From 9bd7e1e8870da87ea6f3c9e78933beeb08b65a0c Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 27 May 1998 00:30:52 +0000 Subject: loadparm.c: Added machine password timeout parameter - set to 7 days be default. password.c: Added code to tell server.c when machine password needs changing. server.c: Change machine password in idle cycles if it needs it. smbpassfile.c: Fixed up length calculations for machine password file. smbpasswd.c: Moved domain joining code/machine password changing code. lib/rpc/client/cli_netlogon.c: And this is where it now lives. Jeremy. (This used to be commit b8fedca6191de96159df0d1d17082d82e8e44773) --- source3/utils/smbpasswd.c | 192 +++++++--------------------------------------- 1 file changed, 27 insertions(+), 165 deletions(-) (limited to 'source3/utils/smbpasswd.c') diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c index 8e744c8641..c9742fc498 100644 --- a/source3/utils/smbpasswd.c +++ b/source3/utils/smbpasswd.c 
@@ -43,157 +43,30 @@ static void usage(char *name, BOOL is_root) Join a domain. **********************************************************/ -static int setup_account( char *domain, char *remote_machine, - unsigned char orig_trust_passwd_hash[16], - unsigned char new_trust_passwd_hash[16]) -{ - struct in_addr dest_ip; - struct cli_state cli; - - memset(&cli, '\0', sizeof(struct cli_state)); - if(cli_initialise(&cli) == False) { - fprintf(stderr, "%s: unable to initialize client connection.\n", prog_name); - return 1; - } - - if(!resolve_name( remote_machine, &dest_ip)) { - fprintf(stderr, "%s: Can't resolve address for %s\n", prog_name, remote_machine); - return 1; - } - - if (ismyip(dest_ip)) { - fprintf(stderr,"%s: Machine %s is one of our addresses. Cannot add to ourselves.\n", prog_name, - remote_machine); - return 1; - } - - if (!cli_connect(&cli, remote_machine, &dest_ip)) { - fprintf(stderr, "%s: unable to connect to SMB server on \ -machine %s. Error was : %s.\n", prog_name, remote_machine, cli_errstr(&cli) ); - return 1; - } - - if (!cli_session_request(&cli, remote_machine, 0x20, global_myname)) { - fprintf(stderr, "%s: machine %s rejected the session setup. \ -Error was : %s.\n", prog_name, remote_machine, cli_errstr(&cli) ); - cli_shutdown(&cli); - return 1; - } - - cli.protocol = PROTOCOL_NT1; - - if (!cli_negprot(&cli)) { - fprintf(stderr, "%s: machine %s rejected the negotiate protocol. \ -Error was : %s.\n", prog_name, remote_machine, cli_errstr(&cli) ); - cli_shutdown(&cli); - return 1; - } - if (cli.protocol != PROTOCOL_NT1) { - fprintf(stderr, "%s: machine %s didn't negotiate NT protocol.\n", prog_name, remote_machine); - cli_shutdown(&cli); - return 1; - } - - /* - * Do an anonymous session setup. - */ - - if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) { - fprintf(stderr, "%s: machine %s rejected the session setup. 
\ -Error was : %s.\n", prog_name, remote_machine, cli_errstr(&cli) ); - cli_shutdown(&cli); - return 1; - } - - if (!(cli.sec_mode & 1)) { - fprintf(stderr, "%s: machine %s isn't in user level security mode\n", prog_name, remote_machine); - cli_shutdown(&cli); - return 1; - } - - if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) { - fprintf(stderr, "%s: machine %s rejected the tconX on the IPC$ share. \ -Error was : %s.\n", prog_name, remote_machine, cli_errstr(&cli) ); - cli_shutdown(&cli); - return 1; - } - - /* - * Ok - we have an anonymous connection to the IPC$ share. - * Now start the NT Domain stuff :-). - */ - - if(cli_nt_session_open(&cli, PIPE_NETLOGON, False) == False) { - fprintf(stderr, "%s: unable to open the domain client session to \ -machine %s. Error was : %s.\n", prog_name, remote_machine, cli_errstr(&cli)); - cli_nt_session_close(&cli); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return 1; - } - - if(cli_nt_setup_creds(&cli, orig_trust_passwd_hash) == False) { - fprintf(stderr, "%s: unable to setup the PDC credentials to machine \ -%s. Error was : %s.\n", prog_name, remote_machine, cli_errstr(&cli)); - cli_nt_session_close(&cli); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return 1; - } - - if( cli_nt_srv_pwset( &cli,new_trust_passwd_hash ) == False) { - fprintf(stderr, "%s: unable to change password for machine %s in domain \ -%s to Domain controller %s. Error was %s.\n", prog_name, global_myname, domain, remote_machine, - cli_errstr(&cli)); - cli_close(&cli, cli.nt_pipe_fnum); - cli_ulogoff(&cli); - cli_shutdown(&cli); - return 1; - } - - cli_nt_session_close(&cli); - cli_ulogoff(&cli); - cli_shutdown(&cli); - - return 0; -} - -/********************************************************* -Join a domain. 
-**********************************************************/ - static int join_domain( char *domain, char *remote) { - fstring remote_machine; - char *p; + pstring remote_machine; fstring trust_passwd; - unsigned char trust_passwd_hash[16]; - unsigned char new_trust_passwd_hash[16]; - int ret = 1; + unsigned char orig_trust_passwd_hash[16]; + BOOL ret; - fstrcpy(remote_machine, remote ? remote : ""); + pstrcpy(remote_machine, remote ? remote : ""); fstrcpy(trust_passwd, global_myname); strlower(trust_passwd); - E_md4hash( (uchar *)trust_passwd, trust_passwd_hash); - - generate_random_buffer( new_trust_passwd_hash, 16, True); + E_md4hash( (uchar *)trust_passwd, orig_trust_passwd_hash); /* Ensure that we are not trying to join a domain if we are locally set up as a domain controller. */ if(lp_domain_controller() && strequal(lp_workgroup(), domain)) { - fprintf(stderr, "%s: Cannot join domain %s as we already configured as domain controller \ -for that domain.\n", prog_name, domain); + fprintf(stderr, "%s: Cannot join domain %s as we already configured as \ +domain controller for that domain.\n", prog_name, domain); return 1; } /* - * Write the new machine password. - */ - - /* - * Get the machine account password. + * Create the machine account password file. */ if(!trust_password_lock( domain, global_myname, True)) { fprintf(stderr, "%s: unable to open the machine account password file for \ 
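Review bot: The derivation of orig_trust_passwd_hash in join_domain — `fstrcpy(trust_passwd, global_myname); strlower(trust_passwd); E_md4hash(...)` — is uncommented, and nothing at the declaration says why the hash is called "orig" even though the second hunk later writes it to the trust password file as the old machine account password. A comment such as `/* Initial machine account password: the machine name in lower case. */` above the `strlower(trust_passwd)` line would make that explicit. The change of remote_machine from fstring to pstring appears to be so it can hold the whole `password server` list copied from smb.conf, which is worth a one-line comment next to the declaration. join_domain continues past the end of this hunk.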
@@ -201,53 +74,42 @@ machine %s in domain %s.\n", prog_name, global_myname, domain); return 1; } - if(!set_trust_account_password( new_trust_passwd_hash)) { - fprintf(stderr, "%s: unable to read the machine account password for \ + /* + * Write the old machine account password. + */ + + if(!set_trust_account_password( orig_trust_passwd_hash)) { + fprintf(stderr, "%s: unable to write the machine account password for \ machine %s in domain %s.\n", prog_name, global_myname, domain); trust_password_unlock(); return 1; } - trust_password_unlock(); - /* * If we are given a remote machine assume this is the PDC. */ - if(remote != NULL) { - strupper(remote_machine); - ret = setup_account( domain, remote_machine, trust_passwd_hash, new_trust_passwd_hash); - if(ret == 0) - printf("%s: Joined domain %s.\n", prog_name, domain); - } else { - /* - * Treat each name in the 'password server =' line as a potential - * PDC/BDC. Contact each in turn and try and authenticate and - * change the machine account password. 
- */ - - p = lp_passwordserver(); + if(remote == NULL) + pstrcpy(remote_machine, lp_passwordserver()); - if(!*p) - fprintf(stderr, "%s: No password server list given in smb.conf - \ + if(!*remote_machine) { + fprintf(stderr, "%s: No password server list given in smb.conf - \ unable to join domain.\n", prog_name); - - while(p && next_token( &p, remote_machine, LIST_SEP)) { - - strupper(remote_machine); - if(setup_account( domain, remote_machine, trust_passwd_hash, new_trust_passwd_hash) == 0) { - printf("%s: Joined domain %s.\n", prog_name, domain); - return 0; - } - } + trust_password_unlock(); + return 1; } - if(ret) { + ret = change_trust_account_password( domain, remote_machine); + trust_password_unlock(); + + if(!ret) { trust_password_delete( domain, global_myname); fprintf(stderr,"%s: Unable to join domain %s.\n", prog_name, domain); + } else { + printf("%s: Joined domain %s.\n", prog_name, domain); } - return ret; + return (int)ret; } /********************************************************* -- cgit
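Review bot: `return (int)ret;` inverts join_domain's exit-status contract: ret is the BOOL from change_trust_account_password(), True on success, so the function now returns 1 when the domain was joined and 0 when it was not, whereas the removed code returned 0 on success (`int ret = 1;` … `if(ret == 0) printf("%s: Joined domain %s.\n", ...)`). Unless the caller (outside this hunk) was adjusted in the same commit, a successful join is reported as failure and vice versa; `return ret ? 0 : 1;` keeps the old contract. Separately, when `remote == NULL` the entire `lp_passwordserver()` string is passed as remote_machine, while the removed code tokenised it with next_token() over LIST_SEP and tried each server in turn, so if change_trust_account_password() (now in cli_netlogon.c per the commit message) does not do that tokenising itself, a multi-entry `password server` list is no longer tried server by server. join_domain begins before this hunk.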