/*
   Samba Unix/Linux SMB client library
   Distributed SMB/CIFS Server Management Utility
   Copyright (C) 2001 Andrew Bartlett (abartlet@samba.org)
   Copyright (C) Tim Potter 2001
   Copyright (C) 2008 Guenther Deschner

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>. */
# include "includes.h"
# include "utils/net.h"
# include "../libcli/auth/libcli_auth.h"
# include "../librpc/gen_ndr/cli_lsa.h"
# include "../librpc/gen_ndr/cli_samr.h"
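/*
 * Macros for checking RPC error codes to make things more readable.
 *
 * Both evaluate `rpc` once, store its NTSTATUS in the caller's `result`
 * variable and, on failure, log at debug level 0 and jump to the caller's
 * `done:` label.  They therefore require an `NTSTATUS result;` and a
 * `done:` label to be in scope at every use.  `msg` must be a string
 * literal, because it is pasted onto ": %s\n".
 *
 * The expansion is wrapped in do { } while (0) so that it is a single
 * statement: a use after an unbraced `if`/`else` cannot rebind the `else`
 * to the macro's internal `if`.
 */
#define CHECK_RPC_ERR(rpc, msg) \
	do { \
		if (!NT_STATUS_IS_OK(result = (rpc))) { \
			DEBUG(0, (msg ": %s\n", nt_errstr(result))); \
			goto done; \
		} \
	} while (0)

#define CHECK_RPC_ERR_DEBUG(rpc, debug_args) \
	do { \
		if (!NT_STATUS_IS_OK(result = (rpc))) { \
			DEBUG(0, debug_args); \
			goto done; \
		} \
	} while (0)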
/**
 * Confirm that a domain join is still valid
 *
 * Opens a fresh IPC$ connection to a domain controller and sets up
 * NETLOGON credentials as though a schannel session were about to be
 * established.  With "security = ads" the connection is made with the
 * machine account (net_use_machine_account()), otherwise anonymously,
 * since some servers refuse machine-authenticated SMB connections.  When
 * "client schannel" is enabled a schannel-protected NETLOGON pipe is
 * opened as well, which exercises the stored machine password end to end.
 *
 * @param c      net context; its credentials are switched to the machine
 *               account as a side effect in ADS mode.
 * @param domain Domain to validate the join against.
 * @param server Optional server name handed to net_make_ipc_connection_ex()
 *               (callers pass NULL to let it be located).
 * @param pss    Optional server address, likewise optional.
 * @return NT_STATUS_OK when the join looks valid.  A server that refuses to
 *         negotiate schannel but accepts the credentials is still reported
 *         as NT_STATUS_OK.  Any other failure returns the failing status.
 *
 **/
NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
			 const char *server, struct sockaddr_storage *pss)
{
	unsigned int conn_flags = NET_FLAGS_PDC;
	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
	struct cli_state *cli = NULL;
	struct rpc_pipe_client *schannel_pipe = NULL;
	struct rpc_pipe_client *netlogon_pipe = NULL;
	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
	const bool ads_mode = ((enum security_types)lp_security() == SEC_ADS);

	if (ads_mode) {
		/* Connect to IPC$ with the machine account's credentials; an
		 * anonymous connection may be denied by the server's local
		 * policy. */
		net_use_machine_account(c);
	} else {
		/* Some servers (e.g. WinNT) don't accept machine-authenticated
		 * SMB connections. */
		conn_flags |= NET_FLAGS_ANONYMOUS;
	}

	/* Connect to the remote machine; nothing to tear down on failure. */
	status = net_make_ipc_connection_ex(c, domain, server, pss, conn_flags,
					    &cli);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	/* Set up the credentials as though we were going to do schannel. */
	status = get_schannel_session_key(cli, domain, &neg_flags,
					  &netlogon_pipe);

	/* NT_STATUS_INVALID_NETWORK_RESPONSE means the server refuses to
	 * negotiate schannel although the creds were set up fine.  That is
	 * as good as we can get from such a server, so treat it as success. */
	if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_NETWORK_RESPONSE)) {
		status = NT_STATUS_OK;
		goto out;
	}
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0, ("net_rpc_join_ok: failed to get schannel session "
			  "key from server %s for domain %s. Error was %s\n",
			  cli->desthost, domain, nt_errstr(status)));
		goto out;
	}

	/* The remaining schannel test only makes sense if the client is
	 * allowed to use schannel; otherwise we are already good. */
	if (!lp_client_schannel()) {
		goto out;
	}

	status = cli_rpc_pipe_open_schannel_with_key(
		cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
		DCERPC_AUTH_LEVEL_PRIVACY,
		domain, &netlogon_pipe->dc, &schannel_pipe);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0, ("net_rpc_join_ok: failed to open schannel session "
			  "on netlogon pipe to server %s for domain %s. Error was %s\n",
			  cli->desthost, domain, nt_errstr(status)));
		/* (schannel_pipe != NULL) if and only if NT_STATUS_IS_OK(status). */
	}

out:
	/* The pipes are not released individually here; presumably they are
	 * torn down together with the connection - confirm against
	 * cli_shutdown() if this is ever changed. */
	cli_shutdown(cli);
	return status;
}
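/**
 * Join a domain using the administrator username and password
 *
 * The join is performed over RPC: the domain name and SID are fetched
 * through LSARPC, the machine account is created (or re-opened if it
 * already exists) through SAMR and given a fresh random password, the new
 * credentials are verified through NETLOGON, and finally the domain SID
 * and machine password are written to the local secrets database.  The
 * stored join is then re-checked from scratch with net_rpc_join_ok().
 *
 * @param c    net context carrying the credentials used for the IPC$
 *             connection; they must belong to a user allowed to create
 *             machine accounts in the domain.
 * @param argc Standard main() style argc
 * @param argv Standard main() style argv. Initial components are already
 *             stripped. argv[0], when present, selects the secure channel
 *             type (see get_sec_channel_type()).
 * @return A shell status integer (0 for success)
 *
 **/
int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
{
	/* libsmb variables */
	struct cli_state *cli = NULL;
	TALLOC_CTX *mem_ctx = NULL;
	uint32 acb_info = ACB_WSTRUST;
	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
	enum netr_SchannelType sec_channel_type;
	struct rpc_pipe_client *pipe_hnd = NULL;

	/* rpc variables */
	struct policy_handle lsa_pol, sam_pol, domain_pol, user_pol;
	DOM_SID *domain_sid = NULL;
	uint32 user_rid;

	/* Password stuff */
	char *clear_trust_password = NULL;
	struct samr_CryptPassword crypt_pwd;
	uchar md4_trust_password[16];
	union samr_UserInfo set_info;

	/* Misc */
	NTSTATUS result;
	int retval = 1;
	const char *domain = NULL;
	char *acct_name;
	struct lsa_String lsa_acct_name;
	uint32 acct_flags = 0;
	uint32_t access_granted = 0;
	union lsa_PolicyInformation *info = NULL;
	struct samr_Ids user_rids;
	struct samr_Ids name_types;

	/* Check what type of join.  Only touch argv[0] when an argument was
	 * actually supplied; the previous `argc >= 0` test was always true and
	 * relied on argv being NULL-terminated. */
	if (argc > 0) {
		sec_channel_type = get_sec_channel_type(argv[0]);
	} else {
		sec_channel_type = get_sec_channel_type(NULL);
	}

	switch (sec_channel_type) {
	case SEC_CHAN_WKSTA:
		acb_info = ACB_WSTRUST;
		break;
	case SEC_CHAN_BDC:
		acb_info = ACB_SVRTRUST;
		break;
#if 0
	case SEC_CHAN_DOMAIN:
		acb_info = ACB_DOMTRUST;
		break;
#endif
	default:
		/* Only reported; the join goes on with the workstation account
		 * control bits chosen above and stores sec_channel_type as-is. */
		DEBUG(0, ("secure channel type %d not yet supported\n",
			  sec_channel_type));
		break;
	}

	/* Make authenticated connection to remote machine.  On failure there
	 * is nothing to clean up yet, so do not go through done:. */
	result = net_make_ipc_connection(c, NET_FLAGS_PDC, &cli);
	if (!NT_STATUS_IS_OK(result)) {
		return 1;
	}

	mem_ctx = talloc_init("net_rpc_join_newstyle");
	if (mem_ctx == NULL) {
		DEBUG(0, ("Could not initialise talloc context\n"));
		goto done;
	}

	/* Fetch domain sid */
	result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
					  &pipe_hnd);
	if (!NT_STATUS_IS_OK(result)) {
		DEBUG(0, ("Error connecting to LSA pipe. Error was %s\n",
			  nt_errstr(result)));
		goto done;
	}

	CHECK_RPC_ERR(rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
					     SEC_FLAG_MAXIMUM_ALLOWED,
					     &lsa_pol),
		      "error opening lsa policy handle");

	CHECK_RPC_ERR(rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
						 &lsa_pol,
						 LSA_POLICY_INFO_ACCOUNT_DOMAIN,
						 &info),
		      "error querying info policy");

	/* info is allocated on mem_ctx, so domain and domain_sid stay valid
	 * after the LSA pipe is closed below and until done: frees mem_ctx. */
	domain = info->account_domain.name.string;
	domain_sid = info->account_domain.sid;

	rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol);
	TALLOC_FREE(pipe_hnd); /* Done with this pipe */

	/* Both values come from the server; bail out if either is missing
	 * rather than handing NULLs to SAMR and the secrets database. */
	if (!domain) {
		DEBUG(0, ("Could not get domain name.\n"));
		goto done;
	}
	if (!domain_sid) {
		DEBUG(0, ("Could not get domain sid for %s.\n", domain));
		goto done;
	}

	/* Create domain user */
	result = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
					  &pipe_hnd);
	if (!NT_STATUS_IS_OK(result)) {
		DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n",
			  nt_errstr(result)));
		goto done;
	}

	CHECK_RPC_ERR(rpccli_samr_Connect2(pipe_hnd, mem_ctx,
					   pipe_hnd->desthost,
					   SAMR_ACCESS_ENUM_DOMAINS
					   | SAMR_ACCESS_LOOKUP_DOMAIN,
					   &sam_pol),
		      "could not connect to SAM database");

	CHECK_RPC_ERR(rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
					     &sam_pol,
					     SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
					     | SAMR_DOMAIN_ACCESS_CREATE_USER
					     | SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
					     domain_sid,
					     &domain_pol),
		      "could not open domain");

	/* Create domain user: the machine account is "<netbios name>$". */
	acct_name = talloc_asprintf(mem_ctx, "%s$", global_myname());
	if (acct_name == NULL) {
		result = NT_STATUS_NO_MEMORY;
		goto done;
	}
	strlower_m(acct_name);

	init_lsa_String(&lsa_acct_name, acct_name);

	acct_flags = SEC_GENERIC_READ | SEC_GENERIC_WRITE | SEC_GENERIC_EXECUTE |
		     SEC_STD_WRITE_DAC | SEC_STD_DELETE |
		     SAMR_USER_ACCESS_SET_PASSWORD |
		     SAMR_USER_ACCESS_GET_ATTRIBUTES |
		     SAMR_USER_ACCESS_SET_ATTRIBUTES;

	/* %u: acct_flags is unsigned. */
	DEBUG(10, ("Creating account with flags: %u\n", acct_flags));

	result = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx,
					 &domain_pol,
					 &lsa_acct_name,
					 acb_info,
					 acct_flags,
					 &user_pol,
					 &access_granted,
					 &user_rid);

	/* An already existing account is fine: it is re-opened below and its
	 * password reset. */
	if (!NT_STATUS_IS_OK(result) &&
	    !NT_STATUS_EQUAL(result, NT_STATUS_USER_EXISTS)) {
		d_fprintf(stderr, _("Creation of workstation account failed\n"));

		/* If NT_STATUS_ACCESS_DENIED then we have a valid
		   username/password combo but the user does not have
		   administrator access. */
		if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
			d_fprintf(stderr, _("User specified does not have "
					    "administrator privileges\n"));
		}
		goto done;
	}

	/* We *must* do this.... don't ask... */
	if (NT_STATUS_IS_OK(result)) {
		rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
	}

	CHECK_RPC_ERR_DEBUG(rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
						    &domain_pol,
						    1,
						    &lsa_acct_name,
						    &user_rids,
						    &name_types),
			    ("error looking up rid for user %s: %s\n",
			     acct_name, nt_errstr(result)));

	/* Both arrays are filled in by the server.  We asked for exactly one
	 * name, so refuse any other count before indexing into them instead
	 * of trusting the reply to be well-formed. */
	if (user_rids.count != 1 || name_types.count != 1) {
		DEBUG(0, ("unexpected number of lookup results for user %s "
			  "(rids=%u, types=%u)\n", acct_name,
			  user_rids.count, name_types.count));
		result = NT_STATUS_INVALID_NETWORK_RESPONSE;
		goto done;
	}

	if (name_types.ids[0] != SID_NAME_USER) {
		DEBUG(0, ("%s is not a user account (type=%u)\n",
			  acct_name, name_types.ids[0]));
		goto done;
	}

	user_rid = user_rids.ids[0];

	/* Open handle on user */
	CHECK_RPC_ERR_DEBUG(
		rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
				     &domain_pol,
				     SEC_FLAG_MAXIMUM_ALLOWED,
				     user_rid,
				     &user_pol),
		("could not re-open existing user %s: %s\n",
		 acct_name, nt_errstr(result)));

	/* Create a random machine account password */
	clear_trust_password = generate_random_str(talloc_tos(),
						   DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
	if (clear_trust_password == NULL) {
		result = NT_STATUS_NO_MEMORY;
		goto done;
	}
	E_md4hash(clear_trust_password, md4_trust_password);

	/* Set password on machine account.  The blob is keyed with the SMB
	 * session key; since the SAMR pipe was opened without RPC-level
	 * authentication, that key is the only protection the new password
	 * gets on the wire. */
	init_samr_CryptPassword(clear_trust_password,
				&cli->user_session_key,
				&crypt_pwd);

	set_info.info24.password = crypt_pwd;
	set_info.info24.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;

	CHECK_RPC_ERR(rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
					       &user_pol,
					       24,
					       &set_info),
		      "error setting trust account password");

	/* Why do we have to try to (re-)set the ACB to be the same as what
	   we passed in the samr_create_dom_user() call?  When a NT
	   workstation is joined to a domain by an administrator the
	   acb_info is set to 0x80.  For a normal user with "Add
	   workstations to the domain" rights the acb_info is 0x84.  I'm
	   not sure whether it is supposed to make a difference or not.  NT
	   seems to cope with either value so don't bomb out if the set
	   userinfo2 level 0x10 fails.  -tpot */
	set_info.info16.acct_flags = acb_info;

	/* Ignoring the return value is necessary for joining a domain
	   as a normal user with "Add workstation to domain" privilege. */
	result = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
					 &user_pol,
					 16,
					 &set_info);

	rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
	TALLOC_FREE(pipe_hnd); /* Done with this pipe */

	/* Now check the whole process from top-to-bottom */
	result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
					  &pipe_hnd);
	if (!NT_STATUS_IS_OK(result)) {
		DEBUG(0, ("Error connecting to NETLOGON pipe. Error was %s\n",
			  nt_errstr(result)));
		goto done;
	}

	result = rpccli_netlogon_setup_creds(pipe_hnd,
					     cli->desthost,   /* server name */
					     domain,          /* domain */
					     global_myname(), /* client name */
					     global_myname(), /* machine account name */
					     md4_trust_password,
					     sec_channel_type,
					     &neg_flags);

	if (!NT_STATUS_IS_OK(result)) {
		DEBUG(0, ("Error in domain join verification (credential setup failed): %s\n\n",
			  nt_errstr(result)));

		if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) &&
		    (sec_channel_type == SEC_CHAN_BDC)) {
			d_fprintf(stderr, _("Please make sure that no computer "
					    "account\nnamed like this machine "
					    "(%s) exists in the domain\n"),
				  global_myname());
		}
		goto done;
	}

	/* We can only check the schannel connection if the client is allowed
	   to do this and the server supports it.  If not, just assume success
	   (after all the rpccli_netlogon_setup_creds() succeeded, and we'll
	   do the same again (setup creds) in net_rpc_join_ok().  JRA. */
	if (lp_client_schannel() && (neg_flags & NETLOGON_NEG_SCHANNEL)) {
		struct rpc_pipe_client *netlogon_schannel_pipe;

		result = cli_rpc_pipe_open_schannel_with_key(
			cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
			DCERPC_AUTH_LEVEL_PRIVACY, domain, &pipe_hnd->dc,
			&netlogon_schannel_pipe);

		if (!NT_STATUS_IS_OK(result)) {
			DEBUG(0, ("Error in domain join verification (schannel setup failed): %s\n\n",
				  nt_errstr(result)));

			if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) &&
			    (sec_channel_type == SEC_CHAN_BDC)) {
				d_fprintf(stderr, _("Please make sure that no "
						    "computer account\nnamed "
						    "like this machine (%s) "
						    "exists in the domain\n"),
					  global_myname());
			}
			goto done;
		}
		TALLOC_FREE(netlogon_schannel_pipe);
	}

	TALLOC_FREE(pipe_hnd);

	/* Now store the secret in the secrets database.  The domain name is
	 * upper-cased in place: it points into the talloc'd LSA reply, hence
	 * the const cast. */
	strupper_m(CONST_DISCARD(char *, domain));

	if (!secrets_store_domain_sid(domain, domain_sid)) {
		DEBUG(0, ("error storing domain sid for %s\n", domain));
		goto done;
	}

	/* Without the machine password stored locally the join is unusable
	 * (the DC now holds a password we no longer know), so treat this as
	 * a failure like the SID store above rather than reporting success. */
	if (!secrets_store_machine_password(clear_trust_password, domain, sec_channel_type)) {
		DEBUG(0, ("error storing plaintext domain secrets for %s\n", domain));
		goto done;
	}

	/* double-check, connection from scratch */
	result = net_rpc_join_ok(c, domain, cli->desthost, &cli->dest_ss);
	retval = NT_STATUS_IS_OK(result) ? 0 : -1;

done:
	/* Display success or failure.  domain lives on mem_ctx, so report
	 * before freeing it below. */
	if (domain) {
		if (retval != 0) {
			fprintf(stderr, _("Unable to join domain %s.\n"), domain);
		} else {
			printf(_("Joined domain %s.\n"), domain);
		}
	}

	/* NOTE(review): md4_trust_password and crypt_pwd still hold the new
	 * machine secret at this point; consider wiping them with a
	 * non-elidable clear before returning. */
	cli_shutdown(cli);
	TALLOC_FREE(clear_trust_password);
	TALLOC_FREE(mem_ctx); /* was leaked on every path before */
	return retval;
}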
/**
 * check that a join is OK
 *
 * Runs net_rpc_join_ok() against the target workgroup from the net
 * context, letting it locate a domain controller itself (no server name
 * or address is passed), and reports the outcome on stdout/stderr.
 *
 * @param c    net context; c->opt_target_workgroup names the domain and
 *             c->display_usage requests the usage text instead.
 * @param argc Standard main() style argc (unused)
 * @param argv Standard main() style argv (unused)
 * @return A shell status integer (0 for success, -1 if the join is not
 *         valid; 0 after printing usage)
 *
 **/
int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
{
	const char *workgroup = c->opt_target_workgroup;
	NTSTATUS status;

	if (c->display_usage) {
		d_printf(_("Usage\n"
			   "net rpc testjoin\n"
			   "    Test if a join is OK\n"));
		return 0;
	}

	status = net_rpc_join_ok(c, workgroup, NULL, NULL);
	if (NT_STATUS_IS_OK(status)) {
		printf(_("Join to '%s' is OK\n"), workgroup);
		return 0;
	}

	fprintf(stderr, _("Join to domain '%s' is not valid: %s\n"),
		workgroup, nt_errstr(status));
	return -1;
}