2 * Unix SMB/Netbios implementation. Version 1.9. SMB parameters and setup
3 * Copyright (C) Andrew Tridgell 1992-1998 Modified by Jeremy Allison 1995.
5 * This program is free software; you can redistribute it and/or modify it under
6 * the terms of the GNU General Public License as published by the Free
7 * Software Foundation; either version 2 of the License, or (at your option)
10 * This program is distributed in the hope that it will be useful, but WITHOUT
11 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
12 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
15 * You should have received a copy of the GNU General Public License along with
16 * this program; if not, write to the Free Software Foundation, Inc., 675
17 * Mass Ave, Cambridge, MA 02139, USA.
21 * This file also contains migration code to move from an old
22 * trust account password file stored in the file :
23 * ${SAMBA_HOME}/private/{domain}.{netbiosname}.mac
24 * into a record stored in the tdb ${SAMBA_HOME}/private/secrets.tdb
30 extern int DEBUGLEVEL
;
31 extern pstring global_myname
;
33 BOOL global_machine_password_needs_changing
= False
;
36 static int mach_passwd_lock_depth
;
37 static FILE *mach_passwd_fp
;
39 /***************************************************************
40 Lock an fd. Abandon after waitsecs seconds.
41 ****************************************************************/
43 static BOOL
pw_file_lock(int fd
, int type
, int secs
, int *plock_depth
)
48 if(*plock_depth
== 0) {
49 if (!do_file_lock(fd
, secs
, type
)) {
50 DEBUG(10,("pw_file_lock: locking file failed, error = %s.\n",
61 /***************************************************************
62 Unlock an fd. Abandon after waitsecs seconds.
63 ****************************************************************/
65 static BOOL
pw_file_unlock(int fd
, int *plock_depth
)
70 ret
= do_file_lock(fd
, 5, F_UNLCK
);
76 DEBUG(10,("pw_file_unlock: unlocking file failed, error = %s.\n",
81 /************************************************************************
82 Routine to get the name for an old trust account file.
83 ************************************************************************/
85 static void get_trust_account_file_name( char *domain
, char *name
, char *mac_file
)
87 unsigned int mac_file_len
;
90 pstrcpy(mac_file
, lp_smb_passwd_file());
91 p
= strrchr(mac_file
, '/');
95 mac_file_len
= strlen(mac_file
);
97 if ((int)(sizeof(pstring
) - mac_file_len
- strlen(domain
) - strlen(name
) - 6) < 0)
99 DEBUG(0,("trust_password_lock: path %s too long to add trust details.\n",
104 pstrcat(mac_file
, domain
);
105 pstrcat(mac_file
, ".");
106 pstrcat(mac_file
, name
);
107 pstrcat(mac_file
, ".mac");
110 /************************************************************************
111 Routine to lock the old trust account password file for a domain.
112 As this is a function to migrate to the new secrets.tdb, we never
113 create the file here, only open it.
114 ************************************************************************/
116 static BOOL
trust_password_file_lock(char *domain
, char *name
)
120 if(mach_passwd_lock_depth
== 0) {
123 get_trust_account_file_name( domain
, name
, mac_file
);
125 if ((fd
= sys_open(mac_file
, O_RDWR
, 0)) == -1)
128 if((mach_passwd_fp
= fdopen(fd
, "w+b")) == NULL
) {
129 DEBUG(0,("trust_password_lock: cannot open file %s - Error was %s.\n",
130 mac_file
, strerror(errno
) ));
134 if(!pw_file_lock(fileno(mach_passwd_fp
), F_WRLCK
, 60, &mach_passwd_lock_depth
)) {
135 DEBUG(0,("trust_password_lock: cannot lock file %s\n", mac_file
));
136 fclose(mach_passwd_fp
);
145 /************************************************************************
146 Routine to unlock the old trust account password file for a domain.
147 ************************************************************************/
149 static BOOL
trust_password_file_unlock(void)
151 BOOL ret
= pw_file_unlock(fileno(mach_passwd_fp
), &mach_passwd_lock_depth
);
152 if(mach_passwd_lock_depth
== 0)
153 fclose(mach_passwd_fp
);
157 /************************************************************************
158 Routine to delete the old trust account password file for a domain.
159 Note that this file must be locked as it is truncated before the
160 delete. This is to ensure it only gets deleted by one smbd.
161 ************************************************************************/
163 static BOOL
trust_password_file_delete( char *domain
, char *name
)
168 get_trust_account_file_name( domain
, name
, mac_file
);
169 if(sys_ftruncate(fileno(mach_passwd_fp
),(SMB_OFF_T
)0) == -1) {
170 DEBUG(0,("trust_password_file_delete: Failed to truncate file %s (%s)\n",
171 mac_file
, strerror(errno
) ));
173 ret
= unlink( mac_file
);
177 /************************************************************************
178 Routine to get the old trust account password for a domain - to convert
179 to the new secrets.tdb entry.
180 The user of this function must have locked the trust password file.
181 ************************************************************************/
183 static BOOL
get_trust_account_password_from_file( unsigned char *ret_pwd
, time_t *pass_last_set_time
)
191 *pass_last_set_time
= (time_t)0;
192 memset(ret_pwd
, '\0', 16);
194 if(sys_fstat(fileno(mach_passwd_fp
), &st
) == -1) {
195 DEBUG(0,("get_trust_account_password: Failed to stat file. Error was %s.\n",
201 * If size is zero, another smbd has migrated this file
202 * to the secrets.tdb file, and we are in a race condition.
203 * Just ignore the file.
209 if(sys_fseek( mach_passwd_fp
, (SMB_OFF_T
)0, SEEK_SET
) == -1) {
210 DEBUG(0,("get_trust_account_password: Failed to seek to start of file. Error was %s.\n",
215 fgets(linebuf
, sizeof(linebuf
), mach_passwd_fp
);
216 if(ferror(mach_passwd_fp
)) {
217 DEBUG(0,("get_trust_account_password: Failed to read password. Error was %s.\n",
222 if(linebuf
[strlen(linebuf
)-1] == '\n')
223 linebuf
[strlen(linebuf
)-1] = '\0';
226 * The length of the line read
227 * must be 45 bytes ( <---XXXX 32 bytes-->:TLC-12345678
230 if(strlen(linebuf
) != 45) {
231 DEBUG(0,("get_trust_account_password: Malformed trust password file (wrong length \
232 - was %d, should be 45).\n", (int)strlen(linebuf
)));
233 #ifdef DEBUG_PASSWORD
234 DEBUG(100,("get_trust_account_password: line = |%s|\n", linebuf
));
240 * Get the hex password.
243 if (!pdb_gethexpwd((char *)linebuf
, ret_pwd
) || linebuf
[32] != ':' ||
244 strncmp(&linebuf
[33], "TLC-", 4)) {
245 DEBUG(0,("get_trust_account_password: Malformed trust password file (incorrect format).\n"));
246 #ifdef DEBUG_PASSWORD
247 DEBUG(100,("get_trust_account_password: line = |%s|\n", linebuf
));
253 * Get the last changed time.
257 for(i
= 0; i
< 8; i
++) {
258 if(p
[i
] == '\0' || !isxdigit((int)p
[i
])) {
259 DEBUG(0,("get_trust_account_password: Malformed trust password file (no timestamp).\n"));
260 #ifdef DEBUG_PASSWORD
261 DEBUG(100,("get_trust_account_password: line = |%s|\n", linebuf
));
268 * p points at 8 characters of hex digits -
269 * read into a time_t as the seconds since
270 * 1970 that the password was last changed.
273 *pass_last_set_time
= (time_t)strtol(p
, NULL
, 16);
278 /************************************************************************
279 form a key for fetching a domain trust password
280 ************************************************************************/
282 static char *trust_keystr(char *domain
)
284 static fstring keystr
;
285 slprintf(keystr
,sizeof(keystr
),"%s/%s", SECRETS_MACHINE_ACCT_PASS
, domain
);
289 /************************************************************************
290 Migrate an old DOMAIN.MACINE.mac password file to the tdb secrets db.
291 ************************************************************************/
293 static void migrate_from_old_password_file(char *domain
)
295 struct machine_acct_pass pass
;
297 if (!trust_password_file_lock(domain
, global_myname
))
300 if (!get_trust_account_password_from_file( pass
.hash
, &pass
.mod_time
)) {
301 trust_password_file_unlock();
305 trust_password_file_delete(domain
, global_myname
);
307 secrets_store(trust_keystr(domain
), (void *)&pass
, sizeof(pass
));
309 trust_password_file_unlock();
313 /************************************************************************
314 Routine to delete the trust account password file for a domain.
315 ************************************************************************/
317 BOOL
trust_password_delete(char *domain
)
319 return secrets_delete(trust_keystr(domain
));