[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Thu Mar 14 23:17:01 UTC 2024
The branch, master has been updated
via 97a23e57dc8 s4-auth/kerberos: Report errors observed during smb_krb5_remove_obsolete_keytab_entries()
via 9d7a97dc982 samba-tool domain exportkeytab: Refuse to overwrite an existing file in full-db export
via a0867595fbd s4-libnet: Prepare for a "rolling update" keytab export
via 7b662a92878 s4-auth/kerberos: Do not add true duplicates to exported keytab
via 3bb215d1946 selftest: Add tests of samba-tool domain export-keytab --keep-stale-entries behaviour
via f81d7047b6a selftest: Add tests for "samba-tool domain exportkeytab" with existing files"
via b2dff173666 samba-tool domain exportkeytab: Raise a proper CommandError
via 014f1b561e8 s4-libnet: Raise NTSTATUSError not RuntimeError in keytab export
via 0cb1e4dbf8e samba-tool: Add option --keep-stale-entries to "samba-tool domain exportkeytab"
via 2f97f6fe484 lib/krb5_wrap: Pull already_hashed case out of smb_krb5_kt_add_entry()
via 9fc4070f89d lib/krb5_wrap: Rename confusing add_salt parameter to smb_krb5_kt_add_entry()
via 43ce741d1ff python/tests: Add test that gMSA keytab export works and matches direct keytab export
via 91c05536108 s4-auth/kerberos: Note the good possability that the msDS-KeyVersionNumber is wrong
via 0490aed7168 auth/credentials: Cope with GMSA 5min password preview in cli_credentials_set_gmsa_passwords()
via bd2edecff06 s4-libnet: Add export of gMSA keys to "samba-tool domain exportkeytab"
via 66a9c1daa86 s4-kdc: Prepare for gMSA support by recording it on the entry
via 48affb137fb auth/credentials: Allow generation of old Kerberos keys also
via b8308f3fe06 auth/credentials: Make cli_credentials_get_aes256_key into generic key access
via 13d346ce0c4 auth/credentials: Add hook to set credentials from msDS-ManagedPassword blob
via 44063674734 s4-libnet: Pass the full struct smb_krb5_context to sdb_kt_copy()
via dd993c21703 auth/credentials: Dynamically calculate the salt principal (unless speccified)
via 9fc11e329c9 auth/credentials: Use salt on credentials object for Creds.get_aes256_key()
via 74f9d2e5190 auth/credentials: Add bindings for getting and setting the salt principal
via f34b910b5bc s4-libnet: Provide hint for "samba-tool domain exportkeytab" if used over LDAP without gMSA
via d4155f8a998 Make "samba-tool domain exportkeytab" prune old keys
via 6b3ce044d2d s4-auth/kerberos: Rename create_keytab() to smb_krb5_fill_keytab()
via 2c33862b9e0 s4-auth/kerberos: Add define ENC_STRONG_SALTED_TYPES
via a2ed51df7c0 s4-auth/kerberos: Remove unused paremters to create_keytab()
via 9246ee48040 samba-tool domain exportkeytab: Add support for -H to point to a different sam.ldb
via b6cffcb3fb0 libnet: Prepare to allow "samba-tool domain exportkeytab to support -H
via 7a8c091698e python: Explain strange enable_net_export_keytab() behaviour is no longer due Heimdal
from c97071726e1 packaging: Provide a systemd service file for samba-bgqd
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 97a23e57dc88fe6b4a851bb0e0db09a4ee9b37fb
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Mar 14 16:55:19 2024 +1300
s4-auth/kerberos: Report errors observed during smb_krb5_remove_obsolete_keytab_entries()
Previously any errors noticed during the main loop would be ignored.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Mar 14 23:16:16 UTC 2024 on atb-devel-224
commit 9d7a97dc9820e9f69a25a7321d84eb18cd3c6c08
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Mar 7 14:53:53 2024 +1300
samba-tool domain exportkeytab: Refuse to overwrite an existing file in full-db export
Since 87f67d336919172845f53067c67d1eab8e7ef18a samba-tool domain exportkeytab has
silently unlinked the given target file. Instead, the administrator now needs
to specify a file that does not exist.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit a0867595fbdb0e59b3c649f80f36e99ca74af41e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 6 17:48:09 2024 +1300
s4-libnet: Prepare for a "rolling update" keytab export
This mode will allow keytabs to be exported with all current keys added
to historical keys, which will be useful in a domain with many gMSA
servers that require wireshark decryption.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit 7b662a928784c889f0d0e41244444b723fa6fd20
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 6 17:43:47 2024 +1300
s4-auth/kerberos: Do not add true duplicates to exported keytab
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit 3bb215d194685b1f00e193680075b63147a0ada3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Mar 8 16:23:01 2024 +1300
selftest: Add tests of samba-tool domain export-keytab --keep-stale-entries behaviour
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit f81d7047b6adf4b9dba355565cf2730e01a7846f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Mar 7 16:12:56 2024 +1300
selftest: Add tests for "samba-tool domain exportkeytab" with existing files"
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit b2dff1736666568f304f8ae67796ecb1e768f38b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Mar 11 11:14:17 2024 +1300
samba-tool domain exportkeytab: Raise a proper CommandError
This avoids giving just a backtrace for things like exporting a keytab
to an existing file.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit 014f1b561e823b037c58cd156f96c0e6ef953290
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Mar 7 15:34:37 2024 +1300
s4-libnet: Raise NTSTATUSError not RuntimeError in keytab export
We should never raise RuntimeError if we have a better option.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit 0cb1e4dbf8ef92d678eb2da7fc0a3c283ea68193
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Mar 7 11:59:21 2024 +1300
samba-tool: Add option --keep-stale-entries to "samba-tool domain exportkeytab"
This will keep stale keys in the keytab, which may be useful for wireshark
but is not correct if the keytab is used for accepting Kerberos tickets,
as tickets encrypted with old passwords would still be accepted.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit 2f97f6fe484bc39ac05d8738b238bfd57d800d03
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 6 17:42:01 2024 +1300
lib/krb5_wrap: Pull already_hashed case out of smb_krb5_kt_add_entry()
The two callers of this function want two very different things, the
common point was wanting to call smb_krb5_kt_seek_and_delete_old_entries()
however this is now done earlier in sdb_kt_copy() with
smb_krb5_remove_obsolete_keytab_entries() or an unlink() in
libnet_export_keytab().
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit 9fc4070f89dc64f66e2af38a1adf3ffc010e374a
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Mar 6 15:30:53 2024 +1300
lib/krb5_wrap: Rename confusing add_salt parameter to smb_krb5_kt_add_entry()
This just adds the key directly, it is not related to if salting is used or not.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit 43ce741d1ff0920610ffea4863037442d937c388
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Feb 22 17:29:07 2024 +1300
python/tests: Add test that gMSA keytab export works and matches direct keytab export
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit 91c05536108aed369fadff363799726e0b431dc4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Feb 2 14:41:52 2024 +1300
s4-auth/kerberos: Note the good possability that the msDS-KeyVersionNumber is wrong
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit 0490aed71686db5665ee560d0838a3721aa2ffda
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Feb 2 14:40:24 2024 +1300
auth/credentials: Cope with GMSA 5min password preview in cli_credentials_set_gmsa_passwords()
This is unused in Samba currently, but is a subtle race that will be difficult
to debug if this is ever used, so this makes things easier for some future
developer.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit bd2edecff06c2ce3393c5bfeb7906cce77eed702
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Dec 20 18:10:45 2023 +1300
s4-libnet: Add export of gMSA keys to "samba-tool domain exportkeytab"
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit 66a9c1daa86e824e55155f07fd05666cd9905ad9
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Dec 22 12:09:45 2023 +1300
s4-kdc: Prepare for gMSA support by recording it on the entry
This will allow the "samba-tool domain exportkeytab" code to do special gMSA
processing and in the future will allow the KDC to know it needs to check
if the keys in the DB need refreshing.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit 48affb137fb3841b2e65f58d80fa959fa1c47741
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Dec 21 14:04:23 2023 +1300
auth/credentials: Allow generation of old Kerberos keys also
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit b8308f3fe06f2d97b04554d79f321cd62dd01a2c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Dec 21 22:25:25 2023 +1300
auth/credentials: Make cli_credentials_get_aes256_key into generic key access
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit 13d346ce0c43f9c9017d6707bd41fe8c57ddfde1
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Dec 21 14:06:26 2023 +1300
auth/credentials: Add hook to set credentials from msDS-ManagedPassword blob
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit 44063674734e2c3d11a3d6731387e6dca48f43c6
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Dec 21 09:01:36 2023 +1300
s4-libnet: Pass the full struct smb_krb5_context to sdb_kt_copy()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit dd993c217032ad6f6188947f4d4d96ec7da70823
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Dec 21 12:00:46 2023 +1300
auth/credentials: Dynamically calculate the salt principal (unless speccified)
This helps pull the salt principal calculation into a single spot.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit 9fc11e329c90351b9b14212ce849894acdd50b45
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Dec 20 22:55:07 2023 +1300
auth/credentials: Use salt on credentials object for Creds.get_aes256_key()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit 74f9d2e5190ce3b6533f4151939c0cba70e788ac
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Dec 21 22:04:17 2023 +1300
auth/credentials: Add bindings for getting and setting the salt principal
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit f34b910b5bc7bd4097848d75af247279ee4e9781
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Dec 20 11:53:06 2023 +1300
s4-libnet: Provide hint for "samba-tool domain exportkeytab" if used over LDAP without gMSA
Only gMSA accounts, and only for authoriszed users, can export be exported without
local sam.ldb access.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit d4155f8a99849ea60a75d68458eb8b051f80d649
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Dec 20 11:18:13 2023 +1300
Make "samba-tool domain exportkeytab" prune old keys
This slowly prepares this to be an update tool, not just a one-off export tool
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit 6b3ce044d2d426d3e90d63744ef81c5e96eeb67b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Dec 20 11:08:57 2023 +1300
s4-auth/kerberos: Rename create_keytab() to smb_krb5_fill_keytab()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit 2c33862b9e0ee210d15f3ae181584922c1fcb84b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Dec 20 10:58:01 2023 +1300
s4-auth/kerberos: Add define ENC_STRONG_SALTED_TYPES
This allows us to mask out RC4 and insist on the modern AES types
where that makes sense.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit a2ed51df7c0ed291ce34a748df3c5e594bc9b7ae
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Dec 20 10:40:07 2023 +1300
s4-auth/kerberos: Remove unused paremters to create_keytab()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit 9246ee480400d92a95d4b269971c8e0052730534
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Dec 19 17:04:35 2023 +1300
samba-tool domain exportkeytab: Add support for -H to point to a different sam.ldb
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit b6cffcb3fb0ad286501f4fa3a231c00495c2ecbe
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Dec 19 15:58:49 2023 +1300
libnet: Prepare to allow "samba-tool domain exportkeytab to support -H
We need to allow a samdb to be passed from the python to support
using a specific DB or remote server for gMSA passwords.
The gMSA passwords will not use this code, but we need to be
consistant.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
commit 7a8c091698e1681868392f6902db2181711028c4
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Dec 18 17:57:56 2023 +1300
python: Explain strange enable_net_export_keytab() behaviour is no longer due Heimdal
This code is now common between Heimdal and MIT Kerberos, but can still be missing
for builds of "samba-tool" that do not include the whole AD DC.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jo Sutton <josutton at catalyst.net.nz>
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/credentials.h | 22 +-
auth/credentials/credentials_gmsa.c | 130 ++++++++
auth/credentials/credentials_krb5.c | 159 ++++++---
auth/credentials/credentials_krb5.h | 7 +
auth/credentials/pycredentials.c | 109 +++++-
auth/credentials/wscript_build | 7 +-
lib/krb5_wrap/krb5_samba.c | 65 ++--
lib/krb5_wrap/krb5_samba.h | 15 +-
python/samba/__init__.py | 4 +-
python/samba/netcmd/domain/keytab.py | 24 +-
python/samba/netcmd/user/readpasswords/common.py | 3 +-
python/samba/tests/dckeytab.py | 405 ++++++++++++++++++++++-
selftest/knownfail.d/export-keytab | 1 +
selftest/knownfail.d/gmsa | 1 +
source3/libads/kerberos_keytab.c | 30 +-
source3/winbindd/winbindd_util.c | 2 +-
source4/auth/kerberos/kerberos.h | 2 +
source4/auth/kerberos/kerberos_util.c | 104 ++++++
source4/auth/kerberos/srv_keytab.c | 256 +++++++++++++-
source4/kdc/db-glue.c | 51 ++-
source4/kdc/mit_kdc_irpc.c | 2 +-
source4/kdc/mit_samba.c | 2 +-
source4/kdc/samba_kdc.h | 2 +
source4/libnet/libnet_export_keytab.c | 234 ++++++++++---
source4/libnet/libnet_export_keytab.h | 2 +
source4/libnet/py_net_dckeytab.c | 38 ++-
source4/libnet/wscript_build | 3 +-
testprogs/blackbox/test_kinit_export_keytab.sh | 1 +
28 files changed, 1435 insertions(+), 246 deletions(-)
create mode 100644 auth/credentials/credentials_gmsa.c
create mode 100644 selftest/knownfail.d/export-keytab
create mode 100644 selftest/knownfail.d/gmsa
Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 341c984f60c..9a9bd513201 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -262,7 +262,7 @@ void cli_credentials_set_impersonate_principal(struct cli_credentials *cred,
const char *principal,
const char *self_service);
void cli_credentials_set_target_service(struct cli_credentials *cred, const char *principal);
-const char *cli_credentials_get_salt_principal(struct cli_credentials *cred);
+char *cli_credentials_get_salt_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx);
const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cred);
const char *cli_credentials_get_self_service(struct cli_credentials *cred);
const char *cli_credentials_get_target_service(struct cli_credentials *cred);
@@ -348,12 +348,6 @@ NTSTATUS netlogon_creds_session_encrypt(
struct netlogon_creds_CredentialState *state,
DATA_BLOB data);
-int cli_credentials_get_aes256_key(struct cli_credentials *cred,
- TALLOC_CTX *mem_ctx,
- struct loadparm_context *lp_ctx,
- const char *salt,
- DATA_BLOB *aes_256);
-
/**
* Kerberos FAST handling
*/
@@ -366,4 +360,18 @@ struct cli_credentials *cli_credentials_get_krb5_fast_armor_credentials(struct c
bool cli_credentials_get_krb5_require_fast_armor(struct cli_credentials *creds);
+/**
+ * Group Managed Service Account helper
+ */
+
+/*
+ * All current callers set "for_keytab = true", but if we start using
+ * this for getting a TGT we need the logic to ignore a very new
+ * key
+ */
+NTSTATUS cli_credentials_set_gmsa_passwords(struct cli_credentials *creds,
+ const DATA_BLOB *managed_password_blob,
+ bool for_keytab,
+ const char **error_string);
+
#endif /* __CREDENTIALS_H__ */
diff --git a/auth/credentials/credentials_gmsa.c b/auth/credentials/credentials_gmsa.c
new file mode 100644
index 00000000000..f1c794ba093
--- /dev/null
+++ b/auth/credentials/credentials_gmsa.c
@@ -0,0 +1,130 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ User credentials handling for Group Managed Service Accounts
+
+ Copyright (C) Andrew Bartlett <abartlet at samba.org> 2023
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
+#include "librpc/gen_ndr/ndr_gmsa.h" /* for struct MANAGEDPASSWORD_BLOB */
+#include "auth/credentials/credentials.h"
+#include "auth/credentials/credentials_internal.h"
+#include "lib/util/charset/charset.h"
+#include "lib/crypto/gkdi.h"
+/*
+ * All current callers set "for_keytab = true", but if we start using
+ * this for getting a TGT we need the logic to ignore a very new
+ * key
+ */
+NTSTATUS cli_credentials_set_gmsa_passwords(struct cli_credentials *creds,
+ const DATA_BLOB *managed_password_blob,
+ bool for_keytab,
+ const char **error_string)
+{
+ struct MANAGEDPASSWORD_BLOB managed_password;
+ DATA_BLOB managed_pw_utf16;
+ DATA_BLOB previous_managed_pw_utf16;
+ enum ndr_err_code ndr_err;
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ /*
+ * We check if this is 'for keytab' as a keytab wants to know
+ * about a near-future password as it will be on disk for some
+ * time
+ */
+ bool only_use_previous_pw =
+ managed_password.passwords.query_interval != NULL
+ && *managed_password.passwords.query_interval <= gkdi_max_clock_skew
+ && for_keytab == false;
+
+ /*
+ * Group Managed Service Accounts are type
+ * UF_WORKSTATION_TRUST_ACCOUNT and will follow those salting
+ * rules
+ */
+ cli_credentials_set_secure_channel_type(creds, SEC_CHAN_WKSTA);
+
+ ndr_err = ndr_pull_struct_blob_all(managed_password_blob,
+ frame,
+ &managed_password,
+ (ndr_pull_flags_fn_t)ndr_pull_MANAGEDPASSWORD_BLOB);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ *error_string = talloc_asprintf(creds,
+ "Failed to parse msDS-ManagedPassword "
+ "as MANAGEDPASSWORD_BLOB");
+ TALLOC_FREE(frame);
+ return NT_STATUS_ILL_FORMED_PASSWORD;
+ }
+
+ /*
+ * We look at the old password first as we might bail out
+ * early if the new password is "too fresh"
+ */
+ if (managed_password.passwords.previous) {
+ previous_managed_pw_utf16
+ = data_blob_const(managed_password.passwords.previous,
+ utf16_len(managed_password.passwords.previous));
+
+ cli_credentials_set_old_utf16_password(creds, &previous_managed_pw_utf16);
+
+ if (only_use_previous_pw) {
+ /* We are in the 5 mins where we know the next
+ * password, but it will not be available yet, just
+ * use the old password for now.
+ */
+ cli_credentials_set_utf16_password(creds, &previous_managed_pw_utf16,
+ CRED_SPECIFIED);
+
+ /*
+ * We are done, the new password is of no
+ * interest to us
+ */
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+ }
+
+ }
+
+ if (only_use_previous_pw) {
+ *error_string = talloc_asprintf(creds,
+ "No old password but new password is too new "
+ "(< 5min) in msDS-ManagedPassword "
+ "MANAGEDPASSWORD_BLOB");
+ TALLOC_FREE(frame);
+ return NT_STATUS_ILL_FORMED_PASSWORD;
+ }
+
+ if (managed_password.passwords.current == NULL) {
+ *error_string = talloc_asprintf(creds,
+ "Failed to find new password in msDS-ManagedPassword "
+ "MANAGEDPASSWORD_BLOB");
+ TALLOC_FREE(frame);
+ return NT_STATUS_ILL_FORMED_PASSWORD;
+ }
+
+ managed_pw_utf16
+ = data_blob_const(managed_password.passwords.current,
+ utf16_len(managed_password.passwords.current));
+
+ cli_credentials_set_utf16_password(creds, &managed_pw_utf16,
+ CRED_SPECIFIED);
+
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+}
+
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 4463401a767..c388f6c82df 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -1174,10 +1174,8 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
krb5_keytab keytab;
TALLOC_CTX *mem_ctx;
const char *username = cli_credentials_get_username(cred);
- const char *upn = NULL;
const char *realm = cli_credentials_get_realm(cred);
char *salt_principal = NULL;
- uint32_t uac_flags = 0;
if (cred->keytab_obtained >= (MAX(cred->principal_obtained,
cred->username_obtained))) {
@@ -1200,37 +1198,10 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
return ENOMEM;
}
- switch (cred->secure_channel_type) {
- case SEC_CHAN_WKSTA:
- case SEC_CHAN_RODC:
- uac_flags = UF_WORKSTATION_TRUST_ACCOUNT;
- break;
- case SEC_CHAN_BDC:
- uac_flags = UF_SERVER_TRUST_ACCOUNT;
- break;
- case SEC_CHAN_DOMAIN:
- case SEC_CHAN_DNS_DOMAIN:
- uac_flags = UF_INTERDOMAIN_TRUST_ACCOUNT;
- break;
- default:
- upn = cli_credentials_get_principal(cred, mem_ctx);
- if (upn == NULL) {
- TALLOC_FREE(mem_ctx);
- return ENOMEM;
- }
- uac_flags = UF_NORMAL_ACCOUNT;
- break;
- }
-
- ret = smb_krb5_salt_principal_str(realm,
- username, /* sAMAccountName */
- upn, /* userPrincipalName */
- uac_flags,
- mem_ctx,
- &salt_principal);
- if (ret) {
+ salt_principal = cli_credentials_get_salt_principal(cred, mem_ctx);
+ if (salt_principal == NULL) {
talloc_free(mem_ctx);
- return ret;
+ return ENOMEM;
}
ret = smb_krb5_create_memory_keytab(mem_ctx,
@@ -1412,9 +1383,61 @@ _PUBLIC_ int cli_credentials_get_kvno(struct cli_credentials *cred)
}
-const char *cli_credentials_get_salt_principal(struct cli_credentials *cred)
+char *cli_credentials_get_salt_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx)
{
- return cred->salt_principal;
+ TALLOC_CTX *frame = NULL;
+ const char *realm = NULL;
+ const char *username = NULL;
+ uint32_t uac_flags = 0;
+ char *salt_principal = NULL;
+ const char *upn = NULL;
+ int ret;
+
+ /* If specified, use the specified value */
+ if (cred->salt_principal != NULL) {
+ return talloc_strdup(mem_ctx, cred->salt_principal);
+ }
+
+ frame = talloc_stackframe();
+
+ switch (cred->secure_channel_type) {
+ case SEC_CHAN_WKSTA:
+ case SEC_CHAN_RODC:
+ uac_flags = UF_WORKSTATION_TRUST_ACCOUNT;
+ break;
+ case SEC_CHAN_BDC:
+ uac_flags = UF_SERVER_TRUST_ACCOUNT;
+ break;
+ case SEC_CHAN_DOMAIN:
+ case SEC_CHAN_DNS_DOMAIN:
+ uac_flags = UF_INTERDOMAIN_TRUST_ACCOUNT;
+ break;
+ default:
+ upn = cli_credentials_get_principal(cred, frame);
+ if (upn == NULL) {
+ TALLOC_FREE(frame);
+ return NULL;
+ }
+ uac_flags = UF_NORMAL_ACCOUNT;
+ break;
+ }
+
+ realm = cli_credentials_get_realm(cred);
+ username = cli_credentials_get_username(cred);
+
+ ret = smb_krb5_salt_principal_str(realm,
+ username, /* sAMAccountName */
+ upn, /* userPrincipalName */
+ uac_flags,
+ mem_ctx,
+ &salt_principal);
+ if (ret) {
+ TALLOC_FREE(frame);
+ return NULL;
+ }
+
+ TALLOC_FREE(frame);
+ return salt_principal;
}
_PUBLIC_ void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal)
@@ -1481,29 +1504,69 @@ _PUBLIC_ void cli_credentials_set_target_service(struct cli_credentials *cred, c
cred->target_service = talloc_strdup(cred, target_service);
}
-_PUBLIC_ int cli_credentials_get_aes256_key(struct cli_credentials *cred,
- TALLOC_CTX *mem_ctx,
- struct loadparm_context *lp_ctx,
- const char *salt,
- DATA_BLOB *aes_256)
+_PUBLIC_ int cli_credentials_get_kerberos_key(struct cli_credentials *cred,
+ TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx,
+ krb5_enctype enctype,
+ bool previous,
+ DATA_BLOB *key_blob)
{
struct smb_krb5_context *smb_krb5_context = NULL;
krb5_error_code krb5_ret;
int ret;
const char *password = NULL;
+ const char *salt = NULL;
krb5_data cleartext_data;
krb5_data salt_data = {
.length = 0,
};
krb5_keyblock key;
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ if ((int)enctype == (int)ENCTYPE_ARCFOUR_HMAC) {
+ struct samr_Password *nt_hash;
+
+ if (previous) {
+ nt_hash = cli_credentials_get_old_nt_hash(cred, frame);
+ } else {
+ nt_hash = cli_credentials_get_nt_hash(cred, frame);
+ }
+
+ if (nt_hash == NULL) {
+ TALLOC_FREE(frame);
+ return EINVAL;
+ }
+ *key_blob = data_blob_talloc(mem_ctx,
+ nt_hash->hash,
+ sizeof(nt_hash->hash));
+ if (key_blob->data == NULL) {
+ TALLOC_FREE(frame);
+ return ENOMEM;
+ }
+ TALLOC_FREE(frame);
+ return 0;
+ }
+
if (cred->password_will_be_nt_hash) {
- DEBUG(1,("cli_credentials_get_aes256_key: cannot generate AES256 key using NT hash\n"));
+ DEBUG(1,("cli_credentials_get_kerberos_key: cannot generate Kerberos key using NT hash\n"));
+ TALLOC_FREE(frame);
return EINVAL;
}
- password = cli_credentials_get_password(cred);
+ salt = cli_credentials_get_salt_principal(cred, frame);
+ if (salt == NULL) {
+ TALLOC_FREE(frame);
+ return EINVAL;
+ }
+
+ if (previous) {
+ password = cli_credentials_get_old_password(cred);
+ } else {
+ password = cli_credentials_get_password(cred);
+ }
if (password == NULL) {
+ TALLOC_FREE(frame);
return EINVAL;
}
@@ -1513,6 +1576,7 @@ _PUBLIC_ int cli_credentials_get_aes256_key(struct cli_credentials *cred,
ret = cli_credentials_get_krb5_context(cred, lp_ctx,
&smb_krb5_context);
if (ret != 0) {
+ TALLOC_FREE(frame);
return ret;
}
@@ -1520,31 +1584,34 @@ _PUBLIC_ int cli_credentials_get_aes256_key(struct cli_credentials *cred,
salt_data.length = strlen(salt);
/*
- * create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of
+ * create Kerberos key out of
* the salt and the cleartext password
*/
krb5_ret = smb_krb5_create_key_from_string(smb_krb5_context->krb5_context,
NULL,
&salt_data,
&cleartext_data,
- ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ enctype,
&key);
if (krb5_ret != 0) {
DEBUG(1,("cli_credentials_get_aes256_key: "
"generation of a aes256-cts-hmac-sha1-96 key failed: %s\n",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
krb5_ret, mem_ctx)));
+ TALLOC_FREE(frame);
return EINVAL;
}
- *aes_256 = data_blob_talloc(mem_ctx,
+ *key_blob = data_blob_talloc(mem_ctx,
KRB5_KEY_DATA(&key),
KRB5_KEY_LENGTH(&key));
krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &key);
- if (aes_256->data == NULL) {
+ if (key_blob->data == NULL) {
+ TALLOC_FREE(frame);
return ENOMEM;
}
- talloc_keep_secret(aes_256->data);
+ talloc_keep_secret(key_blob->data);
+ TALLOC_FREE(frame);
return 0;
}
diff --git a/auth/credentials/credentials_krb5.h b/auth/credentials/credentials_krb5.h
index ae601047606..e454de36240 100644
--- a/auth/credentials/credentials_krb5.h
+++ b/auth/credentials/credentials_krb5.h
@@ -41,5 +41,12 @@ int cli_credentials_set_client_gss_creds(struct cli_credentials *cred,
struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ctx,
struct cli_credentials *src);
+int cli_credentials_get_kerberos_key(struct cli_credentials *cred,
+ TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx,
+ krb5_enctype enctype,
+ bool previous,
+ DATA_BLOB *key_blob);
+
#endif /* __CREDENTIALS_KRB5_H__ */
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index a27e02d1aa5..a16be546901 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -23,6 +23,7 @@
#include "pycredentials.h"
#include "param/param.h"
#include "auth/credentials/credentials_internal.h"
+#include "auth/credentials/credentials_krb5.h"
#include "librpc/gen_ndr/samr.h" /* for struct samr_Password */
#include "librpc/gen_ndr/netlogon.h"
#include "libcli/util/pyerrors.h"
@@ -973,14 +974,55 @@ static PyObject *py_creds_get_secure_channel_type(PyObject *self, PyObject *args
return PyLong_FromLong(channel_type);
}
-static PyObject *py_creds_get_aes256_key(PyObject *self, PyObject *args)
+static PyObject *py_creds_set_kerberos_salt_principal(PyObject *self, PyObject *args)
+{
+ char *salt_principal = NULL;
+ struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
+ if (creds == NULL) {
+ PyErr_Format(PyExc_TypeError, "Credentials expected");
+ return NULL;
+ }
+
+ if (!PyArg_ParseTuple(args, "s", &salt_principal))
+ return NULL;
+
+ cli_credentials_set_salt_principal(
+ creds,
+ salt_principal);
+
+ Py_RETURN_NONE;
+}
+
+static PyObject *py_creds_get_kerberos_salt_principal(PyObject *self, PyObject *unused)
+{
+ TALLOC_CTX *mem_ctx;
+ PyObject *ret = NULL;
+ struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
+ if (creds == NULL) {
+ PyErr_Format(PyExc_TypeError, "Credentials expected");
+ return NULL;
+ }
+ mem_ctx = talloc_new(NULL);
+ if (mem_ctx == NULL) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+
+ ret = PyString_FromStringOrNULL(cli_credentials_get_salt_principal(creds, mem_ctx));
+
+ TALLOC_FREE(mem_ctx);
+
+ return ret;
+}
--
Samba Shared Repository
More information about the samba-cvs
mailing list