diff options
-rw-r--r-- | source3/Makefile.in | 2 | ||||
-rw-r--r-- | source3/rpc_client/cli_netlogon.c | 218 | ||||
-rw-r--r-- | source3/rpc_client/cli_trust.c | 245 |
3 files changed, 246 insertions, 219 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in index c635f97f1c..dbbf4b717d 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -151,7 +151,7 @@ RPC_CLIENT_OBJ = rpc_client/cli_netlogon.o rpc_client/cli_pipe.o \ rpc_client/cli_lsarpc.o rpc_client/cli_connect.o \ rpc_client/cli_use.o rpc_client/cli_login.o \ rpc_client/cli_spoolss_notify.o rpc_client/ncacn_np_use.o \ - lib/util_list.o + lib/util_list.o rpc_client/cli_trust.o LOCKING_OBJ = locking/locking.o locking/brlock.o locking/posix.o diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index cc79425eed..2c9d38166d 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -550,221 +550,3 @@ password ?).\n", cli->desthost )); return ok; } - -/********************************************************* - Change the domain password on the PDC. -**********************************************************/ - -static BOOL modify_trust_password( char *domain, char *remote_machine, - unsigned char orig_trust_passwd_hash[16], - unsigned char new_trust_passwd_hash[16]) -{ - struct cli_state cli; - - ZERO_STRUCT(cli); - if(cli_initialise(&cli) == False) { - DEBUG(0,("modify_trust_password: unable to initialize client connection.\n")); - return False; - } - - if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) { - DEBUG(0,("modify_trust_password: Can't resolve address for %s\n", remote_machine)); - cli_shutdown(&cli); - return False; - } - - if (ismyip(cli.dest_ip)) { - DEBUG(0,("modify_trust_password: Machine %s is one of our addresses. Cannot add \ -to ourselves.\n", remote_machine)); - cli_shutdown(&cli); - return False; - } - - if (!cli_connect(&cli, remote_machine, &cli.dest_ip)) { - DEBUG(0,("modify_trust_password: unable to connect to SMB server on \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) )); - cli_shutdown(&cli); - return False; - } - - if (!attempt_netbios_session_request(&cli, global_myname, remote_machine, &cli.dest_ip)) { - DEBUG(0,("modify_trust_password: machine %s rejected the NetBIOS \ -session request. Error was %s\n", remote_machine, cli_errstr(&cli) )); - cli_shutdown(&cli); - return False; - } - - cli.protocol = PROTOCOL_NT1; - - if (!cli_negprot(&cli)) { - DEBUG(0,("modify_trust_password: machine %s rejected the negotiate protocol. \ -Error was : %s.\n", remote_machine, cli_errstr(&cli) )); - cli_shutdown(&cli); - return False; - } - - if (cli.protocol != PROTOCOL_NT1) { - DEBUG(0,("modify_trust_password: machine %s didn't negotiate NT protocol.\n", - remote_machine)); - cli_shutdown(&cli); - return False; - } - - /* - * Do an anonymous session setup. - */ - - if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) { - DEBUG(0,("modify_trust_password: machine %s rejected the session setup. \ -Error was : %s.\n", remote_machine, cli_errstr(&cli) )); - cli_shutdown(&cli); - return False; - } - - if (!(cli.sec_mode & 1)) { - DEBUG(0,("modify_trust_password: machine %s isn't in user level security mode\n", - remote_machine)); - cli_shutdown(&cli); - return False; - } - - if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) { - DEBUG(0,("modify_trust_password: machine %s rejected the tconX on the IPC$ share. \ -Error was : %s.\n", remote_machine, cli_errstr(&cli) )); - cli_shutdown(&cli); - return False; - } - - /* - * Ok - we have an anonymous connection to the IPC$ share. - * Now start the NT Domain stuff :-). - */ - - if(cli_lsa_get_domain_sid(&cli, remote_machine) == False) { - DEBUG(0,("modify_trust_password: unable to obtain domain sid from %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return False; - } - - if(cli_nt_session_open(&cli, PIPE_NETLOGON) == False) { - DEBUG(0,("modify_trust_password: unable to open the domain client session to \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); - cli_nt_session_close(&cli); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return False; - } - - if(cli_nt_setup_creds(&cli, orig_trust_passwd_hash) == False) { - DEBUG(0,("modify_trust_password: unable to setup the PDC credentials to machine \ -%s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); - cli_nt_session_close(&cli); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return False; - } - - if( cli_nt_srv_pwset( &cli,new_trust_passwd_hash ) == False) { - DEBUG(0,("modify_trust_password: unable to change password for machine %s in domain \ -%s to Domain controller %s. Error was %s.\n", global_myname, domain, remote_machine, - cli_errstr(&cli))); - cli_close(&cli, cli.nt_pipe_fnum); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return False; - } - - cli_nt_session_close(&cli); - cli_ulogoff(&cli); - cli_shutdown(&cli); - - return True; -} - -/************************************************************************ - Change the trust account password for a domain. - The user of this function must have locked the trust password file for - update. -************************************************************************/ - -BOOL change_trust_account_password( char *domain, char *remote_machine_list) -{ - fstring remote_machine; - unsigned char old_trust_passwd_hash[16]; - unsigned char new_trust_passwd_hash[16]; - time_t lct; - BOOL res = False; - - if(!secrets_fetch_trust_account_password(domain, old_trust_passwd_hash, &lct)) { - DEBUG(0,("change_trust_account_password: unable to read the machine \ -account password for domain %s.\n", domain)); - return False; - } - - /* - * Create the new (random) password. - */ - generate_random_buffer( new_trust_passwd_hash, 16, True); - - while(remote_machine_list && - next_token(&remote_machine_list, remote_machine, - LIST_SEP, sizeof(remote_machine))) { - strupper(remote_machine); - if(strequal(remote_machine, "*")) { - - /* - * We have been asked to dynamcially determine the IP addresses of the PDC. - */ - - struct in_addr *ip_list = NULL; - int count = 0; - int i; - - /* Use the PDC *only* for this. */ - if(!get_dc_list(True, domain, &ip_list, &count)) - continue; - - /* - * Try and connect to the PDC/BDC list in turn as an IP - * address used as a string. - */ - - for(i = 0; i < count; i++) { - fstring dc_name; - if(!lookup_pdc_name(global_myname, domain, &ip_list[i], dc_name)) - continue; - if((res = modify_trust_password( domain, dc_name, - old_trust_passwd_hash, new_trust_passwd_hash))) - break; - } - - if(ip_list != NULL) - free((char *)ip_list); - - } else { - res = modify_trust_password( domain, remote_machine, - old_trust_passwd_hash, new_trust_passwd_hash); - } - - if(res) { - DEBUG(0,("%s : change_trust_account_password: Changed password for \ -domain %s.\n", timestring(False), domain)); - /* - * Return the result of trying to write the new password - * back into the trust account file. - */ - res = secrets_store_trust_account_password(domain, new_trust_passwd_hash); - memset(new_trust_passwd_hash, 0, 16); - memset(old_trust_passwd_hash, 0, 16); - return res; - } - } - - memset(new_trust_passwd_hash, 0, 16); - memset(old_trust_passwd_hash, 0, 16); - - DEBUG(0,("%s : change_trust_account_password: Failed to change password for \ -domain %s.\n", timestring(False), domain)); - return False; -} diff --git a/source3/rpc_client/cli_trust.c b/source3/rpc_client/cli_trust.c new file mode 100644 index 0000000000..49cd1b1723 --- /dev/null +++ b/source3/rpc_client/cli_trust.c @@ -0,0 +1,245 @@ +/* + * Unix SMB/Netbios implementation. + * Version 1.9. + * RPC Pipe client / server routines + * Copyright (C) Andrew Tridgell 1992-1997, + * Copyright (C) Luke Kenneth Casson Leighton 1996-1997, + * Copyright (C) Paul Ashton 1997. + * Copyright (C) Jeremy Allison 1998. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "includes.h" + +extern pstring global_myname; + +/********************************************************* + Change the domain password on the PDC. +**********************************************************/ + +static BOOL modify_trust_password( char *domain, char *remote_machine, + unsigned char orig_trust_passwd_hash[16], + unsigned char new_trust_passwd_hash[16]) +{ + struct cli_state cli; + + ZERO_STRUCT(cli); + if(cli_initialise(&cli) == False) { + DEBUG(0,("modify_trust_password: unable to initialize client connection.\n")); + return False; + } + + if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) { + DEBUG(0,("modify_trust_password: Can't resolve address for %s\n", remote_machine)); + cli_shutdown(&cli); + return False; + } + + if (ismyip(cli.dest_ip)) { + DEBUG(0,("modify_trust_password: Machine %s is one of our addresses. Cannot add \ +to ourselves.\n", remote_machine)); + cli_shutdown(&cli); + return False; + } + + if (!cli_connect(&cli, remote_machine, &cli.dest_ip)) { + DEBUG(0,("modify_trust_password: unable to connect to SMB server on \ +machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) )); + cli_shutdown(&cli); + return False; + } + + if (!attempt_netbios_session_request(&cli, global_myname, remote_machine, &cli.dest_ip)) { + DEBUG(0,("modify_trust_password: machine %s rejected the NetBIOS \ +session request. Error was %s\n", remote_machine, cli_errstr(&cli) )); + cli_shutdown(&cli); + return False; + } + + cli.protocol = PROTOCOL_NT1; + + if (!cli_negprot(&cli)) { + DEBUG(0,("modify_trust_password: machine %s rejected the negotiate protocol. \ +Error was : %s.\n", remote_machine, cli_errstr(&cli) )); + cli_shutdown(&cli); + return False; + } + + if (cli.protocol != PROTOCOL_NT1) { + DEBUG(0,("modify_trust_password: machine %s didn't negotiate NT protocol.\n", + remote_machine)); + cli_shutdown(&cli); + return False; + } + + /* + * Do an anonymous session setup. + */ + + if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) { + DEBUG(0,("modify_trust_password: machine %s rejected the session setup. \ +Error was : %s.\n", remote_machine, cli_errstr(&cli) )); + cli_shutdown(&cli); + return False; + } + + if (!(cli.sec_mode & 1)) { + DEBUG(0,("modify_trust_password: machine %s isn't in user level security mode\n", + remote_machine)); + cli_shutdown(&cli); + return False; + } + + if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) { + DEBUG(0,("modify_trust_password: machine %s rejected the tconX on the IPC$ share. \ +Error was : %s.\n", remote_machine, cli_errstr(&cli) )); + cli_shutdown(&cli); + return False; + } + + /* + * Ok - we have an anonymous connection to the IPC$ share. + * Now start the NT Domain stuff :-). + */ + + if(cli_lsa_get_domain_sid(&cli, remote_machine) == False) { + DEBUG(0,("modify_trust_password: unable to obtain domain sid from %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return False; + } + + if(cli_nt_session_open(&cli, PIPE_NETLOGON) == False) { + DEBUG(0,("modify_trust_password: unable to open the domain client session to \ +machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); + cli_nt_session_close(&cli); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return False; + } + + if(cli_nt_setup_creds(&cli, orig_trust_passwd_hash) == False) { + DEBUG(0,("modify_trust_password: unable to setup the PDC credentials to machine \ +%s. Error was : %s.\n", remote_machine, cli_errstr(&cli))); + cli_nt_session_close(&cli); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return False; + } + + if( cli_nt_srv_pwset( &cli,new_trust_passwd_hash ) == False) { + DEBUG(0,("modify_trust_password: unable to change password for machine %s in domain \ +%s to Domain controller %s. Error was %s.\n", global_myname, domain, remote_machine, + cli_errstr(&cli))); + cli_close(&cli, cli.nt_pipe_fnum); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return False; + } + + cli_nt_session_close(&cli); + cli_ulogoff(&cli); + cli_shutdown(&cli); + + return True; +} + +/************************************************************************ + Change the trust account password for a domain. + The user of this function must have locked the trust password file for + update. +************************************************************************/ + +BOOL change_trust_account_password( char *domain, char *remote_machine_list) +{ + fstring remote_machine; + unsigned char old_trust_passwd_hash[16]; + unsigned char new_trust_passwd_hash[16]; + time_t lct; + BOOL res = False; + + if(!secrets_fetch_trust_account_password(domain, old_trust_passwd_hash, &lct)) { + DEBUG(0,("change_trust_account_password: unable to read the machine \ +account password for domain %s.\n", domain)); + return False; + } + + /* + * Create the new (random) password. + */ + generate_random_buffer( new_trust_passwd_hash, 16, True); + + while(remote_machine_list && + next_token(&remote_machine_list, remote_machine, + LIST_SEP, sizeof(remote_machine))) { + strupper(remote_machine); + if(strequal(remote_machine, "*")) { + + /* + * We have been asked to dynamcially determine the IP addresses of the PDC. + */ + + struct in_addr *ip_list = NULL; + int count = 0; + int i; + + /* Use the PDC *only* for this. */ + if(!get_dc_list(True, domain, &ip_list, &count)) + continue; + + /* + * Try and connect to the PDC/BDC list in turn as an IP + * address used as a string. + */ + + for(i = 0; i < count; i++) { + fstring dc_name; + if(!lookup_pdc_name(global_myname, domain, &ip_list[i], dc_name)) + continue; + if((res = modify_trust_password( domain, dc_name, + old_trust_passwd_hash, new_trust_passwd_hash))) + break; + } + + if(ip_list != NULL) + free((char *)ip_list); + + } else { + res = modify_trust_password( domain, remote_machine, + old_trust_passwd_hash, new_trust_passwd_hash); + } + + if(res) { + DEBUG(0,("%s : change_trust_account_password: Changed password for \ +domain %s.\n", timestring(False), domain)); + /* + * Return the result of trying to write the new password + * back into the trust account file. + */ + res = secrets_store_trust_account_password(domain, new_trust_passwd_hash); + memset(new_trust_passwd_hash, 0, 16); + memset(old_trust_passwd_hash, 0, 16); + return res; + } + } + + memset(new_trust_passwd_hash, 0, 16); + memset(old_trust_passwd_hash, 0, 16); + + DEBUG(0,("%s : change_trust_account_password: Failed to change password for \ +domain %s.\n", timestring(False), domain)); + return False; +} |