4 Copyright (C) Simo Sorce 2004-2006
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2006
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Stefan Metzmacher 2007
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 * Component: ldb password_hash module
28 * Description: correctly update hash values based on changes to userPassword and friends
30 * Author: Andrew Bartlett
31 * Author: Stefan Metzmacher
35 #include "libcli/ldap/ldap_ndr.h"
36 #include "ldb/include/ldb_errors.h"
37 #include "ldb/include/ldb.h"
38 #include "ldb/include/ldb_private.h"
39 #include "librpc/gen_ndr/misc.h"
40 #include "librpc/gen_ndr/samr.h"
41 #include "libcli/auth/libcli_auth.h"
42 #include "libcli/security/security.h"
43 #include "system/kerberos.h"
44 #include "auth/kerberos/kerberos.h"
45 #include "system/time.h"
46 #include "dsdb/samdb/samdb.h"
47 #include "dsdb/common/flags.h"
48 #include "dsdb/samdb/ldb_modules/password_modules.h"
49 #include "librpc/ndr/libndr.h"
50 #include "librpc/gen_ndr/ndr_drsblobs.h"
51 #include "lib/crypto/crypto.h"
52 #include "param/param.h"
54 /* If we have decided there is reason to work on this request, then
55 * setup all the password hash types correctly.
57 * If the administrator doesn't want the userPassword stored (set in the
58 * domain and per-account policies) then we must strip that out before
59 * we do the first operation.
61 * Once this is done (which could update anything at all), we
62 * calculate the password hashes.
64 * This function must not only update the unicodePwd, dBCSPwd and
65 * supplementalCredentials fields, it must also atomicly increment the
66 * msDS-KeyVersionNumber. We should be in a transaction, so all this
67 * should be quite safe...
69 * Finally, if the administrator has requested that a password history
70 * be maintained, then this should also be written out.
76 enum ph_type {PH_ADD, PH_MOD} type;
77 enum ph_step {PH_ADD_SEARCH_DOM, PH_ADD_DO_ADD, PH_MOD_DO_REQ, PH_MOD_SEARCH_SELF, PH_MOD_SEARCH_DOM, PH_MOD_DO_MOD} step;
79 struct ldb_module *module;
80 struct ldb_request *orig_req;
82 struct ldb_request *dom_req;
83 struct ldb_reply *dom_res;
85 struct ldb_request *down_req;
87 struct ldb_request *search_req;
88 struct ldb_reply *search_res;
90 struct ldb_request *mod_req;
92 struct dom_sid *domain_sid;
98 uint_t pwdHistoryLength;
104 struct setup_password_fields_io {
105 struct ph_context *ac;
106 struct domain_data *domain;
107 struct smb_krb5_context *smb_krb5_context;
109 /* infos about the user account */
111 uint32_t user_account_control;
112 const char *sAMAccountName;
113 const char *user_principal_name;
117 /* new credentials */
119 const char *cleartext;
120 struct samr_Password *nt_hash;
121 struct samr_Password *lm_hash;
124 /* old credentials */
126 uint32_t nt_history_len;
127 struct samr_Password *nt_history;
128 uint32_t lm_history_len;
129 struct samr_Password *lm_history;
130 const struct ldb_val *supplemental;
131 struct supplementalCredentialsBlob scb;
135 /* generated credentials */
137 struct samr_Password *nt_hash;
138 struct samr_Password *lm_hash;
139 uint32_t nt_history_len;
140 struct samr_Password *nt_history;
141 uint32_t lm_history_len;
142 struct samr_Password *lm_history;
148 struct ldb_val supplemental;
154 static int setup_nt_fields(struct setup_password_fields_io *io)
158 io->g.nt_hash = io->n.nt_hash;
160 if (io->domain->pwdHistoryLength == 0) {
164 /* We might not have an old NT password */
165 io->g.nt_history = talloc_array(io->ac,
166 struct samr_Password,
167 io->domain->pwdHistoryLength);
168 if (!io->g.nt_history) {
169 ldb_oom(io->ac->module->ldb);
170 return LDB_ERR_OPERATIONS_ERROR;
173 for (i = 0; i < MIN(io->domain->pwdHistoryLength-1, io->o.nt_history_len); i++) {
174 io->g.nt_history[i+1] = io->o.nt_history[i];
176 io->g.nt_history_len = i + 1;
179 io->g.nt_history[0] = *io->g.nt_hash;
182 * TODO: is this correct?
183 * the simular behavior is correct for the lm history case
185 E_md4hash("", io->g.nt_history[0].hash);
191 static int setup_lm_fields(struct setup_password_fields_io *io)
195 io->g.lm_hash = io->n.lm_hash;
197 if (io->domain->pwdHistoryLength == 0) {
201 /* We might not have an old NT password */
202 io->g.lm_history = talloc_array(io->ac,
203 struct samr_Password,
204 io->domain->pwdHistoryLength);
205 if (!io->g.lm_history) {
206 ldb_oom(io->ac->module->ldb);
207 return LDB_ERR_OPERATIONS_ERROR;
210 for (i = 0; i < MIN(io->domain->pwdHistoryLength-1, io->o.lm_history_len); i++) {
211 io->g.lm_history[i+1] = io->o.lm_history[i];
213 io->g.lm_history_len = i + 1;
216 io->g.lm_history[0] = *io->g.lm_hash;
218 E_deshash("", io->g.lm_history[0].hash);
224 static int setup_kerberos_keys(struct setup_password_fields_io *io)
226 krb5_error_code krb5_ret;
227 Principal *salt_principal;
231 /* Many, many thanks to lukeh@padl.com for this
232 * algorithm, described in his Nov 10 2004 mail to
233 * samba-technical@samba.org */
236 * Determine a salting principal
238 if (io->u.is_computer) {
242 name = talloc_strdup(io->ac, io->u.sAMAccountName);
244 ldb_oom(io->ac->module->ldb);
245 return LDB_ERR_OPERATIONS_ERROR;
248 if (name[strlen(name)-1] == '$') {
249 name[strlen(name)-1] = '\0';
252 saltbody = talloc_asprintf(io->ac, "%s.%s", name, io->domain->dns_domain);
254 ldb_oom(io->ac->module->ldb);
255 return LDB_ERR_OPERATIONS_ERROR;
258 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
260 io->domain->realm, "host",
262 } else if (io->u.user_principal_name) {
263 char *user_principal_name;
266 user_principal_name = talloc_strdup(io->ac, io->u.user_principal_name);
267 if (!user_principal_name) {
268 ldb_oom(io->ac->module->ldb);
269 return LDB_ERR_OPERATIONS_ERROR;
272 p = strchr(user_principal_name, '@');
277 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
279 io->domain->realm, user_principal_name,
282 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
284 io->domain->realm, io->u.sAMAccountName,
288 ldb_asprintf_errstring(io->ac->module->ldb,
289 "setup_kerberos_keys: "
290 "generation of a salting principal failed: %s",
291 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
292 return LDB_ERR_OPERATIONS_ERROR;
296 * create salt from salt_principal
298 krb5_ret = krb5_get_pw_salt(io->smb_krb5_context->krb5_context,
299 salt_principal, &salt);
300 krb5_free_principal(io->smb_krb5_context->krb5_context, salt_principal);
302 ldb_asprintf_errstring(io->ac->module->ldb,
303 "setup_kerberos_keys: "
304 "generation of krb5_salt failed: %s",
305 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
306 return LDB_ERR_OPERATIONS_ERROR;
308 /* create a talloc copy */
309 io->g.salt = talloc_strndup(io->ac,
311 salt.saltvalue.length);
312 krb5_free_salt(io->smb_krb5_context->krb5_context, salt);
314 ldb_oom(io->ac->module->ldb);
315 return LDB_ERR_OPERATIONS_ERROR;
317 salt.saltvalue.data = discard_const(io->g.salt);
318 salt.saltvalue.length = strlen(io->g.salt);
321 * create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of
322 * the salt and the cleartext password
324 krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
325 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
330 ldb_asprintf_errstring(io->ac->module->ldb,
331 "setup_kerberos_keys: "
332 "generation of a aes256-cts-hmac-sha1-96 key failed: %s",
333 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
334 return LDB_ERR_OPERATIONS_ERROR;
336 io->g.aes_256 = data_blob_talloc(io->ac,
338 key.keyvalue.length);
339 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
340 if (!io->g.aes_256.data) {
341 ldb_oom(io->ac->module->ldb);
342 return LDB_ERR_OPERATIONS_ERROR;
346 * create ENCTYPE_AES128_CTS_HMAC_SHA1_96 key out of
347 * the salt and the cleartext password
349 krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
350 ENCTYPE_AES128_CTS_HMAC_SHA1_96,
355 ldb_asprintf_errstring(io->ac->module->ldb,
356 "setup_kerberos_keys: "
357 "generation of a aes128-cts-hmac-sha1-96 key failed: %s",
358 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
359 return LDB_ERR_OPERATIONS_ERROR;
361 io->g.aes_128 = data_blob_talloc(io->ac,
363 key.keyvalue.length);
364 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
365 if (!io->g.aes_128.data) {
366 ldb_oom(io->ac->module->ldb);
367 return LDB_ERR_OPERATIONS_ERROR;
371 * create ENCTYPE_DES_CBC_MD5 key out of
372 * the salt and the cleartext password
374 krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
380 ldb_asprintf_errstring(io->ac->module->ldb,
381 "setup_kerberos_keys: "
382 "generation of a des-cbc-md5 key failed: %s",
383 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
384 return LDB_ERR_OPERATIONS_ERROR;
386 io->g.des_md5 = data_blob_talloc(io->ac,
388 key.keyvalue.length);
389 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
390 if (!io->g.des_md5.data) {
391 ldb_oom(io->ac->module->ldb);
392 return LDB_ERR_OPERATIONS_ERROR;
396 * create ENCTYPE_DES_CBC_CRC key out of
397 * the salt and the cleartext password
399 krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
405 ldb_asprintf_errstring(io->ac->module->ldb,
406 "setup_kerberos_keys: "
407 "generation of a des-cbc-crc key failed: %s",
408 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
409 return LDB_ERR_OPERATIONS_ERROR;
411 io->g.des_crc = data_blob_talloc(io->ac,
413 key.keyvalue.length);
414 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
415 if (!io->g.des_crc.data) {
416 ldb_oom(io->ac->module->ldb);
417 return LDB_ERR_OPERATIONS_ERROR;
423 static int setup_primary_kerberos(struct setup_password_fields_io *io,
424 const struct supplementalCredentialsBlob *old_scb,
425 struct package_PrimaryKerberosBlob *pkb)
427 struct package_PrimaryKerberosCtr3 *pkb3 = &pkb->ctr.ctr3;
428 struct supplementalCredentialsPackage *old_scp = NULL;
429 struct package_PrimaryKerberosBlob _old_pkb;
430 struct package_PrimaryKerberosCtr3 *old_pkb3 = NULL;
432 enum ndr_err_code ndr_err;
435 * prepare generation of keys
437 * ENCTYPE_DES_CBC_MD5
438 * ENCTYPE_DES_CBC_CRC
440 pkb3->salt.string = io->g.salt;
442 pkb3->keys = talloc_array(io->ac,
443 struct package_PrimaryKerberosKey,
446 ldb_oom(io->ac->module->ldb);
447 return LDB_ERR_OPERATIONS_ERROR;
450 pkb3->keys[0].keytype = ENCTYPE_DES_CBC_MD5;
451 pkb3->keys[0].value = &io->g.des_md5;
452 pkb3->keys[1].keytype = ENCTYPE_DES_CBC_CRC;
453 pkb3->keys[1].value = &io->g.des_crc;
455 /* initialize the old keys to zero */
456 pkb3->num_old_keys = 0;
457 pkb3->old_keys = NULL;
459 /* if there're no old keys, then we're done */
464 for (i=0; i < old_scb->sub.num_packages; i++) {
465 if (strcmp("Primary:Kerberos", old_scb->sub.packages[i].name) != 0) {
469 if (!old_scb->sub.packages[i].data || !old_scb->sub.packages[i].data[0]) {
473 old_scp = &old_scb->sub.packages[i];
476 /* Primary:Kerberos element of supplementalCredentials */
480 blob = strhex_to_data_blob(old_scp->data);
482 ldb_oom(io->ac->module->ldb);
483 return LDB_ERR_OPERATIONS_ERROR;
485 talloc_steal(io->ac, blob.data);
487 /* TODO: use ndr_pull_struct_blob_all(), when the ndr layer handles it correct with relative pointers */
488 ndr_err = ndr_pull_struct_blob(&blob, io->ac, lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")), &_old_pkb,
489 (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
490 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
491 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
492 ldb_asprintf_errstring(io->ac->module->ldb,
493 "setup_primary_kerberos: "
494 "failed to pull old package_PrimaryKerberosBlob: %s",
496 return LDB_ERR_OPERATIONS_ERROR;
499 if (_old_pkb.version != 3) {
500 ldb_asprintf_errstring(io->ac->module->ldb,
501 "setup_primary_kerberos: "
502 "package_PrimaryKerberosBlob version[%u] expected[3]",
504 return LDB_ERR_OPERATIONS_ERROR;
507 old_pkb3 = &_old_pkb.ctr.ctr3;
510 /* if we didn't found the old keys we're done */
515 /* fill in the old keys */
516 pkb3->num_old_keys = old_pkb3->num_keys;
517 pkb3->old_keys = old_pkb3->keys;
522 static int setup_primary_kerberos_newer(struct setup_password_fields_io *io,
523 const struct supplementalCredentialsBlob *old_scb,
524 struct package_PrimaryKerberosNewerBlob *pkb)
526 struct package_PrimaryKerberosNewerCtr4 *pkb4 = &pkb->ctr.ctr4;
527 struct supplementalCredentialsPackage *old_scp = NULL;
528 struct package_PrimaryKerberosNewerBlob _old_pkb;
529 struct package_PrimaryKerberosNewerCtr4 *old_pkb4 = NULL;
531 enum ndr_err_code ndr_err;
534 * prepare generation of keys
536 * ENCTYPE_AES256_CTS_HMAC_SHA1_96
537 * ENCTYPE_AES128_CTS_HMAC_SHA1_96
538 * ENCTYPE_DES_CBC_MD5
539 * ENCTYPE_DES_CBC_CRC
541 pkb4->salt.string = io->g.salt;
543 pkb4->keys = talloc_array(io->ac,
544 struct package_PrimaryKerberosNewerKey,
547 ldb_oom(io->ac->module->ldb);
548 return LDB_ERR_OPERATIONS_ERROR;
551 pkb4->keys[0].keytype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
552 pkb4->keys[0].value = &io->g.aes_256;
553 pkb4->keys[1].keytype = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
554 pkb4->keys[1].value = &io->g.aes_128;
555 pkb4->keys[2].keytype = ENCTYPE_DES_CBC_MD5;
556 pkb4->keys[2].value = &io->g.des_md5;
557 pkb4->keys[3].keytype = ENCTYPE_DES_CBC_CRC;
558 pkb4->keys[3].value = &io->g.des_crc;
560 /* initialize the old keys to zero */
561 pkb4->num_old_keys1 = 0;
562 pkb4->old_keys1 = NULL;
563 pkb4->num_old_keys2 = 0;
564 pkb4->old_keys2 = NULL;
566 /* if there're no old keys, then we're done */
571 for (i=0; i < old_scb->sub.num_packages; i++) {
572 if (strcmp("Primary:Kerberos-Newer-Keys", old_scb->sub.packages[i].name) != 0) {
576 if (!old_scb->sub.packages[i].data || !old_scb->sub.packages[i].data[0]) {
580 old_scp = &old_scb->sub.packages[i];
583 /* Primary:Kerberos element of supplementalCredentials */
587 blob = strhex_to_data_blob(old_scp->data);
589 ldb_oom(io->ac->module->ldb);
590 return LDB_ERR_OPERATIONS_ERROR;
592 talloc_steal(io->ac, blob.data);
594 /* TODO: use ndr_pull_struct_blob_all(), when the ndr layer handles it correct with relative pointers */
595 ndr_err = ndr_pull_struct_blob(&blob, io->ac,
596 lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
598 (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosNewerBlob);
599 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
600 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
601 ldb_asprintf_errstring(io->ac->module->ldb,
602 "setup_primary_kerberos_newer: "
603 "failed to pull old package_PrimaryKerberosNewerBlob: %s",
605 return LDB_ERR_OPERATIONS_ERROR;
608 if (_old_pkb.version != 4) {
609 ldb_asprintf_errstring(io->ac->module->ldb,
610 "setup_primary_kerberos: "
611 "package_PrimaryKerberosNewerBlob version[%u] expected[4]",
613 return LDB_ERR_OPERATIONS_ERROR;
616 old_pkb4 = &_old_pkb.ctr.ctr4;
619 /* if we didn't found the old keys we're done */
624 /* fill in the old keys */
625 pkb4->num_old_keys1 = old_pkb4->num_keys;
626 pkb4->old_keys1 = old_pkb4->keys;
627 pkb4->num_old_keys2 = old_pkb4->num_old_keys1;
628 pkb4->old_keys2 = old_pkb4->old_keys1;
633 static int setup_primary_wdigest(struct setup_password_fields_io *io,
634 const struct supplementalCredentialsBlob *old_scb,
635 struct package_PrimaryWDigestBlob *pdb)
637 DATA_BLOB sAMAccountName;
638 DATA_BLOB sAMAccountName_l;
639 DATA_BLOB sAMAccountName_u;
640 const char *user_principal_name = io->u.user_principal_name;
641 DATA_BLOB userPrincipalName;
642 DATA_BLOB userPrincipalName_l;
643 DATA_BLOB userPrincipalName_u;
644 DATA_BLOB netbios_domain;
645 DATA_BLOB netbios_domain_l;
646 DATA_BLOB netbios_domain_u;
647 DATA_BLOB dns_domain;
648 DATA_BLOB dns_domain_l;
649 DATA_BLOB dns_domain_u;
662 * http://technet2.microsoft.com/WindowsServer/en/library/717b450c-f4a0-4cc9-86f4-cc0633aae5f91033.mspx?mfr=true
663 * for what precalculated hashes are supposed to be stored...
665 * I can't reproduce all values which should contain "Digest" as realm,
666 * am I doing something wrong or is w2k3 just broken...?
668 * W2K3 fills in following for a user:
670 * dn: CN=NewUser,OU=newtop,DC=sub1,DC=w2k3,DC=vmnet1,DC=vm,DC=base
671 * sAMAccountName: NewUser2Sam
672 * userPrincipalName: NewUser2Princ@sub1.w2k3.vmnet1.vm.base
674 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
675 * b7ec9da91062199aee7d121e6710fe23 => newuser2sam:sub1:TestPwd2007
676 * 17d290bc5c9f463fac54c37a8cea134d => NEWUSER2SAM:SUB1:TestPwd2007
677 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
678 * 5d57e7823938348127322e08cd81bcb5 => NewUser2Sam:sub1:TestPwd2007
679 * 07dd701bf8a011ece585de3d47237140 => NEWUSER2SAM:sub1:TestPwd2007
680 * e14fb0eb401498d2cb33c9aae1cc7f37 => newuser2sam:SUB1:TestPwd2007
681 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
682 * f52da1266a6bdd290ffd48b2c823dda7 => newuser2sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
683 * d2b42f171248cec37a3c5c6b55404062 => NEWUSER2SAM:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
684 * fff8d790ff6c152aaeb6ebe17b4021de => NewUser2Sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
685 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
686 * 2a7563c3715bc418d626dabef378c008 => NEWUSER2SAM:sub1.w2k3.vmnet1.vm.base:TestPwd2007
687 * c8e9557a87cd4200fda0c11d2fa03f96 => newuser2sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
688 * 221c55284451ae9b3aacaa2a3c86f10f => NewUser2Princ@sub1.w2k3.vmnet1.vm.base::TestPwd2007
689 * 74e1be668853d4324d38c07e2acfb8ea => (w2k3 has a bug here!) newuser2princ@sub1.w2k3.vmnet1.vm.base::TestPwd2007
690 * e1e244ab7f098e3ae1761be7f9229bbb => NEWUSER2PRINC@SUB1.W2K3.VMNET1.VM.BASE::TestPwd2007
691 * 86db637df42513039920e605499c3af6 => SUB1\NewUser2Sam::TestPwd2007
692 * f5e43474dfaf067fee8197a253debaa2 => sub1\newuser2sam::TestPwd2007
693 * 2ecaa8382e2518e4b77a52422b279467 => SUB1\NEWUSER2SAM::TestPwd2007
694 * 31dc704d3640335b2123d4ee28aa1f11 => ??? changes with NewUser2Sam => NewUser1Sam
695 * 36349f5cecd07320fb3bb0e119230c43 => ??? changes with NewUser2Sam => NewUser1Sam
696 * 12adf019d037fb535c01fd0608e78d9d => ??? changes with NewUser2Sam => NewUser1Sam
697 * 6feecf8e724906f3ee1105819c5105a1 => ??? changes with NewUser2Princ => NewUser1Princ
698 * 6c6911f3de6333422640221b9c51ff1f => ??? changes with NewUser2Princ => NewUser1Princ
699 * 4b279877e742895f9348ac67a8de2f69 => ??? changes with NewUser2Princ => NewUser1Princ
700 * db0c6bff069513e3ebb9870d29b57490 => ??? changes with NewUser2Sam => NewUser1Sam
701 * 45072621e56b1c113a4e04a8ff68cd0e => ??? changes with NewUser2Sam => NewUser1Sam
702 * 11d1220abc44a9c10cf91ef4a9c1de02 => ??? changes with NewUser2Sam => NewUser1Sam
704 * dn: CN=NewUser,OU=newtop,DC=sub1,DC=w2k3,DC=vmnet1,DC=vm,DC=base
705 * sAMAccountName: NewUser2Sam
707 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
708 * b7ec9da91062199aee7d121e6710fe23 => newuser2sam:sub1:TestPwd2007
709 * 17d290bc5c9f463fac54c37a8cea134d => NEWUSER2SAM:SUB1:TestPwd2007
710 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
711 * 5d57e7823938348127322e08cd81bcb5 => NewUser2Sam:sub1:TestPwd2007
712 * 07dd701bf8a011ece585de3d47237140 => NEWUSER2SAM:sub1:TestPwd2007
713 * e14fb0eb401498d2cb33c9aae1cc7f37 => newuser2sam:SUB1:TestPwd2007
714 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
715 * f52da1266a6bdd290ffd48b2c823dda7 => newuser2sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
716 * d2b42f171248cec37a3c5c6b55404062 => NEWUSER2SAM:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
717 * fff8d790ff6c152aaeb6ebe17b4021de => NewUser2Sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
718 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
719 * 2a7563c3715bc418d626dabef378c008 => NEWUSER2SAM:sub1.w2k3.vmnet1.vm.base:TestPwd2007
720 * c8e9557a87cd4200fda0c11d2fa03f96 => newuser2sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
721 * 8a140d30b6f0a5912735dc1e3bc993b4 => NewUser2Sam@sub1.w2k3.vmnet1.vm.base::TestPwd2007
722 * 86d95b2faae6cae4ec261e7fbaccf093 => (here w2k3 is correct) newuser2sam@sub1.w2k3.vmnet1.vm.base::TestPwd2007
723 * dfeff1493110220efcdfc6362e5f5450 => NEWUSER2SAM@SUB1.W2K3.VMNET1.VM.BASE::TestPwd2007
724 * 86db637df42513039920e605499c3af6 => SUB1\NewUser2Sam::TestPwd2007
725 * f5e43474dfaf067fee8197a253debaa2 => sub1\newuser2sam::TestPwd2007
726 * 2ecaa8382e2518e4b77a52422b279467 => SUB1\NEWUSER2SAM::TestPwd2007
727 * 31dc704d3640335b2123d4ee28aa1f11 => ???M1 changes with NewUser2Sam => NewUser1Sam
728 * 36349f5cecd07320fb3bb0e119230c43 => ???M1.L changes with newuser2sam => newuser1sam
729 * 12adf019d037fb535c01fd0608e78d9d => ???M1.U changes with NEWUSER2SAM => NEWUSER1SAM
730 * 569b4533f2d9e580211dd040e5e360a8 => ???M2 changes with NewUser2Princ => NewUser1Princ
731 * 52528bddf310a587c5d7e6a9ae2cbb20 => ???M2.L changes with newuser2princ => newuser1princ
732 * 4f629a4f0361289ca4255ab0f658fcd5 => ???M3 changes with NewUser2Princ => NewUser1Princ (doesn't depend on case of userPrincipal )
733 * db0c6bff069513e3ebb9870d29b57490 => ???M4 changes with NewUser2Sam => NewUser1Sam
734 * 45072621e56b1c113a4e04a8ff68cd0e => ???M5 changes with NewUser2Sam => NewUser1Sam (doesn't depend on case of sAMAccountName)
735 * 11d1220abc44a9c10cf91ef4a9c1de02 => ???M4.U changes with NEWUSER2SAM => NEWUSER1SAM
739 * sAMAccountName, netbios_domain
742 .user = &sAMAccountName,
743 .realm = &netbios_domain,
746 .user = &sAMAccountName_l,
747 .realm = &netbios_domain_l,
750 .user = &sAMAccountName_u,
751 .realm = &netbios_domain_u,
754 .user = &sAMAccountName,
755 .realm = &netbios_domain_u,
758 .user = &sAMAccountName,
759 .realm = &netbios_domain_l,
762 .user = &sAMAccountName_u,
763 .realm = &netbios_domain_l,
766 .user = &sAMAccountName_l,
767 .realm = &netbios_domain_u,
770 * sAMAccountName, dns_domain
773 .user = &sAMAccountName,
774 .realm = &dns_domain,
777 .user = &sAMAccountName_l,
778 .realm = &dns_domain_l,
781 .user = &sAMAccountName_u,
782 .realm = &dns_domain_u,
785 .user = &sAMAccountName,
786 .realm = &dns_domain_u,
789 .user = &sAMAccountName,
790 .realm = &dns_domain_l,
793 .user = &sAMAccountName_u,
794 .realm = &dns_domain_l,
797 .user = &sAMAccountName_l,
798 .realm = &dns_domain_u,
801 * userPrincipalName, no realm
804 .user = &userPrincipalName,
808 * NOTE: w2k3 messes this up, if the user has a real userPrincipalName,
809 * the fallback to the sAMAccountName based userPrincipalName is correct
811 .user = &userPrincipalName_l,
814 .user = &userPrincipalName_u,
817 * nt4dom\sAMAccountName, no realm
820 .user = &sAMAccountName,
821 .nt4dom = &netbios_domain
824 .user = &sAMAccountName_l,
825 .nt4dom = &netbios_domain_l
828 .user = &sAMAccountName_u,
829 .nt4dom = &netbios_domain_u
833 * the following ones are guessed depending on the technet2 article
834 * but not reproducable on a w2k3 server
836 /* sAMAccountName with "Digest" realm */
838 .user = &sAMAccountName,
842 .user = &sAMAccountName_l,
846 .user = &sAMAccountName_u,
849 /* userPrincipalName with "Digest" realm */
851 .user = &userPrincipalName,
855 .user = &userPrincipalName_l,
859 .user = &userPrincipalName_u,
862 /* nt4dom\\sAMAccountName with "Digest" realm */
864 .user = &sAMAccountName,
865 .nt4dom = &netbios_domain,
869 .user = &sAMAccountName_l,
870 .nt4dom = &netbios_domain_l,
874 .user = &sAMAccountName_u,
875 .nt4dom = &netbios_domain_u,
880 /* prepare DATA_BLOB's used in the combinations array */
881 sAMAccountName = data_blob_string_const(io->u.sAMAccountName);
882 sAMAccountName_l = data_blob_string_const(strlower_talloc(io->ac, io->u.sAMAccountName));
883 if (!sAMAccountName_l.data) {
884 ldb_oom(io->ac->module->ldb);
885 return LDB_ERR_OPERATIONS_ERROR;
887 sAMAccountName_u = data_blob_string_const(strupper_talloc(io->ac, io->u.sAMAccountName));
888 if (!sAMAccountName_u.data) {
889 ldb_oom(io->ac->module->ldb);
890 return LDB_ERR_OPERATIONS_ERROR;
893 /* if the user doesn't have a userPrincipalName, create one (with lower case realm) */
894 if (!user_principal_name) {
895 user_principal_name = talloc_asprintf(io->ac, "%s@%s",
896 io->u.sAMAccountName,
897 io->domain->dns_domain);
898 if (!user_principal_name) {
899 ldb_oom(io->ac->module->ldb);
900 return LDB_ERR_OPERATIONS_ERROR;
903 userPrincipalName = data_blob_string_const(user_principal_name);
904 userPrincipalName_l = data_blob_string_const(strlower_talloc(io->ac, user_principal_name));
905 if (!userPrincipalName_l.data) {
906 ldb_oom(io->ac->module->ldb);
907 return LDB_ERR_OPERATIONS_ERROR;
909 userPrincipalName_u = data_blob_string_const(strupper_talloc(io->ac, user_principal_name));
910 if (!userPrincipalName_u.data) {
911 ldb_oom(io->ac->module->ldb);
912 return LDB_ERR_OPERATIONS_ERROR;
915 netbios_domain = data_blob_string_const(io->domain->netbios_domain);
916 netbios_domain_l = data_blob_string_const(strlower_talloc(io->ac, io->domain->netbios_domain));
917 if (!netbios_domain_l.data) {
918 ldb_oom(io->ac->module->ldb);
919 return LDB_ERR_OPERATIONS_ERROR;
921 netbios_domain_u = data_blob_string_const(strupper_talloc(io->ac, io->domain->netbios_domain));
922 if (!netbios_domain_u.data) {
923 ldb_oom(io->ac->module->ldb);
924 return LDB_ERR_OPERATIONS_ERROR;
927 dns_domain = data_blob_string_const(io->domain->dns_domain);
928 dns_domain_l = data_blob_string_const(io->domain->dns_domain);
929 dns_domain_u = data_blob_string_const(io->domain->realm);
931 cleartext = data_blob_string_const(io->n.cleartext);
933 digest = data_blob_string_const("Digest");
935 delim = data_blob_string_const(":");
936 backslash = data_blob_string_const("\\");
938 pdb->num_hashes = ARRAY_SIZE(wdigest);
939 pdb->hashes = talloc_array(io->ac, struct package_PrimaryWDigestHash, pdb->num_hashes);
941 ldb_oom(io->ac->module->ldb);
942 return LDB_ERR_OPERATIONS_ERROR;
945 for (i=0; i < ARRAY_SIZE(wdigest); i++) {
946 struct MD5Context md5;
948 if (wdigest[i].nt4dom) {
949 MD5Update(&md5, wdigest[i].nt4dom->data, wdigest[i].nt4dom->length);
950 MD5Update(&md5, backslash.data, backslash.length);
952 MD5Update(&md5, wdigest[i].user->data, wdigest[i].user->length);
953 MD5Update(&md5, delim.data, delim.length);
954 if (wdigest[i].realm) {
955 MD5Update(&md5, wdigest[i].realm->data, wdigest[i].realm->length);
957 MD5Update(&md5, delim.data, delim.length);
958 MD5Update(&md5, cleartext.data, cleartext.length);
959 MD5Final(pdb->hashes[i].hash, &md5);
965 static int setup_supplemental_field(struct setup_password_fields_io *io)
967 struct supplementalCredentialsBlob scb;
968 struct supplementalCredentialsBlob _old_scb;
969 struct supplementalCredentialsBlob *old_scb = NULL;
970 /* Packages + (Kerberos-Newer-Keys, Kerberos, WDigest and CLEARTEXT) */
971 uint32_t num_names = 0;
972 const char *names[1+4];
973 uint32_t num_packages = 0;
974 struct supplementalCredentialsPackage packages[1+4];
976 struct supplementalCredentialsPackage *pp = NULL;
977 struct package_PackagesBlob pb;
980 /* Primary:Kerberos-Newer-Keys */
981 const char **nkn = NULL;
982 struct supplementalCredentialsPackage *pkn = NULL;
983 struct package_PrimaryKerberosNewerBlob pknb;
986 /* Primary:Kerberos */
987 const char **nk = NULL;
988 struct supplementalCredentialsPackage *pk = NULL;
989 struct package_PrimaryKerberosBlob pkb;
992 /* Primary:WDigest */
993 const char **nd = NULL;
994 struct supplementalCredentialsPackage *pd = NULL;
995 struct package_PrimaryWDigestBlob pdb;
998 /* Primary:CLEARTEXT */
999 const char **nc = NULL;
1000 struct supplementalCredentialsPackage *pc = NULL;
1001 struct package_PrimaryCLEARTEXTBlob pcb;
1005 enum ndr_err_code ndr_err;
1007 bool do_newer_keys = false;
1008 bool do_cleartext = false;
1010 ZERO_STRUCT(zero16);
1013 if (!io->n.cleartext) {
1015 * when we don't have a cleartext password
1016 * we can't setup a supplementalCredential value
1021 /* if there's an old supplementaCredentials blob then parse it */
1022 if (io->o.supplemental) {
1023 ndr_err = ndr_pull_struct_blob_all(io->o.supplemental, io->ac,
1024 lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
1026 (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
1027 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1028 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1029 ldb_asprintf_errstring(io->ac->module->ldb,
1030 "setup_supplemental_field: "
1031 "failed to pull old supplementalCredentialsBlob: %s",
1033 return LDB_ERR_OPERATIONS_ERROR;
1036 if (_old_scb.sub.signature == SUPPLEMENTAL_CREDENTIALS_SIGNATURE) {
1037 old_scb = &_old_scb;
1039 ldb_debug(io->ac->module->ldb, LDB_DEBUG_ERROR,
1040 "setup_supplemental_field: "
1041 "supplementalCredentialsBlob signature[0x%04X] expected[0x%04X]",
1042 _old_scb.sub.signature, SUPPLEMENTAL_CREDENTIALS_SIGNATURE);
1046 /* TODO: do the correct check for this, it maybe depends on the functional level? */
1047 do_newer_keys = lp_parm_bool(ldb_get_opaque(io->ac->module->ldb, "loadparm"),
1048 NULL, "password_hash", "create_aes_key", false);
1050 if (io->domain->store_cleartext &&
1051 (io->u.user_account_control & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
1052 do_cleartext = true;
1056 * The ordering is this
1058 * Primary:Kerberos-Newer-Keys (optional)
1061 * Primary:CLEARTEXT (optional)
1063 * And the 'Packages' package is insert before the last
1066 if (do_newer_keys) {
1067 /* Primary:Kerberos-Newer-Keys */
1068 nkn = &names[num_names++];
1069 pkn = &packages[num_packages++];
1072 /* Primary:Kerberos */
1073 nk = &names[num_names++];
1074 pk = &packages[num_packages++];
1076 if (!do_cleartext) {
1078 pp = &packages[num_packages++];
1081 /* Primary:WDigest */
1082 nd = &names[num_names++];
1083 pd = &packages[num_packages++];
1087 pp = &packages[num_packages++];
1089 /* Primary:CLEARTEXT */
1090 nc = &names[num_names++];
1091 pc = &packages[num_packages++];
1096 * setup 'Primary:Kerberos-Newer-Keys' element
1098 *nkn = "Kerberos-Newer-Keys";
1100 ret = setup_primary_kerberos_newer(io, old_scb, &pknb);
1101 if (ret != LDB_SUCCESS) {
1105 ndr_err = ndr_push_struct_blob(&pknb_blob, io->ac,
1106 lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
1108 (ndr_push_flags_fn_t)ndr_push_package_PrimaryKerberosNewerBlob);
1109 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1110 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1111 ldb_asprintf_errstring(io->ac->module->ldb,
1112 "setup_supplemental_field: "
1113 "failed to push package_PrimaryKerberosNeverBlob: %s",
1115 return LDB_ERR_OPERATIONS_ERROR;
1117 pknb_hexstr = data_blob_hex_string(io->ac, &pknb_blob);
1119 ldb_oom(io->ac->module->ldb);
1120 return LDB_ERR_OPERATIONS_ERROR;
1122 pkn->name = "Primary:Kerberos-Newer-Keys";
1124 pkn->data = pknb_hexstr;
1128 * setup 'Primary:Kerberos' element
1132 ret = setup_primary_kerberos(io, old_scb, &pkb);
1133 if (ret != LDB_SUCCESS) {
1137 ndr_err = ndr_push_struct_blob(&pkb_blob, io->ac,
1138 lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
1140 (ndr_push_flags_fn_t)ndr_push_package_PrimaryKerberosBlob);
1141 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1142 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1143 ldb_asprintf_errstring(io->ac->module->ldb,
1144 "setup_supplemental_field: "
1145 "failed to push package_PrimaryKerberosBlob: %s",
1147 return LDB_ERR_OPERATIONS_ERROR;
1149 pkb_hexstr = data_blob_hex_string(io->ac, &pkb_blob);
1151 ldb_oom(io->ac->module->ldb);
1152 return LDB_ERR_OPERATIONS_ERROR;
1154 pk->name = "Primary:Kerberos";
1156 pk->data = pkb_hexstr;
1159 * setup 'Primary:WDigest' element
1163 ret = setup_primary_wdigest(io, old_scb, &pdb);
1164 if (ret != LDB_SUCCESS) {
1168 ndr_err = ndr_push_struct_blob(&pdb_blob, io->ac,
1169 lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
1171 (ndr_push_flags_fn_t)ndr_push_package_PrimaryWDigestBlob);
1172 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1173 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1174 ldb_asprintf_errstring(io->ac->module->ldb,
1175 "setup_supplemental_field: "
1176 "failed to push package_PrimaryWDigestBlob: %s",
1178 return LDB_ERR_OPERATIONS_ERROR;
1180 pdb_hexstr = data_blob_hex_string(io->ac, &pdb_blob);
1182 ldb_oom(io->ac->module->ldb);
1183 return LDB_ERR_OPERATIONS_ERROR;
1185 pd->name = "Primary:WDigest";
1187 pd->data = pdb_hexstr;
1190 * setup 'Primary:CLEARTEXT' element
1195 pcb.cleartext = io->n.cleartext;
1197 ndr_err = ndr_push_struct_blob(&pcb_blob, io->ac,
1198 lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
1200 (ndr_push_flags_fn_t)ndr_push_package_PrimaryCLEARTEXTBlob);
1201 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1202 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1203 ldb_asprintf_errstring(io->ac->module->ldb,
1204 "setup_supplemental_field: "
1205 "failed to push package_PrimaryCLEARTEXTBlob: %s",
1207 return LDB_ERR_OPERATIONS_ERROR;
1209 pcb_hexstr = data_blob_hex_string(io->ac, &pcb_blob);
1211 ldb_oom(io->ac->module->ldb);
1212 return LDB_ERR_OPERATIONS_ERROR;
1214 pc->name = "Primary:CLEARTEXT";
1216 pc->data = pcb_hexstr;
1220 * setup 'Packages' element
1223 ndr_err = ndr_push_struct_blob(&pb_blob, io->ac,
1224 lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
1226 (ndr_push_flags_fn_t)ndr_push_package_PackagesBlob);
1227 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1228 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1229 ldb_asprintf_errstring(io->ac->module->ldb,
1230 "setup_supplemental_field: "
1231 "failed to push package_PackagesBlob: %s",
1233 return LDB_ERR_OPERATIONS_ERROR;
1235 pb_hexstr = data_blob_hex_string(io->ac, &pb_blob);
1237 ldb_oom(io->ac->module->ldb);
1238 return LDB_ERR_OPERATIONS_ERROR;
1240 pp->name = "Packages";
1242 pp->data = pb_hexstr;
1245 * setup 'supplementalCredentials' value
1248 scb.sub.num_packages = num_packages;
1249 scb.sub.packages = packages;
1251 ndr_err = ndr_push_struct_blob(&io->g.supplemental, io->ac,
1252 lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
1254 (ndr_push_flags_fn_t)ndr_push_supplementalCredentialsBlob);
1255 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1256 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1257 ldb_asprintf_errstring(io->ac->module->ldb,
1258 "setup_supplemental_field: "
1259 "failed to push supplementalCredentialsBlob: %s",
1261 return LDB_ERR_OPERATIONS_ERROR;
1267 static int setup_last_set_field(struct setup_password_fields_io *io)
1270 unix_to_nt_time(&io->g.last_set, time(NULL));
1275 static int setup_kvno_field(struct setup_password_fields_io *io)
1277 /* increment by one */
1278 io->g.kvno = io->o.kvno + 1;
1283 static int setup_password_fields(struct setup_password_fields_io *io)
1289 * refuse the change if someone want to change the cleartext
1290 * and supply his own hashes at the same time...
1292 if (io->n.cleartext && (io->n.nt_hash || io->n.lm_hash)) {
1293 ldb_asprintf_errstring(io->ac->module->ldb,
1294 "setup_password_fields: "
1295 "it's only allowed to set the cleartext password or the password hashes");
1296 return LDB_ERR_UNWILLING_TO_PERFORM;
1299 if (io->n.cleartext) {
1300 struct samr_Password *hash;
1302 hash = talloc(io->ac, struct samr_Password);
1304 ldb_oom(io->ac->module->ldb);
1305 return LDB_ERR_OPERATIONS_ERROR;
1308 /* compute the new nt hash */
1309 ok = E_md4hash(io->n.cleartext, hash->hash);
1311 io->n.nt_hash = hash;
1313 ldb_asprintf_errstring(io->ac->module->ldb,
1314 "setup_password_fields: "
1315 "failed to generate nthash from cleartext password");
1316 return LDB_ERR_OPERATIONS_ERROR;
1320 if (io->n.cleartext) {
1321 struct samr_Password *hash;
1323 hash = talloc(io->ac, struct samr_Password);
1325 ldb_oom(io->ac->module->ldb);
1326 return LDB_ERR_OPERATIONS_ERROR;
1329 /* compute the new lm hash */
1330 ok = E_deshash(io->n.cleartext, hash->hash);
1332 io->n.lm_hash = hash;
1334 talloc_free(hash->hash);
1338 if (io->n.cleartext) {
1339 ret = setup_kerberos_keys(io);
1345 ret = setup_nt_fields(io);
1350 ret = setup_lm_fields(io);
1355 ret = setup_supplemental_field(io);
1360 ret = setup_last_set_field(io);
1365 ret = setup_kvno_field(io);
1373 static struct ldb_handle *ph_init_handle(struct ldb_request *req, struct ldb_module *module, enum ph_type type)
1375 struct ph_context *ac;
1376 struct ldb_handle *h;
1378 h = talloc_zero(req, struct ldb_handle);
1380 ldb_set_errstring(module->ldb, "Out of Memory");
1386 ac = talloc_zero(h, struct ph_context);
1388 ldb_set_errstring(module->ldb, "Out of Memory");
1393 h->private_data = (void *)ac;
1395 h->state = LDB_ASYNC_INIT;
1396 h->status = LDB_SUCCESS;
1399 ac->module = module;
1405 static int get_domain_data_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
1407 struct ph_context *ac;
1409 ac = talloc_get_type(context, struct ph_context);
1411 /* we are interested only in the single reply (base search) we receive here */
1412 if (ares->type == LDB_REPLY_ENTRY) {
1413 if (ac->dom_res != NULL) {
1414 ldb_set_errstring(ldb, "Too many results");
1416 return LDB_ERR_OPERATIONS_ERROR;
1418 ac->dom_res = talloc_steal(ac, ares);
1426 static int build_domain_data_request(struct ph_context *ac)
1428 /* attrs[] is returned from this function in
1429 ac->dom_req->op.search.attrs, so it must be static, as
1430 otherwise the compiler can put it on the stack */
1431 static const char * const attrs[] = { "pwdProperties", "pwdHistoryLength", NULL };
1434 ac->dom_req = talloc_zero(ac, struct ldb_request);
1435 if (ac->dom_req == NULL) {
1436 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
1437 return LDB_ERR_OPERATIONS_ERROR;
1439 ac->dom_req->operation = LDB_SEARCH;
1440 ac->dom_req->op.search.base = ldb_get_default_basedn(ac->module->ldb);
1441 ac->dom_req->op.search.scope = LDB_SCOPE_SUBTREE;
1443 filter = talloc_asprintf(ac->dom_req,
1444 "(&(objectSid=%s)(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain)))",
1445 ldap_encode_ndr_dom_sid(ac->dom_req, ac->domain_sid));
1446 if (filter == NULL) {
1447 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
1448 talloc_free(ac->dom_req);
1449 return LDB_ERR_OPERATIONS_ERROR;
1452 ac->dom_req->op.search.tree = ldb_parse_tree(ac->dom_req, filter);
1453 if (ac->dom_req->op.search.tree == NULL) {
1454 ldb_set_errstring(ac->module->ldb, "Invalid search filter");
1455 talloc_free(ac->dom_req);
1456 return LDB_ERR_OPERATIONS_ERROR;
1458 ac->dom_req->op.search.attrs = attrs;
1459 ac->dom_req->controls = NULL;
1460 ac->dom_req->context = ac;
1461 ac->dom_req->callback = get_domain_data_callback;
1462 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->dom_req);
1467 static struct domain_data *get_domain_data(struct ldb_module *module, void *ctx, struct ldb_reply *res)
1469 struct domain_data *data;
1471 struct ph_context *ac;
1474 ac = talloc_get_type(ctx, struct ph_context);
1476 data = talloc_zero(ac, struct domain_data);
1482 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Could not find this user's domain: %s!\n", dom_sid_string(data, ac->domain_sid));
1487 data->pwdProperties= samdb_result_uint(res->message, "pwdProperties", 0);
1488 data->store_cleartext = data->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT;
1489 data->pwdHistoryLength = samdb_result_uint(res->message, "pwdHistoryLength", 0);
1491 /* For a domain DN, this puts things in dotted notation */
1492 /* For builtin domains, this will give details for the host,
1493 * but that doesn't really matter, as it's just used for salt
1494 * and kerberos principals, which don't exist here */
1496 tmp = ldb_dn_canonical_string(ctx, res->message->dn);
1501 /* But it puts a trailing (or just before 'builtin') / on things, so kill that */
1502 p = strchr(tmp, '/');
1508 data->dns_domain = strlower_talloc(data, tmp);
1509 if (data->dns_domain == NULL) {
1510 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
1513 data->realm = strupper_talloc(data, tmp);
1514 if (data->realm == NULL) {
1515 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
1518 p = strchr(tmp, '.');
1522 data->netbios_domain = strupper_talloc(data, tmp);
1523 if (data->netbios_domain == NULL) {
1524 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
1532 static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
1534 struct ldb_handle *h;
1535 struct ph_context *ac;
1536 struct ldb_message_element *sambaAttr;
1537 struct ldb_message_element *ntAttr;
1538 struct ldb_message_element *lmAttr;
1541 ldb_debug(module->ldb, LDB_DEBUG_TRACE, "password_hash_add\n");
1543 if (ldb_dn_is_special(req->op.add.message->dn)) { /* do not manipulate our control entries */
1544 return ldb_next_request(module, req);
1547 /* If the caller is manipulating the local passwords directly, let them pass */
1548 if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
1549 req->op.add.message->dn) == 0) {
1550 return ldb_next_request(module, req);
1553 /* nobody must touch this fields */
1554 if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory")) {
1555 return LDB_ERR_UNWILLING_TO_PERFORM;
1557 if (ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) {
1558 return LDB_ERR_UNWILLING_TO_PERFORM;
1560 if (ldb_msg_find_element(req->op.add.message, "supplementalCredentials")) {
1561 return LDB_ERR_UNWILLING_TO_PERFORM;
1564 /* If no part of this ADD touches the userPassword, or the NT
1565 * or LM hashes, then we don't need to make any changes. */
1567 sambaAttr = ldb_msg_find_element(req->op.mod.message, "userPassword");
1568 ntAttr = ldb_msg_find_element(req->op.mod.message, "unicodePwd");
1569 lmAttr = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
1571 if ((!sambaAttr) && (!ntAttr) && (!lmAttr)) {
1572 return ldb_next_request(module, req);
1575 /* if it is not an entry of type person its an error */
1576 /* TODO: remove this when userPassword will be in schema */
1577 if (!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "person")) {
1578 ldb_set_errstring(module->ldb, "Cannot set a password on entry that does not have objectClass 'person'");
1579 return LDB_ERR_OBJECT_CLASS_VIOLATION;
1582 /* check userPassword is single valued here */
1583 /* TODO: remove this when userPassword will be single valued in schema */
1584 if (sambaAttr && sambaAttr->num_values > 1) {
1585 ldb_set_errstring(module->ldb, "mupltiple values for userPassword not allowed!\n");
1586 return LDB_ERR_CONSTRAINT_VIOLATION;
1589 if (ntAttr && (ntAttr->num_values > 1)) {
1590 ldb_set_errstring(module->ldb, "mupltiple values for unicodePwd not allowed!\n");
1591 return LDB_ERR_CONSTRAINT_VIOLATION;
1593 if (lmAttr && (lmAttr->num_values > 1)) {
1594 ldb_set_errstring(module->ldb, "mupltiple values for dBCSPwd not allowed!\n");
1595 return LDB_ERR_CONSTRAINT_VIOLATION;
1598 if (sambaAttr && sambaAttr->num_values == 0) {
1599 ldb_set_errstring(module->ldb, "userPassword must have a value!\n");
1600 return LDB_ERR_CONSTRAINT_VIOLATION;
1603 if (ntAttr && (ntAttr->num_values == 0)) {
1604 ldb_set_errstring(module->ldb, "unicodePwd must have a value!\n");
1605 return LDB_ERR_CONSTRAINT_VIOLATION;
1607 if (lmAttr && (lmAttr->num_values == 0)) {
1608 ldb_set_errstring(module->ldb, "dBCSPwd must have a value!\n");
1609 return LDB_ERR_CONSTRAINT_VIOLATION;
1612 h = ph_init_handle(req, module, PH_ADD);
1614 return LDB_ERR_OPERATIONS_ERROR;
1616 ac = talloc_get_type(h->private_data, struct ph_context);
1618 /* get user domain data */
1619 ac->domain_sid = samdb_result_sid_prefix(ac, req->op.add.message, "objectSid");
1620 if (ac->domain_sid == NULL) {
1621 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "can't handle entry with missing objectSid!\n");
1622 return LDB_ERR_OPERATIONS_ERROR;
1625 ret = build_domain_data_request(ac);
1626 if (ret != LDB_SUCCESS) {
1630 ac->step = PH_ADD_SEARCH_DOM;
1634 return ldb_next_request(module, ac->dom_req);
1637 static int password_hash_add_do_add(struct ldb_handle *h) {
1639 struct ph_context *ac;
1640 struct domain_data *domain;
1641 struct smb_krb5_context *smb_krb5_context;
1642 struct ldb_message *msg;
1643 struct setup_password_fields_io io;
1646 ac = talloc_get_type(h->private_data, struct ph_context);
1648 domain = get_domain_data(ac->module, ac, ac->dom_res);
1649 if (domain == NULL) {
1650 return LDB_ERR_OPERATIONS_ERROR;
1653 ac->down_req = talloc(ac, struct ldb_request);
1654 if (ac->down_req == NULL) {
1655 return LDB_ERR_OPERATIONS_ERROR;
1658 *(ac->down_req) = *(ac->orig_req);
1659 ac->down_req->op.add.message = msg = ldb_msg_copy_shallow(ac->down_req, ac->orig_req->op.add.message);
1660 if (ac->down_req->op.add.message == NULL) {
1661 return LDB_ERR_OPERATIONS_ERROR;
1664 /* Some operations below require kerberos contexts */
1665 if (smb_krb5_init_context(ac->down_req,
1666 ldb_get_opaque(h->module->ldb, "EventContext"),
1667 (struct loadparm_context *)ldb_get_opaque(h->module->ldb, "loadparm"),
1668 &smb_krb5_context) != 0) {
1669 return LDB_ERR_OPERATIONS_ERROR;
1675 io.smb_krb5_context = smb_krb5_context;
1677 io.u.user_account_control = samdb_result_uint(msg, "userAccountControl", 0);
1678 io.u.sAMAccountName = samdb_result_string(msg, "samAccountName", NULL);
1679 io.u.user_principal_name = samdb_result_string(msg, "userPrincipalName", NULL);
1680 io.u.is_computer = ldb_msg_check_string_attribute(msg, "objectClass", "computer");
1682 io.n.cleartext = samdb_result_string(msg, "userPassword", NULL);
1683 io.n.nt_hash = samdb_result_hash(io.ac, msg, "unicodePwd");
1684 io.n.lm_hash = samdb_result_hash(io.ac, msg, "dBCSPwd");
1686 /* remove attributes */
1687 if (io.n.cleartext) ldb_msg_remove_attr(msg, "userPassword");
1688 if (io.n.nt_hash) ldb_msg_remove_attr(msg, "unicodePwd");
1689 if (io.n.lm_hash) ldb_msg_remove_attr(msg, "dBCSPwd");
1690 ldb_msg_remove_attr(msg, "pwdLastSet");
1691 io.o.kvno = samdb_result_uint(msg, "msDs-KeyVersionNumber", 1) - 1;
1692 ldb_msg_remove_attr(msg, "msDs-KeyVersionNumber");
1694 ret = setup_password_fields(&io);
1695 if (ret != LDB_SUCCESS) {
1700 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
1701 "unicodePwd", io.g.nt_hash);
1702 if (ret != LDB_SUCCESS) {
1707 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
1708 "dBCSPwd", io.g.lm_hash);
1709 if (ret != LDB_SUCCESS) {
1713 if (io.g.nt_history_len > 0) {
1714 ret = samdb_msg_add_hashes(ac, msg,
1717 io.g.nt_history_len);
1718 if (ret != LDB_SUCCESS) {
1722 if (io.g.lm_history_len > 0) {
1723 ret = samdb_msg_add_hashes(ac, msg,
1726 io.g.lm_history_len);
1727 if (ret != LDB_SUCCESS) {
1731 if (io.g.supplemental.length > 0) {
1732 ret = ldb_msg_add_value(msg, "supplementalCredentials",
1733 &io.g.supplemental, NULL);
1734 if (ret != LDB_SUCCESS) {
1738 ret = samdb_msg_add_uint64(ac->module->ldb, ac, msg,
1741 if (ret != LDB_SUCCESS) {
1744 ret = samdb_msg_add_uint(ac->module->ldb, ac, msg,
1745 "msDs-KeyVersionNumber",
1747 if (ret != LDB_SUCCESS) {
1751 h->state = LDB_ASYNC_INIT;
1752 h->status = LDB_SUCCESS;
1754 ac->step = PH_ADD_DO_ADD;
1756 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->down_req);
1758 /* perform the operation */
1759 return ldb_next_request(ac->module, ac->down_req);
1762 static int password_hash_mod_search_self(struct ldb_handle *h);
1764 static int password_hash_modify(struct ldb_module *module, struct ldb_request *req)
1766 struct ldb_handle *h;
1767 struct ph_context *ac;
1768 struct ldb_message_element *sambaAttr;
1769 struct ldb_message_element *ntAttr;
1770 struct ldb_message_element *lmAttr;
1771 struct ldb_message *msg;
1773 ldb_debug(module->ldb, LDB_DEBUG_TRACE, "password_hash_modify\n");
1775 if (ldb_dn_is_special(req->op.mod.message->dn)) { /* do not manipulate our control entries */
1776 return ldb_next_request(module, req);
1779 /* If the caller is manipulating the local passwords directly, let them pass */
1780 if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
1781 req->op.mod.message->dn) == 0) {
1782 return ldb_next_request(module, req);
1785 /* nobody must touch password Histories */
1786 if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory")) {
1787 return LDB_ERR_UNWILLING_TO_PERFORM;
1789 if (ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) {
1790 return LDB_ERR_UNWILLING_TO_PERFORM;
1792 if (ldb_msg_find_element(req->op.add.message, "supplementalCredentials")) {
1793 return LDB_ERR_UNWILLING_TO_PERFORM;
1796 sambaAttr = ldb_msg_find_element(req->op.mod.message, "userPassword");
1797 ntAttr = ldb_msg_find_element(req->op.mod.message, "unicodePwd");
1798 lmAttr = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
1800 /* If no part of this touches the userPassword OR unicodePwd and/or dBCSPwd, then we don't
1801 * need to make any changes. For password changes/set there should
1802 * be a 'delete' or a 'modify' on this attribute. */
1803 if ((!sambaAttr) && (!ntAttr) && (!lmAttr)) {
1804 return ldb_next_request(module, req);
1807 /* check passwords are single valued here */
1808 /* TODO: remove this when passwords will be single valued in schema */
1809 if (sambaAttr && (sambaAttr->num_values > 1)) {
1810 return LDB_ERR_CONSTRAINT_VIOLATION;
1812 if (ntAttr && (ntAttr->num_values > 1)) {
1813 return LDB_ERR_CONSTRAINT_VIOLATION;
1815 if (lmAttr && (lmAttr->num_values > 1)) {
1816 return LDB_ERR_CONSTRAINT_VIOLATION;
1819 h = ph_init_handle(req, module, PH_MOD);
1821 return LDB_ERR_OPERATIONS_ERROR;
1823 ac = talloc_get_type(h->private_data, struct ph_context);
1825 /* return or own handle to deal with this call */
1828 /* prepare the first operation */
1829 ac->down_req = talloc_zero(ac, struct ldb_request);
1830 if (ac->down_req == NULL) {
1831 ldb_set_errstring(module->ldb, "Out of memory!");
1832 return LDB_ERR_OPERATIONS_ERROR;
1835 *(ac->down_req) = *req; /* copy the request */
1837 /* use a new message structure so that we can modify it */
1838 ac->down_req->op.mod.message = msg = ldb_msg_copy_shallow(ac->down_req, req->op.mod.message);
1840 /* - remove any imodification to the password from the first commit
1841 * we will make the real modification later */
1842 if (sambaAttr) ldb_msg_remove_attr(msg, "userPassword");
1843 if (ntAttr) ldb_msg_remove_attr(msg, "unicodePwd");
1844 if (lmAttr) ldb_msg_remove_attr(msg, "dBCSPwd");
1846 /* if there was nothing else to be modify skip to next step */
1847 if (msg->num_elements == 0) {
1848 talloc_free(ac->down_req);
1849 ac->down_req = NULL;
1850 return password_hash_mod_search_self(h);
1853 ac->down_req->context = NULL;
1854 ac->down_req->callback = NULL;
1856 ac->step = PH_MOD_DO_REQ;
1858 ldb_set_timeout_from_prev_req(module->ldb, req, ac->down_req);
1860 return ldb_next_request(module, ac->down_req);
1863 static int get_self_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
1865 struct ph_context *ac;
1867 ac = talloc_get_type(context, struct ph_context);
1869 /* we are interested only in the single reply (base search) we receive here */
1870 if (ares->type == LDB_REPLY_ENTRY) {
1871 if (ac->search_res != NULL) {
1872 ldb_set_errstring(ldb, "Too many results");
1874 return LDB_ERR_OPERATIONS_ERROR;
1877 /* if it is not an entry of type person this is an error */
1878 /* TODO: remove this when userPassword will be in schema */
1879 if (!ldb_msg_check_string_attribute(ares->message, "objectClass", "person")) {
1880 ldb_set_errstring(ldb, "Object class violation");
1882 return LDB_ERR_OBJECT_CLASS_VIOLATION;
1885 ac->search_res = talloc_steal(ac, ares);
1893 static int password_hash_mod_search_self(struct ldb_handle *h) {
1895 struct ph_context *ac;
1896 static const char * const attrs[] = { "userAccountControl", "lmPwdHistory",
1898 "objectSid", "msDS-KeyVersionNumber",
1899 "objectClass", "userPrincipalName",
1901 "dBCSPwd", "unicodePwd",
1902 "supplementalCredentials",
1905 ac = talloc_get_type(h->private_data, struct ph_context);
1907 /* prepare the search operation */
1908 ac->search_req = talloc_zero(ac, struct ldb_request);
1909 if (ac->search_req == NULL) {
1910 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
1911 return LDB_ERR_OPERATIONS_ERROR;
1914 ac->search_req->operation = LDB_SEARCH;
1915 ac->search_req->op.search.base = ac->orig_req->op.mod.message->dn;
1916 ac->search_req->op.search.scope = LDB_SCOPE_BASE;
1917 ac->search_req->op.search.tree = ldb_parse_tree(ac->search_req, NULL);
1918 if (ac->search_req->op.search.tree == NULL) {
1919 ldb_set_errstring(ac->module->ldb, "Invalid search filter");
1920 return LDB_ERR_OPERATIONS_ERROR;
1922 ac->search_req->op.search.attrs = attrs;
1923 ac->search_req->controls = NULL;
1924 ac->search_req->context = ac;
1925 ac->search_req->callback = get_self_callback;
1926 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->search_req);
1928 ac->step = PH_MOD_SEARCH_SELF;
1930 return ldb_next_request(ac->module, ac->search_req);
1933 static int password_hash_mod_search_dom(struct ldb_handle *h) {
1935 struct ph_context *ac;
1938 ac = talloc_get_type(h->private_data, struct ph_context);
1940 /* get object domain sid */
1941 ac->domain_sid = samdb_result_sid_prefix(ac, ac->search_res->message, "objectSid");
1942 if (ac->domain_sid == NULL) {
1943 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "can't handle entry with missing objectSid!\n");
1944 return LDB_ERR_OPERATIONS_ERROR;
1947 /* get user domain data */
1948 ret = build_domain_data_request(ac);
1949 if (ret != LDB_SUCCESS) {
1953 ac->step = PH_MOD_SEARCH_DOM;
1955 return ldb_next_request(ac->module, ac->dom_req);
1958 static int password_hash_mod_do_mod(struct ldb_handle *h) {
1960 struct ph_context *ac;
1961 struct domain_data *domain;
1962 struct smb_krb5_context *smb_krb5_context;
1963 struct ldb_message *msg;
1964 struct ldb_message *orig_msg;
1965 struct ldb_message *searched_msg;
1966 struct setup_password_fields_io io;
1969 ac = talloc_get_type(h->private_data, struct ph_context);
1971 domain = get_domain_data(ac->module, ac, ac->dom_res);
1972 if (domain == NULL) {
1973 return LDB_ERR_OPERATIONS_ERROR;
1976 ac->mod_req = talloc(ac, struct ldb_request);
1977 if (ac->mod_req == NULL) {
1978 return LDB_ERR_OPERATIONS_ERROR;
1981 *(ac->mod_req) = *(ac->orig_req);
1983 /* use a new message structure so that we can modify it */
1984 ac->mod_req->op.mod.message = msg = ldb_msg_new(ac->mod_req);
1986 return LDB_ERR_OPERATIONS_ERROR;
1990 msg->dn = ac->orig_req->op.mod.message->dn;
1992 /* Some operations below require kerberos contexts */
1993 if (smb_krb5_init_context(ac->mod_req,
1994 ldb_get_opaque(h->module->ldb, "EventContext"),
1995 (struct loadparm_context *)ldb_get_opaque(h->module->ldb, "loadparm"),
1996 &smb_krb5_context) != 0) {
1997 return LDB_ERR_OPERATIONS_ERROR;
2000 orig_msg = discard_const(ac->orig_req->op.mod.message);
2001 searched_msg = ac->search_res->message;
2006 io.smb_krb5_context = smb_krb5_context;
2008 io.u.user_account_control = samdb_result_uint(searched_msg, "userAccountControl", 0);
2009 io.u.sAMAccountName = samdb_result_string(searched_msg, "samAccountName", NULL);
2010 io.u.user_principal_name = samdb_result_string(searched_msg, "userPrincipalName", NULL);
2011 io.u.is_computer = ldb_msg_check_string_attribute(searched_msg, "objectClass", "computer");
2013 io.n.cleartext = samdb_result_string(orig_msg, "userPassword", NULL);
2014 io.n.nt_hash = samdb_result_hash(io.ac, orig_msg, "unicodePwd");
2015 io.n.lm_hash = samdb_result_hash(io.ac, orig_msg, "dBCSPwd");
2017 io.o.kvno = samdb_result_uint(searched_msg, "msDs-KeyVersionNumber", 0);
2018 io.o.nt_history_len = samdb_result_hashes(io.ac, searched_msg, "ntPwdHistory", &io.o.nt_history);
2019 io.o.lm_history_len = samdb_result_hashes(io.ac, searched_msg, "lmPwdHistory", &io.o.lm_history);
2020 io.o.supplemental = ldb_msg_find_ldb_val(searched_msg, "supplementalCredentials");
2022 ret = setup_password_fields(&io);
2023 if (ret != LDB_SUCCESS) {
2027 /* make sure we replace all the old attributes */
2028 ret = ldb_msg_add_empty(msg, "unicodePwd", LDB_FLAG_MOD_REPLACE, NULL);
2029 ret = ldb_msg_add_empty(msg, "dBCSPwd", LDB_FLAG_MOD_REPLACE, NULL);
2030 ret = ldb_msg_add_empty(msg, "ntPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
2031 ret = ldb_msg_add_empty(msg, "lmPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
2032 ret = ldb_msg_add_empty(msg, "supplementalCredentials", LDB_FLAG_MOD_REPLACE, NULL);
2033 ret = ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE, NULL);
2034 ret = ldb_msg_add_empty(msg, "msDs-KeyVersionNumber", LDB_FLAG_MOD_REPLACE, NULL);
2037 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
2038 "unicodePwd", io.g.nt_hash);
2039 if (ret != LDB_SUCCESS) {
2044 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
2045 "dBCSPwd", io.g.lm_hash);
2046 if (ret != LDB_SUCCESS) {
2050 if (io.g.nt_history_len > 0) {
2051 ret = samdb_msg_add_hashes(ac, msg,
2054 io.g.nt_history_len);
2055 if (ret != LDB_SUCCESS) {
2059 if (io.g.lm_history_len > 0) {
2060 ret = samdb_msg_add_hashes(ac, msg,
2063 io.g.lm_history_len);
2064 if (ret != LDB_SUCCESS) {
2068 if (io.g.supplemental.length > 0) {
2069 ret = ldb_msg_add_value(msg, "supplementalCredentials",
2070 &io.g.supplemental, NULL);
2071 if (ret != LDB_SUCCESS) {
2075 ret = samdb_msg_add_uint64(ac->module->ldb, ac, msg,
2078 if (ret != LDB_SUCCESS) {
2081 ret = samdb_msg_add_uint(ac->module->ldb, ac, msg,
2082 "msDs-KeyVersionNumber",
2084 if (ret != LDB_SUCCESS) {
2088 h->state = LDB_ASYNC_INIT;
2089 h->status = LDB_SUCCESS;
2091 ac->step = PH_MOD_DO_MOD;
2093 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->mod_req);
2095 /* perform the search */
2096 return ldb_next_request(ac->module, ac->mod_req);
2099 static int ph_wait(struct ldb_handle *handle) {
2100 struct ph_context *ac;
2103 if (!handle || !handle->private_data) {
2104 return LDB_ERR_OPERATIONS_ERROR;
2107 if (handle->state == LDB_ASYNC_DONE) {
2108 return handle->status;
2111 handle->state = LDB_ASYNC_PENDING;
2112 handle->status = LDB_SUCCESS;
2114 ac = talloc_get_type(handle->private_data, struct ph_context);
2117 case PH_ADD_SEARCH_DOM:
2118 ret = ldb_wait(ac->dom_req->handle, LDB_WAIT_NONE);
2120 if (ret != LDB_SUCCESS) {
2121 handle->status = ret;
2124 if (ac->dom_req->handle->status != LDB_SUCCESS) {
2125 handle->status = ac->dom_req->handle->status;
2129 if (ac->dom_req->handle->state != LDB_ASYNC_DONE) {
2133 /* domain search done, go on */
2134 return password_hash_add_do_add(handle);
2137 ret = ldb_wait(ac->down_req->handle, LDB_WAIT_NONE);
2139 if (ret != LDB_SUCCESS) {
2140 handle->status = ret;
2143 if (ac->down_req->handle->status != LDB_SUCCESS) {
2144 handle->status = ac->down_req->handle->status;
2148 if (ac->down_req->handle->state != LDB_ASYNC_DONE) {
2155 ret = ldb_wait(ac->down_req->handle, LDB_WAIT_NONE);
2157 if (ret != LDB_SUCCESS) {
2158 handle->status = ret;
2161 if (ac->down_req->handle->status != LDB_SUCCESS) {
2162 handle->status = ac->down_req->handle->status;
2166 if (ac->down_req->handle->state != LDB_ASYNC_DONE) {
2170 /* non-password mods done, go on */
2171 return password_hash_mod_search_self(handle);
2173 case PH_MOD_SEARCH_SELF:
2174 ret = ldb_wait(ac->search_req->handle, LDB_WAIT_NONE);
2176 if (ret != LDB_SUCCESS) {
2177 handle->status = ret;
2180 if (ac->search_req->handle->status != LDB_SUCCESS) {
2181 handle->status = ac->search_req->handle->status;
2185 if (ac->search_req->handle->state != LDB_ASYNC_DONE) {
2189 if (ac->search_res == NULL) {
2190 return LDB_ERR_NO_SUCH_OBJECT;
2193 /* self search done, go on */
2194 return password_hash_mod_search_dom(handle);
2196 case PH_MOD_SEARCH_DOM:
2197 ret = ldb_wait(ac->dom_req->handle, LDB_WAIT_NONE);
2199 if (ret != LDB_SUCCESS) {
2200 handle->status = ret;
2203 if (ac->dom_req->handle->status != LDB_SUCCESS) {
2204 handle->status = ac->dom_req->handle->status;
2208 if (ac->dom_req->handle->state != LDB_ASYNC_DONE) {
2212 /* domain search done, go on */
2213 return password_hash_mod_do_mod(handle);
2216 ret = ldb_wait(ac->mod_req->handle, LDB_WAIT_NONE);
2218 if (ret != LDB_SUCCESS) {
2219 handle->status = ret;
2222 if (ac->mod_req->handle->status != LDB_SUCCESS) {
2223 handle->status = ac->mod_req->handle->status;
2227 if (ac->mod_req->handle->state != LDB_ASYNC_DONE) {
2234 ret = LDB_ERR_OPERATIONS_ERROR;
2241 handle->state = LDB_ASYNC_DONE;
2245 static int ph_wait_all(struct ldb_handle *handle) {
2249 while (handle->state != LDB_ASYNC_DONE) {
2250 ret = ph_wait(handle);
2251 if (ret != LDB_SUCCESS) {
2256 return handle->status;
2259 static int password_hash_wait(struct ldb_handle *handle, enum ldb_wait_type type)
2261 if (type == LDB_WAIT_ALL) {
2262 return ph_wait_all(handle);
2264 return ph_wait(handle);
2268 _PUBLIC_ const struct ldb_module_ops ldb_password_hash_module_ops = {
2269 .name = "password_hash",
2270 .add = password_hash_add,
2271 .modify = password_hash_modify,
2272 .wait = password_hash_wait