sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-24 02:04:21 +03:00
Code
samba-mirror/source3/rpc_client/ntclienttrust.c

168 lines
4.4 KiB
C
Raw Normal View History

"For I have laboured mightily on Luke's code, and hath broken all I saw" - the book of Jeremy, chapter 1 :-). So here is the mega-merge of the NTDOM branch server code. It doesn't include the new client side pieces, we'll look at that later. This should give the same functionality, server wise, as the NTDOM branch does, only merged into the main branch. Any fixes to domain controler functionality should be added to the main branch, not the NTDOM branch. This code compiles without warnings on gcc2.8, but will need further testing before we are sure all the working functionality of the NTDOM server branch has been correctly carried over. I hereby declare the server side of the NTDOM branch dead (and all who sail in her :-). Jeremy. (This used to be commit 118ba4d77a33248e762a2cf843fb7cbc906ee6e7)
1998-03-11 21:11:04 +00:00
/*
Unix SMB/Netbios implementation.
Version 1.9.
NT Domain Authentication SMB / MSRPC client
Copyright (C) Andrew Tridgell 1994-1997
Copyright (C) Luke Kenneth Casson Leighton 1996-1997
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#ifdef SYSLOG
#undef SYSLOG
#endif
#include "includes.h"
#include "nterr.h"
extern int DEBUGLEVEL;
/************************************************************************
check workstation trust account status
************************************************************************/
BOOL trust_account_check(struct in_addr dest_ip, char *dest_host,
char *myhostname, char *domain, fstring mach_acct,
fstring new_mach_pwd)
{
pstring tmp;
fstring mach_pwd;
struct cli_state cli_trust;
uchar lm_owf_mach_pwd[16];
uchar nt_owf_mach_pwd[16];
uchar lm_sess_pwd[24];
uchar nt_sess_pwd[24];
BOOL right_error_code = False;
uint8 err_cls;
uint32 err_num;
char *start_mach_pwd;
char *change_mach_pwd;
/* initial machine password */
fstrcpy(mach_pwd, myhostname);
strlower(mach_pwd);
This is a security audit change of the main source. It removed all ocurrences of the following functions : sprintf strcpy strcat The replacements are slprintf, safe_strcpy and safe_strcat. It should not be possible to use code in Samba that uses sprintf, strcpy or strcat, only the safe_equivalents. Once Andrew has fixed the slprintf implementation then this code will be moved back to the 1.9.18 code stream. Jeremy. (This used to be commit 2d774454005f0b54e5684cf618da7060594dfcbb)
1998-05-12 00:55:32 +00:00
slprintf(tmp, sizeof(tmp) - 1,"Enter Workstation Trust Account password for [%s].\nDefault is [%s].\nPassword:",
"For I have laboured mightily on Luke's code, and hath broken all I saw" - the book of Jeremy, chapter 1 :-). So here is the mega-merge of the NTDOM branch server code. It doesn't include the new client side pieces, we'll look at that later. This should give the same functionality, server wise, as the NTDOM branch does, only merged into the main branch. Any fixes to domain controler functionality should be added to the main branch, not the NTDOM branch. This code compiles without warnings on gcc2.8, but will need further testing before we are sure all the working functionality of the NTDOM server branch has been correctly carried over. I hereby declare the server side of the NTDOM branch dead (and all who sail in her :-). Jeremy. (This used to be commit 118ba4d77a33248e762a2cf843fb7cbc906ee6e7)
1998-03-11 21:11:04 +00:00
mach_acct, mach_pwd);
start_mach_pwd = (char*)getpass(tmp);
if (start_mach_pwd[0] != 0)
{
fstrcpy(mach_pwd, start_mach_pwd);
}
This is a security audit change of the main source. It removed all ocurrences of the following functions : sprintf strcpy strcat The replacements are slprintf, safe_strcpy and safe_strcat. It should not be possible to use code in Samba that uses sprintf, strcpy or strcat, only the safe_equivalents. Once Andrew has fixed the slprintf implementation then this code will be moved back to the 1.9.18 code stream. Jeremy. (This used to be commit 2d774454005f0b54e5684cf618da7060594dfcbb)
1998-05-12 00:55:32 +00:00
slprintf(tmp, sizeof(tmp)-1, "Enter new Workstation Trust Account password for [%s]\nPress Return to leave at old value.\nNew Password:",
"For I have laboured mightily on Luke's code, and hath broken all I saw" - the book of Jeremy, chapter 1 :-). So here is the mega-merge of the NTDOM branch server code. It doesn't include the new client side pieces, we'll look at that later. This should give the same functionality, server wise, as the NTDOM branch does, only merged into the main branch. Any fixes to domain controler functionality should be added to the main branch, not the NTDOM branch. This code compiles without warnings on gcc2.8, but will need further testing before we are sure all the working functionality of the NTDOM server branch has been correctly carried over. I hereby declare the server side of the NTDOM branch dead (and all who sail in her :-). Jeremy. (This used to be commit 118ba4d77a33248e762a2cf843fb7cbc906ee6e7)
1998-03-11 21:11:04 +00:00
mach_acct);
change_mach_pwd = (char*)getpass(tmp);
if (change_mach_pwd[0] != 0)
{
fstrcpy(new_mach_pwd, change_mach_pwd);
}
else
{
DEBUG(1,("trust_account_check: password change not requested\n"));
change_mach_pwd[0] = 0;
}
DEBUG(1,("initialise cli_trust connection\n"));
if (!cli_initialise(&cli_trust))
{
DEBUG(1,("cli_initialise failed for cli_trust\n"));
return False;
}
DEBUG(1,("server connect for cli_trust\n"));
if (!server_connect_init(&cli_trust, myhostname, dest_ip, dest_host))
{
cli_error(&cli_trust, &err_cls, &err_num);
DEBUG(1,("server_connect_init failed (%s)\n", cli_errstr(&cli_trust)));
cli_shutdown(&cli_trust);
return False;
}
DEBUG(1,("server connect cli_trust succeeded\n"));
nt_lm_owf_gen(mach_pwd, nt_owf_mach_pwd, lm_owf_mach_pwd);
DEBUG(5,("generating nt owf from initial machine pwd: %s\n", mach_pwd));
#ifdef DEBUG_PASSWORD
DEBUG(100,("client cryptkey: "));
dump_data(100, cli_trust.cryptkey, sizeof(cli_trust.cryptkey));
#endif
SMBencrypt(nt_owf_mach_pwd, cli_trust.cryptkey, nt_sess_pwd);
#ifdef DEBUG_PASSWORD
DEBUG(100,("nt_owf_mach_pwd: "));
dump_data(100, nt_owf_mach_pwd, sizeof(lm_owf_mach_pwd));
DEBUG(100,("nt_sess_pwd: "));
dump_data(100, nt_sess_pwd, sizeof(nt_sess_pwd));
#endif
SMBencrypt(lm_owf_mach_pwd, cli_trust.cryptkey, lm_sess_pwd);
#ifdef DEBUG_PASSWORD
DEBUG(100,("lm_owf_mach_pwd: "));
dump_data(100, lm_owf_mach_pwd, sizeof(lm_owf_mach_pwd));
DEBUG(100,("lm_sess_pwd: "));
dump_data(100, lm_sess_pwd, sizeof(lm_sess_pwd));
#endif
right_error_code = False;
if (cli_session_setup(&cli_trust, mach_acct,
nt_owf_mach_pwd, sizeof(nt_owf_mach_pwd),
nt_owf_mach_pwd, sizeof(nt_owf_mach_pwd), domain))
{
DEBUG(0,("cli_session_setup: NO ERROR! AAAGH! BUG IN SERVER DETECTED!!!\n"));
cli_shutdown(&cli_trust);
return False;
}
cli_error(&cli_trust, &err_cls, &err_num);
if (err_num == (0xC0000000 | NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT))
{
DEBUG(1,("cli_send_tconX: valid workstation trust account exists\n"));
right_error_code = True;
}
if (err_num == (0xC0000000 | NT_STATUS_NO_SUCH_USER))
{
DEBUG(1,("cli_send_tconX: workstation trust account does not exist\n"));
right_error_code = False;
}
if (!right_error_code)
{
DEBUG(1,("server_validate failed (%s)\n", cli_errstr(&cli_trust)));
}
cli_shutdown(&cli_trust);
return right_error_code;
}
Copy Permalink