2 Unix SMB/CIFS implementation.
4 Copyright (C) Guenther Deschner <gd@samba.org> 2008
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "libnet/libnet.h"
23 #if defined(HAVE_ADS) && defined(ENCTYPE_ARCFOUR_HMAC)
25 static NTSTATUS add_to_keytab_entries(TALLOC_CTX *mem_ctx,
26 struct libnet_keytab_context *ctx,
32 struct libnet_keytab_entry entry;
35 entry.name = talloc_strdup(mem_ctx, name);
36 entry.principal = talloc_asprintf(mem_ctx, "%s%s%s@%s",
39 name, ctx->dns_domain_name);
40 entry.password = blob;
41 NT_STATUS_HAVE_NO_MEMORY(entry.name);
42 NT_STATUS_HAVE_NO_MEMORY(entry.principal);
43 NT_STATUS_HAVE_NO_MEMORY(entry.password.data);
45 ADD_TO_ARRAY(mem_ctx, struct libnet_keytab_entry, entry,
46 &ctx->entries, &ctx->count);
47 NT_STATUS_HAVE_NO_MEMORY(ctx->entries);
52 static NTSTATUS keytab_startup(struct dssync_context *ctx, TALLOC_CTX *mem_ctx)
54 krb5_error_code ret = 0;
55 struct libnet_keytab_context *keytab_ctx;
57 ret = libnet_keytab_init(mem_ctx, ctx->output_filename, &keytab_ctx);
59 return krb5_to_nt_status(ret);
62 keytab_ctx->dns_domain_name = ctx->dns_domain_name;
63 ctx->private_data = keytab_ctx;
68 static NTSTATUS keytab_finish(struct dssync_context *ctx, TALLOC_CTX *mem_ctx)
70 NTSTATUS status = NT_STATUS_OK;
71 krb5_error_code ret = 0;
72 struct libnet_keytab_context *keytab_ctx =
73 (struct libnet_keytab_context *)ctx->private_data;
75 ret = libnet_keytab_add(keytab_ctx);
77 status = krb5_to_nt_status(ret);
78 ctx->error_message = talloc_asprintf(mem_ctx,
79 "Failed to add entries to keytab %s: %s",
80 keytab_ctx->keytab_name, error_message(ret));
84 ctx->result_message = talloc_asprintf(mem_ctx,
85 "Vampired %d accounts to keytab %s",
87 keytab_ctx->keytab_name);
90 TALLOC_FREE(keytab_ctx);
94 /****************************************************************
95 ****************************************************************/
97 static NTSTATUS parse_object(TALLOC_CTX *mem_ctx,
98 struct libnet_keytab_context *ctx,
99 struct drsuapi_DsReplicaObjectListItemEx *cur)
101 NTSTATUS status = NT_STATUS_OK;
103 struct libnet_keytab_entry entry;
106 struct drsuapi_DsReplicaAttribute *attr;
107 bool got_pwd = false;
113 uint32_t sam_type = 0;
115 uint32_t pwd_history_len = 0;
116 uint8_t *pwd_history = NULL;
118 ZERO_STRUCT(nt_passwd);
120 for (i=0; i < cur->object.attribute_ctr.num_attributes; i++) {
122 attr = &cur->object.attribute_ctr.attributes[i];
124 if (attr->value_ctr.num_values != 1) {
128 if (!attr->value_ctr.values[0].blob) {
132 blob = attr->value_ctr.values[0].blob;
134 switch (attr->attid) {
135 case DRSUAPI_ATTRIBUTE_unicodePwd:
137 if (blob->length != 16) {
141 memcpy(&nt_passwd, blob->data, 16);
144 /* pick the kvno from the meta_data version,
145 * thanks, metze, for explaining this */
147 if (!cur->meta_data_ctr) {
150 if (cur->meta_data_ctr->count !=
151 cur->object.attribute_ctr.num_attributes) {
154 kvno = cur->meta_data_ctr->meta_data[i].version;
156 case DRSUAPI_ATTRIBUTE_ntPwdHistory:
157 pwd_history_len = blob->length / 16;
158 pwd_history = blob->data;
160 case DRSUAPI_ATTRIBUTE_msDS_KeyVersionNumber:
161 kvno = IVAL(blob->data, 0);
163 case DRSUAPI_ATTRIBUTE_userPrincipalName:
164 pull_string_talloc(mem_ctx, NULL, 0, &upn,
165 blob->data, blob->length,
168 case DRSUAPI_ATTRIBUTE_sAMAccountName:
169 pull_string_talloc(mem_ctx, NULL, 0, &name,
170 blob->data, blob->length,
173 case DRSUAPI_ATTRIBUTE_sAMAccountType:
174 sam_type = IVAL(blob->data, 0);
176 case DRSUAPI_ATTRIBUTE_userAccountControl:
177 uacc = IVAL(blob->data, 0);
184 if (!got_pwd || !name) {
188 DEBUG(1,("#%02d: %s:%d, ", ctx->count, name, kvno));
189 DEBUGADD(1,("sAMAccountType: 0x%08x, userAccountControl: 0x%08x ",
192 DEBUGADD(1,("upn: %s", upn));
196 status = add_to_keytab_entries(mem_ctx, ctx, kvno, name, NULL,
197 data_blob_talloc(mem_ctx, nt_passwd, 16));
199 if (!NT_STATUS_IS_OK(status)) {
203 if ((kvno < 0) && (kvno < pwd_history_len)) {
207 /* add password history */
209 /* skip first entry */
217 for (; i<pwd_history_len; i++) {
220 entry.name = talloc_strdup(mem_ctx, name);
221 entry.principal = talloc_asprintf(mem_ctx, "%s@%s",
222 name, ctx->dns_domain_name);
223 entry.password = data_blob_talloc(mem_ctx, &pwd_history[i*16], 16);
224 NT_STATUS_HAVE_NO_MEMORY(entry.name);
225 NT_STATUS_HAVE_NO_MEMORY(entry.principal);
226 NT_STATUS_HAVE_NO_MEMORY(entry.password.data);
228 ADD_TO_ARRAY(mem_ctx, struct libnet_keytab_entry, entry,
229 &ctx->entries, &ctx->count);
235 /****************************************************************
236 ****************************************************************/
238 static NTSTATUS keytab_process_objects(struct dssync_context *ctx,
240 struct drsuapi_DsReplicaObjectListItemEx *cur,
241 struct drsuapi_DsReplicaOIDMapping_Ctr *mapping_ctr)
243 NTSTATUS status = NT_STATUS_OK;
244 struct libnet_keytab_context *keytab_ctx =
245 (struct libnet_keytab_context *)ctx->private_data;
247 for (; cur; cur = cur->next_object) {
248 status = parse_object(mem_ctx, keytab_ctx, cur);
249 if (!NT_STATUS_IS_OK(status)) {
260 static NTSTATUS keytab_startup(struct dssync_context *ctx, TALLOC_CTX *mem_ctx)
262 return NT_STATUS_NOT_SUPPORTED;
265 static NTSTATUS keytab_finish(struct dssync_context *ctx, TALLOC_CTX *mem_ctx)
267 return NT_STATUS_NOT_SUPPORTED;
270 static NTSTATUS keytab_process_objects(struct dssync_context *ctx,
272 struct drsuapi_DsReplicaObjectListItemEx *cur,
273 struct drsuapi_DsReplicaOIDMapping_Ctr *mapping_ctr)
275 return NT_STATUS_NOT_SUPPORTED;
277 #endif /* defined(HAVE_ADS) && defined(ENCTYPE_ARCFOUR_HMAC) */
279 const struct dssync_ops libnet_dssync_keytab_ops = {
280 .startup = keytab_startup,
281 .process_objects = keytab_process_objects,
282 .finish = keytab_finish,