[PATCHES] Print time of last password change in 'net ads info'

Christof Schmitt cs at samba.org
Fri Jul 31 17:18:46 UTC 2015


After going through the code, it seems that only "net ads status" fails
after losing access to the machine account; "net ads info" still works.
So the originally proposed patch adds the output to the correct command.

Can someone comment on the patches or push them?

Thanks,

Christof

On Thu, Jul 30, 2015 at 07:33:23PM -0700, Christof Schmitt wrote:
> Please do not push this yet. The main point of querying the timestamp
> would be after the access to the cluster was lost, but I just realized
> that net ads info already fails earlier in this case. I need to look for
> a better place for the output.
> 
> Christof
> 
> On Thu, Jul 30, 2015 at 04:26:18PM -0700, Christof Schmitt wrote:
> > I have seen cases where a machine lost access to an AD domain, because
> > another machine was joined with the same name. One way to identify this
> > is by comparing the password change timestamps between Samba and the AD
> > machine account. These patches add the password change timestamp to the
> > 'net ads info' output to make it easier to get the timestamp.
> > 
> > Christof
> 
> > From 30cd7c9c15d5b0a51e8eecc2a9fedf49b2e25933 Mon Sep 17 00:00:00 2001
> > From: Christof Schmitt <cs at samba.org>
> > Date: Thu, 30 Jul 2015 15:47:54 -0700
> > Subject: [PATCH 1/2] secrets: Add function to fetch only password change timestamp
> > 
> > Signed-off-by: Christof Schmitt <cs at samba.org>
> > ---
> >  source3/include/secrets.h                |    1 +
> >  source3/passdb/machine_account_secrets.c |   32 +++++++++++++++++++++--------
> >  2 files changed, 24 insertions(+), 9 deletions(-)
> > 
> > diff --git a/source3/include/secrets.h b/source3/include/secrets.h
> > index 350bdc6..f397129 100644
> > --- a/source3/include/secrets.h
> > +++ b/source3/include/secrets.h
> > @@ -113,6 +113,7 @@ bool secrets_delete_machine_password_ex(const char *domain);
> >  bool secrets_delete_domain_sid(const char *domain);
> >  bool secrets_store_machine_password(const char *pass, const char *domain, enum netr_SchannelType sec_channel);
> >  char *secrets_fetch_prev_machine_password(const char *domain);
> > +time_t secrets_fetch_pass_last_set_time(const char *domain);
> >  char *secrets_fetch_machine_password(const char *domain,
> >  				     time_t *pass_last_set_time,
> >  				     enum netr_SchannelType *channel);
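Review bot: the new prototype `time_t secrets_fetch_pass_last_set_time(const char *domain);` has no comment on what its return value means, and the implementation returns 0 both when no timestamp record is stored, so callers cannot tell "never set" from "not found". A one-line comment in the header stating that 0 means no stored record (or a bool return with a `time_t *` out parameter, matching the existing `secrets_fetch_machine_password` style) would make the contract explicit.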
> > diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
> > index 717eaa1..3f097ab 100644
> > --- a/source3/passdb/machine_account_secrets.c
> > +++ b/source3/passdb/machine_account_secrets.c
> > @@ -565,6 +565,28 @@ char *secrets_fetch_prev_machine_password(const char *domain)
> >  }
> >  
> >  /************************************************************************
> > + Routine to fetch the last change time of the machine account password
> > +  for a realm
> > +************************************************************************/
> > +
> > +time_t secrets_fetch_pass_last_set_time(const char *domain)
> > +{
> > +	uint32_t *last_set_time;
> > +	time_t pass_last_set_time;
> > +
> > +	last_set_time = secrets_fetch(machine_last_change_time_keystr(domain),
> > +				      NULL);
> > +	if (last_set_time) {
> > +		pass_last_set_time = IVAL(last_set_time,0);
> > +		SAFE_FREE(last_set_time);
> > +	} else {
> > +		pass_last_set_time = 0;
> > +	}
> > +
> > +	return pass_last_set_time;
> > +}
> > +
> > +/************************************************************************
> >   Routine to fetch the plaintext machine account password for a realm
> >   the password is assumed to be a null terminated ascii string.
> >  ************************************************************************/
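Review bot: `IVAL(last_set_time,0)` reads four bytes from the fetched blob without checking its length, and `secrets_fetch(..., NULL)` discards the size, so a truncated or corrupted record in the secrets database is read past its end. Suggest fetching into a `size_t size` and treating a short record as absent, e.g. `if (last_set_time != NULL && size >= sizeof(uint32_t))`; the removed code in the following hunk fetched `size` but never checked it either, so this refactor is the right place to add the check.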
> > @@ -577,15 +599,7 @@ char *secrets_fetch_machine_password(const char *domain,
> >  	ret = (char *)secrets_fetch(machine_password_keystr(domain), NULL);
> >  
> >  	if (pass_last_set_time) {
> > -		size_t size;
> > -		uint32_t *last_set_time;
> > -		last_set_time = (unsigned int *)secrets_fetch(machine_last_change_time_keystr(domain), &size);
> > -		if (last_set_time) {
> > -			*pass_last_set_time = IVAL(last_set_time,0);
> > -			SAFE_FREE(last_set_time);
> > -		} else {
> > -			*pass_last_set_time = 0;
> > -		}
> > +		*pass_last_set_time = secrets_fetch_pass_last_set_time(domain);
> >  	}
> >  
> >  	if (channel) {
> > -- 
> > 1.7.1
> > 
> > 
> > From 5a98cdef8d0fc2259c4bf4f0b38e74adcd72adb2 Mon Sep 17 00:00:00 2001
> > From: Christof Schmitt <cs at samba.org>
> > Date: Thu, 30 Jul 2015 15:52:08 -0700
> > Subject: [PATCH 2/2] net: Print time of last password change in 'net ads info'
> > 
> > This is useful for debugging overwritten machine accounts, e.g. a
> > second machine is joined to a domain with the same name as the
> > first one.
> > 
> > Signed-off-by: Christof Schmitt <cs at samba.org>
> > ---
> >  source3/utils/net_ads.c |    6 ++++++
> >  1 files changed, 6 insertions(+), 0 deletions(-)
> > 
> > diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
> > index 28553fc..a0f59af 100644
> > --- a/source3/utils/net_ads.c
> > +++ b/source3/utils/net_ads.c
> > @@ -177,6 +177,7 @@ static int net_ads_info(struct net_context *c, int argc, const char **argv)
> >  {
> >  	ADS_STRUCT *ads;
> >  	char addr[INET6_ADDRSTRLEN];
> > +	time_t pass_time;
> >  
> >  	if (c->display_usage) {
> >  		d_printf("%s\n"
> > @@ -206,6 +207,8 @@ static int net_ads_info(struct net_context *c, int argc, const char **argv)
> >  		d_fprintf( stderr, _("Failed to get server's current time!\n"));
> >  	}
> >  
> > +	pass_time = secrets_fetch_pass_last_set_time(ads->server.workgroup);
> > +
> >  	print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
> >  
> >  	d_printf(_("LDAP server: %s\n"), addr);
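Review bot: `secrets_fetch_pass_last_set_time(ads->server.workgroup)` needs only the local secrets database, yet the call sits after the server-time lookup and the LDAP address handling. Since the stated purpose is diagnosing a host whose access to the domain was lost, reading the timestamp before the network-dependent calls (and printing it there, or at least before any early failure path) would ensure the local value is still shown when the DC cannot be reached.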
> > @@ -219,6 +222,9 @@ static int net_ads_info(struct net_context *c, int argc, const char **argv)
> >  	d_printf(_("KDC server: %s\n"), ads->auth.kdc_server );
> >  	d_printf(_("Server time offset: %d\n"), ads->auth.time_offset );
> >  
> > +	d_printf(_("Last machine account password change: %s\n"),
> > +		 http_timestring(talloc_tos(), pass_time));
> > +
> >  	ads_destroy(&ads);
> >  	return 0;
> >  }
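Review bot: `pass_time` is 0 when patch 1 finds no stored record, and that 0 is handed straight to `http_timestring`, so a host without a timestamp prints the Unix epoch as though it were a real change date. Suggest guarding the output, e.g. `if (pass_time != 0) { d_printf(_("Last machine account password change: %s\n"), http_timestring(talloc_tos(), pass_time)); } else { d_printf(_("Last machine account password change: unknown\n")); }`, so the "unknown" case is visible to whoever is debugging a duplicate join.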
> > -- 
> > 1.7.1
> > 
> 
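The check Christof describes above (comparing Samba's stored password change time with the AD machine account's pwdLastSet) as a small added script; this is example code, not part of the patches or of Samba itself. It assumes the 'net ads info' line format of patch 2/2 with a UTC zone name, that pwdLastSet has already been fetched from the domain as a raw FILETIME integer, and it handles the 0 that patch 1 returns when no record exists; all sample values are constructed.

```python
import re
from datetime import datetime, timezone

TICKS_PER_SECOND = 10_000_000
EPOCH_DIFF_SECONDS = 11644473600  # seconds from 1601-01-01 (FILETIME epoch) to 1970-01-01
# The line patch 2/2 adds; http_timestring is assumed to print "%a, %d %b %Y %H:%M:%S %Z".
LINE_RE = re.compile(r"^Last machine account password change: (.+)$", re.MULTILINE)


def filetime_to_unix(filetime: int) -> int:
    """Convert an AD pwdLastSet FILETIME to Unix seconds; 0 (change at next logon) stays 0."""
    if filetime <= 0:
        return 0
    return filetime // TICKS_PER_SECOND - EPOCH_DIFF_SECONDS


def parse_samba_pass_time(net_ads_info_output: str) -> int:
    """Unix time from the patched 'net ads info' output, or 0 if the line is absent.

    Assumes the printed zone name is UTC/GMT (host running in UTC). The 0 that
    patch 1 returns for a missing secrets record appears here as the 1970 epoch.
    """
    match = LINE_RE.search(net_ads_info_output)
    if match is None:
        return 0
    stamp = datetime.strptime(match.group(1).strip(), "%a, %d %b %Y %H:%M:%S %Z")
    return int(stamp.replace(tzinfo=timezone.utc).timestamp())


def classify(samba_time: int, ad_pwd_last_set: int, slack: int = 300) -> str:
    """Compare both timestamps; 'slack' seconds absorb clock skew and replication lag."""
    ad_time = filetime_to_unix(ad_pwd_last_set)
    if samba_time == 0 or ad_time == 0:
        return "unknown"
    if ad_time - samba_time > slack:
        return "overwritten"  # AD changed the password after this host did: another join?
    if samba_time - ad_time > slack:
        return "stale-in-ad"  # local change not yet visible in AD (replication lag, other DC)
    return "consistent"


# Constructed sample output (only lines the patch shows) and two pwdLastSet values:
# one matching the local record and one a day later, as seen after a duplicate join.
SAMPLE_OUTPUT = (
    "LDAP server: 192.0.2.10\n"
    "KDC server: 192.0.2.10\n"
    "Server time offset: 0\n"
    "Last machine account password change: Thu, 30 Jul 2015 22:47:54 UTC\n"
)
PWDLASTSET_SAME = (1438296474 + EPOCH_DIFF_SECONDS) * TICKS_PER_SECOND  # same instant as above
PWDLASTSET_LATER = PWDLASTSET_SAME + 86400 * TICKS_PER_SECOND
```

On a real host the output would come from running 'net ads info' and the FILETIME from an LDAP query of the machine account; a verdict of "overwritten" is the signature of the duplicate-name join described in the thread.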



More information about the samba-technical mailing list