source3/libsmb/trusts_util.c

   1 /*
   2  *  Unix SMB/CIFS implementation.
   3  *  Routines to operate on various trust relationships
   4  *  Copyright (C) Andrew Bartlett                   2001
   5  *  Copyright (C) Rafal Szczesniak                  2003
   6  *
   7  *  This program is free software; you can redistribute it and/or modify
   8  *  it under the terms of the GNU General Public License as published by
   9  *  the Free Software Foundation; either version 3 of the License, or
  10  *  (at your option) any later version.
  11  *
  12  *  This program is distributed in the hope that it will be useful,
  13  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  14  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15  *  GNU General Public License for more details.
  16  *
  17  *  You should have received a copy of the GNU General Public License
  18  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
  19  */
  20
  21 #include "includes.h"
  22 #include "../libcli/auth/libcli_auth.h"
  23 #include "../librpc/gen_ndr/cli_lsa.h"
  24 #include "rpc_client/cli_lsarpc.h"
  25 #include "rpc_client/cli_netlogon.h"
  26 #include "../librpc/gen_ndr/ndr_netlogon.h"
  27 #include "secrets.h"
  28
  29 /*********************************************************
  30  Change the domain password on the PDC.
  31  Store the password ourselves, but use the supplied password
  32  Caller must have already setup the connection to the NETLOGON pipe
  33 **********************************************************/
  34
  35 NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
  36                                       const char *domain,
  37                                       const char *account_name,
  38                                       unsigned char orig_trust_passwd_hash[16],
  39                                       enum netr_SchannelType sec_channel_type)
  40 {
  41         unsigned char new_trust_passwd_hash[16];
  42         char *new_trust_passwd;
  43         NTSTATUS nt_status;
  44
  45         switch (sec_channel_type) {
  46         case SEC_CHAN_WKSTA:
  47         case SEC_CHAN_DOMAIN:
  48                 break;
  49         default:
  50                 return NT_STATUS_NOT_SUPPORTED;
  51         }
  52
  53         /* Create a random machine account password */
  54         new_trust_passwd = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
  55
  56         if (new_trust_passwd == NULL) {
  57                 DEBUG(0, ("talloc_strdup failed\n"));
  58                 return NT_STATUS_NO_MEMORY;
  59         }
  60
  61         E_md4hash(new_trust_passwd, new_trust_passwd_hash);
  62
  63         nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
  64                                                        account_name,
  65                                                        orig_trust_passwd_hash,
  66                                                        new_trust_passwd,
  67                                                        new_trust_passwd_hash,
  68                                                        sec_channel_type);
  69
  70         if (NT_STATUS_IS_OK(nt_status)) {
  71                 DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
  72                          current_timestring(talloc_tos(), False)));
  73                 /*
  74                  * Return the result of trying to write the new password
  75                  * back into the trust account file.
  76                  */
  77
  78                 switch (sec_channel_type) {
  79
  80                 case SEC_CHAN_WKSTA:
  81                         if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
  82                                 nt_status = NT_STATUS_UNSUCCESSFUL;
  83                         }
  84                         break;
  85
  86                 case SEC_CHAN_DOMAIN: {
  87                         char *pwd;
  88                         struct dom_sid sid;
  89                         time_t pass_last_set_time;
  90
  91                         /* we need to get the sid first for the
  92                          * pdb_set_trusteddom_pw call */
  93
  94                         if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
  95                                 nt_status = NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
  96                         }
  97                         if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
  98                                 nt_status = NT_STATUS_INTERNAL_DB_CORRUPTION;
  99                         }
 100                         break;
 101                 }
 102                 default:
 103                         break;
 104                 }
 105         }
 106
 107         return nt_status;
 108 }
 109
 110 /*********************************************************
 111  Change the domain password on the PDC.
 112  Do most of the legwork ourselfs.  Caller must have
 113  already setup the connection to the NETLOGON pipe
 114 **********************************************************/
 115
 116 NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
 117                                            TALLOC_CTX *mem_ctx,
 118                                            const char *domain)
 119 {
 120         unsigned char old_trust_passwd_hash[16];
 121         enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
 122         const char *account_name;
 123
 124         if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
 125                                &sec_channel_type)) {
 126                 DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
 127                 return NT_STATUS_UNSUCCESSFUL;
 128         }
 129
 130         return trust_pw_change_and_store_it(cli, mem_ctx, domain,
 131                                             account_name,
 132                                             old_trust_passwd_hash,
 133                                             sec_channel_type);
 134 }
 135
 136 /*********************************************************************
 137  Enumerate the list of trusted domains from a DC
 138 *********************************************************************/
 139
 140 bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
 141                                      char ***domain_names, uint32 *num_domains,
 142                                      struct dom_sid **sids )
 143 {
 144         struct policy_handle    pol;
 145         NTSTATUS        result = NT_STATUS_UNSUCCESSFUL;
 146         fstring         dc_name;
 147         struct sockaddr_storage dc_ss;
 148         uint32          enum_ctx = 0;
 149         struct cli_state *cli = NULL;
 150         struct rpc_pipe_client *lsa_pipe = NULL;
 151         struct lsa_DomainList dom_list;
 152         int i;
 153
 154         *domain_names = NULL;
 155         *num_domains = 0;
 156         *sids = NULL;
 157
 158         /* lookup a DC first */
 159
 160         if ( !get_dc_name(domain, NULL, dc_name, &dc_ss) ) {
 161                 DEBUG(3,("enumerate_domain_trusts: can't locate a DC for domain %s\n",
 162                         domain));
 163                 return False;
 164         }
 165
 166         /* setup the anonymous connection */
 167
 168         result = cli_full_connection( &cli, global_myname(), dc_name, &dc_ss, 0, "IPC$", "IPC",
 169                 "", "", "", 0, Undefined, NULL);
 170         if ( !NT_STATUS_IS_OK(result) )
 171                 goto done;
 172
 173         /* open the LSARPC_PIPE */
 174
 175         result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
 176                                           &lsa_pipe);
 177         if (!NT_STATUS_IS_OK(result)) {
 178                 goto done;
 179         }
 180
 181         /* get a handle */
 182
 183         result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, True,
 184                 LSA_POLICY_VIEW_LOCAL_INFORMATION, &pol);
 185         if ( !NT_STATUS_IS_OK(result) )
 186                 goto done;
 187
 188         /* Lookup list of trusted domains */
 189
 190         result = rpccli_lsa_EnumTrustDom(lsa_pipe, mem_ctx,
 191                                          &pol,
 192                                          &enum_ctx,
 193                                          &dom_list,
 194                                          (uint32_t)-1);
 195         if ( !NT_STATUS_IS_OK(result) )
 196                 goto done;
 197
 198         *num_domains = dom_list.count;
 199
 200         *domain_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, *num_domains);
 201         if (!*domain_names) {
 202                 result = NT_STATUS_NO_MEMORY;
 203                 goto done;
 204         }
 205
 206         *sids = TALLOC_ZERO_ARRAY(mem_ctx, struct dom_sid, *num_domains);
 207         if (!*sids) {
 208                 result = NT_STATUS_NO_MEMORY;
 209                 goto done;
 210         }
 211
 212         for (i=0; i< *num_domains; i++) {
 213                 (*domain_names)[i] = CONST_DISCARD(char *, dom_list.domains[i].name.string);
 214                 (*sids)[i] = *dom_list.domains[i].sid;
 215         }
 216
 217 done:
 218         /* cleanup */
 219         if (cli) {
 220                 DEBUG(10,("enumerate_domain_trusts: shutting down connection...\n"));
 221                 cli_shutdown( cli );
 222         }
 223
 224         return NT_STATUS_IS_OK(result);
 225 }
 226
 227 NTSTATUS change_trust_account_password( const char *domain, const char *remote_machine)
 228 {
 229         NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
 230         struct sockaddr_storage pdc_ss;
 231         fstring dc_name;
 232         struct cli_state *cli = NULL;
 233         struct rpc_pipe_client *netlogon_pipe = NULL;
 234
 235         DEBUG(5,("change_trust_account_password: Attempting to change trust account password in domain %s....\n",
 236                 domain));
 237
 238         if (remote_machine == NULL || !strcmp(remote_machine, "*")) {
 239                 /* Use the PDC *only* for this */
 240
 241                 if ( !get_pdc_ip(domain, &pdc_ss) ) {
 242                         DEBUG(0,("Can't get IP for PDC for domain %s\n", domain));
 243                         goto failed;
 244                 }
 245
 246                 if ( !name_status_find( domain, 0x1b, 0x20, &pdc_ss, dc_name) )
 247                         goto failed;
 248         } else {
 249                 /* supoport old deprecated "smbpasswd -j DOMAIN -r MACHINE" behavior */
 250                 fstrcpy( dc_name, remote_machine );
 251         }
 252
 253         /* if this next call fails, then give up.  We can't do
 254            password changes on BDC's  --jerry */
 255
 256         if (!NT_STATUS_IS_OK(cli_full_connection(&cli, global_myname(), dc_name,
 257                                            NULL, 0,
 258                                            "IPC$", "IPC",
 259                                            "", "",
 260                                            "", 0, Undefined, NULL))) {
 261                 DEBUG(0,("modify_trust_password: Connection to %s failed!\n", dc_name));
 262                 nt_status = NT_STATUS_UNSUCCESSFUL;
 263                 goto failed;
 264         }
 265
 266         /*
 267          * Ok - we have an anonymous connection to the IPC$ share.
 268          * Now start the NT Domain stuff :-).
 269          */
 270
 271         /* Shouldn't we open this with schannel ? JRA. */
 272
 273         nt_status = cli_rpc_pipe_open_noauth(
 274                 cli, &ndr_table_netlogon.syntax_id, &netlogon_pipe);
 275         if (!NT_STATUS_IS_OK(nt_status)) {
 276                 DEBUG(0,("modify_trust_password: unable to open the domain client session to machine %s. Error was : %s.\n",
 277                         dc_name, nt_errstr(nt_status)));
 278                 cli_shutdown(cli);
 279                 cli = NULL;
 280                 goto failed;
 281         }
 282
 283         nt_status = trust_pw_find_change_and_store_it(
 284                 netlogon_pipe, netlogon_pipe, domain);
 285
 286         cli_shutdown(cli);
 287         cli = NULL;
 288
 289 failed:
 290         if (!NT_STATUS_IS_OK(nt_status)) {
 291                 DEBUG(0,("%s : change_trust_account_password: Failed to change password for domain %s.\n",
 292                         current_timestring(talloc_tos(), False), domain));
 293         }
 294         else
 295                 DEBUG(5,("change_trust_account_password: sucess!\n"));
 296
 297         return nt_status;
 298 }