2 Unix SMB/CIFS implementation.
3 Copyright (C) Andrew Tridgell 1992-2001
4 Copyright (C) Andrew Bartlett 2002
5 Copyright (C) Rafal Szczesniak 2002
6 Copyright (C) Tim Potter 2001
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 /* the Samba secrets database stores any generated, private information
23 such as the local SID and machine trust password */
27 #include "../libcli/auth/libcli_auth.h"
29 #include "dbwrap/dbwrap.h"
30 #include "../librpc/ndr/libndr.h"
32 #include "libcli/security/security.h"
34 #include "librpc/gen_ndr/libnet_join.h"
35 #include "librpc/gen_ndr/ndr_secrets.h"
36 #include "lib/crypto/crypto.h"
37 #include "lib/krb5_wrap/krb5_samba.h"
38 #include "lib/util/time_basic.h"
39 #include "../libds/common/flags.h"
42 #define DBGC_CLASS DBGC_PASSDB
44 static char *domain_info_keystr(const char *domain);
46 static char *des_salt_key(const char *realm);
49 * Form a key for fetching the domain sid
51 * @param domain domain name
55 static const char *domain_sid_keystr(const char *domain)
59 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
60 SECRETS_DOMAIN_SID, domain);
61 SMB_ASSERT(keystr != NULL);
65 static const char *domain_guid_keystr(const char *domain)
69 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
70 SECRETS_DOMAIN_GUID, domain);
71 SMB_ASSERT(keystr != NULL);
75 static const char *protect_ids_keystr(const char *domain)
79 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
80 SECRETS_PROTECT_IDS, domain);
81 SMB_ASSERT(keystr != NULL);
85 /* N O T E: never use this outside of passdb modules that store the SID on their own */
86 bool secrets_mark_domain_protected(const char *domain)
90 ret = secrets_store(protect_ids_keystr(domain), "TRUE", 5);
92 DEBUG(0, ("Failed to protect the Domain IDs\n"));
97 bool secrets_clear_domain_protection(const char *domain)
100 void *protection = secrets_fetch(protect_ids_keystr(domain), NULL);
103 SAFE_FREE(protection);
104 ret = secrets_delete_entry(protect_ids_keystr(domain));
106 DEBUG(0, ("Failed to remove Domain IDs protection\n"));
113 bool secrets_store_domain_sid(const char *domain, const struct dom_sid *sid)
118 protect_ids = secrets_fetch(protect_ids_keystr(domain), NULL);
120 if (strncmp(protect_ids, "TRUE", 4)) {
121 DEBUG(0, ("Refusing to store a Domain SID, "
122 "it has been marked as protected!\n"));
123 SAFE_FREE(protect_ids);
127 SAFE_FREE(protect_ids);
129 ret = secrets_store(domain_sid_keystr(domain), sid, sizeof(struct dom_sid ));
131 /* Force a re-query, in the case where we modified our domain */
133 if (dom_sid_equal(get_global_sam_sid(), sid) == false) {
134 reset_global_sam_sid();
140 bool secrets_fetch_domain_sid(const char *domain, struct dom_sid *sid)
142 struct dom_sid *dyn_sid;
145 dyn_sid = (struct dom_sid *)secrets_fetch(domain_sid_keystr(domain), &size);
150 if (size != sizeof(struct dom_sid)) {
160 bool secrets_store_domain_guid(const char *domain, const struct GUID *guid)
165 protect_ids = secrets_fetch(protect_ids_keystr(domain), NULL);
167 if (strncmp(protect_ids, "TRUE", 4)) {
168 DEBUG(0, ("Refusing to store a Domain SID, "
169 "it has been marked as protected!\n"));
170 SAFE_FREE(protect_ids);
174 SAFE_FREE(protect_ids);
176 key = domain_guid_keystr(domain);
177 return secrets_store(key, guid, sizeof(struct GUID));
180 bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid)
182 struct GUID *dyn_guid;
185 struct GUID new_guid;
187 key = domain_guid_keystr(domain);
188 dyn_guid = (struct GUID *)secrets_fetch(key, &size);
191 if (lp_server_role() == ROLE_DOMAIN_PDC) {
192 new_guid = GUID_random();
193 if (!secrets_store_domain_guid(domain, &new_guid))
195 dyn_guid = (struct GUID *)secrets_fetch(key, &size);
197 if (dyn_guid == NULL) {
202 if (size != sizeof(struct GUID)) {
203 DEBUG(1,("UUID size %d is wrong!\n", (int)size));
214 * Form a key for fetching the machine trust account sec channel type
216 * @param domain domain name
220 static const char *machine_sec_channel_type_keystr(const char *domain)
224 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
225 SECRETS_MACHINE_SEC_CHANNEL_TYPE,
227 SMB_ASSERT(keystr != NULL);
232 * Form a key for fetching the machine trust account last change time
234 * @param domain domain name
238 static const char *machine_last_change_time_keystr(const char *domain)
242 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
243 SECRETS_MACHINE_LAST_CHANGE_TIME,
245 SMB_ASSERT(keystr != NULL);
251 * Form a key for fetching the machine previous trust account password
253 * @param domain domain name
257 static const char *machine_prev_password_keystr(const char *domain)
261 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
262 SECRETS_MACHINE_PASSWORD_PREV, domain);
263 SMB_ASSERT(keystr != NULL);
268 * Form a key for fetching the machine trust account password
270 * @param domain domain name
274 static const char *machine_password_keystr(const char *domain)
278 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
279 SECRETS_MACHINE_PASSWORD, domain);
280 SMB_ASSERT(keystr != NULL);
285 * Form a key for fetching the machine trust account password
287 * @param domain domain name
289 * @return stored password's key
291 static const char *trust_keystr(const char *domain)
295 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
296 SECRETS_MACHINE_ACCT_PASS, domain);
297 SMB_ASSERT(keystr != NULL);
301 /************************************************************************
302 Routine to get the default secure channel type for trust accounts
303 ************************************************************************/
305 enum netr_SchannelType get_default_sec_channel(void)
307 if (lp_server_role() == ROLE_DOMAIN_BDC ||
308 lp_server_role() == ROLE_DOMAIN_PDC ||
309 lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
312 return SEC_CHAN_WKSTA;
316 /************************************************************************
317 Routine to get the trust account password for a domain.
318 This only tries to get the legacy hashed version of the password.
319 The user of this function must have locked the trust password file using
320 the above secrets_lock_trust_account_password().
321 ************************************************************************/
323 bool secrets_fetch_trust_account_password_legacy(const char *domain,
325 time_t *pass_last_set_time,
326 enum netr_SchannelType *channel)
328 struct machine_acct_pass *pass;
331 if (!(pass = (struct machine_acct_pass *)secrets_fetch(
332 trust_keystr(domain), &size))) {
333 DEBUG(5, ("secrets_fetch failed!\n"));
337 if (size != sizeof(*pass)) {
338 DEBUG(0, ("secrets were of incorrect size!\n"));
343 if (pass_last_set_time) {
344 *pass_last_set_time = pass->mod_time;
346 memcpy(ret_pwd, pass->hash, 16);
349 *channel = get_default_sec_channel();
356 /************************************************************************
357 Routine to get the trust account password for a domain.
358 The user of this function must have locked the trust password file using
359 the above secrets_lock_trust_account_password().
360 ************************************************************************/
362 bool secrets_fetch_trust_account_password(const char *domain, uint8_t ret_pwd[16],
363 time_t *pass_last_set_time,
364 enum netr_SchannelType *channel)
368 plaintext = secrets_fetch_machine_password(domain, pass_last_set_time,
371 DEBUG(4,("Using cleartext machine password\n"));
372 E_md4hash(plaintext, ret_pwd);
373 SAFE_FREE(plaintext);
377 return secrets_fetch_trust_account_password_legacy(domain, ret_pwd,
382 /************************************************************************
383 Routine to delete all information related to the domain joined machine.
384 ************************************************************************/
386 bool secrets_delete_machine_password_ex(const char *domain, const char *realm)
388 const char *tmpkey = NULL;
391 tmpkey = domain_info_keystr(domain);
392 ok = secrets_delete(tmpkey);
398 tmpkey = des_salt_key(domain);
399 ok = secrets_delete(tmpkey);
405 tmpkey = domain_guid_keystr(domain);
406 ok = secrets_delete(tmpkey);
411 tmpkey = machine_prev_password_keystr(domain);
412 ok = secrets_delete(tmpkey);
417 tmpkey = machine_password_keystr(domain);
418 ok = secrets_delete(tmpkey);
423 tmpkey = machine_sec_channel_type_keystr(domain);
424 ok = secrets_delete(tmpkey);
429 tmpkey = machine_last_change_time_keystr(domain);
430 ok = secrets_delete(tmpkey);
435 tmpkey = domain_sid_keystr(domain);
436 ok = secrets_delete(tmpkey);
444 /************************************************************************
445 Routine to delete the domain sid
446 ************************************************************************/
448 bool secrets_delete_domain_sid(const char *domain)
450 return secrets_delete_entry(domain_sid_keystr(domain));
453 /************************************************************************
454 Set the machine trust account password, the old pw and last change
455 time, domain SID and salting principals based on values passed in
456 (added to supprt the secrets_tdb_sync module on secrets.ldb)
457 ************************************************************************/
459 bool secrets_store_machine_pw_sync(const char *pass, const char *oldpass, const char *domain,
461 const char *salting_principal, uint32_t supported_enc_types,
462 const struct dom_sid *domain_sid, uint32_t last_change_time,
463 uint32_t secure_channel_type,
467 uint8_t last_change_time_store[4];
468 TALLOC_CTX *frame = talloc_stackframe();
469 uint8_t sec_channel_bytes[4];
472 secrets_delete_machine_password_ex(domain, realm);
477 ret = secrets_store(machine_password_keystr(domain), pass, strlen(pass)+1);
484 ret = secrets_store(machine_prev_password_keystr(domain), oldpass, strlen(oldpass)+1);
486 ret = secrets_delete(machine_prev_password_keystr(domain));
493 if (secure_channel_type == 0) {
494 /* We delete this and instead have the read code fall back to
495 * a default based on server role, as our caller can't specify
496 * this with any more certainty */
497 ret = secrets_delete(machine_sec_channel_type_keystr(domain));
503 SIVAL(&sec_channel_bytes, 0, secure_channel_type);
504 ret = secrets_store(machine_sec_channel_type_keystr(domain),
505 &sec_channel_bytes, sizeof(sec_channel_bytes));
512 SIVAL(&last_change_time_store, 0, last_change_time);
513 ret = secrets_store(machine_last_change_time_keystr(domain),
514 &last_change_time_store, sizeof(last_change_time));
521 ret = secrets_store_domain_sid(domain, domain_sid);
529 char *key = des_salt_key(realm);
531 if (salting_principal != NULL) {
532 ret = secrets_store(key,
534 strlen(salting_principal)+1);
536 ret = secrets_delete(key);
544 /************************************************************************
545 Return the standard DES salt key
546 ************************************************************************/
548 char* kerberos_standard_des_salt( void )
552 fstr_sprintf( salt, "host/%s.%s@", lp_netbios_name(), lp_realm() );
553 (void)strlower_m( salt );
554 fstrcat( salt, lp_realm() );
556 return SMB_STRDUP( salt );
559 /************************************************************************
560 ************************************************************************/
562 static char *des_salt_key(const char *realm)
566 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/DES/%s",
567 SECRETS_SALTING_PRINCIPAL,
569 SMB_ASSERT(keystr != NULL);
573 /************************************************************************
574 ************************************************************************/
576 bool kerberos_secrets_store_des_salt( const char* salt )
581 key = des_salt_key(lp_realm());
583 DEBUG(0,("kerberos_secrets_store_des_salt: failed to generate key!\n"));
588 DEBUG(8,("kerberos_secrets_store_des_salt: deleting salt\n"));
589 secrets_delete_entry( key );
593 DEBUG(3,("kerberos_secrets_store_des_salt: Storing salt \"%s\"\n", salt));
595 ret = secrets_store( key, salt, strlen(salt)+1 );
602 /************************************************************************
603 ************************************************************************/
606 char* kerberos_secrets_fetch_des_salt( void )
610 key = des_salt_key(lp_realm());
612 DEBUG(0,("kerberos_secrets_fetch_des_salt: failed to generate key!\n"));
616 salt = (char*)secrets_fetch( key, NULL );
623 /************************************************************************
624 Routine to get the salting principal for this service.
625 Caller must free if return is not null.
626 ************************************************************************/
628 char *kerberos_secrets_fetch_salt_princ(void)
631 /* lookup new key first */
633 salt_princ_s = kerberos_secrets_fetch_des_salt();
634 if (salt_princ_s == NULL) {
635 /* fall back to host/machine.realm@REALM */
636 salt_princ_s = kerberos_standard_des_salt();
642 /************************************************************************
643 Routine to fetch the previous plaintext machine account password for a realm
644 the password is assumed to be a null terminated ascii string.
645 ************************************************************************/
647 char *secrets_fetch_prev_machine_password(const char *domain)
649 return (char *)secrets_fetch(machine_prev_password_keystr(domain), NULL);
652 /************************************************************************
653 Routine to fetch the last change time of the machine account password
655 ************************************************************************/
657 time_t secrets_fetch_pass_last_set_time(const char *domain)
659 uint32_t *last_set_time;
660 time_t pass_last_set_time;
662 last_set_time = secrets_fetch(machine_last_change_time_keystr(domain),
665 pass_last_set_time = IVAL(last_set_time,0);
666 SAFE_FREE(last_set_time);
668 pass_last_set_time = 0;
671 return pass_last_set_time;
674 /************************************************************************
675 Routine to fetch the plaintext machine account password for a realm
676 the password is assumed to be a null terminated ascii string.
677 ************************************************************************/
679 char *secrets_fetch_machine_password(const char *domain,
680 time_t *pass_last_set_time,
681 enum netr_SchannelType *channel)
684 ret = (char *)secrets_fetch(machine_password_keystr(domain), NULL);
686 if (pass_last_set_time) {
687 *pass_last_set_time = secrets_fetch_pass_last_set_time(domain);
692 uint32_t *channel_type;
693 channel_type = (unsigned int *)secrets_fetch(machine_sec_channel_type_keystr(domain), &size);
695 *channel = IVAL(channel_type,0);
696 SAFE_FREE(channel_type);
698 *channel = get_default_sec_channel();
705 static char *domain_info_keystr(const char *domain)
709 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
710 SECRETS_MACHINE_DOMAIN_INFO,
712 SMB_ASSERT(keystr != NULL);
716 /************************************************************************
717 Routine to get account password to trusted domain
718 ************************************************************************/
720 static NTSTATUS secrets_fetch_domain_info1_by_key(const char *key,
722 struct secrets_domain_info1 **_info1)
724 struct secrets_domain_infoB sdib = { .version = 0, };
725 enum ndr_err_code ndr_err;
726 /* unpacking structures */
729 /* fetching trusted domain password structure */
730 blob.data = (uint8_t *)secrets_fetch(key, &blob.length);
731 if (blob.data == NULL) {
732 DBG_NOTICE("secrets_fetch failed!\n");
733 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
736 /* unpack trusted domain password */
737 ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, &sdib,
738 (ndr_pull_flags_fn_t)ndr_pull_secrets_domain_infoB);
739 SAFE_FREE(blob.data);
740 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
741 DBG_ERR("ndr_pull_struct_blob failed - %s!\n",
742 ndr_errstr(ndr_err));
743 return NT_STATUS_INTERNAL_DB_CORRUPTION;
746 if (sdib.version != SECRETS_DOMAIN_INFO_VERSION_1) {
747 DBG_ERR("sdib.version = %u\n", (unsigned)sdib.version);
748 return NT_STATUS_INTERNAL_DB_CORRUPTION;
751 *_info1 = sdib.info.info1;
752 return NT_STATUS_OK;;
755 static NTSTATUS secrets_fetch_domain_info(const char *domain,
757 struct secrets_domain_info1 **pinfo)
759 char *key = domain_info_keystr(domain);
760 return secrets_fetch_domain_info1_by_key(key, mem_ctx, pinfo);
763 void secrets_debug_domain_info(int lvl, const struct secrets_domain_info1 *info1,
766 struct secrets_domain_infoB sdib = {
767 .version = SECRETS_DOMAIN_INFO_VERSION_1,
770 sdib.info.info1 = discard_const_p(struct secrets_domain_info1, info1);
772 ndr_print_debug((ndr_print_fn_t)ndr_print_secrets_domain_infoB,
776 char *secrets_domain_info_string(TALLOC_CTX *mem_ctx, const struct secrets_domain_info1 *info1,
777 const char *name, bool include_secrets)
779 TALLOC_CTX *frame = talloc_stackframe();
780 struct secrets_domain_infoB sdib = {
781 .version = SECRETS_DOMAIN_INFO_VERSION_1,
783 struct ndr_print *ndr = NULL;
786 sdib.info.info1 = discard_const_p(struct secrets_domain_info1, info1);
788 ndr = talloc_zero(frame, struct ndr_print);
793 ndr->private_data = talloc_strdup(ndr, "");
794 if (ndr->private_data == NULL) {
798 ndr->print = ndr_print_string_helper;
800 ndr->print_secrets = include_secrets;
802 ndr_print_secrets_domain_infoB(ndr, name, &sdib);
803 ret = talloc_steal(mem_ctx, (char *)ndr->private_data);
808 static NTSTATUS secrets_store_domain_info1_by_key(const char *key,
809 const struct secrets_domain_info1 *info1)
811 struct secrets_domain_infoB sdib = {
812 .version = SECRETS_DOMAIN_INFO_VERSION_1,
814 /* packing structures */
816 enum ndr_err_code ndr_err;
819 sdib.info.info1 = discard_const_p(struct secrets_domain_info1, info1);
821 ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), &sdib,
822 (ndr_push_flags_fn_t)ndr_push_secrets_domain_infoB);
823 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
824 return ndr_map_error2ntstatus(ndr_err);
827 ok = secrets_store(key, blob.data, blob.length);
828 data_blob_clear_free(&blob);
830 return NT_STATUS_INTERNAL_DB_ERROR;
836 static NTSTATUS secrets_store_domain_info(const struct secrets_domain_info1 *info,
839 TALLOC_CTX *frame = talloc_stackframe();
840 const char *domain = info->domain_info.name.string;
841 const char *realm = info->domain_info.dns_domain.string;
842 char *key = domain_info_keystr(domain);
843 struct db_context *db = NULL;
844 struct timeval last_change_tv;
845 const DATA_BLOB *cleartext_blob = NULL;
846 DATA_BLOB pw_blob = data_blob_null;
847 DATA_BLOB old_pw_blob = data_blob_null;
848 const char *pw = NULL;
849 const char *old_pw = NULL;
853 int role = lp_server_role();
855 switch (info->secure_channel_type) {
858 if (!upgrade && role >= ROLE_ACTIVE_DIRECTORY_DC) {
859 DBG_ERR("AD_DC not supported for %s\n",
862 return NT_STATUS_INTERNAL_ERROR;
867 DBG_ERR("SEC_CHAN_* not supported for %s\n",
870 return NT_STATUS_INTERNAL_ERROR;
873 db = secrets_db_ctx();
875 ret = dbwrap_transaction_start(db);
877 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
880 return NT_STATUS_INTERNAL_DB_ERROR;
883 ok = secrets_clear_domain_protection(domain);
885 DBG_ERR("secrets_clear_domain_protection(%s) failed\n",
887 dbwrap_transaction_cancel(db);
889 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
892 ok = secrets_delete_machine_password_ex(domain, realm);
894 DBG_ERR("secrets_delete_machine_password_ex(%s) failed\n",
896 dbwrap_transaction_cancel(db);
898 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
901 status = secrets_store_domain_info1_by_key(key, info);
902 if (!NT_STATUS_IS_OK(status)) {
903 DBG_ERR("secrets_store_domain_info1_by_key() failed "
904 "for %s - %s\n", domain, nt_errstr(status));
905 dbwrap_transaction_cancel(db);
911 * We use info->password_last_change instead
912 * of info->password.change_time because
913 * we may want to defer the next change approach
914 * if the server rejected the change the last time,
915 * e.g. due to RefusePasswordChange=1.
917 nttime_to_timeval(&last_change_tv, info->password_last_change);
919 cleartext_blob = &info->password->cleartext_blob;
920 ok = convert_string_talloc(frame, CH_UTF16MUNGED, CH_UNIX,
921 cleartext_blob->data,
922 cleartext_blob->length,
923 (void **)&pw_blob.data,
926 status = NT_STATUS_UNMAPPABLE_CHARACTER;
927 if (errno == ENOMEM) {
928 status = NT_STATUS_NO_MEMORY;
930 DBG_ERR("convert_string_talloc(CH_UTF16MUNGED, CH_UNIX) "
931 "failed for pw of %s - %s\n",
932 domain, nt_errstr(status));
933 dbwrap_transaction_cancel(db);
937 pw = (const char *)pw_blob.data;
938 if (info->old_password != NULL) {
939 cleartext_blob = &info->old_password->cleartext_blob;
940 ok = convert_string_talloc(frame, CH_UTF16MUNGED, CH_UNIX,
941 cleartext_blob->data,
942 cleartext_blob->length,
943 (void **)&old_pw_blob.data,
944 &old_pw_blob.length);
946 status = NT_STATUS_UNMAPPABLE_CHARACTER;
947 if (errno == ENOMEM) {
948 status = NT_STATUS_NO_MEMORY;
950 DBG_ERR("convert_string_talloc(CH_UTF16MUNGED, CH_UNIX) "
951 "failed for old_pw of %s - %s\n",
952 domain, nt_errstr(status));
953 dbwrap_transaction_cancel(db);
954 data_blob_clear_free(&pw_blob);
958 old_pw = (const char *)old_pw_blob.data;
961 ok = secrets_store_machine_pw_sync(pw, old_pw,
963 info->salt_principal,
964 info->supported_enc_types,
965 info->domain_info.sid,
966 last_change_tv.tv_sec,
967 info->secure_channel_type,
968 false); /* delete_join */
969 data_blob_clear_free(&pw_blob);
970 data_blob_clear_free(&old_pw_blob);
972 DBG_ERR("secrets_store_machine_pw_sync(%s) failed\n",
974 dbwrap_transaction_cancel(db);
976 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
979 if (!GUID_all_zero(&info->domain_info.domain_guid)) {
980 ok = secrets_store_domain_guid(domain,
981 &info->domain_info.domain_guid);
983 DBG_ERR("secrets_store_domain_guid(%s) failed\n",
985 dbwrap_transaction_cancel(db);
987 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
991 ok = secrets_mark_domain_protected(domain);
993 DBG_ERR("secrets_mark_domain_protected(%s) failed\n",
995 dbwrap_transaction_cancel(db);
997 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1000 ret = dbwrap_transaction_commit(db);
1002 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
1005 return NT_STATUS_INTERNAL_DB_ERROR;
1009 return NT_STATUS_OK;
1012 static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_password *p,
1013 const char *salt_principal)
1016 krb5_error_code krb5_ret;
1017 krb5_context krb5_ctx = NULL;
1018 DATA_BLOB cleartext_utf8_b = data_blob_null;
1019 krb5_data cleartext_utf8;
1022 DATA_BLOB aes_256_b = data_blob_null;
1023 DATA_BLOB aes_128_b = data_blob_null;
1024 DATA_BLOB des_md5_b = data_blob_null;
1026 #endif /* HAVE_ADS */
1027 DATA_BLOB arc4_b = data_blob_null;
1028 const uint16_t max_keys = 4;
1029 struct secrets_domain_info1_kerberos_key *keys = NULL;
1031 char *salt_data = NULL;
1035 * ENCTYPE_AES256_CTS_HMAC_SHA1_96
1036 * ENCTYPE_AES128_CTS_HMAC_SHA1_96
1037 * ENCTYPE_ARCFOUR_HMAC
1038 * ENCTYPE_DES_CBC_MD5
1040 * We don't include ENCTYPE_DES_CBC_CRC
1041 * as W2008R2 also doesn't store it anymore.
1043 * Note we store all enctypes we support,
1044 * including the weak encryption types,
1045 * but that's no problem as we also
1046 * store the cleartext password anyway.
1048 * Which values are then used to construct
1049 * a keytab is configured at runtime and the
1050 * configuration of msDS-SupportedEncryptionTypes.
1052 * If we don't have kerberos support or no
1053 * salt, we only generate an entry for arcfour-hmac-md5.
1055 keys = talloc_zero_array(p,
1056 struct secrets_domain_info1_kerberos_key,
1062 arc4_b = data_blob_talloc(keys,
1064 sizeof(p->nt_hash.hash));
1065 if (arc4_b.data == NULL) {
1066 DBG_ERR("data_blob_talloc failed for arcfour-hmac-md5.\n");
1072 if (salt_principal == NULL) {
1076 initialize_krb5_error_table();
1077 krb5_ret = krb5_init_context(&krb5_ctx);
1078 if (krb5_ret != 0) {
1083 krb5_ret = smb_krb5_salt_principal2data(krb5_ctx, salt_principal,
1085 if (krb5_ret != 0) {
1086 DBG_ERR("smb_krb5_salt_principal2data(%s) failed: %s\n",
1088 smb_get_krb5_error_message(krb5_ctx, krb5_ret, keys));
1089 krb5_free_context(krb5_ctx);
1094 salt = (krb5_data) {
1095 .data = discard_const(salt_data),
1096 .length = strlen(salt_data),
1099 ok = convert_string_talloc(keys, CH_UTF16MUNGED, CH_UTF8,
1100 p->cleartext_blob.data,
1101 p->cleartext_blob.length,
1102 (void **)&cleartext_utf8_b.data,
1103 &cleartext_utf8_b.length);
1110 krb5_free_context(krb5_ctx);
1114 cleartext_utf8.data = (void *)cleartext_utf8_b.data;
1115 cleartext_utf8.length = cleartext_utf8_b.length;
1117 krb5_ret = smb_krb5_create_key_from_string(krb5_ctx,
1121 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
1123 if (krb5_ret != 0) {
1124 DBG_ERR("generation of a aes256-cts-hmac-sha1-96 key failed: %s\n",
1125 smb_get_krb5_error_message(krb5_ctx, krb5_ret, keys));
1126 krb5_free_context(krb5_ctx);
1128 TALLOC_FREE(salt_data);
1131 aes_256_b = data_blob_talloc(keys,
1132 KRB5_KEY_DATA(&key),
1133 KRB5_KEY_LENGTH(&key));
1134 krb5_free_keyblock_contents(krb5_ctx, &key);
1135 if (aes_256_b.data == NULL) {
1136 DBG_ERR("data_blob_talloc failed for aes-256.\n");
1137 krb5_free_context(krb5_ctx);
1139 TALLOC_FREE(salt_data);
1143 krb5_ret = smb_krb5_create_key_from_string(krb5_ctx,
1147 ENCTYPE_AES128_CTS_HMAC_SHA1_96,
1149 if (krb5_ret != 0) {
1150 DBG_ERR("generation of a aes128-cts-hmac-sha1-96 key failed: %s\n",
1151 smb_get_krb5_error_message(krb5_ctx, krb5_ret, keys));
1152 krb5_free_context(krb5_ctx);
1154 TALLOC_FREE(salt_data);
1157 aes_128_b = data_blob_talloc(keys,
1158 KRB5_KEY_DATA(&key),
1159 KRB5_KEY_LENGTH(&key));
1160 krb5_free_keyblock_contents(krb5_ctx, &key);
1161 if (aes_128_b.data == NULL) {
1162 DBG_ERR("data_blob_talloc failed for aes-128.\n");
1163 krb5_free_context(krb5_ctx);
1165 TALLOC_FREE(salt_data);
1169 krb5_ret = smb_krb5_create_key_from_string(krb5_ctx,
1173 ENCTYPE_DES_CBC_MD5,
1175 if (krb5_ret != 0) {
1176 DBG_ERR("generation of a des-cbc-md5 key failed: %s\n",
1177 smb_get_krb5_error_message(krb5_ctx, krb5_ret, keys));
1178 krb5_free_context(krb5_ctx);
1180 TALLOC_FREE(salt_data);
1183 des_md5_b = data_blob_talloc(keys,
1184 KRB5_KEY_DATA(&key),
1185 KRB5_KEY_LENGTH(&key));
1186 krb5_free_keyblock_contents(krb5_ctx, &key);
1187 if (des_md5_b.data == NULL) {
1188 DBG_ERR("data_blob_talloc failed for des-cbc-md5.\n");
1189 krb5_free_context(krb5_ctx);
1191 TALLOC_FREE(salt_data);
1195 krb5_free_context(krb5_ctx);
1198 if (aes_256_b.length != 0) {
1199 keys[idx].keytype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
1200 keys[idx].iteration_count = 4096;
1201 keys[idx].value = aes_256_b;
1205 if (aes_128_b.length != 0) {
1206 keys[idx].keytype = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
1207 keys[idx].iteration_count = 4096;
1208 keys[idx].value = aes_128_b;
1212 #endif /* HAVE_ADS */
1214 keys[idx].keytype = ENCTYPE_ARCFOUR_HMAC;
1215 keys[idx].iteration_count = 4096;
1216 keys[idx].value = arc4_b;
1220 if (des_md5_b.length != 0) {
1221 keys[idx].keytype = ENCTYPE_DES_CBC_MD5;
1222 keys[idx].iteration_count = 4096;
1223 keys[idx].value = des_md5_b;
1226 #endif /* HAVE_ADS */
1228 p->salt_data = salt_data;
1229 p->default_iteration_count = 4096;
1235 static NTSTATUS secrets_domain_info_password_create(TALLOC_CTX *mem_ctx,
1236 const char *cleartext_unix,
1237 const char *salt_principal,
1239 const char *change_server,
1240 struct secrets_domain_info1_password **_p)
1242 struct secrets_domain_info1_password *p = NULL;
1247 if (change_server == NULL) {
1248 return NT_STATUS_INVALID_PARAMETER_MIX;
1251 p = talloc_zero(mem_ctx, struct secrets_domain_info1_password);
1253 return NT_STATUS_NO_MEMORY;
1255 p->change_time = change_time;
1256 p->change_server = talloc_strdup(p, change_server);
1257 if (p->change_server == NULL) {
1259 return NT_STATUS_NO_MEMORY;
1261 len = strlen(cleartext_unix);
1262 ok = convert_string_talloc(p, CH_UNIX, CH_UTF16,
1263 cleartext_unix, len,
1264 (void **)&p->cleartext_blob.data,
1265 &p->cleartext_blob.length);
1267 NTSTATUS status = NT_STATUS_UNMAPPABLE_CHARACTER;
1268 if (errno == ENOMEM) {
1269 status = NT_STATUS_NO_MEMORY;
1274 mdfour(p->nt_hash.hash,
1275 p->cleartext_blob.data,
1276 p->cleartext_blob.length);
1278 ret = secrets_domain_info_kerberos_keys(p, salt_principal);
1280 NTSTATUS status = krb5_to_nt_status(ret);
1286 return NT_STATUS_OK;
1289 NTSTATUS secrets_fetch_or_upgrade_domain_info(const char *domain,
1290 TALLOC_CTX *mem_ctx,
1291 struct secrets_domain_info1 **pinfo)
1293 TALLOC_CTX *frame = NULL;
1294 struct secrets_domain_info1 *old = NULL;
1295 struct secrets_domain_info1 *info = NULL;
1296 const char *dns_domain = NULL;
1297 const char *server = NULL;
1298 struct db_context *db = NULL;
1299 time_t last_set_time;
1301 enum netr_SchannelType channel;
1303 char *old_pw = NULL;
1304 struct dom_sid domain_sid;
1305 struct GUID domain_guid;
1310 ok = strequal(domain, lp_workgroup());
1312 dns_domain = lp_dnsdomain();
1314 if (dns_domain != NULL && dns_domain[0] == '\0') {
1319 last_set_time = secrets_fetch_pass_last_set_time(domain);
1320 if (last_set_time == 0) {
1321 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1323 unix_to_nt_time(&last_set_nt, last_set_time);
1325 frame = talloc_stackframe();
1327 status = secrets_fetch_domain_info(domain, frame, &old);
1328 if (NT_STATUS_IS_OK(status)) {
1329 if (old->password_last_change >= last_set_nt) {
1330 *pinfo = talloc_move(mem_ctx, &old);
1332 return NT_STATUS_OK;
1337 info = talloc_zero(frame, struct secrets_domain_info1);
1339 DBG_ERR("talloc_zero failed\n");
1341 return NT_STATUS_NO_MEMORY;
1344 db = secrets_db_ctx();
1346 ret = dbwrap_transaction_start(db);
1348 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
1351 return NT_STATUS_INTERNAL_DB_ERROR;
1354 pw = secrets_fetch_machine_password(domain,
1358 DBG_ERR("secrets_fetch_machine_password(%s) failed\n",
1360 dbwrap_transaction_cancel(db);
1362 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1364 unix_to_nt_time(&last_set_nt, last_set_time);
1366 old_pw = secrets_fetch_prev_machine_password(domain);
1368 ok = secrets_fetch_domain_sid(domain, &domain_sid);
1370 DBG_ERR("secrets_fetch_domain_sid(%s) failed\n",
1372 dbwrap_transaction_cancel(db);
1376 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1379 ok = secrets_fetch_domain_guid(domain, &domain_guid);
1381 domain_guid = GUID_zero();
1384 info->computer_name = lp_netbios_name();
1385 info->account_name = talloc_asprintf(frame, "%s$", info->computer_name);
1386 if (info->account_name == NULL) {
1387 DBG_ERR("talloc_asprintf(%s$) failed\n", info->computer_name);
1388 dbwrap_transaction_cancel(db);
1392 return NT_STATUS_NO_MEMORY;
1394 info->secure_channel_type = channel;
1396 info->domain_info.name.string = domain;
1397 info->domain_info.dns_domain.string = dns_domain;
1398 info->domain_info.dns_forest.string = dns_domain;
1399 info->domain_info.domain_guid = domain_guid;
1400 info->domain_info.sid = &domain_sid;
1402 info->trust_flags = NETR_TRUST_FLAG_PRIMARY;
1403 info->trust_flags |= NETR_TRUST_FLAG_OUTBOUND;
1405 if (dns_domain != NULL) {
1407 * We just assume all AD domains are
1408 * NETR_TRUST_FLAG_NATIVE these days.
1410 * This isn't used anyway for now.
1412 info->trust_flags |= NETR_TRUST_FLAG_NATIVE;
1414 info->trust_type = LSA_TRUST_TYPE_UPLEVEL;
1416 server = info->domain_info.dns_domain.string;
1418 info->trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
1420 server = talloc_asprintf(info,
1424 if (server == NULL) {
1425 DBG_ERR("talloc_asprintf(%s#%02X) failed\n",
1426 domain, NBT_NAME_PDC);
1427 dbwrap_transaction_cancel(db);
1431 return NT_STATUS_NO_MEMORY;
1434 info->trust_attributes = LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL;
1436 info->join_time = 0;
1439 * We don't have enough information about the configured
1442 info->supported_enc_types = 0;
1443 info->salt_principal = NULL;
1444 if (info->trust_type == LSA_TRUST_TYPE_UPLEVEL) {
1447 p = kerberos_secrets_fetch_salt_princ();
1449 dbwrap_transaction_cancel(db);
1453 return NT_STATUS_INTERNAL_ERROR;
1455 info->salt_principal = talloc_strdup(info, p);
1457 if (info->salt_principal == NULL) {
1458 dbwrap_transaction_cancel(db);
1462 return NT_STATUS_NO_MEMORY;
1466 info->password_last_change = last_set_nt;
1467 info->password_changes = 1;
1468 info->next_change = NULL;
1470 status = secrets_domain_info_password_create(info,
1472 info->salt_principal,
1473 last_set_nt, server,
1476 if (!NT_STATUS_IS_OK(status)) {
1477 DBG_ERR("secrets_domain_info_password_create(pw) failed "
1478 "for %s - %s\n", domain, nt_errstr(status));
1479 dbwrap_transaction_cancel(db);
1486 * After a join we don't have old passwords.
1488 if (old_pw != NULL) {
1489 status = secrets_domain_info_password_create(info,
1491 info->salt_principal,
1493 &info->old_password);
1495 if (!NT_STATUS_IS_OK(status)) {
1496 DBG_ERR("secrets_domain_info_password_create(old) failed "
1497 "for %s - %s\n", domain, nt_errstr(status));
1498 dbwrap_transaction_cancel(db);
1502 info->password_changes += 1;
1504 info->old_password = NULL;
1506 info->older_password = NULL;
1508 secrets_debug_domain_info(DBGLVL_INFO, info, "upgrade");
1510 status = secrets_store_domain_info(info, true /* upgrade */);
1511 if (!NT_STATUS_IS_OK(status)) {
1512 DBG_ERR("secrets_store_domain_info() failed "
1513 "for %s - %s\n", domain, nt_errstr(status));
1514 dbwrap_transaction_cancel(db);
1520 * We now reparse it.
1522 status = secrets_fetch_domain_info(domain, frame, &info);
1523 if (!NT_STATUS_IS_OK(status)) {
1524 DBG_ERR("secrets_fetch_domain_info() failed "
1525 "for %s - %s\n", domain, nt_errstr(status));
1526 dbwrap_transaction_cancel(db);
1531 ret = dbwrap_transaction_commit(db);
1533 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
1535 dbwrap_transaction_cancel(db);
1537 return NT_STATUS_INTERNAL_DB_ERROR;
1540 *pinfo = talloc_move(mem_ctx, &info);
1542 return NT_STATUS_OK;
1545 NTSTATUS secrets_store_JoinCtx(const struct libnet_JoinCtx *r)
1547 TALLOC_CTX *frame = talloc_stackframe();
1548 struct secrets_domain_info1 *old = NULL;
1549 struct secrets_domain_info1 *info = NULL;
1550 struct db_context *db = NULL;
1551 struct timeval tv = timeval_current();
1552 NTTIME now = timeval_to_nttime(&tv);
1553 const char *domain = r->out.netbios_domain_name;
1557 info = talloc_zero(frame, struct secrets_domain_info1);
1559 DBG_ERR("talloc_zero failed\n");
1561 return NT_STATUS_NO_MEMORY;
1564 info->computer_name = r->in.machine_name;
1565 info->account_name = r->out.account_name;
1566 info->secure_channel_type = r->in.secure_channel_type;
1568 info->domain_info.name.string =
1569 r->out.netbios_domain_name;
1570 info->domain_info.dns_domain.string =
1571 r->out.dns_domain_name;
1572 info->domain_info.dns_forest.string =
1574 info->domain_info.domain_guid = r->out.domain_guid;
1575 info->domain_info.sid = r->out.domain_sid;
1577 info->trust_flags = NETR_TRUST_FLAG_PRIMARY;
1578 info->trust_flags |= NETR_TRUST_FLAG_OUTBOUND;
1579 if (r->out.domain_is_ad) {
1581 * We just assume all AD domains are
1582 * NETR_TRUST_FLAG_NATIVE these days.
1584 * This isn't used anyway for now.
1586 info->trust_flags |= NETR_TRUST_FLAG_NATIVE;
1588 info->trust_type = LSA_TRUST_TYPE_UPLEVEL;
1590 info->trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
1592 info->trust_attributes = LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL;
1594 info->join_time = now;
1596 info->supported_enc_types = r->out.set_encryption_types;
1597 info->salt_principal = r->out.krb5_salt;
1599 if (info->salt_principal == NULL && r->out.domain_is_ad) {
1602 ret = smb_krb5_salt_principal(info->domain_info.dns_domain.string,
1604 NULL /* userPrincipalName */,
1605 UF_WORKSTATION_TRUST_ACCOUNT,
1608 status = krb5_to_nt_status(ret);
1609 DBG_ERR("smb_krb5_salt_principal() failed "
1610 "for %s - %s\n", domain, nt_errstr(status));
1614 info->salt_principal = p;
1617 info->password_last_change = now;
1618 info->password_changes = 1;
1619 info->next_change = NULL;
1621 status = secrets_domain_info_password_create(info,
1622 r->in.machine_password,
1623 info->salt_principal,
1626 if (!NT_STATUS_IS_OK(status)) {
1627 DBG_ERR("secrets_domain_info_password_create(pw) failed "
1628 "for %s - %s\n", domain, nt_errstr(status));
1633 db = secrets_db_ctx();
1635 ret = dbwrap_transaction_start(db);
1637 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
1640 return NT_STATUS_INTERNAL_DB_ERROR;
1643 status = secrets_fetch_or_upgrade_domain_info(domain, frame, &old);
1644 if (NT_STATUS_EQUAL(status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
1645 DBG_DEBUG("no old join for domain(%s) available\n",
1648 } else if (!NT_STATUS_IS_OK(status)) {
1649 DBG_ERR("secrets_fetch_or_upgrade_domain_info(%s) failed\n",
1651 dbwrap_transaction_cancel(db);
1657 * We reuse values from an old join, so that
1658 * we still accept already granted kerberos tickets.
1661 info->old_password = old->password;
1662 info->older_password = old->old_password;
1665 secrets_debug_domain_info(DBGLVL_INFO, info, "join");
1667 status = secrets_store_domain_info(info, false /* upgrade */);
1668 if (!NT_STATUS_IS_OK(status)) {
1669 DBG_ERR("secrets_store_domain_info() failed "
1670 "for %s - %s\n", domain, nt_errstr(status));
1671 dbwrap_transaction_cancel(db);
1676 ret = dbwrap_transaction_commit(db);
1678 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
1681 return NT_STATUS_INTERNAL_DB_ERROR;
1685 return NT_STATUS_OK;
1688 NTSTATUS secrets_prepare_password_change(const char *domain, const char *dcname,
1689 const char *cleartext_unix,
1690 TALLOC_CTX *mem_ctx,
1691 struct secrets_domain_info1 **pinfo,
1692 struct secrets_domain_info1_change **pprev)
1694 TALLOC_CTX *frame = talloc_stackframe();
1695 struct db_context *db = NULL;
1696 struct secrets_domain_info1 *info = NULL;
1697 struct secrets_domain_info1_change *prev = NULL;
1698 struct secrets_domain_info1_change *next = NULL;
1699 struct timeval tv = timeval_current();
1700 NTTIME now = timeval_to_nttime(&tv);
1704 db = secrets_db_ctx();
1706 ret = dbwrap_transaction_start(db);
1708 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
1711 return NT_STATUS_INTERNAL_DB_ERROR;
1714 status = secrets_fetch_or_upgrade_domain_info(domain, frame, &info);
1715 if (!NT_STATUS_IS_OK(status)) {
1716 DBG_ERR("secrets_fetch_or_upgrade_domain_info(%s) failed\n",
1718 dbwrap_transaction_cancel(db);
1723 prev = info->next_change;
1724 info->next_change = NULL;
1726 next = talloc_zero(frame, struct secrets_domain_info1_change);
1728 DBG_ERR("talloc_zero failed\n");
1730 return NT_STATUS_NO_MEMORY;
1736 status = secrets_domain_info_password_create(next,
1738 info->salt_principal,
1741 if (!NT_STATUS_IS_OK(status)) {
1742 DBG_ERR("secrets_domain_info_password_create(next) failed "
1743 "for %s - %s\n", domain, nt_errstr(status));
1744 dbwrap_transaction_cancel(db);
1750 next->local_status = NT_STATUS_OK;
1751 next->remote_status = NT_STATUS_NOT_COMMITTED;
1752 next->change_time = now;
1753 next->change_server = dcname;
1755 info->next_change = next;
1757 secrets_debug_domain_info(DBGLVL_INFO, info, "prepare_change");
1759 status = secrets_store_domain_info(info, false /* upgrade */);
1760 if (!NT_STATUS_IS_OK(status)) {
1761 DBG_ERR("secrets_store_domain_info() failed "
1762 "for %s - %s\n", domain, nt_errstr(status));
1763 dbwrap_transaction_cancel(db);
1769 * We now reparse it.
1771 status = secrets_fetch_domain_info(domain, frame, &info);
1772 if (!NT_STATUS_IS_OK(status)) {
1773 DBG_ERR("secrets_fetch_domain_info(%s) failed\n", domain);
1774 dbwrap_transaction_cancel(db);
1779 ret = dbwrap_transaction_commit(db);
1781 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
1784 return NT_STATUS_INTERNAL_DB_ERROR;
1787 *pinfo = talloc_move(mem_ctx, &info);
1789 *pprev = talloc_move(mem_ctx, &prev);
1795 return NT_STATUS_OK;
1798 static NTSTATUS secrets_check_password_change(const struct secrets_domain_info1 *cookie,
1799 TALLOC_CTX *mem_ctx,
1800 struct secrets_domain_info1 **pstored)
1802 const char *domain = cookie->domain_info.name.string;
1803 struct secrets_domain_info1 *stored = NULL;
1804 struct secrets_domain_info1_change *sn = NULL;
1805 struct secrets_domain_info1_change *cn = NULL;
1809 if (cookie->next_change == NULL) {
1810 DBG_ERR("cookie->next_change == NULL for %s.\n", domain);
1811 return NT_STATUS_INTERNAL_ERROR;
1814 if (cookie->next_change->password == NULL) {
1815 DBG_ERR("cookie->next_change->password == NULL for %s.\n", domain);
1816 return NT_STATUS_INTERNAL_ERROR;
1819 if (cookie->password == NULL) {
1820 DBG_ERR("cookie->password == NULL for %s.\n", domain);
1821 return NT_STATUS_INTERNAL_ERROR;
1825 * Here we check that the given strucure still contains the
1826 * same secrets_domain_info1_change as currently stored.
1828 * There's always a gap between secrets_prepare_password_change()
1829 * and the callers of secrets_check_password_change().
1832 status = secrets_fetch_domain_info(domain, mem_ctx, &stored);
1833 if (!NT_STATUS_IS_OK(status)) {
1834 DBG_ERR("secrets_fetch_domain_info(%s) failed\n", domain);
1838 if (stored->next_change == NULL) {
1840 * We hit a race..., the administrator
1841 * rejoined or something similar happened.
1843 DBG_ERR("stored->next_change == NULL for %s.\n", domain);
1844 TALLOC_FREE(stored);
1845 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
1848 if (stored->password_last_change != cookie->password_last_change) {
1849 struct timeval store_tv;
1850 struct timeval_buf store_buf;
1851 struct timeval cookie_tv;
1852 struct timeval_buf cookie_buf;
1854 nttime_to_timeval(&store_tv, stored->password_last_change);
1855 nttime_to_timeval(&cookie_tv, cookie->password_last_change);
1857 DBG_ERR("password_last_change differs %s != %s for %s.\n",
1858 timeval_str_buf(&store_tv, false, false, &store_buf),
1859 timeval_str_buf(&cookie_tv, false, false, &cookie_buf),
1861 TALLOC_FREE(stored);
1862 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
1865 sn = stored->next_change;
1866 cn = cookie->next_change;
1868 if (sn->change_time != cn->change_time) {
1869 struct timeval store_tv;
1870 struct timeval_buf store_buf;
1871 struct timeval cookie_tv;
1872 struct timeval_buf cookie_buf;
1874 nttime_to_timeval(&store_tv, sn->change_time);
1875 nttime_to_timeval(&cookie_tv, cn->change_time);
1877 DBG_ERR("next change_time differs %s != %s for %s.\n",
1878 timeval_str_buf(&store_tv, false, false, &store_buf),
1879 timeval_str_buf(&cookie_tv, false, false, &cookie_buf),
1881 TALLOC_FREE(stored);
1882 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
1885 if (sn->password->change_time != cn->password->change_time) {
1886 struct timeval store_tv;
1887 struct timeval_buf store_buf;
1888 struct timeval cookie_tv;
1889 struct timeval_buf cookie_buf;
1891 nttime_to_timeval(&store_tv, sn->password->change_time);
1892 nttime_to_timeval(&cookie_tv, cn->password->change_time);
1894 DBG_ERR("next password.change_time differs %s != %s for %s.\n",
1895 timeval_str_buf(&store_tv, false, false, &store_buf),
1896 timeval_str_buf(&cookie_tv, false, false, &cookie_buf),
1898 TALLOC_FREE(stored);
1899 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
1902 cmp = memcmp(sn->password->nt_hash.hash,
1903 cn->password->nt_hash.hash,
1906 DBG_ERR("next password.nt_hash differs for %s.\n",
1908 TALLOC_FREE(stored);
1909 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
1912 cmp = memcmp(stored->password->nt_hash.hash,
1913 cookie->password->nt_hash.hash,
1916 DBG_ERR("password.nt_hash differs for %s.\n",
1918 TALLOC_FREE(stored);
1919 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
1923 return NT_STATUS_OK;
1926 static NTSTATUS secrets_abort_password_change(const char *change_server,
1927 NTSTATUS local_status,
1928 NTSTATUS remote_status,
1929 const struct secrets_domain_info1 *cookie,
1932 const char *domain = cookie->domain_info.name.string;
1933 TALLOC_CTX *frame = talloc_stackframe();
1934 struct db_context *db = NULL;
1935 struct secrets_domain_info1 *info = NULL;
1936 const char *reason = defer ? "defer_change" : "failed_change";
1937 struct timeval tv = timeval_current();
1938 NTTIME now = timeval_to_nttime(&tv);
1942 db = secrets_db_ctx();
1944 ret = dbwrap_transaction_start(db);
1946 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
1949 return NT_STATUS_INTERNAL_DB_ERROR;
1953 * secrets_check_password_change()
1954 * checks that cookie->next_change
1955 * is valid and the same as store
1958 status = secrets_check_password_change(cookie, frame, &info);
1959 if (!NT_STATUS_IS_OK(status)) {
1960 DBG_ERR("secrets_check_password_change(%s) failed\n", domain);
1961 dbwrap_transaction_cancel(db);
1967 * Remember the last server and error.
1969 info->next_change->change_server = change_server;
1970 info->next_change->change_time = now;
1971 info->next_change->local_status = local_status;
1972 info->next_change->remote_status = remote_status;
1975 * Make sure the next automatic change is deferred.
1978 info->password_last_change = now;
1981 secrets_debug_domain_info(DBGLVL_WARNING, info, reason);
1983 status = secrets_store_domain_info(info, false /* upgrade */);
1984 if (!NT_STATUS_IS_OK(status)) {
1985 DBG_ERR("secrets_store_domain_info() failed "
1986 "for %s - %s\n", domain, nt_errstr(status));
1987 dbwrap_transaction_cancel(db);
1992 ret = dbwrap_transaction_commit(db);
1994 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
1997 return NT_STATUS_INTERNAL_DB_ERROR;
2001 return NT_STATUS_OK;
2004 NTSTATUS secrets_failed_password_change(const char *change_server,
2005 NTSTATUS local_status,
2006 NTSTATUS remote_status,
2007 const struct secrets_domain_info1 *cookie)
2009 static const bool defer = false;
2010 return secrets_abort_password_change(change_server,
2016 NTSTATUS secrets_defer_password_change(const char *change_server,
2017 NTSTATUS local_status,
2018 NTSTATUS remote_status,
2019 const struct secrets_domain_info1 *cookie)
2021 static const bool defer = true;
2022 return secrets_abort_password_change(change_server,
2028 NTSTATUS secrets_finish_password_change(const char *change_server,
2030 const struct secrets_domain_info1 *cookie)
2032 const char *domain = cookie->domain_info.name.string;
2033 TALLOC_CTX *frame = talloc_stackframe();
2034 struct db_context *db = NULL;
2035 struct secrets_domain_info1 *info = NULL;
2036 struct secrets_domain_info1_change *nc = NULL;
2040 db = secrets_db_ctx();
2042 ret = dbwrap_transaction_start(db);
2044 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
2047 return NT_STATUS_INTERNAL_DB_ERROR;
2051 * secrets_check_password_change() checks that cookie->next_change is
2052 * valid and the same as store in the database.
2054 status = secrets_check_password_change(cookie, frame, &info);
2055 if (!NT_STATUS_IS_OK(status)) {
2056 DBG_ERR("secrets_check_password_change(%s) failed\n", domain);
2057 dbwrap_transaction_cancel(db);
2062 nc = info->next_change;
2064 nc->password->change_server = change_server;
2065 nc->password->change_time = change_time;
2067 info->password_last_change = change_time;
2068 info->password_changes += 1;
2069 info->next_change = NULL;
2071 info->older_password = info->old_password;
2072 info->old_password = info->password;
2073 info->password = nc->password;
2075 secrets_debug_domain_info(DBGLVL_WARNING, info, "finish_change");
2077 status = secrets_store_domain_info(info, false /* upgrade */);
2078 if (!NT_STATUS_IS_OK(status)) {
2079 DBG_ERR("secrets_store_domain_info() failed "
2080 "for %s - %s\n", domain, nt_errstr(status));
2081 dbwrap_transaction_cancel(db);
2086 ret = dbwrap_transaction_commit(db);
2088 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
2091 return NT_STATUS_INTERNAL_DB_ERROR;
2095 return NT_STATUS_OK;
git.samba.org / samba.git / blob