dsdb: modify unicodePwd requires encrypted connection
authorRob van der Linde <rob@catalyst.net.nz>
Sun, 19 Feb 2023 22:50:36 +0000 (11:50 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 6 Apr 2023 01:33:05 +0000 (01:33 +0000)
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Apr  6 01:33:05 UTC 2023 on atb-devel-224

selftest/knownfail.d/unicodepwd_encrypted [deleted file]
source4/dsdb/samdb/ldb_modules/password_hash.c
source4/dsdb/samdb/samdb.h
source4/ldap_server/ldap_backend.c

diff --git a/selftest/knownfail.d/unicodepwd_encrypted b/selftest/knownfail.d/unicodepwd_encrypted
deleted file mode 100644 (file)
index 375f797..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba4.unicodepwd_encrypted\(.*\).__main__.UnicodePwdEncryptedConnectionTests.test_simple_bind_plain
-^samba4.unicodepwd_encrypted\(.*\).__main__.UnicodePwdEncryptedConnectionTests.test_without_seal
index ccdb1c8f44a1f9551ae381daa1fed0040cd56add..417e34b79e60b1e74e934ed6872d78c1395ad811 100644 (file)
@@ -2869,6 +2869,8 @@ static int check_password_restrictions(struct setup_password_fields_io *io, WERR
        struct loadparm_context *lp_ctx =
                talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
                                struct loadparm_context);
+       struct dsdb_encrypted_connection_state *opaque_connection_state =
+               ldb_get_opaque(ldb,DSDB_OPAQUE_ENCRYPTED_CONNECTION_STATE_NAME);
 
        *werror = WERR_INVALID_PARAMETER;
 
@@ -2876,6 +2878,24 @@ static int check_password_restrictions(struct setup_password_fields_io *io, WERR
                return LDB_SUCCESS;
        }
 
+       /*
+        * Prevent update password on an insecure connection.
+        * The opaque is added in the ldap backend init.
+        */
+       if (opaque_connection_state != NULL &&
+           !opaque_connection_state->using_encrypted_connection) {
+               ret = LDB_ERR_UNWILLING_TO_PERFORM;
+               *werror = WERR_GEN_FAILURE;
+               ldb_asprintf_errstring(ldb,
+                                      "%08X: SvcErr: DSID-031A126C, "
+                                      "problem 5003 (WILL_NOT_PERFORM), "
+                                      "data 0\n"
+                                      "Password modification over LDAP "
+                                      "must be over an encrypted connection",
+                                      W_ERROR_V(*werror));
+               return ret;
+       }
+
        /*
         * First check the old password is correct, for password
         * changes when this hasn't already been checked by a
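Review bot: The guard `if (opaque_connection_state != NULL && !opaque_connection_state->using_encrypted_connection)` deliberately lets the modification through when no opaque is present, but the comment above it only says the opaque is added in the LDAP backend init, so a reader can mistake the missing-opaque path for an oversight rather than the intended exemption for ldb handles that were not opened through the LDAP server. Extending the comment with `/* No opaque: this ldb was not set up by the LDAP server, so the transport check does not apply. */` would record that the fail-open is by design. Assigning `ret` only to return it on the next line could simply be `return LDB_ERR_UNWILLING_TO_PERFORM;`, matching the early `return LDB_SUCCESS;` a few lines above. check_password_restrictions begins and ends outside this hunk.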
index 8bc67301a986126ba70bd302aa73868a0dc6936a..7ca6d26f67a929f24aa60e7ffc8839114e302d2c 100644 (file)
@@ -375,6 +375,11 @@ struct dsdb_extended_dn_store_format {
 
 #define DSDB_FULL_JOIN_REPLICATION_COMPLETED_OPAQUE_NAME "DSDB_FULL_JOIN_REPLICATION_COMPLETED"
 
+#define DSDB_OPAQUE_ENCRYPTED_CONNECTION_STATE_NAME "DSDB_OPAQUE_ENCRYPTED_CONNECTION_STATE_MSG"
+struct dsdb_encrypted_connection_state {
+       bool using_encrypted_connection;
+};
+
 #define DSDB_SAMDB_MINIMUM_ALLOWED_RID   1000
 
 #define DSDB_METADATA_SCHEMA_SEQ_NUM   "SCHEMA_SEQ_NUM"
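Review bot: The new `struct dsdb_encrypted_connection_state` and its opaque name carry no comment saying who stores the opaque or what its absence means, although both decide whether the password_hash.c check runs at all. A comment above the `#define`, for example `/* Per-connection transport state stored on the ldb by the LDAP server (ldapsrv_backend_Init); absent when the ldb is not reached through the LDAP server. */`, would make that contract visible where the type is declared. The string value ends in `_MSG` while the macro name does not, which looks accidental and is worth aligning if nothing else depends on the literal yet.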
index 9429ba1561f6a477c57eeafce5735e051ce6b040..8db85c58fac0c8339d48f678fcc7917503b9c9e2 100644 (file)
@@ -186,6 +186,11 @@ static int map_ldb_error(TALLOC_CTX *mem_ctx, int ldb_err,
 int ldapsrv_backend_Init(struct ldapsrv_connection *conn,
                              char **errstring)
 {
+       bool using_tls = conn->sockets.active == conn->sockets.tls;
+       bool using_seal = conn->gensec != NULL && gensec_have_feature(conn->gensec,
+                                                                     GENSEC_FEATURE_SEAL);
+       struct dsdb_encrypted_connection_state *opaque_connection_state = NULL;
+
        int ret = samdb_connect_url(conn,
                                    conn->connection->event.ctx,
                                    conn->lp_ctx,
@@ -199,6 +204,24 @@ int ldapsrv_backend_Init(struct ldapsrv_connection *conn,
                return ret;
        }
 
+       /*
+        * We can safely call ldb_set_opaque() on this ldb as we have
+        * set remote_address above which avoids the ldb handle cache
+        */
+       opaque_connection_state = talloc_zero(conn, struct dsdb_encrypted_connection_state);
+       if (opaque_connection_state == NULL) {
+               return LDB_ERR_OPERATIONS_ERROR;
+       }
+       opaque_connection_state->using_encrypted_connection = using_tls || using_seal;
+       ret = ldb_set_opaque(conn->ldb,
+                            DSDB_OPAQUE_ENCRYPTED_CONNECTION_STATE_NAME,
+                            opaque_connection_state);
+       if (ret != LDB_SUCCESS) {
+               DBG_ERR("ldb_set_opaque() failed to store our "
+                       "encrypted connection state!");
+               return ret;
+       }
+
        if (conn->server_credentials) {
                struct gensec_security *gensec_security = NULL;
                const char **sasl_mechs = NULL;
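Review bot: `using_encrypted_connection` is computed once from `conn->sockets.active` and `conn->gensec` at the top of ldapsrv_backend_Init and then stored in the opaque for the lifetime of `conn->ldb`, so it stays accurate only if this function is run again whenever the connection's protection changes (a later bind that negotiates seal, or StartTLS followed by a bind) — something I cannot confirm from this hunk. The comment above `talloc_zero` explains why ldb_set_opaque is safe but not this dependency; adding `/* Snapshot of the transport state at init: backend init must be re-run after any change to TLS or SASL sealing, or the password_hash check reads a stale flag. */` would make it explicit. Since `using_seal` is taken from `conn->gensec` as it stands on entry, a connection whose gensec is only established by a later bind records false here and relies on that re-init. ldapsrv_backend_Init continues past this hunk.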