diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:20:00 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:20:00 +0000 |
commit | 8daa83a594a2e98f39d764422bfbdbc62c9efd44 (patch) | |
tree | 4099e8021376c7d8c05bdf8503093d80e9c7bad0 /source3/utils/net_offlinejoin.c | |
parent | Initial commit. (diff) | |
download | samba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.tar.xz samba-8daa83a594a2e98f39d764422bfbdbc62c9efd44.zip |
Adding upstream version 2:4.20.0+dfsg.upstream/2%4.20.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | source3/utils/net_offlinejoin.c | 600 |
1 files changed, 600 insertions, 0 deletions
diff --git a/source3/utils/net_offlinejoin.c b/source3/utils/net_offlinejoin.c new file mode 100644 index 0000000..3ec5c97 --- /dev/null +++ b/source3/utils/net_offlinejoin.c @@ -0,0 +1,600 @@ +/* + Samba Unix/Linux SMB client library + net join commands + Copyright (C) 2021 Guenther Deschner (gd@samba.org) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "utils/net.h" +#include <netapi.h> +#include "netapi/netapi_net.h" +#include "libcli/registry/util_reg.h" +#include "libcli/security/dom_sid.h" +#include "lib/cmdline/cmdline.h" + +int net_offlinejoin_usage(struct net_context *c, int argc, const char **argv) +{ + d_printf(_("\nnet offlinejoin [misc. options]\n" + "\tjoins a computer to a domain\n")); + d_printf(_("Valid commands:\n")); + d_printf(_("\tprovision\t\t\tProvision machine account in AD\n")); + d_printf(_("\trequestodj\t\t\tRequest offline domain join\n")); + d_printf(_("\tcomposeodj\t\t\tCompose offline domain join blob\n")); + net_common_flags_usage(c, argc, argv); + return -1; +} + +int net_offlinejoin(struct net_context *c, int argc, const char **argv) +{ + int ret; + NET_API_STATUS status; + + if ((argc > 0) && (strcasecmp_m(argv[0], "HELP") == 0)) { + net_offlinejoin_usage(c, argc, argv); + return 0; + } + + if (argc == 0) { + net_offlinejoin_usage(c, argc, argv); + return -1; + } + + net_warn_member_options(); + + status = libnetapi_net_init(&c->netapi_ctx, c->lp_ctx, c->creds); + if (status != 0) { + return -1; + } + + if (c->opt_kerberos) { + libnetapi_set_use_kerberos(c->netapi_ctx); + } + + if (strcasecmp_m(argv[0], "provision") == 0) { + ret = net_offlinejoin_provision(c, argc, argv); + if (ret != 0) { + return ret; + } + } + + if (strcasecmp_m(argv[0], "requestodj") == 0) { + ret = net_offlinejoin_requestodj(c, argc, argv); + if (ret != 0) { + return ret; + } + } + + if (strcasecmp_m(argv[0], "composeodj") == 0) { + ret = net_offlinejoin_composeodj(c, argc, argv); + if (ret != 0) { + return ret; + } + } + + return 0; +} + +static int net_offlinejoin_provision_usage(struct net_context *c, int argc, const char **argv) +{ + d_printf(_("\nnet offlinejoin provision [misc. options]\n" + "\tProvisions machine account in AD\n")); + d_printf(_("Valid options:\n")); + d_printf(_("\tdomain=<DOMAIN>\t\t\t\tDefines AD Domain to join\n")); + d_printf(_("\tmachine_name=<MACHINE_NAME>\t\tDefines the machine account name\n")); + d_printf(_("\tmachine_account_ou=<OU>\t\t\tDefines the machine account organizational unit DN\n")); + d_printf(_("\tdcname=<DCNAME>\t\t\t\tSpecify a Domain Controller to join to\n")); + d_printf(_("\tdefpwd\t\t\t\t\tUse default machine account password\n")); + d_printf(_("\treuse\t\t\t\t\tReuse existing machine account in AD\n")); + d_printf(_("\tsavefile=<FILENAME>\t\t\tFile to store the ODJ data\n")); + d_printf(_("\tprintblob\t\t\t\tPrint the base64 encoded ODJ data on stdout\n")); + net_common_flags_usage(c, argc, argv); + return -1; +} + +int net_offlinejoin_provision(struct net_context *c, + int argc, const char **argv) +{ + NET_API_STATUS status; + const char *dcname = NULL; + const char *domain = NULL; + const char *machine_name = NULL; + const char *machine_account_ou = NULL; + const char *provision_text_data = NULL; + uint32_t options = 0; + const char *savefile = NULL; + bool printblob = false; + int i; + + if (c->display_usage || argc == 1) { + return net_offlinejoin_provision_usage(c, argc, argv); + } + + /* process additional command line args */ + + for (i = 0; i < argc; i++) { + + if (strnequal(argv[i], "domain", strlen("domain"))) { + domain = get_string_param(argv[i]); + if (domain == NULL) { + return -1; + } + } + if (strnequal(argv[i], "machine_name", strlen("machine_name"))) { + machine_name = get_string_param(argv[i]); + if (machine_name == NULL) { + return -1; + } + } + if (strnequal(argv[i], "machine_account_ou", strlen("machine_account_ou"))) { + machine_account_ou = get_string_param(argv[i]); + if (machine_account_ou == NULL) { + return -1; + } + } + if (strnequal(argv[i], "dcname", strlen("dcname"))) { + dcname = get_string_param(argv[i]); + if (dcname == NULL) { + return -1; + } + } + if (strnequal(argv[i], "defpwd", strlen("defpwd"))) { + options |= NETSETUP_PROVISION_USE_DEFAULT_PASSWORD; + } + if (strnequal(argv[i], "reuse", strlen("reuse"))) { + options |= NETSETUP_PROVISION_REUSE_ACCOUNT; + } + if (strnequal(argv[i], "savefile", strlen("savefile"))) { + savefile = get_string_param(argv[i]); + if (savefile == NULL) { + return -1; + } + } + if (strnequal(argv[i], "printblob", strlen("printblob"))) { + printblob = true; + } + } + + if (domain == NULL) { + d_printf("Failed to provision computer account: %s\n", + libnetapi_errstr(W_ERROR_V(WERR_INVALID_DOMAINNAME))); + return -1; + } + + if (machine_name == NULL) { + d_printf("Failed to provision computer account: %s\n", + libnetapi_errstr(W_ERROR_V(WERR_INVALID_COMPUTERNAME))); + return -1; + } + + status = NetProvisionComputerAccount(domain, + machine_name, + machine_account_ou, + dcname, + options, + NULL, + 0, + &provision_text_data); + if (status != 0) { + d_printf("Failed to provision computer account: %s\n", + libnetapi_get_error_string(c->netapi_ctx, status)); + return status; + } + + if (savefile != NULL) { + + DATA_BLOB ucs2_blob, blob; + bool ok; + + /* + * Windows produces and consumes UTF16/UCS2 encoded blobs + * so we also do it for compatibility. Someone may provision an + * account for a Windows machine with samba. + */ + ok = push_reg_sz(c, &ucs2_blob, provision_text_data); + if (!ok) { + return -1; + } + + /* Add the unicode BOM mark */ + blob = data_blob_talloc(c, NULL, ucs2_blob.length + 2); + if (blob.data == NULL) { + d_printf("Failed to allocate blob: %s\n", + strerror(errno)); + return -1; + } + + blob.data[0] = 0xff; + blob.data[1] = 0xfe; + + memcpy(blob.data + 2, ucs2_blob.data, ucs2_blob.length); + + ok = file_save(savefile, blob.data, blob.length); + if (!ok) { + d_printf("Failed to save %s: %s\n", savefile, + strerror(errno)); + return -1; + } + } + + d_printf("Successfully provisioned computer '%s' in domain '%s'\n", + machine_name, domain); + + if (printblob) { + printf("%s\n", provision_text_data); + } + + return 0; +} + +static int net_offlinejoin_requestodj_usage(struct net_context *c, int argc, const char **argv) +{ + d_printf(_("\nnet offlinejoin requestodj [misc. options]\n" + "\tRequests offline domain join\n")); + d_printf(_("Valid options:\n")); + d_printf(_("\t-i\t\t\t\t\tRead ODJ data from STDIN\n")); + d_printf(_("\tloadfile=<FILENAME>\t\t\tFile that provides the ODJ data\n")); + /*d_printf(_("\tlocalos\t\t\t\t\tModify the local machine\n"));*/ + net_common_flags_usage(c, argc, argv); + return -1; +} + +int net_offlinejoin_requestodj(struct net_context *c, + int argc, const char **argv) +{ + NET_API_STATUS status; + uint8_t *provision_bin_data = NULL; + size_t provision_bin_data_size = 0; + uint32_t options = NETSETUP_PROVISION_ONLINE_CALLER; + const char *windows_path = NULL; + int i; + + if (c->display_usage) { + return net_offlinejoin_requestodj_usage(c, argc, argv); + } + + /* process additional command line args */ + + for (i = 0; i < argc; i++) { + + if (strnequal(argv[i], "loadfile", strlen("loadfile"))) { + const char *loadfile = NULL; + + loadfile = get_string_param(argv[i]); + if (loadfile == NULL) { + return -1; + } + + provision_bin_data = + (uint8_t *)file_load(loadfile, + &provision_bin_data_size, + 0, + c); + if (provision_bin_data == NULL) { + d_printf("Failed to read loadfile: %s\n", + loadfile); + return -1; + } + } +#if 0 + if (strnequal(argv[i], "localos", strlen("localos"))) { + options |= NETSETUP_PROVISION_ONLINE_CALLER; + } +#endif + } + + if (c->opt_stdin) { + if (isatty(STDIN_FILENO) == 1) { + d_fprintf(stderr, + "hint: stdin waiting for ODJ blob, end " + "with <crtl-D>.\n"); + } + provision_bin_data = + (uint8_t *)fd_load(STDIN_FILENO, + &provision_bin_data_size, 0, c); + if (provision_bin_data == NULL) { + d_printf("Failed to read ODJ blob from stdin\n"); + return -1; + } + + /* Strip last newline */ + if (provision_bin_data[provision_bin_data_size - 1] == '\n') { + provision_bin_data[provision_bin_data_size - 1] = '\0'; + } + } + + if (provision_bin_data == NULL || provision_bin_data_size == 0) { + d_printf("Please provide provision data either from file " + "(using loadfile parameter) or from stdin (-i)\n"); + return -1; + } + if (provision_bin_data_size > UINT32_MAX) { + d_printf("provision binary data size too big: %zu\n", + provision_bin_data_size); + return -1; + } + + status = NetRequestOfflineDomainJoin(provision_bin_data, + provision_bin_data_size, + options, + windows_path); + if (status != 0 && status != 0x00000a99) { + /* NERR_JoinPerformedMustRestart */ + printf("Failed to call NetRequestOfflineDomainJoin: %s\n", + libnetapi_get_error_string(c->netapi_ctx, status)); + return -1; + } + + d_printf("Successfully requested Offline Domain Join\n"); + + return 0; +} + +static int net_offlinejoin_composeodj_usage(struct net_context *c, + int argc, + const char **argv) +{ + d_printf(_("\nnet offlinejoin composeodj [misc. options]\n" + "\tComposes offline domain join blob\n")); + d_printf(_("Valid options:\n")); + d_printf(_("\tdomain_sid=<SID>\t\t\tThe domain SID\n")); + d_printf(_("\tdomain_guid=<GUID>\t\t\tThe domain GUID\n")); + d_printf(_("\tforest_name=<NAME>\t\t\tThe forest name\n")); + d_printf(_("\tdomain_is_nt4\t\t\t\tThe domain not AD but NT4\n")); + d_printf(_("\tsavefile=<FILENAME>\t\t\tFile to store the ODJ data\n")); + d_printf(_("\tprintblob\t\t\t\tPrint the base64 encoded ODJ data on stdout\n")); + net_common_flags_usage(c, argc, argv); + d_printf(_("Example:\n")); + d_printf("\tnet offlinejoin composeodj --realm=<realm> " + "--workgroup=<domain> domain_sid=<sid> domain_guid=<guid> " + "forest_name=<name> -S <dc name> -I <dc address> " + "--password=<password> printblob\n"); + return -1; +} + +int net_offlinejoin_composeodj(struct net_context *c, + int argc, + const char **argv) +{ + struct cli_credentials *creds = samba_cmdline_get_creds(); + NET_API_STATUS status; + const char *dns_domain_name = NULL; + const char *netbios_domain_name = NULL; + const char *machine_account_name = NULL; + const char *machine_account_password = NULL; + const char *domain_sid_str = NULL; + const char *domain_guid_str = NULL; + struct dom_sid domain_sid; + struct GUID domain_guid; + const char *forest_name = NULL; + const char *dc_name = NULL; + char dc_address[INET6_ADDRSTRLEN] = { 0 }; + bool domain_is_ad = true; + const char *provision_text_data = NULL; + const char *savefile = NULL; + bool printblob = false; + enum credentials_obtained obtained; + bool ok; + NTSTATUS ntstatus; + int i; + + if (c->display_usage || argc < 4) { + return net_offlinejoin_composeodj_usage(c, argc, argv); + } + + dns_domain_name = cli_credentials_get_realm(creds); + netbios_domain_name = cli_credentials_get_domain(creds); + + machine_account_name = cli_credentials_get_username_and_obtained(creds, &obtained); + if (obtained < CRED_CALLBACK_RESULT) { + const char *netbios_name = cli_credentials_get_workstation(creds); + cli_credentials_set_username( + creds, + talloc_asprintf(c, "%s$", netbios_name), + CRED_SPECIFIED); + } + + machine_account_name = cli_credentials_get_username(creds); + machine_account_password = cli_credentials_get_password(creds); + dc_name = c->opt_host; + + if (c->opt_have_ip) { + struct sockaddr_in *in4 = NULL; + struct sockaddr_in6 *in6 = NULL; + const char *p = NULL; + + switch(c->opt_dest_ip.ss_family) { + case AF_INET: + in4 = (struct sockaddr_in *)&c->opt_dest_ip; + p = inet_ntop(AF_INET, &in4->sin_addr, dc_address, sizeof(dc_address)); + break; + case AF_INET6: + in6 = (struct sockaddr_in6 *)&c->opt_dest_ip; + p = inet_ntop(AF_INET6, &in6->sin6_addr, dc_address, sizeof(dc_address)); + break; + default: + d_printf("Unknown IP address family\n"); + return -1; + } + + if (p == NULL) { + d_fprintf(stderr, "Failed to parse IP address: %s\n", strerror(errno)); + return -1; + } + } + + /* process additional command line args */ + + for (i = 0; i < argc; i++) { + if (strnequal(argv[i], "domain_sid", strlen("domain_sid"))) { + domain_sid_str = get_string_param(argv[i]); + if (domain_sid_str == NULL) { + return -1; + } + } + + if (strnequal(argv[i], "domain_guid", strlen("domain_guid"))) { + domain_guid_str = get_string_param(argv[i]); + if (domain_guid_str == NULL) { + return -1; + } + } + + if (strnequal(argv[i], "forest_name", strlen("forest_name"))) { + forest_name = get_string_param(argv[i]); + if (forest_name == NULL) { + return -1; + } + } + + if (strnequal(argv[i], "savefile", strlen("savefile"))) { + savefile = get_string_param(argv[i]); + if (savefile == NULL) { + return -1; + } + } + + if (strnequal(argv[i], "printblob", strlen("printblob"))) { + printblob = true; + } + + if (strnequal(argv[i], "domain_is_nt4", strlen("domain_is_nt4"))) { + domain_is_ad = false; + } + } + + /* Check command line arguments */ + + if (savefile == NULL && !printblob) { + d_printf("Choose either save the blob to a file or print it\n"); + return -1; + } + + if (dns_domain_name == NULL) { + d_printf("Please provide a valid realm parameter (--realm)\n"); + return -1; + } + + if (netbios_domain_name == NULL) { + d_printf("Please provide a valid domain parameter (--workgroup)\n"); + return -1; + } + + if (dc_name == NULL) { + d_printf("Please provide a valid DC name parameter (-S)\n"); + return -1; + } + + if (strlen(dc_address) == 0) { + d_printf("Please provide a valid domain controller address parameter (-I)\n"); + return -1; + } + + if (machine_account_name == NULL) { + d_printf("Please provide a valid netbios name parameter\n"); + return -1; + } + + if (machine_account_password == NULL) { + d_printf("Please provide a valid password parameter\n"); + return -1; + } + + if (domain_sid_str == NULL) { + d_printf("Please provide a valid <domain_sid> parameter\n"); + return -1; + } + + if (domain_guid_str == NULL) { + d_printf("Please provide a valid <domain_guid> parameter\n"); + return -1; + } + + if (forest_name == NULL) { + d_printf("Please provide a valid <forest_name> parameter\n"); + return -1; + } + + ok = dom_sid_parse(domain_sid_str, &domain_sid); + if (!ok) { + d_fprintf(stderr, _("Failed to parse domain SID\n")); + return -1; + } + + ntstatus = GUID_from_string(domain_guid_str, &domain_guid); + if (NT_STATUS_IS_ERR(ntstatus)) { + d_fprintf(stderr, _("Failed to parse domain GUID\n")); + return -1; + } + + status = NetComposeOfflineDomainJoin(dns_domain_name, + netbios_domain_name, + (struct domsid *)&domain_sid, + &domain_guid, + forest_name, + machine_account_name, + machine_account_password, + dc_name, + dc_address, + domain_is_ad, + NULL, + 0, + &provision_text_data); + if (status != 0) { + d_printf("Failed to compose offline domain join blob: %s\n", + libnetapi_get_error_string(c->netapi_ctx, status)); + return status; + } + + if (savefile != NULL) { + DATA_BLOB ucs2_blob, blob; + + /* + * Windows produces and consumes UTF16/UCS2 encoded blobs + * so we also do it for compatibility. Someone may provision an + * account for a Windows machine with samba. + */ + ok = push_reg_sz(c, &ucs2_blob, provision_text_data); + if (!ok) { + return -1; + } + + /* Add the unicode BOM mark */ + blob = data_blob_talloc(c, NULL, ucs2_blob.length + 2); + if (blob.data == NULL) { + d_printf("Failed to allocate blob: %s\n", + strerror(errno)); + return -1; + } + + blob.data[0] = 0xff; + blob.data[1] = 0xfe; + + memcpy(blob.data + 2, ucs2_blob.data, ucs2_blob.length); + + ok = file_save(savefile, blob.data, blob.length); + if (!ok) { + d_printf("Failed to save %s: %s\n", savefile, + strerror(errno)); + return -1; + } + } + + if (printblob) { + printf("%s\n", provision_text_data); + } + + return 0; +} |