The branch, master has been updated
       via  f06b40a9196 bootstrap: Use quay.io to download fedora images
       via  e8517ee7c70 WHATSNEW: Announce support for dropping the NT hash
       via  e6957c1d479 samba-tool user: Accommodate missing unicodePwd in getpassword command
       via  aa9136ab742 samba-tool user: When possible, obtain AES256 key and salt
       via  f33aa94c9ee auth/credentials: Add get_aes256_key()
       via  0d9835e1e49 auth/credentials: Add cli_credentials_get_aes256_key()
       via  d2a473a7b74 dsdb: Allow password history and password changes without an NT hash
       via  6029e2250c4 s4-auth: For LDAP simple bind, fall back to checking the ENCTYPE_AES256_CTS_HMAC_SHA1_96 if stored
       via  18f2a6b231f s4:kdc: Add helper function to extract AES256 key and salt
       via  68c57d9f78d tests/krb5: Add test for presence of NT hash
      from  cd09d4f470f third_party: Update nss_wrapper to version 1.1.12

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f06b40a91966c521cd7f4ce4afc4e2f76c00a045
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Jun 20 18:48:56 2022 +0200

    bootstrap: Use quay.io to download fedora images

    The docker registry is rate limited now. This often leads to errors, so
    use the Red Hat registry.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Sun Jun 26 23:08:03 UTC 2022 on sn-devel-184

commit e8517ee7c700e351901bed1739ff21492854fc9b
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Mar 25 12:50:26 2022 +1300

    WHATSNEW: Announce support for dropping the NT hash

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit e6957c1d47996a98e905211f62ee1f3897700ecc
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Apr 11 11:54:24 2022 +1200

    samba-tool user: Accommodate missing unicodePwd in getpassword command

    To allow for the NT hash not being stored when NTLM authentication is
    disabled, we use the AES256 key instead for verification against the
    other packages if the unicodePwd attribute is not present.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit aa9136ab7427a89917a9d0ca7896348c49890b3f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon May 9 14:50:15 2022 +1200

    samba-tool user: When possible, obtain AES256 key and salt

    We will make use of these in the next commit to check that the
    supplemental packages are up-to-date with the current password.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f33aa94c9ee26a44132feca8fc4c460f88a48ee2
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon May 9 14:37:58 2022 +1200

    auth/credentials: Add get_aes256_key()

    This makes it possible to generate AES256 keys in Python from a given
    password and salt.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0d9835e1e497d667ce49f00d5127d2231055793f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon May 9 14:35:05 2022 +1200

    auth/credentials: Add cli_credentials_get_aes256_key()

    This allows us to generate AES256 keys from a given password and salt.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d2a473a7b7471937d1098a11258b875134ad702a
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Jan 31 14:08:13 2022 +1300

    dsdb: Allow password history and password changes without an NT hash

    We now allow this to be via the ENCTYPE_AES256_CTS_HMAC_SHA1_96 hash
    instead which allows us to decouple Samba from the unsalted NT hash
    for organisations that are willing to take this step (for user
    accounts).

    (History checking is limited to the last three passwords only, as
    ntPwdHistory is limited to NT hash values, and the PrimaryKerberosCtr4
    package only stores three sets of keys.)

    Since we don't store a salt per-key, but only a single salt, the check
    will fail for a previous password if the account was renamed prior to
    a newer password being set.

    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 6029e2250c4dc837ed4f6b4613f988ae6dff49e3
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Jun 10 12:47:01 2022 +1200

    s4-auth: For LDAP simple bind, fall back to checking the ENCTYPE_AES256_CTS_HMAC_SHA1_96 if stored

    Since we don't store a salt per-key, but only a single salt, when we do
    not have the NT hash in the unicodePwd (eg ntlm auth = disabled), the
    check will fail for a previous password if the account was renamed
    prior to a newer password being set.

    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 18f2a6b231ffc4318f7f7e00f81d2815f7ebe9eb
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed May 18 20:12:36 2022 +1200

    s4:kdc: Add helper function to extract AES256 key and salt

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 68c57d9f78dd511d7238fbc6a479f5db928d5eee
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Apr 11 15:44:09 2022 +1200

    tests/krb5: Add test for presence of NT hash
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: .gitlab-ci-main.yml | 2 +- WHATSNEW.txt | 40 +++ auth/common_auth.h | 3 + auth/credentials/credentials.h | 6 + auth/credentials/credentials_krb5.c | 64 ++++ auth/credentials/pycredentials.c | 56 ++++ bootstrap/config.py | 4 +- bootstrap/generated-dists/f36mit120/Dockerfile | 2 +- bootstrap/generated-dists/fedora36/Dockerfile | 2 +- bootstrap/sha1sum.txt | 2 +- docs-xml/smbdotconf/security/nt_hash_store.xml | 70 ++++ docs-xml/smbdotconf/security/ntlmauth.xml | 9 + lib/param/loadparm.c | 1 + lib/param/loadparm.h | 7 + lib/param/param_table.c | 7 + python/samba/netcmd/user.py | 77 +++-- python/samba/tests/krb5/kdc_base_test.py | 8 +- python/samba/tests/krb5/nt_hash_tests.py | 143 ++++++++ python/samba/tests/usage.py | 1 + selftest/knownfail.d/nt-hash-support-gone | 3 +- selftest/knownfail.d/password_settings | 2 - selftest/target/Samba4.pm | 2 +- source3/param/loadparm.c | 1 + source4/auth/ntlm/auth_sam.c | 265 +++++++++++++-- source4/auth/ntlm/wscript_build | 3 +- source4/dsdb/samdb/ldb_modules/password_hash.c | 368 +++++++++++++++++++-- .../dsdb/samdb/ldb_modules/wscript_build_server | 2 +- source4/dsdb/tests/python/password_settings.py | 5 +- source4/kdc/db-glue.c | 94 ++++++ source4/kdc/db-glue.h | 9 + source4/selftest/tests.py | 9 + 31 files changed, 1173 insertions(+), 94 deletions(-) create mode 100644 docs-xml/smbdotconf/security/nt_hash_store.xml create mode 100755 python/samba/tests/krb5/nt_hash_tests.py delete mode 100644 selftest/knownfail.d/password_settings Changeset truncated at 500 lines: diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 2974212e888..ce30e044335 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml 
@@ -47,7 +47,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: f0d5c414802246c0df46f9bbbceeda4853fd24b7 + SAMBA_CI_CONTAINER_TAG: b62662cd85b10ca4767b9ead4e9b0482ad98ddb2 # # We use the ubuntu1804 image as default as # it matches what we have on sn-devel-184. diff --git a/WHATSNEW.txt b/WHATSNEW.txt index a0cffa6d75b..3b31211b2bb 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -108,6 +108,45 @@ CTDB changes comments, is no longer permitted. Please see ctdb-tunables(7) for more details. +Operation without the (unsalted) NT password hash +------------------------------------------------- + +When Samba is configured with 'nt hash store = never' then Samba will +no longer store the (unsalted) NT password hash for users in Active +Directory. (Trust accounts, like computers, domain controllers and +inter-domain trusts are not impacted). + +In the next version of Samba the default for 'nt hash store' will +change from 'always' to 'auto', where it will follow (behave as 'nt +hash store = never' when 'ntlm auth = disabled' is set. + +Security-focused deployments of Samba that have eliminated NTLM from +their networks will find setting 'ntlm auth = disabled' with 'nt hash +store = always' as a useful way to improve compliance with +best-practice guidance on password storage (which is to always use an +interated hash). + +Note that when 'nt hash store = never' is set, then arcfour-hmac-md5 +Kerberos keys will not be available for users who subsequently change +their password, as these keys derive their values from NT hashes. AES +keys are stored by default for all deployments of Samba with Domain +Functional Level 2008 or later, are supported by all modern clients, +and are much more secure. + +Finally, also note that password history in Active Directory is stored +in nTPwdHistory using a series of NT hash values. Therefore the full +password history feature is not available in this mode. + +To provide some protection against password re-use previous Kerberos +hash values (the current, old and older values are already stored) are +used, providing a history length of 3. + +There is one small limitation of this workaround: Changing the +sAMAccountName, userAccountControl or userPrincipalName of an account +can cause the Kerberos password salt to change. 
This means that after +*both* an account rename and a password change, only the current +password will be recognised for password history purposes. + REMOVED FEATURES ================ @@ -124,6 +163,7 @@ smb.conf changes Parameter Name Description Default -------------- ----------- ------- dns port New default 53 + nt hash store New parameter always KNOWN ISSUES diff --git a/auth/common_auth.h b/auth/common_auth.h index d922b66ab4d..fb41d48be49 100644 --- a/auth/common_auth.h +++ b/auth/common_auth.h @@ -129,6 +129,9 @@ struct auth4_context { /* Private data for the callbacks on this auth context */ void *private_data; + /* Kerberos context, set up on demand */ + struct smb_krb5_context *smb_krb5_context; + struct tevent_req *(*check_ntlm_password_send)(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct auth4_context *auth_ctx, diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h index 551b1611826..e9d8b8a44b1 100644 --- a/auth/credentials/credentials.h +++ b/auth/credentials/credentials.h @@ -344,4 +344,10 @@ NTSTATUS netlogon_creds_session_encrypt( struct netlogon_creds_CredentialState *state, DATA_BLOB data); +int cli_credentials_get_aes256_key(struct cli_credentials *cred, + TALLOC_CTX *mem_ctx, + struct loadparm_context *lp_ctx, + const char *salt, + DATA_BLOB *aes_256); + #endif /* __CREDENTIALS_H__ */ diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c index e69e1a83b3c..bd47113e60c 100644 --- a/auth/credentials/credentials_krb5.c +++ b/auth/credentials/credentials_krb5.c 
@@ -1464,3 +1464,67 @@ _PUBLIC_ void cli_credentials_set_target_service(struct cli_credentials *cred, c cred->target_service = talloc_strdup(cred, target_service); } +_PUBLIC_ int cli_credentials_get_aes256_key(struct cli_credentials *cred, + TALLOC_CTX *mem_ctx, + struct loadparm_context *lp_ctx, + const char *salt, + DATA_BLOB *aes_256) +{ + struct smb_krb5_context *smb_krb5_context = NULL; + krb5_error_code krb5_ret; + int ret; + const char *password = NULL; + krb5_data cleartext_data; + krb5_data salt_data; + krb5_keyblock key; + + if (cred->password_will_be_nt_hash) { + DEBUG(1,("cli_credentials_get_aes256_key: cannot generate AES256 key using NT hash\n")); + return EINVAL; + } + + password = cli_credentials_get_password(cred); + if (password == NULL) { + return EINVAL; + } + + cleartext_data.data = discard_const_p(char, password); + cleartext_data.length = strlen(password); + + ret = cli_credentials_get_krb5_context(cred, lp_ctx, + &smb_krb5_context); + if (ret != 0) { + return ret; + } + + salt_data.data = discard_const_p(char, salt); + salt_data.length = strlen(salt); + + /* + * create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of + * the salt and the cleartext password + */ + krb5_ret = smb_krb5_create_key_from_string(smb_krb5_context->krb5_context, + NULL, + &salt_data, + &cleartext_data, + ENCTYPE_AES256_CTS_HMAC_SHA1_96, + &key); + if (krb5_ret != 0) { + DEBUG(1,("cli_credentials_get_aes256_key: " + "generation of a aes256-cts-hmac-sha1-96 key failed: %s", + smb_get_krb5_error_message(smb_krb5_context->krb5_context, + krb5_ret, mem_ctx))); + return EINVAL; + } + *aes_256 = data_blob_talloc(mem_ctx, + KRB5_KEY_DATA(&key), + KRB5_KEY_LENGTH(&key)); + krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &key); + if (aes_256->data == NULL) { + return ENOMEM; + } + talloc_keep_secret(aes_256->data); + + return 0; +} diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c index b779f274b89..013d2958ea2 100644 
--- a/auth/credentials/pycredentials.c +++ b/auth/credentials/pycredentials.c @@ -937,6 +937,54 @@ static PyObject *py_creds_get_secure_channel_type(PyObject *self, PyObject *args return PyLong_FromLong(channel_type); } +static PyObject *py_creds_get_aes256_key(PyObject *self, PyObject *args) +{ + struct loadparm_context *lp_ctx = NULL; + TALLOC_CTX *mem_ctx = NULL; + PyObject *py_lp_ctx = Py_None; + const char *salt = NULL; + DATA_BLOB aes_256; + int code; + PyObject *ret = NULL; + struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); + if (creds == NULL) { + PyErr_Format(PyExc_TypeError, "Credentials expected"); + return NULL; + } + + if (!PyArg_ParseTuple(args, "s|O", &salt, &py_lp_ctx)) + return NULL; + + mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + PyErr_NoMemory(); + return NULL; + } + + lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx); + if (lp_ctx == NULL) { + talloc_free(mem_ctx); + return NULL; + } + + code = cli_credentials_get_aes256_key(creds, + mem_ctx, + lp_ctx, + salt, + &aes_256); + if (code != 0) { + PyErr_SetString(PyExc_RuntimeError, + "Failed to generate AES256 key"); + talloc_free(mem_ctx); + return NULL; + } + + ret = PyBytes_FromStringAndSize((const char *)aes_256.data, + aes_256.length); + talloc_free(mem_ctx); + return ret; +} + static PyObject *py_creds_encrypt_netr_crypt_password(PyObject *self, PyObject *args) { @@ -1417,6 +1465,14 @@ static PyMethodDef py_creds_methods[] = { .ml_meth = py_creds_get_secure_channel_type, .ml_flags = METH_VARARGS, }, + { + .ml_name = "get_aes256_key", + .ml_meth = py_creds_get_aes256_key, + .ml_flags = METH_VARARGS, + .ml_doc = "S.get_aes256_key(salt[, lp]) -> bytes\n" + "Generate an AES256 key using the current password and\n" + "the specified salt", + }, { .ml_name = "encrypt_netr_crypt_password", .ml_meth = py_creds_encrypt_netr_crypt_password, diff --git a/bootstrap/config.py b/bootstrap/config.py index a204d1e19c3..a00b253ae77 100644 --- a/bootstrap/config.py 
+++ b/bootstrap/config.py @@ -490,7 +490,7 @@ RPM_DISTS = { } }, 'fedora36': { - 'docker_image': 'fedora:36', + 'docker_image': 'quay.io/fedora/fedora:36', 'vagrant_box': 'fedora/36-cloud-base', 'bootstrap': DNF_BOOTSTRAP, 'replace': { @@ -501,7 +501,7 @@ RPM_DISTS = { } }, 'f36mit120': { - 'docker_image': 'fedora:36', + 'docker_image': 'quay.io/fedora/fedora:36', 'vagrant_box': 'fedora/36-cloud-base', 'bootstrap': DNF_BOOTSTRAP_MIT, 'replace': { diff --git a/bootstrap/generated-dists/f36mit120/Dockerfile b/bootstrap/generated-dists/f36mit120/Dockerfile index 803f0752a11..8ceb585b6fd 100644 --- a/bootstrap/generated-dists/f36mit120/Dockerfile +++ b/bootstrap/generated-dists/f36mit120/Dockerfile @@ -3,7 +3,7 @@ # See also bootstrap/config.py # -FROM fedora:36 +FROM quay.io/fedora/fedora:36 # pass in with --build-arg while build ARG SHA1SUM diff --git a/bootstrap/generated-dists/fedora36/Dockerfile b/bootstrap/generated-dists/fedora36/Dockerfile index 803f0752a11..8ceb585b6fd 100644 --- a/bootstrap/generated-dists/fedora36/Dockerfile +++ b/bootstrap/generated-dists/fedora36/Dockerfile @@ -3,7 +3,7 @@ # See also bootstrap/config.py # -FROM fedora:36 +FROM quay.io/fedora/fedora:36 # pass in with --build-arg while build ARG SHA1SUM diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt index ac500bec4f2..d9766fd37b9 100644 --- a/bootstrap/sha1sum.txt +++ b/bootstrap/sha1sum.txt @@ -1 +1 @@ -f0d5c414802246c0df46f9bbbceeda4853fd24b7 +b62662cd85b10ca4767b9ead4e9b0482ad98ddb2 diff --git a/docs-xml/smbdotconf/security/nt_hash_store.xml b/docs-xml/smbdotconf/security/nt_hash_store.xml new file mode 100644 index 00000000000..d7ed705de58 --- /dev/null +++ b/docs-xml/smbdotconf/security/nt_hash_store.xml 
@@ -0,0 +1,70 @@ +<samba:parameter name="nt hash store" + context="G" + type="enum" + enumlist="enum_nt_hash_store" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>This parameter determines whether or not <citerefentry><refentrytitle>samba</refentrytitle> + <manvolnum>8</manvolnum></citerefentry> will, as an AD DC, attempt to + store the NT password hash used in NTLM and NTLMv2 authentication for + users in this domain. </para> + + <para>If so configured, the Samba Active Directory Domain Controller, + will, except for trust accounts (computers, domain + controllers and inter-domain trusts) the + <emphasis>NOT store the NT hash</emphasis> + for new and changed accounts in the sam.ldb database.</para> + + <para>This avoids the storage of an unsalted hash for these + user-created passwords. As a consequence the + <constant>arcfour-hmac-md5</constant> Kerberos key type is + also unavailable in the KDC for these users - thankfully + <emphasis>modern clients will select an AES based key + instead.</emphasis></para> + + <para>NOTE: As the password history in Active Directory is + stored as an NT hash (and thus unavailable), a workaround is + used, relying instead on Kerberos password hash values. + This stores three passwords, the current, previous and second previous + password. This allows some checking against reuse. </para> + + <para>However as these values are salted, changing the + sAMAccountName, userAccountControl or userPrincipalName of + an account will cause the salt to change. After the rare + combination of both a rename and a password change only the + current password will be recognised for password history + purposes. 
+ </para> + <para>The available settings are:</para> + + <itemizedlist> + <listitem> + <para><constant>always</constant> - Always store the NT hash + (as machine accounts will also always store an NT hash, + a hash will be stored for all accounts).</para> + + <para>This setting may be useful if <parameter + moreinfo="none">ntlm auth</parameter> is set to <constant>disabled</constant> + for a trial period</para> + + </listitem> + + <listitem> + <para><constant>never</constant> - Never store the NT hash + for user accounts, only for machine accounts</para> + </listitem> + + <listitem> + <para><constant>auto</constant> - Store an NT hash if <parameter + moreinfo="none">ntlm auth</parameter> is not set to <constant>disabled</constant>. + </para> + + </listitem> + + </itemizedlist> + +</description> + +<related>ntlm auth</related> +<value type="default">always</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml index 8d31c98eb05..d7c84ccaf85 100644 --- a/docs-xml/smbdotconf/security/ntlmauth.xml +++ b/docs-xml/smbdotconf/security/ntlmauth.xml @@ -62,6 +62,14 @@ authentication to forward to a full DC. Setting this option to <constant>disabled</constant> will cause these forwarded authentications to fail.</para> + + <para>Additionally, for Samba acting as an Active Directory + Domain Controller, for user accounts, if <parameter moreinfo="none">nt hash store</parameter> + is set to the default setting of <constant>auto</constant>, + the <emphasis>NT hash will not be stored</emphasis> + in the sam.ldb database for new users and after a + password change.</para> + </listitem> </itemizedlist> @@ -72,6 +80,7 @@ behaviour is unchanged.</para> </description> +<related>nt hash store</related> <related>lanman auth</related> <related>raw NTLMv2 auth</related> <value type="default">ntlmv2-only</value> diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 599c4b00966..d8646120e6b 100644 
--- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2651,6 +2651,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "ClientNTLMv2Auth", "True"); lpcfg_do_global_parameter(lp_ctx, "LanmanAuth", "False"); lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "ntlmv2-only"); + lpcfg_do_global_parameter(lp_ctx, "NT hash store", "always"); lpcfg_do_global_parameter(lp_ctx, "RawNTLMv2Auth", "False"); lpcfg_do_global_parameter(lp_ctx, "client use spnego principal", "False"); diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h index a3331436229..b1641ba88d2 100644 --- a/lib/param/loadparm.h +++ b/lib/param/loadparm.h @@ -262,6 +262,13 @@ enum samba_weak_crypto { SAMBA_WEAK_CRYPTO_DISALLOWED, }; +/* Controlling the storage of the NT password has on the AD DC */ +enum store_nt_hash { + NT_HASH_STORE_AUTO, + NT_HASH_STORE_NEVER, + NT_HASH_STORE_ALWAYS +}; + /* * Default passwd chat script. */ diff --git a/lib/param/param_table.c b/lib/param/param_table.c index 9fac73ef113..3ffa4bcc411 100644 --- a/lib/param/param_table.c +++ b/lib/param/param_table.c @@ -403,6 +403,13 @@ static const struct enum_list enum_ntlm_auth[] = { {-1, NULL} }; +static const struct enum_list enum_nt_hash_store[] = { + {NT_HASH_STORE_AUTO, "auto"}, + {NT_HASH_STORE_NEVER, "never"}, + {NT_HASH_STORE_ALWAYS, "always"}, +}; + + static const struct enum_list enum_spotlight_backend[] = { {SPOTLIGHT_BACKEND_NOINDEX, "noindex"}, {SPOTLIGHT_BACKEND_TRACKER, "tracker"}, diff --git a/python/samba/netcmd/user.py b/python/samba/netcmd/user.py index 24f66ffbd91..50d800ed04a 100644 --- a/python/samba/netcmd/user.py +++ b/python/samba/netcmd/user.py @@ -17,6 +17,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. # +import builtins import samba.getopt as options import ldb import pwd 
@@ -1287,6 +1288,29 @@ class GetPasswordCommand(Command): return binascii.a2b_hex(p.data) return None + def get_kerberos_ctr(): + primary_krb5 = get_package("Primary:Kerberos-Newer-Keys") + if primary_krb5 is None: + primary_krb5 = get_package("Primary:Kerberos") + if primary_krb5 is None: + return (0, None) + krb5_blob = ndr_unpack(drsblobs.package_PrimaryKerberosBlob, + primary_krb5) + return (krb5_blob.version, krb5_blob.ctr) + + aes256_key = None + kerberos_salt = None + + (krb5_v, krb5_ctr) = get_kerberos_ctr() + if krb5_v in [3, 4]: + kerberos_salt = krb5_ctr.salt.string + + if krb5_ctr.keys: + def is_aes256(k): + return k.keytype == 18 + aes256_key = next(builtins.filter(is_aes256, krb5_ctr.keys), + None) + if decrypt: # # Samba adds 'Primary:SambaGPG' at the end. @@ -1297,22 +1321,34 @@ class GetPasswordCommand(Command): # # In order to get more protection we verify # the nthash of the decrypted utf16 password - # against the stored nthash in unicodePwd. + # against the stored nthash in unicodePwd if -- Samba Shared Repository
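Review bot: The compliance paragraph in the WHATSNEW.txt hunk recommends "'ntlm auth = disabled' with 'nt hash store = always'", which still stores the unsalted NT hash; the value that delivers the stated benefit is 'nt hash store = never' (or 'auto' once the default changes as the preceding paragraph announces). In the same hunk, "where it will follow (behave as 'nt hash store = never' when 'ntlm auth = disabled' is set." has an unclosed parenthesis and a dangling "follow", and "interated hash" should read "iterated hash".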
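Review bot: The second <para> of the new nt_hash_store.xml has lost its verb: "will, except for trust accounts (computers, domain controllers and inter-domain trusts) the <emphasis>NOT store the NT hash</emphasis>". Suggest "will, except for trust accounts (computers, domain controllers and inter-domain trusts), <emphasis>NOT store the NT hash</emphasis> for new and changed accounts", and "If so configured" should name the values that trigger this (never, or auto with ntlm auth = disabled), since the default in the same file is always. The "for a trial period" sentence under <constant>always</constant> is also missing its full stop.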
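Review bot: The paragraph added to ntlmauth.xml says 'nt hash store' has "the default setting of <constant>auto</constant>", but this series ships always as the default (lpcfg_do_global_parameter(lp_ctx, "NT hash store", "always") in loadparm.c and <value type="default">always</value> in nt_hash_store.xml; WHATSNEW.txt says the change to auto is for the next version). Reword to "if nt hash store is set to auto or never" so the two manpages do not contradict each other.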
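Review bot: Typo in the new comment in loadparm.h: "Controlling the storage of the NT password has on the AD DC" should read "NT password hash".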
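Review bot: enum_nt_hash_store in the param_table.c hunk has no {-1, NULL} terminator, while enum_ntlm_auth immediately above it ends with one (visible in the hunk's leading context); the enum tables are walked until that NULL name, so looking up a value that is not in the table would read past the end of the array. Add "{-1, NULL}" after the "always" entry.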
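Review bot: In cli_credentials_get_aes256_key (credentials_krb5.c hunk) the failure DEBUG message "generation of a aes256-cts-hmac-sha1-96 key failed: %s" has no trailing "\n" (the earlier DEBUG in the same function does) and should say "an aes256-cts-hmac-sha1-96 key". The function also mixes error domains: the krb5 code from cli_credentials_get_krb5_context is returned unchanged next to errno values (EINVAL, ENOMEM), so the new prototype in credentials.h should document what callers may expect, or the krb5 failure should be mapped to an errno like the krb5_ret case is. salt is passed straight to strlen() with no NULL check; the only caller in this series (the Python binding) parses it with "s", but the C API should either reject NULL or document that it is required.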
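Review bot: py_creds_get_aes256_key (pycredentials.c hunk) collapses every non-zero return from cli_credentials_get_aes256_key into the same RuntimeError "Failed to generate AES256 key", so a Python caller cannot distinguish the NT-hash-only credential case (EINVAL, which the C function logs) from a missing Kerberos context or an out-of-memory condition; include the code (strerror(code)) in the message. Note also that the key is returned in an immutable PyBytes, which the talloc_keep_secret() applied to the C blob cannot scrub; worth a sentence in ml_doc so callers of get_aes256_key() know the bytes object will outlive the talloc context.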
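Review bot: In the GetPasswordCommand hunk of user.py, is_aes256 compares k.keytype against the bare literal 18; give it a name (ENCTYPE_AES256_CTS_HMAC_SHA1_96, the constant the C side uses) so the intent is visible. The builtins.filter call and the new "import builtins" can be replaced by a plain generator, next((k for k in krb5_ctr.keys if k.keytype == ENCTYPE_AES256_CTS_HMAC_SHA1_96), None), which avoids the nested def and the extra import.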
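The password-history fallback described in commit d2a473a7b74 (and the LDAP simple-bind fallback in 6029e2250c4, which uses the same stored key) compares a candidate password against the stored ENCTYPE_AES256_CTS_HMAC_SHA1_96 keys instead of NT hashes. The following is an added example, not Samba's code: it derives that key per RFC 3962 (PBKDF2-HMAC-SHA1, then the DK step, with a small built-in AES so it runs offline) and shows why a rename that changes the salt defeats the check. The salt form REALM + sAMAccountName, the realm, account names and passwords are constructed assumptions.

```python
import hashlib
# Minimal AES-256 single-block encryption, needed only for the Kerberos DK step.
def _xtime(a):
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def _build_sbox():
    sbox, p, q = [0] * 256, 1, 1
    while True:                          # walk GF(2^8)* with generator 3; q = 1/p
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        for shift in (1, 2, 4):
            q = (q ^ (q << shift)) & 0xFF
        q ^= 0x09 if q & 0x80 else 0
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF   # affine transform of the inverse
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()

def _round_keys(key):
    w = [list(key[i:i + 4]) for i in range(0, 32, 4)]        # Nk = 8 words
    rcon = 1
    for i in range(8, 60):                                   # 15 round keys * 4 words
        t = list(w[i - 1])
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]             # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]                         # extra SubWord (AES-256)
        w.append([a ^ b for a, b in zip(w[i - 8], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]

def _mix_columns(s):
    out = []
    for c in range(0, 16, 4):
        a0, a1, a2, a3 = s[c:c + 4]
        out += [_xtime(a0) ^ _xtime(a1) ^ a1 ^ a2 ^ a3,
                a0 ^ _xtime(a1) ^ _xtime(a2) ^ a2 ^ a3,
                a0 ^ a1 ^ _xtime(a2) ^ _xtime(a3) ^ a3,
                _xtime(a0) ^ a0 ^ a1 ^ a2 ^ _xtime(a3)]
    return out

def aes256_encrypt_block(key, block):
    rks = _round_keys(key)
    s = [b ^ k for b, k in zip(block, rks[0])]
    for r in range(1, 15):
        s = [SBOX[b] for b in s]                             # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]  # ShiftRows (column-major)
        if r < 14:
            s = _mix_columns(s)
        s = [b ^ k for b, k in zip(s, rks[r])]
    return bytes(s)

# RFC 3962 string-to-key: PBKDF2-HMAC-SHA1(password, salt), then DK(tkey, "kerberos").
KRB_CONST = bytes.fromhex("6b65726265726f737b9b5b2b93132b93")  # n-fold("kerberos", 128)
def aes256_string_to_key(password, salt, iterations=4096):
    tkey = hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), iterations, 32)
    k1 = aes256_encrypt_block(tkey, KRB_CONST)    # one block, so CBC-CTS == raw AES
    return k1 + aes256_encrypt_block(tkey, k1)

def password_in_history(candidate, current_salt, history_keys):
    # Salted history check: the candidate can only be derived under the account's
    # *current* salt, then compared with the stored current/old/older AES256 keys.
    return aes256_string_to_key(candidate, current_salt) in history_keys

def rename_demo(realm="EXAMPLE.COM", old_pw="Winter2021!"):   # constructed sample values
    # Assumed salt form for a plain AD user account: REALM + sAMAccountName.
    history = [aes256_string_to_key(old_pw, realm + "alice")]
    caught = password_in_history(old_pw, realm + "alice", history)
    # After a rename the salt changes, so reusing the old password is not detected.
    missed = password_in_history(old_pw, realm + "alice.smith", history)
    return caught, missed
```

rename_demo() returns (True, False): reuse is caught while the sAMAccountName is unchanged and missed after the rename, which is the limitation the commit message and WHATSNEW entry describe.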