summaryrefslogtreecommitdiff
path: root/source3/libsmb/clienttrust.c
diff options
context:
space:
mode:
Diffstat (limited to 'source3/libsmb/clienttrust.c')
-rw-r--r--source3/libsmb/clienttrust.c211
1 files changed, 211 insertions, 0 deletions
diff --git a/source3/libsmb/clienttrust.c b/source3/libsmb/clienttrust.c
new file mode 100644
index 0000000000..1a2d7a7faa
--- /dev/null
+++ b/source3/libsmb/clienttrust.c
@@ -0,0 +1,211 @@
+/*
+ * Unix SMB/Netbios implementation.
+ * Version 1.9.
+ * RPC Pipe client / server routines
+ * Copyright (C) Andrew Tridgell 1992-1997,
+ * Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
+ * Copyright (C) Paul Ashton 1997.
+ * Copyright (C) Jeremy Allison 1998.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+
+#ifdef SYSLOG
+#undef SYSLOG
+#endif
+
+#include "includes.h"
+
+extern int DEBUGLEVEL;
+extern pstring scope;
+extern pstring global_myname;
+
+/*********************************************************
+ Change the domain password on the PDC.
+**********************************************************/
+
+static BOOL modify_trust_password( char *domain, char *remote_machine,
+ unsigned char orig_trust_passwd_hash[16],
+ unsigned char new_trust_passwd_hash[16],
+ uint16 sec_chan)
+{
+ uint16 nt_pipe_fnum;
+ struct cli_state cli;
+ struct nmb_name calling, called;
+
+ make_nmb_name(&calling, global_myname , 0x0 , scope);
+ make_nmb_name(&called , remote_machine, 0x20, scope);
+
+ ZERO_STRUCT(cli);
+ if(cli_initialise(&cli) == NULL)
+ {
+ DEBUG(0,("modify_trust_password: unable to initialize client \
+connection.\n"));
+ return False;
+ }
+
+ if(!resolve_name( remote_machine, &cli.dest_ip, 0x20))
+ {
+ DEBUG(0,("modify_trust_password: Can't resolve address for \
+%s\n", remote_machine));
+ return False;
+ }
+
+ if (ismyip(cli.dest_ip))
+ {
+ DEBUG(0,("modify_trust_password: Machine %s is one of our \
+addresses. Cannot add to ourselves.\n", remote_machine));
+ return False;
+ }
+
+ cli.protocol = PROTOCOL_NT1;
+
+ pwd_set_nullpwd(&cli.pwd);
+
+ if (!cli_establish_connection(&cli, remote_machine, &cli.dest_ip,
+ &calling, &called,
+ "IPC$", "IPC", False, True))
+ {
+ fstring errstr;
+ cli_safe_errstr(&cli, errstr, sizeof(errstr));
+ DEBUG(0,("modify_trust_password: machine %s rejected the SMB \
+session. Error was : %s.\n", remote_machine, errstr ));
+ cli_shutdown(&cli);
+ return False;
+ }
+
+
+ if (cli.protocol != PROTOCOL_NT1)
+ {
+ DEBUG(0,("modify_trust_password: machine %s didn't negotiate \
+NT protocol.\n", remote_machine));
+ cli_shutdown(&cli);
+ return False;
+ }
+
+ if (!(IS_BITS_SET_ALL(cli.sec_mode, 1)))
+ {
+ DEBUG(0,("modify_trust_password: machine %s isn't in user \
+level security mode\n", remote_machine));
+ cli_shutdown(&cli);
+ return False;
+ }
+
+ /*
+ * Ok - we have an anonymous connection to the IPC$ share.
+ * Now start the NT Domain stuff :-).
+ */
+
+ if (!cli_nt_session_open(&cli, PIPE_NETLOGON, &nt_pipe_fnum))
+ {
+ fstring errstr;
+ cli_safe_errstr(&cli, errstr, sizeof(errstr));
+ DEBUG(0,("modify_trust_password: unable to open the domain \
+client session to server %s. Error was : %s.\n", remote_machine, errstr ));
+ cli_nt_session_close(&cli, nt_pipe_fnum);
+ cli_ulogoff(&cli);
+ cli_shutdown(&cli);
+ return False;
+ }
+
+ if (cli_nt_setup_creds(&cli, nt_pipe_fnum,
+ cli.mach_acct, global_myname,
+ orig_trust_passwd_hash, sec_chan) != 0x0)
+ {
+ fstring errstr;
+ cli_safe_errstr(&cli, errstr, sizeof(errstr));
+ DEBUG(0,("modify_trust_password: unable to setup the PDC \
+credentials to server %s. Error was : %s.\n", remote_machine, errstr ));
+ cli_nt_session_close(&cli, nt_pipe_fnum);
+ cli_ulogoff(&cli);
+ cli_shutdown(&cli);
+ return False;
+ }
+
+ if (!cli_nt_srv_pwset( &cli, nt_pipe_fnum, new_trust_passwd_hash,
+ sec_chan ) )
+ {
+ fstring errstr;
+ cli_safe_errstr(&cli, errstr, sizeof(errstr));
+ DEBUG(0,("modify_trust_password: unable to change password for \
+workstation %s in domain %s to Domain controller %s. Error was %s.\n",
+ global_myname, domain, remote_machine, errstr ));
+ cli_nt_session_close(&cli, nt_pipe_fnum);
+ cli_ulogoff(&cli);
+ cli_shutdown(&cli);
+ return False;
+ }
+
+ cli_nt_session_close(&cli, nt_pipe_fnum);
+ cli_ulogoff(&cli);
+ cli_shutdown(&cli);
+
+ return True;
+}
+
+/************************************************************************
+ Change the trust account password for a domain.
+ The user of this function must have locked the trust password file for
+ update.
+************************************************************************/
+
+BOOL change_trust_account_password(char *domain, char *remote_machine_list,
+ uint16 sec_chan)
+{
+ fstring remote_machine;
+ unsigned char old_trust_passwd_hash[16];
+ unsigned char new_trust_passwd_hash[16];
+ time_t lct;
+ BOOL res;
+
+ if(!get_trust_account_password( old_trust_passwd_hash, &lct)) {
+ DEBUG(0,("change_trust_account_password: unable to read the machine \
+account password for domain %s.\n", domain));
+ return False;
+ }
+
+ /*
+ * Create the new (random) password.
+ */
+ generate_random_buffer( new_trust_passwd_hash, 16, True);
+
+ while(remote_machine_list &&
+ next_token(&remote_machine_list, remote_machine,
+ LIST_SEP, sizeof(remote_machine))) {
+ strupper(remote_machine);
+ if(modify_trust_password( domain, remote_machine,
+ old_trust_passwd_hash, new_trust_passwd_hash, sec_chan)) {
+ DEBUG(0,("%s : change_trust_account_password: Changed password for \
+domain %s.\n", timestring(), domain));
+ /*
+ * Return the result of trying to write the new password
+ * back into the trust account file.
+ */
+ res = set_trust_account_password(new_trust_passwd_hash);
+ memset(new_trust_passwd_hash, 0, 16);
+ memset(old_trust_passwd_hash, 0, 16);
+ return res;
+ }
+ }
+
+ memset(new_trust_passwd_hash, 0, 16);
+ memset(old_trust_passwd_hash, 0, 16);
+
+ DEBUG(0,("%s : change_trust_account_password: Failed to change password for \
+domain %s.\n", timestring(), domain));
+ return False;
+}
+