author | Stefan Metzmacher <metze@samba.org> | 2016-08-23 12:27:19 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2017-02-25 01:34:34 +0100 |
commit | f6dc0739f8d60205231991b63aae09ed441d4d56 (patch) | |
tree | 221f215266f622c0d60636b4349fa9a67eef7343 | |
parent | 40366fd386b3793451857670109f7c0be7011230 (diff) | |
download | samba-f6dc0739f8d60205231991b63aae09ed441d4d56.tar.gz |
samba-tool:domain: use generate_random_machine_password() for trusted domains
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit b2fac99ac63739398aa716c26d8e187a25bb8400)
-rw-r--r-- | python/samba/join.py | 3 | ||||
-rw-r--r-- | python/samba/netcmd/domain.py | 29 |
2 files changed, 7 insertions, 25 deletions
diff --git a/python/samba/join.py b/python/samba/join.py
index 040ad42022a..8868a8dee27 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -1326,7 +1326,8 @@ def join_subdomain(logger=None, server=None, creds=None, lp=None, site=None,
 ctx.domsid = security.random_sid()
 ctx.acct_dn = None
 ctx.dnshostname = "%s.%s" % (ctx.myname.lower(), ctx.dnsdomain)
- ctx.trustdom_pass = samba.generate_random_password(128, 128)
+ # Windows uses 240 bytes as UTF16 so we do
+ ctx.trustdom_pass = samba.generate_random_machine_password(120, 120)
 ctx.userAccountControl = samba.dsdb.UF_SERVER_TRUST_ACCOUNT | samba.dsdb.UF_TRUSTED_FOR_DELEGATION
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index b4081e63911..5acaeb9b951 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
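Review bot: The added comment `# Windows uses 240 bytes as UTF16 so we do` in the join.py hunk does not say how the argument 120 relates to 240 bytes, and nothing at this assignment shows where the UTF-16 encoding of `ctx.trustdom_pass` takes place. I would word it as `# Windows uses a 240-byte UTF-16 trust secret; 120 characters encode to that size`. That equivalence holds only if generate_random_machine_password() returns characters that each occupy one UTF-16 code unit, which is not visible here and is worth confirming against its definition. join_subdomain() starts and ends outside the hunk.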
@@ -2272,33 +2272,14 @@ class cmd_domain_trust_create(DomainTrustCommand):
 # needs to pass the NL_PASSWORD_VERSION structure within the
 # 512 bytes and a 2 bytes confounder is required.
 #
- def random_trust_secret(length, use_aes_keys=True):
- secret = [0] * length
-
- pw1 = samba.generate_random_password(length/2, length/2)
- if not use_aes_keys:
- # With arcfour-hmac-md5 we have to use valid utf16
- # in order to generate the correct pre-auth key
- # based on a utf8 password.
- #
- # We can remove this once our client libraries
- # support using the correct NTHASH.
- return string_to_byte_array(pw1.encode('utf-16-le'))
-
- # We mix characters from generate_random_password
- # with random numbers from random.randint()
- for i in range(len(secret)):
- if len(pw1) > i:
- secret[i] = ord(pw1[i])
- else:
- secret[i] = random.randint(0, 255)
-
- return secret
+ def random_trust_secret(length):
+ pw = samba.generate_random_machine_password(length/2, length/2)
+ return string_to_byte_array(pw.encode('utf-16-le'))
 if local_trust_info.trust_direction & lsa.LSA_TRUST_DIRECTION_INBOUND:
- incoming_secret = random_trust_secret(240, use_aes_keys=use_aes_keys)
+ incoming_secret = random_trust_secret(240)
 if local_trust_info.trust_direction & lsa.LSA_TRUST_DIRECTION_OUTBOUND:
- outgoing_secret = random_trust_secret(240, use_aes_keys=use_aes_keys)
+ outgoing_secret = random_trust_secret(240)
 remote_policy_access |= lsa.LSA_POLICY_TRUST_ADMIN
 remote_policy_access |= lsa.LSA_POLICY_CREATE_SECRET |
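Review bot: In the new `random_trust_secret(length)`, `length/2` relies on integer division: under true division it hands a float to generate_random_machine_password(), and an odd `length` is silently rounded down, so `pw = samba.generate_random_machine_password(length // 2, length // 2)` states the intent explicitly. The helper also returns the encoded bytes without checking their size, although the comment above it ties the secret to a fixed-size structure. Comparing `len(pw.encode('utf-16-le'))` with `length` and failing loudly on a mismatch would catch a generator that ever returns characters needing two UTF-16 code units. With the `use_aes_keys` parameter and the `random.randint()` branch gone, the caller's `use_aes_keys` variable and the module's `random` import may now be unused. Both sit outside this hunk, as does the rest of the enclosing method, so that needs checking in the full file.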