/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2015 Nexenta Systems, Inc. All rights reserved.
*/
/*
* Utility functions to support the RPC interface library.
*/
#include <stdio.h>
#include <stdarg.h>
#include <strings.h>
#include <unistd.h>
#include <netdb.h>
#include <stdlib.h>
#include <note.h>
#include <syslog.h>
#include <smbsrv/libsmbns.h>
#include <smbsrv/libmlsvc.h>
#include <smbsrv/ntaccess.h>
#include <smbsrv/netrauth.h>
#include <libsmbrdr.h>
#include <lsalib.h>
#include <samlib.h>
#include <mlsvc.h>
static DWORD
char *admin_user, char *admin_pw,
char *machine_name, char *machine_pw);
static DWORD
char *machine_name, char *machine_pw);
{
if (status != 0) {
return (status);
}
if (status != NT_STATUS_SUCCESS) {
"credential chain with DC: %s (%s)", server,
"domain controller does not match the local storage.");
}
(void) netr_close(&netr_handle);
return (status);
}
/*
* Join the specified domain. The method varies depending on whether
* we're using "secure join" (using an administrative account to join)
* or "unsecure join" (using a pre-created machine account). In the
* latter case, the machine account is created "by hand" before this
* machine attempts to join, and we just change the password from the
* (weak) default password for a new machine account to a random one.
*
* Returns NT status codes.
*/
void
{
int rc;
/*
* Domain join support: AD (Kerberos+LDAP) or MS-RPC?
*/
return;
}
/*
* Ensure that any previous membership of this domain has
* been cleared from the environment before we start. This
* will ensure that we don't attempt a NETLOGON_SAMLOGON
* when attempting to find the PDC.
*/
} else {
}
/*
* Tentatively set the idmap domain to the one we're joining,
* so that the DC locator in idmap knows what to look for.
* Ditto the SMB server domain.
*/
if (smb_config_refresh_idmap() != 0)
/* Clear DNS local (ADS) lookup cache. */
/*
* Locate a DC for this domain. Intentionally bypass the
* ddiscover service here because we're still joining.
* This also allows better reporting of any failures.
*/
if (status != NT_STATUS_SUCCESS) {
"smbd: failed to locate AD server for domain %s (%s)",
goto out;
}
/*
* Found a DC. Report what we found along with the return status
* so that admin will know which AD server we were talking to.
*/
/*
* Domain discovery needs to authenticate with the AD server.
* Disconnect any existing connection with the domain controller
* to make sure we won't use any prior authentication context
* our redirector might have.
*/
/*
* Get the domain policy info (domain SID etc).
* Here too, bypass the smb_ddiscover_service.
*/
if (status != NT_STATUS_SUCCESS) {
"smbd: failed getting domain info for %s (%s)",
goto out;
}
/*
* After a successful smbd_ddiscover_main() call
* we should call smb_domain_save() to update the
* data shown by smbadm list. Do that at the end,
* only if all goes well with joining the domain.
*/
/*
* Create or update our machine account on the DC.
* A non-null user means we do "secure join".
*/
/*
* If enabled, try to join using AD Services.
*/
if (ads_enabled) {
}
} else {
/*
* If ADS was disabled, join using RPC.
*/
}
} else {
/*
* Doing "Unsecure join" (pre-created account)
*/
}
if (status != NT_STATUS_SUCCESS)
goto out;
/*
* Make sure we can authenticate using the
* (new, or updated) machine account.
*/
if (rc != 0) {
goto out;
}
/*
* Store the new machine account password, and
* SMB_CI_DOMAIN_MEMB etc.
*/
if (rc != 0) {
"Failed to save machine account password");
goto out;
}
/*
* Update idmap config?
* Already set the domain_name above.
*/
/*
* Save the SMB server config. Sets: SMB_CI_DOMAIN_*
* Should unify SMB vs idmap configs.
*/
status = 0;
out:
if (status != 0) {
/*
* Undo the tentative domain settings.
*/
(void) smb_config_set_idmap_domain("");
(void) smb_config_refresh_idmap();
}
/* Avoid leaving cleartext passwords around. */
}
static DWORD
char *admin_user, char *admin_pw,
char *machine_name, char *machine_pw)
{
int rc;
/* Caller did smb_ipc_set() so we don't need the pw for now. */
if (rc != 0) {
return (RPC_NT_SERVER_UNAVAILABLE);
}
/* have samr_handle */
if (status != NT_STATUS_SUCCESS)
goto out_samr_handle;
/* have domain_handle */
if (status == NT_STATUS_USER_EXISTS) {
machine_name, &ainfo);
if (status != NT_STATUS_SUCCESS)
goto out_domain_handle;
}
if (status != NT_STATUS_SUCCESS) {
"smbd: failed to open machine account (%s)",
goto out_domain_handle;
}
/*
* The account exists, and we have user_handle open
* on that account. Set the password and flags.
*/
if (status != NT_STATUS_SUCCESS) {
"smbd: failed to set machine account password (%s)",
goto out_user_handle;
}
if (status != NT_STATUS_SUCCESS) {
"Set machine account control flags: %s",
goto out_user_handle;
}
(void) samr_close_handle(&user_handle);
(void) samr_close_handle(&domain_handle);
(void) samr_close_handle(&samr_handle);
return (status);
}
/*
* Doing "Unsecure join" (using a pre-created machine account).
* All we need to do is change the password from the default
* to a random string.
*
* Note: this is a work in progres. Nexenta issue 11960
* (allow joining an AD domain using a pre-created computer account)
* It turns out that to change the machine account password,
* we need to use a different RPC call, performed over the
* NetLogon secure channel. (See netr_server_password_set2)
*/
static DWORD
char *machine_name, char *machine_pw)
{
/*
* Compose the current (default) password for the
* pre-created machine account, which is just the
* account name in lower case, truncated to 14
* characters.
*/
return (NT_STATUS_INTERNAL_ERROR);
old_pw, machine_pw);
if (status != NT_STATUS_SUCCESS) {
"Change machine account password: %s",
}
return (status);
}
void
{
}