The branch, master has been updated
       via  281b73f build: Add hints on what libraries to install for gpgme support on failure
       via  4a34070 WHATSNEW: recommend python-crypto and python-m2crypto
       via  aaee982 WHATSNEW: add 'Password sync as active directory domain controller'
       via  88e968c s4:torture/ndr: Add supplementalCredentials blob from Samba with the new SambaGPG blob
       via  bbe3a6a python:samba/tests: use 'samba-tool user {getpassword,syncpasswords}' with --decrypt-samba-gpg
       via  a4efb11 selftest:Samba4: configure "password hash gpg key ids" for ad_dc (if available)
       via  d903338 s4:selftest: run samba.tests.samba_tool.user also against ad_dc:local
       via  3e9a6c8 selftest:gnupg: add a gpg key for Samba Selftest <selft...@samba.example.com>
       via  f45a0ff samba-tool: add --decrypt-samba-gpg support to 'user getpasswords' and 'user syncpasswords'
       via  763acdc s4:dsdb/samdb: optionally store package_PrimarySambaGPGBlob in supplementalCredentials
       via  8d64999 drsblobs.idl: add package_PrimarySambaGPGBlob
       via  81190f9 s4:dsdb/samdb: add configure checks for libgpgme
       via  b66ff2f docs-xml/smbdotconf: reference "unix password sync" with "password hash gpg key ids"
       via  f28d003 docs-xml/smbdotconf: add "password hash gpg key ids" option
       via  39d194d .travis.yml: install libgpgme11-dev python[3]-gpgme
       via  eb33f73 docs-xml/smbdotconf: reference "unix password sync" with "samba-tool user syncpasswords"
       via  d5541ef docs-xml:samba-tool.8: document "user syncpasswords" command
       via  8791960 python:samba/tests: add simple 'samba-tool user syncpasswords' test
       via  c68cb6a samba-tool: add 'user syncpasswords' command
       via  c8fb61c docs-xml:samba-tool.8: document "user getpassword" command
       via  4ef5266 python:samba/tests: verify the packages order in supplementalCredentials
       via  3add197 python:samba/tests: add simple 'samba-tool user getpassword' test
       via  deb2a02 samba-tool: add 'user getpassword' command
       via  67404ba pycredentials: add set_utf16_[old_]password()
       via  a5591e5 pycredentials: add {get,set}_old_password()
       via  1fd9271 WHATSNEW: the default for "ntlm auth" is "no"
       via  162c1f8 selftest: don't allow ntlmv1 for 'nt4_member' and 'ad_member'
       via  cd8dfed docs-xml:smbdotconf: default "ntlm auth" to "no"
       via  70827ca selftest: set "ntlm auth = yes" for now as a lot of tests rely on it
       via  7fd5629 s3:selftest: run smbclient_auth with a few more combinations
       via  19b3712 s3:tests: add 'as user' to the test names in test_smbclient_auth.sh
       via  9c994ba s3:ntlm_auth: call fault_setup() in order to get useful backtraces
      from  c8f2bb1 WHATSNEW. Add text for Open File Description (OFD) locks.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 281b73f124dce47cb17b2e83b880fbba17daca5b
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Jun 29 10:35:16 2016 +1200

    build: Add hints on what libraries to install for gpgme support on failure

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Fri Jul 22 19:51:09 CEST 2016 on sn-devel-144

commit 4a340708de6510a8ce7c5a1f0a516b5709b5b694
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Jun 27 08:25:30 2016 +0200

    WHATSNEW: recommend python-crypto and python-m2crypto

    They're used for some samba-tool commands.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

commit aaee982b4a5c4f1f7c5d4146be9d178b53907067
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Feb 17 10:07:27 2016 +0100

    WHATSNEW: add 'Password sync as active directory domain controller'

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

commit 88e968c9cce4a54eec92db6bb20b45a22d5eb492
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Jul 20 16:45:34 2016 +1200

    s4:torture/ndr: Add supplementalCredentials blob from Samba with the new SambaGPG blob

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit bbe3a6a1b177fa391dc72255fc03eb37a0fb6438
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 16 03:19:58 2016 +0100

    python:samba/tests: use 'samba-tool user {getpassword,syncpasswords}' with --decrypt-samba-gpg

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

commit a4efb11964d508fc843915e606d7aec515567031
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jan 12 13:51:00 2016 +0100

    selftest:Samba4: configure "password hash gpg key ids" for ad_dc (if available)

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

commit d903338ed66d20525082b4e078b526045843d080
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 16 10:04:40 2016 +0100

    s4:selftest: run samba.tests.samba_tool.user also against ad_dc:local

    In future ad_dc_ntvfs and ad_dc will differ regarding the
    Primary:SambaGPG password feature. So we should test both.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

commit 3e9a6c85f763ccdaca241d5a7a1d4a9bf61c5970
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jan 12 13:51:00 2016 +0100

    selftest:gnupg: add a gpg key for Samba Selftest <selft...@samba.example.com>

    This key doesn't have a passphrase and allows automatic testing of decryption.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

commit f45a0ffe868bdb4304c9a5619938407d5c1c7e83
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jan 22 21:52:26 2016 +0100

    samba-tool: add --decrypt-samba-gpg support to 'user getpasswords' and 'user syncpasswords'

    This gets the cleartext passwords by decrypting the 'Primary:SambaGPG'
    value in order to provide the virtual attributes:
    virtualClearTextUTF16, virtualClearTextUTF8, virtualCryptSHA256,
    virtualCryptSHA512, virtualSSHA

    The virtual attribute virtualSambaGPG provides the raw (encrypted)
    value of the 'Primary:SambaGPG' value.

    See the "password hash gpg key ids" option for the encryption part
    of this feature.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

commit 763acdc2e78f570b362914bb1ac1b3ed1fd94964
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jan 12 10:51:38 2016 +0100

    s4:dsdb/samdb: optionally store package_PrimarySambaGPGBlob in supplementalCredentials

    It's important that Primary:SambaGPG is added as the last element.
    This is the indication that it matches the current password.

    When a password change happens on a Windows DC, it will keep the old
    Primary:SambaGPG value, but as the first element.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

commit 8d64999d1c6239776a75503ff8df67b00ae5c4c8
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jan 12 10:51:38 2016 +0100

    drsblobs.idl: add package_PrimarySambaGPGBlob

    This will be used to store the cleartext utf16 password GPG encrypted
    in the supplementalCredentials attribute.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

commit 81190f910a3bd8083d963c0d983a1a3fd20f91ed
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jan 12 10:51:38 2016 +0100

    s4:dsdb/samdb: add configure checks for libgpgme

    This will be used to store the cleartext utf16 password GPG encrypted
    as 'Primary:SambaGPG' in the supplementalCredentials attribute.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

commit b66ff2f47b374b4a2fd76567ef2aa89c680b2255
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Feb 15 09:56:03 2016 +0100

    docs-xml/smbdotconf: reference "unix password sync" with "password hash gpg key ids"

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

commit f28d0038c857368f9b30449b5a091af6aeebbff4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Feb 15 09:10:54 2016 +0100

    docs-xml/smbdotconf: add "password hash gpg key ids" option

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

commit 39d194d6c9f47e9da41ae4381226af7d11db3b27
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 16 07:01:18 2016 +0100

    .travis.yml: install libgpgme11-dev python[3]-gpgme

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

commit eb33f7334fbfa2094d580a42ba376264f21ed273
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Feb 15 09:56:03 2016 +0100

    docs-xml/smbdotconf: reference "unix password sync" with "samba-tool user syncpasswords"

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

commit d5541ef6272e030c6fcdf85f7ea6a5ae4167bd0e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Feb 15 09:15:38 2016 +0100

    docs-xml:samba-tool.8: document "user syncpasswords" command

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

commit 8791960bf6bcca75a5790bfb7319acdbf63560f6
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 16 03:19:58 2016 +0100

    python:samba/tests: add simple 'samba-tool user syncpasswords' test

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

commit c68cb6a1d9d366ac3e564245ecca34348a4f1aa2
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jan 22 21:52:26 2016 +0100

    samba-tool: add 'user syncpasswords' command

    This provides an easy way to keep passwords in sync with another
    account database, e.g. an OpenLDAP server.

    It provides functionality like the "passwd program" for the
    "unix password sync" feature of a standalone, member and classic (NT4)
    server, but for an active directory domain controller.

    The provided script is called for each account/password related change.

    Like the 'user getpassword' command it allows virtual attributes like:
    virtualClearTextUTF16, virtualClearTextUTF8, virtualCryptSHA256,
    virtualCryptSHA512, virtualSSHA

    Note that this command should just run on a single domain controller
    (typically the PDC-emulator).

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

commit c8fb61cadca367b53e8d7ee64a3d19ab5ebf75e4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Feb 15 09:15:38 2016 +0100

    docs-xml:samba-tool.8: document "user getpassword" command

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

commit 4ef52663c1350b8ca0096448d3ce6af42ff4752e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 16 03:19:58 2016 +0100

    python:samba/tests: verify the packages order in supplementalCredentials

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3add197e202d3d540d65e7b9b856e95b4829724f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Feb 16 03:19:58 2016 +0100

    python:samba/tests: add simple 'samba-tool user getpassword' test

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit deb2a0258e74b0fd6a570d7abbe3485a7d346b5f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jan 22 21:52:26 2016 +0100

    samba-tool: add 'user getpassword' command

    This provides an easy way to get the passwords of a user including
    the cleartext passwords (if stored) and derived hashes.

    This is done by providing virtual attributes like:
    virtualClearTextUTF16, virtualClearTextUTF8, virtualCryptSHA256,
    virtualCryptSHA512, virtualSSHA

    This is much easier than using ldbsearch and manually parsing the
    supplementalCredentials attribute.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

commit 67404bac52c1b4d303c4b131efb168c805cdfd78
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jul 12 09:57:16 2016 +0200

    pycredentials: add set_utf16_[old_]password()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a5591e597dbcbd74a6cb76786f479d5962a41cfd
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Jul 12 08:14:36 2016 +0200

    pycredentials: add {get,set}_old_password()

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1fd927136be7230d5b670bf9b9ffe91071ec94d8
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Jul 21 20:04:10 2016 +0200

    WHATSNEW: the default for "ntlm auth" is "no"

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 162c1f85bff47ef01febfb2d2c8b81a1cace0abb
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Jul 21 19:50:36 2016 +0200

    selftest: don't allow ntlmv1 for 'nt4_member' and 'ad_member'

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit cd8dfed1a67515c5fee14501d3e003e545e41d9e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Mar 15 21:59:42 2016 +0100

    docs-xml:smbdotconf: default "ntlm auth" to "no"

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 70827ca78c63d41c555ea4d1219f71c55bbc23e0
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Jul 21 09:26:27 2016 +0200

    selftest: set "ntlm auth = yes" for now as a lot of tests rely on it

    In future we should use a mix of environments, some of which support
    ntlmv1 and some without.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7fd562969405535a6c7b614b92e8049abbd0781c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Jul 21 19:45:04 2016 +0200

    s3:selftest: run smbclient_auth with a few more combinations

    E.g. we try lanman, ntlmv1 and ntlmv2 authentication.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 19b3712b62c4632423b7c669f99dd0fc501c6036
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Jul 21 19:41:57 2016 +0200

    s3:tests: add 'as user' to the test names in test_smbclient_auth.sh

    We already have 'as anon'; having an indication for each case makes
    it easier to mark some as knownfail.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9c994ba86e645903d2b4ff98edb2460a8c8468fe
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 11 23:09:53 2016 +0200

    s3:ntlm_auth: call fault_setup() in order to get useful backtraces
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 .gitignore                                         |    1 +
 .travis.yml                                        |    2 +-
 WHATSNEW.txt                                       |   54 +-
 auth/credentials/pycredentials.c                   |   85 +-
 docs-xml/manpages/samba-tool.8.xml                 |   12 +
 docs-xml/smbdotconf/security/ntlmauth.xml          |   10 +-
 .../smbdotconf/security/passwordhashgpgkeyids.xml  |   45 +
 docs-xml/smbdotconf/security/unixpasswordsync.xml  |   10 +-
 lib/param/loadparm.c                               |    2 +-
 librpc/idl/drsblobs.idl                            |    8 +
 python/samba/netcmd/user.py                        | 1309 ++++++++++++++++++++
 python/samba/tests/samba_tool/user.py              |  171 ++-
 selftest/gnupg/gpg.conf                            |    4 +
 selftest/gnupg/pubring.gpg                         |  Bin 0 -> 1214 bytes
 selftest/gnupg/secring.gpg                         |  Bin 0 -> 2516 bytes
 selftest/gnupg/trustdb.gpg                         |  Bin 0 -> 1280 bytes
 selftest/knownfail                                 |    3 +-
 selftest/selftest.pl                               |    1 +
 selftest/target/Samba3.pm                          |    3 +
 selftest/target/Samba4.pm                          |   33 +
 source3/param/loadparm.c                           |    2 +-
 source3/script/tests/test_smbclient_auth.sh        |   18 +-
 source3/selftest/tests.py                          |    9 +-
 source3/utils/ntlm_auth.c                          |    1 +
 source4/dsdb/samdb/ldb_modules/password_hash.c     |  242 +++-
 source4/dsdb/samdb/ldb_modules/wscript             |   32 +
 .../dsdb/samdb/ldb_modules/wscript_build_server    |    2 +-
 source4/selftest/tests.py                          |    1 +
 source4/torture/ndr/drsblobs.c                     |  101 ++
 wscript                                            |    2 +
 30 files changed, 2124 insertions(+), 39 deletions(-)
 create mode 100644 docs-xml/smbdotconf/security/passwordhashgpgkeyids.xml
 create mode 100644 selftest/gnupg/gpg.conf
 create mode 100644 selftest/gnupg/pubring.gpg
 create mode 100644 selftest/gnupg/secring.gpg
 create mode 100644 selftest/gnupg/trustdb.gpg
 create mode 100644 source4/dsdb/samdb/ldb_modules/wscript


Changeset truncated at 500 lines:

diff --git a/.gitignore b/.gitignore index 33e8fc5..46c01af 100644 --- a/.gitignore +++ b/.gitignore @@ -17,6 +17,7 @@ autom4te.cache *.patch *.pyc semantic.cache +/selftest/gnupg/random_seed /pidl/blib /pidl/cover_db /pidl/Makefile
diff --git a/.travis.yml b/.travis.yml index cf1b0d2..483ad50 100644 --- a/.travis.yml +++ b/.travis.yml @@ -25,7 +25,7 @@ matrix: before_install: - sudo apt-get update -qq - - sudo apt-get install --assume-yes acl attr autoconf bison build-essential debhelper dnsutils docbook-xml docbook-xsl flex gdb git krb5-user libacl1-dev libaio-dev libattr1-dev libblkid-dev libbsd-dev libcap-dev libcups2-dev libgnutls-dev libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl libpopt-dev libreadline-dev perl perl-modules pkg-config python-crypto python-dev python-dnspython python3-crypto python3-dev python3-dnspython realpath screen xsltproc zlib1g-dev + - sudo apt-get install --assume-yes acl attr autoconf bison build-essential debhelper dnsutils docbook-xml docbook-xsl flex gdb git krb5-user libacl1-dev libaio-dev libattr1-dev libblkid-dev libbsd-dev libcap-dev libcups2-dev libgnutls-dev libgpgme11-dev libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl libpopt-dev libreadline-dev perl perl-modules pkg-config python-crypto python-dev python-dnspython python-gpgme python3-crypto python3-dev python3-dnspython python3-gpgme realpath screen xsltproc zlib1g-dev script: - git fetch --unshallow diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 7d2405b..505d28b 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -12,7 +12,19 @@ Samba 4.5 will be the next version of the Samba suite. UPGRADING ========= -Nothing special. +NTLMv1 authentication disabled by default +----------------------------------------- + +In order to improve security we have changed +the default value for the "ntlm auth" option from +"yes" to "no". This may have impact on very old +client which doesn't support NTLMv2 yet. + +The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x. + +By default Samba will only allow NTLMv2 via NTLMSSP now, +as we have the following default "lanman auth = no", +"ntlm auth = no" and "raw NTLMv2 auth = no". NEW FEATURES/CHANGES 
@@ -146,6 +158,26 @@ descriptors having file locks are opened onto the same file. An internal tunable "smbd:force process locks = true" may be used to turn off OFD locks if there appear to be problems with them. +Password sync as active directory domain controller +--------------------------------------------------- + +The new commands 'samba-tool user getpassword' +and 'samba-tool user syncpasswords' provide +access and syncing of various password fields. + +If compiled with GPGME support (--with-gpgme) it's +possible to store cleartext passwords in a PGP/OpenGPG +encrypted form by configuring the new "password hash gpg key ids" +option. This requires gpgme devel and python packages to be installed +(e.g. libgpgme11-dev and python-gpgme on debian/ubuntu). + +Python crypto requirements +-------------------------- + +Some samba-tool subcommands require python-crypto and/or +python-m2crypto packages to be installed. + + REMOVED FEATURES ================ @@ -154,15 +186,19 @@ only user and username parameters These two parameters have long been deprecated and superseded by "valid users" and "invalid users". + smb.conf changes ----------------- - - Parameter Name Description Default - -------------- ----------- ------- - only user Removed - username Removed - kccsrv:samba_kcc Changed default true - smb2 leases Changed default yes +================ + + Parameter Name Description Default + -------------- ----------- ------- + kccsrv:samba_kcc Changed default yes + ntlm auth Changed default no + only user Removed + password hash gpg key ids New + smb2 leases Changed default yes + username Removed + KNOWN ISSUES ============ diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c index 1344391..43fba37 100644 --- a/auth/credentials/pycredentials.c +++ b/auth/credentials/pycredentials.c 
@@ -64,7 +64,6 @@ static PyObject *py_creds_get_password(PyObject *self, PyObject *unused) return PyString_FromStringOrNULL(cli_credentials_get_password(PyCredentials_AsCliCredentials(self))); } - static PyObject *py_creds_set_password(PyObject *self, PyObject *args) { char *newval; 
@@ -79,6 +78,78 @@ static PyObject *py_creds_set_password(PyObject *self, PyObject *args) return PyBool_FromLong(cli_credentials_set_password(PyCredentials_AsCliCredentials(self), newval, obt)); } +static PyObject *py_creds_set_utf16_password(PyObject *self, PyObject *args) +{ + enum credentials_obtained obt = CRED_SPECIFIED; + int _obt = obt; + PyObject *newval = NULL; + DATA_BLOB blob = data_blob_null; + Py_ssize_t size = 0; + int result; + bool ok; + + if (!PyArg_ParseTuple(args, "O|i", &newval, &_obt)) { + return NULL; + } + obt = _obt; + + result = PyBytes_AsStringAndSize(newval, (char **)&blob.data, &size); + if (result != 0) { + PyErr_SetString(PyExc_RuntimeError, "Failed to convert passed value to Bytes"); + return NULL; + } + blob.length = size; + + ok = cli_credentials_set_utf16_password(PyCredentials_AsCliCredentials(self), + &blob, obt); + + return PyBool_FromLong(ok); +} + +static PyObject *py_creds_get_old_password(PyObject *self, PyObject *unused) +{ + return PyString_FromStringOrNULL(cli_credentials_get_old_password(PyCredentials_AsCliCredentials(self))); +} + +static PyObject *py_creds_set_old_password(PyObject *self, PyObject *args) +{ + char *oldval; + enum credentials_obtained obt = CRED_SPECIFIED; + int _obt = obt; + + if (!PyArg_ParseTuple(args, "s|i", &oldval, &_obt)) { + return NULL; + } + obt = _obt; + + return PyBool_FromLong(cli_credentials_set_old_password(PyCredentials_AsCliCredentials(self), oldval, obt)); +} + +static PyObject *py_creds_set_old_utf16_password(PyObject *self, PyObject *args) +{ + PyObject *oldval = NULL; + DATA_BLOB blob = data_blob_null; + Py_ssize_t size = 0; + int result; + bool ok; + + if (!PyArg_ParseTuple(args, "O", &oldval)) { + return NULL; + } + + result = PyBytes_AsStringAndSize(oldval, (char **)&blob.data, &size); + if (result != 0) { + PyErr_SetString(PyExc_RuntimeError, "Failed to convert passed value to Bytes"); + return NULL; + } + blob.length = size; + + ok = 
cli_credentials_set_old_utf16_password(PyCredentials_AsCliCredentials(self), + &blob); + + return PyBool_FromLong(ok); +} + static PyObject *py_creds_get_domain(PyObject *self, PyObject *unused) { return PyString_FromStringOrNULL(cli_credentials_get_domain(PyCredentials_AsCliCredentials(self))); @@ -398,6 +469,18 @@ static PyMethodDef py_creds_methods[] = { { "set_password", py_creds_set_password, METH_VARARGS, "S.set_password(password, obtained=CRED_SPECIFIED) -> None\n" "Change password." }, + { "set_utf16_password", py_creds_set_utf16_password, METH_VARARGS, + "S.set_utf16_password(password, obtained=CRED_SPECIFIED) -> None\n" + "Change password." }, + { "get_old_password", py_creds_get_old_password, METH_NOARGS, + "S.get_old_password() -> password\n" + "Obtain old password." }, + { "set_old_password", py_creds_set_old_password, METH_VARARGS, + "S.set_old_password(password, obtained=CRED_SPECIFIED) -> None\n" + "Change old password." }, + { "set_old_utf16_password", py_creds_set_old_utf16_password, METH_VARARGS, + "S.set_old_utf16_password(password, obtained=CRED_SPECIFIED) -> None\n" + "Change old password." }, { "get_domain", py_creds_get_domain, METH_NOARGS, "S.get_domain() -> domain\n" "Obtain domain name." }, diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml index 3416ecf..dea984f 100644 --- a/docs-xml/manpages/samba-tool.8.xml +++ b/docs-xml/manpages/samba-tool.8.xml 
@@ -587,6 +587,18 @@ <para>Sets or resets the password of an user account.</para> </refsect3> +<refsect3> + <title>user getpassword <replaceable>username</replaceable> [options]</title> + <para>Gets the password of an user account.</para> +</refsect3> + +<refsect3> + <title>user syncpasswords <replaceable>--cache-ldb-initialize</replaceable> [options]</title> + <para>Syncs the passwords of all user accounts, using an optional script.</para> + <para>Note that this command should run on a single domain controller only + (typically the PDC-emulator).</para> +</refsect3> + <refsect2> <title>vampire [options] <replaceable>domain</replaceable></title> <para>Join and synchronise a remote AD domain to the local server. diff --git a/docs-xml/smbdotconf/security/ntlmauth.xml b/docs-xml/smbdotconf/security/ntlmauth.xml index 6af1908..884ee9d 100644 --- a/docs-xml/smbdotconf/security/ntlmauth.xml +++ b/docs-xml/smbdotconf/security/ntlmauth.xml @@ -12,8 +12,14 @@ <para>If this option, and <command moreinfo="none">lanman auth</command> are both disabled, then only NTLMv2 logins will be permited. Not all clients support NTLMv2, and most will require - special configuration to use it.</para> + special configuration to use it.</para> + + <para>The primary user of NTLMv1 is MSCHAPv2 for VPNs and 802.1x.</para> + + <para>The default changed from "yes" to "no" with Samba 4.5.</para> </description> -<value type="default">yes</value> +<related>lanman auth</related> +<related>raw NTLMv2 auth</related> +<value type="default">no</value> </samba:parameter> diff --git a/docs-xml/smbdotconf/security/passwordhashgpgkeyids.xml b/docs-xml/smbdotconf/security/passwordhashgpgkeyids.xml new file mode 100644 index 0000000..e53cdbe --- /dev/null +++ b/docs-xml/smbdotconf/security/passwordhashgpgkeyids.xml 
@@ -0,0 +1,45 @@ +<samba:parameter name="password hash gpg key ids" + context="G" + type="cmdlist" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para>If <command moreinfo="none">samba</command> is running as an + active directory domain controller, it is possible to store the + cleartext password of accounts in a PGP/OpenGPG encrypted form.</para> + + <para>You can specify one or more recipients by key id or user id. + Note that 32bit key ids are not allowed, specify at least 64bit.</para> + + <para>The value is stored as 'Primary:SambaGPG' in the + <command moreinfo="none">supplementalCredentials</command> attribute.</para> + + <para>As password changes can occur on any domain controller, + you should configure this on each of them. Note that this feature is currently + available only on Samba domain controllers.</para> + + <para>This option is only available if <command moreinfo="none">samba</command> + was compiled with <command moreinfo="none">gpgme</command> support.</para> + + <para>You may need to export the <command moreinfo="none">GNUPGHOME</command> + environment variable before starting <command moreinfo="none">samba</command>. + <emphasis>It is strongly recommended to only store the public key in this + location. The private key is not used for encryption and should be + only stored where decryption is required.</emphasis></para> + + <para>Being able to restore the cleartext password helps, when they need to be imported + into other authentication systems later (see <command moreinfo="none">samba-tool user getpassword</command>) + or you want to keep the passwords in sync with another system, e.g. 
an OpenLDAP server + (see <command moreinfo="none">samba-tool user syncpasswords</command>).</para> + + <para>While this option needs to be configured on all domain controllers, the + <command moreinfo="none">samba-tool user syncpasswords</command> command should + run on a single domain controller only (typically the PDC-emulator).</para> +</description> + +<related>unix password sync</related> + +<value type="default"></value> +<value type="example">4952E40301FAB41A</value> +<value type="example">selft...@samba.example.com</value> +<value type="example">selft...@samba.example.com, 4952E40301FAB41A</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/unixpasswordsync.xml b/docs-xml/smbdotconf/security/unixpasswordsync.xml index 321ece5..89b0158 100644 --- a/docs-xml/smbdotconf/security/unixpasswordsync.xml +++ b/docs-xml/smbdotconf/security/unixpasswordsync.xml @@ -9,12 +9,18 @@ If this is set to <constant>yes</constant> the program specified in the <parameter moreinfo="none">passwd program</parameter> parameter is called <emphasis>AS ROOT</emphasis> - to allow the new UNIX password to be set without access to the - old UNIX password (as the SMB password change code has no - access to the old password cleartext, only the new).</para> + old UNIX password (as the SMB password change code has no + access to the old password cleartext, only the new).</para> + + <para>This option has no effect if <command moreinfo="none">samba</command> + is running as an active directory domain controller, in that case have a + look at the <smbconfoption name="password hash gpg key ids"/> option and the + <command moreinfo="none">samba-tool user syncpasswords</command> command.</para> </description> <related>passwd program</related> <related>passwd chat</related> +<related>password hash gpg key ids</related> <value type="default">no</value> </samba:parameter> diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 548d105..5f4610e 100644 
--- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2630,7 +2630,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "ClientLanManAuth", "False"); lpcfg_do_global_parameter(lp_ctx, "ClientNTLMv2Auth", "True"); lpcfg_do_global_parameter(lp_ctx, "LanmanAuth", "False"); - lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "True"); + lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "False"); lpcfg_do_global_parameter(lp_ctx, "RawNTLMv2Auth", "False"); lpcfg_do_global_parameter(lp_ctx, "client use spnego principal", "False"); diff --git a/librpc/idl/drsblobs.idl b/librpc/idl/drsblobs.idl index 645ec38..09168a8 100644 --- a/librpc/idl/drsblobs.idl +++ b/librpc/idl/drsblobs.idl @@ -445,6 +445,14 @@ interface drsblobs { [in] package_PrimaryWDigestBlob blob ); + typedef [public] struct { + [flag(NDR_REMAINING)] DATA_BLOB gpg_blob; + } package_PrimarySambaGPGBlob; + + void decode_PrimarySambaGPG( + [in] package_PrimarySambaGPGBlob blob + ); + typedef struct { [value(0)] uint32 size; } AuthInfoNone; diff --git a/python/samba/netcmd/user.py b/python/samba/netcmd/user.py index e087de8..5adc287 100644 --- a/python/samba/netcmd/user.py +++ b/python/samba/netcmd/user.py @@ -20,13 +20,28 @@ import samba.getopt as options import ldb import pwd +import os +import sys +import fcntl +import signal +import errno +import time +import base64 +import binascii +from subprocess import Popen, PIPE, STDOUT from getpass import getpass from samba.auth import system_session from samba.samdb import SamDB +from samba.dcerpc import misc +from samba.dcerpc import security +from samba.dcerpc import drsblobs +from samba.ndr import ndr_unpack, ndr_pack, ndr_print from samba import ( + credentials, dsdb, gensec, generate_random_password, + Ldb, ) from samba.net import Net 
@@ -38,6 +53,127 @@ from samba.netcmd import ( ) +try: + import io + import gpgme + gpgme_support = True + decrypt_samba_gpg_help = "Decrypt the SambaGPG password as cleartext source" +except ImportError as e: + gpgme_support = False + decrypt_samba_gpg_help = "Decrypt the SambaGPG password not supported, " + \ + "python-gpgme required" + +disabled_virtual_attributes = { + } + +virtual_attributes = { + "virtualClearTextUTF8": { + "flags": ldb.ATTR_FLAG_FORCE_BASE64_LDIF, + }, + "virtualClearTextUTF16": { + "flags": ldb.ATTR_FLAG_FORCE_BASE64_LDIF, + }, + "virtualSambaGPG": { + "flags": ldb.ATTR_FLAG_FORCE_BASE64_LDIF, + }, + } + +get_random_bytes_fn = None +if get_random_bytes_fn is None: + try: + import Crypto.Random + get_random_bytes_fn = Crypto.Random.get_random_bytes + except ImportError as e: + pass +if get_random_bytes_fn is None: + try: + import M2Crypto.Rand + get_random_bytes_fn = M2Crypto.Rand.rand_bytes + except ImportError as e: + pass + +def check_random(): + if get_random_bytes_fn is not None: + return None + return "Crypto.Random or M2Crypto.Rand required" + +def get_random_bytes(num): + random_reason = check_random() + if random_reason is not None: + raise ImportError(random_reason) + return get_random_bytes_fn(num) + +def get_crypt_value(alg, utf8pw): + algs = { + "5": {"length": 43}, + "6": {"length": 86}, + } + assert alg in algs + salt = get_random_bytes(16) + # The salt needs to be in [A-Za-z0-9./] + # base64 is close enough and as we had 16 + # random bytes but only need 16 characters + # we can ignore the possible == at the end + # of the base64 string + # we just need to replace '+' by '.' 
+ b64salt = base64.b64encode(salt) + crypt_salt = "$%s$%s$" % (alg, b64salt[0:16].replace('+', '.')) + crypt_value = crypt.crypt(utf8pw, crypt_salt) + if crypt_value is None: + raise NotImplementedError("crypt.crypt(%s) returned None" % (crypt_salt)) + expected_len = len(crypt_salt) + algs[alg]["length"] + if len(crypt_value) != expected_len: + raise NotImplementedError("crypt.crypt(%s) returned a value with length %d, expected length is %d" % ( + crypt_salt, len(crypt_value), expected_len)) + return crypt_value + +try: + random_reason = check_random() + if random_reason is not None: + raise ImportError(random_reason) + import hashlib + h = hashlib.sha1() + h = None + virtual_attributes["virtualSSHA"] = { + } +except ImportError as e: + reason = "hashlib.sha1()" + if random_reason: + reason += " and " + random_reason + reason += " required" + disabled_virtual_attributes["virtualSSHA"] = { + "reason" : reason, + } + +for (alg, attr) in [("5", "virtualCryptSHA256"), ("6", "virtualCryptSHA512")]: + try: + random_reason = check_random() + if random_reason is not None: -- Samba Shared Repository
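Review bot: In the WHATSNEW.txt hunk at @@ -12,7 +12,19 @@, "This may have impact on very old client which doesn't support NTLMv2 yet" should read "This may have an impact on very old clients which don't support NTLMv2 yet". The paragraph lists the three defaults ("lanman auth = no", "ntlm auth = no", "raw NTLMv2 auth = no") but never says what an administrator who still needs NTLMv1 for MSCHAPv2 has to set; one sentence naming "ntlm auth = yes" as the opt-in would make the upgrade note actionable.

Review bot: In the WHATSNEW.txt hunk at @@ -146,6 +158,26 @@, "PGP/OpenGPG encrypted form" should be "OpenPGP encrypted form"; the same misspelling appears in the new passwordhashgpgkeyids.xml below and should be fixed in both places.

Review bot: In the WHATSNEW.txt hunk at @@ -154,15 +186,19 @@, the kccsrv:samba_kcc row changes its documented default from "true" to "yes" even though nothing else in this changeset touches that parameter. If this is only normalising boolean spelling across the table it is fine, but it deserves a word in the commit message or its own commit so it is not mistaken for a behaviour change.

Review bot: In the pycredentials.c hunk at @@ -64,7 +64,6 @@, the only change is the removal of a blank line before py_creds_set_password, which is unrelated whitespace churn; drop it from the patch.

Review bot: In the pycredentials.c hunk at @@ -79,6 +78,78 @@, py_creds_set_utf16_password and py_creds_set_old_password copy the caller-supplied integer `_obt` straight into `enum credentials_obtained` (`obt = _obt;`) with no range check, so any Python int is accepted as an "obtained" level and passed on to cli_credentials_set_*. This mirrors the existing py_creds_set_password, but since three functions now share the pattern a small helper that validates the value once would be cleaner. Separately, py_creds_set_old_utf16_password parses only "O" and has no obtained argument while its non-old counterpart parses "O|i"; the two signatures should match.

Review bot: In the pycredentials.c hunk at @@ -398,6 +469,18 @@, the docstring for set_old_utf16_password advertises `S.set_old_utf16_password(password, obtained=CRED_SPECIFIED)` but the implementation above accepts a single argument, so the documented parameter does not exist. All four new docstrings also say `-> None` while the functions return a bool via PyBool_FromLong; `-> bool` (and "Change password" expanded to say the value is UTF-16 bytes) would describe the code accurately.

Review bot: In the samba-tool.8.xml hunk at @@ -587,6 +587,18 @@, "Gets the password of an user account" should be "a user account"; the context line "Sets or resets the password of an user account" has the same slip and could be fixed while the section is being edited. Also, `--cache-ldb-initialize` is marked up as a <replaceable> in the title as though it were a positional argument; since it is an option, it reads better as part of [options] with its meaning explained in the paragraph.

Review bot: In the ntlmauth.xml hunk at @@ -12,8 +12,14 @@, the context line "only NTLMv2 logins will be permited" in the paragraph being edited has a typo ("permitted"); worth fixing in the same commit rather than leaving it next to the new text.

Review bot: In the new passwordhashgpgkeyids.xml (@@ -0,0 +1,45 @@), "PGP/OpenGPG encrypted form" should be "OpenPGP encrypted form". The recipient guidance "32bit key ids are not allowed, specify at least 64bit" could also point readers to the full key fingerprint as the unambiguous form, given that gpgme key lookup (gpgme_get_key) accepts fingerprints; the example values could show one. The sentence recommending that only the public key live in the DC's GNUPGHOME is the important operational point of this feature and deserves to be repeated in the WHATSNEW entry, which currently only mentions the packages to install.

Review bot: In the user.py hunk at @@ -38,6 +53,127 @@, get_crypt_value calls `crypt.crypt(utf8pw, crypt_salt)` but no `import crypt` appears in the visible lines, and the import hunk at @@ -20,13 +20,28 @@ does not add it; if the import is done inside the truncated per-algorithm try block further down, a comment in get_crypt_value saying so would help the next reader, otherwise this is a NameError at first use. The salt handling is sound (16 base64 characters carry 12 of the 16 random bytes, which is ample for crypt), but `base64.b64encode(salt)` returns bytes on Python 3, so the "%s" formatting and `.replace('+', '.')` would fail there; since the .travis.yml hunk now installs python3-gpgme, decoding the base64 output to ASCII first would keep this function Python 3 ready. The unused `e` in the several `except ImportError as e:` clauses can also be dropped.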