s3:libsmb: add trust_pw_new_value() helper function
authorStefan Metzmacher <metze@samba.org>
Tue, 23 Aug 2016 10:12:35 +0000 (12:12 +0200)
committerStefan Metzmacher <metze@samba.org>
Sat, 25 Feb 2017 00:35:17 +0000 (01:35 +0100)
This generates a new trust password based on the secure channel type
and lp_security().

NT4 really has a limit of 28 UTF16 bytes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 9e26ad86fbd7e6f39f98fb9d037ac86f3146cb11)

source3/include/proto.h
source3/libsmb/trusts_util.c

index 62cd257f70fdbd6c4cc09c0e31cf571d5b22120f..c29e2663a454736903f67d9a35742b85cf9df374 100644 (file)
@@ -882,6 +882,9 @@ void update_trustdom_cache( void );
 struct netlogon_creds_cli_context;
 struct messaging_context;
 struct dcerpc_binding_handle;
+char *trust_pw_new_value(TALLOC_CTX *mem_ctx,
+                        enum netr_SchannelType sec_channel_type,
+                        int security);
 NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
                         struct messaging_context *msg_ctx,
                         struct dcerpc_binding_handle *b,
index 4b784c1babefe926354b9cbbae1199ef076d3f1c..efe8098a642ce8c15a9fd0d16b0f04b5c345e6c3 100644 (file)
@@ -47,6 +47,62 @@ static int trust_pw_change_state_destructor(struct trust_pw_change_state *state)
        return 0;
 }
 
+char *trust_pw_new_value(TALLOC_CTX *mem_ctx,
+                        enum netr_SchannelType sec_channel_type,
+                        int security)
+{
+       /*
+        * use secure defaults.
+        */
+       size_t min = 128;
+       size_t max = 255;
+
+       switch (sec_channel_type) {
+       case SEC_CHAN_WKSTA:
+       case SEC_CHAN_BDC:
+               if (security == SEC_DOMAIN) {
+                       /*
+                        * The maximum length of a trust account password.
+                        * Used when we randomly create it, 15 char passwords
+                        * exceed NT4's max password length.
+                        */
+                       min = 14;
+                       max = 14;
+               }
+               break;
+       case SEC_CHAN_DNS_DOMAIN:
+               /*
+                * new_len * 2 = 498 bytes is the largest possible length
+                * NL_PASSWORD_VERSION consumes the rest of the possible 512 bytes
+                * and a confounder with at least 2 bytes is required.
+                *
+                * Windows uses new_len = 120 => 240 bytes (utf16)
+                */
+               min = 120;
+               max = 120;
+               break;
+               /* fall through */
+       case SEC_CHAN_DOMAIN:
+               /*
+                * The maximum length of a trust account password.
+                * Used when we randomly create it, 15 char passwords
+                * exceed NT4's max password length.
+                */
+               min = 14;
+               max = 14;
+               break;
+       default:
+               break;
+       }
+
+       /*
+        * Create a random machine account password
+        * We create a random buffer and convert that to utf8.
+        * This is similar to what windows is doing.
+        */
+       return generate_random_machine_password(mem_ctx, min, max);
+}
+
 NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
                         struct messaging_context *msg_ctx,
                         struct dcerpc_binding_handle *b,
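Review bot: The `/* fall through */` comment in the SEC_CHAN_DNS_DOMAIN arm sits after the `break;`, so it documents a fall-through that never happens; since the 120-character value must not be overwritten by the SEC_CHAN_DOMAIN arm's 14, the break is the intended behaviour and the stray comment line should be deleted rather than the break. The NT4 explanation is duplicated verbatim in the SEC_CHAN_WKSTA/SEC_CHAN_BDC and SEC_CHAN_DOMAIN arms; stating it once above the switch, e.g. `/* NT4 limits trust passwords to 14 chars (28 UTF16 bytes), see commit message */`, and keeping only `min = max = 14;` in each arm would make the two arms easier to keep in sync. The `security` parameter is only consulted in the WKSTA/BDC arms and is ignored for the trust cases, so a header comment on the definition such as `/* security is the lp_security() value; only relevant for SEC_CHAN_WKSTA/SEC_CHAN_BDC */` would save a reader from guessing why SEC_CHAN_DOMAIN does not check it. The result of generate_random_machine_password() is returned unchecked, which is fine as long as every caller treats a NULL return as failure; worth noting in that same header comment.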