source3/libsmb/trusts_util.c

   1 /*
   2  *  Unix SMB/CIFS implementation.
   3  *  Routines to operate on various trust relationships
   4  *  Copyright (C) Andrew Bartlett                   2001
   5  *  Copyright (C) Rafal Szczesniak                  2003
   6  *
   7  *  This program is free software; you can redistribute it and/or modify
   8  *  it under the terms of the GNU General Public License as published by
   9  *  the Free Software Foundation; either version 3 of the License, or
  10  *  (at your option) any later version.
  11  *
  12  *  This program is distributed in the hope that it will be useful,
  13  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  14  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15  *  GNU General Public License for more details.
  16  *
  17  *  You should have received a copy of the GNU General Public License
  18  *  along with this program; if not, see <http://www.gnu.org/licenses/>.
  19  */
  20
  21 #include "includes.h"
  22 #include "../libcli/auth/libcli_auth.h"
  23 #include "../libcli/auth/netlogon_creds_cli.h"
  24 #include "rpc_client/cli_netlogon.h"
  25 #include "rpc_client/cli_pipe.h"
  26 #include "../librpc/gen_ndr/ndr_netlogon.h"
  27 #include "secrets.h"
  28 #include "passdb.h"
  29 #include "libsmb/libsmb.h"
  30 #include "source3/include/messages.h"
  31 #include "source3/include/g_lock.h"
  32
  33 /*********************************************************
  34  Change the domain password on the PDC.
  35  Do most of the legwork ourselfs.  Caller must have
  36  already setup the connection to the NETLOGON pipe
  37 **********************************************************/
  38
  39 NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
  40                                            TALLOC_CTX *mem_ctx,
  41                                            const char *domain)
  42 {
  43         unsigned char old_trust_passwd_hash[16];
  44         unsigned char new_trust_passwd_hash[16];
  45         enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
  46         const char *account_name;
  47         char *new_trust_passwd;
  48         NTSTATUS nt_status;
  49
  50         if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
  51                                &sec_channel_type)) {
  52                 DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
  53                 return NT_STATUS_UNSUCCESSFUL;
  54         }
  55
  56         switch (sec_channel_type) {
  57         case SEC_CHAN_WKSTA:
  58         case SEC_CHAN_DOMAIN:
  59                 break;
  60         default:
  61                 return NT_STATUS_NOT_SUPPORTED;
  62         }
  63
  64         /* Create a random machine account password */
  65         new_trust_passwd = generate_random_password(mem_ctx,
  66                                 DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
  67                                 DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
  68         if (new_trust_passwd == NULL) {
  69                 DEBUG(0, ("generate_random_password failed\n"));
  70                 return NT_STATUS_NO_MEMORY;
  71         }
  72
  73         E_md4hash(new_trust_passwd, new_trust_passwd_hash);
  74
  75         nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
  76                                                        account_name,
  77                                                        old_trust_passwd_hash,
  78                                                        new_trust_passwd,
  79                                                        new_trust_passwd_hash,
  80                                                        sec_channel_type);
  81
  82         if (NT_STATUS_IS_OK(nt_status)) {
  83                 DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
  84                          current_timestring(talloc_tos(), False)));
  85                 /*
  86                  * Return the result of trying to write the new password
  87                  * back into the trust account file.
  88                  */
  89
  90                 switch (sec_channel_type) {
  91
  92                 case SEC_CHAN_WKSTA:
  93                         if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
  94                                 nt_status = NT_STATUS_UNSUCCESSFUL;
  95                         }
  96                         break;
  97
  98                 case SEC_CHAN_DOMAIN: {
  99                         char *pwd;
 100                         struct dom_sid sid;
 101                         time_t pass_last_set_time;
 102
 103                         /* we need to get the sid first for the
 104                          * pdb_set_trusteddom_pw call */
 105
 106                         if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
 107                                 nt_status = NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
 108                         }
 109                         if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
 110                                 nt_status = NT_STATUS_INTERNAL_DB_CORRUPTION;
 111                         }
 112                         break;
 113                 }
 114                 }
 115         }
 116
 117         return nt_status;
 118 }
 119
 120 struct trust_pw_change_state {
 121         struct g_lock_ctx *g_ctx;
 122         char *g_lock_key;
 123 };
 124
 125 static int trust_pw_change_state_destructor(struct trust_pw_change_state *state)
 126 {
 127         g_lock_unlock(state->g_ctx, state->g_lock_key);
 128         return 0;
 129 }
 130
 131 NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
 132                          struct messaging_context *msg_ctx,
 133                          struct dcerpc_binding_handle *b,
 134                          const char *domain,
 135                          bool force)
 136 {
 137         TALLOC_CTX *frame = talloc_stackframe();
 138         struct trust_pw_change_state *state;
 139         struct samr_Password current_nt_hash;
 140         const struct samr_Password *previous_nt_hash = NULL;
 141         enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
 142         const char *account_name;
 143         char *new_trust_passwd;
 144         char *pwd;
 145         struct dom_sid sid;
 146         time_t pass_last_set_time;
 147         struct timeval g_timeout = { 0, };
 148         int timeout = 0;
 149         struct timeval tv = { 0, };
 150         NTSTATUS status;
 151
 152         state = talloc_zero(frame, struct trust_pw_change_state);
 153         if (state == NULL) {
 154                 TALLOC_FREE(frame);
 155                 return NT_STATUS_NO_MEMORY;
 156         }
 157
 158         state->g_ctx = g_lock_ctx_init(state, msg_ctx);
 159         if (state->g_ctx == NULL) {
 160                 TALLOC_FREE(frame);
 161                 return NT_STATUS_NO_MEMORY;
 162         }
 163
 164         state->g_lock_key = talloc_asprintf(state,
 165                                 "trust_password_change_%s",
 166                                 domain);
 167         if (state->g_lock_key == NULL) {
 168                 TALLOC_FREE(frame);
 169                 return NT_STATUS_NO_MEMORY;
 170         }
 171
 172         g_timeout = timeval_current_ofs(10, 0);
 173         status = g_lock_lock(state->g_ctx,
 174                              state->g_lock_key,
 175                              G_LOCK_WRITE, g_timeout);
 176         if (!NT_STATUS_IS_OK(status)) {
 177                 DEBUG(1, ("could not get g_lock on [%s]!\n",
 178                           state->g_lock_key));
 179                 TALLOC_FREE(frame);
 180                 return status;
 181         }
 182
 183         talloc_set_destructor(state, trust_pw_change_state_destructor);
 184
 185         if (!get_trust_pw_hash(domain, current_nt_hash.hash,
 186                                &account_name,
 187                                &sec_channel_type)) {
 188                 DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
 189                 TALLOC_FREE(frame);
 190                 return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
 191         }
 192
 193         switch (sec_channel_type) {
 194         case SEC_CHAN_WKSTA:
 195                 pwd = secrets_fetch_machine_password(domain,
 196                                                      &pass_last_set_time,
 197                                                      NULL);
 198                 if (pwd == NULL) {
 199                         TALLOC_FREE(frame);
 200                         return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
 201                 }
 202                 break;
 203         case SEC_CHAN_DOMAIN:
 204                 if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
 205                         TALLOC_FREE(frame);
 206                         return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
 207                 }
 208                 break;
 209         default:
 210                 TALLOC_FREE(frame);
 211                 return NT_STATUS_NOT_SUPPORTED;
 212         }
 213
 214         timeout = lp_machine_password_timeout();
 215         if (timeout == 0) {
 216                 if (!force) {
 217                         DEBUG(10,("machine password never expires\n"));
 218                         TALLOC_FREE(frame);
 219                         return NT_STATUS_OK;
 220                 }
 221         }
 222
 223         tv.tv_sec = pass_last_set_time;
 224         DEBUG(10, ("password last changed %s\n",
 225                    timeval_string(talloc_tos(), &tv, false)));
 226         tv.tv_sec += timeout;
 227         DEBUGADD(10, ("password valid until %s\n",
 228                       timeval_string(talloc_tos(), &tv, false)));
 229
 230         if (!force && !timeval_expired(&tv)) {
 231                 TALLOC_FREE(frame);
 232                 return NT_STATUS_OK;
 233         }
 234
 235         /* Create a random machine account password */
 236         new_trust_passwd = generate_random_password(frame,
 237                                 DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
 238                                 DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
 239         if (new_trust_passwd == NULL) {
 240                 DEBUG(0, ("generate_random_password failed\n"));
 241                 TALLOC_FREE(frame);
 242                 return NT_STATUS_NO_MEMORY;
 243         }
 244
 245         status = netlogon_creds_cli_auth(context, b,
 246                                          current_nt_hash,
 247                                          previous_nt_hash);
 248         if (!NT_STATUS_IS_OK(status)) {
 249                 TALLOC_FREE(frame);
 250                 return status;
 251         }
 252
 253         status = netlogon_creds_cli_ServerPasswordSet(context, b,
 254                                                       new_trust_passwd, NULL);
 255         if (!NT_STATUS_IS_OK(status)) {
 256                 TALLOC_FREE(frame);
 257                 return status;
 258         }
 259
 260         DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
 261                  current_timestring(talloc_tos(), False)));
 262
 263         /*
 264          * Return the result of trying to write the new password
 265          * back into the trust account file.
 266          */
 267
 268         switch (sec_channel_type) {
 269
 270         case SEC_CHAN_WKSTA:
 271                 if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
 272                         TALLOC_FREE(frame);
 273                         return NT_STATUS_INTERNAL_DB_CORRUPTION;
 274                 }
 275                 break;
 276
 277         case SEC_CHAN_DOMAIN:
 278                 /*
 279                  * we need to get the sid first for the
 280                  * pdb_set_trusteddom_pw call
 281                  */
 282                 if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
 283                         TALLOC_FREE(frame);
 284                         return NT_STATUS_INTERNAL_DB_CORRUPTION;
 285                 }
 286                 break;
 287
 288         default:
 289                 break;
 290         }
 291
 292         TALLOC_FREE(frame);
 293         return NT_STATUS_OK;
 294 }