Samba 4 libnet_join and RPC-JOIN torture test

Andrew Bartlett abartlet at samba.org
Sun Sep 11 21:15:17 GMT 2005 

On Sun, 2005-09-11 at 12:45 -0600, Brad Henry wrote:
> Andrew Bartlett wrote:

> >Do you change any other flags (such as 'disabled') that may be set, and
> >need clearing?  I'm still not sure that remaining in the role is the
> >right behaviour, but perhaps we just need to build up the alternate
> >toolset to show how it 'should' work.  (I support a 'net promo', that
> >creates a BDC and does the sync).
> >
> >Andrew Bartlett
> >
> >  
> >
> 
> libnet_JoinDomain() attempts an dcerpc_samr_CreateUser2() call. If it 
> returns NT_STATUS_USER_EXISTS, the function calls 
> dcerpc_samr_LookupNames() and dcerpc_samr_OpenUser() to get information 
> like the account RID and user handle for the libnet_JoinDomain struct, 
> and then a later test avoids changing any account flags.

What I'm saying is not that we should change the account type (this has
problems anyway, as it really requires moving accounts between
containers).  I am saying that we should still try and clear any other
flags, such as 'disabled'.

> What does get changed is the account password, which I don't think is 
> bad. If that's not correct, libnet_JoinDomain() keeps the return status 
> of the CreateUser2() call throughout, so we could just wrap the 
> libnet_SetPassword() call in an 'NT_STATUS_EQUAL(cu_status, 
> NT_STATUS_USER_EXISTS)' test. We would then have to retrieve the current 
> account password though.
> 
> My concern with having the libnet join routines "upgrade" or "downgrade" 
> accounts by default is that it would be very easy to do accidentally. I 
> think that the functionality of something like 'net promo' / 'net 
> demote' and 'net join' / 'net leave' would be less likely to be misused.

We should not confuse the role of libnet join with the role of 'net' in
calling libnet join.  The join routine should handle both cases, but if
we want to make the interfaces easier, then we certainly should have a
'net dcpromo' that calls both libnet_join and libnet_samsync (or later,
dssync when we get that going).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20050912/f1bfacf0/attachment.bin

More information about the samba-technical mailing list