svn commit: samba r17149 - in branches: SAMBA_3_0/source/utils SAMBA_3_0_23/source/utils

jerry at samba.org jerry at samba.org
Wed Jul 19 20:56:23 GMT 2006


Author: jerry
Date: 2006-07-19 20:56:11 +0000 (Wed, 19 Jul 2006)
New Revision: 17149

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17149

Log:
Fail the join if we cannot set any SPNs for the machine account.
Disable the one we created and whine.


Modified:
   branches/SAMBA_3_0/source/utils/net_ads.c
   branches/SAMBA_3_0_23/source/utils/net_ads.c


Changeset:
Modified: branches/SAMBA_3_0/source/utils/net_ads.c
===================================================================
--- branches/SAMBA_3_0/source/utils/net_ads.c	2006-07-19 20:54:39 UTC (rev 17148)
+++ branches/SAMBA_3_0/source/utils/net_ads.c	2006-07-19 20:56:11 UTC (rev 17149)
@@ -24,22 +24,6 @@
 #include "includes.h"
 #include "utils/net.h"
 
-/* Macro for checking RPC error codes to make things more readable */
-
-#if 0
-#define CHECK_RPC_ERR(rpc, msg) \
-        if (!NT_STATUS_IS_OK(result = rpc)) { \
-                DEBUG(0, (msg ": %s\n", nt_errstr(result))); \
-                goto done; \
-        }
-
-#define CHECK_RPC_ERR_DEBUG(rpc, debug_args) \
-        if (!NT_STATUS_IS_OK(result = rpc)) { \
-                DEBUG(0, debug_args); \
-                goto done; \
-        }
-
-#endif
 #ifdef HAVE_ADS
 
 int net_ads_usage(int argc, const char **argv)
@@ -1208,11 +1192,24 @@
 	
 	status = net_set_machine_spn( ctx, ads );
 	if ( !ADS_ERR_OK(status) )  {
-		d_fprintf(stderr, "Failed to set servicePrincipalNames. Only NTLM authentication will be possible.\n");
-		d_fprintf(stderr, "Please ensure that the DNS domain of this server matches the AD domain,\n");
-		d_fprintf(stderr, "Or rejoin with using Domain Admin credentials.\n");
 
-		/* don't fail */
+		d_fprintf(stderr, "Failed to set servicePrincipalNames. Please ensure that\n");
+		d_fprintf(stderr, "the DNS domain of this server matches the AD domain,\n");
+		d_fprintf(stderr, "Or rejoin with using Domain Admin credentials.\n");
+		
+		/* Disable the machine account in AD.  Better to fail than to leave 
+		   a confused admin.  */
+		
+		if ( net_ads_leave( 0, NULL ) != 0 ) {
+			d_fprintf( stderr, "Failed to disable machine account in AD.  Please do so manually.\n");
+		}
+		
+		/* clear out the machine password */
+		
+		netdom_store_machine_account( lp_workgroup(), domain_sid, "" ); 
+		netdom_store_machine_account( short_domain_name, domain_sid, "" );
+		
+		return -1;
 	}
 
 	if ( !net_derive_salting_principal( ctx, ads ) ) {
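Review bot: Both `netdom_store_machine_account( ..., "" )` calls discard their result, so a failed write would presumably leave the previous machine password in the local secrets store even though the join has reported failure; if `net_ads_leave` also failed, that password would still match an enabled account in AD. Check each call and tell the admin when it does not succeed, e.g. `d_fprintf( stderr, "Failed to clear the stored machine password.\n");` (the function's return type is declared outside this hunk). The three messages also drop the reason held in `status`, which would help the admin tell a DNS mismatch from a permissions failure. The new `return -1` leaves the function with no visible release of `ctx` and `ads`; the function begins and ends outside the hunk, so confirm they are cleaned up on this path. The same hunk appears in the SAMBA_3_0_23 copy below.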
@@ -1891,15 +1888,12 @@
 		{"GROUP", net_ads_group_usage},
 		{"PRINTER", net_ads_printer_usage},
 		{"SEARCH", net_ads_search_usage},
-#if 0
 		{"INFO", net_ads_info},
 		{"JOIN", net_ads_join},
-		{"JOIN2", net_ads_join2},
 		{"LEAVE", net_ads_leave},
 		{"STATUS", net_ads_status},
 		{"PASSWORD", net_ads_password},
 		{"CHANGETRUSTPW", net_ads_changetrustpw},
-#endif
 		{NULL, NULL}
 	};
 
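Review bot: Removing the `#if 0` turns on rows that bind `JOIN`, `LEAVE`, `PASSWORD` and `CHANGETRUSTPW` to the functions that carry out those operations, in a table whose other rows all point at `*_usage` handlers. If this is the help dispatcher, which the hunk does not show, asking for help on one of these keywords would run the operation instead of printing usage, and that includes `net_ads_leave`, which this commit now relies on to disable the machine account. Point the rows at a usage routine until per-command ones exist, e.g. `{"LEAVE", net_ads_usage},`, or leave them out. The table's declaration and the call that consumes it are outside the hunk; the SAMBA_3_0_23 copy has the same change.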
@@ -1991,4 +1985,4 @@
 	return net_ads_usage(argc, argv);
 }
 
-#endif
+#endif	/* WITH_ADS */
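Review bot: The new trailing comment names `WITH_ADS`, but the only guard visible in this file is `#ifdef HAVE_ADS` near the top; if this `#endif` closes that guard, the line should read `#endif	/* HAVE_ADS */`. The intervening lines are outside the hunk, so confirm the pairing before changing it. The SAMBA_3_0_23 copy carries the same comment.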

Modified: branches/SAMBA_3_0_23/source/utils/net_ads.c
===================================================================
--- branches/SAMBA_3_0_23/source/utils/net_ads.c	2006-07-19 20:54:39 UTC (rev 17148)
+++ branches/SAMBA_3_0_23/source/utils/net_ads.c	2006-07-19 20:56:11 UTC (rev 17149)
@@ -24,22 +24,6 @@
 #include "includes.h"
 #include "utils/net.h"
 
-/* Macro for checking RPC error codes to make things more readable */
-
-#if 0
-#define CHECK_RPC_ERR(rpc, msg) \
-        if (!NT_STATUS_IS_OK(result = rpc)) { \
-                DEBUG(0, (msg ": %s\n", nt_errstr(result))); \
-                goto done; \
-        }
-
-#define CHECK_RPC_ERR_DEBUG(rpc, debug_args) \
-        if (!NT_STATUS_IS_OK(result = rpc)) { \
-                DEBUG(0, debug_args); \
-                goto done; \
-        }
-
-#endif
 #ifdef HAVE_ADS
 
 int net_ads_usage(int argc, const char **argv)
@@ -1208,11 +1192,24 @@
 	
 	status = net_set_machine_spn( ctx, ads );
 	if ( !ADS_ERR_OK(status) )  {
-		d_fprintf(stderr, "Failed to set servicePrincipalNames. Only NTLM authentication will be possible.\n");
-		d_fprintf(stderr, "Please ensure that the DNS domain of this server matches the AD domain,\n");
-		d_fprintf(stderr, "Or rejoin with using Domain Admin credentials.\n");
 
-		/* don't fail */
+		d_fprintf(stderr, "Failed to set servicePrincipalNames. Please ensure that\n");
+		d_fprintf(stderr, "the DNS domain of this server matches the AD domain,\n");
+		d_fprintf(stderr, "Or rejoin with using Domain Admin credentials.\n");
+		
+		/* Disable the machine account in AD.  Better to fail than to leave 
+		   a confused admin.  */
+		
+		if ( net_ads_leave( 0, NULL ) != 0 ) {
+			d_fprintf( stderr, "Failed to disable machine account in AD.  Please do so manually.\n");
+		}
+		
+		/* clear out the machine password */
+		
+		netdom_store_machine_account( lp_workgroup(), domain_sid, "" ); 
+		netdom_store_machine_account( short_domain_name, domain_sid, "" );
+		
+		return -1;
 	}
 
 	if ( !net_derive_salting_principal( ctx, ads ) ) {
@@ -1891,15 +1888,12 @@
 		{"GROUP", net_ads_group_usage},
 		{"PRINTER", net_ads_printer_usage},
 		{"SEARCH", net_ads_search_usage},
-#if 0
 		{"INFO", net_ads_info},
 		{"JOIN", net_ads_join},
-		{"JOIN2", net_ads_join2},
 		{"LEAVE", net_ads_leave},
 		{"STATUS", net_ads_status},
 		{"PASSWORD", net_ads_password},
 		{"CHANGETRUSTPW", net_ads_changetrustpw},
-#endif
 		{NULL, NULL}
 	};
 
@@ -1991,4 +1985,4 @@
 	return net_ads_usage(argc, argv);
 }
 
-#endif
+#endif	/* WITH_ADS */


