bool pdb_set_plaintext_passwd(struct samu *sampass, const char *plaintext) { uchar new_lanman_p16[LM_HASH_LEN]; uchar new_nt_p16[NT_HASH_LEN]; uchar *pwhistory; uint32 pwHistLen; uint32 current_history_len; if (!plaintext) return False; /* Calculate the MD4 hash (NT compatible) of the password */ E_md4hash(plaintext, new_nt_p16); if (!pdb_set_nt_passwd (sampass, new_nt_p16, PDB_CHANGED)) return False; if (!E_deshash(plaintext, new_lanman_p16)) { /* E_deshash returns false for 'long' passwords (> 14 DOS chars). This allows us to match Win2k, which does not store a LM hash for these passwords (which would reduce the effective password length to 14 */ if (!pdb_set_lanman_passwd (sampass, NULL, PDB_CHANGED)) return False; } else { if (!pdb_set_lanman_passwd (sampass, new_lanman_p16, PDB_CHANGED)) return False; } if (!pdb_set_plaintext_pw_only (sampass, plaintext, PDB_CHANGED)) return False; if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED)) return False; if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) == 0) { /* * No password history for non-user accounts */ return true; } pdb_get_account_policy(PDB_POLICY_PASSWORD_HISTORY, &pwHistLen); if (pwHistLen == 0) { /* Set the history length to zero. */ pdb_set_pw_history(sampass, NULL, 0, PDB_CHANGED); return true; } /* * We need to make sure we don't have a race condition here - * the account policy history length can change between when * the pw_history was first loaded into the struct samu struct * and now.... JRA. */ pwhistory = (uchar *)pdb_get_pw_history(sampass, ¤t_history_len); if ((current_history_len != 0) && (pwhistory == NULL)) { DEBUG(1, ("pdb_set_plaintext_passwd: pwhistory == NULL!\n")); return false; } if (current_history_len < pwHistLen) { /* * Ensure we have space for the needed history. This * also takes care of an account which did not have * any history at all so far, i.e. pwhistory==NULL */ uchar *new_history = talloc_zero_array( sampass, uchar, pwHistLen*PW_HISTORY_ENTRY_LEN); if (!new_history) { return False; } memcpy(new_history, pwhistory, current_history_len*PW_HISTORY_ENTRY_LEN); pwhistory = new_history; } /* * Make room for the new password in the history list. */ if (pwHistLen > 1) { memmove(&pwhistory[PW_HISTORY_ENTRY_LEN], pwhistory, (pwHistLen-1)*PW_HISTORY_ENTRY_LEN ); } /* * Fill the salt area with 0-s: this indicates that * a plain nt hash is stored in the has area. * The old format was to store a 16 byte salt and * then an md5hash of the nt_hash concatenated with * the salt. */ memset(pwhistory, 0, PW_HISTORY_SALT_LEN); /* * Store the plain nt hash in the second 16 bytes. * The old format was to store the md5 hash of * the salt+newpw. */ memcpy(&pwhistory[PW_HISTORY_SALT_LEN], new_nt_p16, SALTED_MD5_HASH_LEN); pdb_set_pw_history(sampass, pwhistory, pwHistLen, PDB_CHANGED); return True; }
int main(int argc, char **argv) { TALLOC_CTX *ctx; struct samu *out = NULL; struct samu *in = NULL; NTSTATUS rv; int i; struct timeval tv; BOOL error = False; struct passwd *pwd; uint8 *buf; uint32 expire, min_age, history; struct pdb_methods *pdb; poptContext pc; static const char *backend = NULL; static const char *unix_user = "******"; struct poptOption long_options[] = { {"username", 'u', POPT_ARG_STRING, &unix_user, 0, "Unix user to use for testing", "USERNAME" }, {"backend", 'b', POPT_ARG_STRING, &backend, 0, "Backend to use if not default", "BACKEND[:SETTINGS]" }, POPT_AUTOHELP POPT_COMMON_SAMBA POPT_TABLEEND }; load_case_tables(); pc = poptGetContext("vfstest", argc, (const char **) argv, long_options, 0); poptSetOtherOptionHelp(pc, "backend[:settings] username"); while(poptGetNextOpt(pc) != -1); poptFreeContext(pc); /* Load configuration */ lp_load(dyn_CONFIGFILE, False, False, True, True); setup_logging("pdbtest", True); if (backend == NULL) { backend = lp_passdb_backend(); } rv = make_pdb_method_name(&pdb, backend); if (NT_STATUS_IS_ERR(rv)) { fprintf(stderr, "Error initializing '%s': %s\n", backend, get_friendly_nt_error_msg(rv)); exit(1); } ctx = talloc_init("PDBTEST"); if (!(out = samu_new(ctx))) { fprintf(stderr, "Can't create samu structure.\n"); exit(1); } if ((pwd = getpwnam_alloc(ctx, unix_user)) == NULL) { fprintf(stderr, "Error getting user information for %s\n", unix_user); exit(1); } samu_set_unix(out, pwd); pdb_set_profile_path(out, "\\\\torture\\profile", PDB_SET); pdb_set_homedir(out, "\\\\torture\\home", PDB_SET); pdb_set_logon_script(out, "torture_script.cmd", PDB_SET); pdb_get_account_policy(AP_PASSWORD_HISTORY, &history); if (history * PW_HISTORY_ENTRY_LEN < NT_HASH_LEN) { buf = (uint8 *)TALLOC(ctx, NT_HASH_LEN); } else { buf = (uint8 *)TALLOC(ctx, history * PW_HISTORY_ENTRY_LEN); } /* Generate some random hashes */ GetTimeOfDay(&tv); srand(tv.tv_usec); for (i = 0; i < NT_HASH_LEN; i++) { buf[i] = (uint8) rand(); } pdb_set_nt_passwd(out, buf, PDB_SET); for (i = 0; i < LM_HASH_LEN; i++) { buf[i] = (uint8) rand(); } pdb_set_lanman_passwd(out, buf, PDB_SET); for (i = 0; i < history * PW_HISTORY_ENTRY_LEN; i++) { buf[i] = (uint8) rand(); } pdb_set_pw_history(out, buf, history, PDB_SET); pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &expire); pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &min_age); pdb_set_pass_last_set_time(out, time(NULL), PDB_SET); if (expire == 0 || expire == (uint32)-1) { pdb_set_pass_must_change_time(out, get_time_t_max(), PDB_SET); } else { pdb_set_pass_must_change_time(out, time(NULL)+expire, PDB_SET); } if (min_age == (uint32)-1) { pdb_set_pass_can_change_time(out, 0, PDB_SET); } else { pdb_set_pass_can_change_time(out, time(NULL)+min_age, PDB_SET); } /* Create account */ if (!NT_STATUS_IS_OK(rv = pdb->add_sam_account(pdb, out))) { fprintf(stderr, "Error in add_sam_account: %s\n", get_friendly_nt_error_msg(rv)); exit(1); } if (!(in = samu_new(ctx))) { fprintf(stderr, "Can't create samu structure.\n"); exit(1); } /* Get account information through getsampwnam() */ if (NT_STATUS_IS_ERR(pdb->getsampwnam(pdb, in, out->username))) { fprintf(stderr, "Error getting sampw of added user %s.\n", out->username); if (!NT_STATUS_IS_OK(rv = pdb->delete_sam_account(pdb, out))) { fprintf(stderr, "Error in delete_sam_account %s\n", get_friendly_nt_error_msg(rv)); } TALLOC_FREE(ctx); } /* Verify integrity */ if (samu_correct(out, in)) { printf("User info written correctly\n"); } else { printf("User info NOT written correctly\n"); error = True; } /* Delete account */ if (!NT_STATUS_IS_OK(rv = pdb->delete_sam_account(pdb, out))) { fprintf(stderr, "Error in delete_sam_account %s\n", get_friendly_nt_error_msg(rv)); } pdb->setsampwent(pdb, False, 0); while (NT_STATUS_IS_OK(pdb->getsampwent(pdb, out))) { if (pdb_get_username(out) == NULL) { fprintf(stderr, "Got bad username through getsampwent()\n"); error = True; break; } if (NT_STATUS_IS_ERR(pdb->getsampwnam(pdb, in, pdb_get_username(out)))) { fprintf(stderr, "Error getting samu through getsampwnam() of an account we got through getsampwent!\n"); error = True; continue; } if (!samu_correct(out, in)) { printf("Record gotten through getsampwnam() differs from same record through getsampwent()\n"); } } pdb->endsampwent(pdb); TALLOC_FREE(ctx); if (error) { return 1; } return 0; }
bool pdb_set_plaintext_passwd(struct samu *sampass, const char *plaintext) { uchar new_lanman_p16[LM_HASH_LEN]; uchar new_nt_p16[NT_HASH_LEN]; if (!plaintext) return False; /* Calculate the MD4 hash (NT compatible) of the password */ E_md4hash(plaintext, new_nt_p16); if (!pdb_set_nt_passwd (sampass, new_nt_p16, PDB_CHANGED)) return False; if (!E_deshash(plaintext, new_lanman_p16)) { /* E_deshash returns false for 'long' passwords (> 14 DOS chars). This allows us to match Win2k, which does not store a LM hash for these passwords (which would reduce the effective password length to 14 */ if (!pdb_set_lanman_passwd (sampass, NULL, PDB_CHANGED)) return False; } else { if (!pdb_set_lanman_passwd (sampass, new_lanman_p16, PDB_CHANGED)) return False; } if (!pdb_set_plaintext_pw_only (sampass, plaintext, PDB_CHANGED)) return False; if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED)) return False; /* Store the password history. */ if (pdb_get_acct_ctrl(sampass) & ACB_NORMAL) { uchar *pwhistory; uint32 pwHistLen; pdb_get_account_policy(AP_PASSWORD_HISTORY, &pwHistLen); if (pwHistLen != 0){ uint32 current_history_len; /* We need to make sure we don't have a race condition here - the account policy history length can change between when the pw_history was first loaded into the struct samu struct and now.... JRA. */ pwhistory = (uchar *)pdb_get_pw_history(sampass, ¤t_history_len); if (current_history_len != pwHistLen) { /* After closing and reopening struct samu the history values will sync up. We can't do this here. */ /* current_history_len > pwHistLen is not a problem - we have more history than we need. */ if (current_history_len < pwHistLen) { /* Ensure we have space for the needed history. */ uchar *new_history = (uchar *)TALLOC(sampass, pwHistLen*PW_HISTORY_ENTRY_LEN); if (!new_history) { return False; } /* And copy it into the new buffer. */ if (current_history_len) { memcpy(new_history, pwhistory, current_history_len*PW_HISTORY_ENTRY_LEN); } /* Clearing out any extra space. */ memset(&new_history[current_history_len*PW_HISTORY_ENTRY_LEN], '\0', (pwHistLen-current_history_len)*PW_HISTORY_ENTRY_LEN); /* Finally replace it. */ pwhistory = new_history; } } if (pwhistory && pwHistLen){ /* Make room for the new password in the history list. */ if (pwHistLen > 1) { memmove(&pwhistory[PW_HISTORY_ENTRY_LEN], pwhistory, (pwHistLen -1)*PW_HISTORY_ENTRY_LEN ); } /* Create the new salt as the first part of the history entry. */ generate_random_buffer(pwhistory, PW_HISTORY_SALT_LEN); /* Generate the md5 hash of the salt+new password as the second part of the history entry. */ E_md5hash(pwhistory, new_nt_p16, &pwhistory[PW_HISTORY_SALT_LEN]); pdb_set_pw_history(sampass, pwhistory, pwHistLen, PDB_CHANGED); } else { DEBUG (10,("pdb_get_set.c: pdb_set_plaintext_passwd: pwhistory was NULL!\n")); } } else { /* Set the history length to zero. */ pdb_set_pw_history(sampass, NULL, 0, PDB_CHANGED); } } return True; }