search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Reserve IOCTL 0xACE for proxy<->proxy communication channel
[Samba/vfs_proxy.git] / source3 / libsmb / trusts_util.c
blobf0595695d2279920c04497f3a46941fea6fcca4c
1 /*
2 * Unix SMB/CIFS implementation.
3 * Routines to operate on various trust relationships
4 * Copyright (C) Andrew Bartlett 2001
5 * Copyright (C) Rafal Szczesniak 2003
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22
23 /*********************************************************
24 Change the domain password on the PDC.
25 Store the password ourselves, but use the supplied password
26 Caller must have already setup the connection to the NETLOGON pipe
27 **********************************************************/
28
29 NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
30 const char *domain,
31 unsigned char orig_trust_passwd_hash[16],
32 uint32 sec_channel_type)
33 {
34 unsigned char new_trust_passwd_hash[16];
35 char *new_trust_passwd;
36 NTSTATUS nt_status;
37
38 /* Create a random machine account password */
39 new_trust_passwd = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
40
41 if (new_trust_passwd == NULL) {
42 DEBUG(0, ("talloc_strdup failed\n"));
43 return NT_STATUS_NO_MEMORY;
44 }
45
46 E_md4hash(new_trust_passwd, new_trust_passwd_hash);
47
48 nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
49 orig_trust_passwd_hash,
50 new_trust_passwd,
51 new_trust_passwd_hash,
52 sec_channel_type);
53
54 if (NT_STATUS_IS_OK(nt_status)) {
55 DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
56 current_timestring(debug_ctx(), False)));
57 /*
58 * Return the result of trying to write the new password
59 * back into the trust account file.
60 */
61 if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
62 nt_status = NT_STATUS_UNSUCCESSFUL;
63 }
64 }
65
66 return nt_status;
67 }
68
69 /*********************************************************
70 Change the domain password on the PDC.
71 Do most of the legwork ourselfs. Caller must have
72 already setup the connection to the NETLOGON pipe
73 **********************************************************/
74
75 NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
76 TALLOC_CTX *mem_ctx,
77 const char *domain)
78 {
79 unsigned char old_trust_passwd_hash[16];
80 uint32 sec_channel_type = 0;
81
82 if (!secrets_fetch_trust_account_password(domain,
83 old_trust_passwd_hash,
84 NULL, &sec_channel_type)) {
85 DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
86 return NT_STATUS_UNSUCCESSFUL;
87 }
88
89 return trust_pw_change_and_store_it(cli, mem_ctx, domain,
90 old_trust_passwd_hash,
91 sec_channel_type);
92 }
93
94 /*********************************************************************
95 Enumerate the list of trusted domains from a DC
96 *********************************************************************/
97
98 bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
99 char ***domain_names, uint32 *num_domains,
100 DOM_SID **sids )
101 {
102 POLICY_HND pol;
103 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
104 fstring dc_name;
105 struct sockaddr_storage dc_ss;
106 uint32 enum_ctx = 0;
107 struct cli_state *cli = NULL;
108 struct rpc_pipe_client *lsa_pipe;
109 bool retry;
110 struct lsa_DomainList dom_list;
111 int i;
112
113 *domain_names = NULL;
114 *num_domains = 0;
115 *sids = NULL;
116
117 /* lookup a DC first */
118
119 if ( !get_dc_name(domain, NULL, dc_name, &dc_ss) ) {
120 DEBUG(3,("enumerate_domain_trusts: can't locate a DC for domain %s\n",
121 domain));
122 return False;
123 }
124
125 /* setup the anonymous connection */
126
127 result = cli_full_connection( &cli, global_myname(), dc_name, &dc_ss, 0, "IPC$", "IPC",
128 "", "", "", 0, Undefined, &retry);
129 if ( !NT_STATUS_IS_OK(result) )
130 goto done;
131
132 /* open the LSARPC_PIPE */
133
134 result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
135 &lsa_pipe);
136 if (!NT_STATUS_IS_OK(result)) {
137 goto done;
138 }
139
140 /* get a handle */
141
142 result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, True,
143 LSA_POLICY_VIEW_LOCAL_INFORMATION, &pol);
144 if ( !NT_STATUS_IS_OK(result) )
145 goto done;
146
147 /* Lookup list of trusted domains */
148
149 result = rpccli_lsa_EnumTrustDom(lsa_pipe, mem_ctx,
150 &pol,
151 &enum_ctx,
152 &dom_list,
153 (uint32_t)-1);
154 if ( !NT_STATUS_IS_OK(result) )
155 goto done;
156
157 *num_domains = dom_list.count;
158
159 *domain_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, *num_domains);
160 if (!*domain_names) {
161 result = NT_STATUS_NO_MEMORY;
162 goto done;
163 }
164
165 *sids = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, *num_domains);
166 if (!*sids) {
167 result = NT_STATUS_NO_MEMORY;
168 goto done;
169 }
170
171 for (i=0; i< *num_domains; i++) {
172 (*domain_names)[i] = CONST_DISCARD(char *, dom_list.domains[i].name.string);
173 (*sids)[i] = *dom_list.domains[i].sid;
174 }
175
176 done:
177 /* cleanup */
178 if (cli) {
179 DEBUG(10,("enumerate_domain_trusts: shutting down connection...\n"));
180 cli_shutdown( cli );
181 }
182
183 return NT_STATUS_IS_OK(result);
184 }
Proof-of-concept samba4 based caching proxy