s3-spoolss: implement spoolss_EnumJobs level 3.
[Samba.git] / source3 / libsmb / trusts_util.c
blob8acdc0fa59ba2bfa6824bc20308c874ebc2bc4d2
1 /*
2 * Unix SMB/CIFS implementation.
3 * Routines to operate on various trust relationships
4 * Copyright (C) Andrew Bartlett 2001
5 * Copyright (C) Rafal Szczesniak 2003
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
21 #include "includes.h"
22 #include "../libcli/auth/libcli_auth.h"
23 #include "../librpc/gen_ndr/cli_lsa.h"
25 /*********************************************************
26 Change the domain password on the PDC.
27 Store the password ourselves, but use the supplied password
28 Caller must have already setup the connection to the NETLOGON pipe
29 **********************************************************/
31 NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
32 const char *domain,
33 const char *account_name,
34 unsigned char orig_trust_passwd_hash[16],
35 enum netr_SchannelType sec_channel_type)
37 unsigned char new_trust_passwd_hash[16];
38 char *new_trust_passwd;
39 NTSTATUS nt_status;
41 switch (sec_channel_type) {
42 case SEC_CHAN_WKSTA:
43 case SEC_CHAN_DOMAIN:
44 break;
45 default:
46 return NT_STATUS_NOT_SUPPORTED;
49 /* Create a random machine account password */
50 new_trust_passwd = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
52 if (new_trust_passwd == NULL) {
53 DEBUG(0, ("talloc_strdup failed\n"));
54 return NT_STATUS_NO_MEMORY;
57 E_md4hash(new_trust_passwd, new_trust_passwd_hash);
59 nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
60 account_name,
61 orig_trust_passwd_hash,
62 new_trust_passwd,
63 new_trust_passwd_hash,
64 sec_channel_type);
66 if (NT_STATUS_IS_OK(nt_status)) {
67 DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
68 current_timestring(talloc_tos(), False)));
70 * Return the result of trying to write the new password
71 * back into the trust account file.
74 switch (sec_channel_type) {
76 case SEC_CHAN_WKSTA:
77 if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
78 nt_status = NT_STATUS_UNSUCCESSFUL;
80 break;
82 case SEC_CHAN_DOMAIN: {
83 char *pwd;
84 struct dom_sid sid;
85 time_t pass_last_set_time;
87 /* we need to get the sid first for the
88 * pdb_set_trusteddom_pw call */
90 if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
91 nt_status = NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
93 if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
94 nt_status = NT_STATUS_INTERNAL_DB_CORRUPTION;
96 break;
98 default:
99 break;
103 return nt_status;
106 /*********************************************************
107 Change the domain password on the PDC.
108 Do most of the legwork ourselfs. Caller must have
109 already setup the connection to the NETLOGON pipe
110 **********************************************************/
112 NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
113 TALLOC_CTX *mem_ctx,
114 const char *domain)
116 unsigned char old_trust_passwd_hash[16];
117 enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
118 const char *account_name;
120 if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
121 &sec_channel_type)) {
122 DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
123 return NT_STATUS_UNSUCCESSFUL;
126 return trust_pw_change_and_store_it(cli, mem_ctx, domain,
127 account_name,
128 old_trust_passwd_hash,
129 sec_channel_type);
132 /*********************************************************************
133 Enumerate the list of trusted domains from a DC
134 *********************************************************************/
136 bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
137 char ***domain_names, uint32 *num_domains,
138 DOM_SID **sids )
140 struct policy_handle pol;
141 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
142 fstring dc_name;
143 struct sockaddr_storage dc_ss;
144 uint32 enum_ctx = 0;
145 struct cli_state *cli = NULL;
146 struct rpc_pipe_client *lsa_pipe = NULL;
147 bool retry;
148 struct lsa_DomainList dom_list;
149 int i;
151 *domain_names = NULL;
152 *num_domains = 0;
153 *sids = NULL;
155 /* lookup a DC first */
157 if ( !get_dc_name(domain, NULL, dc_name, &dc_ss) ) {
158 DEBUG(3,("enumerate_domain_trusts: can't locate a DC for domain %s\n",
159 domain));
160 return False;
163 /* setup the anonymous connection */
165 result = cli_full_connection( &cli, global_myname(), dc_name, &dc_ss, 0, "IPC$", "IPC",
166 "", "", "", 0, Undefined, &retry);
167 if ( !NT_STATUS_IS_OK(result) )
168 goto done;
170 /* open the LSARPC_PIPE */
172 result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
173 &lsa_pipe);
174 if (!NT_STATUS_IS_OK(result)) {
175 goto done;
178 /* get a handle */
180 result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, True,
181 LSA_POLICY_VIEW_LOCAL_INFORMATION, &pol);
182 if ( !NT_STATUS_IS_OK(result) )
183 goto done;
185 /* Lookup list of trusted domains */
187 result = rpccli_lsa_EnumTrustDom(lsa_pipe, mem_ctx,
188 &pol,
189 &enum_ctx,
190 &dom_list,
191 (uint32_t)-1);
192 if ( !NT_STATUS_IS_OK(result) )
193 goto done;
195 *num_domains = dom_list.count;
197 *domain_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, *num_domains);
198 if (!*domain_names) {
199 result = NT_STATUS_NO_MEMORY;
200 goto done;
203 *sids = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, *num_domains);
204 if (!*sids) {
205 result = NT_STATUS_NO_MEMORY;
206 goto done;
209 for (i=0; i< *num_domains; i++) {
210 (*domain_names)[i] = CONST_DISCARD(char *, dom_list.domains[i].name.string);
211 (*sids)[i] = *dom_list.domains[i].sid;
214 done:
215 /* cleanup */
216 if (cli) {
217 DEBUG(10,("enumerate_domain_trusts: shutting down connection...\n"));
218 cli_shutdown( cli );
221 return NT_STATUS_IS_OK(result);