Esempio n. 1
/**
 * Open an IPC connection, an LSA pipe and an LSA policy handle, then
 * fetch the domain information through that handle.
 *
 * @param mem_ctx   talloc context passed to the LSA call and to
 *                  get_domain_info()
 * @param net_ctx   net context; opt_host is read only for the failure message
 * @param cli       out: connection set up by net_make_ipc_connection_ex()
 * @param pipe_hnd  out: LSA pipe opened on *cli
 * @param pol_hnd   out: policy handle filled in by dcerpc_lsa_open_policy2()
 * @param dom_data  out: filled in by get_domain_info()
 *
 * @return NT_STATUS_OK when every step succeeded, otherwise the status of
 *         the first step that failed.
 *
 * No error path in this function releases *cli or *pipe_hnd; whatever the
 * earlier steps stored there stays for the caller to clean up.
 */
static NTSTATUS connect_and_get_info(TALLOC_CTX *mem_ctx,
				     struct net_context *net_ctx,
				     struct cli_state **cli,
				     struct rpc_pipe_client **pipe_hnd,
				     struct policy_handle *pol_hnd,
				     struct dom_data *dom_data)
{
	struct rpc_pipe_client *lsa_pipe = NULL;
	NTSTATUS nt_status;
	NTSTATUS lsa_result;

	/* Connection is requested with NET_FLAGS_PDC and no explicit
	 * domain, server or address. */
	nt_status = net_make_ipc_connection_ex(net_ctx, NULL, NULL, NULL,
					       NET_FLAGS_PDC, cli);
	if (!NT_STATUS_IS_OK(nt_status)) {
		DEBUG(0, ("Failed to connect to [%s] with error [%s]\n",
			  net_ctx->opt_host, nt_errstr(nt_status)));
		return nt_status;
	}

	/*
	 * NOTE(review): the LSA pipe is opened with the "noauth" variant,
	 * so any protection of this traffic presumably comes from the
	 * underlying connection only -- confirm that this is acceptable
	 * for the rights requested below.
	 */
	nt_status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc.syntax_id,
					     pipe_hnd);
	if (!NT_STATUS_IS_OK(nt_status)) {
		DEBUG(0, ("Failed to initialise lsa pipe with error [%s]\n",
			  nt_errstr(nt_status)));
		return nt_status;
	}
	lsa_pipe = *pipe_hnd;

	/*
	 * The handle is requested with more than read access: besides
	 * LSA_POLICY_VIEW_LOCAL_INFORMATION it asks for
	 * LSA_POLICY_TRUST_ADMIN and LSA_POLICY_CREATE_SECRET.
	 */
	nt_status = dcerpc_lsa_open_policy2(lsa_pipe->binding_handle,
					    mem_ctx,
					    lsa_pipe->srv_name_slash,
					    false,
					    (LSA_POLICY_VIEW_LOCAL_INFORMATION |
					     LSA_POLICY_TRUST_ADMIN |
					     LSA_POLICY_CREATE_SECRET),
					    pol_hnd,
					    &lsa_result);

	/* Two statuses to check: the return value of the call itself, and
	 * the result it hands back through the last argument. */
	if (!NT_STATUS_IS_OK(nt_status)) {
		DEBUG(0, ("Failed to open policy handle with error [%s]\n",
			  nt_errstr(nt_status)));
		return nt_status;
	}
	if (!NT_STATUS_IS_OK(lsa_result)) {
		DEBUG(0, ("lsa_open_policy2 with error [%s]\n",
			  nt_errstr(lsa_result)));
		return lsa_result;
	}

	nt_status = get_domain_info(mem_ctx, lsa_pipe->binding_handle,
				    pol_hnd, dom_data);
	if (!NT_STATUS_IS_OK(nt_status)) {
		DEBUG(0, ("get_domain_info failed with error [%s].\n",
			  nt_errstr(nt_status)));
		return nt_status;
	}

	return NT_STATUS_OK;
}
Esempio n. 2
/**
 * Confirm that a domain join is still valid.
 *
 * Connects to the given server, sets up the netlogon credentials and, when
 * lp_client_schannel() allows it, opens a schannel-protected netlogon pipe
 * as the actual test.
 *
 * @param c       net context
 * @param domain  domain name used for the connection and the credentials
 * @param server  server to connect to
 * @param pss     server address, passed through to the connection call
 *
 * @return an NTSTATUS value: NT_STATUS_OK when the join looks valid,
 *         otherwise the status of the step that failed.
 *
 * NOTE(review): NT_STATUS_OK is also returned when the server refuses to
 * negotiate schannel, and when lp_client_schannel() is false, so a
 * successful return does not by itself show that a schannel session
 * could be opened.
 **/
NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
			 const char *server, struct sockaddr_storage *pss)
{
	struct cli_state *cli = NULL;
	struct rpc_pipe_client *netlogon_pipe = NULL;
	struct rpc_pipe_client *pipe_hnd = NULL;
	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
	unsigned int conn_flags = NET_FLAGS_PDC;
	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
	enum security_types sec = (enum security_types)lp_security();

	if (sec != SEC_ADS) {
		/* Some servers (e.g. WinNT) don't accept
		 * machine-authenticated smb connections, so connect
		 * anonymously. */
		conn_flags |= NET_FLAGS_ANONYMOUS;
	} else {
		/* Connect to IPC$ with the machine account's credentials;
		 * an anonymous connection may be denied by the server's
		 * local policy. */
		net_use_machine_account(c);
	}

	/* Connect to the remote machine. Nothing to shut down on failure. */
	status = net_make_ipc_connection_ex(c, domain, server, pss,
					    conn_flags, &cli);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	/* Set up the creds as though we're going to do schannel... */
	status = get_schannel_session_key(cli, domain, &neg_flags,
					  &netlogon_pipe);

	/* NT_STATUS_INVALID_NETWORK_RESPONSE means the server refuses to
	 * negotiate schannel although the creds were set up ok; that is
	 * accepted as a valid join. */
	if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_NETWORK_RESPONSE)) {
		status = NT_STATUS_OK;
		goto shutdown;
	}
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0,("net_rpc_join_ok: failed to get schannel session "
				"key from server %s for domain %s. Error was %s\n",
			cli->desthost, domain, nt_errstr(status) ));
		goto shutdown;
	}

	/* Only do the rest of the schannel test if the client is allowed
	 * to; status is still NT_STATUS_OK at this point. */
	if (!lp_client_schannel()) {
		goto shutdown;
	}

	status = cli_rpc_pipe_open_schannel_with_key(
		cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
		DCERPC_AUTH_LEVEL_PRIVACY,
		domain, &netlogon_pipe->dc, &pipe_hnd);
	if (!NT_STATUS_IS_OK(status)) {
		/* Per the original author's note, pipe_hnd is non-NULL
		 * if and only if the call above succeeded. */
		DEBUG(0,("net_rpc_join_ok: failed to open schannel session "
				"on netlogon pipe to server %s for domain %s. Error was %s\n",
			cli->desthost, domain, nt_errstr(status) ));
	}

shutdown:
	/* Every path taken after a successful connect ends here. */
	cli_shutdown(cli);
	return status;
}
Esempio n. 3
/**
 * Convenience wrapper around net_make_ipc_connection_ex() that uses the
 * workgroup stored in the net context and passes no explicit server or
 * address.
 *
 * @param c      net context; c->opt_workgroup is read, so c must not be NULL
 * @param flags  connection flags, passed through unchanged
 * @param pcli   out: receives the connection
 *
 * @return the status reported by net_make_ipc_connection_ex()
 */
NTSTATUS net_make_ipc_connection(struct net_context *c, unsigned flags,
				 struct cli_state **pcli)
{
	NTSTATUS status;

	status = net_make_ipc_connection_ex(c, c->opt_workgroup, NULL, NULL,
					    flags, pcli);
	return status;
}
Esempio n. 4
File: net.c Progetto: AllardJ/Tomato
/*
 * Variant of net_make_ipc_connection() that returns the connection
 * directly instead of a status. It calls net_make_ipc_connection_ex()
 * with no explicit target (three NULL arguments) and the caller's flags.
 * How a failure is signalled is decided by net_make_ipc_connection_ex(),
 * which is not visible here (presumably a NULL return -- confirm).
 */
struct cli_state *net_make_ipc_connection( unsigned flags )
{
	struct cli_state *conn;

	conn = net_make_ipc_connection_ex( NULL, NULL, NULL, flags );
	return conn;
}
Esempio n. 5
/**
 * Unjoin a machine from its domain through NetUnjoinDomain() and, when
 * asked to, request a reboot of the target host afterwards.
 *
 * Recognised arguments: one starting with "account" and one starting with
 * "password" (their values are extracted by get_string_param()), and the
 * literal word "reboot".
 *
 * NOTE(review): the account password is taken from the command line here,
 * where it can be visible to other local users (process listings, shell
 * history). It is also never cleared by this function.
 *
 * @param c     net context; opt_host selects the target server
 * @param argc  number of arguments
 * @param argv  argument vector
 *
 * @return the result of net_dom_usage() when usage is shown; -1 on a bad
 *         parameter, a failed connection or a failed unjoin; 0 after a
 *         successful unjoin without "reboot"; with "reboot", the result of
 *         the shutdown RPC command.
 */
static int net_dom_unjoin(struct net_context *c, int argc, const char **argv)
{
	const uint32_t unjoin_flags = NETSETUP_ACCT_DELETE |
				      NETSETUP_JOIN_DOMAIN |
				      NETSETUP_IGNORE_UNSUPPORTED_FLAGS;
	const char *server_name = NULL;
	const char *account = NULL;
	const char *password = NULL;
	struct cli_state *cli = NULL;
	bool do_reboot = false;
	NTSTATUS ntstatus;
	NET_API_STATUS status;
	int ret = -1;
	int idx;

	if (argc < 1 || c->display_usage) {
		return net_dom_usage(c, argc, argv);
	}

	/* Stays NULL when no host option was given. */
	server_name = c->opt_host;

	for (idx = 0; idx < argc; idx++) {
		const char *arg = argv[idx];

		/* Only the leading characters are compared, so any argument
		 * that merely starts with the keyword is accepted. */
		if (strnequal(arg, "account", strlen("account"))) {
			account = get_string_param(arg);
			if (account == NULL) {
				return -1;
			}
			continue;
		}
		if (strnequal(arg, "password", strlen("password"))) {
			password = get_string_param(arg);
			if (password == NULL) {
				return -1;
			}
			continue;
		}
		if (strequal(arg, "reboot")) {
			do_reboot = true;
		}
	}

	/* The connection for the reboot request is opened before the
	 * unjoin is attempted; if it cannot be made, nothing is unjoined. */
	if (do_reboot) {
		ntstatus = net_make_ipc_connection_ex(c, c->opt_workgroup,
						      server_name, NULL, 0,
						      &cli);
		if (!NT_STATUS_IS_OK(ntstatus)) {
			return -1;
		}
	}

	status = NetUnjoinDomain(server_name, account, password, unjoin_flags);
	if (status != 0) {
		printf("Failed to unjoin domain: %s\n",
			libnetapi_get_error_string(c->netapi_ctx, status));
		goto done;
	}

	if (!do_reboot) {
		ret = 0;
		goto done;
	}

	/* Options read by the shutdown commands below. The unit of
	 * opt_timeout is not visible here (presumably seconds). */
	c->opt_comment = "Shutting down due to a domain membership "
			 "change";
	c->opt_reboot = true;
	c->opt_timeout = 30;

	/* Try the initshutdown interface first and fall back to winreg
	 * only when that fails. From here on ret reports the reboot
	 * request, not the unjoin, which has already succeeded. */
	ret = run_rpc_command(c, cli,
			      &ndr_table_initshutdown.syntax_id,
			      0, rpc_init_shutdown_internals,
			      argc, argv);
	if (ret != 0) {
		ret = run_rpc_command(c, cli, &ndr_table_winreg.syntax_id, 0,
				      rpc_reg_shutdown_internals,
				      argc, argv);
	}

 done:
	if (cli != NULL) {
		cli_shutdown(cli);
	}

	return ret;
}
Esempio n. 6
/*
 * Variant of net_make_ipc_connection() without a net context argument.
 * It forwards to net_make_ipc_connection_ex() with no explicit target
 * (three NULL arguments), the caller's flags and the output pointer.
 *
 * Returns the status reported by net_make_ipc_connection_ex(); the
 * connection is handed back through pcli.
 */
NTSTATUS net_make_ipc_connection(unsigned flags, struct cli_state **pcli)
{
	NTSTATUS status;

	status = net_make_ipc_connection_ex(NULL, NULL, NULL, flags, pcli);
	return status;
}