summaryrefslogtreecommitdiff
path: root/source3/smbd
diff options
context:
space:
mode:
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/change_trust_pw.c162
-rw-r--r--source3/smbd/process.c6
2 files changed, 80 insertions, 88 deletions
diff --git a/source3/smbd/change_trust_pw.c b/source3/smbd/change_trust_pw.c
index 28a004eba8..a140978733 100644
--- a/source3/smbd/change_trust_pw.c
+++ b/source3/smbd/change_trust_pw.c
@@ -31,106 +31,98 @@
static NTSTATUS modify_trust_password( const char *domain, const char *remote_machine,
unsigned char orig_trust_passwd_hash[16])
{
- struct cli_state *cli;
- DOM_SID domain_sid;
- NTSTATUS nt_status;
+ struct cli_state *cli;
+ DOM_SID domain_sid;
+ NTSTATUS nt_status;
- /*
- * Ensure we have the domain SID for this domain.
- */
+ /*
+ * Ensure we have the domain SID for this domain.
+ */
- if (!secrets_fetch_domain_sid(domain, &domain_sid)) {
- DEBUG(0, ("modify_trust_password: unable to fetch domain sid.\n"));
- return NT_STATUS_UNSUCCESSFUL;
- }
+ if (!secrets_fetch_domain_sid(domain, &domain_sid)) {
+ DEBUG(0, ("modify_trust_password: unable to fetch domain sid.\n"));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
- if (!NT_STATUS_IS_OK(cli_full_connection(&cli, global_myname(), remote_machine,
+ if (!NT_STATUS_IS_OK(cli_full_connection(&cli, global_myname(), remote_machine,
NULL, 0,
"IPC$", "IPC",
"", "",
- "", 0, NULL))) {
- DEBUG(0,("modify_trust_password: Connection to %s failed!\n", remote_machine));
- return NT_STATUS_UNSUCCESSFUL;
- }
+ "", 0, NULL)))
+ {
+ DEBUG(0,("modify_trust_password: Connection to %s failed!\n", remote_machine));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
- /*
- * Ok - we have an anonymous connection to the IPC$ share.
- * Now start the NT Domain stuff :-).
- */
-
- if(cli_nt_session_open(cli, PI_NETLOGON) == False) {
- DEBUG(0,("modify_trust_password: unable to open the domain client session to \
-machine %s. Error was : %s.\n", remote_machine, cli_errstr(cli)));
- cli_nt_session_close(cli);
- cli_ulogoff(cli);
- cli_shutdown(cli);
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- nt_status = trust_pw_change_and_store_it(cli, cli->mem_ctx,
+ /*
+ * Ok - we have an anonymous connection to the IPC$ share.
+ * Now start the NT Domain stuff :-).
+ */
+
+ if(cli_nt_session_open(cli, PI_NETLOGON) == False) {
+ DEBUG(0,("modify_trust_password: unable to open the domain client session to machine %s. Error was : %s.\n",
+ remote_machine, cli_errstr(cli)));
+ cli_nt_session_close(cli);
+ cli_ulogoff(cli);
+ cli_shutdown(cli);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ nt_status = trust_pw_change_and_store_it(cli, cli->mem_ctx,
orig_trust_passwd_hash);
- cli_nt_session_close(cli);
- cli_ulogoff(cli);
- cli_shutdown(cli);
- return nt_status;
+ cli_nt_session_close(cli);
+ cli_ulogoff(cli);
+ cli_shutdown(cli);
+
+ return nt_status;
}
/************************************************************************
Change the trust account password for a domain.
************************************************************************/
-NTSTATUS change_trust_account_password( const char *domain, const char *remote_machine_list)
+NTSTATUS change_trust_account_password( const char *domain, const char *remote_machine)
{
- fstring remote_machine;
- unsigned char old_trust_passwd_hash[16];
- time_t lct;
- NTSTATUS res = NT_STATUS_UNSUCCESSFUL;
-
- if(!secrets_fetch_trust_account_password(domain, old_trust_passwd_hash, &lct)) {
- DEBUG(0,("change_trust_account_password: unable to read the machine \
-account password for domain %s.\n", domain));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- while(remote_machine_list &&
- next_token(&remote_machine_list, remote_machine,
- LIST_SEP, sizeof(remote_machine))) {
- strupper(remote_machine);
- if(strequal(remote_machine, "*")) {
-
- /*
- * We have been asked to dynamcially determine the IP addresses of the PDC.
- */
-
- struct in_addr pdc_ip;
- fstring dc_name;
-
- /* Use the PDC *only* for this. */
- if(!get_pdc_ip(domain, &pdc_ip))
- continue;
-
- /*
- * Try and connect to the PDC/BDC list in turn as an IP
- * address used as a string.
- */
-
- if(!lookup_dc_name(global_myname(), domain, &pdc_ip, dc_name))
- continue;
- if(NT_STATUS_IS_OK(res = modify_trust_password( domain, dc_name,
- old_trust_passwd_hash)))
- break;
- } else {
- res = modify_trust_password( domain, remote_machine,
- old_trust_passwd_hash);
- }
-
- }
-
- if (!NT_STATUS_IS_OK(res)) {
- DEBUG(0,("%s : change_trust_account_password: Failed to change password for \
-domain %s.\n", timestring(False), domain));
- }
+ unsigned char old_trust_passwd_hash[16];
+ time_t lct;
+ NTSTATUS res = NT_STATUS_UNSUCCESSFUL;
+ struct in_addr pdc_ip;
+ fstring dc_name;
+
+
+ if(!secrets_fetch_trust_account_password(domain, old_trust_passwd_hash, &lct)) {
+ DEBUG(0,("change_trust_account_password: unable to read the machine account password for domain %s.\n",
+ domain));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (remote_machine == NULL || !strcmp(remote_machine, "*")) {
+ /* Use the PDC *only* for this */
+
+ if ( !get_pdc_ip(domain, &pdc_ip) ) {
+ DEBUG(0,("Can't get IP for PDC for domain %s\n", domain));
+ goto failed;
+ }
+
+ if ( !lookup_dc_name(global_myname(), domain, &pdc_ip, dc_name) )
+ goto failed;
+ }
+ /* supoport old deprecated "smbpasswd -j DOMAIN -r MACHINE" behavior */
+ else {
+ fstrcpy( dc_name, remote_machine );
+ }
+
+ /* if this next call fails, then give up. We can't do
+ password changes on BDC's --jerry */
+
+ res = modify_trust_password(domain, dc_name, old_trust_passwd_hash);
+
+failed:
+ if (!NT_STATUS_IS_OK(res)) {
+ DEBUG(0,("%s : change_trust_account_password: Failed to change password for domain %s.\n",
+ timestring(False), domain));
+ }
- return res;
+ return res;
}
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index c46c4c5509..3b0619b7d0 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1175,9 +1175,9 @@ machine %s in domain %s.\n", global_myname(), lp_workgroup() ));
return True;
}
- pstrcpy(remote_machine_list, lp_passwordserver());
-
- change_trust_account_password( lp_workgroup(), remote_machine_list);
+ /* always just contact the PDC here */
+
+ change_trust_account_password( lp_workgroup(), NULL);
global_machine_password_needs_changing = False;
secrets_lock_trust_account_password(lp_workgroup(), False);
}