2 Unix SMB/CIFS implementation.
3 Copyright (C) Andrew Tridgell 1992-2001
4 Copyright (C) Andrew Bartlett 2002
5 Copyright (C) Rafal Szczesniak 2002
6 Copyright (C) Tim Potter 2001
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 /* the Samba secrets database stores any generated, private information
24 such as the local SID and machine trust password */
29 #define DBGC_CLASS DBGC_PASSDB
31 static TDB_CONTEXT
*tdb
;
33 /* Urrrg. global.... */
34 BOOL global_machine_password_needs_changing
;
37 * Use a TDB to store an incrementing random seed.
39 * Initialised to the current pid, the very first time Samba starts,
40 * and incremented by one each time it is needed.
42 * @note Not called by systems with a working /dev/urandom.
44 static void get_rand_seed(int *new_seed
)
46 *new_seed
= sys_getpid();
48 tdb_change_int32_atomic(tdb
, "INFO/random_seed", new_seed
, 1);
52 /* open up the secrets database */
53 BOOL
secrets_init(void)
61 pstrcpy(fname
, lp_private_dir());
62 pstrcat(fname
,"/secrets.tdb");
64 tdb
= tdb_open_log(fname
, 0, TDB_DEFAULT
, O_RDWR
|O_CREAT
, 0600);
67 DEBUG(0,("Failed to open %s\n", fname
));
72 * Set a reseed function for the crypto random generator
74 * This avoids a problem where systems without /dev/urandom
75 * could send the same challenge to multiple clients
77 set_rand_reseed_callback(get_rand_seed
);
79 /* Ensure that the reseed is done now, while we are root, etc */
80 generate_random_buffer(&dummy
, sizeof(dummy
));
85 /* read a entry from the secrets database - the caller must free the result
86 if size is non-null then the size of the entry is put in there
88 void *secrets_fetch(const char *key
, size_t *size
)
94 dbuf
= tdb_fetch(tdb
, string_tdb_data(key
));
100 /* store a secrets entry
102 BOOL
secrets_store(const char *key
, const void *data
, size_t size
)
107 return tdb_store(tdb
, string_tdb_data(key
), make_tdb_data(data
, size
),
112 /* delete a secets database entry
114 BOOL
secrets_delete(const char *key
)
119 return tdb_delete(tdb
, string_tdb_data(key
)) == 0;
122 BOOL
secrets_store_domain_sid(const char *domain
, const DOM_SID
*sid
)
127 slprintf(key
, sizeof(key
)-1, "%s/%s", SECRETS_DOMAIN_SID
, domain
);
129 ret
= secrets_store(key
, sid
, sizeof(DOM_SID
));
131 /* Force a re-query, in case we modified our domain */
133 reset_global_sam_sid();
137 BOOL
secrets_fetch_domain_sid(const char *domain
, DOM_SID
*sid
)
143 slprintf(key
, sizeof(key
)-1, "%s/%s", SECRETS_DOMAIN_SID
, domain
);
145 dyn_sid
= (DOM_SID
*)secrets_fetch(key
, &size
);
150 if (size
!= sizeof(DOM_SID
)) {
160 BOOL
secrets_store_domain_guid(const char *domain
, struct uuid
*guid
)
164 slprintf(key
, sizeof(key
)-1, "%s/%s", SECRETS_DOMAIN_GUID
, domain
);
166 return secrets_store(key
, guid
, sizeof(struct uuid
));
169 BOOL
secrets_fetch_domain_guid(const char *domain
, struct uuid
*guid
)
171 struct uuid
*dyn_guid
;
174 struct uuid new_guid
;
176 slprintf(key
, sizeof(key
)-1, "%s/%s", SECRETS_DOMAIN_GUID
, domain
);
178 dyn_guid
= (struct uuid
*)secrets_fetch(key
, &size
);
181 if (lp_server_role() == ROLE_DOMAIN_PDC
) {
182 smb_uuid_generate_random(&new_guid
);
183 if (!secrets_store_domain_guid(domain
, &new_guid
))
185 dyn_guid
= (struct uuid
*)secrets_fetch(key
, &size
);
187 if (dyn_guid
== NULL
) {
192 if (size
!= sizeof(struct uuid
)) {
193 DEBUG(1,("UUID size %d is wrong!\n", (int)size
));
204 * Form a key for fetching the machine trust account password
206 * @param domain domain name
208 * @return stored password's key
210 const char *trust_keystr(const char *domain
)
212 static fstring keystr
;
214 slprintf(keystr
,sizeof(keystr
)-1,"%s/%s",
215 SECRETS_MACHINE_ACCT_PASS
, domain
);
222 * Form a key for fetching a trusted domain password
224 * @param domain trusted domain name
226 * @return stored password's key
228 static char *trustdom_keystr(const char *domain
)
230 static pstring keystr
;
232 pstr_sprintf(keystr
, "%s/%s", SECRETS_DOMTRUST_ACCT_PASS
, domain
);
238 /************************************************************************
239 Lock the trust password entry.
240 ************************************************************************/
242 BOOL
secrets_lock_trust_account_password(const char *domain
, BOOL dolock
)
248 return (tdb_lock_bystring(tdb
, trust_keystr(domain
)) == 0);
250 tdb_unlock_bystring(tdb
, trust_keystr(domain
));
254 /************************************************************************
255 Routine to get the default secure channel type for trust accounts
256 ************************************************************************/
258 uint32
get_default_sec_channel(void)
260 if (lp_server_role() == ROLE_DOMAIN_BDC
||
261 lp_server_role() == ROLE_DOMAIN_PDC
) {
264 return SEC_CHAN_WKSTA
;
268 /************************************************************************
269 Routine to get the trust account password for a domain.
270 The user of this function must have locked the trust password file using
271 the above secrets_lock_trust_account_password().
272 ************************************************************************/
274 BOOL
secrets_fetch_trust_account_password(const char *domain
, uint8 ret_pwd
[16],
275 time_t *pass_last_set_time
,
278 struct machine_acct_pass
*pass
;
282 plaintext
= secrets_fetch_machine_password(domain
, pass_last_set_time
,
285 DEBUG(4,("Using cleartext machine password\n"));
286 E_md4hash(plaintext
, ret_pwd
);
287 SAFE_FREE(plaintext
);
291 if (!(pass
= secrets_fetch(trust_keystr(domain
), &size
))) {
292 DEBUG(5, ("secrets_fetch failed!\n"));
296 if (size
!= sizeof(*pass
)) {
297 DEBUG(0, ("secrets were of incorrect size!\n"));
301 if (pass_last_set_time
) {
302 *pass_last_set_time
= pass
->mod_time
;
304 memcpy(ret_pwd
, pass
->hash
, 16);
307 *channel
= get_default_sec_channel();
310 /* Test if machine password has expired and needs to be changed */
311 if (lp_machine_password_timeout()) {
312 if (pass
->mod_time
> 0 && time(NULL
) > (pass
->mod_time
+
313 (time_t)lp_machine_password_timeout())) {
314 global_machine_password_needs_changing
= True
;
322 /************************************************************************
323 Routine to get account password to trusted domain
324 ************************************************************************/
326 BOOL
secrets_fetch_trusted_domain_password(const char *domain
, char** pwd
,
327 DOM_SID
*sid
, time_t *pass_last_set_time
)
329 struct trusted_dom_pass pass
;
332 /* unpacking structures */
338 /* fetching trusted domain password structure */
339 if (!(pass_buf
= secrets_fetch(trustdom_keystr(domain
), &size
))) {
340 DEBUG(5, ("secrets_fetch failed!\n"));
344 /* unpack trusted domain password */
345 pass_len
= tdb_trusted_dom_pass_unpack(pass_buf
, size
, &pass
);
348 if (pass_len
!= size
) {
349 DEBUG(5, ("Invalid secrets size. Unpacked data doesn't match trusted_dom_pass structure.\n"));
353 /* the trust's password */
355 *pwd
= SMB_STRDUP(pass
.pass
);
361 /* last change time */
362 if (pass_last_set_time
) *pass_last_set_time
= pass
.mod_time
;
365 if (sid
!= NULL
) sid_copy(sid
, &pass
.domain_sid
);
370 /************************************************************************
371 Routine to set the trust account password for a domain.
372 ************************************************************************/
374 BOOL
secrets_store_trust_account_password(const char *domain
, uint8 new_pwd
[16])
376 struct machine_acct_pass pass
;
378 pass
.mod_time
= time(NULL
);
379 memcpy(pass
.hash
, new_pwd
, 16);
381 return secrets_store(trust_keystr(domain
), (void *)&pass
, sizeof(pass
));
385 * Routine to store the password for trusted domain
387 * @param domain remote domain name
388 * @param pwd plain text password of trust relationship
389 * @param sid remote domain sid
391 * @return true if succeeded
394 BOOL
secrets_store_trusted_domain_password(const char* domain
, const char* pwd
,
397 smb_ucs2_t
*uni_dom_name
;
399 /* packing structures */
402 int pass_buf_len
= sizeof(pass_buf
);
404 struct trusted_dom_pass pass
;
407 if (push_ucs2_allocate(&uni_dom_name
, domain
) == (size_t)-1) {
408 DEBUG(0, ("Could not convert domain name %s to unicode\n",
413 strncpy_w(pass
.uni_name
, uni_dom_name
, sizeof(pass
.uni_name
) - 1);
414 pass
.uni_name_len
= strlen_w(uni_dom_name
)+1;
415 SAFE_FREE(uni_dom_name
);
417 /* last change time */
418 pass
.mod_time
= time(NULL
);
420 /* password of the trust */
421 pass
.pass_len
= strlen(pwd
);
422 fstrcpy(pass
.pass
, pwd
);
425 sid_copy(&pass
.domain_sid
, sid
);
427 pass_len
= tdb_trusted_dom_pass_pack(pass_buf
, pass_buf_len
, &pass
);
429 return secrets_store(trustdom_keystr(domain
), (void *)&pass_buf
, pass_len
);
432 /************************************************************************
433 Routine to set the plaintext machine account password for a realm
434 the password is assumed to be a null terminated ascii string
435 ************************************************************************/
437 BOOL
secrets_store_machine_password(const char *pass
, const char *domain
, uint32 sec_channel
)
441 uint32 last_change_time
;
442 uint32 sec_channel_type
;
444 asprintf(&key
, "%s/%s", SECRETS_MACHINE_PASSWORD
, domain
);
449 ret
= secrets_store(key
, pass
, strlen(pass
)+1);
455 asprintf(&key
, "%s/%s", SECRETS_MACHINE_LAST_CHANGE_TIME
, domain
);
460 SIVAL(&last_change_time
, 0, time(NULL
));
461 ret
= secrets_store(key
, &last_change_time
, sizeof(last_change_time
));
464 asprintf(&key
, "%s/%s", SECRETS_MACHINE_SEC_CHANNEL_TYPE
, domain
);
469 SIVAL(&sec_channel_type
, 0, sec_channel
);
470 ret
= secrets_store(key
, &sec_channel_type
, sizeof(sec_channel_type
));
476 /************************************************************************
477 Routine to fetch the plaintext machine account password for a realm
478 the password is assumed to be a null terminated ascii string.
479 ************************************************************************/
481 char *secrets_fetch_machine_password(const char *domain
,
482 time_t *pass_last_set_time
,
487 asprintf(&key
, "%s/%s", SECRETS_MACHINE_PASSWORD
, domain
);
489 ret
= (char *)secrets_fetch(key
, NULL
);
492 if (pass_last_set_time
) {
494 uint32
*last_set_time
;
495 asprintf(&key
, "%s/%s", SECRETS_MACHINE_LAST_CHANGE_TIME
, domain
);
497 last_set_time
= secrets_fetch(key
, &size
);
499 *pass_last_set_time
= IVAL(last_set_time
,0);
500 SAFE_FREE(last_set_time
);
502 *pass_last_set_time
= 0;
509 uint32
*channel_type
;
510 asprintf(&key
, "%s/%s", SECRETS_MACHINE_SEC_CHANNEL_TYPE
, domain
);
512 channel_type
= secrets_fetch(key
, &size
);
514 *channel
= IVAL(channel_type
,0);
515 SAFE_FREE(channel_type
);
517 *channel
= get_default_sec_channel();
525 /*******************************************************************
526 Wrapper around retrieving the trust account password
527 *******************************************************************/
529 BOOL
get_trust_pw(const char *domain
, uint8 ret_pwd
[16], uint32
*channel
)
533 time_t last_set_time
;
535 /* if we are a DC and this is not our domain, then lookup an account
536 for the domain trust */
538 if ( IS_DC
&& !strequal(domain
, lp_workgroup()) && lp_allow_trusted_domains() ) {
539 if (!secrets_fetch_trusted_domain_password(domain
, &pwd
, &sid
,
541 DEBUG(0, ("get_trust_pw: could not fetch trust "
542 "account password for trusted domain %s\n",
547 *channel
= SEC_CHAN_DOMAIN
;
548 E_md4hash(pwd
, ret_pwd
);
554 /* Just get the account for the requested domain. In the future this
555 * might also cover to be member of more than one domain. */
557 if (secrets_fetch_trust_account_password(domain
, ret_pwd
,
558 &last_set_time
, channel
))
561 DEBUG(5, ("get_trust_pw: could not fetch trust account "
562 "password for domain %s\n", domain
));
566 /************************************************************************
567 Routine to delete the machine trust account password file for a domain.
568 ************************************************************************/
570 BOOL
trust_password_delete(const char *domain
)
572 return secrets_delete(trust_keystr(domain
));
575 /************************************************************************
576 Routine to delete the password for trusted domain
577 ************************************************************************/
579 BOOL
trusted_domain_password_delete(const char *domain
)
581 return secrets_delete(trustdom_keystr(domain
));
584 BOOL
secrets_store_ldap_pw(const char* dn
, char* pw
)
589 if (asprintf(&key
, "%s/%s", SECRETS_LDAP_BIND_PW
, dn
) < 0) {
590 DEBUG(0, ("secrets_store_ldap_pw: asprintf failed!\n"));
594 ret
= secrets_store(key
, pw
, strlen(pw
)+1);
600 /*******************************************************************
601 Find the ldap password.
602 ******************************************************************/
604 BOOL
fetch_ldap_pw(char **dn
, char** pw
)
609 *dn
= smb_xstrdup(lp_ldap_admin_dn());
611 if (asprintf(&key
, "%s/%s", SECRETS_LDAP_BIND_PW
, *dn
) < 0) {
613 DEBUG(0, ("fetch_ldap_pw: asprintf failed!\n"));
616 *pw
=secrets_fetch(key
, &size
);
620 /* Upgrade 2.2 style entry */
622 char* old_style_key
= SMB_STRDUP(*dn
);
624 fstring old_style_pw
;
626 if (!old_style_key
) {
627 DEBUG(0, ("fetch_ldap_pw: strdup failed!\n"));
631 for (p
=old_style_key
; *p
; p
++)
632 if (*p
== ',') *p
= '/';
634 data
=secrets_fetch(old_style_key
, &size
);
635 if (!size
&& size
< sizeof(old_style_pw
)) {
636 DEBUG(0,("fetch_ldap_pw: neither ldap secret retrieved!\n"));
637 SAFE_FREE(old_style_key
);
642 size
= MIN(size
, sizeof(fstring
)-1);
643 strncpy(old_style_pw
, data
, size
);
644 old_style_pw
[size
] = 0;
648 if (!secrets_store_ldap_pw(*dn
, old_style_pw
)) {
649 DEBUG(0,("fetch_ldap_pw: ldap secret could not be upgraded!\n"));
650 SAFE_FREE(old_style_key
);
654 if (!secrets_delete(old_style_key
)) {
655 DEBUG(0,("fetch_ldap_pw: old ldap secret could not be deleted!\n"));
658 SAFE_FREE(old_style_key
);
660 *pw
= smb_xstrdup(old_style_pw
);
667 * Get trusted domains info from secrets.tdb.
670 NTSTATUS
secrets_trusted_domains(TALLOC_CTX
*mem_ctx
, uint32
*num_domains
,
671 struct trustdom_info
***domains
)
673 TDB_LIST_NODE
*keys
, *k
;
676 if (!secrets_init()) return NT_STATUS_ACCESS_DENIED
;
678 /* generate searching pattern */
679 pattern
= talloc_asprintf(mem_ctx
, "%s/*", SECRETS_DOMTRUST_ACCT_PASS
);
680 if (pattern
== NULL
) {
681 DEBUG(0, ("secrets_trusted_domains: talloc_asprintf() "
683 return NT_STATUS_NO_MEMORY
;
689 /* fetching trusted domains' data and collecting them in a list */
690 keys
= tdb_search_keys(tdb
, pattern
);
692 /* searching for keys in secrets db -- way to go ... */
693 for (k
= keys
; k
; k
= k
->next
) {
695 size_t size
= 0, packed_size
= 0;
696 struct trusted_dom_pass pass
;
698 struct trustdom_info
*dom_info
;
700 /* important: ensure null-termination of the key string */
701 secrets_key
= talloc_strndup(mem_ctx
,
705 DEBUG(0, ("strndup failed!\n"));
706 tdb_search_list_free(keys
);
707 return NT_STATUS_NO_MEMORY
;
710 packed_pass
= secrets_fetch(secrets_key
, &size
);
711 packed_size
= tdb_trusted_dom_pass_unpack(packed_pass
, size
,
713 /* packed representation isn't needed anymore */
714 SAFE_FREE(packed_pass
);
716 if (size
!= packed_size
) {
717 DEBUG(2, ("Secrets record %s is invalid!\n",
722 if (pass
.domain_sid
.num_auths
!= 4) {
723 DEBUG(0, ("SID %s is not a domain sid, has %d "
724 "auths instead of 4\n",
725 sid_string_static(&pass
.domain_sid
),
726 pass
.domain_sid
.num_auths
));
730 dom_info
= TALLOC_P(mem_ctx
, struct trustdom_info
);
731 if (dom_info
== NULL
) {
732 DEBUG(0, ("talloc failed\n"));
733 tdb_search_list_free(keys
);
734 return NT_STATUS_NO_MEMORY
;
737 if (pull_ucs2_talloc(mem_ctx
, &dom_info
->name
,
738 pass
.uni_name
) == (size_t)-1) {
739 DEBUG(2, ("pull_ucs2_talloc failed\n"));
740 tdb_search_list_free(keys
);
741 return NT_STATUS_NO_MEMORY
;
744 sid_copy(&dom_info
->sid
, &pass
.domain_sid
);
746 ADD_TO_ARRAY(mem_ctx
, struct trustdom_info
*, dom_info
,
747 domains
, num_domains
);
749 if (*domains
== NULL
) {
750 tdb_search_list_free(keys
);
751 return NT_STATUS_NO_MEMORY
;
753 talloc_steal(*domains
, dom_info
);
756 DEBUG(5, ("secrets_get_trusted_domains: got %d domains\n",
759 /* free the results of searching the keys */
760 tdb_search_list_free(keys
);
765 /*******************************************************************************
766 Lock the secrets tdb based on a string - this is used as a primitive form of mutex
767 between smbd instances.
768 *******************************************************************************/
770 BOOL
secrets_named_mutex(const char *name
, unsigned int timeout
)
777 ret
= tdb_lock_bystring_with_timeout(tdb
, name
, timeout
);
779 DEBUG(10,("secrets_named_mutex: got mutex for %s\n", name
));
784 /*******************************************************************************
785 Unlock a named mutex.
786 *******************************************************************************/
788 void secrets_named_mutex_release(const char *name
)
790 tdb_unlock_bystring(tdb
, name
);
791 DEBUG(10,("secrets_named_mutex: released mutex for %s\n", name
));
794 /*******************************************************************************
795 Store a complete AFS keyfile into secrets.tdb.
796 *******************************************************************************/
798 BOOL
secrets_store_afs_keyfile(const char *cell
, const struct afs_keyfile
*keyfile
)
802 if ((cell
== NULL
) || (keyfile
== NULL
))
805 if (ntohl(keyfile
->nkeys
) > SECRETS_AFS_MAXKEYS
)
808 slprintf(key
, sizeof(key
)-1, "%s/%s", SECRETS_AFS_KEYFILE
, cell
);
809 return secrets_store(key
, keyfile
, sizeof(struct afs_keyfile
));
812 /*******************************************************************************
813 Fetch the current (highest) AFS key from secrets.tdb
814 *******************************************************************************/
815 BOOL
secrets_fetch_afs_key(const char *cell
, struct afs_key
*result
)
818 struct afs_keyfile
*keyfile
;
822 slprintf(key
, sizeof(key
)-1, "%s/%s", SECRETS_AFS_KEYFILE
, cell
);
824 keyfile
= (struct afs_keyfile
*)secrets_fetch(key
, &size
);
829 if (size
!= sizeof(struct afs_keyfile
)) {
834 i
= ntohl(keyfile
->nkeys
);
836 if (i
> SECRETS_AFS_MAXKEYS
) {
841 *result
= keyfile
->entry
[i
-1];
843 result
->kvno
= ntohl(result
->kvno
);
848 /******************************************************************************
849 When kerberos is not available, choose between anonymous or
850 authenticated connections.
852 We need to use an authenticated connection if DCs have the
853 RestrictAnonymous registry entry set > 0, or the "Additional
854 restrictions for anonymous connections" set in the win2k Local
857 Caller to free() result in domain, username, password
858 *******************************************************************************/
859 void secrets_fetch_ipc_userpass(char **username
, char **domain
, char **password
)
861 *username
= secrets_fetch(SECRETS_AUTH_USER
, NULL
);
862 *domain
= secrets_fetch(SECRETS_AUTH_DOMAIN
, NULL
);
863 *password
= secrets_fetch(SECRETS_AUTH_PASSWORD
, NULL
);
865 if (*username
&& **username
) {
867 if (!*domain
|| !**domain
)
868 *domain
= smb_xstrdup(lp_workgroup());
870 if (!*password
|| !**password
)
871 *password
= smb_xstrdup("");
873 DEBUG(3, ("IPC$ connections done by user %s\\%s\n",
874 *domain
, *username
));
877 DEBUG(3, ("IPC$ connections done anonymously\n"));
878 *username
= smb_xstrdup("");
879 *domain
= smb_xstrdup("");
880 *password
= smb_xstrdup("");
884 /******************************************************************************
885 Open or create the schannel session store tdb.
886 *******************************************************************************/
888 static TDB_CONTEXT
*open_schannel_session_store(TALLOC_CTX
*mem_ctx
)
892 TDB_CONTEXT
*tdb_sc
= NULL
;
893 char *fname
= talloc_asprintf(mem_ctx
, "%s/schannel_store.tdb", lp_private_dir());
899 tdb_sc
= tdb_open_log(fname
, 0, TDB_DEFAULT
, O_RDWR
|O_CREAT
, 0600);
902 DEBUG(0,("open_schannel_session_store: Failed to open %s\n", fname
));
907 vers
= tdb_fetch_bystring(tdb_sc
, "SCHANNEL_STORE_VERSION");
908 if (vers
.dptr
== NULL
) {
909 /* First opener, no version. */
911 vers
.dptr
= (char *)&ver
;
913 tdb_store_bystring(tdb_sc
, "SCHANNEL_STORE_VERSION", vers
, TDB_REPLACE
);
915 } else if (vers
.dsize
== 4) {
916 ver
= IVAL(vers
.dptr
,0);
920 DEBUG(0,("open_schannel_session_store: wrong version number %d in %s\n",
926 DEBUG(0,("open_schannel_session_store: wrong version number size %d in %s\n",
927 (int)vers
.dsize
, fname
));
930 SAFE_FREE(vers
.dptr
);
936 /******************************************************************************
937 Store the schannel state after an AUTH2 call.
938 Note we must be root here.
939 *******************************************************************************/
941 BOOL
secrets_store_schannel_session_info(TALLOC_CTX
*mem_ctx
,
942 const char *remote_machine
,
943 const struct dcinfo
*pdc
)
945 TDB_CONTEXT
*tdb_sc
= NULL
;
948 char *keystr
= talloc_asprintf(mem_ctx
, "%s/%s", SECRETS_SCHANNEL_STATE
,
956 /* Work out how large the record is. */
957 value
.dsize
= tdb_pack(NULL
, 0, "dBBBBBfff",
959 8, pdc
->seed_chal
.data
,
960 8, pdc
->clnt_chal
.data
,
961 8, pdc
->srv_chal
.data
,
968 value
.dptr
= TALLOC(mem_ctx
, value
.dsize
);
974 value
.dsize
= tdb_pack(value
.dptr
, value
.dsize
, "dBBBBBfff",
976 8, pdc
->seed_chal
.data
,
977 8, pdc
->clnt_chal
.data
,
978 8, pdc
->srv_chal
.data
,
985 tdb_sc
= open_schannel_session_store(mem_ctx
);
988 TALLOC_FREE(value
.dptr
);
992 ret
= (tdb_store_bystring(tdb_sc
, keystr
, value
, TDB_REPLACE
) == 0 ? True
: False
);
994 DEBUG(3,("secrets_store_schannel_session_info: stored schannel info with key %s\n",
999 TALLOC_FREE(value
.dptr
);
1003 /******************************************************************************
1004 Restore the schannel state on a client reconnect.
1005 Note we must be root here.
1006 *******************************************************************************/
1008 BOOL
secrets_restore_schannel_session_info(TALLOC_CTX
*mem_ctx
,
1009 const char *remote_machine
,
1010 struct dcinfo
**ppdc
)
1012 TDB_CONTEXT
*tdb_sc
= NULL
;
1014 unsigned char *pseed_chal
= NULL
;
1015 unsigned char *pclnt_chal
= NULL
;
1016 unsigned char *psrv_chal
= NULL
;
1017 unsigned char *psess_key
= NULL
;
1018 unsigned char *pmach_pw
= NULL
;
1019 uint32 l1
, l2
, l3
, l4
, l5
;
1021 struct dcinfo
*pdc
= NULL
;
1022 char *keystr
= talloc_asprintf(mem_ctx
, "%s/%s", SECRETS_SCHANNEL_STATE
,
1033 tdb_sc
= open_schannel_session_store(mem_ctx
);
1035 TALLOC_FREE(keystr
);
1039 value
= tdb_fetch_bystring(tdb_sc
, keystr
);
1041 DEBUG(0,("secrets_restore_schannel_session_info: Failed to find entry with key %s\n",
1047 pdc
= TALLOC_ZERO_P(mem_ctx
, struct dcinfo
);
1049 /* Retrieve the record. */
1050 ret
= tdb_unpack(value
.dptr
, value
.dsize
, "dBBBBBfff",
1058 &pdc
->remote_machine
,
1061 if (ret
== -1 || l1
!= 8 || l2
!= 8 || l3
!= 8 || l4
!= 16 || l5
!= 16) {
1062 /* Bad record - delete it. */
1063 tdb_delete_bystring(tdb_sc
, keystr
);
1065 TALLOC_FREE(keystr
);
1067 SAFE_FREE(pseed_chal
);
1068 SAFE_FREE(pclnt_chal
);
1069 SAFE_FREE(psrv_chal
);
1070 SAFE_FREE(psess_key
);
1071 SAFE_FREE(pmach_pw
);
1072 SAFE_FREE(value
.dptr
);
1078 memcpy(pdc
->seed_chal
.data
, pseed_chal
, 8);
1079 memcpy(pdc
->clnt_chal
.data
, pclnt_chal
, 8);
1080 memcpy(pdc
->srv_chal
.data
, psrv_chal
, 8);
1081 memcpy(pdc
->sess_key
, psess_key
, 16);
1082 memcpy(pdc
->mach_pw
, pmach_pw
, 16);
1084 /* We know these are true so didn't bother to store them. */
1085 pdc
->challenge_sent
= True
;
1086 pdc
->authenticated
= True
;
1088 DEBUG(3,("secrets_restore_schannel_session_info: restored schannel info key %s\n",
1091 SAFE_FREE(pseed_chal
);
1092 SAFE_FREE(pclnt_chal
);
1093 SAFE_FREE(psrv_chal
);
1094 SAFE_FREE(psess_key
);
1095 SAFE_FREE(pmach_pw
);
1097 TALLOC_FREE(keystr
);
1098 SAFE_FREE(value
.dptr
);