net: make use of secrets_*_password_change() for "net changesecretpw"
authorStefan Metzmacher <metze@samba.org>
Tue, 23 May 2017 15:29:31 +0000 (17:29 +0200)
committerStefan Metzmacher <metze@samba.org>
Thu, 13 Jul 2017 08:51:20 +0000 (10:51 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 4ae6a3ffb233c9b9576a3b5bb15a51ee56e4dbc3)

source3/utils/net.c

index fcf9942628d9667c0fb50da992706cd2390cb7bf..c4923d0b2ea722a5ba8e1cc1c4cb14fc4c1601dc 100644 (file)
@@ -172,9 +172,23 @@ static int net_changesecretpw(struct net_context *c, int argc,
                              const char **argv)
 {
         char *trust_pw;
-        enum netr_SchannelType sec_channel_type = SEC_CHAN_WKSTA;
+       int role = lp_server_role();
+
+       if (role != ROLE_DOMAIN_MEMBER) {
+               d_printf(_("Machine account password change only supported on a DOMAIN_MEMBER.\n"
+                          "Do NOT use this function unless you know what it does!\n"
+                          "This function will change the ADS Domain member "
+                          "machine account password in the secrets.tdb file!\n"));
+               return 1;
+       }
 
        if(c->opt_force) {
+               struct secrets_domain_info1 *info = NULL;
+               struct secrets_domain_info1_change *prev = NULL;
+               NTSTATUS status;
+               struct timeval tv = timeval_current();
+               NTTIME now = timeval_to_nttime(&tv);
+
                if (c->opt_stdin) {
                        set_line_buffering(stdin);
                        set_line_buffering(stdout);
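Review bot: `now` is computed from `timeval_current()` at the top of the `if (c->opt_force)` block, before the new password is read (the read following `set_line_buffering(stdin)` lies outside the hunk), so if that read waits on an interactive prompt the timestamp later handed to `secrets_finish_password_change` predates the actual change by however long the user takes to type. Moving the two lines `struct timeval tv = timeval_current();` and `NTTIME now = timeval_to_nttime(&tv);` to just before the finish call records the real change time. net_changesecretpw's body continues past the hunk.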
@@ -188,14 +202,37 @@ static int net_changesecretpw(struct net_context *c, int argc,
                            return 1;
                }
 
-               if (!secrets_store_machine_password(trust_pw, lp_workgroup(), sec_channel_type)) {
-                           d_fprintf(stderr,
-                                     _("Unable to write the machine account password in the secrets database"));
-                           return 1;
+               status = secrets_prepare_password_change(lp_workgroup(),
+                                                        "localhost",
+                                                        trust_pw,
+                                                        talloc_tos(),
+                                                        &info, &prev);
+               if (!NT_STATUS_IS_OK(status)) {
+                       d_fprintf(stderr,
+                               _("Unable to write the machine account password in the secrets database"));
+                       return 1;
                }
-               else {
-                   d_printf(_("Modified trust account password in secrets database\n"));
+               if (prev != NULL) {
+                       d_fprintf(stderr,
+                               _("Pending machine account password change found - aborting."));
+                       status = secrets_failed_password_change("localhost",
+                                               NT_STATUS_REQUEST_NOT_ACCEPTED,
+                                               NT_STATUS_NOT_COMMITTED,
+                                               info);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               d_fprintf(stderr,
+                                       _("Failed to abort machine account password change"));
+                       }
+                       return 1;
                }
+               status = secrets_finish_password_change("localhost", now, info);
+               if (!NT_STATUS_IS_OK(status)) {
+                       d_fprintf(stderr,
+                               _("Unable to write the machine account password in the secrets database"));
+                       return 1;
+               }
+
+               d_printf(_("Modified trust account password in secrets database\n"));
        }
        else {
                d_printf(_("Machine account password change requires the -f flag.\n"
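Review bot: The new failure paths after `secrets_prepare_password_change`, `secrets_failed_password_change` and `secrets_finish_password_change` discard `status`, and none of the four new `d_fprintf(stderr, ...)` messages ends in a newline, so the user sees the same text for two different failures with the shell prompt glued to it. The old `secrets_store_machine_password` message already lacked the newline, but now that an NTSTATUS is available it should be reported, e.g. `_("Unable to write the machine account password in the secrets database: %s\n"), nt_errstr(status)` and likewise `"Pending machine account password change found - aborting.\n"`. If `secrets_finish_password_change` fails after a successful prepare, the function returns without calling `secrets_failed_password_change`; whether that leaves a pending change in secrets.tdb that makes the next run hit the abort branch depends on the helpers, which are outside the hunk, and is worth confirming. net_changesecretpw's body continues past the hunk.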