sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-17 02:05:21 +03:00
Code
samba-mirror/source3/libads/util.c
Andrew Bartlett e4202a9fe7 Antti Andreimann <Antti.Andreimann@mail.ee> has done some changes to enable 
users w/o full administrative access on computer accounts to join a
computer into AD domain.

The patch and detailed changelog is available at:
http://www.itcollege.ee/~aandreim/samba

This is a list of changes in general:

1. When creating machine account do not fail if SD cannot be changed.
   setting SD is not mandatory and join will work perfectly without it.
2. Implement KPASSWD CHANGEPW protocol for changing trust password so
   machine account does not need to have reset password right for itself.
3. Command line utilities no longer interfere with user's existing
   kerberos ticket cache.
4. Command line utilities can do kerberos authentication even if
   username is specified (-U). Initial TGT will be requested in this case.

I've modified the patch to share the kinit code, rather than copying it,
and updated it to current CVS.  The other change included in the original patch
(local realms) has been left out for now.

Andrew Bartlett
(This used to be commit ce52f1c2ed4d3ddafe8ae6258c90b90fa434fe43)
2003-02-15 00:29:21 +00:00

61 lines
1.8 KiB
C
Raw Blame History

/*
Unix SMB/CIFS implementation.
krb5 set password implementation
Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#ifdef HAVE_KRB5
ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal)
{
char *tmp_password;
char *password;
char *new_password;
char *service_principal;
ADS_STATUS ret;
if ((password = secrets_fetch_machine_password()) == NULL) {
DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal));
return ADS_ERROR_SYSTEM(ENOENT);
}
tmp_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
new_password = strdup(tmp_password);
asprintf(&service_principal, "HOST/%s", host_principal);
ret = kerberos_set_password(ads->auth.kdc_server, service_principal, password, service_principal, new_password, ads->auth.time_offset);
if (!ADS_ERR_OK(ret)) goto failed;
if (!secrets_store_machine_password(new_password)) {
DEBUG(1,("Failed to save machine password\n"));
return ADS_ERROR_SYSTEM(EACCES);
}
failed:
SAFE_FREE(service_principal);
SAFE_FREE(new_password);
return ret;
}
#endif
View Git Blame Copy Permalink