1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-21 18:04:06 +03:00
Jo Sutton 977f5753fc s4:dsdb: Add dsdb_update_gmsa_keys()
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-21 22:10:36 +00:00

132 lines
4.0 KiB
C
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*
Unix SMB/CIFS implementation.
msDS-ManagedPassword attribute for Group Managed Service Accounts
Copyright (C) Catalyst.Net Ltd 2024
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
#ifndef DSDB_GMSA_UTIL_H
#define DSDB_GMSA_UTIL_H
#include "ldb.h"
#include "ldb_module.h"
#include <talloc.h>
#include "lib/crypto/gkdi.h"
#include "lib/crypto/gmsa.h"
#include "lib/util/data_blob.h"
#include "lib/util/time.h"
struct gmsa_update {
/* The DN of the gMSA to be updated. */
struct ldb_dn *dn;
/*
* The managed password ID (if any) found in the database at the time of
* preparing this update.
*/
const DATA_BLOB *found_pwd_id;
/* An optional request to set the previous password. */
struct ldb_request *old_pw_req;
/* A request to set the current password. */
struct ldb_request *new_pw_req;
/* An request to set the managed password ID. */
struct ldb_request *pwd_id_req;
};
struct gmsa_update_pwd_part {
const struct ProvRootKey *root_key;
struct Gkid gkid;
};
struct gmsa_update_pwd {
struct gmsa_update_pwd_part prev_id;
struct gmsa_update_pwd_part new_id;
};
struct dom_sid;
int gmsa_allowed_to_view_managed_password(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb,
const struct ldb_message *msg,
const struct dom_sid *account_sid,
bool *allowed_out);
struct KeyEnvelope;
void gmsa_update_managed_pwd_id(struct KeyEnvelope *pwd_id,
const struct gmsa_update_pwd_part *new_pwd);
NTSTATUS gmsa_pack_managed_pwd_id(TALLOC_CTX *mem_ctx,
const struct KeyEnvelope *pwd_id,
DATA_BLOB *pwd_id_out);
int gmsa_generate_blobs(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
const NTTIME current_time,
const struct dom_sid *const account_sid,
DATA_BLOB *pwd_id_blob_out,
struct gmsa_null_terminated_password **password_out);
NTSTATUS gmsa_pack_managed_pwd(TALLOC_CTX *mem_ctx,
const uint8_t *new_password,
const uint8_t *old_password,
uint64_t query_interval,
uint64_t unchanged_interval,
DATA_BLOB *managed_pwd_out);
bool dsdb_account_is_gmsa(struct ldb_context *ldb,
const struct ldb_message *msg);
const struct KeyEnvelopeId *gmsa_get_managed_pwd_id(
const struct ldb_message *msg,
struct KeyEnvelopeId *key_env_out);
struct gmsa_return_pwd {
struct gmsa_null_terminated_password *prev_pwd;
struct gmsa_null_terminated_password *new_pwd;
NTTIME query_interval;
NTTIME unchanged_interval;
};
/*
* Recalculate the managed password of an account. The account referred to by
* msg should be a Group Managed Service Account.
*
* Updated passwords are returned in update_out.
*
* Pass in a nonNULL pointer for return_out if you want the passwords as
* reflected by the msDS-ManagedPassword operational attribute.
*/
int gmsa_recalculate_managed_pwd(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb,
const struct ldb_message *msg,
const NTTIME current_time,
struct gmsa_update **update_out,
struct gmsa_return_pwd *return_out);
int dsdb_update_gmsa_entry_keys(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
const struct gmsa_update *gmsa_update);
int dsdb_update_gmsa_keys(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
const struct ldb_result *res,
bool *retry_out);
#define DSDB_GMSA_TIME_OPAQUE ("dsdb_gmsa_time_opaque")
bool dsdb_gmsa_current_time(struct ldb_context *ldb, NTTIME *current_time_out);
#endif /* DSDB_GMSA_UTIL_H */