From 75c54d54ad9fdff7098c1b4f11252528f35ea658 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 17 Feb 2022 07:35:54 +1300 Subject: [PATCH 1/1] dsdb: Remove LM hash parameter from samdb_set_password() and callers This fixes the rpc.samr test because we no longer specify an LM hash to the DSDB layer only to have it rejected by password_hash. Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher --- selftest/knownfail.d/lm-hash-support-gone | 2 -- source4/dsdb/common/util.c | 19 +++++-------------- source4/kdc/kpasswd-helper.c | 1 - source4/kdc/kpasswd_glue.c | 1 - source4/rpc_server/netlogon/dcerpc_netlogon.c | 4 ++-- source4/rpc_server/samr/samr_password.c | 18 ++---------------- 6 files changed, 9 insertions(+), 36 deletions(-) diff --git a/selftest/knownfail.d/lm-hash-support-gone b/selftest/knownfail.d/lm-hash-support-gone index 0afd5960a0c..c217783a4de 100644 --- a/selftest/knownfail.d/lm-hash-support-gone +++ b/selftest/knownfail.d/lm-hash-support-gone @@ -1,5 +1,3 @@ -^samba4.rpc.samr.passwords .* -^samba4.rpc.samr.passwords.pwdlastset* ^samba4.blackbox.smbclient .*LANMAN* ^samba.tests.ntlm_auth.samba.tests.ntlm_auth.NTLMAuthHelpersTests.test_diagnostics\(ad_dc:local\) ^samba.tests.ntlm_auth.samba.tests.ntlm_auth.NTLMAuthHelpersTests.test_diagnostics\(ad_member:local\) diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index 6b24adc1b2e..2381b074d6a 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -2235,7 +2235,6 @@ int samdb_set_password_callback(struct ldb_request *req, struct ldb_reply *ares) static NTSTATUS samdb_set_password_internal(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *user_dn, struct ldb_dn *domain_dn, const DATA_BLOB *new_password, - const struct samr_Password *lmNewHash, const struct samr_Password *ntNewHash, enum dsdb_password_checked old_password_checked, enum samPwdChangeReason *reject_reason, @@ -2262,21 +2261,15 @@ static NTSTATUS samdb_set_password_internal(struct ldb_context *ldb, TALLOC_CTX } msg->dn = user_dn; if ((new_password != NULL) - && ((lmNewHash == NULL) && (ntNewHash == NULL))) { + && ((ntNewHash == NULL))) { /* we have the password as plaintext UTF16 */ CHECK_RET(ldb_msg_add_value(msg, "clearTextPassword", new_password, NULL)); el = ldb_msg_find_element(msg, "clearTextPassword"); el->flags = LDB_FLAG_MOD_REPLACE; } else if ((new_password == NULL) - && ((lmNewHash != NULL) || (ntNewHash != NULL))) { - /* we have a password as LM and/or NT hash */ - if (lmNewHash != NULL) { - CHECK_RET(samdb_msg_add_hash(ldb, mem_ctx, msg, - "dBCSPwd", lmNewHash)); - el = ldb_msg_find_element(msg, "dBCSPwd"); - el->flags = LDB_FLAG_MOD_REPLACE; - } + && ((ntNewHash != NULL))) { + /* we have a password as NT hash */ if (ntNewHash != NULL) { CHECK_RET(samdb_msg_add_hash(ldb, mem_ctx, msg, "unicodePwd", ntNewHash)); @@ -2429,7 +2422,6 @@ static NTSTATUS samdb_set_password_internal(struct ldb_context *ldb, TALLOC_CTX NTSTATUS samdb_set_password(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_dn *user_dn, struct ldb_dn *domain_dn, const DATA_BLOB *new_password, - const struct samr_Password *lmNewHash, const struct samr_Password *ntNewHash, enum dsdb_password_checked old_password_checked, enum samPwdChangeReason *reject_reason, @@ -2438,7 +2430,7 @@ NTSTATUS samdb_set_password(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, return samdb_set_password_internal(ldb, mem_ctx, user_dn, domain_dn, new_password, - lmNewHash, ntNewHash, + ntNewHash, old_password_checked, reject_reason, _dominfo, false); /* reject trusts */ @@ -2466,7 +2458,6 @@ NTSTATUS samdb_set_password_sid(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, const struct dom_sid *user_sid, const uint32_t *new_version, /* optional for trusts */ const DATA_BLOB *new_password, - const struct samr_Password *lmNewHash, const struct samr_Password *ntNewHash, enum dsdb_password_checked old_password_checked, enum samPwdChangeReason *reject_reason, @@ -2833,7 +2824,7 @@ NTSTATUS samdb_set_password_sid(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, nt_status = samdb_set_password_internal(ldb, mem_ctx, user_msg->dn, NULL, new_password, - lmNewHash, ntNewHash, + ntNewHash, old_password_checked, reject_reason, _dominfo, true); /* permit trusts */ diff --git a/source4/kdc/kpasswd-helper.c b/source4/kdc/kpasswd-helper.c index 65ddb7e444c..ffd0a1ef060 100644 --- a/source4/kdc/kpasswd-helper.c +++ b/source4/kdc/kpasswd-helper.c @@ -221,7 +221,6 @@ NTSTATUS kpasswd_samdb_set_password(TALLOC_CTX *mem_ctx, target_dn, NULL, /* domain_dn */ password, - NULL, /* lmNewHash */ NULL, /* ntNewHash */ DSDB_PASSWORD_RESET, reject_reason, diff --git a/source4/kdc/kpasswd_glue.c b/source4/kdc/kpasswd_glue.c index d50d9d2bcee..68f347c60bd 100644 --- a/source4/kdc/kpasswd_glue.c +++ b/source4/kdc/kpasswd_glue.c @@ -71,7 +71,6 @@ NTSTATUS samdb_kpasswd_change_password(TALLOC_CTX *mem_ctx, NULL, password, NULL, - NULL, DSDB_PASSWORD_CHECKED_AND_CORRECT, reject_reason, dominfo); diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 124fe2f269f..062a92597ce 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -766,7 +766,7 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet(struct dcesrv_call_state *dce_call creds->sid, NULL, /* Don't have version */ NULL, /* Don't have plaintext */ - NULL, r->in.new_password, + r->in.new_password, DSDB_PASSWORD_CHECKED_AND_CORRECT, /* Password change */ NULL, NULL); return nt_status; @@ -907,7 +907,7 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal creds->sid, new_version, &new_password, /* we have plaintext */ - NULL, NULL, + NULL, DSDB_PASSWORD_CHECKED_AND_CORRECT, /* Password change */ NULL, NULL); return nt_status; diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c index 950107f8627..b59558320f1 100644 --- a/source4/rpc_server/samr/samr_password.c +++ b/source4/rpc_server/samr/samr_password.c @@ -259,7 +259,7 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, status = samdb_set_password(sam_ctx, mem_ctx, user_dn, NULL, &new_password, - NULL, NULL, + NULL, DSDB_PASSWORD_CHECKED_AND_CORRECT, &reason, &dominfo); @@ -421,7 +421,6 @@ NTSTATUS samr_set_password(struct dcesrv_call_state *dce_call, domain_dn, &new_password, NULL, - NULL, DSDB_PASSWORD_RESET, NULL, NULL); @@ -492,7 +491,6 @@ NTSTATUS samr_set_password_ex(struct dcesrv_call_state *dce_call, domain_dn, &new_password, NULL, - NULL, DSDB_PASSWORD_RESET, NULL, NULL); @@ -540,18 +538,6 @@ NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call, return nt_status; } - if (lm_pwd_hash != NULL) { - in = data_blob_const(lm_pwd_hash, 16); - out = data_blob_talloc_zero(mem_ctx, 16); - - rc = sess_crypt_blob(&out, &in, &session_key, SAMBA_GNUTLS_DECRYPT); - if (rc != 0) { - return gnutls_error_to_ntstatus(rc, - NT_STATUS_ACCESS_DISABLED_BY_POLICY_OTHER); - } - - d_lm_pwd_hash = (struct samr_Password *) out.data; - } if (nt_pwd_hash != NULL) { in = data_blob_const(nt_pwd_hash, 16); out = data_blob_talloc_zero(mem_ctx, 16); @@ -568,7 +554,7 @@ NTSTATUS samr_set_password_buffers(struct dcesrv_call_state *dce_call, if ((d_lm_pwd_hash != NULL) || (d_nt_pwd_hash != NULL)) { nt_status = samdb_set_password(sam_ctx, mem_ctx, account_dn, domain_dn, NULL, - d_lm_pwd_hash, d_nt_pwd_hash, + d_nt_pwd_hash, DSDB_PASSWORD_RESET, NULL, NULL); } -- 2.34.1