/*
* sam_delete_account
*
* Attempt to remove an account from the SAM database on the specified
* server.
*
* Returns NT status codes.
*/
DWORD
sam_delete_account(char *server, char *domain_name, char *account_name)
{
mlsvc_handle_t samr_handle;
mlsvc_handle_t domain_handle;
mlsvc_handle_t user_handle;
smb_account_t ainfo;
smb_sid_t *sid;
DWORD access_mask;
DWORD status;
int rc;
char user[SMB_USERNAME_MAXLEN];
smb_ipc_get_user(user, SMB_USERNAME_MAXLEN);
rc = samr_open(server, domain_name, user, SAM_LOOKUP_INFORMATION,
&samr_handle);
if (rc != 0)
return (NT_STATUS_CANT_ACCESS_DOMAIN_INFO);
sid = samr_lookup_domain(&samr_handle, domain_name);
if (sid == NULL) {
status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
goto out_samr_hdl;
}
status = samr_open_domain(&samr_handle, SAM_LOOKUP_INFORMATION,
(struct samr_sid *)sid, &domain_handle);
if (status != NT_STATUS_SUCCESS)
goto out_sid_ptr;
status = samr_lookup_domain_names(&domain_handle, account_name, &ainfo);
if (status != NT_STATUS_SUCCESS)
goto out_dom_hdl;
access_mask = STANDARD_RIGHTS_EXECUTE | DELETE;
status = samr_open_user(&domain_handle, access_mask,
ainfo.a_rid, &user_handle);
if (status != NT_STATUS_SUCCESS)
goto out_dom_hdl;
status = samr_delete_user(&user_handle);
(void) samr_close_handle(&user_handle);
out_dom_hdl:
(void) samr_close_handle(&domain_handle);
out_sid_ptr:
free(sid);
out_samr_hdl:
(void) samr_close_handle(&samr_handle);
return (status);
}
/*
* sam_check_user
*
* Check to see if user have permission to access computer account.
* The user being checked is the specified user for joining the Solaris
* host to the domain.
*/
DWORD
sam_check_user(char *server, char *domain_name, char *account_name)
{
mlsvc_handle_t samr_handle;
mlsvc_handle_t domain_handle;
mlsvc_handle_t user_handle;
smb_account_t ainfo;
struct samr_sid *sid;
DWORD access_mask;
DWORD status;
int rc;
char user[SMB_USERNAME_MAXLEN];
smb_ipc_get_user(user, SMB_USERNAME_MAXLEN);
rc = samr_open(server, domain_name, user, SAM_LOOKUP_INFORMATION,
&samr_handle);
if (rc != 0)
return (NT_STATUS_OPEN_FAILED);
sid = sam_get_domain_sid(&samr_handle, server, domain_name);
status = samr_open_domain(&samr_handle, SAM_LOOKUP_INFORMATION, sid,
&domain_handle);
free(sid);
if (status != NT_STATUS_SUCCESS) {
(void) samr_close_handle(&samr_handle);
return (status);
}
status = samr_lookup_domain_names(&domain_handle, account_name, &ainfo);
if (status == NT_STATUS_SUCCESS) {
/*
* Win2000 client uses this access mask. The
* following SAMR user specific rights bits are
* set: set password, set attributes, and get
* attributes.
*/
access_mask = 0xb0;
status = samr_open_user(&domain_handle,
access_mask, ainfo.a_rid, &user_handle);
if (status == NT_STATUS_SUCCESS)
(void) samr_close_handle(&user_handle);
}
(void) samr_close_handle(&domain_handle);
(void) samr_close_handle(&samr_handle);
return (status);
}
/*
* sam_delete_account
*
* Attempt to remove an account from the SAM database on the specified
* server.
*
* Returns NT status codes.
*/
DWORD
sam_delete_account(char *server, char *domain_name, char *account_name)
{
mlsvc_handle_t samr_handle;
mlsvc_handle_t domain_handle;
mlsvc_handle_t user_handle;
smb_account_t ainfo;
struct samr_sid *sid;
DWORD access_mask;
DWORD status;
int rc;
char user[SMB_USERNAME_MAXLEN];
smb_ipc_get_user(user, SMB_USERNAME_MAXLEN);
rc = samr_open(server, domain_name, user, SAM_LOOKUP_INFORMATION,
&samr_handle);
if (rc != 0)
return (NT_STATUS_OPEN_FAILED);
sid = sam_get_domain_sid(&samr_handle, server, domain_name);
status = samr_open_domain(&samr_handle, SAM_LOOKUP_INFORMATION, sid,
&domain_handle);
free(sid);
if (status != NT_STATUS_SUCCESS) {
(void) samr_close_handle(&samr_handle);
return (status);
}
status = samr_lookup_domain_names(&domain_handle, account_name, &ainfo);
if (status == NT_STATUS_SUCCESS) {
access_mask = STANDARD_RIGHTS_EXECUTE | DELETE;
status = samr_open_user(&domain_handle, access_mask,
ainfo.a_rid, &user_handle);
if (status == NT_STATUS_SUCCESS) {
if (samr_delete_user(&user_handle) != 0)
(void) samr_close_handle(&user_handle);
}
}
(void) samr_close_handle(&domain_handle);
(void) samr_close_handle(&samr_handle);
return (status);
}
static DWORD
mlsvc_join_rpc(smb_domainex_t *dxi,
char *admin_user, char *admin_pw,
char *machine_name, char *machine_pw)
{
mlsvc_handle_t samr_handle;
mlsvc_handle_t domain_handle;
mlsvc_handle_t user_handle;
smb_account_t ainfo;
char *server = dxi->d_dci.dc_name;
smb_domain_t *di = &dxi->d_primary;
DWORD account_flags;
DWORD rid;
DWORD status;
int rc;
/* Caller did smb_ipc_set() so we don't need the pw for now. */
_NOTE(ARGUNUSED(admin_pw));
rc = samr_open(server, di->di_nbname, admin_user,
MAXIMUM_ALLOWED, &samr_handle);
if (rc != 0) {
syslog(LOG_NOTICE, "sam_connect to server %s failed", server);
return (RPC_NT_SERVER_UNAVAILABLE);
}
/* have samr_handle */
status = samr_open_domain(&samr_handle, MAXIMUM_ALLOWED,
(struct samr_sid *)di->di_binsid, &domain_handle);
if (status != NT_STATUS_SUCCESS)
goto out_samr_handle;
/* have domain_handle */
account_flags = SAMR_AF_WORKSTATION_TRUST_ACCOUNT;
status = samr_create_user(&domain_handle, machine_name,
account_flags, &rid, &user_handle);
if (status == NT_STATUS_USER_EXISTS) {
status = samr_lookup_domain_names(&domain_handle,
machine_name, &ainfo);
if (status != NT_STATUS_SUCCESS)
goto out_domain_handle;
status = samr_open_user(&domain_handle, MAXIMUM_ALLOWED,
ainfo.a_rid, &user_handle);
}
if (status != NT_STATUS_SUCCESS) {
syslog(LOG_NOTICE,
"smbd: failed to open machine account (%s)",
xlate_nt_status(status));
goto out_domain_handle;
}
/*
* The account exists, and we have user_handle open
* on that account. Set the password and flags.
*/
status = netr_set_user_password(&user_handle, machine_pw);
if (status != NT_STATUS_SUCCESS) {
syslog(LOG_NOTICE,
"smbd: failed to set machine account password (%s)",
xlate_nt_status(status));
goto out_user_handle;
}
account_flags |= SAMR_AF_DONT_EXPIRE_PASSWD;
status = netr_set_user_control(&user_handle, account_flags);
if (status != NT_STATUS_SUCCESS) {
syslog(LOG_NOTICE,
"Set machine account control flags: %s",
xlate_nt_status(status));
goto out_user_handle;
}
out_user_handle:
(void) samr_close_handle(&user_handle);
out_domain_handle:
(void) samr_close_handle(&domain_handle);
out_samr_handle:
(void) samr_close_handle(&samr_handle);
return (status);
}
