Attachment 3500 Details for Bug 5710 – fix password change

[patch] fix password change

diff (text/plain), 3.67 KB, created by Guenther Deschner on 2008-08-21 10:48:30 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Guenther Deschner

Created: 2008-08-21 10:48:30 UTC

Size: 3.67 KB

patch

obsolete

>commit bc01afc7fd636571868e080bd9a2285167f4ee59
>Author: GÃ¼nther Deschner <gd@samba.org>
>Date:   Thu Aug 21 15:05:35 2008 +0200
>
>    Fix Bug #5710 and make machine account password changing work again.
>    
>    When we negotiated NETLOGON_NEG_PASSWORD_SET2 we need to use
>    NetrServerPasswordSet2 to change the machine password.
>    
>    Guenther
>
>diff --git a/source/libsmb/trusts_util.c b/source/libsmb/trusts_util.c
>index f4fdf9e..08a4993 100644
>--- a/source/libsmb/trusts_util.c
>+++ b/source/libsmb/trusts_util.c
>@@ -31,34 +31,60 @@
> 
> static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, 
> 					 const unsigned char orig_trust_passwd_hash[16],
>+					 const char *new_trust_pwd_cleartext,
> 					 const unsigned char new_trust_passwd_hash[16],
> 					 uint32 sec_channel_type)
> {
> 	NTSTATUS result;
>+	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
> 
>-	/* Check if the netlogon pipe is open using schannel. If so we
>-	   already have valid creds. If not we must set them up. */
>-
>-	if (cli->auth->auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
>-		uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
>-
>-		result = rpccli_netlogon_setup_creds(cli, 
>-					cli->desthost, /* server name */
>-					lp_workgroup(), /* domain */
>-					global_myname(), /* client name */
>-					global_myname(), /* machine account name */
>-					orig_trust_passwd_hash,
>-					sec_channel_type,
>-					&neg_flags);
>-
>-		if (!NT_STATUS_IS_OK(result)) {
>-			DEBUG(3,("just_change_the_password: unable to setup creds (%s)!\n",
>-				 nt_errstr(result)));
>-			return result;
>-		}
>+	result = rpccli_netlogon_setup_creds(cli,
>+					     cli->desthost, /* server name */
>+					     lp_workgroup(), /* domain */
>+					     global_myname(), /* client name */
>+					     global_myname(), /* machine account name */
>+					     orig_trust_passwd_hash,
>+					     sec_channel_type,
>+					     &neg_flags);
>+
>+	if (!NT_STATUS_IS_OK(result)) {
>+		DEBUG(3,("just_change_the_password: unable to setup creds (%s)!\n",
>+			 nt_errstr(result)));
>+		return result;
> 	}
> 
>-	{
>+	if (neg_flags & NETLOGON_NEG_PASSWORD_SET2) {
>+
>+		struct netr_Authenticator clnt_creds, srv_cred;
>+		struct netr_CryptPassword new_password;
>+		struct samr_CryptPassword password_buf;
>+
>+		netlogon_creds_client_step(cli->dc, &clnt_creds);
>+
>+		encode_pw_buffer(password_buf.data, new_trust_pwd_cleartext, STR_UNICODE);
>+
>+		SamOEMhash(password_buf.data, cli->dc->sess_key, 516);
>+		memcpy(new_password.data, password_buf.data, 512);
>+		new_password.length = IVAL(password_buf.data, 512);
>+
>+		result = rpccli_netr_ServerPasswordSet2(cli, mem_ctx,
>+						       cli->dc->remote_machine,
>+						       cli->dc->mach_acct,
>+						       sec_channel_type,
>+						       global_myname(),
>+						       &clnt_creds,
>+						       &srv_cred,
>+						       &new_password);
>+
>+		/* Always check returned credentials. */
>+		if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) {
>+			DEBUG(0,("rpccli_netr_ServerPasswordSet2: "
>+				"credentials chain check failed\n"));
>+			return NT_STATUS_ACCESS_DENIED;
>+		}
>+
>+	} else {
>+
> 		struct netr_Authenticator clnt_creds, srv_cred;
> 		struct samr_Password new_password;
> 
>@@ -118,8 +144,11 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
> 	
> 	E_md4hash(new_trust_passwd, new_trust_passwd_hash);
> 
>-	nt_status = just_change_the_password(cli, mem_ctx, orig_trust_passwd_hash,
>-					     new_trust_passwd_hash, sec_channel_type);
>+	nt_status = just_change_the_password(cli, mem_ctx,
>+					     orig_trust_passwd_hash,
>+					     new_trust_passwd,
>+					     new_trust_passwd_hash,
>+					     sec_channel_type);
> 	
> 	if (NT_STATUS_IS_OK(nt_status)) {
> 		DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",

Actions: View

Attachments on bug 5710: 3500