diff options
Diffstat (limited to 'source4/dsdb/samdb/ldb_modules')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/password_hash.c | 1087 |
1 files changed, 1076 insertions, 11 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index 46bafeefc2..b7f4aff67a 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -121,13 +121,6 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r /* Do the original action */ - /* If no part of this touches the sambaPassword, then we don't - * need to make any changes. For password changes/set there should - * be a 'delete' or a 'modify' on this attribute. */ - if ((attribute = ldb_msg_find_element(msg, "sambaPassword")) == NULL ) { - return ldb_next_request(module, req); - } - mem_ctx = talloc_new(module); if (!mem_ctx) { return LDB_ERR_OPERATIONS_ERROR; @@ -326,7 +319,7 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r is_computer = False; } - domain_expression = talloc_asprintf(mem_ctx, "(&(objectSid=%s)(|(objectClass=domain)(objectClass=builtinDomain)))", + domain_expression = talloc_asprintf(mem_ctx, "(&(objectSid=%s)(objectClass=domain))", ldap_encode_ndr_dom_sid(mem_ctx, domain_sid)); /* Find the user's domain, then find out the domain password @@ -663,12 +656,12 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r } sambaNTPwdHistory_len = MIN(sambaNTPwdHistory_len + 1, pwdHistoryLength); - CHECK_RET(samdb_msg_add_hashes(module->ldb, mem_ctx, modify_msg, + CHECK_RET(samdb_msg_add_hashes(mem_ctx, modify_msg, "sambaLMPwdHistory", new_sambaLMPwdHistory, sambaLMPwdHistory_len)); - CHECK_RET(samdb_msg_add_hashes(module->ldb, mem_ctx, modify_msg, + CHECK_RET(samdb_msg_add_hashes(mem_ctx, modify_msg, "sambaNTPwdHistory", new_sambaNTPwdHistory, sambaNTPwdHistory_len)); @@ -704,6 +697,13 @@ static int password_hash_add(struct ldb_module *module, struct ldb_request *req) return ldb_next_request(module, req); } + /* If no part of this touches the sambaPassword, then we don't + * need to make any changes. For password changes/set there should + * be a 'delete' or a 'modify' on this attribute. */ + if (ldb_msg_find_element(msg, "sambaPassword") == NULL ) { + return ldb_next_request(module, req); + } + return password_hash_handle(module, req, msg); } @@ -718,9 +718,1067 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r return ldb_next_request(module, req); } + /* If no part of this touches the sambaPassword, then we don't + * need to make any changes. For password changes/set there should + * be a 'delete' or a 'modify' on this attribute. */ + if (ldb_msg_find_element(msg, "sambaPassword") == NULL ) { + return ldb_next_request(module, req); + } + return password_hash_handle(module, req, msg); } +enum ph_type {PH_ADD, PH_MOD}; +enum ph_step {PH_ADD_SEARCH_DOM, PH_ADD_DO_ADD, PH_MOD_DO_REQ, PH_MOD_SEARCH_SELF, PH_MOD_SEARCH_DOM, PH_MOD_DO_MOD}; + +struct ph_async_context { + + enum ph_type type; + enum ph_step step; + + struct ldb_module *module; + struct ldb_request *orig_req; + + struct ldb_request *dom_req; + struct ldb_async_result *dom_res; + + struct ldb_request *down_req; + + struct ldb_request *search_req; + struct ldb_async_result *search_res; + + struct ldb_request *mod_req; +}; + +struct domain_data { + uint_t pwdProperties; + uint_t pwdHistoryLength; + char *dnsDomain; + char *realm; +}; + +static int add_password_hashes(struct ldb_module *module, struct ldb_message *msg, int is_mod) +{ + const char *sambaPassword; + struct samr_Password tmp_hash; + + sambaPassword = ldb_msg_find_string(msg, "sambaPassword", NULL); + if (sambaPassword == NULL) { /* impossible, what happened ?! */ + return LDB_ERR_OPERATIONS_ERROR; + } + + /* compute the new nt and lm hashes */ + if (is_mod) { + if (ldb_msg_add_empty(msg, "ntPwdHash", LDB_FLAG_MOD_REPLACE) != 0) { + return LDB_ERR_OPERATIONS_ERROR; + } + } + E_md4hash(sambaPassword, tmp_hash.hash); + if (samdb_msg_add_hash(module->ldb, msg, msg, "ntPwdHash", &tmp_hash) != 0) { + return LDB_ERR_OPERATIONS_ERROR; + } + + if (E_deshash(sambaPassword, tmp_hash.hash)) { + if (is_mod) { + if (ldb_msg_add_empty(msg, "lmPwdHash", LDB_FLAG_MOD_REPLACE) != 0) { + return LDB_ERR_OPERATIONS_ERROR; + } + } + if (samdb_msg_add_hash(module->ldb, msg, msg, "lmPwdHash", &tmp_hash) != 0) { + return LDB_ERR_OPERATIONS_ERROR; + } + } + + return LDB_SUCCESS; +} + +static int add_krb5_keys_from_password(struct ldb_module *module, struct ldb_message *msg, + struct smb_krb5_context *smb_krb5_context, + struct domain_data *domain, + const char *samAccountName, + const char *user_principal_name, + int is_computer) +{ + const char *sambaPassword; + Principal *salt_principal; + krb5_error_code krb5_ret; + size_t num_keys; + Key *keys; + int i; + + /* Many, many thanks to lukeh@padl.com for this + * algorithm, described in his Nov 10 2004 mail to + * samba-technical@samba.org */ + + sambaPassword = ldb_msg_find_string(msg, "sambaPassword", NULL); + if (sambaPassword == NULL) { /* impossible, what happened ?! */ + return LDB_ERR_OPERATIONS_ERROR; + } + + if (is_computer) { + /* Determine a salting principal */ + char *name = talloc_strdup(msg, samAccountName); + char *saltbody; + if (name == NULL) { + ldb_set_errstring(module->ldb, + talloc_asprintf(msg, "password_hash_handle: " + "generation of new kerberos keys failed: %s is a computer without a samAccountName", + ldb_dn_linearize(msg, msg->dn))); + return LDB_ERR_OPERATIONS_ERROR; + } + if (name[strlen(name)-1] == '$') { + name[strlen(name)-1] = '\0'; + } + saltbody = talloc_asprintf(msg, "%s.%s", name, domain->dnsDomain); + + krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context, + &salt_principal, + domain->realm, "host", + saltbody, NULL); + } else if (user_principal_name) { + char *p; + user_principal_name = talloc_strdup(msg, user_principal_name); + if (user_principal_name == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } else { + p = strchr(user_principal_name, '@'); + if (p) { + p[0] = '\0'; + } + krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context, + &salt_principal, + domain->realm, user_principal_name, NULL); + } + } else { + if (!samAccountName) { + ldb_set_errstring(module->ldb, + talloc_asprintf(msg, "password_hash_handle: " + "generation of new kerberos keys failed: %s has no samAccountName", + ldb_dn_linearize(msg, msg->dn))); + return LDB_ERR_OPERATIONS_ERROR; + } + krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context, + &salt_principal, + domain->realm, samAccountName, + NULL); + } + + if (krb5_ret) { + ldb_set_errstring(module->ldb, + talloc_asprintf(msg, "password_hash_handle: " + "generation of a saltking principal failed: %s", + smb_get_krb5_error_message(smb_krb5_context->krb5_context, + krb5_ret, msg))); + return LDB_ERR_OPERATIONS_ERROR; + } + + /* TODO: We may wish to control the encryption types chosen in future */ + krb5_ret = hdb_generate_key_set_password(smb_krb5_context->krb5_context, + salt_principal, sambaPassword, &keys, &num_keys); + krb5_free_principal(smb_krb5_context->krb5_context, salt_principal); + + if (krb5_ret) { + ldb_set_errstring(module->ldb, + talloc_asprintf(msg, "password_hash_handle: " + "generation of new kerberos keys failed: %s", + smb_get_krb5_error_message(smb_krb5_context->krb5_context, + krb5_ret, msg))); + return LDB_ERR_OPERATIONS_ERROR; + } + + /* Walking all the key types generated, transform each + * key into an ASN.1 blob + */ + for (i=0; i < num_keys; i++) { + unsigned char *buf; + size_t buf_size; + size_t len; + struct ldb_val val; + int ret; + + if (keys[i].key.keytype == ENCTYPE_ARCFOUR_HMAC) { + /* We might end up doing this below: + * This ensures we get the unicode + * conversion right. This should also + * be fixed in the Heimdal libs */ + continue; + } + ASN1_MALLOC_ENCODE(Key, buf, buf_size, &keys[i], &len, krb5_ret); + if (krb5_ret) { + return LDB_ERR_OPERATIONS_ERROR; + } + + val.data = talloc_memdup(msg, buf, len); + val.length = len; + free(buf); + if (!val.data || krb5_ret) { + hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys); + return LDB_ERR_OPERATIONS_ERROR; + } + ret = ldb_msg_add_value(msg, "krb5Key", &val); + if (ret != LDB_SUCCESS) { + hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys); + return ret; + } + } + + hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys); + + return LDB_SUCCESS; +} + +static int add_krb5_keys_from_NThash(struct ldb_module *module, struct ldb_message *msg, + struct smb_krb5_context *smb_krb5_context) +{ + struct samr_Password *ntPwdHash; + krb5_error_code krb5_ret; + unsigned char *buf; + size_t buf_size; + size_t len; + struct ldb_val val; + Key key; + + key.mkvno = 0; + key.salt = NULL; /* No salt for this enc type */ + + ntPwdHash = samdb_result_hash(msg, msg, "ntPwdHash"); + if (ntPwdHash == NULL) { /* what happened ?! */ + return LDB_ERR_OPERATIONS_ERROR; + } + + krb5_ret = krb5_keyblock_init(smb_krb5_context->krb5_context, + ENCTYPE_ARCFOUR_HMAC, + ntPwdHash->hash, sizeof(ntPwdHash->hash), + &key.key); + if (krb5_ret) { + return LDB_ERR_OPERATIONS_ERROR; + } + ASN1_MALLOC_ENCODE(Key, buf, buf_size, &key, &len, krb5_ret); + if (krb5_ret) { + return LDB_ERR_OPERATIONS_ERROR; + } + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, + &key.key); + + val.data = talloc_memdup(msg, buf, len); + val.length = len; + free(buf); + if (!val.data) { + return LDB_ERR_OPERATIONS_ERROR; + } + if (ldb_msg_add_value(msg, "krb5Key", &val) != 0) { + return LDB_ERR_OPERATIONS_ERROR; + } + + return LDB_SUCCESS; +} + +static int set_pwdLastSet(struct ldb_module *module, struct ldb_message *msg) +{ + NTTIME now_nt; + + /* set it as now */ + unix_to_nt_time(&now_nt, time(NULL)); + + /* replace or add */ + if (ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE) != 0) { + return LDB_ERR_OPERATIONS_ERROR; + } + + if (samdb_msg_add_uint64(module->ldb, msg, msg, "pwdLastSet", now_nt) != 0) { + return LDB_ERR_OPERATIONS_ERROR; + } + + return LDB_SUCCESS; +} + +static int add_keyVersionNumber(struct ldb_module *module, struct ldb_message *msg, int previous) +{ + /* replace or add */ + if (ldb_msg_add_empty(msg, "msDS-KeyVersionNumber", LDB_FLAG_MOD_REPLACE) != 0) { + return LDB_ERR_OPERATIONS_ERROR; + } + + if (samdb_msg_add_uint(module->ldb, msg, msg, "msDS-KeyVersionNumber", previous+1) != 0) { + return LDB_ERR_OPERATIONS_ERROR; + } + + return LDB_SUCCESS; +} + +static int setPwdHistory(struct ldb_module *module, struct ldb_message *msg, struct ldb_message *old_msg, int hlen) +{ + struct samr_Password *nt_hash; + struct samr_Password *lm_hash; + struct samr_Password *nt_history; + struct samr_Password *lm_history; + struct samr_Password *new_nt_history; + struct samr_Password *new_lm_history; + int nt_hist_len; + int lm_hist_len; + int i; + + nt_hash = samdb_result_hash(msg, old_msg, "ntPwdHash"); + lm_hash = samdb_result_hash(msg, old_msg, "lmPwdHash"); + + /* if no previous passwords just return */ + if (nt_hash == NULL && lm_hash == NULL) return LDB_SUCCESS; + + nt_hist_len = samdb_result_hashes(msg, old_msg, "sambaNTPwdHistory", &nt_history); + lm_hist_len = samdb_result_hashes(msg, old_msg, "sambaLMPwdHistory", &lm_history); + + /* We might not have an old NT password */ + new_nt_history = talloc_array(msg, struct samr_Password, hlen); + if (new_nt_history == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } + for (i = 0; i < MIN(hlen-1, nt_hist_len); i++) { + new_nt_history[i+1] = nt_history[i]; + } + nt_hist_len = i + 1; + if (nt_hash) { + new_nt_history[0] = *nt_hash; + } else { + ZERO_STRUCT(new_nt_history[0]); + } + if (ldb_msg_add_empty(msg, "sambaNTPwdHistory", LDB_FLAG_MOD_REPLACE) != LDB_SUCCESS) { + return LDB_ERR_OPERATIONS_ERROR; + } + if (samdb_msg_add_hashes(msg, msg, "sambaNTPwdHistory", new_nt_history, nt_hist_len) != LDB_SUCCESS) { + return LDB_ERR_OPERATIONS_ERROR; + } + + + /* Don't store 'long' passwords in the LM history, + but make sure to 'expire' one password off the other end */ + new_lm_history = talloc_array(msg, struct samr_Password, hlen); + if (new_lm_history == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } + for (i = 0; i < MIN(hlen-1, lm_hist_len); i++) { + new_lm_history[i+1] = lm_history[i]; + } + lm_hist_len = i + 1; + if (lm_hash) { + new_lm_history[0] = *lm_hash; + } else { + ZERO_STRUCT(new_lm_history[0]); + } + if (ldb_msg_add_empty(msg, "sambaLMPwdHistory", LDB_FLAG_MOD_REPLACE) != LDB_SUCCESS) { + return LDB_ERR_OPERATIONS_ERROR; + } + if (samdb_msg_add_hashes(msg, msg, "sambaLMPwdHistory", new_lm_history, lm_hist_len) != LDB_SUCCESS) { + return LDB_ERR_OPERATIONS_ERROR; + } + + return LDB_SUCCESS; +} + +static struct ldb_async_handle *ph_init_handle(struct ldb_request *req, struct ldb_module *module, enum ph_type type) +{ + struct ph_async_context *ac; + struct ldb_async_handle *h; + + h = talloc_zero(req, struct ldb_async_handle); + if (h == NULL) { + ldb_set_errstring(module->ldb, talloc_asprintf(module, "Out of Memory")); + return NULL; + } + + h->module = module; + + ac = talloc_zero(h, struct ph_async_context); + if (ac == NULL) { + ldb_set_errstring(module->ldb, talloc_asprintf(module, "Out of Memory")); + talloc_free(h); + return NULL; + } + + h->private_data = (void *)ac; + + h->state = LDB_ASYNC_INIT; + h->status = LDB_SUCCESS; + + ac->type = type; + ac->module = module; + ac->orig_req = req; + + return h; +} + +static int get_domain_data_callback(struct ldb_context *ldb, void *context, struct ldb_async_result *ares) +{ + struct ph_async_context *ac; + + if (!context || !ares) { + ldb_set_errstring(ldb, talloc_asprintf(ldb, "NULL Context or Result in callback")); + return LDB_ERR_OPERATIONS_ERROR; + } + + ac = talloc_get_type(context, struct ph_async_context); + + /* we are interested only in the single reply (base search) we receive here */ + if (ares->type == LDB_REPLY_ENTRY) { + if (ac->dom_res != NULL) { + ldb_set_errstring(ldb, talloc_asprintf(ldb, "Too many results")); + talloc_free(ares); + return LDB_ERR_OPERATIONS_ERROR; + } + ac->dom_res = talloc_steal(ac, ares); + } else { + talloc_free(ares); + } + + return LDB_SUCCESS; +} + +static int build_domain_data_request(struct ph_async_context *ac, + struct dom_sid *sid) +{ + const char * const attrs[] = { "pwdProperties", "pwdHistoryLength", "dnsDomain", NULL }; + char *filter; + + ac->dom_req = talloc_zero(ac, struct ldb_request); + if (ac->dom_req == NULL) { + ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n"); + return LDB_ERR_OPERATIONS_ERROR; + } + ac->dom_req->operation = LDB_ASYNC_SEARCH; + ac->dom_req->op.search.base = NULL; + ac->dom_req->op.search.scope = LDB_SCOPE_SUBTREE; + + filter = talloc_asprintf(ac->dom_req, "(&(objectSid=%s)(objectClass=domain))", dom_sid_string(ac->dom_req, sid)); + if (filter == NULL) { + ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n"); + talloc_free(ac->dom_req); + return LDB_ERR_OPERATIONS_ERROR; + } + + ac->dom_req->op.search.tree = ldb_parse_tree(ac->module->ldb, filter); + if (ac->dom_req->op.search.tree == NULL) { + ldb_set_errstring(ac->module->ldb, talloc_asprintf(ac, "Invalid search filter")); + talloc_free(ac->dom_req); + return LDB_ERR_OPERATIONS_ERROR; + } + ac->dom_req->op.search.attrs = attrs; + ac->dom_req->controls = NULL; + ac->dom_req->creds = ac->orig_req->creds; + ac->dom_req->async.context = ac; + ac->dom_req->async.callback = get_domain_data_callback; + ac->dom_req->async.timeout = ac->orig_req->async.timeout; + + return LDB_SUCCESS; +} + +static struct domain_data *get_domain_data(struct ldb_module *module, void *mem_ctx, struct ldb_async_result *res) +{ + struct domain_data *data; + const char *tmp; + + data = talloc_zero(mem_ctx, struct domain_data); + if (data == NULL) { + return NULL; + } + + data->pwdProperties = samdb_result_uint(res->message, "pwdProperties", 0); + data->pwdHistoryLength = samdb_result_uint(res->message, "pwdHistoryLength", 0); + tmp = ldb_msg_find_string(res->message, "dnsDomain", NULL); + + if (tmp != NULL) { + data->dnsDomain = talloc_strdup(data, tmp); + if (data->dnsDomain == NULL) { + ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n"); + return NULL; + } + data->realm = strupper_talloc(mem_ctx, tmp); + if (data->realm == NULL) { + ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n"); + return NULL; + } + } + + return data; +} + +static int password_hash_add_async(struct ldb_module *module, struct ldb_request *req) +{ + struct ldb_async_handle *h; + struct ph_async_context *ac; + struct ldb_message_element *attribute; + struct dom_sid *domain_sid; + int ret; + + ldb_debug(module->ldb, LDB_DEBUG_TRACE, "password_hash_add_async\n"); + + if (ldb_dn_is_special(req->op.add.message->dn)) { /* do not manipulate our control entries */ + return ldb_next_request(module, req); + } + + /* nobody must touch password Histories */ + if (ldb_msg_find_element(req->op.add.message, "sambaNTPwdHistory") || + ldb_msg_find_element(req->op.add.message, "sambaLMPwdHistory")) { + return LDB_ERR_UNWILLING_TO_PERFORM; + } + + /* If no part of this touches the sambaPassword, then we don't + * need to make any changes. For password changes/set there should + * be a 'delete' or a 'modify' on this attribute. */ + if ((attribute = ldb_msg_find_element(req->op.add.message, "sambaPassword")) == NULL ) { + return ldb_next_request(module, req); + } + + /* if it is not an entry of type person its an error */ + /* TODO: remove this when sambaPassword will be in schema */ + if (!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "person")) { + return LDB_ERR_OBJECT_CLASS_VIOLATION; + } + + /* check sambaPassword is single valued here */ + /* TODO: remove this when sambaPassword will be single valued in schema */ + if (attribute->num_values > 1) { + ldb_set_errstring(module->ldb, talloc_asprintf(req, + "mupltiple values for sambaPassword not allowed!\n")); + return LDB_ERR_CONSTRAINT_VIOLATION; + } + + /* get user domain data */ + domain_sid = samdb_result_sid_prefix(req, req->op.add.message, "objectSid"); + if (domain_sid == NULL) { + ldb_debug(module->ldb, LDB_DEBUG_ERROR, "can't handle entry with missing objectSid!\n"); + return LDB_ERR_OPERATIONS_ERROR; + } + + h = ph_init_handle(req, module, PH_ADD); + if (!h) { + return LDB_ERR_OPERATIONS_ERROR; + } + ac = talloc_get_type(h->private_data, struct ph_async_context); + + ret = build_domain_data_request(ac, domain_sid); + if (ret != LDB_SUCCESS) { + return ret; + } + + ac->step = PH_ADD_SEARCH_DOM; + + req->async.handle = h; + + return ldb_next_request(module, ac->dom_req); +} + +static int password_hash_add_async_do_add(struct ldb_async_handle *h) { + + struct ph_async_context *ac; + struct domain_data *domain; + struct smb_krb5_context *smb_krb5_context; + struct ldb_message *msg; + + ac = talloc_get_type(h->private_data, struct ph_async_context); + + domain = get_domain_data(ac->module, ac, ac->search_res); + if (domain == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } + + ac->down_req = talloc(ac, struct ldb_request); + if (ac->down_req == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } + + *(ac->down_req) = *(ac->orig_req); + ac->down_req->op.add.message = msg = ldb_msg_copy_shallow(ac->down_req, ac->orig_req->op.add.message); + if (ac->down_req->op.add.message == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } + + /* Some operations below require kerberos contexts */ + if (smb_krb5_init_context(ac->down_req, &smb_krb5_context) != 0) { + return LDB_ERR_OPERATIONS_ERROR; + } + + /* we can compute new password hashes from the unicode password */ + if (add_password_hashes(ac->module, msg, 0) != LDB_SUCCESS) { + return LDB_ERR_OPERATIONS_ERROR; + } + + /* now add krb5 keys based on unicode password */ + if (add_krb5_keys_from_password(ac->module, msg, smb_krb5_context, domain, + ldb_msg_find_string(msg, "samAccountName", NULL), + ldb_msg_find_string(msg, "userPrincipalName", NULL), + ldb_msg_check_string_attribute(msg, "objectClass", "computer") + ) != LDB_SUCCESS) { + return LDB_ERR_OPERATIONS_ERROR; + } + + /* add also kr5 keys based on NT the hash */ + if (add_krb5_keys_from_NThash(ac->module, msg, smb_krb5_context) != LDB_SUCCESS) { + return LDB_ERR_OPERATIONS_ERROR; + } + + /* if both the domain properties and the user account controls do not permit + * clear text passwords then wipe out the sambaPassword */ + if ((!(domain->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT)) || + (!(ldb_msg_find_uint(msg, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED))) { + ldb_msg_remove_attr(msg, "sambaPassword"); + } + + /* don't touch it if a value is set. It could be an incoming samsync */ + if (ldb_msg_find_uint64(msg, "pwdLastSet", 0) == 0) { + if (set_pwdLastSet(ac->module, msg) != LDB_SUCCESS) { + return LDB_ERR_OPERATIONS_ERROR; + } + } + + /* don't touch it if a value is set. It could be an incoming samsync */ + if (!ldb_msg_find_element(msg, "msDS-KeyVersionNumber")) { + if (add_keyVersionNumber(ac->module, msg, 0) != LDB_SUCCESS) { + return LDB_ERR_OPERATIONS_ERROR; + } + } + + h->state = LDB_ASYNC_INIT; + h->status = LDB_SUCCESS; + + ac->step = PH_ADD_DO_ADD; + + /* perform the operation */ + return ldb_next_request(ac->module, ac->down_req); +} + +static int password_hash_mod_async_search_self(struct ldb_async_handle *h); + +static int password_hash_modify_async(struct ldb_module *module, struct ldb_request *req) +{ + struct ldb_async_handle *h; + struct ph_async_context *ac; + struct ldb_message_element *sambaAttr; + struct ldb_message_element *ntAttr; + struct ldb_message_element *lmAttr; + + ldb_debug(module->ldb, LDB_DEBUG_TRACE, "password_hash_add_async\n"); + + if (ldb_dn_is_special(req->op.mod.message->dn)) { /* do not manipulate our control entries */ + return ldb_next_request(module, req); + } + + /* nobody must touch password Histories */ + if (ldb_msg_find_element(req->op.mod.message, "sambaNTPwdHistory") || + ldb_msg_find_element(req->op.mod.message, "sambaLMPwdHistory")) { + return LDB_ERR_UNWILLING_TO_PERFORM; + } + + sambaAttr = ldb_msg_find_element(req->op.mod.message, "sambaPassword"); + ntAttr = ldb_msg_find_element(req->op.mod.message, "ntPwdHash"); + lmAttr = ldb_msg_find_element(req->op.mod.message, "lmPwdHash"); + + /* check passwords are single valued here */ + /* TODO: remove this when passwords will be single valued in schema */ + if (sambaAttr && (sambaAttr->num_values > 1)) { + return LDB_ERR_CONSTRAINT_VIOLATION; + } + if (ntAttr && (ntAttr->num_values > 1)) { + return LDB_ERR_CONSTRAINT_VIOLATION; + } + if (lmAttr && (lmAttr->num_values > 1)) { + return LDB_ERR_CONSTRAINT_VIOLATION; + } + + /* If no part of this touches the sambaPassword OR ntPwdHash and/or lmPwdHash, then we don't + * need to make any changes. For password changes/set there should + * be a 'delete' or a 'modify' on this attribute. */ + /* If the only operation is the deletion of the passwords then go on */ + if ( ((!sambaAttr) || ((sambaAttr->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE)) + && ((!ntAttr) || ((ntAttr->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE)) + && ((!lmAttr) || ((lmAttr->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE)) ) { + + return ldb_next_request(module, req); + } + + h = ph_init_handle(req, module, PH_MOD); + if (!h) { + return LDB_ERR_OPERATIONS_ERROR; + } + ac = talloc_get_type(h->private_data, struct ph_async_context); + + /* return or own handle to deal with this call */ + req->async.handle = h; + + /* prepare the first operation */ + ac->down_req = talloc_zero(ac, struct ldb_request); + if (ac->down_req == NULL) { + ldb_set_errstring(module->ldb, talloc_asprintf(module->ldb, "Out of memory!")); + return LDB_ERR_OPERATIONS_ERROR; + } + + *(ac->down_req) = *req; /* copy the request */ + + /* use a new message structure so that we can modify it */ + ac->down_req->op.mod.message = ldb_msg_copy_shallow(ac->down_req, req->op.mod.message); + + /* - remove any imodification to the password from the first commit + * we will make the real modification later */ + if (sambaAttr) ldb_msg_remove_attr(ac->down_req->op.mod.message, "sambaPassword"); + if (ntAttr) ldb_msg_remove_attr(ac->down_req->op.mod.message, "ntPwdHash"); + if (lmAttr) ldb_msg_remove_attr(ac->down_req->op.mod.message, "lmPwdHash"); + + /* if there was nothing else to be modify skip to next step */ + if (ac->down_req->op.mod.message->num_elements == 0) { + talloc_free(ac->down_req); + ac->down_req = NULL; + return password_hash_mod_async_search_self(h); + } + + ac->down_req->async.context = NULL; + ac->down_req->async.callback = NULL; + + ac->step = PH_MOD_DO_REQ; + + return ldb_next_request(module, ac->down_req); +} + +static int get_self_callback(struct ldb_context *ldb, void *context, struct ldb_async_result *ares) +{ + struct ph_async_context *ac; + + if (!context || !ares) { + ldb_set_errstring(ldb, talloc_asprintf(ldb, "NULL Context or Result in callback")); + return LDB_ERR_OPERATIONS_ERROR; + } + + ac = talloc_get_type(context, struct ph_async_context); + + /* we are interested only in the single reply (base search) we receive here */ + if (ares->type == LDB_REPLY_ENTRY) { + if (ac->search_res != NULL) { + ldb_set_errstring(ldb, talloc_asprintf(ldb, "Too many results")); + talloc_free(ares); + return LDB_ERR_OPERATIONS_ERROR; + } + + /* if it is not an entry of type person this is an error */ + /* TODO: remove this when sambaPassword will be in schema */ + if (!ldb_msg_check_string_attribute(ares->message, "objectClass", "person")) { + ldb_set_errstring(ldb, talloc_asprintf(ldb, "Object class violation")); + talloc_free(ares); + return LDB_ERR_OBJECT_CLASS_VIOLATION; + } + + ac->search_res = talloc_steal(ac, ares); + } else { + talloc_free(ares); + } + + return LDB_SUCCESS; +} + +static int password_hash_mod_async_search_self(struct ldb_async_handle *h) { + + struct ph_async_context *ac; + + ac = talloc_get_type(h->private_data, struct ph_async_context); + + /* prepare the search operation */ + ac->search_req = talloc_zero(ac, struct ldb_request); + if (ac->search_req == NULL) { + ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n"); + return LDB_ERR_OPERATIONS_ERROR; + } + + ac->search_req->operation = LDB_ASYNC_SEARCH; + ac->search_req->op.search.base = ac->orig_req->op.mod.message->dn; + ac->search_req->op.search.scope = LDB_SCOPE_BASE; + ac->search_req->op.search.tree = ldb_parse_tree(ac->module->ldb, NULL); + if (ac->search_req->op.search.tree == NULL) { + ldb_set_errstring(ac->module->ldb, talloc_asprintf(ac, "Invalid search filter")); + return LDB_ERR_OPERATIONS_ERROR; + } + ac->search_req->op.search.attrs = NULL; + ac->search_req->controls = NULL; + ac->search_req->creds = ac->orig_req->creds; + ac->search_req->async.context = ac; + ac->search_req->async.callback = get_self_callback; + ac->search_req->async.timeout = ac->orig_req->async.timeout; + + ac->step = PH_MOD_SEARCH_SELF; + + return ldb_next_request(ac->module, ac->search_req); +} + +static int password_hash_mod_async_search_dom(struct ldb_async_handle *h) { + + struct ph_async_context *ac; + struct dom_sid *domain_sid; + int ret; + + ac = talloc_get_type(h->private_data, struct ph_async_context); + + /* get object domain sid */ + domain_sid = samdb_result_sid_prefix(ac, ac->search_res->message, "objectSid"); + if (domain_sid == NULL) { + ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "can't handle entry with missing objectSid!\n"); + return LDB_ERR_OPERATIONS_ERROR; + } + + /* get user domain data */ + ret = build_domain_data_request(ac, domain_sid); + if (ret != LDB_SUCCESS) { + return ret; + } + + ac->step = PH_MOD_SEARCH_DOM; + + return ldb_next_request(ac->module, ac->dom_req); +} + +static int password_hash_mod_async_do_mod(struct ldb_async_handle *h) { + + struct ph_async_context *ac; + struct domain_data *domain; + struct smb_krb5_context *smb_krb5_context; + struct ldb_message_element *sambaAttr; + struct ldb_message *msg; + int phlen; + + ac = talloc_get_type(h->private_data, struct ph_async_context); + + domain = get_domain_data(ac->module, ac, ac->dom_res); + if (domain == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } + + ac->mod_req = talloc(ac, struct ldb_request); + if (ac->mod_req == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } + + *(ac->mod_req) = *(ac->orig_req); + + /* use a new message structure so that we can modify it */ + ac->mod_req->op.mod.message = msg = ldb_msg_new(ac->mod_req); + if (msg == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } + + /* modify dn */ + msg->dn = ac->orig_req->op.mod.message->dn; + + /* Some operations below require kerberos contexts */ + if (smb_krb5_init_context(ac->mod_req, &smb_krb5_context) != 0) { + return LDB_ERR_OPERATIONS_ERROR; + } + + /* we are going to replace the existing krb5key or delete it */ + if (ldb_msg_add_empty(msg, "krb5key", LDB_FLAG_MOD_REPLACE) != 0) { + return LDB_ERR_OPERATIONS_ERROR; + } + + /* if we have sambaPassword in the original message add the operatio on it here */ + sambaAttr = ldb_msg_find_element(ac->orig_req->op.mod.message, "sambaPassword"); + if (sambaAttr) { + + if (ldb_msg_add(msg, sambaAttr, sambaAttr->flags) != 0) { + return LDB_ERR_OPERATIONS_ERROR; + } + + /* we are not deleteing it add password hashes */ + if ((sambaAttr->flags & LDB_FLAG_MOD_MASK) != LDB_FLAG_MOD_DELETE) { + + /* we can compute new password hashes from the unicode password */ + if (add_password_hashes(ac->module, msg, 1) != LDB_SUCCESS) { + return LDB_ERR_OPERATIONS_ERROR; + } + + /* now add krb5 keys based on unicode password */ + if (add_krb5_keys_from_password(ac->module, msg, smb_krb5_context, domain, + ldb_msg_find_string(ac->search_res->message, "samAccountName", NULL), + ldb_msg_find_string(ac->search_res->message, "userPrincipalName", NULL), + ldb_msg_check_string_attribute(ac->search_res->message, "objectClass", "computer") + ) != LDB_SUCCESS) { + return LDB_ERR_OPERATIONS_ERROR; + } + + /* if the domain properties or the user account controls do not permit + * clear text passwords then wipe out the sambaPassword */ + if ((!(domain->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT)) || + (!(ldb_msg_find_uint(ac->search_res->message, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED))) { + ldb_msg_remove_attr(msg, "sambaPassword"); + } + + } + } + + /* if we don't have sambaPassword or we are trying to delete it try with nt or lm hasehs */ + if ((!sambaAttr) || ((sambaAttr->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE)) { + struct ldb_message_element *el; + + el = ldb_msg_find_element(ac->orig_req->op.mod.message, "ntPwdHash"); + if (ldb_msg_add(msg, el, el->flags) != 0) { + return LDB_ERR_OPERATIONS_ERROR; + } + + el = ldb_msg_find_element(ac->orig_req->op.mod.message, "lmPwdHash"); + if (ldb_msg_add(msg, el, el->flags) != 0) { + return LDB_ERR_OPERATIONS_ERROR; + } + } + + /* add also kr5 keys based on NT the hash */ + if (add_krb5_keys_from_NThash(ac->module, msg, smb_krb5_context) != LDB_SUCCESS) { + return LDB_ERR_OPERATIONS_ERROR; + } + + /* set change time */ + if (set_pwdLastSet(ac->module, msg) != LDB_SUCCESS) { + return LDB_ERR_OPERATIONS_ERROR; + } + + /* don't touch it if a value is set. It could be an incoming samsync */ + if (add_keyVersionNumber(ac->module, msg, + ldb_msg_find_uint(msg, "msDS-KeyVersionNumber", 0) + ) != LDB_SUCCESS) { + return LDB_ERR_OPERATIONS_ERROR; + } + + if ((phlen = samdb_result_uint(ac->dom_res->message, "pwdHistoryLength", 0)) > 0) { + if (setPwdHistory(ac->module, msg, ac->search_res->message, phlen) != LDB_SUCCESS) { + return LDB_ERR_OPERATIONS_ERROR; + } + } + + h->state = LDB_ASYNC_INIT; + h->status = LDB_SUCCESS; + + ac->step = PH_MOD_DO_MOD; + + /* perform the search */ + return ldb_next_request(ac->module, ac->mod_req); +} + +static int ph_async_wait(struct ldb_async_handle *handle) { + struct ph_async_context *ac; + int ret; + + if (!handle || !handle->private_data) { + return LDB_ERR_OPERATIONS_ERROR; + } + + if (handle->state == LDB_ASYNC_DONE) { + return handle->status; + } + + handle->state = LDB_ASYNC_PENDING; + + ac = talloc_get_type(handle->private_data, struct ph_async_context); + + switch (ac->step) { + case PH_ADD_SEARCH_DOM: + if (ac->dom_req->async.handle->status != LDB_ASYNC_DONE) { + ret = ldb_async_wait(ac->dom_req->async.handle, LDB_WAIT_NONE); + if (ret != LDB_SUCCESS) goto error; + + if (ac->dom_req->async.handle->status != LDB_ASYNC_DONE) { + return LDB_SUCCESS; + } + } + + /* domain search done, go on */ + return password_hash_add_async_do_add(handle); + + case PH_ADD_DO_ADD: + if (ac->down_req->async.handle->status != LDB_ASYNC_DONE) { + ret = ldb_async_wait(ac->down_req->async.handle, LDB_WAIT_NONE); + if (ret != LDB_SUCCESS) goto error; + + if (ac->down_req->async.handle->status != LDB_ASYNC_DONE) { + return LDB_SUCCESS; + } + } + return LDB_SUCCESS; + + case PH_MOD_DO_REQ: + if (ac->down_req->async.handle->status != LDB_ASYNC_DONE) { + ret = ldb_async_wait(ac->down_req->async.handle, LDB_WAIT_NONE); + if (ret != LDB_SUCCESS) goto error; + + if (ac->down_req->async.handle->status != LDB_ASYNC_DONE) { + return LDB_SUCCESS; + } + } + + /* non-password mods done, go on */ + return password_hash_mod_async_search_self(handle); + + case PH_MOD_SEARCH_SELF: + if (ac->search_req->async.handle->status != LDB_ASYNC_DONE) { + ret = ldb_async_wait(ac->search_req->async.handle, LDB_WAIT_NONE); + if (ret != LDB_SUCCESS) goto error; + + if (ac->search_req->async.handle->status != LDB_ASYNC_DONE) { + return LDB_SUCCESS; + } + } + + /* self search done, go on */ + return password_hash_mod_async_search_dom(handle); + + case PH_MOD_SEARCH_DOM: + if (ac->dom_req->async.handle->status != LDB_ASYNC_DONE) { + ret = ldb_async_wait(ac->dom_req->async.handle, LDB_WAIT_NONE); + if (ret != LDB_SUCCESS) goto error; + + if (ac->dom_req->async.handle->status != LDB_ASYNC_DONE) { + return LDB_SUCCESS; + } + } + + /* domain search done, go on */ + return password_hash_mod_async_do_mod(handle); + + case PH_MOD_DO_MOD: + if (ac->mod_req->async.handle->status != LDB_ASYNC_DONE) { + ret = ldb_async_wait(ac->mod_req->async.handle, LDB_WAIT_NONE); + if (ret != LDB_SUCCESS) goto error; + + if (ac->mod_req->async.handle->status != LDB_ASYNC_DONE) { + return LDB_SUCCESS; + } + } + return LDB_SUCCESS; + + default: + ret = LDB_ERR_OPERATIONS_ERROR; + goto error; + } + +error: + handle->state = LDB_ASYNC_DONE; + handle->status = ret; + return ret; +} + +static int ph_async_wait_all(struct ldb_async_handle *handle) { + + int ret; + + while (handle->state != LDB_ASYNC_DONE) { + ret = ph_async_wait(handle); + if (ret != LDB_SUCCESS) { + return ret; + } + } + + return handle->status; +} + +static int password_hash_async_wait(struct ldb_async_handle *handle, enum ldb_async_wait_type type) +{ + if (type == LDB_WAIT_ALL) { + return ph_async_wait_all(handle); + } else { + return ph_async_wait(handle); + } +} + static int password_hash_request(struct ldb_module *module, struct ldb_request *req) { switch (req->operation) { @@ -731,6 +1789,12 @@ static int password_hash_request(struct ldb_module *module, struct ldb_request * case LDB_REQ_MODIFY: return password_hash_modify(module, req); + case LDB_ASYNC_ADD: + return password_hash_add_async(module, req); + + case LDB_ASYNC_MODIFY: + return password_hash_modify_async(module, req); + default: return ldb_next_request(module, req); @@ -739,7 +1803,8 @@ static int password_hash_request(struct ldb_module *module, struct ldb_request * static const struct ldb_module_ops password_hash_ops = { .name = "password_hash", - .request = password_hash_request + .request = password_hash_request, + .async_wait = password_hash_async_wait }; |