[Patches] Fixes for machine password problems [bug #12262]
Stefan Metzmacher
metze at samba.org
Tue Feb 21 14:43:36 UTC 2017
Am 20.02.2017 um 20:08 schrieb Stefan Metzmacher:
> Hi,
>
> here's some patches to fix problem with the random passwords
> winbindd sets every week (by default).
> https://bugzilla.samba.org/show_bug.cgi?id=12262
>
> In Samba 4.2 we only used ascii passwords, but with 4.3
> we're using random unicode passwords. This causes
> a lot of trouble if someone uses "unix charset != utf8".
> But also with unix charset = utf8 it can sometimes happen
> that kerberos authentication start to fail if
> the password uses code points > 0xffff.
>
> Please review and push:-)
>
> Thanks!
> metze
>
> PS: As future improvement we could calculate the
> ENCTYPE_ARCFOUR_HMAC in smb_krb5_create_key_from_string()
> ourself using E_md4hash().
Here's the patch :-)
Please review and push :-)
Thanks!
metze
-------------- next part --------------
From 82004e77bba3785f3ce37820626f3e9c7677a785 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 21 Feb 2017 12:15:07 +0100
Subject: [PATCH] krb5_wrap: use our own code to calculate the
ENCTYPE_ARCFOUR_HMAC key
Our own convert_string_talloc() function handles a wider range
of unicode code points than the MIT krb5 or heimdal code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12262
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
lib/krb5_wrap/krb5_samba.c | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index bb0b5df..0c98147 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -23,6 +23,7 @@
#include "includes.h"
#include "system/filesys.h"
#include "krb5_samba.h"
+#include "lib/crypto/crypto.h"
#ifdef HAVE_COM_ERR_H
#include <com_err.h>
@@ -300,6 +301,42 @@ int smb_krb5_create_key_from_string(krb5_context context,
return -1;
}
+ if ((int)enctype == (int)ENCTYPE_ARCFOUR_HMAC) {
+ TALLOC_CTX *frame = talloc_stackframe();
+ uint8_t *utf16 = NULL;
+ size_t utf16_size = 0;
+ uint8_t nt_hash[16];
+ bool ok;
+
+ ok = convert_string_talloc(frame, CH_UNIX, CH_UTF16LE,
+ password->data, password->length,
+ (void **)&utf16, &utf16_size);
+ if (!ok) {
+ if (errno == 0) {
+ errno = EINVAL;
+ }
+ ret = errno;
+ TALLOC_FREE(frame);
+ return ret;
+ }
+
+ mdfour(nt_hash, utf16, utf16_size);
+ memset(utf16, 0, utf16_size);
+ ret = smb_krb5_keyblock_init_contents(context,
+ ENCTYPE_ARCFOUR_HMAC,
+ nt_hash,
+ sizeof(nt_hash),
+ key);
+ ZERO_STRUCT(nt_hash);
+ if (ret != 0) {
+ TALLOC_FREE(frame);
+ return ret;
+ }
+
+ TALLOC_FREE(frame);
+ return 0;
+ }
+
#if defined(HAVE_KRB5_PRINCIPAL2SALT) && defined(HAVE_KRB5_C_STRING_TO_KEY)
{/* MIT */
krb5_data _salt;
--
1.9.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170221/0bfd32c1/signature.sig>
More information about the samba-technical
mailing list