diff options
author | Jeremy Allison <jra@samba.org> | 2002-09-18 00:30:00 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2002-09-18 00:30:00 +0000 |
commit | 8b4bafc76fab88d78b7234c43c34338b61d42656 (patch) | |
tree | b2e505771f8f2d0b37f7e0f4926f57f5fe1faf21 | |
parent | 8b46126a076075aeed31dae1c80eca1ed9f5a251 (diff) | |
download | samba-8b4bafc76fab88d78b7234c43c34338b61d42656.tar.gz samba-8b4bafc76fab88d78b7234c43c34338b61d42656.tar.bz2 samba-8b4bafc76fab88d78b7234c43c34338b61d42656.zip |
We had a race condition when changing a machine acount password as we
were no longer locking the secrets entry. I saw this on a live system.
Jeremy.
(This used to be commit 660dafcbb2d1029831212a32d995891626a0344c)
-rw-r--r-- | source3/passdb/secrets.c | 22 | ||||
-rw-r--r-- | source3/smbd/process.c | 9 |
2 files changed, 30 insertions, 1 deletions
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c index b2bdaf2753..08a0e9c9ac 100644 --- a/source3/passdb/secrets.c +++ b/source3/passdb/secrets.c @@ -206,8 +206,27 @@ char *trustdom_keystr(const char *domain) } /************************************************************************ - Routine to get the machine trust account password for a domain. + Lock the trust password entry. ************************************************************************/ + +BOOL secrets_lock_trust_account_password(char *domain, BOOL dolock) +{ + if (!tdb) + return False; + + if (dolock) + return (tdb_lock_bystring(tdb, trust_keystr(domain)) == 0); + else + tdb_unlock_bystring(tdb, trust_keystr(domain)); + return True; +} + +/************************************************************************ + Routine to get the trust account password for a domain. + The user of this function must have locked the trust password file using + the above call. +************************************************************************/ + BOOL secrets_fetch_trust_account_password(char *domain, uint8 ret_pwd[16], time_t *pass_last_set_time) { @@ -243,6 +262,7 @@ BOOL secrets_fetch_trust_account_password(char *domain, uint8 ret_pwd[16], /************************************************************************ Routine to get account password to trusted domain ************************************************************************/ + BOOL secrets_fetch_trusted_domain_password(char *domain, char** pwd, DOM_SID *sid, time_t *pass_last_set_time) { diff --git a/source3/smbd/process.c b/source3/smbd/process.c index c796797fad..0f7cfd0e9c 100644 --- a/source3/smbd/process.c +++ b/source3/smbd/process.c @@ -1154,9 +1154,16 @@ static BOOL timeout_processing(int deadtime, int *select_timeout, time_t *last_t * First, open the machine password file with an exclusive lock. */ + if (secrets_lock_trust_account_password(global_myworkgroup, True) == False) { + DEBUG(0,("process: unable to lock the machine account password for \ +machine %s in domain %s.\n", global_myname, global_myworkgroup )); + return True; + } + if(!secrets_fetch_trust_account_password(global_myworkgroup, trust_passwd_hash, &lct)) { DEBUG(0,("process: unable to read the machine account password for \ machine %s in domain %s.\n", global_myname, global_myworkgroup )); + secrets_lock_trust_account_password(global_myworkgroup, False); return True; } @@ -1166,6 +1173,7 @@ machine %s in domain %s.\n", global_myname, global_myworkgroup )); if(t < lct + lp_machine_password_timeout()) { global_machine_password_needs_changing = False; + secrets_lock_trust_account_password(global_myworkgroup, False); return True; } @@ -1173,6 +1181,7 @@ machine %s in domain %s.\n", global_myname, global_myworkgroup )); change_trust_account_password( global_myworkgroup, remote_machine_list); global_machine_password_needs_changing = False; + secrets_lock_trust_account_password(global_myworkgroup, False); } /* |