The Samba-Bugzilla – Attachment 13166 Details for
Bug 12751
Allow passing trusted domain password as plain-text to PASSDB layer
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for 4.6 branch
samba-v4.6-s3-pass-cleartext-password-to-passdb-on-tdo-change.patch (text/plain), 8.93 KB, created by
Alexander Bokovoy
on 2017-04-21 07:45:02 UTC
(
hide
)
Description:
patch for 4.6 branch
Filename:
MIME Type:
Creator:
Alexander Bokovoy
Created:
2017-04-21 07:45:02 UTC
Size:
8.93 KB
patch
obsolete
>From 05a8c67179923f5b8e05e5eda72ddf9298547223 Mon Sep 17 00:00:00 2001 >From: Alexander Bokovoy <ab@samba.org> >Date: Fri, 31 Mar 2017 12:44:58 +0300 >Subject: [PATCH 1/2] _netr_ServerPasswordSet2: use info level 26 to set plain > text machine password > >To support password change for machine or trusted domain accounts in Active >Directory environment we need to pass down actual plain text password >instead of NT hashes. This would allow a backend like ipasam to update >Kerberos keys as well as NT hashes. > >By calling samr_SetUserInfo2 info level 26 we ensure PASSDB layer can >actually get the plain text password. If PASSDB backend implements >pdb_update_sam_account() callback, it then gets the plain text password >from samr_SetUserInfo2. > >A plain text password is a data blob represented as up to 256 WCHARs. It >is UTF-16 coded on wire and we have its length from the buffer. >SetUserInfo2 SAMR call chain in decode_pw_buffer() does explicitly >expect 512+4 bytes in the buffer. It then calls convert_string_talloc() >to convert it to UNIX charset passing the correct value of the plaintext >password length. However, convert_string_talloc() expects the length of >input string *including* the terminating null and we pass just the >string length. > >convert_string_talloc() then explicitly null-terminates the resulting >string by adding two nulls. In most cases UNIX charset is UTF-8, so we >get null-terminated UTF-8 string down to PASSDB layer. > >MS-SAMR does not limit what does the password should contain. It says >it is 'userPassword' value. Either 'userPassword' or 'unicodePwd' cannot >contain null characters according to MS-ADTS 3.1.1.3.1.5 because they >must be proper UTF-8 and UTF-16 strings accordingly. > >We are talking to our own SAMR service here. > >Signed-off-by: Alexander Bokovoy <ab@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit ff4fb6935a32e33ef01c97d4ee103bc11ac31da0) > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12751 >--- > source3/rpc_server/netlogon/srv_netlog_nt.c | 79 +++++++++++++++++++++++------ > 1 file changed, 64 insertions(+), 15 deletions(-) > >diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c >index ef2c827..aef4c94 100644 >--- a/source3/rpc_server/netlogon/srv_netlog_nt.c >+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c >@@ -33,6 +33,7 @@ > #include "../librpc/gen_ndr/ndr_lsa_c.h" > #include "rpc_client/cli_lsarpc.h" > #include "rpc_client/init_lsa.h" >+#include "rpc_client/init_samr.h" > #include "rpc_server/rpc_ncacn_np.h" > #include "../libcli/security/security.h" > #include "../libcli/security/dom_sid.h" >@@ -1138,14 +1139,27 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, > return status; > } > >+ > /************************************************************************* > *************************************************************************/ > >+struct _samr_Credentials_t { >+ enum { >+ CRED_TYPE_NT_HASH, >+ CRED_TYPE_PLAIN_TEXT, >+ } cred_type; >+ union { >+ struct samr_Password *nt_hash; >+ const char *password; >+ } creds; >+}; >+ >+ > static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx, > struct auth_session_info *session_info, > struct messaging_context *msg_ctx, > const char *account_name, >- struct samr_Password *nt_hash) >+ struct _samr_Credentials_t *cr) > { > NTSTATUS status; > NTSTATUS result = NT_STATUS_OK; >@@ -1155,9 +1169,11 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx, > uint32_t acct_ctrl; > union samr_UserInfo *info; > struct samr_UserInfo18 info18; >+ struct samr_UserInfo26 info26; > DATA_BLOB in,out; > int rc; > DATA_BLOB session_key; >+ enum samr_UserInfoLevel infolevel; > > ZERO_STRUCT(user_handle); > >@@ -1229,22 +1245,44 @@ static NTSTATUS netr_set_machine_account_password(TALLOC_CTX *mem_ctx, > goto out; > } > >- ZERO_STRUCT(info18); >+ switch(cr->cred_type) { >+ case CRED_TYPE_NT_HASH: >+ ZERO_STRUCT(info18); >+ >+ infolevel = UserInternal1Information; >+ >+ in = data_blob_const(cr->creds.nt_hash, 16); >+ out = data_blob_talloc_zero(mem_ctx, 16); >+ sess_crypt_blob(&out, &in, &session_key, true); >+ memcpy(info18.nt_pwd.hash, out.data, out.length); >+ >+ info18.nt_pwd_active = true; >+ >+ info->info18 = info18; >+ break; >+ case CRED_TYPE_PLAIN_TEXT: >+ ZERO_STRUCT(info26); > >- in = data_blob_const(nt_hash->hash, 16); >- out = data_blob_talloc_zero(mem_ctx, 16); >- sess_crypt_blob(&out, &in, &session_key, true); >- memcpy(info18.nt_pwd.hash, out.data, out.length); >+ infolevel = UserInternal5InformationNew; > >- info18.nt_pwd_active = true; >+ init_samr_CryptPasswordEx(cr->creds.password, >+ &session_key, >+ &info26.password); > >- info->info18 = info18; >+ info26.password_expired = PASS_DONT_CHANGE_AT_NEXT_LOGON; >+ info->info26 = info26; >+ break; >+ default: >+ status = NT_STATUS_INTERNAL_ERROR; >+ goto out; >+ break; >+ } > > become_root(); > status = dcerpc_samr_SetUserInfo2(h, > mem_ctx, > &user_handle, >- UserInternal1Information, >+ infolevel, > info, > &result); > unbecome_root(); >@@ -1274,6 +1312,7 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p, > NTSTATUS status = NT_STATUS_OK; > int i; > struct netlogon_creds_CredentialState *creds = NULL; >+ struct _samr_Credentials_t cr = { CRED_TYPE_NT_HASH, {0}}; > > DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__)); > >@@ -1308,11 +1347,12 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p, > DEBUG(100,("%02X ", r->in.new_password->hash[i])); > DEBUG(100,("\n")); > >+ cr.creds.nt_hash = r->in.new_password; > status = netr_set_machine_account_password(p->mem_ctx, > p->session_info, > p->msg_ctx, > creds->account_name, >- r->in.new_password); >+ &cr); > return status; > } > >@@ -1327,7 +1367,7 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p, > struct netlogon_creds_CredentialState *creds = NULL; > DATA_BLOB plaintext; > struct samr_CryptPassword password_buf; >- struct samr_Password nt_hash; >+ struct _samr_Credentials_t cr = { CRED_TYPE_PLAIN_TEXT, {0}}; > > become_root(); > status = netr_creds_server_step_check(p, p->mem_ctx, >@@ -1350,6 +1390,10 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p, > return status; > } > >+ DEBUG(3,("_netr_ServerPasswordSet2: Server Password Seti2 by remote " >+ "machine:[%s] on account [%s]\n", >+ r->in.computer_name, creds->computer_name)); >+ > memcpy(password_buf.data, r->in.new_password->data, 512); > SIVAL(password_buf.data, 512, r->in.new_password->length); > >@@ -1359,18 +1403,23 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p, > netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); > } > >- if (!extract_pw_from_buffer(p->mem_ctx, password_buf.data, &plaintext)) { >+ if (!decode_pw_buffer(p->mem_ctx, >+ password_buf.data, >+ (char**) &plaintext.data, >+ &plaintext.length, >+ CH_UTF16)) { >+ DEBUG(2,("_netr_ServerPasswordSet2: unable to extract password " >+ "from a buffer. Rejecting auth request as a wrong password\n")); > TALLOC_FREE(creds); > return NT_STATUS_WRONG_PASSWORD; > } > >- mdfour(nt_hash.hash, plaintext.data, plaintext.length); >- >+ cr.creds.password = (const char*) plaintext.data; > status = netr_set_machine_account_password(p->mem_ctx, > p->session_info, > p->msg_ctx, > creds->account_name, >- &nt_hash); >+ &cr); > TALLOC_FREE(creds); > return status; > } >-- >2.9.3 > > >From b43d69077bb798222ebcefb28582fb75ce42d9f4 Mon Sep 17 00:00:00 2001 >From: Alexander Bokovoy <ab@samba.org> >Date: Tue, 18 Apr 2017 18:28:29 +0300 >Subject: [PATCH 2/2] s3-tests: assignement in shell shall have no spaces > around equal sign > >When assigning value to 'failed', no spaces should be around '=' sign. > >Signed-off-by: Alexander Bokovoy <ab@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> > >Autobuild-User(master): Jeremy Allison <jra@samba.org> >Autobuild-Date(master): Wed Apr 19 02:53:25 CEST 2017 on sn-devel-144 > >(cherry picked from commit d58481bd133a8f59ae553eeff6335162f3c7071c) > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12751 >--- > source3/script/tests/test_net_cred_change.sh | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > >diff --git a/source3/script/tests/test_net_cred_change.sh b/source3/script/tests/test_net_cred_change.sh >index 9013d07..de56be5 100755 >--- a/source3/script/tests/test_net_cred_change.sh >+++ b/source3/script/tests/test_net_cred_change.sh >@@ -9,8 +9,8 @@ fi > > incdir=`dirname $0`/../../../testprogs/blackbox > . $incdir/subunit.sh >-testit "first change" $VALGRIND $BINDIR/wbinfo -c || failed =`expr $failed + 1` >-testit "first join" $VALGRIND $BINDIR/net rpc testjoin $@ || failed =`expr $failed + 1` >-testit "second change" $VALGRIND $BINDIR/wbinfo -c || failed =`expr $failed + 1` >+testit "first change" $VALGRIND $BINDIR/wbinfo -c || failed=`expr $failed + 1` >+testit "first join" $VALGRIND $BINDIR/net rpc testjoin $@ || failed=`expr $failed + 1` >+testit "second change" $VALGRIND $BINDIR/wbinfo -c || failed=`expr $failed + 1` > > testok $0 $failed >-- >2.9.3 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
asn
:
review+
Actions:
View
Attachments on
bug 12751
: 13166