The branch, master has been updated via a3306e3... s3-winbindd: add wbint_ChangeMachineAccount implementation. via 0c37c23... docs: document wbinfo -c. via 0a468fb... nsswitch: add wbinfo -c (change trust account passwords). via 74948c9... libwbclient: add wbcChangeTrustCredentials. from f394b5b... docs: document wbinfo -t --domain DOMAIN behavior.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit a3306e352dad74c3c6ce441610defc472d570f4f Author: Günther Deschner <g...@samba.org> Date: Tue Oct 6 18:26:33 2009 +0200 s3-winbindd: add wbint_ChangeMachineAccount implementation. Guenther commit 0c37c23869fe8000609c91be3d44ba269ff38f3b Author: Günther Deschner <g...@samba.org> Date: Tue Oct 6 18:20:23 2009 +0200 docs: document wbinfo -c. Guenther commit 0a468fbe36e6049f8d7f971c1aa111e1573a406c Author: Günther Deschner <g...@samba.org> Date: Tue Oct 6 18:18:00 2009 +0200 nsswitch: add wbinfo -c (change trust account passwords). Guenther commit 74948c979ab19f20c7e5824aee50828e9bda0e35 Author: Günther Deschner <g...@samba.org> Date: Tue Oct 6 18:15:08 2009 +0200 libwbclient: add wbcChangeTrustCredentials. Guenther ----------------------------------------------------------------------- Summary of changes: docs-xml/manpages-3/wbinfo.1.xml | 9 ++ nsswitch/libwbclient/wbc_pam.c | 38 +++++ nsswitch/libwbclient/wbclient.h | 11 ++ nsswitch/wbinfo.c | 39 +++++ nsswitch/winbind_struct_protocol.h | 1 + source3/Makefile.in | 1 + source3/librpc/gen_ndr/cli_wbint.c | 146 ++++++++++++++++++++ source3/librpc/gen_ndr/cli_wbint.h | 8 + source3/librpc/gen_ndr/ndr_wbint.c | 51 +++++++- source3/librpc/gen_ndr/ndr_wbint.h | 11 +- source3/librpc/gen_ndr/srv_wbint.c | 80 +++++++++++ source3/librpc/gen_ndr/srv_wbint.h | 2 + source3/librpc/gen_ndr/wbint.h | 8 + source3/librpc/idl/wbint.idl | 5 +- source3/winbindd/winbindd.c | 2 + source3/winbindd/winbindd_cache.c | 1 + ...chine_acct.c => winbindd_change_machine_acct.c} | 44 +++---- source3/winbindd/winbindd_dual_srv.c | 62 ++++++++ source3/winbindd/winbindd_proto.h | 7 + 19 files changed, 496 insertions(+), 30 deletions(-) copy source3/winbindd/{winbindd_check_machine_acct.c => winbindd_change_machine_acct.c} (58%) Changeset truncated at 500 lines: diff --git a/docs-xml/manpages-3/wbinfo.1.xml b/docs-xml/manpages-3/wbinfo.1.xml index 8f83f5e..d6628e7 100644 --- a/docs-xml/manpages-3/wbinfo.1.xml +++ b/docs-xml/manpages-3/wbinfo.1.xml @@ -23,6 +23,7 @@ <arg choice="opt">--all-domains</arg> <arg choice="opt">--allocate-gid</arg> <arg choice="opt">--allocate-uid</arg> + <arg choice="opt">-c</arg> <arg choice="opt">-D domain</arg> <arg choice="opt">--domain domain</arg> <arg choice="opt">-g</arg> @@ -111,6 +112,14 @@ </varlistentry> <varlistentry> + <term>-c|--change-secret</term> + <listitem><para>Change the trust account password. May be used + in conjunction with <option>domain</option> in order to change + interdomain trust account passwords. + </para></listitem> + </varlistentry> + + <varlistentry> <term>--domain <replaceable>name</replaceable></term> <listitem><para>This parameter sets the domain on which any specified operations will performed. If special domain name '.' is used to represent diff --git a/nsswitch/libwbclient/wbc_pam.c b/nsswitch/libwbclient/wbc_pam.c index 4cd212a..7a66a7f 100644 --- a/nsswitch/libwbclient/wbc_pam.c +++ b/nsswitch/libwbclient/wbc_pam.c @@ -532,6 +532,44 @@ wbcErr wbcCheckTrustCredentials(const char *domain, return wbc_status; } +/* Trigger a change of the trust credentials for a specific domain */ +wbcErr wbcChangeTrustCredentials(const char *domain, + struct wbcAuthErrorInfo **error) +{ + struct winbindd_request request; + struct winbindd_response response; + wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; + + ZERO_STRUCT(request); + ZERO_STRUCT(response); + + if (domain) { + strncpy(request.domain_name, domain, + sizeof(request.domain_name)-1); + } + + /* Send request */ + + wbc_status = wbcRequestResponse(WINBINDD_CHANGE_MACHACC, + &request, + &response); + if (response.data.auth.nt_status != 0) { + if (error) { + wbc_status = wbc_create_error_info(NULL, + &response, + error); + BAIL_ON_WBC_ERROR(wbc_status); + } + + wbc_status = WBC_ERR_AUTH_ERROR; + BAIL_ON_WBC_ERROR(wbc_status); + } + BAIL_ON_WBC_ERROR(wbc_status); + + done: + return wbc_status; +} + /* Trigger an extended logoff notification to Winbind for a specific user */ wbcErr wbcLogoffUserEx(const struct wbcLogoffUserParams *params, struct wbcAuthErrorInfo **error) diff --git a/nsswitch/libwbclient/wbclient.h b/nsswitch/libwbclient/wbclient.h index e262679..0c0c494 100644 --- a/nsswitch/libwbclient/wbclient.h +++ b/nsswitch/libwbclient/wbclient.h @@ -1202,6 +1202,17 @@ wbcErr wbcResolveWinsByIP(const char *ip, char **name); wbcErr wbcCheckTrustCredentials(const char *domain, struct wbcAuthErrorInfo **error); +/** + * @brief Trigger a change of the trust credentials for a specific domain + * + * @param *domain The name of the domain. + * @param error Output details on WBC_ERR_AUTH_ERROR + * + * @return #wbcErr + **/ +wbcErr wbcChangeTrustCredentials(const char *domain, + struct wbcAuthErrorInfo **error); + /********************************************************** * Helper functions **********************************************************/ diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c index 7410a74..219ec24 100644 --- a/nsswitch/wbinfo.c +++ b/nsswitch/wbinfo.c @@ -754,6 +754,38 @@ static bool wbinfo_check_secret(const char *domain) return true; } +/* Change trust account password */ + +static bool wbinfo_change_secret(const char *domain) +{ + wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; + struct wbcAuthErrorInfo *error = NULL; + const char *domain_name; + + if (domain) { + domain_name = domain; + } else { + domain_name = get_winbind_domain(); + } + + wbc_status = wbcChangeTrustCredentials(domain_name, &error); + + d_printf("changing the trust secret for domain %s via RPC calls %s\n", + domain_name, + WBC_ERROR_IS_OK(wbc_status) ? "succeeded" : "failed"); + + if (wbc_status == WBC_ERR_AUTH_ERROR) { + d_fprintf(stderr, "error code was %s (0x%x)\n", + error->nt_string, error->nt_status); + wbcFreeMemory(error); + } + if (!WBC_ERROR_IS_OK(wbc_status)) { + return false; + } + + return true; +} + /* Convert uid to sid */ static bool wbinfo_uid_to_sid(uid_t uid) @@ -1733,6 +1765,7 @@ int main(int argc, char **argv, char **envp) { "remove-uid-mapping", 0, POPT_ARG_STRING, &string_arg, OPT_REMOVE_UID_MAPPING, "Remove uid to sid mapping in idmap", "UID,SID" }, { "remove-gid-mapping", 0, POPT_ARG_STRING, &string_arg, OPT_REMOVE_GID_MAPPING, "Remove gid to sid mapping in idmap", "GID,SID" }, { "check-secret", 't', POPT_ARG_NONE, 0, 't', "Check shared secret" }, + { "change-secret", 'c', POPT_ARG_NONE, 0, 'c', "Change shared secret" }, { "trusted-domains", 'm', POPT_ARG_NONE, 0, 'm', "List trusted domains" }, { "all-domains", 0, POPT_ARG_NONE, 0, OPT_LIST_ALL_DOMAINS, "List all domains (trusted and own domain)" }, { "own-domain", 0, POPT_ARG_NONE, 0, OPT_LIST_OWN_DOMAIN, "List own domain" }, @@ -1963,6 +1996,12 @@ int main(int argc, char **argv, char **envp) goto done; } break; + case 'c': + if (!wbinfo_change_secret(opt_domain_name)) { + d_fprintf(stderr, "Could not change secret\n"); + goto done; + } + break; case 'm': if (!wbinfo_list_domains(false, verbose)) { d_fprintf(stderr, diff --git a/nsswitch/winbind_struct_protocol.h b/nsswitch/winbind_struct_protocol.h index bd14410..3056e25 100644 --- a/nsswitch/winbind_struct_protocol.h +++ b/nsswitch/winbind_struct_protocol.h @@ -118,6 +118,7 @@ enum winbindd_cmd { /* Miscellaneous other stuff */ WINBINDD_CHECK_MACHACC, /* Check machine account pw works */ + WINBINDD_CHANGE_MACHACC, /* Change machine account pw */ WINBINDD_PING, /* Just tell me winbind is running */ WINBINDD_INFO, /* Various bit of info. Currently just tidbits */ WINBINDD_DOMAIN_NAME, /* The domain this winbind server is a member of (lp_workgroup()) */ diff --git a/source3/Makefile.in b/source3/Makefile.in index 694985f..90faadf 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -1221,6 +1221,7 @@ WINBINDD_OBJ1 = \ winbindd/winbindd_list_users.o \ winbindd/winbindd_list_groups.o \ winbindd/winbindd_check_machine_acct.o \ + winbindd/winbindd_change_machine_acct.o \ winbindd/winbindd_set_mapping.o \ winbindd/winbindd_remove_mapping.o \ winbindd/winbindd_set_hwm.o \ diff --git a/source3/librpc/gen_ndr/cli_wbint.c b/source3/librpc/gen_ndr/cli_wbint.c index 3e5fc44..ecf8363 100644 --- a/source3/librpc/gen_ndr/cli_wbint.c +++ b/source3/librpc/gen_ndr/cli_wbint.c @@ -3075,6 +3075,152 @@ NTSTATUS rpccli_wbint_CheckMachineAccount(struct rpc_pipe_client *cli, return r.out.result; } +struct rpccli_wbint_ChangeMachineAccount_state { + struct wbint_ChangeMachineAccount orig; + struct wbint_ChangeMachineAccount tmp; + TALLOC_CTX *out_mem_ctx; + NTSTATUS (*dispatch_recv)(struct tevent_req *req, TALLOC_CTX *mem_ctx); +}; + +static void rpccli_wbint_ChangeMachineAccount_done(struct tevent_req *subreq); + +struct tevent_req *rpccli_wbint_ChangeMachineAccount_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct rpc_pipe_client *cli) +{ + struct tevent_req *req; + struct rpccli_wbint_ChangeMachineAccount_state *state; + struct tevent_req *subreq; + + req = tevent_req_create(mem_ctx, &state, + struct rpccli_wbint_ChangeMachineAccount_state); + if (req == NULL) { + return NULL; + } + state->out_mem_ctx = NULL; + state->dispatch_recv = cli->dispatch_recv; + + /* In parameters */ + + /* Out parameters */ + + /* Result */ + ZERO_STRUCT(state->orig.out.result); + + if (DEBUGLEVEL >= 10) { + NDR_PRINT_IN_DEBUG(wbint_ChangeMachineAccount, &state->orig); + } + + /* make a temporary copy, that we pass to the dispatch function */ + state->tmp = state->orig; + + subreq = cli->dispatch_send(state, ev, cli, + &ndr_table_wbint, + NDR_WBINT_CHANGEMACHINEACCOUNT, + &state->tmp); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, rpccli_wbint_ChangeMachineAccount_done, req); + return req; +} + +static void rpccli_wbint_ChangeMachineAccount_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct rpccli_wbint_ChangeMachineAccount_state *state = tevent_req_data( + req, struct rpccli_wbint_ChangeMachineAccount_state); + NTSTATUS status; + TALLOC_CTX *mem_ctx; + + if (state->out_mem_ctx) { + mem_ctx = state->out_mem_ctx; + } else { + mem_ctx = state; + } + + status = state->dispatch_recv(subreq, mem_ctx); + TALLOC_FREE(subreq); + if (!NT_STATUS_IS_OK(status)) { + tevent_req_nterror(req, status); + return; + } + + /* Copy out parameters */ + + /* Copy result */ + state->orig.out.result = state->tmp.out.result; + + /* Reset temporary structure */ + ZERO_STRUCT(state->tmp); + + if (DEBUGLEVEL >= 10) { + NDR_PRINT_OUT_DEBUG(wbint_ChangeMachineAccount, &state->orig); + } + + tevent_req_done(req); +} + +NTSTATUS rpccli_wbint_ChangeMachineAccount_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + NTSTATUS *result) +{ + struct rpccli_wbint_ChangeMachineAccount_state *state = tevent_req_data( + req, struct rpccli_wbint_ChangeMachineAccount_state); + NTSTATUS status; + + if (tevent_req_is_nterror(req, &status)) { + tevent_req_received(req); + return status; + } + + /* Steal possbile out parameters to the callers context */ + talloc_steal(mem_ctx, state->out_mem_ctx); + + /* Return result */ + *result = state->orig.out.result; + + tevent_req_received(req); + return NT_STATUS_OK; +} + +NTSTATUS rpccli_wbint_ChangeMachineAccount(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx) +{ + struct wbint_ChangeMachineAccount r; + NTSTATUS status; + + /* In parameters */ + + if (DEBUGLEVEL >= 10) { + NDR_PRINT_IN_DEBUG(wbint_ChangeMachineAccount, &r); + } + + status = cli->dispatch(cli, + mem_ctx, + &ndr_table_wbint, + NDR_WBINT_CHANGEMACHINEACCOUNT, + &r); + + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + if (DEBUGLEVEL >= 10) { + NDR_PRINT_OUT_DEBUG(wbint_ChangeMachineAccount, &r); + } + + if (NT_STATUS_IS_ERR(status)) { + return status; + } + + /* Return variables */ + + /* Return result */ + return r.out.result; +} + struct rpccli_wbint_SetMapping_state { struct wbint_SetMapping orig; struct wbint_SetMapping tmp; diff --git a/source3/librpc/gen_ndr/cli_wbint.h b/source3/librpc/gen_ndr/cli_wbint.h index 7d7c2bc..b08ef3f 100644 --- a/source3/librpc/gen_ndr/cli_wbint.h +++ b/source3/librpc/gen_ndr/cli_wbint.h @@ -240,6 +240,14 @@ NTSTATUS rpccli_wbint_CheckMachineAccount_recv(struct tevent_req *req, NTSTATUS *result); NTSTATUS rpccli_wbint_CheckMachineAccount(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx); +struct tevent_req *rpccli_wbint_ChangeMachineAccount_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct rpc_pipe_client *cli); +NTSTATUS rpccli_wbint_ChangeMachineAccount_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + NTSTATUS *result); +NTSTATUS rpccli_wbint_ChangeMachineAccount(struct rpc_pipe_client *cli, + TALLOC_CTX *mem_ctx); struct tevent_req *rpccli_wbint_SetMapping_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct rpc_pipe_client *cli, diff --git a/source3/librpc/gen_ndr/ndr_wbint.c b/source3/librpc/gen_ndr/ndr_wbint.c index 77e3a44..7c6aac9 100644 --- a/source3/librpc/gen_ndr/ndr_wbint.c +++ b/source3/librpc/gen_ndr/ndr_wbint.c @@ -2190,6 +2190,47 @@ _PUBLIC_ void ndr_print_wbint_CheckMachineAccount(struct ndr_print *ndr, const c ndr->depth--; } +static enum ndr_err_code ndr_push_wbint_ChangeMachineAccount(struct ndr_push *ndr, int flags, const struct wbint_ChangeMachineAccount *r) +{ + if (flags & NDR_IN) { + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_push_NTSTATUS(ndr, NDR_SCALARS, r->out.result)); + } + return NDR_ERR_SUCCESS; +} + +static enum ndr_err_code ndr_pull_wbint_ChangeMachineAccount(struct ndr_pull *ndr, int flags, struct wbint_ChangeMachineAccount *r) +{ + if (flags & NDR_IN) { + } + if (flags & NDR_OUT) { + NDR_CHECK(ndr_pull_NTSTATUS(ndr, NDR_SCALARS, &r->out.result)); + } + return NDR_ERR_SUCCESS; +} + +_PUBLIC_ void ndr_print_wbint_ChangeMachineAccount(struct ndr_print *ndr, const char *name, int flags, const struct wbint_ChangeMachineAccount *r) +{ + ndr_print_struct(ndr, name, "wbint_ChangeMachineAccount"); + ndr->depth++; + if (flags & NDR_SET_VALUES) { + ndr->flags |= LIBNDR_PRINT_SET_VALUES; + } + if (flags & NDR_IN) { + ndr_print_struct(ndr, "in", "wbint_ChangeMachineAccount"); + ndr->depth++; + ndr->depth--; + } + if (flags & NDR_OUT) { + ndr_print_struct(ndr, "out", "wbint_ChangeMachineAccount"); + ndr->depth++; + ndr_print_NTSTATUS(ndr, "result", r->out.result); + ndr->depth--; + } + ndr->depth--; +} + static enum ndr_err_code ndr_push_wbint_SetMapping(struct ndr_push *ndr, int flags, const struct wbint_SetMapping *r) { if (flags & NDR_IN) { @@ -2517,6 +2558,14 @@ static const struct ndr_interface_call wbint_calls[] = { false, }, { + "wbint_ChangeMachineAccount", + sizeof(struct wbint_ChangeMachineAccount), + (ndr_push_flags_fn_t) ndr_push_wbint_ChangeMachineAccount, + (ndr_pull_flags_fn_t) ndr_pull_wbint_ChangeMachineAccount, + (ndr_print_function_t) ndr_print_wbint_ChangeMachineAccount, + false, + }, + { "wbint_SetMapping", sizeof(struct wbint_SetMapping), (ndr_push_flags_fn_t) ndr_push_wbint_SetMapping, @@ -2569,7 +2618,7 @@ const struct ndr_interface_table ndr_table_wbint = { NDR_WBINT_VERSION }, .helpstring = NDR_WBINT_HELPSTRING, - .num_calls = 22, + .num_calls = 23, .calls = wbint_calls, .endpoints = &wbint_endpoints, .authservices = &wbint_authservices diff --git a/source3/librpc/gen_ndr/ndr_wbint.h b/source3/librpc/gen_ndr/ndr_wbint.h index 5cefc94..e163ff3 100644 --- a/source3/librpc/gen_ndr/ndr_wbint.h +++ b/source3/librpc/gen_ndr/ndr_wbint.h @@ -49,13 +49,15 @@ extern const struct ndr_interface_table ndr_table_wbint; #define NDR_WBINT_CHECKMACHINEACCOUNT (0x12) -#define NDR_WBINT_SETMAPPING (0x13) +#define NDR_WBINT_CHANGEMACHINEACCOUNT (0x13) -#define NDR_WBINT_REMOVEMAPPING (0x14) +#define NDR_WBINT_SETMAPPING (0x14) -#define NDR_WBINT_SETHWM (0x15) +#define NDR_WBINT_REMOVEMAPPING (0x15) -#define NDR_WBINT_CALL_COUNT (22) +#define NDR_WBINT_SETHWM (0x16) + +#define NDR_WBINT_CALL_COUNT (23) enum ndr_err_code ndr_push_wbint_userinfo(struct ndr_push *ndr, int ndr_flags, const struct wbint_userinfo *r); enum ndr_err_code ndr_pull_wbint_userinfo(struct ndr_pull *ndr, int ndr_flags, struct wbint_userinfo *r); void ndr_print_wbint_userinfo(struct ndr_print *ndr, const char *name, const struct wbint_userinfo *r); @@ -96,6 +98,7 @@ void ndr_print_wbint_QueryGroupList(struct ndr_print *ndr, const char *name, int void ndr_print_wbint_DsGetDcName(struct ndr_print *ndr, const char *name, int flags, const struct wbint_DsGetDcName *r); void ndr_print_wbint_LookupRids(struct ndr_print *ndr, const char *name, int flags, const struct wbint_LookupRids *r); void ndr_print_wbint_CheckMachineAccount(struct ndr_print *ndr, const char *name, int flags, const struct wbint_CheckMachineAccount *r); +void ndr_print_wbint_ChangeMachineAccount(struct ndr_print *ndr, const char *name, int flags, const struct wbint_ChangeMachineAccount *r); void ndr_print_wbint_SetMapping(struct ndr_print *ndr, const char *name, int flags, const struct wbint_SetMapping *r); void ndr_print_wbint_RemoveMapping(struct ndr_print *ndr, const char *name, int flags, const struct wbint_RemoveMapping *r); void ndr_print_wbint_SetHWM(struct ndr_print *ndr, const char *name, int flags, const struct wbint_SetHWM *r); diff --git a/source3/librpc/gen_ndr/srv_wbint.c b/source3/librpc/gen_ndr/srv_wbint.c index b3b535b..0f39cd9 100644 --- a/source3/librpc/gen_ndr/srv_wbint.c +++ b/source3/librpc/gen_ndr/srv_wbint.c @@ -1537,6 +1537,79 @@ static bool api_wbint_CheckMachineAccount(pipes_struct *p) return true; } +static bool api_wbint_ChangeMachineAccount(pipes_struct *p) +{ + const struct ndr_interface_call *call; + struct ndr_pull *pull; + struct ndr_push *push; + enum ndr_err_code ndr_err; + DATA_BLOB blob; + struct wbint_ChangeMachineAccount *r; + + call = &ndr_table_wbint.calls[NDR_WBINT_CHANGEMACHINEACCOUNT]; + + r = talloc(talloc_tos(), struct wbint_ChangeMachineAccount); + if (r == NULL) { + return false; + } + + if (!prs_data_blob(&p->in_data.data, &blob, r)) { + talloc_free(r); + return false; + } + + pull = ndr_pull_init_blob(&blob, r, NULL); -- Samba Shared Repository