Changeset 124 for branches/samba-3.0/source/passdb/secrets.c
- Timestamp:
- Mar 12, 2008, 9:08:18 AM (17 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
branches/samba-3.0/source/passdb/secrets.c
r1 r124 269 269 /************************************************************************ 270 270 Routine to get the trust account password for a domain. 271 This only tries to get the legacy hashed version of the password. 271 272 The user of this function must have locked the trust password file using 272 273 the above secrets_lock_trust_account_password(). 273 274 ************************************************************************/ 274 275 276 BOOL secrets_fetch_trust_account_password_legacy(const char *domain, 277 uint8 ret_pwd[16], 278 time_t *pass_last_set_time, 279 uint32 *channel) 280 { 281 struct machine_acct_pass *pass; 282 size_t size = 0; 283 284 if (!(pass = (struct machine_acct_pass *)secrets_fetch( 285 trust_keystr(domain), &size))) { 286 DEBUG(5, ("secrets_fetch failed!\n")); 287 return False; 288 } 289 290 if (size != sizeof(*pass)) { 291 DEBUG(0, ("secrets were of incorrect size!\n")); 292 return False; 293 } 294 295 if (pass_last_set_time) { 296 *pass_last_set_time = pass->mod_time; 297 } 298 memcpy(ret_pwd, pass->hash, 16); 299 300 if (channel) { 301 *channel = get_default_sec_channel(); 302 } 303 304 /* Test if machine password has expired and needs to be changed */ 305 if (lp_machine_password_timeout()) { 306 if (pass->mod_time > 0 && time(NULL) > (pass->mod_time + 307 (time_t)lp_machine_password_timeout())) { 308 global_machine_password_needs_changing = True; 309 } 310 } 311 312 SAFE_FREE(pass); 313 return True; 314 } 315 316 /************************************************************************ 317 Routine to get the trust account password for a domain. 318 The user of this function must have locked the trust password file using 319 the above secrets_lock_trust_account_password(). 320 ************************************************************************/ 321 275 322 BOOL secrets_fetch_trust_account_password(const char *domain, uint8 ret_pwd[16], 276 323 time_t *pass_last_set_time, 277 324 uint32 *channel) 278 325 { 279 struct machine_acct_pass *pass;280 326 char *plaintext; 281 size_t size = 0; 282 283 plaintext = secrets_fetch_machine_password(domain, pass_last_set_time, 327 328 plaintext = secrets_fetch_machine_password(domain, pass_last_set_time, 284 329 channel); 285 330 if (plaintext) { … … 290 335 } 291 336 292 if (!(pass = (struct machine_acct_pass *)secrets_fetch( 293 trust_keystr(domain), &size))) { 294 DEBUG(5, ("secrets_fetch failed!\n")); 295 return False; 296 } 297 298 if (size != sizeof(*pass)) { 299 DEBUG(0, ("secrets were of incorrect size!\n")); 300 return False; 301 } 302 303 if (pass_last_set_time) { 304 *pass_last_set_time = pass->mod_time; 305 } 306 memcpy(ret_pwd, pass->hash, 16); 307 308 if (channel) { 309 *channel = get_default_sec_channel(); 310 } 311 312 /* Test if machine password has expired and needs to be changed */ 313 if (lp_machine_password_timeout()) { 314 if (pass->mod_time > 0 && time(NULL) > (pass->mod_time + 315 (time_t)lp_machine_password_timeout())) { 316 global_machine_password_needs_changing = True; 317 } 318 } 319 320 SAFE_FREE(pass); 321 return True; 337 return secrets_fetch_trust_account_password_legacy(domain, ret_pwd, 338 pass_last_set_time, 339 channel); 322 340 } 323 341 … … 499 517 500 518 return True; 501 }502 503 /************************************************************************504 Routine to set the trust account password for a domain.505 ************************************************************************/506 507 BOOL secrets_store_trust_account_password(const char *domain, uint8 new_pwd[16])508 {509 struct machine_acct_pass pass;510 511 pass.mod_time = time(NULL);512 memcpy(pass.hash, new_pwd, 16);513 514 return secrets_store(trust_keystr(domain), (void *)&pass, sizeof(pass));515 519 } 516 520 … … 656 660 } 657 661 662 BOOL is_trusted_domain_situation(const char *domain_name) 663 { 664 return IS_DC && 665 lp_allow_trusted_domains() && 666 !strequal(domain_name, lp_workgroup()); 667 } 668 658 669 /******************************************************************* 659 Wrapper around retrieving the trust account password 670 Wrapper around retrieving the clear text trust account password. 671 appropriate account name is stored in account_name. 672 Caller must free password, but not account_name. 660 673 *******************************************************************/ 661 662 BOOL get_trust_pw (const char *domain, uint8 ret_pwd[16], uint32 *channel)663 { 664 DOM_SID sid; 674 675 BOOL get_trust_pw_clear(const char *domain, char **ret_pwd, 676 const char **account_name, uint32 *channel) 677 { 665 678 char *pwd; 666 679 time_t last_set_time; 667 680 668 681 /* if we are a DC and this is not our domain, then lookup an account 669 for the domain trust */ 670 671 if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains() ) { 672 if (!secrets_fetch_trusted_domain_password(domain, &pwd, &sid, 673 &last_set_time)) { 682 * for the domain trust */ 683 684 if (is_trusted_domain_situation(domain)) { 685 if (!secrets_fetch_trusted_domain_password(domain, ret_pwd, 686 NULL, &last_set_time)) 687 { 674 688 DEBUG(0, ("get_trust_pw: could not fetch trust " 675 689 "account password for trusted domain %s\n", … … 677 691 return False; 678 692 } 679 680 *channel = SEC_CHAN_DOMAIN; 693 694 if (channel != NULL) { 695 *channel = SEC_CHAN_DOMAIN; 696 } 697 698 if (account_name != NULL) { 699 *account_name = lp_workgroup(); 700 } 701 702 return True; 703 } 704 705 /* Just get the account for the requested domain. In the future this 706 * might also cover to be member of more than one domain. */ 707 708 pwd = secrets_fetch_machine_password(domain, &last_set_time, channel); 709 710 if (pwd != NULL) { 711 *ret_pwd = pwd; 712 if (account_name != NULL) { 713 *account_name = global_myname(); 714 } 715 716 return True; 717 } 718 719 DEBUG(5, ("get_trust_pw_clear: could not fetch clear text trust " 720 "account password for domain %s\n", domain)); 721 return False; 722 } 723 724 /******************************************************************* 725 Wrapper around retrieving the trust account password. 726 appropriate account name is stored in account_name. 727 *******************************************************************/ 728 729 BOOL get_trust_pw_hash(const char *domain, uint8 ret_pwd[16], 730 const char **account_name, uint32 *channel) 731 { 732 char *pwd = NULL; 733 time_t last_set_time; 734 735 if (get_trust_pw_clear(domain, &pwd, account_name, channel)) { 681 736 E_md4hash(pwd, ret_pwd); 682 737 SAFE_FREE(pwd); 683 684 738 return True; 685 } 686 687 /* Just get the account for the requested domain. In the future this 688 * might also cover to be member of more than one domain. */ 689 690 if (secrets_fetch_trust_account_password(domain, ret_pwd, 691 &last_set_time, channel)) 739 } else if (is_trusted_domain_situation(domain)) { 740 return False; 741 } 742 743 /* as a fallback, try to get the hashed pwd directly from the tdb... */ 744 745 if (secrets_fetch_trust_account_password_legacy(domain, ret_pwd, 746 &last_set_time, 747 channel)) 748 { 749 if (account_name != NULL) { 750 *account_name = global_myname(); 751 } 752 692 753 return True; 693 694 DEBUG(5, ("get_trust_pw: could not fetch trust account " 754 } 755 756 DEBUG(5, ("get_trust_pw_hash: could not fetch trust account " 695 757 "password for domain %s\n", domain)); 696 758 return False; 697 }698 699 /************************************************************************700 Routine to delete the machine trust account password file for a domain.701 ************************************************************************/702 703 BOOL trust_password_delete(const char *domain)704 {705 return secrets_delete(trust_keystr(domain));706 759 } 707 760
Note:
See TracChangeset
for help on using the changeset viewer.