From 53c8bddb22f00a7b4b986564e65ff3976dc2e48b Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 11 Dec 2013 14:59:20 +1300
Subject: [PATCH 1/5] netapi: Move DC check to NetJoinDomain() where it is needed.
This partially reverts 15f6e27bd5a9065c8b781fa21f5989ce2c355776.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10891
Signed-off-by: Andrew Bartlett
Reviewed-by: Garming Sam
Reviewed-by: Andreas Schneider
(cherry picked from commit b299409410751ff3c8c775bd073e34d914a54efc)
---
source3/lib/netapi/joindomain.c | 4 ++++
source3/libnet/libnet_join.c | 4 ----
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c
index b6fb57a..bc9e2bd 100644
--- a/source3/lib/netapi/joindomain.c
+++ b/source3/lib/netapi/joindomain.c
@@ -115,6 +115,10 @@ WERROR NetJoinDomain_r(struct libnetapi_ctx *ctx,
 struct dcerpc_binding_handle *b;
 DATA_BLOB session_key;
+ if (IS_DC) {
+ return WERR_SETUP_DOMAIN_CONTROLLER;
+ }
+
 werr = libnetapi_open_pipe(ctx, r->in.server, &ndr_table_wkssvc.syntax_id, &pipe_cli);
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 9a34e94..43f130e 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -1804,10 +1804,6 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
 return WERR_INVALID_PARAM;
 }
- if (IS_DC) {
- return WERR_SETUP_DOMAIN_CONTROLLER;
- }
-
 if (!secrets_init()) {
 libnet_join_set_error_string(mem_ctx, r, "Unable to open secrets database");
--
2.2.0
From 98a576b2626e353040e1ea2fc0756775f4a4b218 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Thu, 11 Dec 2014 16:41:55 +0100
Subject: [PATCH 2/5] selftest: Add 'net dom join' test which fails cause we are a DC
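Review bot: The `IS_DC` guard that the first hunk adds to NetJoinDomain_r carries no comment saying why the refusal now belongs in the netapi entry point rather than in libnet_join_pre_processing, from which the second hunk removes it; the subject line gives the reason ("where it is needed"), the code does not, and patch 3/5 of this series goes on to make libnet_Join accept a PDC/BDC joining its own domain, so the placement will look arbitrary to a reader of joindomain.c alone. I would add above the check `/* A DC must not use this remote workstation-join path; libnet_Join() itself stays usable for a PDC/BDC joining its own domain. */`. The guard sits before libnetapi_open_pipe(), so no pipe is opened for a call that is refused, which is the right order. NetJoinDomain_r continues outside the hunk.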
Signed-off-by: Andreas Schneider
Reviewed-by: Guenther Deschner
(cherry picked from commit 6d6c673c6d33ceb1379c66d6b4d78a52077b928a)
---
source3/script/tests/test_net_dom_join_fail_dc.sh | 22 ++++++++++++++++++++++
source3/selftest/tests.py | 5 +++++
2 files changed, 27 insertions(+)
create mode 100755 source3/script/tests/test_net_dom_join_fail_dc.sh
diff --git a/source3/script/tests/test_net_dom_join_fail_dc.sh b/source3/script/tests/test_net_dom_join_fail_dc.sh
new file mode 100755
index 0000000..135e1da
--- /dev/null
+++ b/source3/script/tests/test_net_dom_join_fail_dc.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+if [ $# -lt 4 ]; then
+cat < Date: Wed, 11 Dec 2013 15:39:38 +1300
Subject: [PATCH 3/5] auth: Allow domain join to itself when we are a PDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10891
Signed-off-by: Andrew Bartlett
Reviewed-by: Garming Sam
Reviewed-by: Andreas Schneider
(cherry picked from commit c3b5f9cff56defedb0fc1e99fbbb528b1ce22f6d)
---
source3/libnet/libnet_join.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 43f130e..05fdd54 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -1975,7 +1975,9 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
 switch (r->out.domain_is_ad) {
 case false:
- valid_security = (lp_security() == SEC_DOMAIN);
+ valid_security = (lp_security() == SEC_DOMAIN)
+ || (lp_server_role() == ROLE_DOMAIN_PDC)
+ || (lp_server_role() == ROLE_DOMAIN_BDC);
 if (valid_workgroup && valid_security) {
 /* nothing to be done */
 return WERR_OK;
--
2.2.0
From 649dc6b0f3b66d7932712765e74222348665d5c0 Mon Sep 17 00:00:00 2001
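Review bot: The widened `valid_security` test in libnet_join_check_config accepts a PDC or BDC role without recording why the `security = domain` requirement does not apply to it, and it evaluates `lp_server_role()` twice; a reader outside this series has only the `SEC_DOMAIN` comparison to go by. I would store the role in a local once and put a comment on the `case false:` branch, e.g. `/* A classic PDC/BDC is joining its own domain, so "security = domain" is not required. */`. The leading `||` on the continuation lines is also a point of style: if the file follows the kernel-derived layout Samba documents, the operator belongs at the end of the preceding line, `(lp_security() == SEC_DOMAIN) ||`. libnet_join_check_config starts and ends outside the hunk.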
From: Andrew Bartlett
Date: Thu, 23 Oct 2014 12:28:48 +1300
Subject: [PATCH 4/5] libsmb: Allow change of BDC trust account password
This account is otherwise just like the workstation trust acocunt, so use that code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10891
Pair-programmed-with: Garming Sam
Signed-off-by: Andrew Bartlett
Reviewed-by: Andreas Schneider
(cherry picked from commit e6ec265a405e76e5d4ea59b8025da0f57b3d3ad1)
---
source3/libsmb/trusts_util.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index 0d039bc..6588b05 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -42,9 +42,20 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
 unsigned char new_trust_passwd_hash[16];
 char *new_trust_passwd;
 NTSTATUS nt_status;
+ time_t pass_last_set_time;
+ char *machine_pw;
 switch (sec_channel_type) {
 case SEC_CHAN_WKSTA:
+ case SEC_CHAN_BDC:
+ machine_pw = secrets_fetch_machine_password(domain,
+ &pass_last_set_time,
+ NULL);
+ if (machine_pw == NULL) {
+ return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
+ }
+ free(machine_pw);
+ break;
 case SEC_CHAN_DOMAIN:
 break;
 default:
@@ -80,6 +91,7 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
 switch (sec_channel_type) {
 case SEC_CHAN_WKSTA:
+ case SEC_CHAN_BDC:
 if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
 nt_status = NT_STATUS_UNSUCCESSFUL;
 }
@@ -102,6 +114,7 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
 break;
 }
 default:
+ smb_panic("Unsupported secure channel type");
 break;
 }
 }
--
2.2.0
From 42c83dcb0fc42c6d1889435ac6f03e62d78c9cc2 Mon Sep 17 00:00:00 2001
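Review bot: In the new SEC_CHAN_WKSTA/SEC_CHAN_BDC branch of the first hunk, `machine_pw` receives the cleartext machine account password from secrets_fetch_machine_password() and is released with a plain `free()` after serving only as an existence check, so the secret is left behind in freed heap memory; clearing the buffer before release (a zero-then-free helper, or a memset the compiler cannot elide) would avoid that, and if secrets_fetch_machine_password() tolerates NULL for the time out-parameter, `pass_last_set_time` — written here and not read anywhere the hunks show — could go as well. In the third hunk, the `smb_panic("Unsupported secure channel type")` added to the second switch's default appears unreachable, since the first switch's own default (its body is outside the hunk) presumably rejects every other type already; a comment such as `/* every other type was rejected by the first switch */` would make the panic read as the assertion it is meant to be. trust_pw_change_and_store_it() starts and ends outside the hunks.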
From: Andrew Bartlett
Date: Thu, 23 Oct 2014 12:38:15 +1300
Subject: [PATCH 5/5] selftest: Add test for joining a Samba classic DC as a BDC
This does not join the DC itself, so as not to pertrub the test environment mid-run, but does confirm that the join works and the password can be changed.
Pair-programmed-with: Garming Sam
Signed-off-by: Andrew Bartlett
Reviewed-by: Andreas Schneider
(cherry picked from commit 0da3ab96739df436b54fcf6c7e138229271b0866)
---
source3/script/tests/test_net_rpc_join.sh | 25 +++++++++++++++++++++++++
source3/selftest/tests.py | 4 ++++
2 files changed, 29 insertions(+)
create mode 100755 source3/script/tests/test_net_rpc_join.sh
diff --git a/source3/script/tests/test_net_rpc_join.sh b/source3/script/tests/test_net_rpc_join.sh
new file mode 100755
index 0000000..a7810a9
--- /dev/null
+++ b/source3/script/tests/test_net_rpc_join.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+if [ $# -lt 4 ]; then
+cat <