2 Unix SMB/CIFS implementation.
4 Copyright (C) Guenther Deschner <gd@samba.org> 2008
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "libnet/libnet.h"
22 #include "librpc/gen_ndr/ndr_drsblobs.h"
24 #if defined(HAVE_ADS) && defined(ENCTYPE_ARCFOUR_HMAC)
26 static NTSTATUS add_to_keytab_entries(TALLOC_CTX *mem_ctx,
27 struct libnet_keytab_context *ctx,
33 struct libnet_keytab_entry entry;
36 entry.name = talloc_strdup(mem_ctx, name);
37 entry.principal = talloc_asprintf(mem_ctx, "%s%s%s@%s",
40 name, ctx->dns_domain_name);
41 entry.password = blob;
42 NT_STATUS_HAVE_NO_MEMORY(entry.name);
43 NT_STATUS_HAVE_NO_MEMORY(entry.principal);
44 NT_STATUS_HAVE_NO_MEMORY(entry.password.data);
46 ADD_TO_ARRAY(mem_ctx, struct libnet_keytab_entry, entry,
47 &ctx->entries, &ctx->count);
48 NT_STATUS_HAVE_NO_MEMORY(ctx->entries);
53 static NTSTATUS keytab_startup(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
54 struct replUpToDateVectorBlob **pold_utdv)
56 krb5_error_code ret = 0;
57 struct libnet_keytab_context *keytab_ctx;
58 struct libnet_keytab_entry *entry;
59 struct replUpToDateVectorBlob *old_utdv = NULL;
62 ret = libnet_keytab_init(mem_ctx, ctx->output_filename, &keytab_ctx);
64 return krb5_to_nt_status(ret);
67 keytab_ctx->dns_domain_name = ctx->dns_domain_name;
68 ctx->private_data = keytab_ctx;
70 principal = talloc_asprintf(mem_ctx, "UTDV/%s@%s",
71 ctx->nc_dn, ctx->dns_domain_name);
72 NT_STATUS_HAVE_NO_MEMORY(principal);
74 entry = libnet_keytab_search(keytab_ctx, principal, 0, mem_ctx);
76 enum ndr_err_code ndr_err;
77 old_utdv = talloc(mem_ctx, struct replUpToDateVectorBlob);
79 ndr_err = ndr_pull_struct_blob(&entry->password, old_utdv,
81 (ndr_pull_flags_fn_t)ndr_pull_replUpToDateVectorBlob);
82 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
83 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
84 ctx->error_message = talloc_asprintf(mem_ctx,
85 "Failed to pull UpToDateVector: %s",
90 NDR_PRINT_DEBUG(replUpToDateVectorBlob, old_utdv);
94 *pold_utdv = old_utdv;
100 static NTSTATUS keytab_finish(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
101 struct replUpToDateVectorBlob *new_utdv)
103 NTSTATUS status = NT_STATUS_OK;
104 krb5_error_code ret = 0;
105 struct libnet_keytab_context *keytab_ctx =
106 (struct libnet_keytab_context *)ctx->private_data;
109 enum ndr_err_code ndr_err;
112 NDR_PRINT_DEBUG(replUpToDateVectorBlob, new_utdv);
113 ndr_err = ndr_push_struct_blob(&blob, mem_ctx, new_utdv,
114 (ndr_push_flags_fn_t)ndr_push_replUpToDateVectorBlob);
115 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
116 status = ndr_map_error2ntstatus(ndr_err);
117 ctx->error_message = talloc_asprintf(mem_ctx,
118 "Failed to push UpToDateVector: %s",
123 status = add_to_keytab_entries(mem_ctx, keytab_ctx, 0,
124 ctx->nc_dn, "UTDV", blob);
125 if (!NT_STATUS_IS_OK(status)) {
130 ret = libnet_keytab_add(keytab_ctx);
132 status = krb5_to_nt_status(ret);
133 ctx->error_message = talloc_asprintf(mem_ctx,
134 "Failed to add entries to keytab %s: %s",
135 keytab_ctx->keytab_name, error_message(ret));
139 ctx->result_message = talloc_asprintf(mem_ctx,
140 "Vampired %d accounts to keytab %s",
142 keytab_ctx->keytab_name);
145 TALLOC_FREE(keytab_ctx);
149 /****************************************************************
150 ****************************************************************/
152 static NTSTATUS parse_object(TALLOC_CTX *mem_ctx,
153 struct libnet_keytab_context *ctx,
154 struct drsuapi_DsReplicaObjectListItemEx *cur)
156 NTSTATUS status = NT_STATUS_OK;
160 struct drsuapi_DsReplicaAttribute *attr;
161 bool got_pwd = false;
167 uint32_t sam_type = 0;
169 uint32_t pwd_history_len = 0;
170 uint8_t *pwd_history = NULL;
172 ZERO_STRUCT(nt_passwd);
174 for (i=0; i < cur->object.attribute_ctr.num_attributes; i++) {
176 attr = &cur->object.attribute_ctr.attributes[i];
178 if (attr->value_ctr.num_values != 1) {
182 if (!attr->value_ctr.values[0].blob) {
186 blob = attr->value_ctr.values[0].blob;
188 switch (attr->attid) {
189 case DRSUAPI_ATTRIBUTE_unicodePwd:
191 if (blob->length != 16) {
195 memcpy(&nt_passwd, blob->data, 16);
198 /* pick the kvno from the meta_data version,
199 * thanks, metze, for explaining this */
201 if (!cur->meta_data_ctr) {
204 if (cur->meta_data_ctr->count !=
205 cur->object.attribute_ctr.num_attributes) {
208 kvno = cur->meta_data_ctr->meta_data[i].version;
210 case DRSUAPI_ATTRIBUTE_ntPwdHistory:
211 pwd_history_len = blob->length / 16;
212 pwd_history = blob->data;
214 case DRSUAPI_ATTRIBUTE_msDS_KeyVersionNumber:
215 kvno = IVAL(blob->data, 0);
217 case DRSUAPI_ATTRIBUTE_userPrincipalName:
218 pull_string_talloc(mem_ctx, NULL, 0, &upn,
219 blob->data, blob->length,
222 case DRSUAPI_ATTRIBUTE_sAMAccountName:
223 pull_string_talloc(mem_ctx, NULL, 0, &name,
224 blob->data, blob->length,
227 case DRSUAPI_ATTRIBUTE_sAMAccountType:
228 sam_type = IVAL(blob->data, 0);
230 case DRSUAPI_ATTRIBUTE_userAccountControl:
231 uacc = IVAL(blob->data, 0);
238 if (!got_pwd || !name) {
242 DEBUG(1,("#%02d: %s:%d, ", ctx->count, name, kvno));
243 DEBUGADD(1,("sAMAccountType: 0x%08x, userAccountControl: 0x%08x ",
246 DEBUGADD(1,("upn: %s", upn));
250 status = add_to_keytab_entries(mem_ctx, ctx, kvno, name, NULL,
251 data_blob_talloc(mem_ctx, nt_passwd, 16));
253 if (!NT_STATUS_IS_OK(status)) {
257 if ((kvno < 0) && (kvno < pwd_history_len)) {
261 /* add password history */
263 /* skip first entry */
271 for (; i<pwd_history_len; i++) {
272 status = add_to_keytab_entries(mem_ctx, ctx, kvno--, name, NULL,
273 data_blob_talloc(mem_ctx, &pwd_history[i*16], 16));
274 if (!NT_STATUS_IS_OK(status)) {
282 /****************************************************************
283 ****************************************************************/
285 static NTSTATUS keytab_process_objects(struct dssync_context *ctx,
287 struct drsuapi_DsReplicaObjectListItemEx *cur,
288 struct drsuapi_DsReplicaOIDMapping_Ctr *mapping_ctr)
290 NTSTATUS status = NT_STATUS_OK;
291 struct libnet_keytab_context *keytab_ctx =
292 (struct libnet_keytab_context *)ctx->private_data;
294 for (; cur; cur = cur->next_object) {
295 status = parse_object(mem_ctx, keytab_ctx, cur);
296 if (!NT_STATUS_IS_OK(status)) {
307 static NTSTATUS keytab_startup(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
308 struct replUpToDateVectorBlob **pold_utdv)
310 return NT_STATUS_NOT_SUPPORTED;
313 static NTSTATUS keytab_finish(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
314 struct replUpToDateVectorBlob *new_utdv)
316 return NT_STATUS_NOT_SUPPORTED;
319 static NTSTATUS keytab_process_objects(struct dssync_context *ctx,
321 struct drsuapi_DsReplicaObjectListItemEx *cur,
322 struct drsuapi_DsReplicaOIDMapping_Ctr *mapping_ctr)
324 return NT_STATUS_NOT_SUPPORTED;
326 #endif /* defined(HAVE_ADS) && defined(ENCTYPE_ARCFOUR_HMAC) */
328 const struct dssync_ops libnet_dssync_keytab_ops = {
329 .startup = keytab_startup,
330 .process_objects = keytab_process_objects,
331 .finish = keytab_finish,