search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r21434: - get rid of "krb5Key"
[Samba/ekacnet.git] / source4 / dsdb / samdb / ldb_modules / password_hash.c
bloba31486fdda47f047a2c8c6bf130bada0fd52a9b2
1 /*
2 ldb database module
3
4 Copyright (C) Simo Sorce 2004-2006
5 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2006
6 Copyright (C) Andrew Tridgell 2004
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 /*
24 * Name: ldb
25 *
26 * Component: ldb password_hash module
27 *
28 * Description: correctly update hash values based on changes to sambaPassword and friends
29 *
30 * Author: Andrew Bartlett
31 */
32
33 #include "includes.h"
34 #include "libcli/ldap/ldap.h"
35 #include "ldb/include/ldb_errors.h"
36 #include "ldb/include/ldb_private.h"
37 #include "librpc/gen_ndr/misc.h"
38 #include "librpc/gen_ndr/samr.h"
39 #include "libcli/auth/libcli_auth.h"
40 #include "libcli/security/security.h"
41 #include "system/kerberos.h"
42 #include "auth/kerberos/kerberos.h"
43 #include "system/time.h"
44 #include "dsdb/samdb/samdb.h"
45 #include "dsdb/common/flags.h"
46 #include "hdb.h"
47 #include "dsdb/samdb/ldb_modules/password_modules.h"
48 #include "librpc/ndr/libndr.h"
49 #include "librpc/gen_ndr/ndr_drsblobs.h"
50
51 /* If we have decided there is reason to work on this request, then
52 * setup all the password hash types correctly.
53 *
54 * If the administrator doesn't want the sambaPassword stored (set in the
55 * domain and per-account policies) then we must strip that out before
56 * we do the first operation.
57 *
58 * Once this is done (which could update anything at all), we
59 * calculate the password hashes.
60 *
61 * This function must not only update the unicodePwd, dBCSPwd and
62 * supplementalCredentials fields, it must also atomicly increment the
63 * msDS-KeyVersionNumber. We should be in a transaction, so all this
64 * should be quite safe...
65 *
66 * Finally, if the administrator has requested that a password history
67 * be maintained, then this should also be written out.
68 *
69 */
70
71 struct ph_context {
72
73 enum ph_type {PH_ADD, PH_MOD} type;
74 enum ph_step {PH_ADD_SEARCH_DOM, PH_ADD_DO_ADD, PH_MOD_DO_REQ, PH_MOD_SEARCH_SELF, PH_MOD_SEARCH_DOM, PH_MOD_DO_MOD} step;
75
76 struct ldb_module *module;
77 struct ldb_request *orig_req;
78
79 struct ldb_request *dom_req;
80 struct ldb_reply *dom_res;
81
82 struct ldb_request *down_req;
83
84 struct ldb_request *search_req;
85 struct ldb_reply *search_res;
86
87 struct ldb_request *mod_req;
88
89 struct dom_sid *domain_sid;
90 };
91
92 struct domain_data {
93 BOOL store_cleartext;
94 uint_t pwdProperties;
95 uint_t pwdHistoryLength;
96 char *dns_domain;
97 char *realm;
98 };
99
100 struct setup_password_fields_io {
101 struct ph_context *ac;
102 struct domain_data *domain;
103 struct smb_krb5_context *smb_krb5_context;
104
105 /* infos about the user account */
106 struct {
107 uint32_t user_account_control;
108 const char *sAMAccountName;
109 const char *user_principal_name;
110 bool is_computer;
111 } u;
112
113 /* new credentials */
114 struct {
115 const char *cleartext;
116 struct samr_Password *nt_hash;
117 struct samr_Password *lm_hash;
118 } n;
119
120 /* old credentials */
121 struct {
122 uint32_t nt_history_len;
123 struct samr_Password *nt_history;
124 uint32_t lm_history_len;
125 struct samr_Password *lm_history;
126 const struct ldb_val *supplemental;
127 struct supplementalCredentialsBlob scb;
128 uint32_t kvno;
129 } o;
130
131 /* generated credentials */
132 struct {
133 struct samr_Password *nt_hash;
134 struct samr_Password *lm_hash;
135 uint32_t nt_history_len;
136 struct samr_Password *nt_history;
137 uint32_t lm_history_len;
138 struct samr_Password *lm_history;
139 struct ldb_val supplemental;
140 NTTIME last_set;
141 uint32_t kvno;
142 } g;
143 };
144
145 static int setup_nt_fields(struct setup_password_fields_io *io)
146 {
147 uint32_t i;
148
149 io->g.nt_hash = io->n.nt_hash;
150
151 if (io->domain->pwdHistoryLength == 0) {
152 return LDB_SUCCESS;
153 }
154
155 /* We might not have an old NT password */
156 io->g.nt_history = talloc_array(io->ac,
157 struct samr_Password,
158 io->domain->pwdHistoryLength);
159 if (!io->g.nt_history) {
160 ldb_oom(io->ac->module->ldb);
161 return LDB_ERR_OPERATIONS_ERROR;
162 }
163
164 for (i = 0; i < MIN(io->domain->pwdHistoryLength-1, io->o.nt_history_len); i++) {
165 io->g.nt_history[i+1] = io->o.nt_history[i];
166 }
167 io->g.nt_history_len = i + 1;
168
169 if (io->g.nt_hash) {
170 io->g.nt_history[0] = *io->g.nt_hash;
171 } else {
172 /*
173 * TODO: is this correct?
174 * the simular behavior is correct for the lm history case
175 */
176 E_md4hash("", io->g.nt_history[0].hash);
177 }
178
179 return LDB_SUCCESS;
180 }
181
182 static int setup_lm_fields(struct setup_password_fields_io *io)
183 {
184 uint32_t i;
185
186 io->g.lm_hash = io->n.lm_hash;
187
188 if (io->domain->pwdHistoryLength == 0) {
189 return LDB_SUCCESS;
190 }
191
192 /* We might not have an old NT password */
193 io->g.lm_history = talloc_array(io->ac,
194 struct samr_Password,
195 io->domain->pwdHistoryLength);
196 if (!io->g.lm_history) {
197 ldb_oom(io->ac->module->ldb);
198 return LDB_ERR_OPERATIONS_ERROR;
199 }
200
201 for (i = 0; i < MIN(io->domain->pwdHistoryLength-1, io->o.lm_history_len); i++) {
202 io->g.lm_history[i+1] = io->o.lm_history[i];
203 }
204 io->g.lm_history_len = i + 1;
205
206 if (io->g.lm_hash) {
207 io->g.lm_history[0] = *io->g.lm_hash;
208 } else {
209 E_deshash("", io->g.lm_history[0].hash);
210 }
211
212 return LDB_SUCCESS;
213 }
214
215 static int setup_primary_kerberos(struct setup_password_fields_io *io,
216 const struct supplementalCredentialsBlob *old_scb,
217 struct package_PrimaryKerberosBlob *pkb)
218 {
219 krb5_error_code krb5_ret;
220 Principal *salt_principal;
221 krb5_salt salt;
222 krb5_keyblock key;
223 uint32_t k=0;
224 struct supplementalCredentialsPackage *old_scp = NULL;
225 struct package_PrimaryKerberosBlob _old_pkb;
226 struct package_PrimaryKerberosBlob *old_pkb = NULL;
227 uint32_t i;
228 NTSTATUS status;
229
230 /* Many, many thanks to lukeh@padl.com for this
231 * algorithm, described in his Nov 10 2004 mail to
232 * samba-technical@samba.org */
233
234 /*
235 * Determine a salting principal
236 */
237 if (io->u.is_computer) {
238 char *name;
239 char *saltbody;
240
241 name = talloc_strdup(io->ac, io->u.sAMAccountName);
242 if (!name) {
243 ldb_oom(io->ac->module->ldb);
244 return LDB_ERR_OPERATIONS_ERROR;
245 }
246
247 if (name[strlen(name)-1] == '$') {
248 name[strlen(name)-1] = '\0';
249 }
250
251 saltbody = talloc_asprintf(io->ac, "%s.%s", name, io->domain->dns_domain);
252 if (!saltbody) {
253 ldb_oom(io->ac->module->ldb);
254 return LDB_ERR_OPERATIONS_ERROR;
255 }
256
257 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
258 &salt_principal,
259 io->domain->realm, "host",
260 saltbody, NULL);
261 } else if (io->u.user_principal_name) {
262 char *user_principal_name;
263 char *p;
264
265 user_principal_name = talloc_strdup(io->ac, io->u.user_principal_name);
266 if (!user_principal_name) {
267 ldb_oom(io->ac->module->ldb);
268 return LDB_ERR_OPERATIONS_ERROR;
269 }
270
271 p = strchr(user_principal_name, '@');
272 if (p) {
273 p[0] = '\0';
274 }
275
276 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
277 &salt_principal,
278 io->domain->realm, user_principal_name,
279 NULL);
280 } else {
281 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
282 &salt_principal,
283 io->domain->realm, io->u.sAMAccountName,
284 NULL);
285 }
286 if (krb5_ret) {
287 ldb_asprintf_errstring(io->ac->module->ldb,
288 "setup_primary_kerberos: "
289 "generation of a salting principal failed: %s",
290 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
291 return LDB_ERR_OPERATIONS_ERROR;
292 }
293
294 /*
295 * create salt from salt_principal
296 */
297 krb5_ret = krb5_get_pw_salt(io->smb_krb5_context->krb5_context,
298 salt_principal, &salt);
299 krb5_free_principal(io->smb_krb5_context->krb5_context, salt_principal);
300 if (krb5_ret) {
301 ldb_asprintf_errstring(io->ac->module->ldb,
302 "setup_primary_kerberos: "
303 "generation of krb5_salt failed: %s",
304 smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
305 return LDB_ERR_OPERATIONS_ERROR;
306 }
307 /* create a talloc copy */
308 pkb->salt.string = talloc_strndup(io->ac,
309 salt.saltvalue.data,
310 salt.saltvalue.length);
311 krb5_free_salt(io->smb_krb5_context->krb5_context, salt);
312 if (!pkb->salt.string) {
313 ldb_oom(io->ac->module->ldb);
314 return LDB_ERR_OPERATIONS_ERROR;
315 }
316 salt.saltvalue.data = discard_const(pkb->salt.string);
317 salt.saltvalue.length = strlen(pkb->salt.string);
318
319 /*
320 * prepare generation of keys
321 *
322 * ENCTYPE_AES256_CTS_HMAC_SHA1_96 (disabled by default)
323 * ENCTYPE_DES_CBC_MD5
324 * ENCTYPE_DES_CBC_CRC
325 *
326 * NOTE: update num_keys1 when you add another enctype!
327 */
328 pkb->num_keys1 = 0;
329 pkb->keys1 = talloc_array(io->ac, struct package_PrimaryKerberosKey, 3);
330 if (!pkb->keys1) {
331 ldb_oom(io->ac->module->ldb);
332 return LDB_ERR_OPERATIONS_ERROR;
333 }
334 pkb->unknown3_1 = talloc_zero_array(io->ac, uint64_t, pkb->num_keys1);
335 if (!pkb->unknown3_1) {
336 ldb_oom(io->ac->module->ldb);
337 return LDB_ERR_OPERATIONS_ERROR;
338 }
339
340 if (lp_parm_bool(-1, "password_hash", "create_aes_key", false)) {
341 /*
342 * TODO:
343 *
344 * w2k and w2k3 doesn't support AES, so we'll not include
345 * the AES key here yet.
346 *
347 * Also we don't have an example supplementalCredentials blob
348 * from Windows Longhorn Server with AES support
349 *
350 */
351 /*
352 * create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of
353 * the salt and the cleartext password
354 */
355 krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
356 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
357 io->n.cleartext,
358 salt,
359 &key);
360 pkb->keys1[k].keytype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
361 pkb->keys1[k].value = talloc(pkb->keys1, DATA_BLOB);
362 if (!pkb->keys1[k].value) {
363 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
364 ldb_oom(io->ac->module->ldb);
365 return LDB_ERR_OPERATIONS_ERROR;
366 }
367 *pkb->keys1[k].value = data_blob_talloc(pkb->keys1[k].value,
368 key.keyvalue.data,
369 key.keyvalue.length);
370 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
371 if (!pkb->keys1[k].value->data) {
372 ldb_oom(io->ac->module->ldb);
373 return LDB_ERR_OPERATIONS_ERROR;
374 }
375 k++;
376 }
377
378 /*
379 * create ENCTYPE_DES_CBC_MD5 key out of
380 * the salt and the cleartext password
381 */
382 krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
383 ENCTYPE_DES_CBC_MD5,
384 io->n.cleartext,
385 salt,
386 &key);
387 pkb->keys1[k].keytype = ENCTYPE_DES_CBC_MD5;
388 pkb->keys1[k].value = talloc(pkb->keys1, DATA_BLOB);
389 if (!pkb->keys1[k].value) {
390 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
391 ldb_oom(io->ac->module->ldb);
392 return LDB_ERR_OPERATIONS_ERROR;
393 }
394 *pkb->keys1[k].value = data_blob_talloc(pkb->keys1[k].value,
395 key.keyvalue.data,
396 key.keyvalue.length);
397 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
398 if (!pkb->keys1[k].value->data) {
399 ldb_oom(io->ac->module->ldb);
400 return LDB_ERR_OPERATIONS_ERROR;
401 }
402 k++;
403
404 /*
405 * create ENCTYPE_DES_CBC_CRC key out of
406 * the salt and the cleartext password
407 */
408 krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
409 ENCTYPE_DES_CBC_CRC,
410 io->n.cleartext,
411 salt,
412 &key);
413 pkb->keys1[k].keytype = ENCTYPE_DES_CBC_CRC;
414 pkb->keys1[k].value = talloc(pkb->keys1, DATA_BLOB);
415 if (!pkb->keys1[k].value) {
416 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
417 ldb_oom(io->ac->module->ldb);
418 return LDB_ERR_OPERATIONS_ERROR;
419 }
420 *pkb->keys1[k].value = data_blob_talloc(pkb->keys1[k].value,
421 key.keyvalue.data,
422 key.keyvalue.length);
423 krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
424 if (!pkb->keys1[k].value->data) {
425 ldb_oom(io->ac->module->ldb);
426 return LDB_ERR_OPERATIONS_ERROR;
427 }
428 k++;
429
430 /* fix up key number */
431 pkb->num_keys1 = k;
432
433 /* initialize the old keys to zero */
434 pkb->num_keys2 = 0;
435 pkb->keys2 = NULL;
436 pkb->unknown3_2 = NULL;
437
438 /* if there're no old keys, then we're done */
439 if (!old_scb) {
440 return LDB_SUCCESS;
441 }
442
443 for (i=0; i < old_scb->sub.num_packages; i++) {
444 if (old_scb->sub.packages[i].unknown1 != 0x00000001) {
445 continue;
446 }
447
448 if (strcmp("Primary:Kerberos", old_scb->sub.packages[i].name) != 0) {
449 continue;
450 }
451
452 if (!old_scb->sub.packages[i].data || !old_scb->sub.packages[i].data[0]) {
453 continue;
454 }
455
456 old_scp = &old_scb->sub.packages[i];
457 break;
458 }
459 /* Primary:Kerberos element of supplementalCredentials */
460 if (old_scp) {
461 DATA_BLOB blob;
462
463 blob = strhex_to_data_blob(old_scp->data);
464 if (!blob.data) {
465 ldb_oom(io->ac->module->ldb);
466 return LDB_ERR_OPERATIONS_ERROR;
467 }
468 talloc_steal(io->ac, blob.data);
469
470 /* TODO: use ndr_pull_struct_blob_all(), when the ndr layer handles it correct with relative pointers */
471 status = ndr_pull_struct_blob(&blob, io->ac, &_old_pkb,
472 (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
473 if (!NT_STATUS_IS_OK(status)) {
474 ldb_asprintf_errstring(io->ac->module->ldb,
475 "setup_primary_kerberos: "
476 "failed to pull old package_PrimaryKerberosBlob: %s",
477 nt_errstr(status));
478 return LDB_ERR_OPERATIONS_ERROR;
479 }
480 old_pkb = &_old_pkb;
481 }
482
483 /* if we didn't found the old keys we're done */
484 if (!old_pkb) {
485 return LDB_SUCCESS;
486 }
487
488 /* fill in the old keys */
489 pkb->num_keys2 = old_pkb->num_keys1;
490 pkb->keys2 = old_pkb->keys1;
491 pkb->unknown3_2 = old_pkb->unknown3_1;
492
493 return LDB_SUCCESS;
494 }
495
496 static int setup_supplemental_field(struct setup_password_fields_io *io)
497 {
498 struct supplementalCredentialsBlob scb;
499 struct supplementalCredentialsBlob _old_scb;
500 struct supplementalCredentialsBlob *old_scb = NULL;
501 /* Packages + (Kerberos and maybe CLEARTEXT) */
502 uint32_t num_packages = 1 + 1;
503 struct supplementalCredentialsPackage packages[1+2];
504 struct supplementalCredentialsPackage *pp = &packages[0];
505 struct supplementalCredentialsPackage *pk = &packages[1];
506 struct supplementalCredentialsPackage *pc = NULL;
507 struct package_PackagesBlob pb;
508 DATA_BLOB pb_blob;
509 char *pb_hexstr;
510 struct package_PrimaryKerberosBlob pkb;
511 DATA_BLOB pkb_blob;
512 char *pkb_hexstr;
513 struct package_PrimaryCLEARTEXTBlob pcb;
514 DATA_BLOB pcb_blob;
515 char *pcb_hexstr;
516 int ret;
517 NTSTATUS status;
518 uint8_t zero16[16];
519
520 ZERO_STRUCT(zero16);
521
522 if (!io->n.cleartext) {
523 /*
524 * when we don't have a cleartext password
525 * we can't setup a supplementalCredential value
526 */
527 return LDB_SUCCESS;
528 }
529
530 /* if there's an old supplementaCredentials blob then parse it */
531 if (io->o.supplemental) {
532 status = ndr_pull_struct_blob_all(io->o.supplemental, io->ac, &_old_scb,
533 (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
534 if (!NT_STATUS_IS_OK(status)) {
535 ldb_asprintf_errstring(io->ac->module->ldb,
536 "setup_supplemental_field: "
537 "failed to pull old supplementalCredentialsBlob: %s",
538 nt_errstr(status));
539 return LDB_ERR_OPERATIONS_ERROR;
540 }
541
542 old_scb = &_old_scb;
543 }
544
545 if (io->domain->store_cleartext &&
546 (io->u.user_account_control & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
547 pc = &packages[2];
548 num_packages++;
549 }
550
551 /* Kerberos, CLEARTEXT and termination(counted by the Packages element) */
552 pb.names = talloc_zero_array(io->ac, const char *, num_packages);
553
554 /*
555 * setup 'Primary:Kerberos' element
556 */
557 pb.names[0] = "Kerberos";
558
559 ret = setup_primary_kerberos(io, old_scb, &pkb);
560 if (ret != LDB_SUCCESS) {
561 return ret;
562 }
563
564 status = ndr_push_struct_blob(&pkb_blob, io->ac, &pkb,
565 (ndr_push_flags_fn_t)ndr_push_package_PrimaryKerberosBlob);
566 if (!NT_STATUS_IS_OK(status)) {
567 ldb_asprintf_errstring(io->ac->module->ldb,
568 "setup_supplemental_field: "
569 "failed to push package_PrimaryKerberosBlob: %s",
570 nt_errstr(status));
571 return LDB_ERR_OPERATIONS_ERROR;
572 }
573 /*
574 * TODO:
575 *
576 * This is ugly, but we want to generate the same blob as
577 * w2k and w2k3...we should handle this in the idl
578 */
579 status = data_blob_append(io->ac, &pkb_blob, zero16, sizeof(zero16));
580 if (!NT_STATUS_IS_OK(status)) {
581 ldb_oom(io->ac->module->ldb);
582 return LDB_ERR_OPERATIONS_ERROR;
583 }
584 pkb_hexstr = data_blob_hex_string(io->ac, &pkb_blob);
585 if (!pkb_hexstr) {
586 ldb_oom(io->ac->module->ldb);
587 return LDB_ERR_OPERATIONS_ERROR;
588 }
589 pk->name = "Primary:Kerberos";
590 pk->unknown1 = 1;
591 pk->data = pkb_hexstr;
592
593 /*
594 * setup 'Primary:CLEARTEXT' element
595 */
596 if (pc) {
597 pb.names[1] = "CLEARTEXT";
598
599 pcb.cleartext = io->n.cleartext;
600
601 status = ndr_push_struct_blob(&pcb_blob, io->ac, &pcb,
602 (ndr_push_flags_fn_t)ndr_push_package_PrimaryCLEARTEXTBlob);
603 if (!NT_STATUS_IS_OK(status)) {
604 ldb_asprintf_errstring(io->ac->module->ldb,
605 "setup_supplemental_field: "
606 "failed to push package_PrimaryCLEARTEXTBlob: %s",
607 nt_errstr(status));
608 return LDB_ERR_OPERATIONS_ERROR;
609 }
610 pcb_hexstr = data_blob_hex_string(io->ac, &pcb_blob);
611 if (!pcb_hexstr) {
612 ldb_oom(io->ac->module->ldb);
613 return LDB_ERR_OPERATIONS_ERROR;
614 }
615 pc->name = "Primary:CLEARTEXT";
616 pc->unknown1 = 1;
617 pc->data = pcb_hexstr;
618 }
619
620 /*
621 * setup 'Packages' element
622 */
623 status = ndr_push_struct_blob(&pb_blob, io->ac, &pb,
624 (ndr_push_flags_fn_t)ndr_push_package_PackagesBlob);
625 if (!NT_STATUS_IS_OK(status)) {
626 ldb_asprintf_errstring(io->ac->module->ldb,
627 "setup_supplemental_field: "
628 "failed to push package_PackagesBlob: %s",
629 nt_errstr(status));
630 return LDB_ERR_OPERATIONS_ERROR;
631 }
632 pb_hexstr = data_blob_hex_string(io->ac, &pb_blob);
633 if (!pb_hexstr) {
634 ldb_oom(io->ac->module->ldb);
635 return LDB_ERR_OPERATIONS_ERROR;
636 }
637 pp->name = "Packages";
638 pp->unknown1 = 2;
639 pp->data = pb_hexstr;
640
641 /*
642 * setup 'supplementalCredentials' value
643 */
644 scb.sub.num_packages = num_packages;
645 scb.sub.packages = packages;
646
647 status = ndr_push_struct_blob(&io->g.supplemental, io->ac, &scb,
648 (ndr_push_flags_fn_t)ndr_push_supplementalCredentialsBlob);
649 if (!NT_STATUS_IS_OK(status)) {
650 ldb_asprintf_errstring(io->ac->module->ldb,
651 "setup_supplemental_field: "
652 "failed to push supplementalCredentialsBlob: %s",
653 nt_errstr(status));
654 return LDB_ERR_OPERATIONS_ERROR;
655 }
656
657 return LDB_SUCCESS;
658 }
659
660 static int setup_last_set_field(struct setup_password_fields_io *io)
661 {
662 /* set it as now */
663 unix_to_nt_time(&io->g.last_set, time(NULL));
664
665 return LDB_SUCCESS;
666 }
667
668 static int setup_kvno_field(struct setup_password_fields_io *io)
669 {
670 /* increment by one */
671 io->g.kvno = io->o.kvno + 1;
672
673 return LDB_SUCCESS;
674 }
675
676 static int setup_password_fields(struct setup_password_fields_io *io)
677 {
678 bool ok;
679 int ret;
680
681 /*
682 * refuse the change if someone want to change the cleartext
683 * and supply his own hashes at the same time...
684 */
685 if (io->n.cleartext && (io->n.nt_hash || io->n.lm_hash)) {
686 ldb_asprintf_errstring(io->ac->module->ldb,
687 "setup_password_fields: "
688 "it's only allowed to set the cleartext password or the password hashes");
689 return LDB_ERR_UNWILLING_TO_PERFORM;
690 }
691
692 if (io->n.cleartext && !io->n.nt_hash) {
693 struct samr_Password *hash;
694
695 hash = talloc(io->ac, struct samr_Password);
696 if (!hash) {
697 ldb_oom(io->ac->module->ldb);
698 return LDB_ERR_OPERATIONS_ERROR;
699 }
700
701 /* compute the new nt hash */
702 ok = E_md4hash(io->n.cleartext, hash->hash);
703 if (ok) {
704 io->n.nt_hash = hash;
705 } else {
706 ldb_asprintf_errstring(io->ac->module->ldb,
707 "setup_password_fields: "
708 "failed to generate nthash from cleartext password");
709 return LDB_ERR_OPERATIONS_ERROR;
710 }
711 }
712
713 if (io->n.cleartext && !io->n.lm_hash) {
714 struct samr_Password *hash;
715
716 hash = talloc(io->ac, struct samr_Password);
717 if (!hash) {
718 ldb_oom(io->ac->module->ldb);
719 return LDB_ERR_OPERATIONS_ERROR;
720 }
721
722 /* compute the new lm hash */
723 ok = E_deshash(io->n.cleartext, hash->hash);
724 if (ok) {
725 io->n.lm_hash = hash;
726 } else {
727 talloc_free(hash->hash);
728 }
729 }
730
731 ret = setup_nt_fields(io);
732 if (ret != 0) {
733 return ret;
734 }
735
736 ret = setup_lm_fields(io);
737 if (ret != 0) {
738 return ret;
739 }
740
741 ret = setup_supplemental_field(io);
742 if (ret != 0) {
743 return ret;
744 }
745
746 ret = setup_last_set_field(io);
747 if (ret != 0) {
748 return ret;
749 }
750
751 ret = setup_kvno_field(io);
752 if (ret != 0) {
753 return ret;
754 }
755
756 return LDB_SUCCESS;
757 }
758
759 static struct ldb_handle *ph_init_handle(struct ldb_request *req, struct ldb_module *module, enum ph_type type)
760 {
761 struct ph_context *ac;
762 struct ldb_handle *h;
763
764 h = talloc_zero(req, struct ldb_handle);
765 if (h == NULL) {
766 ldb_set_errstring(module->ldb, "Out of Memory");
767 return NULL;
768 }
769
770 h->module = module;
771
772 ac = talloc_zero(h, struct ph_context);
773 if (ac == NULL) {
774 ldb_set_errstring(module->ldb, "Out of Memory");
775 talloc_free(h);
776 return NULL;
777 }
778
779 h->private_data = (void *)ac;
780
781 h->state = LDB_ASYNC_INIT;
782 h->status = LDB_SUCCESS;
783
784 ac->type = type;
785 ac->module = module;
786 ac->orig_req = req;
787
788 return h;
789 }
790
791 static int get_domain_data_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
792 {
793 struct ph_context *ac;
794
795 if (!context || !ares) {
796 ldb_set_errstring(ldb, "NULL Context or Result in callback");
797 return LDB_ERR_OPERATIONS_ERROR;
798 }
799
800 ac = talloc_get_type(context, struct ph_context);
801
802 /* we are interested only in the single reply (base search) we receive here */
803 if (ares->type == LDB_REPLY_ENTRY) {
804 if (ac->dom_res != NULL) {
805 ldb_set_errstring(ldb, "Too many results");
806 talloc_free(ares);
807 return LDB_ERR_OPERATIONS_ERROR;
808 }
809 ac->dom_res = talloc_steal(ac, ares);
810 } else {
811 talloc_free(ares);
812 }
813
814 return LDB_SUCCESS;
815 }
816
817 static int build_domain_data_request(struct ph_context *ac)
818 {
819 /* attrs[] is returned from this function in
820 ac->dom_req->op.search.attrs, so it must be static, as
821 otherwise the compiler can put it on the stack */
822 static const char * const attrs[] = { "pwdProperties", "pwdHistoryLength", NULL };
823 char *filter;
824
825 ac->dom_req = talloc_zero(ac, struct ldb_request);
826 if (ac->dom_req == NULL) {
827 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
828 return LDB_ERR_OPERATIONS_ERROR;
829 }
830 ac->dom_req->operation = LDB_SEARCH;
831 ac->dom_req->op.search.base = ldb_get_default_basedn(ac->module->ldb);
832 ac->dom_req->op.search.scope = LDB_SCOPE_SUBTREE;
833
834 filter = talloc_asprintf(ac->dom_req, "(&(objectSid=%s)(|(objectClass=domain)(objectClass=builtinDomain)))",
835 ldap_encode_ndr_dom_sid(ac->dom_req, ac->domain_sid));
836 if (filter == NULL) {
837 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
838 talloc_free(ac->dom_req);
839 return LDB_ERR_OPERATIONS_ERROR;
840 }
841
842 ac->dom_req->op.search.tree = ldb_parse_tree(ac->dom_req, filter);
843 if (ac->dom_req->op.search.tree == NULL) {
844 ldb_set_errstring(ac->module->ldb, "Invalid search filter");
845 talloc_free(ac->dom_req);
846 return LDB_ERR_OPERATIONS_ERROR;
847 }
848 ac->dom_req->op.search.attrs = attrs;
849 ac->dom_req->controls = NULL;
850 ac->dom_req->context = ac;
851 ac->dom_req->callback = get_domain_data_callback;
852 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->dom_req);
853
854 return LDB_SUCCESS;
855 }
856
857 static struct domain_data *get_domain_data(struct ldb_module *module, void *ctx, struct ldb_reply *res)
858 {
859 struct domain_data *data;
860 const char *tmp;
861 struct ph_context *ac;
862 char *p;
863
864 ac = talloc_get_type(ctx, struct ph_context);
865
866 data = talloc_zero(ac, struct domain_data);
867 if (data == NULL) {
868 return NULL;
869 }
870
871 if (res == NULL) {
872 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Could not find this user's domain: %s!\n", dom_sid_string(data, ac->domain_sid));
873 talloc_free(data);
874 return NULL;
875 }
876
877 data->pwdProperties= samdb_result_uint(res->message, "pwdProperties", 0);
878 data->store_cleartext = data->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT;
879 data->pwdHistoryLength = samdb_result_uint(res->message, "pwdHistoryLength", 0);
880
881 /* For a domain DN, this puts things in dotted notation */
882 /* For builtin domains, this will give details for the host,
883 * but that doesn't really matter, as it's just used for salt
884 * and kerberos principals, which don't exist here */
885
886 tmp = ldb_dn_canonical_string(ctx, res->message->dn);
887 if (!tmp) {
888 return NULL;
889 }
890
891 /* But it puts a trailing (or just before 'builtin') / on things, so kill that */
892 p = strchr(tmp, '/');
893 if (p) {
894 p[0] = '\0';
895 }
896
897 if (tmp != NULL) {
898 data->dns_domain = strlower_talloc(data, tmp);
899 if (data->dns_domain == NULL) {
900 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
901 return NULL;
902 }
903 data->realm = strupper_talloc(data, tmp);
904 if (data->realm == NULL) {
905 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
906 return NULL;
907 }
908 }
909
910 return data;
911 }
912
913 static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
914 {
915 struct ldb_handle *h;
916 struct ph_context *ac;
917 struct ldb_message_element *sambaAttr;
918 struct ldb_message_element *ntAttr;
919 struct ldb_message_element *lmAttr;
920 int ret;
921
922 ldb_debug(module->ldb, LDB_DEBUG_TRACE, "password_hash_add\n");
923
924 if (ldb_dn_is_special(req->op.add.message->dn)) { /* do not manipulate our control entries */
925 return ldb_next_request(module, req);
926 }
927
928 /* If the caller is manipulating the local passwords directly, let them pass */
929 if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
930 req->op.add.message->dn) == 0) {
931 return ldb_next_request(module, req);
932 }
933
934 /* nobody must touch this fields */
935 if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory")) {
936 return LDB_ERR_UNWILLING_TO_PERFORM;
937 }
938 if (ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) {
939 return LDB_ERR_UNWILLING_TO_PERFORM;
940 }
941 if (ldb_msg_find_element(req->op.add.message, "supplementalCredentials")) {
942 return LDB_ERR_UNWILLING_TO_PERFORM;
943 }
944
945 /* If no part of this ADD touches the sambaPassword, or the NT
946 * or LM hashes, then we don't need to make any changes. */
947
948 sambaAttr = ldb_msg_find_element(req->op.mod.message, "sambaPassword");
949 ntAttr = ldb_msg_find_element(req->op.mod.message, "unicodePwd");
950 lmAttr = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
951
952 if ((!sambaAttr) && (!ntAttr) && (!lmAttr)) {
953 return ldb_next_request(module, req);
954 }
955
956 /* if it is not an entry of type person its an error */
957 /* TODO: remove this when sambaPassword will be in schema */
958 if (!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "person")) {
959 ldb_set_errstring(module->ldb, "Cannot set a password on entry that does not have objectClass 'person'");
960 return LDB_ERR_OBJECT_CLASS_VIOLATION;
961 }
962
963 /* check sambaPassword is single valued here */
964 /* TODO: remove this when sambaPassword will be single valued in schema */
965 if (sambaAttr && sambaAttr->num_values > 1) {
966 ldb_set_errstring(module->ldb, "mupltiple values for sambaPassword not allowed!\n");
967 return LDB_ERR_CONSTRAINT_VIOLATION;
968 }
969
970 if (ntAttr && (ntAttr->num_values > 1)) {
971 ldb_set_errstring(module->ldb, "mupltiple values for unicodePwd not allowed!\n");
972 return LDB_ERR_CONSTRAINT_VIOLATION;
973 }
974 if (lmAttr && (lmAttr->num_values > 1)) {
975 ldb_set_errstring(module->ldb, "mupltiple values for dBCSPwd not allowed!\n");
976 return LDB_ERR_CONSTRAINT_VIOLATION;
977 }
978
979 if (sambaAttr && sambaAttr->num_values == 0) {
980 ldb_set_errstring(module->ldb, "sambaPassword must have a value!\n");
981 return LDB_ERR_CONSTRAINT_VIOLATION;
982 }
983
984 if (ntAttr && (ntAttr->num_values == 0)) {
985 ldb_set_errstring(module->ldb, "unicodePwd must have a value!\n");
986 return LDB_ERR_CONSTRAINT_VIOLATION;
987 }
988 if (lmAttr && (lmAttr->num_values == 0)) {
989 ldb_set_errstring(module->ldb, "dBCSPwd must have a value!\n");
990 return LDB_ERR_CONSTRAINT_VIOLATION;
991 }
992
993 h = ph_init_handle(req, module, PH_ADD);
994 if (!h) {
995 return LDB_ERR_OPERATIONS_ERROR;
996 }
997 ac = talloc_get_type(h->private_data, struct ph_context);
998
999 /* get user domain data */
1000 ac->domain_sid = samdb_result_sid_prefix(ac, req->op.add.message, "objectSid");
1001 if (ac->domain_sid == NULL) {
1002 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "can't handle entry with missing objectSid!\n");
1003 return LDB_ERR_OPERATIONS_ERROR;
1004 }
1005
1006 ret = build_domain_data_request(ac);
1007 if (ret != LDB_SUCCESS) {
1008 return ret;
1009 }
1010
1011 ac->step = PH_ADD_SEARCH_DOM;
1012
1013 req->handle = h;
1014
1015 return ldb_next_request(module, ac->dom_req);
1016 }
1017
1018 static int password_hash_add_do_add(struct ldb_handle *h) {
1019
1020 struct ph_context *ac;
1021 struct domain_data *domain;
1022 struct smb_krb5_context *smb_krb5_context;
1023 struct ldb_message *msg;
1024 struct setup_password_fields_io io;
1025 int ret;
1026
1027 ac = talloc_get_type(h->private_data, struct ph_context);
1028
1029 domain = get_domain_data(ac->module, ac, ac->dom_res);
1030 if (domain == NULL) {
1031 return LDB_ERR_OPERATIONS_ERROR;
1032 }
1033
1034 ac->down_req = talloc(ac, struct ldb_request);
1035 if (ac->down_req == NULL) {
1036 return LDB_ERR_OPERATIONS_ERROR;
1037 }
1038
1039 *(ac->down_req) = *(ac->orig_req);
1040 ac->down_req->op.add.message = msg = ldb_msg_copy_shallow(ac->down_req, ac->orig_req->op.add.message);
1041 if (ac->down_req->op.add.message == NULL) {
1042 return LDB_ERR_OPERATIONS_ERROR;
1043 }
1044
1045 /* Some operations below require kerberos contexts */
1046 if (smb_krb5_init_context(ac->down_req, &smb_krb5_context) != 0) {
1047 return LDB_ERR_OPERATIONS_ERROR;
1048 }
1049
1050 ZERO_STRUCT(io);
1051 io.ac = ac;
1052 io.domain = domain;
1053 io.smb_krb5_context = smb_krb5_context;
1054
1055 io.u.user_account_control = samdb_result_uint(msg, "userAccountControl", 0);
1056 io.u.sAMAccountName = samdb_result_string(msg, "samAccountName", NULL);
1057 io.u.user_principal_name = samdb_result_string(msg, "userPrincipalName", NULL);
1058 io.u.is_computer = ldb_msg_check_string_attribute(msg, "objectClass", "computer");
1059
1060 io.n.cleartext = samdb_result_string(msg, "sambaPassword", NULL);
1061 io.n.nt_hash = samdb_result_hash(io.ac, msg, "unicodePwd");
1062 io.n.lm_hash = samdb_result_hash(io.ac, msg, "dBCSPwd");
1063
1064 /* remove attributes */
1065 if (io.n.cleartext) ldb_msg_remove_attr(msg, "sambaPassword");
1066 if (io.n.nt_hash) ldb_msg_remove_attr(msg, "unicodePwd");
1067 if (io.n.lm_hash) ldb_msg_remove_attr(msg, "dBCSPwd");
1068 ldb_msg_remove_attr(msg, "pwdLastSet");
1069 io.o.kvno = samdb_result_uint(msg, "msDs-KeyVersionNumber", 1) - 1;
1070 ldb_msg_remove_attr(msg, "msDs-KeyVersionNumber");
1071
1072 ret = setup_password_fields(&io);
1073 if (ret != LDB_SUCCESS) {
1074 return ret;
1075 }
1076
1077 if (io.g.nt_hash) {
1078 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
1079 "unicodePwd", io.g.nt_hash);
1080 if (ret != LDB_SUCCESS) {
1081 return ret;
1082 }
1083 }
1084 if (io.g.lm_hash) {
1085 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
1086 "dBCSPwd", io.g.lm_hash);
1087 if (ret != LDB_SUCCESS) {
1088 return ret;
1089 }
1090 }
1091 if (io.g.nt_history_len > 0) {
1092 ret = samdb_msg_add_hashes(ac, msg,
1093 "ntPwdHistory",
1094 io.g.nt_history,
1095 io.g.nt_history_len);
1096 if (ret != LDB_SUCCESS) {
1097 return ret;
1098 }
1099 }
1100 if (io.g.lm_history_len > 0) {
1101 ret = samdb_msg_add_hashes(ac, msg,
1102 "lmPwdHistory",
1103 io.g.lm_history,
1104 io.g.lm_history_len);
1105 if (ret != LDB_SUCCESS) {
1106 return ret;
1107 }
1108 }
1109 if (io.g.supplemental.length > 0) {
1110 ret = ldb_msg_add_value(msg, "supplementalCredentials",
1111 &io.g.supplemental, NULL);
1112 if (ret != LDB_SUCCESS) {
1113 return ret;
1114 }
1115 }
1116 ret = samdb_msg_add_uint64(ac->module->ldb, ac, msg,
1117 "pwdLastSet",
1118 io.g.last_set);
1119 if (ret != LDB_SUCCESS) {
1120 return ret;
1121 }
1122 ret = samdb_msg_add_uint(ac->module->ldb, ac, msg,
1123 "msDs-KeyVersionNumber",
1124 io.g.kvno);
1125 if (ret != LDB_SUCCESS) {
1126 return ret;
1127 }
1128
1129 h->state = LDB_ASYNC_INIT;
1130 h->status = LDB_SUCCESS;
1131
1132 ac->step = PH_ADD_DO_ADD;
1133
1134 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->down_req);
1135
1136 /* perform the operation */
1137 return ldb_next_request(ac->module, ac->down_req);
1138 }
1139
1140 static int password_hash_mod_search_self(struct ldb_handle *h);
1141
1142 static int password_hash_modify(struct ldb_module *module, struct ldb_request *req)
1143 {
1144 struct ldb_handle *h;
1145 struct ph_context *ac;
1146 struct ldb_message_element *sambaAttr;
1147 struct ldb_message_element *ntAttr;
1148 struct ldb_message_element *lmAttr;
1149 struct ldb_message *msg;
1150
1151 ldb_debug(module->ldb, LDB_DEBUG_TRACE, "password_hash_modify\n");
1152
1153 if (ldb_dn_is_special(req->op.mod.message->dn)) { /* do not manipulate our control entries */
1154 return ldb_next_request(module, req);
1155 }
1156
1157 /* If the caller is manipulating the local passwords directly, let them pass */
1158 if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
1159 req->op.mod.message->dn) == 0) {
1160 return ldb_next_request(module, req);
1161 }
1162
1163 /* nobody must touch password Histories */
1164 if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory")) {
1165 return LDB_ERR_UNWILLING_TO_PERFORM;
1166 }
1167 if (ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) {
1168 return LDB_ERR_UNWILLING_TO_PERFORM;
1169 }
1170 if (ldb_msg_find_element(req->op.add.message, "supplementalCredentials")) {
1171 return LDB_ERR_UNWILLING_TO_PERFORM;
1172 }
1173
1174 sambaAttr = ldb_msg_find_element(req->op.mod.message, "sambaPassword");
1175 ntAttr = ldb_msg_find_element(req->op.mod.message, "unicodePwd");
1176 lmAttr = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
1177
1178 /* If no part of this touches the sambaPassword OR unicodePwd and/or dBCSPwd, then we don't
1179 * need to make any changes. For password changes/set there should
1180 * be a 'delete' or a 'modify' on this attribute. */
1181 if ((!sambaAttr) && (!ntAttr) && (!lmAttr)) {
1182 return ldb_next_request(module, req);
1183 }
1184
1185 /* check passwords are single valued here */
1186 /* TODO: remove this when passwords will be single valued in schema */
1187 if (sambaAttr && (sambaAttr->num_values > 1)) {
1188 return LDB_ERR_CONSTRAINT_VIOLATION;
1189 }
1190 if (ntAttr && (ntAttr->num_values > 1)) {
1191 return LDB_ERR_CONSTRAINT_VIOLATION;
1192 }
1193 if (lmAttr && (lmAttr->num_values > 1)) {
1194 return LDB_ERR_CONSTRAINT_VIOLATION;
1195 }
1196
1197 h = ph_init_handle(req, module, PH_MOD);
1198 if (!h) {
1199 return LDB_ERR_OPERATIONS_ERROR;
1200 }
1201 ac = talloc_get_type(h->private_data, struct ph_context);
1202
1203 /* return or own handle to deal with this call */
1204 req->handle = h;
1205
1206 /* prepare the first operation */
1207 ac->down_req = talloc_zero(ac, struct ldb_request);
1208 if (ac->down_req == NULL) {
1209 ldb_set_errstring(module->ldb, "Out of memory!");
1210 return LDB_ERR_OPERATIONS_ERROR;
1211 }
1212
1213 *(ac->down_req) = *req; /* copy the request */
1214
1215 /* use a new message structure so that we can modify it */
1216 ac->down_req->op.mod.message = msg = ldb_msg_copy_shallow(ac->down_req, req->op.mod.message);
1217
1218 /* - remove any imodification to the password from the first commit
1219 * we will make the real modification later */
1220 if (sambaAttr) ldb_msg_remove_attr(msg, "sambaPassword");
1221 if (ntAttr) ldb_msg_remove_attr(msg, "unicodePwd");
1222 if (lmAttr) ldb_msg_remove_attr(msg, "dBCSPwd");
1223
1224 /* if there was nothing else to be modify skip to next step */
1225 if (msg->num_elements == 0) {
1226 talloc_free(ac->down_req);
1227 ac->down_req = NULL;
1228 return password_hash_mod_search_self(h);
1229 }
1230
1231 ac->down_req->context = NULL;
1232 ac->down_req->callback = NULL;
1233
1234 ac->step = PH_MOD_DO_REQ;
1235
1236 ldb_set_timeout_from_prev_req(module->ldb, req, ac->down_req);
1237
1238 return ldb_next_request(module, ac->down_req);
1239 }
1240
1241 static int get_self_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
1242 {
1243 struct ph_context *ac;
1244
1245 if (!context || !ares) {
1246 ldb_set_errstring(ldb, "NULL Context or Result in callback");
1247 return LDB_ERR_OPERATIONS_ERROR;
1248 }
1249
1250 ac = talloc_get_type(context, struct ph_context);
1251
1252 /* we are interested only in the single reply (base search) we receive here */
1253 if (ares->type == LDB_REPLY_ENTRY) {
1254 if (ac->search_res != NULL) {
1255 ldb_set_errstring(ldb, "Too many results");
1256 talloc_free(ares);
1257 return LDB_ERR_OPERATIONS_ERROR;
1258 }
1259
1260 /* if it is not an entry of type person this is an error */
1261 /* TODO: remove this when sambaPassword will be in schema */
1262 if (!ldb_msg_check_string_attribute(ares->message, "objectClass", "person")) {
1263 ldb_set_errstring(ldb, "Object class violation");
1264 talloc_free(ares);
1265 return LDB_ERR_OBJECT_CLASS_VIOLATION;
1266 }
1267
1268 ac->search_res = talloc_steal(ac, ares);
1269 } else {
1270 talloc_free(ares);
1271 }
1272
1273 return LDB_SUCCESS;
1274 }
1275
1276 static int password_hash_mod_search_self(struct ldb_handle *h) {
1277
1278 struct ph_context *ac;
1279 static const char * const attrs[] = { "userAccountControl", "lmPwdHistory",
1280 "ntPwdHistory",
1281 "objectSid", "msDS-KeyVersionNumber",
1282 "objectClass", "userPrincipalName",
1283 "sAMAccountName",
1284 "dBCSPwd", "unicodePwd",
1285 "supplementalCredentials",
1286 NULL };
1287
1288 ac = talloc_get_type(h->private_data, struct ph_context);
1289
1290 /* prepare the search operation */
1291 ac->search_req = talloc_zero(ac, struct ldb_request);
1292 if (ac->search_req == NULL) {
1293 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
1294 return LDB_ERR_OPERATIONS_ERROR;
1295 }
1296
1297 ac->search_req->operation = LDB_SEARCH;
1298 ac->search_req->op.search.base = ac->orig_req->op.mod.message->dn;
1299 ac->search_req->op.search.scope = LDB_SCOPE_BASE;
1300 ac->search_req->op.search.tree = ldb_parse_tree(ac->search_req, NULL);
1301 if (ac->search_req->op.search.tree == NULL) {
1302 ldb_set_errstring(ac->module->ldb, "Invalid search filter");
1303 return LDB_ERR_OPERATIONS_ERROR;
1304 }
1305 ac->search_req->op.search.attrs = attrs;
1306 ac->search_req->controls = NULL;
1307 ac->search_req->context = ac;
1308 ac->search_req->callback = get_self_callback;
1309 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->search_req);
1310
1311 ac->step = PH_MOD_SEARCH_SELF;
1312
1313 return ldb_next_request(ac->module, ac->search_req);
1314 }
1315
1316 static int password_hash_mod_search_dom(struct ldb_handle *h) {
1317
1318 struct ph_context *ac;
1319 int ret;
1320
1321 ac = talloc_get_type(h->private_data, struct ph_context);
1322
1323 /* get object domain sid */
1324 ac->domain_sid = samdb_result_sid_prefix(ac, ac->search_res->message, "objectSid");
1325 if (ac->domain_sid == NULL) {
1326 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "can't handle entry with missing objectSid!\n");
1327 return LDB_ERR_OPERATIONS_ERROR;
1328 }
1329
1330 /* get user domain data */
1331 ret = build_domain_data_request(ac);
1332 if (ret != LDB_SUCCESS) {
1333 return ret;
1334 }
1335
1336 ac->step = PH_MOD_SEARCH_DOM;
1337
1338 return ldb_next_request(ac->module, ac->dom_req);
1339 }
1340
1341 static int password_hash_mod_do_mod(struct ldb_handle *h) {
1342
1343 struct ph_context *ac;
1344 struct domain_data *domain;
1345 struct smb_krb5_context *smb_krb5_context;
1346 struct ldb_message *msg;
1347 struct ldb_message *orig_msg;
1348 struct ldb_message *searched_msg;
1349 struct setup_password_fields_io io;
1350 int ret;
1351
1352 ac = talloc_get_type(h->private_data, struct ph_context);
1353
1354 domain = get_domain_data(ac->module, ac, ac->dom_res);
1355 if (domain == NULL) {
1356 return LDB_ERR_OPERATIONS_ERROR;
1357 }
1358
1359 ac->mod_req = talloc(ac, struct ldb_request);
1360 if (ac->mod_req == NULL) {
1361 return LDB_ERR_OPERATIONS_ERROR;
1362 }
1363
1364 *(ac->mod_req) = *(ac->orig_req);
1365
1366 /* use a new message structure so that we can modify it */
1367 ac->mod_req->op.mod.message = msg = ldb_msg_new(ac->mod_req);
1368 if (msg == NULL) {
1369 return LDB_ERR_OPERATIONS_ERROR;
1370 }
1371
1372 /* modify dn */
1373 msg->dn = ac->orig_req->op.mod.message->dn;
1374
1375 /* Some operations below require kerberos contexts */
1376 if (smb_krb5_init_context(ac->mod_req, &smb_krb5_context) != 0) {
1377 return LDB_ERR_OPERATIONS_ERROR;
1378 }
1379
1380 orig_msg = discard_const(ac->orig_req->op.mod.message);
1381 searched_msg = ac->search_res->message;
1382
1383 ZERO_STRUCT(io);
1384 io.ac = ac;
1385 io.domain = domain;
1386 io.smb_krb5_context = smb_krb5_context;
1387
1388 io.u.user_account_control = samdb_result_uint(searched_msg, "userAccountControl", 0);
1389 io.u.sAMAccountName = samdb_result_string(searched_msg, "samAccountName", NULL);
1390 io.u.user_principal_name = samdb_result_string(searched_msg, "userPrincipalName", NULL);
1391 io.u.is_computer = ldb_msg_check_string_attribute(searched_msg, "objectClass", "computer");
1392
1393 io.n.cleartext = samdb_result_string(orig_msg, "sambaPassword", NULL);
1394 io.n.nt_hash = samdb_result_hash(io.ac, orig_msg, "unicodePwd");
1395 io.n.lm_hash = samdb_result_hash(io.ac, orig_msg, "dBCSPwd");
1396
1397 io.o.kvno = samdb_result_uint(searched_msg, "msDs-KeyVersionNumber", 0);
1398 io.o.nt_history_len = samdb_result_hashes(io.ac, searched_msg, "ntPwdHistory", &io.o.nt_history);
1399 io.o.lm_history_len = samdb_result_hashes(io.ac, searched_msg, "lmPwdHistory", &io.o.lm_history);
1400 io.o.supplemental = ldb_msg_find_ldb_val(searched_msg, "supplementalCredentials");
1401
1402 ret = setup_password_fields(&io);
1403 if (ret != LDB_SUCCESS) {
1404 return ret;
1405 }
1406
1407 /* make sure we replace all the old attributes */
1408 ret = ldb_msg_add_empty(msg, "unicodePwd", LDB_FLAG_MOD_REPLACE, NULL);
1409 ret = ldb_msg_add_empty(msg, "dBCSPwd", LDB_FLAG_MOD_REPLACE, NULL);
1410 ret = ldb_msg_add_empty(msg, "ntPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
1411 ret = ldb_msg_add_empty(msg, "lmPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
1412 ret = ldb_msg_add_empty(msg, "supplementalCredentials", LDB_FLAG_MOD_REPLACE, NULL);
1413 ret = ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE, NULL);
1414 ret = ldb_msg_add_empty(msg, "msDs-KeyVersionNumber", LDB_FLAG_MOD_REPLACE, NULL);
1415
1416 if (io.g.nt_hash) {
1417 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
1418 "unicodePwd", io.g.nt_hash);
1419 if (ret != LDB_SUCCESS) {
1420 return ret;
1421 }
1422 }
1423 if (io.g.lm_hash) {
1424 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
1425 "dBCSPwd", io.g.lm_hash);
1426 if (ret != LDB_SUCCESS) {
1427 return ret;
1428 }
1429 }
1430 if (io.g.nt_history_len > 0) {
1431 ret = samdb_msg_add_hashes(ac, msg,
1432 "ntPwdHistory",
1433 io.g.nt_history,
1434 io.g.nt_history_len);
1435 if (ret != LDB_SUCCESS) {
1436 return ret;
1437 }
1438 }
1439 if (io.g.lm_history_len > 0) {
1440 ret = samdb_msg_add_hashes(ac, msg,
1441 "lmPwdHistory",
1442 io.g.lm_history,
1443 io.g.lm_history_len);
1444 if (ret != LDB_SUCCESS) {
1445 return ret;
1446 }
1447 }
1448 if (io.g.supplemental.length > 0) {
1449 ret = ldb_msg_add_value(msg, "supplementalCredentials",
1450 &io.g.supplemental, NULL);
1451 if (ret != LDB_SUCCESS) {
1452 return ret;
1453 }
1454 }
1455 ret = samdb_msg_add_uint64(ac->module->ldb, ac, msg,
1456 "pwdLastSet",
1457 io.g.last_set);
1458 if (ret != LDB_SUCCESS) {
1459 return ret;
1460 }
1461 ret = samdb_msg_add_uint(ac->module->ldb, ac, msg,
1462 "msDs-KeyVersionNumber",
1463 io.g.kvno);
1464 if (ret != LDB_SUCCESS) {
1465 return ret;
1466 }
1467
1468 h->state = LDB_ASYNC_INIT;
1469 h->status = LDB_SUCCESS;
1470
1471 ac->step = PH_MOD_DO_MOD;
1472
1473 ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->mod_req);
1474
1475 /* perform the search */
1476 return ldb_next_request(ac->module, ac->mod_req);
1477 }
1478
1479 static int ph_wait(struct ldb_handle *handle) {
1480 struct ph_context *ac;
1481 int ret;
1482
1483 if (!handle || !handle->private_data) {
1484 return LDB_ERR_OPERATIONS_ERROR;
1485 }
1486
1487 if (handle->state == LDB_ASYNC_DONE) {
1488 return handle->status;
1489 }
1490
1491 handle->state = LDB_ASYNC_PENDING;
1492 handle->status = LDB_SUCCESS;
1493
1494 ac = talloc_get_type(handle->private_data, struct ph_context);
1495
1496 switch (ac->step) {
1497 case PH_ADD_SEARCH_DOM:
1498 ret = ldb_wait(ac->dom_req->handle, LDB_WAIT_NONE);
1499
1500 if (ret != LDB_SUCCESS) {
1501 handle->status = ret;
1502 goto done;
1503 }
1504 if (ac->dom_req->handle->status != LDB_SUCCESS) {
1505 handle->status = ac->dom_req->handle->status;
1506 goto done;
1507 }
1508
1509 if (ac->dom_req->handle->state != LDB_ASYNC_DONE) {
1510 return LDB_SUCCESS;
1511 }
1512
1513 /* domain search done, go on */
1514 return password_hash_add_do_add(handle);
1515
1516 case PH_ADD_DO_ADD:
1517 ret = ldb_wait(ac->down_req->handle, LDB_WAIT_NONE);
1518
1519 if (ret != LDB_SUCCESS) {
1520 handle->status = ret;
1521 goto done;
1522 }
1523 if (ac->down_req->handle->status != LDB_SUCCESS) {
1524 handle->status = ac->down_req->handle->status;
1525 goto done;
1526 }
1527
1528 if (ac->down_req->handle->state != LDB_ASYNC_DONE) {
1529 return LDB_SUCCESS;
1530 }
1531
1532 break;
1533
1534 case PH_MOD_DO_REQ:
1535 ret = ldb_wait(ac->down_req->handle, LDB_WAIT_NONE);
1536
1537 if (ret != LDB_SUCCESS) {
1538 handle->status = ret;
1539 goto done;
1540 }
1541 if (ac->down_req->handle->status != LDB_SUCCESS) {
1542 handle->status = ac->down_req->handle->status;
1543 goto done;
1544 }
1545
1546 if (ac->down_req->handle->state != LDB_ASYNC_DONE) {
1547 return LDB_SUCCESS;
1548 }
1549
1550 /* non-password mods done, go on */
1551 return password_hash_mod_search_self(handle);
1552
1553 case PH_MOD_SEARCH_SELF:
1554 ret = ldb_wait(ac->search_req->handle, LDB_WAIT_NONE);
1555
1556 if (ret != LDB_SUCCESS) {
1557 handle->status = ret;
1558 goto done;
1559 }
1560 if (ac->search_req->handle->status != LDB_SUCCESS) {
1561 handle->status = ac->search_req->handle->status;
1562 goto done;
1563 }
1564
1565 if (ac->search_req->handle->state != LDB_ASYNC_DONE) {
1566 return LDB_SUCCESS;
1567 }
1568
1569 if (ac->search_res == NULL) {
1570 return LDB_ERR_NO_SUCH_OBJECT;
1571 }
1572
1573 /* self search done, go on */
1574 return password_hash_mod_search_dom(handle);
1575
1576 case PH_MOD_SEARCH_DOM:
1577 ret = ldb_wait(ac->dom_req->handle, LDB_WAIT_NONE);
1578
1579 if (ret != LDB_SUCCESS) {
1580 handle->status = ret;
1581 goto done;
1582 }
1583 if (ac->dom_req->handle->status != LDB_SUCCESS) {
1584 handle->status = ac->dom_req->handle->status;
1585 goto done;
1586 }
1587
1588 if (ac->dom_req->handle->state != LDB_ASYNC_DONE) {
1589 return LDB_SUCCESS;
1590 }
1591
1592 /* domain search done, go on */
1593 return password_hash_mod_do_mod(handle);
1594
1595 case PH_MOD_DO_MOD:
1596 ret = ldb_wait(ac->mod_req->handle, LDB_WAIT_NONE);
1597
1598 if (ret != LDB_SUCCESS) {
1599 handle->status = ret;
1600 goto done;
1601 }
1602 if (ac->mod_req->handle->status != LDB_SUCCESS) {
1603 handle->status = ac->mod_req->handle->status;
1604 goto done;
1605 }
1606
1607 if (ac->mod_req->handle->state != LDB_ASYNC_DONE) {
1608 return LDB_SUCCESS;
1609 }
1610
1611 break;
1612
1613 default:
1614 ret = LDB_ERR_OPERATIONS_ERROR;
1615 goto done;
1616 }
1617
1618 ret = LDB_SUCCESS;
1619
1620 done:
1621 handle->state = LDB_ASYNC_DONE;
1622 return ret;
1623 }
1624
1625 static int ph_wait_all(struct ldb_handle *handle) {
1626
1627 int ret;
1628
1629 while (handle->state != LDB_ASYNC_DONE) {
1630 ret = ph_wait(handle);
1631 if (ret != LDB_SUCCESS) {
1632 return ret;
1633 }
1634 }
1635
1636 return handle->status;
1637 }
1638
1639 static int password_hash_wait(struct ldb_handle *handle, enum ldb_wait_type type)
1640 {
1641 if (type == LDB_WAIT_ALL) {
1642 return ph_wait_all(handle);
1643 } else {
1644 return ph_wait(handle);
1645 }
1646 }
1647
1648 static const struct ldb_module_ops password_hash_ops = {
1649 .name = "password_hash",
1650 .add = password_hash_add,
1651 .modify = password_hash_modify,
1652 .wait = password_hash_wait
1653 };
1654
1655
1656 int password_hash_module_init(void)
1657 {
1658 return ldb_register_module(&password_hash_ops);
1659 }