[SCM] Samba Shared Repository - branch v3-2-test updated - release-3-2-0pre2-3256-ga6a8025

Günther Deschner gd at samba.org
Wed Dec 10 10:55:54 GMT 2008


The branch, v3-2-test has been updated
       via  a6a8025d48e63a8bcb1fb03efa8ab85e415f8a38 (commit)
       via  a4164a55b5b20ae347a22810405c738f868d8493 (commit)
       via  b51eaa4a4da0dfc46919e9a544b3d26569a1495c (commit)
       via  948a2e5d38b5d69e3c65e81d0b0fd750410bc066 (commit)
       via  458e85603673e04577fc493528c870c3d5ec6b54 (commit)
       via  599155842583781736933ef340e37fd5c87f88ca (commit)
      from  1ac0175bb13ce34fbb2deaa880a4021625b259be (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test


- Log -----------------------------------------------------------------
commit a6a8025d48e63a8bcb1fb03efa8ab85e415f8a38
Author: Günther Deschner <gd at samba.org>
Date:   Sat Nov 29 00:12:26 2008 +0100

    s3-libnetjoin: Fix bug #5749. Re-set acctflags while joining. fix from metze.
    
    Guenther
    (cherry picked from commit bc3a277455dd4557e796ddc0bef0f52a11f889e7)

commit a4164a55b5b20ae347a22810405c738f868d8493
Author: Günther Deschner <gd at samba.org>
Date:   Sat Nov 29 00:10:18 2008 +0100

    s3-libnetjoin: remove unused md4_trust_password, found by metze.
    
    Guenther
    (cherry picked from commit f479fdc29813c3452fd22c4a2780f0bc5066e664)

commit b51eaa4a4da0dfc46919e9a544b3d26569a1495c
Author: Günther Deschner <gd at samba.org>
Date:   Fri Nov 28 11:15:29 2008 +0100

    s3-samr: add init_samr_user_info25 and init_samr_user_info26.
    
    Guenther

commit 948a2e5d38b5d69e3c65e81d0b0fd750410bc066
Author: Günther Deschner <gd at samba.org>
Date:   Mon Nov 24 18:49:37 2008 +0100

    s3-samr: fix init_samr_user_info{23,24} callers.
    
    Guenther

commit 458e85603673e04577fc493528c870c3d5ec6b54
Author: Günther Deschner <gd at samba.org>
Date:   Wed Jul 30 19:52:56 2008 +0200

    rpc_client: use init_samr_CryptPassword(Ex) in client tools.
    
    Guenther
    (cherry picked from commit 97f7f9f21f17e8414de15953cf4eaa9959dc6f75)

commit 599155842583781736933ef340e37fd5c87f88ca
Author: Günther Deschner <gd at samba.org>
Date:   Fri Jul 18 20:42:55 2008 +0200

    rpc_client: add init_samr_CryptPasswordEx and init_samr_CryptPassword.
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 source/libnet/libnet_join.c   |   76 +++++++++++-----------
 source/rpc_client/init_samr.c |  144 +++++++++++++++++++++++++++++++++++++++--
 source/utils/net_rpc.c        |   25 ++++----
 source/utils/net_rpc_join.c   |   12 ++--
 4 files changed, 192 insertions(+), 65 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/libnet/libnet_join.c b/source/libnet/libnet_join.c
index 7451cb2..526a0bd 100644
--- a/source/libnet/libnet_join.c
+++ b/source/libnet/libnet_join.c
@@ -734,15 +734,13 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
 	struct lsa_String lsa_acct_name;
 	uint32_t user_rid;
 	uint32_t acct_flags = ACB_WSTRUST;
-	uchar pwbuf[532];
-	struct MD5Context md5ctx;
-	uchar md5buffer[16];
-	DATA_BLOB digested_session_key;
-	uchar md4_trust_password[16];
 	struct samr_Ids user_rids;
 	struct samr_Ids name_types;
 	union samr_UserInfo user_info;
 
+	struct samr_CryptPassword crypt_pwd;
+	struct samr_CryptPasswordEx crypt_pwd_ex;
+
 	ZERO_STRUCT(sam_pol);
 	ZERO_STRUCT(domain_pol);
 	ZERO_STRUCT(user_pol);
@@ -870,23 +868,6 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
 		goto done;
 	}
 
-	/* Create a random machine account password and generate the hash */
-
-	E_md4hash(r->in.machine_password, md4_trust_password);
-	encode_pw_buffer(pwbuf, r->in.machine_password, STR_UNICODE);
-
-	generate_random_buffer((uint8_t*)md5buffer, sizeof(md5buffer));
-	digested_session_key = data_blob_talloc(mem_ctx, 0, 16);
-
-	MD5Init(&md5ctx);
-	MD5Update(&md5ctx, md5buffer, sizeof(md5buffer));
-	MD5Update(&md5ctx, cli->user_session_key.data,
-		  cli->user_session_key.length);
-	MD5Final(digested_session_key.data, &md5ctx);
-
-	SamOEMhashBlob(pwbuf, sizeof(pwbuf), &digested_session_key);
-	memcpy(&pwbuf[516], md5buffer, sizeof(md5buffer));
-
 	/* Fill in the additional account flags now */
 
 	acct_flags |= ACB_PWNOEXP;
@@ -897,33 +878,50 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
 		;;
 	}
 
-	/* Set password and account flags on machine account */
-
-	ZERO_STRUCT(user_info.info25);
-
-	user_info.info25.info.fields_present = ACCT_NT_PWD_SET |
-					       ACCT_LM_PWD_SET |
-					       SAMR_FIELD_ACCT_FLAGS;
-
-	user_info.info25.info.acct_flags = acct_flags;
-	memcpy(&user_info.info25.password.data, pwbuf, sizeof(pwbuf));
+	/* Set account flags on machine account */
+	ZERO_STRUCT(user_info.info16);
+	user_info.info16.acct_flags = acct_flags;
 
 	status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
 					 &user_pol,
-					 25,
+					 16,
 					 &user_info);
 
-	if (NT_STATUS_EQUAL(status, NT_STATUS(DCERPC_FAULT_INVALID_TAG))) {
+	if (!NT_STATUS_IS_OK(status)) {
 
-		uchar pwbuf2[516];
+		rpccli_samr_DeleteUser(pipe_hnd, mem_ctx,
+				       &user_pol);
+
+		libnet_join_set_error_string(mem_ctx, r,
+			"Failed to set account flags for machine account (%s)\n",
+			nt_errstr(status));
+		goto done;
+	}
 
-		encode_pw_buffer(pwbuf2, r->in.machine_password, STR_UNICODE);
+	/* Set password on machine account - first try level 26 */
+
+	init_samr_CryptPasswordEx(r->in.machine_password,
+				  &cli->user_session_key,
+				  &crypt_pwd_ex);
+
+	init_samr_user_info26(&user_info.info26, &crypt_pwd_ex,
+			      PASS_DONT_CHANGE_AT_NEXT_LOGON);
+
+	status = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
+					  &user_pol,
+					  26,
+					  &user_info);
+
+	if (NT_STATUS_EQUAL(status, NT_STATUS(DCERPC_FAULT_INVALID_TAG))) {
 
 		/* retry with level 24 */
-		init_samr_user_info24(&user_info.info24, pwbuf2, 24);
 
-		SamOEMhashBlob(user_info.info24.password.data, 516,
-			       &cli->user_session_key);
+		init_samr_CryptPassword(r->in.machine_password,
+					&cli->user_session_key,
+					&crypt_pwd);
+
+		init_samr_user_info24(&user_info.info24, &crypt_pwd,
+				      PASS_DONT_CHANGE_AT_NEXT_LOGON);
 
 		status = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
 						  &user_pol,
diff --git a/source/rpc_client/init_samr.c b/source/rpc_client/init_samr.c
index c5d7dcd..0e6c277 100644
--- a/source/rpc_client/init_samr.c
+++ b/source/rpc_client/init_samr.c
@@ -410,8 +410,7 @@ void init_samr_user_info23(struct samr_UserInfo23 *r,
 			   uint8_t nt_password_set,
 			   uint8_t lm_password_set,
 			   uint8_t password_expired,
-			   uint8_t data[516],
-			   uint8_t pw_len)
+			   struct samr_CryptPassword *pwd_buf)
 {
 	memset(r, '\0', sizeof(*r));
 	init_samr_user_info21(&r->info,
@@ -444,7 +443,7 @@ void init_samr_user_info23(struct samr_UserInfo23 *r,
 			      lm_password_set,
 			      password_expired);
 
-	memcpy(r->password.data, data, sizeof(r->password.data));
+	r->password = *pwd_buf;
 }
 
 /*************************************************************************
@@ -452,11 +451,142 @@ void init_samr_user_info23(struct samr_UserInfo23 *r,
  *************************************************************************/
 
 void init_samr_user_info24(struct samr_UserInfo24 *r,
-			   uint8_t data[516],
-			   uint8_t pw_len)
+			   struct samr_CryptPassword *pwd_buf,
+			   uint8_t password_expired)
 {
 	DEBUG(10, ("init_samr_user_info24:\n"));
 
-	memcpy(r->password.data, data, sizeof(r->password.data));
-	r->pw_len = pw_len;
+	r->password = *pwd_buf;
+	r->password_expired = password_expired;
+}
+
+/*************************************************************************
+ init_samr_user_info25
+ *************************************************************************/
+
+void init_samr_user_info25(struct samr_UserInfo25 *r,
+			   NTTIME last_logon,
+			   NTTIME last_logoff,
+			   NTTIME last_password_change,
+			   NTTIME acct_expiry,
+			   NTTIME allow_password_change,
+			   NTTIME force_password_change,
+			   const char *account_name,
+			   const char *full_name,
+			   const char *home_directory,
+			   const char *home_drive,
+			   const char *logon_script,
+			   const char *profile_path,
+			   const char *description,
+			   const char *workstations,
+			   const char *comment,
+			   struct lsa_BinaryString *parameters,
+			   uint32_t rid,
+			   uint32_t primary_gid,
+			   uint32_t acct_flags,
+			   uint32_t fields_present,
+			   struct samr_LogonHours logon_hours,
+			   uint16_t bad_password_count,
+			   uint16_t logon_count,
+			   uint16_t country_code,
+			   uint16_t code_page,
+			   uint8_t nt_password_set,
+			   uint8_t lm_password_set,
+			   uint8_t password_expired,
+			   struct samr_CryptPasswordEx *pwd_buf)
+{
+	DEBUG(10, ("init_samr_user_info25:\n"));
+
+	memset(r, '\0', sizeof(*r));
+	init_samr_user_info21(&r->info,
+			      last_logon,
+			      last_logoff,
+			      last_password_change,
+			      acct_expiry,
+			      allow_password_change,
+			      force_password_change,
+			      account_name,
+			      full_name,
+			      home_directory,
+			      home_drive,
+			      logon_script,
+			      profile_path,
+			      description,
+			      workstations,
+			      comment,
+			      parameters,
+			      rid,
+			      primary_gid,
+			      acct_flags,
+			      fields_present,
+			      logon_hours,
+			      bad_password_count,
+			      logon_count,
+			      country_code,
+			      code_page,
+			      nt_password_set,
+			      lm_password_set,
+			      password_expired);
+
+	r->password = *pwd_buf;
+}
+
+/*************************************************************************
+ init_samr_user_info26
+ *************************************************************************/
+
+void init_samr_user_info26(struct samr_UserInfo26 *r,
+			   struct samr_CryptPasswordEx *pwd_buf,
+			   uint8_t password_expired)
+{
+	DEBUG(10, ("init_samr_user_info26:\n"));
+
+	r->password = *pwd_buf;
+	r->password_expired = password_expired;
+}
+
+/*************************************************************************
+ inits a samr_CryptPasswordEx structure
+ *************************************************************************/
+
+void init_samr_CryptPasswordEx(const char *pwd,
+			       DATA_BLOB *session_key,
+			       struct samr_CryptPasswordEx *pwd_buf)
+{
+	/* samr_CryptPasswordEx */
+
+	uchar pwbuf[532];
+	struct MD5Context md5_ctx;
+	uint8_t confounder[16];
+	DATA_BLOB confounded_session_key = data_blob(NULL, 16);
+
+	encode_pw_buffer(pwbuf, pwd, STR_UNICODE);
+
+	generate_random_buffer((uint8_t *)confounder, 16);
+
+	MD5Init(&md5_ctx);
+	MD5Update(&md5_ctx, confounder, 16);
+	MD5Update(&md5_ctx, session_key->data,
+			    session_key->length);
+	MD5Final(confounded_session_key.data, &md5_ctx);
+
+	SamOEMhashBlob(pwbuf, 516, &confounded_session_key);
+	memcpy(&pwbuf[516], confounder, 16);
+
+	memcpy(pwd_buf->data, pwbuf, sizeof(pwbuf));
+	data_blob_free(&confounded_session_key);
+}
+
+/*************************************************************************
+ inits a samr_CryptPassword structure
+ *************************************************************************/
+
+void init_samr_CryptPassword(const char *pwd,
+			     DATA_BLOB *session_key,
+			     struct samr_CryptPassword *pwd_buf)
+{
+	/* samr_CryptPassword */
+
+	encode_pw_buffer(pwd_buf->data, pwd, STR_UNICODE);
+	SamOEMhashBlob(pwd_buf->data, 516, session_key);
 }
diff --git a/source/utils/net_rpc.c b/source/utils/net_rpc.c
index ceb429f..d4d11de 100644
--- a/source/utils/net_rpc.c
+++ b/source/utils/net_rpc.c
@@ -804,11 +804,11 @@ static NTSTATUS rpc_user_password_internals(const DOM_SID *domain_sid,
 {
 	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 	POLICY_HND connect_pol, domain_pol, user_pol;
-	uchar pwbuf[516];
 	const char *user;
 	const char *new_password;
 	char *prompt = NULL;
 	union samr_UserInfo info;
+	struct samr_CryptPassword crypt_pwd;
 
 	if (argc < 1) {
 		d_printf("User must be specified\n");
@@ -878,12 +878,12 @@ static NTSTATUS rpc_user_password_internals(const DOM_SID *domain_sid,
 
 	/* Set password on account */
 
-	encode_pw_buffer(pwbuf, new_password, STR_UNICODE);
+	init_samr_CryptPassword(new_password,
+				&cli->user_session_key,
+				&crypt_pwd);
 
-	init_samr_user_info24(&info.info24, pwbuf, 24);
-
-	SamOEMhashBlob(info.info24.password.data, 516,
-		       &cli->user_session_key);
+	init_samr_user_info24(&info.info24, &crypt_pwd,
+			      PASS_DONT_CHANGE_AT_NEXT_LOGON);
 
 	result = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
 					  &user_pol,
@@ -5418,9 +5418,7 @@ static NTSTATUS rpc_trustdom_add_internals(const DOM_SID *domain_sid,
 		struct samr_LogonHours hours;
 		struct lsa_BinaryString parameters;
 		const int units_per_week = 168;
-		uchar pwbuf[516];
-
-		encode_pw_buffer(pwbuf, argv[1], STR_UNICODE);
+		struct samr_CryptPassword crypt_pwd;
 
 		ZERO_STRUCT(notime);
 		ZERO_STRUCT(hours);
@@ -5434,6 +5432,10 @@ static NTSTATUS rpc_trustdom_add_internals(const DOM_SID *domain_sid,
 		hours.units_per_week = units_per_week;
 		memset(hours.bits, 0xFF, units_per_week);
 
+		init_samr_CryptPassword(argv[1],
+					&cli->user_session_key,
+					&crypt_pwd);
+
 		init_samr_user_info23(&info.info23,
 				      notime, notime, notime,
 				      notime, notime, notime,
@@ -5443,10 +5445,7 @@ static NTSTATUS rpc_trustdom_add_internals(const DOM_SID *domain_sid,
 				      SAMR_FIELD_ACCT_FLAGS | SAMR_FIELD_PASSWORD,
 				      hours,
 				      0, 0, 0, 0, 0, 0, 0,
-				      pwbuf, 24);
-
-		SamOEMhashBlob(info.info23.password.data, 516,
-			       &cli->user_session_key);
+				      &crypt_pwd);
 
 		result = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
 						  &user_pol,
diff --git a/source/utils/net_rpc_join.c b/source/utils/net_rpc_join.c
index ea3bb10..b9d7d59 100644
--- a/source/utils/net_rpc_join.c
+++ b/source/utils/net_rpc_join.c
@@ -146,7 +146,7 @@ int net_rpc_join_newstyle(int argc, const char **argv)
 	/* Password stuff */
 
 	char *clear_trust_password = NULL;
-	uchar pwbuf[516];
+	struct samr_CryptPassword crypt_pwd;
 	uchar md4_trust_password[16];
 	union samr_UserInfo set_info;
 
@@ -333,14 +333,14 @@ int net_rpc_join_newstyle(int argc, const char **argv)
 		E_md4hash(clear_trust_password, md4_trust_password);
 	}
 
-	encode_pw_buffer(pwbuf, clear_trust_password, STR_UNICODE);
-
 	/* Set password on machine account */
 
-	init_samr_user_info24(&set_info.info24, pwbuf, 24);
+	init_samr_CryptPassword(clear_trust_password,
+				&cli->user_session_key,
+				&crypt_pwd);
 
-	SamOEMhashBlob(set_info.info24.password.data, 516,
-		       &cli->user_session_key);
+	init_samr_user_info24(&set_info.info24, &crypt_pwd,
+			      PASS_DONT_CHANGE_AT_NEXT_LOGON);
 
 	CHECK_RPC_ERR(rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
 					       &user_pol,


-- 
Samba Shared Repository


More information about the samba-cvs mailing list