From 33c8a6779d490bd1aa722231a59a3b68343dbc17 Mon Sep 17 00:00:00 2001 From: Rafal Szczesniak Date: Fri, 14 Mar 2003 17:05:13 +0000 Subject: /tmp/newfun.msg (This used to be commit 3f4cb7b2c4d9b54b41bcc184ccfd00032e2b021b) --- source3/libsmb/trusts_util.c | 174 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 174 insertions(+) create mode 100644 source3/libsmb/trusts_util.c (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c new file mode 100644 index 0000000000..055851f6b7 --- /dev/null +++ b/source3/libsmb/trusts_util.c 
@@ -0,0 +1,174 @@ +/* + * Unix SMB/CIFS implementation. + * Routines to operate on various trust relationships + * Copyright (C) Andrew Bartlett 2001 + * Copyright (C) Rafal Szczesniak 2003 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "includes.h" + +/********************************************************* + Change the domain password on the PDC. + + Just changes the password betwen the two values specified. + + Caller must have the cli connected to the netlogon pipe + already. 
+**********************************************************/ +static NTSTATUS just_change_the_password(struct cli_state *cli, TALLOC_CTX *mem_ctx, + unsigned char orig_trust_passwd_hash[16], + unsigned char new_trust_passwd_hash[16]) +{ + NTSTATUS result; + uint32 neg_flags = 0x000001ff; + + result = cli_nt_setup_creds(cli, get_sec_chan(), orig_trust_passwd_hash, &neg_flags, 2); + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(1,("just_change_the_password: unable to setup creds (%s)!\n", + nt_errstr(result))); + return result; + } + + result = cli_net_srv_pwset(cli, mem_ctx, global_myname(), new_trust_passwd_hash); + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(0,("just_change_the_password: unable to change password (%s)!\n", + nt_errstr(result))); + } + return result; +} + +/********************************************************* + Change the domain password on the PDC. + Store the password ourselves, but use the supplied password + Caller must have already setup the connection to the NETLOGON pipe +**********************************************************/ + +NTSTATUS trust_pw_change_and_store_it(struct cli_state *cli, TALLOC_CTX *mem_ctx, + unsigned char orig_trust_passwd_hash[16]) +{ + unsigned char new_trust_passwd_hash[16]; + char *new_trust_passwd; + char *str; + NTSTATUS nt_status; + + /* Create a random machine account password */ + str = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH); + new_trust_passwd = talloc_strdup(mem_ctx, str); + + E_md4hash(new_trust_passwd, new_trust_passwd_hash); + + nt_status = just_change_the_password(cli, mem_ctx, orig_trust_passwd_hash, + new_trust_passwd_hash); + + if (NT_STATUS_IS_OK(nt_status)) { + DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n", + timestring(False))); + /* + * Return the result of trying to write the new password + * back into the trust account file. 
+ */ + if (!secrets_store_machine_password(new_trust_passwd)) { + nt_status = NT_STATUS_UNSUCCESSFUL; + } + } + + return nt_status; +} + +/********************************************************* + Change the domain password on the PDC. + Do most of the legwork ourselfs. Caller must have + already setup the connection to the NETLOGON pipe +**********************************************************/ + +NTSTATUS trust_pw_find_change_and_store_it(struct cli_state *cli, TALLOC_CTX *mem_ctx, + const char *domain) +{ + unsigned char old_trust_passwd_hash[16]; + char *up_domain; + + up_domain = talloc_strdup(mem_ctx, domain); + + if (!secrets_fetch_trust_account_password(domain, + old_trust_passwd_hash, + NULL)) { + DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain)); + return NT_STATUS_UNSUCCESSFUL; + } + + return trust_pw_change_and_store_it(cli, mem_ctx, old_trust_passwd_hash); + +} + + +/** + * Verify whether or not given domain is trusted. + * + * @param domain_name name of the domain to be verified + * @return true if domain is one of the trusted once or + * false if otherwise + **/ + +BOOL is_trusted_domain(const char* dom_name) +{ + int enum_ctx = 0; + const int trustdom_size = 10; + int num_domains, i; + TRUSTDOM **domains; + NTSTATUS result; + fstring trustdom_name; + DOM_SID trustdom_sid; + TALLOC_CTX *mem_ctx; + + /* + * Query the secrets db as an ultimate source of information + * about trusted domain names. This is PDC or BDC case. 
+ */ + mem_ctx = talloc_init("is_trusted_domain"); + + do { + result = secrets_get_trusted_domains(mem_ctx, &enum_ctx, trustdom_size, + &num_domains, &domains); + /* compare each returned entry against incoming connection's domain */ + for (i = 0; i < num_domains; i++) { + pull_ucs2_fstring(trustdom_name, domains[i]->name); + if (strequal(trustdom_name, dom_name)) { + talloc_destroy(mem_ctx); + return True; + } + } + } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)); + + /* + * Query the trustdom_cache updated periodically. The only + * way for domain member server. + */ + if (trustdom_cache_enable() && + trustdom_cache_fetch(dom_name, &trustdom_sid)) { + trustdom_cache_shutdown(); + return True; + } + + /* + * if nothing's been found, then give up here, although + * the last resort might be to query the PDC. + */ + return False; +} + -- cgit From 02704f973347f05af5ebcb0d4a494a6102199536 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 15 Mar 2003 08:18:29 +0000 Subject: Minor fixes. - signed/unsigned - quieten warning about assignment as truth value - whitespace Andrew Bartlett (This used to be commit a13ce0df4b4a776fa635a1fb804dd00d195f58d0) --- source3/libsmb/trusts_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 055851f6b7..f7b2c2e3a6 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -152,9 +152,9 @@ BOOL is_trusted_domain(const char* dom_name) talloc_destroy(mem_ctx); return True; } - } + } } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)); - + /* * Query the trustdom_cache updated periodically. The only * way for domain member server. -- cgit From 0ab29d6186135bd66c4154b545ac8323232a6f2e Mon Sep 17 00:00:00 2001 
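Review bot: In trust_pw_change_and_store_it the result of `talloc_strdup(mem_ctx, str)` is never checked, so on allocation failure `E_md4hash` is handed a NULL password; add `if (!new_trust_passwd) return NT_STATUS_NO_MEMORY;` directly after the strdup. The new cleartext machine password also lives on in the talloc context and in whatever buffer `generate_random_str` returned (its ownership is not visible here), and `new_trust_passwd_hash` stays on the stack after the call returns; since both are password-equivalent credentials, clearing them before leaving the function is worth the two extra lines. Separately, the loop in is_trusted_domain walks `num_domains` entries without looking at `result` first, so a failed `secrets_get_trusted_domains` call that leaves `num_domains` untouched iterates over an uninitialized count; check `result` before the `for`.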
From: Andrew Bartlett Date: Mon, 17 Mar 2003 04:42:57 +0000 Subject: Fix a memory leak - 'smbcontrol smbd pool-usage' is your freind! Andrew Bartlett (This used to be commit a12e8524997e329a4f4cd766d6371e384698795a) --- source3/libsmb/trusts_util.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index f7b2c2e3a6..b8f84ba890 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -155,6 +155,8 @@ BOOL is_trusted_domain(const char* dom_name) } } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)); + talloc_destroy(mem_ctx); + /* * Query the trustdom_cache updated periodically. The only * way for domain member server. -- cgit From 2cb0b91ed19c0fbbc3bfb1b5a35c6af2acf5b5d7 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 16 Apr 2003 10:20:14 +0000 Subject: Store the type of 'sec channel' that we establish to the DC. If we are a workstation, we have to use the workstation type, if we have a BDC account, we must use the BDC type - even if we are pretending to be a workstation at the moment. Also actually store and retreive the last change time, so we can do periodic password changes again (for RPC at least). And finally, a couple of minor fixes to 'net'. Andrew Bartlett (This used to be commit 6e6b7b79edae3efd0197651e9a8ce6775c001cf2) --- source3/libsmb/trusts_util.c | 65 ++++++++++++++++++++------------------------ 1 file changed, 29 insertions(+), 36 deletions(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index b8f84ba890..d5a02bb625 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c 
@@ -31,12 +31,13 @@ **********************************************************/ static NTSTATUS just_change_the_password(struct cli_state *cli, TALLOC_CTX *mem_ctx, unsigned char orig_trust_passwd_hash[16], - unsigned char new_trust_passwd_hash[16]) + unsigned char new_trust_passwd_hash[16], + uint32 sec_channel_type) { NTSTATUS result; uint32 neg_flags = 0x000001ff; - result = cli_nt_setup_creds(cli, get_sec_chan(), orig_trust_passwd_hash, &neg_flags, 2); + result = cli_nt_setup_creds(cli, sec_channel_type, orig_trust_passwd_hash, &neg_flags, 2); if (!NT_STATUS_IS_OK(result)) { DEBUG(1,("just_change_the_password: unable to setup creds (%s)!\n", @@ -60,7 +61,9 @@ static NTSTATUS just_change_the_password(struct cli_state *cli, TALLOC_CTX *mem_ **********************************************************/ NTSTATUS trust_pw_change_and_store_it(struct cli_state *cli, TALLOC_CTX *mem_ctx, - unsigned char orig_trust_passwd_hash[16]) + const char *domain, + unsigned char orig_trust_passwd_hash[16], + uint32 sec_channel_type) { unsigned char new_trust_passwd_hash[16]; char *new_trust_passwd; @@ -74,7 +77,7 @@ NTSTATUS trust_pw_change_and_store_it(struct cli_state *cli, TALLOC_CTX *mem_ctx E_md4hash(new_trust_passwd, new_trust_passwd_hash); nt_status = just_change_the_password(cli, mem_ctx, orig_trust_passwd_hash, - new_trust_passwd_hash); + new_trust_passwd_hash, sec_channel_type); if (NT_STATUS_IS_OK(nt_status)) { DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n", @@ -83,7 +86,7 @@ NTSTATUS trust_pw_change_and_store_it(struct cli_state *cli, TALLOC_CTX *mem_ctx * Return the result of trying to write the new password * back into the trust account file. */ - if (!secrets_store_machine_password(new_trust_passwd)) { + if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) { nt_status = NT_STATUS_UNSUCCESSFUL; } } 
@@ -97,22 +100,26 @@ NTSTATUS trust_pw_change_and_store_it(struct cli_state *cli, TALLOC_CTX *mem_ctx already setup the connection to the NETLOGON pipe **********************************************************/ -NTSTATUS trust_pw_find_change_and_store_it(struct cli_state *cli, TALLOC_CTX *mem_ctx, +NTSTATUS trust_pw_find_change_and_store_it(struct cli_state *cli, + TALLOC_CTX *mem_ctx, const char *domain) { unsigned char old_trust_passwd_hash[16]; char *up_domain; - + uint32 sec_channel_type = 0; + up_domain = talloc_strdup(mem_ctx, domain); if (!secrets_fetch_trust_account_password(domain, old_trust_passwd_hash, - NULL)) { + NULL, &sec_channel_type)) { DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain)); return NT_STATUS_UNSUCCESSFUL; } - return trust_pw_change_and_store_it(cli, mem_ctx, old_trust_passwd_hash); + return trust_pw_change_and_store_it(cli, mem_ctx, domain, + old_trust_passwd_hash, + sec_channel_type); } 
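Review bot: `old_trust_passwd_hash` holds the current machine-account NT hash, a password-equivalent credential, and is left on the stack after trust_pw_change_and_store_it returns; capture the status, clear the buffer, then return: `nt_status = trust_pw_change_and_store_it(cli, mem_ctx, domain, old_trust_passwd_hash, sec_channel_type);`, `memset(old_trust_passwd_hash, 0, sizeof(old_trust_passwd_hash));`, `return nt_status;`. A plain memset immediately before return can be optimized away, so if the tree has a guaranteed-clear helper prefer that over memset. The same applies to `new_trust_passwd_hash` in the callee, which is outside this hunk.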
@@ -127,35 +134,21 @@ NTSTATUS trust_pw_find_change_and_store_it(struct cli_state *cli, TALLOC_CTX *me BOOL is_trusted_domain(const char* dom_name) { - int enum_ctx = 0; - const int trustdom_size = 10; - int num_domains, i; - TRUSTDOM **domains; - NTSTATUS result; - fstring trustdom_name; DOM_SID trustdom_sid; - TALLOC_CTX *mem_ctx; - - /* - * Query the secrets db as an ultimate source of information - * about trusted domain names. This is PDC or BDC case. - */ - mem_ctx = talloc_init("is_trusted_domain"); - - do { - result = secrets_get_trusted_domains(mem_ctx, &enum_ctx, trustdom_size, - &num_domains, &domains); - /* compare each returned entry against incoming connection's domain */ - for (i = 0; i < num_domains; i++) { - pull_ucs2_fstring(trustdom_name, domains[i]->name); - if (strequal(trustdom_name, dom_name)) { - talloc_destroy(mem_ctx); - return True; - } - } - } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES)); + char *pass = NULL; + time_t lct; + BOOL ret; - talloc_destroy(mem_ctx); + if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC) { + /* + * Query the secrets db as an ultimate source of information + * about trusted domain names. This is PDC or BDC case. + */ + ret = secrets_fetch_trusted_domain_password(dom_name, &pass, &trustdom_sid, &lct); + SAFE_FREE(pass); + if (ret) + return ret; + } /* * Query the trustdom_cache updated periodically. The only -- cgit From aa79f23d9ba93e976781ae484639a321268c8705 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 1 May 2003 02:51:49 +0000 Subject: Turn down some DEBUG()s and remove some duplicate code spotted by dfenwick. Andrew Bartlett (This used to be commit 542a8b1817d3930e03e08e16e9711cacceb6df61) --- source3/libsmb/trusts_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index d5a02bb625..6244c844f2 100644 --- a/source3/libsmb/trusts_util.c 
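Review bot: `secrets_fetch_trusted_domain_password` is called only to learn whether a trust entry exists, yet it hands back the cleartext trust password in `pass`, which `SAFE_FREE` releases without clearing, so the secret stays readable in freed heap for the life of the process. Either use a lookup that does not return the password, or wipe it first: `if (pass) memset(pass, 0, strlen(pass));` before `SAFE_FREE(pass);` (a guaranteed-clear helper is better than memset if the tree has one). `trustdom_sid` and `lct` are filled and then ignored, which is fine but deserves a one-line comment so nobody later "fixes" the unused outputs.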
+++ b/source3/libsmb/trusts_util.c @@ -40,7 +40,7 @@ static NTSTATUS just_change_the_password(struct cli_state *cli, TALLOC_CTX *mem_ result = cli_nt_setup_creds(cli, sec_channel_type, orig_trust_passwd_hash, &neg_flags, 2); if (!NT_STATUS_IS_OK(result)) { - DEBUG(1,("just_change_the_password: unable to setup creds (%s)!\n", + DEBUG(3,("just_change_the_password: unable to setup creds (%s)!\n", nt_errstr(result))); return result; } -- cgit From 46d106f2eb03e88b29e33e15d103b5e01ee3ff7e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 8 Jun 2003 12:51:31 +0000 Subject: Fix some memory leaks and extra cache startups/shutdowns from the trusted domains lookup code. Andrew Bartlett (This used to be commit 0ec1b1207041a3b6050046ba6d7b466dd4fcf341) --- source3/libsmb/trusts_util.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 6244c844f2..e0c5e79595 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -154,9 +154,7 @@ BOOL is_trusted_domain(const char* dom_name) * Query the trustdom_cache updated periodically. The only * way for domain member server. */ - if (trustdom_cache_enable() && - trustdom_cache_fetch(dom_name, &trustdom_sid)) { - trustdom_cache_shutdown(); + if (trustdom_cache_fetch(dom_name, &trustdom_sid)) { return True; } -- cgit From e359dbcedb53b03df79140c30ecfdfdbcb904595 Mon Sep 17 00:00:00 2001 
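Review bot: The rewritten condition calls `trustdom_cache_fetch` without the `trustdom_cache_enable()` guard that preceded it, and whether the fetch opens the cache on its own is not visible from this hunk; if it does not, is_trusted_domain now fails closed for every domain member, which is safe but silently breaks trusted-domain logons. If the fetch is self-initialising, a comment at the call site saying so, `/* trustdom_cache_fetch() opens the cache itself; no enable/shutdown pair needed */`, settles it for the next reader.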
From: Gerald Carter Date: Mon, 30 Jun 2003 20:45:14 +0000 Subject: * cleanup more DC name resolution issues in check_*domain_security() * is_trusted_domain() is broken without winbind. Still working on this. * get_global_sam_name() should return the workgroup name unless we are a standalone server (verified by volker) * Get_Pwnam() should always fall back to the username (minus domain name) even if it is not our workgroup so that TRUSTEDOMAIN\user can logon if 'user' exists in the local list of accounts (on domain members w/o winbind) Tested using Samba PDC with trusts (running winbindd) and a Samba 3.0 domain member not running winbindd. notes: make_user_info_map() is slightly broken now due to the fact that is_trusted_domain() only works with winbindd. disabled checks temporarily until I can sort this out. (This used to be commit e1d6094d066d4c16ab73075caba40a1ae6c56b1e) --- source3/libsmb/trusts_util.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index e0c5e79595..569b0521be 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -153,8 +153,16 @@ BOOL is_trusted_domain(const char* dom_name) /* * Query the trustdom_cache updated periodically. The only * way for domain member server. + * + * Sure...it's all fun and games until someone gets hurt... + * This call cannot work without winbindd running since it + * is the only process updating the cache currently. + * + * FIXME!!! make this always true for now until I figure + * out what to do --jerry */ - if (trustdom_cache_fetch(dom_name, &trustdom_sid)) { + + if (True || trustdom_cache_fetch(dom_name, &trustdom_sid)) { return True; } -- cgit From db6ce132e360a42ea6843c81429be194662fce39 Mon Sep 17 00:00:00 2001 
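Review bot: `if (True || trustdom_cache_fetch(dom_name, &trustdom_sid))` makes is_trusted_domain answer True for every domain name on any server that is not a PDC/BDC, and the fetch call itself becomes dead code; the commit message says caller-side checks were disabled to compensate, but this function is still exported and any other caller treating its answer as an authorization signal now gets an unconditional yes. A temporary short-circuit in a trust predicate should not ship as a bare `True ||`; keep the real condition and make the winbindd dependency explicit at the call site, or at minimum gate the bypass on a build-time define with the FIXME attached to that define. If it must stay, the comment should list which callers are known to be safe with an always-true answer.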
From: Gerald Carter Date: Tue, 1 Jul 2003 03:49:41 +0000 Subject: * fix the trustdom_cache to work when winbindd is not running. smbd will update the trustdom_cache periodically after locking the timestamp key (This used to be commit 7bc4b65b91f98271089335cc301146d5f0c76c3a) --- source3/libsmb/trusts_util.c | 100 +++++++++++++++++++++++++++++++++---------- 1 file changed, 78 insertions(+), 22 deletions(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 569b0521be..464a3324c1 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c 
@@ -123,6 +123,71 @@ NTSTATUS trust_pw_find_change_and_store_it(struct cli_state *cli, } +/********************************************************************* + Enumerate the list of trusted domains from a DC +*********************************************************************/ + +BOOL enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain, + char ***domain_names, uint32 *num_domains, + DOM_SID **sids ) +{ + POLICY_HND pol; + NTSTATUS result = NT_STATUS_UNSUCCESSFUL; + fstring dc_name; + struct in_addr dc_ip; + uint32 enum_ctx = 0; + struct cli_state *cli = NULL; + BOOL retry; + + *domain_names = NULL; + *num_domains = 0; + *sids = NULL; + + /* lookup a DC first */ + + if ( !get_dc_name(domain, dc_name, &dc_ip) ) { + DEBUG(3,("enumerate_domain_trusts: can't locate a DC for domain %s\n", + domain)); + return False; + } + + /* setup the anonymous connection */ + + result = cli_full_connection( &cli, global_myname(), dc_name, &dc_ip, 0, "IPC$", "IPC", + "", "", "", 0, &retry); + if ( !NT_STATUS_IS_OK(result) ) + goto done; + + /* open the LSARPC_PIPE */ + + if ( !cli_nt_session_open( cli, PI_LSARPC ) ) { + result = NT_STATUS_UNSUCCESSFUL; + goto done; + } + + /* get a handle */ + + result = cli_lsa_open_policy(cli, mem_ctx, True, + POLICY_VIEW_LOCAL_INFORMATION, &pol); + if ( !NT_STATUS_IS_OK(result) ) + goto done; + + /* Lookup list of trusted domains */ + + result = cli_lsa_enum_trust_dom(cli, mem_ctx, &pol, &enum_ctx, + num_domains, domain_names, sids); + if ( !NT_STATUS_IS_OK(result) ) + goto done; + +done: + /* cleanup */ + + cli_nt_session_close( cli ); + cli_shutdown( cli ); + + return NT_STATUS_IS_OK(result); +} + /** * Verify whether or not given domain is trusted. 
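Review bot: `cli_lsa_enum_trust_dom` is issued exactly once with `enum_ctx = 0` and anything other than NT_STATUS_OK is treated as failure, so if the DC pages the result (the earlier is_trusted_domain code in this file looped on `STATUS_MORE_ENTRIES` for the same kind of enumeration) a DC with many trusts would make this return False with partially filled `domain_names`/`sids`, indistinguishable to callers from a real error. Either loop on `enum_ctx` while `STATUS_MORE_ENTRIES` comes back (how the output arrays accumulate across calls is not visible here, so confirm that first) or document that only the first page is used. The policy handle from `cli_lsa_open_policy` is also never released with a `cli_lsa_close` before `cli_shutdown`, and the final `if ( !NT_STATUS_IS_OK(result) ) goto done;` immediately before `done:` is a no-op. Everything learned here arrives over an anonymous, unauthenticated session to whichever host `get_dc_name` resolves, so the list should be treated as unverified input by whatever consumes it.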
@@ -139,37 +204,28 @@ BOOL is_trusted_domain(const char* dom_name) time_t lct; BOOL ret; + /* if we are a DC, then check for a direct trust relationships */ + if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC) { - /* - * Query the secrets db as an ultimate source of information - * about trusted domain names. This is PDC or BDC case. - */ ret = secrets_fetch_trusted_domain_password(dom_name, &pass, &trustdom_sid, &lct); SAFE_FREE(pass); if (ret) - return ret; + return True; } + + /* if winbindd is not up then we need to update the trustdom_cache ourselves */ - /* - * Query the trustdom_cache updated periodically. The only - * way for domain member server. - * - * Sure...it's all fun and games until someone gets hurt... - * This call cannot work without winbindd running since it - * is the only process updating the cache currently. - * - * FIXME!!! make this always true for now until I figure - * out what to do --jerry - */ - - if (True || trustdom_cache_fetch(dom_name, &trustdom_sid)) { + if ( !winbind_ping() ) + update_trustdom_cache(); + + /* now the trustdom cache should be available a DC could still + * have a transitive trust so fall back to the cache of trusted + * domains (like a domain member would use */ + + if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) { return True; } - /* - * if nothing's been found, then give up here, although - * the last resort might be to query the PDC. - */ return False; } -- cgit From 814968d41b04fd6a3e889039d227ed6abb429ae2 Mon Sep 17 00:00:00 2001 
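Review bot: The new `if ( !winbind_ping() ) update_trustdom_cache();` path performs a DC lookup and an anonymous RPC enumeration synchronously inside a predicate that, per the earlier comment in this file, is evaluated against the incoming connection's domain name, so whenever winbindd is down an unauthenticated client can trigger that network round trip on every request simply by naming an unknown domain. The return value of `update_trustdom_cache()` is also ignored, so a failed refresh and a genuinely untrusted domain both end as False with nothing logged. If the update already throttles on the timestamp key the commit message mentions, say so here, `/* update_trustdom_cache() is rate-limited by the cache timestamp; safe to call per request */`; otherwise the refresh belongs in the periodic path rather than the per-connection check.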
From: Gerald Carter Date: Tue, 1 Jul 2003 17:51:52 +0000 Subject: * fixed volker's wbinfo -a lockup again. This one was my fault. It was caused by the winbind_ping() call in is_trusted_domain() o if we are a DC then we check our own direct trust relationships we have to rely on winbindd to update the truatdom_cache o if we are a domain member, then we can update the trustdom_cache ourselves if winbindd is not there (This used to be commit 22dfcafb37f7109dc455f4fb6323a25ba4f097bc) --- source3/libsmb/trusts_util.c | 79 +++++++++++--------------------------------- 1 file changed, 19 insertions(+), 60 deletions(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 464a3324c1..77e63709aa 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -1,4 +1,4 @@ -/* +/* * Unix SMB/CIFS implementation. * Routines to operate on various trust relationships * Copyright (C) Andrew Bartlett 2001 @@ -127,8 +127,8 @@ NTSTATUS trust_pw_find_change_and_store_it(struct cli_state *cli, Enumerate the list of trusted domains from a DC *********************************************************************/ -BOOL enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain, - char ***domain_names, uint32 *num_domains, +BOOL enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain, + char ***domain_names, uint32 *num_domains, DOM_SID **sids ) { POLICY_HND pol; 
@@ -138,36 +138,36 @@ BOOL enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain, uint32 enum_ctx = 0; struct cli_state *cli = NULL; BOOL retry; - + *domain_names = NULL; *num_domains = 0; *sids = NULL; - + /* lookup a DC first */ - + if ( !get_dc_name(domain, dc_name, &dc_ip) ) { DEBUG(3,("enumerate_domain_trusts: can't locate a DC for domain %s\n", domain)); return False; } - + /* setup the anonymous connection */ - - result = cli_full_connection( &cli, global_myname(), dc_name, &dc_ip, 0, "IPC$", "IPC", + + result = cli_full_connection( &cli, global_myname(), dc_name, &dc_ip, 0, "IPC$", "IPC", "", "", "", 0, &retry); if ( !NT_STATUS_IS_OK(result) ) goto done; - + /* open the LSARPC_PIPE */ - + if ( !cli_nt_session_open( cli, PI_LSARPC ) ) { result = NT_STATUS_UNSUCCESSFUL; goto done; } - + /* get a handle */ - - result = cli_lsa_open_policy(cli, mem_ctx, True, + + result = cli_lsa_open_policy(cli, mem_ctx, True, POLICY_VIEW_LOCAL_INFORMATION, &pol); if ( !NT_STATUS_IS_OK(result) ) goto done; 
@@ -176,56 +176,15 @@ BOOL enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain, result = cli_lsa_enum_trust_dom(cli, mem_ctx, &pol, &enum_ctx, num_domains, domain_names, sids); - if ( !NT_STATUS_IS_OK(result) ) + if ( !NT_STATUS_IS_OK(result) ) goto done; - -done: + +done: /* cleanup */ - + cli_nt_session_close( cli ); cli_shutdown( cli ); - - return NT_STATUS_IS_OK(result); -} - - -/** - * Verify whether or not given domain is trusted. - * - * @param domain_name name of the domain to be verified - * @return true if domain is one of the trusted once or - * false if otherwise - **/ - -BOOL is_trusted_domain(const char* dom_name) -{ - DOM_SID trustdom_sid; - char *pass = NULL; - time_t lct; - BOOL ret; - /* if we are a DC, then check for a direct trust relationships */ - - if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC) { - ret = secrets_fetch_trusted_domain_password(dom_name, &pass, &trustdom_sid, &lct); - SAFE_FREE(pass); - if (ret) - return True; - } - - /* if winbindd is not up then we need to update the trustdom_cache ourselves */ - - if ( !winbind_ping() ) - update_trustdom_cache(); - - /* now the trustdom cache should be available a DC could still - * have a transitive trust so fall back to the cache of trusted - * domains (like a domain member would use */ - - if ( trustdom_cache_fetch(dom_name, &trustdom_sid) ) { - return True; - } - - return False; + return NT_STATUS_IS_OK(result); } -- cgit From 29ca70cd34d3ba927ea1a9915ebd247f64965bd5 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 30 Jul 2003 23:49:29 +0000 Subject: Add a command line option (-S on|off|required) to enable signing on client connections. Overrides smb.conf parameter if set. Jeremy. (This used to be commit 879309671df6b530e0bff69559422a417da4a307) --- source3/libsmb/trusts_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/trusts_util.c') 
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 77e63709aa..610f4b3c03 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -154,7 +154,7 @@ BOOL enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain, /* setup the anonymous connection */ result = cli_full_connection( &cli, global_myname(), dc_name, &dc_ip, 0, "IPC$", "IPC", - "", "", "", 0, &retry); + "", "", "", 0, Undefined, &retry); if ( !NT_STATUS_IS_OK(result) ) goto done; -- cgit From f1be3a5c5defc2df94550b90b7dd2ed4ab0cb1f2 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 19 Aug 2003 22:47:10 +0000 Subject: - Make 'net' use a single funciton for setting the 'use machine account' code. - Make winbindd try to use kerberos for connections to DCs, so that it can access RA=2 servers, particularly for netlogon. - Make rpcclient follow the new flags for the NETLOGON pipe - Make all the code that uses schannel use the centralised functions for doing so. Andrew Bartlett (This used to be commit 96b4187963cedcfe158ff02868929b8cf81c6ebf) --- source3/libsmb/trusts_util.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 610f4b3c03..4e02b29f92 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c 
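Review bot: The added `Undefined` signing argument lets this connection inherit the smb.conf client signing setting, but the session is anonymous (empty user, password and domain a few arguments earlier), and an anonymous session has no session key to sign with, so the trust list still arrives unauthenticated whatever the setting resolves to. That is acceptable for a best-effort cache fill but should not be mistaken for an integrity guarantee; a comment on the call, `/* anonymous session: signing cannot authenticate the peer; treat results as untrusted input */`, makes that explicit. enumerate_domain_trusts continues outside this hunk.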
@@ -35,16 +35,15 @@ static NTSTATUS just_change_the_password(struct cli_state *cli, TALLOC_CTX *mem_ uint32 sec_channel_type) { NTSTATUS result; - uint32 neg_flags = 0x000001ff; - result = cli_nt_setup_creds(cli, sec_channel_type, orig_trust_passwd_hash, &neg_flags, 2); - - if (!NT_STATUS_IS_OK(result)) { + /* ensure that schannel uses the right domain */ + fstrcpy(cli->domain, lp_workgroup()); + if (! NT_STATUS_IS_OK(result = cli_nt_establish_netlogon(cli, sec_channel_type, orig_trust_passwd_hash))) { DEBUG(3,("just_change_the_password: unable to setup creds (%s)!\n", nt_errstr(result))); return result; } - + result = cli_net_srv_pwset(cli, mem_ctx, global_myname(), new_trust_passwd_hash); if (!NT_STATUS_IS_OK(result)) { -- cgit From eb268003f4282849bc03dae4f6fc27a9bec852ba Mon Sep 17 00:00:00 2001 From: Tim Potter Date: Tue, 16 Sep 2003 03:54:42 +0000 Subject: Applied Steve Langasek's patch for bug #450. (This used to be commit e3cb0cd0d60d90a76e5f74d5bda702148584ab30) --- source3/libsmb/trusts_util.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 4e02b29f92..c18641bc84 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -180,9 +180,10 @@ BOOL enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain, done: /* cleanup */ - - cli_nt_session_close( cli ); - cli_shutdown( cli ); + if (cli) { + cli_nt_session_close( cli ); + cli_shutdown( cli ); + } return NT_STATUS_IS_OK(result); } -- cgit From 4f65a3bd0356dfbf295418790b795f1774d6c520 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sat, 22 Nov 2003 06:15:28 +0000 Subject: adding a useful debug (This used to be commit e374ce779efaec001c1476e0710ceaa9c3b84e8d) --- source3/libsmb/trusts_util.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source3/libsmb/trusts_util.c') 
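Review bot: The schannel setup now hard-codes `fstrcpy(cli->domain, lp_workgroup());` while the callers in this file (trust_pw_change_and_store_it, trust_pw_find_change_and_store_it) take an explicit `domain` argument that is later stored alongside the new password, so if a caller ever passes a domain other than the local workgroup the credential chain authenticates to one domain and stores the result under another. Passing `domain` down to just_change_the_password and using it here, or at least rejecting the mismatch in the caller with `if (!strequal(domain, lp_workgroup())) return NT_STATUS_UNSUCCESSFUL;`, keeps the two in step. The `if (! NT_STATUS_IS_OK(result = cli_nt_establish_netlogon(...)))` form also buries the assignment the "assignment as truth value" cleanup earlier on this page was quieting; `result = cli_nt_establish_netlogon(cli, sec_channel_type, orig_trust_passwd_hash);` followed by `if (!NT_STATUS_IS_OK(result)) {` reads more clearly.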
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index c18641bc84..2c6eb1b55a 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -181,6 +181,7 @@ BOOL enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain, done: /* cleanup */ if (cli) { + DEBUG(10,("enumerate_domain_trusts: shutting down connection...\n")); cli_nt_session_close( cli ); cli_shutdown( cli ); } -- cgit From 5dff713735627288d69b55afeb540582a5b33d1a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 28 Dec 2003 09:57:29 +0000 Subject: Shutting down the connection closes outstanding sessions, so we don't need to do it twice... Amdrew Bartlett (This used to be commit 8f9a069c59cbd357cbef8814764c10f6d8b6e6e8) --- source3/libsmb/trusts_util.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 2c6eb1b55a..7c1000b9a5 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -182,7 +182,6 @@ done: /* cleanup */ if (cli) { DEBUG(10,("enumerate_domain_trusts: shutting down connection...\n")); - cli_nt_session_close( cli ); cli_shutdown( cli ); } -- cgit From a7f8c26d24b78dc6a0f829cf7b53112e5ddbdeda Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 5 Jan 2004 04:10:28 +0000 Subject: Change our Domain controller lookup routines to more carefully seperate DNS names (realms) from NetBIOS domain names. Until now, we would experience delays as we broadcast lookups for DNS names onto the local network segments. Now if DNS comes back negative, we fall straight back to looking up the short name. Andrew Bartlett (This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6) --- source3/libsmb/trusts_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 7c1000b9a5..b420e4fa08 100644 
--- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -144,7 +144,7 @@ BOOL enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain, /* lookup a DC first */ - if ( !get_dc_name(domain, dc_name, &dc_ip) ) { + if ( !get_dc_name(domain, NULL, dc_name, &dc_ip) ) { DEBUG(3,("enumerate_domain_trusts: can't locate a DC for domain %s\n", domain)); return False; -- cgit From 1d08b9013a67184b0ecfe8b013926128719b68a6 Mon Sep 17 00:00:00 2001 From: Derrell Lipman Date: Tue, 19 Apr 2005 19:23:49 +0000 Subject: r6392: - Fixes bug 2564: when smbc_opendir() was called with a file rather than a directory, the errno returned could end up as ENOENT rather than ENOTDIR. - Fixes some compiler warnings which showed up on IRIX, as reported by James Peach. (This used to be commit 615a62b21f8d2f7f97bde2f166ddd6849d39b95c) --- source3/libsmb/trusts_util.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index b420e4fa08..aab0d7d151 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -104,11 +104,8 @@ NTSTATUS trust_pw_find_change_and_store_it(struct cli_state *cli, const char *domain) { unsigned char old_trust_passwd_hash[16]; - char *up_domain; uint32 sec_channel_type = 0; - up_domain = talloc_strdup(mem_ctx, domain); - if (!secrets_fetch_trust_account_password(domain, old_trust_passwd_hash, NULL, &sec_channel_type)) { -- cgit From 54abd2aa66069e6baf7769c496f46d9dba18db39 Mon Sep 17 00:00:00 2001 
From: Gerald Carter Date: Fri, 30 Sep 2005 17:13:37 +0000 Subject: r10656: BIG merge from trunk. Features not copied over * \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3) --- source3/libsmb/trusts_util.c | 47 ++++++++++++++++++++++++++++---------------- 1 file changed, 30 insertions(+), 17 deletions(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index aab0d7d151..50fa613e72 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c 
@@ -29,22 +29,36 @@ Caller must have the cli connected to the netlogon pipe already. **********************************************************/ -static NTSTATUS just_change_the_password(struct cli_state *cli, TALLOC_CTX *mem_ctx, + +static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, unsigned char orig_trust_passwd_hash[16], unsigned char new_trust_passwd_hash[16], uint32 sec_channel_type) { NTSTATUS result; - /* ensure that schannel uses the right domain */ - fstrcpy(cli->domain, lp_workgroup()); - if (! NT_STATUS_IS_OK(result = cli_nt_establish_netlogon(cli, sec_channel_type, orig_trust_passwd_hash))) { - DEBUG(3,("just_change_the_password: unable to setup creds (%s)!\n", - nt_errstr(result))); - return result; + /* Check if the netlogon pipe is open using schannel. If so we + already have valid creds. If not we must set them up. */ + + if (cli->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) { + uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; + + result = rpccli_netlogon_setup_creds(cli, + cli->cli->desthost, + lp_workgroup(), + global_myname(), + orig_trust_passwd_hash, + sec_channel_type, + &neg_flags); + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(3,("just_change_the_password: unable to setup creds (%s)!\n", + nt_errstr(result))); + return result; + } } - - result = cli_net_srv_pwset(cli, mem_ctx, global_myname(), new_trust_passwd_hash); + + result = rpccli_net_srv_pwset(cli, mem_ctx, global_myname(), new_trust_passwd_hash); if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("just_change_the_password: unable to change password (%s)!\n", 
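Review bot: When the pipe is already schannel-bound the new branch skips rpccli_netlogon_setup_creds entirely, so `orig_trust_passwd_hash` is silently ignored and whatever credentials `cli` already carries are used to authorise the password change; the function header above ("Caller must have the cli connected to the netlogon pipe already") does not say this. Suggest adding to that header `/* If cli is already bound with schannel, orig_trust_passwd_hash is not used: the existing credential chain is trusted as-is. */`. The credentials are also always set up against `lp_workgroup()` even though the exported callers take a `domain` parameter, which is only correct while this path serves the primary domain; a one-line comment stating that assumption would help. The rest of just_change_the_password, including the result check, continues past the end of the hunk.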
@@ -59,7 +73,7 @@ static NTSTATUS just_change_the_password(struct cli_state *cli, TALLOC_CTX *mem_ Caller must have already setup the connection to the NETLOGON pipe **********************************************************/ -NTSTATUS trust_pw_change_and_store_it(struct cli_state *cli, TALLOC_CTX *mem_ctx, +NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, const char *domain, unsigned char orig_trust_passwd_hash[16], uint32 sec_channel_type) @@ -99,7 +113,7 @@ NTSTATUS trust_pw_change_and_store_it(struct cli_state *cli, TALLOC_CTX *mem_ctx already setup the connection to the NETLOGON pipe **********************************************************/ -NTSTATUS trust_pw_find_change_and_store_it(struct cli_state *cli, +NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, const char *domain) { @@ -116,7 +130,6 @@ NTSTATUS trust_pw_find_change_and_store_it(struct cli_state *cli, return trust_pw_change_and_store_it(cli, mem_ctx, domain, old_trust_passwd_hash, sec_channel_type); - } /********************************************************************* @@ -133,6 +146,7 @@ BOOL enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain, struct in_addr dc_ip; uint32 enum_ctx = 0; struct cli_state *cli = NULL; + struct rpc_pipe_client *lsa_pipe; BOOL retry; *domain_names = NULL; 
@@ -156,21 +170,21 @@ BOOL enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain, /* open the LSARPC_PIPE */ - if ( !cli_nt_session_open( cli, PI_LSARPC ) ) { - result = NT_STATUS_UNSUCCESSFUL; + lsa_pipe = cli_rpc_pipe_open_noauth( cli, PI_LSARPC, &result ); + if ( !lsa_pipe) { goto done; } /* get a handle */ - result = cli_lsa_open_policy(cli, mem_ctx, True, + result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, True, POLICY_VIEW_LOCAL_INFORMATION, &pol); if ( !NT_STATUS_IS_OK(result) ) goto done; /* Lookup list of trusted domains */ - result = cli_lsa_enum_trust_dom(cli, mem_ctx, &pol, &enum_ctx, + result = rpccli_lsa_enum_trust_dom(lsa_pipe, mem_ctx, &pol, &enum_ctx, num_domains, domain_names, sids); if ( !NT_STATUS_IS_OK(result) ) goto done; @@ -184,4 +198,3 @@ done: return NT_STATUS_IS_OK(result); } - -- cgit From 8d7c88667190fe286971ac4fffb64ee5bd9eeeb0 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 18 Oct 2005 03:24:00 +0000 Subject: r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4 x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208) --- source3/libsmb/trusts_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 50fa613e72..87d20107fa 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -31,8 +31,8 @@ **********************************************************/ static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, - unsigned char orig_trust_passwd_hash[16], - unsigned char new_trust_passwd_hash[16], + const unsigned char orig_trust_passwd_hash[16], + const unsigned char new_trust_passwd_hash[16], uint32 sec_channel_type) { NTSTATUS result; -- cgit From 5678e4abb04e546735bff4907854ca32094a5b71 Mon Sep 17 00:00:00 2001 
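Review bot: `cli_rpc_pipe_open_noauth` binds the LSA pipe without authentication on top of the anonymous IPC$ session set up just above, so the trusted-domain names and SIDs this function returns have no origin or integrity protection and can be supplied by anything that answers the DC lookup. Nothing in the hunk is wrong for an enumeration helper, but callers that feed the result into authorization decisions should know; suggest a comment on the open, e.g. `/* anonymous, unsigned bind: the names and SIDs returned below are unauthenticated data */`. The policy handle from rpccli_lsa_open_policy is also not closed on the `goto done` paths inside this hunk; presumably the cleanup under done: tears down the whole connection, which covers it.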
From: Jeremy Allison Date: Fri, 4 Nov 2005 00:03:55 +0000 Subject: r11492: Fix bug #3224 (I hope). Correctly use machine_account_name and client_name when doing netlogon credential setup. Jeremy. (This used to be commit 37e6ef9389041f58eada167239fd022f01c5fecb) --- source3/libsmb/trusts_util.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 87d20107fa..9d94c1d00a 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -44,9 +44,10 @@ static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; result = rpccli_netlogon_setup_creds(cli, - cli->cli->desthost, - lp_workgroup(), - global_myname(), + cli->cli->desthost, /* server name */ + lp_workgroup(), /* domain */ + global_myname(), /* client name */ + global_myname(), /* machine account name */ orig_trust_passwd_hash, sec_channel_type, &neg_flags); -- cgit From 3d672717e084f7a26ef60321d614a686dd803dbd Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 19 Jun 2006 20:00:51 +0000 Subject: r16363: Fix Klocwork ID 981 1652 Volker (This used to be commit ce1d8423ef7cd86fc64200002fde707bca621d44) --- source3/libsmb/trusts_util.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 9d94c1d00a..55108bf72f 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c 
@@ -86,7 +86,11 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m /* Create a random machine account password */ str = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH); - new_trust_passwd = talloc_strdup(mem_ctx, str); + + if ((new_trust_passwd = talloc_strdup(mem_ctx, str)) == NULL) { + DEBUG(0, ("talloc_strdup failed\n")); + return NT_STATUS_NO_MEMORY; + } E_md4hash(new_trust_passwd, new_trust_passwd_hash); -- cgit From fbdcf2663b56007a438ac4f0d8d82436b1bfe688 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 11 Jul 2006 18:01:26 +0000 Subject: r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8) --- source3/libsmb/trusts_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 55108bf72f..e4061883eb 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -99,7 +99,7 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m if (NT_STATUS_IS_OK(nt_status)) { DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n", - timestring(False))); + current_timestring(False))); /* * Return the result of trying to write the new password * back into the trust account file. -- cgit From aa6055debd078504f6a7ed861443b02672fc9067 Mon Sep 17 00:00:00 2001 
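Review bot: The new NULL check is right, but the cleartext of the freshly generated machine password now lives in two places that are never cleared: the buffer returned by generate_random_str and the talloc'd copy `new_trust_passwd` on `mem_ctx`, which outlives this function. The cleartext is only needed until it has been hashed and handed to secrets_store_machine_password, so it would be safer to wipe it on the way out, e.g. `memset(new_trust_passwd, 0, strlen(new_trust_passwd));` before returning, and to do the same to `str` if generate_random_str hands back a static buffer. The body of trust_pw_change_and_store_it continues beyond the hunk, so the natural place is its exit path.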
From: Volker Lendecke Date: Tue, 13 Mar 2007 16:13:24 +0000 Subject: r21823: Let secrets_store_machine_password() also store the account name. Not used yet, the next step will be a secrets_fetch_machine_account() function that also pulls the account name to be used in the appropriate places. Volker (This used to be commit f94e5af72e282f70ca5454cdf3aed510b747eb93) --- source3/libsmb/trusts_util.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index e4061883eb..3460f2c47c 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -104,7 +104,10 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m * Return the result of trying to write the new password * back into the trust account file. */ - if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) { + if (!secrets_store_machine_password(new_trust_passwd, + global_myname(), + domain, + sec_channel_type)) { nt_status = NT_STATUS_UNSUCCESSFUL; } } -- cgit From f56da0890f645c4cecac7c60f67573e1f609fd4f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 13 Mar 2007 20:53:38 +0000 Subject: r21831: Back out r21823 for a while, this is going into a bzr tree first. Volker (This used to be commit fd0ee6722ddfcb64b5cc9c699375524ae3d8709b) --- source3/libsmb/trusts_util.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 3460f2c47c..e4061883eb 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c 
@@ -104,10 +104,7 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m * Return the result of trying to write the new password * back into the trust account file. */ - if (!secrets_store_machine_password(new_trust_passwd, - global_myname(), - domain, - sec_channel_type)) { + if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) { nt_status = NT_STATUS_UNSUCCESSFUL; } } -- cgit From d824b98f80ba186030cbb70b3a1e5daf80469ecd Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 9 Jul 2007 19:25:36 +0000 Subject: r23779: Change from v2 or later to v3 or later. Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3) --- source3/libsmb/trusts_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index e4061883eb..4b9f3e9441 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -6,7 +6,7 @@ * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or + * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, -- cgit From 153cfb9c83534b09f15cc16205d7adb19b394928 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jul 2007 05:23:25 +0000 Subject: r23801: The FSF has moved around a lot. This fixes their Mass Ave address. (This used to be commit 87c91e4362c51819032bfbebbb273c52e203b227) --- source3/libsmb/trusts_util.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 4b9f3e9441..0922f9f41e 100644 --- a/source3/libsmb/trusts_util.c 
+++ b/source3/libsmb/trusts_util.c @@ -15,8 +15,7 @@ * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + * along with this program; if not, see . */ #include "includes.h" -- cgit From 3529156971e17c7ec13f6a6243f7b613e4666cdd Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 28 Sep 2007 03:54:42 +0000 Subject: r25400: Windows 2008 (Longhorn) Interop fixes for AD specific auth2 flags, and client fixes. Patch from Todd Stetcher . (This used to be commit 8304ccba7346597425307e260e88647e49081f68) --- source3/libsmb/trusts_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 0922f9f41e..4a231dcd15 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -40,7 +40,7 @@ static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX already have valid creds. If not we must set them up. */ if (cli->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) { - uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; + uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS; result = rpccli_netlogon_setup_creds(cli, cli->cli->desthost, /* server name */ -- cgit From 5221ebb299081da6a806362212c6a8ceb9cc70a8 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 28 Sep 2007 18:15:34 +0000 Subject: r25407: Revert Longhorn join patch as it is not correct for the 3.2 tree. The translate_name() used by cli_session_setup_spnego() cann rely Winbindd since it is needed by the join process (and hence before Winbind can be run). (This used to be commit 00a93ed336c5f36643e6e33bd277608eaf05677c) --- source3/libsmb/trusts_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/trusts_util.c') 
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 4a231dcd15..0922f9f41e 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -40,7 +40,7 @@ static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX already have valid creds. If not we must set them up. */ if (cli->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) { - uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS; + uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; result = rpccli_netlogon_setup_creds(cli, cli->cli->desthost, /* server name */ -- cgit From 30191d1a5704ad2b158386b511558972d539ce47 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 18 Oct 2007 17:40:25 -0700 Subject: RIP BOOL. Convert BOOL -> bool. I found a few interesting bugs in various places whilst doing this (places that assumed BOOL == int). I also need to fix the Samba4 pidl generation (next checkin). Jeremy. (This used to be commit f35a266b3cbb3e5fa6a86be60f34fe340a3ca71f) --- source3/libsmb/trusts_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 0922f9f41e..e82d24426d 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -140,7 +140,7 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli, Enumerate the list of trusted domains from a DC *********************************************************************/ -BOOL enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain, +bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain, char ***domain_names, uint32 *num_domains, DOM_SID **sids ) { @@ -151,7 +151,7 @@ BOOL enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain, uint32 enum_ctx = 0; struct cli_state *cli = NULL; struct rpc_pipe_client *lsa_pipe; - BOOL retry; + bool retry; *domain_names = NULL; *num_domains = 0; -- cgit 
From f88b7a076be74a29a3bf876b4e2705f4a1ecf42b Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 24 Oct 2007 14:16:54 -0700 Subject: This is a large patch (sorry). Migrate from struct in_addr to struct sockaddr_storage in most places that matter (ie. not the nmbd and NetBIOS lookups). This passes make test on an IPv4 box, but I'll have to do more work/testing on IPv6 enabled boxes. This should now give us a framework for testing and finishing the IPv6 migration. It's at the state where someone with a working IPv6 setup should (theorecically) be able to type : smbclient //ipv6-address/share and have it work. Jeremy. (This used to be commit 98e154c3125d5732c37a72d74b0eb5cd7b6155fd) --- source3/libsmb/trusts_util.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index e82d24426d..732dc78c75 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -147,7 +147,7 @@ bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain, POLICY_HND pol; NTSTATUS result = NT_STATUS_UNSUCCESSFUL; fstring dc_name; - struct in_addr dc_ip; + struct sockaddr_storage dc_ss; uint32 enum_ctx = 0; struct cli_state *cli = NULL; struct rpc_pipe_client *lsa_pipe; @@ -159,7 +159,7 @@ bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain, /* lookup a DC first */ - if ( !get_dc_name(domain, NULL, dc_name, &dc_ip) ) { + if ( !get_dc_name(domain, NULL, dc_name, &dc_ss) ) { DEBUG(3,("enumerate_domain_trusts: can't locate a DC for domain %s\n", domain)); return False; 
@@ -167,7 +167,7 @@ bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain, /* setup the anonymous connection */ - result = cli_full_connection( &cli, global_myname(), dc_name, &dc_ip, 0, "IPC$", "IPC", + result = cli_full_connection( &cli, global_myname(), dc_name, &dc_ss, 0, "IPC$", "IPC", "", "", "", 0, Undefined, &retry); if ( !NT_STATUS_IS_OK(result) ) goto done; -- cgit From 691c4b1a4175e3d4a073c396a2a7d8d315cd42bd Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 17 Jan 2008 10:11:11 +0100 Subject: Windows 2008 (Longhorn) auth2 flag fixes. Interop fixes for AD specific flags. Original patch from Todd Stetcher. (This used to be commit 5aadfcdaacd6f136eab9e107a88b8544e6d2105f) --- source3/libsmb/trusts_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 732dc78c75..1ca7d56a83 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -40,7 +40,7 @@ static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX already have valid creds. If not we must set them up. */ if (cli->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) { - uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; + uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS; result = rpccli_netlogon_setup_creds(cli, cli->cli->desthost, /* server name */ -- cgit From 0ba3d44f7321cb235eb214194395d5da02824690 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 13 Feb 2008 00:25:40 +0100 Subject: Use rpccli_lsa_EnumTrustDom all over the place. Guenther (This used to be commit a25e7ffbca9c2c97dd36b0596e7cb38a72aaf9d9) --- source3/libsmb/trusts_util.c | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 1ca7d56a83..11f691bee6 100644 --- a/source3/libsmb/trusts_util.c 
+++ b/source3/libsmb/trusts_util.c @@ -152,6 +152,8 @@ bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain, struct cli_state *cli = NULL; struct rpc_pipe_client *lsa_pipe; bool retry; + struct lsa_DomainList dom_list; + int i; *domain_names = NULL; *num_domains = 0; @@ -188,11 +190,33 @@ bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain, /* Lookup list of trusted domains */ - result = rpccli_lsa_enum_trust_dom(lsa_pipe, mem_ctx, &pol, &enum_ctx, - num_domains, domain_names, sids); + result = rpccli_lsa_EnumTrustDom(lsa_pipe, mem_ctx, + &pol, + &enum_ctx, + &dom_list, + (uint32_t)-1); if ( !NT_STATUS_IS_OK(result) ) goto done; + *num_domains = dom_list.count; + + *domain_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, *num_domains); + if (!*domain_names) { + result = NT_STATUS_NO_MEMORY; + goto done; + } + + *sids = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, *num_domains); + if (!*sids) { + result = NT_STATUS_NO_MEMORY; + goto done; + } + + for (i=0; i< *num_domains; i++) { + (*domain_names)[i] = CONST_DISCARD(char *, dom_list.domains[i].name.string); + (*sids)[i] = *dom_list.domains[i].sid; + } + done: /* cleanup */ if (cli) { -- cgit From dd65a349350717eb17257ccf281561dd878ead12 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Sat, 16 Feb 2008 16:04:01 +0100 Subject: Use rpccli_netr_ServerPasswordSet in "just_change_the_password()". Guenther (This used to be commit 33f91c894488687a42500e751eb9016d99d9129c) --- source3/libsmb/trusts_util.c | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 11f691bee6..1e92bf21de 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c 
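Review bot: The copy loop dereferences `dom_list.domains[i].sid` unconditionally, and `name.string` may also be NULL, yet both come straight from the wire response of a server reached over the anonymous LSA bind opened earlier in this function, so a hostile or buggy DC can crash the caller. Suggest checking inside the loop: `if (dom_list.domains[i].sid == NULL) { result = NT_STATUS_INVALID_NETWORK_RESPONSE; goto done; }`. `*num_domains` is also assigned before the two allocations succeed, so on NO_MEMORY the caller sees a non-zero count paired with NULL arrays; set it after the arrays exist. Minor: `i` is `int` while `*num_domains` is `uint32`, so the loop comparison mixes signed and unsigned, and CONST_DISCARD drops the const without a copy, so the returned strings alias the response buffer.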
@@ -58,7 +58,32 @@ static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX } } - result = rpccli_net_srv_pwset(cli, mem_ctx, global_myname(), new_trust_passwd_hash); + { + struct netr_Authenticator clnt_creds, srv_cred; + struct samr_Password new_password; + + netlogon_creds_client_step(cli->dc, &clnt_creds); + + cred_hash3(new_password.hash, + new_trust_passwd_hash, + cli->dc->sess_key, 1); + + result = rpccli_netr_ServerPasswordSet(cli, mem_ctx, + cli->dc->remote_machine, + cli->dc->mach_acct, + sec_channel_type, + global_myname(), + &clnt_creds, + &srv_cred, + &new_password); + + /* Always check returned credentials. */ + if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) { + DEBUG(0,("rpccli_netr_ServerPasswordSet: " + "credentials chain check failed\n")); + return NT_STATUS_ACCESS_DENIED; + } + } if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("just_change_the_password: unable to change password (%s)!\n", -- cgit From 2d01ec2c390f8dd753600f22cefb17e7b8916ffd Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Wed, 27 Feb 2008 15:49:31 +0100 Subject: Use new LSA_POLICY defines in lsa rpc server code and other places. Guenther (This used to be commit 58cca9faf9db506bd2f6eab4a99ef85153797ab2) --- source3/libsmb/trusts_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 1e92bf21de..c079fb149a 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -209,7 +209,7 @@ bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain, /* get a handle */ result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, True, - POLICY_VIEW_LOCAL_INFORMATION, &pol); + LSA_POLICY_VIEW_LOCAL_INFORMATION, &pol); if ( !NT_STATUS_IS_OK(result) ) goto done; -- cgit From 9644b6cb50ec01c04a0d6ab17a8e39054fd8b0f8 Mon Sep 17 00:00:00 2001 
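Review bot: The credential-chain check runs on `srv_cred` whether or not rpccli_netr_ServerPasswordSet succeeded, and `srv_cred` is never initialised before the call, so a transport or server error is turned into NT_STATUS_ACCESS_DENIED by a check against uninitialised stack data and the real status is lost before the "unable to change password" log below can report it. Suggest `ZERO_STRUCT(srv_cred);` before the call and gating the check with `if (NT_STATUS_IS_OK(result) && !netlogon_creds_client_check(cli->dc, &srv_cred.cred))`, or returning `result` on failure first. Note also that netlogon_creds_client_step has already advanced the local chain by then, so on failure the client state is one step ahead of the server's; presumably callers re-run rpccli_netlogon_setup_creds before retrying.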
From: Michael Adam Date: Fri, 28 Mar 2008 15:49:13 +0100 Subject: Add a talloc context parameter to current_timestring() to fix memleaks. current_timestring used to return a string talloced to talloc_tos(). When called by DEBUG from a TALLOC_FREE, this produced messages "no talloc stackframe around, leaking memory". For example when used from net conf. This also adds a temporary talloc context to alloc_sub_basic(). For this purpose, the exit strategy is slightly altered: a common exit point is used for success and failure. Michael (This used to be commit 16b5800d4e3a8b88bac67b2550d14e0aaaa302a9) --- source3/libsmb/trusts_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index c079fb149a..8c2f69cee3 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -123,7 +123,7 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m if (NT_STATUS_IS_OK(nt_status)) { DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n", - current_timestring(False))); + current_timestring(debug_ctx(), False))); /* * Return the result of trying to write the new password * back into the trust account file. -- cgit From 99d35904552b01ef9f2adc40e16887da9eb4de69 Mon Sep 17 00:00:00 2001 
From: Günther Deschner Date: Wed, 2 Apr 2008 02:29:48 +0200 Subject: Fix NETLOGON credential chain with Windows 2008 all over the place. In order to avoid receiving NT_STATUS_DOWNGRADE_DETECTED from a w2k8 netr_ServerAuthenticate2 reply, we need to start with the AD netlogon negotiate flags everywhere (not only when running in security=ads). Only for NT4 we need to do a downgrade to the returned negotiate flags. Tested with w2k8, w2ksp4, w2k3r2 and nt4sp6. Guenther (This used to be commit 0970369ca0cb9ae465cff40e5c75739824daf1d0) --- source3/libsmb/trusts_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 8c2f69cee3..c3f5f2538a 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -40,7 +40,7 @@ static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX already have valid creds. If not we must set them up. */ if (cli->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) { - uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS; + uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; result = rpccli_netlogon_setup_creds(cli, cli->cli->desthost, /* server name */ -- cgit From 2a2188591b5ed922d09dc723adcf10f8b8f5e5a0 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 19 Apr 2008 21:56:43 +0200 Subject: Add "desthost" to rpc_pipe_client This reduces the dependency on cli_state (This used to be commit 783afab9c891dd7bcb78895b2a639b6f3a0edf5b) --- source3/libsmb/trusts_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index c3f5f2538a..20ac0143fd 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c 
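Review bot: `neg_flags` is an in/out parameter and this change only raises what the client offers; nothing in the hunk checks what the server negotiated down to, and the commit message says NT4 is handled by downgrading to the returned flags. If rpccli_netlogon_setup_creds does not itself enforce a floor, an on-path responder can clear NETLOGON_NEG_STRONG_KEYS in the reply and force the weak DES-derived session key for the password change. Either a comment here naming where the floor is enforced, or a check after the call such as `if (!(neg_flags & NETLOGON_NEG_STRONG_KEYS)) { return NT_STATUS_DOWNGRADE_DETECTED; }` (gated on whatever NT4-compatibility policy the site allows), would make the intent explicit. The call and its result handling continue outside the hunk.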
@@ -43,7 +43,7 @@ static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; result = rpccli_netlogon_setup_creds(cli, - cli->cli->desthost, /* server name */ + cli->desthost, /* server name */ lp_workgroup(), /* domain */ global_myname(), /* client name */ global_myname(), /* machine account name */ -- cgit From 9e9d40d0977add05ac65d35251c1a5986c721e48 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Mon, 21 Apr 2008 10:39:37 +0200 Subject: Refactoring: Make cli_pipe_auth_data a pointer off rpc_pipe_client (This used to be commit f665afaaa3eff9ef54112e08ed034a6e1bb30edc) --- source3/libsmb/trusts_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 20ac0143fd..6b3bbaf1d8 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -39,7 +39,7 @@ static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX /* Check if the netlogon pipe is open using schannel. If so we already have valid creds. If not we must set them up. */ - if (cli->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) { + if (cli->auth->auth_type != PIPE_AUTH_TYPE_SCHANNEL) { uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; result = rpccli_netlogon_setup_creds(cli, -- cgit From 1335da2a7cc639310e5d389e8e8dbe67c4e7ca25 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 20 Jul 2008 11:04:31 +0200 Subject: Refactoring: Change calling conventions for cli_rpc_pipe_open_noauth Pass in ndr_syntax_id instead of pipe_idx, return NTSTATUS (This used to be commit 9abc9dc4dc13bd3e42f98eff64eacf24b51f5779) --- source3/libsmb/trusts_util.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 6b3bbaf1d8..f4fdf9eb6f 100644 
--- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -201,8 +201,9 @@ bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain, /* open the LSARPC_PIPE */ - lsa_pipe = cli_rpc_pipe_open_noauth( cli, PI_LSARPC, &result ); - if ( !lsa_pipe) { + result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id, + &lsa_pipe); + if (!NT_STATUS_IS_OK(result)) { goto done; } -- cgit From b67adb49ecbb7eff4446321962f3a00984e88d01 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 21 Aug 2008 15:05:35 +0200 Subject: Fix Bug #5710 and make machine account password changing work again. When we negotiated NETLOGON_NEG_PASSWORD_SET2 we need to use NetrServerPasswordSet2 to change the machine password. Tested with NT4, W2k, W2k3 and W2k8. Guenther (This used to be commit 5820360451e4db0fad0472f814cae667b2ea51fd) --- source3/libsmb/trusts_util.c | 75 ++++++++++++++++++++++++++++++-------------- 1 file changed, 52 insertions(+), 23 deletions(-) (limited to 'source3/libsmb/trusts_util.c') diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index f4fdf9eb6f..08a49930b4 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c 
@@ -31,34 +31,60 @@ static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, const unsigned char orig_trust_passwd_hash[16], + const char *new_trust_pwd_cleartext, const unsigned char new_trust_passwd_hash[16], uint32 sec_channel_type) { NTSTATUS result; + uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; - /* Check if the netlogon pipe is open using schannel. If so we - already have valid creds. If not we must set them up. */ - - if (cli->auth->auth_type != PIPE_AUTH_TYPE_SCHANNEL) { - uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; - - result = rpccli_netlogon_setup_creds(cli, - cli->desthost, /* server name */ - lp_workgroup(), /* domain */ - global_myname(), /* client name */ - global_myname(), /* machine account name */ - orig_trust_passwd_hash, - sec_channel_type, - &neg_flags); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(3,("just_change_the_password: unable to setup creds (%s)!\n", - nt_errstr(result))); - return result; - } + result = rpccli_netlogon_setup_creds(cli, + cli->desthost, /* server name */ + lp_workgroup(), /* domain */ + global_myname(), /* client name */ + global_myname(), /* machine account name */ + orig_trust_passwd_hash, + sec_channel_type, + &neg_flags); + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(3,("just_change_the_password: unable to setup creds (%s)!\n", + nt_errstr(result))); + return result; } - { + if (neg_flags & NETLOGON_NEG_PASSWORD_SET2) { + + struct netr_Authenticator clnt_creds, srv_cred; + struct netr_CryptPassword new_password; + struct samr_CryptPassword password_buf; + + netlogon_creds_client_step(cli->dc, &clnt_creds); + + encode_pw_buffer(password_buf.data, new_trust_pwd_cleartext, STR_UNICODE); + + SamOEMhash(password_buf.data, cli->dc->sess_key, 516); + memcpy(new_password.data, password_buf.data, 512); + new_password.length = IVAL(password_buf.data, 512); + + result = rpccli_netr_ServerPasswordSet2(cli, mem_ctx, + cli->dc->remote_machine, + cli->dc->mach_acct, + sec_channel_type, 
+ global_myname(), + &clnt_creds, + &srv_cred, + &new_password); + + /* Always check returned credentials. */ + if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) { + DEBUG(0,("rpccli_netr_ServerPasswordSet2: " + "credentials chain check failed\n")); + return NT_STATUS_ACCESS_DENIED; + } + + } else { + struct netr_Authenticator clnt_creds, srv_cred; struct samr_Password new_password; @@ -118,8 +144,11 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m E_md4hash(new_trust_passwd, new_trust_passwd_hash); - nt_status = just_change_the_password(cli, mem_ctx, orig_trust_passwd_hash, - new_trust_passwd_hash, sec_channel_type); + nt_status = just_change_the_password(cli, mem_ctx, + orig_trust_passwd_hash, + new_trust_passwd, + new_trust_passwd_hash, + sec_channel_type); if (NT_STATUS_IS_OK(nt_status)) { DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n", -- cgit
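Review bot: In the new ServerPasswordSet2 branch `srv_cred` is declared without initialisation and netlogon_creds_client_check is applied to it even when rpccli_netr_ServerPasswordSet2 failed, so a failed RPC is reported as NT_STATUS_ACCESS_DENIED from a comparison against stack garbage and the server's status never reaches the "unable to change password" log at the bottom of the function. `ZERO_STRUCT(srv_cred);` before the call plus `if (NT_STATUS_IS_OK(result) && !netlogon_creds_client_check(cli->dc, &srv_cred.cred))` keeps the chain check and preserves the real error. The hunk also drops the `auth_type != PIPE_AUTH_TYPE_SCHANNEL` guard, so rpccli_netlogon_setup_creds now runs unconditionally and presumably replaces `cli->dc` even on a pipe the caller already bound with schannel; the header comment ("Caller must have the cli connected to the netlogon pipe already") should say the function re-authenticates with `orig_trust_passwd_hash` regardless. The else branch and the final result check lie outside the hunk.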