source/libsmb/trust_passwd.c

   1 /*
   2  *  Unix SMB/CIFS implementation.
   3  *  Routines to change trust account passwords.
   4  *  Copyright (C) Andrew Bartlett                   2001.
   5  *
   6  *  This program is free software; you can redistribute it and/or modify
   7  *  it under the terms of the GNU General Public License as published by
   8  *  the Free Software Foundation; either version 2 of the License, or
   9  *  (at your option) any later version.
  10  *
  11  *  This program is distributed in the hope that it will be useful,
  12  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14  *  GNU General Public License for more details.
  15  *
  16  *  You should have received a copy of the GNU General Public License
  17  *  along with this program; if not, write to the Free Software
  18  *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  19  */
  20
  21 #include "includes.h"
  22
  23 extern pstring global_myname;
  24
  25 /*********************************************************
  26  Change the domain password on the PDC.
  27
  28  Just changes the password betwen the two values specified.
  29
  30  Caller must have the cli connected to the netlogon pipe
  31  already.
  32 **********************************************************/
  33 static NTSTATUS just_change_the_password(struct cli_state *cli, TALLOC_CTX *mem_ctx,
  34                                          unsigned char orig_trust_passwd_hash[16],
  35                                          unsigned char new_trust_passwd_hash[16])
  36 {
  37         NTSTATUS result;
  38         result = cli_nt_setup_creds(cli, (lp_server_role() == ROLE_DOMAIN_MEMBER) ?
  39                                    SEC_CHAN_WKSTA : SEC_CHAN_BDC, orig_trust_passwd_hash);
  40
  41         if (!NT_STATUS_IS_OK(result)) {
  42                 DEBUG(1,("just_change_the_password: unable to setup creds (%s)!\n",
  43                          nt_errstr(result)));
  44                 return result;
  45         }
  46
  47         result = cli_net_srv_pwset(cli, mem_ctx, global_myname, new_trust_passwd_hash);
  48
  49         if (!NT_STATUS_IS_OK(result)) {
  50                 DEBUG(0,("just_change_the_password: unable to change password (%s)!\n",
  51                          nt_errstr(result)));
  52         }
  53         return result;
  54 }
  55
  56 /*********************************************************
  57  Change the domain password on the PDC.
  58  Store the password ourselves, but use the supplied password
  59  Caller must have already setup the connection to the NETLOGON pipe
  60 **********************************************************/
  61
  62 NTSTATUS trust_pw_change_and_store_it(struct cli_state *cli, TALLOC_CTX *mem_ctx,
  63                                       unsigned char orig_trust_passwd_hash[16])
  64 {
  65         unsigned char new_trust_passwd_hash[16];
  66         char *new_trust_passwd;
  67         char *str;
  68         NTSTATUS nt_status;
  69
  70         /* Create a random machine account password */
  71         str = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
  72         new_trust_passwd = talloc_strdup(mem_ctx, str);
  73
  74         E_md4hash(new_trust_passwd, new_trust_passwd_hash);
  75
  76         nt_status = just_change_the_password(cli, mem_ctx, orig_trust_passwd_hash,
  77                                              new_trust_passwd_hash);
  78
  79         if (NT_STATUS_IS_OK(nt_status)) {
  80                 DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
  81                          timestring(False)));
  82                 /*
  83                  * Return the result of trying to write the new password
  84                  * back into the trust account file.
  85                  */
  86                 if (!secrets_store_machine_password(new_trust_passwd)) {
  87                         nt_status = NT_STATUS_UNSUCCESSFUL;
  88                 }
  89         }
  90
  91         return nt_status;
  92 }
  93
  94 /*********************************************************
  95  Change the domain password on the PDC.
  96  Do most of the legwork ourselfs.  Caller must have
  97  already setup the connection to the NETLOGON pipe
  98 **********************************************************/
  99
 100 NTSTATUS trust_pw_find_change_and_store_it(struct cli_state *cli, TALLOC_CTX *mem_ctx,
 101                                            char *domain)
 102 {
 103         unsigned char old_trust_passwd_hash[16];
 104         char *up_domain;
 105
 106         up_domain = talloc_strdup(mem_ctx, domain);
 107
 108         if (!secrets_fetch_trust_account_password(domain,
 109                                                   old_trust_passwd_hash,
 110                                                   NULL)) {
 111                 DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
 112                 return NT_STATUS_UNSUCCESSFUL;
 113         }
 114
 115         return trust_pw_change_and_store_it(cli, mem_ctx, old_trust_passwd_hash);
 116
 117 }