source/lsarpcd/lsarpcd.c

   1 /*
   2    Unix SMB/Netbios implementation.
   3    Version 1.9.
   4    Main SMB server routines
   5    Copyright (C) Andrew Tridgell              1992-2000
   6    Copyright (C) Luke Kenneth Casson Leighton 1996-2000
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program; if not, write to the Free Software
  20    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  21 */
  22
  23 #include "includes.h"
  24 #include "rpc_client.h"
  25 #include "nterr.h"
  26
  27 fstring pipe_name;
  28
  29 pstring servicesf = CONFIGFILE;
  30 extern pstring debugf;
  31 extern BOOL append_log;
  32 extern int DEBUGLEVEL;
  33
  34 /*****************************************************************************
  35  initialise srv_auth_fns array
  36  *****************************************************************************/
  37 static void auth_init(rpcsrv_struct * l)
  38 {
  39 }
  40
  41 static void service_init(char *service_name)
  42 {
  43         add_msrpc_command_processor(pipe_name, service_name, api_ntlsa_rpc);
  44
  45         if (!pwdb_initialise(True))
  46         {
  47                 exit(-1);
  48         }
  49
  50         if (!secret_init_db())
  51         {
  52                 exit(-1);
  53         }
  54 }
  55
  56 /****************************************************************************
  57   reload the services file
  58   **************************************************************************/
  59 static void update_trust_account(void)
  60 {
  61         BOOL trust_pwd_needs_changing = False;
  62         uint8 old_trust[16];
  63         NTTIME ntlct;
  64         uint32 s2 = NT_STATUS_NOPROBLEMO;
  65         uint32 s1 = NT_STATUS_NOPROBLEMO;
  66         uint32 s = NT_STATUS_NOPROBLEMO;
  67
  68         POLICY_HND pol_sec;
  69         POLICY_HND lsa_pol;
  70         STRING2 secret;
  71         STRING2 encsec;
  72         UNISTR2 uni_sec_name;
  73         char *name = "$MACHINE.ACC";
  74         extern fstring global_myworkgroup;
  75         time_t cur_time;
  76         time_t sec_time;
  77         uchar user_sess_key[16];
  78
  79         make_unistr2(&uni_sec_name, name, strlen(name));
  80
  81         s = _lsa_open_policy2(NULL, &lsa_pol, NULL,
  82                               SEC_RIGHTS_MAXIMUM_ALLOWED);
  83
  84         if (s == NT_STATUS_NOPROBLEMO)
  85         {
  86                 s1 = _lsa_open_secret(&lsa_pol, &uni_sec_name,
  87                                       SEC_RIGHTS_MAXIMUM_ALLOWED, &pol_sec);
  88         }
  89         else
  90         {
  91                 DEBUG(0, ("_lsa_open_policy2 failed with 0x%x\n", s));
  92                 return;
  93         }
  94
  95         if (s1 == NT_STATUS_NOPROBLEMO)
  96         {
  97                 if (!pol_get_usr_sesskey(get_global_hnd_cache(), &pol_sec,
  98                                          user_sess_key))
  99                 {
 100                         s2 = NT_STATUS_INVALID_HANDLE;
 101                 }
 102         }
 103         else
 104         {
 105                 DEBUG(0, ("_lsa_open_secret failed with 0x%x\n", s1));
 106                 _lsa_close(&lsa_pol);
 107                 return;
 108         }
 109
 110         if (s2 == NT_STATUS_NOPROBLEMO)
 111         {
 112                 s2 = _lsa_query_secret(&pol_sec, &encsec, &ntlct, NULL, NULL);
 113         }
 114         if (s2 == NT_STATUS_NOPROBLEMO)
 115         {
 116                 if (!nt_decrypt_string2(&secret, &encsec, user_sess_key))
 117                 {
 118                         s2 = NT_STATUS_INVALID_PARAMETER;
 119                 }
 120         }
 121         if (s2 == NT_STATUS_NOPROBLEMO)
 122         {
 123                 if (secret_to_nt_owf(old_trust, &secret))
 124                 {
 125                         dump_data_pw("$MACHINE.ACC-hashed:", old_trust, 16);
 126                 }
 127                 else
 128                 {
 129                         DEBUG(0,("old secret to OWF: failed\n"));
 130                 }
 131         }
 132
 133         cur_time = time(NULL);
 134         sec_time = nt_time_to_unix(&ntlct);
 135
 136         if (DEBUGLVL(100))
 137         {
 138                 DEBUG(100, ("secret time: %s\n", http_timestring(sec_time)));
 139                 DEBUG(100, ("current time: %s\n", http_timestring(cur_time)));
 140         }
 141
 142         if (s2 == NT_STATUS_NOPROBLEMO
 143             && cur_time > sec_time + lp_machine_password_timeout())
 144         {
 145                 DEBUG(1, ("$MACHINE.ACC password being updated.\n"));
 146                 trust_pwd_needs_changing = True;
 147         }
 148
 149         if (trust_pwd_needs_changing)
 150         {
 151                 unsigned char trust_passwd[16];
 152                 unsigned char trust_passwd_hash[16];
 153                 fstring srv_name;
 154                 BOOL res2;
 155
 156                 res2 = get_any_dc_name(global_myworkgroup, srv_name);
 157
 158                 generate_random_buffer(trust_passwd, 16, True);
 159                 secret_store_data(&secret, trust_passwd, 16);
 160
 161                 res2 = res2 ? secret_to_nt_owf(trust_passwd_hash, &secret) :
 162                         False;
 163
 164                 res2 = res2 ? nt_encrypt_string2(&encsec, &secret,
 165                                                  user_sess_key) : False;
 166
 167                 if (!strequal("\\\\.", srv_name))
 168                 {
 169                         res2 = res2 ?
 170                                 modify_trust_password(global_myworkgroup,
 171                                                       srv_name, old_trust,
 172                                                       trust_passwd_hash,
 173                                                       SEC_CHAN_WKSTA) : False;
 174                 }
 175
 176                 if (res2)
 177                 {
 178                         s2 = _lsa_set_secret(&pol_sec, &encsec, 0x0);
 179                 }
 180                 if (s2 != NT_STATUS_NOPROBLEMO)
 181                 {
 182                         DEBUG(0, ("$MACHINE.ACC password update FAILED\n"));
 183                 }
 184         }
 185
 186         if (s1 == NT_STATUS_NOPROBLEMO)
 187         {
 188                 _lsa_close(&pol_sec);
 189         }
 190         if (s == NT_STATUS_NOPROBLEMO)
 191         {
 192                 _lsa_close(&lsa_pol);
 193         }
 194         DEBUG(10,("update_trust_account: %d\n", __LINE__));
 195 }
 196
 197 /****************************************************************************
 198   reload the services file
 199   **************************************************************************/
 200 static BOOL reload_msrpc(BOOL test)
 201 {
 202         BOOL ret;
 203
 204         if (lp_loaded())
 205         {
 206                 pstring fname;
 207                 pstrcpy(fname, lp_configfile());
 208                 if (file_exist(fname, NULL) && !strcsequal(fname, servicesf))
 209                 {
 210                         pstrcpy(servicesf, fname);
 211                         test = False;
 212                 }
 213         }
 214
 215         reopen_logs();
 216
 217         if (test && !lp_file_list_changed())
 218                 return (True);
 219
 220         lp_killunused(NULL);
 221
 222         ret = lp_load(servicesf, False, False, True);
 223
 224         /* perhaps the config filename is now set */
 225         if (!test)
 226                 reload_msrpc(True);
 227
 228         reopen_logs();
 229
 230         load_interfaces();
 231
 232         return (ret);
 233 }
 234
 235 /****************************************************************************
 236   main program
 237 ****************************************************************************/
 238 static int main_init(int argc, char *argv[])
 239 {
 240 #ifdef HAVE_SET_AUTH_PARAMETERS
 241         set_auth_parameters(argc, argv);
 242 #endif
 243
 244 #ifdef HAVE_SETLUID
 245         /* needed for SecureWare on SCO */
 246         setluid(0);
 247 #endif
 248
 249         append_log = True;
 250
 251         TimeInit();
 252
 253         fstrcpy(pipe_name, "lsarpc");
 254         setup_logging(argv[0], False);
 255         slprintf(debugf, sizeof(debugf), "%s/log.%s", LOGFILEBASE, pipe_name);
 256
 257         return 0;
 258 }
 259
 260 static msrpc_service_fns fn_table = {
 261         auth_init,
 262         service_init,
 263         reload_msrpc,
 264         main_init,
 265         update_trust_account
 266 };
 267
 268 msrpc_service_fns *get_service_fns(void)
 269 {
 270         return &fn_table;
 271 }