Samba 4 libnet_join and RPC-JOIN torture test
abartlet at samba.org
Sun Sep 11 21:15:17 GMT 2005
On Sun, 2005-09-11 at 12:45 -0600, Brad Henry wrote:
> Andrew Bartlett wrote:
> >Do you change any other flags (such as 'disabled') that may be set, and
> >need clearing? I'm still not sure that remaining in the role is the
> >right behaviour, but perhaps we just need to build up the alternate
> >toolset to show how it 'should' work. (I support a 'net promo', that
> >creates a BDC and does the sync).
> >Andrew Bartlett
> libnet_JoinDomain() attempts a dcerpc_samr_CreateUser2() call. If it
> returns NT_STATUS_USER_EXISTS, the function calls
> dcerpc_samr_LookupNames() and dcerpc_samr_OpenUser() to get information
> like the account RID and user handle for the libnet_JoinDomain struct,
> and then a later test avoids changing any account flags.
What I'm saying is not that we should change the account type (this has
problems anyway, as it really requires moving accounts between
containers). I am saying that we should still try and clear any other
flags, such as 'disabled'.
> What does get changed is the account password, which I don't think is
> bad. If that's not correct, libnet_JoinDomain() keeps the return status
> of the CreateUser2() call throughout, so we could just wrap the
> libnet_SetPassword() call in an 'NT_STATUS_EQUAL(cu_status,
> NT_STATUS_USER_EXISTS)' test. We would then have to retrieve the current
> account password though.
> My concern with having the libnet join routines "upgrade" or "downgrade"
> accounts by default is that it would be very easy to do accidentally. I
> think that the functionality of something like 'net promo' / 'net
> demote' and 'net join' / 'net leave' would be less likely to be misused.
We should not confuse the role of libnet join with the role of 'net' in
calling libnet join. The join routine should handle both cases, but if
we want to make the interfaces easier, then we certainly should have a
'net dcpromo' that calls both libnet_join and libnet_samsync (or later,
dssync when we get that going).
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
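
The behaviour discussed in this message (reuse an existing machine account, leave its account type alone, but still clear flags such as 'disabled'), as an added example that is not part of the original message or of Samba's libnet code. The helper name, the result bits and the set of clearable flags are assumptions; the ACB_* values are the SAMR account-control bits.

```c
#include <stdint.h>
#include <stdio.h>

/* SAMR account-control bits. */
#define ACB_DISABLED 0x00000001u
#define ACB_NORMAL   0x00000010u
#define ACB_DOMTRUST 0x00000040u
#define ACB_WSTRUST  0x00000080u  /* workstation / member server */
#define ACB_SVRTRUST 0x00000100u  /* domain controller (BDC) */
#define ACB_TYPE_MASK (ACB_NORMAL | ACB_DOMTRUST | ACB_WSTRUST | ACB_SVRTRUST)

/* Assumption: flags a join is allowed to clear on a reused account. */
#define JOIN_CLEARABLE (ACB_DISABLED)

/* Result bits (hypothetical), may be OR-ed together. */
enum { JOIN_FIX_CLEARED = 1, JOIN_FIX_TYPE_MISMATCH = 2 };

/*
 * Hypothetical helper for the "CreateUser2 returned USER_EXISTS" path.
 * Computes the acct_flags to write back: clearable flags are dropped,
 * account-type bits are never changed. A type that differs from the
 * requested join type is reported to the caller, not "fixed" here.
 */
int join_fixup_flags(uint32_t current, uint32_t wanted_type,
                     uint32_t *new_flags)
{
    int result = 0;

    *new_flags = current & ~JOIN_CLEARABLE;
    if (*new_flags != current)
        result |= JOIN_FIX_CLEARED;
    if ((current & ACB_TYPE_MASK) != wanted_type)
        result |= JOIN_FIX_TYPE_MISMATCH;
    return result;
}

int main(void)
{
    /* Constructed sample: a disabled BDC account, member join requested. */
    uint32_t out;
    int r = join_fixup_flags(ACB_SVRTRUST | ACB_DISABLED, ACB_WSTRUST, &out);

    printf("result=%d new_flags=0x%08x\n", r, (unsigned)out);
    return 0;
}
```
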