--- /dev/null
+/*
+ Unix SMB/CIFS implementation.
+ Password and authentication handling
+ Copyright (C) Andrew Bartlett 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+#include "includes.h"
+#include "secrets.h"
+#include "param/param.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
+#include "param/provision.h"
+#include "auth/credentials/credentials.h"
+#include "s3compat_globals.h"
+#include "s3compat_authenticate.h"
+
+/* We don't implement the 'store' part of this API */
+bool secrets_store_domain_sid(const char *domain, const struct dom_sid *sid)
+{
+ DEBUG(0, (__location__ "secrets_store_domain_sid: NOT IMPLEMENTED"));
+ return false;
+}
+
+bool secrets_fetch_domain_sid(const char *domain, struct dom_sid *sid)
+{
+ struct dom_sid *secrets_sid;
+ TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+ char *error_string;
+
+ if (!tmp_ctx) {
+ DEBUG(0, (__location__ "Failed to talloc_new"));
+ return false;
+ }
+ secrets_sid = secrets_get_domain_sid(tmp_ctx, s3compat_get_tevent_ctx(),
+ s3compat_get_lp_ctx(), domain, &error_string);
+ if (!secrets_sid) {
+ DEBUG(0, (__location__ "Failed to get domain SID for domain %s: %s\n", domain, error_string));
+ talloc_free(tmp_ctx);
+ return false;
+ };
+ *sid = *secrets_sid;
+ talloc_free(tmp_ctx);
+ return true;
+}
+
+bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid)
+{
+ DEBUG(0, (__location__ "secrets_fetch_domain_guid: NOT IMPLEMENTED"));
+ return false;
+
+}
+void *secrets_get_trust_account_lock(TALLOC_CTX *mem_ctx, const char *domain)
+{
+ DEBUG(0, (__location__ "secrets_get_trust_account_lock: NOT IMPLEMENTED"));
+ return NULL;
+}
+
+/* Return the NT Hash of the machine account password */
+bool secrets_fetch_trust_account_password_legacy(const char *domain,
+ uint8_t ret_pwd[16],
+ time_t *pass_last_set_time,
+ enum netr_SchannelType *channel)
+{
+ const struct samr_Password *password;
+ struct cli_credentials *creds;
+ if (pass_last_set_time) {
+ DEBUG(0, ("TODO: Return a valid pass_last_set_time"));
+ *pass_last_set_time = 0;
+ }
+ /* The machine account code uses event_context_find(), so use this as the parent */
+ creds = cli_credentials_init(s3compat_get_tevent_ctx());
+ if (!creds) {
+ return false;
+ }
+
+ cli_credentials_guess(creds, s3compat_get_lp_ctx());
+ cli_credentials_set_domain(creds, domain, CRED_SPECIFIED);
+ cli_credentials_set_machine_account(creds, s3compat_get_lp_ctx());
+ password = cli_credentials_get_nt_hash(creds, creds);
+ if (password) {
+ memcpy(ret_pwd, password->hash, 16);
+ if (channel) {
+ *channel = cli_credentials_get_secure_channel_type(creds);
+ }
+ if (pass_last_set_time) {
+ *pass_last_set_time = cli_credentials_get_password_last_changed_time(creds);
+ }
+ talloc_free(creds);
+ return true;
+ }
+ return false;
+}
+
+bool secrets_fetch_trust_account_password(const char *domain, uint8_t ret_pwd[16],
+ time_t *pass_last_set_time,
+ enum netr_SchannelType *channel)
+{
+ return secrets_fetch_trust_account_password_legacy(domain, ret_pwd, pass_last_set_time, channel);
+}
+
+bool secrets_delete_machine_password(const char *domain)
+{
+ DEBUG(0, (__location__ "secrets_delete_machine_password: NOT IMPLEMENTED"));
+ return false;
+}
+bool secrets_delete_machine_password_ex(const char *domain)
+{
+ return secrets_delete_machine_password(domain);
+}
+bool secrets_delete_domain_sid(const char *domain)
+{
+ return secrets_delete_machine_password(domain);
+}
+
+bool secrets_store_machine_password(const char *pass, const char *domain,
+ enum netr_SchannelType sec_channel)
+{
+ NTSTATUS status;
+ struct loadparm_context *lp_ctx = s3compat_get_lp_ctx();
+ char *error_string;
+ const char *error_string2;
+ struct provision_store_self_join_settings *set_secrets;
+ TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+ return false;
+ }
+ set_secrets = talloc_zero(tmp_ctx, struct provision_store_self_join_settings);
+ if (!set_secrets) {
+ talloc_free(tmp_ctx);
+ return false;
+ }
+
+ ZERO_STRUCTP(set_secrets);
+ set_secrets->domain_name = domain;
+ set_secrets->realm = lp_realm(lp_ctx);
+ set_secrets->netbios_name = lp_netbios_name(lp_ctx);
+ set_secrets->secure_channel_type = sec_channel;
+ set_secrets->machine_password = pass;
+
+ DEBUG(0, ("TODO: Assuming key version number 0 after password change - this is WRONG"));
+ set_secrets->key_version_number = 0;
+ set_secrets->domain_sid = secrets_get_domain_sid(tmp_ctx, s3compat_get_tevent_ctx(),
+ lp_ctx, domain, &error_string);
+ if (!set_secrets->domain_sid) {
+ DEBUG(0, (__location__ "Failed to get domain SID for domain %s: %s\n", domain, error_string));
+ talloc_free(tmp_ctx);
+ return false;
+ };
+
+ status = provision_store_self_join(tmp_ctx, lp_ctx, s3compat_get_tevent_ctx(), set_secrets, &error_string2);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, (__location__ "Failed to get domain SID for domain %s: %s\n", domain, error_string2));
+ talloc_free(tmp_ctx);
+ return false;
+ }
+
+ talloc_free(tmp_ctx);
+ return true;
+}
+
+char *secrets_fetch_machine_password(const char *domain,
+ time_t *pass_last_set_time,
+ enum netr_SchannelType *channel)
+{
+ const char *password;
+ char *dup_password;
+ struct cli_credentials *creds;
+
+ /* The machine account code uses event_context_find(), so use this as the parent */
+ creds = cli_credentials_init(s3compat_get_tevent_ctx());
+ if (!creds) {
+ return NULL;
+ }
+
+ cli_credentials_guess(creds, s3compat_get_lp_ctx());
+ cli_credentials_set_domain(creds, domain, CRED_SPECIFIED);
+ cli_credentials_set_machine_account(creds, s3compat_get_lp_ctx());
+ password = cli_credentials_get_password(creds);
+ if (!password) {
+ talloc_free(creds);
+ return NULL;
+ }
+
+ if (pass_last_set_time) {
+ *pass_last_set_time = cli_credentials_get_password_last_changed_time(creds);
+ }
+ if (channel) {
+ *channel = cli_credentials_get_secure_channel_type(creds);
+ }
+ dup_password = strdup(password);
+ talloc_free(creds);
+ return dup_password;
+}