00022 #include "includes.h"
/*
 * Change this machine's trust account password on the remote server.
 *
 * Netlogon credentials are first set up on the pipe with the current
 * trust password hash. The new password is then sent with whichever call
 * the resulting flags select: the cleartext string through
 * rpccli_net_srv_pwset2() when NETLOGON_NEG_PASSWORD_SET2 is set,
 * otherwise the 16-byte hash through rpccli_net_srv_pwset().
 *
 * Nothing is written to local secrets storage here; persisting the new
 * password is left to the caller.
 *
 * Returns the status of the credential setup if that failed, otherwise
 * the status of the password-set call.
 */
static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
					 const unsigned char orig_trust_passwd_hash[16],
					 const char *new_trust_pwd_cleartext,
					 const unsigned char new_trust_passwd_hash[16],
					 uint32 sec_channel_type)
{
	/* Passed by pointer below; the value tested afterwards is whatever
	 * the credential setup left in it. */
	uint32_t negotiated = NETLOGON_NEG_AUTH2_ADS_FLAGS;
	NTSTATUS status;

	status = rpccli_netlogon_setup_creds(cli,
					     cli->cli->desthost,
					     lp_workgroup(),
					     global_myname(),
					     global_myname(),
					     orig_trust_passwd_hash,
					     sec_channel_type,
					     &negotiated);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(3,("just_change_the_password: unable to setup creds (%s)!\n",
			 nt_errstr(status)));
		return status;
	}

	/* Pick the password-set variant from the flags left by the setup call. */
	status = (negotiated & NETLOGON_NEG_PASSWORD_SET2)
		? rpccli_net_srv_pwset2(cli, mem_ctx, global_myname(),
					new_trust_pwd_cleartext)
		: rpccli_net_srv_pwset(cli, mem_ctx, global_myname(),
				       new_trust_passwd_hash);

	if (NT_STATUS_IS_OK(status)) {
		return status;
	}

	DEBUG(0,("just_change_the_password: unable to change password (%s)!\n",
		 nt_errstr(status)));
	return status;
}
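/*
 * Generate a new random trust account password, set it on the remote
 * server and, only if that succeeded, store it in the local secrets
 * database for `domain`.
 *
 * cli                     pipe used for the netlogon password change
 * mem_ctx                 talloc context that receives the copy of the
 *                         new cleartext password
 * domain                  domain the stored machine password belongs to
 * orig_trust_passwd_hash  current 16-byte trust password hash, used to
 *                         set up credentials for the change
 * sec_channel_type        secure channel type passed to both the change
 *                         and the store
 *
 * Returns NT_STATUS_NO_MEMORY if the password copy cannot be allocated,
 * the status of the remote change if that failed, NT_STATUS_UNSUCCESSFUL
 * if the remote change worked but the local store failed, and the
 * (successful) status of the remote change otherwise.
 *
 * NOTE(review): the cleartext copy stays on mem_ctx until that context
 * is freed, and the hash stays in this stack frame; neither is wiped
 * here. Callers should keep mem_ctx short-lived.
 */
NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
				      const char *domain,
				      unsigned char orig_trust_passwd_hash[16],
				      uint32 sec_channel_type)
{
	unsigned char new_trust_passwd_hash[16];
	char *new_trust_passwd;
	NTSTATUS nt_status;

	/* Create a random machine account password and keep a copy on mem_ctx. */
	new_trust_passwd = talloc_strdup(mem_ctx,
			generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH));
	if (new_trust_passwd == NULL) {
		DEBUG(0, ("talloc_strdup failed\n"));
		return NT_STATUS_NO_MEMORY;
	}

	/* 16-byte hash of the new password, needed when the server only
	 * accepts the hash-based set call. */
	E_md4hash(new_trust_passwd, new_trust_passwd_hash);

	nt_status = just_change_the_password(cli, mem_ctx, orig_trust_passwd_hash,
					     new_trust_passwd,
					     new_trust_passwd_hash, sec_channel_type);
	if (!NT_STATUS_IS_OK(nt_status)) {
		return nt_status;
	}

	DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
		 current_timestring(False)));

	/*
	 * The server now holds the new password. If the local store fails,
	 * the two sides disagree, so report it at level 0 instead of failing
	 * silently. The password itself is never logged.
	 */
	if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
		DEBUG(0,("trust_pw_change_and_store_it: password was changed on the "
			 "server but could not be stored locally for domain %s!\n",
			 domain));
		nt_status = NT_STATUS_UNSUCCESSFUL;
	}

	return nt_status;
}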
/*
 * Fetch the stored trust account password hash and secure channel type
 * for `domain` from the local secrets, then hand both to
 * trust_pw_change_and_store_it() to perform the change.
 *
 * Returns NT_STATUS_UNSUCCESSFUL when the stored secrets cannot be
 * fetched, otherwise whatever trust_pw_change_and_store_it() returns.
 */
NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
					   TALLOC_CTX *mem_ctx,
					   const char *domain)
{
	uint32 channel = 0;
	unsigned char current_hash[16];

	/* Third argument is NULL: that output is not requested here. */
	if (secrets_fetch_trust_account_password(domain, current_hash,
						 NULL, &channel)) {
		return trust_pw_change_and_store_it(cli, mem_ctx, domain,
						    current_hash, channel);
	}

	DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
	return NT_STATUS_UNSUCCESSFUL;
}
/*
 * Ask a domain controller of `domain` for its list of trusted domains.
 *
 * Steps: locate a DC, connect to its IPC$ share, open the LSA pipe, open
 * an LSA policy handle with POLICY_VIEW_LOCAL_INFORMATION and enumerate
 * the trusted domains into the three output parameters.
 *
 * The outputs are reset to NULL / 0 / NULL before any work is done.
 * Returns True only when the last step that ran reported success; no DC
 * found returns False at once.
 *
 * NOTE(review): the connection is made with empty user, domain and
 * password strings and the pipe is opened with the "noauth" helper, so
 * the result looks like it travels over an unauthenticated session.
 * Callers should treat the names and SIDs as unverified until checked
 * over an authenticated channel -- confirm against the callers.
 */
BOOL enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
			      char ***domain_names, uint32 *num_domains,
			      DOM_SID **sids )
{
	struct rpc_pipe_client *lsa_pipe;
	struct cli_state *conn = NULL;
	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
	POLICY_HND lsa_policy;
	struct in_addr dc_ip;
	fstring dc_name;
	uint32 enum_ctx = 0;
	BOOL retry;

	/* Start with empty outputs so every exit path leaves them defined. */
	*domain_names = NULL;
	*num_domains = 0;
	*sids = NULL;

	/* Locate a domain controller. */
	if ( !get_dc_name(domain, NULL, dc_name, &dc_ip) ) {
		DEBUG(3,("enumerate_domain_trusts: can't locate a DC for domain %s\n",
			 domain));
		return False;
	}

	/* Connect to IPC$ with empty credentials. */
	status = cli_full_connection( &conn, global_myname(), dc_name, &dc_ip, 0, "IPC$", "IPC",
				      "", "", "", 0, Undefined, &retry);
	if ( !NT_STATUS_IS_OK(status) ) {
		goto done;
	}

	/* Open the LSA pipe; the helper is given &status, presumably to
	 * report why it failed -- verify against its definition. */
	lsa_pipe = cli_rpc_pipe_open_noauth( conn, PI_LSARPC, &status );
	if ( lsa_pipe == NULL ) {
		goto done;
	}

	/* Get a policy handle for the enumeration call. */
	status = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, True,
					POLICY_VIEW_LOCAL_INFORMATION, &lsa_policy);
	if ( !NT_STATUS_IS_OK(status) ) {
		goto done;
	}

	/* Enumerate the trusted domains; the outcome is reported through
	 * status whether it succeeded or failed. */
	status = rpccli_lsa_enum_trust_dom(lsa_pipe, mem_ctx, &lsa_policy, &enum_ctx,
					   num_domains, domain_names, sids);

done:
	/* Tear the connection down on every path that created one. */
	if ( conn != NULL ) {
		DEBUG(10,("enumerate_domain_trusts: shutting down connection...\n"));
		cli_shutdown( conn );
	}

	return NT_STATUS_IS_OK(status);
}