From 4ba89367078d4847ebbd8023fb361cfbfc472527 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Wed, 4 Dec 2002 20:13:29 +0000 Subject: change_trust_account_password() must always use the PDC for rpc password changes. jerry (This used to be commit 974822526f90aee9b43e75fc7fd5d48fe91add99) --- source3/smbd/change_trust_pw.c | 162 ++++++++++++++++++++--------------------- source3/smbd/process.c | 6 +- 2 files changed, 80 insertions(+), 88 deletions(-) diff --git a/source3/smbd/change_trust_pw.c b/source3/smbd/change_trust_pw.c index 28a004eba8..a140978733 100644 --- a/source3/smbd/change_trust_pw.c +++ b/source3/smbd/change_trust_pw.c 
@@ -31,106 +31,98 @@ static NTSTATUS modify_trust_password( const char *domain, const char *remote_machine, unsigned char orig_trust_passwd_hash[16]) { - struct cli_state *cli; - DOM_SID domain_sid; - NTSTATUS nt_status; + struct cli_state *cli; + DOM_SID domain_sid; + NTSTATUS nt_status; - /* - * Ensure we have the domain SID for this domain. - */ + /* + * Ensure we have the domain SID for this domain. + */ - if (!secrets_fetch_domain_sid(domain, &domain_sid)) { - DEBUG(0, ("modify_trust_password: unable to fetch domain sid.\n")); - return NT_STATUS_UNSUCCESSFUL; - } + if (!secrets_fetch_domain_sid(domain, &domain_sid)) { + DEBUG(0, ("modify_trust_password: unable to fetch domain sid.\n")); + return NT_STATUS_UNSUCCESSFUL; + } - if (!NT_STATUS_IS_OK(cli_full_connection(&cli, global_myname(), remote_machine, + if (!NT_STATUS_IS_OK(cli_full_connection(&cli, global_myname(), remote_machine, NULL, 0, "IPC$", "IPC", "", "", - "", 0, NULL))) { - DEBUG(0,("modify_trust_password: Connection to %s failed!\n", remote_machine)); - return NT_STATUS_UNSUCCESSFUL; - } + "", 0, NULL))) + { + DEBUG(0,("modify_trust_password: Connection to %s failed!\n", remote_machine)); + return NT_STATUS_UNSUCCESSFUL; + } - /* - * Ok - we have an anonymous connection to the IPC$ share. - * Now start the NT Domain stuff :-). - */ - - if(cli_nt_session_open(cli, PI_NETLOGON) == False) { - DEBUG(0,("modify_trust_password: unable to open the domain client session to \ -machine %s. Error was : %s.\n", remote_machine, cli_errstr(cli))); - cli_nt_session_close(cli); - cli_ulogoff(cli); - cli_shutdown(cli); - return NT_STATUS_UNSUCCESSFUL; - } - - nt_status = trust_pw_change_and_store_it(cli, cli->mem_ctx, + /* + * Ok - we have an anonymous connection to the IPC$ share. + * Now start the NT Domain stuff :-). + */ + + if(cli_nt_session_open(cli, PI_NETLOGON) == False) { + DEBUG(0,("modify_trust_password: unable to open the domain client session to machine %s. 
Error was : %s.\n", + remote_machine, cli_errstr(cli))); + cli_nt_session_close(cli); + cli_ulogoff(cli); + cli_shutdown(cli); + return NT_STATUS_UNSUCCESSFUL; + } + + nt_status = trust_pw_change_and_store_it(cli, cli->mem_ctx, orig_trust_passwd_hash); - cli_nt_session_close(cli); - cli_ulogoff(cli); - cli_shutdown(cli); - return nt_status; + cli_nt_session_close(cli); + cli_ulogoff(cli); + cli_shutdown(cli); + + return nt_status; } /************************************************************************ Change the trust account password for a domain. ************************************************************************/ -NTSTATUS change_trust_account_password( const char *domain, const char *remote_machine_list) +NTSTATUS change_trust_account_password( const char *domain, const char *remote_machine) { - fstring remote_machine; - unsigned char old_trust_passwd_hash[16]; - time_t lct; - NTSTATUS res = NT_STATUS_UNSUCCESSFUL; - - if(!secrets_fetch_trust_account_password(domain, old_trust_passwd_hash, &lct)) { - DEBUG(0,("change_trust_account_password: unable to read the machine \ -account password for domain %s.\n", domain)); - return NT_STATUS_UNSUCCESSFUL; - } - - while(remote_machine_list && - next_token(&remote_machine_list, remote_machine, - LIST_SEP, sizeof(remote_machine))) { - strupper(remote_machine); - if(strequal(remote_machine, "*")) { - - /* - * We have been asked to dynamcially determine the IP addresses of the PDC. - */ - - struct in_addr pdc_ip; - fstring dc_name; - - /* Use the PDC *only* for this. */ - if(!get_pdc_ip(domain, &pdc_ip)) - continue; - - /* - * Try and connect to the PDC/BDC list in turn as an IP - * address used as a string. 
- */ - - if(!lookup_dc_name(global_myname(), domain, &pdc_ip, dc_name)) - continue; - if(NT_STATUS_IS_OK(res = modify_trust_password( domain, dc_name, - old_trust_passwd_hash))) - break; - } else { - res = modify_trust_password( domain, remote_machine, - old_trust_passwd_hash); - } - - } - - if (!NT_STATUS_IS_OK(res)) { - DEBUG(0,("%s : change_trust_account_password: Failed to change password for \ -domain %s.\n", timestring(False), domain)); - } + unsigned char old_trust_passwd_hash[16]; + time_t lct; + NTSTATUS res = NT_STATUS_UNSUCCESSFUL; + struct in_addr pdc_ip; + fstring dc_name; + + + if(!secrets_fetch_trust_account_password(domain, old_trust_passwd_hash, &lct)) { + DEBUG(0,("change_trust_account_password: unable to read the machine account password for domain %s.\n", + domain)); + return NT_STATUS_UNSUCCESSFUL; + } + + if (remote_machine == NULL || !strcmp(remote_machine, "*")) { + /* Use the PDC *only* for this */ + + if ( !get_pdc_ip(domain, &pdc_ip) ) { + DEBUG(0,("Can't get IP for PDC for domain %s\n", domain)); + goto failed; + } + + if ( !lookup_dc_name(global_myname(), domain, &pdc_ip, dc_name) ) + goto failed; + } + /* supoport old deprecated "smbpasswd -j DOMAIN -r MACHINE" behavior */ + else { + fstrcpy( dc_name, remote_machine ); + } + + /* if this next call fails, then give up. We can't do + password changes on BDC's --jerry */ + + res = modify_trust_password(domain, dc_name, old_trust_passwd_hash); + +failed: + if (!NT_STATUS_IS_OK(res)) { + DEBUG(0,("%s : change_trust_account_password: Failed to change password for domain %s.\n", + timestring(False), domain)); + } - return res; + return res; } diff --git a/source3/smbd/process.c b/source3/smbd/process.c index c46c4c5509..3b0619b7d0 100644 --- a/source3/smbd/process.c +++ b/source3/smbd/process.c 
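Review bot: The `else` branch of change_trust_account_password() still passes any caller-supplied `remote_machine` to modify_trust_password() without checking that it is the PDC, so the "always use the PDC" rule holds only when the argument is NULL or "*". The argument is also no longer tokenised with next_token()/LIST_SEP, so a caller that still passes a `password server`-style list would have the whole string copied into `dc_name` by `fstrcpy` and used as a single host name; callers other than the one in process.c are not visible in this patch. The banner comment above the function should state the contract, for example `remote_machine: NULL or "*" to locate the PDC; otherwise one machine name (deprecated smbpasswd -r path), never a list`. Logging the chosen server just before the call, e.g. `DEBUG(3,("change_trust_account_password: contacting %s for domain %s\n", dc_name, domain));`, would let an administrator audit which host each trust password change was sent to.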
@@ -1175,9 +1175,9 @@ machine %s in domain %s.\n", global_myname(), lp_workgroup() )); return True; } - pstrcpy(remote_machine_list, lp_passwordserver()); - - change_trust_account_password( lp_workgroup(), remote_machine_list); + /* always just contact the PDC here */ + + change_trust_account_password( lp_workgroup(), NULL); global_machine_password_needs_changing = False; secrets_lock_trust_account_password(lp_workgroup(), False); } -- cgit
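Review bot: The NTSTATUS returned by `change_trust_account_password( lp_workgroup(), NULL)` is discarded, and `global_machine_password_needs_changing = False;` runs on the next line whatever the result. With the password-server list gone, a PDC that cannot be located or reached leaves the old machine password in place, and the only trace is the callee's DEBUG(0) message; whether anything re-arms the flag is decided outside this hunk. If a retry on a later pass is wanted, keep the status and clear the flag only on success, e.g. `if (NT_STATUS_IS_OK(change_trust_account_password(lp_workgroup(), NULL))) global_machine_password_needs_changing = False;`. The `remote_machine_list` buffer appears to be left unused by this change; its declaration, like the rest of the enclosing function, lies outside the hunk.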