diff options
Diffstat (limited to 'source3/libsmb/clienttrust.c')
-rw-r--r-- | source3/libsmb/clienttrust.c | 211 |
1 files changed, 211 insertions, 0 deletions
diff --git a/source3/libsmb/clienttrust.c b/source3/libsmb/clienttrust.c new file mode 100644 index 0000000000..1a2d7a7faa --- /dev/null +++ b/source3/libsmb/clienttrust.c @@ -0,0 +1,211 @@ +/* + * Unix SMB/Netbios implementation. + * Version 1.9. + * RPC Pipe client / server routines + * Copyright (C) Andrew Tridgell 1992-1997, + * Copyright (C) Luke Kenneth Casson Leighton 1996-1997, + * Copyright (C) Paul Ashton 1997. + * Copyright (C) Jeremy Allison 1998. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + + +#ifdef SYSLOG +#undef SYSLOG +#endif + +#include "includes.h" + +extern int DEBUGLEVEL; +extern pstring scope; +extern pstring global_myname; + +/********************************************************* + Change the domain password on the PDC. +**********************************************************/ + +static BOOL modify_trust_password( char *domain, char *remote_machine, + unsigned char orig_trust_passwd_hash[16], + unsigned char new_trust_passwd_hash[16], + uint16 sec_chan) +{ + uint16 nt_pipe_fnum; + struct cli_state cli; + struct nmb_name calling, called; + + make_nmb_name(&calling, global_myname , 0x0 , scope); + make_nmb_name(&called , remote_machine, 0x20, scope); + + ZERO_STRUCT(cli); + if(cli_initialise(&cli) == NULL) + { + DEBUG(0,("modify_trust_password: unable to initialize client \ +connection.\n")); + return False; + } + + if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) + { + DEBUG(0,("modify_trust_password: Can't resolve address for \ +%s\n", remote_machine)); + return False; + } + + if (ismyip(cli.dest_ip)) + { + DEBUG(0,("modify_trust_password: Machine %s is one of our \ +addresses. Cannot add to ourselves.\n", remote_machine)); + return False; + } + + cli.protocol = PROTOCOL_NT1; + + pwd_set_nullpwd(&cli.pwd); + + if (!cli_establish_connection(&cli, remote_machine, &cli.dest_ip, + &calling, &called, + "IPC$", "IPC", False, True)) + { + fstring errstr; + cli_safe_errstr(&cli, errstr, sizeof(errstr)); + DEBUG(0,("modify_trust_password: machine %s rejected the SMB \ +session. Error was : %s.\n", remote_machine, errstr )); + cli_shutdown(&cli); + return False; + } + + + if (cli.protocol != PROTOCOL_NT1) + { + DEBUG(0,("modify_trust_password: machine %s didn't negotiate \ +NT protocol.\n", remote_machine)); + cli_shutdown(&cli); + return False; + } + + if (!(IS_BITS_SET_ALL(cli.sec_mode, 1))) + { + DEBUG(0,("modify_trust_password: machine %s isn't in user \ +level security mode\n", remote_machine)); + cli_shutdown(&cli); + return False; + } + + /* + * Ok - we have an anonymous connection to the IPC$ share. + * Now start the NT Domain stuff :-). + */ + + if (!cli_nt_session_open(&cli, PIPE_NETLOGON, &nt_pipe_fnum)) + { + fstring errstr; + cli_safe_errstr(&cli, errstr, sizeof(errstr)); + DEBUG(0,("modify_trust_password: unable to open the domain \ +client session to server %s. Error was : %s.\n", remote_machine, errstr )); + cli_nt_session_close(&cli, nt_pipe_fnum); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return False; + } + + if (cli_nt_setup_creds(&cli, nt_pipe_fnum, + cli.mach_acct, global_myname, + orig_trust_passwd_hash, sec_chan) != 0x0) + { + fstring errstr; + cli_safe_errstr(&cli, errstr, sizeof(errstr)); + DEBUG(0,("modify_trust_password: unable to setup the PDC \ +credentials to server %s. Error was : %s.\n", remote_machine, errstr )); + cli_nt_session_close(&cli, nt_pipe_fnum); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return False; + } + + if (!cli_nt_srv_pwset( &cli, nt_pipe_fnum, new_trust_passwd_hash, + sec_chan ) ) + { + fstring errstr; + cli_safe_errstr(&cli, errstr, sizeof(errstr)); + DEBUG(0,("modify_trust_password: unable to change password for \ +workstation %s in domain %s to Domain controller %s. Error was %s.\n", + global_myname, domain, remote_machine, errstr )); + cli_nt_session_close(&cli, nt_pipe_fnum); + cli_ulogoff(&cli); + cli_shutdown(&cli); + return False; + } + + cli_nt_session_close(&cli, nt_pipe_fnum); + cli_ulogoff(&cli); + cli_shutdown(&cli); + + return True; +} + +/************************************************************************ + Change the trust account password for a domain. + The user of this function must have locked the trust password file for + update. +************************************************************************/ + +BOOL change_trust_account_password(char *domain, char *remote_machine_list, + uint16 sec_chan) +{ + fstring remote_machine; + unsigned char old_trust_passwd_hash[16]; + unsigned char new_trust_passwd_hash[16]; + time_t lct; + BOOL res; + + if(!get_trust_account_password( old_trust_passwd_hash, &lct)) { + DEBUG(0,("change_trust_account_password: unable to read the machine \ +account password for domain %s.\n", domain)); + return False; + } + + /* + * Create the new (random) password. + */ + generate_random_buffer( new_trust_passwd_hash, 16, True); + + while(remote_machine_list && + next_token(&remote_machine_list, remote_machine, + LIST_SEP, sizeof(remote_machine))) { + strupper(remote_machine); + if(modify_trust_password( domain, remote_machine, + old_trust_passwd_hash, new_trust_passwd_hash, sec_chan)) { + DEBUG(0,("%s : change_trust_account_password: Changed password for \ +domain %s.\n", timestring(), domain)); + /* + * Return the result of trying to write the new password + * back into the trust account file. + */ + res = set_trust_account_password(new_trust_passwd_hash); + memset(new_trust_passwd_hash, 0, 16); + memset(old_trust_passwd_hash, 0, 16); + return res; + } + } + + memset(new_trust_passwd_hash, 0, 16); + memset(old_trust_passwd_hash, 0, 16); + + DEBUG(0,("%s : change_trust_account_password: Failed to change password for \ +domain %s.\n", timestring(), domain)); + return False; +} + |