From: Stefan Metzmacher
Date: Mon, 7 Feb 2022 18:32:08 +0000 (+0100)
Subject: s4:kdc: translate sdb_entry->old[er]_keys into hdb_add_history_key()
X-Git-Tag: talloc-2.4.1~258
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a75378e354286d095d82f644d645768345cd00fb;p=thirdparty%2Fsamba.git

s4:kdc: translate sdb_entry->old[er]_keys into hdb_add_history_key()

It means that using the old or older password no longer changes badPwdCount for Kerberos authentication.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14054

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett

Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Sat Jun 24 07:18:03 UTC 2023 on atb-devel-224
---

diff --git a/selftest/knownfail.d/test_login_basics_krb5 b/selftest/knownfail.d/test_login_basics_krb5
deleted file mode 100644
index c77f20fdcdb..00000000000
--- a/selftest/knownfail.d/test_login_basics_krb5
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.ldap.login_basics.python.*.__main__.BasicUserAuthTests.test_login_basics_krb5
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 9c5b76cac5a..8196f4f4d6b 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -2221,3 +2221,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_bad_pwd_allowed_from_user_deny.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_denied_no_fast.ad_dc
 ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_tgt_lifetime_min.ad_dc
+#
+# MIT does not support password history in order to avoid badPwdCount changes
+# with the last password, see https://bugzilla.samba.org/show_bug.cgi?id=14054
+#
+^samba4.ldap.login_basics.python.*.__main__.BasicUserAuthTests.test_login_basics_krb5
diff --git a/source4/kdc/sdb_to_hdb.c b/source4/kdc/sdb_to_hdb.c
index 994a52d7d44..93d2f3f5980 100644
--- a/source4/kdc/sdb_to_hdb.c
+++ b/source4/kdc/sdb_to_hdb.c
@@ -147,6 +147,31 @@ static int sdb_keys_to_Keys(const struct sdb_keys *s, Keys *h)
 	return 0;
 }
 
+static int sdb_keys_to_HistKeys(krb5_context context,
+				const struct sdb_keys *s,
+				krb5_kvno kvno,
+				hdb_entry *h)
+{
+	unsigned int i;
+
+	for (i = 0; i < s->len; i++) {
+		Key k = { 0, };
+		int ret;
+
+		ret = sdb_key_to_Key(&s->val[i], &k);
+		if (ret != 0) {
+			return ENOMEM;
+		}
+		ret = hdb_add_history_key(context, h, kvno, &k);
+		free_Key(&k);
+		if (ret != 0) {
+			return ENOMEM;
+		}
+	}
+
+	return 0;
+}
+
 static int sdb_event_to_Event(krb5_context context,
 			      const struct sdb_event *s,
 			      Event *h)
 {
@@ -192,6 +217,26 @@ int sdb_entry_to_hdb_entry(krb5_context context,
 		goto error;
 	}
 
+	if (h->kvno > 1) {
+		rc = sdb_keys_to_HistKeys(context,
+					  &s->old_keys,
+					  h->kvno - 1,
+					  h);
+		if (rc != 0) {
+			goto error;
+		}
+	}
+
+	if (h->kvno > 2) {
+		rc = sdb_keys_to_HistKeys(context,
+					  &s->older_keys,
+					  h->kvno - 2,
+					  h);
+		if (rc != 0) {
+			goto error;
+		}
+	}
+
 	rc = sdb_event_to_Event(context, &s->created_by, &h->created_by);
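Review bot: sdb_keys_to_HistKeys collapses every failure into ENOMEM, so a non-allocation error from hdb_add_history_key() (its return value is discarded after the check) reaches the caller as out-of-memory and cannot be distinguished in logs or by error handling; on both failure paths `return ret;` would propagate the real code and still yields ENOMEM when that is the actual cause. Whether sdb_key_to_Key() releases a partially-built Key when it fails is not visible in this hunk; if it does not, the first error path should also call `free_Key(&k)` before returning, since the struct holds key material. The new helper also has no header comment; something like `/* Add each key in s to h's history keyset under kvno; h keeps its own copy, so k is released after every add. */` would help, with the copy semantics inferred from the free_Key() after the add to be confirmed against hdb_add_history_key().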