OK. Smbpasswd -j is DEAD.

This moves the rest of the functionality into the 'net rpc join' code.

Futhermore, this moves that entire area over to the libsmb codebase, rather
than the crufty old rpc_client stuff.

I have also fixed up the smbpasswd -a -m bug in the process.

We also have a new 'net rpc changetrustpw' that can be called from a
cron-job to regularly change the trust account password, for sites
that run winbind but not smbd.

With a little more work, we can kill rpc_client from smbd entirly!
(It is mostly the domain auth stuff - which I can rework - and the
spoolss stuff that sombody else will need to look over).

Andrew Bartlett
(This used to be commit 575897e879fc175ba702adf245384033342c903d)

1 files changed, 43 insertions, 141 deletions

diff --git a/source3/rpc_client/cli_trust.c b/source3/rpc_client/cli_trust.c
index c910e2f334..fbb75573cb 100644
--- a/source3/rpc_client/cli_trust.c
+++ b/source3/rpc_client/cli_trust.c
@@ -6,6 +6,7 @@
  *  Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
  *  Copyright (C) Paul Ashton                       1997.
  *  Copyright (C) Jeremy Allison                    1998.
+ *  Copyright (C) Andrew Bartlett                   2001.
  *
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -30,13 +31,13 @@ extern pstring global_myname;
  Change the domain password on the PDC.
 **********************************************************/
 
-static BOOL modify_trust_password( char *domain, char *remote_machine, 
-                          unsigned char orig_trust_passwd_hash[16],
-                          unsigned char new_trust_passwd_hash[16])
+static NTSTATUS modify_trust_password( char *domain, char *remote_machine, 
+				   unsigned char orig_trust_passwd_hash[16])
 {
-  struct cli_state cli;
-  NTSTATUS result;
+  struct cli_state *cli;
   DOM_SID domain_sid;
+  struct in_addr dest_ip;
+  NTSTATUS nt_status;
 
   /*
    * Ensure we have the domain SID for this domain.
@@ -44,150 +45,63 @@ static BOOL modify_trust_password( char *domain, char *remote_machine,
 
   if (!secrets_fetch_domain_sid(domain, &domain_sid)) {
     DEBUG(0, ("domain_client_validate: unable to fetch domain sid.\n"));
-    return False;
+    return NT_STATUS_UNSUCCESSFUL;
   }
 
-  ZERO_STRUCT(cli);
-  if(cli_initialise(&cli) == NULL) {
-    DEBUG(0,("modify_trust_password: unable to initialize client connection.\n"));
-    return False;
-  }
-
-  if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) {
-    DEBUG(0,("modify_trust_password: Can't resolve address for %s\n", remote_machine));
-    cli_shutdown(&cli);
-    return False;
-  }
-
-  if (ismyip(cli.dest_ip)) {
-    DEBUG(0,("modify_trust_password: Machine %s is one of our addresses. Cannot add \
-to ourselves.\n", remote_machine));
-    cli_shutdown(&cli);
-    return False;
-  }
-
-  if (!cli_connect(&cli, remote_machine, &cli.dest_ip)) {
-    DEBUG(0,("modify_trust_password: unable to connect to SMB server on \
-machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
-    cli_shutdown(&cli);
-    return False;
+  if(!resolve_name( remote_machine, &dest_ip, 0x20)) {
+	  DEBUG(0,("modify_trust_password: Can't resolve address for %s\n", remote_machine));
+	  return NT_STATUS_UNSUCCESSFUL;
   }
   
-  if (!attempt_netbios_session_request(&cli, global_myname, remote_machine, &cli.dest_ip)) {
-    DEBUG(0,("modify_trust_password: machine %s rejected the NetBIOS \
-session request. Error was %s\n", remote_machine, cli_errstr(&cli) ));
-    cli_shutdown(&cli);
-    return False;
-  }
-
-  cli.protocol = PROTOCOL_NT1;
-    
-  if (!cli_negprot(&cli)) {
-    DEBUG(0,("modify_trust_password: machine %s rejected the negotiate protocol. \
-Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
-    cli_shutdown(&cli);
-    return False;
+  if (!NT_STATUS_IS_OK(cli_full_connection(&cli, global_myname, remote_machine, 
+					   &dest_ip, 0,
+					   "IPC$", "IPC",  
+					   "", "",
+					   "", 0))) {
+	  DEBUG(0,("modify_trust_password: Connection to %s failed!\n", remote_machine));
+	  return NT_STATUS_UNSUCCESSFUL;
   }
-
-  if (cli.protocol != PROTOCOL_NT1) {
-    DEBUG(0,("modify_trust_password: machine %s didn't negotiate NT protocol.\n", 
-            remote_machine));
-    cli_shutdown(&cli);
-    return False;
-  }
-    
-  /*
-   * Do an anonymous session setup.
-   */
-    
-  if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) {
-    DEBUG(0,("modify_trust_password: machine %s rejected the session setup. \
-Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
-    cli_shutdown(&cli);
-    return False;
-  }
-    
-  if (!(cli.sec_mode & 1)) {
-    DEBUG(0,("modify_trust_password: machine %s isn't in user level security mode\n",
-          remote_machine));
-    cli_shutdown(&cli);
-    return False;
-  }
-    
-  if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) {
-    DEBUG(0,("modify_trust_password: machine %s rejected the tconX on the IPC$ share. \
-Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
-    cli_shutdown(&cli);
-    return False;
-  }
-
+      
   /*
    * Ok - we have an anonymous connection to the IPC$ share.
    * Now start the NT Domain stuff :-).
    */
 
-  if(cli_nt_session_open(&cli, PIPE_NETLOGON) == False) {
+  if(cli_nt_session_open(cli, PIPE_NETLOGON) == False) {
     DEBUG(0,("modify_trust_password: unable to open the domain client session to \
-machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli)));
-    cli_nt_session_close(&cli);
-    cli_ulogoff(&cli);
-    cli_shutdown(&cli);
-    return False;
+machine %s. Error was : %s.\n", remote_machine, cli_errstr(cli)));
+    cli_nt_session_close(cli);
+    cli_ulogoff(cli);
+    cli_shutdown(cli);
+    return NT_STATUS_UNSUCCESSFUL;
   } 
-  
-  result = cli_nt_setup_creds(&cli, orig_trust_passwd_hash);
-
-  if (!NT_STATUS_IS_OK(result)) {
-    DEBUG(0,("modify_trust_password: unable to setup the PDC credentials to machine \
-%s. Error was : %s.\n", remote_machine, get_nt_error_msg(result)));
-    cli_nt_session_close(&cli);
-    cli_ulogoff(&cli);
-    cli_shutdown(&cli);
-    return False;
-  } 
-
-  if( cli_nt_srv_pwset( &cli,new_trust_passwd_hash ) == False) {
-    DEBUG(0,("modify_trust_password: unable to change password for machine %s in domain \
-%s to Domain controller %s. Error was %s.\n", global_myname, domain, remote_machine, 
-                            cli_errstr(&cli)));
-    cli_close(&cli, cli.nt_pipe_fnum);
-    cli_ulogoff(&cli);
-    cli_shutdown(&cli);
-    return False;
-  }
 
-  cli_nt_session_close(&cli);
-  cli_ulogoff(&cli);
-  cli_shutdown(&cli);
-
-  return True;
+  nt_status = trust_pw_change_and_store_it(cli, cli->mem_ctx,
+					orig_trust_passwd_hash);
+  
+  cli_nt_session_close(cli);
+  cli_ulogoff(cli);
+  cli_shutdown(cli);
+  return nt_status;
 }
 
 /************************************************************************
  Change the trust account password for a domain.
- The user of this function must have locked the trust password file for
- update.
 ************************************************************************/
 
-BOOL change_trust_account_password( char *domain, char *remote_machine_list)
+NTSTATUS change_trust_account_password( char *domain, char *remote_machine_list)
 {
   fstring remote_machine;
   unsigned char old_trust_passwd_hash[16];
-  unsigned char new_trust_passwd_hash[16];
   time_t lct;
-  BOOL res = False;
+  NTSTATUS res = NT_STATUS_UNSUCCESSFUL;
 
   if(!secrets_fetch_trust_account_password(domain, old_trust_passwd_hash, &lct)) {
     DEBUG(0,("change_trust_account_password: unable to read the machine \
 account password for domain %s.\n", domain));
-    return False;
+    return NT_STATUS_UNSUCCESSFUL;
   }
 
-  /*
-   * Create the new (random) password.
-   */
-  generate_random_buffer( new_trust_passwd_hash, 16, True);
-
   while(remote_machine_list && 
 	next_token(&remote_machine_list, remote_machine, 
 		   LIST_SEP, sizeof(remote_machine))) {
@@ -215,36 +129,24 @@ account password for domain %s.\n", domain));
         fstring dc_name;
         if(!lookup_dc_name(global_myname, domain, &ip_list[i], dc_name))
           continue;
-        if((res = modify_trust_password( domain, dc_name,
-                                         old_trust_passwd_hash, new_trust_passwd_hash)))
+        if(NT_STATUS_IS_OK(res = modify_trust_password( domain, dc_name,
+                                         old_trust_passwd_hash)))
           break;
       }
 
       SAFE_FREE(ip_list);
 
     } else {
-      res = modify_trust_password( domain, remote_machine,
-                                   old_trust_passwd_hash, new_trust_passwd_hash);
+	    res = modify_trust_password( domain, remote_machine,
+					 old_trust_passwd_hash);
     }
 
-    if(res) {
-      DEBUG(0,("%s : change_trust_account_password: Changed password for \
-domain %s.\n", timestring(False), domain));
-      /*
-       * Return the result of trying to write the new password
-       * back into the trust account file.
-       */
-      res = secrets_store_trust_account_password(domain, new_trust_passwd_hash);
-      memset(new_trust_passwd_hash, 0, 16);
-      memset(old_trust_passwd_hash, 0, 16);
-      return res;
-    }
   }
 
-  memset(new_trust_passwd_hash, 0, 16);
-  memset(old_trust_passwd_hash, 0, 16);
-
-  DEBUG(0,("%s : change_trust_account_password: Failed to change password for \
+  if (!NT_STATUS_IS_OK(res)) {
+	  DEBUG(0,("%s : change_trust_account_password: Failed to change password for \
 domain %s.\n", timestring(False), domain));
-  return False;
+  }
+  
+  return res;
 }