mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
4a95661686

When an NRPC netr_ServerAuthenticate3 call is performed, a trusted AD DC would use the trusted domain account to authenticate to Samba. This means that Samba would internally do a samr_QueryUserInfo2 request with level 16 (UserControlInformation), coming to the PDB module via a pdb_getsampwsid() call. For normal user or workstation accounts we expect to have Kerberos keys available and may be able to extract NTLM hash data from them. However, a trusted domain account is not a normal Kerberos principal. It stores the TDO credential in a different way. Since we never processed it through the pdb_getsampwsid() call, it was not possible to retrieve the NTLM hash for the TDO account at all, hence the netr_ServerAuthenticate3 call was failing.

The NTLM hash is used internally in Samba. External communication with the AD DC will use an AES-based session key that is derived from the TDO credential. The credential itself can be treated as a plaintext here.

Fix it by adding recognition of the trusted domain object account and retrieving the NTLM hash from the correct attribute of the TDO.

Fixes: https://pagure.io/freeipa/issue/9134

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Tree:

..
dnssec
ipa-kdb
ipa-otpd
ipa-sam
ipa-slapi-plugins
ipa-version.h.in
Makefile.am