4 Copyright (C) Simo Sorce 2004-2006
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2006
6 Copyright (C) Andrew Tridgell 2004
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 * Component: ldb password_hash module
28 * Description: correctly update hash values based on changes to sambaPassword and friends
30 * Author: Andrew Bartlett
34 #include "libcli/ldap/ldap.h"
35 #include "ldb/include/ldb_errors.h"
36 #include "ldb/include/ldb_private.h"
37 #include "librpc/gen_ndr/misc.h"
38 #include "librpc/gen_ndr/samr.h"
39 #include "libcli/auth/libcli_auth.h"
40 #include "libcli/security/security.h"
41 #include "system/kerberos.h"
42 #include "auth/kerberos/kerberos.h"
43 #include "system/time.h"
44 #include "dsdb/samdb/samdb.h"
45 #include "dsdb/common/flags.h"
47 #include "dsdb/samdb/ldb_modules/password_modules.h"
49 /* If we have decided there is reason to work on this request, then
50 * setup all the password hash types correctly.
52 * If the administrator doesn't want the sambaPassword stored (set in the
53 * domain and per-account policies) then we must strip that out before
54 * we do the first operation.
56 * Once this is done (which could update anything at all), we
57 * calculate the password hashes.
59 * This function must not only update the ntPwdHash, lmPwdHash and
60 * krb5Key fields, it must also atomicly increment the
61 * msDS-KeyVersionNumber. We should be in a transaction, so all this
62 * should be quite safe...
64 * Finally, if the administrator has requested that a password history
65 * be maintained, then this should also be written out.
71 enum ph_type {PH_ADD, PH_MOD} type;
72 enum ph_step {PH_ADD_SEARCH_DOM, PH_ADD_DO_ADD, PH_MOD_DO_REQ, PH_MOD_SEARCH_SELF, PH_MOD_SEARCH_DOM, PH_MOD_DO_MOD} step;
74 struct ldb_module *module;
75 struct ldb_request *orig_req;
77 struct ldb_request *dom_req;
78 struct ldb_reply *dom_res;
80 struct ldb_request *down_req;
82 struct ldb_request *search_req;
83 struct ldb_reply *search_res;
85 struct ldb_request *mod_req;
87 struct dom_sid *domain_sid;
92 uint_t pwdHistoryLength;
97 static int add_password_hashes(struct ldb_module *module, struct ldb_message *msg, int is_mod)
99 const char *sambaPassword;
100 struct samr_Password tmp_hash;
102 sambaPassword = ldb_msg_find_attr_as_string(msg, "sambaPassword", NULL);
103 if (sambaPassword == NULL) { /* impossible, what happened ?! */
104 return LDB_ERR_OPERATIONS_ERROR;
108 if (ldb_msg_add_empty(msg, "ntPwdHash", LDB_FLAG_MOD_REPLACE) != 0) {
109 return LDB_ERR_OPERATIONS_ERROR;
111 if (ldb_msg_add_empty(msg, "lmPwdHash", LDB_FLAG_MOD_REPLACE) != 0) {
112 return LDB_ERR_OPERATIONS_ERROR;
116 /* compute the new nt and lm hashes */
117 E_md4hash(sambaPassword, tmp_hash.hash);
118 if (samdb_msg_add_hash(module->ldb, msg, msg, "ntPwdHash", &tmp_hash) != 0) {
119 return LDB_ERR_OPERATIONS_ERROR;
122 if (E_deshash(sambaPassword, tmp_hash.hash)) {
123 if (samdb_msg_add_hash(module->ldb, msg, msg, "lmPwdHash", &tmp_hash) != 0) {
124 return LDB_ERR_OPERATIONS_ERROR;
131 static int add_krb5_keys_from_password(struct ldb_module *module, struct ldb_message *msg,
132 struct smb_krb5_context *smb_krb5_context,
133 struct domain_data *domain,
134 const char *samAccountName,
135 const char *user_principal_name,
138 const char *sambaPassword;
139 Principal *salt_principal;
140 krb5_error_code krb5_ret;
145 /* Many, many thanks to lukeh@padl.com for this
146 * algorithm, described in his Nov 10 2004 mail to
147 * samba-technical@samba.org */
149 sambaPassword = ldb_msg_find_attr_as_string(msg, "sambaPassword", NULL);
150 if (sambaPassword == NULL) { /* impossible, what happened ?! */
151 return LDB_ERR_OPERATIONS_ERROR;
155 /* Determine a salting principal */
156 char *name = talloc_strdup(msg, samAccountName);
159 ldb_asprintf_errstring(module->ldb,
160 "password_hash_handle: "
161 "generation of new kerberos keys failed: %s is a computer without a samAccountName",
162 ldb_dn_linearize(msg, msg->dn));
163 return LDB_ERR_OPERATIONS_ERROR;
165 if (name[strlen(name)-1] == '$') {
166 name[strlen(name)-1] = '\0';
168 saltbody = talloc_asprintf(msg, "%s.%s", name, domain->dnsDomain);
170 krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context,
172 domain->realm, "host",
174 } else if (user_principal_name) {
176 user_principal_name = talloc_strdup(msg, user_principal_name);
177 if (user_principal_name == NULL) {
178 return LDB_ERR_OPERATIONS_ERROR;
180 p = strchr(user_principal_name, '@');
184 krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context,
186 domain->realm, user_principal_name, NULL);
189 if (!samAccountName) {
190 ldb_asprintf_errstring(module->ldb,
191 "password_hash_handle: "
192 "generation of new kerberos keys failed: %s has no samAccountName",
193 ldb_dn_linearize(msg, msg->dn));
194 return LDB_ERR_OPERATIONS_ERROR;
196 krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context,
198 domain->realm, samAccountName,
203 ldb_asprintf_errstring(module->ldb,
204 "password_hash_handle: "
205 "generation of a saltking principal failed: %s",
206 smb_get_krb5_error_message(smb_krb5_context->krb5_context, krb5_ret, msg));
207 return LDB_ERR_OPERATIONS_ERROR;
210 /* TODO: We may wish to control the encryption types chosen in future */
211 krb5_ret = hdb_generate_key_set_password(smb_krb5_context->krb5_context,
212 salt_principal, sambaPassword, &keys, &num_keys);
213 krb5_free_principal(smb_krb5_context->krb5_context, salt_principal);
216 ldb_asprintf_errstring(module->ldb,
217 "password_hash_handle: "
218 "generation of new kerberos keys failed: %s",
219 smb_get_krb5_error_message(smb_krb5_context->krb5_context, krb5_ret, msg));
220 return LDB_ERR_OPERATIONS_ERROR;
223 /* Walking all the key types generated, transform each
224 * key into an ASN.1 blob
226 for (i=0; i < num_keys; i++) {
233 if (keys[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
234 /* We might end up doing this below:
235 * This ensures we get the unicode
236 * conversion right. This should also
237 * be fixed in the Heimdal libs */
240 ASN1_MALLOC_ENCODE(Key, buf, buf_size, &keys[i], &len, krb5_ret);
242 return LDB_ERR_OPERATIONS_ERROR;
245 val.data = talloc_memdup(msg, buf, len);
248 if (!val.data || krb5_ret) {
249 hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys);
250 return LDB_ERR_OPERATIONS_ERROR;
252 ret = ldb_msg_add_value(msg, "krb5Key", &val);
253 if (ret != LDB_SUCCESS) {
254 hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys);
259 hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys);
264 static int add_krb5_keys_from_NThash(struct ldb_module *module, struct ldb_message *msg,
265 struct smb_krb5_context *smb_krb5_context)
267 struct samr_Password *ntPwdHash;
268 krb5_error_code krb5_ret;
276 key.salt = NULL; /* No salt for this enc type */
278 ntPwdHash = samdb_result_hash(msg, msg, "ntPwdHash");
279 if (ntPwdHash == NULL) { /* what happened ?! */
280 return LDB_ERR_OPERATIONS_ERROR;
283 krb5_ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
284 ETYPE_ARCFOUR_HMAC_MD5,
285 ntPwdHash->hash, sizeof(ntPwdHash->hash),
288 return LDB_ERR_OPERATIONS_ERROR;
290 ASN1_MALLOC_ENCODE(Key, buf, buf_size, &key, &len, krb5_ret);
292 return LDB_ERR_OPERATIONS_ERROR;
294 krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
297 val.data = talloc_memdup(msg, buf, len);
301 return LDB_ERR_OPERATIONS_ERROR;
303 if (ldb_msg_add_value(msg, "krb5Key", &val) != 0) {
304 return LDB_ERR_OPERATIONS_ERROR;
310 static int set_pwdLastSet(struct ldb_module *module, struct ldb_message *msg, int is_mod)
315 unix_to_nt_time(&now_nt, time(NULL));
318 /* be sure there isn't a 0 value set (eg. coming from the template) */
319 ldb_msg_remove_attr(msg, "pwdLastSet");
321 if (ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_ADD) != 0) {
322 return LDB_ERR_OPERATIONS_ERROR;
326 if (ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE) != 0) {
327 return LDB_ERR_OPERATIONS_ERROR;
331 if (samdb_msg_add_uint64(module->ldb, msg, msg, "pwdLastSet", now_nt) != 0) {
332 return LDB_ERR_OPERATIONS_ERROR;
338 static int add_keyVersionNumber(struct ldb_module *module, struct ldb_message *msg, int previous)
341 if (ldb_msg_add_empty(msg, "msDS-KeyVersionNumber", LDB_FLAG_MOD_REPLACE) != 0) {
342 return LDB_ERR_OPERATIONS_ERROR;
345 if (samdb_msg_add_uint(module->ldb, msg, msg, "msDS-KeyVersionNumber", previous+1) != 0) {
346 return LDB_ERR_OPERATIONS_ERROR;
352 static int setPwdHistory(struct ldb_module *module, struct ldb_message *msg, struct ldb_message *old_msg, int hlen)
354 struct samr_Password *nt_hash;
355 struct samr_Password *lm_hash;
356 struct samr_Password *nt_history;
357 struct samr_Password *lm_history;
358 struct samr_Password *new_nt_history;
359 struct samr_Password *new_lm_history;
364 nt_hash = samdb_result_hash(msg, old_msg, "ntPwdHash");
365 lm_hash = samdb_result_hash(msg, old_msg, "lmPwdHash");
367 /* if no previous passwords just return */
368 if (nt_hash == NULL && lm_hash == NULL) return LDB_SUCCESS;
370 nt_hist_len = samdb_result_hashes(msg, old_msg, "sambaNTPwdHistory", &nt_history);
371 lm_hist_len = samdb_result_hashes(msg, old_msg, "sambaLMPwdHistory", &lm_history);
373 /* We might not have an old NT password */
374 new_nt_history = talloc_array(msg, struct samr_Password, hlen);
375 if (new_nt_history == NULL) {
376 return LDB_ERR_OPERATIONS_ERROR;
378 for (i = 0; i < MIN(hlen-1, nt_hist_len); i++) {
379 new_nt_history[i+1] = nt_history[i];
383 new_nt_history[0] = *nt_hash;
385 ZERO_STRUCT(new_nt_history[0]);
387 if (ldb_msg_add_empty(msg, "sambaNTPwdHistory", LDB_FLAG_MOD_REPLACE) != LDB_SUCCESS) {
388 return LDB_ERR_OPERATIONS_ERROR;
390 if (samdb_msg_add_hashes(msg, msg, "sambaNTPwdHistory", new_nt_history, nt_hist_len) != LDB_SUCCESS) {
391 return LDB_ERR_OPERATIONS_ERROR;
395 /* Don't store 'long' passwords in the LM history,
396 but make sure to 'expire' one password off the other end */
397 new_lm_history = talloc_array(msg, struct samr_Password, hlen);
398 if (new_lm_history == NULL) {
399 return LDB_ERR_OPERATIONS_ERROR;
401 for (i = 0; i < MIN(hlen-1, lm_hist_len); i++) {
402 new_lm_history[i+1] = lm_history[i];
406 new_lm_history[0] = *lm_hash;
408 ZERO_STRUCT(new_lm_history[0]);
410 if (ldb_msg_add_empty(msg, "sambaLMPwdHistory", LDB_FLAG_MOD_REPLACE) != LDB_SUCCESS) {
411 return LDB_ERR_OPERATIONS_ERROR;
413 if (samdb_msg_add_hashes(msg, msg, "sambaLMPwdHistory", new_lm_history, lm_hist_len) != LDB_SUCCESS) {
414 return LDB_ERR_OPERATIONS_ERROR;
420 static struct ldb_handle *ph_init_handle(struct ldb_request *req, struct ldb_module *module, enum ph_type type)
422 struct ph_context *ac;
423 struct ldb_handle *h;
425 h = talloc_zero(req, struct ldb_handle);
427 ldb_set_errstring(module->ldb, "Out of Memory");
433 ac = talloc_zero(h, struct ph_context);
435 ldb_set_errstring(module->ldb, "Out of Memory");
440 h->private_data = (void *)ac;
442 h->state = LDB_ASYNC_INIT;
443 h->status = LDB_SUCCESS;
452 static int get_domain_data_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
454 struct ph_context *ac;
456 if (!context || !ares) {
457 ldb_set_errstring(ldb, "NULL Context or Result in callback");
458 return LDB_ERR_OPERATIONS_ERROR;
461 ac = talloc_get_type(context, struct ph_context);
463 /* we are interested only in the single reply (base search) we receive here */
464 if (ares->type == LDB_REPLY_ENTRY) {
465 if (ac->dom_res != NULL) {
466 ldb_set_errstring(ldb, "Too many results");
468 return LDB_ERR_OPERATIONS_ERROR;
470 ac->dom_res = talloc_steal(ac, ares);
478 static int build_domain_data_request(struct ph_context *ac)
480 /* attrs[] is returned from this function in
481 ac->dom_req->op.search.attrs, so it must be static, as
482 otherwise the compiler can put it on the stack */
483 static const char * const attrs[] = { "pwdProperties", "pwdHistoryLength", "dnsDomain", NULL };
486 ac->dom_req = talloc_zero(ac, struct ldb_request);
487 if (ac->dom_req == NULL) {
488 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
489 return LDB_ERR_OPERATIONS_ERROR;
491 ac->dom_req->operation = LDB_SEARCH;
492 ac->dom_req->op.search.base = ldb_get_default_basedn(ac->module->ldb);
493 ac->dom_req->op.search.scope = LDB_SCOPE_SUBTREE;
495 filter = talloc_asprintf(ac->dom_req, "(&(objectSid=%s)(|(objectClass=domain)(objectClass=builtinDomain)))",
496 ldap_encode_ndr_dom_sid(ac->dom_req, ac->domain_sid));
497 if (filter == NULL) {
498 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
499 talloc_free(ac->dom_req);
500 return LDB_ERR_OPERATIONS_ERROR;
503 ac->dom_req->op.search.tree = ldb_parse_tree(ac->module->ldb, filter);
504 if (ac->dom_req->op.search.tree == NULL) {
505 ldb_set_errstring(ac->module->ldb, "Invalid search filter");
506 talloc_free(ac->dom_req);
507 return LDB_ERR_OPERATIONS_ERROR;
509 ac->dom_req->op.search.attrs = attrs;
510 ac->dom_req->controls = NULL;
511 ac->dom_req->context = ac;
512 ac->dom_req->callback = get_domain_data_callback;
513 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->dom_req);
518 static struct domain_data *get_domain_data(struct ldb_module *module, void *ctx, struct ldb_reply *res)
520 struct domain_data *data;
522 struct ph_context *ac;
524 ac = talloc_get_type(ctx, struct ph_context);
526 data = talloc_zero(ac, struct domain_data);
532 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Could not find this user's domain: %s!\n", dom_sid_string(data, ac->domain_sid));
537 data->pwdProperties = samdb_result_uint(res->message, "pwdProperties", 0);
538 data->pwdHistoryLength = samdb_result_uint(res->message, "pwdHistoryLength", 0);
539 tmp = ldb_msg_find_attr_as_string(res->message, "dnsDomain", NULL);
542 data->dnsDomain = talloc_strdup(data, tmp);
543 if (data->dnsDomain == NULL) {
544 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
547 data->realm = strupper_talloc(data, tmp);
548 if (data->realm == NULL) {
549 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
557 static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
559 struct ldb_handle *h;
560 struct ph_context *ac;
561 struct ldb_message_element *sambaAttr;
562 struct ldb_message_element *ntAttr;
563 struct ldb_message_element *lmAttr;
566 ldb_debug(module->ldb, LDB_DEBUG_TRACE, "password_hash_add\n");
568 if (ldb_dn_is_special(req->op.add.message->dn)) { /* do not manipulate our control entries */
569 return ldb_next_request(module, req);
572 /* If the caller is manipulating the local passwords directly, let them pass */
573 if (ldb_dn_compare_base(module->ldb,
574 ldb_dn_explode(req, LOCAL_BASE),
575 req->op.add.message->dn) == 0) {
576 return ldb_next_request(module, req);
579 /* nobody must touch password Histories */
580 if (ldb_msg_find_element(req->op.add.message, "sambaNTPwdHistory") ||
581 ldb_msg_find_element(req->op.add.message, "sambaLMPwdHistory")) {
582 return LDB_ERR_UNWILLING_TO_PERFORM;
585 /* If no part of this ADD touches the sambaPassword, or the NT
586 * or LM hashes, then we don't need to make any changes. */
588 sambaAttr = ldb_msg_find_element(req->op.mod.message, "sambaPassword");
589 ntAttr = ldb_msg_find_element(req->op.mod.message, "ntPwdHash");
590 lmAttr = ldb_msg_find_element(req->op.mod.message, "lmPwdHash");
592 if ((!sambaAttr) && (!ntAttr) && (!lmAttr)) {
593 return ldb_next_request(module, req);
596 /* if it is not an entry of type person its an error */
597 /* TODO: remove this when sambaPassword will be in schema */
598 if (!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "person")) {
599 ldb_set_errstring(module->ldb, "Cannot set a password on entry that does not have objectClass 'person'");
600 return LDB_ERR_OBJECT_CLASS_VIOLATION;
603 /* check sambaPassword is single valued here */
604 /* TODO: remove this when sambaPassword will be single valued in schema */
605 if (sambaAttr && sambaAttr->num_values > 1) {
606 ldb_set_errstring(module->ldb, "mupltiple values for sambaPassword not allowed!\n");
607 return LDB_ERR_CONSTRAINT_VIOLATION;
610 if (ntAttr && (ntAttr->num_values > 1)) {
611 ldb_set_errstring(module->ldb, "mupltiple values for lmPwdHash not allowed!\n");
612 return LDB_ERR_CONSTRAINT_VIOLATION;
614 if (lmAttr && (lmAttr->num_values > 1)) {
615 ldb_set_errstring(module->ldb, "mupltiple values for lmPwdHash not allowed!\n");
616 return LDB_ERR_CONSTRAINT_VIOLATION;
619 h = ph_init_handle(req, module, PH_ADD);
621 return LDB_ERR_OPERATIONS_ERROR;
623 ac = talloc_get_type(h->private_data, struct ph_context);
625 /* get user domain data */
626 ac->domain_sid = samdb_result_sid_prefix(ac, req->op.add.message, "objectSid");
627 if (ac->domain_sid == NULL) {
628 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "can't handle entry with missing objectSid!\n");
629 return LDB_ERR_OPERATIONS_ERROR;
632 ret = build_domain_data_request(ac);
633 if (ret != LDB_SUCCESS) {
637 ac->step = PH_ADD_SEARCH_DOM;
641 return ldb_next_request(module, ac->dom_req);
644 static int password_hash_add_do_add(struct ldb_handle *h) {
646 struct ph_context *ac;
647 struct domain_data *domain;
648 struct smb_krb5_context *smb_krb5_context;
649 struct ldb_message_element *sambaAttr;
650 struct ldb_message *msg;
653 ac = talloc_get_type(h->private_data, struct ph_context);
655 domain = get_domain_data(ac->module, ac, ac->dom_res);
656 if (domain == NULL) {
657 return LDB_ERR_OPERATIONS_ERROR;
660 ac->down_req = talloc(ac, struct ldb_request);
661 if (ac->down_req == NULL) {
662 return LDB_ERR_OPERATIONS_ERROR;
665 *(ac->down_req) = *(ac->orig_req);
666 ac->down_req->op.add.message = msg = ldb_msg_copy_shallow(ac->down_req, ac->orig_req->op.add.message);
667 if (ac->down_req->op.add.message == NULL) {
668 return LDB_ERR_OPERATIONS_ERROR;
671 /* Some operations below require kerberos contexts */
672 if (smb_krb5_init_context(ac->down_req, &smb_krb5_context) != 0) {
673 return LDB_ERR_OPERATIONS_ERROR;
676 /* if we have sambaPassword in the original message add the operatio on it here */
677 sambaAttr = ldb_msg_find_element(msg, "sambaPassword");
679 ret = add_password_hashes(ac->module, msg, 0);
680 /* we can compute new password hashes from the unicode password */
681 if (ret != LDB_SUCCESS) {
685 /* now add krb5 keys based on unicode password */
686 ret = add_krb5_keys_from_password(ac->module, msg, smb_krb5_context, domain,
687 ldb_msg_find_attr_as_string(msg, "samAccountName", NULL),
688 ldb_msg_find_attr_as_string(msg, "userPrincipalName", NULL),
689 ldb_msg_check_string_attribute(msg, "objectClass", "computer"));
690 if (ret != LDB_SUCCESS) {
694 /* add also kr5 keys based on NT the hash */
695 ret = add_krb5_keys_from_NThash(ac->module, msg, smb_krb5_context);
696 if (ret != LDB_SUCCESS) {
700 /* if both the domain properties and the user account controls do not permit
701 * clear text passwords then wipe out the sambaPassword */
702 if ((!(domain->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT)) ||
703 (!(ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED))) {
704 ldb_msg_remove_attr(msg, "sambaPassword");
708 /* don't touch it if a value is set. It could be an incoming samsync */
709 if (ldb_msg_find_attr_as_uint64(msg, "pwdLastSet", 0) == 0) {
710 if (set_pwdLastSet(ac->module, msg, 0) != LDB_SUCCESS) {
711 return LDB_ERR_OPERATIONS_ERROR;
715 /* don't touch it if a value is set. It could be an incoming samsync */
716 if (!ldb_msg_find_element(msg, "msDS-KeyVersionNumber")) {
717 if (add_keyVersionNumber(ac->module, msg, 0) != LDB_SUCCESS) {
718 return LDB_ERR_OPERATIONS_ERROR;
722 h->state = LDB_ASYNC_INIT;
723 h->status = LDB_SUCCESS;
725 ac->step = PH_ADD_DO_ADD;
727 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->down_req);
729 /* perform the operation */
730 return ldb_next_request(ac->module, ac->down_req);
733 static int password_hash_mod_search_self(struct ldb_handle *h);
735 static int password_hash_modify(struct ldb_module *module, struct ldb_request *req)
737 struct ldb_handle *h;
738 struct ph_context *ac;
739 struct ldb_message_element *sambaAttr;
740 struct ldb_message_element *ntAttr;
741 struct ldb_message_element *lmAttr;
742 struct ldb_message *msg;
744 ldb_debug(module->ldb, LDB_DEBUG_TRACE, "password_hash_modify\n");
746 if (ldb_dn_is_special(req->op.mod.message->dn)) { /* do not manipulate our control entries */
747 return ldb_next_request(module, req);
750 /* If the caller is manipulating the local passwords directly, let them pass */
751 if (ldb_dn_compare_base(module->ldb,
752 ldb_dn_explode(req, LOCAL_BASE),
753 req->op.mod.message->dn) == 0) {
754 return ldb_next_request(module, req);
757 /* nobody must touch password Histories */
758 if (ldb_msg_find_element(req->op.mod.message, "sambaNTPwdHistory") ||
759 ldb_msg_find_element(req->op.mod.message, "sambaLMPwdHistory")) {
760 return LDB_ERR_UNWILLING_TO_PERFORM;
763 sambaAttr = ldb_msg_find_element(req->op.mod.message, "sambaPassword");
764 ntAttr = ldb_msg_find_element(req->op.mod.message, "ntPwdHash");
765 lmAttr = ldb_msg_find_element(req->op.mod.message, "lmPwdHash");
767 /* check passwords are single valued here */
768 /* TODO: remove this when passwords will be single valued in schema */
769 if (sambaAttr && (sambaAttr->num_values > 1)) {
770 return LDB_ERR_CONSTRAINT_VIOLATION;
772 if (ntAttr && (ntAttr->num_values > 1)) {
773 return LDB_ERR_CONSTRAINT_VIOLATION;
775 if (lmAttr && (lmAttr->num_values > 1)) {
776 return LDB_ERR_CONSTRAINT_VIOLATION;
779 /* If no part of this touches the sambaPassword OR ntPwdHash and/or lmPwdHash, then we don't
780 * need to make any changes. For password changes/set there should
781 * be a 'delete' or a 'modify' on this attribute. */
782 /* If the only operation is the deletion of the passwords then go on */
783 if ( ((!sambaAttr) || ((sambaAttr->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE))
784 && ((!ntAttr) || ((ntAttr->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE))
785 && ((!lmAttr) || ((lmAttr->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE)) ) {
787 return ldb_next_request(module, req);
790 h = ph_init_handle(req, module, PH_MOD);
792 return LDB_ERR_OPERATIONS_ERROR;
794 ac = talloc_get_type(h->private_data, struct ph_context);
796 /* return or own handle to deal with this call */
799 /* prepare the first operation */
800 ac->down_req = talloc_zero(ac, struct ldb_request);
801 if (ac->down_req == NULL) {
802 ldb_set_errstring(module->ldb, "Out of memory!");
803 return LDB_ERR_OPERATIONS_ERROR;
806 *(ac->down_req) = *req; /* copy the request */
808 /* use a new message structure so that we can modify it */
809 ac->down_req->op.mod.message = msg = ldb_msg_copy_shallow(ac->down_req, req->op.mod.message);
811 /* - remove any imodification to the password from the first commit
812 * we will make the real modification later */
813 if (sambaAttr) ldb_msg_remove_attr(msg, "sambaPassword");
814 if (ntAttr) ldb_msg_remove_attr(msg, "ntPwdHash");
815 if (lmAttr) ldb_msg_remove_attr(msg, "lmPwdHash");
817 /* if there was nothing else to be modify skip to next step */
818 if (msg->num_elements == 0) {
819 talloc_free(ac->down_req);
821 return password_hash_mod_search_self(h);
824 ac->down_req->context = NULL;
825 ac->down_req->callback = NULL;
827 ac->step = PH_MOD_DO_REQ;
829 ldb_set_timeout_from_prev_req(module->ldb, req, ac->down_req);
831 return ldb_next_request(module, ac->down_req);
834 static int get_self_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
836 struct ph_context *ac;
838 if (!context || !ares) {
839 ldb_set_errstring(ldb, "NULL Context or Result in callback");
840 return LDB_ERR_OPERATIONS_ERROR;
843 ac = talloc_get_type(context, struct ph_context);
845 /* we are interested only in the single reply (base search) we receive here */
846 if (ares->type == LDB_REPLY_ENTRY) {
847 if (ac->search_res != NULL) {
848 ldb_set_errstring(ldb, "Too many results");
850 return LDB_ERR_OPERATIONS_ERROR;
853 /* if it is not an entry of type person this is an error */
854 /* TODO: remove this when sambaPassword will be in schema */
855 if (!ldb_msg_check_string_attribute(ares->message, "objectClass", "person")) {
856 ldb_set_errstring(ldb, "Object class violation");
858 return LDB_ERR_OBJECT_CLASS_VIOLATION;
861 ac->search_res = talloc_steal(ac, ares);
869 static int password_hash_mod_search_self(struct ldb_handle *h) {
871 struct ph_context *ac;
872 static const char * const attrs[] = { "userAccountControl", "sambaLMPwdHistory",
874 "objectSid", "msDS-KeyVersionNumber",
875 "objectClass", "userPrincipalName",
877 "lmPwdHash", "ntPwdHash",
880 ac = talloc_get_type(h->private_data, struct ph_context);
882 /* prepare the search operation */
883 ac->search_req = talloc_zero(ac, struct ldb_request);
884 if (ac->search_req == NULL) {
885 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
886 return LDB_ERR_OPERATIONS_ERROR;
889 ac->search_req->operation = LDB_SEARCH;
890 ac->search_req->op.search.base = ac->orig_req->op.mod.message->dn;
891 ac->search_req->op.search.scope = LDB_SCOPE_BASE;
892 ac->search_req->op.search.tree = ldb_parse_tree(ac->module->ldb, NULL);
893 if (ac->search_req->op.search.tree == NULL) {
894 ldb_set_errstring(ac->module->ldb, "Invalid search filter");
895 return LDB_ERR_OPERATIONS_ERROR;
897 ac->search_req->op.search.attrs = attrs;
898 ac->search_req->controls = NULL;
899 ac->search_req->context = ac;
900 ac->search_req->callback = get_self_callback;
901 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->search_req);
903 ac->step = PH_MOD_SEARCH_SELF;
905 return ldb_next_request(ac->module, ac->search_req);
908 static int password_hash_mod_search_dom(struct ldb_handle *h) {
910 struct ph_context *ac;
913 ac = talloc_get_type(h->private_data, struct ph_context);
915 /* get object domain sid */
916 ac->domain_sid = samdb_result_sid_prefix(ac, ac->search_res->message, "objectSid");
917 if (ac->domain_sid == NULL) {
918 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "can't handle entry with missing objectSid!\n");
919 return LDB_ERR_OPERATIONS_ERROR;
922 /* get user domain data */
923 ret = build_domain_data_request(ac);
924 if (ret != LDB_SUCCESS) {
928 ac->step = PH_MOD_SEARCH_DOM;
930 return ldb_next_request(ac->module, ac->dom_req);
933 static int password_hash_mod_do_mod(struct ldb_handle *h) {
935 struct ph_context *ac;
936 struct domain_data *domain;
937 struct smb_krb5_context *smb_krb5_context;
938 struct ldb_message_element *sambaAttr;
939 struct ldb_message *msg;
942 BOOL added_hashes = False;
944 ac = talloc_get_type(h->private_data, struct ph_context);
946 domain = get_domain_data(ac->module, ac, ac->dom_res);
947 if (domain == NULL) {
948 return LDB_ERR_OPERATIONS_ERROR;
951 ac->mod_req = talloc(ac, struct ldb_request);
952 if (ac->mod_req == NULL) {
953 return LDB_ERR_OPERATIONS_ERROR;
956 *(ac->mod_req) = *(ac->orig_req);
958 /* use a new message structure so that we can modify it */
959 ac->mod_req->op.mod.message = msg = ldb_msg_new(ac->mod_req);
961 return LDB_ERR_OPERATIONS_ERROR;
965 msg->dn = ac->orig_req->op.mod.message->dn;
967 /* Some operations below require kerberos contexts */
968 if (smb_krb5_init_context(ac->mod_req, &smb_krb5_context) != 0) {
969 return LDB_ERR_OPERATIONS_ERROR;
972 /* we are going to replace the existing krb5key or delete it */
973 if (ldb_msg_add_empty(msg, "krb5key", LDB_FLAG_MOD_REPLACE) != 0) {
974 return LDB_ERR_OPERATIONS_ERROR;
977 /* if we have sambaPassword in the original message add the operation on it here */
978 sambaAttr = ldb_msg_find_element(ac->orig_req->op.mod.message, "sambaPassword");
981 if (ldb_msg_add(msg, sambaAttr, sambaAttr->flags) != 0) {
982 return LDB_ERR_OPERATIONS_ERROR;
985 /* if we are actually settting a new unicode password,
986 * use it to generate the password hashes */
987 if (((sambaAttr->flags & LDB_FLAG_MOD_MASK) != LDB_FLAG_MOD_DELETE)
988 && (sambaAttr->num_values == 1)) {
989 /* we can compute new password hashes from the unicode password */
990 ret = add_password_hashes(ac->module, msg, 1);
991 if (ret != LDB_SUCCESS) {
997 /* now add krb5 keys based on unicode password */
998 ret = add_krb5_keys_from_password(ac->module, msg, smb_krb5_context, domain,
999 ldb_msg_find_attr_as_string(ac->search_res->message, "samAccountName", NULL),
1000 ldb_msg_find_attr_as_string(ac->search_res->message, "userPrincipalName", NULL),
1001 ldb_msg_check_string_attribute(ac->search_res->message, "objectClass", "computer"));
1003 if (ret != LDB_SUCCESS) {
1007 /* if the domain properties or the user account controls do not permit
1008 * clear text passwords then wipe out the sambaPassword */
1009 if ((!(domain->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT)) ||
1010 (!(ldb_msg_find_attr_as_uint(ac->search_res->message, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED))) {
1011 ldb_msg_remove_attr(msg, "sambaPassword");
1017 /* if we didn't create the hashes above, try using values supplied directly */
1018 if (!added_hashes) {
1019 struct ldb_message_element *el;
1021 el = ldb_msg_find_element(ac->orig_req->op.mod.message, "ntPwdHash");
1022 if (ldb_msg_add(msg, el, el->flags) != 0) {
1023 return LDB_ERR_OPERATIONS_ERROR;
1026 el = ldb_msg_find_element(ac->orig_req->op.mod.message, "lmPwdHash");
1027 if (ldb_msg_add(msg, el, el->flags) != 0) {
1028 return LDB_ERR_OPERATIONS_ERROR;
1032 /* add also krb5 keys based on NT the hash */
1033 if (add_krb5_keys_from_NThash(ac->module, msg, smb_krb5_context) != LDB_SUCCESS) {
1034 return LDB_ERR_OPERATIONS_ERROR;
1037 /* set change time */
1038 if (set_pwdLastSet(ac->module, msg, 1) != LDB_SUCCESS) {
1039 return LDB_ERR_OPERATIONS_ERROR;
1042 /* don't touch it if a value is set. It could be an incoming samsync */
1043 if (!ldb_msg_find_element(ac->orig_req->op.mod.message,
1044 "msDS-KeyVersionNumber")) {
1045 if (add_keyVersionNumber(ac->module, msg,
1046 ldb_msg_find_attr_as_uint(ac->search_res->message,
1047 "msDS-KeyVersionNumber", 0)
1049 return LDB_ERR_OPERATIONS_ERROR;
1053 if ((phlen = samdb_result_uint(ac->dom_res->message, "pwdHistoryLength", 0)) > 0) {
1054 if (setPwdHistory(ac->module, msg, ac->search_res->message, phlen) != LDB_SUCCESS) {
1055 return LDB_ERR_OPERATIONS_ERROR;
1059 h->state = LDB_ASYNC_INIT;
1060 h->status = LDB_SUCCESS;
1062 ac->step = PH_MOD_DO_MOD;
1064 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->mod_req);
1066 /* perform the search */
1067 return ldb_next_request(ac->module, ac->mod_req);
1070 static int ph_wait(struct ldb_handle *handle) {
1071 struct ph_context *ac;
1074 if (!handle || !handle->private_data) {
1075 return LDB_ERR_OPERATIONS_ERROR;
1078 if (handle->state == LDB_ASYNC_DONE) {
1079 return handle->status;
1082 handle->state = LDB_ASYNC_PENDING;
1083 handle->status = LDB_SUCCESS;
1085 ac = talloc_get_type(handle->private_data, struct ph_context);
1088 case PH_ADD_SEARCH_DOM:
1089 ret = ldb_wait(ac->dom_req->handle, LDB_WAIT_NONE);
1091 if (ret != LDB_SUCCESS) {
1092 handle->status = ret;
1095 if (ac->dom_req->handle->status != LDB_SUCCESS) {
1096 handle->status = ac->dom_req->handle->status;
1100 if (ac->dom_req->handle->state != LDB_ASYNC_DONE) {
1104 /* domain search done, go on */
1105 return password_hash_add_do_add(handle);
1108 ret = ldb_wait(ac->down_req->handle, LDB_WAIT_NONE);
1110 if (ret != LDB_SUCCESS) {
1111 handle->status = ret;
1114 if (ac->down_req->handle->status != LDB_SUCCESS) {
1115 handle->status = ac->down_req->handle->status;
1119 if (ac->down_req->handle->state != LDB_ASYNC_DONE) {
1126 ret = ldb_wait(ac->down_req->handle, LDB_WAIT_NONE);
1128 if (ret != LDB_SUCCESS) {
1129 handle->status = ret;
1132 if (ac->down_req->handle->status != LDB_SUCCESS) {
1133 handle->status = ac->down_req->handle->status;
1137 if (ac->down_req->handle->state != LDB_ASYNC_DONE) {
1141 /* non-password mods done, go on */
1142 return password_hash_mod_search_self(handle);
1144 case PH_MOD_SEARCH_SELF:
1145 ret = ldb_wait(ac->search_req->handle, LDB_WAIT_NONE);
1147 if (ret != LDB_SUCCESS) {
1148 handle->status = ret;
1151 if (ac->search_req->handle->status != LDB_SUCCESS) {
1152 handle->status = ac->search_req->handle->status;
1156 if (ac->search_req->handle->state != LDB_ASYNC_DONE) {
1160 /* self search done, go on */
1161 return password_hash_mod_search_dom(handle);
1163 case PH_MOD_SEARCH_DOM:
1164 ret = ldb_wait(ac->dom_req->handle, LDB_WAIT_NONE);
1166 if (ret != LDB_SUCCESS) {
1167 handle->status = ret;
1170 if (ac->dom_req->handle->status != LDB_SUCCESS) {
1171 handle->status = ac->dom_req->handle->status;
1175 if (ac->dom_req->handle->state != LDB_ASYNC_DONE) {
1179 /* domain search done, go on */
1180 return password_hash_mod_do_mod(handle);
1183 ret = ldb_wait(ac->mod_req->handle, LDB_WAIT_NONE);
1185 if (ret != LDB_SUCCESS) {
1186 handle->status = ret;
1189 if (ac->mod_req->handle->status != LDB_SUCCESS) {
1190 handle->status = ac->mod_req->handle->status;
1194 if (ac->mod_req->handle->state != LDB_ASYNC_DONE) {
1201 ret = LDB_ERR_OPERATIONS_ERROR;
1208 handle->state = LDB_ASYNC_DONE;
1212 static int ph_wait_all(struct ldb_handle *handle) {
1216 while (handle->state != LDB_ASYNC_DONE) {
1217 ret = ph_wait(handle);
1218 if (ret != LDB_SUCCESS) {
1223 return handle->status;
1226 static int password_hash_wait(struct ldb_handle *handle, enum ldb_wait_type type)
1228 if (type == LDB_WAIT_ALL) {
1229 return ph_wait_all(handle);
1231 return ph_wait(handle);
1235 static const struct ldb_module_ops password_hash_ops = {
1236 .name = "password_hash",
1237 .add = password_hash_add,
1238 .modify = password_hash_modify,
1239 .wait = password_hash_wait
1243 int password_hash_module_init(void)
1245 return ldb_register_module(&password_hash_ops);