Red Hat Bugzilla – Attachment 316302 Details for
Bug 461744
samba domain membership breaks after machine account password change
[patch]
implement _samr_SetServerPassword2 client
samba-3.0.32-pwd_change.patch (text/plain), 9.79 KB, created by
Guenther Deschner
on 2008-09-10 11:59:15 UTC
Description:
implement _samr_SetServerPassword2 client
Filename:
MIME Type:
Creator:
Guenther Deschner
Created:
2008-09-10 11:59:15 UTC
Size:
9.79 KB
patch
obsolete
>commit 15fe1a3fa07493060a0155bd4f9f0f9bd1588d50
>Author: Günther Deschner <gd@samba.org>
>Date: Fri Aug 29 00:01:45 2008 +0200
>
> netlogon: define NET_SRVPWSET2 call.
>
> Guenther
>
>diff --git a/source/include/rpc_netlogon.h b/source/include/rpc_netlogon.h
>index 324755a..b4b014d 100644
>--- a/source/include/rpc_netlogon.h
>+++ b/source/include/rpc_netlogon.h
>@@ -42,6 +42,7 @@
> #define NET_AUTH3 0x1a
> #define NET_DSR_GETDCNAMEEX 0x1b
> #define NET_DSR_GETSITENAME 0x1c
>+#define NET_SRVPWSET2 0x1e
> #define NET_DSR_GETDCNAMEEX2 0x22
> #define NET_SAMLOGON_EX 0x27
>
>@@ -530,6 +531,23 @@ typedef struct net_r_srv_pwset_info {
> NTSTATUS status; /* return code */
> } NET_R_SRV_PWSET;
>
>+typedef struct net_crypt_password {
>+ uint8_t data[512];
>+ uint32_t length;
>+} NET_CRYPT_PWD;
>+
>+/* NET_Q_SRV_PWSET2 */
>+typedef struct net_q_srv_pwset2_info {
>+ DOM_CLNT_INFO clnt_id; /* client identification/authentication info */
>+ NET_CRYPT_PWD pwd; /* new password */
>+} NET_Q_SRV_PWSET2;
>+
>+/* NET_R_SRV_PWSET2 */
>+typedef struct net_r_srv_pwset2_info {
>+ DOM_CRED srv_cred; /* server-calculated credentials */
>+ NTSTATUS status; /* return code */
>+} NET_R_SRV_PWSET2;
>+
> /* NET_ID_INFO_2 */
> typedef struct net_network_info_2 {
> uint32 ptr_id_info2; /* pointer to id_info_2 */
>commit a5b913dd31cc3c4d01458e6fcc0a03852a2738a2
>Author: Günther Deschner <gd@samba.org>
>Date: Fri Aug 29 00:02:54 2008 +0200
>
> netlogon: "re-run make idl" - implement netr_ServerPasswordSet2 client.
>
> Guenther
>
>diff --git a/source/rpc_client/cli_netlogon.c b/source/rpc_client/cli_netlogon.c
>index fb8c5cf..3c77597 100644
>--- a/source/rpc_client/cli_netlogon.c
>+++ b/source/rpc_client/cli_netlogon.c
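Review bot: The new `NET_CRYPT_PWD` typedef in the second hunk documents neither field, and its split (a 512-byte `data` array plus a separate `length`) is only explained implicitly by `init_q_srv_pwset2` in a later commit, which fills `length` from the last four bytes of the 516-byte `encode_pw_buffer`/`SamOEMhash` output. Suggest a comment on the struct such as `/* 516-byte encrypted password buffer: first 512 bytes in data, its trailing length word in length */`, so the marshalling code has a fixed reference for the 512/4 split. The `NET_SRVPWSET2 0x1e` opnum in the first hunk would likewise benefit from `/* NetrServerPasswordSet2 */` beside it, matching the wire name used in the commit messages.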
>@@ -1082,3 +1082,53 @@ NTSTATUS rpccli_net_srv_pwset(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
>
> return result;
> }
>+
>+/***************************************************************************
>+LSA Server Password Set2.
>+****************************************************************************/
>+
>+NTSTATUS rpccli_net_srv_pwset2(struct rpc_pipe_client *cli,
>+ TALLOC_CTX *mem_ctx,
>+ const char *machine_name,
>+ const char *clear_text_mach_pwd)
>+{
>+ prs_struct rbuf;
>+ prs_struct qbuf;
>+ DOM_CRED clnt_creds;
>+ NET_Q_SRV_PWSET2 q;
>+ NET_R_SRV_PWSET2 r;
>+ uint16 sec_chan_type = 2;
>+ NTSTATUS result;
>+
>+ creds_client_step(cli->dc, &clnt_creds);
>+
>+ DEBUG(4,("cli_net_srv_pwset2: srv:%s acct:%s sc: %d mc: %s\n",
>+ cli->dc->remote_machine, cli->dc->mach_acct, sec_chan_type, machine_name));
>+
>+ /* store the parameters */
>+ init_q_srv_pwset2(&q, cli->dc->remote_machine, (const char *)cli->dc->sess_key,
>+ cli->dc->mach_acct, sec_chan_type, machine_name,
>+ &clnt_creds, clear_text_mach_pwd);
>+
>+ CLI_DO_RPC(cli, mem_ctx, PI_NETLOGON, NET_SRVPWSET2,
>+ q, r,
>+ qbuf, rbuf,
>+ net_io_q_srv_pwset2,
>+ net_io_r_srv_pwset2,
>+ NT_STATUS_UNSUCCESSFUL);
>+
>+ result = r.status;
>+
>+ if (!NT_STATUS_IS_OK(result)) {
>+ /* report error code */
>+ DEBUG(0,("cli_net_srv_pwset2: %s\n", nt_errstr(result)));
>+ }
>+
>+ /* Always check returned credentials. */
>+ if (!creds_client_check(cli->dc, &r.srv_cred.challenge)) {
>+ DEBUG(0,("rpccli_net_srv_pwset2: credentials chain check failed\n"));
>+ return NT_STATUS_ACCESS_DENIED;
>+ }
>+
>+ return result;
>+}
>diff --git a/source/rpc_parse/parse_net.c b/source/rpc_parse/parse_net.c
>index 693de2d..708f5ba 100644
>--- a/source/rpc_parse/parse_net.c
>+++ b/source/rpc_parse/parse_net.c
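Review bot: `rpccli_net_srv_pwset2` hard-codes `uint16 sec_chan_type = 2` and sends it in the ClientInfo through `init_q_srv_pwset2`, although its only caller, `just_change_the_password` in trusts_util.c, receives a `sec_channel_type` argument that this signature gives it no way to pass on; a BDC or inter-domain trust account would therefore announce a workstation channel type in the request. If the existing `rpccli_net_srv_pwset` does the same (its body is outside the hunk) this is inherited behaviour, but since this is a brand-new function it could take the value instead: add a `uint16 sec_chan_type` parameter and let the caller hand down its `sec_channel_type`. The block under `/* Always check returned credentials. */` also deserves a sentence saying that the chain is verified even when `r.status` is an error, so a rejected request still advances and validates the client credential state rather than desynchronising it.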
>@@ -996,6 +996,86 @@ BOOL net_io_r_srv_pwset(const char *desc, NET_R_SRV_PWSET *r_s, prs_struct *ps,
> return True;
> }
>
>+/*******************************************************************
>+ Inits a NET_Q_SRV_PWSET2.
>+********************************************************************/
>+
>+void init_q_srv_pwset2(NET_Q_SRV_PWSET2 *q_s,
>+ const char *logon_srv,
>+ const char *sess_key,
>+ const char *acct_name,
>+ uint16 sec_chan,
>+ const char *comp_name,
>+ DOM_CRED *cred,
>+ const char *clear_text_mach_pwd)
>+{
>+ uint8_t password_buf[516];
>+ NET_CRYPT_PWD new_password;
>+
>+ DEBUG(5,("init_q_srv_pwset2\n"));
>+
>+ /* Process the new password. */
>+
>+ encode_pw_buffer(password_buf, clear_text_mach_pwd, STR_UNICODE);
>+
>+ SamOEMhash(password_buf, (const unsigned char *)sess_key, 516);
>+ memcpy(new_password.data, password_buf, 512);
>+ new_password.length = IVAL(password_buf, 512);
>+
>+ init_clnt_info(&q_s->clnt_id, logon_srv, acct_name, sec_chan, comp_name, cred);
>+
>+ memcpy(&q_s->pwd, &new_password, sizeof(q_s->pwd));
>+}
>+
>+/*******************************************************************
>+ Reads or writes a structure.
>+********************************************************************/
>+
>+BOOL net_io_q_srv_pwset2(const char *desc, NET_Q_SRV_PWSET2 *q_s, prs_struct *ps, int depth)
>+{
>+ if (q_s == NULL)
>+ return False;
>+
>+ prs_debug(ps, depth, desc, "net_io_q_srv_pwset2");
>+ depth++;
>+
>+ if(!prs_align(ps))
>+ return False;
>+
>+ if(!smb_io_clnt_info("", &q_s->clnt_id, ps, depth)) /* client identification/authentication info */
>+ return False;
>+ if(!prs_uint8s(False, "pwd.data", ps, depth, q_s->pwd.data, 516)) /* new password - undocumented */
>+ return False;
>+ if(!prs_uint32("pwd.length", ps, depth, &q_s->pwd.length)) /* new password - undocumented */
>+ return False;
>+
>+ return True;
>+}
>+
>+/*******************************************************************
>+ Reads or writes a structure.
>+********************************************************************/
>+
>+BOOL net_io_r_srv_pwset2(const char *desc, NET_R_SRV_PWSET2 *r_s, prs_struct *ps, int depth)
>+{
>+ if (r_s == NULL)
>+ return False;
>+
>+ prs_debug(ps, depth, desc, "net_io_r_srv_pwset2");
>+ depth++;
>+
>+ if(!prs_align(ps))
>+ return False;
>+
>+ if(!smb_io_cred("", &r_s->srv_cred, ps, depth)) /* server challenge */
>+ return False;
>+
>+ if(!prs_ntstatus("status", ps, depth, &r_s->status))
>+ return False;
>+
>+ return True;
>+}
>+
> /*************************************************************************
> Init DOM_SID2 array from a string containing multiple sids
> *************************************************************************/
>commit 84fbac51ffc5f4a8a4f7b1baf5e9b1af174505f5
>Author: Günther Deschner <gd@samba.org>
>Date: Fri Aug 29 00:05:32 2008 +0200
>
> Backport bugfix for bug #5710.
>
> In order to successfully update a machine account password we need to use
> Netlogon ServerPasswordSet2 when NETLOGON_NEG_PASSWORD_SET2 has been negotiated.
>
> Guenther
>
>diff --git a/source/include/rpc_dce.h b/source/include/rpc_dce.h
>index ad5fb68..abc11ce 100644
>--- a/source/include/rpc_dce.h
>+++ b/source/include/rpc_dce.h
>@@ -104,6 +104,8 @@ enum RPC_PKT_TYPE {
> #define NETLOGON_NEG_128BIT 0x00004000
> #define NETLOGON_NEG_SCHANNEL 0x40000000
>
>+#define NETLOGON_NEG_PASSWORD_SET2 0x00020000
>+
> /* The 7 here seems to be required to get Win2k not to downgrade us
> to NT4. Actually, anything other than 1ff would seem to do... */
> #define NETLOGON_NEG_AUTH2_FLAGS 0x000701ff
>diff --git a/source/libsmb/trusts_util.c b/source/libsmb/trusts_util.c
>index bd6bbfe..257d04e 100644
>--- a/source/libsmb/trusts_util.c
>+++ b/source/libsmb/trusts_util.c
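Review bot: `net_io_q_srv_pwset2` marshals `q_s->pwd.data` with a count of 516, but `NET_CRYPT_PWD.data` is declared as 512 bytes and `init_q_srv_pwset2` deliberately splits the 516-byte buffer into `data` (512) and `length` (the `IVAL(password_buf, 512)` word). The `prs_uint8s` call therefore reads four bytes past the array (undefined behaviour, in practice the adjacent `length` field) and, together with the following `prs_uint32`, puts 520 bytes on the wire where the request should carry 516, so the encrypted password blob the DC sees is misaligned by one word. The fix is the count alone: `if(!prs_uint8s(False, "pwd.data", ps, depth, q_s->pwd.data, 512))`. The two `/* new password - undocumented */` comments could then say what the fields are, e.g. `/* password buffer after SamOEMhash with the session key: 512 data bytes, then its length word */`, and `sess_key` would be clearer typed as `const unsigned char *` rather than cast at the call site, given that it is a 16-byte key and not a string.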
>@@ -32,18 +32,14 @@
>
> static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
> const unsigned char orig_trust_passwd_hash[16],
>+ const char *new_trust_pwd_cleartext,
> const unsigned char new_trust_passwd_hash[16],
> uint32 sec_channel_type)
> {
> NTSTATUS result;
>+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
>
>- /* Check if the netlogon pipe is open using schannel. If so we
>- already have valid creds. If not we must set them up. */
>-
>- if (cli->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
>- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
>-
>- result = rpccli_netlogon_setup_creds(cli,
>+ result = rpccli_netlogon_setup_creds(cli,
> cli->cli->desthost, /* server name */
> lp_workgroup(), /* domain */
> global_myname(), /* client name */
>@@ -52,14 +48,19 @@ static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX
> sec_channel_type,
> &neg_flags);
>
>- if (!NT_STATUS_IS_OK(result)) {
>- DEBUG(3,("just_change_the_password: unable to setup creds (%s)!\n",
>- nt_errstr(result)));
>- return result;
>- }
>+ if (!NT_STATUS_IS_OK(result)) {
>+ DEBUG(3,("just_change_the_password: unable to setup creds (%s)!\n",
>+ nt_errstr(result)));
>+ return result;
> }
>
>- result = rpccli_net_srv_pwset(cli, mem_ctx, global_myname(), new_trust_passwd_hash);
>+ if (neg_flags & NETLOGON_NEG_PASSWORD_SET2) {
>+ result = rpccli_net_srv_pwset2(cli, mem_ctx, global_myname(),
>+ new_trust_pwd_cleartext);
>+ } else {
>+ result = rpccli_net_srv_pwset(cli, mem_ctx, global_myname(),
>+ new_trust_passwd_hash);
>+ }
>
> if (!NT_STATUS_IS_OK(result)) {
> DEBUG(0,("just_change_the_password: unable to change password (%s)!\n",
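Review bot: The `neg_flags & NETLOGON_NEG_PASSWORD_SET2` branch relies on two things the code does not state: `rpccli_netlogon_setup_creds` rewriting `neg_flags` in place (it is passed as `&neg_flags`) with the flags the DC actually accepted, and the requested set `NETLOGON_NEG_AUTH2_ADS_FLAGS` — defined outside this hunk — already containing 0x00020000, without which the DC can never negotiate it and the new path is dead code; please verify the latter. A comment on the declaration, `/* in: flags we request; out: flags the DC negotiated - decides which password-set call we may use */`, would make the contract explicit. The hunk also drops the `PIPE_AUTH_TYPE_SCHANNEL` shortcut so the auth2 exchange now runs on every call, presumably because the negotiated flags can only be learned that way; a one-line comment saying so would stop someone re-adding the shortcut and silently disabling ServerPasswordSet2. Finally, the `else` branch is a quiet fall-back to the hash-based `ServerPasswordSet`; a `DEBUG(3, ...)` naming which call was chosen would help when diagnosing DCs that reject the legacy call, as in bug #5710. `just_change_the_password` continues past the end of this hunk.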
>@@ -95,6 +96,7 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
> E_md4hash(new_trust_passwd, new_trust_passwd_hash);
>
> nt_status = just_change_the_password(cli, mem_ctx, orig_trust_passwd_hash,
>+ new_trust_passwd,
> new_trust_passwd_hash, sec_channel_type);
>
> if (NT_STATUS_IS_OK(nt_status)) {
>commit 09145720b510647e7c24e3062a4a1246cc7bff5b
>Author: Günther Deschner <gd@samba.org>
>Date: Fri Aug 29 00:06:09 2008 +0200
>
> net: net should just use machine account creds when changing passwords.
>
> Guenther
>
>diff --git a/source/utils/net_rpc.c b/source/utils/net_rpc.c
>index 4b77db9..54ebd7b 100644
>--- a/source/utils/net_rpc.c
>+++ b/source/utils/net_rpc.c
>@@ -227,6 +227,8 @@ static NTSTATUS rpc_changetrustpw_internals(const DOM_SID *domain_sid,
>
> int net_rpc_changetrustpw(int argc, const char **argv)
> {
>+ net_use_machine_account();
>+
> return run_rpc_command(NULL, PI_NETLOGON, NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
> rpc_changetrustpw_internals,
> argc, argv);
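Review bot: `net_use_machine_account()` is now called unconditionally in `net_rpc_changetrustpw`, yet `run_rpc_command` is still invoked with `NET_FLAGS_ANONYMOUS`, so a reader cannot tell whether the netlogon pipe is opened anonymously and the machine credentials serve only the auth2/schannel exchange, or whether the flag is now ignored; a comment on the call settles it, e.g. `/* pipe is opened anonymously; the machine account creds are used for the netlogon credential chain */`. What `net_use_machine_account` does on a host that has no machine password stored (not joined) is outside this hunk — make sure that case is reported rather than falling through to an attempt with whatever credentials were on the command line. The trusts_util.c hunk above it only threads the cleartext password through and raises nothing on its own.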