samba-tool: add virtualKerberosSalt attribute to 'user getpassword/sy…

…ncpasswords' This might be useful for someone, but at least it's very useful for tests. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13539 Signed-off-by: Stefan Metzmacher <[email protected]> Reviewed-by: Andrew Bartlett <[email protected]> (cherry picked from commit 39c281a)
wenhualin1005 · Sep 5, 2018 · fab6d42 · fab6d42
1 parent f7b9267
commit fab6d42
Showing 1 changed file with 24 additions and 0 deletions.
diff --git a/python/samba/netcmd/user.py b/python/samba/netcmd/user.py
@@ -199,6 +199,9 @@ def get_rounds(options):
 for x in range(1, 30):
     virtual_attributes["virtualWDigest%02d" % x] = {}
 
+# Add Kerberos virtual attributes
+virtual_attributes["virtualKerberosSalt"] = {}
+
 virtual_attributes_help  = "The attributes to display (comma separated). "
 virtual_attributes_help += "Possible supported virtual attributes: %s" % ", ".join(sorted(virtual_attributes.keys()))
 if len(disabled_virtual_attributes) != 0:
@@ -1217,6 +1220,16 @@ def get_userPassword_hash(blob, algorithm, rounds):
             # first matching scheme
             return (None, scheme_match)
 
+        def get_kerberos_ctr():
+            primary_krb5 = get_package("Primary:Kerberos-Newer-Keys")
+            if primary_krb5 is None:
+                primary_krb5 = get_package("Primary:Kerberos")
+            if primary_krb5 is None:
+                return (0, None)
+            krb5_blob = ndr_unpack(drsblobs.package_PrimaryKerberosBlob,
+                                   primary_krb5)
+            return (krb5_blob.version, krb5_blob.ctr)
+
         # We use sort here in order to have a predictable processing order
         for a in sorted(virtual_attributes.keys()):
             if not a.lower() in lower_attrs:
@@ -1268,6 +1281,11 @@ def get_userPassword_hash(blob, algorithm, rounds):
                 v = get_package("Primary:SambaGPG", min_idx=-1)
                 if v is None:
                     continue
+            elif a == "virtualKerberosSalt":
+                (krb5_v, krb5_ctr) = get_kerberos_ctr()
+                if krb5_v not in [3, 4]:
+                    continue
+                v = krb5_ctr.salt.string
             elif a.startswith("virtualWDigest"):
                 primary_wdigest = get_package("Primary:WDigest")
                 if primary_wdigest is None:
@@ -1384,6 +1402,9 @@ class cmd_user_getpassword(GetPasswordCommand):
                         https://msdn.microsoft.com/en-us/library/cc245680.aspx
                           is incorrect
 
+   virtualKerberosSalt:   This results the salt string that is used to compute
+                          Kerberos keys from a UTF-8 cleartext password.
+
    virtualSambaGPG:       The raw cleartext as stored in the
                           'Primary:SambaGPG' buffer inside of the
                           supplementalCredentials attribute.
@@ -1551,6 +1572,9 @@ class cmd_user_syncpasswords(GetPasswordCommand):
                         https://msdn.microsoft.com/en-us/library/cc245680.aspx
                           is incorrect.
 
+   virtualKerberosSalt:   This results the salt string that is used to compute
+                          Kerberos keys from a UTF-8 cleartext password.
+
    virtualSambaGPG:       The raw cleartext as stored in the
                           'Primary:SambaGPG' buffer inside of the
                           supplementalCredentials attribute.