#include "includes.h"
#include "ldb_module.h"
#include "libcli/auth/libcli_auth.h"
+#include "libcli/security/dom_sid.h"
#include "system/kerberos.h"
#include "auth/kerberos/kerberos.h"
#include "dsdb/samdb/samdb.h"
#include "param/param.h"
#include "lib/krb5_wrap/krb5_samba.h"
+#ifdef ENABLE_GPGME
+#undef class
+#include <gpgme.h>
+#endif
+
/* If we have decided there is a reason to work on this request, then
* setup all the password hash types correctly.
*
struct ldb_reply *search_res;
+ struct ldb_message *update_msg;
+
struct dsdb_control_password_change_status *status;
struct dsdb_control_password_change *change;
+ const char **gpg_key_ids;
+
bool pwd_reset;
bool change_status;
bool hash_values;
bool userPassword;
+ bool update_password;
+ bool update_lastset;
bool pwd_last_set_bypass;
+ bool pwd_last_set_default;
+ bool smartcard_reset;
};
const char *sAMAccountName;
const char *user_principal_name;
bool is_computer;
+ bool is_krbtgt;
uint32_t restrictions;
} u;
} g;
};
+static int msg_find_old_and_new_pwd_val(const struct ldb_message *msg,
+ const char *name,
+ enum ldb_request_type operation,
+ const struct ldb_val **new_val,
+ const struct ldb_val **old_val);
+
static int password_hash_bypass(struct ldb_module *module, struct ldb_request *request)
{
struct ldb_context *ldb = ldb_module_get_ctx(module);
io->g.salt = talloc_strndup(io->ac,
(char *)salt.data,
salt.length);
- kerberos_free_data_contents(io->smb_krb5_context->krb5_context, &salt);
+ smb_krb5_free_data_contents(io->smb_krb5_context->krb5_context, &salt);
if (!io->g.salt) {
return ldb_oom(ldb);
}
return LDB_SUCCESS;
}
+static int setup_primary_samba_gpg(struct setup_password_fields_io *io,
+ struct package_PrimarySambaGPGBlob *pgb)
+{
+ struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
+#ifdef ENABLE_GPGME
+ gpgme_error_t gret;
+ gpgme_ctx_t ctx = NULL;
+ size_t num_keys = str_list_length(io->ac->gpg_key_ids);
+ gpgme_key_t keys[num_keys+1];
+ size_t ki = 0;
+ size_t kr = 0;
+ gpgme_data_t plain_data = NULL;
+ gpgme_data_t crypt_data = NULL;
+ size_t crypt_length = 0;
+ char *crypt_mem = NULL;
+
+ gret = gpgme_new(&ctx);
+ if (gret != GPG_ERR_NO_ERROR) {
+ ldb_debug(ldb, LDB_DEBUG_ERROR,
+ "%s:%s: gret[%u] %s\n",
+ __location__, __func__,
+ gret, gpgme_strerror(gret));
+ return ldb_module_operr(io->ac->module);
+ }
+
+ gpgme_set_armor(ctx, 1);
+
+ gret = gpgme_data_new_from_mem(&plain_data,
+ (const char *)io->n.cleartext_utf16->data,
+ io->n.cleartext_utf16->length,
+ 0 /* no copy */);
+ if (gret != GPG_ERR_NO_ERROR) {
+ ldb_debug(ldb, LDB_DEBUG_ERROR,
+ "%s:%s: gret[%u] %s\n",
+ __location__, __func__,
+ gret, gpgme_strerror(gret));
+ gpgme_release(ctx);
+ return ldb_module_operr(io->ac->module);
+ }
+ gret = gpgme_data_new(&crypt_data);
+ if (gret != GPG_ERR_NO_ERROR) {
+ ldb_debug(ldb, LDB_DEBUG_ERROR,
+ "%s:%s: gret[%u] %s\n",
+ __location__, __func__,
+ gret, gpgme_strerror(gret));
+ gpgme_data_release(plain_data);
+ gpgme_release(ctx);
+ return ldb_module_operr(io->ac->module);
+ }
+
+ for (ki = 0; ki < num_keys; ki++) {
+ const char *key_id = io->ac->gpg_key_ids[ki];
+ size_t len = strlen(key_id);
+
+ keys[ki] = NULL;
+
+ if (len < 16) {
+ ldb_debug(ldb, LDB_DEBUG_FATAL,
+ "%s:%s: ki[%zu] key_id[%s] strlen < 16, "
+ "please specify at least the 64bit key id\n",
+ __location__, __func__,
+ ki, key_id);
+ for (kr = 0; keys[kr] != NULL; kr++) {
+ gpgme_key_release(keys[kr]);
+ }
+ gpgme_data_release(crypt_data);
+ gpgme_data_release(plain_data);
+ gpgme_release(ctx);
+ return ldb_module_operr(io->ac->module);
+ }
+
+ gret = gpgme_get_key(ctx, key_id, &keys[ki], 0 /* public key */);
+ if (gret != GPG_ERR_NO_ERROR) {
+ keys[ki] = NULL;
+ ldb_debug(ldb, LDB_DEBUG_ERROR,
+ "%s:%s: ki[%zu] key_id[%s] gret[%u] %s\n",
+ __location__, __func__,
+ ki, key_id,
+ gret, gpgme_strerror(gret));
+ for (kr = 0; keys[kr] != NULL; kr++) {
+ gpgme_key_release(keys[kr]);
+ }
+ gpgme_data_release(crypt_data);
+ gpgme_data_release(plain_data);
+ gpgme_release(ctx);
+ return ldb_module_operr(io->ac->module);
+ }
+ }
+ keys[ki] = NULL;
+
+ gret = gpgme_op_encrypt(ctx, keys,
+ GPGME_ENCRYPT_ALWAYS_TRUST,
+ plain_data, crypt_data);
+ gpgme_data_release(plain_data);
+ plain_data = NULL;
+ for (kr = 0; keys[kr] != NULL; kr++) {
+ gpgme_key_release(keys[kr]);
+ keys[kr] = NULL;
+ }
+ gpgme_release(ctx);
+ ctx = NULL;
+ if (gret != GPG_ERR_NO_ERROR) {
+ ldb_debug(ldb, LDB_DEBUG_ERROR,
+ "%s:%s: gret[%u] %s\n",
+ __location__, __func__,
+ gret, gpgme_strerror(gret));
+ gpgme_data_release(crypt_data);
+ return ldb_module_operr(io->ac->module);
+ }
+
+ crypt_mem = gpgme_data_release_and_get_mem(crypt_data, &crypt_length);
+ crypt_data = NULL;
+ if (crypt_mem == NULL) {
+ return ldb_module_oom(io->ac->module);
+ }
+
+ pgb->gpg_blob = data_blob_talloc(io->ac,
+ (const uint8_t *)crypt_mem,
+ crypt_length);
+ gpgme_free(crypt_mem);
+ crypt_mem = NULL;
+ crypt_length = 0;
+ if (pgb->gpg_blob.data == NULL) {
+ return ldb_module_oom(io->ac->module);
+ }
+
+ return LDB_SUCCESS;
+#else /* ENABLE_GPGME */
+ ldb_debug_set(ldb, LDB_DEBUG_FATAL,
+ "You configured 'password hash gpg key ids', "
+ "but GPGME support is missing. (%s:%d)",
+ __FILE__, __LINE__);
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+#endif /* else ENABLE_GPGME */
+}
+
static int setup_supplemental_field(struct setup_password_fields_io *io)
{
struct ldb_context *ldb;
struct supplementalCredentialsBlob scb;
- struct supplementalCredentialsBlob _old_scb;
struct supplementalCredentialsBlob *old_scb = NULL;
- /* Packages + (Kerberos-Newer-Keys, Kerberos, WDigest and CLEARTEXT) */
+ /* Packages + (Kerberos-Newer-Keys, Kerberos, WDigest, CLEARTEXT, SambaGPG) */
uint32_t num_names = 0;
- const char *names[1+4];
+ const char *names[1+5];
uint32_t num_packages = 0;
- struct supplementalCredentialsPackage packages[1+4];
+ struct supplementalCredentialsPackage packages[1+5];
/* Packages */
struct supplementalCredentialsPackage *pp = NULL;
struct package_PackagesBlob pb;
struct package_PrimaryCLEARTEXTBlob pcb;
DATA_BLOB pcb_blob;
char *pcb_hexstr;
+ /* Primary:SambaGPG */
+ const char **ng = NULL;
+ struct supplementalCredentialsPackage *pg = NULL;
+ struct package_PrimarySambaGPGBlob pgb;
+ DATA_BLOB pgb_blob;
+ char *pgb_hexstr;
int ret;
enum ndr_err_code ndr_err;
uint8_t zero16[16];
bool do_newer_keys = false;
bool do_cleartext = false;
+ bool do_samba_gpg = false;
ZERO_STRUCT(zero16);
ZERO_STRUCT(names);
+ ZERO_STRUCT(packages);
ldb = ldb_module_get_ctx(io->ac->module);
return LDB_SUCCESS;
}
- /* if there's an old supplementaCredentials blob then parse it */
+ /* if there's an old supplementaCredentials blob then use it */
if (io->o.supplemental) {
- ndr_err = ndr_pull_struct_blob_all(io->o.supplemental, io->ac,
- &_old_scb,
- (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
- ldb_asprintf_errstring(ldb,
- "setup_supplemental_field: "
- "failed to pull old supplementalCredentialsBlob: %s",
- nt_errstr(status));
- return LDB_ERR_OPERATIONS_ERROR;
- }
-
- if (_old_scb.sub.signature == SUPPLEMENTAL_CREDENTIALS_SIGNATURE) {
- old_scb = &_old_scb;
+ if (io->o.scb.sub.signature == SUPPLEMENTAL_CREDENTIALS_SIGNATURE) {
+ old_scb = &io->o.scb;
} else {
ldb_debug(ldb, LDB_DEBUG_ERROR,
- "setup_supplemental_field: "
- "supplementalCredentialsBlob signature[0x%04X] expected[0x%04X]",
- _old_scb.sub.signature, SUPPLEMENTAL_CREDENTIALS_SIGNATURE);
+ "setup_supplemental_field: "
+ "supplementalCredentialsBlob "
+ "signature[0x%04X] expected[0x%04X]",
+ io->o.scb.sub.signature,
+ SUPPLEMENTAL_CREDENTIALS_SIGNATURE);
}
}
/* Per MS-SAMR 3.1.1.8.11.6 we create AES keys if our domain functionality level is 2008 or higher */
do_cleartext = true;
}
+ if (io->ac->gpg_key_ids != NULL) {
+ do_samba_gpg = true;
+ }
+
/*
* The ordering is this
*
* Primary:Kerberos
* Primary:WDigest
* Primary:CLEARTEXT (optional)
+ * Primary:SambaGPG (optional)
*
* And the 'Packages' package is insert before the last
* other package.
+ *
+ * Note: it's important that Primary:SambaGPG is added as
+ * the last element. This is the indication that it matches
+ * the current password. When a password change happens on
+ * a Windows DC, it will keep the old Primary:SambaGPG value,
+ * but as the first element.
*/
if (do_newer_keys) {
/* Primary:Kerberos-Newer-Keys */
nk = &names[num_names++];
pk = &packages[num_packages++];
- if (!do_cleartext) {
+ if (!do_cleartext && !do_samba_gpg) {
/* Packages */
pp = &packages[num_packages++];
}
pd = &packages[num_packages++];
if (do_cleartext) {
- /* Packages */
- pp = &packages[num_packages++];
+ if (!do_samba_gpg) {
+ /* Packages */
+ pp = &packages[num_packages++];
+ }
/* Primary:CLEARTEXT */
nc = &names[num_names++];
pc = &packages[num_packages++];
}
+ if (do_samba_gpg) {
+ /* Packages */
+ pp = &packages[num_packages++];
+
+ /* Primary:SambaGPG */
+ ng = &names[num_names++];
+ pg = &packages[num_packages++];
+ }
+
if (pkn) {
/*
* setup 'Primary:Kerberos-Newer-Keys' element
pc->data = pcb_hexstr;
}
+ /*
+ * setup 'Primary:SambaGPG' element
+ */
+ if (pg) {
+ *ng = "SambaGPG";
+
+ ret = setup_primary_samba_gpg(io, &pgb);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ ndr_err = ndr_push_struct_blob(&pgb_blob, io->ac, &pgb,
+ (ndr_push_flags_fn_t)ndr_push_package_PrimarySambaGPGBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
+ ldb_asprintf_errstring(ldb,
+ "setup_supplemental_field: failed to "
+ "push package_PrimarySambaGPGBlob: %s",
+ nt_errstr(status));
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ pgb_hexstr = data_blob_hex_string_upper(io->ac, &pgb_blob);
+ if (!pgb_hexstr) {
+ return ldb_oom(ldb);
+ }
+ pg->name = "Primary:SambaGPG";
+ pg->reserved = 1;
+ pg->data = pgb_hexstr;
+ }
+
/*
* setup 'Packages' element
*/
* setup 'supplementalCredentials' value
*/
ZERO_STRUCT(scb);
+ scb.sub.signature = SUPPLEMENTAL_CREDENTIALS_SIGNATURE;
scb.sub.num_packages = num_packages;
scb.sub.packages = packages;
static int setup_last_set_field(struct setup_password_fields_io *io)
{
+ struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
const struct ldb_message *msg = NULL;
struct timeval tv = { .tv_sec = 0 };
+ const struct ldb_val *old_val = NULL;
+ const struct ldb_val *new_val = NULL;
+ int ret;
switch (io->ac->req->operation) {
case LDB_ADD:
}
if (io->ac->pwd_last_set_bypass) {
- struct ldb_message_element *el;
+ struct ldb_message_element *el1 = NULL;
+ struct ldb_message_element *el2 = NULL;
if (msg == NULL) {
return LDB_ERR_CONSTRAINT_VIOLATION;
}
- el = ldb_msg_find_element(msg, "pwdLastSet");
- if (el == NULL) {
+ el1 = dsdb_get_single_valued_attr(msg, "pwdLastSet",
+ io->ac->req->operation);
+ if (el1 == NULL) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ el2 = ldb_msg_find_element(msg, "pwdLastSet");
+ if (el2 == NULL) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ if (el1 != el2) {
return LDB_ERR_CONSTRAINT_VIOLATION;
}
return LDB_SUCCESS;
}
- /* set it as now */
- GetTimeOfDay(&tv);
- io->g.last_set = timeval_to_nttime(&tv);
+ ret = msg_find_old_and_new_pwd_val(msg, "pwdLastSet",
+ io->ac->req->operation,
+ &new_val, &old_val);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ if (old_val != NULL && new_val == NULL) {
+ ldb_set_errstring(ldb,
+ "'pwdLastSet' deletion is not allowed!");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+
+ io->g.last_set = UINT64_MAX;
+ if (new_val != NULL) {
+ struct ldb_message *tmp_msg = NULL;
+
+ tmp_msg = ldb_msg_new(io->ac);
+ if (tmp_msg == NULL) {
+ return ldb_module_oom(io->ac->module);
+ }
+
+ if (old_val != NULL) {
+ NTTIME old_last_set = 0;
+
+ ret = ldb_msg_add_value(tmp_msg, "oldval",
+ old_val, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ old_last_set = samdb_result_nttime(tmp_msg,
+ "oldval",
+ 1);
+ if (io->u.pwdLastSet != old_last_set) {
+ return dsdb_module_werror(io->ac->module,
+ LDB_ERR_NO_SUCH_ATTRIBUTE,
+ WERR_DS_CANT_REM_MISSING_ATT_VAL,
+ "setup_last_set_field: old pwdLastSet "
+ "value not found!");
+ }
+ }
+
+ ret = ldb_msg_add_value(tmp_msg, "newval",
+ new_val, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ io->g.last_set = samdb_result_nttime(tmp_msg,
+ "newval",
+ 1);
+ } else if (ldb_msg_find_element(msg, "pwdLastSet")) {
+ ldb_set_errstring(ldb,
+ "'pwdLastSet' deletion is not allowed!");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ } else if (io->ac->smartcard_reset) {
+ /*
+ * adding UF_SMARTCARD_REQUIRED doesn't update
+ * pwdLastSet implicitly.
+ */
+ io->ac->update_lastset = false;
+ }
+
+ /* only 0 or -1 (0xFFFFFFFFFFFFFFFF) are allowed */
+ switch (io->g.last_set) {
+ case 0:
+ if (!io->ac->pwd_last_set_default) {
+ break;
+ }
+ if (!io->ac->update_password) {
+ break;
+ }
+ /* fall through */
+ case UINT64_MAX:
+ if (!io->ac->update_password &&
+ io->u.pwdLastSet != 0 &&
+ io->u.pwdLastSet != UINT64_MAX)
+ {
+ /*
+ * Just setting pwdLastSet to -1, while not changing
+ * any password field has no effect if pwdLastSet
+ * is already non-zero.
+ */
+ io->ac->update_lastset = false;
+ break;
+ }
+ /* -1 means set it as now */
+ GetTimeOfDay(&tv);
+ io->g.last_set = timeval_to_nttime(&tv);
+ break;
+ default:
+ return dsdb_module_werror(io->ac->module,
+ LDB_ERR_OTHER,
+ WERR_INVALID_PARAMETER,
+ "setup_last_set_field: "
+ "pwdLastSet must be 0 or -1 only!");
+ }
+
+ if (io->ac->req->operation == LDB_ADD) {
+ /*
+ * We always need to store the value on add
+ * operations.
+ */
+ return LDB_SUCCESS;
+ }
+
+ if (io->g.last_set == io->u.pwdLastSet) {
+ /*
+ * Just setting pwdLastSet to 0, is no-op if it's already 0.
+ */
+ io->ac->update_lastset = false;
+ }
return LDB_SUCCESS;
}
struct loadparm_context);
int ret;
+ ret = setup_last_set_field(io);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ if (!io->ac->update_password) {
+ return LDB_SUCCESS;
+ }
+
/* transform the old password (for password changes) */
ret = setup_given_passwords(io, &io->og);
if (ret != LDB_SUCCESS) {
return ret;
}
- ret = setup_last_set_field(io);
- if (ret != LDB_SUCCESS) {
- return ret;
+ return LDB_SUCCESS;
+}
+
+static int setup_smartcard_reset(struct setup_password_fields_io *io)
+{
+ struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
+ struct loadparm_context *lp_ctx = talloc_get_type(
+ ldb_get_opaque(ldb, "loadparm"), struct loadparm_context);
+ struct supplementalCredentialsBlob scb = { .__ndr_size = 0 };
+ enum ndr_err_code ndr_err;
+
+ if (!io->ac->smartcard_reset) {
+ return LDB_SUCCESS;
}
+ io->g.nt_hash = talloc(io->ac, struct samr_Password);
+ if (io->g.nt_hash == NULL) {
+ return ldb_module_oom(io->ac->module);
+ }
+ generate_secret_buffer(io->g.nt_hash->hash,
+ sizeof(io->g.nt_hash->hash));
+ io->g.nt_history_len = 0;
+
+ if (lpcfg_lanman_auth(lp_ctx)) {
+ io->g.lm_hash = talloc(io->ac, struct samr_Password);
+ if (io->g.lm_hash == NULL) {
+ return ldb_module_oom(io->ac->module);
+ }
+ generate_secret_buffer(io->g.lm_hash->hash,
+ sizeof(io->g.lm_hash->hash));
+ } else {
+ io->g.lm_hash = NULL;
+ }
+ io->g.lm_history_len = 0;
+
+ /*
+ * We take the "old" value and store it
+ * with num_packages = 0.
+ *
+ * On "add" we have scb.sub.signature == 0, which
+ * results in:
+ *
+ * [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00
+ *
+ * On modify it's likely to be scb.sub.signature ==
+ * SUPPLEMENTAL_CREDENTIALS_SIGNATURE (0x0050), which results in
+ * something like:
+ *
+ * [0000] 00 00 00 00 62 00 00 00 00 00 00 00 20 00 20 00
+ * [0010] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00
+ * [0020] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00
+ * [0030] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00
+ * [0040] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00
+ * [0050] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00
+ * [0060] 20 00 20 00 20 00 20 00 20 00 20 00 50 00 00
+ *
+ * See https://bugzilla.samba.org/show_bug.cgi?id=11441
+ * and ndr_{push,pull}_supplementalCredentialsSubBlob().
+ */
+ scb = io->o.scb;
+ scb.sub.num_packages = 0;
+
+ /*
+ * setup 'supplementalCredentials' value without packages
+ */
+ ndr_err = ndr_push_struct_blob(&io->g.supplemental, io->ac,
+ &scb,
+ (ndr_push_flags_fn_t)ndr_push_supplementalCredentialsBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
+ ldb_asprintf_errstring(ldb,
+ "setup_smartcard_reset: "
+ "failed to push supplementalCredentialsBlob: %s",
+ nt_errstr(status));
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ io->ac->update_password = true;
return LDB_SUCCESS;
}
static int check_password_restrictions(struct setup_password_fields_io *io)
{
- struct ldb_context *ldb;
+ struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
int ret;
+ struct loadparm_context *lp_ctx =
+ lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
+ struct loadparm_context);
- ldb = ldb_module_get_ctx(io->ac->module);
+ if (!io->ac->update_password) {
+ return LDB_SUCCESS;
+ }
/* First check the old password is correct, for password changes */
if (!io->ac->pwd_reset) {
*/
if (io->n.cleartext_utf8 != NULL) {
enum samr_ValidationStatus vstat;
- vstat = samdb_check_password(io->n.cleartext_utf8,
+ vstat = samdb_check_password(io->ac, lp_ctx,
+ io->n.cleartext_utf8,
io->ac->status->domain_data.pwdProperties,
io->ac->status->domain_data.minPwdLength);
switch (vstat) {
ret = LDB_ERR_CONSTRAINT_VIOLATION;
ldb_asprintf_errstring(ldb,
"%08X: %s - check_password_restrictions: "
- "the password doesn't fit by a certain reason!",
+ "the password doesn't fit due to a miscellaneous restriction!",
W_ERROR_V(WERR_PASSWORD_RESTRICTION),
ldb_strerror(ret));
return ret;
return LDB_SUCCESS;
}
-static int update_final_msg(struct setup_password_fields_io *io,
- struct ldb_message *msg)
+static int update_final_msg(struct setup_password_fields_io *io)
{
struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
int ret;
+ int el_flags = 0;
+ bool update_password = io->ac->update_password;
+ bool update_scb = io->ac->update_password;
+
+ /*
+ * If we add a user without initial password,
+ * we need to add replication meta data for
+ * following attributes:
+ * - unicodePwd
+ * - dBCSPwd
+ * - ntPwdHistory
+ * - lmPwdHistory
+ *
+ * If we add a user with initial password or a
+ * password is changed of an existing user,
+ * we need to replace the following attributes
+ * with a forced meta data update, e.g. also
+ * when updating an empty attribute with an empty value:
+ * - unicodePwd
+ * - dBCSPwd
+ * - ntPwdHistory
+ * - lmPwdHistory
+ * - supplementalCredentials
+ */
+
+ switch (io->ac->req->operation) {
+ case LDB_ADD:
+ update_password = true;
+ el_flags |= DSDB_FLAG_INTERNAL_FORCE_META_DATA;
+ break;
+ case LDB_MODIFY:
+ el_flags |= LDB_FLAG_MOD_REPLACE;
+ el_flags |= DSDB_FLAG_INTERNAL_FORCE_META_DATA;
+ break;
+ default:
+ return ldb_module_operr(io->ac->module);
+ }
+
+ if (update_password) {
+ ret = ldb_msg_add_empty(io->ac->update_msg,
+ "unicodePwd",
+ el_flags, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ ret = ldb_msg_add_empty(io->ac->update_msg,
+ "dBCSPwd",
+ el_flags, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ ret = ldb_msg_add_empty(io->ac->update_msg,
+ "ntPwdHistory",
+ el_flags, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ ret = ldb_msg_add_empty(io->ac->update_msg,
+ "lmPwdHistory",
+ el_flags, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+ if (update_scb) {
+ ret = ldb_msg_add_empty(io->ac->update_msg,
+ "supplementalCredentials",
+ el_flags, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+ if (io->ac->update_lastset) {
+ ret = ldb_msg_add_empty(io->ac->update_msg,
+ "pwdLastSet",
+ el_flags, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
if (io->g.nt_hash != NULL) {
- ret = samdb_msg_add_hash(ldb, io->ac, msg,
+ ret = samdb_msg_add_hash(ldb, io->ac,
+ io->ac->update_msg,
"unicodePwd",
io->g.nt_hash);
if (ret != LDB_SUCCESS) {
}
}
if (io->g.lm_hash != NULL) {
- ret = samdb_msg_add_hash(ldb, io->ac, msg,
+ ret = samdb_msg_add_hash(ldb, io->ac,
+ io->ac->update_msg,
"dBCSPwd",
io->g.lm_hash);
if (ret != LDB_SUCCESS) {
}
}
if (io->g.nt_history_len > 0) {
- ret = samdb_msg_add_hashes(ldb, io->ac, msg,
+ ret = samdb_msg_add_hashes(ldb, io->ac,
+ io->ac->update_msg,
"ntPwdHistory",
io->g.nt_history,
io->g.nt_history_len);
}
}
if (io->g.lm_history_len > 0) {
- ret = samdb_msg_add_hashes(ldb, io->ac, msg,
+ ret = samdb_msg_add_hashes(ldb, io->ac,
+ io->ac->update_msg,
"lmPwdHistory",
io->g.lm_history,
io->g.lm_history_len);
}
}
if (io->g.supplemental.length > 0) {
- ret = ldb_msg_add_value(msg, "supplementalCredentials",
+ ret = ldb_msg_add_value(io->ac->update_msg,
+ "supplementalCredentials",
&io->g.supplemental, NULL);
if (ret != LDB_SUCCESS) {
return ret;
}
}
- ret = samdb_msg_add_uint64(ldb, io->ac, msg,
- "pwdLastSet",
- io->g.last_set);
- if (ret != LDB_SUCCESS) {
- return ret;
+ if (io->ac->update_lastset) {
+ ret = samdb_msg_add_uint64(ldb, io->ac,
+ io->ac->update_msg,
+ "pwdLastSet",
+ io->g.last_set);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
}
return LDB_SUCCESS;
ldb_get_opaque(ldb, "loadparm"), struct loadparm_context);
int ret;
const struct ldb_message *info_msg = NULL;
+ struct dom_sid *account_sid = NULL;
+ int rodc_krbtgt = 0;
ZERO_STRUCTP(io);
/*
* We only take pwdLastSet from the existing object
* otherwise we leave it as 0.
+ *
+ * If no attribute is available, e.g. on deleted objects
+ * we remember that as UINT64_MAX.
*/
- io->u.pwdLastSet = samdb_result_nttime(info_msg, "pwdLastSet", 0);
+ io->u.pwdLastSet = samdb_result_nttime(info_msg, "pwdLastSet",
+ UINT64_MAX);
}
io->u.sAMAccountName = ldb_msg_find_attr_as_string(info_msg,
"sAMAccountName", NULL);
"userPrincipalName", NULL);
io->u.is_computer = ldb_msg_check_string_attribute(info_msg, "objectClass", "computer");
+ /* Ensure it has an objectSID too */
+ account_sid = samdb_result_dom_sid(ac, info_msg, "objectSid");
+ if (account_sid != NULL) {
+ NTSTATUS status;
+ uint32_t rid = 0;
+
+ status = dom_sid_split_rid(account_sid, account_sid, NULL, &rid);
+ if (NT_STATUS_IS_OK(status)) {
+ if (rid == DOMAIN_RID_KRBTGT) {
+ io->u.is_krbtgt = true;
+ }
+ }
+ }
+
+ rodc_krbtgt = ldb_msg_find_attr_as_int(info_msg,
+ "msDS-SecondaryKrbTgtNumber", 0);
+ if (rodc_krbtgt != 0) {
+ io->u.is_krbtgt = true;
+ }
+
if (io->u.sAMAccountName == NULL) {
ldb_asprintf_errstring(ldb,
"setup_io: sAMAccountName attribute is missing on %s for attempted password set/change",
& (UF_INTERDOMAIN_TRUST_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT
| UF_SERVER_TRUST_ACCOUNT));
+ if (io->u.is_krbtgt) {
+ io->u.restrictions = 0;
+ io->ac->status->domain_data.pwdHistoryLength =
+ MAX(io->ac->status->domain_data.pwdHistoryLength, 3);
+ }
+
if (ac->userPassword) {
ret = msg_find_old_and_new_pwd_val(client_msg, "userPassword",
ac->req->operation,
/* refuse the change if someone tries to set/change the password by
* the lanman hash alone and we've deactivated that mechanism. This
* would end in an account without any password! */
- if ((!io->n.cleartext_utf8) && (!io->n.cleartext_utf16)
+ if (io->ac->update_password
+ && (!io->n.cleartext_utf8) && (!io->n.cleartext_utf16)
&& (!io->n.nt_hash) && (!io->n.lm_hash)) {
ldb_asprintf_errstring(ldb,
"setup_io: "
return ldb_operr(ldb);
}
+ if (io->u.is_krbtgt) {
+ size_t min = 196;
+ size_t max = 255;
+ size_t diff = max - min;
+ size_t len = max;
+ struct ldb_val *krbtgt_utf16 = NULL;
+
+ if (!ac->pwd_reset) {
+ return dsdb_module_werror(ac->module,
+ LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS,
+ WERR_DS_ATT_ALREADY_EXISTS,
+ "Password change on krbtgt not permitted!");
+ }
+
+ if (io->n.cleartext_utf16 == NULL) {
+ return dsdb_module_werror(ac->module,
+ LDB_ERR_UNWILLING_TO_PERFORM,
+ WERR_DS_INVALID_ATTRIBUTE_SYNTAX,
+ "Password reset on krbtgt requires UTF16!");
+ }
+
+ /*
+ * Instead of taking the callers value,
+ * we just generate a new random value here.
+ *
+ * Include null termination in the array.
+ */
+ if (diff > 0) {
+ size_t tmp;
+
+ generate_random_buffer((uint8_t *)&tmp, sizeof(tmp));
+
+ tmp %= diff;
+
+ len = min + tmp;
+ }
+
+ krbtgt_utf16 = talloc_zero(io->ac, struct ldb_val);
+ if (krbtgt_utf16 == NULL) {
+ return ldb_oom(ldb);
+ }
+
+ *krbtgt_utf16 = data_blob_talloc_zero(krbtgt_utf16,
+ (len+1)*2);
+ if (krbtgt_utf16->data == NULL) {
+ return ldb_oom(ldb);
+ }
+ krbtgt_utf16->length = len * 2;
+ generate_secret_buffer(krbtgt_utf16->data,
+ krbtgt_utf16->length);
+ io->n.cleartext_utf16 = krbtgt_utf16;
+ }
+
+ if (existing_msg != NULL) {
+ NTSTATUS status;
+
+ if (ac->pwd_reset) {
+ /* Get the old password from the database */
+ status = samdb_result_passwords_no_lockout(ac,
+ lp_ctx,
+ existing_msg,
+ &io->o.lm_hash,
+ &io->o.nt_hash);
+ } else {
+ /* Get the old password from the database */
+ status = samdb_result_passwords(ac,
+ lp_ctx,
+ existing_msg,
+ &io->o.lm_hash,
+ &io->o.nt_hash);
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
+ return dsdb_module_werror(ac->module,
+ LDB_ERR_CONSTRAINT_VIOLATION,
+ WERR_ACCOUNT_LOCKED_OUT,
+ "Password change not permitted,"
+ " account locked out!");
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * This only happens if the database has gone weird,
+ * not if we are just missing the passwords
+ */
+ return ldb_operr(ldb);
+ }
+
+ io->o.nt_history_len = samdb_result_hashes(ac, existing_msg,
+ "ntPwdHistory",
+ &io->o.nt_history);
+ io->o.lm_history_len = samdb_result_hashes(ac, existing_msg,
+ "lmPwdHistory",
+ &io->o.lm_history);
+ io->o.supplemental = ldb_msg_find_ldb_val(existing_msg,
+ "supplementalCredentials");
+
+ if (io->o.supplemental != NULL) {
+ enum ndr_err_code ndr_err;
+
+ ndr_err = ndr_pull_struct_blob_all(io->o.supplemental, io->ac,
+ &io->o.scb,
+ (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ status = ndr_map_error2ntstatus(ndr_err);
+ ldb_asprintf_errstring(ldb,
+ "setup_io: failed to pull "
+ "old supplementalCredentialsBlob: %s",
+ nt_errstr(status));
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ }
+ }
+
return LDB_SUCCESS;
}
static struct ph_context *ph_init_context(struct ldb_module *module,
struct ldb_request *req,
- bool userPassword)
+ bool userPassword,
+ bool update_password)
{
struct ldb_context *ldb;
struct ph_context *ac;
+ struct loadparm_context *lp_ctx = NULL;
ldb = ldb_module_get_ctx(module);
ac->module = module;
ac->req = req;
ac->userPassword = userPassword;
+ ac->update_password = update_password;
+ ac->update_lastset = true;
+
+ lp_ctx = talloc_get_type_abort(ldb_get_opaque(ldb, "loadparm"),
+ struct loadparm_context);
+ ac->gpg_key_ids = lpcfg_password_hash_gpg_key_ids(lp_ctx);
return ac;
}
/* Mark the "bypass pwdLastSet" control as uncritical (done) */
ctrl->critical = false;
}
+
+ ac->pwd_last_set_default = false;
+ ctrl = ldb_request_get_control(ac->req,
+ DSDB_CONTROL_PASSWORD_DEFAULT_LAST_SET_OID);
+ if (ctrl != NULL) {
+ ac->pwd_last_set_default = true;
+
+ /* Mark the "bypass pwdLastSet" control as uncritical (done) */
+ ctrl->critical = false;
+ }
+
+ ac->smartcard_reset = false;
+ ctrl = ldb_request_get_control(ac->req,
+ DSDB_CONTROL_PASSWORD_USER_ACCOUNT_CONTROL_OID);
+ if (ctrl != NULL) {
+ struct dsdb_control_password_user_account_control *uac = NULL;
+ uint32_t added_flags = 0;
+
+ uac = talloc_get_type_abort(ctrl->data,
+ struct dsdb_control_password_user_account_control);
+
+ added_flags = uac->new_flags & ~uac->old_flags;
+
+ if (added_flags & UF_SMARTCARD_REQUIRED) {
+ ac->smartcard_reset = true;
+ }
+
+ /* Mark the "smartcard required" control as uncritical (done) */
+ ctrl->critical = false;
+ }
}
static int ph_op_callback(struct ldb_request *req, struct ldb_reply *ares)
const char **a = NULL;
unsigned int attr_cnt = 0;
struct ldb_control *bypass = NULL;
+ struct ldb_control *uac_ctrl = NULL;
bool userPassword = dsdb_user_password_support(module, req, req);
+ bool update_password = false;
+ bool processing_needed = false;
*_ac = NULL;
}
}
- if (attr_cnt == 0) {
+ if (attr_cnt > 0) {
+ update_password = true;
+ processing_needed = true;
+ }
+
+ if (ldb_msg_find_element(msg, "pwdLastSet")) {
+ processing_needed = true;
+ }
+
+ uac_ctrl = ldb_request_get_control(req,
+ DSDB_CONTROL_PASSWORD_USER_ACCOUNT_CONTROL_OID);
+ if (uac_ctrl != NULL) {
+ struct dsdb_control_password_user_account_control *uac = NULL;
+ uint32_t added_flags = 0;
+
+ uac = talloc_get_type_abort(uac_ctrl->data,
+ struct dsdb_control_password_user_account_control);
+
+ added_flags = uac->new_flags & ~uac->old_flags;
+
+ if (added_flags & UF_SMARTCARD_REQUIRED) {
+ processing_needed = true;
+ }
+ }
+
+ if (!processing_needed) {
return ldb_next_request(module, req);
}
- ac = ph_init_context(module, req, userPassword);
+ ac = ph_init_context(module, req, userPassword, update_password);
if (!ac) {
DEBUG(0,(__location__ ": %s\n", ldb_errstring(ldb)));
return ldb_operr(ldb);
}
ph_apply_controls(ac);
+ /*
+ * Make a copy in order to apply our modifications
+ * to the final update
+ */
+ ac->update_msg = ldb_msg_copy_shallow(ac, msg);
+ if (ac->update_msg == NULL) {
+ return ldb_oom(ldb);
+ }
+
+ /*
+ * Remove all password related attributes.
+ */
+ if (ac->userPassword) {
+ ldb_msg_remove_attr(ac->update_msg, "userPassword");
+ }
+ ldb_msg_remove_attr(ac->update_msg, "clearTextPassword");
+ ldb_msg_remove_attr(ac->update_msg, "unicodePwd");
+ ldb_msg_remove_attr(ac->update_msg, "ntPwdHistory");
+ ldb_msg_remove_attr(ac->update_msg, "dBCSPwd");
+ ldb_msg_remove_attr(ac->update_msg, "lmPwdHistory");
+ ldb_msg_remove_attr(ac->update_msg, "supplementalCredentials");
+ ldb_msg_remove_attr(ac->update_msg, "pwdLastSet");
+
*_ac = ac;
return LDB_SUCCESS;
}
static int password_hash_add_do_add(struct ph_context *ac)
{
- struct ldb_context *ldb;
+ struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
struct ldb_request *down_req;
- struct ldb_message *msg;
struct setup_password_fields_io io;
int ret;
return ret;
}
- ldb = ldb_module_get_ctx(ac->module);
-
- msg = ldb_msg_copy_shallow(ac, ac->req->op.add.message);
- if (msg == NULL) {
- return ldb_operr(ldb);
- }
-
- /* remove attributes that we just read into 'io' */
- if (ac->userPassword) {
- ldb_msg_remove_attr(msg, "userPassword");
- }
- ldb_msg_remove_attr(msg, "clearTextPassword");
- ldb_msg_remove_attr(msg, "unicodePwd");
- ldb_msg_remove_attr(msg, "dBCSPwd");
- ldb_msg_remove_attr(msg, "pwdLastSet");
-
ret = setup_password_fields(&io);
if (ret != LDB_SUCCESS) {
return ret;
return ret;
}
- ret = update_final_msg(&io, msg);
+ ret = setup_smartcard_reset(&io);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ ret = update_final_msg(&io);
if (ret != LDB_SUCCESS) {
return ret;
}
ret = ldb_build_add_req(&down_req, ldb, ac,
- msg,
+ ac->update_msg,
ac->req->controls,
ac, ph_op_callback,
ac->req);
struct ldb_message_element *passwordAttr;
struct ldb_message *msg;
struct ldb_request *down_req;
+ struct ldb_control *restore = NULL;
int ret;
+ unsigned int i = 0;
ldb_debug(ldb, LDB_DEBUG_TRACE, "password_hash_modify\n");
return LDB_ERR_UNWILLING_TO_PERFORM;
}
+ restore = ldb_request_get_control(req,
+ DSDB_CONTROL_RESTORE_TOMBSTONE_OID);
+ if (restore == NULL) {
+ /*
+ * A tomstone reanimation generates a double update
+ * of pwdLastSet.
+ *
+ * So we only remove it without the
+ * DSDB_CONTROL_RESTORE_TOMBSTONE_OID control.
+ */
+ ldb_msg_remove_attr(msg, "pwdLastSet");
+ }
+
+
/* if there was nothing else to be modified skip to next step */
if (msg->num_elements == 0) {
return password_hash_mod_search_self(ac);
}
+ /*
+ * Now we apply all changes remaining in msg
+ * and remove them from our final update_msg
+ */
+
+ for (i = 0; i < msg->num_elements; i++) {
+ ldb_msg_remove_attr(ac->update_msg,
+ msg->elements[i].name);
+ }
+
ret = ldb_build_mod_req(&down_req, ldb, ac,
msg,
req->controls,
"badPasswordTime",
"badPwdCount",
"lockoutTime",
+ "msDS-SecondaryKrbTgtNumber",
NULL };
struct ldb_request *search_req;
int ret;
static int password_hash_mod_do_mod(struct ph_context *ac)
{
struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
- struct loadparm_context *lp_ctx =
- talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
- struct loadparm_context);
struct ldb_request *mod_req;
- struct ldb_message *msg;
- const struct ldb_message *searched_msg;
struct setup_password_fields_io io;
int ret;
- NTSTATUS status;
-
- /* use a new message structure so that we can modify it */
- msg = ldb_msg_new(ac);
- if (msg == NULL) {
- return ldb_operr(ldb);
- }
-
- /* modify dn */
- msg->dn = ac->req->op.mod.message->dn;
-
- searched_msg = ac->search_res->message;
/* Prepare the internal data structure containing the passwords */
ret = setup_io(ac, ac->req->op.mod.message,
if (ret != LDB_SUCCESS) {
return ret;
}
-
- if (io.ac->pwd_reset) {
- /* Get the old password from the database */
- status = samdb_result_passwords_no_lockout(io.ac,
- lp_ctx,
- discard_const_p(struct ldb_message, searched_msg),
- &io.o.lm_hash,
- &io.o.nt_hash);
- } else {
- /* Get the old password from the database */
- status = samdb_result_passwords(io.ac,
- lp_ctx,
- discard_const_p(struct ldb_message, searched_msg),
- &io.o.lm_hash, &io.o.nt_hash);
- }
-
- if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
- ldb_asprintf_errstring(ldb,
- "%08X: check_password: "
- "Password change not permitted, account locked out!",
- W_ERROR_V(WERR_ACCOUNT_LOCKED_OUT));
- return LDB_ERR_CONSTRAINT_VIOLATION;
- }
-
- if (!NT_STATUS_IS_OK(status)) {
- /*
- * This only happens if the database has gone weird,
- * not if we are just missing the passwords
- */
- return ldb_operr(ldb);
- }
-
- io.o.nt_history_len = samdb_result_hashes(io.ac, searched_msg, "ntPwdHistory", &io.o.nt_history);
- io.o.lm_history_len = samdb_result_hashes(io.ac, searched_msg, "lmPwdHistory", &io.o.lm_history);
- io.o.supplemental = ldb_msg_find_ldb_val(searched_msg, "supplementalCredentials");
ret = setup_password_fields(&io);
if (ret != LDB_SUCCESS) {
return ret;
}
- /* make sure we replace all the old attributes */
- ret = ldb_msg_add_empty(msg, "unicodePwd", LDB_FLAG_MOD_REPLACE, NULL);
- ret = ldb_msg_add_empty(msg, "dBCSPwd", LDB_FLAG_MOD_REPLACE, NULL);
- ret = ldb_msg_add_empty(msg, "ntPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
- ret = ldb_msg_add_empty(msg, "lmPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
- ret = ldb_msg_add_empty(msg, "supplementalCredentials", LDB_FLAG_MOD_REPLACE, NULL);
- ret = ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE, NULL);
+ ret = setup_smartcard_reset(&io);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
- ret = update_final_msg(&io, msg);
+ ret = update_final_msg(&io);
if (ret != LDB_SUCCESS) {
return ret;
}
ret = ldb_build_mod_req(&mod_req, ldb, ac,
- msg,
+ ac->update_msg,
ac->req->controls,
ac, ph_op_callback,
ac->req);
int ldb_password_hash_module_init(const char *version)
{
+#ifdef ENABLE_GPGME
+ const char *gversion = NULL;
+#endif /* ENABLE_GPGME */
+
LDB_MODULE_CHECK_VERSION(version);
+
+#ifdef ENABLE_GPGME
+ /*
+ * Note: this sets a SIGPIPE handler
+ * if none is active already. See:
+ * https://www.gnupg.org/documentation/manuals/gpgme/Signal-Handling.html#Signal-Handling
+ */
+ gversion = gpgme_check_version(GPGME_VERSION);
+ if (gversion == NULL) {
+ fprintf(stderr, "%s() in %s version[%s]: "
+ "gpgme_check_version(%s) not available, "
+ "gpgme_check_version(NULL) => '%s'\n",
+ __func__, __FILE__, version,
+ GPGME_VERSION, gpgme_check_version(NULL));
+ return LDB_ERR_UNAVAILABLE;
+ }
+#endif /* ENABLE_GPGME */
+
return ldb_register_module(&ldb_password_hash_module_ops);
}
git.samba.org / nivanova / samba-autobuild / .git / blobdiff