
svn commit: samba r10098 - in branches/tmp/RPCREWRITE/source/utils: .

Subject: svn commit: samba r10098 - in branches/tmp/RPCREWRITE/source/utils: .
From:
Date: Fri, 9 Sep 2005 01:10:40 +0000 GMT
Author: jra
Date: 2005-09-09 01:10:40 +0000 (Fri, 09 Sep 2005)
New Revision: 10098

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=10098

Log:
Convert domain join to new style.
Jeremy

Modified:
   branches/tmp/RPCREWRITE/source/utils/net_rpc_join.c


Changeset:
Modified: branches/tmp/RPCREWRITE/source/utils/net_rpc_join.c
===================================================================
--- branches/tmp/RPCREWRITE/source/utils/net_rpc_join.c 2005-09-09 00:42:18 UTC 
(rev 10097)
+++ branches/tmp/RPCREWRITE/source/utils/net_rpc_join.c 2005-09-09 01:10:40 UTC 
(rev 10098)
@@ -45,6 +45,7 @@
 {
        struct cli_state *cli = NULL;
        struct rpc_pipe_client *pipe_hnd = NULL;
+       int retval = 1;
        NTSTATUS ret;
 
        /* Connect to remote machine */
@@ -87,7 +88,10 @@
        struct cli_state *cli;
        TALLOC_CTX *mem_ctx;
         uint32 acb_info = ACB_WSTRUST;
+       uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
        uint32 sec_channel_type;
+       struct rpc_pipe_client *pipe_hnd = NULL;
+       struct rpc_pipe_client *netlogon_schannel_pipe = NULL;
 
        /* rpc variables */
 
@@ -135,7 +139,7 @@
 #endif
        }
 
-       /* Connect to remote machine */
+       /* Make authenticated connection to remote machine */
 
        if (!(cli = net_make_ipc_connection(NET_FLAGS_PDC))) 
                return 1;
@@ -147,38 +151,41 @@
 
        /* Fetch domain sid */
 
-       if (!cli_nt_session_open(cli, PI_LSARPC)) {
-               DEBUG(0, ("Error connecting to LSA pipe\n"));
+       pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_LSARPC, &result);
+       if (!pipe_hnd) {
+               DEBUG(0, ("Error connecting to LSA pipe. Error was %s\n",
+                       nt_errstr(result) ));
                goto done;
        }
 
 
-       CHECK_RPC_ERR(cli_lsa_open_policy(cli, mem_ctx, True,
+       CHECK_RPC_ERR(rpccli_lsa_open_policy(pipe_hnd, mem_ctx, True,
                                          SEC_RIGHTS_MAXIMUM_ALLOWED,
                                          &lsa_pol),
                      "error opening lsa policy handle");
 
-       CHECK_RPC_ERR(cli_lsa_query_info_policy(cli, mem_ctx, &lsa_pol,
+       CHECK_RPC_ERR(rpccli_lsa_query_info_policy(pipe_hnd, mem_ctx, &lsa_pol,
                                                5, &domain, &domain_sid),
                      "error querying info policy");
 
-       cli_lsa_close(cli, mem_ctx, &lsa_pol);
+       rpccli_lsa_close(pipe_hnd, mem_ctx, &lsa_pol);
+       cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */
 
-       cli_nt_session_close(cli); /* Done with this pipe */
-
        /* Create domain user */
-       if (!cli_nt_session_open(cli, PI_SAMR)) {
-               DEBUG(0, ("Error connecting to SAM pipe\n"));
+       pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_SAMR, &result);
+       if (!pipe_hnd) {
+               DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n",
+                       nt_errstr(result) ));
                goto done;
        }
 
-       CHECK_RPC_ERR(cli_samr_connect(cli, mem_ctx, 
+       CHECK_RPC_ERR(rpccli_samr_connect(pipe_hnd, mem_ctx, 
                                       SEC_RIGHTS_MAXIMUM_ALLOWED,
                                       &sam_pol),
                      "could not connect to SAM database");
 
        
-       CHECK_RPC_ERR(cli_samr_open_domain(cli, mem_ctx, &sam_pol,
+       CHECK_RPC_ERR(rpccli_samr_open_domain(pipe_hnd, mem_ctx, &sam_pol,
                                           SEC_RIGHTS_MAXIMUM_ALLOWED,
                                           domain_sid, &domain_pol),
                      "could not open domain");
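Review bot: A failure after any of the pipe opens in this function now reaches `done:` with `pipe_hnd` still open, because a later hunk of this commit removes the only pipe cleanup under that label and the new code closes pipes only on the success path. This applies to the CHECK_RPC_ERR calls after the LSARPC and SAMR opens here (assuming the macro jumps to `done`, its definition is not shown) and to the `goto done` after the credential setup further down. Unless the connection teardown outside these hunks already closes remaining pipes, add `if (pipe_hnd) cli_rpc_pipe_close(pipe_hnd);` under `done:` and set `pipe_hnd = NULL;` after each mid-function close so the handle is never closed twice. The enclosing function starts and ends outside this hunk.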
@@ -188,7 +195,7 @@
        strlower_m(acct_name);
        const_acct_name = acct_name;
 
-       result = cli_samr_create_dom_user(cli, mem_ctx, &domain_pol,
+       result = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol,
                                          acct_name, acb_info,
                                          0xe005000b, &user_pol, 
                                          &user_rid);
@@ -209,10 +216,11 @@
 
        /* We *must* do this.... don't ask... */
 
-       if (NT_STATUS_IS_OK(result))
-               cli_samr_close(cli, mem_ctx, &user_pol);
+       if (NT_STATUS_IS_OK(result)) {
+               rpccli_samr_close(pipe_hnd, mem_ctx, &user_pol);
+       }
 
-       CHECK_RPC_ERR_DEBUG(cli_samr_lookup_names(cli, mem_ctx,
+       CHECK_RPC_ERR_DEBUG(rpccli_samr_lookup_names(pipe_hnd, mem_ctx,
                                                  &domain_pol, flags,
                                                  1, &const_acct_name, 
                                                  &num_rids,
@@ -230,7 +238,7 @@
        /* Open handle on user */
 
        CHECK_RPC_ERR_DEBUG(
-               cli_samr_open_user(cli, mem_ctx, &domain_pol,
+               rpccli_samr_open_user(pipe_hnd, mem_ctx, &domain_pol,
                                   SEC_RIGHTS_MAXIMUM_ALLOWED,
                                   user_rid, &user_pol),
                ("could not re-open existing user %s: %s\n",
@@ -257,7 +265,7 @@
        ctr.switch_value = 24;
        ctr.info.id24 = &p24;
 
-       CHECK_RPC_ERR(cli_samr_set_userinfo(cli, mem_ctx, &user_pol, 24, 
+       CHECK_RPC_ERR(rpccli_samr_set_userinfo(pipe_hnd, mem_ctx, &user_pol, 
24, 
                                            &cli->user_session_key, &ctr),
                      "error setting trust account password");
 
@@ -279,26 +287,52 @@
        /* Ignoring the return value is necessary for joining a domain
           as a normal user with "Add workstation to domain" privilege. */
 
-       result = cli_samr_set_userinfo2(cli, mem_ctx, &user_pol, 16, 
+       result = rpccli_samr_set_userinfo2(pipe_hnd, mem_ctx, &user_pol, 16, 
                                        &cli->user_session_key, &ctr);
 
+       rpccli_samr_close(pipe_hnd, mem_ctx, &user_pol);
+       cli_rpc_pipe_close(pipe_hnd); /* Done with this pipe */
+
        /* Now check the whole process from top-to-bottom */
-       cli_samr_close(cli, mem_ctx, &user_pol);
-       cli_nt_session_close(cli); /* Done with this pipe */
 
-       if (!cli_nt_session_open(cli, PI_NETLOGON)) {
-               DEBUG(0,("Error connecting to NETLOGON pipe\n"));
+       pipe_hnd = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, &result);
+       if (!pipe_hnd) {
+               DEBUG(0,("Error connecting to NETLOGON pipe. Error was %s\n",
+                       nt_errstr(result) ));
                goto done;
        }
 
-       /* ensure that schannel uses the right domain */
-       fstrcpy(cli->domain, domain);
+       result = rpccli_netlogon_setup_creds(pipe_hnd,
+                                       cli->desthost,
+                                       domain,
+                                       global_myname(),
+                                        md4_trust_password,
+                                        sec_channel_type,
+                                        &neg_flags);
 
-       result = cli_nt_establish_netlogon(cli, sec_channel_type, 
-                                          md4_trust_password);
+       if (!NT_STATUS_IS_OK(result)) {
+               DEBUG(0, ("Error in domain join verification (credential setup 
failed): %s\n\n",
+                         nt_errstr(result)));
 
+               if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) &&
+                    (sec_channel_type == SEC_CHAN_BDC) ) {
+                       d_printf("Please make sure that no computer account\n"
+                                "named like this machine (%s) exists in the 
domain\n",
+                                global_myname());
+               }
+
+               goto done;
+       }
+
+       netlogon_schannel_pipe = cli_rpc_pipe_open_schannel_with_key(cli,
+                                                       PI_NETLOGON,
+                                                       PIPE_AUTH_LEVEL_PRIVACY,
+                                                       domain,
+                                                       pipe_hnd->dc,
+                                                       &result);
+
        if (!NT_STATUS_IS_OK(result)) {
-               DEBUG(0, ("Error domain join verification (reused connection): 
%s\n\n",
+               DEBUG(0, ("Error in domain join verification (schannel setup 
failed): %s\n\n",
                          nt_errstr(result)));
 
                if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) &&
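Review bot: The schannel open is the only pipe open in this function whose returned handle is not tested: the code checks `!NT_STATUS_IS_OK(result)` while the LSARPC, SAMR and NETLOGON opens check `!pipe_hnd`, and `netlogon_schannel_pipe` is later handed to `cli_rpc_pipe_close()`. Testing the pointer, `if (!netlogon_schannel_pipe) {`, keeps the four opens consistent and does not rely on the status always being set on failure. Separately, `neg_flags` is passed by address to `rpccli_netlogon_setup_creds()`; if that call rewrites it with what the server granted, nothing checks that `NETLOGON_NEG_SCHANNEL` is still set before the schannel pipe is opened. An explicit `if (!(neg_flags & NETLOGON_NEG_SCHANNEL))` branch with its own message would make that outcome deliberate. The enclosing function and the end of this `if` block lie outside the hunk.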
@@ -311,6 +345,9 @@
                goto done;
        }
 
+       cli_rpc_pipe_close(pipe_hnd);
+       cli_rpc_pipe_close(netlogon_schannel_pipe);
+
        /* Now store the secret in the secrets database */
 
        strupper_m(domain);
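Review bot: `pipe_hnd` is closed before `netlogon_schannel_pipe`, although the schannel pipe was opened with `pipe_hnd->dc`. Whether `cli_rpc_pipe_open_schannel_with_key()` copies that credential state or keeps the pointer is not visible here; if it keeps it, the second close may touch memory already released by the first. Closing in reverse order of creation, `cli_rpc_pipe_close(netlogon_schannel_pipe);` then `cli_rpc_pipe_close(pipe_hnd);`, is safe either way. The enclosing function starts and ends outside this hunk.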
@@ -328,11 +365,7 @@
        retval = net_rpc_join_ok(domain);
        
 done:
-       /* Close down pipe - this will clean up open policy handles */
 
-       if (cli->pipes[cli->pipe_idx].fnum)
-               cli_nt_session_close(cli);
-
        /* Display success or failure */
 
        if (retval != 0) {
@@ -348,7 +381,6 @@
        return retval;
 }
 
-
 /**
  * check that a join is OK
  *
