[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Sun Jun 26 23:09:01 UTC 2022


The branch, master has been updated
       via  f06b40a9196 bootstrap: Use quay.io to download fedora images
       via  e8517ee7c70 WHATSNEW: Announce support for dropping the NT hash
       via  e6957c1d479 samba-tool user: Accommodate missing unicodePwd in getpassword command
       via  aa9136ab742 samba-tool user: When possible, obtain AES256 key and salt
       via  f33aa94c9ee auth/credentials: Add get_aes256_key()
       via  0d9835e1e49 auth/credentials: Add cli_credentials_get_aes256_key()
       via  d2a473a7b74 dsdb: Allow password history and password changes without an NT hash
       via  6029e2250c4 s4-auth: For LDAP simple bind, fall back to checking the ENCTYPE_AES256_CTS_HMAC_SHA1_96 if stored
       via  18f2a6b231f s4:kdc: Add helper function to extract AES256 key and salt
       via  68c57d9f78d tests/krb5: Add test for presence of NT hash
      from  cd09d4f470f third_party: Update nss_wrapper to version 1.1.12

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f06b40a91966c521cd7f4ce4afc4e2f76c00a045
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Jun 20 18:48:56 2022 +0200

    bootstrap: Use quay.io to download fedora images
    
    The docker registry is rate limited now. This often leads to errors, so
    use the Red Hat registry.
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Sun Jun 26 23:08:03 UTC 2022 on sn-devel-184

commit e8517ee7c700e351901bed1739ff21492854fc9b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Mar 25 12:50:26 2022 +1300

    WHATSNEW: Announce support for dropping the NT hash
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit e6957c1d47996a98e905211f62ee1f3897700ecc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Apr 11 11:54:24 2022 +1200

    samba-tool user: Accommodate missing unicodePwd in getpassword command
    
    To allow for the NT hash not being stored when NTLM authentication is
    disabled, we use the AES256 key instead for verification against the
    other packages if the unicodePwd attribute is not present.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit aa9136ab7427a89917a9d0ca7896348c49890b3f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon May 9 14:50:15 2022 +1200

    samba-tool user: When possible, obtain AES256 key and salt
    
    We will make use of these in the next commit to check that the
    supplemental packages are up-to-date with the current password.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit f33aa94c9ee26a44132feca8fc4c460f88a48ee2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon May 9 14:37:58 2022 +1200

    auth/credentials: Add get_aes256_key()
    
    This makes it possible to generate AES256 keys in Python from a given
    password and salt.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0d9835e1e497d667ce49f00d5127d2231055793f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon May 9 14:35:05 2022 +1200

    auth/credentials: Add cli_credentials_get_aes256_key()
    
    This allows us to generate AES256 keys from a given password and salt.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d2a473a7b7471937d1098a11258b875134ad702a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jan 31 14:08:13 2022 +1300

    dsdb: Allow password history and password changes without an NT hash
    
    We now allow this to be via the ENCTYPE_AES256_CTS_HMAC_SHA1_96 hash instead,
    which allows us to decouple Samba from the unsalted NT hash for
    organisations that are willing to take this step (for user accounts).
    
    (History checking is limited to the last three passwords only, as
    ntPwdHistory is limited to NT hash values, and the PrimaryKerberosCtr4
    package only stores three sets of keys.)
    
    Since we don't store a salt per-key, but only a single salt, the check
    will fail for a previous password if the account was renamed prior to a
    newer password being set.
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 6029e2250c4dc837ed4f6b4613f988ae6dff49e3
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Jun 10 12:47:01 2022 +1200

    s4-auth: For LDAP simple bind, fall back to checking the ENCTYPE_AES256_CTS_HMAC_SHA1_96 if stored
    
    Since we don't store a salt per-key, but only a single salt, when we do
    not have the NT hash in the unicodePwd (eg ntlm auth = disabled), the check
    will fail for a previous password if the account was renamed prior to a
    newer password being set.
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 18f2a6b231ffc4318f7f7e00f81d2815f7ebe9eb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed May 18 20:12:36 2022 +1200

    s4:kdc: Add helper function to extract AES256 key and salt
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 68c57d9f78dd511d7238fbc6a479f5db928d5eee
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Apr 11 15:44:09 2022 +1200

    tests/krb5: Add test for presence of NT hash
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 .gitlab-ci-main.yml                                |   2 +-
 WHATSNEW.txt                                       |  40 +++
 auth/common_auth.h                                 |   3 +
 auth/credentials/credentials.h                     |   6 +
 auth/credentials/credentials_krb5.c                |  64 ++++
 auth/credentials/pycredentials.c                   |  56 ++++
 bootstrap/config.py                                |   4 +-
 bootstrap/generated-dists/f36mit120/Dockerfile     |   2 +-
 bootstrap/generated-dists/fedora36/Dockerfile      |   2 +-
 bootstrap/sha1sum.txt                              |   2 +-
 docs-xml/smbdotconf/security/nt_hash_store.xml     |  70 ++++
 docs-xml/smbdotconf/security/ntlmauth.xml          |   9 +
 lib/param/loadparm.c                               |   1 +
 lib/param/loadparm.h                               |   7 +
 lib/param/param_table.c                            |   7 +
 python/samba/netcmd/user.py                        |  77 +++--
 python/samba/tests/krb5/kdc_base_test.py           |   8 +-
 python/samba/tests/krb5/nt_hash_tests.py           | 143 ++++++++
 python/samba/tests/usage.py                        |   1 +
 selftest/knownfail.d/nt-hash-support-gone          |   3 +-
 selftest/knownfail.d/password_settings             |   2 -
 selftest/target/Samba4.pm                          |   2 +-
 source3/param/loadparm.c                           |   1 +
 source4/auth/ntlm/auth_sam.c                       | 265 +++++++++++++--
 source4/auth/ntlm/wscript_build                    |   3 +-
 source4/dsdb/samdb/ldb_modules/password_hash.c     | 368 +++++++++++++++++++--
 .../dsdb/samdb/ldb_modules/wscript_build_server    |   2 +-
 source4/dsdb/tests/python/password_settings.py     |   5 +-
 source4/kdc/db-glue.c                              |  94 ++++++
 source4/kdc/db-glue.h                              |   9 +
 source4/selftest/tests.py                          |   9 +
 31 files changed, 1173 insertions(+), 94 deletions(-)
 create mode 100644 docs-xml/smbdotconf/security/nt_hash_store.xml
 create mode 100755 python/samba/tests/krb5/nt_hash_tests.py
 delete mode 100644 selftest/knownfail.d/password_settings


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index 2974212e888..ce30e044335 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -47,7 +47,7 @@ variables:
   # Set this to the contents of bootstrap/sha1sum.txt
   # which is generated by bootstrap/template.py --render
   #
-  SAMBA_CI_CONTAINER_TAG: f0d5c414802246c0df46f9bbbceeda4853fd24b7
+  SAMBA_CI_CONTAINER_TAG: b62662cd85b10ca4767b9ead4e9b0482ad98ddb2
   #
   # We use the ubuntu1804 image as default as
   # it matches what we have on sn-devel-184.
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a0cffa6d75b..3b31211b2bb 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -108,6 +108,45 @@ CTDB changes
   comments, is no longer permitted.  Please see ctdb-tunables(7) for
   more details.
 
+Operation without the (unsalted) NT password hash
+-------------------------------------------------
+
+When Samba is configured with 'nt hash store = never' then Samba will
+no longer store the (unsalted) NT password hash for users in Active
+Directory.  (Trust accounts, like computers, domain controllers and
+inter-domain trusts are not impacted).
+
+In the next version of Samba the default for 'nt hash store' will
+change from 'always' to 'auto', where it will follow (behave as 'nt
+hash store = never' when 'ntlm auth = disabled' is set.
+
+Security-focused deployments of Samba that have eliminated NTLM from
+their networks will find setting 'ntlm auth = disabled' with 'nt hash
+store = always' as a useful way to improve compliance with
+best-practice guidance on password storage (which is to always use an
+interated hash).
+
+Note that when 'nt hash store = never' is set, then arcfour-hmac-md5
+Kerberos keys will not be available for users who subsequently change
+their password, as these keys derive their values from NT hashes.  AES
+keys are stored by default for all deployments of Samba with Domain
+Functional Level 2008 or later, are supported by all modern clients,
+and are much more secure.
+
+Finally, also note that password history in Active Directory is stored
+in nTPwdHistory using a series of NT hash values.  Therefore the full
+password history feature is not available in this mode.
+
+To provide some protection against password re-use previous Kerberos
+hash values (the current, old and older values are already stored) are
+used, providing a history length of 3.
+
+There is one small limitation of this workaround: Changing the
+sAMAccountName, userAccountControl or userPrincipalName of an account
+can cause the Kerberos password salt to change.  This means that after
+*both* an account rename and a password change, only the current
+password will be recognised for password history purposes.
+
 
 REMOVED FEATURES
 ================
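Review bot: the paragraph beginning "Security-focused deployments" recommends 'ntlm auth = disabled' together with 'nt hash store = always', but 'always' keeps storing the unsalted NT hash, so that combination cannot improve compliance with the iterated-hash guidance the sentence cites; the intended value is presumably 'never' (or 'auto', which the preceding paragraph says will follow 'ntlm auth'). Two smaller fixes in the same hunk: the sentence "where it will follow (behave as 'nt hash store = never' when 'ntlm auth = disabled' is set." has an unclosed parenthesis and reads as two drafts merged, and "interated hash" should be "iterated hash".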
@@ -124,6 +163,7 @@ smb.conf changes
   Parameter Name                          Description     Default
   --------------                          -----------     -------
   dns port                                New default     53
+  nt hash store				  New parameter   always
 
 
 KNOWN ISSUES
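Review bot: the added "nt hash store" row is padded with tab characters while the rows around it use spaces, so the Description and Default columns will not line up under a different tab width; pad with spaces like the "dns port" row directly above.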
diff --git a/auth/common_auth.h b/auth/common_auth.h
index d922b66ab4d..fb41d48be49 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -129,6 +129,9 @@ struct auth4_context {
 	/* Private data for the callbacks on this auth context */
 	void *private_data;
 
+	/* Kerberos context, set up on demand */
+	struct smb_krb5_context *smb_krb5_context;
+
 	struct tevent_req *(*check_ntlm_password_send)(TALLOC_CTX *mem_ctx,
 					struct tevent_context *ev,
 					struct auth4_context *auth_ctx,
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 551b1611826..e9d8b8a44b1 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -344,4 +344,10 @@ NTSTATUS netlogon_creds_session_encrypt(
 	struct netlogon_creds_CredentialState *state,
 	DATA_BLOB data);
 
+int cli_credentials_get_aes256_key(struct cli_credentials *cred,
+				   TALLOC_CTX *mem_ctx,
+				   struct loadparm_context *lp_ctx,
+				   const char *salt,
+				   DATA_BLOB *aes_256);
+
 #endif /* __CREDENTIALS_H__ */
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index e69e1a83b3c..bd47113e60c 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -1464,3 +1464,67 @@ _PUBLIC_ void cli_credentials_set_target_service(struct cli_credentials *cred, c
 	cred->target_service = talloc_strdup(cred, target_service);
 }
 
+_PUBLIC_ int cli_credentials_get_aes256_key(struct cli_credentials *cred,
+					    TALLOC_CTX *mem_ctx,
+					    struct loadparm_context *lp_ctx,
+					    const char *salt,
+					    DATA_BLOB *aes_256)
+{
+	struct smb_krb5_context *smb_krb5_context = NULL;
+	krb5_error_code krb5_ret;
+	int ret;
+	const char *password = NULL;
+	krb5_data cleartext_data;
+	krb5_data salt_data;
+	krb5_keyblock key;
+
+	if (cred->password_will_be_nt_hash) {
+		DEBUG(1,("cli_credentials_get_aes256_key: cannot generate AES256 key using NT hash\n"));
+		return EINVAL;
+	}
+
+	password = cli_credentials_get_password(cred);
+	if (password == NULL) {
+		return EINVAL;
+	}
+
+	cleartext_data.data = discard_const_p(char, password);
+	cleartext_data.length = strlen(password);
+
+	ret = cli_credentials_get_krb5_context(cred, lp_ctx,
+					       &smb_krb5_context);
+	if (ret != 0) {
+		return ret;
+	}
+
+	salt_data.data = discard_const_p(char, salt);
+	salt_data.length = strlen(salt);
+
+	/*
+	 * create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of
+	 * the salt and the cleartext password
+	 */
+	krb5_ret = smb_krb5_create_key_from_string(smb_krb5_context->krb5_context,
+						   NULL,
+						   &salt_data,
+						   &cleartext_data,
+						   ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+						   &key);
+	if (krb5_ret != 0) {
+		DEBUG(1,("cli_credentials_get_aes256_key: "
+			 "generation of a aes256-cts-hmac-sha1-96 key failed: %s",
+			 smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+						    krb5_ret, mem_ctx)));
+		return EINVAL;
+	}
+	*aes_256 = data_blob_talloc(mem_ctx,
+				    KRB5_KEY_DATA(&key),
+				    KRB5_KEY_LENGTH(&key));
+	krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &key);
+	if (aes_256->data == NULL) {
+		return ENOMEM;
+	}
+	talloc_keep_secret(aes_256->data);
+
+	return 0;
+}
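Review bot: the DEBUG(1, ...) message in the krb5_ret != 0 branch has no trailing "\n", so the next log line will be glued onto it; while touching it, "a aes256-cts-hmac-sha1-96 key" should read "an aes256-cts-hmac-sha1-96 key". The same branch collapses every libkrb5 failure into EINVAL, whereas the earlier cli_credentials_get_krb5_context() failure is propagated as-is; returning krb5_ret would keep the cause visible to callers. Also, the string returned by smb_get_krb5_error_message() is allocated on the caller's mem_ctx and never freed, so it outlives the log call; use a temporary context or talloc_free() it after logging.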
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index b779f274b89..013d2958ea2 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -937,6 +937,54 @@ static PyObject *py_creds_get_secure_channel_type(PyObject *self, PyObject *args
 	return PyLong_FromLong(channel_type);
 }
 
+static PyObject *py_creds_get_aes256_key(PyObject *self, PyObject *args)
+{
+	struct loadparm_context *lp_ctx = NULL;
+	TALLOC_CTX *mem_ctx = NULL;
+	PyObject *py_lp_ctx = Py_None;
+	const char *salt = NULL;
+	DATA_BLOB aes_256;
+	int code;
+	PyObject *ret = NULL;
+	struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
+	if (creds == NULL) {
+		PyErr_Format(PyExc_TypeError, "Credentials expected");
+		return NULL;
+	}
+
+	if (!PyArg_ParseTuple(args, "s|O", &salt, &py_lp_ctx))
+		return NULL;
+
+	mem_ctx = talloc_new(NULL);
+	if (mem_ctx == NULL) {
+		PyErr_NoMemory();
+		return NULL;
+	}
+
+	lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx);
+	if (lp_ctx == NULL) {
+		talloc_free(mem_ctx);
+		return NULL;
+	}
+
+	code = cli_credentials_get_aes256_key(creds,
+					      mem_ctx,
+					      lp_ctx,
+					      salt,
+					      &aes_256);
+	if (code != 0) {
+		PyErr_SetString(PyExc_RuntimeError,
+				"Failed to generate AES256 key");
+		talloc_free(mem_ctx);
+		return NULL;
+	}
+
+	ret = PyBytes_FromStringAndSize((const char *)aes_256.data,
+					aes_256.length);
+	talloc_free(mem_ctx);
+	return ret;
+}
+
 static PyObject *py_creds_encrypt_netr_crypt_password(PyObject *self,
 						      PyObject *args)
 {
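Review bot: when cli_credentials_get_aes256_key() fails, the fixed "Failed to generate AES256 key" message discards the returned errno, so a Python caller cannot tell "no cleartext password available" (EINVAL) from an allocation failure (ENOMEM); setting errno = code and calling PyErr_SetFromErrno(PyExc_RuntimeError), or folding strerror(code) into the message, would preserve it. Style: the PyArg_ParseTuple() early return is the only unbraced if in the function; give it braces to match the other blocks and README.Coding.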
@@ -1417,6 +1465,14 @@ static PyMethodDef py_creds_methods[] = {
 		.ml_meth  = py_creds_get_secure_channel_type,
 		.ml_flags = METH_VARARGS,
 	},
+	{
+		.ml_name  = "get_aes256_key",
+		.ml_meth  = py_creds_get_aes256_key,
+		.ml_flags = METH_VARARGS,
+		.ml_doc   = "S.get_aes256_key(salt[, lp]) -> bytes\n"
+			    "Generate an AES256 key using the current password and\n"
+			    "the specified salt",
+	},
 	{
 		.ml_name  = "encrypt_netr_crypt_password",
 		.ml_meth  = py_creds_encrypt_netr_crypt_password,
diff --git a/bootstrap/config.py b/bootstrap/config.py
index a204d1e19c3..a00b253ae77 100644
--- a/bootstrap/config.py
+++ b/bootstrap/config.py
@@ -490,7 +490,7 @@ RPM_DISTS = {
         }
     },
     'fedora36': {
-        'docker_image': 'fedora:36',
+        'docker_image': 'quay.io/fedora/fedora:36',
         'vagrant_box': 'fedora/36-cloud-base',
         'bootstrap': DNF_BOOTSTRAP,
         'replace': {
@@ -501,7 +501,7 @@ RPM_DISTS = {
         }
     },
     'f36mit120': {
-        'docker_image': 'fedora:36',
+        'docker_image': 'quay.io/fedora/fedora:36',
         'vagrant_box': 'fedora/36-cloud-base',
         'bootstrap': DNF_BOOTSTRAP_MIT,
         'replace': {
diff --git a/bootstrap/generated-dists/f36mit120/Dockerfile b/bootstrap/generated-dists/f36mit120/Dockerfile
index 803f0752a11..8ceb585b6fd 100644
--- a/bootstrap/generated-dists/f36mit120/Dockerfile
+++ b/bootstrap/generated-dists/f36mit120/Dockerfile
@@ -3,7 +3,7 @@
 # See also bootstrap/config.py
 #
 
-FROM fedora:36
+FROM quay.io/fedora/fedora:36
 
 # pass in with --build-arg while build
 ARG SHA1SUM
diff --git a/bootstrap/generated-dists/fedora36/Dockerfile b/bootstrap/generated-dists/fedora36/Dockerfile
index 803f0752a11..8ceb585b6fd 100644
--- a/bootstrap/generated-dists/fedora36/Dockerfile
+++ b/bootstrap/generated-dists/fedora36/Dockerfile
@@ -3,7 +3,7 @@
 # See also bootstrap/config.py
 #
 
-FROM fedora:36
+FROM quay.io/fedora/fedora:36
 
 # pass in with --build-arg while build
 ARG SHA1SUM
diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt
index ac500bec4f2..d9766fd37b9 100644
--- a/bootstrap/sha1sum.txt
+++ b/bootstrap/sha1sum.txt
@@ -1 +1 @@
-f0d5c414802246c0df46f9bbbceeda4853fd24b7
+b62662cd85b10ca4767b9ead4e9b0482ad98ddb2
diff --git a/docs-xml/smbdotconf/security/nt_hash_store.xml b/docs-xml/smbdotconf/security/nt_hash_store.xml
new file mode 100644
index 00000000000..d7ed705de58
--- /dev/null
+++ b/docs-xml/smbdotconf/security/nt_hash_store.xml
@@ -0,0 +1,70 @@
+<samba:parameter name="nt hash store"
+                 context="G"
+                 type="enum"
+                 enumlist="enum_nt_hash_store"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This parameter determines whether or not <citerefentry><refentrytitle>samba</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> will, as an AD DC, attempt to
+    store the NT password hash used in NTLM and NTLMv2 authentication for
+    users in this domain. </para>
+
+    <para>If so configured, the Samba Active Directory Domain Controller,
+    will, except for trust accounts (computers, domain
+    controllers and inter-domain trusts) the
+    <emphasis>NOT store the NT hash</emphasis>
+    for new and changed accounts in the sam.ldb database.</para>
+
+    <para>This avoids the storage of an unsalted hash for these
+    user-created passwords.  As a consequence the
+    <constant>arcfour-hmac-md5</constant> Kerberos key type is
+    also unavailable in the KDC for these users - thankfully
+    <emphasis>modern clients will select an AES based key
+    instead.</emphasis></para>
+
+    <para>NOTE: As the password history in Active Directory is
+    stored as an NT hash (and thus unavailable), a workaround is
+    used, relying instead on Kerberos password hash values.
+    This stores three passwords, the current, previous and second previous
+    password.  This allows some checking against reuse. </para>
+
+    <para>However as these values are salted, changing the
+    sAMAccountName, userAccountControl or userPrincipalName of
+    an account will cause the salt to change.  After the rare
+    combination of both a rename and a password change only the
+    current password will be recognised for password history
+    purposes.
+    </para>
+    <para>The available settings are:</para>
+
+    <itemizedlist>
+        <listitem>
+          <para><constant>always</constant> - Always store the NT hash
+	  (as machine accounts will also always store an NT hash,
+	  a hash will be stored for all accounts).</para>
+
+	  <para>This setting may be useful if <parameter
+	  moreinfo="none">ntlm auth</parameter> is set to <constant>disabled</constant>
+	  for a trial period</para>
+
+        </listitem>
+
+        <listitem>
+          <para><constant>never</constant> - Never store the NT hash
+	  for user accounts, only for machine accounts</para>
+        </listitem>
+
+        <listitem>
+          <para><constant>auto</constant> - Store an NT hash if <parameter
+	  moreinfo="none">ntlm auth</parameter> is not set to <constant>disabled</constant>.
+	  </para>
+
+        </listitem>
+
+    </itemizedlist>
+
+</description>
+
+<related>ntlm auth</related>
+<value type="default">always</value>
+</samba:parameter>
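Review bot: the second paragraph ("If so configured, the Samba Active Directory Domain Controller, will, except for trust accounts ... the NOT store the NT hash ...") does not parse: "If so configured" never names the value, a stray "the" precedes "NOT store", and the commas around "will" are misplaced. Suggested wording: "When set to <constant>never</constant>, the Samba Active Directory Domain Controller will <emphasis>NOT store the NT hash</emphasis> for new and changed user accounts in the sam.ldb database; trust accounts (computers, domain controllers and inter-domain trusts) are not affected." Two smaller points: the second paragraph of the <constant>always</constant> item lacks a full stop after "for a trial period", and <value type="default">always</value> here is the value to check against the ntlm auth page in this same patch, which calls auto the default.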
diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml
index 8d31c98eb05..d7c84ccaf85 100644
--- a/docs-xml/smbdotconf/security/ntlmauth.xml
+++ b/docs-xml/smbdotconf/security/ntlmauth.xml
@@ -62,6 +62,14 @@
 	  authentication to forward to a full DC.  Setting this option
 	  to <constant>disabled</constant> will cause these forwarded
 	  authentications to fail.</para>
+
+	  <para>Additionally, for Samba acting as an Active Directory
+	  Domain Controller, for user accounts, if <parameter moreinfo="none">nt hash store</parameter>
+	  is set to the default setting of <constant>auto</constant>,
+	  the <emphasis>NT hash will not be stored</emphasis>
+	  in the sam.ldb database for new users and after a
+	  password change.</para>
+
         </listitem>
 
     </itemizedlist>
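Review bot: the added paragraph describes 'nt hash store' as having "the default setting of auto", but this patch sets the default to always (loadparm.c, nt_hash_store.xml and the smb.conf changes table in WHATSNEW.txt all say always, and WHATSNEW says the switch to auto is planned for the next version). Reword to "if nt hash store is set to auto (planned to become the default)" or drop the word "default" so the page does not misstate current behaviour.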
@@ -72,6 +80,7 @@
     behaviour is unchanged.</para>
 </description>
 
+<related>nt hash store</related>
 <related>lanman auth</related>
 <related>raw NTLMv2 auth</related>
 <value type="default">ntlmv2-only</value>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 599c4b00966..d8646120e6b 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2651,6 +2651,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "ClientNTLMv2Auth", "True");
 	lpcfg_do_global_parameter(lp_ctx, "LanmanAuth", "False");
 	lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "ntlmv2-only");
+	lpcfg_do_global_parameter(lp_ctx, "NT hash store", "always");
 	lpcfg_do_global_parameter(lp_ctx, "RawNTLMv2Auth", "False");
 	lpcfg_do_global_parameter(lp_ctx, "client use spnego principal", "False");
 
diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
index a3331436229..b1641ba88d2 100644
--- a/lib/param/loadparm.h
+++ b/lib/param/loadparm.h
@@ -262,6 +262,13 @@ enum samba_weak_crypto {
 	SAMBA_WEAK_CRYPTO_DISALLOWED,
 };
 
+/* Controlling the storage of the NT password has on the AD DC */
+enum store_nt_hash {
+	NT_HASH_STORE_AUTO,
+	NT_HASH_STORE_NEVER,
+	NT_HASH_STORE_ALWAYS
+};
+
 /*
  * Default passwd chat script.
  */
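Review bot: typo in the added comment: "NT password has" should be "NT password hash".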
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 9fac73ef113..3ffa4bcc411 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -403,6 +403,13 @@ static const struct enum_list enum_ntlm_auth[] = {
 	{-1, NULL}
 };
 
+static const struct enum_list enum_nt_hash_store[] = {
+	{NT_HASH_STORE_AUTO, "auto"},
+	{NT_HASH_STORE_NEVER, "never"},
+	{NT_HASH_STORE_ALWAYS, "always"},
+};
+
+
 static const struct enum_list enum_spotlight_backend[] = {
 	{SPOTLIGHT_BACKEND_NOINDEX, "noindex"},
 	{SPOTLIGHT_BACKEND_TRACKER, "tracker"},
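Review bot: enum_nt_hash_store lacks the {-1, NULL} terminator that enum_ntlm_auth (visible just above the insertion point) ends with; any code that walks an enum_list until name == NULL will read past the end of this array. Add "{-1, NULL}" as the last entry. The extra blank line before enum_spotlight_backend is also one more than the surrounding tables use.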
diff --git a/python/samba/netcmd/user.py b/python/samba/netcmd/user.py
index 24f66ffbd91..50d800ed04a 100644
--- a/python/samba/netcmd/user.py
+++ b/python/samba/netcmd/user.py
@@ -17,6 +17,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 
+import builtins
 import samba.getopt as options
 import ldb
 import pwd
@@ -1287,6 +1288,29 @@ class GetPasswordCommand(Command):
                 return binascii.a2b_hex(p.data)
             return None
 
+        def get_kerberos_ctr():
+            primary_krb5 = get_package("Primary:Kerberos-Newer-Keys")
+            if primary_krb5 is None:
+                primary_krb5 = get_package("Primary:Kerberos")
+            if primary_krb5 is None:
+                return (0, None)
+            krb5_blob = ndr_unpack(drsblobs.package_PrimaryKerberosBlob,
+                                   primary_krb5)
+            return (krb5_blob.version, krb5_blob.ctr)
+
+        aes256_key = None
+        kerberos_salt = None
+
+        (krb5_v, krb5_ctr) = get_kerberos_ctr()
+        if krb5_v in [3, 4]:
+            kerberos_salt = krb5_ctr.salt.string
+
+            if krb5_ctr.keys:
+                def is_aes256(k):
+                    return k.keytype == 18
+                aes256_key = next(builtins.filter(is_aes256, krb5_ctr.keys),
+                                  None)
+
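Review bot: is_aes256() compares keytype against the bare literal 18; a named constant for the AES256-CTS-HMAC-SHA1-96 key type would document the intent and make the check greppable against the C side of this series. A one-line comment on why builtins.filter is used instead of the bare name would also help, since the "import builtins" added in the previous hunk is otherwise unexplained to the next reader. Minor: get_kerberos_ctr() returns (0, None) when neither package is present, and the caller's "krb5_v in [3, 4]" silently skips any other version; a comment stating that older blob versions are intentionally ignored would avoid a future reader treating it as an oversight.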
         if decrypt:
             #
             # Samba adds 'Primary:SambaGPG' at the end.
@@ -1297,22 +1321,34 @@ class GetPasswordCommand(Command):
             #
             # In order to get more protection we verify
             # the nthash of the decrypted utf16 password
-            # against the stored nthash in unicodePwd.
+            # against the stored nthash in unicodePwd if

