[PATCHES] Print time of last password change in 'net ads info'
Christof Schmitt
cs at samba.org
Fri Jul 31 17:31:13 UTC 2015
On Fri, Jul 31, 2015 at 10:24:44AM -0700, Jeremy Allison wrote:
> On Fri, Jul 31, 2015 at 10:18:46AM -0700, Christof Schmitt wrote:
> > After going through the code, it seems that only "net ads status" fails
> > after losing access to the machine account "net ads info" still works.
> > So the originally proposed patch adds the output to the correct command.
> >
> > Can someone comment on the patches or push them?
>
> Oh sorry I already deleted it from my inbox. Can you
> resend with this message ?
Yes, see attached patches.
Christof
-------------- next part --------------
From 30cd7c9c15d5b0a51e8eecc2a9fedf49b2e25933 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs at samba.org>
Date: Thu, 30 Jul 2015 15:47:54 -0700
Subject: [PATCH 1/2] secrets: Add function to fetch only password change timestamp
Signed-off-by: Christof Schmitt <cs at samba.org>
---
source3/include/secrets.h | 1 +
source3/passdb/machine_account_secrets.c | 32 +++++++++++++++++++++--------
2 files changed, 24 insertions(+), 9 deletions(-)
diff --git a/source3/include/secrets.h b/source3/include/secrets.h
index 350bdc6..f397129 100644
--- a/source3/include/secrets.h
+++ b/source3/include/secrets.h
@@ -113,6 +113,7 @@ bool secrets_delete_machine_password_ex(const char *domain);
bool secrets_delete_domain_sid(const char *domain);
bool secrets_store_machine_password(const char *pass, const char *domain, enum netr_SchannelType sec_channel);
char *secrets_fetch_prev_machine_password(const char *domain);
+time_t secrets_fetch_pass_last_set_time(const char *domain);
char *secrets_fetch_machine_password(const char *domain,
time_t *pass_last_set_time,
enum netr_SchannelType *channel);
diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
index 717eaa1..3f097ab 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -565,6 +565,28 @@ char *secrets_fetch_prev_machine_password(const char *domain)
}
/************************************************************************
+ Routine to fetch the last change time of the machine account password
+ for a realm
+************************************************************************/
+
+time_t secrets_fetch_pass_last_set_time(const char *domain)
+{
+ uint32_t *last_set_time;
+ time_t pass_last_set_time;
+
+ last_set_time = secrets_fetch(machine_last_change_time_keystr(domain),
+ NULL);
+ if (last_set_time) {
+ pass_last_set_time = IVAL(last_set_time,0);
+ SAFE_FREE(last_set_time);
+ } else {
+ pass_last_set_time = 0;
+ }
+
+ return pass_last_set_time;
+}
+
+/************************************************************************
Routine to fetch the plaintext machine account password for a realm
the password is assumed to be a null terminated ascii string.
************************************************************************/
@@ -577,15 +599,7 @@ char *secrets_fetch_machine_password(const char *domain,
ret = (char *)secrets_fetch(machine_password_keystr(domain), NULL);
if (pass_last_set_time) {
- size_t size;
- uint32_t *last_set_time;
- last_set_time = (unsigned int *)secrets_fetch(machine_last_change_time_keystr(domain), &size);
- if (last_set_time) {
- *pass_last_set_time = IVAL(last_set_time,0);
- SAFE_FREE(last_set_time);
- } else {
- *pass_last_set_time = 0;
- }
+ *pass_last_set_time = secrets_fetch_pass_last_set_time(domain);
}
if (channel) {
--
1.7.1
From 5a98cdef8d0fc2259c4bf4f0b38e74adcd72adb2 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs at samba.org>
Date: Thu, 30 Jul 2015 15:52:08 -0700
Subject: [PATCH 2/2] net: Print time of last password change in 'net ads info'
This is useful for debugging overwritten machine accounts, e.g. a
second machine is joined to a domain with the same name as the
first one.
Signed-off-by: Christof Schmitt <cs at samba.org>
---
source3/utils/net_ads.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 28553fc..a0f59af 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -177,6 +177,7 @@ static int net_ads_info(struct net_context *c, int argc, const char **argv)
{
ADS_STRUCT *ads;
char addr[INET6_ADDRSTRLEN];
+ time_t pass_time;
if (c->display_usage) {
d_printf("%s\n"
@@ -206,6 +207,8 @@ static int net_ads_info(struct net_context *c, int argc, const char **argv)
d_fprintf( stderr, _("Failed to get server's current time!\n"));
}
+ pass_time = secrets_fetch_pass_last_set_time(ads->server.workgroup);
+
print_sockaddr(addr, sizeof(addr), &ads->ldap.ss);
d_printf(_("LDAP server: %s\n"), addr);
@@ -219,6 +222,9 @@ static int net_ads_info(struct net_context *c, int argc, const char **argv)
d_printf(_("KDC server: %s\n"), ads->auth.kdc_server );
d_printf(_("Server time offset: %d\n"), ads->auth.time_offset );
+ d_printf(_("Last machine account password change: %s\n"),
+ http_timestring(talloc_tos(), pass_time));
+
ads_destroy(&ads);
return 0;
}
--
1.7.1
More information about the samba-technical
mailing list