[PATCH] allow passdb backend to change trusted domain object password with clear text

Andrew Bartlett abartlet at samba.org
Fri Apr 7 19:46:23 UTC 2017


On Fri, 2017-04-07 at 12:12 -0700, Jeremy Allison via samba-technical
wrote:
> On Thu, Apr 06, 2017 at 06:46:06PM +0300, Alexander Bokovoy via
> samba-technical wrote:
> > Hi,
> > 
> > The attached patch switches _netr_ServerPasswordSet2 to use SetUserInfo2
> > info level 26. This allows us to pass the clear text password change
> > through to the passdb backend. This is critical for AD-like configurations
> > (FreeIPA) where it is not enough to change NT or LM hashes for the TDO,
> > as one needs to generate Kerberos keys as well.
> > 
> > I'm working on a corresponding change in the FreeIPA ipasam module as
> > well. It currently does not provide a pdb_update_sam_account() callback,
> > so the end result is still NT_STATUS_NOT_IMPLEMENTED, as can be witnessed
> > with 'nltest /sc_change_pwd:ipa.domain', but we are getting closer.
> > +							const char
> > *account_name,
> > +							DATA_BLOB
> > *plain_text)
> > +{
> > +	NTSTATUS status;
> > +	NTSTATUS result = NT_STATUS_OK;
> > +	struct dcerpc_binding_handle *h = NULL;
> > +	struct tsocket_address *local;
> > +	struct policy_handle user_handle;
> > +	uint32_t acct_ctrl;
> > +	union samr_UserInfo *info;
> > +	struct samr_UserInfo26 info26;
> > +	int rc;
> > +	DATA_BLOB session_key;
> > +
> > +	ZERO_STRUCT(user_handle);
> > +
> > +	status = session_extract_session_key(session_info,
> > +					     &session_key,
> > +					     KEY_USE_16BYTES);
> > +	if (!NT_STATUS_IS_OK(status)) {
> > +		goto out;
> > +	}
> > +
> > +	rc = tsocket_address_inet_from_strings(mem_ctx,
> > +					       "ip",
> > +					       "127.0.0.1",
> > +					       0,
> > +					       &local);
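Review bot: the return value `rc` of tsocket_address_inet_from_strings() is stored but, within the visible lines, never checked, and `local` is only assigned by that call, so on failure an uninitialised pointer would be handed to whatever connection setup follows. Suggest checking it immediately, in the same early-exit style already used for the session key, e.g. `if (rc < 0) { status = map_nt_error_from_unix(errno); goto out; }`. Since `status` and `result` are declared separately (with `result` pre-set to NT_STATUS_OK), also make sure the `out:` path returns the failing `status` rather than `result` for the session-key and address-setup errors. Requesting the session key with KEY_USE_16BYTES is consistent with the 16-byte key that the level 26 (samr_UserInfo26) password blob is encrypted with.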
> 
> Alexander - is the above going to work on an IPv6-only box?
> 
> Can you test that please.

Those strings are just used for logging; the connection is over the
named pipes.

While well beyond what Alexander wants to take on for this (which is
following a pattern already well used) I would really like it if
netr_set_machine_account_password and this new function actually passed
over the client IP.  That way the authorization logs don't include this
fake localhost address.  If we are going to have the samr server as the
choke point in source3, it would be nicer to the future developer
adding more audit logging if we didn't mislead it.

The address is on:

struct pipes_struct {
	struct pipes_struct *next, *prev;

	const struct tsocket_address *local_address;
	const struct tsocket_address *remote_address;

Or, alternately (for things like the get_md4() call), we don't use
named pipes, but ncalrpc as the system user so we clearly know this is
an internal connection.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
