[PATCHES] Print time of last password change in 'net ads info'

Christof Schmitt cs at samba.org
Fri Jul 31 17:31:13 UTC 2015


On Fri, Jul 31, 2015 at 10:24:44AM -0700, Jeremy Allison wrote:
> On Fri, Jul 31, 2015 at 10:18:46AM -0700, Christof Schmitt wrote:
> > After going through the code, it seems that only "net ads status" fails
> > after losing access to the machine account; "net ads info" still works.
> > So the originally proposed patch adds the output to the correct command.
> > 
> > Can someone comment on the patches or push them?
> 
> Oh sorry I already deleted it from my inbox. Can you
> resend with this message ?

Yes, see attached patches.

Christof
-------------- next part --------------
From 30cd7c9c15d5b0a51e8eecc2a9fedf49b2e25933 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs at samba.org>
Date: Thu, 30 Jul 2015 15:47:54 -0700
Subject: [PATCH 1/2] secrets: Add function to fetch only password change timestamp

Signed-off-by: Christof Schmitt <cs at samba.org>
---
 source3/include/secrets.h                |    1 +
 source3/passdb/machine_account_secrets.c |   32 +++++++++++++++++++++--------
 2 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/source3/include/secrets.h b/source3/include/secrets.h
index 350bdc6..f397129 100644
--- a/source3/include/secrets.h
+++ b/source3/include/secrets.h
@@ -113,6 +113,7 @@ bool secrets_delete_machine_password_ex(const char *domain);
 bool secrets_delete_domain_sid(const char *domain);
 bool secrets_store_machine_password(const char *pass, const char *domain, enum netr_SchannelType sec_channel);
 char *secrets_fetch_prev_machine_password(const char *domain);
+time_t secrets_fetch_pass_last_set_time(const char *domain);
 char *secrets_fetch_machine_password(const char *domain,
 				     time_t *pass_last_set_time,
 				     enum netr_SchannelType *channel);
diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
index 717eaa1..3f097ab 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -565,6 +565,28 @@ char *secrets_fetch_prev_machine_password(const char *domain)
 }
 
 /************************************************************************
+ Routine to fetch the last change time of the machine account password
+  for a realm
+************************************************************************/
+
+time_t secrets_fetch_pass_last_set_time(const char *domain)
+{
+	uint32_t *last_set_time;
+	time_t pass_last_set_time;
+
+	last_set_time = secrets_fetch(machine_last_change_time_keystr(domain),
+				      NULL);
+	if (last_set_time) {
+		pass_last_set_time = IVAL(last_set_time,0);
+		SAFE_FREE(last_set_time);
+	} else {
+		pass_last_set_time = 0;
+	}
+
+	return pass_last_set_time;
+}
+
+/************************************************************************
  Routine to fetch the plaintext machine account password for a realm
  the password is assumed to be a null terminated ascii string.
 ************************************************************************/
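Review bot: The new secrets_fetch_pass_last_set_time() passes NULL as the size argument of secrets_fetch(), so `IVAL(last_set_time,0)` reads four bytes from a record whose length is never checked; a truncated or corrupted timestamp entry in the secrets database would be read past its end. The code removed from secrets_fetch_machine_password() fetched `size` but never tested it either, so this helper is the natural place to add the check: pass `&size` and test `if (last_set_time != NULL && size >= sizeof(uint32_t))`, moving `SAFE_FREE(last_set_time);` after the if/else so a short record is still freed. The header comment should also say that a return value of 0 means "no timestamp stored", since callers cannot otherwise tell that apart from a real time_t.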
@@ -577,15 +599,7 @@ char *secrets_fetch_machine_password(const char *domain,
 	ret = (char *)secrets_fetch(machine_password_keystr(domain), NULL);
 
 	if (pass_last_set_time) {
-		size_t size;
-		uint32_t *last_set_time;
-		last_set_time = (unsigned int *)secrets_fetch(machine_last_change_time_keystr(domain), &size);
-		if (last_set_time) {
-			*pass_last_set_time = IVAL(last_set_time,0);
-			SAFE_FREE(last_set_time);
-		} else {
-			*pass_last_set_time = 0;
-		}
+		*pass_last_set_time = secrets_fetch_pass_last_set_time(domain);
 	}
 
 	if (channel) {
-- 
1.7.1


From 5a98cdef8d0fc2259c4bf4f0b38e74adcd72adb2 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs at samba.org>
Date: Thu, 30 Jul 2015 15:52:08 -0700
Subject: [PATCH 2/2] net: Print time of last password change in 'net ads info'

This is useful for debugging overwritten machine accounts, e.g. a
second machine is joined to a domain with the same name as the
first one.

Signed-off-by: Christof Schmitt <cs at samba.org>
---
 source3/utils/net_ads.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 28553fc..a0f59af 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -177,6 +177,7 @@ static int net_ads_info(struct net_context *c, int argc, const char **argv)
 {
 	ADS_STRUCT *ads;
 	char addr[INET6_ADDRSTRLEN];
+	time_t pass_time;
 
 	if (c->display_usage) {
 		d_printf("%s\n"
@@ -206,6 +207,8 @@ static int net_ads_info(struct net_context *c, int argc, const char **argv)
 		d_fprintf( stderr, _("Failed to get server's current time!\n"));
 	}
 
+	pass_time = secrets_fetch_pass_last_set_time(ads->server.workgroup);
+
 	print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
 
 	d_printf(_("LDAP server: %s\n"), addr);
@@ -219,6 +222,9 @@ static int net_ads_info(struct net_context *c, int argc, const char **argv)
 	d_printf(_("KDC server: %s\n"), ads->auth.kdc_server );
 	d_printf(_("Server time offset: %d\n"), ads->auth.time_offset );
 
+	d_printf(_("Last machine account password change: %s\n"),
+		 http_timestring(talloc_tos(), pass_time));
+
 	ads_destroy(&ads);
 	return 0;
 }
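Review bot: When no timestamp is stored, secrets_fetch_pass_last_set_time() returns 0, and the added `d_printf` will presumably render that as a date at the Unix epoch, which reads like a real (very old) password change. The commit message says this line is for debugging overwritten machine accounts, so a missing record should be visibly different, for example `if (pass_time == 0) { d_printf(_("Last machine account password change: not available\n")); }` with the existing call in the else branch. The result of `http_timestring()` is also passed to `%s` unchecked; whether it can be NULL is not visible here. The body of net_ads_info starts outside this hunk.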
-- 
1.7.1


