2 * Unix SMB/CIFS implementation.
3 * Routines to operate on various trust relationships
4 * Copyright (C) Andrew Bartlett 2001
5 * Copyright (C) Rafal Szczesniak 2003
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "../libcli/auth/libcli_auth.h"
23 #include "../librpc/gen_ndr/cli_lsa.h"
24 #include "rpc_client/cli_lsarpc.h"
25 #include "rpc_client/cli_netlogon.h"
26 #include "../librpc/gen_ndr/ndr_netlogon.h"
28 /*********************************************************
29 Change the domain password on the PDC.
30 Store the password ourselves, but use the supplied password
31 Caller must have already setup the connection to the NETLOGON pipe
32 **********************************************************/
34 NTSTATUS
trust_pw_change_and_store_it(struct rpc_pipe_client
*cli
, TALLOC_CTX
*mem_ctx
,
36 const char *account_name
,
37 unsigned char orig_trust_passwd_hash
[16],
38 enum netr_SchannelType sec_channel_type
)
40 unsigned char new_trust_passwd_hash
[16];
41 char *new_trust_passwd
;
44 switch (sec_channel_type
) {
49 return NT_STATUS_NOT_SUPPORTED
;
52 /* Create a random machine account password */
53 new_trust_passwd
= generate_random_str(mem_ctx
, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH
);
55 if (new_trust_passwd
== NULL
) {
56 DEBUG(0, ("talloc_strdup failed\n"));
57 return NT_STATUS_NO_MEMORY
;
60 E_md4hash(new_trust_passwd
, new_trust_passwd_hash
);
62 nt_status
= rpccli_netlogon_set_trust_password(cli
, mem_ctx
,
64 orig_trust_passwd_hash
,
66 new_trust_passwd_hash
,
69 if (NT_STATUS_IS_OK(nt_status
)) {
70 DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
71 current_timestring(talloc_tos(), False
)));
73 * Return the result of trying to write the new password
74 * back into the trust account file.
77 switch (sec_channel_type
) {
80 if (!secrets_store_machine_password(new_trust_passwd
, domain
, sec_channel_type
)) {
81 nt_status
= NT_STATUS_UNSUCCESSFUL
;
85 case SEC_CHAN_DOMAIN
: {
88 time_t pass_last_set_time
;
90 /* we need to get the sid first for the
91 * pdb_set_trusteddom_pw call */
93 if (!pdb_get_trusteddom_pw(domain
, &pwd
, &sid
, &pass_last_set_time
)) {
94 nt_status
= NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
;
96 if (!pdb_set_trusteddom_pw(domain
, new_trust_passwd
, &sid
)) {
97 nt_status
= NT_STATUS_INTERNAL_DB_CORRUPTION
;
109 /*********************************************************
110 Change the domain password on the PDC.
111 Do most of the legwork ourselfs. Caller must have
112 already setup the connection to the NETLOGON pipe
113 **********************************************************/
115 NTSTATUS
trust_pw_find_change_and_store_it(struct rpc_pipe_client
*cli
,
119 unsigned char old_trust_passwd_hash
[16];
120 enum netr_SchannelType sec_channel_type
= SEC_CHAN_NULL
;
121 const char *account_name
;
123 if (!get_trust_pw_hash(domain
, old_trust_passwd_hash
, &account_name
,
124 &sec_channel_type
)) {
125 DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain
));
126 return NT_STATUS_UNSUCCESSFUL
;
129 return trust_pw_change_and_store_it(cli
, mem_ctx
, domain
,
131 old_trust_passwd_hash
,
135 /*********************************************************************
136 Enumerate the list of trusted domains from a DC
137 *********************************************************************/
139 bool enumerate_domain_trusts( TALLOC_CTX
*mem_ctx
, const char *domain
,
140 char ***domain_names
, uint32
*num_domains
,
141 struct dom_sid
**sids
)
143 struct policy_handle pol
;
144 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
146 struct sockaddr_storage dc_ss
;
148 struct cli_state
*cli
= NULL
;
149 struct rpc_pipe_client
*lsa_pipe
= NULL
;
151 struct lsa_DomainList dom_list
;
154 *domain_names
= NULL
;
158 /* lookup a DC first */
160 if ( !get_dc_name(domain
, NULL
, dc_name
, &dc_ss
) ) {
161 DEBUG(3,("enumerate_domain_trusts: can't locate a DC for domain %s\n",
166 /* setup the anonymous connection */
168 result
= cli_full_connection( &cli
, global_myname(), dc_name
, &dc_ss
, 0, "IPC$", "IPC",
169 "", "", "", 0, Undefined
, &retry
);
170 if ( !NT_STATUS_IS_OK(result
) )
173 /* open the LSARPC_PIPE */
175 result
= cli_rpc_pipe_open_noauth(cli
, &ndr_table_lsarpc
.syntax_id
,
177 if (!NT_STATUS_IS_OK(result
)) {
183 result
= rpccli_lsa_open_policy(lsa_pipe
, mem_ctx
, True
,
184 LSA_POLICY_VIEW_LOCAL_INFORMATION
, &pol
);
185 if ( !NT_STATUS_IS_OK(result
) )
188 /* Lookup list of trusted domains */
190 result
= rpccli_lsa_EnumTrustDom(lsa_pipe
, mem_ctx
,
195 if ( !NT_STATUS_IS_OK(result
) )
198 *num_domains
= dom_list
.count
;
200 *domain_names
= TALLOC_ZERO_ARRAY(mem_ctx
, char *, *num_domains
);
201 if (!*domain_names
) {
202 result
= NT_STATUS_NO_MEMORY
;
206 *sids
= TALLOC_ZERO_ARRAY(mem_ctx
, struct dom_sid
, *num_domains
);
208 result
= NT_STATUS_NO_MEMORY
;
212 for (i
=0; i
< *num_domains
; i
++) {
213 (*domain_names
)[i
] = CONST_DISCARD(char *, dom_list
.domains
[i
].name
.string
);
214 (*sids
)[i
] = *dom_list
.domains
[i
].sid
;
220 DEBUG(10,("enumerate_domain_trusts: shutting down connection...\n"));
224 return NT_STATUS_IS_OK(result
);
227 NTSTATUS
change_trust_account_password( const char *domain
, const char *remote_machine
)
229 NTSTATUS nt_status
= NT_STATUS_UNSUCCESSFUL
;
230 struct sockaddr_storage pdc_ss
;
232 struct cli_state
*cli
= NULL
;
233 struct rpc_pipe_client
*netlogon_pipe
= NULL
;
235 DEBUG(5,("change_trust_account_password: Attempting to change trust account password in domain %s....\n",
238 if (remote_machine
== NULL
|| !strcmp(remote_machine
, "*")) {
239 /* Use the PDC *only* for this */
241 if ( !get_pdc_ip(domain
, &pdc_ss
) ) {
242 DEBUG(0,("Can't get IP for PDC for domain %s\n", domain
));
246 if ( !name_status_find( domain
, 0x1b, 0x20, &pdc_ss
, dc_name
) )
249 /* supoport old deprecated "smbpasswd -j DOMAIN -r MACHINE" behavior */
250 fstrcpy( dc_name
, remote_machine
);
253 /* if this next call fails, then give up. We can't do
254 password changes on BDC's --jerry */
256 if (!NT_STATUS_IS_OK(cli_full_connection(&cli
, global_myname(), dc_name
,
260 "", 0, Undefined
, NULL
))) {
261 DEBUG(0,("modify_trust_password: Connection to %s failed!\n", dc_name
));
262 nt_status
= NT_STATUS_UNSUCCESSFUL
;
267 * Ok - we have an anonymous connection to the IPC$ share.
268 * Now start the NT Domain stuff :-).
271 /* Shouldn't we open this with schannel ? JRA. */
273 nt_status
= cli_rpc_pipe_open_noauth(
274 cli
, &ndr_table_netlogon
.syntax_id
, &netlogon_pipe
);
275 if (!NT_STATUS_IS_OK(nt_status
)) {
276 DEBUG(0,("modify_trust_password: unable to open the domain client session to machine %s. Error was : %s.\n",
277 dc_name
, nt_errstr(nt_status
)));
283 nt_status
= trust_pw_find_change_and_store_it(
284 netlogon_pipe
, netlogon_pipe
, domain
);
290 if (!NT_STATUS_IS_OK(nt_status
)) {
291 DEBUG(0,("%s : change_trust_account_password: Failed to change password for domain %s.\n",
292 current_timestring(talloc_tos(), False
), domain
));
295 DEBUG(5,("change_trust_account_password: sucess!\n"));