Add options to control NTLM hashes

By default LM hash is disabled.
Of course generation still depends on whether the SamAccount objectclass is
present in the user object.

daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c

@@ -73,6 +73,7 @@ const char *ipa_realm_tree;
 /* dn of Kerberos realm entry */
 const char *ipa_realm_dn;
 const char *ipa_pwd_config_dn;
+const char *ipa_etc_config_dn;
 const char *ipa_changepw_principal_dn;
 
 Slapi_PluginDesc ipapwd_plugin_desc = {
@@ -1117,6 +1118,14 @@ static int ipapwd_start( Slapi_PBlock *pb )
         goto done;
     }
 
+    ipa_etc_config_dn = slapi_ch_smprintf("cn=ipaConfig,cn=etc,%s",
+                                          ipa_realm_tree);
+    if (!ipa_etc_config_dn) {
+        slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start", "Out of memory?\n");
+        ret = LDAP_OPERATIONS_ERROR;
+        goto done;
+    }
+
     ret = LDAP_SUCCESS;
 
 done:

daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h

@@ -47,6 +47,7 @@
 #include <sys/stat.h>
 #include <fcntl.h>
 #include <unistd.h>
+#include <stdbool.h>
 
 #include <prio.h>
 #include <ssl.h>
@@ -110,6 +111,8 @@ struct ipapwd_krbcfg {
     struct ipapwd_encsalt *pref_encsalts;
     char **passsync_mgrs;
     int num_passsync_mgrs;
+    bool allow_lm_hash;
+    bool allow_nt_hash;
 };
 
 int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e,

daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c

@@ -48,6 +48,7 @@
 
 extern void *ipapwd_plugin_id;
 extern const char *ipa_realm_dn;
+extern const char *ipa_etc_config_dn;
 extern const char *ipa_pwd_config_dn;
 
 /* These are the default enc:salt types if nothing is defined.
@@ -152,6 +153,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
     const struct berval *bval;
     struct berval *mkey = NULL;
     char **encsalts;
+    char **tmparray;
     char *tmpstr;
     int i, ret;
 
@@ -306,6 +308,32 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
     for (i = 0; config->passsync_mgrs[i]; i++) /* count */ ;
     config->num_passsync_mgrs = i;
 
+    slapi_entry_free(config_entry);
+
+    /* get the ipa etc/ipaConfig entry */
+    config->allow_lm_hash = false;
+    config->allow_nt_hash = false;
+    ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
+    if (ret != LDAP_SUCCESS) {
+        slapi_log_error(SLAPI_LOG_FATAL, __func__, "No config Entry?\n");
+    } else {
+        tmparray = slapi_entry_attr_get_charray(config_entry,
+                                                "ipaConfigString");
+        for (i = 0; tmparray && tmparray[i]; i++) {
+            if (strcasecmp(tmparray[i], "AllowLMhash") == 0) {
+                config->allow_lm_hash = true;
+                continue;
+            }
+            if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
+                config->allow_nt_hash = true;
+                continue;
+            }
+        }
+        if (tmparray) slapi_ch_array_free(tmparray);
+    }
+
+    slapi_entry_free(config_entry);
+
     return config;
 
 free_and_error:

daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c

@@ -557,8 +557,6 @@ enc_error:
 }
 
 
-#define KTF_LM_HASH 0x01
-#define KTF_NT_HASH 0x02
 #define KTF_DOS_CHARSET "CP850" /* same default as samba */
 #define KTF_UTF8 "UTF-8"
 #define KTF_UCS2 "UCS-2LE"
@@ -593,16 +591,19 @@ struct ntlm_keys {
 
 /* create the lm and nt hashes
    newPassword: the clear text utf8 password
-   flags: KTF_LM_HASH | KTF_NT_HASH
+   do_lm_hash: determine if LM hash is generated
+   do_nt_hash: determine if NT hash is generated
+   keys[out]: array with generated hashes
 */
 static int encode_ntlm_keys(char *newPasswd,
-                            unsigned int flags,
+                            bool do_lm_hash,
+                            bool do_nt_hash,
                             struct ntlm_keys *keys)
 {
     int ret = 0;
 
     /* do lanman first */
-    if (flags & KTF_LM_HASH) {
+    if (do_lm_hash) {
         iconv_t cd;
         size_t cs, il, ol;
         char *inc, *outc;
@@ -678,7 +679,7 @@ static int encode_ntlm_keys(char *newPasswd,
         memset(keys->lm, 0, 16);
     }
 
-    if (flags & KTF_NT_HASH) {
+    if (do_nt_hash) {
         iconv_t cd;
         size_t cs, il, ol, sl;
         char *inc, *outc;
@@ -770,13 +771,12 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
     if (is_smb) {
         char lm[33], nt[33];
         struct ntlm_keys ntlm;
-        int ntlm_flags = 0;
         int ret;
 
-        /* TODO: retrieve if we want to store the LM hash or not */
+        ret = encode_ntlm_keys(userpw,
-        ntlm_flags = KTF_LM_HASH | KTF_NT_HASH;
+                               krbcfg->allow_lm_hash,
-
+                               krbcfg->allow_nt_hash,
-        ret = encode_ntlm_keys(userpw, ntlm_flags, &ntlm);
+                               &ntlm);
         if (ret) {
             *errMesg = "Failed to generate NT/LM hashes\n";
             slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
@@ -784,12 +784,12 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
             rc = LDAP_OPERATIONS_ERROR;
             goto done;
         }
-        if (ntlm_flags & KTF_LM_HASH) {
+        if (krbcfg->allow_lm_hash) {
             hexbuf(lm, ntlm.lm);
             lm[32] = '\0';
             *lmhash = slapi_ch_strdup(lm);
         }
-        if (ntlm_flags & KTF_NT_HASH) {
+        if (krbcfg->allow_nt_hash) {
             hexbuf(nt, ntlm.nt);
             nt[32] = '\0';
             *nthash = slapi_ch_strdup(nt);

install/share/bootstrap-template.ldif

@@ -187,6 +187,7 @@ changetype: add
 objectClass: nsContainer
 objectClass: top
 objectClass: ipaGuiConfig
+objectClass: ipaConfigObject
 ipaUserSearchFields: uid,givenname,sn,telephonenumber,ou,title
 ipaGroupSearchFields: cn,description
 ipaSearchTimeLimit: 2
@@ -213,6 +214,7 @@ ipaUserObjectClasses: radiusprofile
 ipaUserObjectClasses: ipaobject
 ipaDefaultEmailDomain: $DOMAIN
 ipaMigrationEnabled: FALSE
+ipaConfigString: AllowNThash
 
 dn: cn=account inactivation,cn=accounts,$SUFFIX
 changetype: add