The branch, master has been updated
       via  5bafaa73f6dda13b05744b177cb18a310cb2f749 (commit)
       via  f88e95c6b077b69c6e243ce46961cc12bdcfb911 (commit)
       via  20a8ea91e10af167067cc794a251265aaf489e75 (commit)
      from  3fa1d7332c19d0521b8da9f2cd8162260f0ab660 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 5bafaa73f6dda13b05744b177cb18a310cb2f749
Author: Volker Lendecke <[email protected]>
Date:   Mon Oct 5 22:09:01 2009 +0200

    s3:winbind: Slightly simplify the logic of nss_init(), make it static

commit f88e95c6b077b69c6e243ce46961cc12bdcfb911
Author: Volker Lendecke <[email protected]>
Date:   Mon Oct 5 22:00:16 2009 +0200

    s3:winbind: Fix typos

commit 20a8ea91e10af167067cc794a251265aaf489e75
Author: Volker Lendecke <[email protected]>
Date:   Sun Oct 4 15:47:33 2009 +0200

    s3: Attempt to fix machine password change

-----------------------------------------------------------------------

Summary of changes:
 source3/include/client.h          |    1 +
 source3/include/nss_info.h        |    2 -
 source3/include/proto.h           |    9 ++++++-
 source3/libnet/libnet_join.c      |    9 +++---
 source3/libsmb/trusts_util.c      |    8 ++---
 source3/rpc_client/cli_netlogon.c |   51 ++++++++++++++++++++++++------------
 source3/winbindd/nss_info.c       |   32 +++++++++++++----------
 source3/winbindd/winbindd_cm.c    |    2 +
 source3/winbindd/winbindd_dual.c  |   42 ++++++++++++++++++++++++------
 9 files changed, 103 insertions(+), 53 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/client.h b/source3/include/client.h
index 82d94b0..ba3a4e7 100644
--- a/source3/include/client.h
+++ b/source3/include/client.h
@@ -147,6 +147,7 @@ struct rpc_pipe_client {
 
        /* The following is only non-null on a netlogon client pipe. */
        struct netlogon_creds_CredentialState *dc;
+       uint32_t auth_neg_flags;
 
        /* Used by internal rpc_pipe_client */
        pipes_struct *pipes_struct;
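Review bot: The new `auth_neg_flags` member has no comment of its own and sits under "only non-null on a netlogon client pipe", which does not describe an integer. Within this changeset it is written only in cm_connect_netlogon() and read in machine_password_change_handler(). A pipe set up on any other path would presumably carry whatever the allocator left there, and that value then decides whether the PASSWORD_SET2 branch is taken. I would add `/* Flags negotiated when dc was set up; only meaningful while dc != NULL. */` above the field, and confirm that every place that fills `dc` also fills this.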
diff --git a/source3/include/nss_info.h b/source3/include/nss_info.h
index 90d992a..a60a6f0 100644
--- a/source3/include/nss_info.h
+++ b/source3/include/nss_info.h
@@ -83,8 +83,6 @@ NTSTATUS smb_register_idmap_nss(int version,
                                const char *name, 
                                struct nss_info_methods *methods);
 
-NTSTATUS nss_init( const char **nss_list );
-
 NTSTATUS nss_get_info( const char *domain, const DOM_SID *user_sid,
                       TALLOC_CTX *ctx,
                       ADS_STRUCT *ads, LDAPMessage *msg,
diff --git a/source3/include/proto.h b/source3/include/proto.h
index c8e4fe1..a9768ba 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -5240,7 +5240,14 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct 
rpc_pipe_client *cli,
                                            const unsigned char 
orig_trust_passwd_hash[16],
                                            const char *new_trust_pwd_cleartext,
                                            const unsigned char 
new_trust_passwd_hash[16],
-                                           uint32_t sec_channel_type);
+                                           uint32_t sec_channel_type,
+                                           uint32_t neg_flags);
+NTSTATUS rpccli_netlogon_auth_set_trust_password(struct rpc_pipe_client *cli,
+                                                TALLOC_CTX *mem_ctx,
+                                                const unsigned char 
orig_trust_passwd_hash[16],
+                                                const char 
*new_trust_pwd_cleartext,
+                                                const unsigned char 
new_trust_passwd_hash[16],
+                                                uint32_t sec_channel_type);
 
 /* The following definitions come from rpc_client/cli_pipe.c  */
 
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 8c30307..70b28e3 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -788,11 +788,10 @@ static NTSTATUS 
libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
 
        E_md4hash(trust_passwd, orig_trust_passwd_hash);
 
-       status = rpccli_netlogon_set_trust_password(pipe_hnd, mem_ctx,
-                                                   orig_trust_passwd_hash,
-                                                   r->in.machine_password,
-                                                   new_trust_passwd_hash,
-                                                   r->in.secure_channel_type);
+       status = rpccli_netlogon_auth_set_trust_password(
+               pipe_hnd, mem_ctx, orig_trust_passwd_hash,
+               r->in.machine_password, new_trust_passwd_hash,
+               r->in.secure_channel_type);
 
        return status;
 }
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index adf1525..d9b7570 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -46,11 +46,9 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client 
*cli, TALLOC_CTX *m
 
        E_md4hash(new_trust_passwd, new_trust_passwd_hash);
 
-       nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
-                                                      orig_trust_passwd_hash,
-                                                      new_trust_passwd,
-                                                      new_trust_passwd_hash,
-                                                      sec_channel_type);
+       nt_status = rpccli_netlogon_auth_set_trust_password(
+               cli, mem_ctx, orig_trust_passwd_hash, new_trust_passwd,
+               new_trust_passwd_hash, sec_channel_type);
 
        if (NT_STATUS_IS_OK(nt_status)) {
                DEBUG(3,("%s : trust_pw_change_and_store_it: Changed 
password.\n", 
diff --git a/source3/rpc_client/cli_netlogon.c 
b/source3/rpc_client/cli_netlogon.c
index 911a50f..db7d135 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -512,27 +512,12 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct 
rpc_pipe_client *cli,
                                            const unsigned char 
orig_trust_passwd_hash[16],
                                            const char *new_trust_pwd_cleartext,
                                            const unsigned char 
new_trust_passwd_hash[16],
-                                           uint32_t sec_channel_type)
+                                           uint32_t sec_channel_type,
+                                           uint32_t neg_flags)
 {
        NTSTATUS result;
-       uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
        struct netr_Authenticator clnt_creds, srv_cred;
 
-       result = rpccli_netlogon_setup_creds(cli,
-                                            cli->desthost, /* server name */
-                                            lp_workgroup(), /* domain */
-                                            global_myname(), /* client name */
-                                            global_myname(), /* machine 
account name */
-                                            orig_trust_passwd_hash,
-                                            sec_channel_type,
-                                            &neg_flags);
-
-       if (!NT_STATUS_IS_OK(result)) {
-               DEBUG(3,("rpccli_netlogon_set_trust_password: unable to setup 
creds (%s)!\n",
-                        nt_errstr(result)));
-               return result;
-       }
-
        netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
 
        if (neg_flags & NETLOGON_NEG_PASSWORD_SET2) {
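Review bot: With the rpccli_netlogon_setup_creds() call removed, `netlogon_creds_client_authenticator(cli->dc, &clnt_creds)` now depends entirely on the caller having established the netlogon credential state. A pipe without it reaches that call with `cli->dc == NULL`. An early guard such as `if (cli->dc == NULL) { return NT_STATUS_INVALID_PARAMETER; }` would make the precondition explicit. A header comment should also state that `neg_flags` must be the flags negotiated for that same credential state, since it selects between the two password-set calls. The rest of the function body lies outside this hunk.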
@@ -586,3 +571,35 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct 
rpc_pipe_client *cli,
        return result;
 }
 
+NTSTATUS rpccli_netlogon_auth_set_trust_password(struct rpc_pipe_client *cli,
+                                                TALLOC_CTX *mem_ctx,
+                                                const unsigned char 
orig_trust_passwd_hash[16],
+                                                const char 
*new_trust_pwd_cleartext,
+                                                const unsigned char 
new_trust_passwd_hash[16],
+                                                uint32_t sec_channel_type)
+{
+       NTSTATUS result;
+       uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+
+       result = rpccli_netlogon_setup_creds(cli,
+                                            cli->desthost, /* server name */
+                                            lp_workgroup(), /* domain */
+                                            global_myname(), /* client name */
+                                            global_myname(), /* machine 
account name */
+                                            orig_trust_passwd_hash,
+                                            sec_channel_type,
+                                            &neg_flags);
+
+       if (!NT_STATUS_IS_OK(result)) {
+               DEBUG(3,("rpccli_netlogon_set_trust_password: unable to setup 
creds (%s)!\n",
+                        nt_errstr(result)));
+               return result;
+       }
+
+       return rpccli_netlogon_set_trust_password(cli, mem_ctx,
+                                                 orig_trust_passwd_hash,
+                                                 new_trust_pwd_cleartext,
+                                                 new_trust_passwd_hash,
+                                                 sec_channel_type,
+                                                 neg_flags);
+}
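Review bot: The DEBUG text in the new wrapper still reads `rpccli_netlogon_set_trust_password: unable to setup creds`, copied from the function it was split out of. A failed credential setup will therefore be attributed to the wrong function in the logs. It should be `"rpccli_netlogon_auth_set_trust_password: unable to setup creds (%s)!\n"`. A short comment above the function saying that it performs the netlogon credential setup itself and then delegates, unlike rpccli_netlogon_set_trust_password() which now expects an established session, would help callers pick the right entry point.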
diff --git a/source3/winbindd/nss_info.c b/source3/winbindd/nss_info.c
index c2518dc..663fc9a 100644
--- a/source3/winbindd/nss_info.c
+++ b/source3/winbindd/nss_info.c
@@ -164,23 +164,25 @@ static NTSTATUS nss_domain_list_add_domain(const char 
*domain,
  to initialize the state on a per domain basis.
  *******************************************************************/
 
- NTSTATUS nss_init( const char **nss_list )
+static NTSTATUS nss_init(const char **nss_list)
 {
        NTSTATUS status;
-       static NTSTATUS nss_initialized = NT_STATUS_UNSUCCESSFUL;
+       static bool nss_initialized = false;
        int i;
        char *backend, *domain;
        struct nss_function_entry *nss_backend;
 
        /* check for previous successful initializations */
 
-       if ( NT_STATUS_IS_OK(nss_initialized) )
+       if (nss_initialized) {
                return NT_STATUS_OK;
+       }
 
-       /* The "template" backend should alqays be registered as it
+       /* The "template" backend should always be registered as it
           is a static module */
 
-       if ( (nss_backend = nss_get_backend( "template" )) == NULL ) {
+       nss_backend = nss_get_backend("template");
+       if (nss_backend == NULL) {
                static_init_nss_info;
        }
 
@@ -200,19 +202,21 @@ static NTSTATUS nss_domain_list_add_domain(const char 
*domain,
 
                /* validate the backend */
 
-               if ( (nss_backend = nss_get_backend( backend )) == NULL ) {
+               nss_backend = nss_get_backend(backend);
+               if (nss_backend == NULL) {
                        /* attempt to register the backend */
                        status = smb_probe_module( "nss_info", backend );
                        if ( !NT_STATUS_IS_OK(status) ) {
                                continue;
                        }
+               }
 
-                       /* try again */
-                       if ( (nss_backend = nss_get_backend( backend )) == NULL 
) {
-                               DEBUG(0,("nss_init: unregistered backend %s!.  
Skipping\n",
-                                        backend));
-                               continue;
-                       }
+               /* try again */
+               nss_backend = nss_get_backend(backend);
+               if (nss_backend == NULL) {
+                       DEBUG(0, ("nss_init: unregistered backend %s!. "
+                                 "Skipping\n", backend));
+                       continue;
                }
 
                /*
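Review bot: After the flattening, the `/* try again */` lookup runs unconditionally, so a backend found on the first `nss_get_backend(backend)` is looked up a second time and the comment no longer matches the control flow. This is harmless, but the comment should say what the block now does, for example `/* (re-)fetch: still NULL here means the probe did not register it */`. Alternatively the second lookup could stay inside the `if (nss_backend == NULL)` block. The loop body starts and ends outside this hunk.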
@@ -241,10 +245,10 @@ static NTSTATUS nss_domain_list_add_domain(const char 
*domain,
                         "Defaulting to \"template\".\n"));
 
 
-               /* we shouild default to use template here */
+               /* we should default to use template here */
        }
 
-       nss_initialized = NT_STATUS_OK;
+       nss_initialized = true;
 
        return NT_STATUS_OK;
 }
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 9a78839..029a021 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2470,6 +2470,8 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain 
*domain,
                return !NT_STATUS_IS_OK(result) ? result : 
NT_STATUS_PIPE_NOT_AVAILABLE;
        }
 
+       conn->netlogon_pipe->auth_neg_flags = neg_flags;
+
        /*
         * Try NetSamLogonEx for AD domains
         */
diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
index edf784c..546f5f0 100644
--- a/source3/winbindd/winbindd_dual.c
+++ b/source3/winbindd/winbindd_dual.c
@@ -30,6 +30,7 @@
 #include "includes.h"
 #include "winbindd.h"
 #include "../../nsswitch/libwbclient/wbc_async.h"
+#include "../libcli/auth/libcli_auth.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
@@ -1061,9 +1062,12 @@ static void machine_password_change_handler(struct 
event_context *ctx,
        struct winbindd_child *child =
                (struct winbindd_child *)private_data;
        struct rpc_pipe_client *netlogon_pipe = NULL;
-       TALLOC_CTX *frame;
        NTSTATUS result;
        struct timeval next_change;
+       uint8_t old_trust_passwd_hash[16];
+       uint8_t new_trust_passwd_hash[16];
+       char *new_trust_passwd;
+       uint32_t sec_channel_type = 0;
 
        DEBUG(10,("machine_password_change_handler called\n"));
 
@@ -1089,22 +1093,42 @@ static void machine_password_change_handler(struct 
event_context *ctx,
                return;
        }
 
-       frame = talloc_stackframe();
+       if (!secrets_fetch_trust_account_password(
+                   child->domain->name, old_trust_passwd_hash, NULL,
+                   &sec_channel_type)) {
+               DEBUG(0, ("could not fetch domain secrets for domain %s!\n",
+                         child->domain->name));
+               return;
+       }
+
+       new_trust_passwd = generate_random_str(
+               talloc_tos(), DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
+       if (new_trust_passwd == NULL) {
+               DEBUG(0, ("talloc_strdup failed\n"));
+               return;
+       }
 
-       result = trust_pw_find_change_and_store_it(netlogon_pipe,
-                                                  frame,
-                                                  child->domain->name);
-       TALLOC_FREE(frame);
+       E_md4hash(new_trust_passwd, new_trust_passwd_hash);
+
+       result = rpccli_netlogon_set_trust_password(
+               netlogon_pipe, talloc_tos(), old_trust_passwd_hash,
+               new_trust_passwd, new_trust_passwd_hash, sec_channel_type,
+               netlogon_pipe->auth_neg_flags);
 
        if (!NT_STATUS_IS_OK(result)) {
                DEBUG(10,("machine_password_change_handler: "
                        "failed to change machine password: %s\n",
                         nt_errstr(result)));
-       } else {
-               DEBUG(10,("machine_password_change_handler: "
-                       "successfully changed machine password\n"));
+               /*
+                * Don't try a second time, this will very likely also
+                * fail.
+                */
+               return;
        }
 
+       DEBUG(3,("machine_password_change_handler: Changed password at %s.\n",
+                current_timestring(debug_ctx(), False)));
+
        child->machine_password_change_event = 
event_add_timed(winbind_event_context(), NULL,
                                                              next_change,
                                                              
machine_password_change_handler,
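Review bot: Nothing in this hunk persists `new_trust_passwd` after rpccli_netlogon_set_trust_password() succeeds. The replaced trust_pw_find_change_and_store_it() did the storing, so unless it now happens somewhere not shown, the DC and the local secrets store end up disagreeing on the machine password and the next secure-channel setup will fail. I would store it right after the success check, as sketched below. The cleartext password and both hash buffers should also be wiped before every return, since they otherwise linger on the stack and in the talloc_tos() frame. Separately, the allocation-failure message says `talloc_strdup failed` although the call is generate_random_str(). The early returns also skip the event_add_timed() re-arm, which looks intended for the RPC failure but is worth confirming for the secrets-fetch and allocation failures. The function begins outside the hunk.
```c
	/* … unchanged: rpccli_netlogon_set_trust_password() call and failure return … */

	/* The DC has accepted the new password; persist it before anything else. */
	if (!secrets_store_machine_password(new_trust_passwd,
					    child->domain->name,
					    sec_channel_type)) {
		DEBUG(0, ("machine_password_change_handler: password changed "
			  "on the DC but could not be stored for domain %s\n",
			  child->domain->name));
		return;
	}

	/* … unchanged: success DEBUG and event_add_timed() re-arm … */
```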


-- 
Samba Shared Repository
