4 Copyright (C) Simo Sorce 2004-2008
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2006
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Stefan Metzmacher 2007
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 * Component: ldb password_hash module
28 * Description: correctly update hash values based on changes to userPassword and friends
30 * Author: Andrew Bartlett
31 * Author: Stefan Metzmacher
35 #include "libcli/ldap/ldap_ndr.h"
36 #include "ldb_module.h"
37 #include "librpc/gen_ndr/misc.h"
38 #include "librpc/gen_ndr/samr.h"
39 #include "libcli/auth/libcli_auth.h"
40 #include "libcli/security/security.h"
41 #include "system/kerberos.h"
42 #include "auth/kerberos/kerberos.h"
43 #include "system/time.h"
44 #include "dsdb/samdb/samdb.h"
45 #include "dsdb/common/flags.h"
46 #include "dsdb/samdb/ldb_modules/password_modules.h"
47 #include "librpc/ndr/libndr.h"
48 #include "librpc/gen_ndr/ndr_drsblobs.h"
49 #include "../lib/crypto/crypto.h"
50 #include "param/param.h"
52 /* If we have decided there is reason to work on this request, then
53 * setup all the password hash types correctly.
55 * If the administrator doesn't want the userPassword stored (set in the
56 * domain and per-account policies) then we must strip that out before
57 * we do the first operation.
59 * Once this is done (which could update anything at all), we
60 * calculate the password hashes.
62 * This function must not only update the unicodePwd, dBCSPwd and
63 * supplementalCredentials fields, it must also atomicly increment the
64 * msDS-KeyVersionNumber. We should be in a transaction, so all this
65 * should be quite safe...
67 * Finally, if the administrator has requested that a password history
68 * be maintained, then this should also be written out.
74 struct ldb_module *module;
75 struct ldb_request *req;
77 struct ldb_request *dom_req;
78 struct ldb_reply *dom_res;
80 struct ldb_reply *search_res;
82 struct dom_sid *domain_sid;
83 struct domain_data *domain;
89 uint_t pwdHistoryLength;
95 struct setup_password_fields_io {
96 struct ph_context *ac;
97 struct domain_data *domain;
98 struct smb_krb5_context *smb_krb5_context;
100 /* infos about the user account */
102 uint32_t user_account_control;
103 const char *sAMAccountName;
104 const char *user_principal_name;
108 /* new credentials */
110 const struct ldb_val *cleartext_utf8;
111 const struct ldb_val *cleartext_utf16;
112 struct samr_Password *nt_hash;
113 struct samr_Password *lm_hash;
116 /* old credentials */
118 uint32_t nt_history_len;
119 struct samr_Password *nt_history;
120 uint32_t lm_history_len;
121 struct samr_Password *lm_history;
122 const struct ldb_val *supplemental;
123 struct supplementalCredentialsBlob scb;
127 /* generated credentials */
129 struct samr_Password *nt_hash;
130 struct samr_Password *lm_hash;
131 uint32_t nt_history_len;
132 struct samr_Password *nt_history;
133 uint32_t lm_history_len;
134 struct samr_Password *lm_history;
140 struct ldb_val supplemental;
146 /* Get the NT hash, and fill it in as an entry in the password history,
147 and specify it into io->g.nt_hash */
149 static int setup_nt_fields(struct setup_password_fields_io *io)
151 struct ldb_context *ldb;
154 io->g.nt_hash = io->n.nt_hash;
155 ldb = ldb_module_get_ctx(io->ac->module);
157 if (io->domain->pwdHistoryLength == 0) {
161 /* We might not have an old NT password */
162 io->g.nt_history = talloc_array(io->ac,
163 struct samr_Password,
164 io->domain->pwdHistoryLength);
165 if (!io->g.nt_history) {
167 return LDB_ERR_OPERATIONS_ERROR;
170 for (i = 0; i < MIN(io->domain->pwdHistoryLength-1, io->o.nt_history_len); i++) {
171 io->g.nt_history[i+1] = io->o.nt_history[i];
173 io->g.nt_history_len = i + 1;
176 io->g.nt_history[0] = *io->g.nt_hash;
179 * TODO: is this correct?
180 * the simular behavior is correct for the lm history case
182 E_md4hash("", io->g.nt_history[0].hash);
188 /* Get the LANMAN hash, and fill it in as an entry in the password history,
189 and specify it into io->g.lm_hash */
191 static int setup_lm_fields(struct setup_password_fields_io *io)
193 struct ldb_context *ldb;
196 io->g.lm_hash = io->n.lm_hash;
197 ldb = ldb_module_get_ctx(io->ac->module);
199 if (io->domain->pwdHistoryLength == 0) {
203 /* We might not have an old NT password */
204 io->g.lm_history = talloc_array(io->ac,
205 struct samr_Password,
206 io->domain->pwdHistoryLength);
207 if (!io->g.lm_history) {
209 return LDB_ERR_OPERATIONS_ERROR;
212 for (i = 0; i < MIN(io->domain->pwdHistoryLength-1, io->o.lm_history_len); i++) {
213 io->g.lm_history[i+1] = io->o.lm_history[i];
215 io->g.lm_history_len = i + 1;
218 io->g.lm_history[0] = *io->g.lm_hash;
220 E_deshash("", io->g.lm_history[0].hash);
226 static int setup_kerberos_keys(struct setup_password_fields_io *io)
228 struct ldb_context *ldb;
229 krb5_error_code krb5_ret;
230 Principal *salt_principal;
233 krb5_data cleartext_data;
235 ldb = ldb_module_get_ctx(io->ac->module);
236 cleartext_data.data = io->n.cleartext_utf8->data;
237 cleartext_data.length = io->n.cleartext_utf8->length;
239 /* Many, many thanks to lukeh@padl.com for this
240 * algorithm, described in his Nov 10 2004 mail to
241 * samba-technical@samba.org */
244 * Determine a salting principal
246 if (io->u.is_computer) {
250 name = talloc_strdup(io->ac, io->u.sAMAccountName);
253 return LDB_ERR_OPERATIONS_ERROR;
256 if (name[strlen(name)-1] == '$') {
257 name[strlen(name)-1] = '\0';
260 saltbody = talloc_asprintf(io->ac, "%s.%s", name, io->domain->dns_domain);
263 return LDB_ERR_OPERATIONS_ERROR;
266 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
268 io->domain->realm, "host",
270 } else if (io->u.user_principal_name) {
271 char *user_principal_name;
274 user_principal_name = talloc_strdup(io->ac, io->u.user_principal_name);
275 if (!user_principal_name) {
277 return LDB_ERR_OPERATIONS_ERROR;
280 p = strchr(user_principal_name, '@');
285 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
287 io->domain->realm, user_principal_name,
290 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
292 io->domain->realm, io->u.sAMAccountName,
296 ldb_asprintf_errstring(ldb,
297 "setup_kerberos_keys: "
298 "generation of a salting principal failed: %s",
299 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
300 return LDB_ERR_OPERATIONS_ERROR;
304 * create salt from salt_principal
306 krb5_ret = krb5_get_pw_salt(io->smb_krb5_context->krb5_context,
307 salt_principal, &salt);
308 krb5_free_principal(io->smb_krb5_context->krb5_context, salt_principal);
310 ldb_asprintf_errstring(ldb,
311 "setup_kerberos_keys: "
312 "generation of krb5_salt failed: %s",
313 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
314 return LDB_ERR_OPERATIONS_ERROR;
316 /* create a talloc copy */
317 io->g.salt = talloc_strndup(io->ac,
319 salt.saltvalue.length);
320 krb5_free_salt(io->smb_krb5_context->krb5_context, salt);
323 return LDB_ERR_OPERATIONS_ERROR;
325 salt.saltvalue.data = discard_const(io->g.salt);
326 salt.saltvalue.length = strlen(io->g.salt);
329 * create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of
330 * the salt and the cleartext password
332 krb5_ret = krb5_string_to_key_data_salt(io->smb_krb5_context->krb5_context,
333 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
338 ldb_asprintf_errstring(ldb,
339 "setup_kerberos_keys: "
340 "generation of a aes256-cts-hmac-sha1-96 key failed: %s",
341 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
342 return LDB_ERR_OPERATIONS_ERROR;
344 io->g.aes_256 = data_blob_talloc(io->ac,
346 key.keyvalue.length);
347 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
348 if (!io->g.aes_256.data) {
350 return LDB_ERR_OPERATIONS_ERROR;
354 * create ENCTYPE_AES128_CTS_HMAC_SHA1_96 key out of
355 * the salt and the cleartext password
357 krb5_ret = krb5_string_to_key_data_salt(io->smb_krb5_context->krb5_context,
358 ENCTYPE_AES128_CTS_HMAC_SHA1_96,
363 ldb_asprintf_errstring(ldb,
364 "setup_kerberos_keys: "
365 "generation of a aes128-cts-hmac-sha1-96 key failed: %s",
366 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
367 return LDB_ERR_OPERATIONS_ERROR;
369 io->g.aes_128 = data_blob_talloc(io->ac,
371 key.keyvalue.length);
372 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
373 if (!io->g.aes_128.data) {
375 return LDB_ERR_OPERATIONS_ERROR;
379 * create ENCTYPE_DES_CBC_MD5 key out of
380 * the salt and the cleartext password
382 krb5_ret = krb5_string_to_key_data_salt(io->smb_krb5_context->krb5_context,
388 ldb_asprintf_errstring(ldb,
389 "setup_kerberos_keys: "
390 "generation of a des-cbc-md5 key failed: %s",
391 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
392 return LDB_ERR_OPERATIONS_ERROR;
394 io->g.des_md5 = data_blob_talloc(io->ac,
396 key.keyvalue.length);
397 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
398 if (!io->g.des_md5.data) {
400 return LDB_ERR_OPERATIONS_ERROR;
404 * create ENCTYPE_DES_CBC_CRC key out of
405 * the salt and the cleartext password
407 krb5_ret = krb5_string_to_key_data_salt(io->smb_krb5_context->krb5_context,
413 ldb_asprintf_errstring(ldb,
414 "setup_kerberos_keys: "
415 "generation of a des-cbc-crc key failed: %s",
416 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
417 return LDB_ERR_OPERATIONS_ERROR;
419 io->g.des_crc = data_blob_talloc(io->ac,
421 key.keyvalue.length);
422 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
423 if (!io->g.des_crc.data) {
425 return LDB_ERR_OPERATIONS_ERROR;
431 static int setup_primary_kerberos(struct setup_password_fields_io *io,
432 const struct supplementalCredentialsBlob *old_scb,
433 struct package_PrimaryKerberosBlob *pkb)
435 struct ldb_context *ldb;
436 struct package_PrimaryKerberosCtr3 *pkb3 = &pkb->ctr.ctr3;
437 struct supplementalCredentialsPackage *old_scp = NULL;
438 struct package_PrimaryKerberosBlob _old_pkb;
439 struct package_PrimaryKerberosCtr3 *old_pkb3 = NULL;
441 enum ndr_err_code ndr_err;
443 ldb = ldb_module_get_ctx(io->ac->module);
446 * prepare generation of keys
448 * ENCTYPE_DES_CBC_MD5
449 * ENCTYPE_DES_CBC_CRC
452 pkb3->salt.string = io->g.salt;
454 pkb3->keys = talloc_array(io->ac,
455 struct package_PrimaryKerberosKey3,
459 return LDB_ERR_OPERATIONS_ERROR;
462 pkb3->keys[0].keytype = ENCTYPE_DES_CBC_MD5;
463 pkb3->keys[0].value = &io->g.des_md5;
464 pkb3->keys[1].keytype = ENCTYPE_DES_CBC_CRC;
465 pkb3->keys[1].value = &io->g.des_crc;
467 /* initialize the old keys to zero */
468 pkb3->num_old_keys = 0;
469 pkb3->old_keys = NULL;
471 /* if there're no old keys, then we're done */
476 for (i=0; i < old_scb->sub.num_packages; i++) {
477 if (strcmp("Primary:Kerberos", old_scb->sub.packages[i].name) != 0) {
481 if (!old_scb->sub.packages[i].data || !old_scb->sub.packages[i].data[0]) {
485 old_scp = &old_scb->sub.packages[i];
488 /* Primary:Kerberos element of supplementalCredentials */
492 blob = strhex_to_data_blob(io->ac, old_scp->data);
495 return LDB_ERR_OPERATIONS_ERROR;
498 /* TODO: use ndr_pull_struct_blob_all(), when the ndr layer handles it correct with relative pointers */
499 ndr_err = ndr_pull_struct_blob(&blob, io->ac, lp_iconv_convenience(ldb_get_opaque(ldb, "loadparm")), &_old_pkb,
500 (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
501 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
502 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
503 ldb_asprintf_errstring(ldb,
504 "setup_primary_kerberos: "
505 "failed to pull old package_PrimaryKerberosBlob: %s",
507 return LDB_ERR_OPERATIONS_ERROR;
510 if (_old_pkb.version != 3) {
511 ldb_asprintf_errstring(ldb,
512 "setup_primary_kerberos: "
513 "package_PrimaryKerberosBlob version[%u] expected[3]",
515 return LDB_ERR_OPERATIONS_ERROR;
518 old_pkb3 = &_old_pkb.ctr.ctr3;
521 /* if we didn't found the old keys we're done */
526 /* fill in the old keys */
527 pkb3->num_old_keys = old_pkb3->num_keys;
528 pkb3->old_keys = old_pkb3->keys;
533 static int setup_primary_kerberos_newer(struct setup_password_fields_io *io,
534 const struct supplementalCredentialsBlob *old_scb,
535 struct package_PrimaryKerberosBlob *pkb)
537 struct ldb_context *ldb;
538 struct package_PrimaryKerberosCtr4 *pkb4 = &pkb->ctr.ctr4;
539 struct supplementalCredentialsPackage *old_scp = NULL;
540 struct package_PrimaryKerberosBlob _old_pkb;
541 struct package_PrimaryKerberosCtr4 *old_pkb4 = NULL;
543 enum ndr_err_code ndr_err;
545 ldb = ldb_module_get_ctx(io->ac->module);
548 * prepare generation of keys
550 * ENCTYPE_AES256_CTS_HMAC_SHA1_96
551 * ENCTYPE_AES128_CTS_HMAC_SHA1_96
552 * ENCTYPE_DES_CBC_MD5
553 * ENCTYPE_DES_CBC_CRC
556 pkb4->salt.string = io->g.salt;
557 pkb4->default_iteration_count = 4096;
560 pkb4->keys = talloc_array(io->ac,
561 struct package_PrimaryKerberosKey4,
565 return LDB_ERR_OPERATIONS_ERROR;
568 pkb4->keys[0].iteration_count = 4096;
569 pkb4->keys[0].keytype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
570 pkb4->keys[0].value = &io->g.aes_256;
571 pkb4->keys[1].iteration_count = 4096;
572 pkb4->keys[1].keytype = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
573 pkb4->keys[1].value = &io->g.aes_128;
574 pkb4->keys[2].iteration_count = 4096;
575 pkb4->keys[2].keytype = ENCTYPE_DES_CBC_MD5;
576 pkb4->keys[2].value = &io->g.des_md5;
577 pkb4->keys[3].iteration_count = 4096;
578 pkb4->keys[3].keytype = ENCTYPE_DES_CBC_CRC;
579 pkb4->keys[3].value = &io->g.des_crc;
581 /* initialize the old keys to zero */
582 pkb4->num_old_keys = 0;
583 pkb4->old_keys = NULL;
584 pkb4->num_older_keys = 0;
585 pkb4->older_keys = NULL;
587 /* if there're no old keys, then we're done */
592 for (i=0; i < old_scb->sub.num_packages; i++) {
593 if (strcmp("Primary:Kerberos-Newer-Keys", old_scb->sub.packages[i].name) != 0) {
597 if (!old_scb->sub.packages[i].data || !old_scb->sub.packages[i].data[0]) {
601 old_scp = &old_scb->sub.packages[i];
604 /* Primary:Kerberos-Newer-Keys element of supplementalCredentials */
608 blob = strhex_to_data_blob(io->ac, old_scp->data);
611 return LDB_ERR_OPERATIONS_ERROR;
614 /* TODO: use ndr_pull_struct_blob_all(), when the ndr layer handles it correct with relative pointers */
615 ndr_err = ndr_pull_struct_blob(&blob, io->ac,
616 lp_iconv_convenience(ldb_get_opaque(ldb, "loadparm")),
618 (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
619 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
620 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
621 ldb_asprintf_errstring(ldb,
622 "setup_primary_kerberos_newer: "
623 "failed to pull old package_PrimaryKerberosBlob: %s",
625 return LDB_ERR_OPERATIONS_ERROR;
628 if (_old_pkb.version != 4) {
629 ldb_asprintf_errstring(ldb,
630 "setup_primary_kerberos_newer: "
631 "package_PrimaryKerberosBlob version[%u] expected[4]",
633 return LDB_ERR_OPERATIONS_ERROR;
636 old_pkb4 = &_old_pkb.ctr.ctr4;
639 /* if we didn't found the old keys we're done */
644 /* fill in the old keys */
645 pkb4->num_old_keys = old_pkb4->num_keys;
646 pkb4->old_keys = old_pkb4->keys;
647 pkb4->num_older_keys = old_pkb4->num_old_keys;
648 pkb4->older_keys = old_pkb4->old_keys;
653 static int setup_primary_wdigest(struct setup_password_fields_io *io,
654 const struct supplementalCredentialsBlob *old_scb,
655 struct package_PrimaryWDigestBlob *pdb)
657 struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
658 DATA_BLOB sAMAccountName;
659 DATA_BLOB sAMAccountName_l;
660 DATA_BLOB sAMAccountName_u;
661 const char *user_principal_name = io->u.user_principal_name;
662 DATA_BLOB userPrincipalName;
663 DATA_BLOB userPrincipalName_l;
664 DATA_BLOB userPrincipalName_u;
665 DATA_BLOB netbios_domain;
666 DATA_BLOB netbios_domain_l;
667 DATA_BLOB netbios_domain_u;
668 DATA_BLOB dns_domain;
669 DATA_BLOB dns_domain_l;
670 DATA_BLOB dns_domain_u;
682 * http://technet2.microsoft.com/WindowsServer/en/library/717b450c-f4a0-4cc9-86f4-cc0633aae5f91033.mspx?mfr=true
683 * for what precalculated hashes are supposed to be stored...
685 * I can't reproduce all values which should contain "Digest" as realm,
686 * am I doing something wrong or is w2k3 just broken...?
688 * W2K3 fills in following for a user:
690 * dn: CN=NewUser,OU=newtop,DC=sub1,DC=w2k3,DC=vmnet1,DC=vm,DC=base
691 * sAMAccountName: NewUser2Sam
692 * userPrincipalName: NewUser2Princ@sub1.w2k3.vmnet1.vm.base
694 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
695 * b7ec9da91062199aee7d121e6710fe23 => newuser2sam:sub1:TestPwd2007
696 * 17d290bc5c9f463fac54c37a8cea134d => NEWUSER2SAM:SUB1:TestPwd2007
697 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
698 * 5d57e7823938348127322e08cd81bcb5 => NewUser2Sam:sub1:TestPwd2007
699 * 07dd701bf8a011ece585de3d47237140 => NEWUSER2SAM:sub1:TestPwd2007
700 * e14fb0eb401498d2cb33c9aae1cc7f37 => newuser2sam:SUB1:TestPwd2007
701 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
702 * f52da1266a6bdd290ffd48b2c823dda7 => newuser2sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
703 * d2b42f171248cec37a3c5c6b55404062 => NEWUSER2SAM:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
704 * fff8d790ff6c152aaeb6ebe17b4021de => NewUser2Sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
705 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
706 * 2a7563c3715bc418d626dabef378c008 => NEWUSER2SAM:sub1.w2k3.vmnet1.vm.base:TestPwd2007
707 * c8e9557a87cd4200fda0c11d2fa03f96 => newuser2sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
708 * 221c55284451ae9b3aacaa2a3c86f10f => NewUser2Princ@sub1.w2k3.vmnet1.vm.base::TestPwd2007
709 * 74e1be668853d4324d38c07e2acfb8ea => (w2k3 has a bug here!) newuser2princ@sub1.w2k3.vmnet1.vm.base::TestPwd2007
710 * e1e244ab7f098e3ae1761be7f9229bbb => NEWUSER2PRINC@SUB1.W2K3.VMNET1.VM.BASE::TestPwd2007
711 * 86db637df42513039920e605499c3af6 => SUB1\NewUser2Sam::TestPwd2007
712 * f5e43474dfaf067fee8197a253debaa2 => sub1\newuser2sam::TestPwd2007
713 * 2ecaa8382e2518e4b77a52422b279467 => SUB1\NEWUSER2SAM::TestPwd2007
714 * 31dc704d3640335b2123d4ee28aa1f11 => ??? changes with NewUser2Sam => NewUser1Sam
715 * 36349f5cecd07320fb3bb0e119230c43 => ??? changes with NewUser2Sam => NewUser1Sam
716 * 12adf019d037fb535c01fd0608e78d9d => ??? changes with NewUser2Sam => NewUser1Sam
717 * 6feecf8e724906f3ee1105819c5105a1 => ??? changes with NewUser2Princ => NewUser1Princ
718 * 6c6911f3de6333422640221b9c51ff1f => ??? changes with NewUser2Princ => NewUser1Princ
719 * 4b279877e742895f9348ac67a8de2f69 => ??? changes with NewUser2Princ => NewUser1Princ
720 * db0c6bff069513e3ebb9870d29b57490 => ??? changes with NewUser2Sam => NewUser1Sam
721 * 45072621e56b1c113a4e04a8ff68cd0e => ??? changes with NewUser2Sam => NewUser1Sam
722 * 11d1220abc44a9c10cf91ef4a9c1de02 => ??? changes with NewUser2Sam => NewUser1Sam
724 * dn: CN=NewUser,OU=newtop,DC=sub1,DC=w2k3,DC=vmnet1,DC=vm,DC=base
725 * sAMAccountName: NewUser2Sam
727 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
728 * b7ec9da91062199aee7d121e6710fe23 => newuser2sam:sub1:TestPwd2007
729 * 17d290bc5c9f463fac54c37a8cea134d => NEWUSER2SAM:SUB1:TestPwd2007
730 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
731 * 5d57e7823938348127322e08cd81bcb5 => NewUser2Sam:sub1:TestPwd2007
732 * 07dd701bf8a011ece585de3d47237140 => NEWUSER2SAM:sub1:TestPwd2007
733 * e14fb0eb401498d2cb33c9aae1cc7f37 => newuser2sam:SUB1:TestPwd2007
734 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
735 * f52da1266a6bdd290ffd48b2c823dda7 => newuser2sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
736 * d2b42f171248cec37a3c5c6b55404062 => NEWUSER2SAM:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
737 * fff8d790ff6c152aaeb6ebe17b4021de => NewUser2Sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
738 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
739 * 2a7563c3715bc418d626dabef378c008 => NEWUSER2SAM:sub1.w2k3.vmnet1.vm.base:TestPwd2007
740 * c8e9557a87cd4200fda0c11d2fa03f96 => newuser2sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
741 * 8a140d30b6f0a5912735dc1e3bc993b4 => NewUser2Sam@sub1.w2k3.vmnet1.vm.base::TestPwd2007
742 * 86d95b2faae6cae4ec261e7fbaccf093 => (here w2k3 is correct) newuser2sam@sub1.w2k3.vmnet1.vm.base::TestPwd2007
743 * dfeff1493110220efcdfc6362e5f5450 => NEWUSER2SAM@SUB1.W2K3.VMNET1.VM.BASE::TestPwd2007
744 * 86db637df42513039920e605499c3af6 => SUB1\NewUser2Sam::TestPwd2007
745 * f5e43474dfaf067fee8197a253debaa2 => sub1\newuser2sam::TestPwd2007
746 * 2ecaa8382e2518e4b77a52422b279467 => SUB1\NEWUSER2SAM::TestPwd2007
747 * 31dc704d3640335b2123d4ee28aa1f11 => ???M1 changes with NewUser2Sam => NewUser1Sam
748 * 36349f5cecd07320fb3bb0e119230c43 => ???M1.L changes with newuser2sam => newuser1sam
749 * 12adf019d037fb535c01fd0608e78d9d => ???M1.U changes with NEWUSER2SAM => NEWUSER1SAM
750 * 569b4533f2d9e580211dd040e5e360a8 => ???M2 changes with NewUser2Princ => NewUser1Princ
751 * 52528bddf310a587c5d7e6a9ae2cbb20 => ???M2.L changes with newuser2princ => newuser1princ
752 * 4f629a4f0361289ca4255ab0f658fcd5 => ???M3 changes with NewUser2Princ => NewUser1Princ (doesn't depend on case of userPrincipal )
753 * db0c6bff069513e3ebb9870d29b57490 => ???M4 changes with NewUser2Sam => NewUser1Sam
754 * 45072621e56b1c113a4e04a8ff68cd0e => ???M5 changes with NewUser2Sam => NewUser1Sam (doesn't depend on case of sAMAccountName)
755 * 11d1220abc44a9c10cf91ef4a9c1de02 => ???M4.U changes with NEWUSER2SAM => NEWUSER1SAM
759 * sAMAccountName, netbios_domain
762 .user = &sAMAccountName,
763 .realm = &netbios_domain,
766 .user = &sAMAccountName_l,
767 .realm = &netbios_domain_l,
770 .user = &sAMAccountName_u,
771 .realm = &netbios_domain_u,
774 .user = &sAMAccountName,
775 .realm = &netbios_domain_u,
778 .user = &sAMAccountName,
779 .realm = &netbios_domain_l,
782 .user = &sAMAccountName_u,
783 .realm = &netbios_domain_l,
786 .user = &sAMAccountName_l,
787 .realm = &netbios_domain_u,
790 * sAMAccountName, dns_domain
793 .user = &sAMAccountName,
794 .realm = &dns_domain,
797 .user = &sAMAccountName_l,
798 .realm = &dns_domain_l,
801 .user = &sAMAccountName_u,
802 .realm = &dns_domain_u,
805 .user = &sAMAccountName,
806 .realm = &dns_domain_u,
809 .user = &sAMAccountName,
810 .realm = &dns_domain_l,
813 .user = &sAMAccountName_u,
814 .realm = &dns_domain_l,
817 .user = &sAMAccountName_l,
818 .realm = &dns_domain_u,
821 * userPrincipalName, no realm
824 .user = &userPrincipalName,
828 * NOTE: w2k3 messes this up, if the user has a real userPrincipalName,
829 * the fallback to the sAMAccountName based userPrincipalName is correct
831 .user = &userPrincipalName_l,
834 .user = &userPrincipalName_u,
837 * nt4dom\sAMAccountName, no realm
840 .user = &sAMAccountName,
841 .nt4dom = &netbios_domain
844 .user = &sAMAccountName_l,
845 .nt4dom = &netbios_domain_l
848 .user = &sAMAccountName_u,
849 .nt4dom = &netbios_domain_u
853 * the following ones are guessed depending on the technet2 article
854 * but not reproducable on a w2k3 server
856 /* sAMAccountName with "Digest" realm */
858 .user = &sAMAccountName,
862 .user = &sAMAccountName_l,
866 .user = &sAMAccountName_u,
869 /* userPrincipalName with "Digest" realm */
871 .user = &userPrincipalName,
875 .user = &userPrincipalName_l,
879 .user = &userPrincipalName_u,
882 /* nt4dom\\sAMAccountName with "Digest" realm */
884 .user = &sAMAccountName,
885 .nt4dom = &netbios_domain,
889 .user = &sAMAccountName_l,
890 .nt4dom = &netbios_domain_l,
894 .user = &sAMAccountName_u,
895 .nt4dom = &netbios_domain_u,
900 /* prepare DATA_BLOB's used in the combinations array */
901 sAMAccountName = data_blob_string_const(io->u.sAMAccountName);
902 sAMAccountName_l = data_blob_string_const(strlower_talloc(io->ac, io->u.sAMAccountName));
903 if (!sAMAccountName_l.data) {
905 return LDB_ERR_OPERATIONS_ERROR;
907 sAMAccountName_u = data_blob_string_const(strupper_talloc(io->ac, io->u.sAMAccountName));
908 if (!sAMAccountName_u.data) {
910 return LDB_ERR_OPERATIONS_ERROR;
913 /* if the user doesn't have a userPrincipalName, create one (with lower case realm) */
914 if (!user_principal_name) {
915 user_principal_name = talloc_asprintf(io->ac, "%s@%s",
916 io->u.sAMAccountName,
917 io->domain->dns_domain);
918 if (!user_principal_name) {
920 return LDB_ERR_OPERATIONS_ERROR;
923 userPrincipalName = data_blob_string_const(user_principal_name);
924 userPrincipalName_l = data_blob_string_const(strlower_talloc(io->ac, user_principal_name));
925 if (!userPrincipalName_l.data) {
927 return LDB_ERR_OPERATIONS_ERROR;
929 userPrincipalName_u = data_blob_string_const(strupper_talloc(io->ac, user_principal_name));
930 if (!userPrincipalName_u.data) {
932 return LDB_ERR_OPERATIONS_ERROR;
935 netbios_domain = data_blob_string_const(io->domain->netbios_domain);
936 netbios_domain_l = data_blob_string_const(strlower_talloc(io->ac, io->domain->netbios_domain));
937 if (!netbios_domain_l.data) {
939 return LDB_ERR_OPERATIONS_ERROR;
941 netbios_domain_u = data_blob_string_const(strupper_talloc(io->ac, io->domain->netbios_domain));
942 if (!netbios_domain_u.data) {
944 return LDB_ERR_OPERATIONS_ERROR;
947 dns_domain = data_blob_string_const(io->domain->dns_domain);
948 dns_domain_l = data_blob_string_const(io->domain->dns_domain);
949 dns_domain_u = data_blob_string_const(io->domain->realm);
951 digest = data_blob_string_const("Digest");
953 delim = data_blob_string_const(":");
954 backslash = data_blob_string_const("\\");
956 pdb->num_hashes = ARRAY_SIZE(wdigest);
957 pdb->hashes = talloc_array(io->ac, struct package_PrimaryWDigestHash, pdb->num_hashes);
960 return LDB_ERR_OPERATIONS_ERROR;
963 for (i=0; i < ARRAY_SIZE(wdigest); i++) {
964 struct MD5Context md5;
966 if (wdigest[i].nt4dom) {
967 MD5Update(&md5, wdigest[i].nt4dom->data, wdigest[i].nt4dom->length);
968 MD5Update(&md5, backslash.data, backslash.length);
970 MD5Update(&md5, wdigest[i].user->data, wdigest[i].user->length);
971 MD5Update(&md5, delim.data, delim.length);
972 if (wdigest[i].realm) {
973 MD5Update(&md5, wdigest[i].realm->data, wdigest[i].realm->length);
975 MD5Update(&md5, delim.data, delim.length);
976 MD5Update(&md5, io->n.cleartext_utf8->data, io->n.cleartext_utf8->length);
977 MD5Final(pdb->hashes[i].hash, &md5);
983 static int setup_supplemental_field(struct setup_password_fields_io *io)
985 struct ldb_context *ldb;
986 struct supplementalCredentialsBlob scb;
987 struct supplementalCredentialsBlob _old_scb;
988 struct supplementalCredentialsBlob *old_scb = NULL;
989 /* Packages + (Kerberos-Newer-Keys, Kerberos, WDigest and CLEARTEXT) */
990 uint32_t num_names = 0;
991 const char *names[1+4];
992 uint32_t num_packages = 0;
993 struct supplementalCredentialsPackage packages[1+4];
995 struct supplementalCredentialsPackage *pp = NULL;
996 struct package_PackagesBlob pb;
999 /* Primary:Kerberos-Newer-Keys */
1000 const char **nkn = NULL;
1001 struct supplementalCredentialsPackage *pkn = NULL;
1002 struct package_PrimaryKerberosBlob pknb;
1003 DATA_BLOB pknb_blob;
1005 /* Primary:Kerberos */
1006 const char **nk = NULL;
1007 struct supplementalCredentialsPackage *pk = NULL;
1008 struct package_PrimaryKerberosBlob pkb;
1011 /* Primary:WDigest */
1012 const char **nd = NULL;
1013 struct supplementalCredentialsPackage *pd = NULL;
1014 struct package_PrimaryWDigestBlob pdb;
1017 /* Primary:CLEARTEXT */
1018 const char **nc = NULL;
1019 struct supplementalCredentialsPackage *pc = NULL;
1020 struct package_PrimaryCLEARTEXTBlob pcb;
1024 enum ndr_err_code ndr_err;
1026 bool do_newer_keys = false;
1027 bool do_cleartext = false;
1029 ZERO_STRUCT(zero16);
1032 ldb = ldb_module_get_ctx(io->ac->module);
1034 if (!io->n.cleartext_utf8) {
1036 * when we don't have a cleartext password
1037 * we can't setup a supplementalCredential value
1042 /* if there's an old supplementaCredentials blob then parse it */
1043 if (io->o.supplemental) {
1044 ndr_err = ndr_pull_struct_blob_all(io->o.supplemental, io->ac,
1045 lp_iconv_convenience(ldb_get_opaque(ldb, "loadparm")),
1047 (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
1048 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1049 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1050 ldb_asprintf_errstring(ldb,
1051 "setup_supplemental_field: "
1052 "failed to pull old supplementalCredentialsBlob: %s",
1054 return LDB_ERR_OPERATIONS_ERROR;
1057 if (_old_scb.sub.signature == SUPPLEMENTAL_CREDENTIALS_SIGNATURE) {
1058 old_scb = &_old_scb;
1060 ldb_debug(ldb, LDB_DEBUG_ERROR,
1061 "setup_supplemental_field: "
1062 "supplementalCredentialsBlob signature[0x%04X] expected[0x%04X]",
1063 _old_scb.sub.signature, SUPPLEMENTAL_CREDENTIALS_SIGNATURE);
1067 /* TODO: do the correct check for this, it maybe depends on the functional level? */
1068 do_newer_keys = lp_parm_bool(ldb_get_opaque(ldb, "loadparm"),
1069 NULL, "password_hash", "create_aes_key", false);
1071 if (io->domain->store_cleartext &&
1072 (io->u.user_account_control & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
1073 do_cleartext = true;
1077 * The ordering is this
1079 * Primary:Kerberos-Newer-Keys (optional)
1082 * Primary:CLEARTEXT (optional)
1084 * And the 'Packages' package is insert before the last
1087 if (do_newer_keys) {
1088 /* Primary:Kerberos-Newer-Keys */
1089 nkn = &names[num_names++];
1090 pkn = &packages[num_packages++];
1093 /* Primary:Kerberos */
1094 nk = &names[num_names++];
1095 pk = &packages[num_packages++];
1097 if (!do_cleartext) {
1099 pp = &packages[num_packages++];
1102 /* Primary:WDigest */
1103 nd = &names[num_names++];
1104 pd = &packages[num_packages++];
1108 pp = &packages[num_packages++];
1110 /* Primary:CLEARTEXT */
1111 nc = &names[num_names++];
1112 pc = &packages[num_packages++];
1117 * setup 'Primary:Kerberos-Newer-Keys' element
1119 *nkn = "Kerberos-Newer-Keys";
1121 ret = setup_primary_kerberos_newer(io, old_scb, &pknb);
1122 if (ret != LDB_SUCCESS) {
1126 ndr_err = ndr_push_struct_blob(&pknb_blob, io->ac,
1127 lp_iconv_convenience(ldb_get_opaque(ldb, "loadparm")),
1129 (ndr_push_flags_fn_t)ndr_push_package_PrimaryKerberosBlob);
1130 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1131 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1132 ldb_asprintf_errstring(ldb,
1133 "setup_supplemental_field: "
1134 "failed to push package_PrimaryKerberosNeverBlob: %s",
1136 return LDB_ERR_OPERATIONS_ERROR;
1138 pknb_hexstr = data_blob_hex_string(io->ac, &pknb_blob);
1141 return LDB_ERR_OPERATIONS_ERROR;
1143 pkn->name = "Primary:Kerberos-Newer-Keys";
1145 pkn->data = pknb_hexstr;
1149 * setup 'Primary:Kerberos' element
1153 ret = setup_primary_kerberos(io, old_scb, &pkb);
1154 if (ret != LDB_SUCCESS) {
1158 ndr_err = ndr_push_struct_blob(&pkb_blob, io->ac,
1159 lp_iconv_convenience(ldb_get_opaque(ldb, "loadparm")),
1161 (ndr_push_flags_fn_t)ndr_push_package_PrimaryKerberosBlob);
1162 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1163 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1164 ldb_asprintf_errstring(ldb,
1165 "setup_supplemental_field: "
1166 "failed to push package_PrimaryKerberosBlob: %s",
1168 return LDB_ERR_OPERATIONS_ERROR;
1170 pkb_hexstr = data_blob_hex_string(io->ac, &pkb_blob);
1173 return LDB_ERR_OPERATIONS_ERROR;
1175 pk->name = "Primary:Kerberos";
1177 pk->data = pkb_hexstr;
1180 * setup 'Primary:WDigest' element
1184 ret = setup_primary_wdigest(io, old_scb, &pdb);
1185 if (ret != LDB_SUCCESS) {
1189 ndr_err = ndr_push_struct_blob(&pdb_blob, io->ac,
1190 lp_iconv_convenience(ldb_get_opaque(ldb, "loadparm")),
1192 (ndr_push_flags_fn_t)ndr_push_package_PrimaryWDigestBlob);
1193 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1194 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1195 ldb_asprintf_errstring(ldb,
1196 "setup_supplemental_field: "
1197 "failed to push package_PrimaryWDigestBlob: %s",
1199 return LDB_ERR_OPERATIONS_ERROR;
1201 pdb_hexstr = data_blob_hex_string(io->ac, &pdb_blob);
1204 return LDB_ERR_OPERATIONS_ERROR;
1206 pd->name = "Primary:WDigest";
1208 pd->data = pdb_hexstr;
1211 * setup 'Primary:CLEARTEXT' element
1216 pcb.cleartext = *io->n.cleartext_utf16;
1218 ndr_err = ndr_push_struct_blob(&pcb_blob, io->ac,
1219 lp_iconv_convenience(ldb_get_opaque(ldb, "loadparm")),
1221 (ndr_push_flags_fn_t)ndr_push_package_PrimaryCLEARTEXTBlob);
1222 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1223 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1224 ldb_asprintf_errstring(ldb,
1225 "setup_supplemental_field: "
1226 "failed to push package_PrimaryCLEARTEXTBlob: %s",
1228 return LDB_ERR_OPERATIONS_ERROR;
1230 pcb_hexstr = data_blob_hex_string(io->ac, &pcb_blob);
1233 return LDB_ERR_OPERATIONS_ERROR;
1235 pc->name = "Primary:CLEARTEXT";
1237 pc->data = pcb_hexstr;
1241 * setup 'Packages' element
1244 ndr_err = ndr_push_struct_blob(&pb_blob, io->ac,
1245 lp_iconv_convenience(ldb_get_opaque(ldb, "loadparm")),
1247 (ndr_push_flags_fn_t)ndr_push_package_PackagesBlob);
1248 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1249 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1250 ldb_asprintf_errstring(ldb,
1251 "setup_supplemental_field: "
1252 "failed to push package_PackagesBlob: %s",
1254 return LDB_ERR_OPERATIONS_ERROR;
1256 pb_hexstr = data_blob_hex_string(io->ac, &pb_blob);
1259 return LDB_ERR_OPERATIONS_ERROR;
1261 pp->name = "Packages";
1263 pp->data = pb_hexstr;
1266 * setup 'supplementalCredentials' value
1269 scb.sub.num_packages = num_packages;
1270 scb.sub.packages = packages;
1272 ndr_err = ndr_push_struct_blob(&io->g.supplemental, io->ac,
1273 lp_iconv_convenience(ldb_get_opaque(ldb, "loadparm")),
1275 (ndr_push_flags_fn_t)ndr_push_supplementalCredentialsBlob);
1276 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1277 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1278 ldb_asprintf_errstring(ldb,
1279 "setup_supplemental_field: "
1280 "failed to push supplementalCredentialsBlob: %s",
1282 return LDB_ERR_OPERATIONS_ERROR;
1288 static int setup_last_set_field(struct setup_password_fields_io *io)
1291 unix_to_nt_time(&io->g.last_set, time(NULL));
1296 static int setup_kvno_field(struct setup_password_fields_io *io)
1298 /* increment by one */
1299 io->g.kvno = io->o.kvno + 1;
1304 static int setup_password_fields(struct setup_password_fields_io *io)
1306 struct ldb_context *ldb;
1309 ssize_t converted_pw_len;
1311 ldb = ldb_module_get_ctx(io->ac->module);
1314 * refuse the change if someone want to change the cleartext
1315 * and supply his own hashes at the same time...
1317 if ((io->n.cleartext_utf8 || io->n.cleartext_utf16) && (io->n.nt_hash || io->n.lm_hash)) {
1318 ldb_asprintf_errstring(ldb,
1319 "setup_password_fields: "
1320 "it's only allowed to set the cleartext password or the password hashes");
1321 return LDB_ERR_UNWILLING_TO_PERFORM;
1324 if (io->n.cleartext_utf8 && io->n.cleartext_utf16) {
1325 ldb_asprintf_errstring(ldb,
1326 "setup_password_fields: "
1327 "it's only allowed to set the cleartext password as userPassword or clearTextPasssword, not both at once");
1328 return LDB_ERR_UNWILLING_TO_PERFORM;
1331 if (io->n.cleartext_utf8) {
1332 char **cleartext_utf16_str;
1333 struct ldb_val *cleartext_utf16_blob;
1334 io->n.cleartext_utf16 = cleartext_utf16_blob = talloc(io->ac, struct ldb_val);
1335 if (!io->n.cleartext_utf16) {
1337 return LDB_ERR_OPERATIONS_ERROR;
1339 converted_pw_len = convert_string_talloc_convenience(io->ac, lp_iconv_convenience(ldb_get_opaque(ldb, "loadparm")),
1340 CH_UTF8, CH_UTF16, io->n.cleartext_utf8->data, io->n.cleartext_utf8->length,
1341 (void **)&cleartext_utf16_str);
1342 if (converted_pw_len == -1) {
1343 ldb_asprintf_errstring(ldb,
1344 "setup_password_fields: "
1345 "failed to generate UTF16 password from cleartext UTF8 password");
1346 return LDB_ERR_OPERATIONS_ERROR;
1348 *cleartext_utf16_blob = data_blob_const(cleartext_utf16_str, converted_pw_len);
1349 } else if (io->n.cleartext_utf16) {
1350 char *cleartext_utf8_str;
1351 struct ldb_val *cleartext_utf8_blob;
1352 io->n.cleartext_utf8 = cleartext_utf8_blob = talloc(io->ac, struct ldb_val);
1353 if (!io->n.cleartext_utf8) {
1355 return LDB_ERR_OPERATIONS_ERROR;
1357 converted_pw_len = convert_string_talloc_convenience(io->ac, lp_iconv_convenience(ldb_get_opaque(ldb, "loadparm")),
1358 CH_UTF16MUNGED, CH_UTF8, io->n.cleartext_utf16->data, io->n.cleartext_utf16->length,
1359 (void **)&cleartext_utf8_str);
1360 if (converted_pw_len == -1) {
1361 /* We can't bail out entirely, as these unconvertable passwords are frustratingly valid */
1362 io->n.cleartext_utf8 = NULL;
1363 talloc_free(cleartext_utf8_blob);
1365 *cleartext_utf8_blob = data_blob_const(cleartext_utf8_str, converted_pw_len);
1367 if (io->n.cleartext_utf16) {
1368 struct samr_Password *nt_hash;
1369 nt_hash = talloc(io->ac, struct samr_Password);
1372 return LDB_ERR_OPERATIONS_ERROR;
1374 io->n.nt_hash = nt_hash;
1376 /* compute the new nt hash */
1377 mdfour(nt_hash->hash, io->n.cleartext_utf16->data, io->n.cleartext_utf16->length);
1380 if (io->n.cleartext_utf8) {
1381 struct samr_Password *lm_hash;
1382 char *cleartext_unix;
1383 converted_pw_len = convert_string_talloc_convenience(io->ac, lp_iconv_convenience(ldb_get_opaque(ldb, "loadparm")),
1384 CH_UTF8, CH_UNIX, io->n.cleartext_utf8->data, io->n.cleartext_utf8->length,
1385 (void **)&cleartext_unix);
1386 if (converted_pw_len != -1) {
1387 lm_hash = talloc(io->ac, struct samr_Password);
1390 return LDB_ERR_OPERATIONS_ERROR;
1393 /* compute the new lm hash. */
1394 ok = E_deshash((char *)cleartext_unix, lm_hash->hash);
1396 io->n.lm_hash = lm_hash;
1398 talloc_free(lm_hash->hash);
1402 ret = setup_kerberos_keys(io);
1408 ret = setup_nt_fields(io);
1413 ret = setup_lm_fields(io);
1418 ret = setup_supplemental_field(io);
1423 ret = setup_last_set_field(io);
1428 ret = setup_kvno_field(io);
1436 static struct ph_context *ph_init_context(struct ldb_module *module,
1437 struct ldb_request *req)
1439 struct ldb_context *ldb;
1440 struct ph_context *ac;
1442 ldb = ldb_module_get_ctx(module);
1444 ac = talloc_zero(req, struct ph_context);
1446 ldb_set_errstring(ldb, "Out of Memory");
1450 ac->module = module;
1456 static int ph_op_callback(struct ldb_request *req, struct ldb_reply *ares)
1458 struct ph_context *ac;
1460 ac = talloc_get_type(req->context, struct ph_context);
1463 return ldb_module_done(ac->req, NULL, NULL,
1464 LDB_ERR_OPERATIONS_ERROR);
1466 if (ares->error != LDB_SUCCESS) {
1467 return ldb_module_done(ac->req, ares->controls,
1468 ares->response, ares->error);
1471 if (ares->type != LDB_REPLY_DONE) {
1473 return ldb_module_done(ac->req, NULL, NULL,
1474 LDB_ERR_OPERATIONS_ERROR);
1477 return ldb_module_done(ac->req, ares->controls,
1478 ares->response, ares->error);
1481 static int password_hash_add_do_add(struct ph_context *ac);
1482 static int ph_modify_callback(struct ldb_request *req, struct ldb_reply *ares);
1483 static int password_hash_mod_search_self(struct ph_context *ac);
1484 static int ph_mod_search_callback(struct ldb_request *req, struct ldb_reply *ares);
1485 static int password_hash_mod_do_mod(struct ph_context *ac);
1487 static int get_domain_data_callback(struct ldb_request *req,
1488 struct ldb_reply *ares)
1490 struct ldb_context *ldb;
1491 struct domain_data *data;
1492 struct ph_context *ac;
1497 ac = talloc_get_type(req->context, struct ph_context);
1498 ldb = ldb_module_get_ctx(ac->module);
1501 return ldb_module_done(ac->req, NULL, NULL,
1502 LDB_ERR_OPERATIONS_ERROR);
1504 if (ares->error != LDB_SUCCESS) {
1505 return ldb_module_done(ac->req, ares->controls,
1506 ares->response, ares->error);
1509 switch (ares->type) {
1510 case LDB_REPLY_ENTRY:
1511 if (ac->domain != NULL) {
1512 ldb_set_errstring(ldb, "Too many results");
1513 return ldb_module_done(ac->req, NULL, NULL,
1514 LDB_ERR_OPERATIONS_ERROR);
1517 data = talloc_zero(ac, struct domain_data);
1519 return ldb_module_done(ac->req, NULL, NULL,
1520 LDB_ERR_OPERATIONS_ERROR);
1523 data->pwdProperties = samdb_result_uint(ares->message, "pwdProperties", 0);
1524 data->store_cleartext = data->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT;
1525 data->pwdHistoryLength = samdb_result_uint(ares->message, "pwdHistoryLength", 0);
1527 /* For a domain DN, this puts things in dotted notation */
1528 /* For builtin domains, this will give details for the host,
1529 * but that doesn't really matter, as it's just used for salt
1530 * and kerberos principals, which don't exist here */
1532 tmp = ldb_dn_canonical_string(data, ares->message->dn);
1534 return ldb_module_done(ac->req, NULL, NULL,
1535 LDB_ERR_OPERATIONS_ERROR);
1538 /* But it puts a trailing (or just before 'builtin') / on things, so kill that */
1539 p = strchr(tmp, '/');
1544 data->dns_domain = strlower_talloc(data, tmp);
1545 if (data->dns_domain == NULL) {
1547 return ldb_module_done(ac->req, NULL, NULL,
1548 LDB_ERR_OPERATIONS_ERROR);
1550 data->realm = strupper_talloc(data, tmp);
1551 if (data->realm == NULL) {
1553 return ldb_module_done(ac->req, NULL, NULL,
1554 LDB_ERR_OPERATIONS_ERROR);
1556 /* FIXME: NetbIOS name is *always* the first domain component ?? -SSS */
1557 p = strchr(tmp, '.');
1561 data->netbios_domain = strupper_talloc(data, tmp);
1562 if (data->netbios_domain == NULL) {
1564 return ldb_module_done(ac->req, NULL, NULL,
1565 LDB_ERR_OPERATIONS_ERROR);
1572 case LDB_REPLY_DONE:
1574 /* call the next step */
1575 switch (ac->req->operation) {
1577 ret = password_hash_add_do_add(ac);
1581 ret = password_hash_mod_do_mod(ac);
1585 ret = LDB_ERR_OPERATIONS_ERROR;
1588 if (ret != LDB_SUCCESS) {
1589 return ldb_module_done(ac->req, NULL, NULL, ret);
1592 case LDB_REPLY_REFERRAL:
1601 static int build_domain_data_request(struct ph_context *ac)
1603 /* attrs[] is returned from this function in
1604 ac->dom_req->op.search.attrs, so it must be static, as
1605 otherwise the compiler can put it on the stack */
1606 struct ldb_context *ldb;
1607 static const char * const attrs[] = { "pwdProperties", "pwdHistoryLength", NULL };
1610 ldb = ldb_module_get_ctx(ac->module);
1612 filter = talloc_asprintf(ac,
1613 "(&(objectSid=%s)(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain)))",
1614 ldap_encode_ndr_dom_sid(ac, ac->domain_sid));
1615 if (filter == NULL) {
1617 return LDB_ERR_OPERATIONS_ERROR;
1620 return ldb_build_search_req(&ac->dom_req, ldb, ac,
1621 ldb_get_default_basedn(ldb),
1625 ac, get_domain_data_callback,
1629 static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
1631 struct ldb_context *ldb;
1632 struct ph_context *ac;
1633 struct ldb_message_element *sambaAttr;
1634 struct ldb_message_element *clearTextPasswordAttr;
1635 struct ldb_message_element *ntAttr;
1636 struct ldb_message_element *lmAttr;
1639 ldb = ldb_module_get_ctx(module);
1641 ldb_debug(ldb, LDB_DEBUG_TRACE, "password_hash_add\n");
1643 if (ldb_dn_is_special(req->op.add.message->dn)) { /* do not manipulate our control entries */
1644 return ldb_next_request(module, req);
1647 /* If the caller is manipulating the local passwords directly, let them pass */
1648 if (ldb_dn_compare_base(ldb_dn_new(req, ldb, LOCAL_BASE),
1649 req->op.add.message->dn) == 0) {
1650 return ldb_next_request(module, req);
1653 /* nobody must touch these fields */
1654 if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory")) {
1655 return LDB_ERR_UNWILLING_TO_PERFORM;
1657 if (ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) {
1658 return LDB_ERR_UNWILLING_TO_PERFORM;
1660 if (ldb_msg_find_element(req->op.add.message, "supplementalCredentials")) {
1661 return LDB_ERR_UNWILLING_TO_PERFORM;
1664 /* If no part of this ADD touches the userPassword, or the NT
1665 * or LM hashes, then we don't need to make any changes. */
1667 sambaAttr = ldb_msg_find_element(req->op.mod.message, "userPassword");
1668 clearTextPasswordAttr = ldb_msg_find_element(req->op.mod.message, "clearTextPassword");
1669 ntAttr = ldb_msg_find_element(req->op.mod.message, "unicodePwd");
1670 lmAttr = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
1672 if ((!sambaAttr) && (!clearTextPasswordAttr) && (!ntAttr) && (!lmAttr)) {
1673 return ldb_next_request(module, req);
1676 /* if it is not an entry of type person its an error */
1677 /* TODO: remove this when userPassword will be in schema */
1678 if (!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "person")) {
1679 ldb_set_errstring(ldb, "Cannot set a password on entry that does not have objectClass 'person'");
1680 return LDB_ERR_OBJECT_CLASS_VIOLATION;
1683 /* check userPassword is single valued here */
1684 /* TODO: remove this when userPassword will be single valued in schema */
1685 if (sambaAttr && sambaAttr->num_values > 1) {
1686 ldb_set_errstring(ldb, "mupltiple values for userPassword not allowed!\n");
1687 return LDB_ERR_CONSTRAINT_VIOLATION;
1689 if (clearTextPasswordAttr && clearTextPasswordAttr->num_values > 1) {
1690 ldb_set_errstring(ldb, "mupltiple values for clearTextPassword not allowed!\n");
1691 return LDB_ERR_CONSTRAINT_VIOLATION;
1694 if (ntAttr && (ntAttr->num_values > 1)) {
1695 ldb_set_errstring(ldb, "mupltiple values for unicodePwd not allowed!\n");
1696 return LDB_ERR_CONSTRAINT_VIOLATION;
1698 if (lmAttr && (lmAttr->num_values > 1)) {
1699 ldb_set_errstring(ldb, "mupltiple values for dBCSPwd not allowed!\n");
1700 return LDB_ERR_CONSTRAINT_VIOLATION;
1703 if (sambaAttr && sambaAttr->num_values == 0) {
1704 ldb_set_errstring(ldb, "userPassword must have a value!\n");
1705 return LDB_ERR_CONSTRAINT_VIOLATION;
1708 if (clearTextPasswordAttr && clearTextPasswordAttr->num_values == 0) {
1709 ldb_set_errstring(ldb, "clearTextPassword must have a value!\n");
1710 return LDB_ERR_CONSTRAINT_VIOLATION;
1713 if (ntAttr && (ntAttr->num_values == 0)) {
1714 ldb_set_errstring(ldb, "unicodePwd must have a value!\n");
1715 return LDB_ERR_CONSTRAINT_VIOLATION;
1717 if (lmAttr && (lmAttr->num_values == 0)) {
1718 ldb_set_errstring(ldb, "dBCSPwd must have a value!\n");
1719 return LDB_ERR_CONSTRAINT_VIOLATION;
1722 ac = ph_init_context(module, req);
1724 return LDB_ERR_OPERATIONS_ERROR;
1727 /* get user domain data */
1728 ac->domain_sid = samdb_result_sid_prefix(ac, req->op.add.message, "objectSid");
1729 if (ac->domain_sid == NULL) {
1730 ldb_debug(ldb, LDB_DEBUG_ERROR,
1731 "can't handle entry with missing objectSid!\n");
1732 return LDB_ERR_OPERATIONS_ERROR;
1735 ret = build_domain_data_request(ac);
1736 if (ret != LDB_SUCCESS) {
1740 return ldb_next_request(module, ac->dom_req);
1743 static int password_hash_add_do_add(struct ph_context *ac)
1745 struct ldb_context *ldb;
1746 struct ldb_request *down_req;
1747 struct smb_krb5_context *smb_krb5_context;
1748 struct ldb_message *msg;
1749 struct setup_password_fields_io io;
1752 ldb = ldb_module_get_ctx(ac->module);
1754 msg = ldb_msg_copy_shallow(ac, ac->req->op.add.message);
1756 return LDB_ERR_OPERATIONS_ERROR;
1759 /* Some operations below require kerberos contexts */
1760 if (smb_krb5_init_context(ac,
1761 ldb_get_event_context(ldb),
1762 (struct loadparm_context *)ldb_get_opaque(ldb, "loadparm"),
1763 &smb_krb5_context) != 0) {
1764 return LDB_ERR_OPERATIONS_ERROR;
1769 io.domain = ac->domain;
1770 io.smb_krb5_context = smb_krb5_context;
1772 io.u.user_account_control = samdb_result_uint(msg, "userAccountControl", 0);
1773 io.u.sAMAccountName = samdb_result_string(msg, "samAccountName", NULL);
1774 io.u.user_principal_name = samdb_result_string(msg, "userPrincipalName", NULL);
1775 io.u.is_computer = ldb_msg_check_string_attribute(msg, "objectClass", "computer");
1777 io.n.cleartext_utf8 = ldb_msg_find_ldb_val(msg, "userPassword");
1778 io.n.cleartext_utf16 = ldb_msg_find_ldb_val(msg, "clearTextPassword");
1779 io.n.nt_hash = samdb_result_hash(io.ac, msg, "unicodePwd");
1780 io.n.lm_hash = samdb_result_hash(io.ac, msg, "dBCSPwd");
1782 /* remove attributes */
1783 if (io.n.cleartext_utf8) ldb_msg_remove_attr(msg, "userPassword");
1784 if (io.n.cleartext_utf16) ldb_msg_remove_attr(msg, "clearTextPassword");
1785 if (io.n.nt_hash) ldb_msg_remove_attr(msg, "unicodePwd");
1786 if (io.n.lm_hash) ldb_msg_remove_attr(msg, "dBCSPwd");
1787 ldb_msg_remove_attr(msg, "pwdLastSet");
1788 io.o.kvno = samdb_result_uint(msg, "msDs-KeyVersionNumber", 1) - 1;
1789 ldb_msg_remove_attr(msg, "msDs-KeyVersionNumber");
1791 ret = setup_password_fields(&io);
1792 if (ret != LDB_SUCCESS) {
1797 ret = samdb_msg_add_hash(ldb, ac, msg,
1798 "unicodePwd", io.g.nt_hash);
1799 if (ret != LDB_SUCCESS) {
1804 ret = samdb_msg_add_hash(ldb, ac, msg,
1805 "dBCSPwd", io.g.lm_hash);
1806 if (ret != LDB_SUCCESS) {
1810 if (io.g.nt_history_len > 0) {
1811 ret = samdb_msg_add_hashes(ac, msg,
1814 io.g.nt_history_len);
1815 if (ret != LDB_SUCCESS) {
1819 if (io.g.lm_history_len > 0) {
1820 ret = samdb_msg_add_hashes(ac, msg,
1823 io.g.lm_history_len);
1824 if (ret != LDB_SUCCESS) {
1828 if (io.g.supplemental.length > 0) {
1829 ret = ldb_msg_add_value(msg, "supplementalCredentials",
1830 &io.g.supplemental, NULL);
1831 if (ret != LDB_SUCCESS) {
1835 ret = samdb_msg_add_uint64(ldb, ac, msg,
1838 if (ret != LDB_SUCCESS) {
1841 ret = samdb_msg_add_uint(ldb, ac, msg,
1842 "msDs-KeyVersionNumber",
1844 if (ret != LDB_SUCCESS) {
1848 ret = ldb_build_add_req(&down_req, ldb, ac,
1853 if (ret != LDB_SUCCESS) {
1857 return ldb_next_request(ac->module, down_req);
1860 static int password_hash_modify(struct ldb_module *module, struct ldb_request *req)
1862 struct ldb_context *ldb;
1863 struct ph_context *ac;
1864 struct ldb_message_element *sambaAttr;
1865 struct ldb_message_element *clearTextAttr;
1866 struct ldb_message_element *ntAttr;
1867 struct ldb_message_element *lmAttr;
1868 struct ldb_message *msg;
1869 struct ldb_request *down_req;
1872 ldb = ldb_module_get_ctx(module);
1874 ldb_debug(ldb, LDB_DEBUG_TRACE, "password_hash_modify\n");
1876 if (ldb_dn_is_special(req->op.mod.message->dn)) { /* do not manipulate our control entries */
1877 return ldb_next_request(module, req);
1880 /* If the caller is manipulating the local passwords directly, let them pass */
1881 if (ldb_dn_compare_base(ldb_dn_new(req, ldb, LOCAL_BASE),
1882 req->op.mod.message->dn) == 0) {
1883 return ldb_next_request(module, req);
1886 /* nobody must touch password Histories */
1887 if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory")) {
1888 return LDB_ERR_UNWILLING_TO_PERFORM;
1890 if (ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) {
1891 return LDB_ERR_UNWILLING_TO_PERFORM;
1893 if (ldb_msg_find_element(req->op.add.message, "supplementalCredentials")) {
1894 return LDB_ERR_UNWILLING_TO_PERFORM;
1897 sambaAttr = ldb_msg_find_element(req->op.mod.message, "userPassword");
1898 clearTextAttr = ldb_msg_find_element(req->op.mod.message, "clearTextPassword");
1899 ntAttr = ldb_msg_find_element(req->op.mod.message, "unicodePwd");
1900 lmAttr = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
1902 /* If no part of this touches the userPassword OR
1903 * clearTextPassword OR unicodePwd and/or dBCSPwd, then we
1904 * don't need to make any changes. For password changes/set
1905 * there should be a 'delete' or a 'modify' on this
1907 if ((!sambaAttr) && (!clearTextAttr) && (!ntAttr) && (!lmAttr)) {
1908 return ldb_next_request(module, req);
1911 /* check passwords are single valued here */
1912 /* TODO: remove this when passwords will be single valued in schema */
1913 if (sambaAttr && (sambaAttr->num_values > 1)) {
1914 return LDB_ERR_CONSTRAINT_VIOLATION;
1916 if (clearTextAttr && (clearTextAttr->num_values > 1)) {
1917 return LDB_ERR_CONSTRAINT_VIOLATION;
1919 if (ntAttr && (ntAttr->num_values > 1)) {
1920 return LDB_ERR_CONSTRAINT_VIOLATION;
1922 if (lmAttr && (lmAttr->num_values > 1)) {
1923 return LDB_ERR_CONSTRAINT_VIOLATION;
1926 ac = ph_init_context(module, req);
1928 return LDB_ERR_OPERATIONS_ERROR;
1931 /* use a new message structure so that we can modify it */
1932 msg = ldb_msg_copy_shallow(ac, req->op.mod.message);
1935 return LDB_ERR_OPERATIONS_ERROR;
1938 /* - remove any modification to the password from the first commit
1939 * we will make the real modification later */
1940 if (sambaAttr) ldb_msg_remove_attr(msg, "userPassword");
1941 if (clearTextAttr) ldb_msg_remove_attr(msg, "clearTextPassword");
1942 if (ntAttr) ldb_msg_remove_attr(msg, "unicodePwd");
1943 if (lmAttr) ldb_msg_remove_attr(msg, "dBCSPwd");
1945 /* if there was nothing else to be modified skip to next step */
1946 if (msg->num_elements == 0) {
1947 return password_hash_mod_search_self(ac);
1950 ret = ldb_build_mod_req(&down_req, ldb, ac,
1953 ac, ph_modify_callback,
1955 if (ret != LDB_SUCCESS) {
1959 return ldb_next_request(module, down_req);
1962 static int ph_modify_callback(struct ldb_request *req, struct ldb_reply *ares)
1964 struct ph_context *ac;
1967 ac = talloc_get_type(req->context, struct ph_context);
1970 return ldb_module_done(ac->req, NULL, NULL,
1971 LDB_ERR_OPERATIONS_ERROR);
1973 if (ares->error != LDB_SUCCESS) {
1974 return ldb_module_done(ac->req, ares->controls,
1975 ares->response, ares->error);
1978 if (ares->type != LDB_REPLY_DONE) {
1980 return ldb_module_done(ac->req, NULL, NULL,
1981 LDB_ERR_OPERATIONS_ERROR);
1984 ret = password_hash_mod_search_self(ac);
1985 if (ret != LDB_SUCCESS) {
1986 return ldb_module_done(ac->req, NULL, NULL, ret);
1993 static int ph_mod_search_callback(struct ldb_request *req, struct ldb_reply *ares)
1995 struct ldb_context *ldb;
1996 struct ph_context *ac;
1999 ac = talloc_get_type(req->context, struct ph_context);
2000 ldb = ldb_module_get_ctx(ac->module);
2003 return ldb_module_done(ac->req, NULL, NULL,
2004 LDB_ERR_OPERATIONS_ERROR);
2006 if (ares->error != LDB_SUCCESS) {
2007 return ldb_module_done(ac->req, ares->controls,
2008 ares->response, ares->error);
2011 /* we are interested only in the single reply (base search) */
2012 switch (ares->type) {
2013 case LDB_REPLY_ENTRY:
2015 if (ac->search_res != NULL) {
2016 ldb_set_errstring(ldb, "Too many results");
2018 return ldb_module_done(ac->req, NULL, NULL,
2019 LDB_ERR_OPERATIONS_ERROR);
2022 /* if it is not an entry of type person this is an error */
2023 /* TODO: remove this when sambaPassword will be in schema */
2024 if (!ldb_msg_check_string_attribute(ares->message, "objectClass", "person")) {
2025 ldb_set_errstring(ldb, "Object class violation");
2027 return ldb_module_done(ac->req, NULL, NULL,
2028 LDB_ERR_OBJECT_CLASS_VIOLATION);
2031 ac->search_res = talloc_steal(ac, ares);
2034 case LDB_REPLY_DONE:
2036 /* get object domain sid */
2037 ac->domain_sid = samdb_result_sid_prefix(ac,
2038 ac->search_res->message,
2040 if (ac->domain_sid == NULL) {
2041 ldb_debug(ldb, LDB_DEBUG_ERROR,
2042 "can't handle entry without objectSid!\n");
2043 return ldb_module_done(ac->req, NULL, NULL,
2044 LDB_ERR_OPERATIONS_ERROR);
2047 /* get user domain data */
2048 ret = build_domain_data_request(ac);
2049 if (ret != LDB_SUCCESS) {
2050 return ldb_module_done(ac->req, NULL, NULL,ret);
2053 return ldb_next_request(ac->module, ac->dom_req);
2055 case LDB_REPLY_REFERRAL:
2056 /*ignore anything else for now */
2064 static int password_hash_mod_search_self(struct ph_context *ac)
2066 struct ldb_context *ldb;
2067 static const char * const attrs[] = { "userAccountControl", "lmPwdHistory",
2069 "objectSid", "msDS-KeyVersionNumber",
2070 "objectClass", "userPrincipalName",
2072 "dBCSPwd", "unicodePwd",
2073 "supplementalCredentials",
2075 struct ldb_request *search_req;
2078 ldb = ldb_module_get_ctx(ac->module);
2080 ret = ldb_build_search_req(&search_req, ldb, ac,
2081 ac->req->op.mod.message->dn,
2086 ac, ph_mod_search_callback,
2089 if (ret != LDB_SUCCESS) {
2093 return ldb_next_request(ac->module, search_req);
2096 static int password_hash_mod_do_mod(struct ph_context *ac)
2098 struct ldb_context *ldb;
2099 struct ldb_request *mod_req;
2100 struct smb_krb5_context *smb_krb5_context;
2101 struct ldb_message *msg;
2102 struct ldb_message *orig_msg;
2103 struct ldb_message *searched_msg;
2104 struct setup_password_fields_io io;
2107 ldb = ldb_module_get_ctx(ac->module);
2109 /* use a new message structure so that we can modify it */
2110 msg = ldb_msg_new(ac);
2112 return LDB_ERR_OPERATIONS_ERROR;
2116 msg->dn = ac->req->op.mod.message->dn;
2118 /* Some operations below require kerberos contexts */
2119 if (smb_krb5_init_context(ac,
2120 ldb_get_event_context(ldb),
2121 (struct loadparm_context *)ldb_get_opaque(ldb, "loadparm"),
2122 &smb_krb5_context) != 0) {
2123 return LDB_ERR_OPERATIONS_ERROR;
2126 orig_msg = discard_const(ac->req->op.mod.message);
2127 searched_msg = ac->search_res->message;
2131 io.domain = ac->domain;
2132 io.smb_krb5_context = smb_krb5_context;
2134 io.u.user_account_control = samdb_result_uint(searched_msg, "userAccountControl", 0);
2135 io.u.sAMAccountName = samdb_result_string(searched_msg, "samAccountName", NULL);
2136 io.u.user_principal_name = samdb_result_string(searched_msg, "userPrincipalName", NULL);
2137 io.u.is_computer = ldb_msg_check_string_attribute(searched_msg, "objectClass", "computer");
2139 io.n.cleartext_utf8 = ldb_msg_find_ldb_val(orig_msg, "userPassword");
2140 io.n.cleartext_utf16 = ldb_msg_find_ldb_val(orig_msg, "clearTextPassword");
2141 io.n.nt_hash = samdb_result_hash(io.ac, orig_msg, "unicodePwd");
2142 io.n.lm_hash = samdb_result_hash(io.ac, orig_msg, "dBCSPwd");
2144 io.o.kvno = samdb_result_uint(searched_msg, "msDs-KeyVersionNumber", 0);
2145 io.o.nt_history_len = samdb_result_hashes(io.ac, searched_msg, "ntPwdHistory", &io.o.nt_history);
2146 io.o.lm_history_len = samdb_result_hashes(io.ac, searched_msg, "lmPwdHistory", &io.o.lm_history);
2147 io.o.supplemental = ldb_msg_find_ldb_val(searched_msg, "supplementalCredentials");
2149 ret = setup_password_fields(&io);
2150 if (ret != LDB_SUCCESS) {
2154 /* make sure we replace all the old attributes */
2155 ret = ldb_msg_add_empty(msg, "unicodePwd", LDB_FLAG_MOD_REPLACE, NULL);
2156 ret = ldb_msg_add_empty(msg, "dBCSPwd", LDB_FLAG_MOD_REPLACE, NULL);
2157 ret = ldb_msg_add_empty(msg, "ntPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
2158 ret = ldb_msg_add_empty(msg, "lmPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
2159 ret = ldb_msg_add_empty(msg, "supplementalCredentials", LDB_FLAG_MOD_REPLACE, NULL);
2160 ret = ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE, NULL);
2161 ret = ldb_msg_add_empty(msg, "msDs-KeyVersionNumber", LDB_FLAG_MOD_REPLACE, NULL);
2164 ret = samdb_msg_add_hash(ldb, ac, msg,
2165 "unicodePwd", io.g.nt_hash);
2166 if (ret != LDB_SUCCESS) {
2171 ret = samdb_msg_add_hash(ldb, ac, msg,
2172 "dBCSPwd", io.g.lm_hash);
2173 if (ret != LDB_SUCCESS) {
2177 if (io.g.nt_history_len > 0) {
2178 ret = samdb_msg_add_hashes(ac, msg,
2181 io.g.nt_history_len);
2182 if (ret != LDB_SUCCESS) {
2186 if (io.g.lm_history_len > 0) {
2187 ret = samdb_msg_add_hashes(ac, msg,
2190 io.g.lm_history_len);
2191 if (ret != LDB_SUCCESS) {
2195 if (io.g.supplemental.length > 0) {
2196 ret = ldb_msg_add_value(msg, "supplementalCredentials",
2197 &io.g.supplemental, NULL);
2198 if (ret != LDB_SUCCESS) {
2202 ret = samdb_msg_add_uint64(ldb, ac, msg,
2205 if (ret != LDB_SUCCESS) {
2208 ret = samdb_msg_add_uint(ldb, ac, msg,
2209 "msDs-KeyVersionNumber",
2211 if (ret != LDB_SUCCESS) {
2215 ret = ldb_build_mod_req(&mod_req, ldb, ac,
2220 if (ret != LDB_SUCCESS) {
2224 return ldb_next_request(ac->module, mod_req);
2227 _PUBLIC_ const struct ldb_module_ops ldb_password_hash_module_ops = {
2228 .name = "password_hash",
2229 .add = password_hash_add,
2230 .modify = password_hash_modify,