search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
/tmp/newfun.msg
[Samba/gebeck_regimport.git] / source3 / libsmb / trusts_util.c
blob055851f6b7bf0f9789d96b459a92bb3292cfef52
1 /*
2 * Unix SMB/CIFS implementation.
3 * Routines to operate on various trust relationships
4 * Copyright (C) Andrew Bartlett 2001
5 * Copyright (C) Rafal Szczesniak 2003
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20 */
21
22 #include "includes.h"
23
24 /*********************************************************
25 Change the domain password on the PDC.
26
27 Just changes the password betwen the two values specified.
28
29 Caller must have the cli connected to the netlogon pipe
30 already.
31 **********************************************************/
32 static NTSTATUS just_change_the_password(struct cli_state *cli, TALLOC_CTX *mem_ctx,
33 unsigned char orig_trust_passwd_hash[16],
34 unsigned char new_trust_passwd_hash[16])
35 {
36 NTSTATUS result;
37 uint32 neg_flags = 0x000001ff;
38
39 result = cli_nt_setup_creds(cli, get_sec_chan(), orig_trust_passwd_hash, &neg_flags, 2);
40
41 if (!NT_STATUS_IS_OK(result)) {
42 DEBUG(1,("just_change_the_password: unable to setup creds (%s)!\n",
43 nt_errstr(result)));
44 return result;
45 }
46
47 result = cli_net_srv_pwset(cli, mem_ctx, global_myname(), new_trust_passwd_hash);
48
49 if (!NT_STATUS_IS_OK(result)) {
50 DEBUG(0,("just_change_the_password: unable to change password (%s)!\n",
51 nt_errstr(result)));
52 }
53 return result;
54 }
55
56 /*********************************************************
57 Change the domain password on the PDC.
58 Store the password ourselves, but use the supplied password
59 Caller must have already setup the connection to the NETLOGON pipe
60 **********************************************************/
61
62 NTSTATUS trust_pw_change_and_store_it(struct cli_state *cli, TALLOC_CTX *mem_ctx,
63 unsigned char orig_trust_passwd_hash[16])
64 {
65 unsigned char new_trust_passwd_hash[16];
66 char *new_trust_passwd;
67 char *str;
68 NTSTATUS nt_status;
69
70 /* Create a random machine account password */
71 str = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
72 new_trust_passwd = talloc_strdup(mem_ctx, str);
73
74 E_md4hash(new_trust_passwd, new_trust_passwd_hash);
75
76 nt_status = just_change_the_password(cli, mem_ctx, orig_trust_passwd_hash,
77 new_trust_passwd_hash);
78
79 if (NT_STATUS_IS_OK(nt_status)) {
80 DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
81 timestring(False)));
82 /*
83 * Return the result of trying to write the new password
84 * back into the trust account file.
85 */
86 if (!secrets_store_machine_password(new_trust_passwd)) {
87 nt_status = NT_STATUS_UNSUCCESSFUL;
88 }
89 }
90
91 return nt_status;
92 }
93
94 /*********************************************************
95 Change the domain password on the PDC.
96 Do most of the legwork ourselfs. Caller must have
97 already setup the connection to the NETLOGON pipe
98 **********************************************************/
99
100 NTSTATUS trust_pw_find_change_and_store_it(struct cli_state *cli, TALLOC_CTX *mem_ctx,
101 const char *domain)
102 {
103 unsigned char old_trust_passwd_hash[16];
104 char *up_domain;
105
106 up_domain = talloc_strdup(mem_ctx, domain);
107
108 if (!secrets_fetch_trust_account_password(domain,
109 old_trust_passwd_hash,
110 NULL)) {
111 DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
112 return NT_STATUS_UNSUCCESSFUL;
113 }
114
115 return trust_pw_change_and_store_it(cli, mem_ctx, old_trust_passwd_hash);
116
117 }
118
119
120 /**
121 * Verify whether or not given domain is trusted.
122 *
123 * @param domain_name name of the domain to be verified
124 * @return true if domain is one of the trusted once or
125 * false if otherwise
126 **/
127
128 BOOL is_trusted_domain(const char* dom_name)
129 {
130 int enum_ctx = 0;
131 const int trustdom_size = 10;
132 int num_domains, i;
133 TRUSTDOM **domains;
134 NTSTATUS result;
135 fstring trustdom_name;
136 DOM_SID trustdom_sid;
137 TALLOC_CTX *mem_ctx;
138
139 /*
140 * Query the secrets db as an ultimate source of information
141 * about trusted domain names. This is PDC or BDC case.
142 */
143 mem_ctx = talloc_init("is_trusted_domain");
144
145 do {
146 result = secrets_get_trusted_domains(mem_ctx, &enum_ctx, trustdom_size,
147 &num_domains, &domains);
148 /* compare each returned entry against incoming connection's domain */
149 for (i = 0; i < num_domains; i++) {
150 pull_ucs2_fstring(trustdom_name, domains[i]->name);
151 if (strequal(trustdom_name, dom_name)) {
152 talloc_destroy(mem_ctx);
153 return True;
154 }
155 }
156 } while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));
157
158 /*
159 * Query the trustdom_cache updated periodically. The only
160 * way for domain member server.
161 */
162 if (trustdom_cache_enable() &&
163 trustdom_cache_fetch(dom_name, &trustdom_sid)) {
164 trustdom_cache_shutdown();
165 return True;
166 }
167
168 /*
169 * if nothing's been found, then give up here, although
170 * the last resort might be to query the PDC.
171 */
172 return False;
173 }
174
reg import