4 Copyright (C) Simo Sorce 2004-2006
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2006
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Stefan Metzmacher 2007
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 * Component: ldb password_hash module
28 * Description: correctly update hash values based on changes to sambaPassword and friends
30 * Author: Andrew Bartlett
31 * Author: Stefan Metzmacher
35 #include "libcli/ldap/ldap.h"
36 #include "ldb/include/ldb_errors.h"
37 #include "ldb/include/ldb_private.h"
38 #include "librpc/gen_ndr/misc.h"
39 #include "librpc/gen_ndr/samr.h"
40 #include "libcli/auth/libcli_auth.h"
41 #include "libcli/security/security.h"
42 #include "system/kerberos.h"
43 #include "auth/kerberos/kerberos.h"
44 #include "system/time.h"
45 #include "dsdb/samdb/samdb.h"
46 #include "dsdb/common/flags.h"
47 #include "dsdb/samdb/ldb_modules/password_modules.h"
48 #include "librpc/ndr/libndr.h"
49 #include "librpc/gen_ndr/ndr_drsblobs.h"
50 #include "lib/crypto/crypto.h"
51 #include "param/param.h"
53 /* If we have decided there is reason to work on this request, then
54 * setup all the password hash types correctly.
56 * If the administrator doesn't want the sambaPassword stored (set in the
57 * domain and per-account policies) then we must strip that out before
58 * we do the first operation.
60 * Once this is done (which could update anything at all), we
61 * calculate the password hashes.
63 * This function must not only update the unicodePwd, dBCSPwd and
64 * supplementalCredentials fields, it must also atomicly increment the
65 * msDS-KeyVersionNumber. We should be in a transaction, so all this
66 * should be quite safe...
68 * Finally, if the administrator has requested that a password history
69 * be maintained, then this should also be written out.
75 enum ph_type {PH_ADD, PH_MOD} type;
76 enum ph_step {PH_ADD_SEARCH_DOM, PH_ADD_DO_ADD, PH_MOD_DO_REQ, PH_MOD_SEARCH_SELF, PH_MOD_SEARCH_DOM, PH_MOD_DO_MOD} step;
78 struct ldb_module *module;
79 struct ldb_request *orig_req;
81 struct ldb_request *dom_req;
82 struct ldb_reply *dom_res;
84 struct ldb_request *down_req;
86 struct ldb_request *search_req;
87 struct ldb_reply *search_res;
89 struct ldb_request *mod_req;
91 struct dom_sid *domain_sid;
97 uint_t pwdHistoryLength;
103 struct setup_password_fields_io {
104 struct ph_context *ac;
105 struct domain_data *domain;
106 struct smb_krb5_context *smb_krb5_context;
108 /* infos about the user account */
110 uint32_t user_account_control;
111 const char *sAMAccountName;
112 const char *user_principal_name;
116 /* new credentials */
118 const char *cleartext;
119 struct samr_Password *nt_hash;
120 struct samr_Password *lm_hash;
123 /* old credentials */
125 uint32_t nt_history_len;
126 struct samr_Password *nt_history;
127 uint32_t lm_history_len;
128 struct samr_Password *lm_history;
129 const struct ldb_val *supplemental;
130 struct supplementalCredentialsBlob scb;
134 /* generated credentials */
136 struct samr_Password *nt_hash;
137 struct samr_Password *lm_hash;
138 uint32_t nt_history_len;
139 struct samr_Password *nt_history;
140 uint32_t lm_history_len;
141 struct samr_Password *lm_history;
142 struct ldb_val supplemental;
148 static int setup_nt_fields(struct setup_password_fields_io *io)
152 io->g.nt_hash = io->n.nt_hash;
154 if (io->domain->pwdHistoryLength == 0) {
158 /* We might not have an old NT password */
159 io->g.nt_history = talloc_array(io->ac,
160 struct samr_Password,
161 io->domain->pwdHistoryLength);
162 if (!io->g.nt_history) {
163 ldb_oom(io->ac->module->ldb);
164 return LDB_ERR_OPERATIONS_ERROR;
167 for (i = 0; i < MIN(io->domain->pwdHistoryLength-1, io->o.nt_history_len); i++) {
168 io->g.nt_history[i+1] = io->o.nt_history[i];
170 io->g.nt_history_len = i + 1;
173 io->g.nt_history[0] = *io->g.nt_hash;
176 * TODO: is this correct?
177 * the simular behavior is correct for the lm history case
179 E_md4hash("", io->g.nt_history[0].hash);
185 static int setup_lm_fields(struct setup_password_fields_io *io)
189 io->g.lm_hash = io->n.lm_hash;
191 if (io->domain->pwdHistoryLength == 0) {
195 /* We might not have an old NT password */
196 io->g.lm_history = talloc_array(io->ac,
197 struct samr_Password,
198 io->domain->pwdHistoryLength);
199 if (!io->g.lm_history) {
200 ldb_oom(io->ac->module->ldb);
201 return LDB_ERR_OPERATIONS_ERROR;
204 for (i = 0; i < MIN(io->domain->pwdHistoryLength-1, io->o.lm_history_len); i++) {
205 io->g.lm_history[i+1] = io->o.lm_history[i];
207 io->g.lm_history_len = i + 1;
210 io->g.lm_history[0] = *io->g.lm_hash;
212 E_deshash("", io->g.lm_history[0].hash);
218 static int setup_primary_kerberos(struct setup_password_fields_io *io,
219 const struct supplementalCredentialsBlob *old_scb,
220 struct package_PrimaryKerberosBlob *pkb)
222 krb5_error_code krb5_ret;
223 Principal *salt_principal;
227 struct package_PrimaryKerberosCtr3 *pkb3 = &pkb->ctr.ctr3;
228 struct supplementalCredentialsPackage *old_scp = NULL;
229 struct package_PrimaryKerberosBlob _old_pkb;
230 struct package_PrimaryKerberosCtr3 *old_pkb3 = NULL;
234 /* Many, many thanks to lukeh@padl.com for this
235 * algorithm, described in his Nov 10 2004 mail to
236 * samba-technical@samba.org */
239 * Determine a salting principal
241 if (io->u.is_computer) {
245 name = talloc_strdup(io->ac, io->u.sAMAccountName);
247 ldb_oom(io->ac->module->ldb);
248 return LDB_ERR_OPERATIONS_ERROR;
251 if (name[strlen(name)-1] == '$') {
252 name[strlen(name)-1] = '\0';
255 saltbody = talloc_asprintf(io->ac, "%s.%s", name, io->domain->dns_domain);
257 ldb_oom(io->ac->module->ldb);
258 return LDB_ERR_OPERATIONS_ERROR;
261 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
263 io->domain->realm, "host",
265 } else if (io->u.user_principal_name) {
266 char *user_principal_name;
269 user_principal_name = talloc_strdup(io->ac, io->u.user_principal_name);
270 if (!user_principal_name) {
271 ldb_oom(io->ac->module->ldb);
272 return LDB_ERR_OPERATIONS_ERROR;
275 p = strchr(user_principal_name, '@');
280 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
282 io->domain->realm, user_principal_name,
285 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
287 io->domain->realm, io->u.sAMAccountName,
291 ldb_asprintf_errstring(io->ac->module->ldb,
292 "setup_primary_kerberos: "
293 "generation of a salting principal failed: %s",
294 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
295 return LDB_ERR_OPERATIONS_ERROR;
299 * create salt from salt_principal
301 krb5_ret = krb5_get_pw_salt(io->smb_krb5_context->krb5_context,
302 salt_principal, &salt);
303 krb5_free_principal(io->smb_krb5_context->krb5_context, salt_principal);
305 ldb_asprintf_errstring(io->ac->module->ldb,
306 "setup_primary_kerberos: "
307 "generation of krb5_salt failed: %s",
308 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
309 return LDB_ERR_OPERATIONS_ERROR;
311 /* create a talloc copy */
312 pkb3->salt.string = talloc_strndup(io->ac,
314 salt.saltvalue.length);
315 krb5_free_salt(io->smb_krb5_context->krb5_context, salt);
316 if (!pkb3->salt.string) {
317 ldb_oom(io->ac->module->ldb);
318 return LDB_ERR_OPERATIONS_ERROR;
320 salt.saltvalue.data = discard_const(pkb3->salt.string);
321 salt.saltvalue.length = strlen(pkb3->salt.string);
324 * prepare generation of keys
326 * ENCTYPE_AES256_CTS_HMAC_SHA1_96 (disabled by default)
327 * ENCTYPE_DES_CBC_MD5
328 * ENCTYPE_DES_CBC_CRC
330 * NOTE: update num_keys when you add another enctype!
333 pkb3->keys = talloc_array(io->ac, struct package_PrimaryKerberosKey, pkb3->num_keys);
335 ldb_oom(io->ac->module->ldb);
336 return LDB_ERR_OPERATIONS_ERROR;
338 pkb3->unknown3 = talloc_zero_array(io->ac, uint64_t, pkb3->num_keys);
339 if (!pkb3->unknown3) {
340 ldb_oom(io->ac->module->ldb);
341 return LDB_ERR_OPERATIONS_ERROR;
344 if (lp_parm_bool(NULL, "password_hash", "create_aes_key", false)) {
348 * w2k and w2k3 doesn't support AES, so we'll not include
349 * the AES key here yet.
351 * Also we don't have an example supplementalCredentials blob
352 * from Windows Longhorn Server with AES support
356 * create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of
357 * the salt and the cleartext password
359 krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
360 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
364 pkb3->keys[k].keytype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
365 pkb3->keys[k].value = talloc(pkb3->keys, DATA_BLOB);
366 if (!pkb3->keys[k].value) {
367 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
368 ldb_oom(io->ac->module->ldb);
369 return LDB_ERR_OPERATIONS_ERROR;
371 *pkb3->keys[k].value = data_blob_talloc(pkb3->keys[k].value,
373 key.keyvalue.length);
374 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
375 if (!pkb3->keys[k].value->data) {
376 ldb_oom(io->ac->module->ldb);
377 return LDB_ERR_OPERATIONS_ERROR;
383 * create ENCTYPE_DES_CBC_MD5 key out of
384 * the salt and the cleartext password
386 krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
391 pkb3->keys[k].keytype = ENCTYPE_DES_CBC_MD5;
392 pkb3->keys[k].value = talloc(pkb3->keys, DATA_BLOB);
393 if (!pkb3->keys[k].value) {
394 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
395 ldb_oom(io->ac->module->ldb);
396 return LDB_ERR_OPERATIONS_ERROR;
398 *pkb3->keys[k].value = data_blob_talloc(pkb3->keys[k].value,
400 key.keyvalue.length);
401 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
402 if (!pkb3->keys[k].value->data) {
403 ldb_oom(io->ac->module->ldb);
404 return LDB_ERR_OPERATIONS_ERROR;
409 * create ENCTYPE_DES_CBC_CRC key out of
410 * the salt and the cleartext password
412 krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
417 pkb3->keys[k].keytype = ENCTYPE_DES_CBC_CRC;
418 pkb3->keys[k].value = talloc(pkb3->keys, DATA_BLOB);
419 if (!pkb3->keys[k].value) {
420 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
421 ldb_oom(io->ac->module->ldb);
422 return LDB_ERR_OPERATIONS_ERROR;
424 *pkb3->keys[k].value = data_blob_talloc(pkb3->keys[k].value,
426 key.keyvalue.length);
427 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
428 if (!pkb3->keys[k].value->data) {
429 ldb_oom(io->ac->module->ldb);
430 return LDB_ERR_OPERATIONS_ERROR;
434 /* fix up key number */
437 /* initialize the old keys to zero */
438 pkb3->num_old_keys = 0;
439 pkb3->old_keys = NULL;
440 pkb3->unknown3_old = NULL;
442 /* if there're no old keys, then we're done */
447 for (i=0; i < old_scb->sub.num_packages; i++) {
448 if (old_scb->sub.packages[i].unknown1 != 0x00000001) {
452 if (strcmp("Primary:Kerberos", old_scb->sub.packages[i].name) != 0) {
456 if (!old_scb->sub.packages[i].data || !old_scb->sub.packages[i].data[0]) {
460 old_scp = &old_scb->sub.packages[i];
463 /* Primary:Kerberos element of supplementalCredentials */
467 blob = strhex_to_data_blob(old_scp->data);
469 ldb_oom(io->ac->module->ldb);
470 return LDB_ERR_OPERATIONS_ERROR;
472 talloc_steal(io->ac, blob.data);
474 /* TODO: use ndr_pull_struct_blob_all(), when the ndr layer handles it correct with relative pointers */
475 status = ndr_pull_struct_blob(&blob, io->ac, &_old_pkb,
476 (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
477 if (!NT_STATUS_IS_OK(status)) {
478 ldb_asprintf_errstring(io->ac->module->ldb,
479 "setup_primary_kerberos: "
480 "failed to pull old package_PrimaryKerberosBlob: %s",
482 return LDB_ERR_OPERATIONS_ERROR;
485 if (_old_pkb.version != 3) {
486 ldb_asprintf_errstring(io->ac->module->ldb,
487 "setup_primary_kerberos: "
488 "package_PrimaryKerberosBlob version[%u] expected[3]",
490 return LDB_ERR_OPERATIONS_ERROR;
493 old_pkb3 = &_old_pkb.ctr.ctr3;
496 /* if we didn't found the old keys we're done */
501 /* fill in the old keys */
502 pkb3->num_old_keys = old_pkb3->num_keys;
503 pkb3->old_keys = old_pkb3->keys;
504 pkb3->unknown3_old = old_pkb3->unknown3;
509 static int setup_primary_wdigest(struct setup_password_fields_io *io,
510 const struct supplementalCredentialsBlob *old_scb,
511 struct package_PrimaryWDigestBlob *pdb)
513 DATA_BLOB sAMAccountName;
514 DATA_BLOB sAMAccountName_l;
515 DATA_BLOB sAMAccountName_u;
516 const char *user_principal_name = io->u.user_principal_name;
517 DATA_BLOB userPrincipalName;
518 DATA_BLOB userPrincipalName_l;
519 DATA_BLOB userPrincipalName_u;
520 DATA_BLOB netbios_domain;
521 DATA_BLOB netbios_domain_l;
522 DATA_BLOB netbios_domain_u;
523 DATA_BLOB dns_domain;
524 DATA_BLOB dns_domain_l;
525 DATA_BLOB dns_domain_u;
538 * http://technet2.microsoft.com/WindowsServer/en/library/717b450c-f4a0-4cc9-86f4-cc0633aae5f91033.mspx?mfr=true
539 * for what precalculated hashes are supposed to be stored...
541 * I can't reproduce all values which should contain "Digest" as realm,
542 * am I doing something wrong or is w2k3 just broken...?
544 * W2K3 fills in following for a user:
546 * dn: CN=NewUser,OU=newtop,DC=sub1,DC=w2k3,DC=vmnet1,DC=vm,DC=base
547 * sAMAccountName: NewUser2Sam
548 * userPrincipalName: NewUser2Princ@sub1.w2k3.vmnet1.vm.base
550 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
551 * b7ec9da91062199aee7d121e6710fe23 => newuser2sam:sub1:TestPwd2007
552 * 17d290bc5c9f463fac54c37a8cea134d => NEWUSER2SAM:SUB1:TestPwd2007
553 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
554 * 5d57e7823938348127322e08cd81bcb5 => NewUser2Sam:sub1:TestPwd2007
555 * 07dd701bf8a011ece585de3d47237140 => NEWUSER2SAM:sub1:TestPwd2007
556 * e14fb0eb401498d2cb33c9aae1cc7f37 => newuser2sam:SUB1:TestPwd2007
557 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
558 * f52da1266a6bdd290ffd48b2c823dda7 => newuser2sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
559 * d2b42f171248cec37a3c5c6b55404062 => NEWUSER2SAM:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
560 * fff8d790ff6c152aaeb6ebe17b4021de => NewUser2Sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
561 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
562 * 2a7563c3715bc418d626dabef378c008 => NEWUSER2SAM:sub1.w2k3.vmnet1.vm.base:TestPwd2007
563 * c8e9557a87cd4200fda0c11d2fa03f96 => newuser2sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
564 * 221c55284451ae9b3aacaa2a3c86f10f => NewUser2Princ@sub1.w2k3.vmnet1.vm.base::TestPwd2007
565 * 74e1be668853d4324d38c07e2acfb8ea => (w2k3 has a bug here!) newuser2princ@sub1.w2k3.vmnet1.vm.base::TestPwd2007
566 * e1e244ab7f098e3ae1761be7f9229bbb => NEWUSER2PRINC@SUB1.W2K3.VMNET1.VM.BASE::TestPwd2007
567 * 86db637df42513039920e605499c3af6 => SUB1\NewUser2Sam::TestPwd2007
568 * f5e43474dfaf067fee8197a253debaa2 => sub1\newuser2sam::TestPwd2007
569 * 2ecaa8382e2518e4b77a52422b279467 => SUB1\NEWUSER2SAM::TestPwd2007
570 * 31dc704d3640335b2123d4ee28aa1f11 => ??? changes with NewUser2Sam => NewUser1Sam
571 * 36349f5cecd07320fb3bb0e119230c43 => ??? changes with NewUser2Sam => NewUser1Sam
572 * 12adf019d037fb535c01fd0608e78d9d => ??? changes with NewUser2Sam => NewUser1Sam
573 * 6feecf8e724906f3ee1105819c5105a1 => ??? changes with NewUser2Princ => NewUser1Princ
574 * 6c6911f3de6333422640221b9c51ff1f => ??? changes with NewUser2Princ => NewUser1Princ
575 * 4b279877e742895f9348ac67a8de2f69 => ??? changes with NewUser2Princ => NewUser1Princ
576 * db0c6bff069513e3ebb9870d29b57490 => ??? changes with NewUser2Sam => NewUser1Sam
577 * 45072621e56b1c113a4e04a8ff68cd0e => ??? changes with NewUser2Sam => NewUser1Sam
578 * 11d1220abc44a9c10cf91ef4a9c1de02 => ??? changes with NewUser2Sam => NewUser1Sam
580 * dn: CN=NewUser,OU=newtop,DC=sub1,DC=w2k3,DC=vmnet1,DC=vm,DC=base
581 * sAMAccountName: NewUser2Sam
583 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
584 * b7ec9da91062199aee7d121e6710fe23 => newuser2sam:sub1:TestPwd2007
585 * 17d290bc5c9f463fac54c37a8cea134d => NEWUSER2SAM:SUB1:TestPwd2007
586 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
587 * 5d57e7823938348127322e08cd81bcb5 => NewUser2Sam:sub1:TestPwd2007
588 * 07dd701bf8a011ece585de3d47237140 => NEWUSER2SAM:sub1:TestPwd2007
589 * e14fb0eb401498d2cb33c9aae1cc7f37 => newuser2sam:SUB1:TestPwd2007
590 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
591 * f52da1266a6bdd290ffd48b2c823dda7 => newuser2sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
592 * d2b42f171248cec37a3c5c6b55404062 => NEWUSER2SAM:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
593 * fff8d790ff6c152aaeb6ebe17b4021de => NewUser2Sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
594 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
595 * 2a7563c3715bc418d626dabef378c008 => NEWUSER2SAM:sub1.w2k3.vmnet1.vm.base:TestPwd2007
596 * c8e9557a87cd4200fda0c11d2fa03f96 => newuser2sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
597 * 8a140d30b6f0a5912735dc1e3bc993b4 => NewUser2Sam@sub1.w2k3.vmnet1.vm.base::TestPwd2007
598 * 86d95b2faae6cae4ec261e7fbaccf093 => (here w2k3 is correct) newuser2sam@sub1.w2k3.vmnet1.vm.base::TestPwd2007
599 * dfeff1493110220efcdfc6362e5f5450 => NEWUSER2SAM@SUB1.W2K3.VMNET1.VM.BASE::TestPwd2007
600 * 86db637df42513039920e605499c3af6 => SUB1\NewUser2Sam::TestPwd2007
601 * f5e43474dfaf067fee8197a253debaa2 => sub1\newuser2sam::TestPwd2007
602 * 2ecaa8382e2518e4b77a52422b279467 => SUB1\NEWUSER2SAM::TestPwd2007
603 * 31dc704d3640335b2123d4ee28aa1f11 => ???M1 changes with NewUser2Sam => NewUser1Sam
604 * 36349f5cecd07320fb3bb0e119230c43 => ???M1.L changes with newuser2sam => newuser1sam
605 * 12adf019d037fb535c01fd0608e78d9d => ???M1.U changes with NEWUSER2SAM => NEWUSER1SAM
606 * 569b4533f2d9e580211dd040e5e360a8 => ???M2 changes with NewUser2Princ => NewUser1Princ
607 * 52528bddf310a587c5d7e6a9ae2cbb20 => ???M2.L changes with newuser2princ => newuser1princ
608 * 4f629a4f0361289ca4255ab0f658fcd5 => ???M3 changes with NewUser2Princ => NewUser1Princ (doesn't depend on case of userPrincipal )
609 * db0c6bff069513e3ebb9870d29b57490 => ???M4 changes with NewUser2Sam => NewUser1Sam
610 * 45072621e56b1c113a4e04a8ff68cd0e => ???M5 changes with NewUser2Sam => NewUser1Sam (doesn't depend on case of sAMAccountName)
611 * 11d1220abc44a9c10cf91ef4a9c1de02 => ???M4.U changes with NEWUSER2SAM => NEWUSER1SAM
615 * sAMAccountName, netbios_domain
618 .user = &sAMAccountName,
619 .realm = &netbios_domain,
622 .user = &sAMAccountName_l,
623 .realm = &netbios_domain_l,
626 .user = &sAMAccountName_u,
627 .realm = &netbios_domain_u,
630 .user = &sAMAccountName,
631 .realm = &netbios_domain_u,
634 .user = &sAMAccountName,
635 .realm = &netbios_domain_l,
638 .user = &sAMAccountName_u,
639 .realm = &netbios_domain_l,
642 .user = &sAMAccountName_l,
643 .realm = &netbios_domain_u,
646 * sAMAccountName, dns_domain
649 .user = &sAMAccountName,
650 .realm = &dns_domain,
653 .user = &sAMAccountName_l,
654 .realm = &dns_domain_l,
657 .user = &sAMAccountName_u,
658 .realm = &dns_domain_u,
661 .user = &sAMAccountName,
662 .realm = &dns_domain_u,
665 .user = &sAMAccountName,
666 .realm = &dns_domain_l,
669 .user = &sAMAccountName_u,
670 .realm = &dns_domain_l,
673 .user = &sAMAccountName_l,
674 .realm = &dns_domain_u,
677 * userPrincipalName, no realm
680 .user = &userPrincipalName,
684 * NOTE: w2k3 messes this up, if the user has a real userPrincipalName,
685 * the fallback to the sAMAccountName based userPrincipalName is correct
687 .user = &userPrincipalName_l,
690 .user = &userPrincipalName_u,
693 * nt4dom\sAMAccountName, no realm
696 .user = &sAMAccountName,
697 .nt4dom = &netbios_domain
700 .user = &sAMAccountName_l,
701 .nt4dom = &netbios_domain_l
704 .user = &sAMAccountName_u,
705 .nt4dom = &netbios_domain_u
709 * the following ones are guessed depending on the technet2 article
710 * but not reproducable on a w2k3 server
712 /* sAMAccountName with "Digest" realm */
714 .user = &sAMAccountName,
718 .user = &sAMAccountName_l,
722 .user = &sAMAccountName_u,
725 /* userPrincipalName with "Digest" realm */
727 .user = &userPrincipalName,
731 .user = &userPrincipalName_l,
735 .user = &userPrincipalName_u,
738 /* nt4dom\\sAMAccountName with "Digest" realm */
740 .user = &sAMAccountName,
741 .nt4dom = &netbios_domain,
745 .user = &sAMAccountName_l,
746 .nt4dom = &netbios_domain_l,
750 .user = &sAMAccountName_u,
751 .nt4dom = &netbios_domain_u,
756 /* prepare DATA_BLOB's used in the combinations array */
757 sAMAccountName = data_blob_string_const(io->u.sAMAccountName);
758 sAMAccountName_l = data_blob_string_const(strlower_talloc(io->ac, io->u.sAMAccountName));
759 if (!sAMAccountName_l.data) {
760 ldb_oom(io->ac->module->ldb);
761 return LDB_ERR_OPERATIONS_ERROR;
763 sAMAccountName_u = data_blob_string_const(strupper_talloc(io->ac, io->u.sAMAccountName));
764 if (!sAMAccountName_u.data) {
765 ldb_oom(io->ac->module->ldb);
766 return LDB_ERR_OPERATIONS_ERROR;
769 /* if the user doesn't have a userPrincipalName, create one (with lower case realm) */
770 if (!user_principal_name) {
771 user_principal_name = talloc_asprintf(io->ac, "%s@%s",
772 io->u.sAMAccountName,
773 io->domain->dns_domain);
774 if (!user_principal_name) {
775 ldb_oom(io->ac->module->ldb);
776 return LDB_ERR_OPERATIONS_ERROR;
779 userPrincipalName = data_blob_string_const(user_principal_name);
780 userPrincipalName_l = data_blob_string_const(strlower_talloc(io->ac, user_principal_name));
781 if (!userPrincipalName_l.data) {
782 ldb_oom(io->ac->module->ldb);
783 return LDB_ERR_OPERATIONS_ERROR;
785 userPrincipalName_u = data_blob_string_const(strupper_talloc(io->ac, user_principal_name));
786 if (!userPrincipalName_u.data) {
787 ldb_oom(io->ac->module->ldb);
788 return LDB_ERR_OPERATIONS_ERROR;
791 netbios_domain = data_blob_string_const(io->domain->netbios_domain);
792 netbios_domain_l = data_blob_string_const(strlower_talloc(io->ac, io->domain->netbios_domain));
793 if (!netbios_domain_l.data) {
794 ldb_oom(io->ac->module->ldb);
795 return LDB_ERR_OPERATIONS_ERROR;
797 netbios_domain_u = data_blob_string_const(strupper_talloc(io->ac, io->domain->netbios_domain));
798 if (!netbios_domain_u.data) {
799 ldb_oom(io->ac->module->ldb);
800 return LDB_ERR_OPERATIONS_ERROR;
803 dns_domain = data_blob_string_const(io->domain->dns_domain);
804 dns_domain_l = data_blob_string_const(io->domain->dns_domain);
805 dns_domain_u = data_blob_string_const(io->domain->realm);
807 cleartext = data_blob_string_const(io->n.cleartext);
809 digest = data_blob_string_const("Digest");
811 delim = data_blob_string_const(":");
812 backslash = data_blob_string_const("\\");
814 pdb->num_hashes = ARRAY_SIZE(wdigest);
815 pdb->hashes = talloc_array(io->ac, struct package_PrimaryWDigestHash, pdb->num_hashes);
817 ldb_oom(io->ac->module->ldb);
818 return LDB_ERR_OPERATIONS_ERROR;
821 for (i=0; i < ARRAY_SIZE(wdigest); i++) {
822 struct MD5Context md5;
824 if (wdigest[i].nt4dom) {
825 MD5Update(&md5, wdigest[i].nt4dom->data, wdigest[i].nt4dom->length);
826 MD5Update(&md5, backslash.data, backslash.length);
828 MD5Update(&md5, wdigest[i].user->data, wdigest[i].user->length);
829 MD5Update(&md5, delim.data, delim.length);
830 if (wdigest[i].realm) {
831 MD5Update(&md5, wdigest[i].realm->data, wdigest[i].realm->length);
833 MD5Update(&md5, delim.data, delim.length);
834 MD5Update(&md5, cleartext.data, cleartext.length);
835 MD5Final(pdb->hashes[i].hash, &md5);
841 static int setup_supplemental_field(struct setup_password_fields_io *io)
843 struct supplementalCredentialsBlob scb;
844 struct supplementalCredentialsBlob _old_scb;
845 struct supplementalCredentialsBlob *old_scb = NULL;
846 /* Packages + (Kerberos, WDigest and maybe CLEARTEXT) */
847 uint32_t num_packages = 1 + 2;
848 struct supplementalCredentialsPackage packages[1+3];
849 struct supplementalCredentialsPackage *pp = &packages[0];
850 struct supplementalCredentialsPackage *pk = &packages[1];
851 struct supplementalCredentialsPackage *pd = &packages[2];
852 struct supplementalCredentialsPackage *pc = NULL;
853 struct package_PackagesBlob pb;
856 struct package_PrimaryKerberosBlob pkb;
859 struct package_PrimaryWDigestBlob pdb;
862 struct package_PrimaryCLEARTEXTBlob pcb;
871 if (!io->n.cleartext) {
873 * when we don't have a cleartext password
874 * we can't setup a supplementalCredential value
879 /* if there's an old supplementaCredentials blob then parse it */
880 if (io->o.supplemental) {
881 status = ndr_pull_struct_blob_all(io->o.supplemental, io->ac, &_old_scb,
882 (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
883 if (!NT_STATUS_IS_OK(status)) {
884 ldb_asprintf_errstring(io->ac->module->ldb,
885 "setup_supplemental_field: "
886 "failed to pull old supplementalCredentialsBlob: %s",
888 return LDB_ERR_OPERATIONS_ERROR;
894 if (io->domain->store_cleartext &&
895 (io->u.user_account_control & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
900 /* Kerberos, WDigest, CLEARTEXT and termination(counted by the Packages element) */
901 pb.names = talloc_zero_array(io->ac, const char *, num_packages);
904 * setup 'Primary:Kerberos' element
906 pb.names[0] = "Kerberos";
908 ret = setup_primary_kerberos(io, old_scb, &pkb);
909 if (ret != LDB_SUCCESS) {
913 status = ndr_push_struct_blob(&pkb_blob, io->ac, &pkb,
914 (ndr_push_flags_fn_t)ndr_push_package_PrimaryKerberosBlob);
915 if (!NT_STATUS_IS_OK(status)) {
916 ldb_asprintf_errstring(io->ac->module->ldb,
917 "setup_supplemental_field: "
918 "failed to push package_PrimaryKerberosBlob: %s",
920 return LDB_ERR_OPERATIONS_ERROR;
925 * This is ugly, but we want to generate the same blob as
926 * w2k and w2k3...we should handle this in the idl
928 if (!data_blob_append(io->ac, &pkb_blob, zero16, sizeof(zero16))) {
929 ldb_oom(io->ac->module->ldb);
930 return LDB_ERR_OPERATIONS_ERROR;
932 pkb_hexstr = data_blob_hex_string(io->ac, &pkb_blob);
934 ldb_oom(io->ac->module->ldb);
935 return LDB_ERR_OPERATIONS_ERROR;
937 pk->name = "Primary:Kerberos";
939 pk->data = pkb_hexstr;
942 * setup 'Primary:WDigest' element
944 pb.names[1] = "WDigest";
946 ret = setup_primary_wdigest(io, old_scb, &pdb);
947 if (ret != LDB_SUCCESS) {
951 status = ndr_push_struct_blob(&pdb_blob, io->ac, &pdb,
952 (ndr_push_flags_fn_t)ndr_push_package_PrimaryWDigestBlob);
953 if (!NT_STATUS_IS_OK(status)) {
954 ldb_asprintf_errstring(io->ac->module->ldb,
955 "setup_supplemental_field: "
956 "failed to push package_PrimaryWDigestBlob: %s",
958 return LDB_ERR_OPERATIONS_ERROR;
960 pdb_hexstr = data_blob_hex_string(io->ac, &pdb_blob);
962 ldb_oom(io->ac->module->ldb);
963 return LDB_ERR_OPERATIONS_ERROR;
965 pd->name = "Primary:WDigest";
967 pd->data = pdb_hexstr;
970 * setup 'Primary:CLEARTEXT' element
973 pb.names[2] = "CLEARTEXT";
975 pcb.cleartext = io->n.cleartext;
977 status = ndr_push_struct_blob(&pcb_blob, io->ac, &pcb,
978 (ndr_push_flags_fn_t)ndr_push_package_PrimaryCLEARTEXTBlob);
979 if (!NT_STATUS_IS_OK(status)) {
980 ldb_asprintf_errstring(io->ac->module->ldb,
981 "setup_supplemental_field: "
982 "failed to push package_PrimaryCLEARTEXTBlob: %s",
984 return LDB_ERR_OPERATIONS_ERROR;
986 pcb_hexstr = data_blob_hex_string(io->ac, &pcb_blob);
988 ldb_oom(io->ac->module->ldb);
989 return LDB_ERR_OPERATIONS_ERROR;
991 pc->name = "Primary:CLEARTEXT";
993 pc->data = pcb_hexstr;
997 * setup 'Packages' element
999 status = ndr_push_struct_blob(&pb_blob, io->ac, &pb,
1000 (ndr_push_flags_fn_t)ndr_push_package_PackagesBlob);
1001 if (!NT_STATUS_IS_OK(status)) {
1002 ldb_asprintf_errstring(io->ac->module->ldb,
1003 "setup_supplemental_field: "
1004 "failed to push package_PackagesBlob: %s",
1006 return LDB_ERR_OPERATIONS_ERROR;
1008 pb_hexstr = data_blob_hex_string(io->ac, &pb_blob);
1010 ldb_oom(io->ac->module->ldb);
1011 return LDB_ERR_OPERATIONS_ERROR;
1013 pp->name = "Packages";
1015 pp->data = pb_hexstr;
1018 * setup 'supplementalCredentials' value
1020 scb.sub.num_packages = num_packages;
1021 scb.sub.packages = packages;
1023 status = ndr_push_struct_blob(&io->g.supplemental, io->ac, &scb,
1024 (ndr_push_flags_fn_t)ndr_push_supplementalCredentialsBlob);
1025 if (!NT_STATUS_IS_OK(status)) {
1026 ldb_asprintf_errstring(io->ac->module->ldb,
1027 "setup_supplemental_field: "
1028 "failed to push supplementalCredentialsBlob: %s",
1030 return LDB_ERR_OPERATIONS_ERROR;
1036 static int setup_last_set_field(struct setup_password_fields_io *io)
1039 unix_to_nt_time(&io->g.last_set, time(NULL));
1044 static int setup_kvno_field(struct setup_password_fields_io *io)
1046 /* increment by one */
1047 io->g.kvno = io->o.kvno + 1;
1052 static int setup_password_fields(struct setup_password_fields_io *io)
1058 * refuse the change if someone want to change the cleartext
1059 * and supply his own hashes at the same time...
1061 if (io->n.cleartext && (io->n.nt_hash || io->n.lm_hash)) {
1062 ldb_asprintf_errstring(io->ac->module->ldb,
1063 "setup_password_fields: "
1064 "it's only allowed to set the cleartext password or the password hashes");
1065 return LDB_ERR_UNWILLING_TO_PERFORM;
1068 if (io->n.cleartext && !io->n.nt_hash) {
1069 struct samr_Password *hash;
1071 hash = talloc(io->ac, struct samr_Password);
1073 ldb_oom(io->ac->module->ldb);
1074 return LDB_ERR_OPERATIONS_ERROR;
1077 /* compute the new nt hash */
1078 ok = E_md4hash(io->n.cleartext, hash->hash);
1080 io->n.nt_hash = hash;
1082 ldb_asprintf_errstring(io->ac->module->ldb,
1083 "setup_password_fields: "
1084 "failed to generate nthash from cleartext password");
1085 return LDB_ERR_OPERATIONS_ERROR;
1089 if (io->n.cleartext && !io->n.lm_hash) {
1090 struct samr_Password *hash;
1092 hash = talloc(io->ac, struct samr_Password);
1094 ldb_oom(io->ac->module->ldb);
1095 return LDB_ERR_OPERATIONS_ERROR;
1098 /* compute the new lm hash */
1099 ok = E_deshash(io->n.cleartext, hash->hash);
1101 io->n.lm_hash = hash;
1103 talloc_free(hash->hash);
1107 ret = setup_nt_fields(io);
1112 ret = setup_lm_fields(io);
1117 ret = setup_supplemental_field(io);
1122 ret = setup_last_set_field(io);
1127 ret = setup_kvno_field(io);
1135 static struct ldb_handle *ph_init_handle(struct ldb_request *req, struct ldb_module *module, enum ph_type type)
1137 struct ph_context *ac;
1138 struct ldb_handle *h;
1140 h = talloc_zero(req, struct ldb_handle);
1142 ldb_set_errstring(module->ldb, "Out of Memory");
1148 ac = talloc_zero(h, struct ph_context);
1150 ldb_set_errstring(module->ldb, "Out of Memory");
1155 h->private_data = (void *)ac;
1157 h->state = LDB_ASYNC_INIT;
1158 h->status = LDB_SUCCESS;
1161 ac->module = module;
1167 static int get_domain_data_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
1169 struct ph_context *ac;
1171 ac = talloc_get_type(context, struct ph_context);
1173 /* we are interested only in the single reply (base search) we receive here */
1174 if (ares->type == LDB_REPLY_ENTRY) {
1175 if (ac->dom_res != NULL) {
1176 ldb_set_errstring(ldb, "Too many results");
1178 return LDB_ERR_OPERATIONS_ERROR;
1180 ac->dom_res = talloc_steal(ac, ares);
1188 static int build_domain_data_request(struct ph_context *ac)
1190 /* attrs[] is returned from this function in
1191 ac->dom_req->op.search.attrs, so it must be static, as
1192 otherwise the compiler can put it on the stack */
1193 static const char * const attrs[] = { "pwdProperties", "pwdHistoryLength", NULL };
1196 ac->dom_req = talloc_zero(ac, struct ldb_request);
1197 if (ac->dom_req == NULL) {
1198 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
1199 return LDB_ERR_OPERATIONS_ERROR;
1201 ac->dom_req->operation = LDB_SEARCH;
1202 ac->dom_req->op.search.base = ldb_get_default_basedn(ac->module->ldb);
1203 ac->dom_req->op.search.scope = LDB_SCOPE_SUBTREE;
1205 filter = talloc_asprintf(ac->dom_req, "(&(objectSid=%s)(|(objectClass=domain)(objectClass=builtinDomain)))",
1206 ldap_encode_ndr_dom_sid(ac->dom_req, ac->domain_sid));
1207 if (filter == NULL) {
1208 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
1209 talloc_free(ac->dom_req);
1210 return LDB_ERR_OPERATIONS_ERROR;
1213 ac->dom_req->op.search.tree = ldb_parse_tree(ac->dom_req, filter);
1214 if (ac->dom_req->op.search.tree == NULL) {
1215 ldb_set_errstring(ac->module->ldb, "Invalid search filter");
1216 talloc_free(ac->dom_req);
1217 return LDB_ERR_OPERATIONS_ERROR;
1219 ac->dom_req->op.search.attrs = attrs;
1220 ac->dom_req->controls = NULL;
1221 ac->dom_req->context = ac;
1222 ac->dom_req->callback = get_domain_data_callback;
1223 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->dom_req);
1228 static struct domain_data *get_domain_data(struct ldb_module *module, void *ctx, struct ldb_reply *res)
1230 struct domain_data *data;
1232 struct ph_context *ac;
1235 ac = talloc_get_type(ctx, struct ph_context);
1237 data = talloc_zero(ac, struct domain_data);
1243 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Could not find this user's domain: %s!\n", dom_sid_string(data, ac->domain_sid));
1248 data->pwdProperties= samdb_result_uint(res->message, "pwdProperties", 0);
1249 data->store_cleartext = data->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT;
1250 data->pwdHistoryLength = samdb_result_uint(res->message, "pwdHistoryLength", 0);
1252 /* For a domain DN, this puts things in dotted notation */
1253 /* For builtin domains, this will give details for the host,
1254 * but that doesn't really matter, as it's just used for salt
1255 * and kerberos principals, which don't exist here */
1257 tmp = ldb_dn_canonical_string(ctx, res->message->dn);
1262 /* But it puts a trailing (or just before 'builtin') / on things, so kill that */
1263 p = strchr(tmp, '/');
1269 data->dns_domain = strlower_talloc(data, tmp);
1270 if (data->dns_domain == NULL) {
1271 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
1274 data->realm = strupper_talloc(data, tmp);
1275 if (data->realm == NULL) {
1276 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
1279 p = strchr(tmp, '.');
1283 data->netbios_domain = strupper_talloc(data, tmp);
1284 if (data->netbios_domain == NULL) {
1285 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
1293 static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
1295 struct ldb_handle *h;
1296 struct ph_context *ac;
1297 struct ldb_message_element *sambaAttr;
1298 struct ldb_message_element *ntAttr;
1299 struct ldb_message_element *lmAttr;
1302 ldb_debug(module->ldb, LDB_DEBUG_TRACE, "password_hash_add\n");
1304 if (ldb_dn_is_special(req->op.add.message->dn)) { /* do not manipulate our control entries */
1305 return ldb_next_request(module, req);
1308 /* If the caller is manipulating the local passwords directly, let them pass */
1309 if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
1310 req->op.add.message->dn) == 0) {
1311 return ldb_next_request(module, req);
1314 /* nobody must touch this fields */
1315 if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory")) {
1316 return LDB_ERR_UNWILLING_TO_PERFORM;
1318 if (ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) {
1319 return LDB_ERR_UNWILLING_TO_PERFORM;
1321 if (ldb_msg_find_element(req->op.add.message, "supplementalCredentials")) {
1322 return LDB_ERR_UNWILLING_TO_PERFORM;
1325 /* If no part of this ADD touches the sambaPassword, or the NT
1326 * or LM hashes, then we don't need to make any changes. */
1328 sambaAttr = ldb_msg_find_element(req->op.mod.message, "sambaPassword");
1329 ntAttr = ldb_msg_find_element(req->op.mod.message, "unicodePwd");
1330 lmAttr = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
1332 if ((!sambaAttr) && (!ntAttr) && (!lmAttr)) {
1333 return ldb_next_request(module, req);
1336 /* if it is not an entry of type person its an error */
1337 /* TODO: remove this when sambaPassword will be in schema */
1338 if (!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "person")) {
1339 ldb_set_errstring(module->ldb, "Cannot set a password on entry that does not have objectClass 'person'");
1340 return LDB_ERR_OBJECT_CLASS_VIOLATION;
1343 /* check sambaPassword is single valued here */
1344 /* TODO: remove this when sambaPassword will be single valued in schema */
1345 if (sambaAttr && sambaAttr->num_values > 1) {
1346 ldb_set_errstring(module->ldb, "mupltiple values for sambaPassword not allowed!\n");
1347 return LDB_ERR_CONSTRAINT_VIOLATION;
1350 if (ntAttr && (ntAttr->num_values > 1)) {
1351 ldb_set_errstring(module->ldb, "mupltiple values for unicodePwd not allowed!\n");
1352 return LDB_ERR_CONSTRAINT_VIOLATION;
1354 if (lmAttr && (lmAttr->num_values > 1)) {
1355 ldb_set_errstring(module->ldb, "mupltiple values for dBCSPwd not allowed!\n");
1356 return LDB_ERR_CONSTRAINT_VIOLATION;
1359 if (sambaAttr && sambaAttr->num_values == 0) {
1360 ldb_set_errstring(module->ldb, "sambaPassword must have a value!\n");
1361 return LDB_ERR_CONSTRAINT_VIOLATION;
1364 if (ntAttr && (ntAttr->num_values == 0)) {
1365 ldb_set_errstring(module->ldb, "unicodePwd must have a value!\n");
1366 return LDB_ERR_CONSTRAINT_VIOLATION;
1368 if (lmAttr && (lmAttr->num_values == 0)) {
1369 ldb_set_errstring(module->ldb, "dBCSPwd must have a value!\n");
1370 return LDB_ERR_CONSTRAINT_VIOLATION;
1373 h = ph_init_handle(req, module, PH_ADD);
1375 return LDB_ERR_OPERATIONS_ERROR;
1377 ac = talloc_get_type(h->private_data, struct ph_context);
1379 /* get user domain data */
1380 ac->domain_sid = samdb_result_sid_prefix(ac, req->op.add.message, "objectSid");
1381 if (ac->domain_sid == NULL) {
1382 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "can't handle entry with missing objectSid!\n");
1383 return LDB_ERR_OPERATIONS_ERROR;
1386 ret = build_domain_data_request(ac);
1387 if (ret != LDB_SUCCESS) {
1391 ac->step = PH_ADD_SEARCH_DOM;
1395 return ldb_next_request(module, ac->dom_req);
1398 static int password_hash_add_do_add(struct ldb_handle *h) {
1400 struct ph_context *ac;
1401 struct domain_data *domain;
1402 struct smb_krb5_context *smb_krb5_context;
1403 struct ldb_message *msg;
1404 struct setup_password_fields_io io;
1407 ac = talloc_get_type(h->private_data, struct ph_context);
1409 domain = get_domain_data(ac->module, ac, ac->dom_res);
1410 if (domain == NULL) {
1411 return LDB_ERR_OPERATIONS_ERROR;
1414 ac->down_req = talloc(ac, struct ldb_request);
1415 if (ac->down_req == NULL) {
1416 return LDB_ERR_OPERATIONS_ERROR;
1419 *(ac->down_req) = *(ac->orig_req);
1420 ac->down_req->op.add.message = msg = ldb_msg_copy_shallow(ac->down_req, ac->orig_req->op.add.message);
1421 if (ac->down_req->op.add.message == NULL) {
1422 return LDB_ERR_OPERATIONS_ERROR;
1425 /* Some operations below require kerberos contexts */
1426 if (smb_krb5_init_context(ac->down_req,
1427 ldb_get_opaque(h->module->ldb, "EventContext"),
1428 &smb_krb5_context) != 0) {
1429 return LDB_ERR_OPERATIONS_ERROR;
1435 io.smb_krb5_context = smb_krb5_context;
1437 io.u.user_account_control = samdb_result_uint(msg, "userAccountControl", 0);
1438 io.u.sAMAccountName = samdb_result_string(msg, "samAccountName", NULL);
1439 io.u.user_principal_name = samdb_result_string(msg, "userPrincipalName", NULL);
1440 io.u.is_computer = ldb_msg_check_string_attribute(msg, "objectClass", "computer");
1442 io.n.cleartext = samdb_result_string(msg, "sambaPassword", NULL);
1443 io.n.nt_hash = samdb_result_hash(io.ac, msg, "unicodePwd");
1444 io.n.lm_hash = samdb_result_hash(io.ac, msg, "dBCSPwd");
1446 /* remove attributes */
1447 if (io.n.cleartext) ldb_msg_remove_attr(msg, "sambaPassword");
1448 if (io.n.nt_hash) ldb_msg_remove_attr(msg, "unicodePwd");
1449 if (io.n.lm_hash) ldb_msg_remove_attr(msg, "dBCSPwd");
1450 ldb_msg_remove_attr(msg, "pwdLastSet");
1451 io.o.kvno = samdb_result_uint(msg, "msDs-KeyVersionNumber", 1) - 1;
1452 ldb_msg_remove_attr(msg, "msDs-KeyVersionNumber");
1454 ret = setup_password_fields(&io);
1455 if (ret != LDB_SUCCESS) {
1460 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
1461 "unicodePwd", io.g.nt_hash);
1462 if (ret != LDB_SUCCESS) {
1467 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
1468 "dBCSPwd", io.g.lm_hash);
1469 if (ret != LDB_SUCCESS) {
1473 if (io.g.nt_history_len > 0) {
1474 ret = samdb_msg_add_hashes(ac, msg,
1477 io.g.nt_history_len);
1478 if (ret != LDB_SUCCESS) {
1482 if (io.g.lm_history_len > 0) {
1483 ret = samdb_msg_add_hashes(ac, msg,
1486 io.g.lm_history_len);
1487 if (ret != LDB_SUCCESS) {
1491 if (io.g.supplemental.length > 0) {
1492 ret = ldb_msg_add_value(msg, "supplementalCredentials",
1493 &io.g.supplemental, NULL);
1494 if (ret != LDB_SUCCESS) {
1498 ret = samdb_msg_add_uint64(ac->module->ldb, ac, msg,
1501 if (ret != LDB_SUCCESS) {
1504 ret = samdb_msg_add_uint(ac->module->ldb, ac, msg,
1505 "msDs-KeyVersionNumber",
1507 if (ret != LDB_SUCCESS) {
1511 h->state = LDB_ASYNC_INIT;
1512 h->status = LDB_SUCCESS;
1514 ac->step = PH_ADD_DO_ADD;
1516 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->down_req);
1518 /* perform the operation */
1519 return ldb_next_request(ac->module, ac->down_req);
1522 static int password_hash_mod_search_self(struct ldb_handle *h);
1524 static int password_hash_modify(struct ldb_module *module, struct ldb_request *req)
1526 struct ldb_handle *h;
1527 struct ph_context *ac;
1528 struct ldb_message_element *sambaAttr;
1529 struct ldb_message_element *ntAttr;
1530 struct ldb_message_element *lmAttr;
1531 struct ldb_message *msg;
1533 ldb_debug(module->ldb, LDB_DEBUG_TRACE, "password_hash_modify\n");
1535 if (ldb_dn_is_special(req->op.mod.message->dn)) { /* do not manipulate our control entries */
1536 return ldb_next_request(module, req);
1539 /* If the caller is manipulating the local passwords directly, let them pass */
1540 if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
1541 req->op.mod.message->dn) == 0) {
1542 return ldb_next_request(module, req);
1545 /* nobody must touch password Histories */
1546 if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory")) {
1547 return LDB_ERR_UNWILLING_TO_PERFORM;
1549 if (ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) {
1550 return LDB_ERR_UNWILLING_TO_PERFORM;
1552 if (ldb_msg_find_element(req->op.add.message, "supplementalCredentials")) {
1553 return LDB_ERR_UNWILLING_TO_PERFORM;
1556 sambaAttr = ldb_msg_find_element(req->op.mod.message, "sambaPassword");
1557 ntAttr = ldb_msg_find_element(req->op.mod.message, "unicodePwd");
1558 lmAttr = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
1560 /* If no part of this touches the sambaPassword OR unicodePwd and/or dBCSPwd, then we don't
1561 * need to make any changes. For password changes/set there should
1562 * be a 'delete' or a 'modify' on this attribute. */
1563 if ((!sambaAttr) && (!ntAttr) && (!lmAttr)) {
1564 return ldb_next_request(module, req);
1567 /* check passwords are single valued here */
1568 /* TODO: remove this when passwords will be single valued in schema */
1569 if (sambaAttr && (sambaAttr->num_values > 1)) {
1570 return LDB_ERR_CONSTRAINT_VIOLATION;
1572 if (ntAttr && (ntAttr->num_values > 1)) {
1573 return LDB_ERR_CONSTRAINT_VIOLATION;
1575 if (lmAttr && (lmAttr->num_values > 1)) {
1576 return LDB_ERR_CONSTRAINT_VIOLATION;
1579 h = ph_init_handle(req, module, PH_MOD);
1581 return LDB_ERR_OPERATIONS_ERROR;
1583 ac = talloc_get_type(h->private_data, struct ph_context);
1585 /* return or own handle to deal with this call */
1588 /* prepare the first operation */
1589 ac->down_req = talloc_zero(ac, struct ldb_request);
1590 if (ac->down_req == NULL) {
1591 ldb_set_errstring(module->ldb, "Out of memory!");
1592 return LDB_ERR_OPERATIONS_ERROR;
1595 *(ac->down_req) = *req; /* copy the request */
1597 /* use a new message structure so that we can modify it */
1598 ac->down_req->op.mod.message = msg = ldb_msg_copy_shallow(ac->down_req, req->op.mod.message);
1600 /* - remove any imodification to the password from the first commit
1601 * we will make the real modification later */
1602 if (sambaAttr) ldb_msg_remove_attr(msg, "sambaPassword");
1603 if (ntAttr) ldb_msg_remove_attr(msg, "unicodePwd");
1604 if (lmAttr) ldb_msg_remove_attr(msg, "dBCSPwd");
1606 /* if there was nothing else to be modify skip to next step */
1607 if (msg->num_elements == 0) {
1608 talloc_free(ac->down_req);
1609 ac->down_req = NULL;
1610 return password_hash_mod_search_self(h);
1613 ac->down_req->context = NULL;
1614 ac->down_req->callback = NULL;
1616 ac->step = PH_MOD_DO_REQ;
1618 ldb_set_timeout_from_prev_req(module->ldb, req, ac->down_req);
1620 return ldb_next_request(module, ac->down_req);
1623 static int get_self_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
1625 struct ph_context *ac;
1627 ac = talloc_get_type(context, struct ph_context);
1629 /* we are interested only in the single reply (base search) we receive here */
1630 if (ares->type == LDB_REPLY_ENTRY) {
1631 if (ac->search_res != NULL) {
1632 ldb_set_errstring(ldb, "Too many results");
1634 return LDB_ERR_OPERATIONS_ERROR;
1637 /* if it is not an entry of type person this is an error */
1638 /* TODO: remove this when sambaPassword will be in schema */
1639 if (!ldb_msg_check_string_attribute(ares->message, "objectClass", "person")) {
1640 ldb_set_errstring(ldb, "Object class violation");
1642 return LDB_ERR_OBJECT_CLASS_VIOLATION;
1645 ac->search_res = talloc_steal(ac, ares);
1653 static int password_hash_mod_search_self(struct ldb_handle *h) {
1655 struct ph_context *ac;
1656 static const char * const attrs[] = { "userAccountControl", "lmPwdHistory",
1658 "objectSid", "msDS-KeyVersionNumber",
1659 "objectClass", "userPrincipalName",
1661 "dBCSPwd", "unicodePwd",
1662 "supplementalCredentials",
1665 ac = talloc_get_type(h->private_data, struct ph_context);
1667 /* prepare the search operation */
1668 ac->search_req = talloc_zero(ac, struct ldb_request);
1669 if (ac->search_req == NULL) {
1670 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
1671 return LDB_ERR_OPERATIONS_ERROR;
1674 ac->search_req->operation = LDB_SEARCH;
1675 ac->search_req->op.search.base = ac->orig_req->op.mod.message->dn;
1676 ac->search_req->op.search.scope = LDB_SCOPE_BASE;
1677 ac->search_req->op.search.tree = ldb_parse_tree(ac->search_req, NULL);
1678 if (ac->search_req->op.search.tree == NULL) {
1679 ldb_set_errstring(ac->module->ldb, "Invalid search filter");
1680 return LDB_ERR_OPERATIONS_ERROR;
1682 ac->search_req->op.search.attrs = attrs;
1683 ac->search_req->controls = NULL;
1684 ac->search_req->context = ac;
1685 ac->search_req->callback = get_self_callback;
1686 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->search_req);
1688 ac->step = PH_MOD_SEARCH_SELF;
1690 return ldb_next_request(ac->module, ac->search_req);
1693 static int password_hash_mod_search_dom(struct ldb_handle *h) {
1695 struct ph_context *ac;
1698 ac = talloc_get_type(h->private_data, struct ph_context);
1700 /* get object domain sid */
1701 ac->domain_sid = samdb_result_sid_prefix(ac, ac->search_res->message, "objectSid");
1702 if (ac->domain_sid == NULL) {
1703 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "can't handle entry with missing objectSid!\n");
1704 return LDB_ERR_OPERATIONS_ERROR;
1707 /* get user domain data */
1708 ret = build_domain_data_request(ac);
1709 if (ret != LDB_SUCCESS) {
1713 ac->step = PH_MOD_SEARCH_DOM;
1715 return ldb_next_request(ac->module, ac->dom_req);
1718 static int password_hash_mod_do_mod(struct ldb_handle *h) {
1720 struct ph_context *ac;
1721 struct domain_data *domain;
1722 struct smb_krb5_context *smb_krb5_context;
1723 struct ldb_message *msg;
1724 struct ldb_message *orig_msg;
1725 struct ldb_message *searched_msg;
1726 struct setup_password_fields_io io;
1729 ac = talloc_get_type(h->private_data, struct ph_context);
1731 domain = get_domain_data(ac->module, ac, ac->dom_res);
1732 if (domain == NULL) {
1733 return LDB_ERR_OPERATIONS_ERROR;
1736 ac->mod_req = talloc(ac, struct ldb_request);
1737 if (ac->mod_req == NULL) {
1738 return LDB_ERR_OPERATIONS_ERROR;
1741 *(ac->mod_req) = *(ac->orig_req);
1743 /* use a new message structure so that we can modify it */
1744 ac->mod_req->op.mod.message = msg = ldb_msg_new(ac->mod_req);
1746 return LDB_ERR_OPERATIONS_ERROR;
1750 msg->dn = ac->orig_req->op.mod.message->dn;
1752 /* Some operations below require kerberos contexts */
1753 if (smb_krb5_init_context(ac->mod_req,
1754 ldb_get_opaque(h->module->ldb, "EventContext"),
1755 &smb_krb5_context) != 0) {
1756 return LDB_ERR_OPERATIONS_ERROR;
1759 orig_msg = discard_const(ac->orig_req->op.mod.message);
1760 searched_msg = ac->search_res->message;
1765 io.smb_krb5_context = smb_krb5_context;
1767 io.u.user_account_control = samdb_result_uint(searched_msg, "userAccountControl", 0);
1768 io.u.sAMAccountName = samdb_result_string(searched_msg, "samAccountName", NULL);
1769 io.u.user_principal_name = samdb_result_string(searched_msg, "userPrincipalName", NULL);
1770 io.u.is_computer = ldb_msg_check_string_attribute(searched_msg, "objectClass", "computer");
1772 io.n.cleartext = samdb_result_string(orig_msg, "sambaPassword", NULL);
1773 io.n.nt_hash = samdb_result_hash(io.ac, orig_msg, "unicodePwd");
1774 io.n.lm_hash = samdb_result_hash(io.ac, orig_msg, "dBCSPwd");
1776 io.o.kvno = samdb_result_uint(searched_msg, "msDs-KeyVersionNumber", 0);
1777 io.o.nt_history_len = samdb_result_hashes(io.ac, searched_msg, "ntPwdHistory", &io.o.nt_history);
1778 io.o.lm_history_len = samdb_result_hashes(io.ac, searched_msg, "lmPwdHistory", &io.o.lm_history);
1779 io.o.supplemental = ldb_msg_find_ldb_val(searched_msg, "supplementalCredentials");
1781 ret = setup_password_fields(&io);
1782 if (ret != LDB_SUCCESS) {
1786 /* make sure we replace all the old attributes */
1787 ret = ldb_msg_add_empty(msg, "unicodePwd", LDB_FLAG_MOD_REPLACE, NULL);
1788 ret = ldb_msg_add_empty(msg, "dBCSPwd", LDB_FLAG_MOD_REPLACE, NULL);
1789 ret = ldb_msg_add_empty(msg, "ntPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
1790 ret = ldb_msg_add_empty(msg, "lmPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
1791 ret = ldb_msg_add_empty(msg, "supplementalCredentials", LDB_FLAG_MOD_REPLACE, NULL);
1792 ret = ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE, NULL);
1793 ret = ldb_msg_add_empty(msg, "msDs-KeyVersionNumber", LDB_FLAG_MOD_REPLACE, NULL);
1796 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
1797 "unicodePwd", io.g.nt_hash);
1798 if (ret != LDB_SUCCESS) {
1803 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
1804 "dBCSPwd", io.g.lm_hash);
1805 if (ret != LDB_SUCCESS) {
1809 if (io.g.nt_history_len > 0) {
1810 ret = samdb_msg_add_hashes(ac, msg,
1813 io.g.nt_history_len);
1814 if (ret != LDB_SUCCESS) {
1818 if (io.g.lm_history_len > 0) {
1819 ret = samdb_msg_add_hashes(ac, msg,
1822 io.g.lm_history_len);
1823 if (ret != LDB_SUCCESS) {
1827 if (io.g.supplemental.length > 0) {
1828 ret = ldb_msg_add_value(msg, "supplementalCredentials",
1829 &io.g.supplemental, NULL);
1830 if (ret != LDB_SUCCESS) {
1834 ret = samdb_msg_add_uint64(ac->module->ldb, ac, msg,
1837 if (ret != LDB_SUCCESS) {
1840 ret = samdb_msg_add_uint(ac->module->ldb, ac, msg,
1841 "msDs-KeyVersionNumber",
1843 if (ret != LDB_SUCCESS) {
1847 h->state = LDB_ASYNC_INIT;
1848 h->status = LDB_SUCCESS;
1850 ac->step = PH_MOD_DO_MOD;
1852 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->mod_req);
1854 /* perform the search */
1855 return ldb_next_request(ac->module, ac->mod_req);
1858 static int ph_wait(struct ldb_handle *handle) {
1859 struct ph_context *ac;
1862 if (!handle || !handle->private_data) {
1863 return LDB_ERR_OPERATIONS_ERROR;
1866 if (handle->state == LDB_ASYNC_DONE) {
1867 return handle->status;
1870 handle->state = LDB_ASYNC_PENDING;
1871 handle->status = LDB_SUCCESS;
1873 ac = talloc_get_type(handle->private_data, struct ph_context);
1876 case PH_ADD_SEARCH_DOM:
1877 ret = ldb_wait(ac->dom_req->handle, LDB_WAIT_NONE);
1879 if (ret != LDB_SUCCESS) {
1880 handle->status = ret;
1883 if (ac->dom_req->handle->status != LDB_SUCCESS) {
1884 handle->status = ac->dom_req->handle->status;
1888 if (ac->dom_req->handle->state != LDB_ASYNC_DONE) {
1892 /* domain search done, go on */
1893 return password_hash_add_do_add(handle);
1896 ret = ldb_wait(ac->down_req->handle, LDB_WAIT_NONE);
1898 if (ret != LDB_SUCCESS) {
1899 handle->status = ret;
1902 if (ac->down_req->handle->status != LDB_SUCCESS) {
1903 handle->status = ac->down_req->handle->status;
1907 if (ac->down_req->handle->state != LDB_ASYNC_DONE) {
1914 ret = ldb_wait(ac->down_req->handle, LDB_WAIT_NONE);
1916 if (ret != LDB_SUCCESS) {
1917 handle->status = ret;
1920 if (ac->down_req->handle->status != LDB_SUCCESS) {
1921 handle->status = ac->down_req->handle->status;
1925 if (ac->down_req->handle->state != LDB_ASYNC_DONE) {
1929 /* non-password mods done, go on */
1930 return password_hash_mod_search_self(handle);
1932 case PH_MOD_SEARCH_SELF:
1933 ret = ldb_wait(ac->search_req->handle, LDB_WAIT_NONE);
1935 if (ret != LDB_SUCCESS) {
1936 handle->status = ret;
1939 if (ac->search_req->handle->status != LDB_SUCCESS) {
1940 handle->status = ac->search_req->handle->status;
1944 if (ac->search_req->handle->state != LDB_ASYNC_DONE) {
1948 if (ac->search_res == NULL) {
1949 return LDB_ERR_NO_SUCH_OBJECT;
1952 /* self search done, go on */
1953 return password_hash_mod_search_dom(handle);
1955 case PH_MOD_SEARCH_DOM:
1956 ret = ldb_wait(ac->dom_req->handle, LDB_WAIT_NONE);
1958 if (ret != LDB_SUCCESS) {
1959 handle->status = ret;
1962 if (ac->dom_req->handle->status != LDB_SUCCESS) {
1963 handle->status = ac->dom_req->handle->status;
1967 if (ac->dom_req->handle->state != LDB_ASYNC_DONE) {
1971 /* domain search done, go on */
1972 return password_hash_mod_do_mod(handle);
1975 ret = ldb_wait(ac->mod_req->handle, LDB_WAIT_NONE);
1977 if (ret != LDB_SUCCESS) {
1978 handle->status = ret;
1981 if (ac->mod_req->handle->status != LDB_SUCCESS) {
1982 handle->status = ac->mod_req->handle->status;
1986 if (ac->mod_req->handle->state != LDB_ASYNC_DONE) {
1993 ret = LDB_ERR_OPERATIONS_ERROR;
2000 handle->state = LDB_ASYNC_DONE;
2004 static int ph_wait_all(struct ldb_handle *handle) {
2008 while (handle->state != LDB_ASYNC_DONE) {
2009 ret = ph_wait(handle);
2010 if (ret != LDB_SUCCESS) {
2015 return handle->status;
2018 static int password_hash_wait(struct ldb_handle *handle, enum ldb_wait_type type)
2020 if (type == LDB_WAIT_ALL) {
2021 return ph_wait_all(handle);
2023 return ph_wait(handle);
2027 static const struct ldb_module_ops password_hash_ops = {
2028 .name = "password_hash",
2029 .add = password_hash_add,
2030 .modify = password_hash_modify,
2031 .wait = password_hash_wait
2035 int password_hash_module_init(void)
2037 return ldb_register_module(&password_hash_ops);