From 0d1179d5c3585678e6b4097425a4137b8666d333 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 8 Aug 2019 14:35:38 +0200 Subject: [PATCH 01/11] testprogs: Fix failure count in test_net_ads.sh There are missing ` at the end of the line. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884 Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy (cherry picked from commit 320b5be4dce95d8dac4b3c0847faf5b730754a37) --- testprogs/blackbox/test_net_ads.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh index d3c4de5b741..512aa9d2952 100755 --- a/testprogs/blackbox/test_net_ads.sh +++ b/testprogs/blackbox/test_net_ads.sh @@ -141,10 +141,10 @@ testit "test spn service doensn't exist in AD but is present in keytab file afte # SPN parser is very basic but does detect some illegal combination windows_spn="$spn_service/$spn_host:" -testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing port" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1 +testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing port" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` windows_spn="$spn_service/$spn_host/" -testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing servicename" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1 +testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing servicename" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1` -- 2.23.0 From 5acc6ededece33202fe3aa26cb9de9c052e32ba2 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 13 Aug 2019 17:06:58 +0200 Subject: [PATCH 02/11] s3:libads: Use ldap_add_ext_s() in ads_gen_add() ldap_add_s() is marked as deprecated. Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy (cherry picked from commit 456322a61319a10aaedda5244488ea4e5aa5cb64) --- source3/libads/ldap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 8d13a7cf18c..d409d4ab78e 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -1596,7 +1596,7 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods) /* make sure the end of the list is NULL */ mods[i] = NULL; - ret = ldap_add_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods); + ret = ldap_add_ext_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods, NULL, NULL); ads_print_error(ret, ads->ldap.ld); TALLOC_FREE(utf8_dn); return ADS_ERROR(ret); -- 2.23.0 From 17d370a97ee2c7e6359aafc0248efae90c654857 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 13 Aug 2019 17:41:40 +0200 Subject: [PATCH 03/11] s3:libnet: Require sealed LDAP SASL connections for joining Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy (cherry picked from commit b84abb3a46211dc84e52ef95750627e4dd081f2f) --- libgpo/pygpo.c | 2 +- source3/lib/netapi/joindomain.c | 5 ++++- source3/libads/ads_proto.h | 9 ++++++++- source3/libads/ads_struct.c | 14 +++++++++++++- source3/libads/ldap.c | 4 ++-- source3/libnet/libnet_join.c | 3 ++- source3/libsmb/namequery_dc.c | 2 +- source3/printing/nt_printing_ads.c | 6 +++--- source3/utils/net_ads.c | 13 +++++++++---- source3/winbindd/winbindd_ads.c | 5 ++++- source3/winbindd/winbindd_cm.c | 5 ++++- 11 files changed, 51 insertions(+), 17 deletions(-) diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c index cd107318860..4db8cad7ca4 100644 --- a/libgpo/pygpo.c +++ b/libgpo/pygpo.c @@ -212,7 +212,7 @@ static int py_ads_init(ADS *self, PyObject *args, PyObject *kwds) return -1; } - self->ads_ptr = ads_init(realm, workgroup, ldap_server); + self->ads_ptr = ads_init(realm, workgroup, ldap_server, ADS_SASL_PLAIN); if (self->ads_ptr == NULL) { return -1; } diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c index ff2154ba803..8d0752f4531 100644 --- a/source3/lib/netapi/joindomain.c +++ b/source3/lib/netapi/joindomain.c @@ -411,7 +411,10 @@ WERROR NetGetJoinableOUs_l(struct libnetapi_ctx *ctx, dc = strip_hostname(info->dc_unc); - ads = ads_init(info->domain_name, info->domain_name, dc); + ads = ads_init(info->domain_name, + info->domain_name, + dc, + ADS_SASL_PLAIN); if (!ads) { return WERR_GEN_FAILURE; } diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h index 154bf67f964..92bb3a22cdb 100644 --- a/source3/libads/ads_proto.h +++ b/source3/libads/ads_proto.h @@ -32,6 +32,12 @@ #ifndef _LIBADS_ADS_PROTO_H_ #define _LIBADS_ADS_PROTO_H_ +enum ads_sasl_state_e { + ADS_SASL_PLAIN = 0, + ADS_SASL_SIGN, + ADS_SASL_SEAL, +}; + /* The following definitions come from libads/ads_struct.c */ char *ads_build_path(const char *realm, const char *sep, const char *field, int reverse); @@ -39,7 +45,8 @@ char *ads_build_dn(const char *realm); char *ads_build_domain(const char *dn); ADS_STRUCT *ads_init(const char *realm, const char *workgroup, - const char *ldap_server); + const char *ldap_server, + enum ads_sasl_state_e sasl_state); bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags); void ads_destroy(ADS_STRUCT **ads); diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c index 3ab682c0e38..043a1b21247 100644 --- a/source3/libads/ads_struct.c +++ b/source3/libads/ads_struct.c @@ -132,7 +132,8 @@ char *ads_build_domain(const char *dn) */ ADS_STRUCT *ads_init(const char *realm, const char *workgroup, - const char *ldap_server) + const char *ldap_server, + enum ads_sasl_state_e sasl_state) { ADS_STRUCT *ads; int wrap_flags; @@ -152,6 +153,17 @@ ADS_STRUCT *ads_init(const char *realm, wrap_flags = 0; } + switch (sasl_state) { + case ADS_SASL_PLAIN: + break; + case ADS_SASL_SIGN: + wrap_flags |= ADS_AUTH_SASL_SIGN; + break; + case ADS_SASL_SEAL: + wrap_flags |= ADS_AUTH_SASL_SEAL; + break; + } + ads->auth.flags = wrap_flags; /* Start with the configured page size when the connection is new, diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index d409d4ab78e..7bdda4b1768 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -2964,7 +2964,7 @@ ADS_STATUS ads_current_time(ADS_STRUCT *ads) if ( !ads->ldap.ld ) { if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup, - ads->server.ldap_server )) == NULL ) + ads->server.ldap_server, ADS_SASL_PLAIN )) == NULL ) { status = ADS_ERROR(LDAP_NO_MEMORY); goto done; @@ -3026,7 +3026,7 @@ ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32_t *val) if ( !ads->ldap.ld ) { if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup, - ads->server.ldap_server )) == NULL ) + ads->server.ldap_server, ADS_SASL_PLAIN )) == NULL ) { status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); goto done; diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index b876d7ea89f..a512afc238a 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -140,7 +140,8 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, my_ads = ads_init(dns_domain_name, netbios_domain_name, - dc_name); + dc_name, + ADS_SASL_SEAL); if (!my_ads) { return ADS_ERROR_LDAP(LDAP_NO_MEMORY); } diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c index 4ee5b5278e4..f63dde61603 100644 --- a/source3/libsmb/namequery_dc.c +++ b/source3/libsmb/namequery_dc.c @@ -69,7 +69,7 @@ static bool ads_dc_name(const char *domain, /* Try this 3 times then give up. */ for( i =0 ; i < 3; i++) { - ads = ads_init(realm, domain, NULL); + ads = ads_init(realm, domain, NULL, ADS_SASL_PLAIN); if (!ads) { TALLOC_FREE(sitename); return False; diff --git a/source3/printing/nt_printing_ads.c b/source3/printing/nt_printing_ads.c index 2588e1de7e7..a82f1361fc8 100644 --- a/source3/printing/nt_printing_ads.c +++ b/source3/printing/nt_printing_ads.c @@ -227,7 +227,7 @@ WERROR nt_printer_guid_retrieve(TALLOC_CTX *mem_ctx, const char *printer, return WERR_NOT_ENOUGH_MEMORY; } - ads = ads_init(lp_realm(), lp_workgroup(), NULL); + ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN); if (ads == NULL) { result = WERR_RPC_S_SERVER_UNAVAILABLE; goto out; @@ -577,7 +577,7 @@ WERROR nt_printer_publish(TALLOC_CTX *mem_ctx, TALLOC_FREE(sinfo2); - ads = ads_init(lp_realm(), lp_workgroup(), NULL); + ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN); if (!ads) { DEBUG(3, ("ads_init() failed\n")); win_rc = WERR_RPC_S_SERVER_UNAVAILABLE; @@ -633,7 +633,7 @@ WERROR check_published_printers(struct messaging_context *msg_ctx) tmp_ctx = talloc_new(NULL); if (!tmp_ctx) return WERR_NOT_ENOUGH_MEMORY; - ads = ads_init(lp_realm(), lp_workgroup(), NULL); + ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN); if (!ads) { DEBUG(3, ("ads_init() failed\n")); return WERR_RPC_S_SERVER_UNAVAILABLE; diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index d33031a0dbd..07a22098fb1 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -620,7 +620,10 @@ retry_connect: realm = assume_own_realm(c); } - ads = ads_init(realm, c->opt_target_workgroup, c->opt_host); + ads = ads_init(realm, + c->opt_target_workgroup, + c->opt_host, + ADS_SASL_PLAIN); if (!c->opt_user_name) { c->opt_user_name = "administrator"; @@ -729,7 +732,8 @@ static int net_ads_check_int(const char *realm, const char *workgroup, const cha ADS_STRUCT *ads; ADS_STATUS status; - if ( (ads = ads_init( realm, workgroup, host )) == NULL ) { + ads = ads_init(realm, workgroup, host, ADS_SASL_PLAIN); + if (ads == NULL ) { return -1; } @@ -1764,7 +1768,7 @@ static void _net_ads_join_dns_updates(struct net_context *c, TALLOC_CTX *ctx, st * kinit with the machine password to do dns update. */ - ads_dns = ads_init(lp_realm(), NULL, r->in.dc_name); + ads_dns = ads_init(lp_realm(), NULL, r->in.dc_name, ADS_SASL_PLAIN); if (ads_dns == NULL) { d_fprintf(stderr, _("DNS update failed: out of memory!\n")); @@ -2654,7 +2658,8 @@ static int net_ads_password(struct net_context *c, int argc, const char **argv) /* use the realm so we can eventually change passwords for users in realms other than default */ - if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) { + ads = ads_init(realm, c->opt_workgroup, c->opt_host, ADS_SASL_PLAIN); + if (ads == NULL) { return -1; } diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c index 922ca43764b..556b4523866 100644 --- a/source3/winbindd/winbindd_ads.c +++ b/source3/winbindd/winbindd_ads.c @@ -110,7 +110,10 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp, /* we don't want this to affect the users ccache */ setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1); - ads = ads_init(target_realm, target_dom_name, ldap_server); + ads = ads_init(target_realm, + target_dom_name, + ldap_server, + ADS_SASL_SEAL); if (!ads) { DEBUG(1,("ads_init for domain %s failed\n", target_dom_name)); return ADS_ERROR(LDAP_NO_MEMORY); diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 22d3dcaa92b..4bd03ed8b7a 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -1414,7 +1414,10 @@ static bool dcip_check_name(TALLOC_CTX *mem_ctx, print_sockaddr(addr, sizeof(addr), pss); - ads = ads_init(domain->alt_name, domain->name, addr); + ads = ads_init(domain->alt_name, + domain->name, + addr, + ADS_SASL_PLAIN); ads->auth.flags |= ADS_AUTH_NO_BIND; ads->config.flags |= request_flags; ads->server.no_fallback = true; -- 2.23.0 From 244ecd7d839340858e96d75118548942b44bbd5c Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 13 Aug 2019 16:30:07 +0200 Subject: [PATCH 04/11] s3:libads: Cleanup error code paths in ads_create_machine_acct() Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy (cherry picked from commit 8ed993789f93624b7b60dd5314fe5472e69e903a) --- source3/libads/ldap.c | 34 +++++++++++++++++++++++----------- 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 7bdda4b1768..e492d0688a5 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -2092,11 +2092,12 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, uint32_t etype_list) { ADS_STATUS ret; - char *samAccountName, *controlstr; - TALLOC_CTX *ctx; + char *samAccountName = NULL; + char *controlstr = NULL; + TALLOC_CTX *ctx = NULL; ADS_MODLIST mods; char *machine_escaped = NULL; - char *new_dn; + char *new_dn = NULL; const char *objectClass[] = {"top", "person", "organizationalPerson", "user", "computer", NULL}; LDAPMessage *res = NULL; @@ -2110,13 +2111,14 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, return ret; } - if (!(ctx = talloc_init("ads_add_machine_acct"))) + ctx = talloc_init("ads_add_machine_acct"); + if (ctx == NULL) { return ADS_ERROR(LDAP_NO_MEMORY); - - ret = ADS_ERROR(LDAP_NO_MEMORY); + } machine_escaped = escape_rdn_val_string_alloc(machine_name); - if (!machine_escaped) { + if (machine_escaped == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); goto done; } @@ -2131,17 +2133,26 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, ads_msgfree(ads, res); new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit); - samAccountName = talloc_asprintf(ctx, "%s$", machine_name); + if (new_dn == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } - if ( !new_dn || !samAccountName ) { + samAccountName = talloc_asprintf(ctx, "%s$", machine_name); + if (samAccountName == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); goto done; } - if (!(controlstr = talloc_asprintf(ctx, "%u", acct_control))) { + controlstr = talloc_asprintf(ctx, "%u", acct_control); + if (controlstr == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); goto done; } - if (!(mods = ads_init_mods(ctx))) { + mods = ads_init_mods(ctx); + if (mods == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); goto done; } @@ -2155,6 +2166,7 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list); if (etype_list_str == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); goto done; } ads_mod_str(ctx, &mods, "msDS-SupportedEncryptionTypes", -- 2.23.0 From 8d0e49716b7039fee4785186c67de774b34bd85b Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 21 Aug 2019 12:22:32 +0200 Subject: [PATCH 05/11] s3:libads: Use a talloc_asprintf in ads_find_machine_acct() Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy (cherry picked from commit 35f3e4aed1f1c2ba1c8dc50921f238937f343357) --- source3/libads/ldap.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index e492d0688a5..3bc9a2a06aa 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -1367,18 +1367,22 @@ char *ads_parent_dn(const char *dn) ADS_STATUS status; char *expr; const char *attrs[] = {"*", "msDS-SupportedEncryptionTypes", "nTSecurityDescriptor", NULL}; + TALLOC_CTX *frame = talloc_stackframe(); *res = NULL; /* the easiest way to find a machine account anywhere in the tree is to look for hostname$ */ - if (asprintf(&expr, "(samAccountName=%s$)", machine) == -1) { - DEBUG(1, ("asprintf failed!\n")); - return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + expr = talloc_asprintf(frame, "(samAccountName=%s$)", machine); + if (expr == NULL) { + status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto done; } status = ads_search(ads, res, expr, attrs); - SAFE_FREE(expr); + +done: + TALLOC_FREE(frame); return status; } -- 2.23.0 From be247641382d1cc730ab5cd1e8bebe92e1d3a6fc Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 14 Aug 2019 13:01:19 +0200 Subject: [PATCH 06/11] s3:libads: Fix detection if acount already exists in ads_find_machine_count() Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy (cherry picked from commit 4f389c1f78cdc2424795e3b2a1ce43818c400c2d) --- source3/libads/ldap.c | 36 ++++++++++++++++++++++++++++-------- 1 file changed, 28 insertions(+), 8 deletions(-) diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 3bc9a2a06aa..ec6ad61a55c 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -1366,7 +1366,21 @@ char *ads_parent_dn(const char *dn) { ADS_STATUS status; char *expr; - const char *attrs[] = {"*", "msDS-SupportedEncryptionTypes", "nTSecurityDescriptor", NULL}; + const char *attrs[] = { + /* This is how Windows checks for machine accounts */ + "objectClass", + "SamAccountName", + "userAccountControl", + "DnsHostName", + "ServicePrincipalName", + "unicodePwd", + + /* Additional attributes Samba checks */ + "msDS-SupportedEncryptionTypes", + "nTSecurityDescriptor", + + NULL + }; TALLOC_CTX *frame = talloc_stackframe(); *res = NULL; @@ -1380,6 +1394,11 @@ char *ads_parent_dn(const char *dn) } status = ads_search(ads, res, expr, attrs); + if (ADS_ERR_OK(status)) { + if (ads_count_replies(ads, *res) != 1) { + status = ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT); + } + } done: TALLOC_FREE(frame); @@ -1867,11 +1886,11 @@ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machin char *dn_string = NULL; ret = ads_find_machine_acct(ads, &res, machine_name); - if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) { + if (!ADS_ERR_OK(ret)) { DEBUG(5,("ads_clear_service_principal_names: WARNING: Host Account for %s not found... skipping operation.\n", machine_name)); DEBUG(5,("ads_clear_service_principal_names: WARNING: Service Principals for %s have NOT been cleared.\n", machine_name)); ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_SUCH_OBJECT); + return ret; } DEBUG(5,("ads_clear_service_principal_names: Host account for %s found\n", machine_name)); @@ -2027,12 +2046,12 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads, const char **servicePrincipalName = spns; ret = ads_find_machine_acct(ads, &res, machine_name); - if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) { + if (!ADS_ERR_OK(ret)) { DEBUG(1,("ads_add_service_principal_name: WARNING: Host Account for %s not found... skipping operation.\n", machine_name)); DEBUG(1,("ads_add_service_principal_name: WARNING: Service Principals have NOT been added.\n")); ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_SUCH_OBJECT); + return ret; } DEBUG(1,("ads_add_service_principal_name: Host account for %s found\n", machine_name)); @@ -2127,7 +2146,7 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, } ret = ads_find_machine_acct(ads, &res, machine_escaped); - if (ADS_ERR_OK(ret) && ads_count_replies(ads, res) == 1) { + if (ADS_ERR_OK(ret)) { DBG_DEBUG("Host account for %s already exists.\n", machine_escaped); ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS); @@ -3684,14 +3703,15 @@ ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname) TALLOC_FREE(hostnameDN); status = ads_find_machine_acct(ads, &res, host); - if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) { + if ((status.error_type == ENUM_ADS_ERROR_LDAP) && + (status.err.rc != LDAP_NO_SUCH_OBJECT)) { DEBUG(3, ("Failed to remove host account.\n")); SAFE_FREE(host); return status; } SAFE_FREE(host); - return status; + return ADS_SUCCESS; } /** -- 2.23.0 From d7485cee3652a91ac199f912d656713cf1ddafa9 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 14 Aug 2019 12:17:20 +0200 Subject: [PATCH 07/11] s3:libads: Don't set supported encryption types during account creation This is already handled by libnet_join_post_processing_ads_modify() which calls libnet_join_set_etypes() if encrytion types should be set. Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy (cherry picked from commit b755a6438022579dab1a403c81d60b1ed7efca38) --- source3/libads/ldap.c | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index ec6ad61a55c..8fbd97e25e2 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -2127,12 +2127,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, uint32_t acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\ UF_DONT_EXPIRE_PASSWD |\ UF_ACCOUNTDISABLE ); - uint32_t func_level = 0; - - ret = ads_domain_func_level(ads, &func_level); - if (!ADS_ERR_OK(ret)) { - return ret; - } ctx = talloc_init("ads_add_machine_acct"); if (ctx == NULL) { @@ -2184,18 +2178,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, ads_mod_strlist(ctx, &mods, "objectClass", objectClass); ads_mod_str(ctx, &mods, "userAccountControl", controlstr); - if (func_level >= DS_DOMAIN_FUNCTION_2008) { - const char *etype_list_str; - - etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list); - if (etype_list_str == NULL) { - ret = ADS_ERROR(LDAP_NO_MEMORY); - goto done; - } - ads_mod_str(ctx, &mods, "msDS-SupportedEncryptionTypes", - etype_list_str); - } - ret = ads_gen_add(ads, new_dn, mods); done: -- 2.23.0 From f8f7158ac639c516e6dcdeca9d41b94ba6d06134 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 13 Aug 2019 16:34:34 +0200 Subject: [PATCH 08/11] s3:libads: Fix creating machine account using LDAP This implements the same behaviour as Windows. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884 Pair-Programmed-With: Guenther Deschner Signed-off-by: Guenther Deschner Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy (cherry picked from commit ce7762935051c862ecdd3e82d93096aac61dd292) --- source3/libads/ads_proto.h | 4 +- source3/libads/ldap.c | 118 +++++++++++++++++++++++++++++++---- source3/libnet/libnet_join.c | 23 ++++--- 3 files changed, 124 insertions(+), 21 deletions(-) diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h index 92bb3a22cdb..495ef5d3325 100644 --- a/source3/libads/ads_proto.h +++ b/source3/libads/ads_proto.h @@ -114,8 +114,10 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads, const char *machine_ const char **spns); ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name, + const char *machine_password, const char *org_unit, - uint32_t etype_list); + uint32_t etype_list, + const char *dns_domain_name); ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name, const char *org_unit, bool *moved); int ads_count_replies(ADS_STRUCT *ads, void *res); diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 8fbd97e25e2..81efda0cf30 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -1516,7 +1516,6 @@ ADS_STATUS ads_mod_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods, name, (const void **) vals); } -#if 0 /** * Add a single ber-encoded value to a mod list * @param ctx An initialized TALLOC_CTX @@ -1537,7 +1536,6 @@ static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods, return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES, name, (const void **) values); } -#endif static void ads_print_error(int ret, LDAP *ld) { @@ -2111,8 +2109,10 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads, ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name, + const char *machine_password, const char *org_unit, - uint32_t etype_list) + uint32_t etype_list, + const char *dns_domain_name) { ADS_STATUS ret; char *samAccountName = NULL; @@ -2120,13 +2120,23 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, TALLOC_CTX *ctx = NULL; ADS_MODLIST mods; char *machine_escaped = NULL; + char *dns_hostname = NULL; char *new_dn = NULL; - const char *objectClass[] = {"top", "person", "organizationalPerson", - "user", "computer", NULL}; + char *utf8_pw = NULL; + size_t utf8_pw_len = 0; + char *utf16_pw = NULL; + size_t utf16_pw_len = 0; + struct berval machine_pw_val; + bool ok; + const char **spn_array = NULL; + size_t num_spns = 0; + const char *spn_prefix[] = { + "HOST", + "RestrictedKrbHost", + }; + size_t i; LDAPMessage *res = NULL; - uint32_t acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\ - UF_DONT_EXPIRE_PASSWD |\ - UF_ACCOUNTDISABLE ); + uint32_t acct_control = UF_WORKSTATION_TRUST_ACCOUNT; ctx = talloc_init("ads_add_machine_acct"); if (ctx == NULL) { @@ -2139,10 +2149,9 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, goto done; } + /* Check if the machine account already exists. */ ret = ads_find_machine_acct(ads, &res, machine_escaped); if (ADS_ERR_OK(ret)) { - DBG_DEBUG("Host account for %s already exists.\n", - machine_escaped); ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS); ads_msgfree(ads, res); goto done; @@ -2155,28 +2164,111 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, goto done; } + /* Create machine account */ + samAccountName = talloc_asprintf(ctx, "%s$", machine_name); if (samAccountName == NULL) { ret = ADS_ERROR(LDAP_NO_MEMORY); goto done; } + dns_hostname = talloc_asprintf(ctx, + "%s.%s", + machine_name, + dns_domain_name); + if (dns_hostname == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + + /* Add dns_hostname SPNs */ + for (i = 0; i < ARRAY_SIZE(spn_prefix); i++) { + char *spn = talloc_asprintf(ctx, + "%s/%s", + spn_prefix[i], + dns_hostname); + if (spn == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + + ok = add_string_to_array(spn_array, + spn, + &spn_array, + &num_spns); + if (!ok) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + } + + /* Add machine_name SPNs */ + for (i = 0; i < ARRAY_SIZE(spn_prefix); i++) { + char *spn = talloc_asprintf(ctx, + "%s/%s", + spn_prefix[i], + machine_name); + if (spn == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + + ok = add_string_to_array(spn_array, + spn, + &spn_array, + &num_spns); + if (!ok) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + } + + /* Make sure to NULL terminate the array */ + spn_array = talloc_realloc(ctx, spn_array, const char *, num_spns + 1); + if (spn_array == NULL) { + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } + spn_array[num_spns] = NULL; + controlstr = talloc_asprintf(ctx, "%u", acct_control); if (controlstr == NULL) { ret = ADS_ERROR(LDAP_NO_MEMORY); goto done; } + utf8_pw = talloc_asprintf(ctx, "\"%s\"", machine_password); + if (utf8_pw == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + utf8_pw_len = strlen(utf8_pw); + + ok = convert_string_talloc(ctx, + CH_UTF8, CH_UTF16MUNGED, + utf8_pw, utf8_pw_len, + (void *)&utf16_pw, &utf16_pw_len); + if (!ok) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + + machine_pw_val = (struct berval) { + .bv_val = utf16_pw, + .bv_len = utf16_pw_len, + }; + mods = ads_init_mods(ctx); if (mods == NULL) { ret = ADS_ERROR(LDAP_NO_MEMORY); goto done; } - ads_mod_str(ctx, &mods, "cn", machine_name); - ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName); - ads_mod_strlist(ctx, &mods, "objectClass", objectClass); + ads_mod_str(ctx, &mods, "objectClass", "Computer"); + ads_mod_str(ctx, &mods, "SamAccountName", samAccountName); ads_mod_str(ctx, &mods, "userAccountControl", controlstr); + ads_mod_str(ctx, &mods, "DnsHostName", dns_hostname); + ads_mod_strlist(ctx, &mods, "ServicePrincipalName", spn_array); + ads_mod_ber(ctx, &mods, "unicodePwd", &machine_pw_val); ret = ads_gen_add(ads, new_dn, mods); diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index a512afc238a..d5c8599beee 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -338,10 +338,22 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx, /* Attempt to create the machine account and bail if this fails. Assume that the admin wants exactly what they requested */ + if (r->in.machine_password == NULL) { + r->in.machine_password = + trust_pw_new_value(mem_ctx, + r->in.secure_channel_type, + SEC_ADS); + if (r->in.machine_password == NULL) { + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } + } + status = ads_create_machine_acct(r->in.ads, r->in.machine_name, + r->in.machine_password, r->in.account_ou, - r->in.desired_encryption_types); + r->in.desired_encryption_types, + r->out.dns_domain_name); if (ADS_ERR_OK(status)) { DEBUG(1,("machine account creation created\n")); @@ -2668,12 +2680,11 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, if (ADS_ERR_OK(ads_status)) { /* - * LDAP object create succeeded, now go to the rpc - * password set routines + * LDAP object creation succeeded. */ - r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE; - goto rpc_join; + + return WERR_OK; } if (initial_account_ou != NULL) { @@ -2687,8 +2698,6 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, DBG_INFO("Failed to pre-create account in OU %s: %s\n", r->in.account_ou, ads_errstr(ads_status)); } - rpc_join: - #endif /* HAVE_ADS */ if ((r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) && -- 2.23.0 From f37eaa71dbd1cb206e8f3bcf251fc42308aa561d Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 14 Aug 2019 10:15:19 +0200 Subject: [PATCH 09/11] s3:libnet: Improve debug messages Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy (cherry picked from commit 39b8c8b30a5d5bd70f8da3a02cf77f7592788b94) --- source3/libnet/libnet_join.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index d5c8599beee..31d1d221ed3 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -356,7 +356,7 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx, r->out.dns_domain_name); if (ADS_ERR_OK(status)) { - DEBUG(1,("machine account creation created\n")); + DBG_WARNING("Machine account successfully created\n"); return status; } else if ((status.error_type == ENUM_ADS_ERROR_LDAP) && (status.err.rc == LDAP_ALREADY_EXISTS)) { @@ -364,7 +364,7 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx, } if (!ADS_ERR_OK(status)) { - DEBUG(1,("machine account creation failed\n")); + DBG_WARNING("Failed to create machine account\n"); return status; } -- 2.23.0 From d590cf9739393e15aa4d9cc86ca56f93db6f1a2b Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 8 Aug 2019 14:40:04 +0200 Subject: [PATCH 10/11] s3:libads: Just change the machine password if account already exists BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884 Pair-Programmed-With: Guenther Deschner Signed-off-by: Guenther Deschner Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy (cherry picked from commit 14f320fa1e40ecc3a43dabb0cecd57430270a521) --- source3/libads/ldap.c | 167 ++++++++++++++++++++++++++++++----- source3/libnet/libnet_join.c | 1 + 2 files changed, 146 insertions(+), 22 deletions(-) diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index 81efda0cf30..afae46d2e79 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -2098,6 +2098,127 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads, return ret; } +static uint32_t ads_get_acct_ctrl(ADS_STRUCT *ads, + LDAPMessage *msg) +{ + uint32_t acct_ctrl = 0; + bool ok; + + ok = ads_pull_uint32(ads, msg, "userAccountControl", &acct_ctrl); + if (!ok) { + return 0; + } + + return acct_ctrl; +} + +static ADS_STATUS ads_change_machine_acct(ADS_STRUCT *ads, + LDAPMessage *msg, + const struct berval *machine_pw_val) +{ + ADS_MODLIST mods; + ADS_STATUS ret; + TALLOC_CTX *frame = talloc_stackframe(); + uint32_t acct_control; + char *control_str = NULL; + const char *attrs[] = { + "objectSid", + NULL + }; + LDAPMessage *res = NULL; + char *dn = NULL; + + dn = ads_get_dn(ads, frame, msg); + if (dn == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + + acct_control = ads_get_acct_ctrl(ads, msg); + if (acct_control == 0) { + ret = ADS_ERROR(LDAP_NO_RESULTS_RETURNED); + goto done; + } + + /* + * Changing the password, disables the account. So we need to change the + * userAccountControl flags to enable it again. + */ + mods = ads_init_mods(frame); + if (mods == NULL) { + ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY); + goto done; + } + + ads_mod_ber(frame, &mods, "unicodePwd", machine_pw_val); + + ret = ads_gen_mod(ads, dn, mods); + if (!ADS_ERR_OK(ret)) { + goto done; + } + TALLOC_FREE(mods); + + /* + * To activate the account, we need to disable and enable it. + */ + acct_control |= UF_ACCOUNTDISABLE; + + control_str = talloc_asprintf(frame, "%u", acct_control); + if (control_str == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + + mods = ads_init_mods(frame); + if (mods == NULL) { + ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY); + goto done; + } + + ads_mod_str(frame, &mods, "userAccountControl", control_str); + + ret = ads_gen_mod(ads, dn, mods); + if (!ADS_ERR_OK(ret)) { + goto done; + } + TALLOC_FREE(mods); + TALLOC_FREE(control_str); + + /* + * Enable the account again. + */ + acct_control &= ~UF_ACCOUNTDISABLE; + + control_str = talloc_asprintf(frame, "%u", acct_control); + if (control_str == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + + mods = ads_init_mods(frame); + if (mods == NULL) { + ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY); + goto done; + } + + ads_mod_str(frame, &mods, "userAccountControl", control_str); + + ret = ads_gen_mod(ads, dn, mods); + if (!ADS_ERR_OK(ret)) { + goto done; + } + TALLOC_FREE(mods); + TALLOC_FREE(control_str); + + ret = ads_search_dn(ads, &res, dn, attrs); + ads_msgfree(ads, res); + +done: + talloc_free(frame); + + return ret; +} + /** * adds a machine account to the ADS server * @param ads An intialized ADS_STRUCT @@ -2149,11 +2270,34 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, goto done; } + utf8_pw = talloc_asprintf(ctx, "\"%s\"", machine_password); + if (utf8_pw == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + utf8_pw_len = strlen(utf8_pw); + + ok = convert_string_talloc(ctx, + CH_UTF8, CH_UTF16MUNGED, + utf8_pw, utf8_pw_len, + (void *)&utf16_pw, &utf16_pw_len); + if (!ok) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + + machine_pw_val = (struct berval) { + .bv_val = utf16_pw, + .bv_len = utf16_pw_len, + }; + /* Check if the machine account already exists. */ ret = ads_find_machine_acct(ads, &res, machine_escaped); if (ADS_ERR_OK(ret)) { - ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS); + /* Change the machine account password */ + ret = ads_change_machine_acct(ads, res, &machine_pw_val); ads_msgfree(ads, res); + goto done; } ads_msgfree(ads, res); @@ -2236,27 +2380,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, goto done; } - utf8_pw = talloc_asprintf(ctx, "\"%s\"", machine_password); - if (utf8_pw == NULL) { - ret = ADS_ERROR(LDAP_NO_MEMORY); - goto done; - } - utf8_pw_len = strlen(utf8_pw); - - ok = convert_string_talloc(ctx, - CH_UTF8, CH_UTF16MUNGED, - utf8_pw, utf8_pw_len, - (void *)&utf16_pw, &utf16_pw_len); - if (!ok) { - ret = ADS_ERROR(LDAP_NO_MEMORY); - goto done; - } - - machine_pw_val = (struct berval) { - .bv_val = utf16_pw, - .bv_len = utf16_pw_len, - }; - mods = ads_init_mods(ctx); if (mods == NULL) { ret = ADS_ERROR(LDAP_NO_MEMORY); diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 31d1d221ed3..1052afde641 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -968,6 +968,7 @@ static ADS_STATUS libnet_join_post_processing_ads_modify(TALLOC_CTX *mem_ctx, if (r->in.ads->auth.ccache_name != NULL) { ads_kdestroy(r->in.ads->auth.ccache_name); + r->in.ads->auth.ccache_name = NULL; } ads_destroy(&r->in.ads); -- 2.23.0 From 2209c01f8069d47b47c8fc5df376cc9c41c552e1 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 22 Aug 2019 16:31:30 +0200 Subject: [PATCH 11/11] testprogs: Add test for 'net ads join createcomputer=' Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Wed Oct 9 08:26:17 UTC 2019 on sn-devel-184 (cherry picked from commit 459b43e5776180dc1540cd845b72ff78747ecd6f) --- testprogs/blackbox/test_net_ads.sh | 32 ++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh index 512aa9d2952..cc8345c4624 100755 --- a/testprogs/blackbox/test_net_ads.sh +++ b/testprogs/blackbox/test_net_ads.sh @@ -31,6 +31,16 @@ if [ -x "$BINDIR/ldbsearch" ]; then ldbsearch="$BINDIR/ldbsearch" fi +ldbadd="ldbadd" +if [ -x "$BINDIR/ldbadd" ]; then + ldbadd="$BINDIR/ldbadd" +fi + +ldbdel="ldbdel" +if [ -x "$BINDIR/ldbdel" ]; then + ldbdel="$BINDIR/ldbdel" +fi + # Load test functions . `dirname $0`/subunit.sh @@ -188,8 +198,9 @@ testit "testjoin user+password" $VALGRIND $net_tool ads testjoin -U$DC_USERNAME% testit "leave+keep_account" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD --keep-account || failed=`expr $failed + 1` -computers_ldb_ou="CN=Computers,DC=addom,DC=samba,DC=example,DC=com" -testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,$computers_ldb_ou" || failed=`expr $failed + 1` +base_dn="DC=addom,DC=samba,DC=example,DC=com" +computers_dn="CN=Computers,$base_dn" +testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,$computers_dn" || failed=`expr $failed + 1` testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` @@ -198,6 +209,23 @@ testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1` ##Goodbye... testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` +# +# Test createcomputer option of 'net ads join' +# +testit "Create OU=Servers,$base_dn" $VALGRIND $ldbadd -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER <