void attempt_machine_password_change(void)
{
unsigned char trust_passwd_hash[16];
time_t lct;
void *lock;
if (!global_machine_password_needs_changing) {
return;
}
if (lp_security() != SEC_DOMAIN) {
return;
}
/*
* We're in domain level security, and the code that
* read the machine password flagged that the machine
* password needs changing.
*/
/*
* First, open the machine password file with an exclusive lock.
*/
lock = secrets_get_trust_account_lock(NULL, lp_workgroup());
if (lock == NULL) {
DEBUG(0,("attempt_machine_password_change: unable to lock "
"the machine account password for machine %s in "
"domain %s.\n",
lp_netbios_name(), lp_workgroup() ));
return;
}
if(!secrets_fetch_trust_account_password(lp_workgroup(),
trust_passwd_hash, &lct, NULL)) {
DEBUG(0,("attempt_machine_password_change: unable to read the "
"machine account password for %s in domain %s.\n",
lp_netbios_name(), lp_workgroup()));
TALLOC_FREE(lock);
return;
}
/*
* Make sure someone else hasn't already done this.
*/
if(time(NULL) < lct + lp_machine_password_timeout()) {
global_machine_password_needs_changing = false;
TALLOC_FREE(lock);
return;
}
/* always just contact the PDC here */
change_trust_account_password( lp_workgroup(), NULL);
global_machine_password_needs_changing = false;
TALLOC_FREE(lock);
}
static NTSTATUS cmd_netlogon_sam_deltas(struct cli_state *cli,
TALLOC_CTX *mem_ctx, int argc,
char **argv)
{
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
unsigned char trust_passwd[16];
uint32 database_id, num_deltas, tmp;
SAM_DELTA_HDR *hdr_deltas;
SAM_DELTA_CTR *deltas;
UINT64_S seqnum;
if (argc != 3) {
fprintf(stderr, "Usage: %s database_id seqnum\n", argv[0]);
return NT_STATUS_OK;
}
database_id = atoi(argv[1]);
tmp = atoi(argv[2]);
seqnum.low = tmp & 0xffff;
seqnum.high = 0;
if (!secrets_init()) {
fprintf(stderr, "Unable to initialise secrets database\n");
goto done;
}
/* Initialise session credentials */
if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd,
NULL)) {
fprintf(stderr, "could not fetch trust account password\n");
goto done;
}
result = cli_nt_setup_creds(cli, trust_passwd);
if (!NT_STATUS_IS_OK(result)) {
fprintf(stderr, "Error initialising session creds\n");
goto done;
}
/* Synchronise sam database */
result = cli_netlogon_sam_deltas(cli, mem_ctx, database_id,
seqnum, &num_deltas,
&hdr_deltas, &deltas);
if (!NT_STATUS_IS_OK(result))
goto done;
/* Display results */
display_sam_sync(num_deltas, hdr_deltas, deltas);
done:
return result;
}
static NTSTATUS cmd_netlogon_sam_sync(struct cli_state *cli,
TALLOC_CTX *mem_ctx, int argc,
char **argv)
{
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
unsigned char trust_passwd[16];
uint32 database_id = 0, num_deltas;
SAM_DELTA_HDR *hdr_deltas;
SAM_DELTA_CTR *deltas;
DOM_CRED ret_creds;
if (argc > 2) {
fprintf(stderr, "Usage: %s [database_id]\n", argv[0]);
return NT_STATUS_OK;
}
if (argc == 2)
database_id = atoi(argv[1]);
if (!secrets_init()) {
fprintf(stderr, "Unable to initialise secrets database\n");
return result;
}
/* Initialise session credentials */
if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd,
NULL)) {
fprintf(stderr, "could not fetch trust account password\n");
goto done;
}
result = cli_nt_setup_creds(cli, trust_passwd);
if (!NT_STATUS_IS_OK(result)) {
fprintf(stderr, "Error initialising session creds\n");
goto done;
}
/* on first call the returnAuthenticator is empty */
memset(&ret_creds, 0, sizeof(ret_creds));
/* Synchronise sam database */
result = cli_netlogon_sam_sync(cli, mem_ctx, &ret_creds, database_id,
&num_deltas, &hdr_deltas, &deltas);
if (!NT_STATUS_IS_OK(result))
goto done;
/* Display results */
display_sam_sync(num_deltas, hdr_deltas, deltas);
done:
return result;
}
static PyObject *py_auth_smbd(PyObject *self, PyObject *args, PyObject *kw)
{
static char *kwlist[] =
{"username", "password", "use_lm_hash", "use_nt_hash", NULL };
struct winbindd_request request;
struct winbindd_response response;
char *username, *password;
int use_lm_hash = 1, use_nt_hash = 1;
if (!PyArg_ParseTupleAndKeywords(
args, kw, "ss|ii", kwlist, &username, &password,
&use_lm_hash, &use_nt_hash))
return NULL;
ZERO_STRUCT(request);
ZERO_STRUCT(response);
if (push_utf8_fstring(request.data.auth_crap.user, username) == -1) {
PyErr_SetString("unable to create utf8 string");
return NULL;
}
generate_random_buffer(request.data.smbd_auth_crap.chal, 8);
if (use_lm_hash) {
SMBencrypt((uchar *)password,
request.data.smbd_auth_crap.chal,
(uchar *)request.data.smbd_auth_crap.lm_resp);
request.data.smbd_auth_crap.lm_resp_len = 24;
}
if (use_nt_hash) {
SMBNTencrypt((uchar *)password,
request.data.smbd_auth_crap.chal,
(uchar *)request.data.smbd_auth_crap.nt_resp);
request.data.smbd_auth_crap.nt_resp_len = 24;
}
if (!secrets_fetch_trust_account_password(
lp_workgroup(), request.data.smbd_auth_crap.proof, NULL)) {
PyErr_SetString(
winbind_error, "unable to fetch domain secret");
return NULL;
}
if (winbindd_request(WINBINDD_SMBD_AUTH_CRAP, &request, &response)
!= NSS_STATUS_SUCCESS) {
PyErr_SetString(winbind_error, "lookup failed");
return NULL;
}
return PyInt_FromLong(response.data.auth.nt_status);
}
static NTSTATUS cmd_netlogon_sam_logon(struct cli_state *cli,
TALLOC_CTX *mem_ctx, int argc,
char **argv)
{
unsigned char trust_passwd[16];
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
int logon_type = NET_LOGON_TYPE;
char *username, *password;
/* Check arguments */
if (argc < 3 || argc > 4) {
fprintf(stderr, "Usage: samlogon <username> <password> "
"[logon_type]\n");
return NT_STATUS_OK;
}
username = argv[1];
password = argv[2];
if (argc == 4)
sscanf(argv[3], "%i", &logon_type);
/* Authenticate ourselves with the domain controller */
if (!secrets_init()) {
fprintf(stderr, "Unable to initialise secrets database\n");
return result;
}
if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd,
NULL)) {
fprintf(stderr, "could not fetch trust account password\n");
goto done;
}
result = cli_nt_setup_creds(cli, trust_passwd);
if (!NT_STATUS_IS_OK(result)) {
fprintf(stderr, "Error initialising session creds\n");
goto done;
}
/* Perform the sam logon */
result = cli_netlogon_sam_logon(cli, mem_ctx, username, password,
logon_type);
if (!NT_STATUS_IS_OK(result))
goto done;
done:
return result;
}
NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
const char *domain)
{
unsigned char old_trust_passwd_hash[16];
uint32 sec_channel_type = 0;
if (!secrets_fetch_trust_account_password(domain,
old_trust_passwd_hash,
NULL, &sec_channel_type)) {
DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
return NT_STATUS_UNSUCCESSFUL;
}
return trust_pw_change_and_store_it(cli, mem_ctx, domain,
old_trust_passwd_hash,
sec_channel_type);
}
/**
* confirm that a domain join is still valid
*
* @return A shell status integer (0 for success)
*
**/
static int net_rpc_join_ok(const char *domain)
{
struct cli_state *cli;
uchar stored_md4_trust_password[16];
int retval = 1;
uint32 channel;
NTSTATUS result;
/* Connect to remote machine */
if (!(cli = net_make_ipc_connection(NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC))) {
return 1;
}
if (!cli_nt_session_open(cli, PI_NETLOGON)) {
DEBUG(0,("Error connecting to NETLOGON pipe\n"));
goto done;
}
if (!secrets_fetch_trust_account_password(domain,
stored_md4_trust_password,
NULL, &channel)) {
DEBUG(0,("Could not retreive domain trust secret"));
goto done;
}
/* ensure that schannel uses the right domain */
fstrcpy(cli->domain, domain);
if (! NT_STATUS_IS_OK(result = cli_nt_establish_netlogon(cli, channel, stored_md4_trust_password))) {
DEBUG(0,("Error in domain join verfication (fresh connection)\n"));
goto done;
}
retval = 0; /* Success! */
done:
/* Close down pipe - this will clean up open policy handles */
if (cli->nt_pipe_fnum[cli->pipe_idx])
cli_nt_session_close(cli);
cli_shutdown(cli);
return retval;
}
/*
setup for schannel on any pipes opened on this connection
*/
static NTSTATUS setup_schannel( struct cli_state *cli, const char *domain )
{
NTSTATUS ret;
uchar trust_password[16];
uint32 sec_channel_type;
DOM_SID sid;
time_t lct;
/* use the domain trust password if we're on a DC
and this is not our domain */
if ( IS_DC && !strequal(domain, lp_workgroup()) ) {
char *pass = NULL;
if ( !secrets_fetch_trusted_domain_password( domain,
&pass, &sid, &lct) )
{
return NT_STATUS_UNSUCCESSFUL;
}
sec_channel_type = SEC_CHAN_DOMAIN;
E_md4hash(pass, trust_password);
SAFE_FREE( pass );
} else {
if (!secrets_fetch_trust_account_password(lp_workgroup(),
trust_password, NULL, &sec_channel_type))
{
return NT_STATUS_UNSUCCESSFUL;
}
}
ret = cli_nt_setup_netsec(cli, sec_channel_type,
AUTH_PIPE_NETSEC | AUTH_PIPE_SIGN, trust_password);
return ret;
}
static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
NTSTATUS result;
const char *server_name = cli->desthost;
uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
struct netr_Authenticator clnt_creds, srv_cred;
struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
unsigned char trust_passwd_hash[16];
enum netr_SchannelType sec_channel_type = 0;
struct netr_ChangeLogEntry e;
uint32_t rid = 500;
struct dcerpc_binding_handle *b = cli->binding_handle;
if (argc > 2) {
fprintf(stderr, "Usage: %s <user rid>\n", argv[0]);
return NT_STATUS_OK;
}
if (argc == 2) {
sscanf(argv[1], "%d", &rid);
}
if (!secrets_fetch_trust_account_password(lp_workgroup(),
trust_passwd_hash,
NULL, &sec_channel_type)) {
return NT_STATUS_UNSUCCESSFUL;
}
status = rpccli_netlogon_setup_creds(cli,
server_name, /* server name */
lp_workgroup(), /* domain */
lp_netbios_name(), /* client name */
lp_netbios_name(), /* machine account name */
trust_passwd_hash,
sec_channel_type,
&neg_flags);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
ZERO_STRUCT(e);
e.object_rid = rid;
e.db_index = SAM_DATABASE_DOMAIN;
e.delta_type = NETR_DELTA_USER;
status = dcerpc_netr_DatabaseRedo(b, mem_ctx,
server_name,
lp_netbios_name(),
&clnt_creds,
&srv_cred,
e,
0, /* is calculated automatically */
&delta_enum_array,
&result);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) {
DEBUG(0,("credentials chain check failed\n"));
return NT_STATUS_ACCESS_DENIED;
}
return result;
}
enum winbindd_result winbindd_check_machine_acct(struct winbindd_cli_state *state)
{
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
uchar trust_passwd[16];
int num_retries = 0;
struct cli_state *cli;
uint32 sec_channel_type;
struct winbindd_domain *contact_domain;
DEBUG(3, ("[%5lu]: check machine account\n", (unsigned long)state->pid));
/* Get trust account password */
again:
if (!secrets_fetch_trust_account_password(
lp_workgroup(), trust_passwd, NULL, &sec_channel_type)) {
result = NT_STATUS_INTERNAL_ERROR;
goto done;
}
contact_domain = find_our_domain();
if (!contact_domain) {
result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
DEBUG(1, ("Cannot find our own domain!\n"));
goto done;
}
/* This call does a cli_nt_setup_creds() which implicitly checks
the trust account password. */
/* Don't shut this down - it belongs to the connection cache code */
result = cm_get_netlogon_cli(contact_domain,
trust_passwd, sec_channel_type, True, &cli);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
goto done;
}
/* There is a race condition between fetching the trust account
password and the periodic machine password change. So it's
possible that the trust account password has been changed on us.
We are returned NT_STATUS_ACCESS_DENIED if this happens. */
#define MAX_RETRIES 8
if ((num_retries < MAX_RETRIES) &&
NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED)) {
num_retries++;
goto again;
}
/* Pass back result code - zero for success, other values for
specific failures. */
DEBUG(3, ("secret is %s\n", NT_STATUS_IS_OK(result) ?
"good" : "bad"));
done:
state->response.data.auth.nt_status = NT_STATUS_V(result);
fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
fstrcpy(state->response.data.auth.error_string, nt_errstr(result));
state->response.data.auth.pam_error = nt_status_to_pam(result);
DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Checking the trust account password returned %s\n",
state->response.data.auth.nt_status_string));
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
}
