mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

29 Commits

Author SHA1 Message Date
Gary Lockyer
1d3ae2d92f dsdb encrypted secrets module
Encrypt the samba secret attributes on disk.  This is intended to
mitigate the inadvertent disclosure of the sam.ldb file, and to mitigate
memory read attacks.

Currently the key file is stored in the same directory as sam.ldb but
this could be changed at a later date to use an HSM or similar mechanism
to protect the key.

Data is encrypted with AES 128 GCM. The encryption uses gnutls where
available and if it supports AES 128 GCM AEAD modes, otherwise nettle is
used.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-18 00:10:16 +01:00
Gary Lockyer
826e50a5f6 idl drsblobs: add the blobs required for Primary:userPassword
Add the blobs required to allow the storing of an sha256 or sha512 hash of
the password in supplemental credentials

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-25 02:25:12 +02:00
Bob Campbell
380b56e38a drsblobs: Add decode for replPropertyMetaData1
Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
2017-03-13 05:10:11 +01:00
Stefan Metzmacher
8d64999d1c drsblobs.idl: add package_PrimarySambaGPGBlob
This will be used to store the cleartext utf16 password
GPG encrypted in the supplementalCredentials attribute.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2016-07-22 16:03:27 +02:00
Stefan Metzmacher
e9c9615a1f drsblobs.idl: mark supplementalCredentialsSubBlob as nopull,nopush
This commit moves the autogenerated ndr_{pull,push}_supplementalCredentialsSubBlob()
function to the handwritten librpc/ndr/ndr_drsblobs.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11441

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-07-20 21:27:17 +02:00
Stefan Metzmacher
aea55377f9 drsblobs.idl: improve idl for ForestTrustInfoRecord*
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:44 +01:00
Stefan Metzmacher
5abb9acc9b drsblobs.idl: make replPropertyMetaData1 public
This is used as binary data for the msDS-RevealedUsers attribute.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:43 +01:00
Dave Craft
bc03cba552 Add NTDSConnection schedule attr blob
Add schedule blob to drsblobs to allow
NDR unpacking into a python class.

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-12-08 11:48:17 +11:00
Stefan Metzmacher
26a37284b9 drsblobs.idl: remove nopython from package_PrimaryKerberosBlob related stuff
This allows parsing and construction of the supplementalCredentials
attribute in python.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Dec 10 19:08:33 CET 2010 on sn-devel-104
2010-12-10 19:08:33 +01:00
Günther Deschner
e2f15d2a25 s4-trusts: fix trustDomainPasswords drsblobs IDL and server side support.
Also remove bogus trustCurrentPasswords struct which we just had because our IDL
was incorrect.

Guenther
2010-08-25 13:27:50 +02:00
Jelmer Vernooij
f9ca9e46ad Finish removal of iconv_convenience in public APIs.
2010-05-18 11:45:30 +02:00
Kamen Mazdrashki
8dd5705a59 librpc/idl: Use [nopython] attr for types used in decode_PrimaryKerberos method
C code generation for the python module generates invalid code
(i.e. it cannot be compiled).
Another reason to 'hide' those types from Python is
that those types are not used at the moment
(and most probably won't be used in the future)
2010-04-09 12:21:28 +03:00
Andrew Bartlett
2ea99c22c3 librpc/idl Use [nopython] on some drsblobs.idl 'functions' as an example
It makes little sense to expose these 'functions' to anything other
than ndrdump.

Andrew Bartlett
2010-04-09 12:21:27 +03:00
Kamen Mazdrashki
63e1aae69c s4/idl: Schema:schemaInfo attribute description
2010-04-09 12:21:24 +03:00
Günther Deschner
1ff55500de drsblobs: remove utf8string2 from ForestTrustData.
Simo, it's not really worth adding a new idl type just to be able to omit
the size field. The size field is part of the spec in MS-ADTS 7.1.6.9.3.1 so we
should have it as well.

Guenther
2010-03-25 11:04:52 +01:00
Simo Sorce
7d89c7c17b idl: fix comment and convert whitespaces to tabs
2010-03-24 07:46:00 -04:00
Simo Sorce
fd2bc08138 idl: fix forest trust information idl
--validate now passes
2010-03-23 18:47:39 -04:00
Simo Sorce
9f84d72ef1 idl:drsblobs add code to interpret msDS-TrustForestTrustInfo
2010-03-23 01:09:50 -04:00
Kamen Mazdrashki
163cc1a02d s4/idl: drsuapi_DsReplicaSyncOptions flags are no longer used
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2010-03-10 17:11:55 +01:00
Kamen Mazdrashki
cd3d165778 s4/idl: PrefixMap description for W2K3 and W2K8 Schema:prefixMap attribute
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2010-02-01 15:23:29 +01:00
Andrew Tridgell
f461a72ec3 idl: switched to using the WSPP names for the 'neighbour' DRS options
The documentation shows that all these functions in fact use the same
flags variable type. To be consistent between functions, and to allow
easy reference to the WSPP docs, it is better for us to also use this
generic DrsOptions bitfield rather than one per operation.
2010-01-18 07:25:18 +11:00
Andrew Tridgell
3f5d535972 idl-drsblobs: mark some more reserved values as value(0)
This prevents valgrind errors when we store these blobs in a database
2009-10-22 12:47:53 +11:00
Stefan Metzmacher
1c3a706932 drsblobs.idl: fix repsFromTo2 blob size calculation
metze
2009-09-20 06:36:39 +02:00
Stefan Metzmacher
8958a04e6f drsblobs.idl: add decoding for repsFromTo2
This is used in windows 2008.

metze
2009-09-20 06:17:32 +02:00
Andrew Tridgell
dca7afb799 s4: fixed format of repsTo in samdb
Metze pointed out that the windows tool ldp.exe will examine repsTo
attributes on remote DCs, so we do in fact need to use the same format
that windows uses. This patch changes the server side implementation
of UpdateRefs to use the windows format.
2009-09-09 12:36:51 +10:00
Andrew Tridgell
5cd6b460ff s4: added the structure for repsTo
This structure is stored in NDR format in the repsTo attribute of each
partition. It is updated by the DSUpdateRefs DRSUAPI call.
2009-09-08 11:52:45 +10:00
Günther Deschner
a0c4fbdb3c librpc: add header file for drsblobs helper functions.
Guenther
2009-02-04 12:38:21 +01:00
Jelmer Vernooij
08259c1c52 Add iconv_convenience argument to size functions.
2009-01-01 04:45:33 +01:00
Günther Deschner
f34b6bfe34 idl: share drsblobs idl.
Guenther
2008-10-18 23:54:49 +02:00