Line data Source code
1 : /*
2 : MIT-Samba4 library
3 :
4 : Copyright (c) 2010, Simo Sorce <idra@samba.org>
5 : Copyright (c) 2014-2015 Guenther Deschner <gd@samba.org>
6 : Copyright (c) 2014-2016 Andreas Schneider <asn@samba.org>
7 :
8 : This program is free software; you can redistribute it and/or modify
9 : it under the terms of the GNU General Public License as published by
10 : the Free Software Foundation; either version 3 of the License, or
11 : (at your option) any later version.
12 :
13 : This program is distributed in the hope that it will be useful,
14 : but WITHOUT ANY WARRANTY; without even the implied warranty of
15 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 : GNU General Public License for more details.
17 :
18 : You should have received a copy of the GNU General Public License
19 : along with this program. If not, see <http://www.gnu.org/licenses/>.
20 : */
21 :
22 : #define TEVENT_DEPRECATED 1
23 :
24 : #include "includes.h"
25 : #include "param/param.h"
26 : #include "dsdb/samdb/samdb.h"
27 : #include "system/kerberos.h"
28 : #include <com_err.h>
29 : #include <kdb.h>
30 : #include <kadm5/kadm_err.h>
31 : #include "kdc/sdb.h"
32 : #include "kdc/sdb_kdb.h"
33 : #include "auth/kerberos/kerberos.h"
34 : #include "auth/kerberos/pac_utils.h"
35 : #include "kdc/samba_kdc.h"
36 : #include "kdc/pac-glue.h"
37 : #include "kdc/db-glue.h"
38 : #include "auth/auth.h"
39 : #include "kdc/kpasswd_glue.h"
40 : #include "auth/auth_sam.h"
41 :
42 : #include "mit_samba.h"
43 :
44 : #undef DBGC_CLASS
45 : #define DBGC_CLASS DBGC_KERBEROS
46 :
47 13 : void mit_samba_context_free(struct mit_samba_context *ctx)
48 : {
49 : /* free heimdal's krb5_context */
50 13 : if (ctx->context) {
51 13 : krb5_free_context(ctx->context);
52 : }
53 :
54 : /* then free everything else */
55 13 : talloc_free(ctx);
56 13 : }
57 :
58 : /*
59 : * Implement a callback to log to the MIT KDC log facility
60 : *
61 : * http://web.mit.edu/kerberos/krb5-devel/doc/plugindev/general.html#logging-from-kdc-and-kadmind-plugin-modules
62 : */
63 61 : static void mit_samba_debug(void *private_ptr, int msg_level, const char *msg)
64 : {
65 61 : int is_error = errno;
66 :
67 61 : if (msg_level > 0) {
68 17 : is_error = 0;
69 : }
70 :
71 61 : com_err("", is_error, "%s", msg);
72 61 : }
73 :
74 13 : int mit_samba_context_init(struct mit_samba_context **_ctx)
75 : {
76 : NTSTATUS status;
77 : struct mit_samba_context *ctx;
78 : const char *s4_conf_file;
79 : int ret;
80 : struct samba_kdc_base_context base_ctx;
81 :
82 13 : ctx = talloc_zero(NULL, struct mit_samba_context);
83 13 : if (!ctx) {
84 0 : ret = ENOMEM;
85 0 : goto done;
86 : }
87 :
88 13 : base_ctx.ev_ctx = tevent_context_init(ctx);
89 13 : if (!base_ctx.ev_ctx) {
90 0 : ret = ENOMEM;
91 0 : goto done;
92 : }
93 13 : tevent_loop_allow_nesting(base_ctx.ev_ctx);
94 13 : base_ctx.lp_ctx = loadparm_init_global(false);
95 13 : if (!base_ctx.lp_ctx) {
96 0 : ret = ENOMEM;
97 0 : goto done;
98 : }
99 :
100 13 : debug_set_callback(NULL, mit_samba_debug);
101 :
102 : /* init s4 configuration */
103 13 : s4_conf_file = lpcfg_configfile(base_ctx.lp_ctx);
104 13 : if (s4_conf_file != NULL) {
105 13 : char *p = talloc_strdup(ctx, s4_conf_file);
106 13 : if (p == NULL) {
107 0 : ret = ENOMEM;
108 0 : goto done;
109 : }
110 13 : lpcfg_load(base_ctx.lp_ctx, p);
111 13 : TALLOC_FREE(p);
112 : } else {
113 0 : lpcfg_load_default(base_ctx.lp_ctx);
114 : }
115 :
116 13 : status = samba_kdc_setup_db_ctx(ctx, &base_ctx, &ctx->db_ctx);
117 13 : if (!NT_STATUS_IS_OK(status)) {
118 0 : ret = EINVAL;
119 0 : goto done;
120 : }
121 :
122 : /* init heimdal's krb_context and log facilities */
123 13 : ret = smb_krb5_init_context_basic(ctx,
124 13 : ctx->db_ctx->lp_ctx,
125 : &ctx->context);
126 13 : if (ret) {
127 0 : goto done;
128 : }
129 :
130 13 : ret = 0;
131 :
132 13 : done:
133 13 : if (ret) {
134 0 : mit_samba_context_free(ctx);
135 : } else {
136 13 : *_ctx = ctx;
137 : }
138 13 : return ret;
139 : }
140 :
141 0 : static krb5_error_code ks_is_tgs_principal(struct mit_samba_context *ctx,
142 : krb5_const_principal principal)
143 : {
144 : char *p;
145 0 : int eq = -1;
146 :
147 0 : p = smb_krb5_principal_get_comp_string(ctx, ctx->context, principal, 0);
148 :
149 0 : eq = krb5_princ_size(ctx->context, principal) == 2 &&
150 0 : (strcmp(p, KRB5_TGS_NAME) == 0);
151 :
152 0 : talloc_free(p);
153 :
154 0 : return eq;
155 : }
156 :
157 0 : int mit_samba_generate_salt(krb5_data *salt)
158 : {
159 0 : if (salt == NULL) {
160 0 : return EINVAL;
161 : }
162 :
163 0 : salt->length = 16;
164 0 : salt->data = malloc(salt->length);
165 0 : if (salt->data == NULL) {
166 0 : return ENOMEM;
167 : }
168 :
169 0 : generate_random_buffer((uint8_t *)salt->data, salt->length);
170 :
171 0 : return 0;
172 : }
173 :
174 0 : int mit_samba_generate_random_password(krb5_data *pwd)
175 : {
176 : TALLOC_CTX *tmp_ctx;
177 : char *password;
178 :
179 0 : if (pwd == NULL) {
180 0 : return EINVAL;
181 : }
182 0 : pwd->length = 24;
183 :
184 0 : tmp_ctx = talloc_named(NULL,
185 : 0,
186 : "mit_samba_generate_random_password context");
187 0 : if (tmp_ctx == NULL) {
188 0 : return ENOMEM;
189 : }
190 :
191 0 : password = generate_random_password(tmp_ctx, pwd->length, pwd->length);
192 0 : if (password == NULL) {
193 0 : talloc_free(tmp_ctx);
194 0 : return ENOMEM;
195 : }
196 :
197 0 : pwd->data = strdup(password);
198 0 : talloc_free(tmp_ctx);
199 0 : if (pwd->data == NULL) {
200 0 : return ENOMEM;
201 : }
202 :
203 0 : return 0;
204 : }
205 :
206 12 : int mit_samba_get_principal(struct mit_samba_context *ctx,
207 : krb5_const_principal principal,
208 : unsigned int kflags,
209 : krb5_db_entry **_kentry)
210 : {
211 12 : struct sdb_entry sentry = {};
212 : krb5_db_entry *kentry;
213 : int ret;
214 12 : uint32_t sflags = 0;
215 12 : krb5_principal referral_principal = NULL;
216 :
217 12 : kentry = calloc(1, sizeof(krb5_db_entry));
218 12 : if (kentry == NULL) {
219 0 : return ENOMEM;
220 : }
221 :
222 : #if KRB5_KDB_API_VERSION >= 10
223 : /*
224 : * The MIT KDC code that wants the canonical name in all lookups, and
225 : * takes care to canonicalize only when appropriate.
226 : */
227 12 : sflags |= SDB_F_FORCE_CANON;
228 : #endif
229 :
230 : #if KRB5_KDB_DAL_MAJOR_VERSION >= 9
231 : if (kflags & KRB5_KDB_FLAG_REFERRAL_OK) {
232 : sflags |= SDB_F_CANON;
233 : }
234 :
235 : if (kflags & KRB5_KDB_FLAG_CLIENT) {
236 : sflags |= SDB_F_GET_CLIENT;
237 : sflags |= SDB_F_FOR_AS_REQ;
238 : } else {
239 : int equal = smb_krb5_principal_is_tgs(ctx->context, principal);
240 : if (equal == -1) {
241 : return ENOMEM;
242 : }
243 :
244 : if (equal) {
245 : sflags |= SDB_F_GET_KRBTGT;
246 : } else {
247 : sflags |= SDB_F_GET_SERVER;
248 : sflags |= SDB_F_FOR_TGS_REQ;
249 : }
250 : }
251 : #else /* KRB5_KDB_DAL_MAJOR_VERSION < 9 */
252 12 : if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
253 0 : sflags |= SDB_F_CANON;
254 : }
255 12 : if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
256 : KRB5_KDB_FLAG_INCLUDE_PAC)) {
257 : /*
258 : * KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is equal to
259 : * SDB_F_FOR_AS_REQ
260 : *
261 : * We use ANY to also allow AS_REQ for service principal names
262 : * This is supported by Windows.
263 : */
264 0 : sflags |= SDB_F_GET_ANY|SDB_F_FOR_AS_REQ;
265 : } else {
266 12 : int equal = smb_krb5_principal_is_tgs(ctx->context, principal);
267 12 : if (equal == -1) {
268 0 : return ENOMEM;
269 : }
270 :
271 12 : if (equal) {
272 0 : sflags |= SDB_F_GET_KRBTGT;
273 : } else {
274 12 : sflags |= SDB_F_GET_SERVER|SDB_F_FOR_TGS_REQ;
275 : }
276 : }
277 : #endif /* KRB5_KDB_DAL_MAJOR_VERSION */
278 :
279 : /* always set this or the created_by data will not be populated by samba's
280 : * backend and we will fail to parse the entry later */
281 12 : sflags |= SDB_F_ADMIN_DATA;
282 :
283 :
284 12 : fetch_referral_principal:
285 12 : ret = samba_kdc_fetch(ctx->context, ctx->db_ctx,
286 : principal, sflags, 0, &sentry);
287 12 : switch (ret) {
288 12 : case 0:
289 12 : break;
290 0 : case SDB_ERR_NOENTRY:
291 0 : ret = KRB5_KDB_NOENTRY;
292 0 : goto done;
293 0 : case SDB_ERR_WRONG_REALM: {
294 0 : char *dest_realm = NULL;
295 0 : const char *our_realm = lpcfg_realm(ctx->db_ctx->lp_ctx);
296 :
297 0 : if (sflags & SDB_F_FOR_AS_REQ) {
298 : /*
299 : * If this is a request for a TGT, we are done. The KDC
300 : * will return the correct error to the client.
301 : */
302 0 : ret = 0;
303 0 : break;
304 : }
305 :
306 0 : if (referral_principal != NULL) {
307 0 : sdb_entry_free(&sentry);
308 0 : ret = KRB5_KDB_NOENTRY;
309 0 : goto done;
310 : }
311 :
312 : /*
313 : * We get a TGS request
314 : *
315 : * cifs/dc7.SAMBA2008R2.EXAMPLE.COM@ADDOM.SAMBA.EXAMPLE.COM
316 : *
317 : * to our DC for the realm
318 : *
319 : * ADDOM.SAMBA.EXAMPLE.COM
320 : *
321 : * We look up if we have and entry in the database and get an
322 : * entry with the pricipal:
323 : *
324 : * cifs/dc7.SAMBA2008R2.EXAMPLE.COM@SAMBA2008R2.EXAMPLE.COM
325 : *
326 : * and the error: SDB_ERR_WRONG_REALM.
327 : *
328 : * In the case of a TGS-REQ we need to return a referral ticket
329 : * fo the next trust hop to the client. This ticket will have
330 : * the following principal:
331 : *
332 : * krbtgt/SAMBA2008R2.EXAMPLE.COM@ADDOM.SAMBA.EXAMPLE.COM
333 : *
334 : * We just redo the lookup in the database with the referral
335 : * principal and return success.
336 : */
337 0 : dest_realm = smb_krb5_principal_get_realm(
338 0 : ctx, ctx->context, sentry.principal);
339 0 : sdb_entry_free(&sentry);
340 0 : if (dest_realm == NULL) {
341 0 : ret = KRB5_KDB_NOENTRY;
342 0 : goto done;
343 : }
344 :
345 0 : ret = smb_krb5_make_principal(ctx->context,
346 : &referral_principal,
347 : our_realm,
348 : KRB5_TGS_NAME,
349 : dest_realm,
350 : NULL);
351 0 : TALLOC_FREE(dest_realm);
352 0 : if (ret != 0) {
353 0 : goto done;
354 : }
355 :
356 0 : principal = referral_principal;
357 0 : goto fetch_referral_principal;
358 : }
359 0 : case SDB_ERR_NOT_FOUND_HERE:
360 : /* FIXME: RODC support */
361 : default:
362 0 : goto done;
363 : }
364 :
365 12 : ret = sdb_entry_to_krb5_db_entry(ctx->context, &sentry, kentry);
366 :
367 12 : sdb_entry_free(&sentry);
368 :
369 12 : done:
370 12 : krb5_free_principal(ctx->context, referral_principal);
371 12 : referral_principal = NULL;
372 :
373 12 : if (ret) {
374 0 : free(kentry);
375 : } else {
376 12 : *_kentry = kentry;
377 : }
378 12 : return ret;
379 : }
380 :
381 0 : int mit_samba_get_firstkey(struct mit_samba_context *ctx,
382 : krb5_db_entry **_kentry)
383 : {
384 0 : struct sdb_entry sentry = {};
385 : krb5_db_entry *kentry;
386 : int ret;
387 :
388 0 : kentry = malloc(sizeof(krb5_db_entry));
389 0 : if (kentry == NULL) {
390 0 : return ENOMEM;
391 : }
392 :
393 0 : ret = samba_kdc_firstkey(ctx->context, ctx->db_ctx, &sentry);
394 0 : switch (ret) {
395 0 : case 0:
396 0 : break;
397 0 : case SDB_ERR_NOENTRY:
398 0 : free(kentry);
399 0 : return KRB5_KDB_NOENTRY;
400 0 : case SDB_ERR_NOT_FOUND_HERE:
401 : /* FIXME: RODC support */
402 : default:
403 0 : free(kentry);
404 0 : return ret;
405 : }
406 :
407 0 : ret = sdb_entry_to_krb5_db_entry(ctx->context, &sentry, kentry);
408 :
409 0 : sdb_entry_free(&sentry);
410 :
411 0 : if (ret) {
412 0 : free(kentry);
413 : } else {
414 0 : *_kentry = kentry;
415 : }
416 0 : return ret;
417 : }
418 :
419 0 : int mit_samba_get_nextkey(struct mit_samba_context *ctx,
420 : krb5_db_entry **_kentry)
421 : {
422 0 : struct sdb_entry sentry = {};
423 : krb5_db_entry *kentry;
424 : int ret;
425 :
426 0 : kentry = malloc(sizeof(krb5_db_entry));
427 0 : if (kentry == NULL) {
428 0 : return ENOMEM;
429 : }
430 :
431 0 : ret = samba_kdc_nextkey(ctx->context, ctx->db_ctx, &sentry);
432 0 : switch (ret) {
433 0 : case 0:
434 0 : break;
435 0 : case SDB_ERR_NOENTRY:
436 0 : free(kentry);
437 0 : return KRB5_KDB_NOENTRY;
438 0 : case SDB_ERR_NOT_FOUND_HERE:
439 : /* FIXME: RODC support */
440 : default:
441 0 : free(kentry);
442 0 : return ret;
443 : }
444 :
445 0 : ret = sdb_entry_to_krb5_db_entry(ctx->context, &sentry, kentry);
446 :
447 0 : sdb_entry_free(&sentry);
448 :
449 0 : if (ret) {
450 0 : free(kentry);
451 : } else {
452 0 : *_kentry = kentry;
453 : }
454 0 : return ret;
455 : }
456 :
457 0 : int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
458 : krb5_context context,
459 : uint32_t flags,
460 : krb5_db_entry *client,
461 : krb5_db_entry *server,
462 : krb5_keyblock *replaced_reply_key,
463 : krb5_pac *pac)
464 : {
465 : TALLOC_CTX *tmp_ctx;
466 0 : DATA_BLOB *logon_info_blob = NULL;
467 0 : DATA_BLOB *upn_dns_info_blob = NULL;
468 0 : DATA_BLOB *cred_ndr = NULL;
469 0 : DATA_BLOB **cred_ndr_ptr = NULL;
470 0 : DATA_BLOB cred_blob = data_blob_null;
471 0 : DATA_BLOB *pcred_blob = NULL;
472 0 : DATA_BLOB *pac_attrs_blob = NULL;
473 0 : DATA_BLOB *requester_sid_blob = NULL;
474 : NTSTATUS nt_status;
475 : krb5_error_code code;
476 : struct samba_kdc_entry *skdc_entry;
477 : bool is_krbtgt;
478 0 : enum samba_asserted_identity asserted_identity =
479 0 : (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ?
480 0 : SAMBA_ASSERTED_IDENTITY_SERVICE :
481 : SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY;
482 :
483 0 : skdc_entry = talloc_get_type_abort(client->e_data,
484 : struct samba_kdc_entry);
485 :
486 0 : tmp_ctx = talloc_named(smb_ctx,
487 : 0,
488 : "mit_samba_get_pac context");
489 0 : if (tmp_ctx == NULL) {
490 0 : return ENOMEM;
491 : }
492 :
493 : /* Check if we have a PREAUTH key */
494 0 : if (replaced_reply_key != NULL) {
495 0 : cred_ndr_ptr = &cred_ndr;
496 : }
497 :
498 0 : is_krbtgt = ks_is_tgs_principal(smb_ctx, server->princ);
499 :
500 0 : nt_status = samba_kdc_get_pac_blobs(tmp_ctx,
501 : skdc_entry,
502 : asserted_identity,
503 : &logon_info_blob,
504 : cred_ndr_ptr,
505 : &upn_dns_info_blob,
506 : is_krbtgt ? &pac_attrs_blob : NULL,
507 : PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY,
508 : is_krbtgt ? &requester_sid_blob : NULL,
509 : NULL);
510 0 : if (!NT_STATUS_IS_OK(nt_status)) {
511 0 : talloc_free(tmp_ctx);
512 0 : if (NT_STATUS_EQUAL(nt_status,
513 : NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
514 0 : return ENOENT;
515 : }
516 0 : return EINVAL;
517 : }
518 :
519 0 : if (replaced_reply_key != NULL && cred_ndr != NULL) {
520 0 : code = samba_kdc_encrypt_pac_credentials(context,
521 : replaced_reply_key,
522 : cred_ndr,
523 : tmp_ctx,
524 : &cred_blob);
525 0 : if (code != 0) {
526 0 : talloc_free(tmp_ctx);
527 0 : return code;
528 : }
529 0 : pcred_blob = &cred_blob;
530 : }
531 :
532 0 : code = samba_make_krb5_pac(context,
533 : logon_info_blob,
534 : pcred_blob,
535 : upn_dns_info_blob,
536 : pac_attrs_blob,
537 : requester_sid_blob,
538 : NULL,
539 : NULL,
540 : NULL,
541 : NULL,
542 : *pac);
543 :
544 0 : talloc_free(tmp_ctx);
545 0 : return code;
546 : }
547 :
548 : #if KRB5_KDB_DAL_MAJOR_VERSION < 9
549 0 : krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
550 : krb5_context context,
551 : int kdc_flags,
552 : krb5_const_principal client_principal,
553 : krb5_db_entry *client,
554 : krb5_db_entry *server,
555 : krb5_db_entry *krbtgt,
556 : krb5_keyblock *krbtgt_keyblock,
557 : krb5_pac *pac)
558 : {
559 : TALLOC_CTX *tmp_ctx;
560 : krb5_error_code code;
561 0 : struct samba_kdc_entry *client_skdc_entry = NULL;
562 0 : struct samba_kdc_entry *krbtgt_skdc_entry = NULL;
563 0 : struct samba_kdc_entry *server_skdc_entry = NULL;
564 0 : krb5_principal delegated_proxy_principal = NULL;
565 0 : krb5_pac new_pac = NULL;
566 0 : bool is_in_db = false;
567 0 : bool is_untrusted = false;
568 0 : uint32_t flags = SAMBA_KDC_FLAG_SKIP_PAC_BUFFER;
569 :
570 : /* Create a memory context early so code can use talloc_stackframe() */
571 0 : tmp_ctx = talloc_named(ctx, 0, "mit_samba_reget_pac context");
572 0 : if (tmp_ctx == NULL) {
573 0 : return ENOMEM;
574 : }
575 :
576 0 : if (client != NULL) {
577 : client_skdc_entry =
578 0 : talloc_get_type_abort(client->e_data,
579 : struct samba_kdc_entry);
580 : }
581 :
582 0 : if (server == NULL) {
583 0 : code = EINVAL;
584 0 : goto done;
585 : }
586 :
587 : server_skdc_entry =
588 0 : talloc_get_type_abort(server->e_data,
589 : struct samba_kdc_entry);
590 :
591 0 : if (krbtgt == NULL) {
592 0 : code = EINVAL;
593 0 : goto done;
594 : }
595 : krbtgt_skdc_entry =
596 0 : talloc_get_type_abort(krbtgt->e_data,
597 : struct samba_kdc_entry);
598 :
599 0 : code = samba_krbtgt_is_in_db(krbtgt_skdc_entry,
600 : &is_in_db,
601 : &is_untrusted);
602 0 : if (code != 0) {
603 0 : goto done;
604 : }
605 :
606 0 : if (is_untrusted) {
607 0 : flags |= SAMBA_KDC_FLAG_KRBTGT_IS_UNTRUSTED;
608 : }
609 :
610 0 : if (is_in_db) {
611 0 : flags |= SAMBA_KDC_FLAG_KRBTGT_IN_DB;
612 :
613 : }
614 :
615 0 : if (kdc_flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
616 0 : flags |= SAMBA_KDC_FLAG_PROTOCOL_TRANSITION;
617 : }
618 :
619 0 : if (kdc_flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
620 0 : flags |= SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION;
621 0 : delegated_proxy_principal = discard_const(client_principal);
622 : }
623 :
624 : /* Build an updated PAC */
625 0 : code = krb5_pac_init(context, &new_pac);
626 0 : if (code != 0) {
627 0 : goto done;
628 : }
629 :
630 0 : code = samba_kdc_update_pac(tmp_ctx,
631 : context,
632 0 : krbtgt_skdc_entry->kdc_db_ctx->samdb,
633 : flags,
634 : client_skdc_entry,
635 : server->princ,
636 : server_skdc_entry,
637 : krbtgt_skdc_entry,
638 : delegated_proxy_principal,
639 : *pac,
640 : new_pac);
641 0 : if (code != 0) {
642 0 : krb5_pac_free(context, new_pac);
643 0 : if (code == ENODATA) {
644 0 : krb5_pac_free(context, *pac);
645 0 : *pac = NULL;
646 0 : code = 0;
647 : }
648 0 : goto done;
649 : }
650 :
651 : /* We now replace the pac */
652 0 : krb5_pac_free(context, *pac);
653 0 : *pac = new_pac;
654 :
655 0 : done:
656 0 : talloc_free(tmp_ctx);
657 0 : return code;
658 : }
659 : #else
660 : krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx,
661 : krb5_context context,
662 : int kdc_flags,
663 : krb5_db_entry *client,
664 : krb5_db_entry *server,
665 : krb5_db_entry *krbtgt,
666 : krb5_pac old_pac,
667 : krb5_pac new_pac)
668 : {
669 : TALLOC_CTX *tmp_ctx = NULL;
670 : krb5_error_code code;
671 : struct samba_kdc_entry *client_skdc_entry = NULL;
672 : struct samba_kdc_entry *server_skdc_entry = NULL;
673 : struct samba_kdc_entry *krbtgt_skdc_entry = NULL;
674 : bool is_in_db = false;
675 : bool is_untrusted = false;
676 : uint32_t flags = SAMBA_KDC_FLAG_SKIP_PAC_BUFFER;
677 :
678 : /* Create a memory context early so code can use talloc_stackframe() */
679 : tmp_ctx = talloc_named(ctx, 0, "mit_samba_update_pac context");
680 : if (tmp_ctx == NULL) {
681 : return ENOMEM;
682 : }
683 :
684 : if (client != NULL) {
685 : client_skdc_entry =
686 : talloc_get_type_abort(client->e_data,
687 : struct samba_kdc_entry);
688 : }
689 :
690 : if (krbtgt == NULL) {
691 : code = EINVAL;
692 : goto done;
693 : }
694 : krbtgt_skdc_entry =
695 : talloc_get_type_abort(krbtgt->e_data,
696 : struct samba_kdc_entry);
697 :
698 : server_skdc_entry =
699 : talloc_get_type_abort(server->e_data,
700 : struct samba_kdc_entry);
701 :
702 : /*
703 : * If the krbtgt was generated by an RODC, and we are not that
704 : * RODC, then we need to regenerate the PAC - we can't trust
705 : * it, and confirm that the RODC was permitted to print this ticket
706 : *
707 : * Because of the samba_kdc_validate_pac_blob() step we can be
708 : * sure that the record in 'client' or 'server' matches the SID in the
709 : * original PAC.
710 : */
711 : code = samba_krbtgt_is_in_db(krbtgt_skdc_entry,
712 : &is_in_db,
713 : &is_untrusted);
714 : if (code != 0) {
715 : goto done;
716 : }
717 :
718 : if (is_untrusted) {
719 : flags |= SAMBA_KDC_FLAG_KRBTGT_IS_UNTRUSTED;
720 : }
721 :
722 : if (is_in_db) {
723 : flags |= SAMBA_KDC_FLAG_KRBTGT_IN_DB;
724 :
725 : }
726 :
727 : if (kdc_flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
728 : flags |= SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION;
729 : }
730 :
731 : code = samba_kdc_update_pac(tmp_ctx,
732 : context,
733 : krbtgt_skdc_entry->kdc_db_ctx->samdb,
734 : flags,
735 : client_skdc_entry,
736 : server->princ,
737 : server_skdc_entry,
738 : krbtgt_skdc_entry,
739 : NULL,
740 : old_pac,
741 : new_pac);
742 : if (code != 0) {
743 : if (code == ENODATA) {
744 : /*
745 : * We can't tell the KDC to not issue a PAC. It will
746 : * just return the newly allocated empty PAC.
747 : */
748 : code = 0;
749 : }
750 : }
751 :
752 : done:
753 : talloc_free(tmp_ctx);
754 : return code;
755 : }
756 : #endif
757 :
758 : /* provide header, function is exported but there are no public headers */
759 :
760 : krb5_error_code encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data **code);
761 :
762 : /* this function allocates 'data' using malloc.
763 : * The caller is responsible for freeing it */
764 0 : static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data)
765 : {
766 0 : krb5_error_code ret = 0;
767 : krb5_pa_data pa, *ppa[2];
768 0 : krb5_data *d = NULL;
769 :
770 0 : if (!e_data)
771 0 : return;
772 :
773 0 : e_data->data = NULL;
774 0 : e_data->length = 0;
775 :
776 0 : pa.magic = KV5M_PA_DATA;
777 0 : pa.pa_type = KRB5_PADATA_PW_SALT;
778 0 : pa.length = 12;
779 0 : pa.contents = malloc(pa.length);
780 0 : if (!pa.contents) {
781 0 : return;
782 : }
783 :
784 0 : SIVAL(pa.contents, 0, NT_STATUS_V(nt_status));
785 0 : SIVAL(pa.contents, 4, 0);
786 0 : SIVAL(pa.contents, 8, 1);
787 :
788 0 : ppa[0] = &pa;
789 0 : ppa[1] = NULL;
790 :
791 0 : ret = encode_krb5_padata_sequence(ppa, &d);
792 0 : free(pa.contents);
793 0 : if (ret) {
794 0 : return;
795 : }
796 :
797 0 : e_data->data = (uint8_t *)d->data;
798 0 : e_data->length = d->length;
799 :
800 : /* free d, not d->data - gd */
801 0 : free(d);
802 :
803 0 : return;
804 : }
805 :
806 0 : int mit_samba_check_client_access(struct mit_samba_context *ctx,
807 : krb5_db_entry *client,
808 : const char *client_name,
809 : krb5_db_entry *server,
810 : const char *server_name,
811 : const char *netbios_name,
812 : bool password_change,
813 : DATA_BLOB *e_data)
814 : {
815 : struct samba_kdc_entry *skdc_entry;
816 : NTSTATUS nt_status;
817 :
818 0 : skdc_entry = talloc_get_type(client->e_data, struct samba_kdc_entry);
819 :
820 0 : nt_status = samba_kdc_check_client_access(skdc_entry,
821 : client_name,
822 : netbios_name,
823 : password_change);
824 :
825 0 : if (!NT_STATUS_IS_OK(nt_status)) {
826 0 : if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
827 0 : return ENOMEM;
828 : }
829 :
830 0 : samba_kdc_build_edata_reply(nt_status, e_data);
831 :
832 0 : return samba_kdc_map_policy_err(nt_status);
833 : }
834 :
835 0 : return 0;
836 : }
837 :
838 0 : int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
839 : const krb5_db_entry *server,
840 : krb5_const_principal target_principal)
841 : {
842 : #if KRB5_KDB_DAL_MAJOR_VERSION < 9
843 0 : return KRB5KDC_ERR_BADOPTION;
844 : #else
845 : struct samba_kdc_entry *server_skdc_entry =
846 : talloc_get_type_abort(server->e_data, struct samba_kdc_entry);
847 : krb5_error_code code;
848 :
849 : code = samba_kdc_check_s4u2proxy(ctx->context,
850 : ctx->db_ctx,
851 : server_skdc_entry,
852 : target_principal);
853 :
854 : return code;
855 : #endif
856 : }
857 :
858 0 : krb5_error_code mit_samba_check_allowed_to_delegate_from(
859 : struct mit_samba_context *ctx,
860 : krb5_const_principal client_principal,
861 : krb5_const_principal server_principal,
862 : krb5_pac header_pac,
863 : const krb5_db_entry *proxy)
864 : {
865 : #if KRB5_KDB_DAL_MAJOR_VERSION < 8
866 : return KRB5KDC_ERR_POLICY;
867 : #else
868 : struct samba_kdc_entry *proxy_skdc_entry =
869 0 : talloc_get_type_abort(proxy->e_data, struct samba_kdc_entry);
870 : krb5_error_code code;
871 :
872 0 : code = samba_kdc_check_s4u2proxy_rbcd(ctx->context,
873 : ctx->db_ctx,
874 : client_principal,
875 : server_principal,
876 : header_pac,
877 : proxy_skdc_entry);
878 :
879 0 : return code;
880 : #endif
881 : }
882 :
883 0 : static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
884 : NTSTATUS result,
885 : enum samPwdChangeReason reject_reason,
886 : struct samr_DomInfo1 *dominfo)
887 : {
888 0 : krb5_error_code code = KADM5_PASS_Q_GENERIC;
889 :
890 0 : if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
891 0 : code = KADM5_BAD_PRINCIPAL;
892 0 : krb5_set_error_message(context,
893 : code,
894 : "No such user when changing password");
895 : }
896 0 : if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
897 0 : code = KADM5_PASS_Q_GENERIC;
898 0 : krb5_set_error_message(context,
899 : code,
900 : "Not permitted to change password");
901 : }
902 0 : if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) &&
903 : dominfo != NULL) {
904 0 : switch (reject_reason) {
905 0 : case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT:
906 0 : code = KADM5_PASS_Q_TOOSHORT;
907 0 : krb5_set_error_message(context,
908 : code,
909 : "Password too short, password "
910 : "must be at least %d characters "
911 : "long.",
912 0 : dominfo->min_password_length);
913 0 : break;
914 0 : case SAM_PWD_CHANGE_NOT_COMPLEX:
915 0 : code = KADM5_PASS_Q_DICT;
916 0 : krb5_set_error_message(context,
917 : code,
918 : "Password does not meet "
919 : "complexity requirements");
920 0 : break;
921 0 : case SAM_PWD_CHANGE_PWD_IN_HISTORY:
922 0 : code = KADM5_PASS_TOOSOON;
923 0 : krb5_set_error_message(context,
924 : code,
925 : "Password is already in password "
926 : "history. New password must not "
927 : "match any of your %d previous "
928 : "passwords.",
929 0 : dominfo->password_history_length);
930 0 : break;
931 0 : default:
932 0 : code = KADM5_PASS_Q_GENERIC;
933 0 : krb5_set_error_message(context,
934 : code,
935 : "Password change rejected, "
936 : "password changes may not be "
937 : "permitted on this account, or "
938 : "the minimum password age may "
939 : "not have elapsed.");
940 0 : break;
941 : }
942 : }
943 :
944 0 : return code;
945 : }
946 :
947 0 : int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
948 : char *pwd,
949 : krb5_db_entry *db_entry)
950 : {
951 : NTSTATUS status;
952 0 : NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
953 : TALLOC_CTX *tmp_ctx;
954 : DATA_BLOB password;
955 : enum samPwdChangeReason reject_reason;
956 : struct samr_DomInfo1 *dominfo;
957 0 : const char *error_string = NULL;
958 : struct auth_user_info_dc *user_info_dc;
959 : struct samba_kdc_entry *p =
960 0 : talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
961 0 : krb5_error_code code = 0;
962 :
963 : #ifdef DEBUG_PASSWORD
964 0 : DEBUG(1,("mit_samba_kpasswd_change_password called with: %s\n", pwd));
965 : #endif
966 :
967 0 : tmp_ctx = talloc_named(ctx, 0, "mit_samba_kpasswd_change_password");
968 0 : if (tmp_ctx == NULL) {
969 0 : return ENOMEM;
970 : }
971 :
972 0 : status = samba_kdc_get_user_info_from_db(p,
973 : p->msg,
974 : &user_info_dc);
975 0 : if (!NT_STATUS_IS_OK(status)) {
976 0 : DEBUG(1,("samba_kdc_get_user_info_from_db failed: %s\n",
977 : nt_errstr(status)));
978 0 : talloc_free(tmp_ctx);
979 0 : return EINVAL;
980 : }
981 :
982 0 : status = auth_generate_session_info(tmp_ctx,
983 0 : ctx->db_ctx->lp_ctx,
984 0 : ctx->db_ctx->samdb,
985 : user_info_dc,
986 : 0, /* session_info_flags */
987 : &ctx->session_info);
988 :
989 0 : if (!NT_STATUS_IS_OK(status)) {
990 0 : DEBUG(1,("auth_generate_session_info failed: %s\n",
991 : nt_errstr(status)));
992 0 : talloc_free(tmp_ctx);
993 0 : return EINVAL;
994 : }
995 :
996 : /* password is expected as UTF16 */
997 :
998 0 : if (!convert_string_talloc(tmp_ctx, CH_UTF8, CH_UTF16,
999 : pwd, strlen(pwd),
1000 : &password.data, &password.length)) {
1001 0 : DEBUG(1,("convert_string_talloc failed\n"));
1002 0 : talloc_free(tmp_ctx);
1003 0 : return EINVAL;
1004 : }
1005 :
1006 0 : status = samdb_kpasswd_change_password(tmp_ctx,
1007 0 : ctx->db_ctx->lp_ctx,
1008 0 : ctx->db_ctx->ev_ctx,
1009 : ctx->session_info,
1010 : &password,
1011 : &reject_reason,
1012 : &dominfo,
1013 : &error_string,
1014 : &result);
1015 0 : if (!NT_STATUS_IS_OK(status)) {
1016 0 : DEBUG(1,("samdb_kpasswd_change_password failed: %s\n",
1017 : nt_errstr(status)));
1018 0 : code = KADM5_PASS_Q_GENERIC;
1019 0 : krb5_set_error_message(ctx->context, code, "%s", error_string);
1020 0 : goto out;
1021 : }
1022 :
1023 0 : if (!NT_STATUS_IS_OK(result)) {
1024 0 : code = mit_samba_change_pwd_error(ctx->context,
1025 : result,
1026 : reject_reason,
1027 : dominfo);
1028 : }
1029 :
1030 0 : out:
1031 0 : talloc_free(tmp_ctx);
1032 :
1033 0 : return code;
1034 : }
1035 :
1036 0 : void mit_samba_zero_bad_password_count(krb5_db_entry *db_entry)
1037 : {
1038 : /* struct netr_SendToSamBase *send_to_sam = NULL; */
1039 : struct samba_kdc_entry *p =
1040 0 : talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
1041 : struct ldb_dn *domain_dn;
1042 :
1043 0 : domain_dn = ldb_get_default_basedn(p->kdc_db_ctx->samdb);
1044 :
1045 0 : authsam_logon_success_accounting(p->kdc_db_ctx->samdb,
1046 0 : p->msg,
1047 : domain_dn,
1048 : true,
1049 : NULL, NULL);
1050 : /* TODO: RODC support */
1051 0 : }
1052 :
1053 :
1054 0 : void mit_samba_update_bad_password_count(krb5_db_entry *db_entry)
1055 : {
1056 : struct samba_kdc_entry *p =
1057 0 : talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
1058 :
1059 0 : authsam_update_bad_pwd_count(p->kdc_db_ctx->samdb,
1060 : p->msg,
1061 0 : ldb_get_default_basedn(p->kdc_db_ctx->samdb));
1062 0 : }
1063 :
1064 0 : bool mit_samba_princ_needs_pac(krb5_db_entry *db_entry)
1065 : {
1066 : struct samba_kdc_entry *skdc_entry =
1067 0 : talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
1068 :
1069 0 : return samba_princ_needs_pac(skdc_entry);
1070 : }
|
