#
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_no_des3.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_ntlm_from_pac_must_change_now
-^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_ntlm_from_pac_smartcard_required
-^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_samlogon_smartcard_required
-^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_smartcard_required_must_change_now
+^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_ntlm_from_pac_smartcard_required_must_change_now\(
+^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_smartcard_required_must_change_now\(
+^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_smartcard_required_must_change_before_tgt_expiry
+^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_smartcard_required_must_change_expired
+^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_smartcard_required_must_change_short_tgt
+^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_smartcard_required_must_change_soon
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_smartcard_required_must_change_before_tgt_expiry
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_smartcard_required_must_change_expired
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_smartcard_required_must_change_short_tgt
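Review bot: The three added entries for `must_change_before_tgt_expiry`, `must_change_expired` and `must_change_short_tgt` appear byte-identical to the three unchanged lines that directly follow them, so the list would now carry each of those patterns twice. If the intent was to tighten them the way the `must_change_now` entries were, the new lines should end in `\(` like the two additions above them; otherwise they look redundant and can be dropped. This is read from the rendered hunk, so a trailing difference lost in rendering is possible and worth checking against the actual file.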
return ret;
}
- if (!io->ac->update_password) {
+ if (!io->ac->update_password && !io->ac->smartcard_reset) {
return LDB_SUCCESS;
}
if (io->u.is_krbtgt) {
- size_t min = 196;
- size_t max = 255;
- size_t diff = max - min;
- size_t len = max;
- struct ldb_val *krbtgt_utf16 = NULL;
-
if (!io->ac->pwd_reset) {
return dsdb_module_werror(io->ac->module,
LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS,
WERR_DS_INVALID_ATTRIBUTE_SYNTAX,
"Password reset on krbtgt requires UTF16!");
}
+ }
+
+ /*
+ * Both krbtgt and smartcard reset (on addition of
+ * UF_SMARTCARD_REQUIRED) need random passwords for all
+ * supported keys
+ */
+ if (io->u.is_krbtgt || io->ac->smartcard_reset) {
+ size_t min = 196;
+ size_t max = 255;
+ size_t diff = max - min;
+ size_t len = max;
+ struct ldb_val *krbtgt_utf16 = NULL;
/*
* Instead of taking the callers value,
static int setup_smartcard_reset(struct setup_password_fields_io *io)
{
- struct ldb_context *ldb = ldb_module_get_ctx(io->ac->module);
- struct supplementalCredentialsBlob scb = { .__ndr_size = 0 };
- enum ndr_err_code ndr_err;
if (!io->ac->smartcard_reset) {
return LDB_SUCCESS;
}
- io->g.nt_hash = talloc(io->ac, struct samr_Password);
- if (io->g.nt_hash == NULL) {
- return ldb_module_oom(io->ac->module);
- }
- generate_secret_buffer(io->g.nt_hash->hash,
- sizeof(io->g.nt_hash->hash));
- io->g.nt_history_len = 0;
-
/*
- * We take the "old" value and store it
- * with num_packages = 0.
- *
- * On "add" we have scb.sub.signature == 0, which
- * results in:
- *
- * [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00
- *
- * On modify it's likely to be scb.sub.signature ==
- * SUPPLEMENTAL_CREDENTIALS_SIGNATURE (0x0050), which results in
- * something like:
- *
- * [0000] 00 00 00 00 62 00 00 00 00 00 00 00 20 00 20 00
- * [0010] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00
- * [0020] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00
- * [0030] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00
- * [0040] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00
- * [0050] 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00
- * [0060] 20 00 20 00 20 00 20 00 20 00 20 00 50 00 00
- *
- * See https://bugzilla.samba.org/show_bug.cgi?id=11441
- * and ndr_{push,pull}_supplementalCredentialsSubBlob().
+ * We must not keep the old password history otherwise the
+ * password will not appear to have been randomised until the
+ * 60min window is over
*/
- scb = io->o.scb;
- scb.sub.num_packages = 0;
+ io->g.nt_history_len = 0;
/*
- * setup 'supplementalCredentials' value without packages
+ * The password has been randomly set earlier, but now we need
+ * to declare this a password update so that the change is
+ * made (this ensures that the other rules about updates are
+ * skipped in case, which is the setting of
+ * UF_SMARTCARD_REQUIRED on an account
*/
- ndr_err = ndr_push_struct_blob(&io->g.supplemental, io->ac,
- &scb,
- (ndr_push_flags_fn_t)ndr_push_supplementalCredentialsBlob);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
- ldb_asprintf_errstring(ldb,
- "setup_smartcard_reset: "
- "failed to push supplementalCredentialsBlob: %s",
- nt_errstr(status));
- return LDB_ERR_OPERATIONS_ERROR;
- }
io->ac->update_password = true;
return LDB_SUCCESS;
}
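Review bot: With the `scb.sub.num_packages = 0` push removed, setup_smartcard_reset no longer rewrites supplementalCredentials itself, so whether the packages carried over from `io->o.scb` are replaced now depends entirely on the generic update path that `io->ac->update_password = true` enables; please confirm that path regenerates every package from the random password rather than merging with the stored blob, since a stale package surviving a smartcard reset would undo the point of the reset. The new comment above that assignment is hard to parse ("skipped in case, which is the setting of"); suggest `/* The random password was generated earlier; flag this as a password update so it is written, and so the usual restrictions on updates are skipped for the UF_SMARTCARD_REQUIRED case. */`. Dropping the `ldb` local together with its only remaining user is consistent.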
}
+ /*
+ * There is no restriction on a smartcard_reset update, even
+ * if a password was specified, as it is randomised in this
+ * module.
+ */
+ if (io->ac->smartcard_reset) {
+ return LDB_SUCCESS;
+ }
+
+ /*
+ * Only non-trust accounts have restrictions.
+ *
+ * This is where a krbtgt random password set will also exit, as
+ * io->u.restrictions = 0 is called earlier.
+ */
if (io->u.restrictions == 0) {
- /* FIXME: Is this right? */
return LDB_SUCCESS;
}