authorAndrew Bartlett <abartlet@samba.org>2015-02-23 16:50:43 +1300
committerAndrew Bartlett <abartlet@samba.org>2015-02-25 01:08:12 +0100
commite5f8b49e21079713a9c704e24494ea562ae5bc1d (patch)
treee5d1e1fb521f4df7be19ce51af963a6a5d51291a /python/samba/upgradehelpers.py
parentfb250d1328033888a33037a2d0ca9d36614cf6bc (diff)
s4/scripting/devel: Add tool to roll over the krbtgt password
This may be handy if this key is compromised, or along with chgtdcpass to isolate test copies of production domains in such a way that they cannot mix. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
Diffstat (limited to 'python/samba/upgradehelpers.py')
-rw-r--r--python/samba/upgradehelpers.py19
1 files changed, 19 insertions, 0 deletions
diff --git a/python/samba/upgradehelpers.py b/python/samba/upgradehelpers.py
index ed63c25268..3b664fe051 100644
--- a/python/samba/upgradehelpers.py
+++ b/python/samba/upgradehelpers.py
@@ -637,6 +637,25 @@ def update_dns_account_password(samdb, secrets_ldb, names):
secrets_ldb.modify(msg)
+def update_krbtgt_account_password(samdb, names):
+ """Update (change) the password of the krbtgt account
+
+ :param samdb: An LDB object related to the sam.ldb file of a given provision
+ :param names: List of key provision parameters"""
+
+ expression = "samAccountName=krbtgt"
+ res = samdb.search(expression=expression, attrs=[])
+ assert(len(res) == 1)
+
+ msg = ldb.Message(res[0].dn)
+ machinepass = samba.generate_random_password(128, 255)
+ mputf16 = machinepass.encode('utf-16-le')
+ msg["clearTextPassword"] = ldb.MessageElement(mputf16,
+ ldb.FLAG_MOD_REPLACE,
+ "clearTextPassword")
+
+ samdb.modify(msg)
+
def search_constructed_attrs_stored(samdb, rootdn, attrs):
"""Search a given sam DB for calculated attributes that are
still stored in the db.
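Review bot: The `assert(len(res) == 1)` in update_krbtgt_account_password is the only guard before the krbtgt secret is replaced, and asserts are stripped under `python -O`, so an empty result would then fail with an IndexError and an ambiguous one would silently modify whichever entry came first. Raise explicitly instead: `if len(res) != 1: raise RuntimeError("expected exactly one krbtgt account, found %d" % len(res))`. The `names` parameter is documented but never used, and the search passes no base or scope, so it relies on the connection defaults; either pin the search to the domain DN or drop the parameter. For the compromise case named in the commit message, the docstring should also say that a single rollover may not invalidate tickets already issued if the KDC still accepts the previous key (as Active Directory does), and that the exact `samAccountName=krbtgt` filter would not cover any per-RODC krbtgt accounts.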