#include "includes.h"
/*************************************************************
-change a password on a remote machine using IPC calls
+ Change a password on a remote machine using IPC calls.
*************************************************************/
+
BOOL remote_password_change(const char *remote_machine, const char *user_name,
const char *old_passwd, const char *new_passwd,
char *err_str, size_t err_str_len)
{
struct nmb_name calling, called;
struct cli_state cli;
+ struct rpc_pipe_client *pipe_hnd;
struct in_addr ip;
- struct ntuser_creds creds;
NTSTATUS result;
return False;
}
- init_creds(&creds, "", "", NULL);
- cli_init_creds(&cli, &creds);
+ cli_init_creds(&cli, "", "", NULL);
} else {
- init_creds(&creds, user_name, "", old_passwd);
- cli_init_creds(&cli, &creds);
+ cli_init_creds(&cli, user_name, "", old_passwd);
}
if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) {
return False;
}
- /* Try not to give the password away to easily */
+ /* Try not to give the password away too easily */
- cli.pipe_auth_flags = AUTH_PIPE_NTLMSSP;
- cli.pipe_auth_flags |= AUTH_PIPE_SIGN;
- cli.pipe_auth_flags |= AUTH_PIPE_SEAL;
-
- if ( !cli_nt_session_open( &cli, PI_SAMR ) ) {
+ pipe_hnd = cli_rpc_pipe_open_ntlmssp(&cli,
+ PI_SAMR,
+ PIPE_AUTH_LEVEL_PRIVACY,
+ "", /* what domain... ? */
+ user_name,
+ old_passwd,
+ &result);
+
+ if (!pipe_hnd) {
if (lp_client_lanman_auth()) {
+ /* Use the old RAP method. */
if (!cli_oem_change_password(&cli, user_name, new_passwd, old_passwd)) {
slprintf(err_str, err_str_len-1, "machine %s rejected the password change: Error was : %s.\n",
remote_machine, cli_errstr(&cli) );
return False;
}
} else {
- slprintf(err_str, err_str_len-1, "machine %s does not support SAMR connections, but LANMAN password changed are disabled\n",
- remote_machine);
+ slprintf(err_str, err_str_len-1,
+ "SAMR connection to machine %s failed. Error was %s, "
+ "but LANMAN password changed are disabled\n",
+ nt_errstr(result), remote_machine);
cli_shutdown(&cli);
return False;
}
}
- if (NT_STATUS_IS_OK(result = cli_samr_chgpasswd_user(&cli, cli.mem_ctx, user_name,
+ if (NT_STATUS_IS_OK(result = rpccli_samr_chgpasswd_user(pipe_hnd, cli.mem_ctx, user_name,
new_passwd, old_passwd))) {
/* Great - it all worked! */
cli_shutdown(&cli);
}
/* OK, that failed, so try again... */
- cli_nt_session_close(&cli);
+ cli_rpc_pipe_close(pipe_hnd);
/* Try anonymous NTLMSSP... */
- init_creds(&creds, "", "", NULL);
- cli_init_creds(&cli, &creds);
+ cli_init_creds(&cli, "", "", NULL);
- cli.pipe_auth_flags = 0;
-
result = NT_STATUS_UNSUCCESSFUL;
- /* OK, this is ugly, but... */
- if ( cli_nt_session_open( &cli, PI_SAMR )
- && NT_STATUS_IS_OK(result
- = cli_samr_chgpasswd_user(&cli, cli.mem_ctx, user_name,
- new_passwd, old_passwd))) {
+ /* OK, this is ugly, but... try an anonymous pipe. */
+ pipe_hnd = cli_rpc_pipe_open_noauth(&cli, PI_SAMR, &result);
+
+ if ( pipe_hnd &&
+ (NT_STATUS_IS_OK(result = rpccli_samr_chgpasswd_user(pipe_hnd,
+ cli.mem_ctx,
+ user_name,
+ new_passwd,
+ old_passwd)))) {
/* Great - it all worked! */
cli_shutdown(&cli);
return True;
-
} else {
if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)
|| NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) {
just might not support SAMR password changes, so fall back */
if (lp_client_lanman_auth()) {
+ /* Use the old RAP method. */
if (cli_oem_change_password(&cli, user_name, new_passwd, old_passwd)) {
/* SAMR failed, but the old LanMan protocol worked! */
cli_shutdown(&cli);
return False;
} else {
- slprintf(err_str, err_str_len-1,
- "machine %s does not support SAMR connections, but LANMAN password changed are disabled\n",
- remote_machine);
+ slprintf(err_str, err_str_len-1,
+ "SAMR connection to machine %s failed. Error was %s, "
+ "but LANMAN password changed are disabled\n",
+ nt_errstr(result), remote_machine);
cli_shutdown(&cli);
return False;
}
git.samba.org / tprouty / samba.git / blobdiff