/**
 * Connect to a server, open its LSA policy and fetch domain information.
 *
 * The steps run in order and the first failure is logged at debug level 0
 * and returned to the caller:
 *   1. IPC connection through net_make_ipc_connection_ex() with NET_FLAGS_PDC.
 *   2. LSA pipe opened with cli_rpc_pipe_open_noauth().
 *   3. lsa_open_policy2 on that pipe.
 *   4. get_domain_info() using the resulting policy handle.
 *
 * NOTE(review): the LSA pipe is opened through the "noauth" helper, so any
 * protection of the LSA traffic presumably comes from the underlying SMB
 * session only - confirm that this is acceptable for a handle that asks for
 * LSA_POLICY_TRUST_ADMIN and LSA_POLICY_CREATE_SECRET.
 *
 * NOTE(review): nothing is released here on failure. Whatever was already
 * stored in *cli / *pipe_hnd / *pol_hnd stays as it is, so the caller
 * presumably has to shut the connection down on every return path - confirm.
 *
 * @param mem_ctx   talloc context handed to the LSA and domain-info calls
 * @param net_ctx   net context; opt_host is only read for the error message
 * @param cli       out: connection filled in by net_make_ipc_connection_ex()
 * @param pipe_hnd  out: LSA pipe filled in by cli_rpc_pipe_open_noauth()
 * @param pol_hnd   out: policy handle filled in by lsa_open_policy2
 * @param dom_data  out: passed through to get_domain_info()
 * @return NT_STATUS_OK when all four steps succeed, otherwise the status of
 *         the step that failed (transport status or the LSA call result)
 */
static NTSTATUS connect_and_get_info(TALLOC_CTX *mem_ctx,
				     struct net_context *net_ctx,
				     struct cli_state **cli,
				     struct rpc_pipe_client **pipe_hnd,
				     struct policy_handle *pol_hnd,
				     struct dom_data *dom_data)
{
	NTSTATUS nt_status;
	NTSTATUS lsa_result;

	/* Step 1: IPC connection. */
	nt_status = net_make_ipc_connection_ex(net_ctx, NULL, NULL, NULL,
					       NET_FLAGS_PDC, cli);
	if (!NT_STATUS_IS_OK(nt_status)) {
		DEBUG(0, ("Failed to connect to [%s] with error [%s]\n",
			  net_ctx->opt_host, nt_errstr(nt_status)));
		return nt_status;
	}

	/* Step 2: LSA pipe on top of that connection. */
	nt_status = cli_rpc_pipe_open_noauth(*cli,
					     &ndr_table_lsarpc.syntax_id,
					     pipe_hnd);
	if (!NT_STATUS_IS_OK(nt_status)) {
		DEBUG(0, ("Failed to initialise lsa pipe with error [%s]\n",
			  nt_errstr(nt_status)));
		return nt_status;
	}

	/*
	 * Step 3: policy handle. The call reports two statuses: the return
	 * value for the RPC transport and lsa_result for the LSA operation
	 * itself. Both have to be checked.
	 */
	nt_status = dcerpc_lsa_open_policy2((*pipe_hnd)->binding_handle,
					    mem_ctx,
					    (*pipe_hnd)->srv_name_slash,
					    false,
					    (LSA_POLICY_VIEW_LOCAL_INFORMATION |
					     LSA_POLICY_TRUST_ADMIN |
					     LSA_POLICY_CREATE_SECRET),
					    pol_hnd,
					    &lsa_result);
	if (!NT_STATUS_IS_OK(nt_status)) {
		DEBUG(0, ("Failed to open policy handle with error [%s]\n",
			  nt_errstr(nt_status)));
		return nt_status;
	}
	if (!NT_STATUS_IS_OK(lsa_result)) {
		DEBUG(0, ("lsa_open_policy2 with error [%s]\n",
			  nt_errstr(lsa_result)));
		return lsa_result;
	}

	/* Step 4: domain information through the freshly opened handle. */
	nt_status = get_domain_info(mem_ctx, (*pipe_hnd)->binding_handle,
				    pol_hnd, dom_data);
	if (NT_STATUS_IS_OK(nt_status)) {
		return NT_STATUS_OK;
	}

	DEBUG(0, ("get_domain_info failed with error [%s].\n",
		  nt_errstr(nt_status)));
	return nt_status;
}
/**
 * Confirm that a domain join is still valid.
 *
 * Connects to the given server, sets up netlogon credentials as for
 * schannel and, when lp_client_schannel() allows it, opens a
 * schannel-protected netlogon pipe as the final proof.
 *
 * Points a reviewer should keep in mind when relying on the result:
 *  - NT_STATUS_INVALID_NETWORK_RESPONSE from get_schannel_session_key() is
 *    mapped to NT_STATUS_OK. The code treats this as "server refuses to
 *    negotiate schannel, but the credentials were set up ok", so a success
 *    return does not prove that a secure channel can be established.
 *  - When lp_client_schannel() is false the schannel pipe is never opened
 *    and the credential setup alone decides the outcome.
 *  - Outside SEC_ADS the IPC connection is made with NET_FLAGS_ANONYMOUS.
 *
 * @param c       net context, passed to the connection helpers
 * @param domain  domain name used for the connection and the netlogon setup
 * @param server  server name handed to net_make_ipc_connection_ex()
 * @param pss     server address handed to net_make_ipc_connection_ex()
 * @return an NTSTATUS value (not a shell status): NT_STATUS_OK when the join
 *         is considered valid, otherwise the status of the failing step
 **/
NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
			 const char *server, struct sockaddr_storage *pss)
{
	struct cli_state *cli = NULL;
	struct rpc_pipe_client *netlogon_pipe = NULL;
	struct rpc_pipe_client *schannel_pipe = NULL;
	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
	unsigned int conn_flags = NET_FLAGS_PDC;
	NTSTATUS ntret = NT_STATUS_UNSUCCESSFUL;
	enum security_types sec = (enum security_types)lp_security();

	if (sec != SEC_ADS) {
		/*
		 * Some servers (e.g. WinNT) don't accept machine-authenticated
		 * smb connections, so fall back to an anonymous one.
		 */
		conn_flags |= NET_FLAGS_ANONYMOUS;
	} else {
		/*
		 * Use the machine account's credentials for IPC$: an anonymous
		 * connection may be denied by the server's local policy.
		 */
		net_use_machine_account(c);
	}

	/* Nothing to clean up yet if the connection itself fails. */
	ntret = net_make_ipc_connection_ex(c, domain, server, pss,
					   conn_flags, &cli);
	if (!NT_STATUS_IS_OK(ntret)) {
		return ntret;
	}

	/* Set the credentials up as though schannel were about to be used. */
	ntret = get_schannel_session_key(cli, domain, &neg_flags,
					 &netlogon_pipe);

	if (NT_STATUS_EQUAL(ntret, NT_STATUS_INVALID_NETWORK_RESPONSE)) {
		/*
		 * The server refuses to negotiate schannel, but the creds were
		 * set up ok. That is accepted as a valid join.
		 */
		ntret = NT_STATUS_OK;
		goto done;
	}

	if (!NT_STATUS_IS_OK(ntret)) {
		DEBUG(0,("net_rpc_join_ok: failed to get schannel session "
			 "key from server %s for domain %s. Error was %s\n",
			 cli->desthost, domain, nt_errstr(ntret) ));
		goto done;
	}

	/* Only run the real schannel test if the client may use schannel. */
	if (!lp_client_schannel()) {
		/* ntret is NT_STATUS_OK at this point. */
		goto done;
	}

	ntret = cli_rpc_pipe_open_schannel_with_key(
		cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
		DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe->dc,
		&schannel_pipe);
	if (!NT_STATUS_IS_OK(ntret)) {
		/* schannel_pipe is only expected to be set on success. */
		DEBUG(0,("net_rpc_join_ok: failed to open schannel session "
			 "on netlogon pipe to server %s for domain %s. Error was %s\n",
			 cli->desthost, domain, nt_errstr(ntret) ));
	}

done:
	/* Every path after a successful connect ends the connection here. */
	cli_shutdown(cli);
	return ntret;
}
/**
 * Convenience wrapper around net_make_ipc_connection_ex().
 *
 * Uses the workgroup stored in the net context as the domain and passes
 * NULL for both the server name and the server address.
 *
 * @param c      net context; c->opt_workgroup is read, so c must not be NULL
 * @param flags  connection flags, forwarded unchanged
 * @param pcli   out: receives the connection from the _ex variant
 * @return the NTSTATUS returned by net_make_ipc_connection_ex()
 */
NTSTATUS net_make_ipc_connection(struct net_context *c, unsigned flags,
				 struct cli_state **pcli)
{
	const char *domain = c->opt_workgroup;

	return net_make_ipc_connection_ex(c, domain, NULL, NULL, flags, pcli);
}
/**
 * Convenience wrapper around net_make_ipc_connection_ex().
 *
 * Passes NULL for the first three arguments of the _ex variant and
 * forwards only the connection flags.
 *
 * @param flags  connection flags, forwarded unchanged
 * @return whatever net_make_ipc_connection_ex() returns; callers should
 *         check the pointer before use (presumably NULL on failure - confirm)
 */
struct cli_state *net_make_ipc_connection(unsigned flags)
{
	struct cli_state *cli;

	cli = net_make_ipc_connection_ex(NULL, NULL, NULL, flags);
	return cli;
}
/**
 * Unjoin a machine from its domain, optionally rebooting it afterwards.
 *
 * Recognised arguments:
 *   - any argument starting with "account"  -> value from get_string_param()
 *   - any argument starting with "password" -> value from get_string_param()
 *   - exactly "reboot"                      -> reboot after a successful unjoin
 *
 * The match on "account"/"password" is a prefix match (strnequal with the
 * keyword length), so longer words with the same prefix are accepted too.
 *
 * NOTE(review): the password is taken from the command line. Arguments of a
 * running process are commonly readable by other local users and may end up
 * in shell history; nothing in this function clears it.
 *
 * When "reboot" is given, the connection for the shutdown request is made
 * before NetUnjoinDomain() is called, so a connection failure aborts
 * without touching the domain membership.
 *
 * @param c     net context (opt_host selects the server; opt_comment,
 *              opt_reboot and opt_timeout are overwritten for the reboot)
 * @param argc  number of arguments
 * @param argv  arguments as described above
 * @return 0 on success, -1 on failure, or the result of the shutdown RPC
 *         command when a reboot was requested
 */
static int net_dom_unjoin(struct net_context *c, int argc, const char **argv)
{
	uint32_t unjoin_flags = NETSETUP_ACCT_DELETE |
				NETSETUP_JOIN_DOMAIN |
				NETSETUP_IGNORE_UNSUPPORTED_FLAGS;
	const char *server_name = NULL;
	const char *account = NULL;
	const char *password = NULL;
	struct cli_state *cli = NULL;
	bool do_reboot = false;
	NET_API_STATUS status;
	NTSTATUS ntstatus;
	int ret = -1;
	int i;

	if (argc < 1 || c->display_usage) {
		return net_dom_usage(c, argc, argv);
	}

	/* A NULL opt_host leaves server_name NULL as well. */
	server_name = c->opt_host;

	for (i = 0; i < argc; i++) {
		const char *arg = argv[i];

		if (strnequal(arg, "account", strlen("account"))) {
			account = get_string_param(arg);
			if (account == NULL) {
				return -1;
			}
		}
		if (strnequal(arg, "password", strlen("password"))) {
			password = get_string_param(arg);
			if (password == NULL) {
				return -1;
			}
		}
		if (strequal(arg, "reboot")) {
			do_reboot = true;
		}
	}

	/* Open the connection needed for the reboot before unjoining. */
	if (do_reboot) {
		ntstatus = net_make_ipc_connection_ex(c, c->opt_workgroup,
						      server_name, NULL, 0,
						      &cli);
		if (!NT_STATUS_IS_OK(ntstatus)) {
			return -1;
		}
	}

	status = NetUnjoinDomain(server_name, account, password, unjoin_flags);
	if (status != 0) {
		printf("Failed to unjoin domain: %s\n",
			libnetapi_get_error_string(c->netapi_ctx, status));
		goto done;
	}

	if (!do_reboot) {
		ret = 0;
		goto done;
	}

	c->opt_comment = "Shutting down due to a domain membership "
			 "change";
	c->opt_reboot = true;
	c->opt_timeout = 30;

	/* Try the initshutdown interface first, then fall back to winreg. */
	ret = run_rpc_command(c, cli,
			      &ndr_table_initshutdown.syntax_id, 0,
			      rpc_init_shutdown_internals,
			      argc, argv);
	if (ret != 0) {
		ret = run_rpc_command(c, cli,
				      &ndr_table_winreg.syntax_id, 0,
				      rpc_reg_shutdown_internals,
				      argc, argv);
	}

done:
	if (cli != NULL) {
		cli_shutdown(cli);
	}

	return ret;
}
/**
 * Convenience wrapper around net_make_ipc_connection_ex().
 *
 * Passes NULL for the first three arguments of the _ex variant and
 * forwards the flags and the output pointer.
 *
 * @param flags  connection flags, forwarded unchanged
 * @param pcli   out: receives the connection from the _ex variant
 * @return the NTSTATUS returned by net_make_ipc_connection_ex()
 */
NTSTATUS net_make_ipc_connection(unsigned flags, struct cli_state **pcli)
{
	NTSTATUS status;

	status = net_make_ipc_connection_ex(NULL, NULL, NULL, flags, pcli);
	return status;
}