Store the type of 'sec channel' that we establish to the DC. If we are a

workstation, we have to use the workstation type, if we have a BDC account,
we must use the BDC type - even if we are pretending to be a workstation
at the moment.

Also actually store and retreive the last change time, so we can do
periodic password changes again (for RPC at least).

And finally, a couple of minor fixes to 'net'.

Andrew Bartlett
(This used to be commit 6e6b7b79edae3efd0197651e9a8ce6775c001cf2)

2 files changed, 101 insertions, 16 deletions

diff --git a/source3/passdb/machine_sid.c b/source3/passdb/machine_sid.c
index 071af50877..a578ecc711 100644
--- a/source3/passdb/machine_sid.c
+++ b/source3/passdb/machine_sid.c
@@ -78,6 +78,7 @@ static void generate_random_sid(DOM_SID *sid)
 
 static BOOL pdb_generate_sam_sid(void)
 {
+	DOM_SID domain_sid;
 	char *fname = NULL;
 	BOOL is_dc = False;
 
@@ -97,8 +98,14 @@ static BOOL pdb_generate_sam_sid(void)
 		break;
 	}
 
+	if (is_dc) {
+		if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
+			sid_copy(global_sam_sid, &domain_sid);
+			return True;
+		}
+	}
+
 	if (secrets_fetch_domain_sid(global_myname(), global_sam_sid)) {
-		DOM_SID domain_sid;
 
 		/* We got our sid. If not a pdc/bdc, we're done. */
 		if (!is_dc)
@@ -117,11 +124,11 @@ static BOOL pdb_generate_sam_sid(void)
 
 		if (!sid_equal(&domain_sid, global_sam_sid)) {
 
-			/* Domain name sid doesn't match global sam sid. Re-store global sam sid as domain sid. */
+			/* Domain name sid doesn't match global sam sid. Re-store domain sid as 'local' sid. */
 
 			DEBUG(0,("pdb_generate_sam_sid: Mismatched SIDs as a pdc/bdc.\n"));
-			if (!secrets_store_domain_sid(lp_workgroup(), global_sam_sid)) {
-				DEBUG(0,("pdb_generate_sam_sid: Can't re-store domain SID as a pdc/bdc.\n"));
+			if (!secrets_store_domain_sid(global_myname(), &domain_sid)) {
+				DEBUG(0,("pdb_generate_sam_sid: Can't re-store domain SID for local sid as PDC/BDC.\n"));
 				return False;
 			}
 			return True;
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index 64fedc7284..138a9231fd 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -222,25 +222,40 @@ BOOL secrets_lock_trust_account_password(const char *domain, BOOL dolock)
 }
 
 /************************************************************************
+ Routine to get the default secure channel type for trust accounts
+************************************************************************/
+
+uint32 get_default_sec_channel(void) 
+{
+	if (lp_server_role() == ROLE_DOMAIN_BDC || 
+	    lp_server_role() == ROLE_DOMAIN_PDC) {
+		return SEC_CHAN_BDC;
+	} else {
+		return SEC_CHAN_WKSTA;
+	}
+}
+
+/************************************************************************
  Routine to get the trust account password for a domain.
  The user of this function must have locked the trust password file using
  the above call.
 ************************************************************************/
 
 BOOL secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
-					  time_t *pass_last_set_time)
+					  time_t *pass_last_set_time,
+					  uint32 *channel)
 {
 	struct machine_acct_pass *pass;
 	char *plaintext;
 	size_t size;
 
-	plaintext = secrets_fetch_machine_password();
+	plaintext = secrets_fetch_machine_password(domain, pass_last_set_time, 
+						   channel);
 	if (plaintext) {
 		/* we have an ADS password - use that */
 		DEBUG(4,("Using ADS machine password\n"));
 		E_md4hash(plaintext, ret_pwd);
 		SAFE_FREE(plaintext);
-		pass_last_set_time = 0;
 		return True;
 	}
 
@@ -257,6 +272,10 @@ BOOL secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
 	if (pass_last_set_time) *pass_last_set_time = pass->mod_time;
 	memcpy(ret_pwd, pass->hash, 16);
 	SAFE_FREE(pass);
+
+	if (channel) 
+		*channel = get_default_sec_channel();
+
 	return True;
 }
 
@@ -369,14 +388,42 @@ BOOL secrets_store_trusted_domain_password(const char* domain, smb_ucs2_t *uni_d
 the password is assumed to be a null terminated ascii string
 ************************************************************************/
 
-BOOL secrets_store_machine_password(const char *pass)
+BOOL secrets_store_machine_password(const char *pass, const char *domain, uint32 sec_channel)
 {
-	char *key;
+	char *key = NULL;
 	BOOL ret;
-	asprintf(&key, "%s/%s", SECRETS_MACHINE_PASSWORD, lp_workgroup());
+	uint32 last_change_time;
+	uint32 sec_channel_type;
+
+	asprintf(&key, "%s/%s", SECRETS_MACHINE_PASSWORD, domain);
+	if (!key) 
+		return False;
 	strupper(key);
+
 	ret = secrets_store(key, pass, strlen(pass)+1);
-	free(key);
+	SAFE_FREE(key);
+
+	if (!ret)
+		return ret;
+	
+	asprintf(&key, "%s/%s", SECRETS_MACHINE_LAST_CHANGE_TIME, domain);
+	if (!key) 
+		return False;
+	strupper(key);
+
+	SIVAL(&last_change_time, 0, time(NULL));
+	ret = secrets_store(key, &last_change_time, sizeof(last_change_time));
+	SAFE_FREE(key);
+
+	asprintf(&key, "%s/%s", SECRETS_MACHINE_SEC_CHANNEL_TYPE, domain);
+	if (!key) 
+		return False;
+	strupper(key);
+
+	SIVAL(&sec_channel_type, 0, sec_channel);
+	ret = secrets_store(key, &sec_channel_type, sizeof(sec_channel_type));
+	SAFE_FREE(key);
+
 	return ret;
 }
 
@@ -385,14 +432,45 @@ BOOL secrets_store_machine_password(const char *pass)
  Routine to fetch the plaintext machine account password for a realm
 the password is assumed to be a null terminated ascii string
 ************************************************************************/
-char *secrets_fetch_machine_password(void)
+char *secrets_fetch_machine_password(const char *domain, 
+				     time_t *pass_last_set_time,
+				     uint32 *channel)
 {
-	char *key;
+	char *key = NULL;
 	char *ret;
-	asprintf(&key, "%s/%s", SECRETS_MACHINE_PASSWORD, lp_workgroup());
+	asprintf(&key, "%s/%s", SECRETS_MACHINE_PASSWORD, domain);
 	strupper(key);
 	ret = (char *)secrets_fetch(key, NULL);
-	free(key);
+	SAFE_FREE(key);
+	
+	if (pass_last_set_time) {
+		size_t size;
+		uint32 *last_set_time;
+		asprintf(&key, "%s/%s", SECRETS_MACHINE_LAST_CHANGE_TIME, domain);
+		strupper(key);
+		last_set_time = secrets_fetch(key, &size);
+		if (last_set_time) {
+			*pass_last_set_time = IVAL(last_set_time,0);
+		} else {
+			*pass_last_set_time = 0;
+		}
+		SAFE_FREE(key);
+	}
+	
+	if (channel) {
+		size_t size;
+		uint32 *channel_type;
+		asprintf(&key, "%s/%s", SECRETS_MACHINE_SEC_CHANNEL_TYPE, domain);
+		strupper(key);
+		channel_type = secrets_fetch(key, &size);
+		if (channel_type) {
+			*channel = IVAL(channel_type,0);
+		} else {
+			*channel = get_default_sec_channel();
+		}
+		SAFE_FREE(key);
+	}
+	
 	return ret;
 }
 
@@ -637,7 +715,7 @@ BOOL must_use_pdc( const char *domain )
 	time_t  last_change_time;
 	unsigned char	passwd[16];   
 	
-	if ( !secrets_fetch_trust_account_password(domain, passwd, &last_change_time) )
+	if ( !secrets_fetch_trust_account_password(domain, passwd, &last_change_time, NULL) )
 		return False;
 		
 	/*