s3-netlogon: allow to change any type of trust account password in trust_pw_find_chan...
authorGünther Deschner <gd@samba.org>
Wed, 7 Oct 2009 22:39:40 +0000 (00:39 +0200)
committerGünther Deschner <gd@samba.org>
Tue, 13 Oct 2009 08:21:42 +0000 (10:21 +0200)
Guenther

source3/libsmb/trusts_util.c

index e201814163233b7eb43dca2d94d9b50f71168d77..1e2460cfcc0ef264109d0035038b7c507ad1c6a4 100644 (file)
@@ -37,6 +37,14 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
        char *new_trust_passwd;
        NTSTATUS nt_status;
 
        char *new_trust_passwd;
        NTSTATUS nt_status;
 
+       switch (sec_channel_type) {
+       case SEC_CHAN_WKSTA:
+       case SEC_CHAN_DOMAIN:
+               break;
+       default:
+               return NT_STATUS_NOT_SUPPORTED;
+       }
+
        /* Create a random machine account password */
        new_trust_passwd = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
 
        /* Create a random machine account password */
        new_trust_passwd = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
 
@@ -61,8 +69,33 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
                 * Return the result of trying to write the new password
                 * back into the trust account file.
                 */
                 * Return the result of trying to write the new password
                 * back into the trust account file.
                 */
-               if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
-                       nt_status = NT_STATUS_UNSUCCESSFUL;
+
+               switch (sec_channel_type) {
+
+               case SEC_CHAN_WKSTA:
+                       if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
+                               nt_status = NT_STATUS_UNSUCCESSFUL;
+                       }
+                       break;
+
+               case SEC_CHAN_DOMAIN: {
+                       char *pwd;
+                       struct dom_sid sid;
+                       time_t pass_last_set_time;
+
+                       /* we need to get the sid first for the
+                        * pdb_set_trusteddom_pw call */
+
+                       if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
+                               nt_status = NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
+                       }
+                       if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
+                               nt_status = NT_STATUS_INTERNAL_DB_CORRUPTION;
+                       }
+                       break;
+               }
+               default:
+                       break;
                }
        }
 
                }
        }
 
@@ -81,16 +114,16 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
 {
        unsigned char old_trust_passwd_hash[16];
        uint32 sec_channel_type = 0;
 {
        unsigned char old_trust_passwd_hash[16];
        uint32 sec_channel_type = 0;
+       const char *account_name;
 
 
-       if (!secrets_fetch_trust_account_password(domain,
-                                                 old_trust_passwd_hash, 
-                                                 NULL, &sec_channel_type)) {
+       if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
+                              &sec_channel_type)) {
                DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
                return NT_STATUS_UNSUCCESSFUL;
        }
 
        return trust_pw_change_and_store_it(cli, mem_ctx, domain,
                DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
                return NT_STATUS_UNSUCCESSFUL;
        }
 
        return trust_pw_change_and_store_it(cli, mem_ctx, domain,
-                                           global_myname(),
+                                           account_name,
                                            old_trust_passwd_hash,
                                            sec_channel_type);
 }
                                            old_trust_passwd_hash,
                                            sec_channel_type);
 }