source3/libsmb/trusts_util.c

   1 /*
   2  *  Unix SMB/CIFS implementation.
   3  *  Routines to operate on various trust relationships
   4  *  Copyright (C) Andrew Bartlett                   2001
   5  *  Copyright (C) Rafal Szczesniak                  2003
   6  *
   7  *  This program is free software; you can redistribute it and/or modify
   8  *  it under the terms of the GNU General Public License as published by
   9  *  the Free Software Foundation; either version 3 of the License, or
  10  *  (at your option) any later version.
  11  *
  12  *  This program is distributed in the hope that it will be useful,
  13  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  14  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15  *  GNU General Public License for more details.
  16  *
  17  *  You should have received a copy of the GNU General Public License
  18  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
  19  */
  20
  21 #include "includes.h"
  22 #include "../libcli/auth/libcli_auth.h"
  23 #include "../librpc/gen_ndr/ndr_lsa_c.h"
  24 #include "rpc_client/cli_lsarpc.h"
  25 #include "rpc_client/cli_netlogon.h"
  26 #include "rpc_client/cli_pipe.h"
  27 #include "../librpc/gen_ndr/ndr_netlogon.h"
  28 #include "secrets.h"
  29 #include "passdb.h"
  30 #include "libsmb/libsmb.h"
  31
  32 /*********************************************************
  33  Change the domain password on the PDC.
  34  Store the password ourselves, but use the supplied password
  35  Caller must have already setup the connection to the NETLOGON pipe
  36 **********************************************************/
  37
  38 NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
  39                                       const char *domain,
  40                                       const char *account_name,
  41                                       unsigned char orig_trust_passwd_hash[16],
  42                                       enum netr_SchannelType sec_channel_type)
  43 {
  44         unsigned char new_trust_passwd_hash[16];
  45         char *new_trust_passwd;
  46         NTSTATUS nt_status;
  47
  48         switch (sec_channel_type) {
  49         case SEC_CHAN_WKSTA:
  50         case SEC_CHAN_DOMAIN:
  51                 break;
  52         default:
  53                 return NT_STATUS_NOT_SUPPORTED;
  54         }
  55
  56         /* Create a random machine account password */
  57         new_trust_passwd = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
  58
  59         if (new_trust_passwd == NULL) {
  60                 DEBUG(0, ("talloc_strdup failed\n"));
  61                 return NT_STATUS_NO_MEMORY;
  62         }
  63
  64         E_md4hash(new_trust_passwd, new_trust_passwd_hash);
  65
  66         nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
  67                                                        account_name,
  68                                                        orig_trust_passwd_hash,
  69                                                        new_trust_passwd,
  70                                                        new_trust_passwd_hash,
  71                                                        sec_channel_type);
  72
  73         if (NT_STATUS_IS_OK(nt_status)) {
  74                 DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
  75                          current_timestring(talloc_tos(), False)));
  76                 /*
  77                  * Return the result of trying to write the new password
  78                  * back into the trust account file.
  79                  */
  80
  81                 switch (sec_channel_type) {
  82
  83                 case SEC_CHAN_WKSTA:
  84                         if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
  85                                 nt_status = NT_STATUS_UNSUCCESSFUL;
  86                         }
  87                         break;
  88
  89                 case SEC_CHAN_DOMAIN: {
  90                         char *pwd;
  91                         struct dom_sid sid;
  92                         time_t pass_last_set_time;
  93
  94                         /* we need to get the sid first for the
  95                          * pdb_set_trusteddom_pw call */
  96
  97                         if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
  98                                 nt_status = NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
  99                         }
 100                         if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
 101                                 nt_status = NT_STATUS_INTERNAL_DB_CORRUPTION;
 102                         }
 103                         break;
 104                 }
 105                 default:
 106                         break;
 107                 }
 108         }
 109
 110         return nt_status;
 111 }
 112
 113 /*********************************************************
 114  Change the domain password on the PDC.
 115  Do most of the legwork ourselfs.  Caller must have
 116  already setup the connection to the NETLOGON pipe
 117 **********************************************************/
 118
 119 NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
 120                                            TALLOC_CTX *mem_ctx,
 121                                            const char *domain)
 122 {
 123         unsigned char old_trust_passwd_hash[16];
 124         enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
 125         const char *account_name;
 126
 127         if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
 128                                &sec_channel_type)) {
 129                 DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
 130                 return NT_STATUS_UNSUCCESSFUL;
 131         }
 132
 133         return trust_pw_change_and_store_it(cli, mem_ctx, domain,
 134                                             account_name,
 135                                             old_trust_passwd_hash,
 136                                             sec_channel_type);
 137 }
 138
 139 /*********************************************************************
 140  Enumerate the list of trusted domains from a DC
 141 *********************************************************************/
 142
 143 bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
 144                                      char ***domain_names, uint32 *num_domains,
 145                                      struct dom_sid **sids )
 146 {
 147         struct policy_handle    pol;
 148         NTSTATUS status, result;
 149         fstring         dc_name;
 150         struct sockaddr_storage dc_ss;
 151         uint32          enum_ctx = 0;
 152         struct cli_state *cli = NULL;
 153         struct rpc_pipe_client *lsa_pipe = NULL;
 154         struct lsa_DomainList dom_list;
 155         int i;
 156         struct dcerpc_binding_handle *b = NULL;
 157
 158         *domain_names = NULL;
 159         *num_domains = 0;
 160         *sids = NULL;
 161
 162         /* lookup a DC first */
 163
 164         if ( !get_dc_name(domain, NULL, dc_name, &dc_ss) ) {
 165                 DEBUG(3,("enumerate_domain_trusts: can't locate a DC for domain %s\n",
 166                         domain));
 167                 return False;
 168         }
 169
 170         /* setup the anonymous connection */
 171
 172         status = cli_full_connection( &cli, global_myname(), dc_name, &dc_ss, 0, "IPC$", "IPC",
 173                 "", "", "", 0, Undefined);
 174         if ( !NT_STATUS_IS_OK(status) )
 175                 goto done;
 176
 177         /* open the LSARPC_PIPE */
 178
 179         status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
 180                                           &lsa_pipe);
 181         if (!NT_STATUS_IS_OK(status)) {
 182                 goto done;
 183         }
 184
 185         b = lsa_pipe->binding_handle;
 186
 187         /* get a handle */
 188
 189         status = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, True,
 190                 LSA_POLICY_VIEW_LOCAL_INFORMATION, &pol);
 191         if ( !NT_STATUS_IS_OK(status) )
 192                 goto done;
 193
 194         /* Lookup list of trusted domains */
 195
 196         status = dcerpc_lsa_EnumTrustDom(b, mem_ctx,
 197                                          &pol,
 198                                          &enum_ctx,
 199                                          &dom_list,
 200                                          (uint32_t)-1,
 201                                          &result);
 202         if ( !NT_STATUS_IS_OK(status) )
 203                 goto done;
 204         if (!NT_STATUS_IS_OK(result)) {
 205                 status = result;
 206                 goto done;
 207         }
 208
 209         *num_domains = dom_list.count;
 210
 211         *domain_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, *num_domains);
 212         if (!*domain_names) {
 213                 status = NT_STATUS_NO_MEMORY;
 214                 goto done;
 215         }
 216
 217         *sids = TALLOC_ZERO_ARRAY(mem_ctx, struct dom_sid, *num_domains);
 218         if (!*sids) {
 219                 status = NT_STATUS_NO_MEMORY;
 220                 goto done;
 221         }
 222
 223         for (i=0; i< *num_domains; i++) {
 224                 (*domain_names)[i] = discard_const_p(char, dom_list.domains[i].name.string);
 225                 (*sids)[i] = *dom_list.domains[i].sid;
 226         }
 227
 228 done:
 229         /* cleanup */
 230         if (cli) {
 231                 DEBUG(10,("enumerate_domain_trusts: shutting down connection...\n"));
 232                 cli_shutdown( cli );
 233         }
 234
 235         return NT_STATUS_IS_OK(status);
 236 }
 237
 238 NTSTATUS change_trust_account_password( const char *domain, const char *remote_machine)
 239 {
 240         NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
 241         struct sockaddr_storage pdc_ss;
 242         fstring dc_name;
 243         struct cli_state *cli = NULL;
 244         struct rpc_pipe_client *netlogon_pipe = NULL;
 245
 246         DEBUG(5,("change_trust_account_password: Attempting to change trust account password in domain %s....\n",
 247                 domain));
 248
 249         if (remote_machine == NULL || !strcmp(remote_machine, "*")) {
 250                 /* Use the PDC *only* for this */
 251
 252                 if ( !get_pdc_ip(domain, &pdc_ss) ) {
 253                         DEBUG(0,("Can't get IP for PDC for domain %s\n", domain));
 254                         goto failed;
 255                 }
 256
 257                 if ( !name_status_find( domain, 0x1b, 0x20, &pdc_ss, dc_name) )
 258                         goto failed;
 259         } else {
 260                 /* supoport old deprecated "smbpasswd -j DOMAIN -r MACHINE" behavior */
 261                 fstrcpy( dc_name, remote_machine );
 262         }
 263
 264         /* if this next call fails, then give up.  We can't do
 265            password changes on BDC's  --jerry */
 266
 267         if (!NT_STATUS_IS_OK(cli_full_connection(&cli, global_myname(), dc_name,
 268                                            NULL, 0,
 269                                            "IPC$", "IPC",
 270                                            "", "",
 271                                            "", 0, Undefined))) {
 272                 DEBUG(0,("modify_trust_password: Connection to %s failed!\n", dc_name));
 273                 nt_status = NT_STATUS_UNSUCCESSFUL;
 274                 goto failed;
 275         }
 276
 277         /*
 278          * Ok - we have an anonymous connection to the IPC$ share.
 279          * Now start the NT Domain stuff :-).
 280          */
 281
 282         /* Shouldn't we open this with schannel ? JRA. */
 283
 284         nt_status = cli_rpc_pipe_open_noauth(
 285                 cli, &ndr_table_netlogon.syntax_id, &netlogon_pipe);
 286         if (!NT_STATUS_IS_OK(nt_status)) {
 287                 DEBUG(0,("modify_trust_password: unable to open the domain client session to machine %s. Error was : %s.\n",
 288                         dc_name, nt_errstr(nt_status)));
 289                 cli_shutdown(cli);
 290                 cli = NULL;
 291                 goto failed;
 292         }
 293
 294         nt_status = trust_pw_find_change_and_store_it(
 295                 netlogon_pipe, netlogon_pipe, domain);
 296
 297         cli_shutdown(cli);
 298         cli = NULL;
 299
 300 failed:
 301         if (!NT_STATUS_IS_OK(nt_status)) {
 302                 DEBUG(0,("%s : change_trust_account_password: Failed to change password for domain %s.\n",
 303                         current_timestring(talloc_tos(), False), domain));
 304         }
 305         else
 306                 DEBUG(5,("change_trust_account_password: sucess!\n"));
 307
 308         return nt_status;
 309 }