samba-tool user: When possible, obtain AES256 key and salt
We will make use of these in the next commit to check that the supplemental packages are up-to-date with the current password. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
parent
f33aa94c9e
commit
aa9136ab74
@ -17,6 +17,7 @@
|
|||||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
#
|
#
|
||||||
|
|
||||||
|
import builtins
|
||||||
import samba.getopt as options
|
import samba.getopt as options
|
||||||
import ldb
|
import ldb
|
||||||
import pwd
|
import pwd
|
||||||
@ -1287,6 +1288,29 @@ class GetPasswordCommand(Command):
|
|||||||
return binascii.a2b_hex(p.data)
|
return binascii.a2b_hex(p.data)
|
||||||
return None
|
return None
|
||||||
|
|
||||||
|
def get_kerberos_ctr():
|
||||||
|
primary_krb5 = get_package("Primary:Kerberos-Newer-Keys")
|
||||||
|
if primary_krb5 is None:
|
||||||
|
primary_krb5 = get_package("Primary:Kerberos")
|
||||||
|
if primary_krb5 is None:
|
||||||
|
return (0, None)
|
||||||
|
krb5_blob = ndr_unpack(drsblobs.package_PrimaryKerberosBlob,
|
||||||
|
primary_krb5)
|
||||||
|
return (krb5_blob.version, krb5_blob.ctr)
|
||||||
|
|
||||||
|
aes256_key = None
|
||||||
|
kerberos_salt = None
|
||||||
|
|
||||||
|
(krb5_v, krb5_ctr) = get_kerberos_ctr()
|
||||||
|
if krb5_v in [3, 4]:
|
||||||
|
kerberos_salt = krb5_ctr.salt.string
|
||||||
|
|
||||||
|
if krb5_ctr.keys:
|
||||||
|
def is_aes256(k):
|
||||||
|
return k.keytype == 18
|
||||||
|
aes256_key = next(builtins.filter(is_aes256, krb5_ctr.keys),
|
||||||
|
None)
|
||||||
|
|
||||||
if decrypt:
|
if decrypt:
|
||||||
#
|
#
|
||||||
# Samba adds 'Primary:SambaGPG' at the end.
|
# Samba adds 'Primary:SambaGPG' at the end.
|
||||||
@ -1499,16 +1523,6 @@ class GetPasswordCommand(Command):
|
|||||||
# first matching scheme
|
# first matching scheme
|
||||||
return (None, scheme_match)
|
return (None, scheme_match)
|
||||||
|
|
||||||
def get_kerberos_ctr():
|
|
||||||
primary_krb5 = get_package("Primary:Kerberos-Newer-Keys")
|
|
||||||
if primary_krb5 is None:
|
|
||||||
primary_krb5 = get_package("Primary:Kerberos")
|
|
||||||
if primary_krb5 is None:
|
|
||||||
return (0, None)
|
|
||||||
krb5_blob = ndr_unpack(drsblobs.package_PrimaryKerberosBlob,
|
|
||||||
primary_krb5)
|
|
||||||
return (krb5_blob.version, krb5_blob.ctr)
|
|
||||||
|
|
||||||
# Extract the rounds value from the options of a virtualCrypt attribute
|
# Extract the rounds value from the options of a virtualCrypt attribute
|
||||||
# i.e. options = "rounds=20;other=ignored;" will return 20
|
# i.e. options = "rounds=20;other=ignored;" will return 20
|
||||||
# if the rounds option is not found or the value is not a number, 0 is returned
|
# if the rounds option is not found or the value is not a number, 0 is returned
|
||||||
@ -1583,10 +1597,9 @@ class GetPasswordCommand(Command):
|
|||||||
if v is None:
|
if v is None:
|
||||||
continue
|
continue
|
||||||
elif a == "virtualKerberosSalt":
|
elif a == "virtualKerberosSalt":
|
||||||
(krb5_v, krb5_ctr) = get_kerberos_ctr()
|
v = kerberos_salt
|
||||||
if krb5_v not in [3, 4]:
|
if v is None:
|
||||||
continue
|
continue
|
||||||
v = krb5_ctr.salt.string
|
|
||||||
elif a.startswith("virtualWDigest"):
|
elif a.startswith("virtualWDigest"):
|
||||||
primary_wdigest = get_package("Primary:WDigest")
|
primary_wdigest = get_package("Primary:WDigest")
|
||||||
if primary_wdigest is None:
|
if primary_wdigest is None:
|
||||||
|
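Review bot: In the hunk at 1288 the Kerberos package is now unpacked on every call, where the old code reached `get_kerberos_ctr()` only inside the `virtualKerberosSalt` branch, so an `ndr_unpack` error on a malformed `Primary:Kerberos` or `Primary:Kerberos-Newer-Keys` blob would presumably now abort requests for unrelated attributes too; it is worth confirming that this is intended, or catching the error and leaving `kerberos_salt` and `aes256_key` as `None`. The key lookup can drop the nested `is_aes256` and the `builtins` import from the first hunk (presumably needed because `filter` is shadowed in this scope) by writing `aes256_key = next((k for k in krb5_ctr.keys if k.keytype == 18), None)`, and the bare `18` deserves a comment such as `# 18 = Kerberos enctype aes256-cts-hmac-sha1-96`. Since `aes256_key` now holds long-term key material on every invocation rather than only when requested, a short comment stating that it must never reach log or error output would help the next maintainer. The enclosing method of `GetPasswordCommand` starts and ends outside the visible hunks.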