authorVolker Lendecke <vl@samba.org>2009-10-05 22:14:06 +0200
committerVolker Lendecke <vl@samba.org>2009-10-05 22:14:06 +0200
commit872f9c4f91731f122cfb2efc9e5a2d391408e916 (patch)
treefed53c678a63ab3be482dab743c9ecc07425dd2a
parent5bafaa73f6dda13b05744b177cb18a310cb2f749 (diff)
Revert "s3: Attempt to fix machine password change"
This reverts commit 20a8ea91e10af167067cc794a251265aaf489e75. Ooops, this should not have been committed.
-rw-r--r--source3/include/client.h1
-rw-r--r--source3/include/proto.h9
-rw-r--r--source3/libnet/libnet_join.c9
-rw-r--r--source3/libsmb/trusts_util.c8
-rw-r--r--source3/rpc_client/cli_netlogon.c51
-rw-r--r--source3/winbindd/winbindd_cm.c2
-rw-r--r--source3/winbindd/winbindd_dual.c42
7 files changed, 37 insertions, 85 deletions
diff --git a/source3/include/client.h b/source3/include/client.h
index ba3a4e782c..82d94b055f 100644
--- a/source3/include/client.h
+++ b/source3/include/client.h
@@ -147,7 +147,6 @@ struct rpc_pipe_client {
/* The following is only non-null on a netlogon client pipe. */
struct netlogon_creds_CredentialState *dc;
- uint32_t auth_neg_flags;
/* Used by internal rpc_pipe_client */
pipes_struct *pipes_struct;
diff --git a/source3/include/proto.h b/source3/include/proto.h
index a9768ba256..c8e4fe1916 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -5240,14 +5240,7 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
const unsigned char orig_trust_passwd_hash[16],
const char *new_trust_pwd_cleartext,
const unsigned char new_trust_passwd_hash[16],
- uint32_t sec_channel_type,
- uint32_t neg_flags);
-NTSTATUS rpccli_netlogon_auth_set_trust_password(struct rpc_pipe_client *cli,
- TALLOC_CTX *mem_ctx,
- const unsigned char orig_trust_passwd_hash[16],
- const char *new_trust_pwd_cleartext,
- const unsigned char new_trust_passwd_hash[16],
- uint32_t sec_channel_type);
+ uint32_t sec_channel_type);
/* The following definitions come from rpc_client/cli_pipe.c */
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 70b28e3988..8c3030711b 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -788,10 +788,11 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
E_md4hash(trust_passwd, orig_trust_passwd_hash);
- status = rpccli_netlogon_auth_set_trust_password(
- pipe_hnd, mem_ctx, orig_trust_passwd_hash,
- r->in.machine_password, new_trust_passwd_hash,
- r->in.secure_channel_type);
+ status = rpccli_netlogon_set_trust_password(pipe_hnd, mem_ctx,
+ orig_trust_passwd_hash,
+ r->in.machine_password,
+ new_trust_passwd_hash,
+ r->in.secure_channel_type);
return status;
}
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index d9b75704e3..adf1525812 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -46,9 +46,11 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
E_md4hash(new_trust_passwd, new_trust_passwd_hash);
- nt_status = rpccli_netlogon_auth_set_trust_password(
- cli, mem_ctx, orig_trust_passwd_hash, new_trust_passwd,
- new_trust_passwd_hash, sec_channel_type);
+ nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
+ orig_trust_passwd_hash,
+ new_trust_passwd,
+ new_trust_passwd_hash,
+ sec_channel_type);
if (NT_STATUS_IS_OK(nt_status)) {
DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index db7d1357c7..911a50f393 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -512,12 +512,27 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
const unsigned char orig_trust_passwd_hash[16],
const char *new_trust_pwd_cleartext,
const unsigned char new_trust_passwd_hash[16],
- uint32_t sec_channel_type,
- uint32_t neg_flags)
+ uint32_t sec_channel_type)
{
NTSTATUS result;
+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
struct netr_Authenticator clnt_creds, srv_cred;
+ result = rpccli_netlogon_setup_creds(cli,
+ cli->desthost, /* server name */
+ lp_workgroup(), /* domain */
+ global_myname(), /* client name */
+ global_myname(), /* machine account name */
+ orig_trust_passwd_hash,
+ sec_channel_type,
+ &neg_flags);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(3,("rpccli_netlogon_set_trust_password: unable to setup creds (%s)!\n",
+ nt_errstr(result)));
+ return result;
+ }
+
netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
if (neg_flags & NETLOGON_NEG_PASSWORD_SET2) {
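Review bot: The call to `rpccli_netlogon_setup_creds()` added at the top of `rpccli_netlogon_set_trust_password()` makes every password change start a fresh netlogon credential negotiation on `cli`, and nothing in the function's header says so. A caller that passes a pipe which already carries netlogon credentials (the winbindd handler in winbindd_dual.c appears to reach this function through `trust_pw_find_change_and_store_it()`) would presumably have `cli->dc` replaced; that is inferred, since `rpccli_netlogon_setup_creds()` is not shown on this page. The choice between the password-set calls further down is driven by `neg_flags`, which is handed to the setup call by pointer, so the flags that call leaves there decide which request carries the new password. I would add above the function: `/* Runs rpccli_netlogon_setup_creds() on cli first; any existing cli->dc state is renegotiated, and the resulting neg_flags select the password-set call used. */`. The function body continues past the end of this hunk.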
@@ -571,35 +586,3 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
return result;
}
-NTSTATUS rpccli_netlogon_auth_set_trust_password(struct rpc_pipe_client *cli,
- TALLOC_CTX *mem_ctx,
- const unsigned char orig_trust_passwd_hash[16],
- const char *new_trust_pwd_cleartext,
- const unsigned char new_trust_passwd_hash[16],
- uint32_t sec_channel_type)
-{
- NTSTATUS result;
- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
-
- result = rpccli_netlogon_setup_creds(cli,
- cli->desthost, /* server name */
- lp_workgroup(), /* domain */
- global_myname(), /* client name */
- global_myname(), /* machine account name */
- orig_trust_passwd_hash,
- sec_channel_type,
- &neg_flags);
-
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(3,("rpccli_netlogon_set_trust_password: unable to setup creds (%s)!\n",
- nt_errstr(result)));
- return result;
- }
-
- return rpccli_netlogon_set_trust_password(cli, mem_ctx,
- orig_trust_passwd_hash,
- new_trust_pwd_cleartext,
- new_trust_passwd_hash,
- sec_channel_type,
- neg_flags);
-}
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 029a0210d1..9a788397a9 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2470,8 +2470,6 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
return !NT_STATUS_IS_OK(result) ? result : NT_STATUS_PIPE_NOT_AVAILABLE;
}
- conn->netlogon_pipe->auth_neg_flags = neg_flags;
-
/*
* Try NetSamLogonEx for AD domains
*/
diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
index 546f5f0131..edf784cc21 100644
--- a/source3/winbindd/winbindd_dual.c
+++ b/source3/winbindd/winbindd_dual.c
@@ -30,7 +30,6 @@
#include "includes.h"
#include "winbindd.h"
#include "../../nsswitch/libwbclient/wbc_async.h"
-#include "../libcli/auth/libcli_auth.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
@@ -1062,12 +1061,9 @@ static void machine_password_change_handler(struct event_context *ctx,
struct winbindd_child *child =
(struct winbindd_child *)private_data;
struct rpc_pipe_client *netlogon_pipe = NULL;
+ TALLOC_CTX *frame;
NTSTATUS result;
struct timeval next_change;
- uint8_t old_trust_passwd_hash[16];
- uint8_t new_trust_passwd_hash[16];
- char *new_trust_passwd;
- uint32_t sec_channel_type = 0;
DEBUG(10,("machine_password_change_handler called\n"));
@@ -1093,42 +1089,22 @@ static void machine_password_change_handler(struct event_context *ctx,
return;
}
- if (!secrets_fetch_trust_account_password(
- child->domain->name, old_trust_passwd_hash, NULL,
- &sec_channel_type)) {
- DEBUG(0, ("could not fetch domain secrets for domain %s!\n",
- child->domain->name));
- return;
- }
-
- new_trust_passwd = generate_random_str(
- talloc_tos(), DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
- if (new_trust_passwd == NULL) {
- DEBUG(0, ("talloc_strdup failed\n"));
- return;
- }
+ frame = talloc_stackframe();
- E_md4hash(new_trust_passwd, new_trust_passwd_hash);
-
- result = rpccli_netlogon_set_trust_password(
- netlogon_pipe, talloc_tos(), old_trust_passwd_hash,
- new_trust_passwd, new_trust_passwd_hash, sec_channel_type,
- netlogon_pipe->auth_neg_flags);
+ result = trust_pw_find_change_and_store_it(netlogon_pipe,
+ frame,
+ child->domain->name);
+ TALLOC_FREE(frame);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("machine_password_change_handler: "
"failed to change machine password: %s\n",
nt_errstr(result)));
- /*
- * Don't try a second time, this will very likely also
- * fail.
- */
- return;
+ } else {
+ DEBUG(10,("machine_password_change_handler: "
+ "successfully changed machine password\n"));
}
- DEBUG(3,("machine_password_change_handler: Changed password at %s.\n",
- current_timestring(debug_ctx(), False)));
-
child->machine_password_change_event = event_add_timed(winbind_event_context(), NULL,
next_change,
machine_password_change_handler,
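Review bot: Both outcomes of the password change are now logged only at `DEBUG(10, ...)`, and the early `return` on failure is gone, so a failed machine-account rotation is invisible at normal log levels while the handler falls through to `event_add_timed()` and re-arms itself. A trust password that silently stops rotating is something an operator should be able to see; I would raise the failure branch, e.g. `DEBUG(1,("machine_password_change_handler: failed to change machine password: %s\n", nt_errstr(result)));`, and keep the success message at level 3 as the removed code did. Whether re-arming after a failure is reasonable depends on how `next_change` is computed, which happens above this hunk. The `event_add_timed()` call and the rest of the function continue past the hunk's end.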