141 lines
4.2 KiB
Diff
141 lines
4.2 KiB
Diff
From 051eb5f7e4969bf6c2f45346df2f07324fa21882 Mon Sep 17 00:00:00 2001
|
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
Date: Thu, 26 Jul 2012 22:05:25 +0300
|
|
Subject: [PATCH 53/79] When ipaNTHash is missing, ask IPA to generate it from
|
|
kerberos keys
|
|
|
|
Signed-off-by: Simo Sorce <ssorce@redhat.com>
|
|
---
|
|
daemons/ipa-sam/ipa_sam.c | 96 +++++++++++++++++++++++++++++++++++++++++++++--
|
|
1 file changed, 93 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
|
|
index ab4b116c5f2b3b8dae6e8309403afba5fdf86708..aa54429b5bec4b26906b2a34e59ff95299a67f80 100644
|
|
--- a/daemons/ipa-sam/ipa_sam.c
|
|
+++ b/daemons/ipa-sam/ipa_sam.c
|
|
@@ -2400,6 +2400,74 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
|
|
return true;
|
|
}
|
|
|
|
+static bool ipasam_nthash_retrieve(struct ldapsam_privates *ldap_state,
|
|
+ TALLOC_CTX *mem_ctx,
|
|
+ char *entry_dn,
|
|
+ DATA_BLOB *nthash)
|
|
+{
|
|
+ int ret;
|
|
+ bool retval;
|
|
+ LDAPMessage *result;
|
|
+ LDAPMessage *entry = NULL;
|
|
+ int count;
|
|
+ struct smbldap_state *smbldap_state = ldap_state->smbldap_state;
|
|
+ const char *attr_list[] = {
|
|
+ LDAP_ATTRIBUTE_NTHASH,
|
|
+ NULL
|
|
+ };
|
|
+
|
|
+ ret = smbldap_search(smbldap_state, entry_dn,
|
|
+ LDAP_SCOPE_BASE, "", attr_list, 0,
|
|
+ &result);
|
|
+ if (ret != LDAP_SUCCESS) {
|
|
+ DEBUG(1, ("Failed to get NT hash: %s\n",
|
|
+ ldap_err2string (ret)));
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ count = ldap_count_entries(smbldap_state->ldap_struct, result);
|
|
+
|
|
+ if (count != 1) {
|
|
+ DEBUG(1, ("Unexpected number of results [%d] for NT hash "
|
|
+ "of the single entry search.\n", count));
|
|
+ ldap_msgfree(result);
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ entry = ldap_first_entry(smbldap_state->ldap_struct, result);
|
|
+ if (entry == NULL) {
|
|
+ DEBUG(0, ("Could not get entry\n"));
|
|
+ ldap_msgfree(result);
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ retval = smbldap_talloc_single_blob(mem_ctx,
|
|
+ smbldap_state->ldap_struct,
|
|
+ entry, LDAP_ATTRIBUTE_NTHASH,
|
|
+ nthash);
|
|
+ ldap_msgfree(result);
|
|
+ return retval;
|
|
+}
|
|
+
|
|
+static bool ipasam_nthash_regen(struct ldapsam_privates *ldap_state,
|
|
+ TALLOC_CTX *mem_ctx,
|
|
+ char * entry_dn)
|
|
+{
|
|
+ LDAPMod **mods;
|
|
+ int ret;
|
|
+
|
|
+ mods = NULL;
|
|
+ smbldap_make_mod(ldap_state->smbldap_state->ldap_struct,
|
|
+ NULL, &mods, LDAP_ATTRIBUTE_NTHASH, "MagicRegen");
|
|
+
|
|
+ talloc_autofree_ldapmod(mem_ctx, mods);
|
|
+ ret = smbldap_add(ldap_state->smbldap_state, entry_dn, mods);
|
|
+ if (ret != LDAP_SUCCESS) {
|
|
+ DEBUG(5, ("ipasam: attempt to regen ipaNTHash failed\n"));
|
|
+ }
|
|
+ return (ret == LDAP_SUCCESS);
|
|
+}
|
|
+
|
|
static bool init_sam_from_ldap(struct ldapsam_privates *ldap_state,
|
|
struct samu * sampass,
|
|
LDAPMessage * entry)
|
|
@@ -2414,6 +2482,7 @@ static bool init_sam_from_ldap(struct ldapsam_privates *ldap_state,
|
|
char *profile_path = NULL;
|
|
char *temp = NULL;
|
|
bool ret = false;
|
|
+ bool retval = false;
|
|
DATA_BLOB nthash;
|
|
|
|
TALLOC_CTX *tmp_ctx = talloc_init("init_sam_from_ldap");
|
|
@@ -2504,14 +2573,35 @@ static bool init_sam_from_ldap(struct ldapsam_privates *ldap_state,
|
|
|
|
pdb_set_acct_ctrl(sampass, ACB_NORMAL, PDB_SET);
|
|
|
|
- if (!smbldap_talloc_single_blob(tmp_ctx,
|
|
+ retval = smbldap_talloc_single_blob(tmp_ctx,
|
|
ldap_state->smbldap_state->ldap_struct,
|
|
entry, LDAP_ATTRIBUTE_NTHASH,
|
|
- &nthash)) {
|
|
+ &nthash);
|
|
+ if (!retval) {
|
|
+ /* NT Hash is not in place. Attempt to retrieve it from
|
|
+ * the RC4-HMAC key if that exists in Kerberos credentials.
|
|
+ * IPA 389-ds plugin allows to ask for it by setting
|
|
+ * ipaNTHash to MagicRegen value.
|
|
+ * */
|
|
+ temp = smbldap_talloc_dn(tmp_ctx, ldap_state->smbldap_state->ldap_struct, entry);
|
|
+ if (temp) {
|
|
+ retval = ipasam_nthash_regen(tmp_ctx,
|
|
+ ldap_state->smbldap_state->ldap_struct,
|
|
+ temp);
|
|
+ if (retval) {
|
|
+ retval = ipasam_nthash_retrieve(tmp_ctx,
|
|
+ ldap_state->smbldap_state->ldap_struct,
|
|
+ temp, &nthash);
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (!retval) {
|
|
DEBUG(5, ("Failed to read NT hash form LDAP response.\n"));
|
|
}
|
|
+
|
|
if (nthash.length != NT_HASH_LEN && nthash.length != 0) {
|
|
- DEBUG(5, ("NT hash from LDAP has the wrong size.\n"));
|
|
+ DEBUG(5, ("NT hash from LDAP has the wrong size. Perhaps password was not re-set?\n"));
|
|
} else {
|
|
if (!pdb_set_nt_passwd(sampass, nthash.data, PDB_SET)) {
|
|
DEBUG(5, ("Failed to set NT hash.\n"));
|
|
--
|
|
1.7.11.2
|
|
|