[SCM] Samba Shared Repository - branch v3-2-test updated -
release-3-2-0pre2-2949-g8ae7040
Günther Deschner
gd at samba.org
Thu Aug 21 21:57:39 GMT 2008
The branch, v3-2-test has been updated
via 8ae7040a5e64f1a1d2088aeca1dab90470455d8a (commit)
via 059979f8e7d7d0459f83184ad5b06a8e6281f558 (commit)
via d9fa27a079dde0ebd9c2d6dc1c1bff3ae570f9e8 (commit)
from 02e260ab5254c9691846f7009f685e1b11032f80 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test
- Log -----------------------------------------------------------------
commit 8ae7040a5e64f1a1d2088aeca1dab90470455d8a
Author: Günther Deschner <gd at samba.org>
Date: Thu Aug 21 15:05:35 2008 +0200
Fix Bug #5710 and make machine account password changing work again.
When we negotiated NETLOGON_NEG_PASSWORD_SET2 we need to use
NetrServerPasswordSet2 to change the machine password.
Tested with NT4, W2k, W2k3 and W2k8.
Guenther
commit 059979f8e7d7d0459f83184ad5b06a8e6281f558
Author: Günther Deschner <gd at samba.org>
Date: Thu Aug 21 15:02:03 2008 +0200
re-run make idl.
Guenther
(cherry picked from commit f24cef9fa7be45212744d39b7c66804e64147afd)
commit d9fa27a079dde0ebd9c2d6dc1c1bff3ae570f9e8
Author: Günther Deschner <gd at samba.org>
Date: Thu Aug 21 15:01:36 2008 +0200
IDL: fix IDL for netr_ServerPasswordSet2().
Guenther
(cherry picked from commit 7b312a0abc6de5a51555ccfbde7f8f78fc11d043)
-----------------------------------------------------------------------
Summary of changes:
source/librpc/gen_ndr/cli_netlogon.c | 6 +-
source/librpc/gen_ndr/cli_netlogon.h | 6 +-
source/librpc/gen_ndr/ndr_netlogon.c | 38 ++++++++++++++---
source/librpc/gen_ndr/netlogon.h | 4 +-
source/librpc/idl/netlogon.idl | 6 +-
source/libsmb/trusts_util.c | 75 +++++++++++++++++++++++----------
6 files changed, 95 insertions(+), 40 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/librpc/gen_ndr/cli_netlogon.c b/source/librpc/gen_ndr/cli_netlogon.c
index 61f4103..f5b4715 100644
--- a/source/librpc/gen_ndr/cli_netlogon.c
+++ b/source/librpc/gen_ndr/cli_netlogon.c
@@ -1534,9 +1534,9 @@ NTSTATUS rpccli_netr_ServerPasswordSet2(struct rpc_pipe_client *cli,
const char *account_name /* [in] [charset(UTF16)] */,
enum netr_SchannelType secure_channel_type /* [in] */,
const char *computer_name /* [in] [charset(UTF16)] */,
- struct netr_Authenticator credential /* [in] */,
- struct netr_CryptPassword new_password /* [in] */,
- struct netr_Authenticator *return_authenticator /* [out] [ref] */)
+ struct netr_Authenticator *credential /* [in] [ref] */,
+ struct netr_Authenticator *return_authenticator /* [out] [ref] */,
+ struct netr_CryptPassword *new_password /* [in] [ref] */)
{
struct netr_ServerPasswordSet2 r;
NTSTATUS status;
diff --git a/source/librpc/gen_ndr/cli_netlogon.h b/source/librpc/gen_ndr/cli_netlogon.h
index 2968732..2033315 100644
--- a/source/librpc/gen_ndr/cli_netlogon.h
+++ b/source/librpc/gen_ndr/cli_netlogon.h
@@ -239,9 +239,9 @@ NTSTATUS rpccli_netr_ServerPasswordSet2(struct rpc_pipe_client *cli,
const char *account_name /* [in] [charset(UTF16)] */,
enum netr_SchannelType secure_channel_type /* [in] */,
const char *computer_name /* [in] [charset(UTF16)] */,
- struct netr_Authenticator credential /* [in] */,
- struct netr_CryptPassword new_password /* [in] */,
- struct netr_Authenticator *return_authenticator /* [out] [ref] */);
+ struct netr_Authenticator *credential /* [in] [ref] */,
+ struct netr_Authenticator *return_authenticator /* [out] [ref] */,
+ struct netr_CryptPassword *new_password /* [in] [ref] */);
NTSTATUS rpccli_netr_ServerPasswordGet(struct rpc_pipe_client *cli,
TALLOC_CTX *mem_ctx,
const char *server_name /* [in] [unique,charset(UTF16)] */,
diff --git a/source/librpc/gen_ndr/ndr_netlogon.c b/source/librpc/gen_ndr/ndr_netlogon.c
index ce61f8d..eff816c 100644
--- a/source/librpc/gen_ndr/ndr_netlogon.c
+++ b/source/librpc/gen_ndr/ndr_netlogon.c
@@ -12310,8 +12310,14 @@ static enum ndr_err_code ndr_push_netr_ServerPasswordSet2(struct ndr_push *ndr,
NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, 0));
NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, ndr_charset_length(r->in.computer_name, CH_UTF16)));
NDR_CHECK(ndr_push_charset(ndr, NDR_SCALARS, r->in.computer_name, ndr_charset_length(r->in.computer_name, CH_UTF16), sizeof(uint16_t), CH_UTF16));
- NDR_CHECK(ndr_push_netr_Authenticator(ndr, NDR_SCALARS, &r->in.credential));
- NDR_CHECK(ndr_push_netr_CryptPassword(ndr, NDR_SCALARS, &r->in.new_password));
+ if (r->in.credential == NULL) {
+ return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer");
+ }
+ NDR_CHECK(ndr_push_netr_Authenticator(ndr, NDR_SCALARS, r->in.credential));
+ if (r->in.new_password == NULL) {
+ return ndr_push_error(ndr, NDR_ERR_INVALID_POINTER, "NULL [ref] pointer");
+ }
+ NDR_CHECK(ndr_push_netr_CryptPassword(ndr, NDR_SCALARS, r->in.new_password));
}
if (flags & NDR_OUT) {
if (r->out.return_authenticator == NULL) {
@@ -12327,7 +12333,9 @@ static enum ndr_err_code ndr_pull_netr_ServerPasswordSet2(struct ndr_pull *ndr,
{
uint32_t _ptr_server_name;
TALLOC_CTX *_mem_save_server_name_0;
+ TALLOC_CTX *_mem_save_credential_0;
TALLOC_CTX *_mem_save_return_authenticator_0;
+ TALLOC_CTX *_mem_save_new_password_0;
if (flags & NDR_IN) {
ZERO_STRUCT(r->out);
@@ -12364,8 +12372,20 @@ static enum ndr_err_code ndr_pull_netr_ServerPasswordSet2(struct ndr_pull *ndr,
}
NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t)));
NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.computer_name, ndr_get_array_length(ndr, &r->in.computer_name), sizeof(uint16_t), CH_UTF16));
- NDR_CHECK(ndr_pull_netr_Authenticator(ndr, NDR_SCALARS, &r->in.credential));
- NDR_CHECK(ndr_pull_netr_CryptPassword(ndr, NDR_SCALARS, &r->in.new_password));
+ if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) {
+ NDR_PULL_ALLOC(ndr, r->in.credential);
+ }
+ _mem_save_credential_0 = NDR_PULL_GET_MEM_CTX(ndr);
+ NDR_PULL_SET_MEM_CTX(ndr, r->in.credential, LIBNDR_FLAG_REF_ALLOC);
+ NDR_CHECK(ndr_pull_netr_Authenticator(ndr, NDR_SCALARS, r->in.credential));
+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_credential_0, LIBNDR_FLAG_REF_ALLOC);
+ if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) {
+ NDR_PULL_ALLOC(ndr, r->in.new_password);
+ }
+ _mem_save_new_password_0 = NDR_PULL_GET_MEM_CTX(ndr);
+ NDR_PULL_SET_MEM_CTX(ndr, r->in.new_password, LIBNDR_FLAG_REF_ALLOC);
+ NDR_CHECK(ndr_pull_netr_CryptPassword(ndr, NDR_SCALARS, r->in.new_password));
+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_new_password_0, LIBNDR_FLAG_REF_ALLOC);
NDR_PULL_ALLOC(ndr, r->out.return_authenticator);
ZERO_STRUCTP(r->out.return_authenticator);
}
@@ -12401,8 +12421,14 @@ _PUBLIC_ void ndr_print_netr_ServerPasswordSet2(struct ndr_print *ndr, const cha
ndr_print_string(ndr, "account_name", r->in.account_name);
ndr_print_netr_SchannelType(ndr, "secure_channel_type", r->in.secure_channel_type);
ndr_print_string(ndr, "computer_name", r->in.computer_name);
- ndr_print_netr_Authenticator(ndr, "credential", &r->in.credential);
- ndr_print_netr_CryptPassword(ndr, "new_password", &r->in.new_password);
+ ndr_print_ptr(ndr, "credential", r->in.credential);
+ ndr->depth++;
+ ndr_print_netr_Authenticator(ndr, "credential", r->in.credential);
+ ndr->depth--;
+ ndr_print_ptr(ndr, "new_password", r->in.new_password);
+ ndr->depth++;
+ ndr_print_netr_CryptPassword(ndr, "new_password", r->in.new_password);
+ ndr->depth--;
ndr->depth--;
}
if (flags & NDR_OUT) {
diff --git a/source/librpc/gen_ndr/netlogon.h b/source/librpc/gen_ndr/netlogon.h
index 9e86051..1cea1f0 100644
--- a/source/librpc/gen_ndr/netlogon.h
+++ b/source/librpc/gen_ndr/netlogon.h
@@ -1355,8 +1355,8 @@ struct netr_ServerPasswordSet2 {
const char *account_name;/* [charset(UTF16)] */
enum netr_SchannelType secure_channel_type;
const char *computer_name;/* [charset(UTF16)] */
- struct netr_Authenticator credential;
- struct netr_CryptPassword new_password;
+ struct netr_Authenticator *credential;/* [ref] */
+ struct netr_CryptPassword *new_password;/* [ref] */
} in;
struct {
diff --git a/source/librpc/idl/netlogon.idl b/source/librpc/idl/netlogon.idl
index 98cf1e7..74535fc 100644
--- a/source/librpc/idl/netlogon.idl
+++ b/source/librpc/idl/netlogon.idl
@@ -1182,9 +1182,9 @@ interface netlogon
[in] [string,charset(UTF16)] uint16 account_name[],
[in] netr_SchannelType secure_channel_type,
[in] [string,charset(UTF16)] uint16 computer_name[],
- [in] netr_Authenticator credential,
- [in] netr_CryptPassword new_password,
- [out,ref] netr_Authenticator *return_authenticator
+ [in,ref] netr_Authenticator *credential,
+ [out,ref] netr_Authenticator *return_authenticator,
+ [in,ref] netr_CryptPassword *new_password
);
/****************/
diff --git a/source/libsmb/trusts_util.c b/source/libsmb/trusts_util.c
index c3f5f25..0535d1b 100644
--- a/source/libsmb/trusts_util.c
+++ b/source/libsmb/trusts_util.c
@@ -31,34 +31,60 @@
static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
const unsigned char orig_trust_passwd_hash[16],
+ const char *new_trust_pwd_cleartext,
const unsigned char new_trust_passwd_hash[16],
uint32 sec_channel_type)
{
NTSTATUS result;
+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
- /* Check if the netlogon pipe is open using schannel. If so we
- already have valid creds. If not we must set them up. */
-
- if (cli->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
-
- result = rpccli_netlogon_setup_creds(cli,
- cli->cli->desthost, /* server name */
- lp_workgroup(), /* domain */
- global_myname(), /* client name */
- global_myname(), /* machine account name */
- orig_trust_passwd_hash,
- sec_channel_type,
- &neg_flags);
-
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(3,("just_change_the_password: unable to setup creds (%s)!\n",
- nt_errstr(result)));
- return result;
- }
+ result = rpccli_netlogon_setup_creds(cli,
+ cli->cli->desthost, /* server name */
+ lp_workgroup(), /* domain */
+ global_myname(), /* client name */
+ global_myname(), /* machine account name */
+ orig_trust_passwd_hash,
+ sec_channel_type,
+ &neg_flags);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(3,("just_change_the_password: unable to setup creds (%s)!\n",
+ nt_errstr(result)));
+ return result;
}
- {
+ if (neg_flags & NETLOGON_NEG_PASSWORD_SET2) {
+
+ struct netr_Authenticator clnt_creds, srv_cred;
+ struct netr_CryptPassword new_password;
+ struct samr_CryptPassword password_buf;
+
+ netlogon_creds_client_step(cli->dc, &clnt_creds);
+
+ encode_pw_buffer(password_buf.data, new_trust_pwd_cleartext, STR_UNICODE);
+
+ SamOEMhash(password_buf.data, cli->dc->sess_key, 516);
+ memcpy(new_password.data, password_buf.data, 512);
+ new_password.length = IVAL(password_buf.data, 512);
+
+ result = rpccli_netr_ServerPasswordSet2(cli, mem_ctx,
+ cli->dc->remote_machine,
+ cli->dc->mach_acct,
+ sec_channel_type,
+ global_myname(),
+ &clnt_creds,
+ &srv_cred,
+ &new_password);
+
+ /* Always check returned credentials. */
+ if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) {
+ DEBUG(0,("rpccli_netr_ServerPasswordSet2: "
+ "credentials chain check failed\n"));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ } else {
+
struct netr_Authenticator clnt_creds, srv_cred;
struct samr_Password new_password;
@@ -118,8 +144,11 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
E_md4hash(new_trust_passwd, new_trust_passwd_hash);
- nt_status = just_change_the_password(cli, mem_ctx, orig_trust_passwd_hash,
- new_trust_passwd_hash, sec_channel_type);
+ nt_status = just_change_the_password(cli, mem_ctx,
+ orig_trust_passwd_hash,
+ new_trust_passwd,
+ new_trust_passwd_hash,
+ sec_channel_type);
if (NT_STATUS_IS_OK(nt_status)) {
DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
--
Samba Shared Repository
More information about the samba-cvs
mailing list