2 * Unix SMB/CIFS implementation.
3 * Routines to operate on various trust relationships
4 * Copyright (C) Andrew Bartlett 2001
5 * Copyright (C) Rafal Szczesniak 2003
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "../libcli/auth/libcli_auth.h"
23 #include "../librpc/gen_ndr/cli_lsa.h"
24 #include "rpc_client/cli_lsarpc.h"
25 #include "rpc_client/cli_netlogon.h"
27 /*********************************************************
28 Change the domain password on the PDC.
29 Store the password ourselves, but use the supplied password
30 Caller must have already setup the connection to the NETLOGON pipe
31 **********************************************************/
33 NTSTATUS
trust_pw_change_and_store_it(struct rpc_pipe_client
*cli
, TALLOC_CTX
*mem_ctx
,
35 const char *account_name
,
36 unsigned char orig_trust_passwd_hash
[16],
37 enum netr_SchannelType sec_channel_type
)
39 unsigned char new_trust_passwd_hash
[16];
40 char *new_trust_passwd
;
43 switch (sec_channel_type
) {
48 return NT_STATUS_NOT_SUPPORTED
;
51 /* Create a random machine account password */
52 new_trust_passwd
= generate_random_str(mem_ctx
, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH
);
54 if (new_trust_passwd
== NULL
) {
55 DEBUG(0, ("talloc_strdup failed\n"));
56 return NT_STATUS_NO_MEMORY
;
59 E_md4hash(new_trust_passwd
, new_trust_passwd_hash
);
61 nt_status
= rpccli_netlogon_set_trust_password(cli
, mem_ctx
,
63 orig_trust_passwd_hash
,
65 new_trust_passwd_hash
,
68 if (NT_STATUS_IS_OK(nt_status
)) {
69 DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
70 current_timestring(talloc_tos(), False
)));
72 * Return the result of trying to write the new password
73 * back into the trust account file.
76 switch (sec_channel_type
) {
79 if (!secrets_store_machine_password(new_trust_passwd
, domain
, sec_channel_type
)) {
80 nt_status
= NT_STATUS_UNSUCCESSFUL
;
84 case SEC_CHAN_DOMAIN
: {
87 time_t pass_last_set_time
;
89 /* we need to get the sid first for the
90 * pdb_set_trusteddom_pw call */
92 if (!pdb_get_trusteddom_pw(domain
, &pwd
, &sid
, &pass_last_set_time
)) {
93 nt_status
= NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
;
95 if (!pdb_set_trusteddom_pw(domain
, new_trust_passwd
, &sid
)) {
96 nt_status
= NT_STATUS_INTERNAL_DB_CORRUPTION
;
108 /*********************************************************
109 Change the domain password on the PDC.
110 Do most of the legwork ourselfs. Caller must have
111 already setup the connection to the NETLOGON pipe
112 **********************************************************/
114 NTSTATUS
trust_pw_find_change_and_store_it(struct rpc_pipe_client
*cli
,
118 unsigned char old_trust_passwd_hash
[16];
119 enum netr_SchannelType sec_channel_type
= SEC_CHAN_NULL
;
120 const char *account_name
;
122 if (!get_trust_pw_hash(domain
, old_trust_passwd_hash
, &account_name
,
123 &sec_channel_type
)) {
124 DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain
));
125 return NT_STATUS_UNSUCCESSFUL
;
128 return trust_pw_change_and_store_it(cli
, mem_ctx
, domain
,
130 old_trust_passwd_hash
,
134 /*********************************************************************
135 Enumerate the list of trusted domains from a DC
136 *********************************************************************/
138 bool enumerate_domain_trusts( TALLOC_CTX
*mem_ctx
, const char *domain
,
139 char ***domain_names
, uint32
*num_domains
,
142 struct policy_handle pol
;
143 NTSTATUS result
= NT_STATUS_UNSUCCESSFUL
;
145 struct sockaddr_storage dc_ss
;
147 struct cli_state
*cli
= NULL
;
148 struct rpc_pipe_client
*lsa_pipe
= NULL
;
150 struct lsa_DomainList dom_list
;
153 *domain_names
= NULL
;
157 /* lookup a DC first */
159 if ( !get_dc_name(domain
, NULL
, dc_name
, &dc_ss
) ) {
160 DEBUG(3,("enumerate_domain_trusts: can't locate a DC for domain %s\n",
165 /* setup the anonymous connection */
167 result
= cli_full_connection( &cli
, global_myname(), dc_name
, &dc_ss
, 0, "IPC$", "IPC",
168 "", "", "", 0, Undefined
, &retry
);
169 if ( !NT_STATUS_IS_OK(result
) )
172 /* open the LSARPC_PIPE */
174 result
= cli_rpc_pipe_open_noauth(cli
, &ndr_table_lsarpc
.syntax_id
,
176 if (!NT_STATUS_IS_OK(result
)) {
182 result
= rpccli_lsa_open_policy(lsa_pipe
, mem_ctx
, True
,
183 LSA_POLICY_VIEW_LOCAL_INFORMATION
, &pol
);
184 if ( !NT_STATUS_IS_OK(result
) )
187 /* Lookup list of trusted domains */
189 result
= rpccli_lsa_EnumTrustDom(lsa_pipe
, mem_ctx
,
194 if ( !NT_STATUS_IS_OK(result
) )
197 *num_domains
= dom_list
.count
;
199 *domain_names
= TALLOC_ZERO_ARRAY(mem_ctx
, char *, *num_domains
);
200 if (!*domain_names
) {
201 result
= NT_STATUS_NO_MEMORY
;
205 *sids
= TALLOC_ZERO_ARRAY(mem_ctx
, DOM_SID
, *num_domains
);
207 result
= NT_STATUS_NO_MEMORY
;
211 for (i
=0; i
< *num_domains
; i
++) {
212 (*domain_names
)[i
] = CONST_DISCARD(char *, dom_list
.domains
[i
].name
.string
);
213 (*sids
)[i
] = *dom_list
.domains
[i
].sid
;
219 DEBUG(10,("enumerate_domain_trusts: shutting down connection...\n"));
223 return NT_STATUS_IS_OK(result
);