search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-server: Remove duplicate logic
[samba4-gss.git] / source3 / passdb / machine_account_secrets.c
blob0679535f0262d3d86ace48c02cde46868d32c6dd
1 /*
2 Unix SMB/CIFS implementation.
3 Copyright (C) Andrew Tridgell 1992-2001
4 Copyright (C) Andrew Bartlett 2002
5 Copyright (C) Rafal Szczesniak 2002
6 Copyright (C) Tim Potter 2001
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 /* the Samba secrets database stores any generated, private information
23 such as the local SID and machine trust password */
24
25 #include "includes.h"
26 #include "passdb.h"
27 #include "../libcli/auth/libcli_auth.h"
28 #include "secrets.h"
29 #include "dbwrap/dbwrap.h"
30 #include "../librpc/ndr/libndr.h"
31 #include "util_tdb.h"
32 #include "libcli/security/security.h"
33
34 #include "librpc/gen_ndr/libnet_join.h"
35 #include "librpc/gen_ndr/ndr_secrets.h"
36 #include "lib/crypto/crypto.h"
37 #include "lib/krb5_wrap/krb5_samba.h"
38 #include "lib/util/time_basic.h"
39 #include "../libds/common/flags.h"
40 #include "lib/util/string_wrappers.h"
41
42 #undef DBGC_CLASS
43 #define DBGC_CLASS DBGC_PASSDB
44
45 static char *domain_info_keystr(const char *domain);
46
47 static char *des_salt_key(const char *realm);
48
49 /**
50 * Form a key for fetching the domain sid
51 *
52 * @param domain domain name
53 *
54 * @return keystring
55 **/
56 static const char *domain_sid_keystr(const char *domain)
57 {
58 char *keystr;
59
60 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
61 SECRETS_DOMAIN_SID, domain);
62 SMB_ASSERT(keystr != NULL);
63 return keystr;
64 }
65
66 static const char *domain_guid_keystr(const char *domain)
67 {
68 char *keystr;
69
70 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
71 SECRETS_DOMAIN_GUID, domain);
72 SMB_ASSERT(keystr != NULL);
73 return keystr;
74 }
75
76 static const char *protect_ids_keystr(const char *domain)
77 {
78 char *keystr;
79
80 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
81 SECRETS_PROTECT_IDS, domain);
82 SMB_ASSERT(keystr != NULL);
83 return keystr;
84 }
85
86 /* N O T E: never use this outside of passdb modules that store the SID on their own */
87 bool secrets_mark_domain_protected(const char *domain)
88 {
89 bool ret;
90
91 ret = secrets_store(protect_ids_keystr(domain), "TRUE", 5);
92 if (!ret) {
93 DEBUG(0, ("Failed to protect the Domain IDs\n"));
94 }
95 return ret;
96 }
97
98 bool secrets_clear_domain_protection(const char *domain)
99 {
100 bool ret;
101 void *protection = secrets_fetch(protect_ids_keystr(domain), NULL);
102
103 if (protection) {
104 SAFE_FREE(protection);
105 ret = secrets_delete_entry(protect_ids_keystr(domain));
106 if (!ret) {
107 DEBUG(0, ("Failed to remove Domain IDs protection\n"));
108 }
109 return ret;
110 }
111 return true;
112 }
113
114 bool secrets_store_domain_sid(const char *domain, const struct dom_sid *sid)
115 {
116 char *protect_ids;
117 bool ret;
118 struct dom_sid clean_sid = { 0 };
119
120 protect_ids = secrets_fetch(protect_ids_keystr(domain), NULL);
121 if (protect_ids) {
122 if (strncmp(protect_ids, "TRUE", 4)) {
123 DEBUG(0, ("Refusing to store a Domain SID, "
124 "it has been marked as protected!\n"));
125 SAFE_FREE(protect_ids);
126 return false;
127 }
128 }
129 SAFE_FREE(protect_ids);
130
131 /*
132 * use a copy to prevent uninitialized memory from being carried over
133 * to the tdb
134 */
135 sid_copy(&clean_sid, sid);
136
137 ret = secrets_store(domain_sid_keystr(domain),
138 &clean_sid,
139 sizeof(struct dom_sid));
140
141 /* Force a re-query */
142 if (ret) {
143 /*
144 * Do not call get_global_domain_sid() here, or we will call it
145 * recursively.
146 */
147 reset_global_sam_sid();
148 }
149 return ret;
150 }
151
152 bool secrets_fetch_domain_sid(const char *domain, struct dom_sid *sid)
153 {
154 struct dom_sid *dyn_sid;
155 size_t size = 0;
156
157 dyn_sid = (struct dom_sid *)secrets_fetch(domain_sid_keystr(domain), &size);
158
159 if (dyn_sid == NULL)
160 return False;
161
162 if (size != sizeof(struct dom_sid)) {
163 SAFE_FREE(dyn_sid);
164 return False;
165 }
166
167 *sid = *dyn_sid;
168 SAFE_FREE(dyn_sid);
169 return True;
170 }
171
172 bool secrets_store_domain_guid(const char *domain, const struct GUID *guid)
173 {
174 char *protect_ids;
175 const char *key;
176
177 protect_ids = secrets_fetch(protect_ids_keystr(domain), NULL);
178 if (protect_ids) {
179 if (strncmp(protect_ids, "TRUE", 4)) {
180 DEBUG(0, ("Refusing to store a Domain SID, "
181 "it has been marked as protected!\n"));
182 SAFE_FREE(protect_ids);
183 return false;
184 }
185 }
186 SAFE_FREE(protect_ids);
187
188 key = domain_guid_keystr(domain);
189 return secrets_store(key, guid, sizeof(struct GUID));
190 }
191
192 bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid)
193 {
194 struct GUID *dyn_guid;
195 const char *key;
196 size_t size = 0;
197 struct GUID new_guid;
198
199 key = domain_guid_keystr(domain);
200 dyn_guid = (struct GUID *)secrets_fetch(key, &size);
201
202 if (!dyn_guid) {
203 if (lp_server_role() == ROLE_DOMAIN_PDC ||
204 lp_server_role() == ROLE_IPA_DC) {
205 new_guid = GUID_random();
206 if (!secrets_store_domain_guid(domain, &new_guid))
207 return False;
208 dyn_guid = (struct GUID *)secrets_fetch(key, &size);
209 }
210 if (dyn_guid == NULL) {
211 return False;
212 }
213 }
214
215 if (size != sizeof(struct GUID)) {
216 DEBUG(1,("UUID size %d is wrong!\n", (int)size));
217 SAFE_FREE(dyn_guid);
218 return False;
219 }
220
221 *guid = *dyn_guid;
222 SAFE_FREE(dyn_guid);
223 return True;
224 }
225
226 /**
227 * Form a key for fetching the machine trust account sec channel type
228 *
229 * @param domain domain name
230 *
231 * @return keystring
232 **/
233 static const char *machine_sec_channel_type_keystr(const char *domain)
234 {
235 char *keystr;
236
237 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
238 SECRETS_MACHINE_SEC_CHANNEL_TYPE,
239 domain);
240 SMB_ASSERT(keystr != NULL);
241 return keystr;
242 }
243
244 /**
245 * Form a key for fetching the machine trust account last change time
246 *
247 * @param domain domain name
248 *
249 * @return keystring
250 **/
251 static const char *machine_last_change_time_keystr(const char *domain)
252 {
253 char *keystr;
254
255 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
256 SECRETS_MACHINE_LAST_CHANGE_TIME,
257 domain);
258 SMB_ASSERT(keystr != NULL);
259 return keystr;
260 }
261
262
263 /**
264 * Form a key for fetching the machine previous trust account password
265 *
266 * @param domain domain name
267 *
268 * @return keystring
269 **/
270 static const char *machine_prev_password_keystr(const char *domain)
271 {
272 char *keystr;
273
274 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
275 SECRETS_MACHINE_PASSWORD_PREV, domain);
276 SMB_ASSERT(keystr != NULL);
277 return keystr;
278 }
279
280 /**
281 * Form a key for fetching the machine trust account password
282 *
283 * @param domain domain name
284 *
285 * @return keystring
286 **/
287 static const char *machine_password_keystr(const char *domain)
288 {
289 char *keystr;
290
291 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
292 SECRETS_MACHINE_PASSWORD, domain);
293 SMB_ASSERT(keystr != NULL);
294 return keystr;
295 }
296
297 /**
298 * Form a key for fetching the machine trust account password
299 *
300 * @param domain domain name
301 *
302 * @return stored password's key
303 **/
304 static const char *trust_keystr(const char *domain)
305 {
306 char *keystr;
307
308 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
309 SECRETS_MACHINE_ACCT_PASS, domain);
310 SMB_ASSERT(keystr != NULL);
311 return keystr;
312 }
313
314 /************************************************************************
315 Routine to get the default secure channel type for trust accounts
316 ************************************************************************/
317
318 enum netr_SchannelType get_default_sec_channel(void)
319 {
320 if (IS_DC) {
321 return SEC_CHAN_BDC;
322 } else {
323 return SEC_CHAN_WKSTA;
324 }
325 }
326
327 /************************************************************************
328 Routine to get the trust account password for a domain.
329 This only tries to get the legacy hashed version of the password.
330 The user of this function must have locked the trust password file using
331 the above secrets_lock_trust_account_password().
332 ************************************************************************/
333
334 bool secrets_fetch_trust_account_password_legacy(const char *domain,
335 uint8_t ret_pwd[16],
336 time_t *pass_last_set_time,
337 enum netr_SchannelType *channel)
338 {
339 struct machine_acct_pass *pass;
340 size_t size = 0;
341
342 if (!(pass = (struct machine_acct_pass *)secrets_fetch(
343 trust_keystr(domain), &size))) {
344 DEBUG(5, ("secrets_fetch failed!\n"));
345 return False;
346 }
347
348 if (size != sizeof(*pass)) {
349 DEBUG(0, ("secrets were of incorrect size!\n"));
350 BURN_FREE(pass, size);
351 return False;
352 }
353
354 if (pass_last_set_time) {
355 *pass_last_set_time = pass->mod_time;
356 }
357 memcpy(ret_pwd, pass->hash, 16);
358
359 if (channel) {
360 *channel = get_default_sec_channel();
361 }
362
363 BURN_FREE(pass, size);
364 return True;
365 }
366
367 /************************************************************************
368 Routine to delete all information related to the domain joined machine.
369 ************************************************************************/
370
371 bool secrets_delete_machine_password_ex(const char *domain, const char *realm)
372 {
373 const char *tmpkey = NULL;
374 bool ok;
375
376 tmpkey = domain_info_keystr(domain);
377 ok = secrets_delete(tmpkey);
378 if (!ok) {
379 return false;
380 }
381
382 if (realm != NULL) {
383 tmpkey = des_salt_key(domain);
384 ok = secrets_delete(tmpkey);
385 if (!ok) {
386 return false;
387 }
388 }
389
390 tmpkey = domain_guid_keystr(domain);
391 ok = secrets_delete(tmpkey);
392 if (!ok) {
393 return false;
394 }
395
396 tmpkey = machine_prev_password_keystr(domain);
397 ok = secrets_delete(tmpkey);
398 if (!ok) {
399 return false;
400 }
401
402 tmpkey = machine_password_keystr(domain);
403 ok = secrets_delete(tmpkey);
404 if (!ok) {
405 return false;
406 }
407
408 tmpkey = machine_sec_channel_type_keystr(domain);
409 ok = secrets_delete(tmpkey);
410 if (!ok) {
411 return false;
412 }
413
414 tmpkey = machine_last_change_time_keystr(domain);
415 ok = secrets_delete(tmpkey);
416 if (!ok) {
417 return false;
418 }
419
420 tmpkey = domain_sid_keystr(domain);
421 ok = secrets_delete(tmpkey);
422 if (!ok) {
423 return false;
424 }
425
426 return true;
427 }
428
429 /************************************************************************
430 Routine to delete the domain sid
431 ************************************************************************/
432
433 bool secrets_delete_domain_sid(const char *domain)
434 {
435 return secrets_delete_entry(domain_sid_keystr(domain));
436 }
437
438 /************************************************************************
439 Set the machine trust account password, the old pw and last change
440 time, domain SID and salting principals based on values passed in
441 (added to support the secrets_tdb_sync module on secrets.ldb)
442 ************************************************************************/
443
444 bool secrets_store_machine_pw_sync(const char *pass, const char *oldpass, const char *domain,
445 const char *realm,
446 const char *salting_principal, uint32_t supported_enc_types,
447 const struct dom_sid *domain_sid, uint32_t last_change_time,
448 uint32_t secure_channel_type,
449 bool delete_join)
450 {
451 bool ret;
452 uint8_t last_change_time_store[4];
453 TALLOC_CTX *frame = talloc_stackframe();
454 uint8_t sec_channel_bytes[4];
455
456 if (delete_join) {
457 secrets_delete_machine_password_ex(domain, realm);
458 TALLOC_FREE(frame);
459 return true;
460 }
461
462 ret = secrets_store(machine_password_keystr(domain), pass, strlen(pass)+1);
463 if (!ret) {
464 TALLOC_FREE(frame);
465 return ret;
466 }
467
468 if (oldpass) {
469 ret = secrets_store(machine_prev_password_keystr(domain), oldpass, strlen(oldpass)+1);
470 } else {
471 ret = secrets_delete(machine_prev_password_keystr(domain));
472 }
473 if (!ret) {
474 TALLOC_FREE(frame);
475 return ret;
476 }
477
478 if (secure_channel_type == 0) {
479 /* We delete this and instead have the read code fall back to
480 * a default based on server role, as our caller can't specify
481 * this with any more certainty */
482 ret = secrets_delete(machine_sec_channel_type_keystr(domain));
483 if (!ret) {
484 TALLOC_FREE(frame);
485 return ret;
486 }
487 } else {
488 SIVAL(&sec_channel_bytes, 0, secure_channel_type);
489 ret = secrets_store(machine_sec_channel_type_keystr(domain),
490 &sec_channel_bytes, sizeof(sec_channel_bytes));
491 if (!ret) {
492 TALLOC_FREE(frame);
493 return ret;
494 }
495 }
496
497 SIVAL(&last_change_time_store, 0, last_change_time);
498 ret = secrets_store(machine_last_change_time_keystr(domain),
499 &last_change_time_store, sizeof(last_change_time));
500
501 if (!ret) {
502 TALLOC_FREE(frame);
503 return ret;
504 }
505
506 ret = secrets_store_domain_sid(domain, domain_sid);
507
508 if (!ret) {
509 TALLOC_FREE(frame);
510 return ret;
511 }
512
513 if (realm != NULL) {
514 char *key = des_salt_key(realm);
515
516 if (salting_principal != NULL) {
517 ret = secrets_store(key,
518 salting_principal,
519 strlen(salting_principal)+1);
520 } else {
521 ret = secrets_delete(key);
522 }
523 }
524
525 TALLOC_FREE(frame);
526 return ret;
527 }
528
529 /************************************************************************
530 Return the standard DES salt key
531 ************************************************************************/
532
533 char* kerberos_standard_des_salt( void )
534 {
535 fstring salt;
536
537 fstr_sprintf( salt, "host/%s.%s@", lp_netbios_name(), lp_realm() );
538 (void)strlower_m( salt );
539 fstrcat( salt, lp_realm() );
540
541 return SMB_STRDUP( salt );
542 }
543
544 /************************************************************************
545 ************************************************************************/
546
547 static char *des_salt_key(const char *realm)
548 {
549 char *keystr;
550
551 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/DES/%s",
552 SECRETS_SALTING_PRINCIPAL,
553 realm);
554 SMB_ASSERT(keystr != NULL);
555 return keystr;
556 }
557
558 /************************************************************************
559 ************************************************************************/
560
561 bool kerberos_secrets_store_des_salt( const char* salt )
562 {
563 char* key;
564 bool ret;
565
566 key = des_salt_key(lp_realm());
567 if (key == NULL) {
568 DEBUG(0,("kerberos_secrets_store_des_salt: failed to generate key!\n"));
569 return False;
570 }
571
572 if ( !salt ) {
573 DEBUG(8,("kerberos_secrets_store_des_salt: deleting salt\n"));
574 secrets_delete_entry( key );
575 return True;
576 }
577
578 DEBUG(3,("kerberos_secrets_store_des_salt: Storing salt \"%s\"\n", salt));
579
580 ret = secrets_store( key, salt, strlen(salt)+1 );
581
582 TALLOC_FREE(key);
583
584 return ret;
585 }
586
587 /************************************************************************
588 ************************************************************************/
589
590 static
591 char* kerberos_secrets_fetch_des_salt( void )
592 {
593 char *salt, *key;
594
595 key = des_salt_key(lp_realm());
596 if (key == NULL) {
597 DEBUG(0,("kerberos_secrets_fetch_des_salt: failed to generate key!\n"));
598 return NULL;
599 }
600
601 salt = (char*)secrets_fetch( key, NULL );
602
603 TALLOC_FREE(key);
604
605 return salt;
606 }
607
608 /************************************************************************
609 Routine to get the salting principal for this service.
610 Caller must free if return is not null.
611 ************************************************************************/
612
613 char *kerberos_secrets_fetch_salt_princ(void)
614 {
615 char *salt_princ_s;
616 /* lookup new key first */
617
618 salt_princ_s = kerberos_secrets_fetch_des_salt();
619 if (salt_princ_s == NULL) {
620 /* fall back to host/machine.realm@REALM */
621 salt_princ_s = kerberos_standard_des_salt();
622 }
623
624 return salt_princ_s;
625 }
626
627 /************************************************************************
628 Routine to fetch the previous plaintext machine account password for a realm
629 the password is assumed to be a null terminated ascii string.
630 ************************************************************************/
631
632 char *secrets_fetch_prev_machine_password(const char *domain)
633 {
634 return (char *)secrets_fetch(machine_prev_password_keystr(domain), NULL);
635 }
636
637 /************************************************************************
638 Routine to fetch the last change time of the machine account password
639 for a realm
640 ************************************************************************/
641
642 time_t secrets_fetch_pass_last_set_time(const char *domain)
643 {
644 uint32_t *last_set_time;
645 time_t pass_last_set_time;
646
647 last_set_time = secrets_fetch(machine_last_change_time_keystr(domain),
648 NULL);
649 if (last_set_time) {
650 pass_last_set_time = IVAL(last_set_time,0);
651 SAFE_FREE(last_set_time);
652 } else {
653 pass_last_set_time = 0;
654 }
655
656 return pass_last_set_time;
657 }
658
659 /************************************************************************
660 Routine to fetch the plaintext machine account password for a realm
661 the password is assumed to be a null terminated ascii string.
662 ************************************************************************/
663
664 char *secrets_fetch_machine_password(const char *domain,
665 time_t *pass_last_set_time,
666 enum netr_SchannelType *channel)
667 {
668 char *ret;
669 ret = (char *)secrets_fetch(machine_password_keystr(domain), NULL);
670
671 if (pass_last_set_time) {
672 *pass_last_set_time = secrets_fetch_pass_last_set_time(domain);
673 }
674
675 if (channel) {
676 size_t size;
677 uint32_t *channel_type;
678 channel_type = (unsigned int *)secrets_fetch(machine_sec_channel_type_keystr(domain), &size);
679 if (channel_type) {
680 *channel = IVAL(channel_type,0);
681 SAFE_FREE(channel_type);
682 } else {
683 *channel = get_default_sec_channel();
684 }
685 }
686
687 return ret;
688 }
689
690 static int password_nt_hash_destructor(struct secrets_domain_info1_password *pw)
691 {
692 ZERO_STRUCT(pw->nt_hash);
693
694 return 0;
695 }
696
697 static int setup_password_zeroing(struct secrets_domain_info1_password *pw)
698 {
699 if (pw != NULL) {
700 size_t i;
701
702 talloc_keep_secret(pw->cleartext_blob.data);
703 talloc_set_destructor(pw, password_nt_hash_destructor);
704 for (i = 0; i < pw->num_keys; i++) {
705 talloc_keep_secret(pw->keys[i].value.data);
706 }
707 }
708
709 return 0;
710 }
711
712 static char *domain_info_keystr(const char *domain)
713 {
714 char *keystr;
715
716 keystr = talloc_asprintf_strupper_m(talloc_tos(), "%s/%s",
717 SECRETS_MACHINE_DOMAIN_INFO,
718 domain);
719 SMB_ASSERT(keystr != NULL);
720 return keystr;
721 }
722
723 /************************************************************************
724 Routine to get account password to trusted domain
725 ************************************************************************/
726
727 static NTSTATUS secrets_fetch_domain_info1_by_key(const char *key,
728 TALLOC_CTX *mem_ctx,
729 struct secrets_domain_info1 **_info1)
730 {
731 struct secrets_domain_infoB sdib = { .version = 0, };
732 enum ndr_err_code ndr_err;
733 /* unpacking structures */
734 DATA_BLOB blob;
735
736 /* fetching trusted domain password structure */
737 blob.data = (uint8_t *)secrets_fetch(key, &blob.length);
738 if (blob.data == NULL) {
739 DBG_NOTICE("secrets_fetch failed!\n");
740 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
741 }
742
743 /* unpack trusted domain password */
744 ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, &sdib,
745 (ndr_pull_flags_fn_t)ndr_pull_secrets_domain_infoB);
746 BURN_FREE(blob.data, blob.length);
747 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
748 DBG_ERR("ndr_pull_struct_blob failed - %s!\n",
749 ndr_errstr(ndr_err));
750 return NT_STATUS_INTERNAL_DB_CORRUPTION;
751 }
752
753 if (sdib.info.info1->next_change != NULL) {
754 setup_password_zeroing(sdib.info.info1->next_change->password);
755 }
756 setup_password_zeroing(sdib.info.info1->password);
757 setup_password_zeroing(sdib.info.info1->old_password);
758 setup_password_zeroing(sdib.info.info1->older_password);
759
760 if (sdib.version != SECRETS_DOMAIN_INFO_VERSION_1) {
761 DBG_ERR("sdib.version = %u\n", (unsigned)sdib.version);
762 return NT_STATUS_INTERNAL_DB_CORRUPTION;
763 }
764
765 *_info1 = sdib.info.info1;
766 return NT_STATUS_OK;;
767 }
768
769 static NTSTATUS secrets_fetch_domain_info(const char *domain,
770 TALLOC_CTX *mem_ctx,
771 struct secrets_domain_info1 **pinfo)
772 {
773 char *key = domain_info_keystr(domain);
774 return secrets_fetch_domain_info1_by_key(key, mem_ctx, pinfo);
775 }
776
777 void secrets_debug_domain_info(int lvl, const struct secrets_domain_info1 *info1,
778 const char *name)
779 {
780 struct secrets_domain_infoB sdib = {
781 .version = SECRETS_DOMAIN_INFO_VERSION_1,
782 };
783
784 sdib.info.info1 = discard_const_p(struct secrets_domain_info1, info1);
785
786 NDR_PRINT_DEBUG_LEVEL(lvl, secrets_domain_infoB, &sdib);
787 }
788
789 char *secrets_domain_info_string(TALLOC_CTX *mem_ctx, const struct secrets_domain_info1 *info1,
790 const char *name, bool include_secrets)
791 {
792 TALLOC_CTX *frame = talloc_stackframe();
793 struct secrets_domain_infoB sdib = {
794 .version = SECRETS_DOMAIN_INFO_VERSION_1,
795 };
796 struct ndr_print *ndr = NULL;
797 char *ret = NULL;
798
799 sdib.info.info1 = discard_const_p(struct secrets_domain_info1, info1);
800
801 ndr = talloc_zero(frame, struct ndr_print);
802 if (ndr == NULL) {
803 TALLOC_FREE(frame);
804 return NULL;
805 }
806 ndr->private_data = talloc_strdup(ndr, "");
807 if (ndr->private_data == NULL) {
808 TALLOC_FREE(frame);
809 return NULL;
810 }
811 ndr->print = ndr_print_string_helper;
812 ndr->depth = 1;
813 ndr->print_secrets = include_secrets;
814
815 ndr_print_secrets_domain_infoB(ndr, name, &sdib);
816 ret = talloc_steal(mem_ctx, (char *)ndr->private_data);
817 TALLOC_FREE(frame);
818 return ret;
819 }
820
821 static NTSTATUS secrets_store_domain_info1_by_key(const char *key,
822 const struct secrets_domain_info1 *info1)
823 {
824 struct secrets_domain_infoB sdib = {
825 .version = SECRETS_DOMAIN_INFO_VERSION_1,
826 };
827 /* packing structures */
828 DATA_BLOB blob;
829 enum ndr_err_code ndr_err;
830 bool ok;
831
832 sdib.info.info1 = discard_const_p(struct secrets_domain_info1, info1);
833
834 ndr_err = ndr_push_struct_blob(&blob, talloc_tos(), &sdib,
835 (ndr_push_flags_fn_t)ndr_push_secrets_domain_infoB);
836 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
837 return ndr_map_error2ntstatus(ndr_err);
838 }
839
840 ok = secrets_store(key, blob.data, blob.length);
841 data_blob_clear_free(&blob);
842 if (!ok) {
843 return NT_STATUS_INTERNAL_DB_ERROR;
844 }
845
846 return NT_STATUS_OK;
847 }
848
849 static NTSTATUS secrets_store_domain_info(const struct secrets_domain_info1 *info,
850 bool upgrade)
851 {
852 TALLOC_CTX *frame = talloc_stackframe();
853 const char *domain = info->domain_info.name.string;
854 const char *realm = info->domain_info.dns_domain.string;
855 char *key = domain_info_keystr(domain);
856 struct db_context *db = NULL;
857 struct timeval last_change_tv;
858 const DATA_BLOB *cleartext_blob = NULL;
859 DATA_BLOB pw_blob = data_blob_null;
860 DATA_BLOB old_pw_blob = data_blob_null;
861 const char *pw = NULL;
862 const char *old_pw = NULL;
863 bool ok;
864 NTSTATUS status;
865 int ret;
866 int role = lp_server_role();
867
868 switch (info->secure_channel_type) {
869 case SEC_CHAN_WKSTA:
870 case SEC_CHAN_BDC:
871 if (!upgrade && role >= ROLE_ACTIVE_DIRECTORY_DC) {
872 DBG_ERR("AD_DC not supported for %s\n",
873 domain);
874 TALLOC_FREE(frame);
875 return NT_STATUS_INTERNAL_ERROR;
876 }
877
878 break;
879 default:
880 DBG_ERR("SEC_CHAN_* not supported for %s\n",
881 domain);
882 TALLOC_FREE(frame);
883 return NT_STATUS_INTERNAL_ERROR;
884 }
885
886 db = secrets_db_ctx();
887
888 ret = dbwrap_transaction_start(db);
889 if (ret != 0) {
890 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
891 domain);
892 TALLOC_FREE(frame);
893 return NT_STATUS_INTERNAL_DB_ERROR;
894 }
895
896 ok = secrets_clear_domain_protection(domain);
897 if (!ok) {
898 DBG_ERR("secrets_clear_domain_protection(%s) failed\n",
899 domain);
900 dbwrap_transaction_cancel(db);
901 TALLOC_FREE(frame);
902 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
903 }
904
905 ok = secrets_delete_machine_password_ex(domain, realm);
906 if (!ok) {
907 DBG_ERR("secrets_delete_machine_password_ex(%s) failed\n",
908 domain);
909 dbwrap_transaction_cancel(db);
910 TALLOC_FREE(frame);
911 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
912 }
913
914 status = secrets_store_domain_info1_by_key(key, info);
915 if (!NT_STATUS_IS_OK(status)) {
916 DBG_ERR("secrets_store_domain_info1_by_key() failed "
917 "for %s - %s\n", domain, nt_errstr(status));
918 dbwrap_transaction_cancel(db);
919 TALLOC_FREE(frame);
920 return status;
921 }
922
923 /*
924 * We use info->password_last_change instead
925 * of info->password.change_time because
926 * we may want to defer the next change approach
927 * if the server rejected the change the last time,
928 * e.g. due to RefusePasswordChange=1.
929 */
930 nttime_to_timeval(&last_change_tv, info->password_last_change);
931
932 cleartext_blob = &info->password->cleartext_blob;
933 ok = convert_string_talloc(frame, CH_UTF16MUNGED, CH_UNIX,
934 cleartext_blob->data,
935 cleartext_blob->length,
936 (void **)&pw_blob.data,
937 &pw_blob.length);
938 if (!ok) {
939 status = NT_STATUS_UNMAPPABLE_CHARACTER;
940 if (errno == ENOMEM) {
941 status = NT_STATUS_NO_MEMORY;
942 }
943 DBG_ERR("convert_string_talloc(CH_UTF16MUNGED, CH_UNIX) "
944 "failed for pw of %s - %s\n",
945 domain, nt_errstr(status));
946 dbwrap_transaction_cancel(db);
947 TALLOC_FREE(frame);
948 return status;
949 }
950 pw = (const char *)pw_blob.data;
951 if (info->old_password != NULL) {
952 cleartext_blob = &info->old_password->cleartext_blob;
953 ok = convert_string_talloc(frame, CH_UTF16MUNGED, CH_UNIX,
954 cleartext_blob->data,
955 cleartext_blob->length,
956 (void **)&old_pw_blob.data,
957 &old_pw_blob.length);
958 if (!ok) {
959 status = NT_STATUS_UNMAPPABLE_CHARACTER;
960 if (errno == ENOMEM) {
961 status = NT_STATUS_NO_MEMORY;
962 }
963 DBG_ERR("convert_string_talloc(CH_UTF16MUNGED, CH_UNIX) "
964 "failed for old_pw of %s - %s\n",
965 domain, nt_errstr(status));
966 dbwrap_transaction_cancel(db);
967 data_blob_clear_free(&pw_blob);
968 TALLOC_FREE(frame);
969 return status;
970 }
971 old_pw = (const char *)old_pw_blob.data;
972 }
973
974 ok = secrets_store_machine_pw_sync(pw, old_pw,
975 domain, realm,
976 info->salt_principal,
977 info->supported_enc_types,
978 info->domain_info.sid,
979 last_change_tv.tv_sec,
980 info->secure_channel_type,
981 false); /* delete_join */
982 data_blob_clear_free(&pw_blob);
983 data_blob_clear_free(&old_pw_blob);
984 if (!ok) {
985 DBG_ERR("secrets_store_machine_pw_sync(%s) failed\n",
986 domain);
987 dbwrap_transaction_cancel(db);
988 TALLOC_FREE(frame);
989 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
990 }
991
992 if (!GUID_all_zero(&info->domain_info.domain_guid)) {
993 ok = secrets_store_domain_guid(domain,
994 &info->domain_info.domain_guid);
995 if (!ok) {
996 DBG_ERR("secrets_store_domain_guid(%s) failed\n",
997 domain);
998 dbwrap_transaction_cancel(db);
999 TALLOC_FREE(frame);
1000 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1001 }
1002 }
1003
1004 ok = secrets_mark_domain_protected(domain);
1005 if (!ok) {
1006 DBG_ERR("secrets_mark_domain_protected(%s) failed\n",
1007 domain);
1008 dbwrap_transaction_cancel(db);
1009 TALLOC_FREE(frame);
1010 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1011 }
1012
1013 ret = dbwrap_transaction_commit(db);
1014 if (ret != 0) {
1015 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
1016 domain);
1017 TALLOC_FREE(frame);
1018 return NT_STATUS_INTERNAL_DB_ERROR;
1019 }
1020
1021 TALLOC_FREE(frame);
1022 return NT_STATUS_OK;
1023 }
1024
1025 static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_password *p,
1026 const char *salt_principal)
1027 {
1028 #ifdef HAVE_ADS
1029 krb5_error_code krb5_ret;
1030 krb5_context krb5_ctx = NULL;
1031 DATA_BLOB cleartext_utf8_b = data_blob_null;
1032 krb5_data cleartext_utf8;
1033 krb5_data salt;
1034 krb5_keyblock key;
1035 DATA_BLOB aes_256_b = data_blob_null;
1036 DATA_BLOB aes_128_b = data_blob_null;
1037 bool ok;
1038 #endif /* HAVE_ADS */
1039 DATA_BLOB arc4_b = data_blob_null;
1040 const uint16_t max_keys = 3;
1041 struct secrets_domain_info1_kerberos_key *keys = NULL;
1042 uint16_t idx = 0;
1043 char *salt_data = NULL;
1044
1045 /*
1046 * We calculate:
1047 * ENCTYPE_AES256_CTS_HMAC_SHA1_96
1048 * ENCTYPE_AES128_CTS_HMAC_SHA1_96
1049 * ENCTYPE_ARCFOUR_HMAC
1050 *
1051 * We don't include ENCTYPE_DES_CBC_CRC
1052 * and ENCTYPE_DES_CBC_MD5
1053 * as they are no longer supported.
1054 *
1055 * Note we store all enctypes we support,
1056 * including the weak encryption types,
1057 * but that's no problem as we also
1058 * store the cleartext password anyway.
1059 *
1060 * Which values are then used to construct
1061 * a keytab is configured at runtime and the
1062 * configuration of msDS-SupportedEncryptionTypes.
1063 *
1064 * If we don't have kerberos support or no
1065 * salt, we only generate an entry for arcfour-hmac-md5.
1066 */
1067 keys = talloc_zero_array(p,
1068 struct secrets_domain_info1_kerberos_key,
1069 max_keys);
1070 if (keys == NULL) {
1071 return ENOMEM;
1072 }
1073
1074 arc4_b = data_blob_talloc(keys,
1075 p->nt_hash.hash,
1076 sizeof(p->nt_hash.hash));
1077 if (arc4_b.data == NULL) {
1078 DBG_ERR("data_blob_talloc failed for arcfour-hmac-md5.\n");
1079 TALLOC_FREE(keys);
1080 return ENOMEM;
1081 }
1082 talloc_keep_secret(arc4_b.data);
1083
1084 #ifdef HAVE_ADS
1085 if (salt_principal == NULL) {
1086 goto no_kerberos;
1087 }
1088
1089 krb5_ret = smb_krb5_init_context_common(&krb5_ctx);
1090 if (krb5_ret != 0) {
1091 DBG_ERR("kerberos init context failed (%s)\n",
1092 error_message(krb5_ret));
1093 TALLOC_FREE(keys);
1094 return krb5_ret;
1095 }
1096
1097 krb5_ret = smb_krb5_salt_principal2data(krb5_ctx, salt_principal,
1098 p, &salt_data);
1099 if (krb5_ret != 0) {
1100 DBG_ERR("smb_krb5_salt_principal2data(%s) failed: %s\n",
1101 salt_principal,
1102 smb_get_krb5_error_message(krb5_ctx, krb5_ret, keys));
1103 krb5_free_context(krb5_ctx);
1104 TALLOC_FREE(keys);
1105 return krb5_ret;
1106 }
1107
1108 salt = (krb5_data) {
1109 .data = discard_const(salt_data),
1110 .length = strlen(salt_data),
1111 };
1112
1113 ok = convert_string_talloc(keys, CH_UTF16MUNGED, CH_UTF8,
1114 p->cleartext_blob.data,
1115 p->cleartext_blob.length,
1116 (void **)&cleartext_utf8_b.data,
1117 &cleartext_utf8_b.length);
1118 if (!ok) {
1119 if (errno != 0) {
1120 krb5_ret = errno;
1121 } else {
1122 krb5_ret = EINVAL;
1123 }
1124 krb5_free_context(krb5_ctx);
1125 TALLOC_FREE(keys);
1126 return krb5_ret;
1127 }
1128 talloc_keep_secret(cleartext_utf8_b.data);
1129 cleartext_utf8.data = (void *)cleartext_utf8_b.data;
1130 cleartext_utf8.length = cleartext_utf8_b.length;
1131
1132 krb5_ret = smb_krb5_create_key_from_string(krb5_ctx,
1133 NULL,
1134 &salt,
1135 &cleartext_utf8,
1136 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
1137 &key);
1138 if (krb5_ret != 0) {
1139 DBG_ERR("generation of a aes256-cts-hmac-sha1-96 key failed: %s\n",
1140 smb_get_krb5_error_message(krb5_ctx, krb5_ret, keys));
1141 krb5_free_context(krb5_ctx);
1142 TALLOC_FREE(keys);
1143 TALLOC_FREE(salt_data);
1144 return krb5_ret;
1145 }
1146 aes_256_b = data_blob_talloc(keys,
1147 KRB5_KEY_DATA(&key),
1148 KRB5_KEY_LENGTH(&key));
1149 krb5_free_keyblock_contents(krb5_ctx, &key);
1150 if (aes_256_b.data == NULL) {
1151 DBG_ERR("data_blob_talloc failed for aes-256.\n");
1152 krb5_free_context(krb5_ctx);
1153 TALLOC_FREE(keys);
1154 TALLOC_FREE(salt_data);
1155 return ENOMEM;
1156 }
1157 talloc_keep_secret(aes_256_b.data);
1158
1159 krb5_ret = smb_krb5_create_key_from_string(krb5_ctx,
1160 NULL,
1161 &salt,
1162 &cleartext_utf8,
1163 ENCTYPE_AES128_CTS_HMAC_SHA1_96,
1164 &key);
1165 if (krb5_ret != 0) {
1166 DBG_ERR("generation of a aes128-cts-hmac-sha1-96 key failed: %s\n",
1167 smb_get_krb5_error_message(krb5_ctx, krb5_ret, keys));
1168 krb5_free_context(krb5_ctx);
1169 TALLOC_FREE(keys);
1170 TALLOC_FREE(salt_data);
1171 return krb5_ret;
1172 }
1173 aes_128_b = data_blob_talloc(keys,
1174 KRB5_KEY_DATA(&key),
1175 KRB5_KEY_LENGTH(&key));
1176 krb5_free_keyblock_contents(krb5_ctx, &key);
1177 if (aes_128_b.data == NULL) {
1178 DBG_ERR("data_blob_talloc failed for aes-128.\n");
1179 krb5_free_context(krb5_ctx);
1180 TALLOC_FREE(keys);
1181 TALLOC_FREE(salt_data);
1182 return ENOMEM;
1183 }
1184 talloc_keep_secret(aes_128_b.data);
1185
1186 krb5_free_context(krb5_ctx);
1187 no_kerberos:
1188
1189 if (aes_256_b.length != 0) {
1190 keys[idx].keytype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
1191 keys[idx].iteration_count = 4096;
1192 keys[idx].value = aes_256_b;
1193 idx += 1;
1194 }
1195
1196 if (aes_128_b.length != 0) {
1197 keys[idx].keytype = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
1198 keys[idx].iteration_count = 4096;
1199 keys[idx].value = aes_128_b;
1200 idx += 1;
1201 }
1202
1203 #endif /* HAVE_ADS */
1204
1205 keys[idx].keytype = ENCTYPE_ARCFOUR_HMAC;
1206 keys[idx].iteration_count = 4096;
1207 keys[idx].value = arc4_b;
1208 idx += 1;
1209
1210 p->salt_data = salt_data;
1211 p->default_iteration_count = 4096;
1212 p->num_keys = idx;
1213 p->keys = keys;
1214 return 0;
1215 }
1216
1217 static NTSTATUS secrets_domain_info_password_create(TALLOC_CTX *mem_ctx,
1218 const char *cleartext_unix,
1219 const char *salt_principal,
1220 NTTIME change_time,
1221 const char *change_server,
1222 struct secrets_domain_info1_password **_p)
1223 {
1224 struct secrets_domain_info1_password *p = NULL;
1225 bool ok;
1226 size_t len;
1227 int ret;
1228
1229 if (change_server == NULL) {
1230 return NT_STATUS_INVALID_PARAMETER_MIX;
1231 }
1232
1233 p = talloc_zero(mem_ctx, struct secrets_domain_info1_password);
1234 if (p == NULL) {
1235 return NT_STATUS_NO_MEMORY;
1236 }
1237 p->change_time = change_time;
1238 p->change_server = talloc_strdup(p, change_server);
1239 if (p->change_server == NULL) {
1240 TALLOC_FREE(p);
1241 return NT_STATUS_NO_MEMORY;
1242 }
1243 len = strlen(cleartext_unix);
1244 ok = convert_string_talloc(p, CH_UNIX, CH_UTF16,
1245 cleartext_unix, len,
1246 (void **)&p->cleartext_blob.data,
1247 &p->cleartext_blob.length);
1248 if (!ok) {
1249 NTSTATUS status = NT_STATUS_UNMAPPABLE_CHARACTER;
1250 if (errno == ENOMEM) {
1251 status = NT_STATUS_NO_MEMORY;
1252 }
1253 TALLOC_FREE(p);
1254 return status;
1255 }
1256 talloc_keep_secret(p->cleartext_blob.data);
1257 mdfour(p->nt_hash.hash,
1258 p->cleartext_blob.data,
1259 p->cleartext_blob.length);
1260
1261 talloc_set_destructor(p, password_nt_hash_destructor);
1262 ret = secrets_domain_info_kerberos_keys(p, salt_principal);
1263 if (ret != 0) {
1264 NTSTATUS status = krb5_to_nt_status(ret);
1265 TALLOC_FREE(p);
1266 return status;
1267 }
1268
1269 *_p = p;
1270 return NT_STATUS_OK;
1271 }
1272
1273 NTSTATUS secrets_fetch_or_upgrade_domain_info(const char *domain,
1274 TALLOC_CTX *mem_ctx,
1275 struct secrets_domain_info1 **pinfo)
1276 {
1277 TALLOC_CTX *frame = NULL;
1278 struct secrets_domain_info1 *old = NULL;
1279 struct secrets_domain_info1 *info = NULL;
1280 const char *dns_domain = NULL;
1281 const char *server = NULL;
1282 struct db_context *db = NULL;
1283 time_t last_set_time;
1284 NTTIME last_set_nt;
1285 enum netr_SchannelType channel;
1286 char *pw = NULL;
1287 char *old_pw = NULL;
1288 struct dom_sid domain_sid;
1289 struct GUID domain_guid;
1290 bool ok;
1291 NTSTATUS status;
1292 int ret;
1293
1294 ok = strequal(domain, lp_workgroup());
1295 if (ok) {
1296 dns_domain = lp_dnsdomain();
1297
1298 if (dns_domain != NULL && dns_domain[0] == '\0') {
1299 dns_domain = NULL;
1300 }
1301 }
1302
1303 last_set_time = secrets_fetch_pass_last_set_time(domain);
1304 if (last_set_time == 0) {
1305 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1306 }
1307 unix_to_nt_time(&last_set_nt, last_set_time);
1308
1309 frame = talloc_stackframe();
1310
1311 status = secrets_fetch_domain_info(domain, frame, &old);
1312 if (NT_STATUS_IS_OK(status)) {
1313 if (old->password_last_change >= last_set_nt) {
1314 *pinfo = talloc_move(mem_ctx, &old);
1315 TALLOC_FREE(frame);
1316 return NT_STATUS_OK;
1317 }
1318 TALLOC_FREE(old);
1319 }
1320
1321 info = talloc_zero(frame, struct secrets_domain_info1);
1322 if (info == NULL) {
1323 DBG_ERR("talloc_zero failed\n");
1324 TALLOC_FREE(frame);
1325 return NT_STATUS_NO_MEMORY;
1326 }
1327
1328 db = secrets_db_ctx();
1329
1330 ret = dbwrap_transaction_start(db);
1331 if (ret != 0) {
1332 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
1333 domain);
1334 TALLOC_FREE(frame);
1335 return NT_STATUS_INTERNAL_DB_ERROR;
1336 }
1337
1338 pw = secrets_fetch_machine_password(domain,
1339 &last_set_time,
1340 &channel);
1341 if (pw == NULL) {
1342 DBG_ERR("secrets_fetch_machine_password(%s) failed\n",
1343 domain);
1344 dbwrap_transaction_cancel(db);
1345 TALLOC_FREE(frame);
1346 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1347 }
1348 unix_to_nt_time(&last_set_nt, last_set_time);
1349
1350 old_pw = secrets_fetch_prev_machine_password(domain);
1351
1352 ok = secrets_fetch_domain_sid(domain, &domain_sid);
1353 if (!ok) {
1354 DBG_ERR("secrets_fetch_domain_sid(%s) failed\n",
1355 domain);
1356 dbwrap_transaction_cancel(db);
1357 BURN_FREE_STR(old_pw);
1358 BURN_FREE_STR(pw);
1359 TALLOC_FREE(frame);
1360 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
1361 }
1362
1363 ok = secrets_fetch_domain_guid(domain, &domain_guid);
1364 if (!ok) {
1365 domain_guid = GUID_zero();
1366 }
1367
1368 info->computer_name = lp_netbios_name();
1369 info->account_name = talloc_asprintf(frame, "%s$", info->computer_name);
1370 if (info->account_name == NULL) {
1371 DBG_ERR("talloc_asprintf(%s$) failed\n", info->computer_name);
1372 dbwrap_transaction_cancel(db);
1373 BURN_FREE_STR(old_pw);
1374 BURN_FREE_STR(pw);
1375 TALLOC_FREE(frame);
1376 return NT_STATUS_NO_MEMORY;
1377 }
1378 info->secure_channel_type = channel;
1379
1380 info->domain_info.name.string = domain;
1381 info->domain_info.dns_domain.string = dns_domain;
1382 info->domain_info.dns_forest.string = dns_domain;
1383 info->domain_info.domain_guid = domain_guid;
1384 info->domain_info.sid = &domain_sid;
1385
1386 info->trust_flags = NETR_TRUST_FLAG_PRIMARY;
1387 info->trust_flags |= NETR_TRUST_FLAG_OUTBOUND;
1388
1389 if (dns_domain != NULL) {
1390 /*
1391 * We just assume all AD domains are
1392 * NETR_TRUST_FLAG_NATIVE these days.
1393 *
1394 * This isn't used anyway for now.
1395 */
1396 info->trust_flags |= NETR_TRUST_FLAG_NATIVE;
1397
1398 info->trust_type = LSA_TRUST_TYPE_UPLEVEL;
1399
1400 server = info->domain_info.dns_domain.string;
1401 } else {
1402 info->trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
1403
1404 server = talloc_asprintf(info,
1405 "%s#%02X",
1406 domain,
1407 NBT_NAME_PDC);
1408 if (server == NULL) {
1409 DBG_ERR("talloc_asprintf(%s#%02X) failed\n",
1410 domain, NBT_NAME_PDC);
1411 dbwrap_transaction_cancel(db);
1412 BURN_FREE_STR(pw);
1413 BURN_FREE_STR(old_pw);
1414 TALLOC_FREE(frame);
1415 return NT_STATUS_NO_MEMORY;
1416 }
1417 }
1418 info->trust_attributes = LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL;
1419
1420 info->join_time = 0;
1421
1422 /*
1423 * We don't have enough information about the configured
1424 * enctypes.
1425 */
1426 info->supported_enc_types = 0;
1427 info->salt_principal = NULL;
1428 if (info->trust_type == LSA_TRUST_TYPE_UPLEVEL) {
1429 char *p = NULL;
1430
1431 p = kerberos_secrets_fetch_salt_princ();
1432 if (p == NULL) {
1433 dbwrap_transaction_cancel(db);
1434 BURN_FREE_STR(old_pw);
1435 BURN_FREE_STR(pw);
1436 TALLOC_FREE(frame);
1437 return NT_STATUS_INTERNAL_ERROR;
1438 }
1439 info->salt_principal = talloc_strdup(info, p);
1440 SAFE_FREE(p);
1441 if (info->salt_principal == NULL) {
1442 dbwrap_transaction_cancel(db);
1443 BURN_FREE_STR(pw);
1444 BURN_FREE_STR(old_pw);
1445 TALLOC_FREE(frame);
1446 return NT_STATUS_NO_MEMORY;
1447 }
1448 }
1449
1450 info->password_last_change = last_set_nt;
1451 info->password_changes = 1;
1452 info->next_change = NULL;
1453
1454 status = secrets_domain_info_password_create(info,
1455 pw,
1456 info->salt_principal,
1457 last_set_nt, server,
1458 &info->password);
1459 BURN_FREE_STR(pw);
1460 if (!NT_STATUS_IS_OK(status)) {
1461 DBG_ERR("secrets_domain_info_password_create(pw) failed "
1462 "for %s - %s\n", domain, nt_errstr(status));
1463 dbwrap_transaction_cancel(db);
1464 BURN_FREE_STR(old_pw);
1465 TALLOC_FREE(frame);
1466 return status;
1467 }
1468
1469 /*
1470 * After a join we don't have old passwords.
1471 */
1472 if (old_pw != NULL) {
1473 status = secrets_domain_info_password_create(info,
1474 old_pw,
1475 info->salt_principal,
1476 0, server,
1477 &info->old_password);
1478 BURN_FREE_STR(old_pw);
1479 if (!NT_STATUS_IS_OK(status)) {
1480 DBG_ERR("secrets_domain_info_password_create(old) failed "
1481 "for %s - %s\n", domain, nt_errstr(status));
1482 dbwrap_transaction_cancel(db);
1483 TALLOC_FREE(frame);
1484 return status;
1485 }
1486 info->password_changes += 1;
1487 } else {
1488 info->old_password = NULL;
1489 }
1490 info->older_password = NULL;
1491
1492 secrets_debug_domain_info(DBGLVL_INFO, info, "upgrade");
1493
1494 status = secrets_store_domain_info(info, true /* upgrade */);
1495 if (!NT_STATUS_IS_OK(status)) {
1496 DBG_ERR("secrets_store_domain_info() failed "
1497 "for %s - %s\n", domain, nt_errstr(status));
1498 dbwrap_transaction_cancel(db);
1499 TALLOC_FREE(frame);
1500 return status;
1501 }
1502
1503 /*
1504 * We now reparse it.
1505 */
1506 status = secrets_fetch_domain_info(domain, frame, &info);
1507 if (!NT_STATUS_IS_OK(status)) {
1508 DBG_ERR("secrets_fetch_domain_info() failed "
1509 "for %s - %s\n", domain, nt_errstr(status));
1510 dbwrap_transaction_cancel(db);
1511 TALLOC_FREE(frame);
1512 return status;
1513 }
1514
1515 ret = dbwrap_transaction_commit(db);
1516 if (ret != 0) {
1517 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
1518 domain);
1519 dbwrap_transaction_cancel(db);
1520 TALLOC_FREE(frame);
1521 return NT_STATUS_INTERNAL_DB_ERROR;
1522 }
1523
1524 *pinfo = talloc_move(mem_ctx, &info);
1525 TALLOC_FREE(frame);
1526 return NT_STATUS_OK;
1527 }
1528
1529 NTSTATUS secrets_store_JoinCtx(const struct libnet_JoinCtx *r)
1530 {
1531 TALLOC_CTX *frame = talloc_stackframe();
1532 struct secrets_domain_info1 *old = NULL;
1533 struct secrets_domain_info1 *info = NULL;
1534 struct db_context *db = NULL;
1535 struct timeval tv = timeval_current();
1536 NTTIME now = timeval_to_nttime(&tv);
1537 const char *domain = r->out.netbios_domain_name;
1538 NTSTATUS status;
1539 int ret;
1540
1541 info = talloc_zero(frame, struct secrets_domain_info1);
1542 if (info == NULL) {
1543 DBG_ERR("talloc_zero failed\n");
1544 TALLOC_FREE(frame);
1545 return NT_STATUS_NO_MEMORY;
1546 }
1547
1548 info->computer_name = r->in.machine_name;
1549 info->account_name = r->out.account_name;
1550 info->secure_channel_type = r->in.secure_channel_type;
1551
1552 info->domain_info.name.string =
1553 r->out.netbios_domain_name;
1554 info->domain_info.dns_domain.string =
1555 r->out.dns_domain_name;
1556 info->domain_info.dns_forest.string =
1557 r->out.forest_name;
1558 info->domain_info.domain_guid = r->out.domain_guid;
1559 info->domain_info.sid = r->out.domain_sid;
1560
1561 info->trust_flags = NETR_TRUST_FLAG_PRIMARY;
1562 info->trust_flags |= NETR_TRUST_FLAG_OUTBOUND;
1563 if (r->out.domain_is_ad) {
1564 /*
1565 * We just assume all AD domains are
1566 * NETR_TRUST_FLAG_NATIVE these days.
1567 *
1568 * This isn't used anyway for now.
1569 */
1570 info->trust_flags |= NETR_TRUST_FLAG_NATIVE;
1571
1572 info->trust_type = LSA_TRUST_TYPE_UPLEVEL;
1573 } else {
1574 info->trust_type = LSA_TRUST_TYPE_DOWNLEVEL;
1575 }
1576 info->trust_attributes = LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL;
1577
1578 info->join_time = now;
1579
1580 info->supported_enc_types = r->out.set_encryption_types;
1581 info->salt_principal = r->out.krb5_salt;
1582
1583 if (info->salt_principal == NULL && r->out.domain_is_ad) {
1584 char *p = NULL;
1585
1586 ret = smb_krb5_salt_principal_str(info->domain_info.dns_domain.string,
1587 info->account_name,
1588 NULL /* userPrincipalName */,
1589 UF_WORKSTATION_TRUST_ACCOUNT,
1590 info, &p);
1591 if (ret != 0) {
1592 status = krb5_to_nt_status(ret);
1593 DBG_ERR("smb_krb5_salt_principal() failed "
1594 "for %s - %s\n", domain, nt_errstr(status));
1595 TALLOC_FREE(frame);
1596 return status;
1597 }
1598 info->salt_principal = p;
1599 }
1600
1601 info->password_last_change = now;
1602 info->password_changes = 1;
1603 info->next_change = NULL;
1604
1605 status = secrets_domain_info_password_create(info,
1606 r->in.machine_password,
1607 info->salt_principal,
1608 now, r->in.dc_name,
1609 &info->password);
1610 if (!NT_STATUS_IS_OK(status)) {
1611 DBG_ERR("secrets_domain_info_password_create(pw) failed "
1612 "for %s - %s\n", domain, nt_errstr(status));
1613 TALLOC_FREE(frame);
1614 return status;
1615 }
1616
1617 db = secrets_db_ctx();
1618
1619 ret = dbwrap_transaction_start(db);
1620 if (ret != 0) {
1621 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
1622 domain);
1623 TALLOC_FREE(frame);
1624 return NT_STATUS_INTERNAL_DB_ERROR;
1625 }
1626
1627 status = secrets_fetch_or_upgrade_domain_info(domain, frame, &old);
1628 if (NT_STATUS_EQUAL(status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
1629 DBG_DEBUG("no old join for domain(%s) available\n",
1630 domain);
1631 old = NULL;
1632 } else if (!NT_STATUS_IS_OK(status)) {
1633 DBG_ERR("secrets_fetch_or_upgrade_domain_info(%s) failed\n",
1634 domain);
1635 dbwrap_transaction_cancel(db);
1636 TALLOC_FREE(frame);
1637 return status;
1638 }
1639
1640 /*
1641 * We reuse values from an old join, so that
1642 * we still accept already granted kerberos tickets.
1643 */
1644 if (old != NULL) {
1645 info->old_password = old->password;
1646 info->older_password = old->old_password;
1647 }
1648
1649 secrets_debug_domain_info(DBGLVL_INFO, info, "join");
1650
1651 status = secrets_store_domain_info(info, false /* upgrade */);
1652 if (!NT_STATUS_IS_OK(status)) {
1653 DBG_ERR("secrets_store_domain_info() failed "
1654 "for %s - %s\n", domain, nt_errstr(status));
1655 dbwrap_transaction_cancel(db);
1656 TALLOC_FREE(frame);
1657 return status;
1658 }
1659
1660 ret = dbwrap_transaction_commit(db);
1661 if (ret != 0) {
1662 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
1663 domain);
1664 TALLOC_FREE(frame);
1665 return NT_STATUS_INTERNAL_DB_ERROR;
1666 }
1667
1668 TALLOC_FREE(frame);
1669 return NT_STATUS_OK;
1670 }
1671
1672 NTSTATUS secrets_prepare_password_change(const char *domain, const char *dcname,
1673 const char *cleartext_unix,
1674 TALLOC_CTX *mem_ctx,
1675 struct secrets_domain_info1 **pinfo,
1676 struct secrets_domain_info1_change **pprev,
1677 NTSTATUS (*sync_pw2keytabs_fn)(void))
1678 {
1679 TALLOC_CTX *frame = talloc_stackframe();
1680 struct db_context *db = NULL;
1681 struct secrets_domain_info1 *info = NULL;
1682 struct secrets_domain_info1_change *prev = NULL;
1683 struct secrets_domain_info1_change *next = NULL;
1684 struct timeval tv = timeval_current();
1685 NTTIME now = timeval_to_nttime(&tv);
1686 NTSTATUS status;
1687 int ret;
1688
1689 db = secrets_db_ctx();
1690
1691 ret = dbwrap_transaction_start(db);
1692 if (ret != 0) {
1693 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
1694 domain);
1695 TALLOC_FREE(frame);
1696 return NT_STATUS_INTERNAL_DB_ERROR;
1697 }
1698
1699 status = secrets_fetch_or_upgrade_domain_info(domain, frame, &info);
1700 if (!NT_STATUS_IS_OK(status)) {
1701 DBG_ERR("secrets_fetch_or_upgrade_domain_info(%s) failed\n",
1702 domain);
1703 dbwrap_transaction_cancel(db);
1704 TALLOC_FREE(frame);
1705 return status;
1706 }
1707
1708 prev = info->next_change;
1709 info->next_change = NULL;
1710
1711 next = talloc_zero(frame, struct secrets_domain_info1_change);
1712 if (next == NULL) {
1713 DBG_ERR("talloc_zero failed\n");
1714 TALLOC_FREE(frame);
1715 return NT_STATUS_NO_MEMORY;
1716 }
1717
1718 if (prev != NULL) {
1719 *next = *prev;
1720 } else {
1721 status = secrets_domain_info_password_create(next,
1722 cleartext_unix,
1723 info->salt_principal,
1724 now, dcname,
1725 &next->password);
1726 if (!NT_STATUS_IS_OK(status)) {
1727 DBG_ERR("secrets_domain_info_password_create(next) failed "
1728 "for %s - %s\n", domain, nt_errstr(status));
1729 dbwrap_transaction_cancel(db);
1730 TALLOC_FREE(frame);
1731 return status;
1732 }
1733 }
1734
1735 next->local_status = NT_STATUS_OK;
1736 next->remote_status = NT_STATUS_NOT_COMMITTED;
1737 next->change_time = now;
1738 next->change_server = dcname;
1739
1740 info->next_change = next;
1741
1742 secrets_debug_domain_info(DBGLVL_INFO, info, "prepare_change");
1743
1744 status = secrets_store_domain_info(info, false /* upgrade */);
1745 if (!NT_STATUS_IS_OK(status)) {
1746 DBG_ERR("secrets_store_domain_info() failed "
1747 "for %s - %s\n", domain, nt_errstr(status));
1748 dbwrap_transaction_cancel(db);
1749 TALLOC_FREE(frame);
1750 return status;
1751 }
1752
1753 /*
1754 * We now reparse it.
1755 */
1756 status = secrets_fetch_domain_info(domain, frame, &info);
1757 if (!NT_STATUS_IS_OK(status)) {
1758 DBG_ERR("secrets_fetch_domain_info(%s) failed\n", domain);
1759 dbwrap_transaction_cancel(db);
1760 TALLOC_FREE(frame);
1761 return status;
1762 }
1763
1764 ret = dbwrap_transaction_commit(db);
1765 if (ret != 0) {
1766 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
1767 domain);
1768 TALLOC_FREE(frame);
1769 return NT_STATUS_INTERNAL_DB_ERROR;
1770 }
1771
1772 if (prev == NULL && sync_pw2keytabs_fn != NULL) {
1773 status = sync_pw2keytabs_fn();
1774 if (!NT_STATUS_IS_OK(status)) {
1775 DBG_ERR("Sync of machine password failed.\n");
1776 dbwrap_transaction_cancel(db);
1777 TALLOC_FREE(frame);
1778 return status;
1779 }
1780 }
1781
1782 *pinfo = talloc_move(mem_ctx, &info);
1783 if (prev != NULL) {
1784 *pprev = talloc_move(mem_ctx, &prev);
1785 } else {
1786 *pprev = NULL;
1787 }
1788
1789 TALLOC_FREE(frame);
1790 return NT_STATUS_OK;
1791 }
1792
1793 static NTSTATUS secrets_check_password_change(const struct secrets_domain_info1 *cookie,
1794 TALLOC_CTX *mem_ctx,
1795 struct secrets_domain_info1 **pstored)
1796 {
1797 const char *domain = cookie->domain_info.name.string;
1798 struct secrets_domain_info1 *stored = NULL;
1799 struct secrets_domain_info1_change *sn = NULL;
1800 struct secrets_domain_info1_change *cn = NULL;
1801 NTSTATUS status;
1802 bool cmp;
1803
1804 if (cookie->next_change == NULL) {
1805 DBG_ERR("cookie->next_change == NULL for %s.\n", domain);
1806 return NT_STATUS_INTERNAL_ERROR;
1807 }
1808
1809 if (cookie->next_change->password == NULL) {
1810 DBG_ERR("cookie->next_change->password == NULL for %s.\n", domain);
1811 return NT_STATUS_INTERNAL_ERROR;
1812 }
1813
1814 if (cookie->password == NULL) {
1815 DBG_ERR("cookie->password == NULL for %s.\n", domain);
1816 return NT_STATUS_INTERNAL_ERROR;
1817 }
1818
1819 /*
1820 * Here we check that the given structure still contains the
1821 * same secrets_domain_info1_change as currently stored.
1822 *
1823 * There's always a gap between secrets_prepare_password_change()
1824 * and the callers of secrets_check_password_change().
1825 */
1826
1827 status = secrets_fetch_domain_info(domain, mem_ctx, &stored);
1828 if (!NT_STATUS_IS_OK(status)) {
1829 DBG_ERR("secrets_fetch_domain_info(%s) failed\n", domain);
1830 return status;
1831 }
1832
1833 if (stored->next_change == NULL) {
1834 /*
1835 * We hit a race..., the administrator
1836 * rejoined or something similar happened.
1837 */
1838 DBG_ERR("stored->next_change == NULL for %s.\n", domain);
1839 TALLOC_FREE(stored);
1840 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
1841 }
1842
1843 if (stored->password_last_change != cookie->password_last_change) {
1844 struct timeval store_tv;
1845 struct timeval_buf store_buf;
1846 struct timeval cookie_tv;
1847 struct timeval_buf cookie_buf;
1848
1849 nttime_to_timeval(&store_tv, stored->password_last_change);
1850 nttime_to_timeval(&cookie_tv, cookie->password_last_change);
1851
1852 DBG_ERR("password_last_change differs %s != %s for %s.\n",
1853 timeval_str_buf(&store_tv, false, false, &store_buf),
1854 timeval_str_buf(&cookie_tv, false, false, &cookie_buf),
1855 domain);
1856 TALLOC_FREE(stored);
1857 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
1858 }
1859
1860 sn = stored->next_change;
1861 cn = cookie->next_change;
1862
1863 if (sn->change_time != cn->change_time) {
1864 struct timeval store_tv;
1865 struct timeval_buf store_buf;
1866 struct timeval cookie_tv;
1867 struct timeval_buf cookie_buf;
1868
1869 nttime_to_timeval(&store_tv, sn->change_time);
1870 nttime_to_timeval(&cookie_tv, cn->change_time);
1871
1872 DBG_ERR("next change_time differs %s != %s for %s.\n",
1873 timeval_str_buf(&store_tv, false, false, &store_buf),
1874 timeval_str_buf(&cookie_tv, false, false, &cookie_buf),
1875 domain);
1876 TALLOC_FREE(stored);
1877 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
1878 }
1879
1880 if (sn->password->change_time != cn->password->change_time) {
1881 struct timeval store_tv;
1882 struct timeval_buf store_buf;
1883 struct timeval cookie_tv;
1884 struct timeval_buf cookie_buf;
1885
1886 nttime_to_timeval(&store_tv, sn->password->change_time);
1887 nttime_to_timeval(&cookie_tv, cn->password->change_time);
1888
1889 DBG_ERR("next password.change_time differs %s != %s for %s.\n",
1890 timeval_str_buf(&store_tv, false, false, &store_buf),
1891 timeval_str_buf(&cookie_tv, false, false, &cookie_buf),
1892 domain);
1893 TALLOC_FREE(stored);
1894 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
1895 }
1896
1897 cmp = mem_equal_const_time(sn->password->nt_hash.hash,
1898 cn->password->nt_hash.hash,
1899 16);
1900 if (!cmp) {
1901 DBG_ERR("next password.nt_hash differs for %s.\n",
1902 domain);
1903 TALLOC_FREE(stored);
1904 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
1905 }
1906
1907 cmp = mem_equal_const_time(stored->password->nt_hash.hash,
1908 cookie->password->nt_hash.hash,
1909 16);
1910 if (!cmp) {
1911 DBG_ERR("password.nt_hash differs for %s.\n",
1912 domain);
1913 TALLOC_FREE(stored);
1914 return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
1915 }
1916
1917 *pstored = stored;
1918 return NT_STATUS_OK;
1919 }
1920
1921 static NTSTATUS secrets_abort_password_change(const char *change_server,
1922 NTSTATUS local_status,
1923 NTSTATUS remote_status,
1924 const struct secrets_domain_info1 *cookie,
1925 bool defer)
1926 {
1927 const char *domain = cookie->domain_info.name.string;
1928 TALLOC_CTX *frame = talloc_stackframe();
1929 struct db_context *db = NULL;
1930 struct secrets_domain_info1 *info = NULL;
1931 const char *reason = defer ? "defer_change" : "failed_change";
1932 struct timeval tv = timeval_current();
1933 NTTIME now = timeval_to_nttime(&tv);
1934 NTSTATUS status;
1935 int ret;
1936
1937 db = secrets_db_ctx();
1938
1939 ret = dbwrap_transaction_start(db);
1940 if (ret != 0) {
1941 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
1942 domain);
1943 TALLOC_FREE(frame);
1944 return NT_STATUS_INTERNAL_DB_ERROR;
1945 }
1946
1947 /*
1948 * secrets_check_password_change()
1949 * checks that cookie->next_change
1950 * is valid and the same as store
1951 * in the database.
1952 */
1953 status = secrets_check_password_change(cookie, frame, &info);
1954 if (!NT_STATUS_IS_OK(status)) {
1955 DBG_ERR("secrets_check_password_change(%s) failed\n", domain);
1956 dbwrap_transaction_cancel(db);
1957 TALLOC_FREE(frame);
1958 return status;
1959 }
1960
1961 /*
1962 * Remember the last server and error.
1963 */
1964 info->next_change->change_server = change_server;
1965 info->next_change->change_time = now;
1966 info->next_change->local_status = local_status;
1967 info->next_change->remote_status = remote_status;
1968
1969 /*
1970 * Make sure the next automatic change is deferred.
1971 */
1972 if (defer) {
1973 info->password_last_change = now;
1974 }
1975
1976 secrets_debug_domain_info(DBGLVL_WARNING, info, reason);
1977
1978 status = secrets_store_domain_info(info, false /* upgrade */);
1979 if (!NT_STATUS_IS_OK(status)) {
1980 DBG_ERR("secrets_store_domain_info() failed "
1981 "for %s - %s\n", domain, nt_errstr(status));
1982 dbwrap_transaction_cancel(db);
1983 TALLOC_FREE(frame);
1984 return status;
1985 }
1986
1987 ret = dbwrap_transaction_commit(db);
1988 if (ret != 0) {
1989 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
1990 domain);
1991 TALLOC_FREE(frame);
1992 return NT_STATUS_INTERNAL_DB_ERROR;
1993 }
1994
1995 TALLOC_FREE(frame);
1996 return NT_STATUS_OK;
1997 }
1998
1999 NTSTATUS secrets_failed_password_change(const char *change_server,
2000 NTSTATUS local_status,
2001 NTSTATUS remote_status,
2002 const struct secrets_domain_info1 *cookie)
2003 {
2004 static const bool defer = false;
2005 return secrets_abort_password_change(change_server,
2006 local_status,
2007 remote_status,
2008 cookie, defer);
2009 }
2010
2011 NTSTATUS secrets_defer_password_change(const char *change_server,
2012 NTSTATUS local_status,
2013 NTSTATUS remote_status,
2014 const struct secrets_domain_info1 *cookie)
2015 {
2016 static const bool defer = true;
2017 return secrets_abort_password_change(change_server,
2018 local_status,
2019 remote_status,
2020 cookie, defer);
2021 }
2022
2023 NTSTATUS secrets_finish_password_change(const char *change_server,
2024 NTTIME change_time,
2025 const struct secrets_domain_info1 *cookie,
2026 NTSTATUS (*sync_pw2keytabs_fn)(void))
2027 {
2028 const char *domain = cookie->domain_info.name.string;
2029 TALLOC_CTX *frame = talloc_stackframe();
2030 struct db_context *db = NULL;
2031 struct secrets_domain_info1 *info = NULL;
2032 struct secrets_domain_info1_change *nc = NULL;
2033 NTSTATUS status;
2034 int ret;
2035
2036 db = secrets_db_ctx();
2037
2038 ret = dbwrap_transaction_start(db);
2039 if (ret != 0) {
2040 DBG_ERR("dbwrap_transaction_start() failed for %s\n",
2041 domain);
2042 TALLOC_FREE(frame);
2043 return NT_STATUS_INTERNAL_DB_ERROR;
2044 }
2045
2046 /*
2047 * secrets_check_password_change() checks that cookie->next_change is
2048 * valid and the same as store in the database.
2049 */
2050 status = secrets_check_password_change(cookie, frame, &info);
2051 if (!NT_STATUS_IS_OK(status)) {
2052 DBG_ERR("secrets_check_password_change(%s) failed\n", domain);
2053 dbwrap_transaction_cancel(db);
2054 TALLOC_FREE(frame);
2055 return status;
2056 }
2057
2058 nc = info->next_change;
2059
2060 nc->password->change_server = change_server;
2061 nc->password->change_time = change_time;
2062
2063 info->password_last_change = change_time;
2064 info->password_changes += 1;
2065 info->next_change = NULL;
2066
2067 info->older_password = info->old_password;
2068 info->old_password = info->password;
2069 info->password = nc->password;
2070
2071 secrets_debug_domain_info(DBGLVL_WARNING, info, "finish_change");
2072
2073 status = secrets_store_domain_info(info, false /* upgrade */);
2074 if (!NT_STATUS_IS_OK(status)) {
2075 DBG_ERR("secrets_store_domain_info() failed "
2076 "for %s - %s\n", domain, nt_errstr(status));
2077 dbwrap_transaction_cancel(db);
2078 TALLOC_FREE(frame);
2079 return status;
2080 }
2081
2082 /*
2083 * For the clustered samba, it is important to have following order:
2084 * 1. dbwrap_transaction_commit()
2085 * 2. sync_pw2keytabs()
2086 * Only this order ensures a correct behavior of
2087 * the 'sync machine password script' that does:
2088 * 'onnode all net ads keytab create'
2089 *
2090 * If we would call sync_pw2keytabs() before committing the changes to
2091 * the secrets.tdb, it will not be updated on other nodes, so triggering
2092 * 'net ads keytab create' will not see the new password yet.
2093 *
2094 * This applies also to secrets_prepare_password_change().
2095 */
2096 ret = dbwrap_transaction_commit(db);
2097 if (ret != 0) {
2098 DBG_ERR("dbwrap_transaction_commit() failed for %s\n",
2099 domain);
2100 TALLOC_FREE(frame);
2101 return NT_STATUS_INTERNAL_DB_ERROR;
2102 }
2103
2104 if (sync_pw2keytabs_fn != NULL) {
2105 status = sync_pw2keytabs_fn();
2106 if (!NT_STATUS_IS_OK(status)) {
2107 DBG_ERR("Sync of machine password failed.\n");
2108 TALLOC_FREE(frame);
2109 return status;
2110 }
2111 }
2112
2113 TALLOC_FREE(frame);
2114 return NT_STATUS_OK;
2115 }
GSS-enabled samba4