Context Navigation

source: vendor/3.6.24/source4/libnet/libnet_join.c

Visit:

Last change on this file was 860, checked in by Silvan Scherrer, 11 years ago
Samba 3.6: updated vendor to latest version
File size: 32.1 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3
4	Copyright (C) Stefan Metzmacher 2004
5	Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
6	Copyright (C) Brad Henry 2005
7
8	This program is free software; you can redistribute it and/or modify
9	it under the terms of the GNU General Public License as published by
10	the Free Software Foundation; either version 3 of the License, or
11	(at your option) any later version.
12
13	This program is distributed in the hope that it will be useful,
14	but WITHOUT ANY WARRANTY; without even the implied warranty of
15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16	GNU General Public License for more details.
17
18	You should have received a copy of the GNU General Public License
19	along with this program. If not, see <http://www.gnu.org/licenses/>.
20	*/
21
22	#include "includes.h"
23	#include "libnet/libnet.h"
24	#include "librpc/gen_ndr/ndr_drsuapi_c.h"
25	#include <ldb.h>
26	#include <ldb_errors.h>
27	#include "dsdb/samdb/samdb.h"
28	#include "ldb_wrap.h"
29	#include "libcli/security/security.h"
30	#include "auth/credentials/credentials.h"
31	#include "auth/credentials/credentials_krb5.h"
32	#include "librpc/gen_ndr/ndr_samr_c.h"
33	#include "param/param.h"
34	#include "param/provision.h"
35	#include "system/kerberos.h"
36	#include "auth/kerberos/kerberos.h"
37
38	/*
39	* complete a domain join, when joining to a AD domain:
40	* 1.) connect and bind to the DRSUAPI pipe
41	* 2.) do a DsCrackNames() to find the machine account dn
42	* 3.) connect to LDAP
43	* 4.) do an ldap search to find the "msDS-KeyVersionNumber" of the machine account
44	* 5.) set the servicePrincipalName's of the machine account via LDAP, (maybe we should use DsWriteAccountSpn()...)
45	* 6.) do a DsCrackNames() to find the domain dn
46	* 7.) find out Site specific stuff, look at libnet_JoinSite() for details
47	*/
48	static NTSTATUS libnet_JoinADSDomain(struct libnet_context ctx, struct libnet_JoinDomain r)
49	{
50	NTSTATUS status;
51
52	TALLOC_CTX *tmp_ctx;
53
54	const char *realm = r->out.realm;
55
56	struct dcerpc_binding *samr_binding = r->out.samr_binding;
57
58	struct dcerpc_pipe *drsuapi_pipe;
59	struct dcerpc_binding *drsuapi_binding;
60	struct drsuapi_DsBind r_drsuapi_bind;
61	struct drsuapi_DsCrackNames r_crack_names;
62	struct drsuapi_DsNameString names[1];
63	struct policy_handle drsuapi_bind_handle;
64	struct GUID drsuapi_bind_guid;
65
66	struct ldb_context *remote_ldb;
67	struct ldb_dn *account_dn;
68	const char *account_dn_str;
69	const char *remote_ldb_url;
70	struct ldb_result *res;
71	struct ldb_message *msg;
72
73	int ret, rtn;
74
75	const char * const attrs[] = {
76	"msDS-KeyVersionNumber",
77	"servicePrincipalName",
78	"dNSHostName",
79	"objectGUID",
80	NULL,
81	};
82
83	r->out.error_string = NULL;
84
85	/* We need to convert between a samAccountName and domain to a
86	* DN in the directory. The correct way to do this is with
87	* DRSUAPI CrackNames */
88
89	/* Fiddle with the bindings, so get to DRSUAPI on
90	* NCACN_IP_TCP, sealed */
91	tmp_ctx = talloc_named(r, 0, "libnet_JoinADSDomain temp context");
92	if (!tmp_ctx) {
93	r->out.error_string = NULL;
94	return NT_STATUS_NO_MEMORY;
95	}
96
97	drsuapi_binding = talloc_zero(tmp_ctx, struct dcerpc_binding);
98	if (!drsuapi_binding) {
99	r->out.error_string = NULL;
100	talloc_free(tmp_ctx);
101	return NT_STATUS_NO_MEMORY;
102	}
103
104	drsuapi_binding = samr_binding;
105
106	/* DRSUAPI is only available on IP_TCP, and locally on NCALRPC */
107	if (drsuapi_binding->transport != NCALRPC) {
108	drsuapi_binding->transport = NCACN_IP_TCP;
109	}
110	drsuapi_binding->endpoint = NULL;
111	drsuapi_binding->flags \|= DCERPC_SEAL;
112
113	status = dcerpc_pipe_connect_b(tmp_ctx,
114	&drsuapi_pipe,
115	drsuapi_binding,
116	&ndr_table_drsuapi,
117	ctx->cred,
118	ctx->event_ctx,
119	ctx->lp_ctx);
120	if (!NT_STATUS_IS_OK(status)) {
121	r->out.error_string = talloc_asprintf(r,
122	"Connection to DRSUAPI pipe of PDC of domain '%s' failed: %s",
123	r->out.domain_name,
124	nt_errstr(status));
125	talloc_free(tmp_ctx);
126	return status;
127	}
128
129	/* get a DRSUAPI pipe handle */
130	GUID_from_string(DRSUAPI_DS_BIND_GUID, &drsuapi_bind_guid);
131
132	r_drsuapi_bind.in.bind_guid = &drsuapi_bind_guid;
133	r_drsuapi_bind.in.bind_info = NULL;
134	r_drsuapi_bind.out.bind_handle = &drsuapi_bind_handle;
135
136	status = dcerpc_drsuapi_DsBind_r(drsuapi_pipe->binding_handle, tmp_ctx, &r_drsuapi_bind);
137	if (!NT_STATUS_IS_OK(status)) {
138	r->out.error_string
139	= talloc_asprintf(r,
140	"dcerpc_drsuapi_DsBind failed - %s",
141	nt_errstr(status));
142	talloc_free(tmp_ctx);
143	return status;
144	} else if (!W_ERROR_IS_OK(r_drsuapi_bind.out.result)) {
145	r->out.error_string
146	= talloc_asprintf(r,
147	"DsBind failed - %s",
148	win_errstr(r_drsuapi_bind.out.result));
149	talloc_free(tmp_ctx);
150	return NT_STATUS_UNSUCCESSFUL;
151	}
152
153	/* Actually 'crack' the names */
154	ZERO_STRUCT(r_crack_names);
155	r_crack_names.in.bind_handle = &drsuapi_bind_handle;
156	r_crack_names.in.level = 1;
157	r_crack_names.in.req = talloc(r, union drsuapi_DsNameRequest);
158	if (!r_crack_names.in.req) {
159	r->out.error_string = NULL;
160	talloc_free(tmp_ctx);
161	return NT_STATUS_NO_MEMORY;
162	}
163	r_crack_names.in.req->req1.codepage = 1252; /* western european */
164	r_crack_names.in.req->req1.language = 0x00000407; /* german */
165	r_crack_names.in.req->req1.count = 1;
166	r_crack_names.in.req->req1.names = names;
167	r_crack_names.in.req->req1.format_flags = DRSUAPI_DS_NAME_FLAG_NO_FLAGS;
168	r_crack_names.in.req->req1.format_offered = DRSUAPI_DS_NAME_FORMAT_SID_OR_SID_HISTORY;
169	r_crack_names.in.req->req1.format_desired = DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
170	names[0].str = dom_sid_string(tmp_ctx, r->out.account_sid);
171	if (!names[0].str) {
172	r->out.error_string = NULL;
173	talloc_free(tmp_ctx);
174	return NT_STATUS_NO_MEMORY;
175	}
176
177	r_crack_names.out.ctr = talloc(r, union drsuapi_DsNameCtr);
178	r_crack_names.out.level_out = talloc(r, uint32_t);
179	if (!r_crack_names.out.ctr \|\| !r_crack_names.out.level_out) {
180	r->out.error_string = NULL;
181	talloc_free(tmp_ctx);
182	return NT_STATUS_NO_MEMORY;
183	}
184
185	status = dcerpc_drsuapi_DsCrackNames_r(drsuapi_pipe->binding_handle, tmp_ctx, &r_crack_names);
186	if (!NT_STATUS_IS_OK(status)) {
187	r->out.error_string
188	= talloc_asprintf(r,
189	"dcerpc_drsuapi_DsCrackNames for [%s] failed - %s",
190	names[0].str,
191	nt_errstr(status));
192	talloc_free(tmp_ctx);
193	return status;
194	} else if (!W_ERROR_IS_OK(r_crack_names.out.result)) {
195	r->out.error_string
196	= talloc_asprintf(r,
197	"DsCrackNames failed - %s", win_errstr(r_crack_names.out.result));
198	talloc_free(tmp_ctx);
199	return NT_STATUS_UNSUCCESSFUL;
200	} else if (*r_crack_names.out.level_out != 1
201	\|\| !r_crack_names.out.ctr->ctr1
202	\|\| r_crack_names.out.ctr->ctr1->count != 1) {
203	r->out.error_string = talloc_asprintf(r, "DsCrackNames failed");
204	talloc_free(tmp_ctx);
205	return NT_STATUS_INVALID_PARAMETER;
206	} else if (r_crack_names.out.ctr->ctr1->array[0].status != DRSUAPI_DS_NAME_STATUS_OK) {
207	r->out.error_string = talloc_asprintf(r, "DsCrackNames failed: %d", r_crack_names.out.ctr->ctr1->array[0].status);
208	talloc_free(tmp_ctx);
209	return NT_STATUS_UNSUCCESSFUL;
210	} else if (r_crack_names.out.ctr->ctr1->array[0].result_name == NULL) {
211	r->out.error_string = talloc_asprintf(r, "DsCrackNames failed: no result name");
212	talloc_free(tmp_ctx);
213	return NT_STATUS_INVALID_PARAMETER;
214	}
215
216	/* Store the DN of our machine account. */
217	account_dn_str = r_crack_names.out.ctr->ctr1->array[0].result_name;
218
219	/* Now we know the user's DN, open with LDAP, read and modify a few things */
220
221	remote_ldb_url = talloc_asprintf(tmp_ctx, "ldap://%s",
222	drsuapi_binding->target_hostname);
223	if (!remote_ldb_url) {
224	r->out.error_string = NULL;
225	talloc_free(tmp_ctx);
226	return NT_STATUS_NO_MEMORY;
227	}
228
229	remote_ldb = ldb_wrap_connect(tmp_ctx, ctx->event_ctx, ctx->lp_ctx,
230	remote_ldb_url,
231	NULL, ctx->cred, 0);
232	if (!remote_ldb) {
233	r->out.error_string = NULL;
234	talloc_free(tmp_ctx);
235	return NT_STATUS_UNSUCCESSFUL;
236	}
237
238	account_dn = ldb_dn_new(tmp_ctx, remote_ldb, account_dn_str);
239	if (account_dn == NULL) {
240	r->out.error_string = talloc_asprintf(r, "Invalid account dn: %s",
241	account_dn_str);
242	talloc_free(tmp_ctx);
243	return NT_STATUS_UNSUCCESSFUL;
244	}
245
246	/* search for the user's record */
247	ret = ldb_search(remote_ldb, tmp_ctx, &res,
248	account_dn, LDB_SCOPE_BASE, attrs, NULL);
249	if (ret != LDB_SUCCESS) {
250	r->out.error_string = talloc_asprintf(r, "ldb_search for %s failed - %s",
251	account_dn_str, ldb_errstring(remote_ldb));
252	talloc_free(tmp_ctx);
253	return NT_STATUS_UNSUCCESSFUL;
254	}
255
256	if (res->count != 1) {
257	r->out.error_string = talloc_asprintf(r, "ldb_search for %s failed - found %d entries",
258	account_dn_str, res->count);
259	talloc_free(tmp_ctx);
260	return NT_STATUS_UNSUCCESSFUL;
261	}
262
263	/* Prepare a new message, for the modify */
264	msg = ldb_msg_new(tmp_ctx);
265	if (!msg) {
266	r->out.error_string = NULL;
267	talloc_free(tmp_ctx);
268	return NT_STATUS_NO_MEMORY;
269	}
270	msg->dn = res->msgs[0]->dn;
271
272	{
273	unsigned int i;
274	const char *service_principal_name[2];
275	const char *dns_host_name = strlower_talloc(msg,
276	talloc_asprintf(msg,
277	"%s.%s",
278	r->in.netbios_name,
279	realm));
280
281	if (!dns_host_name) {
282	r->out.error_string = NULL;
283	talloc_free(tmp_ctx);
284	return NT_STATUS_NO_MEMORY;
285	}
286
287	service_principal_name[0] = talloc_asprintf(msg, "HOST/%s",
288	dns_host_name);
289	service_principal_name[1] = talloc_asprintf(msg, "HOST/%s",
290	r->in.netbios_name);
291
292	for (i=0; i < ARRAY_SIZE(service_principal_name); i++) {
293	if (!service_principal_name[i]) {
294	r->out.error_string = NULL;
295	talloc_free(tmp_ctx);
296	return NT_STATUS_NO_MEMORY;
297	}
298	rtn = ldb_msg_add_string(msg, "servicePrincipalName",
299	service_principal_name[i]);
300	if (rtn != LDB_SUCCESS) {
301	r->out.error_string = NULL;
302	talloc_free(tmp_ctx);
303	return NT_STATUS_NO_MEMORY;
304	}
305	}
306
307	rtn = ldb_msg_add_string(msg, "dNSHostName", dns_host_name);
308	if (rtn != LDB_SUCCESS) {
309	r->out.error_string = NULL;
310	talloc_free(tmp_ctx);
311	return NT_STATUS_NO_MEMORY;
312	}
313
314	rtn = dsdb_replace(remote_ldb, msg, 0);
315	if (rtn != LDB_SUCCESS) {
316	r->out.error_string
317	= talloc_asprintf(r,
318	"Failed to replace entries on %s",
319	ldb_dn_get_linearized(msg->dn));
320	talloc_free(tmp_ctx);
321	return NT_STATUS_INTERNAL_DB_CORRUPTION;
322	}
323	}
324
325	msg = ldb_msg_new(tmp_ctx);
326	if (!msg) {
327	r->out.error_string = NULL;
328	talloc_free(tmp_ctx);
329	return NT_STATUS_NO_MEMORY;
330	}
331	msg->dn = res->msgs[0]->dn;
332
333	rtn = samdb_msg_add_uint(remote_ldb, msg, msg,
334	"msDS-SupportedEncryptionTypes", ENC_ALL_TYPES);
335	if (rtn != LDB_SUCCESS) {
336	r->out.error_string = NULL;
337	talloc_free(tmp_ctx);
338	return NT_STATUS_NO_MEMORY;
339	}
340
341	rtn = dsdb_replace(remote_ldb, msg, 0);
342	/* The remote server may not support this attribute, if it
343	* isn't a modern schema */
344	if (rtn != LDB_SUCCESS && rtn != LDB_ERR_NO_SUCH_ATTRIBUTE) {
345	r->out.error_string
346	= talloc_asprintf(r,
347	"Failed to replace msDS-SupportedEncryptionTypes on %s",
348	ldb_dn_get_linearized(msg->dn));
349	talloc_free(tmp_ctx);
350	return NT_STATUS_INTERNAL_DB_CORRUPTION;
351	}
352
353	/* DsCrackNames to find out the DN of the domain. */
354	r_crack_names.in.req->req1.format_offered = DRSUAPI_DS_NAME_FORMAT_NT4_ACCOUNT;
355	r_crack_names.in.req->req1.format_desired = DRSUAPI_DS_NAME_FORMAT_FQDN_1779;
356	names[0].str = talloc_asprintf(tmp_ctx, "%s\\", r->out.domain_name);
357	if (!names[0].str) {
358	r->out.error_string = NULL;
359	talloc_free(tmp_ctx);
360	return NT_STATUS_NO_MEMORY;
361	}
362
363	status = dcerpc_drsuapi_DsCrackNames_r(drsuapi_pipe->binding_handle, tmp_ctx, &r_crack_names);
364	if (!NT_STATUS_IS_OK(status)) {
365	r->out.error_string
366	= talloc_asprintf(r,
367	"dcerpc_drsuapi_DsCrackNames for [%s] failed - %s",
368	r->in.domain_name,
369	nt_errstr(status));
370	talloc_free(tmp_ctx);
371	return status;
372	} else if (!W_ERROR_IS_OK(r_crack_names.out.result)) {
373	r->out.error_string
374	= talloc_asprintf(r,
375	"DsCrackNames failed - %s", win_errstr(r_crack_names.out.result));
376	talloc_free(tmp_ctx);
377	return NT_STATUS_UNSUCCESSFUL;
378	} else if (*r_crack_names.out.level_out != 1
379	\|\| !r_crack_names.out.ctr->ctr1
380	\|\| r_crack_names.out.ctr->ctr1->count != 1
381	\|\| !r_crack_names.out.ctr->ctr1->array[0].result_name
382	\|\| r_crack_names.out.ctr->ctr1->array[0].status != DRSUAPI_DS_NAME_STATUS_OK) {
383	r->out.error_string = talloc_asprintf(r, "DsCrackNames failed");
384	talloc_free(tmp_ctx);
385	return NT_STATUS_UNSUCCESSFUL;
386	}
387
388	/* Store the account DN. */
389	r->out.account_dn_str = account_dn_str;
390	talloc_steal(r, account_dn_str);
391
392	/* Store the domain DN. */
393	r->out.domain_dn_str = r_crack_names.out.ctr->ctr1->array[0].result_name;
394	talloc_steal(r, r_crack_names.out.ctr->ctr1->array[0].result_name);
395
396	/* Store the KVNO of the account, critical for some kerberos
397	* operations */
398	r->out.kvno = ldb_msg_find_attr_as_uint(res->msgs[0], "msDS-KeyVersionNumber", 0);
399
400	/* Store the account GUID. */
401	r->out.account_guid = samdb_result_guid(res->msgs[0], "objectGUID");
402
403	if (r->in.acct_type == ACB_SVRTRUST) {
404	status = libnet_JoinSite(ctx, remote_ldb, r);
405	}
406	talloc_free(tmp_ctx);
407
408	return status;
409	}
410
411	/*
412	* do a domain join using DCERPC/SAMR calls
413	* - connect to the LSA pipe, to try and find out information about the domain
414	* - create a secondary connection to SAMR pipe
415	* - do a samr_Connect to get a policy handle
416	* - do a samr_LookupDomain to get the domain sid
417	* - do a samr_OpenDomain to get a domain handle
418	* - do a samr_CreateAccount to try and get a new account
419	*
420	* If that fails, do:
421	* - do a samr_LookupNames to get the users rid
422	* - do a samr_OpenUser to get a user handle
423	* - potentially delete and recreate the user
424	* - assert the account is of the right type with samrQueryUserInfo
425	*
426	* - call libnet_SetPassword_samr_handle to set the password,
427	* and pass a samr_UserInfo21 struct to set full_name and the account flags
428	*
429	* - do some ADS specific things when we join as Domain Controller,
430	* look at libnet_joinADSDomain() for the details
431	*/
432	NTSTATUS libnet_JoinDomain(struct libnet_context ctx, TALLOC_CTX mem_ctx, struct libnet_JoinDomain *r)
433	{
434	TALLOC_CTX *tmp_ctx;
435
436	NTSTATUS status, cu_status;
437
438	struct libnet_RpcConnect *connect_with_info;
439	struct dcerpc_pipe *samr_pipe;
440
441	struct samr_Connect sc;
442	struct policy_handle p_handle;
443	struct samr_OpenDomain od;
444	struct policy_handle d_handle;
445	struct samr_LookupNames ln;
446	struct samr_Ids rids, types;
447	struct samr_OpenUser ou;
448	struct samr_CreateUser2 cu;
449	struct policy_handle *u_handle = NULL;
450	struct samr_QueryUserInfo qui;
451	union samr_UserInfo *uinfo;
452	struct samr_UserInfo21 u_info21;
453	union libnet_SetPassword r2;
454	struct samr_GetUserPwInfo pwp;
455	struct samr_PwInfo info;
456	struct lsa_String samr_account_name;
457
458	uint32_t acct_flags, old_acct_flags;
459	uint32_t rid, access_granted;
460	int policy_min_pw_len = 0;
461
462	struct dom_sid *account_sid = NULL;
463	const char *password_str = NULL;
464
465	r->out.error_string = NULL;
466	r2.samr_handle.out.error_string = NULL;
467
468	tmp_ctx = talloc_named(mem_ctx, 0, "libnet_Join temp context");
469	if (!tmp_ctx) {
470	r->out.error_string = NULL;
471	return NT_STATUS_NO_MEMORY;
472	}
473
474	u_handle = talloc(tmp_ctx, struct policy_handle);
475	if (!u_handle) {
476	r->out.error_string = NULL;
477	talloc_free(tmp_ctx);
478	return NT_STATUS_NO_MEMORY;
479	}
480
481	connect_with_info = talloc_zero(tmp_ctx, struct libnet_RpcConnect);
482	if (!connect_with_info) {
483	r->out.error_string = NULL;
484	talloc_free(tmp_ctx);
485	return NT_STATUS_NO_MEMORY;
486	}
487
488	/* prepare connect to the SAMR pipe of PDC */
489	if (r->in.level == LIBNET_JOINDOMAIN_AUTOMATIC) {
490	connect_with_info->in.binding = NULL;
491	connect_with_info->in.name = r->in.domain_name;
492	} else {
493	connect_with_info->in.binding = r->in.binding;
494	connect_with_info->in.name = NULL;
495	}
496
497	/* This level makes a connection to the LSA pipe on the way,
498	* to get some useful bits of information about the domain */
499	connect_with_info->level = LIBNET_RPC_CONNECT_DC_INFO;
500	connect_with_info->in.dcerpc_iface = &ndr_table_samr;
501
502	/*
503	establish the SAMR connection
504	*/
505	status = libnet_RpcConnect(ctx, tmp_ctx, connect_with_info);
506	if (!NT_STATUS_IS_OK(status)) {
507	if (r->in.binding) {
508	r->out.error_string = talloc_asprintf(mem_ctx,
509	"Connection to SAMR pipe of DC %s failed: %s",
510	r->in.binding, connect_with_info->out.error_string);
511	} else {
512	r->out.error_string = talloc_asprintf(mem_ctx,
513	"Connection to SAMR pipe of PDC for %s failed: %s",
514	r->in.domain_name, connect_with_info->out.error_string);
515	}
516	talloc_free(tmp_ctx);
517	return status;
518	}
519
520	samr_pipe = connect_with_info->out.dcerpc_pipe;
521
522	status = dcerpc_pipe_auth(tmp_ctx, &samr_pipe,
523	connect_with_info->out.dcerpc_pipe->binding,
524	&ndr_table_samr, ctx->cred, ctx->lp_ctx);
525	if (!NT_STATUS_IS_OK(status)) {
526	r->out.error_string = talloc_asprintf(mem_ctx,
527	"SAMR bind failed: %s",
528	nt_errstr(status));
529	talloc_free(tmp_ctx);
530	return status;
531	}
532
533	/* prepare samr_Connect */
534	ZERO_STRUCT(p_handle);
535	sc.in.system_name = NULL;
536	sc.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
537	sc.out.connect_handle = &p_handle;
538
539	/* 2. do a samr_Connect to get a policy handle */
540	status = dcerpc_samr_Connect_r(samr_pipe->binding_handle, tmp_ctx, &sc);
541	if (NT_STATUS_IS_OK(status) && !NT_STATUS_IS_OK(sc.out.result)) {
542	status = sc.out.result;
543	}
544	if (!NT_STATUS_IS_OK(status)) {
545	r->out.error_string = talloc_asprintf(mem_ctx,
546	"samr_Connect failed: %s",
547	nt_errstr(status));
548	talloc_free(tmp_ctx);
549	return status;
550	}
551
552	/* If this is a connection on ncacn_ip_tcp to Win2k3 SP1, we don't get back this useful info */
553	if (!connect_with_info->out.domain_name) {
554	if (r->in.level == LIBNET_JOINDOMAIN_AUTOMATIC) {
555	connect_with_info->out.domain_name = talloc_strdup(tmp_ctx, r->in.domain_name);
556	} else {
557	/* Bugger, we just lost our way to automatically find the domain name */
558	connect_with_info->out.domain_name = talloc_strdup(tmp_ctx, lpcfg_workgroup(ctx->lp_ctx));
559	connect_with_info->out.realm = talloc_strdup(tmp_ctx, lpcfg_realm(ctx->lp_ctx));
560	}
561	}
562
563	/* Perhaps we didn't get a SID above, because we are against ncacn_ip_tcp */
564	if (!connect_with_info->out.domain_sid) {
565	struct lsa_String name;
566	struct samr_LookupDomain l;
567	struct dom_sid2 *sid = NULL;
568	name.string = connect_with_info->out.domain_name;
569	l.in.connect_handle = &p_handle;
570	l.in.domain_name = &name;
571	l.out.sid = &sid;
572
573	status = dcerpc_samr_LookupDomain_r(samr_pipe->binding_handle, tmp_ctx, &l);
574	if (NT_STATUS_IS_OK(status) && !NT_STATUS_IS_OK(l.out.result)) {
575	status = l.out.result;
576	}
577	if (!NT_STATUS_IS_OK(status)) {
578	r->out.error_string = talloc_asprintf(mem_ctx,
579	"SAMR LookupDomain failed: %s",
580	nt_errstr(status));
581	talloc_free(tmp_ctx);
582	return status;
583	}
584	connect_with_info->out.domain_sid = *l.out.sid;
585	}
586
587	/* prepare samr_OpenDomain */
588	ZERO_STRUCT(d_handle);
589	od.in.connect_handle = &p_handle;
590	od.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
591	od.in.sid = connect_with_info->out.domain_sid;
592	od.out.domain_handle = &d_handle;
593
594	/* do a samr_OpenDomain to get a domain handle */
595	status = dcerpc_samr_OpenDomain_r(samr_pipe->binding_handle, tmp_ctx, &od);
596	if (NT_STATUS_IS_OK(status) && !NT_STATUS_IS_OK(od.out.result)) {
597	status = od.out.result;
598	}
599	if (!NT_STATUS_IS_OK(status)) {
600	r->out.error_string = talloc_asprintf(mem_ctx,
601	"samr_OpenDomain for [%s] failed: %s",
602	dom_sid_string(tmp_ctx, connect_with_info->out.domain_sid),
603	nt_errstr(status));
604	talloc_free(tmp_ctx);
605	return status;
606	}
607
608	/* prepare samr_CreateUser2 */
609	ZERO_STRUCTP(u_handle);
610	cu.in.domain_handle = &d_handle;
611	cu.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
612	samr_account_name.string = r->in.account_name;
613	cu.in.account_name = &samr_account_name;
614	cu.in.acct_flags = r->in.acct_type;
615	cu.out.user_handle = u_handle;
616	cu.out.rid = &rid;
617	cu.out.access_granted = &access_granted;
618
619	/* do a samr_CreateUser2 to get an account handle, or an error */
620	cu_status = dcerpc_samr_CreateUser2_r(samr_pipe->binding_handle, tmp_ctx, &cu);
621	if (NT_STATUS_IS_OK(cu_status) && !NT_STATUS_IS_OK(cu.out.result)) {
622	cu_status = cu.out.result;
623	}
624	status = cu_status;
625	if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) {
626	/* prepare samr_LookupNames */
627	ln.in.domain_handle = &d_handle;
628	ln.in.num_names = 1;
629	ln.in.names = talloc_array(tmp_ctx, struct lsa_String, 1);
630	ln.out.rids = &rids;
631	ln.out.types = &types;
632	if (!ln.in.names) {
633	r->out.error_string = NULL;
634	talloc_free(tmp_ctx);
635	return NT_STATUS_NO_MEMORY;
636	}
637	ln.in.names[0].string = r->in.account_name;
638
639	/* 5. do a samr_LookupNames to get the users rid */
640	status = dcerpc_samr_LookupNames_r(samr_pipe->binding_handle, tmp_ctx, &ln);
641	if (NT_STATUS_IS_OK(status) && !NT_STATUS_IS_OK(ln.out.result)) {
642	status = ln.out.result;
643	}
644	if (!NT_STATUS_IS_OK(status)) {
645	r->out.error_string = talloc_asprintf(mem_ctx,
646	"samr_LookupNames for [%s] failed: %s",
647	r->in.account_name,
648	nt_errstr(status));
649	talloc_free(tmp_ctx);
650	return status;
651	}
652
653	/* check if we got one RID for the user */
654	if (ln.out.rids->count != 1) {
655	r->out.error_string = talloc_asprintf(mem_ctx,
656	"samr_LookupNames for [%s] returns %d RIDs",
657	r->in.account_name, ln.out.rids->count);
658	talloc_free(tmp_ctx);
659	return NT_STATUS_INVALID_NETWORK_RESPONSE;
660	}
661
662	if (ln.out.types->count != 1) {
663	r->out.error_string = talloc_asprintf(mem_ctx,
664	"samr_LookupNames for [%s] returns %d RID TYPEs",
665	r->in.account_name, ln.out.types->count);
666	talloc_free(tmp_ctx);
667	return NT_STATUS_INVALID_NETWORK_RESPONSE;
668	}
669
670	/* prepare samr_OpenUser */
671	ZERO_STRUCTP(u_handle);
672	ou.in.domain_handle = &d_handle;
673	ou.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
674	ou.in.rid = ln.out.rids->ids[0];
675	rid = ou.in.rid;
676	ou.out.user_handle = u_handle;
677
678	/* 6. do a samr_OpenUser to get a user handle */
679	status = dcerpc_samr_OpenUser_r(samr_pipe->binding_handle, tmp_ctx, &ou);
680	if (NT_STATUS_IS_OK(status) && !NT_STATUS_IS_OK(ou.out.result)) {
681	status = ou.out.result;
682	}
683	if (!NT_STATUS_IS_OK(status)) {
684	r->out.error_string = talloc_asprintf(mem_ctx,
685	"samr_OpenUser for [%s] failed: %s",
686	r->in.account_name,
687	nt_errstr(status));
688	talloc_free(tmp_ctx);
689	return status;
690	}
691
692	if (r->in.recreate_account) {
693	struct samr_DeleteUser d;
694	d.in.user_handle = u_handle;
695	d.out.user_handle = u_handle;
696	status = dcerpc_samr_DeleteUser_r(samr_pipe->binding_handle, mem_ctx, &d);
697	if (NT_STATUS_IS_OK(status) && !NT_STATUS_IS_OK(d.out.result)) {
698	status = d.out.result;
699	}
700	if (!NT_STATUS_IS_OK(status)) {
701	r->out.error_string = talloc_asprintf(mem_ctx,
702	"samr_DeleteUser (for recreate) of [%s] failed: %s",
703	r->in.account_name,
704	nt_errstr(status));
705	talloc_free(tmp_ctx);
706	return status;
707	}
708
709	/* We want to recreate, so delete and another samr_CreateUser2 */
710
711	/* &cu filled in above */
712	status = dcerpc_samr_CreateUser2_r(samr_pipe->binding_handle, tmp_ctx, &cu);
713	if (NT_STATUS_IS_OK(status) && !NT_STATUS_IS_OK(cu.out.result)) {
714	status = cu.out.result;
715	}
716	if (!NT_STATUS_IS_OK(status)) {
717	r->out.error_string = talloc_asprintf(mem_ctx,
718	"samr_CreateUser2 (recreate) for [%s] failed: %s",
719	r->in.account_name, nt_errstr(status));
720	talloc_free(tmp_ctx);
721	return status;
722	}
723	}
724	} else if (!NT_STATUS_IS_OK(status)) {
725	r->out.error_string = talloc_asprintf(mem_ctx,
726	"samr_CreateUser2 for [%s] failed: %s",
727	r->in.account_name, nt_errstr(status));
728	talloc_free(tmp_ctx);
729	return status;
730	}
731
732	/* prepare samr_QueryUserInfo (get flags) */
733	qui.in.user_handle = u_handle;
734	qui.in.level = 16;
735	qui.out.info = &uinfo;
736
737	status = dcerpc_samr_QueryUserInfo_r(samr_pipe->binding_handle, tmp_ctx, &qui);
738	if (NT_STATUS_IS_OK(status) && !NT_STATUS_IS_OK(qui.out.result)) {
739	status = qui.out.result;
740	}
741	if (!NT_STATUS_IS_OK(status)) {
742	r->out.error_string = talloc_asprintf(mem_ctx,
743	"samr_QueryUserInfo for [%s] failed: %s",
744	r->in.account_name,
745	nt_errstr(status));
746	talloc_free(tmp_ctx);
747	return status;
748	}
749
750	if (!uinfo) {
751	status = NT_STATUS_INVALID_PARAMETER;
752	r->out.error_string
753	= talloc_asprintf(mem_ctx,
754	"samr_QueryUserInfo failed to return qui.out.info for [%s]: %s",
755	r->in.account_name, nt_errstr(status));
756	talloc_free(tmp_ctx);
757	return status;
758	}
759
760	old_acct_flags = (uinfo->info16.acct_flags & (ACB_WSTRUST \| ACB_SVRTRUST \| ACB_DOMTRUST));
761	/* Possibly bail if the account is of the wrong type */
762	if (old_acct_flags
763	!= r->in.acct_type) {
764	const char old_account_type, new_account_type;
765	switch (old_acct_flags) {
766	case ACB_WSTRUST:
767	old_account_type = "domain member (member)";
768	break;
769	case ACB_SVRTRUST:
770	old_account_type = "domain controller (bdc)";
771	break;
772	case ACB_DOMTRUST:
773	old_account_type = "trusted domain";
774	break;
775	default:
776	return NT_STATUS_INVALID_PARAMETER;
777	}
778	switch (r->in.acct_type) {
779	case ACB_WSTRUST:
780	new_account_type = "domain member (member)";
781	break;
782	case ACB_SVRTRUST:
783	new_account_type = "domain controller (bdc)";
784	break;
785	case ACB_DOMTRUST:
786	new_account_type = "trusted domain";
787	break;
788	default:
789	return NT_STATUS_INVALID_PARAMETER;
790	}
791
792	if (!NT_STATUS_EQUAL(cu_status, NT_STATUS_USER_EXISTS)) {
793	/* We created a new user, but they didn't come out the right type?!? */
794	r->out.error_string
795	= talloc_asprintf(mem_ctx,
796	"We asked to create a new machine account (%s) of type %s, "
797	"but we got an account of type %s. This is unexpected. "
798	"Perhaps delete the account and try again.",
799	r->in.account_name, new_account_type, old_account_type);
800	talloc_free(tmp_ctx);
801	return NT_STATUS_INVALID_PARAMETER;
802	} else {
803	/* The account is of the wrong type, so bail */
804
805	/* TODO: We should allow a --force option to override, and redo this from the top setting r.in.recreate_account */
806	r->out.error_string
807	= talloc_asprintf(mem_ctx,
808	"The machine account (%s) already exists in the domain %s, "
809	"but is a %s. You asked to join as a %s. Please delete "
810	"the account and try again.",
811	r->in.account_name, connect_with_info->out.domain_name, old_account_type, new_account_type);
812	talloc_free(tmp_ctx);
813	return NT_STATUS_USER_EXISTS;
814	}
815	} else {
816	acct_flags = uinfo->info16.acct_flags;
817	}
818
819	acct_flags = (acct_flags & ~(ACB_DISABLED\|ACB_PWNOTREQ));
820
821	/* Find out what password policy this user has */
822	pwp.in.user_handle = u_handle;
823	pwp.out.info = &info;
824
825	status = dcerpc_samr_GetUserPwInfo_r(samr_pipe->binding_handle, tmp_ctx, &pwp);
826	if (NT_STATUS_IS_OK(status) && !NT_STATUS_IS_OK(pwp.out.result)) {
827	status = pwp.out.result;
828	}
829	if (NT_STATUS_IS_OK(status)) {
830	policy_min_pw_len = pwp.out.info->min_password_length;
831	}
832
833	/* Grab a password of that minimum length */
834
835	password_str = generate_random_password(tmp_ctx, MAX(8, policy_min_pw_len), 255);
836
837	/* set full_name and reset flags */
838	ZERO_STRUCT(u_info21);
839	u_info21.full_name.string = r->in.account_name;
840	u_info21.acct_flags = acct_flags;
841	u_info21.fields_present = SAMR_FIELD_FULL_NAME \| SAMR_FIELD_ACCT_FLAGS;
842
843	r2.samr_handle.level = LIBNET_SET_PASSWORD_SAMR_HANDLE;
844	r2.samr_handle.in.account_name = r->in.account_name;
845	r2.samr_handle.in.newpassword = password_str;
846	r2.samr_handle.in.user_handle = u_handle;
847	r2.samr_handle.in.dcerpc_pipe = samr_pipe;
848	r2.samr_handle.in.info21 = &u_info21;
849
850	status = libnet_SetPassword(ctx, tmp_ctx, &r2);
851	if (!NT_STATUS_IS_OK(status)) {
852	r->out.error_string = talloc_steal(mem_ctx, r2.samr_handle.out.error_string);
853	talloc_free(tmp_ctx);
854	return status;
855	}
856
857	account_sid = dom_sid_add_rid(mem_ctx, connect_with_info->out.domain_sid, rid);
858	if (!account_sid) {
859	r->out.error_string = NULL;
860	talloc_free(tmp_ctx);
861	return NT_STATUS_NO_MEMORY;
862	}
863
864	/* Finish out by pushing various bits of status data out for the caller to use */
865	r->out.join_password = password_str;
866	talloc_steal(mem_ctx, r->out.join_password);
867
868	r->out.domain_sid = connect_with_info->out.domain_sid;
869	talloc_steal(mem_ctx, r->out.domain_sid);
870
871	r->out.account_sid = account_sid;
872	talloc_steal(mem_ctx, r->out.account_sid);
873
874	r->out.domain_name = connect_with_info->out.domain_name;
875	talloc_steal(mem_ctx, r->out.domain_name);
876	r->out.realm = connect_with_info->out.realm;
877	talloc_steal(mem_ctx, r->out.realm);
878	r->out.samr_pipe = samr_pipe;
879	talloc_reparent(tmp_ctx, mem_ctx, samr_pipe);
880	r->out.samr_binding = samr_pipe->binding;
881	talloc_steal(mem_ctx, r->out.samr_binding);
882	r->out.user_handle = u_handle;
883	talloc_steal(mem_ctx, u_handle);
884	r->out.error_string = r2.samr_handle.out.error_string;
885	talloc_steal(mem_ctx, r2.samr_handle.out.error_string);
886	r->out.kvno = 0;
887	r->out.server_dn_str = NULL;
888	talloc_free(tmp_ctx);
889
890	/* Now, if it was AD, then we want to start looking changing a
891	* few more things. Otherwise, we are done. */
892	if (r->out.realm) {
893	status = libnet_JoinADSDomain(ctx, r);
894	return status;
895	}
896
897	return status;
898	}
899
900	static NTSTATUS libnet_Join_primary_domain(struct libnet_context *ctx,
901	TALLOC_CTX *mem_ctx,
902	struct libnet_Join *r)
903	{
904	NTSTATUS status;
905	TALLOC_CTX *tmp_mem;
906	struct libnet_JoinDomain *r2;
907	struct provision_store_self_join_settings *set_secrets;
908	uint32_t acct_type = 0;
909	const char *account_name;
910	const char *netbios_name;
911	const char *error_string;
912
913	r->out.error_string = NULL;
914
915	tmp_mem = talloc_new(mem_ctx);
916	if (!tmp_mem) {
917	return NT_STATUS_NO_MEMORY;
918	}
919
920	r2 = talloc(tmp_mem, struct libnet_JoinDomain);
921	if (!r2) {
922	r->out.error_string = NULL;
923	talloc_free(tmp_mem);
924	return NT_STATUS_NO_MEMORY;
925	}
926
927	if (r->in.join_type == SEC_CHAN_BDC) {
928	acct_type = ACB_SVRTRUST;
929	} else if (r->in.join_type == SEC_CHAN_WKSTA) {
930	acct_type = ACB_WSTRUST;
931	} else {
932	r->out.error_string = NULL;
933	talloc_free(tmp_mem);
934	return NT_STATUS_INVALID_PARAMETER;
935	}
936
937	if (r->in.netbios_name != NULL) {
938	netbios_name = r->in.netbios_name;
939	} else {
940	netbios_name = talloc_strdup(tmp_mem, lpcfg_netbios_name(ctx->lp_ctx));
941	if (!netbios_name) {
942	r->out.error_string = NULL;
943	talloc_free(tmp_mem);
944	return NT_STATUS_NO_MEMORY;
945	}
946	}
947
948	account_name = talloc_asprintf(tmp_mem, "%s$", netbios_name);
949	if (!account_name) {
950	r->out.error_string = NULL;
951	talloc_free(tmp_mem);
952	return NT_STATUS_NO_MEMORY;
953	}
954
955	/*
956	* join the domain
957	*/
958	ZERO_STRUCTP(r2);
959	r2->in.domain_name = r->in.domain_name;
960	r2->in.account_name = account_name;
961	r2->in.netbios_name = netbios_name;
962	r2->in.level = LIBNET_JOINDOMAIN_AUTOMATIC;
963	r2->in.acct_type = acct_type;
964	r2->in.recreate_account = false;
965	status = libnet_JoinDomain(ctx, r2, r2);
966	if (!NT_STATUS_IS_OK(status)) {
967	r->out.error_string = talloc_steal(mem_ctx, r2->out.error_string);
968	talloc_free(tmp_mem);
969	return status;
970	}
971
972	set_secrets = talloc(tmp_mem, struct provision_store_self_join_settings);
973	if (!set_secrets) {
974	r->out.error_string = NULL;
975	talloc_free(tmp_mem);
976	return NT_STATUS_NO_MEMORY;
977	}
978
979	ZERO_STRUCTP(set_secrets);
980	set_secrets->domain_name = r2->out.domain_name;
981	set_secrets->realm = r2->out.realm;
982	set_secrets->netbios_name = netbios_name;
983	set_secrets->secure_channel_type = r->in.join_type;
984	set_secrets->machine_password = r2->out.join_password;
985	set_secrets->key_version_number = r2->out.kvno;
986	set_secrets->domain_sid = r2->out.domain_sid;
987
988	status = provision_store_self_join(ctx, ctx->lp_ctx, ctx->event_ctx, set_secrets, &error_string);
989	if (!NT_STATUS_IS_OK(status)) {
990	r->out.error_string = talloc_steal(mem_ctx, error_string);
991	talloc_free(tmp_mem);
992	return status;
993	}
994
995	/* move all out parameter to the callers TALLOC_CTX */
996	r->out.error_string = NULL;
997	r->out.join_password = r2->out.join_password;
998	talloc_reparent(r2, mem_ctx, r2->out.join_password);
999	r->out.domain_sid = r2->out.domain_sid;
1000	talloc_reparent(r2, mem_ctx, r2->out.domain_sid);
1001	r->out.domain_name = r2->out.domain_name;
1002	talloc_reparent(r2, mem_ctx, r2->out.domain_name);
1003	talloc_free(tmp_mem);
1004	return NT_STATUS_OK;
1005	}
1006
1007	NTSTATUS libnet_Join(struct libnet_context ctx, TALLOC_CTX mem_ctx, struct libnet_Join *r)
1008	{
1009	switch (r->in.join_type) {
1010	case SEC_CHAN_WKSTA:
1011	return libnet_Join_primary_domain(ctx, mem_ctx, r);
1012	case SEC_CHAN_BDC:
1013	return libnet_Join_primary_domain(ctx, mem_ctx, r);
1014	case SEC_CHAN_DOMAIN:
1015	case SEC_CHAN_DNS_DOMAIN:
1016	case SEC_CHAN_NULL:
1017	break;
1018	}
1019
1020	r->out.error_string = talloc_asprintf(mem_ctx,
1021	"Invalid join type specified (%08X) attempting to join domain %s",
1022	r->in.join_type, r->in.domain_name);
1023	return NT_STATUS_INVALID_PARAMETER;
1024	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: