diff options
| author | Volker Lendecke <vl@samba.org> | 2009-10-04 15:47:33 +0200 |
|---|---|---|
| committer | Volker Lendecke <vl@samba.org> | 2009-10-05 22:12:20 +0200 |
| commit | 20a8ea91e10af167067cc794a251265aaf489e75 (patch) | |
| tree | 688425cc91fd6497e43483e194f73a10f4295c63 /source3/winbindd | |
| parent | 3fa1d7332c19d0521b8da9f2cd8162260f0ab660 (diff) | |
| download | samba-20a8ea91e10af167067cc794a251265aaf489e75.tar.gz samba-20a8ea91e10af167067cc794a251265aaf489e75.tar.bz2 samba-20a8ea91e10af167067cc794a251265aaf489e75.zip | |
s3: Attempt to fix machine password change
Diffstat (limited to 'source3/winbindd')
| -rw-r--r-- | source3/winbindd/winbindd_cm.c | 2 | ||||
| -rw-r--r-- | source3/winbindd/winbindd_dual.c | 42 |
2 files changed, 35 insertions, 9 deletions
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 9a788397a9..029a0210d1 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -2470,6 +2470,8 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, return !NT_STATUS_IS_OK(result) ? result : NT_STATUS_PIPE_NOT_AVAILABLE; } + conn->netlogon_pipe->auth_neg_flags = neg_flags; + /* * Try NetSamLogonEx for AD domains */ diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c index edf784cc21..546f5f0131 100644 --- a/source3/winbindd/winbindd_dual.c +++ b/source3/winbindd/winbindd_dual.c @@ -30,6 +30,7 @@ #include "includes.h" #include "winbindd.h" #include "../../nsswitch/libwbclient/wbc_async.h" +#include "../libcli/auth/libcli_auth.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_WINBIND @@ -1061,9 +1062,12 @@ static void machine_password_change_handler(struct event_context *ctx, struct winbindd_child *child = (struct winbindd_child *)private_data; struct rpc_pipe_client *netlogon_pipe = NULL; - TALLOC_CTX *frame; NTSTATUS result; struct timeval next_change; + uint8_t old_trust_passwd_hash[16]; + uint8_t new_trust_passwd_hash[16]; + char *new_trust_passwd; + uint32_t sec_channel_type = 0; DEBUG(10,("machine_password_change_handler called\n")); @@ -1089,22 +1093,42 @@ static void machine_password_change_handler(struct event_context *ctx, return; } - frame = talloc_stackframe(); + if (!secrets_fetch_trust_account_password( + child->domain->name, old_trust_passwd_hash, NULL, + &sec_channel_type)) { + DEBUG(0, ("could not fetch domain secrets for domain %s!\n", + child->domain->name)); + return; + } + + new_trust_passwd = generate_random_str( + talloc_tos(), DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH); + if (new_trust_passwd == NULL) { + DEBUG(0, ("talloc_strdup failed\n")); + return; + } - result = trust_pw_find_change_and_store_it(netlogon_pipe, - frame, - child->domain->name); - TALLOC_FREE(frame); + E_md4hash(new_trust_passwd, new_trust_passwd_hash); + + result = rpccli_netlogon_set_trust_password( + netlogon_pipe, talloc_tos(), old_trust_passwd_hash, + new_trust_passwd, new_trust_passwd_hash, sec_channel_type, + netlogon_pipe->auth_neg_flags); if (!NT_STATUS_IS_OK(result)) { DEBUG(10,("machine_password_change_handler: " "failed to change machine password: %s\n", nt_errstr(result))); - } else { - DEBUG(10,("machine_password_change_handler: " - "successfully changed machine password\n")); + /* + * Don't try a second time, this will very likely also + * fail. + */ + return; } + DEBUG(3,("machine_password_change_handler: Changed password at %s.\n", + current_timestring(debug_ctx(), False))); + child->machine_password_change_event = event_add_timed(winbind_event_context(), NULL, next_change, machine_password_change_handler, |