2003-07-01 21:51:52 +04:00
/*
2002-01-30 09:08:46 +03:00
* Unix SMB / CIFS implementation .
2003-03-14 20:05:13 +03:00
* Routines to operate on various trust relationships
* Copyright ( C ) Andrew Bartlett 2001
* Copyright ( C ) Rafal Szczesniak 2003
2001-12-05 14:00:26 +03:00
*
* This program is free software ; you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
2007-07-09 23:25:36 +04:00
* the Free Software Foundation ; either version 3 of the License , or
2001-12-05 14:00:26 +03:00
* ( at your option ) any later version .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
*
* You should have received a copy of the GNU General Public License
2007-07-10 09:23:25 +04:00
* along with this program ; if not , see < http : //www.gnu.org/licenses/>.
2001-12-05 14:00:26 +03:00
*/
# include "includes.h"
/*********************************************************
Change the domain password on the PDC .
Store the password ourselves , but use the supplied password
Caller must have already setup the connection to the NETLOGON pipe
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-09-30 21:13:37 +04:00
NTSTATUS trust_pw_change_and_store_it ( struct rpc_pipe_client * cli , TALLOC_CTX * mem_ctx ,
2003-04-16 14:20:14 +04:00
const char * domain ,
unsigned char orig_trust_passwd_hash [ 16 ] ,
uint32 sec_channel_type )
2001-12-05 14:00:26 +03:00
{
unsigned char new_trust_passwd_hash [ 16 ] ;
char * new_trust_passwd ;
char * str ;
NTSTATUS nt_status ;
/* Create a random machine account password */
str = generate_random_str ( DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH ) ;
2006-06-20 00:00:51 +04:00
if ( ( new_trust_passwd = talloc_strdup ( mem_ctx , str ) ) = = NULL ) {
DEBUG ( 0 , ( " talloc_strdup failed \n " ) ) ;
return NT_STATUS_NO_MEMORY ;
}
2001-12-05 14:00:26 +03:00
2002-06-25 11:58:29 +04:00
E_md4hash ( new_trust_passwd , new_trust_passwd_hash ) ;
2001-12-05 14:00:26 +03:00
2008-09-21 20:57:26 +04:00
nt_status = rpccli_netlogon_set_trust_password ( cli , mem_ctx ,
orig_trust_passwd_hash ,
new_trust_passwd ,
new_trust_passwd_hash ,
sec_channel_type ) ;
2001-12-05 14:00:26 +03:00
if ( NT_STATUS_IS_OK ( nt_status ) ) {
2002-06-25 12:57:24 +04:00
DEBUG ( 3 , ( " %s : trust_pw_change_and_store_it: Changed password. \n " ,
2008-03-28 17:49:13 +03:00
current_timestring ( debug_ctx ( ) , False ) ) ) ;
2001-12-05 14:00:26 +03:00
/*
* Return the result of trying to write the new password
* back into the trust account file .
*/
2007-03-13 23:53:38 +03:00
if ( ! secrets_store_machine_password ( new_trust_passwd , domain , sec_channel_type ) ) {
2001-12-05 14:00:26 +03:00
nt_status = NT_STATUS_UNSUCCESSFUL ;
}
}
return nt_status ;
}
/*********************************************************
Change the domain password on the PDC .
Do most of the legwork ourselfs . Caller must have
already setup the connection to the NETLOGON pipe
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2005-09-30 21:13:37 +04:00
NTSTATUS trust_pw_find_change_and_store_it ( struct rpc_pipe_client * cli ,
2003-04-16 14:20:14 +04:00
TALLOC_CTX * mem_ctx ,
2002-11-13 02:15:52 +03:00
const char * domain )
2001-12-05 14:00:26 +03:00
{
unsigned char old_trust_passwd_hash [ 16 ] ;
2003-04-16 14:20:14 +04:00
uint32 sec_channel_type = 0 ;
2001-12-05 14:00:26 +03:00
if ( ! secrets_fetch_trust_account_password ( domain ,
old_trust_passwd_hash ,
2003-04-16 14:20:14 +04:00
NULL , & sec_channel_type ) ) {
2001-12-05 14:00:26 +03:00
DEBUG ( 0 , ( " could not fetch domain secrets for domain %s! \n " , domain ) ) ;
return NT_STATUS_UNSUCCESSFUL ;
}
2003-04-16 14:20:14 +04:00
return trust_pw_change_and_store_it ( cli , mem_ctx , domain ,
old_trust_passwd_hash ,
sec_channel_type ) ;
2003-03-14 20:05:13 +03:00
}
2003-07-01 07:49:41 +04:00
/*********************************************************************
Enumerate the list of trusted domains from a DC
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-10-19 04:40:25 +04:00
bool enumerate_domain_trusts ( TALLOC_CTX * mem_ctx , const char * domain ,
2003-07-01 21:51:52 +04:00
char * * * domain_names , uint32 * num_domains ,
2003-07-01 07:49:41 +04:00
DOM_SID * * sids )
{
POLICY_HND pol ;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL ;
fstring dc_name ;
2007-10-25 01:16:54 +04:00
struct sockaddr_storage dc_ss ;
2003-07-01 07:49:41 +04:00
uint32 enum_ctx = 0 ;
struct cli_state * cli = NULL ;
2005-09-30 21:13:37 +04:00
struct rpc_pipe_client * lsa_pipe ;
2007-10-19 04:40:25 +04:00
bool retry ;
2008-02-13 02:25:40 +03:00
struct lsa_DomainList dom_list ;
int i ;
2003-07-01 21:51:52 +04:00
2003-07-01 07:49:41 +04:00
* domain_names = NULL ;
* num_domains = 0 ;
* sids = NULL ;
2003-07-01 21:51:52 +04:00
2003-07-01 07:49:41 +04:00
/* lookup a DC first */
2003-07-01 21:51:52 +04:00
2007-10-25 01:16:54 +04:00
if ( ! get_dc_name ( domain , NULL , dc_name , & dc_ss ) ) {
2003-07-01 07:49:41 +04:00
DEBUG ( 3 , ( " enumerate_domain_trusts: can't locate a DC for domain %s \n " ,
domain ) ) ;
return False ;
}
2003-07-01 21:51:52 +04:00
2003-07-01 07:49:41 +04:00
/* setup the anonymous connection */
2003-07-01 21:51:52 +04:00
2007-10-25 01:16:54 +04:00
result = cli_full_connection ( & cli , global_myname ( ) , dc_name , & dc_ss , 0 , " IPC$ " , " IPC " ,
2003-07-31 03:49:29 +04:00
" " , " " , " " , 0 , Undefined , & retry ) ;
2003-07-01 07:49:41 +04:00
if ( ! NT_STATUS_IS_OK ( result ) )
goto done ;
2003-07-01 21:51:52 +04:00
2003-07-01 07:49:41 +04:00
/* open the LSARPC_PIPE */
2003-07-01 21:51:52 +04:00
2008-07-20 13:04:31 +04:00
result = cli_rpc_pipe_open_noauth ( cli , & ndr_table_lsarpc . syntax_id ,
& lsa_pipe ) ;
if ( ! NT_STATUS_IS_OK ( result ) ) {
2003-07-01 07:49:41 +04:00
goto done ;
}
2003-07-01 21:51:52 +04:00
2003-07-01 07:49:41 +04:00
/* get a handle */
2003-07-01 21:51:52 +04:00
2005-09-30 21:13:37 +04:00
result = rpccli_lsa_open_policy ( lsa_pipe , mem_ctx , True ,
2008-02-27 17:49:31 +03:00
LSA_POLICY_VIEW_LOCAL_INFORMATION , & pol ) ;
2003-07-01 07:49:41 +04:00
if ( ! NT_STATUS_IS_OK ( result ) )
goto done ;
/* Lookup list of trusted domains */
2008-02-13 02:25:40 +03:00
result = rpccli_lsa_EnumTrustDom ( lsa_pipe , mem_ctx ,
& pol ,
& enum_ctx ,
& dom_list ,
( uint32_t ) - 1 ) ;
2003-07-01 21:51:52 +04:00
if ( ! NT_STATUS_IS_OK ( result ) )
2003-07-01 07:49:41 +04:00
goto done ;
2003-07-01 21:51:52 +04:00
2008-02-13 02:25:40 +03:00
* num_domains = dom_list . count ;
* domain_names = TALLOC_ZERO_ARRAY ( mem_ctx , char * , * num_domains ) ;
if ( ! * domain_names ) {
result = NT_STATUS_NO_MEMORY ;
goto done ;
}
* sids = TALLOC_ZERO_ARRAY ( mem_ctx , DOM_SID , * num_domains ) ;
if ( ! * sids ) {
result = NT_STATUS_NO_MEMORY ;
goto done ;
}
for ( i = 0 ; i < * num_domains ; i + + ) {
( * domain_names ) [ i ] = CONST_DISCARD ( char * , dom_list . domains [ i ] . name . string ) ;
( * sids ) [ i ] = * dom_list . domains [ i ] . sid ;
}
2003-07-01 21:51:52 +04:00
done :
2003-07-01 07:49:41 +04:00
/* cleanup */
2003-09-16 07:54:42 +04:00
if ( cli ) {
2003-11-22 09:15:28 +03:00
DEBUG ( 10 , ( " enumerate_domain_trusts: shutting down connection... \n " ) ) ;
2003-09-16 07:54:42 +04:00
cli_shutdown ( cli ) ;
}
2003-03-15 11:18:29 +03:00
2003-07-01 21:51:52 +04:00
return NT_STATUS_IS_OK ( result ) ;
2003-03-14 20:05:13 +03:00
}
