#include "includes.h"
#include "ldb_module.h"
-#include "auth/session.h"
#include "libcli/auth/libcli_auth.h"
-#include "libcli/security/security.h"
-#include "libcli/security/session.h"
#include "system/kerberos.h"
#include "auth/kerberos/kerberos.h"
#include "dsdb/samdb/samdb.h"
#include "librpc/gen_ndr/ndr_drsblobs.h"
#include "../lib/crypto/crypto.h"
#include "param/param.h"
+#include "lib/krb5_wrap/krb5_samba.h"
/* If we have decided there is a reason to work on this request, then
* setup all the password hash types correctly.
bool change_status;
bool hash_values;
bool userPassword;
+ bool pwd_last_set_bypass;
};
} g;
};
+static int password_hash_bypass(struct ldb_module *module, struct ldb_request *request)
+{
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ const struct ldb_message *msg;
+ struct ldb_message_element *nte;
+ struct ldb_message_element *lme;
+ struct ldb_message_element *nthe;
+ struct ldb_message_element *lmhe;
+ struct ldb_message_element *sce;
+
+ switch (request->operation) {
+ case LDB_ADD:
+ msg = request->op.add.message;
+ break;
+ case LDB_MODIFY:
+ msg = request->op.mod.message;
+ break;
+ default:
+ return ldb_next_request(module, request);
+ }
+
+ /* nobody must touch password histories and 'supplementalCredentials' */
+ nte = dsdb_get_single_valued_attr(msg, "unicodePwd",
+ request->operation);
+ lme = dsdb_get_single_valued_attr(msg, "dBCSPwd",
+ request->operation);
+ nthe = dsdb_get_single_valued_attr(msg, "ntPwdHistory",
+ request->operation);
+ lmhe = dsdb_get_single_valued_attr(msg, "lmPwdHistory",
+ request->operation);
+ sce = dsdb_get_single_valued_attr(msg, "supplementalCredentials",
+ request->operation);
+
+#define CHECK_HASH_ELEMENT(e, min, max) do {\
+ if (e && e->num_values) { \
+ unsigned int _count; \
+ if (e->num_values != 1) { \
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, \
+ "num_values != 1"); \
+ } \
+ if ((e->values[0].length % 16) != 0) { \
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, \
+ "length % 16 != 0"); \
+ } \
+ _count = e->values[0].length / 16; \
+ if (_count < min) { \
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, \
+ "count < min"); \
+ } \
+ if (_count > max) { \
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, \
+ "count > max"); \
+ } \
+ } \
+} while (0)
+
+ CHECK_HASH_ELEMENT(nte, 1, 1);
+ CHECK_HASH_ELEMENT(lme, 1, 1);
+ CHECK_HASH_ELEMENT(nthe, 1, INT32_MAX);
+ CHECK_HASH_ELEMENT(lmhe, 1, INT32_MAX);
+
+ if (sce && sce->num_values) {
+ enum ndr_err_code ndr_err;
+ struct supplementalCredentialsBlob *scb;
+ struct supplementalCredentialsPackage *scpp = NULL;
+ struct supplementalCredentialsPackage *scpk = NULL;
+ struct supplementalCredentialsPackage *scpkn = NULL;
+ struct supplementalCredentialsPackage *scpct = NULL;
+ DATA_BLOB scpbp = data_blob_null;
+ DATA_BLOB scpbk = data_blob_null;
+ DATA_BLOB scpbkn = data_blob_null;
+ DATA_BLOB scpbct = data_blob_null;
+ DATA_BLOB blob;
+ uint32_t i;
+
+ if (sce->num_values != 1) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "num_values != 1");
+ }
+
+ scb = talloc_zero(request, struct supplementalCredentialsBlob);
+ if (!scb) {
+ return ldb_module_oom(module);
+ }
+
+ ndr_err = ndr_pull_struct_blob_all(&sce->values[0], scb, scb,
+ (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "ndr_pull_struct_blob_all");
+ }
+
+ if (scb->sub.num_packages < 2) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "num_packages < 2");
+ }
+
+ for (i=0; i < scb->sub.num_packages; i++) {
+ DATA_BLOB subblob;
+
+ subblob = strhex_to_data_blob(scb, scb->sub.packages[i].data);
+ if (subblob.data == NULL) {
+ return ldb_module_oom(module);
+ }
+
+ if (strcmp(scb->sub.packages[i].name, "Packages") == 0) {
+ if (scpp) {
+ return ldb_error(ldb,
+ LDB_ERR_CONSTRAINT_VIOLATION,
+ "Packages twice");
+ }
+ scpp = &scb->sub.packages[i];
+ scpbp = subblob;
+ continue;
+ }
+ if (strcmp(scb->sub.packages[i].name, "Primary:Kerberos") == 0) {
+ if (scpk) {
+ return ldb_error(ldb,
+ LDB_ERR_CONSTRAINT_VIOLATION,
+ "Primary:Kerberos twice");
+ }
+ scpk = &scb->sub.packages[i];
+ scpbk = subblob;
+ continue;
+ }
+ if (strcmp(scb->sub.packages[i].name, "Primary:Kerberos-Newer-Keys") == 0) {
+ if (scpkn) {
+ return ldb_error(ldb,
+ LDB_ERR_CONSTRAINT_VIOLATION,
+ "Primary:Kerberos-Newer-Keys twice");
+ }
+ scpkn = &scb->sub.packages[i];
+ scpbkn = subblob;
+ continue;
+ }
+ if (strcmp(scb->sub.packages[i].name, "Primary:CLEARTEXT") == 0) {
+ if (scpct) {
+ return ldb_error(ldb,
+ LDB_ERR_CONSTRAINT_VIOLATION,
+ "Primary:CLEARTEXT twice");
+ }
+ scpct = &scb->sub.packages[i];
+ scpbct = subblob;
+ continue;
+ }
+
+ data_blob_free(&subblob);
+ }
+
+ if (scpp == NULL) {
+ return ldb_error(ldb,
+ LDB_ERR_CONSTRAINT_VIOLATION,
+ "Primary:Packages missing");
+ }
+
+ if (scpk == NULL) {
+ /*
+ * If Primary:Kerberos is missing w2k8r2 reboots
+ * when a password is changed.
+ */
+ return ldb_error(ldb,
+ LDB_ERR_CONSTRAINT_VIOLATION,
+ "Primary:Kerberos missing");
+ }
+
+ if (scpp) {
+ struct package_PackagesBlob *p;
+ uint32_t n;
+
+ p = talloc_zero(scb, struct package_PackagesBlob);
+ if (p == NULL) {
+ return ldb_module_oom(module);
+ }
+
+ ndr_err = ndr_pull_struct_blob(&scpbp, p, p,
+ (ndr_pull_flags_fn_t)ndr_pull_package_PackagesBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "ndr_pull_struct_blob Packages");
+ }
+
+ if (p->names == NULL) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "Packages names == NULL");
+ }
+
+ for (n = 0; p->names[n]; n++) {
+ /* noop */
+ }
+
+ if (scb->sub.num_packages != (n + 1)) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "Packages num_packages != num_names + 1");
+ }
+
+ talloc_free(p);
+ }
+
+ if (scpk) {
+ struct package_PrimaryKerberosBlob *k;
+
+ k = talloc_zero(scb, struct package_PrimaryKerberosBlob);
+ if (k == NULL) {
+ return ldb_module_oom(module);
+ }
+
+ ndr_err = ndr_pull_struct_blob(&scpbk, k, k,
+ (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "ndr_pull_struct_blob PrimaryKerberos");
+ }
+
+ if (k->version != 3) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "PrimaryKerberos version != 3");
+ }
+
+ if (k->ctr.ctr3.salt.string == NULL) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "PrimaryKerberos salt == NULL");
+ }
+
+ if (strlen(k->ctr.ctr3.salt.string) == 0) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "PrimaryKerberos strlen(salt) == 0");
+ }
+
+ if (k->ctr.ctr3.num_keys != 2) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "PrimaryKerberos num_keys != 2");
+ }
+
+ if (k->ctr.ctr3.num_old_keys > k->ctr.ctr3.num_keys) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "PrimaryKerberos num_old_keys > num_keys");
+ }
+
+ if (k->ctr.ctr3.keys[0].keytype != ENCTYPE_DES_CBC_MD5) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "PrimaryKerberos key[0] != DES_CBC_MD5");
+ }
+ if (k->ctr.ctr3.keys[1].keytype != ENCTYPE_DES_CBC_CRC) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "PrimaryKerberos key[1] != DES_CBC_CRC");
+ }
+
+ if (k->ctr.ctr3.keys[0].value_len != 8) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "PrimaryKerberos key[0] value_len != 8");
+ }
+ if (k->ctr.ctr3.keys[1].value_len != 8) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "PrimaryKerberos key[1] value_len != 8");
+ }
+
+ for (i = 0; i < k->ctr.ctr3.num_old_keys; i++) {
+ if (k->ctr.ctr3.old_keys[i].keytype ==
+ k->ctr.ctr3.keys[i].keytype &&
+ k->ctr.ctr3.old_keys[i].value_len ==
+ k->ctr.ctr3.keys[i].value_len) {
+ continue;
+ }
+
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "PrimaryKerberos old_keys type/value_len doesn't match");
+ }
+
+ talloc_free(k);
+ }
+
+ if (scpkn) {
+ struct package_PrimaryKerberosBlob *k;
+
+ k = talloc_zero(scb, struct package_PrimaryKerberosBlob);
+ if (k == NULL) {
+ return ldb_module_oom(module);
+ }
+
+ ndr_err = ndr_pull_struct_blob(&scpbkn, k, k,
+ (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "ndr_pull_struct_blob PrimaryKerberosNeverKeys");
+ }
+
+ if (k->version != 4) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "KerberosNerverKeys version != 4");
+ }
+
+ if (k->ctr.ctr4.salt.string == NULL) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "KerberosNewerKeys salt == NULL");
+ }
+
+ if (strlen(k->ctr.ctr4.salt.string) == 0) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "KerberosNewerKeys strlen(salt) == 0");
+ }
+
+ if (k->ctr.ctr4.num_keys != 4) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "KerberosNewerKeys num_keys != 2");
+ }
+
+ if (k->ctr.ctr4.num_old_keys > k->ctr.ctr4.num_keys) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "KerberosNewerKeys num_old_keys > num_keys");
+ }
+
+ if (k->ctr.ctr4.num_older_keys > k->ctr.ctr4.num_old_keys) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "KerberosNewerKeys num_older_keys > num_old_keys");
+ }
+
+ if (k->ctr.ctr4.keys[0].keytype != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "KerberosNewerKeys key[0] != AES256");
+ }
+ if (k->ctr.ctr4.keys[1].keytype != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "KerberosNewerKeys key[1] != AES128");
+ }
+ if (k->ctr.ctr4.keys[2].keytype != ENCTYPE_DES_CBC_MD5) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "KerberosNewerKeys key[2] != DES_CBC_MD5");
+ }
+ if (k->ctr.ctr4.keys[3].keytype != ENCTYPE_DES_CBC_CRC) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "KerberosNewerKeys key[3] != DES_CBC_CRC");
+ }
+
+ if (k->ctr.ctr4.keys[0].value_len != 32) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "KerberosNewerKeys key[0] value_len != 32");
+ }
+ if (k->ctr.ctr4.keys[1].value_len != 16) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "KerberosNewerKeys key[1] value_len != 16");
+ }
+ if (k->ctr.ctr4.keys[2].value_len != 8) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "KerberosNewerKeys key[2] value_len != 8");
+ }
+ if (k->ctr.ctr4.keys[3].value_len != 8) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "KerberosNewerKeys key[3] value_len != 8");
+ }
+
+ /*
+ * TODO:
+ * Maybe we can check old and older keys here.
+ * But we need to do some tests, if the old keys
+ * can be taken from the PrimaryKerberos blob
+ * (with only des keys), when the domain was upgraded
+ * from w2k3 to w2k8.
+ */
+
+ talloc_free(k);
+ }
+
+ if (scpct) {
+ struct package_PrimaryCLEARTEXTBlob *ct;
+
+ ct = talloc_zero(scb, struct package_PrimaryCLEARTEXTBlob);
+ if (ct == NULL) {
+ return ldb_module_oom(module);
+ }
+
+ ndr_err = ndr_pull_struct_blob(&scpbct, ct, ct,
+ (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryCLEARTEXTBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "ndr_pull_struct_blob PrimaryCLEARTEXT");
+ }
+
+ if ((ct->cleartext.length % 2) != 0) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "PrimaryCLEARTEXT length % 2 != 0");
+ }
+
+ talloc_free(ct);
+ }
+
+ ndr_err = ndr_push_struct_blob(&blob, scb, scb,
+ (ndr_push_flags_fn_t)ndr_push_supplementalCredentialsBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "ndr_pull_struct_blob_all");
+ }
+
+ if (sce->values[0].length != blob.length) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "supplementalCredentialsBlob length differ");
+ }
+
+ if (memcmp(sce->values[0].data, blob.data, blob.length) != 0) {
+ return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
+ "supplementalCredentialsBlob memcmp differ");
+ }
+
+ talloc_free(scb);
+ }
+
+ ldb_debug(ldb, LDB_DEBUG_TRACE, "password_hash_bypass - validated\n");
+ return ldb_next_request(module, request);
+}
+
/* Get the NT hash, and fill it in as an entry in the password history,
and specify it into io->g.nt_hash */
{
struct ldb_context *ldb;
krb5_error_code krb5_ret;
- Principal *salt_principal;
- krb5_salt salt;
+ krb5_principal salt_principal;
+ krb5_data salt;
krb5_keyblock key;
krb5_data cleartext_data;
ldb = ldb_module_get_ctx(io->ac->module);
- cleartext_data.data = io->n.cleartext_utf8->data;
+ cleartext_data.data = (char *)io->n.cleartext_utf8->data;
cleartext_data.length = io->n.cleartext_utf8->length;
/* Many, many thanks to lukeh@padl.com for this
* algorithm, described in his Nov 10 2004 mail to
- * samba-technical@samba.org */
+ * samba-technical@lists.samba.org */
/*
* Determine a salting principal
return ldb_oom(ldb);
}
- krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
+ krb5_ret = smb_krb5_make_principal(io->smb_krb5_context->krb5_context,
&salt_principal,
io->ac->status->domain_data.realm,
"host", saltbody, NULL);
p[0] = '\0';
}
- krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
+ krb5_ret = smb_krb5_make_principal(io->smb_krb5_context->krb5_context,
&salt_principal,
io->ac->status->domain_data.realm,
user_principal_name, NULL);
} else {
- krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
+ krb5_ret = smb_krb5_make_principal(io->smb_krb5_context->krb5_context,
&salt_principal,
io->ac->status->domain_data.realm,
io->u.sAMAccountName, NULL);
/*
* create salt from salt_principal
*/
- krb5_ret = krb5_get_pw_salt(io->smb_krb5_context->krb5_context,
+ krb5_ret = smb_krb5_get_pw_salt(io->smb_krb5_context->krb5_context,
salt_principal, &salt);
krb5_free_principal(io->smb_krb5_context->krb5_context, salt_principal);
if (krb5_ret) {
}
/* create a talloc copy */
io->g.salt = talloc_strndup(io->ac,
- (char *)salt.saltvalue.data,
- salt.saltvalue.length);
- krb5_free_salt(io->smb_krb5_context->krb5_context, salt);
+ (char *)salt.data,
+ salt.length);
+ kerberos_free_data_contents(io->smb_krb5_context->krb5_context, &salt);
if (!io->g.salt) {
return ldb_oom(ldb);
}
- salt.saltvalue.data = discard_const(io->g.salt);
- salt.saltvalue.length = strlen(io->g.salt);
+ /* now use the talloced copy of the salt */
+ salt.data = discard_const(io->g.salt);
+ salt.length = strlen(io->g.salt);
/*
* create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of
* the salt and the cleartext password
*/
- krb5_ret = krb5_string_to_key_data_salt(io->smb_krb5_context->krb5_context,
- ENCTYPE_AES256_CTS_HMAC_SHA1_96,
- cleartext_data,
- salt,
- &key);
+ krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context,
+ NULL,
+ &salt,
+ &cleartext_data,
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ &key);
if (krb5_ret) {
ldb_asprintf_errstring(ldb,
"setup_kerberos_keys: "
return LDB_ERR_OPERATIONS_ERROR;
}
io->g.aes_256 = data_blob_talloc(io->ac,
- key.keyvalue.data,
- key.keyvalue.length);
+ KRB5_KEY_DATA(&key),
+ KRB5_KEY_LENGTH(&key));
krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
if (!io->g.aes_256.data) {
return ldb_oom(ldb);
* create ENCTYPE_AES128_CTS_HMAC_SHA1_96 key out of
* the salt and the cleartext password
*/
- krb5_ret = krb5_string_to_key_data_salt(io->smb_krb5_context->krb5_context,
- ENCTYPE_AES128_CTS_HMAC_SHA1_96,
- cleartext_data,
- salt,
- &key);
+ krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context,
+ NULL,
+ &salt,
+ &cleartext_data,
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ &key);
if (krb5_ret) {
ldb_asprintf_errstring(ldb,
"setup_kerberos_keys: "
return LDB_ERR_OPERATIONS_ERROR;
}
io->g.aes_128 = data_blob_talloc(io->ac,
- key.keyvalue.data,
- key.keyvalue.length);
+ KRB5_KEY_DATA(&key),
+ KRB5_KEY_LENGTH(&key));
krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
if (!io->g.aes_128.data) {
return ldb_oom(ldb);
* create ENCTYPE_DES_CBC_MD5 key out of
* the salt and the cleartext password
*/
- krb5_ret = krb5_string_to_key_data_salt(io->smb_krb5_context->krb5_context,
- ENCTYPE_DES_CBC_MD5,
- cleartext_data,
- salt,
- &key);
+ krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context,
+ NULL,
+ &salt,
+ &cleartext_data,
+ ENCTYPE_DES_CBC_MD5,
+ &key);
if (krb5_ret) {
ldb_asprintf_errstring(ldb,
"setup_kerberos_keys: "
return LDB_ERR_OPERATIONS_ERROR;
}
io->g.des_md5 = data_blob_talloc(io->ac,
- key.keyvalue.data,
- key.keyvalue.length);
+ KRB5_KEY_DATA(&key),
+ KRB5_KEY_LENGTH(&key));
krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
if (!io->g.des_md5.data) {
return ldb_oom(ldb);
* create ENCTYPE_DES_CBC_CRC key out of
* the salt and the cleartext password
*/
- krb5_ret = krb5_string_to_key_data_salt(io->smb_krb5_context->krb5_context,
- ENCTYPE_DES_CBC_CRC,
- cleartext_data,
- salt,
- &key);
+ krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context,
+ NULL,
+ &salt,
+ &cleartext_data,
+ ENCTYPE_DES_CBC_CRC,
+ &key);
if (krb5_ret) {
ldb_asprintf_errstring(ldb,
"setup_kerberos_keys: "
return LDB_ERR_OPERATIONS_ERROR;
}
io->g.des_crc = data_blob_talloc(io->ac,
- key.keyvalue.data,
- key.keyvalue.length);
+ KRB5_KEY_DATA(&key),
+ KRB5_KEY_LENGTH(&key));
krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
if (!io->g.des_crc.data) {
return ldb_oom(ldb);
}
for (i=0; i < ARRAY_SIZE(wdigest); i++) {
- struct MD5Context md5;
+ MD5_CTX md5;
MD5Init(&md5);
if (wdigest[i].nt4dom) {
MD5Update(&md5, wdigest[i].nt4dom->data, wdigest[i].nt4dom->length);
static int setup_last_set_field(struct setup_password_fields_io *io)
{
+ const struct ldb_message *msg = NULL;
+ struct timeval tv = { .tv_sec = 0 };
+
+ switch (io->ac->req->operation) {
+ case LDB_ADD:
+ msg = io->ac->req->op.add.message;
+ break;
+ case LDB_MODIFY:
+ msg = io->ac->req->op.mod.message;
+ break;
+ default:
+ return LDB_ERR_OPERATIONS_ERROR;
+ break;
+ }
+
+ if (io->ac->pwd_last_set_bypass) {
+ struct ldb_message_element *el;
+
+ if (msg == NULL) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+
+ el = ldb_msg_find_element(msg, "pwdLastSet");
+ if (el == NULL) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+
+ io->g.last_set = samdb_result_nttime(msg, "pwdLastSet", 0);
+ return LDB_SUCCESS;
+ }
+
/* set it as now */
- unix_to_nt_time(&io->g.last_set, time(NULL));
+ GetTimeOfDay(&tv);
+ io->g.last_set = timeval_to_nttime(&tv);
return LDB_SUCCESS;
}
g->cleartext_utf8->data,
g->cleartext_utf8->length,
(void *)&cleartext_utf16_blob->data,
- &cleartext_utf16_blob->length,
- false)) {
- ldb_asprintf_errstring(ldb,
- "setup_password_fields: "
- "failed to generate UTF16 password from cleartext UTF8 password");
- return LDB_ERR_OPERATIONS_ERROR;
+ &cleartext_utf16_blob->length)) {
+ if (g->cleartext_utf8->length != 0) {
+ talloc_free(cleartext_utf16_blob);
+ ldb_asprintf_errstring(ldb,
+ "setup_password_fields: "
+ "failed to generate UTF16 password from cleartext UTF8 one for user '%s'!",
+ io->u.sAMAccountName);
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ } else {
+ /* passwords with length "0" are valid! */
+ cleartext_utf16_blob->data = NULL;
+ cleartext_utf16_blob->length = 0;
+ }
}
g->cleartext_utf16 = cleartext_utf16_blob;
} else if (g->cleartext_utf16) {
- char *cleartext_utf8_str;
struct ldb_val *cleartext_utf8_blob;
- size_t converted_pw_len;
cleartext_utf8_blob = talloc(io->ac, struct ldb_val);
if (!cleartext_utf8_blob) {
CH_UTF16MUNGED, CH_UTF8,
g->cleartext_utf16->data,
g->cleartext_utf16->length,
- (void *)&cleartext_utf8_str,
- &converted_pw_len, false)) {
- /* We must bail out here, the input wasn't even a multiple of 2 bytes */
- talloc_free(cleartext_utf8_blob);
- ldb_asprintf_errstring(ldb,
- "setup_password_fields: "
- "UTF16 password for user %s had odd length (length must be a multiple of 2)", io->u.sAMAccountName);
- return LDB_ERR_OPERATIONS_ERROR;
- } else {
- *cleartext_utf8_blob = data_blob_const(cleartext_utf8_str,
- converted_pw_len);
- g->cleartext_utf8 = cleartext_utf8_blob;
+ (void *)&cleartext_utf8_blob->data,
+ &cleartext_utf8_blob->length)) {
+ if (g->cleartext_utf16->length != 0) {
+ /* We must bail out here, the input wasn't even
+ * a multiple of 2 bytes */
+ talloc_free(cleartext_utf8_blob);
+ ldb_asprintf_errstring(ldb,
+ "setup_password_fields: "
+ "failed to generate UTF8 password from cleartext UTF 16 one for user '%s' - the latter had odd length (length must be a multiple of 2)!",
+ io->u.sAMAccountName);
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ } else {
+ /* passwords with length "0" are valid! */
+ cleartext_utf8_blob->data = NULL;
+ cleartext_utf8_blob->length = 0;
+ }
}
+ g->cleartext_utf8 = cleartext_utf8_blob;
}
if (g->cleartext_utf16) {
return LDB_SUCCESS;
}
+static int make_error_and_update_badPwdCount(struct setup_password_fields_io *io)
+{
+ struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
+ struct ldb_message *mod_msg = NULL;
+ NTSTATUS status;
+ int ret;
+
+ status = dsdb_update_bad_pwd_count(io->ac, ldb,
+ io->ac->search_res->message,
+ io->ac->dom_res->message,
+ &mod_msg);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ if (mod_msg == NULL) {
+ goto done;
+ }
+
+ /*
+ * OK, horrible semantics ahead.
+ *
+ * - We need to abort any existing transaction
+ * - create a transaction arround the badPwdCount update
+ * - re-open the transaction so the upper layer
+ * doesn't know what happened.
+ *
+ * This is needed because returning an error to the upper
+ * layer will cancel the transaction and undo the badPwdCount
+ * update.
+ */
+
+ /*
+ * Checking errors here is a bit pointless.
+ * What can we do if we can't end the transaction?
+ */
+ ret = ldb_next_del_trans(io->ac->module);
+ if (ret != LDB_SUCCESS) {
+ ldb_debug(ldb, LDB_DEBUG_FATAL,
+ "Failed to abort transaction prior to update of badPwdCount of %s: %s",
+ ldb_dn_get_linearized(io->ac->search_res->message->dn),
+ ldb_errstring(ldb));
+ /*
+ * just return the original error
+ */
+ goto done;
+ }
+
+ /* Likewise, what should we do if we can't open a new transaction? */
+ ret = ldb_next_start_trans(io->ac->module);
+ if (ret != LDB_SUCCESS) {
+ ldb_debug(ldb, LDB_DEBUG_ERROR,
+ "Failed to open transaction to update badPwdCount of %s: %s",
+ ldb_dn_get_linearized(io->ac->search_res->message->dn),
+ ldb_errstring(ldb));
+ /*
+ * just return the original error
+ */
+ goto done;
+ }
+
+ ret = dsdb_module_modify(io->ac->module, mod_msg,
+ DSDB_FLAG_NEXT_MODULE,
+ io->ac->req);
+ if (ret != LDB_SUCCESS) {
+ ldb_debug(ldb, LDB_DEBUG_ERROR,
+ "Failed to update badPwdCount of %s: %s",
+ ldb_dn_get_linearized(io->ac->search_res->message->dn),
+ ldb_errstring(ldb));
+ /*
+ * We can only ignore this...
+ */
+ }
+
+ ret = ldb_next_end_trans(io->ac->module);
+ if (ret != LDB_SUCCESS) {
+ ldb_debug(ldb, LDB_DEBUG_ERROR,
+ "Failed to close transaction to update badPwdCount of %s: %s",
+ ldb_dn_get_linearized(io->ac->search_res->message->dn),
+ ldb_errstring(ldb));
+ /*
+ * We can only ignore this...
+ */
+ }
+
+ ret = ldb_next_start_trans(io->ac->module);
+ if (ret != LDB_SUCCESS) {
+ ldb_debug(ldb, LDB_DEBUG_ERROR,
+ "Failed to open transaction after update of badPwdCount of %s: %s",
+ ldb_dn_get_linearized(io->ac->search_res->message->dn),
+ ldb_errstring(ldb));
+ /*
+ * We can only ignore this...
+ */
+ }
+
+done:
+ ret = LDB_ERR_CONSTRAINT_VIOLATION;
+ ldb_asprintf_errstring(ldb,
+ "%08X: %s - check_password_restrictions: "
+ "The old password specified doesn't match!",
+ W_ERROR_V(WERR_INVALID_PASSWORD),
+ ldb_strerror(ret));
+ return ret;
+}
+
static int check_password_restrictions(struct setup_password_fields_io *io)
{
struct ldb_context *ldb;
int ret;
- enum samr_ValidationStatus stat;
ldb = ldb_module_get_ctx(io->ac->module);
/* The password modify through the NT hash is encouraged and
has no problems at all */
if (io->og.nt_hash) {
- if (!io->o.nt_hash) {
- ret = LDB_ERR_CONSTRAINT_VIOLATION;
- ldb_asprintf_errstring(ldb,
- "%08X: %s - check_password_restrictions: "
- "There's no old nt_hash, which is needed "
- "in order to change your password!",
- W_ERROR_V(WERR_INVALID_PASSWORD),
- ldb_strerror(ret));
- return ret;
- }
-
- if (memcmp(io->og.nt_hash->hash, io->o.nt_hash->hash, 16) != 0) {
- ret = LDB_ERR_CONSTRAINT_VIOLATION;
- ldb_asprintf_errstring(ldb,
- "%08X: %s - check_password_restrictions: "
- "The old password specified doesn't match!",
- W_ERROR_V(WERR_INVALID_PASSWORD),
- ldb_strerror(ret));
- return ret;
+ if (!io->o.nt_hash || memcmp(io->og.nt_hash->hash, io->o.nt_hash->hash, 16) != 0) {
+ return make_error_and_update_badPwdCount(io);
}
nt_hash_checked = true;
* the NT hash was already checked - otherwise it's mandatory.
* (as the SAMR operations request it). */
if (io->og.lm_hash) {
- if (!io->o.lm_hash && !nt_hash_checked) {
- ret = LDB_ERR_CONSTRAINT_VIOLATION;
- ldb_asprintf_errstring(ldb,
- "%08X: %s - check_password_restrictions: "
- "There's no old lm_hash, which is needed "
- "in order to change your password!",
- W_ERROR_V(WERR_INVALID_PASSWORD),
- ldb_strerror(ret));
- return ret;
- }
-
- if (io->o.lm_hash &&
- memcmp(io->og.lm_hash->hash, io->o.lm_hash->hash, 16) != 0) {
- ret = LDB_ERR_CONSTRAINT_VIOLATION;
- ldb_asprintf_errstring(ldb,
- "%08X: %s - check_password_restrictions: "
- "The old password specified doesn't match!",
- W_ERROR_V(WERR_INVALID_PASSWORD),
- ldb_strerror(ret));
- return ret;
+ if ((!io->o.lm_hash && !nt_hash_checked)
+ || (io->o.lm_hash && memcmp(io->og.lm_hash->hash, io->o.lm_hash->hash, 16) != 0)) {
+ return make_error_and_update_badPwdCount(io);
}
}
}
return LDB_SUCCESS;
}
+ /* Password minimum age: yes, this is a minus. The ages are in negative 100nsec units! */
+ if ((io->u.pwdLastSet - io->ac->status->domain_data.minPwdAge > io->g.last_set) &&
+ !io->ac->pwd_reset)
+ {
+ ret = LDB_ERR_CONSTRAINT_VIOLATION;
+ ldb_asprintf_errstring(ldb,
+ "%08X: %s - check_password_restrictions: "
+ "password is too young to change!",
+ W_ERROR_V(WERR_PASSWORD_RESTRICTION),
+ ldb_strerror(ret));
+ return ret;
+ }
+
/*
* Fundamental password checks done by the call
* "samdb_check_password".
* It is also in use by "dcesrv_samr_ValidatePassword".
*/
if (io->n.cleartext_utf8 != NULL) {
- stat = samdb_check_password(io->n.cleartext_utf8,
- io->ac->status->domain_data.pwdProperties,
- io->ac->status->domain_data.minPwdLength);
- switch (stat) {
+ enum samr_ValidationStatus vstat;
+ vstat = samdb_check_password(io->n.cleartext_utf8,
+ io->ac->status->domain_data.pwdProperties,
+ io->ac->status->domain_data.minPwdLength);
+ switch (vstat) {
case SAMR_VALIDATION_STATUS_SUCCESS:
/* perfect -> proceed! */
break;
ret = LDB_ERR_CONSTRAINT_VIOLATION;
ldb_asprintf_errstring(ldb,
"%08X: %s - check_password_restrictions: "
- "the password does not meet the complexity criterias!",
+ "the password does not meet the complexity criteria!",
W_ERROR_V(WERR_PASSWORD_RESTRICTION),
ldb_strerror(ret));
io->ac->status->reject_reason = SAM_PWD_CHANGE_NOT_COMPLEX;
/* checks the LM hash password history */
for (i = 0; i < io->o.lm_history_len; i++) {
- ret = memcmp(io->n.nt_hash, io->o.lm_history[i].hash, 16);
+ ret = memcmp(io->n.lm_hash, io->o.lm_history[i].hash, 16);
if (ret == 0) {
ret = LDB_ERR_CONSTRAINT_VIOLATION;
ldb_asprintf_errstring(ldb,
return ret;
}
- /* Password minimum age: yes, this is a minus. The ages are in negative 100nsec units! */
- if (io->u.pwdLastSet - io->ac->status->domain_data.minPwdAge > io->g.last_set) {
- ret = LDB_ERR_CONSTRAINT_VIOLATION;
- ldb_asprintf_errstring(ldb,
- "%08X: %s - check_password_restrictions: "
- "password is too young to change!",
- W_ERROR_V(WERR_PASSWORD_RESTRICTION),
- ldb_strerror(ret));
- return ret;
- }
-
return LDB_SUCCESS;
}
{
const struct ldb_val *quoted_utf16, *old_quoted_utf16, *lm_hash, *old_lm_hash;
struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
- struct loadparm_context *lp_ctx =
- lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
- struct loadparm_context);
+ struct loadparm_context *lp_ctx = talloc_get_type(
+ ldb_get_opaque(ldb, "loadparm"), struct loadparm_context);
int ret;
ZERO_STRUCTP(io);
/* Some operations below require kerberos contexts */
if (smb_krb5_init_context(ac,
- ldb_get_event_context(ldb),
(struct loadparm_context *)ldb_get_opaque(ldb, "loadparm"),
&io->smb_krb5_context) != 0) {
return ldb_operr(ldb);
return LDB_ERR_CONSTRAINT_VIOLATION;
}
+ if (io->u.userAccountControl & UF_INTERDOMAIN_TRUST_ACCOUNT) {
+ struct ldb_control *permit_trust = ldb_request_get_control(ac->req,
+ DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID);
+
+ if (permit_trust == NULL) {
+ ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ ldb_asprintf_errstring(ldb,
+ "%08X: %s - setup_io: changing the interdomain trust password "
+ "on %s not allowed via LDAP. Use LSA or NETLOGON",
+ W_ERROR_V(WERR_ACCESS_DENIED),
+ ldb_strerror(ret),
+ ldb_dn_get_linearized(searched_msg->dn));
+ return ret;
+ }
+ }
+
/* Only non-trust accounts have restrictions (possibly this test is the
* wrong way around, but we like to be restrictive if possible */
io->u.restrictions = !(io->u.userAccountControl
& (UF_INTERDOMAIN_TRUST_ACCOUNT | UF_WORKSTATION_TRUST_ACCOUNT
| UF_SERVER_TRUST_ACCOUNT));
- if ((io->u.userAccountControl & UF_PASSWD_NOTREQD) != 0) {
- /* see [MS-ADTS] 2.2.15 */
- io->u.restrictions = 0;
- }
-
if (ac->userPassword) {
ret = msg_find_old_and_new_pwd_val(orig_msg, "userPassword",
ac->req->operation,
}
}
+ if (io->n.cleartext_utf8 != NULL) {
+ struct ldb_val *cleartext_utf8_blob;
+ char *p;
+
+ cleartext_utf8_blob = talloc(io->ac, struct ldb_val);
+ if (!cleartext_utf8_blob) {
+ return ldb_oom(ldb);
+ }
+
+ *cleartext_utf8_blob = *io->n.cleartext_utf8;
+
+ /* make sure we have a null terminated string */
+ p = talloc_strndup(cleartext_utf8_blob,
+ (const char *)io->n.cleartext_utf8->data,
+ io->n.cleartext_utf8->length);
+ if ((p == NULL) && (io->n.cleartext_utf8->length > 0)) {
+ return ldb_oom(ldb);
+ }
+ cleartext_utf8_blob->data = (uint8_t *)p;
+
+ io->n.cleartext_utf8 = cleartext_utf8_blob;
+ }
+
ret = msg_find_old_and_new_pwd_val(orig_msg, "clearTextPassword",
ac->req->operation,
&io->n.cleartext_utf16,
}
/* Checks and converts the actual "unicodePwd" attribute */
- if (quoted_utf16 &&
+ if (!ac->hash_values &&
+ quoted_utf16 &&
quoted_utf16->length >= 4 &&
quoted_utf16->data[0] == '"' &&
quoted_utf16->data[1] == 0 &&
}
/* Checks and converts the previous "unicodePwd" attribute */
- if (old_quoted_utf16 &&
+ if (!ac->hash_values &&
+ old_quoted_utf16 &&
old_quoted_utf16->length >= 4 &&
old_quoted_utf16->data[0] == '"' &&
old_quoted_utf16->data[1] == 0 &&
/* Mark the "change" control as uncritical (done) */
ctrl->critical = false;
}
+
+ ac->pwd_last_set_bypass = false;
+ ctrl = ldb_request_get_control(ac->req,
+ DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID);
+ if (ctrl != NULL) {
+ ac->pwd_last_set_bypass = true;
+
+ /* Mark the "bypass pwdLastSet" control as uncritical (done) */
+ ctrl->critical = false;
+ }
}
static int ph_op_callback(struct ldb_request *req, struct ldb_reply *ares)
struct ldb_context *ldb;
struct ph_context *ac;
struct loadparm_context *lp_ctx;
- int ret;
+ int ret = LDB_SUCCESS;
ac = talloc_get_type(req->context, struct ph_context);
ldb = ldb_module_get_ctx(ac->module);
ac->status->domain_data.store_cleartext =
ac->status->domain_data.pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT;
- talloc_free(ares);
-
/* For a domain DN, this puts things in dotted notation */
/* For builtin domains, this will give details for the host,
* but that doesn't really matter, as it's just used for salt
ac->status->reject_reason = SAM_PWD_CHANGE_NO_ERROR;
+ if (ac->dom_res != NULL) {
+ talloc_free(ares);
+
+ ldb_set_errstring(ldb, "Too many results");
+ ret = LDB_ERR_OPERATIONS_ERROR;
+ goto done;
+ }
+
+ ac->dom_res = talloc_steal(ac, ares);
ret = LDB_SUCCESS;
break;
"maxPwdAge",
"minPwdAge",
"minPwdLength",
+ "lockoutThreshold",
+ "lockOutObservationWindow",
NULL };
int ret;
return ret;
}
-static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
+static int password_hash_needed(struct ldb_module *module,
+ struct ldb_request *req,
+ struct ph_context **_ac)
{
- struct ldb_context *ldb;
- struct ph_context *ac;
- struct ldb_message_element *userPasswordAttr, *clearTextPasswordAttr,
- *ntAttr, *lmAttr;
- int ret;
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ const char *operation = NULL;
+ const struct ldb_message *msg = NULL;
+ struct ph_context *ac = NULL;
+ const char *passwordAttrs[] = {
+ "userPassword",
+ "clearTextPassword",
+ "unicodePwd",
+ "dBCSPwd",
+ NULL
+ };
+ const char **a = NULL;
+ unsigned int attr_cnt = 0;
struct ldb_control *bypass = NULL;
- bool userPassword = dsdb_user_password_support(module, req);
+ bool userPassword = dsdb_user_password_support(module, req, req);
- ldb = ldb_module_get_ctx(module);
+ *_ac = NULL;
- ldb_debug(ldb, LDB_DEBUG_TRACE, "password_hash_add\n");
+ ldb_debug(ldb, LDB_DEBUG_TRACE, "password_hash_needed\n");
- if (ldb_dn_is_special(req->op.add.message->dn)) { /* do not manipulate our control entries */
+ switch (req->operation) {
+ case LDB_ADD:
+ operation = "add";
+ msg = req->op.add.message;
+ break;
+ case LDB_MODIFY:
+ operation = "modify";
+ msg = req->op.mod.message;
+ break;
+ default:
return ldb_next_request(module, req);
}
- /* If the caller is manipulating the local passwords directly, let them pass */
- if (ldb_dn_compare_base(ldb_dn_new(req, ldb, LOCAL_BASE),
- req->op.add.message->dn) == 0) {
+ if (ldb_dn_is_special(msg->dn)) { /* do not manipulate our control entries */
return ldb_next_request(module, req);
}
if (bypass != NULL) {
/* Mark the "bypass" control as uncritical (done) */
bypass->critical = false;
- ldb_debug(ldb, LDB_DEBUG_TRACE, "password_hash_add (bypassing)\n");
- return ldb_next_request(module, req);
+ ldb_debug(ldb, LDB_DEBUG_TRACE,
+ "password_hash_needed(%s) (bypassing)\n",
+ operation);
+ return password_hash_bypass(module, req);
}
/* nobody must touch password histories and 'supplementalCredentials' */
- if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory")) {
+ if (ldb_msg_find_element(msg, "ntPwdHistory")) {
return LDB_ERR_UNWILLING_TO_PERFORM;
}
- if (ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) {
+ if (ldb_msg_find_element(msg, "lmPwdHistory")) {
return LDB_ERR_UNWILLING_TO_PERFORM;
}
- if (ldb_msg_find_element(req->op.add.message, "supplementalCredentials")) {
+ if (ldb_msg_find_element(msg, "supplementalCredentials")) {
return LDB_ERR_UNWILLING_TO_PERFORM;
}
- /* If no part of this touches the 'userPassword' OR 'clearTextPassword'
- * OR 'unicodePwd' OR 'dBCSPwd' we don't need to make any changes. */
+ /*
+ * If no part of this touches the 'userPassword' OR 'clearTextPassword'
+ * OR 'unicodePwd' OR 'dBCSPwd' we don't need to make any changes.
+ * For password changes/set there should be a 'delete' or a 'modify'
+ * on these attributes.
+ */
+ for (a = passwordAttrs; *a != NULL; a++) {
+ if ((!userPassword) && (ldb_attr_cmp(*a, "userPassword") == 0)) {
+ continue;
+ }
- userPasswordAttr = NULL;
- if (userPassword) {
- userPasswordAttr = ldb_msg_find_element(req->op.add.message,
- "userPassword");
- /* MS-ADTS 3.1.1.3.1.5.2 */
- if ((userPasswordAttr != NULL) &&
- (dsdb_functional_level(ldb) < DS_DOMAIN_FUNCTION_2003)) {
- return LDB_ERR_CONSTRAINT_VIOLATION;
+ if (ldb_msg_find_element(msg, *a) != NULL) {
+ /* MS-ADTS 3.1.1.3.1.5.2 */
+ if ((ldb_attr_cmp(*a, "userPassword") == 0) &&
+ (dsdb_functional_level(ldb) < DS_DOMAIN_FUNCTION_2003)) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+
+ ++attr_cnt;
}
}
- clearTextPasswordAttr = ldb_msg_find_element(req->op.add.message, "clearTextPassword");
- ntAttr = ldb_msg_find_element(req->op.add.message, "unicodePwd");
- lmAttr = ldb_msg_find_element(req->op.add.message, "dBCSPwd");
- if ((!userPasswordAttr) && (!clearTextPasswordAttr) && (!ntAttr) && (!lmAttr)) {
+ if (attr_cnt == 0) {
return ldb_next_request(module, req);
}
+ ac = ph_init_context(module, req, userPassword);
+ if (!ac) {
+ DEBUG(0,(__location__ ": %s\n", ldb_errstring(ldb)));
+ return ldb_operr(ldb);
+ }
+ ph_apply_controls(ac);
+
+ *_ac = ac;
+ return LDB_SUCCESS;
+}
+
+static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
+{
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ struct ph_context *ac = NULL;
+ int ret;
+
+ ldb_debug(ldb, LDB_DEBUG_TRACE, "password_hash_add\n");
+
+ ret = password_hash_needed(module, req, &ac);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ if (ac == NULL) {
+ return ret;
+ }
+
/* Make sure we are performing the password set action on a (for us)
* valid object. Those are instances of either "user" and/or
* "inetOrgPerson". Otherwise continue with the submodules. */
if ((!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "user"))
&& (!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "inetOrgPerson"))) {
+ TALLOC_FREE(ac);
+
if (ldb_msg_find_element(req->op.add.message, "clearTextPassword") != NULL) {
ldb_set_errstring(ldb,
"'clearTextPassword' is only allowed on objects of class 'user' and/or 'inetOrgPerson'!");
return ldb_next_request(module, req);
}
- ac = ph_init_context(module, req, userPassword);
- if (ac == NULL) {
- DEBUG(0,(__location__ ": %s\n", ldb_errstring(ldb)));
- return ldb_operr(ldb);
- }
- ph_apply_controls(ac);
-
/* get user domain data */
ret = build_domain_data_request(ac);
if (ret != LDB_SUCCESS) {
static int password_hash_modify(struct ldb_module *module, struct ldb_request *req)
{
- struct ldb_context *ldb;
- struct ph_context *ac;
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ struct ph_context *ac = NULL;
const char *passwordAttrs[] = { "userPassword", "clearTextPassword",
"unicodePwd", "dBCSPwd", NULL }, **l;
- unsigned int attr_cnt, del_attr_cnt, add_attr_cnt, rep_attr_cnt;
+ unsigned int del_attr_cnt, add_attr_cnt, rep_attr_cnt;
struct ldb_message_element *passwordAttr;
struct ldb_message *msg;
struct ldb_request *down_req;
int ret;
- struct ldb_control *bypass = NULL;
- bool userPassword = dsdb_user_password_support(module, req);
-
- ldb = ldb_module_get_ctx(module);
ldb_debug(ldb, LDB_DEBUG_TRACE, "password_hash_modify\n");
- if (ldb_dn_is_special(req->op.mod.message->dn)) { /* do not manipulate our control entries */
- return ldb_next_request(module, req);
- }
-
- /* If the caller is manipulating the local passwords directly, let them pass */
- if (ldb_dn_compare_base(ldb_dn_new(req, ldb, LOCAL_BASE),
- req->op.mod.message->dn) == 0) {
- return ldb_next_request(module, req);
- }
-
- bypass = ldb_request_get_control(req,
- DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID);
- if (bypass != NULL) {
- /* Mark the "bypass" control as uncritical (done) */
- bypass->critical = false;
- ldb_debug(ldb, LDB_DEBUG_TRACE, "password_hash_modify (bypassing)\n");
- return ldb_next_request(module, req);
- }
-
- /* nobody must touch password histories and 'supplementalCredentials' */
- if (ldb_msg_find_element(req->op.mod.message, "ntPwdHistory")) {
- return LDB_ERR_UNWILLING_TO_PERFORM;
- }
- if (ldb_msg_find_element(req->op.mod.message, "lmPwdHistory")) {
- return LDB_ERR_UNWILLING_TO_PERFORM;
- }
- if (ldb_msg_find_element(req->op.mod.message, "supplementalCredentials")) {
- return LDB_ERR_UNWILLING_TO_PERFORM;
- }
-
- /* If no part of this touches the 'userPassword' OR 'clearTextPassword'
- * OR 'unicodePwd' OR 'dBCSPwd' we don't need to make any changes.
- * For password changes/set there should be a 'delete' or a 'modify'
- * on these attributes. */
- attr_cnt = 0;
- for (l = passwordAttrs; *l != NULL; l++) {
- if ((!userPassword) && (ldb_attr_cmp(*l, "userPassword") == 0)) {
- continue;
- }
-
- if (ldb_msg_find_element(req->op.mod.message, *l) != NULL) {
- /* MS-ADTS 3.1.1.3.1.5.2 */
- if ((ldb_attr_cmp(*l, "userPassword") == 0) &&
- (dsdb_functional_level(ldb) < DS_DOMAIN_FUNCTION_2003)) {
- return LDB_ERR_CONSTRAINT_VIOLATION;
- }
-
- ++attr_cnt;
- }
- }
- if (attr_cnt == 0) {
- return ldb_next_request(module, req);
+ ret = password_hash_needed(module, req, &ac);
+ if (ret != LDB_SUCCESS) {
+ return ret;
}
-
- ac = ph_init_context(module, req, userPassword);
- if (!ac) {
- DEBUG(0,(__location__ ": %s\n", ldb_errstring(ldb)));
- return ldb_operr(ldb);
+ if (ac == NULL) {
+ return ret;
}
- ph_apply_controls(ac);
/* use a new message structure so that we can modify it */
msg = ldb_msg_copy_shallow(ac, req->op.mod.message);
{
struct ldb_context *ldb;
struct ph_context *ac;
- int ret;
+ int ret = LDB_SUCCESS;
ac = talloc_get_type(req->context, struct ph_context);
ldb = ldb_module_get_ctx(ac->module);
struct ldb_context *ldb;
static const char * const attrs[] = { "objectClass",
"userAccountControl",
+ "msDS-User-Account-Control-Computed",
"pwdLastSet",
"sAMAccountName",
"objectSid",
"ntPwdHistory",
"dBCSPwd",
"unicodePwd",
+ "badPasswordTime",
+ "badPwdCount",
+ "lockoutTime",
NULL };
struct ldb_request *search_req;
int ret;
return ret;
}
- /* Get the old password from the database */
- status = samdb_result_passwords(io.ac,
- lp_ctx,
- discard_const_p(struct ldb_message, searched_msg),
- &io.o.lm_hash, &io.o.nt_hash);
+ if (io.ac->pwd_reset) {
+ /* Get the old password from the database */
+ status = samdb_result_passwords_no_lockout(io.ac,
+ lp_ctx,
+ discard_const_p(struct ldb_message, searched_msg),
+ &io.o.lm_hash,
+ &io.o.nt_hash);
+ } else {
+ /* Get the old password from the database */
+ status = samdb_result_passwords(io.ac,
+ lp_ctx,
+ discard_const_p(struct ldb_message, searched_msg),
+ &io.o.lm_hash, &io.o.nt_hash);
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
+ ldb_asprintf_errstring(ldb,
+ "%08X: check_password: "
+ "Password change not permitted, account locked out!",
+ W_ERROR_V(WERR_ACCOUNT_LOCKED_OUT));
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+
if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * This only happens if the database has gone weird,
+ * not if we are just missing the passwords
+ */
return ldb_operr(ldb);
}
git.samba.org / metze / samba / wip.git / blobdiff