[SCM] Samba Shared Repository - branch master updated -
release-4-0-0alpha7-1272-ge28071f
Günther Deschner
gd at samba.org
Fri Apr 24 12:48:22 GMT 2009
The branch, master has been updated
via e28071f79a68bd01627d603c1a407aa913577f50 (commit)
via 37f491e5e38ea4fee1475b7347e57883225d3bd9 (commit)
from 16b2f4b55a80314aa733dd7f23543c1c3926223c (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit e28071f79a68bd01627d603c1a407aa913577f50
Author: Günther Deschner <gd at samba.org>
Date: Tue Feb 3 20:03:42 2009 +0100
s3-libnetjoin: make acct_flags dependent on secure channel type.
Guenther
commit 37f491e5e38ea4fee1475b7347e57883225d3bd9
Author: Günther Deschner <gd at samba.org>
Date: Thu Nov 6 12:26:24 2008 +0100
s3-libnetjoin: add support for WKSSVC_JOIN_FLAGS_JOIN_UNSECURE.
Guenther
-----------------------------------------------------------------------
Summary of changes:
source3/libnet/libnet_join.c | 77 ++++++++++++++++++++++++++++++++++++++---
1 files changed, 71 insertions(+), 6 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 81990df..de92094 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -743,6 +743,55 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
}
/****************************************************************
+ Do the domain join unsecure
+****************************************************************/
+
+static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
+ struct libnet_JoinCtx *r,
+ struct cli_state *cli)
+{
+ struct rpc_pipe_client *pipe_hnd = NULL;
+ unsigned char orig_trust_passwd_hash[16];
+ unsigned char new_trust_passwd_hash[16];
+ fstring trust_passwd;
+ NTSTATUS status;
+
+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
+ &pipe_hnd);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (!r->in.machine_password) {
+ r->in.machine_password = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
+ NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
+ }
+
+ E_md4hash(r->in.machine_password, new_trust_passwd_hash);
+
+ /* according to WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED */
+ fstrcpy(trust_passwd, r->in.admin_password);
+ strlower_m(trust_passwd);
+
+ /*
+ * Machine names can be 15 characters, but the max length on
+ * a password is 14. --jerry
+ */
+
+ trust_passwd[14] = '\0';
+
+ E_md4hash(trust_passwd, orig_trust_passwd_hash);
+
+ status = rpccli_netlogon_set_trust_password(pipe_hnd, mem_ctx,
+ orig_trust_passwd_hash,
+ r->in.machine_password,
+ new_trust_passwd_hash,
+ r->in.secure_channel_type);
+
+ return status;
+}
+
+/****************************************************************
Do the domain join
****************************************************************/
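Review bot: libnet_join_joindomain_rpc_unsecure copies `r->in.admin_password` into `trust_passwd` without checking that it is set, and the dispatch in libnet_DomainJoin tests only the join flags. Depending on how fstrcpy treats a NULL source, which this hunk does not show, a missing password would either fault or be hashed as an empty string. A guard at the top, `if (!r->in.admin_password) { return NT_STATUS_INVALID_PARAMETER; }`, makes the precondition explicit. The function also returns with `trust_passwd` and both MD4 hashes still on the stack; clearing them before `return status;`, for example `ZERO_STRUCT(trust_passwd);` and the same for the two hash arrays, limits how long that material stays in memory. The comment about machine names predates this use and should instead say that the passed password is lowercased and cut to 14 characters before hashing.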
@@ -768,6 +817,17 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
ZERO_STRUCT(domain_pol);
ZERO_STRUCT(user_pol);
+ switch (r->in.secure_channel_type) {
+ case SEC_CHAN_WKSTA:
+ acct_flags = ACB_WSTRUST;
+ break;
+ case SEC_CHAN_BDC:
+ acct_flags = ACB_SVRTRUST;
+ break;
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
if (!r->in.machine_password) {
r->in.machine_password = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
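Review bot: The `secure_channel_type` validation added in this switch is not mirrored in libnet_join_joindomain_rpc_unsecure from the same patch, which passes `r->in.secure_channel_type` to rpccli_netlogon_set_trust_password unchecked. Repeating the `default: return NT_STATUS_INVALID_PARAMETER;` rejection there, or sharing one helper, would keep both join paths consistent. Since `SEC_CHAN_BDC` now yields an `ACB_SVRTRUST` account, a comment above the switch such as `/* account type follows the requested secure channel; BDC creates a server trust account */` would record why only these two values are accepted. The declaration of `acct_flags` and the rest of libnet_join_joindomain_rpc lie outside the hunk.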
@@ -819,15 +879,13 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
SAMR_USER_ACCESS_SET_ATTRIBUTES;
uint32_t access_granted = 0;
- /* Don't try to set any acct_flags flags other than ACB_WSTRUST */
-
DEBUG(10,("Creating account with desired access mask: %d\n",
access_desired));
status = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx,
&domain_pol,
&lsa_acct_name,
- ACB_WSTRUST,
+ acct_flags,
access_desired,
&user_pol,
&access_granted,
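Review bot: The removed comment was the only statement of which flags are passed to rpccli_samr_CreateUser2, and nothing replaces it. A line such as `/* acct_flags was chosen from r->in.secure_channel_type above */` before the call would keep that visible. The function continues outside this hunk, so any later step that still assumes a workstation trust account, for instance where account flags are set after creation, should be checked against the `ACB_SVRTRUST` case.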
@@ -1524,7 +1582,8 @@ static WERROR libnet_join_post_processing(TALLOC_CTX *mem_ctx,
}
#ifdef WITH_ADS
- if (r->out.domain_is_ad) {
+ if (r->out.domain_is_ad &&
+ !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
ADS_STATUS ads_status;
ads_status = libnet_join_post_processing_ads(mem_ctx, r);
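Review bot: This condition skips ADS post-processing whenever `WKSSVC_JOIN_FLAGS_JOIN_UNSECURE` is set, but the dispatch in libnet_DomainJoin (last hunk) takes the unsecure path only when `WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED` is set as well. With JOIN_UNSECURE alone the regular libnet_join_joindomain_rpc join runs, yet this step and the `account_ou` connect in the following hunk are both skipped. Either test the same pair of flags in all three places, or reject JOIN_UNSECURE without MACHINE_PWD_PASSED before any join work starts, e.g. `if ((flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) && !(flags & WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED)) return WERR_INVALID_PARAM;`. The enclosing function extends beyond the hunk.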
@@ -1784,7 +1843,8 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
}
#ifdef WITH_ADS
- if (r->out.domain_is_ad && r->in.account_ou) {
+ if (r->out.domain_is_ad && r->in.account_ou &&
+ !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
ads_status = libnet_join_connect_ads(mem_ctx, r);
if (!ADS_ERR_OK(ads_status)) {
@@ -1804,7 +1864,12 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
}
#endif /* WITH_ADS */
- status = libnet_join_joindomain_rpc(mem_ctx, r, cli);
+ if ((r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) &&
+ (r->in.join_flags & WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED)) {
+ status = libnet_join_joindomain_rpc_unsecure(mem_ctx, r, cli);
+ } else {
+ status = libnet_join_joindomain_rpc(mem_ctx, r, cli);
+ }
if (!NT_STATUS_IS_OK(status)) {
libnet_join_set_error_string(mem_ctx, r,
"failed to join domain '%s' over rpc: %s",
--
Samba Shared Repository