From 50605ddd1ce722656da616723500555360e4e1b8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 30 Jan 2015 09:21:59 +0000
Subject: [PATCH] s3:trusts_util: add support for SEC_CHAN_DNS_DOMAIN in trust_pw_change()

SEC_CHAN_DNS_DOMAIN trusts use longer passwords, Windows uses 240 UTF16 bytes. Some trustAttribute flags may also make impact on the length on Windows, but we could be better if we know that the remote domain is an AD domain.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Guenther Deschner
---
 source3/libsmb/trusts_util.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index 48db393fb1d..cedb3365e28 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -66,6 +66,7 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
 	struct timeval g_timeout = { 0, };
 	int timeout = 0;
 	struct timeval tv = { 0, };
+	size_t new_len = DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH;
 	NTSTATUS status;
 
 	state = talloc_zero(frame, struct trust_pw_change_state);
@@ -121,6 +122,17 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
 		}
 		free(pwd);
 		break;
+	case SEC_CHAN_DNS_DOMAIN:
+		/*
+		 * new_len * 2 = 498 bytes is the largest possible length
+		 * NL_PASSWORD_VERSION consumes the rest of the possible 512 bytes
+		 * and a confounder with at least 2 bytes is required.
+		 *
+		 * Windows uses new_len = 120 => 240 bytes.
+		 */
+		new_len = 120;
+
+		/* fall through */
 	case SEC_CHAN_DOMAIN:
 		if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
 			TALLOC_FREE(frame);
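Review bot: `new_len = 120;` in the new SEC_CHAN_DNS_DOMAIN case is a bare magic number that the comment above it has to justify by arithmetic; a named constant alongside DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH, e.g. `#define DNS_DOMAIN_TRUST_PASSWORD_LENGTH 120 /* 240 UTF-16 bytes, matches Windows */`, would keep the 498/512/confounder derivation in one checkable place and let any later trustAttribute-dependent length the commit message mentions be expressed against it. The comment's first line also reads as an equality where it means a bound; I would reword it to `* new_len * 2 must not exceed 498 bytes: NL_PASSWORD_VERSION (the remaining 12 bytes, if I read this right) and a confounder of at least 2 bytes must fit in the 512-byte buffer.` The `/* fall through */` into SEC_CHAN_DOMAIN is fine, but the enclosing switch and trust_pw_change itself start and end outside this hunk, so I cannot see whether a default branch covers channel types that should not reach generate_random_password at all.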
@@ -154,9 +166,7 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
 	}
 
 	/* Create a random machine account password */
-	new_trust_passwd = generate_random_password(frame,
-					DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
-					DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
+	new_trust_passwd = generate_random_password(frame, new_len, new_len);
 	if (new_trust_passwd == NULL) {
 		DEBUG(0, ("generate_random_password failed\n"));
 		TALLOC_FREE(frame);
@@ -199,6 +209,7 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
 	}
 	break;
 
+	case SEC_CHAN_DNS_DOMAIN:
 	case SEC_CHAN_DOMAIN:
 		/*
 		 * we need to get the sid first for the
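Review bot: The "240 UTF16 bytes" claim in the commit message only follows from `generate_random_password(frame, new_len, new_len)` if every character the helper returns occupies a single UTF-16 code unit; the hunk does not show generate_random_password's character set or whether its min/max count characters or bytes, so if it can emit characters outside the BMP, or counts bytes, the 498-byte bound worked out for SEC_CHAN_DNS_DOMAIN no longer holds on the wire. A one-line comment at the call site pinning that assumption would help the next reader: `/* new_len counts characters; each must encode to one UTF-16 code unit for the SEC_CHAN_DNS_DOMAIN size bound to hold */`. Passing new_len as both minimum and maximum also makes the generated length exact per channel type, which is worth stating since the old code relied on the same constant twice by coincidence. trust_pw_change continues outside this hunk on both sides.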