From e84781b55d016d75a86c0bffa18b969d621cc97e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 11 Dec 2013 14:59:20 +1300 Subject: [PATCH 1/4] Allow net rpc join against ourself to get a machine trust account This partially reverts 15f6e27bd5a9065c8b781fa21f5989ce2c355776. Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=10891 Change-Id: I20adc771d8e06df12099327eeb1907bb1a293c72 Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam --- source3/libnet/libnet_join.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index be953ae..e57db2f 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -1957,10 +1957,6 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx, return WERR_INVALID_PARAM; } - if (IS_DC) { - return WERR_SETUP_DOMAIN_CONTROLLER; - } - if (!r->in.admin_domain) { char *admin_domain = NULL; char *admin_account = NULL; -- 2.1.1 From 1ad0f73e4fa5d68ebff2fcd3d056bfce748c7776 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 11 Dec 2013 15:39:38 +1300 Subject: [PATCH 2/4] auth: Allow domain join to itself when we are a PDC BUG: https://bugzilla.samba.org/show_bug.cgi?id=10891 Change-Id: I0e5aa9da1824ec76194cc8cc2a5f371a45ae3a4b Signed-off-by: Andrew Bartlett Reviewed-by: Garming Sam --- source3/libnet/libnet_join.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index e57db2f..987c632 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c 
@@ -2139,7 +2139,9 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx, switch (r->out.domain_is_ad) { case false: - valid_security = (lp_security() == SEC_DOMAIN); + valid_security = (lp_security() == SEC_DOMAIN) + || (lp_server_role() == ROLE_DOMAIN_PDC) + || (lp_server_role() == ROLE_DOMAIN_BDC); if (valid_workgroup && valid_security) { /* nothing to be done */ return WERR_OK; -- 2.1.1 From 35fe395e451ba0bfd2c3b9af1d02c151b4e3f726 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 23 Oct 2014 12:28:48 +1300 Subject: [PATCH 3/4] libsmb: Allow change of BDC trust account password This account is otherwise just like the workstation trust acocunt, so use that code. Change-Id: I00405368d4000db91ff514e31a9a281043409b70 BUG: https://bugzilla.samba.org/show_bug.cgi?id=10891 Pair-programmed-with: Garming Sam Signed-off-by: Andrew Bartlett --- source3/libsmb/trusts_util.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index bb2e977..7503ef0 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -111,6 +111,7 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context, switch (sec_channel_type) { case SEC_CHAN_WKSTA: + case SEC_CHAN_BDC: pwd = secrets_fetch_machine_password(domain, &pass_last_set_time, NULL); @@ -188,6 +189,7 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context, switch (sec_channel_type) { case SEC_CHAN_WKSTA: + case SEC_CHAN_BDC: if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) { TALLOC_FREE(frame); return NT_STATUS_INTERNAL_DB_CORRUPTION; @@ -206,6 +208,7 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context, break; default: + smb_panic("Unsupported secure channel type"); break; } -- 2.1.1 From 53f70fb50c7c4f961112fc9534d21fee53babf0d Mon Sep 17 00:00:00 2001 
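Review bot: The widened `valid_security` test in libnet_join_check_config accepts `ROLE_DOMAIN_BDC` as well as `ROLE_DOMAIN_PDC`, although the commit subject mentions only a PDC, and nothing at the assignment says why a DC server role may stand in for `security = domain`. Patch 1/4 of this series removes the `IS_DC` early return from libnet_join_pre_processing, so this condition (together with `valid_workgroup`) appears to be the remaining configuration gate before a classic DC obtains a machine trust account. I would state the intent at the code, for example `/* A classic PDC/BDC holds a machine trust account too, so a DC server role is accepted here in place of security = domain. */`, and align the commit subject with the BDC case. The function body starts and ends outside the hunk.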
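Review bot: The `smb_panic("Unsupported secure channel type")` added to the `default:` arm of the second switch in trust_pw_change aborts the whole process from library code. That switch stores `new_trust_passwd`, so it presumably runs after the password has already been changed on the remote side (that call is outside the hunk). If the first switch on `sec_channel_type` already rejects unsupported types, this arm is unreachable and should say so, e.g. `/* not reached: unsupported types are rejected by the first switch */`. If it does not, returning an error there before any change is attempted is safer than panicking with the locally stored secret left stale. Logging the value before the panic, e.g. `DEBUG(0, ("Unsupported secure channel type %d\n", (int)sec_channel_type));`, would make the abort diagnosable; the function starts and ends outside these hunks.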
From: Andrew Bartlett Date: Thu, 23 Oct 2014 12:38:15 +1300 Subject: [PATCH 4/4] selftest: Add test for joining a Samba classic DC as a BDC This does not join the DC itself, so as not to pertrub the test environment mid-run, but does confirm that the join works and the password can be changed. Change-Id: I3dc004d59b9feaff3722b7d4a89196e90c44e139 Pair-programmed-with: Garming Sam Signed-off-by: Andrew Bartlett --- source3/script/tests/test_net_rpc_join.sh | 25 +++++++++++++++++++++++++ source3/selftest/tests.py | 5 +++++ 2 files changed, 30 insertions(+) create mode 100755 source3/script/tests/test_net_rpc_join.sh diff --git a/source3/script/tests/test_net_rpc_join.sh b/source3/script/tests/test_net_rpc_join.sh new file mode 100755 index 0000000..a7810a9 --- /dev/null +++ b/source3/script/tests/test_net_rpc_join.sh @@ -0,0 +1,25 @@ +#!/bin/sh + +if [ $# -lt 4 ]; then +cat <