Samba 4 libnet_join and RPC-JOIN torture test

Brad Henry j0j0 at riod.ca
Mon Sep 12 00:22:58 GMT 2005 

Andrew Bartlett wrote:

>On Sun, 2005-09-11 at 12:45 -0600, Brad Henry wrote:
>  
>
>>Andrew Bartlett wrote:
>>    
>>
>
>  
>
>>>Do you change any other flags (such as 'disabled') that may be set, and
>>>need clearing?  I'm still not sure that remaining in the role is the
>>>right behaviour, but perhaps we just need to build up the alternate
>>>toolset to show how it 'should' work.  (I support a 'net promo', that
>>>creates a BDC and does the sync).
>>>
>>>Andrew Bartlett
>>>
>>> 
>>>
>>>      
>>>
>>libnet_JoinDomain() attempts an dcerpc_samr_CreateUser2() call. If it 
>>returns NT_STATUS_USER_EXISTS, the function calls 
>>dcerpc_samr_LookupNames() and dcerpc_samr_OpenUser() to get information 
>>like the account RID and user handle for the libnet_JoinDomain struct, 
>>and then a later test avoids changing any account flags.
>>    
>>
>
>What I'm saying is not that we should change the account type (this has
>problems anyway, as it really requires moving accounts between
>containers).  I am saying that we should still try and clear any other
>flags, such as 'disabled'.
>
>  
>
The included patch fixes this. It does not change the account type if 
the account exists, but does try to reset the disabled flag if it is set.

>>What does get changed is the account password, which I don't think is 
>>bad. If that's not correct, libnet_JoinDomain() keeps the return status 
>>of the CreateUser2() call throughout, so we could just wrap the 
>>libnet_SetPassword() call in an 'NT_STATUS_EQUAL(cu_status, 
>>NT_STATUS_USER_EXISTS)' test. We would then have to retrieve the current 
>>account password though.
>>
>>My concern with having the libnet join routines "upgrade" or "downgrade" 
>>accounts by default is that it would be very easy to do accidentally. I 
>>think that the functionality of something like 'net promo' / 'net 
>>demote' and 'net join' / 'net leave' would be less likely to be misused.
>>    
>>
>
>We should not confuse the role of libnet join with the role of 'net' in
>calling libnet join.  The join routine should handle both cases, but if
>we want to make the interfaces easier, then we certainly should have a
>'net dcpromo' that calls both libnet_join and libnet_samsync (or later,
>dssync when we get that going).
>
>Andrew Bartlett
>
>  
>
I agree, I wanted to make it clear that I think that the join and 
promote cases should be handled individually.

Thanks,
Brad


-------------- next part --------------
A non-text attachment was scrubbed...
Name: SAMBA_4_0-join.diff
Type: text/x-patch
Size: 49370 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20050911/b5a12f9b/SAMBA_4_0-join.bin

More information about the samba-technical mailing list