4 Copyright (C) Simo Sorce 2004-2006
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2006
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Stefan Metzmacher 2007
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 * Component: ldb password_hash module
28 * Description: correctly update hash values based on changes to userPassword and friends
30 * Author: Andrew Bartlett
31 * Author: Stefan Metzmacher
35 #include "libcli/ldap/ldap_ndr.h"
36 #include "ldb/include/ldb_errors.h"
37 #include "ldb/include/ldb.h"
38 #include "ldb/include/ldb_private.h"
39 #include "librpc/gen_ndr/misc.h"
40 #include "librpc/gen_ndr/samr.h"
41 #include "libcli/auth/libcli_auth.h"
42 #include "libcli/security/security.h"
43 #include "system/kerberos.h"
44 #include "auth/kerberos/kerberos.h"
45 #include "system/time.h"
46 #include "dsdb/samdb/samdb.h"
47 #include "dsdb/common/flags.h"
48 #include "dsdb/samdb/ldb_modules/password_modules.h"
49 #include "librpc/ndr/libndr.h"
50 #include "librpc/gen_ndr/ndr_drsblobs.h"
51 #include "lib/crypto/crypto.h"
52 #include "param/param.h"
54 /* If we have decided there is reason to work on this request, then
55 * setup all the password hash types correctly.
57 * If the administrator doesn't want the userPassword stored (set in the
58 * domain and per-account policies) then we must strip that out before
59 * we do the first operation.
61 * Once this is done (which could update anything at all), we
62 * calculate the password hashes.
64 * This function must not only update the unicodePwd, dBCSPwd and
65 * supplementalCredentials fields, it must also atomicly increment the
66 * msDS-KeyVersionNumber. We should be in a transaction, so all this
67 * should be quite safe...
69 * Finally, if the administrator has requested that a password history
70 * be maintained, then this should also be written out.
76 enum ph_type {PH_ADD, PH_MOD} type;
77 enum ph_step {PH_ADD_SEARCH_DOM, PH_ADD_DO_ADD, PH_MOD_DO_REQ, PH_MOD_SEARCH_SELF, PH_MOD_SEARCH_DOM, PH_MOD_DO_MOD} step;
79 struct ldb_module *module;
80 struct ldb_request *orig_req;
82 struct ldb_request *dom_req;
83 struct ldb_reply *dom_res;
85 struct ldb_request *down_req;
87 struct ldb_request *search_req;
88 struct ldb_reply *search_res;
90 struct ldb_request *mod_req;
92 struct dom_sid *domain_sid;
98 uint_t pwdHistoryLength;
104 struct setup_password_fields_io {
105 struct ph_context *ac;
106 struct domain_data *domain;
107 struct smb_krb5_context *smb_krb5_context;
109 /* infos about the user account */
111 uint32_t user_account_control;
112 const char *sAMAccountName;
113 const char *user_principal_name;
117 /* new credentials */
119 const char *cleartext;
120 struct samr_Password *nt_hash;
121 struct samr_Password *lm_hash;
124 /* old credentials */
126 uint32_t nt_history_len;
127 struct samr_Password *nt_history;
128 uint32_t lm_history_len;
129 struct samr_Password *lm_history;
130 const struct ldb_val *supplemental;
131 struct supplementalCredentialsBlob scb;
135 /* generated credentials */
137 struct samr_Password *nt_hash;
138 struct samr_Password *lm_hash;
139 uint32_t nt_history_len;
140 struct samr_Password *nt_history;
141 uint32_t lm_history_len;
142 struct samr_Password *lm_history;
143 struct ldb_val supplemental;
149 static int setup_nt_fields(struct setup_password_fields_io *io)
153 io->g.nt_hash = io->n.nt_hash;
155 if (io->domain->pwdHistoryLength == 0) {
159 /* We might not have an old NT password */
160 io->g.nt_history = talloc_array(io->ac,
161 struct samr_Password,
162 io->domain->pwdHistoryLength);
163 if (!io->g.nt_history) {
164 ldb_oom(io->ac->module->ldb);
165 return LDB_ERR_OPERATIONS_ERROR;
168 for (i = 0; i < MIN(io->domain->pwdHistoryLength-1, io->o.nt_history_len); i++) {
169 io->g.nt_history[i+1] = io->o.nt_history[i];
171 io->g.nt_history_len = i + 1;
174 io->g.nt_history[0] = *io->g.nt_hash;
177 * TODO: is this correct?
178 * the simular behavior is correct for the lm history case
180 E_md4hash("", io->g.nt_history[0].hash);
186 static int setup_lm_fields(struct setup_password_fields_io *io)
190 io->g.lm_hash = io->n.lm_hash;
192 if (io->domain->pwdHistoryLength == 0) {
196 /* We might not have an old NT password */
197 io->g.lm_history = talloc_array(io->ac,
198 struct samr_Password,
199 io->domain->pwdHistoryLength);
200 if (!io->g.lm_history) {
201 ldb_oom(io->ac->module->ldb);
202 return LDB_ERR_OPERATIONS_ERROR;
205 for (i = 0; i < MIN(io->domain->pwdHistoryLength-1, io->o.lm_history_len); i++) {
206 io->g.lm_history[i+1] = io->o.lm_history[i];
208 io->g.lm_history_len = i + 1;
211 io->g.lm_history[0] = *io->g.lm_hash;
213 E_deshash("", io->g.lm_history[0].hash);
219 static int setup_primary_kerberos(struct setup_password_fields_io *io,
220 const struct supplementalCredentialsBlob *old_scb,
221 struct package_PrimaryKerberosBlob *pkb)
223 krb5_error_code krb5_ret;
224 Principal *salt_principal;
228 struct package_PrimaryKerberosCtr3 *pkb3 = &pkb->ctr.ctr3;
229 struct supplementalCredentialsPackage *old_scp = NULL;
230 struct package_PrimaryKerberosBlob _old_pkb;
231 struct package_PrimaryKerberosCtr3 *old_pkb3 = NULL;
233 enum ndr_err_code ndr_err;
235 /* Many, many thanks to lukeh@padl.com for this
236 * algorithm, described in his Nov 10 2004 mail to
237 * samba-technical@samba.org */
240 * Determine a salting principal
242 if (io->u.is_computer) {
246 name = talloc_strdup(io->ac, io->u.sAMAccountName);
248 ldb_oom(io->ac->module->ldb);
249 return LDB_ERR_OPERATIONS_ERROR;
252 if (name[strlen(name)-1] == '$') {
253 name[strlen(name)-1] = '\0';
256 saltbody = talloc_asprintf(io->ac, "%s.%s", name, io->domain->dns_domain);
258 ldb_oom(io->ac->module->ldb);
259 return LDB_ERR_OPERATIONS_ERROR;
262 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
264 io->domain->realm, "host",
266 } else if (io->u.user_principal_name) {
267 char *user_principal_name;
270 user_principal_name = talloc_strdup(io->ac, io->u.user_principal_name);
271 if (!user_principal_name) {
272 ldb_oom(io->ac->module->ldb);
273 return LDB_ERR_OPERATIONS_ERROR;
276 p = strchr(user_principal_name, '@');
281 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
283 io->domain->realm, user_principal_name,
286 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
288 io->domain->realm, io->u.sAMAccountName,
292 ldb_asprintf_errstring(io->ac->module->ldb,
293 "setup_primary_kerberos: "
294 "generation of a salting principal failed: %s",
295 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
296 return LDB_ERR_OPERATIONS_ERROR;
300 * create salt from salt_principal
302 krb5_ret = krb5_get_pw_salt(io->smb_krb5_context->krb5_context,
303 salt_principal, &salt);
304 krb5_free_principal(io->smb_krb5_context->krb5_context, salt_principal);
306 ldb_asprintf_errstring(io->ac->module->ldb,
307 "setup_primary_kerberos: "
308 "generation of krb5_salt failed: %s",
309 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
310 return LDB_ERR_OPERATIONS_ERROR;
312 /* create a talloc copy */
313 pkb3->salt.string = talloc_strndup(io->ac,
315 salt.saltvalue.length);
316 krb5_free_salt(io->smb_krb5_context->krb5_context, salt);
317 if (!pkb3->salt.string) {
318 ldb_oom(io->ac->module->ldb);
319 return LDB_ERR_OPERATIONS_ERROR;
321 salt.saltvalue.data = discard_const(pkb3->salt.string);
322 salt.saltvalue.length = strlen(pkb3->salt.string);
325 * prepare generation of keys
327 * ENCTYPE_AES256_CTS_HMAC_SHA1_96 (disabled by default)
328 * ENCTYPE_DES_CBC_MD5
329 * ENCTYPE_DES_CBC_CRC
331 * NOTE: update num_keys when you add another enctype!
334 pkb3->keys = talloc_array(io->ac, struct package_PrimaryKerberosKey, pkb3->num_keys);
336 ldb_oom(io->ac->module->ldb);
337 return LDB_ERR_OPERATIONS_ERROR;
339 pkb3->unknown3 = talloc_zero_array(io->ac, uint64_t, pkb3->num_keys);
340 if (!pkb3->unknown3) {
341 ldb_oom(io->ac->module->ldb);
342 return LDB_ERR_OPERATIONS_ERROR;
345 if (lp_parm_bool(ldb_get_opaque(io->ac->module->ldb, "loadparm"), NULL, "password_hash", "create_aes_key", false)) {
349 * w2k and w2k3 doesn't support AES, so we'll not include
350 * the AES key here yet.
352 * Also we don't have an example supplementalCredentials blob
353 * from Windows Longhorn Server with AES support
357 * create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of
358 * the salt and the cleartext password
360 krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
361 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
365 pkb3->keys[k].keytype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
366 pkb3->keys[k].value = talloc(pkb3->keys, DATA_BLOB);
367 if (!pkb3->keys[k].value) {
368 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
369 ldb_oom(io->ac->module->ldb);
370 return LDB_ERR_OPERATIONS_ERROR;
372 *pkb3->keys[k].value = data_blob_talloc(pkb3->keys[k].value,
374 key.keyvalue.length);
375 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
376 if (!pkb3->keys[k].value->data) {
377 ldb_oom(io->ac->module->ldb);
378 return LDB_ERR_OPERATIONS_ERROR;
384 * create ENCTYPE_DES_CBC_MD5 key out of
385 * the salt and the cleartext password
387 krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
392 pkb3->keys[k].keytype = ENCTYPE_DES_CBC_MD5;
393 pkb3->keys[k].value = talloc(pkb3->keys, DATA_BLOB);
394 if (!pkb3->keys[k].value) {
395 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
396 ldb_oom(io->ac->module->ldb);
397 return LDB_ERR_OPERATIONS_ERROR;
399 *pkb3->keys[k].value = data_blob_talloc(pkb3->keys[k].value,
401 key.keyvalue.length);
402 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
403 if (!pkb3->keys[k].value->data) {
404 ldb_oom(io->ac->module->ldb);
405 return LDB_ERR_OPERATIONS_ERROR;
410 * create ENCTYPE_DES_CBC_CRC key out of
411 * the salt and the cleartext password
413 krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
418 pkb3->keys[k].keytype = ENCTYPE_DES_CBC_CRC;
419 pkb3->keys[k].value = talloc(pkb3->keys, DATA_BLOB);
420 if (!pkb3->keys[k].value) {
421 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
422 ldb_oom(io->ac->module->ldb);
423 return LDB_ERR_OPERATIONS_ERROR;
425 *pkb3->keys[k].value = data_blob_talloc(pkb3->keys[k].value,
427 key.keyvalue.length);
428 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
429 if (!pkb3->keys[k].value->data) {
430 ldb_oom(io->ac->module->ldb);
431 return LDB_ERR_OPERATIONS_ERROR;
435 /* fix up key number */
438 /* initialize the old keys to zero */
439 pkb3->num_old_keys = 0;
440 pkb3->old_keys = NULL;
441 pkb3->unknown3_old = NULL;
443 /* if there're no old keys, then we're done */
448 for (i=0; i < old_scb->sub.num_packages; i++) {
449 if (strcmp("Primary:Kerberos", old_scb->sub.packages[i].name) != 0) {
453 if (!old_scb->sub.packages[i].data || !old_scb->sub.packages[i].data[0]) {
457 old_scp = &old_scb->sub.packages[i];
460 /* Primary:Kerberos element of supplementalCredentials */
464 blob = strhex_to_data_blob(old_scp->data);
466 ldb_oom(io->ac->module->ldb);
467 return LDB_ERR_OPERATIONS_ERROR;
469 talloc_steal(io->ac, blob.data);
471 /* TODO: use ndr_pull_struct_blob_all(), when the ndr layer handles it correct with relative pointers */
472 ndr_err = ndr_pull_struct_blob(&blob, io->ac, lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")), &_old_pkb,
473 (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
474 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
475 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
476 ldb_asprintf_errstring(io->ac->module->ldb,
477 "setup_primary_kerberos: "
478 "failed to pull old package_PrimaryKerberosBlob: %s",
480 return LDB_ERR_OPERATIONS_ERROR;
483 if (_old_pkb.version != 3) {
484 ldb_asprintf_errstring(io->ac->module->ldb,
485 "setup_primary_kerberos: "
486 "package_PrimaryKerberosBlob version[%u] expected[3]",
488 return LDB_ERR_OPERATIONS_ERROR;
491 old_pkb3 = &_old_pkb.ctr.ctr3;
494 /* if we didn't found the old keys we're done */
499 /* fill in the old keys */
500 pkb3->num_old_keys = old_pkb3->num_keys;
501 pkb3->old_keys = old_pkb3->keys;
502 pkb3->unknown3_old = old_pkb3->unknown3;
507 static int setup_primary_wdigest(struct setup_password_fields_io *io,
508 const struct supplementalCredentialsBlob *old_scb,
509 struct package_PrimaryWDigestBlob *pdb)
511 DATA_BLOB sAMAccountName;
512 DATA_BLOB sAMAccountName_l;
513 DATA_BLOB sAMAccountName_u;
514 const char *user_principal_name = io->u.user_principal_name;
515 DATA_BLOB userPrincipalName;
516 DATA_BLOB userPrincipalName_l;
517 DATA_BLOB userPrincipalName_u;
518 DATA_BLOB netbios_domain;
519 DATA_BLOB netbios_domain_l;
520 DATA_BLOB netbios_domain_u;
521 DATA_BLOB dns_domain;
522 DATA_BLOB dns_domain_l;
523 DATA_BLOB dns_domain_u;
536 * http://technet2.microsoft.com/WindowsServer/en/library/717b450c-f4a0-4cc9-86f4-cc0633aae5f91033.mspx?mfr=true
537 * for what precalculated hashes are supposed to be stored...
539 * I can't reproduce all values which should contain "Digest" as realm,
540 * am I doing something wrong or is w2k3 just broken...?
542 * W2K3 fills in following for a user:
544 * dn: CN=NewUser,OU=newtop,DC=sub1,DC=w2k3,DC=vmnet1,DC=vm,DC=base
545 * sAMAccountName: NewUser2Sam
546 * userPrincipalName: NewUser2Princ@sub1.w2k3.vmnet1.vm.base
548 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
549 * b7ec9da91062199aee7d121e6710fe23 => newuser2sam:sub1:TestPwd2007
550 * 17d290bc5c9f463fac54c37a8cea134d => NEWUSER2SAM:SUB1:TestPwd2007
551 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
552 * 5d57e7823938348127322e08cd81bcb5 => NewUser2Sam:sub1:TestPwd2007
553 * 07dd701bf8a011ece585de3d47237140 => NEWUSER2SAM:sub1:TestPwd2007
554 * e14fb0eb401498d2cb33c9aae1cc7f37 => newuser2sam:SUB1:TestPwd2007
555 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
556 * f52da1266a6bdd290ffd48b2c823dda7 => newuser2sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
557 * d2b42f171248cec37a3c5c6b55404062 => NEWUSER2SAM:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
558 * fff8d790ff6c152aaeb6ebe17b4021de => NewUser2Sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
559 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
560 * 2a7563c3715bc418d626dabef378c008 => NEWUSER2SAM:sub1.w2k3.vmnet1.vm.base:TestPwd2007
561 * c8e9557a87cd4200fda0c11d2fa03f96 => newuser2sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
562 * 221c55284451ae9b3aacaa2a3c86f10f => NewUser2Princ@sub1.w2k3.vmnet1.vm.base::TestPwd2007
563 * 74e1be668853d4324d38c07e2acfb8ea => (w2k3 has a bug here!) newuser2princ@sub1.w2k3.vmnet1.vm.base::TestPwd2007
564 * e1e244ab7f098e3ae1761be7f9229bbb => NEWUSER2PRINC@SUB1.W2K3.VMNET1.VM.BASE::TestPwd2007
565 * 86db637df42513039920e605499c3af6 => SUB1\NewUser2Sam::TestPwd2007
566 * f5e43474dfaf067fee8197a253debaa2 => sub1\newuser2sam::TestPwd2007
567 * 2ecaa8382e2518e4b77a52422b279467 => SUB1\NEWUSER2SAM::TestPwd2007
568 * 31dc704d3640335b2123d4ee28aa1f11 => ??? changes with NewUser2Sam => NewUser1Sam
569 * 36349f5cecd07320fb3bb0e119230c43 => ??? changes with NewUser2Sam => NewUser1Sam
570 * 12adf019d037fb535c01fd0608e78d9d => ??? changes with NewUser2Sam => NewUser1Sam
571 * 6feecf8e724906f3ee1105819c5105a1 => ??? changes with NewUser2Princ => NewUser1Princ
572 * 6c6911f3de6333422640221b9c51ff1f => ??? changes with NewUser2Princ => NewUser1Princ
573 * 4b279877e742895f9348ac67a8de2f69 => ??? changes with NewUser2Princ => NewUser1Princ
574 * db0c6bff069513e3ebb9870d29b57490 => ??? changes with NewUser2Sam => NewUser1Sam
575 * 45072621e56b1c113a4e04a8ff68cd0e => ??? changes with NewUser2Sam => NewUser1Sam
576 * 11d1220abc44a9c10cf91ef4a9c1de02 => ??? changes with NewUser2Sam => NewUser1Sam
578 * dn: CN=NewUser,OU=newtop,DC=sub1,DC=w2k3,DC=vmnet1,DC=vm,DC=base
579 * sAMAccountName: NewUser2Sam
581 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
582 * b7ec9da91062199aee7d121e6710fe23 => newuser2sam:sub1:TestPwd2007
583 * 17d290bc5c9f463fac54c37a8cea134d => NEWUSER2SAM:SUB1:TestPwd2007
584 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
585 * 5d57e7823938348127322e08cd81bcb5 => NewUser2Sam:sub1:TestPwd2007
586 * 07dd701bf8a011ece585de3d47237140 => NEWUSER2SAM:sub1:TestPwd2007
587 * e14fb0eb401498d2cb33c9aae1cc7f37 => newuser2sam:SUB1:TestPwd2007
588 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
589 * f52da1266a6bdd290ffd48b2c823dda7 => newuser2sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
590 * d2b42f171248cec37a3c5c6b55404062 => NEWUSER2SAM:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
591 * fff8d790ff6c152aaeb6ebe17b4021de => NewUser2Sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
592 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
593 * 2a7563c3715bc418d626dabef378c008 => NEWUSER2SAM:sub1.w2k3.vmnet1.vm.base:TestPwd2007
594 * c8e9557a87cd4200fda0c11d2fa03f96 => newuser2sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
595 * 8a140d30b6f0a5912735dc1e3bc993b4 => NewUser2Sam@sub1.w2k3.vmnet1.vm.base::TestPwd2007
596 * 86d95b2faae6cae4ec261e7fbaccf093 => (here w2k3 is correct) newuser2sam@sub1.w2k3.vmnet1.vm.base::TestPwd2007
597 * dfeff1493110220efcdfc6362e5f5450 => NEWUSER2SAM@SUB1.W2K3.VMNET1.VM.BASE::TestPwd2007
598 * 86db637df42513039920e605499c3af6 => SUB1\NewUser2Sam::TestPwd2007
599 * f5e43474dfaf067fee8197a253debaa2 => sub1\newuser2sam::TestPwd2007
600 * 2ecaa8382e2518e4b77a52422b279467 => SUB1\NEWUSER2SAM::TestPwd2007
601 * 31dc704d3640335b2123d4ee28aa1f11 => ???M1 changes with NewUser2Sam => NewUser1Sam
602 * 36349f5cecd07320fb3bb0e119230c43 => ???M1.L changes with newuser2sam => newuser1sam
603 * 12adf019d037fb535c01fd0608e78d9d => ???M1.U changes with NEWUSER2SAM => NEWUSER1SAM
604 * 569b4533f2d9e580211dd040e5e360a8 => ???M2 changes with NewUser2Princ => NewUser1Princ
605 * 52528bddf310a587c5d7e6a9ae2cbb20 => ???M2.L changes with newuser2princ => newuser1princ
606 * 4f629a4f0361289ca4255ab0f658fcd5 => ???M3 changes with NewUser2Princ => NewUser1Princ (doesn't depend on case of userPrincipal )
607 * db0c6bff069513e3ebb9870d29b57490 => ???M4 changes with NewUser2Sam => NewUser1Sam
608 * 45072621e56b1c113a4e04a8ff68cd0e => ???M5 changes with NewUser2Sam => NewUser1Sam (doesn't depend on case of sAMAccountName)
609 * 11d1220abc44a9c10cf91ef4a9c1de02 => ???M4.U changes with NEWUSER2SAM => NEWUSER1SAM
613 * sAMAccountName, netbios_domain
616 .user = &sAMAccountName,
617 .realm = &netbios_domain,
620 .user = &sAMAccountName_l,
621 .realm = &netbios_domain_l,
624 .user = &sAMAccountName_u,
625 .realm = &netbios_domain_u,
628 .user = &sAMAccountName,
629 .realm = &netbios_domain_u,
632 .user = &sAMAccountName,
633 .realm = &netbios_domain_l,
636 .user = &sAMAccountName_u,
637 .realm = &netbios_domain_l,
640 .user = &sAMAccountName_l,
641 .realm = &netbios_domain_u,
644 * sAMAccountName, dns_domain
647 .user = &sAMAccountName,
648 .realm = &dns_domain,
651 .user = &sAMAccountName_l,
652 .realm = &dns_domain_l,
655 .user = &sAMAccountName_u,
656 .realm = &dns_domain_u,
659 .user = &sAMAccountName,
660 .realm = &dns_domain_u,
663 .user = &sAMAccountName,
664 .realm = &dns_domain_l,
667 .user = &sAMAccountName_u,
668 .realm = &dns_domain_l,
671 .user = &sAMAccountName_l,
672 .realm = &dns_domain_u,
675 * userPrincipalName, no realm
678 .user = &userPrincipalName,
682 * NOTE: w2k3 messes this up, if the user has a real userPrincipalName,
683 * the fallback to the sAMAccountName based userPrincipalName is correct
685 .user = &userPrincipalName_l,
688 .user = &userPrincipalName_u,
691 * nt4dom\sAMAccountName, no realm
694 .user = &sAMAccountName,
695 .nt4dom = &netbios_domain
698 .user = &sAMAccountName_l,
699 .nt4dom = &netbios_domain_l
702 .user = &sAMAccountName_u,
703 .nt4dom = &netbios_domain_u
707 * the following ones are guessed depending on the technet2 article
708 * but not reproducable on a w2k3 server
710 /* sAMAccountName with "Digest" realm */
712 .user = &sAMAccountName,
716 .user = &sAMAccountName_l,
720 .user = &sAMAccountName_u,
723 /* userPrincipalName with "Digest" realm */
725 .user = &userPrincipalName,
729 .user = &userPrincipalName_l,
733 .user = &userPrincipalName_u,
736 /* nt4dom\\sAMAccountName with "Digest" realm */
738 .user = &sAMAccountName,
739 .nt4dom = &netbios_domain,
743 .user = &sAMAccountName_l,
744 .nt4dom = &netbios_domain_l,
748 .user = &sAMAccountName_u,
749 .nt4dom = &netbios_domain_u,
754 /* prepare DATA_BLOB's used in the combinations array */
755 sAMAccountName = data_blob_string_const(io->u.sAMAccountName);
756 sAMAccountName_l = data_blob_string_const(strlower_talloc(io->ac, io->u.sAMAccountName));
757 if (!sAMAccountName_l.data) {
758 ldb_oom(io->ac->module->ldb);
759 return LDB_ERR_OPERATIONS_ERROR;
761 sAMAccountName_u = data_blob_string_const(strupper_talloc(io->ac, io->u.sAMAccountName));
762 if (!sAMAccountName_u.data) {
763 ldb_oom(io->ac->module->ldb);
764 return LDB_ERR_OPERATIONS_ERROR;
767 /* if the user doesn't have a userPrincipalName, create one (with lower case realm) */
768 if (!user_principal_name) {
769 user_principal_name = talloc_asprintf(io->ac, "%s@%s",
770 io->u.sAMAccountName,
771 io->domain->dns_domain);
772 if (!user_principal_name) {
773 ldb_oom(io->ac->module->ldb);
774 return LDB_ERR_OPERATIONS_ERROR;
777 userPrincipalName = data_blob_string_const(user_principal_name);
778 userPrincipalName_l = data_blob_string_const(strlower_talloc(io->ac, user_principal_name));
779 if (!userPrincipalName_l.data) {
780 ldb_oom(io->ac->module->ldb);
781 return LDB_ERR_OPERATIONS_ERROR;
783 userPrincipalName_u = data_blob_string_const(strupper_talloc(io->ac, user_principal_name));
784 if (!userPrincipalName_u.data) {
785 ldb_oom(io->ac->module->ldb);
786 return LDB_ERR_OPERATIONS_ERROR;
789 netbios_domain = data_blob_string_const(io->domain->netbios_domain);
790 netbios_domain_l = data_blob_string_const(strlower_talloc(io->ac, io->domain->netbios_domain));
791 if (!netbios_domain_l.data) {
792 ldb_oom(io->ac->module->ldb);
793 return LDB_ERR_OPERATIONS_ERROR;
795 netbios_domain_u = data_blob_string_const(strupper_talloc(io->ac, io->domain->netbios_domain));
796 if (!netbios_domain_u.data) {
797 ldb_oom(io->ac->module->ldb);
798 return LDB_ERR_OPERATIONS_ERROR;
801 dns_domain = data_blob_string_const(io->domain->dns_domain);
802 dns_domain_l = data_blob_string_const(io->domain->dns_domain);
803 dns_domain_u = data_blob_string_const(io->domain->realm);
805 cleartext = data_blob_string_const(io->n.cleartext);
807 digest = data_blob_string_const("Digest");
809 delim = data_blob_string_const(":");
810 backslash = data_blob_string_const("\\");
812 pdb->num_hashes = ARRAY_SIZE(wdigest);
813 pdb->hashes = talloc_array(io->ac, struct package_PrimaryWDigestHash, pdb->num_hashes);
815 ldb_oom(io->ac->module->ldb);
816 return LDB_ERR_OPERATIONS_ERROR;
819 for (i=0; i < ARRAY_SIZE(wdigest); i++) {
820 struct MD5Context md5;
822 if (wdigest[i].nt4dom) {
823 MD5Update(&md5, wdigest[i].nt4dom->data, wdigest[i].nt4dom->length);
824 MD5Update(&md5, backslash.data, backslash.length);
826 MD5Update(&md5, wdigest[i].user->data, wdigest[i].user->length);
827 MD5Update(&md5, delim.data, delim.length);
828 if (wdigest[i].realm) {
829 MD5Update(&md5, wdigest[i].realm->data, wdigest[i].realm->length);
831 MD5Update(&md5, delim.data, delim.length);
832 MD5Update(&md5, cleartext.data, cleartext.length);
833 MD5Final(pdb->hashes[i].hash, &md5);
839 static int setup_supplemental_field(struct setup_password_fields_io *io)
841 struct supplementalCredentialsBlob scb;
842 struct supplementalCredentialsBlob _old_scb;
843 struct supplementalCredentialsBlob *old_scb = NULL;
844 /* Packages + (Kerberos, WDigest and maybe CLEARTEXT) */
845 uint32_t num_packages = 1 + 2;
846 struct supplementalCredentialsPackage packages[1+3];
847 struct supplementalCredentialsPackage *pp = &packages[0];
848 struct supplementalCredentialsPackage *pk = &packages[1];
849 struct supplementalCredentialsPackage *pd = &packages[2];
850 struct supplementalCredentialsPackage *pc = NULL;
851 struct package_PackagesBlob pb;
854 struct package_PrimaryKerberosBlob pkb;
857 struct package_PrimaryWDigestBlob pdb;
860 struct package_PrimaryCLEARTEXTBlob pcb;
864 enum ndr_err_code ndr_err;
869 if (!io->n.cleartext) {
871 * when we don't have a cleartext password
872 * we can't setup a supplementalCredential value
877 /* if there's an old supplementaCredentials blob then parse it */
878 if (io->o.supplemental) {
879 ndr_err = ndr_pull_struct_blob_all(io->o.supplemental, io->ac,
880 lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
882 (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
883 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
884 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
885 ldb_asprintf_errstring(io->ac->module->ldb,
886 "setup_supplemental_field: "
887 "failed to pull old supplementalCredentialsBlob: %s",
889 return LDB_ERR_OPERATIONS_ERROR;
892 if (_old_scb.sub.signature == SUPPLEMENTAL_CREDENTIALS_SIGNATURE) {
895 ldb_debug(io->ac->module->ldb, LDB_DEBUG_ERROR,
896 "setup_supplemental_field: "
897 "supplementalCredentialsBlob signature[0x%04X] expected[0x%04X]",
898 _old_scb.sub.signature, SUPPLEMENTAL_CREDENTIALS_SIGNATURE);
902 if (io->domain->store_cleartext &&
903 (io->u.user_account_control & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
908 /* Kerberos, WDigest, CLEARTEXT and termination(counted by the Packages element) */
909 pb.names = talloc_zero_array(io->ac, const char *, num_packages);
912 * setup 'Primary:Kerberos' element
914 pb.names[0] = "Kerberos";
916 ret = setup_primary_kerberos(io, old_scb, &pkb);
917 if (ret != LDB_SUCCESS) {
921 ndr_err = ndr_push_struct_blob(&pkb_blob, io->ac,
922 lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
924 (ndr_push_flags_fn_t)ndr_push_package_PrimaryKerberosBlob);
925 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
926 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
927 ldb_asprintf_errstring(io->ac->module->ldb,
928 "setup_supplemental_field: "
929 "failed to push package_PrimaryKerberosBlob: %s",
931 return LDB_ERR_OPERATIONS_ERROR;
933 pkb_hexstr = data_blob_hex_string(io->ac, &pkb_blob);
935 ldb_oom(io->ac->module->ldb);
936 return LDB_ERR_OPERATIONS_ERROR;
938 pk->name = "Primary:Kerberos";
940 pk->data = pkb_hexstr;
943 * setup 'Primary:WDigest' element
945 pb.names[1] = "WDigest";
947 ret = setup_primary_wdigest(io, old_scb, &pdb);
948 if (ret != LDB_SUCCESS) {
952 ndr_err = ndr_push_struct_blob(&pdb_blob, io->ac,
953 lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
955 (ndr_push_flags_fn_t)ndr_push_package_PrimaryWDigestBlob);
956 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
957 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
958 ldb_asprintf_errstring(io->ac->module->ldb,
959 "setup_supplemental_field: "
960 "failed to push package_PrimaryWDigestBlob: %s",
962 return LDB_ERR_OPERATIONS_ERROR;
964 pdb_hexstr = data_blob_hex_string(io->ac, &pdb_blob);
966 ldb_oom(io->ac->module->ldb);
967 return LDB_ERR_OPERATIONS_ERROR;
969 pd->name = "Primary:WDigest";
971 pd->data = pdb_hexstr;
974 * setup 'Primary:CLEARTEXT' element
977 pb.names[2] = "CLEARTEXT";
979 pcb.cleartext = io->n.cleartext;
981 ndr_err = ndr_push_struct_blob(&pcb_blob, io->ac,
982 lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
984 (ndr_push_flags_fn_t)ndr_push_package_PrimaryCLEARTEXTBlob);
985 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
986 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
987 ldb_asprintf_errstring(io->ac->module->ldb,
988 "setup_supplemental_field: "
989 "failed to push package_PrimaryCLEARTEXTBlob: %s",
991 return LDB_ERR_OPERATIONS_ERROR;
993 pcb_hexstr = data_blob_hex_string(io->ac, &pcb_blob);
995 ldb_oom(io->ac->module->ldb);
996 return LDB_ERR_OPERATIONS_ERROR;
998 pc->name = "Primary:CLEARTEXT";
1000 pc->data = pcb_hexstr;
1004 * setup 'Packages' element
1006 ndr_err = ndr_push_struct_blob(&pb_blob, io->ac,
1007 lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
1009 (ndr_push_flags_fn_t)ndr_push_package_PackagesBlob);
1010 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1011 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1012 ldb_asprintf_errstring(io->ac->module->ldb,
1013 "setup_supplemental_field: "
1014 "failed to push package_PackagesBlob: %s",
1016 return LDB_ERR_OPERATIONS_ERROR;
1018 pb_hexstr = data_blob_hex_string(io->ac, &pb_blob);
1020 ldb_oom(io->ac->module->ldb);
1021 return LDB_ERR_OPERATIONS_ERROR;
1023 pp->name = "Packages";
1025 pp->data = pb_hexstr;
1028 * setup 'supplementalCredentials' value
1030 scb.sub.num_packages = num_packages;
1031 scb.sub.packages = packages;
1033 ndr_err = ndr_push_struct_blob(&io->g.supplemental, io->ac,
1034 lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
1036 (ndr_push_flags_fn_t)ndr_push_supplementalCredentialsBlob);
1037 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1038 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1039 ldb_asprintf_errstring(io->ac->module->ldb,
1040 "setup_supplemental_field: "
1041 "failed to push supplementalCredentialsBlob: %s",
1043 return LDB_ERR_OPERATIONS_ERROR;
1049 static int setup_last_set_field(struct setup_password_fields_io *io)
1052 unix_to_nt_time(&io->g.last_set, time(NULL));
1057 static int setup_kvno_field(struct setup_password_fields_io *io)
1059 /* increment by one */
1060 io->g.kvno = io->o.kvno + 1;
1065 static int setup_password_fields(struct setup_password_fields_io *io)
1071 * refuse the change if someone want to change the cleartext
1072 * and supply his own hashes at the same time...
1074 if (io->n.cleartext && (io->n.nt_hash || io->n.lm_hash)) {
1075 ldb_asprintf_errstring(io->ac->module->ldb,
1076 "setup_password_fields: "
1077 "it's only allowed to set the cleartext password or the password hashes");
1078 return LDB_ERR_UNWILLING_TO_PERFORM;
1081 if (io->n.cleartext && !io->n.nt_hash) {
1082 struct samr_Password *hash;
1084 hash = talloc(io->ac, struct samr_Password);
1086 ldb_oom(io->ac->module->ldb);
1087 return LDB_ERR_OPERATIONS_ERROR;
1090 /* compute the new nt hash */
1091 ok = E_md4hash(io->n.cleartext, hash->hash);
1093 io->n.nt_hash = hash;
1095 ldb_asprintf_errstring(io->ac->module->ldb,
1096 "setup_password_fields: "
1097 "failed to generate nthash from cleartext password");
1098 return LDB_ERR_OPERATIONS_ERROR;
1102 if (io->n.cleartext && !io->n.lm_hash) {
1103 struct samr_Password *hash;
1105 hash = talloc(io->ac, struct samr_Password);
1107 ldb_oom(io->ac->module->ldb);
1108 return LDB_ERR_OPERATIONS_ERROR;
1111 /* compute the new lm hash */
1112 ok = E_deshash(io->n.cleartext, hash->hash);
1114 io->n.lm_hash = hash;
1116 talloc_free(hash->hash);
1120 ret = setup_nt_fields(io);
1125 ret = setup_lm_fields(io);
1130 ret = setup_supplemental_field(io);
1135 ret = setup_last_set_field(io);
1140 ret = setup_kvno_field(io);
1148 static struct ldb_handle *ph_init_handle(struct ldb_request *req, struct ldb_module *module, enum ph_type type)
1150 struct ph_context *ac;
1151 struct ldb_handle *h;
1153 h = talloc_zero(req, struct ldb_handle);
1155 ldb_set_errstring(module->ldb, "Out of Memory");
1161 ac = talloc_zero(h, struct ph_context);
1163 ldb_set_errstring(module->ldb, "Out of Memory");
1168 h->private_data = (void *)ac;
1170 h->state = LDB_ASYNC_INIT;
1171 h->status = LDB_SUCCESS;
1174 ac->module = module;
1180 static int get_domain_data_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
1182 struct ph_context *ac;
1184 ac = talloc_get_type(context, struct ph_context);
1186 /* we are interested only in the single reply (base search) we receive here */
1187 if (ares->type == LDB_REPLY_ENTRY) {
1188 if (ac->dom_res != NULL) {
1189 ldb_set_errstring(ldb, "Too many results");
1191 return LDB_ERR_OPERATIONS_ERROR;
1193 ac->dom_res = talloc_steal(ac, ares);
1201 static int build_domain_data_request(struct ph_context *ac)
1203 /* attrs[] is returned from this function in
1204 ac->dom_req->op.search.attrs, so it must be static, as
1205 otherwise the compiler can put it on the stack */
1206 static const char * const attrs[] = { "pwdProperties", "pwdHistoryLength", NULL };
1209 ac->dom_req = talloc_zero(ac, struct ldb_request);
1210 if (ac->dom_req == NULL) {
1211 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
1212 return LDB_ERR_OPERATIONS_ERROR;
1214 ac->dom_req->operation = LDB_SEARCH;
1215 ac->dom_req->op.search.base = ldb_get_default_basedn(ac->module->ldb);
1216 ac->dom_req->op.search.scope = LDB_SCOPE_SUBTREE;
1218 filter = talloc_asprintf(ac->dom_req,
1219 "(&(objectSid=%s)(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain)))",
1220 ldap_encode_ndr_dom_sid(ac->dom_req, ac->domain_sid));
1221 if (filter == NULL) {
1222 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
1223 talloc_free(ac->dom_req);
1224 return LDB_ERR_OPERATIONS_ERROR;
1227 ac->dom_req->op.search.tree = ldb_parse_tree(ac->dom_req, filter);
1228 if (ac->dom_req->op.search.tree == NULL) {
1229 ldb_set_errstring(ac->module->ldb, "Invalid search filter");
1230 talloc_free(ac->dom_req);
1231 return LDB_ERR_OPERATIONS_ERROR;
1233 ac->dom_req->op.search.attrs = attrs;
1234 ac->dom_req->controls = NULL;
1235 ac->dom_req->context = ac;
1236 ac->dom_req->callback = get_domain_data_callback;
1237 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->dom_req);
1242 static struct domain_data *get_domain_data(struct ldb_module *module, void *ctx, struct ldb_reply *res)
1244 struct domain_data *data;
1246 struct ph_context *ac;
1249 ac = talloc_get_type(ctx, struct ph_context);
1251 data = talloc_zero(ac, struct domain_data);
1257 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Could not find this user's domain: %s!\n", dom_sid_string(data, ac->domain_sid));
1262 data->pwdProperties= samdb_result_uint(res->message, "pwdProperties", 0);
1263 data->store_cleartext = data->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT;
1264 data->pwdHistoryLength = samdb_result_uint(res->message, "pwdHistoryLength", 0);
1266 /* For a domain DN, this puts things in dotted notation */
1267 /* For builtin domains, this will give details for the host,
1268 * but that doesn't really matter, as it's just used for salt
1269 * and kerberos principals, which don't exist here */
1271 tmp = ldb_dn_canonical_string(ctx, res->message->dn);
1276 /* But it puts a trailing (or just before 'builtin') / on things, so kill that */
1277 p = strchr(tmp, '/');
1283 data->dns_domain = strlower_talloc(data, tmp);
1284 if (data->dns_domain == NULL) {
1285 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
1288 data->realm = strupper_talloc(data, tmp);
1289 if (data->realm == NULL) {
1290 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
1293 p = strchr(tmp, '.');
1297 data->netbios_domain = strupper_talloc(data, tmp);
1298 if (data->netbios_domain == NULL) {
1299 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
1307 static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
1309 struct ldb_handle *h;
1310 struct ph_context *ac;
1311 struct ldb_message_element *sambaAttr;
1312 struct ldb_message_element *ntAttr;
1313 struct ldb_message_element *lmAttr;
1316 ldb_debug(module->ldb, LDB_DEBUG_TRACE, "password_hash_add\n");
1318 if (ldb_dn_is_special(req->op.add.message->dn)) { /* do not manipulate our control entries */
1319 return ldb_next_request(module, req);
1322 /* If the caller is manipulating the local passwords directly, let them pass */
1323 if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
1324 req->op.add.message->dn) == 0) {
1325 return ldb_next_request(module, req);
1328 /* nobody must touch this fields */
1329 if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory")) {
1330 return LDB_ERR_UNWILLING_TO_PERFORM;
1332 if (ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) {
1333 return LDB_ERR_UNWILLING_TO_PERFORM;
1335 if (ldb_msg_find_element(req->op.add.message, "supplementalCredentials")) {
1336 return LDB_ERR_UNWILLING_TO_PERFORM;
1339 /* If no part of this ADD touches the userPassword, or the NT
1340 * or LM hashes, then we don't need to make any changes. */
1342 sambaAttr = ldb_msg_find_element(req->op.mod.message, "userPassword");
1343 ntAttr = ldb_msg_find_element(req->op.mod.message, "unicodePwd");
1344 lmAttr = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
1346 if ((!sambaAttr) && (!ntAttr) && (!lmAttr)) {
1347 return ldb_next_request(module, req);
1350 /* if it is not an entry of type person its an error */
1351 /* TODO: remove this when userPassword will be in schema */
1352 if (!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "person")) {
1353 ldb_set_errstring(module->ldb, "Cannot set a password on entry that does not have objectClass 'person'");
1354 return LDB_ERR_OBJECT_CLASS_VIOLATION;
1357 /* check userPassword is single valued here */
1358 /* TODO: remove this when userPassword will be single valued in schema */
1359 if (sambaAttr && sambaAttr->num_values > 1) {
1360 ldb_set_errstring(module->ldb, "mupltiple values for userPassword not allowed!\n");
1361 return LDB_ERR_CONSTRAINT_VIOLATION;
1364 if (ntAttr && (ntAttr->num_values > 1)) {
1365 ldb_set_errstring(module->ldb, "mupltiple values for unicodePwd not allowed!\n");
1366 return LDB_ERR_CONSTRAINT_VIOLATION;
1368 if (lmAttr && (lmAttr->num_values > 1)) {
1369 ldb_set_errstring(module->ldb, "mupltiple values for dBCSPwd not allowed!\n");
1370 return LDB_ERR_CONSTRAINT_VIOLATION;
1373 if (sambaAttr && sambaAttr->num_values == 0) {
1374 ldb_set_errstring(module->ldb, "userPassword must have a value!\n");
1375 return LDB_ERR_CONSTRAINT_VIOLATION;
1378 if (ntAttr && (ntAttr->num_values == 0)) {
1379 ldb_set_errstring(module->ldb, "unicodePwd must have a value!\n");
1380 return LDB_ERR_CONSTRAINT_VIOLATION;
1382 if (lmAttr && (lmAttr->num_values == 0)) {
1383 ldb_set_errstring(module->ldb, "dBCSPwd must have a value!\n");
1384 return LDB_ERR_CONSTRAINT_VIOLATION;
1387 h = ph_init_handle(req, module, PH_ADD);
1389 return LDB_ERR_OPERATIONS_ERROR;
1391 ac = talloc_get_type(h->private_data, struct ph_context);
1393 /* get user domain data */
1394 ac->domain_sid = samdb_result_sid_prefix(ac, req->op.add.message, "objectSid");
1395 if (ac->domain_sid == NULL) {
1396 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "can't handle entry with missing objectSid!\n");
1397 return LDB_ERR_OPERATIONS_ERROR;
1400 ret = build_domain_data_request(ac);
1401 if (ret != LDB_SUCCESS) {
1405 ac->step = PH_ADD_SEARCH_DOM;
1409 return ldb_next_request(module, ac->dom_req);
1412 static int password_hash_add_do_add(struct ldb_handle *h) {
1414 struct ph_context *ac;
1415 struct domain_data *domain;
1416 struct smb_krb5_context *smb_krb5_context;
1417 struct ldb_message *msg;
1418 struct setup_password_fields_io io;
1421 ac = talloc_get_type(h->private_data, struct ph_context);
1423 domain = get_domain_data(ac->module, ac, ac->dom_res);
1424 if (domain == NULL) {
1425 return LDB_ERR_OPERATIONS_ERROR;
1428 ac->down_req = talloc(ac, struct ldb_request);
1429 if (ac->down_req == NULL) {
1430 return LDB_ERR_OPERATIONS_ERROR;
1433 *(ac->down_req) = *(ac->orig_req);
1434 ac->down_req->op.add.message = msg = ldb_msg_copy_shallow(ac->down_req, ac->orig_req->op.add.message);
1435 if (ac->down_req->op.add.message == NULL) {
1436 return LDB_ERR_OPERATIONS_ERROR;
1439 /* Some operations below require kerberos contexts */
1440 if (smb_krb5_init_context(ac->down_req,
1441 ldb_get_opaque(h->module->ldb, "EventContext"),
1442 (struct loadparm_context *)ldb_get_opaque(h->module->ldb, "loadparm"),
1443 &smb_krb5_context) != 0) {
1444 return LDB_ERR_OPERATIONS_ERROR;
1450 io.smb_krb5_context = smb_krb5_context;
1452 io.u.user_account_control = samdb_result_uint(msg, "userAccountControl", 0);
1453 io.u.sAMAccountName = samdb_result_string(msg, "samAccountName", NULL);
1454 io.u.user_principal_name = samdb_result_string(msg, "userPrincipalName", NULL);
1455 io.u.is_computer = ldb_msg_check_string_attribute(msg, "objectClass", "computer");
1457 io.n.cleartext = samdb_result_string(msg, "userPassword", NULL);
1458 io.n.nt_hash = samdb_result_hash(io.ac, msg, "unicodePwd");
1459 io.n.lm_hash = samdb_result_hash(io.ac, msg, "dBCSPwd");
1461 /* remove attributes */
1462 if (io.n.cleartext) ldb_msg_remove_attr(msg, "userPassword");
1463 if (io.n.nt_hash) ldb_msg_remove_attr(msg, "unicodePwd");
1464 if (io.n.lm_hash) ldb_msg_remove_attr(msg, "dBCSPwd");
1465 ldb_msg_remove_attr(msg, "pwdLastSet");
1466 io.o.kvno = samdb_result_uint(msg, "msDs-KeyVersionNumber", 1) - 1;
1467 ldb_msg_remove_attr(msg, "msDs-KeyVersionNumber");
1469 ret = setup_password_fields(&io);
1470 if (ret != LDB_SUCCESS) {
1475 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
1476 "unicodePwd", io.g.nt_hash);
1477 if (ret != LDB_SUCCESS) {
1482 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
1483 "dBCSPwd", io.g.lm_hash);
1484 if (ret != LDB_SUCCESS) {
1488 if (io.g.nt_history_len > 0) {
1489 ret = samdb_msg_add_hashes(ac, msg,
1492 io.g.nt_history_len);
1493 if (ret != LDB_SUCCESS) {
1497 if (io.g.lm_history_len > 0) {
1498 ret = samdb_msg_add_hashes(ac, msg,
1501 io.g.lm_history_len);
1502 if (ret != LDB_SUCCESS) {
1506 if (io.g.supplemental.length > 0) {
1507 ret = ldb_msg_add_value(msg, "supplementalCredentials",
1508 &io.g.supplemental, NULL);
1509 if (ret != LDB_SUCCESS) {
1513 ret = samdb_msg_add_uint64(ac->module->ldb, ac, msg,
1516 if (ret != LDB_SUCCESS) {
1519 ret = samdb_msg_add_uint(ac->module->ldb, ac, msg,
1520 "msDs-KeyVersionNumber",
1522 if (ret != LDB_SUCCESS) {
1526 h->state = LDB_ASYNC_INIT;
1527 h->status = LDB_SUCCESS;
1529 ac->step = PH_ADD_DO_ADD;
1531 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->down_req);
1533 /* perform the operation */
1534 return ldb_next_request(ac->module, ac->down_req);
1537 static int password_hash_mod_search_self(struct ldb_handle *h);
1539 static int password_hash_modify(struct ldb_module *module, struct ldb_request *req)
1541 struct ldb_handle *h;
1542 struct ph_context *ac;
1543 struct ldb_message_element *sambaAttr;
1544 struct ldb_message_element *ntAttr;
1545 struct ldb_message_element *lmAttr;
1546 struct ldb_message *msg;
1548 ldb_debug(module->ldb, LDB_DEBUG_TRACE, "password_hash_modify\n");
1550 if (ldb_dn_is_special(req->op.mod.message->dn)) { /* do not manipulate our control entries */
1551 return ldb_next_request(module, req);
1554 /* If the caller is manipulating the local passwords directly, let them pass */
1555 if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
1556 req->op.mod.message->dn) == 0) {
1557 return ldb_next_request(module, req);
1560 /* nobody must touch password Histories */
1561 if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory")) {
1562 return LDB_ERR_UNWILLING_TO_PERFORM;
1564 if (ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) {
1565 return LDB_ERR_UNWILLING_TO_PERFORM;
1567 if (ldb_msg_find_element(req->op.add.message, "supplementalCredentials")) {
1568 return LDB_ERR_UNWILLING_TO_PERFORM;
1571 sambaAttr = ldb_msg_find_element(req->op.mod.message, "userPassword");
1572 ntAttr = ldb_msg_find_element(req->op.mod.message, "unicodePwd");
1573 lmAttr = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
1575 /* If no part of this touches the userPassword OR unicodePwd and/or dBCSPwd, then we don't
1576 * need to make any changes. For password changes/set there should
1577 * be a 'delete' or a 'modify' on this attribute. */
1578 if ((!sambaAttr) && (!ntAttr) && (!lmAttr)) {
1579 return ldb_next_request(module, req);
1582 /* check passwords are single valued here */
1583 /* TODO: remove this when passwords will be single valued in schema */
1584 if (sambaAttr && (sambaAttr->num_values > 1)) {
1585 return LDB_ERR_CONSTRAINT_VIOLATION;
1587 if (ntAttr && (ntAttr->num_values > 1)) {
1588 return LDB_ERR_CONSTRAINT_VIOLATION;
1590 if (lmAttr && (lmAttr->num_values > 1)) {
1591 return LDB_ERR_CONSTRAINT_VIOLATION;
1594 h = ph_init_handle(req, module, PH_MOD);
1596 return LDB_ERR_OPERATIONS_ERROR;
1598 ac = talloc_get_type(h->private_data, struct ph_context);
1600 /* return or own handle to deal with this call */
1603 /* prepare the first operation */
1604 ac->down_req = talloc_zero(ac, struct ldb_request);
1605 if (ac->down_req == NULL) {
1606 ldb_set_errstring(module->ldb, "Out of memory!");
1607 return LDB_ERR_OPERATIONS_ERROR;
1610 *(ac->down_req) = *req; /* copy the request */
1612 /* use a new message structure so that we can modify it */
1613 ac->down_req->op.mod.message = msg = ldb_msg_copy_shallow(ac->down_req, req->op.mod.message);
1615 /* - remove any imodification to the password from the first commit
1616 * we will make the real modification later */
1617 if (sambaAttr) ldb_msg_remove_attr(msg, "userPassword");
1618 if (ntAttr) ldb_msg_remove_attr(msg, "unicodePwd");
1619 if (lmAttr) ldb_msg_remove_attr(msg, "dBCSPwd");
1621 /* if there was nothing else to be modify skip to next step */
1622 if (msg->num_elements == 0) {
1623 talloc_free(ac->down_req);
1624 ac->down_req = NULL;
1625 return password_hash_mod_search_self(h);
1628 ac->down_req->context = NULL;
1629 ac->down_req->callback = NULL;
1631 ac->step = PH_MOD_DO_REQ;
1633 ldb_set_timeout_from_prev_req(module->ldb, req, ac->down_req);
1635 return ldb_next_request(module, ac->down_req);
1638 static int get_self_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
1640 struct ph_context *ac;
1642 ac = talloc_get_type(context, struct ph_context);
1644 /* we are interested only in the single reply (base search) we receive here */
1645 if (ares->type == LDB_REPLY_ENTRY) {
1646 if (ac->search_res != NULL) {
1647 ldb_set_errstring(ldb, "Too many results");
1649 return LDB_ERR_OPERATIONS_ERROR;
1652 /* if it is not an entry of type person this is an error */
1653 /* TODO: remove this when userPassword will be in schema */
1654 if (!ldb_msg_check_string_attribute(ares->message, "objectClass", "person")) {
1655 ldb_set_errstring(ldb, "Object class violation");
1657 return LDB_ERR_OBJECT_CLASS_VIOLATION;
1660 ac->search_res = talloc_steal(ac, ares);
1668 static int password_hash_mod_search_self(struct ldb_handle *h) {
1670 struct ph_context *ac;
1671 static const char * const attrs[] = { "userAccountControl", "lmPwdHistory",
1673 "objectSid", "msDS-KeyVersionNumber",
1674 "objectClass", "userPrincipalName",
1676 "dBCSPwd", "unicodePwd",
1677 "supplementalCredentials",
1680 ac = talloc_get_type(h->private_data, struct ph_context);
1682 /* prepare the search operation */
1683 ac->search_req = talloc_zero(ac, struct ldb_request);
1684 if (ac->search_req == NULL) {
1685 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
1686 return LDB_ERR_OPERATIONS_ERROR;
1689 ac->search_req->operation = LDB_SEARCH;
1690 ac->search_req->op.search.base = ac->orig_req->op.mod.message->dn;
1691 ac->search_req->op.search.scope = LDB_SCOPE_BASE;
1692 ac->search_req->op.search.tree = ldb_parse_tree(ac->search_req, NULL);
1693 if (ac->search_req->op.search.tree == NULL) {
1694 ldb_set_errstring(ac->module->ldb, "Invalid search filter");
1695 return LDB_ERR_OPERATIONS_ERROR;
1697 ac->search_req->op.search.attrs = attrs;
1698 ac->search_req->controls = NULL;
1699 ac->search_req->context = ac;
1700 ac->search_req->callback = get_self_callback;
1701 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->search_req);
1703 ac->step = PH_MOD_SEARCH_SELF;
1705 return ldb_next_request(ac->module, ac->search_req);
1708 static int password_hash_mod_search_dom(struct ldb_handle *h) {
1710 struct ph_context *ac;
1713 ac = talloc_get_type(h->private_data, struct ph_context);
1715 /* get object domain sid */
1716 ac->domain_sid = samdb_result_sid_prefix(ac, ac->search_res->message, "objectSid");
1717 if (ac->domain_sid == NULL) {
1718 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "can't handle entry with missing objectSid!\n");
1719 return LDB_ERR_OPERATIONS_ERROR;
1722 /* get user domain data */
1723 ret = build_domain_data_request(ac);
1724 if (ret != LDB_SUCCESS) {
1728 ac->step = PH_MOD_SEARCH_DOM;
1730 return ldb_next_request(ac->module, ac->dom_req);
1733 static int password_hash_mod_do_mod(struct ldb_handle *h) {
1735 struct ph_context *ac;
1736 struct domain_data *domain;
1737 struct smb_krb5_context *smb_krb5_context;
1738 struct ldb_message *msg;
1739 struct ldb_message *orig_msg;
1740 struct ldb_message *searched_msg;
1741 struct setup_password_fields_io io;
1744 ac = talloc_get_type(h->private_data, struct ph_context);
1746 domain = get_domain_data(ac->module, ac, ac->dom_res);
1747 if (domain == NULL) {
1748 return LDB_ERR_OPERATIONS_ERROR;
1751 ac->mod_req = talloc(ac, struct ldb_request);
1752 if (ac->mod_req == NULL) {
1753 return LDB_ERR_OPERATIONS_ERROR;
1756 *(ac->mod_req) = *(ac->orig_req);
1758 /* use a new message structure so that we can modify it */
1759 ac->mod_req->op.mod.message = msg = ldb_msg_new(ac->mod_req);
1761 return LDB_ERR_OPERATIONS_ERROR;
1765 msg->dn = ac->orig_req->op.mod.message->dn;
1767 /* Some operations below require kerberos contexts */
1768 if (smb_krb5_init_context(ac->mod_req,
1769 ldb_get_opaque(h->module->ldb, "EventContext"),
1770 (struct loadparm_context *)ldb_get_opaque(h->module->ldb, "loadparm"),
1771 &smb_krb5_context) != 0) {
1772 return LDB_ERR_OPERATIONS_ERROR;
1775 orig_msg = discard_const(ac->orig_req->op.mod.message);
1776 searched_msg = ac->search_res->message;
1781 io.smb_krb5_context = smb_krb5_context;
1783 io.u.user_account_control = samdb_result_uint(searched_msg, "userAccountControl", 0);
1784 io.u.sAMAccountName = samdb_result_string(searched_msg, "samAccountName", NULL);
1785 io.u.user_principal_name = samdb_result_string(searched_msg, "userPrincipalName", NULL);
1786 io.u.is_computer = ldb_msg_check_string_attribute(searched_msg, "objectClass", "computer");
1788 io.n.cleartext = samdb_result_string(orig_msg, "userPassword", NULL);
1789 io.n.nt_hash = samdb_result_hash(io.ac, orig_msg, "unicodePwd");
1790 io.n.lm_hash = samdb_result_hash(io.ac, orig_msg, "dBCSPwd");
1792 io.o.kvno = samdb_result_uint(searched_msg, "msDs-KeyVersionNumber", 0);
1793 io.o.nt_history_len = samdb_result_hashes(io.ac, searched_msg, "ntPwdHistory", &io.o.nt_history);
1794 io.o.lm_history_len = samdb_result_hashes(io.ac, searched_msg, "lmPwdHistory", &io.o.lm_history);
1795 io.o.supplemental = ldb_msg_find_ldb_val(searched_msg, "supplementalCredentials");
1797 ret = setup_password_fields(&io);
1798 if (ret != LDB_SUCCESS) {
1802 /* make sure we replace all the old attributes */
1803 ret = ldb_msg_add_empty(msg, "unicodePwd", LDB_FLAG_MOD_REPLACE, NULL);
1804 ret = ldb_msg_add_empty(msg, "dBCSPwd", LDB_FLAG_MOD_REPLACE, NULL);
1805 ret = ldb_msg_add_empty(msg, "ntPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
1806 ret = ldb_msg_add_empty(msg, "lmPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
1807 ret = ldb_msg_add_empty(msg, "supplementalCredentials", LDB_FLAG_MOD_REPLACE, NULL);
1808 ret = ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE, NULL);
1809 ret = ldb_msg_add_empty(msg, "msDs-KeyVersionNumber", LDB_FLAG_MOD_REPLACE, NULL);
1812 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
1813 "unicodePwd", io.g.nt_hash);
1814 if (ret != LDB_SUCCESS) {
1819 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
1820 "dBCSPwd", io.g.lm_hash);
1821 if (ret != LDB_SUCCESS) {
1825 if (io.g.nt_history_len > 0) {
1826 ret = samdb_msg_add_hashes(ac, msg,
1829 io.g.nt_history_len);
1830 if (ret != LDB_SUCCESS) {
1834 if (io.g.lm_history_len > 0) {
1835 ret = samdb_msg_add_hashes(ac, msg,
1838 io.g.lm_history_len);
1839 if (ret != LDB_SUCCESS) {
1843 if (io.g.supplemental.length > 0) {
1844 ret = ldb_msg_add_value(msg, "supplementalCredentials",
1845 &io.g.supplemental, NULL);
1846 if (ret != LDB_SUCCESS) {
1850 ret = samdb_msg_add_uint64(ac->module->ldb, ac, msg,
1853 if (ret != LDB_SUCCESS) {
1856 ret = samdb_msg_add_uint(ac->module->ldb, ac, msg,
1857 "msDs-KeyVersionNumber",
1859 if (ret != LDB_SUCCESS) {
1863 h->state = LDB_ASYNC_INIT;
1864 h->status = LDB_SUCCESS;
1866 ac->step = PH_MOD_DO_MOD;
1868 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->mod_req);
1870 /* perform the search */
1871 return ldb_next_request(ac->module, ac->mod_req);
1874 static int ph_wait(struct ldb_handle *handle) {
1875 struct ph_context *ac;
1878 if (!handle || !handle->private_data) {
1879 return LDB_ERR_OPERATIONS_ERROR;
1882 if (handle->state == LDB_ASYNC_DONE) {
1883 return handle->status;
1886 handle->state = LDB_ASYNC_PENDING;
1887 handle->status = LDB_SUCCESS;
1889 ac = talloc_get_type(handle->private_data, struct ph_context);
1892 case PH_ADD_SEARCH_DOM:
1893 ret = ldb_wait(ac->dom_req->handle, LDB_WAIT_NONE);
1895 if (ret != LDB_SUCCESS) {
1896 handle->status = ret;
1899 if (ac->dom_req->handle->status != LDB_SUCCESS) {
1900 handle->status = ac->dom_req->handle->status;
1904 if (ac->dom_req->handle->state != LDB_ASYNC_DONE) {
1908 /* domain search done, go on */
1909 return password_hash_add_do_add(handle);
1912 ret = ldb_wait(ac->down_req->handle, LDB_WAIT_NONE);
1914 if (ret != LDB_SUCCESS) {
1915 handle->status = ret;
1918 if (ac->down_req->handle->status != LDB_SUCCESS) {
1919 handle->status = ac->down_req->handle->status;
1923 if (ac->down_req->handle->state != LDB_ASYNC_DONE) {
1930 ret = ldb_wait(ac->down_req->handle, LDB_WAIT_NONE);
1932 if (ret != LDB_SUCCESS) {
1933 handle->status = ret;
1936 if (ac->down_req->handle->status != LDB_SUCCESS) {
1937 handle->status = ac->down_req->handle->status;
1941 if (ac->down_req->handle->state != LDB_ASYNC_DONE) {
1945 /* non-password mods done, go on */
1946 return password_hash_mod_search_self(handle);
1948 case PH_MOD_SEARCH_SELF:
1949 ret = ldb_wait(ac->search_req->handle, LDB_WAIT_NONE);
1951 if (ret != LDB_SUCCESS) {
1952 handle->status = ret;
1955 if (ac->search_req->handle->status != LDB_SUCCESS) {
1956 handle->status = ac->search_req->handle->status;
1960 if (ac->search_req->handle->state != LDB_ASYNC_DONE) {
1964 if (ac->search_res == NULL) {
1965 return LDB_ERR_NO_SUCH_OBJECT;
1968 /* self search done, go on */
1969 return password_hash_mod_search_dom(handle);
1971 case PH_MOD_SEARCH_DOM:
1972 ret = ldb_wait(ac->dom_req->handle, LDB_WAIT_NONE);
1974 if (ret != LDB_SUCCESS) {
1975 handle->status = ret;
1978 if (ac->dom_req->handle->status != LDB_SUCCESS) {
1979 handle->status = ac->dom_req->handle->status;
1983 if (ac->dom_req->handle->state != LDB_ASYNC_DONE) {
1987 /* domain search done, go on */
1988 return password_hash_mod_do_mod(handle);
1991 ret = ldb_wait(ac->mod_req->handle, LDB_WAIT_NONE);
1993 if (ret != LDB_SUCCESS) {
1994 handle->status = ret;
1997 if (ac->mod_req->handle->status != LDB_SUCCESS) {
1998 handle->status = ac->mod_req->handle->status;
2002 if (ac->mod_req->handle->state != LDB_ASYNC_DONE) {
2009 ret = LDB_ERR_OPERATIONS_ERROR;
2016 handle->state = LDB_ASYNC_DONE;
2020 static int ph_wait_all(struct ldb_handle *handle) {
2024 while (handle->state != LDB_ASYNC_DONE) {
2025 ret = ph_wait(handle);
2026 if (ret != LDB_SUCCESS) {
2031 return handle->status;
2034 static int password_hash_wait(struct ldb_handle *handle, enum ldb_wait_type type)
2036 if (type == LDB_WAIT_ALL) {
2037 return ph_wait_all(handle);
2039 return ph_wait(handle);
2043 _PUBLIC_ const struct ldb_module_ops ldb_password_hash_module_ops = {
2044 .name = "password_hash",
2045 .add = password_hash_add,
2046 .modify = password_hash_modify,
2047 .wait = password_hash_wait
git.samba.org / ira / wip.git / blob