Re: svn commit: samba r24787 - in branches/SAMBA_3_2_0/source: rpc_parse utils

2007-08-30 Thread Rafal Szczesniak
On Wed, Aug 29, 2007 at 05:14:55PM +, [EMAIL PROTECTED] wrote:
 Author: jra
 Date: 2007-08-29 17:14:54 + (Wed, 29 Aug 2007)
 New Revision: 24787
 
 WebSVN: 
 http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=24787
 
 Log:
 Janitor for Mimir. Mimir, you checked into SAMBA_3_2 and
 SAMBA_3_0 - this second branch is defunct. You should
 be checking into SAMBA_3_2_0 instead - this is what we
 will be shipping as 3.2.0.

Oh, sorry. I thought I had already checked it into 3_2_0 after I found
that my samba3 tree was SAMBA_3_0.

Thanks!


cheers,
-- 
Rafal Szczesniak
Samba Team member  http://www.samba.org





svn commit: samba r24787 - in branches/SAMBA_3_2_0/source: rpc_parse utils

2007-08-29 Thread jra
Author: jra
Date: 2007-08-29 17:14:54 + (Wed, 29 Aug 2007)
New Revision: 24787

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=revroot=sambarev=24787

Log:
Janitor for Mimir. Mimir, you checked into SAMBA_3_2 and
SAMBA_3_0 - this second branch is defunct. You should
be checking into SAMBA_3_2_0 instead - this is what we
will be shipping as 3.2.0.
Jeremy.

Use infolevel 25 to set the machine account's password (just like winxp).
This correctly updates pwdLastSet field on win2k3 server.


Modified:
   branches/SAMBA_3_2_0/source/rpc_parse/parse_samr.c
   branches/SAMBA_3_2_0/source/utils/net_domain.c


Changeset:
Modified: branches/SAMBA_3_2_0/source/rpc_parse/parse_samr.c
===
--- branches/SAMBA_3_2_0/source/rpc_parse/parse_samr.c  2007-08-29 14:50:04 UTC 
(rev 24786)
+++ branches/SAMBA_3_2_0/source/rpc_parse/parse_samr.c  2007-08-29 17:14:54 UTC 
(rev 24787)
@@ -5860,6 +5860,25 @@
}
 }
 
+
+/*
+ init_samr_user_info25P
+ fields_present = ACCT_NT_PWD_SET | ACCT_LM_PWD_SET | ACCT_FLAGS
+*/
+
+void init_sam_user_info25P(SAM_USER_INFO_25 * usr,
+  uint32 fields_present, uint32 acb_info,
+  char newpass[532])
+{
+   usr-fields_present = fields_present;
+   ZERO_STRUCT(usr-padding1);
+   ZERO_STRUCT(usr-padding2);
+
+   usr-acb_info = acb_info;
+   memcpy(usr-pass, newpass, sizeof(usr-pass));
+}
+
+
 /***
 reads or writes a structure.
 /
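Review bot: The header comment above the new function names it `init_samr_user_info25P`, but the function defined is `init_sam_user_info25P`; the comment should carry the real name so a search finds it. The `char newpass[532]` parameter decays to a plain pointer, so the compiler does not enforce the length, while the memcpy reads as many bytes as the destination `pass` field holds. A caller handing in a shorter buffer would have adjacent memory copied into a structure that is later sent over RPC. I would declare the parameter as `const char *newpass` and add `/* newpass must point to at least sizeof(usr->pass) bytes */` above the memcpy. The size of the `pass` field is not visible in this hunk, so confirm it is 532.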

Modified: branches/SAMBA_3_2_0/source/utils/net_domain.c
===
--- branches/SAMBA_3_2_0/source/utils/net_domain.c  2007-08-29 14:50:04 UTC 
(rev 24786)
+++ branches/SAMBA_3_2_0/source/utils/net_domain.c  2007-08-29 17:14:54 UTC 
(rev 24787)
@@ -208,10 +208,14 @@
uint32 num_rids, *name_types, *user_rids;
uint32 flags = 0x3e8;
uint32 acb_info = ACB_WSTRUST;
-   uchar pwbuf[516];
+   uint32 fields_present;
+   uchar pwbuf[532];
SAM_USERINFO_CTR ctr;
-   SAM_USER_INFO_24 p24;
-   SAM_USER_INFO_16 p16;
+   SAM_USER_INFO_25 p25;
+   const int infolevel = 25;
+   struct MD5Context md5ctx;
+   uchar md5buffer[16];
+   DATA_BLOB digested_session_key;
uchar md4_trust_password[16];
 
/* Open the domain */
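Review bot: `uchar pwbuf[532]` is a bare number that has to stay in step with the `char newpass[532]` parameter of init_sam_user_info25P and with the offset `516` used further down in this function, and nothing ties the three together. Named constants would make the layout explicit, for example `uchar pwbuf[PW_BUF_LEN + PW_SALT_LEN];` with 516 and 16 defined once (the names are placeholders). `md5buffer` holds the random bytes that are fed into MD5 rather than a digest, so a name such as `salt` would describe it better. The enclosing function starts and ends outside this hunk.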
@@ -282,24 +286,49 @@
 
status = rpccli_samr_open_user(pipe_hnd, mem_ctx, domain_pol,
SEC_RIGHTS_MAXIMUM_ALLOWED, user_rid, user_pol);
+   if (!NT_STATUS_IS_OK(status)) {
+   return status;
+   }

-   /* Create a random machine account password */
+   /* Create a random machine account password and generate the hash */
 
-   E_md4hash( clear_pw, md4_trust_password);
+   E_md4hash(clear_pw, md4_trust_password);
encode_pw_buffer(pwbuf, clear_pw, STR_UNICODE);
+   
+   generate_random_buffer((uint8*)md5buffer, sizeof(md5buffer));
+   digested_session_key = data_blob_talloc(mem_ctx, 0, 16);
+   
+   MD5Init(md5ctx);
+   MD5Update(md5ctx, md5buffer, sizeof(md5buffer));
+   MD5Update(md5ctx, cli-user_session_key.data, 
cli-user_session_key.length);
+   MD5Final(digested_session_key.data, md5ctx);
+   
+   SamOEMhashBlob(pwbuf, sizeof(pwbuf), digested_session_key);
+   memcpy(pwbuf[516], md5buffer, sizeof(md5buffer));
 
-   /* Set password on machine account */
+   /* Fill in the additional account flags now */
 
+   acb_info |= ACB_PWNOEXP;
+   if ( dom_type == ND_TYPE_AD ) {
+#if !defined(ENCTYPE_ARCFOUR_HMAC)
+   acb_info |= ACB_USE_DES_KEY_ONLY;
+#endif
+   ;;
+   }
+
+   /* Set password and account flags on machine account */
+
ZERO_STRUCT(ctr);
-   ZERO_STRUCT(p24);
+   ZERO_STRUCT(p25);
 
-   init_sam_user_info24(p24, (char *)pwbuf,24);
+   fields_present = ACCT_NT_PWD_SET | ACCT_LM_PWD_SET | ACCT_FLAGS;
+   init_sam_user_info25P(p25, fields_present, acb_info, (char *)pwbuf);
 
-   ctr.switch_value = 24;
-   ctr.info.id24 = p24;
+   ctr.switch_value = infolevel;
+   ctr.info.id25= p25;
 
-   status = rpccli_samr_set_userinfo(pipe_hnd, mem_ctx, user_pol, 
-   24, cli-user_session_key, ctr);
+   status = rpccli_samr_set_userinfo2(pipe_hnd, mem_ctx, user_pol,
+  infolevel, cli-user_session_key, 
ctr);
 
if ( !NT_STATUS_IS_OK(status) ) {
d_fprintf( stderr, Failed to set password for machine account 
(%s)\n, 
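Review bot: In the `dom_type == ND_TYPE_AD` branch, a build without ENCTYPE_ARCFOUR_HMAC sets `ACB_USE_DES_KEY_ONLY` on the machine account with no explanation, and the branch ends in a stray `;;`. Drop the empty statements and add a comment stating why, e.g. `/* no arcfour-hmac enctype available in this build: restrict the account to DES keys */`, so the weaker setting is visibly a deliberate choice. The blob from `data_blob_talloc(mem_ctx, 0, 16)` is written by `MD5Final` without a check; if that helper can return a NULL `data` pointer in this tree, add `if (digested_session_key.data == NULL) return NT_STATUS_NO_MEMORY;` after the allocation. `pwbuf`, `md5buffer` and the digested key hold password-derived material and are not cleared anywhere in this hunk; the function continues outside it, so confirm they are wiped before it returns. The literal `16` would be clearer as `sizeof(md5buffer)`.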
@@ -307,35 +336,6 @@
return status;
}
 
-
-   /* Why do we have to try