2 Unix SMB/CIFS implementation.
3 Copyright (C) Andrew Tridgell 1992-2001
4 Copyright (C) Andrew Bartlett 2002
5 Copyright (C) Rafal Szczesniak 2002
6 Copyright (C) Tim Potter 2001
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 /* the Samba secrets database stores any generated, private information
23 such as the local SID and machine trust password */
27 #include "../libcli/auth/libcli_auth.h"
29 #include "dbwrap/dbwrap.h"
30 #include "../librpc/ndr/libndr.h"
32 #include "libcli/security/security.h"
34 #include "librpc/gen_ndr/libnet_join.h"
35 #include "librpc/gen_ndr/ndr_secrets.h"
36 #include "lib/crypto/crypto.h"
37 #include "lib/krb5_wrap/krb5_samba.h"
38 #include "lib/util/time_basic.h"
41 #define DBGC_CLASS DBGC_PASSDB
43 static char *domain_info_keystr(const char *domain
);
45 static char *des_salt_key(const char *realm
);
48 * Form a key for fetching the domain sid
50 * @param domain domain name
54 static const char *domain_sid_keystr(const char *domain
)
58 keystr
= talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
59 SECRETS_DOMAIN_SID
, domain
);
60 SMB_ASSERT(keystr
!= NULL
);
64 static const char *domain_guid_keystr(const char *domain
)
68 keystr
= talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
69 SECRETS_DOMAIN_GUID
, domain
);
70 SMB_ASSERT(keystr
!= NULL
);
74 static const char *protect_ids_keystr(const char *domain
)
78 keystr
= talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
79 SECRETS_PROTECT_IDS
, domain
);
80 SMB_ASSERT(keystr
!= NULL
);
84 /* N O T E: never use this outside of passdb modules that store the SID on their own */
85 bool secrets_mark_domain_protected(const char *domain
)
89 ret
= secrets_store(protect_ids_keystr(domain
), "TRUE", 5);
91 DEBUG(0, ("Failed to protect the Domain IDs\n"));
96 bool secrets_clear_domain_protection(const char *domain
)
99 void *protection
= secrets_fetch(protect_ids_keystr(domain
), NULL
);
102 SAFE_FREE(protection
);
103 ret
= secrets_delete_entry(protect_ids_keystr(domain
));
105 DEBUG(0, ("Failed to remove Domain IDs protection\n"));
112 bool secrets_store_domain_sid(const char *domain
, const struct dom_sid
*sid
)
117 protect_ids
= secrets_fetch(protect_ids_keystr(domain
), NULL
);
119 if (strncmp(protect_ids
, "TRUE", 4)) {
120 DEBUG(0, ("Refusing to store a Domain SID, "
121 "it has been marked as protected!\n"));
122 SAFE_FREE(protect_ids
);
126 SAFE_FREE(protect_ids
);
128 ret
= secrets_store(domain_sid_keystr(domain
), sid
, sizeof(struct dom_sid
));
130 /* Force a re-query, in the case where we modified our domain */
132 if (dom_sid_equal(get_global_sam_sid(), sid
) == false) {
133 reset_global_sam_sid();
139 bool secrets_fetch_domain_sid(const char *domain
, struct dom_sid
*sid
)
141 struct dom_sid
*dyn_sid
;
144 dyn_sid
= (struct dom_sid
*)secrets_fetch(domain_sid_keystr(domain
), &size
);
149 if (size
!= sizeof(struct dom_sid
)) {
159 bool secrets_store_domain_guid(const char *domain
, const struct GUID
*guid
)
164 protect_ids
= secrets_fetch(protect_ids_keystr(domain
), NULL
);
166 if (strncmp(protect_ids
, "TRUE", 4)) {
167 DEBUG(0, ("Refusing to store a Domain SID, "
168 "it has been marked as protected!\n"));
169 SAFE_FREE(protect_ids
);
173 SAFE_FREE(protect_ids
);
175 key
= domain_guid_keystr(domain
);
176 return secrets_store(key
, guid
, sizeof(struct GUID
));
179 bool secrets_fetch_domain_guid(const char *domain
, struct GUID
*guid
)
181 struct GUID
*dyn_guid
;
184 struct GUID new_guid
;
186 key
= domain_guid_keystr(domain
);
187 dyn_guid
= (struct GUID
*)secrets_fetch(key
, &size
);
190 if (lp_server_role() == ROLE_DOMAIN_PDC
) {
191 new_guid
= GUID_random();
192 if (!secrets_store_domain_guid(domain
, &new_guid
))
194 dyn_guid
= (struct GUID
*)secrets_fetch(key
, &size
);
196 if (dyn_guid
== NULL
) {
201 if (size
!= sizeof(struct GUID
)) {
202 DEBUG(1,("UUID size %d is wrong!\n", (int)size
));
213 * Form a key for fetching the machine trust account sec channel type
215 * @param domain domain name
219 static const char *machine_sec_channel_type_keystr(const char *domain
)
223 keystr
= talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
224 SECRETS_MACHINE_SEC_CHANNEL_TYPE
,
226 SMB_ASSERT(keystr
!= NULL
);
231 * Form a key for fetching the machine trust account last change time
233 * @param domain domain name
237 static const char *machine_last_change_time_keystr(const char *domain
)
241 keystr
= talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
242 SECRETS_MACHINE_LAST_CHANGE_TIME
,
244 SMB_ASSERT(keystr
!= NULL
);
250 * Form a key for fetching the machine previous trust account password
252 * @param domain domain name
256 static const char *machine_prev_password_keystr(const char *domain
)
260 keystr
= talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
261 SECRETS_MACHINE_PASSWORD_PREV
, domain
);
262 SMB_ASSERT(keystr
!= NULL
);
267 * Form a key for fetching the machine trust account password
269 * @param domain domain name
273 static const char *machine_password_keystr(const char *domain
)
277 keystr
= talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
278 SECRETS_MACHINE_PASSWORD
, domain
);
279 SMB_ASSERT(keystr
!= NULL
);
284 * Form a key for fetching the machine trust account password
286 * @param domain domain name
288 * @return stored password's key
290 static const char *trust_keystr(const char *domain
)
294 keystr
= talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
295 SECRETS_MACHINE_ACCT_PASS
, domain
);
296 SMB_ASSERT(keystr
!= NULL
);
300 /************************************************************************
301 Routine to get the default secure channel type for trust accounts
302 ************************************************************************/
304 enum netr_SchannelType
get_default_sec_channel(void)
306 if (lp_server_role() == ROLE_DOMAIN_BDC
||
307 lp_server_role() == ROLE_DOMAIN_PDC
||
308 lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC
) {
311 return SEC_CHAN_WKSTA
;
315 /************************************************************************
316 Routine to get the trust account password for a domain.
317 This only tries to get the legacy hashed version of the password.
318 The user of this function must have locked the trust password file using
319 the above secrets_lock_trust_account_password().
320 ************************************************************************/
322 bool secrets_fetch_trust_account_password_legacy(const char *domain
,
324 time_t *pass_last_set_time
,
325 enum netr_SchannelType
*channel
)
327 struct machine_acct_pass
*pass
;
330 if (!(pass
= (struct machine_acct_pass
*)secrets_fetch(
331 trust_keystr(domain
), &size
))) {
332 DEBUG(5, ("secrets_fetch failed!\n"));
336 if (size
!= sizeof(*pass
)) {
337 DEBUG(0, ("secrets were of incorrect size!\n"));
342 if (pass_last_set_time
) {
343 *pass_last_set_time
= pass
->mod_time
;
345 memcpy(ret_pwd
, pass
->hash
, 16);
348 *channel
= get_default_sec_channel();
355 /************************************************************************
356 Routine to get the trust account password for a domain.
357 The user of this function must have locked the trust password file using
358 the above secrets_lock_trust_account_password().
359 ************************************************************************/
361 bool secrets_fetch_trust_account_password(const char *domain
, uint8_t ret_pwd
[16],
362 time_t *pass_last_set_time
,
363 enum netr_SchannelType
*channel
)
367 plaintext
= secrets_fetch_machine_password(domain
, pass_last_set_time
,
370 DEBUG(4,("Using cleartext machine password\n"));
371 E_md4hash(plaintext
, ret_pwd
);
372 SAFE_FREE(plaintext
);
376 return secrets_fetch_trust_account_password_legacy(domain
, ret_pwd
,
381 /************************************************************************
382 Routine to delete all information related to the domain joined machine.
383 ************************************************************************/
385 bool secrets_delete_machine_password_ex(const char *domain
, const char *realm
)
387 const char *tmpkey
= NULL
;
390 tmpkey
= domain_info_keystr(domain
);
391 ok
= secrets_delete(tmpkey
);
397 tmpkey
= des_salt_key(domain
);
398 ok
= secrets_delete(tmpkey
);
404 tmpkey
= domain_guid_keystr(domain
);
405 ok
= secrets_delete(tmpkey
);
410 tmpkey
= machine_prev_password_keystr(domain
);
411 ok
= secrets_delete(tmpkey
);
416 tmpkey
= machine_password_keystr(domain
);
417 ok
= secrets_delete(tmpkey
);
422 tmpkey
= machine_sec_channel_type_keystr(domain
);
423 ok
= secrets_delete(tmpkey
);
428 tmpkey
= machine_last_change_time_keystr(domain
);
429 ok
= secrets_delete(tmpkey
);
434 tmpkey
= domain_sid_keystr(domain
);
435 ok
= secrets_delete(tmpkey
);
443 /************************************************************************
444 Routine to delete the domain sid
445 ************************************************************************/
447 bool secrets_delete_domain_sid(const char *domain
)
449 return secrets_delete_entry(domain_sid_keystr(domain
));
452 /************************************************************************
453 Set the machine trust account password, the old pw and last change
454 time, domain SID and salting principals based on values passed in
455 (added to supprt the secrets_tdb_sync module on secrets.ldb)
456 ************************************************************************/
458 bool secrets_store_machine_pw_sync(const char *pass
, const char *oldpass
, const char *domain
,
460 const char *salting_principal
, uint32_t supported_enc_types
,
461 const struct dom_sid
*domain_sid
, uint32_t last_change_time
,
462 uint32_t secure_channel_type
,
466 uint8_t last_change_time_store
[4];
467 TALLOC_CTX
*frame
= talloc_stackframe();
468 uint8_t sec_channel_bytes
[4];
471 secrets_delete_machine_password_ex(domain
, realm
);
476 ret
= secrets_store(machine_password_keystr(domain
), pass
, strlen(pass
)+1);
483 ret
= secrets_store(machine_prev_password_keystr(domain
), oldpass
, strlen(oldpass
)+1);
485 ret
= secrets_delete(machine_prev_password_keystr(domain
));
492 if (secure_channel_type
== 0) {
493 /* We delete this and instead have the read code fall back to
494 * a default based on server role, as our caller can't specify
495 * this with any more certainty */
496 ret
= secrets_delete(machine_sec_channel_type_keystr(domain
));
502 SIVAL(&sec_channel_bytes
, 0, secure_channel_type
);
503 ret
= secrets_store(machine_sec_channel_type_keystr(domain
),
504 &sec_channel_bytes
, sizeof(sec_channel_bytes
));
511 SIVAL(&last_change_time_store
, 0, last_change_time
);
512 ret
= secrets_store(machine_last_change_time_keystr(domain
),
513 &last_change_time_store
, sizeof(last_change_time
));
520 ret
= secrets_store_domain_sid(domain
, domain_sid
);
528 char *key
= des_salt_key(realm
);
530 if (salting_principal
!= NULL
) {
531 ret
= secrets_store(key
,
533 strlen(salting_principal
)+1);
535 ret
= secrets_delete(key
);
543 /************************************************************************
544 Return the standard DES salt key
545 ************************************************************************/
547 char* kerberos_standard_des_salt( void )
551 fstr_sprintf( salt
, "host/%s.%s@", lp_netbios_name(), lp_realm() );
552 (void)strlower_m( salt
);
553 fstrcat( salt
, lp_realm() );
555 return SMB_STRDUP( salt
);
558 /************************************************************************
559 ************************************************************************/
561 static char *des_salt_key(const char *realm
)
565 keystr
= talloc_asprintf_strupper_m(talloc_tos(), "%s/DES/%s",
566 SECRETS_SALTING_PRINCIPAL
,
568 SMB_ASSERT(keystr
!= NULL
);
572 /************************************************************************
573 ************************************************************************/
575 bool kerberos_secrets_store_des_salt( const char* salt
)
580 key
= des_salt_key(lp_realm());
582 DEBUG(0,("kerberos_secrets_store_des_salt: failed to generate key!\n"));
587 DEBUG(8,("kerberos_secrets_store_des_salt: deleting salt\n"));
588 secrets_delete_entry( key
);
592 DEBUG(3,("kerberos_secrets_store_des_salt: Storing salt \"%s\"\n", salt
));
594 ret
= secrets_store( key
, salt
, strlen(salt
)+1 );
601 /************************************************************************
602 ************************************************************************/
605 char* kerberos_secrets_fetch_des_salt( void )
609 key
= des_salt_key(lp_realm());
611 DEBUG(0,("kerberos_secrets_fetch_des_salt: failed to generate key!\n"));
615 salt
= (char*)secrets_fetch( key
, NULL
);
622 /************************************************************************
623 Routine to get the salting principal for this service.
624 Caller must free if return is not null.
625 ************************************************************************/
627 char *kerberos_secrets_fetch_salt_princ(void)
630 /* lookup new key first */
632 salt_princ_s
= kerberos_secrets_fetch_des_salt();
633 if (salt_princ_s
== NULL
) {
634 /* fall back to host/machine.realm@REALM */
635 salt_princ_s
= kerberos_standard_des_salt();
641 /************************************************************************
642 Routine to fetch the previous plaintext machine account password for a realm
643 the password is assumed to be a null terminated ascii string.
644 ************************************************************************/
646 char *secrets_fetch_prev_machine_password(const char *domain
)
648 return (char *)secrets_fetch(machine_prev_password_keystr(domain
), NULL
);
651 /************************************************************************
652 Routine to fetch the last change time of the machine account password
654 ************************************************************************/
656 time_t secrets_fetch_pass_last_set_time(const char *domain
)
658 uint32_t *last_set_time
;
659 time_t pass_last_set_time
;
661 last_set_time
= secrets_fetch(machine_last_change_time_keystr(domain
),
664 pass_last_set_time
= IVAL(last_set_time
,0);
665 SAFE_FREE(last_set_time
);
667 pass_last_set_time
= 0;
670 return pass_last_set_time
;
673 /************************************************************************
674 Routine to fetch the plaintext machine account password for a realm
675 the password is assumed to be a null terminated ascii string.
676 ************************************************************************/
678 char *secrets_fetch_machine_password(const char *domain
,
679 time_t *pass_last_set_time
,
680 enum netr_SchannelType
*channel
)
683 ret
= (char *)secrets_fetch(machine_password_keystr(domain
), NULL
);
685 if (pass_last_set_time
) {
686 *pass_last_set_time
= secrets_fetch_pass_last_set_time(domain
);
691 uint32_t *channel_type
;
692 channel_type
= (unsigned int *)secrets_fetch(machine_sec_channel_type_keystr(domain
), &size
);
694 *channel
= IVAL(channel_type
,0);
695 SAFE_FREE(channel_type
);
697 *channel
= get_default_sec_channel();
704 static char *domain_info_keystr(const char *domain
)
708 keystr
= talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
709 SECRETS_MACHINE_DOMAIN_INFO
,
711 SMB_ASSERT(keystr
!= NULL
);
715 /************************************************************************
716 Routine to get account password to trusted domain
717 ************************************************************************/
719 static NTSTATUS
secrets_fetch_domain_info1_by_key(const char *key
,
721 struct secrets_domain_info1
**_info1
)
723 struct secrets_domain_infoB sdib
= { .version
= 0, };
724 enum ndr_err_code ndr_err
;
725 /* unpacking structures */
728 /* fetching trusted domain password structure */
729 blob
.data
= (uint8_t *)secrets_fetch(key
, &blob
.length
);
730 if (blob
.data
== NULL
) {
731 DBG_NOTICE("secrets_fetch failed!\n");
732 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
735 /* unpack trusted domain password */
736 ndr_err
= ndr_pull_struct_blob(&blob
, mem_ctx
, &sdib
,
737 (ndr_pull_flags_fn_t
)ndr_pull_secrets_domain_infoB
);
738 SAFE_FREE(blob
.data
);
739 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
740 DBG_ERR("ndr_pull_struct_blob failed - %s!\n",
741 ndr_errstr(ndr_err
));
742 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
745 if (sdib
.version
!= SECRETS_DOMAIN_INFO_VERSION_1
) {
746 DBG_ERR("sdib.version = %u\n", (unsigned)sdib
.version
);
747 return NT_STATUS_INTERNAL_DB_CORRUPTION
;
750 *_info1
= sdib
.info
.info1
;
751 return NT_STATUS_OK
;;
754 static NTSTATUS
secrets_fetch_domain_info(const char *domain
,
756 struct secrets_domain_info1
**pinfo
)
758 char *key
= domain_info_keystr(domain
);
759 return secrets_fetch_domain_info1_by_key(key
, mem_ctx
, pinfo
);
762 void secrets_debug_domain_info(int lvl
, const struct secrets_domain_info1
*info1
,
765 struct secrets_domain_infoB sdib
= {
766 .version
= SECRETS_DOMAIN_INFO_VERSION_1
,
769 sdib
.info
.info1
= discard_const_p(struct secrets_domain_info1
, info1
);
771 ndr_print_debug((ndr_print_fn_t
)ndr_print_secrets_domain_infoB
,
775 char *secrets_domain_info_string(TALLOC_CTX
*mem_ctx
, const struct secrets_domain_info1
*info1
,
776 const char *name
, bool include_secrets
)
778 TALLOC_CTX
*frame
= talloc_stackframe();
779 struct secrets_domain_infoB sdib
= {
780 .version
= SECRETS_DOMAIN_INFO_VERSION_1
,
782 struct ndr_print
*ndr
= NULL
;
785 sdib
.info
.info1
= discard_const_p(struct secrets_domain_info1
, info1
);
787 ndr
= talloc_zero(frame
, struct ndr_print
);
792 ndr
->private_data
= talloc_strdup(ndr
, "");
793 if (ndr
->private_data
== NULL
) {
797 ndr
->print
= ndr_print_string_helper
;
799 ndr
->print_secrets
= include_secrets
;
801 ndr_print_secrets_domain_infoB(ndr
, name
, &sdib
);
802 ret
= talloc_steal(mem_ctx
, (char *)ndr
->private_data
);
807 static NTSTATUS
secrets_store_domain_info1_by_key(const char *key
,
808 const struct secrets_domain_info1
*info1
)
810 struct secrets_domain_infoB sdib
= {
811 .version
= SECRETS_DOMAIN_INFO_VERSION_1
,
813 /* packing structures */
815 enum ndr_err_code ndr_err
;
818 sdib
.info
.info1
= discard_const_p(struct secrets_domain_info1
, info1
);
820 ndr_err
= ndr_push_struct_blob(&blob
, talloc_tos(), &sdib
,
821 (ndr_push_flags_fn_t
)ndr_push_secrets_domain_infoB
);
822 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
823 return ndr_map_error2ntstatus(ndr_err
);
826 ok
= secrets_store(key
, blob
.data
, blob
.length
);
827 data_blob_clear_free(&blob
);
829 return NT_STATUS_INTERNAL_DB_ERROR
;
835 static NTSTATUS
secrets_store_domain_info(const struct secrets_domain_info1
*info
,
838 TALLOC_CTX
*frame
= talloc_stackframe();
839 const char *domain
= info
->domain_info
.name
.string
;
840 const char *realm
= info
->domain_info
.dns_domain
.string
;
841 char *key
= domain_info_keystr(domain
);
842 struct db_context
*db
= NULL
;
843 struct timeval last_change_tv
;
844 const DATA_BLOB
*cleartext_blob
= NULL
;
845 DATA_BLOB pw_blob
= data_blob_null
;
846 DATA_BLOB old_pw_blob
= data_blob_null
;
847 const char *pw
= NULL
;
848 const char *old_pw
= NULL
;
852 int role
= lp_server_role();
854 switch (info
->secure_channel_type
) {
857 if (!upgrade
&& role
>= ROLE_ACTIVE_DIRECTORY_DC
) {
858 DBG_ERR("AD_DC not supported for %s\n",
861 return NT_STATUS_INTERNAL_ERROR
;
866 DBG_ERR("SEC_CHAN_* not supported for %s\n",
869 return NT_STATUS_INTERNAL_ERROR
;
872 db
= secrets_db_ctx();
874 ret
= dbwrap_transaction_start(db
);
876 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
879 return NT_STATUS_INTERNAL_DB_ERROR
;
882 ok
= secrets_clear_domain_protection(domain
);
884 DBG_ERR("secrets_clear_domain_protection(%s) failed\n",
886 dbwrap_transaction_cancel(db
);
888 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
891 ok
= secrets_delete_machine_password_ex(domain
, realm
);
893 DBG_ERR("secrets_delete_machine_password_ex(%s) failed\n",
895 dbwrap_transaction_cancel(db
);
897 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
900 status
= secrets_store_domain_info1_by_key(key
, info
);
901 if (!NT_STATUS_IS_OK(status
)) {
902 DBG_ERR("secrets_store_domain_info1_by_key() failed "
903 "for %s - %s\n", domain
, nt_errstr(status
));
904 dbwrap_transaction_cancel(db
);
910 * We use info->password_last_change instead
911 * of info->password.change_time because
912 * we may want to defer the next change approach
913 * if the server rejected the change the last time,
914 * e.g. due to RefusePasswordChange=1.
916 nttime_to_timeval(&last_change_tv
, info
->password_last_change
);
918 cleartext_blob
= &info
->password
->cleartext_blob
;
919 ok
= convert_string_talloc(frame
, CH_UTF16MUNGED
, CH_UNIX
,
920 cleartext_blob
->data
,
921 cleartext_blob
->length
,
922 (void **)&pw_blob
.data
,
925 status
= NT_STATUS_UNMAPPABLE_CHARACTER
;
926 if (errno
== ENOMEM
) {
927 status
= NT_STATUS_NO_MEMORY
;
929 DBG_ERR("convert_string_talloc(CH_UTF16MUNGED, CH_UNIX) "
930 "failed for pw of %s - %s\n",
931 domain
, nt_errstr(status
));
932 dbwrap_transaction_cancel(db
);
936 pw
= (const char *)pw_blob
.data
;
937 if (info
->old_password
!= NULL
) {
938 cleartext_blob
= &info
->old_password
->cleartext_blob
;
939 ok
= convert_string_talloc(frame
, CH_UTF16MUNGED
, CH_UNIX
,
940 cleartext_blob
->data
,
941 cleartext_blob
->length
,
942 (void **)&old_pw_blob
.data
,
943 &old_pw_blob
.length
);
945 status
= NT_STATUS_UNMAPPABLE_CHARACTER
;
946 if (errno
== ENOMEM
) {
947 status
= NT_STATUS_NO_MEMORY
;
949 DBG_ERR("convert_string_talloc(CH_UTF16MUNGED, CH_UNIX) "
950 "failed for old_pw of %s - %s\n",
951 domain
, nt_errstr(status
));
952 dbwrap_transaction_cancel(db
);
953 data_blob_clear_free(&pw_blob
);
957 old_pw
= (const char *)old_pw_blob
.data
;
960 ok
= secrets_store_machine_pw_sync(pw
, old_pw
,
962 info
->salt_principal
,
963 info
->supported_enc_types
,
964 info
->domain_info
.sid
,
965 last_change_tv
.tv_sec
,
966 info
->secure_channel_type
,
967 false); /* delete_join */
968 data_blob_clear_free(&pw_blob
);
969 data_blob_clear_free(&old_pw_blob
);
971 DBG_ERR("secrets_store_machine_pw_sync(%s) failed\n",
973 dbwrap_transaction_cancel(db
);
975 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
978 if (!GUID_all_zero(&info
->domain_info
.domain_guid
)) {
979 ok
= secrets_store_domain_guid(domain
,
980 &info
->domain_info
.domain_guid
);
982 DBG_ERR("secrets_store_domain_guid(%s) failed\n",
984 dbwrap_transaction_cancel(db
);
986 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
990 ok
= secrets_mark_domain_protected(domain
);
992 DBG_ERR("secrets_mark_domain_protected(%s) failed\n",
994 dbwrap_transaction_cancel(db
);
996 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
999 ret
= dbwrap_transaction_commit(db
);
1001 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
1004 return NT_STATUS_INTERNAL_DB_ERROR
;
1008 return NT_STATUS_OK
;
1011 static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_password
*p
,
1012 const char *salt_principal
)
1015 krb5_error_code krb5_ret
;
1016 krb5_context krb5_ctx
= NULL
;
1017 DATA_BLOB cleartext_utf8_b
= data_blob_null
;
1018 krb5_data cleartext_utf8
;
1021 DATA_BLOB aes_256_b
= data_blob_null
;
1022 DATA_BLOB aes_128_b
= data_blob_null
;
1023 DATA_BLOB des_md5_b
= data_blob_null
;
1025 #endif /* HAVE_ADS */
1026 DATA_BLOB arc4_b
= data_blob_null
;
1027 const uint16_t max_keys
= 4;
1028 struct secrets_domain_info1_kerberos_key
*keys
= NULL
;
1030 char *salt_data
= NULL
;
1034 * ENCTYPE_AES256_CTS_HMAC_SHA1_96
1035 * ENCTYPE_AES128_CTS_HMAC_SHA1_96
1036 * ENCTYPE_ARCFOUR_HMAC
1037 * ENCTYPE_DES_CBC_MD5
1039 * We don't include ENCTYPE_DES_CBC_CRC
1040 * as W2008R2 also doesn't store it anymore.
1042 * Note we store all enctypes we support,
1043 * including the weak encryption types,
1044 * but that's no problem as we also
1045 * store the cleartext password anyway.
1047 * Which values are then used to construct
1048 * a keytab is configured at runtime and the
1049 * configuration of msDS-SupportedEncryptionTypes.
1051 * If we don't have kerberos support or no
1052 * salt, we only generate an entry for arcfour-hmac-md5.
1054 keys
= talloc_zero_array(p
,
1055 struct secrets_domain_info1_kerberos_key
,
1061 arc4_b
= data_blob_talloc(keys
,
1063 sizeof(p
->nt_hash
.hash
));
1064 if (arc4_b
.data
== NULL
) {
1065 DBG_ERR("data_blob_talloc failed for arcfour-hmac-md5.\n");
1071 if (salt_principal
== NULL
) {
1075 initialize_krb5_error_table();
1076 krb5_ret
= krb5_init_context(&krb5_ctx
);
1077 if (krb5_ret
!= 0) {
1082 krb5_ret
= smb_krb5_salt_principal2data(krb5_ctx
, salt_principal
,
1084 if (krb5_ret
!= 0) {
1085 DBG_ERR("smb_krb5_salt_principal2data(%s) failed: %s\n",
1087 smb_get_krb5_error_message(krb5_ctx
, krb5_ret
, keys
));
1088 krb5_free_context(krb5_ctx
);
1093 salt
= (krb5_data
) {
1094 .data
= discard_const(salt_data
),
1095 .length
= strlen(salt_data
),
1098 ok
= convert_string_talloc(keys
, CH_UTF16MUNGED
, CH_UTF8
,
1099 p
->cleartext_blob
.data
,
1100 p
->cleartext_blob
.length
,
1101 (void **)&cleartext_utf8_b
.data
,
1102 &cleartext_utf8_b
.length
);
1109 krb5_free_context(krb5_ctx
);
1113 cleartext_utf8
.data
= (void *)cleartext_utf8_b
.data
;
1114 cleartext_utf8
.length
= cleartext_utf8_b
.length
;
1116 krb5_ret
= smb_krb5_create_key_from_string(krb5_ctx
,
1120 ENCTYPE_AES256_CTS_HMAC_SHA1_96
,
1122 if (krb5_ret
!= 0) {
1123 DBG_ERR("generation of a aes256-cts-hmac-sha1-96 key failed: %s\n",
1124 smb_get_krb5_error_message(krb5_ctx
, krb5_ret
, keys
));
1125 krb5_free_context(krb5_ctx
);
1127 TALLOC_FREE(salt_data
);
1130 aes_256_b
= data_blob_talloc(keys
,
1131 KRB5_KEY_DATA(&key
),
1132 KRB5_KEY_LENGTH(&key
));
1133 krb5_free_keyblock_contents(krb5_ctx
, &key
);
1134 if (aes_256_b
.data
== NULL
) {
1135 DBG_ERR("data_blob_talloc failed for aes-256.\n");
1136 krb5_free_context(krb5_ctx
);
1138 TALLOC_FREE(salt_data
);
1142 krb5_ret
= smb_krb5_create_key_from_string(krb5_ctx
,
1146 ENCTYPE_AES128_CTS_HMAC_SHA1_96
,
1148 if (krb5_ret
!= 0) {
1149 DBG_ERR("generation of a aes128-cts-hmac-sha1-96 key failed: %s\n",
1150 smb_get_krb5_error_message(krb5_ctx
, krb5_ret
, keys
));
1151 krb5_free_context(krb5_ctx
);
1153 TALLOC_FREE(salt_data
);
1156 aes_128_b
= data_blob_talloc(keys
,
1157 KRB5_KEY_DATA(&key
),
1158 KRB5_KEY_LENGTH(&key
));
1159 krb5_free_keyblock_contents(krb5_ctx
, &key
);
1160 if (aes_128_b
.data
== NULL
) {
1161 DBG_ERR("data_blob_talloc failed for aes-128.\n");
1162 krb5_free_context(krb5_ctx
);
1164 TALLOC_FREE(salt_data
);
1168 krb5_ret
= smb_krb5_create_key_from_string(krb5_ctx
,
1172 ENCTYPE_DES_CBC_MD5
,
1174 if (krb5_ret
!= 0) {
1175 DBG_ERR("generation of a des-cbc-md5 key failed: %s\n",
1176 smb_get_krb5_error_message(krb5_ctx
, krb5_ret
, keys
));
1177 krb5_free_context(krb5_ctx
);
1179 TALLOC_FREE(salt_data
);
1182 des_md5_b
= data_blob_talloc(keys
,
1183 KRB5_KEY_DATA(&key
),
1184 KRB5_KEY_LENGTH(&key
));
1185 krb5_free_keyblock_contents(krb5_ctx
, &key
);
1186 if (des_md5_b
.data
== NULL
) {
1187 DBG_ERR("data_blob_talloc failed for des-cbc-md5.\n");
1188 krb5_free_context(krb5_ctx
);
1190 TALLOC_FREE(salt_data
);
1194 krb5_free_context(krb5_ctx
);
1197 if (aes_256_b
.length
!= 0) {
1198 keys
[idx
].keytype
= ENCTYPE_AES256_CTS_HMAC_SHA1_96
;
1199 keys
[idx
].iteration_count
= 4096;
1200 keys
[idx
].value
= aes_256_b
;
1204 if (aes_128_b
.length
!= 0) {
1205 keys
[idx
].keytype
= ENCTYPE_AES128_CTS_HMAC_SHA1_96
;
1206 keys
[idx
].iteration_count
= 4096;
1207 keys
[idx
].value
= aes_128_b
;
1211 #endif /* HAVE_ADS */
1213 keys
[idx
].keytype
= ENCTYPE_ARCFOUR_HMAC
;
1214 keys
[idx
].iteration_count
= 4096;
1215 keys
[idx
].value
= arc4_b
;
1219 if (des_md5_b
.length
!= 0) {
1220 keys
[idx
].keytype
= ENCTYPE_DES_CBC_MD5
;
1221 keys
[idx
].iteration_count
= 4096;
1222 keys
[idx
].value
= des_md5_b
;
1225 #endif /* HAVE_ADS */
1227 p
->salt_data
= salt_data
;
1228 p
->default_iteration_count
= 4096;
1234 static NTSTATUS
secrets_domain_info_password_create(TALLOC_CTX
*mem_ctx
,
1235 const char *cleartext_unix
,
1236 const char *salt_principal
,
1238 const char *change_server
,
1239 struct secrets_domain_info1_password
**_p
)
1241 struct secrets_domain_info1_password
*p
= NULL
;
1246 if (change_server
== NULL
) {
1247 return NT_STATUS_INVALID_PARAMETER_MIX
;
1250 p
= talloc_zero(mem_ctx
, struct secrets_domain_info1_password
);
1252 return NT_STATUS_NO_MEMORY
;
1254 p
->change_time
= change_time
;
1255 p
->change_server
= talloc_strdup(p
, change_server
);
1256 if (p
->change_server
== NULL
) {
1258 return NT_STATUS_NO_MEMORY
;
1260 len
= strlen(cleartext_unix
);
1261 ok
= convert_string_talloc(p
, CH_UNIX
, CH_UTF16
,
1262 cleartext_unix
, len
,
1263 (void **)&p
->cleartext_blob
.data
,
1264 &p
->cleartext_blob
.length
);
1266 NTSTATUS status
= NT_STATUS_UNMAPPABLE_CHARACTER
;
1267 if (errno
== ENOMEM
) {
1268 status
= NT_STATUS_NO_MEMORY
;
1273 mdfour(p
->nt_hash
.hash
,
1274 p
->cleartext_blob
.data
,
1275 p
->cleartext_blob
.length
);
1277 ret
= secrets_domain_info_kerberos_keys(p
, salt_principal
);
1279 NTSTATUS status
= krb5_to_nt_status(ret
);
1285 return NT_STATUS_OK
;
1288 NTSTATUS
secrets_fetch_or_upgrade_domain_info(const char *domain
,
1289 TALLOC_CTX
*mem_ctx
,
1290 struct secrets_domain_info1
**pinfo
)
1292 TALLOC_CTX
*frame
= NULL
;
1293 struct secrets_domain_info1
*old
= NULL
;
1294 struct secrets_domain_info1
*info
= NULL
;
1295 const char *dns_domain
= NULL
;
1296 const char *server
= NULL
;
1297 struct db_context
*db
= NULL
;
1298 time_t last_set_time
;
1300 enum netr_SchannelType channel
;
1302 char *old_pw
= NULL
;
1303 struct dom_sid domain_sid
;
1304 struct GUID domain_guid
;
1309 ok
= strequal(domain
, lp_workgroup());
1311 dns_domain
= lp_dnsdomain();
1313 if (dns_domain
!= NULL
&& dns_domain
[0] == '\0') {
1318 last_set_time
= secrets_fetch_pass_last_set_time(domain
);
1319 if (last_set_time
== 0) {
1320 return NT_STATUS_OK
;
1322 unix_to_nt_time(&last_set_nt
, last_set_time
);
1324 frame
= talloc_stackframe();
1326 status
= secrets_fetch_domain_info(domain
, frame
, &old
);
1327 if (NT_STATUS_IS_OK(status
)) {
1328 if (old
->password_last_change
>= last_set_nt
) {
1329 *pinfo
= talloc_move(mem_ctx
, &old
);
1331 return NT_STATUS_OK
;
1336 info
= talloc_zero(frame
, struct secrets_domain_info1
);
1338 DBG_ERR("talloc_zero failed\n");
1340 return NT_STATUS_NO_MEMORY
;
1343 db
= secrets_db_ctx();
1345 ret
= dbwrap_transaction_start(db
);
1347 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
1350 return NT_STATUS_INTERNAL_DB_ERROR
;
1353 pw
= secrets_fetch_machine_password(domain
,
1357 DBG_ERR("secrets_fetch_machine_password(%s) failed\n",
1359 dbwrap_transaction_cancel(db
);
1361 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
1363 unix_to_nt_time(&last_set_nt
, last_set_time
);
1365 old_pw
= secrets_fetch_prev_machine_password(domain
);
1367 ok
= secrets_fetch_domain_sid(domain
, &domain_sid
);
1369 DBG_ERR("secrets_fetch_domain_sid(%s) failed\n",
1371 dbwrap_transaction_cancel(db
);
1375 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
1378 ok
= secrets_fetch_domain_guid(domain
, &domain_guid
);
1380 domain_guid
= GUID_zero();
1383 info
->computer_name
= lp_netbios_name();
1384 info
->account_name
= talloc_asprintf(frame
, "%s$", info
->computer_name
);
1385 if (info
->account_name
== NULL
) {
1386 DBG_ERR("talloc_asprintf(%s$) failed\n", info
->computer_name
);
1387 dbwrap_transaction_cancel(db
);
1391 return NT_STATUS_NO_MEMORY
;
1393 info
->secure_channel_type
= channel
;
1395 info
->domain_info
.name
.string
= domain
;
1396 info
->domain_info
.dns_domain
.string
= dns_domain
;
1397 info
->domain_info
.dns_forest
.string
= dns_domain
;
1398 info
->domain_info
.domain_guid
= domain_guid
;
1399 info
->domain_info
.sid
= &domain_sid
;
1401 info
->trust_flags
= NETR_TRUST_FLAG_PRIMARY
;
1402 info
->trust_flags
|= NETR_TRUST_FLAG_OUTBOUND
;
1404 if (dns_domain
!= NULL
) {
1406 * We just assume all AD domains are
1407 * NETR_TRUST_FLAG_NATIVE these days.
1409 * This isn't used anyway for now.
1411 info
->trust_flags
|= NETR_TRUST_FLAG_NATIVE
;
1413 info
->trust_type
= LSA_TRUST_TYPE_UPLEVEL
;
1415 server
= info
->domain_info
.dns_domain
.string
;
1417 info
->trust_type
= LSA_TRUST_TYPE_DOWNLEVEL
;
1419 server
= talloc_asprintf(info
,
1423 if (server
== NULL
) {
1424 DBG_ERR("talloc_asprintf(%s#%02X) failed\n",
1425 domain
, NBT_NAME_PDC
);
1426 dbwrap_transaction_cancel(db
);
1430 return NT_STATUS_NO_MEMORY
;
1433 info
->trust_attributes
= LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
;
1435 info
->join_time
= 0;
1438 * We don't have enough information about the configured
1441 info
->supported_enc_types
= 0;
1442 info
->salt_principal
= NULL
;
1443 if (info
->trust_type
== LSA_TRUST_TYPE_UPLEVEL
) {
1446 p
= kerberos_secrets_fetch_salt_princ();
1448 dbwrap_transaction_cancel(db
);
1452 return NT_STATUS_INTERNAL_ERROR
;
1454 info
->salt_principal
= talloc_strdup(info
, p
);
1456 if (info
->salt_principal
== NULL
) {
1457 dbwrap_transaction_cancel(db
);
1461 return NT_STATUS_NO_MEMORY
;
1465 info
->password_last_change
= last_set_nt
;
1466 info
->password_changes
= 1;
1467 info
->next_change
= NULL
;
1469 status
= secrets_domain_info_password_create(info
,
1471 info
->salt_principal
,
1472 last_set_nt
, server
,
1475 if (!NT_STATUS_IS_OK(status
)) {
1476 DBG_ERR("secrets_domain_info_password_create(pw) failed "
1477 "for %s - %s\n", domain
, nt_errstr(status
));
1478 dbwrap_transaction_cancel(db
);
1484 * After a join we don't have old passwords.
1486 if (old_pw
!= NULL
) {
1487 status
= secrets_domain_info_password_create(info
,
1489 info
->salt_principal
,
1491 &info
->old_password
);
1493 if (!NT_STATUS_IS_OK(status
)) {
1494 DBG_ERR("secrets_domain_info_password_create(old) failed "
1495 "for %s - %s\n", domain
, nt_errstr(status
));
1496 dbwrap_transaction_cancel(db
);
1500 info
->password_changes
+= 1;
1502 info
->old_password
= NULL
;
1504 info
->older_password
= NULL
;
1506 secrets_debug_domain_info(DBGLVL_INFO
, info
, "upgrade");
1508 status
= secrets_store_domain_info(info
, true /* upgrade */);
1509 if (!NT_STATUS_IS_OK(status
)) {
1510 DBG_ERR("secrets_store_domain_info() failed "
1511 "for %s - %s\n", domain
, nt_errstr(status
));
1512 dbwrap_transaction_cancel(db
);
1518 * We now reparse it.
1520 status
= secrets_fetch_domain_info(domain
, frame
, &info
);
1521 if (!NT_STATUS_IS_OK(status
)) {
1522 DBG_ERR("secrets_fetch_domain_info() failed "
1523 "for %s - %s\n", domain
, nt_errstr(status
));
1524 dbwrap_transaction_cancel(db
);
1529 ret
= dbwrap_transaction_commit(db
);
1531 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
1533 dbwrap_transaction_cancel(db
);
1535 return NT_STATUS_INTERNAL_DB_ERROR
;
1538 *pinfo
= talloc_move(mem_ctx
, &info
);
1540 return NT_STATUS_OK
;
1543 NTSTATUS
secrets_store_JoinCtx(const struct libnet_JoinCtx
*r
)
1545 TALLOC_CTX
*frame
= talloc_stackframe();
1546 struct secrets_domain_info1
*old
= NULL
;
1547 struct secrets_domain_info1
*info
= NULL
;
1548 struct db_context
*db
= NULL
;
1549 struct timeval tv
= timeval_current();
1550 NTTIME now
= timeval_to_nttime(&tv
);
1551 const char *domain
= r
->out
.netbios_domain_name
;
1555 info
= talloc_zero(frame
, struct secrets_domain_info1
);
1557 DBG_ERR("talloc_zero failed\n");
1559 return NT_STATUS_NO_MEMORY
;
1562 info
->computer_name
= r
->in
.machine_name
;
1563 info
->account_name
= r
->out
.account_name
;
1564 info
->secure_channel_type
= r
->in
.secure_channel_type
;
1566 info
->domain_info
.name
.string
=
1567 r
->out
.netbios_domain_name
;
1568 info
->domain_info
.dns_domain
.string
=
1569 r
->out
.dns_domain_name
;
1570 info
->domain_info
.dns_forest
.string
=
1572 info
->domain_info
.domain_guid
= r
->out
.domain_guid
;
1573 info
->domain_info
.sid
= r
->out
.domain_sid
;
1575 info
->trust_flags
= NETR_TRUST_FLAG_PRIMARY
;
1576 info
->trust_flags
|= NETR_TRUST_FLAG_OUTBOUND
;
1577 if (r
->out
.domain_is_ad
) {
1579 * We just assume all AD domains are
1580 * NETR_TRUST_FLAG_NATIVE these days.
1582 * This isn't used anyway for now.
1584 info
->trust_flags
|= NETR_TRUST_FLAG_NATIVE
;
1586 info
->trust_type
= LSA_TRUST_TYPE_UPLEVEL
;
1588 info
->trust_type
= LSA_TRUST_TYPE_DOWNLEVEL
;
1590 info
->trust_attributes
= LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
;
1592 info
->join_time
= now
;
1594 info
->supported_enc_types
= r
->out
.set_encryption_types
;
1595 info
->salt_principal
= r
->out
.krb5_salt
;
1597 if (info
->salt_principal
== NULL
&& r
->out
.domain_is_ad
) {
1600 ret
= smb_krb5_salt_principal(info
->domain_info
.dns_domain
.string
,
1602 NULL
/* userPrincipalName */,
1603 true /* is_computer */,
1606 status
= krb5_to_nt_status(ret
);
1607 DBG_ERR("smb_krb5_salt_principal() failed "
1608 "for %s - %s\n", domain
, nt_errstr(status
));
1612 info
->salt_principal
= p
;
1615 info
->password_last_change
= now
;
1616 info
->password_changes
= 1;
1617 info
->next_change
= NULL
;
1619 status
= secrets_domain_info_password_create(info
,
1620 r
->in
.machine_password
,
1621 info
->salt_principal
,
1624 if (!NT_STATUS_IS_OK(status
)) {
1625 DBG_ERR("secrets_domain_info_password_create(pw) failed "
1626 "for %s - %s\n", domain
, nt_errstr(status
));
1631 db
= secrets_db_ctx();
1633 ret
= dbwrap_transaction_start(db
);
1635 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
1638 return NT_STATUS_INTERNAL_DB_ERROR
;
1641 status
= secrets_fetch_or_upgrade_domain_info(domain
, frame
, &old
);
1642 if (NT_STATUS_EQUAL(status
, NT_STATUS_CANT_ACCESS_DOMAIN_INFO
)) {
1643 DBG_DEBUG("no old join for domain(%s) available\n",
1646 } else if (!NT_STATUS_IS_OK(status
)) {
1647 DBG_ERR("secrets_fetch_or_upgrade_domain_info(%s) failed\n",
1649 dbwrap_transaction_cancel(db
);
1655 * We reuse values from an old join, so that
1656 * we still accept already granted kerberos tickets.
1659 info
->old_password
= old
->password
;
1660 info
->older_password
= old
->old_password
;
1663 secrets_debug_domain_info(DBGLVL_INFO
, info
, "join");
1665 status
= secrets_store_domain_info(info
, false /* upgrade */);
1666 if (!NT_STATUS_IS_OK(status
)) {
1667 DBG_ERR("secrets_store_domain_info() failed "
1668 "for %s - %s\n", domain
, nt_errstr(status
));
1669 dbwrap_transaction_cancel(db
);
1674 ret
= dbwrap_transaction_commit(db
);
1676 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
1679 return NT_STATUS_INTERNAL_DB_ERROR
;
1683 return NT_STATUS_OK
;
1686 NTSTATUS
secrets_prepare_password_change(const char *domain
, const char *dcname
,
1687 const char *cleartext_unix
,
1688 TALLOC_CTX
*mem_ctx
,
1689 struct secrets_domain_info1
**pinfo
,
1690 struct secrets_domain_info1_change
**pprev
)
1692 TALLOC_CTX
*frame
= talloc_stackframe();
1693 struct db_context
*db
= NULL
;
1694 struct secrets_domain_info1
*info
= NULL
;
1695 struct secrets_domain_info1_change
*prev
= NULL
;
1696 struct secrets_domain_info1_change
*next
= NULL
;
1697 struct timeval tv
= timeval_current();
1698 NTTIME now
= timeval_to_nttime(&tv
);
1702 db
= secrets_db_ctx();
1704 ret
= dbwrap_transaction_start(db
);
1706 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
1709 return NT_STATUS_INTERNAL_DB_ERROR
;
1712 status
= secrets_fetch_or_upgrade_domain_info(domain
, frame
, &info
);
1713 if (!NT_STATUS_IS_OK(status
)) {
1714 DBG_ERR("secrets_fetch_or_upgrade_domain_info(%s) failed\n",
1716 dbwrap_transaction_cancel(db
);
1721 prev
= info
->next_change
;
1722 info
->next_change
= NULL
;
1724 next
= talloc_zero(frame
, struct secrets_domain_info1_change
);
1726 DBG_ERR("talloc_zero failed\n");
1728 return NT_STATUS_NO_MEMORY
;
1734 status
= secrets_domain_info_password_create(next
,
1736 info
->salt_principal
,
1739 if (!NT_STATUS_IS_OK(status
)) {
1740 DBG_ERR("secrets_domain_info_password_create(next) failed "
1741 "for %s - %s\n", domain
, nt_errstr(status
));
1742 dbwrap_transaction_cancel(db
);
1748 next
->local_status
= NT_STATUS_OK
;
1749 next
->remote_status
= NT_STATUS_NOT_COMMITTED
;
1750 next
->change_time
= now
;
1751 next
->change_server
= dcname
;
1753 info
->next_change
= next
;
1755 secrets_debug_domain_info(DBGLVL_INFO
, info
, "prepare_change");
1757 status
= secrets_store_domain_info(info
, false /* upgrade */);
1758 if (!NT_STATUS_IS_OK(status
)) {
1759 DBG_ERR("secrets_store_domain_info() failed "
1760 "for %s - %s\n", domain
, nt_errstr(status
));
1761 dbwrap_transaction_cancel(db
);
1767 * We now reparse it.
1769 status
= secrets_fetch_domain_info(domain
, frame
, &info
);
1770 if (!NT_STATUS_IS_OK(status
)) {
1771 DBG_ERR("secrets_fetch_domain_info(%s) failed\n", domain
);
1772 dbwrap_transaction_cancel(db
);
1777 ret
= dbwrap_transaction_commit(db
);
1779 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
1782 return NT_STATUS_INTERNAL_DB_ERROR
;
1785 *pinfo
= talloc_move(mem_ctx
, &info
);
1787 *pprev
= talloc_move(mem_ctx
, &prev
);
1793 return NT_STATUS_OK
;
1796 static NTSTATUS
secrets_check_password_change(const struct secrets_domain_info1
*cookie
,
1797 TALLOC_CTX
*mem_ctx
,
1798 struct secrets_domain_info1
**pstored
)
1800 const char *domain
= cookie
->domain_info
.name
.string
;
1801 struct secrets_domain_info1
*stored
= NULL
;
1802 struct secrets_domain_info1_change
*sn
= NULL
;
1803 struct secrets_domain_info1_change
*cn
= NULL
;
1807 if (cookie
->next_change
== NULL
) {
1808 DBG_ERR("cookie->next_change == NULL for %s.\n", domain
);
1809 return NT_STATUS_INTERNAL_ERROR
;
1812 if (cookie
->next_change
->password
== NULL
) {
1813 DBG_ERR("cookie->next_change->password == NULL for %s.\n", domain
);
1814 return NT_STATUS_INTERNAL_ERROR
;
1817 if (cookie
->password
== NULL
) {
1818 DBG_ERR("cookie->password == NULL for %s.\n", domain
);
1819 return NT_STATUS_INTERNAL_ERROR
;
1823 * Here we check that the given strucure still contains the
1824 * same secrets_domain_info1_change as currently stored.
1826 * There's always a gap between secrets_prepare_password_change()
1827 * and the callers of secrets_check_password_change().
1830 status
= secrets_fetch_domain_info(domain
, mem_ctx
, &stored
);
1831 if (!NT_STATUS_IS_OK(status
)) {
1832 DBG_ERR("secrets_fetch_domain_info(%s) failed\n", domain
);
1836 if (stored
->next_change
== NULL
) {
1838 * We hit a race..., the administrator
1839 * rejoined or something similar happened.
1841 DBG_ERR("stored->next_change == NULL for %s.\n", domain
);
1842 TALLOC_FREE(stored
);
1843 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT
;
1846 if (stored
->password_last_change
!= cookie
->password_last_change
) {
1847 struct timeval store_tv
;
1848 struct timeval_buf store_buf
;
1849 struct timeval cookie_tv
;
1850 struct timeval_buf cookie_buf
;
1852 nttime_to_timeval(&store_tv
, stored
->password_last_change
);
1853 nttime_to_timeval(&cookie_tv
, cookie
->password_last_change
);
1855 DBG_ERR("password_last_change differs %s != %s for %s.\n",
1856 timeval_str_buf(&store_tv
, false, false, &store_buf
),
1857 timeval_str_buf(&cookie_tv
, false, false, &cookie_buf
),
1859 TALLOC_FREE(stored
);
1860 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT
;
1863 sn
= stored
->next_change
;
1864 cn
= cookie
->next_change
;
1866 if (sn
->change_time
!= cn
->change_time
) {
1867 struct timeval store_tv
;
1868 struct timeval_buf store_buf
;
1869 struct timeval cookie_tv
;
1870 struct timeval_buf cookie_buf
;
1872 nttime_to_timeval(&store_tv
, sn
->change_time
);
1873 nttime_to_timeval(&cookie_tv
, cn
->change_time
);
1875 DBG_ERR("next change_time differs %s != %s for %s.\n",
1876 timeval_str_buf(&store_tv
, false, false, &store_buf
),
1877 timeval_str_buf(&cookie_tv
, false, false, &cookie_buf
),
1879 TALLOC_FREE(stored
);
1880 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT
;
1883 if (sn
->password
->change_time
!= cn
->password
->change_time
) {
1884 struct timeval store_tv
;
1885 struct timeval_buf store_buf
;
1886 struct timeval cookie_tv
;
1887 struct timeval_buf cookie_buf
;
1889 nttime_to_timeval(&store_tv
, sn
->password
->change_time
);
1890 nttime_to_timeval(&cookie_tv
, cn
->password
->change_time
);
1892 DBG_ERR("next password.change_time differs %s != %s for %s.\n",
1893 timeval_str_buf(&store_tv
, false, false, &store_buf
),
1894 timeval_str_buf(&cookie_tv
, false, false, &cookie_buf
),
1896 TALLOC_FREE(stored
);
1897 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT
;
1900 cmp
= memcmp(sn
->password
->nt_hash
.hash
,
1901 cn
->password
->nt_hash
.hash
,
1904 DBG_ERR("next password.nt_hash differs for %s.\n",
1906 TALLOC_FREE(stored
);
1907 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT
;
1910 cmp
= memcmp(stored
->password
->nt_hash
.hash
,
1911 cookie
->password
->nt_hash
.hash
,
1914 DBG_ERR("password.nt_hash differs for %s.\n",
1916 TALLOC_FREE(stored
);
1917 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT
;
1921 return NT_STATUS_OK
;
1924 static NTSTATUS
secrets_abort_password_change(const char *change_server
,
1925 NTSTATUS local_status
,
1926 NTSTATUS remote_status
,
1927 const struct secrets_domain_info1
*cookie
,
1930 const char *domain
= cookie
->domain_info
.name
.string
;
1931 TALLOC_CTX
*frame
= talloc_stackframe();
1932 struct db_context
*db
= NULL
;
1933 struct secrets_domain_info1
*info
= NULL
;
1934 const char *reason
= defer
? "defer_change" : "failed_change";
1935 struct timeval tv
= timeval_current();
1936 NTTIME now
= timeval_to_nttime(&tv
);
1940 db
= secrets_db_ctx();
1942 ret
= dbwrap_transaction_start(db
);
1944 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
1947 return NT_STATUS_INTERNAL_DB_ERROR
;
1951 * secrets_check_password_change()
1952 * checks that cookie->next_change
1953 * is valid and the same as store
1956 status
= secrets_check_password_change(cookie
, frame
, &info
);
1957 if (!NT_STATUS_IS_OK(status
)) {
1958 DBG_ERR("secrets_check_password_change(%s) failed\n", domain
);
1959 dbwrap_transaction_cancel(db
);
1965 * Remember the last server and error.
1967 info
->next_change
->change_server
= change_server
;
1968 info
->next_change
->change_time
= now
;
1969 info
->next_change
->local_status
= local_status
;
1970 info
->next_change
->remote_status
= remote_status
;
1973 * Make sure the next automatic change is deferred.
1976 info
->password_last_change
= now
;
1979 secrets_debug_domain_info(DBGLVL_WARNING
, info
, reason
);
1981 status
= secrets_store_domain_info(info
, false /* upgrade */);
1982 if (!NT_STATUS_IS_OK(status
)) {
1983 DBG_ERR("secrets_store_domain_info() failed "
1984 "for %s - %s\n", domain
, nt_errstr(status
));
1985 dbwrap_transaction_cancel(db
);
1990 ret
= dbwrap_transaction_commit(db
);
1992 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
1995 return NT_STATUS_INTERNAL_DB_ERROR
;
1999 return NT_STATUS_OK
;
2002 NTSTATUS
secrets_failed_password_change(const char *change_server
,
2003 NTSTATUS local_status
,
2004 NTSTATUS remote_status
,
2005 const struct secrets_domain_info1
*cookie
)
2007 static const bool defer
= false;
2008 return secrets_abort_password_change(change_server
,
2014 NTSTATUS
secrets_defer_password_change(const char *change_server
,
2015 NTSTATUS local_status
,
2016 NTSTATUS remote_status
,
2017 const struct secrets_domain_info1
*cookie
)
2019 static const bool defer
= true;
2020 return secrets_abort_password_change(change_server
,
2026 NTSTATUS
secrets_finish_password_change(const char *change_server
,
2028 const struct secrets_domain_info1
*cookie
)
2030 const char *domain
= cookie
->domain_info
.name
.string
;
2031 TALLOC_CTX
*frame
= talloc_stackframe();
2032 struct db_context
*db
= NULL
;
2033 struct secrets_domain_info1
*info
= NULL
;
2034 struct secrets_domain_info1_change
*nc
= NULL
;
2038 db
= secrets_db_ctx();
2040 ret
= dbwrap_transaction_start(db
);
2042 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
2045 return NT_STATUS_INTERNAL_DB_ERROR
;
2049 * secrets_check_password_change() checks that cookie->next_change is
2050 * valid and the same as store in the database.
2052 status
= secrets_check_password_change(cookie
, frame
, &info
);
2053 if (!NT_STATUS_IS_OK(status
)) {
2054 DBG_ERR("secrets_check_password_change(%s) failed\n", domain
);
2055 dbwrap_transaction_cancel(db
);
2060 nc
= info
->next_change
;
2062 nc
->password
->change_server
= change_server
;
2063 nc
->password
->change_time
= change_time
;
2065 info
->password_last_change
= change_time
;
2066 info
->password_changes
+= 1;
2067 info
->next_change
= NULL
;
2069 info
->older_password
= info
->old_password
;
2070 info
->old_password
= info
->password
;
2071 info
->password
= nc
->password
;
2073 secrets_debug_domain_info(DBGLVL_WARNING
, info
, "finish_change");
2075 status
= secrets_store_domain_info(info
, false /* upgrade */);
2076 if (!NT_STATUS_IS_OK(status
)) {
2077 DBG_ERR("secrets_store_domain_info() failed "
2078 "for %s - %s\n", domain
, nt_errstr(status
));
2079 dbwrap_transaction_cancel(db
);
2084 ret
= dbwrap_transaction_commit(db
);
2086 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
2089 return NT_STATUS_INTERNAL_DB_ERROR
;
2093 return NT_STATUS_OK
;