dsdb: Allow password history and password changes without an NT hash
author    Andrew Bartlett <abartlet@samba.org>
          Mon, 31 Jan 2022 01:08:13 +0000 (14:08 +1300)
committer Andrew Bartlett <abartlet@samba.org>
          Sun, 26 Jun 2022 22:10:29 +0000 (22:10 +0000)
commit    d2a473a7b7471937d1098a11258b875134ad702a
tree      d73130772308bd5e017792658b7e8e292adfa249
parent    6029e2250c4dc837ed4f6b4613f988ae6dff49e3
dsdb: Allow password history and password changes without an NT hash

We now allow this to be via the ENCTYPE_AES256_CTS_HMAC_SHA1_96 hash instead
which allows us to decouple Samba from the unsalted NT hash for
organisations that are willing to take this step (for user accounts).

(History checking is limited to the last three passwords only, as
ntPwdHistory is limited to NT hash values, and the PrimaryKerberosCtr4
package only stores three sets of keys.)

Since we don't store a salt per-key, but only a single salt, the check
will fail for a previous password if the account was renamed prior to a
newer password being set.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
12 files changed:
docs-xml/smbdotconf/security/nt_hash_store.xml [new file with mode: 0644]
docs-xml/smbdotconf/security/ntlmauth.xml
lib/param/loadparm.c
lib/param/loadparm.h
lib/param/param_table.c
selftest/knownfail.d/nt-hash-support-gone
selftest/knownfail.d/password_settings [deleted file]
selftest/target/Samba4.pm
source3/param/loadparm.c
source4/dsdb/samdb/ldb_modules/password_hash.c
source4/dsdb/samdb/ldb_modules/wscript_build_server
source4/dsdb/tests/python/password_settings.py