authorLuke Leighton <lkcl@samba.org>2000-02-20 05:47:02 +0000
committerLuke Leighton <lkcl@samba.org>2000-02-20 05:47:02 +0000
commit807f264eb662a0bb7a57f2cb9f93b26af2b663c0 (patch)
tree1b051c6896a465859264cfb622e0bd5a72a49c32 /source/lsarpcd
parent6678f948368302ce7cb83e27b83f441e4e79b134 (diff)
downloadsamba-807f264eb662a0bb7a57f2cb9f93b26af2b663c0.tar.gz
proper job on set secret stuff. added idle function to msrpc fn table.
called during idle or on exit of msrpc daemon.
Diffstat (limited to 'source/lsarpcd')
-rw-r--r--source/lsarpcd/lsarpcd.c118
1 files changed, 86 insertions, 32 deletions
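--- a/source/lsarpcd/lsarpcd.c
+++ b/source/lsarpcd/lsarpcd.c
@@ -60,37 +60,76 @@ static void update_trust_account(void)
 BOOL trust_pwd_needs_changing = False;
 uint8 old_trust[16];
 NTTIME ntlct;
- BOOL res = True;
- BOOL res1;
- BOOL res2;
+ uint32 s2 = NT_STATUS_NOPROBLEMO;
+ uint32 s1 = NT_STATUS_NOPROBLEMO;
+ uint32 s = NT_STATUS_NOPROBLEMO;
 POLICY_HND pol_sec;
 POLICY_HND lsa_pol;
 STRING2 secret;
+ STRING2 encsec;
 UNISTR2 uni_sec_name;
 char *name = "$MACHINE.ACC";
 extern fstring global_myworkgroup;
+ time_t cur_time;
+ time_t sec_time;
+ uchar user_sess_key[16];
 make_unistr2(&uni_sec_name, name, strlen(name));
- res =
- res ? _lsa_open_policy2(NULL, &lsa_pol, NULL,
- 0x02000000) : False;
+ s = _lsa_open_policy2(NULL, &lsa_pol, NULL, 0x02000000);
- res1 = res ? _lsa_open_secret(&lsa_pol,
- &uni_sec_name, 0x02000000,
- &pol_sec) : False;
+ if (s == NT_STATUS_NOPROBLEMO)
+ {
+ s1 = _lsa_open_secret(&lsa_pol, &uni_sec_name, 0x02000000,
+ &pol_sec);
+ }
+
+ if (s1 == NT_STATUS_NOPROBLEMO)
+ {
+ if (!pol_get_usr_sesskey(get_global_hnd_cache(), &pol_sec,
+ user_sess_key))
+ {
+ s2 = NT_STATUS_INVALID_HANDLE;
+ }
+ }
+ if (s2 == NT_STATUS_NOPROBLEMO)
+ {
+ s2 = _lsa_query_secret(&pol_sec, &encsec, &ntlct, NULL, NULL);
+ }
+ if (s2 == NT_STATUS_NOPROBLEMO)
+ {
+ if (!nt_decrypt_string2(&secret, &encsec, user_sess_key))
+ {
+ s2 = NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+ if (s2 == NT_STATUS_NOPROBLEMO)
+ {
+ if (!secret_get_data(&secret, old_trust, 16))
+ {
+ s2 = NT_STATUS_ACCESS_DENIED;
+ }
+ else
+ {
+ dump_data_pw("$MACHINE.ACC:", old_trust, 16);
+ }
+ }
- res2 =
- res1 ? _lsa_query_secret(&pol_sec, &secret, &ntlct, NULL,
- NULL) : False;
- res2 = res2 ? secret_get_data(&secret, old_trust, 16) : False;
+ cur_time = time(NULL);
+ sec_time = nt_time_to_unix(&ntlct);
+
+ if (DEBUGLVL(100))
+ {
+ DEBUG(100, ("secret time: %s\n", http_timestring(sec_time)));
+ DEBUG(100, ("current time: %s\n", http_timestring(cur_time)));
+ }
- if (res2 && time(NULL) >
- nt_time_to_unix(&ntlct) + lp_machine_password_timeout())
+ if (s2 == NT_STATUS_NOPROBLEMO
+ && cur_time > sec_time + lp_machine_password_timeout())
 {
- DEBUG(1,("$MACHINE.ACC password being updated.\n"));
+ DEBUG(1, ("$MACHINE.ACC password being updated.\n"));
 trust_pwd_needs_changing = True;
 }
@@ -98,29 +137,45 @@ static void update_trust_account(void)
 {
 unsigned char trust_passwd_hash[16];
 fstring srv_name;
+ BOOL res2;
- res2 = res2 ? get_any_dc_name(global_myworkgroup,
- srv_name) : False;
+ res2 = get_any_dc_name(global_myworkgroup, srv_name);
 generate_random_buffer(trust_passwd_hash, 16, True);
 secret_store_data(&secret, trust_passwd_hash, 16);
- res2 = res2 ? modify_trust_password(global_myworkgroup,
- srv_name, old_trust,
- trust_passwd_hash,
- SEC_CHAN_WKSTA) : False;
+ res2 =
+ res2 ? nt_encrypt_string2(&encsec, &secret,
+ user_sess_key) : False;
- res2 = res2 ? (_lsa_set_secret(&pol_sec, &secret, 0x0) ==
- NT_STATUS_NOPROBLEMO) : False;
- if (!res2)
+ if (!strequal("\\\\.", srv_name))
 {
- DEBUG(0,("$MACHINE.ACC password update FAILED\n"));
+ res2 =
+ res2 ?
+ modify_trust_password(global_myworkgroup,
+ srv_name, old_trust,
+ trust_passwd_hash,
+ SEC_CHAN_WKSTA) : False;
 }
- }
- res1 = res1 ? _lsa_close(&pol_sec) : False;
+ if (res2)
+ {
+ s2 = _lsa_set_secret(&pol_sec, &encsec, 0x0);
+ }
+ if (s2 != NT_STATUS_NOPROBLEMO)
+ {
+ DEBUG(0, ("$MACHINE.ACC password update FAILED\n"));
+ }
+ }
- res = res ? _lsa_close(&lsa_pol) : False;
+ if (s1 == NT_STATUS_NOPROBLEMO)
+ {
+ _lsa_close(&pol_sec);
+ }
+ if (s == NT_STATUS_NOPROBLEMO)
+ {
+ _lsa_close(&lsa_pol);
+ }
 }
 /****************************************************************************
@@ -130,8 +185,6 @@ static BOOL reload_msrpc(BOOL test)
 {
 BOOL ret;
- update_trust_account();
-
 if (lp_loaded())
 {
 pstring fname;
@@ -192,7 +245,8 @@ static msrpc_service_fns fn_table = {
 auth_init,
 service_init,
 reload_msrpc,
- main_init
+ main_init,
+ update_trust_account
 };
 msrpc_service_fns *get_service_fns(void)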
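Review bot: A failure of `_lsa_open_policy2` in the first hunk is not propagated, because `s1` and `s2` are initialised to `NT_STATUS_NOPROBLEMO`: with `s != NT_STATUS_NOPROBLEMO` the `if (s1 == NT_STATUS_NOPROBLEMO)` branch still hands the never-opened `pol_sec` to `pol_get_usr_sesskey`, and the second hunk's `if (s1 == NT_STATUS_NOPROBLEMO) { _lsa_close(&pol_sec); }` closes that same unopened handle; adding `else { s1 = s; }` after the open-policy check and `else { s2 = s1; }` after the open-secret check keeps the status chain consistent. In the second hunk a false `res2` (failed `nt_encrypt_string2` or `modify_trust_password`) only skips `_lsa_set_secret`, while `s2` still holds the success status from the earlier query, so the `$MACHINE.ACC password update FAILED` message is never logged on that path; `if (res2) { s2 = _lsa_set_secret(&pol_sec, &encsec, 0x0); } else { s2 = NT_STATUS_UNSUCCESSFUL; }` would surface it. The decrypted trust secret in `secret`, `old_trust` and `user_sess_key`, and the freshly generated `trust_passwd_hash`, are also left in stack memory when the function returns, so clearing them before the closes would shorten the time the machine password is recoverable from a memory or core dump. Both hunks belong to update_trust_account, whose opening line and the `if` that encloses the second hunk's block lie outside the hunks.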