This commit was manufactured by cvs2svn to create branch 'SAMBA_3_0'.(This used to...
[nivanova/samba-autobuild/.git] / source3 / libsmb / trusts_util.c
1 /* 
2  *  Unix SMB/CIFS implementation.
3  *  Routines to operate on various trust relationships
4  *  Copyright (C) Andrew Bartlett                   2001
5  *  Copyright (C) Rafal Szczesniak                  2003
6  *
7  *  This program is free software; you can redistribute it and/or modify
8  *  it under the terms of the GNU General Public License as published by
9  *  the Free Software Foundation; either version 2 of the License, or
10  *  (at your option) any later version.
11  *  
12  *  This program is distributed in the hope that it will be useful,
13  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
14  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15  *  GNU General Public License for more details.
16  *  
17  *  You should have received a copy of the GNU General Public License
18  *  along with this program; if not, write to the Free Software
19  *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20  */
21
22 #include "includes.h"
23
24 /*********************************************************
25  Change the domain password on the PDC.
26
27  Just changes the password betwen the two values specified.
28
29  Caller must have the cli connected to the netlogon pipe
30  already.
31 **********************************************************/
32 static NTSTATUS just_change_the_password(struct cli_state *cli, TALLOC_CTX *mem_ctx, 
33                                          unsigned char orig_trust_passwd_hash[16],
34                                          unsigned char new_trust_passwd_hash[16],
35                                          uint32 sec_channel_type)
36 {
37         NTSTATUS result;
38         uint32 neg_flags = 0x000001ff;
39
40         result = cli_nt_setup_creds(cli, sec_channel_type, orig_trust_passwd_hash, &neg_flags, 2);
41         
42         if (!NT_STATUS_IS_OK(result)) {
43                 DEBUG(3,("just_change_the_password: unable to setup creds (%s)!\n",
44                          nt_errstr(result)));
45                 return result;
46         }
47
48         result = cli_net_srv_pwset(cli, mem_ctx, global_myname(), new_trust_passwd_hash);
49
50         if (!NT_STATUS_IS_OK(result)) {
51                 DEBUG(0,("just_change_the_password: unable to change password (%s)!\n",
52                          nt_errstr(result)));
53         }
54         return result;
55 }
56
57 /*********************************************************
58  Change the domain password on the PDC.
59  Store the password ourselves, but use the supplied password
60  Caller must have already setup the connection to the NETLOGON pipe
61 **********************************************************/
62
63 NTSTATUS trust_pw_change_and_store_it(struct cli_state *cli, TALLOC_CTX *mem_ctx, 
64                                       const char *domain,
65                                       unsigned char orig_trust_passwd_hash[16],
66                                       uint32 sec_channel_type)
67 {
68         unsigned char new_trust_passwd_hash[16];
69         char *new_trust_passwd;
70         char *str;
71         NTSTATUS nt_status;
72                 
73         /* Create a random machine account password */
74         str = generate_random_str(DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
75         new_trust_passwd = talloc_strdup(mem_ctx, str);
76         
77         E_md4hash(new_trust_passwd, new_trust_passwd_hash);
78
79         nt_status = just_change_the_password(cli, mem_ctx, orig_trust_passwd_hash,
80                                              new_trust_passwd_hash, sec_channel_type);
81         
82         if (NT_STATUS_IS_OK(nt_status)) {
83                 DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n", 
84                          timestring(False)));
85                 /*
86                  * Return the result of trying to write the new password
87                  * back into the trust account file.
88                  */
89                 if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
90                         nt_status = NT_STATUS_UNSUCCESSFUL;
91                 }
92         }
93
94         return nt_status;
95 }
96
97 /*********************************************************
98  Change the domain password on the PDC.
99  Do most of the legwork ourselfs.  Caller must have
100  already setup the connection to the NETLOGON pipe
101 **********************************************************/
102
103 NTSTATUS trust_pw_find_change_and_store_it(struct cli_state *cli, 
104                                            TALLOC_CTX *mem_ctx, 
105                                            const char *domain) 
106 {
107         unsigned char old_trust_passwd_hash[16];
108         char *up_domain;
109         uint32 sec_channel_type = 0;
110
111         up_domain = talloc_strdup(mem_ctx, domain);
112
113         if (!secrets_fetch_trust_account_password(domain,
114                                                   old_trust_passwd_hash, 
115                                                   NULL, &sec_channel_type)) {
116                 DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
117                 return NT_STATUS_UNSUCCESSFUL;
118         }
119         
120         return trust_pw_change_and_store_it(cli, mem_ctx, domain,
121                                             old_trust_passwd_hash,
122                                             sec_channel_type);
123         
124 }
125
126
127 /**
128  * Verify whether or not given domain is trusted.
129  *
130  * @param domain_name name of the domain to be verified
131  * @return true if domain is one of the trusted once or
132  *         false if otherwise
133  **/
134  
135 BOOL is_trusted_domain(const char* dom_name)
136 {
137         DOM_SID trustdom_sid;
138         char *pass = NULL;
139         time_t lct;
140         BOOL ret;
141
142         if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC) {
143                 /*
144                  * Query the secrets db as an ultimate source of information
145                  * about trusted domain names. This is PDC or BDC case.
146                  */
147                 ret = secrets_fetch_trusted_domain_password(dom_name, &pass, &trustdom_sid, &lct);
148                 SAFE_FREE(pass);
149                 if (ret) 
150                         return ret;
151         }
152
153         /*
154          * Query the trustdom_cache updated periodically. The only
155          * way for domain member server.
156          */
157         if (trustdom_cache_enable() &&
158                 trustdom_cache_fetch(dom_name, &trustdom_sid)) {
159                 trustdom_cache_shutdown();
160                 return True;
161         }
162
163         /*
164          * if nothing's been found, then give up here, although
165          * the last resort might be to query the PDC.
166          */
167         return False;
168 }
169