libsmb/trusts_util.c

00001 /*
00002  *  Unix SMB/CIFS implementation.
00003  *  Routines to operate on various trust relationships
00004  *  Copyright (C) Andrew Bartlett                   2001
00005  *  Copyright (C) Rafal Szczesniak                  2003
00006  *
00007  *  This program is free software; you can redistribute it and/or modify
00008  *  it under the terms of the GNU General Public License as published by
00009  *  the Free Software Foundation; either version 2 of the License, or
00010  *  (at your option) any later version.
00011  *  
00012  *  This program is distributed in the hope that it will be useful,
00013  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
00014  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
00015  *  GNU General Public License for more details.
00016  *  
00017  *  You should have received a copy of the GNU General Public License
00018  *  along with this program; if not, write to the Free Software
00019  *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
00020  */
00021 
00022 #include "includes.h"
00023 
/*********************************************************
 Change the domain password on the PDC.

 Just changes the password between the two values specified.

 Caller must have the cli connected to the netlogon pipe
 already.

 cli                     - NETLOGON pipe; cli->cli->desthost names the DC
 mem_ctx                 - talloc context handed to the RPC calls
 orig_trust_passwd_hash  - 16-byte hash of the current trust password,
                           used to set up the NETLOGON credentials
 new_trust_pwd_cleartext - new password, sent only when the DC negotiated
                           NETLOGON_NEG_PASSWORD_SET2
 new_trust_passwd_hash   - 16-byte hash of the new password, sent otherwise
 sec_channel_type        - passed through to the credential setup

 Returns NT_STATUS_OK on success, otherwise the status of the failing
 credential setup or password-set call (both are logged here).
**********************************************************/

static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, 
                                         const unsigned char orig_trust_passwd_hash[16],
                                         const char *new_trust_pwd_cleartext,
                                         const unsigned char new_trust_passwd_hash[16],
                                         uint32 sec_channel_type)
{
        /* what we offer; updated in place with what the DC accepted */
        uint32_t negotiated = NETLOGON_NEG_AUTH2_ADS_FLAGS;
        NTSTATUS status;

        status = rpccli_netlogon_setup_creds(cli,
                                             cli->cli->desthost, /* server name */
                                             lp_workgroup(), /* domain */
                                             global_myname(), /* client name */
                                             global_myname(), /* machine account name */
                                             orig_trust_passwd_hash,
                                             sec_channel_type,
                                             &negotiated);
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(3,("just_change_the_password: unable to setup creds (%s)!\n",
                         nt_errstr(status)));
                return status;
        }

        /*
         * Without PASSWORD_SET2 only the hash of the new password goes
         * over the wire; with it the DC takes the cleartext form.
         */
        if (!(negotiated & NETLOGON_NEG_PASSWORD_SET2)) {
                status = rpccli_net_srv_pwset(cli, mem_ctx, global_myname(),
                                              new_trust_passwd_hash);
        } else {
                status = rpccli_net_srv_pwset2(cli, mem_ctx, global_myname(),
                                               new_trust_pwd_cleartext);
        }

        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(0,("just_change_the_password: unable to change password (%s)!\n",
                         nt_errstr(status)));
        }

        return status;
}
00071 
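/*********************************************************
 Change the domain password on the PDC.
 Store the password ourselves, but use the supplied password
 Caller must have already setup the connection to the NETLOGON pipe

 cli                    - connected NETLOGON pipe
 mem_ctx                - talloc context; the new cleartext password is
                          allocated on it and lives as long as it does
 domain                 - domain whose trust account password is rotated
 orig_trust_passwd_hash - 16-byte hash of the current trust password
 sec_channel_type       - passed through to the credential setup and to
                          the secrets store

 Returns NT_STATUS_OK when the DC accepted the new password AND it was
 stored locally; NT_STATUS_NO_MEMORY if the local copy could not be
 allocated; NT_STATUS_UNSUCCESSFUL if the DC accepted the password but
 the local store failed; otherwise the status of the failed change.
**********************************************************/

NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, 
                                      const char *domain,
                                      unsigned char orig_trust_passwd_hash[16],
                                      uint32 sec_channel_type)
{
        unsigned char new_trust_passwd_hash[16];
        char *new_trust_passwd;
        char *str;
        NTSTATUS nt_status;

        /* Create a random machine account password */
        str = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);

        /* keep our own copy on mem_ctx */
        if ((new_trust_passwd = talloc_strdup(mem_ctx, str)) == NULL) {
                DEBUG(0, ("talloc_strdup failed\n"));
                return NT_STATUS_NO_MEMORY;
        }

        /* MD4 hash of the new password, for the hash-based change path */
        E_md4hash(new_trust_passwd, new_trust_passwd_hash);

        nt_status = just_change_the_password(cli, mem_ctx, orig_trust_passwd_hash,
                                             new_trust_passwd,
                                             new_trust_passwd_hash, sec_channel_type);

        if (NT_STATUS_IS_OK(nt_status)) {
                DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n", 
                         current_timestring(False)));
                /*
                 * The DC already holds the new password at this point.
                 * If it cannot be written into the local secrets store
                 * the trust account is now out of sync with the DC, so
                 * log that at level 0 (every other failure path here
                 * logs) rather than returning a bare generic status.
                 */
                if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
                        DEBUG(0, ("trust_pw_change_and_store_it: changed the password on the DC "
                                  "but could not store it locally for domain %s!\n", domain));
                        nt_status = NT_STATUS_UNSUCCESSFUL;
                }
        }

        /*
         * NOTE(review): neither the cleartext copy on mem_ctx nor the
         * 16-byte hash on the stack is scrubbed before returning.
         */
        return nt_status;
}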
00116 
/*********************************************************
 Change the domain password on the PDC.
 Do most of the legwork ourselves.  Caller must have
 already setup the connection to the NETLOGON pipe

 Fetches the current trust password hash and secure channel type for
 'domain' from the local secrets store and hands them on to
 trust_pw_change_and_store_it().

 Returns NT_STATUS_UNSUCCESSFUL if the secrets cannot be fetched,
 otherwise whatever trust_pw_change_and_store_it() returns.
**********************************************************/

NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli, 
                                           TALLOC_CTX *mem_ctx, 
                                           const char *domain) 
{
        unsigned char current_hash[16];
        uint32 channel_type = 0;

        /* the last-change time is not needed here, hence the NULL */
        if (!secrets_fetch_trust_account_password(domain, current_hash,
                                                  NULL, &channel_type)) {
                DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
                return NT_STATUS_UNSUCCESSFUL;
        }

        return trust_pw_change_and_store_it(cli, mem_ctx, domain, current_hash,
                                            channel_type);
}
00141 
/*********************************************************************
 Enumerate the list of trusted domains from a DC

 Locates a DC for 'domain', opens an anonymous IPC$ session to it, opens
 the LSARPC pipe without authentication and asks it for the trusted
 domain list. The three out-parameters are reset to empty first and are
 filled in by rpccli_lsa_enum_trust_dom() on success (mem_ctx is handed
 to the LSA calls).

 NOTE(review): the session uses empty ("", "", "") credentials, so a DC
 that refuses anonymous LSA access will presumably make this return
 False. Only the DC-lookup failure is logged; RPC failures are not.
 The policy handle is never explicitly closed, only the connection is
 shut down.

 Returns True if the enumeration succeeded, False otherwise. Any
 connection that was opened is shut down before returning.
*********************************************************************/

BOOL enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
                                     char ***domain_names, uint32 *num_domains,
                                     DOM_SID **sids )
{
        struct cli_state *conn = NULL;
        struct rpc_pipe_client *lsa;
        POLICY_HND policy;
        NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
        fstring dc_host;
        struct in_addr dc_addr;
        uint32 resume = 0;
        BOOL retried;

        /* start from a clean slate for the caller */
        *sids = NULL;
        *num_domains = 0;
        *domain_names = NULL;

        /* lookup a DC first */
        if (!get_dc_name(domain, NULL, dc_host, &dc_addr)) {
                DEBUG(3,("enumerate_domain_trusts: can't locate a DC for domain %s\n",
                        domain));
                return False;
        }

        /* setup the anonymous connection */
        status = cli_full_connection(&conn, global_myname(), dc_host, &dc_addr, 0, "IPC$", "IPC",
                                     "", "", "", 0, Undefined, &retried);
        if (!NT_STATUS_IS_OK(status)) {
                goto cleanup;
        }

        /* open the LSARPC_PIPE; 'status' is passed in for the error */
        lsa = cli_rpc_pipe_open_noauth(conn, PI_LSARPC, &status);
        if (lsa == NULL) {
                goto cleanup;
        }

        /* get a handle */
        status = rpccli_lsa_open_policy(lsa, mem_ctx, True,
                                        POLICY_VIEW_LOCAL_INFORMATION, &policy);
        if (!NT_STATUS_IS_OK(status)) {
                goto cleanup;
        }

        /* Lookup list of trusted domains; its status decides the return value */
        status = rpccli_lsa_enum_trust_dom(lsa, mem_ctx, &policy, &resume,
                                           num_domains, domain_names, sids);

cleanup:
        if (conn != NULL) {
                DEBUG(10,("enumerate_domain_trusts: shutting down connection...\n"));
                cli_shutdown(conn);
        }

        return NT_STATUS_IS_OK(status);
}
