[SCM] Samba Shared Repository - branch v3-0-test updated -
release-3-0-32-10-g0914572
Günther Deschner
gd at samba.org
Thu Aug 28 22:17:23 GMT 2008
The branch, v3-0-test has been updated
via 09145720b510647e7c24e3062a4a1246cc7bff5b (commit)
via 84fbac51ffc5f4a8a4f7b1baf5e9b1af174505f5 (commit)
via a5b913dd31cc3c4d01458e6fcc0a03852a2738a2 (commit)
via 15fe1a3fa07493060a0155bd4f9f0f9bd1588d50 (commit)
from 91dcce0e4deb87c6d5e491eb9dbb09fd04981d28 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test
- Log -----------------------------------------------------------------
commit 09145720b510647e7c24e3062a4a1246cc7bff5b
Author: Günther Deschner <gd at samba.org>
Date: Fri Aug 29 00:06:09 2008 +0200
net: net should just use machine account creds when changing passwords.
Guenther
commit 84fbac51ffc5f4a8a4f7b1baf5e9b1af174505f5
Author: Günther Deschner <gd at samba.org>
Date: Fri Aug 29 00:05:32 2008 +0200
Backport bugfix for bug #5710.
In order to successfully update a machine account password we need to use
Netlogon ServerPasswordSet2 when NETLOGON_NEG_PASSWORD_SET2 has been negotiated.
Guenther
commit a5b913dd31cc3c4d01458e6fcc0a03852a2738a2
Author: Günther Deschner <gd at samba.org>
Date: Fri Aug 29 00:02:54 2008 +0200
netlogon: "re-run make idl" - implement netr_ServerPasswordSet2 client.
Guenther
commit 15fe1a3fa07493060a0155bd4f9f0f9bd1588d50
Author: Günther Deschner <gd at samba.org>
Date: Fri Aug 29 00:01:45 2008 +0200
netlogon: define NET_SRVPWSET2 call.
Guenther
-----------------------------------------------------------------------
Summary of changes:
source/include/rpc_dce.h | 2 +
source/include/rpc_netlogon.h | 18 ++++++++
source/libsmb/trusts_util.c | 28 +++++++------
source/rpc_client/cli_netlogon.c | 50 +++++++++++++++++++++++
source/rpc_parse/parse_net.c | 80 ++++++++++++++++++++++++++++++++++++++
source/utils/net_rpc.c | 2 +
6 files changed, 167 insertions(+), 13 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/include/rpc_dce.h b/source/include/rpc_dce.h
index ad5fb68..abc11ce 100644
--- a/source/include/rpc_dce.h
+++ b/source/include/rpc_dce.h
@@ -104,6 +104,8 @@ enum RPC_PKT_TYPE {
#define NETLOGON_NEG_128BIT 0x00004000
#define NETLOGON_NEG_SCHANNEL 0x40000000
+#define NETLOGON_NEG_PASSWORD_SET2 0x00020000
+
/* The 7 here seems to be required to get Win2k not to downgrade us
to NT4. Actually, anything other than 1ff would seem to do... */
#define NETLOGON_NEG_AUTH2_FLAGS 0x000701ff
diff --git a/source/include/rpc_netlogon.h b/source/include/rpc_netlogon.h
index 324755a..b4b014d 100644
--- a/source/include/rpc_netlogon.h
+++ b/source/include/rpc_netlogon.h
@@ -42,6 +42,7 @@
#define NET_AUTH3 0x1a
#define NET_DSR_GETDCNAMEEX 0x1b
#define NET_DSR_GETSITENAME 0x1c
+#define NET_SRVPWSET2 0x1e
#define NET_DSR_GETDCNAMEEX2 0x22
#define NET_SAMLOGON_EX 0x27
@@ -530,6 +531,23 @@ typedef struct net_r_srv_pwset_info {
NTSTATUS status; /* return code */
} NET_R_SRV_PWSET;
+typedef struct net_crypt_password {
+ uint8_t data[512];
+ uint32_t length;
+} NET_CRYPT_PWD;
+
+/* NET_Q_SRV_PWSET2 */
+typedef struct net_q_srv_pwset2_info {
+ DOM_CLNT_INFO clnt_id; /* client identification/authentication info */
+ NET_CRYPT_PWD pwd; /* new password */
+} NET_Q_SRV_PWSET2;
+
+/* NET_R_SRV_PWSET2 */
+typedef struct net_r_srv_pwset2_info {
+ DOM_CRED srv_cred; /* server-calculated credentials */
+ NTSTATUS status; /* return code */
+} NET_R_SRV_PWSET2;
+
/* NET_ID_INFO_2 */
typedef struct net_network_info_2 {
uint32 ptr_id_info2; /* pointer to id_info_2 */
diff --git a/source/libsmb/trusts_util.c b/source/libsmb/trusts_util.c
index bd6bbfe..257d04e 100644
--- a/source/libsmb/trusts_util.c
+++ b/source/libsmb/trusts_util.c
@@ -32,18 +32,14 @@
static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
const unsigned char orig_trust_passwd_hash[16],
+ const char *new_trust_pwd_cleartext,
const unsigned char new_trust_passwd_hash[16],
uint32 sec_channel_type)
{
NTSTATUS result;
+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
- /* Check if the netlogon pipe is open using schannel. If so we
- already have valid creds. If not we must set them up. */
-
- if (cli->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
-
- result = rpccli_netlogon_setup_creds(cli,
+ result = rpccli_netlogon_setup_creds(cli,
cli->cli->desthost, /* server name */
lp_workgroup(), /* domain */
global_myname(), /* client name */
@@ -52,14 +48,19 @@ static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX
sec_channel_type,
&neg_flags);
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(3,("just_change_the_password: unable to setup creds (%s)!\n",
- nt_errstr(result)));
- return result;
- }
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(3,("just_change_the_password: unable to setup creds (%s)!\n",
+ nt_errstr(result)));
+ return result;
}
- result = rpccli_net_srv_pwset(cli, mem_ctx, global_myname(), new_trust_passwd_hash);
+ if (neg_flags & NETLOGON_NEG_PASSWORD_SET2) {
+ result = rpccli_net_srv_pwset2(cli, mem_ctx, global_myname(),
+ new_trust_pwd_cleartext);
+ } else {
+ result = rpccli_net_srv_pwset(cli, mem_ctx, global_myname(),
+ new_trust_passwd_hash);
+ }
if (!NT_STATUS_IS_OK(result)) {
DEBUG(0,("just_change_the_password: unable to change password (%s)!\n",
@@ -95,6 +96,7 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
E_md4hash(new_trust_passwd, new_trust_passwd_hash);
nt_status = just_change_the_password(cli, mem_ctx, orig_trust_passwd_hash,
+ new_trust_passwd,
new_trust_passwd_hash, sec_channel_type);
if (NT_STATUS_IS_OK(nt_status)) {
diff --git a/source/rpc_client/cli_netlogon.c b/source/rpc_client/cli_netlogon.c
index fb8c5cf..3c77597 100644
--- a/source/rpc_client/cli_netlogon.c
+++ b/source/rpc_client/cli_netlogon.c
@@ -1082,3 +1082,53 @@ NTSTATUS rpccli_net_srv_pwset(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
return result;
}
+
+/***************************************************************************
+LSA Server Password Set2.
+****************************************************************************/
+
+NTSTATUS rpccli_net_srv_pwset2(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ const char *machine_name,
+ const char *clear_text_mach_pwd)
+{
+ prs_struct rbuf;
+ prs_struct qbuf;
+ DOM_CRED clnt_creds;
+ NET_Q_SRV_PWSET2 q;
+ NET_R_SRV_PWSET2 r;
+ uint16 sec_chan_type = 2;
+ NTSTATUS result;
+
+ creds_client_step(cli->dc, &clnt_creds);
+
+ DEBUG(4,("cli_net_srv_pwset2: srv:%s acct:%s sc: %d mc: %s\n",
+ cli->dc->remote_machine, cli->dc->mach_acct, sec_chan_type, machine_name));
+
+ /* store the parameters */
+ init_q_srv_pwset2(&q, cli->dc->remote_machine, (const char *)cli->dc->sess_key,
+ cli->dc->mach_acct, sec_chan_type, machine_name,
+ &clnt_creds, clear_text_mach_pwd);
+
+ CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_SRVPWSET2,
+ q, r,
+ qbuf, rbuf,
+ net_io_q_srv_pwset2,
+ net_io_r_srv_pwset2,
+ NT_STATUS_UNSUCCESSFUL);
+
+ result = r.status;
+
+ if (!NT_STATUS_IS_OK(result)) {
+ /* report error code */
+ DEBUG(0,("cli_net_srv_pwset2: %s\n", nt_errstr(result)));
+ }
+
+ /* Always check returned credentials. */
+ if (!creds_client_check(cli->dc, &r.srv_cred.challenge)) {
+ DEBUG(0,("rpccli_net_srv_pwset2: credentials chain check failed\n"));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ return result;
+}
diff --git a/source/rpc_parse/parse_net.c b/source/rpc_parse/parse_net.c
index 693de2d..708f5ba 100644
--- a/source/rpc_parse/parse_net.c
+++ b/source/rpc_parse/parse_net.c
@@ -996,6 +996,86 @@ BOOL net_io_r_srv_pwset(const char *desc, NET_R_SRV_PWSET *r_s, prs_struct *ps,
return True;
}
+/*******************************************************************
+ Inits a NET_Q_SRV_PWSET2.
+********************************************************************/
+
+void init_q_srv_pwset2(NET_Q_SRV_PWSET2 *q_s,
+ const char *logon_srv,
+ const char *sess_key,
+ const char *acct_name,
+ uint16 sec_chan,
+ const char *comp_name,
+ DOM_CRED *cred,
+ const char *clear_text_mach_pwd)
+{
+ uint8_t password_buf[516];
+ NET_CRYPT_PWD new_password;
+
+ DEBUG(5,("init_q_srv_pwset2\n"));
+
+ /* Process the new password. */
+
+ encode_pw_buffer(password_buf, clear_text_mach_pwd, STR_UNICODE);
+
+ SamOEMhash(password_buf, (const unsigned char *)sess_key, 516);
+ memcpy(new_password.data, password_buf, 512);
+ new_password.length = IVAL(password_buf, 512);
+
+ init_clnt_info(&q_s->clnt_id, logon_srv, acct_name, sec_chan, comp_name, cred);
+
+ memcpy(&q_s->pwd, &new_password, sizeof(q_s->pwd));
+}
+
+/*******************************************************************
+ Reads or writes a structure.
+********************************************************************/
+
+BOOL net_io_q_srv_pwset2(const char *desc, NET_Q_SRV_PWSET2 *q_s, prs_struct *ps, int depth)
+{
+ if (q_s == NULL)
+ return False;
+
+ prs_debug(ps, depth, desc, "net_io_q_srv_pwset2");
+ depth++;
+
+ if(!prs_align(ps))
+ return False;
+
+ if(!smb_io_clnt_info("", &q_s->clnt_id, ps, depth)) /* client identification/authentication info */
+ return False;
+ if(!prs_uint8s(False, "pwd.data", ps, depth, q_s->pwd.data, 516)) /* new password - undocumented */
+ return False;
+ if(!prs_uint32("pwd.length", ps, depth, &q_s->pwd.length)) /* new password - undocumented */
+ return False;
+
+ return True;
+}
+
+/*******************************************************************
+ Reads or writes a structure.
+********************************************************************/
+
+BOOL net_io_r_srv_pwset2(const char *desc, NET_R_SRV_PWSET2 *r_s, prs_struct *ps, int depth)
+{
+ if (r_s == NULL)
+ return False;
+
+ prs_debug(ps, depth, desc, "net_io_r_srv_pwset2");
+ depth++;
+
+ if(!prs_align(ps))
+ return False;
+
+ if(!smb_io_cred("", &r_s->srv_cred, ps, depth)) /* server challenge */
+ return False;
+
+ if(!prs_ntstatus("status", ps, depth, &r_s->status))
+ return False;
+
+ return True;
+}
+
/*************************************************************************
Init DOM_SID2 array from a string containing multiple sids
*************************************************************************/
diff --git a/source/utils/net_rpc.c b/source/utils/net_rpc.c
index 4b77db9..54ebd7b 100644
--- a/source/utils/net_rpc.c
+++ b/source/utils/net_rpc.c
@@ -227,6 +227,8 @@ static NTSTATUS rpc_changetrustpw_internals(const DOM_SID *domain_sid,
int net_rpc_changetrustpw(int argc, const char **argv)
{
+ net_use_machine_account();
+
return run_rpc_command(NULL, PI_NETLOGON, NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
rpc_changetrustpw_internals,
argc, argv);
--
Samba Shared Repository
More information about the samba-cvs
mailing list