2003-07-01 17:51:52 +00:00
/*
2002-01-30 06:08:46 +00:00
* Unix SMB / CIFS implementation .
2003-03-14 17:05:13 +00:00
* Routines to operate on various trust relationships
* Copyright ( C ) Andrew Bartlett 2001
* Copyright ( C ) Rafal Szczesniak 2003
2001-12-05 11:00:26 +00:00
*
* This program is free software ; you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
2007-07-09 19:25:36 +00:00
* the Free Software Foundation ; either version 3 of the License , or
2001-12-05 11:00:26 +00:00
* ( at your option ) any later version .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
*
* You should have received a copy of the GNU General Public License
2007-07-10 05:23:25 +00:00
* along with this program ; if not , see < http : //www.gnu.org/licenses/>.
2001-12-05 11:00:26 +00:00
*/
# include "includes.h"
2009-03-16 21:27:58 +11:00
# include "../libcli/auth/libcli_auth.h"
2010-05-18 18:26:03 +02:00
# include "rpc_client/cli_netlogon.h"
2011-02-28 10:19:44 +01:00
# include "rpc_client/cli_pipe.h"
2010-06-30 12:10:55 +02:00
# include "../librpc/gen_ndr/ndr_netlogon.h"
2010-08-05 02:25:37 +02:00
# include "secrets.h"
2011-03-18 18:58:37 +01:00
# include "passdb.h"
2011-05-06 11:47:43 +02:00
# include "libsmb/libsmb.h"
2001-12-05 11:00:26 +00:00
/*********************************************************
Change the domain password on the PDC .
Store the password ourselves , but use the supplied password
Caller must have already setup the connection to the NETLOGON pipe
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-09-30 17:13:37 +00:00
NTSTATUS trust_pw_change_and_store_it ( struct rpc_pipe_client * cli , TALLOC_CTX * mem_ctx ,
2003-04-16 10:20:14 +00:00
const char * domain ,
2009-10-08 00:34:05 +02:00
const char * account_name ,
2003-04-16 10:20:14 +00:00
unsigned char orig_trust_passwd_hash [ 16 ] ,
2009-10-13 10:15:34 +02:00
enum netr_SchannelType sec_channel_type )
2001-12-05 11:00:26 +00:00
{
unsigned char new_trust_passwd_hash [ 16 ] ;
char * new_trust_passwd ;
NTSTATUS nt_status ;
2009-10-04 15:13:44 +02:00
2009-10-08 00:39:40 +02:00
switch ( sec_channel_type ) {
case SEC_CHAN_WKSTA :
case SEC_CHAN_DOMAIN :
break ;
default :
return NT_STATUS_NOT_SUPPORTED ;
}
2001-12-05 11:00:26 +00:00
/* Create a random machine account password */
2008-10-19 10:05:48 +02:00
new_trust_passwd = generate_random_str ( mem_ctx , DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH ) ;
2006-06-19 20:00:51 +00:00
2008-10-19 10:05:48 +02:00
if ( new_trust_passwd = = NULL ) {
2006-06-19 20:00:51 +00:00
DEBUG ( 0 , ( " talloc_strdup failed \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
}
2009-10-04 15:13:44 +02:00
2002-06-25 07:58:29 +00:00
E_md4hash ( new_trust_passwd , new_trust_passwd_hash ) ;
2001-12-05 11:00:26 +00:00
2009-10-05 22:14:06 +02:00
nt_status = rpccli_netlogon_set_trust_password ( cli , mem_ctx ,
2009-10-08 00:34:05 +02:00
account_name ,
2009-10-05 22:14:06 +02:00
orig_trust_passwd_hash ,
new_trust_passwd ,
new_trust_passwd_hash ,
sec_channel_type ) ;
2009-10-04 15:13:44 +02:00
2001-12-05 11:00:26 +00:00
if ( NT_STATUS_IS_OK ( nt_status ) ) {
2002-06-25 08:57:24 +00:00
DEBUG ( 3 , ( " %s : trust_pw_change_and_store_it: Changed password. \n " ,
2009-11-03 10:59:18 +01:00
current_timestring ( talloc_tos ( ) , False ) ) ) ;
2001-12-05 11:00:26 +00:00
/*
* Return the result of trying to write the new password
* back into the trust account file .
*/
2009-10-08 00:39:40 +02:00
switch ( sec_channel_type ) {
case SEC_CHAN_WKSTA :
if ( ! secrets_store_machine_password ( new_trust_passwd , domain , sec_channel_type ) ) {
nt_status = NT_STATUS_UNSUCCESSFUL ;
}
break ;
case SEC_CHAN_DOMAIN : {
char * pwd ;
struct dom_sid sid ;
time_t pass_last_set_time ;
/* we need to get the sid first for the
* pdb_set_trusteddom_pw call */
if ( ! pdb_get_trusteddom_pw ( domain , & pwd , & sid , & pass_last_set_time ) ) {
nt_status = NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE ;
}
if ( ! pdb_set_trusteddom_pw ( domain , new_trust_passwd , & sid ) ) {
nt_status = NT_STATUS_INTERNAL_DB_CORRUPTION ;
}
break ;
}
default :
break ;
2001-12-05 11:00:26 +00:00
}
}
return nt_status ;
}
/*********************************************************
Change the domain password on the PDC .
Do most of the legwork ourselfs . Caller must have
already setup the connection to the NETLOGON pipe
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-09-30 17:13:37 +00:00
NTSTATUS trust_pw_find_change_and_store_it ( struct rpc_pipe_client * cli ,
2003-04-16 10:20:14 +00:00
TALLOC_CTX * mem_ctx ,
2002-11-12 23:15:52 +00:00
const char * domain )
2001-12-05 11:00:26 +00:00
{
unsigned char old_trust_passwd_hash [ 16 ] ;
2009-10-13 10:15:34 +02:00
enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL ;
2009-10-08 00:39:40 +02:00
const char * account_name ;
2003-04-16 10:20:14 +00:00
2009-10-08 00:39:40 +02:00
if ( ! get_trust_pw_hash ( domain , old_trust_passwd_hash , & account_name ,
& sec_channel_type ) ) {
2001-12-05 11:00:26 +00:00
DEBUG ( 0 , ( " could not fetch domain secrets for domain %s! \n " , domain ) ) ;
return NT_STATUS_UNSUCCESSFUL ;
}
2009-10-04 15:13:44 +02:00
2003-04-16 10:20:14 +00:00
return trust_pw_change_and_store_it ( cli , mem_ctx , domain ,
2009-10-08 00:39:40 +02:00
account_name ,
2003-04-16 10:20:14 +00:00
old_trust_passwd_hash ,
sec_channel_type ) ;
2003-03-14 17:05:13 +00:00
}
2010-06-30 12:10:55 +02:00
NTSTATUS change_trust_account_password ( const char * domain , const char * remote_machine )
{
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL ;
struct sockaddr_storage pdc_ss ;
fstring dc_name ;
struct cli_state * cli = NULL ;
struct rpc_pipe_client * netlogon_pipe = NULL ;
DEBUG ( 5 , ( " change_trust_account_password: Attempting to change trust account password in domain %s.... \n " ,
domain ) ) ;
if ( remote_machine = = NULL | | ! strcmp ( remote_machine , " * " ) ) {
/* Use the PDC *only* for this */
if ( ! get_pdc_ip ( domain , & pdc_ss ) ) {
DEBUG ( 0 , ( " Can't get IP for PDC for domain %s \n " , domain ) ) ;
goto failed ;
}
if ( ! name_status_find ( domain , 0x1b , 0x20 , & pdc_ss , dc_name ) )
goto failed ;
} else {
/* supoport old deprecated "smbpasswd -j DOMAIN -r MACHINE" behavior */
fstrcpy ( dc_name , remote_machine ) ;
}
/* if this next call fails, then give up. We can't do
password changes on BDC ' s - - jerry */
2011-06-09 15:31:03 +10:00
if ( ! NT_STATUS_IS_OK ( cli_full_connection ( & cli , lp_netbios_name ( ) , dc_name ,
2010-06-30 12:10:55 +02:00
NULL , 0 ,
" IPC$ " , " IPC " ,
" " , " " ,
2011-11-02 18:41:50 +01:00
" " , 0 , SMB_SIGNING_DEFAULT ) ) ) {
2010-06-30 12:10:55 +02:00
DEBUG ( 0 , ( " modify_trust_password: Connection to %s failed! \n " , dc_name ) ) ;
nt_status = NT_STATUS_UNSUCCESSFUL ;
goto failed ;
}
/*
* Ok - we have an anonymous connection to the IPC $ share .
* Now start the NT Domain stuff : - ) .
*/
/* Shouldn't we open this with schannel ? JRA. */
nt_status = cli_rpc_pipe_open_noauth (
cli , & ndr_table_netlogon . syntax_id , & netlogon_pipe ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
DEBUG ( 0 , ( " modify_trust_password: unable to open the domain client session to machine %s. Error was : %s. \n " ,
dc_name , nt_errstr ( nt_status ) ) ) ;
cli_shutdown ( cli ) ;
cli = NULL ;
goto failed ;
}
nt_status = trust_pw_find_change_and_store_it (
netlogon_pipe , netlogon_pipe , domain ) ;
cli_shutdown ( cli ) ;
cli = NULL ;
failed :
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
DEBUG ( 0 , ( " %s : change_trust_account_password: Failed to change password for domain %s. \n " ,
current_timestring ( talloc_tos ( ) , False ) , domain ) ) ;
}
else
DEBUG ( 5 , ( " change_trust_account_password: sucess! \n " ) ) ;
return nt_status ;
}