s4-auth: Use consistant externally-supplied time in auth stack
authorAndrew Bartlett <abartlet@samba.org>
Wed, 29 May 2024 02:51:01 +0000 (14:51 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Mon, 10 Jun 2024 04:27:30 +0000 (04:27 +0000)
This makes the time during authentication stay consistent in the KDC
and follows the fake time when we are testing gMSA accounts.  By having
the account expiry follow exactly the same clock as the password expiry
we can hope for fewer surprises.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
source4/auth/auth.h
source4/auth/ntlm/auth_sam.c
source4/auth/sam.c
source4/kdc/pac-glue.c

index 1ea4f11d581bc51278a6c51a3407816332c1cd83..ecb33e8c356a7c361a35fc8b5e22625037cdb09a 100644 (file)
@@ -109,6 +109,7 @@ struct cli_credentials;
 NTSTATUS auth_get_challenge(struct auth4_context *auth_ctx, uint8_t chal[8]);
 NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
                            struct ldb_context *sam_ctx,
+                           NTTIME now,
                            uint32_t logon_parameters,
                            struct ldb_dn *domain_dn,
                            struct ldb_message *msg,
index c5355a3554d8205b1bf95eb1c7c122a761fd2db6..e3eef793cd135a0b043fde1a38dd93d795e55037 100644 (file)
@@ -322,6 +322,13 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
        uint32_t userAccountControl = 0;
        uint32_t current_kvno = 0;
        bool am_rodc;
+       NTTIME now;
+       bool time_ok;
+
+       time_ok = dsdb_gmsa_current_time(sam_ctx, &now);
+       if (!time_ok) {
+               return NT_STATUS_INTERNAL_ERROR;
+       }
 
        tmp_ctx = talloc_new(mem_ctx);
        if (tmp_ctx == NULL) {
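Review bot: The new early return on `time_ok` failure at the top of authsam_password_check_and_record reports NT_STATUS_INTERNAL_ERROR without logging anything, so a clock-source failure during authentication reaches the client as a generic error with no server-side trace; a `DBG_ERR("dsdb_gmsa_current_time() failed\n");` before the return would make it diagnosable. Note also that the status differs from the in-loop path this commit removes, which returned NT_STATUS_WRONG_PASSWORD for the same failure; an internal error for a server-side fault looks right, but a one-line comment would stop it being read as a regression. The function body continues past the end of this hunk.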
@@ -469,10 +476,8 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
        for (i = 1; i < MIN(history_len, 3); i++) {
                const struct samr_Password *nt_history_pwd = NULL;
                NTTIME pwdLastSet;
-               NTTIME now;
                int allowed_period_mins;
                NTTIME allowed_period;
-               bool ok;
                bool is_gmsa;
 
                /* Reset these variables back to starting as empty */
@@ -668,11 +673,6 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
                allowed_period = (NTTIME) allowed_period_mins *
                                 60 * 1000*1000*10;
                pwdLastSet = samdb_result_nttime(msg, "pwdLastSet", 0);
-               ok = dsdb_gmsa_current_time(sam_ctx, &now);
-               if (!ok) {
-                       TALLOC_FREE(tmp_ctx);
-                       return NT_STATUS_WRONG_PASSWORD;
-               }
 
                if (now < pwdLastSet) {
                        /*
@@ -884,7 +884,17 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
        uint32_t acct_flags = samdb_result_acct_flags(msg, NULL);
        struct netr_SendToSamBase *send_to_sam = NULL;
        const struct authn_ntlm_client_policy *authn_client_policy = NULL;
-       TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+       struct ldb_context *sam_ctx = auth_context->sam_ctx;
+       TALLOC_CTX *tmp_ctx = NULL;
+       NTTIME now;
+       bool time_ok;
+
+       time_ok = dsdb_gmsa_current_time(sam_ctx, &now);
+       if (!time_ok) {
+               return NT_STATUS_INTERNAL_ERROR;
+       }
+
+       tmp_ctx = talloc_new(mem_ctx);
        if (!tmp_ctx) {
                return NT_STATUS_NO_MEMORY;
        }
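Review bot: authsam_authenticate now reads the clock once via `dsdb_gmsa_current_time()` and hands it to authsam_account_ok, but the same commit has authsam_password_check_and_record fetch its own `now` independently; if those reads come from real time rather than a fixed test clock, the password-expiry and account-expiry checks within one logon can still observe slightly different instants, which is the skew the commit message sets out to remove. If authsam_authenticate is the caller of authsam_password_check_and_record (the call is not in this hunk), consider threading this `now` down as a parameter instead of re-reading it there. The function continues past the end of this hunk.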
@@ -956,6 +966,7 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
        }
 
        nt_status = authsam_account_ok(tmp_ctx, auth_context->sam_ctx,
+                                      now,
                                       user_info->logon_parameters,
                                       domain_dn,
                                       msg,
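Review bot: The call to authsam_account_ok still passes `auth_context->sam_ctx` even though this commit introduces a local `sam_ctx` in authsam_authenticate initialised from exactly that field, so both spellings now coexist in one function; for consistency use `nt_status = authsam_account_ok(tmp_ctx, sam_ctx,` here. The call statement continues beyond the end of this hunk.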
index 90b6348236952c5a0c90225c0bfe6a9319152d47..d70fc468e20bfe9bd70cd596530be465c2466e9e 100644 (file)
@@ -204,6 +204,7 @@ static bool logon_hours_ok(struct ldb_message *msg, const char *name_for_logs)
 ****************************************************************************/
 _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
                                     struct ldb_context *sam_ctx,
+                                    NTTIME now,
                                     uint32_t logon_parameters,
                                     struct ldb_dn *domain_dn,
                                     struct ldb_message *msg,
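Review bot: The new `now` parameter of authsam_account_ok is undocumented; the comment block preceding the function closes on the first context line of this hunk, so the place to document it lies just outside. Since the point of the change is that callers must supply the same clock used for their password-expiry checks (a KDC request time or the gMSA test clock, judging by the callers in this commit), a sentence such as `now: the NTTIME to evaluate account expiry and must-change-time against; pass the same clock used for password-expiry checks (see dsdb_gmsa_current_time()), not a fresh timeval_current().` would stop a future caller from reintroducing the skew. The parameter list continues beyond the end of this hunk.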
@@ -216,8 +217,6 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
        const char *workstation_list;
        NTTIME acct_expiry;
        NTTIME must_change_time;
-       struct timeval tv_now = timeval_current();
-       NTTIME now = timeval_to_nttime(&tv_now);
 
        DEBUG(4,("authsam_account_ok: Checking SMB password for user %s\n", name_for_logs));
 
index 58f089f4562829b05e1c732d32d6aa31fb8ee1ea..ca07fd377444fdbf7ae66ea43da1a124dedc7ed0 100644 (file)
@@ -1559,6 +1559,7 @@ NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry,
        /* we allow all kinds of trusts here */
        nt_status = authsam_account_ok(tmp_ctx,
                                       kdc_entry->kdc_db_ctx->samdb,
+                                      kdc_entry->current_nttime,
                                       MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
                                       MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
                                       kdc_entry->realm_dn, kdc_entry->msg,
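Review bot: The account-expiry check in samba_kdc_check_client_access now depends entirely on `kdc_entry->current_nttime`, and nothing in this hunk shows where that field is populated; if any path can hand over an entry with the field still zero, authsam_account_ok would evaluate expiry against the NT epoch rather than the request time. If population is guaranteed by whoever constructs the entry, a comment at the call site, `/* current_nttime is the request clock recorded when the entry was built; it must match the clock used for password-expiry checks */`, would record that invariant; if it is not guaranteed, a guard returning NT_STATUS_INTERNAL_ERROR on a zero value would be safer than a silent epoch comparison. The call continues beyond the end of this hunk.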