
samba-tool user: Accomodate missing unicodePwd in getpassword command

To allow for the NT hash not being stored when NTLM authentication is
disabled, we use the AES256 key instead for verification against the
other packages if the unicodePwd attribute is not present.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton 2022-04-11 11:54:24 +12:00 committed by Andrew Bartlett
parent aa9136ab74
commit e6957c1d47
2 changed files with 29 additions and 10 deletions


@ -1321,22 +1321,34 @@ class GetPasswordCommand(Command):
#
# In order to get more protection we verify
# the nthash of the decrypted utf16 password
# against the stored nthash in unicodePwd.
# against the stored nthash in unicodePwd if
# available, otherwise against the first 16
# bytes of the AES256 key.
#
sgv = get_package("Primary:SambaGPG", min_idx=-1)
if sgv is not None and unicodePwd is not None:
if sgv is not None:
try:
cv = gpg_decrypt(sgv)
#
# We only use the password if it matches
# the current nthash stored in the unicodePwd
# attribute
# attribute, or the current AES256 key.
#
tmp = credentials.Credentials()
tmp.set_anonymous()
tmp.set_utf16_password(cv)
nthash = tmp.get_nt_hash()
if nthash == unicodePwd:
decrypted = None
current_hash = None
if unicodePwd is not None:
decrypted = tmp.get_nt_hash()
current_hash = unicodePwd
elif aes256_key is not None and kerberos_salt is not None:
decrypted = tmp.get_aes256_key(kerberos_salt)
current_hash = aes256_key.value
if current_hash is not None and current_hash == decrypted:
calculated["Primary:CLEARTEXT"] = cv
except Exception as e:
@ -1496,10 +1508,18 @@ class GetPasswordCommand(Command):
up = ndr_unpack(drsblobs.package_PrimaryUserPasswordBlob, blob)
SCHEME = "{CRYPT}"
# Check that the NT hash has not been changed without updating
# the user password hashes. This indicates that password has been
# changed without updating the supplemental credentials.
if unicodePwd != bytearray(up.current_nt_hash.hash):
# Check that the NT hash or AES256 key have not been changed
# without updating the user password hashes. This indicates that
# password has been changed without updating the supplemental
# credentials.
if unicodePwd is not None:
current_hash = unicodePwd
elif aes256_key is not None:
current_hash = aes256_key.value[:16]
else:
return None, None
if current_hash != bytearray(up.current_nt_hash.hash):
return None, None
scheme_prefix = "$%d$" % algorithm
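Review bot: The comment added at the top of the first hunk says the fallback verifies "against the first 16 bytes of the AES256 key", but the code that follows compares the full `aes256_key.value` with `tmp.get_aes256_key(kerberos_salt)`; only the second hunk truncates to `[:16]`, where it has to line up with the 16-byte `current_nt_hash` field of the PrimaryUserPasswordBlob. The comment seems to have been written for the second hunk's check and understates what the first hunk actually verifies, so I would reword it to `# available, otherwise against the AES256 key derived` / `# from the cleartext with the stored Kerberos salt.`, and give the second hunk's truncation its own why-comment, e.g. `# NOTE(review): assumes that without NTLM the blob's current_nt_hash holds the first 16 bytes of the AES256 key — confirm against the code that writes it`. The `current_hash is not None` test on the final comparison is redundant once `decrypted` is only assigned in the same two branches, so the `None`-initialised pair could be reduced to assigning both in each branch and testing `decrypted is not None and current_hash == decrypted`. Whether `aes256_key.value` and the return of `get_aes256_key()` are both `bytes` (so that `==` is a content comparison, as it is for `unicodePwd`) is not visible here and worth confirming. The enclosing GetPasswordCommand method starts and ends outside both hunks.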


@ -1,4 +1,3 @@
^samba.tests.samba_tool.user.samba.tests.samba_tool.user.UserCmdTestCase.test_setpassword.ad_dc_no_ntlm:local
^samba4.ldap.login_basics.python.ad_dc_no_ntlm..__main__.BasicUserAuthTests.test_login_basics_ntlm.ad_dc_no_ntlm
^samba4.ldap.passwords.python.ad_dc_no_ntlm..__main__.PasswordTests.test_old_password_rename_attempt_reuse_2.ad_dc_no_ntlm
^samba4.ldap.passwords.python.ad_dc_no_ntlm..__main__.PasswordTests.test_old_password_rename_simple_bind_2.ad_dc_no_ntlm