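/**
 * Rotate the machine (trust) account password for this host.
 *
 * Fetches the current machine password from the local secrets store,
 * generates a random replacement, sets it on the KDC with
 * kerberos_set_password() (authenticating as host_principal with the old
 * password), and finally writes the new password to the secrets store.
 *
 * @param ads             ADS context; auth.kdc_server and auth.time_offset
 *                        are read from it.
 * @param host_principal  Principal used both as the authenticating
 *                        identity and as the account being changed.
 *
 * @return The status of kerberos_set_password() on success or when the
 *         KDC rejects the change; ADS_ERROR_SYSTEM(ENOENT) if no machine
 *         password is stored; ADS_ERROR_SYSTEM(ENOMEM) if no new password
 *         could be generated; ADS_ERROR_SYSTEM(EACCES) if the new
 *         password could not be saved locally.
 */
ADS_STATUS ads_change_trust_account_password(ADS_STRUCT *ads, char *host_principal)
{
	char *password = NULL;
	char *new_password = NULL;
	ADS_STATUS ret;
	enum netr_SchannelType sec_channel_type;

	password = secrets_fetch_machine_password(lp_workgroup(), NULL,
						  &sec_channel_type);
	if (password == NULL) {
		DEBUG(1,("Failed to retrieve password for principal %s\n", host_principal));
		return ADS_ERROR_SYSTEM(ENOENT);
	}

	new_password = generate_random_password(talloc_tos(),
				DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
				DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
	if (new_password == NULL) {
		/*
		 * Never hand a NULL "new password" to the KDC call: fail
		 * before anything has been changed on either side.
		 */
		DEBUG(1,("Failed to generate new machine password\n"));
		ret = ADS_ERROR_SYSTEM(ENOMEM);
		goto out;
	}

	ret = kerberos_set_password(ads->auth.kdc_server, host_principal,
				    password, host_principal, new_password,
				    ads->auth.time_offset);
	if (!ADS_ERR_OK(ret)) {
		goto out;
	}

	if (!secrets_store_machine_password(new_password, lp_workgroup(),
					    sec_channel_type)) {
		/*
		 * The KDC has already accepted the new password at this
		 * point, so a failure here leaves the local secrets store
		 * holding the old password while the directory holds the
		 * new one. Callers should treat this as a broken trust
		 * that needs operator attention, not a retryable error.
		 */
		DEBUG(1,("Failed to save machine password\n"));
		ret = ADS_ERROR_SYSTEM(EACCES);
		goto out;
	}

out:
	/*
	 * NOTE(review): the old password is freed without being scrubbed,
	 * and new_password is allocated on talloc_tos() and is not cleared
	 * here either. Consider zeroing both with the project's
	 * secret-wiping helper, if one is available.
	 */
	SAFE_FREE(password);
	return ret;
}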
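/**
 * "net ads password" handler: set a new password for a user principal,
 * authenticating as the administrator given by opt_user_name/opt_password.
 *
 * argv[0] is the account whose password is changed; when it contains no
 * '@', the default realm from lp_realm() is appended. argv[1], if present,
 * is the new password; otherwise the password is read with getpass().
 *
 * Security note: a password supplied as argv[1] is visible to other local
 * users through the process list and usually ends up in shell history.
 * Prefer the interactive prompt.
 *
 * @return 0 on success, -1 on any failure.
 */
static int net_ads_password(int argc, const char **argv)
{
	ADS_STRUCT *ads = NULL;
	const char *auth_principal = opt_user_name;
	const char *auth_password = opt_password;
	char *realm = NULL;
	char *new_password = NULL;
	char *prompted_password = NULL;	/* set only when read via getpass() */
	char *qualified_user = NULL;	/* owned: "user@REALM" built below */
	char *prompt = NULL;
	char *c;
	const char *user;
	ADS_STATUS ret;
	int rc = -1;

	if (opt_user_name == NULL || opt_password == NULL) {
		d_printf("You must supply an administrator username/password\n");
		return -1;
	}

	if (argc < 1) {
		d_printf("ERROR: You must say which username to change password for\n");
		return -1;
	}

	user = argv[0];
	if (!strchr_m(user, '@')) {
		/*
		 * asprintf() leaves the output pointer unspecified on
		 * failure, so the result must be checked before use.
		 */
		if (asprintf(&qualified_user, "%s@%s", argv[0], lp_realm()) == -1) {
			qualified_user = NULL;
			d_printf("ERROR: out of memory\n");
			goto done;
		}
		user = qualified_user;
	}

	use_in_memory_ccache();
	c = strchr(auth_principal, '@');
	if (c) {
		realm = ++c;
	} else {
		realm = lp_realm();
	}

	/* use the realm so we can eventually change passwords for users
	   in realms other than default */
	if (!(ads = ads_init(realm, NULL, NULL))) {
		goto done;
	}

	/* we don't actually need a full connect, but it's the easy way to
	   fill in the KDC's address */
	ads_connect(ads);

	if (!ads->config.realm) {
		d_printf("Didn't find the kerberos server!\n");
		goto done;
	}

	/* Guard with argc so we never read past the arguments we were given. */
	if (argc > 1 && argv[1]) {
		new_password = (char *)argv[1];
	} else {
		if (asprintf(&prompt, "Enter new password for %s:", user) == -1) {
			prompt = NULL;
			d_printf("ERROR: out of memory\n");
			goto done;
		}
		prompted_password = getpass(prompt);
		free(prompt);
		if (prompted_password == NULL) {
			/* getpass() fails when no terminal is available */
			d_printf("ERROR: could not read the new password\n");
			goto done;
		}
		new_password = prompted_password;
	}

	ret = kerberos_set_password(ads->auth.kdc_server, auth_principal,
				    auth_password, user, new_password,
				    ads->auth.time_offset);
	if (!ADS_ERR_OK(ret)) {
		d_printf("Password change failed :-( ...\n");
		goto done;
	}

	d_printf("Password change for %s completed.\n", user);
	rc = 0;

done:
	/*
	 * getpass() returns a pointer into a static libc buffer; clear it so
	 * the cleartext password does not linger for the rest of the process
	 * lifetime.
	 */
	if (prompted_password != NULL) {
		memset(prompted_password, 0, strlen(prompted_password));
	}
	if (ads != NULL) {
		ads_destroy(&ads);
	}
	free(qualified_user);
	return rc;
}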