21
21
#include "includes.h"
22
#include "libnet/libnet.h"
23
#include "librpc/gen_ndr/ndr_libnet_join.h"
24
#include "libnet/libnet_join.h"
23
25
#include "libcli/auth/libcli_auth.h"
24
#include "../librpc/gen_ndr/cli_samr.h"
25
#include "../librpc/gen_ndr/cli_lsa.h"
26
#include "../librpc/gen_ndr/ndr_samr_c.h"
27
#include "rpc_client/init_samr.h"
28
#include "../librpc/gen_ndr/ndr_lsa_c.h"
29
#include "rpc_client/cli_lsarpc.h"
30
#include "../librpc/gen_ndr/ndr_netlogon.h"
31
#include "rpc_client/cli_netlogon.h"
32
#include "lib/smbconf/smbconf.h"
33
#include "lib/smbconf/smbconf_reg.h"
34
#include "../libds/common/flags.h"
36
#include "rpc_client/init_lsa.h"
37
#include "rpc_client/cli_pipe.h"
38
#include "../libcli/security/security.h"
40
#include "libsmb/libsmb.h"
27
42
/****************************************************************
28
43
****************************************************************/
736
b = pipe_hnd->binding_handle;
720
738
status = rpccli_lsa_open_policy(pipe_hnd, mem_ctx, true,
721
739
SEC_FLAG_MAXIMUM_ALLOWED, &lsa_pol);
722
740
if (!NT_STATUS_IS_OK(status)) {
726
status = rpccli_lsa_QueryInfoPolicy2(pipe_hnd, mem_ctx,
744
status = dcerpc_lsa_QueryInfoPolicy2(b, mem_ctx,
728
746
LSA_POLICY_INFO_DNS,
730
if (NT_STATUS_IS_OK(status)) {
749
if (NT_STATUS_IS_OK(status) && NT_STATUS_IS_OK(result)) {
731
750
r->out.domain_is_ad = true;
732
751
r->out.netbios_domain_name = info->dns.name.string;
733
752
r->out.dns_domain_name = info->dns.dns_domain.string;
734
753
r->out.forest_name = info->dns.dns_forest.string;
735
r->out.domain_sid = sid_dup_talloc(mem_ctx, info->dns.sid);
754
r->out.domain_sid = dom_sid_dup(mem_ctx, info->dns.sid);
736
755
NT_STATUS_HAVE_NO_MEMORY(r->out.domain_sid);
739
758
if (!NT_STATUS_IS_OK(status)) {
740
status = rpccli_lsa_QueryInfoPolicy(pipe_hnd, mem_ctx,
759
status = dcerpc_lsa_QueryInfoPolicy(b, mem_ctx,
742
761
LSA_POLICY_INFO_ACCOUNT_DOMAIN,
744
764
if (!NT_STATUS_IS_OK(status)) {
767
if (!NT_STATUS_IS_OK(result)) {
748
772
r->out.netbios_domain_name = info->account_domain.name.string;
749
r->out.domain_sid = sid_dup_talloc(mem_ctx, info->account_domain.sid);
773
r->out.domain_sid = dom_sid_dup(mem_ctx, info->account_domain.sid);
750
774
NT_STATUS_HAVE_NO_MEMORY(r->out.domain_sid);
753
rpccli_lsa_Close(pipe_hnd, mem_ctx, &lsa_pol);
777
dcerpc_lsa_Close(b, mem_ctx, &lsa_pol, &result);
754
778
TALLOC_FREE(pipe_hnd);
862
status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
887
b = pipe_hnd->binding_handle;
889
status = dcerpc_samr_Connect2(b, mem_ctx,
863
890
pipe_hnd->desthost,
864
891
SAMR_ACCESS_ENUM_DOMAINS
865
892
| SAMR_ACCESS_LOOKUP_DOMAIN,
867
895
if (!NT_STATUS_IS_OK(status)) {
898
if (!NT_STATUS_IS_OK(result)) {
871
status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
903
status = dcerpc_samr_OpenDomain(b, mem_ctx,
873
905
SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
874
906
| SAMR_DOMAIN_ACCESS_CREATE_USER
875
907
| SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
876
908
r->out.domain_sid,
878
911
if (!NT_STATUS_IS_OK(status)) {
914
if (!NT_STATUS_IS_OK(result)) {
882
919
/* Create domain user */
898
935
DEBUG(10,("Creating account with desired access mask: %d\n",
899
936
access_desired));
901
status = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx,
938
status = dcerpc_samr_CreateUser2(b, mem_ctx,
947
if (!NT_STATUS_IS_OK(status)) {
909
952
if (!NT_STATUS_IS_OK(status) &&
910
953
!NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
935
978
/* We *must* do this.... don't ask... */
937
980
if (NT_STATUS_IS_OK(status)) {
938
rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
981
dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
942
status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
985
status = dcerpc_samr_LookupNames(b, mem_ctx,
948
992
if (!NT_STATUS_IS_OK(status)) {
995
if (!NT_STATUS_IS_OK(result)) {
952
1000
if (name_types.ids[0] != SID_NAME_USER) {
953
1001
DEBUG(0,("%s is not a user account (type=%d)\n",
961
1009
/* Open handle on user */
963
status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
1011
status = dcerpc_samr_OpenUser(b, mem_ctx,
965
1013
SEC_FLAG_MAXIMUM_ALLOWED,
968
1017
if (!NT_STATUS_IS_OK(status)) {
1020
if (!NT_STATUS_IS_OK(result)) {
972
1025
/* Fill in the additional account flags now */
974
1027
acct_flags |= ACB_PWNOEXP;
975
if (r->out.domain_is_ad) {
976
#if !defined(ENCTYPE_ARCFOUR_HMAC)
977
acct_flags |= ACB_USE_DES_KEY_ONLY;
982
1029
/* Set account flags on machine account */
983
1030
ZERO_STRUCT(user_info.info16);
984
1031
user_info.info16.acct_flags = acct_flags;
986
status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
1033
status = dcerpc_samr_SetUserInfo(b, mem_ctx,
991
1038
if (!NT_STATUS_IS_OK(status)) {
993
rpccli_samr_DeleteUser(pipe_hnd, mem_ctx,
1039
dcerpc_samr_DeleteUser(b, mem_ctx,
1043
libnet_join_set_error_string(mem_ctx, r,
1044
"Failed to set account flags for machine account (%s)\n",
1049
if (!NT_STATUS_IS_OK(result)) {
1052
dcerpc_samr_DeleteUser(b, mem_ctx,
996
1056
libnet_join_set_error_string(mem_ctx, r,
997
1057
"Failed to set account flags for machine account (%s)\n",
1008
1068
user_info.info26.password = crypt_pwd_ex;
1009
1069
user_info.info26.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
1011
status = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
1071
status = dcerpc_samr_SetUserInfo2(b, mem_ctx,
1016
if (NT_STATUS_EQUAL(status, NT_STATUS(DCERPC_FAULT_INVALID_TAG))) {
1077
if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) {
1018
1079
/* retry with level 24 */
1024
1085
user_info.info24.password = crypt_pwd;
1025
1086
user_info.info24.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON;
1027
status = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
1088
status = dcerpc_samr_SetUserInfo2(b, mem_ctx,
1033
1095
if (!NT_STATUS_IS_OK(status)) {
1035
rpccli_samr_DeleteUser(pipe_hnd, mem_ctx,
1097
dcerpc_samr_DeleteUser(b, mem_ctx,
1101
libnet_join_set_error_string(mem_ctx, r,
1102
"Failed to set password for machine account (%s)\n",
1106
if (!NT_STATUS_IS_OK(result)) {
1109
dcerpc_samr_DeleteUser(b, mem_ctx,
1038
1113
libnet_join_set_error_string(mem_ctx, r,
1039
1114
"Failed to set password for machine account (%s)\n",
1051
1126
if (is_valid_policy_hnd(&sam_pol)) {
1052
rpccli_samr_Close(pipe_hnd, mem_ctx, &sam_pol);
1127
dcerpc_samr_Close(b, mem_ctx, &sam_pol, &result);
1054
1129
if (is_valid_policy_hnd(&domain_pol)) {
1055
rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
1130
dcerpc_samr_Close(b, mem_ctx, &domain_pol, &result);
1057
1132
if (is_valid_policy_hnd(&user_pol)) {
1058
rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
1133
dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
1060
1135
TALLOC_FREE(pipe_hnd);
1209
1284
struct cli_state *cli = NULL;
1210
1285
struct rpc_pipe_client *pipe_hnd = NULL;
1211
1286
struct policy_handle sam_pol, domain_pol, user_pol;
1212
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
1287
NTSTATUS status = NT_STATUS_UNSUCCESSFUL, result;
1213
1288
char *acct_name;
1214
1289
uint32_t user_rid;
1215
1290
struct lsa_String lsa_acct_name;
1216
1291
struct samr_Ids user_rids;
1217
1292
struct samr_Ids name_types;
1218
1293
union samr_UserInfo *info = NULL;
1294
struct dcerpc_binding_handle *b = NULL;
1220
1296
ZERO_STRUCT(sam_pol);
1221
1297
ZERO_STRUCT(domain_pol);
1243
status = rpccli_samr_Connect2(pipe_hnd, mem_ctx,
1319
b = pipe_hnd->binding_handle;
1321
status = dcerpc_samr_Connect2(b, mem_ctx,
1244
1322
pipe_hnd->desthost,
1245
1323
SEC_FLAG_MAXIMUM_ALLOWED,
1247
1326
if (!NT_STATUS_IS_OK(status)) {
1329
if (!NT_STATUS_IS_OK(result)) {
1251
status = rpccli_samr_OpenDomain(pipe_hnd, mem_ctx,
1334
status = dcerpc_samr_OpenDomain(b, mem_ctx,
1253
1336
SEC_FLAG_MAXIMUM_ALLOWED,
1254
1337
r->in.domain_sid,
1256
1340
if (!NT_STATUS_IS_OK(status)) {
1343
if (!NT_STATUS_IS_OK(result)) {
1260
1348
/* Create domain user */
1265
1353
init_lsa_String(&lsa_acct_name, acct_name);
1267
status = rpccli_samr_LookupNames(pipe_hnd, mem_ctx,
1355
status = dcerpc_samr_LookupNames(b, mem_ctx,
1270
1358
&lsa_acct_name,
1274
1363
if (!NT_STATUS_IS_OK(status)) {
1366
if (!NT_STATUS_IS_OK(result)) {
1278
1371
if (name_types.ids[0] != SID_NAME_USER) {
1279
1372
DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name,
1287
1380
/* Open handle on user */
1289
status = rpccli_samr_OpenUser(pipe_hnd, mem_ctx,
1382
status = dcerpc_samr_OpenUser(b, mem_ctx,
1291
1384
SEC_FLAG_MAXIMUM_ALLOWED,
1294
1388
if (!NT_STATUS_IS_OK(status)) {
1391
if (!NT_STATUS_IS_OK(result)) {
1298
1396
/* Get user info */
1300
status = rpccli_samr_QueryUserInfo(pipe_hnd, mem_ctx,
1398
status = dcerpc_samr_QueryUserInfo(b, mem_ctx,
1304
1403
if (!NT_STATUS_IS_OK(status)) {
1305
rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
1404
dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
1407
if (!NT_STATUS_IS_OK(result)) {
1409
dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
1311
1415
info->info16.acct_flags |= ACB_DISABLED;
1313
status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
1417
status = dcerpc_samr_SetUserInfo(b, mem_ctx,
1318
rpccli_samr_Close(pipe_hnd, mem_ctx, &user_pol);
1422
if (!NT_STATUS_IS_OK(status)) {
1423
dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
1426
if (!NT_STATUS_IS_OK(result)) {
1428
dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
1432
dcerpc_samr_Close(b, mem_ctx, &user_pol, &result);
1435
if (pipe_hnd && b) {
1322
1436
if (is_valid_policy_hnd(&domain_pol)) {
1323
rpccli_samr_Close(pipe_hnd, mem_ctx, &domain_pol);
1437
dcerpc_samr_Close(b, mem_ctx, &domain_pol, &result);
1325
1439
if (is_valid_policy_hnd(&sam_pol)) {
1326
rpccli_samr_Close(pipe_hnd, mem_ctx, &sam_pol);
1440
dcerpc_samr_Close(b, mem_ctx, &sam_pol, &result);
1328
1442
TALLOC_FREE(pipe_hnd);
1341
1455
static WERROR do_join_modify_vals_config(struct libnet_JoinCtx *r)
1457
WERROR werr = WERR_OK;
1344
1459
struct smbconf_ctx *ctx;
1346
werr = smbconf_init_reg(r, &ctx, NULL);
1347
if (!W_ERROR_IS_OK(werr)) {
1461
err = smbconf_init_reg(r, &ctx, NULL);
1462
if (!SBC_ERROR_IS_OK(err)) {
1463
werr = WERR_NO_SUCH_SERVICE;
1351
1467
if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE)) {
1353
werr = smbconf_set_global_parameter(ctx, "security", "user");
1354
W_ERROR_NOT_OK_GOTO_DONE(werr);
1469
err = smbconf_set_global_parameter(ctx, "security", "user");
1470
if (!SBC_ERROR_IS_OK(err)) {
1471
werr = WERR_NO_SUCH_SERVICE;
1356
werr = smbconf_set_global_parameter(ctx, "workgroup",
1475
err = smbconf_set_global_parameter(ctx, "workgroup",
1477
if (!SBC_ERROR_IS_OK(err)) {
1478
werr = WERR_NO_SUCH_SERVICE;
1359
1482
smbconf_delete_global_parameter(ctx, "realm");
1363
werr = smbconf_set_global_parameter(ctx, "security", "domain");
1364
W_ERROR_NOT_OK_GOTO_DONE(werr);
1486
err = smbconf_set_global_parameter(ctx, "security", "domain");
1487
if (!SBC_ERROR_IS_OK(err)) {
1488
werr = WERR_NO_SUCH_SERVICE;
1366
werr = smbconf_set_global_parameter(ctx, "workgroup",
1367
r->out.netbios_domain_name);
1368
W_ERROR_NOT_OK_GOTO_DONE(werr);
1492
err = smbconf_set_global_parameter(ctx, "workgroup",
1493
r->out.netbios_domain_name);
1494
if (!SBC_ERROR_IS_OK(err)) {
1495
werr = WERR_NO_SUCH_SERVICE;
1370
1499
if (r->out.domain_is_ad) {
1371
werr = smbconf_set_global_parameter(ctx, "security", "ads");
1372
W_ERROR_NOT_OK_GOTO_DONE(werr);
1500
err = smbconf_set_global_parameter(ctx, "security", "ads");
1501
if (!SBC_ERROR_IS_OK(err)) {
1502
werr = WERR_NO_SUCH_SERVICE;
1374
werr = smbconf_set_global_parameter(ctx, "realm",
1375
r->out.dns_domain_name);
1376
W_ERROR_NOT_OK_GOTO_DONE(werr);
1506
err = smbconf_set_global_parameter(ctx, "realm",
1507
r->out.dns_domain_name);
1508
if (!SBC_ERROR_IS_OK(err)) {
1509
werr = WERR_NO_SUCH_SERVICE;
1387
1522
static WERROR do_unjoin_modify_vals_config(struct libnet_UnjoinCtx *r)
1389
1524
WERROR werr = WERR_OK;
1390
1526
struct smbconf_ctx *ctx;
1392
werr = smbconf_init_reg(r, &ctx, NULL);
1393
if (!W_ERROR_IS_OK(werr)) {
1528
err = smbconf_init_reg(r, &ctx, NULL);
1529
if (!SBC_ERROR_IS_OK(err)) {
1530
werr = WERR_NO_SUCH_SERVICE;
1397
1534
if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
1399
werr = smbconf_set_global_parameter(ctx, "security", "user");
1400
W_ERROR_NOT_OK_GOTO_DONE(werr);
1536
err = smbconf_set_global_parameter(ctx, "security", "user");
1537
if (!SBC_ERROR_IS_OK(err)) {
1538
werr = WERR_NO_SUCH_SERVICE;
1402
werr = smbconf_delete_global_parameter(ctx, "workgroup");
1403
W_ERROR_NOT_OK_GOTO_DONE(werr);
1542
err = smbconf_delete_global_parameter(ctx, "workgroup");
1543
if (!SBC_ERROR_IS_OK(err)) {
1544
werr = WERR_NO_SUCH_SERVICE;
1405
1548
smbconf_delete_global_parameter(ctx, "realm");
1672
1800
ctx->in.machine_name = talloc_strdup(mem_ctx, global_myname());
1673
1801
W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
1675
krb5_cc_env = getenv(KRB5_ENV_CCNAME);
1676
if (!krb5_cc_env || (strlen(krb5_cc_env) == 0)) {
1677
krb5_cc_env = talloc_strdup(mem_ctx, "MEMORY:libnetjoin");
1678
W_ERROR_HAVE_NO_MEMORY(krb5_cc_env);
1679
setenv(KRB5_ENV_CCNAME, krb5_cc_env, 1);
1682
1803
ctx->in.secure_channel_type = SEC_CHAN_WKSTA;
1705
1825
ctx->in.machine_name = talloc_strdup(mem_ctx, global_myname());
1706
1826
W_ERROR_HAVE_NO_MEMORY(ctx->in.machine_name);
1708
krb5_cc_env = getenv(KRB5_ENV_CCNAME);
1709
if (!krb5_cc_env || (strlen(krb5_cc_env) == 0)) {
1710
krb5_cc_env = talloc_strdup(mem_ctx, "MEMORY:libnetjoin");
1711
W_ERROR_HAVE_NO_MEMORY(krb5_cc_env);
1712
setenv(KRB5_ENV_CCNAME, krb5_cc_env, 1);
1717
1830
return WERR_OK;