s4-kdc: Add a kpasswd_samdb_set_password() helper function

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

diff --git a/source4/kdc/kpasswd-helper.c b/source4/kdc/kpasswd-helper.c
index 5ecb6e976b447670938f955ab9e9670eb7662ae3..996b318bd4015fa4a1f9c711ff2f104bb07e595b 100644 (file)
--- a/source4/kdc/kpasswd-helper.c
+++ b/source4/kdc/kpasswd-helper.c
@@ -23,6 +23,8 @@
 #include "includes.h"
 #include "system/kerberos.h"
 #include "librpc/gen_ndr/samr.h"
+#include "dsdb/samdb/samdb.h"
+#include "auth/auth.h"
 #include "kdc/kpasswd-helper.h"
 
 bool kpasswd_make_error_reply(TALLOC_CTX *mem_ctx,
@@ -156,3 +158,84 @@ bool kpasswd_make_pwchange_reply(TALLOC_CTX *mem_ctx,
                                        "Password changed",
                                        error_blob);
 }
+
+NTSTATUS kpasswd_samdb_set_password(TALLOC_CTX *mem_ctx,
+                                   struct tevent_context *event_ctx,
+                                   struct loadparm_context *lp_ctx,
+                                   struct auth_session_info *session_info,
+                                   bool is_service_principal,
+                                   const char *target_principal_name,
+                                   DATA_BLOB *password,
+                                   enum samPwdChangeReason *reject_reason,
+                                   struct samr_DomInfo1 **dominfo)
+{
+       NTSTATUS status;
+       struct ldb_context *samdb;
+       struct ldb_dn *target_dn = NULL;
+       int rc;
+
+       samdb = samdb_connect(mem_ctx,
+                             event_ctx,
+                             lp_ctx,
+                             session_info,
+                             0);
+       if (samdb == NULL) {
+               return NT_STATUS_INTERNAL_DB_CORRUPTION;
+       }
+
+       DBG_INFO("%s\\%s (%s) is changing password of %s\n",
+                session_info->info->domain_name,
+                session_info->info->account_name,
+                dom_sid_string(mem_ctx,
+                               &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]),
+                target_principal_name);
+
+       rc = ldb_transaction_start(samdb);
+       if (rc != LDB_SUCCESS) {
+               return NT_STATUS_TRANSACTION_ABORTED;
+       }
+
+       if (is_service_principal) {
+               status = crack_service_principal_name(samdb,
+                                                     mem_ctx,
+                                                     target_principal_name,
+                                                     &target_dn,
+                                                     NULL);
+       } else {
+               status = crack_user_principal_name(samdb,
+                                                  mem_ctx,
+                                                  target_principal_name,
+                                                  &target_dn,
+                                                  NULL);
+       }
+       if (!NT_STATUS_IS_OK(status)) {
+               ldb_transaction_cancel(samdb);
+               return status;
+       }
+
+       status = samdb_set_password(samdb,
+                                   mem_ctx,
+                                   target_dn,
+                                   NULL, /* domain_dn */
+                                   password,
+                                   NULL, /* lmNewHash */
+                                   NULL, /* ntNewHash */
+                                   NULL, /* lmOldHash */
+                                   NULL, /* ntOldHash */
+                                   reject_reason,
+                                   dominfo);
+       if (NT_STATUS_IS_OK(status)) {
+               rc = ldb_transaction_commit(samdb);
+               if (rc != LDB_SUCCESS) {
+                       DBG_WARNING("Failed to commit transaction to "
+                                   "set password on %s: %s\n",
+                                   ldb_dn_get_linearized(target_dn),
+                                   ldb_errstring(samdb));
+                       return NT_STATUS_TRANSACTION_ABORTED;
+               }
+       } else {
+               ldb_transaction_cancel(samdb);
+       }
+
+       return status;
+}

diff --git a/source4/kdc/kpasswd-helper.h b/source4/kdc/kpasswd-helper.h
index d2ff1e3ec2fc324da424c267ec8fcd0a25e78e90..8fad81e0a5d499d59949873f2243bb8b1d8e4397 100644 (file)
--- a/source4/kdc/kpasswd-helper.h
+++ b/source4/kdc/kpasswd-helper.h
@@ -33,4 +33,14 @@ bool kpasswd_make_pwchange_reply(TALLOC_CTX *mem_ctx,
                                 struct samr_DomInfo1 *dominfo,
                                 DATA_BLOB *error_blob);
 
+NTSTATUS kpasswd_samdb_set_password(TALLOC_CTX *mem_ctx,
+                                   struct tevent_context *event_ctx,
+                                   struct loadparm_context *lp_ctx,
+                                   struct auth_session_info *session_info,
+                                   bool is_service_principal,
+                                   const char *target_principal_name,
+                                   DATA_BLOB *password,
+                                   enum samPwdChangeReason *reject_reason,
+                                   struct samr_DomInfo1 **dominfo);
+
 #endif /* _KPASSWD_HELPER_H */