mirror of
https://github.com/samba-team/samba.git
synced 2025-01-28 17:47:29 +03:00
ce52f1c2ed
users w/o full administrative access on computer accounts to join a computer into AD domain. The patch and detailed changelog is available at: http://www.itcollege.ee/~aandreim/samba This is a list of changes in general: 1. When creating machine account do not fail if SD cannot be changed. setting SD is not mandatory and join will work perfectly without it. 2. Implement KPASSWD CHANGEPW protocol for changing trust password so machine account does not need to have reset password right for itself. 3. Command line utilities no longer interfere with user's existing kerberos ticket cache. 4. Command line utilities can do kerberos authentication even if username is specified (-U). Initial TGT will be requested in this case. I've modified the patch to share the kinit code, rather than copying it, and updated it to current CVS. The other change included in the original patch (local realms) has been left out for now. Andrew Bartlett
-
61 lines
1.8 KiB
C
61 lines
1.8 KiB
C
/*
|
|
Unix SMB/CIFS implementation.
|
|
krb5 set password implementation
|
|
Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; either version 2 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program; if not, write to the Free Software
|
|
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
|
|
#ifdef HAVE_KRB5
|
|
|
|
ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal)
|
|
{
|
|
char *tmp_password;
|
|
char *password;
|
|
char *new_password;
|
|
char *service_principal;
|
|
ADS_STATUS ret;
|
|
|
|
if ((password = secrets_fetch_machine_password()) == NULL) {
|
|
DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal));
|
|
return ADS_ERROR_SYSTEM(ENOENT);
|
|
}
|
|
|
|
tmp_password = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
|
|
new_password = strdup(tmp_password);
|
|
asprintf(&service_principal, "HOST/%s", host_principal);
|
|
|
|
ret = kerberos_set_password(ads->auth.kdc_server, service_principal, password, service_principal, new_password, ads->auth.time_offset);
|
|
|
|
if (!ADS_ERR_OK(ret)) goto failed;
|
|
|
|
if (!secrets_store_machine_password(new_password)) {
|
|
DEBUG(1,("Failed to save machine password\n"));
|
|
return ADS_ERROR_SYSTEM(EACCES);
|
|
}
|
|
|
|
failed:
|
|
SAFE_FREE(service_principal);
|
|
SAFE_FREE(new_password);
|
|
|
|
return ret;
|
|
}
|
|
|
|
|
|
|
|
#endif
|