diff options
Diffstat (limited to 'source3')
| -rw-r--r-- | source3/include/client.h | 1 | ||||
| -rw-r--r-- | source3/include/proto.h | 9 | ||||
| -rw-r--r-- | source3/libnet/libnet_join.c | 9 | ||||
| -rw-r--r-- | source3/libsmb/trusts_util.c | 8 | ||||
| -rw-r--r-- | source3/rpc_client/cli_netlogon.c | 51 | ||||
| -rw-r--r-- | source3/winbindd/winbindd_cm.c | 2 | ||||
| -rw-r--r-- | source3/winbindd/winbindd_dual.c | 42 |
7 files changed, 37 insertions, 85 deletions
diff --git a/source3/include/client.h b/source3/include/client.h index ba3a4e782c..82d94b055f 100644 --- a/source3/include/client.h +++ b/source3/include/client.h @@ -147,7 +147,6 @@ struct rpc_pipe_client { /* The following is only non-null on a netlogon client pipe. */ struct netlogon_creds_CredentialState *dc; - uint32_t auth_neg_flags; /* Used by internal rpc_pipe_client */ pipes_struct *pipes_struct; diff --git a/source3/include/proto.h b/source3/include/proto.h index a9768ba256..c8e4fe1916 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -5240,14 +5240,7 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli, const unsigned char orig_trust_passwd_hash[16], const char *new_trust_pwd_cleartext, const unsigned char new_trust_passwd_hash[16], - uint32_t sec_channel_type, - uint32_t neg_flags); -NTSTATUS rpccli_netlogon_auth_set_trust_password(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - const unsigned char orig_trust_passwd_hash[16], - const char *new_trust_pwd_cleartext, - const unsigned char new_trust_passwd_hash[16], - uint32_t sec_channel_type); + uint32_t sec_channel_type); /* The following definitions come from rpc_client/cli_pipe.c */ diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 70b28e3988..8c3030711b 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -788,10 +788,11 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx, E_md4hash(trust_passwd, orig_trust_passwd_hash); - status = rpccli_netlogon_auth_set_trust_password( - pipe_hnd, mem_ctx, orig_trust_passwd_hash, - r->in.machine_password, new_trust_passwd_hash, - r->in.secure_channel_type); + status = rpccli_netlogon_set_trust_password(pipe_hnd, mem_ctx, + orig_trust_passwd_hash, + r->in.machine_password, + new_trust_passwd_hash, + r->in.secure_channel_type); return status; } diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index d9b75704e3..adf1525812 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -46,9 +46,11 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m E_md4hash(new_trust_passwd, new_trust_passwd_hash); - nt_status = rpccli_netlogon_auth_set_trust_password( - cli, mem_ctx, orig_trust_passwd_hash, new_trust_passwd, - new_trust_passwd_hash, sec_channel_type); + nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx, + orig_trust_passwd_hash, + new_trust_passwd, + new_trust_passwd_hash, + sec_channel_type); if (NT_STATUS_IS_OK(nt_status)) { DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n", diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index db7d1357c7..911a50f393 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -512,12 +512,27 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli, const unsigned char orig_trust_passwd_hash[16], const char *new_trust_pwd_cleartext, const unsigned char new_trust_passwd_hash[16], - uint32_t sec_channel_type, - uint32_t neg_flags) + uint32_t sec_channel_type) { NTSTATUS result; + uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; struct netr_Authenticator clnt_creds, srv_cred; + result = rpccli_netlogon_setup_creds(cli, + cli->desthost, /* server name */ + lp_workgroup(), /* domain */ + global_myname(), /* client name */ + global_myname(), /* machine account name */ + orig_trust_passwd_hash, + sec_channel_type, + &neg_flags); + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(3,("rpccli_netlogon_set_trust_password: unable to setup creds (%s)!\n", + nt_errstr(result))); + return result; + } + netlogon_creds_client_authenticator(cli->dc, &clnt_creds); if (neg_flags & NETLOGON_NEG_PASSWORD_SET2) { @@ -571,35 +586,3 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli, return result; } -NTSTATUS rpccli_netlogon_auth_set_trust_password(struct rpc_pipe_client *cli, - TALLOC_CTX *mem_ctx, - const unsigned char orig_trust_passwd_hash[16], - const char *new_trust_pwd_cleartext, - const unsigned char new_trust_passwd_hash[16], - uint32_t sec_channel_type) -{ - NTSTATUS result; - uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; - - result = rpccli_netlogon_setup_creds(cli, - cli->desthost, /* server name */ - lp_workgroup(), /* domain */ - global_myname(), /* client name */ - global_myname(), /* machine account name */ - orig_trust_passwd_hash, - sec_channel_type, - &neg_flags); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(3,("rpccli_netlogon_set_trust_password: unable to setup creds (%s)!\n", - nt_errstr(result))); - return result; - } - - return rpccli_netlogon_set_trust_password(cli, mem_ctx, - orig_trust_passwd_hash, - new_trust_pwd_cleartext, - new_trust_passwd_hash, - sec_channel_type, - neg_flags); -} diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 029a0210d1..9a788397a9 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -2470,8 +2470,6 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, return !NT_STATUS_IS_OK(result) ? result : NT_STATUS_PIPE_NOT_AVAILABLE; } - conn->netlogon_pipe->auth_neg_flags = neg_flags; - /* * Try NetSamLogonEx for AD domains */ diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c index 546f5f0131..edf784cc21 100644 --- a/source3/winbindd/winbindd_dual.c +++ b/source3/winbindd/winbindd_dual.c @@ -30,7 +30,6 @@ #include "includes.h" #include "winbindd.h" #include "../../nsswitch/libwbclient/wbc_async.h" -#include "../libcli/auth/libcli_auth.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_WINBIND @@ -1062,12 +1061,9 @@ static void machine_password_change_handler(struct event_context *ctx, struct winbindd_child *child = (struct winbindd_child *)private_data; struct rpc_pipe_client *netlogon_pipe = NULL; + TALLOC_CTX *frame; NTSTATUS result; struct timeval next_change; - uint8_t old_trust_passwd_hash[16]; - uint8_t new_trust_passwd_hash[16]; - char *new_trust_passwd; - uint32_t sec_channel_type = 0; DEBUG(10,("machine_password_change_handler called\n")); @@ -1093,42 +1089,22 @@ static void machine_password_change_handler(struct event_context *ctx, return; } - if (!secrets_fetch_trust_account_password( - child->domain->name, old_trust_passwd_hash, NULL, - &sec_channel_type)) { - DEBUG(0, ("could not fetch domain secrets for domain %s!\n", - child->domain->name)); - return; - } - - new_trust_passwd = generate_random_str( - talloc_tos(), DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH); - if (new_trust_passwd == NULL) { - DEBUG(0, ("talloc_strdup failed\n")); - return; - } + frame = talloc_stackframe(); - E_md4hash(new_trust_passwd, new_trust_passwd_hash); - - result = rpccli_netlogon_set_trust_password( - netlogon_pipe, talloc_tos(), old_trust_passwd_hash, - new_trust_passwd, new_trust_passwd_hash, sec_channel_type, - netlogon_pipe->auth_neg_flags); + result = trust_pw_find_change_and_store_it(netlogon_pipe, + frame, + child->domain->name); + TALLOC_FREE(frame); if (!NT_STATUS_IS_OK(result)) { DEBUG(10,("machine_password_change_handler: " "failed to change machine password: %s\n", nt_errstr(result))); - /* - * Don't try a second time, this will very likely also - * fail. - */ - return; + } else { + DEBUG(10,("machine_password_change_handler: " + "successfully changed machine password\n")); } - DEBUG(3,("machine_password_change_handler: Changed password at %s.\n", - current_timestring(debug_ctx(), False))); - child->machine_password_change_event = event_add_timed(winbind_event_context(), NULL, next_change, machine_password_change_handler, |