source3/libsmb/trusts_util.c

   1 /*
   2  *  Unix SMB/CIFS implementation.
   3  *  Routines to operate on various trust relationships
   4  *  Copyright (C) Andrew Bartlett                   2001
   5  *  Copyright (C) Rafal Szczesniak                  2003
   6  *
   7  *  This program is free software; you can redistribute it and/or modify
   8  *  it under the terms of the GNU General Public License as published by
   9  *  the Free Software Foundation; either version 3 of the License, or
  10  *  (at your option) any later version.
  11  *
  12  *  This program is distributed in the hope that it will be useful,
  13  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  14  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15  *  GNU General Public License for more details.
  16  *
  17  *  You should have received a copy of the GNU General Public License
  18  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
  19  */
  20
  21 #include "includes.h"
  22 #include "../libcli/auth/libcli_auth.h"
  23 #include "../libcli/auth/netlogon_creds_cli.h"
  24 #include "rpc_client/cli_netlogon.h"
  25 #include "rpc_client/cli_pipe.h"
  26 #include "../librpc/gen_ndr/ndr_netlogon.h"
  27 #include "secrets.h"
  28 #include "passdb.h"
  29 #include "libsmb/libsmb.h"
  30 #include "source3/include/messages.h"
  31 #include "source3/include/g_lock.h"
  32
  33 /*********************************************************
  34  Change the domain password on the PDC.
  35  Do most of the legwork ourselfs.  Caller must have
  36  already setup the connection to the NETLOGON pipe
  37 **********************************************************/
  38
  39 struct trust_pw_change_state {
  40         struct g_lock_ctx *g_ctx;
  41         char *g_lock_key;
  42 };
  43
  44 static int trust_pw_change_state_destructor(struct trust_pw_change_state *state)
  45 {
  46         g_lock_unlock(state->g_ctx, state->g_lock_key);
  47         return 0;
  48 }
  49
  50 char *trust_pw_new_value(TALLOC_CTX *mem_ctx,
  51                          enum netr_SchannelType sec_channel_type,
  52                          int security)
  53 {
  54         /*
  55          * use secure defaults.
  56          */
  57         size_t min = 128;
  58         size_t max = 255;
  59
  60         switch (sec_channel_type) {
  61         case SEC_CHAN_WKSTA:
  62         case SEC_CHAN_BDC:
  63                 if (security == SEC_DOMAIN) {
  64                         /*
  65                          * The maximum length of a trust account password.
  66                          * Used when we randomly create it, 15 char passwords
  67                          * exceed NT4's max password length.
  68                          */
  69                         min = 14;
  70                         max = 14;
  71                 }
  72                 break;
  73         case SEC_CHAN_DNS_DOMAIN:
  74                 /*
  75                  * new_len * 2 = 498 bytes is the largest possible length
  76                  * NL_PASSWORD_VERSION consumes the rest of the possible 512 bytes
  77                  * and a confounder with at least 2 bytes is required.
  78                  *
  79                  * Windows uses new_len = 120 => 240 bytes (utf16)
  80                  */
  81                 min = 120;
  82                 max = 120;
  83                 break;
  84                 /* fall through */
  85         case SEC_CHAN_DOMAIN:
  86                 /*
  87                  * The maximum length of a trust account password.
  88                  * Used when we randomly create it, 15 char passwords
  89                  * exceed NT4's max password length.
  90                  */
  91                 min = 14;
  92                 max = 14;
  93                 break;
  94         default:
  95                 break;
  96         }
  97
  98         /*
  99          * Create a random machine account password
 100          * We create a random buffer and convert that to utf8.
 101          * This is similar to what windows is doing.
 102          */
 103         return generate_random_machine_password(mem_ctx, min, max);
 104 }
 105
 106 NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
 107                          struct messaging_context *msg_ctx,
 108                          struct dcerpc_binding_handle *b,
 109                          const char *domain,
 110                          bool force)
 111 {
 112         TALLOC_CTX *frame = talloc_stackframe();
 113         const char *context_name = NULL;
 114         struct trust_pw_change_state *state;
 115         struct cli_credentials *creds = NULL;
 116         const struct samr_Password *current_nt_hash = NULL;
 117         const struct samr_Password *previous_nt_hash = NULL;
 118         enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
 119         time_t pass_last_set_time;
 120         uint32_t old_version = 0;
 121         struct pdb_trusted_domain *td = NULL;
 122         struct timeval g_timeout = { 0, };
 123         int timeout = 0;
 124         struct timeval tv = { 0, };
 125         char *new_trust_passwd = NULL;
 126         uint32_t new_version = 0;
 127         uint32_t *new_trust_version = NULL;
 128         NTSTATUS status;
 129         bool ok;
 130
 131         state = talloc_zero(frame, struct trust_pw_change_state);
 132         if (state == NULL) {
 133                 TALLOC_FREE(frame);
 134                 return NT_STATUS_NO_MEMORY;
 135         }
 136
 137         state->g_ctx = g_lock_ctx_init(state, msg_ctx);
 138         if (state->g_ctx == NULL) {
 139                 TALLOC_FREE(frame);
 140                 return NT_STATUS_NO_MEMORY;
 141         }
 142
 143         state->g_lock_key = talloc_asprintf(state,
 144                                 "trust_password_change_%s",
 145                                 domain);
 146         if (state->g_lock_key == NULL) {
 147                 TALLOC_FREE(frame);
 148                 return NT_STATUS_NO_MEMORY;
 149         }
 150
 151         g_timeout = timeval_current_ofs(10, 0);
 152         status = g_lock_lock(state->g_ctx,
 153                              state->g_lock_key,
 154                              G_LOCK_WRITE, g_timeout);
 155         if (!NT_STATUS_IS_OK(status)) {
 156                 DEBUG(1, ("could not get g_lock on [%s]!\n",
 157                           state->g_lock_key));
 158                 TALLOC_FREE(frame);
 159                 return status;
 160         }
 161
 162         talloc_set_destructor(state, trust_pw_change_state_destructor);
 163
 164         status = pdb_get_trust_credentials(domain, NULL, frame, &creds);
 165         if (!NT_STATUS_IS_OK(status)) {
 166                 DEBUG(0, ("could not fetch domain creds for domain %s - %s!\n",
 167                           domain, nt_errstr(status)));
 168                 TALLOC_FREE(frame);
 169                 return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
 170         }
 171
 172         current_nt_hash = cli_credentials_get_nt_hash(creds, frame);
 173         if (current_nt_hash == NULL) {
 174                 DEBUG(0, ("cli_credentials_get_nt_hash failed for domain %s!\n",
 175                           domain));
 176                 TALLOC_FREE(frame);
 177                 return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
 178         }
 179
 180         old_version = cli_credentials_get_kvno(creds);
 181         pass_last_set_time = cli_credentials_get_password_last_changed_time(creds);
 182         sec_channel_type = cli_credentials_get_secure_channel_type(creds);
 183
 184         new_version = old_version + 1;
 185
 186         switch (sec_channel_type) {
 187         case SEC_CHAN_WKSTA:
 188         case SEC_CHAN_BDC:
 189                 break;
 190         case SEC_CHAN_DNS_DOMAIN:
 191         case SEC_CHAN_DOMAIN:
 192                 status = pdb_get_trusted_domain(frame, domain, &td);
 193                 if (!NT_STATUS_IS_OK(status)) {
 194                         DEBUG(0, ("pdb_get_trusted_domain() failed for domain %s - %s!\n",
 195                                   domain, nt_errstr(status)));
 196                         TALLOC_FREE(frame);
 197                         return status;
 198                 }
 199
 200                 new_trust_version = &new_version;
 201                 break;
 202         default:
 203                 TALLOC_FREE(frame);
 204                 return NT_STATUS_NOT_SUPPORTED;
 205         }
 206
 207         timeout = lp_machine_password_timeout();
 208         if (timeout == 0) {
 209                 if (!force) {
 210                         DEBUG(10,("machine password never expires\n"));
 211                         TALLOC_FREE(frame);
 212                         return NT_STATUS_OK;
 213                 }
 214         }
 215
 216         tv.tv_sec = pass_last_set_time;
 217         DEBUG(10, ("password last changed %s\n",
 218                    timeval_string(talloc_tos(), &tv, false)));
 219         tv.tv_sec += timeout;
 220         DEBUGADD(10, ("password valid until %s\n",
 221                       timeval_string(talloc_tos(), &tv, false)));
 222
 223         if (!force && !timeval_expired(&tv)) {
 224                 TALLOC_FREE(frame);
 225                 return NT_STATUS_OK;
 226         }
 227
 228         context_name = netlogon_creds_cli_debug_string(context, talloc_tos());
 229         if (context_name == NULL) {
 230                 TALLOC_FREE(frame);
 231                 return NT_STATUS_NO_MEMORY;
 232         }
 233
 234         /*
 235          * Create a random machine account password
 236          * We create a random buffer and convert that to utf8.
 237          * This is similar to what windows is doing.
 238          */
 239         new_trust_passwd = trust_pw_new_value(frame, sec_channel_type,
 240                                               lp_security());
 241         if (new_trust_passwd == NULL) {
 242                 DEBUG(0, ("trust_pw_new_value() failed\n"));
 243                 TALLOC_FREE(frame);
 244                 return NT_STATUS_NO_MEMORY;
 245         }
 246
 247         /*
 248          * We could use cli_credentials_get_old_nt_hash(creds, frame) to
 249          * set previous_nt_hash.
 250          *
 251          * But we want to check if the dc has our current password and only do
 252          * a change if that's the case. So we keep previous_nt_hash = NULL.
 253          *
 254          * TODO:
 255          * If the previous password is the only password in common with the dc,
 256          * we better skip the password change, or use something like
 257          * ServerTrustPasswordsGet() or netr_ServerGetTrustInfo() to fix our
 258          * local secrets before doing the change.
 259          */
 260         status = netlogon_creds_cli_auth(context, b,
 261                                          *current_nt_hash,
 262                                          previous_nt_hash);
 263         if (!NT_STATUS_IS_OK(status)) {
 264                 DEBUG(0, ("netlogon_creds_cli_auth(%s) failed for old password - %s!\n",
 265                           context_name, nt_errstr(status)));
 266                 TALLOC_FREE(frame);
 267                 return status;
 268         }
 269
 270         DEBUG(0,("%s : %s(%s): Verified old password remotely using %s\n",
 271                  current_timestring(talloc_tos(), false),
 272                  __func__, domain, context_name));
 273
 274         /*
 275          * Return the result of trying to write the new password
 276          * back into the trust account file.
 277          */
 278
 279         switch (sec_channel_type) {
 280
 281         case SEC_CHAN_WKSTA:
 282         case SEC_CHAN_BDC:
 283                 ok = secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type);
 284                 if (!ok) {
 285                         DEBUG(0, ("secrets_store_machine_password failed for domain %s!\n",
 286                                   domain));
 287                         TALLOC_FREE(frame);
 288                         return NT_STATUS_INTERNAL_DB_CORRUPTION;
 289                 }
 290                 break;
 291
 292         case SEC_CHAN_DNS_DOMAIN:
 293         case SEC_CHAN_DOMAIN:
 294                 /*
 295                  * we need to get the sid first for the
 296                  * pdb_set_trusteddom_pw call
 297                  */
 298                 ok = pdb_set_trusteddom_pw(domain, new_trust_passwd,
 299                                            &td->security_identifier);
 300                 if (!ok) {
 301                         DEBUG(0, ("pdb_set_trusteddom_pw() failed for domain %s!\n",
 302                                   domain));
 303                         TALLOC_FREE(frame);
 304                         return NT_STATUS_INTERNAL_DB_CORRUPTION;
 305                 }
 306                 break;
 307
 308         default:
 309                 smb_panic("Unsupported secure channel type");
 310                 break;
 311         }
 312
 313         DEBUG(0,("%s : %s(%s): Changed password locally\n",
 314                  current_timestring(talloc_tos(), false), __func__, domain));
 315
 316         status = netlogon_creds_cli_ServerPasswordSet(context, b,
 317                                                       new_trust_passwd,
 318                                                       new_trust_version);
 319         if (!NT_STATUS_IS_OK(status)) {
 320                 DEBUG(0,("%s : %s(%s) remote password change set with %s failed - %s\n",
 321                          current_timestring(talloc_tos(), false),
 322                          __func__, domain, context_name,
 323                          nt_errstr(status)));
 324                 TALLOC_FREE(frame);
 325                 return status;
 326         }
 327
 328         DEBUG(0,("%s : %s(%s): Changed password remotely using %s\n",
 329                  current_timestring(talloc_tos(), false),
 330                  __func__, domain, context_name));
 331
 332         ok = cli_credentials_set_password(creds, new_trust_passwd, CRED_SPECIFIED);
 333         if (!ok) {
 334                 DEBUG(0, ("cli_credentials_set_password failed for domain %s!\n",
 335                           domain));
 336                 TALLOC_FREE(frame);
 337                 return NT_STATUS_NO_MEMORY;
 338         }
 339
 340         current_nt_hash = cli_credentials_get_nt_hash(creds, frame);
 341         if (current_nt_hash == NULL) {
 342                 DEBUG(0, ("cli_credentials_get_nt_hash failed for domain %s!\n",
 343                           domain));
 344                 TALLOC_FREE(frame);
 345                 return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
 346         }
 347
 348         /*
 349          * Now we verify the new password.
 350          */
 351         status = netlogon_creds_cli_auth(context, b,
 352                                          *current_nt_hash,
 353                                          NULL); /* previous_nt_hash */
 354         if (!NT_STATUS_IS_OK(status)) {
 355                 DEBUG(0, ("netlogon_creds_cli_auth(%s) failed for new password - %s!\n",
 356                           context_name, nt_errstr(status)));
 357                 TALLOC_FREE(frame);
 358                 return status;
 359         }
 360
 361         DEBUG(0,("%s : %s(%s): Verified new password remotely using %s\n",
 362                  current_timestring(talloc_tos(), false),
 363                  __func__, domain, context_name));
 364
 365         TALLOC_FREE(frame);
 366         return NT_STATUS_OK;
 367 }