s4:trust_utils: store new trust/machine passwords before trying it remotely.
If this fails we can still fall back to the old password... Before trying the password change we verify that the DC knows our current password. This should make the password changes much more robust. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org>
parent
1623992105
commit
29b173d2a7
@ -163,6 +163,19 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
/*
|
||||
* We could use cli_credentials_get_old_nt_hash(creds, frame) to
|
||||
* set previous_nt_hash.
|
||||
*
|
||||
* But we want to check if the dc has our current password and only do
|
||||
* a change if that's the case. So we keep previous_nt_hash = NULL.
|
||||
*
|
||||
* TODO:
|
||||
* If the previous password is the only password in common with the dc,
|
||||
* we better skip the password change, or use something like
|
||||
* ServerTrustPasswordsGet() or netr_ServerGetTrustInfo() to fix our
|
||||
* local secrets before doing the change.
|
||||
*/
|
||||
status = netlogon_creds_cli_auth(context, b,
|
||||
current_nt_hash,
|
||||
previous_nt_hash);
|
||||
@ -171,16 +184,6 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
|
||||
return status;
|
||||
}
|
||||
|
||||
status = netlogon_creds_cli_ServerPasswordSet(context, b,
|
||||
new_trust_passwd, NULL);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
TALLOC_FREE(frame);
|
||||
return status;
|
||||
}
|
||||
|
||||
DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
|
||||
current_timestring(talloc_tos(), False)));
|
||||
|
||||
/*
|
||||
* Return the result of trying to write the new password
|
||||
* back into the trust account file.
|
||||
@ -212,6 +215,22 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
|
||||
break;
|
||||
}
|
||||
|
||||
DEBUG(1,("%s : %s(%s): Changed password locally\n",
|
||||
current_timestring(talloc_tos(), false), __func__, domain));
|
||||
|
||||
status = netlogon_creds_cli_ServerPasswordSet(context, b,
|
||||
new_trust_passwd, NULL);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(0,("%s : %s(%s) remote password change set failed - %s\n",
|
||||
current_timestring(talloc_tos(), false), __func__,
|
||||
domain, nt_errstr(status)));
|
||||
TALLOC_FREE(frame);
|
||||
return status;
|
||||
}
|
||||
|
||||
DEBUG(1,("%s : %s(%s): Changed password remotely.\n",
|
||||
current_timestring(talloc_tos(), false), __func__, domain));
|
||||
|
||||
TALLOC_FREE(frame);
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
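Review bot: The failure branch after `netlogon_creds_cli_ServerPasswordSet()` in the last hunk returns with the new password already written to the local secrets, and neither the code nor the `DEBUG(0)` text records that the local store and the DC may now disagree. A comment above the call would make the ordering contract explicit, e.g. `/* The new password is already stored locally; if this call fails the DC may still hold only the old one, so the old password must stay usable. */`. The TODO added in the first hunk appears to describe the follow-up case: with `previous_nt_hash` left NULL, a later `netlogon_creds_cli_auth()` would presumably be attempted with the unaccepted password only, so that comment should also say that a failed remote set leaves the account in exactly that state until the secrets are repaired. The local store itself and the start of `trust_pw_change()` lie outside the visible hunks, so this is inferred from the log messages and the commit description.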