wbinfo: Add --change-secret-at=dcname

Add WHATSNEW.txt entry and update wbinfo man page.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

WHATSNEW.txt

@@ -74,7 +74,13 @@ disable colour output. See https://no-color.org/ for a description of
 this variable. `samba-tool --color=always` will use colour regardless
 of NO_COLOR.
 
+New wbinfo option --change-secret-at
+------------------------------------
 
+The wbinfo command has a new option, --change-secret-at=<DOMAIN CONTROLLER>
+which forces the trust account password to be changed at a specified domain
+controller. If the specified domain controller cannot be contacted the
+password change fails rather than trying other DCs.
 
 
 REMOVED FEATURES

docs-xml/manpages/wbinfo.1.xml

@@ -143,6 +143,14 @@
 		</para></listitem>
 		</varlistentry>
 
+		<varlistentry>
+		<term>--change-secret-at <replaceable>domain-controller</replaceable></term>
+		<listitem><para>Change the trust account password at a specific
+		domain controller. Fails if the specificied domain controller
+		cannot be contacted.
+		</para></listitem>
+		</varlistentry>
+
 		<varlistentry>
 		<term>--ccache-save <replaceable>username%password</replaceable></term>
 		<listitem><para>Store user and password for ccache.

nsswitch/wbinfo.c

@@ -849,6 +849,43 @@ static bool wbinfo_change_secret(const char *domain)
 	return true;
 }
 
+/* Change trust account password chose Domain Controller */
+
+static bool wbinfo_change_secret_at(const char *domain,
+				    const char *domain_controller)
+{
+	wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
+	struct wbcAuthErrorInfo *error = NULL;
+	const char *domain_name;
+
+	if (domain) {
+		domain_name = domain;
+	} else {
+		domain_name = get_winbind_domain();
+	}
+
+	wbc_status = wbcChangeTrustCredentialsAt(
+		domain_name, domain_controller,  &error);
+
+	d_printf("changing the trust secret for domain %s via RPC calls %s\n",
+		domain_name,
+		WBC_ERROR_IS_OK(wbc_status) ? "succeeded" : "failed");
+
+	if (wbc_status == WBC_ERR_AUTH_ERROR) {
+		d_fprintf(stderr, "wbcChangeTrustCredentials(%s): "
+			  "error code was %s (0x%x)\n",
+			  domain_name, error->nt_string, error->nt_status);
+		wbcFreeMemory(error);
+	}
+	if (!WBC_ERROR_IS_OK(wbc_status)) {
+		d_fprintf(stderr, "failed to call wbcChangeTrustCredentials: "
+			  "%s\n", wbcErrorString(wbc_status));
+		return false;
+	}
+
+	return true;
+}
+
 /* Check DC connection */
 
 static bool wbinfo_ping_dc(const char *domain)
@@ -2291,7 +2328,8 @@ enum {
 	OPT_LOGOFF_USER,
 	OPT_LOGOFF_UID,
 	OPT_LANMAN,
-	OPT_KRB5CCNAME
+	OPT_KRB5CCNAME,
+	OPT_CHANGE_SECRET_AT
 };
 
 int main(int argc, const char **argv, char **envp)
@@ -2507,6 +2545,13 @@ int main(int argc, const char **argv, char **envp)
 			.val        = 'c',
 			.descrip    = "Change shared secret",
 		},
+		{
+			.longName   = "change-secret-at",
+			.shortName  = 0,
+			.argInfo    = POPT_ARG_STRING,
+			.arg        = &string_arg,
+			.val        = OPT_CHANGE_SECRET_AT,
+			.descrip    = "Change shared secret at Domain Controler" },
 		{
 			.longName   = "ping-dc",
 			.shortName  = 'P',
@@ -3034,6 +3079,12 @@ int main(int argc, const char **argv, char **envp)
 				goto done;
 			}
 			break;
+		case OPT_CHANGE_SECRET_AT:
+			if (!wbinfo_change_secret_at(opt_domain_name, string_arg)) {
+				d_fprintf(stderr, "Could not change secret\n");
+				goto done;
+			}
+			break;
 		case 'P':
 			if (!wbinfo_ping_dc(opt_domain_name)) {
 				goto done;