s4:auth: Accept previous gMSA password for NTLM authentication five minutes after...
authorJo Sutton <josutton@catalyst.net.nz>
Wed, 24 Apr 2024 03:49:27 +0000 (15:49 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 16 May 2024 02:11:36 +0000 (02:11 +0000)
gMSA password changes are usually triggered when the DC needs to fetch
the account’s keys and notices they are out of date.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
selftest/knownfail.d/gmsa
source4/auth/ntlm/auth_sam.c

index 39564088878c9cf25dfe4bd48f8bc9b409d8078d..5fc73e60af41378e11cae989d5887217f7d2b348 100644 (file)
@@ -1,6 +1,5 @@
 ^samba\.tests\.krb5\.gmsa_tests\.samba\.tests\.krb5\.gmsa_tests\.GmsaTests\.test_gmsa_cannot_be_locked_out_with_gensec_ntlmssp\(ad_dc:local\)$
 ^samba\.tests\.krb5\.gmsa_tests\.samba\.tests\.krb5\.gmsa_tests\.GmsaTests\.test_gmsa_cannot_be_locked_out_with_ldap_authentication\(ad_dc:local\)$
-^samba\.tests\.krb5\.gmsa_tests\.samba\.tests\.krb5\.gmsa_tests\.GmsaTests\.test_gmsa_cannot_perform_gensec_ntlmssp_logon_with_previous_password_five_minutes_apart\(ad_dc:local\)$
 # The unencrypted simple bind fails because the ad_dc environment sets ‘ldap
 # server require strong auth = yes’.
 ^samba\.tests\.krb5\.gmsa_tests\.samba\.tests\.krb5\.gmsa_tests\.GmsaTests\.test_retrieving_password_after_unencrypted_simple_bind\(ad_dc:local\)$
index d58068385794270f9df3eda98b11760ccb8a528d..a7f83b7e022f377f6e6727a2fde85b77299b677d 100644 (file)
 #include "../libcli/auth/ntlm_check.h"
 #include "auth/ntlm/auth_proto.h"
 #include "auth/auth_sam.h"
+#include "dsdb/gmsa/util.h"
 #include "dsdb/samdb/samdb.h"
 #include "dsdb/samdb/ldb_modules/util.h"
 #include "dsdb/common/util.h"
 #include "param/param.h"
 #include "librpc/gen_ndr/ndr_irpc_c.h"
 #include "librpc/gen_ndr/ndr_winbind_c.h"
+#include "lib/crypto/gkdi.h"
 #include "lib/messaging/irpc.h"
 #include "libcli/auth/libcli_auth.h"
 #include "libds/common/roles.h"
@@ -471,6 +473,7 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
                int allowed_period_mins;
                NTTIME allowed_period;
                bool ok;
+               bool is_gmsa;
 
                /* Reset these variables back to starting as empty */
                aes_256_key = NULL;
@@ -639,11 +642,26 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
                 * before the user can lock and unlock their other screens
                 * (resetting their cached password).
                 *
-                * See http://support.microsoft.com/kb/906305
-                * OldPasswordAllowedPeriod ("old password allowed period")
-                * is specified in minutes. The default is 60.
                 */
-               allowed_period_mins = lpcfg_old_password_allowed_period(auth_context->lp_ctx);
+
+               /* Is the account a Group Managed Service Account? */
+               is_gmsa = dsdb_account_is_gmsa(sam_ctx, msg);
+               if (is_gmsa) {
+                       /*
+                        * For Group Managed Service Accounts, the previous
+                        * password is allowed for five minutes after a password
+                        * change.
+                        */
+                       allowed_period_mins = gkdi_max_clock_skew_mins;
+               } else {
+                       /*
+                        * See http://support.microsoft.com/kb/906305
+                        * OldPasswordAllowedPeriod ("old password allowed
+                        * period") is specified in minutes. The default is 60.
+                        */
+                       allowed_period_mins = lpcfg_old_password_allowed_period(
+                               auth_context->lp_ctx);
+               }
                /*
                 * NTTIME uses 100ns units
                 */
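Review bot: The new gMSA branch around `allowed_period_mins = gkdi_max_clock_skew_mins;` deliberately bypasses the administrator-configurable `old password allowed period`, but neither the code nor the comment says so, and the comment hard-codes "five minutes" even though the value comes from a named constant; I would replace that comment with `/* gMSAs deliberately ignore 'old password allowed period': the previous password is accepted only within the GKDI clock-skew window (gkdi_max_clock_skew_mins). */` so a later change to the constant or to the smb.conf default does not leave the comment wrong. The classification also depends on `msg` carrying whatever attribute dsdb_account_is_gmsa() inspects (presumably objectClass); if the attribute list used for the account lookup earlier in this function omits it, every gMSA would quietly fall through to the longer non-gMSA window, which is worth confirming with a test that exercises this path. `is_gmsa` is declared alongside `ok` in the earlier hunk but is read only once here, so the temporary could be dropped in favour of `if (dsdb_account_is_gmsa(sam_ctx, msg)) {`. authsam_password_check_and_record() starts and ends outside this hunk.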