mirror of
https://github.com/samba-team/samba.git
synced 2024-12-25 23:21:54 +03:00
d603d8b392
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
1069 lines
25 KiB
C
1069 lines
25 KiB
C
/*
|
|
Unix SMB/CIFS implementation.
|
|
|
|
Copyright (C) Guenther Deschner <gd@samba.org> 2008
|
|
Copyright (C) Michael Adam 2008
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
#include "smb_krb5.h"
|
|
#include "libnet/libnet_dssync.h"
|
|
#include "libnet/libnet_keytab.h"
|
|
#include "librpc/gen_ndr/ndr_drsblobs.h"
|
|
#include "lib/crypto/md4.h"
|
|
|
|
#if defined(HAVE_ADS)
|
|
|
|
static NTSTATUS keytab_startup(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
|
|
struct replUpToDateVectorBlob **pold_utdv)
|
|
{
|
|
krb5_error_code ret = 0;
|
|
struct libnet_keytab_context *keytab_ctx;
|
|
struct libnet_keytab_entry *entry;
|
|
struct replUpToDateVectorBlob *old_utdv = NULL;
|
|
char *principal;
|
|
|
|
ret = libnet_keytab_init(mem_ctx, ctx->output_filename, &keytab_ctx);
|
|
if (ret) {
|
|
return krb5_to_nt_status(ret);
|
|
}
|
|
|
|
keytab_ctx->dns_domain_name = ctx->dns_domain_name;
|
|
keytab_ctx->clean_old_entries = ctx->clean_old_entries;
|
|
ctx->private_data = keytab_ctx;
|
|
|
|
principal = talloc_asprintf(mem_ctx, "UTDV/%s@%s",
|
|
ctx->nc_dn, ctx->dns_domain_name);
|
|
NT_STATUS_HAVE_NO_MEMORY(principal);
|
|
|
|
entry = libnet_keytab_search(keytab_ctx, principal, 0, ENCTYPE_NULL,
|
|
mem_ctx);
|
|
if (entry) {
|
|
enum ndr_err_code ndr_err;
|
|
old_utdv = talloc(mem_ctx, struct replUpToDateVectorBlob);
|
|
|
|
ndr_err = ndr_pull_struct_blob(&entry->password, old_utdv, old_utdv,
|
|
(ndr_pull_flags_fn_t)ndr_pull_replUpToDateVectorBlob);
|
|
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
|
|
NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
|
|
ctx->error_message = talloc_asprintf(ctx,
|
|
"Failed to pull UpToDateVector: %s",
|
|
nt_errstr(status));
|
|
return status;
|
|
}
|
|
|
|
if (DEBUGLEVEL >= 10) {
|
|
NDR_PRINT_DEBUG(replUpToDateVectorBlob, old_utdv);
|
|
}
|
|
}
|
|
|
|
if (pold_utdv) {
|
|
*pold_utdv = old_utdv;
|
|
}
|
|
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
static NTSTATUS keytab_finish(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
|
|
struct replUpToDateVectorBlob *new_utdv)
|
|
{
|
|
NTSTATUS status = NT_STATUS_OK;
|
|
krb5_error_code ret = 0;
|
|
struct libnet_keytab_context *keytab_ctx =
|
|
(struct libnet_keytab_context *)ctx->private_data;
|
|
|
|
if (new_utdv) {
|
|
enum ndr_err_code ndr_err;
|
|
DATA_BLOB blob;
|
|
|
|
if (DEBUGLEVEL >= 10) {
|
|
NDR_PRINT_DEBUG(replUpToDateVectorBlob, new_utdv);
|
|
}
|
|
|
|
ndr_err = ndr_push_struct_blob(&blob, mem_ctx, new_utdv,
|
|
(ndr_push_flags_fn_t)ndr_push_replUpToDateVectorBlob);
|
|
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
|
|
status = ndr_map_error2ntstatus(ndr_err);
|
|
ctx->error_message = talloc_asprintf(ctx,
|
|
"Failed to push UpToDateVector: %s",
|
|
nt_errstr(status));
|
|
goto done;
|
|
}
|
|
|
|
status = libnet_keytab_add_to_keytab_entries(mem_ctx, keytab_ctx, 0,
|
|
ctx->nc_dn, "UTDV",
|
|
ENCTYPE_NULL,
|
|
blob);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
goto done;
|
|
}
|
|
}
|
|
|
|
ret = libnet_keytab_add(keytab_ctx);
|
|
if (ret) {
|
|
status = krb5_to_nt_status(ret);
|
|
ctx->error_message = talloc_asprintf(ctx,
|
|
"Failed to add entries to keytab %s: %s",
|
|
keytab_ctx->keytab_name, error_message(ret));
|
|
goto done;
|
|
}
|
|
|
|
ctx->result_message = talloc_asprintf(ctx,
|
|
"Vampired %d accounts to keytab %s",
|
|
keytab_ctx->count,
|
|
keytab_ctx->keytab_name);
|
|
|
|
done:
|
|
TALLOC_FREE(keytab_ctx);
|
|
return status;
|
|
}
|
|
|
|
/****************************************************************
|
|
****************************************************************/
|
|
|
|
static NTSTATUS parse_supplemental_credentials(TALLOC_CTX *mem_ctx,
|
|
const DATA_BLOB *blob,
|
|
struct package_PrimaryKerberosCtr3 **pkb3,
|
|
struct package_PrimaryKerberosCtr4 **pkb4)
|
|
{
|
|
NTSTATUS status;
|
|
enum ndr_err_code ndr_err;
|
|
struct supplementalCredentialsBlob scb;
|
|
struct supplementalCredentialsPackage *scpk = NULL;
|
|
DATA_BLOB scpk_blob;
|
|
struct package_PrimaryKerberosBlob *pkb;
|
|
bool newer_keys = false;
|
|
uint32_t j;
|
|
|
|
ndr_err = ndr_pull_struct_blob_all(blob, mem_ctx, &scb,
|
|
(ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
|
|
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
|
|
status = ndr_map_error2ntstatus(ndr_err);
|
|
goto done;
|
|
}
|
|
if ((scb.sub.signature != SUPPLEMENTAL_CREDENTIALS_SIGNATURE)
|
|
&& (scb.sub.num_packages != 0))
|
|
{
|
|
if (DEBUGLEVEL >= 10) {
|
|
NDR_PRINT_DEBUG(supplementalCredentialsBlob, &scb);
|
|
}
|
|
status = NT_STATUS_INVALID_PARAMETER;
|
|
goto done;
|
|
}
|
|
for (j=0; j < scb.sub.num_packages; j++) {
|
|
if (strcmp("Primary:Kerberos-Newer-Keys",
|
|
scb.sub.packages[j].name) == 0)
|
|
{
|
|
scpk = &scb.sub.packages[j];
|
|
if (!scpk->data || !scpk->data[0]) {
|
|
scpk = NULL;
|
|
continue;
|
|
}
|
|
newer_keys = true;
|
|
break;
|
|
} else if (strcmp("Primary:Kerberos",
|
|
scb.sub.packages[j].name) == 0)
|
|
{
|
|
/*
|
|
* grab this but don't break here:
|
|
* there might still be newer-keys ...
|
|
*/
|
|
scpk = &scb.sub.packages[j];
|
|
if (!scpk->data || !scpk->data[0]) {
|
|
scpk = NULL;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (!scpk) {
|
|
/* no data */
|
|
status = NT_STATUS_OK;
|
|
goto done;
|
|
}
|
|
|
|
scpk_blob = strhex_to_data_blob(mem_ctx, scpk->data);
|
|
if (!scpk_blob.data) {
|
|
status = NT_STATUS_NO_MEMORY;
|
|
goto done;
|
|
}
|
|
|
|
pkb = talloc_zero(mem_ctx, struct package_PrimaryKerberosBlob);
|
|
if (!pkb) {
|
|
status = NT_STATUS_NO_MEMORY;
|
|
goto done;
|
|
}
|
|
ndr_err = ndr_pull_struct_blob(&scpk_blob, mem_ctx, pkb,
|
|
(ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
|
|
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
|
|
status = ndr_map_error2ntstatus(ndr_err);
|
|
goto done;
|
|
}
|
|
|
|
if (!newer_keys && pkb->version != 3) {
|
|
status = NT_STATUS_INVALID_PARAMETER;
|
|
goto done;
|
|
}
|
|
|
|
if (newer_keys && pkb->version != 4) {
|
|
status = NT_STATUS_INVALID_PARAMETER;
|
|
goto done;
|
|
}
|
|
|
|
if (pkb->version == 4 && pkb4) {
|
|
*pkb4 = &pkb->ctr.ctr4;
|
|
} else if (pkb->version == 3 && pkb3) {
|
|
*pkb3 = &pkb->ctr.ctr3;
|
|
}
|
|
|
|
status = NT_STATUS_OK;
|
|
|
|
done:
|
|
return status;
|
|
}
|
|
|
|
static NTSTATUS store_or_fetch_attribute(TALLOC_CTX *mem_ctx,
|
|
struct libnet_keytab_context *ctx,
|
|
const char *object_dn,
|
|
const char *attr,
|
|
char **value)
|
|
{
|
|
DATA_BLOB blob = { .length = 0, };
|
|
NTSTATUS status;
|
|
|
|
if (*value == NULL) {
|
|
/* look into keytab ... */
|
|
struct libnet_keytab_entry *entry = NULL;
|
|
char *principal = NULL;
|
|
|
|
D_DEBUG("looking for %s/%s@%s in keytab...\n",
|
|
attr, object_dn, ctx->dns_domain_name);
|
|
|
|
principal = talloc_asprintf(mem_ctx,
|
|
"%s/%s@%s",
|
|
attr,
|
|
object_dn,
|
|
ctx->dns_domain_name);
|
|
if (principal == NULL) {
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
entry = libnet_keytab_search(ctx,
|
|
principal,
|
|
0,
|
|
ENCTYPE_NULL,
|
|
mem_ctx);
|
|
if (entry != NULL) {
|
|
*value = talloc_strndup(mem_ctx,
|
|
(char *)entry->password.data,
|
|
entry->password.length);
|
|
if (*value == NULL) {
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
D_DEBUG("found %s: %s\n", attr, *value);
|
|
TALLOC_FREE(entry);
|
|
} else {
|
|
*value = NULL;
|
|
D_DEBUG("entry not found\n");
|
|
}
|
|
TALLOC_FREE(principal);
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
blob = data_blob_string_const_null(*value);
|
|
blob = data_blob_dup_talloc(mem_ctx, blob);
|
|
if (blob.data == NULL) {
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
status = libnet_keytab_add_to_keytab_entries(mem_ctx,
|
|
ctx,
|
|
0,
|
|
object_dn,
|
|
attr,
|
|
ENCTYPE_NULL,
|
|
blob);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
return status;
|
|
}
|
|
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
static NTSTATUS parse_user(TALLOC_CTX *mem_ctx,
|
|
struct libnet_keytab_context *ctx,
|
|
struct drsuapi_DsReplicaObjectListItemEx *cur)
|
|
{
|
|
NTSTATUS status = NT_STATUS_OK;
|
|
uchar nt_passwd[16];
|
|
DATA_BLOB *blob;
|
|
int i = 0;
|
|
struct drsuapi_DsReplicaAttribute *attr;
|
|
bool got_pwd = false;
|
|
|
|
struct package_PrimaryKerberosCtr3 *pkb3 = NULL;
|
|
struct package_PrimaryKerberosCtr4 *pkb4 = NULL;
|
|
|
|
char *object_dn = NULL;
|
|
char *upn = NULL;
|
|
char **spn = NULL;
|
|
uint32_t num_spns = 0;
|
|
char *name = NULL;
|
|
uint32_t kvno = 0;
|
|
uint32_t uacc = 0;
|
|
uint32_t sam_type = 0;
|
|
|
|
uint32_t pwd_history_len = 0;
|
|
uint8_t *pwd_history = NULL;
|
|
|
|
ZERO_STRUCT(nt_passwd);
|
|
|
|
object_dn = talloc_strdup(mem_ctx, cur->object.identifier->dn);
|
|
if (!object_dn) {
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
DEBUG(3, ("parsing user '%s'\n", object_dn));
|
|
|
|
for (i=0; i < cur->object.attribute_ctr.num_attributes; i++) {
|
|
|
|
attr = &cur->object.attribute_ctr.attributes[i];
|
|
|
|
if (attr->attid == DRSUAPI_ATTID_servicePrincipalName) {
|
|
uint32_t count;
|
|
num_spns = attr->value_ctr.num_values;
|
|
spn = talloc_array(mem_ctx, char *, num_spns);
|
|
for (count = 0; count < num_spns; count++) {
|
|
blob = attr->value_ctr.values[count].blob;
|
|
if (blob == NULL) {
|
|
continue;
|
|
}
|
|
pull_string_talloc(spn, NULL, 0,
|
|
&spn[count],
|
|
blob->data, blob->length,
|
|
STR_UNICODE);
|
|
}
|
|
}
|
|
|
|
if (attr->attid == DRSUAPI_ATTID_unicodePwd &&
|
|
cur->meta_data_ctr != NULL &&
|
|
cur->meta_data_ctr->count ==
|
|
cur->object.attribute_ctr.num_attributes)
|
|
{
|
|
/*
|
|
* pick the kvno from the unicodePwd
|
|
* meta data, even without a unicodePwd blob
|
|
*/
|
|
kvno = cur->meta_data_ctr->meta_data[i].version;
|
|
}
|
|
|
|
if (attr->value_ctr.num_values != 1) {
|
|
continue;
|
|
}
|
|
|
|
if (!attr->value_ctr.values[0].blob) {
|
|
continue;
|
|
}
|
|
|
|
blob = attr->value_ctr.values[0].blob;
|
|
|
|
switch (attr->attid) {
|
|
case DRSUAPI_ATTID_unicodePwd:
|
|
|
|
if (blob->length != 16) {
|
|
break;
|
|
}
|
|
|
|
memcpy(&nt_passwd, blob->data, 16);
|
|
got_pwd = true;
|
|
break;
|
|
case DRSUAPI_ATTID_ntPwdHistory:
|
|
pwd_history_len = blob->length / 16;
|
|
pwd_history = blob->data;
|
|
break;
|
|
case DRSUAPI_ATTID_userPrincipalName:
|
|
pull_string_talloc(mem_ctx, NULL, 0, &upn,
|
|
blob->data, blob->length,
|
|
STR_UNICODE);
|
|
break;
|
|
case DRSUAPI_ATTID_sAMAccountName:
|
|
pull_string_talloc(mem_ctx, NULL, 0, &name,
|
|
blob->data, blob->length,
|
|
STR_UNICODE);
|
|
break;
|
|
case DRSUAPI_ATTID_sAMAccountType:
|
|
sam_type = IVAL(blob->data, 0);
|
|
break;
|
|
case DRSUAPI_ATTID_userAccountControl:
|
|
uacc = IVAL(blob->data, 0);
|
|
break;
|
|
case DRSUAPI_ATTID_supplementalCredentials:
|
|
status = parse_supplemental_credentials(mem_ctx,
|
|
blob,
|
|
&pkb3,
|
|
&pkb4);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
DEBUG(2, ("parsing of supplemental "
|
|
"credentials failed: %s\n",
|
|
nt_errstr(status)));
|
|
}
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
}
|
|
|
|
status = store_or_fetch_attribute(mem_ctx,
|
|
ctx,
|
|
object_dn,
|
|
"SAMACCOUNTNAME",
|
|
&name);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
DBG_ERR("store_or_fetch_attribute(%s, %s, %s): %s\n",
|
|
object_dn, "SAMACCOUNTNAME", name,
|
|
nt_errstr(status));
|
|
return status;
|
|
}
|
|
|
|
if (!name) {
|
|
DEBUG(10, ("no name (sAMAccountName) found - skipping.\n"));
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
DEBUG(1,("#%02d: %s:%d, ", ctx->count, name, kvno));
|
|
DEBUGADD(1,("sAMAccountType: 0x%08x, userAccountControl: 0x%08x",
|
|
sam_type, uacc));
|
|
if (upn) {
|
|
DEBUGADD(1,(", upn: %s", upn));
|
|
}
|
|
if (num_spns > 0) {
|
|
DEBUGADD(1, (", spns: ["));
|
|
for (i = 0; i < num_spns; i++) {
|
|
DEBUGADD(1, ("%s%s", spn[i],
|
|
(i+1 == num_spns)?"]":", "));
|
|
}
|
|
}
|
|
DEBUGADD(1,("\n"));
|
|
|
|
if (got_pwd) {
|
|
status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno, name, NULL,
|
|
ENCTYPE_ARCFOUR_HMAC,
|
|
data_blob_talloc(mem_ctx, nt_passwd, 16));
|
|
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
return status;
|
|
}
|
|
}
|
|
|
|
/* add kerberos keys (if any) */
|
|
|
|
if (pkb4) {
|
|
for (i=0; i < pkb4->num_keys; i++) {
|
|
if (!pkb4->keys[i].value) {
|
|
continue;
|
|
}
|
|
status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno,
|
|
name,
|
|
NULL,
|
|
pkb4->keys[i].keytype,
|
|
*pkb4->keys[i].value);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
return status;
|
|
}
|
|
}
|
|
for (i=0; i < pkb4->num_old_keys; i++) {
|
|
if (!pkb4->old_keys[i].value) {
|
|
continue;
|
|
}
|
|
status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno - 1,
|
|
name,
|
|
NULL,
|
|
pkb4->old_keys[i].keytype,
|
|
*pkb4->old_keys[i].value);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
return status;
|
|
}
|
|
}
|
|
for (i=0; i < pkb4->num_older_keys; i++) {
|
|
if (!pkb4->older_keys[i].value) {
|
|
continue;
|
|
}
|
|
status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno - 2,
|
|
name,
|
|
NULL,
|
|
pkb4->older_keys[i].keytype,
|
|
*pkb4->older_keys[i].value);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
return status;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (pkb3) {
|
|
for (i=0; i < pkb3->num_keys; i++) {
|
|
if (!pkb3->keys[i].value) {
|
|
continue;
|
|
}
|
|
status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno, name,
|
|
NULL,
|
|
pkb3->keys[i].keytype,
|
|
*pkb3->keys[i].value);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
return status;
|
|
}
|
|
}
|
|
for (i=0; i < pkb3->num_old_keys; i++) {
|
|
if (!pkb3->old_keys[i].value) {
|
|
continue;
|
|
}
|
|
status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno - 1,
|
|
name,
|
|
NULL,
|
|
pkb3->old_keys[i].keytype,
|
|
*pkb3->old_keys[i].value);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
return status;
|
|
}
|
|
}
|
|
}
|
|
|
|
if (kvno < pwd_history_len) {
|
|
return status;
|
|
}
|
|
|
|
/* add password history */
|
|
|
|
/* skip first entry */
|
|
if (got_pwd) {
|
|
kvno--;
|
|
i = 1;
|
|
} else {
|
|
i = 0;
|
|
}
|
|
|
|
for (; i<pwd_history_len; i++) {
|
|
status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno--, name, NULL,
|
|
ENCTYPE_ARCFOUR_HMAC,
|
|
data_blob_talloc(mem_ctx, &pwd_history[i*16], 16));
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
break;
|
|
}
|
|
}
|
|
|
|
return status;
|
|
}
|
|
|
|
static NTSTATUS parse_AuthenticationInformation(TALLOC_CTX *mem_ctx,
|
|
struct libnet_keytab_context *ctx,
|
|
const char *dn,
|
|
const char *trust_name,
|
|
const char *attr_name,
|
|
const char *salt_principal,
|
|
const char *type,
|
|
uint32_t *kvno,
|
|
const struct AuthenticationInformationArray *ia)
|
|
{
|
|
uint32_t i;
|
|
struct samr_Password _nthash = {{ 0, }};
|
|
const struct samr_Password *nthash = NULL;
|
|
const struct AuthInfoClear *clear = NULL;
|
|
DATA_BLOB password_utf8 = data_blob_null;
|
|
|
|
for (i = 0; i < ia->count; i++) {
|
|
const struct AuthenticationInformation *a = &ia->array[i];
|
|
|
|
switch (a->AuthType) {
|
|
case TRUST_AUTH_TYPE_VERSION:
|
|
*kvno = a->AuthInfo.version.version;
|
|
break;
|
|
case TRUST_AUTH_TYPE_NT4OWF:
|
|
nthash = &a->AuthInfo.nt4owf.password;
|
|
break;
|
|
case TRUST_AUTH_TYPE_CLEAR:
|
|
clear = &a->AuthInfo.clear;
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (clear != NULL && clear->size != 0) {
|
|
DATA_BLOB password_utf16 = data_blob_null;
|
|
bool ok;
|
|
|
|
password_utf16 = data_blob_const(clear->password,
|
|
clear->size);
|
|
|
|
if (nthash == NULL) {
|
|
mdfour(_nthash.hash,
|
|
password_utf16.data,
|
|
password_utf16.length);
|
|
nthash = &_nthash;
|
|
}
|
|
|
|
ok = convert_string_talloc(mem_ctx,
|
|
CH_UTF16MUNGED, CH_UTF8,
|
|
password_utf16.data,
|
|
password_utf16.length,
|
|
(void *)&password_utf8.data,
|
|
&password_utf8.length);
|
|
if (!ok) {
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
}
|
|
|
|
if (password_utf8.length != 0) {
|
|
krb5_principal salt_princ = NULL;
|
|
krb5_data salt = { 0, };
|
|
krb5_data cleartext_data = { 0, };
|
|
krb5_enctype enctypes[] = {
|
|
ENCTYPE_AES256_CTS_HMAC_SHA1_96,
|
|
ENCTYPE_AES128_CTS_HMAC_SHA1_96,
|
|
};
|
|
size_t ei;
|
|
krb5_error_code kret;
|
|
NTSTATUS status;
|
|
|
|
kret = smb_krb5_parse_name(ctx->context,
|
|
salt_principal,
|
|
&salt_princ);
|
|
if (kret != 0) {
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
cleartext_data.data = discard_const_p(char, password_utf8.data);
|
|
cleartext_data.length = password_utf8.length;
|
|
|
|
kret = smb_krb5_get_pw_salt(ctx->context,
|
|
salt_princ,
|
|
&salt);
|
|
if (kret != 0) {
|
|
krb5_free_principal(ctx->context, salt_princ);
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
for (ei = 0; ei < ARRAY_SIZE(enctypes); ei++) {
|
|
krb5_keyblock keyb = { 0, };
|
|
DATA_BLOB blob = data_blob_null;
|
|
|
|
kret = smb_krb5_create_key_from_string(ctx->context,
|
|
salt_princ,
|
|
&salt,
|
|
&cleartext_data,
|
|
enctypes[ei],
|
|
&keyb);
|
|
if (kret != 0) {
|
|
smb_krb5_free_data_contents(ctx->context, &salt);
|
|
krb5_free_principal(ctx->context, salt_princ);
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
blob = data_blob_talloc(mem_ctx,
|
|
KRB5_KEY_DATA(&keyb),
|
|
KRB5_KEY_LENGTH(&keyb));
|
|
krb5_free_keyblock_contents(ctx->context, &keyb);
|
|
|
|
status = libnet_keytab_add_to_keytab_entries(mem_ctx,
|
|
ctx,
|
|
*kvno,
|
|
trust_name,
|
|
attr_name,
|
|
enctypes[ei],
|
|
blob);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
smb_krb5_free_data_contents(ctx->context, &salt);
|
|
krb5_free_principal(ctx->context, salt_princ);
|
|
return status;
|
|
}
|
|
}
|
|
|
|
smb_krb5_free_data_contents(ctx->context, &salt);
|
|
krb5_free_principal(ctx->context, salt_princ);
|
|
}
|
|
|
|
if (nthash != NULL) {
|
|
DATA_BLOB blob = data_blob_null;
|
|
NTSTATUS status;
|
|
|
|
blob = data_blob_talloc(mem_ctx, nthash->hash, sizeof(nthash->hash));
|
|
|
|
status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx,
|
|
*kvno,
|
|
trust_name,
|
|
attr_name,
|
|
ENCTYPE_ARCFOUR_HMAC,
|
|
blob);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
return status;
|
|
}
|
|
}
|
|
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
static NTSTATUS parse_trustAuthInOutBlob(TALLOC_CTX *mem_ctx,
|
|
struct libnet_keytab_context *ctx,
|
|
const char *dn,
|
|
const char *trust_name,
|
|
const char *attr_name,
|
|
const char *salt_principal,
|
|
const DATA_BLOB *blob)
|
|
{
|
|
NTSTATUS status;
|
|
enum ndr_err_code ndr_err;
|
|
struct trustAuthInOutBlob taiob;
|
|
uint32_t kvno = 0;
|
|
|
|
ndr_err = ndr_pull_struct_blob_all(blob, mem_ctx, &taiob,
|
|
(ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
|
|
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
|
|
status = ndr_map_error2ntstatus(ndr_err);
|
|
goto done;
|
|
}
|
|
|
|
D_WARNING("# %s %s/%s\n", dn, attr_name, trust_name);
|
|
|
|
status = parse_AuthenticationInformation(mem_ctx,
|
|
ctx,
|
|
dn,
|
|
trust_name,
|
|
attr_name,
|
|
salt_principal,
|
|
"current",
|
|
&kvno,
|
|
&taiob.current);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
DBG_ERR("parsing of %s %s/current failed: %s\n",
|
|
dn, attr_name, nt_errstr(status));
|
|
}
|
|
|
|
kvno -= 1;
|
|
status = parse_AuthenticationInformation(mem_ctx,
|
|
ctx,
|
|
dn,
|
|
trust_name,
|
|
attr_name,
|
|
salt_principal,
|
|
"previous",
|
|
&kvno,
|
|
&taiob.previous);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
DBG_ERR("parsing of %s %s/previous failed: %s\n",
|
|
dn, attr_name, nt_errstr(status));
|
|
}
|
|
|
|
status = NT_STATUS_OK;
|
|
done:
|
|
return status;
|
|
}
|
|
|
|
static NTSTATUS parse_tdo(TALLOC_CTX *mem_ctx,
|
|
struct libnet_keytab_context *ctx,
|
|
struct drsuapi_DsReplicaObjectListItemEx *cur)
|
|
{
|
|
uint32_t i;
|
|
const char *dn = cur->object.identifier->dn;
|
|
char *trustPartner = NULL;
|
|
char *flatName = NULL;
|
|
char *cn = NULL;
|
|
char *trust_name = NULL;
|
|
char *trust_realm = NULL;
|
|
char *our_realm = NULL;
|
|
const char *incoming_salt = NULL;
|
|
const char *outgoing_salt = NULL;
|
|
NTSTATUS status;
|
|
|
|
D_NOTICE("parsing trust '%s'\n", dn);
|
|
|
|
for (i = 0; i < cur->object.attribute_ctr.num_attributes; i++) {
|
|
struct drsuapi_DsReplicaAttribute *attr =
|
|
&cur->object.attribute_ctr.attributes[i];
|
|
const DATA_BLOB *blob = NULL;
|
|
|
|
if (attr->value_ctr.num_values != 1) {
|
|
continue;
|
|
}
|
|
|
|
if (attr->value_ctr.values[0].blob == NULL) {
|
|
continue;
|
|
}
|
|
|
|
blob = attr->value_ctr.values[0].blob;
|
|
|
|
switch (attr->attid) {
|
|
case DRSUAPI_ATTID_trustPartner:
|
|
pull_string_talloc(mem_ctx, NULL, 0, &trustPartner,
|
|
blob->data, blob->length,
|
|
STR_UNICODE);
|
|
break;
|
|
case DRSUAPI_ATTID_flatName:
|
|
pull_string_talloc(mem_ctx, NULL, 0, &flatName,
|
|
blob->data, blob->length,
|
|
STR_UNICODE);
|
|
break;
|
|
case DRSUAPI_ATTID_cn:
|
|
pull_string_talloc(mem_ctx, NULL, 0, &cn,
|
|
blob->data, blob->length,
|
|
STR_UNICODE);
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (trustPartner != NULL) {
|
|
trust_name = trustPartner;
|
|
} else if (flatName != NULL) {
|
|
trust_name = flatName;
|
|
} else {
|
|
trust_name = cn;
|
|
}
|
|
|
|
status = store_or_fetch_attribute(mem_ctx,
|
|
ctx,
|
|
dn,
|
|
"REMOTETRUSTNAME",
|
|
&trust_name);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
DBG_ERR("store_or_fetch_attribute(%s, %s, %s): %s\n",
|
|
dn, "REMOTETRUSTNAME", trust_name,
|
|
nt_errstr(status));
|
|
return status;
|
|
}
|
|
|
|
if (trust_name == NULL) {
|
|
D_DEBUG("no trust_name (trustPartner, flatName, cn) found - "
|
|
"skipping.\n");
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
trust_realm = strupper_talloc(mem_ctx, trust_name);
|
|
if (trust_realm == NULL) {
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
our_realm = strupper_talloc(mem_ctx, ctx->dns_domain_name);
|
|
if (our_realm == NULL) {
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
incoming_salt = talloc_asprintf(mem_ctx,
|
|
"krbtgt/%s@%s",
|
|
trust_realm,
|
|
our_realm);
|
|
if (incoming_salt == NULL) {
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
outgoing_salt = talloc_asprintf(mem_ctx,
|
|
"krbtgt/%s@%s",
|
|
our_realm,
|
|
trust_realm);
|
|
if (outgoing_salt == NULL) {
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
for (i = 0; i < cur->object.attribute_ctr.num_attributes; i++) {
|
|
struct drsuapi_DsReplicaAttribute *attr =
|
|
&cur->object.attribute_ctr.attributes[i];
|
|
const char *attr_name = NULL;
|
|
const DATA_BLOB *blob = NULL;
|
|
const char *salt_principal = NULL;
|
|
|
|
if (attr->value_ctr.num_values != 1) {
|
|
continue;
|
|
}
|
|
|
|
if (attr->value_ctr.values[0].blob == NULL) {
|
|
continue;
|
|
}
|
|
|
|
blob = attr->value_ctr.values[0].blob;
|
|
|
|
switch (attr->attid) {
|
|
case DRSUAPI_ATTID_trustAuthIncoming:
|
|
attr_name = "trustAuthIncoming";
|
|
salt_principal = incoming_salt;
|
|
break;
|
|
case DRSUAPI_ATTID_trustAuthOutgoing:
|
|
attr_name = "trustAuthOutgoing";
|
|
salt_principal = outgoing_salt;
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
|
|
if (attr_name == NULL) {
|
|
continue;
|
|
}
|
|
|
|
status = parse_trustAuthInOutBlob(mem_ctx,
|
|
ctx,
|
|
dn,
|
|
trust_name,
|
|
attr_name,
|
|
salt_principal,
|
|
blob);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
DBG_ERR("parsing of %s attr %s failed: %s\n",
|
|
dn, attr_name, nt_errstr(status));
|
|
}
|
|
}
|
|
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
static NTSTATUS parse_object(TALLOC_CTX *mem_ctx,
|
|
struct libnet_keytab_context *ctx,
|
|
struct drsuapi_DsReplicaObjectListItemEx *cur)
|
|
{
|
|
uint32_t i;
|
|
|
|
if (cur->object.identifier->dn == NULL) {
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
for (i = 0; i < cur->object.attribute_ctr.num_attributes; i++) {
|
|
struct drsuapi_DsReplicaAttribute *attr =
|
|
&cur->object.attribute_ctr.attributes[i];
|
|
const DATA_BLOB *blob = NULL;
|
|
uint32_t val;
|
|
|
|
switch (attr->attid) {
|
|
case DRSUAPI_ATTID_isDeleted:
|
|
case DRSUAPI_ATTID_isRecycled:
|
|
break;
|
|
default:
|
|
continue;
|
|
}
|
|
|
|
if (attr->value_ctr.num_values != 1) {
|
|
continue;
|
|
}
|
|
|
|
if (attr->value_ctr.values[0].blob == NULL) {
|
|
continue;
|
|
}
|
|
|
|
blob = attr->value_ctr.values[0].blob;
|
|
|
|
if (blob->length != 4) {
|
|
continue;
|
|
}
|
|
|
|
val = PULL_LE_U32(blob->data, 0);
|
|
if (val != 0) {
|
|
/* ignore deleted object */
|
|
return NT_STATUS_OK;
|
|
}
|
|
}
|
|
|
|
for (i = 0; i < cur->object.attribute_ctr.num_attributes; i++) {
|
|
struct drsuapi_DsReplicaAttribute *attr =
|
|
&cur->object.attribute_ctr.attributes[i];
|
|
|
|
switch (attr->attid) {
|
|
case DRSUAPI_ATTID_unicodePwd:
|
|
case DRSUAPI_ATTID_ntPwdHistory:
|
|
case DRSUAPI_ATTID_supplementalCredentials:
|
|
return parse_user(mem_ctx, ctx, cur);
|
|
case DRSUAPI_ATTID_trustAuthIncoming:
|
|
case DRSUAPI_ATTID_trustAuthOutgoing:
|
|
return parse_tdo(mem_ctx, ctx, cur);
|
|
default:
|
|
continue;
|
|
}
|
|
}
|
|
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
static bool dn_is_in_object_list(struct dssync_context *ctx,
|
|
const char *dn)
|
|
{
|
|
uint32_t count;
|
|
|
|
if (ctx->object_count == 0) {
|
|
return true;
|
|
}
|
|
|
|
for (count = 0; count < ctx->object_count; count++) {
|
|
if (strequal(ctx->object_dns[count], dn)) {
|
|
return true;
|
|
}
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
/****************************************************************
|
|
****************************************************************/
|
|
|
|
static NTSTATUS keytab_process_objects(struct dssync_context *ctx,
|
|
TALLOC_CTX *mem_ctx,
|
|
struct drsuapi_DsReplicaObjectListItemEx *cur,
|
|
struct drsuapi_DsReplicaOIDMapping_Ctr *mapping_ctr)
|
|
{
|
|
NTSTATUS status = NT_STATUS_OK;
|
|
struct libnet_keytab_context *keytab_ctx =
|
|
(struct libnet_keytab_context *)ctx->private_data;
|
|
|
|
for (; cur; cur = cur->next_object) {
|
|
/*
|
|
* When not in single object replication mode,
|
|
* the object_dn list is used as a positive write filter.
|
|
*/
|
|
if (!ctx->single_object_replication &&
|
|
!dn_is_in_object_list(ctx, cur->object.identifier->dn))
|
|
{
|
|
continue;
|
|
}
|
|
|
|
status = parse_object(mem_ctx, keytab_ctx, cur);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
goto out;
|
|
}
|
|
}
|
|
|
|
out:
|
|
return status;
|
|
}
|
|
|
|
#else
|
|
|
|
static NTSTATUS keytab_startup(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
|
|
struct replUpToDateVectorBlob **pold_utdv)
|
|
{
|
|
return NT_STATUS_NOT_SUPPORTED;
|
|
}
|
|
|
|
static NTSTATUS keytab_finish(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
|
|
struct replUpToDateVectorBlob *new_utdv)
|
|
{
|
|
return NT_STATUS_NOT_SUPPORTED;
|
|
}
|
|
|
|
static NTSTATUS keytab_process_objects(struct dssync_context *ctx,
|
|
TALLOC_CTX *mem_ctx,
|
|
struct drsuapi_DsReplicaObjectListItemEx *cur,
|
|
struct drsuapi_DsReplicaOIDMapping_Ctr *mapping_ctr)
|
|
{
|
|
return NT_STATUS_NOT_SUPPORTED;
|
|
}
|
|
#endif /* defined(HAVE_ADS) */
|
|
|
|
const struct dssync_ops libnet_dssync_keytab_ops = {
|
|
.startup = keytab_startup,
|
|
.process_objects = keytab_process_objects,
|
|
.finish = keytab_finish,
|
|
};
|