From 54abd2aa66069e6baf7769c496f46d9dba18db39 Mon Sep 17 00:00:00 2001
From: Gerald Carter <jerry@samba.org>
Date: Fri, 30 Sep 2005 17:13:37 +0000
Subject: r10656: BIG merge from trunk.  Features not copied over

* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
---
 source3/libsmb/passchange.c | 66 +++++++++++++++++++++++++--------------------
 1 file changed, 37 insertions(+), 29 deletions(-)

(limited to 'source3/libsmb/passchange.c')

diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
index 8bce9c86a1..b104a4678d 100644
--- a/source3/libsmb/passchange.c
+++ b/source3/libsmb/passchange.c
@@ -21,16 +21,17 @@
 #include "includes.h"
 
 /*************************************************************
-change a password on a remote machine using IPC calls
+ Change a password on a remote machine using IPC calls.
 *************************************************************/
+
 BOOL remote_password_change(const char *remote_machine, const char *user_name, 
 			    const char *old_passwd, const char *new_passwd,
 			    char *err_str, size_t err_str_len)
 {
 	struct nmb_name calling, called;
 	struct cli_state cli;
+	struct rpc_pipe_client *pipe_hnd;
 	struct in_addr ip;
-	struct ntuser_creds creds;
 
 	NTSTATUS result;
 
@@ -85,11 +86,9 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
 			return False;
 		}
 
-		init_creds(&creds, "", "", NULL);
-		cli_init_creds(&cli, &creds);
+		cli_init_creds(&cli, "", "", NULL);
 	} else {
-		init_creds(&creds, user_name, "", old_passwd);
-		cli_init_creds(&cli, &creds);
+		cli_init_creds(&cli, user_name, "", old_passwd);
 	}
 
 	if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) {
@@ -99,14 +98,19 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
 		return False;
 	}
 
-	/* Try not to give the password away to easily */
+	/* Try not to give the password away too easily */
 
-	cli.pipe_auth_flags = AUTH_PIPE_NTLMSSP;
-	cli.pipe_auth_flags |= AUTH_PIPE_SIGN;
-	cli.pipe_auth_flags |= AUTH_PIPE_SEAL;
-	
-	if ( !cli_nt_session_open( &cli, PI_SAMR ) ) {
+	pipe_hnd = cli_rpc_pipe_open_ntlmssp(&cli,
+						PI_SAMR,
+						PIPE_AUTH_LEVEL_PRIVACY,
+						"", /* what domain... ? */
+						user_name,
+						old_passwd,
+						&result);
+
+	if (!pipe_hnd) {
 		if (lp_client_lanman_auth()) {
+			/* Use the old RAP method. */
 			if (!cli_oem_change_password(&cli, user_name, new_passwd, old_passwd)) {
 				slprintf(err_str, err_str_len-1, "machine %s rejected the password change: Error was : %s.\n",
 					 remote_machine, cli_errstr(&cli) );
@@ -114,14 +118,16 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
 				return False;
 			}
 		} else {
-			slprintf(err_str, err_str_len-1, "machine %s does not support SAMR connections, but LANMAN password changed are disabled\n",
-				 remote_machine);
+			slprintf(err_str, err_str_len-1,
+				"SAMR connection to machine %s failed. Error was %s, "
+				"but LANMAN password changed are disabled\n",
+				nt_errstr(result), remote_machine);
 			cli_shutdown(&cli);
 			return False;
 		}
 	}
 
-	if (NT_STATUS_IS_OK(result = cli_samr_chgpasswd_user(&cli, cli.mem_ctx, user_name, 
+	if (NT_STATUS_IS_OK(result = rpccli_samr_chgpasswd_user(pipe_hnd, cli.mem_ctx, user_name, 
 							     new_passwd, old_passwd))) {
 		/* Great - it all worked! */
 		cli_shutdown(&cli);
@@ -138,25 +144,25 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
 	}
 
 	/* OK, that failed, so try again... */
-	cli_nt_session_close(&cli);
+	cli_rpc_pipe_close(pipe_hnd);
 	
 	/* Try anonymous NTLMSSP... */
-	init_creds(&creds, "", "", NULL);
-	cli_init_creds(&cli, &creds);
+	cli_init_creds(&cli, "", "", NULL);
 	
-	cli.pipe_auth_flags = 0;
-
 	result = NT_STATUS_UNSUCCESSFUL;
 	
-	/* OK, this is ugly, but... */
-	if ( cli_nt_session_open( &cli, PI_SAMR ) 
-	     && NT_STATUS_IS_OK(result
-				= cli_samr_chgpasswd_user(&cli, cli.mem_ctx, user_name, 
-							  new_passwd, old_passwd))) {
+	/* OK, this is ugly, but... try an anonymous pipe. */
+	pipe_hnd = cli_rpc_pipe_open_noauth(&cli, PI_SAMR, &result);
+
+	if ( pipe_hnd &&
+		(NT_STATUS_IS_OK(result = rpccli_samr_chgpasswd_user(pipe_hnd,
+						cli.mem_ctx,
+						user_name, 
+						new_passwd,
+						old_passwd)))) {
 		/* Great - it all worked! */
 		cli_shutdown(&cli);
 		return True;
-
 	} else {
 		if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) 
 		      || NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) {
@@ -173,6 +179,7 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
 		   just might not support SAMR password changes, so fall back */
 		
 		if (lp_client_lanman_auth()) {
+			/* Use the old RAP method. */
 			if (cli_oem_change_password(&cli, user_name, new_passwd, old_passwd)) {
 				/* SAMR failed, but the old LanMan protocol worked! */
 
@@ -185,9 +192,10 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
 			cli_shutdown(&cli);
 			return False;
 		} else {
-			slprintf(err_str, err_str_len-1, 
-				 "machine %s does not support SAMR connections, but LANMAN password changed are disabled\n",
-				 remote_machine);
+			slprintf(err_str, err_str_len-1,
+				"SAMR connection to machine %s failed. Error was %s, "
+				"but LANMAN password changed are disabled\n",
+				nt_errstr(result), remote_machine);
 			cli_shutdown(&cli);
 			return False;
 		}
-- 
cgit