[SCM] Samba Shared Repository - branch v4-5-test updated

Stefan Metzmacher metze at samba.org
Thu Jul 13 13:04:03 UTC 2017


The branch, v4-5-test has been updated
       via  6512059 selftest:Samba3: call "net primarytrust dumpinfo" in setup_nt4_member() after the join
       via  6c728cc s3:secrets: remove unused secrets_store_[prev_]machine_password()
       via  ad1e456 s3:libads: make use of secrets_*_password_change() in ads_change_trust_account_password()
       via  7d86014 net: make use of secrets_*_password_change() for "net changesecretpw"
       via  ab5109f s3:trusts_util: make the workstation password change more robust
       via  75a05ad s3:libnet: make use of secrets_store_JoinCtx()
       via  d9a2394 net: add "net primarytrust dumpinfo" command that dumps the details of the workstation trust
       via  f3da295 s3:secrets: add infrastructure to use secrets_domain_infoB to store credentials
       via  97b72e3 secrets.idl: add secrets_domain_info that will be used in secrets.tdb for machine account trusts
       via  4d66652 netlogon.idl: use lsa_TrustType and lsa_TrustAttributes in netr_trust_extension
       via  19addd1 netlogon.idl: make netr_TrustFlags [public]
       via  e635a4f lsa.idl: make lsa_DnsDomainInfo [public]
       via  1e5489d s3:trusts_util: also pass the previous_nt_hash to netlogon_creds_cli_auth()
       via  399945b libcli/auth: pass the cleartext blob to netlogon_creds_cli_ServerPasswordSet*()
       via  0c7de3c libcli/auth: add const to set_pw_in_buffer()
       via  09461fe libcli/auth: pass an array of nt_hashes to netlogon_creds_cli_auth*()
       via  c1d6f18 s3:trusts_util: pass dcname to trust_pw_change()
       via  9afd00e s3:secrets: use secrets_delete for all keys in secrets_delete_machine_password_ex()
       via  3c3765f s3:secrets: let secrets_delete_machine_password_ex() also remove the des_salt key
       via  64b3919 s3:secrets: let secrets_delete_machine_password_ex() remove SID and GUID too
       via  04384a4 s3:secrets: rewrite secrets_delete_machine_password_ex() using helper variables
       via  a920733 s3:secrets: replace secrets_delete_prev_machine_password() by secrets_delete()
       via  fdbf0de s3:secrets: let secrets_store_machine_pw_sync() delete the des_salt_key when there's no value
       via  96319f6 s3:secrets: make use of secrets_delete() in secrets_store_machine_pw_sync()
       via  1bbefc1 s3:secrets: re-add secrets_delete() helper to simplify deleting optional keys
       via  f5dc61c s3:secrets: rename secrets_delete() to secrets_delete_entry()
       via  f30adda s3:secrets: make use of des_salt_key() in secrets_store_machine_pw_sync()
       via  0a36325 s3:secrets: add some const to secrets_store_domain_guid()
       via  ec6b939 s3:secrets: split out a domain_guid_keystr() function
       via  de0f730 s3:secrets: rework des_salt_key() to take the realm as argument
       via  fd161f1 s3:secrets: move kerberos_secrets_*salt related functions to machine_account_secrets.c
       via  701361c s3:libads: remove unused kerberos_fetch_salt_princ_for_host_princ()
       via  24478a5 s3:libads: make use of kerberos_secrets_fetch_salt_princ() in ads_keytab_add_entry()
       via  aa2f79b s3:libnet: make use of kerberos_secrets_fetch_salt_princ()
       via  0aa6bfd s3:gse_krb5: simplify fill_keytab_from_password() by using kerberos_fetch_salt_princ()
       via  2ef7d5a s3:libads: provide a simpler kerberos_fetch_salt_princ() function
       via  0f4d181 s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback
       via  87b27a5 s3:libnet_join: move kerberos_secrets_store_des_salt() to libnet_join_joindomain_store_secrets()
       via  00a2ce6 s3:libnet_join: move libnet_join_joindomain_store_secrets() to libnet_join_post_processing()
       via  a210289 s3:libnet_join: call do_JoinConfig() after we did remote changes on the server
       via  7110ea3 s3:libnet_join: split libnet_join_post_processing_ads() into modify/sync
       via  4765cb4 s3:libnet_join: move kerberos_secrets_store_des_salt() out of libnet_join_derive_salting_principal()
       via  9d818ce s3:libnet_join: remember r->out.krb5_salt in libnet_join_derive_salting_principal()
       via  18cd978 s3:libnet_join.idl: add krb5_salt to libnet_JoinCtx
       via  f18c0ca s3:libnet_join: remember the domain_guid for AD domains
       via  d68b34b s3:libnet_join.idl: return the domain_guid in libnet_JoinCtx
       via  35b6d50 s3:libnet_join: calculate r->out.account_name in libnet_join_pre_processing()
       via  77980ad s3:libnet_join: remove dead code from libnet_join_connect_ads()
       via  cef8c67 krb5_wrap: add smb_krb5_salt_principal2data()
       via  5b96252 krb5_wrap: add smb_krb5_salt_principal()
       via  88abba9 s3:libads: remove unused kerberos_secrets_store_salting_principal()
       via  208c771 s3:librpc: let NDR_SECRETS depend on NDR_SECURITY
       via  899c0d5 idl_types.h: add NDR_SECRET shortcut
       via  9bbacf5 librpc/ndr: add LIBNDR_FLAG_IS_SECRET handling
       via  7b3bfd5 librpc/ndr: align the definition of LIBNDR_STRING_FLAGS with currently defined flags
       via  0c8ae83 pidl:NDR/Parser: add missing {start,end}_flags() to ParseElementPrint()
       via  941aaa9 werror: replace WERR_SETUP_NOT_JOINED with WERR_NERR_SETUPNOTJOINED in source3/libnet/libnet_join.c
       via  3a491cd krb5_wrap: add smb_krb5_free_data_contents() compat define (for v4-5)
       via  82f9cba s3:smbd: consistently use talloc_tos() memory for rpc_pipe_open_interface()
       via  2cae38b selftest: add a test for accessing previous version of directories with snapdirseverywhere
       via  911e3ab s3/smbd: let non_widelink_open() chdir() to directories directly
      from  3de773e VERSION: Bump version up to 4.5.13...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-test


- Log -----------------------------------------------------------------
commit 65120599d845ebf1e3f9159320ca841dd16224f8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jun 22 15:30:56 2017 +0200

    selftest:Samba3: call "net primarytrust dumpinfo" in setup_nt4_member() after the join
    
    Here we check that we get 'REDACTED SECRET VALUES' printed, in order
    to avoid regression on the non '-f' behavior.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 9530284383f252efd64bfdf138579964c6500eba)
    
    Autobuild-User(v4-5-test): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(v4-5-test): Thu Jul 13 15:03:29 CEST 2017 on sn-devel-144

commit 6c728cc38f19265d67637d4bf517c0bb4446d9f6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue May 23 17:42:09 2017 +0200

    s3:secrets: remove unused secrets_store_[prev_]machine_password()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit f513c20ee04fe896900c99ae804753d445414d7d)

commit ad1e456f306a29c47526d987308aec34daec1bee
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue May 23 17:41:34 2017 +0200

    s3:libads: make use of secrets_*_password_change() in ads_change_trust_account_password()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit b874dc90c91dd41c35e99bf7c4fe04220465edca)

commit 7d86014e10399df3aae90e1c6a0c114d1364d83f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue May 23 17:29:31 2017 +0200

    net: make use of secrets_*_password_change() for "net changesecretpw"
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 4ae6a3ffb233c9b9576a3b5bb15a51ee56e4dbc3)

commit ab5109fd4600a37cc6ae0375db13d279b0b20ae1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon May 22 20:47:17 2017 +0200

    s3:trusts_util: make the workstation password change more robust
    
    We use secrets_{prepare,failed,defer,finish}_password_change() to make
    the process more robust.
    
    Even if we just verified the current password with the DC
    it can still happen that the remote password change will fail.
    
    If a server has the RefusePasswordChange=1 under
    HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,
    it will reject NetrServerPasswordSet2() with NT_STATUS_WRONG_PASSWORD.
    
    This results in a successful local change, but a failing remote change,
    which means the domain membership is broken (as we don't fall back to
    the previous password for ntlmssp or kerberos yet).
    
    An (at least Samba) RODC will also reject a password change,
    see https://bugzilla.samba.org/show_bug.cgi?id=12773.
    
    Even with this change we still have open problems, e.g. if the password was
    changed, but we didn't get the server's response. In order to fix that we need
    to use only netlogon and lsa over unprotected transports, just using schannel
    authentication (which supports the fallback to the old password).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 40c42af11fda062fef9df96a9b5ae3e02709f07c)

commit 75a05ad5c73de9020fda80c4b0c8a80777795812
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 17 10:29:59 2017 +0200

    s3:libnet: make use of secrets_store_JoinCtx()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit c3ad8be5d5192070c599350d6ab28c064206b6cf)

commit d9a23941c389904f87285cbbc7ba442460920532
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 24 18:05:40 2017 +0200

    net: add "net primarytrust dumpinfo" command that dumps the details of the workstation trust
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit c7c17d9f503d6037aa8ed0bd7ab7cf52f5f28382)

commit f3da29546508024971153081f7714b6846b4d1fa
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 19 16:28:17 2017 +0200

    s3:secrets: add infrastructure to use secrets_domain_infoB to store credentials
    
    We now store various hashed keys at change time and maintain a lot of details
    that will help debugging failed password changes.
    
    We keep storing the legacy values:
     SECRETS/SID/
     SECRETS/DOMGUID/
     SECRETS/MACHINE_LAST_CHANGE_TIME/
     SECRETS/MACHINE_PASSWORD/
     SECRETS/MACHINE_PASSWORD.PREV/
     SECRETS/SALTING_PRINCIPAL/DES/
    
    This allows downgrades to older Samba versions.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 5f0038fba612afd7fc15b7ab321df979891170d8)

commit 97b72e3f1cdddcd11964e96b9d549a1b6ebfbbd3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 17 10:11:18 2017 +0200

    secrets.idl: add secrets_domain_info that will be used in secrets.tdb for machine account trusts
    
    This blob will be stored in secrets.tdb. It makes it possible to store much
    more useful details about the workstation trust.
    
    The key feature that triggered this change is the ability
    to store details for the next password change before doing
    the remote change. This will allow us to recover from failures.
    
    While being there I also thought about possible new features,
    which we may implement in the near future.
    
    We also store the raw UTF16 like cleartext buffer as well as derived
    keys like the NTHASH (arcfour-hmac-md5 key) and other kerberos keys.
    This will allow us to avoid recalculating the keys for an in memory
    keytab in future.
    
    I also added a pointer to an optional lsa_ForestTrustInformation structure,
    which might be useful to implement multi-tenancy in future.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit a59c9cba31a801d90db06b767cfd44776f4ede77)

commit 4d66652062f57292a259258a9536dd2941e9e0e2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 17 10:09:01 2017 +0200

    netlogon.idl: use lsa_TrustType and lsa_TrustAttributes in netr_trust_extension
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 28ac10503476de3c000b3deee2c1f67e0b305578)

commit 19addd11fee15ec4ce979df5f05ac3dc951da895
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 17 11:35:37 2017 +0200

    netlogon.idl: make netr_TrustFlags [public]
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 60274475332dafdfb829a7c086ea09cd9ed00540)

commit e635a4fb7054dbffd85d21c740cc0a49f78ca11b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 17 11:35:20 2017 +0200

    lsa.idl: make lsa_DnsDomainInfo [public]
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit ea0798881a7aaf5897a3a3806149536d3d54fc3b)

commit 1e5489d91850397a04cd96bbe11ba6b58ba716d3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jun 21 21:30:39 2017 +0200

    s3:trusts_util: also pass the previous_nt_hash to netlogon_creds_cli_auth()
    
    Even in the case where only the password is known to the server, we should
    try to leave a valid authentication behind.
    
    We have better ways to identify which password worked than only using
    the current one.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit d60404b032eca5384d889352f52b9b129861b4af)

commit 399945b47d1f9eeaae00ce60d4ef98ac23e13df6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jun 13 11:18:37 2017 +0200

    libcli/auth: pass the cleartext blob to netlogon_creds_cli_ServerPasswordSet*()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 0f5945a06df4bef501ca5085c621294057007225)

commit 0c7de3ca9009fb62e0296d00d6aa59e79b835992
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jun 13 11:17:03 2017 +0200

    libcli/auth: add const to set_pw_in_buffer()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 1b48c8515ed8fd29204c82cc47f958f4636cd494)

commit 09461fe4bc614fb06841d1f9bfda37b80cd499b1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon May 22 20:44:40 2017 +0200

    libcli/auth: pass an array of nt_hashes to netlogon_creds_cli_auth*()
    
    This way the caller can pass more than 2 hashes and can only
    know which hash was used for a successful connection.
    
    We allow up to 4 hashes (next, current, old, older).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit ddd7ac68ccae8b4df6c6a65b3dad20e21924f538)

commit c1d6f18d1999add7df9bd5cc3bce44be4fb93007
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon May 22 15:36:29 2017 +0200

    s3:trusts_util: pass dcname to trust_pw_change()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 1421abfc733247a6b71eefd819dfeae7151a6d78)

commit 9afd00e79f4cd282f489a54e84bed0a7f748e332
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 24 05:56:32 2017 +0200

    s3:secrets: use secrets_delete for all keys in secrets_delete_machine_password_ex()
    
    We just want all values to be removed at the end, it doesn't matter
    if they didn't exist before.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit bfe35abc1fb15e70a99fa74d064051a1ad541ed0)

commit 3c3765fb10c51ce6ea22f0b8343ade79fa8d1d68
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon May 22 12:44:31 2017 +0200

    s3:secrets: let secrets_delete_machine_password_ex() also remove the des_salt key
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit dfaadc81925e313901c9b30cd98a4b4fd2404f9d)

commit 64b3919668474852b40dd04ef018ae7a9f7eab7c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon May 22 12:40:05 2017 +0200

    s3:secrets: let secrets_delete_machine_password_ex() remove SID and GUID too
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit cf8a4646fe71a974b6a5ee13ae7d7751a5a0adc9)

commit 04384a477bc348d0cd875c2bc27067ec029c2d40
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon May 22 12:31:01 2017 +0200

    s3:secrets: rewrite secrets_delete_machine_password_ex() using helper variables
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 5bc2764fe517748c03a57b61f2f7ef889c92825d)

commit a920733cf6aca9f9e9e6f1bedbe36b9ceec5499c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 24 06:44:32 2017 +0200

    s3:secrets: replace secrets_delete_prev_machine_password() by secrets_delete()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 5b95cb74e7b2838d228f9773c0e20982b81d1e7d)

commit fdbf0dee0a31c2659dc422e231495f4c4f835e06
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon May 22 12:27:45 2017 +0200

    s3:secrets: let secrets_store_machine_pw_sync() delete the des_salt_key when there's no value
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 45eea321a6faa6db1c9c706a27527cc0766dc831)

commit 96319f6d21dcd092f414392809b4b5f35b8a2bb5
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon May 22 12:21:37 2017 +0200

    s3:secrets: make use of secrets_delete() in secrets_store_machine_pw_sync()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit c5ded1123797b2bd152b0989e24eba7cae6a5792)

commit 1bbefc1c46ecc511d25d41e1788ab2e9549d8f50
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon May 22 12:21:37 2017 +0200

    s3:secrets: re-add secrets_delete() helper to simplify deleting optional keys
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit fde4af1c329655d7ef3f55727632b3f026a3ea73)

commit f5dc61c9ffa501c3a0bd41281f45db47a172458e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jun 20 13:07:15 2017 +0200

    s3:secrets: rename secrets_delete() to secrets_delete_entry()
    
    secrets_delete_entry() fails if the key doesn't exist.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit cd1e888773c4fd3db63ce38a496fc3d54eb8e021)

commit f30adda2b4a1c23e0747839bd23e9036552f8f76
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon May 22 12:18:33 2017 +0200

    s3:secrets: make use of des_salt_key() in secrets_store_machine_pw_sync()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 4e37d7805b345d80ca6e8a598e39fc81f72a27ce)

commit 0a363257b896d01529e4eaddc36224c81c0c8f91
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Jun 21 19:38:15 2017 +0200

    s3:secrets: add some const to secrets_store_domain_guid()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 99013685a1114829579e420df3625ed79eb7ee94)

commit ec6b9392166b2228b61947f1803ed6125c4d111e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon May 22 12:10:45 2017 +0200

    s3:secrets: split out a domain_guid_keystr() function
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit d37e30cef7906b7b2b14351ad81d0d884811557b)

commit de0f7301daf1c58f758140170a8be6d6a0c72c66
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon May 22 11:38:12 2017 +0200

    s3:secrets: rework des_salt_key() to take the realm as argument
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 072dd87e639d7dbfc583ede5ddf6559d9d433b8b)

commit fd161f1506aacbbf42a16359206d035012585218
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 19 17:17:00 2017 +0200

    s3:secrets: move kerberos_secrets_*salt related functions to machine_account_secrets.c
    
    These don't use any krb5_context related functions and they just
    work on secrets.tdb, so they really belong to machine_account_secrets.c.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 504b446d8dc7410ad63eba9d214e9cf271cf3b2f)

commit 701361c6809934fe0ada8bdbd436d95e504664d0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 19 17:09:20 2017 +0200

    s3:libads: remove unused kerberos_fetch_salt_princ_for_host_princ()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 1a26805ad9f19f02a52d9eaa4f2f11ff20ee76ac)

commit 24478a5533704a50876ad1aa4fc7477964bc0e80
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 19 17:08:24 2017 +0200

    s3:libads: make use of kerberos_secrets_fetch_salt_princ() in ads_keytab_add_entry()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit b0928a2687a9ffe92ebdce7b5252781d62e7e02d)

commit aa2f79bee68249d96b0b137f6528b8db35529cd5
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 19 17:04:36 2017 +0200

    s3:libnet: make use of kerberos_secrets_fetch_salt_princ()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 51ae7b42d4d52016b39b79447a3e28d473e676cb)

commit 0aa6bfdec2334beaf17a3c818f183015f9141f1f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 19 16:28:42 2017 +0200

    s3:gse_krb5: simplify fill_keytab_from_password() by using kerberos_fetch_salt_princ()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 1d1cf9792f9227e65857c85ff66a961331e3c16e)

commit 2ef7d5ab0f15f127dbcb2a2393e486a72ca4b436
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 19 16:15:34 2017 +0200

    s3:libads: provide a simpler kerberos_fetch_salt_princ() function
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 5fe939e32cdaf7bb5b6dac67e7b0118ce65846be)

commit 0f4d1818e20d2a1db47589abb2dc7f6b236d32e0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 19 16:01:55 2017 +0200

    s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback
    
    The handling for per encryption type salts was removed in
    Samba 3.0.23a (Jul 21, 2006). It's very unlikely that someone
    has such an installation that got constantly upgraded over 10 years
    with an automatic password change nor rejoin. It also means
    that the KDC only has a salt-less arcfour-hmac-md5 key together
    with the salted des keys. So there would only be a problem
    if the client would try to use a des key to contact the smb server.
    
    Having this legacy code adds quite some complexity for no
    good reason.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 487b4717b58a6f1ba913708ce8419145b7f4fac8)

commit 87b27a5be78bc41b5f3144440f4634ce967ccf27
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu May 18 16:02:44 2017 +0200

    s3:libnet_join: move kerberos_secrets_store_des_salt() to libnet_join_joindomain_store_secrets()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 7d2eea39112fd69d2b710181b23301562efea387)

commit 00a2ce6f29f01addc639bae70808613f798095fe
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu May 18 15:59:00 2017 +0200

    s3:libnet_join: move libnet_join_joindomain_store_secrets() to libnet_join_post_processing()
    
    We should not store the secrets before we did all remote changes
    (except the optional dns updates).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit a922e01baeccedc3ffc8a893f1d6072bb203220f)

commit a210289630d2201150c53acd98a4bb4ed96da34c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu May 18 15:52:59 2017 +0200

    s3:libnet_join: call do_JoinConfig() after we did remote changes on the server
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 559de1e7236fd4a38f2a1f9980216db95d0430ce)

commit 7110ea3673bdbb6f84d687aac2688972e7f7dc4c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu May 18 15:50:49 2017 +0200

    s3:libnet_join: split libnet_join_post_processing_ads() into modify/sync
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 0ab7944a2b00df4aa155a239c86f97e4e731b864)

commit 4765cb4cc4ebbaa009b0662e0a15932b8fe2654c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu May 18 15:48:49 2017 +0200

    s3:libnet_join: move kerberos_secrets_store_des_salt() out of libnet_join_derive_salting_principal()
    
    We should separate the calculation and the storing steps.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 0c65d5f41023076fd201c3a179df77dd615cdb01)

commit 9d818ce22e504b2a38306a0904d47dd045e32586
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu May 18 15:40:25 2017 +0200

    s3:libnet_join: remember r->out.krb5_salt in libnet_join_derive_salting_principal()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 549c9d9a07d3002442cbbb7a90d0a7fef4a92bff)

commit 18cd9780fd1f9fd44f2df670f48e1784ac3dbc8d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu May 18 15:38:26 2017 +0200

    s3:libnet_join.idl: add krb5_salt to libnet_JoinCtx
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 3b13e4d2d0f73c6374ffdae57528cd1a7f333792)

commit f18c0caf6ef654df6c6eaf94d5cbbe9b2f4fc14e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 17 15:45:22 2017 +0200

    s3:libnet_join: remember the domain_guid for AD domains
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit fc2bad0cf34fca5e65fba7e036acf1d8c61f05c0)

commit d68b34ba68d4c17d37ee0bf2c595ce09f4770de4
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 17 15:45:22 2017 +0200

    s3:libnet_join.idl: return the domain_guid in libnet_JoinCtx
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 03e455f5a815ce2134e216dc28929646a964384f)

commit 35b6d50cccce7c873d771b6b306cb5fba1d423e2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 17 13:53:19 2017 +0200

    s3:libnet_join: calculate r->out.account_name in libnet_join_pre_processing()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 826223cc8d36871c2bcb37fe23241f1dbe99a0db)

commit 77980addb9c4e713420ed470291a2ebc52d91e76
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 17 12:42:04 2017 +0200

    s3:libnet_join: remove dead code from libnet_join_connect_ads()
    
    username[strlen(username)] is *always* '\0'!
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 5958c6790fbceb39065353c07fe25f74ddf09ef0)

commit cef8c677b7efc4f644ddad00e471560659e0d497
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu May 18 11:32:46 2017 +0200

    krb5_wrap: add smb_krb5_salt_principal2data()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit ec2da944d304852d76137e8f9d234462bc807c6b)

commit 5b9625277d66910eadaaca8b12aa76798755e3d5
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 17 17:13:02 2017 +0200

    krb5_wrap: add smb_krb5_salt_principal()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 5df46700cfb0a15fec2d366e12728cd497188741)

commit 88abba9fb6e7d20fea68bd3f982a97643f25bfa7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 17 16:13:37 2017 +0200

    s3:libads: remove unused kerberos_secrets_store_salting_principal()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit c56043a94a10c76a220ce3c7eb7cb8cf2e992cab)

commit 208c7719b436041c9d1ad5faa5aa5749fac13cbd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 17 15:05:51 2017 +0200

    s3:librpc: let NDR_SECRETS depend on NDR_SECURITY
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 4260b52a399667bcdbaa375a20952237ff68449c)

commit 899c0d5e42ae5da61c1752358f6efd3dd705605b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jun 12 17:58:46 2017 +0200

    idl_types.h: add NDR_SECRET shortcut
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 969ab12c56cd12dcc0e63e9b662397c1604a0cc0)

commit 9bbacf5770eb185b473b2e8d93891b602560b089
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jun 12 17:58:20 2017 +0200

    librpc/ndr: add LIBNDR_FLAG_IS_SECRET handling
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 32aa3a199dfd61eb5982e158008964b4747599b8)

commit 7b3bfd5d73038e067c08ce91bdedf227873779d6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jun 12 15:22:42 2017 +0200

    librpc/ndr: align the definition of LIBNDR_STRING_FLAGS with currently defined flags
    
    The range included the unused (1<<14) before.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 91d8272e8604b5d87bcc0ce365b553bc760c8ed3)

commit 0c8ae8360fe2de1faa99f5a98cd6a8882e73ad29
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jun 12 18:58:49 2017 +0200

    pidl:NDR/Parser: add missing {start,end}_flags() to ParseElementPrint()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 81bbfb010599b65308aca89cc50532372ca4cb00)

commit 941aaa99ce058feda396b00042a67203d4e25ba4
Author: Günther Deschner <gd at samba.org>
Date:   Thu Dec 3 15:24:39 2015 +0100

    werror: replace WERR_SETUP_NOT_JOINED with WERR_NERR_SETUPNOTJOINED in source3/libnet/libnet_join.c
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    (cherry picked from commit 3bb394f3d62aaeda5c71cf1d508a7b67fd6e742d)

commit 3a491cd6ac12e37ce9e719a7b26a2eabee994f52
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri May 19 13:29:10 2017 +0200

    krb5_wrap: add smb_krb5_free_data_contents() compat define (for v4-5)
    
    4.6 and higher have renamed kerberos_free_data_contents() into
    smb_krb5_free_data_contents() in commit
    e8632e2af50588dd47dc00fb72e85a398c844622.
    
    But here we don't want to backport that commit,
    while making it easy to backport patches from master.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 82f9cbab3444c547d38ca1900464e48e449a73ab
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Jul 10 11:29:58 2017 +0200

    s3:smbd: consistently use talloc_tos() memory for rpc_pipe_open_interface()
    
    The result is only used temporarily and should not be leaked on a long-term
    memory context such as 'conn'.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12890
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 77cbced5d2f8bf65c8d02f5edfaba8cbad519d08)

commit 2cae38b094e4b2e2dd5dbbb63a8f10245c1883c7
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Jul 7 13:12:19 2017 +0200

    selftest: add a test for accessing previous version of directories with snapdirseverywhere
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12885
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Sat Jul  8 00:33:51 CEST 2017 on sn-devel-144
    
    (cherry picked from commit cc9ba98c08665e0ed6927fd81fa43a7bb7842e45)

commit 911e3abdf362bfc6c8524c144bd35ba900383c6e
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Jul 7 12:57:57 2017 +0200

    s3/smbd: let non_widelink_open() chdir() to directories directly
    
    If the caller passes O_DIRECTORY we just try to chdir() to smb_fname
    directly, not to the parent directory.
    
    The security check in check_reduced_name() will continue to work, but
    this fixes the case of an open() for a previous version of a
    subdirectory that contains snapshots.
    
    Eg:
    
    [share]
        path = /shares/test
        vfs objects = shadow_copy2
        shadow:snapdir = .snapshots
        shadow:snapdirseverywhere = yes
    
    Directory tree with fake snapshots:
    
    $ tree -a /shares/test/
    /shares/test/
    ├── dir
    │   ├── file
    │   └── .snapshots
    │       └── @GMT-2017.07.04-04.30.12
    │           └── file
    ├── dir2
    │   └── file
    ├── file
    ├── .snapshots
    │   └── @GMT-2001.01.01-00.00.00
    │       ├── dir2
    │       │   └── file
    │       └── file
    └── testfsctl.dat
    
    ./bin/smbclient -U slow%x //localhost/share -c 'ls @GMT-2017.07.04-04.30.12/dir/*'
    NT_STATUS_OBJECT_NAME_NOT_FOUND listing \@GMT-2017.07.04-04.30.12\dir\*
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12885
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit b886a9443d49f6e27fa3863d87c9e24d12e62874)

-----------------------------------------------------------------------

Summary of changes:
 lib/krb5_wrap/krb5_samba.c               |  187 ++++
 lib/krb5_wrap/krb5_samba.h               |   12 +
 libcli/auth/netlogon_creds_cli.c         |   78 +-
 libcli/auth/netlogon_creds_cli.h         |   16 +-
 libcli/auth/proto.h                      |    2 +-
 libcli/auth/smbencrypt.c                 |    2 +-
 librpc/idl/idl_types.h                   |    6 +
 librpc/idl/lsa.idl                       |    2 +-
 librpc/idl/netlogon.idl                  |    6 +-
 librpc/ndr/libndr.h                      |   24 +-
 librpc/ndr/ndr.c                         |   23 +
 librpc/ndr/ndr_basic.c                   |   44 +
 pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm |    4 +
 selftest/target/Samba3.pm                |   10 +
 source3/include/proto.h                  |    1 +
 source3/include/secrets.h                |   38 +-
 source3/libads/kerberos.c                |  200 ----
 source3/libads/kerberos_keytab.c         |   14 +-
 source3/libads/kerberos_proto.h          |    8 -
 source3/libads/util.c                    |  106 +-
 source3/libnet/libnet_join.c             |  133 ++-
 source3/libnet/libnet_keytab.c           |    5 +-
 source3/librpc/crypto/gse_krb5.c         |   40 +-
 source3/librpc/idl/libnet_join.idl       |    4 +-
 source3/librpc/idl/secrets.idl           |   92 +-
 source3/librpc/wscript_build             |    2 +-
 source3/libsmb/trusts_util.c             |  276 ++++-
 source3/passdb/machine_account_secrets.c | 1661 ++++++++++++++++++++++++++++--
 source3/passdb/secrets.c                 |   25 +-
 source3/passdb/secrets_lsa.c             |    2 +-
 source3/rpc_client/cli_netlogon.c        |   15 +-
 source3/rpcclient/cmd_netlogon.c         |    2 +
 source3/script/tests/test_shadow_copy.sh |   23 +
 source3/smbd/lanman.c                    |   20 +-
 source3/smbd/open.c                      |   30 +-
 source3/smbd/reply.c                     |    2 +-
 source3/utils/net.c                      |  142 ++-
 source3/utils/net_rpc.c                  |    8 +
 source3/winbindd/winbindd_dual.c         |    1 +
 source3/winbindd/winbindd_dual_srv.c     |    2 +
 40 files changed, 2747 insertions(+), 521 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 76e8795..fe29386 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -324,6 +324,193 @@ int smb_krb5_get_pw_salt(krb5_context context,
 #error UNKNOWN_SALT_FUNCTIONS
 #endif
 
+/**
+ * @brief This constructs the salt principal used by active directory
+ *
+ * Most Kerberos encryption types require a salt in order to
+ * calculate the long term private key for user/computer object
+ * based on a password.
+ *
+ * The returned _salt_principal is a string in forms like this:
+ * - host/somehost.example.com at EXAMPLE.COM
+ * - SomeAccount at EXAMPLE.COM
+ * - SomePrincipal at EXAMPLE.COM
+ *
+ * This is not the form that's used as salt, it's just
+ * the human readable form. It needs to be converted by
+ * smb_krb5_salt_principal2data().
+ *
+ * @param[in]  realm              The realm the user/computer is added too.
+ *
+ * @param[in]  sAMAccountName     The sAMAccountName attribute of the object.
+ *
+ * @param[in]  userPrincipalName  The userPrincipalName attribute of the object
+ *                                or NULL is not available.
+ *
+ * @param[in]  is_computer        The indication of the object includes
+ *                                objectClass=computer.
+ *
+ * @param[in]  mem_ctx            The TALLOC_CTX to allocate _salt_principal.
+ *
+ * @param[out]  _salt_principal   The resulting principal as string.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ *
+ * @see smb_krb5_salt_principal2data
+ */
+int smb_krb5_salt_principal(const char *realm,
+			    const char *sAMAccountName,
+			    const char *userPrincipalName,
+			    bool is_computer,
+			    TALLOC_CTX *mem_ctx,
+			    char **_salt_principal)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	char *upper_realm = NULL;
+	const char *principal = NULL;
+	int principal_len = 0;
+
+	*_salt_principal = NULL;
+
+	if (sAMAccountName == NULL) {
+		TALLOC_FREE(frame);
+		return EINVAL;
+	}
+
+	if (realm == NULL) {
+		TALLOC_FREE(frame);
+		return EINVAL;
+	}
+
+	upper_realm = strupper_talloc(frame, realm);
+	if (upper_realm == NULL) {
+		TALLOC_FREE(frame);
+		return ENOMEM;
+	}
+
+	/* Many, many thanks to lukeh at padl.com for this
+	 * algorithm, described in his Nov 10 2004 mail to
+	 * samba-technical at lists.samba.org */
+
+	/*
+	 * Determine a salting principal
+	 */
+	if (is_computer) {
+		int computer_len = 0;
+		char *tmp = NULL;
+
+		computer_len = strlen(sAMAccountName);
+		if (sAMAccountName[computer_len-1] == '$') {
+			computer_len -= 1;
+		}
+
+		tmp = talloc_asprintf(frame, "host/%*.*s.%s",
+				      computer_len, computer_len,
+				      sAMAccountName, realm);
+		if (tmp == NULL) {
+			TALLOC_FREE(frame);
+			return ENOMEM;
+		}
+
+		principal = strlower_talloc(frame, tmp);
+		TALLOC_FREE(tmp);
+		if (principal == NULL) {
+			TALLOC_FREE(frame);
+			return ENOMEM;
+		}
+		principal_len = strlen(principal);
+
+	} else if (userPrincipalName != NULL) {
+		char *p;
+
+		principal = userPrincipalName;
+		p = strchr(principal, '@');
+		if (p != NULL) {
+			principal_len = PTR_DIFF(p, principal);
+		} else {
+			principal_len = strlen(principal);
+		}
+	} else {
+		principal = sAMAccountName;
+		principal_len = strlen(principal);
+	}
+
+	*_salt_principal = talloc_asprintf(mem_ctx, "%*.*s@%s",
+					   principal_len, principal_len,
+					   principal, upper_realm);
+	if (*_salt_principal == NULL) {
+		TALLOC_FREE(frame);
+		return ENOMEM;
+	}
+
+	TALLOC_FREE(frame);
+	return 0;
+}
+
+/**
+ * @brief Converts the salt principal string into the salt data blob
+ *
+ * This function takes a salt_principal as string in forms like this:
+ * - host/somehost.example.com at EXAMPLE.COM
+ * - SomeAccount at EXAMPLE.COM
+ * - SomePrincipal at EXAMPLE.COM
+ *
+ * It generates values like:
+ * - EXAMPLE.COMhost/somehost.example.com
+ * - EXAMPLE.COMSomeAccount
+ * - EXAMPLE.COMSomePrincipal
+ *
+ * @param[in]  realm              The realm the user/computer is added too.
+ *
+ * @param[in]  sAMAccountName     The sAMAccountName attribute of the object.
+ *
+ * @param[in]  userPrincipalName  The userPrincipalName attribute of the object
+ *                                or NULL is not available.
+ *
+ * @param[in]  is_computer        The indication of the object includes
+ *                                objectClass=computer.
+ *
+ * @param[in]  mem_ctx            The TALLOC_CTX to allocate _salt_principal.
+ *
+ * @param[out]  _salt_principal   The resulting principal as string.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ *
+ * @see smb_krb5_salt_principal
+ */
+int smb_krb5_salt_principal2data(krb5_context context,
+				 const char *salt_principal,
+				 TALLOC_CTX *mem_ctx,
+				 char **_salt_data)
+{
+	krb5_error_code ret;
+	krb5_principal salt_princ = NULL;
+	krb5_data salt;
+
+	*_salt_data = NULL;
+
+	ret = krb5_parse_name(context, salt_principal, &salt_princ);
+	if (ret != 0) {
+		return ret;
+	}
+
+	ret = smb_krb5_get_pw_salt(context, salt_princ, &salt);
+	krb5_free_principal(context, salt_princ);
+	if (ret != 0) {
+		return ret;
+	}
+
+	*_salt_data = talloc_strndup(mem_ctx,
+				     (char *)salt.data,
+				     salt.length);
+	smb_krb5_free_data_contents(context, &salt);
+	if (*_salt_data == NULL) {
+		return ENOMEM;
+	}
+
+	return 0;
+}
+
 #if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES)
  krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
 					    krb5_enctype **enctypes)
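Review bot: in the is_computer branch, `if (sAMAccountName[computer_len-1] == '$')` reads the byte before the string when sAMAccountName is the empty string (computer_len == 0), and talloc_asprintf() then builds a "host/.REALM" principal from it; the only validation above is the NULL check. Reject an empty name up front, for example `if (sAMAccountName[0] == '\0') { TALLOC_FREE(frame); return EINVAL; }`, before computing computer_len. Separately, the doxygen block on smb_krb5_salt_principal2data() was copied from smb_krb5_salt_principal() and documents realm, sAMAccountName, userPrincipalName, is_computer and _salt_principal, none of which are parameters of that function; it should describe context, salt_principal, mem_ctx and _salt_data, and the retval should mention ENOMEM and the krb5_parse_name() error codes that are actually returned. Minor wording in both blocks: "added too" reads "added to", and "or NULL is not available" reads "or NULL if not available".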
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 2d31619..116bffc 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -362,6 +362,16 @@ krb5_error_code ms_suptypes_to_ietf_enctypes(TALLOC_CTX *mem_ctx,
 int smb_krb5_get_pw_salt(krb5_context context,
 			 krb5_const_principal host_princ,
 			 krb5_data *psalt);
+int smb_krb5_salt_principal(const char *realm,
+			    const char *sAMAccountName,
+			    const char *userPrincipalName,
+			    bool is_computer,
+			    TALLOC_CTX *mem_ctx,
+			    char **_salt_principal);
+int smb_krb5_salt_principal2data(krb5_context context,
+				 const char *salt_principal,
+				 TALLOC_CTX *mem_ctx,
+				 char **_salt_data);
 
 int smb_krb5_create_key_from_string(krb5_context context,
 				    krb5_const_principal host_princ,
@@ -408,4 +418,6 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
 			time_t *tgs_expire,
 			const char *impersonate_princ_s);
 
+#define smb_krb5_free_data_contents(a, b) kerberos_free_data_contents(a, b)
+
 #endif /* _KRB5_SAMBA_H */
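Review bot: the compat macro `#define smb_krb5_free_data_contents(a, b) kerberos_free_data_contents(a, b)` is unconditional, so if a later backport to v4-5 brings in the real smb_krb5_free_data_contents() function (the rename the commit message refers to), its definition and every prototype would be macro-expanded into kerberos_free_data_contents() and silently collide. Guard it with `#ifndef smb_krb5_free_data_contents` ... `#endif` or at least add a comment saying this is a v4-5-only shim that must be removed when the rename is backported.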
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index d55142e..29baae4 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -36,6 +36,7 @@
 #include "source3/include/messages.h"
 #include "source3/include/g_lock.h"
 #include "libds/common/roles.h"
+#include "lib/crypto/crypto.h"
 
 struct netlogon_creds_cli_locked_state;
 
@@ -942,9 +943,10 @@ struct netlogon_creds_cli_auth_state {
 	struct tevent_context *ev;
 	struct netlogon_creds_cli_context *context;
 	struct dcerpc_binding_handle *binding_handle;
-	struct samr_Password current_nt_hash;
-	struct samr_Password previous_nt_hash;
-	struct samr_Password used_nt_hash;
+	uint8_t num_nt_hashes;
+	uint8_t idx_nt_hashes;
+	const struct samr_Password * const *nt_hashes;
+	const struct samr_Password *used_nt_hash;
 	char *srv_name_slash;
 	uint32_t current_flags;
 	struct netr_Credential client_challenge;
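Review bot: the state now only keeps a pointer to the caller's array, `const struct samr_Password * const *nt_hashes;`, where the removed current_nt_hash/previous_nt_hash fields held copies by value. Because this is an async request that can retry through several challenge exchanges before _recv() is called, the caller has to keep the array and every samr_Password it points to alive for the whole lifetime of the request. Either copy the hashes into the state as before (at most four, so the cost is trivial) or state the lifetime requirement explicitly where netlogon_creds_cli_auth_send() is declared.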
@@ -956,7 +958,6 @@ struct netlogon_creds_cli_auth_state {
 	bool try_auth3;
 	bool try_auth2;
 	bool require_auth2;
-	bool try_previous_nt_hash;
 	struct netlogon_creds_cli_locked_state *locked_state;
 };
 
@@ -967,8 +968,8 @@ struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
 				struct tevent_context *ev,
 				struct netlogon_creds_cli_context *context,
 				struct dcerpc_binding_handle *b,
-				struct samr_Password current_nt_hash,
-				const struct samr_Password *previous_nt_hash)
+				uint8_t num_nt_hashes,
+				const struct samr_Password * const *nt_hashes)
 {
 	struct tevent_req *req;
 	struct netlogon_creds_cli_auth_state *state;
@@ -984,12 +985,19 @@ struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
 	state->ev = ev;
 	state->context = context;
 	state->binding_handle = b;
-	state->current_nt_hash = current_nt_hash;
-	if (previous_nt_hash != NULL) {
-		state->previous_nt_hash = *previous_nt_hash;
-		state->try_previous_nt_hash = true;
+	if (num_nt_hashes < 1) {
+		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+		return tevent_req_post(req, ev);
+	}
+	if (num_nt_hashes > 4) {
+		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+		return tevent_req_post(req, ev);
 	}
 
+	state->num_nt_hashes = num_nt_hashes;
+	state->idx_nt_hashes = 0;
+	state->nt_hashes = nt_hashes;
+
 	if (context->db.locked_state != NULL) {
 		tevent_req_nterror(req, NT_STATUS_LOCK_NOT_GRANTED);
 		return tevent_req_post(req, ev);
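Review bot: the two range checks accept num_nt_hashes in 1..4 but never verify that nt_hashes itself, or nt_hashes[0], is non-NULL, and `state->used_nt_hash = state->nt_hashes[state->idx_nt_hashes];` further down in this function then hands that pointer to the credential setup. Add `if (nt_hashes == NULL)` (and ideally a loop rejecting any NULL entry) returning NT_STATUS_INVALID_PARAMETER_MIX next to these checks, and replace the bare 4 with a named constant with a comment explaining where the upper bound comes from, since nothing in the hunk says why exactly four hashes are allowed.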
@@ -1019,7 +1027,7 @@ struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
 		state->require_auth2 = true;
 	}
 
-	state->used_nt_hash = state->current_nt_hash;
+	state->used_nt_hash = state->nt_hashes[state->idx_nt_hashes];
 	state->current_flags = context->client.proposed_flags;
 
 	if (context->db.g_ctx != NULL) {
@@ -1141,7 +1149,7 @@ static void netlogon_creds_cli_auth_challenge_done(struct tevent_req *subreq)
 						  state->context->client.type,
 						  &state->client_challenge,
 						  &state->server_challenge,
-						  &state->used_nt_hash,
+						  state->used_nt_hash,
 						  &state->client_credential,
 						  state->current_flags);
 	if (tevent_req_nomem(state->creds, req)) {
@@ -1283,7 +1291,8 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
 			return;
 		}
 
-		if (!state->try_previous_nt_hash) {
+		state->idx_nt_hashes += 1;
+		if (state->idx_nt_hashes >= state->num_nt_hashes) {
 			/*
 			 * we already retried, giving up...
 			 */
@@ -1294,8 +1303,7 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
 		/*
 		 * lets retry with the old nt hash.
 		 */
-		state->try_previous_nt_hash = false;
-		state->used_nt_hash = state->previous_nt_hash;
+		state->used_nt_hash = state->nt_hashes[state->idx_nt_hashes];
 		state->current_flags = state->context->client.proposed_flags;
 		netlogon_creds_cli_auth_challenge_start(req);
 		return;
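Review bot: the comment "lets retry with the old nt hash." kept above `state->used_nt_hash = state->nt_hashes[state->idx_nt_hashes];` is now stale; the code steps to the next entry of the caller's array, which is not necessarily the previous password. Suggest "retry with the next nt hash in the list" so the comment matches the loop over idx_nt_hashes introduced in the previous hunk.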
@@ -1330,43 +1338,52 @@ static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
 	tevent_req_done(req);
 }
 
-NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req)
+NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req,
+				      uint8_t *idx_nt_hashes)
 {
+	struct netlogon_creds_cli_auth_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_auth_state);
 	NTSTATUS status;
 
+	*idx_nt_hashes = 0;
+
 	if (tevent_req_is_nterror(req, &status)) {
 		tevent_req_received(req);
 		return status;
 	}
 
+	*idx_nt_hashes = state->idx_nt_hashes;
 	tevent_req_received(req);
 	return NT_STATUS_OK;
 }
 
 NTSTATUS netlogon_creds_cli_auth(struct netlogon_creds_cli_context *context,
 				 struct dcerpc_binding_handle *b,
-				 struct samr_Password current_nt_hash,
-				 const struct samr_Password *previous_nt_hash)
+				 uint8_t num_nt_hashes,
+				 const struct samr_Password * const *nt_hashes,
+				 uint8_t *idx_nt_hashes)
 {
 	TALLOC_CTX *frame = talloc_stackframe();
 	struct tevent_context *ev;
 	struct tevent_req *req;
 	NTSTATUS status = NT_STATUS_NO_MEMORY;
 
+	*idx_nt_hashes = 0;
+
 	ev = samba_tevent_context_init(frame);
 	if (ev == NULL) {
 		goto fail;
 	}
 	req = netlogon_creds_cli_auth_send(frame, ev, context, b,
-					   current_nt_hash,
-					   previous_nt_hash);
+					   num_nt_hashes, nt_hashes);
 	if (req == NULL) {
 		goto fail;
 	}
 	if (!tevent_req_poll_ntstatus(req, ev, &status)) {
 		goto fail;
 	}
-	status = netlogon_creds_cli_auth_recv(req);
+	status = netlogon_creds_cli_auth_recv(req, idx_nt_hashes);
  fail:
 	TALLOC_FREE(frame);
 	return status;
@@ -1734,7 +1751,7 @@ struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx
 				struct tevent_context *ev,
 				struct netlogon_creds_cli_context *context,
 				struct dcerpc_binding_handle *b,
-				const char *new_password,
+				const DATA_BLOB *new_password,
 				const uint32_t *new_version)
 {
 	struct tevent_req *req;
@@ -1752,20 +1769,21 @@ struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx
 	state->context = context;
 	state->binding_handle = b;
 
-	/*
-	 * netr_ServerPasswordSet
-	 */
-	ok = E_md4hash(new_password, state->samr_password.hash);
-	if (!ok) {
+	if (new_password->length < 14) {
 		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
 		return tevent_req_post(req, ev);
 	}
 
 	/*
+	 * netr_ServerPasswordSet
+	 */
+	mdfour(state->samr_password.hash, new_password->data, new_password->length);
+
+	/*
 	 * netr_ServerPasswordSet2
 	 */
-	ok = encode_pw_buffer(state->samr_crypt_password.data,
-			      new_password, STR_UNICODE);
+	ok = set_pw_in_buffer(state->samr_crypt_password.data,
+			      new_password);
 	if (!ok) {
 		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
 		return tevent_req_post(req, ev);
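Review bot: `if (new_password->length < 14)` is an unexplained magic number and new_password is dereferenced without a NULL check. The blob has to be the already UTF-16LE encoded cleartext, since set_pw_in_buffer() is documented in proto.h as taking "an already unicode password" and the removed encode_pw_buffer(..., STR_UNICODE) call used to do that conversion from a C string; 14 bytes is therefore only 7 characters. State the unit in a comment or a named constant (bytes of UTF-16LE, not characters), add `if (new_password == NULL)` returning NT_STATUS_INVALID_PARAMETER_MIX, and make sure every caller converted along with this signature change actually passes UTF-16LE, because mdfour() is now run over the caller's bytes as-is and a caller still passing an 8-bit string would produce a samr_Password the DC will never match.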
@@ -2035,7 +2053,7 @@ NTSTATUS netlogon_creds_cli_ServerPasswordSet_recv(struct tevent_req *req)
 NTSTATUS netlogon_creds_cli_ServerPasswordSet(
 				struct netlogon_creds_cli_context *context,
 				struct dcerpc_binding_handle *b,
-				const char *new_password,
+				const DATA_BLOB *new_password,
 				const uint32_t *new_version)
 {
 	TALLOC_CTX *frame = talloc_stackframe();
diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
index 949e03b..a7fd48c 100644
--- a/libcli/auth/netlogon_creds_cli.h
+++ b/libcli/auth/netlogon_creds_cli.h
@@ -84,13 +84,15 @@ struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
 				struct tevent_context *ev,
 				struct netlogon_creds_cli_context *context,
 				struct dcerpc_binding_handle *b,
-				struct samr_Password current_nt_hash,
-				const struct samr_Password *previous_nt_hash);
-NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req);
+				uint8_t num_nt_hashes,
+				const struct samr_Password * const *nt_hashes);
+NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req,
+				      uint8_t *idx_nt_hashes);
 NTSTATUS netlogon_creds_cli_auth(struct netlogon_creds_cli_context *context,
 				 struct dcerpc_binding_handle *b,
-				 struct samr_Password current_nt_hash,
-				 const struct samr_Password *previous_nt_hash);
+				 uint8_t num_nt_hashes,
+				 const struct samr_Password * const *nt_hashes,
+				 uint8_t *idx_nt_hashes);
 
 struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
 				struct tevent_context *ev,
@@ -104,13 +106,13 @@ struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx
 				struct tevent_context *ev,
 				struct netlogon_creds_cli_context *context,
 				struct dcerpc_binding_handle *b,
-				const char *new_password,
+				const DATA_BLOB *new_password,
 				const uint32_t *new_version);
 NTSTATUS netlogon_creds_cli_ServerPasswordSet_recv(struct tevent_req *req);
 NTSTATUS netlogon_creds_cli_ServerPasswordSet(
 				struct netlogon_creds_cli_context *context,
 				struct dcerpc_binding_handle *b,
-				const char *new_password,
+				const DATA_BLOB *new_password,
 				const uint32_t *new_version);
 
 struct tevent_req *netlogon_creds_cli_LogonSamLogon_send(TALLOC_CTX *mem_ctx,
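Review bot: `const DATA_BLOB *new_password` needs a comment on the encoding it carries; set_pw_in_buffer() in proto.h is documented as taking "an already unicode password", and netlogon_creds_cli_ServerPasswordSet_send() now rejects blobs shorter than 14 bytes, so say here that new_password is the UTF-16LE encoded cleartext (without a terminating NUL) and state the minimum length and its unit, otherwise callers will guess.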
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index cc9ae33..a03f45e 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -187,7 +187,7 @@ void encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532], const DATA_B
  encode a password buffer with an already unicode password.  The
  rest of the buffer is filled with random data to make it harder to attack.
 ************************************************************/
-bool set_pw_in_buffer(uint8_t buffer[516], DATA_BLOB *password);
+bool set_pw_in_buffer(uint8_t buffer[516], const DATA_BLOB *password);
 
 /***********************************************************
  decode a password buffer
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index ebf6812..afd9286 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -804,7 +804,7 @@ void encode_or_decode_arc4_passwd_buffer(unsigned char pw_buf[532], const DATA_B
  encode a password buffer with an already unicode password.  The
  rest of the buffer is filled with random data to make it harder to attack.


-- 
Samba Shared Repository


