search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
mount.cifs: check access of credential files before opening
[Samba/gebeck_regimport.git] / source3 / libsmb / trusts_util.c
blob929816e92d29d85cbf3f18cbb7413d9629d725eb
1 /*
2 * Unix SMB/CIFS implementation.
3 * Routines to operate on various trust relationships
4 * Copyright (C) Andrew Bartlett 2001
5 * Copyright (C) Rafal Szczesniak 2003
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "../libcli/auth/libcli_auth.h"
23
24 /*********************************************************
25 Change the domain password on the PDC.
26 Store the password ourselves, but use the supplied password
27 Caller must have already setup the connection to the NETLOGON pipe
28 **********************************************************/
29
30 NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
31 const char *domain,
32 unsigned char orig_trust_passwd_hash[16],
33 uint32 sec_channel_type)
34 {
35 unsigned char new_trust_passwd_hash[16];
36 char *new_trust_passwd;
37 NTSTATUS nt_status;
38
39 /* Create a random machine account password */
40 new_trust_passwd = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
41
42 if (new_trust_passwd == NULL) {
43 DEBUG(0, ("talloc_strdup failed\n"));
44 return NT_STATUS_NO_MEMORY;
45 }
46
47 E_md4hash(new_trust_passwd, new_trust_passwd_hash);
48
49 nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
50 orig_trust_passwd_hash,
51 new_trust_passwd,
52 new_trust_passwd_hash,
53 sec_channel_type);
54
55 if (NT_STATUS_IS_OK(nt_status)) {
56 DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
57 current_timestring(debug_ctx(), False)));
58 /*
59 * Return the result of trying to write the new password
60 * back into the trust account file.
61 */
62 if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
63 nt_status = NT_STATUS_UNSUCCESSFUL;
64 }
65 }
66
67 return nt_status;
68 }
69
70 /*********************************************************
71 Change the domain password on the PDC.
72 Do most of the legwork ourselfs. Caller must have
73 already setup the connection to the NETLOGON pipe
74 **********************************************************/
75
76 NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
77 TALLOC_CTX *mem_ctx,
78 const char *domain)
79 {
80 unsigned char old_trust_passwd_hash[16];
81 uint32 sec_channel_type = 0;
82
83 if (!secrets_fetch_trust_account_password(domain,
84 old_trust_passwd_hash,
85 NULL, &sec_channel_type)) {
86 DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
87 return NT_STATUS_UNSUCCESSFUL;
88 }
89
90 return trust_pw_change_and_store_it(cli, mem_ctx, domain,
91 old_trust_passwd_hash,
92 sec_channel_type);
93 }
94
95 /*********************************************************************
96 Enumerate the list of trusted domains from a DC
97 *********************************************************************/
98
99 bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
100 char ***domain_names, uint32 *num_domains,
101 DOM_SID **sids )
102 {
103 struct policy_handle pol;
104 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
105 fstring dc_name;
106 struct sockaddr_storage dc_ss;
107 uint32 enum_ctx = 0;
108 struct cli_state *cli = NULL;
109 struct rpc_pipe_client *lsa_pipe;
110 bool retry;
111 struct lsa_DomainList dom_list;
112 int i;
113
114 *domain_names = NULL;
115 *num_domains = 0;
116 *sids = NULL;
117
118 /* lookup a DC first */
119
120 if ( !get_dc_name(domain, NULL, dc_name, &dc_ss) ) {
121 DEBUG(3,("enumerate_domain_trusts: can't locate a DC for domain %s\n",
122 domain));
123 return False;
124 }
125
126 /* setup the anonymous connection */
127
128 result = cli_full_connection( &cli, global_myname(), dc_name, &dc_ss, 0, "IPC$", "IPC",
129 "", "", "", 0, Undefined, &retry);
130 if ( !NT_STATUS_IS_OK(result) )
131 goto done;
132
133 /* open the LSARPC_PIPE */
134
135 result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
136 &lsa_pipe);
137 if (!NT_STATUS_IS_OK(result)) {
138 goto done;
139 }
140
141 /* get a handle */
142
143 result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, True,
144 LSA_POLICY_VIEW_LOCAL_INFORMATION, &pol);
145 if ( !NT_STATUS_IS_OK(result) )
146 goto done;
147
148 /* Lookup list of trusted domains */
149
150 result = rpccli_lsa_EnumTrustDom(lsa_pipe, mem_ctx,
151 &pol,
152 &enum_ctx,
153 &dom_list,
154 (uint32_t)-1);
155 if ( !NT_STATUS_IS_OK(result) )
156 goto done;
157
158 *num_domains = dom_list.count;
159
160 *domain_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, *num_domains);
161 if (!*domain_names) {
162 result = NT_STATUS_NO_MEMORY;
163 goto done;
164 }
165
166 *sids = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, *num_domains);
167 if (!*sids) {
168 result = NT_STATUS_NO_MEMORY;
169 goto done;
170 }
171
172 for (i=0; i< *num_domains; i++) {
173 (*domain_names)[i] = CONST_DISCARD(char *, dom_list.domains[i].name.string);
174 (*sids)[i] = *dom_list.domains[i].sid;
175 }
176
177 done:
178 /* cleanup */
179 if (cli) {
180 DEBUG(10,("enumerate_domain_trusts: shutting down connection...\n"));
181 cli_shutdown( cli );
182 }
183
184 return NT_STATUS_IS_OK(result);
185 }
reg import