2 Unix SMB/CIFS implementation.
3 msDS-ManagedPassword attribute for Group Managed Service Accounts
5 Copyright (C) Catalyst.Net Ltd 2024
7 This program is free software: you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation, either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <https://www.gnu.org/licenses/>.
21 #ifndef DSDB_GMSA_UTIL_H
22 #define DSDB_GMSA_UTIL_H
25 #include "ldb_module.h"
28 #include "lib/crypto/gkdi.h"
29 #include "lib/crypto/gmsa.h"
30 #include "lib/util/data_blob.h"
31 #include "lib/util/time.h"
34 /* An optional request to set the previous password. */
35 struct ldb_request
*old_pw_req
;
36 /* A request to set the current password. */
37 struct ldb_request
*new_pw_req
;
38 /* A request to set the managed password ID. */
39 struct ldb_request
*pwd_id_req
;
42 struct gmsa_update_pwd_part
{
43 const struct ProvRootKey
*root_key
;
47 struct gmsa_update_pwd
{
48 struct gmsa_update_pwd_part prev_id
;
49 struct gmsa_update_pwd_part new_id
;
53 int gmsa_allowed_to_view_managed_password(TALLOC_CTX
*mem_ctx
,
54 struct ldb_context
*ldb
,
55 const struct ldb_message
*msg
,
56 const struct dom_sid
*account_sid
,
/*
 * Update the managed password ID envelope that pwd_id points to.
 *
 * pwd_id is modified in place (it is the only non-const parameter).
 * new_pwd is the update part (struct gmsa_update_pwd_part above, which
 * carries a ProvRootKey pointer); presumably the envelope is rewritten
 * from that part — TODO confirm against the implementation.
 */
void gmsa_update_managed_pwd_id(struct KeyEnvelope *pwd_id,
				const struct gmsa_update_pwd_part *new_pwd);
/*
 * Serialise a KeyEnvelope managed password ID into a blob.
 *
 * mem_ctx     talloc context; presumably the owner of pwd_id_out's data
 *             (talloc convention — confirm in the .c).
 * pwd_id      the envelope to pack; not modified.
 * pwd_id_out  receives the packed blob.
 * Returns an NTSTATUS; callers must check it before using pwd_id_out.
 */
NTSTATUS gmsa_pack_managed_pwd_id(TALLOC_CTX *mem_ctx,
				  const struct KeyEnvelope *pwd_id,
				  DATA_BLOB *pwd_id_out);
67 int gmsa_generate_blobs(struct ldb_context
*ldb
,
69 const NTTIME current_time
,
70 const struct dom_sid
*const account_sid
,
71 DATA_BLOB
*pwd_id_blob_out
,
72 struct gmsa_null_terminated_password
**password_out
);
/*
 * Pack the msDS-ManagedPassword value for a gMSA into a blob.
 *
 * mem_ctx             talloc context; presumably owns managed_pwd_out's
 *                     data (talloc convention — confirm in the .c).
 * new_password        current password bytes; not modified. The length is
 *                     not passed here, so the expected size must be fixed
 *                     by the gMSA password format — TODO confirm.
 * old_password        previous password bytes; not modified. Whether NULL
 *                     is accepted is not visible from this declaration.
 * query_interval      interval value written into the blob.
 * unchanged_interval  interval value written into the blob.
 * managed_pwd_out     receives the packed blob.
 *
 * The output contains password material; callers are responsible for
 * limiting who receives it. Returns an NTSTATUS that must be checked.
 */
NTSTATUS gmsa_pack_managed_pwd(TALLOC_CTX *mem_ctx,
			       const uint8_t *new_password,
			       const uint8_t *old_password,
			       uint64_t query_interval,
			       uint64_t unchanged_interval,
			       DATA_BLOB *managed_pwd_out);
/*
 * Report whether the account described by msg is a Group Managed Service
 * Account. msg is not modified; how the decision is made (object class,
 * attributes) is not visible from this declaration.
 */
bool dsdb_account_is_gmsa(struct ldb_context *ldb,
			  const struct ldb_message *msg);
/*
 * Extract the managed password ID from msg.
 *
 * key_env_out is filled in by the callee. The returned pointer is const;
 * presumably it is key_env_out on success and NULL when msg carries no
 * managed password ID — TODO confirm, and check for NULL either way.
 */
const struct KeyEnvelopeId *gmsa_get_managed_pwd_id(
	const struct ldb_message *msg,
	struct KeyEnvelopeId *key_env_out);
88 struct gmsa_return_pwd
{
89 struct gmsa_null_terminated_password
*prev_pwd
;
90 struct gmsa_null_terminated_password
*new_pwd
;
91 NTTIME query_interval
;
92 NTTIME unchanged_interval
;
/*
 * Recalculate the managed password state for the gMSA in msg as of
 * current_time.
 *
 * mem_ctx       talloc context; presumably owns whatever *update_out and
 *               return_out's pointers reference (talloc convention —
 *               confirm in the .c).
 * ldb, msg      the database and the account object; msg is not modified.
 * current_time  the time the calculation is made for.
 * update_out    receives a struct gmsa_update (looks like the ldb_request
 *               triple declared near the top of this header — verify), or
 *               presumably NULL when no update is needed.
 * return_out    receives prev_pwd/new_pwd and the two intervals (struct
 *               gmsa_return_pwd above). This is password material: gate
 *               exposure on the caller's rights, e.g. via
 *               gmsa_allowed_to_view_managed_password() declared above.
 * Returns an ldb error code (int), per the ldb_module.h convention used
 * by the other int-returning functions here — confirm.
 */
int gmsa_recalculate_managed_pwd(TALLOC_CTX *mem_ctx,
				 struct ldb_context *ldb,
				 const struct ldb_message *msg,
				 const NTTIME current_time,
				 struct gmsa_update **update_out,
				 struct gmsa_return_pwd *return_out);
/*
 * Name of the opaque under which a fixed "current time" can be attached to
 * an ldb context (presumably via ldb_set_opaque()/ldb_get_opaque(); confirm
 * in the .c). Overriding the clock changes when gMSA passwords roll, so
 * only trusted code (tests, the server itself) should set it.
 */
#define DSDB_GMSA_TIME_OPAQUE ("dsdb_gmsa_time_opaque")

/*
 * Determine the current time for gMSA calculations, honouring the opaque
 * above when present — presumably; not visible from this declaration.
 * Writes *current_time_out and returns false on failure, in which case
 * *current_time_out should not be trusted.
 */
bool dsdb_gmsa_current_time(struct ldb_context *ldb,
			    NTTIME *current_time_out);
106 #endif /* DSDB_GMSA_UTIL_H */