name);
 476         if (!ADS_ERR_OK(status)) {
 477                 return status;
 478         }
 479 
 480         status = ads_mod_str(mem_ctx, &mods, "operatingSystemVersion",
 481                              r->in.os_version);
 482         if (!ADS_ERR_OK(status)) {
 483                 return status;
 484         }
 485 
 486         status = ads_mod_str(mem_ctx, &mods, "operatingSystemServicePack",
 487                              os_sp);
 488         if (!ADS_ERR_OK(status)) {
 489                 return status;
 490         }
 491 
 492         return ads_gen_mod(r->in.ads, r->out.dn, mods);
 493 }
 494 
 495 /****************************************************************
 496 ****************************************************************/
 497 
 498 static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
 499                                       struct libnet_JoinCtx *r)
 500 {
 501         if (!USE_SYSTEM_KEYTAB) {
 502                 return true;
 503         }
 504 
 505         if (ads_keytab_create_default(r->in.ads) != 0) {
 506                 return false;
 507         }
 508 
 509         return true;
 510 }
 511 
 512 /****************************************************************
 513 ****************************************************************/
 514 
 515 static bool libnet_join_derive_salting_principal(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
 516                                                  struct libnet_JoinCtx *r)
 517 {
 518         uint32_t domain_func;
 519         ADS_STATUS status;
 520         const char *salt = NULL;
 521         char *std_salt = NULL;
 522 
 523         status = ads_domain_func_level(r->in.ads, &domain_func);
 524         if (!ADS_ERR_OK(status)) {
 525                 libnet_join_set_error_string(mem_ctx, r,
 526                         "failed to determine domain functional level: %s",
 527                         ads_errstr(status));
 528                 return false;
 529         }
 530 
 531         /* go ahead and setup the default salt */
 532 
 533         std_salt = kerberos_standard_des_salt();
 534         if (!std_salt) {
 535                 libnet_join_set_error_string(mem_ctx, r,
 536                         "failed to obtain standard DES salt");
 537                 return false;
 538         }
 539 
 540         salt = talloc_strdup(mem_ctx, std_salt);
 541         if (!salt) {
 542                 return false;
 543         }
 544 
 545         SAFE_FREE(std_salt);
 546 
 547         /* if it's a Windows functional domain, we have to look for the UPN */
 548 
 549         if (domain_func == DS_DOMAIN_FUNCTION_2000) {
 550                 char *upn;
 551 
 552                 upn = ads_get_upn(r->in.ads, mem_ctx,
 553                                   r->in.machine_name);
 554                 if (upn) {
 555                         salt = talloc_strdup(mem_ctx, upn);
 556                         if (!salt) {
 557                                 return false;
 558                         }
 559                 }
 560         }
 561 
 562         return kerberos_secrets_store_des_salt(salt);
 563 }
 564 
 565 /****************************************************************
 566 ****************************************************************/
 567 
 568 static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
 569                                                   struct libnet_JoinCtx *r)
 570 {
 571         ADS_STATUS status;
 572 
 573         if (!r->in.ads) {
 574                 status = libnet_join_connect_ads(mem_ctx, r);
 575                 if (!ADS_ERR_OK(status)) {
 576                         return status;
 577                 }
 578         }
 579 
 580         status = libnet_join_set_machine_spn(mem_ctx, r);
 581         if (!ADS_ERR_OK(status)) {
 582                 libnet_join_set_error_string(mem_ctx, r,
 583                         "failed to set machine spn: %s",
 584                         ads_errstr(status));
 585                 return status;
 586         }
 587 
 588         status = libnet_join_set_os_attributes(mem_ctx, r);
 589         if (!ADS_ERR_OK(status)) {
 590                 libnet_join_set_error_string(mem_ctx, r,
 591                         "failed to set machine os attributes: %s",
 592                         ads_errstr(status));
 593                 return status;
 594         }
 595 
 596         status = libnet_join_set_machine_upn(mem_ctx, r);
 597         if (!ADS_ERR_OK(status)) {
 598                 libnet_join_set_error_string(mem_ctx, r,
 599                         "failed to set machine upn: %s",
 600                         ads_errstr(status));
 601                 return status;
 602         }
 603 
 604         if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
 605                 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
 606         }
 607 
 608         if (!libnet_join_create_keytab(mem_ctx, r)) {
 609                 libnet_join_set_error_string(mem_ctx, r,
 610                         "failed to create kerberos keytab");
 611                 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
 612         }
 613 
 614         return ADS_SUCCESS;
 615 }
 616 #endif /* WITH_ADS */
 617 
 618 /****************************************************************
 619  Store the machine password and domain SID
 620 ****************************************************************/
 621 
 622 static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
 623                                                  struct libnet_JoinCtx *r)
 624 {
 625         if (!secrets_store_domain_sid(r->out.netbios_domain_name,
 626                                       r->out.domain_sid))
 627         {
 628                 DEBUG(1,("Failed to save domain sid\n"));
 629                 return false;
 630         }
 631 
 632         if (!secrets_store_machine_password(r->in.machine_password,
 633                                             r->out.netbios_domain_name,
 634                                             r->in.secure_channel_type))
 635         {
 636                 DEBUG(1,("Failed to save machine password\n"));
 637                 return false;
 638         }
 639 
 640         return true;
 641 }
 642 
 643 /****************************************************************
 644  Connect dc's IPC$ share
 645 ****************************************************************/
 646 
 647 static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
     /* [<][>][^][v][top][bottom][index][help] */
 648                                            const char *user,
 649                                            const char *pass,
 650                                            bool use_kerberos,
 651                                            struct cli_state **cli)
 652 {
 653         int flags = 0;
 654 
 655         if (use_kerberos) {
 656                 flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
 657         }
 658 
 659         if (use_kerberos && pass) {
 660                 flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
 661         }
 662 
 663         return cli_full_connection(cli, NULL,
 664                                    dc,
 665                                    NULL, 0,
 666                                    "IPC$", "IPC",
 667                                    user,
 668                                    NULL,
 669                                    pass,
 670                                    flags,
 671                                    Undefined, NULL);
 672 }
 673 
 674 /****************************************************************
 675  Lookup domain dc's info
 676 ****************************************************************/
 677 
 678 static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
 679                                           struct libnet_JoinCtx *r,
 680                                           struct cli_state **cli)
 681 {
 682         struct rpc_pipe_client *pipe_hnd = NULL;
 683         struct policy_handle lsa_pol;
 684         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
 685         union lsa_PolicyInformation *info = NULL;
 686 
 687         status = libnet_join_connect_dc_ipc(r->in.dc_name,
 688                                             r->in.admin_account,
 689                                             r->in.admin_password,
 690                                             r->in.use_kerberos,
 691                                             cli);
 692         if (!NT_STATUS_IS_OK(status)) {
 693                 goto done;
 694         }
 695 
 696         status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc.syntax_id,
 697                                           &pipe_hnd);
 698         if (!NT_STATUS_IS_OK(status)) {
 699                 DEBUG(0,("Error connecting to LSA pipe. Error was %s\n",
 700                         nt_errstr(status)));
 701                 goto done;
 702         }
 703 
 704         status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
 705                                         SEC_FLAG_MAXIMUM_ALLOWED, &lsa_pol);
 706         if (!NT_STATUS_IS_OK(status)) {
 707                 goto done;
 708         }
 709 
 710         status = rpccli_lsa_QueryInfoPolicy2(pipe_hnd, mem_ctx,
 711                                              &lsa_pol,
 712                                              LSA_POLICY_INFO_DNS,
 713                                              &info);
 714         if (NT_STATUS_IS_OK(status)) {
 715                 r->out.domain_is_ad = true;
 716                 r->out.netbios_domain_name = info->dns.name.string;
 717                 r->out.dns_domain_name = info->dns.dns_domain.string;
 718                 r->out.forest_name = info->dns.dns_forest.string;
 719                 r->out.domain_sid = sid_dup_talloc(mem_ctx, info->dns.sid);
 720                 NT_STATUS_HAVE_NO_MEMORY(r->out.domain_sid);
 721         }
 722 
 723         if (!NT_STATUS_IS_OK(status)) {
 724                 status = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
 725                                                     &lsa_pol,
 726                                                     LSA_POLICY_INFO_ACCOUNT_DOMAIN,
 727                                                     &info);
 728                 if (!NT_STATUS_IS_OK(status)) {
 729                         goto done;
 730                 }
 731 
 732                 r->out.netbios_domain_name = info->account_domain.name.string;
 733                 r->out.domain_sid = sid_dup_talloc(mem_ctx, info->account_domain.sid);
 734                 NT_STATUS_HAVE_NO_MEMORY(r->out.domain_sid);
 735         }
 736 
 737         rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol);
 738         TALLOC_FREE(pipe_hnd);
 739 
 740  done:
 741         return status;
 742 }
 743 
 744 /****************************************************************
 745  Do the domain join
 746 ****************************************************************/
 747 
 748 static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
 749                                            struct libnet_JoinCtx *r,
 750                                            struct cli_state *cli)
 751 {
 752         struct rpc_pipe_client *pipe_hnd = NULL;
 753         struct policy_handle sam_pol, domain_pol, user_pol;
 754         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
 755         char *acct_name;
 756         struct lsa_String lsa_acct_name;
 757         uint32_t user_rid;
 758         uint32_t acct_flags = ACB_WSTRUST;
 759         struct samr_Ids user_rids;
 760         struct samr_Ids name_types;
 761         union samr_UserInfo user_info;
 762 
 763         struct samr_CryptPassword crypt_pwd;
 764         struct samr_CryptPasswordEx crypt_pwd_ex;
 765 
 766         ZERO_STRUCT(sam_pol);
 767         ZERO_STRUCT(domain_pol);
 768         ZERO_STRUCT(user_pol);
 769 
 770         if (!r->in.machine_password) {
 771                 r->in.machine_password = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
 772                 NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
 773         }
 774 
 775         /* Open the domain */
 776 
 777         status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
 778                                           &pipe_hnd);
 779         if (!NT_STATUS_IS_OK(status)) {
 780                 DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
 781                         nt_errstr(status)));
 782                 goto done;
 783         }
 784 
 785         status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
 786                                       pipe_hnd->desthost,
 787                                       SAMR_ACCESS_ENUM_DOMAINS
 788                                       | SAMR_ACCESS_LOOKUP_DOMAIN,
 789                                       &sam_pol);
 790         if (!NT_STATUS_IS_OK(status)) {
 791                 goto done;
 792         }
 793 
 794         status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
 795                                         &sam_pol,
 796                                         SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
 797                                         | SAMR_DOMAIN_ACCESS_CREATE_USER
 798                                         | SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
 799                                         r->out.domain_sid,
 800                                         &domain_pol);
 801         if (!NT_STATUS_IS_OK(status)) {
 802                 goto done;
 803         }
 804 
 805         /* Create domain user */
 806 
 807         acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name);
 808         strlower_m(acct_name);
 809 
 810         init_lsa_String(&lsa_acct_name, acct_name);
 811 
 812         if (r->in.join_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE) {
 813                 uint32_t access_desired =
 814                         SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE |
 815                         SEC_STD_WRITE_DAC | SEC_STD_DELETE |
 816                         SAMR_USER_ACCESS_SET_PASSWORD |
 817                         SAMR_USER_ACCESS_GET_ATTRIBUTES |
 818                         SAMR_USER_ACCESS_SET_ATTRIBUTES;
 819                 uint32_t access_granted = 0;
 820 
 821                 /* Don't try to set any acct_flags flags other than ACB_WSTRUST */
 822 
 823                 DEBUG(10,("Creating account with desired access mask: %d\n",
 824                         access_desired));
 825 
 826                 status = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx,
 827                                                  &domain_pol,
 828                                                  &lsa_acct_name,
 829                                                  ACB_WSTRUST,
 830                                                  access_desired,
 831                                                  &user_pol,
 832                                                  &access_granted,
 833                                                  &user_rid);
 834                 if (!NT_STATUS_IS_OK(status) &&
 835                     !NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
 836 
 837                         DEBUG(10,("Creation of workstation account failed: %s\n",
 838                                 nt_errstr(status)));
 839 
 840                         /* If NT_STATUS_ACCESS_DENIED then we have a valid
 841                            username/password combo but the user does not have
 842                            administrator access. */
 843 
 844                         if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
 845                                 libnet_join_set_error_string(mem_ctx, r,
 846                                         "User specified does not have "
 847                                         "administrator privileges");
 848                         }
 849 
 850                         goto done;
 851                 }
 852 
 853                 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
 854                         if (!(r->in.join_flags &
 855                               WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED)) {
 856                                 goto done;
 857                         }
 858                 }
 859 
 860                 /* We *must* do this.... don't ask... */
 861 
 862                 if (NT_STATUS_IS_OK(status)) {
 863                         rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
 864                 }
 865         }
 866 
 867         status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
 868                                          &domain_pol,
 869                                          1,
 870                                          &lsa_acct_name,
 871                                          &user_rids,
 872                                          &name_types);
 873         if (!NT_STATUS_IS_OK(status)) {
 874                 goto done;
 875         }
 876 
 877         if (name_types.ids[0] != SID_NAME_USER) {
 878                 DEBUG(0,("%s is not a user account (type=%d)\n",
 879                         acct_name, name_types.ids[0]));
 880                 status = NT_STATUS_INVALID_WORKSTATION;
 881                 goto done;
 882         }
 883 
 884         user_rid = user_rids.ids[0];
 885 
 886         /* Open handle on user */
 887 
 888         status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
 889                                       &domain_pol,
 890                                       SEC_FLAG_MAXIMUM_ALLOWED,
 891                                       user_rid,
 892                                       &user_pol);
 893         if (!NT_STATUS_IS_OK(status)) {
 894                 goto done;
 895         }
 896 
 897         /* Fill in the additional account flags now */
 898 
 899         acct_flags |= ACB_PWNOEXP;
 900         if (r->out.domain_is_ad) {
 901 #if !defined(ENCTYPE_ARCFOUR_HMAC)
 902                 acct_flags |= ACB_USE_DES_KEY_ONLY;
 903 #endif
 904                 ;;
 905         }
 906 
 907         /* Set account flags on machine account */
 908         ZERO_STRUCT(user_info.info16);
 909         user_info.info16.acct_flags = acct_flags;
 910 
 911         status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
 912                                          &user_pol,
 913                                          16,
 914                                          &user_info);
 915 
 916         if (!NT_STATUS_IS_OK(status)) {
 917 
 918                 rpccli_samr_DeleteUser(pipe_hnd, mem_ctx,
 919                                        &user_pol);
 920 
 921                 libnet_join_set_error_string(mem_ctx, r,
 922                         "Failed to set account flags for machine account (%s)\n",
 923                         nt_errstr(status));
 924                 goto done;
 925         }
 926 
 927         /* Set password on machine account - first try level 26 */
 928 
 929         init_samr_CryptPasswordEx(r->in.machine_password,
 930                                   &cli->user_session_key,
 931                                   &crypt_pwd_ex);
 932 
 933         user_info.info26.password = crypt_pwd_ex;
 934         user_info.info26.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
 935 
 936         status = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
 937                                           &user_pol,
 938                                           26,
 939                                           &user_info);
 940 
 941         if (NT_STATUS_EQUAL(status, NT_STATUS(DCERPC_FAULT_INVALID_TAG))) {
 942 
 943                 /* retry with level 24 */
 944 
 945                 init_samr_CryptPassword(r->in.machine_password,
 946                                         &cli->user_session_key,
 947                                         &crypt_pwd);
 948 
 949                 user_info.info24.password = crypt_pwd;
 950                 user_info.info24.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
 951 
 952                 status = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
 953                                                   &user_pol,
 954                                                   24,
 955                                                   &user_info);
 956         }
 957 
 958         if (!NT_STATUS_IS_OK(status)) {
 959 
 960                 rpccli_samr_DeleteUser(pipe_hnd, mem_ctx,
 961                                        &user_pol);
 962 
 963                 libnet_join_set_error_string(mem_ctx, r,
 964                         "Failed to set password for machine account (%s)\n",
 965                         nt_errstr(status));
 966                 goto done;
 967         }
 968 
 969         status = NT_STATUS_OK;
 970 
 971  done:
 972         if (!pipe_hnd) {
 973                 return status;
 974         }
 975 
 976         if (is_valid_policy_hnd(&sam_pol)) {
 977                 rpccli_samr_Close(pipe_hnd, mem_ctx, &sam_pol);
 978         }
 979         if (is_valid_policy_hnd(&domain_pol)) {
 980                 rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
 981         }
 982         if (is_valid_policy_hnd(&user_pol)) {
 983                 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
 984         }
 985         TALLOC_FREE(pipe_hnd);
 986 
 987         return status;
 988 }
 989 
 990 /****************************************************************
 991 ****************************************************************/
 992 
 993 NTSTATUS libnet_join_ok(const char *netbios_domain_name,
     /* [<][>][^][v][top][bottom][index][help] */
 994                         const char *machine_name,
 995                         const char *dc_name)
 996 {
 997         uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 998         struct cli_state *cli = NULL;
 999         struct rpc_pipe_client *pipe_hnd = NULL;
1000         struct rpc_pipe_client *netlogon_pipe = NULL;
1001         NTSTATUS status;
1002         char *machine_password = NULL;
1003         char *machine_account = NULL;
1004 
1005         if (!dc_name) {
1006                 return NT_STATUS_INVALID_PARAMETER;
1007         }
1008 
1009         if (!secrets_init()) {
1010                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1011         }
1012 
1013         machine_password = secrets_fetch_machine_password(netbios_domain_name,
1014                                                           NULL, NULL);
1015         if (!machine_password) {
1016                 return NT_STATUS_NO_TRUST_LSA_SECRET;
1017         }
1018 
1019         if (asprintf(&machine_account, "%s$", machine_name) == -1) {
1020                 SAFE_FREE(machine_password);
1021                 return NT_STATUS_NO_MEMORY;
1022         }
1023 
1024         status = cli_full_connection(&cli, NULL,
1025                                      dc_name,
1026                                      NULL, 0,
1027                                      "IPC$", "IPC",
1028                                      machine_account,
1029                                      NULL,
1030                                      machine_password,
1031                                      0,
1032                                      Undefined, NULL);
1033         free(machine_account);
1034         free(machine_password);
1035 
1036         if (!NT_STATUS_IS_OK(status)) {
1037                 status = cli_full_connection(&cli, NULL,
1038                                              dc_name,
1039                                              NULL, 0,
1040                                              "IPC$", "IPC",
1041                                              "",
1042                                              NULL,
1043                                              "",
1044                                              0,
1045                                              Undefined, NULL);
1046         }
1047 
1048         if (!NT_STATUS_IS_OK(status)) {
1049                 return status;
1050         }
1051 
1052         status = get_schannel_session_key(cli, netbios_domain_name,
1053                                           &neg_flags, &netlogon_pipe);
1054         if (!NT_STATUS_IS_OK(status)) {
1055                 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_NETWORK_RESPONSE)) {
1056                         cli_shutdown(cli);
1057                         return NT_STATUS_OK;
1058                 }
1059 
1060                 DEBUG(0,("libnet_join_ok: failed to get schannel session "
1061                         "key from server %s for domain %s. Error was %s\n",
1062                 cli->desthost, netbios_domain_name, nt_errstr(status)));
1063                 cli_shutdown(cli);
1064                 return status;
1065         }
1066 
1067         if (!lp_client_schannel()) {
1068                 cli_shutdown(cli);
1069                 return NT_STATUS_OK;
1070         }
1071 
1072         status = cli_rpc_pipe_open_schannel_with_key(
1073                 cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
1074                 PIPE_AUTH_LEVEL_PRIVACY,
1075                 netbios_domain_name, netlogon_pipe->dc, &pipe_hnd);
1076 
1077         cli_shutdown(cli);
1078 
1079         if (!NT_STATUS_IS_OK(status)) {
1080                 DEBUG(0,("libnet_join_ok: failed to open schannel session "
1081                         "on netlogon pipe to server %s for domain %s. "
1082                         "Error was %s\n",
1083                         cli->desthost, netbios_domain_name, nt_errstr(status)));
1084                 return status;
1085         }
1086 
1087         return NT_STATUS_OK;
1088 }
1089 
1090 /****************************************************************
1091 ****************************************************************/
1092 
1093 static WERROR libnet_join_post_verify(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
1094                                       struct libnet_JoinCtx *r)
1095 {
1096         NTSTATUS status;
1097 
1098         status = libnet_join_ok(r->out.netbios_domain_name,
1099                                 r->in.machine_name,
1100                                 r->in.dc_name);
1101         if (!NT_STATUS_IS_OK(status)) {
1102                 libnet_join_set_error_string(mem_ctx, r,
1103                         "failed to verify domain membership after joining: %s",
1104                         get_friendly_nt_error_msg(status));
1105                 return WERR_SETUP_NOT_JOINED;
1106         }
1107 
1108         return WERR_OK;
1109 }
1110 
1111 /****************************************************************
1112 ****************************************************************/
1113 
1114 static bool libnet_join_unjoindomain_remove_secrets(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
1115                                                     struct libnet_UnjoinCtx *r)
1116 {
1117         if (!secrets_delete_machine_password_ex(lp_workgroup())) {
1118                 return false;
1119         }
1120 
1121         if (!secrets_delete_domain_sid(lp_workgroup())) {
1122                 return false;
1123         }
1124 
1125         return true;
1126 }
1127 
1128 /****************************************************************
1129 ****************************************************************/
1130 
1131 static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
1132                                              struct libnet_UnjoinCtx *r)
1133 {
1134         struct cli_state *cli = NULL;
1135         struct rpc_pipe_client *pipe_hnd = NULL;
1136         struct policy_handle sam_pol, domain_pol, user_pol;
1137         NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1138         char *acct_name;
1139         uint32_t user_rid;
1140         struct lsa_String lsa_acct_name;
1141         struct samr_Ids user_rids;
1142         struct samr_Ids name_types;
1143         union samr_UserInfo *info = NULL;
1144 
1145         ZERO_STRUCT(sam_pol);
1146         ZERO_STRUCT(domain_pol);
1147         ZERO_STRUCT(user_pol);
1148 
1149         status = libnet_join_connect_dc_ipc(r->in.dc_name,
1150                                             r->in.admin_account,
1151                                             r->in.admin_password,
1152                                             r->in.use_kerberos,
1153                                             &cli);
1154         if (!NT_STATUS_IS_OK(status)) {
1155                 goto done;
1156         }
1157 
1158         /* Open the domain */
1159 
1160         status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
1161                                           &pipe_hnd);
1162         if (!NT_STATUS_IS_OK(status)) {
1163                 DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
1164                         nt_errstr(status)));
1165                 goto done;
1166         }
1167 
1168         status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
1169                                       pipe_hnd->desthost,
1170                                       SEC_FLAG_MAXIMUM_ALLOWED,
1171                                       &sam_pol);
1172         if (!NT_STATUS_IS_OK(status)) {
1173                 goto done;
1174         }
1175 
1176         status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
1177                                         &sam_pol,
1178                                         SEC_FLAG_MAXIMUM_ALLOWED,
1179                                         r->in.domain_sid,
1180                                         &domain_pol);
1181         if (!NT_STATUS_IS_OK(status)) {
1182                 goto done;
1183         }
1184 
1185         /* Create domain user */
1186 
1187         acct_name = talloc_asprintf(mem_ctx, "%s$", r->in.machine_name);
1188         strlower_m(acct_name);
1189 
1190         init_lsa_String(&lsa_acct_name, acct_name);
1191 
1192         status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
1193                                          &domain_pol,
1194                                          1,
1195                                          &lsa_acct_name,
1196                                          &user_rids,
1197                                          &name_types);
1198 
1199         if (!NT_STATUS_IS_OK(status)) {
1200                 goto done;
1201         }
1202 
1203         if (name_types.ids[0] != SID_NAME_USER) {
1204                 DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name,
1205                         name_types.ids[0]));
1206                 status = NT_STATUS_INVALID_WORKSTATION;
1207                 goto done;
1208         }
1209 
1210         user_rid = user_rids.ids[0];
1211 
1212         /* Open handle on user */
1213 
1214         status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
1215                                       &domain_pol,
1216                                       SEC_FLAG_MAXIMUM_ALLOWED,
1217                                       user_rid,
1218                                       &user_pol);
1219         if (!NT_STATUS_IS_OK(status)) {
1220                 goto done;
1221         }
1222 
1223         /* Get user info */
1224 
1225         status = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx,
1226                                            &user_pol,
1227                                            16,
1228                                            &info);
1229         if (!NT_STATUS_IS_OK(status)) {
1230                 rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
1231                 goto done;
1232         }
1233 
1234         /* now disable and setuser info */
1235 
1236         info->info16.acct_flags |= ACB_DISABLED;
1237 
1238         status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
1239                                          &user_pol,
1240                                          16,
1241                                          info);
1242 
1243         rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
1244 
1245 done:
1246         if (pipe_hnd) {
1247                 if (is_valid_policy_hnd(&domain_pol)) {
1248                         rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
1249                 }
1250                 if (is_valid_policy_hnd(&sam_pol)) {
1251                         rpccli_samr_Close(pipe_hnd, mem_ctx, &sam_pol);
1252                 }
1253                 TALLOC_FREE(pipe_hnd);
1254         }
1255 
1256         if (cli) {
1257                 cli_shutdown(cli);
1258         }
1259 
1260         return status;
1261 }
1262 
1263 /****************************************************************
1264 ****************************************************************/
1265 
1266 static WERROR do_join_modify_vals_config(struct libnet_JoinCtx *r)
     /* [<][>][^][v][top][bottom][index][help] */
1267 {
1268         WERROR werr;
1269         struct smbconf_ctx *ctx;
1270 
1271         werr = smbconf_init_reg(r, &ctx, NULL);
1272         if (!W_ERROR_IS_OK(werr)) {
1273                 goto done;
1274         }
1275 
1276         if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE)) {
1277 
1278                 werr = smbconf_set_global_parameter(ctx, "security", "user");
1279                 W_ERROR_NOT_OK_GOTO_DONE(werr);
1280 
1281                 werr = smbconf_set_global_parameter(ctx, "workgroup",
1282                                                     r->in.domain_name);
1283 
1284                 smbconf_delete_global_parameter(ctx, "realm");
1285                 goto done;
1286         }
1287 
1288         werr = smbconf_set_global_parameter(ctx, "security", "domain");
1289         W_ERROR_NOT_OK_GOTO_DONE(werr);
1290 
1291         werr = smbconf_set_global_parameter(ctx, "workgroup",
1292                                             r->out.netbios_domain_name);
1293         W_ERROR_NOT_OK_GOTO_DONE(werr);
1294 
1295         if (r->out.domain_is_ad) {
1296                 werr = smbconf_set_global_parameter(ctx, "security", "ads");
1297                 W_ERROR_NOT_OK_GOTO_DONE(werr);
1298 
1299                 werr = smbconf_set_global_parameter(ctx, "realm",
1300                                                     r->out.dns_domain_name);
1301                 W_ERROR_NOT_OK_GOTO_DONE(werr);
1302         }
1303 
1304  done:
1305         smbconf_shutdown(ctx);
1306         return werr;
1307 }
1308 
1309 /****************************************************************
1310 ****************************************************************/
1311 
1312 static WERROR do_unjoin_modify_vals_config(struct libnet_UnjoinCtx *r)
     /* [<][>][^][v][top][bottom][index][help] */
1313 {
1314         WERROR werr = WERR_OK;
1315         struct smbconf_ctx *ctx;
1316 
1317         werr = smbconf_init_reg(r, &ctx, NULL);
1318         if (!W_ERROR_IS_OK(werr)) {
1319                 goto done;
1320         }
1321 
1322         if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1323 
1324                 werr = smbconf_set_global_parameter(ctx, "security", "user");
1325                 W_ERROR_NOT_OK_GOTO_DONE(werr);
1326 
1327                 werr = smbconf_delete_global_parameter(ctx, "workgroup");
1328                 W_ERROR_NOT_OK_GOTO_DONE(werr);
1329 
1330                 smbconf_delete_global_parameter(ctx, "realm");
1331         }
1332 
1333  done:
1334         smbconf_shutdown(ctx);
1335         return werr;
1336 }
1337 
1338 /****************************************************************
1339 ****************************************************************/
1340 
1341 static WERROR do_JoinConfig(struct libnet_JoinCtx *r)
     /* [<][>][^][v][top][bottom][index][help] */
1342 {
1343         WERROR werr;
1344 
1345         if (!W_ERROR_IS_OK(r->out.result)) {
1346                 return r->out.result;
1347         }
1348 
1349         if (!r->in.modify_config) {
1350                 return WERR_OK;
1351         }
1352 
1353         werr = do_join_modify_vals_config(r);
1354         if (!W_ERROR_IS_OK(werr)) {
1355                 return werr;
1356         }
1357 
1358         lp_load(get_dyn_CONFIGFILE(),true,false,false,true);
1359 
1360         r->out.modified_config = true;
1361         r->out.result = werr;
1362 
1363         return werr;
1364 }
1365 
1366 /****************************************************************
1367 ****************************************************************/
1368 
1369 static WERROR libnet_unjoin_config(struct libnet_UnjoinCtx *r)
     /* [<][>][^][v][top][bottom][index][help] */
1370 {
1371         WERROR werr;
1372 
1373         if (!W_ERROR_IS_OK(r->out.result)) {
1374                 return r->out.result;
1375         }
1376 
1377         if (!r->in.modify_config) {
1378                 return WERR_OK;
1379         }
1380 
1381         werr = do_unjoin_modify_vals_config(r);
1382         if (!W_ERROR_IS_OK(werr)) {
1383                 return werr;
1384         }
1385 
1386         lp_load(get_dyn_CONFIGFILE(),true,false,false,true);
1387 
1388         r->out.modified_config = true;
1389         r->out.result = werr;
1390 
1391         return werr;
1392 }
1393 
1394 /****************************************************************
1395 ****************************************************************/
1396 
1397 static bool libnet_parse_domain_dc(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
1398                                    const char *domain_str,
1399                                    const char **domain_p,
1400                                    const char **dc_p)
1401 {
1402         char *domain = NULL;
1403         char *dc = NULL;
1404         const char *p = NULL;
1405 
1406         if (!domain_str || !domain_p || !dc_p) {
1407                 return false;
1408         }
1409 
1410         p = strchr_m(domain_str, '\\');
1411 
1412         if (p != NULL) {
1413                 domain = talloc_strndup(mem_ctx, domain_str,
1414                                          PTR_DIFF(p, domain_str));
1415                 dc = talloc_strdup(mem_ctx, p+1);
1416                 if (!dc) {
1417                         return false;
1418                 }
1419         } else {
1420                 domain = talloc_strdup(mem_ctx, domain_str);
1421                 dc = NULL;
1422         }
1423         if (!domain) {
1424                 return false;
1425         }
1426 
1427         *domain_p = domain;
1428 
1429         if (!*dc_p && dc) {
1430                 *dc_p = dc;
1431         }
1432 
1433         return true;
1434 }
1435 
1436 /****************************************************************
1437 ****************************************************************/
1438 
1439 static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
1440                                          struct libnet_JoinCtx *r)
1441 {
1442         if (!r->in.domain_name) {
1443                 libnet_join_set_error_string(mem_ctx, r,
1444                         "No domain name defined");
1445                 return WERR_INVALID_PARAM;
1446         }
1447 
1448         if (!libnet_parse_domain_dc(mem_ctx, r->in.domain_name,
1449                                     &r->in.domain_name,
1450                                     &r->in.dc_name)) {
1451                 libnet_join_set_error_string(mem_ctx, r,
1452                         "Failed to parse domain name");
1453                 return WERR_INVALID_PARAM;
1454         }
1455 
1456         if (IS_DC) {
1457                 return WERR_SETUP_DOMAIN_CONTROLLER;
1458         }
1459 
1460         if (!secrets_init()) {
1461                 libnet_join_set_error_string(mem_ctx, r,
1462                         "Unable to open secrets database");
1463                 return WERR_CAN_NOT_COMPLETE;
1464         }
1465 
1466         return WERR_OK;
1467 }
1468 
1469 /****************************************************************
1470 ****************************************************************/
1471 
1472 static void libnet_join_add_dom_rids_to_builtins(struct dom_sid *domain_sid)
     /* [<][>][^][v][top][bottom][index][help] */
1473 {
1474         NTSTATUS status;
1475 
1476         /* Try adding dom admins to builtin\admins. Only log failures. */
1477         status = create_builtin_administrators(domain_sid);
1478         if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
1479                 DEBUG(10,("Unable to auto-add domain administrators to "
1480                           "BUILTIN\\Administrators during join because "
1481                           "winbindd must be running."));
1482         } else if (!NT_STATUS_IS_OK(status)) {
1483                 DEBUG(5, ("Failed to auto-add domain administrators to "
1484                           "BUILTIN\\Administrators during join: %s\n",
1485                           nt_errstr(status)));
1486         }
1487 
1488         /* Try adding dom users to builtin\users. Only log failures. */
1489         status = create_builtin_users(domain_sid);
1490         if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
1491                 DEBUG(10,("Unable to auto-add domain users to BUILTIN\\users "
1492                           "during join because winbindd must be running."));
1493         } else if (!NT_STATUS_IS_OK(status)) {
1494                 DEBUG(5, ("Failed to auto-add domain administrators to "
1495                           "BUILTIN\\Administrators during join: %s\n",
1496                           nt_errstr(status)));
1497         }
1498 }
1499 
1500 /****************************************************************
1501 ****************************************************************/
1502 
1503 static WERROR libnet_join_post_processing(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
1504                                           struct libnet_JoinCtx *r)
1505 {
1506         WERROR werr;
1507 
1508         if (!W_ERROR_IS_OK(r->out.result)) {
1509                 return r->out.result;
1510         }
1511 
1512         werr = do_JoinConfig(r);
1513         if (!W_ERROR_IS_OK(werr)) {
1514                 return werr;
1515         }
1516 
1517         if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE)) {
1518                 return WERR_OK;
1519         }
1520 
1521         saf_join_store(r->out.netbios_domain_name, r->in.dc_name);
1522         if (r->out.dns_domain_name) {
1523                 saf_join_store(r->out.dns_domain_name, r->in.dc_name);
1524         }
1525 
1526 #ifdef WITH_ADS
1527         if (r->out.domain_is_ad) {
1528                 ADS_STATUS ads_status;
1529 
1530                 ads_status  = libnet_join_post_processing_ads(mem_ctx, r);
1531                 if (!ADS_ERR_OK(ads_status)) {
1532                         return WERR_GENERAL_FAILURE;
1533                 }
1534         }
1535 #endif /* WITH_ADS */
1536 
1537         libnet_join_add_dom_rids_to_builtins(r->out.domain_sid);
1538 
1539         return WERR_OK;
1540 }
1541 
1542 /****************************************************************
1543 ****************************************************************/
1544 
1545 static int libnet_destroy_JoinCtx(struct libnet_JoinCtx *r)
     /* [<][>][^][v][top][bottom][index][help] */
1546 {
1547         const char *krb5_cc_env = NULL;
1548 
1549         if (r->in.ads) {
1550                 ads_destroy(&r->in.ads);
1551         }
1552 
1553         krb5_cc_env = getenv(KRB5_ENV_CCNAME);
1554         if (krb5_cc_env && StrCaseCmp(krb5_cc_env, "MEMORY:libnetjoin")) {
1555                 unsetenv(KRB5_ENV_CCNAME);
1556         }
1557 
1558         return 0;
1559 }
1560 
1561 /****************************************************************
1562 ****************************************************************/
1563 
1564 static int libnet_destroy_UnjoinCtx(struct libnet_UnjoinCtx *r)
     /* [<][>][^][v][top][bottom][index][help] */
1565 {
1566         const char *krb5_cc_env = NULL;
1567 
1568         if (r->in.ads) {
1569                 ads_destroy(&r->in.ads);
1570         }
1571 
1572         krb5_cc_env = getenv(KRB5_ENV_CCNAME);
1573         if (krb5_cc_env && StrCaseCmp(krb5_cc_env, "MEMORY:libnetjoin")) {
1574                 unsetenv(KRB5_ENV_CCNAME);
1575         }
1576 
1577         return 0;
1578 }
1579 
1580 /****************************************************************
1581 ****************************************************************/
1582 
1583 WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
1584                            struct libnet_JoinCtx **r)
1585 {
1586         struct libnet_JoinCtx *ctx;
1587         const char *krb5_cc_env = NULL;
1588 
1589         ctx = talloc_zero(mem_ctx, struct libnet_JoinCtx);
1590         if (!ctx) {
1591                 return WERR_NOMEM;
1592         }
1593 
1594         talloc_set_destructor(ctx, libnet_destroy_JoinCtx);
1595 
1596         ctx->in.machine_name = talloc_strdup(mem_ctx, global_myname());
1597         W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
1598 
1599         krb5_cc_env = getenv(KRB5_ENV_CCNAME);
1600         if (!krb5_cc_env || (strlen(krb5_cc_env) == 0)) {
1601                 krb5_cc_env = talloc_strdup(mem_ctx, "MEMORY:libnetjoin");
1602                 W_ERROR_HAVE_NO_MEMORY(krb5_cc_env);
1603                 setenv(KRB5_ENV_CCNAME, krb5_cc_env, 1);
1604         }
1605 
1606         ctx->in.secure_channel_type = SEC_CHAN_WKSTA;
1607 
1608         *r = ctx;
1609 
1610         return WERR_OK;
1611 }
1612 
1613 /****************************************************************
1614 ****************************************************************/
1615 
1616 WERROR libnet_init_UnjoinCtx(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
1617                              struct libnet_UnjoinCtx **r)
1618 {
1619         struct libnet_UnjoinCtx *ctx;
1620         const char *krb5_cc_env = NULL;
1621 
1622         ctx = talloc_zero(mem_ctx, struct libnet_UnjoinCtx);
1623         if (!ctx) {
1624                 return WERR_NOMEM;
1625         }
1626 
1627         talloc_set_destructor(ctx, libnet_destroy_UnjoinCtx);
1628 
1629         ctx->in.machine_name = talloc_strdup(mem_ctx, global_myname());
1630         W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
1631 
1632         krb5_cc_env = getenv(KRB5_ENV_CCNAME);
1633         if (!krb5_cc_env || (strlen(krb5_cc_env) == 0)) {
1634                 krb5_cc_env = talloc_strdup(mem_ctx, "MEMORY:libnetjoin");
1635                 W_ERROR_HAVE_NO_MEMORY(krb5_cc_env);
1636                 setenv(KRB5_ENV_CCNAME, krb5_cc_env, 1);
1637         }
1638 
1639         *r = ctx;
1640 
1641         return WERR_OK;
1642 }
1643 
1644 /****************************************************************
1645 ****************************************************************/
1646 
1647 static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
1648                                        struct libnet_JoinCtx *r)
1649 {
1650         bool valid_security = false;
1651         bool valid_workgroup = false;
1652         bool valid_realm = false;
1653 
1654         /* check if configuration is already set correctly */
1655 
1656         valid_workgroup = strequal(lp_workgroup(), r->out.netbios_domain_name);
1657 
1658         switch (r->out.domain_is_ad) {
1659                 case false:
1660                         valid_security = (lp_security() == SEC_DOMAIN);
1661                         if (valid_workgroup && valid_security) {
1662                                 /* nothing to be done */
1663                                 return WERR_OK;
1664                         }
1665                         break;
1666                 case true:
1667                         valid_realm = strequal(lp_realm(), r->out.dns_domain_name);
1668                         switch (lp_security()) {
1669                         case SEC_DOMAIN:
1670                         case SEC_ADS:
1671                                 valid_security = true;
1672                         }
1673 
1674                         if (valid_workgroup && valid_realm && valid_security) {
1675                                 /* nothing to be done */
1676                                 return WERR_OK;
1677                         }
1678                         break;
1679         }
1680 
1681         /* check if we are supposed to manipulate configuration */
1682 
1683         if (!r->in.modify_config) {
1684 
1685                 char *wrong_conf = talloc_strdup(mem_ctx, "");
1686 
1687                 if (!valid_workgroup) {
1688                         wrong_conf = talloc_asprintf_append(wrong_conf,
1689                                 "\"workgroup\" set to '%s', should be '%s'",
1690                                 lp_workgroup(), r->out.netbios_domain_name);
1691                         W_ERROR_HAVE_NO_MEMORY(wrong_conf);
1692                 }
1693 
1694                 if (!valid_realm) {
1695                         wrong_conf = talloc_asprintf_append(wrong_conf,
1696                                 "\"realm\" set to '%s', should be '%s'",
1697                                 lp_realm(), r->out.dns_domain_name);
1698                         W_ERROR_HAVE_NO_MEMORY(wrong_conf);
1699                 }
1700 
1701                 if (!valid_security) {
1702                         const char *sec = NULL;
1703                         switch (lp_security()) {
1704                         case SEC_SHARE: sec = "share"; break;
1705                         case SEC_USER:  sec = "user"; break;
1706                         case SEC_DOMAIN: sec = "domain"; break;
1707                         case SEC_ADS: sec = "ads"; break;
1708                         }
1709                         wrong_conf = talloc_asprintf_append(wrong_conf,
1710                                 "\"security\" set to '%s', should be %s",
1711                                 sec, r->out.domain_is_ad ?
1712                                 "either 'domain' or 'ads'" : "'domain'");
1713                         W_ERROR_HAVE_NO_MEMORY(wrong_conf);
1714                 }
1715 
1716                 libnet_join_set_error_string(mem_ctx, r,
1717                         "Invalid configuration (%s) and configuration modification "
1718                         "was not requested", wrong_conf);
1719                 return WERR_CAN_NOT_COMPLETE;
1720         }
1721 
1722         /* check if we are able to manipulate configuration */
1723 
1724         if (!lp_config_backend_is_registry()) {
1725                 libnet_join_set_error_string(mem_ctx, r,
1726                         "Configuration manipulation requested but not "
1727                         "supported by backend");
1728                 return WERR_NOT_SUPPORTED;
1729         }
1730 
1731         return WERR_OK;
1732 }
1733 
1734 /****************************************************************
1735 ****************************************************************/
1736 
1737 static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
1738                                 struct libnet_JoinCtx *r)
1739 {
1740         NTSTATUS status;
1741         WERROR werr;
1742         struct cli_state *cli = NULL;
1743 #ifdef WITH_ADS
1744         ADS_STATUS ads_status;
1745 #endif /* WITH_ADS */
1746 
1747         if (!r->in.dc_name) {
1748                 struct netr_DsRGetDCNameInfo *info;
1749                 const char *dc;
1750                 status = dsgetdcname(mem_ctx,
1751                                      r->in.msg_ctx,
1752                                      r->in.domain_name,
1753                                      NULL,
1754                                      NULL,
1755                                      DS_FORCE_REDISCOVERY |
1756                                      DS_DIRECTORY_SERVICE_REQUIRED |
1757                                      DS_WRITABLE_REQUIRED |
1758                                      DS_RETURN_DNS_NAME,
1759                                      &info);
1760                 if (!NT_STATUS_IS_OK(status)) {
1761                         libnet_join_set_error_string(mem_ctx, r,
1762                                 "failed to find DC for domain %s",
1763                                 r->in.domain_name,
1764                                 get_friendly_nt_error_msg(status));
1765                         return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
1766                 }
1767 
1768                 dc = strip_hostname(info->dc_unc);
1769                 r->in.dc_name = talloc_strdup(mem_ctx, dc);
1770                 W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
1771         }
1772 
1773         status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli);
1774         if (!NT_STATUS_IS_OK(status)) {
1775                 libnet_join_set_error_string(mem_ctx, r,
1776                         "failed to lookup DC info for domain '%s' over rpc: %s",
1777                         r->in.domain_name, get_friendly_nt_error_msg(status));
1778                 return ntstatus_to_werror(status);
1779         }
1780 
1781         werr = libnet_join_check_config(mem_ctx, r);
1782         if (!W_ERROR_IS_OK(werr)) {
1783                 goto done;
1784         }
1785 
1786 #ifdef WITH_ADS
1787         if (r->out.domain_is_ad && r->in.account_ou) {
1788 
1789                 ads_status = libnet_join_connect_ads(mem_ctx, r);
1790                 if (!ADS_ERR_OK(ads_status)) {
1791                         return WERR_DEFAULT_JOIN_REQUIRED;
1792                 }
1793 
1794                 ads_status = libnet_join_precreate_machine_acct(mem_ctx, r);
1795                 if (!ADS_ERR_OK(ads_status)) {
1796                         libnet_join_set_error_string(mem_ctx, r,
1797                                 "failed to precreate account in ou %s: %s",
1798                                 r->in.account_ou,
1799                                 ads_errstr(ads_status));
1800                         return WERR_DEFAULT_JOIN_REQUIRED;
1801                 }
1802 
1803                 r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE;
1804         }
1805 #endif /* WITH_ADS */
1806 
1807         status = libnet_join_joindomain_rpc(mem_ctx, r, cli);
1808         if (!NT_STATUS_IS_OK(status)) {
1809                 libnet_join_set_error_string(mem_ctx, r,
1810                         "failed to join domain '%s' over rpc: %s",
1811                         r->in.domain_name, get_friendly_nt_error_msg(status));
1812                 if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
1813                         return WERR_SETUP_ALREADY_JOINED;
1814                 }
1815                 werr = ntstatus_to_werror(status);
1816                 goto done;
1817         }
1818 
1819         if (!libnet_join_joindomain_store_secrets(mem_ctx, r)) {
1820                 werr = WERR_SETUP_NOT_JOINED;
1821                 goto done;
1822         }
1823 
1824         werr = WERR_OK;
1825 
1826  done:
1827         if (cli) {
1828                 cli_shutdown(cli);
1829         }
1830 
1831         return werr;
1832 }
1833 
1834 /****************************************************************
1835 ****************************************************************/
1836 
1837 static WERROR libnet_join_rollback(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
1838                                    struct libnet_JoinCtx *r)
1839 {
1840         WERROR werr;
1841         struct libnet_UnjoinCtx *u = NULL;
1842 
1843         werr = libnet_init_UnjoinCtx(mem_ctx, &u);
1844         if (!W_ERROR_IS_OK(werr)) {
1845                 return werr;
1846         }
1847 
1848         u->in.debug             = r->in.debug;
1849         u->in.dc_name           = r->in.dc_name;
1850         u->in.domain_name       = r->in.domain_name;
1851         u->in.admin_account     = r->in.admin_account;
1852         u->in.admin_password    = r->in.admin_password;
1853         u->in.modify_config     = r->in.modify_config;
1854         u->in.unjoin_flags      = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
1855                                   WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
1856 
1857         werr = libnet_Unjoin(mem_ctx, u);
1858         TALLOC_FREE(u);
1859 
1860         return werr;
1861 }
1862 
1863 /****************************************************************
1864 ****************************************************************/
1865 
1866 WERROR libnet_Join(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
1867                    struct libnet_JoinCtx *r)
1868 {
1869         WERROR werr;
1870 
1871         if (r->in.debug) {
1872                 LIBNET_JOIN_IN_DUMP_CTX(mem_ctx, r);
1873         }
1874 
1875         werr = libnet_join_pre_processing(mem_ctx, r);
1876         if (!W_ERROR_IS_OK(werr)) {
1877                 goto done;
1878         }
1879 
1880         if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1881                 werr = libnet_DomainJoin(mem_ctx, r);
1882                 if (!W_ERROR_IS_OK(werr)) {
1883                         goto done;
1884                 }
1885         }
1886 
1887         werr = libnet_join_post_processing(mem_ctx, r);
1888         if (!W_ERROR_IS_OK(werr)) {
1889                 goto done;
1890         }
1891 
1892         if (r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1893                 werr = libnet_join_post_verify(mem_ctx, r);
1894                 if (!W_ERROR_IS_OK(werr)) {
1895                         libnet_join_rollback(mem_ctx, r);
1896                 }
1897         }
1898 
1899  done:
1900         r->out.result = werr;
1901 
1902         if (r->in.debug) {
1903                 LIBNET_JOIN_OUT_DUMP_CTX(mem_ctx, r);
1904         }
1905         return werr;
1906 }
1907 
1908 /****************************************************************
1909 ****************************************************************/
1910 
1911 static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
1912                                   struct libnet_UnjoinCtx *r)
1913 {
1914         NTSTATUS status;
1915 
1916         if (!r->in.domain_sid) {
1917                 struct dom_sid sid;
1918                 if (!secrets_fetch_domain_sid(lp_workgroup(), &sid)) {
1919                         libnet_unjoin_set_error_string(mem_ctx, r,
1920                                 "Unable to fetch domain sid: are we joined?");
1921                         return WERR_SETUP_NOT_JOINED;
1922                 }
1923                 r->in.domain_sid = sid_dup_talloc(mem_ctx, &sid);
1924                 W_ERROR_HAVE_NO_MEMORY(r->in.domain_sid);
1925         }
1926 
1927         if (!(r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) &&
1928             !r->in.delete_machine_account) {
1929                 libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
1930                 return WERR_OK;
1931         }
1932 
1933         if (!r->in.dc_name) {
1934                 struct netr_DsRGetDCNameInfo *info;
1935                 const char *dc;
1936                 status = dsgetdcname(mem_ctx,
1937                                      r->in.msg_ctx,
1938                                      r->in.domain_name,
1939                                      NULL,
1940                                      NULL,
1941                                      DS_DIRECTORY_SERVICE_REQUIRED |
1942                                      DS_WRITABLE_REQUIRED |
1943                                      DS_RETURN_DNS_NAME,
1944                                      &info);
1945                 if (!NT_STATUS_IS_OK(status)) {
1946                         libnet_unjoin_set_error_string(mem_ctx, r,
1947                                 "failed to find DC for domain %s",
1948                                 r->in.domain_name,
1949                                 get_friendly_nt_error_msg(status));
1950                         return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
1951                 }
1952 
1953                 dc = strip_hostname(info->dc_unc);
1954                 r->in.dc_name = talloc_strdup(mem_ctx, dc);
1955                 W_ERROR_HAVE_NO_MEMORY(r->in.dc_name);
1956         }
1957 
1958 #ifdef WITH_ADS
1959         /* for net ads leave, try to delete the account.  If it works,
1960            no sense in disabling.  If it fails, we can still try to
1961            disable it. jmcd */
1962 
1963         if (r->in.delete_machine_account) {
1964                 ADS_STATUS ads_status;
1965                 ads_status = libnet_unjoin_connect_ads(mem_ctx, r);
1966                 if (ADS_ERR_OK(ads_status)) {
1967                         /* dirty hack */
1968                         r->out.dns_domain_name =
1969                                 talloc_strdup(mem_ctx,
1970                                               r->in.ads->server.realm);
1971                         ads_status =
1972                                 libnet_unjoin_remove_machine_acct(mem_ctx, r);
1973                 }
1974                 if (!ADS_ERR_OK(ads_status)) {
1975                         libnet_unjoin_set_error_string(mem_ctx, r,
1976                                 "failed to remove machine account from AD: %s",
1977                                 ads_errstr(ads_status));
1978                 } else {
1979                         r->out.deleted_machine_account = true;
1980                         W_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name);
1981                         libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
1982                         return WERR_OK;
1983                 }
1984         }
1985 #endif /* WITH_ADS */
1986 
1987         /* The WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE flag really means
1988            "disable".  */
1989         if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) {
1990                 status = libnet_join_unjoindomain_rpc(mem_ctx, r);
1991                 if (!NT_STATUS_IS_OK(status)) {
1992                         libnet_unjoin_set_error_string(mem_ctx, r,
1993                                 "failed to disable machine account via rpc: %s",
1994                                 get_friendly_nt_error_msg(status));
1995                         if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
1996                                 return WERR_SETUP_NOT_JOINED;
1997                         }
1998                         return ntstatus_to_werror(status);
1999                 }
2000 
2001                 r->out.disabled_machine_account = true;
2002         }
2003 
2004         /* If disable succeeded or was not requested at all, we
2005            should be getting rid of our end of things */
2006 
2007         libnet_join_unjoindomain_remove_secrets(mem_ctx, r);
2008 
2009         return WERR_OK;
2010 }
2011 
2012 /****************************************************************
2013 ****************************************************************/
2014 
2015 static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
2016                                            struct libnet_UnjoinCtx *r)
2017 {
2018         if (!r->in.domain_name) {
2019                 libnet_unjoin_set_error_string(mem_ctx, r,
2020                         "No domain name defined");
2021                 return WERR_INVALID_PARAM;
2022         }
2023 
2024         if (!libnet_parse_domain_dc(mem_ctx, r->in.domain_name,
2025                                     &r->in.domain_name,
2026                                     &r->in.dc_name)) {
2027                 libnet_unjoin_set_error_string(mem_ctx, r,
2028                         "Failed to parse domain name");
2029                 return WERR_INVALID_PARAM;
2030         }
2031 
2032         if (IS_DC) {
2033                 return WERR_SETUP_DOMAIN_CONTROLLER;
2034         }
2035 
2036         if (!secrets_init()) {
2037                 libnet_unjoin_set_error_string(mem_ctx, r,
2038                         "Unable to open secrets database");
2039                 return WERR_CAN_NOT_COMPLETE;
2040         }
2041 
2042         return WERR_OK;
2043 }
2044 
2045 /****************************************************************
2046 ****************************************************************/
2047 
2048 static WERROR libnet_unjoin_post_processing(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
2049                                             struct libnet_UnjoinCtx *r)
2050 {
2051         saf_delete(r->out.netbios_domain_name);
2052         saf_delete(r->out.dns_domain_name);
2053 
2054         return libnet_unjoin_config(r);
2055 }
2056 
2057 /****************************************************************
2058 ****************************************************************/
2059 
2060 WERROR libnet_Unjoin(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
2061                      struct libnet_UnjoinCtx *r)
2062 {
2063         WERROR werr;
2064 
2065         if (r->in.debug) {
2066                 LIBNET_UNJOIN_IN_DUMP_CTX(mem_ctx, r);
2067         }
2068 
2069         werr = libnet_unjoin_pre_processing(mem_ctx, r);
2070         if (!W_ERROR_IS_OK(werr)) {
2071                 goto done;
2072         }
2073 
2074         if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
2075                 werr = libnet_DomainUnjoin(mem_ctx, r);
2076                 if (!W_ERROR_IS_OK(werr)) {
2077                         libnet_unjoin_config(r);
2078                         goto done;
2079                 }
2080         }
2081 
2082         werr = libnet_unjoin_post_processing(mem_ctx, r);
2083         if (!W_ERROR_IS_OK(werr)) {
2084                 goto done;
2085         }
2086 
2087  done:
2088         r->out.result = werr;
2089 
2090         if (r->in.debug) {
2091                 LIBNET_UNJOIN_OUT_DUMP_CTX(mem_ctx, r);
2092         }
2093 
2094         return werr;
2095 }

/* [<][>][^][v][top][bottom][index][help] */