adf15258122d6cb08f0ff881d1a1b855ba967645
[ira/wip.git] / source3 / libsmb / trusts_util.c
1 /*
2  *  Unix SMB/CIFS implementation.
3  *  Routines to operate on various trust relationships
4  *  Copyright (C) Andrew Bartlett                   2001
5  *  Copyright (C) Rafal Szczesniak                  2003
6  *
7  *  This program is free software; you can redistribute it and/or modify
8  *  it under the terms of the GNU General Public License as published by
9  *  the Free Software Foundation; either version 3 of the License, or
10  *  (at your option) any later version.
11  *  
12  *  This program is distributed in the hope that it will be useful,
13  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
14  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15  *  GNU General Public License for more details.
16  *  
17  *  You should have received a copy of the GNU General Public License
18  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
19  */
20
21 #include "includes.h"
22 #include "../libcli/auth/libcli_auth.h"
23
24 /*********************************************************
25  Change the domain password on the PDC.
26  Store the password ourselves, but use the supplied password
27  Caller must have already setup the connection to the NETLOGON pipe
28 **********************************************************/
29
30 NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, 
31                                       const char *domain,
32                                       unsigned char orig_trust_passwd_hash[16],
33                                       uint32 sec_channel_type)
34 {
35         unsigned char new_trust_passwd_hash[16];
36         char *new_trust_passwd;
37         NTSTATUS nt_status;
38
39         /* Create a random machine account password */
40         new_trust_passwd = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
41
42         if (new_trust_passwd == NULL) {
43                 DEBUG(0, ("talloc_strdup failed\n"));
44                 return NT_STATUS_NO_MEMORY;
45         }
46
47         E_md4hash(new_trust_passwd, new_trust_passwd_hash);
48
49         nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
50                                                        orig_trust_passwd_hash,
51                                                        new_trust_passwd,
52                                                        new_trust_passwd_hash,
53                                                        sec_channel_type);
54
55         if (NT_STATUS_IS_OK(nt_status)) {
56                 DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n", 
57                          current_timestring(debug_ctx(), False)));
58                 /*
59                  * Return the result of trying to write the new password
60                  * back into the trust account file.
61                  */
62                 if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
63                         nt_status = NT_STATUS_UNSUCCESSFUL;
64                 }
65         }
66
67         return nt_status;
68 }
69
70 /*********************************************************
71  Change the domain password on the PDC.
72  Do most of the legwork ourselfs.  Caller must have
73  already setup the connection to the NETLOGON pipe
74 **********************************************************/
75
76 NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli, 
77                                            TALLOC_CTX *mem_ctx, 
78                                            const char *domain) 
79 {
80         unsigned char old_trust_passwd_hash[16];
81         uint32 sec_channel_type = 0;
82
83         if (!secrets_fetch_trust_account_password(domain,
84                                                   old_trust_passwd_hash, 
85                                                   NULL, &sec_channel_type)) {
86                 DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
87                 return NT_STATUS_UNSUCCESSFUL;
88         }
89
90         return trust_pw_change_and_store_it(cli, mem_ctx, domain,
91                                             old_trust_passwd_hash,
92                                             sec_channel_type);
93 }
94
95 /*********************************************************************
96  Enumerate the list of trusted domains from a DC
97 *********************************************************************/
98
99 bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
100                                      char ***domain_names, uint32 *num_domains,
101                                      DOM_SID **sids )
102 {
103         struct policy_handle    pol;
104         NTSTATUS        result = NT_STATUS_UNSUCCESSFUL;
105         fstring         dc_name;
106         struct sockaddr_storage dc_ss;
107         uint32          enum_ctx = 0;
108         struct cli_state *cli = NULL;
109         struct rpc_pipe_client *lsa_pipe;
110         bool            retry;
111         struct lsa_DomainList dom_list;
112         int i;
113
114         *domain_names = NULL;
115         *num_domains = 0;
116         *sids = NULL;
117
118         /* lookup a DC first */
119
120         if ( !get_dc_name(domain, NULL, dc_name, &dc_ss) ) {
121                 DEBUG(3,("enumerate_domain_trusts: can't locate a DC for domain %s\n",
122                         domain));
123                 return False;
124         }
125
126         /* setup the anonymous connection */
127
128         result = cli_full_connection( &cli, global_myname(), dc_name, &dc_ss, 0, "IPC$", "IPC",
129                 "", "", "", 0, Undefined, &retry);
130         if ( !NT_STATUS_IS_OK(result) )
131                 goto done;
132
133         /* open the LSARPC_PIPE */
134
135         result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
136                                           &lsa_pipe);
137         if (!NT_STATUS_IS_OK(result)) {
138                 goto done;
139         }
140
141         /* get a handle */
142
143         result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, True,
144                 LSA_POLICY_VIEW_LOCAL_INFORMATION, &pol);
145         if ( !NT_STATUS_IS_OK(result) )
146                 goto done;
147
148         /* Lookup list of trusted domains */
149
150         result = rpccli_lsa_EnumTrustDom(lsa_pipe, mem_ctx,
151                                          &pol,
152                                          &enum_ctx,
153                                          &dom_list,
154                                          (uint32_t)-1);
155         if ( !NT_STATUS_IS_OK(result) )
156                 goto done;
157
158         *num_domains = dom_list.count;
159
160         *domain_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, *num_domains);
161         if (!*domain_names) {
162                 result = NT_STATUS_NO_MEMORY;
163                 goto done;
164         }
165
166         *sids = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, *num_domains);
167         if (!*sids) {
168                 result = NT_STATUS_NO_MEMORY;
169                 goto done;
170         }
171
172         for (i=0; i< *num_domains; i++) {
173                 (*domain_names)[i] = CONST_DISCARD(char *, dom_list.domains[i].name.string);
174                 (*sids)[i] = *dom_list.domains[i].sid;
175         }
176
177 done:
178         /* cleanup */
179         if (cli) {
180                 DEBUG(10,("enumerate_domain_trusts: shutting down connection...\n"));
181                 cli_shutdown( cli );
182         }
183
184         return NT_STATUS_IS_OK(result);
185 }