[SCM] Samba Shared Repository - branch v4-0-test updated -
release-4-0-0alpha5-133-g08618bb
Stefan Metzmacher
metze at samba.org
Wed Jul 23 12:49:53 GMT 2008
The branch, v4-0-test has been updated
via 08618bbd508ede0bb9e1922fae562cffdca41cbd (commit)
via 8300259f103f8cfe014988fad0f7ee0d49bb1ac2 (commit)
via 97b7901afbccc9647ad2958d4cf12300de2655d1 (commit)
via ca9cd81a1798fb15195566422b3cad7c282fce89 (commit)
via 4ad73a0bf8952783d3d9a7339c0c4fd8ca28981a (commit)
via 5edff84429ef0d03b47a438e18861d26c97e17b6 (commit)
via 1bf552856f3a930c4716ceb73d9ba9adf7502d3d (commit)
via da9ceb2bf17f964334d9317829d40483e2c04b10 (commit)
via 7219740ef434091617c6bb727374251987ff2a62 (commit)
via 19b8c8e37bafab050ab61266c35006efada2947c (commit)
via 24c5b10136f6e640832193aaf9e6d7e865c288bc (commit)
via 5b860572686167d0291161f6597f143e538e2f3a (commit)
via 9a70b2237d4fdd523edfbca0329ad35e71faf998 (commit)
via 26e9169d454349795ad0bc64d7f65059541ab89e (commit)
via ca28d05b11e602e0f98cda0e02f973562c199dc6 (commit)
via ac02d6a0f765e3b66fb6796f129edb1a348ecd84 (commit)
via 6a7637b12e4a34915a53e81a0f47571da21fdc5a (commit)
from c123e597cc84685abf2b0d3564e1a26d80bbef2f (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test
- Log -----------------------------------------------------------------
commit 08618bbd508ede0bb9e1922fae562cffdca41cbd
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 23 09:35:19 2008 +0200
password_hash: add generation of the Primary:Kerberos-Newer-Keys blob
But it's still of by default until we now what triggers this generation.
It could be that the value is always generated but the KDC only
uses it when in a specific funtional level, but it could also
be that it's only generated in a specific functional level.
metze
commit 8300259f103f8cfe014988fad0f7ee0d49bb1ac2
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 22 18:47:27 2008 +0200
hdb-ldb: try to find Primary:Kerberos-Newer-Keys and fallback to Primary:Kerberos
Now provide AES tickets if we find the keys in the supplementalCredentials attribute
metze
commit 97b7901afbccc9647ad2958d4cf12300de2655d1
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 22 12:28:07 2008 +0200
drsblobs.idl: add idl for Primary:Kerberos-Newer-Keys blob in supplementalCredentials
metze
commit ca9cd81a1798fb15195566422b3cad7c282fce89
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 22 18:54:21 2008 +0200
password_hash: order the supplementalCredentials Packages in the same order like windows
metze
commit 4ad73a0bf8952783d3d9a7339c0c4fd8ca28981a
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 22 18:27:36 2008 +0200
password_hash: split the generation of krb5 keys into a different function
metze
commit 5edff84429ef0d03b47a438e18861d26c97e17b6
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 22 18:32:49 2008 +0200
password_hash: simplify the logic if we have cleartext we always generate the hashes
metze
commit 1bf552856f3a930c4716ceb73d9ba9adf7502d3d
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 23 10:05:43 2008 +0200
password_hash: fix callers after idl change for package_PrimaryKerberos
metze
commit da9ceb2bf17f964334d9317829d40483e2c04b10
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 23 08:53:34 2008 +0200
drsblobs.idl: fix unknowns in package_PrimaryKerberos idl
metze
commit 7219740ef434091617c6bb727374251987ff2a62
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 23 13:41:51 2008 +0200
hdb-ldb: check the SUPPLEMENTAL_CREDENTIALS_SIGNATURE
metze
commit 19b8c8e37bafab050ab61266c35006efada2947c
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 23 13:31:14 2008 +0200
password_hash: check the SUPPLEMENTAL_CREDENTIALS_SIGNATURE
metze
commit 24c5b10136f6e640832193aaf9e6d7e865c288bc
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 23 13:06:32 2008 +0200
drsblobs.idl: fix idl for supplementalCredentialsSubBlob
metze
commit 5b860572686167d0291161f6597f143e538e2f3a
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 23 12:00:42 2008 +0200
password_hash: ignore reserved value, but still set it like windows does
metze
commit 9a70b2237d4fdd523edfbca0329ad35e71faf998
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jul 23 13:53:03 2008 +0200
drsblobs.idl: rename unknown1 -> reserved
metze
commit 26e9169d454349795ad0bc64d7f65059541ab89e
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 22 18:31:45 2008 +0200
password_hash: don't add zero padding as w2k8 also don't add it
metze
commit ca28d05b11e602e0f98cda0e02f973562c199dc6
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 22 18:46:24 2008 +0200
hdb-ldb: fix comment about padding
metze
commit ac02d6a0f765e3b66fb6796f129edb1a348ecd84
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 22 18:34:14 2008 +0200
hdb-ldb: fix crash bug in the error path
metze
commit 6a7637b12e4a34915a53e81a0f47571da21fdc5a
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jul 22 14:06:36 2008 +0200
RPC-DSSYNC: print 'supplementalCredentials' more verbosely
metze
-----------------------------------------------------------------------
Summary of changes:
source/dsdb/samdb/ldb_modules/password_hash.c | 450 ++++++++++++++++++-------
source/kdc/hdb-ldb.c | 139 +++++++-
source/librpc/idl/drsblobs.idl | 64 +++-
source/torture/rpc/dssync.c | 10 +
4 files changed, 521 insertions(+), 142 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/dsdb/samdb/ldb_modules/password_hash.c b/source/dsdb/samdb/ldb_modules/password_hash.c
index 3e442b6..413ec12 100644
--- a/source/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source/dsdb/samdb/ldb_modules/password_hash.c
@@ -140,6 +140,11 @@ struct setup_password_fields_io {
struct samr_Password *nt_history;
uint32_t lm_history_len;
struct samr_Password *lm_history;
+ const char *salt;
+ DATA_BLOB aes_256;
+ DATA_BLOB aes_128;
+ DATA_BLOB des_md5;
+ DATA_BLOB des_crc;
struct ldb_val supplemental;
NTTIME last_set;
uint32_t kvno;
@@ -216,21 +221,12 @@ static int setup_lm_fields(struct setup_password_fields_io *io)
return LDB_SUCCESS;
}
-static int setup_primary_kerberos(struct setup_password_fields_io *io,
- const struct supplementalCredentialsBlob *old_scb,
- struct package_PrimaryKerberosBlob *pkb)
+static int setup_kerberos_keys(struct setup_password_fields_io *io)
{
krb5_error_code krb5_ret;
Principal *salt_principal;
krb5_salt salt;
krb5_keyblock key;
- uint32_t k=0;
- struct package_PrimaryKerberosCtr3 *pkb3 = &pkb->ctr.ctr3;
- struct supplementalCredentialsPackage *old_scp = NULL;
- struct package_PrimaryKerberosBlob _old_pkb;
- struct package_PrimaryKerberosCtr3 *old_pkb3 = NULL;
- uint32_t i;
- enum ndr_err_code ndr_err;
/* Many, many thanks to lukeh at padl.com for this
* algorithm, described in his Nov 10 2004 mail to
@@ -290,7 +286,7 @@ static int setup_primary_kerberos(struct setup_password_fields_io *io,
}
if (krb5_ret) {
ldb_asprintf_errstring(io->ac->module->ldb,
- "setup_primary_kerberos: "
+ "setup_kerberos_keys: "
"generation of a salting principal failed: %s",
smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
return LDB_ERR_OPERATIONS_ERROR;
@@ -304,81 +300,72 @@ static int setup_primary_kerberos(struct setup_password_fields_io *io,
krb5_free_principal(io->smb_krb5_context->krb5_context, salt_principal);
if (krb5_ret) {
ldb_asprintf_errstring(io->ac->module->ldb,
- "setup_primary_kerberos: "
+ "setup_kerberos_keys: "
"generation of krb5_salt failed: %s",
smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
return LDB_ERR_OPERATIONS_ERROR;
}
/* create a talloc copy */
- pkb3->salt.string = talloc_strndup(io->ac,
- salt.saltvalue.data,
- salt.saltvalue.length);
+ io->g.salt = talloc_strndup(io->ac,
+ salt.saltvalue.data,
+ salt.saltvalue.length);
krb5_free_salt(io->smb_krb5_context->krb5_context, salt);
- if (!pkb3->salt.string) {
+ if (!io->g.salt) {
ldb_oom(io->ac->module->ldb);
return LDB_ERR_OPERATIONS_ERROR;
}
- salt.saltvalue.data = discard_const(pkb3->salt.string);
- salt.saltvalue.length = strlen(pkb3->salt.string);
+ salt.saltvalue.data = discard_const(io->g.salt);
+ salt.saltvalue.length = strlen(io->g.salt);
/*
- * prepare generation of keys
- *
- * ENCTYPE_AES256_CTS_HMAC_SHA1_96 (disabled by default)
- * ENCTYPE_DES_CBC_MD5
- * ENCTYPE_DES_CBC_CRC
- *
- * NOTE: update num_keys when you add another enctype!
+ * create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of
+ * the salt and the cleartext password
*/
- pkb3->num_keys = 3;
- pkb3->keys = talloc_array(io->ac, struct package_PrimaryKerberosKey, pkb3->num_keys);
- if (!pkb3->keys) {
- ldb_oom(io->ac->module->ldb);
+ krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ io->n.cleartext,
+ salt,
+ &key);
+ if (krb5_ret) {
+ ldb_asprintf_errstring(io->ac->module->ldb,
+ "setup_kerberos_keys: "
+ "generation of a aes256-cts-hmac-sha1-96 key failed: %s",
+ smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
return LDB_ERR_OPERATIONS_ERROR;
}
- pkb3->unknown3 = talloc_zero_array(io->ac, uint64_t, pkb3->num_keys);
- if (!pkb3->unknown3) {
+ io->g.aes_256 = data_blob_talloc(io->ac,
+ key.keyvalue.data,
+ key.keyvalue.length);
+ krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
+ if (!io->g.aes_256.data) {
ldb_oom(io->ac->module->ldb);
return LDB_ERR_OPERATIONS_ERROR;
}
- if (lp_parm_bool(ldb_get_opaque(io->ac->module->ldb, "loadparm"), NULL, "password_hash", "create_aes_key", false)) {
- /*
- * TODO:
- *
- * w2k and w2k3 doesn't support AES, so we'll not include
- * the AES key here yet.
- *
- * Also we don't have an example supplementalCredentials blob
- * from Windows Longhorn Server with AES support
- *
- */
/*
- * create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of
+ * create ENCTYPE_AES128_CTS_HMAC_SHA1_96 key out of
* the salt and the cleartext password
*/
krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
- ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
io->n.cleartext,
salt,
&key);
- pkb3->keys[k].keytype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
- pkb3->keys[k].value = talloc(pkb3->keys, DATA_BLOB);
- if (!pkb3->keys[k].value) {
- krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
- ldb_oom(io->ac->module->ldb);
+ if (krb5_ret) {
+ ldb_asprintf_errstring(io->ac->module->ldb,
+ "setup_kerberos_keys: "
+ "generation of a aes128-cts-hmac-sha1-96 key failed: %s",
+ smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
return LDB_ERR_OPERATIONS_ERROR;
}
- *pkb3->keys[k].value = data_blob_talloc(pkb3->keys[k].value,
- key.keyvalue.data,
- key.keyvalue.length);
+ io->g.aes_128 = data_blob_talloc(io->ac,
+ key.keyvalue.data,
+ key.keyvalue.length);
krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
- if (!pkb3->keys[k].value->data) {
+ if (!io->g.aes_128.data) {
ldb_oom(io->ac->module->ldb);
return LDB_ERR_OPERATIONS_ERROR;
}
- k++;
-}
/*
* create ENCTYPE_DES_CBC_MD5 key out of
@@ -389,22 +376,21 @@ static int setup_primary_kerberos(struct setup_password_fields_io *io,
io->n.cleartext,
salt,
&key);
- pkb3->keys[k].keytype = ENCTYPE_DES_CBC_MD5;
- pkb3->keys[k].value = talloc(pkb3->keys, DATA_BLOB);
- if (!pkb3->keys[k].value) {
- krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
- ldb_oom(io->ac->module->ldb);
+ if (krb5_ret) {
+ ldb_asprintf_errstring(io->ac->module->ldb,
+ "setup_kerberos_keys: "
+ "generation of a des-cbc-md5 key failed: %s",
+ smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
return LDB_ERR_OPERATIONS_ERROR;
}
- *pkb3->keys[k].value = data_blob_talloc(pkb3->keys[k].value,
- key.keyvalue.data,
- key.keyvalue.length);
+ io->g.des_md5 = data_blob_talloc(io->ac,
+ key.keyvalue.data,
+ key.keyvalue.length);
krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
- if (!pkb3->keys[k].value->data) {
+ if (!io->g.des_md5.data) {
ldb_oom(io->ac->module->ldb);
return LDB_ERR_OPERATIONS_ERROR;
}
- k++;
/*
* create ENCTYPE_DES_CBC_CRC key out of
@@ -415,30 +401,60 @@ static int setup_primary_kerberos(struct setup_password_fields_io *io,
io->n.cleartext,
salt,
&key);
- pkb3->keys[k].keytype = ENCTYPE_DES_CBC_CRC;
- pkb3->keys[k].value = talloc(pkb3->keys, DATA_BLOB);
- if (!pkb3->keys[k].value) {
- krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
- ldb_oom(io->ac->module->ldb);
+ if (krb5_ret) {
+ ldb_asprintf_errstring(io->ac->module->ldb,
+ "setup_kerberos_keys: "
+ "generation of a des-cbc-crc key failed: %s",
+ smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
return LDB_ERR_OPERATIONS_ERROR;
}
- *pkb3->keys[k].value = data_blob_talloc(pkb3->keys[k].value,
- key.keyvalue.data,
- key.keyvalue.length);
+ io->g.des_crc = data_blob_talloc(io->ac,
+ key.keyvalue.data,
+ key.keyvalue.length);
krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
- if (!pkb3->keys[k].value->data) {
+ if (!io->g.des_crc.data) {
ldb_oom(io->ac->module->ldb);
return LDB_ERR_OPERATIONS_ERROR;
}
- k++;
- /* fix up key number */
- pkb3->num_keys = k;
+ return LDB_SUCCESS;
+}
+
+static int setup_primary_kerberos(struct setup_password_fields_io *io,
+ const struct supplementalCredentialsBlob *old_scb,
+ struct package_PrimaryKerberosBlob *pkb)
+{
+ struct package_PrimaryKerberosCtr3 *pkb3 = &pkb->ctr.ctr3;
+ struct supplementalCredentialsPackage *old_scp = NULL;
+ struct package_PrimaryKerberosBlob _old_pkb;
+ struct package_PrimaryKerberosCtr3 *old_pkb3 = NULL;
+ uint32_t i;
+ enum ndr_err_code ndr_err;
+
+ /*
+ * prepare generation of keys
+ *
+ * ENCTYPE_DES_CBC_MD5
+ * ENCTYPE_DES_CBC_CRC
+ */
+ pkb3->salt.string = io->g.salt;
+ pkb3->num_keys = 2;
+ pkb3->keys = talloc_array(io->ac,
+ struct package_PrimaryKerberosKey,
+ pkb3->num_keys);
+ if (!pkb3->keys) {
+ ldb_oom(io->ac->module->ldb);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ pkb3->keys[0].keytype = ENCTYPE_DES_CBC_MD5;
+ pkb3->keys[0].value = &io->g.des_md5;
+ pkb3->keys[1].keytype = ENCTYPE_DES_CBC_CRC;
+ pkb3->keys[1].value = &io->g.des_crc;
/* initialize the old keys to zero */
pkb3->num_old_keys = 0;
pkb3->old_keys = NULL;
- pkb3->unknown3_old = NULL;
/* if there're no old keys, then we're done */
if (!old_scb) {
@@ -446,10 +462,6 @@ static int setup_primary_kerberos(struct setup_password_fields_io *io,
}
for (i=0; i < old_scb->sub.num_packages; i++) {
- if (old_scb->sub.packages[i].unknown1 != 0x00000001) {
- continue;
- }
-
if (strcmp("Primary:Kerberos", old_scb->sub.packages[i].name) != 0) {
continue;
}
@@ -503,7 +515,117 @@ static int setup_primary_kerberos(struct setup_password_fields_io *io,
/* fill in the old keys */
pkb3->num_old_keys = old_pkb3->num_keys;
pkb3->old_keys = old_pkb3->keys;
- pkb3->unknown3_old = old_pkb3->unknown3;
+
+ return LDB_SUCCESS;
+}
+
+static int setup_primary_kerberos_newer(struct setup_password_fields_io *io,
+ const struct supplementalCredentialsBlob *old_scb,
+ struct package_PrimaryKerberosNewerBlob *pkb)
+{
+ struct package_PrimaryKerberosNewerCtr4 *pkb4 = &pkb->ctr.ctr4;
+ struct supplementalCredentialsPackage *old_scp = NULL;
+ struct package_PrimaryKerberosNewerBlob _old_pkb;
+ struct package_PrimaryKerberosNewerCtr4 *old_pkb4 = NULL;
+ uint32_t i;
+ enum ndr_err_code ndr_err;
+
+ /*
+ * prepare generation of keys
+ *
+ * ENCTYPE_AES256_CTS_HMAC_SHA1_96
+ * ENCTYPE_AES128_CTS_HMAC_SHA1_96
+ * ENCTYPE_DES_CBC_MD5
+ * ENCTYPE_DES_CBC_CRC
+ */
+ pkb4->salt.string = io->g.salt;
+ pkb4->num_keys = 4;
+ pkb4->keys = talloc_array(io->ac,
+ struct package_PrimaryKerberosNewerKey,
+ pkb4->num_keys);
+ if (!pkb4->keys) {
+ ldb_oom(io->ac->module->ldb);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ pkb4->keys[0].keytype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
+ pkb4->keys[0].value = &io->g.aes_256;
+ pkb4->keys[1].keytype = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
+ pkb4->keys[1].value = &io->g.aes_128;
+ pkb4->keys[2].keytype = ENCTYPE_DES_CBC_MD5;
+ pkb4->keys[2].value = &io->g.des_md5;
+ pkb4->keys[3].keytype = ENCTYPE_DES_CBC_CRC;
+ pkb4->keys[3].value = &io->g.des_crc;
+
+ /* initialize the old keys to zero */
+ pkb4->num_old_keys1 = 0;
+ pkb4->old_keys1 = NULL;
+ pkb4->num_old_keys2 = 0;
+ pkb4->old_keys2 = NULL;
+
+ /* if there're no old keys, then we're done */
+ if (!old_scb) {
+ return LDB_SUCCESS;
+ }
+
+ for (i=0; i < old_scb->sub.num_packages; i++) {
+ if (strcmp("Primary:Kerberos-Newer-Keys", old_scb->sub.packages[i].name) != 0) {
+ continue;
+ }
+
+ if (!old_scb->sub.packages[i].data || !old_scb->sub.packages[i].data[0]) {
+ continue;
+ }
+
+ old_scp = &old_scb->sub.packages[i];
+ break;
+ }
+ /* Primary:Kerberos element of supplementalCredentials */
+ if (old_scp) {
+ DATA_BLOB blob;
+
+ blob = strhex_to_data_blob(old_scp->data);
+ if (!blob.data) {
+ ldb_oom(io->ac->module->ldb);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ talloc_steal(io->ac, blob.data);
+
+ /* TODO: use ndr_pull_struct_blob_all(), when the ndr layer handles it correct with relative pointers */
+ ndr_err = ndr_pull_struct_blob(&blob, io->ac,
+ lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
+ &_old_pkb,
+ (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosNewerBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
+ ldb_asprintf_errstring(io->ac->module->ldb,
+ "setup_primary_kerberos_newer: "
+ "failed to pull old package_PrimaryKerberosNewerBlob: %s",
+ nt_errstr(status));
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ if (_old_pkb.version != 4) {
+ ldb_asprintf_errstring(io->ac->module->ldb,
+ "setup_primary_kerberos: "
+ "package_PrimaryKerberosNewerBlob version[%u] expected[4]",
+ _old_pkb.version);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ old_pkb4 = &_old_pkb.ctr.ctr4;
+ }
+
+ /* if we didn't found the old keys we're done */
+ if (!old_pkb4) {
+ return LDB_SUCCESS;
+ }
+
+ /* fill in the old keys */
+ pkb4->num_old_keys1 = old_pkb4->num_keys;
+ pkb4->old_keys1 = old_pkb4->keys;
+ pkb4->num_old_keys2 = old_pkb4->num_old_keys1;
+ pkb4->old_keys2 = old_pkb4->old_keys1;
return LDB_SUCCESS;
}
@@ -845,30 +967,48 @@ static int setup_supplemental_field(struct setup_password_fields_io *io)
struct supplementalCredentialsBlob scb;
struct supplementalCredentialsBlob _old_scb;
struct supplementalCredentialsBlob *old_scb = NULL;
- /* Packages + (Kerberos, WDigest and maybe CLEARTEXT) */
- uint32_t num_packages = 1 + 2;
- struct supplementalCredentialsPackage packages[1+3];
- struct supplementalCredentialsPackage *pp = &packages[0];
- struct supplementalCredentialsPackage *pk = &packages[1];
- struct supplementalCredentialsPackage *pd = &packages[2];
- struct supplementalCredentialsPackage *pc = NULL;
+ /* Packages + (Kerberos-Newer-Keys, Kerberos, WDigest and CLEARTEXT) */
+ uint32_t num_names = 0;
+ const char *names[1+4];
+ uint32_t num_packages = 0;
+ struct supplementalCredentialsPackage packages[1+4];
+ /* Packages */
+ struct supplementalCredentialsPackage *pp = NULL;
struct package_PackagesBlob pb;
DATA_BLOB pb_blob;
char *pb_hexstr;
+ /* Primary:Kerberos-Newer-Keys */
+ const char **nkn = NULL;
+ struct supplementalCredentialsPackage *pkn = NULL;
+ struct package_PrimaryKerberosNewerBlob pknb;
+ DATA_BLOB pknb_blob;
+ char *pknb_hexstr;
+ /* Primary:Kerberos */
+ const char **nk = NULL;
+ struct supplementalCredentialsPackage *pk = NULL;
struct package_PrimaryKerberosBlob pkb;
DATA_BLOB pkb_blob;
char *pkb_hexstr;
+ /* Primary:WDigest */
+ const char **nd = NULL;
+ struct supplementalCredentialsPackage *pd = NULL;
struct package_PrimaryWDigestBlob pdb;
DATA_BLOB pdb_blob;
char *pdb_hexstr;
+ /* Primary:CLEARTEXT */
+ const char **nc = NULL;
+ struct supplementalCredentialsPackage *pc = NULL;
struct package_PrimaryCLEARTEXTBlob pcb;
DATA_BLOB pcb_blob;
char *pcb_hexstr;
int ret;
enum ndr_err_code ndr_err;
uint8_t zero16[16];
+ bool do_newer_keys = false;
+ bool do_cleartext = false;
ZERO_STRUCT(zero16);
+ ZERO_STRUCT(names);
if (!io->n.cleartext) {
/*
@@ -880,7 +1020,9 @@ static int setup_supplemental_field(struct setup_password_fields_io *io)
/* if there's an old supplementaCredentials blob then parse it */
if (io->o.supplemental) {
- ndr_err = ndr_pull_struct_blob_all(io->o.supplemental, io->ac, lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")), &_old_scb,
+ ndr_err = ndr_pull_struct_blob_all(io->o.supplemental, io->ac,
+ lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
+ &_old_scb,
(ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
@@ -891,22 +1033,101 @@ static int setup_supplemental_field(struct setup_password_fields_io *io)
return LDB_ERR_OPERATIONS_ERROR;
}
- old_scb = &_old_scb;
+ if (_old_scb.sub.signature == SUPPLEMENTAL_CREDENTIALS_SIGNATURE) {
+ old_scb = &_old_scb;
+ } else {
+ ldb_debug(io->ac->module->ldb, LDB_DEBUG_ERROR,
+ "setup_supplemental_field: "
+ "supplementalCredentialsBlob signature[0x%04X] expected[0x%04X]",
+ _old_scb.sub.signature, SUPPLEMENTAL_CREDENTIALS_SIGNATURE);
+ }
}
+ /* TODO: do the correct check for this, it maybe depends on the functional level? */
+ do_newer_keys = lp_parm_bool(ldb_get_opaque(io->ac->module->ldb, "loadparm"),
+ NULL, "password_hash", "create_aes_key", false);
+
if (io->domain->store_cleartext &&
(io->u.user_account_control & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
- pc = &packages[3];
- num_packages++;
+ do_cleartext = true;
+ }
+
+ /*
+ * The ordering is this
+ *
+ * Primary:Kerberos-Newer-Keys (optional)
+ * Primary:Kerberos
+ * Primary:WDigest
--
Samba Shared Repository
More information about the samba-cvs
mailing list