#include "system/network.h"
#include "dlinklist.h"
#include "lib/ldb/include/ldb.h"
+#include "heimdal/lib/krb5/krb5_locl.h"
#include "heimdal/lib/krb5/krb5-private.h"
#include "auth/auth.h"
+#include "dsdb/samdb/samdb.h"
+#include "rpc_server/dcerpc_server.h"
+#include "rpc_server/samr/proto.h"
+#include "libcli/security/security.h"
/* hold information about one kdc socket */
struct kpasswd_socket {
"Not permitted to change password",
error_blob);
}
- if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
+ if (dominfo && NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
const char *reject_string;
switch (reject_reason) {
case SAMR_REJECT_TOO_SHORT:
reject_string = "Password does not meet complexity requirements";
break;
case SAMR_REJECT_OTHER:
+ default:
reject_string = talloc_asprintf(mem_ctx, "Password must be at least %d characters long, and cannot match any of your %d previous passwords",
dominfo->min_password_length, dominfo->password_history_length);
break;
reply);
}
- DEBUG(3, ("Changing password of %s\n", dom_sid_string(mem_ctx, session_info->security_token->user_sid)));
+ DEBUG(3, ("Changing password of %s\\%s (%s)\n",
+ session_info->server_info->domain_name,
+ session_info->server_info->account_name,
+ dom_sid_string(mem_ctx, session_info->security_token->user_sid)));
/* User password change */
status = samdb_set_password_sid(samdb, mem_ctx,
DATA_BLOB *input,
DATA_BLOB *reply)
{
- NTSTATUS status;
- enum samr_RejectReason reject_reason;
- struct samr_DomInfo1 *dominfo;
- struct ldb_context *samdb;
struct auth_session_info *session_info;
- struct ldb_message *msg = ldb_msg_new(gensec_security);
- krb5_context context = kdc->smb_krb5_context->krb5_context;
- int ret;
- if (!samdb || !msg) {
- return False;
- }
-
if (!NT_STATUS_IS_OK(gensec_session_info(gensec_security,
&session_info))) {
return kpasswdd_make_error_reply(kdc, mem_ctx,
switch (version) {
case KRB5_KPASSWD_VERS_CHANGEPW:
{
- char *password = talloc_strndup(mem_ctx, input->data, input->length);
+ char *password = talloc_strndup(mem_ctx, (const char *)input->data, input->length);
if (!password) {
return False;
}
}
case KRB5_KPASSWD_VERS_SETPW:
{
- size_t len;
+ NTSTATUS status;
+ enum samr_RejectReason reject_reason = SAMR_REJECT_OTHER;
+ struct samr_DomInfo1 *dominfo = NULL;
+ struct ldb_context *samdb;
+ struct ldb_message *msg;
+ krb5_context context = kdc->smb_krb5_context->krb5_context;
+
ChangePasswdDataMS chpw;
char *password;
+
krb5_principal principal;
char *set_password_on_princ;
struct ldb_dn *set_password_on_dn;
- samdb = samdb_connect(gensec_security, session_info);
+ size_t len;
+ int ret;
+
+ msg = ldb_msg_new(mem_ctx);
+ if (!msg) {
+ return False;
+ }
ret = decode_ChangePasswdDataMS(input->data, input->length,
&chpw, &len);
krb5_free_principal(context, principal);
+ samdb = samdb_connect(mem_ctx, session_info);
+ if (!samdb) {
+ return kpasswdd_make_error_reply(kdc, mem_ctx,
+ KRB5_KPASSWD_HARDERROR,
+ "Unable to open database!",
+ reply);
+ }
+
+ DEBUG(3, ("%s\\%s (%s) is changing password of %s\n",
+ session_info->server_info->domain_name,
+ session_info->server_info->account_name,
+ dom_sid_string(mem_ctx, session_info->security_token->user_sid),
+ set_password_on_princ));
+ ret = ldb_transaction_start(samdb);
+ if (ret) {
+ status = NT_STATUS_TRANSACTION_ABORTED;
+ return kpasswd_make_pwchange_reply(kdc, mem_ctx,
+ status,
+ SAMR_REJECT_OTHER,
+ NULL,
+ reply);
+ }
+
status = crack_user_principal_name(samdb, mem_ctx,
set_password_on_princ,
&set_password_on_dn, NULL);
free(set_password_on_princ);
if (!NT_STATUS_IS_OK(status)) {
+ ldb_transaction_cancel(samdb);
return kpasswd_make_pwchange_reply(kdc, mem_ctx,
status,
- reject_reason,
- dominfo,
+ SAMR_REJECT_OTHER,
+ NULL,
reply);
}
- /* Admin password set */
- status = samdb_set_password(samdb, mem_ctx,
- set_password_on_dn, NULL,
- msg, password, NULL, NULL,
- False, /* this is a user password change */
- True, /* run restriction tests */
- &reject_reason, &dominfo);
+ msg = ldb_msg_new(mem_ctx);
+ if (msg == NULL) {
+ ldb_transaction_cancel(samdb);
+ status = NT_STATUS_NO_MEMORY;
+ } else {
+ msg->dn = ldb_dn_copy(msg, set_password_on_dn);
+ if (!msg->dn) {
+ status = NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ if (NT_STATUS_IS_OK(status)) {
+ /* Admin password set */
+ status = samdb_set_password(samdb, mem_ctx,
+ set_password_on_dn, NULL,
+ msg, password, NULL, NULL,
+ False, /* this is not a user password change */
+ True, /* run restriction tests */
+ &reject_reason, &dominfo);
+ }
+ if (NT_STATUS_IS_OK(status)) {
+ /* modify the samdb record */
+ ret = samdb_replace(samdb, mem_ctx, msg);
+ if (ret != 0) {
+ DEBUG(2,("Failed to modify record to set password on %s: %s\n",
+ ldb_dn_linearize(mem_ctx, msg->dn),
+ ldb_errstring(samdb)));
+ status = NT_STATUS_ACCESS_DENIED;
+ }
+ }
+ if (NT_STATUS_IS_OK(status)) {
+ ret = ldb_transaction_commit(samdb);
+ if (ret != 0) {
+ DEBUG(1,("Failed to commit transaction to set password on %s: %s\n",
+ ldb_dn_linearize(mem_ctx, msg->dn),
+ ldb_errstring(samdb)));
+ status = NT_STATUS_TRANSACTION_ABORTED;
+ }
+ } else {
+ ldb_transaction_cancel(samdb);
+ }
return kpasswd_make_pwchange_reply(kdc, mem_ctx,
status,
reject_reason,
}
default:
return kpasswdd_make_error_reply(kdc, mem_ctx,
- KRB5_KPASSWD_BAD_VERSION,
- talloc_asprintf(mem_ctx,
- "Protocol version %u not supported",
- version),
- reply);
+ KRB5_KPASSWD_BAD_VERSION,
+ talloc_asprintf(mem_ctx,
+ "Protocol version %u not supported",
+ version),
+ reply);
}
return True;
}
TALLOC_CTX *mem_ctx,
DATA_BLOB *input,
DATA_BLOB *reply,
- const char *from,
- int src_port)
+ struct socket_address *peer_addr,
+ struct socket_address *my_addr)
{
BOOL ret;
const uint16_t header_len = 6;
uint16_t krb_priv_len;
uint16_t version;
NTSTATUS nt_status;
- DATA_BLOB ap_req, krb_priv_req, krb_priv_rep, ap_rep;
+ DATA_BLOB ap_req, krb_priv_req;
+ DATA_BLOB krb_priv_rep = data_blob(NULL, 0);
+ DATA_BLOB ap_rep = data_blob(NULL, 0);
DATA_BLOB kpasswd_req, kpasswd_rep;
struct cli_credentials *server_credentials;
struct gensec_security *gensec_security;
return False;
}
+ /* Be parinoid. We need to ensure we don't just let the
+ * caller lead us into a buffer overflow */
if (input->length <= header_len) {
talloc_free(tmp_ctx);
return False;
return False;
}
+ /* There are two different versions of this protocol so far,
+ * plus others in the standards pipe. Fortunetly they all
+ * take a very similar framing */
version = RSVAL(input->data, 2);
ap_req_len = RSVAL(input->data, 4);
if ((ap_req_len >= len) || (ap_req_len + header_len) >= len) {
DEBUG(1, ("Failed to init server credentials\n"));
return False;
}
-
+
+ /* We want the credentials subsystem to use the krb5 context
+ * we already have, rather than a new context */
+ cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context);
cli_credentials_set_conf(server_credentials);
nt_status = cli_credentials_set_stored_principal(server_credentials, "kadmin/changepw");
if (!NT_STATUS_IS_OK(nt_status)) {
return ret;
}
- gensec_set_credentials(gensec_security, server_credentials);
+ nt_status = gensec_set_credentials(gensec_security, server_credentials);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(tmp_ctx);
+ return False;
+ }
+
+ /* The kerberos PRIV packets include these addresses. MIT
+ * clients check that they are present */
+ nt_status = gensec_set_peer_addr(gensec_security, peer_addr);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(tmp_ctx);
+ return False;
+ }
+ nt_status = gensec_set_my_addr(gensec_security, my_addr);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(tmp_ctx);
+ return False;
+ }
+
+ /* We want the GENSEC wrap calls to generate PRIV tokens */
gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
nt_status = gensec_start_mech_by_name(gensec_security, "krb5");
return False;
}
+ /* Accept the AP-REQ and generate teh AP-REP we need for the reply */
nt_status = gensec_update(gensec_security, tmp_ctx, ap_req, &ap_rep);
if (!NT_STATUS_IS_OK(nt_status) && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
return ret;
}
+ /* Extract the data from the KRB-PRIV half of the message */
nt_status = gensec_unwrap(gensec_security, tmp_ctx, &krb_priv_req, &kpasswd_req);
if (!NT_STATUS_IS_OK(nt_status)) {
ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
return ret;
}
+ /* Figure out something to do with it (probably changing a password...) */
ret = kpasswd_process_request(kdc, tmp_ctx,
gensec_security,
version,
/* Argh! */
return False;
}
-
+
+ /* And wrap up the reply: This ensures that the error message
+ * or success can be verified by the client */
nt_status = gensec_wrap(gensec_security, tmp_ctx,
&kpasswd_rep, &krb_priv_rep);
if (!NT_STATUS_IS_OK(nt_status)) {