2 Unix SMB/CIFS implementation.
4 User credentials handling for Group Managed Service Accounts
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2023
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "librpc/gen_ndr/ndr_gmsa.h" /* for struct MANAGEDPASSWORD_BLOB */
24 #include "auth/credentials/credentials.h"
25 #include "auth/credentials/credentials_internal.h"
26 #include "lib/util/charset/charset.h"
27 #include "lib/crypto/gkdi.h"
29 * All current callers set "for_keytab = true", but if we start using
30 * this for getting a TGT we need the logic to ignore a very new
33 NTSTATUS
cli_credentials_set_gmsa_passwords(struct cli_credentials
*creds
,
34 const DATA_BLOB
*managed_password_blob
,
36 const char **error_string
)
38 struct MANAGEDPASSWORD_BLOB managed_password
;
39 DATA_BLOB managed_pw_utf16
;
40 DATA_BLOB previous_managed_pw_utf16
;
41 enum ndr_err_code ndr_err
;
42 TALLOC_CTX
*frame
= talloc_stackframe();
43 bool only_use_previous_pw
;
46 * Group Managed Service Accounts are type
47 * UF_WORKSTATION_TRUST_ACCOUNT and will follow those salting
50 cli_credentials_set_secure_channel_type(creds
, SEC_CHAN_WKSTA
);
52 ndr_err
= ndr_pull_struct_blob_all(managed_password_blob
,
55 (ndr_pull_flags_fn_t
)ndr_pull_MANAGEDPASSWORD_BLOB
);
56 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
57 *error_string
= talloc_asprintf(creds
,
58 "Failed to parse msDS-ManagedPassword "
59 "as MANAGEDPASSWORD_BLOB");
61 return NT_STATUS_ILL_FORMED_PASSWORD
;
65 * We check if this is 'for keytab' as a keytab wants to know
66 * about a near-future password as it will be on disk for some
69 only_use_previous_pw
=
70 managed_password
.passwords
.query_interval
!= NULL
71 && *managed_password
.passwords
.query_interval
<= gkdi_max_clock_skew
72 && for_keytab
== false;
75 * We look at the old password first as we might bail out
76 * early if the new password is "too fresh"
78 if (managed_password
.passwords
.previous
) {
79 previous_managed_pw_utf16
80 = data_blob_const(managed_password
.passwords
.previous
,
81 utf16_len(managed_password
.passwords
.previous
));
83 cli_credentials_set_old_utf16_password(creds
, &previous_managed_pw_utf16
);
85 if (only_use_previous_pw
) {
86 /* We are in the 5 mins where we know the next
87 * password, but it will not be available yet, just
88 * use the old password for now.
90 cli_credentials_set_utf16_password(creds
, &previous_managed_pw_utf16
,
94 * We are done, the new password is of no
103 if (only_use_previous_pw
) {
104 *error_string
= talloc_asprintf(creds
,
105 "No old password but new password is too new "
106 "(< 5min) in msDS-ManagedPassword "
107 "MANAGEDPASSWORD_BLOB");
109 return NT_STATUS_ILL_FORMED_PASSWORD
;
112 if (managed_password
.passwords
.current
== NULL
) {
113 *error_string
= talloc_asprintf(creds
,
114 "Failed to find new password in msDS-ManagedPassword "
115 "MANAGEDPASSWORD_BLOB");
117 return NT_STATUS_ILL_FORMED_PASSWORD
;
121 = data_blob_const(managed_password
.passwords
.current
,
122 utf16_len(managed_password
.passwords
.current
));
124 cli_credentials_set_utf16_password(creds
, &managed_pw_utf16
,