4 Copyright (C) Simo Sorce 2004-2006
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2006
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 * Component: ldb password_hash module
28 * Description: correctly update hash values based on changes to sambaPassword and friends
30 * Author: Andrew Bartlett
34 #include "libcli/ldap/ldap.h"
35 #include "ldb/include/ldb_errors.h"
36 #include "ldb/include/ldb_private.h"
37 #include "librpc/gen_ndr/misc.h"
38 #include "librpc/gen_ndr/samr.h"
39 #include "libcli/auth/libcli_auth.h"
40 #include "libcli/security/security.h"
41 #include "system/kerberos.h"
42 #include "auth/kerberos/kerberos.h"
43 #include "system/time.h"
44 #include "dsdb/samdb/samdb.h"
48 /* If we have decided there is reason to work on this request, then
49 * setup all the password hash types correctly.
51 * If the administrator doesn't want the sambaPassword stored (set in the
52 * domain and per-account policies) then we must strip that out before
53 * we do the first operation.
55 * Once this is done (which could update anything at all), we
56 * calculate the password hashes.
58 * This function must not only update the ntPwdHash, lmPwdHash and
59 * krb5Key fields, it must also atomicly increment the
60 * msDS-KeyVersionNumber. We should be in a transaction, so all this
61 * should be quite safe...
63 * Finally, if the administrator has requested that a password history
64 * be maintained, then this should also be written out.
70 enum ph_type {PH_ADD, PH_MOD} type;
71 enum ph_step {PH_ADD_SEARCH_DOM, PH_ADD_DO_ADD, PH_MOD_DO_REQ, PH_MOD_SEARCH_SELF, PH_MOD_SEARCH_DOM, PH_MOD_DO_MOD} step;
73 struct ldb_module *module;
74 struct ldb_request *orig_req;
76 struct ldb_request *dom_req;
77 struct ldb_reply *dom_res;
79 struct ldb_request *down_req;
81 struct ldb_request *search_req;
82 struct ldb_reply *search_res;
84 struct ldb_request *mod_req;
86 struct dom_sid *domain_sid;
91 uint_t pwdHistoryLength;
96 static int add_password_hashes(struct ldb_module *module, struct ldb_message *msg, int is_mod)
98 const char *sambaPassword;
99 struct samr_Password tmp_hash;
101 sambaPassword = ldb_msg_find_string(msg, "sambaPassword", NULL);
102 if (sambaPassword == NULL) { /* impossible, what happened ?! */
103 return LDB_ERR_OPERATIONS_ERROR;
107 if (ldb_msg_add_empty(msg, "ntPwdHash", LDB_FLAG_MOD_REPLACE) != 0) {
108 return LDB_ERR_OPERATIONS_ERROR;
110 if (ldb_msg_add_empty(msg, "lmPwdHash", LDB_FLAG_MOD_REPLACE) != 0) {
111 return LDB_ERR_OPERATIONS_ERROR;
115 /* compute the new nt and lm hashes */
116 E_md4hash(sambaPassword, tmp_hash.hash);
117 if (samdb_msg_add_hash(module->ldb, msg, msg, "ntPwdHash", &tmp_hash) != 0) {
118 return LDB_ERR_OPERATIONS_ERROR;
121 if (E_deshash(sambaPassword, tmp_hash.hash)) {
122 if (samdb_msg_add_hash(module->ldb, msg, msg, "lmPwdHash", &tmp_hash) != 0) {
123 return LDB_ERR_OPERATIONS_ERROR;
130 static int add_krb5_keys_from_password(struct ldb_module *module, struct ldb_message *msg,
131 struct smb_krb5_context *smb_krb5_context,
132 struct domain_data *domain,
133 const char *samAccountName,
134 const char *user_principal_name,
137 const char *sambaPassword;
138 Principal *salt_principal;
139 krb5_error_code krb5_ret;
144 /* Many, many thanks to lukeh@padl.com for this
145 * algorithm, described in his Nov 10 2004 mail to
146 * samba-technical@samba.org */
148 sambaPassword = ldb_msg_find_string(msg, "sambaPassword", NULL);
149 if (sambaPassword == NULL) { /* impossible, what happened ?! */
150 return LDB_ERR_OPERATIONS_ERROR;
154 /* Determine a salting principal */
155 char *name = talloc_strdup(msg, samAccountName);
158 ldb_set_errstring(module->ldb,
159 talloc_asprintf(msg, "password_hash_handle: "
160 "generation of new kerberos keys failed: %s is a computer without a samAccountName",
161 ldb_dn_linearize(msg, msg->dn)));
162 return LDB_ERR_OPERATIONS_ERROR;
164 if (name[strlen(name)-1] == '$') {
165 name[strlen(name)-1] = '\0';
167 saltbody = talloc_asprintf(msg, "%s.%s", name, domain->dnsDomain);
169 krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context,
171 domain->realm, "host",
173 } else if (user_principal_name) {
175 user_principal_name = talloc_strdup(msg, user_principal_name);
176 if (user_principal_name == NULL) {
177 return LDB_ERR_OPERATIONS_ERROR;
179 p = strchr(user_principal_name, '@');
183 krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context,
185 domain->realm, user_principal_name, NULL);
188 if (!samAccountName) {
189 ldb_set_errstring(module->ldb,
190 talloc_asprintf(msg, "password_hash_handle: "
191 "generation of new kerberos keys failed: %s has no samAccountName",
192 ldb_dn_linearize(msg, msg->dn)));
193 return LDB_ERR_OPERATIONS_ERROR;
195 krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context,
197 domain->realm, samAccountName,
202 ldb_set_errstring(module->ldb,
203 talloc_asprintf(msg, "password_hash_handle: "
204 "generation of a saltking principal failed: %s",
205 smb_get_krb5_error_message(smb_krb5_context->krb5_context,
207 return LDB_ERR_OPERATIONS_ERROR;
210 /* TODO: We may wish to control the encryption types chosen in future */
211 krb5_ret = hdb_generate_key_set_password(smb_krb5_context->krb5_context,
212 salt_principal, sambaPassword, &keys, &num_keys);
213 krb5_free_principal(smb_krb5_context->krb5_context, salt_principal);
216 ldb_set_errstring(module->ldb,
217 talloc_asprintf(msg, "password_hash_handle: "
218 "generation of new kerberos keys failed: %s",
219 smb_get_krb5_error_message(smb_krb5_context->krb5_context,
221 return LDB_ERR_OPERATIONS_ERROR;
224 /* Walking all the key types generated, transform each
225 * key into an ASN.1 blob
227 for (i=0; i < num_keys; i++) {
234 if (keys[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
235 /* We might end up doing this below:
236 * This ensures we get the unicode
237 * conversion right. This should also
238 * be fixed in the Heimdal libs */
241 ASN1_MALLOC_ENCODE(Key, buf, buf_size, &keys[i], &len, krb5_ret);
243 return LDB_ERR_OPERATIONS_ERROR;
246 val.data = talloc_memdup(msg, buf, len);
249 if (!val.data || krb5_ret) {
250 hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys);
251 return LDB_ERR_OPERATIONS_ERROR;
253 ret = ldb_msg_add_value(msg, "krb5Key", &val);
254 if (ret != LDB_SUCCESS) {
255 hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys);
260 hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys);
265 static int add_krb5_keys_from_NThash(struct ldb_module *module, struct ldb_message *msg,
266 struct smb_krb5_context *smb_krb5_context)
268 struct samr_Password *ntPwdHash;
269 krb5_error_code krb5_ret;
277 key.salt = NULL; /* No salt for this enc type */
279 ntPwdHash = samdb_result_hash(msg, msg, "ntPwdHash");
280 if (ntPwdHash == NULL) { /* what happened ?! */
281 return LDB_ERR_OPERATIONS_ERROR;
284 krb5_ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
285 ETYPE_ARCFOUR_HMAC_MD5,
286 ntPwdHash->hash, sizeof(ntPwdHash->hash),
289 return LDB_ERR_OPERATIONS_ERROR;
291 ASN1_MALLOC_ENCODE(Key, buf, buf_size, &key, &len, krb5_ret);
293 return LDB_ERR_OPERATIONS_ERROR;
295 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
298 val.data = talloc_memdup(msg, buf, len);
302 return LDB_ERR_OPERATIONS_ERROR;
304 if (ldb_msg_add_value(msg, "krb5Key", &val) != 0) {
305 return LDB_ERR_OPERATIONS_ERROR;
311 static int set_pwdLastSet(struct ldb_module *module, struct ldb_message *msg, int is_mod)
316 unix_to_nt_time(&now_nt, time(NULL));
319 /* be sure there isn't a 0 value set (eg. coming from the template) */
320 ldb_msg_remove_attr(msg, "pwdLastSet");
322 if (ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_ADD) != 0) {
323 return LDB_ERR_OPERATIONS_ERROR;
327 if (ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE) != 0) {
328 return LDB_ERR_OPERATIONS_ERROR;
332 if (samdb_msg_add_uint64(module->ldb, msg, msg, "pwdLastSet", now_nt) != 0) {
333 return LDB_ERR_OPERATIONS_ERROR;
339 static int add_keyVersionNumber(struct ldb_module *module, struct ldb_message *msg, int previous)
342 if (ldb_msg_add_empty(msg, "msDS-KeyVersionNumber", LDB_FLAG_MOD_REPLACE) != 0) {
343 return LDB_ERR_OPERATIONS_ERROR;
346 if (samdb_msg_add_uint(module->ldb, msg, msg, "msDS-KeyVersionNumber", previous+1) != 0) {
347 return LDB_ERR_OPERATIONS_ERROR;
353 static int setPwdHistory(struct ldb_module *module, struct ldb_message *msg, struct ldb_message *old_msg, int hlen)
355 struct samr_Password *nt_hash;
356 struct samr_Password *lm_hash;
357 struct samr_Password *nt_history;
358 struct samr_Password *lm_history;
359 struct samr_Password *new_nt_history;
360 struct samr_Password *new_lm_history;
365 nt_hash = samdb_result_hash(msg, old_msg, "ntPwdHash");
366 lm_hash = samdb_result_hash(msg, old_msg, "lmPwdHash");
368 /* if no previous passwords just return */
369 if (nt_hash == NULL && lm_hash == NULL) return LDB_SUCCESS;
371 nt_hist_len = samdb_result_hashes(msg, old_msg, "sambaNTPwdHistory", &nt_history);
372 lm_hist_len = samdb_result_hashes(msg, old_msg, "sambaLMPwdHistory", &lm_history);
374 /* We might not have an old NT password */
375 new_nt_history = talloc_array(msg, struct samr_Password, hlen);
376 if (new_nt_history == NULL) {
377 return LDB_ERR_OPERATIONS_ERROR;
379 for (i = 0; i < MIN(hlen-1, nt_hist_len); i++) {
380 new_nt_history[i+1] = nt_history[i];
384 new_nt_history[0] = *nt_hash;
386 ZERO_STRUCT(new_nt_history[0]);
388 if (ldb_msg_add_empty(msg, "sambaNTPwdHistory", LDB_FLAG_MOD_REPLACE) != LDB_SUCCESS) {
389 return LDB_ERR_OPERATIONS_ERROR;
391 if (samdb_msg_add_hashes(msg, msg, "sambaNTPwdHistory", new_nt_history, nt_hist_len) != LDB_SUCCESS) {
392 return LDB_ERR_OPERATIONS_ERROR;
396 /* Don't store 'long' passwords in the LM history,
397 but make sure to 'expire' one password off the other end */
398 new_lm_history = talloc_array(msg, struct samr_Password, hlen);
399 if (new_lm_history == NULL) {
400 return LDB_ERR_OPERATIONS_ERROR;
402 for (i = 0; i < MIN(hlen-1, lm_hist_len); i++) {
403 new_lm_history[i+1] = lm_history[i];
407 new_lm_history[0] = *lm_hash;
409 ZERO_STRUCT(new_lm_history[0]);
411 if (ldb_msg_add_empty(msg, "sambaLMPwdHistory", LDB_FLAG_MOD_REPLACE) != LDB_SUCCESS) {
412 return LDB_ERR_OPERATIONS_ERROR;
414 if (samdb_msg_add_hashes(msg, msg, "sambaLMPwdHistory", new_lm_history, lm_hist_len) != LDB_SUCCESS) {
415 return LDB_ERR_OPERATIONS_ERROR;
421 static struct ldb_handle *ph_init_handle(struct ldb_request *req, struct ldb_module *module, enum ph_type type)
423 struct ph_context *ac;
424 struct ldb_handle *h;
426 h = talloc_zero(req, struct ldb_handle);
428 ldb_set_errstring(module->ldb, talloc_asprintf(module, "Out of Memory"));
434 ac = talloc_zero(h, struct ph_context);
436 ldb_set_errstring(module->ldb, talloc_asprintf(module, "Out of Memory"));
441 h->private_data = (void *)ac;
443 h->state = LDB_ASYNC_INIT;
444 h->status = LDB_SUCCESS;
453 static int get_domain_data_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
455 struct ph_context *ac;
457 if (!context || !ares) {
458 ldb_set_errstring(ldb, talloc_asprintf(ldb, "NULL Context or Result in callback"));
459 return LDB_ERR_OPERATIONS_ERROR;
462 ac = talloc_get_type(context, struct ph_context);
464 /* we are interested only in the single reply (base search) we receive here */
465 if (ares->type == LDB_REPLY_ENTRY) {
466 if (ac->dom_res != NULL) {
467 ldb_set_errstring(ldb, talloc_asprintf(ldb, "Too many results"));
469 return LDB_ERR_OPERATIONS_ERROR;
471 ac->dom_res = talloc_steal(ac, ares);
479 static int build_domain_data_request(struct ph_context *ac)
481 /* attrs[] is returned from this function in
482 ac->dom_req->op.search.attrs, so it must be static, as
483 otherwise the compiler can put it on the stack */
484 static const char * const attrs[] = { "pwdProperties", "pwdHistoryLength", "dnsDomain", NULL };
487 ac->dom_req = talloc_zero(ac, struct ldb_request);
488 if (ac->dom_req == NULL) {
489 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
490 return LDB_ERR_OPERATIONS_ERROR;
492 ac->dom_req->operation = LDB_SEARCH;
493 ac->dom_req->op.search.base = samdb_base_dn(ac);
494 ac->dom_req->op.search.scope = LDB_SCOPE_SUBTREE;
496 filter = talloc_asprintf(ac->dom_req, "(&(objectSid=%s)(|(objectClass=domain)(objectClass=builtinDomain)))",
497 ldap_encode_ndr_dom_sid(ac->dom_req, ac->domain_sid));
498 if (filter == NULL) {
499 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
500 talloc_free(ac->dom_req);
501 return LDB_ERR_OPERATIONS_ERROR;
504 ac->dom_req->op.search.tree = ldb_parse_tree(ac->module->ldb, filter);
505 if (ac->dom_req->op.search.tree == NULL) {
506 ldb_set_errstring(ac->module->ldb, talloc_asprintf(ac, "Invalid search filter"));
507 talloc_free(ac->dom_req);
508 return LDB_ERR_OPERATIONS_ERROR;
510 ac->dom_req->op.search.attrs = attrs;
511 ac->dom_req->controls = NULL;
512 ac->dom_req->async.context = ac;
513 ac->dom_req->async.callback = get_domain_data_callback;
514 ac->dom_req->async.timeout = ac->orig_req->async.timeout;
515 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->dom_req);
520 static struct domain_data *get_domain_data(struct ldb_module *module, void *ctx, struct ldb_reply *res)
522 struct domain_data *data;
524 struct ph_context *ac;
526 ac = talloc_get_type(ctx, struct ph_context);
528 data = talloc_zero(ac, struct domain_data);
534 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Could not find this user's domain: %s!\n", dom_sid_string(data, ac->domain_sid));
539 data->pwdProperties = samdb_result_uint(res->message, "pwdProperties", 0);
540 data->pwdHistoryLength = samdb_result_uint(res->message, "pwdHistoryLength", 0);
541 tmp = ldb_msg_find_string(res->message, "dnsDomain", NULL);
544 data->dnsDomain = talloc_strdup(data, tmp);
545 if (data->dnsDomain == NULL) {
546 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
549 data->realm = strupper_talloc(data, tmp);
550 if (data->realm == NULL) {
551 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
559 static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
561 struct ldb_handle *h;
562 struct ph_context *ac;
563 struct ldb_message_element *sambaAttr;
564 struct ldb_message_element *ntAttr;
565 struct ldb_message_element *lmAttr;
568 ldb_debug(module->ldb, LDB_DEBUG_TRACE, "password_hash_add\n");
570 if (ldb_dn_is_special(req->op.add.message->dn)) { /* do not manipulate our control entries */
571 return ldb_next_request(module, req);
574 /* nobody must touch password Histories */
575 if (ldb_msg_find_element(req->op.add.message, "sambaNTPwdHistory") ||
576 ldb_msg_find_element(req->op.add.message, "sambaLMPwdHistory")) {
577 return LDB_ERR_UNWILLING_TO_PERFORM;
580 /* If no part of this ADD touches the sambaPassword, or the NT
581 * or LM hashes, then we don't need to make any changes. */
583 sambaAttr = ldb_msg_find_element(req->op.mod.message, "sambaPassword");
584 ntAttr = ldb_msg_find_element(req->op.mod.message, "ntPwdHash");
585 lmAttr = ldb_msg_find_element(req->op.mod.message, "lmPwdHash");
587 if ((!sambaAttr) && (!ntAttr) && (!lmAttr)) {
588 return ldb_next_request(module, req);
591 /* if it is not an entry of type person its an error */
592 /* TODO: remove this when sambaPassword will be in schema */
593 if (!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "person")) {
594 ldb_set_errstring(module->ldb, talloc_asprintf(module, "Cannot set a password on entry that does not have objectClass 'person'"));
595 return LDB_ERR_OBJECT_CLASS_VIOLATION;
598 /* check sambaPassword is single valued here */
599 /* TODO: remove this when sambaPassword will be single valued in schema */
600 if (sambaAttr && sambaAttr->num_values > 1) {
601 ldb_set_errstring(module->ldb,
603 "mupltiple values for sambaPassword not allowed!\n"));
604 return LDB_ERR_CONSTRAINT_VIOLATION;
607 if (ntAttr && (ntAttr->num_values > 1)) {
608 ldb_set_errstring(module->ldb,
610 "mupltiple values for lmPwdHash not allowed!\n"));
611 return LDB_ERR_CONSTRAINT_VIOLATION;
613 if (lmAttr && (lmAttr->num_values > 1)) {
614 ldb_set_errstring(module->ldb,
616 "mupltiple values for lmPwdHash not allowed!\n"));
617 return LDB_ERR_CONSTRAINT_VIOLATION;
620 h = ph_init_handle(req, module, PH_ADD);
622 return LDB_ERR_OPERATIONS_ERROR;
624 ac = talloc_get_type(h->private_data, struct ph_context);
626 /* get user domain data */
627 ac->domain_sid = samdb_result_sid_prefix(ac, req->op.add.message, "objectSid");
628 if (ac->domain_sid == NULL) {
629 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "can't handle entry with missing objectSid!\n");
630 return LDB_ERR_OPERATIONS_ERROR;
633 ret = build_domain_data_request(ac);
634 if (ret != LDB_SUCCESS) {
638 ac->step = PH_ADD_SEARCH_DOM;
640 req->async.handle = h;
642 return ldb_next_request(module, ac->dom_req);
645 static int password_hash_add_do_add(struct ldb_handle *h) {
647 struct ph_context *ac;
648 struct domain_data *domain;
649 struct smb_krb5_context *smb_krb5_context;
650 struct ldb_message_element *sambaAttr;
651 struct ldb_message *msg;
654 ac = talloc_get_type(h->private_data, struct ph_context);
656 domain = get_domain_data(ac->module, ac, ac->dom_res);
657 if (domain == NULL) {
658 return LDB_ERR_OPERATIONS_ERROR;
661 ac->down_req = talloc(ac, struct ldb_request);
662 if (ac->down_req == NULL) {
663 return LDB_ERR_OPERATIONS_ERROR;
666 *(ac->down_req) = *(ac->orig_req);
667 ac->down_req->op.add.message = msg = ldb_msg_copy_shallow(ac->down_req, ac->orig_req->op.add.message);
668 if (ac->down_req->op.add.message == NULL) {
669 return LDB_ERR_OPERATIONS_ERROR;
672 /* Some operations below require kerberos contexts */
673 if (smb_krb5_init_context(ac->down_req, &smb_krb5_context) != 0) {
674 return LDB_ERR_OPERATIONS_ERROR;
677 /* if we have sambaPassword in the original message add the operatio on it here */
678 sambaAttr = ldb_msg_find_element(msg, "sambaPassword");
680 ret = add_password_hashes(ac->module, msg, 0);
681 /* we can compute new password hashes from the unicode password */
682 if (ret != LDB_SUCCESS) {
686 /* now add krb5 keys based on unicode password */
687 ret = add_krb5_keys_from_password(ac->module, msg, smb_krb5_context, domain,
688 ldb_msg_find_string(msg, "samAccountName", NULL),
689 ldb_msg_find_string(msg, "userPrincipalName", NULL),
690 ldb_msg_check_string_attribute(msg, "objectClass", "computer"));
691 if (ret != LDB_SUCCESS) {
695 /* add also kr5 keys based on NT the hash */
696 ret = add_krb5_keys_from_NThash(ac->module, msg, smb_krb5_context);
697 if (ret != LDB_SUCCESS) {
701 /* if both the domain properties and the user account controls do not permit
702 * clear text passwords then wipe out the sambaPassword */
703 if ((!(domain->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT)) ||
704 (!(ldb_msg_find_uint(msg, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED))) {
705 ldb_msg_remove_attr(msg, "sambaPassword");
709 /* don't touch it if a value is set. It could be an incoming samsync */
710 if (ldb_msg_find_uint64(msg, "pwdLastSet", 0) == 0) {
711 if (set_pwdLastSet(ac->module, msg, 0) != LDB_SUCCESS) {
712 return LDB_ERR_OPERATIONS_ERROR;
716 /* don't touch it if a value is set. It could be an incoming samsync */
717 if (!ldb_msg_find_element(msg, "msDS-KeyVersionNumber")) {
718 if (add_keyVersionNumber(ac->module, msg, 0) != LDB_SUCCESS) {
719 return LDB_ERR_OPERATIONS_ERROR;
723 h->state = LDB_ASYNC_INIT;
724 h->status = LDB_SUCCESS;
726 ac->step = PH_ADD_DO_ADD;
728 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->down_req);
730 /* perform the operation */
731 return ldb_next_request(ac->module, ac->down_req);
734 static int password_hash_mod_search_self(struct ldb_handle *h);
736 static int password_hash_modify(struct ldb_module *module, struct ldb_request *req)
738 struct ldb_handle *h;
739 struct ph_context *ac;
740 struct ldb_message_element *sambaAttr;
741 struct ldb_message_element *ntAttr;
742 struct ldb_message_element *lmAttr;
744 ldb_debug(module->ldb, LDB_DEBUG_TRACE, "password_hash_modify\n");
746 if (ldb_dn_is_special(req->op.mod.message->dn)) { /* do not manipulate our control entries */
747 return ldb_next_request(module, req);
750 /* nobody must touch password Histories */
751 if (ldb_msg_find_element(req->op.mod.message, "sambaNTPwdHistory") ||
752 ldb_msg_find_element(req->op.mod.message, "sambaLMPwdHistory")) {
753 return LDB_ERR_UNWILLING_TO_PERFORM;
756 sambaAttr = ldb_msg_find_element(req->op.mod.message, "sambaPassword");
757 ntAttr = ldb_msg_find_element(req->op.mod.message, "ntPwdHash");
758 lmAttr = ldb_msg_find_element(req->op.mod.message, "lmPwdHash");
760 /* check passwords are single valued here */
761 /* TODO: remove this when passwords will be single valued in schema */
762 if (sambaAttr && (sambaAttr->num_values > 1)) {
763 return LDB_ERR_CONSTRAINT_VIOLATION;
765 if (ntAttr && (ntAttr->num_values > 1)) {
766 return LDB_ERR_CONSTRAINT_VIOLATION;
768 if (lmAttr && (lmAttr->num_values > 1)) {
769 return LDB_ERR_CONSTRAINT_VIOLATION;
772 /* If no part of this touches the sambaPassword OR ntPwdHash and/or lmPwdHash, then we don't
773 * need to make any changes. For password changes/set there should
774 * be a 'delete' or a 'modify' on this attribute. */
775 /* If the only operation is the deletion of the passwords then go on */
776 if ( ((!sambaAttr) || ((sambaAttr->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE))
777 && ((!ntAttr) || ((ntAttr->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE))
778 && ((!lmAttr) || ((lmAttr->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE)) ) {
780 return ldb_next_request(module, req);
783 h = ph_init_handle(req, module, PH_MOD);
785 return LDB_ERR_OPERATIONS_ERROR;
787 ac = talloc_get_type(h->private_data, struct ph_context);
789 /* return or own handle to deal with this call */
790 req->async.handle = h;
792 /* prepare the first operation */
793 ac->down_req = talloc_zero(ac, struct ldb_request);
794 if (ac->down_req == NULL) {
795 ldb_set_errstring(module->ldb, talloc_asprintf(module->ldb, "Out of memory!"));
796 return LDB_ERR_OPERATIONS_ERROR;
799 *(ac->down_req) = *req; /* copy the request */
801 /* use a new message structure so that we can modify it */
802 ac->down_req->op.mod.message = ldb_msg_copy_shallow(ac->down_req, req->op.mod.message);
804 /* - remove any imodification to the password from the first commit
805 * we will make the real modification later */
806 if (sambaAttr) ldb_msg_remove_attr(ac->down_req->op.mod.message, "sambaPassword");
807 if (ntAttr) ldb_msg_remove_attr(ac->down_req->op.mod.message, "ntPwdHash");
808 if (lmAttr) ldb_msg_remove_attr(ac->down_req->op.mod.message, "lmPwdHash");
810 /* if there was nothing else to be modify skip to next step */
811 if (ac->down_req->op.mod.message->num_elements == 0) {
812 talloc_free(ac->down_req);
814 return password_hash_mod_search_self(h);
817 ac->down_req->async.context = NULL;
818 ac->down_req->async.callback = NULL;
820 ac->step = PH_MOD_DO_REQ;
822 ldb_set_timeout_from_prev_req(module->ldb, req, ac->down_req);
824 return ldb_next_request(module, ac->down_req);
827 static int get_self_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
829 struct ph_context *ac;
831 if (!context || !ares) {
832 ldb_set_errstring(ldb, talloc_asprintf(ldb, "NULL Context or Result in callback"));
833 return LDB_ERR_OPERATIONS_ERROR;
836 ac = talloc_get_type(context, struct ph_context);
838 /* we are interested only in the single reply (base search) we receive here */
839 if (ares->type == LDB_REPLY_ENTRY) {
840 if (ac->search_res != NULL) {
841 ldb_set_errstring(ldb, talloc_asprintf(ldb, "Too many results"));
843 return LDB_ERR_OPERATIONS_ERROR;
846 /* if it is not an entry of type person this is an error */
847 /* TODO: remove this when sambaPassword will be in schema */
848 if (!ldb_msg_check_string_attribute(ares->message, "objectClass", "person")) {
849 ldb_set_errstring(ldb, talloc_asprintf(ldb, "Object class violation"));
851 return LDB_ERR_OBJECT_CLASS_VIOLATION;
854 ac->search_res = talloc_steal(ac, ares);
862 static int password_hash_mod_search_self(struct ldb_handle *h) {
864 struct ph_context *ac;
865 static const char * const attrs[] = { "userAccountControl", "sambaLMPwdHistory",
867 "objectSid", "msDS-KeyVersionNumber",
868 "objectClass", "userPrincipalName",
870 "lmPwdHash", "ntPwdHash",
873 ac = talloc_get_type(h->private_data, struct ph_context);
875 /* prepare the search operation */
876 ac->search_req = talloc_zero(ac, struct ldb_request);
877 if (ac->search_req == NULL) {
878 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
879 return LDB_ERR_OPERATIONS_ERROR;
882 ac->search_req->operation = LDB_SEARCH;
883 ac->search_req->op.search.base = ac->orig_req->op.mod.message->dn;
884 ac->search_req->op.search.scope = LDB_SCOPE_BASE;
885 ac->search_req->op.search.tree = ldb_parse_tree(ac->module->ldb, NULL);
886 if (ac->search_req->op.search.tree == NULL) {
887 ldb_set_errstring(ac->module->ldb, talloc_asprintf(ac, "Invalid search filter"));
888 return LDB_ERR_OPERATIONS_ERROR;
890 ac->search_req->op.search.attrs = attrs;
891 ac->search_req->controls = NULL;
892 ac->search_req->async.context = ac;
893 ac->search_req->async.callback = get_self_callback;
894 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->search_req);
896 ac->step = PH_MOD_SEARCH_SELF;
898 return ldb_next_request(ac->module, ac->search_req);
901 static int password_hash_mod_search_dom(struct ldb_handle *h) {
903 struct ph_context *ac;
906 ac = talloc_get_type(h->private_data, struct ph_context);
908 /* get object domain sid */
909 ac->domain_sid = samdb_result_sid_prefix(ac, ac->search_res->message, "objectSid");
910 if (ac->domain_sid == NULL) {
911 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "can't handle entry with missing objectSid!\n");
912 return LDB_ERR_OPERATIONS_ERROR;
915 /* get user domain data */
916 ret = build_domain_data_request(ac);
917 if (ret != LDB_SUCCESS) {
921 ac->step = PH_MOD_SEARCH_DOM;
923 return ldb_next_request(ac->module, ac->dom_req);
926 static int password_hash_mod_do_mod(struct ldb_handle *h) {
928 struct ph_context *ac;
929 struct domain_data *domain;
930 struct smb_krb5_context *smb_krb5_context;
931 struct ldb_message_element *sambaAttr;
932 struct ldb_message *msg;
935 BOOL added_hashes = False;
937 ac = talloc_get_type(h->private_data, struct ph_context);
939 domain = get_domain_data(ac->module, ac, ac->dom_res);
940 if (domain == NULL) {
941 return LDB_ERR_OPERATIONS_ERROR;
944 ac->mod_req = talloc(ac, struct ldb_request);
945 if (ac->mod_req == NULL) {
946 return LDB_ERR_OPERATIONS_ERROR;
949 *(ac->mod_req) = *(ac->orig_req);
951 /* use a new message structure so that we can modify it */
952 ac->mod_req->op.mod.message = msg = ldb_msg_new(ac->mod_req);
954 return LDB_ERR_OPERATIONS_ERROR;
958 msg->dn = ac->orig_req->op.mod.message->dn;
960 /* Some operations below require kerberos contexts */
961 if (smb_krb5_init_context(ac->mod_req, &smb_krb5_context) != 0) {
962 return LDB_ERR_OPERATIONS_ERROR;
965 /* we are going to replace the existing krb5key or delete it */
966 if (ldb_msg_add_empty(msg, "krb5key", LDB_FLAG_MOD_REPLACE) != 0) {
967 return LDB_ERR_OPERATIONS_ERROR;
970 /* if we have sambaPassword in the original message add the operation on it here */
971 sambaAttr = ldb_msg_find_element(ac->orig_req->op.mod.message, "sambaPassword");
974 if (ldb_msg_add(msg, sambaAttr, sambaAttr->flags) != 0) {
975 return LDB_ERR_OPERATIONS_ERROR;
978 /* if we are actually settting a new unicode password,
979 * use it to generate the password hashes */
980 if (((sambaAttr->flags & LDB_FLAG_MOD_MASK) != LDB_FLAG_MOD_DELETE)
981 && (sambaAttr->num_values == 1)) {
982 /* we can compute new password hashes from the unicode password */
983 ret = add_password_hashes(ac->module, msg, 1);
984 if (ret != LDB_SUCCESS) {
990 /* now add krb5 keys based on unicode password */
991 ret = add_krb5_keys_from_password(ac->module, msg, smb_krb5_context, domain,
992 ldb_msg_find_string(ac->search_res->message, "samAccountName", NULL),
993 ldb_msg_find_string(ac->search_res->message, "userPrincipalName", NULL),
994 ldb_msg_check_string_attribute(ac->search_res->message, "objectClass", "computer"));
996 if (ret != LDB_SUCCESS) {
1000 /* if the domain properties or the user account controls do not permit
1001 * clear text passwords then wipe out the sambaPassword */
1002 if ((!(domain->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT)) ||
1003 (!(ldb_msg_find_uint(ac->search_res->message, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED))) {
1004 ldb_msg_remove_attr(msg, "sambaPassword");
1010 /* if we didn't create the hashes above, try using values supplied directly */
1011 if (!added_hashes) {
1012 struct ldb_message_element *el;
1014 el = ldb_msg_find_element(ac->orig_req->op.mod.message, "ntPwdHash");
1015 if (ldb_msg_add(msg, el, el->flags) != 0) {
1016 return LDB_ERR_OPERATIONS_ERROR;
1019 el = ldb_msg_find_element(ac->orig_req->op.mod.message, "lmPwdHash");
1020 if (ldb_msg_add(msg, el, el->flags) != 0) {
1021 return LDB_ERR_OPERATIONS_ERROR;
1025 /* add also krb5 keys based on NT the hash */
1026 if (add_krb5_keys_from_NThash(ac->module, msg, smb_krb5_context) != LDB_SUCCESS) {
1027 return LDB_ERR_OPERATIONS_ERROR;
1030 /* set change time */
1031 if (set_pwdLastSet(ac->module, msg, 1) != LDB_SUCCESS) {
1032 return LDB_ERR_OPERATIONS_ERROR;
1035 /* don't touch it if a value is set. It could be an incoming samsync */
1036 if (!ldb_msg_find_element(ac->orig_req->op.mod.message,
1037 "msDS-KeyVersionNumber")) {
1038 if (add_keyVersionNumber(ac->module, msg,
1039 ldb_msg_find_uint(ac->search_res->message,
1040 "msDS-KeyVersionNumber", 0)
1042 return LDB_ERR_OPERATIONS_ERROR;
1046 if ((phlen = samdb_result_uint(ac->dom_res->message, "pwdHistoryLength", 0)) > 0) {
1047 if (setPwdHistory(ac->module, msg, ac->search_res->message, phlen) != LDB_SUCCESS) {
1048 return LDB_ERR_OPERATIONS_ERROR;
1052 h->state = LDB_ASYNC_INIT;
1053 h->status = LDB_SUCCESS;
1055 ac->step = PH_MOD_DO_MOD;
1057 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->mod_req);
1059 /* perform the search */
1060 return ldb_next_request(ac->module, ac->mod_req);
1063 static int ph_wait(struct ldb_handle *handle) {
1064 struct ph_context *ac;
1067 if (!handle || !handle->private_data) {
1068 return LDB_ERR_OPERATIONS_ERROR;
1071 if (handle->state == LDB_ASYNC_DONE) {
1072 return handle->status;
1075 handle->state = LDB_ASYNC_PENDING;
1076 handle->status = LDB_SUCCESS;
1078 ac = talloc_get_type(handle->private_data, struct ph_context);
1081 case PH_ADD_SEARCH_DOM:
1082 ret = ldb_wait(ac->dom_req->async.handle, LDB_WAIT_NONE);
1084 if (ret != LDB_SUCCESS) {
1085 handle->status = ret;
1088 if (ac->dom_req->async.handle->status != LDB_SUCCESS) {
1089 handle->status = ac->dom_req->async.handle->status;
1093 if (ac->dom_req->async.handle->state != LDB_ASYNC_DONE) {
1097 /* domain search done, go on */
1098 return password_hash_add_do_add(handle);
1101 ret = ldb_wait(ac->down_req->async.handle, LDB_WAIT_NONE);
1103 if (ret != LDB_SUCCESS) {
1104 handle->status = ret;
1107 if (ac->down_req->async.handle->status != LDB_SUCCESS) {
1108 handle->status = ac->down_req->async.handle->status;
1112 if (ac->down_req->async.handle->state != LDB_ASYNC_DONE) {
1119 ret = ldb_wait(ac->down_req->async.handle, LDB_WAIT_NONE);
1121 if (ret != LDB_SUCCESS) {
1122 handle->status = ret;
1125 if (ac->down_req->async.handle->status != LDB_SUCCESS) {
1126 handle->status = ac->down_req->async.handle->status;
1130 if (ac->down_req->async.handle->state != LDB_ASYNC_DONE) {
1134 /* non-password mods done, go on */
1135 return password_hash_mod_search_self(handle);
1137 case PH_MOD_SEARCH_SELF:
1138 ret = ldb_wait(ac->search_req->async.handle, LDB_WAIT_NONE);
1140 if (ret != LDB_SUCCESS) {
1141 handle->status = ret;
1144 if (ac->search_req->async.handle->status != LDB_SUCCESS) {
1145 handle->status = ac->search_req->async.handle->status;
1149 if (ac->search_req->async.handle->state != LDB_ASYNC_DONE) {
1153 /* self search done, go on */
1154 return password_hash_mod_search_dom(handle);
1156 case PH_MOD_SEARCH_DOM:
1157 ret = ldb_wait(ac->dom_req->async.handle, LDB_WAIT_NONE);
1159 if (ret != LDB_SUCCESS) {
1160 handle->status = ret;
1163 if (ac->dom_req->async.handle->status != LDB_SUCCESS) {
1164 handle->status = ac->dom_req->async.handle->status;
1168 if (ac->dom_req->async.handle->state != LDB_ASYNC_DONE) {
1172 /* domain search done, go on */
1173 return password_hash_mod_do_mod(handle);
1176 ret = ldb_wait(ac->mod_req->async.handle, LDB_WAIT_NONE);
1178 if (ret != LDB_SUCCESS) {
1179 handle->status = ret;
1182 if (ac->mod_req->async.handle->status != LDB_SUCCESS) {
1183 handle->status = ac->mod_req->async.handle->status;
1187 if (ac->mod_req->async.handle->state != LDB_ASYNC_DONE) {
1194 ret = LDB_ERR_OPERATIONS_ERROR;
1201 handle->state = LDB_ASYNC_DONE;
1205 static int ph_wait_all(struct ldb_handle *handle) {
1209 while (handle->state != LDB_ASYNC_DONE) {
1210 ret = ph_wait(handle);
1211 if (ret != LDB_SUCCESS) {
1216 return handle->status;
1219 static int password_hash_wait(struct ldb_handle *handle, enum ldb_wait_type type)
1221 if (type == LDB_WAIT_ALL) {
1222 return ph_wait_all(handle);
1224 return ph_wait(handle);
1228 static const struct ldb_module_ops password_hash_ops = {
1229 .name = "password_hash",
1230 .add = password_hash_add,
1231 .modify = password_hash_modify,
1232 .wait = password_hash_wait
1236 int password_hash_module_init(void)
1238 return ldb_register_module(&password_hash_ops);