2 Unix SMB/CIFS implementation.
4 User credentials handling for Group Managed Service Accounts
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2023
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
24 #include "librpc/gen_ndr/ndr_gmsa.h" /* for struct MANAGEDPASSWORD_BLOB */
25 #include "auth/credentials/credentials.h"
26 #include "auth/credentials/credentials_internal.h"
27 #include "lib/util/charset/charset.h"
28 #include "lib/crypto/gkdi.h"
30 * All current callers set "for_keytab = true", but if we start using
31 * this for getting a TGT we need the logic to ignore a very new
34 NTSTATUS cli_credentials_set_gmsa_passwords(struct cli_credentials *creds,
35 const DATA_BLOB *managed_password_blob,
37 const char **error_string)
39 struct MANAGEDPASSWORD_BLOB managed_password;
40 DATA_BLOB managed_pw_utf16;
41 DATA_BLOB previous_managed_pw_utf16;
42 enum ndr_err_code ndr_err;
43 TALLOC_CTX *frame = talloc_stackframe();
46 * We check if this is 'for keytab' as a keytab wants to know
47 * about a near-future password as it will be on disk for some
50 bool only_use_previous_pw =
51 managed_password.passwords.query_interval != NULL
52 && *managed_password.passwords.query_interval <= gkdi_max_clock_skew
53 && for_keytab == false;
56 * Group Managed Service Accounts are type
57 * UF_WORKSTATION_TRUST_ACCOUNT and will follow those salting
60 cli_credentials_set_secure_channel_type(creds, SEC_CHAN_WKSTA);
62 ndr_err = ndr_pull_struct_blob_all(managed_password_blob,
65 (ndr_pull_flags_fn_t)ndr_pull_MANAGEDPASSWORD_BLOB);
66 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
67 *error_string = talloc_asprintf(creds,
68 "Failed to parse msDS-ManagedPassword "
69 "as MANAGEDPASSWORD_BLOB");
71 return NT_STATUS_ILL_FORMED_PASSWORD;
75 * We look at the old password first as we might bail out
76 * early if the new password is "too fresh"
78 if (managed_password.passwords.previous) {
79 previous_managed_pw_utf16
80 = data_blob_const(managed_password.passwords.previous,
81 utf16_len(managed_password.passwords.previous));
83 cli_credentials_set_old_utf16_password(creds, &previous_managed_pw_utf16);
85 if (only_use_previous_pw) {
86 /* We are in the 5 mins where we know the next
87 * password, but it will not be available yet, just
88 * use the old password for now.
90 cli_credentials_set_utf16_password(creds, &previous_managed_pw_utf16,
94 * We are done, the new password is of no
103 if (only_use_previous_pw) {
104 *error_string = talloc_asprintf(creds,
105 "No old password but new password is too new "
106 "(< 5min) in msDS-ManagedPassword "
107 "MANAGEDPASSWORD_BLOB");
109 return NT_STATUS_ILL_FORMED_PASSWORD;
112 if (managed_password.passwords.current == NULL) {
113 *error_string = talloc_asprintf(creds,
114 "Failed to find new password in msDS-ManagedPassword "
115 "MANAGEDPASSWORD_BLOB");
117 return NT_STATUS_ILL_FORMED_PASSWORD;
121 = data_blob_const(managed_password.passwords.current,
122 utf16_len(managed_password.passwords.current));
124 cli_credentials_set_utf16_password(creds, &managed_pw_utf16,