[SCM] Samba Shared Repository - branch v3-2-test updated -
release-3-2-0pre2-3256-ga6a8025
Günther Deschner
gd at samba.org
Wed Dec 10 10:55:54 GMT 2008
The branch, v3-2-test has been updated
via a6a8025d48e63a8bcb1fb03efa8ab85e415f8a38 (commit)
via a4164a55b5b20ae347a22810405c738f868d8493 (commit)
via b51eaa4a4da0dfc46919e9a544b3d26569a1495c (commit)
via 948a2e5d38b5d69e3c65e81d0b0fd750410bc066 (commit)
via 458e85603673e04577fc493528c870c3d5ec6b54 (commit)
via 599155842583781736933ef340e37fd5c87f88ca (commit)
from 1ac0175bb13ce34fbb2deaa880a4021625b259be (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test
- Log -----------------------------------------------------------------
commit a6a8025d48e63a8bcb1fb03efa8ab85e415f8a38
Author: Günther Deschner <gd at samba.org>
Date: Sat Nov 29 00:12:26 2008 +0100
s3-libnetjoin: Fix bug #5749. Re-set acctflags while joining. fix from metze.
Guenther
(cherry picked from commit bc3a277455dd4557e796ddc0bef0f52a11f889e7)
commit a4164a55b5b20ae347a22810405c738f868d8493
Author: Günther Deschner <gd at samba.org>
Date: Sat Nov 29 00:10:18 2008 +0100
s3-libnetjoin: remove unused md4_trust_password, found by metze.
Guenther
(cherry picked from commit f479fdc29813c3452fd22c4a2780f0bc5066e664)
commit b51eaa4a4da0dfc46919e9a544b3d26569a1495c
Author: Günther Deschner <gd at samba.org>
Date: Fri Nov 28 11:15:29 2008 +0100
s3-samr: add init_samr_user_info25 and init_samr_user_info26.
Guenther
commit 948a2e5d38b5d69e3c65e81d0b0fd750410bc066
Author: Günther Deschner <gd at samba.org>
Date: Mon Nov 24 18:49:37 2008 +0100
s3-samr: fix init_samr_user_info{23,24} callers.
Guenther
commit 458e85603673e04577fc493528c870c3d5ec6b54
Author: Günther Deschner <gd at samba.org>
Date: Wed Jul 30 19:52:56 2008 +0200
rpc_client: use init_samr_CryptPassword(Ex) in client tools.
Guenther
(cherry picked from commit 97f7f9f21f17e8414de15953cf4eaa9959dc6f75)
commit 599155842583781736933ef340e37fd5c87f88ca
Author: Günther Deschner <gd at samba.org>
Date: Fri Jul 18 20:42:55 2008 +0200
rpc_client: add init_samr_CryptPasswordEx and init_samr_CryptPassword.
Guenther
-----------------------------------------------------------------------
Summary of changes:
source/libnet/libnet_join.c | 76 +++++++++++-----------
source/rpc_client/init_samr.c | 144 +++++++++++++++++++++++++++++++++++++++--
source/utils/net_rpc.c | 25 ++++----
source/utils/net_rpc_join.c | 12 ++--
4 files changed, 192 insertions(+), 65 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/libnet/libnet_join.c b/source/libnet/libnet_join.c
index 7451cb2..526a0bd 100644
--- a/source/libnet/libnet_join.c
+++ b/source/libnet/libnet_join.c
@@ -734,15 +734,13 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
struct lsa_String lsa_acct_name;
uint32_t user_rid;
uint32_t acct_flags = ACB_WSTRUST;
- uchar pwbuf[532];
- struct MD5Context md5ctx;
- uchar md5buffer[16];
- DATA_BLOB digested_session_key;
- uchar md4_trust_password[16];
struct samr_Ids user_rids;
struct samr_Ids name_types;
union samr_UserInfo user_info;
+ struct samr_CryptPassword crypt_pwd;
+ struct samr_CryptPasswordEx crypt_pwd_ex;
+
ZERO_STRUCT(sam_pol);
ZERO_STRUCT(domain_pol);
ZERO_STRUCT(user_pol);
@@ -870,23 +868,6 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
goto done;
}
- /* Create a random machine account password and generate the hash */
-
- E_md4hash(r->in.machine_password, md4_trust_password);
- encode_pw_buffer(pwbuf, r->in.machine_password, STR_UNICODE);
-
- generate_random_buffer((uint8_t*)md5buffer, sizeof(md5buffer));
- digested_session_key = data_blob_talloc(mem_ctx, 0, 16);
-
- MD5Init(&md5ctx);
- MD5Update(&md5ctx, md5buffer, sizeof(md5buffer));
- MD5Update(&md5ctx, cli->user_session_key.data,
- cli->user_session_key.length);
- MD5Final(digested_session_key.data, &md5ctx);
-
- SamOEMhashBlob(pwbuf, sizeof(pwbuf), &digested_session_key);
- memcpy(&pwbuf[516], md5buffer, sizeof(md5buffer));
-
/* Fill in the additional account flags now */
acct_flags |= ACB_PWNOEXP;
@@ -897,33 +878,50 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
;;
}
- /* Set password and account flags on machine account */
-
- ZERO_STRUCT(user_info.info25);
-
- user_info.info25.info.fields_present = ACCT_NT_PWD_SET |
- ACCT_LM_PWD_SET |
- SAMR_FIELD_ACCT_FLAGS;
-
- user_info.info25.info.acct_flags = acct_flags;
- memcpy(&user_info.info25.password.data, pwbuf, sizeof(pwbuf));
+ /* Set account flags on machine account */
+ ZERO_STRUCT(user_info.info16);
+ user_info.info16.acct_flags = acct_flags;
status = rpccli_samr_SetUserInfo(pipe_hnd, mem_ctx,
&user_pol,
- 25,
+ 16,
&user_info);
- if (NT_STATUS_EQUAL(status, NT_STATUS(DCERPC_FAULT_INVALID_TAG))) {
+ if (!NT_STATUS_IS_OK(status)) {
- uchar pwbuf2[516];
+ rpccli_samr_DeleteUser(pipe_hnd, mem_ctx,
+ &user_pol);
+
+ libnet_join_set_error_string(mem_ctx, r,
+ "Failed to set account flags for machine account (%s)\n",
+ nt_errstr(status));
+ goto done;
+ }
- encode_pw_buffer(pwbuf2, r->in.machine_password, STR_UNICODE);
+ /* Set password on machine account - first try level 26 */
+
+ init_samr_CryptPasswordEx(r->in.machine_password,
+ &cli->user_session_key,
+ &crypt_pwd_ex);
+
+ init_samr_user_info26(&user_info.info26, &crypt_pwd_ex,
+ PASS_DONT_CHANGE_AT_NEXT_LOGON);
+
+ status = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
+ &user_pol,
+ 26,
+ &user_info);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS(DCERPC_FAULT_INVALID_TAG))) {
/* retry with level 24 */
- init_samr_user_info24(&user_info.info24, pwbuf2, 24);
- SamOEMhashBlob(user_info.info24.password.data, 516,
- &cli->user_session_key);
+ init_samr_CryptPassword(r->in.machine_password,
+ &cli->user_session_key,
+ &crypt_pwd);
+
+ init_samr_user_info24(&user_info.info24, &crypt_pwd,
+ PASS_DONT_CHANGE_AT_NEXT_LOGON);
status = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
&user_pol,
diff --git a/source/rpc_client/init_samr.c b/source/rpc_client/init_samr.c
index c5d7dcd..0e6c277 100644
--- a/source/rpc_client/init_samr.c
+++ b/source/rpc_client/init_samr.c
@@ -410,8 +410,7 @@ void init_samr_user_info23(struct samr_UserInfo23 *r,
uint8_t nt_password_set,
uint8_t lm_password_set,
uint8_t password_expired,
- uint8_t data[516],
- uint8_t pw_len)
+ struct samr_CryptPassword *pwd_buf)
{
memset(r, '\0', sizeof(*r));
init_samr_user_info21(&r->info,
@@ -444,7 +443,7 @@ void init_samr_user_info23(struct samr_UserInfo23 *r,
lm_password_set,
password_expired);
- memcpy(r->password.data, data, sizeof(r->password.data));
+ r->password = *pwd_buf;
}
/*************************************************************************
@@ -452,11 +451,142 @@ void init_samr_user_info23(struct samr_UserInfo23 *r,
*************************************************************************/
void init_samr_user_info24(struct samr_UserInfo24 *r,
- uint8_t data[516],
- uint8_t pw_len)
+ struct samr_CryptPassword *pwd_buf,
+ uint8_t password_expired)
{
DEBUG(10, ("init_samr_user_info24:\n"));
- memcpy(r->password.data, data, sizeof(r->password.data));
- r->pw_len = pw_len;
+ r->password = *pwd_buf;
+ r->password_expired = password_expired;
+}
+
+/*************************************************************************
+ init_samr_user_info25
+ *************************************************************************/
+
+void init_samr_user_info25(struct samr_UserInfo25 *r,
+ NTTIME last_logon,
+ NTTIME last_logoff,
+ NTTIME last_password_change,
+ NTTIME acct_expiry,
+ NTTIME allow_password_change,
+ NTTIME force_password_change,
+ const char *account_name,
+ const char *full_name,
+ const char *home_directory,
+ const char *home_drive,
+ const char *logon_script,
+ const char *profile_path,
+ const char *description,
+ const char *workstations,
+ const char *comment,
+ struct lsa_BinaryString *parameters,
+ uint32_t rid,
+ uint32_t primary_gid,
+ uint32_t acct_flags,
+ uint32_t fields_present,
+ struct samr_LogonHours logon_hours,
+ uint16_t bad_password_count,
+ uint16_t logon_count,
+ uint16_t country_code,
+ uint16_t code_page,
+ uint8_t nt_password_set,
+ uint8_t lm_password_set,
+ uint8_t password_expired,
+ struct samr_CryptPasswordEx *pwd_buf)
+{
+ DEBUG(10, ("init_samr_user_info25:\n"));
+
+ memset(r, '\0', sizeof(*r));
+ init_samr_user_info21(&r->info,
+ last_logon,
+ last_logoff,
+ last_password_change,
+ acct_expiry,
+ allow_password_change,
+ force_password_change,
+ account_name,
+ full_name,
+ home_directory,
+ home_drive,
+ logon_script,
+ profile_path,
+ description,
+ workstations,
+ comment,
+ parameters,
+ rid,
+ primary_gid,
+ acct_flags,
+ fields_present,
+ logon_hours,
+ bad_password_count,
+ logon_count,
+ country_code,
+ code_page,
+ nt_password_set,
+ lm_password_set,
+ password_expired);
+
+ r->password = *pwd_buf;
+}
+
+/*************************************************************************
+ init_samr_user_info26
+ *************************************************************************/
+
+void init_samr_user_info26(struct samr_UserInfo26 *r,
+ struct samr_CryptPasswordEx *pwd_buf,
+ uint8_t password_expired)
+{
+ DEBUG(10, ("init_samr_user_info26:\n"));
+
+ r->password = *pwd_buf;
+ r->password_expired = password_expired;
+}
+
+/*************************************************************************
+ inits a samr_CryptPasswordEx structure
+ *************************************************************************/
+
+void init_samr_CryptPasswordEx(const char *pwd,
+ DATA_BLOB *session_key,
+ struct samr_CryptPasswordEx *pwd_buf)
+{
+ /* samr_CryptPasswordEx */
+
+ uchar pwbuf[532];
+ struct MD5Context md5_ctx;
+ uint8_t confounder[16];
+ DATA_BLOB confounded_session_key = data_blob(NULL, 16);
+
+ encode_pw_buffer(pwbuf, pwd, STR_UNICODE);
+
+ generate_random_buffer((uint8_t *)confounder, 16);
+
+ MD5Init(&md5_ctx);
+ MD5Update(&md5_ctx, confounder, 16);
+ MD5Update(&md5_ctx, session_key->data,
+ session_key->length);
+ MD5Final(confounded_session_key.data, &md5_ctx);
+
+ SamOEMhashBlob(pwbuf, 516, &confounded_session_key);
+ memcpy(&pwbuf[516], confounder, 16);
+
+ memcpy(pwd_buf->data, pwbuf, sizeof(pwbuf));
+ data_blob_free(&confounded_session_key);
+}
+
+/*************************************************************************
+ inits a samr_CryptPassword structure
+ *************************************************************************/
+
+void init_samr_CryptPassword(const char *pwd,
+ DATA_BLOB *session_key,
+ struct samr_CryptPassword *pwd_buf)
+{
+ /* samr_CryptPassword */
+
+ encode_pw_buffer(pwd_buf->data, pwd, STR_UNICODE);
+ SamOEMhashBlob(pwd_buf->data, 516, session_key);
}
diff --git a/source/utils/net_rpc.c b/source/utils/net_rpc.c
index ceb429f..d4d11de 100644
--- a/source/utils/net_rpc.c
+++ b/source/utils/net_rpc.c
@@ -804,11 +804,11 @@ static NTSTATUS rpc_user_password_internals(const DOM_SID *domain_sid,
{
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
POLICY_HND connect_pol, domain_pol, user_pol;
- uchar pwbuf[516];
const char *user;
const char *new_password;
char *prompt = NULL;
union samr_UserInfo info;
+ struct samr_CryptPassword crypt_pwd;
if (argc < 1) {
d_printf("User must be specified\n");
@@ -878,12 +878,12 @@ static NTSTATUS rpc_user_password_internals(const DOM_SID *domain_sid,
/* Set password on account */
- encode_pw_buffer(pwbuf, new_password, STR_UNICODE);
+ init_samr_CryptPassword(new_password,
+ &cli->user_session_key,
+ &crypt_pwd);
- init_samr_user_info24(&info.info24, pwbuf, 24);
-
- SamOEMhashBlob(info.info24.password.data, 516,
- &cli->user_session_key);
+ init_samr_user_info24(&info.info24, &crypt_pwd,
+ PASS_DONT_CHANGE_AT_NEXT_LOGON);
result = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
&user_pol,
@@ -5418,9 +5418,7 @@ static NTSTATUS rpc_trustdom_add_internals(const DOM_SID *domain_sid,
struct samr_LogonHours hours;
struct lsa_BinaryString parameters;
const int units_per_week = 168;
- uchar pwbuf[516];
-
- encode_pw_buffer(pwbuf, argv[1], STR_UNICODE);
+ struct samr_CryptPassword crypt_pwd;
ZERO_STRUCT(notime);
ZERO_STRUCT(hours);
@@ -5434,6 +5432,10 @@ static NTSTATUS rpc_trustdom_add_internals(const DOM_SID *domain_sid,
hours.units_per_week = units_per_week;
memset(hours.bits, 0xFF, units_per_week);
+ init_samr_CryptPassword(argv[1],
+ &cli->user_session_key,
+ &crypt_pwd);
+
init_samr_user_info23(&info.info23,
notime, notime, notime,
notime, notime, notime,
@@ -5443,10 +5445,7 @@ static NTSTATUS rpc_trustdom_add_internals(const DOM_SID *domain_sid,
SAMR_FIELD_ACCT_FLAGS | SAMR_FIELD_PASSWORD,
hours,
0, 0, 0, 0, 0, 0, 0,
- pwbuf, 24);
-
- SamOEMhashBlob(info.info23.password.data, 516,
- &cli->user_session_key);
+ &crypt_pwd);
result = rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
&user_pol,
diff --git a/source/utils/net_rpc_join.c b/source/utils/net_rpc_join.c
index ea3bb10..b9d7d59 100644
--- a/source/utils/net_rpc_join.c
+++ b/source/utils/net_rpc_join.c
@@ -146,7 +146,7 @@ int net_rpc_join_newstyle(int argc, const char **argv)
/* Password stuff */
char *clear_trust_password = NULL;
- uchar pwbuf[516];
+ struct samr_CryptPassword crypt_pwd;
uchar md4_trust_password[16];
union samr_UserInfo set_info;
@@ -333,14 +333,14 @@ int net_rpc_join_newstyle(int argc, const char **argv)
E_md4hash(clear_trust_password, md4_trust_password);
}
- encode_pw_buffer(pwbuf, clear_trust_password, STR_UNICODE);
-
/* Set password on machine account */
- init_samr_user_info24(&set_info.info24, pwbuf, 24);
+ init_samr_CryptPassword(clear_trust_password,
+ &cli->user_session_key,
+ &crypt_pwd);
- SamOEMhashBlob(set_info.info24.password.data, 516,
- &cli->user_session_key);
+ init_samr_user_info24(&set_info.info24, &crypt_pwd,
+ PASS_DONT_CHANGE_AT_NEXT_LOGON);
CHECK_RPC_ERR(rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
&user_pol,
--
Samba Shared Repository
More information about the samba-cvs
mailing list