summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2007-02-18 22:01:02 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:48:34 -0500
commit6e2d85e38baa2221c2d31d2246567e7523e00fd6 (patch)
tree03ffa66d3d404b0353943d15a11ae586a24ceff1 /source4
parent0515f728e64dde0c197aee6180dce79ad281d5f8 (diff)
downloadsamba-6e2d85e38baa2221c2d31d2246567e7523e00fd6.tar.gz
samba-6e2d85e38baa2221c2d31d2246567e7523e00fd6.tar.bz2
samba-6e2d85e38baa2221c2d31d2246567e7523e00fd6.zip
r21434: - get rid of "krb5Key"
- use "sambaPassword" only as virtual attribute for passing the cleartext password (in unix charset) into the ldb layer - store des-cbc-crc, des-cbc-md5 keys in the Primary:Kerberos blob to match w2k and w2k3 - aes key support is disabled by default, as we don't know exacly how longhorn stores them. use password_hash:create_aes_key=yes to force creation of them. - store the cleartext password in the Primary:CLEARTEXT blob if configured TODO: - find out how longhorn stores aes keys - find out how the Primary:WDigest blob needs to be constructed (not supported by w2k) metze (This used to be commit e20b53f6feaaca2cc81ee7d296ca3ff757ee3953)
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/sam.c2
-rw-r--r--source4/dsdb/samdb/ldb_modules/local_password.c3
-rw-r--r--source4/dsdb/samdb/ldb_modules/password_hash.c1088
-rw-r--r--source4/kdc/hdb-ldb.c181
4 files changed, 865 insertions, 409 deletions
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index f9f801c800..7299078747 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -36,7 +36,7 @@ const char *user_attrs[] = {
"userPrincipalName",
"servicePrincipalName",
"msDS-KeyVersionNumber",
- "krb5Key",
+ "supplementalCredentials",
/* passwords */
"dBCSPwd",
diff --git a/source4/dsdb/samdb/ldb_modules/local_password.c b/source4/dsdb/samdb/ldb_modules/local_password.c
index e72b7cb3a3..1a49ed5847 100644
--- a/source4/dsdb/samdb/ldb_modules/local_password.c
+++ b/source4/dsdb/samdb/ldb_modules/local_password.c
@@ -52,8 +52,7 @@
*/
static const char * const password_attrs[] = {
- "sambaPassword",
- "krb5Key",
+ "supplementalCredentials",
"unicodePwd",
"dBCSPwd",
"lmPwdHistory",
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index a2fe2a85db..a31486fdda 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -45,6 +45,8 @@
#include "dsdb/common/flags.h"
#include "hdb.h"
#include "dsdb/samdb/ldb_modules/password_modules.h"
+#include "librpc/ndr/libndr.h"
+#include "librpc/gen_ndr/ndr_drsblobs.h"
/* If we have decided there is reason to work on this request, then
* setup all the password hash types correctly.
@@ -57,7 +59,7 @@
* calculate the password hashes.
*
* This function must not only update the unicodePwd, dBCSPwd and
- * krb5Key fields, it must also atomicly increment the
+ * supplementalCredentials fields, it must also atomicly increment the
* msDS-KeyVersionNumber. We should be in a transaction, so all this
* should be quite safe...
*
@@ -95,324 +97,660 @@ struct domain_data {
char *realm;
};
-static int add_password_hashes(struct ldb_module *module, struct ldb_message *msg, int is_mod)
+struct setup_password_fields_io {
+ struct ph_context *ac;
+ struct domain_data *domain;
+ struct smb_krb5_context *smb_krb5_context;
+
+ /* infos about the user account */
+ struct {
+ uint32_t user_account_control;
+ const char *sAMAccountName;
+ const char *user_principal_name;
+ bool is_computer;
+ } u;
+
+ /* new credentials */
+ struct {
+ const char *cleartext;
+ struct samr_Password *nt_hash;
+ struct samr_Password *lm_hash;
+ } n;
+
+ /* old credentials */
+ struct {
+ uint32_t nt_history_len;
+ struct samr_Password *nt_history;
+ uint32_t lm_history_len;
+ struct samr_Password *lm_history;
+ const struct ldb_val *supplemental;
+ struct supplementalCredentialsBlob scb;
+ uint32_t kvno;
+ } o;
+
+ /* generated credentials */
+ struct {
+ struct samr_Password *nt_hash;
+ struct samr_Password *lm_hash;
+ uint32_t nt_history_len;
+ struct samr_Password *nt_history;
+ uint32_t lm_history_len;
+ struct samr_Password *lm_history;
+ struct ldb_val supplemental;
+ NTTIME last_set;
+ uint32_t kvno;
+ } g;
+};
+
+static int setup_nt_fields(struct setup_password_fields_io *io)
{
- const char *sambaPassword;
- struct samr_Password tmp_hash;
-
- sambaPassword = ldb_msg_find_attr_as_string(msg, "sambaPassword", NULL);
- if (sambaPassword == NULL) { /* impossible, what happened ?! */
- return LDB_ERR_CONSTRAINT_VIOLATION;
+ uint32_t i;
+
+ io->g.nt_hash = io->n.nt_hash;
+
+ if (io->domain->pwdHistoryLength == 0) {
+ return LDB_SUCCESS;
}
- if (is_mod) {
- if (ldb_msg_add_empty(msg, "unicodePwd", LDB_FLAG_MOD_REPLACE, NULL) != 0) {
- return LDB_ERR_OPERATIONS_ERROR;
- }
- if (ldb_msg_add_empty(msg, "dBCSPwd", LDB_FLAG_MOD_REPLACE, NULL) != 0) {
- return LDB_ERR_OPERATIONS_ERROR;
- }
- }
+ /* We might not have an old NT password */
+ io->g.nt_history = talloc_array(io->ac,
+ struct samr_Password,
+ io->domain->pwdHistoryLength);
+ if (!io->g.nt_history) {
+ ldb_oom(io->ac->module->ldb);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ for (i = 0; i < MIN(io->domain->pwdHistoryLength-1, io->o.nt_history_len); i++) {
+ io->g.nt_history[i+1] = io->o.nt_history[i];
+ }
+ io->g.nt_history_len = i + 1;
- /* compute the new nt and lm hashes */
- E_md4hash(sambaPassword, tmp_hash.hash);
- if (samdb_msg_add_hash(module->ldb, msg, msg, "unicodePwd", &tmp_hash) != 0) {
+ if (io->g.nt_hash) {
+ io->g.nt_history[0] = *io->g.nt_hash;
+ } else {
+ /*
+ * TODO: is this correct?
+ * the simular behavior is correct for the lm history case
+ */
+ E_md4hash("", io->g.nt_history[0].hash);
+ }
+
+ return LDB_SUCCESS;
+}
+
+static int setup_lm_fields(struct setup_password_fields_io *io)
+{
+ uint32_t i;
+
+ io->g.lm_hash = io->n.lm_hash;
+
+ if (io->domain->pwdHistoryLength == 0) {
+ return LDB_SUCCESS;
+ }
+
+ /* We might not have an old NT password */
+ io->g.lm_history = talloc_array(io->ac,
+ struct samr_Password,
+ io->domain->pwdHistoryLength);
+ if (!io->g.lm_history) {
+ ldb_oom(io->ac->module->ldb);
return LDB_ERR_OPERATIONS_ERROR;
}
- if (E_deshash(sambaPassword, tmp_hash.hash)) {
- if (samdb_msg_add_hash(module->ldb, msg, msg, "dBCSPwd", &tmp_hash) != 0) {
- return LDB_ERR_OPERATIONS_ERROR;
- }
+ for (i = 0; i < MIN(io->domain->pwdHistoryLength-1, io->o.lm_history_len); i++) {
+ io->g.lm_history[i+1] = io->o.lm_history[i];
+ }
+ io->g.lm_history_len = i + 1;
+
+ if (io->g.lm_hash) {
+ io->g.lm_history[0] = *io->g.lm_hash;
+ } else {
+ E_deshash("", io->g.lm_history[0].hash);
}
return LDB_SUCCESS;
}
-static int add_krb5_keys_from_password(struct ldb_module *module, struct ldb_message *msg,
- struct smb_krb5_context *smb_krb5_context,
- struct domain_data *domain,
- const char *samAccountName,
- const char *user_principal_name,
- int is_computer)
+static int setup_primary_kerberos(struct setup_password_fields_io *io,
+ const struct supplementalCredentialsBlob *old_scb,
+ struct package_PrimaryKerberosBlob *pkb)
{
- const char *sambaPassword;
- Principal *salt_principal;
krb5_error_code krb5_ret;
- size_t num_keys;
- Key *keys;
- int i;
+ Principal *salt_principal;
+ krb5_salt salt;
+ krb5_keyblock key;
+ uint32_t k=0;
+ struct supplementalCredentialsPackage *old_scp = NULL;
+ struct package_PrimaryKerberosBlob _old_pkb;
+ struct package_PrimaryKerberosBlob *old_pkb = NULL;
+ uint32_t i;
+ NTSTATUS status;
/* Many, many thanks to lukeh@padl.com for this
* algorithm, described in his Nov 10 2004 mail to
* samba-technical@samba.org */
- sambaPassword = ldb_msg_find_attr_as_string(msg, "sambaPassword", NULL);
- if (sambaPassword == NULL) { /* impossible, what happened ?! */
- return LDB_ERR_OPERATIONS_ERROR;
- }
-
- if (is_computer) {
- /* Determine a salting principal */
- char *name = talloc_strdup(msg, samAccountName);
+ /*
+ * Determine a salting principal
+ */
+ if (io->u.is_computer) {
+ char *name;
char *saltbody;
- if (name == NULL) {
- ldb_asprintf_errstring(module->ldb,
- "password_hash_handle: "
- "generation of new kerberos keys failed: %s is a computer without a samAccountName",
- ldb_dn_get_linearized(msg->dn));
+
+ name = talloc_strdup(io->ac, io->u.sAMAccountName);
+ if (!name) {
+ ldb_oom(io->ac->module->ldb);
return LDB_ERR_OPERATIONS_ERROR;
}
+
if (name[strlen(name)-1] == '$') {
name[strlen(name)-1] = '\0';
}
- saltbody = talloc_asprintf(msg, "%s.%s", name, domain->dns_domain);
+
+ saltbody = talloc_asprintf(io->ac, "%s.%s", name, io->domain->dns_domain);
+ if (!saltbody) {
+ ldb_oom(io->ac->module->ldb);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
- krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context,
- &salt_principal,
- domain->realm, "host",
- saltbody, NULL);
- } else if (user_principal_name) {
+ krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
+ &salt_principal,
+ io->domain->realm, "host",
+ saltbody, NULL);
+ } else if (io->u.user_principal_name) {
+ char *user_principal_name;
char *p;
- user_principal_name = talloc_strdup(msg, user_principal_name);
- if (user_principal_name == NULL) {
- return LDB_ERR_OPERATIONS_ERROR;
- } else {
- p = strchr(user_principal_name, '@');
- if (p) {
- p[0] = '\0';
- }
- krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context,
- &salt_principal,
- domain->realm, user_principal_name, NULL);
- }
- } else {
- if (!samAccountName) {
- ldb_asprintf_errstring(module->ldb,
- "password_hash_handle: "
- "generation of new kerberos keys failed: %s has no samAccountName",
- ldb_dn_get_linearized(msg->dn));
+
+ user_principal_name = talloc_strdup(io->ac, io->u.user_principal_name);
+ if (!user_principal_name) {
+ ldb_oom(io->ac->module->ldb);
return LDB_ERR_OPERATIONS_ERROR;
}
- krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context,
- &salt_principal,
- domain->realm, samAccountName,
- NULL);
+
+ p = strchr(user_principal_name, '@');
+ if (p) {
+ p[0] = '\0';
+ }
+
+ krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
+ &salt_principal,
+ io->domain->realm, user_principal_name,
+ NULL);
+ } else {
+ krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
+ &salt_principal,
+ io->domain->realm, io->u.sAMAccountName,
+ NULL);
+ }
+ if (krb5_ret) {
+ ldb_asprintf_errstring(io->ac->module->ldb,
+ "setup_primary_kerberos: "
+ "generation of a salting principal failed: %s",
+ smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
+ return LDB_ERR_OPERATIONS_ERROR;
}
+ /*
+ * create salt from salt_principal
+ */
+ krb5_ret = krb5_get_pw_salt(io->smb_krb5_context->krb5_context,
+ salt_principal, &salt);
+ krb5_free_principal(io->smb_krb5_context->krb5_context, salt_principal);
if (krb5_ret) {
- ldb_asprintf_errstring(module->ldb,
- "password_hash_handle: "
- "generation of a saltking principal failed: %s",
- smb_get_krb5_error_message(smb_krb5_context->krb5_context, krb5_ret, msg));
+ ldb_asprintf_errstring(io->ac->module->ldb,
+ "setup_primary_kerberos: "
+ "generation of krb5_salt failed: %s",
+ smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ /* create a talloc copy */
+ pkb->salt.string = talloc_strndup(io->ac,
+ salt.saltvalue.data,
+ salt.saltvalue.length);
+ krb5_free_salt(io->smb_krb5_context->krb5_context, salt);
+ if (!pkb->salt.string) {
+ ldb_oom(io->ac->module->ldb);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ salt.saltvalue.data = discard_const(pkb->salt.string);
+ salt.saltvalue.length = strlen(pkb->salt.string);
+
+ /*
+ * prepare generation of keys
+ *
+ * ENCTYPE_AES256_CTS_HMAC_SHA1_96 (disabled by default)
+ * ENCTYPE_DES_CBC_MD5
+ * ENCTYPE_DES_CBC_CRC
+ *
+ * NOTE: update num_keys1 when you add another enctype!
+ */
+ pkb->num_keys1 = 0;
+ pkb->keys1 = talloc_array(io->ac, struct package_PrimaryKerberosKey, 3);
+ if (!pkb->keys1) {
+ ldb_oom(io->ac->module->ldb);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ pkb->unknown3_1 = talloc_zero_array(io->ac, uint64_t, pkb->num_keys1);
+ if (!pkb->unknown3_1) {
+ ldb_oom(io->ac->module->ldb);
return LDB_ERR_OPERATIONS_ERROR;
}
- /* TODO: We may wish to control the encryption types chosen in future */
- krb5_ret = hdb_generate_key_set_password(smb_krb5_context->krb5_context,
- salt_principal, sambaPassword, &keys, &num_keys);
- krb5_free_principal(smb_krb5_context->krb5_context, salt_principal);
+if (lp_parm_bool(-1, "password_hash", "create_aes_key", false)) {
+/*
+ * TODO:
+ *
+ * w2k and w2k3 doesn't support AES, so we'll not include
+ * the AES key here yet.
+ *
+ * Also we don't have an example supplementalCredentials blob
+ * from Windows Longhorn Server with AES support
+ *
+ */
+ /*
+ * create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of
+ * the salt and the cleartext password
+ */
+ krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ io->n.cleartext,
+ salt,
+ &key);
+ pkb->keys1[k].keytype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
+ pkb->keys1[k].value = talloc(pkb->keys1, DATA_BLOB);
+ if (!pkb->keys1[k].value) {
+ krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
+ ldb_oom(io->ac->module->ldb);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ *pkb->keys1[k].value = data_blob_talloc(pkb->keys1[k].value,
+ key.keyvalue.data,
+ key.keyvalue.length);
+ krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
+ if (!pkb->keys1[k].value->data) {
+ ldb_oom(io->ac->module->ldb);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ k++;
+}
- if (krb5_ret) {
- ldb_asprintf_errstring(module->ldb,
- "password_hash_handle: "
- "generation of new kerberos keys failed: %s",
- smb_get_krb5_error_message(smb_krb5_context->krb5_context, krb5_ret, msg));
+ /*
+ * create ENCTYPE_DES_CBC_MD5 key out of
+ * the salt and the cleartext password
+ */
+ krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
+ ENCTYPE_DES_CBC_MD5,
+ io->n.cleartext,
+ salt,
+ &key);
+ pkb->keys1[k].keytype = ENCTYPE_DES_CBC_MD5;
+ pkb->keys1[k].value = talloc(pkb->keys1, DATA_BLOB);
+ if (!pkb->keys1[k].value) {
+ krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
+ ldb_oom(io->ac->module->ldb);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ *pkb->keys1[k].value = data_blob_talloc(pkb->keys1[k].value,
+ key.keyvalue.data,
+ key.keyvalue.length);
+ krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
+ if (!pkb->keys1[k].value->data) {
+ ldb_oom(io->ac->module->ldb);
return LDB_ERR_OPERATIONS_ERROR;
}
+ k++;
- /* Walking all the key types generated, transform each
- * key into an ASN.1 blob
+ /*
+ * create ENCTYPE_DES_CBC_CRC key out of
+ * the salt and the cleartext password
*/
- for (i=0; i < num_keys; i++) {
- unsigned char *buf;
- size_t buf_size;
- size_t len;
- struct ldb_val val;
- int ret;
-
- if (keys[i].key.keytype == KEYTYPE_ARCFOUR) {
- /* We might end up doing this below:
- * This ensures we get the unicode
- * conversion right. This should also
- * be fixed in the Heimdal libs */
+ krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
+ ENCTYPE_DES_CBC_CRC,
+ io->n.cleartext,
+ salt,
+ &key);
+ pkb->keys1[k].keytype = ENCTYPE_DES_CBC_CRC;
+ pkb->keys1[k].value = talloc(pkb->keys1, DATA_BLOB);
+ if (!pkb->keys1[k].value) {
+ krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
+ ldb_oom(io->ac->module->ldb);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ *pkb->keys1[k].value = data_blob_talloc(pkb->keys1[k].value,
+ key.keyvalue.data,
+ key.keyvalue.length);
+ krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
+ if (!pkb->keys1[k].value->data) {
+ ldb_oom(io->ac->module->ldb);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ k++;
+
+ /* fix up key number */
+ pkb->num_keys1 = k;
+
+ /* initialize the old keys to zero */
+ pkb->num_keys2 = 0;
+ pkb->keys2 = NULL;
+ pkb->unknown3_2 = NULL;
+
+ /* if there're no old keys, then we're done */
+ if (!old_scb) {
+ return LDB_SUCCESS;
+ }
+
+ for (i=0; i < old_scb->sub.num_packages; i++) {
+ if (old_scb->sub.packages[i].unknown1 != 0x00000001) {
continue;
}
- ASN1_MALLOC_ENCODE(Key, buf, buf_size, &keys[i], &len, krb5_ret);
- if (krb5_ret) {
- return LDB_ERR_OPERATIONS_ERROR;
+
+ if (strcmp("Primary:Kerberos", old_scb->sub.packages[i].name) != 0) {
+ continue;
}
-
- val.data = talloc_memdup(msg, buf, len);
- val.length = len;
- free(buf);
- if (!val.data || krb5_ret) {
- hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys);
+
+ if (!old_scb->sub.packages[i].data || !old_scb->sub.packages[i].data[0]) {
+ continue;
+ }
+
+ old_scp = &old_scb->sub.packages[i];
+ break;
+ }
+ /* Primary:Kerberos element of supplementalCredentials */
+ if (old_scp) {
+ DATA_BLOB blob;
+
+ blob = strhex_to_data_blob(old_scp->data);
+ if (!blob.data) {
+ ldb_oom(io->ac->module->ldb);
return LDB_ERR_OPERATIONS_ERROR;
}
- ret = ldb_msg_add_value(msg, "krb5Key", &val, NULL);
- if (ret != LDB_SUCCESS) {
- hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys);
- return ret;
+ talloc_steal(io->ac, blob.data);
+
+ /* TODO: use ndr_pull_struct_blob_all(), when the ndr layer handles it correct with relative pointers */
+ status = ndr_pull_struct_blob(&blob, io->ac, &_old_pkb,
+ (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
+ if (!NT_STATUS_IS_OK(status)) {
+ ldb_asprintf_errstring(io->ac->module->ldb,
+ "setup_primary_kerberos: "
+ "failed to pull old package_PrimaryKerberosBlob: %s",
+ nt_errstr(status));
+ return LDB_ERR_OPERATIONS_ERROR;
}
+ old_pkb = &_old_pkb;
}
-
- hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys);
+
+ /* if we didn't found the old keys we're done */
+ if (!old_pkb) {
+ return LDB_SUCCESS;
+ }
+
+ /* fill in the old keys */
+ pkb->num_keys2 = old_pkb->num_keys1;
+ pkb->keys2 = old_pkb->keys1;
+ pkb->unknown3_2 = old_pkb->unknown3_1;
return LDB_SUCCESS;
}
-static int add_krb5_keys_from_NThash(struct ldb_module *module, struct ldb_message *msg,
- struct smb_krb5_context *smb_krb5_context)
+static int setup_supplemental_field(struct setup_password_fields_io *io)
{
- struct samr_Password *ntPwdHash;
- krb5_error_code krb5_ret;
- unsigned char *buf;
- size_t buf_size;
- size_t len;
- struct ldb_val val;
- Key key;
-
- key.mkvno = 0;
- key.salt = NULL; /* No salt for this enc type */
+ struct supplementalCredentialsBlob scb;
+ struct supplementalCredentialsBlob _old_scb;
+ struct supplementalCredentialsBlob *old_scb = NULL;
+ /* Packages + (Kerberos and maybe CLEARTEXT) */
+ uint32_t num_packages = 1 + 1;
+ struct supplementalCredentialsPackage packages[1+2];
+ struct supplementalCredentialsPackage *pp = &packages[0];
+ struct supplementalCredentialsPackage *pk = &packages[1];
+ struct supplementalCredentialsPackage *pc = NULL;
+ struct package_PackagesBlob pb;
+ DATA_BLOB pb_blob;
+ char *pb_hexstr;
+ struct package_PrimaryKerberosBlob pkb;
+ DATA_BLOB pkb_blob;
+ char *pkb_hexstr;
+ struct package_PrimaryCLEARTEXTBlob pcb;
+ DATA_BLOB pcb_blob;
+ char *pcb_hexstr;
+ int ret;
+ NTSTATUS status;
+ uint8_t zero16[16];
+
+ ZERO_STRUCT(zero16);
+
+ if (!io->n.cleartext) {
+ /*
+ * when we don't have a cleartext password
+ * we can't setup a supplementalCredential value
+ */
+ return LDB_SUCCESS;
+ }
+
+ /* if there's an old supplementaCredentials blob then parse it */
+ if (io->o.supplemental) {
+ status = ndr_pull_struct_blob_all(io->o.supplemental, io->ac, &_old_scb,
+ (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
+ if (!NT_STATUS_IS_OK(status)) {
+ ldb_asprintf_errstring(io->ac->module->ldb,
+ "setup_supplemental_field: "
+ "failed to pull old supplementalCredentialsBlob: %s",
+ nt_errstr(status));
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
- ntPwdHash = samdb_result_hash(msg, msg, "unicodePwd");
- if (ntPwdHash == NULL) { /* what happened ?! */
- return LDB_ERR_OPERATIONS_ERROR;
+ old_scb = &_old_scb;
}
- krb5_ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
- KEYTYPE_ARCFOUR,
- ntPwdHash->hash, sizeof(ntPwdHash->hash),
- &key.key);
- if (krb5_ret) {
- return LDB_ERR_OPERATIONS_ERROR;
+ if (io->domain->store_cleartext &&
+ (io->u.user_account_control & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
+ pc = &packages[2];
+ num_packages++;
}
- ASN1_MALLOC_ENCODE(Key, buf, buf_size, &key, &len, krb5_ret);
- if (krb5_ret) {
+
+ /* Kerberos, CLEARTEXT and termination(counted by the Packages element) */
+ pb.names = talloc_zero_array(io->ac, const char *, num_packages);
+
+ /*
+ * setup 'Primary:Kerberos' element
+ */
+ pb.names[0] = "Kerberos";
+
+ ret = setup_primary_kerberos(io, old_scb, &pkb);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ status = ndr_push_struct_blob(&pkb_blob, io->ac, &pkb,
+ (ndr_push_flags_fn_t)ndr_push_package_PrimaryKerberosBlob);
+ if (!NT_STATUS_IS_OK(status)) {
+ ldb_asprintf_errstring(io->ac->module->ldb,
+ "setup_supplemental_field: "
+ "failed to push package_PrimaryKerberosBlob: %s",
+ nt_errstr(status));
return LDB_ERR_OPERATIONS_ERROR;
}
- krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
- &key.key);
-
- val.data = talloc_memdup(msg, buf, len);
- val.length = len;
- free(buf);
- if (!val.data) {
+ /*
+ * TODO:
+ *
+ * This is ugly, but we want to generate the same blob as
+ * w2k and w2k3...we should handle this in the idl
+ */
+ status = data_blob_append(io->ac, &pkb_blob, zero16, sizeof(zero16));
+ if (!NT_STATUS_IS_OK(status)) {
+ ldb_oom(io->ac->module->ldb);
return LDB_ERR_OPERATIONS_ERROR;
}
- if (ldb_msg_add_value(msg, "krb5Key", &val, NULL) != 0) {
+ pkb_hexstr = data_blob_hex_string(io->ac, &pkb_blob);
+ if (!pkb_hexstr) {
+ ldb_oom(io->ac->module->ldb);
return LDB_ERR_OPERATIONS_ERROR;
}
+ pk->name = "Primary:Kerberos";
+ pk->unknown1 = 1;
+ pk->data = pkb_hexstr;
- return LDB_SUCCESS;
-}
-
-static int set_pwdLastSet(struct ldb_module *module, struct ldb_message *msg, int is_mod)
-{
- NTTIME now_nt;
-
- /* set it as now */
- unix_to_nt_time(&now_nt, time(NULL));
-
- if (!is_mod) {
- /* be sure there isn't a 0 value set (eg. coming from the template) */
- ldb_msg_remove_attr(msg, "pwdLastSet");
- /* add */
- if (ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_ADD, NULL) != 0) {
+ /*
+ * setup 'Primary:CLEARTEXT' element
+ */
+ if (pc) {
+ pb.names[1] = "CLEARTEXT";
+
+ pcb.cleartext = io->n.cleartext;
+
+ status = ndr_push_struct_blob(&pcb_blob, io->ac, &pcb,
+ (ndr_push_flags_fn_t)ndr_push_package_PrimaryCLEARTEXTBlob);
+ if (!NT_STATUS_IS_OK(status)) {
+ ldb_asprintf_errstring(io->ac->module->ldb,
+ "setup_supplemental_field: "
+ "failed to push package_PrimaryCLEARTEXTBlob: %s",
+ nt_errstr(status));
return LDB_ERR_OPERATIONS_ERROR;
}
- } else {
- /* replace */
- if (ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE, NULL) != 0) {
+ pcb_hexstr = data_blob_hex_string(io->ac, &pcb_blob);
+ if (!pcb_hexstr) {
+ ldb_oom(io->ac->module->ldb);
return LDB_ERR_OPERATIONS_ERROR;
}
+ pc->name = "Primary:CLEARTEXT";
+ pc->unknown1 = 1;
+ pc->data = pcb_hexstr;
}
- if (samdb_msg_add_uint64(module->ldb, msg, msg, "pwdLastSet", now_nt) != 0) {
+ /*
+ * setup 'Packages' element
+ */
+ status = ndr_push_struct_blob(&pb_blob, io->ac, &pb,
+ (ndr_push_flags_fn_t)ndr_push_package_PackagesBlob);
+ if (!NT_STATUS_IS_OK(status)) {
+ ldb_asprintf_errstring(io->ac->module->ldb,
+ "setup_supplemental_field: "
+ "failed to push package_PackagesBlob: %s",
+ nt_errstr(status));
return LDB_ERR_OPERATIONS_ERROR;
}
-
- return LDB_SUCCESS;
-}
-
-static int add_keyVersionNumber(struct ldb_module *module, struct ldb_message *msg, int previous)
-{
- /* replace or add */
- if (ldb_msg_add_empty(msg, "msDS-KeyVersionNumber", LDB_FLAG_MOD_REPLACE, NULL) != 0) {
+ pb_hexstr = data_blob_hex_string(io->ac, &pb_blob);
+ if (!pb_hexstr) {
+ ldb_oom(io->ac->module->ldb);
return LDB_ERR_OPERATIONS_ERROR;
}
+ pp->name = "Packages";
+ pp->unknown1 = 2;
+ pp->data = pb_hexstr;
- if (samdb_msg_add_uint(module->ldb, msg, msg, "msDS-KeyVersionNumber", previous+1) != 0) {
+ /*
+ * setup 'supplementalCredentials' value
+ */
+ scb.sub.num_packages = num_packages;
+ scb.sub.packages = packages;
+
+ status = ndr_push_struct_blob(&io->g.supplemental, io->ac, &scb,
+ (ndr_push_flags_fn_t)ndr_push_supplementalCredentialsBlob);
+ if (!NT_STATUS_IS_OK(status)) {
+ ldb_asprintf_errstring(io->ac->module->ldb,
+ "setup_supplemental_field: "
+ "failed to push supplementalCredentialsBlob: %s",
+ nt_errstr(status));
return LDB_ERR_OPERATIONS_ERROR;
}
return LDB_SUCCESS;
}
-static int setPwdHistory(struct ldb_module *module, struct ldb_message *msg, struct ldb_message *old_msg, int hlen)
+static int setup_last_set_field(struct setup_password_fields_io *io)
{
- struct samr_Password *nt_hash;
- struct samr_Password *lm_hash;
- struct samr_Password *nt_history;
- struct samr_Password *lm_history;
- struct samr_Password *new_nt_history;
- struct samr_Password *new_lm_history;
- int nt_hist_len;
- int lm_hist_len;
- int i;
+ /* set it as now */
+ unix_to_nt_time(&io->g.last_set, time(NULL));
- nt_hash = samdb_result_hash(msg, old_msg, "unicodePwd");
- lm_hash = samdb_result_hash(msg, old_msg, "dBCSPwd");
+ return LDB_SUCCESS;
+}
- /* if no previous passwords just return */
- if (nt_hash == NULL && lm_hash == NULL) return LDB_SUCCESS;
+static int setup_kvno_field(struct setup_password_fields_io *io)
+{
+ /* increment by one */
+ io->g.kvno = io->o.kvno + 1;
- nt_hist_len = samdb_result_hashes(msg, old_msg, "ntPwdHistory", &nt_history);
- lm_hist_len = samdb_result_hashes(msg, old_msg, "lmPwdHistory", &lm_history);
+ return LDB_SUCCESS;
+}
- /* We might not have an old NT password */
- new_nt_history = talloc_array(msg, struct samr_Password, hlen);
- if (new_nt_history == NULL) {
- return LDB_ERR_OPERATIONS_ERROR;
- }
- for (i = 0; i < MIN(hlen-1, nt_hist_len); i++) {
- new_nt_history[i+1] = nt_history[i];
- }
- nt_hist_len = i + 1;
- if (nt_hash) {
- new_nt_history[0] = *nt_hash;
- } else {
- ZERO_STRUCT(new_nt_history[0]);
+static int setup_password_fields(struct setup_password_fields_io *io)
+{
+ bool ok;
+ int ret;
+
+ /*
+ * refuse the change if someone want to change the cleartext
+ * and supply his own hashes at the same time...
+ */
+ if (io->n.cleartext && (io->n.nt_hash || io->n.lm_hash)) {
+ ldb_asprintf_errstring(io->ac->module->ldb,
+ "setup_password_fields: "
+ "it's only allowed to set the cleartext password or the password hashes");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
}
- if (ldb_msg_add_empty(msg, "ntPwdHistory", LDB_FLAG_MOD_REPLACE, NULL) != LDB_SUCCESS) {
- return LDB_ERR_OPERATIONS_ERROR;
+
+ if (io->n.cleartext && !io->n.nt_hash) {
+ struct samr_Password *hash;
+
+ hash = talloc(io->ac, struct samr_Password);
+ if (!hash) {
+ ldb_oom(io->ac->module->ldb);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ /* compute the new nt hash */
+ ok = E_md4hash(io->n.cleartext, hash->hash);
+ if (ok) {
+ io->n.nt_hash = hash;
+ } else {
+ ldb_asprintf_errstring(io->ac->module->ldb,
+ "setup_password_fields: "
+ "failed to generate nthash from cleartext password");
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
}
- if (samdb_msg_add_hashes(msg, msg, "ntPwdHistory", new_nt_history, nt_hist_len) != LDB_SUCCESS) {
- return LDB_ERR_OPERATIONS_ERROR;
+
+ if (io->n.cleartext && !io->n.lm_hash) {
+ struct samr_Password *hash;
+
+ hash = talloc(io->ac, struct samr_Password);
+ if (!hash) {
+ ldb_oom(io->ac->module->ldb);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ /* compute the new lm hash */
+ ok = E_deshash(io->n.cleartext, hash->hash);
+ if (ok) {
+ io->n.lm_hash = hash;
+ } else {
+ talloc_free(hash->hash);
+ }
}
-
- /* Don't store 'long' passwords in the LM history,
- but make sure to 'expire' one password off the other end */
- new_lm_history = talloc_array(msg, struct samr_Password, hlen);
- if (new_lm_history == NULL) {
- return LDB_ERR_OPERATIONS_ERROR;
+ ret = setup_nt_fields(io);
+ if (ret != 0) {
+ return ret;
}
- for (i = 0; i < MIN(hlen-1, lm_hist_len); i++) {
- new_lm_history[i+1] = lm_history[i];
+
+ ret = setup_lm_fields(io);
+ if (ret != 0) {
+ return ret;
}
- lm_hist_len = i + 1;
- if (lm_hash) {
- new_lm_history[0] = *lm_hash;
- } else {
- ZERO_STRUCT(new_lm_history[0]);
+
+ ret = setup_supplemental_field(io);
+ if (ret != 0) {
+ return ret;
}
- if (ldb_msg_add_empty(msg, "lmPwdHistory", LDB_FLAG_MOD_REPLACE, NULL) != LDB_SUCCESS) {
- return LDB_ERR_OPERATIONS_ERROR;
+
+ ret = setup_last_set_field(io);
+ if (ret != 0) {
+ return ret;
}
- if (samdb_msg_add_hashes(msg, msg, "lmPwdHistory", new_lm_history, lm_hist_len) != LDB_SUCCESS) {
- return LDB_ERR_OPERATIONS_ERROR;
+
+ ret = setup_kvno_field(io);
+ if (ret != 0) {
+ return ret;
}
return LDB_SUCCESS;
@@ -593,9 +931,14 @@ static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
return ldb_next_request(module, req);
}
- /* nobody must touch password Histories */
- if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory") ||
- ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) {
+ /* nobody must touch this fields */
+ if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory")) {
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ if (ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) {
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ if (ldb_msg_find_element(req->op.add.message, "supplementalCredentials")) {
return LDB_ERR_UNWILLING_TO_PERFORM;
}
@@ -677,8 +1020,8 @@ static int password_hash_add_do_add(struct ldb_handle *h) {
struct ph_context *ac;
struct domain_data *domain;
struct smb_krb5_context *smb_krb5_context;
- struct ldb_message_element *sambaAttr;
struct ldb_message *msg;
+ struct setup_password_fields_io io;
int ret;
ac = talloc_get_type(h->private_data, struct ph_context);
@@ -704,54 +1047,84 @@ static int password_hash_add_do_add(struct ldb_handle *h) {
return LDB_ERR_OPERATIONS_ERROR;
}
- /* if we have sambaPassword in the original message add the operatio on it here */
- sambaAttr = ldb_msg_find_element(msg, "sambaPassword");
- if (sambaAttr) {
- unsigned int user_account_control;
- ret = add_password_hashes(ac->module, msg, 0);
- /* we can compute new password hashes from the unicode password */
+ ZERO_STRUCT(io);
+ io.ac = ac;
+ io.domain = domain;
+ io.smb_krb5_context = smb_krb5_context;
+
+ io.u.user_account_control = samdb_result_uint(msg, "userAccountControl", 0);
+ io.u.sAMAccountName = samdb_result_string(msg, "samAccountName", NULL);
+ io.u.user_principal_name = samdb_result_string(msg, "userPrincipalName", NULL);
+ io.u.is_computer = ldb_msg_check_string_attribute(msg, "objectClass", "computer");
+
+ io.n.cleartext = samdb_result_string(msg, "sambaPassword", NULL);
+ io.n.nt_hash = samdb_result_hash(io.ac, msg, "unicodePwd");
+ io.n.lm_hash = samdb_result_hash(io.ac, msg, "dBCSPwd");
+
+ /* remove attributes */
+ if (io.n.cleartext) ldb_msg_remove_attr(msg, "sambaPassword");
+ if (io.n.nt_hash) ldb_msg_remove_attr(msg, "unicodePwd");
+ if (io.n.lm_hash) ldb_msg_remove_attr(msg, "dBCSPwd");
+ ldb_msg_remove_attr(msg, "pwdLastSet");
+ io.o.kvno = samdb_result_uint(msg, "msDs-KeyVersionNumber", 1) - 1;
+ ldb_msg_remove_attr(msg, "msDs-KeyVersionNumber");
+
+ ret = setup_password_fields(&io);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ if (io.g.nt_hash) {
+ ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
+ "unicodePwd", io.g.nt_hash);
if (ret != LDB_SUCCESS) {
return ret;
}
-
- /* now add krb5 keys based on unicode password */
- ret = add_krb5_keys_from_password(ac->module, msg, smb_krb5_context, domain,
- ldb_msg_find_attr_as_string(msg, "samAccountName", NULL),
- ldb_msg_find_attr_as_string(msg, "userPrincipalName", NULL),
- ldb_msg_check_string_attribute(msg, "objectClass", "computer"));
+ }
+ if (io.g.lm_hash) {
+ ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
+ "dBCSPwd", io.g.lm_hash);
if (ret != LDB_SUCCESS) {
return ret;
}
-
- /* if both the domain properties and the user account controls do not permit
- * clear text passwords then wipe out the sambaPassword */
- user_account_control = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
- if (domain->store_cleartext && (user_account_control & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
- /* Keep sambaPassword attribute */
- } else {
- ldb_msg_remove_attr(msg, "sambaPassword");
- }
}
-
- /* add also krb5 keys based on NT the hash (we might have unicodePwd, but not the cleartext */
- ret = add_krb5_keys_from_NThash(ac->module, msg, smb_krb5_context);
- if (ret != LDB_SUCCESS) {
- return ret;
+ if (io.g.nt_history_len > 0) {
+ ret = samdb_msg_add_hashes(ac, msg,
+ "ntPwdHistory",
+ io.g.nt_history,
+ io.g.nt_history_len);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
}
-
- /* don't touch it if a value is set. It could be an incoming samsync */
- if (ldb_msg_find_attr_as_uint64(msg, "pwdLastSet", 0) == 0) {
- if (set_pwdLastSet(ac->module, msg, 0) != LDB_SUCCESS) {
- return LDB_ERR_OPERATIONS_ERROR;
+ if (io.g.lm_history_len > 0) {
+ ret = samdb_msg_add_hashes(ac, msg,
+ "lmPwdHistory",
+ io.g.lm_history,
+ io.g.lm_history_len);
+ if (ret != LDB_SUCCESS) {
+ return ret;
}
}
-
- /* don't touch it if a value is set. It could be an incoming samsync */
- if (!ldb_msg_find_element(msg, "msDS-KeyVersionNumber")) {
- if (add_keyVersionNumber(ac->module, msg, 0) != LDB_SUCCESS) {
- return LDB_ERR_OPERATIONS_ERROR;
+ if (io.g.supplemental.length > 0) {
+ ret = ldb_msg_add_value(msg, "supplementalCredentials",
+ &io.g.supplemental, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
}
}
+ ret = samdb_msg_add_uint64(ac->module->ldb, ac, msg,
+ "pwdLastSet",
+ io.g.last_set);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ ret = samdb_msg_add_uint(ac->module->ldb, ac, msg,
+ "msDs-KeyVersionNumber",
+ io.g.kvno);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
h->state = LDB_ASYNC_INIT;
h->status = LDB_SUCCESS;
@@ -788,8 +1161,13 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r
}
/* nobody must touch password Histories */
- if (ldb_msg_find_element(req->op.mod.message, "ntPwdHistory") ||
- ldb_msg_find_element(req->op.mod.message, "lmPwdHistory")) {
+ if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory")) {
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ if (ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) {
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ if (ldb_msg_find_element(req->op.add.message, "supplementalCredentials")) {
return LDB_ERR_UNWILLING_TO_PERFORM;
}
@@ -797,6 +1175,13 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r
ntAttr = ldb_msg_find_element(req->op.mod.message, "unicodePwd");
lmAttr = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
+ /* If no part of this touches the sambaPassword OR unicodePwd and/or dBCSPwd, then we don't
+ * need to make any changes. For password changes/set there should
+ * be a 'delete' or a 'modify' on this attribute. */
+ if ((!sambaAttr) && (!ntAttr) && (!lmAttr)) {
+ return ldb_next_request(module, req);
+ }
+
/* check passwords are single valued here */
/* TODO: remove this when passwords will be single valued in schema */
if (sambaAttr && (sambaAttr->num_values > 1)) {
@@ -809,17 +1194,6 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r
return LDB_ERR_CONSTRAINT_VIOLATION;
}
- /* If no part of this touches the sambaPassword OR unicodePwd and/or dBCSPwd, then we don't
- * need to make any changes. For password changes/set there should
- * be a 'delete' or a 'modify' on this attribute. */
- /* If the only operation is the deletion of the passwords then go on */
- if ( ((!sambaAttr) || ((sambaAttr->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE))
- && ((!ntAttr) || ((ntAttr->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE))
- && ((!lmAttr) || ((lmAttr->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE)) ) {
-
- return ldb_next_request(module, req);
- }
-
h = ph_init_handle(req, module, PH_MOD);
if (!h) {
return LDB_ERR_OPERATIONS_ERROR;
@@ -906,8 +1280,9 @@ static int password_hash_mod_search_self(struct ldb_handle *h) {
"ntPwdHistory",
"objectSid", "msDS-KeyVersionNumber",
"objectClass", "userPrincipalName",
- "samAccountName",
+ "sAMAccountName",
"dBCSPwd", "unicodePwd",
+ "supplementalCredentials",
NULL };
ac = talloc_get_type(h->private_data, struct ph_context);
@@ -968,11 +1343,11 @@ static int password_hash_mod_do_mod(struct ldb_handle *h) {
struct ph_context *ac;
struct domain_data *domain;
struct smb_krb5_context *smb_krb5_context;
- struct ldb_message_element *sambaAttr;
struct ldb_message *msg;
- int phlen;
+ struct ldb_message *orig_msg;
+ struct ldb_message *searched_msg;
+ struct setup_password_fields_io io;
int ret;
- BOOL added_hashes = False;
ac = talloc_get_type(h->private_data, struct ph_context);
@@ -1002,94 +1377,93 @@ static int password_hash_mod_do_mod(struct ldb_handle *h) {
return LDB_ERR_OPERATIONS_ERROR;
}
- /* we are going to replace the existing krb5key or delete it */
- if (ldb_msg_add_empty(msg, "krb5key", LDB_FLAG_MOD_REPLACE, NULL) != 0) {
- return LDB_ERR_OPERATIONS_ERROR;
- }
+ orig_msg = discard_const(ac->orig_req->op.mod.message);
+ searched_msg = ac->search_res->message;
- /* if we have sambaPassword in the original message add the operation on it here */
- sambaAttr = ldb_msg_find_element(ac->orig_req->op.mod.message, "sambaPassword");
- if (sambaAttr) {
+ ZERO_STRUCT(io);
+ io.ac = ac;
+ io.domain = domain;
+ io.smb_krb5_context = smb_krb5_context;
- if (ldb_msg_add(msg, sambaAttr, sambaAttr->flags) != 0) {
- return LDB_ERR_OPERATIONS_ERROR;
- }
+ io.u.user_account_control = samdb_result_uint(searched_msg, "userAccountControl", 0);
+ io.u.sAMAccountName = samdb_result_string(searched_msg, "samAccountName", NULL);
+ io.u.user_principal_name = samdb_result_string(searched_msg, "userPrincipalName", NULL);
+ io.u.is_computer = ldb_msg_check_string_attribute(searched_msg, "objectClass", "computer");
- /* if we are actually settting a new unicode password,
- * use it to generate the password hashes */
- if (((sambaAttr->flags & LDB_FLAG_MOD_MASK) != LDB_FLAG_MOD_DELETE)
- && (sambaAttr->num_values == 1)) {
- /* we can compute new password hashes from the unicode password */
- ret = add_password_hashes(ac->module, msg, 1);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
-
- added_hashes = True;
-
- /* now add krb5 keys based on unicode password */
- ret = add_krb5_keys_from_password(ac->module, msg, smb_krb5_context, domain,
- ldb_msg_find_attr_as_string(ac->search_res->message, "samAccountName", NULL),
- ldb_msg_find_attr_as_string(ac->search_res->message, "userPrincipalName", NULL),
- ldb_msg_check_string_attribute(ac->search_res->message, "objectClass", "computer"));
-
- if (ret != LDB_SUCCESS) {
- return ret;
- }
-
- /* if the domain properties or the user account controls do not permit
- * clear text passwords then wipe out the sambaPassword */
- if (domain->store_cleartext &&
- (ldb_msg_find_attr_as_uint(ac->search_res->message, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
- /* Keep sambaPassword attribute */
- } else {
- ldb_msg_remove_attr(msg, "sambaPassword");
- }
+ io.n.cleartext = samdb_result_string(orig_msg, "sambaPassword", NULL);
+ io.n.nt_hash = samdb_result_hash(io.ac, orig_msg, "unicodePwd");
+ io.n.lm_hash = samdb_result_hash(io.ac, orig_msg, "dBCSPwd");
- }
+ io.o.kvno = samdb_result_uint(searched_msg, "msDs-KeyVersionNumber", 0);
+ io.o.nt_history_len = samdb_result_hashes(io.ac, searched_msg, "ntPwdHistory", &io.o.nt_history);
+ io.o.lm_history_len = samdb_result_hashes(io.ac, searched_msg, "lmPwdHistory", &io.o.lm_history);
+ io.o.supplemental = ldb_msg_find_ldb_val(searched_msg, "supplementalCredentials");
+
+ ret = setup_password_fields(&io);
+ if (ret != LDB_SUCCESS) {
+ return ret;
}
- /* if we didn't create the hashes above, try using values supplied directly */
- if (!added_hashes) {
- struct ldb_message_element *el;
-
- el = ldb_msg_find_element(ac->orig_req->op.mod.message, "unicodePwd");
- if (ldb_msg_add(msg, el, el->flags) != 0) {
- return LDB_ERR_OPERATIONS_ERROR;
- }
-
- el = ldb_msg_find_element(ac->orig_req->op.mod.message, "dBCSPwd");
- if (ldb_msg_add(msg, el, el->flags) != 0) {
- return LDB_ERR_OPERATIONS_ERROR;
+ /* make sure we replace all the old attributes */
+ ret = ldb_msg_add_empty(msg, "unicodePwd", LDB_FLAG_MOD_REPLACE, NULL);
+ ret = ldb_msg_add_empty(msg, "dBCSPwd", LDB_FLAG_MOD_REPLACE, NULL);
+ ret = ldb_msg_add_empty(msg, "ntPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
+ ret = ldb_msg_add_empty(msg, "lmPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
+ ret = ldb_msg_add_empty(msg, "supplementalCredentials", LDB_FLAG_MOD_REPLACE, NULL);
+ ret = ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE, NULL);
+ ret = ldb_msg_add_empty(msg, "msDs-KeyVersionNumber", LDB_FLAG_MOD_REPLACE, NULL);
+
+ if (io.g.nt_hash) {
+ ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
+ "unicodePwd", io.g.nt_hash);
+ if (ret != LDB_SUCCESS) {
+ return ret;
}
}
-
- /* add also krb5 keys based on NT the hash */
- if (add_krb5_keys_from_NThash(ac->module, msg, smb_krb5_context) != LDB_SUCCESS) {
- return LDB_ERR_OPERATIONS_ERROR;
+ if (io.g.lm_hash) {
+ ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
+ "dBCSPwd", io.g.lm_hash);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
}
-
- /* set change time */
- if (set_pwdLastSet(ac->module, msg, 1) != LDB_SUCCESS) {
- return LDB_ERR_OPERATIONS_ERROR;
+ if (io.g.nt_history_len > 0) {
+ ret = samdb_msg_add_hashes(ac, msg,
+ "ntPwdHistory",
+ io.g.nt_history,
+ io.g.nt_history_len);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
}
-
- /* don't touch it if a value is set. It could be an incoming samsync */
- if (!ldb_msg_find_element(ac->orig_req->op.mod.message,
- "msDS-KeyVersionNumber")) {
- if (add_keyVersionNumber(ac->module, msg,
- ldb_msg_find_attr_as_uint(ac->search_res->message,
- "msDS-KeyVersionNumber", 0)
- ) != LDB_SUCCESS) {
- return LDB_ERR_OPERATIONS_ERROR;
+ if (io.g.lm_history_len > 0) {
+ ret = samdb_msg_add_hashes(ac, msg,
+ "lmPwdHistory",
+ io.g.lm_history,
+ io.g.lm_history_len);
+ if (ret != LDB_SUCCESS) {
+ return ret;
}
}
-
- if ((phlen = samdb_result_uint(ac->dom_res->message, "pwdHistoryLength", 0)) > 0) {
- if (setPwdHistory(ac->module, msg, ac->search_res->message, phlen) != LDB_SUCCESS) {
- return LDB_ERR_OPERATIONS_ERROR;
+ if (io.g.supplemental.length > 0) {
+ ret = ldb_msg_add_value(msg, "supplementalCredentials",
+ &io.g.supplemental, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
}
}
+ ret = samdb_msg_add_uint64(ac->module->ldb, ac, msg,
+ "pwdLastSet",
+ io.g.last_set);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ ret = samdb_msg_add_uint(ac->module->ldb, ac, msg,
+ "msDs-KeyVersionNumber",
+ io.g.kvno);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
h->state = LDB_ASYNC_INIT;
h->status = LDB_SUCCESS;
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index bad3e08829..ffab44c8e9 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -46,6 +46,9 @@
#include "auth/auth_sam.h"
#include "db_wrap.h"
#include "dsdb/samdb/samdb.h"
+#include "librpc/ndr/libndr.h"
+#include "librpc/gen_ndr/ndr_drsblobs.h"
+#include "libcli/auth/libcli_auth.h"
enum hdb_ldb_ent_type
{ HDB_LDB_ENT_TYPE_CLIENT, HDB_LDB_ENT_TYPE_SERVER,
@@ -67,9 +70,9 @@ static const char * const krb5_attrs[] = {
"whenChanged",
"msDS-KeyVersionNumber",
- "krb5Key",
"unicodePwd",
+ "supplementalCredentials",
NULL
};
@@ -205,10 +208,14 @@ static krb5_error_code LDB_message2entry_keys(krb5_context context,
hdb_entry_ex *entry_ex)
{
krb5_error_code ret = 0;
- struct ldb_message_element *krb5keys;
+ NTSTATUS status;
struct samr_Password *hash;
- int i;
- bool arcfour_needed = true;
+ const struct ldb_val *sc_val;
+ struct supplementalCredentialsBlob scb;
+ struct supplementalCredentialsPackage *scp = NULL;
+ struct package_PrimaryKerberosBlob _pkb;
+ struct package_PrimaryKerberosBlob *pkb = NULL;
+ uint32_t i;
uint32_t allocated_keys = 0;
entry_ex->entry.keys.val = NULL;
@@ -216,19 +223,66 @@ static krb5_error_code LDB_message2entry_keys(krb5_context context,
entry_ex->entry.kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0);
- /* Get krb5Key from the db */
+ /* Get keys from the db */
- krb5keys = ldb_msg_find_element(msg, "krb5Key");
hash = samdb_result_hash(mem_ctx, msg, "unicodePwd");
+ sc_val = ldb_msg_find_ldb_val(msg, "supplementalCredentials");
- if (krb5keys) {
- allocated_keys = krb5keys->num_values;
- }
-
+ /* unicodePwd for enctype 0x17 (23) if present */
if (hash) {
allocated_keys++;
}
+ /* supplementalCredentials if present */
+ if (sc_val) {
+ status = ndr_pull_struct_blob_all(sc_val, mem_ctx, &scb,
+ (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
+ if (!NT_STATUS_IS_OK(status)) {
+ dump_data(0, sc_val->data, sc_val->length);
+ ret = EINVAL;
+ goto out;
+ }
+
+ for (i=0; i < scb.sub.num_packages; i++) {
+ if (scb.sub.packages[i].unknown1 != 0x00000001) {
+ continue;
+ }
+
+ if (strcmp("Primary:Kerberos", scb.sub.packages[i].name) != 0) {
+ continue;
+ }
+
+ if (!scb.sub.packages[i].data || !scb.sub.packages[i].data[0]) {
+ continue;
+ }
+
+ scp = &scb.sub.packages[i];
+ break;
+ }
+ }
+ /* Primary:Kerberos element of supplementalCredentials */
+ if (scp) {
+ DATA_BLOB blob;
+
+ blob = strhex_to_data_blob(scp->data);
+ if (!blob.data) {
+ ret = ENOMEM;
+ goto out;
+ }
+ talloc_steal(mem_ctx, blob.data);
+
+ /* TODO: use ndr_pull_struct_blob_all(), when the ndr layer handles it correct with relative pointers */
+ status = ndr_pull_struct_blob(&blob, mem_ctx, &_pkb,
+ (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
+ if (!NT_STATUS_IS_OK(status)) {
+ ret = EINVAL;
+ goto out;
+ }
+ pkb = &_pkb;
+
+ allocated_keys += pkb->num_keys1;
+ }
+
if (allocated_keys == 0) {
/* oh, no password. Apparently (comment in
* hdb-ldap.c) this violates the ASN.1, but this
@@ -244,49 +298,14 @@ static krb5_error_code LDB_message2entry_keys(krb5_context context,
goto out;
}
- /* Decode Kerberos keys into the hdb structure */
- for (i=0; (krb5keys && i < krb5keys->num_values); i++) {
- size_t decode_len;
- Key key;
- ret = decode_Key(krb5keys->values[i].data, krb5keys->values[i].length,
- &key, &decode_len);
- if (ret) {
- /* Could be bougus data in the entry, or out of memory */
- goto out;
- }
-
- if (userAccountControl & UF_USE_DES_KEY_ONLY) {
- switch (key.key.keytype) {
- case KEYTYPE_DES:
- arcfour_needed = false;
- entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
- entry_ex->entry.keys.len++;
- break;
- default:
- /* We must use DES keys only */
- break;
- }
- } else {
- switch (key.key.keytype) {
- case KEYTYPE_ARCFOUR:
- arcfour_needed = false;
- break;
- default:
- break;
- }
- entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
- entry_ex->entry.keys.len++;
- }
- }
-
- if (arcfour_needed && hash) {
+ if (hash && !(userAccountControl & UF_USE_DES_KEY_ONLY)) {
Key key;
key.mkvno = 0;
key.salt = NULL; /* No salt for this enc type */
ret = krb5_keyblock_init(context,
- KEYTYPE_ARCFOUR,
+ ENCTYPE_ARCFOUR_HMAC_MD5,
hash->hash, sizeof(hash->hash),
&key.key);
if (ret) {
@@ -297,11 +316,75 @@ static krb5_error_code LDB_message2entry_keys(krb5_context context,
entry_ex->entry.keys.len++;
}
+ if (pkb) {
+ for (i=0; i < pkb->num_keys1; i++) {
+ bool use = true;
+ Key key;
+
+ if (!pkb->keys1[i].value) continue;
+
+ if (userAccountControl & UF_USE_DES_KEY_ONLY) {
+ switch (pkb->keys1[i].keytype) {
+ case ENCTYPE_DES_CBC_CRC:
+ case ENCTYPE_DES_CBC_MD5:
+ break;
+ default:
+ use = false;
+ break;
+ }
+ }
+
+ if (!use) continue;
+
+ key.mkvno = 0;
+
+ if (pkb->salt.string) {
+ DATA_BLOB salt;
+
+ salt = data_blob_string_const(pkb->salt.string);
+
+ key.salt = calloc(1, sizeof(*key.salt));
+ if (key.salt == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+
+ key.salt->type = hdb_pw_salt;
+
+ ret = krb5_data_copy(&key.salt->salt, salt.data, salt.length);
+ if (ret) {
+ free(key.salt);
+ key.salt = NULL;
+ goto out;
+ }
+ }
+
+ ret = krb5_keyblock_init(context,
+ pkb->keys1[i].keytype,
+ pkb->keys1[i].value->data,
+ pkb->keys1[i].value->length,
+ &key.key);
+ if (ret) {
+ if (key.salt) {
+ free_Salt(key.salt);
+ free(key.salt);
+ key.salt = NULL;
+ }
+ goto out;
+ }
+
+ entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
+ entry_ex->entry.keys.len++;
+ }
+ }
+
out:
- if (ret != 0 && entry_ex->entry.keys.val) {
+ if (ret != 0) {
+ entry_ex->entry.keys.len = 0;
+ }
+ if (entry_ex->entry.keys.len == 0 && entry_ex->entry.keys.val) {
free(entry_ex->entry.keys.val);
entry_ex->entry.keys.val = NULL;
- entry_ex->entry.keys.len = 0;
}
return ret;
}