s4:auth: Accept previous gMSA password for NTLM authentication five minutes after a password change

gMSA password changes are usually triggered when the DC needs to fetch
the account’s keys and notices they are out of date.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest/knownfail.d/gmsa

@@ -1,6 +1,5 @@
 ^samba\.tests\.krb5\.gmsa_tests\.samba\.tests\.krb5\.gmsa_tests\.GmsaTests\.test_gmsa_cannot_be_locked_out_with_gensec_ntlmssp\(ad_dc:local\)$
 ^samba\.tests\.krb5\.gmsa_tests\.samba\.tests\.krb5\.gmsa_tests\.GmsaTests\.test_gmsa_cannot_be_locked_out_with_ldap_authentication\(ad_dc:local\)$
-^samba\.tests\.krb5\.gmsa_tests\.samba\.tests\.krb5\.gmsa_tests\.GmsaTests\.test_gmsa_cannot_perform_gensec_ntlmssp_logon_with_previous_password_five_minutes_apart\(ad_dc:local\)$
 # The unencrypted simple bind fails because the ad_dc environment sets ‘ldap
 # server require strong auth = yes’.
 ^samba\.tests\.krb5\.gmsa_tests\.samba\.tests\.krb5\.gmsa_tests\.GmsaTests\.test_retrieving_password_after_unencrypted_simple_bind\(ad_dc:local\)$

source4/auth/ntlm/auth_sam.c

@@ -28,12 +28,14 @@
 #include "../libcli/auth/ntlm_check.h"
 #include "auth/ntlm/auth_proto.h"
 #include "auth/auth_sam.h"
+#include "dsdb/gmsa/util.h"
 #include "dsdb/samdb/samdb.h"
 #include "dsdb/samdb/ldb_modules/util.h"
 #include "dsdb/common/util.h"
 #include "param/param.h"
 #include "librpc/gen_ndr/ndr_irpc_c.h"
 #include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "lib/crypto/gkdi.h"
 #include "lib/messaging/irpc.h"
 #include "libcli/auth/libcli_auth.h"
 #include "libds/common/roles.h"
@@ -471,6 +473,7 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
 		int allowed_period_mins;
 		NTTIME allowed_period;
 		bool ok;
+		bool is_gmsa;
 
 		/* Reset these variables back to starting as empty */
 		aes_256_key = NULL;
@@ -639,11 +642,26 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
 		 * before the user can lock and unlock their other screens
 		 * (resetting their cached password).
 		 *
-		 * See http://support.microsoft.com/kb/906305
-		 * OldPasswordAllowedPeriod ("old password allowed period")
-		 * is specified in minutes. The default is 60.
 		 */
-		allowed_period_mins = lpcfg_old_password_allowed_period(auth_context->lp_ctx);
+
+		/* Is the account a Group Managed Service Account? */
+		is_gmsa = dsdb_account_is_gmsa(sam_ctx, msg);
+		if (is_gmsa) {
+			/*
+			 * For Group Managed Service Accounts, the previous
+			 * password is allowed for five minutes after a password
+			 * change.
+			 */
+			allowed_period_mins = gkdi_max_clock_skew_mins;
+		} else {
+			/*
+			 * See http://support.microsoft.com/kb/906305
+			 * OldPasswordAllowedPeriod ("old password allowed
+			 * period") is specified in minutes. The default is 60.
+			 */
+			allowed_period_mins = lpcfg_old_password_allowed_period(
+				auth_context->lp_ctx);
+		}
 		/*
 		 * NTTIME uses 100ns units
 		 */