Feature #1990

nsswitch support for NT password hashes

Added by Gordon Ross almost 9 years ago. Updated about 5 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
cifs - CIFS server and client
Start date:
2012-01-17
Due date:
% Done:
0%

Estimated time:
Difficulty:
Medium
Tags:
nsswitch ldap
Gerrit CR:

Description

Currently, the native CIFS service (smbsrv, smbd) "goes around" the name service switch mechanism (nsswitch) to get NT password hashes from /var/smb/smbpasswd, and does that only for users defined in local "files".

There have been requests for a way to fetch the NT password hashes using the nsswitch mechanism, so that for accounts defined in LDAP, we'll get the NT password hash from the "sambaNTPassword" element, etc.


Files

ntpasswd.h (1.72 KB) ntpasswd.h Gordon Ross, 2012-01-17 01:38 AM

#1

Updated by Gordon Ross almost 9 years ago

I did some investigations of what might be required to implement this. Basically, one needs to add a new "DB" lookup type similar to the "shadow" lookup. Here are some notes:

Design notes for adding a "get NT passwd" (hash),
similar to getspnam(3C).  API: getnpnam etc.
(Subst. /sp/ntpw/ in: getspnam, getspnam_r,
 getspent_r, setspent, endspent,
 fgetspent, fgetspent_r)

New DB file: /etc/ntpasswd

At first upgrade with this code, create
/etc/ntpasswd from /var/smb/smbpasswd
with updates to the format.  Old (smbpasswd) format:
    <user-name>:<user-id>:<LM hash>:<NTLM hash>
    gwr:81550::0123456789ABCDEF0123456789ABCDEF
New (ntpasswd) format:
    <user-name>:<user-id>:<LM hash>:<NTLM hash>:
    gwr:81550:*NO*LM*HASH*:0123456789ABCDEF0123456789ABCDEF:
Both hashes, if present, are 32-byte hex strings.
Note that the "LM hash" is usually absent (because
accepting or storing the LM hash is undesirable from a
security standpoint, and it is not used in modern systems).
Note ":" at the end, missing from smbpasswd.

There is code to parse the old smbpasswd format in:
  usr/src/lib/smbsrv/libsmb/common/smb_pwdutil.c

New header:
  usr/src/head/ntpasswd.h  (like shadow.h)
  struct ntpw;  /* like shadow.h:spwd */
  (See sample ntpasswd.h)

Modify: usr/src/head/nss_dbdefs.h adding
#define    NSS_DBNAM_NTPASSWD    "ntpasswd" 
(after NSS_DBNAM_SHADOW)
Add NTPASSWD defines like the SHADOW ones.

I _don't_ think we need a new NSS_DBOP_...
because shadow uses the DBOP for passwd.  See:
    #define    NSS_DBOP_SHADOW_BYNAME    (NSS_DBOP_PASSWD_BYNAME)
So just use NSS_DBOP_PASSWD_BYNAME with nss_search().

Add new libc files like getspent*.c etc.
The NSS DB lookup goes like this:

    void
    _nss_initf_ntpasswd(nss_db_params_t *p)
    {
        p->name    = NSS_DBNAM_NTPASSWD;
        /* Use config for "passwd" */
        p->config_name    = NSS_DBNAM_PASSWD;
        p->default_config = NSS_DEFCONF_PASSWD;
    }

Add an NSS_MK_GETXYDBOPB() line to
usr/src/lib/libc/port/gen/nss_dbdefs.c
for  "ntpasswd", again like the "shadow" one.
Careful with getXbyY_to_dbop[] - see the
comment above it about nss_dbop_search().

See "shadow" DB support in:
  usr/src/lib/nsswitch/files/common/
  usr/src/lib/nsswitch/ldap/common/
and add "ntpasswd" method constructors, etc.

I think we can simply not implement "ntpasswd" 
in the other back-ends, but have to check.
(Might need stubs, might not.)

The proposed new "ntpasswd.h" header file is attached.
It would go in usr/src/head/ntpasswd.h

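As an added illustration (not code from this issue, from the attached ntpasswd.h, or from illumos): a converter from the old smbpasswd line format to the proposed ntpasswd format, validating the fields as the note above describes. The record type `ntpw_rec` and both function names are hypothetical; the `*NO*LM*HASH*` placeholder for an absent LM hash is taken from the note's own example line.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record standing in for the proposed struct ntpw (not the attached header). */
struct ntpw_rec {
	char user[256], uid[256];
	char lm[33], nt[33];	/* 32 hex chars each; lm is empty when no LM hash is stored */
};

/* True if s is exactly 32 hex characters, the hash length the note specifies. */
static int is_hash32(const char *s)
{
	if (strlen(s) != 32)
		return 0;
	for (; *s != '\0'; s++)
		if (!isxdigit((unsigned char)*s))
			return 0;
	return 1;
}

/* Parse one old-format line "<user>:<uid>:<LM hash>:<NTLM hash>"; 0 on success, -1 if malformed. */
int parse_smbpasswd_line(const char *line, struct ntpw_rec *r)
{
	char buf[256], *f[4], *p = buf; int n = 0;

	if (snprintf(buf, sizeof (buf), "%s", line) >= (int)sizeof (buf))
		return -1;	/* overlong line */
	buf[strcspn(buf, "\n")] = '\0';
	while (n < 4 && p != NULL) {	/* split on ':', keeping empty fields */
		f[n++] = p;
		if ((p = strchr(p, ':')) != NULL)
			*p++ = '\0';
	}
	/* Exactly four fields, non-empty name and uid, mandatory NT hash, optional LM hash. */
	if (n != 4 || p != NULL || f[0][0] == '\0' || f[1][0] == '\0' ||
	    !is_hash32(f[3]) || (f[2][0] != '\0' && !is_hash32(f[2])))
		return -1;
	strcpy(r->user, f[0]);
	strcpy(r->uid, f[1]);
	strcpy(r->lm, f[2]);
	strcpy(r->nt, f[3]);
	return 0;
}

/* Emit the new format: an absent LM hash becomes the note's placeholder, and a trailing ':' ends the record. */
int format_ntpasswd_line(const struct ntpw_rec *r, char *out, size_t outlen)
{
	return snprintf(out, outlen, "%s:%s:%s:%s:", r->user, r->uid,
	    r->lm[0] != '\0' ? r->lm : "*NO*LM*HASH*", r->nt);
}
```

The parser deliberately rejects a line already in the new format (five fields because of the trailing colon), so an upgrade step that runs it twice cannot double-convert a record.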
#2

Updated by Rich Lowe almost 9 years ago

getent support would be useful, if sufficiently privileged (that said, support for shadow isn't there).

#3

Updated by Milan Jurik almost 9 years ago

Which backends do you plan to support except "files"? If you will add support for LDAP, do you plan to do some changes, e.g. for idsconfig? sambaNTPassword is not a standard attribute (at least unknown to RFC2307). How about NIS? What will the benefit be of adding some application-specific database to the generic /etc/nsswitch.conf? Any plans to use this database in a more generic way, e.g. as some source for users?

#4

Updated by Gordon Ross almost 9 years ago

I would propose to implement this "ntpasswd" DB type for two "back ends": files, ldap.
The ldap backend might need some config settings somewhere, to allow for different
ldap schema, but that's a problem in general for the ldap back end.

The only current consumer would be smbsrv+smbd (and maybe getent).
Perhaps one could do this in smbd, but that gets ugly fast.

#5

Updated by Milan Jurik almost 9 years ago

I am only thinking loudly here, both ways (smbd and nsswitch) will need some additional configuration. If it goes to nsswitch then it should be as transparent as possible. Some additional switch in the LDAP config can lead to common setup errors.

#6

Updated by Gordon Ross about 5 years ago

  • Tags changed from needs-triage to nsswitch ldap

#7

Updated by Gordon Ross about 5 years ago

  • Category set to cifs - CIFS server and client
