source3/libsmb/trusts_util.c

   1 /*
   2  *  Unix SMB/CIFS implementation.
   3  *  Routines to operate on various trust relationships
   4  *  Copyright (C) Andrew Bartlett                   2001
   5  *  Copyright (C) Rafal Szczesniak                  2003
   6  *
   7  *  This program is free software; you can redistribute it and/or modify
   8  *  it under the terms of the GNU General Public License as published by
   9  *  the Free Software Foundation; either version 3 of the License, or
  10  *  (at your option) any later version.
  11  *
  12  *  This program is distributed in the hope that it will be useful,
  13  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  14  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15  *  GNU General Public License for more details.
  16  *
  17  *  You should have received a copy of the GNU General Public License
  18  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
  19  */
  20
  21 #include "includes.h"
  22 #include "../libcli/auth/libcli_auth.h"
  23 #include "../librpc/gen_ndr/cli_lsa.h"
  24 #include "rpc_client/cli_lsarpc.h"
  25 #include "rpc_client/cli_netlogon.h"
  26
  27 /*********************************************************
  28  Change the domain password on the PDC.
  29  Store the password ourselves, but use the supplied password
  30  Caller must have already setup the connection to the NETLOGON pipe
  31 **********************************************************/
  32
  33 NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
  34                                       const char *domain,
  35                                       const char *account_name,
  36                                       unsigned char orig_trust_passwd_hash[16],
  37                                       enum netr_SchannelType sec_channel_type)
  38 {
  39         unsigned char new_trust_passwd_hash[16];
  40         char *new_trust_passwd;
  41         NTSTATUS nt_status;
  42
  43         switch (sec_channel_type) {
  44         case SEC_CHAN_WKSTA:
  45         case SEC_CHAN_DOMAIN:
  46                 break;
  47         default:
  48                 return NT_STATUS_NOT_SUPPORTED;
  49         }
  50
  51         /* Create a random machine account password */
  52         new_trust_passwd = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
  53
  54         if (new_trust_passwd == NULL) {
  55                 DEBUG(0, ("talloc_strdup failed\n"));
  56                 return NT_STATUS_NO_MEMORY;
  57         }
  58
  59         E_md4hash(new_trust_passwd, new_trust_passwd_hash);
  60
  61         nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
  62                                                        account_name,
  63                                                        orig_trust_passwd_hash,
  64                                                        new_trust_passwd,
  65                                                        new_trust_passwd_hash,
  66                                                        sec_channel_type);
  67
  68         if (NT_STATUS_IS_OK(nt_status)) {
  69                 DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
  70                          current_timestring(talloc_tos(), False)));
  71                 /*
  72                  * Return the result of trying to write the new password
  73                  * back into the trust account file.
  74                  */
  75
  76                 switch (sec_channel_type) {
  77
  78                 case SEC_CHAN_WKSTA:
  79                         if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
  80                                 nt_status = NT_STATUS_UNSUCCESSFUL;
  81                         }
  82                         break;
  83
  84                 case SEC_CHAN_DOMAIN: {
  85                         char *pwd;
  86                         struct dom_sid sid;
  87                         time_t pass_last_set_time;
  88
  89                         /* we need to get the sid first for the
  90                          * pdb_set_trusteddom_pw call */
  91
  92                         if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
  93                                 nt_status = NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
  94                         }
  95                         if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
  96                                 nt_status = NT_STATUS_INTERNAL_DB_CORRUPTION;
  97                         }
  98                         break;
  99                 }
 100                 default:
 101                         break;
 102                 }
 103         }
 104
 105         return nt_status;
 106 }
 107
 108 /*********************************************************
 109  Change the domain password on the PDC.
 110  Do most of the legwork ourselfs.  Caller must have
 111  already setup the connection to the NETLOGON pipe
 112 **********************************************************/
 113
 114 NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
 115                                            TALLOC_CTX *mem_ctx,
 116                                            const char *domain)
 117 {
 118         unsigned char old_trust_passwd_hash[16];
 119         enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
 120         const char *account_name;
 121
 122         if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
 123                                &sec_channel_type)) {
 124                 DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
 125                 return NT_STATUS_UNSUCCESSFUL;
 126         }
 127
 128         return trust_pw_change_and_store_it(cli, mem_ctx, domain,
 129                                             account_name,
 130                                             old_trust_passwd_hash,
 131                                             sec_channel_type);
 132 }
 133
 134 /*********************************************************************
 135  Enumerate the list of trusted domains from a DC
 136 *********************************************************************/
 137
 138 bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
 139                                      char ***domain_names, uint32 *num_domains,
 140                                      struct dom_sid **sids )
 141 {
 142         struct policy_handle    pol;
 143         NTSTATUS        result = NT_STATUS_UNSUCCESSFUL;
 144         fstring         dc_name;
 145         struct sockaddr_storage dc_ss;
 146         uint32          enum_ctx = 0;
 147         struct cli_state *cli = NULL;
 148         struct rpc_pipe_client *lsa_pipe = NULL;
 149         bool            retry;
 150         struct lsa_DomainList dom_list;
 151         int i;
 152
 153         *domain_names = NULL;
 154         *num_domains = 0;
 155         *sids = NULL;
 156
 157         /* lookup a DC first */
 158
 159         if ( !get_dc_name(domain, NULL, dc_name, &dc_ss) ) {
 160                 DEBUG(3,("enumerate_domain_trusts: can't locate a DC for domain %s\n",
 161                         domain));
 162                 return False;
 163         }
 164
 165         /* setup the anonymous connection */
 166
 167         result = cli_full_connection( &cli, global_myname(), dc_name, &dc_ss, 0, "IPC$", "IPC",
 168                 "", "", "", 0, Undefined, &retry);
 169         if ( !NT_STATUS_IS_OK(result) )
 170                 goto done;
 171
 172         /* open the LSARPC_PIPE */
 173
 174         result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
 175                                           &lsa_pipe);
 176         if (!NT_STATUS_IS_OK(result)) {
 177                 goto done;
 178         }
 179
 180         /* get a handle */
 181
 182         result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, True,
 183                 LSA_POLICY_VIEW_LOCAL_INFORMATION, &pol);
 184         if ( !NT_STATUS_IS_OK(result) )
 185                 goto done;
 186
 187         /* Lookup list of trusted domains */
 188
 189         result = rpccli_lsa_EnumTrustDom(lsa_pipe, mem_ctx,
 190                                          &pol,
 191                                          &enum_ctx,
 192                                          &dom_list,
 193                                          (uint32_t)-1);
 194         if ( !NT_STATUS_IS_OK(result) )
 195                 goto done;
 196
 197         *num_domains = dom_list.count;
 198
 199         *domain_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, *num_domains);
 200         if (!*domain_names) {
 201                 result = NT_STATUS_NO_MEMORY;
 202                 goto done;
 203         }
 204
 205         *sids = TALLOC_ZERO_ARRAY(mem_ctx, struct dom_sid, *num_domains);
 206         if (!*sids) {
 207                 result = NT_STATUS_NO_MEMORY;
 208                 goto done;
 209         }
 210
 211         for (i=0; i< *num_domains; i++) {
 212                 (*domain_names)[i] = CONST_DISCARD(char *, dom_list.domains[i].name.string);
 213                 (*sids)[i] = *dom_list.domains[i].sid;
 214         }
 215
 216 done:
 217         /* cleanup */
 218         if (cli) {
 219                 DEBUG(10,("enumerate_domain_trusts: shutting down connection...\n"));
 220                 cli_shutdown( cli );
 221         }
 222
 223         return NT_STATUS_IS_OK(result);
 224 }