*/
#include "includes.h"
+#include "../libcli/auth/libcli_auth.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
extern bool global_machine_password_needs_changing;
+static struct named_mutex *mutex;
+
+/*
+ * Change machine password (called from main loop
+ * idle timeout. Must be done as root.
+ */
+
+void attempt_machine_password_change(void)
+{
+ unsigned char trust_passwd_hash[16];
+ time_t lct;
+ void *lock;
+
+ if (!global_machine_password_needs_changing) {
+ return;
+ }
+
+ if (lp_security() != SEC_DOMAIN) {
+ return;
+ }
+
+ /*
+ * We're in domain level security, and the code that
+ * read the machine password flagged that the machine
+ * password needs changing.
+ */
+
+ /*
+ * First, open the machine password file with an exclusive lock.
+ */
+
+ lock = secrets_get_trust_account_lock(NULL, lp_workgroup());
+
+ if (lock == NULL) {
+ DEBUG(0,("attempt_machine_password_change: unable to lock "
+ "the machine account password for machine %s in "
+ "domain %s.\n",
+ global_myname(), lp_workgroup() ));
+ return;
+ }
+
+ if(!secrets_fetch_trust_account_password(lp_workgroup(),
+ trust_passwd_hash, &lct, NULL)) {
+ DEBUG(0,("attempt_machine_password_change: unable to read the "
+ "machine account password for %s in domain %s.\n",
+ global_myname(), lp_workgroup()));
+ TALLOC_FREE(lock);
+ return;
+ }
+
+ /*
+ * Make sure someone else hasn't already done this.
+ */
+
+ if(time(NULL) < lct + lp_machine_password_timeout()) {
+ global_machine_password_needs_changing = false;
+ TALLOC_FREE(lock);
+ return;
+ }
+
+ /* always just contact the PDC here */
+
+ change_trust_account_password( lp_workgroup(), NULL);
+ global_machine_password_needs_changing = false;
+ TALLOC_FREE(lock);
+}
/**
* Connect to a remote server for (inter)domain security authenticaion.
* ACCESS_DENIED errors if 2 auths are done from the same machine. JRA.
*/
- if (!grab_server_mutex(dc_name)) {
+ mutex = grab_named_mutex(NULL, dc_name, 10);
+ if (mutex == NULL) {
return NT_STATUS_NO_LOGON_SERVERS;
}
*cli = NULL;
}
- release_server_mutex();
+ TALLOC_FREE(mutex);
return result;
}
/* open the netlogon pipe. */
if (lp_client_schannel()) {
/* We also setup the creds chain in the open_schannel call. */
- netlogon_pipe = cli_rpc_pipe_open_schannel(*cli, PI_NETLOGON,
- PIPE_AUTH_LEVEL_PRIVACY, domain, &result);
+ result = cli_rpc_pipe_open_schannel(
+ *cli, &ndr_table_netlogon.syntax_id,
+ PIPE_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
} else {
- netlogon_pipe = cli_rpc_pipe_open_noauth(*cli, PI_NETLOGON, &result);
+ result = cli_rpc_pipe_open_noauth(
+ *cli, &ndr_table_netlogon.syntax_id, &netlogon_pipe);
}
- if(!netlogon_pipe) {
+ if (!NT_STATUS_IS_OK(result)) {
DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
cli_shutdown(*cli);
*cli = NULL;
- release_server_mutex();
+ TALLOC_FREE(mutex);
return result;
}
if (!lp_client_schannel()) {
/* We need to set up a creds chain on an unauthenticated netlogon pipe. */
- uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS;
+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
uint32 sec_chan_type = 0;
unsigned char machine_pwd[16];
const char *account_name;
domain));
cli_shutdown(*cli);
*cli = NULL;
- release_server_mutex();
+ TALLOC_FREE(mutex);
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
if (!NT_STATUS_IS_OK(result)) {
cli_shutdown(*cli);
*cli = NULL;
- release_server_mutex();
+ TALLOC_FREE(mutex);
return result;
}
}
machine %s. Error was : %s.\n", dc_name, cli_errstr(*cli)));
cli_shutdown(*cli);
*cli = NULL;
- release_server_mutex();
+ TALLOC_FREE(mutex);
return NT_STATUS_NO_LOGON_SERVERS;
}
struct sockaddr_storage *dc_ss)
{
- NET_USER_INFO_3 info3;
+ struct netr_SamInfo3 *info3 = NULL;
struct cli_state *cli = NULL;
struct rpc_pipe_client *netlogon_pipe = NULL;
NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS;
saf_store( domain, cli->desthost );
- ZERO_STRUCT(info3);
-
/*
* If this call succeeds, we now have lots of info about the user
* in the info3 structure.
/* Let go as soon as possible so we avoid any potential deadlocks
with winbind lookup up users or groups. */
- release_server_mutex();
+ TALLOC_FREE(mutex);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0,("domain_client_validate: unable to validate password "
"for user %s in domain %s to Domain controller %s. "
"Error was %s.\n", user_info->smb_name,
- user_info->domain, dc_name,
+ user_info->client_domain, dc_name,
nt_errstr(nt_status)));
/* map to something more useful */
user_info->smb_name,
domain,
server_info,
- &info3);
+ info3);
if (NT_STATUS_IS_OK(nt_status)) {
- (*server_info)->was_mapped |= user_info->was_mapped;
+ (*server_info)->nss_token |= user_info->was_mapped;
if ( ! (*server_info)->guest) {
/* if a real user check pam account restrictions */
if ( !NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("PAM account restriction prevents user login\n"));
cli_shutdown(cli);
+ TALLOC_FREE(info3);
return nt_status;
}
}
}
- netsamlogon_cache_store( user_info->smb_name, &info3 );
+ netsamlogon_cache_store(user_info->smb_name, info3);
+ TALLOC_FREE(info3);
}
/* Note - once the cli stream is shutdown the mem_ctx used
git.samba.org / ira / wip.git / blobdiff