[SCM] Samba Shared Repository - branch v3-2-test updated - initial-v3-2-test-2592-gc4ba68a

Günther Deschner gd at samba.org
Thu Feb 28 10:40:10 GMT 2008


The branch, v3-2-test has been updated
       via  c4ba68aa94888eace393b91a669e22b27ffaba3e (commit)
       via  95bdf2f23c195cad1b317995e362f153695e793a (commit)
       via  0315b8e53dca9a836d6bc2282fb1192f40545601 (commit)
       via  23ae67158e6506199318025e3dd5fd5c0b099548 (commit)
       via  f0e319a18d86303aeb73c08841024c27c1b135cd (commit)
       via  5895a03fd600745ec897d987910abca83d79de3e (commit)
       via  365943063497c6330ba77914bb01a2be324866f7 (commit)
       via  be96baeffc60d05d8e297034e5253c8b75512ab2 (commit)
       via  fec230b28f456469bce051a2b26249d2026a48ea (commit)
       via  0d8081499fd211e1225d651ff208a857167ce1db (commit)
       via  6f8e83b43085c038bb8fb2500319fed1daf6e4e4 (commit)
      from  61b4bc13d0f0cf1cf4139ecdfafc78b9bfff0480 (commit)

http://gitweb.samba.org/?samba.git;a=shortlog;h=v3-2-test


- Log -----------------------------------------------------------------
commit c4ba68aa94888eace393b91a669e22b27ffaba3e
Author: Günther Deschner <gd at samba.org>
Date:   Thu Feb 28 11:29:56 2008 +0100

    Store domain_is_ad info as early as possible in libnetjoin.
    
    Guenther

commit 95bdf2f23c195cad1b317995e362f153695e793a
Author: Günther Deschner <gd at samba.org>
Date:   Thu Feb 28 11:26:47 2008 +0100

    Check for mandatory domain name in libnetjoin/unjoin.
    
    Guenther

commit 0315b8e53dca9a836d6bc2282fb1192f40545601
Author: Günther Deschner <gd at samba.org>
Date:   Thu Feb 28 11:23:36 2008 +0100

    Delete affinity cache entries while unjoining with libnetunjoin.
    
    Guenther

commit 23ae67158e6506199318025e3dd5fd5c0b099548
Author: Günther Deschner <gd at samba.org>
Date:   Thu Feb 28 11:19:57 2008 +0100

    Fill in machine account manipulation flags while unjoining in libnetunjoin.
    
    Guenther

commit f0e319a18d86303aeb73c08841024c27c1b135cd
Author: Günther Deschner <gd at samba.org>
Date:   Thu Feb 28 11:17:29 2008 +0100

    Add preliminary libnet_join_post_verify call to libnetjoin.
    
    Guenther

commit 5895a03fd600745ec897d987910abca83d79de3e
Author: Günther Deschner <gd at samba.org>
Date:   Thu Feb 28 11:12:33 2008 +0100

    Re-run make idl.
    
    Guenther

commit 365943063497c6330ba77914bb01a2be324866f7
Author: Günther Deschner <gd at samba.org>
Date:   Thu Feb 28 11:11:05 2008 +0100

    Add disabled_machine_account and deleted_machine_account flags to libnetunjoin.
    
    Guenther

commit be96baeffc60d05d8e297034e5253c8b75512ab2
Author: Günther Deschner <gd at samba.org>
Date:   Thu Feb 28 11:02:01 2008 +0100

    Merge all connect ads calls into libnet_join_post_processing_ads().
    
    Guenther

commit fec230b28f456469bce051a2b26249d2026a48ea
Author: Günther Deschner <gd at samba.org>
Date:   Thu Feb 28 11:00:50 2008 +0100

    Use W_ERROR_NOT_OK_GOTO_DONE macro in libnetjoin.
    
    Guenther

commit 0d8081499fd211e1225d651ff208a857167ce1db
Author: Günther Deschner <gd at samba.org>
Date:   Thu Feb 28 10:56:27 2008 +0100

    Add noopnum to libnet join/unjoin calls.
    
    Guenther

commit 6f8e83b43085c038bb8fb2500319fed1daf6e4e4
Author: Günther Deschner <gd at samba.org>
Date:   Thu Feb 28 10:52:37 2008 +0100

    Some cosmetics for net_derive_salting_principal().
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 source/libnet/libnet_join.c             |  243 +++++++++++++++++++++++++------
 source/librpc/gen_ndr/libnet_join.h     |    2 +
 source/librpc/gen_ndr/ndr_libnet_join.c |    2 +
 source/librpc/gen_ndr/ndr_libnet_join.h |    6 +-
 source/librpc/idl/libnet_join.idl       |    8 +-
 source/utils/net_ads.c                  |    4 +-
 6 files changed, 210 insertions(+), 55 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/libnet/libnet_join.c b/source/libnet/libnet_join.c
index 0543ca8..d2242ff 100644
--- a/source/libnet/libnet_join.c
+++ b/source/libnet/libnet_join.c
@@ -50,6 +50,12 @@
 #define LIBNET_UNJOIN_OUT_DUMP_CTX(ctx, r) \
 	LIBNET_UNJOIN_DUMP_CTX(ctx, r, NDR_OUT)
 
+#define W_ERROR_NOT_OK_GOTO_DONE(x) do { \
+	if (!W_ERROR_IS_OK(x)) {\
+		goto done;\
+	}\
+} while (0)
+
 /****************************************************************
 ****************************************************************/
 
@@ -146,9 +152,24 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
 		libnet_join_set_error_string(mem_ctx, r,
 			"failed to connect to AD: %s",
 			ads_errstr(status));
+		return status;
 	}
 
-	return status;
+	if (!r->out.netbios_domain_name) {
+		r->out.netbios_domain_name = talloc_strdup(mem_ctx,
+							   r->in.ads->server.workgroup);
+		ADS_ERROR_HAVE_NO_MEMORY(r->out.netbios_domain_name);
+	}
+
+	if (!r->out.dns_domain_name) {
+		r->out.dns_domain_name = talloc_strdup(mem_ctx,
+						       r->in.ads->config.realm);
+		ADS_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name);
+	}
+
+	r->out.domain_is_ad = true;
+
+	return ADS_SUCCESS;
 }
 
 /****************************************************************
@@ -290,13 +311,6 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
 	const char *spn_array[3] = {NULL, NULL, NULL};
 	char *spn = NULL;
 
-	if (!r->in.ads) {
-		status = libnet_join_connect_ads(mem_ctx, r);
-		if (!ADS_ERR_OK(status)) {
-			return status;
-		}
-	}
-
 	status = libnet_join_find_machine_acct(mem_ctx, r);
 	if (!ADS_ERR_OK(status)) {
 		return status;
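Review bot: With the `if (!r->in.ads)` connect removed from libnet_join_set_machine_spn (and, in the next two hunks, from set_machine_upn and set_os_attributes), these helpers now rely on the caller having already populated `r->in.ads`, and the libnet_join_find_machine_acct call that follows presumably dereferences it. Nothing in the function records that precondition; a comment at the top of each helper such as `/* r->in.ads must already be connected; see libnet_join_post_processing_ads() */` would protect the next caller, and an early `if (!r->in.ads)` returning a parameter error would turn a NULL dereference into a reported failure. The enclosing function begins before this hunk.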
@@ -352,13 +366,6 @@ static ADS_STATUS libnet_join_set_machine_upn(TALLOC_CTX *mem_ctx,
 		return ADS_SUCCESS;
 	}
 
-	if (!r->in.ads) {
-		status = libnet_join_connect_ads(mem_ctx, r);
-		if (!ADS_ERR_OK(status)) {
-			return status;
-		}
-	}
-
 	status = libnet_join_find_machine_acct(mem_ctx, r);
 	if (!ADS_ERR_OK(status)) {
 		return status;
@@ -402,13 +409,6 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
 		return ADS_SUCCESS;
 	}
 
-	if (!r->in.ads) {
-		status = libnet_join_connect_ads(mem_ctx, r);
-		if (!ADS_ERR_OK(status)) {
-			return status;
-		}
-	}
-
 	status = libnet_join_find_machine_acct(mem_ctx, r);
 	if (!ADS_ERR_OK(status)) {
 		return status;
@@ -519,6 +519,13 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
 {
 	ADS_STATUS status;
 
+	if (!r->in.ads) {
+		status = libnet_join_connect_ads(mem_ctx, r);
+		if (!ADS_ERR_OK(status)) {
+			return status;
+		}
+	}
+
 	status = libnet_join_set_machine_spn(mem_ctx, r);
 	if (!ADS_ERR_OK(status)) {
 		libnet_join_set_error_string(mem_ctx, r,
@@ -796,6 +803,132 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
 /****************************************************************
 ****************************************************************/
 
+NTSTATUS libnet_join_ok(const char *netbios_domain_name,
+			const char *machine_name,
+			const char *dc_name)
+{
+	uint32_t neg_flags = NETLOGON_NEG_AUTH2_FLAGS |
+			     NETLOGON_NEG_SCHANNEL;
+	/* FIXME: NETLOGON_NEG_SELECT_AUTH2_FLAGS */
+	struct cli_state *cli = NULL;
+	struct rpc_pipe_client *pipe_hnd = NULL;
+	struct rpc_pipe_client *netlogon_pipe = NULL;
+	NTSTATUS status;
+	char *machine_password = NULL;
+	char *machine_account = NULL;
+
+	if (!dc_name) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	if (!secrets_init()) {
+		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+	}
+
+	machine_password = secrets_fetch_machine_password(netbios_domain_name,
+							  NULL, NULL);
+	if (!machine_password) {
+		return NT_STATUS_NO_TRUST_LSA_SECRET;
+	}
+
+	asprintf(&machine_account, "%s$", machine_name);
+	if (!machine_account) {
+		SAFE_FREE(machine_password);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	status = cli_full_connection(&cli, NULL,
+				     dc_name,
+				     NULL, 0,
+				     "IPC$", "IPC",
+				     machine_account,
+				     NULL,
+				     machine_password,
+				     0,
+				     Undefined, NULL);
+	free(machine_account);
+	free(machine_password);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		status = cli_full_connection(&cli, NULL,
+					     dc_name,
+					     NULL, 0,
+					     "IPC$", "IPC",
+					     "",
+					     NULL,
+					     "",
+					     0,
+					     Undefined, NULL);
+	}
+
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	netlogon_pipe = get_schannel_session_key(cli,
+						 netbios_domain_name,
+						 &neg_flags, &status);
+	if (!netlogon_pipe) {
+		if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_NETWORK_RESPONSE)) {
+			cli_shutdown(cli);
+			return NT_STATUS_OK;
+		}
+
+		DEBUG(0,("libnet_join_ok: failed to get schannel session "
+			"key from server %s for domain %s. Error was %s\n",
+		cli->desthost, netbios_domain_name, nt_errstr(status)));
+		cli_shutdown(cli);
+		return status;
+	}
+
+	if (!lp_client_schannel()) {
+		cli_shutdown(cli);
+		return NT_STATUS_OK;
+	}
+
+	pipe_hnd = cli_rpc_pipe_open_schannel_with_key(cli, PI_NETLOGON,
+						       PIPE_AUTH_LEVEL_PRIVACY,
+						       netbios_domain_name,
+						       netlogon_pipe->dc,
+						       &status);
+
+	cli_shutdown(cli);
+
+	if (!pipe_hnd) {
+		DEBUG(0,("libnet_join_ok: failed to open schannel session "
+			"on netlogon pipe to server %s for domain %s. "
+			"Error was %s\n",
+			cli->desthost, netbios_domain_name, nt_errstr(status)));
+		return status;
+	}
+
+	return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR libnet_join_post_verify(TALLOC_CTX *mem_ctx,
+				      struct libnet_JoinCtx *r)
+{
+	NTSTATUS status;
+
+	status = libnet_join_ok(r->out.netbios_domain_name,
+				r->in.machine_name,
+				r->in.dc_name);
+	if (!NT_STATUS_IS_OK(status)) {
+		libnet_join_set_error_string(mem_ctx, r,
+			"failed to verify domain membership after joining: %s",
+			get_friendly_nt_error_msg(status));
+		return WERR_SETUP_NOT_JOINED;
+	}
+
+	return WERR_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
 static bool libnet_join_unjoindomain_remove_secrets(TALLOC_CTX *mem_ctx,
 						    struct libnet_UnjoinCtx *r)
 {
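Review bot: In libnet_join_ok the `cli_shutdown(cli);` placed before the `if (!pipe_hnd)` check frees the connection, and the DEBUG inside that branch then reads `cli->desthost` from freed memory; shutting down after logging fixes the use-after-free on the error path. Slightly earlier, the result of `asprintf(&machine_account, "%s$", machine_name)` is judged by testing the pointer, but asprintf leaves the pointer undefined on failure, so the return value should be checked instead. The machine password fetched from secrets is released with plain `free()` without being scrubbed first; clearing it before freeing would be prudent for a long-lived credential. Returning NT_STATUS_OK when get_schannel_session_key fails with NT_STATUS_INVALID_NETWORK_RESPONSE may be deliberate for servers that cannot do schannel, but it makes the post-join verification pass on a failure and deserves a comment naming which servers produce it.
```c
	if (asprintf(&machine_account, "%s$", machine_name) < 0) {
		SAFE_FREE(machine_password);
		return NT_STATUS_NO_MEMORY;
	}
	/* … unchanged: IPC$ connection and schannel session key … */
	pipe_hnd = cli_rpc_pipe_open_schannel_with_key(cli, PI_NETLOGON,
						       PIPE_AUTH_LEVEL_PRIVACY,
						       netbios_domain_name,
						       netlogon_pipe->dc,
						       &status);
	if (!pipe_hnd) {
		DEBUG(0,("libnet_join_ok: failed to open schannel session "
			"on netlogon pipe to server %s for domain %s. "
			"Error was %s\n",
			cli->desthost, netbios_domain_name, nt_errstr(status)));
		cli_shutdown(cli);
		return status;
	}

	cli_shutdown(cli);
	return NT_STATUS_OK;
```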
@@ -942,9 +1075,7 @@ static WERROR do_join_modify_vals_config(struct libnet_JoinCtx *r)
 	if (!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE)) {
 
 		werr = libnet_conf_set_global_parameter(ctx, "security", "user");
-		if (!W_ERROR_IS_OK(werr)) {
-			goto done;
-		}
+		W_ERROR_NOT_OK_GOTO_DONE(werr);
 
 		werr = libnet_conf_set_global_parameter(ctx, "workgroup",
 							r->in.domain_name);
@@ -952,27 +1083,22 @@ static WERROR do_join_modify_vals_config(struct libnet_JoinCtx *r)
 	}
 
 	werr = libnet_conf_set_global_parameter(ctx, "security", "domain");
-	if (!W_ERROR_IS_OK(werr)) {
-		goto done;
-	}
+	W_ERROR_NOT_OK_GOTO_DONE(werr);
 
 	werr = libnet_conf_set_global_parameter(ctx, "workgroup",
 						r->out.netbios_domain_name);
-	if (!W_ERROR_IS_OK(werr)) {
-		goto done;
-	}
+	W_ERROR_NOT_OK_GOTO_DONE(werr);
 
 	if (r->out.domain_is_ad) {
 		werr = libnet_conf_set_global_parameter(ctx, "security", "ads");
-		if (!W_ERROR_IS_OK(werr)) {
-			goto done;
-		}
+		W_ERROR_NOT_OK_GOTO_DONE(werr);
 
 		werr = libnet_conf_set_global_parameter(ctx, "realm",
 							r->out.dns_domain_name);
+		W_ERROR_NOT_OK_GOTO_DONE(werr);
 	}
 
-done:
+ done:
 	libnet_conf_close(ctx);
 	return werr;
 }
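Review bot: The `realm` write in do_join_modify_vals_config is now checked, but the non-AD path of the same function never removes a `realm` left behind by an earlier AD join, so the registry can end up holding `security = domain` together with a stale realm. If libnet_conf_delete_global_parameter tolerates an absent key, an `else { werr = libnet_conf_delete_global_parameter(ctx, "realm"); W_ERROR_NOT_OK_GOTO_DONE(werr); }` after the `if (r->out.domain_is_ad)` block would keep the two settings consistent. The function's opening lines are outside this hunk.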
@@ -993,14 +1119,11 @@ static WERROR do_unjoin_modify_vals_config(struct libnet_UnjoinCtx *r)
 	if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
 
 		werr = libnet_conf_set_global_parameter(ctx, "security", "user");
-		if (!W_ERROR_IS_OK(werr)) {
-			goto done;
-		}
+		W_ERROR_NOT_OK_GOTO_DONE(werr);
+		libnet_conf_delete_global_parameter(ctx, "realm");
 	}
 
-	libnet_conf_delete_global_parameter(ctx, "realm");
-
-done:
+ done:
 	libnet_conf_close(ctx);
 	return werr;
 }
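Review bot: The realm deletion moved into the join-type branch of do_unjoin_modify_vals_config discards the result of `libnet_conf_delete_global_parameter(ctx, "realm")`, so a failed delete leaves `realm` in the registry while the function still returns the `werr` of the preceding set call. If that helper returns a WERROR like its set_ counterpart, capture it with `werr = libnet_conf_delete_global_parameter(ctx, "realm");` followed by `W_ERROR_NOT_OK_GOTO_DONE(werr);`; if it is expected to fail when the key is absent, a one-line comment saying the result is intentionally ignored would stop the next reader from "fixing" it.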
@@ -1034,7 +1157,7 @@ static WERROR do_JoinConfig(struct libnet_JoinCtx *r)
 /****************************************************************
 ****************************************************************/
 
-static WERROR do_UnjoinConfig(struct libnet_UnjoinCtx *r)
+static WERROR libnet_unjoin_config(struct libnet_UnjoinCtx *r)
 {
 	WERROR werr;
 
@@ -1063,8 +1186,9 @@ static WERROR do_UnjoinConfig(struct libnet_UnjoinCtx *r)
 static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
 					 struct libnet_JoinCtx *r)
 {
-
 	if (!r->in.domain_name) {
+		libnet_join_set_error_string(mem_ctx, r,
+			"No domain name defined");
 		return WERR_INVALID_PARAM;
 	}
 
@@ -1283,6 +1407,11 @@ WERROR libnet_Join(TALLOC_CTX *mem_ctx,
 		if (!W_ERROR_IS_OK(werr)) {
 			goto done;
 		}
+
+		werr = libnet_join_post_verify(mem_ctx, r);
+		if (!W_ERROR_IS_OK(werr)) {
+			goto done;
+		}
 	}
 
 	werr = libnet_join_post_processing(mem_ctx, r);
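Review bot: When the newly inserted libnet_join_post_verify call fails, libnet_Join jumps to `done` with WERR_SETUP_NOT_JOINED although the join step just before it has already succeeded and, presumably, created or modified the machine account and stored the local secrets; nothing in this hunk undoes that, so the caller is told "not joined" while the host is half-joined. At minimum a comment above the call, `/* a verify failure here does not roll back the account or secrets written by the join above */`, should record that, and the error string could say the join itself succeeded. libnet_Join begins and ends outside this hunk.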
@@ -1351,6 +1480,8 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
 		return ntstatus_to_werror(status);
 	}
 
+	r->out.disabled_machine_account = true;
+
 #ifdef WITH_ADS
 	if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE) {
 		ADS_STATUS ads_status;
@@ -1360,6 +1491,12 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
 			libnet_unjoin_set_error_string(mem_ctx, r,
 				"failed to remove machine account from AD: %s",
 				ads_errstr(ads_status));
+		} else {
+			r->out.deleted_machine_account = true;
+			/* dirty hack */
+			r->out.dns_domain_name = talloc_strdup(mem_ctx,
+							       r->in.ads->server.realm);
+			W_ERROR_HAVE_NO_MEMORY(r->out.dns_domain_name);
 		}
 	}
 #endif /* WITH_ADS */
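Review bot: The `/* dirty hack */` comment in libnet_DomainUnjoin says nothing about what is hacky; it should explain why `r->out.dns_domain_name` is filled from `r->in.ads->server.realm` only after a successful account deletion, for example `/* dns_domain_name is needed for the affinity-cache cleanup in post-processing; we only know the realm here, on the AD delete path */`. As written, the name is set on that one path only, so any later consumer of `r->out.dns_domain_name` sees NULL when the account is merely disabled or when deletion failed. Also, talloc_strdup() of a NULL realm returns NULL, which W_ERROR_HAVE_NO_MEMORY would misreport as an allocation failure. The enclosing function begins before this hunk.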
@@ -1375,6 +1512,12 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
 static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx,
 					   struct libnet_UnjoinCtx *r)
 {
+	if (!r->in.domain_name) {
+		libnet_unjoin_set_error_string(mem_ctx, r,
+			"No domain name defined");
+		return WERR_INVALID_PARAM;
+	}
+
 	if (r->in.modify_config && !lp_config_backend_is_registry()) {
 		return WERR_NOT_SUPPORTED;
 	}
@@ -1388,6 +1531,17 @@ static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx,
 	return WERR_OK;
 }
 
+/****************************************************************
+****************************************************************/
+
+static WERROR libnet_unjoin_post_processing(TALLOC_CTX *mem_ctx,
+					    struct libnet_UnjoinCtx *r)
+{
+	saf_delete(r->out.netbios_domain_name);
+	saf_delete(r->out.dns_domain_name);
+
+	return libnet_unjoin_config(r);
+}
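Review bot: libnet_unjoin_post_processing passes `r->out.dns_domain_name` to saf_delete, but an earlier hunk in this commit populates that field only on the AD account-delete path, so on every other unjoin path saf_delete receives NULL. Unless saf_delete is documented to tolerate NULL, guard the call, `if (r->out.dns_domain_name) saf_delete(r->out.dns_domain_name);`, and the same consideration applies to `r->out.netbios_domain_name`, whose setting is not visible here. The results of both saf_delete calls are also dropped, which is fine for best-effort cache cleanup but worth a short comment saying so.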
 
 /****************************************************************
 ****************************************************************/
@@ -1409,11 +1563,12 @@ WERROR libnet_Unjoin(TALLOC_CTX *mem_ctx,
 	if (r->in.unjoin_flags & WKSSVC_JOIN_FLAGS_JOIN_TYPE) {
 		werr = libnet_DomainUnjoin(mem_ctx, r);
 		if (!W_ERROR_IS_OK(werr)) {
+			libnet_unjoin_config(r);
 			goto done;
 		}
 	}
 
-	werr = do_UnjoinConfig(r);
+	werr = libnet_unjoin_post_processing(mem_ctx, r);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
 	}
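Review bot: On the libnet_DomainUnjoin failure path libnet_Unjoin now calls `libnet_unjoin_config(r)` and ignores its result, so the local configuration is rewritten even though the DC-side unjoin failed, and the affinity-cache cleanup in libnet_unjoin_post_processing is skipped for that case. If rewriting the config regardless is the intent (leave the box in a workgroup even when the DC cannot be reached), a comment such as `/* DC-side unjoin failed: still drop the local domain config, but report the DC error */` would document it; otherwise the result should be checked or the call removed. libnet_Unjoin begins and ends outside this hunk.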
diff --git a/source/librpc/gen_ndr/libnet_join.h b/source/librpc/gen_ndr/libnet_join.h
index 27e66ec..8dbadcf 100644
--- a/source/librpc/gen_ndr/libnet_join.h
+++ b/source/librpc/gen_ndr/libnet_join.h
@@ -63,6 +63,8 @@ struct libnet_UnjoinCtx {
 		const char * dns_domain_name;
 		uint8_t modified_config;
 		const char * error_string;
+		uint8_t disabled_machine_account;
+		uint8_t deleted_machine_account;
 		WERROR result;
 	} out;
 
diff --git a/source/librpc/gen_ndr/ndr_libnet_join.c b/source/librpc/gen_ndr/ndr_libnet_join.c
index 5345bc0..6e65d03 100644
--- a/source/librpc/gen_ndr/ndr_libnet_join.c
+++ b/source/librpc/gen_ndr/ndr_libnet_join.c
@@ -95,6 +95,8 @@ _PUBLIC_ void ndr_print_libnet_UnjoinCtx(struct ndr_print *ndr, const char *name
 		ndr_print_string(ndr, "dns_domain_name", r->out.dns_domain_name);
 		ndr_print_uint8(ndr, "modified_config", r->out.modified_config);
 		ndr_print_string(ndr, "error_string", r->out.error_string);
+		ndr_print_uint8(ndr, "disabled_machine_account", r->out.disabled_machine_account);
+		ndr_print_uint8(ndr, "deleted_machine_account", r->out.deleted_machine_account);
 		ndr_print_WERROR(ndr, "result", r->out.result);
 		ndr->depth--;
 	}
diff --git a/source/librpc/gen_ndr/ndr_libnet_join.h b/source/librpc/gen_ndr/ndr_libnet_join.h
index 4a5fdf0..14c8a86 100644
--- a/source/librpc/gen_ndr/ndr_libnet_join.h
+++ b/source/librpc/gen_ndr/ndr_libnet_join.h
@@ -6,11 +6,7 @@
 #ifndef _HEADER_NDR_libnetjoin
 #define _HEADER_NDR_libnetjoin
 
-#define NDR_LIBNET_JOINCTX (0x00)
-
-#define NDR_LIBNET_UNJOINCTX (0x01)
-
-#define NDR_LIBNETJOIN_CALL_COUNT (2)
+#define NDR_LIBNETJOIN_CALL_COUNT (0)
 enum ndr_err_code ndr_push_libnet_JoinCtx(struct ndr_push *ndr, int flags, const struct libnet_JoinCtx *r);
 enum ndr_err_code ndr_pull_libnet_JoinCtx(struct ndr_pull *ndr, int flags, struct libnet_JoinCtx *r);
 void ndr_print_libnet_JoinCtx(struct ndr_print *ndr, const char *name, int flags, const struct libnet_JoinCtx *r);
diff --git a/source/librpc/idl/libnet_join.idl b/source/librpc/idl/libnet_join.idl
index 2741b7b..65d17c9 100644
--- a/source/librpc/idl/libnet_join.idl
+++ b/source/librpc/idl/libnet_join.idl
@@ -13,7 +13,7 @@ interface libnetjoin
 {
 	typedef bitmap wkssvc_joinflags wkssvc_joinflags;
 
-	[nopush,nopull] WERROR libnet_JoinCtx(
+	[nopush,nopull,noopnum] WERROR libnet_JoinCtx(
 		[in] string dc_name,
 		[in] string machine_name,
 		[in,ref] string *domain_name,
@@ -39,7 +39,7 @@ interface libnetjoin
 		[out] boolean8 domain_is_ad
 		);
 
-	[nopush,nopull] WERROR libnet_UnjoinCtx(
+	[nopush,nopull,noopnum] WERROR libnet_UnjoinCtx(
 		[in] string dc_name,
 		[in] string machine_name,
 		[in] string domain_name,
@@ -55,6 +55,8 @@ interface libnetjoin
 		[out] string netbios_domain_name,
 		[out] string dns_domain_name,
 		[out] boolean8 modified_config,
-		[out] string error_string
+		[out] string error_string,
+		[out] boolean8 disabled_machine_account,
+		[out] boolean8 deleted_machine_account
 		);
 }
diff --git a/source/utils/net_ads.c b/source/utils/net_ads.c
index fb644ba..199804f 100644
--- a/source/utils/net_ads.c
+++ b/source/utils/net_ads.c
@@ -1277,9 +1277,7 @@ static bool net_derive_salting_principal( TALLOC_CTX *ctx, ADS_STRUCT *ads )
 	/* if it's a Windows functional domain, we have to look for the UPN */
 
 	if ( domain_func == DS_DOMAIN_FUNCTION_2000 ) {
-		char *upn;
-
-		upn = ads_get_upn(ads, ctx, machine_name);
+		char *upn = ads_get_upn(ads, ctx, machine_name);
 		if ( upn ) {
 			fstrcpy( salt, upn );
 		}

