From a2877541681e07f09aee7d7c21adbe50346755e3 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 9 Feb 2017 22:53:52 +0100 Subject: [PATCH] s3:libsmb: let trust_pw_change() verify the new password at the end. We should notice problems as early as possible, it makes no sense to keep things working for a while and later find out the we lost our trust relationship with our domain. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262 Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme --- source3/libsmb/trusts_util.c | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index a3cabd4cba3..4b784c1babe 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -290,6 +290,39 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context, current_timestring(talloc_tos(), false), __func__, domain, context_name)); + ok = cli_credentials_set_password(creds, new_trust_passwd, CRED_SPECIFIED); + if (!ok) { + DEBUG(0, ("cli_credentials_set_password failed for domain %s!\n", + domain)); + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + current_nt_hash = cli_credentials_get_nt_hash(creds, frame); + if (current_nt_hash == NULL) { + DEBUG(0, ("cli_credentials_get_nt_hash failed for domain %s!\n", + domain)); + TALLOC_FREE(frame); + return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE; + } + + /* + * Now we verify the new password. + */ + status = netlogon_creds_cli_auth(context, b, + *current_nt_hash, + NULL); /* previous_nt_hash */ + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("netlogon_creds_cli_auth(%s) failed for new password - %s!\n", + context_name, nt_errstr(status))); + TALLOC_FREE(frame); + return status; + } + + DEBUG(0,("%s : %s(%s): Verified new password remotely using %s\n", + current_timestring(talloc_tos(), false), + __func__, domain, context_name)); + TALLOC_FREE(frame); return NT_STATUS_OK; } -- 2.34.1