sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-15 05:57:49 +03:00
Code
samba-mirror/source4/dsdb/samdb/ldb_modules/password_hash.c
Simo Sorce 8081e4f402 r15795: Try to use the async code by default 
It passess all my tests, but I still need to work on a lot of stuff.
Shouldn't impact anybody else work, so I want to commit now and see what happens

Will work to remove the old code from modules and backends soon, and make some
more restyling in ldb internals.

So, if there is something you don't like in this desgin please speak now.

Simo.
(This used to be commit 8b2a563e716a789ea77cbfbf2f372724de5361ce)
2007-10-10 14:08:21 -05:00

1830 lines
56 KiB
C
Raw Blame History

/*
ldb database module
Copyright (C) Simo Sorce 2004
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
Copyright (C) Andrew Tridgell 2004
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
/*
* Name: ldb
*
* Component: ldb password_hash module
*
* Description: correctly update hash values based on changes to sambaPassword and friends
*
* Author: Andrew Bartlett
*/
#include "includes.h"
#include "libcli/ldap/ldap.h"
#include "ldb/include/ldb_errors.h"
#include "ldb/include/ldb_private.h"
#include "librpc/gen_ndr/misc.h"
#include "librpc/gen_ndr/samr.h"
#include "libcli/auth/libcli_auth.h"
#include "libcli/security/security.h"
#include "system/kerberos.h"
#include "auth/kerberos/kerberos.h"
#include "system/time.h"
#include "dsdb/samdb/samdb.h"
#include "ads.h"
#include "hdb.h"
/* If we have decided there is reason to work on this request, then
* setup all the password hash types correctly.
*
* If the administrator doesn't want the sambaPassword stored (set in the
* domain and per-account policies) then we must strip that out before
* we do the first operation.
*
* Once this is done (which could update anything at all), we
* calculate the password hashes.
*
* This function must not only update the ntPwdHash, lmPwdHash and
* krb5Key fields, it must also atomicly increment the
* msDS-KeyVersionNumber. We should be in a transaction, so all this
* should be quite safe...
*
* Finally, if the administrator has requested that a password history
* be maintained, then this should also be written out.
*
*/
static int password_hash_handle(struct ldb_module *module, struct ldb_request *req,
const struct ldb_message *msg)
{
int ret, old_ret = -1;
uint_t pwdProperties, pwdHistoryLength;
uint_t userAccountControl;
const char *dnsDomain, *realm;
const char *sambaPassword = NULL;
struct samr_Password *sambaLMPwdHistory, *sambaNTPwdHistory;
struct samr_Password *lmPwdHash, *ntPwdHash;
struct samr_Password *lmOldHash = NULL, *ntOldHash = NULL;
struct samr_Password *new_sambaLMPwdHistory, *new_sambaNTPwdHistory;
struct samr_Password local_lmNewHash, local_ntNewHash;
int sambaLMPwdHistory_len, sambaNTPwdHistory_len;
uint_t kvno;
struct dom_sid *domain_sid;
time_t now = time(NULL);
NTTIME now_nt;
int i;
krb5_error_code krb5_ret;
struct smb_krb5_context *smb_krb5_context;
struct ldb_message_element *attribute;
struct ldb_dn *dn = msg->dn;
struct ldb_message *msg2;
struct ldb_request *search_request = NULL;
struct ldb_request *modify_request;
struct ldb_request *modified_orig_request;
struct ldb_result *res, *dom_res, *old_res;
struct ldb_message_element *objectclasses;
struct ldb_val computer_val;
struct ldb_val person_val;
BOOL is_computer;
struct ldb_message *modify_msg;
const char *domain_expression;
const char *old_user_attrs[] = { "lmPwdHash", "ntPwdHash", NULL };
const char *user_attrs[] = { "userAccountControl", "sambaLMPwdHistory",
"sambaNTPwdHistory",
"ntPwdHash",
"objectSid", "msDS-KeyVersionNumber",
"objectClass", "userPrincipalName",
"samAccountName",
NULL };
const char * const domain_attrs[] = { "pwdProperties", "pwdHistoryLength",
"dnsDomain", NULL };
TALLOC_CTX *mem_ctx;
/* Do the original action */
mem_ctx = talloc_new(module);
if (!mem_ctx) {
return LDB_ERR_OPERATIONS_ERROR;
}
if (req->operation == LDB_REQ_MODIFY) {
search_request = talloc(mem_ctx, struct ldb_request);
if (!search_request) {
talloc_free(mem_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
/* Look up the old ntPwdHash and lmPwdHash values, so
* we can later place these into the password
* history */
search_request->operation = LDB_REQ_SEARCH;
search_request->op.search.base = dn;
search_request->op.search.scope = LDB_SCOPE_BASE;
search_request->op.search.tree = ldb_parse_tree(module->ldb, NULL);
search_request->op.search.attrs = old_user_attrs;
search_request->controls = NULL;
old_ret = ldb_next_request(module, search_request);
}
/* we can't change things untill we copy it */
msg2 = ldb_msg_copy_shallow(mem_ctx, msg);
/* look again, this time at the copied attribute */
if (!msg2 || (attribute = ldb_msg_find_element(msg2, "sambaPassword")) == NULL ) {
talloc_free(mem_ctx);
/* Gah? where did it go? Oh well... */
return LDB_ERR_OPERATIONS_ERROR;
}
/* Wipe out the sambaPassword attribute set, we will handle it in
* the second modify. We might not want it written to disk */
if (req->operation == LDB_REQ_ADD) {
if (attribute->num_values > 1) {
ldb_set_errstring(module->ldb,
talloc_asprintf(mem_ctx, "sambaPassword_handle: "
"attempted set of multiple sambaPassword attributes on %s rejected",
ldb_dn_linearize(mem_ctx, dn)));
talloc_free(mem_ctx);
return LDB_ERR_CONSTRAINT_VIOLATION;
}
if (attribute->num_values == 1) {
sambaPassword = (const char *)attribute->values[0].data;
ldb_msg_remove_attr(msg2, "sambaPassword");
}
} else if (((attribute->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_ADD)
|| ((attribute->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_REPLACE)) {
if (attribute->num_values > 1) {
ldb_set_errstring(module->ldb,
talloc_asprintf(mem_ctx, "sambaPassword_handle: "
"attempted set of multiple sambaPassword attributes on %s rejected",
ldb_dn_linearize(mem_ctx, dn)));
talloc_free(mem_ctx);
return LDB_ERR_CONSTRAINT_VIOLATION;
}
if (attribute->num_values == 1) {
sambaPassword = (const char *)attribute->values[0].data;
ldb_msg_remove_attr(msg2, "sambaPassword");
}
}
modified_orig_request = talloc(mem_ctx, struct ldb_request);
if (!modified_orig_request) {
talloc_free(mem_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
*modified_orig_request = *req;
switch (modified_orig_request->operation) {
case LDB_REQ_ADD:
modified_orig_request->op.add.message = msg2;
break;
case LDB_REQ_MODIFY:
modified_orig_request->op.mod.message = msg2;
break;
default:
return LDB_ERR_OPERATIONS_ERROR;
}
/* Send the (modified) request of the original caller down to the database */
ret = ldb_next_request(module, modified_orig_request);
if (ret) {
talloc_free(mem_ctx);
return ret;
}
/* While we do the search first (for the old password hashes),
* we don't want to override any error that the modify may
* have returned. Now check the error */
if (req->operation == LDB_REQ_MODIFY) {
if (old_ret) {
talloc_free(mem_ctx);
return old_ret;
}
/* Find out the old passwords details of the user */
old_res = search_request->op.search.res;
talloc_steal(mem_ctx, old_res);
talloc_free(search_request);
if (old_res->count != 1) {
ldb_set_errstring(module->ldb,
talloc_asprintf(mem_ctx, "password_hash_handle: "
"(pre) search for %s found %d != 1 objects, for entry we just modified",
ldb_dn_linearize(mem_ctx, dn),
old_res->count));
/* What happend? The above add/modify worked... */
talloc_free(mem_ctx);
return LDB_ERR_NO_SUCH_OBJECT;
}
lmOldHash = samdb_result_hash(mem_ctx, old_res->msgs[0], "lmPwdHash");
ntOldHash = samdb_result_hash(mem_ctx, old_res->msgs[0], "ntPwdHash");
}
/* Start finding out details we need for the second modify.
* We do this after the first add/modify because other modules
* will have filled in the templates, and we may have had
* things like the username (affecting the salt) changed along
* with the password. */
/* Now find out what is on the entry after the above add/modify */
search_request = talloc(mem_ctx, struct ldb_request);
if (!search_request) {
talloc_free(mem_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
search_request->operation = LDB_REQ_SEARCH;
search_request->op.search.base = dn;
search_request->op.search.scope = LDB_SCOPE_BASE;
search_request->op.search.tree = ldb_parse_tree(module->ldb, NULL);
search_request->op.search.attrs = user_attrs;
search_request->controls = NULL;
ret = ldb_next_request(module, search_request);
if (ret) {
talloc_free(mem_ctx);
return ret;
}
/* Find out the full details of the user */
res = search_request->op.search.res;
talloc_steal(mem_ctx, res);
talloc_free(search_request);
if (res->count != 1) {
ldb_set_errstring(module->ldb,
talloc_asprintf(mem_ctx, "password_hash_handle: "
"search for %s found %d != 1 objects, for entry we just added/modified",
ldb_dn_linearize(mem_ctx, dn),
res->count));
/* What happend? The above add/modify worked... */
talloc_free(mem_ctx);
return LDB_ERR_NO_SUCH_OBJECT;
}
userAccountControl = samdb_result_uint(res->msgs[0], "userAccountControl", 0);
sambaLMPwdHistory_len = samdb_result_hashes(mem_ctx, res->msgs[0],
"sambaLMPwdHistory", &sambaLMPwdHistory);
sambaNTPwdHistory_len = samdb_result_hashes(mem_ctx, res->msgs[0],
"sambaNTPwdHistory", &sambaNTPwdHistory);
ntPwdHash = samdb_result_hash(mem_ctx, res->msgs[0], "ntPwdHash");
kvno = samdb_result_uint(res->msgs[0], "msDS-KeyVersionNumber", 0);
domain_sid = samdb_result_sid_prefix(mem_ctx, res->msgs[0], "objectSid");
objectclasses = ldb_msg_find_element(res->msgs[0], "objectClass");
person_val = data_blob_string_const("person");
if (!objectclasses || !ldb_msg_find_val(objectclasses, &person_val)) {
/* Not a 'person', so the rest of this doesn't make
* sense. How we got a sambaPassword this far I don't
* know... */
ldb_set_errstring(module->ldb,
talloc_asprintf(mem_ctx, "password_hash_handle: "
"attempted set of sambaPassword on non-'person' object %s rejected",
ldb_dn_linearize(mem_ctx, dn)));
talloc_free(mem_ctx);
return LDB_ERR_CONSTRAINT_VIOLATION;
}
computer_val = data_blob_string_const("computer");
if (ldb_msg_find_val(objectclasses, &computer_val)) {
is_computer = True;
} else {
is_computer = False;
}
domain_expression = talloc_asprintf(mem_ctx, "(&(objectSid=%s)(objectClass=domain))",
ldap_encode_ndr_dom_sid(mem_ctx, domain_sid));
/* Find the user's domain, then find out the domain password
* properties */
ret = ldb_search(module->ldb, NULL, LDB_SCOPE_SUBTREE, domain_expression,
domain_attrs, &dom_res);
if (ret) {
talloc_free(mem_ctx);
return ret;
}
if (dom_res->count != 1) {
/* What happend? The user we are modifying must be odd... */
ldb_set_errstring(module->ldb,
talloc_asprintf(mem_ctx, "password_hash_handle: "
"search for domain %s found %d != 1 objects",
dom_sid_string(mem_ctx, domain_sid),
dom_res->count));
talloc_free(mem_ctx);
return LDB_ERR_NO_SUCH_OBJECT;
}
pwdProperties = samdb_result_uint(dom_res->msgs[0], "pwdProperties", 0);
pwdHistoryLength = samdb_result_uint(dom_res->msgs[0], "pwdHistoryLength", 0);
dnsDomain = ldb_msg_find_string(dom_res->msgs[0], "dnsDomain", NULL);
realm = strupper_talloc(mem_ctx, dnsDomain);
/* Some operations below require kerberos contexts */
if (smb_krb5_init_context(mem_ctx, &smb_krb5_context) != 0) {
talloc_free(mem_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
/* Prepare the modifications to set all the hash/key types */
modify_msg = ldb_msg_new(req);
modify_msg->dn = talloc_reference(modify_msg, dn);
#define CHECK_RET(x) \
do { \
int check_ret = x; \
if (check_ret != LDB_SUCCESS) { \
talloc_free(mem_ctx); \
return check_ret; \
} \
} while(0)
/* Setup krb5Key (we want to either delete an existing value,
* or replace with a new one). Both the unicode and NT hash
* only branches append keys to this multivalued entry. */
CHECK_RET(ldb_msg_add_empty(modify_msg, "krb5Key", LDB_FLAG_MOD_REPLACE));
/* Yay, we can compute new password hashes from the unicode
* password */
if (sambaPassword) {
Principal *salt_principal;
const char *user_principal_name = ldb_msg_find_string(res->msgs[0], "userPrincipalName", NULL);
Key *keys;
size_t num_keys;
/* compute the new nt and lm hashes */
if (E_deshash(sambaPassword, local_lmNewHash.hash)) {
lmPwdHash = &local_lmNewHash;
} else {
lmPwdHash = NULL;
}
E_md4hash(sambaPassword, local_ntNewHash.hash);
ntPwdHash = &local_ntNewHash;
CHECK_RET(ldb_msg_add_empty(modify_msg, "ntPwdHash",
LDB_FLAG_MOD_REPLACE));
CHECK_RET(samdb_msg_add_hash(module->ldb, req,
modify_msg, "ntPwdHash",
ntPwdHash));
CHECK_RET(ldb_msg_add_empty(modify_msg, "lmPwdHash",
LDB_FLAG_MOD_REPLACE));
if (lmPwdHash) {
CHECK_RET(samdb_msg_add_hash(module->ldb, req,
modify_msg, "lmPwdHash",
lmPwdHash));
}
/* Many, many thanks to lukeh@padl.com for this
* algorithm, described in his Nov 10 2004 mail to
* samba-technical@samba.org */
if (is_computer) {
/* Determine a salting principal */
char *samAccountName = talloc_strdup(mem_ctx, ldb_msg_find_string(res->msgs[0], "samAccountName", NULL));
char *saltbody;
if (!samAccountName) {
ldb_set_errstring(module->ldb,
talloc_asprintf(mem_ctx, "password_hash_handle: "
"generation of new kerberos keys failed: %s is a computer without a samAccountName",
ldb_dn_linearize(mem_ctx, dn)));
talloc_free(mem_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
if (samAccountName[strlen(samAccountName)-1] == '$') {
samAccountName[strlen(samAccountName)-1] = '\0';
}
saltbody = talloc_asprintf(mem_ctx, "%s.%s", samAccountName, dnsDomain);
krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context, &salt_principal, realm, "host", saltbody, NULL);
} else if (user_principal_name) {
char *p;
user_principal_name = talloc_strdup(mem_ctx, user_principal_name);
if (!user_principal_name) {
talloc_free(mem_ctx);
return LDB_ERR_OPERATIONS_ERROR;
} else {
p = strchr(user_principal_name, '@');
if (p) {
p[0] = '\0';
}
krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context, &salt_principal, realm, user_principal_name, NULL);
}
} else {
const char *samAccountName = ldb_msg_find_string(res->msgs[0], "samAccountName", NULL);
if (!samAccountName) {
ldb_set_errstring(module->ldb,
talloc_asprintf(mem_ctx, "password_hash_handle: "
"generation of new kerberos keys failed: %s has no samAccountName",
ldb_dn_linearize(mem_ctx, dn)));
talloc_free(mem_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context, &salt_principal, realm, samAccountName, NULL);
}
if (krb5_ret) {
ldb_set_errstring(module->ldb,
talloc_asprintf(mem_ctx, "password_hash_handle: "
"generation of a saltking principal failed: %s",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
krb5_ret, mem_ctx)));
talloc_free(mem_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
/* TODO: We may wish to control the encryption types chosen in future */
krb5_ret = hdb_generate_key_set_password(smb_krb5_context->krb5_context,
salt_principal, sambaPassword, &keys, &num_keys);
krb5_free_principal(smb_krb5_context->krb5_context, salt_principal);
if (krb5_ret) {
ldb_set_errstring(module->ldb,
talloc_asprintf(mem_ctx, "password_hash_handle: "
"generation of new kerberos keys failed: %s",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
krb5_ret, mem_ctx)));
talloc_free(mem_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
/* Walking all the key types generated, transform each
* key into an ASN.1 blob
*/
for (i=0; i < num_keys; i++) {
unsigned char *buf;
size_t buf_size;
size_t len;
struct ldb_val val;
if (keys[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
/* We might end up doing this below:
* This ensures we get the unicode
* conversion right. This should also
* be fixed in the Heimdal libs */
continue;
}
ASN1_MALLOC_ENCODE(Key, buf, buf_size, &keys[i], &len, krb5_ret);
if (krb5_ret) {
return LDB_ERR_OPERATIONS_ERROR;
}
val.data = talloc_memdup(req, buf, len);
val.length = len;
free(buf);
if (!val.data || krb5_ret) {
hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys);
talloc_free(mem_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
ret = ldb_msg_add_value(modify_msg, "krb5Key", &val);
if (ret != LDB_SUCCESS) {
hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys);
talloc_free(mem_ctx);
return ret;
}
}
hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys);
}
/* Possibly kill off the cleartext or store it */
CHECK_RET(ldb_msg_add_empty(modify_msg, "sambaPassword", LDB_FLAG_MOD_REPLACE));
if (sambaPassword && (pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT) &&
(userAccountControl & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
CHECK_RET(ldb_msg_add_string(modify_msg, "sambaPassword", sambaPassword));
}
/* Even if we didn't get a sambaPassword, we can still setup
* krb5Key from the NT hash.
*
* This is an append, so it works with the 'continue' in the
* unicode loop above, to use Samba's NT hash function, which
* is more correct than Heimdal's
*/
if (ntPwdHash) {
unsigned char *buf;
size_t buf_size;
size_t len;
struct ldb_val val;
Key key;
key.mkvno = 0;
key.salt = NULL; /* No salt for this enc type */
krb5_ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
ETYPE_ARCFOUR_HMAC_MD5,
ntPwdHash->hash, sizeof(ntPwdHash->hash),
&key.key);
if (krb5_ret) {
return LDB_ERR_OPERATIONS_ERROR;
}
ASN1_MALLOC_ENCODE(Key, buf, buf_size, &key, &len, krb5_ret);
if (krb5_ret) {
return LDB_ERR_OPERATIONS_ERROR;
}
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&key.key);
val.data = talloc_memdup(req, buf, len);
val.length = len;
free(buf);
if (!val.data || ret) {
return LDB_ERR_OPERATIONS_ERROR;
}
CHECK_RET(ldb_msg_add_value(modify_msg, "krb5Key", &val));
}
/* If the original caller did anything with pwdLastSet then skip this. It could be an incoming samsync */
attribute = ldb_msg_find_element(msg, "pwdLastSet");
if (attribute == NULL) {
/* Update the password last set time */
unix_to_nt_time(&now_nt, now);
CHECK_RET(ldb_msg_add_empty(modify_msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE));
CHECK_RET(samdb_msg_add_uint64(module->ldb, mem_ctx, modify_msg, "pwdLastSet", now_nt));
}
/* If the original caller did anything with "msDS-KeyVersionNumber" then skip this. It could be an incoming samsync */
attribute = ldb_msg_find_element(msg, "msDS-KeyVersionNumber");
if (attribute == NULL) {
if (kvno == 0) {
CHECK_RET(ldb_msg_add_empty(modify_msg, "msDS-KeyVersionNumber",
LDB_FLAG_MOD_REPLACE));
CHECK_RET(samdb_msg_add_uint(module->ldb, mem_ctx, modify_msg, "msDS-KeyVersionNumber", kvno + 1));
} else {
/* While we should be in a transaction, go one extra
* step in the dance for an 'atomic' increment. This
* may be of value against remote LDAP servers. (Note
* however that Mulitmaster replication stil offers no
* such guarantee) */
struct ldb_val old_kvno, new_kvno;
old_kvno.data = (uint8_t *)talloc_asprintf(mem_ctx, "%u", kvno);
if (!old_kvno.data) {
return -1;
}
old_kvno.length = strlen((char *)old_kvno.data);
new_kvno.data = (uint8_t *)talloc_asprintf(mem_ctx, "%u", kvno + 1);
if (!new_kvno.data) {
return -1;
}
new_kvno.length = strlen((char *)new_kvno.data);
CHECK_RET(ldb_msg_add_empty(modify_msg, "msDS-KeyVersionNumber",
LDB_FLAG_MOD_DELETE));
CHECK_RET(ldb_msg_add_empty(modify_msg, "msDS-KeyVersionNumber",
LDB_FLAG_MOD_ADD));
modify_msg->elements[modify_msg->num_elements - 2].num_values = 1;
modify_msg->elements[modify_msg->num_elements - 2].values = &old_kvno;
modify_msg->elements[modify_msg->num_elements - 1].num_values = 1;
modify_msg->elements[modify_msg->num_elements - 1].values = &new_kvno;
}
}
CHECK_RET(ldb_msg_add_empty(modify_msg, "sambaLMPwdHistory",
LDB_FLAG_MOD_REPLACE));
CHECK_RET(ldb_msg_add_empty(modify_msg, "sambaNTPwdHistory",
LDB_FLAG_MOD_REPLACE));
/* If we have something to put into the history, or an old
* history element to expire, update the history */
if (pwdHistoryLength > 0 &&
((sambaNTPwdHistory_len > 0) || (sambaLMPwdHistory_len > 0)
|| lmOldHash || ntOldHash)) {
/* store the password history */
new_sambaLMPwdHistory = talloc_array(mem_ctx, struct samr_Password,
pwdHistoryLength);
if (!new_sambaLMPwdHistory) {
return LDB_ERR_OPERATIONS_ERROR;
}
new_sambaNTPwdHistory = talloc_array(mem_ctx, struct samr_Password,
pwdHistoryLength);
if (!new_sambaNTPwdHistory) {
return LDB_ERR_OPERATIONS_ERROR;
}
for (i=0;i<MIN(pwdHistoryLength-1, sambaLMPwdHistory_len);i++) {
new_sambaLMPwdHistory[i+1] = sambaLMPwdHistory[i];
}
for (i=0;i<MIN(pwdHistoryLength-1, sambaNTPwdHistory_len);i++) {
new_sambaNTPwdHistory[i+1] = sambaNTPwdHistory[i];
}
/* Don't store 'long' passwords in the LM history,
but make sure to 'expire' one password off the other end */
if (lmOldHash) {
new_sambaLMPwdHistory[0] = *lmOldHash;
} else {
ZERO_STRUCT(new_sambaLMPwdHistory[0]);
}
sambaLMPwdHistory_len = MIN(sambaLMPwdHistory_len + 1, pwdHistoryLength);
/* Likewise, we might not have an old NT password (lm
* only password change function on previous change) */
if (ntOldHash) {
new_sambaNTPwdHistory[0] = *ntOldHash;
} else {
ZERO_STRUCT(new_sambaNTPwdHistory[0]);
}
sambaNTPwdHistory_len = MIN(sambaNTPwdHistory_len + 1, pwdHistoryLength);
CHECK_RET(samdb_msg_add_hashes(mem_ctx, modify_msg,
"sambaLMPwdHistory",
new_sambaLMPwdHistory,
sambaLMPwdHistory_len));
CHECK_RET(samdb_msg_add_hashes(mem_ctx, modify_msg,
"sambaNTPwdHistory",
new_sambaNTPwdHistory,
sambaNTPwdHistory_len));
}
/* Too much code above, we should check we got it close to reasonable */
CHECK_RET(ldb_msg_sanity_check(modify_msg));
modify_request = talloc(mem_ctx, struct ldb_request);
if (!modify_request) {
talloc_free(mem_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
modify_request->operation = LDB_REQ_MODIFY;
modify_request->op.mod.message = modify_msg;
modify_request->controls = NULL;
ret = ldb_next_request(module, modify_request);
talloc_free(mem_ctx);
return ret;
}
/* add_record: do things with the sambaPassword attribute */
static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
{
const struct ldb_message *msg = req->op.add.message;
ldb_debug(module->ldb, LDB_DEBUG_TRACE, "password_hash_add_record\n");
if (ldb_dn_is_special(msg->dn)) { /* do not manipulate our control entries */
return ldb_next_request(module, req);
}
/* If no part of this touches the sambaPassword, then we don't
* need to make any changes. For password changes/set there should
* be a 'delete' or a 'modify' on this attribute. */
if (ldb_msg_find_element(msg, "sambaPassword") == NULL ) {
return ldb_next_request(module, req);
}
return password_hash_handle(module, req, msg);
}
/* modify_record: do things with the sambaPassword attribute */
static int password_hash_modify(struct ldb_module *module, struct ldb_request *req)
{
const struct ldb_message *msg = req->op.mod.message;
ldb_debug(module->ldb, LDB_DEBUG_TRACE, "password_hash_modify_record\n");
if (ldb_dn_is_special(msg->dn)) { /* do not manipulate our control entries */
return ldb_next_request(module, req);
}
/* If no part of this touches the sambaPassword, then we don't
* need to make any changes. For password changes/set there should
* be a 'delete' or a 'modify' on this attribute. */
if (ldb_msg_find_element(msg, "sambaPassword") == NULL ) {
return ldb_next_request(module, req);
}
return password_hash_handle(module, req, msg);
}
enum ph_type {PH_ADD, PH_MOD};
enum ph_step {PH_ADD_SEARCH_DOM, PH_ADD_DO_ADD, PH_MOD_DO_REQ, PH_MOD_SEARCH_SELF, PH_MOD_SEARCH_DOM, PH_MOD_DO_MOD};
struct ph_async_context {
enum ph_type type;
enum ph_step step;
struct ldb_module *module;
struct ldb_request *orig_req;
struct ldb_request *dom_req;
struct ldb_async_result *dom_res;
struct ldb_request *down_req;
struct ldb_request *search_req;
struct ldb_async_result *search_res;
struct ldb_request *mod_req;
};
struct domain_data {
uint_t pwdProperties;
uint_t pwdHistoryLength;
char *dnsDomain;
char *realm;
};
static int add_password_hashes(struct ldb_module *module, struct ldb_message *msg, int is_mod)
{
const char *sambaPassword;
struct samr_Password tmp_hash;
sambaPassword = ldb_msg_find_string(msg, "sambaPassword", NULL);
if (sambaPassword == NULL) { /* impossible, what happened ?! */
return LDB_ERR_OPERATIONS_ERROR;
}
/* compute the new nt and lm hashes */
if (is_mod) {
if (ldb_msg_add_empty(msg, "ntPwdHash", LDB_FLAG_MOD_REPLACE) != 0) {
return LDB_ERR_OPERATIONS_ERROR;
}
}
E_md4hash(sambaPassword, tmp_hash.hash);
if (samdb_msg_add_hash(module->ldb, msg, msg, "ntPwdHash", &tmp_hash) != 0) {
return LDB_ERR_OPERATIONS_ERROR;
}
if (E_deshash(sambaPassword, tmp_hash.hash)) {
if (is_mod) {
if (ldb_msg_add_empty(msg, "lmPwdHash", LDB_FLAG_MOD_REPLACE) != 0) {
return LDB_ERR_OPERATIONS_ERROR;
}
}
if (samdb_msg_add_hash(module->ldb, msg, msg, "lmPwdHash", &tmp_hash) != 0) {
return LDB_ERR_OPERATIONS_ERROR;
}
}
return LDB_SUCCESS;
}
static int add_krb5_keys_from_password(struct ldb_module *module, struct ldb_message *msg,
struct smb_krb5_context *smb_krb5_context,
struct domain_data *domain,
const char *samAccountName,
const char *user_principal_name,
int is_computer)
{
const char *sambaPassword;
Principal *salt_principal;
krb5_error_code krb5_ret;
size_t num_keys;
Key *keys;
int i;
/* Many, many thanks to lukeh@padl.com for this
* algorithm, described in his Nov 10 2004 mail to
* samba-technical@samba.org */
sambaPassword = ldb_msg_find_string(msg, "sambaPassword", NULL);
if (sambaPassword == NULL) { /* impossible, what happened ?! */
return LDB_ERR_OPERATIONS_ERROR;
}
if (is_computer) {
/* Determine a salting principal */
char *name = talloc_strdup(msg, samAccountName);
char *saltbody;
if (name == NULL) {
ldb_set_errstring(module->ldb,
talloc_asprintf(msg, "password_hash_handle: "
"generation of new kerberos keys failed: %s is a computer without a samAccountName",
ldb_dn_linearize(msg, msg->dn)));
return LDB_ERR_OPERATIONS_ERROR;
}
if (name[strlen(name)-1] == '$') {
name[strlen(name)-1] = '\0';
}
saltbody = talloc_asprintf(msg, "%s.%s", name, domain->dnsDomain);
krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context,
&salt_principal,
domain->realm, "host",
saltbody, NULL);
} else if (user_principal_name) {
char *p;
user_principal_name = talloc_strdup(msg, user_principal_name);
if (user_principal_name == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
} else {
p = strchr(user_principal_name, '@');
if (p) {
p[0] = '\0';
}
krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context,
&salt_principal,
domain->realm, user_principal_name, NULL);
}
} else {
if (!samAccountName) {
ldb_set_errstring(module->ldb,
talloc_asprintf(msg, "password_hash_handle: "
"generation of new kerberos keys failed: %s has no samAccountName",
ldb_dn_linearize(msg, msg->dn)));
return LDB_ERR_OPERATIONS_ERROR;
}
krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context,
&salt_principal,
domain->realm, samAccountName,
NULL);
}
if (krb5_ret) {
ldb_set_errstring(module->ldb,
talloc_asprintf(msg, "password_hash_handle: "
"generation of a saltking principal failed: %s",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
krb5_ret, msg)));
return LDB_ERR_OPERATIONS_ERROR;
}
/* TODO: We may wish to control the encryption types chosen in future */
krb5_ret = hdb_generate_key_set_password(smb_krb5_context->krb5_context,
salt_principal, sambaPassword, &keys, &num_keys);
krb5_free_principal(smb_krb5_context->krb5_context, salt_principal);
if (krb5_ret) {
ldb_set_errstring(module->ldb,
talloc_asprintf(msg, "password_hash_handle: "
"generation of new kerberos keys failed: %s",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
krb5_ret, msg)));
return LDB_ERR_OPERATIONS_ERROR;
}
/* Walking all the key types generated, transform each
* key into an ASN.1 blob
*/
for (i=0; i < num_keys; i++) {
unsigned char *buf;
size_t buf_size;
size_t len;
struct ldb_val val;
int ret;
if (keys[i].key.keytype == ENCTYPE_ARCFOUR_HMAC) {
/* We might end up doing this below:
* This ensures we get the unicode
* conversion right. This should also
* be fixed in the Heimdal libs */
continue;
}
ASN1_MALLOC_ENCODE(Key, buf, buf_size, &keys[i], &len, krb5_ret);
if (krb5_ret) {
return LDB_ERR_OPERATIONS_ERROR;
}
val.data = talloc_memdup(msg, buf, len);
val.length = len;
free(buf);
if (!val.data || krb5_ret) {
hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys);
return LDB_ERR_OPERATIONS_ERROR;
}
ret = ldb_msg_add_value(msg, "krb5Key", &val);
if (ret != LDB_SUCCESS) {
hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys);
return ret;
}
}
hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys);
return LDB_SUCCESS;
}
static int add_krb5_keys_from_NThash(struct ldb_module *module, struct ldb_message *msg,
struct smb_krb5_context *smb_krb5_context)
{
struct samr_Password *ntPwdHash;
krb5_error_code krb5_ret;
unsigned char *buf;
size_t buf_size;
size_t len;
struct ldb_val val;
Key key;
key.mkvno = 0;
key.salt = NULL; /* No salt for this enc type */
ntPwdHash = samdb_result_hash(msg, msg, "ntPwdHash");
if (ntPwdHash == NULL) { /* what happened ?! */
return LDB_ERR_OPERATIONS_ERROR;
}
krb5_ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
ENCTYPE_ARCFOUR_HMAC,
ntPwdHash->hash, sizeof(ntPwdHash->hash),
&key.key);
if (krb5_ret) {
return LDB_ERR_OPERATIONS_ERROR;
}
ASN1_MALLOC_ENCODE(Key, buf, buf_size, &key, &len, krb5_ret);
if (krb5_ret) {
return LDB_ERR_OPERATIONS_ERROR;
}
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&key.key);
val.data = talloc_memdup(msg, buf, len);
val.length = len;
free(buf);
if (!val.data) {
return LDB_ERR_OPERATIONS_ERROR;
}
if (ldb_msg_add_value(msg, "krb5Key", &val) != 0) {
return LDB_ERR_OPERATIONS_ERROR;
}
return LDB_SUCCESS;
}
static int set_pwdLastSet(struct ldb_module *module, struct ldb_message *msg, int is_mod)
{
NTTIME now_nt;
/* set it as now */
unix_to_nt_time(&now_nt, time(NULL));
if (!is_mod) {
/* be sure there isn't a 0 value set (eg. coming from the template) */
ldb_msg_remove_attr(msg, "pwdLastSet");
/* add */
if (ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_ADD) != 0) {
return LDB_ERR_OPERATIONS_ERROR;
}
} else {
/* replace */
if (ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE) != 0) {
return LDB_ERR_OPERATIONS_ERROR;
}
}
if (samdb_msg_add_uint64(module->ldb, msg, msg, "pwdLastSet", now_nt) != 0) {
return LDB_ERR_OPERATIONS_ERROR;
}
return LDB_SUCCESS;
}
static int add_keyVersionNumber(struct ldb_module *module, struct ldb_message *msg, int previous)
{
/* replace or add */
if (ldb_msg_add_empty(msg, "msDS-KeyVersionNumber", LDB_FLAG_MOD_REPLACE) != 0) {
return LDB_ERR_OPERATIONS_ERROR;
}
if (samdb_msg_add_uint(module->ldb, msg, msg, "msDS-KeyVersionNumber", previous+1) != 0) {
return LDB_ERR_OPERATIONS_ERROR;
}
return LDB_SUCCESS;
}
static int setPwdHistory(struct ldb_module *module, struct ldb_message *msg, struct ldb_message *old_msg, int hlen)
{
struct samr_Password *nt_hash;
struct samr_Password *lm_hash;
struct samr_Password *nt_history;
struct samr_Password *lm_history;
struct samr_Password *new_nt_history;
struct samr_Password *new_lm_history;
int nt_hist_len;
int lm_hist_len;
int i;
nt_hash = samdb_result_hash(msg, old_msg, "ntPwdHash");
lm_hash = samdb_result_hash(msg, old_msg, "lmPwdHash");
/* if no previous passwords just return */
if (nt_hash == NULL && lm_hash == NULL) return LDB_SUCCESS;
nt_hist_len = samdb_result_hashes(msg, old_msg, "sambaNTPwdHistory", &nt_history);
lm_hist_len = samdb_result_hashes(msg, old_msg, "sambaLMPwdHistory", &lm_history);
/* We might not have an old NT password */
new_nt_history = talloc_array(msg, struct samr_Password, hlen);
if (new_nt_history == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
for (i = 0; i < MIN(hlen-1, nt_hist_len); i++) {
new_nt_history[i+1] = nt_history[i];
}
nt_hist_len = i + 1;
if (nt_hash) {
new_nt_history[0] = *nt_hash;
} else {
ZERO_STRUCT(new_nt_history[0]);
}
if (ldb_msg_add_empty(msg, "sambaNTPwdHistory", LDB_FLAG_MOD_REPLACE) != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
if (samdb_msg_add_hashes(msg, msg, "sambaNTPwdHistory", new_nt_history, nt_hist_len) != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* Don't store 'long' passwords in the LM history,
but make sure to 'expire' one password off the other end */
new_lm_history = talloc_array(msg, struct samr_Password, hlen);
if (new_lm_history == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
for (i = 0; i < MIN(hlen-1, lm_hist_len); i++) {
new_lm_history[i+1] = lm_history[i];
}
lm_hist_len = i + 1;
if (lm_hash) {
new_lm_history[0] = *lm_hash;
} else {
ZERO_STRUCT(new_lm_history[0]);
}
if (ldb_msg_add_empty(msg, "sambaLMPwdHistory", LDB_FLAG_MOD_REPLACE) != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
if (samdb_msg_add_hashes(msg, msg, "sambaLMPwdHistory", new_lm_history, lm_hist_len) != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
return LDB_SUCCESS;
}
static struct ldb_async_handle *ph_init_handle(struct ldb_request *req, struct ldb_module *module, enum ph_type type)
{
struct ph_async_context *ac;
struct ldb_async_handle *h;
h = talloc_zero(req, struct ldb_async_handle);
if (h == NULL) {
ldb_set_errstring(module->ldb, talloc_asprintf(module, "Out of Memory"));
return NULL;
}
h->module = module;
ac = talloc_zero(h, struct ph_async_context);
if (ac == NULL) {
ldb_set_errstring(module->ldb, talloc_asprintf(module, "Out of Memory"));
talloc_free(h);
return NULL;
}
h->private_data = (void *)ac;
h->state = LDB_ASYNC_INIT;
h->status = LDB_SUCCESS;
ac->type = type;
ac->module = module;
ac->orig_req = req;
return h;
}
static int get_domain_data_callback(struct ldb_context *ldb, void *context, struct ldb_async_result *ares)
{
struct ph_async_context *ac;
if (!context || !ares) {
ldb_set_errstring(ldb, talloc_asprintf(ldb, "NULL Context or Result in callback"));
return LDB_ERR_OPERATIONS_ERROR;
}
ac = talloc_get_type(context, struct ph_async_context);
/* we are interested only in the single reply (base search) we receive here */
if (ares->type == LDB_REPLY_ENTRY) {
if (ac->dom_res != NULL) {
ldb_set_errstring(ldb, talloc_asprintf(ldb, "Too many results"));
talloc_free(ares);
return LDB_ERR_OPERATIONS_ERROR;
}
ac->dom_res = talloc_steal(ac, ares);
} else {
talloc_free(ares);
}
return LDB_SUCCESS;
}
static int build_domain_data_request(struct ph_async_context *ac,
struct dom_sid *sid)
{
const char * const attrs[] = { "pwdProperties", "pwdHistoryLength", "dnsDomain", NULL };
char *filter;
ac->dom_req = talloc_zero(ac, struct ldb_request);
if (ac->dom_req == NULL) {
ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
return LDB_ERR_OPERATIONS_ERROR;
}
ac->dom_req->operation = LDB_ASYNC_SEARCH;
ac->dom_req->op.search.base = NULL;
ac->dom_req->op.search.scope = LDB_SCOPE_SUBTREE;
filter = talloc_asprintf(ac->dom_req, "(&(objectSid=%s)(objectClass=domain))", dom_sid_string(ac->dom_req, sid));
if (filter == NULL) {
ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
talloc_free(ac->dom_req);
return LDB_ERR_OPERATIONS_ERROR;
}
ac->dom_req->op.search.tree = ldb_parse_tree(ac->module->ldb, filter);
if (ac->dom_req->op.search.tree == NULL) {
ldb_set_errstring(ac->module->ldb, talloc_asprintf(ac, "Invalid search filter"));
talloc_free(ac->dom_req);
return LDB_ERR_OPERATIONS_ERROR;
}
ac->dom_req->op.search.attrs = attrs;
ac->dom_req->controls = NULL;
ac->dom_req->creds = ac->orig_req->creds;
ac->dom_req->async.context = ac;
ac->dom_req->async.callback = get_domain_data_callback;
ac->dom_req->async.timeout = ac->orig_req->async.timeout;
return LDB_SUCCESS;
}
static struct domain_data *get_domain_data(struct ldb_module *module, void *mem_ctx, struct ldb_async_result *res)
{
struct domain_data *data;
const char *tmp;
data = talloc_zero(mem_ctx, struct domain_data);
if (data == NULL) {
return NULL;
}
data->pwdProperties = samdb_result_uint(res->message, "pwdProperties", 0);
data->pwdHistoryLength = samdb_result_uint(res->message, "pwdHistoryLength", 0);
tmp = ldb_msg_find_string(res->message, "dnsDomain", NULL);
if (tmp != NULL) {
data->dnsDomain = talloc_strdup(data, tmp);
if (data->dnsDomain == NULL) {
ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
return NULL;
}
data->realm = strupper_talloc(mem_ctx, tmp);
if (data->realm == NULL) {
ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
return NULL;
}
}
return data;
}
static int password_hash_add_async(struct ldb_module *module, struct ldb_request *req)
{
struct ldb_async_handle *h;
struct ph_async_context *ac;
struct ldb_message_element *attribute;
struct dom_sid *domain_sid;
int ret;
ldb_debug(module->ldb, LDB_DEBUG_TRACE, "password_hash_add_async\n");
if (ldb_dn_is_special(req->op.add.message->dn)) { /* do not manipulate our control entries */
return ldb_next_request(module, req);
}
/* nobody must touch password Histories */
if (ldb_msg_find_element(req->op.add.message, "sambaNTPwdHistory") ||
ldb_msg_find_element(req->op.add.message, "sambaLMPwdHistory")) {
return LDB_ERR_UNWILLING_TO_PERFORM;
}
/* If no part of this touches the sambaPassword, then we don't
* need to make any changes. For password changes/set there should
* be a 'delete' or a 'modify' on this attribute. */
if ((attribute = ldb_msg_find_element(req->op.add.message, "sambaPassword")) == NULL ) {
return ldb_next_request(module, req);
}
/* if it is not an entry of type person its an error */
/* TODO: remove this when sambaPassword will be in schema */
if (!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "person")) {
return LDB_ERR_OBJECT_CLASS_VIOLATION;
}
/* check sambaPassword is single valued here */
/* TODO: remove this when sambaPassword will be single valued in schema */
if (attribute->num_values > 1) {
ldb_set_errstring(module->ldb, talloc_asprintf(req,
"mupltiple values for sambaPassword not allowed!\n"));
return LDB_ERR_CONSTRAINT_VIOLATION;
}
/* get user domain data */
domain_sid = samdb_result_sid_prefix(req, req->op.add.message, "objectSid");
if (domain_sid == NULL) {
ldb_debug(module->ldb, LDB_DEBUG_ERROR, "can't handle entry with missing objectSid!\n");
return LDB_ERR_OPERATIONS_ERROR;
}
h = ph_init_handle(req, module, PH_ADD);
if (!h) {
return LDB_ERR_OPERATIONS_ERROR;
}
ac = talloc_get_type(h->private_data, struct ph_async_context);
ret = build_domain_data_request(ac, domain_sid);
if (ret != LDB_SUCCESS) {
return ret;
}
ac->step = PH_ADD_SEARCH_DOM;
req->async.handle = h;
return ldb_next_request(module, ac->dom_req);
}
static int password_hash_add_async_do_add(struct ldb_async_handle *h) {
struct ph_async_context *ac;
struct domain_data *domain;
struct smb_krb5_context *smb_krb5_context;
struct ldb_message *msg;
ac = talloc_get_type(h->private_data, struct ph_async_context);
domain = get_domain_data(ac->module, ac, ac->dom_res);
if (domain == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
ac->down_req = talloc(ac, struct ldb_request);
if (ac->down_req == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
*(ac->down_req) = *(ac->orig_req);
ac->down_req->op.add.message = msg = ldb_msg_copy_shallow(ac->down_req, ac->orig_req->op.add.message);
if (ac->down_req->op.add.message == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* Some operations below require kerberos contexts */
if (smb_krb5_init_context(ac->down_req, &smb_krb5_context) != 0) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* we can compute new password hashes from the unicode password */
if (add_password_hashes(ac->module, msg, 0) != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* now add krb5 keys based on unicode password */
if (add_krb5_keys_from_password(ac->module, msg, smb_krb5_context, domain,
ldb_msg_find_string(msg, "samAccountName", NULL),
ldb_msg_find_string(msg, "userPrincipalName", NULL),
ldb_msg_check_string_attribute(msg, "objectClass", "computer")
) != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* add also kr5 keys based on NT the hash */
if (add_krb5_keys_from_NThash(ac->module, msg, smb_krb5_context) != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* if both the domain properties and the user account controls do not permit
* clear text passwords then wipe out the sambaPassword */
if ((!(domain->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT)) ||
(!(ldb_msg_find_uint(msg, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED))) {
ldb_msg_remove_attr(msg, "sambaPassword");
}
/* don't touch it if a value is set. It could be an incoming samsync */
if (ldb_msg_find_uint64(msg, "pwdLastSet", 0) == 0) {
if (set_pwdLastSet(ac->module, msg, 0) != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
}
/* don't touch it if a value is set. It could be an incoming samsync */
if (!ldb_msg_find_element(msg, "msDS-KeyVersionNumber")) {
if (add_keyVersionNumber(ac->module, msg, 0) != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
}
h->state = LDB_ASYNC_INIT;
h->status = LDB_SUCCESS;
ac->step = PH_ADD_DO_ADD;
/* perform the operation */
return ldb_next_request(ac->module, ac->down_req);
}
static int password_hash_mod_async_search_self(struct ldb_async_handle *h);
static int password_hash_modify_async(struct ldb_module *module, struct ldb_request *req)
{
struct ldb_async_handle *h;
struct ph_async_context *ac;
struct ldb_message_element *sambaAttr;
struct ldb_message_element *ntAttr;
struct ldb_message_element *lmAttr;
ldb_debug(module->ldb, LDB_DEBUG_TRACE, "password_hash_add_async\n");
if (ldb_dn_is_special(req->op.mod.message->dn)) { /* do not manipulate our control entries */
return ldb_next_request(module, req);
}
/* nobody must touch password Histories */
if (ldb_msg_find_element(req->op.mod.message, "sambaNTPwdHistory") ||
ldb_msg_find_element(req->op.mod.message, "sambaLMPwdHistory")) {
return LDB_ERR_UNWILLING_TO_PERFORM;
}
sambaAttr = ldb_msg_find_element(req->op.mod.message, "sambaPassword");
ntAttr = ldb_msg_find_element(req->op.mod.message, "ntPwdHash");
lmAttr = ldb_msg_find_element(req->op.mod.message, "lmPwdHash");
/* check passwords are single valued here */
/* TODO: remove this when passwords will be single valued in schema */
if (sambaAttr && (sambaAttr->num_values > 1)) {
return LDB_ERR_CONSTRAINT_VIOLATION;
}
if (ntAttr && (ntAttr->num_values > 1)) {
return LDB_ERR_CONSTRAINT_VIOLATION;
}
if (lmAttr && (lmAttr->num_values > 1)) {
return LDB_ERR_CONSTRAINT_VIOLATION;
}
/* If no part of this touches the sambaPassword OR ntPwdHash and/or lmPwdHash, then we don't
* need to make any changes. For password changes/set there should
* be a 'delete' or a 'modify' on this attribute. */
/* If the only operation is the deletion of the passwords then go on */
if ( ((!sambaAttr) || ((sambaAttr->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE))
&& ((!ntAttr) || ((ntAttr->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE))
&& ((!lmAttr) || ((lmAttr->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE)) ) {
return ldb_next_request(module, req);
}
h = ph_init_handle(req, module, PH_MOD);
if (!h) {
return LDB_ERR_OPERATIONS_ERROR;
}
ac = talloc_get_type(h->private_data, struct ph_async_context);
/* return or own handle to deal with this call */
req->async.handle = h;
/* prepare the first operation */
ac->down_req = talloc_zero(ac, struct ldb_request);
if (ac->down_req == NULL) {
ldb_set_errstring(module->ldb, talloc_asprintf(module->ldb, "Out of memory!"));
return LDB_ERR_OPERATIONS_ERROR;
}
*(ac->down_req) = *req; /* copy the request */
/* use a new message structure so that we can modify it */
ac->down_req->op.mod.message = ldb_msg_copy_shallow(ac->down_req, req->op.mod.message);
/* - remove any imodification to the password from the first commit
* we will make the real modification later */
if (sambaAttr) ldb_msg_remove_attr(ac->down_req->op.mod.message, "sambaPassword");
if (ntAttr) ldb_msg_remove_attr(ac->down_req->op.mod.message, "ntPwdHash");
if (lmAttr) ldb_msg_remove_attr(ac->down_req->op.mod.message, "lmPwdHash");
/* if there was nothing else to be modify skip to next step */
if (ac->down_req->op.mod.message->num_elements == 0) {
talloc_free(ac->down_req);
ac->down_req = NULL;
return password_hash_mod_async_search_self(h);
}
ac->down_req->async.context = NULL;
ac->down_req->async.callback = NULL;
ac->step = PH_MOD_DO_REQ;
return ldb_next_request(module, ac->down_req);
}
static int get_self_callback(struct ldb_context *ldb, void *context, struct ldb_async_result *ares)
{
struct ph_async_context *ac;
if (!context || !ares) {
ldb_set_errstring(ldb, talloc_asprintf(ldb, "NULL Context or Result in callback"));
return LDB_ERR_OPERATIONS_ERROR;
}
ac = talloc_get_type(context, struct ph_async_context);
/* we are interested only in the single reply (base search) we receive here */
if (ares->type == LDB_REPLY_ENTRY) {
if (ac->search_res != NULL) {
ldb_set_errstring(ldb, talloc_asprintf(ldb, "Too many results"));
talloc_free(ares);
return LDB_ERR_OPERATIONS_ERROR;
}
/* if it is not an entry of type person this is an error */
/* TODO: remove this when sambaPassword will be in schema */
if (!ldb_msg_check_string_attribute(ares->message, "objectClass", "person")) {
ldb_set_errstring(ldb, talloc_asprintf(ldb, "Object class violation"));
talloc_free(ares);
return LDB_ERR_OBJECT_CLASS_VIOLATION;
}
ac->search_res = talloc_steal(ac, ares);
} else {
talloc_free(ares);
}
return LDB_SUCCESS;
}
static int password_hash_mod_async_search_self(struct ldb_async_handle *h) {
struct ph_async_context *ac;
ac = talloc_get_type(h->private_data, struct ph_async_context);
/* prepare the search operation */
ac->search_req = talloc_zero(ac, struct ldb_request);
if (ac->search_req == NULL) {
ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
return LDB_ERR_OPERATIONS_ERROR;
}
ac->search_req->operation = LDB_ASYNC_SEARCH;
ac->search_req->op.search.base = ac->orig_req->op.mod.message->dn;
ac->search_req->op.search.scope = LDB_SCOPE_BASE;
ac->search_req->op.search.tree = ldb_parse_tree(ac->module->ldb, NULL);
if (ac->search_req->op.search.tree == NULL) {
ldb_set_errstring(ac->module->ldb, talloc_asprintf(ac, "Invalid search filter"));
return LDB_ERR_OPERATIONS_ERROR;
}
ac->search_req->op.search.attrs = NULL;
ac->search_req->controls = NULL;
ac->search_req->creds = ac->orig_req->creds;
ac->search_req->async.context = ac;
ac->search_req->async.callback = get_self_callback;
ac->search_req->async.timeout = ac->orig_req->async.timeout;
ac->step = PH_MOD_SEARCH_SELF;
return ldb_next_request(ac->module, ac->search_req);
}
static int password_hash_mod_async_search_dom(struct ldb_async_handle *h) {
struct ph_async_context *ac;
struct dom_sid *domain_sid;
int ret;
ac = talloc_get_type(h->private_data, struct ph_async_context);
/* get object domain sid */
domain_sid = samdb_result_sid_prefix(ac, ac->search_res->message, "objectSid");
if (domain_sid == NULL) {
ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "can't handle entry with missing objectSid!\n");
return LDB_ERR_OPERATIONS_ERROR;
}
/* get user domain data */
ret = build_domain_data_request(ac, domain_sid);
if (ret != LDB_SUCCESS) {
return ret;
}
ac->step = PH_MOD_SEARCH_DOM;
return ldb_next_request(ac->module, ac->dom_req);
}
static int password_hash_mod_async_do_mod(struct ldb_async_handle *h) {
struct ph_async_context *ac;
struct domain_data *domain;
struct smb_krb5_context *smb_krb5_context;
struct ldb_message_element *sambaAttr;
struct ldb_message *msg;
int phlen;
ac = talloc_get_type(h->private_data, struct ph_async_context);
domain = get_domain_data(ac->module, ac, ac->dom_res);
if (domain == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
ac->mod_req = talloc(ac, struct ldb_request);
if (ac->mod_req == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
*(ac->mod_req) = *(ac->orig_req);
/* use a new message structure so that we can modify it */
ac->mod_req->op.mod.message = msg = ldb_msg_new(ac->mod_req);
if (msg == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* modify dn */
msg->dn = ac->orig_req->op.mod.message->dn;
/* Some operations below require kerberos contexts */
if (smb_krb5_init_context(ac->mod_req, &smb_krb5_context) != 0) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* we are going to replace the existing krb5key or delete it */
if (ldb_msg_add_empty(msg, "krb5key", LDB_FLAG_MOD_REPLACE) != 0) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* if we have sambaPassword in the original message add the operatio on it here */
sambaAttr = ldb_msg_find_element(ac->orig_req->op.mod.message, "sambaPassword");
if (sambaAttr) {
if (ldb_msg_add(msg, sambaAttr, sambaAttr->flags) != 0) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* we are not deleteing it add password hashes */
if ((sambaAttr->flags & LDB_FLAG_MOD_MASK) != LDB_FLAG_MOD_DELETE) {
/* we can compute new password hashes from the unicode password */
if (add_password_hashes(ac->module, msg, 1) != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* now add krb5 keys based on unicode password */
if (add_krb5_keys_from_password(ac->module, msg, smb_krb5_context, domain,
ldb_msg_find_string(ac->search_res->message, "samAccountName", NULL),
ldb_msg_find_string(ac->search_res->message, "userPrincipalName", NULL),
ldb_msg_check_string_attribute(ac->search_res->message, "objectClass", "computer")
) != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* if the domain properties or the user account controls do not permit
* clear text passwords then wipe out the sambaPassword */
if ((!(domain->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT)) ||
(!(ldb_msg_find_uint(ac->search_res->message, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED))) {
ldb_msg_remove_attr(msg, "sambaPassword");
}
}
}
/* if we don't have sambaPassword or we are trying to delete it try with nt or lm hasehs */
if ((!sambaAttr) || ((sambaAttr->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE)) {
struct ldb_message_element *el;
el = ldb_msg_find_element(ac->orig_req->op.mod.message, "ntPwdHash");
if (ldb_msg_add(msg, el, el->flags) != 0) {
return LDB_ERR_OPERATIONS_ERROR;
}
el = ldb_msg_find_element(ac->orig_req->op.mod.message, "lmPwdHash");
if (ldb_msg_add(msg, el, el->flags) != 0) {
return LDB_ERR_OPERATIONS_ERROR;
}
}
/* add also kr5 keys based on NT the hash */
if (add_krb5_keys_from_NThash(ac->module, msg, smb_krb5_context) != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* set change time */
if (set_pwdLastSet(ac->module, msg, 1) != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
/* don't touch it if a value is set. It could be an incoming samsync */
if (add_keyVersionNumber(ac->module, msg,
ldb_msg_find_uint(msg, "msDS-KeyVersionNumber", 0)
) != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
if ((phlen = samdb_result_uint(ac->dom_res->message, "pwdHistoryLength", 0)) > 0) {
if (setPwdHistory(ac->module, msg, ac->search_res->message, phlen) != LDB_SUCCESS) {
return LDB_ERR_OPERATIONS_ERROR;
}
}
h->state = LDB_ASYNC_INIT;
h->status = LDB_SUCCESS;
ac->step = PH_MOD_DO_MOD;
/* perform the search */
return ldb_next_request(ac->module, ac->mod_req);
}
static int ph_async_wait(struct ldb_async_handle *handle) {
struct ph_async_context *ac;
int ret;
if (!handle || !handle->private_data) {
return LDB_ERR_OPERATIONS_ERROR;
}
if (handle->state == LDB_ASYNC_DONE) {
return handle->status;
}
handle->state = LDB_ASYNC_PENDING;
ac = talloc_get_type(handle->private_data, struct ph_async_context);
switch (ac->step) {
case PH_ADD_SEARCH_DOM:
if (ac->dom_req->async.handle->state != LDB_ASYNC_DONE) {
ret = ldb_async_wait(ac->dom_req->async.handle, LDB_WAIT_NONE);
if (ret != LDB_SUCCESS) goto done;
if (ac->dom_req->async.handle->state != LDB_ASYNC_DONE) {
return LDB_SUCCESS;
}
}
/* domain search done, go on */
return password_hash_add_async_do_add(handle);
case PH_ADD_DO_ADD:
if (ac->down_req->async.handle->state != LDB_ASYNC_DONE) {
ret = ldb_async_wait(ac->down_req->async.handle, LDB_WAIT_NONE);
if (ret != LDB_SUCCESS) goto done;
if (ac->down_req->async.handle->state != LDB_ASYNC_DONE) {
return LDB_SUCCESS;
}
}
break;
case PH_MOD_DO_REQ:
if (ac->down_req->async.handle->state != LDB_ASYNC_DONE) {
ret = ldb_async_wait(ac->down_req->async.handle, LDB_WAIT_NONE);
if (ret != LDB_SUCCESS) goto done;
if (ac->down_req->async.handle->state != LDB_ASYNC_DONE) {
return LDB_SUCCESS;
}
}
/* non-password mods done, go on */
return password_hash_mod_async_search_self(handle);
case PH_MOD_SEARCH_SELF:
if (ac->search_req->async.handle->state != LDB_ASYNC_DONE) {
ret = ldb_async_wait(ac->search_req->async.handle, LDB_WAIT_NONE);
if (ret != LDB_SUCCESS) goto done;
if (ac->search_req->async.handle->state != LDB_ASYNC_DONE) {
return LDB_SUCCESS;
}
}
/* self search done, go on */
return password_hash_mod_async_search_dom(handle);
case PH_MOD_SEARCH_DOM:
if (ac->dom_req->async.handle->state != LDB_ASYNC_DONE) {
ret = ldb_async_wait(ac->dom_req->async.handle, LDB_WAIT_NONE);
if (ret != LDB_SUCCESS) goto done;
if (ac->dom_req->async.handle->state != LDB_ASYNC_DONE) {
return LDB_SUCCESS;
}
}
/* domain search done, go on */
return password_hash_mod_async_do_mod(handle);
case PH_MOD_DO_MOD:
if (ac->mod_req->async.handle->state != LDB_ASYNC_DONE) {
ret = ldb_async_wait(ac->mod_req->async.handle, LDB_WAIT_NONE);
if (ret != LDB_SUCCESS) goto done;
if (ac->mod_req->async.handle->state != LDB_ASYNC_DONE) {
return LDB_SUCCESS;
}
}
break;
default:
ret = LDB_ERR_OPERATIONS_ERROR;
goto done;
}
ret = LDB_SUCCESS;
done:
handle->state = LDB_ASYNC_DONE;
handle->status = ret;
return ret;
}
static int ph_async_wait_all(struct ldb_async_handle *handle) {
int ret;
while (handle->state != LDB_ASYNC_DONE) {
ret = ph_async_wait(handle);
if (ret != LDB_SUCCESS) {
return ret;
}
}
return handle->status;
}
static int password_hash_async_wait(struct ldb_async_handle *handle, enum ldb_async_wait_type type)
{
if (type == LDB_WAIT_ALL) {
return ph_async_wait_all(handle);
} else {
return ph_async_wait(handle);
}
}
static int password_hash_request(struct ldb_module *module, struct ldb_request *req)
{
switch (req->operation) {
case LDB_REQ_ADD:
return password_hash_add(module, req);
case LDB_REQ_MODIFY:
return password_hash_modify(module, req);
case LDB_ASYNC_ADD:
return password_hash_add_async(module, req);
case LDB_ASYNC_MODIFY:
return password_hash_modify_async(module, req);
default:
return ldb_next_request(module, req);
}
}
static const struct ldb_module_ops password_hash_ops = {
.name = "password_hash",
.request = password_hash_request,
.async_wait = password_hash_async_wait
};
int password_hash_module_init(void)
{
return ldb_register_module(&password_hash_ops);
}
View Git Blame Copy Permalink