Lines 419-427
static int password_hash_bypass(struct l
|
Link Here
|
---|
|
419 |
"PrimaryKerberos num_old_keys > num_keys"); |
419 |
"PrimaryKerberos num_old_keys > num_keys"); |
420 |
} |
420 |
} |
421 |
|
421 |
|
422 |
if (k->ctr.ctr3.keys[0].keytype != ENCTYPE_DES_CBC_MD5) { |
422 |
if (k->ctr.ctr3.keys[0].keytype != ENCTYPE_DES_CBC_MD5 && |
|
|
423 |
k->ctr.ctr3.keys[0].keytype != DUMMY_NTHASH_KEYTYPE) { |
423 |
return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, |
424 |
return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, |
424 |
"PrimaryKerberos key[0] != DES_CBC_MD5"); |
425 |
"PrimaryKerberos key[0] != DES_CBC_MD5 and != DUMMY_NTHASH_KEYTYPE"); |
425 |
} |
426 |
} |
426 |
// W2k8 and later DCs pass a dummy NThash to W2k3 DCs |
427 |
// W2k8 and later DCs pass a dummy NThash to W2k3 DCs |
427 |
// [MS-SAMR] Section 2.2.10.8 footnote <23> |
428 |
// [MS-SAMR] Section 2.2.10.8 footnote <23> |
Lines 430-436
static int password_hash_bypass(struct l
|
Link Here
|
---|
|
430 |
return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, |
431 |
return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, |
431 |
"PrimaryKerberos key[1] != DES_CBC_CRC and != DUMMY_NTHASH_KEYTYPE"); |
432 |
"PrimaryKerberos key[1] != DES_CBC_CRC and != DUMMY_NTHASH_KEYTYPE"); |
432 |
} |
433 |
} |
433 |
if (k->ctr.ctr3.keys[0].value_len != 8) { |
434 |
if (k->ctr.ctr3.keys[0].value_len != 8 && |
|
|
435 |
k->ctr.ctr3.keys[0].keytype == ENCTYPE_DES_CBC_MD5) { |
434 |
return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, |
436 |
return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, |
435 |
"PrimaryKerberos key[0] value_len != 8"); |
437 |
"PrimaryKerberos key[0] value_len != 8"); |
436 |
} |
438 |
} |
Lines 512-520
static int password_hash_bypass(struct l
|
Link Here
|
---|
|
512 |
return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, |
514 |
return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, |
513 |
"KerberosNewerKeys key[1] != AES128"); |
515 |
"KerberosNewerKeys key[1] != AES128"); |
514 |
} |
516 |
} |
515 |
if (k->ctr.ctr4.keys[2].keytype != ENCTYPE_DES_CBC_MD5) { |
517 |
if (k->ctr.ctr4.keys[2].keytype != ENCTYPE_DES_CBC_MD5 && |
|
|
518 |
k->ctr.ctr4.keys[2].keytype != DUMMY_NTHASH_KEYTYPE) { |
516 |
return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, |
519 |
return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, |
517 |
"KerberosNewerKeys key[2] != DES_CBC_MD5"); |
520 |
"KerberosNewerKeys key[2] != DES_CBC_MD5 and != DUMMY_NTHASH_KEYTYPE"); |
518 |
} |
521 |
} |
519 |
// W2k8 and later DCs pass a dummy NThash to W2k3 DCs |
522 |
// W2k8 and later DCs pass a dummy NThash to W2k3 DCs |
520 |
// [MS-SAMR] Section 2.2.10.8 footnote <23> |
523 |
// [MS-SAMR] Section 2.2.10.8 footnote <23> |
Lines 532-538
static int password_hash_bypass(struct l
|
Link Here
|
---|
|
532 |
return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, |
535 |
return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, |
533 |
"KerberosNewerKeys key[1] value_len != 16"); |
536 |
"KerberosNewerKeys key[1] value_len != 16"); |
534 |
} |
537 |
} |
535 |
if (k->ctr.ctr4.keys[2].value_len != 8) { |
538 |
if (k->ctr.ctr4.keys[2].value_len != 8 && |
|
|
539 |
k->ctr.ctr4.keys[2].keytype == ENCTYPE_DES_CBC_MD5) { |
536 |
return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, |
540 |
return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, |
537 |
"KerberosNewerKeys key[2] value_len != 8"); |
541 |
"KerberosNewerKeys key[2] value_len != 8"); |
538 |
} |
542 |
} |