We had a race condition when changing a machine acount password as we

were no longer locking the secrets entry. I saw this on a live system.
Jeremy.
(This used to be commit 660dafcbb2d1029831212a32d995891626a0344c)

1 files changed, 21 insertions, 1 deletions

diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index b2bdaf2753..08a0e9c9ac 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -206,8 +206,27 @@ char *trustdom_keystr(const char *domain)
 }
 
 /************************************************************************
- Routine to get the machine trust account password for a domain.
+ Lock the trust password entry.
 ************************************************************************/
+
+BOOL secrets_lock_trust_account_password(char *domain, BOOL dolock)
+{
+	if (!tdb)
+		return False;
+
+	if (dolock)
+		return (tdb_lock_bystring(tdb, trust_keystr(domain)) == 0);
+	else
+		tdb_unlock_bystring(tdb, trust_keystr(domain));
+	return True;
+}
+
+/************************************************************************
+ Routine to get the trust account password for a domain.
+ The user of this function must have locked the trust password file using
+ the above call.
+************************************************************************/
+
 BOOL secrets_fetch_trust_account_password(char *domain, uint8 ret_pwd[16],
 					  time_t *pass_last_set_time)
 {
@@ -243,6 +262,7 @@ BOOL secrets_fetch_trust_account_password(char *domain, uint8 ret_pwd[16],
 /************************************************************************
  Routine to get account password to trusted domain
 ************************************************************************/
+
 BOOL secrets_fetch_trusted_domain_password(char *domain, char** pwd,
 					   DOM_SID *sid, time_t *pass_last_set_time)
 {