1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
|
/*
* Unix SMB/Netbios implementation. Version 1.9. SMB parameters and setup
* Copyright (C) Andrew Tridgell 1992-1998 Modified by Jeremy Allison 1995.
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free
* Software Foundation; either version 2 of the License, or (at your option)
* any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 675
* Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
extern int DEBUGLEVEL;
BOOL global_machine_password_needs_changing = False;
static int mach_passwd_lock_depth = 0;
static FILE *mach_passwd_fp = NULL;
/************************************************************************
Routine to get the name for a trust account file.
************************************************************************/
static void get_trust_account_file_name( char *domain, char *name, char *mac_file)
{
unsigned int mac_file_len;
char *p;
pstrcpy(mac_file, lp_smb_passwd_file());
p = strrchr(mac_file, '/');
if(p != NULL)
*++p = '\0';
mac_file_len = strlen(mac_file);
if ((int)(sizeof(pstring) - mac_file_len - strlen(domain) - strlen(name) - 6) < 0)
{
DEBUG(0,("get_trust_account_file_name: path %s too long to add trust details.\n",
mac_file));
return;
}
pstrcat(mac_file, domain);
pstrcat(mac_file, ".");
pstrcat(mac_file, name);
pstrcat(mac_file, ".mac");
DEBUG(5,("trust_account_file_name: %s\n", mac_file));
}
/************************************************************************
Routine to lock the trust account password file for a domain.
************************************************************************/
BOOL trust_password_lock( char *domain, char *name, BOOL update)
{
pstring mac_file;
if(mach_passwd_lock_depth == 0) {
get_trust_account_file_name( domain, name, mac_file);
if((mach_passwd_fp = sys_fopen(mac_file, "r+b")) == NULL) {
if(errno == ENOENT && update) {
mach_passwd_fp = sys_fopen(mac_file, "w+b");
}
if(mach_passwd_fp == NULL) {
DEBUG(0,("trust_password_lock: cannot open file %s - Error was %s.\n",
mac_file, strerror(errno) ));
return False;
}
}
chmod(mac_file, 0600);
if(!file_lock(fileno(mach_passwd_fp), (update ? F_WRLCK : F_RDLCK),
60, &mach_passwd_lock_depth))
{
DEBUG(0,("trust_password_lock: cannot lock file %s\n", mac_file));
fclose(mach_passwd_fp);
return False;
}
}
return True;
}
/************************************************************************
Routine to unlock the trust account password file for a domain.
************************************************************************/
BOOL trust_password_unlock(void)
{
BOOL ret = file_unlock(fileno(mach_passwd_fp), &mach_passwd_lock_depth);
if(mach_passwd_lock_depth == 0)
fclose(mach_passwd_fp);
return ret;
}
/************************************************************************
Routine to delete the trust account password file for a domain.
************************************************************************/
BOOL trust_password_delete( char *domain, char *name )
{
pstring mac_file;
get_trust_account_file_name( domain, name, mac_file);
return (unlink( mac_file ) == 0);
}
/************************************************************************
Routine to get the trust account password for a domain.
The user of this function must have locked the trust password file.
************************************************************************/
BOOL get_trust_account_password( unsigned char *ret_pwd, time_t *pass_last_set_time)
{
char linebuf[256];
char *p;
int i;
linebuf[0] = '\0';
*pass_last_set_time = (time_t)0;
memset(ret_pwd, '\0', 16);
if(sys_fseek( mach_passwd_fp, (SMB_OFF_T)0, SEEK_SET) == -1) {
DEBUG(0,("get_trust_account_password: Failed to seek to start of file. Error was %s.\n",
strerror(errno) ));
return False;
}
fgets(linebuf, sizeof(linebuf), mach_passwd_fp);
if(ferror(mach_passwd_fp)) {
DEBUG(0,("get_trust_account_password: Failed to read password. Error was %s.\n",
strerror(errno) ));
return False;
}
if(linebuf[strlen(linebuf)-1] == '\n')
linebuf[strlen(linebuf)-1] = '\0';
/*
* The length of the line read
* must be 45 bytes ( <---XXXX 32 bytes-->:TLC-12345678
*/
if(strlen(linebuf) != 45) {
DEBUG(0,("get_trust_account_password: Malformed trust password file (wrong length \
- was %d, should be 45).\n", strlen(linebuf)));
#ifdef DEBUG_PASSWORD
DEBUG(100,("get_trust_account_password: line = |%s|\n", linebuf));
#endif
return False;
}
/*
* Get the hex password.
*/
if (!pwdb_gethexpwd((char *)linebuf, (char *)ret_pwd, NULL) || linebuf[32] != ':' ||
strncmp(&linebuf[33], "TLC-", 4)) {
DEBUG(0,("get_trust_account_password: Malformed trust password file (incorrect format).\n"));
#ifdef DEBUG_PASSWORD
DEBUG(100,("get_trust_account_password: line = |%s|\n", linebuf));
#endif
return False;
}
/*
* Get the last changed time.
*/
p = &linebuf[37];
for(i = 0; i < 8; i++) {
if(p[i] == '\0' || !isxdigit((int)p[i])) {
DEBUG(0,("get_trust_account_password: Malformed trust password file (no timestamp).\n"));
#ifdef DEBUG_PASSWORD
DEBUG(100,("get_trust_account_password: line = |%s|\n", linebuf));
#endif
return False;
}
}
/*
* p points at 8 characters of hex digits -
* read into a time_t as the seconds since
* 1970 that the password was last changed.
*/
*pass_last_set_time = (time_t)strtol(p, NULL, 16);
return True;
}
/************************************************************************
Routine to get the trust account password for a domain.
The user of this function must have locked the trust password file.
************************************************************************/
BOOL set_trust_account_password( unsigned char *md4_new_pwd)
{
char linebuf[64];
int i;
if(sys_fseek( mach_passwd_fp, (SMB_OFF_T)0, SEEK_SET) == -1) {
DEBUG(0,("set_trust_account_password: Failed to seek to start of file. Error was %s.\n",
strerror(errno) ));
return False;
}
for (i = 0; i < 16; i++)
slprintf(&linebuf[(i*2)], sizeof(linebuf) - (i*2) - 1, "%02X", md4_new_pwd[i]);
slprintf(&linebuf[32], 32, ":TLC-%08X\n", (unsigned)time(NULL));
if(fwrite( linebuf, 1, 46, mach_passwd_fp)!= 46) {
DEBUG(0,("set_trust_account_password: Failed to write file. Warning - the trust \
account is now invalid. Please recreate. Error was %s.\n", strerror(errno) ));
return False;
}
fflush(mach_passwd_fp);
return True;
}
BOOL trust_get_passwd( unsigned char trust_passwd[16], char *domain, char *myname)
{
time_t lct;
/*
* Get the trust account password.
*/
if(!trust_password_lock( domain, myname, False)) {
DEBUG(0,("domain_client_validate: unable to open the trust account password file for \
trust %s in domain %s.\n", myname, domain ));
return False;
}
if(get_trust_account_password( trust_passwd, &lct) == False) {
DEBUG(0,("domain_client_validate: unable to read the trust account password for \
trust %s in domain %s.\n", myname, domain ));
trust_password_unlock();
return False;
}
trust_password_unlock();
/*
* Here we check the last change time to see if the trust
* password needs changing. JRA.
*/
if(time(NULL) > lct + lp_machine_password_timeout())
{
global_machine_password_needs_changing = True;
}
return True;
}
/*********************************************************
record Trust Account password.
**********************************************************/
BOOL create_trust_account_file(char *domain, char *name, uchar pass[16])
{
/*
* Create the machine account password file.
*/
if (!trust_password_lock( domain, name, True))
{
DEBUG(0,("unable to open the trust account password file for \
account %s in domain %s.\n", name, domain));
return False;
}
/*
* Write the old machine account password.
*/
if (!set_trust_account_password( pass))
{
DEBUG(0,("unable to write the trust account password for \
%s in domain %s.\n", name, domain));
trust_password_unlock();
return False;
}
trust_password_unlock();
return True;
}
|