authorAndrew Bartlett <abartlet@samba.org>2005-12-30 08:40:16 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:49:01 -0500
commitc82c9fe7bb47aa95d112159e46e79f52afe6f58d (patch)
tree6b38abc284c8c84a1ff5157e1d11aed14f9a426d /source4/dsdb/samdb/samdb.c
parent1c027f35d70b0719ba671034e897834b4bed9c4f (diff)
r12599: This new LDB module (and associated changes) allows Samba4 to operate
using pre-calculated passwords for all kerberos key types. (Previously we could only use these for the NT# type). The module handles all of the hash/string2key tasks for all parts of Samba, which was previously in the rpc_server/samr/samr_password.c code. We also update the msDS-KeyVersionNumber, and the password history. This new module can be called at provision time, which ensures we start with a database that is consistent in this respect. By ensuring that the krb5key attribute is the only one we need to retrieve, this also simplifies the run-time KDC logic. (Each value of the multi-valued attribute is encoded as a 'Key' in ASN.1, using the definition from Heimdal's HDB. This simplifies the KDC code.). It is hoped that this will speed up the KDC enough that it can again operate under valgrind. (This used to be commit e9022743210b59f19f370d772e532e0f08bfebd9)
Diffstat (limited to 'source4/dsdb/samdb/samdb.c')
-rw-r--r--source4/dsdb/samdb/samdb.c88
1 files changed, 25 insertions, 63 deletions
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index b6a2f9ce33..3d5535602b 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -510,13 +510,13 @@ NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb,
/*
pull a samr_Password structutre from a result set.
*/
-struct samr_Password samdb_result_hash(struct ldb_message *msg, const char *attr)
+struct samr_Password *samdb_result_hash(TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attr)
{
- struct samr_Password hash;
+ struct samr_Password *hash = NULL;
const struct ldb_val *val = ldb_msg_find_ldb_val(msg, attr);
- ZERO_STRUCT(hash);
- if (val) {
- memcpy(hash.hash, val->data, MIN(val->length, sizeof(hash.hash)));
+ if (val && (val->length >= sizeof(hash->hash))) {
+ hash = talloc(mem_ctx, struct samr_Password);
+ memcpy(hash->hash, val->data, MIN(val->length, sizeof(hash->hash)));
}
return hash;
}
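Review bot: The result of `hash = talloc(mem_ctx, struct samr_Password);` is dereferenced by the following `memcpy(hash->hash, ...)` without a NULL check, so an allocation failure becomes a NULL dereference instead of a clean failure; add `if (hash == NULL) return NULL;` between the two lines. Since both "attribute absent or too short" and "out of memory" now return NULL, callers cannot tell them apart, which is worth stating in the header comment (which also still reads "structutre"). With the new `val->length >= sizeof(hash->hash)` guard the `MIN()` is always `sizeof(hash->hash)`, so the copy can simply be `memcpy(hash->hash, val->data, sizeof(hash->hash));`.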
@@ -555,62 +555,28 @@ uint_t samdb_result_hashes(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
NTSTATUS samdb_result_passwords(TALLOC_CTX *mem_ctx, struct ldb_message *msg,
struct samr_Password **lm_pwd, struct samr_Password **nt_pwd)
{
-
- const char *unicodePwd = samdb_result_string(msg, "unicodePwd", NULL);
-
struct samr_Password *lmPwdHash, *ntPwdHash;
- if (unicodePwd) {
- if (nt_pwd) {
- ntPwdHash = talloc(mem_ctx, struct samr_Password);
- if (!ntPwdHash) {
- return NT_STATUS_NO_MEMORY;
- }
-
- E_md4hash(unicodePwd, ntPwdHash->hash);
- *nt_pwd = ntPwdHash;
- }
-
- if (lm_pwd) {
- BOOL lm_hash_ok;
-
- lmPwdHash = talloc(mem_ctx, struct samr_Password);
- if (!lmPwdHash) {
- return NT_STATUS_NO_MEMORY;
- }
-
- /* compute the new nt and lm hashes */
- lm_hash_ok = E_deshash(unicodePwd, lmPwdHash->hash);
-
- if (lm_hash_ok) {
- *lm_pwd = lmPwdHash;
- } else {
- *lm_pwd = NULL;
- }
+ if (nt_pwd) {
+ int num_nt;
+ num_nt = samdb_result_hashes(mem_ctx, msg, "ntPwdHash", &ntPwdHash);
+ if (num_nt == 0) {
+ *nt_pwd = NULL;
+ } else if (num_nt > 1) {
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ } else {
+ *nt_pwd = &ntPwdHash[0];
}
- } else {
- if (nt_pwd) {
- int num_nt;
- num_nt = samdb_result_hashes(mem_ctx, msg, "ntPwdHash", &ntPwdHash);
- if (num_nt == 0) {
- *nt_pwd = NULL;
- } else if (num_nt > 1) {
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- } else {
- *nt_pwd = &ntPwdHash[0];
- }
- }
- if (lm_pwd) {
- int num_lm;
- num_lm = samdb_result_hashes(mem_ctx, msg, "lmPwdHash", &lmPwdHash);
- if (num_lm == 0) {
- *lm_pwd = NULL;
- } else if (num_lm > 1) {
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- } else {
- *lm_pwd = &lmPwdHash[0];
- }
+ }
+ if (lm_pwd) {
+ int num_lm;
+ num_lm = samdb_result_hashes(mem_ctx, msg, "lmPwdHash", &lmPwdHash);
+ if (num_lm == 0) {
+ *lm_pwd = NULL;
+ } else if (num_lm > 1) {
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ } else {
+ *lm_pwd = &lmPwdHash[0];
}
-
}
return NT_STATUS_OK;
}
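Review bot: `int num_nt` and `int num_lm` receive the `uint_t` return of samdb_result_hashes (its prototype is visible in the hunk header), a signed/unsigned mismatch; declare them `uint_t num_nt;` and `uint_t num_lm;` so the `== 0` / `> 1` tests use the producer's type and sign-conversion warnings stay quiet. On the `num_lm > 1` NT_STATUS_INTERNAL_DB_CORRUPTION return, `*nt_pwd` has already been written, so a caller that does not check the status would see a half-populated result; if that matters, assign NULL to both outputs before the lookups. The function's contract — either out-pointer may be NULL, an absent attribute yields a NULL hash, more than one value is reported as NT_STATUS_INTERNAL_DB_CORRUPTION — is not stated in the header comment, which sits above the hunk; a line such as `/* *lm_pwd and *nt_pwd are set to NULL when the attribute is absent; a multi-valued attribute returns NT_STATUS_INTERNAL_DB_CORRUPTION */` would document it.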
@@ -729,13 +695,9 @@ int samdb_msg_add_dom_sid(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, stru
int samdb_msg_add_delete(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg,
const char *attr_name)
{
- char *a = talloc_strdup(mem_ctx, attr_name);
- if (a == NULL) {
- return -1;
- }
/* we use an empty replace rather than a delete, as it allows for
samdb_replace() to be used everywhere */
- return ldb_msg_add_empty(msg, a, LDB_FLAG_MOD_REPLACE);
+ return ldb_msg_add_empty(msg, attr_name, LDB_FLAG_MOD_REPLACE);
}
/*
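Review bot: Dropping the talloc_strdup changes the lifetime contract of attr_name: if ldb_msg_add_empty stores the pointer rather than copying the string (not visible here), the caller's string must now outlive msg, which the previous copy onto mem_ctx guaranteed. If ldb_msg_add_empty does copy it, say so where the copy used to be, e.g. `/* ldb_msg_add_empty copies attr_name, so no talloc_strdup is needed */`. Either way mem_ctx is now unused in this function; note that in the comment rather than leaving a silently dead parameter.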