source3/libsmb/trusts_util.c

   1 /*
   2  *  Unix SMB/CIFS implementation.
   3  *  Routines to operate on various trust relationships
   4  *  Copyright (C) Andrew Bartlett                   2001
   5  *  Copyright (C) Rafal Szczesniak                  2003
   6  *
   7  *  This program is free software; you can redistribute it and/or modify
   8  *  it under the terms of the GNU General Public License as published by
   9  *  the Free Software Foundation; either version 3 of the License, or
  10  *  (at your option) any later version.
  11  *
  12  *  This program is distributed in the hope that it will be useful,
  13  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  14  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15  *  GNU General Public License for more details.
  16  *
  17  *  You should have received a copy of the GNU General Public License
  18  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
  19  */
  20
  21 #include "includes.h"
  22 #include "../libcli/auth/libcli_auth.h"
  23
  24 /*********************************************************
  25  Change the domain password on the PDC.
  26  Store the password ourselves, but use the supplied password
  27  Caller must have already setup the connection to the NETLOGON pipe
  28 **********************************************************/
  29
  30 NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
  31                                       const char *domain,
  32                                       unsigned char orig_trust_passwd_hash[16],
  33                                       uint32 sec_channel_type)
  34 {
  35         unsigned char new_trust_passwd_hash[16];
  36         char *new_trust_passwd;
  37         NTSTATUS nt_status;
  38
  39         /* Create a random machine account password */
  40         new_trust_passwd = generate_random_str(mem_ctx, DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
  41
  42         if (new_trust_passwd == NULL) {
  43                 DEBUG(0, ("talloc_strdup failed\n"));
  44                 return NT_STATUS_NO_MEMORY;
  45         }
  46
  47         E_md4hash(new_trust_passwd, new_trust_passwd_hash);
  48
  49         nt_status = rpccli_netlogon_auth_set_trust_password(
  50                 cli, mem_ctx, orig_trust_passwd_hash, new_trust_passwd,
  51                 new_trust_passwd_hash, sec_channel_type);
  52
  53         if (NT_STATUS_IS_OK(nt_status)) {
  54                 DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
  55                          current_timestring(debug_ctx(), False)));
  56                 /*
  57                  * Return the result of trying to write the new password
  58                  * back into the trust account file.
  59                  */
  60                 if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
  61                         nt_status = NT_STATUS_UNSUCCESSFUL;
  62                 }
  63         }
  64
  65         return nt_status;
  66 }
  67
  68 /*********************************************************
  69  Change the domain password on the PDC.
  70  Do most of the legwork ourselfs.  Caller must have
  71  already setup the connection to the NETLOGON pipe
  72 **********************************************************/
  73
  74 NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
  75                                            TALLOC_CTX *mem_ctx,
  76                                            const char *domain)
  77 {
  78         unsigned char old_trust_passwd_hash[16];
  79         uint32 sec_channel_type = 0;
  80
  81         if (!secrets_fetch_trust_account_password(domain,
  82                                                   old_trust_passwd_hash,
  83                                                   NULL, &sec_channel_type)) {
  84                 DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
  85                 return NT_STATUS_UNSUCCESSFUL;
  86         }
  87
  88         return trust_pw_change_and_store_it(cli, mem_ctx, domain,
  89                                             old_trust_passwd_hash,
  90                                             sec_channel_type);
  91 }
  92
  93 /*********************************************************************
  94  Enumerate the list of trusted domains from a DC
  95 *********************************************************************/
  96
  97 bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
  98                                      char ***domain_names, uint32 *num_domains,
  99                                      DOM_SID **sids )
 100 {
 101         struct policy_handle    pol;
 102         NTSTATUS        result = NT_STATUS_UNSUCCESSFUL;
 103         fstring         dc_name;
 104         struct sockaddr_storage dc_ss;
 105         uint32          enum_ctx = 0;
 106         struct cli_state *cli = NULL;
 107         struct rpc_pipe_client *lsa_pipe;
 108         bool            retry;
 109         struct lsa_DomainList dom_list;
 110         int i;
 111
 112         *domain_names = NULL;
 113         *num_domains = 0;
 114         *sids = NULL;
 115
 116         /* lookup a DC first */
 117
 118         if ( !get_dc_name(domain, NULL, dc_name, &dc_ss) ) {
 119                 DEBUG(3,("enumerate_domain_trusts: can't locate a DC for domain %s\n",
 120                         domain));
 121                 return False;
 122         }
 123
 124         /* setup the anonymous connection */
 125
 126         result = cli_full_connection( &cli, global_myname(), dc_name, &dc_ss, 0, "IPC$", "IPC",
 127                 "", "", "", 0, Undefined, &retry);
 128         if ( !NT_STATUS_IS_OK(result) )
 129                 goto done;
 130
 131         /* open the LSARPC_PIPE */
 132
 133         result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
 134                                           &lsa_pipe);
 135         if (!NT_STATUS_IS_OK(result)) {
 136                 goto done;
 137         }
 138
 139         /* get a handle */
 140
 141         result = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, True,
 142                 LSA_POLICY_VIEW_LOCAL_INFORMATION, &pol);
 143         if ( !NT_STATUS_IS_OK(result) )
 144                 goto done;
 145
 146         /* Lookup list of trusted domains */
 147
 148         result = rpccli_lsa_EnumTrustDom(lsa_pipe, mem_ctx,
 149                                          &pol,
 150                                          &enum_ctx,
 151                                          &dom_list,
 152                                          (uint32_t)-1);
 153         if ( !NT_STATUS_IS_OK(result) )
 154                 goto done;
 155
 156         *num_domains = dom_list.count;
 157
 158         *domain_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, *num_domains);
 159         if (!*domain_names) {
 160                 result = NT_STATUS_NO_MEMORY;
 161                 goto done;
 162         }
 163
 164         *sids = TALLOC_ZERO_ARRAY(mem_ctx, DOM_SID, *num_domains);
 165         if (!*sids) {
 166                 result = NT_STATUS_NO_MEMORY;
 167                 goto done;
 168         }
 169
 170         for (i=0; i< *num_domains; i++) {
 171                 (*domain_names)[i] = CONST_DISCARD(char *, dom_list.domains[i].name.string);
 172                 (*sids)[i] = *dom_list.domains[i].sid;
 173         }
 174
 175 done:
 176         /* cleanup */
 177         if (cli) {
 178                 DEBUG(10,("enumerate_domain_trusts: shutting down connection...\n"));
 179                 cli_shutdown( cli );
 180         }
 181
 182         return NT_STATUS_IS_OK(result);
 183 }