authorGerald Carter <jerry@samba.org>2005-09-30 17:13:37 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:04:48 -0500
commit54abd2aa66069e6baf7769c496f46d9dba18db39 (patch)
tree9cf8e88168011797319ba9e9866749201b1eac1e /source3/libsmb/passchange.c
parent4a2cc231d22a82ed21771a72508f15d21ed63227 (diff)
r10656: BIG merge from trunk. Features not copied over
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
Diffstat (limited to 'source3/libsmb/passchange.c')
-rw-r--r--source3/libsmb/passchange.c66
1 files changed, 37 insertions, 29 deletions
diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
index 8bce9c86a1e..b104a4678d9 100644
--- a/source3/libsmb/passchange.c
+++ b/source3/libsmb/passchange.c
@@ -21,16 +21,17 @@
#include "includes.h"
/*************************************************************
-change a password on a remote machine using IPC calls
+ Change a password on a remote machine using IPC calls.
*************************************************************/
+
BOOL remote_password_change(const char *remote_machine, const char *user_name,
const char *old_passwd, const char *new_passwd,
char *err_str, size_t err_str_len)
{
struct nmb_name calling, called;
struct cli_state cli;
+ struct rpc_pipe_client *pipe_hnd;
struct in_addr ip;
- struct ntuser_creds creds;
NTSTATUS result;
@@ -85,11 +86,9 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
return False;
}
- init_creds(&creds, "", "", NULL);
- cli_init_creds(&cli, &creds);
+ cli_init_creds(&cli, "", "", NULL);
} else {
- init_creds(&creds, user_name, "", old_passwd);
- cli_init_creds(&cli, &creds);
+ cli_init_creds(&cli, user_name, "", old_passwd);
}
if (!cli_send_tconX(&cli, "IPC$", "IPC", "", 1)) {
@@ -99,14 +98,19 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
return False;
}
- /* Try not to give the password away to easily */
+ /* Try not to give the password away too easily */
- cli.pipe_auth_flags = AUTH_PIPE_NTLMSSP;
- cli.pipe_auth_flags |= AUTH_PIPE_SIGN;
- cli.pipe_auth_flags |= AUTH_PIPE_SEAL;
-
- if ( !cli_nt_session_open( &cli, PI_SAMR ) ) {
+ pipe_hnd = cli_rpc_pipe_open_ntlmssp(&cli,
+ PI_SAMR,
+ PIPE_AUTH_LEVEL_PRIVACY,
+ "", /* what domain... ? */
+ user_name,
+ old_passwd,
+ &result);
+
+ if (!pipe_hnd) {
if (lp_client_lanman_auth()) {
+ /* Use the old RAP method. */
if (!cli_oem_change_password(&cli, user_name, new_passwd, old_passwd)) {
slprintf(err_str, err_str_len-1, "machine %s rejected the password change: Error was : %s.\n",
remote_machine, cli_errstr(&cli) );
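Review bot: When `cli_rpc_pipe_open_ntlmssp()` returns NULL and the RAP fallback `cli_oem_change_password()` succeeds, no visible path in the `if (!pipe_hnd)` block returns. Control then appears to fall through to `rpccli_samr_chgpasswd_user(pipe_hnd, ...)` in the next hunk with a NULL handle, and on failure to `cli_rpc_pipe_close(pipe_hnd)` in the hunk after that. The success arm of the RAP branch should end the function, for example by adding `cli_shutdown(&cli); return True;` after the inner `if`, which matches how the later LANMAN fallback treats a successful RAP change. The closing lines of this block sit partly outside the hunk, so confirm against the full function.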
@@ -114,14 +118,16 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
return False;
}
} else {
- slprintf(err_str, err_str_len-1, "machine %s does not support SAMR connections, but LANMAN password changed are disabled\n",
- remote_machine);
+ slprintf(err_str, err_str_len-1,
+ "SAMR connection to machine %s failed. Error was %s, "
+ "but LANMAN password changed are disabled\n",
+ nt_errstr(result), remote_machine);
cli_shutdown(&cli);
return False;
}
}
- if (NT_STATUS_IS_OK(result = cli_samr_chgpasswd_user(&cli, cli.mem_ctx, user_name,
+ if (NT_STATUS_IS_OK(result = rpccli_samr_chgpasswd_user(pipe_hnd, cli.mem_ctx, user_name,
new_passwd, old_passwd))) {
/* Great - it all worked! */
cli_shutdown(&cli);
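Review bot: The arguments to the new `slprintf` are in the opposite order to its format string: the first `%s` is worded as the machine name but receives `nt_errstr(result)`, and the second, worded as the error, receives `remote_machine`. Swap them to `remote_machine, nt_errstr(result));` so the message handed back in `err_str` is not misleading when someone diagnoses a failed password change. The identical call with the same swapped arguments is added in the last hunk of the file (the second LANMAN-disabled branch). The phrase "password changed are disabled" also looks like a typo for "password changes are disabled".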
@@ -138,25 +144,25 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
}
/* OK, that failed, so try again... */
- cli_nt_session_close(&cli);
+ cli_rpc_pipe_close(pipe_hnd);
/* Try anonymous NTLMSSP... */
- init_creds(&creds, "", "", NULL);
- cli_init_creds(&cli, &creds);
+ cli_init_creds(&cli, "", "", NULL);
- cli.pipe_auth_flags = 0;
-
result = NT_STATUS_UNSUCCESSFUL;
- /* OK, this is ugly, but... */
- if ( cli_nt_session_open( &cli, PI_SAMR )
- && NT_STATUS_IS_OK(result
- = cli_samr_chgpasswd_user(&cli, cli.mem_ctx, user_name,
- new_passwd, old_passwd))) {
+ /* OK, this is ugly, but... try an anonymous pipe. */
+ pipe_hnd = cli_rpc_pipe_open_noauth(&cli, PI_SAMR, &result);
+
+ if ( pipe_hnd &&
+ (NT_STATUS_IS_OK(result = rpccli_samr_chgpasswd_user(pipe_hnd,
+ cli.mem_ctx,
+ user_name,
+ new_passwd,
+ old_passwd)))) {
/* Great - it all worked! */
cli_shutdown(&cli);
return True;
-
} else {
if (!(NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)
|| NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) {
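Review bot: The retry drops from `PIPE_AUTH_LEVEL_PRIVACY` to an unauthenticated pipe via `cli_rpc_pipe_open_noauth()`, and nothing records that the weaker transport was used. The comment "OK, this is ugly, but... try an anonymous pipe." does not say why that is acceptable. I would replace it with a comment stating what still protects the new password on an unsealed pipe (presumably the SAMR request's own encryption keyed on the old password; confirm before writing it as fact). I would also log the downgrade before the open, e.g. `DEBUG(3, ("remote_password_change: retrying SAMR over an anonymous pipe\n"));`. The `else` branch continues outside this hunk.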
@@ -173,6 +179,7 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
just might not support SAMR password changes, so fall back */
if (lp_client_lanman_auth()) {
+ /* Use the old RAP method. */
if (cli_oem_change_password(&cli, user_name, new_passwd, old_passwd)) {
/* SAMR failed, but the old LanMan protocol worked! */
@@ -185,9 +192,10 @@ BOOL remote_password_change(const char *remote_machine, const char *user_name,
cli_shutdown(&cli);
return False;
} else {
- slprintf(err_str, err_str_len-1,
- "machine %s does not support SAMR connections, but LANMAN password changed are disabled\n",
- remote_machine);
+ slprintf(err_str, err_str_len-1,
+ "SAMR connection to machine %s failed. Error was %s, "
+ "but LANMAN password changed are disabled\n",
+ nt_errstr(result), remote_machine);
cli_shutdown(&cli);
return False;
}