[PATCH] allow passdb backend to change trusted domain object password with clear text

Andrew Bartlett abartlet at samba.org
Mon Apr 10 19:26:30 UTC 2017 

On Mon, 2017-04-10 at 16:51 +0300, Alexander Bokovoy wrote:
> On ma, 10 huhti 2017, Andrew Bartlett wrote:
> > On Mon, 2017-04-10 at 10:22 +0300, Alexander Bokovoy wrote:
> > > On pe, 07 huhti 2017, Jeremy Allison wrote:
> > > > On Fri, Apr 07, 2017 at 11:08:44PM +0300, Alexander Bokovoy
> > > > wrote:
> > > > 
> > > > > I'll see what I can do there but this code is a copy/paste
> > > > > from
> > > > > another
> > > > > helper we have for NT/LM hash pass-through. Guenther already
> > > > > asked me to
> > > > > consider how I can going these two functions in a common
> > > > > piece
> > > > > that
> > > > > could be called for both cases, so I'll do refactoring for
> > > > > this
> > > > > too.
> > > > 
> > > > Thanks. That other code might be wrong too :-).
> > > 
> > > Attached is the patch that unifies NT hash/plain text pass-
> > > through.
> > > This is a more concise change that doesn't duplicate existing
> > > code.
> > 
> > How certain are we that our plaintext password is null terminated?
> > 
> > +	cr.creds.password = (const char*) plaintext.data;
> 
> Good question. A plain text password is a data blob represented as up
> to
> 256 WCHARs. It is UTF-16 coded on wire and we have its length from
> the
> buffer.  SetUserInfo2 SAMR call chain in decode_pw_buffer() does
> explicitly
> expect 512+4 bytes in the buffer. It then calls
> convert_string_talloc() to
> convert it to UNIX charset passing the correct value of the plaintext
> password length. However, convert_string_talloc() expects the length
> of
> input string *including* the terminating null and we pass just the
> string length.
> 
> convert_string_talloc() then explicitly null-terminates the resulting
> string by adding two nulls. In most cases UNIX charset is UTF-8, so
> we
> get null-terminated UTF-8 string down to PASSDB layer.
> 
> However, MS-SAMR does not limit what does the password should
> contain.
> It says it is 'userPassword' value. Either 'userPassword' or
> 'unicodePwd' cannot contain null characters according to MS-ADTS
> 3.1.1.3.1.5 because they must be proper UTF-8 and UTF-16 strings
> accordingly. 
> 
> So I think we are good here,

Please copy this into a comment, so we remember and an auditor can be
re-assured. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list