[PATCHES] Print time of last password change in 'net ads info'

Christof Schmitt cs at samba.org
Thu Jul 30 23:26:19 UTC 2015


I have seen cases where a machine lost access to an AD domain, because
another machine was joined with the same name. One way to identify this
is by comparing the password change timestamps between Samba and the AD
machine account. These patches add the password change timestamp to the
'net ads info' output to make it easier to get the timestamp.

Christof
-------------- next part --------------
From 30cd7c9c15d5b0a51e8eecc2a9fedf49b2e25933 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs at samba.org>
Date: Thu, 30 Jul 2015 15:47:54 -0700
Subject: [PATCH 1/2] secrets: Add function to fetch only password change timestamp

Signed-off-by: Christof Schmitt <cs at samba.org>
---
 source3/include/secrets.h                |    1 +
 source3/passdb/machine_account_secrets.c |   32 +++++++++++++++++++++--------
 2 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/source3/include/secrets.h b/source3/include/secrets.h
index 350bdc6..f397129 100644
--- a/source3/include/secrets.h
+++ b/source3/include/secrets.h
@@ -113,6 +113,7 @@ bool secrets_delete_machine_password_ex(const char *domain);
 bool secrets_delete_domain_sid(const char *domain);
 bool secrets_store_machine_password(const char *pass, const char *domain, enum netr_SchannelType sec_channel);
 char *secrets_fetch_prev_machine_password(const char *domain);
+time_t secrets_fetch_pass_last_set_time(const char *domain);
 char *secrets_fetch_machine_password(const char *domain,
 				     time_t *pass_last_set_time,
 				     enum netr_SchannelType *channel);
diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
index 717eaa1..3f097ab 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -565,6 +565,28 @@ char *secrets_fetch_prev_machine_password(const char *domain)
 }
 
 /************************************************************************
+ Routine to fetch the last change time of the machine account password
+  for a realm
+************************************************************************/
+
+time_t secrets_fetch_pass_last_set_time(const char *domain)
+{
+	uint32_t *last_set_time;
+	time_t pass_last_set_time;
+
+	last_set_time = secrets_fetch(machine_last_change_time_keystr(domain),
+				      NULL);
+	if (last_set_time) {
+		pass_last_set_time = IVAL(last_set_time,0);
+		SAFE_FREE(last_set_time);
+	} else {
+		pass_last_set_time = 0;
+	}
+
+	return pass_last_set_time;
+}
+
+/************************************************************************
  Routine to fetch the plaintext machine account password for a realm
  the password is assumed to be a null terminated ascii string.
 ************************************************************************/
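Review bot: The blob returned by secrets_fetch() in the new secrets_fetch_pass_last_set_time is decoded with IVAL() without any check that it holds at least four bytes, because the size out-parameter is passed as NULL; a truncated or corrupted entry in the secrets store would be read past its end. Fetch the size and only decode when it is large enough: `size_t size = 0; last_set_time = secrets_fetch(machine_last_change_time_keystr(domain), &size); if (last_set_time && size >= sizeof(uint32_t)) {`. The inline code removed by the next hunk in secrets_fetch_machine_password had the same gap (it received size but never checked it), so the new helper is the right place to add the check once. Since 0 doubles as the "not stored" value, a one-line comment on the declaration in secrets.h, `/* Returns 0 when no change time is recorded for domain. */`, would make that contract visible to callers.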
@@ -577,15 +599,7 @@ char *secrets_fetch_machine_password(const char *domain,
 	ret = (char *)secrets_fetch(machine_password_keystr(domain), NULL);
 
 	if (pass_last_set_time) {
-		size_t size;
-		uint32_t *last_set_time;
-		last_set_time = (unsigned int *)secrets_fetch(machine_last_change_time_keystr(domain), &size);
-		if (last_set_time) {
-			*pass_last_set_time = IVAL(last_set_time,0);
-			SAFE_FREE(last_set_time);
-		} else {
-			*pass_last_set_time = 0;
-		}
+		*pass_last_set_time = secrets_fetch_pass_last_set_time(domain);
 	}
 
 	if (channel) {
-- 
1.7.1


From 5a98cdef8d0fc2259c4bf4f0b38e74adcd72adb2 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs at samba.org>
Date: Thu, 30 Jul 2015 15:52:08 -0700
Subject: [PATCH 2/2] net: Print time of last password change in 'net ads info'

This is useful for debugging overwritten machine accounts, e.g. a
second machine is joined to a domain with the same name as the
first one.

Signed-off-by: Christof Schmitt <cs at samba.org>
---
 source3/utils/net_ads.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 28553fc..a0f59af 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -177,6 +177,7 @@ static int net_ads_info(struct net_context *c, int argc, const char **argv)
 {
 	ADS_STRUCT *ads;
 	char addr[INET6_ADDRSTRLEN];
+	time_t pass_time;
 
 	if (c->display_usage) {
 		d_printf("%s\n"
@@ -206,6 +207,8 @@ static int net_ads_info(struct net_context *c, int argc, const char **argv)
 		d_fprintf( stderr, _("Failed to get server's current time!\n"));
 	}
 
+	pass_time = secrets_fetch_pass_last_set_time(ads->server.workgroup);
+
 	print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
 
 	d_printf(_("LDAP server: %s\n"), addr);
@@ -219,6 +222,9 @@ static int net_ads_info(struct net_context *c, int argc, const char **argv)
 	d_printf(_("KDC server: %s\n"), ads->auth.kdc_server );
 	d_printf(_("Server time offset: %d\n"), ads->auth.time_offset );
 
+	d_printf(_("Last machine account password change: %s\n"),
+		 http_timestring(talloc_tos(), pass_time));
+
 	ads_destroy(&ads);
 	return 0;
 }
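Review bot: When secrets_fetch_pass_last_set_time() returns 0 (no stored change time), the new d_printf() prints the epoch date as if it were a real change time, which is misleading for the very debugging case this output is meant for. Distinguish the two cases, e.g. `d_printf(_("Last machine account password change: %s\n"), pass_time != 0 ? http_timestring(talloc_tos(), pass_time) : _("unknown"));`. The key is looked up under ads->server.workgroup in the previous hunk; if the machine account is stored under a different domain name elsewhere in net this lookup would also quietly return 0, so a comment noting which name the secrets store is keyed by would help.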
-- 
1.7.1


