summaryrefslogtreecommitdiff
path: root/source3/passdb/smbpassfile.c
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2000-05-08 10:42:21 +0000
committerAndrew Tridgell <tridge@samba.org>2000-05-08 10:42:21 +0000
commit2958dfcdf87d5169fe1152806be6ad03acb04d88 (patch)
tree3eb5efae1375bb736cd7b73655ea7a1cb5503ad8 /source3/passdb/smbpassfile.c
parent722a4bfa9feed9f58d9b032d951ee62c81611086 (diff)
downloadsamba-2958dfcdf87d5169fe1152806be6ad03acb04d88.tar.gz
samba-2958dfcdf87d5169fe1152806be6ad03acb04d88.tar.bz2
samba-2958dfcdf87d5169fe1152806be6ad03acb04d88.zip
added secrets.tdb and changed storage of trust account password to use
it (This used to be commit 88ad00b82acc4636ab57dfe710af08ea85b82ff1)
Diffstat (limited to 'source3/passdb/smbpassfile.c')
-rw-r--r--source3/passdb/smbpassfile.c241
1 files changed, 22 insertions, 219 deletions
diff --git a/source3/passdb/smbpassfile.c b/source3/passdb/smbpassfile.c
index bbe24131b8..035da2a4cf 100644
--- a/source3/passdb/smbpassfile.c
+++ b/source3/passdb/smbpassfile.c
@@ -19,14 +19,11 @@
#include "includes.h"
-extern int DEBUGLEVEL;
-
BOOL global_machine_password_needs_changing = False;
/***************************************************************
Lock an fd. Abandon after waitsecs seconds.
****************************************************************/
-
BOOL pw_file_lock(int fd, int type, int secs, int *plock_depth)
{
if (fd < 0)
@@ -48,7 +45,6 @@ BOOL pw_file_lock(int fd, int type, int secs, int *plock_depth)
/***************************************************************
Unlock an fd. Abandon after waitsecs seconds.
****************************************************************/
-
BOOL pw_file_unlock(int fd, int *plock_depth)
{
BOOL ret=True;
@@ -65,247 +61,54 @@ BOOL pw_file_unlock(int fd, int *plock_depth)
return ret;
}
-static int mach_passwd_lock_depth;
-static FILE *mach_passwd_fp;
-
/************************************************************************
- Routine to get the name for a trust account file.
+form a key for fetching a domain trust password
************************************************************************/
-
-static void get_trust_account_file_name( char *domain, char *name, char *mac_file)
+static char *trust_keystr(char *domain)
{
- unsigned int mac_file_len;
- char *p;
-
- pstrcpy(mac_file, lp_smb_passwd_file());
- p = strrchr(mac_file, '/');
- if(p != NULL)
- *++p = '\0';
-
- mac_file_len = strlen(mac_file);
-
- if ((int)(sizeof(pstring) - mac_file_len - strlen(domain) - strlen(name) - 6) < 0)
- {
- DEBUG(0,("trust_password_lock: path %s too long to add trust details.\n",
- mac_file));
- return;
- }
-
- pstrcat(mac_file, domain);
- pstrcat(mac_file, ".");
- pstrcat(mac_file, name);
- pstrcat(mac_file, ".mac");
-}
-
-/************************************************************************
- Routine to lock the trust account password file for a domain.
-************************************************************************/
-
-BOOL trust_password_lock( char *domain, char *name, BOOL update)
-{
- pstring mac_file;
-
- if(mach_passwd_lock_depth == 0) {
-
- get_trust_account_file_name( domain, name, mac_file);
-
- if((mach_passwd_fp = sys_fopen(mac_file, "r+b")) == NULL) {
- if(errno == ENOENT && update) {
- mach_passwd_fp = sys_fopen(mac_file, "w+b");
- }
-
- if(mach_passwd_fp == NULL) {
- DEBUG(0,("trust_password_lock: cannot open file %s - Error was %s.\n",
- mac_file, strerror(errno) ));
- return False;
- }
- }
-
- chmod(mac_file, 0600);
-
- if(!pw_file_lock(fileno(mach_passwd_fp), (update ? F_WRLCK : F_RDLCK),
- 60, &mach_passwd_lock_depth))
- {
- DEBUG(0,("trust_password_lock: cannot lock file %s\n", mac_file));
- fclose(mach_passwd_fp);
- return False;
- }
-
- }
-
- return True;
+ static fstring keystr;
+ slprintf(keystr,sizeof(keystr),"%s/%s", SECRETS_MACHINE_ACCT_PASS, domain);
+ return keystr;
}
-/************************************************************************
- Routine to unlock the trust account password file for a domain.
-************************************************************************/
-
-BOOL trust_password_unlock(void)
-{
- BOOL ret = pw_file_unlock(fileno(mach_passwd_fp), &mach_passwd_lock_depth);
- if(mach_passwd_lock_depth == 0)
- fclose(mach_passwd_fp);
- return ret;
-}
/************************************************************************
Routine to delete the trust account password file for a domain.
************************************************************************/
-
-BOOL trust_password_delete( char *domain, char *name )
+BOOL trust_password_delete(char *domain)
{
- pstring mac_file;
-
- get_trust_account_file_name( domain, name, mac_file);
- return (unlink( mac_file ) == 0);
+ return secrets_delete(trust_keystr(domain));
}
/************************************************************************
Routine to get the trust account password for a domain.
The user of this function must have locked the trust password file.
************************************************************************/
-
-BOOL get_trust_account_password( unsigned char *ret_pwd, time_t *pass_last_set_time)
+BOOL get_trust_account_password(char *domain, unsigned char *ret_pwd, time_t *pass_last_set_time)
{
- char linebuf[256];
- char *p;
- int i;
+ struct machine_acct_pass *pass;
+ size_t size;
- linebuf[0] = '\0';
+ if (!(pass = secrets_fetch(trust_keystr(domain), &size)) ||
+ size != sizeof(*pass)) return False;
- *pass_last_set_time = (time_t)0;
- memset(ret_pwd, '\0', 16);
-
- if(sys_fseek( mach_passwd_fp, (SMB_OFF_T)0, SEEK_SET) == -1) {
- DEBUG(0,("get_trust_account_password: Failed to seek to start of file. Error was %s.\n",
- strerror(errno) ));
- return False;
- }
-
- fgets(linebuf, sizeof(linebuf), mach_passwd_fp);
- if(ferror(mach_passwd_fp)) {
- DEBUG(0,("get_trust_account_password: Failed to read password. Error was %s.\n",
- strerror(errno) ));
- return False;
- }
-
- if(linebuf[strlen(linebuf)-1] == '\n')
- linebuf[strlen(linebuf)-1] = '\0';
-
- /*
- * The length of the line read
- * must be 45 bytes ( <---XXXX 32 bytes-->:TLC-12345678
- */
-
- if(strlen(linebuf) != 45) {
- DEBUG(0,("get_trust_account_password: Malformed trust password file (wrong length \
-- was %d, should be 45).\n", (int)strlen(linebuf)));
-#ifdef DEBUG_PASSWORD
- DEBUG(100,("get_trust_account_password: line = |%s|\n", linebuf));
-#endif
- return False;
- }
-
- /*
- * Get the hex password.
- */
-
- if (!pdb_gethexpwd((char *)linebuf, ret_pwd) || linebuf[32] != ':' ||
- strncmp(&linebuf[33], "TLC-", 4)) {
- DEBUG(0,("get_trust_account_password: Malformed trust password file (incorrect format).\n"));
-#ifdef DEBUG_PASSWORD
- DEBUG(100,("get_trust_account_password: line = |%s|\n", linebuf));
-#endif
- return False;
- }
-
- /*
- * Get the last changed time.
- */
- p = &linebuf[37];
-
- for(i = 0; i < 8; i++) {
- if(p[i] == '\0' || !isxdigit((int)p[i])) {
- DEBUG(0,("get_trust_account_password: Malformed trust password file (no timestamp).\n"));
-#ifdef DEBUG_PASSWORD
- DEBUG(100,("get_trust_account_password: line = |%s|\n", linebuf));
-#endif
- return False;
- }
- }
-
- /*
- * p points at 8 characters of hex digits -
- * read into a time_t as the seconds since
- * 1970 that the password was last changed.
- */
-
- *pass_last_set_time = (time_t)strtol(p, NULL, 16);
-
- return True;
+ if (pass_last_set_time) *pass_last_set_time = pass->mod_time;
+ memcpy(ret_pwd, pass->hash, 16);
+ free(pass);
+ return True;
}
+
/************************************************************************
Routine to get the trust account password for a domain.
The user of this function must have locked the trust password file.
************************************************************************/
-
-BOOL set_trust_account_password( unsigned char *md4_new_pwd)
+BOOL set_trust_account_password(char *domain, unsigned char *md4_new_pwd)
{
- char linebuf[64];
- int i;
+ struct machine_acct_pass pass;
- if(sys_fseek( mach_passwd_fp, (SMB_OFF_T)0, SEEK_SET) == -1) {
- DEBUG(0,("set_trust_account_password: Failed to seek to start of file. Error was %s.\n",
- strerror(errno) ));
- return False;
- }
+ pass.mod_time = time(NULL);
+ memcpy(pass.hash, md4_new_pwd, 16);
- for (i = 0; i < 16; i++)
- slprintf(&linebuf[(i*2)], sizeof(linebuf) - (i*2) - 1, "%02X", md4_new_pwd[i]);
-
- slprintf(&linebuf[32], 32, ":TLC-%08X\n", (unsigned)time(NULL));
-
- if(fwrite( linebuf, 1, 46, mach_passwd_fp)!= 46) {
- DEBUG(0,("set_trust_account_password: Failed to write file. Warning - the trust \
-account is now invalid. Please recreate. Error was %s.\n", strerror(errno) ));
- return False;
- }
-
- fflush(mach_passwd_fp);
- return True;
-}
-
-BOOL trust_get_passwd( unsigned char trust_passwd[16], char *domain, char *myname)
-{
- time_t lct;
-
- /*
- * Get the machine account password.
- */
- if(!trust_password_lock( domain, myname, False)) {
- DEBUG(0,("domain_client_validate: unable to open the machine account password file for \
-machine %s in domain %s.\n", myname, domain ));
- return False;
- }
-
- if(get_trust_account_password( trust_passwd, &lct) == False) {
- DEBUG(0,("domain_client_validate: unable to read the machine account password for \
-machine %s in domain %s.\n", myname, domain ));
- trust_password_unlock();
- return False;
- }
-
- trust_password_unlock();
-
- /*
- * Here we check the last change time to see if the machine
- * password needs changing. JRA.
- */
-
- if(time(NULL) > lct + lp_machine_password_timeout())
- {
- global_machine_password_needs_changing = True;
- }
- return True;
+ return secrets_store(trust_keystr(domain), (void *)&pass, sizeof(pass));
}