4 Copyright (C) Simo Sorce 2004-2006
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2006
6 Copyright (C) Andrew Tridgell 2004
7 Copyright (C) Stefan Metzmacher 2007
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
26 * Component: ldb password_hash module
28 * Description: correctly update hash values based on changes to userPassword and friends
30 * Author: Andrew Bartlett
31 * Author: Stefan Metzmacher
35 #include "libcli/ldap/ldap_ndr.h"
36 #include "ldb/include/ldb_errors.h"
37 #include "ldb/include/ldb.h"
38 #include "ldb/include/ldb_private.h"
39 #include "librpc/gen_ndr/misc.h"
40 #include "librpc/gen_ndr/samr.h"
41 #include "libcli/auth/libcli_auth.h"
42 #include "libcli/security/security.h"
43 #include "system/kerberos.h"
44 #include "auth/kerberos/kerberos.h"
45 #include "system/time.h"
46 #include "dsdb/samdb/samdb.h"
47 #include "dsdb/common/flags.h"
48 #include "dsdb/samdb/ldb_modules/password_modules.h"
49 #include "librpc/ndr/libndr.h"
50 #include "librpc/gen_ndr/ndr_drsblobs.h"
51 #include "lib/crypto/crypto.h"
52 #include "param/param.h"
54 /* If we have decided there is reason to work on this request, then
55 * setup all the password hash types correctly.
57 * If the administrator doesn't want the userPassword stored (set in the
58 * domain and per-account policies) then we must strip that out before
59 * we do the first operation.
61 * Once this is done (which could update anything at all), we
62 * calculate the password hashes.
64 * This function must not only update the unicodePwd, dBCSPwd and
65 * supplementalCredentials fields, it must also atomicly increment the
66 * msDS-KeyVersionNumber. We should be in a transaction, so all this
67 * should be quite safe...
69 * Finally, if the administrator has requested that a password history
70 * be maintained, then this should also be written out.
76 enum ph_type {PH_ADD, PH_MOD} type;
77 enum ph_step {PH_ADD_SEARCH_DOM, PH_ADD_DO_ADD, PH_MOD_DO_REQ, PH_MOD_SEARCH_SELF, PH_MOD_SEARCH_DOM, PH_MOD_DO_MOD} step;
79 struct ldb_module *module;
80 struct ldb_request *orig_req;
82 struct ldb_request *dom_req;
83 struct ldb_reply *dom_res;
85 struct ldb_request *down_req;
87 struct ldb_request *search_req;
88 struct ldb_reply *search_res;
90 struct ldb_request *mod_req;
92 struct dom_sid *domain_sid;
98 uint_t pwdHistoryLength;
104 struct setup_password_fields_io {
105 struct ph_context *ac;
106 struct domain_data *domain;
107 struct smb_krb5_context *smb_krb5_context;
109 /* infos about the user account */
111 uint32_t user_account_control;
112 const char *sAMAccountName;
113 const char *user_principal_name;
117 /* new credentials */
119 const char *cleartext;
120 struct samr_Password *nt_hash;
121 struct samr_Password *lm_hash;
124 /* old credentials */
126 uint32_t nt_history_len;
127 struct samr_Password *nt_history;
128 uint32_t lm_history_len;
129 struct samr_Password *lm_history;
130 const struct ldb_val *supplemental;
131 struct supplementalCredentialsBlob scb;
135 /* generated credentials */
137 struct samr_Password *nt_hash;
138 struct samr_Password *lm_hash;
139 uint32_t nt_history_len;
140 struct samr_Password *nt_history;
141 uint32_t lm_history_len;
142 struct samr_Password *lm_history;
146 struct ldb_val supplemental;
152 static int setup_nt_fields(struct setup_password_fields_io *io)
156 io->g.nt_hash = io->n.nt_hash;
158 if (io->domain->pwdHistoryLength == 0) {
162 /* We might not have an old NT password */
163 io->g.nt_history = talloc_array(io->ac,
164 struct samr_Password,
165 io->domain->pwdHistoryLength);
166 if (!io->g.nt_history) {
167 ldb_oom(io->ac->module->ldb);
168 return LDB_ERR_OPERATIONS_ERROR;
171 for (i = 0; i < MIN(io->domain->pwdHistoryLength-1, io->o.nt_history_len); i++) {
172 io->g.nt_history[i+1] = io->o.nt_history[i];
174 io->g.nt_history_len = i + 1;
177 io->g.nt_history[0] = *io->g.nt_hash;
180 * TODO: is this correct?
181 * the simular behavior is correct for the lm history case
183 E_md4hash("", io->g.nt_history[0].hash);
189 static int setup_lm_fields(struct setup_password_fields_io *io)
193 io->g.lm_hash = io->n.lm_hash;
195 if (io->domain->pwdHistoryLength == 0) {
199 /* We might not have an old NT password */
200 io->g.lm_history = talloc_array(io->ac,
201 struct samr_Password,
202 io->domain->pwdHistoryLength);
203 if (!io->g.lm_history) {
204 ldb_oom(io->ac->module->ldb);
205 return LDB_ERR_OPERATIONS_ERROR;
208 for (i = 0; i < MIN(io->domain->pwdHistoryLength-1, io->o.lm_history_len); i++) {
209 io->g.lm_history[i+1] = io->o.lm_history[i];
211 io->g.lm_history_len = i + 1;
214 io->g.lm_history[0] = *io->g.lm_hash;
216 E_deshash("", io->g.lm_history[0].hash);
222 static int setup_kerberos_keys(struct setup_password_fields_io *io)
224 krb5_error_code krb5_ret;
225 Principal *salt_principal;
229 /* Many, many thanks to lukeh@padl.com for this
230 * algorithm, described in his Nov 10 2004 mail to
231 * samba-technical@samba.org */
234 * Determine a salting principal
236 if (io->u.is_computer) {
240 name = talloc_strdup(io->ac, io->u.sAMAccountName);
242 ldb_oom(io->ac->module->ldb);
243 return LDB_ERR_OPERATIONS_ERROR;
246 if (name[strlen(name)-1] == '$') {
247 name[strlen(name)-1] = '\0';
250 saltbody = talloc_asprintf(io->ac, "%s.%s", name, io->domain->dns_domain);
252 ldb_oom(io->ac->module->ldb);
253 return LDB_ERR_OPERATIONS_ERROR;
256 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
258 io->domain->realm, "host",
260 } else if (io->u.user_principal_name) {
261 char *user_principal_name;
264 user_principal_name = talloc_strdup(io->ac, io->u.user_principal_name);
265 if (!user_principal_name) {
266 ldb_oom(io->ac->module->ldb);
267 return LDB_ERR_OPERATIONS_ERROR;
270 p = strchr(user_principal_name, '@');
275 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
277 io->domain->realm, user_principal_name,
280 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
282 io->domain->realm, io->u.sAMAccountName,
286 ldb_asprintf_errstring(io->ac->module->ldb,
287 "setup_kerberos_keys: "
288 "generation of a salting principal failed: %s",
289 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
290 return LDB_ERR_OPERATIONS_ERROR;
294 * create salt from salt_principal
296 krb5_ret = krb5_get_pw_salt(io->smb_krb5_context->krb5_context,
297 salt_principal, &salt);
298 krb5_free_principal(io->smb_krb5_context->krb5_context, salt_principal);
300 ldb_asprintf_errstring(io->ac->module->ldb,
301 "setup_kerberos_keys: "
302 "generation of krb5_salt failed: %s",
303 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
304 return LDB_ERR_OPERATIONS_ERROR;
306 /* create a talloc copy */
307 io->g.salt = talloc_strndup(io->ac,
309 salt.saltvalue.length);
310 krb5_free_salt(io->smb_krb5_context->krb5_context, salt);
312 ldb_oom(io->ac->module->ldb);
313 return LDB_ERR_OPERATIONS_ERROR;
315 salt.saltvalue.data = discard_const(io->g.salt);
316 salt.saltvalue.length = strlen(io->g.salt);
319 * create ENCTYPE_DES_CBC_MD5 key out of
320 * the salt and the cleartext password
322 krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
328 ldb_asprintf_errstring(io->ac->module->ldb,
329 "setup_kerberos_keys: "
330 "generation of a des-cbc-md5 key failed: %s",
331 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
332 return LDB_ERR_OPERATIONS_ERROR;
334 io->g.des_md5 = data_blob_talloc(io->ac,
336 key.keyvalue.length);
337 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
338 if (!io->g.des_md5.data) {
339 ldb_oom(io->ac->module->ldb);
340 return LDB_ERR_OPERATIONS_ERROR;
344 * create ENCTYPE_DES_CBC_CRC key out of
345 * the salt and the cleartext password
347 krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
353 ldb_asprintf_errstring(io->ac->module->ldb,
354 "setup_kerberos_keys: "
355 "generation of a des-cbc-crc key failed: %s",
356 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
357 return LDB_ERR_OPERATIONS_ERROR;
359 io->g.des_crc = data_blob_talloc(io->ac,
361 key.keyvalue.length);
362 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
363 if (!io->g.des_crc.data) {
364 ldb_oom(io->ac->module->ldb);
365 return LDB_ERR_OPERATIONS_ERROR;
371 static int setup_primary_kerberos(struct setup_password_fields_io *io,
372 const struct supplementalCredentialsBlob *old_scb,
373 struct package_PrimaryKerberosBlob *pkb)
375 struct package_PrimaryKerberosCtr3 *pkb3 = &pkb->ctr.ctr3;
376 struct supplementalCredentialsPackage *old_scp = NULL;
377 struct package_PrimaryKerberosBlob _old_pkb;
378 struct package_PrimaryKerberosCtr3 *old_pkb3 = NULL;
380 enum ndr_err_code ndr_err;
383 * prepare generation of keys
385 * ENCTYPE_DES_CBC_MD5
386 * ENCTYPE_DES_CBC_CRC
388 pkb3->salt.string = io->g.salt;
390 pkb3->keys = talloc_array(io->ac,
391 struct package_PrimaryKerberosKey,
394 ldb_oom(io->ac->module->ldb);
395 return LDB_ERR_OPERATIONS_ERROR;
398 pkb3->keys[0].keytype = ENCTYPE_DES_CBC_MD5;
399 pkb3->keys[0].value = &io->g.des_md5;
400 pkb3->keys[1].keytype = ENCTYPE_DES_CBC_CRC;
401 pkb3->keys[1].value = &io->g.des_crc;
403 /* initialize the old keys to zero */
404 pkb3->num_old_keys = 0;
405 pkb3->old_keys = NULL;
407 /* if there're no old keys, then we're done */
412 for (i=0; i < old_scb->sub.num_packages; i++) {
413 if (strcmp("Primary:Kerberos", old_scb->sub.packages[i].name) != 0) {
417 if (!old_scb->sub.packages[i].data || !old_scb->sub.packages[i].data[0]) {
421 old_scp = &old_scb->sub.packages[i];
424 /* Primary:Kerberos element of supplementalCredentials */
428 blob = strhex_to_data_blob(old_scp->data);
430 ldb_oom(io->ac->module->ldb);
431 return LDB_ERR_OPERATIONS_ERROR;
433 talloc_steal(io->ac, blob.data);
435 /* TODO: use ndr_pull_struct_blob_all(), when the ndr layer handles it correct with relative pointers */
436 ndr_err = ndr_pull_struct_blob(&blob, io->ac, lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")), &_old_pkb,
437 (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
438 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
439 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
440 ldb_asprintf_errstring(io->ac->module->ldb,
441 "setup_primary_kerberos: "
442 "failed to pull old package_PrimaryKerberosBlob: %s",
444 return LDB_ERR_OPERATIONS_ERROR;
447 if (_old_pkb.version != 3) {
448 ldb_asprintf_errstring(io->ac->module->ldb,
449 "setup_primary_kerberos: "
450 "package_PrimaryKerberosBlob version[%u] expected[3]",
452 return LDB_ERR_OPERATIONS_ERROR;
455 old_pkb3 = &_old_pkb.ctr.ctr3;
458 /* if we didn't found the old keys we're done */
463 /* fill in the old keys */
464 pkb3->num_old_keys = old_pkb3->num_keys;
465 pkb3->old_keys = old_pkb3->keys;
470 static int setup_primary_wdigest(struct setup_password_fields_io *io,
471 const struct supplementalCredentialsBlob *old_scb,
472 struct package_PrimaryWDigestBlob *pdb)
474 DATA_BLOB sAMAccountName;
475 DATA_BLOB sAMAccountName_l;
476 DATA_BLOB sAMAccountName_u;
477 const char *user_principal_name = io->u.user_principal_name;
478 DATA_BLOB userPrincipalName;
479 DATA_BLOB userPrincipalName_l;
480 DATA_BLOB userPrincipalName_u;
481 DATA_BLOB netbios_domain;
482 DATA_BLOB netbios_domain_l;
483 DATA_BLOB netbios_domain_u;
484 DATA_BLOB dns_domain;
485 DATA_BLOB dns_domain_l;
486 DATA_BLOB dns_domain_u;
499 * http://technet2.microsoft.com/WindowsServer/en/library/717b450c-f4a0-4cc9-86f4-cc0633aae5f91033.mspx?mfr=true
500 * for what precalculated hashes are supposed to be stored...
502 * I can't reproduce all values which should contain "Digest" as realm,
503 * am I doing something wrong or is w2k3 just broken...?
505 * W2K3 fills in following for a user:
507 * dn: CN=NewUser,OU=newtop,DC=sub1,DC=w2k3,DC=vmnet1,DC=vm,DC=base
508 * sAMAccountName: NewUser2Sam
509 * userPrincipalName: NewUser2Princ@sub1.w2k3.vmnet1.vm.base
511 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
512 * b7ec9da91062199aee7d121e6710fe23 => newuser2sam:sub1:TestPwd2007
513 * 17d290bc5c9f463fac54c37a8cea134d => NEWUSER2SAM:SUB1:TestPwd2007
514 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
515 * 5d57e7823938348127322e08cd81bcb5 => NewUser2Sam:sub1:TestPwd2007
516 * 07dd701bf8a011ece585de3d47237140 => NEWUSER2SAM:sub1:TestPwd2007
517 * e14fb0eb401498d2cb33c9aae1cc7f37 => newuser2sam:SUB1:TestPwd2007
518 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
519 * f52da1266a6bdd290ffd48b2c823dda7 => newuser2sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
520 * d2b42f171248cec37a3c5c6b55404062 => NEWUSER2SAM:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
521 * fff8d790ff6c152aaeb6ebe17b4021de => NewUser2Sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
522 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
523 * 2a7563c3715bc418d626dabef378c008 => NEWUSER2SAM:sub1.w2k3.vmnet1.vm.base:TestPwd2007
524 * c8e9557a87cd4200fda0c11d2fa03f96 => newuser2sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
525 * 221c55284451ae9b3aacaa2a3c86f10f => NewUser2Princ@sub1.w2k3.vmnet1.vm.base::TestPwd2007
526 * 74e1be668853d4324d38c07e2acfb8ea => (w2k3 has a bug here!) newuser2princ@sub1.w2k3.vmnet1.vm.base::TestPwd2007
527 * e1e244ab7f098e3ae1761be7f9229bbb => NEWUSER2PRINC@SUB1.W2K3.VMNET1.VM.BASE::TestPwd2007
528 * 86db637df42513039920e605499c3af6 => SUB1\NewUser2Sam::TestPwd2007
529 * f5e43474dfaf067fee8197a253debaa2 => sub1\newuser2sam::TestPwd2007
530 * 2ecaa8382e2518e4b77a52422b279467 => SUB1\NEWUSER2SAM::TestPwd2007
531 * 31dc704d3640335b2123d4ee28aa1f11 => ??? changes with NewUser2Sam => NewUser1Sam
532 * 36349f5cecd07320fb3bb0e119230c43 => ??? changes with NewUser2Sam => NewUser1Sam
533 * 12adf019d037fb535c01fd0608e78d9d => ??? changes with NewUser2Sam => NewUser1Sam
534 * 6feecf8e724906f3ee1105819c5105a1 => ??? changes with NewUser2Princ => NewUser1Princ
535 * 6c6911f3de6333422640221b9c51ff1f => ??? changes with NewUser2Princ => NewUser1Princ
536 * 4b279877e742895f9348ac67a8de2f69 => ??? changes with NewUser2Princ => NewUser1Princ
537 * db0c6bff069513e3ebb9870d29b57490 => ??? changes with NewUser2Sam => NewUser1Sam
538 * 45072621e56b1c113a4e04a8ff68cd0e => ??? changes with NewUser2Sam => NewUser1Sam
539 * 11d1220abc44a9c10cf91ef4a9c1de02 => ??? changes with NewUser2Sam => NewUser1Sam
541 * dn: CN=NewUser,OU=newtop,DC=sub1,DC=w2k3,DC=vmnet1,DC=vm,DC=base
542 * sAMAccountName: NewUser2Sam
544 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
545 * b7ec9da91062199aee7d121e6710fe23 => newuser2sam:sub1:TestPwd2007
546 * 17d290bc5c9f463fac54c37a8cea134d => NEWUSER2SAM:SUB1:TestPwd2007
547 * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
548 * 5d57e7823938348127322e08cd81bcb5 => NewUser2Sam:sub1:TestPwd2007
549 * 07dd701bf8a011ece585de3d47237140 => NEWUSER2SAM:sub1:TestPwd2007
550 * e14fb0eb401498d2cb33c9aae1cc7f37 => newuser2sam:SUB1:TestPwd2007
551 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
552 * f52da1266a6bdd290ffd48b2c823dda7 => newuser2sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
553 * d2b42f171248cec37a3c5c6b55404062 => NEWUSER2SAM:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
554 * fff8d790ff6c152aaeb6ebe17b4021de => NewUser2Sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
555 * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
556 * 2a7563c3715bc418d626dabef378c008 => NEWUSER2SAM:sub1.w2k3.vmnet1.vm.base:TestPwd2007
557 * c8e9557a87cd4200fda0c11d2fa03f96 => newuser2sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
558 * 8a140d30b6f0a5912735dc1e3bc993b4 => NewUser2Sam@sub1.w2k3.vmnet1.vm.base::TestPwd2007
559 * 86d95b2faae6cae4ec261e7fbaccf093 => (here w2k3 is correct) newuser2sam@sub1.w2k3.vmnet1.vm.base::TestPwd2007
560 * dfeff1493110220efcdfc6362e5f5450 => NEWUSER2SAM@SUB1.W2K3.VMNET1.VM.BASE::TestPwd2007
561 * 86db637df42513039920e605499c3af6 => SUB1\NewUser2Sam::TestPwd2007
562 * f5e43474dfaf067fee8197a253debaa2 => sub1\newuser2sam::TestPwd2007
563 * 2ecaa8382e2518e4b77a52422b279467 => SUB1\NEWUSER2SAM::TestPwd2007
564 * 31dc704d3640335b2123d4ee28aa1f11 => ???M1 changes with NewUser2Sam => NewUser1Sam
565 * 36349f5cecd07320fb3bb0e119230c43 => ???M1.L changes with newuser2sam => newuser1sam
566 * 12adf019d037fb535c01fd0608e78d9d => ???M1.U changes with NEWUSER2SAM => NEWUSER1SAM
567 * 569b4533f2d9e580211dd040e5e360a8 => ???M2 changes with NewUser2Princ => NewUser1Princ
568 * 52528bddf310a587c5d7e6a9ae2cbb20 => ???M2.L changes with newuser2princ => newuser1princ
569 * 4f629a4f0361289ca4255ab0f658fcd5 => ???M3 changes with NewUser2Princ => NewUser1Princ (doesn't depend on case of userPrincipal )
570 * db0c6bff069513e3ebb9870d29b57490 => ???M4 changes with NewUser2Sam => NewUser1Sam
571 * 45072621e56b1c113a4e04a8ff68cd0e => ???M5 changes with NewUser2Sam => NewUser1Sam (doesn't depend on case of sAMAccountName)
572 * 11d1220abc44a9c10cf91ef4a9c1de02 => ???M4.U changes with NEWUSER2SAM => NEWUSER1SAM
576 * sAMAccountName, netbios_domain
579 .user = &sAMAccountName,
580 .realm = &netbios_domain,
583 .user = &sAMAccountName_l,
584 .realm = &netbios_domain_l,
587 .user = &sAMAccountName_u,
588 .realm = &netbios_domain_u,
591 .user = &sAMAccountName,
592 .realm = &netbios_domain_u,
595 .user = &sAMAccountName,
596 .realm = &netbios_domain_l,
599 .user = &sAMAccountName_u,
600 .realm = &netbios_domain_l,
603 .user = &sAMAccountName_l,
604 .realm = &netbios_domain_u,
607 * sAMAccountName, dns_domain
610 .user = &sAMAccountName,
611 .realm = &dns_domain,
614 .user = &sAMAccountName_l,
615 .realm = &dns_domain_l,
618 .user = &sAMAccountName_u,
619 .realm = &dns_domain_u,
622 .user = &sAMAccountName,
623 .realm = &dns_domain_u,
626 .user = &sAMAccountName,
627 .realm = &dns_domain_l,
630 .user = &sAMAccountName_u,
631 .realm = &dns_domain_l,
634 .user = &sAMAccountName_l,
635 .realm = &dns_domain_u,
638 * userPrincipalName, no realm
641 .user = &userPrincipalName,
645 * NOTE: w2k3 messes this up, if the user has a real userPrincipalName,
646 * the fallback to the sAMAccountName based userPrincipalName is correct
648 .user = &userPrincipalName_l,
651 .user = &userPrincipalName_u,
654 * nt4dom\sAMAccountName, no realm
657 .user = &sAMAccountName,
658 .nt4dom = &netbios_domain
661 .user = &sAMAccountName_l,
662 .nt4dom = &netbios_domain_l
665 .user = &sAMAccountName_u,
666 .nt4dom = &netbios_domain_u
670 * the following ones are guessed depending on the technet2 article
671 * but not reproducable on a w2k3 server
673 /* sAMAccountName with "Digest" realm */
675 .user = &sAMAccountName,
679 .user = &sAMAccountName_l,
683 .user = &sAMAccountName_u,
686 /* userPrincipalName with "Digest" realm */
688 .user = &userPrincipalName,
692 .user = &userPrincipalName_l,
696 .user = &userPrincipalName_u,
699 /* nt4dom\\sAMAccountName with "Digest" realm */
701 .user = &sAMAccountName,
702 .nt4dom = &netbios_domain,
706 .user = &sAMAccountName_l,
707 .nt4dom = &netbios_domain_l,
711 .user = &sAMAccountName_u,
712 .nt4dom = &netbios_domain_u,
717 /* prepare DATA_BLOB's used in the combinations array */
718 sAMAccountName = data_blob_string_const(io->u.sAMAccountName);
719 sAMAccountName_l = data_blob_string_const(strlower_talloc(io->ac, io->u.sAMAccountName));
720 if (!sAMAccountName_l.data) {
721 ldb_oom(io->ac->module->ldb);
722 return LDB_ERR_OPERATIONS_ERROR;
724 sAMAccountName_u = data_blob_string_const(strupper_talloc(io->ac, io->u.sAMAccountName));
725 if (!sAMAccountName_u.data) {
726 ldb_oom(io->ac->module->ldb);
727 return LDB_ERR_OPERATIONS_ERROR;
730 /* if the user doesn't have a userPrincipalName, create one (with lower case realm) */
731 if (!user_principal_name) {
732 user_principal_name = talloc_asprintf(io->ac, "%s@%s",
733 io->u.sAMAccountName,
734 io->domain->dns_domain);
735 if (!user_principal_name) {
736 ldb_oom(io->ac->module->ldb);
737 return LDB_ERR_OPERATIONS_ERROR;
740 userPrincipalName = data_blob_string_const(user_principal_name);
741 userPrincipalName_l = data_blob_string_const(strlower_talloc(io->ac, user_principal_name));
742 if (!userPrincipalName_l.data) {
743 ldb_oom(io->ac->module->ldb);
744 return LDB_ERR_OPERATIONS_ERROR;
746 userPrincipalName_u = data_blob_string_const(strupper_talloc(io->ac, user_principal_name));
747 if (!userPrincipalName_u.data) {
748 ldb_oom(io->ac->module->ldb);
749 return LDB_ERR_OPERATIONS_ERROR;
752 netbios_domain = data_blob_string_const(io->domain->netbios_domain);
753 netbios_domain_l = data_blob_string_const(strlower_talloc(io->ac, io->domain->netbios_domain));
754 if (!netbios_domain_l.data) {
755 ldb_oom(io->ac->module->ldb);
756 return LDB_ERR_OPERATIONS_ERROR;
758 netbios_domain_u = data_blob_string_const(strupper_talloc(io->ac, io->domain->netbios_domain));
759 if (!netbios_domain_u.data) {
760 ldb_oom(io->ac->module->ldb);
761 return LDB_ERR_OPERATIONS_ERROR;
764 dns_domain = data_blob_string_const(io->domain->dns_domain);
765 dns_domain_l = data_blob_string_const(io->domain->dns_domain);
766 dns_domain_u = data_blob_string_const(io->domain->realm);
768 cleartext = data_blob_string_const(io->n.cleartext);
770 digest = data_blob_string_const("Digest");
772 delim = data_blob_string_const(":");
773 backslash = data_blob_string_const("\\");
775 pdb->num_hashes = ARRAY_SIZE(wdigest);
776 pdb->hashes = talloc_array(io->ac, struct package_PrimaryWDigestHash, pdb->num_hashes);
778 ldb_oom(io->ac->module->ldb);
779 return LDB_ERR_OPERATIONS_ERROR;
782 for (i=0; i < ARRAY_SIZE(wdigest); i++) {
783 struct MD5Context md5;
785 if (wdigest[i].nt4dom) {
786 MD5Update(&md5, wdigest[i].nt4dom->data, wdigest[i].nt4dom->length);
787 MD5Update(&md5, backslash.data, backslash.length);
789 MD5Update(&md5, wdigest[i].user->data, wdigest[i].user->length);
790 MD5Update(&md5, delim.data, delim.length);
791 if (wdigest[i].realm) {
792 MD5Update(&md5, wdigest[i].realm->data, wdigest[i].realm->length);
794 MD5Update(&md5, delim.data, delim.length);
795 MD5Update(&md5, cleartext.data, cleartext.length);
796 MD5Final(pdb->hashes[i].hash, &md5);
802 static int setup_supplemental_field(struct setup_password_fields_io *io)
804 struct supplementalCredentialsBlob scb;
805 struct supplementalCredentialsBlob _old_scb;
806 struct supplementalCredentialsBlob *old_scb = NULL;
807 /* Packages + (Kerberos, WDigest and CLEARTEXT) */
808 uint32_t num_names = 0;
809 const char *names[1+3];
810 uint32_t num_packages = 0;
811 struct supplementalCredentialsPackage packages[1+3];
813 struct supplementalCredentialsPackage *pp = NULL;
814 struct package_PackagesBlob pb;
817 /* Primary:Kerberos */
818 const char **nk = NULL;
819 struct supplementalCredentialsPackage *pk = NULL;
820 struct package_PrimaryKerberosBlob pkb;
823 /* Primary:WDigest */
824 const char **nd = NULL;
825 struct supplementalCredentialsPackage *pd = NULL;
826 struct package_PrimaryWDigestBlob pdb;
829 /* Primary:CLEARTEXT */
830 const char **nc = NULL;
831 struct supplementalCredentialsPackage *pc = NULL;
832 struct package_PrimaryCLEARTEXTBlob pcb;
836 enum ndr_err_code ndr_err;
838 bool do_cleartext = false;
843 if (!io->n.cleartext) {
845 * when we don't have a cleartext password
846 * we can't setup a supplementalCredential value
851 /* if there's an old supplementaCredentials blob then parse it */
852 if (io->o.supplemental) {
853 ndr_err = ndr_pull_struct_blob_all(io->o.supplemental, io->ac,
854 lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
856 (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
857 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
858 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
859 ldb_asprintf_errstring(io->ac->module->ldb,
860 "setup_supplemental_field: "
861 "failed to pull old supplementalCredentialsBlob: %s",
863 return LDB_ERR_OPERATIONS_ERROR;
866 if (_old_scb.sub.signature == SUPPLEMENTAL_CREDENTIALS_SIGNATURE) {
869 ldb_debug(io->ac->module->ldb, LDB_DEBUG_ERROR,
870 "setup_supplemental_field: "
871 "supplementalCredentialsBlob signature[0x%04X] expected[0x%04X]",
872 _old_scb.sub.signature, SUPPLEMENTAL_CREDENTIALS_SIGNATURE);
876 if (io->domain->store_cleartext &&
877 (io->u.user_account_control & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
882 * The ordering is this
886 * Primary:CLEARTEXT (optional)
888 * And the 'Packages' package is insert before the last
892 /* Primary:Kerberos */
893 nk = &names[num_names++];
894 pk = &packages[num_packages++];
898 pp = &packages[num_packages++];
901 /* Primary:WDigest */
902 nd = &names[num_names++];
903 pd = &packages[num_packages++];
907 pp = &packages[num_packages++];
909 /* Primary:CLEARTEXT */
910 nc = &names[num_names++];
911 pc = &packages[num_packages++];
915 * setup 'Primary:Kerberos' element
919 ret = setup_primary_kerberos(io, old_scb, &pkb);
920 if (ret != LDB_SUCCESS) {
924 ndr_err = ndr_push_struct_blob(&pkb_blob, io->ac,
925 lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
927 (ndr_push_flags_fn_t)ndr_push_package_PrimaryKerberosBlob);
928 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
929 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
930 ldb_asprintf_errstring(io->ac->module->ldb,
931 "setup_supplemental_field: "
932 "failed to push package_PrimaryKerberosBlob: %s",
934 return LDB_ERR_OPERATIONS_ERROR;
936 pkb_hexstr = data_blob_hex_string(io->ac, &pkb_blob);
938 ldb_oom(io->ac->module->ldb);
939 return LDB_ERR_OPERATIONS_ERROR;
941 pk->name = "Primary:Kerberos";
943 pk->data = pkb_hexstr;
946 * setup 'Primary:WDigest' element
950 ret = setup_primary_wdigest(io, old_scb, &pdb);
951 if (ret != LDB_SUCCESS) {
955 ndr_err = ndr_push_struct_blob(&pdb_blob, io->ac,
956 lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
958 (ndr_push_flags_fn_t)ndr_push_package_PrimaryWDigestBlob);
959 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
960 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
961 ldb_asprintf_errstring(io->ac->module->ldb,
962 "setup_supplemental_field: "
963 "failed to push package_PrimaryWDigestBlob: %s",
965 return LDB_ERR_OPERATIONS_ERROR;
967 pdb_hexstr = data_blob_hex_string(io->ac, &pdb_blob);
969 ldb_oom(io->ac->module->ldb);
970 return LDB_ERR_OPERATIONS_ERROR;
972 pd->name = "Primary:WDigest";
974 pd->data = pdb_hexstr;
977 * setup 'Primary:CLEARTEXT' element
982 pcb.cleartext = io->n.cleartext;
984 ndr_err = ndr_push_struct_blob(&pcb_blob, io->ac,
985 lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
987 (ndr_push_flags_fn_t)ndr_push_package_PrimaryCLEARTEXTBlob);
988 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
989 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
990 ldb_asprintf_errstring(io->ac->module->ldb,
991 "setup_supplemental_field: "
992 "failed to push package_PrimaryCLEARTEXTBlob: %s",
994 return LDB_ERR_OPERATIONS_ERROR;
996 pcb_hexstr = data_blob_hex_string(io->ac, &pcb_blob);
998 ldb_oom(io->ac->module->ldb);
999 return LDB_ERR_OPERATIONS_ERROR;
1001 pc->name = "Primary:CLEARTEXT";
1003 pc->data = pcb_hexstr;
1007 * setup 'Packages' element
1010 ndr_err = ndr_push_struct_blob(&pb_blob, io->ac,
1011 lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
1013 (ndr_push_flags_fn_t)ndr_push_package_PackagesBlob);
1014 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1015 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1016 ldb_asprintf_errstring(io->ac->module->ldb,
1017 "setup_supplemental_field: "
1018 "failed to push package_PackagesBlob: %s",
1020 return LDB_ERR_OPERATIONS_ERROR;
1022 pb_hexstr = data_blob_hex_string(io->ac, &pb_blob);
1024 ldb_oom(io->ac->module->ldb);
1025 return LDB_ERR_OPERATIONS_ERROR;
1027 pp->name = "Packages";
1029 pp->data = pb_hexstr;
1032 * setup 'supplementalCredentials' value
1035 scb.sub.num_packages = num_packages;
1036 scb.sub.packages = packages;
1038 ndr_err = ndr_push_struct_blob(&io->g.supplemental, io->ac,
1039 lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
1041 (ndr_push_flags_fn_t)ndr_push_supplementalCredentialsBlob);
1042 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1043 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1044 ldb_asprintf_errstring(io->ac->module->ldb,
1045 "setup_supplemental_field: "
1046 "failed to push supplementalCredentialsBlob: %s",
1048 return LDB_ERR_OPERATIONS_ERROR;
1054 static int setup_last_set_field(struct setup_password_fields_io *io)
1057 unix_to_nt_time(&io->g.last_set, time(NULL));
1062 static int setup_kvno_field(struct setup_password_fields_io *io)
1064 /* increment by one */
1065 io->g.kvno = io->o.kvno + 1;
1070 static int setup_password_fields(struct setup_password_fields_io *io)
1076 * refuse the change if someone want to change the cleartext
1077 * and supply his own hashes at the same time...
1079 if (io->n.cleartext && (io->n.nt_hash || io->n.lm_hash)) {
1080 ldb_asprintf_errstring(io->ac->module->ldb,
1081 "setup_password_fields: "
1082 "it's only allowed to set the cleartext password or the password hashes");
1083 return LDB_ERR_UNWILLING_TO_PERFORM;
1086 if (io->n.cleartext) {
1087 struct samr_Password *hash;
1089 hash = talloc(io->ac, struct samr_Password);
1091 ldb_oom(io->ac->module->ldb);
1092 return LDB_ERR_OPERATIONS_ERROR;
1095 /* compute the new nt hash */
1096 ok = E_md4hash(io->n.cleartext, hash->hash);
1098 io->n.nt_hash = hash;
1100 ldb_asprintf_errstring(io->ac->module->ldb,
1101 "setup_password_fields: "
1102 "failed to generate nthash from cleartext password");
1103 return LDB_ERR_OPERATIONS_ERROR;
1107 if (io->n.cleartext) {
1108 struct samr_Password *hash;
1110 hash = talloc(io->ac, struct samr_Password);
1112 ldb_oom(io->ac->module->ldb);
1113 return LDB_ERR_OPERATIONS_ERROR;
1116 /* compute the new lm hash */
1117 ok = E_deshash(io->n.cleartext, hash->hash);
1119 io->n.lm_hash = hash;
1121 talloc_free(hash->hash);
1125 if (io->n.cleartext) {
1126 ret = setup_kerberos_keys(io);
1132 ret = setup_nt_fields(io);
1137 ret = setup_lm_fields(io);
1142 ret = setup_supplemental_field(io);
1147 ret = setup_last_set_field(io);
1152 ret = setup_kvno_field(io);
1160 static struct ldb_handle *ph_init_handle(struct ldb_request *req, struct ldb_module *module, enum ph_type type)
1162 struct ph_context *ac;
1163 struct ldb_handle *h;
1165 h = talloc_zero(req, struct ldb_handle);
1167 ldb_set_errstring(module->ldb, "Out of Memory");
1173 ac = talloc_zero(h, struct ph_context);
1175 ldb_set_errstring(module->ldb, "Out of Memory");
1180 h->private_data = (void *)ac;
1182 h->state = LDB_ASYNC_INIT;
1183 h->status = LDB_SUCCESS;
1186 ac->module = module;
1192 static int get_domain_data_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
1194 struct ph_context *ac;
1196 ac = talloc_get_type(context, struct ph_context);
1198 /* we are interested only in the single reply (base search) we receive here */
1199 if (ares->type == LDB_REPLY_ENTRY) {
1200 if (ac->dom_res != NULL) {
1201 ldb_set_errstring(ldb, "Too many results");
1203 return LDB_ERR_OPERATIONS_ERROR;
1205 ac->dom_res = talloc_steal(ac, ares);
1213 static int build_domain_data_request(struct ph_context *ac)
1215 /* attrs[] is returned from this function in
1216 ac->dom_req->op.search.attrs, so it must be static, as
1217 otherwise the compiler can put it on the stack */
1218 static const char * const attrs[] = { "pwdProperties", "pwdHistoryLength", NULL };
1221 ac->dom_req = talloc_zero(ac, struct ldb_request);
1222 if (ac->dom_req == NULL) {
1223 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
1224 return LDB_ERR_OPERATIONS_ERROR;
1226 ac->dom_req->operation = LDB_SEARCH;
1227 ac->dom_req->op.search.base = ldb_get_default_basedn(ac->module->ldb);
1228 ac->dom_req->op.search.scope = LDB_SCOPE_SUBTREE;
1230 filter = talloc_asprintf(ac->dom_req,
1231 "(&(objectSid=%s)(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain)))",
1232 ldap_encode_ndr_dom_sid(ac->dom_req, ac->domain_sid));
1233 if (filter == NULL) {
1234 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
1235 talloc_free(ac->dom_req);
1236 return LDB_ERR_OPERATIONS_ERROR;
1239 ac->dom_req->op.search.tree = ldb_parse_tree(ac->dom_req, filter);
1240 if (ac->dom_req->op.search.tree == NULL) {
1241 ldb_set_errstring(ac->module->ldb, "Invalid search filter");
1242 talloc_free(ac->dom_req);
1243 return LDB_ERR_OPERATIONS_ERROR;
1245 ac->dom_req->op.search.attrs = attrs;
1246 ac->dom_req->controls = NULL;
1247 ac->dom_req->context = ac;
1248 ac->dom_req->callback = get_domain_data_callback;
1249 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->dom_req);
1254 static struct domain_data *get_domain_data(struct ldb_module *module, void *ctx, struct ldb_reply *res)
1256 struct domain_data *data;
1258 struct ph_context *ac;
1261 ac = talloc_get_type(ctx, struct ph_context);
1263 data = talloc_zero(ac, struct domain_data);
1269 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Could not find this user's domain: %s!\n", dom_sid_string(data, ac->domain_sid));
1274 data->pwdProperties= samdb_result_uint(res->message, "pwdProperties", 0);
1275 data->store_cleartext = data->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT;
1276 data->pwdHistoryLength = samdb_result_uint(res->message, "pwdHistoryLength", 0);
1278 /* For a domain DN, this puts things in dotted notation */
1279 /* For builtin domains, this will give details for the host,
1280 * but that doesn't really matter, as it's just used for salt
1281 * and kerberos principals, which don't exist here */
1283 tmp = ldb_dn_canonical_string(ctx, res->message->dn);
1288 /* But it puts a trailing (or just before 'builtin') / on things, so kill that */
1289 p = strchr(tmp, '/');
1295 data->dns_domain = strlower_talloc(data, tmp);
1296 if (data->dns_domain == NULL) {
1297 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
1300 data->realm = strupper_talloc(data, tmp);
1301 if (data->realm == NULL) {
1302 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
1305 p = strchr(tmp, '.');
1309 data->netbios_domain = strupper_talloc(data, tmp);
1310 if (data->netbios_domain == NULL) {
1311 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
1319 static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
1321 struct ldb_handle *h;
1322 struct ph_context *ac;
1323 struct ldb_message_element *sambaAttr;
1324 struct ldb_message_element *ntAttr;
1325 struct ldb_message_element *lmAttr;
1328 ldb_debug(module->ldb, LDB_DEBUG_TRACE, "password_hash_add\n");
1330 if (ldb_dn_is_special(req->op.add.message->dn)) { /* do not manipulate our control entries */
1331 return ldb_next_request(module, req);
1334 /* If the caller is manipulating the local passwords directly, let them pass */
1335 if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
1336 req->op.add.message->dn) == 0) {
1337 return ldb_next_request(module, req);
1340 /* nobody must touch this fields */
1341 if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory")) {
1342 return LDB_ERR_UNWILLING_TO_PERFORM;
1344 if (ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) {
1345 return LDB_ERR_UNWILLING_TO_PERFORM;
1347 if (ldb_msg_find_element(req->op.add.message, "supplementalCredentials")) {
1348 return LDB_ERR_UNWILLING_TO_PERFORM;
1351 /* If no part of this ADD touches the userPassword, or the NT
1352 * or LM hashes, then we don't need to make any changes. */
1354 sambaAttr = ldb_msg_find_element(req->op.mod.message, "userPassword");
1355 ntAttr = ldb_msg_find_element(req->op.mod.message, "unicodePwd");
1356 lmAttr = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
1358 if ((!sambaAttr) && (!ntAttr) && (!lmAttr)) {
1359 return ldb_next_request(module, req);
1362 /* if it is not an entry of type person its an error */
1363 /* TODO: remove this when userPassword will be in schema */
1364 if (!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "person")) {
1365 ldb_set_errstring(module->ldb, "Cannot set a password on entry that does not have objectClass 'person'");
1366 return LDB_ERR_OBJECT_CLASS_VIOLATION;
1369 /* check userPassword is single valued here */
1370 /* TODO: remove this when userPassword will be single valued in schema */
1371 if (sambaAttr && sambaAttr->num_values > 1) {
1372 ldb_set_errstring(module->ldb, "mupltiple values for userPassword not allowed!\n");
1373 return LDB_ERR_CONSTRAINT_VIOLATION;
1376 if (ntAttr && (ntAttr->num_values > 1)) {
1377 ldb_set_errstring(module->ldb, "mupltiple values for unicodePwd not allowed!\n");
1378 return LDB_ERR_CONSTRAINT_VIOLATION;
1380 if (lmAttr && (lmAttr->num_values > 1)) {
1381 ldb_set_errstring(module->ldb, "mupltiple values for dBCSPwd not allowed!\n");
1382 return LDB_ERR_CONSTRAINT_VIOLATION;
1385 if (sambaAttr && sambaAttr->num_values == 0) {
1386 ldb_set_errstring(module->ldb, "userPassword must have a value!\n");
1387 return LDB_ERR_CONSTRAINT_VIOLATION;
1390 if (ntAttr && (ntAttr->num_values == 0)) {
1391 ldb_set_errstring(module->ldb, "unicodePwd must have a value!\n");
1392 return LDB_ERR_CONSTRAINT_VIOLATION;
1394 if (lmAttr && (lmAttr->num_values == 0)) {
1395 ldb_set_errstring(module->ldb, "dBCSPwd must have a value!\n");
1396 return LDB_ERR_CONSTRAINT_VIOLATION;
1399 h = ph_init_handle(req, module, PH_ADD);
1401 return LDB_ERR_OPERATIONS_ERROR;
1403 ac = talloc_get_type(h->private_data, struct ph_context);
1405 /* get user domain data */
1406 ac->domain_sid = samdb_result_sid_prefix(ac, req->op.add.message, "objectSid");
1407 if (ac->domain_sid == NULL) {
1408 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "can't handle entry with missing objectSid!\n");
1409 return LDB_ERR_OPERATIONS_ERROR;
1412 ret = build_domain_data_request(ac);
1413 if (ret != LDB_SUCCESS) {
1417 ac->step = PH_ADD_SEARCH_DOM;
1421 return ldb_next_request(module, ac->dom_req);
1424 static int password_hash_add_do_add(struct ldb_handle *h) {
1426 struct ph_context *ac;
1427 struct domain_data *domain;
1428 struct smb_krb5_context *smb_krb5_context;
1429 struct ldb_message *msg;
1430 struct setup_password_fields_io io;
1433 ac = talloc_get_type(h->private_data, struct ph_context);
1435 domain = get_domain_data(ac->module, ac, ac->dom_res);
1436 if (domain == NULL) {
1437 return LDB_ERR_OPERATIONS_ERROR;
1440 ac->down_req = talloc(ac, struct ldb_request);
1441 if (ac->down_req == NULL) {
1442 return LDB_ERR_OPERATIONS_ERROR;
1445 *(ac->down_req) = *(ac->orig_req);
1446 ac->down_req->op.add.message = msg = ldb_msg_copy_shallow(ac->down_req, ac->orig_req->op.add.message);
1447 if (ac->down_req->op.add.message == NULL) {
1448 return LDB_ERR_OPERATIONS_ERROR;
1451 /* Some operations below require kerberos contexts */
1452 if (smb_krb5_init_context(ac->down_req,
1453 ldb_get_opaque(h->module->ldb, "EventContext"),
1454 (struct loadparm_context *)ldb_get_opaque(h->module->ldb, "loadparm"),
1455 &smb_krb5_context) != 0) {
1456 return LDB_ERR_OPERATIONS_ERROR;
1462 io.smb_krb5_context = smb_krb5_context;
1464 io.u.user_account_control = samdb_result_uint(msg, "userAccountControl", 0);
1465 io.u.sAMAccountName = samdb_result_string(msg, "samAccountName", NULL);
1466 io.u.user_principal_name = samdb_result_string(msg, "userPrincipalName", NULL);
1467 io.u.is_computer = ldb_msg_check_string_attribute(msg, "objectClass", "computer");
1469 io.n.cleartext = samdb_result_string(msg, "userPassword", NULL);
1470 io.n.nt_hash = samdb_result_hash(io.ac, msg, "unicodePwd");
1471 io.n.lm_hash = samdb_result_hash(io.ac, msg, "dBCSPwd");
1473 /* remove attributes */
1474 if (io.n.cleartext) ldb_msg_remove_attr(msg, "userPassword");
1475 if (io.n.nt_hash) ldb_msg_remove_attr(msg, "unicodePwd");
1476 if (io.n.lm_hash) ldb_msg_remove_attr(msg, "dBCSPwd");
1477 ldb_msg_remove_attr(msg, "pwdLastSet");
1478 io.o.kvno = samdb_result_uint(msg, "msDs-KeyVersionNumber", 1) - 1;
1479 ldb_msg_remove_attr(msg, "msDs-KeyVersionNumber");
1481 ret = setup_password_fields(&io);
1482 if (ret != LDB_SUCCESS) {
1487 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
1488 "unicodePwd", io.g.nt_hash);
1489 if (ret != LDB_SUCCESS) {
1494 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
1495 "dBCSPwd", io.g.lm_hash);
1496 if (ret != LDB_SUCCESS) {
1500 if (io.g.nt_history_len > 0) {
1501 ret = samdb_msg_add_hashes(ac, msg,
1504 io.g.nt_history_len);
1505 if (ret != LDB_SUCCESS) {
1509 if (io.g.lm_history_len > 0) {
1510 ret = samdb_msg_add_hashes(ac, msg,
1513 io.g.lm_history_len);
1514 if (ret != LDB_SUCCESS) {
1518 if (io.g.supplemental.length > 0) {
1519 ret = ldb_msg_add_value(msg, "supplementalCredentials",
1520 &io.g.supplemental, NULL);
1521 if (ret != LDB_SUCCESS) {
1525 ret = samdb_msg_add_uint64(ac->module->ldb, ac, msg,
1528 if (ret != LDB_SUCCESS) {
1531 ret = samdb_msg_add_uint(ac->module->ldb, ac, msg,
1532 "msDs-KeyVersionNumber",
1534 if (ret != LDB_SUCCESS) {
1538 h->state = LDB_ASYNC_INIT;
1539 h->status = LDB_SUCCESS;
1541 ac->step = PH_ADD_DO_ADD;
1543 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->down_req);
1545 /* perform the operation */
1546 return ldb_next_request(ac->module, ac->down_req);
1549 static int password_hash_mod_search_self(struct ldb_handle *h);
1551 static int password_hash_modify(struct ldb_module *module, struct ldb_request *req)
1553 struct ldb_handle *h;
1554 struct ph_context *ac;
1555 struct ldb_message_element *sambaAttr;
1556 struct ldb_message_element *ntAttr;
1557 struct ldb_message_element *lmAttr;
1558 struct ldb_message *msg;
1560 ldb_debug(module->ldb, LDB_DEBUG_TRACE, "password_hash_modify\n");
1562 if (ldb_dn_is_special(req->op.mod.message->dn)) { /* do not manipulate our control entries */
1563 return ldb_next_request(module, req);
1566 /* If the caller is manipulating the local passwords directly, let them pass */
1567 if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
1568 req->op.mod.message->dn) == 0) {
1569 return ldb_next_request(module, req);
1572 /* nobody must touch password Histories */
1573 if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory")) {
1574 return LDB_ERR_UNWILLING_TO_PERFORM;
1576 if (ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) {
1577 return LDB_ERR_UNWILLING_TO_PERFORM;
1579 if (ldb_msg_find_element(req->op.add.message, "supplementalCredentials")) {
1580 return LDB_ERR_UNWILLING_TO_PERFORM;
1583 sambaAttr = ldb_msg_find_element(req->op.mod.message, "userPassword");
1584 ntAttr = ldb_msg_find_element(req->op.mod.message, "unicodePwd");
1585 lmAttr = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
1587 /* If no part of this touches the userPassword OR unicodePwd and/or dBCSPwd, then we don't
1588 * need to make any changes. For password changes/set there should
1589 * be a 'delete' or a 'modify' on this attribute. */
1590 if ((!sambaAttr) && (!ntAttr) && (!lmAttr)) {
1591 return ldb_next_request(module, req);
1594 /* check passwords are single valued here */
1595 /* TODO: remove this when passwords will be single valued in schema */
1596 if (sambaAttr && (sambaAttr->num_values > 1)) {
1597 return LDB_ERR_CONSTRAINT_VIOLATION;
1599 if (ntAttr && (ntAttr->num_values > 1)) {
1600 return LDB_ERR_CONSTRAINT_VIOLATION;
1602 if (lmAttr && (lmAttr->num_values > 1)) {
1603 return LDB_ERR_CONSTRAINT_VIOLATION;
1606 h = ph_init_handle(req, module, PH_MOD);
1608 return LDB_ERR_OPERATIONS_ERROR;
1610 ac = talloc_get_type(h->private_data, struct ph_context);
1612 /* return or own handle to deal with this call */
1615 /* prepare the first operation */
1616 ac->down_req = talloc_zero(ac, struct ldb_request);
1617 if (ac->down_req == NULL) {
1618 ldb_set_errstring(module->ldb, "Out of memory!");
1619 return LDB_ERR_OPERATIONS_ERROR;
1622 *(ac->down_req) = *req; /* copy the request */
1624 /* use a new message structure so that we can modify it */
1625 ac->down_req->op.mod.message = msg = ldb_msg_copy_shallow(ac->down_req, req->op.mod.message);
1627 /* - remove any imodification to the password from the first commit
1628 * we will make the real modification later */
1629 if (sambaAttr) ldb_msg_remove_attr(msg, "userPassword");
1630 if (ntAttr) ldb_msg_remove_attr(msg, "unicodePwd");
1631 if (lmAttr) ldb_msg_remove_attr(msg, "dBCSPwd");
1633 /* if there was nothing else to be modify skip to next step */
1634 if (msg->num_elements == 0) {
1635 talloc_free(ac->down_req);
1636 ac->down_req = NULL;
1637 return password_hash_mod_search_self(h);
1640 ac->down_req->context = NULL;
1641 ac->down_req->callback = NULL;
1643 ac->step = PH_MOD_DO_REQ;
1645 ldb_set_timeout_from_prev_req(module->ldb, req, ac->down_req);
1647 return ldb_next_request(module, ac->down_req);
1650 static int get_self_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
1652 struct ph_context *ac;
1654 ac = talloc_get_type(context, struct ph_context);
1656 /* we are interested only in the single reply (base search) we receive here */
1657 if (ares->type == LDB_REPLY_ENTRY) {
1658 if (ac->search_res != NULL) {
1659 ldb_set_errstring(ldb, "Too many results");
1661 return LDB_ERR_OPERATIONS_ERROR;
1664 /* if it is not an entry of type person this is an error */
1665 /* TODO: remove this when userPassword will be in schema */
1666 if (!ldb_msg_check_string_attribute(ares->message, "objectClass", "person")) {
1667 ldb_set_errstring(ldb, "Object class violation");
1669 return LDB_ERR_OBJECT_CLASS_VIOLATION;
1672 ac->search_res = talloc_steal(ac, ares);
1680 static int password_hash_mod_search_self(struct ldb_handle *h) {
1682 struct ph_context *ac;
1683 static const char * const attrs[] = { "userAccountControl", "lmPwdHistory",
1685 "objectSid", "msDS-KeyVersionNumber",
1686 "objectClass", "userPrincipalName",
1688 "dBCSPwd", "unicodePwd",
1689 "supplementalCredentials",
1692 ac = talloc_get_type(h->private_data, struct ph_context);
1694 /* prepare the search operation */
1695 ac->search_req = talloc_zero(ac, struct ldb_request);
1696 if (ac->search_req == NULL) {
1697 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
1698 return LDB_ERR_OPERATIONS_ERROR;
1701 ac->search_req->operation = LDB_SEARCH;
1702 ac->search_req->op.search.base = ac->orig_req->op.mod.message->dn;
1703 ac->search_req->op.search.scope = LDB_SCOPE_BASE;
1704 ac->search_req->op.search.tree = ldb_parse_tree(ac->search_req, NULL);
1705 if (ac->search_req->op.search.tree == NULL) {
1706 ldb_set_errstring(ac->module->ldb, "Invalid search filter");
1707 return LDB_ERR_OPERATIONS_ERROR;
1709 ac->search_req->op.search.attrs = attrs;
1710 ac->search_req->controls = NULL;
1711 ac->search_req->context = ac;
1712 ac->search_req->callback = get_self_callback;
1713 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->search_req);
1715 ac->step = PH_MOD_SEARCH_SELF;
1717 return ldb_next_request(ac->module, ac->search_req);
1720 static int password_hash_mod_search_dom(struct ldb_handle *h) {
1722 struct ph_context *ac;
1725 ac = talloc_get_type(h->private_data, struct ph_context);
1727 /* get object domain sid */
1728 ac->domain_sid = samdb_result_sid_prefix(ac, ac->search_res->message, "objectSid");
1729 if (ac->domain_sid == NULL) {
1730 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "can't handle entry with missing objectSid!\n");
1731 return LDB_ERR_OPERATIONS_ERROR;
1734 /* get user domain data */
1735 ret = build_domain_data_request(ac);
1736 if (ret != LDB_SUCCESS) {
1740 ac->step = PH_MOD_SEARCH_DOM;
1742 return ldb_next_request(ac->module, ac->dom_req);
1745 static int password_hash_mod_do_mod(struct ldb_handle *h) {
1747 struct ph_context *ac;
1748 struct domain_data *domain;
1749 struct smb_krb5_context *smb_krb5_context;
1750 struct ldb_message *msg;
1751 struct ldb_message *orig_msg;
1752 struct ldb_message *searched_msg;
1753 struct setup_password_fields_io io;
1756 ac = talloc_get_type(h->private_data, struct ph_context);
1758 domain = get_domain_data(ac->module, ac, ac->dom_res);
1759 if (domain == NULL) {
1760 return LDB_ERR_OPERATIONS_ERROR;
1763 ac->mod_req = talloc(ac, struct ldb_request);
1764 if (ac->mod_req == NULL) {
1765 return LDB_ERR_OPERATIONS_ERROR;
1768 *(ac->mod_req) = *(ac->orig_req);
1770 /* use a new message structure so that we can modify it */
1771 ac->mod_req->op.mod.message = msg = ldb_msg_new(ac->mod_req);
1773 return LDB_ERR_OPERATIONS_ERROR;
1777 msg->dn = ac->orig_req->op.mod.message->dn;
1779 /* Some operations below require kerberos contexts */
1780 if (smb_krb5_init_context(ac->mod_req,
1781 ldb_get_opaque(h->module->ldb, "EventContext"),
1782 (struct loadparm_context *)ldb_get_opaque(h->module->ldb, "loadparm"),
1783 &smb_krb5_context) != 0) {
1784 return LDB_ERR_OPERATIONS_ERROR;
1787 orig_msg = discard_const(ac->orig_req->op.mod.message);
1788 searched_msg = ac->search_res->message;
1793 io.smb_krb5_context = smb_krb5_context;
1795 io.u.user_account_control = samdb_result_uint(searched_msg, "userAccountControl", 0);
1796 io.u.sAMAccountName = samdb_result_string(searched_msg, "samAccountName", NULL);
1797 io.u.user_principal_name = samdb_result_string(searched_msg, "userPrincipalName", NULL);
1798 io.u.is_computer = ldb_msg_check_string_attribute(searched_msg, "objectClass", "computer");
1800 io.n.cleartext = samdb_result_string(orig_msg, "userPassword", NULL);
1801 io.n.nt_hash = samdb_result_hash(io.ac, orig_msg, "unicodePwd");
1802 io.n.lm_hash = samdb_result_hash(io.ac, orig_msg, "dBCSPwd");
1804 io.o.kvno = samdb_result_uint(searched_msg, "msDs-KeyVersionNumber", 0);
1805 io.o.nt_history_len = samdb_result_hashes(io.ac, searched_msg, "ntPwdHistory", &io.o.nt_history);
1806 io.o.lm_history_len = samdb_result_hashes(io.ac, searched_msg, "lmPwdHistory", &io.o.lm_history);
1807 io.o.supplemental = ldb_msg_find_ldb_val(searched_msg, "supplementalCredentials");
1809 ret = setup_password_fields(&io);
1810 if (ret != LDB_SUCCESS) {
1814 /* make sure we replace all the old attributes */
1815 ret = ldb_msg_add_empty(msg, "unicodePwd", LDB_FLAG_MOD_REPLACE, NULL);
1816 ret = ldb_msg_add_empty(msg, "dBCSPwd", LDB_FLAG_MOD_REPLACE, NULL);
1817 ret = ldb_msg_add_empty(msg, "ntPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
1818 ret = ldb_msg_add_empty(msg, "lmPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
1819 ret = ldb_msg_add_empty(msg, "supplementalCredentials", LDB_FLAG_MOD_REPLACE, NULL);
1820 ret = ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE, NULL);
1821 ret = ldb_msg_add_empty(msg, "msDs-KeyVersionNumber", LDB_FLAG_MOD_REPLACE, NULL);
1824 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
1825 "unicodePwd", io.g.nt_hash);
1826 if (ret != LDB_SUCCESS) {
1831 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
1832 "dBCSPwd", io.g.lm_hash);
1833 if (ret != LDB_SUCCESS) {
1837 if (io.g.nt_history_len > 0) {
1838 ret = samdb_msg_add_hashes(ac, msg,
1841 io.g.nt_history_len);
1842 if (ret != LDB_SUCCESS) {
1846 if (io.g.lm_history_len > 0) {
1847 ret = samdb_msg_add_hashes(ac, msg,
1850 io.g.lm_history_len);
1851 if (ret != LDB_SUCCESS) {
1855 if (io.g.supplemental.length > 0) {
1856 ret = ldb_msg_add_value(msg, "supplementalCredentials",
1857 &io.g.supplemental, NULL);
1858 if (ret != LDB_SUCCESS) {
1862 ret = samdb_msg_add_uint64(ac->module->ldb, ac, msg,
1865 if (ret != LDB_SUCCESS) {
1868 ret = samdb_msg_add_uint(ac->module->ldb, ac, msg,
1869 "msDs-KeyVersionNumber",
1871 if (ret != LDB_SUCCESS) {
1875 h->state = LDB_ASYNC_INIT;
1876 h->status = LDB_SUCCESS;
1878 ac->step = PH_MOD_DO_MOD;
1880 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->mod_req);
1882 /* perform the search */
1883 return ldb_next_request(ac->module, ac->mod_req);
1886 static int ph_wait(struct ldb_handle *handle) {
1887 struct ph_context *ac;
1890 if (!handle || !handle->private_data) {
1891 return LDB_ERR_OPERATIONS_ERROR;
1894 if (handle->state == LDB_ASYNC_DONE) {
1895 return handle->status;
1898 handle->state = LDB_ASYNC_PENDING;
1899 handle->status = LDB_SUCCESS;
1901 ac = talloc_get_type(handle->private_data, struct ph_context);
1904 case PH_ADD_SEARCH_DOM:
1905 ret = ldb_wait(ac->dom_req->handle, LDB_WAIT_NONE);
1907 if (ret != LDB_SUCCESS) {
1908 handle->status = ret;
1911 if (ac->dom_req->handle->status != LDB_SUCCESS) {
1912 handle->status = ac->dom_req->handle->status;
1916 if (ac->dom_req->handle->state != LDB_ASYNC_DONE) {
1920 /* domain search done, go on */
1921 return password_hash_add_do_add(handle);
1924 ret = ldb_wait(ac->down_req->handle, LDB_WAIT_NONE);
1926 if (ret != LDB_SUCCESS) {
1927 handle->status = ret;
1930 if (ac->down_req->handle->status != LDB_SUCCESS) {
1931 handle->status = ac->down_req->handle->status;
1935 if (ac->down_req->handle->state != LDB_ASYNC_DONE) {
1942 ret = ldb_wait(ac->down_req->handle, LDB_WAIT_NONE);
1944 if (ret != LDB_SUCCESS) {
1945 handle->status = ret;
1948 if (ac->down_req->handle->status != LDB_SUCCESS) {
1949 handle->status = ac->down_req->handle->status;
1953 if (ac->down_req->handle->state != LDB_ASYNC_DONE) {
1957 /* non-password mods done, go on */
1958 return password_hash_mod_search_self(handle);
1960 case PH_MOD_SEARCH_SELF:
1961 ret = ldb_wait(ac->search_req->handle, LDB_WAIT_NONE);
1963 if (ret != LDB_SUCCESS) {
1964 handle->status = ret;
1967 if (ac->search_req->handle->status != LDB_SUCCESS) {
1968 handle->status = ac->search_req->handle->status;
1972 if (ac->search_req->handle->state != LDB_ASYNC_DONE) {
1976 if (ac->search_res == NULL) {
1977 return LDB_ERR_NO_SUCH_OBJECT;
1980 /* self search done, go on */
1981 return password_hash_mod_search_dom(handle);
1983 case PH_MOD_SEARCH_DOM:
1984 ret = ldb_wait(ac->dom_req->handle, LDB_WAIT_NONE);
1986 if (ret != LDB_SUCCESS) {
1987 handle->status = ret;
1990 if (ac->dom_req->handle->status != LDB_SUCCESS) {
1991 handle->status = ac->dom_req->handle->status;
1995 if (ac->dom_req->handle->state != LDB_ASYNC_DONE) {
1999 /* domain search done, go on */
2000 return password_hash_mod_do_mod(handle);
2003 ret = ldb_wait(ac->mod_req->handle, LDB_WAIT_NONE);
2005 if (ret != LDB_SUCCESS) {
2006 handle->status = ret;
2009 if (ac->mod_req->handle->status != LDB_SUCCESS) {
2010 handle->status = ac->mod_req->handle->status;
2014 if (ac->mod_req->handle->state != LDB_ASYNC_DONE) {
2021 ret = LDB_ERR_OPERATIONS_ERROR;
2028 handle->state = LDB_ASYNC_DONE;
2032 static int ph_wait_all(struct ldb_handle *handle) {
2036 while (handle->state != LDB_ASYNC_DONE) {
2037 ret = ph_wait(handle);
2038 if (ret != LDB_SUCCESS) {
2043 return handle->status;
2046 static int password_hash_wait(struct ldb_handle *handle, enum ldb_wait_type type)
2048 if (type == LDB_WAIT_ALL) {
2049 return ph_wait_all(handle);
2051 return ph_wait(handle);
2055 _PUBLIC_ const struct ldb_module_ops ldb_password_hash_module_ops = {
2056 .name = "password_hash",
2057 .add = password_hash_add,
2058 .modify = password_hash_modify,
2059 .wait = password_hash_wait