#
# GMSA tests
#
-^samba\.tests\.krb5\.gmsa_tests\.samba\.tests\.krb5\.gmsa_tests\.GmsaTests\.test_authentication_triggers_keys_update\(ad_dc:local\)$
^samba\.tests\.krb5\.gmsa_tests\.samba\.tests\.krb5\.gmsa_tests\.GmsaTests\.test_retrieving_managed_password_triggers_keys_update\(ad_dc:local\)$
"codePage",
"unicodePwd",
"dBCSPwd",
+ /* Required for Group Managed Service Accounts. */
+ "msDS-ManagedPasswordId",
+ "msDS-ManagedPasswordInterval",
+ "objectClass",
+ "whenCreated",
NULL};
int rc = dsdb_search_one(state->ldb,
ldb_get_default_basedn(state->ldb),
LDB_SCOPE_SUBTREE,
attrs,
- 0,
+ DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS,
"%s",
filter);
if (rc != LDB_SUCCESS) {
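Review bot: The attribute list in this hunk gains the gMSA attributes at L10-L13 but, unlike the ntp_signd list at L172-L177 and the netlogon list at L298-L303, the visible part does not add objectSid; the head of this list is outside the hunk, so it may already be present, but if the managed-password update needs the account SID and the record lacks it, the update for that record could be skipped without any error. Either confirm objectSid is already in this list or add it next to the other gMSA attributes, and make the comment name what the flag depends on, e.g. `/* Required by DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS for Group Managed Service Accounts. */`. The enclosing function starts and ends outside the hunk.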
NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
TALLOC_CTX *mem_ctx, const char *principal,
const char **attrs,
+ const uint32_t dsdb_flags,
struct ldb_dn **domain_dn,
struct ldb_message **msg)
{
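Review bot: `const uint32_t dsdb_flags,` at L27 puts a top-level const on a by-value parameter, which only constrains the local copy and differs from the style of the neighbouring parameters; if the prototype is generated from this definition the qualifier also ends up in the header, where it carries no meaning. The same qualifier is added at L73 in samba_kdc_lookup_client. Drop it to `uint32_t dsdb_flags,` in both places, and state in the function's header comment that the value is OR-ed with the flags the function always sets (L35 shows DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG), e.g. `dsdb_flags: additional DSDB_SEARCH_* flags, OR-ed with the flags this lookup always uses`. The body of sam_get_results_principal continues outside the hunk.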
/* pull the user attributes */
ret = dsdb_search_one(sam_ctx, tmp_ctx, msg, user_dn,
LDB_SCOPE_BASE, attrs,
- DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
+ dsdb_flags | DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
"(objectClass=*)");
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
if (principal) {
nt_status = sam_get_results_principal(sam_ctx, tmp_ctx, principal,
- user_attrs, &domain_dn, &msg);
+ user_attrs, DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS, &domain_dn, &msg);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
/* pull the user attributes */
ret = dsdb_search_one(sam_ctx, tmp_ctx, &msg, user_dn,
LDB_SCOPE_BASE, user_attrs,
- DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
+ DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG | DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS,
"(objectClass=*)");
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
talloc_free(tmp_ctx);
&res,
user_msg->dn,
user_attrs,
- DSDB_SEARCH_SHOW_EXTENDED_DN);
+ DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS);
if (ret != LDB_SUCCESS) {
DBG_ERR("Unable to re-read account control data for %s\n",
ldb_dn_get_linearized(user_msg->dn));
/* pull the user attributes */
ret = dsdb_search_one(sam_ctx, mem_ctx, ret_msg, domain_dn, LDB_SCOPE_SUBTREE,
user_attrs,
- DSDB_SEARCH_SHOW_EXTENDED_DN,
+ DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS,
"(&(sAMAccountName=%s)(objectclass=user))",
account_name_encoded);
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
TALLOC_CTX *mem_ctx,
krb5_const_principal principal,
const char **attrs,
+ const uint32_t dsdb_flags,
struct ldb_dn **realm_dn,
struct ldb_message **msg)
{
}
nt_status = sam_get_results_principal(kdc_db_ctx->samdb,
- mem_ctx, principal_string, attrs,
+ mem_ctx, principal_string, attrs, dsdb_flags,
realm_dn, msg);
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
krb5_principal fallback_principal = NULL;
nt_status = sam_get_results_principal(kdc_db_ctx->samdb,
mem_ctx,
fallback_string,
- attrs,
+ attrs, dsdb_flags,
realm_dn, msg);
SAFE_FREE(fallback_string);
}
struct ldb_message *msg = NULL;
ret = samba_kdc_lookup_client(context, kdc_db_ctx,
- mem_ctx, principal, user_attrs,
+ mem_ctx, principal, user_attrs, DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS,
&realm_dn, &msg);
if (ret != 0) {
return ret;
if (krbtgt_number == kdc_db_ctx->my_krbtgt_number) {
lret = dsdb_search_one(kdc_db_ctx->samdb, tmp_ctx,
&msg, kdc_db_ctx->krbtgt_dn, LDB_SCOPE_BASE,
- krbtgt_attrs, DSDB_SEARCH_NO_GLOBAL_CATALOG,
+ krbtgt_attrs, DSDB_SEARCH_NO_GLOBAL_CATALOG | DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS,
"(objectClass=user)");
} else {
/* We need to look up an RODC krbtgt (perhaps
lret = dsdb_search_one(kdc_db_ctx->samdb, tmp_ctx,
&msg, realm_dn, LDB_SCOPE_SUBTREE,
krbtgt_attrs,
- DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
+ DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG | DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS,
"(&(objectClass=user)(msDS-SecondaryKrbTgtNumber=%u))", (unsigned)(krbtgt_number));
}
mem_ctx,
msg, user_dn, LDB_SCOPE_BASE,
server_attrs,
- DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
+ DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG | DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS,
"(objectClass=*)");
if (ldb_ret != LDB_SUCCESS) {
return SDB_ERR_NOENTRY;
* not AS-REQ packets.
*/
return samba_kdc_lookup_client(context, kdc_db_ctx,
- mem_ctx, principal, server_attrs,
+ mem_ctx, principal, server_attrs, DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS,
realm_dn, msg);
} else {
/*
lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx, msg,
*realm_dn, LDB_SCOPE_SUBTREE,
server_attrs,
- DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
+ DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG | DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS,
"%s", filter);
if (lret == LDB_ERR_NO_SUCH_OBJECT) {
DBG_DEBUG("Failed to find an entry for %s filter:%s\n",
lret = dsdb_search(ldb_ctx, priv, &res,
priv->realm_dn, LDB_SCOPE_SUBTREE, user_attrs,
- DSDB_SEARCH_NO_GLOBAL_CATALOG,
+ DSDB_SEARCH_NO_GLOBAL_CATALOG | DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS,
"(objectClass=user)");
if (lret != LDB_SUCCESS) {
ret = samba_kdc_lookup_client(context, kdc_db_ctx,
mem_ctx, certificate_principal,
- ms_upn_check_attrs, &realm_dn, &msg);
+ ms_upn_check_attrs, 0, &realm_dn, &msg);
if (ret != 0) {
talloc_free(mem_ctx);
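Review bot: L147 is the only call site in this commit that passes `0` instead of DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS, and nothing in the hunk says why; presumably ms_upn_check_attrs (defined outside the hunk) reads no password attributes, so no key update is needed there, but a later reader comparing call sites is likely to "correct" it. A comment on the argument would pin the intent: `0, /* UPN check only: no password attributes are read, so no gMSA key update */`. The enclosing function continues outside the hunk.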
ldb_get_default_basedn(kdc_db_ctx->samdb),
LDB_SCOPE_SUBTREE,
krbtgt_attrs,
- DSDB_SEARCH_NO_GLOBAL_CATALOG,
+ DSDB_SEARCH_NO_GLOBAL_CATALOG | DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS,
"(&(objectClass=user)(samAccountName=krbtgt))");
if (ldb_ret != LDB_SUCCESS) {
#include "libcli/util/tstream.h"
#include "librpc/gen_ndr/ndr_ntp_signd.h"
#include "param/param.h"
+#include "dsdb/common/util.h"
#include "dsdb/samdb/samdb.h"
#include "auth/auth.h"
#include "libcli/security/security.h"
struct signed_reply signed_reply;
enum ndr_err_code ndr_err;
struct ldb_result *res;
- const char *attrs[] = { "unicodePwd", "userAccountControl", "cn", NULL };
+ static const char *attrs[] = {
+ "unicodePwd",
+ "userAccountControl",
+ "cn",
+ /* Required for Group Managed Service Accounts. */
+ "msDS-ManagedPasswordId",
+ "msDS-ManagedPasswordInterval",
+ "objectClass",
+ "objectSid",
+ "whenCreated",
+ NULL};
gnutls_hash_hd_t hash_hnd = NULL;
struct samr_Password *nt_hash;
uint32_t user_account_control;
sign_request.packet_id);
}
- ret = ldb_search(ntp_signd_conn->ntp_signd->samdb, mem_ctx,
- &res,
- ldb_get_default_basedn(ntp_signd_conn->ntp_signd->samdb),
- LDB_SCOPE_SUBTREE,
- attrs,
- "(&(objectSid=%s)(objectClass=user))",
- ldap_encode_ndr_dom_sid(mem_ctx, sid));
+ ret = dsdb_search(ntp_signd_conn->ntp_signd->samdb, mem_ctx,
+ &res,
+ ldb_get_default_basedn(ntp_signd_conn->ntp_signd->samdb),
+ LDB_SCOPE_SUBTREE,
+ attrs,
+ DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS,
+ "(&(objectSid=%s)(objectClass=user))",
+ ldap_encode_ndr_dom_sid(mem_ctx, sid));
if (ret != LDB_SUCCESS) {
DEBUG(2, ("Failed to search for SID %s in SAM for NTP signing: "
"%s\n",
source='ntp_signd.c',
subsystem='service',
init_function='server_service_ntp_signd_init',
- deps='samdb NDR_NTP_SIGND LIBTSOCKET LIBSAMBA_TSOCKET GNUTLS_HELPERS',
+ deps='samdb NDR_NTP_SIGND LIBTSOCKET LIBSAMBA_TSOCKET GNUTLS_HELPERS samdb-common',
internal_module=False,
enabled=bld.AD_DC_BUILD_IS_ENABLED()
)
-
#include "lib/messaging/irpc.h"
#include "librpc/gen_ndr/ndr_irpc_c.h"
#include "../libcli/ldap/ldap_ndr.h"
+#include "dsdb/common/util.h"
#include "dsdb/samdb/ldb_modules/util.h"
#include "lib/tsocket/tsocket.h"
#include "librpc/gen_ndr/ndr_netlogon.h"
struct samr_Password *curNtHash = NULL;
struct samr_Password *prevNtHash = NULL;
uint32_t user_account_control;
- int num_records;
struct ldb_message **msgs;
NTSTATUS nt_status;
- static const char *attrs[] = {"unicodePwd",
- "userAccountControl",
- "objectSid",
- "samAccountName",
- NULL};
+ static const char *attrs[] = {
+ "unicodePwd",
+ "userAccountControl",
+ "objectSid",
+ "samAccountName",
+ /* Required for Group Managed Service Accounts. */
+ "msDS-ManagedPasswordId",
+ "msDS-ManagedPasswordInterval",
+ "objectClass",
+ "whenCreated",
+ NULL};
uint32_t server_flags = 0;
uint32_t negotiate_flags = 0;
*trust_account_for_search = r->in.account_name;
}
- /* pull the user attributes */
- num_records = gendb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs,
- "(&(sAMAccountName=%s)(objectclass=user))",
- ldb_binary_encode_string(mem_ctx,
- *trust_account_for_search));
-
- if (num_records == 0) {
- DEBUG(3,("Couldn't find user [%s] in samdb.\n",
+ {
+ struct ldb_result *res = NULL;
+ int ret;
+
+ /* pull the user attributes */
+ ret = dsdb_search(
+ sam_ctx,
+ mem_ctx,
+ &res,
+ ldb_get_default_basedn(sam_ctx),
+ LDB_SCOPE_SUBTREE,
+ attrs,
+ DSDB_SEARCH_ONE_ONLY | DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS,
+ "(&(sAMAccountName=%s)(objectclass=user))",
+ ldb_binary_encode_string(mem_ctx,
+ *trust_account_for_search));
+ if (ret) {
+ DEBUG(3,("Couldn't find user [%s] in samdb.\n",
log_escape(mem_ctx, r->in.account_name)));
- return dcesrv_netr_ServerAuthenticate3_check_downgrade(
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
dce_call, r, pipe_state, negotiate_flags,
NULL, /* trust_account_in_db */
NT_STATUS_NO_TRUST_SAM_ACCOUNT);
- }
+ }
- if (num_records > 1) {
- DEBUG(0,("Found %d records matching user [%s]\n",
- num_records,
- log_escape(mem_ctx, r->in.account_name)));
- return dcesrv_netr_ServerAuthenticate3_check_downgrade(
- dce_call, r, pipe_state, negotiate_flags,
- NULL, /* trust_account_in_db */
- NT_STATUS_INTERNAL_DB_CORRUPTION);
+ msgs = talloc_steal(mem_ctx, res->msgs);
+ talloc_free(res);
}
*trust_account_in_db = ldb_msg_find_attr_as_string(msgs[0],
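Review bot: `if (ret)` at L268 folds every dsdb_search failure into "Couldn't find user" and NT_STATUS_NO_TRUST_SAM_ACCOUNT, whereas the removed code separated the zero-match case from the multiple-match case, which was logged at level 0 and returned NT_STATUS_INTERNAL_DB_CORRUPTION (L278-L285); with DSDB_SEARCH_ONE_ONLY a duplicate account or a backend error now looks like a missing trust account and the ldb error string is never logged. Assuming dsdb_search reports an empty result as LDB_ERR_NO_SUCH_OBJECT, as the db-glue callers at L52, L69 and L136 already rely on, the two cases can be kept apart as below, with `ldb_errstring(sam_ctx)` in the log for the unexpected case. The later hunk at L327 has the same `if (ret)` shape but its old code already returned NT_STATUS_ACCOUNT_DISABLED for any count other than one, so only the logging point applies there. The enclosing function starts outside the hunk.
```c
		if (ret == LDB_ERR_NO_SUCH_OBJECT) {
			DEBUG(3,("Couldn't find user [%s] in samdb.\n",
				 log_escape(mem_ctx, r->in.account_name)));
			return dcesrv_netr_ServerAuthenticate3_check_downgrade(
				dce_call, r, pipe_state, negotiate_flags,
				NULL, /* trust_account_in_db */
				NT_STATUS_NO_TRUST_SAM_ACCOUNT);
		}
		if (ret != LDB_SUCCESS) {
			DEBUG(0,("Lookup of user [%s] in samdb failed: %s\n",
				 log_escape(mem_ctx, r->in.account_name),
				 ldb_errstring(sam_ctx)));
			return dcesrv_netr_ServerAuthenticate3_check_downgrade(
				dce_call, r, pipe_state, negotiate_flags,
				NULL, /* trust_account_in_db */
				NT_STATUS_INTERNAL_DB_CORRUPTION);
		}
		/* … unchanged: msgs = talloc_steal(mem_ctx, res->msgs); talloc_free(res); … */
```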
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
struct netlogon_creds_CredentialState *creds = NULL;
struct ldb_context *sam_ctx = NULL;
- const char * const attrs[] = {
+ static const char * const attrs[] = {
"unicodePwd",
"sAMAccountName",
"userAccountControl",
+ /* Required for Group Managed Service Accounts. */
+ "msDS-ManagedPasswordId",
+ "msDS-ManagedPasswordInterval",
+ "objectClass",
+ "objectSid",
+ "whenCreated",
NULL
};
struct ldb_message **res = NULL;
return NT_STATUS_NO_MEMORY;
}
- ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs,
- "(&(objectClass=user)(objectSid=%s))",
- asid);
- if (ret != 1) {
- return NT_STATUS_ACCOUNT_DISABLED;
+ {
+ struct ldb_result *result = NULL;
+
+ ret = dsdb_search(sam_ctx,
+ mem_ctx,
+ &result,
+ ldb_get_default_basedn(sam_ctx),
+ LDB_SCOPE_SUBTREE,
+ attrs,
+ DSDB_SEARCH_ONE_ONLY |
+ DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS,
+ "(&(objectClass=user)(objectSid=%s))",
+ asid);
+ if (ret) {
+ return NT_STATUS_ACCOUNT_DISABLED;
+ }
+
+ res = talloc_steal(mem_ctx, result->msgs);
+ talloc_free(result);
}
switch (creds->secure_channel_type) {
DSDB_MODULE_HELPERS
util_str_escape
DCERPC_SERVER_NETLOGON
+ samdb-common
'''
)