svn commit: lorikeet r270 - in trunk/heimdal: . lib/hdb

abartlet at samba.org abartlet at samba.org
Tue May 10 14:20:08 GMT 2005 

Author: abartlet
Date: 2005-05-10 14:20:07 +0000 (Tue, 10 May 2005)
New Revision: 270

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=270

Log:
Implement the algorithm described by Luke Howard of PADL last
November, for the correct salting of prinipals in a AD-like realm.

Update my config.abartlet script to disabled shared libs, as these
break when placed alongside MIT.

Andrew Bartlett

Modified:
   trunk/heimdal/config.abartlet
   trunk/heimdal/lib/hdb/hdb-ldb.c


Changeset:
Modified: trunk/heimdal/config.abartlet
===================================================================
--- trunk/heimdal/config.abartlet	2005-05-10 09:14:44 UTC (rev 269)
+++ trunk/heimdal/config.abartlet	2005-05-10 14:20:07 UTC (rev 270)
@@ -1 +1 @@
-CFLAGS="-g -O -Wall -Wstrict-prototypes -Wpointer-arith -Wcast-align -Wwrite-strings -Wdeclaration-after-statement" CC="ccache gcc" ./configure  --with-ldb=/usr/local --enable-shared --without-openssl
+CFLAGS="-g -O -Wall -Wstrict-prototypes -Wpointer-arith -Wcast-align -Wwrite-strings -Wdeclaration-after-statement" CC="ccache gcc" ./configure  --with-ldb=/usr/local --disable-shared --without-openssl

Modified: trunk/heimdal/lib/hdb/hdb-ldb.c
===================================================================
--- trunk/heimdal/lib/hdb/hdb-ldb.c	2005-05-10 09:14:44 UTC (rev 269)
+++ trunk/heimdal/lib/hdb/hdb-ldb.c	2005-05-10 14:20:07 UTC (rev 270)
@@ -44,9 +44,14 @@
 #include <ldb.h>
 #include <talloc.h>
 
+#include <ctype.h>
+
 #include "hdb-ldb.h"
 
+
+
 static const char * const krb5_attrs[] = {
+	"objectClass",
 	"cn",
 	"name",
 	"sAMAccountName",
@@ -211,12 +216,12 @@
 /*
  * Construct an hdb_entry from a directory entry.
  */
-static krb5_error_code LDB_message2entry(krb5_context context, HDB *db, krb5_principal principal,
+static krb5_error_code LDB_message2entry(krb5_context context, HDB *db, 
+					 TALLOC_CTX *mem_ctx, krb5_principal principal,
 					 enum hdb_ent_type ent_type, struct ldb_message *realm_msg,
 					 struct ldb_message *msg,
 					 hdb_entry *ent)
 {
-	const char *unparsed_name = NULL;
 	const char *unicodePwd;
 	int userAccountControl;
 	int i;
@@ -231,8 +236,14 @@
 	
 	ent->principal = malloc(sizeof(*(ent->principal)));
 	if (ent_type == HDB_ENT_TYPE_ENUM) {
-		unparsed_name = ldb_msg_find_string(msg, "samAccountName", NULL);
-		krb5_make_principal(context, &ent->principal, realm, unparsed_name, NULL);
+		const char *samAccountName = ldb_msg_find_string(msg, "samAccountName", NULL);
+		if (!samAccountName) {
+			krb5_set_error_string(context, "LDB_message2entry: no samAccountName present");
+			ret = ENOENT;
+			goto out;
+		}
+		samAccountName = ldb_msg_find_string(msg, "samAccountName", NULL);
+		krb5_make_principal(context, &ent->principal, realm, samAccountName, NULL);
 	} else {
 		copy_Principal(principal, ent->principal);
 	}
@@ -278,12 +289,74 @@
 	/* create the keys and enctypes */
 	unicodePwd = ldb_msg_find_string(msg, "unicodePwd", NULL);
 	if (unicodePwd) {
-		/*
-		 * create keys from unicodePwd
-		 */
-		ret = hdb_generate_key_set_password(context, ent->principal, 
+		/* Many, many thanks to lukeh at padl.com for this
+		 * algorithm, described in his Nov 10 2004 mail to
+		 * samba-technical at samba.org */
+
+		Principal *salt_principal;
+		const char *user_principal_name = ldb_msg_find_string(msg, "userPrincipalName", NULL);
+		struct ldb_message_element *objectclasses;
+		struct ldb_val computer_val;
+		computer_val.data = "computer";
+		computer_val.length = strlen(computer_val.data);
+		
+		objectclasses = ldb_msg_find_element(msg, "objectClass");
+
+		if (objectclasses && ldb_msg_find_val(objectclasses, &computer_val)) {
+			/* Determine a salting principal */
+			char *samAccountName = talloc_strdup(mem_ctx, ldb_msg_find_string(msg, "samAccountName", NULL));
+			char *realm_lower = talloc_strdup(mem_ctx, realm);
+			char *saltbody;
+			int i;
+			if (!samAccountName) {
+				krb5_set_error_string(context, "LDB_message2entry: no samAccountName present");
+				ret = ENOENT;
+				goto out;
+			}
+			if (!realm_lower) {
+				krb5_set_error_string(context, "malloc: out of memory");
+				ret = ENOMEM;
+				goto out;
+			}
+			
+			/* TODO: Use Samba charset functions */
+			for (i=0; i< strlen(realm_lower); i++) {
+				realm_lower[i] = tolower(realm_lower[i]);
+			}
+			
+			if (samAccountName[strlen(samAccountName)-1] == '$') {
+				samAccountName[strlen(samAccountName)-1] = '\0';
+			}
+			saltbody = talloc_asprintf(mem_ctx, "%s.%s", samAccountName, realm_lower);
+			
+			ret = krb5_make_principal(context, &salt_principal, realm, "host", saltbody, NULL);
+		} else if (user_principal_name) {
+			char *p;
+			user_principal_name = talloc_strdup(mem_ctx, user_principal_name);
+			if (!user_principal_name) {
+				ret = ENOMEM;
+				goto out;
+			} else {
+				p = strchr(user_principal_name, '@');
+				if (p) {
+					p[0] = '\0';
+				}
+				ret = krb5_make_principal(context, &salt_principal, realm, user_principal_name, NULL);
+			} 
+		} else {
+			const char *samAccountName = ldb_msg_find_string(msg, "samAccountName", NULL);
+			ret = krb5_make_principal(context, &salt_principal, realm, samAccountName, NULL);
+		}
+
+		if (ret == 0) {
+			/*
+			 * create keys from unicodePwd
+			 */
+			ret = hdb_generate_key_set_password(context, salt_principal, 
 						    unicodePwd, 
-						    &ent->keys.val, &ent->keys.len);
+							    &ent->keys.val, &ent->keys.len);
+			krb5_free_principal(context, salt_principal);
+		}
 
 		if (ret != 0) {
 			krb5_warnx(context, "could not generate keys from unicodePwd\n");
@@ -567,7 +640,9 @@
 	if (ret != 0) {
 		krb5_warnx(context, "LDB_fetch: no principal found\n");
 	} else {
-		ret = LDB_message2entry(context, db, principal, ent_type, realm_msg[0], msg[0], entry);
+		ret = LDB_message2entry(context, db, mem_ctx, 
+					principal, ent_type, 
+					realm_msg[0], msg[0], entry);
 		if (ret != 0) {
 			krb5_warnx(context, "LDB_fetch: message2entry failed\n");	
 #if 0 /* master key support removed */
@@ -617,7 +692,9 @@
 	}
 
 	if (priv->index < priv->count) {
-		ret = LDB_message2entry(context, db, NULL, HDB_ENT_TYPE_ENUM, priv->realm_msgs[0], priv->msgs[priv->index++], entry);
+		ret = LDB_message2entry(context, db, mem_ctx, 
+					NULL, HDB_ENT_TYPE_ENUM, 
+					priv->realm_msgs[0], priv->msgs[priv->index++], entry);
 	} else {
 		ret = HDB_ERR_NOENTRY;
 	}

More information about the samba-cvs mailing list