author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2022-05-09 14:50:15 +1200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2022-06-26 22:10:29 +0000 |
commit | aa9136ab7427a89917a9d0ca7896348c49890b3f (patch) | |
tree | 4bc24138e32d9cda81c5361b0f7c3c256d553afa /python | |
parent | f33aa94c9ee26a44132feca8fc4c460f88a48ee2 (diff) | |
download | samba-aa9136ab7427a89917a9d0ca7896348c49890b3f.tar.gz |
samba-tool user: When possible, obtain AES256 key and salt
We will make use of these in the next commit to check that the
supplemental packages are up-to-date with the current password.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'python')
-rw-r--r-- | python/samba/netcmd/user.py | 39 |
1 files changed, 26 insertions, 13 deletions
diff --git a/python/samba/netcmd/user.py b/python/samba/netcmd/user.py
index 24f66ffbd91..bb99ff8ea17 100644
--- a/python/samba/netcmd/user.py
+++ b/python/samba/netcmd/user.py
@@ -17,6 +17,7 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #

+import builtins
 import samba.getopt as options
 import ldb
 import pwd
@@ -1287,6 +1288,29 @@ class GetPasswordCommand(Command):
 return binascii.a2b_hex(p.data)
 return None

+ def get_kerberos_ctr():
+ primary_krb5 = get_package("Primary:Kerberos-Newer-Keys")
+ if primary_krb5 is None:
+ primary_krb5 = get_package("Primary:Kerberos")
+ if primary_krb5 is None:
+ return (0, None)
+ krb5_blob = ndr_unpack(drsblobs.package_PrimaryKerberosBlob,
+ primary_krb5)
+ return (krb5_blob.version, krb5_blob.ctr)
+
+ aes256_key = None
+ kerberos_salt = None
+
+ (krb5_v, krb5_ctr) = get_kerberos_ctr()
+ if krb5_v in [3, 4]:
+ kerberos_salt = krb5_ctr.salt.string
+
+ if krb5_ctr.keys:
+ def is_aes256(k):
+ return k.keytype == 18
+ aes256_key = next(builtins.filter(is_aes256, krb5_ctr.keys),
+ None)
+
 if decrypt:
 #
 # Samba adds 'Primary:SambaGPG' at the end.
@@ -1499,16 +1523,6 @@ class GetPasswordCommand(Command):
 # first matching scheme
 return (None, scheme_match)

- def get_kerberos_ctr():
- primary_krb5 = get_package("Primary:Kerberos-Newer-Keys")
- if primary_krb5 is None:
- primary_krb5 = get_package("Primary:Kerberos")
- if primary_krb5 is None:
- return (0, None)
- krb5_blob = ndr_unpack(drsblobs.package_PrimaryKerberosBlob,
- primary_krb5)
- return (krb5_blob.version, krb5_blob.ctr)
-
 # Extract the rounds value from the options of a virtualCrypt attribute
 # i.e. options = "rounds=20;other=ignored;" will return 20
 # if the rounds option is not found or the value is not a number, 0 is returned
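Review bot: The Kerberos package is now unpacked on every call, in the block added right after `get_kerberos_ctr()`, whereas before this commit `ndr_unpack` ran only when `virtualKerberosSalt` was requested; a stored blob that fails to unpack would presumably now abort the lookup even for attributes unrelated to Kerberos, so consider handling that failure there and leaving `aes256_key` and `kerberos_salt` as `None`. The literal `18` in `is_aes256` is the Kerberos enctype number for aes256-cts-hmac-sha1-96 and should carry a comment or a named constant, and the `builtins.filter` call needs a comment saying why the plain builtin is not used (presumably a local named `filter` shadows it; the enclosing function's signature is outside the hunk). A generator expression, `aes256_key = next((k for k in krb5_ctr.keys if k.keytype == 18), None)`, would remove both the nested def and the `import builtins` added in the first hunk. `aes256_key` holds long-term key material, so a short comment stating that it must never reach command output or logs would help whoever extends this code.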
@@ -1583,10 +1597,9 @@ class GetPasswordCommand(Command):
 if v is None:
 continue
 elif a == "virtualKerberosSalt":
- (krb5_v, krb5_ctr) = get_kerberos_ctr()
- if krb5_v not in [3, 4]:
+ v = kerberos_salt
+ if v is None:
 continue
- v = krb5_ctr.salt.string
 elif a.startswith("virtualWDigest"):
 primary_wdigest = get_package("Primary:WDigest")
 if primary_wdigest is None: |