search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r13121: Tag 4.0.0TP1
[Samba.git] / source / auth / credentials / credentials_files.c
blob219869cf3ae14cecdc18229b3bf83766a1585c64
1 /*
2 Unix SMB/CIFS implementation.
3
4 User credentials handling (as regards on-disk files)
5
6 Copyright (C) Jelmer Vernooij 2005
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 2 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program; if not, write to the Free Software
22 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 #include "includes.h"
26 #include "lib/ldb/include/ldb.h"
27 #include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */
28 #include "passdb/secrets.h"
29 #include "system/filesys.h"
30
31 /**
32 * Read a file descriptor, and parse it for a password (eg from a file or stdin)
33 *
34 * @param credentials Credentials structure on which to set the password
35 * @param fd open file descriptor to read the password from
36 * @param obtained This enum describes how 'specified' this password is
37 */
38
39 BOOL cli_credentials_parse_password_fd(struct cli_credentials *credentials,
40 int fd, enum credentials_obtained obtained)
41 {
42 char *p;
43 char pass[128];
44
45 for(p = pass, *p = '\0'; /* ensure that pass is null-terminated */
46 p && p - pass < sizeof(pass);) {
47 switch (read(fd, p, 1)) {
48 case 1:
49 if (*p != '\n' && *p != '\0') {
50 *++p = '\0'; /* advance p, and null-terminate pass */
51 break;
52 }
53 case 0:
54 if (p - pass) {
55 *p = '\0'; /* null-terminate it, just in case... */
56 p = NULL; /* then force the loop condition to become false */
57 break;
58 } else {
59 fprintf(stderr, "Error reading password from file descriptor %d: %s\n", fd, "empty password\n");
60 return False;
61 }
62
63 default:
64 fprintf(stderr, "Error reading password from file descriptor %d: %s\n",
65 fd, strerror(errno));
66 return False;
67 }
68 }
69
70 cli_credentials_set_password(credentials, pass, obtained);
71 return True;
72 }
73
74 /**
75 * Read a named file, and parse it for a password
76 *
77 * @param credentials Credentials structure on which to set the password
78 * @param file a named file to read the password from
79 * @param obtained This enum describes how 'specified' this password is
80 */
81
82 BOOL cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained)
83 {
84 int fd = open(file, O_RDONLY, 0);
85 BOOL ret;
86
87 if (fd < 0) {
88 fprintf(stderr, "Error opening PASSWD_FILE %s: %s\n",
89 file, strerror(errno));
90 return False;
91 }
92
93 ret = cli_credentials_parse_password_fd(credentials, fd, obtained);
94
95 close(fd);
96
97 return ret;
98 }
99
100 /**
101 * Read a named file, and parse it for username, domain, realm and password
102 *
103 * @param credentials Credentials structure on which to set the password
104 * @param file a named file to read the details from
105 * @param obtained This enum describes how 'specified' this password is
106 */
107
108 BOOL cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained)
109 {
110 uint16_t len = 0;
111 char *ptr, *val, *param;
112 char **lines;
113 int i, numlines;
114
115 lines = file_lines_load(file, &numlines, NULL);
116
117 if (lines == NULL)
118 {
119 /* fail if we can't open the credentials file */
120 d_printf("ERROR: Unable to open credentials file!\n");
121 return False;
122 }
123
124 for (i = 0; i < numlines; i++) {
125 len = strlen(lines[i]);
126
127 if (len == 0)
128 continue;
129
130 /* break up the line into parameter & value.
131 * will need to eat a little whitespace possibly */
132 param = lines[i];
133 if (!(ptr = strchr_m (lines[i], '=')))
134 continue;
135
136 val = ptr+1;
137 *ptr = '\0';
138
139 /* eat leading white space */
140 while ((*val!='\0') && ((*val==' ') || (*val=='\t')))
141 val++;
142
143 if (strwicmp("password", param) == 0) {
144 cli_credentials_set_password(cred, val, obtained);
145 } else if (strwicmp("username", param) == 0) {
146 cli_credentials_set_username(cred, val, obtained);
147 } else if (strwicmp("domain", param) == 0) {
148 cli_credentials_set_domain(cred, val, obtained);
149 } else if (strwicmp("realm", param) == 0) {
150 cli_credentials_set_realm(cred, val, obtained);
151 }
152 memset(lines[i], 0, len);
153 }
154
155 talloc_free(lines);
156
157 return True;
158 }
159
160
161 /**
162 * Fill in credentials for the machine trust account, from the secrets database.
163 *
164 * @param cred Credentials structure to fill in
165 * @retval NTSTATUS error detailing any failure
166 */
167 NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
168 const char *base,
169 const char *filter)
170 {
171 TALLOC_CTX *mem_ctx;
172
173 struct ldb_context *ldb;
174 int ldb_ret;
175 struct ldb_message **msgs;
176 const char *attrs[] = {
177 "secret",
178 "priorSecret",
179 "samAccountName",
180 "flatname",
181 "realm",
182 "secureChannelType",
183 "ntPwdHash",
184 "msDS-KeyVersionNumber",
185 "saltPrincipal",
186 "privateKeytab",
187 "krb5Keytab",
188 NULL
189 };
190
191 const char *machine_account;
192 const char *password;
193 const char *old_password;
194 const char *domain;
195 const char *realm;
196 enum netr_SchannelType sct;
197 const char *salt_principal;
198 const char *keytab;
199
200 /* ok, we are going to get it now, don't recurse back here */
201 cred->machine_account_pending = False;
202
203 /* some other parts of the system will key off this */
204 cred->machine_account = True;
205
206 mem_ctx = talloc_named(cred, 0, "cli_credentials fetch machine password");
207
208 /* Local secrets are stored in secrets.ldb */
209 ldb = secrets_db_connect(mem_ctx);
210 if (!ldb) {
211 /* set anonymous as the fallback, if the machine account won't work */
212 cli_credentials_set_anonymous(cred);
213 DEBUG(1, ("Could not open secrets.ldb\n"));
214 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
215 }
216
217 /* search for the secret record */
218 ldb_ret = gendb_search(ldb,
219 mem_ctx, ldb_dn_explode(mem_ctx, base),
220 &msgs, attrs,
221 "%s", filter);
222 if (ldb_ret == 0) {
223 DEBUG(1, ("Could not find entry to match filter: %s\n",
224 filter));
225 /* set anonymous as the fallback, if the machine account won't work */
226 cli_credentials_set_anonymous(cred);
227 talloc_free(mem_ctx);
228 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
229 } else if (ldb_ret != 1) {
230 DEBUG(1, ("Found more than one (%d) entry to match filter: %s\n",
231 ldb_ret, filter));
232 /* set anonymous as the fallback, if the machine account won't work */
233 cli_credentials_set_anonymous(cred);
234 talloc_free(mem_ctx);
235 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
236 }
237
238 password = ldb_msg_find_string(msgs[0], "secret", NULL);
239 old_password = ldb_msg_find_string(msgs[0], "priorSecret", NULL);
240
241 machine_account = ldb_msg_find_string(msgs[0], "samAccountName", NULL);
242
243 if (!machine_account) {
244 DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s\n",
245 cli_credentials_get_domain(cred)));
246 /* set anonymous as the fallback, if the machine account won't work */
247 cli_credentials_set_anonymous(cred);
248 talloc_free(mem_ctx);
249 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
250 }
251
252 salt_principal = ldb_msg_find_string(msgs[0], "saltPrincipal", NULL);
253 cli_credentials_set_salt_principal(cred, salt_principal);
254
255 sct = ldb_msg_find_int(msgs[0], "secureChannelType", 0);
256 if (sct) {
257 cli_credentials_set_secure_channel_type(cred, sct);
258 }
259
260 if (!password) {
261 const struct ldb_val *nt_password_hash = ldb_msg_find_ldb_val(msgs[0], "ntPwdHash");
262 struct samr_Password hash;
263 ZERO_STRUCT(hash);
264 if (nt_password_hash) {
265 memcpy(hash.hash, nt_password_hash->data,
266 MIN(nt_password_hash->length, sizeof(hash.hash)));
267
268 cli_credentials_set_nt_hash(cred, &hash, CRED_SPECIFIED);
269 } else {
270
271 DEBUG(1, ("Could not find 'secret' in join record to domain: %s\n",
272 cli_credentials_get_domain(cred)));
273
274 /* set anonymous as the fallback, if the machine account won't work */
275 cli_credentials_set_anonymous(cred);
276
277 talloc_free(mem_ctx);
278 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
279 }
280 }
281
282 domain = ldb_msg_find_string(msgs[0], "flatname", NULL);
283 if (domain) {
284 cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
285 }
286
287 realm = ldb_msg_find_string(msgs[0], "realm", NULL);
288 if (realm) {
289 cli_credentials_set_realm(cred, realm, CRED_SPECIFIED);
290 }
291
292 cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
293 if (password) {
294 cli_credentials_set_password(cred, password, CRED_SPECIFIED);
295 }
296
297 cli_credentials_set_kvno(cred, ldb_msg_find_int(msgs[0], "msDS-KeyVersionNumber", 0));
298
299 /* If there was an external keytab specified by reference in
300 * the LDB, then use this. Otherwise we will make one up
301 * (chewing CPU time) from the password */
302 keytab = ldb_msg_find_string(msgs[0], "krb5Keytab", NULL);
303 if (keytab) {
304 cli_credentials_set_keytab_name(cred, keytab, CRED_SPECIFIED);
305 } else {
306 keytab = ldb_msg_find_string(msgs[0], "privateKeytab", NULL);
307 if (keytab) {
308 keytab = talloc_asprintf(mem_ctx, "FILE:%s", private_path(mem_ctx, keytab));
309 if (keytab) {
310 cli_credentials_set_keytab_name(cred, keytab, CRED_SPECIFIED);
311 }
312 }
313 }
314 talloc_free(mem_ctx);
315
316 return NT_STATUS_OK;
317 }
318
319 /**
320 * Fill in credentials for the machine trust account, from the secrets database.
321 *
322 * @param cred Credentials structure to fill in
323 * @retval NTSTATUS error detailing any failure
324 */
325 NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred)
326 {
327 char *filter;
328 /* Bleh, nasty recursion issues: We are setting a machine
329 * account here, so we don't want the 'pending' flag around
330 * any more */
331 cred->machine_account_pending = False;
332 filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
333 cli_credentials_get_domain(cred));
334 return cli_credentials_set_secrets(cred, SECRETS_PRIMARY_DOMAIN_DN,
335 filter);
336 }
337
338 /**
339 * Fill in credentials for the machine trust account, from the secrets database.
340 *
341 * @param cred Credentials structure to fill in
342 * @retval NTSTATUS error detailing any failure
343 */
344 NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred)
345 {
346 char *filter;
347 /* Bleh, nasty recursion issues: We are setting a machine
348 * account here, so we don't want the 'pending' flag around
349 * any more */
350 cred->machine_account_pending = False;
351 filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH,
352 cli_credentials_get_realm(cred),
353 cli_credentials_get_domain(cred));
354 return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN,
355 filter);
356 }
357
358 /**
359 * Fill in credentials for the machine trust account, from the secrets database.
360 *
361 * @param cred Credentials structure to fill in
362 * @retval NTSTATUS error detailing any failure
363 */
364 NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
365 const char *serviceprincipal)
366 {
367 char *filter;
368 /* Bleh, nasty recursion issues: We are setting a machine
369 * account here, so we don't want the 'pending' flag around
370 * any more */
371 cred->machine_account_pending = False;
372 filter = talloc_asprintf(cred, SECRETS_PRINCIPAL_SEARCH,
373 cli_credentials_get_realm(cred),
374 cli_credentials_get_domain(cred),
375 serviceprincipal);
376 return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN,
377 filter);
378 }
379
380 /**
381 * Ask that when required, the credentials system will be filled with
382 * machine trust account, from the secrets database.
383 *
384 * @param cred Credentials structure to fill in
385 * @note This function is used to call the above function after, rather
386 * than during, popt processing.
387 *
388 */
389 void cli_credentials_set_machine_account_pending(struct cli_credentials *cred)
390 {
391 cred->machine_account_pending = True;
392 }
393
394
395 NTSTATUS cli_credentials_update_all_keytabs(TALLOC_CTX *parent_ctx)
396 {
397 TALLOC_CTX *mem_ctx;
398 int ldb_ret;
399 struct ldb_context *ldb;
400 struct ldb_message **msgs;
401 const char *attrs[] = { NULL };
402 struct cli_credentials *creds;
403 const char *filter;
404 NTSTATUS status;
405 int i, ret;
406
407 mem_ctx = talloc_new(parent_ctx);
408 if (!mem_ctx) {
409 return NT_STATUS_NO_MEMORY;
410 }
411
412 /* Local secrets are stored in secrets.ldb */
413 ldb = secrets_db_connect(mem_ctx);
414 if (!ldb) {
415 DEBUG(1, ("Could not open secrets.ldb\n"));
416 talloc_free(mem_ctx);
417 return NT_STATUS_ACCESS_DENIED;
418 }
419
420 /* search for the secret record */
421 ldb_ret = gendb_search(ldb,
422 mem_ctx, NULL,
423 &msgs, attrs,
424 "objectClass=kerberosSecret");
425 if (ldb_ret == -1) {
426 DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab"));
427 talloc_free(mem_ctx);
428 return NT_STATUS_INTERNAL_DB_CORRUPTION;
429 }
430
431 for (i=0; i < ldb_ret; i++) {
432 /* Make a credentials structure from it */
433 creds = cli_credentials_init(mem_ctx);
434 if (!creds) {
435 DEBUG(1, ("cli_credentials_init failed!"));
436 talloc_free(mem_ctx);
437 return NT_STATUS_NO_MEMORY;
438 }
439 cli_credentials_set_conf(creds);
440 filter = talloc_asprintf(mem_ctx, "dn=%s", ldb_dn_linearize(mem_ctx, msgs[i]->dn));
441 status = cli_credentials_set_secrets(creds, NULL, filter);
442 if (!NT_STATUS_IS_OK(status)) {
443 DEBUG(1, ("Failed to read secrets for keytab update for %s\n",
444 filter));
445 talloc_free(mem_ctx);
446 return status;
447 }
448 ret = cli_credentials_update_keytab(creds);
449 if (ret != 0) {
450 DEBUG(1, ("Failed to update keytab for %s\n",
451 filter));
452 talloc_free(mem_ctx);
453 return NT_STATUS_UNSUCCESSFUL;
454 }
455 }
456 return NT_STATUS_OK;
457 }
458
Samba GIT mirror