From f793c99ca54d62cb8142607e8449f5b5b3a5e79d Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 11 Dec 2007 13:05:44 +0100 Subject: Let get_trust_pw() determine the machine_account_name to use. Up to now each caller used its own logic. This eliminates code paths where there was a special treatment of the following situation: the domain given is not our workgroup (i.e. our own domain) and we are not a DC (i.e. it is not a typical trusted domain situation). In situation the given domain name was previously used as the machine account name, resulting in an account name of DOMAIN\\DOMAIN$, which does not seem very reasonable to me. get_trust_pw would not have obtained a password in this situation anyways. I hope I have not missed an important point here! Michael (This used to be commit 6ced4a7f88798dc449a667d63bc29bf6c569291f) --- source3/passdb/passdb.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) (limited to 'source3/passdb/passdb.c') diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index 2a4d4c4a0a..f9b972da9b 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -1523,10 +1523,12 @@ bool pdb_increment_bad_password_count(struct samu *sampass) /******************************************************************* - Wrapper around retrieving the trust account password + Wrapper around retrieving the trust account password. + appropriate account name is stored in account_name. *******************************************************************/ -bool get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel) +bool get_trust_pw(const char *domain, uint8 ret_pwd[16], + const char **account_name, uint32 *channel) { DOM_SID sid; char *pwd; @@ -1550,6 +1552,10 @@ bool get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel) E_md4hash(pwd, ret_pwd); SAFE_FREE(pwd); + if (account_name != NULL) { + *account_name = lp_workgroup(); + } + return True; } @@ -1558,7 +1564,13 @@ bool get_trust_pw(const char *domain, uint8 ret_pwd[16], uint32 *channel) if (secrets_fetch_trust_account_password(domain, ret_pwd, &last_set_time, channel)) + { + if (account_name != NULL) { + *account_name = global_myname(); + } + return True; + } DEBUG(5, ("get_trust_pw: could not fetch trust account " "password for domain %s\n", domain)); -- cgit From 1084151442552e63c0b9b310273d8d42711aa55c Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 11 Dec 2007 13:59:54 +0100 Subject: Export logic of get_trust_pw() to new function get_trust_pw_clear(). get_trust_pw() just now computes the md4 hash of the result of get_trust_pw_clear() if that was successful. As a last resort, in the non-trusted-domain-situation, get_trust_pw() now tries to directly obtain the hashed version of the password out of secrets.tdb. Michael (This used to be commit 4562342eb84e6fdcec15d8b7ae83aa146aabe2b7) --- source3/passdb/passdb.c | 74 ++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 58 insertions(+), 16 deletions(-) (limited to 'source3/passdb/passdb.c') diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index f9b972da9b..488458fc85 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -1521,58 +1521,100 @@ bool pdb_increment_bad_password_count(struct samu *sampass) return True; } +bool is_trusted_domain_situation(const char *domain_name) +{ + return IS_DC && + lp_allow_trusted_domains() && + !strequal(domain_name, lp_workgroup()); +} /******************************************************************* - Wrapper around retrieving the trust account password. + Wrapper around retrieving the clear text trust account password. appropriate account name is stored in account_name. + Caller must free password, but not account_name. *******************************************************************/ -bool get_trust_pw(const char *domain, uint8 ret_pwd[16], - const char **account_name, uint32 *channel) +bool get_trust_pw_clear(const char *domain, char **ret_pwd, + const char **account_name, uint32 *channel) { DOM_SID sid; char *pwd; time_t last_set_time; /* if we are a DC and this is not our domain, then lookup an account - for the domain trust */ + * for the domain trust */ - if (IS_DC && !strequal(domain, lp_workgroup()) && - lp_allow_trusted_domains()) - { - if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &last_set_time)) + if (is_trusted_domain_situation(domain)) { + if (!pdb_get_trusteddom_pw(domain, ret_pwd, &sid, + &last_set_time)) { DEBUG(0, ("get_trust_pw: could not fetch trust " "account password for trusted domain %s\n", domain)); - return False; + return false; } *channel = SEC_CHAN_DOMAIN; - E_md4hash(pwd, ret_pwd); - SAFE_FREE(pwd); if (account_name != NULL) { *account_name = lp_workgroup(); } - return True; + return true; } /* Just get the account for the requested domain. In the future this * might also cover to be member of more than one domain. */ - if (secrets_fetch_trust_account_password(domain, ret_pwd, - &last_set_time, channel)) + pwd = secrets_fetch_machine_password(domain, &last_set_time, channel); + + if (pwd != NULL) { + *ret_pwd = pwd; + if (account_name != NULL) { + *account_name = global_myname(); + } + + return true; + } + + DEBUG(5, ("get_trust_pw_clear: could not fetch clear text trust " + "account password for domain %s\n", domain)); + return false; +} + +/******************************************************************* + Wrapper around retrieving the trust account password. + appropriate account name is stored in account_name. +*******************************************************************/ + +bool get_trust_pw(const char *domain, uint8 ret_pwd[16], + const char **account_name, uint32 *channel) +{ + char *pwd = NULL; + time_t last_set_time; + + if (get_trust_pw_clear(domain, &pwd, account_name, channel)) { + E_md4hash(pwd, ret_pwd); + SAFE_FREE(pwd); + return true; + } else if (is_trusted_domain_situation(domain)) { + return false; + } + + /* as a fallback, try to get the hashed pwd directly from the tdb... */ + + if (secrets_fetch_trust_account_password_legacy(domain, ret_pwd, + &last_set_time, + channel)) { if (account_name != NULL) { *account_name = global_myname(); } - return True; + return true; } - DEBUG(5, ("get_trust_pw: could not fetch trust account " + DEBUG(5, ("get_trust_pw_hash: could not fetch trust account " "password for domain %s\n", domain)); return False; } -- cgit From 31f221ed9316c8dc2f4911d7b8ddcdf8b74367db Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 11 Dec 2007 14:07:32 +0100 Subject: Rename get_trust_pw() to get_trust_pw_hash(). Michael (This used to be commit 0cde7ac9cb39a0026a38ccf66dbecefc12931074) --- source3/passdb/passdb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source3/passdb/passdb.c') diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index 488458fc85..11c5b68197 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -1587,8 +1587,8 @@ bool get_trust_pw_clear(const char *domain, char **ret_pwd, appropriate account name is stored in account_name. *******************************************************************/ -bool get_trust_pw(const char *domain, uint8 ret_pwd[16], - const char **account_name, uint32 *channel) +bool get_trust_pw_hash(const char *domain, uint8 ret_pwd[16], + const char **account_name, uint32 *channel) { char *pwd = NULL; time_t last_set_time; -- cgit From ce76bcff29819056dc7a4aac0c3468022a7485f1 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Tue, 11 Dec 2007 14:12:49 +0100 Subject: Pass NULL instead of unneeded &sid: pdb_get_trusteddom_pw() checks. Michael (This used to be commit b2e12365b56f24586a7dfcb845f4de51f0b0e7d5) --- source3/passdb/passdb.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'source3/passdb/passdb.c') diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index 11c5b68197..c4248bb48e 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -1537,7 +1537,6 @@ bool is_trusted_domain_situation(const char *domain_name) bool get_trust_pw_clear(const char *domain, char **ret_pwd, const char **account_name, uint32 *channel) { - DOM_SID sid; char *pwd; time_t last_set_time; @@ -1545,7 +1544,7 @@ bool get_trust_pw_clear(const char *domain, char **ret_pwd, * for the domain trust */ if (is_trusted_domain_situation(domain)) { - if (!pdb_get_trusteddom_pw(domain, ret_pwd, &sid, + if (!pdb_get_trusteddom_pw(domain, ret_pwd, NULL, &last_set_time)) { DEBUG(0, ("get_trust_pw: could not fetch trust " -- cgit