source/smbd/change_trust_pw.c

   1 /*
   2  *  Unix SMB/CIFS implementation.
   3  *  Periodic Trust account password changing.
   4  *  Copyright (C) Andrew Tridgell              1992-1997,
   5  *  Copyright (C) Luke Kenneth Casson Leighton 1996-1997,
   6  *  Copyright (C) Paul Ashton                       1997.
   7  *  Copyright (C) Jeremy Allison                    1998.
   8  *  Copyright (C) Andrew Bartlett                   2001.
   9  *
  10  *  This program is free software; you can redistribute it and/or modify
  11  *  it under the terms of the GNU General Public License as published by
  12  *  the Free Software Foundation; either version 2 of the License, or
  13  *  (at your option) any later version.
  14  *
  15  *  This program is distributed in the hope that it will be useful,
  16  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  17  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18  *  GNU General Public License for more details.
  19  *
  20  *  You should have received a copy of the GNU General Public License
  21  *  along with this program; if not, write to the Free Software
  22  *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  23  */
  24
  25 #include "includes.h"
  26
  27 extern pstring global_myname;
  28
  29 /*********************************************************
  30  Change the domain password on the PDC.
  31 **********************************************************/
  32
  33 static NTSTATUS modify_trust_password( char *domain, char *remote_machine,
  34                                    unsigned char orig_trust_passwd_hash[16])
  35 {
  36   struct cli_state *cli;
  37   DOM_SID domain_sid;
  38   NTSTATUS nt_status;
  39
  40   /*
  41    * Ensure we have the domain SID for this domain.
  42    */
  43
  44   if (!secrets_fetch_domain_sid(domain, &domain_sid)) {
  45     DEBUG(0, ("modify_trust_password: unable to fetch domain sid.\n"));
  46     return NT_STATUS_UNSUCCESSFUL;
  47   }
  48
  49   if (!NT_STATUS_IS_OK(cli_full_connection(&cli, global_myname, remote_machine,
  50                                            NULL, 0,
  51                                            "IPC$", "IPC",
  52                                            "", "",
  53                                            "", 0))) {
  54           DEBUG(0,("modify_trust_password: Connection to %s failed!\n", remote_machine));
  55           return NT_STATUS_UNSUCCESSFUL;
  56   }
  57
  58   /*
  59    * Ok - we have an anonymous connection to the IPC$ share.
  60    * Now start the NT Domain stuff :-).
  61    */
  62
  63   if(cli_nt_session_open(cli, PIPE_NETLOGON) == False) {
  64     DEBUG(0,("modify_trust_password: unable to open the domain client session to \
  65 machine %s. Error was : %s.\n", remote_machine, cli_errstr(cli)));
  66     cli_nt_session_close(cli);
  67     cli_ulogoff(cli);
  68     cli_shutdown(cli);
  69     return NT_STATUS_UNSUCCESSFUL;
  70   }
  71
  72   nt_status = trust_pw_change_and_store_it(cli, cli->mem_ctx,
  73                                            orig_trust_passwd_hash);
  74
  75   cli_nt_session_close(cli);
  76   cli_ulogoff(cli);
  77   cli_shutdown(cli);
  78   return nt_status;
  79 }
  80
  81 /************************************************************************
  82  Change the trust account password for a domain.
  83 ************************************************************************/
  84
  85 NTSTATUS change_trust_account_password( char *domain, char *remote_machine_list)
  86 {
  87   fstring remote_machine;
  88   unsigned char old_trust_passwd_hash[16];
  89   time_t lct;
  90   NTSTATUS res = NT_STATUS_UNSUCCESSFUL;
  91
  92   if(!secrets_fetch_trust_account_password(domain, old_trust_passwd_hash, &lct)) {
  93     DEBUG(0,("change_trust_account_password: unable to read the machine \
  94 account password for domain %s.\n", domain));
  95     return NT_STATUS_UNSUCCESSFUL;
  96   }
  97
  98   while(remote_machine_list &&
  99         next_token(&remote_machine_list, remote_machine,
 100                    LIST_SEP, sizeof(remote_machine))) {
 101     strupper(remote_machine);
 102     if(strequal(remote_machine, "*")) {
 103
 104       /*
 105        * We have been asked to dynamcially determine the IP addresses of the PDC.
 106        */
 107
 108       struct in_addr *ip_list = NULL;
 109       int count = 0;
 110       int i;
 111
 112       /* Use the PDC *only* for this. */
 113       if(!get_dc_list(True, domain, &ip_list, &count))
 114         continue;
 115
 116       /*
 117        * Try and connect to the PDC/BDC list in turn as an IP
 118        * address used as a string.
 119        */
 120
 121       for(i = 0; i < count; i++) {
 122         fstring dc_name;
 123         if(!lookup_dc_name(global_myname, domain, &ip_list[i], dc_name))
 124           continue;
 125         if(NT_STATUS_IS_OK(res = modify_trust_password( domain, dc_name,
 126                                          old_trust_passwd_hash)))
 127           break;
 128       }
 129
 130       SAFE_FREE(ip_list);
 131
 132     } else {
 133             res = modify_trust_password( domain, remote_machine,
 134                                          old_trust_passwd_hash);
 135     }
 136
 137   }
 138
 139   if (!NT_STATUS_IS_OK(res)) {
 140           DEBUG(0,("%s : change_trust_account_password: Failed to change password for \
 141 domain %s.\n", timestring(False), domain));
 142   }
 143
 144   return res;
 145 }