2004-06-06 11:14:10 +04:00
/*
Unix SMB / CIFS implementation .
utility code to join / leave a domain
Copyright ( C ) Andrew Tridgell 2004
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 06:07:03 +04:00
the Free Software Foundation ; either version 3 of the License , or
2004-06-06 11:14:10 +04:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 06:07:03 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2004-06-06 11:14:10 +04:00
*/
/*
this code is used by other torture modules to join / leave a domain
as either a member , bdc or thru a trust relationship
*/
# include "includes.h"
2005-03-18 06:16:53 +03:00
# include "system/time.h"
2008-09-24 17:30:23 +04:00
# include "../lib/crypto/crypto.h"
2005-09-25 16:26:07 +04:00
# include "libnet/libnet.h"
# include "lib/cmdline/popt_common.h"
2006-03-15 02:35:30 +03:00
# include "librpc/gen_ndr/ndr_samr_c.h"
2005-09-25 16:26:07 +04:00
2006-03-14 18:02:05 +03:00
# include "libcli/auth/libcli_auth.h"
# include "torture/rpc/rpc.h"
2006-04-02 16:02:01 +04:00
# include "libcli/security/security.h"
2007-09-08 16:42:09 +04:00
# include "param/param.h"
2004-06-06 11:14:10 +04:00
struct test_join {
struct dcerpc_pipe * p ;
2004-09-21 07:51:38 +04:00
struct policy_handle user_handle ;
2005-09-25 16:26:07 +04:00
struct libnet_JoinDomain * libnet_r ;
2006-02-13 03:02:31 +03:00
struct dom_sid * dom_sid ;
2006-12-07 18:27:18 +03:00
const char * dom_netbios_name ;
const char * dom_dns_name ;
2006-02-13 03:02:31 +03:00
struct dom_sid * user_sid ;
2006-12-12 02:59:03 +03:00
struct GUID user_guid ;
const char * netbios_name ;
2004-06-06 11:14:10 +04:00
} ;
static NTSTATUS DeleteUser_byname ( struct dcerpc_pipe * p , TALLOC_CTX * mem_ctx ,
struct policy_handle * handle , const char * name )
{
NTSTATUS status ;
struct samr_DeleteUser d ;
2004-09-21 07:51:38 +04:00
struct policy_handle user_handle ;
2004-06-06 11:14:10 +04:00
uint32_t rid ;
struct samr_LookupNames n ;
2008-11-05 16:28:17 +03:00
struct samr_Ids rids , types ;
2005-07-08 12:09:02 +04:00
struct lsa_String sname ;
2004-06-06 11:14:10 +04:00
struct samr_OpenUser r ;
2004-11-13 16:45:41 +03:00
sname . string = name ;
2004-06-06 11:14:10 +04:00
2004-09-21 07:51:38 +04:00
n . in . domain_handle = handle ;
2004-06-06 11:14:10 +04:00
n . in . num_names = 1 ;
n . in . names = & sname ;
2008-11-05 16:28:17 +03:00
n . out . rids = & rids ;
n . out . types = & types ;
2004-06-06 11:14:10 +04:00
status = dcerpc_samr_LookupNames ( p , mem_ctx , & n ) ;
if ( NT_STATUS_IS_OK ( status ) ) {
2008-11-05 16:28:17 +03:00
rid = n . out . rids - > ids [ 0 ] ;
2004-06-06 11:14:10 +04:00
} else {
return status ;
}
2004-09-21 07:51:38 +04:00
r . in . domain_handle = handle ;
2004-12-02 07:37:36 +03:00
r . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2004-06-06 11:14:10 +04:00
r . in . rid = rid ;
2004-09-21 07:51:38 +04:00
r . out . user_handle = & user_handle ;
2004-06-06 11:14:10 +04:00
status = dcerpc_samr_OpenUser ( p , mem_ctx , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " OpenUser(%s) failed - %s \n " , name , nt_errstr ( status ) ) ;
return status ;
}
2004-09-21 07:51:38 +04:00
d . in . user_handle = & user_handle ;
d . out . user_handle = & user_handle ;
2004-06-06 11:14:10 +04:00
status = dcerpc_samr_DeleteUser ( p , mem_ctx , & d ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
return NT_STATUS_OK ;
}
/*
2005-03-18 06:16:53 +03:00
create a test user in the domain
2004-06-06 11:14:10 +04:00
an opaque pointer is returned . Pass it to torture_leave_domain ( )
when finished
*/
2005-03-18 06:16:53 +03:00
2007-08-28 16:54:27 +04:00
struct test_join * torture_create_testuser ( struct torture_context * torture ,
const char * username ,
2005-03-18 06:16:53 +03:00
const char * domain ,
uint16_t acct_type ,
const char * * random_password )
2004-06-06 11:14:10 +04:00
{
NTSTATUS status ;
struct samr_Connect c ;
struct samr_CreateUser2 r ;
struct samr_OpenDomain o ;
struct samr_LookupDomain l ;
2008-11-07 04:42:45 +03:00
struct dom_sid2 * sid = NULL ;
2004-06-06 11:14:10 +04:00
struct samr_GetUserPwInfo pwp ;
2008-11-05 03:28:49 +03:00
struct samr_PwInfo info ;
2004-06-06 11:14:10 +04:00
struct samr_SetUserInfo s ;
union samr_UserInfo u ;
struct policy_handle handle ;
struct policy_handle domain_handle ;
uint32_t access_granted ;
uint32_t rid ;
DATA_BLOB session_key ;
2005-07-08 12:09:02 +04:00
struct lsa_String name ;
2005-03-18 06:16:53 +03:00
2004-06-06 11:14:10 +04:00
int policy_min_pw_len = 0 ;
struct test_join * join ;
2005-03-18 06:16:53 +03:00
char * random_pw ;
2007-12-03 02:28:22 +03:00
const char * dc_binding = torture_setting_string ( torture , " dc_binding " , NULL ) ;
2004-06-06 11:14:10 +04:00
2005-01-27 10:08:20 +03:00
join = talloc ( NULL , struct test_join ) ;
2004-06-06 11:14:10 +04:00
if ( join = = NULL ) {
return NULL ;
}
ZERO_STRUCTP ( join ) ;
2004-09-09 18:34:58 +04:00
printf ( " Connecting to SAMR \n " ) ;
2006-12-12 10:53:12 +03:00
if ( dc_binding ) {
status = dcerpc_pipe_connect ( join ,
& join - > p ,
dc_binding ,
2007-08-20 01:23:03 +04:00
& ndr_table_samr ,
2007-12-07 04:37:04 +03:00
cmdline_credentials , NULL , torture - > lp_ctx ) ;
2006-12-12 10:53:12 +03:00
} else {
2007-08-28 16:54:27 +04:00
status = torture_rpc_connection ( torture ,
2006-12-12 10:53:12 +03:00
& join - > p ,
2007-08-20 01:23:03 +04:00
& ndr_table_samr ) ;
2006-12-12 10:53:12 +03:00
}
2004-06-06 11:14:10 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2005-09-28 06:58:53 +04:00
return NULL ;
2004-06-06 11:14:10 +04:00
}
c . in . system_name = NULL ;
2004-12-02 07:37:36 +03:00
c . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2004-09-21 07:51:38 +04:00
c . out . connect_handle = & handle ;
2004-06-06 11:14:10 +04:00
2004-10-30 15:37:17 +04:00
status = dcerpc_samr_Connect ( join - > p , join , & c ) ;
2004-06-06 11:14:10 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
2004-08-20 19:00:22 +04:00
const char * errstr = nt_errstr ( status ) ;
if ( NT_STATUS_EQUAL ( status , NT_STATUS_NET_WRITE_FAULT ) ) {
2004-10-30 15:37:17 +04:00
errstr = dcerpc_errstr ( join , join - > p - > last_fault_code ) ;
2004-08-20 19:00:22 +04:00
}
printf ( " samr_Connect failed - %s \n " , errstr ) ;
2005-09-28 06:58:53 +04:00
return NULL ;
2004-06-06 11:14:10 +04:00
}
printf ( " Opening domain %s \n " , domain ) ;
2004-11-13 16:45:41 +03:00
name . string = domain ;
2004-09-21 07:51:38 +04:00
l . in . connect_handle = & handle ;
2005-02-13 03:26:43 +03:00
l . in . domain_name = & name ;
2008-11-07 04:42:45 +03:00
l . out . sid = & sid ;
2004-06-06 11:14:10 +04:00
2004-10-30 15:37:17 +04:00
status = dcerpc_samr_LookupDomain ( join - > p , join , & l ) ;
2004-06-06 11:14:10 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " LookupDomain failed - %s \n " , nt_errstr ( status ) ) ;
goto failed ;
}
2008-11-07 04:42:45 +03:00
talloc_steal ( join , * l . out . sid ) ;
join - > dom_sid = * l . out . sid ;
2006-12-07 18:27:18 +03:00
join - > dom_netbios_name = talloc_strdup ( join , domain ) ;
if ( ! join - > dom_netbios_name ) goto failed ;
2005-04-13 09:07:04 +04:00
2004-09-21 07:51:38 +04:00
o . in . connect_handle = & handle ;
2004-12-02 07:37:36 +03:00
o . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2008-11-07 04:42:45 +03:00
o . in . sid = * l . out . sid ;
2004-06-06 11:14:10 +04:00
o . out . domain_handle = & domain_handle ;
2004-10-30 15:37:17 +04:00
status = dcerpc_samr_OpenDomain ( join - > p , join , & o ) ;
2004-06-06 11:14:10 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " OpenDomain failed - %s \n " , nt_errstr ( status ) ) ;
goto failed ;
}
2005-03-18 06:16:53 +03:00
printf ( " Creating account %s \n " , username ) ;
2004-06-06 11:14:10 +04:00
again :
2005-03-18 06:16:53 +03:00
name . string = username ;
2004-09-21 07:51:38 +04:00
r . in . domain_handle = & domain_handle ;
2004-06-06 11:14:10 +04:00
r . in . account_name = & name ;
2005-03-18 06:16:53 +03:00
r . in . acct_flags = acct_type ;
2004-12-02 07:37:36 +03:00
r . in . access_mask = SEC_FLAG_MAXIMUM_ALLOWED ;
2004-09-21 07:51:38 +04:00
r . out . user_handle = & join - > user_handle ;
2004-06-06 11:14:10 +04:00
r . out . access_granted = & access_granted ;
r . out . rid = & rid ;
2004-10-30 15:37:17 +04:00
status = dcerpc_samr_CreateUser2 ( join - > p , join , & r ) ;
2004-06-06 11:14:10 +04:00
if ( NT_STATUS_EQUAL ( status , NT_STATUS_USER_EXISTS ) ) {
2004-11-13 16:45:41 +03:00
status = DeleteUser_byname ( join - > p , join , & domain_handle , name . string ) ;
2004-06-06 11:14:10 +04:00
if ( NT_STATUS_IS_OK ( status ) ) {
goto again ;
}
}
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " CreateUser2 failed - %s \n " , nt_errstr ( status ) ) ;
goto failed ;
}
2006-02-13 03:02:31 +03:00
join - > user_sid = dom_sid_add_rid ( join , join - > dom_sid , rid ) ;
2004-09-21 07:51:38 +04:00
pwp . in . user_handle = & join - > user_handle ;
2008-11-05 03:28:49 +03:00
pwp . out . info = & info ;
2004-06-06 11:14:10 +04:00
2004-10-30 15:37:17 +04:00
status = dcerpc_samr_GetUserPwInfo ( join - > p , join , & pwp ) ;
2004-06-06 11:14:10 +04:00
if ( NT_STATUS_IS_OK ( status ) ) {
2008-11-05 03:28:49 +03:00
policy_min_pw_len = pwp . out . info - > min_password_length ;
2004-06-06 11:14:10 +04:00
}
2010-02-24 17:12:17 +03:00
random_pw = generate_random_password ( join , MAX ( 8 , policy_min_pw_len ) , 255 ) ;
2004-06-06 11:14:10 +04:00
2005-03-18 06:16:53 +03:00
printf ( " Setting account password '%s' \n " , random_pw ) ;
2004-06-06 11:14:10 +04:00
2007-07-30 12:58:39 +04:00
ZERO_STRUCT ( u ) ;
2004-09-21 07:51:38 +04:00
s . in . user_handle = & join - > user_handle ;
2004-06-06 11:14:10 +04:00
s . in . info = & u ;
s . in . level = 24 ;
2005-03-18 06:16:53 +03:00
encode_pw_buffer ( u . info24 . password . data , random_pw , STR_UNICODE ) ;
2008-11-27 19:45:01 +03:00
u . info24 . password_expired = 0 ;
2004-06-06 11:14:10 +04:00
status = dcerpc_fetch_session_key ( join - > p , & session_key ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " SetUserInfo level %u - no session key - %s \n " ,
s . in . level , nt_errstr ( status ) ) ;
2008-06-14 19:24:17 +04:00
torture_leave_domain ( torture , join ) ;
2004-06-06 11:14:10 +04:00
goto failed ;
}
arcfour_crypt_blob ( u . info24 . password . data , 516 , & session_key ) ;
2004-10-30 15:37:17 +04:00
status = dcerpc_samr_SetUserInfo ( join - > p , join , & s ) ;
2004-06-06 11:14:10 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " SetUserInfo failed - %s \n " , nt_errstr ( status ) ) ;
goto failed ;
}
2005-03-18 06:16:53 +03:00
ZERO_STRUCT ( u ) ;
2004-09-21 07:51:38 +04:00
s . in . user_handle = & join - > user_handle ;
2004-06-06 11:14:10 +04:00
s . in . info = & u ;
2005-03-18 06:16:53 +03:00
s . in . level = 21 ;
2004-06-06 11:14:10 +04:00
2007-05-18 05:15:50 +04:00
u . info21 . acct_flags = acct_type | ACB_PWNOEXP ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
u . info21 . fields_present = SAMR_FIELD_ACCT_FLAGS | SAMR_FIELD_DESCRIPTION | SAMR_FIELD_COMMENT | SAMR_FIELD_FULL_NAME ;
2004-06-06 11:14:10 +04:00
2005-10-31 06:00:36 +03:00
u . info21 . comment . string = talloc_asprintf ( join ,
" Tortured by Samba4: %s " ,
timestring ( join , time ( NULL ) ) ) ;
u . info21 . full_name . string = talloc_asprintf ( join ,
" Torture account for Samba4: %s " ,
timestring ( join , time ( NULL ) ) ) ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
u . info21 . description . string = talloc_asprintf ( join ,
" Samba4 torture account created by host %s: %s " ,
2007-12-03 02:28:22 +03:00
lp_netbios_name ( torture - > lp_ctx ) ,
2007-09-28 05:17:46 +04:00
timestring ( join , time ( NULL ) ) ) ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achived by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propogated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the assoicated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 11:34:43 +03:00
2005-03-18 06:16:53 +03:00
printf ( " Resetting ACB flags, force pw change time \n " ) ;
2004-06-06 11:14:10 +04:00
2004-10-30 15:37:17 +04:00
status = dcerpc_samr_SetUserInfo ( join - > p , join , & s ) ;
2004-06-06 11:14:10 +04:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " SetUserInfo failed - %s \n " , nt_errstr ( status ) ) ;
goto failed ;
}
2005-03-18 06:16:53 +03:00
if ( random_password ) {
* random_password = random_pw ;
2004-11-11 07:32:01 +03:00
}
2004-11-13 16:45:41 +03:00
2004-06-06 11:14:10 +04:00
return join ;
failed :
2008-06-14 19:24:17 +04:00
torture_leave_domain ( torture , join ) ;
2004-06-06 11:14:10 +04:00
return NULL ;
}
2005-03-18 06:16:53 +03:00
2007-12-03 17:53:17 +03:00
_PUBLIC_ struct test_join * torture_join_domain ( struct torture_context * tctx ,
const char * machine_name ,
2005-09-25 16:26:07 +04:00
uint32_t acct_flags ,
2005-10-04 03:46:21 +04:00
struct cli_credentials * * machine_credentials )
2005-03-18 06:16:53 +03:00
{
2005-09-25 16:26:07 +04:00
NTSTATUS status ;
struct libnet_context * libnet_ctx ;
struct libnet_JoinDomain * libnet_r ;
struct test_join * tj ;
2005-09-28 06:58:53 +04:00
struct samr_SetUserInfo s ;
union samr_UserInfo u ;
2005-09-25 16:26:07 +04:00
2008-04-14 20:43:37 +04:00
tj = talloc ( tctx , struct test_join ) ;
2005-09-25 16:26:07 +04:00
if ( ! tj ) return NULL ;
libnet_r = talloc ( tj , struct libnet_JoinDomain ) ;
if ( ! libnet_r ) {
talloc_free ( tj ) ;
return NULL ;
}
2008-04-14 20:43:37 +04:00
libnet_ctx = libnet_context_init ( tctx - > ev , tctx - > lp_ctx ) ;
2005-09-25 16:26:07 +04:00
if ( ! libnet_ctx ) {
talloc_free ( tj ) ;
return NULL ;
}
tj - > libnet_r = libnet_r ;
libnet_ctx - > cred = cmdline_credentials ;
2007-12-03 17:53:17 +03:00
libnet_r - > in . binding = torture_setting_string ( tctx , " binding " , NULL ) ;
2005-10-04 03:46:21 +04:00
if ( ! libnet_r - > in . binding ) {
2007-12-03 17:53:17 +03:00
libnet_r - > in . binding = talloc_asprintf ( libnet_r , " ncacn_np:%s " , torture_setting_string ( tctx , " host " , NULL ) ) ;
2005-10-04 03:46:21 +04:00
}
2005-09-25 16:26:07 +04:00
libnet_r - > in . level = LIBNET_JOINDOMAIN_SPECIFIED ;
libnet_r - > in . netbios_name = machine_name ;
libnet_r - > in . account_name = talloc_asprintf ( libnet_r , " %s$ " , machine_name ) ;
if ( ! libnet_r - > in . account_name ) {
talloc_free ( tj ) ;
return NULL ;
}
libnet_r - > in . acct_type = acct_flags ;
2007-10-07 02:28:14 +04:00
libnet_r - > in . recreate_account = true ;
2005-09-25 16:26:07 +04:00
status = libnet_JoinDomain ( libnet_ctx , libnet_r , libnet_r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2005-10-04 03:46:21 +04:00
if ( libnet_r - > out . error_string ) {
2006-08-31 12:15:23 +04:00
DEBUG ( 0 , ( " Domain join failed - %s \n " , libnet_r - > out . error_string ) ) ;
2005-10-04 03:46:21 +04:00
} else {
2006-08-31 12:15:23 +04:00
DEBUG ( 0 , ( " Domain join failed - %s \n " , nt_errstr ( status ) ) ) ;
2005-10-04 03:46:21 +04:00
}
2005-09-25 16:26:07 +04:00
talloc_free ( tj ) ;
return NULL ;
}
tj - > p = libnet_r - > out . samr_pipe ;
tj - > user_handle = * libnet_r - > out . user_handle ;
2006-02-13 03:02:31 +03:00
tj - > dom_sid = libnet_r - > out . domain_sid ;
talloc_steal ( tj , libnet_r - > out . domain_sid ) ;
2006-12-07 18:27:18 +03:00
tj - > dom_netbios_name = libnet_r - > out . domain_name ;
talloc_steal ( tj , libnet_r - > out . domain_name ) ;
tj - > dom_dns_name = libnet_r - > out . realm ;
talloc_steal ( tj , libnet_r - > out . realm ) ;
2006-12-12 02:59:03 +03:00
tj - > user_guid = libnet_r - > out . account_guid ;
tj - > netbios_name = talloc_strdup ( tj , machine_name ) ;
if ( ! tj - > netbios_name ) {
talloc_free ( tj ) ;
return NULL ;
}
2005-09-25 16:26:07 +04:00
2005-09-28 06:58:53 +04:00
ZERO_STRUCT ( u ) ;
s . in . user_handle = & tj - > user_handle ;
s . in . info = & u ;
s . in . level = 21 ;
u . info21 . fields_present = SAMR_FIELD_DESCRIPTION | SAMR_FIELD_COMMENT | SAMR_FIELD_FULL_NAME ;
2005-10-31 06:00:36 +03:00
u . info21 . comment . string = talloc_asprintf ( tj ,
" Tortured by Samba4: %s " ,
timestring ( tj , time ( NULL ) ) ) ;
u . info21 . full_name . string = talloc_asprintf ( tj ,
" Torture account for Samba4: %s " ,
timestring ( tj , time ( NULL ) ) ) ;
2005-09-28 06:58:53 +04:00
u . info21 . description . string = talloc_asprintf ( tj ,
" Samba4 torture account created by host %s: %s " ,
2007-12-03 17:53:17 +03:00
lp_netbios_name ( tctx - > lp_ctx ) , timestring ( tj , time ( NULL ) ) ) ;
2005-09-28 06:58:53 +04:00
status = dcerpc_samr_SetUserInfo ( tj - > p , tj , & s ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
printf ( " SetUserInfo (non-critical) failed - %s \n " , nt_errstr ( status ) ) ;
}
2005-10-04 03:46:21 +04:00
* machine_credentials = cli_credentials_init ( tj ) ;
2007-12-03 17:53:17 +03:00
cli_credentials_set_conf ( * machine_credentials , tctx - > lp_ctx ) ;
2005-10-04 03:46:21 +04:00
cli_credentials_set_workstation ( * machine_credentials , machine_name , CRED_SPECIFIED ) ;
cli_credentials_set_domain ( * machine_credentials , libnet_r - > out . domain_name , CRED_SPECIFIED ) ;
if ( libnet_r - > out . realm ) {
cli_credentials_set_realm ( * machine_credentials , libnet_r - > out . realm , CRED_SPECIFIED ) ;
}
cli_credentials_set_username ( * machine_credentials , libnet_r - > in . account_name , CRED_SPECIFIED ) ;
cli_credentials_set_password ( * machine_credentials , libnet_r - > out . join_password , CRED_SPECIFIED ) ;
2008-08-27 15:36:27 +04:00
cli_credentials_set_kvno ( * machine_credentials , libnet_r - > out . kvno ) ;
2005-10-04 03:46:21 +04:00
if ( acct_flags & ACB_SVRTRUST ) {
cli_credentials_set_secure_channel_type ( * machine_credentials ,
2005-10-07 08:00:11 +04:00
SEC_CHAN_BDC ) ;
2005-10-04 03:46:21 +04:00
} else if ( acct_flags & ACB_WSTRUST ) {
cli_credentials_set_secure_channel_type ( * machine_credentials ,
2005-10-07 08:00:11 +04:00
SEC_CHAN_WKSTA ) ;
2005-10-04 03:46:21 +04:00
} else {
DEBUG ( 0 , ( " Invalid account type specificed to torture_join_domain \n " ) ) ;
talloc_free ( * machine_credentials ) ;
return NULL ;
}
2005-03-18 06:16:53 +03:00
return tj ;
}
2004-11-13 16:45:41 +03:00
struct dcerpc_pipe * torture_join_samr_pipe ( struct test_join * join )
{
return join - > p ;
}
2004-06-06 11:14:10 +04:00
2005-03-18 06:16:53 +03:00
struct policy_handle * torture_join_samr_user_policy ( struct test_join * join )
{
return & join - > user_handle ;
}
2008-06-14 19:24:17 +04:00
static NTSTATUS torture_leave_ads_domain ( struct torture_context * torture ,
TALLOC_CTX * mem_ctx ,
struct libnet_JoinDomain * libnet_r )
2005-09-25 16:26:07 +04:00
{
int rtn ;
TALLOC_CTX * tmp_ctx ;
struct ldb_dn * server_dn ;
struct ldb_context * ldb_ctx ;
char * remote_ldb_url ;
/* Check if we are a domain controller. If not, exit. */
if ( ! libnet_r - > out . server_dn_str ) {
return NT_STATUS_OK ;
}
tmp_ctx = talloc_named ( mem_ctx , 0 , " torture_leave temporary context " ) ;
if ( ! tmp_ctx ) {
libnet_r - > out . error_string = NULL ;
return NT_STATUS_NO_MEMORY ;
}
2008-06-14 19:24:17 +04:00
ldb_ctx = ldb_init ( tmp_ctx , torture - > ev ) ;
2005-09-25 16:26:07 +04:00
if ( ! ldb_ctx ) {
libnet_r - > out . error_string = NULL ;
talloc_free ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
/* Remove CN=Servers,... entry from the AD. */
2006-11-22 03:59:34 +03:00
server_dn = ldb_dn_new ( tmp_ctx , ldb_ctx , libnet_r - > out . server_dn_str ) ;
if ( ! ldb_dn_validate ( server_dn ) ) {
2005-09-25 16:26:07 +04:00
libnet_r - > out . error_string = NULL ;
talloc_free ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
remote_ldb_url = talloc_asprintf ( tmp_ctx , " ldap://%s " , libnet_r - > out . samr_binding - > host ) ;
if ( ! remote_ldb_url ) {
libnet_r - > out . error_string = NULL ;
talloc_free ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
2006-11-09 01:28:28 +03:00
ldb_set_opaque ( ldb_ctx , " credentials " , cmdline_credentials ) ;
2008-09-30 08:59:50 +04:00
ldb_set_opaque ( ldb_ctx , " loadparm " , cmdline_lp_ctx ) ;
2006-11-09 01:28:28 +03:00
2005-09-25 16:26:07 +04:00
rtn = ldb_connect ( ldb_ctx , remote_ldb_url , 0 , NULL ) ;
if ( rtn ! = 0 ) {
libnet_r - > out . error_string = NULL ;
talloc_free ( tmp_ctx ) ;
return NT_STATUS_UNSUCCESSFUL ;
}
rtn = ldb_delete ( ldb_ctx , server_dn ) ;
if ( rtn ! = 0 ) {
libnet_r - > out . error_string = NULL ;
talloc_free ( tmp_ctx ) ;
return NT_STATUS_UNSUCCESSFUL ;
}
DEBUG ( 0 , ( " %s removed successfully. \n " , libnet_r - > out . server_dn_str ) ) ;
talloc_free ( tmp_ctx ) ;
2005-10-31 06:00:36 +03:00
return NT_STATUS_OK ;
2005-09-25 16:26:07 +04:00
}
2004-06-06 11:14:10 +04:00
/*
leave the domain , deleting the machine acct
*/
2005-09-25 16:26:07 +04:00
2008-06-14 19:24:17 +04:00
_PUBLIC_ void torture_leave_domain ( struct torture_context * torture , struct test_join * join )
2004-06-06 11:14:10 +04:00
{
struct samr_DeleteUser d ;
NTSTATUS status ;
2005-09-28 06:37:03 +04:00
if ( ! join ) {
return ;
}
2005-09-25 16:26:07 +04:00
d . in . user_handle = & join - > user_handle ;
d . out . user_handle = & join - > user_handle ;
2008-06-14 19:24:17 +04:00
/* Delete machine account */
2005-09-25 16:26:07 +04:00
status = dcerpc_samr_DeleteUser ( join - > p , join , & d ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2008-05-16 17:38:16 +04:00
printf ( " Delete of machine account %s failed \n " ,
join - > netbios_name ) ;
2005-09-25 16:26:07 +04:00
} else {
2008-05-16 17:38:16 +04:00
printf ( " Delete of machine account %s was successful. \n " ,
join - > netbios_name ) ;
2004-06-06 11:14:10 +04:00
}
2005-09-25 16:26:07 +04:00
if ( join - > libnet_r ) {
2008-06-14 19:24:17 +04:00
status = torture_leave_ads_domain ( torture , join , join - > libnet_r ) ;
2005-09-25 16:26:07 +04:00
}
2004-10-30 15:37:17 +04:00
talloc_free ( join ) ;
2004-06-06 11:14:10 +04:00
}
2004-11-06 13:07:08 +03:00
2005-04-13 09:07:04 +04:00
/*
return the dom sid for a test join
*/
2006-10-29 20:40:19 +03:00
_PUBLIC_ const struct dom_sid * torture_join_sid ( struct test_join * join )
2005-04-13 09:07:04 +04:00
{
return join - > dom_sid ;
}
2006-02-18 02:51:43 +03:00
const struct dom_sid * torture_join_user_sid ( struct test_join * join )
{
return join - > user_sid ;
}
2006-12-12 02:59:03 +03:00
const char * torture_join_netbios_name ( struct test_join * join )
{
return join - > netbios_name ;
}
const struct GUID * torture_join_user_guid ( struct test_join * join )
{
return & join - > user_guid ;
}
2006-12-07 18:27:18 +03:00
const char * torture_join_dom_netbios_name ( struct test_join * join )
{
return join - > dom_netbios_name ;
}
const char * torture_join_dom_dns_name ( struct test_join * join )
{
return join - > dom_dns_name ;
}
2008-04-04 05:55:45 +04:00
const char * torture_join_server_dn_str ( struct test_join * join )
{
if ( join - > libnet_r ) {
return join - > libnet_r - > out . server_dn_str ;
}
return NULL ;
}
2004-11-06 13:07:08 +03:00
2007-07-10 17:41:00 +04:00
#if 0 /* Left as the documentation of the join process, but see new implementation in libnet_become_dc.c */
2004-11-06 13:07:08 +03:00
struct test_join_ads_dc {
struct test_join * join ;
} ;
2004-11-11 07:32:01 +03:00
struct test_join_ads_dc * torture_join_domain_ads_dc ( const char * machine_name ,
const char * domain ,
2005-10-04 03:46:21 +04:00
struct cli_credentials * * machine_credentials )
2004-11-06 13:07:08 +03:00
{
struct test_join_ads_dc * join ;
2005-01-27 10:08:20 +03:00
join = talloc ( NULL , struct test_join_ads_dc ) ;
2004-11-06 13:07:08 +03:00
if ( join = = NULL ) {
return NULL ;
}
2005-09-25 16:26:07 +04:00
join - > join = torture_join_domain ( machine_name ,
2004-11-06 13:07:08 +03:00
ACB_SVRTRUST ,
2005-10-04 03:46:21 +04:00
machine_credentials ) ;
2004-11-06 13:07:08 +03:00
if ( ! join - > join ) {
return NULL ;
}
2006-11-30 16:34:17 +03:00
/* W2K: */
2006-11-30 14:43:05 +03:00
/* W2K: modify userAccountControl from 4096 to 532480 */
2004-11-06 13:07:08 +03:00
2006-11-30 14:43:05 +03:00
/* W2K: modify RDN to OU=Domain Controllers and skip the $ from server name */
2004-11-06 13:07:08 +03:00
/* ask objectVersion of Schema Partition */
/* ask rIDManagerReferenz of the Domain Partition */
/* ask fsMORoleOwner of the RID-Manager$ object
* returns CN = NTDS Settings , CN = < DC > , CN = Servers , CN = Default - First - Site - Name , . . .
*/
/* ask for dnsHostName of CN=<DC>,CN=Servers,CN=Default-First-Site-Name, ... */
/* ask for objectGUID of CN=NTDS Settings,CN=<DC>,CN=Servers,CN=Default-First-Site-Name, ... */
/* ask for * of CN=Default-First-Site-Name, ... */
/* search (&(|(objectClass=user)(objectClass=computer))(sAMAccountName=<machine_name>$)) in Domain Partition
* attributes : distinguishedName , userAccountControl
*/
/* ask * for CN=<machine_name>,CN=Servers,CN=Default-First-Site-Name,...
* should fail with noSuchObject
*/
/* add CN=<machine_name>,CN=Servers,CN=Default-First-Site-Name,...
*
* objectClass = server
* systemFlags = 50000000
* serverReferenz = CN = < machine_name > , OU = Domain Controllers , . . .
*/
/* ask for * of CN=NTDS Settings,CN=<machine_name>,CN=Servers,CN=Default-First-Site-Name, ...
* should fail with noSuchObject
*/
/* search for (ncname=<domain_nc>) in CN=Partitions,CN=Configuration,...
* attributes : ncName , dnsRoot
*/
/* modify add CN=<machine_name>,CN=Servers,CN=Default-First-Site-Name,...
* serverReferenz = CN = < machine_name > , OU = Domain Controllers , . . .
* should fail with attributeOrValueExists
*/
/* modify replace CN=<machine_name>,CN=Servers,CN=Default-First-Site-Name,...
* serverReferenz = CN = < machine_name > , OU = Domain Controllers , . . .
*/
2006-11-30 16:34:17 +03:00
/* DsAddEntry to create the CN=NTDS Settings,CN=<machine_name>,CN=Servers,CN=Default-First-Site-Name, ...
*
*/
/* replicate CN=Schema,CN=Configuration,...
* using DRSUAPI_DS_BIND_GUID_W2K ( " 6abec3d1-3054-41c8-a362-5a0c5b7d5d71 " )
*
*/
/* replicate CN=Configuration,...
* using DRSUAPI_DS_BIND_GUID_W2K ( " 6abec3d1-3054-41c8-a362-5a0c5b7d5d71 " )
*
*/
/* replicate Domain Partition
* using DRSUAPI_DS_BIND_GUID_W2K ( " 6abec3d1-3054-41c8-a362-5a0c5b7d5d71 " )
*
*/
/* call DsReplicaUpdateRefs() for all partitions like this:
* req1 : struct drsuapi_DsReplicaUpdateRefsRequest1
* naming_context : *
* naming_context : struct drsuapi_DsReplicaObjectIdentifier
* __ndr_size : 0x000000ae ( 174 )
* __ndr_size_sid : 0x00000000 ( 0 )
* guid : 00000000 - 0000 - 0000 - 0000 - 000000000000
* sid : S - 0 - 0
* dn : ' CN = Schema , CN = Configuration , DC = w2k3 , DC = vmnet1 , DC = vm , DC = base '
* dest_dsa_dns_name : *
* dest_dsa_dns_name : ' 4 a0df188 - a0b8 - 47 ea - bbe5 - e614723f16dd . _msdcs . w2k3 . vmnet1 . vm . base '
* dest_dsa_guid : 4 a0df188 - a0b8 - 47 ea - bbe5 - e614723f16dd
* options : 0x0000001c ( 28 )
* 0 : DRSUAPI_DS_REPLICA_UPDATE_ASYNCHRONOUS_OPERATION
* 0 : DRSUAPI_DS_REPLICA_UPDATE_WRITEABLE
* 1 : DRSUAPI_DS_REPLICA_UPDATE_ADD_REFERENCE
* 1 : DRSUAPI_DS_REPLICA_UPDATE_DELETE_REFERENCE
* 1 : DRSUAPI_DS_REPLICA_UPDATE_0x00000010
*
* 4 a0df188 - a0b8 - 47 ea - bbe5 - e614723f16dd is the objectGUID the DsAddEntry ( ) returned for the
* CN = NTDS Settings , CN = < machine_name > , CN = Servers , CN = Default - First - Site - Name , . . .
*/
2007-03-13 18:41:25 +03:00
/* W2K3: see libnet/libnet_become_dc.c */
2004-11-06 13:07:08 +03:00
return join ;
}
2007-07-10 17:41:00 +04:00
# endif
