search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:utils: Use talloc instead of malloc functions
[Samba.git] / source4 / kdc / mit_samba.c
blob2593cbfcd4b11e09dedd0b18c5fc25045f8ff54d
1 /*
2 MIT-Samba4 library
3
4 Copyright (c) 2010, Simo Sorce <idra@samba.org>
5 Copyright (c) 2014-2015 Guenther Deschner <gd@samba.org>
6 Copyright (c) 2014-2016 Andreas Schneider <asn@samba.org>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #define TEVENT_DEPRECATED 1
23
24 #include "includes.h"
25 #include "param/param.h"
26 #include "dsdb/samdb/samdb.h"
27 #include "system/kerberos.h"
28 #include "lib/replace/system/filesys.h"
29 #include <com_err.h>
30 #include <kdb.h>
31 #include <kadm5/kadm_err.h>
32 #include "kdc/sdb.h"
33 #include "kdc/sdb_kdb.h"
34 #include "auth/kerberos/kerberos.h"
35 #include "auth/kerberos/pac_utils.h"
36 #include "kdc/samba_kdc.h"
37 #include "kdc/pac-glue.h"
38 #include "kdc/db-glue.h"
39 #include "auth/auth.h"
40 #include "kdc/kpasswd_glue.h"
41 #include "auth/auth_sam.h"
42
43 #include "mit_samba.h"
44
45 #undef DBGC_CLASS
46 #define DBGC_CLASS DBGC_KERBEROS
47
48 void mit_samba_context_free(struct mit_samba_context *ctx)
49 {
50 /* free MIT's krb5_context */
51 if (ctx->context) {
52 krb5_free_context(ctx->context);
53 }
54
55 /* then free everything else */
56 talloc_free(ctx);
57 }
58
59 /*
60 * Implement a callback to log to the MIT KDC log facility
61 *
62 * http://web.mit.edu/kerberos/krb5-devel/doc/plugindev/general.html#logging-from-kdc-and-kadmind-plugin-modules
63 */
64 static void mit_samba_debug(void *private_ptr, int msg_level, const char *msg)
65 {
66 int is_error = errno;
67
68 if (msg_level > 0) {
69 is_error = 0;
70 }
71
72 com_err("mitkdc", is_error, "%s", msg);
73 }
74
75 krb5_error_code mit_samba_context_init(struct mit_samba_context **_ctx)
76 {
77 NTSTATUS status;
78 struct mit_samba_context *ctx;
79 const char *s4_conf_file;
80 krb5_error_code ret;
81 struct samba_kdc_base_context base_ctx = {};
82
83 ctx = talloc_zero(NULL, struct mit_samba_context);
84 if (!ctx) {
85 ret = ENOMEM;
86 goto done;
87 }
88
89 base_ctx.ev_ctx = tevent_context_init(ctx);
90 if (!base_ctx.ev_ctx) {
91 ret = ENOMEM;
92 goto done;
93 }
94 tevent_loop_allow_nesting(base_ctx.ev_ctx);
95 base_ctx.lp_ctx = loadparm_init_global(false);
96 if (!base_ctx.lp_ctx) {
97 ret = ENOMEM;
98 goto done;
99 }
100
101 debug_set_callback(NULL, mit_samba_debug);
102
103 /* init s4 configuration */
104 s4_conf_file = lpcfg_configfile(base_ctx.lp_ctx);
105 if (s4_conf_file != NULL) {
106 char *p = talloc_strdup(ctx, s4_conf_file);
107 if (p == NULL) {
108 ret = ENOMEM;
109 goto done;
110 }
111 lpcfg_load(base_ctx.lp_ctx, p);
112 TALLOC_FREE(p);
113 } else {
114 lpcfg_load_default(base_ctx.lp_ctx);
115 }
116
117 status = samba_kdc_setup_db_ctx(ctx, &base_ctx, &ctx->db_ctx);
118 if (!NT_STATUS_IS_OK(status)) {
119 ret = EINVAL;
120 goto done;
121 }
122
123 /* init MIT's krb_context and log facilities */
124 ret = smb_krb5_init_context_basic(ctx,
125 ctx->db_ctx->lp_ctx,
126 &ctx->context);
127 if (ret) {
128 goto done;
129 }
130
131 ret = 0;
132
133 done:
134 if (ret) {
135 mit_samba_context_free(ctx);
136 } else {
137 *_ctx = ctx;
138 }
139 return ret;
140 }
141
142 int mit_samba_generate_salt(krb5_data *salt)
143 {
144 if (salt == NULL) {
145 return EINVAL;
146 }
147
148 salt->length = 16;
149 salt->data = malloc(salt->length);
150 if (salt->data == NULL) {
151 return ENOMEM;
152 }
153
154 generate_random_buffer((uint8_t *)salt->data, salt->length);
155
156 return 0;
157 }
158
159 int mit_samba_generate_random_password(krb5_data *pwd)
160 {
161 TALLOC_CTX *tmp_ctx;
162 char *password;
163 char *data = NULL;
164 const unsigned length = 24;
165
166 if (pwd == NULL) {
167 return EINVAL;
168 }
169
170 tmp_ctx = talloc_named(NULL,
171 0,
172 "mit_samba_generate_random_password context");
173 if (tmp_ctx == NULL) {
174 return ENOMEM;
175 }
176
177 password = generate_random_password(tmp_ctx, length, length);
178 if (password == NULL) {
179 talloc_free(tmp_ctx);
180 return ENOMEM;
181 }
182
183 data = strdup(password);
184 talloc_free(tmp_ctx);
185 if (data == NULL) {
186 return ENOMEM;
187 }
188
189 *pwd = smb_krb5_make_data(data, length);
190
191 return 0;
192 }
193
194 krb5_error_code mit_samba_get_principal(struct mit_samba_context *ctx,
195 krb5_const_principal principal,
196 unsigned int kflags,
197 krb5_db_entry **_kentry)
198 {
199 struct sdb_entry sentry = {};
200 krb5_db_entry *kentry;
201 krb5_error_code ret;
202 uint32_t sflags = 0;
203 krb5_principal referral_principal = NULL;
204
205 kentry = calloc(1, sizeof(krb5_db_entry));
206 if (kentry == NULL) {
207 return ENOMEM;
208 }
209
210 /*
211 * The MIT KDC code that wants the canonical name in all lookups, and
212 * takes care to canonicalize only when appropriate.
213 */
214 sflags |= SDB_F_FORCE_CANON;
215
216 if (kflags & KRB5_KDB_FLAG_REFERRAL_OK) {
217 sflags |= SDB_F_CANON;
218 }
219
220 if (kflags & KRB5_KDB_FLAG_CLIENT) {
221 sflags |= SDB_F_GET_CLIENT;
222 sflags |= SDB_F_FOR_AS_REQ;
223 } else {
224 int equal = smb_krb5_principal_is_tgs(ctx->context, principal);
225 if (equal == -1) {
226 return ENOMEM;
227 }
228
229 if (equal) {
230 sflags |= SDB_F_GET_KRBTGT;
231 } else {
232 sflags |= SDB_F_GET_SERVER;
233 sflags |= SDB_F_FOR_TGS_REQ;
234 }
235 }
236
237 /* always set this or the created_by data will not be populated by samba's
238 * backend and we will fail to parse the entry later */
239 sflags |= SDB_F_ADMIN_DATA;
240
241
242 fetch_referral_principal:
243 ret = samba_kdc_fetch(ctx->context, ctx->db_ctx,
244 principal, sflags, 0, &sentry);
245 switch (ret) {
246 case 0:
247 break;
248 case SDB_ERR_NOENTRY:
249 ret = KRB5_KDB_NOENTRY;
250 goto done;
251 case SDB_ERR_WRONG_REALM: {
252 char *dest_realm = NULL;
253 const char *our_realm = lpcfg_realm(ctx->db_ctx->lp_ctx);
254
255 if (sflags & SDB_F_FOR_AS_REQ) {
256 /*
257 * If this is a request for a TGT, we are done. The KDC
258 * will return the correct error to the client.
259 */
260 ret = 0;
261 break;
262 }
263
264 if (referral_principal != NULL) {
265 sdb_entry_free(&sentry);
266 ret = KRB5_KDB_NOENTRY;
267 goto done;
268 }
269
270 /*
271 * We get a TGS request
272 *
273 * cifs/dc7.SAMBA2008R2.EXAMPLE.COM@ADDOM.SAMBA.EXAMPLE.COM
274 *
275 * to our DC for the realm
276 *
277 * ADDOM.SAMBA.EXAMPLE.COM
278 *
279 * We look up if we have an entry in the database and get an
280 * entry with the principal:
281 *
282 * cifs/dc7.SAMBA2008R2.EXAMPLE.COM@SAMBA2008R2.EXAMPLE.COM
283 *
284 * and the error: SDB_ERR_WRONG_REALM.
285 *
286 * In the case of a TGS-REQ we need to return a referral ticket
287 * for the next trust hop to the client. This ticket will have
288 * the following principal:
289 *
290 * krbtgt/SAMBA2008R2.EXAMPLE.COM@ADDOM.SAMBA.EXAMPLE.COM
291 *
292 * We just redo the lookup in the database with the referral
293 * principal and return success.
294 */
295 dest_realm = smb_krb5_principal_get_realm(
296 ctx, ctx->context, sentry.principal);
297 sdb_entry_free(&sentry);
298 if (dest_realm == NULL) {
299 ret = KRB5_KDB_NOENTRY;
300 goto done;
301 }
302
303 ret = smb_krb5_make_principal(ctx->context,
304 &referral_principal,
305 our_realm,
306 KRB5_TGS_NAME,
307 dest_realm,
308 NULL);
309 TALLOC_FREE(dest_realm);
310 if (ret != 0) {
311 goto done;
312 }
313
314 principal = referral_principal;
315 goto fetch_referral_principal;
316 }
317 case SDB_ERR_NOT_FOUND_HERE:
318 /* FIXME: RODC support */
319 default:
320 goto done;
321 }
322
323 ret = sdb_entry_to_krb5_db_entry(ctx->context, &sentry, kentry);
324
325 sdb_entry_free(&sentry);
326
327 done:
328 krb5_free_principal(ctx->context, referral_principal);
329 referral_principal = NULL;
330
331 if (ret) {
332 free(kentry);
333 } else {
334 *_kentry = kentry;
335 }
336 return ret;
337 }
338
339 krb5_error_code mit_samba_get_firstkey(struct mit_samba_context *ctx,
340 krb5_db_entry **_kentry)
341 {
342 struct sdb_entry sentry = {};
343 krb5_db_entry *kentry;
344 krb5_error_code ret;
345
346 kentry = malloc(sizeof(krb5_db_entry));
347 if (kentry == NULL) {
348 return ENOMEM;
349 }
350
351 ret = samba_kdc_firstkey(ctx->context, ctx->db_ctx, SDB_F_ADMIN_DATA, &sentry);
352 switch (ret) {
353 case 0:
354 break;
355 case SDB_ERR_NOENTRY:
356 free(kentry);
357 return KRB5_KDB_NOENTRY;
358 case SDB_ERR_NOT_FOUND_HERE:
359 /* FIXME: RODC support */
360 default:
361 free(kentry);
362 return ret;
363 }
364
365 ret = sdb_entry_to_krb5_db_entry(ctx->context, &sentry, kentry);
366
367 sdb_entry_free(&sentry);
368
369 if (ret) {
370 free(kentry);
371 } else {
372 *_kentry = kentry;
373 }
374 return ret;
375 }
376
377 krb5_error_code mit_samba_get_nextkey(struct mit_samba_context *ctx,
378 krb5_db_entry **_kentry)
379 {
380 struct sdb_entry sentry = {};
381 krb5_db_entry *kentry;
382 krb5_error_code ret;
383
384 kentry = malloc(sizeof(krb5_db_entry));
385 if (kentry == NULL) {
386 return ENOMEM;
387 }
388
389 ret = samba_kdc_nextkey(ctx->context, ctx->db_ctx, SDB_F_ADMIN_DATA, &sentry);
390 switch (ret) {
391 case 0:
392 break;
393 case SDB_ERR_NOENTRY:
394 free(kentry);
395 return KRB5_KDB_NOENTRY;
396 case SDB_ERR_NOT_FOUND_HERE:
397 /* FIXME: RODC support */
398 default:
399 free(kentry);
400 return ret;
401 }
402
403 ret = sdb_entry_to_krb5_db_entry(ctx->context, &sentry, kentry);
404
405 sdb_entry_free(&sentry);
406
407 if (ret) {
408 free(kentry);
409 } else {
410 *_kentry = kentry;
411 }
412 return ret;
413 }
414
415 krb5_error_code mit_samba_get_pac(struct mit_samba_context *smb_ctx,
416 krb5_context context,
417 uint32_t flags,
418 krb5_db_entry *client,
419 krb5_db_entry *server,
420 krb5_keyblock *replaced_reply_key,
421 krb5_pac *pac)
422 {
423 TALLOC_CTX *tmp_ctx;
424 const struct auth_user_info_dc *user_info_dc = NULL;
425 struct auth_user_info_dc *user_info_dc_shallow_copy = NULL;
426 DATA_BLOB *logon_info_blob = NULL;
427 DATA_BLOB *upn_dns_info_blob = NULL;
428 DATA_BLOB *cred_ndr = NULL;
429 DATA_BLOB **cred_ndr_ptr = NULL;
430 DATA_BLOB cred_blob = data_blob_null;
431 DATA_BLOB *pcred_blob = NULL;
432 DATA_BLOB *pac_attrs_blob = NULL;
433 DATA_BLOB *requester_sid_blob = NULL;
434 const DATA_BLOB *client_claims_blob = NULL;
435 NTSTATUS nt_status;
436 krb5_error_code code;
437 struct samba_kdc_entry *skdc_entry;
438 struct samba_kdc_entry *server_entry = NULL;
439 bool is_krbtgt;
440 /* Only include resource groups in a service ticket. */
441 enum auth_group_inclusion group_inclusion;
442 enum samba_asserted_identity asserted_identity =
443 (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ?
444 SAMBA_ASSERTED_IDENTITY_SERVICE :
445 SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY;
446
447 if (client == NULL) {
448 return EINVAL;
449 }
450 skdc_entry = talloc_get_type_abort(client->e_data,
451 struct samba_kdc_entry);
452
453 if (server == NULL) {
454 return EINVAL;
455 }
456 {
457 int result = smb_krb5_principal_is_tgs(smb_ctx->context, server->princ);
458 if (result == -1) {
459 return ENOMEM;
460 }
461
462 is_krbtgt = result;
463 }
464 server_entry = talloc_get_type_abort(server->e_data,
465 struct samba_kdc_entry);
466
467 /* Only include resource groups in a service ticket. */
468 if (is_krbtgt) {
469 group_inclusion = AUTH_EXCLUDE_RESOURCE_GROUPS;
470 } else if (server_entry->supported_enctypes & KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED) {
471 group_inclusion = AUTH_INCLUDE_RESOURCE_GROUPS;
472 } else {
473 group_inclusion = AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED;
474 }
475
476 tmp_ctx = talloc_named(smb_ctx,
477 0,
478 "mit_samba_get_pac context");
479 if (tmp_ctx == NULL) {
480 return ENOMEM;
481 }
482
483 /* Check if we have a PREAUTH key */
484 if (replaced_reply_key != NULL) {
485 cred_ndr_ptr = &cred_ndr;
486 }
487
488 code = samba_kdc_get_user_info_from_db(tmp_ctx,
489 server_entry->kdc_db_ctx->samdb,
490 skdc_entry,
491 skdc_entry->msg,
492 &user_info_dc);
493 if (code) {
494 talloc_free(tmp_ctx);
495 return code;
496 }
497
498 /* Make a shallow copy of the user_info_dc structure. */
499 nt_status = authsam_shallow_copy_user_info_dc(tmp_ctx,
500 user_info_dc,
501 &user_info_dc_shallow_copy);
502 user_info_dc = NULL;
503
504 if (!NT_STATUS_IS_OK(nt_status)) {
505 DBG_ERR("Failed to allocate shallow copy of user_info_dc: %s\n",
506 nt_errstr(nt_status));
507 talloc_free(tmp_ctx);
508 return map_errno_from_nt_status(nt_status);
509 }
510
511
512 nt_status = samba_kdc_add_asserted_identity(asserted_identity,
513 user_info_dc_shallow_copy);
514 if (!NT_STATUS_IS_OK(nt_status)) {
515 DBG_ERR("Failed to add asserted identity: %s\n",
516 nt_errstr(nt_status));
517 talloc_free(tmp_ctx);
518 return EINVAL;
519 }
520
521 nt_status = samba_kdc_add_claims_valid(user_info_dc_shallow_copy);
522 if (!NT_STATUS_IS_OK(nt_status)) {
523 DBG_ERR("Failed to add Claims Valid: %s\n",
524 nt_errstr(nt_status));
525 talloc_free(tmp_ctx);
526 return EINVAL;
527 }
528
529 /* We no longer need to modify this, so assign to const variable */
530 user_info_dc = user_info_dc_shallow_copy;
531
532 nt_status = samba_kdc_get_logon_info_blob(tmp_ctx,
533 user_info_dc,
534 group_inclusion,
535 &logon_info_blob);
536 if (!NT_STATUS_IS_OK(nt_status)) {
537 talloc_free(tmp_ctx);
538 return EINVAL;
539 }
540
541 if (cred_ndr_ptr != NULL) {
542 nt_status = samba_kdc_get_cred_ndr_blob(tmp_ctx,
543 skdc_entry,
544 cred_ndr_ptr);
545 if (!NT_STATUS_IS_OK(nt_status)) {
546 talloc_free(tmp_ctx);
547 return EINVAL;
548 }
549 }
550
551 nt_status = samba_kdc_get_upn_info_blob(tmp_ctx,
552 user_info_dc,
553 &upn_dns_info_blob);
554 if (!NT_STATUS_IS_OK(nt_status)) {
555 talloc_free(tmp_ctx);
556 return EINVAL;
557 }
558
559 if (is_krbtgt) {
560 nt_status = samba_kdc_get_pac_attrs_blob(tmp_ctx,
561 PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY,
562 &pac_attrs_blob);
563 if (!NT_STATUS_IS_OK(nt_status)) {
564 talloc_free(tmp_ctx);
565 return EINVAL;
566 }
567
568 nt_status = samba_kdc_get_requester_sid_blob(tmp_ctx,
569 user_info_dc,
570 &requester_sid_blob);
571 if (!NT_STATUS_IS_OK(nt_status)) {
572 talloc_free(tmp_ctx);
573 return EINVAL;
574 }
575 }
576
577 nt_status = samba_kdc_get_claims_blob(tmp_ctx,
578 skdc_entry,
579 &client_claims_blob);
580 if (!NT_STATUS_IS_OK(nt_status)) {
581 talloc_free(tmp_ctx);
582 return EINVAL;
583 }
584
585 if (replaced_reply_key != NULL && cred_ndr != NULL) {
586 code = samba_kdc_encrypt_pac_credentials(context,
587 replaced_reply_key,
588 cred_ndr,
589 tmp_ctx,
590 &cred_blob);
591 if (code != 0) {
592 talloc_free(tmp_ctx);
593 return code;
594 }
595 pcred_blob = &cred_blob;
596 }
597
598 code = samba_make_krb5_pac(context,
599 logon_info_blob,
600 pcred_blob,
601 upn_dns_info_blob,
602 pac_attrs_blob,
603 requester_sid_blob,
604 NULL /* deleg_blob */,
605 client_claims_blob,
606 NULL /* device_info_blob */,
607 NULL /* device_claims_blob */,
608 *pac);
609
610 talloc_free(tmp_ctx);
611 return code;
612 }
613
614 krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx,
615 krb5_context context,
616 int kdc_flags,
617 krb5_db_entry *client,
618 krb5_db_entry *server,
619 krb5_db_entry *krbtgt,
620 krb5_pac old_pac,
621 krb5_pac new_pac)
622 {
623 TALLOC_CTX *tmp_ctx = NULL;
624 krb5_error_code code;
625 struct samba_kdc_entry *client_skdc_entry = NULL;
626 struct samba_kdc_entry *server_skdc_entry = NULL;
627 struct samba_kdc_entry *krbtgt_skdc_entry = NULL;
628 struct samba_kdc_entry_pac client_pac_entry = {};
629 bool is_in_db = false;
630 bool is_trusted = false;
631 uint32_t flags = 0;
632
633 /* Create a memory context early so code can use talloc_stackframe() */
634 tmp_ctx = talloc_named(ctx, 0, "mit_samba_update_pac context");
635 if (tmp_ctx == NULL) {
636 return ENOMEM;
637 }
638
639 if (client != NULL) {
640 client_skdc_entry =
641 talloc_get_type_abort(client->e_data,
642 struct samba_kdc_entry);
643 }
644
645 if (krbtgt == NULL) {
646 code = EINVAL;
647 goto done;
648 }
649 krbtgt_skdc_entry =
650 talloc_get_type_abort(krbtgt->e_data,
651 struct samba_kdc_entry);
652
653 if (server == NULL) {
654 code = EINVAL;
655 goto done;
656 }
657 server_skdc_entry =
658 talloc_get_type_abort(server->e_data,
659 struct samba_kdc_entry);
660
661 /*
662 * If the krbtgt was generated by an RODC, and we are not that
663 * RODC, then we need to regenerate the PAC - we can't trust
664 * it, and confirm that the RODC was permitted to print this ticket
665 *
666 * Because of the samba_kdc_validate_pac_blob() step we can be
667 * sure that the record in 'client' or 'server' matches the SID in the
668 * original PAC.
669 */
670 code = samba_krbtgt_is_in_db(krbtgt_skdc_entry,
671 &is_in_db,
672 &is_trusted);
673 if (code != 0) {
674 goto done;
675 }
676
677 if (kdc_flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
678 flags |= SAMBA_KDC_FLAG_PROTOCOL_TRANSITION;
679 }
680
681 if (kdc_flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
682 flags |= SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION;
683 }
684
685 client_pac_entry = samba_kdc_entry_pac_from_trusted(old_pac,
686 client_skdc_entry,
687 samba_kdc_entry_is_trust(krbtgt_skdc_entry),
688 is_trusted);
689
690 code = samba_kdc_verify_pac(tmp_ctx,
691 context,
692 krbtgt_skdc_entry->kdc_db_ctx->samdb,
693 flags,
694 client_pac_entry,
695 krbtgt_skdc_entry);
696 if (code != 0) {
697 goto done;
698 }
699
700 code = samba_kdc_update_pac(tmp_ctx,
701 context,
702 krbtgt_skdc_entry->kdc_db_ctx->samdb,
703 krbtgt_skdc_entry->kdc_db_ctx->lp_ctx,
704 flags,
705 client_pac_entry,
706 server->princ,
707 server_skdc_entry,
708 NULL /* delegated_proxy_principal */,
709 (struct samba_kdc_entry_pac) {} /* delegated_proxy */,
710 (struct samba_kdc_entry_pac) {} /* device */,
711 new_pac,
712 NULL /* server_audit_info_out */,
713 NULL /* status_out */);
714 if (code != 0) {
715 if (code == ENOATTR) {
716 /*
717 * We can't tell the KDC to not issue a PAC. It will
718 * just return the newly allocated empty PAC.
719 */
720 code = 0;
721 }
722 }
723
724 done:
725 talloc_free(tmp_ctx);
726 return code;
727 }
728
729 /* provide header, function is exported but there are no public headers */
730
731 krb5_error_code encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data **code);
732
733 /* this function allocates 'data' using malloc.
734 * The caller is responsible for freeing it */
735 static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data)
736 {
737 krb5_error_code ret = 0;
738 krb5_pa_data pa, *ppa[2];
739 krb5_data *d = NULL;
740
741 if (!e_data)
742 return;
743
744 e_data->data = NULL;
745 e_data->length = 0;
746
747 pa.magic = KV5M_PA_DATA;
748 pa.pa_type = KRB5_PADATA_PW_SALT /* KERB_ERR_TYPE_EXTENDED */;
749 pa.length = 12;
750 pa.contents = malloc(pa.length);
751 if (!pa.contents) {
752 return;
753 }
754
755 SIVAL(pa.contents, 0, NT_STATUS_V(nt_status));
756 SIVAL(pa.contents, 4, 0);
757 SIVAL(pa.contents, 8, 1);
758
759 ppa[0] = &pa;
760 ppa[1] = NULL;
761
762 ret = encode_krb5_padata_sequence(ppa, &d);
763 free(pa.contents);
764 if (ret) {
765 return;
766 }
767
768 e_data->data = (uint8_t *)d->data;
769 e_data->length = d->length;
770
771 /* free d, not d->data - gd */
772 free(d);
773
774 return;
775 }
776
777 krb5_error_code mit_samba_check_client_access(struct mit_samba_context *ctx,
778 krb5_db_entry *client,
779 const char *client_name,
780 krb5_db_entry *server,
781 const char *server_name,
782 const char *netbios_name,
783 bool password_change,
784 DATA_BLOB *e_data)
785 {
786 struct samba_kdc_entry *skdc_entry;
787 NTSTATUS nt_status;
788
789 skdc_entry = talloc_get_type(client->e_data, struct samba_kdc_entry);
790
791 nt_status = samba_kdc_check_client_access(skdc_entry,
792 client_name,
793 netbios_name,
794 password_change);
795
796 if (!NT_STATUS_IS_OK(nt_status)) {
797 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
798 return ENOMEM;
799 }
800
801 samba_kdc_build_edata_reply(nt_status, e_data);
802
803 return samba_kdc_map_policy_err(nt_status);
804 }
805
806 return 0;
807 }
808
809 krb5_error_code mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
810 const krb5_db_entry *server,
811 krb5_const_principal target_principal)
812 {
813 struct samba_kdc_entry *server_skdc_entry =
814 talloc_get_type_abort(server->e_data, struct samba_kdc_entry);
815 krb5_error_code code;
816
817 code = samba_kdc_check_s4u2proxy(ctx->context,
818 ctx->db_ctx,
819 server_skdc_entry,
820 target_principal);
821
822 return code;
823 }
824
825 krb5_error_code mit_samba_check_allowed_to_delegate_from(
826 struct mit_samba_context *ctx,
827 krb5_const_principal client_principal,
828 krb5_const_principal server_principal,
829 krb5_pac header_pac,
830 const krb5_db_entry *proxy)
831 {
832 struct samba_kdc_entry *proxy_skdc_entry =
833 talloc_get_type_abort(proxy->e_data, struct samba_kdc_entry);
834 struct auth_user_info_dc *user_info_dc = NULL;
835 TALLOC_CTX *mem_ctx = NULL;
836 krb5_error_code code;
837
838 mem_ctx = talloc_new(NULL);
839 if (mem_ctx == NULL) {
840 return ENOMEM;
841 }
842
843 /*
844 * FIXME: If ever we support RODCs, we must check that the PAC has not
845 * been issued by an RODC (other than ourselves) — otherwise the PAC
846 * cannot be trusted. Because the plugin interface does not give us the
847 * client entry, we cannot look up its groups in the database.
848 */
849 code = kerberos_pac_to_user_info_dc(mem_ctx,
850 header_pac,
851 ctx->context,
852 &user_info_dc,
853 AUTH_INCLUDE_RESOURCE_GROUPS,
854 NULL,
855 NULL,
856 NULL);
857 if (code != 0) {
858 goto out;
859 }
860
861 code = samba_kdc_check_s4u2proxy_rbcd(ctx->context,
862 ctx->db_ctx,
863 client_principal,
864 server_principal,
865 user_info_dc,
866 NULL /* device_info_dc */,
867 (struct auth_claims) {},
868 proxy_skdc_entry);
869 out:
870 talloc_free(mem_ctx);
871 return code;
872 }
873
874 static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
875 NTSTATUS result,
876 enum samPwdChangeReason reject_reason,
877 struct samr_DomInfo1 *dominfo)
878 {
879 krb5_error_code code = KADM5_PASS_Q_GENERIC;
880
881 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
882 code = KADM5_BAD_PRINCIPAL;
883 krb5_set_error_message(context,
884 code,
885 "No such user when changing password");
886 }
887 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
888 code = KADM5_PASS_Q_GENERIC;
889 krb5_set_error_message(context,
890 code,
891 "Not permitted to change password");
892 }
893 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) &&
894 dominfo != NULL) {
895 switch (reject_reason) {
896 case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT:
897 code = KADM5_PASS_Q_TOOSHORT;
898 krb5_set_error_message(context,
899 code,
900 "Password too short, password "
901 "must be at least %d characters "
902 "long.",
903 dominfo->min_password_length);
904 break;
905 case SAM_PWD_CHANGE_NOT_COMPLEX:
906 code = KADM5_PASS_Q_DICT;
907 krb5_set_error_message(context,
908 code,
909 "Password does not meet "
910 "complexity requirements");
911 break;
912 case SAM_PWD_CHANGE_PWD_IN_HISTORY:
913 code = KADM5_PASS_TOOSOON;
914 krb5_set_error_message(context,
915 code,
916 "Password is already in password "
917 "history. New password must not "
918 "match any of your %d previous "
919 "passwords.",
920 dominfo->password_history_length);
921 break;
922 default:
923 code = KADM5_PASS_Q_GENERIC;
924 krb5_set_error_message(context,
925 code,
926 "Password change rejected, "
927 "password changes may not be "
928 "permitted on this account, or "
929 "the minimum password age may "
930 "not have elapsed.");
931 break;
932 }
933 }
934
935 return code;
936 }
937
938 krb5_error_code mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
939 char *pwd,
940 krb5_db_entry *db_entry)
941 {
942 NTSTATUS status;
943 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
944 TALLOC_CTX *tmp_ctx;
945 DATA_BLOB password;
946 enum samPwdChangeReason reject_reason;
947 struct samr_DomInfo1 *dominfo;
948 const char *error_string = NULL;
949 const struct auth_user_info_dc *user_info_dc = NULL;
950 struct samba_kdc_entry *p =
951 talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
952 krb5_error_code code = 0;
953
954 #ifdef DEBUG_PASSWORD
955 DBG_WARNING("mit_samba_kpasswd_change_password called with: %s\n", pwd);
956 #endif
957
958 tmp_ctx = talloc_named(ctx, 0, "mit_samba_kpasswd_change_password");
959 if (tmp_ctx == NULL) {
960 return ENOMEM;
961 }
962
963 code = samba_kdc_get_user_info_from_db(tmp_ctx,
964 ctx->db_ctx->samdb,
965 p,
966 p->msg,
967 &user_info_dc);
968 if (code) {
969 const char *krb5err = krb5_get_error_message(ctx->context, code);
970 DBG_WARNING("samba_kdc_get_user_info_from_db failed: %s\n",
971 krb5err != NULL ? krb5err : "<unknown>");
972 krb5_free_error_message(ctx->context, krb5err);
973
974 goto out;
975 }
976
977 status = auth_generate_session_info(tmp_ctx,
978 ctx->db_ctx->lp_ctx,
979 ctx->db_ctx->samdb,
980 user_info_dc,
981 0, /* session_info_flags */
982 &ctx->session_info);
983
984 if (!NT_STATUS_IS_OK(status)) {
985 DBG_WARNING("auth_generate_session_info failed: %s\n",
986 nt_errstr(status));
987 code = EINVAL;
988 goto out;
989 }
990
991 /* password is expected as UTF16 */
992
993 if (!convert_string_talloc(tmp_ctx, CH_UTF8, CH_UTF16,
994 pwd, strlen(pwd),
995 &password.data, &password.length)) {
996 DBG_WARNING("convert_string_talloc failed\n");
997 code = EINVAL;
998 goto out;
999 }
1000
1001 status = samdb_kpasswd_change_password(tmp_ctx,
1002 ctx->db_ctx->lp_ctx,
1003 ctx->db_ctx->ev_ctx,
1004 ctx->session_info,
1005 &password,
1006 &reject_reason,
1007 &dominfo,
1008 &error_string,
1009 &result);
1010 if (!NT_STATUS_IS_OK(status)) {
1011 DBG_WARNING("samdb_kpasswd_change_password failed: %s\n",
1012 nt_errstr(status));
1013 code = KADM5_PASS_Q_GENERIC;
1014 krb5_set_error_message(ctx->context, code, "%s", error_string);
1015 goto out;
1016 }
1017
1018 if (!NT_STATUS_IS_OK(result)) {
1019 code = mit_samba_change_pwd_error(ctx->context,
1020 result,
1021 reject_reason,
1022 dominfo);
1023 }
1024
1025 out:
1026 talloc_free(tmp_ctx);
1027
1028 return code;
1029 }
1030
1031 void mit_samba_zero_bad_password_count(krb5_db_entry *db_entry)
1032 {
1033 /* struct netr_SendToSamBase *send_to_sam = NULL; */
1034 struct samba_kdc_entry *p =
1035 talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
1036 struct ldb_dn *domain_dn;
1037
1038 domain_dn = ldb_get_default_basedn(p->kdc_db_ctx->samdb);
1039
1040 authsam_logon_success_accounting(p->kdc_db_ctx->samdb,
1041 p->msg,
1042 domain_dn,
1043 true,
1044 NULL, NULL);
1045 /* TODO: RODC support */
1046 }
1047
1048
1049 void mit_samba_update_bad_password_count(krb5_db_entry *db_entry)
1050 {
1051 struct samba_kdc_entry *p =
1052 talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
1053
1054 authsam_update_bad_pwd_count(p->kdc_db_ctx->samdb,
1055 p->msg,
1056 ldb_get_default_basedn(p->kdc_db_ctx->samdb));
1057 }
1058
1059 bool mit_samba_princ_needs_pac(krb5_db_entry *db_entry)
1060 {
1061 struct samba_kdc_entry *skdc_entry =
1062 talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
1063
1064 return samba_princ_needs_pac(skdc_entry);
1065 }
Samba GIT mirror