Attachment #10495 for bug #46745

View | Details | Raw Unified | Return to bug 46745
Collapse All | Expand All




						 "PrimaryKerberos num_old_keys > num_keys");
			}

			if (k->ctr.ctr3.keys[0].keytype != ENCTYPE_DES_CBC_MD5 &&
				k->ctr.ctr3.keys[0].keytype != DUMMY_NTHASH_KEYTYPE) {
				return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
						 "PrimaryKerberos key[0] != DES_CBC_MD5 and != DUMMY_NTHASH_KEYTYPE");
			}
			// W2k8 and later DCs pass a dummy NThash to W2k3 DCs
			// [MS-SAMR] Section 2.2.10.8 footnote <23>

				return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
						 "PrimaryKerberos key[1] != DES_CBC_CRC and != DUMMY_NTHASH_KEYTYPE");
			}
			if (k->ctr.ctr3.keys[0].value_len != 8 &&
				k->ctr.ctr3.keys[0].keytype == ENCTYPE_DES_CBC_MD5) {
				return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
						 "PrimaryKerberos key[0] value_len != 8");
			}

				return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
						 "KerberosNewerKeys key[1] != AES128");
			}
			if (k->ctr.ctr4.keys[2].keytype != ENCTYPE_DES_CBC_MD5 &&
				k->ctr.ctr4.keys[2].keytype != DUMMY_NTHASH_KEYTYPE) {
				return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
						 "KerberosNewerKeys key[2] != DES_CBC_MD5 and != DUMMY_NTHASH_KEYTYPE");
			}
			// W2k8 and later DCs pass a dummy NThash to W2k3 DCs
			// [MS-SAMR] Section 2.2.10.8 footnote <23>

				return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
						 "KerberosNewerKeys key[1] value_len != 16");
			}
			if (k->ctr.ctr4.keys[2].value_len != 8 &&
				k->ctr.ctr4.keys[2].keytype == ENCTYPE_DES_CBC_MD5) {
				return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
						 "KerberosNewerKeys key[2] value_len != 8");
			}

Return to bug 46745

Lines 419-427 static int password_hash_bypass(struct l Link Here

(-)samba-4.10.1/source4/dsdb/samdb/ldb_modules/password_hash.c (-6 / +10 lines)
419	"PrimaryKerberos num_old_keys > num_keys");	419	"PrimaryKerberos num_old_keys > num_keys");
420	}	420	}
421		421
422	if (k->ctr.ctr3.keys[0].keytype != ENCTYPE_DES_CBC_MD5) {	422	if (k->ctr.ctr3.keys[0].keytype != ENCTYPE_DES_CBC_MD5 &&
		423	k->ctr.ctr3.keys[0].keytype != DUMMY_NTHASH_KEYTYPE) {
423	return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,	424	return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
424	"PrimaryKerberos key[0] != DES_CBC_MD5");	425	"PrimaryKerberos key[0] != DES_CBC_MD5 and != DUMMY_NTHASH_KEYTYPE");
425	}	426	}
426	// W2k8 and later DCs pass a dummy NThash to W2k3 DCs	427	// W2k8 and later DCs pass a dummy NThash to W2k3 DCs
427	// [MS-SAMR] Section 2.2.10.8 footnote <23>	428	// [MS-SAMR] Section 2.2.10.8 footnote <23>
Lines 430-436 static int password_hash_bypass(struct l Link Here
430	return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,	431	return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
431	"PrimaryKerberos key[1] != DES_CBC_CRC and != DUMMY_NTHASH_KEYTYPE");	432	"PrimaryKerberos key[1] != DES_CBC_CRC and != DUMMY_NTHASH_KEYTYPE");
432	}	433	}
433	if (k->ctr.ctr3.keys[0].value_len != 8) {	434	if (k->ctr.ctr3.keys[0].value_len != 8 &&
		435	k->ctr.ctr3.keys[0].keytype == ENCTYPE_DES_CBC_MD5) {
434	return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,	436	return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
435	"PrimaryKerberos key[0] value_len != 8");	437	"PrimaryKerberos key[0] value_len != 8");
436	}	438	}
Lines 512-520 static int password_hash_bypass(struct l Link Here
512	return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,	514	return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
513	"KerberosNewerKeys key[1] != AES128");	515	"KerberosNewerKeys key[1] != AES128");
514	}	516	}
515	if (k->ctr.ctr4.keys[2].keytype != ENCTYPE_DES_CBC_MD5) {	517	if (k->ctr.ctr4.keys[2].keytype != ENCTYPE_DES_CBC_MD5 &&
		518	k->ctr.ctr4.keys[2].keytype != DUMMY_NTHASH_KEYTYPE) {
516	return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,	519	return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
517	"KerberosNewerKeys key[2] != DES_CBC_MD5");	520	"KerberosNewerKeys key[2] != DES_CBC_MD5 and != DUMMY_NTHASH_KEYTYPE");
518	}	521	}
519	// W2k8 and later DCs pass a dummy NThash to W2k3 DCs	522	// W2k8 and later DCs pass a dummy NThash to W2k3 DCs
520	// [MS-SAMR] Section 2.2.10.8 footnote <23>	523	// [MS-SAMR] Section 2.2.10.8 footnote <23>
Lines 532-538 static int password_hash_bypass(struct l Link Here
532	return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,	535	return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
533	"KerberosNewerKeys key[1] value_len != 16");	536	"KerberosNewerKeys key[1] value_len != 16");
534	}	537	}
535	if (k->ctr.ctr4.keys[2].value_len != 8) {	538	if (k->ctr.ctr4.keys[2].value_len != 8 &&
		539	k->ctr.ctr4.keys[2].keytype == ENCTYPE_DES_CBC_MD5) {
536	return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,	540	return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
537	"KerberosNewerKeys key[2] value_len != 8");	541	"KerberosNewerKeys key[2] value_len != 8");
538	}	542	}