[PATCH] allow passdb backend to change trusted domain object password with clear text
Alexander Bokovoy
ab at samba.org
Fri Apr 7 20:08:44 UTC 2017
On Fri, 07 Apr 2017, Jeremy Allison wrote:
> On Sat, Apr 08, 2017 at 07:46:23AM +1200, Andrew Bartlett wrote:
> > On Fri, 2017-04-07 at 12:12 -0700, Jeremy Allison via samba-technical
> > wrote:
> > > On Thu, Apr 06, 2017 at 06:46:06PM +0300, Alexander Bokovoy via
> > > samba-technical wrote:
> > > > Hi,
> > > >
> > > > attached patch switches _netr_ServerPasswordSet2 to use
> > > > SetUserInfo2
> > > > info level 26. This allows us to pass through clear text password
> > > > change
> > > > down to passdb backend. This is critical for AD-like configurations
> > > > (FreeIPA) where it is not enough to change NT or LM hashes for TDO,
> > > > as
> > > > one needs to generate Kerberos keys as well.
> > > >
> > > > I'm working on a corresponding change in FreeIPA ipasam module as
> > > > well.
> > > > It currently does not provide pdb_update_sam_account() callback so
> > > > end
> > > > result is still NT_STATUS_NOT_IMPLEMENTED as can be witnessed with
> > > > 'nltest /sc_change_pwd:ipa.domain' but we are getting closer.
> > > > + const char
> > > > *account_name,
> > > > + DATA_BLOB
> > > > *plain_text)
> > > > +{
> > > > + NTSTATUS status;
> > > > + NTSTATUS result = NT_STATUS_OK;
> > > > + struct dcerpc_binding_handle *h = NULL;
> > > > + struct tsocket_address *local;
> > > > + struct policy_handle user_handle;
> > > > + uint32_t acct_ctrl;
> > > > + union samr_UserInfo *info;
> > > > + struct samr_UserInfo26 info26;
> > > > + int rc;
> > > > + DATA_BLOB session_key;
> > > > +
> > > > + ZERO_STRUCT(user_handle);
> > > > +
> > > > + status = session_extract_session_key(session_info,
> > > > + &session_key,
> > > > + KEY_USE_16BYTES);
> > > > + if (!NT_STATUS_IS_OK(status)) {
> > > > + goto out;
> > > > + }
> > > > +
> > > > + rc = tsocket_address_inet_from_strings(mem_ctx,
> > > > + "ip",
> > > > + "127.0.0.1",
> > > > + 0,
> > > > + &local);
> > >
> > > Alexander - is the above going to work on an IPv6-only
> > > box ?
> > >
> > > Can you test that please.
> >
> > Those strings are just used for logging
>
> Nope. The code looks like:
>
> + rc = tsocket_address_inet_from_strings(mem_ctx,
> + "ip",
> + "127.0.0.1",
> + 0,
> + &local);
> + if (rc < 0) {
> + status = NT_STATUS_NO_MEMORY;
> + goto out;
> + }
>
> Third argument is "addr" which gets passed internally
> to getaddrinfo(). So it's calling getaddrinfo("127.0.0.1",...).
>
> What does that do an an IPv6-only box ? The right thing ?
> Maybe. But if it returns any error then we exit here, despite IPv6-localhost
> existing ::1 and being valid.
>
> Maybe. But we shouldn't be encoding IPv4-specific addresses
> anymore on a machine that potentially doesn't use them.
>
> That's what I was complaining about :-). I spent a long time
> making us IPv6 clean and I don't want to see regressions.
I'll see what I can do there but this code is a copy/paste from another
helper we have for NT/LM hash pass-through. Guenther already asked me to
consider how I can going these two functions in a common piece that
could be called for both cases, so I'll do refactoring for this too.
--
/ Alexander Bokovoy
More information about the samba-technical
mailing list