2 Unix SMB/CIFS implementation.
4 Copyright (C) Guenther Deschner <gd@samba.org> 2008
5 Copyright (C) Michael Adam 2008
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "libnet/libnet.h"
23 #include "librpc/gen_ndr/ndr_drsblobs.h"
25 #if defined(HAVE_ADS) && defined(ENCTYPE_ARCFOUR_HMAC)
27 static NTSTATUS keytab_startup(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
28 struct replUpToDateVectorBlob **pold_utdv)
30 krb5_error_code ret = 0;
31 struct libnet_keytab_context *keytab_ctx;
32 struct libnet_keytab_entry *entry;
33 struct replUpToDateVectorBlob *old_utdv = NULL;
36 ret = libnet_keytab_init(mem_ctx, ctx->output_filename, &keytab_ctx);
38 return krb5_to_nt_status(ret);
41 keytab_ctx->dns_domain_name = ctx->dns_domain_name;
42 keytab_ctx->clean_old_entries = ctx->clean_old_entries;
43 ctx->private_data = keytab_ctx;
45 principal = talloc_asprintf(mem_ctx, "UTDV/%s@%s",
46 ctx->nc_dn, ctx->dns_domain_name);
47 NT_STATUS_HAVE_NO_MEMORY(principal);
49 entry = libnet_keytab_search(keytab_ctx, principal, 0, ENCTYPE_NULL,
52 enum ndr_err_code ndr_err;
53 old_utdv = talloc(mem_ctx, struct replUpToDateVectorBlob);
55 ndr_err = ndr_pull_struct_blob(&entry->password, old_utdv,
57 (ndr_pull_flags_fn_t)ndr_pull_replUpToDateVectorBlob);
58 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
59 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
60 ctx->error_message = talloc_asprintf(ctx,
61 "Failed to pull UpToDateVector: %s",
66 if (DEBUGLEVEL >= 10) {
67 NDR_PRINT_DEBUG(replUpToDateVectorBlob, old_utdv);
72 *pold_utdv = old_utdv;
78 static NTSTATUS keytab_finish(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
79 struct replUpToDateVectorBlob *new_utdv)
81 NTSTATUS status = NT_STATUS_OK;
82 krb5_error_code ret = 0;
83 struct libnet_keytab_context *keytab_ctx =
84 (struct libnet_keytab_context *)ctx->private_data;
87 enum ndr_err_code ndr_err;
90 if (DEBUGLEVEL >= 10) {
91 NDR_PRINT_DEBUG(replUpToDateVectorBlob, new_utdv);
94 ndr_err = ndr_push_struct_blob(&blob, mem_ctx, NULL, new_utdv,
95 (ndr_push_flags_fn_t)ndr_push_replUpToDateVectorBlob);
96 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
97 status = ndr_map_error2ntstatus(ndr_err);
98 ctx->error_message = talloc_asprintf(ctx,
99 "Failed to push UpToDateVector: %s",
104 status = libnet_keytab_add_to_keytab_entries(mem_ctx, keytab_ctx, 0,
108 if (!NT_STATUS_IS_OK(status)) {
113 ret = libnet_keytab_add(keytab_ctx);
115 status = krb5_to_nt_status(ret);
116 ctx->error_message = talloc_asprintf(ctx,
117 "Failed to add entries to keytab %s: %s",
118 keytab_ctx->keytab_name, error_message(ret));
122 ctx->result_message = talloc_asprintf(ctx,
123 "Vampired %d accounts to keytab %s",
125 keytab_ctx->keytab_name);
128 TALLOC_FREE(keytab_ctx);
132 /****************************************************************
133 ****************************************************************/
135 static NTSTATUS parse_supplemental_credentials(TALLOC_CTX *mem_ctx,
136 const DATA_BLOB *blob,
137 struct package_PrimaryKerberosCtr3 **pkb3,
138 struct package_PrimaryKerberosCtr4 **pkb4)
141 enum ndr_err_code ndr_err;
142 struct supplementalCredentialsBlob scb;
143 struct supplementalCredentialsPackage *scpk = NULL;
145 struct package_PrimaryKerberosBlob *pkb;
146 bool newer_keys = false;
149 ndr_err = ndr_pull_struct_blob_all(blob, mem_ctx, NULL, &scb,
150 (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
151 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
152 status = ndr_map_error2ntstatus(ndr_err);
155 if (scb.sub.signature !=
156 SUPPLEMENTAL_CREDENTIALS_SIGNATURE)
158 if (DEBUGLEVEL >= 10) {
159 NDR_PRINT_DEBUG(supplementalCredentialsBlob, &scb);
161 status = NT_STATUS_INVALID_PARAMETER;
164 for (j=0; j < scb.sub.num_packages; j++) {
165 if (strcmp("Primary:Kerberos-Newer-Keys",
166 scb.sub.packages[j].name) == 0)
168 scpk = &scb.sub.packages[j];
169 if (!scpk->data || !scpk->data[0]) {
175 } else if (strcmp("Primary:Kerberos",
176 scb.sub.packages[j].name) == 0)
179 * grab this but don't break here:
180 * there might still be newer-keys ...
182 scpk = &scb.sub.packages[j];
183 if (!scpk->data || !scpk->data[0]) {
191 status = NT_STATUS_OK;
195 scpk_blob = strhex_to_data_blob(mem_ctx, scpk->data);
196 if (!scpk_blob.data) {
197 status = NT_STATUS_NO_MEMORY;
201 pkb = TALLOC_ZERO_P(mem_ctx, struct package_PrimaryKerberosBlob);
203 status = NT_STATUS_NO_MEMORY;
206 ndr_err = ndr_pull_struct_blob(&scpk_blob, mem_ctx, NULL, pkb,
207 (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
208 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
209 status = ndr_map_error2ntstatus(ndr_err);
213 if (!newer_keys && pkb->version != 3) {
214 status = NT_STATUS_INVALID_PARAMETER;
218 if (newer_keys && pkb->version != 4) {
219 status = NT_STATUS_INVALID_PARAMETER;
223 if (pkb->version == 4 && pkb4) {
224 *pkb4 = &pkb->ctr.ctr4;
225 } else if (pkb->version == 3 && pkb3) {
226 *pkb3 = &pkb->ctr.ctr3;
229 status = NT_STATUS_OK;
235 static NTSTATUS parse_object(TALLOC_CTX *mem_ctx,
236 struct libnet_keytab_context *ctx,
237 struct drsuapi_DsReplicaObjectListItemEx *cur)
239 NTSTATUS status = NT_STATUS_OK;
243 struct drsuapi_DsReplicaAttribute *attr;
244 bool got_pwd = false;
246 struct package_PrimaryKerberosCtr3 *pkb3 = NULL;
247 struct package_PrimaryKerberosCtr4 *pkb4 = NULL;
249 char *object_dn = NULL;
252 uint32_t num_spns = 0;
256 uint32_t sam_type = 0;
258 uint32_t pwd_history_len = 0;
259 uint8_t *pwd_history = NULL;
261 ZERO_STRUCT(nt_passwd);
263 object_dn = talloc_strdup(mem_ctx, cur->object.identifier->dn);
265 return NT_STATUS_NO_MEMORY;
268 DEBUG(3, ("parsing object '%s'\n", object_dn));
270 for (i=0; i < cur->object.attribute_ctr.num_attributes; i++) {
272 attr = &cur->object.attribute_ctr.attributes[i];
274 if (attr->attid == DRSUAPI_ATTRIBUTE_servicePrincipalName) {
276 num_spns = attr->value_ctr.num_values;
277 spn = TALLOC_ARRAY(mem_ctx, char *, num_spns);
278 for (count = 0; count < num_spns; count++) {
279 blob = attr->value_ctr.values[count].blob;
280 pull_string_talloc(spn, NULL, 0,
282 blob->data, blob->length,
287 if (attr->value_ctr.num_values != 1) {
291 if (!attr->value_ctr.values[0].blob) {
295 blob = attr->value_ctr.values[0].blob;
297 switch (attr->attid) {
298 case DRSUAPI_ATTRIBUTE_unicodePwd:
300 if (blob->length != 16) {
304 memcpy(&nt_passwd, blob->data, 16);
307 /* pick the kvno from the meta_data version,
308 * thanks, metze, for explaining this */
310 if (!cur->meta_data_ctr) {
313 if (cur->meta_data_ctr->count !=
314 cur->object.attribute_ctr.num_attributes) {
317 kvno = cur->meta_data_ctr->meta_data[i].version;
319 case DRSUAPI_ATTRIBUTE_ntPwdHistory:
320 pwd_history_len = blob->length / 16;
321 pwd_history = blob->data;
323 case DRSUAPI_ATTRIBUTE_userPrincipalName:
324 pull_string_talloc(mem_ctx, NULL, 0, &upn,
325 blob->data, blob->length,
328 case DRSUAPI_ATTRIBUTE_sAMAccountName:
329 pull_string_talloc(mem_ctx, NULL, 0, &name,
330 blob->data, blob->length,
333 case DRSUAPI_ATTRIBUTE_sAMAccountType:
334 sam_type = IVAL(blob->data, 0);
336 case DRSUAPI_ATTRIBUTE_userAccountControl:
337 uacc = IVAL(blob->data, 0);
339 case DRSUAPI_ATTRIBUTE_supplementalCredentials:
340 status = parse_supplemental_credentials(mem_ctx,
344 if (!NT_STATUS_IS_OK(status)) {
345 DEBUG(2, ("parsing of supplemental "
346 "credentials failed: %s\n",
356 DEBUG(10, ("no password (unicodePwd) found - skipping.\n"));
361 status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, 0, object_dn,
364 data_blob_talloc(mem_ctx, name,
366 if (!NT_STATUS_IS_OK(status)) {
370 /* look into keytab ... */
371 struct libnet_keytab_entry *entry = NULL;
372 char *principal = NULL;
374 DEBUG(10, ("looking for SAMACCOUNTNAME/%s@%s in keytayb...\n",
375 object_dn, ctx->dns_domain_name));
377 principal = talloc_asprintf(mem_ctx, "%s/%s@%s",
380 ctx->dns_domain_name);
382 DEBUG(1, ("talloc failed\n"));
383 return NT_STATUS_NO_MEMORY;
385 entry = libnet_keytab_search(ctx, principal, 0, ENCTYPE_NULL,
388 name = (char *)TALLOC_MEMDUP(mem_ctx,
389 entry->password.data,
390 entry->password.length);
392 DEBUG(1, ("talloc failed!"));
393 return NT_STATUS_NO_MEMORY;
395 DEBUG(10, ("found name %s\n", name));
399 DEBUG(10, ("entry not found\n"));
401 TALLOC_FREE(principal);
405 DEBUG(10, ("no name (sAMAccountName) found - skipping.\n"));
409 DEBUG(1,("#%02d: %s:%d, ", ctx->count, name, kvno));
410 DEBUGADD(1,("sAMAccountType: 0x%08x, userAccountControl: 0x%08x",
413 DEBUGADD(1,(", upn: %s", upn));
416 DEBUGADD(1, (", spns: ["));
417 for (i = 0; i < num_spns; i++) {
418 DEBUGADD(1, ("%s%s", spn[i],
419 (i+1 == num_spns)?"]":", "));
424 status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno, name, NULL,
425 ENCTYPE_ARCFOUR_HMAC,
426 data_blob_talloc(mem_ctx, nt_passwd, 16));
428 if (!NT_STATUS_IS_OK(status)) {
432 /* add kerberos keys (if any) */
435 for (i=0; i < pkb4->num_keys; i++) {
436 if (!pkb4->keys[i].value) {
439 status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno,
442 pkb4->keys[i].keytype,
443 *pkb4->keys[i].value);
444 if (!NT_STATUS_IS_OK(status)) {
448 for (i=0; i < pkb4->num_old_keys; i++) {
449 if (!pkb4->old_keys[i].value) {
452 status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno - 1,
455 pkb4->old_keys[i].keytype,
456 *pkb4->old_keys[i].value);
457 if (!NT_STATUS_IS_OK(status)) {
461 for (i=0; i < pkb4->num_older_keys; i++) {
462 if (!pkb4->older_keys[i].value) {
465 status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno - 2,
468 pkb4->older_keys[i].keytype,
469 *pkb4->older_keys[i].value);
470 if (!NT_STATUS_IS_OK(status)) {
477 for (i=0; i < pkb3->num_keys; i++) {
478 if (!pkb3->keys[i].value) {
481 status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno, name,
483 pkb3->keys[i].keytype,
484 *pkb3->keys[i].value);
485 if (!NT_STATUS_IS_OK(status)) {
489 for (i=0; i < pkb3->num_old_keys; i++) {
490 if (!pkb3->old_keys[i].value) {
493 status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno - 1,
496 pkb3->old_keys[i].keytype,
497 *pkb3->old_keys[i].value);
498 if (!NT_STATUS_IS_OK(status)) {
504 if ((kvno < 0) && (kvno < pwd_history_len)) {
508 /* add password history */
510 /* skip first entry */
518 for (; i<pwd_history_len; i++) {
519 status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno--, name, NULL,
520 ENCTYPE_ARCFOUR_HMAC,
521 data_blob_talloc(mem_ctx, &pwd_history[i*16], 16));
522 if (!NT_STATUS_IS_OK(status)) {
530 static bool dn_is_in_object_list(struct dssync_context *ctx,
535 if (ctx->object_count == 0) {
539 for (count = 0; count < ctx->object_count; count++) {
540 if (strequal(ctx->object_dns[count], dn)) {
548 /****************************************************************
549 ****************************************************************/
551 static NTSTATUS keytab_process_objects(struct dssync_context *ctx,
553 struct drsuapi_DsReplicaObjectListItemEx *cur,
554 struct drsuapi_DsReplicaOIDMapping_Ctr *mapping_ctr)
556 NTSTATUS status = NT_STATUS_OK;
557 struct libnet_keytab_context *keytab_ctx =
558 (struct libnet_keytab_context *)ctx->private_data;
560 for (; cur; cur = cur->next_object) {
562 * When not in single object replication mode,
563 * the object_dn list is used as a positive write filter.
565 if (!ctx->single_object_replication &&
566 !dn_is_in_object_list(ctx, cur->object.identifier->dn))
571 status = parse_object(mem_ctx, keytab_ctx, cur);
572 if (!NT_STATUS_IS_OK(status)) {
583 static NTSTATUS keytab_startup(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
584 struct replUpToDateVectorBlob **pold_utdv)
586 return NT_STATUS_NOT_SUPPORTED;
589 static NTSTATUS keytab_finish(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
590 struct replUpToDateVectorBlob *new_utdv)
592 return NT_STATUS_NOT_SUPPORTED;
595 static NTSTATUS keytab_process_objects(struct dssync_context *ctx,
597 struct drsuapi_DsReplicaObjectListItemEx *cur,
598 struct drsuapi_DsReplicaOIDMapping_Ctr *mapping_ctr)
600 return NT_STATUS_NOT_SUPPORTED;
602 #endif /* defined(HAVE_ADS) && defined(ENCTYPE_ARCFOUR_HMAC) */
604 const struct dssync_ops libnet_dssync_keytab_ops = {
605 .startup = keytab_startup,
606 .process_objects = keytab_process_objects,
607 .finish = keytab_finish,
git.samba.org / samba.git / blob