The branch, v4-4-test has been updated
via 3526615 vfs_streams_xattr: use fsp, not base_fsp
via 7c10e19 libcli/auth: use the correct creds value against servers
without LogonSamLogonEx
via 023fbcb librpc/rpc: fix regression in
NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE error mapping
via 4db119f krb5_wrap: use our own code to calculate the
ENCTYPE_ARCFOUR_HMAC key
via e29d92c s4:libcli/raw: remove unused
DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH
via 6cc7a29 s3:include: remove unused
DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH
via 746fe43 s3:net_rpc_trust: make use of trust_pw_new_value()
via b9eaad8 s3:libnet_join: make use of trust_pw_new_value()
via 49df7f2 s3:libads: use trust_pw_new_value() for krb5 machine
passwords
via cb01a46 s3:libsmb: use trust_pw_new_value() in trust_pw_change()
via d332077 s3:libsmb: add trust_pw_new_value() helper function
via 73f8a92 s3:libsmb: let trust_pw_change() verify the new password at
the end.
via 8206490 s3:libsmb: let trust_pw_change() debug more verbose
information
via b8e5ee1 lib/util: add generate_random_machine_password() function
via ebef87a libcli/auth: add netlogon_creds_cli_debug_string()
via 0269265 libcli/auth: check E_md4hash() result in
netlogon_creds_cli_ServerPasswordSet_send()
from f2924e9 ctdb-scripts: Initialise CTDB_NFS_CALLOUT in statd-callout
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-test
- Log -----------------------------------------------------------------
commit 352661537b24abd9262c91d013049cff204b5eb2
Author: Ralph Boehme <[email protected]>
Date: Fri Feb 17 08:10:53 2017 +0100
vfs_streams_xattr: use fsp, not base_fsp
The base_fsp's fd is always -1 as it's closed after being openend in
create_file_unixpath().
Additionally in streams_xattr_open force using of SMB_VFS_FSETXATTR() by
sticking the just created fd into the fsp (and removing it afterwards).
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12591
Signed-off-by: Ralph Boehme <[email protected]>
Reviewed-by: Jeremy Allison <[email protected]>
Autobuild-User(master): Jeremy Allison <[email protected]>
Autobuild-Date(master): Wed Feb 22 08:25:46 CET 2017 on sn-devel-144
(cherry picked from commit 021189e32ba507832b5e821e5cda8a2889225955)
Autobuild-User(v4-4-test): Stefan Metzmacher <[email protected]>
Autobuild-Date(v4-4-test): Sat Feb 25 05:08:00 CET 2017 on sn-devel-144
commit 7c10e19374188094d01e3d7c2807fad1e19996ac
Author: Stefan Metzmacher <[email protected]>
Date: Wed Feb 15 08:58:20 2017 +0100
libcli/auth: use the correct creds value against servers without
LogonSamLogonEx
If we use the credential chain we need to use the value from
netlogon_creds_client_authenticator() to make sure we have the current
value to encrypt in logon info.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12586
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Jeremy Allison <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
(cherry picked from commit 0ed2a65593b5abc9ba7f40992ed0ed8f448f5836)
commit 023fbcbde8034579867f977645d67312f4bef733
Author: Stefan Metzmacher <[email protected]>
Date: Wed Feb 15 08:07:06 2017 +0100
librpc/rpc: fix regression in NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE error
mapping
Commit 1eef70872930fa4f9d3dedd23476b34cae638428 changed the mapping for
DCERPC_NCA_S_FAULT_INVALID_TAG from NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
to NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12585
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
(cherry picked from commit c97e39b34fcf260ded42ef1a9efe7ed55e65a1cf)
commit 4db119f99f52fb61dd1f6175adce86fe63258f75
Author: Stefan Metzmacher <[email protected]>
Date: Tue Feb 21 12:15:07 2017 +0100
krb5_wrap: use our own code to calculate the ENCTYPE_ARCFOUR_HMAC key
Our own convert_string_talloc() function handles a wider range
of unicode code points than the MIT krb5 or heimdal code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
Autobuild-User(master): Ralph Böhme <[email protected]>
Autobuild-Date(master): Tue Feb 21 20:08:16 CET 2017 on sn-devel-144
(similar to commit 10e1b92c288ae27f775debb16c3e122b6063fa21)
commit e29d92c0612fab735dc9ce9bc2b16fa256ded569
Author: Stefan Metzmacher <[email protected]>
Date: Tue Aug 23 12:41:48 2016 +0200
s4:libcli/raw: remove unused DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
(cherry picked from commit e9c184088cbbb47e48d9e96fc753a56c544301dc)
commit 6cc7a293c2bec4170205310d5576e9a2cdbc564d
Author: Stefan Metzmacher <[email protected]>
Date: Tue Aug 23 12:41:48 2016 +0200
s3:include: remove unused DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
(cherry picked from commit 21cbf8e4db6928a8a3fb712b3750bb50c1201948)
commit 746fe432eb4fc81f62e0e6ab68c9a2b21803a50e
Author: Stefan Metzmacher <[email protected]>
Date: Tue Aug 23 10:42:30 2016 +0200
s3:net_rpc_trust: make use of trust_pw_new_value()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
(cherry picked from commit 13fd543929c72fa5af1ae6e21ca8dda9a57a0f55)
commit b9eaad88004af7d5856ba632b881457d41a053e3
Author: Stefan Metzmacher <[email protected]>
Date: Tue Aug 23 12:09:57 2016 +0200
s3:libnet_join: make use of trust_pw_new_value()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
(cherry picked from commit 77edef9555acd6e0c843582637bc367fa0d2a203)
commit 49df7f267808f5a61855b5e88fbabd4f86bd2800
Author: Stefan Metzmacher <[email protected]>
Date: Tue Aug 23 10:38:58 2016 +0200
s3:libads: use trust_pw_new_value() for krb5 machine passwords
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
(similar to commit 00136940757ea6947f97c9c92b25207d9413727b)
commit cb01a46347913f2e0da50539ef2672be51bc22cb
Author: Stefan Metzmacher <[email protected]>
Date: Tue Aug 23 12:12:35 2016 +0200
s3:libsmb: use trust_pw_new_value() in trust_pw_change()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
(cherry picked from commit c21e9981d04fa016ef708941ea82051d0438b7a7)
commit d33207755a21a21cb2ad9af37df378cd765676c3
Author: Stefan Metzmacher <[email protected]>
Date: Tue Aug 23 12:12:35 2016 +0200
s3:libsmb: add trust_pw_new_value() helper function
This generates a new trust password based on the secure channel type
and lp_security().
NT4 really has a limit of 28 UTF16 bytes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
(cherry picked from commit 9e26ad86fbd7e6f39f98fb9d037ac86f3146cb11)
commit 73f8a92f3c1291be85c8568ccc983fb2f5b95842
Author: Stefan Metzmacher <[email protected]>
Date: Thu Feb 9 22:53:52 2017 +0100
s3:libsmb: let trust_pw_change() verify the new password at the end.
We should notice problems as early as possible, it makes no
sense to keep things working for a while and later find out
the we lost our trust relationship with our domain.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
(cherry picked from commit a2877541681e07f09aee7d7c21adbe50346755e3)
commit 820649017bb7ad471799e1854ca00c9c2868765e
Author: Stefan Metzmacher <[email protected]>
Date: Wed Jan 18 19:57:30 2017 +0100
s3:libsmb: let trust_pw_change() debug more verbose information
Password changes caused much trouble in the past, so we better debug
them at log level 0 and may see them also in the syslog.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
(cherry picked from commit 4185689dbf0085fcb3840ad8b520df21a33e5d2a)
commit b8e5ee1e557940fbf6ff23304809919bae4f783c
Author: Stefan Metzmacher <[email protected]>
Date: Tue Aug 23 09:30:05 2016 +0200
lib/util: add generate_random_machine_password() function
It generates more random password for the use as machine password,
restricted to codepoints <= 0xFFFF in order to be compatible
with MIT krb5 and Heimdal.
Note: the fallback to ascii if 'unix charset' is not 'utf8'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
(cherry picked from commit ad12cfae42cc592166d6a1c1ee323f1aae82f235)
commit ebef87abe869f6ef5edc291abf8bfd37194fe469
Author: Stefan Metzmacher <[email protected]>
Date: Thu Feb 9 21:47:52 2017 +0100
libcli/auth: add netlogon_creds_cli_debug_string()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
(cherry picked from commit abe427775ee8ed1d278d5094ca127f85289ca5a3)
commit 0269265c1d83e990800fa7105eb5bb7de681c422
Author: Stefan Metzmacher <[email protected]>
Date: Wed Jan 18 19:02:21 2017 +0000
libcli/auth: check E_md4hash() result in
netlogon_creds_cli_ServerPasswordSet_send()
We need to make sure we can convert the given string to an nthash.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
(cherry picked from commit 8a209e5a0ca810d8cf0e5ebc1902fae8c5cb241e)
-----------------------------------------------------------------------
Summary of changes:
lib/krb5_wrap/krb5_samba.c | 37 ++++++++
lib/util/genrand_util.c | 168 +++++++++++++++++++++++++++++++++++-
lib/util/samba_util.h | 32 ++++++-
libcli/auth/netlogon_creds_cli.c | 33 ++++++-
libcli/auth/netlogon_creds_cli.h | 4 +
librpc/rpc/dcerpc_error.c | 8 +-
source3/include/proto.h | 3 +
source3/include/smb.h | 6 --
source3/libads/util.c | 9 +-
source3/libnet/libnet_join.c | 16 ++--
source3/libsmb/trusts_util.c | 143 +++++++++++++++++++++++-------
source3/modules/vfs_streams_xattr.c | 41 ++++-----
source3/utils/net_rpc_trust.c | 6 +-
source3/wscript_build | 2 +-
source4/libcli/raw/smb.h | 7 --
15 files changed, 426 insertions(+), 89 deletions(-)
Changeset truncated at 500 lines:
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 6cfd498..7f0ba4a 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -24,6 +24,7 @@
#include "system/filesys.h"
#include "krb5_samba.h"
#include "lib/util/asn1.h"
+#include "lib/crypto/crypto.h"
#ifdef HAVE_COM_ERR_H
#include <com_err.h>
@@ -165,6 +166,42 @@ int smb_krb5_create_key_from_string(krb5_context context,
return -1;
}
+ if ((int)enctype == (int)ENCTYPE_ARCFOUR_HMAC) {
+ TALLOC_CTX *frame = talloc_stackframe();
+ uint8_t *utf16 = NULL;
+ size_t utf16_size = 0;
+ uint8_t nt_hash[16];
+ bool ok;
+
+ ok = convert_string_talloc(frame, CH_UNIX, CH_UTF16LE,
+ password->data, password->length,
+ (void **)&utf16, &utf16_size);
+ if (!ok) {
+ if (errno == 0) {
+ errno = EINVAL;
+ }
+ ret = errno;
+ TALLOC_FREE(frame);
+ return ret;
+ }
+
+ mdfour(nt_hash, utf16, utf16_size);
+ memset(utf16, 0, utf16_size);
+ ret = smb_krb5_keyblock_init_contents(context,
+ ENCTYPE_ARCFOUR_HMAC,
+ nt_hash,
+ sizeof(nt_hash),
+ key);
+ ZERO_STRUCT(nt_hash);
+ if (ret != 0) {
+ TALLOC_FREE(frame);
+ return ret;
+ }
+
+ TALLOC_FREE(frame);
+ return 0;
+ }
+
#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_C_STRING_TO_KEY)
{/* MIT */
krb5_data _salt;
diff --git a/lib/util/genrand_util.c b/lib/util/genrand_util.c
index fbd9998..76b7cd9 100644
--- a/lib/util/genrand_util.c
+++ b/lib/util/genrand_util.c
@@ -210,7 +210,7 @@ again:
}
/**
- * Generate a random text password.
+ * Generate a random text password (based on printable ascii characters).
*/
_PUBLIC_ char *generate_random_password(TALLOC_CTX *mem_ctx, size_t min,
size_t max)
@@ -258,6 +258,172 @@ again:
}
/**
+ * Generate a random machine password (based on random utf16 characters,
+ * converted to utf8). min must be at least 14, max must be at most 255.
+ *
+ * If 'unix charset' is not utf8, the password consist of random ascii
+ * values!
+ */
+
+_PUBLIC_ char *generate_random_machine_password(TALLOC_CTX *mem_ctx, size_t
min, size_t max)
+{
+ TALLOC_CTX *frame = NULL;
+ struct generate_random_machine_password_state {
+ uint8_t password_buffer[256 * 2];
+ uint8_t tmp;
+ } *state;
+ char *new_pw = NULL;
+ size_t len = max;
+ char *utf8_pw = NULL;
+ size_t utf8_len = 0;
+ char *unix_pw = NULL;
+ size_t unix_len = 0;
+ size_t diff;
+ size_t i;
+ bool ok;
+ int cmp;
+
+ if (max > 255) {
+ errno = EINVAL;
+ return NULL;
+ }
+
+ if (min < 14) {
+ errno = EINVAL;
+ return NULL;
+ }
+
+ if (min > max) {
+ errno = EINVAL;
+ return NULL;
+ }
+
+ frame = talloc_stackframe_pool(2048);
+ state = talloc_zero(frame, struct
generate_random_machine_password_state);
+
+ diff = max - min;
+
+ if (diff > 0) {
+ size_t tmp;
+
+ generate_random_buffer((uint8_t *)&tmp, sizeof(tmp));
+
+ tmp %= diff;
+
+ len = min + tmp;
+ }
+
+ /*
+ * Create a random machine account password
+ * We create a random buffer and convert that to utf8.
+ * This is similar to what windows is doing.
+ *
+ * In future we may store the raw random buffer,
+ * but for now we need to pass the password as
+ * char pointer through some layers.
+ *
+ * As most kerberos keys are derived from the
+ * utf8 password we need to fallback to
+ * ASCII passwords if "unix charset" is not utf8.
+ */
+ generate_secret_buffer(state->password_buffer, len * 2);
+ for (i = 0; i < len; i++) {
+ size_t idx = i*2;
+ uint16_t c;
+
+ /*
+ * both MIT krb5 and HEIMDAL only
+ * handle codepoints up to 0xffff.
+ *
+ * It means we need to avoid
+ * 0xD800 - 0xDBFF (high surrogate)
+ * and
+ * 0xDC00 - 0xDFFF (low surrogate)
+ * in the random utf16 data.
+ *
+ * 55296 0xD800 0154000 0b1101100000000000
+ * 57343 0xDFFF 0157777 0b1101111111111111
+ * 8192 0x2000 020000 0b10000000000000
+ *
+ * The above values show that we can check
+ * for 0xD800 and just add 0x2000 to avoid
+ * the surrogate ranges.
+ *
+ * The rest will be handled by CH_UTF16MUNGED
+ * see utf16_munged_pull().
+ */
+ c = SVAL(state->password_buffer, idx);
+ if (c & 0xD800) {
+ c |= 0x2000;
+ }
+ SSVAL(state->password_buffer, idx, c);
+ }
+ ok = convert_string_talloc(frame,
+ CH_UTF16MUNGED, CH_UTF8,
+ state->password_buffer, len * 2,
+ (void *)&utf8_pw, &utf8_len);
+ if (!ok) {
+ DEBUG(0, ("%s: convert_string_talloc() failed\n",
+ __func__));
+ TALLOC_FREE(frame);
+ return NULL;
+ }
+
+ ok = convert_string_talloc(frame,
+ CH_UTF16MUNGED, CH_UNIX,
+ state->password_buffer, len * 2,
+ (void *)&unix_pw, &unix_len);
+ if (!ok) {
+ goto ascii_fallback;
+ }
+
+ if (utf8_len != unix_len) {
+ goto ascii_fallback;
+ }
+
+ cmp = memcmp((const uint8_t *)utf8_pw,
+ (const uint8_t *)unix_pw,
+ utf8_len);
+ if (cmp != 0) {
+ goto ascii_fallback;
+ }
+
+ new_pw = talloc_strdup(mem_ctx, utf8_pw);
+ if (new_pw == NULL) {
+ TALLOC_FREE(frame);
+ return NULL;
+ }
+ talloc_set_name_const(new_pw, __func__);
+ TALLOC_FREE(frame);
+ return new_pw;
+
+ascii_fallback:
+ for (i = 0; i < len; i++) {
+ /*
+ * truncate to ascii
+ */
+ state->tmp = state->password_buffer[i] & 0x7f;
+ if (state->tmp == 0) {
+ state->tmp = state->password_buffer[i] >> 1;
+ }
+ if (state->tmp == 0) {
+ state->tmp = 0x01;
+ }
+ state->password_buffer[i] = state->tmp;
+ }
+ state->password_buffer[i] = '\0';
+
+ new_pw = talloc_strdup(mem_ctx, (const char *)state->password_buffer);
+ if (new_pw == NULL) {
+ TALLOC_FREE(frame);
+ return NULL;
+ }
+ talloc_set_name_const(new_pw, __func__);
+ TALLOC_FREE(frame);
+ return new_pw;
+}
+
+/**
* Generate an array of unique text strings all of the same length.
* The returned string will be allocated.
* Returns NULL if the number of unique combinations cannot be created.
diff --git a/lib/util/samba_util.h b/lib/util/samba_util.h
index 1f265e8..89f0535 100644
--- a/lib/util/samba_util.h
+++ b/lib/util/samba_util.h
@@ -103,11 +103,41 @@ _PUBLIC_ uint32_t generate_random(void);
_PUBLIC_ bool check_password_quality(const char *s);
/**
- * Generate a random text password.
+ * Generate a random text password (based on printable ascii characters).
+ * This function is designed to provide a password that
+ * meats the complexity requirements of UF_NORMAL_ACCOUNT objects
+ * and they should be human readable and writeable on any keyboard layout.
+ *
+ * Characters used are:
+ *
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+_-#.,@$%&!?:;<=>()[]~
*/
_PUBLIC_ char *generate_random_password(TALLOC_CTX *mem_ctx, size_t min,
size_t max);
/**
+ * Generate a random machine password
+ *
+ * min and max are the number of utf16 characters used
+ * to generate on utf8 compatible password.
+ *
+ * Note: if 'unix charset' is not 'utf8' (the default)
+ * then each utf16 character is only filled with
+ * values from 0x01 to 0x7f (ascii values without 0x00).
+ * This is important as the password neets to be
+ * a valid value as utf8 string and at the same time
+ * a valid value in the 'unix charset'.
+ *
+ * If 'unix charset' is 'utf8' (the default) then
+ * each utf16 character is a random value from 0x0000
+ * 0xFFFF (exluding the surrogate ranges from 0xD800-0xDFFF)
+ * while the translation from CH_UTF16MUNGED
+ * to CH_UTF8 replaces invalid values (see utf16_munged_pull()).
+ *
+ * Note: these passwords may not pass the complexity requirements
+ * for UF_NORMAL_ACCOUNT objects (except krbtgt accounts).
+ */
+_PUBLIC_ char *generate_random_machine_password(TALLOC_CTX *mem_ctx, size_t
min, size_t max);
+
+/**
Use the random number generator to generate a random string.
**/
_PUBLIC_ char *generate_random_str_list(TALLOC_CTX *mem_ctx, size_t len, const
char *list);
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 38b1351..d55142e 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -484,6 +484,14 @@ NTSTATUS netlogon_creds_cli_context_tmp(const char
*client_computer,
return NT_STATUS_OK;
}
+char *netlogon_creds_cli_debug_string(
+ const struct netlogon_creds_cli_context *context,
+ TALLOC_CTX *mem_ctx)
+{
+ return talloc_asprintf(mem_ctx, "netlogon_creds_cli:%s",
+ context->db.key_name);
+}
+
enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
struct netlogon_creds_cli_context *context)
{
@@ -1747,7 +1755,11 @@ struct tevent_req
*netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx
/*
* netr_ServerPasswordSet
*/
- E_md4hash(new_password, state->samr_password.hash);
+ ok = E_md4hash(new_password, state->samr_password.hash);
+ if (!ok) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+ return tevent_req_post(req, ev);
+ }
/*
* netr_ServerPasswordSet2
@@ -2075,11 +2087,24 @@ struct netlogon_creds_cli_LogonSamLogon_state {
/*
* the read only credentials before we started the operation
+ * used for netr_LogonSamLogonEx() if required (validation_level = 3).
*/
struct netlogon_creds_CredentialState *ro_creds;
+ /*
+ * The (locked) credentials used for the credential chain
+ * used for netr_LogonSamLogonWithFlags() or
+ * netr_LogonSamLogonWith().
+ */
struct netlogon_creds_CredentialState *lk_creds;
+ /*
+ * While we have locked the global credentials (lk_creds above)
+ * we operate an a temporary copy, because a server
+ * may not support netr_LogonSamLogonWithFlags() and
+ * didn't process our netr_Authenticator, so we need to
+ * restart from lk_creds.
+ */
struct netlogon_creds_CredentialState tmp_creds;
struct netr_Authenticator req_auth;
struct netr_Authenticator rep_auth;
@@ -2311,7 +2336,7 @@ static void netlogon_creds_cli_LogonSamLogon_start(struct
tevent_req *req)
return;
}
- netlogon_creds_encrypt_samlogon_logon(state->ro_creds,
+ netlogon_creds_encrypt_samlogon_logon(&state->tmp_creds,
state->logon_level,
state->logon);
@@ -2414,8 +2439,10 @@ static void netlogon_creds_cli_LogonSamLogon_done(struct
tevent_req *subreq)
/*
* We got a race, lets retry with on authenticator
* protection.
+ *
+ * netlogon_creds_cli_LogonSamLogon_start()
+ * will TALLOC_FREE(state->ro_creds);
*/
- TALLOC_FREE(state->ro_creds);
state->try_logon_ex = false;
netlogon_creds_cli_LogonSamLogon_start(req);
return;
diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
index 006367a..949e03b 100644
--- a/libcli/auth/netlogon_creds_cli.h
+++ b/libcli/auth/netlogon_creds_cli.h
@@ -52,6 +52,10 @@ NTSTATUS netlogon_creds_cli_context_tmp(const char
*client_computer,
TALLOC_CTX *mem_ctx,
struct netlogon_creds_cli_context **_context);
+char *netlogon_creds_cli_debug_string(
+ const struct netlogon_creds_cli_context *context,
+ TALLOC_CTX *mem_ctx);
+
enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
struct netlogon_creds_cli_context *context);
diff --git a/librpc/rpc/dcerpc_error.c b/librpc/rpc/dcerpc_error.c
index f386025..8af0e71 100644
--- a/librpc/rpc/dcerpc_error.c
+++ b/librpc/rpc/dcerpc_error.c
@@ -50,12 +50,10 @@ static const struct dcerpc_fault_table dcerpc_faults[] =
_FAULT_STR(DCERPC_NCA_S_FAULT_INT_DIV_BY_ZERO,
NT_STATUS_RPC_FP_DIV_ZERO),
_FAULT_STR(DCERPC_NCA_S_FAULT_INT_OVERFLOW, NT_STATUS_RPC_FP_OVERFLOW),
/*
- * What's the difference between NT_STATUS_RPC_INVALID_TAG
- * and NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE ???
- *
- * Our callers expect NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
+ * Our callers expect NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
+ * instead of NT_STATUS_RPC_INVALID_TAG.
*/
- _FAULT_STR(DCERPC_NCA_S_FAULT_INVALID_TAG,
NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE),
+ _FAULT_STR(DCERPC_NCA_S_FAULT_INVALID_TAG,
NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE),
_FAULT_STR(DCERPC_NCA_S_FAULT_INVALID_TAG, NT_STATUS_RPC_INVALID_TAG),
_FAULT_STR(DCERPC_NCA_S_FAULT_INVALID_BOUND,
NT_STATUS_RPC_INVALID_BOUND),
_FAULT_STR(DCERPC_NCA_S_FAULT_RPC_VERSION_MISMATCH,
NT_STATUS_RPC_PROTOCOL_ERROR),
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 62cd257..c29e266 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -882,6 +882,9 @@ void update_trustdom_cache( void );
struct netlogon_creds_cli_context;
struct messaging_context;
struct dcerpc_binding_handle;
+char *trust_pw_new_value(TALLOC_CTX *mem_ctx,
+ enum netr_SchannelType sec_channel_type,
+ int security);
NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
struct messaging_context *msg_ctx,
struct dcerpc_binding_handle *b,
diff --git a/source3/include/smb.h b/source3/include/smb.h
index 7eeef88..a9a4fbe 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -736,12 +736,6 @@ struct node_status_extra {
#define SAFE_NETBIOS_CHARS ". -_"
-/* The maximum length of a trust account password.
- Used when we randomly create it, 15 char passwords
- exceed NT4's max password length */
-
-#define DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH 14
-
#define PORT_NONE 0
#ifndef LDAP_PORT
#define LDAP_PORT 389
diff --git a/source3/libads/util.c b/source3/libads/util.c
index 2e22bca..b0754be 100644
--- a/source3/libads/util.c
+++ b/source3/libads/util.c
@@ -35,9 +35,12 @@ ADS_STATUS ads_change_trust_account_password(ADS_STRUCT
*ads, char *host_princip
return ADS_ERROR_SYSTEM(ENOENT);
}
- new_password = generate_random_password(talloc_tos(),
- DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
- DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
+ new_password = trust_pw_new_value(talloc_tos(), SEC_CHAN_WKSTA,
SEC_ADS);
+ if (new_password == NULL) {
+ ret = ADS_ERROR_SYSTEM(errno);
+ DEBUG(1,("Failed to generate machine password\n"));
+ goto failed;
+ }
ret = kerberos_set_password(ads->auth.kdc_server, host_principal,
password, host_principal, new_password, ads->auth.time_offset);
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index bab58f3..7e0afc1 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -1128,9 +1128,11 @@ static NTSTATUS
libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
}
if (!r->in.machine_password) {
- r->in.machine_password = generate_random_password(mem_ctx,
- DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
- DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
+ int security = r->in.ads ? SEC_ADS : SEC_DOMAIN;
+
+ r->in.machine_password = trust_pw_new_value(mem_ctx,
+ r->in.secure_channel_type,
+ security);
if (r->in.machine_password == NULL) {
TALLOC_FREE(frame);
return NT_STATUS_NO_MEMORY;
@@ -1223,9 +1225,11 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX
*mem_ctx,
}
if (!r->in.machine_password) {
- r->in.machine_password = generate_random_password(mem_ctx,
- DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
- DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
+ int security = r->in.ads ? SEC_ADS : SEC_DOMAIN;
+
+ r->in.machine_password = trust_pw_new_value(mem_ctx,
+ r->in.secure_channel_type,
+ security);
NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
}
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index c56949e..2cc6264 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -47,6 +47,62 @@ static int trust_pw_change_state_destructor(struct
trust_pw_change_state *state)
return 0;
}
+char *trust_pw_new_value(TALLOC_CTX *mem_ctx,
+ enum netr_SchannelType sec_channel_type,
+ int security)
+{
+ /*
+ * use secure defaults.
--
Samba Shared Repository
