samba-tool user: Accomodate missing unicodePwd in getpassword command
To allow for the NT hash not being stored when NTLM authentication is disabled, we use the AES256 key instead for verification against the other packages if the unicodePwd attribute is not present. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
aa9136ab74
commit
e6957c1d47
@ -1321,22 +1321,34 @@ class GetPasswordCommand(Command):
|
||||
#
|
||||
# In order to get more protection we verify
|
||||
# the nthash of the decrypted utf16 password
|
||||
# against the stored nthash in unicodePwd.
|
||||
# against the stored nthash in unicodePwd if
|
||||
# available, otherwise against the first 16
|
||||
# bytes of the AES256 key.
|
||||
#
|
||||
sgv = get_package("Primary:SambaGPG", min_idx=-1)
|
||||
if sgv is not None and unicodePwd is not None:
|
||||
if sgv is not None:
|
||||
try:
|
||||
cv = gpg_decrypt(sgv)
|
||||
#
|
||||
# We only use the password if it matches
|
||||
# the current nthash stored in the unicodePwd
|
||||
# attribute
|
||||
# attribute, or the current AES256 key.
|
||||
#
|
||||
tmp = credentials.Credentials()
|
||||
tmp.set_anonymous()
|
||||
tmp.set_utf16_password(cv)
|
||||
nthash = tmp.get_nt_hash()
|
||||
if nthash == unicodePwd:
|
||||
|
||||
decrypted = None
|
||||
current_hash = None
|
||||
|
||||
if unicodePwd is not None:
|
||||
decrypted = tmp.get_nt_hash()
|
||||
current_hash = unicodePwd
|
||||
elif aes256_key is not None and kerberos_salt is not None:
|
||||
decrypted = tmp.get_aes256_key(kerberos_salt)
|
||||
current_hash = aes256_key.value
|
||||
|
||||
if current_hash is not None and current_hash == decrypted:
|
||||
calculated["Primary:CLEARTEXT"] = cv
|
||||
|
||||
except Exception as e:
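Review bot: The comment added at the top of the hunk says the decrypted password is verified "against the first 16 bytes of the AES256 key", but the code below compares the full `aes256_key.value` against `tmp.get_aes256_key(kerberos_salt)`; only the later hunk (the supplementalCredentials check against `up.current_nt_hash.hash`) truncates to 16 bytes. Either reword the comment, e.g. `# available, otherwise against the AES256 key derived` / `# from the decrypted password and the Kerberos salt.`, or, if a 16-byte comparison is intended here as well, slice both sides consistently so the two verification paths document the same strength. Judging from the hunk's line counts the old `nthash = tmp.get_nt_hash()` line appears to survive as context; if so `nthash` is now unused and the NT hash is computed twice, so that line can be dropped in favour of the new `decrypted = tmp.get_nt_hash()`. Note that when `unicodePwd` is absent and `aes256_key` is present but `kerberos_salt` is not, `current_hash` stays `None` and the cleartext is silently not recorded, which is the safe outcome but worth a one-line comment. The enclosing method starts and ends outside the hunk.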
|
||||
@ -1496,10 +1508,18 @@ class GetPasswordCommand(Command):
|
||||
up = ndr_unpack(drsblobs.package_PrimaryUserPasswordBlob, blob)
|
||||
SCHEME = "{CRYPT}"
|
||||
|
||||
# Check that the NT hash has not been changed without updating
|
||||
# the user password hashes. This indicates that password has been
|
||||
# changed without updating the supplemental credentials.
|
||||
if unicodePwd != bytearray(up.current_nt_hash.hash):
|
||||
# Check that the NT hash or AES256 key have not been changed
|
||||
# without updating the user password hashes. This indicates that
|
||||
# password has been changed without updating the supplemental
|
||||
# credentials.
|
||||
if unicodePwd is not None:
|
||||
current_hash = unicodePwd
|
||||
elif aes256_key is not None:
|
||||
current_hash = aes256_key.value[:16]
|
||||
else:
|
||||
return None, None
|
||||
|
||||
if current_hash != bytearray(up.current_nt_hash.hash):
|
||||
return None, None
|
||||
|
||||
scheme_prefix = "$%d$" % algorithm
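Review bot: `current_hash = aes256_key.value[:16]` silently truncates the key and the comment above it only says the AES256 key must be unchanged, so a reader cannot tell why exactly 16 bytes are compared; add a why-comment such as `# current_nt_hash is a 16-byte NT-hash-sized field, so only the first 16 bytes of the AES256 key can be checked against it` (presumably a samr_Password; confirm against the NDR definition). Because only a 16-byte prefix is compared here while the earlier hunk compares the whole key, it would also help to state in the comment that this check is weaker by design. The name `current_hash` is a little misleading on the AES branch, where it holds a key prefix rather than a hash, though that is cosmetic. The enclosing function begins before the hunk and continues after it.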
|
||||
|
@ -1,4 +1,3 @@
|
||||
^samba.tests.samba_tool.user.samba.tests.samba_tool.user.UserCmdTestCase.test_setpassword.ad_dc_no_ntlm:local
|
||||
^samba4.ldap.login_basics.python.ad_dc_no_ntlm..__main__.BasicUserAuthTests.test_login_basics_ntlm.ad_dc_no_ntlm
|
||||
^samba4.ldap.passwords.python.ad_dc_no_ntlm..__main__.PasswordTests.test_old_password_rename_attempt_reuse_2.ad_dc_no_ntlm
|
||||
^samba4.ldap.passwords.python.ad_dc_no_ntlm..__main__.PasswordTests.test_old_password_rename_simple_bind_2.ad_dc_no_ntlm
|
||||
|