summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/Makefile.in2
-rw-r--r--source3/rpc_client/cli_netlogon.c218
-rw-r--r--source3/rpc_client/cli_trust.c245
3 files changed, 246 insertions, 219 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index c635f97f1c..dbbf4b717d 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -151,7 +151,7 @@ RPC_CLIENT_OBJ = rpc_client/cli_netlogon.o rpc_client/cli_pipe.o \
rpc_client/cli_lsarpc.o rpc_client/cli_connect.o \
rpc_client/cli_use.o rpc_client/cli_login.o \
rpc_client/cli_spoolss_notify.o rpc_client/ncacn_np_use.o \
- lib/util_list.o
+ lib/util_list.o rpc_client/cli_trust.o
LOCKING_OBJ = locking/locking.o locking/brlock.o locking/posix.o
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index cc79425eed..2c9d38166d 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -550,221 +550,3 @@ password ?).\n", cli->desthost ));
return ok;
}
-
-/*********************************************************
- Change the domain password on the PDC.
-**********************************************************/
-
-static BOOL modify_trust_password( char *domain, char *remote_machine,
- unsigned char orig_trust_passwd_hash[16],
- unsigned char new_trust_passwd_hash[16])
-{
- struct cli_state cli;
-
- ZERO_STRUCT(cli);
- if(cli_initialise(&cli) == False) {
- DEBUG(0,("modify_trust_password: unable to initialize client connection.\n"));
- return False;
- }
-
- if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) {
- DEBUG(0,("modify_trust_password: Can't resolve address for %s\n", remote_machine));
- cli_shutdown(&cli);
- return False;
- }
-
- if (ismyip(cli.dest_ip)) {
- DEBUG(0,("modify_trust_password: Machine %s is one of our addresses. Cannot add \
-to ourselves.\n", remote_machine));
- cli_shutdown(&cli);
- return False;
- }
-
- if (!cli_connect(&cli, remote_machine, &cli.dest_ip)) {
- DEBUG(0,("modify_trust_password: unable to connect to SMB server on \
-machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
- cli_shutdown(&cli);
- return False;
- }
-
- if (!attempt_netbios_session_request(&cli, global_myname, remote_machine, &cli.dest_ip)) {
- DEBUG(0,("modify_trust_password: machine %s rejected the NetBIOS \
-session request. Error was %s\n", remote_machine, cli_errstr(&cli) ));
- cli_shutdown(&cli);
- return False;
- }
-
- cli.protocol = PROTOCOL_NT1;
-
- if (!cli_negprot(&cli)) {
- DEBUG(0,("modify_trust_password: machine %s rejected the negotiate protocol. \
-Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
- cli_shutdown(&cli);
- return False;
- }
-
- if (cli.protocol != PROTOCOL_NT1) {
- DEBUG(0,("modify_trust_password: machine %s didn't negotiate NT protocol.\n",
- remote_machine));
- cli_shutdown(&cli);
- return False;
- }
-
- /*
- * Do an anonymous session setup.
- */
-
- if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) {
- DEBUG(0,("modify_trust_password: machine %s rejected the session setup. \
-Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
- cli_shutdown(&cli);
- return False;
- }
-
- if (!(cli.sec_mode & 1)) {
- DEBUG(0,("modify_trust_password: machine %s isn't in user level security mode\n",
- remote_machine));
- cli_shutdown(&cli);
- return False;
- }
-
- if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) {
- DEBUG(0,("modify_trust_password: machine %s rejected the tconX on the IPC$ share. \
-Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
- cli_shutdown(&cli);
- return False;
- }
-
- /*
- * Ok - we have an anonymous connection to the IPC$ share.
- * Now start the NT Domain stuff :-).
- */
-
- if(cli_lsa_get_domain_sid(&cli, remote_machine) == False) {
- DEBUG(0,("modify_trust_password: unable to obtain domain sid from %s. Error was : %s.\n", remote_machine, cli_errstr(&cli)));
- cli_ulogoff(&cli);
- cli_shutdown(&cli);
- return False;
- }
-
- if(cli_nt_session_open(&cli, PIPE_NETLOGON) == False) {
- DEBUG(0,("modify_trust_password: unable to open the domain client session to \
-machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli)));
- cli_nt_session_close(&cli);
- cli_ulogoff(&cli);
- cli_shutdown(&cli);
- return False;
- }
-
- if(cli_nt_setup_creds(&cli, orig_trust_passwd_hash) == False) {
- DEBUG(0,("modify_trust_password: unable to setup the PDC credentials to machine \
-%s. Error was : %s.\n", remote_machine, cli_errstr(&cli)));
- cli_nt_session_close(&cli);
- cli_ulogoff(&cli);
- cli_shutdown(&cli);
- return False;
- }
-
- if( cli_nt_srv_pwset( &cli,new_trust_passwd_hash ) == False) {
- DEBUG(0,("modify_trust_password: unable to change password for machine %s in domain \
-%s to Domain controller %s. Error was %s.\n", global_myname, domain, remote_machine,
- cli_errstr(&cli)));
- cli_close(&cli, cli.nt_pipe_fnum);
- cli_ulogoff(&cli);
- cli_shutdown(&cli);
- return False;
- }
-
- cli_nt_session_close(&cli);
- cli_ulogoff(&cli);
- cli_shutdown(&cli);
-
- return True;
-}
-
-/************************************************************************
- Change the trust account password for a domain.
- The user of this function must have locked the trust password file for
- update.
-************************************************************************/
-
-BOOL change_trust_account_password( char *domain, char *remote_machine_list)
-{
- fstring remote_machine;
- unsigned char old_trust_passwd_hash[16];
- unsigned char new_trust_passwd_hash[16];
- time_t lct;
- BOOL res = False;
-
- if(!secrets_fetch_trust_account_password(domain, old_trust_passwd_hash, &lct)) {
- DEBUG(0,("change_trust_account_password: unable to read the machine \
-account password for domain %s.\n", domain));
- return False;
- }
-
- /*
- * Create the new (random) password.
- */
- generate_random_buffer( new_trust_passwd_hash, 16, True);
-
- while(remote_machine_list &&
- next_token(&remote_machine_list, remote_machine,
- LIST_SEP, sizeof(remote_machine))) {
- strupper(remote_machine);
- if(strequal(remote_machine, "*")) {
-
- /*
- * We have been asked to dynamcially determine the IP addresses of the PDC.
- */
-
- struct in_addr *ip_list = NULL;
- int count = 0;
- int i;
-
- /* Use the PDC *only* for this. */
- if(!get_dc_list(True, domain, &ip_list, &count))
- continue;
-
- /*
- * Try and connect to the PDC/BDC list in turn as an IP
- * address used as a string.
- */
-
- for(i = 0; i < count; i++) {
- fstring dc_name;
- if(!lookup_pdc_name(global_myname, domain, &ip_list[i], dc_name))
- continue;
- if((res = modify_trust_password( domain, dc_name,
- old_trust_passwd_hash, new_trust_passwd_hash)))
- break;
- }
-
- if(ip_list != NULL)
- free((char *)ip_list);
-
- } else {
- res = modify_trust_password( domain, remote_machine,
- old_trust_passwd_hash, new_trust_passwd_hash);
- }
-
- if(res) {
- DEBUG(0,("%s : change_trust_account_password: Changed password for \
-domain %s.\n", timestring(False), domain));
- /*
- * Return the result of trying to write the new password
- * back into the trust account file.
- */
- res = secrets_store_trust_account_password(domain, new_trust_passwd_hash);
- memset(new_trust_passwd_hash, 0, 16);
- memset(old_trust_passwd_hash, 0, 16);
- return res;
- }
- }
-
- memset(new_trust_passwd_hash, 0, 16);
- memset(old_trust_passwd_hash, 0, 16);
-
- DEBUG(0,("%s : change_trust_account_password: Failed to change password for \
-domain %s.\n", timestring(False), domain));
- return False;
-}
diff --git a/source3/rpc_client/cli_trust.c b/source3/rpc_client/cli_trust.c
new file mode 100644
index 0000000000..49cd1b1723
--- /dev/null
+++ b/source3/rpc_client/cli_trust.c
@@ -0,0 +1,245 @@
+/*
+ * Unix SMB/Netbios implementation.
+ * Version 1.9.
+ * RPC Pipe client / server routines
+ * Copyright (C) Andrew Tridgell 1992-1997,
+ * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
+ * Copyright (C) Paul Ashton 1997.
+ * Copyright (C) Jeremy Allison 1998.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "includes.h"
+
+extern pstring global_myname;
+
+/*********************************************************
+ Change the domain password on the PDC.
+**********************************************************/
+
+static BOOL modify_trust_password( char *domain, char *remote_machine,
+ unsigned char orig_trust_passwd_hash[16],
+ unsigned char new_trust_passwd_hash[16])
+{
+ struct cli_state cli;
+
+ ZERO_STRUCT(cli);
+ if(cli_initialise(&cli) == False) {
+ DEBUG(0,("modify_trust_password: unable to initialize client connection.\n"));
+ return False;
+ }
+
+ if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) {
+ DEBUG(0,("modify_trust_password: Can't resolve address for %s\n", remote_machine));
+ cli_shutdown(&cli);
+ return False;
+ }
+
+ if (ismyip(cli.dest_ip)) {
+ DEBUG(0,("modify_trust_password: Machine %s is one of our addresses. Cannot add \
+to ourselves.\n", remote_machine));
+ cli_shutdown(&cli);
+ return False;
+ }
+
+ if (!cli_connect(&cli, remote_machine, &cli.dest_ip)) {
+ DEBUG(0,("modify_trust_password: unable to connect to SMB server on \
+machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
+ cli_shutdown(&cli);
+ return False;
+ }
+
+ if (!attempt_netbios_session_request(&cli, global_myname, remote_machine, &cli.dest_ip)) {
+ DEBUG(0,("modify_trust_password: machine %s rejected the NetBIOS \
+session request. Error was %s\n", remote_machine, cli_errstr(&cli) ));
+ cli_shutdown(&cli);
+ return False;
+ }
+
+ cli.protocol = PROTOCOL_NT1;
+
+ if (!cli_negprot(&cli)) {
+ DEBUG(0,("modify_trust_password: machine %s rejected the negotiate protocol. \
+Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
+ cli_shutdown(&cli);
+ return False;
+ }
+
+ if (cli.protocol != PROTOCOL_NT1) {
+ DEBUG(0,("modify_trust_password: machine %s didn't negotiate NT protocol.\n",
+ remote_machine));
+ cli_shutdown(&cli);
+ return False;
+ }
+
+ /*
+ * Do an anonymous session setup.
+ */
+
+ if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) {
+ DEBUG(0,("modify_trust_password: machine %s rejected the session setup. \
+Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
+ cli_shutdown(&cli);
+ return False;
+ }
+
+ if (!(cli.sec_mode & 1)) {
+ DEBUG(0,("modify_trust_password: machine %s isn't in user level security mode\n",
+ remote_machine));
+ cli_shutdown(&cli);
+ return False;
+ }
+
+ if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) {
+ DEBUG(0,("modify_trust_password: machine %s rejected the tconX on the IPC$ share. \
+Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
+ cli_shutdown(&cli);
+ return False;
+ }
+
+ /*
+ * Ok - we have an anonymous connection to the IPC$ share.
+ * Now start the NT Domain stuff :-).
+ */
+
+ if(cli_lsa_get_domain_sid(&cli, remote_machine) == False) {
+ DEBUG(0,("modify_trust_password: unable to obtain domain sid from %s. Error was : %s.\n", remote_machine, cli_errstr(&cli)));
+ cli_ulogoff(&cli);
+ cli_shutdown(&cli);
+ return False;
+ }
+
+ if(cli_nt_session_open(&cli, PIPE_NETLOGON) == False) {
+ DEBUG(0,("modify_trust_password: unable to open the domain client session to \
+machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli)));
+ cli_nt_session_close(&cli);
+ cli_ulogoff(&cli);
+ cli_shutdown(&cli);
+ return False;
+ }
+
+ if(cli_nt_setup_creds(&cli, orig_trust_passwd_hash) == False) {
+ DEBUG(0,("modify_trust_password: unable to setup the PDC credentials to machine \
+%s. Error was : %s.\n", remote_machine, cli_errstr(&cli)));
+ cli_nt_session_close(&cli);
+ cli_ulogoff(&cli);
+ cli_shutdown(&cli);
+ return False;
+ }
+
+ if( cli_nt_srv_pwset( &cli,new_trust_passwd_hash ) == False) {
+ DEBUG(0,("modify_trust_password: unable to change password for machine %s in domain \
+%s to Domain controller %s. Error was %s.\n", global_myname, domain, remote_machine,
+ cli_errstr(&cli)));
+ cli_close(&cli, cli.nt_pipe_fnum);
+ cli_ulogoff(&cli);
+ cli_shutdown(&cli);
+ return False;
+ }
+
+ cli_nt_session_close(&cli);
+ cli_ulogoff(&cli);
+ cli_shutdown(&cli);
+
+ return True;
+}
+
+/************************************************************************
+ Change the trust account password for a domain.
+ The user of this function must have locked the trust password file for
+ update.
+************************************************************************/
+
+BOOL change_trust_account_password( char *domain, char *remote_machine_list)
+{
+ fstring remote_machine;
+ unsigned char old_trust_passwd_hash[16];
+ unsigned char new_trust_passwd_hash[16];
+ time_t lct;
+ BOOL res = False;
+
+ if(!secrets_fetch_trust_account_password(domain, old_trust_passwd_hash, &lct)) {
+ DEBUG(0,("change_trust_account_password: unable to read the machine \
+account password for domain %s.\n", domain));
+ return False;
+ }
+
+ /*
+ * Create the new (random) password.
+ */
+ generate_random_buffer( new_trust_passwd_hash, 16, True);
+
+ while(remote_machine_list &&
+ next_token(&remote_machine_list, remote_machine,
+ LIST_SEP, sizeof(remote_machine))) {
+ strupper(remote_machine);
+ if(strequal(remote_machine, "*")) {
+
+ /*
+ * We have been asked to dynamcially determine the IP addresses of the PDC.
+ */
+
+ struct in_addr *ip_list = NULL;
+ int count = 0;
+ int i;
+
+ /* Use the PDC *only* for this. */
+ if(!get_dc_list(True, domain, &ip_list, &count))
+ continue;
+
+ /*
+ * Try and connect to the PDC/BDC list in turn as an IP
+ * address used as a string.
+ */
+
+ for(i = 0; i < count; i++) {
+ fstring dc_name;
+ if(!lookup_pdc_name(global_myname, domain, &ip_list[i], dc_name))
+ continue;
+ if((res = modify_trust_password( domain, dc_name,
+ old_trust_passwd_hash, new_trust_passwd_hash)))
+ break;
+ }
+
+ if(ip_list != NULL)
+ free((char *)ip_list);
+
+ } else {
+ res = modify_trust_password( domain, remote_machine,
+ old_trust_passwd_hash, new_trust_passwd_hash);
+ }
+
+ if(res) {
+ DEBUG(0,("%s : change_trust_account_password: Changed password for \
+domain %s.\n", timestring(False), domain));
+ /*
+ * Return the result of trying to write the new password
+ * back into the trust account file.
+ */
+ res = secrets_store_trust_account_password(domain, new_trust_passwd_hash);
+ memset(new_trust_passwd_hash, 0, 16);
+ memset(old_trust_passwd_hash, 0, 16);
+ return res;
+ }
+ }
+
+ memset(new_trust_passwd_hash, 0, 16);
+ memset(old_trust_passwd_hash, 0, 16);
+
+ DEBUG(0,("%s : change_trust_account_password: Failed to change password for \
+domain %s.\n", timestring(False), domain));
+ return False;
+}