diff options
author | Andrew Bartlett <abartlet@samba.org> | 2001-12-05 11:00:26 +0000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2001-12-05 11:00:26 +0000 |
commit | 8ba00d147bbdb705b411e182433632c81a036188 (patch) | |
tree | ebbeb3b46c5cb3a2da025a324b1cc31f8af182ac /source3/rpc_client | |
parent | 0d09562eed608941b2bee29e37d7ea4ba33582c3 (diff) | |
download | samba-8ba00d147bbdb705b411e182433632c81a036188.tar.gz samba-8ba00d147bbdb705b411e182433632c81a036188.tar.bz2 samba-8ba00d147bbdb705b411e182433632c81a036188.zip |
OK. Smbpasswd -j is DEAD.
This moves the rest of the functionality into the 'net rpc join' code.
Futhermore, this moves that entire area over to the libsmb codebase, rather
than the crufty old rpc_client stuff.
I have also fixed up the smbpasswd -a -m bug in the process.
We also have a new 'net rpc changetrustpw' that can be called from a
cron-job to regularly change the trust account password, for sites
that run winbind but not smbd.
With a little more work, we can kill rpc_client from smbd entirly!
(It is mostly the domain auth stuff - which I can rework - and the
spoolss stuff that sombody else will need to look over).
Andrew Bartlett
(This used to be commit 575897e879fc175ba702adf245384033342c903d)
Diffstat (limited to 'source3/rpc_client')
-rw-r--r-- | source3/rpc_client/cli_login.c | 21 | ||||
-rw-r--r-- | source3/rpc_client/cli_netlogon.c | 70 | ||||
-rw-r--r-- | source3/rpc_client/cli_trust.c | 184 |
3 files changed, 43 insertions, 232 deletions
diff --git a/source3/rpc_client/cli_login.c b/source3/rpc_client/cli_login.c index e5c221690d..be32533541 100644 --- a/source3/rpc_client/cli_login.c +++ b/source3/rpc_client/cli_login.c @@ -79,27 +79,6 @@ NTSTATUS cli_nt_setup_creds(struct cli_state *cli, unsigned char mach_pwd[16]) } /**************************************************************************** - Set machine password. - ****************************************************************************/ - -BOOL cli_nt_srv_pwset(struct cli_state *cli, unsigned char *new_hashof_mach_pwd) -{ - unsigned char processed_new_pwd[16]; - - DEBUG(5,("cli_nt_srv_pwset: %d\n", __LINE__)); - -#ifdef DEBUG_PASSWORD - dump_data(6, (char *)new_hashof_mach_pwd, 16); -#endif - - /* Process the new password. */ - cred_hash3( processed_new_pwd, new_hashof_mach_pwd, cli->sess_key, 1); - - /* send client srv_pwset challenge */ - return cli_net_srv_pwset(cli, processed_new_pwd); -} - -/**************************************************************************** NT login - interactive. *NEVER* use this code. This method of doing a logon (sending the cleartext password equivalents, protected by the session key) is inherently insecure diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index 869de91c80..8a2d8e28cc 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -260,76 +260,6 @@ BOOL cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, DOM_CHAL *srv_ return valid_chal; } - -/*************************************************************************** -LSA Server Password Set. -****************************************************************************/ - -BOOL cli_net_srv_pwset(struct cli_state *cli, uint8 hashed_mach_pwd[16]) -{ - prs_struct rbuf; - prs_struct buf; - DOM_CRED new_clnt_cred; - NET_Q_SRV_PWSET q_s; - BOOL ok = False; - uint16 sec_chan_type = 2; - - gen_next_creds( cli, &new_clnt_cred); - - prs_init(&buf , 1024, cli->mem_ctx, MARSHALL); - prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL); - - /* create and send a MSRPC command with api NET_SRV_PWSET */ - - DEBUG(4,("cli_net_srv_pwset: srv:%s acct:%s sc: %d mc: %s clnt %s %x\n", - cli->srv_name_slash, cli->mach_acct, sec_chan_type, global_myname, - credstr(new_clnt_cred.challenge.data), new_clnt_cred.timestamp.time)); - - /* store the parameters */ - init_q_srv_pwset(&q_s, cli->srv_name_slash, - cli->mach_acct, sec_chan_type, global_myname, - &new_clnt_cred, (char *)hashed_mach_pwd); - - /* turn parameters into data stream */ - if(!net_io_q_srv_pwset("", &q_s, &buf, 0)) { - DEBUG(0,("cli_net_srv_pwset: Error : failed to marshall NET_Q_SRV_PWSET struct.\n")); - prs_mem_free(&buf); - prs_mem_free(&rbuf); - return False; - } - - /* send the data on \PIPE\ */ - if (rpc_api_pipe_req(cli, NET_SRVPWSET, &buf, &rbuf)) - { - NET_R_SRV_PWSET r_s; - - ok = net_io_r_srv_pwset("", &r_s, &rbuf, 0); - - if (ok && !NT_STATUS_IS_OK(r_s.status)) - { - /* report error code */ - DEBUG(0,("cli_net_srv_pwset: %s\n", get_nt_error_msg(r_s.status))); - ok = False; - } - - /* Update the credentials. */ - if (ok && !clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_cred))) - { - /* - * Server replied with bad credential. Fail. - */ - DEBUG(0,("cli_net_srv_pwset: server %s replied with bad credential (bad machine \ -password ?).\n", cli->desthost )); - ok = False; - } - } - - prs_mem_free(&buf); - prs_mem_free(&rbuf); - - return ok; -} - /*************************************************************************** LSA SAM Logon internal - interactive or network. Does level 2 or 3 but always returns level 3. diff --git a/source3/rpc_client/cli_trust.c b/source3/rpc_client/cli_trust.c index c910e2f334..fbb75573cb 100644 --- a/source3/rpc_client/cli_trust.c +++ b/source3/rpc_client/cli_trust.c @@ -6,6 +6,7 @@ * Copyright (C) Luke Kenneth Casson Leighton 1996-1997, * Copyright (C) Paul Ashton 1997. * Copyright (C) Jeremy Allison 1998. + * Copyright (C) Andrew Bartlett 2001. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -30,13 +31,13 @@ extern pstring global_myname; Change the domain password on the PDC. **********************************************************/ -static BOOL modify_trust_password( char *domain, char *remote_machine, - unsigned char orig_trust_passwd_hash[16], - unsigned char new_trust_passwd_hash[16]) +static NTSTATUS modify_trust_password( char *domain, char *remote_machine, + unsigned char orig_trust_passwd_hash[16]) { - struct cli_state cli; - NTSTATUS result; + struct cli_state *cli; DOM_SID domain_sid; + struct in_addr dest_ip; + NTSTATUS nt_status; /* * Ensure we have the domain SID for this domain. @@ -44,150 +45,63 @@ static BOOL modify_trust_password( char *domain, char *remote_machine, if (!secrets_fetch_domain_sid(domain, &domain_sid)) { DEBUG(0, ("domain_client_validate: unable to fetch domain sid.\n")); - return False; + return NT_STATUS_UNSUCCESSFUL; } - ZERO_STRUCT(cli); - if(cli_initialise(&cli) == NULL) { - DEBUG(0,("modify_trust_password: unable to initialize client connection.\n")); - return False; - } - - if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) { - DEBUG(0,("modify_trust_password: Can't resolve address for %s\n", remote_machine)); - cli_shutdown(&cli); - return False; - } - - if (ismyip(cli.dest_ip)) { - DEBUG(0,("modify_trust_password: Machine %s is one of our addresses. Cannot add \ -to ourselves.\n", remote_machine)); - cli_shutdown(&cli); - return False; - } - - if (!cli_connect(&cli, remote_machine, &cli.dest_ip)) { - DEBUG(0,("modify_trust_password: unable to connect to SMB server on \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) )); - cli_shutdown(&cli); - return False; + if(!resolve_name( remote_machine, &dest_ip, 0x20)) { + DEBUG(0,("modify_trust_password: Can't resolve address for %s\n", remote_machine)); + return NT_STATUS_UNSUCCESSFUL; } - if (!attempt_netbios_session_request(&cli, global_myname, remote_machine, &cli.dest_ip)) { - DEBUG(0,("modify_trust_password: machine %s rejected the NetBIOS \ -session request. Error was %s\n", remote_machine, cli_errstr(&cli) )); - cli_shutdown(&cli); - return False; - } - - cli.protocol = PROTOCOL_NT1; - - if (!cli_negprot(&cli)) { - DEBUG(0,("modify_trust_password: machine %s rejected the negotiate protocol. \ -Error was : %s.\n", remote_machine, cli_errstr(&cli) )); - cli_shutdown(&cli); - return False; + if (!NT_STATUS_IS_OK(cli_full_connection(&cli, global_myname, remote_machine, + &dest_ip, 0, + "IPC$", "IPC", + "", "", + "", 0))) { + DEBUG(0,("modify_trust_password: Connection to %s failed!\n", remote_machine)); + return NT_STATUS_UNSUCCESSFUL; } - - if (cli.protocol != PROTOCOL_NT1) { - DEBUG(0,("modify_trust_password: machine %s didn't negotiate NT protocol.\n", - remote_machine)); - cli_shutdown(&cli); - return False; - } - - /* - * Do an anonymous session setup. - */ - - if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) { - DEBUG(0,("modify_trust_password: machine %s rejected the session setup. \ -Error was : %s.\n", remote_machine, cli_errstr(&cli) )); - cli_shutdown(&cli); - return False; - } - - if (!(cli.sec_mode & 1)) { - DEBUG(0,("modify_trust_password: machine %s isn't in user level security mode\n", - remote_machine)); - cli_shutdown(&cli); - return False; - } - - if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) { - DEBUG(0,("modify_trust_password: machine %s rejected the tconX on the IPC$ share. \ -Error was : %s.\n", remote_machine, cli_errstr(&cli) )); - cli_shutdown(&cli); - return False; - } - + /* * Ok - we have an anonymous connection to the IPC$ share. * Now start the NT Domain stuff :-). */ - if(cli_nt_session_open(&cli, PIPE_NETLOGON) == False) { + if(cli_nt_session_open(cli, PIPE_NETLOGON) == False) { DEBUG(0,("modify_trust_password: unable to open the domain client session to \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); - cli_nt_session_close(&cli); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return False; +machine %s. Error was : %s.\n", remote_machine, cli_errstr(cli))); + cli_nt_session_close(cli); + cli_ulogoff(cli); + cli_shutdown(cli); + return NT_STATUS_UNSUCCESSFUL; } - - result = cli_nt_setup_creds(&cli, orig_trust_passwd_hash); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(0,("modify_trust_password: unable to setup the PDC credentials to machine \ -%s. Error was : %s.\n", remote_machine, get_nt_error_msg(result))); - cli_nt_session_close(&cli); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return False; - } - - if( cli_nt_srv_pwset( &cli,new_trust_passwd_hash ) == False) { - DEBUG(0,("modify_trust_password: unable to change password for machine %s in domain \ -%s to Domain controller %s. Error was %s.\n", global_myname, domain, remote_machine, - cli_errstr(&cli))); - cli_close(&cli, cli.nt_pipe_fnum); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return False; - } - cli_nt_session_close(&cli); - cli_ulogoff(&cli); - cli_shutdown(&cli); - - return True; + nt_status = trust_pw_change_and_store_it(cli, cli->mem_ctx, + orig_trust_passwd_hash); + + cli_nt_session_close(cli); + cli_ulogoff(cli); + cli_shutdown(cli); + return nt_status; } /************************************************************************ Change the trust account password for a domain. - The user of this function must have locked the trust password file for - update. ************************************************************************/ -BOOL change_trust_account_password( char *domain, char *remote_machine_list) +NTSTATUS change_trust_account_password( char *domain, char *remote_machine_list) { fstring remote_machine; unsigned char old_trust_passwd_hash[16]; - unsigned char new_trust_passwd_hash[16]; time_t lct; - BOOL res = False; + NTSTATUS res = NT_STATUS_UNSUCCESSFUL; if(!secrets_fetch_trust_account_password(domain, old_trust_passwd_hash, &lct)) { DEBUG(0,("change_trust_account_password: unable to read the machine \ account password for domain %s.\n", domain)); - return False; + return NT_STATUS_UNSUCCESSFUL; } - /* - * Create the new (random) password. - */ - generate_random_buffer( new_trust_passwd_hash, 16, True); - while(remote_machine_list && next_token(&remote_machine_list, remote_machine, LIST_SEP, sizeof(remote_machine))) { @@ -215,36 +129,24 @@ account password for domain %s.\n", domain)); fstring dc_name; if(!lookup_dc_name(global_myname, domain, &ip_list[i], dc_name)) continue; - if((res = modify_trust_password( domain, dc_name, - old_trust_passwd_hash, new_trust_passwd_hash))) + if(NT_STATUS_IS_OK(res = modify_trust_password( domain, dc_name, + old_trust_passwd_hash))) break; } SAFE_FREE(ip_list); } else { - res = modify_trust_password( domain, remote_machine, - old_trust_passwd_hash, new_trust_passwd_hash); + res = modify_trust_password( domain, remote_machine, + old_trust_passwd_hash); } - if(res) { - DEBUG(0,("%s : change_trust_account_password: Changed password for \ -domain %s.\n", timestring(False), domain)); - /* - * Return the result of trying to write the new password - * back into the trust account file. - */ - res = secrets_store_trust_account_password(domain, new_trust_passwd_hash); - memset(new_trust_passwd_hash, 0, 16); - memset(old_trust_passwd_hash, 0, 16); - return res; - } } - memset(new_trust_passwd_hash, 0, 16); - memset(old_trust_passwd_hash, 0, 16); - - DEBUG(0,("%s : change_trust_account_password: Failed to change password for \ + if (!NT_STATUS_IS_OK(res)) { + DEBUG(0,("%s : change_trust_account_password: Failed to change password for \ domain %s.\n", timestring(False), domain)); - return False; + } + + return res; } |