search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:dsdb: Store account DN as part of gMSA update structure
[Samba.git] / source4 / dsdb / gmsa / util.h
blob9b7e3ee322289715ec389753d35d54ee058e8565
1 /*
2 Unix SMB/CIFS implementation.
3 msDS-ManagedPassword attribute for Group Managed Service Accounts
4
5 Copyright (C) Catalyst.Net Ltd 2024
6
7 This program is free software: you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation, either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <https://www.gnu.org/licenses/>.
19 */
20
21 #ifndef DSDB_GMSA_UTIL_H
22 #define DSDB_GMSA_UTIL_H
23
24 #include "ldb.h"
25 #include "ldb_module.h"
26 #include <talloc.h>
27
28 #include "lib/crypto/gkdi.h"
29 #include "lib/crypto/gmsa.h"
30 #include "lib/util/data_blob.h"
31 #include "lib/util/time.h"
32
33 struct gmsa_update {
34 /* The DN of the gMSA to be updated. */
35 struct ldb_dn *dn;
36 /* An optional request to set the previous password. */
37 struct ldb_request *old_pw_req;
38 /* A request to set the current password. */
39 struct ldb_request *new_pw_req;
40 /* An request to set the managed password ID. */
41 struct ldb_request *pwd_id_req;
42 };
43
44 struct gmsa_update_pwd_part {
45 const struct ProvRootKey *root_key;
46 struct Gkid gkid;
47 };
48
49 struct gmsa_update_pwd {
50 struct gmsa_update_pwd_part prev_id;
51 struct gmsa_update_pwd_part new_id;
52 };
53
54 struct dom_sid;
55 int gmsa_allowed_to_view_managed_password(TALLOC_CTX *mem_ctx,
56 struct ldb_context *ldb,
57 const struct ldb_message *msg,
58 const struct dom_sid *account_sid,
59 bool *allowed_out);
60
61 struct KeyEnvelope;
62 void gmsa_update_managed_pwd_id(struct KeyEnvelope *pwd_id,
63 const struct gmsa_update_pwd_part *new_pwd);
64
65 NTSTATUS gmsa_pack_managed_pwd_id(TALLOC_CTX *mem_ctx,
66 const struct KeyEnvelope *pwd_id,
67 DATA_BLOB *pwd_id_out);
68
69 int gmsa_generate_blobs(struct ldb_context *ldb,
70 TALLOC_CTX *mem_ctx,
71 const NTTIME current_time,
72 const struct dom_sid *const account_sid,
73 DATA_BLOB *pwd_id_blob_out,
74 struct gmsa_null_terminated_password **password_out);
75
76 NTSTATUS gmsa_pack_managed_pwd(TALLOC_CTX *mem_ctx,
77 const uint8_t *new_password,
78 const uint8_t *old_password,
79 uint64_t query_interval,
80 uint64_t unchanged_interval,
81 DATA_BLOB *managed_pwd_out);
82
83 bool dsdb_account_is_gmsa(struct ldb_context *ldb,
84 const struct ldb_message *msg);
85
86 const struct KeyEnvelopeId *gmsa_get_managed_pwd_id(
87 const struct ldb_message *msg,
88 struct KeyEnvelopeId *key_env_out);
89
90 struct gmsa_return_pwd {
91 struct gmsa_null_terminated_password *prev_pwd;
92 struct gmsa_null_terminated_password *new_pwd;
93 NTTIME query_interval;
94 NTTIME unchanged_interval;
95 };
96
97 int gmsa_recalculate_managed_pwd(TALLOC_CTX *mem_ctx,
98 struct ldb_context *ldb,
99 const struct ldb_message *msg,
100 const NTTIME current_time,
101 struct gmsa_update **update_out,
102 struct gmsa_return_pwd *return_out);
103
104 #define DSDB_GMSA_TIME_OPAQUE ("dsdb_gmsa_time_opaque")
105
106 bool dsdb_gmsa_current_time(struct ldb_context *ldb, NTTIME *current_time_out);
107
108 #endif /* DSDB_GMSA_UTIL_H */
Samba GIT mirror