1 /*
2 Unix SMB/CIFS implementation.
3 msDS-ManagedPassword attribute for Group Managed Service Accounts
5 Copyright (C) Catalyst.Net Ltd 2024
7 This program is free software: you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation, either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <https://www.gnu.org/licenses/>.
21 #ifndef DSDB_GMSA_UTIL_H
22 #define DSDB_GMSA_UTIL_H
24 #include "ldb.h"
25 #include "ldb_module.h"
26 #include <talloc.h>
28 #include "lib/crypto/gkdi.h"
29 #include "lib/crypto/gmsa.h"
30 #include "lib/util/data_blob.h"
31 #include "lib/util/time.h"
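/*
 * The ldb requests produced when a gMSA's managed password is
 * recalculated (see gmsa_recalculate_managed_pwd(), which hands one of
 * these back via update_out).  Ownership and lifetime of the requests are
 * not visible from this header; check the producer before reusing them.
 */
struct gmsa_update {
	/* An optional request to set the previous password. */
	struct ldb_request *old_pw_req;
	/* A request to set the current password. */
	struct ldb_request *new_pw_req;
	/* A request to set the managed password ID. */
	struct ldb_request *pwd_id_req;
};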
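/*
 * Identifies one managed-password key: the root key it derives from plus
 * a group key identifier.  Both types presumably come from
 * lib/crypto/gkdi.h (included above); the derivation itself is not
 * visible from this header.
 */
struct gmsa_update_pwd_part {
	const struct ProvRootKey *root_key;
	struct Gkid gkid;
};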
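/*
 * Previous and new key identifiers for one managed-password update.
 * NOTE(review): whether prev_id may be left unset (e.g. for the first
 * password ever generated) is not visible from this header — check the
 * producer.
 */
struct gmsa_update_pwd {
	struct gmsa_update_pwd_part prev_id;
	struct gmsa_update_pwd_part new_id;
};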
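struct dom_sid;
/*
 * Authorization check for reading a gMSA's msDS-ManagedPassword.
 *
 * mem_ctx      talloc context for any temporary allocations.
 * ldb          the ldb context.
 * msg          the object being queried.
 * account_sid  a SID relevant to the check; whether it is the gMSA's own
 *              SID or the requester's is not visible here — confirm in
 *              util.c.
 * allowed_out  set to whether the password may be viewed.
 *
 * Returns an int, presumably an LDB_* error code with *allowed_out only
 * meaningful on success — confirm in util.c.  Callers must treat any
 * error as "not allowed": the password is only disclosed when the call
 * succeeds and *allowed_out is true.
 */
int gmsa_allowed_to_view_managed_password(TALLOC_CTX *mem_ctx,
					  struct ldb_context *ldb,
					  const struct ldb_message *msg,
					  const struct dom_sid *account_sid,
					  bool *allowed_out);

struct KeyEnvelope;
/*
 * Rewrites *pwd_id in place so that it describes new_pwd.  Which other
 * fields of the envelope are touched is not visible from this header.
 */
void gmsa_update_managed_pwd_id(struct KeyEnvelope *pwd_id,
				const struct gmsa_update_pwd_part *new_pwd);

/*
 * Serialises a KeyEnvelope into *pwd_id_out (presumably talloc'd under
 * mem_ctx — confirm).  Returns NTSTATUS.
 */
NTSTATUS gmsa_pack_managed_pwd_id(TALLOC_CTX *mem_ctx,
				  const struct KeyEnvelope *pwd_id,
				  DATA_BLOB *pwd_id_out);

/*
 * Produces the packed managed-password ID blob and the password for
 * account_sid as of current_time.  Both outputs are handed to the caller
 * (presumably allocated under mem_ctx — confirm).  The result depends on
 * current_time, so callers must take it from a trusted clock (see
 * dsdb_gmsa_current_time()), never from request data.  Returns an int,
 * presumably an LDB_* code — confirm.
 */
int gmsa_generate_blobs(struct ldb_context *ldb,
			TALLOC_CTX *mem_ctx,
			const NTTIME current_time,
			const struct dom_sid *const account_sid,
			DATA_BLOB *pwd_id_blob_out,
			struct gmsa_null_terminated_password **password_out);

/*
 * Packs an msDS-ManagedPassword value into *managed_pwd_out.
 *
 * new_password and old_password carry no length parameter, so the callee
 * must assume a fixed password size (presumably defined in
 * lib/crypto/gmsa.h — confirm); callers must pass buffers of at least
 * that size.  Whether old_password may be NULL is not visible from this
 * header — confirm before passing NULL.  query_interval and
 * unchanged_interval presumably become the interval fields of the packed
 * value (compare struct gmsa_return_pwd).  Returns NTSTATUS.
 */
NTSTATUS gmsa_pack_managed_pwd(TALLOC_CTX *mem_ctx,
			       const uint8_t *new_password,
			       const uint8_t *old_password,
			       uint64_t query_interval,
			       uint64_t unchanged_interval,
			       DATA_BLOB *managed_pwd_out);

/* Returns true if the object in msg is a Group Managed Service Account. */
bool dsdb_account_is_gmsa(struct ldb_context *ldb,
			  const struct ldb_message *msg);

/*
 * Reads the managed password ID from msg into *key_env_out and returns a
 * pointer to it; presumably NULL when msg carries none — confirm.
 */
const struct KeyEnvelopeId *gmsa_get_managed_pwd_id(
	const struct ldb_message *msg,
	struct KeyEnvelopeId *key_env_out);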
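/*
 * Password material handed back by gmsa_recalculate_managed_pwd():
 * previous and current passwords plus the two intervals.
 * NOTE(review): prev_pwd is presumably NULL when there is no previous
 * password — confirm.  Both passwords are secret material; keep them on
 * a short-lived talloc context.
 */
struct gmsa_return_pwd {
	struct gmsa_null_terminated_password *prev_pwd;
	struct gmsa_null_terminated_password *new_pwd;
	NTTIME query_interval;
	NTTIME unchanged_interval;
};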
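/*
 * Recalculates the managed password of the gMSA in msg as of
 * current_time.  *update_out receives the ldb requests needed to persist
 * the new state (see struct gmsa_update) and *return_out the password
 * material for the caller.  Returns an int, presumably an LDB_* code with
 * the outputs only valid on success — confirm in util.c.
 */
int gmsa_recalculate_managed_pwd(TALLOC_CTX *mem_ctx,
				 struct ldb_context *ldb,
				 const struct ldb_message *msg,
				 const NTTIME current_time,
				 struct gmsa_update **update_out,
				 struct gmsa_return_pwd *return_out);

/*
 * Name of an ldb opaque.  From its name and dsdb_gmsa_current_time()
 * below, it presumably lets the current time used by the gMSA code be
 * overridden — confirm.  Because the derived password depends on that
 * time, the opaque must only ever be set by trusted in-process code
 * (e.g. tests), never from client-controlled input.
 */
#define DSDB_GMSA_TIME_OPAQUE ("dsdb_gmsa_time_opaque")

/*
 * Fills *current_time_out with the time the gMSA code should use.
 * Returns a bool; presumably false when no time could be obtained, in
 * which case *current_time_out should not be used — confirm.
 */
bool dsdb_gmsa_current_time(struct ldb_context *ldb, NTTIME *current_time_out);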
106 #endif /* DSDB_GMSA_UTIL_H */