summaryrefslogtreecommitdiff
path: root/source3/rpc_client
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2001-12-05 11:00:26 +0000
committerAndrew Bartlett <abartlet@samba.org>2001-12-05 11:00:26 +0000
commit8ba00d147bbdb705b411e182433632c81a036188 (patch)
treeebbeb3b46c5cb3a2da025a324b1cc31f8af182ac /source3/rpc_client
parent0d09562eed608941b2bee29e37d7ea4ba33582c3 (diff)
downloadsamba-8ba00d147bbdb705b411e182433632c81a036188.tar.gz
samba-8ba00d147bbdb705b411e182433632c81a036188.tar.bz2
samba-8ba00d147bbdb705b411e182433632c81a036188.zip
OK. Smbpasswd -j is DEAD.
This moves the rest of the functionality into the 'net rpc join' code. Futhermore, this moves that entire area over to the libsmb codebase, rather than the crufty old rpc_client stuff. I have also fixed up the smbpasswd -a -m bug in the process. We also have a new 'net rpc changetrustpw' that can be called from a cron-job to regularly change the trust account password, for sites that run winbind but not smbd. With a little more work, we can kill rpc_client from smbd entirly! (It is mostly the domain auth stuff - which I can rework - and the spoolss stuff that sombody else will need to look over). Andrew Bartlett (This used to be commit 575897e879fc175ba702adf245384033342c903d)
Diffstat (limited to 'source3/rpc_client')
-rw-r--r--source3/rpc_client/cli_login.c21
-rw-r--r--source3/rpc_client/cli_netlogon.c70
-rw-r--r--source3/rpc_client/cli_trust.c184
3 files changed, 43 insertions, 232 deletions
diff --git a/source3/rpc_client/cli_login.c b/source3/rpc_client/cli_login.c
index e5c221690d..be32533541 100644
--- a/source3/rpc_client/cli_login.c
+++ b/source3/rpc_client/cli_login.c
@@ -79,27 +79,6 @@ NTSTATUS cli_nt_setup_creds(struct cli_state *cli, unsigned char mach_pwd[16])
}
/****************************************************************************
- Set machine password.
- ****************************************************************************/
-
-BOOL cli_nt_srv_pwset(struct cli_state *cli, unsigned char *new_hashof_mach_pwd)
-{
- unsigned char processed_new_pwd[16];
-
- DEBUG(5,("cli_nt_srv_pwset: %d\n", __LINE__));
-
-#ifdef DEBUG_PASSWORD
- dump_data(6, (char *)new_hashof_mach_pwd, 16);
-#endif
-
- /* Process the new password. */
- cred_hash3( processed_new_pwd, new_hashof_mach_pwd, cli->sess_key, 1);
-
- /* send client srv_pwset challenge */
- return cli_net_srv_pwset(cli, processed_new_pwd);
-}
-
-/****************************************************************************
NT login - interactive.
*NEVER* use this code. This method of doing a logon (sending the cleartext
password equivalents, protected by the session key) is inherently insecure
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 869de91c80..8a2d8e28cc 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -260,76 +260,6 @@ BOOL cli_net_req_chal(struct cli_state *cli, DOM_CHAL *clnt_chal, DOM_CHAL *srv_
return valid_chal;
}
-
-/***************************************************************************
-LSA Server Password Set.
-****************************************************************************/
-
-BOOL cli_net_srv_pwset(struct cli_state *cli, uint8 hashed_mach_pwd[16])
-{
- prs_struct rbuf;
- prs_struct buf;
- DOM_CRED new_clnt_cred;
- NET_Q_SRV_PWSET q_s;
- BOOL ok = False;
- uint16 sec_chan_type = 2;
-
- gen_next_creds( cli, &new_clnt_cred);
-
- prs_init(&buf , 1024, cli->mem_ctx, MARSHALL);
- prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL);
-
- /* create and send a MSRPC command with api NET_SRV_PWSET */
-
- DEBUG(4,("cli_net_srv_pwset: srv:%s acct:%s sc: %d mc: %s clnt %s %x\n",
- cli->srv_name_slash, cli->mach_acct, sec_chan_type, global_myname,
- credstr(new_clnt_cred.challenge.data), new_clnt_cred.timestamp.time));
-
- /* store the parameters */
- init_q_srv_pwset(&q_s, cli->srv_name_slash,
- cli->mach_acct, sec_chan_type, global_myname,
- &new_clnt_cred, (char *)hashed_mach_pwd);
-
- /* turn parameters into data stream */
- if(!net_io_q_srv_pwset("", &q_s, &buf, 0)) {
- DEBUG(0,("cli_net_srv_pwset: Error : failed to marshall NET_Q_SRV_PWSET struct.\n"));
- prs_mem_free(&buf);
- prs_mem_free(&rbuf);
- return False;
- }
-
- /* send the data on \PIPE\ */
- if (rpc_api_pipe_req(cli, NET_SRVPWSET, &buf, &rbuf))
- {
- NET_R_SRV_PWSET r_s;
-
- ok = net_io_r_srv_pwset("", &r_s, &rbuf, 0);
-
- if (ok && !NT_STATUS_IS_OK(r_s.status))
- {
- /* report error code */
- DEBUG(0,("cli_net_srv_pwset: %s\n", get_nt_error_msg(r_s.status)));
- ok = False;
- }
-
- /* Update the credentials. */
- if (ok && !clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &(r_s.srv_cred)))
- {
- /*
- * Server replied with bad credential. Fail.
- */
- DEBUG(0,("cli_net_srv_pwset: server %s replied with bad credential (bad machine \
-password ?).\n", cli->desthost ));
- ok = False;
- }
- }
-
- prs_mem_free(&buf);
- prs_mem_free(&rbuf);
-
- return ok;
-}
-
/***************************************************************************
LSA SAM Logon internal - interactive or network. Does level 2 or 3 but always
returns level 3.
diff --git a/source3/rpc_client/cli_trust.c b/source3/rpc_client/cli_trust.c
index c910e2f334..fbb75573cb 100644
--- a/source3/rpc_client/cli_trust.c
+++ b/source3/rpc_client/cli_trust.c
@@ -6,6 +6,7 @@
* Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
* Copyright (C) Paul Ashton 1997.
* Copyright (C) Jeremy Allison 1998.
+ * Copyright (C) Andrew Bartlett 2001.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -30,13 +31,13 @@ extern pstring global_myname;
Change the domain password on the PDC.
**********************************************************/
-static BOOL modify_trust_password( char *domain, char *remote_machine,
- unsigned char orig_trust_passwd_hash[16],
- unsigned char new_trust_passwd_hash[16])
+static NTSTATUS modify_trust_password( char *domain, char *remote_machine,
+ unsigned char orig_trust_passwd_hash[16])
{
- struct cli_state cli;
- NTSTATUS result;
+ struct cli_state *cli;
DOM_SID domain_sid;
+ struct in_addr dest_ip;
+ NTSTATUS nt_status;
/*
* Ensure we have the domain SID for this domain.
@@ -44,150 +45,63 @@ static BOOL modify_trust_password( char *domain, char *remote_machine,
if (!secrets_fetch_domain_sid(domain, &domain_sid)) {
DEBUG(0, ("domain_client_validate: unable to fetch domain sid.\n"));
- return False;
+ return NT_STATUS_UNSUCCESSFUL;
}
- ZERO_STRUCT(cli);
- if(cli_initialise(&cli) == NULL) {
- DEBUG(0,("modify_trust_password: unable to initialize client connection.\n"));
- return False;
- }
-
- if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) {
- DEBUG(0,("modify_trust_password: Can't resolve address for %s\n", remote_machine));
- cli_shutdown(&cli);
- return False;
- }
-
- if (ismyip(cli.dest_ip)) {
- DEBUG(0,("modify_trust_password: Machine %s is one of our addresses. Cannot add \
-to ourselves.\n", remote_machine));
- cli_shutdown(&cli);
- return False;
- }
-
- if (!cli_connect(&cli, remote_machine, &cli.dest_ip)) {
- DEBUG(0,("modify_trust_password: unable to connect to SMB server on \
-machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
- cli_shutdown(&cli);
- return False;
+ if(!resolve_name( remote_machine, &dest_ip, 0x20)) {
+ DEBUG(0,("modify_trust_password: Can't resolve address for %s\n", remote_machine));
+ return NT_STATUS_UNSUCCESSFUL;
}
- if (!attempt_netbios_session_request(&cli, global_myname, remote_machine, &cli.dest_ip)) {
- DEBUG(0,("modify_trust_password: machine %s rejected the NetBIOS \
-session request. Error was %s\n", remote_machine, cli_errstr(&cli) ));
- cli_shutdown(&cli);
- return False;
- }
-
- cli.protocol = PROTOCOL_NT1;
-
- if (!cli_negprot(&cli)) {
- DEBUG(0,("modify_trust_password: machine %s rejected the negotiate protocol. \
-Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
- cli_shutdown(&cli);
- return False;
+ if (!NT_STATUS_IS_OK(cli_full_connection(&cli, global_myname, remote_machine,
+ &dest_ip, 0,
+ "IPC$", "IPC",
+ "", "",
+ "", 0))) {
+ DEBUG(0,("modify_trust_password: Connection to %s failed!\n", remote_machine));
+ return NT_STATUS_UNSUCCESSFUL;
}
-
- if (cli.protocol != PROTOCOL_NT1) {
- DEBUG(0,("modify_trust_password: machine %s didn't negotiate NT protocol.\n",
- remote_machine));
- cli_shutdown(&cli);
- return False;
- }
-
- /*
- * Do an anonymous session setup.
- */
-
- if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) {
- DEBUG(0,("modify_trust_password: machine %s rejected the session setup. \
-Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
- cli_shutdown(&cli);
- return False;
- }
-
- if (!(cli.sec_mode & 1)) {
- DEBUG(0,("modify_trust_password: machine %s isn't in user level security mode\n",
- remote_machine));
- cli_shutdown(&cli);
- return False;
- }
-
- if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) {
- DEBUG(0,("modify_trust_password: machine %s rejected the tconX on the IPC$ share. \
-Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
- cli_shutdown(&cli);
- return False;
- }
-
+
/*
* Ok - we have an anonymous connection to the IPC$ share.
* Now start the NT Domain stuff :-).
*/
- if(cli_nt_session_open(&cli, PIPE_NETLOGON) == False) {
+ if(cli_nt_session_open(cli, PIPE_NETLOGON) == False) {
DEBUG(0,("modify_trust_password: unable to open the domain client session to \
-machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli)));
- cli_nt_session_close(&cli);
- cli_ulogoff(&cli);
- cli_shutdown(&cli);
- return False;
+machine %s. Error was : %s.\n", remote_machine, cli_errstr(cli)));
+ cli_nt_session_close(cli);
+ cli_ulogoff(cli);
+ cli_shutdown(cli);
+ return NT_STATUS_UNSUCCESSFUL;
}
-
- result = cli_nt_setup_creds(&cli, orig_trust_passwd_hash);
-
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(0,("modify_trust_password: unable to setup the PDC credentials to machine \
-%s. Error was : %s.\n", remote_machine, get_nt_error_msg(result)));
- cli_nt_session_close(&cli);
- cli_ulogoff(&cli);
- cli_shutdown(&cli);
- return False;
- }
-
- if( cli_nt_srv_pwset( &cli,new_trust_passwd_hash ) == False) {
- DEBUG(0,("modify_trust_password: unable to change password for machine %s in domain \
-%s to Domain controller %s. Error was %s.\n", global_myname, domain, remote_machine,
- cli_errstr(&cli)));
- cli_close(&cli, cli.nt_pipe_fnum);
- cli_ulogoff(&cli);
- cli_shutdown(&cli);
- return False;
- }
- cli_nt_session_close(&cli);
- cli_ulogoff(&cli);
- cli_shutdown(&cli);
-
- return True;
+ nt_status = trust_pw_change_and_store_it(cli, cli->mem_ctx,
+ orig_trust_passwd_hash);
+
+ cli_nt_session_close(cli);
+ cli_ulogoff(cli);
+ cli_shutdown(cli);
+ return nt_status;
}
/************************************************************************
Change the trust account password for a domain.
- The user of this function must have locked the trust password file for
- update.
************************************************************************/
-BOOL change_trust_account_password( char *domain, char *remote_machine_list)
+NTSTATUS change_trust_account_password( char *domain, char *remote_machine_list)
{
fstring remote_machine;
unsigned char old_trust_passwd_hash[16];
- unsigned char new_trust_passwd_hash[16];
time_t lct;
- BOOL res = False;
+ NTSTATUS res = NT_STATUS_UNSUCCESSFUL;
if(!secrets_fetch_trust_account_password(domain, old_trust_passwd_hash, &lct)) {
DEBUG(0,("change_trust_account_password: unable to read the machine \
account password for domain %s.\n", domain));
- return False;
+ return NT_STATUS_UNSUCCESSFUL;
}
- /*
- * Create the new (random) password.
- */
- generate_random_buffer( new_trust_passwd_hash, 16, True);
-
while(remote_machine_list &&
next_token(&remote_machine_list, remote_machine,
LIST_SEP, sizeof(remote_machine))) {
@@ -215,36 +129,24 @@ account password for domain %s.\n", domain));
fstring dc_name;
if(!lookup_dc_name(global_myname, domain, &ip_list[i], dc_name))
continue;
- if((res = modify_trust_password( domain, dc_name,
- old_trust_passwd_hash, new_trust_passwd_hash)))
+ if(NT_STATUS_IS_OK(res = modify_trust_password( domain, dc_name,
+ old_trust_passwd_hash)))
break;
}
SAFE_FREE(ip_list);
} else {
- res = modify_trust_password( domain, remote_machine,
- old_trust_passwd_hash, new_trust_passwd_hash);
+ res = modify_trust_password( domain, remote_machine,
+ old_trust_passwd_hash);
}
- if(res) {
- DEBUG(0,("%s : change_trust_account_password: Changed password for \
-domain %s.\n", timestring(False), domain));
- /*
- * Return the result of trying to write the new password
- * back into the trust account file.
- */
- res = secrets_store_trust_account_password(domain, new_trust_passwd_hash);
- memset(new_trust_passwd_hash, 0, 16);
- memset(old_trust_passwd_hash, 0, 16);
- return res;
- }
}
- memset(new_trust_passwd_hash, 0, 16);
- memset(old_trust_passwd_hash, 0, 16);
-
- DEBUG(0,("%s : change_trust_account_password: Failed to change password for \
+ if (!NT_STATUS_IS_OK(res)) {
+ DEBUG(0,("%s : change_trust_account_password: Failed to change password for \
domain %s.\n", timestring(False), domain));
- return False;
+ }
+
+ return res;
}