[PATCH] Register bypass control in password hashes ldb module

Samuel Cabrero scabrero at zentyal.com
Tue Jul 24 16:34:24 MDT 2012


On 21/07/12 00:59, Andrew Bartlett wrote:
> On Fri, 2012-07-20 at 07:28 -0700, Matthieu Patou wrote:
>> On 07/20/2012 03:13 AM, Samuel Cabrero wrote:
>>> Hi,
>>>
>>> let me introduce myself. My name is Samuel and I am a Zentyal developer,
>>> where we have been working to integrate samba4 in our Zentyal Server
>>> product.
>>>
>>> I submit a patch for your review and hope to have it included in master.
>>> The patch registers the DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID control in
>>> the password hashes LDB module to allow writing the kerberos keys in the
>>> samba4 LDAP.
>>>
>>> This patch is needed when you have your users stored in an external
>>> database and want to import them to samba after the provision. In our
>>> particular case the users are stored in openldap with the heimdal keys,
>>> so after provision we extract the hashes from the krb5Key attributes,
>>> generate the supplementalCredentials blob and the unicodePwd attribute
>>> and write them to the samba user entry registering this control to
>>> execute the LDAP modify request.
>> I'm not too pleased with this kind of control, potentially bad guys 
>> could use it for doing wrong things.
>> I understand your need but we can't make this control available over LDAP.
> 
> Correct.  The lack of registration is also a security barrier, as
> otherwise an unprivileged user could bypass the restrictions on password
> modification.  We may need to make this clearer somewhere. 
> 
>> Also, did you have a look at the samba3upgrade of samba-tool domain? I
>> suspect it's doing things similar to what you want to achieve.
> 
> Indeed, a far better approach is to extend the patches that Gémes Géza
> is creating to have the 'samba-tool domain classicupgrade' read the LDAP
> directory.  Then you can apply the same code you have to generate the
> supplementalCredentials blob (unicodePwd is already handled). 
> 
> BTW, what language is your supplementalCredentials blob creation written
> in?  In the long term it may assist with another interesting approach I
> looked into (but have not implemented), which was to allow Heimdal kadmin
> to create new user entries or update keys.  One of the larger challenges
> that stopped me working on that was the tedium of parsing the key
> structure into a valid supplementalCredentials blob.
> 
> Thanks,
> 
> Andrew Bartlett
> 

Thanks for the suggestion, I'll look into it.

The implementation to generate the supplementalCredentials is written in
Perl; you can have a look here:
http://git.zentyal.org/zentyal.git/blob/HEAD:/main/samba/src/EBox/LDB/Credentials.pm

We have also written an LDB module that forwards all operations to a
Unix socket encoded as JSON; it may be interesting for someone. We use
it to keep our OpenLDAP and the Samba LDAP in sync. The code is here:
http://git.zentyal.org/zentyal.git/blob/HEAD:/extra/samba-zentyal-modules/zentyal.c

Cheers.

-- 
Samuel Cabrero - Developer
scabrero at zentyal.com

The Linux small business server
www.zentyal.com

