Export logic of get_trust_pw() to new function get_trust_pw_clear().

get_trust_pw() just now computes the md4 hash of the result of
get_trust_pw_clear() if that was successful. As a last resort,
in the non-trusted-domain-situation, get_trust_pw() now tries to
directly obtain the hashed version of the password out of secrets.tdb.

Michael
(This used to be commit 4562342eb84e6fdcec15d8b7ae83aa146aabe2b7)

1 files changed, 58 insertions, 16 deletions

diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index f9b972da9b..488458fc85 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -1521,58 +1521,100 @@ bool pdb_increment_bad_password_count(struct samu *sampass)
 	return True;
 }
 
+bool is_trusted_domain_situation(const char *domain_name)
+{
+	return IS_DC &&
+		lp_allow_trusted_domains() &&
+		!strequal(domain_name, lp_workgroup());
+}
 
 /*******************************************************************
- Wrapper around retrieving the trust account password.
+ Wrapper around retrieving the clear text trust account password.
  appropriate account name is stored in account_name.
+ Caller must free password, but not account_name.
 *******************************************************************/
 
-bool get_trust_pw(const char *domain, uint8 ret_pwd[16],
-		  const char **account_name, uint32 *channel)
+bool get_trust_pw_clear(const char *domain, char **ret_pwd,
+			const char **account_name, uint32 *channel)
 {
 	DOM_SID sid;
 	char *pwd;
 	time_t last_set_time;
 
 	/* if we are a DC and this is not our domain, then lookup an account
-		for the domain trust */
+	 * for the domain trust */
 
-	if (IS_DC && !strequal(domain, lp_workgroup()) &&
-	    lp_allow_trusted_domains())
-	{
-		if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &last_set_time))
+	if (is_trusted_domain_situation(domain)) {
+		if (!pdb_get_trusteddom_pw(domain, ret_pwd, &sid,
+					   &last_set_time))
 		{
 			DEBUG(0, ("get_trust_pw: could not fetch trust "
 				"account password for trusted domain %s\n",
 				domain));
-			return False;
+			return false;
 		}
 
 		*channel = SEC_CHAN_DOMAIN;
-		E_md4hash(pwd, ret_pwd);
-		SAFE_FREE(pwd);
 
 		if (account_name != NULL) {
 			*account_name = lp_workgroup();
 		}
 
-		return True;
+		return true;
 	}
 
 	/* Just get the account for the requested domain. In the future this
 	 * might also cover to be member of more than one domain. */
 
-	if (secrets_fetch_trust_account_password(domain, ret_pwd,
-						&last_set_time, channel))
+	pwd = secrets_fetch_machine_password(domain, &last_set_time, channel);
+
+	if (pwd != NULL) {
+		*ret_pwd = pwd;
+		if (account_name != NULL) {
+			*account_name = global_myname();
+		}
+
+		return true;
+	}
+
+	DEBUG(5, ("get_trust_pw_clear: could not fetch clear text trust "
+		  "account password for domain %s\n", domain));
+	return false;
+}
+
+/*******************************************************************
+ Wrapper around retrieving the trust account password.
+ appropriate account name is stored in account_name.
+*******************************************************************/
+
+bool get_trust_pw(const char *domain, uint8 ret_pwd[16],
+		  const char **account_name, uint32 *channel)
+{
+	char *pwd = NULL;
+	time_t last_set_time;
+
+	if (get_trust_pw_clear(domain, &pwd, account_name, channel)) {
+		E_md4hash(pwd, ret_pwd);
+		SAFE_FREE(pwd);
+		return true;
+	} else if (is_trusted_domain_situation(domain)) {
+		return false;
+	}
+
+	/* as a fallback, try to get the hashed pwd directly from the tdb... */
+
+	if (secrets_fetch_trust_account_password_legacy(domain, ret_pwd,
+							&last_set_time,
+							channel))
 	{
 		if (account_name != NULL) {
 			*account_name = global_myname();
 		}
 
-		return True;
+		return true;
 	}
 
-	DEBUG(5, ("get_trust_pw: could not fetch trust account "
+	DEBUG(5, ("get_trust_pw_hash: could not fetch trust account "
 		"password for domain %s\n", domain));
 	return False;
 }