source3/libads/kerberos_util.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    krb5 set password implementation
   4    Copyright (C) Andrew Tridgell 2001
   5    Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 3 of the License, or
  10    (at your option) any later version.
  11
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16
  17    You should have received a copy of the GNU General Public License
  18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 */
  20
  21 #include "includes.h"
  22 #include "smb_krb5.h"
  23 #include "ads.h"
  24
  25 #ifdef HAVE_KRB5
  26
  27 /**
  28  * Set the machine account password
  29  * @param ads connection to ads server
  30  * @param hostname machine whose password is being set
  31  * @param password new password
  32  * @return status of password change
  33  **/
  34 ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads,
  35                                     const char *machine_account,
  36                                     const char *password)
  37 {
  38         ADS_STATUS status;
  39         char *principal = NULL;
  40
  41         /*
  42           we need to use the '$' form of the name here (the machine account name),
  43           as otherwise the server might end up setting the password for a user
  44           instead
  45          */
  46         if (asprintf(&principal, "%s@%s", machine_account, ads->config.realm) < 0) {
  47                 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
  48         }
  49
  50         status = ads_krb5_set_password(ads->auth.kdc_server, principal,
  51                                        password, ads->auth.time_offset);
  52
  53         SAFE_FREE(principal);
  54         return status;
  55 }
  56
  57 /* run kinit to setup our ccache */
  58 int ads_kinit_password(ADS_STRUCT *ads)
  59 {
  60         char *s;
  61         int ret;
  62         const char *account_name;
  63         fstring acct_name;
  64
  65         if (ads->auth.flags & ADS_AUTH_USER_CREDS) {
  66                 account_name = ads->auth.user_name;
  67                 goto got_accountname;
  68         }
  69
  70         if ( IS_DC ) {
  71                 /* this will end up getting a ticket for DOMAIN@RUSTED.REA.LM */
  72                 account_name = lp_workgroup();
  73         } else {
  74                 /* always use the sAMAccountName for security = domain */
  75                 /* lp_netbios_name()$@REA.LM */
  76                 if ( lp_security() == SEC_DOMAIN ) {
  77                         fstr_sprintf( acct_name, "%s$", lp_netbios_name() );
  78                         account_name = acct_name;
  79                 }
  80                 else
  81                         /* This looks like host/lp_netbios_name()@REA.LM */
  82                         account_name = ads->auth.user_name;
  83         }
  84
  85  got_accountname:
  86         if (asprintf(&s, "%s@%s", account_name, ads->auth.realm) == -1) {
  87                 return KRB5_CC_NOMEM;
  88         }
  89
  90         if (!ads->auth.password) {
  91                 SAFE_FREE(s);
  92                 return KRB5_LIBOS_CANTREADPWD;
  93         }
  94
  95         ret = kerberos_kinit_password_ext(s, ads->auth.password, ads->auth.time_offset,
  96                         &ads->auth.tgt_expire, NULL, NULL, False, False, ads->auth.renewable,
  97                         NULL);
  98
  99         if (ret) {
 100                 DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
 101                          s, error_message(ret)));
 102         }
 103         SAFE_FREE(s);
 104         return ret;
 105 }
 106
 107 #endif