diff options
author | Andrew Bartlett <abartlet@samba.org> | 2012-08-27 19:28:22 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2012-08-28 07:57:29 +1000 |
commit | 708ce41b32881e5a45c38929be66f9a1392dda8a (patch) | |
tree | 38137ff8707f34fb3d217679259205f38483fc31 /source3 | |
parent | 62373b8a509fb874728c351e8039f94e3a1dd6db (diff) | |
download | samba-708ce41b32881e5a45c38929be66f9a1392dda8a.tar.gz samba-708ce41b32881e5a45c38929be66f9a1392dda8a.tar.bz2 samba-708ce41b32881e5a45c38929be66f9a1392dda8a.zip |
s3-secrets: Add helper function to set machine account password from secrets_tdb_sync
secrets_tdb_sync will be a new ldb module designed to sync secrets.ldb
entries with the secrets.tdb file.
While not ideal to keep two copies of this data, this routine will
assist in allowing the samba-tool domain join code to operate
correctly in most cases where winbindd and smbd are used.
Andrew Bartlett
Diffstat (limited to 'source3')
-rw-r--r-- | source3/include/secrets.h | 6 | ||||
-rw-r--r-- | source3/passdb/machine_account_secrets.c | 86 |
2 files changed, 92 insertions, 0 deletions
diff --git a/source3/include/secrets.h b/source3/include/secrets.h index fa215fff8d..57a1be0c3e 100644 --- a/source3/include/secrets.h +++ b/source3/include/secrets.h @@ -126,6 +126,12 @@ void secrets_fetch_ipc_userpass(char **username, char **domain, char **password) bool secrets_store_generic(const char *owner, const char *key, const char *secret); char *secrets_fetch_generic(const char *owner, const char *key); +bool secrets_store_machine_pw_sync(const char *pass, const char *oldpass, const char *domain, + const char *realm, + const char *salting_principal, uint32_t supported_enc_types, + const struct dom_sid *domain_sid, uint32_t last_change_time, + bool delete_join); + /* The following definitions come from passdb/secrets_lsa.c */ NTSTATUS lsa_secret_get(TALLOC_CTX *mem_ctx, const char *secret_name, diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c index ebd7b4cc56..1e4111a7c5 100644 --- a/source3/passdb/machine_account_secrets.c +++ b/source3/passdb/machine_account_secrets.c @@ -471,6 +471,92 @@ bool secrets_store_machine_password(const char *pass, const char *domain, return ret; } +/************************************************************************ + Set the machine trust account password, the old pw and last change + time, domain SID and salting principals based on values passed in + (added to supprt the secrets_tdb_sync module on secrets.ldb) +************************************************************************/ + +bool secrets_store_machine_pw_sync(const char *pass, const char *oldpass, const char *domain, + const char *realm, + const char *salting_principal, uint32_t supported_enc_types, + const struct dom_sid *domain_sid, uint32_t last_change_time, + bool delete_join) +{ + bool ret; + uint8_t last_change_time_store[4]; + TALLOC_CTX *frame = talloc_stackframe(); + void *value; + + if (delete_join) { + secrets_delete_machine_password_ex(domain); + secrets_delete_domain_sid(domain); + TALLOC_FREE(frame); + return true; + } + + ret = secrets_store(machine_password_keystr(domain), pass, strlen(pass)+1); + if (!ret) { + TALLOC_FREE(frame); + return ret; + } + + if (oldpass) { + ret = secrets_store(machine_prev_password_keystr(domain), oldpass, strlen(oldpass)+1); + } else { + value = secrets_fetch_prev_machine_password(domain); + if (value) { + SAFE_FREE(value); + ret = secrets_delete_prev_machine_password(domain); + } + } + if (!ret) { + TALLOC_FREE(frame); + return ret; + } + + /* We delete this and instead have the read code fall back to + * a default based on server role, as our caller can't specify + * this with any more certainty */ + value = secrets_fetch(machine_sec_channel_type_keystr(domain), NULL); + if (value) { + SAFE_FREE(value); + ret = secrets_delete(machine_sec_channel_type_keystr(domain)); + if (!ret) { + TALLOC_FREE(frame); + return ret; + } + } + + SIVAL(&last_change_time_store, 0, last_change_time); + ret = secrets_store(machine_last_change_time_keystr(domain), + &last_change_time_store, sizeof(last_change_time)); + + if (!ret) { + TALLOC_FREE(frame); + return ret; + } + + ret = secrets_store_domain_sid(domain, domain_sid); + + if (!ret) { + TALLOC_FREE(frame); + return ret; + } + + if (realm && salting_principal) { + char *key = talloc_asprintf(frame, "%s/DES/%s", SECRETS_SALTING_PRINCIPAL, realm); + if (!key) { + TALLOC_FREE(frame); + return false; + } + ret = secrets_store(key, salting_principal, strlen(salting_principal)+1 ); + } + + TALLOC_FREE(frame); + return ret; +} + /************************************************************************ Routine to fetch the previous plaintext machine account password for a realm |