samba-tool:domain: use generate_random_machine_password() for trusted domains

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

python/samba/join.py

@@ -1330,7 +1330,8 @@ def join_subdomain(logger=None, server=None, creds=None, lp=None, site=None,
     ctx.domsid = security.random_sid()
     ctx.acct_dn = None
     ctx.dnshostname = "%s.%s" % (ctx.myname.lower(), ctx.dnsdomain)
-    ctx.trustdom_pass = samba.generate_random_password(128, 128)
+    # Windows uses 240 bytes as UTF16 so we do
+    ctx.trustdom_pass = samba.generate_random_machine_password(120, 120)
 
     ctx.userAccountControl = samba.dsdb.UF_SERVER_TRUST_ACCOUNT | samba.dsdb.UF_TRUSTED_FOR_DELEGATION
 

python/samba/netcmd/domain.py

@@ -2265,33 +2265,14 @@ class cmd_domain_trust_create(DomainTrustCommand):
             # needs to pass the NL_PASSWORD_VERSION structure within the
             # 512 bytes and a 2 bytes confounder is required.
             #
-            def random_trust_secret(length, use_aes_keys=True):
-                secret = [0] * length
-
-                pw1 = samba.generate_random_password(length/2, length/2)
-                if not use_aes_keys:
-                    # With arcfour-hmac-md5 we have to use valid utf16
-                    # in order to generate the correct pre-auth key
-                    # based on a utf8 password.
-                    #
-                    # We can remove this once our client libraries
-                    # support using the correct NTHASH.
-                    return string_to_byte_array(pw1.encode('utf-16-le'))
-
-                # We mix characters from generate_random_password
-                # with random numbers from random.randint()
-                for i in range(len(secret)):
-                    if len(pw1) > i:
-                        secret[i] = ord(pw1[i])
-                    else:
-                        secret[i] = random.randint(0, 255)
-
-                return secret
+            def random_trust_secret(length):
+                pw = samba.generate_random_machine_password(length/2, length/2)
+                return string_to_byte_array(pw.encode('utf-16-le'))
 
             if local_trust_info.trust_direction & lsa.LSA_TRUST_DIRECTION_INBOUND:
-                incoming_secret = random_trust_secret(240, use_aes_keys=use_aes_keys)
+                incoming_secret = random_trust_secret(240)
             if local_trust_info.trust_direction & lsa.LSA_TRUST_DIRECTION_OUTBOUND:
-                outgoing_secret = random_trust_secret(240, use_aes_keys=use_aes_keys)
+                outgoing_secret = random_trust_secret(240)
 
             remote_policy_access |= lsa.LSA_POLICY_TRUST_ADMIN
             remote_policy_access |= lsa.LSA_POLICY_CREATE_SECRET