search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
winbind: Keep "force_reauth" in invalidate_cm_connection
[Samba.git] / source3 / passdb / machine_account_secrets.c
blob40511f96a8b0ea941be10c2d1b39cc6a770a5520
1 /*
2 Unix SMB/CIFS implementation.
3 Copyright (C) Andrew Tridgell 1992-2001
4 Copyright (C) Andrew Bartlett 2002
5 Copyright (C) Rafal Szczesniak 2002
6 Copyright (C) Tim Potter 2001
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 /* the Samba secrets database stores any generated, private information
23 such as the local SID and machine trust password */
24
25 #include "includes.h"
26 #include "passdb.h"
27 #include "../libcli/auth/libcli_auth.h"
28 #include "secrets.h"
29 #include "dbwrap/dbwrap.h"
30 #include "../librpc/ndr/libndr.h"
31 #include "util_tdb.h"
32 #include "libcli/security/security.h"
33
34 #include "librpc/gen_ndr/libnet_join.h"
35 #include "librpc/gen_ndr/ndr_secrets.h"
36 #include "lib/crypto/crypto.h"
37 #include "lib/krb5_wrap/krb5_samba.h"
38 #include "lib/util/time_basic.h"
39
40 #undef DBGC_CLASS
41 #define DBGC_CLASS DBGC_PASSDB
42
43 static char *domain_info_keystr(const char *domain);
44
45 static char *des_salt_key(const char *realm);
46
47 /**
48 * Form a key for fetching the domain sid
49 *
50 * @param domain domain name
51 *
52 * @return keystring
53 **/
54 static const char *domain_sid_keystr(const char *domain)
55 {
56 char *keystr;
57
58 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
59 SECRETS_DOMAIN_SID, domain);
60 SMB_ASSERT(keystr != NULL);
61 return keystr;
62 }
63
64 static const char *domain_guid_keystr(const char *domain)
65 {
66 char *keystr;
67
68 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
69 SECRETS_DOMAIN_GUID, domain);
70 SMB_ASSERT(keystr != NULL);
71 return keystr;
72 }
73
74 static const char *protect_ids_keystr(const char *domain)
75 {
76 char *keystr;
77
78 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
79 SECRETS_PROTECT_IDS, domain);
80 SMB_ASSERT(keystr != NULL);
81 return keystr;
82 }
83
84 /* N O T E: never use this outside of passdb modules that store the SID on their own */
85 bool secrets_mark_domain_protected(const char *domain)
86 {
87 bool ret;
88
89 ret = secrets_store(protect_ids_keystr(domain), "TRUE", 5);
90 if (!ret) {
91 DEBUG(0, ("Failed to protect the Domain IDs\n"));
92 }
93 return ret;
94 }
95
96 bool secrets_clear_domain_protection(const char *domain)
97 {
98 bool ret;
99 void *protection = secrets_fetch(protect_ids_keystr(domain), NULL);
100
101 if (protection) {
102 SAFE_FREE(protection);
103 ret = secrets_delete_entry(protect_ids_keystr(domain));
104 if (!ret) {
105 DEBUG(0, ("Failed to remove Domain IDs protection\n"));
106 }
107 return ret;
108 }
109 return true;
110 }
111
112 bool secrets_store_domain_sid(const char *domain, const struct dom_sid *sid)
113 {
114 char *protect_ids;
115 bool ret;
116
117 protect_ids = secrets_fetch(protect_ids_keystr(domain), NULL);
118 if (protect_ids) {
119 if (strncmp(protect_ids, "TRUE", 4)) {
120 DEBUG(0, ("Refusing to store a Domain SID, "
121 "it has been marked as protected!\n"));
122 SAFE_FREE(protect_ids);
123 return false;
124 }
125 }
126 SAFE_FREE(protect_ids);
127
128 ret = secrets_store(domain_sid_keystr(domain), sid, sizeof(struct dom_sid ));
129
130 /* Force a re-query, in the case where we modified our domain */
131 if (ret) {
132 if (dom_sid_equal(get_global_sam_sid(), sid) == false) {
133 reset_global_sam_sid();
134 }
135 }
136 return ret;
137 }
138
139 bool secrets_fetch_domain_sid(const char *domain, struct dom_sid *sid)
140 {
141 struct dom_sid *dyn_sid;
142 size_t size = 0;
143
144 dyn_sid = (struct dom_sid *)secrets_fetch(domain_sid_keystr(domain), &size);
145
146 if (dyn_sid == NULL)
147 return False;
148
149 if (size != sizeof(struct dom_sid)) {
150 SAFE_FREE(dyn_sid);
151 return False;
152 }
153
154 *sid = *dyn_sid;
155 SAFE_FREE(dyn_sid);
156 return True;
157 }
158
159 bool secrets_store_domain_guid(const char *domain, const struct GUID *guid)
160 {
161 char *protect_ids;
162 const char *key;
163
164 protect_ids = secrets_fetch(protect_ids_keystr(domain), NULL);
165 if (protect_ids) {
166 if (strncmp(protect_ids, "TRUE", 4)) {
167 DEBUG(0, ("Refusing to store a Domain SID, "
168 "it has been marked as protected!\n"));
169 SAFE_FREE(protect_ids);
170 return false;
171 }
172 }
173 SAFE_FREE(protect_ids);
174
175 key = domain_guid_keystr(domain);
176 return secrets_store(key, guid, sizeof(struct GUID));
177 }
178
179 bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid)
180 {
181 struct GUID *dyn_guid;
182 const char *key;
183 size_t size = 0;
184 struct GUID new_guid;
185
186 key = domain_guid_keystr(domain);
187 dyn_guid = (struct GUID *)secrets_fetch(key, &size);
188
189 if (!dyn_guid) {
190 if (lp_server_role() == ROLE_DOMAIN_PDC) {
191 new_guid = GUID_random();
192 if (!secrets_store_domain_guid(domain, &new_guid))
193 return False;
194 dyn_guid = (struct GUID *)secrets_fetch(key, &size);
195 }
196 if (dyn_guid == NULL) {
197 return False;
198 }
199 }
200
201 if (size != sizeof(struct GUID)) {
202 DEBUG(1,("UUID size %d is wrong!\n", (int)size));
203 SAFE_FREE(dyn_guid);
204 return False;
205 }
206
207 *guid = *dyn_guid;
208 SAFE_FREE(dyn_guid);
209 return True;
210 }
211
212 /**
213 * Form a key for fetching the machine trust account sec channel type
214 *
215 * @param domain domain name
216 *
217 * @return keystring
218 **/
219 static const char *machine_sec_channel_type_keystr(const char *domain)
220 {
221 char *keystr;
222
223 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
224 SECRETS_MACHINE_SEC_CHANNEL_TYPE,
225 domain);
226 SMB_ASSERT(keystr != NULL);
227 return keystr;
228 }
229
230 /**
231 * Form a key for fetching the machine trust account last change time
232 *
233 * @param domain domain name
234 *
235 * @return keystring
236 **/
237 static const char *machine_last_change_time_keystr(const char *domain)
238 {
239 char *keystr;
240
241 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
242 SECRETS_MACHINE_LAST_CHANGE_TIME,
243 domain);
244 SMB_ASSERT(keystr != NULL);
245 return keystr;
246 }
247
248
249 /**
250 * Form a key for fetching the machine previous trust account password
251 *
252 * @param domain domain name
253 *
254 * @return keystring
255 **/
256 static const char *machine_prev_password_keystr(const char *domain)
257 {
258 char *keystr;
259
260 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
261 SECRETS_MACHINE_PASSWORD_PREV, domain);
262 SMB_ASSERT(keystr != NULL);
263 return keystr;
264 }
265
266 /**
267 * Form a key for fetching the machine trust account password
268 *
269 * @param domain domain name
270 *
271 * @return keystring
272 **/
273 static const char *machine_password_keystr(const char *domain)
274 {
275 char *keystr;
276
277 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
278 SECRETS_MACHINE_PASSWORD, domain);
279 SMB_ASSERT(keystr != NULL);
280 return keystr;
281 }
282
283 /**
284 * Form a key for fetching the machine trust account password
285 *
286 * @param domain domain name
287 *
288 * @return stored password's key
289 **/
290 static const char *trust_keystr(const char *domain)
291 {
292 char *keystr;
293
294 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
295 SECRETS_MACHINE_ACCT_PASS, domain);
296 SMB_ASSERT(keystr != NULL);
297 return keystr;
298 }
299
300 /************************************************************************
301 Routine to get the default secure channel type for trust accounts
302 ************************************************************************/
303
304 enum netr_SchannelType get_default_sec_channel(void)
305 {
306 if (lp_server_role() == ROLE_DOMAIN_BDC ||
307 lp_server_role() == ROLE_DOMAIN_PDC ||
308 lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
309 return SEC_CHAN_BDC;
310 } else {
311 return SEC_CHAN_WKSTA;
312 }
313 }
314
315 /************************************************************************
316 Routine to get the trust account password for a domain.
317 This only tries to get the legacy hashed version of the password.
318 The user of this function must have locked the trust password file using
319 the above secrets_lock_trust_account_password().
320 ************************************************************************/
321
322 bool secrets_fetch_trust_account_password_legacy(const char *domain,
323 uint8_t ret_pwd[16],
324 time_t *pass_last_set_time,
325 enum netr_SchannelType *channel)
326 {
327 struct machine_acct_pass *pass;
328 size_t size = 0;
329
330 if (!(pass = (struct machine_acct_pass *)secrets_fetch(
331 trust_keystr(domain), &size))) {
332 DEBUG(5, ("secrets_fetch failed!\n"));
333 return False;
334 }
335
336 if (size != sizeof(*pass)) {
337 DEBUG(0, ("secrets were of incorrect size!\n"));
338 SAFE_FREE(pass);
339 return False;
340 }
341
342 if (pass_last_set_time) {
343 *pass_last_set_time = pass->mod_time;
344 }
345 memcpy(ret_pwd, pass->hash, 16);
346
347 if (channel) {
348 *channel = get_default_sec_channel();
349 }
350
351 SAFE_FREE(pass);
352 return True;
353 }
354
355 /************************************************************************
356 Routine to get the trust account password for a domain.
357 The user of this function must have locked the trust password file using
358 the above secrets_lock_trust_account_password().
359 ************************************************************************/
360
361 bool secrets_fetch_trust_account_password(const char *domain, uint8_t ret_pwd[16],
362 time_t *pass_last_set_time,
363 enum netr_SchannelType *channel)
364 {
365 char *plaintext;
366
367 plaintext = secrets_fetch_machine_password(domain, pass_last_set_time,
368 channel);
369 if (plaintext) {
370 DEBUG(4,("Using cleartext machine password\n"));
371 E_md4hash(plaintext, ret_pwd);
372 SAFE_FREE(plaintext);
373 return True;
374 }
375
376 return secrets_fetch_trust_account_password_legacy(domain, ret_pwd,
377 pass_last_set_time,
378 channel);
379 }
380
381 /************************************************************************
382 Routine to delete all information related to the domain joined machine.
383 ************************************************************************/
384
385 bool secrets_delete_machine_password_ex(const char *domain, const char *realm)
386 {
387 const char *tmpkey = NULL;
388 bool ok;
389
390 tmpkey = domain_info_keystr(domain);
391 ok = secrets_delete(tmpkey);
392 if (!ok) {
393 return false;
394 }
395
396 if (realm != NULL) {
397 tmpkey = des_salt_key(domain);
398 ok = secrets_delete(tmpkey);
399 if (!ok) {
400 return false;
401 }
402 }
403
404 tmpkey = domain_guid_keystr(domain);
405 ok = secrets_delete(tmpkey);
406 if (!ok) {
407 return false;
408 }
409
410 tmpkey = machine_prev_password_keystr(domain);
411 ok = secrets_delete(tmpkey);
412 if (!ok) {
413 return false;
414 }
415
416 tmpkey = machine_password_keystr(domain);
417 ok = secrets_delete(tmpkey);
418 if (!ok) {
419 return false;
420 }
421
422 tmpkey = machine_sec_channel_type_keystr(domain);
423 ok = secrets_delete(tmpkey);
424 if (!ok) {
425 return false;
426 }
427
428 tmpkey = machine_last_change_time_keystr(domain);
429 ok = secrets_delete(tmpkey);
430 if (!ok) {
431 return false;
432 }
433
434 tmpkey = domain_sid_keystr(domain);
435 ok = secrets_delete(tmpkey);
436 if (!ok) {
437 return false;
438 }
439
440 return true;
441 }
442
443 /************************************************************************
444 Routine to delete the domain sid
445 ************************************************************************/
446
447 bool secrets_delete_domain_sid(const char *domain)
448 {
449 return secrets_delete_entry(domain_sid_keystr(domain));
450 }
451
452 /************************************************************************
453 Set the machine trust account password, the old pw and last change
454 time, domain SID and salting principals based on values passed in
455 (added to supprt the secrets_tdb_sync module on secrets.ldb)
456 ************************************************************************/
457
458 bool secrets_store_machine_pw_sync(const char *pass, const char *oldpass, const char *domain,
459 const char *realm,
460 const char *salting_principal, uint32_t supported_enc_types,
461 const struct dom_sid *domain_sid, uint32_t last_change_time,
462 uint32_t secure_channel_type,
463 bool delete_join)
464 {
465 bool ret;
466 uint8_t last_change_time_store[4];
467 TALLOC_CTX *frame = talloc_stackframe();
468 uint8_t sec_channel_bytes[4];
469
470 if (delete_join) {
471 secrets_delete_machine_password_ex(domain, realm);
472 TALLOC_FREE(frame);
473 return true;
474 }
475
476 ret = secrets_store(machine_password_keystr(domain), pass, strlen(pass)+1);
477 if (!ret) {
478 TALLOC_FREE(frame);
479 return ret;
480 }
481
482 if (oldpass) {
483 ret = secrets_store(machine_prev_password_keystr(domain), oldpass, strlen(oldpass)+1);
484 } else {
485 ret = secrets_delete(machine_prev_password_keystr(domain));
486 }
487 if (!ret) {
488 TALLOC_FREE(frame);
489 return ret;
490 }
491
492 if (secure_channel_type == 0) {
493 /* We delete this and instead have the read code fall back to
494 * a default based on server role, as our caller can't specify
495 * this with any more certainty */
496 ret = secrets_delete(machine_sec_channel_type_keystr(domain));
497 if (!ret) {
498 TALLOC_FREE(frame);
499 return ret;
500 }
501 } else {
502 SIVAL(&sec_channel_bytes, 0, secure_channel_type);
503 ret = secrets_store(machine_sec_channel_type_keystr(domain),
504 &sec_channel_bytes, sizeof(sec_channel_bytes));
505 if (!ret) {
506 TALLOC_FREE(frame);
507 return ret;
508 }
509 }
510
511 SIVAL(&last_change_time_store, 0, last_change_time);
512 ret = secrets_store(machine_last_change_time_keystr(domain),
513 &last_change_time_store, sizeof(last_change_time));
514
515 if (!ret) {
516 TALLOC_FREE(frame);
517 return ret;
518 }
519
520 ret = secrets_store_domain_sid(domain, domain_sid);
521
522 if (!ret) {
523 TALLOC_FREE(frame);
524 return ret;
525 }
526
527 if (realm != NULL) {
528 char *key = des_salt_key(realm);
529
530 if (salting_principal != NULL) {
531 ret = secrets_store(key,
532 salting_principal,
533 strlen(salting_principal)+1);
534 } else {
535 ret = secrets_delete(key);
536 }
537 }
538
539 TALLOC_FREE(frame);
540 return ret;
541 }
542
543 /************************************************************************
544 Return the standard DES salt key
545 ************************************************************************/
546
547 char* kerberos_standard_des_salt( void )
548 {
549 fstring salt;
550
551 fstr_sprintf( salt, "host/%s.%s@", lp_netbios_name(), lp_realm() );
552 (void)strlower_m( salt );
553 fstrcat( salt, lp_realm() );
554
555 return SMB_STRDUP( salt );
556 }
557
558 /************************************************************************
559 ************************************************************************/
560
561 static char *des_salt_key(const char *realm)
562 {
563 char *keystr;
564
565 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/DES/%s",
566 SECRETS_SALTING_PRINCIPAL,
567 realm);
568 SMB_ASSERT(keystr != NULL);
569 return keystr;
570 }
571
572 /************************************************************************
573 ************************************************************************/
574
575 bool kerberos_secrets_store_des_salt( const char* salt )
576 {
577 char* key;
578 bool ret;
579
580 key = des_salt_key(lp_realm());
581 if (key == NULL) {
582 DEBUG(0,("kerberos_secrets_store_des_salt: failed to generate key!\n"));
583 return False;
584 }
585
586 if ( !salt ) {
587 DEBUG(8,("kerberos_secrets_store_des_salt: deleting salt\n"));
588 secrets_delete_entry( key );
589 return True;
590 }
591
592 DEBUG(3,("kerberos_secrets_store_des_salt: Storing salt \"%s\"\n", salt));
593
594 ret = secrets_store( key, salt, strlen(salt)+1 );
595
596 TALLOC_FREE(key);
597
598 return ret;
599 }
600
601 /************************************************************************
602 ************************************************************************/
603
604 static
605 char* kerberos_secrets_fetch_des_salt( void )
606 {
607 char *salt, *key;
608
609 key = des_salt_key(lp_realm());
610 if (key == NULL) {
611 DEBUG(0,("kerberos_secrets_fetch_des_salt: failed to generate key!\n"));
612 return NULL;
613 }
614
615 salt = (char*)secrets_fetch( key, NULL );
616
617 TALLOC_FREE(key);
618
619 return salt;
620 }
621
622 /************************************************************************
623 Routine to get the salting principal for this service.
624 Caller must free if return is not null.
625 ************************************************************************/
626
627 char *kerberos_secrets_fetch_salt_princ(void)
628 {
629 char *salt_princ_s;
630 /* lookup new key first */
631
632 salt_princ_s = kerberos_secrets_fetch_des_salt();
633 if (salt_princ_s == NULL) {
634 /* fall back to host/machine.realm@REALM */
635 salt_princ_s = kerberos_standard_des_salt();
636 }
637
638 return salt_princ_s;
639 }
640
641 /************************************************************************
642 Routine to fetch the previous plaintext machine account password for a realm
643 the password is assumed to be a null terminated ascii string.
644 ************************************************************************/
645
646 char *secrets_fetch_prev_machine_password(const char *domain)
647 {
648 return (char *)secrets_fetch(machine_prev_password_keystr(domain), NULL);
649 }
650
651 /************************************************************************
652 Routine to fetch the last change time of the machine account password
653 for a realm
654 ************************************************************************/
655
656 time_t secrets_fetch_pass_last_set_time(const char *domain)
657 {
658 uint32_t *last_set_time;
659 time_t pass_last_set_time;
660
661 last_set_time = secrets_fetch(machine_last_change_time_keystr(domain),
662 NULL);
663 if (last_set_time) {
664 pass_last_set_time = IVAL(last_set_time,0);
665 SAFE_FREE(last_set_time);
666 } else {
667 pass_last_set_time = 0;
668 }
669
670 return pass_last_set_time;
671 }
672
673 /************************************************************************
674 Routine to fetch the plaintext machine account password for a realm
675 the password is assumed to be a null terminated ascii string.
676 ************************************************************************/
677
678 char *secrets_fetch_machine_password(const char *domain,
679 time_t *pass_last_set_time,
680 enum netr_SchannelType *channel)
681 {
682 char *ret;
683 ret = (char *)secrets_fetch(machine_password_keystr(domain), NULL);
684
685 if (pass_last_set_time) {
686 *pass_last_set_time = secrets_fetch_pass_last_set_time(domain);
687 }
688
689 if (channel) {
690 size_t size;
691 uint32_t *channel_type;
692 channel_type = (unsigned int *)secrets_fetch(machine_sec_channel_type_keystr(domain), &size);
693 if (channel_type) {
694 *channel = IVAL(channel_type,0);
695 SAFE_FREE(channel_type);
696 } else {
697 *channel = get_default_sec_channel();
698 }
699 }
700
701 return ret;
702 }
703
704 static char *domain_info_keystr(const char *domain)
705 {
706 char *keystr;
707
708 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
709 SECRETS_MACHINE_DOMAIN_INFO,
710 domain);
711 SMB_ASSERT(keystr != NULL);
712 return keystr;
713 }
714
715 /************************************************************************
716 Routine to get account password to trusted domain
717 ************************************************************************/
718
719 static NTSTATUS secrets_fetch_domain_info1_by_key(const char *key,
720 TALLOC_CTX *mem_ctx,
721 struct secrets_domain_info1 **_info1)
722 {
723 struct secrets_domain_infoB sdib = { .version = 0, };
724 enum ndr_err_code ndr_err;
725 /* unpacking structures */
726 DATA_BLOB blob;
727
728 /* fetching trusted domain password structure */
729 blob.data = (uint8_t *)secrets_fetch(key, &blob.length);
730 if (blob.data == NULL) {
731 DBG_NOTICE("secrets_fetch failed!\n");
732 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
733 }
734
735 /* unpack trusted domain password */
736 ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, &sdib,
737 (ndr_pull_flags_fn_t)ndr_pull_secrets_domain_infoB);
738 SAFE_FREE(blob.data);
739 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
740 DBG_ERR("ndr_pull_struct_blob failed - %s!\n",
741 ndr_errstr(ndr_err));
742 return NT_STATUS_INTERNAL_DB_CORRUPTION;
743 }
744
745 if (sdib.version != SECRETS_DOMAIN_INFO_VERSION_1) {
746 DBG_ERR("sdib.version = %u\n", (unsigned)sdib.version);
747 return NT_STATUS_INTERNAL_DB_CORRUPTION;
748 }
749
750 *_info1 = sdib.info.info1;
751 return NT_STATUS_OK;;
752 }
753
754 static NTSTATUS secrets_fetch_domain_info(const char *domain,
755 TALLOC_CTX *mem_ctx,
756 struct secrets_domain_info1 **pinfo)
757 {
758 char *key = domain_info_keystr(domain);
759 return secrets_fetch_domain_info1_by_key(key, mem_ctx, pinfo);
760 }
761
762 void secrets_debug_domain_info(int lvl, const struct secrets_domain_info1 *info1,
763 const char *name)
764 {
765 struct secrets_domain_infoB sdib = {
766 .version = SECRETS_DOMAIN_INFO_VERSION_1,
767 };
768
769 sdib.info.info1 = discard_const_p(struct secrets_domain_info1, info1);
770
771 ndr_print_debug((ndr_print_fn_t)ndr_print_secrets_domain_infoB,
772 name, &sdib);
773 }
774
775 char *secrets_domain_info_string(TALLOC_CTX *mem_ctx, const struct secrets_domain_info1 *info1,
776 const char *name, bool include_secrets)
777 {
778 TALLOC_CTX *frame = talloc_stackframe();
779 struct secrets_domain_infoB sdib = {
780 .version = SECRETS_DOMAIN_INFO_VERSION_1,
781 };
782 struct ndr_print *ndr = NULL;
783 char *ret = NULL;
784
785 sdib.info.info1 = discard_const_p(struct secrets_domain_info1, info1);
786
787 ndr = talloc_zero(frame, struct ndr_print);
788 if (ndr == NULL) {
789 TALLOC_FREE(frame);
790 return NULL;
791 }
792 ndr->private_data = talloc_strdup(ndr, "");
793 if (ndr->private_data == NULL) {
794 TALLOC_FREE(frame);
795 return NULL;
796 }
797 ndr->print = ndr_print_string_helper;
798 ndr->depth = 1;
799 ndr->print_secrets = include_secrets;
800
801 ndr_print_secrets_domain_infoB(ndr, name, &sdib);
802 ret = talloc_steal(mem_ctx, (char *)ndr->private_data);
803 TALLOC_FREE(frame);
804 return ret;
805 }
806
807 static NTSTATUS secrets_store_domain_info1_by_key(const char *key,
808 const struct secrets_domain_info1 *info1)
809 {
810 struct secrets_domain_infoB sdib = {
811 .version = SECRETS_DOMAIN_INFO_VERSION_1,
812 };
813 /* packing structures */
814 DATA_BLOB blob;
815 enum ndr_err_code ndr_err;
816 bool ok;
817
818 sdib.info.info1 = discard_const_p(struct secrets_domain_info1, info1);
819
820 ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), &sdib,
821 (ndr_push_flags_fn_t)ndr_push_secrets_domain_infoB);
822 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
823 return ndr_map_error2ntstatus(ndr_err);
824 }
825
826 ok = secrets_store(key, blob.data, blob.length);
827 data_blob_clear_free(&blob);
828 if (!ok) {
829 return NT_STATUS_INTERNAL_DB_ERROR;
830 }
831
832 return NT_STATUS_OK;
833 }
834
835 static NTSTATUS secrets_store_domain_info(const struct secrets_domain_info1 *info,
836 bool upgrade)
837 {
838 TALLOC_CTX *frame = talloc_stackframe();
839 const char *domain = info->domain_info.name.string;
840 const char *realm = info->domain_info.dns_domain.string;
841 char *key = domain_info_keystr(domain);
842 struct db_context *db = NULL;
843 struct timeval last_change_tv;
844 const DATA_BLOB *cleartext_blob = NULL;
845 DATA_BLOB pw_blob = data_blob_null;
846 DATA_BLOB old_pw_blob = data_blob_null;
847 const char *pw = NULL;
848 const char *old_pw = NULL;
849 bool ok;
850 NTSTATUS status;
851 int ret;
852 int role = lp_server_role();
853
854 switch (info->secure_channel_type) {
855 case SEC_CHAN_WKSTA:
856 case SEC_CHAN_BDC:
857 if (!upgrade && role >= ROLE_ACTIVE_DIRECTORY_DC) {
858 DBG_ERR("AD_DC not supported for %s\n",
859 domain);
860 TALLOC_FREE(frame);
861 return NT_STATUS_INTERNAL_ERROR;
862 }
863
864 break;
865 default:
866 DBG_ERR("SEC_CHAN_* not supported for %s\n",
867 domain);
868 TALLOC_FREE(frame);
869 return NT_STATUS_INTERNAL_ERROR;
870 }
871
872 db = secrets_db_ctx();
873
874 ret = dbwrap_transaction_start(db);
875 if (ret != 0) {
876 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
877 domain);
878 TALLOC_FREE(frame);
879 return NT_STATUS_INTERNAL_DB_ERROR;
880 }
881
882 ok = secrets_clear_domain_protection(domain);
883 if (!ok) {
884 DBG_ERR("secrets_clear_domain_protection(%s) failed\n",
885 domain);
886 dbwrap_transaction_cancel(db);
887 TALLOC_FREE(frame);
888 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
889 }
890
891 ok = secrets_delete_machine_password_ex(domain, realm);
892 if (!ok) {
893 DBG_ERR("secrets_delete_machine_password_ex(%s) failed\n",
894 domain);
895 dbwrap_transaction_cancel(db);
896 TALLOC_FREE(frame);
897 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
898 }
899
900 status = secrets_store_domain_info1_by_key(key, info);
901 if (!NT_STATUS_IS_OK(status)) {
902 DBG_ERR("secrets_store_domain_info1_by_key() failed "
903 "for %s - %s\n", domain, nt_errstr(status));
904 dbwrap_transaction_cancel(db);
905 TALLOC_FREE(frame);
906 return status;
907 }
908
909 /*
910 * We use info->password_last_change instead
911 * of info->password.change_time because
912 * we may want to defer the next change approach
913 * if the server rejected the change the last time,
914 * e.g. due to RefusePasswordChange=1.
915 */
916 nttime_to_timeval(&last_change_tv, info->password_last_change);
917
918 cleartext_blob = &info->password->cleartext_blob;
919 ok = convert_string_talloc(frame, CH_UTF16MUNGED, CH_UNIX,
920 cleartext_blob->data,
921 cleartext_blob->length,
922 (void **)&pw_blob.data,
923 &pw_blob.length);
924 if (!ok) {
925 status = NT_STATUS_UNMAPPABLE_CHARACTER;
926 if (errno == ENOMEM) {
927 status = NT_STATUS_NO_MEMORY;
928 }
929 DBG_ERR("convert_string_talloc(CH_UTF16MUNGED, CH_UNIX) "
930 "failed for pw of %s - %s\n",
931 domain, nt_errstr(status));
932 dbwrap_transaction_cancel(db);
933 TALLOC_FREE(frame);
934 return status;
935 }
936 pw = (const char *)pw_blob.data;
937 if (info->old_password != NULL) {
938 cleartext_blob = &info->old_password->cleartext_blob;
939 ok = convert_string_talloc(frame, CH_UTF16MUNGED, CH_UNIX,
940 cleartext_blob->data,
941 cleartext_blob->length,
942 (void **)&old_pw_blob.data,
943 &old_pw_blob.length);
944 if (!ok) {
945 status = NT_STATUS_UNMAPPABLE_CHARACTER;
946 if (errno == ENOMEM) {
947 status = NT_STATUS_NO_MEMORY;
948 }
949 DBG_ERR("convert_string_talloc(CH_UTF16MUNGED, CH_UNIX) "
950 "failed for old_pw of %s - %s\n",
951 domain, nt_errstr(status));
952 dbwrap_transaction_cancel(db);
953 data_blob_clear_free(&pw_blob);
954 TALLOC_FREE(frame);
955 return status;
956 }
957 old_pw = (const char *)old_pw_blob.data;
958 }
959
960 ok = secrets_store_machine_pw_sync(pw, old_pw,
961 domain, realm,
962 info->salt_principal,
963 info->supported_enc_types,
964 info->domain_info.sid,
965 last_change_tv.tv_sec,
966 info->secure_channel_type,
967 false); /* delete_join */
968 data_blob_clear_free(&pw_blob);
969 data_blob_clear_free(&old_pw_blob);
970 if (!ok) {
971 DBG_ERR("secrets_store_machine_pw_sync(%s) failed\n",
972 domain);
973 dbwrap_transaction_cancel(db);
974 TALLOC_FREE(frame);
975 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
976 }
977
978 if (!GUID_all_zero(&info->domain_info.domain_guid)) {
979 ok = secrets_store_domain_guid(domain,
980 &info->domain_info.domain_guid);
981 if (!ok) {
982 DBG_ERR("secrets_store_domain_guid(%s) failed\n",
983 domain);
984 dbwrap_transaction_cancel(db);
985 TALLOC_FREE(frame);
986 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
987 }
988 }
989
990 ok = secrets_mark_domain_protected(domain);
991 if (!ok) {
992 DBG_ERR("secrets_mark_domain_protected(%s) failed\n",
993 domain);
994 dbwrap_transaction_cancel(db);
995 TALLOC_FREE(frame);
996 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
997 }
998
999 ret = dbwrap_transaction_commit(db);
1000 if (ret != 0) {
1001 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
1002 domain);
1003 TALLOC_FREE(frame);
1004 return NT_STATUS_INTERNAL_DB_ERROR;
1005 }
1006
1007 TALLOC_FREE(frame);
1008 return NT_STATUS_OK;
1009 }
1010
1011 static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_password *p,
1012 const char *salt_principal)
1013 {
1014 #ifdef HAVE_ADS
1015 krb5_error_code krb5_ret;
1016 krb5_context krb5_ctx = NULL;
1017 DATA_BLOB cleartext_utf8_b = data_blob_null;
1018 krb5_data cleartext_utf8;
1019 krb5_data salt;
1020 krb5_keyblock key;
1021 DATA_BLOB aes_256_b = data_blob_null;
1022 DATA_BLOB aes_128_b = data_blob_null;
1023 DATA_BLOB des_md5_b = data_blob_null;
1024 bool ok;
1025 #endif /* HAVE_ADS */
1026 DATA_BLOB arc4_b = data_blob_null;
1027 const uint16_t max_keys = 4;
1028 struct secrets_domain_info1_kerberos_key *keys = NULL;
1029 uint16_t idx = 0;
1030 char *salt_data = NULL;
1031
1032 /*
1033 * We calculate:
1034 * ENCTYPE_AES256_CTS_HMAC_SHA1_96
1035 * ENCTYPE_AES128_CTS_HMAC_SHA1_96
1036 * ENCTYPE_ARCFOUR_HMAC
1037 * ENCTYPE_DES_CBC_MD5
1038 *
1039 * We don't include ENCTYPE_DES_CBC_CRC
1040 * as W2008R2 also doesn't store it anymore.
1041 *
1042 * Note we store all enctypes we support,
1043 * including the weak encryption types,
1044 * but that's no problem as we also
1045 * store the cleartext password anyway.
1046 *
1047 * Which values are then used to construct
1048 * a keytab is configured at runtime and the
1049 * configuration of msDS-SupportedEncryptionTypes.
1050 *
1051 * If we don't have kerberos support or no
1052 * salt, we only generate an entry for arcfour-hmac-md5.
1053 */
1054 keys = talloc_zero_array(p,
1055 struct secrets_domain_info1_kerberos_key,
1056 max_keys);
1057 if (keys == NULL) {
1058 return ENOMEM;
1059 }
1060
1061 arc4_b = data_blob_talloc(keys,
1062 p->nt_hash.hash,
1063 sizeof(p->nt_hash.hash));
1064 if (arc4_b.data == NULL) {
1065 DBG_ERR("data_blob_talloc failed for arcfour-hmac-md5.\n");
1066 TALLOC_FREE(keys);
1067 return ENOMEM;
1068 }
1069
1070 #ifdef HAVE_ADS
1071 if (salt_principal == NULL) {
1072 goto no_kerberos;
1073 }
1074
1075 initialize_krb5_error_table();
1076 krb5_ret = krb5_init_context(&krb5_ctx);
1077 if (krb5_ret != 0) {
1078 TALLOC_FREE(keys);
1079 return krb5_ret;
1080 }
1081
1082 krb5_ret = smb_krb5_salt_principal2data(krb5_ctx, salt_principal,
1083 p, &salt_data);
1084 if (krb5_ret != 0) {
1085 DBG_ERR("smb_krb5_salt_principal2data(%s) failed: %s\n",
1086 salt_principal,
1087 smb_get_krb5_error_message(krb5_ctx, krb5_ret, keys));
1088 krb5_free_context(krb5_ctx);
1089 TALLOC_FREE(keys);
1090 return krb5_ret;
1091 }
1092
1093 salt = (krb5_data) {
1094 .data = discard_const(salt_data),
1095 .length = strlen(salt_data),
1096 };
1097
1098 ok = convert_string_talloc(keys, CH_UTF16MUNGED, CH_UTF8,
1099 p->cleartext_blob.data,
1100 p->cleartext_blob.length,
1101 (void **)&cleartext_utf8_b.data,
1102 &cleartext_utf8_b.length);
1103 if (!ok) {
1104 if (errno != 0) {
1105 krb5_ret = errno;
1106 } else {
1107 krb5_ret = EINVAL;
1108 }
1109 krb5_free_context(krb5_ctx);
1110 TALLOC_FREE(keys);
1111 return krb5_ret;
1112 }
1113 cleartext_utf8.data = (void *)cleartext_utf8_b.data;
1114 cleartext_utf8.length = cleartext_utf8_b.length;
1115
1116 krb5_ret = smb_krb5_create_key_from_string(krb5_ctx,
1117 NULL,
1118 &salt,
1119 &cleartext_utf8,
1120 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
1121 &key);
1122 if (krb5_ret != 0) {
1123 DBG_ERR("generation of a aes256-cts-hmac-sha1-96 key failed: %s\n",
1124 smb_get_krb5_error_message(krb5_ctx, krb5_ret, keys));
1125 krb5_free_context(krb5_ctx);
1126 TALLOC_FREE(keys);
1127 TALLOC_FREE(salt_data);
1128 return krb5_ret;
1129 }
1130 aes_256_b = data_blob_talloc(keys,
1131 KRB5_KEY_DATA(&key),
1132 KRB5_KEY_LENGTH(&key));
1133 krb5_free_keyblock_contents(krb5_ctx, &key);
1134 if (aes_256_b.data == NULL) {
1135 DBG_ERR("data_blob_talloc failed for aes-256.\n");
1136 krb5_free_context(krb5_ctx);
1137 TALLOC_FREE(keys);
1138 TALLOC_FREE(salt_data);
1139 return ENOMEM;
1140 }
1141
1142 krb5_ret = smb_krb5_create_key_from_string(krb5_ctx,
1143 NULL,
1144 &salt,
1145 &cleartext_utf8,
1146 ENCTYPE_AES128_CTS_HMAC_SHA1_96,
1147 &key);
1148 if (krb5_ret != 0) {
1149 DBG_ERR("generation of a aes128-cts-hmac-sha1-96 key failed: %s\n",
1150 smb_get_krb5_error_message(krb5_ctx, krb5_ret, keys));
1151 krb5_free_context(krb5_ctx);
1152 TALLOC_FREE(keys);
1153 TALLOC_FREE(salt_data);
1154 return krb5_ret;
1155 }
1156 aes_128_b = data_blob_talloc(keys,
1157 KRB5_KEY_DATA(&key),
1158 KRB5_KEY_LENGTH(&key));
1159 krb5_free_keyblock_contents(krb5_ctx, &key);
1160 if (aes_128_b.data == NULL) {
1161 DBG_ERR("data_blob_talloc failed for aes-128.\n");
1162 krb5_free_context(krb5_ctx);
1163 TALLOC_FREE(keys);
1164 TALLOC_FREE(salt_data);
1165 return ENOMEM;
1166 }
1167
1168 krb5_ret = smb_krb5_create_key_from_string(krb5_ctx,
1169 NULL,
1170 &salt,
1171 &cleartext_utf8,
1172 ENCTYPE_DES_CBC_MD5,
1173 &key);
1174 if (krb5_ret != 0) {
1175 DBG_ERR("generation of a des-cbc-md5 key failed: %s\n",
1176 smb_get_krb5_error_message(krb5_ctx, krb5_ret, keys));
1177 krb5_free_context(krb5_ctx);
1178 TALLOC_FREE(keys);
1179 TALLOC_FREE(salt_data);
1180 return krb5_ret;
1181 }
1182 des_md5_b = data_blob_talloc(keys,
1183 KRB5_KEY_DATA(&key),
1184 KRB5_KEY_LENGTH(&key));
1185 krb5_free_keyblock_contents(krb5_ctx, &key);
1186 if (des_md5_b.data == NULL) {
1187 DBG_ERR("data_blob_talloc failed for des-cbc-md5.\n");
1188 krb5_free_context(krb5_ctx);
1189 TALLOC_FREE(keys);
1190 TALLOC_FREE(salt_data);
1191 return ENOMEM;
1192 }
1193
1194 krb5_free_context(krb5_ctx);
1195 no_kerberos:
1196
1197 if (aes_256_b.length != 0) {
1198 keys[idx].keytype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
1199 keys[idx].iteration_count = 4096;
1200 keys[idx].value = aes_256_b;
1201 idx += 1;
1202 }
1203
1204 if (aes_128_b.length != 0) {
1205 keys[idx].keytype = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
1206 keys[idx].iteration_count = 4096;
1207 keys[idx].value = aes_128_b;
1208 idx += 1;
1209 }
1210
1211 #endif /* HAVE_ADS */
1212
1213 keys[idx].keytype = ENCTYPE_ARCFOUR_HMAC;
1214 keys[idx].iteration_count = 4096;
1215 keys[idx].value = arc4_b;
1216 idx += 1;
1217
1218 #ifdef HAVE_ADS
1219 if (des_md5_b.length != 0) {
1220 keys[idx].keytype = ENCTYPE_DES_CBC_MD5;
1221 keys[idx].iteration_count = 4096;
1222 keys[idx].value = des_md5_b;
1223 idx += 1;
1224 }
1225 #endif /* HAVE_ADS */
1226
1227 p->salt_data = salt_data;
1228 p->default_iteration_count = 4096;
1229 p->num_keys = idx;
1230 p->keys = keys;
1231 return 0;
1232 }
1233
1234 static NTSTATUS secrets_domain_info_password_create(TALLOC_CTX *mem_ctx,
1235 const char *cleartext_unix,
1236 const char *salt_principal,
1237 NTTIME change_time,
1238 const char *change_server,
1239 struct secrets_domain_info1_password **_p)
1240 {
1241 struct secrets_domain_info1_password *p = NULL;
1242 bool ok;
1243 size_t len;
1244 int ret;
1245
1246 if (change_server == NULL) {
1247 return NT_STATUS_INVALID_PARAMETER_MIX;
1248 }
1249
1250 p = talloc_zero(mem_ctx, struct secrets_domain_info1_password);
1251 if (p == NULL) {
1252 return NT_STATUS_NO_MEMORY;
1253 }
1254 p->change_time = change_time;
1255 p->change_server = talloc_strdup(p, change_server);
1256 if (p->change_server == NULL) {
1257 TALLOC_FREE(p);
1258 return NT_STATUS_NO_MEMORY;
1259 }
1260 len = strlen(cleartext_unix);
1261 ok = convert_string_talloc(p, CH_UNIX, CH_UTF16,
1262 cleartext_unix, len,
1263 (void **)&p->cleartext_blob.data,
1264 &p->cleartext_blob.length);
1265 if (!ok) {
1266 NTSTATUS status = NT_STATUS_UNMAPPABLE_CHARACTER;
1267 if (errno == ENOMEM) {
1268 status = NT_STATUS_NO_MEMORY;
1269 }
1270 TALLOC_FREE(p);
1271 return status;
1272 }
1273 mdfour(p->nt_hash.hash,
1274 p->cleartext_blob.data,
1275 p->cleartext_blob.length);
1276
1277 ret = secrets_domain_info_kerberos_keys(p, salt_principal);
1278 if (ret != 0) {
1279 NTSTATUS status = krb5_to_nt_status(ret);
1280 TALLOC_FREE(p);
1281 return status;
1282 }
1283
1284 *_p = p;
1285 return NT_STATUS_OK;
1286 }
1287
1288 NTSTATUS secrets_fetch_or_upgrade_domain_info(const char *domain,
1289 TALLOC_CTX *mem_ctx,
1290 struct secrets_domain_info1 **pinfo)
1291 {
1292 TALLOC_CTX *frame = NULL;
1293 struct secrets_domain_info1 *old = NULL;
1294 struct secrets_domain_info1 *info = NULL;
1295 const char *dns_domain = NULL;
1296 const char *server = NULL;
1297 struct db_context *db = NULL;
1298 time_t last_set_time;
1299 NTTIME last_set_nt;
1300 enum netr_SchannelType channel;
1301 char *pw = NULL;
1302 char *old_pw = NULL;
1303 struct dom_sid domain_sid;
1304 struct GUID domain_guid;
1305 bool ok;
1306 NTSTATUS status;
1307 int ret;
1308
1309 ok = strequal(domain, lp_workgroup());
1310 if (ok) {
1311 dns_domain = lp_dnsdomain();
1312
1313 if (dns_domain != NULL && dns_domain[0] == '\0') {
1314 dns_domain = NULL;
1315 }
1316 }
1317
1318 last_set_time = secrets_fetch_pass_last_set_time(domain);
1319 if (last_set_time == 0) {
1320 return NT_STATUS_OK;
1321 }
1322 unix_to_nt_time(&last_set_nt, last_set_time);
1323
1324 frame = talloc_stackframe();
1325
1326 status = secrets_fetch_domain_info(domain, frame, &old);
1327 if (NT_STATUS_IS_OK(status)) {
1328 if (old->password_last_change >= last_set_nt) {
1329 *pinfo = talloc_move(mem_ctx, &old);
1330 TALLOC_FREE(frame);
1331 return NT_STATUS_OK;
1332 }
1333 TALLOC_FREE(old);
1334 }
1335
1336 info = talloc_zero(frame, struct secrets_domain_info1);
1337 if (info == NULL) {
1338 DBG_ERR("talloc_zero failed\n");
1339 TALLOC_FREE(frame);
1340 return NT_STATUS_NO_MEMORY;
1341 }
1342
1343 db = secrets_db_ctx();
1344
1345 ret = dbwrap_transaction_start(db);
1346 if (ret != 0) {
1347 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
1348 domain);
1349 TALLOC_FREE(frame);
1350 return NT_STATUS_INTERNAL_DB_ERROR;
1351 }
1352
1353 pw = secrets_fetch_machine_password(domain,
1354 &last_set_time,
1355 &channel);
1356 if (pw == NULL) {
1357 DBG_ERR("secrets_fetch_machine_password(%s) failed\n",
1358 domain);
1359 dbwrap_transaction_cancel(db);
1360 TALLOC_FREE(frame);
1361 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1362 }
1363 unix_to_nt_time(&last_set_nt, last_set_time);
1364
1365 old_pw = secrets_fetch_prev_machine_password(domain);
1366
1367 ok = secrets_fetch_domain_sid(domain, &domain_sid);
1368 if (!ok) {
1369 DBG_ERR("secrets_fetch_domain_sid(%s) failed\n",
1370 domain);
1371 dbwrap_transaction_cancel(db);
1372 SAFE_FREE(old_pw);
1373 SAFE_FREE(pw);
1374 TALLOC_FREE(frame);
1375 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1376 }
1377
1378 ok = secrets_fetch_domain_guid(domain, &domain_guid);
1379 if (!ok) {
1380 domain_guid = GUID_zero();
1381 }
1382
1383 info->computer_name = lp_netbios_name();
1384 info->account_name = talloc_asprintf(frame, "%s$", info->computer_name);
1385 if (info->account_name == NULL) {
1386 DBG_ERR("talloc_asprintf(%s$) failed\n", info->computer_name);
1387 dbwrap_transaction_cancel(db);
1388 SAFE_FREE(old_pw);
1389 SAFE_FREE(pw);
1390 TALLOC_FREE(frame);
1391 return NT_STATUS_NO_MEMORY;
1392 }
1393 info->secure_channel_type = channel;
1394
1395 info->domain_info.name.string = domain;
1396 info->domain_info.dns_domain.string = dns_domain;
1397 info->domain_info.dns_forest.string = dns_domain;
1398 info->domain_info.domain_guid = domain_guid;
1399 info->domain_info.sid = &domain_sid;
1400
1401 info->trust_flags = NETR_TRUST_FLAG_PRIMARY;
1402 info->trust_flags |= NETR_TRUST_FLAG_OUTBOUND;
1403
1404 if (dns_domain != NULL) {
1405 /*
1406 * We just assume all AD domains are
1407 * NETR_TRUST_FLAG_NATIVE these days.
1408 *
1409 * This isn't used anyway for now.
1410 */
1411 info->trust_flags |= NETR_TRUST_FLAG_NATIVE;
1412
1413 info->trust_type = LSA_TRUST_TYPE_UPLEVEL;
1414
1415 server = info->domain_info.dns_domain.string;
1416 } else {
1417 info->trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
1418
1419 server = talloc_asprintf(info,
1420 "%s#%02X",
1421 domain,
1422 NBT_NAME_PDC);
1423 if (server == NULL) {
1424 DBG_ERR("talloc_asprintf(%s#%02X) failed\n",
1425 domain, NBT_NAME_PDC);
1426 dbwrap_transaction_cancel(db);
1427 SAFE_FREE(pw);
1428 SAFE_FREE(old_pw);
1429 TALLOC_FREE(frame);
1430 return NT_STATUS_NO_MEMORY;
1431 }
1432 }
1433 info->trust_attributes = LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL;
1434
1435 info->join_time = 0;
1436
1437 /*
1438 * We don't have enough information about the configured
1439 * enctypes.
1440 */
1441 info->supported_enc_types = 0;
1442 info->salt_principal = NULL;
1443 if (info->trust_type == LSA_TRUST_TYPE_UPLEVEL) {
1444 char *p = NULL;
1445
1446 p = kerberos_secrets_fetch_salt_princ();
1447 if (p == NULL) {
1448 dbwrap_transaction_cancel(db);
1449 SAFE_FREE(old_pw);
1450 SAFE_FREE(pw);
1451 TALLOC_FREE(frame);
1452 return NT_STATUS_INTERNAL_ERROR;
1453 }
1454 info->salt_principal = talloc_strdup(info, p);
1455 SAFE_FREE(p);
1456 if (info->salt_principal == NULL) {
1457 dbwrap_transaction_cancel(db);
1458 SAFE_FREE(pw);
1459 SAFE_FREE(old_pw);
1460 TALLOC_FREE(frame);
1461 return NT_STATUS_NO_MEMORY;
1462 }
1463 }
1464
1465 info->password_last_change = last_set_nt;
1466 info->password_changes = 1;
1467 info->next_change = NULL;
1468
1469 status = secrets_domain_info_password_create(info,
1470 pw,
1471 info->salt_principal,
1472 last_set_nt, server,
1473 &info->password);
1474 SAFE_FREE(pw);
1475 if (!NT_STATUS_IS_OK(status)) {
1476 DBG_ERR("secrets_domain_info_password_create(pw) failed "
1477 "for %s - %s\n", domain, nt_errstr(status));
1478 dbwrap_transaction_cancel(db);
1479 SAFE_FREE(old_pw);
1480 TALLOC_FREE(frame);
1481 return status;
1482 }
1483
1484 /*
1485 * After a join we don't have old passwords.
1486 */
1487 if (old_pw != NULL) {
1488 status = secrets_domain_info_password_create(info,
1489 old_pw,
1490 info->salt_principal,
1491 0, server,
1492 &info->old_password);
1493 SAFE_FREE(old_pw);
1494 if (!NT_STATUS_IS_OK(status)) {
1495 DBG_ERR("secrets_domain_info_password_create(old) failed "
1496 "for %s - %s\n", domain, nt_errstr(status));
1497 dbwrap_transaction_cancel(db);
1498 TALLOC_FREE(frame);
1499 return status;
1500 }
1501 info->password_changes += 1;
1502 } else {
1503 info->old_password = NULL;
1504 }
1505 info->older_password = NULL;
1506
1507 secrets_debug_domain_info(DBGLVL_INFO, info, "upgrade");
1508
1509 status = secrets_store_domain_info(info, true /* upgrade */);
1510 if (!NT_STATUS_IS_OK(status)) {
1511 DBG_ERR("secrets_store_domain_info() failed "
1512 "for %s - %s\n", domain, nt_errstr(status));
1513 dbwrap_transaction_cancel(db);
1514 TALLOC_FREE(frame);
1515 return status;
1516 }
1517
1518 /*
1519 * We now reparse it.
1520 */
1521 status = secrets_fetch_domain_info(domain, frame, &info);
1522 if (!NT_STATUS_IS_OK(status)) {
1523 DBG_ERR("secrets_fetch_domain_info() failed "
1524 "for %s - %s\n", domain, nt_errstr(status));
1525 dbwrap_transaction_cancel(db);
1526 TALLOC_FREE(frame);
1527 return status;
1528 }
1529
1530 ret = dbwrap_transaction_commit(db);
1531 if (ret != 0) {
1532 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
1533 domain);
1534 dbwrap_transaction_cancel(db);
1535 TALLOC_FREE(frame);
1536 return NT_STATUS_INTERNAL_DB_ERROR;
1537 }
1538
1539 *pinfo = talloc_move(mem_ctx, &info);
1540 TALLOC_FREE(frame);
1541 return NT_STATUS_OK;
1542 }
1543
1544 NTSTATUS secrets_store_JoinCtx(const struct libnet_JoinCtx *r)
1545 {
1546 TALLOC_CTX *frame = talloc_stackframe();
1547 struct secrets_domain_info1 *old = NULL;
1548 struct secrets_domain_info1 *info = NULL;
1549 struct db_context *db = NULL;
1550 struct timeval tv = timeval_current();
1551 NTTIME now = timeval_to_nttime(&tv);
1552 const char *domain = r->out.netbios_domain_name;
1553 NTSTATUS status;
1554 int ret;
1555
1556 info = talloc_zero(frame, struct secrets_domain_info1);
1557 if (info == NULL) {
1558 DBG_ERR("talloc_zero failed\n");
1559 TALLOC_FREE(frame);
1560 return NT_STATUS_NO_MEMORY;
1561 }
1562
1563 info->computer_name = r->in.machine_name;
1564 info->account_name = r->out.account_name;
1565 info->secure_channel_type = r->in.secure_channel_type;
1566
1567 info->domain_info.name.string =
1568 r->out.netbios_domain_name;
1569 info->domain_info.dns_domain.string =
1570 r->out.dns_domain_name;
1571 info->domain_info.dns_forest.string =
1572 r->out.forest_name;
1573 info->domain_info.domain_guid = r->out.domain_guid;
1574 info->domain_info.sid = r->out.domain_sid;
1575
1576 info->trust_flags = NETR_TRUST_FLAG_PRIMARY;
1577 info->trust_flags |= NETR_TRUST_FLAG_OUTBOUND;
1578 if (r->out.domain_is_ad) {
1579 /*
1580 * We just assume all AD domains are
1581 * NETR_TRUST_FLAG_NATIVE these days.
1582 *
1583 * This isn't used anyway for now.
1584 */
1585 info->trust_flags |= NETR_TRUST_FLAG_NATIVE;
1586
1587 info->trust_type = LSA_TRUST_TYPE_UPLEVEL;
1588 } else {
1589 info->trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
1590 }
1591 info->trust_attributes = LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL;
1592
1593 info->join_time = now;
1594
1595 info->supported_enc_types = r->out.set_encryption_types;
1596 info->salt_principal = r->out.krb5_salt;
1597
1598 if (info->salt_principal == NULL && r->out.domain_is_ad) {
1599 char *p = NULL;
1600
1601 ret = smb_krb5_salt_principal(info->domain_info.dns_domain.string,
1602 info->account_name,
1603 NULL /* userPrincipalName */,
1604 true /* is_computer */,
1605 info, &p);
1606 if (ret != 0) {
1607 status = krb5_to_nt_status(ret);
1608 DBG_ERR("smb_krb5_salt_principal() failed "
1609 "for %s - %s\n", domain, nt_errstr(status));
1610 TALLOC_FREE(frame);
1611 return status;
1612 }
1613 info->salt_principal = p;
1614 }
1615
1616 info->password_last_change = now;
1617 info->password_changes = 1;
1618 info->next_change = NULL;
1619
1620 status = secrets_domain_info_password_create(info,
1621 r->in.machine_password,
1622 info->salt_principal,
1623 now, r->in.dc_name,
1624 &info->password);
1625 if (!NT_STATUS_IS_OK(status)) {
1626 DBG_ERR("secrets_domain_info_password_create(pw) failed "
1627 "for %s - %s\n", domain, nt_errstr(status));
1628 TALLOC_FREE(frame);
1629 return status;
1630 }
1631
1632 db = secrets_db_ctx();
1633
1634 ret = dbwrap_transaction_start(db);
1635 if (ret != 0) {
1636 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
1637 domain);
1638 TALLOC_FREE(frame);
1639 return NT_STATUS_INTERNAL_DB_ERROR;
1640 }
1641
1642 status = secrets_fetch_or_upgrade_domain_info(domain, frame, &old);
1643 if (NT_STATUS_EQUAL(status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
1644 DBG_DEBUG("no old join for domain(%s) available\n",
1645 domain);
1646 old = NULL;
1647 } else if (!NT_STATUS_IS_OK(status)) {
1648 DBG_ERR("secrets_fetch_or_upgrade_domain_info(%s) failed\n",
1649 domain);
1650 dbwrap_transaction_cancel(db);
1651 TALLOC_FREE(frame);
1652 return status;
1653 }
1654
1655 /*
1656 * We reuse values from an old join, so that
1657 * we still accept already granted kerberos tickets.
1658 */
1659 if (old != NULL) {
1660 info->old_password = old->password;
1661 info->older_password = old->old_password;
1662 }
1663
1664 secrets_debug_domain_info(DBGLVL_INFO, info, "join");
1665
1666 status = secrets_store_domain_info(info, false /* upgrade */);
1667 if (!NT_STATUS_IS_OK(status)) {
1668 DBG_ERR("secrets_store_domain_info() failed "
1669 "for %s - %s\n", domain, nt_errstr(status));
1670 dbwrap_transaction_cancel(db);
1671 TALLOC_FREE(frame);
1672 return status;
1673 }
1674
1675 ret = dbwrap_transaction_commit(db);
1676 if (ret != 0) {
1677 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
1678 domain);
1679 TALLOC_FREE(frame);
1680 return NT_STATUS_INTERNAL_DB_ERROR;
1681 }
1682
1683 TALLOC_FREE(frame);
1684 return NT_STATUS_OK;
1685 }
1686
1687 NTSTATUS secrets_prepare_password_change(const char *domain, const char *dcname,
1688 const char *cleartext_unix,
1689 TALLOC_CTX *mem_ctx,
1690 struct secrets_domain_info1 **pinfo,
1691 struct secrets_domain_info1_change **pprev)
1692 {
1693 TALLOC_CTX *frame = talloc_stackframe();
1694 struct db_context *db = NULL;
1695 struct secrets_domain_info1 *info = NULL;
1696 struct secrets_domain_info1_change *prev = NULL;
1697 struct secrets_domain_info1_change *next = NULL;
1698 struct timeval tv = timeval_current();
1699 NTTIME now = timeval_to_nttime(&tv);
1700 NTSTATUS status;
1701 int ret;
1702
1703 db = secrets_db_ctx();
1704
1705 ret = dbwrap_transaction_start(db);
1706 if (ret != 0) {
1707 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
1708 domain);
1709 TALLOC_FREE(frame);
1710 return NT_STATUS_INTERNAL_DB_ERROR;
1711 }
1712
1713 status = secrets_fetch_or_upgrade_domain_info(domain, frame, &info);
1714 if (!NT_STATUS_IS_OK(status)) {
1715 DBG_ERR("secrets_fetch_or_upgrade_domain_info(%s) failed\n",
1716 domain);
1717 dbwrap_transaction_cancel(db);
1718 TALLOC_FREE(frame);
1719 return status;
1720 }
1721
1722 prev = info->next_change;
1723 info->next_change = NULL;
1724
1725 next = talloc_zero(frame, struct secrets_domain_info1_change);
1726 if (next == NULL) {
1727 DBG_ERR("talloc_zero failed\n");
1728 TALLOC_FREE(frame);
1729 return NT_STATUS_NO_MEMORY;
1730 }
1731
1732 if (prev != NULL) {
1733 *next = *prev;
1734 } else {
1735 status = secrets_domain_info_password_create(next,
1736 cleartext_unix,
1737 info->salt_principal,
1738 now, dcname,
1739 &next->password);
1740 if (!NT_STATUS_IS_OK(status)) {
1741 DBG_ERR("secrets_domain_info_password_create(next) failed "
1742 "for %s - %s\n", domain, nt_errstr(status));
1743 dbwrap_transaction_cancel(db);
1744 TALLOC_FREE(frame);
1745 return status;
1746 }
1747 }
1748
1749 next->local_status = NT_STATUS_OK;
1750 next->remote_status = NT_STATUS_NOT_COMMITTED;
1751 next->change_time = now;
1752 next->change_server = dcname;
1753
1754 info->next_change = next;
1755
1756 secrets_debug_domain_info(DBGLVL_INFO, info, "prepare_change");
1757
1758 status = secrets_store_domain_info(info, false /* upgrade */);
1759 if (!NT_STATUS_IS_OK(status)) {
1760 DBG_ERR("secrets_store_domain_info() failed "
1761 "for %s - %s\n", domain, nt_errstr(status));
1762 dbwrap_transaction_cancel(db);
1763 TALLOC_FREE(frame);
1764 return status;
1765 }
1766
1767 /*
1768 * We now reparse it.
1769 */
1770 status = secrets_fetch_domain_info(domain, frame, &info);
1771 if (!NT_STATUS_IS_OK(status)) {
1772 DBG_ERR("secrets_fetch_domain_info(%s) failed\n", domain);
1773 dbwrap_transaction_cancel(db);
1774 TALLOC_FREE(frame);
1775 return status;
1776 }
1777
1778 ret = dbwrap_transaction_commit(db);
1779 if (ret != 0) {
1780 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
1781 domain);
1782 TALLOC_FREE(frame);
1783 return NT_STATUS_INTERNAL_DB_ERROR;
1784 }
1785
1786 *pinfo = talloc_move(mem_ctx, &info);
1787 if (prev != NULL) {
1788 *pprev = talloc_move(mem_ctx, &prev);
1789 } else {
1790 *pprev = NULL;
1791 }
1792
1793 TALLOC_FREE(frame);
1794 return NT_STATUS_OK;
1795 }
1796
1797 static NTSTATUS secrets_check_password_change(const struct secrets_domain_info1 *cookie,
1798 TALLOC_CTX *mem_ctx,
1799 struct secrets_domain_info1 **pstored)
1800 {
1801 const char *domain = cookie->domain_info.name.string;
1802 struct secrets_domain_info1 *stored = NULL;
1803 struct secrets_domain_info1_change *sn = NULL;
1804 struct secrets_domain_info1_change *cn = NULL;
1805 NTSTATUS status;
1806 int cmp;
1807
1808 if (cookie->next_change == NULL) {
1809 DBG_ERR("cookie->next_change == NULL for %s.\n", domain);
1810 return NT_STATUS_INTERNAL_ERROR;
1811 }
1812
1813 if (cookie->next_change->password == NULL) {
1814 DBG_ERR("cookie->next_change->password == NULL for %s.\n", domain);
1815 return NT_STATUS_INTERNAL_ERROR;
1816 }
1817
1818 if (cookie->password == NULL) {
1819 DBG_ERR("cookie->password == NULL for %s.\n", domain);
1820 return NT_STATUS_INTERNAL_ERROR;
1821 }
1822
1823 /*
1824 * Here we check that the given strucure still contains the
1825 * same secrets_domain_info1_change as currently stored.
1826 *
1827 * There's always a gap between secrets_prepare_password_change()
1828 * and the callers of secrets_check_password_change().
1829 */
1830
1831 status = secrets_fetch_domain_info(domain, mem_ctx, &stored);
1832 if (!NT_STATUS_IS_OK(status)) {
1833 DBG_ERR("secrets_fetch_domain_info(%s) failed\n", domain);
1834 return status;
1835 }
1836
1837 if (stored->next_change == NULL) {
1838 /*
1839 * We hit a race..., the administrator
1840 * rejoined or something similar happened.
1841 */
1842 DBG_ERR("stored->next_change == NULL for %s.\n", domain);
1843 TALLOC_FREE(stored);
1844 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
1845 }
1846
1847 if (stored->password_last_change != cookie->password_last_change) {
1848 struct timeval store_tv;
1849 struct timeval_buf store_buf;
1850 struct timeval cookie_tv;
1851 struct timeval_buf cookie_buf;
1852
1853 nttime_to_timeval(&store_tv, stored->password_last_change);
1854 nttime_to_timeval(&cookie_tv, cookie->password_last_change);
1855
1856 DBG_ERR("password_last_change differs %s != %s for %s.\n",
1857 timeval_str_buf(&store_tv, false, false, &store_buf),
1858 timeval_str_buf(&cookie_tv, false, false, &cookie_buf),
1859 domain);
1860 TALLOC_FREE(stored);
1861 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
1862 }
1863
1864 sn = stored->next_change;
1865 cn = cookie->next_change;
1866
1867 if (sn->change_time != cn->change_time) {
1868 struct timeval store_tv;
1869 struct timeval_buf store_buf;
1870 struct timeval cookie_tv;
1871 struct timeval_buf cookie_buf;
1872
1873 nttime_to_timeval(&store_tv, sn->change_time);
1874 nttime_to_timeval(&cookie_tv, cn->change_time);
1875
1876 DBG_ERR("next change_time differs %s != %s for %s.\n",
1877 timeval_str_buf(&store_tv, false, false, &store_buf),
1878 timeval_str_buf(&cookie_tv, false, false, &cookie_buf),
1879 domain);
1880 TALLOC_FREE(stored);
1881 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
1882 }
1883
1884 if (sn->password->change_time != cn->password->change_time) {
1885 struct timeval store_tv;
1886 struct timeval_buf store_buf;
1887 struct timeval cookie_tv;
1888 struct timeval_buf cookie_buf;
1889
1890 nttime_to_timeval(&store_tv, sn->password->change_time);
1891 nttime_to_timeval(&cookie_tv, cn->password->change_time);
1892
1893 DBG_ERR("next password.change_time differs %s != %s for %s.\n",
1894 timeval_str_buf(&store_tv, false, false, &store_buf),
1895 timeval_str_buf(&cookie_tv, false, false, &cookie_buf),
1896 domain);
1897 TALLOC_FREE(stored);
1898 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
1899 }
1900
1901 cmp = memcmp(sn->password->nt_hash.hash,
1902 cn->password->nt_hash.hash,
1903 16);
1904 if (cmp != 0) {
1905 DBG_ERR("next password.nt_hash differs for %s.\n",
1906 domain);
1907 TALLOC_FREE(stored);
1908 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
1909 }
1910
1911 cmp = memcmp(stored->password->nt_hash.hash,
1912 cookie->password->nt_hash.hash,
1913 16);
1914 if (cmp != 0) {
1915 DBG_ERR("password.nt_hash differs for %s.\n",
1916 domain);
1917 TALLOC_FREE(stored);
1918 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
1919 }
1920
1921 *pstored = stored;
1922 return NT_STATUS_OK;
1923 }
1924
1925 static NTSTATUS secrets_abort_password_change(const char *change_server,
1926 NTSTATUS local_status,
1927 NTSTATUS remote_status,
1928 const struct secrets_domain_info1 *cookie,
1929 bool defer)
1930 {
1931 const char *domain = cookie->domain_info.name.string;
1932 TALLOC_CTX *frame = talloc_stackframe();
1933 struct db_context *db = NULL;
1934 struct secrets_domain_info1 *info = NULL;
1935 const char *reason = defer ? "defer_change" : "failed_change";
1936 struct timeval tv = timeval_current();
1937 NTTIME now = timeval_to_nttime(&tv);
1938 NTSTATUS status;
1939 int ret;
1940
1941 db = secrets_db_ctx();
1942
1943 ret = dbwrap_transaction_start(db);
1944 if (ret != 0) {
1945 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
1946 domain);
1947 TALLOC_FREE(frame);
1948 return NT_STATUS_INTERNAL_DB_ERROR;
1949 }
1950
1951 /*
1952 * secrets_check_password_change()
1953 * checks that cookie->next_change
1954 * is valid and the same as store
1955 * in the database.
1956 */
1957 status = secrets_check_password_change(cookie, frame, &info);
1958 if (!NT_STATUS_IS_OK(status)) {
1959 DBG_ERR("secrets_check_password_change(%s) failed\n", domain);
1960 dbwrap_transaction_cancel(db);
1961 TALLOC_FREE(frame);
1962 return status;
1963 }
1964
1965 /*
1966 * Remember the last server and error.
1967 */
1968 info->next_change->change_server = change_server;
1969 info->next_change->change_time = now;
1970 info->next_change->local_status = local_status;
1971 info->next_change->remote_status = remote_status;
1972
1973 /*
1974 * Make sure the next automatic change is deferred.
1975 */
1976 if (defer) {
1977 info->password_last_change = now;
1978 }
1979
1980 secrets_debug_domain_info(DBGLVL_WARNING, info, reason);
1981
1982 status = secrets_store_domain_info(info, false /* upgrade */);
1983 if (!NT_STATUS_IS_OK(status)) {
1984 DBG_ERR("secrets_store_domain_info() failed "
1985 "for %s - %s\n", domain, nt_errstr(status));
1986 dbwrap_transaction_cancel(db);
1987 TALLOC_FREE(frame);
1988 return status;
1989 }
1990
1991 ret = dbwrap_transaction_commit(db);
1992 if (ret != 0) {
1993 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
1994 domain);
1995 TALLOC_FREE(frame);
1996 return NT_STATUS_INTERNAL_DB_ERROR;
1997 }
1998
1999 TALLOC_FREE(frame);
2000 return NT_STATUS_OK;
2001 }
2002
2003 NTSTATUS secrets_failed_password_change(const char *change_server,
2004 NTSTATUS local_status,
2005 NTSTATUS remote_status,
2006 const struct secrets_domain_info1 *cookie)
2007 {
2008 static const bool defer = false;
2009 return secrets_abort_password_change(change_server,
2010 local_status,
2011 remote_status,
2012 cookie, defer);
2013 }
2014
2015 NTSTATUS secrets_defer_password_change(const char *change_server,
2016 NTSTATUS local_status,
2017 NTSTATUS remote_status,
2018 const struct secrets_domain_info1 *cookie)
2019 {
2020 static const bool defer = true;
2021 return secrets_abort_password_change(change_server,
2022 local_status,
2023 remote_status,
2024 cookie, defer);
2025 }
2026
2027 NTSTATUS secrets_finish_password_change(const char *change_server,
2028 NTTIME change_time,
2029 const struct secrets_domain_info1 *cookie)
2030 {
2031 const char *domain = cookie->domain_info.name.string;
2032 TALLOC_CTX *frame = talloc_stackframe();
2033 struct db_context *db = NULL;
2034 struct secrets_domain_info1 *info = NULL;
2035 struct secrets_domain_info1_change *nc = NULL;
2036 NTSTATUS status;
2037 int ret;
2038
2039 db = secrets_db_ctx();
2040
2041 ret = dbwrap_transaction_start(db);
2042 if (ret != 0) {
2043 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
2044 domain);
2045 TALLOC_FREE(frame);
2046 return NT_STATUS_INTERNAL_DB_ERROR;
2047 }
2048
2049 /*
2050 * secrets_check_password_change() checks that cookie->next_change is
2051 * valid and the same as store in the database.
2052 */
2053 status = secrets_check_password_change(cookie, frame, &info);
2054 if (!NT_STATUS_IS_OK(status)) {
2055 DBG_ERR("secrets_check_password_change(%s) failed\n", domain);
2056 dbwrap_transaction_cancel(db);
2057 TALLOC_FREE(frame);
2058 return status;
2059 }
2060
2061 nc = info->next_change;
2062
2063 nc->password->change_server = change_server;
2064 nc->password->change_time = change_time;
2065
2066 info->password_last_change = change_time;
2067 info->password_changes += 1;
2068 info->next_change = NULL;
2069
2070 info->older_password = info->old_password;
2071 info->old_password = info->password;
2072 info->password = nc->password;
2073
2074 secrets_debug_domain_info(DBGLVL_WARNING, info, "finish_change");
2075
2076 status = secrets_store_domain_info(info, false /* upgrade */);
2077 if (!NT_STATUS_IS_OK(status)) {
2078 DBG_ERR("secrets_store_domain_info() failed "
2079 "for %s - %s\n", domain, nt_errstr(status));
2080 dbwrap_transaction_cancel(db);
2081 TALLOC_FREE(frame);
2082 return status;
2083 }
2084
2085 ret = dbwrap_transaction_commit(db);
2086 if (ret != 0) {
2087 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
2088 domain);
2089 TALLOC_FREE(frame);
2090 return NT_STATUS_INTERNAL_DB_ERROR;
2091 }
2092
2093 TALLOC_FREE(frame);
2094 return NT_STATUS_OK;
2095 }
Samba GIT mirror