1 files changed, 264 insertions, 0 deletions
diff --git a/source4/kdc/kpasswd-helper.c b/source4/kdc/kpasswd-helper.c
new file mode 100644
index 0000000..3e4ea36
--- /dev/null
+++ b/source4/kdc/kpasswd-helper.c
@@ -0,0 +1,264 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   Samba kpasswd implementation
+
+   Copyright (c) 2005      Andrew Bartlett <abartlet@samba.org>
+   Copyright (c) 2016      Andreas Schneider <asn@samba.org>
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "system/kerberos.h"
+#include "librpc/gen_ndr/samr.h"
+#include "dsdb/samdb/samdb.h"
+#include "auth/auth.h"
+#include "kdc/kpasswd-helper.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_KERBEROS
+
+bool kpasswd_make_error_reply(TALLOC_CTX *mem_ctx,
+			      krb5_error_code error_code,
+			      const char *error_string,
+			      DATA_BLOB *error_data)
+{
+	bool ok;
+	char *s;
+	size_t slen;
+
+	if (error_code == 0) {
+		DBG_DEBUG("kpasswd reply - %s\n", error_string);
+	} else {
+		DBG_INFO("kpasswd reply - %s\n", error_string);
+	}
+
+	ok = push_utf8_talloc(mem_ctx, &s, error_string, &slen);
+	if (!ok) {
+		return false;
+	}
+
+	/*
+	 * The string 's' has one terminating nul-byte which is also
+	 * reflected by 'slen'. We subtract it from the length.
+	 */
+	if (slen < 1) {
+		talloc_free(s);
+		return false;
+	}
+	slen--;
+
+	/* Two bytes are added to the length to account for the error code. */
+	if (2 + slen < slen) {
+		talloc_free(s);
+		return false;
+	}
+	error_data->length = 2 + slen;
+	error_data->data = talloc_size(mem_ctx, error_data->length);
+	if (error_data->data == NULL) {
+		talloc_free(s);
+		return false;
+	}
+
+	RSSVAL(error_data->data, 0, error_code);
+	memcpy(error_data->data + 2, s, slen);
+
+	talloc_free(s);
+
+	return true;
+}
+
+bool kpasswd_make_pwchange_reply(TALLOC_CTX *mem_ctx,
+				 NTSTATUS status,
+				 enum samPwdChangeReason reject_reason,
+				 struct samr_DomInfo1 *dominfo,
+				 DATA_BLOB *error_blob)
+{
+	const char *reject_string = NULL;
+
+	if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
+		return kpasswd_make_error_reply(mem_ctx,
+						KRB5_KPASSWD_ACCESSDENIED,
+						"No such user when changing password",
+						error_blob);
+	} else if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+		return kpasswd_make_error_reply(mem_ctx,
+						KRB5_KPASSWD_ACCESSDENIED,
+						"Not permitted to change password",
+						error_blob);
+	}
+	if (dominfo != NULL &&
+	    NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
+		switch (reject_reason) {
+		case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT:
+			reject_string =
+				talloc_asprintf(mem_ctx,
+						"Password too short, password "
+						"must be at least %d characters "
+						"long.",
+						dominfo->min_password_length);
+			if (reject_string == NULL) {
+				reject_string = "Password too short";
+			}
+			break;
+		case SAM_PWD_CHANGE_NOT_COMPLEX:
+			reject_string = "Password does not meet complexity "
+					"requirements";
+			break;
+		case SAM_PWD_CHANGE_PWD_IN_HISTORY:
+			reject_string =
+				talloc_asprintf(mem_ctx,
+						"Password is already in password "
+						"history. New password must not "
+						"match any of your %d previous "
+						"passwords.",
+						dominfo->password_history_length);
+			if (reject_string == NULL) {
+				reject_string = "Password is already in password "
+						"history";
+			}
+			break;
+		default:
+			reject_string = "Password change rejected, password "
+					"changes may not be permitted on this "
+					"account, or the minimum password age "
+					"may not have elapsed.";
+			break;
+		}
+
+		return kpasswd_make_error_reply(mem_ctx,
+						KRB5_KPASSWD_SOFTERROR,
+						reject_string,
+						error_blob);
+	}
+
+	if (!NT_STATUS_IS_OK(status)) {
+		reject_string = talloc_asprintf(mem_ctx,
+						"Failed to set password: %s",
+						nt_errstr(status));
+		if (reject_string == NULL) {
+			reject_string = "Failed to set password";
+		}
+		return kpasswd_make_error_reply(mem_ctx,
+						KRB5_KPASSWD_HARDERROR,
+						reject_string,
+						error_blob);
+	}
+
+	return kpasswd_make_error_reply(mem_ctx,
+					KRB5_KPASSWD_SUCCESS,
+					"Password changed",
+					error_blob);
+}
+
+NTSTATUS kpasswd_samdb_set_password(TALLOC_CTX *mem_ctx,
+				    struct tevent_context *event_ctx,
+				    struct loadparm_context *lp_ctx,
+				    struct auth_session_info *session_info,
+				    bool is_service_principal,
+				    const char *target_principal_name,
+				    DATA_BLOB *password,
+				    enum samPwdChangeReason *reject_reason,
+				    struct samr_DomInfo1 **dominfo)
+{
+	NTSTATUS status;
+	struct ldb_context *samdb;
+	struct ldb_dn *target_dn = NULL;
+	int rc;
+
+	samdb = samdb_connect(mem_ctx,
+			      event_ctx,
+			      lp_ctx,
+			      session_info,
+			      NULL,
+			      0);
+	if (samdb == NULL) {
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+
+	DBG_INFO("%s\\%s (%s) is changing password of %s\n",
+		 session_info->info->domain_name,
+		 session_info->info->account_name,
+		 dom_sid_string(mem_ctx,
+				&session_info->security_token->sids[PRIMARY_USER_SID_INDEX]),
+		 target_principal_name);
+
+	rc = ldb_transaction_start(samdb);
+	if (rc != LDB_SUCCESS) {
+		return NT_STATUS_TRANSACTION_ABORTED;
+	}
+
+	if (is_service_principal) {
+		status = crack_service_principal_name(samdb,
+						      mem_ctx,
+						      target_principal_name,
+						      &target_dn,
+						      NULL);
+	} else {
+		status = crack_user_principal_name(samdb,
+						   mem_ctx,
+						   target_principal_name,
+						   &target_dn,
+						   NULL);
+	}
+	if (!NT_STATUS_IS_OK(status)) {
+		ldb_transaction_cancel(samdb);
+		return status;
+	}
+
+	status = samdb_set_password(samdb,
+				    mem_ctx,
+				    target_dn,
+				    NULL, /* domain_dn */
+				    password,
+				    NULL, /* ntNewHash */
+				    DSDB_PASSWORD_RESET,
+				    reject_reason,
+				    dominfo);
+	if (NT_STATUS_IS_OK(status)) {
+		rc = ldb_transaction_commit(samdb);
+		if (rc != LDB_SUCCESS) {
+			DBG_WARNING("Failed to commit transaction to "
+				    "set password on %s: %s\n",
+				    ldb_dn_get_linearized(target_dn),
+				    ldb_errstring(samdb));
+			return NT_STATUS_TRANSACTION_ABORTED;
+		}
+	} else {
+		ldb_transaction_cancel(samdb);
+	}
+
+	return status;
+}
+
+krb5_error_code kpasswd_check_non_tgt(struct auth_session_info *session_info,
+				      const char **error_string)
+{
+	switch(session_info->ticket_type) {
+	case TICKET_TYPE_TGT:
+		/* TGTs are disallowed here. */
+		*error_string = "A TGT may not be used as a ticket to kpasswd";
+		return KRB5_KPASSWD_AUTHERROR;
+	case TICKET_TYPE_NON_TGT:
+		/* Non-TGTs are permitted, and expected. */
+		break;
+	default:
+		/* In case we forgot to set the type. */
+		*error_string = "Failed to ascertain that ticket to kpasswd is not a TGT";
+		return KRB5_KPASSWD_HARDERROR;
+	}
+
+	return 0;
+}