Index: samba-4.10.1/source4/dsdb/samdb/ldb_modules/password_hash.c
===================================================================
--- samba-4.10.1.orig/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ samba-4.10.1/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -334,16 +336,6 @@ static int password_hash_bypass(struct l
 "Primary:Packages missing");
 }
- if (scpk == NULL) {
- /*
- * If Primary:Kerberos is missing w2k8r2 reboots
- * when a password is changed.
- */
- return ldb_error(ldb,
- LDB_ERR_CONSTRAINT_VIOLATION,
- "Primary:Kerberos missing");
- }
-
 if (scpp) {
 struct package_PackagesBlob *p;
 uint32_t n;
@@ -407,34 +399,11 @@ static int password_hash_bypass(struct l
 "PrimaryKerberos strlen(salt) == 0");
 }
- if (k->ctr.ctr3.num_keys != 2) {
- return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
- "PrimaryKerberos num_keys != 2");
- }
-
 if (k->ctr.ctr3.num_old_keys > k->ctr.ctr3.num_keys) {
 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
 "PrimaryKerberos num_old_keys > num_keys");
 }
- if (k->ctr.ctr3.keys[0].keytype != ENCTYPE_DES_CBC_MD5) {
- return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
- "PrimaryKerberos key[0] != DES_CBC_MD5");
- }
- if (k->ctr.ctr3.keys[1].keytype != ENCTYPE_DES_CBC_CRC) {
- return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
- "PrimaryKerberos key[1] != DES_CBC_CRC");
- }
-
- if (k->ctr.ctr3.keys[0].value_len != 8) {
- return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
- "PrimaryKerberos key[0] value_len != 8");
- }
- if (k->ctr.ctr3.keys[1].value_len != 8) {
- return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
- "PrimaryKerberos key[1] value_len != 8");
- }
-
 for (i = 0; i < k->ctr.ctr3.num_old_keys; i++) {
 if (k->ctr.ctr3.old_keys[i].keytype ==
 k->ctr.ctr3.keys[i].keytype &&
@@ -442,6 +411,10 @@ static int password_hash_bypass(struct l
 k->ctr.ctr3.keys[i].value_len) {
 continue;
 }
+ if (k->ctr.ctr3.old_keys[i].keytype == DUMMY_NTHASH_KEYTYPE ||
+ k->ctr.ctr3.keys[i].keytype == DUMMY_NTHASH_KEYTYPE) {
+ continue;
+ }
 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
 "PrimaryKerberos old_keys type/value_len doesn't match");
@@ -480,11 +453,6 @@ static int password_hash_bypass(struct l
 "KerberosNewerKeys strlen(salt) == 0");
 }
- if (k->ctr.ctr4.num_keys != 4) {
- return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
- "KerberosNewerKeys num_keys != 2");
- }
-
 if (k->ctr.ctr4.num_old_keys > k->ctr.ctr4.num_keys) {
 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
 "KerberosNewerKeys num_old_keys > num_keys");
@@ -495,23 +463,6 @@ static int password_hash_bypass(struct l
 "KerberosNewerKeys num_older_keys > num_old_keys");
 }
- if (k->ctr.ctr4.keys[0].keytype != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
- return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
- "KerberosNewerKeys key[0] != AES256");
- }
- if (k->ctr.ctr4.keys[1].keytype != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
- return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
- "KerberosNewerKeys key[1] != AES128");
- }
- if (k->ctr.ctr4.keys[2].keytype != ENCTYPE_DES_CBC_MD5) {
- return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
- "KerberosNewerKeys key[2] != DES_CBC_MD5");
- }
- if (k->ctr.ctr4.keys[3].keytype != ENCTYPE_DES_CBC_CRC) {
- return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
- "KerberosNewerKeys key[3] != DES_CBC_CRC");
- }
-
 if (k->ctr.ctr4.keys[0].value_len != 32) {
 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
 "KerberosNewerKeys key[0] value_len != 32");
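Review bot: In the `-442` hunk the added `continue` accepts an old_keys[i]/keys[i] pair as soon as either side has keytype DUMMY_NTHASH_KEYTYPE, so for such a pair neither keytype nor value_len is compared and a dummy-typed entry of any length gets past this loop. DUMMY_NTHASH_KEYTYPE is not defined in the visible hunks, so its meaning is inferred from the name only; if it tags a slot that carries an NT hash, the exemption should still pin that entry's length (16 bytes) instead of skipping the length test entirely. The skip also needs a comment stating the reason, for example `/* DUMMY_NTHASH_KEYTYPE entries are not Kerberos keys; exempt them from the old/new type and length match */`. The `for` loop opens before this hunk and closes after it.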
@@ -524,7 +475,8 @@ static int password_hash_bypass(struct l
 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
 "KerberosNewerKeys key[2] value_len != 8");
 }
- if (k->ctr.ctr4.keys[3].value_len != 8) {
+ if (k->ctr.ctr4.keys[3].value_len != 8 &&
+ k->ctr.ctr4.keys[3].keytype == ENCTYPE_DES_CBC_CRC) {
 return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION,
 "KerberosNewerKeys key[3] value_len != 8");
 }
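Review bot: `k->ctr.ctr4.keys[3]` is still read in the rewritten condition (and `keys[2]` in the context just above it) although the `-480` hunk of this patch deletes the `num_keys != 4` check, so nothing visible guarantees that four entries exist; if the keys array is sized by num_keys (its allocation is not shown), a blob with fewer keys is read past its end. Guard each fixed-index test with the count, e.g. make `if (k->ctr.ctr4.num_keys > 3 &&` the first line of this condition, and do the same for the `keys[0]` test kept as context in the `-495` hunk. With the keytype tests for slots 0 to 3 also deleted there, slot 3 now passes with any value_len whenever its keytype is not ENCTYPE_DES_CBC_CRC, while slots 0 and 2 keep a positional length check with no keytype check; tying every length check to the entry's own keytype would make the validation consistent. The enclosing block begins and ends outside this hunk.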