auth/credentials/credentials_gmsa.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    User credentials handling for Group Managed Service Accounts
   5
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2023
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #include "includes.h"
  23 #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
  24 #include "librpc/gen_ndr/ndr_gmsa.h" /* for struct MANAGEDPASSWORD_BLOB */
  25 #include "auth/credentials/credentials.h"
  26 #include "auth/credentials/credentials_internal.h"
  27 #include "lib/util/charset/charset.h"
  28 #include "lib/crypto/gkdi.h"
  29 /*
  30  * All current callers set "for_keytab = true", but if we start using
  31  * this for getting a TGT we need the logic to ignore a very new
  32  * key
  33  */
  34 NTSTATUS cli_credentials_set_gmsa_passwords(struct cli_credentials *creds,
  35                                             const DATA_BLOB *managed_password_blob,
  36                                             bool for_keytab,
  37                                             const char **error_string)
  38 {
  39         struct MANAGEDPASSWORD_BLOB managed_password;
  40         DATA_BLOB managed_pw_utf16;
  41         DATA_BLOB previous_managed_pw_utf16;
  42         enum ndr_err_code ndr_err;
  43         TALLOC_CTX *frame = talloc_stackframe();
  44
  45         /*
  46          * We check if this is 'for keytab' as a keytab wants to know
  47          * about a near-future password as it will be on disk for some
  48          * time
  49          */
  50         bool only_use_previous_pw =
  51                 managed_password.passwords.query_interval != NULL
  52                 && *managed_password.passwords.query_interval <= gkdi_max_clock_skew
  53                 && for_keytab == false;
  54
  55         /*
  56          * Group Managed Service Accounts are type
  57          * UF_WORKSTATION_TRUST_ACCOUNT and will follow those salting
  58          * rules
  59          */
  60         cli_credentials_set_secure_channel_type(creds, SEC_CHAN_WKSTA);
  61
  62         ndr_err = ndr_pull_struct_blob_all(managed_password_blob,
  63                                            frame,
  64                                            &managed_password,
  65                                            (ndr_pull_flags_fn_t)ndr_pull_MANAGEDPASSWORD_BLOB);
  66         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
  67                 *error_string = talloc_asprintf(creds,
  68                                                 "Failed to parse msDS-ManagedPassword "
  69                                                 "as MANAGEDPASSWORD_BLOB");
  70                 TALLOC_FREE(frame);
  71                 return NT_STATUS_ILL_FORMED_PASSWORD;
  72         }
  73
  74         /*
  75          * We look at the old password first as we might bail out
  76          * early if the new password is "too fresh"
  77          */
  78         if (managed_password.passwords.previous) {
  79                 previous_managed_pw_utf16
  80                         = data_blob_const(managed_password.passwords.previous,
  81                                           utf16_len(managed_password.passwords.previous));
  82
  83                 cli_credentials_set_old_utf16_password(creds, &previous_managed_pw_utf16);
  84
  85                 if (only_use_previous_pw) {
  86                         /* We are in the 5 mins where we know the next
  87                          * password, but it will not be available yet, just
  88                          * use the old password for now.
  89                          */
  90                         cli_credentials_set_utf16_password(creds, &previous_managed_pw_utf16,
  91                                                            CRED_SPECIFIED);
  92
  93                         /*
  94                          * We are done, the new password is of no
  95                          * interest to us
  96                          */
  97                         TALLOC_FREE(frame);
  98                         return NT_STATUS_OK;
  99                 }
 100
 101         }
 102
 103         if (only_use_previous_pw) {
 104                 *error_string = talloc_asprintf(creds,
 105                                                 "No old password but new password is too new "
 106                                                 "(< 5min) in msDS-ManagedPassword "
 107                                                 "MANAGEDPASSWORD_BLOB");
 108                 TALLOC_FREE(frame);
 109                 return NT_STATUS_ILL_FORMED_PASSWORD;
 110         }
 111
 112         if (managed_password.passwords.current == NULL) {
 113                 *error_string = talloc_asprintf(creds,
 114                                                 "Failed to find new password in msDS-ManagedPassword "
 115                                                 "MANAGEDPASSWORD_BLOB");
 116                 TALLOC_FREE(frame);
 117                 return NT_STATUS_ILL_FORMED_PASSWORD;
 118         }
 119
 120         managed_pw_utf16
 121                 = data_blob_const(managed_password.passwords.current,
 122                                   utf16_len(managed_password.passwords.current));
 123
 124         cli_credentials_set_utf16_password(creds, &managed_pw_utf16,
 125                                            CRED_SPECIFIED);
 126
 127         TALLOC_FREE(frame);
 128         return NT_STATUS_OK;
 129 }