search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-kerberos: only use krb5 headers where required.
[Samba.git] / source / libads / kerberos.c
blobf7091022e6955c3997c172440d4aa80361bf1dbc
1 /*
2 Unix SMB/CIFS implementation.
3 kerberos utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Nalin Dahyabhai <nalin@redhat.com> 2004.
7 Copyright (C) Jeremy Allison 2004.
8 Copyright (C) Gerald Carter 2006.
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "smb_krb5.h"
26
27 #ifdef HAVE_KRB5
28
29 #define DEFAULT_KRB5_PORT 88
30
31 #define LIBADS_CCACHE_NAME "MEMORY:libads"
32
33 /*
34 we use a prompter to avoid a crash bug in the kerberos libs when
35 dealing with empty passwords
36 this prompter is just a string copy ...
37 */
38 static krb5_error_code
39 kerb_prompter(krb5_context ctx, void *data,
40 const char *name,
41 const char *banner,
42 int num_prompts,
43 krb5_prompt prompts[])
44 {
45 if (num_prompts == 0) return 0;
46
47 memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
48 if (prompts[0].reply->length > 0) {
49 if (data) {
50 strncpy((char *)prompts[0].reply->data, (const char *)data,
51 prompts[0].reply->length-1);
52 prompts[0].reply->length = strlen((const char *)prompts[0].reply->data);
53 } else {
54 prompts[0].reply->length = 0;
55 }
56 }
57 return 0;
58 }
59
60 static bool smb_krb5_err_io_nstatus(TALLOC_CTX *mem_ctx,
61 DATA_BLOB *edata_blob,
62 KRB5_EDATA_NTSTATUS *edata)
63 {
64 bool ret = False;
65 prs_struct ps;
66
67 if (!mem_ctx || !edata_blob || !edata)
68 return False;
69
70 if (!prs_init(&ps, edata_blob->length, mem_ctx, UNMARSHALL))
71 return False;
72
73 if (!prs_copy_data_in(&ps, (char *)edata_blob->data, edata_blob->length))
74 goto out;
75
76 prs_set_offset(&ps, 0);
77
78 if (!prs_ntstatus("ntstatus", &ps, 1, &edata->ntstatus))
79 goto out;
80
81 if (!prs_uint32("unknown1", &ps, 1, &edata->unknown1))
82 goto out;
83
84 if (!prs_uint32("unknown2", &ps, 1, &edata->unknown2)) /* only seen 00000001 here */
85 goto out;
86
87 ret = True;
88 out:
89 prs_mem_free(&ps);
90
91 return ret;
92 }
93
94 static bool smb_krb5_get_ntstatus_from_krb5_error(krb5_error *error,
95 NTSTATUS *nt_status)
96 {
97 DATA_BLOB edata;
98 DATA_BLOB unwrapped_edata;
99 TALLOC_CTX *mem_ctx;
100 KRB5_EDATA_NTSTATUS parsed_edata;
101
102 #ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
103 edata = data_blob(error->e_data->data, error->e_data->length);
104 #else
105 edata = data_blob(error->e_data.data, error->e_data.length);
106 #endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
107
108 #ifdef DEVELOPER
109 dump_data(10, edata.data, edata.length);
110 #endif /* DEVELOPER */
111
112 mem_ctx = talloc_init("smb_krb5_get_ntstatus_from_krb5_error");
113 if (mem_ctx == NULL) {
114 data_blob_free(&edata);
115 return False;
116 }
117
118 if (!unwrap_edata_ntstatus(mem_ctx, &edata, &unwrapped_edata)) {
119 data_blob_free(&edata);
120 TALLOC_FREE(mem_ctx);
121 return False;
122 }
123
124 data_blob_free(&edata);
125
126 if (!smb_krb5_err_io_nstatus(mem_ctx, &unwrapped_edata, &parsed_edata)) {
127 data_blob_free(&unwrapped_edata);
128 TALLOC_FREE(mem_ctx);
129 return False;
130 }
131
132 data_blob_free(&unwrapped_edata);
133
134 if (nt_status) {
135 *nt_status = parsed_edata.ntstatus;
136 }
137
138 TALLOC_FREE(mem_ctx);
139
140 return True;
141 }
142
143 static bool smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt(krb5_context ctx,
144 krb5_get_init_creds_opt *opt,
145 NTSTATUS *nt_status)
146 {
147 bool ret = False;
148 krb5_error *error = NULL;
149
150 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_GET_ERROR
151 ret = krb5_get_init_creds_opt_get_error(ctx, opt, &error);
152 if (ret) {
153 DEBUG(1,("krb5_get_init_creds_opt_get_error gave: %s\n",
154 error_message(ret)));
155 return False;
156 }
157 #endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_GET_ERROR */
158
159 if (!error) {
160 DEBUG(1,("no krb5_error\n"));
161 return False;
162 }
163
164 #ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
165 if (!error->e_data) {
166 #else
167 if (error->e_data.data == NULL) {
168 #endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
169 DEBUG(1,("no edata in krb5_error\n"));
170 krb5_free_error(ctx, error);
171 return False;
172 }
173
174 ret = smb_krb5_get_ntstatus_from_krb5_error(error, nt_status);
175
176 krb5_free_error(ctx, error);
177
178 return ret;
179 }
180
181 /*
182 simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL
183 place in default cache location.
184 remus@snapserver.com
185 */
186 int kerberos_kinit_password_ext(const char *principal,
187 const char *password,
188 int time_offset,
189 time_t *expire_time,
190 time_t *renew_till_time,
191 const char *cache_name,
192 bool request_pac,
193 bool add_netbios_addr,
194 time_t renewable_time,
195 NTSTATUS *ntstatus)
196 {
197 krb5_context ctx = NULL;
198 krb5_error_code code = 0;
199 krb5_ccache cc = NULL;
200 krb5_principal me = NULL;
201 krb5_creds my_creds;
202 krb5_get_init_creds_opt *opt = NULL;
203 smb_krb5_addresses *addr = NULL;
204
205 ZERO_STRUCT(my_creds);
206
207 initialize_krb5_error_table();
208 if ((code = krb5_init_context(&ctx)))
209 goto out;
210
211 if (time_offset != 0) {
212 krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
213 }
214
215 DEBUG(10,("kerberos_kinit_password: as %s using [%s] as ccache and config [%s]\n",
216 principal,
217 cache_name ? cache_name: krb5_cc_default_name(ctx),
218 getenv("KRB5_CONFIG")));
219
220 if ((code = krb5_cc_resolve(ctx, cache_name ? cache_name : krb5_cc_default_name(ctx), &cc))) {
221 goto out;
222 }
223
224 if ((code = smb_krb5_parse_name(ctx, principal, &me))) {
225 goto out;
226 }
227
228 if ((code = smb_krb5_get_init_creds_opt_alloc(ctx, &opt))) {
229 goto out;
230 }
231
232 krb5_get_init_creds_opt_set_renew_life(opt, renewable_time);
233 krb5_get_init_creds_opt_set_forwardable(opt, True);
234 #if 0
235 /* insane testing */
236 krb5_get_init_creds_opt_set_tkt_life(opt, 60);
237 #endif
238
239 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
240 if (request_pac) {
241 if ((code = krb5_get_init_creds_opt_set_pac_request(ctx, opt, (krb5_boolean)request_pac))) {
242 goto out;
243 }
244 }
245 #endif
246 if (add_netbios_addr) {
247 if ((code = smb_krb5_gen_netbios_krb5_address(&addr))) {
248 goto out;
249 }
250 krb5_get_init_creds_opt_set_address_list(opt, addr->addrs);
251 }
252
253 if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, CONST_DISCARD(char *,password),
254 kerb_prompter, CONST_DISCARD(char *,password),
255 0, NULL, opt))) {
256 goto out;
257 }
258
259 if ((code = krb5_cc_initialize(ctx, cc, me))) {
260 goto out;
261 }
262
263 if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
264 goto out;
265 }
266
267 if (expire_time) {
268 *expire_time = (time_t) my_creds.times.endtime;
269 }
270
271 if (renew_till_time) {
272 *renew_till_time = (time_t) my_creds.times.renew_till;
273 }
274 out:
275 if (ntstatus) {
276
277 NTSTATUS status;
278
279 /* fast path */
280 if (code == 0) {
281 *ntstatus = NT_STATUS_OK;
282 goto cleanup;
283 }
284
285 /* try to get ntstatus code out of krb5_error when we have it
286 * inside the krb5_get_init_creds_opt - gd */
287
288 if (opt && smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt(ctx, opt, &status)) {
289 *ntstatus = status;
290 goto cleanup;
291 }
292
293 /* fall back to self-made-mapping */
294 *ntstatus = krb5_to_nt_status(code);
295 }
296
297 cleanup:
298 krb5_free_cred_contents(ctx, &my_creds);
299 if (me) {
300 krb5_free_principal(ctx, me);
301 }
302 if (addr) {
303 smb_krb5_free_addresses(ctx, addr);
304 }
305 if (opt) {
306 smb_krb5_get_init_creds_opt_free(ctx, opt);
307 }
308 if (cc) {
309 krb5_cc_close(ctx, cc);
310 }
311 if (ctx) {
312 krb5_free_context(ctx);
313 }
314 return code;
315 }
316
317
318
319 /* run kinit to setup our ccache */
320 int ads_kinit_password(ADS_STRUCT *ads)
321 {
322 char *s;
323 int ret;
324 const char *account_name;
325 fstring acct_name;
326
327 if (ads->auth.flags & ADS_AUTH_USER_CREDS) {
328 account_name = ads->auth.user_name;
329 goto got_accountname;
330 }
331
332 if ( IS_DC ) {
333 /* this will end up getting a ticket for DOMAIN@RUSTED.REA.LM */
334 account_name = lp_workgroup();
335 } else {
336 /* always use the sAMAccountName for security = domain */
337 /* global_myname()$@REA.LM */
338 if ( lp_security() == SEC_DOMAIN ) {
339 fstr_sprintf( acct_name, "%s$", global_myname() );
340 account_name = acct_name;
341 }
342 else
343 /* This looks like host/global_myname()@REA.LM */
344 account_name = ads->auth.user_name;
345 }
346
347 got_accountname:
348 if (asprintf(&s, "%s@%s", account_name, ads->auth.realm) == -1) {
349 return KRB5_CC_NOMEM;
350 }
351
352 if (!ads->auth.password) {
353 SAFE_FREE(s);
354 return KRB5_LIBOS_CANTREADPWD;
355 }
356
357 ret = kerberos_kinit_password_ext(s, ads->auth.password, ads->auth.time_offset,
358 &ads->auth.tgt_expire, NULL, NULL, False, False, ads->auth.renewable,
359 NULL);
360
361 if (ret) {
362 DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
363 s, error_message(ret)));
364 }
365 SAFE_FREE(s);
366 return ret;
367 }
368
369 int ads_kdestroy(const char *cc_name)
370 {
371 krb5_error_code code;
372 krb5_context ctx = NULL;
373 krb5_ccache cc = NULL;
374
375 initialize_krb5_error_table();
376 if ((code = krb5_init_context (&ctx))) {
377 DEBUG(3, ("ads_kdestroy: kdb5_init_context failed: %s\n",
378 error_message(code)));
379 return code;
380 }
381
382 if (!cc_name) {
383 if ((code = krb5_cc_default(ctx, &cc))) {
384 krb5_free_context(ctx);
385 return code;
386 }
387 } else {
388 if ((code = krb5_cc_resolve(ctx, cc_name, &cc))) {
389 DEBUG(3, ("ads_kdestroy: krb5_cc_resolve failed: %s\n",
390 error_message(code)));
391 krb5_free_context(ctx);
392 return code;
393 }
394 }
395
396 if ((code = krb5_cc_destroy (ctx, cc))) {
397 DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n",
398 error_message(code)));
399 }
400
401 krb5_free_context (ctx);
402 return code;
403 }
404
405 /************************************************************************
406 Routine to fetch the salting principal for a service. Active
407 Directory may use a non-obvious principal name to generate the salt
408 when it determines the key to use for encrypting tickets for a service,
409 and hopefully we detected that when we joined the domain.
410 ************************************************************************/
411
412 static char *kerberos_secrets_fetch_salting_principal(const char *service, int enctype)
413 {
414 char *key = NULL;
415 char *ret = NULL;
416
417 if (asprintf(&key, "%s/%s/enctype=%d",
418 SECRETS_SALTING_PRINCIPAL, service, enctype) == -1) {
419 return NULL;
420 }
421 ret = (char *)secrets_fetch(key, NULL);
422 SAFE_FREE(key);
423 return ret;
424 }
425
426 /************************************************************************
427 Return the standard DES salt key
428 ************************************************************************/
429
430 char* kerberos_standard_des_salt( void )
431 {
432 fstring salt;
433
434 fstr_sprintf( salt, "host/%s.%s@", global_myname(), lp_realm() );
435 strlower_m( salt );
436 fstrcat( salt, lp_realm() );
437
438 return SMB_STRDUP( salt );
439 }
440
441 /************************************************************************
442 ************************************************************************/
443
444 static char* des_salt_key( void )
445 {
446 char *key;
447
448 if (asprintf(&key, "%s/DES/%s", SECRETS_SALTING_PRINCIPAL,
449 lp_realm()) == -1) {
450 return NULL;
451 }
452
453 return key;
454 }
455
456 /************************************************************************
457 ************************************************************************/
458
459 bool kerberos_secrets_store_des_salt( const char* salt )
460 {
461 char* key;
462 bool ret;
463
464 if ( (key = des_salt_key()) == NULL ) {
465 DEBUG(0,("kerberos_secrets_store_des_salt: failed to generate key!\n"));
466 return False;
467 }
468
469 if ( !salt ) {
470 DEBUG(8,("kerberos_secrets_store_des_salt: deleting salt\n"));
471 secrets_delete( key );
472 return True;
473 }
474
475 DEBUG(3,("kerberos_secrets_store_des_salt: Storing salt \"%s\"\n", salt));
476
477 ret = secrets_store( key, salt, strlen(salt)+1 );
478
479 SAFE_FREE( key );
480
481 return ret;
482 }
483
484 /************************************************************************
485 ************************************************************************/
486
487 char* kerberos_secrets_fetch_des_salt( void )
488 {
489 char *salt, *key;
490
491 if ( (key = des_salt_key()) == NULL ) {
492 DEBUG(0,("kerberos_secrets_fetch_des_salt: failed to generate key!\n"));
493 return False;
494 }
495
496 salt = (char*)secrets_fetch( key, NULL );
497
498 SAFE_FREE( key );
499
500 return salt;
501 }
502
503 /************************************************************************
504 Routine to get the default realm from the kerberos credentials cache.
505 Caller must free if the return value is not NULL.
506 ************************************************************************/
507
508 char *kerberos_get_default_realm_from_ccache( void )
509 {
510 char *realm = NULL;
511 krb5_context ctx = NULL;
512 krb5_ccache cc = NULL;
513 krb5_principal princ = NULL;
514
515 initialize_krb5_error_table();
516 if (krb5_init_context(&ctx)) {
517 return NULL;
518 }
519
520 DEBUG(5,("kerberos_get_default_realm_from_ccache: "
521 "Trying to read krb5 cache: %s\n",
522 krb5_cc_default_name(ctx)));
523 if (krb5_cc_default(ctx, &cc)) {
524 DEBUG(0,("kerberos_get_default_realm_from_ccache: "
525 "failed to read default cache\n"));
526 goto out;
527 }
528 if (krb5_cc_get_principal(ctx, cc, &princ)) {
529 DEBUG(0,("kerberos_get_default_realm_from_ccache: "
530 "failed to get default principal\n"));
531 goto out;
532 }
533
534 #if defined(HAVE_KRB5_PRINCIPAL_GET_REALM)
535 realm = SMB_STRDUP(krb5_principal_get_realm(ctx, princ));
536 #elif defined(HAVE_KRB5_PRINC_REALM)
537 {
538 krb5_data *realm_data = krb5_princ_realm(ctx, princ);
539 realm = SMB_STRNDUP(realm_data->data, realm_data->length);
540 }
541 #endif
542
543 out:
544
545 if (ctx) {
546 if (princ) {
547 krb5_free_principal(ctx, princ);
548 }
549 if (cc) {
550 krb5_cc_close(ctx, cc);
551 }
552 krb5_free_context(ctx);
553 }
554
555 return realm;
556 }
557
558
559 /************************************************************************
560 Routine to get the salting principal for this service. This is
561 maintained for backwards compatibilty with releases prior to 3.0.24.
562 Since we store the salting principal string only at join, we may have
563 to look for the older tdb keys. Caller must free if return is not null.
564 ************************************************************************/
565
566 krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context,
567 krb5_principal host_princ,
568 int enctype)
569 {
570 char *unparsed_name = NULL, *salt_princ_s = NULL;
571 krb5_principal ret_princ = NULL;
572
573 /* lookup new key first */
574
575 if ( (salt_princ_s = kerberos_secrets_fetch_des_salt()) == NULL ) {
576
577 /* look under the old key. If this fails, just use the standard key */
578
579 if (smb_krb5_unparse_name(context, host_princ, &unparsed_name) != 0) {
580 return (krb5_principal)NULL;
581 }
582 if ((salt_princ_s = kerberos_secrets_fetch_salting_principal(unparsed_name, enctype)) == NULL) {
583 /* fall back to host/machine.realm@REALM */
584 salt_princ_s = kerberos_standard_des_salt();
585 }
586 }
587
588 if (smb_krb5_parse_name(context, salt_princ_s, &ret_princ) != 0) {
589 ret_princ = NULL;
590 }
591
592 SAFE_FREE(unparsed_name);
593 SAFE_FREE(salt_princ_s);
594
595 return ret_princ;
596 }
597
598 /************************************************************************
599 Routine to set the salting principal for this service. Active
600 Directory may use a non-obvious principal name to generate the salt
601 when it determines the key to use for encrypting tickets for a service,
602 and hopefully we detected that when we joined the domain.
603 Setting principal to NULL deletes this entry.
604 ************************************************************************/
605
606 bool kerberos_secrets_store_salting_principal(const char *service,
607 int enctype,
608 const char *principal)
609 {
610 char *key = NULL;
611 bool ret = False;
612 krb5_context context = NULL;
613 krb5_principal princ = NULL;
614 char *princ_s = NULL;
615 char *unparsed_name = NULL;
616 krb5_error_code code;
617
618 if (((code = krb5_init_context(&context)) != 0) || (context == NULL)) {
619 DEBUG(5, ("kerberos_secrets_store_salting_pricipal: kdb5_init_context failed: %s\n",
620 error_message(code)));
621 return False;
622 }
623 if (strchr_m(service, '@')) {
624 if (asprintf(&princ_s, "%s", service) == -1) {
625 goto out;
626 }
627 } else {
628 if (asprintf(&princ_s, "%s@%s", service, lp_realm()) == -1) {
629 goto out;
630 }
631 }
632
633 if (smb_krb5_parse_name(context, princ_s, &princ) != 0) {
634 goto out;
635
636 }
637 if (smb_krb5_unparse_name(context, princ, &unparsed_name) != 0) {
638 goto out;
639 }
640
641 if (asprintf(&key, "%s/%s/enctype=%d",
642 SECRETS_SALTING_PRINCIPAL, unparsed_name, enctype)
643 == -1) {
644 goto out;
645 }
646
647 if ((principal != NULL) && (strlen(principal) > 0)) {
648 ret = secrets_store(key, principal, strlen(principal) + 1);
649 } else {
650 ret = secrets_delete(key);
651 }
652
653 out:
654
655 SAFE_FREE(key);
656 SAFE_FREE(princ_s);
657 SAFE_FREE(unparsed_name);
658
659 if (princ) {
660 krb5_free_principal(context, princ);
661 }
662
663 if (context) {
664 krb5_free_context(context);
665 }
666
667 return ret;
668 }
669
670
671 /************************************************************************
672 ************************************************************************/
673
674 int kerberos_kinit_password(const char *principal,
675 const char *password,
676 int time_offset,
677 const char *cache_name)
678 {
679 return kerberos_kinit_password_ext(principal,
680 password,
681 time_offset,
682 0,
683 0,
684 cache_name,
685 False,
686 False,
687 0,
688 NULL);
689 }
690
691 /************************************************************************
692 ************************************************************************/
693
694 static char *print_kdc_line(char *mem_ctx,
695 const char *prev_line,
696 const struct sockaddr_storage *pss)
697 {
698 char *kdc_str = NULL;
699
700 if (pss->ss_family == AF_INET) {
701 kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
702 prev_line,
703 print_canonical_sockaddr(mem_ctx, pss));
704 } else {
705 char addr[INET6_ADDRSTRLEN];
706 uint16_t port = get_sockaddr_port(pss);
707
708 if (port != 0 && port != DEFAULT_KRB5_PORT) {
709 /* Currently for IPv6 we can't specify a non-default
710 krb5 port with an address, as this requires a ':'.
711 Resolve to a name. */
712 char hostname[MAX_DNS_NAME_LENGTH];
713 int ret = sys_getnameinfo((const struct sockaddr *)pss,
714 sizeof(*pss),
715 hostname, sizeof(hostname),
716 NULL, 0,
717 NI_NAMEREQD);
718 if (ret) {
719 DEBUG(0,("print_kdc_line: can't resolve name "
720 "for kdc with non-default port %s. "
721 "Error %s\n.",
722 print_canonical_sockaddr(mem_ctx, pss),
723 gai_strerror(ret)));
724 }
725 /* Success, use host:port */
726 kdc_str = talloc_asprintf(mem_ctx,
727 "%s\tkdc = %s:%u\n",
728 prev_line,
729 hostname,
730 (unsigned int)port);
731 } else {
732 kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
733 prev_line,
734 print_sockaddr(addr,
735 sizeof(addr),
736 pss));
737 }
738 }
739 return kdc_str;
740 }
741
742 /************************************************************************
743 Create a string list of available kdc's, possibly searching by sitename.
744 Does DNS queries.
745
746 If "sitename" is given, the DC's in that site are listed first.
747
748 ************************************************************************/
749
750 static char *get_kdc_ip_string(char *mem_ctx,
751 const char *realm,
752 const char *sitename,
753 struct sockaddr_storage *pss)
754 {
755 int i;
756 struct ip_service *ip_srv_site = NULL;
757 struct ip_service *ip_srv_nonsite = NULL;
758 int count_site = 0;
759 int count_nonsite;
760 char *kdc_str = print_kdc_line(mem_ctx, "", pss);
761
762 if (kdc_str == NULL) {
763 return NULL;
764 }
765
766 /*
767 * First get the KDC's only in this site, the rest will be
768 * appended later
769 */
770
771 if (sitename) {
772
773 get_kdc_list(realm, sitename, &ip_srv_site, &count_site);
774
775 for (i = 0; i < count_site; i++) {
776 if (sockaddr_equal(&ip_srv_site[i].ss, pss)) {
777 continue;
778 }
779 /* Append to the string - inefficient
780 * but not done often. */
781 kdc_str = print_kdc_line(mem_ctx,
782 kdc_str,
783 &ip_srv_site[i].ss);
784 if (!kdc_str) {
785 SAFE_FREE(ip_srv_site);
786 return NULL;
787 }
788 }
789 }
790
791 /* Get all KDC's. */
792
793 get_kdc_list(realm, NULL, &ip_srv_nonsite, &count_nonsite);
794
795 for (i = 0; i < count_nonsite; i++) {
796 int j;
797
798 if (sockaddr_equal(&ip_srv_nonsite[i].ss, pss)) {
799 continue;
800 }
801
802 /* Ensure this isn't an IP already seen (YUK! this is n*n....) */
803 for (j = 0; j < count_site; j++) {
804 if (sockaddr_equal(&ip_srv_nonsite[i].ss,
805 &ip_srv_site[j].ss)) {
806 break;
807 }
808 /* As the lists are sorted we can break early if nonsite > site. */
809 if (ip_service_compare(&ip_srv_nonsite[i], &ip_srv_site[j]) > 0) {
810 break;
811 }
812 }
813 if (j != i) {
814 continue;
815 }
816
817 /* Append to the string - inefficient but not done often. */
818 kdc_str = print_kdc_line(mem_ctx,
819 kdc_str,
820 &ip_srv_nonsite[i].ss);
821 if (!kdc_str) {
822 SAFE_FREE(ip_srv_site);
823 SAFE_FREE(ip_srv_nonsite);
824 return NULL;
825 }
826 }
827
828
829 SAFE_FREE(ip_srv_site);
830 SAFE_FREE(ip_srv_nonsite);
831
832 DEBUG(10,("get_kdc_ip_string: Returning %s\n",
833 kdc_str ));
834
835 return kdc_str;
836 }
837
838 /************************************************************************
839 Create a specific krb5.conf file in the private directory pointing
840 at a specific kdc for a realm. Keyed off domain name. Sets
841 KRB5_CONFIG environment variable to point to this file. Must be
842 run as root or will fail (which is a good thing :-).
843 ************************************************************************/
844
845 bool create_local_private_krb5_conf_for_domain(const char *realm,
846 const char *domain,
847 const char *sitename,
848 struct sockaddr_storage *pss)
849 {
850 char *dname = talloc_asprintf(NULL, "%s/smb_krb5", lp_lockdir());
851 char *tmpname = NULL;
852 char *fname = NULL;
853 char *file_contents = NULL;
854 char *kdc_ip_string = NULL;
855 size_t flen = 0;
856 ssize_t ret;
857 int fd;
858 char *realm_upper = NULL;
859
860 if (!dname) {
861 return False;
862 }
863 if ((mkdir(dname, 0755)==-1) && (errno != EEXIST)) {
864 DEBUG(0,("create_local_private_krb5_conf_for_domain: "
865 "failed to create directory %s. Error was %s\n",
866 dname, strerror(errno) ));
867 TALLOC_FREE(dname);
868 return False;
869 }
870
871 tmpname = talloc_asprintf(dname, "%s/smb_tmp_krb5.XXXXXX", lp_lockdir());
872 if (!tmpname) {
873 TALLOC_FREE(dname);
874 return False;
875 }
876
877 fname = talloc_asprintf(dname, "%s/krb5.conf.%s", dname, domain);
878 if (!fname) {
879 TALLOC_FREE(dname);
880 return False;
881 }
882
883 DEBUG(10,("create_local_private_krb5_conf_for_domain: fname = %s, realm = %s, domain = %s\n",
884 fname, realm, domain ));
885
886 realm_upper = talloc_strdup(fname, realm);
887 strupper_m(realm_upper);
888
889 kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss);
890 if (!kdc_ip_string) {
891 TALLOC_FREE(dname);
892 return False;
893 }
894
895 file_contents = talloc_asprintf(fname,
896 "[libdefaults]\n\tdefault_realm = %s\n"
897 "\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
898 "\tdefault_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
899 "\tpreferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
900 "[realms]\n\t%s = {\n"
901 "\t%s\t}\n",
902 realm_upper, realm_upper, kdc_ip_string);
903
904 if (!file_contents) {
905 TALLOC_FREE(dname);
906 return False;
907 }
908
909 flen = strlen(file_contents);
910
911 fd = smb_mkstemp(tmpname);
912 if (fd == -1) {
913 DEBUG(0,("create_local_private_krb5_conf_for_domain: smb_mkstemp failed,"
914 " for file %s. Errno %s\n",
915 tmpname, strerror(errno) ));
916 TALLOC_FREE(dname);
917 return false;
918 }
919
920 if (fchmod(fd, 0644)==-1) {
921 DEBUG(0,("create_local_private_krb5_conf_for_domain: fchmod failed for %s."
922 " Errno %s\n",
923 tmpname, strerror(errno) ));
924 unlink(tmpname);
925 close(fd);
926 TALLOC_FREE(dname);
927 return False;
928 }
929
930 ret = write(fd, file_contents, flen);
931 if (flen != ret) {
932 DEBUG(0,("create_local_private_krb5_conf_for_domain: write failed,"
933 " returned %d (should be %u). Errno %s\n",
934 (int)ret, (unsigned int)flen, strerror(errno) ));
935 unlink(tmpname);
936 close(fd);
937 TALLOC_FREE(dname);
938 return False;
939 }
940 if (close(fd)==-1) {
941 DEBUG(0,("create_local_private_krb5_conf_for_domain: close failed."
942 " Errno %s\n", strerror(errno) ));
943 unlink(tmpname);
944 TALLOC_FREE(dname);
945 return False;
946 }
947
948 if (rename(tmpname, fname) == -1) {
949 DEBUG(0,("create_local_private_krb5_conf_for_domain: rename "
950 "of %s to %s failed. Errno %s\n",
951 tmpname, fname, strerror(errno) ));
952 unlink(tmpname);
953 TALLOC_FREE(dname);
954 return False;
955 }
956
957 DEBUG(5,("create_local_private_krb5_conf_for_domain: wrote "
958 "file %s with realm %s KDC list = %s\n",
959 fname, realm_upper, kdc_ip_string));
960
961 /* Set the environment variable to this file. */
962 setenv("KRB5_CONFIG", fname, 1);
963
964 #if defined(OVERWRITE_SYSTEM_KRB5_CONF)
965
966 #define SYSTEM_KRB5_CONF_PATH "/etc/krb5.conf"
967 /* Insanity, sheer insanity..... */
968
969 if (strequal(realm, lp_realm())) {
970 char linkpath[PATH_MAX+1];
971 int lret;
972
973 lret = readlink(SYSTEM_KRB5_CONF_PATH, linkpath, sizeof(linkpath)-1);
974 if (lret != -1) {
975 linkpath[lret] = '\0';
976 }
977
978 if (lret != -1 || strcmp(linkpath, fname) == 0) {
979 /* Symlink already exists. */
980 TALLOC_FREE(dname);
981 return True;
982 }
983
984 /* Try and replace with a symlink. */
985 if (symlink(fname, SYSTEM_KRB5_CONF_PATH) == -1) {
986 const char *newpath = SYSTEM_KRB5_CONF_PATH ## ".saved";
987 if (errno != EEXIST) {
988 DEBUG(0,("create_local_private_krb5_conf_for_domain: symlink "
989 "of %s to %s failed. Errno %s\n",
990 fname, SYSTEM_KRB5_CONF_PATH, strerror(errno) ));
991 TALLOC_FREE(dname);
992 return True; /* Not a fatal error. */
993 }
994
995 /* Yes, this is a race conditon... too bad. */
996 if (rename(SYSTEM_KRB5_CONF_PATH, newpath) == -1) {
997 DEBUG(0,("create_local_private_krb5_conf_for_domain: rename "
998 "of %s to %s failed. Errno %s\n",
999 SYSTEM_KRB5_CONF_PATH, newpath,
1000 strerror(errno) ));
1001 TALLOC_FREE(dname);
1002 return True; /* Not a fatal error. */
1003 }
1004
1005 if (symlink(fname, SYSTEM_KRB5_CONF_PATH) == -1) {
1006 DEBUG(0,("create_local_private_krb5_conf_for_domain: "
1007 "forced symlink of %s to /etc/krb5.conf failed. Errno %s\n",
1008 fname, strerror(errno) ));
1009 TALLOC_FREE(dname);
1010 return True; /* Not a fatal error. */
1011 }
1012 }
1013 }
1014 #endif
1015
1016 TALLOC_FREE(dname);
1017
1018 return True;
1019 }
1020 #endif
Samba GIT mirror