[SCM] Samba Shared Repository - branch v3-0-test updated - release-3-0-32-10-g0914572

Günther Deschner gd at samba.org
Thu Aug 28 22:17:23 GMT 2008 

The branch, v3-0-test has been updated
       via  09145720b510647e7c24e3062a4a1246cc7bff5b (commit)
       via  84fbac51ffc5f4a8a4f7b1baf5e9b1af174505f5 (commit)
       via  a5b913dd31cc3c4d01458e6fcc0a03852a2738a2 (commit)
       via  15fe1a3fa07493060a0155bd4f9f0f9bd1588d50 (commit)
      from  91dcce0e4deb87c6d5e491eb9dbb09fd04981d28 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test


- Log -----------------------------------------------------------------
commit 09145720b510647e7c24e3062a4a1246cc7bff5b
Author: Günther Deschner <gd at samba.org>
Date:   Fri Aug 29 00:06:09 2008 +0200

    net: net should just use machine account creds when changing passwords.
    
    Guenther

commit 84fbac51ffc5f4a8a4f7b1baf5e9b1af174505f5
Author: Günther Deschner <gd at samba.org>
Date:   Fri Aug 29 00:05:32 2008 +0200

    Backport bugfix for bug #5710.
    
    In order to successfully update a machine account password we need to use
    Netlogon ServerPasswordSet2 when NETLOGON_NEG_PASSWORD_SET2 has been negotiated.
    
    Guenther

commit a5b913dd31cc3c4d01458e6fcc0a03852a2738a2
Author: Günther Deschner <gd at samba.org>
Date:   Fri Aug 29 00:02:54 2008 +0200

    netlogon: "re-run make idl" - implement netr_ServerPasswordSet2 client.
    
    Guenther

commit 15fe1a3fa07493060a0155bd4f9f0f9bd1588d50
Author: Günther Deschner <gd at samba.org>
Date:   Fri Aug 29 00:01:45 2008 +0200

    netlogon: define NET_SRVPWSET2 call.
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 source/include/rpc_dce.h         |    2 +
 source/include/rpc_netlogon.h    |   18 ++++++++
 source/libsmb/trusts_util.c      |   28 +++++++------
 source/rpc_client/cli_netlogon.c |   50 +++++++++++++++++++++++
 source/rpc_parse/parse_net.c     |   80 ++++++++++++++++++++++++++++++++++++++
 source/utils/net_rpc.c           |    2 +
 6 files changed, 167 insertions(+), 13 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/include/rpc_dce.h b/source/include/rpc_dce.h
index ad5fb68..abc11ce 100644
--- a/source/include/rpc_dce.h
+++ b/source/include/rpc_dce.h
@@ -104,6 +104,8 @@ enum RPC_PKT_TYPE {
 #define NETLOGON_NEG_128BIT			0x00004000
 #define NETLOGON_NEG_SCHANNEL			0x40000000
 
+#define NETLOGON_NEG_PASSWORD_SET2		0x00020000
+
 /* The 7 here seems to be required to get Win2k not to downgrade us
    to NT4.  Actually, anything other than 1ff would seem to do... */
 #define NETLOGON_NEG_AUTH2_FLAGS 0x000701ff
diff --git a/source/include/rpc_netlogon.h b/source/include/rpc_netlogon.h
index 324755a..b4b014d 100644
--- a/source/include/rpc_netlogon.h
+++ b/source/include/rpc_netlogon.h
@@ -42,6 +42,7 @@
 #define NET_AUTH3		0x1a
 #define NET_DSR_GETDCNAMEEX	0x1b
 #define NET_DSR_GETSITENAME	0x1c
+#define NET_SRVPWSET2		0x1e
 #define NET_DSR_GETDCNAMEEX2	0x22
 #define NET_SAMLOGON_EX		0x27
 
@@ -530,6 +531,23 @@ typedef struct net_r_srv_pwset_info {
 	NTSTATUS status; /* return code */
 } NET_R_SRV_PWSET;
 
+typedef struct net_crypt_password {
+        uint8_t data[512];
+        uint32_t length;
+} NET_CRYPT_PWD;
+
+/* NET_Q_SRV_PWSET2 */
+typedef struct net_q_srv_pwset2_info {
+	DOM_CLNT_INFO clnt_id; /* client identification/authentication info */
+	NET_CRYPT_PWD pwd; /* new password */
+} NET_Q_SRV_PWSET2;
+
+/* NET_R_SRV_PWSET2 */
+typedef struct net_r_srv_pwset2_info {
+	DOM_CRED srv_cred;     /* server-calculated credentials */
+	NTSTATUS status; /* return code */
+} NET_R_SRV_PWSET2;
+
 /* NET_ID_INFO_2 */
 typedef struct net_network_info_2 {
 	uint32            ptr_id_info2;        /* pointer to id_info_2 */
diff --git a/source/libsmb/trusts_util.c b/source/libsmb/trusts_util.c
index bd6bbfe..257d04e 100644
--- a/source/libsmb/trusts_util.c
+++ b/source/libsmb/trusts_util.c
@@ -32,18 +32,14 @@
 
 static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, 
 					 const unsigned char orig_trust_passwd_hash[16],
+					 const char *new_trust_pwd_cleartext,
 					 const unsigned char new_trust_passwd_hash[16],
 					 uint32 sec_channel_type)
 {
 	NTSTATUS result;
+	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 
-	/* Check if the netlogon pipe is open using schannel. If so we
-	   already have valid creds. If not we must set them up. */
-
-	if (cli->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
-		uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
-
-		result = rpccli_netlogon_setup_creds(cli, 
+	result = rpccli_netlogon_setup_creds(cli,
 					cli->cli->desthost, /* server name */
 					lp_workgroup(), /* domain */
 					global_myname(), /* client name */
@@ -52,14 +48,19 @@ static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX
 					sec_channel_type,
 					&neg_flags);
 
-		if (!NT_STATUS_IS_OK(result)) {
-			DEBUG(3,("just_change_the_password: unable to setup creds (%s)!\n",
-				 nt_errstr(result)));
-			return result;
-		}
+	if (!NT_STATUS_IS_OK(result)) {
+		DEBUG(3,("just_change_the_password: unable to setup creds (%s)!\n",
+			 nt_errstr(result)));
+		return result;
 	}
 
-	result = rpccli_net_srv_pwset(cli, mem_ctx, global_myname(), new_trust_passwd_hash);
+	if (neg_flags & NETLOGON_NEG_PASSWORD_SET2) {
+		result = rpccli_net_srv_pwset2(cli, mem_ctx, global_myname(),
+					       new_trust_pwd_cleartext);
+	} else {
+		result = rpccli_net_srv_pwset(cli, mem_ctx, global_myname(),
+					      new_trust_passwd_hash);
+	}
 
 	if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(0,("just_change_the_password: unable to change password (%s)!\n",
@@ -95,6 +96,7 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
 	E_md4hash(new_trust_passwd, new_trust_passwd_hash);
 
 	nt_status = just_change_the_password(cli, mem_ctx, orig_trust_passwd_hash,
+					     new_trust_passwd,
 					     new_trust_passwd_hash, sec_channel_type);
 	
 	if (NT_STATUS_IS_OK(nt_status)) {
diff --git a/source/rpc_client/cli_netlogon.c b/source/rpc_client/cli_netlogon.c
index fb8c5cf..3c77597 100644
--- a/source/rpc_client/cli_netlogon.c
+++ b/source/rpc_client/cli_netlogon.c
@@ -1082,3 +1082,53 @@ NTSTATUS rpccli_net_srv_pwset(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
 
 	return result;
 }
+
+/***************************************************************************
+LSA Server Password Set2.
+****************************************************************************/
+
+NTSTATUS rpccli_net_srv_pwset2(struct rpc_pipe_client *cli,
+			       TALLOC_CTX *mem_ctx,
+			       const char *machine_name,
+			       const char *clear_text_mach_pwd)
+{
+	prs_struct rbuf;
+	prs_struct qbuf;
+	DOM_CRED clnt_creds;
+	NET_Q_SRV_PWSET2 q;
+	NET_R_SRV_PWSET2 r;
+	uint16 sec_chan_type = 2;
+	NTSTATUS result;
+
+	creds_client_step(cli->dc, &clnt_creds);
+
+	DEBUG(4,("cli_net_srv_pwset2: srv:%s acct:%s sc: %d mc: %s\n",
+		 cli->dc->remote_machine, cli->dc->mach_acct, sec_chan_type, machine_name));
+
+        /* store the parameters */
+	init_q_srv_pwset2(&q, cli->dc->remote_machine, (const char *)cli->dc->sess_key,
+			  cli->dc->mach_acct, sec_chan_type, machine_name,
+			  &clnt_creds, clear_text_mach_pwd);
+
+	CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_SRVPWSET2,
+		q, r,
+		qbuf, rbuf,
+		net_io_q_srv_pwset2,
+		net_io_r_srv_pwset2,
+		NT_STATUS_UNSUCCESSFUL);
+
+	result = r.status;
+
+	if (!NT_STATUS_IS_OK(result)) {
+		/* report error code */
+		DEBUG(0,("cli_net_srv_pwset2: %s\n", nt_errstr(result)));
+	}
+
+	/* Always check returned credentials. */
+	if (!creds_client_check(cli->dc, &r.srv_cred.challenge)) {
+		DEBUG(0,("rpccli_net_srv_pwset2: credentials chain check failed\n"));
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
+	return result;
+}
diff --git a/source/rpc_parse/parse_net.c b/source/rpc_parse/parse_net.c
index 693de2d..708f5ba 100644
--- a/source/rpc_parse/parse_net.c
+++ b/source/rpc_parse/parse_net.c
@@ -996,6 +996,86 @@ BOOL net_io_r_srv_pwset(const char *desc, NET_R_SRV_PWSET *r_s, prs_struct *ps,
 	return True;
 }
 
+/*******************************************************************
+ Inits a NET_Q_SRV_PWSET2.
+********************************************************************/
+
+void init_q_srv_pwset2(NET_Q_SRV_PWSET2 *q_s,
+		       const char *logon_srv,
+		       const char *sess_key,
+		       const char *acct_name,
+		       uint16 sec_chan,
+		       const char *comp_name,
+		       DOM_CRED *cred,
+		       const char *clear_text_mach_pwd)
+{
+	uint8_t password_buf[516];
+	NET_CRYPT_PWD new_password;
+
+	DEBUG(5,("init_q_srv_pwset2\n"));
+
+	/* Process the new password. */
+
+	encode_pw_buffer(password_buf, clear_text_mach_pwd, STR_UNICODE);
+
+	SamOEMhash(password_buf, (const unsigned char *)sess_key, 516);
+	memcpy(new_password.data, password_buf, 512);
+	new_password.length = IVAL(password_buf, 512);
+
+	init_clnt_info(&q_s->clnt_id, logon_srv, acct_name, sec_chan, comp_name, cred);
+
+	memcpy(&q_s->pwd, &new_password, sizeof(q_s->pwd));
+}
+
+/*******************************************************************
+ Reads or writes a structure.
+********************************************************************/
+
+BOOL net_io_q_srv_pwset2(const char *desc, NET_Q_SRV_PWSET2 *q_s, prs_struct *ps, int depth)
+{
+	if (q_s == NULL)
+		return False;
+
+	prs_debug(ps, depth, desc, "net_io_q_srv_pwset2");
+	depth++;
+
+	if(!prs_align(ps))
+		return False;
+
+	if(!smb_io_clnt_info("", &q_s->clnt_id, ps, depth)) /* client identification/authentication info */
+		return False;
+	if(!prs_uint8s(False, "pwd.data", ps, depth, q_s->pwd.data, 516)) /* new password - undocumented */
+		return False;
+	if(!prs_uint32("pwd.length", ps, depth, &q_s->pwd.length)) /* new password - undocumented */
+		return False;
+
+	return True;
+}
+
+/*******************************************************************
+ Reads or writes a structure.
+********************************************************************/
+
+BOOL net_io_r_srv_pwset2(const char *desc, NET_R_SRV_PWSET2 *r_s, prs_struct *ps, int depth)
+{
+	if (r_s == NULL)
+		return False;
+
+	prs_debug(ps, depth, desc, "net_io_r_srv_pwset2");
+	depth++;
+
+	if(!prs_align(ps))
+		return False;
+
+	if(!smb_io_cred("", &r_s->srv_cred, ps, depth)) /* server challenge */
+		return False;
+
+	if(!prs_ntstatus("status", ps, depth, &r_s->status))
+		return False;
+
+	return True;
+}
+
 /*************************************************************************
  Init DOM_SID2 array from a string containing multiple sids
  *************************************************************************/
diff --git a/source/utils/net_rpc.c b/source/utils/net_rpc.c
index 4b77db9..54ebd7b 100644
--- a/source/utils/net_rpc.c
+++ b/source/utils/net_rpc.c
@@ -227,6 +227,8 @@ static NTSTATUS rpc_changetrustpw_internals(const DOM_SID *domain_sid,
 
 int net_rpc_changetrustpw(int argc, const char **argv) 
 {
+	net_use_machine_account();
+
 	return run_rpc_command(NULL, PI_NETLOGON, NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC, 
 			       rpc_changetrustpw_internals,
 			       argc, argv);


-- 
Samba Shared Repository

More information about the samba-cvs mailing list