4 Copyright (C) Simo Sorce 2004-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2006
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Stefan Metzmacher 2007-2010
8 Copyright (C) Matthias Dieter Wallnöfer 2009-2010
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
27 * Component: ldb password_hash module
29 * Description: correctly handle AD password changes fields
31 * Author: Andrew Bartlett
32 * Author: Stefan Metzmacher
36 #include "ldb_module.h"
37 #include "libcli/auth/libcli_auth.h"
38 #include "system/kerberos.h"
39 #include "auth/kerberos/kerberos.h"
40 #include "dsdb/samdb/samdb.h"
41 #include "dsdb/samdb/ldb_modules/util.h"
42 #include "dsdb/samdb/ldb_modules/password_modules.h"
43 #include "librpc/gen_ndr/ndr_drsblobs.h"
44 #include "../lib/crypto/crypto.h"
45 #include "param/param.h"
47 /* If we have decided there is a reason to work on this request, then
48 * setup all the password hash types correctly.
50 * If we haven't the hashes yet but the password given as plain-text (attributes
51 * 'unicodePwd', 'userPassword' and 'clearTextPassword') we have to check for
52 * the constraints. Once this is done, we calculate the password hashes.
54 * Notice: unlike the real AD which only supports the UTF16 special based
55 * 'unicodePwd' and the UTF8 based 'userPassword' plaintext attribute we
56 * understand also a UTF16 based 'clearTextPassword' one.
57 * The latter is also accessible through LDAP so it can also be set by external
58 * tools and scripts. But be aware that this isn't portable on non SAMBA 4 ADs!
60 * Also when the module receives only the password hashes (possible through
61 * specifying an internal LDB control - for security reasons) some checks are
62 * performed depending on the operation mode (see below) (e.g. if the password
63 * has been in use before if the password memory policy was activated).
65 * Attention: There is a difference between "modify" and "reset" operations
66 * (see MS-ADTS 3.1.1.3.1.5). If the client sends a "add" and "remove"
67 * operation for a password attribute we thread this as a "modify"; if it sends
68 * only a "replace" one we have an (administrative) reset.
70 * Finally, if the administrator has requested that a password history
71 * be maintained, then this should also be written out.
75 /* TODO: [consider always MS-ADTS 3.1.1.3.1.5]
76 * - Check for right connection encryption
79 /* Notice: Definition of "dsdb_control_password_change_status" moved into
83 struct ldb_module *module;
84 struct ldb_request *req;
86 struct ldb_request *dom_req;
87 struct ldb_reply *dom_res;
89 struct ldb_reply *search_res;
91 struct dsdb_control_password_change_status *status;
92 struct dsdb_control_password_change *change;
98 bool pwd_last_set_bypass;
102 struct setup_password_fields_io {
103 struct ph_context *ac;
105 struct smb_krb5_context *smb_krb5_context;
107 /* infos about the user account */
109 uint32_t userAccountControl;
111 const char *sAMAccountName;
112 const char *user_principal_name;
114 uint32_t restrictions;
117 /* new credentials and old given credentials */
118 struct setup_password_fields_given {
119 const struct ldb_val *cleartext_utf8;
120 const struct ldb_val *cleartext_utf16;
121 struct samr_Password *nt_hash;
122 struct samr_Password *lm_hash;
125 /* old credentials */
127 struct samr_Password *nt_hash;
128 struct samr_Password *lm_hash;
129 uint32_t nt_history_len;
130 struct samr_Password *nt_history;
131 uint32_t lm_history_len;
132 struct samr_Password *lm_history;
133 const struct ldb_val *supplemental;
134 struct supplementalCredentialsBlob scb;
137 /* generated credentials */
139 struct samr_Password *nt_hash;
140 struct samr_Password *lm_hash;
141 uint32_t nt_history_len;
142 struct samr_Password *nt_history;
143 uint32_t lm_history_len;
144 struct samr_Password *lm_history;
150 struct ldb_val supplemental;
155 static int password_hash_bypass(struct ldb_module *module, struct ldb_request *request)
157 struct ldb_context *ldb = ldb_module_get_ctx(module);
158 const struct ldb_message *msg;
159 struct ldb_message_element *nte;
160 struct ldb_message_element *lme;
161 struct ldb_message_element *nthe;
162 struct ldb_message_element *lmhe;
163 struct ldb_message_element *sce;
165 switch (request->operation) {
167 msg = request->op.add.message;
170 msg = request->op.mod.message;
173 return ldb_next_request(module, request);
176 /* nobody must touch password histories and 'supplementalCredentials' */
177 nte = dsdb_get_single_valued_attr(msg, "unicodePwd",
179 lme = dsdb_get_single_valued_attr(msg, "dBCSPwd",
181 nthe = dsdb_get_single_valued_attr(msg, "ntPwdHistory",
183 lmhe = dsdb_get_single_valued_attr(msg, "lmPwdHistory",
185 sce = dsdb_get_single_valued_attr(msg, "supplementalCredentials",
188 #define CHECK_HASH_ELEMENT(e, min, max) do {\
189 if (e && e->num_values) { \
190 unsigned int _count; \
191 if (e->num_values != 1) { \
192 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, \
193 "num_values != 1"); \
195 if ((e->values[0].length % 16) != 0) { \
196 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, \
197 "length % 16 != 0"); \
199 _count = e->values[0].length / 16; \
200 if (_count < min) { \
201 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, \
204 if (_count > max) { \
205 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, \
211 CHECK_HASH_ELEMENT(nte, 1, 1);
212 CHECK_HASH_ELEMENT(lme, 1, 1);
213 CHECK_HASH_ELEMENT(nthe, 1, INT32_MAX);
214 CHECK_HASH_ELEMENT(lmhe, 1, INT32_MAX);
216 if (sce && sce->num_values) {
217 enum ndr_err_code ndr_err;
218 struct supplementalCredentialsBlob *scb;
219 struct supplementalCredentialsPackage *scpp = NULL;
220 struct supplementalCredentialsPackage *scpk = NULL;
221 struct supplementalCredentialsPackage *scpkn = NULL;
222 struct supplementalCredentialsPackage *scpct = NULL;
223 DATA_BLOB scpbp = data_blob_null;
224 DATA_BLOB scpbk = data_blob_null;
225 DATA_BLOB scpbkn = data_blob_null;
226 DATA_BLOB scpbct = data_blob_null;
230 if (sce->num_values != 1) {
231 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
235 scb = talloc_zero(request, struct supplementalCredentialsBlob);
237 return ldb_module_oom(module);
240 ndr_err = ndr_pull_struct_blob_all(&sce->values[0], scb, scb,
241 (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
242 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
243 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
244 "ndr_pull_struct_blob_all");
247 if (scb->sub.num_packages < 2) {
248 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
252 for (i=0; i < scb->sub.num_packages; i++) {
255 subblob = strhex_to_data_blob(scb, scb->sub.packages[i].data);
256 if (subblob.data == NULL) {
257 return ldb_module_oom(module);
260 if (strcmp(scb->sub.packages[i].name, "Packages") == 0) {
262 return ldb_error(ldb,
263 LDB_ERR_CONSTRAINT_VIOLATION,
266 scpp = &scb->sub.packages[i];
270 if (strcmp(scb->sub.packages[i].name, "Primary:Kerberos") == 0) {
272 return ldb_error(ldb,
273 LDB_ERR_CONSTRAINT_VIOLATION,
274 "Primary:Kerberos twice");
276 scpk = &scb->sub.packages[i];
280 if (strcmp(scb->sub.packages[i].name, "Primary:Kerberos-Newer-Keys") == 0) {
282 return ldb_error(ldb,
283 LDB_ERR_CONSTRAINT_VIOLATION,
284 "Primary:Kerberos-Newer-Keys twice");
286 scpkn = &scb->sub.packages[i];
290 if (strcmp(scb->sub.packages[i].name, "Primary:CLEARTEXT") == 0) {
292 return ldb_error(ldb,
293 LDB_ERR_CONSTRAINT_VIOLATION,
294 "Primary:CLEARTEXT twice");
296 scpct = &scb->sub.packages[i];
301 data_blob_free(&subblob);
305 return ldb_error(ldb,
306 LDB_ERR_CONSTRAINT_VIOLATION,
307 "Primary:Packages missing");
312 * If Primary:Kerberos is missing w2k8r2 reboots
313 * when a password is changed.
315 return ldb_error(ldb,
316 LDB_ERR_CONSTRAINT_VIOLATION,
317 "Primary:Kerberos missing");
321 struct package_PackagesBlob *p;
324 p = talloc_zero(scb, struct package_PackagesBlob);
326 return ldb_module_oom(module);
329 ndr_err = ndr_pull_struct_blob(&scpbp, p, p,
330 (ndr_pull_flags_fn_t)ndr_pull_package_PackagesBlob);
331 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
332 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
333 "ndr_pull_struct_blob Packages");
336 if (p->names == NULL) {
337 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
338 "Packages names == NULL");
341 for (n = 0; p->names[n]; n++) {
345 if (scb->sub.num_packages != (n + 1)) {
346 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
347 "Packages num_packages != num_names + 1");
354 struct package_PrimaryKerberosBlob *k;
356 k = talloc_zero(scb, struct package_PrimaryKerberosBlob);
358 return ldb_module_oom(module);
361 ndr_err = ndr_pull_struct_blob(&scpbk, k, k,
362 (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
363 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
364 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
365 "ndr_pull_struct_blob PrimaryKerberos");
368 if (k->version != 3) {
369 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
370 "PrimaryKerberos version != 3");
373 if (k->ctr.ctr3.salt.string == NULL) {
374 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
375 "PrimaryKerberos salt == NULL");
378 if (strlen(k->ctr.ctr3.salt.string) == 0) {
379 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
380 "PrimaryKerberos strlen(salt) == 0");
383 if (k->ctr.ctr3.num_keys != 2) {
384 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
385 "PrimaryKerberos num_keys != 2");
388 if (k->ctr.ctr3.num_old_keys > k->ctr.ctr3.num_keys) {
389 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
390 "PrimaryKerberos num_old_keys > num_keys");
393 if (k->ctr.ctr3.keys[0].keytype != ENCTYPE_DES_CBC_MD5) {
394 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
395 "PrimaryKerberos key[0] != DES_CBC_MD5");
397 if (k->ctr.ctr3.keys[1].keytype != ENCTYPE_DES_CBC_CRC) {
398 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
399 "PrimaryKerberos key[1] != DES_CBC_CRC");
402 if (k->ctr.ctr3.keys[0].value_len != 8) {
403 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
404 "PrimaryKerberos key[0] value_len != 8");
406 if (k->ctr.ctr3.keys[1].value_len != 8) {
407 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
408 "PrimaryKerberos key[1] value_len != 8");
411 for (i = 0; i < k->ctr.ctr3.num_old_keys; i++) {
412 if (k->ctr.ctr3.old_keys[i].keytype ==
413 k->ctr.ctr3.keys[i].keytype &&
414 k->ctr.ctr3.old_keys[i].value_len ==
415 k->ctr.ctr3.keys[i].value_len) {
419 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
420 "PrimaryKerberos old_keys type/value_len doesn't match");
427 struct package_PrimaryKerberosBlob *k;
429 k = talloc_zero(scb, struct package_PrimaryKerberosBlob);
431 return ldb_module_oom(module);
434 ndr_err = ndr_pull_struct_blob(&scpbkn, k, k,
435 (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
436 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
437 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
438 "ndr_pull_struct_blob PrimaryKerberosNeverKeys");
441 if (k->version != 4) {
442 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
443 "KerberosNerverKeys version != 4");
446 if (k->ctr.ctr4.salt.string == NULL) {
447 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
448 "KerberosNewerKeys salt == NULL");
451 if (strlen(k->ctr.ctr4.salt.string) == 0) {
452 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
453 "KerberosNewerKeys strlen(salt) == 0");
456 if (k->ctr.ctr4.num_keys != 4) {
457 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
458 "KerberosNewerKeys num_keys != 2");
461 if (k->ctr.ctr4.num_old_keys > k->ctr.ctr4.num_keys) {
462 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
463 "KerberosNewerKeys num_old_keys > num_keys");
466 if (k->ctr.ctr4.num_older_keys > k->ctr.ctr4.num_old_keys) {
467 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
468 "KerberosNewerKeys num_older_keys > num_old_keys");
471 if (k->ctr.ctr4.keys[0].keytype != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
472 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
473 "KerberosNewerKeys key[0] != AES256");
475 if (k->ctr.ctr4.keys[1].keytype != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
476 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
477 "KerberosNewerKeys key[1] != AES128");
479 if (k->ctr.ctr4.keys[2].keytype != ENCTYPE_DES_CBC_MD5) {
480 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
481 "KerberosNewerKeys key[2] != DES_CBC_MD5");
483 if (k->ctr.ctr4.keys[3].keytype != ENCTYPE_DES_CBC_CRC) {
484 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
485 "KerberosNewerKeys key[3] != DES_CBC_CRC");
488 if (k->ctr.ctr4.keys[0].value_len != 32) {
489 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
490 "KerberosNewerKeys key[0] value_len != 32");
492 if (k->ctr.ctr4.keys[1].value_len != 16) {
493 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
494 "KerberosNewerKeys key[1] value_len != 16");
496 if (k->ctr.ctr4.keys[2].value_len != 8) {
497 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
498 "KerberosNewerKeys key[2] value_len != 8");
500 if (k->ctr.ctr4.keys[3].value_len != 8) {
501 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
502 "KerberosNewerKeys key[3] value_len != 8");
507 * Maybe we can check old and older keys here.
508 * But we need to do some tests, if the old keys
509 * can be taken from the PrimaryKerberos blob
510 * (with only des keys), when the domain was upgraded
518 struct package_PrimaryCLEARTEXTBlob *ct;
520 ct = talloc_zero(scb, struct package_PrimaryCLEARTEXTBlob);
522 return ldb_module_oom(module);
525 ndr_err = ndr_pull_struct_blob(&scpbct, ct, ct,
526 (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryCLEARTEXTBlob);
527 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
528 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
529 "ndr_pull_struct_blob PrimaryCLEARTEXT");
532 if ((ct->cleartext.length % 2) != 0) {
533 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
534 "PrimaryCLEARTEXT length % 2 != 0");
540 ndr_err = ndr_push_struct_blob(&blob, scb, scb,
541 (ndr_push_flags_fn_t)ndr_push_supplementalCredentialsBlob);
542 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
543 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
544 "ndr_pull_struct_blob_all");
547 if (sce->values[0].length != blob.length) {
548 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
549 "supplementalCredentialsBlob length differ");
552 if (memcmp(sce->values[0].data, blob.data, blob.length) != 0) {
553 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
554 "supplementalCredentialsBlob memcmp differ");
560 ldb_debug(ldb, LDB_DEBUG_TRACE, "password_hash_bypass - validated\n");
561 return ldb_next_request(module, request);
564 /* Get the NT hash, and fill it in as an entry in the password history,
565 and specify it into io->g.nt_hash */
567 static int setup_nt_fields(struct setup_password_fields_io *io)
569 struct ldb_context *ldb;
572 io->g.nt_hash = io->n.nt_hash;
573 ldb = ldb_module_get_ctx(io->ac->module);
575 if (io->ac->status->domain_data.pwdHistoryLength == 0) {
579 /* We might not have an old NT password */
580 io->g.nt_history = talloc_array(io->ac,
581 struct samr_Password,
582 io->ac->status->domain_data.pwdHistoryLength);
583 if (!io->g.nt_history) {
587 for (i = 0; i < MIN(io->ac->status->domain_data.pwdHistoryLength-1,
588 io->o.nt_history_len); i++) {
589 io->g.nt_history[i+1] = io->o.nt_history[i];
591 io->g.nt_history_len = i + 1;
594 io->g.nt_history[0] = *io->g.nt_hash;
597 * TODO: is this correct?
598 * the simular behavior is correct for the lm history case
600 E_md4hash("", io->g.nt_history[0].hash);
606 /* Get the LANMAN hash, and fill it in as an entry in the password history,
607 and specify it into io->g.lm_hash */
609 static int setup_lm_fields(struct setup_password_fields_io *io)
611 struct ldb_context *ldb;
614 io->g.lm_hash = io->n.lm_hash;
615 ldb = ldb_module_get_ctx(io->ac->module);
617 if (io->ac->status->domain_data.pwdHistoryLength == 0) {
621 /* We might not have an old LM password */
622 io->g.lm_history = talloc_array(io->ac,
623 struct samr_Password,
624 io->ac->status->domain_data.pwdHistoryLength);
625 if (!io->g.lm_history) {
629 for (i = 0; i < MIN(io->ac->status->domain_data.pwdHistoryLength-1,
630 io->o.lm_history_len); i++) {
631 io->g.lm_history[i+1] = io->o.lm_history[i];
633 io->g.lm_history_len = i + 1;
636 io->g.lm_history[0] = *io->g.lm_hash;
638 E_deshash("", io->g.lm_history[0].hash);
644 static int setup_kerberos_keys(struct setup_password_fields_io *io)
646 struct ldb_context *ldb;
647 krb5_error_code krb5_ret;
648 Principal *salt_principal;
651 krb5_data cleartext_data;
653 ldb = ldb_module_get_ctx(io->ac->module);
654 cleartext_data.data = io->n.cleartext_utf8->data;
655 cleartext_data.length = io->n.cleartext_utf8->length;
657 /* Many, many thanks to lukeh@padl.com for this
658 * algorithm, described in his Nov 10 2004 mail to
659 * samba-technical@samba.org */
662 * Determine a salting principal
664 if (io->u.is_computer) {
668 name = strlower_talloc(io->ac, io->u.sAMAccountName);
673 if (name[strlen(name)-1] == '$') {
674 name[strlen(name)-1] = '\0';
677 saltbody = talloc_asprintf(io->ac, "%s.%s", name,
678 io->ac->status->domain_data.dns_domain);
683 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
685 io->ac->status->domain_data.realm,
686 "host", saltbody, NULL);
687 } else if (io->u.user_principal_name) {
688 char *user_principal_name;
691 user_principal_name = talloc_strdup(io->ac, io->u.user_principal_name);
692 if (!user_principal_name) {
696 p = strchr(user_principal_name, '@');
701 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
703 io->ac->status->domain_data.realm,
704 user_principal_name, NULL);
706 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
708 io->ac->status->domain_data.realm,
709 io->u.sAMAccountName, NULL);
712 ldb_asprintf_errstring(ldb,
713 "setup_kerberos_keys: "
714 "generation of a salting principal failed: %s",
715 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context,
717 return LDB_ERR_OPERATIONS_ERROR;
721 * create salt from salt_principal
723 krb5_ret = krb5_get_pw_salt(io->smb_krb5_context->krb5_context,
724 salt_principal, &salt);
725 krb5_free_principal(io->smb_krb5_context->krb5_context, salt_principal);
727 ldb_asprintf_errstring(ldb,
728 "setup_kerberos_keys: "
729 "generation of krb5_salt failed: %s",
730 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context,
732 return LDB_ERR_OPERATIONS_ERROR;
734 /* create a talloc copy */
735 io->g.salt = talloc_strndup(io->ac,
736 (char *)salt.saltvalue.data,
737 salt.saltvalue.length);
738 krb5_free_salt(io->smb_krb5_context->krb5_context, salt);
742 salt.saltvalue.data = discard_const(io->g.salt);
743 salt.saltvalue.length = strlen(io->g.salt);
746 * create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of
747 * the salt and the cleartext password
749 krb5_ret = krb5_string_to_key_data_salt(io->smb_krb5_context->krb5_context,
750 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
755 ldb_asprintf_errstring(ldb,
756 "setup_kerberos_keys: "
757 "generation of a aes256-cts-hmac-sha1-96 key failed: %s",
758 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context,
760 return LDB_ERR_OPERATIONS_ERROR;
762 io->g.aes_256 = data_blob_talloc(io->ac,
764 key.keyvalue.length);
765 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
766 if (!io->g.aes_256.data) {
771 * create ENCTYPE_AES128_CTS_HMAC_SHA1_96 key out of
772 * the salt and the cleartext password
774 krb5_ret = krb5_string_to_key_data_salt(io->smb_krb5_context->krb5_context,
775 ENCTYPE_AES128_CTS_HMAC_SHA1_96,
780 ldb_asprintf_errstring(ldb,
781 "setup_kerberos_keys: "
782 "generation of a aes128-cts-hmac-sha1-96 key failed: %s",
783 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context,
785 return LDB_ERR_OPERATIONS_ERROR;
787 io->g.aes_128 = data_blob_talloc(io->ac,
789 key.keyvalue.length);
790 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
791 if (!io->g.aes_128.data) {
796 * create ENCTYPE_DES_CBC_MD5 key out of
797 * the salt and the cleartext password
799 krb5_ret = krb5_string_to_key_data_salt(io->smb_krb5_context->krb5_context,
805 ldb_asprintf_errstring(ldb,
806 "setup_kerberos_keys: "
807 "generation of a des-cbc-md5 key failed: %s",
808 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context,
810 return LDB_ERR_OPERATIONS_ERROR;
812 io->g.des_md5 = data_blob_talloc(io->ac,
814 key.keyvalue.length);
815 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
816 if (!io->g.des_md5.data) {
821 * create ENCTYPE_DES_CBC_CRC key out of
822 * the salt and the cleartext password
824 krb5_ret = krb5_string_to_key_data_salt(io->smb_krb5_context->krb5_context,
830 ldb_asprintf_errstring(ldb,
831 "setup_kerberos_keys: "
832 "generation of a des-cbc-crc key failed: %s",
833 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context,
835 return LDB_ERR_OPERATIONS_ERROR;
837 io->g.des_crc = data_blob_talloc(io->ac,
839 key.keyvalue.length);
840 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
841 if (!io->g.des_crc.data) {
848 static int setup_primary_kerberos(struct setup_password_fields_io *io,
849 const struct supplementalCredentialsBlob *old_scb,
850 struct package_PrimaryKerberosBlob *pkb)
852 struct ldb_context *ldb;
853 struct package_PrimaryKerberosCtr3 *pkb3 = &pkb->ctr.ctr3;
854 struct supplementalCredentialsPackage *old_scp = NULL;
855 struct package_PrimaryKerberosBlob _old_pkb;
856 struct package_PrimaryKerberosCtr3 *old_pkb3 = NULL;
858 enum ndr_err_code ndr_err;
860 ldb = ldb_module_get_ctx(io->ac->module);
863 * prepare generation of keys
865 * ENCTYPE_DES_CBC_MD5
866 * ENCTYPE_DES_CBC_CRC
869 pkb3->salt.string = io->g.salt;
871 pkb3->keys = talloc_array(io->ac,
872 struct package_PrimaryKerberosKey3,
878 pkb3->keys[0].keytype = ENCTYPE_DES_CBC_MD5;
879 pkb3->keys[0].value = &io->g.des_md5;
880 pkb3->keys[1].keytype = ENCTYPE_DES_CBC_CRC;
881 pkb3->keys[1].value = &io->g.des_crc;
883 /* initialize the old keys to zero */
884 pkb3->num_old_keys = 0;
885 pkb3->old_keys = NULL;
887 /* if there're no old keys, then we're done */
892 for (i=0; i < old_scb->sub.num_packages; i++) {
893 if (strcmp("Primary:Kerberos", old_scb->sub.packages[i].name) != 0) {
897 if (!old_scb->sub.packages[i].data || !old_scb->sub.packages[i].data[0]) {
901 old_scp = &old_scb->sub.packages[i];
904 /* Primary:Kerberos element of supplementalCredentials */
908 blob = strhex_to_data_blob(io->ac, old_scp->data);
913 /* TODO: use ndr_pull_struct_blob_all(), when the ndr layer handles it correct with relative pointers */
914 ndr_err = ndr_pull_struct_blob(&blob, io->ac, &_old_pkb,
915 (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
916 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
917 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
918 ldb_asprintf_errstring(ldb,
919 "setup_primary_kerberos: "
920 "failed to pull old package_PrimaryKerberosBlob: %s",
922 return LDB_ERR_OPERATIONS_ERROR;
925 if (_old_pkb.version != 3) {
926 ldb_asprintf_errstring(ldb,
927 "setup_primary_kerberos: "
928 "package_PrimaryKerberosBlob version[%u] expected[3]",
930 return LDB_ERR_OPERATIONS_ERROR;
933 old_pkb3 = &_old_pkb.ctr.ctr3;
936 /* if we didn't found the old keys we're done */
941 /* fill in the old keys */
942 pkb3->num_old_keys = old_pkb3->num_keys;
943 pkb3->old_keys = old_pkb3->keys;
948 static int setup_primary_kerberos_newer(struct setup_password_fields_io *io,
949 const struct supplementalCredentialsBlob *old_scb,
950 struct package_PrimaryKerberosBlob *pkb)
952 struct ldb_context *ldb;
953 struct package_PrimaryKerberosCtr4 *pkb4 = &pkb->ctr.ctr4;
954 struct supplementalCredentialsPackage *old_scp = NULL;
955 struct package_PrimaryKerberosBlob _old_pkb;
956 struct package_PrimaryKerberosCtr4 *old_pkb4 = NULL;
958 enum ndr_err_code ndr_err;
960 ldb = ldb_module_get_ctx(io->ac->module);
963 * prepare generation of keys
965 * ENCTYPE_AES256_CTS_HMAC_SHA1_96
966 * ENCTYPE_AES128_CTS_HMAC_SHA1_96
967 * ENCTYPE_DES_CBC_MD5
968 * ENCTYPE_DES_CBC_CRC
971 pkb4->salt.string = io->g.salt;
972 pkb4->default_iteration_count = 4096;
975 pkb4->keys = talloc_array(io->ac,
976 struct package_PrimaryKerberosKey4,
982 pkb4->keys[0].iteration_count = 4096;
983 pkb4->keys[0].keytype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
984 pkb4->keys[0].value = &io->g.aes_256;
985 pkb4->keys[1].iteration_count = 4096;
986 pkb4->keys[1].keytype = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
987 pkb4->keys[1].value = &io->g.aes_128;
988 pkb4->keys[2].iteration_count = 4096;
989 pkb4->keys[2].keytype = ENCTYPE_DES_CBC_MD5;
990 pkb4->keys[2].value = &io->g.des_md5;
991 pkb4->keys[3].iteration_count = 4096;
992 pkb4->keys[3].keytype = ENCTYPE_DES_CBC_CRC;
993 pkb4->keys[3].value = &io->g.des_crc;
995 /* initialize the old keys to zero */
996 pkb4->num_old_keys = 0;
997 pkb4->old_keys = NULL;
998 pkb4->num_older_keys = 0;
999 pkb4->older_keys = NULL;
1001 /* if there're no old keys, then we're done */
1006 for (i=0; i < old_scb->sub.num_packages; i++) {
1007 if (strcmp("Primary:Kerberos-Newer-Keys", old_scb->sub.packages[i].name) != 0) {
1011 if (!old_scb->sub.packages[i].data || !old_scb->sub.packages[i].data[0]) {
1015 old_scp = &old_scb->sub.packages[i];
1018 /* Primary:Kerberos-Newer-Keys element of supplementalCredentials */
1022 blob = strhex_to_data_blob(io->ac, old_scp->data);
1024 return ldb_oom(ldb);
1027 /* TODO: use ndr_pull_struct_blob_all(), when the ndr layer handles it correct with relative pointers */
1028 ndr_err = ndr_pull_struct_blob(&blob, io->ac,
1030 (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
1031 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1032 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1033 ldb_asprintf_errstring(ldb,
1034 "setup_primary_kerberos_newer: "
1035 "failed to pull old package_PrimaryKerberosBlob: %s",
1037 return LDB_ERR_OPERATIONS_ERROR;
1040 if (_old_pkb.version != 4) {
1041 ldb_asprintf_errstring(ldb,
1042 "setup_primary_kerberos_newer: "
1043 "package_PrimaryKerberosBlob version[%u] expected[4]",
1045 return LDB_ERR_OPERATIONS_ERROR;
1048 old_pkb4 = &_old_pkb.ctr.ctr4;
1051 /* if we didn't found the old keys we're done */
1056 /* fill in the old keys */
1057 pkb4->num_old_keys = old_pkb4->num_keys;
1058 pkb4->old_keys = old_pkb4->keys;
1059 pkb4->num_older_keys = old_pkb4->num_old_keys;
1060 pkb4->older_keys = old_pkb4->old_keys;
1065 static int setup_primary_wdigest(struct setup_password_fields_io *io,
1066 const struct supplementalCredentialsBlob *old_scb,
1067 struct package_PrimaryWDigestBlob *pdb)
1069 struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
1070 DATA_BLOB sAMAccountName;
1071 DATA_BLOB sAMAccountName_l;
1072 DATA_BLOB sAMAccountName_u;
1073 const char *user_principal_name = io->u.user_principal_name;
1074 DATA_BLOB userPrincipalName;
1075 DATA_BLOB userPrincipalName_l;
1076 DATA_BLOB userPrincipalName_u;
1077 DATA_BLOB netbios_domain;
1078 DATA_BLOB netbios_domain_l;
1079 DATA_BLOB netbios_domain_u;
1080 DATA_BLOB dns_domain;
1081 DATA_BLOB dns_domain_l;
1082 DATA_BLOB dns_domain_u;
1085 DATA_BLOB backslash;
1094 * http://technet2.microsoft.com/WindowsServer/en/library/717b450c-f4a0-4cc9-86f4-cc0633aae5f91033.mspx?mfr=true
1095 * for what precalculated hashes are supposed to be stored...
1097 * I can't reproduce all values which should contain "Digest" as realm,
1098 * am I doing something wrong or is w2k3 just broken...?
1100 * W2K3 fills in following for a user:
1102 * dn: CN=NewUser,OU=newtop,DC=sub1,DC=w2k3,DC=vmnet1,DC=vm,DC=base
1103 * sAMAccountName: NewUser2Sam
1104 * userPrincipalName: NewUser2Princ@sub1.w2k3.vmnet1.vm.base
1106 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
1107 * b7ec9da91062199aee7d121e6710fe23 => newuser2sam:sub1:TestPwd2007
1108 * 17d290bc5c9f463fac54c37a8cea134d => NEWUSER2SAM:SUB1:TestPwd2007
1109 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
1110 * 5d57e7823938348127322e08cd81bcb5 => NewUser2Sam:sub1:TestPwd2007
1111 * 07dd701bf8a011ece585de3d47237140 => NEWUSER2SAM:sub1:TestPwd2007
1112 * e14fb0eb401498d2cb33c9aae1cc7f37 => newuser2sam:SUB1:TestPwd2007
1113 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
1114 * f52da1266a6bdd290ffd48b2c823dda7 => newuser2sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
1115 * d2b42f171248cec37a3c5c6b55404062 => NEWUSER2SAM:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
1116 * fff8d790ff6c152aaeb6ebe17b4021de => NewUser2Sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
1117 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
1118 * 2a7563c3715bc418d626dabef378c008 => NEWUSER2SAM:sub1.w2k3.vmnet1.vm.base:TestPwd2007
1119 * c8e9557a87cd4200fda0c11d2fa03f96 => newuser2sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
1120 * 221c55284451ae9b3aacaa2a3c86f10f => NewUser2Princ@sub1.w2k3.vmnet1.vm.base::TestPwd2007
1121 * 74e1be668853d4324d38c07e2acfb8ea => (w2k3 has a bug here!) newuser2princ@sub1.w2k3.vmnet1.vm.base::TestPwd2007
1122 * e1e244ab7f098e3ae1761be7f9229bbb => NEWUSER2PRINC@SUB1.W2K3.VMNET1.VM.BASE::TestPwd2007
1123 * 86db637df42513039920e605499c3af6 => SUB1\NewUser2Sam::TestPwd2007
1124 * f5e43474dfaf067fee8197a253debaa2 => sub1\newuser2sam::TestPwd2007
1125 * 2ecaa8382e2518e4b77a52422b279467 => SUB1\NEWUSER2SAM::TestPwd2007
1126 * 31dc704d3640335b2123d4ee28aa1f11 => ??? changes with NewUser2Sam => NewUser1Sam
1127 * 36349f5cecd07320fb3bb0e119230c43 => ??? changes with NewUser2Sam => NewUser1Sam
1128 * 12adf019d037fb535c01fd0608e78d9d => ??? changes with NewUser2Sam => NewUser1Sam
1129 * 6feecf8e724906f3ee1105819c5105a1 => ??? changes with NewUser2Princ => NewUser1Princ
1130 * 6c6911f3de6333422640221b9c51ff1f => ??? changes with NewUser2Princ => NewUser1Princ
1131 * 4b279877e742895f9348ac67a8de2f69 => ??? changes with NewUser2Princ => NewUser1Princ
1132 * db0c6bff069513e3ebb9870d29b57490 => ??? changes with NewUser2Sam => NewUser1Sam
1133 * 45072621e56b1c113a4e04a8ff68cd0e => ??? changes with NewUser2Sam => NewUser1Sam
1134 * 11d1220abc44a9c10cf91ef4a9c1de02 => ??? changes with NewUser2Sam => NewUser1Sam
1136 * dn: CN=NewUser,OU=newtop,DC=sub1,DC=w2k3,DC=vmnet1,DC=vm,DC=base
1137 * sAMAccountName: NewUser2Sam
1139 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
1140 * b7ec9da91062199aee7d121e6710fe23 => newuser2sam:sub1:TestPwd2007
1141 * 17d290bc5c9f463fac54c37a8cea134d => NEWUSER2SAM:SUB1:TestPwd2007
1142 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
1143 * 5d57e7823938348127322e08cd81bcb5 => NewUser2Sam:sub1:TestPwd2007
1144 * 07dd701bf8a011ece585de3d47237140 => NEWUSER2SAM:sub1:TestPwd2007
1145 * e14fb0eb401498d2cb33c9aae1cc7f37 => newuser2sam:SUB1:TestPwd2007
1146 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
1147 * f52da1266a6bdd290ffd48b2c823dda7 => newuser2sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
1148 * d2b42f171248cec37a3c5c6b55404062 => NEWUSER2SAM:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
1149 * fff8d790ff6c152aaeb6ebe17b4021de => NewUser2Sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
1150 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
1151 * 2a7563c3715bc418d626dabef378c008 => NEWUSER2SAM:sub1.w2k3.vmnet1.vm.base:TestPwd2007
1152 * c8e9557a87cd4200fda0c11d2fa03f96 => newuser2sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
1153 * 8a140d30b6f0a5912735dc1e3bc993b4 => NewUser2Sam@sub1.w2k3.vmnet1.vm.base::TestPwd2007
1154 * 86d95b2faae6cae4ec261e7fbaccf093 => (here w2k3 is correct) newuser2sam@sub1.w2k3.vmnet1.vm.base::TestPwd2007
1155 * dfeff1493110220efcdfc6362e5f5450 => NEWUSER2SAM@SUB1.W2K3.VMNET1.VM.BASE::TestPwd2007
1156 * 86db637df42513039920e605499c3af6 => SUB1\NewUser2Sam::TestPwd2007
1157 * f5e43474dfaf067fee8197a253debaa2 => sub1\newuser2sam::TestPwd2007
1158 * 2ecaa8382e2518e4b77a52422b279467 => SUB1\NEWUSER2SAM::TestPwd2007
1159 * 31dc704d3640335b2123d4ee28aa1f11 => ???M1 changes with NewUser2Sam => NewUser1Sam
1160 * 36349f5cecd07320fb3bb0e119230c43 => ???M1.L changes with newuser2sam => newuser1sam
1161 * 12adf019d037fb535c01fd0608e78d9d => ???M1.U changes with NEWUSER2SAM => NEWUSER1SAM
1162 * 569b4533f2d9e580211dd040e5e360a8 => ???M2 changes with NewUser2Princ => NewUser1Princ
1163 * 52528bddf310a587c5d7e6a9ae2cbb20 => ???M2.L changes with newuser2princ => newuser1princ
1164 * 4f629a4f0361289ca4255ab0f658fcd5 => ???M3 changes with NewUser2Princ => NewUser1Princ (doesn't depend on case of userPrincipal )
1165 * db0c6bff069513e3ebb9870d29b57490 => ???M4 changes with NewUser2Sam => NewUser1Sam
1166 * 45072621e56b1c113a4e04a8ff68cd0e => ???M5 changes with NewUser2Sam => NewUser1Sam (doesn't depend on case of sAMAccountName)
1167 * 11d1220abc44a9c10cf91ef4a9c1de02 => ???M4.U changes with NEWUSER2SAM => NEWUSER1SAM
1171 * sAMAccountName, netbios_domain
1174 .user = &sAMAccountName,
1175 .realm = &netbios_domain,
1178 .user = &sAMAccountName_l,
1179 .realm = &netbios_domain_l,
1182 .user = &sAMAccountName_u,
1183 .realm = &netbios_domain_u,
1186 .user = &sAMAccountName,
1187 .realm = &netbios_domain_u,
1190 .user = &sAMAccountName,
1191 .realm = &netbios_domain_l,
1194 .user = &sAMAccountName_u,
1195 .realm = &netbios_domain_l,
1198 .user = &sAMAccountName_l,
1199 .realm = &netbios_domain_u,
1202 * sAMAccountName, dns_domain
1205 .user = &sAMAccountName,
1206 .realm = &dns_domain,
1209 .user = &sAMAccountName_l,
1210 .realm = &dns_domain_l,
1213 .user = &sAMAccountName_u,
1214 .realm = &dns_domain_u,
1217 .user = &sAMAccountName,
1218 .realm = &dns_domain_u,
1221 .user = &sAMAccountName,
1222 .realm = &dns_domain_l,
1225 .user = &sAMAccountName_u,
1226 .realm = &dns_domain_l,
1229 .user = &sAMAccountName_l,
1230 .realm = &dns_domain_u,
1233 * userPrincipalName, no realm
1236 .user = &userPrincipalName,
1240 * NOTE: w2k3 messes this up, if the user has a real userPrincipalName,
1241 * the fallback to the sAMAccountName based userPrincipalName is correct
1243 .user = &userPrincipalName_l,
1246 .user = &userPrincipalName_u,
1249 * nt4dom\sAMAccountName, no realm
1252 .user = &sAMAccountName,
1253 .nt4dom = &netbios_domain
1256 .user = &sAMAccountName_l,
1257 .nt4dom = &netbios_domain_l
1260 .user = &sAMAccountName_u,
1261 .nt4dom = &netbios_domain_u
1265 * the following ones are guessed depending on the technet2 article
1266 * but not reproducable on a w2k3 server
1268 /* sAMAccountName with "Digest" realm */
1270 .user = &sAMAccountName,
1274 .user = &sAMAccountName_l,
1278 .user = &sAMAccountName_u,
1281 /* userPrincipalName with "Digest" realm */
1283 .user = &userPrincipalName,
1287 .user = &userPrincipalName_l,
1291 .user = &userPrincipalName_u,
1294 /* nt4dom\\sAMAccountName with "Digest" realm */
1296 .user = &sAMAccountName,
1297 .nt4dom = &netbios_domain,
1301 .user = &sAMAccountName_l,
1302 .nt4dom = &netbios_domain_l,
1306 .user = &sAMAccountName_u,
1307 .nt4dom = &netbios_domain_u,
1312 /* prepare DATA_BLOB's used in the combinations array */
1313 sAMAccountName = data_blob_string_const(io->u.sAMAccountName);
1314 sAMAccountName_l = data_blob_string_const(strlower_talloc(io->ac, io->u.sAMAccountName));
1315 if (!sAMAccountName_l.data) {
1316 return ldb_oom(ldb);
1318 sAMAccountName_u = data_blob_string_const(strupper_talloc(io->ac, io->u.sAMAccountName));
1319 if (!sAMAccountName_u.data) {
1320 return ldb_oom(ldb);
1323 /* if the user doesn't have a userPrincipalName, create one (with lower case realm) */
1324 if (!user_principal_name) {
1325 user_principal_name = talloc_asprintf(io->ac, "%s@%s",
1326 io->u.sAMAccountName,
1327 io->ac->status->domain_data.dns_domain);
1328 if (!user_principal_name) {
1329 return ldb_oom(ldb);
1332 userPrincipalName = data_blob_string_const(user_principal_name);
1333 userPrincipalName_l = data_blob_string_const(strlower_talloc(io->ac, user_principal_name));
1334 if (!userPrincipalName_l.data) {
1335 return ldb_oom(ldb);
1337 userPrincipalName_u = data_blob_string_const(strupper_talloc(io->ac, user_principal_name));
1338 if (!userPrincipalName_u.data) {
1339 return ldb_oom(ldb);
1342 netbios_domain = data_blob_string_const(io->ac->status->domain_data.netbios_domain);
1343 netbios_domain_l = data_blob_string_const(strlower_talloc(io->ac,
1344 io->ac->status->domain_data.netbios_domain));
1345 if (!netbios_domain_l.data) {
1346 return ldb_oom(ldb);
1348 netbios_domain_u = data_blob_string_const(strupper_talloc(io->ac,
1349 io->ac->status->domain_data.netbios_domain));
1350 if (!netbios_domain_u.data) {
1351 return ldb_oom(ldb);
1354 dns_domain = data_blob_string_const(io->ac->status->domain_data.dns_domain);
1355 dns_domain_l = data_blob_string_const(io->ac->status->domain_data.dns_domain);
1356 dns_domain_u = data_blob_string_const(io->ac->status->domain_data.realm);
1358 digest = data_blob_string_const("Digest");
1360 delim = data_blob_string_const(":");
1361 backslash = data_blob_string_const("\\");
1363 pdb->num_hashes = ARRAY_SIZE(wdigest);
1364 pdb->hashes = talloc_array(io->ac, struct package_PrimaryWDigestHash,
1367 return ldb_oom(ldb);
1370 for (i=0; i < ARRAY_SIZE(wdigest); i++) {
1371 struct MD5Context md5;
1373 if (wdigest[i].nt4dom) {
1374 MD5Update(&md5, wdigest[i].nt4dom->data, wdigest[i].nt4dom->length);
1375 MD5Update(&md5, backslash.data, backslash.length);
1377 MD5Update(&md5, wdigest[i].user->data, wdigest[i].user->length);
1378 MD5Update(&md5, delim.data, delim.length);
1379 if (wdigest[i].realm) {
1380 MD5Update(&md5, wdigest[i].realm->data, wdigest[i].realm->length);
1382 MD5Update(&md5, delim.data, delim.length);
1383 MD5Update(&md5, io->n.cleartext_utf8->data, io->n.cleartext_utf8->length);
1384 MD5Final(pdb->hashes[i].hash, &md5);
1390 static int setup_supplemental_field(struct setup_password_fields_io *io)
1392 struct ldb_context *ldb;
1393 struct supplementalCredentialsBlob scb;
1394 struct supplementalCredentialsBlob _old_scb;
1395 struct supplementalCredentialsBlob *old_scb = NULL;
1396 /* Packages + (Kerberos-Newer-Keys, Kerberos, WDigest and CLEARTEXT) */
1397 uint32_t num_names = 0;
1398 const char *names[1+4];
1399 uint32_t num_packages = 0;
1400 struct supplementalCredentialsPackage packages[1+4];
1402 struct supplementalCredentialsPackage *pp = NULL;
1403 struct package_PackagesBlob pb;
1406 /* Primary:Kerberos-Newer-Keys */
1407 const char **nkn = NULL;
1408 struct supplementalCredentialsPackage *pkn = NULL;
1409 struct package_PrimaryKerberosBlob pknb;
1410 DATA_BLOB pknb_blob;
1412 /* Primary:Kerberos */
1413 const char **nk = NULL;
1414 struct supplementalCredentialsPackage *pk = NULL;
1415 struct package_PrimaryKerberosBlob pkb;
1418 /* Primary:WDigest */
1419 const char **nd = NULL;
1420 struct supplementalCredentialsPackage *pd = NULL;
1421 struct package_PrimaryWDigestBlob pdb;
1424 /* Primary:CLEARTEXT */
1425 const char **nc = NULL;
1426 struct supplementalCredentialsPackage *pc = NULL;
1427 struct package_PrimaryCLEARTEXTBlob pcb;
1431 enum ndr_err_code ndr_err;
1433 bool do_newer_keys = false;
1434 bool do_cleartext = false;
1436 ZERO_STRUCT(zero16);
1439 ldb = ldb_module_get_ctx(io->ac->module);
1441 if (!io->n.cleartext_utf8) {
1443 * when we don't have a cleartext password
1444 * we can't setup a supplementalCredential value
1449 /* if there's an old supplementaCredentials blob then parse it */
1450 if (io->o.supplemental) {
1451 ndr_err = ndr_pull_struct_blob_all(io->o.supplemental, io->ac,
1453 (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
1454 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1455 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1456 ldb_asprintf_errstring(ldb,
1457 "setup_supplemental_field: "
1458 "failed to pull old supplementalCredentialsBlob: %s",
1460 return LDB_ERR_OPERATIONS_ERROR;
1463 if (_old_scb.sub.signature == SUPPLEMENTAL_CREDENTIALS_SIGNATURE) {
1464 old_scb = &_old_scb;
1466 ldb_debug(ldb, LDB_DEBUG_ERROR,
1467 "setup_supplemental_field: "
1468 "supplementalCredentialsBlob signature[0x%04X] expected[0x%04X]",
1469 _old_scb.sub.signature, SUPPLEMENTAL_CREDENTIALS_SIGNATURE);
1472 /* Per MS-SAMR 3.1.1.8.11.6 we create AES keys if our domain functionality level is 2008 or higher */
1473 do_newer_keys = (dsdb_functional_level(ldb) >= DS_DOMAIN_FUNCTION_2008);
1475 if (io->ac->status->domain_data.store_cleartext &&
1476 (io->u.userAccountControl & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
1477 do_cleartext = true;
1481 * The ordering is this
1483 * Primary:Kerberos-Newer-Keys (optional)
1486 * Primary:CLEARTEXT (optional)
1488 * And the 'Packages' package is insert before the last
1491 if (do_newer_keys) {
1492 /* Primary:Kerberos-Newer-Keys */
1493 nkn = &names[num_names++];
1494 pkn = &packages[num_packages++];
1497 /* Primary:Kerberos */
1498 nk = &names[num_names++];
1499 pk = &packages[num_packages++];
1501 if (!do_cleartext) {
1503 pp = &packages[num_packages++];
1506 /* Primary:WDigest */
1507 nd = &names[num_names++];
1508 pd = &packages[num_packages++];
1512 pp = &packages[num_packages++];
1514 /* Primary:CLEARTEXT */
1515 nc = &names[num_names++];
1516 pc = &packages[num_packages++];
1521 * setup 'Primary:Kerberos-Newer-Keys' element
1523 *nkn = "Kerberos-Newer-Keys";
1525 ret = setup_primary_kerberos_newer(io, old_scb, &pknb);
1526 if (ret != LDB_SUCCESS) {
1530 ndr_err = ndr_push_struct_blob(&pknb_blob, io->ac,
1532 (ndr_push_flags_fn_t)ndr_push_package_PrimaryKerberosBlob);
1533 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1534 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1535 ldb_asprintf_errstring(ldb,
1536 "setup_supplemental_field: "
1537 "failed to push package_PrimaryKerberosNeverBlob: %s",
1539 return LDB_ERR_OPERATIONS_ERROR;
1541 pknb_hexstr = data_blob_hex_string_upper(io->ac, &pknb_blob);
1543 return ldb_oom(ldb);
1545 pkn->name = "Primary:Kerberos-Newer-Keys";
1547 pkn->data = pknb_hexstr;
1551 * setup 'Primary:Kerberos' element
1555 ret = setup_primary_kerberos(io, old_scb, &pkb);
1556 if (ret != LDB_SUCCESS) {
1560 ndr_err = ndr_push_struct_blob(&pkb_blob, io->ac,
1562 (ndr_push_flags_fn_t)ndr_push_package_PrimaryKerberosBlob);
1563 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1564 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1565 ldb_asprintf_errstring(ldb,
1566 "setup_supplemental_field: "
1567 "failed to push package_PrimaryKerberosBlob: %s",
1569 return LDB_ERR_OPERATIONS_ERROR;
1571 pkb_hexstr = data_blob_hex_string_upper(io->ac, &pkb_blob);
1573 return ldb_oom(ldb);
1575 pk->name = "Primary:Kerberos";
1577 pk->data = pkb_hexstr;
1580 * setup 'Primary:WDigest' element
1584 ret = setup_primary_wdigest(io, old_scb, &pdb);
1585 if (ret != LDB_SUCCESS) {
1589 ndr_err = ndr_push_struct_blob(&pdb_blob, io->ac,
1591 (ndr_push_flags_fn_t)ndr_push_package_PrimaryWDigestBlob);
1592 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1593 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1594 ldb_asprintf_errstring(ldb,
1595 "setup_supplemental_field: "
1596 "failed to push package_PrimaryWDigestBlob: %s",
1598 return LDB_ERR_OPERATIONS_ERROR;
1600 pdb_hexstr = data_blob_hex_string_upper(io->ac, &pdb_blob);
1602 return ldb_oom(ldb);
1604 pd->name = "Primary:WDigest";
1606 pd->data = pdb_hexstr;
1609 * setup 'Primary:CLEARTEXT' element
1614 pcb.cleartext = *io->n.cleartext_utf16;
1616 ndr_err = ndr_push_struct_blob(&pcb_blob, io->ac,
1618 (ndr_push_flags_fn_t)ndr_push_package_PrimaryCLEARTEXTBlob);
1619 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1620 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1621 ldb_asprintf_errstring(ldb,
1622 "setup_supplemental_field: "
1623 "failed to push package_PrimaryCLEARTEXTBlob: %s",
1625 return LDB_ERR_OPERATIONS_ERROR;
1627 pcb_hexstr = data_blob_hex_string_upper(io->ac, &pcb_blob);
1629 return ldb_oom(ldb);
1631 pc->name = "Primary:CLEARTEXT";
1633 pc->data = pcb_hexstr;
1637 * setup 'Packages' element
1640 ndr_err = ndr_push_struct_blob(&pb_blob, io->ac,
1642 (ndr_push_flags_fn_t)ndr_push_package_PackagesBlob);
1643 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1644 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1645 ldb_asprintf_errstring(ldb,
1646 "setup_supplemental_field: "
1647 "failed to push package_PackagesBlob: %s",
1649 return LDB_ERR_OPERATIONS_ERROR;
1651 pb_hexstr = data_blob_hex_string_upper(io->ac, &pb_blob);
1653 return ldb_oom(ldb);
1655 pp->name = "Packages";
1657 pp->data = pb_hexstr;
1660 * setup 'supplementalCredentials' value
1663 scb.sub.num_packages = num_packages;
1664 scb.sub.packages = packages;
1666 ndr_err = ndr_push_struct_blob(&io->g.supplemental, io->ac,
1668 (ndr_push_flags_fn_t)ndr_push_supplementalCredentialsBlob);
1669 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1670 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1671 ldb_asprintf_errstring(ldb,
1672 "setup_supplemental_field: "
1673 "failed to push supplementalCredentialsBlob: %s",
1675 return LDB_ERR_OPERATIONS_ERROR;
1681 static int setup_last_set_field(struct setup_password_fields_io *io)
1683 const struct ldb_message *msg = NULL;
1685 switch (io->ac->req->operation) {
1687 msg = io->ac->req->op.add.message;
1690 msg = io->ac->req->op.mod.message;
1693 return LDB_ERR_OPERATIONS_ERROR;
1697 if (io->ac->pwd_last_set_bypass) {
1698 struct ldb_message_element *el;
1701 return LDB_ERR_CONSTRAINT_VIOLATION;
1704 el = ldb_msg_find_element(msg, "pwdLastSet");
1706 return LDB_ERR_CONSTRAINT_VIOLATION;
1709 io->g.last_set = samdb_result_nttime(msg, "pwdLastSet", 0);
1714 unix_to_nt_time(&io->g.last_set, time(NULL));
1719 static int setup_given_passwords(struct setup_password_fields_io *io,
1720 struct setup_password_fields_given *g)
1722 struct ldb_context *ldb;
1725 ldb = ldb_module_get_ctx(io->ac->module);
1727 if (g->cleartext_utf8) {
1728 struct ldb_val *cleartext_utf16_blob;
1730 cleartext_utf16_blob = talloc(io->ac, struct ldb_val);
1731 if (!cleartext_utf16_blob) {
1732 return ldb_oom(ldb);
1734 if (!convert_string_talloc(io->ac,
1736 g->cleartext_utf8->data,
1737 g->cleartext_utf8->length,
1738 (void *)&cleartext_utf16_blob->data,
1739 &cleartext_utf16_blob->length)) {
1740 if (g->cleartext_utf8->length != 0) {
1741 talloc_free(cleartext_utf16_blob);
1742 ldb_asprintf_errstring(ldb,
1743 "setup_password_fields: "
1744 "failed to generate UTF16 password from cleartext UTF8 one for user '%s'!",
1745 io->u.sAMAccountName);
1746 return LDB_ERR_CONSTRAINT_VIOLATION;
1748 /* passwords with length "0" are valid! */
1749 cleartext_utf16_blob->data = NULL;
1750 cleartext_utf16_blob->length = 0;
1753 g->cleartext_utf16 = cleartext_utf16_blob;
1754 } else if (g->cleartext_utf16) {
1755 struct ldb_val *cleartext_utf8_blob;
1757 cleartext_utf8_blob = talloc(io->ac, struct ldb_val);
1758 if (!cleartext_utf8_blob) {
1759 return ldb_oom(ldb);
1761 if (!convert_string_talloc(io->ac,
1762 CH_UTF16MUNGED, CH_UTF8,
1763 g->cleartext_utf16->data,
1764 g->cleartext_utf16->length,
1765 (void *)&cleartext_utf8_blob->data,
1766 &cleartext_utf8_blob->length)) {
1767 if (g->cleartext_utf16->length != 0) {
1768 /* We must bail out here, the input wasn't even
1769 * a multiple of 2 bytes */
1770 talloc_free(cleartext_utf8_blob);
1771 ldb_asprintf_errstring(ldb,
1772 "setup_password_fields: "
1773 "failed to generate UTF8 password from cleartext UTF 16 one for user '%s' - the latter had odd length (length must be a multiple of 2)!",
1774 io->u.sAMAccountName);
1775 return LDB_ERR_CONSTRAINT_VIOLATION;
1777 /* passwords with length "0" are valid! */
1778 cleartext_utf8_blob->data = NULL;
1779 cleartext_utf8_blob->length = 0;
1782 g->cleartext_utf8 = cleartext_utf8_blob;
1785 if (g->cleartext_utf16) {
1786 struct samr_Password *nt_hash;
1788 nt_hash = talloc(io->ac, struct samr_Password);
1790 return ldb_oom(ldb);
1792 g->nt_hash = nt_hash;
1794 /* compute the new nt hash */
1795 mdfour(nt_hash->hash,
1796 g->cleartext_utf16->data,
1797 g->cleartext_utf16->length);
1800 if (g->cleartext_utf8) {
1801 struct samr_Password *lm_hash;
1803 lm_hash = talloc(io->ac, struct samr_Password);
1805 return ldb_oom(ldb);
1808 /* compute the new lm hash */
1809 ok = E_deshash((char *)g->cleartext_utf8->data, lm_hash->hash);
1811 g->lm_hash = lm_hash;
1813 talloc_free(lm_hash);
1820 static int setup_password_fields(struct setup_password_fields_io *io)
1822 struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
1823 struct loadparm_context *lp_ctx =
1824 lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
1825 struct loadparm_context);
1828 /* transform the old password (for password changes) */
1829 ret = setup_given_passwords(io, &io->og);
1830 if (ret != LDB_SUCCESS) {
1834 /* transform the new password */
1835 ret = setup_given_passwords(io, &io->n);
1836 if (ret != LDB_SUCCESS) {
1840 if (io->n.cleartext_utf8) {
1841 ret = setup_kerberos_keys(io);
1842 if (ret != LDB_SUCCESS) {
1847 ret = setup_nt_fields(io);
1848 if (ret != LDB_SUCCESS) {
1852 if (lpcfg_lanman_auth(lp_ctx)) {
1853 ret = setup_lm_fields(io);
1854 if (ret != LDB_SUCCESS) {
1858 io->g.lm_hash = NULL;
1859 io->g.lm_history_len = 0;
1862 ret = setup_supplemental_field(io);
1863 if (ret != LDB_SUCCESS) {
1867 ret = setup_last_set_field(io);
1868 if (ret != LDB_SUCCESS) {
1875 static int check_password_restrictions(struct setup_password_fields_io *io)
1877 struct ldb_context *ldb;
1879 enum samr_ValidationStatus stat;
1881 ldb = ldb_module_get_ctx(io->ac->module);
1883 /* First check the old password is correct, for password changes */
1884 if (!io->ac->pwd_reset) {
1885 bool nt_hash_checked = false;
1887 /* we need the old nt or lm hash given by the client */
1888 if (!io->og.nt_hash && !io->og.lm_hash) {
1889 ldb_asprintf_errstring(ldb,
1890 "check_password_restrictions: "
1891 "You need to provide the old password in order "
1893 return LDB_ERR_UNWILLING_TO_PERFORM;
1896 /* The password modify through the NT hash is encouraged and
1897 has no problems at all */
1898 if (io->og.nt_hash) {
1899 if (!io->o.nt_hash) {
1900 ret = LDB_ERR_CONSTRAINT_VIOLATION;
1901 ldb_asprintf_errstring(ldb,
1902 "%08X: %s - check_password_restrictions: "
1903 "There's no old nt_hash, which is needed "
1904 "in order to change your password!",
1905 W_ERROR_V(WERR_INVALID_PASSWORD),
1910 if (memcmp(io->og.nt_hash->hash, io->o.nt_hash->hash, 16) != 0) {
1911 ret = LDB_ERR_CONSTRAINT_VIOLATION;
1912 ldb_asprintf_errstring(ldb,
1913 "%08X: %s - check_password_restrictions: "
1914 "The old password specified doesn't match!",
1915 W_ERROR_V(WERR_INVALID_PASSWORD),
1920 nt_hash_checked = true;
1923 /* But it is also possible to change a password by the LM hash
1924 * alone for compatibility reasons. This check is optional if
1925 * the NT hash was already checked - otherwise it's mandatory.
1926 * (as the SAMR operations request it). */
1927 if (io->og.lm_hash) {
1928 if (!io->o.lm_hash && !nt_hash_checked) {
1929 ret = LDB_ERR_CONSTRAINT_VIOLATION;
1930 ldb_asprintf_errstring(ldb,
1931 "%08X: %s - check_password_restrictions: "
1932 "There's no old lm_hash, which is needed "
1933 "in order to change your password!",
1934 W_ERROR_V(WERR_INVALID_PASSWORD),
1939 if (io->o.lm_hash &&
1940 memcmp(io->og.lm_hash->hash, io->o.lm_hash->hash, 16) != 0) {
1941 ret = LDB_ERR_CONSTRAINT_VIOLATION;
1942 ldb_asprintf_errstring(ldb,
1943 "%08X: %s - check_password_restrictions: "
1944 "The old password specified doesn't match!",
1945 W_ERROR_V(WERR_INVALID_PASSWORD),
1952 if (io->u.restrictions == 0) {
1953 /* FIXME: Is this right? */
1958 * Fundamental password checks done by the call
1959 * "samdb_check_password".
1960 * It is also in use by "dcesrv_samr_ValidatePassword".
1962 if (io->n.cleartext_utf8 != NULL) {
1963 stat = samdb_check_password(io->n.cleartext_utf8,
1964 io->ac->status->domain_data.pwdProperties,
1965 io->ac->status->domain_data.minPwdLength);
1967 case SAMR_VALIDATION_STATUS_SUCCESS:
1968 /* perfect -> proceed! */
1971 case SAMR_VALIDATION_STATUS_PWD_TOO_SHORT:
1972 ret = LDB_ERR_CONSTRAINT_VIOLATION;
1973 ldb_asprintf_errstring(ldb,
1974 "%08X: %s - check_password_restrictions: "
1975 "the password is too short. It should be equal or longer than %u characters!",
1976 W_ERROR_V(WERR_PASSWORD_RESTRICTION),
1978 io->ac->status->domain_data.minPwdLength);
1979 io->ac->status->reject_reason = SAM_PWD_CHANGE_PASSWORD_TOO_SHORT;
1982 case SAMR_VALIDATION_STATUS_NOT_COMPLEX_ENOUGH:
1983 ret = LDB_ERR_CONSTRAINT_VIOLATION;
1984 ldb_asprintf_errstring(ldb,
1985 "%08X: %s - check_password_restrictions: "
1986 "the password does not meet the complexity criteria!",
1987 W_ERROR_V(WERR_PASSWORD_RESTRICTION),
1989 io->ac->status->reject_reason = SAM_PWD_CHANGE_NOT_COMPLEX;
1993 ret = LDB_ERR_CONSTRAINT_VIOLATION;
1994 ldb_asprintf_errstring(ldb,
1995 "%08X: %s - check_password_restrictions: "
1996 "the password doesn't fit by a certain reason!",
1997 W_ERROR_V(WERR_PASSWORD_RESTRICTION),
2003 if (io->ac->pwd_reset) {
2007 if (io->n.nt_hash) {
2010 /* checks the NT hash password history */
2011 for (i = 0; i < io->o.nt_history_len; i++) {
2012 ret = memcmp(io->n.nt_hash, io->o.nt_history[i].hash, 16);
2014 ret = LDB_ERR_CONSTRAINT_VIOLATION;
2015 ldb_asprintf_errstring(ldb,
2016 "%08X: %s - check_password_restrictions: "
2017 "the password was already used (in history)!",
2018 W_ERROR_V(WERR_PASSWORD_RESTRICTION),
2020 io->ac->status->reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY;
2026 if (io->n.lm_hash) {
2029 /* checks the LM hash password history */
2030 for (i = 0; i < io->o.lm_history_len; i++) {
2031 ret = memcmp(io->n.nt_hash, io->o.lm_history[i].hash, 16);
2033 ret = LDB_ERR_CONSTRAINT_VIOLATION;
2034 ldb_asprintf_errstring(ldb,
2035 "%08X: %s - check_password_restrictions: "
2036 "the password was already used (in history)!",
2037 W_ERROR_V(WERR_PASSWORD_RESTRICTION),
2039 io->ac->status->reject_reason = SAM_PWD_CHANGE_PWD_IN_HISTORY;
2045 /* are all password changes disallowed? */
2046 if (io->ac->status->domain_data.pwdProperties & DOMAIN_REFUSE_PASSWORD_CHANGE) {
2047 ret = LDB_ERR_CONSTRAINT_VIOLATION;
2048 ldb_asprintf_errstring(ldb,
2049 "%08X: %s - check_password_restrictions: "
2050 "password changes disabled!",
2051 W_ERROR_V(WERR_PASSWORD_RESTRICTION),
2056 /* can this user change the password? */
2057 if (io->u.userAccountControl & UF_PASSWD_CANT_CHANGE) {
2058 ret = LDB_ERR_CONSTRAINT_VIOLATION;
2059 ldb_asprintf_errstring(ldb,
2060 "%08X: %s - check_password_restrictions: "
2061 "password can't be changed on this account!",
2062 W_ERROR_V(WERR_PASSWORD_RESTRICTION),
2067 /* Password minimum age: yes, this is a minus. The ages are in negative 100nsec units! */
2068 if (io->u.pwdLastSet - io->ac->status->domain_data.minPwdAge > io->g.last_set) {
2069 ret = LDB_ERR_CONSTRAINT_VIOLATION;
2070 ldb_asprintf_errstring(ldb,
2071 "%08X: %s - check_password_restrictions: "
2072 "password is too young to change!",
2073 W_ERROR_V(WERR_PASSWORD_RESTRICTION),
2082 * This is intended for use by the "password_hash" module since there
2083 * password changes can be specified through one message element with the
2084 * new password (to set) and another one with the old password (to unset).
2086 * The first which sets a password (new value) can have flags
2087 * (LDB_FLAG_MOD_ADD, LDB_FLAG_MOD_REPLACE) but also none (on "add" operations
2088 * for entries). The latter (old value) has always specified
2089 * LDB_FLAG_MOD_DELETE.
2091 * Returns LDB_ERR_CONSTRAINT_VIOLATION and LDB_ERR_UNWILLING_TO_PERFORM if
2092 * matching message elements are malformed in respect to the set/change rules.
2093 * Otherwise it returns LDB_SUCCESS.
2095 static int msg_find_old_and_new_pwd_val(const struct ldb_message *msg,
2097 enum ldb_request_type operation,
2098 const struct ldb_val **new_val,
2099 const struct ldb_val **old_val)
2110 for (i = 0; i < msg->num_elements; i++) {
2111 if (ldb_attr_cmp(msg->elements[i].name, name) != 0) {
2115 if ((operation == LDB_MODIFY) &&
2116 (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) == LDB_FLAG_MOD_DELETE)) {
2117 /* 0 values are allowed */
2118 if (msg->elements[i].num_values == 1) {
2119 *old_val = &msg->elements[i].values[0];
2120 } else if (msg->elements[i].num_values > 1) {
2121 return LDB_ERR_CONSTRAINT_VIOLATION;
2123 } else if ((operation == LDB_MODIFY) &&
2124 (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) == LDB_FLAG_MOD_REPLACE)) {
2125 if (msg->elements[i].num_values > 0) {
2126 *new_val = &msg->elements[i].values[msg->elements[i].num_values - 1];
2128 return LDB_ERR_UNWILLING_TO_PERFORM;
2131 /* Add operations and LDB_FLAG_MOD_ADD */
2132 if (msg->elements[i].num_values > 0) {
2133 *new_val = &msg->elements[i].values[msg->elements[i].num_values - 1];
2135 return LDB_ERR_CONSTRAINT_VIOLATION;
2143 static int setup_io(struct ph_context *ac,
2144 const struct ldb_message *orig_msg,
2145 const struct ldb_message *searched_msg,
2146 struct setup_password_fields_io *io)
2148 const struct ldb_val *quoted_utf16, *old_quoted_utf16, *lm_hash, *old_lm_hash;
2149 struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
2150 struct loadparm_context *lp_ctx =
2151 lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
2152 struct loadparm_context);
2157 /* Some operations below require kerberos contexts */
2159 if (smb_krb5_init_context(ac,
2160 ldb_get_event_context(ldb),
2161 (struct loadparm_context *)ldb_get_opaque(ldb, "loadparm"),
2162 &io->smb_krb5_context) != 0) {
2163 return ldb_operr(ldb);
2168 io->u.userAccountControl = ldb_msg_find_attr_as_uint(searched_msg,
2169 "userAccountControl", 0);
2170 io->u.pwdLastSet = samdb_result_nttime(searched_msg, "pwdLastSet", 0);
2171 io->u.sAMAccountName = ldb_msg_find_attr_as_string(searched_msg,
2172 "sAMAccountName", NULL);
2173 io->u.user_principal_name = ldb_msg_find_attr_as_string(searched_msg,
2174 "userPrincipalName", NULL);
2175 io->u.is_computer = ldb_msg_check_string_attribute(searched_msg, "objectClass", "computer");
2177 if (io->u.sAMAccountName == NULL) {
2178 ldb_asprintf_errstring(ldb,
2179 "setup_io: sAMAccountName attribute is missing on %s for attempted password set/change",
2180 ldb_dn_get_linearized(searched_msg->dn));
2182 return LDB_ERR_CONSTRAINT_VIOLATION;
2185 /* Only non-trust accounts have restrictions (possibly this test is the
2186 * wrong way around, but we like to be restrictive if possible */
2187 io->u.restrictions = !(io->u.userAccountControl
2188 & (UF_INTERDOMAIN_TRUST_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT
2189 | UF_SERVER_TRUST_ACCOUNT));
2191 if ((io->u.userAccountControl & UF_PASSWD_NOTREQD) != 0) {
2192 /* see [MS-ADTS] 2.2.15 */
2193 io->u.restrictions = 0;
2196 if (ac->userPassword) {
2197 ret = msg_find_old_and_new_pwd_val(orig_msg, "userPassword",
2199 &io->n.cleartext_utf8,
2200 &io->og.cleartext_utf8);
2201 if (ret != LDB_SUCCESS) {
2202 ldb_asprintf_errstring(ldb,
2204 "it's only allowed to set the old password once!");
2209 ret = msg_find_old_and_new_pwd_val(orig_msg, "clearTextPassword",
2211 &io->n.cleartext_utf16,
2212 &io->og.cleartext_utf16);
2213 if (ret != LDB_SUCCESS) {
2214 ldb_asprintf_errstring(ldb,
2216 "it's only allowed to set the old password once!");
2220 /* this rather strange looking piece of code is there to
2221 handle a ldap client setting a password remotely using the
2222 unicodePwd ldap field. The syntax is that the password is
2223 in UTF-16LE, with a " at either end. Unfortunately the
2224 unicodePwd field is also used to store the nt hashes
2225 internally in Samba, and is used in the nt hash format on
2226 the wire in DRS replication, so we have a single name for
2227 two distinct values. The code below leaves us with a small
2228 chance (less than 1 in 2^32) of a mixup, if someone manages
2229 to create a MD4 hash which starts and ends in 0x22 0x00, as
2230 that would then be treated as a UTF16 password rather than
2233 ret = msg_find_old_and_new_pwd_val(orig_msg, "unicodePwd",
2237 if (ret != LDB_SUCCESS) {
2238 ldb_asprintf_errstring(ldb,
2240 "it's only allowed to set the old password once!");
2244 /* Checks and converts the actual "unicodePwd" attribute */
2245 if (!ac->hash_values &&
2247 quoted_utf16->length >= 4 &&
2248 quoted_utf16->data[0] == '"' &&
2249 quoted_utf16->data[1] == 0 &&
2250 quoted_utf16->data[quoted_utf16->length-2] == '"' &&
2251 quoted_utf16->data[quoted_utf16->length-1] == 0) {
2252 struct ldb_val *quoted_utf16_2;
2254 if (io->n.cleartext_utf16) {
2255 /* refuse the change if someone wants to change with
2256 with both UTF16 possibilities at the same time... */
2257 ldb_asprintf_errstring(ldb,
2259 "it's only allowed to set the cleartext password as 'unicodePwd' or as 'clearTextPassword'");
2260 return LDB_ERR_UNWILLING_TO_PERFORM;
2264 * adapt the quoted UTF16 string to be a real
2267 quoted_utf16_2 = talloc(io->ac, struct ldb_val);
2268 if (quoted_utf16_2 == NULL) {
2269 return ldb_oom(ldb);
2272 quoted_utf16_2->data = quoted_utf16->data + 2;
2273 quoted_utf16_2->length = quoted_utf16->length-4;
2274 io->n.cleartext_utf16 = quoted_utf16_2;
2275 io->n.nt_hash = NULL;
2277 } else if (quoted_utf16) {
2278 /* We have only the hash available -> so no plaintext here */
2279 if (!ac->hash_values) {
2280 /* refuse the change if someone wants to change
2281 the hash without control specified... */
2282 ldb_asprintf_errstring(ldb,
2284 "it's not allowed to set the NT hash password directly'");
2285 /* this looks odd but this is what Windows does:
2286 returns "UNWILLING_TO_PERFORM" on wrong
2287 password sets and "CONSTRAINT_VIOLATION" on
2288 wrong password changes. */
2289 if (old_quoted_utf16 == NULL) {
2290 return LDB_ERR_UNWILLING_TO_PERFORM;
2293 return LDB_ERR_CONSTRAINT_VIOLATION;
2296 io->n.nt_hash = talloc(io->ac, struct samr_Password);
2297 memcpy(io->n.nt_hash->hash, quoted_utf16->data,
2298 MIN(quoted_utf16->length, sizeof(io->n.nt_hash->hash)));
2301 /* Checks and converts the previous "unicodePwd" attribute */
2302 if (!ac->hash_values &&
2304 old_quoted_utf16->length >= 4 &&
2305 old_quoted_utf16->data[0] == '"' &&
2306 old_quoted_utf16->data[1] == 0 &&
2307 old_quoted_utf16->data[old_quoted_utf16->length-2] == '"' &&
2308 old_quoted_utf16->data[old_quoted_utf16->length-1] == 0) {
2309 struct ldb_val *old_quoted_utf16_2;
2311 if (io->og.cleartext_utf16) {
2312 /* refuse the change if someone wants to change with
2313 both UTF16 possibilities at the same time... */
2314 ldb_asprintf_errstring(ldb,
2316 "it's only allowed to set the cleartext password as 'unicodePwd' or as 'clearTextPassword'");
2317 return LDB_ERR_UNWILLING_TO_PERFORM;
2321 * adapt the quoted UTF16 string to be a real
2324 old_quoted_utf16_2 = talloc(io->ac, struct ldb_val);
2325 if (old_quoted_utf16_2 == NULL) {
2326 return ldb_oom(ldb);
2329 old_quoted_utf16_2->data = old_quoted_utf16->data + 2;
2330 old_quoted_utf16_2->length = old_quoted_utf16->length-4;
2332 io->og.cleartext_utf16 = old_quoted_utf16_2;
2333 io->og.nt_hash = NULL;
2334 } else if (old_quoted_utf16) {
2335 /* We have only the hash available -> so no plaintext here */
2336 if (!ac->hash_values) {
2337 /* refuse the change if someone wants to change
2338 the hash without control specified... */
2339 ldb_asprintf_errstring(ldb,
2341 "it's not allowed to set the NT hash password directly'");
2342 return LDB_ERR_UNWILLING_TO_PERFORM;
2345 io->og.nt_hash = talloc(io->ac, struct samr_Password);
2346 memcpy(io->og.nt_hash->hash, old_quoted_utf16->data,
2347 MIN(old_quoted_utf16->length, sizeof(io->og.nt_hash->hash)));
2350 /* Handles the "dBCSPwd" attribute (LM hash) */
2351 io->n.lm_hash = NULL; io->og.lm_hash = NULL;
2352 ret = msg_find_old_and_new_pwd_val(orig_msg, "dBCSPwd",
2354 &lm_hash, &old_lm_hash);
2355 if (ret != LDB_SUCCESS) {
2356 ldb_asprintf_errstring(ldb,
2358 "it's only allowed to set the old password once!");
2362 if (((lm_hash != NULL) || (old_lm_hash != NULL)) && (!ac->hash_values)) {
2363 /* refuse the change if someone wants to change the hash
2364 without control specified... */
2365 ldb_asprintf_errstring(ldb,
2367 "it's not allowed to set the LM hash password directly'");
2368 return LDB_ERR_UNWILLING_TO_PERFORM;
2371 if (lpcfg_lanman_auth(lp_ctx) && (lm_hash != NULL)) {
2372 io->n.lm_hash = talloc(io->ac, struct samr_Password);
2373 memcpy(io->n.lm_hash->hash, lm_hash->data, MIN(lm_hash->length,
2374 sizeof(io->n.lm_hash->hash)));
2376 if (lpcfg_lanman_auth(lp_ctx) && (old_lm_hash != NULL)) {
2377 io->og.lm_hash = talloc(io->ac, struct samr_Password);
2378 memcpy(io->og.lm_hash->hash, old_lm_hash->data, MIN(old_lm_hash->length,
2379 sizeof(io->og.lm_hash->hash)));
2383 * Handles the password change control if it's specified. It has the
2384 * precedance and overrides already specified old password values of
2385 * change requests (but that shouldn't happen since the control is
2386 * fully internal and only used in conjunction with replace requests!).
2388 if (ac->change != NULL) {
2389 io->og.nt_hash = NULL;
2390 if (ac->change->old_nt_pwd_hash != NULL) {
2391 io->og.nt_hash = talloc_memdup(io->ac,
2392 ac->change->old_nt_pwd_hash,
2393 sizeof(struct samr_Password));
2395 io->og.lm_hash = NULL;
2396 if (lpcfg_lanman_auth(lp_ctx) && (ac->change->old_lm_pwd_hash != NULL)) {
2397 io->og.lm_hash = talloc_memdup(io->ac,
2398 ac->change->old_lm_pwd_hash,
2399 sizeof(struct samr_Password));
2403 /* refuse the change if someone wants to change the clear-
2404 text and supply his own hashes at the same time... */
2405 if ((io->n.cleartext_utf8 || io->n.cleartext_utf16)
2406 && (io->n.nt_hash || io->n.lm_hash)) {
2407 ldb_asprintf_errstring(ldb,
2409 "it's only allowed to set the password in form of cleartext attributes or as hashes");
2410 return LDB_ERR_UNWILLING_TO_PERFORM;
2413 /* refuse the change if someone wants to change the password
2414 using both plaintext methods (UTF8 and UTF16) at the same time... */
2415 if (io->n.cleartext_utf8 && io->n.cleartext_utf16) {
2416 ldb_asprintf_errstring(ldb,
2418 "it's only allowed to set the cleartext password as 'unicodePwd' or as 'userPassword' or as 'clearTextPassword'");
2419 return LDB_ERR_UNWILLING_TO_PERFORM;
2422 /* refuse the change if someone tries to set/change the password by
2423 * the lanman hash alone and we've deactivated that mechanism. This
2424 * would end in an account without any password! */
2425 if ((!io->n.cleartext_utf8) && (!io->n.cleartext_utf16)
2426 && (!io->n.nt_hash) && (!io->n.lm_hash)) {
2427 ldb_asprintf_errstring(ldb,
2429 "It' not possible to delete the password (changes using the LAN Manager hash alone could be deactivated)!");
2430 /* on "userPassword" and "clearTextPassword" we've to return
2431 * something different, since these are virtual attributes */
2432 if ((ldb_msg_find_element(orig_msg, "userPassword") != NULL) ||
2433 (ldb_msg_find_element(orig_msg, "clearTextPassword") != NULL)) {
2434 return LDB_ERR_CONSTRAINT_VIOLATION;
2436 return LDB_ERR_UNWILLING_TO_PERFORM;
2439 /* refuse the change if someone wants to compare against a plaintext
2440 or hash at the same time for a "password modify" operation... */
2441 if ((io->og.cleartext_utf8 || io->og.cleartext_utf16)
2442 && (io->og.nt_hash || io->og.lm_hash)) {
2443 ldb_asprintf_errstring(ldb,
2445 "it's only allowed to provide the old password in form of cleartext attributes or as hashes");
2446 return LDB_ERR_UNWILLING_TO_PERFORM;
2449 /* refuse the change if someone wants to compare against both
2450 * plaintexts at the same time for a "password modify" operation... */
2451 if (io->og.cleartext_utf8 && io->og.cleartext_utf16) {
2452 ldb_asprintf_errstring(ldb,
2454 "it's only allowed to provide the old cleartext password as 'unicodePwd' or as 'userPassword' or as 'clearTextPassword'");
2455 return LDB_ERR_UNWILLING_TO_PERFORM;
2458 /* Decides if we have a password modify or password reset operation */
2459 if (ac->req->operation == LDB_ADD) {
2460 /* On "add" we have only "password reset" */
2461 ac->pwd_reset = true;
2462 } else if (ac->req->operation == LDB_MODIFY) {
2463 if (io->og.cleartext_utf8 || io->og.cleartext_utf16
2464 || io->og.nt_hash || io->og.lm_hash) {
2465 /* If we have an old password specified then for sure it
2466 * is a user "password change" */
2467 ac->pwd_reset = false;
2469 /* Otherwise we have also here a "password reset" */
2470 ac->pwd_reset = true;
2473 /* this shouldn't happen */
2474 return ldb_operr(ldb);
2480 static struct ph_context *ph_init_context(struct ldb_module *module,
2481 struct ldb_request *req,
2484 struct ldb_context *ldb;
2485 struct ph_context *ac;
2487 ldb = ldb_module_get_ctx(module);
2489 ac = talloc_zero(req, struct ph_context);
2491 ldb_set_errstring(ldb, "Out of Memory");
2495 ac->module = module;
2497 ac->userPassword = userPassword;
2502 static void ph_apply_controls(struct ph_context *ac)
2504 struct ldb_control *ctrl;
2506 ac->change_status = false;
2507 ctrl = ldb_request_get_control(ac->req,
2508 DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID);
2510 ac->change_status = true;
2512 /* Mark the "change status" control as uncritical (done) */
2513 ctrl->critical = false;
2516 ac->hash_values = false;
2517 ctrl = ldb_request_get_control(ac->req,
2518 DSDB_CONTROL_PASSWORD_HASH_VALUES_OID);
2520 ac->hash_values = true;
2522 /* Mark the "hash values" control as uncritical (done) */
2523 ctrl->critical = false;
2526 ctrl = ldb_request_get_control(ac->req,
2527 DSDB_CONTROL_PASSWORD_CHANGE_OID);
2529 ac->change = (struct dsdb_control_password_change *) ctrl->data;
2531 /* Mark the "change" control as uncritical (done) */
2532 ctrl->critical = false;
2535 ac->pwd_last_set_bypass = false;
2536 ctrl = ldb_request_get_control(ac->req,
2537 DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID);
2539 ac->pwd_last_set_bypass = true;
2541 /* Mark the "bypass pwdLastSet" control as uncritical (done) */
2542 ctrl->critical = false;
2546 static int ph_op_callback(struct ldb_request *req, struct ldb_reply *ares)
2548 struct ph_context *ac;
2550 ac = talloc_get_type(req->context, struct ph_context);
2553 return ldb_module_done(ac->req, NULL, NULL,
2554 LDB_ERR_OPERATIONS_ERROR);
2557 if (ares->type == LDB_REPLY_REFERRAL) {
2558 return ldb_module_send_referral(ac->req, ares->referral);
2561 if ((ares->error != LDB_ERR_OPERATIONS_ERROR) && (ac->change_status)) {
2562 /* On success and trivial errors a status control is being
2563 * added (used for example by the "samdb_set_password" call) */
2564 ldb_reply_add_control(ares,
2565 DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID,
2570 if (ares->error != LDB_SUCCESS) {
2571 return ldb_module_done(ac->req, ares->controls,
2572 ares->response, ares->error);
2575 if (ares->type != LDB_REPLY_DONE) {
2577 return ldb_module_done(ac->req, NULL, NULL,
2578 LDB_ERR_OPERATIONS_ERROR);
2581 return ldb_module_done(ac->req, ares->controls,
2582 ares->response, ares->error);
2585 static int password_hash_add_do_add(struct ph_context *ac);
2586 static int ph_modify_callback(struct ldb_request *req, struct ldb_reply *ares);
2587 static int password_hash_mod_search_self(struct ph_context *ac);
2588 static int ph_mod_search_callback(struct ldb_request *req, struct ldb_reply *ares);
2589 static int password_hash_mod_do_mod(struct ph_context *ac);
2591 static int get_domain_data_callback(struct ldb_request *req,
2592 struct ldb_reply *ares)
2594 struct ldb_context *ldb;
2595 struct ph_context *ac;
2596 struct loadparm_context *lp_ctx;
2599 ac = talloc_get_type(req->context, struct ph_context);
2600 ldb = ldb_module_get_ctx(ac->module);
2603 ret = LDB_ERR_OPERATIONS_ERROR;
2606 if (ares->error != LDB_SUCCESS) {
2607 return ldb_module_done(ac->req, ares->controls,
2608 ares->response, ares->error);
2611 switch (ares->type) {
2612 case LDB_REPLY_ENTRY:
2613 if (ac->status != NULL) {
2616 ldb_set_errstring(ldb, "Too many results");
2617 ret = LDB_ERR_OPERATIONS_ERROR;
2621 /* Setup the "status" structure (used as control later) */
2622 ac->status = talloc_zero(ac->req,
2623 struct dsdb_control_password_change_status);
2624 if (ac->status == NULL) {
2628 ret = LDB_ERR_OPERATIONS_ERROR;
2632 /* Setup the "domain data" structure */
2633 ac->status->domain_data.pwdProperties =
2634 ldb_msg_find_attr_as_uint(ares->message, "pwdProperties", -1);
2635 ac->status->domain_data.pwdHistoryLength =
2636 ldb_msg_find_attr_as_uint(ares->message, "pwdHistoryLength", -1);
2637 ac->status->domain_data.maxPwdAge =
2638 ldb_msg_find_attr_as_int64(ares->message, "maxPwdAge", -1);
2639 ac->status->domain_data.minPwdAge =
2640 ldb_msg_find_attr_as_int64(ares->message, "minPwdAge", -1);
2641 ac->status->domain_data.minPwdLength =
2642 ldb_msg_find_attr_as_uint(ares->message, "minPwdLength", -1);
2643 ac->status->domain_data.store_cleartext =
2644 ac->status->domain_data.pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT;
2648 /* For a domain DN, this puts things in dotted notation */
2649 /* For builtin domains, this will give details for the host,
2650 * but that doesn't really matter, as it's just used for salt
2651 * and kerberos principals, which don't exist here */
2653 lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
2654 struct loadparm_context);
2656 ac->status->domain_data.dns_domain = lpcfg_dnsdomain(lp_ctx);
2657 ac->status->domain_data.realm = lpcfg_realm(lp_ctx);
2658 ac->status->domain_data.netbios_domain = lpcfg_sam_name(lp_ctx);
2660 ac->status->reject_reason = SAM_PWD_CHANGE_NO_ERROR;
2665 case LDB_REPLY_REFERRAL:
2671 case LDB_REPLY_DONE:
2673 /* call the next step */
2674 switch (ac->req->operation) {
2676 ret = password_hash_add_do_add(ac);
2680 ret = password_hash_mod_do_mod(ac);
2684 ret = LDB_ERR_OPERATIONS_ERROR;
2691 if (ret != LDB_SUCCESS) {
2692 struct ldb_reply *new_ares;
2694 new_ares = talloc_zero(ac->req, struct ldb_reply);
2695 if (new_ares == NULL) {
2697 return ldb_module_done(ac->req, NULL, NULL,
2698 LDB_ERR_OPERATIONS_ERROR);
2701 new_ares->error = ret;
2702 if ((ret != LDB_ERR_OPERATIONS_ERROR) && (ac->change_status)) {
2703 /* On success and trivial errors a status control is being
2704 * added (used for example by the "samdb_set_password" call) */
2705 ldb_reply_add_control(new_ares,
2706 DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID,
2711 return ldb_module_done(ac->req, new_ares->controls,
2712 new_ares->response, new_ares->error);
2718 static int build_domain_data_request(struct ph_context *ac)
2720 /* attrs[] is returned from this function in
2721 ac->dom_req->op.search.attrs, so it must be static, as
2722 otherwise the compiler can put it on the stack */
2723 struct ldb_context *ldb;
2724 static const char * const attrs[] = { "pwdProperties",
2732 ldb = ldb_module_get_ctx(ac->module);
2734 ret = ldb_build_search_req(&ac->dom_req, ldb, ac,
2735 ldb_get_default_basedn(ldb),
2739 ac, get_domain_data_callback,
2741 LDB_REQ_SET_LOCATION(ac->dom_req);
2745 static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
2747 struct ldb_context *ldb;
2748 struct ph_context *ac;
2749 struct ldb_message_element *userPasswordAttr, *clearTextPasswordAttr,
2752 struct ldb_control *bypass = NULL;
2753 bool userPassword = dsdb_user_password_support(module, req, req);
2755 ldb = ldb_module_get_ctx(module);
2757 ldb_debug(ldb, LDB_DEBUG_TRACE, "password_hash_add\n");
2759 if (ldb_dn_is_special(req->op.add.message->dn)) { /* do not manipulate our control entries */
2760 return ldb_next_request(module, req);
2763 /* If the caller is manipulating the local passwords directly, let them pass */
2764 if (ldb_dn_compare_base(ldb_dn_new(req, ldb, LOCAL_BASE),
2765 req->op.add.message->dn) == 0) {
2766 return ldb_next_request(module, req);
2769 bypass = ldb_request_get_control(req,
2770 DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID);
2771 if (bypass != NULL) {
2772 /* Mark the "bypass" control as uncritical (done) */
2773 bypass->critical = false;
2774 ldb_debug(ldb, LDB_DEBUG_TRACE, "password_hash_add (bypassing)\n");
2775 return password_hash_bypass(module, req);
2778 /* nobody must touch password histories and 'supplementalCredentials' */
2779 if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory")) {
2780 return LDB_ERR_UNWILLING_TO_PERFORM;
2782 if (ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) {
2783 return LDB_ERR_UNWILLING_TO_PERFORM;
2785 if (ldb_msg_find_element(req->op.add.message, "supplementalCredentials")) {
2786 return LDB_ERR_UNWILLING_TO_PERFORM;
2789 /* If no part of this touches the 'userPassword' OR 'clearTextPassword'
2790 * OR 'unicodePwd' OR 'dBCSPwd' we don't need to make any changes. */
2792 userPasswordAttr = NULL;
2794 userPasswordAttr = ldb_msg_find_element(req->op.add.message,
2796 /* MS-ADTS 3.1.1.3.1.5.2 */
2797 if ((userPasswordAttr != NULL) &&
2798 (dsdb_functional_level(ldb) < DS_DOMAIN_FUNCTION_2003)) {
2799 return LDB_ERR_CONSTRAINT_VIOLATION;
2802 clearTextPasswordAttr = ldb_msg_find_element(req->op.add.message, "clearTextPassword");
2803 ntAttr = ldb_msg_find_element(req->op.add.message, "unicodePwd");
2804 lmAttr = ldb_msg_find_element(req->op.add.message, "dBCSPwd");
2806 if ((!userPasswordAttr) && (!clearTextPasswordAttr) && (!ntAttr) && (!lmAttr)) {
2807 return ldb_next_request(module, req);
2810 /* Make sure we are performing the password set action on a (for us)
2811 * valid object. Those are instances of either "user" and/or
2812 * "inetOrgPerson". Otherwise continue with the submodules. */
2813 if ((!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "user"))
2814 && (!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "inetOrgPerson"))) {
2816 if (ldb_msg_find_element(req->op.add.message, "clearTextPassword") != NULL) {
2817 ldb_set_errstring(ldb,
2818 "'clearTextPassword' is only allowed on objects of class 'user' and/or 'inetOrgPerson'!");
2819 return LDB_ERR_NO_SUCH_ATTRIBUTE;
2822 return ldb_next_request(module, req);
2825 ac = ph_init_context(module, req, userPassword);
2827 DEBUG(0,(__location__ ": %s\n", ldb_errstring(ldb)));
2828 return ldb_operr(ldb);
2830 ph_apply_controls(ac);
2832 /* get user domain data */
2833 ret = build_domain_data_request(ac);
2834 if (ret != LDB_SUCCESS) {
2838 return ldb_next_request(module, ac->dom_req);
2841 static int password_hash_add_do_add(struct ph_context *ac)
2843 struct ldb_context *ldb;
2844 struct ldb_request *down_req;
2845 struct ldb_message *msg;
2846 struct setup_password_fields_io io;
2849 /* Prepare the internal data structure containing the passwords */
2850 ret = setup_io(ac, ac->req->op.add.message, ac->req->op.add.message, &io);
2851 if (ret != LDB_SUCCESS) {
2855 ldb = ldb_module_get_ctx(ac->module);
2857 msg = ldb_msg_copy_shallow(ac, ac->req->op.add.message);
2859 return ldb_operr(ldb);
2862 /* remove attributes that we just read into 'io' */
2863 if (ac->userPassword) {
2864 ldb_msg_remove_attr(msg, "userPassword");
2866 ldb_msg_remove_attr(msg, "clearTextPassword");
2867 ldb_msg_remove_attr(msg, "unicodePwd");
2868 ldb_msg_remove_attr(msg, "dBCSPwd");
2869 ldb_msg_remove_attr(msg, "pwdLastSet");
2871 ret = setup_password_fields(&io);
2872 if (ret != LDB_SUCCESS) {
2876 ret = check_password_restrictions(&io);
2877 if (ret != LDB_SUCCESS) {
2882 ret = samdb_msg_add_hash(ldb, ac, msg,
2883 "unicodePwd", io.g.nt_hash);
2884 if (ret != LDB_SUCCESS) {
2889 ret = samdb_msg_add_hash(ldb, ac, msg,
2890 "dBCSPwd", io.g.lm_hash);
2891 if (ret != LDB_SUCCESS) {
2895 if (io.g.nt_history_len > 0) {
2896 ret = samdb_msg_add_hashes(ldb, ac, msg,
2899 io.g.nt_history_len);
2900 if (ret != LDB_SUCCESS) {
2904 if (io.g.lm_history_len > 0) {
2905 ret = samdb_msg_add_hashes(ldb, ac, msg,
2908 io.g.lm_history_len);
2909 if (ret != LDB_SUCCESS) {
2913 if (io.g.supplemental.length > 0) {
2914 ret = ldb_msg_add_value(msg, "supplementalCredentials",
2915 &io.g.supplemental, NULL);
2916 if (ret != LDB_SUCCESS) {
2920 ret = samdb_msg_add_uint64(ldb, ac, msg,
2923 if (ret != LDB_SUCCESS) {
2927 ret = ldb_build_add_req(&down_req, ldb, ac,
2932 LDB_REQ_SET_LOCATION(down_req);
2933 if (ret != LDB_SUCCESS) {
2937 return ldb_next_request(ac->module, down_req);
2940 static int password_hash_modify(struct ldb_module *module, struct ldb_request *req)
2942 struct ldb_context *ldb;
2943 struct ph_context *ac;
2944 const char *passwordAttrs[] = { "userPassword", "clearTextPassword",
2945 "unicodePwd", "dBCSPwd", NULL }, **l;
2946 unsigned int attr_cnt, del_attr_cnt, add_attr_cnt, rep_attr_cnt;
2947 struct ldb_message_element *passwordAttr;
2948 struct ldb_message *msg;
2949 struct ldb_request *down_req;
2951 struct ldb_control *bypass = NULL;
2952 bool userPassword = dsdb_user_password_support(module, req, req);
2954 ldb = ldb_module_get_ctx(module);
2956 ldb_debug(ldb, LDB_DEBUG_TRACE, "password_hash_modify\n");
2958 if (ldb_dn_is_special(req->op.mod.message->dn)) { /* do not manipulate our control entries */
2959 return ldb_next_request(module, req);
2962 /* If the caller is manipulating the local passwords directly, let them pass */
2963 if (ldb_dn_compare_base(ldb_dn_new(req, ldb, LOCAL_BASE),
2964 req->op.mod.message->dn) == 0) {
2965 return ldb_next_request(module, req);
2968 bypass = ldb_request_get_control(req,
2969 DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID);
2970 if (bypass != NULL) {
2971 /* Mark the "bypass" control as uncritical (done) */
2972 bypass->critical = false;
2973 ldb_debug(ldb, LDB_DEBUG_TRACE, "password_hash_modify (bypassing)\n");
2974 return password_hash_bypass(module, req);
2977 /* nobody must touch password histories and 'supplementalCredentials' */
2978 if (ldb_msg_find_element(req->op.mod.message, "ntPwdHistory")) {
2979 return LDB_ERR_UNWILLING_TO_PERFORM;
2981 if (ldb_msg_find_element(req->op.mod.message, "lmPwdHistory")) {
2982 return LDB_ERR_UNWILLING_TO_PERFORM;
2984 if (ldb_msg_find_element(req->op.mod.message, "supplementalCredentials")) {
2985 return LDB_ERR_UNWILLING_TO_PERFORM;
2988 /* If no part of this touches the 'userPassword' OR 'clearTextPassword'
2989 * OR 'unicodePwd' OR 'dBCSPwd' we don't need to make any changes.
2990 * For password changes/set there should be a 'delete' or a 'modify'
2991 * on these attributes. */
2993 for (l = passwordAttrs; *l != NULL; l++) {
2994 if ((!userPassword) && (ldb_attr_cmp(*l, "userPassword") == 0)) {
2998 if (ldb_msg_find_element(req->op.mod.message, *l) != NULL) {
2999 /* MS-ADTS 3.1.1.3.1.5.2 */
3000 if ((ldb_attr_cmp(*l, "userPassword") == 0) &&
3001 (dsdb_functional_level(ldb) < DS_DOMAIN_FUNCTION_2003)) {
3002 return LDB_ERR_CONSTRAINT_VIOLATION;
3008 if (attr_cnt == 0) {
3009 return ldb_next_request(module, req);
3012 ac = ph_init_context(module, req, userPassword);
3014 DEBUG(0,(__location__ ": %s\n", ldb_errstring(ldb)));
3015 return ldb_operr(ldb);
3017 ph_apply_controls(ac);
3019 /* use a new message structure so that we can modify it */
3020 msg = ldb_msg_copy_shallow(ac, req->op.mod.message);
3022 return ldb_oom(ldb);
3025 /* - check for single-valued password attributes
3026 * (if not return "CONSTRAINT_VIOLATION")
3027 * - check that for a password change operation one add and one delete
3029 * (if not return "CONSTRAINT_VIOLATION" or "UNWILLING_TO_PERFORM")
3030 * - check that a password change and a password set operation cannot
3032 * (if not return "UNWILLING_TO_PERFORM")
3033 * - remove all password attributes modifications from the first change
3034 * operation (anything without the passwords) - we will make the real
3035 * modification later */
3039 for (l = passwordAttrs; *l != NULL; l++) {
3040 if ((!ac->userPassword) &&
3041 (ldb_attr_cmp(*l, "userPassword") == 0)) {
3045 while ((passwordAttr = ldb_msg_find_element(msg, *l)) != NULL) {
3046 if (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_DELETE) {
3049 if (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_ADD) {
3052 if (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_REPLACE) {
3055 if ((passwordAttr->num_values != 1) &&
3056 (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_ADD)) {
3058 ldb_asprintf_errstring(ldb,
3059 "'%s' attribute must have exactly one value on add operations!",
3061 return LDB_ERR_CONSTRAINT_VIOLATION;
3063 if ((passwordAttr->num_values > 1) &&
3064 (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_DELETE)) {
3066 ldb_asprintf_errstring(ldb,
3067 "'%s' attribute must have zero or one value(s) on delete operations!",
3069 return LDB_ERR_CONSTRAINT_VIOLATION;
3071 ldb_msg_remove_element(msg, passwordAttr);
3074 if ((del_attr_cnt == 0) && (add_attr_cnt > 0)) {
3076 ldb_set_errstring(ldb,
3077 "Only the add action for a password change specified!");
3078 return LDB_ERR_UNWILLING_TO_PERFORM;
3080 if ((del_attr_cnt > 1) || (add_attr_cnt > 1)) {
3082 ldb_set_errstring(ldb,
3083 "Only one delete and one add action for a password change allowed!");
3084 return LDB_ERR_UNWILLING_TO_PERFORM;
3086 if ((rep_attr_cnt > 0) && ((del_attr_cnt > 0) || (add_attr_cnt > 0))) {
3088 ldb_set_errstring(ldb,
3089 "Either a password change or a password set operation is allowed!");
3090 return LDB_ERR_UNWILLING_TO_PERFORM;
3093 /* if there was nothing else to be modified skip to next step */
3094 if (msg->num_elements == 0) {
3095 return password_hash_mod_search_self(ac);
3098 ret = ldb_build_mod_req(&down_req, ldb, ac,
3101 ac, ph_modify_callback,
3103 LDB_REQ_SET_LOCATION(down_req);
3104 if (ret != LDB_SUCCESS) {
3108 return ldb_next_request(module, down_req);
3111 static int ph_modify_callback(struct ldb_request *req, struct ldb_reply *ares)
3113 struct ph_context *ac;
3115 ac = talloc_get_type(req->context, struct ph_context);
3118 return ldb_module_done(ac->req, NULL, NULL,
3119 LDB_ERR_OPERATIONS_ERROR);
3122 if (ares->type == LDB_REPLY_REFERRAL) {
3123 return ldb_module_send_referral(ac->req, ares->referral);
3126 if (ares->error != LDB_SUCCESS) {
3127 return ldb_module_done(ac->req, ares->controls,
3128 ares->response, ares->error);
3131 if (ares->type != LDB_REPLY_DONE) {
3133 return ldb_module_done(ac->req, NULL, NULL,
3134 LDB_ERR_OPERATIONS_ERROR);
3139 return password_hash_mod_search_self(ac);
3142 static int ph_mod_search_callback(struct ldb_request *req, struct ldb_reply *ares)
3144 struct ldb_context *ldb;
3145 struct ph_context *ac;
3148 ac = talloc_get_type(req->context, struct ph_context);
3149 ldb = ldb_module_get_ctx(ac->module);
3152 ret = LDB_ERR_OPERATIONS_ERROR;
3155 if (ares->error != LDB_SUCCESS) {
3156 return ldb_module_done(ac->req, ares->controls,
3157 ares->response, ares->error);
3160 /* we are interested only in the single reply (base search) */
3161 switch (ares->type) {
3162 case LDB_REPLY_ENTRY:
3163 /* Make sure we are performing the password change action on a
3164 * (for us) valid object. Those are instances of either "user"
3165 * and/or "inetOrgPerson". Otherwise continue with the
3167 if ((!ldb_msg_check_string_attribute(ares->message, "objectClass", "user"))
3168 && (!ldb_msg_check_string_attribute(ares->message, "objectClass", "inetOrgPerson"))) {
3171 if (ldb_msg_find_element(ac->req->op.mod.message, "clearTextPassword") != NULL) {
3172 ldb_set_errstring(ldb,
3173 "'clearTextPassword' is only allowed on objects of class 'user' and/or 'inetOrgPerson'!");
3174 ret = LDB_ERR_NO_SUCH_ATTRIBUTE;
3178 ret = ldb_next_request(ac->module, ac->req);
3182 if (ac->search_res != NULL) {
3185 ldb_set_errstring(ldb, "Too many results");
3186 ret = LDB_ERR_OPERATIONS_ERROR;
3190 ac->search_res = talloc_steal(ac, ares);
3194 case LDB_REPLY_REFERRAL:
3195 /* ignore anything else for now */
3200 case LDB_REPLY_DONE:
3203 /* get user domain data */
3204 ret = build_domain_data_request(ac);
3205 if (ret != LDB_SUCCESS) {
3206 return ldb_module_done(ac->req, NULL, NULL, ret);
3209 ret = ldb_next_request(ac->module, ac->dom_req);
3214 if (ret != LDB_SUCCESS) {
3215 return ldb_module_done(ac->req, NULL, NULL, ret);
3221 static int password_hash_mod_search_self(struct ph_context *ac)
3223 struct ldb_context *ldb;
3224 static const char * const attrs[] = { "objectClass",
3225 "userAccountControl",
3229 "userPrincipalName",
3230 "supplementalCredentials",
3236 struct ldb_request *search_req;
3239 ldb = ldb_module_get_ctx(ac->module);
3241 ret = ldb_build_search_req(&search_req, ldb, ac,
3242 ac->req->op.mod.message->dn,
3247 ac, ph_mod_search_callback,
3249 LDB_REQ_SET_LOCATION(search_req);
3250 if (ret != LDB_SUCCESS) {
3254 return ldb_next_request(ac->module, search_req);
3257 static int password_hash_mod_do_mod(struct ph_context *ac)
3259 struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
3260 struct loadparm_context *lp_ctx =
3261 talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
3262 struct loadparm_context);
3263 struct ldb_request *mod_req;
3264 struct ldb_message *msg;
3265 const struct ldb_message *orig_msg, *searched_msg;
3266 struct setup_password_fields_io io;
3270 /* use a new message structure so that we can modify it */
3271 msg = ldb_msg_new(ac);
3273 return ldb_operr(ldb);
3277 msg->dn = ac->req->op.mod.message->dn;
3279 orig_msg = ac->req->op.mod.message;
3280 searched_msg = ac->search_res->message;
3282 /* Prepare the internal data structure containing the passwords */
3283 ret = setup_io(ac, orig_msg, searched_msg, &io);
3284 if (ret != LDB_SUCCESS) {
3288 /* Get the old password from the database */
3289 status = samdb_result_passwords(io.ac,
3291 discard_const_p(struct ldb_message, searched_msg),
3292 &io.o.lm_hash, &io.o.nt_hash);
3293 if (!NT_STATUS_IS_OK(status)) {
3294 return ldb_operr(ldb);
3297 io.o.nt_history_len = samdb_result_hashes(io.ac, searched_msg, "ntPwdHistory", &io.o.nt_history);
3298 io.o.lm_history_len = samdb_result_hashes(io.ac, searched_msg, "lmPwdHistory", &io.o.lm_history);
3299 io.o.supplemental = ldb_msg_find_ldb_val(searched_msg, "supplementalCredentials");
3301 ret = setup_password_fields(&io);
3302 if (ret != LDB_SUCCESS) {
3306 ret = check_password_restrictions(&io);
3307 if (ret != LDB_SUCCESS) {
3311 /* make sure we replace all the old attributes */
3312 ret = ldb_msg_add_empty(msg, "unicodePwd", LDB_FLAG_MOD_REPLACE, NULL);
3313 ret = ldb_msg_add_empty(msg, "dBCSPwd", LDB_FLAG_MOD_REPLACE, NULL);
3314 ret = ldb_msg_add_empty(msg, "ntPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
3315 ret = ldb_msg_add_empty(msg, "lmPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
3316 ret = ldb_msg_add_empty(msg, "supplementalCredentials", LDB_FLAG_MOD_REPLACE, NULL);
3317 ret = ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE, NULL);
3320 ret = samdb_msg_add_hash(ldb, ac, msg,
3321 "unicodePwd", io.g.nt_hash);
3322 if (ret != LDB_SUCCESS) {
3327 ret = samdb_msg_add_hash(ldb, ac, msg,
3328 "dBCSPwd", io.g.lm_hash);
3329 if (ret != LDB_SUCCESS) {
3333 if (io.g.nt_history_len > 0) {
3334 ret = samdb_msg_add_hashes(ldb, ac, msg,
3337 io.g.nt_history_len);
3338 if (ret != LDB_SUCCESS) {
3342 if (io.g.lm_history_len > 0) {
3343 ret = samdb_msg_add_hashes(ldb, ac, msg,
3346 io.g.lm_history_len);
3347 if (ret != LDB_SUCCESS) {
3351 if (io.g.supplemental.length > 0) {
3352 ret = ldb_msg_add_value(msg, "supplementalCredentials",
3353 &io.g.supplemental, NULL);
3354 if (ret != LDB_SUCCESS) {
3358 ret = samdb_msg_add_uint64(ldb, ac, msg,
3361 if (ret != LDB_SUCCESS) {
3365 ret = ldb_build_mod_req(&mod_req, ldb, ac,
3370 LDB_REQ_SET_LOCATION(mod_req);
3371 if (ret != LDB_SUCCESS) {
3375 return ldb_next_request(ac->module, mod_req);
3378 static const struct ldb_module_ops ldb_password_hash_module_ops = {
3379 .name = "password_hash",
3380 .add = password_hash_add,
3381 .modify = password_hash_modify
3384 int ldb_password_hash_module_init(const char *version)
3386 LDB_MODULE_CHECK_VERSION(version);
3387 return ldb_register_module(&ldb_password_hash_module_ops);
git.samba.org / kai / samba-autobuild / .git / blob