diff options
author | Stefan Metzmacher <metze@samba.org> | 2007-02-18 22:01:02 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:48:34 -0500 |
commit | 6e2d85e38baa2221c2d31d2246567e7523e00fd6 (patch) | |
tree | 03ffa66d3d404b0353943d15a11ae586a24ceff1 | |
parent | 0515f728e64dde0c197aee6180dce79ad281d5f8 (diff) | |
download | samba-6e2d85e38baa2221c2d31d2246567e7523e00fd6.tar.gz samba-6e2d85e38baa2221c2d31d2246567e7523e00fd6.tar.bz2 samba-6e2d85e38baa2221c2d31d2246567e7523e00fd6.zip |
r21434: - get rid of "krb5Key"
- use "sambaPassword" only as virtual attribute for passing
the cleartext password (in unix charset) into the ldb layer
- store des-cbc-crc, des-cbc-md5 keys in the Primary:Kerberos
blob to match w2k and w2k3
- aes key support is disabled by default, as we don't know
exacly how longhorn stores them. use password_hash:create_aes_key=yes
to force creation of them.
- store the cleartext password in the Primary:CLEARTEXT blob
if configured
TODO:
- find out how longhorn stores aes keys
- find out how the Primary:WDigest blob needs to be constructed
(not supported by w2k)
metze
(This used to be commit e20b53f6feaaca2cc81ee7d296ca3ff757ee3953)
-rw-r--r-- | source4/auth/sam.c | 2 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/local_password.c | 3 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/password_hash.c | 1088 | ||||
-rw-r--r-- | source4/kdc/hdb-ldb.c | 181 |
4 files changed, 865 insertions, 409 deletions
diff --git a/source4/auth/sam.c b/source4/auth/sam.c index f9f801c800..7299078747 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -36,7 +36,7 @@ const char *user_attrs[] = { "userPrincipalName", "servicePrincipalName", "msDS-KeyVersionNumber", - "krb5Key", + "supplementalCredentials", /* passwords */ "dBCSPwd", diff --git a/source4/dsdb/samdb/ldb_modules/local_password.c b/source4/dsdb/samdb/ldb_modules/local_password.c index e72b7cb3a3..1a49ed5847 100644 --- a/source4/dsdb/samdb/ldb_modules/local_password.c +++ b/source4/dsdb/samdb/ldb_modules/local_password.c @@ -52,8 +52,7 @@ */ static const char * const password_attrs[] = { - "sambaPassword", - "krb5Key", + "supplementalCredentials", "unicodePwd", "dBCSPwd", "lmPwdHistory", diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index a2fe2a85db..a31486fdda 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -45,6 +45,8 @@ #include "dsdb/common/flags.h" #include "hdb.h" #include "dsdb/samdb/ldb_modules/password_modules.h" +#include "librpc/ndr/libndr.h" +#include "librpc/gen_ndr/ndr_drsblobs.h" /* If we have decided there is reason to work on this request, then * setup all the password hash types correctly. @@ -57,7 +59,7 @@ * calculate the password hashes. * * This function must not only update the unicodePwd, dBCSPwd and - * krb5Key fields, it must also atomicly increment the + * supplementalCredentials fields, it must also atomicly increment the * msDS-KeyVersionNumber. We should be in a transaction, so all this * should be quite safe... * @@ -95,324 +97,660 @@ struct domain_data { char *realm; }; -static int add_password_hashes(struct ldb_module *module, struct ldb_message *msg, int is_mod) +struct setup_password_fields_io { + struct ph_context *ac; + struct domain_data *domain; + struct smb_krb5_context *smb_krb5_context; + + /* infos about the user account */ + struct { + uint32_t user_account_control; + const char *sAMAccountName; + const char *user_principal_name; + bool is_computer; + } u; + + /* new credentials */ + struct { + const char *cleartext; + struct samr_Password *nt_hash; + struct samr_Password *lm_hash; + } n; + + /* old credentials */ + struct { + uint32_t nt_history_len; + struct samr_Password *nt_history; + uint32_t lm_history_len; + struct samr_Password *lm_history; + const struct ldb_val *supplemental; + struct supplementalCredentialsBlob scb; + uint32_t kvno; + } o; + + /* generated credentials */ + struct { + struct samr_Password *nt_hash; + struct samr_Password *lm_hash; + uint32_t nt_history_len; + struct samr_Password *nt_history; + uint32_t lm_history_len; + struct samr_Password *lm_history; + struct ldb_val supplemental; + NTTIME last_set; + uint32_t kvno; + } g; +}; + +static int setup_nt_fields(struct setup_password_fields_io *io) { - const char *sambaPassword; - struct samr_Password tmp_hash; - - sambaPassword = ldb_msg_find_attr_as_string(msg, "sambaPassword", NULL); - if (sambaPassword == NULL) { /* impossible, what happened ?! */ - return LDB_ERR_CONSTRAINT_VIOLATION; + uint32_t i; + + io->g.nt_hash = io->n.nt_hash; + + if (io->domain->pwdHistoryLength == 0) { + return LDB_SUCCESS; } - if (is_mod) { - if (ldb_msg_add_empty(msg, "unicodePwd", LDB_FLAG_MOD_REPLACE, NULL) != 0) { - return LDB_ERR_OPERATIONS_ERROR; - } - if (ldb_msg_add_empty(msg, "dBCSPwd", LDB_FLAG_MOD_REPLACE, NULL) != 0) { - return LDB_ERR_OPERATIONS_ERROR; - } - } + /* We might not have an old NT password */ + io->g.nt_history = talloc_array(io->ac, + struct samr_Password, + io->domain->pwdHistoryLength); + if (!io->g.nt_history) { + ldb_oom(io->ac->module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + for (i = 0; i < MIN(io->domain->pwdHistoryLength-1, io->o.nt_history_len); i++) { + io->g.nt_history[i+1] = io->o.nt_history[i]; + } + io->g.nt_history_len = i + 1; - /* compute the new nt and lm hashes */ - E_md4hash(sambaPassword, tmp_hash.hash); - if (samdb_msg_add_hash(module->ldb, msg, msg, "unicodePwd", &tmp_hash) != 0) { + if (io->g.nt_hash) { + io->g.nt_history[0] = *io->g.nt_hash; + } else { + /* + * TODO: is this correct? + * the simular behavior is correct for the lm history case + */ + E_md4hash("", io->g.nt_history[0].hash); + } + + return LDB_SUCCESS; +} + +static int setup_lm_fields(struct setup_password_fields_io *io) +{ + uint32_t i; + + io->g.lm_hash = io->n.lm_hash; + + if (io->domain->pwdHistoryLength == 0) { + return LDB_SUCCESS; + } + + /* We might not have an old NT password */ + io->g.lm_history = talloc_array(io->ac, + struct samr_Password, + io->domain->pwdHistoryLength); + if (!io->g.lm_history) { + ldb_oom(io->ac->module->ldb); return LDB_ERR_OPERATIONS_ERROR; } - if (E_deshash(sambaPassword, tmp_hash.hash)) { - if (samdb_msg_add_hash(module->ldb, msg, msg, "dBCSPwd", &tmp_hash) != 0) { - return LDB_ERR_OPERATIONS_ERROR; - } + for (i = 0; i < MIN(io->domain->pwdHistoryLength-1, io->o.lm_history_len); i++) { + io->g.lm_history[i+1] = io->o.lm_history[i]; + } + io->g.lm_history_len = i + 1; + + if (io->g.lm_hash) { + io->g.lm_history[0] = *io->g.lm_hash; + } else { + E_deshash("", io->g.lm_history[0].hash); } return LDB_SUCCESS; } -static int add_krb5_keys_from_password(struct ldb_module *module, struct ldb_message *msg, - struct smb_krb5_context *smb_krb5_context, - struct domain_data *domain, - const char *samAccountName, - const char *user_principal_name, - int is_computer) +static int setup_primary_kerberos(struct setup_password_fields_io *io, + const struct supplementalCredentialsBlob *old_scb, + struct package_PrimaryKerberosBlob *pkb) { - const char *sambaPassword; - Principal *salt_principal; krb5_error_code krb5_ret; - size_t num_keys; - Key *keys; - int i; + Principal *salt_principal; + krb5_salt salt; + krb5_keyblock key; + uint32_t k=0; + struct supplementalCredentialsPackage *old_scp = NULL; + struct package_PrimaryKerberosBlob _old_pkb; + struct package_PrimaryKerberosBlob *old_pkb = NULL; + uint32_t i; + NTSTATUS status; /* Many, many thanks to lukeh@padl.com for this * algorithm, described in his Nov 10 2004 mail to * samba-technical@samba.org */ - sambaPassword = ldb_msg_find_attr_as_string(msg, "sambaPassword", NULL); - if (sambaPassword == NULL) { /* impossible, what happened ?! */ - return LDB_ERR_OPERATIONS_ERROR; - } - - if (is_computer) { - /* Determine a salting principal */ - char *name = talloc_strdup(msg, samAccountName); + /* + * Determine a salting principal + */ + if (io->u.is_computer) { + char *name; char *saltbody; - if (name == NULL) { - ldb_asprintf_errstring(module->ldb, - "password_hash_handle: " - "generation of new kerberos keys failed: %s is a computer without a samAccountName", - ldb_dn_get_linearized(msg->dn)); + + name = talloc_strdup(io->ac, io->u.sAMAccountName); + if (!name) { + ldb_oom(io->ac->module->ldb); return LDB_ERR_OPERATIONS_ERROR; } + if (name[strlen(name)-1] == '$') { name[strlen(name)-1] = '\0'; } - saltbody = talloc_asprintf(msg, "%s.%s", name, domain->dns_domain); + + saltbody = talloc_asprintf(io->ac, "%s.%s", name, io->domain->dns_domain); + if (!saltbody) { + ldb_oom(io->ac->module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } - krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context, - &salt_principal, - domain->realm, "host", - saltbody, NULL); - } else if (user_principal_name) { + krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context, + &salt_principal, + io->domain->realm, "host", + saltbody, NULL); + } else if (io->u.user_principal_name) { + char *user_principal_name; char *p; - user_principal_name = talloc_strdup(msg, user_principal_name); - if (user_principal_name == NULL) { - return LDB_ERR_OPERATIONS_ERROR; - } else { - p = strchr(user_principal_name, '@'); - if (p) { - p[0] = '\0'; - } - krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context, - &salt_principal, - domain->realm, user_principal_name, NULL); - } - } else { - if (!samAccountName) { - ldb_asprintf_errstring(module->ldb, - "password_hash_handle: " - "generation of new kerberos keys failed: %s has no samAccountName", - ldb_dn_get_linearized(msg->dn)); + + user_principal_name = talloc_strdup(io->ac, io->u.user_principal_name); + if (!user_principal_name) { + ldb_oom(io->ac->module->ldb); return LDB_ERR_OPERATIONS_ERROR; } - krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context, - &salt_principal, - domain->realm, samAccountName, - NULL); + + p = strchr(user_principal_name, '@'); + if (p) { + p[0] = '\0'; + } + + krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context, + &salt_principal, + io->domain->realm, user_principal_name, + NULL); + } else { + krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context, + &salt_principal, + io->domain->realm, io->u.sAMAccountName, + NULL); + } + if (krb5_ret) { + ldb_asprintf_errstring(io->ac->module->ldb, + "setup_primary_kerberos: " + "generation of a salting principal failed: %s", + smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac)); + return LDB_ERR_OPERATIONS_ERROR; } + /* + * create salt from salt_principal + */ + krb5_ret = krb5_get_pw_salt(io->smb_krb5_context->krb5_context, + salt_principal, &salt); + krb5_free_principal(io->smb_krb5_context->krb5_context, salt_principal); if (krb5_ret) { - ldb_asprintf_errstring(module->ldb, - "password_hash_handle: " - "generation of a saltking principal failed: %s", - smb_get_krb5_error_message(smb_krb5_context->krb5_context, krb5_ret, msg)); + ldb_asprintf_errstring(io->ac->module->ldb, + "setup_primary_kerberos: " + "generation of krb5_salt failed: %s", + smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac)); + return LDB_ERR_OPERATIONS_ERROR; + } + /* create a talloc copy */ + pkb->salt.string = talloc_strndup(io->ac, + salt.saltvalue.data, + salt.saltvalue.length); + krb5_free_salt(io->smb_krb5_context->krb5_context, salt); + if (!pkb->salt.string) { + ldb_oom(io->ac->module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + salt.saltvalue.data = discard_const(pkb->salt.string); + salt.saltvalue.length = strlen(pkb->salt.string); + + /* + * prepare generation of keys + * + * ENCTYPE_AES256_CTS_HMAC_SHA1_96 (disabled by default) + * ENCTYPE_DES_CBC_MD5 + * ENCTYPE_DES_CBC_CRC + * + * NOTE: update num_keys1 when you add another enctype! + */ + pkb->num_keys1 = 0; + pkb->keys1 = talloc_array(io->ac, struct package_PrimaryKerberosKey, 3); + if (!pkb->keys1) { + ldb_oom(io->ac->module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + pkb->unknown3_1 = talloc_zero_array(io->ac, uint64_t, pkb->num_keys1); + if (!pkb->unknown3_1) { + ldb_oom(io->ac->module->ldb); return LDB_ERR_OPERATIONS_ERROR; } - /* TODO: We may wish to control the encryption types chosen in future */ - krb5_ret = hdb_generate_key_set_password(smb_krb5_context->krb5_context, - salt_principal, sambaPassword, &keys, &num_keys); - krb5_free_principal(smb_krb5_context->krb5_context, salt_principal); +if (lp_parm_bool(-1, "password_hash", "create_aes_key", false)) { +/* + * TODO: + * + * w2k and w2k3 doesn't support AES, so we'll not include + * the AES key here yet. + * + * Also we don't have an example supplementalCredentials blob + * from Windows Longhorn Server with AES support + * + */ + /* + * create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of + * the salt and the cleartext password + */ + krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context, + ENCTYPE_AES256_CTS_HMAC_SHA1_96, + io->n.cleartext, + salt, + &key); + pkb->keys1[k].keytype = ENCTYPE_AES256_CTS_HMAC_SHA1_96; + pkb->keys1[k].value = talloc(pkb->keys1, DATA_BLOB); + if (!pkb->keys1[k].value) { + krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key); + ldb_oom(io->ac->module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + *pkb->keys1[k].value = data_blob_talloc(pkb->keys1[k].value, + key.keyvalue.data, + key.keyvalue.length); + krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key); + if (!pkb->keys1[k].value->data) { + ldb_oom(io->ac->module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + k++; +} - if (krb5_ret) { - ldb_asprintf_errstring(module->ldb, - "password_hash_handle: " - "generation of new kerberos keys failed: %s", - smb_get_krb5_error_message(smb_krb5_context->krb5_context, krb5_ret, msg)); + /* + * create ENCTYPE_DES_CBC_MD5 key out of + * the salt and the cleartext password + */ + krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context, + ENCTYPE_DES_CBC_MD5, + io->n.cleartext, + salt, + &key); + pkb->keys1[k].keytype = ENCTYPE_DES_CBC_MD5; + pkb->keys1[k].value = talloc(pkb->keys1, DATA_BLOB); + if (!pkb->keys1[k].value) { + krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key); + ldb_oom(io->ac->module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + *pkb->keys1[k].value = data_blob_talloc(pkb->keys1[k].value, + key.keyvalue.data, + key.keyvalue.length); + krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key); + if (!pkb->keys1[k].value->data) { + ldb_oom(io->ac->module->ldb); return LDB_ERR_OPERATIONS_ERROR; } + k++; - /* Walking all the key types generated, transform each - * key into an ASN.1 blob + /* + * create ENCTYPE_DES_CBC_CRC key out of + * the salt and the cleartext password */ - for (i=0; i < num_keys; i++) { - unsigned char *buf; - size_t buf_size; - size_t len; - struct ldb_val val; - int ret; - - if (keys[i].key.keytype == KEYTYPE_ARCFOUR) { - /* We might end up doing this below: - * This ensures we get the unicode - * conversion right. This should also - * be fixed in the Heimdal libs */ + krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context, + ENCTYPE_DES_CBC_CRC, + io->n.cleartext, + salt, + &key); + pkb->keys1[k].keytype = ENCTYPE_DES_CBC_CRC; + pkb->keys1[k].value = talloc(pkb->keys1, DATA_BLOB); + if (!pkb->keys1[k].value) { + krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key); + ldb_oom(io->ac->module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + *pkb->keys1[k].value = data_blob_talloc(pkb->keys1[k].value, + key.keyvalue.data, + key.keyvalue.length); + krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key); + if (!pkb->keys1[k].value->data) { + ldb_oom(io->ac->module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + k++; + + /* fix up key number */ + pkb->num_keys1 = k; + + /* initialize the old keys to zero */ + pkb->num_keys2 = 0; + pkb->keys2 = NULL; + pkb->unknown3_2 = NULL; + + /* if there're no old keys, then we're done */ + if (!old_scb) { + return LDB_SUCCESS; + } + + for (i=0; i < old_scb->sub.num_packages; i++) { + if (old_scb->sub.packages[i].unknown1 != 0x00000001) { continue; } - ASN1_MALLOC_ENCODE(Key, buf, buf_size, &keys[i], &len, krb5_ret); - if (krb5_ret) { - return LDB_ERR_OPERATIONS_ERROR; + + if (strcmp("Primary:Kerberos", old_scb->sub.packages[i].name) != 0) { + continue; } - - val.data = talloc_memdup(msg, buf, len); - val.length = len; - free(buf); - if (!val.data || krb5_ret) { - hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys); + + if (!old_scb->sub.packages[i].data || !old_scb->sub.packages[i].data[0]) { + continue; + } + + old_scp = &old_scb->sub.packages[i]; + break; + } + /* Primary:Kerberos element of supplementalCredentials */ + if (old_scp) { + DATA_BLOB blob; + + blob = strhex_to_data_blob(old_scp->data); + if (!blob.data) { + ldb_oom(io->ac->module->ldb); return LDB_ERR_OPERATIONS_ERROR; } - ret = ldb_msg_add_value(msg, "krb5Key", &val, NULL); - if (ret != LDB_SUCCESS) { - hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys); - return ret; + talloc_steal(io->ac, blob.data); + + /* TODO: use ndr_pull_struct_blob_all(), when the ndr layer handles it correct with relative pointers */ + status = ndr_pull_struct_blob(&blob, io->ac, &_old_pkb, + (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob); + if (!NT_STATUS_IS_OK(status)) { + ldb_asprintf_errstring(io->ac->module->ldb, + "setup_primary_kerberos: " + "failed to pull old package_PrimaryKerberosBlob: %s", + nt_errstr(status)); + return LDB_ERR_OPERATIONS_ERROR; } + old_pkb = &_old_pkb; } - - hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys); + + /* if we didn't found the old keys we're done */ + if (!old_pkb) { + return LDB_SUCCESS; + } + + /* fill in the old keys */ + pkb->num_keys2 = old_pkb->num_keys1; + pkb->keys2 = old_pkb->keys1; + pkb->unknown3_2 = old_pkb->unknown3_1; return LDB_SUCCESS; } -static int add_krb5_keys_from_NThash(struct ldb_module *module, struct ldb_message *msg, - struct smb_krb5_context *smb_krb5_context) +static int setup_supplemental_field(struct setup_password_fields_io *io) { - struct samr_Password *ntPwdHash; - krb5_error_code krb5_ret; - unsigned char *buf; - size_t buf_size; - size_t len; - struct ldb_val val; - Key key; - - key.mkvno = 0; - key.salt = NULL; /* No salt for this enc type */ + struct supplementalCredentialsBlob scb; + struct supplementalCredentialsBlob _old_scb; + struct supplementalCredentialsBlob *old_scb = NULL; + /* Packages + (Kerberos and maybe CLEARTEXT) */ + uint32_t num_packages = 1 + 1; + struct supplementalCredentialsPackage packages[1+2]; + struct supplementalCredentialsPackage *pp = &packages[0]; + struct supplementalCredentialsPackage *pk = &packages[1]; + struct supplementalCredentialsPackage *pc = NULL; + struct package_PackagesBlob pb; + DATA_BLOB pb_blob; + char *pb_hexstr; + struct package_PrimaryKerberosBlob pkb; + DATA_BLOB pkb_blob; + char *pkb_hexstr; + struct package_PrimaryCLEARTEXTBlob pcb; + DATA_BLOB pcb_blob; + char *pcb_hexstr; + int ret; + NTSTATUS status; + uint8_t zero16[16]; + + ZERO_STRUCT(zero16); + + if (!io->n.cleartext) { + /* + * when we don't have a cleartext password + * we can't setup a supplementalCredential value + */ + return LDB_SUCCESS; + } + + /* if there's an old supplementaCredentials blob then parse it */ + if (io->o.supplemental) { + status = ndr_pull_struct_blob_all(io->o.supplemental, io->ac, &_old_scb, + (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob); + if (!NT_STATUS_IS_OK(status)) { + ldb_asprintf_errstring(io->ac->module->ldb, + "setup_supplemental_field: " + "failed to pull old supplementalCredentialsBlob: %s", + nt_errstr(status)); + return LDB_ERR_OPERATIONS_ERROR; + } - ntPwdHash = samdb_result_hash(msg, msg, "unicodePwd"); - if (ntPwdHash == NULL) { /* what happened ?! */ - return LDB_ERR_OPERATIONS_ERROR; + old_scb = &_old_scb; } - krb5_ret = krb5_keyblock_init(smb_krb5_context->krb5_context, - KEYTYPE_ARCFOUR, - ntPwdHash->hash, sizeof(ntPwdHash->hash), - &key.key); - if (krb5_ret) { - return LDB_ERR_OPERATIONS_ERROR; + if (io->domain->store_cleartext && + (io->u.user_account_control & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) { + pc = &packages[2]; + num_packages++; } - ASN1_MALLOC_ENCODE(Key, buf, buf_size, &key, &len, krb5_ret); - if (krb5_ret) { + + /* Kerberos, CLEARTEXT and termination(counted by the Packages element) */ + pb.names = talloc_zero_array(io->ac, const char *, num_packages); + + /* + * setup 'Primary:Kerberos' element + */ + pb.names[0] = "Kerberos"; + + ret = setup_primary_kerberos(io, old_scb, &pkb); + if (ret != LDB_SUCCESS) { + return ret; + } + + status = ndr_push_struct_blob(&pkb_blob, io->ac, &pkb, + (ndr_push_flags_fn_t)ndr_push_package_PrimaryKerberosBlob); + if (!NT_STATUS_IS_OK(status)) { + ldb_asprintf_errstring(io->ac->module->ldb, + "setup_supplemental_field: " + "failed to push package_PrimaryKerberosBlob: %s", + nt_errstr(status)); return LDB_ERR_OPERATIONS_ERROR; } - krb5_free_keyblock_contents(smb_krb5_context->krb5_context, - &key.key); - - val.data = talloc_memdup(msg, buf, len); - val.length = len; - free(buf); - if (!val.data) { + /* + * TODO: + * + * This is ugly, but we want to generate the same blob as + * w2k and w2k3...we should handle this in the idl + */ + status = data_blob_append(io->ac, &pkb_blob, zero16, sizeof(zero16)); + if (!NT_STATUS_IS_OK(status)) { + ldb_oom(io->ac->module->ldb); return LDB_ERR_OPERATIONS_ERROR; } - if (ldb_msg_add_value(msg, "krb5Key", &val, NULL) != 0) { + pkb_hexstr = data_blob_hex_string(io->ac, &pkb_blob); + if (!pkb_hexstr) { + ldb_oom(io->ac->module->ldb); return LDB_ERR_OPERATIONS_ERROR; } + pk->name = "Primary:Kerberos"; + pk->unknown1 = 1; + pk->data = pkb_hexstr; - return LDB_SUCCESS; -} - -static int set_pwdLastSet(struct ldb_module *module, struct ldb_message *msg, int is_mod) -{ - NTTIME now_nt; - - /* set it as now */ - unix_to_nt_time(&now_nt, time(NULL)); - - if (!is_mod) { - /* be sure there isn't a 0 value set (eg. coming from the template) */ - ldb_msg_remove_attr(msg, "pwdLastSet"); - /* add */ - if (ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_ADD, NULL) != 0) { + /* + * setup 'Primary:CLEARTEXT' element + */ + if (pc) { + pb.names[1] = "CLEARTEXT"; + + pcb.cleartext = io->n.cleartext; + + status = ndr_push_struct_blob(&pcb_blob, io->ac, &pcb, + (ndr_push_flags_fn_t)ndr_push_package_PrimaryCLEARTEXTBlob); + if (!NT_STATUS_IS_OK(status)) { + ldb_asprintf_errstring(io->ac->module->ldb, + "setup_supplemental_field: " + "failed to push package_PrimaryCLEARTEXTBlob: %s", + nt_errstr(status)); return LDB_ERR_OPERATIONS_ERROR; } - } else { - /* replace */ - if (ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE, NULL) != 0) { + pcb_hexstr = data_blob_hex_string(io->ac, &pcb_blob); + if (!pcb_hexstr) { + ldb_oom(io->ac->module->ldb); return LDB_ERR_OPERATIONS_ERROR; } + pc->name = "Primary:CLEARTEXT"; + pc->unknown1 = 1; + pc->data = pcb_hexstr; } - if (samdb_msg_add_uint64(module->ldb, msg, msg, "pwdLastSet", now_nt) != 0) { + /* + * setup 'Packages' element + */ + status = ndr_push_struct_blob(&pb_blob, io->ac, &pb, + (ndr_push_flags_fn_t)ndr_push_package_PackagesBlob); + if (!NT_STATUS_IS_OK(status)) { + ldb_asprintf_errstring(io->ac->module->ldb, + "setup_supplemental_field: " + "failed to push package_PackagesBlob: %s", + nt_errstr(status)); return LDB_ERR_OPERATIONS_ERROR; } - - return LDB_SUCCESS; -} - -static int add_keyVersionNumber(struct ldb_module *module, struct ldb_message *msg, int previous) -{ - /* replace or add */ - if (ldb_msg_add_empty(msg, "msDS-KeyVersionNumber", LDB_FLAG_MOD_REPLACE, NULL) != 0) { + pb_hexstr = data_blob_hex_string(io->ac, &pb_blob); + if (!pb_hexstr) { + ldb_oom(io->ac->module->ldb); return LDB_ERR_OPERATIONS_ERROR; } + pp->name = "Packages"; + pp->unknown1 = 2; + pp->data = pb_hexstr; - if (samdb_msg_add_uint(module->ldb, msg, msg, "msDS-KeyVersionNumber", previous+1) != 0) { + /* + * setup 'supplementalCredentials' value + */ + scb.sub.num_packages = num_packages; + scb.sub.packages = packages; + + status = ndr_push_struct_blob(&io->g.supplemental, io->ac, &scb, + (ndr_push_flags_fn_t)ndr_push_supplementalCredentialsBlob); + if (!NT_STATUS_IS_OK(status)) { + ldb_asprintf_errstring(io->ac->module->ldb, + "setup_supplemental_field: " + "failed to push supplementalCredentialsBlob: %s", + nt_errstr(status)); return LDB_ERR_OPERATIONS_ERROR; } return LDB_SUCCESS; } -static int setPwdHistory(struct ldb_module *module, struct ldb_message *msg, struct ldb_message *old_msg, int hlen) +static int setup_last_set_field(struct setup_password_fields_io *io) { - struct samr_Password *nt_hash; - struct samr_Password *lm_hash; - struct samr_Password *nt_history; - struct samr_Password *lm_history; - struct samr_Password *new_nt_history; - struct samr_Password *new_lm_history; - int nt_hist_len; - int lm_hist_len; - int i; + /* set it as now */ + unix_to_nt_time(&io->g.last_set, time(NULL)); - nt_hash = samdb_result_hash(msg, old_msg, "unicodePwd"); - lm_hash = samdb_result_hash(msg, old_msg, "dBCSPwd"); + return LDB_SUCCESS; +} - /* if no previous passwords just return */ - if (nt_hash == NULL && lm_hash == NULL) return LDB_SUCCESS; +static int setup_kvno_field(struct setup_password_fields_io *io) +{ + /* increment by one */ + io->g.kvno = io->o.kvno + 1; - nt_hist_len = samdb_result_hashes(msg, old_msg, "ntPwdHistory", &nt_history); - lm_hist_len = samdb_result_hashes(msg, old_msg, "lmPwdHistory", &lm_history); + return LDB_SUCCESS; +} - /* We might not have an old NT password */ - new_nt_history = talloc_array(msg, struct samr_Password, hlen); - if (new_nt_history == NULL) { - return LDB_ERR_OPERATIONS_ERROR; - } - for (i = 0; i < MIN(hlen-1, nt_hist_len); i++) { - new_nt_history[i+1] = nt_history[i]; - } - nt_hist_len = i + 1; - if (nt_hash) { - new_nt_history[0] = *nt_hash; - } else { - ZERO_STRUCT(new_nt_history[0]); +static int setup_password_fields(struct setup_password_fields_io *io) +{ + bool ok; + int ret; + + /* + * refuse the change if someone want to change the cleartext + * and supply his own hashes at the same time... + */ + if (io->n.cleartext && (io->n.nt_hash || io->n.lm_hash)) { + ldb_asprintf_errstring(io->ac->module->ldb, + "setup_password_fields: " + "it's only allowed to set the cleartext password or the password hashes"); + return LDB_ERR_UNWILLING_TO_PERFORM; } - if (ldb_msg_add_empty(msg, "ntPwdHistory", LDB_FLAG_MOD_REPLACE, NULL) != LDB_SUCCESS) { - return LDB_ERR_OPERATIONS_ERROR; + + if (io->n.cleartext && !io->n.nt_hash) { + struct samr_Password *hash; + + hash = talloc(io->ac, struct samr_Password); + if (!hash) { + ldb_oom(io->ac->module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + /* compute the new nt hash */ + ok = E_md4hash(io->n.cleartext, hash->hash); + if (ok) { + io->n.nt_hash = hash; + } else { + ldb_asprintf_errstring(io->ac->module->ldb, + "setup_password_fields: " + "failed to generate nthash from cleartext password"); + return LDB_ERR_OPERATIONS_ERROR; + } } - if (samdb_msg_add_hashes(msg, msg, "ntPwdHistory", new_nt_history, nt_hist_len) != LDB_SUCCESS) { - return LDB_ERR_OPERATIONS_ERROR; + + if (io->n.cleartext && !io->n.lm_hash) { + struct samr_Password *hash; + + hash = talloc(io->ac, struct samr_Password); + if (!hash) { + ldb_oom(io->ac->module->ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + /* compute the new lm hash */ + ok = E_deshash(io->n.cleartext, hash->hash); + if (ok) { + io->n.lm_hash = hash; + } else { + talloc_free(hash->hash); + } } - - /* Don't store 'long' passwords in the LM history, - but make sure to 'expire' one password off the other end */ - new_lm_history = talloc_array(msg, struct samr_Password, hlen); - if (new_lm_history == NULL) { - return LDB_ERR_OPERATIONS_ERROR; + ret = setup_nt_fields(io); + if (ret != 0) { + return ret; } - for (i = 0; i < MIN(hlen-1, lm_hist_len); i++) { - new_lm_history[i+1] = lm_history[i]; + + ret = setup_lm_fields(io); + if (ret != 0) { + return ret; } - lm_hist_len = i + 1; - if (lm_hash) { - new_lm_history[0] = *lm_hash; - } else { - ZERO_STRUCT(new_lm_history[0]); + + ret = setup_supplemental_field(io); + if (ret != 0) { + return ret; } - if (ldb_msg_add_empty(msg, "lmPwdHistory", LDB_FLAG_MOD_REPLACE, NULL) != LDB_SUCCESS) { - return LDB_ERR_OPERATIONS_ERROR; + + ret = setup_last_set_field(io); + if (ret != 0) { + return ret; } - if (samdb_msg_add_hashes(msg, msg, "lmPwdHistory", new_lm_history, lm_hist_len) != LDB_SUCCESS) { - return LDB_ERR_OPERATIONS_ERROR; + + ret = setup_kvno_field(io); + if (ret != 0) { + return ret; } return LDB_SUCCESS; @@ -593,9 +931,14 @@ static int password_hash_add(struct ldb_module *module, struct ldb_request *req) return ldb_next_request(module, req); } - /* nobody must touch password Histories */ - if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory") || - ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) { + /* nobody must touch this fields */ + if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory")) { + return LDB_ERR_UNWILLING_TO_PERFORM; + } + if (ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) { + return LDB_ERR_UNWILLING_TO_PERFORM; + } + if (ldb_msg_find_element(req->op.add.message, "supplementalCredentials")) { return LDB_ERR_UNWILLING_TO_PERFORM; } @@ -677,8 +1020,8 @@ static int password_hash_add_do_add(struct ldb_handle *h) { struct ph_context *ac; struct domain_data *domain; struct smb_krb5_context *smb_krb5_context; - struct ldb_message_element *sambaAttr; struct ldb_message *msg; + struct setup_password_fields_io io; int ret; ac = talloc_get_type(h->private_data, struct ph_context); @@ -704,54 +1047,84 @@ static int password_hash_add_do_add(struct ldb_handle *h) { return LDB_ERR_OPERATIONS_ERROR; } - /* if we have sambaPassword in the original message add the operatio on it here */ - sambaAttr = ldb_msg_find_element(msg, "sambaPassword"); - if (sambaAttr) { - unsigned int user_account_control; - ret = add_password_hashes(ac->module, msg, 0); - /* we can compute new password hashes from the unicode password */ + ZERO_STRUCT(io); + io.ac = ac; + io.domain = domain; + io.smb_krb5_context = smb_krb5_context; + + io.u.user_account_control = samdb_result_uint(msg, "userAccountControl", 0); + io.u.sAMAccountName = samdb_result_string(msg, "samAccountName", NULL); + io.u.user_principal_name = samdb_result_string(msg, "userPrincipalName", NULL); + io.u.is_computer = ldb_msg_check_string_attribute(msg, "objectClass", "computer"); + + io.n.cleartext = samdb_result_string(msg, "sambaPassword", NULL); + io.n.nt_hash = samdb_result_hash(io.ac, msg, "unicodePwd"); + io.n.lm_hash = samdb_result_hash(io.ac, msg, "dBCSPwd"); + + /* remove attributes */ + if (io.n.cleartext) ldb_msg_remove_attr(msg, "sambaPassword"); + if (io.n.nt_hash) ldb_msg_remove_attr(msg, "unicodePwd"); + if (io.n.lm_hash) ldb_msg_remove_attr(msg, "dBCSPwd"); + ldb_msg_remove_attr(msg, "pwdLastSet"); + io.o.kvno = samdb_result_uint(msg, "msDs-KeyVersionNumber", 1) - 1; + ldb_msg_remove_attr(msg, "msDs-KeyVersionNumber"); + + ret = setup_password_fields(&io); + if (ret != LDB_SUCCESS) { + return ret; + } + + if (io.g.nt_hash) { + ret = samdb_msg_add_hash(ac->module->ldb, ac, msg, + "unicodePwd", io.g.nt_hash); if (ret != LDB_SUCCESS) { return ret; } - - /* now add krb5 keys based on unicode password */ - ret = add_krb5_keys_from_password(ac->module, msg, smb_krb5_context, domain, - ldb_msg_find_attr_as_string(msg, "samAccountName", NULL), - ldb_msg_find_attr_as_string(msg, "userPrincipalName", NULL), - ldb_msg_check_string_attribute(msg, "objectClass", "computer")); + } + if (io.g.lm_hash) { + ret = samdb_msg_add_hash(ac->module->ldb, ac, msg, + "dBCSPwd", io.g.lm_hash); if (ret != LDB_SUCCESS) { return ret; } - - /* if both the domain properties and the user account controls do not permit - * clear text passwords then wipe out the sambaPassword */ - user_account_control = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0); - if (domain->store_cleartext && (user_account_control & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) { - /* Keep sambaPassword attribute */ - } else { - ldb_msg_remove_attr(msg, "sambaPassword"); - } } - - /* add also krb5 keys based on NT the hash (we might have unicodePwd, but not the cleartext */ - ret = add_krb5_keys_from_NThash(ac->module, msg, smb_krb5_context); - if (ret != LDB_SUCCESS) { - return ret; + if (io.g.nt_history_len > 0) { + ret = samdb_msg_add_hashes(ac, msg, + "ntPwdHistory", + io.g.nt_history, + io.g.nt_history_len); + if (ret != LDB_SUCCESS) { + return ret; + } } - - /* don't touch it if a value is set. It could be an incoming samsync */ - if (ldb_msg_find_attr_as_uint64(msg, "pwdLastSet", 0) == 0) { - if (set_pwdLastSet(ac->module, msg, 0) != LDB_SUCCESS) { - return LDB_ERR_OPERATIONS_ERROR; + if (io.g.lm_history_len > 0) { + ret = samdb_msg_add_hashes(ac, msg, + "lmPwdHistory", + io.g.lm_history, + io.g.lm_history_len); + if (ret != LDB_SUCCESS) { + return ret; } } - - /* don't touch it if a value is set. It could be an incoming samsync */ - if (!ldb_msg_find_element(msg, "msDS-KeyVersionNumber")) { - if (add_keyVersionNumber(ac->module, msg, 0) != LDB_SUCCESS) { - return LDB_ERR_OPERATIONS_ERROR; + if (io.g.supplemental.length > 0) { + ret = ldb_msg_add_value(msg, "supplementalCredentials", + &io.g.supplemental, NULL); + if (ret != LDB_SUCCESS) { + return ret; } } + ret = samdb_msg_add_uint64(ac->module->ldb, ac, msg, + "pwdLastSet", + io.g.last_set); + if (ret != LDB_SUCCESS) { + return ret; + } + ret = samdb_msg_add_uint(ac->module->ldb, ac, msg, + "msDs-KeyVersionNumber", + io.g.kvno); + if (ret != LDB_SUCCESS) { + return ret; + } h->state = LDB_ASYNC_INIT; h->status = LDB_SUCCESS; @@ -788,8 +1161,13 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r } /* nobody must touch password Histories */ - if (ldb_msg_find_element(req->op.mod.message, "ntPwdHistory") || - ldb_msg_find_element(req->op.mod.message, "lmPwdHistory")) { + if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory")) { + return LDB_ERR_UNWILLING_TO_PERFORM; + } + if (ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) { + return LDB_ERR_UNWILLING_TO_PERFORM; + } + if (ldb_msg_find_element(req->op.add.message, "supplementalCredentials")) { return LDB_ERR_UNWILLING_TO_PERFORM; } @@ -797,6 +1175,13 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r ntAttr = ldb_msg_find_element(req->op.mod.message, "unicodePwd"); lmAttr = ldb_msg_find_element(req->op.mod.message, "dBCSPwd"); + /* If no part of this touches the sambaPassword OR unicodePwd and/or dBCSPwd, then we don't + * need to make any changes. For password changes/set there should + * be a 'delete' or a 'modify' on this attribute. */ + if ((!sambaAttr) && (!ntAttr) && (!lmAttr)) { + return ldb_next_request(module, req); + } + /* check passwords are single valued here */ /* TODO: remove this when passwords will be single valued in schema */ if (sambaAttr && (sambaAttr->num_values > 1)) { @@ -809,17 +1194,6 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r return LDB_ERR_CONSTRAINT_VIOLATION; } - /* If no part of this touches the sambaPassword OR unicodePwd and/or dBCSPwd, then we don't - * need to make any changes. For password changes/set there should - * be a 'delete' or a 'modify' on this attribute. */ - /* If the only operation is the deletion of the passwords then go on */ - if ( ((!sambaAttr) || ((sambaAttr->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE)) - && ((!ntAttr) || ((ntAttr->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE)) - && ((!lmAttr) || ((lmAttr->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE)) ) { - - return ldb_next_request(module, req); - } - h = ph_init_handle(req, module, PH_MOD); if (!h) { return LDB_ERR_OPERATIONS_ERROR; @@ -906,8 +1280,9 @@ static int password_hash_mod_search_self(struct ldb_handle *h) { "ntPwdHistory", "objectSid", "msDS-KeyVersionNumber", "objectClass", "userPrincipalName", - "samAccountName", + "sAMAccountName", "dBCSPwd", "unicodePwd", + "supplementalCredentials", NULL }; ac = talloc_get_type(h->private_data, struct ph_context); @@ -968,11 +1343,11 @@ static int password_hash_mod_do_mod(struct ldb_handle *h) { struct ph_context *ac; struct domain_data *domain; struct smb_krb5_context *smb_krb5_context; - struct ldb_message_element *sambaAttr; struct ldb_message *msg; - int phlen; + struct ldb_message *orig_msg; + struct ldb_message *searched_msg; + struct setup_password_fields_io io; int ret; - BOOL added_hashes = False; ac = talloc_get_type(h->private_data, struct ph_context); @@ -1002,94 +1377,93 @@ static int password_hash_mod_do_mod(struct ldb_handle *h) { return LDB_ERR_OPERATIONS_ERROR; } - /* we are going to replace the existing krb5key or delete it */ - if (ldb_msg_add_empty(msg, "krb5key", LDB_FLAG_MOD_REPLACE, NULL) != 0) { - return LDB_ERR_OPERATIONS_ERROR; - } + orig_msg = discard_const(ac->orig_req->op.mod.message); + searched_msg = ac->search_res->message; - /* if we have sambaPassword in the original message add the operation on it here */ - sambaAttr = ldb_msg_find_element(ac->orig_req->op.mod.message, "sambaPassword"); - if (sambaAttr) { + ZERO_STRUCT(io); + io.ac = ac; + io.domain = domain; + io.smb_krb5_context = smb_krb5_context; - if (ldb_msg_add(msg, sambaAttr, sambaAttr->flags) != 0) { - return LDB_ERR_OPERATIONS_ERROR; - } + io.u.user_account_control = samdb_result_uint(searched_msg, "userAccountControl", 0); + io.u.sAMAccountName = samdb_result_string(searched_msg, "samAccountName", NULL); + io.u.user_principal_name = samdb_result_string(searched_msg, "userPrincipalName", NULL); + io.u.is_computer = ldb_msg_check_string_attribute(searched_msg, "objectClass", "computer"); - /* if we are actually settting a new unicode password, - * use it to generate the password hashes */ - if (((sambaAttr->flags & LDB_FLAG_MOD_MASK) != LDB_FLAG_MOD_DELETE) - && (sambaAttr->num_values == 1)) { - /* we can compute new password hashes from the unicode password */ - ret = add_password_hashes(ac->module, msg, 1); - if (ret != LDB_SUCCESS) { - return ret; - } - - added_hashes = True; - - /* now add krb5 keys based on unicode password */ - ret = add_krb5_keys_from_password(ac->module, msg, smb_krb5_context, domain, - ldb_msg_find_attr_as_string(ac->search_res->message, "samAccountName", NULL), - ldb_msg_find_attr_as_string(ac->search_res->message, "userPrincipalName", NULL), - ldb_msg_check_string_attribute(ac->search_res->message, "objectClass", "computer")); - - if (ret != LDB_SUCCESS) { - return ret; - } - - /* if the domain properties or the user account controls do not permit - * clear text passwords then wipe out the sambaPassword */ - if (domain->store_cleartext && - (ldb_msg_find_attr_as_uint(ac->search_res->message, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) { - /* Keep sambaPassword attribute */ - } else { - ldb_msg_remove_attr(msg, "sambaPassword"); - } + io.n.cleartext = samdb_result_string(orig_msg, "sambaPassword", NULL); + io.n.nt_hash = samdb_result_hash(io.ac, orig_msg, "unicodePwd"); + io.n.lm_hash = samdb_result_hash(io.ac, orig_msg, "dBCSPwd"); - } + io.o.kvno = samdb_result_uint(searched_msg, "msDs-KeyVersionNumber", 0); + io.o.nt_history_len = samdb_result_hashes(io.ac, searched_msg, "ntPwdHistory", &io.o.nt_history); + io.o.lm_history_len = samdb_result_hashes(io.ac, searched_msg, "lmPwdHistory", &io.o.lm_history); + io.o.supplemental = ldb_msg_find_ldb_val(searched_msg, "supplementalCredentials"); + + ret = setup_password_fields(&io); + if (ret != LDB_SUCCESS) { + return ret; } - /* if we didn't create the hashes above, try using values supplied directly */ - if (!added_hashes) { - struct ldb_message_element *el; - - el = ldb_msg_find_element(ac->orig_req->op.mod.message, "unicodePwd"); - if (ldb_msg_add(msg, el, el->flags) != 0) { - return LDB_ERR_OPERATIONS_ERROR; - } - - el = ldb_msg_find_element(ac->orig_req->op.mod.message, "dBCSPwd"); - if (ldb_msg_add(msg, el, el->flags) != 0) { - return LDB_ERR_OPERATIONS_ERROR; + /* make sure we replace all the old attributes */ + ret = ldb_msg_add_empty(msg, "unicodePwd", LDB_FLAG_MOD_REPLACE, NULL); + ret = ldb_msg_add_empty(msg, "dBCSPwd", LDB_FLAG_MOD_REPLACE, NULL); + ret = ldb_msg_add_empty(msg, "ntPwdHistory", LDB_FLAG_MOD_REPLACE, NULL); + ret = ldb_msg_add_empty(msg, "lmPwdHistory", LDB_FLAG_MOD_REPLACE, NULL); + ret = ldb_msg_add_empty(msg, "supplementalCredentials", LDB_FLAG_MOD_REPLACE, NULL); + ret = ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE, NULL); + ret = ldb_msg_add_empty(msg, "msDs-KeyVersionNumber", LDB_FLAG_MOD_REPLACE, NULL); + + if (io.g.nt_hash) { + ret = samdb_msg_add_hash(ac->module->ldb, ac, msg, + "unicodePwd", io.g.nt_hash); + if (ret != LDB_SUCCESS) { + return ret; } } - - /* add also krb5 keys based on NT the hash */ - if (add_krb5_keys_from_NThash(ac->module, msg, smb_krb5_context) != LDB_SUCCESS) { - return LDB_ERR_OPERATIONS_ERROR; + if (io.g.lm_hash) { + ret = samdb_msg_add_hash(ac->module->ldb, ac, msg, + "dBCSPwd", io.g.lm_hash); + if (ret != LDB_SUCCESS) { + return ret; + } } - - /* set change time */ - if (set_pwdLastSet(ac->module, msg, 1) != LDB_SUCCESS) { - return LDB_ERR_OPERATIONS_ERROR; + if (io.g.nt_history_len > 0) { + ret = samdb_msg_add_hashes(ac, msg, + "ntPwdHistory", + io.g.nt_history, + io.g.nt_history_len); + if (ret != LDB_SUCCESS) { + return ret; + } } - - /* don't touch it if a value is set. It could be an incoming samsync */ - if (!ldb_msg_find_element(ac->orig_req->op.mod.message, - "msDS-KeyVersionNumber")) { - if (add_keyVersionNumber(ac->module, msg, - ldb_msg_find_attr_as_uint(ac->search_res->message, - "msDS-KeyVersionNumber", 0) - ) != LDB_SUCCESS) { - return LDB_ERR_OPERATIONS_ERROR; + if (io.g.lm_history_len > 0) { + ret = samdb_msg_add_hashes(ac, msg, + "lmPwdHistory", + io.g.lm_history, + io.g.lm_history_len); + if (ret != LDB_SUCCESS) { + return ret; } } - - if ((phlen = samdb_result_uint(ac->dom_res->message, "pwdHistoryLength", 0)) > 0) { - if (setPwdHistory(ac->module, msg, ac->search_res->message, phlen) != LDB_SUCCESS) { - return LDB_ERR_OPERATIONS_ERROR; + if (io.g.supplemental.length > 0) { + ret = ldb_msg_add_value(msg, "supplementalCredentials", + &io.g.supplemental, NULL); + if (ret != LDB_SUCCESS) { + return ret; } } + ret = samdb_msg_add_uint64(ac->module->ldb, ac, msg, + "pwdLastSet", + io.g.last_set); + if (ret != LDB_SUCCESS) { + return ret; + } + ret = samdb_msg_add_uint(ac->module->ldb, ac, msg, + "msDs-KeyVersionNumber", + io.g.kvno); + if (ret != LDB_SUCCESS) { + return ret; + } h->state = LDB_ASYNC_INIT; h->status = LDB_SUCCESS; diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c index bad3e08829..ffab44c8e9 100644 --- a/source4/kdc/hdb-ldb.c +++ b/source4/kdc/hdb-ldb.c @@ -46,6 +46,9 @@ #include "auth/auth_sam.h" #include "db_wrap.h" #include "dsdb/samdb/samdb.h" +#include "librpc/ndr/libndr.h" +#include "librpc/gen_ndr/ndr_drsblobs.h" +#include "libcli/auth/libcli_auth.h" enum hdb_ldb_ent_type { HDB_LDB_ENT_TYPE_CLIENT, HDB_LDB_ENT_TYPE_SERVER, @@ -67,9 +70,9 @@ static const char * const krb5_attrs[] = { "whenChanged", "msDS-KeyVersionNumber", - "krb5Key", "unicodePwd", + "supplementalCredentials", NULL }; @@ -205,10 +208,14 @@ static krb5_error_code LDB_message2entry_keys(krb5_context context, hdb_entry_ex *entry_ex) { krb5_error_code ret = 0; - struct ldb_message_element *krb5keys; + NTSTATUS status; struct samr_Password *hash; - int i; - bool arcfour_needed = true; + const struct ldb_val *sc_val; + struct supplementalCredentialsBlob scb; + struct supplementalCredentialsPackage *scp = NULL; + struct package_PrimaryKerberosBlob _pkb; + struct package_PrimaryKerberosBlob *pkb = NULL; + uint32_t i; uint32_t allocated_keys = 0; entry_ex->entry.keys.val = NULL; @@ -216,19 +223,66 @@ static krb5_error_code LDB_message2entry_keys(krb5_context context, entry_ex->entry.kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0); - /* Get krb5Key from the db */ + /* Get keys from the db */ - krb5keys = ldb_msg_find_element(msg, "krb5Key"); hash = samdb_result_hash(mem_ctx, msg, "unicodePwd"); + sc_val = ldb_msg_find_ldb_val(msg, "supplementalCredentials"); - if (krb5keys) { - allocated_keys = krb5keys->num_values; - } - + /* unicodePwd for enctype 0x17 (23) if present */ if (hash) { allocated_keys++; } + /* supplementalCredentials if present */ + if (sc_val) { + status = ndr_pull_struct_blob_all(sc_val, mem_ctx, &scb, + (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob); + if (!NT_STATUS_IS_OK(status)) { + dump_data(0, sc_val->data, sc_val->length); + ret = EINVAL; + goto out; + } + + for (i=0; i < scb.sub.num_packages; i++) { + if (scb.sub.packages[i].unknown1 != 0x00000001) { + continue; + } + + if (strcmp("Primary:Kerberos", scb.sub.packages[i].name) != 0) { + continue; + } + + if (!scb.sub.packages[i].data || !scb.sub.packages[i].data[0]) { + continue; + } + + scp = &scb.sub.packages[i]; + break; + } + } + /* Primary:Kerberos element of supplementalCredentials */ + if (scp) { + DATA_BLOB blob; + + blob = strhex_to_data_blob(scp->data); + if (!blob.data) { + ret = ENOMEM; + goto out; + } + talloc_steal(mem_ctx, blob.data); + + /* TODO: use ndr_pull_struct_blob_all(), when the ndr layer handles it correct with relative pointers */ + status = ndr_pull_struct_blob(&blob, mem_ctx, &_pkb, + (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob); + if (!NT_STATUS_IS_OK(status)) { + ret = EINVAL; + goto out; + } + pkb = &_pkb; + + allocated_keys += pkb->num_keys1; + } + if (allocated_keys == 0) { /* oh, no password. Apparently (comment in * hdb-ldap.c) this violates the ASN.1, but this @@ -244,49 +298,14 @@ static krb5_error_code LDB_message2entry_keys(krb5_context context, goto out; } - /* Decode Kerberos keys into the hdb structure */ - for (i=0; (krb5keys && i < krb5keys->num_values); i++) { - size_t decode_len; - Key key; - ret = decode_Key(krb5keys->values[i].data, krb5keys->values[i].length, - &key, &decode_len); - if (ret) { - /* Could be bougus data in the entry, or out of memory */ - goto out; - } - - if (userAccountControl & UF_USE_DES_KEY_ONLY) { - switch (key.key.keytype) { - case KEYTYPE_DES: - arcfour_needed = false; - entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key; - entry_ex->entry.keys.len++; - break; - default: - /* We must use DES keys only */ - break; - } - } else { - switch (key.key.keytype) { - case KEYTYPE_ARCFOUR: - arcfour_needed = false; - break; - default: - break; - } - entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key; - entry_ex->entry.keys.len++; - } - } - - if (arcfour_needed && hash) { + if (hash && !(userAccountControl & UF_USE_DES_KEY_ONLY)) { Key key; key.mkvno = 0; key.salt = NULL; /* No salt for this enc type */ ret = krb5_keyblock_init(context, - KEYTYPE_ARCFOUR, + ENCTYPE_ARCFOUR_HMAC_MD5, hash->hash, sizeof(hash->hash), &key.key); if (ret) { @@ -297,11 +316,75 @@ static krb5_error_code LDB_message2entry_keys(krb5_context context, entry_ex->entry.keys.len++; } + if (pkb) { + for (i=0; i < pkb->num_keys1; i++) { + bool use = true; + Key key; + + if (!pkb->keys1[i].value) continue; + + if (userAccountControl & UF_USE_DES_KEY_ONLY) { + switch (pkb->keys1[i].keytype) { + case ENCTYPE_DES_CBC_CRC: + case ENCTYPE_DES_CBC_MD5: + break; + default: + use = false; + break; + } + } + + if (!use) continue; + + key.mkvno = 0; + + if (pkb->salt.string) { + DATA_BLOB salt; + + salt = data_blob_string_const(pkb->salt.string); + + key.salt = calloc(1, sizeof(*key.salt)); + if (key.salt == NULL) { + ret = ENOMEM; + goto out; + } + + key.salt->type = hdb_pw_salt; + + ret = krb5_data_copy(&key.salt->salt, salt.data, salt.length); + if (ret) { + free(key.salt); + key.salt = NULL; + goto out; + } + } + + ret = krb5_keyblock_init(context, + pkb->keys1[i].keytype, + pkb->keys1[i].value->data, + pkb->keys1[i].value->length, + &key.key); + if (ret) { + if (key.salt) { + free_Salt(key.salt); + free(key.salt); + key.salt = NULL; + } + goto out; + } + + entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key; + entry_ex->entry.keys.len++; + } + } + out: - if (ret != 0 && entry_ex->entry.keys.val) { + if (ret != 0) { + entry_ex->entry.keys.len = 0; + } + if (entry_ex->entry.keys.len == 0 && entry_ex->entry.keys.val) { free(entry_ex->entry.keys.val); entry_ex->entry.keys.val = NULL; - entry_ex->entry.keys.len = 0; } return ret; } |