mirror of
https://github.com/samba-team/samba.git
synced 2025-01-05 09:18:06 +03:00
246 lines
7.7 KiB
C
246 lines
7.7 KiB
C
/*
|
|
* Unix SMB/Netbios implementation.
|
|
* Version 1.9.
|
|
* RPC Pipe client / server routines
|
|
* Copyright (C) Andrew Tridgell 1992-1997,
|
|
* Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
|
|
* Copyright (C) Paul Ashton 1997.
|
|
* Copyright (C) Jeremy Allison 1998.
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
|
|
extern pstring global_myname;
|
|
|
|
/*********************************************************
|
|
Change the domain password on the PDC.
|
|
**********************************************************/
|
|
|
|
static BOOL modify_trust_password( char *domain, char *remote_machine,
|
|
unsigned char orig_trust_passwd_hash[16],
|
|
unsigned char new_trust_passwd_hash[16])
|
|
{
|
|
struct cli_state cli;
|
|
|
|
ZERO_STRUCT(cli);
|
|
if(cli_initialise(&cli) == NULL) {
|
|
DEBUG(0,("modify_trust_password: unable to initialize client connection.\n"));
|
|
return False;
|
|
}
|
|
|
|
if(!resolve_name( remote_machine, &cli.dest_ip, 0x20)) {
|
|
DEBUG(0,("modify_trust_password: Can't resolve address for %s\n", remote_machine));
|
|
cli_shutdown(&cli);
|
|
return False;
|
|
}
|
|
|
|
if (ismyip(cli.dest_ip)) {
|
|
DEBUG(0,("modify_trust_password: Machine %s is one of our addresses. Cannot add \
|
|
to ourselves.\n", remote_machine));
|
|
cli_shutdown(&cli);
|
|
return False;
|
|
}
|
|
|
|
if (!cli_connect(&cli, remote_machine, &cli.dest_ip)) {
|
|
DEBUG(0,("modify_trust_password: unable to connect to SMB server on \
|
|
machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
|
|
cli_shutdown(&cli);
|
|
return False;
|
|
}
|
|
|
|
if (!attempt_netbios_session_request(&cli, global_myname, remote_machine, &cli.dest_ip)) {
|
|
DEBUG(0,("modify_trust_password: machine %s rejected the NetBIOS \
|
|
session request. Error was %s\n", remote_machine, cli_errstr(&cli) ));
|
|
cli_shutdown(&cli);
|
|
return False;
|
|
}
|
|
|
|
cli.protocol = PROTOCOL_NT1;
|
|
|
|
if (!cli_negprot(&cli)) {
|
|
DEBUG(0,("modify_trust_password: machine %s rejected the negotiate protocol. \
|
|
Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
|
|
cli_shutdown(&cli);
|
|
return False;
|
|
}
|
|
|
|
if (cli.protocol != PROTOCOL_NT1) {
|
|
DEBUG(0,("modify_trust_password: machine %s didn't negotiate NT protocol.\n",
|
|
remote_machine));
|
|
cli_shutdown(&cli);
|
|
return False;
|
|
}
|
|
|
|
/*
|
|
* Do an anonymous session setup.
|
|
*/
|
|
|
|
if (!cli_session_setup(&cli, "", "", 0, "", 0, "")) {
|
|
DEBUG(0,("modify_trust_password: machine %s rejected the session setup. \
|
|
Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
|
|
cli_shutdown(&cli);
|
|
return False;
|
|
}
|
|
|
|
if (!(cli.sec_mode & 1)) {
|
|
DEBUG(0,("modify_trust_password: machine %s isn't in user level security mode\n",
|
|
remote_machine));
|
|
cli_shutdown(&cli);
|
|
return False;
|
|
}
|
|
|
|
if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) {
|
|
DEBUG(0,("modify_trust_password: machine %s rejected the tconX on the IPC$ share. \
|
|
Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
|
|
cli_shutdown(&cli);
|
|
return False;
|
|
}
|
|
|
|
/*
|
|
* Ok - we have an anonymous connection to the IPC$ share.
|
|
* Now start the NT Domain stuff :-).
|
|
*/
|
|
|
|
if(cli_lsa_get_domain_sid(&cli, remote_machine) == False) {
|
|
DEBUG(0,("modify_trust_password: unable to obtain domain sid from %s. Error was : %s.\n", remote_machine, cli_errstr(&cli)));
|
|
cli_ulogoff(&cli);
|
|
cli_shutdown(&cli);
|
|
return False;
|
|
}
|
|
|
|
if(cli_nt_session_open(&cli, PIPE_NETLOGON) == False) {
|
|
DEBUG(0,("modify_trust_password: unable to open the domain client session to \
|
|
machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli)));
|
|
cli_nt_session_close(&cli);
|
|
cli_ulogoff(&cli);
|
|
cli_shutdown(&cli);
|
|
return False;
|
|
}
|
|
|
|
if(cli_nt_setup_creds(&cli, orig_trust_passwd_hash) == False) {
|
|
DEBUG(0,("modify_trust_password: unable to setup the PDC credentials to machine \
|
|
%s. Error was : %s.\n", remote_machine, cli_errstr(&cli)));
|
|
cli_nt_session_close(&cli);
|
|
cli_ulogoff(&cli);
|
|
cli_shutdown(&cli);
|
|
return False;
|
|
}
|
|
|
|
if( cli_nt_srv_pwset( &cli,new_trust_passwd_hash ) == False) {
|
|
DEBUG(0,("modify_trust_password: unable to change password for machine %s in domain \
|
|
%s to Domain controller %s. Error was %s.\n", global_myname, domain, remote_machine,
|
|
cli_errstr(&cli)));
|
|
cli_close(&cli, cli.nt_pipe_fnum);
|
|
cli_ulogoff(&cli);
|
|
cli_shutdown(&cli);
|
|
return False;
|
|
}
|
|
|
|
cli_nt_session_close(&cli);
|
|
cli_ulogoff(&cli);
|
|
cli_shutdown(&cli);
|
|
|
|
return True;
|
|
}
|
|
|
|
/************************************************************************
|
|
Change the trust account password for a domain.
|
|
The user of this function must have locked the trust password file for
|
|
update.
|
|
************************************************************************/
|
|
|
|
BOOL change_trust_account_password( char *domain, char *remote_machine_list)
|
|
{
|
|
fstring remote_machine;
|
|
unsigned char old_trust_passwd_hash[16];
|
|
unsigned char new_trust_passwd_hash[16];
|
|
time_t lct;
|
|
BOOL res = False;
|
|
|
|
if(!secrets_fetch_trust_account_password(domain, old_trust_passwd_hash, &lct)) {
|
|
DEBUG(0,("change_trust_account_password: unable to read the machine \
|
|
account password for domain %s.\n", domain));
|
|
return False;
|
|
}
|
|
|
|
/*
|
|
* Create the new (random) password.
|
|
*/
|
|
generate_random_buffer( new_trust_passwd_hash, 16, True);
|
|
|
|
while(remote_machine_list &&
|
|
next_token(&remote_machine_list, remote_machine,
|
|
LIST_SEP, sizeof(remote_machine))) {
|
|
strupper(remote_machine);
|
|
if(strequal(remote_machine, "*")) {
|
|
|
|
/*
|
|
* We have been asked to dynamcially determine the IP addresses of the PDC.
|
|
*/
|
|
|
|
struct in_addr *ip_list = NULL;
|
|
int count = 0;
|
|
int i;
|
|
|
|
/* Use the PDC *only* for this. */
|
|
if(!get_dc_list(True, domain, &ip_list, &count))
|
|
continue;
|
|
|
|
/*
|
|
* Try and connect to the PDC/BDC list in turn as an IP
|
|
* address used as a string.
|
|
*/
|
|
|
|
for(i = 0; i < count; i++) {
|
|
fstring dc_name;
|
|
if(!lookup_pdc_name(global_myname, domain, &ip_list[i], dc_name))
|
|
continue;
|
|
if((res = modify_trust_password( domain, dc_name,
|
|
old_trust_passwd_hash, new_trust_passwd_hash)))
|
|
break;
|
|
}
|
|
|
|
if(ip_list != NULL)
|
|
free((char *)ip_list);
|
|
|
|
} else {
|
|
res = modify_trust_password( domain, remote_machine,
|
|
old_trust_passwd_hash, new_trust_passwd_hash);
|
|
}
|
|
|
|
if(res) {
|
|
DEBUG(0,("%s : change_trust_account_password: Changed password for \
|
|
domain %s.\n", timestring(False), domain));
|
|
/*
|
|
* Return the result of trying to write the new password
|
|
* back into the trust account file.
|
|
*/
|
|
res = secrets_store_trust_account_password(domain, new_trust_passwd_hash);
|
|
memset(new_trust_passwd_hash, 0, 16);
|
|
memset(old_trust_passwd_hash, 0, 16);
|
|
return res;
|
|
}
|
|
}
|
|
|
|
memset(new_trust_passwd_hash, 0, 16);
|
|
memset(old_trust_passwd_hash, 0, 16);
|
|
|
|
DEBUG(0,("%s : change_trust_account_password: Failed to change password for \
|
|
domain %s.\n", timestring(False), domain));
|
|
return False;
|
|
}
|