svn commit: samba r10098 - in branches/tmp/RPCREWRITE/source/utils: .

jra at samba.org jra at samba.org
Fri Sep 9 01:10:40 GMT 2005


Author: jra
Date: 2005-09-09 01:10:40 +0000 (Fri, 09 Sep 2005)
New Revision: 10098

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=10098

Log:
Convert domain join to new style.
Jeremy

Modified:
   branches/tmp/RPCREWRITE/source/utils/net_rpc_join.c


Changeset:
Modified: branches/tmp/RPCREWRITE/source/utils/net_rpc_join.c
===================================================================
--- branches/tmp/RPCREWRITE/source/utils/net_rpc_join.c	2005-09-09 00:42:18 UTC (rev 10097)
+++ branches/tmp/RPCREWRITE/source/utils/net_rpc_join.c	2005-09-09 01:10:40 UTC (rev 10098)
@@ -45,6 +45,7 @@
 {
 	struct cli_state *cli = NULL;
 	struct rpc_pipe_client *pipe_hnd = NULL;
+	int retval = 1;
 	NTSTATUS ret;
 
 	/* Connect to remote machine */
@@ -87,7 +88,10 @@
 	struct cli_state *cli;
 	TALLOC_CTX *mem_ctx;
         uint32 acb_info = ACB_WSTRUST;
+	uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
 	uint32 sec_channel_type;
+	struct rpc_pipe_client *pipe_hnd = NULL;
+	struct rpc_pipe_client *netlogon_schannel_pipe = NULL;
 
 	/* rpc variables */
 
@@ -135,7 +139,7 @@
 #endif
 	}
 
-	/* Connect to remote machine */
+	/* Make authenticated connection to remote machine */
 
 	if (!(cli = net_make_ipc_connection(NET_FLAGS_PDC))) 
 		return 1;
@@ -147,38 +151,41 @@
 
 	/* Fetch domain sid */
 
-	if (!cli_nt_session_open(cli, PI_LSARPC)) {
-		DEBUG(0, ("Error connecting to LSA pipe\n"));
+	pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &result);
+	if (!pipe_hnd) {
+		DEBUG(0, ("Error connecting to LSA pipe. Error was %s\n",
+			nt_errstr(result) ));
 		goto done;
 	}
 
 
-	CHECK_RPC_ERR(cli_lsa_open_policy(cli, mem_ctx, True,
+	CHECK_RPC_ERR(rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True,
 					  SEC_RIGHTS_MAXIMUM_ALLOWED,
 					  &lsa_pol),
 		      "error opening lsa policy handle");
 
-	CHECK_RPC_ERR(cli_lsa_query_info_policy(cli, mem_ctx, &lsa_pol,
+	CHECK_RPC_ERR(rpccli_lsa_query_info_policy(pipe_hnd, mem_ctx, &lsa_pol,
 						5, &domain, &domain_sid),
 		      "error querying info policy");
 
-	cli_lsa_close(cli, mem_ctx, &lsa_pol);
+	rpccli_lsa_close(pipe_hnd, mem_ctx, &lsa_pol);
+	cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */
 
-	cli_nt_session_close(cli); /* Done with this pipe */
-
 	/* Create domain user */
-	if (!cli_nt_session_open(cli, PI_SAMR)) {
-		DEBUG(0, ("Error connecting to SAM pipe\n"));
+	pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &result);
+	if (!pipe_hnd) {
+		DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n",
+			nt_errstr(result) ));
 		goto done;
 	}
 
-	CHECK_RPC_ERR(cli_samr_connect(cli, mem_ctx, 
+	CHECK_RPC_ERR(rpccli_samr_connect(pipe_hnd, mem_ctx, 
 				       SEC_RIGHTS_MAXIMUM_ALLOWED,
 				       &sam_pol),
 		      "could not connect to SAM database");
 
 	
-	CHECK_RPC_ERR(cli_samr_open_domain(cli, mem_ctx, &sam_pol,
+	CHECK_RPC_ERR(rpccli_samr_open_domain(pipe_hnd, mem_ctx, &sam_pol,
 					   SEC_RIGHTS_MAXIMUM_ALLOWED,
 					   domain_sid, &domain_pol),
 		      "could not open domain");
@@ -188,7 +195,7 @@
 	strlower_m(acct_name);
 	const_acct_name = acct_name;
 
-	result = cli_samr_create_dom_user(cli, mem_ctx, &domain_pol,
+	result = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol,
 					  acct_name, acb_info,
 					  0xe005000b, &user_pol, 
 					  &user_rid);
@@ -209,10 +216,11 @@
 
 	/* We *must* do this.... don't ask... */
 
-	if (NT_STATUS_IS_OK(result))
-		cli_samr_close(cli, mem_ctx, &user_pol);
+	if (NT_STATUS_IS_OK(result)) {
+		rpccli_samr_close(pipe_hnd, mem_ctx, &user_pol);
+	}
 
-	CHECK_RPC_ERR_DEBUG(cli_samr_lookup_names(cli, mem_ctx,
+	CHECK_RPC_ERR_DEBUG(rpccli_samr_lookup_names(pipe_hnd, mem_ctx,
 						  &domain_pol, flags,
 						  1, &const_acct_name, 
 						  &num_rids,
@@ -230,7 +238,7 @@
 	/* Open handle on user */
 
 	CHECK_RPC_ERR_DEBUG(
-		cli_samr_open_user(cli, mem_ctx, &domain_pol,
+		rpccli_samr_open_user(pipe_hnd, mem_ctx, &domain_pol,
 				   SEC_RIGHTS_MAXIMUM_ALLOWED,
 				   user_rid, &user_pol),
 		("could not re-open existing user %s: %s\n",
@@ -257,7 +265,7 @@
 	ctr.switch_value = 24;
 	ctr.info.id24 = &p24;
 
-	CHECK_RPC_ERR(cli_samr_set_userinfo(cli, mem_ctx, &user_pol, 24, 
+	CHECK_RPC_ERR(rpccli_samr_set_userinfo(pipe_hnd, mem_ctx, &user_pol, 24, 
 					    &cli->user_session_key, &ctr),
 		      "error setting trust account password");
 
@@ -279,26 +287,52 @@
 	/* Ignoring the return value is necessary for joining a domain
 	   as a normal user with "Add workstation to domain" privilege. */
 
-	result = cli_samr_set_userinfo2(cli, mem_ctx, &user_pol, 16, 
+	result = rpccli_samr_set_userinfo2(pipe_hnd, mem_ctx, &user_pol, 16, 
 					&cli->user_session_key, &ctr);
 
+	rpccli_samr_close(pipe_hnd, mem_ctx, &user_pol);
+	cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */
+
 	/* Now check the whole process from top-to-bottom */
-	cli_samr_close(cli, mem_ctx, &user_pol);
-	cli_nt_session_close(cli); /* Done with this pipe */
 
-	if (!cli_nt_session_open(cli, PI_NETLOGON)) {
-		DEBUG(0,("Error connecting to NETLOGON pipe\n"));
+	pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, &result);
+	if (!pipe_hnd) {
+		DEBUG(0,("Error connecting to NETLOGON pipe. Error was %s\n",
+			nt_errstr(result) ));
 		goto done;
 	}
 
-	/* ensure that schannel uses the right domain */
-	fstrcpy(cli->domain, domain);
+	result = rpccli_netlogon_setup_creds(pipe_hnd,
+					cli->desthost,
+					domain,
+					global_myname(),
+                                        md4_trust_password,
+                                        sec_channel_type,
+                                        &neg_flags);
 
-	result = cli_nt_establish_netlogon(cli, sec_channel_type, 
-					   md4_trust_password);
+	if (!NT_STATUS_IS_OK(result)) {
+		DEBUG(0, ("Error in domain join verification (credential setup failed): %s\n\n",
+			  nt_errstr(result)));
 
+		if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) &&
+		     (sec_channel_type == SEC_CHAN_BDC) ) {
+			d_printf("Please make sure that no computer account\n"
+				 "named like this machine (%s) exists in the domain\n",
+				 global_myname());
+		}
+
+		goto done;
+	}
+
+	netlogon_schannel_pipe = cli_rpc_pipe_open_schannel_with_key(cli,
+							PI_NETLOGON,
+							PIPE_AUTH_LEVEL_PRIVACY,
+							domain,
+							pipe_hnd->dc,
+							&result);
+
 	if (!NT_STATUS_IS_OK(result)) {
-		DEBUG(0, ("Error domain join verification (reused connection): %s\n\n",
+		DEBUG(0, ("Error in domain join verification (schannel setup failed): %s\n\n",
 			  nt_errstr(result)));
 
 		if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) &&
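Review bot: The schannel pipe is opened without first checking `neg_flags`, which is passed by address to `rpccli_netlogon_setup_creds()` and so presumably comes back holding the flags the DC actually accepted. If the DC cleared `NETLOGON_NEG_SCHANNEL`, the failure shows up only as a generic "schannel setup failed" status, with no record that the secure channel was negotiated away. Test it explicitly before the open, for example `if (!(neg_flags & NETLOGON_NEG_SCHANNEL)) { DEBUG(0, ("DC did not negotiate schannel\n")); goto done; }`. The open is also judged by `result` alone, whereas the three noauth opens test the returned pointer; `if (!netlogon_schannel_pipe)` would be consistent with them and would protect the later `cli_rpc_pipe_close(netlogon_schannel_pipe)`. The enclosing function begins and ends outside this hunk.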
@@ -311,6 +345,9 @@
 		goto done;
 	}
 
+	cli_rpc_pipe_close(pipe_hnd);
+	cli_rpc_pipe_close(netlogon_schannel_pipe);
+
 	/* Now store the secret in the secrets database */
 
 	strupper_m(domain);
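Review bot: These two closes run only on the success path, so every earlier `goto done` (the failed-open branches, the credential and schannel failures, and presumably the `CHECK_RPC_ERR` macros) leaves `pipe_hnd` open, and a later hunk in this commit deletes the close that used to sit under `done:`. Unless the connection teardown further down, which is not visible here, also closes the pipes, the pipe and any policy handles opened on it stay open on the server until the connection drops. Consider setting the pointer to NULL after each explicit close (`cli_rpc_pipe_close(pipe_hnd); pipe_hnd = NULL;`) and adding `if (pipe_hnd) cli_rpc_pipe_close(pipe_hnd);` under `done:`, with the same for `netlogon_schannel_pipe`. Without the NULL assignment, a close at `done:` reached after this point would act on an already-closed pipe.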
@@ -328,11 +365,7 @@
 	retval = net_rpc_join_ok(domain);
 	
 done:
-	/* Close down pipe - this will clean up open policy handles */
 
-	if (cli->pipes[cli->pipe_idx].fnum)
-		cli_nt_session_close(cli);
-
 	/* Display success or failure */
 
 	if (retval != 0) {
@@ -348,7 +381,6 @@
 	return retval;
 }
 
-
 /**
  * check that a join is OK
  *


