[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha7-1272-ge28071f

Günther Deschner gd at samba.org
Fri Apr 24 12:48:22 GMT 2009


The branch, master has been updated
       via  e28071f79a68bd01627d603c1a407aa913577f50 (commit)
       via  37f491e5e38ea4fee1475b7347e57883225d3bd9 (commit)
      from  16b2f4b55a80314aa733dd7f23543c1c3926223c (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e28071f79a68bd01627d603c1a407aa913577f50
Author: Günther Deschner <gd at samba.org>
Date:   Tue Feb 3 20:03:42 2009 +0100

    s3-libnetjoin: make acct_flags dependent on secure channel type.
    
    Guenther

commit 37f491e5e38ea4fee1475b7347e57883225d3bd9
Author: Günther Deschner <gd at samba.org>
Date:   Thu Nov 6 12:26:24 2008 +0100

    s3-libnetjoin: add support for WKSSVC_JOIN_FLAGS_JOIN_UNSECURE.
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 source3/libnet/libnet_join.c |   77 ++++++++++++++++++++++++++++++++++++++---
 1 files changed, 71 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 81990df..de92094 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -743,6 +743,55 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
 }
 
 /****************************************************************
+ Do the domain join unsecure
+****************************************************************/
+
+static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
+						    struct libnet_JoinCtx *r,
+						    struct cli_state *cli)
+{
+	struct rpc_pipe_client *pipe_hnd = NULL;
+	unsigned char orig_trust_passwd_hash[16];
+	unsigned char new_trust_passwd_hash[16];
+	fstring trust_passwd;
+	NTSTATUS status;
+
+	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
+					  &pipe_hnd);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	if (!r->in.machine_password) {
+		r->in.machine_password = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
+		NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
+	}
+
+	E_md4hash(r->in.machine_password, new_trust_passwd_hash);
+
+	/* according to WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED */
+	fstrcpy(trust_passwd, r->in.admin_password);
+	strlower_m(trust_passwd);
+
+	/*
+	 * Machine names can be 15 characters, but the max length on
+	 * a password is 14.  --jerry
+	 */
+
+	trust_passwd[14] = '\0';
+
+	E_md4hash(trust_passwd, orig_trust_passwd_hash);
+
+	status = rpccli_netlogon_set_trust_password(pipe_hnd, mem_ctx,
+						    orig_trust_passwd_hash,
+						    r->in.machine_password,
+						    new_trust_passwd_hash,
+						    r->in.secure_channel_type);
+
+	return status;
+}
+
+/****************************************************************
  Do the domain join
 ****************************************************************/
 
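Review bot: `fstrcpy(trust_passwd, r->in.admin_password)` reads the caller-supplied password without a NULL check, while the dispatch in libnet_DomainJoin selects this helper on join flags alone; unless a validation step outside this diff guarantees the field, add `if (!r->in.admin_password) { return NT_STATUS_INVALID_PARAMETER; }` before the pipe is opened. The function also returns with `trust_passwd` and both MD4 hash buffers still holding password-derived data on the stack; clearing them before `return status;` (for example `ZERO_STRUCT(trust_passwd);` and the same for the two hashes, or a wipe the compiler cannot elide) shortens their lifetime. Finally, `pipe_hnd` from cli_rpc_pipe_open_noauth is not released on any return path, including the NT_STATUS_HAVE_NO_MEMORY early return; if the connection teardown does not already own it, it should be freed here.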
@@ -768,6 +817,17 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
 	ZERO_STRUCT(domain_pol);
 	ZERO_STRUCT(user_pol);
 
+	switch (r->in.secure_channel_type) {
+	case SEC_CHAN_WKSTA:
+		acct_flags = ACB_WSTRUST;
+		break;
+	case SEC_CHAN_BDC:
+		acct_flags = ACB_SVRTRUST;
+		break;
+	default:
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	if (!r->in.machine_password) {
 		r->in.machine_password = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
 		NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
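Review bot: The new check on `r->in.secure_channel_type` protects only this SAMR path; libnet_join_joindomain_rpc_unsecure, added in the first hunk, forwards the same field to rpccli_netlogon_set_trust_password without it. If no earlier validation exists outside this diff, apply the same SEC_CHAN_WKSTA/SEC_CHAN_BDC check there, or hoist it into the caller so both paths reject other values with NT_STATUS_INVALID_PARAMETER. The body of libnet_join_joindomain_rpc starts and ends outside the hunk, so the declaration of `acct_flags` cannot be seen here.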
@@ -819,15 +879,13 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
 			SAMR_USER_ACCESS_SET_ATTRIBUTES;
 		uint32_t access_granted = 0;
 
-		/* Don't try to set any acct_flags flags other than ACB_WSTRUST */
-
 		DEBUG(10,("Creating account with desired access mask: %d\n",
 			access_desired));
 
 		status = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx,
 						 &domain_pol,
 						 &lsa_acct_name,
-						 ACB_WSTRUST,
+						 acct_flags,
 						 access_desired,
 						 &user_pol,
 						 &access_granted,
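Review bot: With the old comment removed, nothing at the rpccli_samr_CreateUser2 call says which values `acct_flags` can carry. A short comment such as `/* acct_flags is ACB_WSTRUST or ACB_SVRTRUST, chosen from secure_channel_type above */` would make it clear that this call can now create a server trust account. Code later in the function, outside this hunk, that inspects or sets account flags should be checked for a remaining hard-coded ACB_WSTRUST.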
@@ -1524,7 +1582,8 @@ static WERROR libnet_join_post_processing(TALLOC_CTX *mem_ctx,
 	}
 
 #ifdef WITH_ADS
-	if (r->out.domain_is_ad) {
+	if (r->out.domain_is_ad &&
+	    !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
 		ADS_STATUS ads_status;
 
 		ads_status  = libnet_join_post_processing_ads(mem_ctx, r);
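Review bot: The ADS steps are skipped whenever WKSSVC_JOIN_FLAGS_JOIN_UNSECURE is set, here and in the libnet_DomainJoin hunk at -1784, but the last hunk takes the unsecure RPC path only when WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED is set as well. A request carrying JOIN_UNSECURE alone therefore runs the regular libnet_join_joindomain_rpc join yet silently loses the `account_ou` pre-creation and the ADS post-processing. If that combination is not intended, all three places should test the same condition, ideally through one small static helper that takes `r` and returns whether the unsecure join applies, or the lone flag should be rejected up front. Both enclosing functions extend outside the hunks shown.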
@@ -1784,7 +1843,8 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
 	}
 
 #ifdef WITH_ADS
-	if (r->out.domain_is_ad && r->in.account_ou) {
+	if (r->out.domain_is_ad && r->in.account_ou &&
+	    !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
 
 		ads_status = libnet_join_connect_ads(mem_ctx, r);
 		if (!ADS_ERR_OK(ads_status)) {
@@ -1804,7 +1864,12 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
 	}
 #endif /* WITH_ADS */
 
-	status = libnet_join_joindomain_rpc(mem_ctx, r, cli);
+	if ((r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) &&
+	    (r->in.join_flags & WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED)) {
+		status = libnet_join_joindomain_rpc_unsecure(mem_ctx, r, cli);
+	} else {
+		status = libnet_join_joindomain_rpc(mem_ctx, r, cli);
+	}
 	if (!NT_STATUS_IS_OK(status)) {
 		libnet_join_set_error_string(mem_ctx, r,
 			"failed to join domain '%s' over rpc: %s",


-- 
Samba Shared Repository

