search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
mount.cifs: check access of credential files before opening
[Samba.git] / source / libads / smb_krb5_locator.c
blobbe14a12697463b6222d7e9c8c4b3d680cd6607ec
1 /*
2 Unix SMB/CIFS implementation.
3 kerberos locator plugin
4 Copyright (C) Guenther Deschner 2007
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
19 */
20
21 #include "includes.h"
22
23 #if defined(HAVE_KRB5) && defined(HAVE_KRB5_LOCATE_PLUGIN_H)
24
25 #include <krb5/locate_plugin.h>
26
27 static const char *get_service_from_locate_service_type(enum locate_service_type svc)
28 {
29 switch (svc) {
30 case locate_service_kdc:
31 case locate_service_master_kdc:
32 return "88";
33 case locate_service_kadmin:
34 case locate_service_krb524:
35 /* not supported */
36 return NULL;
37 case locate_service_kpasswd:
38 return "464";
39 default:
40 break;
41 }
42 return NULL;
43
44 }
45
46 static const char *locate_service_type_name(enum locate_service_type svc)
47 {
48 switch (svc) {
49 case locate_service_kdc:
50 return "locate_service_kdc";
51 case locate_service_master_kdc:
52 return "locate_service_master_kdc";
53 case locate_service_kadmin:
54 return "locate_service_kadmin";
55 case locate_service_krb524:
56 return "locate_service_krb524";
57 case locate_service_kpasswd:
58 return "locate_service_kpasswd";
59 default:
60 break;
61 }
62 return NULL;
63 }
64
65 static const char *socktype_name(int socktype)
66 {
67 switch (socktype) {
68 case SOCK_STREAM:
69 return "SOCK_STREAM";
70 case SOCK_DGRAM:
71 return "SOCK_DGRAM";
72 default:
73 break;
74 }
75 return "unknown";
76 }
77
78 static const char *family_name(int family)
79 {
80 switch (family) {
81 case AF_UNSPEC:
82 return "AF_UNSPEC";
83 case AF_INET:
84 return "AF_INET";
85 case AF_INET6:
86 return "AF_INET6";
87 default:
88 break;
89 }
90 return "unknown";
91 }
92
93 /**
94 * Check input parameters, return KRB5_PLUGIN_NO_HANDLE for unsupported ones
95 *
96 * @param svc
97 * @param realm string
98 * @param socktype integer
99 * @param family integer
100 *
101 * @return integer.
102 */
103
104 static int smb_krb5_locator_lookup_sanity_check(enum locate_service_type svc,
105 const char *realm,
106 int socktype,
107 int family)
108 {
109 if (!realm || strlen(realm) == 0) {
110 return EINVAL;
111 }
112
113 switch (svc) {
114 case locate_service_kdc:
115 case locate_service_master_kdc:
116 case locate_service_kpasswd:
117 break;
118 case locate_service_kadmin:
119 case locate_service_krb524:
120 #ifdef KRB5_PLUGIN_NO_HANDLE
121 return KRB5_PLUGIN_NO_HANDLE;
122 #else
123 return KRB5_KDC_UNREACH; /* Heimdal */
124 #endif
125 default:
126 return EINVAL;
127 }
128
129 switch (family) {
130 case AF_UNSPEC:
131 case AF_INET:
132 break;
133 case AF_INET6: /* not yet */
134 #ifdef KRB5_PLUGIN_NO_HANDLE
135 return KRB5_PLUGIN_NO_HANDLE;
136 #else
137 return KRB5_KDC_UNREACH; /* Heimdal */
138 #endif
139 default:
140 return EINVAL;
141 }
142
143 switch (socktype) {
144 case SOCK_STREAM:
145 case SOCK_DGRAM:
146 case 0: /* Heimdal uses that */
147 break;
148 default:
149 return EINVAL;
150 }
151
152 return 0;
153 }
154
155 /**
156 * Try to get addrinfo for a given host and call the krb5 callback
157 *
158 * @param name string
159 * @param service string
160 * @param in struct addrinfo hint
161 * @param cbfunc krb5 callback function
162 * @param cbdata void pointer cbdata
163 *
164 * @return krb5_error_code.
165 */
166
167 static krb5_error_code smb_krb5_locator_call_cbfunc(const char *name,
168 const char *service,
169 struct addrinfo *in,
170 int (*cbfunc)(void *, int, struct sockaddr *),
171 void *cbdata)
172 {
173 struct addrinfo *out;
174 int ret;
175 int count = 3;
176
177 while (count) {
178
179 ret = getaddrinfo(name, service, in, &out);
180 if (ret == 0) {
181 break;
182 }
183
184 if (ret == EAI_AGAIN) {
185 count--;
186 continue;
187 }
188
189 DEBUG(10,("smb_krb5_locator_lookup: got ret: %s (%d)\n",
190 gai_strerror(ret), ret));
191 #ifdef KRB5_PLUGIN_NO_HANDLE
192 return KRB5_PLUGIN_NO_HANDLE;
193 #else
194 return KRB5_KDC_UNREACH; /* Heimdal */
195 #endif
196 }
197
198 ret = cbfunc(cbdata, out->ai_socktype, out->ai_addr);
199 if (ret) {
200 DEBUG(10,("smb_krb5_locator_lookup: failed to call callback: %s (%d)\n",
201 error_message(ret), ret));
202 }
203
204 freeaddrinfo(out);
205
206 return ret;
207 }
208
209 /**
210 * PUBLIC INTERFACE: locate init
211 *
212 * @param context krb5_context
213 * @param privata_data pointer to private data pointer
214 *
215 * @return krb5_error_code.
216 */
217
218 krb5_error_code smb_krb5_locator_init(krb5_context context,
219 void **private_data)
220 {
221 setup_logging("smb_krb5_locator", True);
222 load_case_tables();
223 lp_load(dyn_CONFIGFILE,True,False,False,True);
224
225 DEBUG(10,("smb_krb5_locator_init: called\n"));
226
227 return 0;
228 }
229
230 /**
231 * PUBLIC INTERFACE: close locate
232 *
233 * @param private_data pointer to private data
234 *
235 * @return void.
236 */
237
238 void smb_krb5_locator_close(void *private_data)
239 {
240 DEBUG(10,("smb_krb5_locator_close: called\n"));
241
242 /* gfree_all(); */
243 }
244
245 /**
246 * PUBLIC INTERFACE: locate lookup
247 *
248 * @param private_data pointer to private data
249 * @param svc enum locate_service_type.
250 * @param realm string
251 * @param socktype integer
252 * @param family integer
253 * @param cbfunc callback function to send back entries
254 * @param cbdata void pointer to cbdata
255 *
256 * @return krb5_error_code.
257 */
258
259 krb5_error_code smb_krb5_locator_lookup(void *private_data,
260 enum locate_service_type svc,
261 const char *realm,
262 int socktype,
263 int family,
264 int (*cbfunc)(void *, int, struct sockaddr *),
265 void *cbdata)
266 {
267 NTSTATUS status;
268 krb5_error_code ret;
269 char *sitename = NULL;
270 struct ip_service *ip_list;
271 int count = 0;
272 struct addrinfo aihints;
273 char *saf_name = NULL;
274 int i;
275
276 DEBUG(10,("smb_krb5_locator_lookup: called for\n"));
277 DEBUGADD(10,("\tsvc: %s (%d), realm: %s\n",
278 locate_service_type_name(svc), svc, realm));
279 DEBUGADD(10,("\tsocktype: %s (%d), family: %s (%d)\n",
280 socktype_name(socktype), socktype,
281 family_name(family), family));
282
283 ret = smb_krb5_locator_lookup_sanity_check(svc, realm, socktype, family);
284 if (ret) {
285 DEBUG(10,("smb_krb5_locator_lookup: returning ret: %s (%d)\n",
286 error_message(ret), ret));
287 return ret;
288 }
289
290 /* first try to fetch from SAF cache */
291
292 saf_name = saf_fetch(realm);
293 if (!saf_name || strlen(saf_name) == 0) {
294 DEBUG(10,("smb_krb5_locator_lookup: no SAF name stored for %s\n",
295 realm));
296 goto find_kdc;
297 }
298
299 DEBUG(10,("smb_krb5_locator_lookup: got %s for %s from SAF cache\n",
300 saf_name, realm));
301
302 ZERO_STRUCT(aihints);
303
304 aihints.ai_family = family;
305 aihints.ai_socktype = socktype;
306
307 ret = smb_krb5_locator_call_cbfunc(saf_name,
308 get_service_from_locate_service_type(svc),
309 &aihints,
310 cbfunc, cbdata);
311 if (ret) {
312 return ret;
313 }
314
315 return 0;
316
317 find_kdc:
318
319 /* now try to find via site-aware DNS SRV query */
320
321 sitename = sitename_fetch(realm);
322 status = get_kdc_list(realm, sitename, &ip_list, &count);
323
324 /* if we didn't found any KDCs on our site go to the main list */
325
326 if (NT_STATUS_IS_OK(status) && sitename && (count == 0)) {
327 SAFE_FREE(ip_list);
328 SAFE_FREE(sitename);
329 status = get_kdc_list(realm, NULL, &ip_list, &count);
330 }
331
332 SAFE_FREE(sitename);
333
334 if (!NT_STATUS_IS_OK(status)) {
335 DEBUG(10,("smb_krb5_locator_lookup: got %s (%s)\n",
336 nt_errstr(status),
337 error_message(nt_status_to_krb5(status))));
338 #ifdef KRB5_PLUGIN_NO_HANDLE
339 return KRB5_PLUGIN_NO_HANDLE;
340 #else
341 return KRB5_KDC_UNREACH; /* Heimdal */
342 #endif
343 }
344
345 for (i=0; i<count; i++) {
346
347 const char *host = NULL;
348 const char *port = NULL;
349
350 ZERO_STRUCT(aihints);
351
352 aihints.ai_family = family;
353 aihints.ai_socktype = socktype;
354
355 host = inet_ntoa(ip_list[i].ip);
356 port = get_service_from_locate_service_type(svc);
357
358 ret = smb_krb5_locator_call_cbfunc(host,
359 port,
360 &aihints,
361 cbfunc, cbdata);
362 if (ret) {
363 /* got error */
364 break;
365 }
366 }
367
368 SAFE_FREE(ip_list);
369
370 return ret;
371 }
372
373 #ifdef HEIMDAL_KRB5_LOCATE_PLUGIN_H
374 #define SMB_KRB5_LOCATOR_SYMBOL_NAME resolve /* Heimdal */
375 #else
376 #define SMB_KRB5_LOCATOR_SYMBOL_NAME service_locator /* MIT */
377 #endif
378
379 const krb5plugin_service_locate_ftable SMB_KRB5_LOCATOR_SYMBOL_NAME = {
380 0, /* version */
381 smb_krb5_locator_init,
382 smb_krb5_locator_close,
383 smb_krb5_locator_lookup,
384 };
385
386 #endif
Samba GIT mirror