source: vendor/3.5.0/source3/libsmb/trusts_util.c

Last change on this file was 414, checked in by Herwig Bauernfeind, 15 years ago

Samba 3.5.0: Initial import
File size: 6.2 KB
Line 
1/*
2 * Unix SMB/CIFS implementation.
3 * Routines to operate on various trust relationships
4 * Copyright (C) Andrew Bartlett 2001
5 * Copyright (C) Rafal Szczesniak 2003
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 */
20
21#include "includes.h"
22#include "../libcli/auth/libcli_auth.h"
23#include "../librpc/gen_ndr/cli_lsa.h"
24
25/*********************************************************
26 Change the domain password on the PDC.
27 Store the password ourselves, but use the supplied password
28 Caller must have already setup the connection to the NETLOGON pipe
29**********************************************************/
30
31NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
32 const char *domain,
33 const char *account_name,
34 unsigned char orig_trust_passwd_hash[16],
35 enum netr_SchannelType sec_channel_type)
36{
37 unsigned char new_trust_passwd_hash[16];
38 char *new_trust_passwd;
39 NTSTATUS nt_status;
40
41 switch (sec_channel_type) {
42 case SEC_CHAN_WKSTA:
43 case SEC_CHAN_DOMAIN:
44 break;
45 default:
46 return NT_STATUS_NOT_SUPPORTED;
47 }
48
49 /* Create a random machine account password */
50 new_trust_passwd = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
51
52 if (new_trust_passwd == NULL) {
53 DEBUG(0, ("talloc_strdup failed\n"));
54 return NT_STATUS_NO_MEMORY;
55 }
56
57 E_md4hash(new_trust_passwd, new_trust_passwd_hash);
58
59 nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
60 account_name,
61 orig_trust_passwd_hash,
62 new_trust_passwd,
63 new_trust_passwd_hash,
64 sec_channel_type);
65
66 if (NT_STATUS_IS_OK(nt_status)) {
67 DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
68 current_timestring(talloc_tos(), False)));
69 /*
70 * Return the result of trying to write the new password
71 * back into the trust account file.
72 */
73
74 switch (sec_channel_type) {
75
76 case SEC_CHAN_WKSTA:
77 if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
78 nt_status = NT_STATUS_UNSUCCESSFUL;
79 }
80 break;
81
82 case SEC_CHAN_DOMAIN: {
83 char *pwd;
84 struct dom_sid sid;
85 time_t pass_last_set_time;
86
87 /* we need to get the sid first for the
88 * pdb_set_trusteddom_pw call */
89
90 if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
91 nt_status = NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
92 }
93 if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
94 nt_status = NT_STATUS_INTERNAL_DB_CORRUPTION;
95 }
96 break;
97 }
98 default:
99 break;
100 }
101 }
102
103 return nt_status;
104}
105
106/*********************************************************
107 Change the domain password on the PDC.
108 Do most of the legwork ourselfs. Caller must have
109 already setup the connection to the NETLOGON pipe
110**********************************************************/
111
112NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
113 TALLOC_CTX *mem_ctx,
114 const char *domain)
115{
116 unsigned char old_trust_passwd_hash[16];
117 enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
118 const char *account_name;
119
120 if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
121 &sec_channel_type)) {
122 DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
123 return NT_STATUS_UNSUCCESSFUL;
124 }
125
126 return trust_pw_change_and_store_it(cli, mem_ctx, domain,
127 account_name,
128 old_trust_passwd_hash,
129 sec_channel_type);
130}
131
132/*********************************************************************
133 Enumerate the list of trusted domains from a DC
134*********************************************************************/
135
136bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
137 char ***domain_names, uint32 *num_domains,
138 DOM_SID **sids )
139{
140 struct policy_handle pol;
141 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
142 fstring dc_name;
143 struct sockaddr_storage dc_ss;
144 uint32 enum_ctx = 0;
145 struct cli_state *cli = NULL;
146 struct rpc_pipe_client *lsa_pipe = NULL;
147 bool retry;
148 struct lsa_DomainList dom_list;
149 int i;
150
151 *domain_names = NULL;
152 *num_domains = 0;
153 *sids = NULL;
154
155 /* lookup a DC first */
156
157 if ( !get_dc_name(domain, NULL, dc_name, &dc_ss) ) {
158 DEBUG(3,("enumerate_domain_trusts: can't locate a DC for domain %s\n",
159 domain));
160 return False;
161 }
162
163 /* setup the anonymous connection */
164
165 result = cli_full_connection( &cli, global_myname(), dc_name, &dc_ss, 0, "IPC$", "IPC",
166 "", "", "", 0, Undefined, &retry);
167 if ( !NT_STATUS_IS_OK(result) )
168 goto done;
169
170 /* open the LSARPC_PIPE */
171
172 result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
173 &lsa_pipe);
174 if (!NT_STATUS_IS_OK(result)) {
175 goto done;
176 }
177
178 /* get a handle */
179
180 result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, True,
181 LSA_POLICY_VIEW_LOCAL_INFORMATION, &pol);
182 if ( !NT_STATUS_IS_OK(result) )
183 goto done;
184
185 /* Lookup list of trusted domains */
186
187 result = rpccli_lsa_EnumTrustDom(lsa_pipe, mem_ctx,
188 &pol,
189 &enum_ctx,
190 &dom_list,
191 (uint32_t)-1);
192 if ( !NT_STATUS_IS_OK(result) )
193 goto done;
194
195 *num_domains = dom_list.count;
196
197 *domain_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, *num_domains);
198 if (!*domain_names) {
199 result = NT_STATUS_NO_MEMORY;
200 goto done;
201 }
202
203 *sids = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, *num_domains);
204 if (!*sids) {
205 result = NT_STATUS_NO_MEMORY;
206 goto done;
207 }
208
209 for (i=0; i< *num_domains; i++) {
210 (*domain_names)[i] = CONST_DISCARD(char *, dom_list.domains[i].name.string);
211 (*sids)[i] = *dom_list.domains[i].sid;
212 }
213
214done:
215 /* cleanup */
216 if (cli) {
217 DEBUG(10,("enumerate_domain_trusts: shutting down connection...\n"));
218 cli_shutdown( cli );
219 }
220
221 return NT_STATUS_IS_OK(result);
222}
Note: See TracBrowser for help on using the repository browser.