summaryrefslogtreecommitdiff
path: root/source3/passdb
diff options
context:
space:
mode:
Diffstat (limited to 'source3/passdb')
-rw-r--r--source3/passdb/machine_sid.c15
-rw-r--r--source3/passdb/secrets.c102
2 files changed, 101 insertions, 16 deletions
diff --git a/source3/passdb/machine_sid.c b/source3/passdb/machine_sid.c
index 071af50877..a578ecc711 100644
--- a/source3/passdb/machine_sid.c
+++ b/source3/passdb/machine_sid.c
@@ -78,6 +78,7 @@ static void generate_random_sid(DOM_SID *sid)
static BOOL pdb_generate_sam_sid(void)
{
+ DOM_SID domain_sid;
char *fname = NULL;
BOOL is_dc = False;
@@ -97,8 +98,14 @@ static BOOL pdb_generate_sam_sid(void)
break;
}
+ if (is_dc) {
+ if (secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
+ sid_copy(global_sam_sid, &domain_sid);
+ return True;
+ }
+ }
+
if (secrets_fetch_domain_sid(global_myname(), global_sam_sid)) {
- DOM_SID domain_sid;
/* We got our sid. If not a pdc/bdc, we're done. */
if (!is_dc)
@@ -117,11 +124,11 @@ static BOOL pdb_generate_sam_sid(void)
if (!sid_equal(&domain_sid, global_sam_sid)) {
- /* Domain name sid doesn't match global sam sid. Re-store global sam sid as domain sid. */
+ /* Domain name sid doesn't match global sam sid. Re-store domain sid as 'local' sid. */
DEBUG(0,("pdb_generate_sam_sid: Mismatched SIDs as a pdc/bdc.\n"));
- if (!secrets_store_domain_sid(lp_workgroup(), global_sam_sid)) {
- DEBUG(0,("pdb_generate_sam_sid: Can't re-store domain SID as a pdc/bdc.\n"));
+ if (!secrets_store_domain_sid(global_myname(), &domain_sid)) {
+ DEBUG(0,("pdb_generate_sam_sid: Can't re-store domain SID for local sid as PDC/BDC.\n"));
return False;
}
return True;
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index db08d02714..63e67aa16a 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -222,25 +222,40 @@ BOOL secrets_lock_trust_account_password(const char *domain, BOOL dolock)
}
/************************************************************************
+ Routine to get the default secure channel type for trust accounts
+************************************************************************/
+
+uint32 get_default_sec_channel(void)
+{
+ if (lp_server_role() == ROLE_DOMAIN_BDC ||
+ lp_server_role() == ROLE_DOMAIN_PDC) {
+ return SEC_CHAN_BDC;
+ } else {
+ return SEC_CHAN_WKSTA;
+ }
+}
+
+/************************************************************************
Routine to get the trust account password for a domain.
The user of this function must have locked the trust password file using
the above call.
************************************************************************/
BOOL secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
- time_t *pass_last_set_time)
+ time_t *pass_last_set_time,
+ uint32 *channel)
{
struct machine_acct_pass *pass;
char *plaintext;
size_t size;
- plaintext = secrets_fetch_machine_password();
+ plaintext = secrets_fetch_machine_password(domain, pass_last_set_time,
+ channel);
if (plaintext) {
/* we have an ADS password - use that */
DEBUG(4,("Using ADS machine password\n"));
E_md4hash(plaintext, ret_pwd);
SAFE_FREE(plaintext);
- pass_last_set_time = 0;
return True;
}
@@ -257,6 +272,10 @@ BOOL secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16],
if (pass_last_set_time) *pass_last_set_time = pass->mod_time;
memcpy(ret_pwd, pass->hash, 16);
SAFE_FREE(pass);
+
+ if (channel)
+ *channel = get_default_sec_channel();
+
return True;
}
@@ -356,14 +375,42 @@ BOOL secrets_store_trusted_domain_password(const char* domain, smb_ucs2_t *uni_d
the password is assumed to be a null terminated ascii string
************************************************************************/
-BOOL secrets_store_machine_password(const char *pass)
+BOOL secrets_store_machine_password(const char *pass, const char *domain, uint32 sec_channel)
{
- char *key;
+ char *key = NULL;
BOOL ret;
- asprintf(&key, "%s/%s", SECRETS_MACHINE_PASSWORD, lp_workgroup());
+ uint32 last_change_time;
+ uint32 sec_channel_type;
+
+ asprintf(&key, "%s/%s", SECRETS_MACHINE_PASSWORD, domain);
+ if (!key)
+ return False;
strupper(key);
+
ret = secrets_store(key, pass, strlen(pass)+1);
- free(key);
+ SAFE_FREE(key);
+
+ if (!ret)
+ return ret;
+
+ asprintf(&key, "%s/%s", SECRETS_MACHINE_LAST_CHANGE_TIME, domain);
+ if (!key)
+ return False;
+ strupper(key);
+
+ SIVAL(&last_change_time, 0, time(NULL));
+ ret = secrets_store(key, &last_change_time, sizeof(last_change_time));
+ SAFE_FREE(key);
+
+ asprintf(&key, "%s/%s", SECRETS_MACHINE_SEC_CHANNEL_TYPE, domain);
+ if (!key)
+ return False;
+ strupper(key);
+
+ SIVAL(&sec_channel_type, 0, sec_channel);
+ ret = secrets_store(key, &sec_channel_type, sizeof(sec_channel_type));
+ SAFE_FREE(key);
+
return ret;
}
@@ -372,14 +419,45 @@ BOOL secrets_store_machine_password(const char *pass)
Routine to fetch the plaintext machine account password for a realm
the password is assumed to be a null terminated ascii string
************************************************************************/
-char *secrets_fetch_machine_password(void)
+char *secrets_fetch_machine_password(const char *domain,
+ time_t *pass_last_set_time,
+ uint32 *channel)
{
- char *key;
+ char *key = NULL;
char *ret;
- asprintf(&key, "%s/%s", SECRETS_MACHINE_PASSWORD, lp_workgroup());
+ asprintf(&key, "%s/%s", SECRETS_MACHINE_PASSWORD, domain);
strupper(key);
ret = (char *)secrets_fetch(key, NULL);
- free(key);
+ SAFE_FREE(key);
+
+ if (pass_last_set_time) {
+ size_t size;
+ uint32 *last_set_time;
+ asprintf(&key, "%s/%s", SECRETS_MACHINE_LAST_CHANGE_TIME, domain);
+ strupper(key);
+ last_set_time = secrets_fetch(key, &size);
+ if (last_set_time) {
+ *pass_last_set_time = IVAL(last_set_time,0);
+ } else {
+ *pass_last_set_time = 0;
+ }
+ SAFE_FREE(key);
+ }
+
+ if (channel) {
+ size_t size;
+ uint32 *channel_type;
+ asprintf(&key, "%s/%s", SECRETS_MACHINE_SEC_CHANNEL_TYPE, domain);
+ strupper(key);
+ channel_type = secrets_fetch(key, &size);
+ if (channel_type) {
+ *channel = IVAL(channel_type,0);
+ } else {
+ *channel = get_default_sec_channel();
+ }
+ SAFE_FREE(key);
+ }
+
return ret;
}
@@ -623,7 +701,7 @@ BOOL must_use_pdc( const char *domain )
time_t last_change_time;
unsigned char passwd[16];
- if ( !secrets_fetch_trust_account_password(domain, passwd, &last_change_time) )
+ if ( !secrets_fetch_trust_account_password(domain, passwd, &last_change_time, NULL) )
return False;
/*