From d03b3faeb8e6e3446c606b3f167d2e9917514fda Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 29 May 2024 14:51:01 +1200
Subject: [PATCH] s4-auth: Use consistant externally-supplied time in auth stack

This makes the time during authentication stay consistent in the KDC and follows the fake time when we are testing gMSA accounts. By having the account expiry follow exactly the same clock as the password expiry we can hope for less supprises.

Signed-off-by: Andrew Bartlett
Reviewed-by: Jo Sutton
---
 source4/auth/auth.h | 1 +
 source4/auth/ntlm/auth_sam.c | 27 +++++++++++++++++++--------
 source4/auth/sam.c | 3 +--
 source4/kdc/pac-glue.c | 1 +
 4 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 1ea4f11d581..ecb33e8c356 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -109,6 +109,7 @@ struct cli_credentials;
 NTSTATUS auth_get_challenge(struct auth4_context *auth_ctx, uint8_t chal[8]);
 NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 struct ldb_context *sam_ctx,
+ NTTIME now,
 uint32_t logon_parameters,
 struct ldb_dn *domain_dn,
 struct ldb_message *msg,
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index c5355a3554d..e3eef793cd1 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -322,6 +322,13 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
 uint32_t userAccountControl = 0;
 uint32_t current_kvno = 0;
 bool am_rodc;
+ NTTIME now;
+ bool time_ok;
+
+ time_ok = dsdb_gmsa_current_time(sam_ctx, &now);
+ if (!time_ok) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
 
 tmp_ctx = talloc_new(mem_ctx);
 if (tmp_ctx == NULL) {
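Review bot: The new `dsdb_gmsa_current_time()` call at the top of authsam_password_check_and_record has no comment saying why the time is taken from the gMSA-aware helper instead of the wall clock, which is the whole reason for the change and will not be obvious to the next reader; I would add above it `/* Sample the clock once, via the gMSA-aware helper, so test-time overrides and every later time check in this logon see the same "now". */`. Note also that a clock failure now returns `NT_STATUS_INTERNAL_ERROR`, whereas the block this replaces (removed in the -668 hunk) returned `NT_STATUS_WRONG_PASSWORD`; INTERNAL_ERROR is the more honest status, but it is a visible behaviour change that deserves a sentence in the commit message. The enclosing function starts and ends outside this hunk.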
@@ -469,10 +476,8 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
 for (i = 1; i < MIN(history_len, 3); i++) {
 const struct samr_Password *nt_history_pwd = NULL;
 NTTIME pwdLastSet;
- NTTIME now;
 int allowed_period_mins;
 NTTIME allowed_period;
- bool ok;
 bool is_gmsa;
 
 /* Reset these variables back to starting as empty */
@@ -668,11 +673,6 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
 allowed_period = (NTTIME) allowed_period_mins * 60 * 1000*1000*10;
 pwdLastSet = samdb_result_nttime(msg, "pwdLastSet", 0);
 
- ok = dsdb_gmsa_current_time(sam_ctx, &now);
- if (!ok) {
- TALLOC_FREE(tmp_ctx);
- return NT_STATUS_WRONG_PASSWORD;
- }
 
 if (now < pwdLastSet) {
 /*
@@ -884,7 +884,17 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
 uint32_t acct_flags = samdb_result_acct_flags(msg, NULL);
 struct netr_SendToSamBase *send_to_sam = NULL;
 const struct authn_ntlm_client_policy *authn_client_policy = NULL;
- TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ struct ldb_context *sam_ctx = auth_context->sam_ctx;
+ TALLOC_CTX *tmp_ctx = NULL;
+ NTTIME now;
+ bool time_ok;
+
+ time_ok = dsdb_gmsa_current_time(sam_ctx, &now);
+ if (!time_ok) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ tmp_ctx = talloc_new(mem_ctx);
 if (!tmp_ctx) {
 return NT_STATUS_NO_MEMORY;
 }
@@ -956,6 +966,7 @@ static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
 }
 
 nt_status = authsam_account_ok(tmp_ctx, auth_context->sam_ctx,
+ now,
 user_info->logon_parameters,
 domain_dn,
 msg,
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 90b63482369..d70fc468e20 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
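Review bot: The `now` sampled here in authsam_authenticate is a second, independent `dsdb_gmsa_current_time()` read alongside the one this commit adds at the top of authsam_password_check_and_record (the -322 hunk), so if authsam_authenticate calls into that function during the same logon — its body is not visible here, so I am inferring — the password-history window and the authsam_account_ok expiry checks still run against two clock samples that can differ by whatever elapses between them. The commit message promises one clock for both, and the cleanest way to get it is to thread this `now` down as a parameter, exactly as was done for authsam_account_ok, instead of re-reading it inside the callee. Otherwise the early return before `talloc_new()` is correctly placed, since nothing has been allocated yet. The enclosing function starts and ends outside this hunk.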
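Review bot: The call `nt_status = authsam_account_ok(tmp_ctx, auth_context->sam_ctx,` still spells out `auth_context->sam_ctx` even though the -884 hunk of the same function just introduced a `sam_ctx` local for exactly this value; using the local, `nt_status = authsam_account_ok(tmp_ctx, sam_ctx,`, keeps the two call sites obviously on the same database handle and avoids a reader wondering whether they differ. This is style only; the behaviour is identical. The enclosing function starts and ends outside this hunk.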
@@ -204,6 +204,7 @@ static bool logon_hours_ok(struct ldb_message *msg, const char *name_for_logs)
 ****************************************************************************/
 _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 struct ldb_context *sam_ctx,
+ NTTIME now,
 uint32_t logon_parameters,
 struct ldb_dn *domain_dn,
 struct ldb_message *msg,
@@ -216,8 +217,6 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 const char *workstation_list;
 NTTIME acct_expiry;
 NTTIME must_change_time;
- struct timeval tv_now = timeval_current();
- NTTIME now = timeval_to_nttime(&tv_now);
 
 DEBUG(4,("authsam_account_ok: Checking SMB password for user %s\n",
 name_for_logs));
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 58f089f4562..ca07fd37744 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -1559,6 +1559,7 @@ NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry,
 /* we allow all kinds of trusts here */
 nt_status = authsam_account_ok(tmp_ctx,
 kdc_entry->kdc_db_ctx->samdb,
+ kdc_entry->current_nttime,
 MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
 MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
 kdc_entry->realm_dn, kdc_entry->msg,
-- 
2.47.3
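Review bot: The new `NTTIME now` parameter of authsam_account_ok is not documented anywhere in this hunk, and the function's header comment (the `****/` line is its tail; the text sits above the hunk) is the natural place, since the function has gone from "checks the account against the wall clock" to "checks it against whatever time the caller hands in". I would extend that header with a sentence along the lines of: `now` is the caller's view of the current time, as NTTIME, and must come from the same clock the caller used for its password checks (for Samba callers that is dsdb_gmsa_current_time() or the KDC entry's current_nttime); account-expiry and must-change decisions are made against this value, not timeval_current(). That wording also records the trust shift for anyone adding a new caller: a wrong or unset `now` now directly changes the expiry outcome. The enclosing function continues past the end of this hunk.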
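Review bot: `kdc_entry->current_nttime` is passed straight into authsam_account_ok with no check that it was ever populated, whereas the NTLM callers in auth_sam.c fail closed with `NT_STATUS_INTERNAL_ERROR` when they cannot obtain a time. If any path that builds a samba_kdc_entry leaves the field at zero — I cannot see the constructors from here — authsam_account_ok would be comparing the account's expiry against the NT epoch rather than the present, and for an expiry test that is the permissive direction. A cheap guard before the call, `if (kdc_entry->current_nttime == 0) { return NT_STATUS_INTERNAL_ERROR; }` (or an SMB_ASSERT if every constructor is known to set it), keeps the KDC path as fail-closed as the NTLM one. The enclosing function starts and ends outside this hunk.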