mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

samba-tool user: When possible, obtain AES256 key and salt

We will make use of these in the next commit to check that the
supplemental packages are up-to-date with the current password.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton 2022-05-09 14:50:15 +12:00 committed by Andrew Bartlett
parent f33aa94c9e
commit aa9136ab74


@ -17,6 +17,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
# #
import builtins
import samba.getopt as options import samba.getopt as options
import ldb import ldb
import pwd import pwd
@ -1287,6 +1288,29 @@ class GetPasswordCommand(Command):
return binascii.a2b_hex(p.data) return binascii.a2b_hex(p.data)
return None return None
def get_kerberos_ctr():
primary_krb5 = get_package("Primary:Kerberos-Newer-Keys")
if primary_krb5 is None:
primary_krb5 = get_package("Primary:Kerberos")
if primary_krb5 is None:
return (0, None)
krb5_blob = ndr_unpack(drsblobs.package_PrimaryKerberosBlob,
primary_krb5)
return (krb5_blob.version, krb5_blob.ctr)
aes256_key = None
kerberos_salt = None
(krb5_v, krb5_ctr) = get_kerberos_ctr()
if krb5_v in [3, 4]:
kerberos_salt = krb5_ctr.salt.string
if krb5_ctr.keys:
def is_aes256(k):
return k.keytype == 18
aes256_key = next(builtins.filter(is_aes256, krb5_ctr.keys),
None)
if decrypt: if decrypt:
# #
# Samba adds 'Primary:SambaGPG' at the end. # Samba adds 'Primary:SambaGPG' at the end.
@ -1499,16 +1523,6 @@ class GetPasswordCommand(Command):
# first matching scheme # first matching scheme
return (None, scheme_match) return (None, scheme_match)
def get_kerberos_ctr():
primary_krb5 = get_package("Primary:Kerberos-Newer-Keys")
if primary_krb5 is None:
primary_krb5 = get_package("Primary:Kerberos")
if primary_krb5 is None:
return (0, None)
krb5_blob = ndr_unpack(drsblobs.package_PrimaryKerberosBlob,
primary_krb5)
return (krb5_blob.version, krb5_blob.ctr)
# Extract the rounds value from the options of a virtualCrypt attribute # Extract the rounds value from the options of a virtualCrypt attribute
# i.e. options = "rounds=20;other=ignored;" will return 20 # i.e. options = "rounds=20;other=ignored;" will return 20
# if the rounds option is not found or the value is not a number, 0 is returned # if the rounds option is not found or the value is not a number, 0 is returned
@ -1583,10 +1597,9 @@ class GetPasswordCommand(Command):
if v is None: if v is None:
continue continue
elif a == "virtualKerberosSalt": elif a == "virtualKerberosSalt":
(krb5_v, krb5_ctr) = get_kerberos_ctr() v = kerberos_salt
if krb5_v not in [3, 4]: if v is None:
continue continue
v = krb5_ctr.salt.string
elif a.startswith("virtualWDigest"): elif a.startswith("virtualWDigest"):
primary_wdigest = get_package("Primary:WDigest") primary_wdigest = get_package("Primary:WDigest")
if primary_wdigest is None: if primary_wdigest is None:
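Review bot: The Kerberos package is now unpacked eagerly, right after `get_kerberos_ctr()` is defined and before `if decrypt:`, so as far as these hunks show, an account whose `Primary:Kerberos-Newer-Keys` or `Primary:Kerberos` blob fails `ndr_unpack` would presumably fail every attribute request instead of only `virtualKerberosSalt`; if that is intended because the next commit needs the key unconditionally, a short comment saying so would help. The literal `18` in `is_aes256` should carry a comment such as `# 18 = aes256-cts-hmac-sha1-96 (RFC 3962)` so the key type being selected is obvious to the next reader. The `builtins.filter` call (presumably needed because a local named `filter` shadows the builtin, which is not visible here) and the nested `def` could be replaced by `aes256_key = next((k for k in krb5_ctr.keys if k.keytype == 18), None)`, which would also make the new `import builtins` unnecessary. The enclosing method starts and ends outside the hunks shown.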