search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
CVE-2022-2031 s4:kdc: Don't use strncmp to compare principal components
[Samba.git] / source4 / kdc / db-glue.c
blob024073eb5bdba4a371a10a3ffd7b86b73aa17a53
1 /*
2 Unix SMB/CIFS implementation.
3
4 Database Glue between Samba and the KDC
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
7 Copyright (C) Simo Sorce <idra@samba.org> 2010
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "libcli/security/security.h"
26 #include "librpc/gen_ndr/ndr_security.h"
27 #include "auth/auth.h"
28 #include "auth/auth_sam.h"
29 #include "dsdb/samdb/samdb.h"
30 #include "dsdb/common/util.h"
31 #include "librpc/gen_ndr/ndr_drsblobs.h"
32 #include "param/param.h"
33 #include "param/secrets.h"
34 #include "../lib/crypto/md4.h"
35 #include "system/kerberos.h"
36 #include "auth/kerberos/kerberos.h"
37 #include "kdc/sdb.h"
38 #include "kdc/samba_kdc.h"
39 #include "kdc/db-glue.h"
40 #include "kdc/pac-glue.h"
41 #include "librpc/gen_ndr/ndr_irpc_c.h"
42 #include "lib/messaging/irpc.h"
43
44 #undef strcasecmp
45 #undef strncasecmp
46
47 #define SAMBA_KVNO_GET_KRBTGT(kvno) \
48 ((uint16_t)(((uint32_t)kvno) >> 16))
49
50 #define SAMBA_KVNO_GET_VALUE(kvno) \
51 ((uint16_t)(((uint32_t)kvno) & 0xFFFF))
52
53 #define SAMBA_KVNO_AND_KRBTGT(kvno, krbtgt) \
54 ((krb5_kvno)((((uint32_t)kvno) & 0xFFFF) | \
55 ((((uint32_t)krbtgt) << 16) & 0xFFFF0000)))
56
57 enum trust_direction {
58 UNKNOWN = 0,
59 INBOUND = LSA_TRUST_DIRECTION_INBOUND,
60 OUTBOUND = LSA_TRUST_DIRECTION_OUTBOUND
61 };
62
63 static const char *trust_attrs[] = {
64 "securityIdentifier",
65 "flatName",
66 "trustPartner",
67 "trustAttributes",
68 "trustDirection",
69 "trustType",
70 "msDS-TrustForestTrustInfo",
71 "trustAuthIncoming",
72 "trustAuthOutgoing",
73 "whenCreated",
74 "msDS-SupportedEncryptionTypes",
75 NULL
76 };
77
78 /*
79 send a message to the drepl server telling it to initiate a
80 REPL_SECRET getncchanges extended op to fetch the users secrets
81 */
82 static void auth_sam_trigger_repl_secret(TALLOC_CTX *mem_ctx,
83 struct imessaging_context *msg_ctx,
84 struct tevent_context *event_ctx,
85 struct ldb_dn *user_dn)
86 {
87 struct dcerpc_binding_handle *irpc_handle;
88 struct drepl_trigger_repl_secret r;
89 struct tevent_req *req;
90 TALLOC_CTX *tmp_ctx;
91
92 tmp_ctx = talloc_new(mem_ctx);
93 if (tmp_ctx == NULL) {
94 return;
95 }
96
97 irpc_handle = irpc_binding_handle_by_name(tmp_ctx, msg_ctx,
98 "dreplsrv",
99 &ndr_table_irpc);
100 if (irpc_handle == NULL) {
101 DEBUG(1,(__location__ ": Unable to get binding handle for dreplsrv\n"));
102 TALLOC_FREE(tmp_ctx);
103 return;
104 }
105
106 r.in.user_dn = ldb_dn_get_linearized(user_dn);
107
108 /*
109 * This seem to rely on the current IRPC implementation,
110 * which delivers the message in the _send function.
111 *
112 * TODO: we need a ONE_WAY IRPC handle and register
113 * a callback and wait for it to be triggered!
114 */
115 req = dcerpc_drepl_trigger_repl_secret_r_send(tmp_ctx,
116 event_ctx,
117 irpc_handle,
118 &r);
119
120 /* we aren't interested in a reply */
121 talloc_free(req);
122 TALLOC_FREE(tmp_ctx);
123 }
124
125 static time_t ldb_msg_find_krb5time_ldap_time(struct ldb_message *msg, const char *attr, time_t default_val)
126 {
127 const char *tmp;
128 const char *gentime;
129 struct tm tm;
130
131 gentime = ldb_msg_find_attr_as_string(msg, attr, NULL);
132 if (!gentime)
133 return default_val;
134
135 tmp = strptime(gentime, "%Y%m%d%H%M%SZ", &tm);
136 if (tmp == NULL) {
137 return default_val;
138 }
139
140 return timegm(&tm);
141 }
142
143 static struct SDBFlags uf2SDBFlags(krb5_context context, uint32_t userAccountControl, enum samba_kdc_ent_type ent_type)
144 {
145 struct SDBFlags flags = int2SDBFlags(0);
146
147 /* we don't allow kadmin deletes */
148 flags.immutable = 1;
149
150 /* mark the principal as invalid to start with */
151 flags.invalid = 1;
152
153 flags.renewable = 1;
154
155 /* All accounts are servers, but this may be disabled again in the caller */
156 flags.server = 1;
157
158 /* Account types - clear the invalid bit if it turns out to be valid */
159 if (userAccountControl & UF_NORMAL_ACCOUNT) {
160 if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT || ent_type == SAMBA_KDC_ENT_TYPE_ANY) {
161 flags.client = 1;
162 }
163 flags.invalid = 0;
164 }
165
166 if (userAccountControl & UF_INTERDOMAIN_TRUST_ACCOUNT) {
167 if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT || ent_type == SAMBA_KDC_ENT_TYPE_ANY) {
168 flags.client = 1;
169 }
170 flags.invalid = 0;
171 }
172 if (userAccountControl & UF_WORKSTATION_TRUST_ACCOUNT) {
173 if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT || ent_type == SAMBA_KDC_ENT_TYPE_ANY) {
174 flags.client = 1;
175 }
176 flags.invalid = 0;
177 }
178 if (userAccountControl & UF_SERVER_TRUST_ACCOUNT) {
179 if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT || ent_type == SAMBA_KDC_ENT_TYPE_ANY) {
180 flags.client = 1;
181 }
182 flags.invalid = 0;
183 }
184
185 /* Not permitted to act as a client if disabled */
186 if (userAccountControl & UF_ACCOUNTDISABLE) {
187 flags.client = 0;
188 }
189 if (userAccountControl & UF_LOCKOUT) {
190 flags.locked_out = 1;
191 }
192 /*
193 if (userAccountControl & UF_PASSWORD_NOTREQD) {
194 flags.invalid = 1;
195 }
196 */
197 /*
198 UF_PASSWORD_CANT_CHANGE and UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED are irrelevent
199 */
200 if (userAccountControl & UF_TEMP_DUPLICATE_ACCOUNT) {
201 flags.invalid = 1;
202 }
203
204 /* UF_DONT_EXPIRE_PASSWD and UF_USE_DES_KEY_ONLY handled in samba_kdc_message2entry() */
205
206 /*
207 if (userAccountControl & UF_MNS_LOGON_ACCOUNT) {
208 flags.invalid = 1;
209 }
210 */
211 if (userAccountControl & UF_SMARTCARD_REQUIRED) {
212 flags.require_hwauth = 1;
213 }
214 if (userAccountControl & UF_TRUSTED_FOR_DELEGATION) {
215 flags.ok_as_delegate = 1;
216 }
217 if (userAccountControl & UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION) {
218 /*
219 * this is confusing...
220 *
221 * UF_TRUSTED_FOR_DELEGATION
222 * => ok_as_delegate
223 *
224 * and
225 *
226 * UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
227 * => trusted_for_delegation
228 */
229 flags.trusted_for_delegation = 1;
230 }
231 if (!(userAccountControl & UF_NOT_DELEGATED)) {
232 flags.forwardable = 1;
233 flags.proxiable = 1;
234 }
235
236 if (userAccountControl & UF_DONT_REQUIRE_PREAUTH) {
237 flags.require_preauth = 0;
238 } else {
239 flags.require_preauth = 1;
240 }
241
242 if (userAccountControl & UF_NO_AUTH_DATA_REQUIRED) {
243 flags.no_auth_data_reqd = 1;
244 }
245
246 return flags;
247 }
248
249 static int samba_kdc_entry_destructor(struct samba_kdc_entry *p)
250 {
251 if (p->db_entry != NULL) {
252 /*
253 * A sdb_entry still has a reference
254 */
255 return -1;
256 }
257
258 if (p->kdc_entry != NULL) {
259 /*
260 * hdb_entry or krb5_db_entry still
261 * have a reference...
262 */
263 return -1;
264 }
265
266 return 0;
267 }
268
269 /*
270 * Sort keys in descending order of strength.
271 *
272 * Explanaton from Greg Hudson:
273 *
274 * To encrypt tickets only the first returned key is used by the MIT KDC. The
275 * other keys just communicate support for session key enctypes, and aren't
276 * really used. The encryption key for the ticket enc part doesn't have
277 * to be of a type requested by the client. The session key enctype is chosen
278 * based on the client preference order, limited by the set of enctypes present
279 * in the server keys (unless the string attribute is set on the server
280 * principal overriding that set).
281 */
282
283 static int sdb_key_strength_priority(krb5_enctype etype)
284 {
285 static const krb5_enctype etype_list[] = {
286 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
287 ENCTYPE_AES128_CTS_HMAC_SHA1_96,
288 ENCTYPE_DES3_CBC_SHA1,
289 ENCTYPE_ARCFOUR_HMAC,
290 ENCTYPE_DES_CBC_MD5,
291 ENCTYPE_DES_CBC_MD4,
292 ENCTYPE_DES_CBC_CRC,
293 ENCTYPE_NULL
294 };
295 int i;
296
297 for (i = 0; i < ARRAY_SIZE(etype_list); i++) {
298 if (etype == etype_list[i]) {
299 break;
300 }
301 }
302
303 return ARRAY_SIZE(etype_list) - i;
304 }
305
306 static int sdb_key_strength_cmp(const struct sdb_key *k1, const struct sdb_key *k2)
307 {
308 int p1 = sdb_key_strength_priority(KRB5_KEY_TYPE(&k1->key));
309 int p2 = sdb_key_strength_priority(KRB5_KEY_TYPE(&k2->key));
310
311 if (p1 == p2) {
312 return 0;
313 }
314
315 if (p1 > p2) {
316 /*
317 * Higher priority comes first
318 */
319 return -1;
320 } else {
321 return 1;
322 }
323 }
324
325 static void samba_kdc_sort_keys(struct sdb_keys *keys)
326 {
327 if (keys == NULL) {
328 return;
329 }
330
331 TYPESAFE_QSORT(keys->val, keys->len, sdb_key_strength_cmp);
332 }
333
334 int samba_kdc_set_fixed_keys(krb5_context context,
335 const struct ldb_val *secretbuffer,
336 uint32_t supported_enctypes,
337 struct sdb_keys *keys)
338 {
339 uint16_t allocated_keys = 0;
340 int ret;
341
342 allocated_keys = 3;
343 keys->len = 0;
344 keys->val = calloc(allocated_keys, sizeof(struct sdb_key));
345 if (keys->val == NULL) {
346 memset(secretbuffer->data, 0, secretbuffer->length);
347 ret = ENOMEM;
348 goto out;
349 }
350
351 if (supported_enctypes & ENC_HMAC_SHA1_96_AES256) {
352 struct sdb_key key = {};
353
354 ret = smb_krb5_keyblock_init_contents(context,
355 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
356 secretbuffer->data,
357 MIN(secretbuffer->length, 32),
358 &key.key);
359 if (ret) {
360 memset(secretbuffer->data, 0, secretbuffer->length);
361 goto out;
362 }
363
364 keys->val[keys->len] = key;
365 keys->len++;
366 }
367
368 if (supported_enctypes & ENC_HMAC_SHA1_96_AES128) {
369 struct sdb_key key = {};
370
371 ret = smb_krb5_keyblock_init_contents(context,
372 ENCTYPE_AES128_CTS_HMAC_SHA1_96,
373 secretbuffer->data,
374 MIN(secretbuffer->length, 16),
375 &key.key);
376 if (ret) {
377 memset(secretbuffer->data, 0, secretbuffer->length);
378 goto out;
379 }
380
381 keys->val[keys->len] = key;
382 keys->len++;
383 }
384
385 if (supported_enctypes & ENC_RC4_HMAC_MD5) {
386 struct sdb_key key = {};
387
388 ret = smb_krb5_keyblock_init_contents(context,
389 ENCTYPE_ARCFOUR_HMAC,
390 secretbuffer->data,
391 MIN(secretbuffer->length, 16),
392 &key.key);
393 if (ret) {
394 memset(secretbuffer->data, 0, secretbuffer->length);
395 goto out;
396 }
397
398 keys->val[keys->len] = key;
399 keys->len++;
400 }
401 ret = 0;
402 out:
403 return ret;
404 }
405
406
407 static int samba_kdc_set_random_keys(krb5_context context,
408 uint32_t supported_enctypes,
409 struct sdb_keys *keys)
410 {
411 struct ldb_val secret_val;
412 uint8_t secretbuffer[32];
413
414 /*
415 * Fake keys until we have a better way to reject
416 * non-pkinit requests.
417 *
418 * We just need to indicate which encryption types are
419 * supported.
420 */
421 generate_secret_buffer(secretbuffer, sizeof(secretbuffer));
422
423 secret_val = data_blob_const(secretbuffer,
424 sizeof(secretbuffer));
425 return samba_kdc_set_fixed_keys(context,
426 &secret_val,
427 supported_enctypes,
428 keys);
429 }
430
431 struct samba_kdc_user_keys {
432 struct sdb_keys *skeys;
433 uint32_t kvno;
434 uint32_t *returned_kvno;
435 uint32_t supported_enctypes;
436 uint32_t *available_enctypes;
437 const struct samr_Password *nthash;
438 const char *salt_string;
439 uint16_t num_pkeys;
440 const struct package_PrimaryKerberosKey4 *pkeys;
441 };
442
443 static krb5_error_code samba_kdc_fill_user_keys(krb5_context context,
444 struct samba_kdc_user_keys *p)
445 {
446 /*
447 * Make sure we'll never reveal DES keys
448 */
449 uint32_t supported_enctypes = p->supported_enctypes & ENC_ALL_TYPES;
450 uint32_t _available_enctypes = 0;
451 uint32_t *available_enctypes = p->available_enctypes;
452 uint32_t _returned_kvno = 0;
453 uint32_t *returned_kvno = p->returned_kvno;
454 uint32_t num_pkeys = p->num_pkeys;
455 uint32_t allocated_keys = num_pkeys;
456 uint32_t i;
457 int ret;
458
459 if (available_enctypes == NULL) {
460 available_enctypes = &_available_enctypes;
461 }
462
463 *available_enctypes = 0;
464
465 if (returned_kvno == NULL) {
466 returned_kvno = &_returned_kvno;
467 }
468
469 *returned_kvno = p->kvno;
470
471 if (p->nthash != NULL) {
472 allocated_keys += 1;
473 }
474
475 allocated_keys = MAX(1, allocated_keys);
476
477 /* allocate space to decode into */
478 p->skeys->len = 0;
479 p->skeys->val = calloc(allocated_keys, sizeof(struct sdb_key));
480 if (p->skeys->val == NULL) {
481 return ENOMEM;
482 }
483
484 for (i=0; i < num_pkeys; i++) {
485 struct sdb_key key = {};
486 uint32_t enctype_bit;
487
488 if (p->pkeys[i].value == NULL) {
489 continue;
490 }
491
492 enctype_bit = kerberos_enctype_to_bitmap(p->pkeys[i].keytype);
493 if (!(enctype_bit & supported_enctypes)) {
494 continue;
495 }
496
497 if (p->salt_string != NULL) {
498 DATA_BLOB salt;
499
500 salt = data_blob_string_const(p->salt_string);
501
502 key.salt = calloc(1, sizeof(*key.salt));
503 if (key.salt == NULL) {
504 ret = ENOMEM;
505 goto fail;
506 }
507
508 key.salt->type = KRB5_PW_SALT;
509
510 ret = smb_krb5_copy_data_contents(&key.salt->salt,
511 salt.data,
512 salt.length);
513 if (ret) {
514 ZERO_STRUCTP(key.salt);
515 sdb_key_free(&key);
516 goto fail;
517 }
518 }
519
520 ret = smb_krb5_keyblock_init_contents(context,
521 p->pkeys[i].keytype,
522 p->pkeys[i].value->data,
523 p->pkeys[i].value->length,
524 &key.key);
525 if (ret == 0) {
526 p->skeys->val[p->skeys->len++] = key;
527 *available_enctypes |= enctype_bit;
528 continue;
529 }
530 ZERO_STRUCT(key.key);
531 sdb_key_free(&key);
532 if (ret == KRB5_PROG_ETYPE_NOSUPP) {
533 DEBUG(2,("Unsupported keytype ignored - type %u\n",
534 p->pkeys[i].keytype));
535 ret = 0;
536 continue;
537 }
538
539 goto fail;
540 }
541
542 if (p->nthash != NULL && (supported_enctypes & ENC_RC4_HMAC_MD5)) {
543 struct sdb_key key = {};
544
545 ret = smb_krb5_keyblock_init_contents(context,
546 ENCTYPE_ARCFOUR_HMAC,
547 p->nthash->hash,
548 sizeof(p->nthash->hash),
549 &key.key);
550 if (ret == 0) {
551 p->skeys->val[p->skeys->len++] = key;
552
553 *available_enctypes |= ENC_RC4_HMAC_MD5;
554 } else if (ret == KRB5_PROG_ETYPE_NOSUPP) {
555 DEBUG(2,("Unsupported keytype ignored - type %u\n",
556 ENCTYPE_ARCFOUR_HMAC));
557 ret = 0;
558 }
559 if (ret != 0) {
560 goto fail;
561 }
562 }
563
564 samba_kdc_sort_keys(p->skeys);
565
566 return 0;
567 fail:
568 sdb_keys_free(p->skeys);
569 return ret;
570 }
571
572 krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
573 TALLOC_CTX *mem_ctx,
574 const struct ldb_message *msg,
575 bool is_krbtgt,
576 bool is_rodc,
577 uint32_t userAccountControl,
578 enum samba_kdc_ent_type ent_type,
579 unsigned flags,
580 krb5_kvno requested_kvno,
581 struct sdb_entry *entry,
582 const uint32_t supported_enctypes_in,
583 uint32_t *supported_enctypes_out)
584 {
585 krb5_error_code ret = 0;
586 enum ndr_err_code ndr_err;
587 struct samr_Password *hash;
588 unsigned int num_ntPwdHistory = 0;
589 struct samr_Password *ntPwdHistory = NULL;
590 struct samr_Password *old_hash = NULL;
591 struct samr_Password *older_hash = NULL;
592 const struct ldb_val *sc_val;
593 struct supplementalCredentialsBlob scb;
594 struct supplementalCredentialsPackage *scpk = NULL;
595 struct package_PrimaryKerberosBlob _pkb;
596 struct package_PrimaryKerberosCtr4 *pkb4 = NULL;
597 int krbtgt_number = 0;
598 uint32_t current_kvno;
599 uint32_t old_kvno = 0;
600 uint32_t older_kvno = 0;
601 uint32_t returned_kvno = 0;
602 uint16_t i;
603 struct samba_kdc_user_keys keys = { .num_pkeys = 0, };
604 struct samba_kdc_user_keys old_keys = { .num_pkeys = 0, };
605 struct samba_kdc_user_keys older_keys = { .num_pkeys = 0, };
606 uint32_t available_enctypes = 0;
607 uint32_t supported_enctypes = supported_enctypes_in;
608
609 *supported_enctypes_out = 0;
610
611 /* Is this the krbtgt or a RODC krbtgt */
612 if (is_rodc) {
613 krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1);
614
615 if (krbtgt_number == -1) {
616 return EINVAL;
617 }
618 if (krbtgt_number == 0) {
619 return EINVAL;
620 }
621 }
622
623 if ((ent_type == SAMBA_KDC_ENT_TYPE_CLIENT)
624 && (userAccountControl & UF_SMARTCARD_REQUIRED)) {
625 ret = samba_kdc_set_random_keys(context,
626 supported_enctypes,
627 &entry->keys);
628
629 *supported_enctypes_out = supported_enctypes;
630
631 goto out;
632 }
633
634 current_kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0);
635 if (current_kvno > 1) {
636 old_kvno = current_kvno - 1;
637 }
638 if (current_kvno > 2) {
639 older_kvno = current_kvno - 2;
640 }
641 if (is_krbtgt) {
642 /*
643 * Even for the main krbtgt account
644 * we have to strictly split the kvno into
645 * two 16-bit parts and the upper 16-bit
646 * need to be all zero, even if
647 * the msDS-KeyVersionNumber has a value
648 * larger than 65535.
649 *
650 * See https://bugzilla.samba.org/show_bug.cgi?id=14951
651 */
652 current_kvno = SAMBA_KVNO_GET_VALUE(current_kvno);
653 old_kvno = SAMBA_KVNO_GET_VALUE(old_kvno);
654 older_kvno = SAMBA_KVNO_GET_VALUE(older_kvno);
655 requested_kvno = SAMBA_KVNO_GET_VALUE(requested_kvno);
656 }
657
658 /* Get keys from the db */
659
660 hash = samdb_result_hash(mem_ctx, msg, "unicodePwd");
661 num_ntPwdHistory = samdb_result_hashes(mem_ctx, msg,
662 "ntPwdHistory",
663 &ntPwdHistory);
664 if (num_ntPwdHistory > 1) {
665 old_hash = &ntPwdHistory[1];
666 }
667 if (num_ntPwdHistory > 2) {
668 older_hash = &ntPwdHistory[1];
669 }
670 sc_val = ldb_msg_find_ldb_val(msg, "supplementalCredentials");
671
672 /* supplementalCredentials if present */
673 if (sc_val) {
674 ndr_err = ndr_pull_struct_blob_all(sc_val, mem_ctx, &scb,
675 (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
676 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
677 dump_data(0, sc_val->data, sc_val->length);
678 ret = EINVAL;
679 goto out;
680 }
681
682 if (scb.sub.signature != SUPPLEMENTAL_CREDENTIALS_SIGNATURE) {
683 if (scb.sub.num_packages != 0) {
684 NDR_PRINT_DEBUG(supplementalCredentialsBlob, &scb);
685 ret = EINVAL;
686 goto out;
687 }
688 }
689
690 for (i=0; i < scb.sub.num_packages; i++) {
691 if (strcmp("Primary:Kerberos-Newer-Keys", scb.sub.packages[i].name) == 0) {
692 scpk = &scb.sub.packages[i];
693 if (!scpk->data || !scpk->data[0]) {
694 scpk = NULL;
695 continue;
696 }
697 break;
698 }
699 }
700 }
701 /*
702 * Primary:Kerberos-Newer-Keys element
703 * of supplementalCredentials
704 *
705 * The legacy Primary:Kerberos only contains
706 * single DES keys, which are completely ignored
707 * now.
708 */
709 if (scpk) {
710 DATA_BLOB blob;
711
712 blob = strhex_to_data_blob(mem_ctx, scpk->data);
713 if (!blob.data) {
714 ret = ENOMEM;
715 goto out;
716 }
717
718 /* we cannot use ndr_pull_struct_blob_all() here, as w2k and w2k3 add padding bytes */
719 ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, &_pkb,
720 (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
721 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
722 ret = EINVAL;
723 krb5_set_error_message(context, ret, "samba_kdc_message2entry_keys: could not parse package_PrimaryKerberosBlob");
724 krb5_warnx(context, "samba_kdc_message2entry_keys: could not parse package_PrimaryKerberosBlob");
725 goto out;
726 }
727
728 if (_pkb.version != 4) {
729 ret = EINVAL;
730 krb5_set_error_message(context, ret, "samba_kdc_message2entry_keys: Primary:Kerberos-Newer-Keys not version 4");
731 krb5_warnx(context, "samba_kdc_message2entry_keys: Primary:Kerberos-Newer-Keys not version 4");
732 goto out;
733 }
734
735 pkb4 = &_pkb.ctr.ctr4;
736 }
737
738 keys = (struct samba_kdc_user_keys) {
739 .kvno = current_kvno,
740 .supported_enctypes = supported_enctypes,
741 .nthash = hash,
742 .salt_string = pkb4 != NULL ? pkb4->salt.string : NULL,
743 .num_pkeys = pkb4 != NULL ? pkb4->num_keys : 0,
744 .pkeys = pkb4 != NULL ? pkb4->keys : NULL,
745 };
746
747 old_keys = (struct samba_kdc_user_keys) {
748 .kvno = old_kvno,
749 .supported_enctypes = supported_enctypes,
750 .nthash = old_hash,
751 .salt_string = pkb4 != NULL ? pkb4->salt.string : NULL,
752 .num_pkeys = pkb4 != NULL ? pkb4->num_old_keys : 0,
753 .pkeys = pkb4 != NULL ? pkb4->old_keys : NULL,
754 };
755 older_keys = (struct samba_kdc_user_keys) {
756 .kvno = older_kvno,
757 .supported_enctypes = supported_enctypes,
758 .nthash = older_hash,
759 .salt_string = pkb4 != NULL ? pkb4->salt.string : NULL,
760 .num_pkeys = pkb4 != NULL ? pkb4->num_older_keys : 0,
761 .pkeys = pkb4 != NULL ? pkb4->older_keys : NULL,
762 };
763
764 if (flags & SDB_F_KVNO_SPECIFIED) {
765 if (requested_kvno == keys.kvno) {
766 /*
767 * The current kvno was requested,
768 * so we return it.
769 */
770 keys.skeys = &entry->keys;
771 keys.available_enctypes = &available_enctypes;
772 keys.returned_kvno = &returned_kvno;
773 } else if (requested_kvno == 0) {
774 /*
775 * don't return any keys
776 */
777 } else if (requested_kvno == old_keys.kvno) {
778 /*
779 * return the old keys as default keys
780 * with the requested kvno.
781 */
782 old_keys.skeys = &entry->keys;
783 old_keys.available_enctypes = &available_enctypes;
784 old_keys.returned_kvno = &returned_kvno;
785 } else if (requested_kvno == older_keys.kvno) {
786 /*
787 * return the older keys as default keys
788 * with the requested kvno.
789 */
790 older_keys.skeys = &entry->keys;
791 older_keys.available_enctypes = &available_enctypes;
792 older_keys.returned_kvno = &returned_kvno;
793 } else {
794 /*
795 * don't return any keys
796 */
797 }
798 } else {
799 bool include_history = false;
800
801 if ((flags & SDB_F_GET_CLIENT) && (flags & SDB_F_FOR_AS_REQ)) {
802 include_history = true;
803 } else if (flags & SDB_F_ADMIN_DATA) {
804 include_history = true;
805 }
806
807 keys.skeys = &entry->keys;
808 keys.available_enctypes = &available_enctypes;
809 keys.returned_kvno = &returned_kvno;
810
811 if (include_history && old_keys.kvno != 0) {
812 old_keys.skeys = &entry->old_keys;
813 }
814 if (include_history && older_keys.kvno != 0) {
815 older_keys.skeys = &entry->older_keys;
816 }
817 }
818
819 if (keys.skeys != NULL) {
820 ret = samba_kdc_fill_user_keys(context, &keys);
821 if (ret != 0) {
822 goto out;
823 }
824 }
825
826 if (old_keys.skeys != NULL) {
827 ret = samba_kdc_fill_user_keys(context, &old_keys);
828 if (ret != 0) {
829 goto out;
830 }
831 }
832
833 if (older_keys.skeys != NULL) {
834 ret = samba_kdc_fill_user_keys(context, &older_keys);
835 if (ret != 0) {
836 goto out;
837 }
838 }
839
840 *supported_enctypes_out |= available_enctypes;
841
842 /* Set FAST support bits */
843 *supported_enctypes_out |= supported_enctypes & (ENC_FAST_SUPPORTED |
844 ENC_COMPOUND_IDENTITY_SUPPORTED |
845 ENC_CLAIMS_SUPPORTED);
846
847 if (is_krbtgt) {
848 /*
849 * Even for the main krbtgt account
850 * we have to strictly split the kvno into
851 * two 16-bit parts and the upper 16-bit
852 * need to be all zero, even if
853 * the msDS-KeyVersionNumber has a value
854 * larger than 65535.
855 *
856 * See https://bugzilla.samba.org/show_bug.cgi?id=14951
857 */
858 returned_kvno = SAMBA_KVNO_AND_KRBTGT(returned_kvno, krbtgt_number);
859 }
860 entry->kvno = returned_kvno;
861
862 out:
863 return ret;
864 }
865
866 static int principal_comp_strcmp_int(krb5_context context,
867 krb5_const_principal principal,
868 unsigned int component,
869 const char *string,
870 bool do_strcasecmp)
871 {
872 const char *p;
873
874 #if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING)
875 p = krb5_principal_get_comp_string(context, principal, component);
876 if (p == NULL) {
877 return -1;
878 }
879 if (do_strcasecmp) {
880 return strcasecmp(p, string);
881 } else {
882 return strcmp(p, string);
883 }
884 #else
885 size_t len;
886 krb5_data *d;
887 if (component >= krb5_princ_size(context, principal)) {
888 return -1;
889 }
890
891 d = krb5_princ_component(context, principal, component);
892 if (d == NULL) {
893 return -1;
894 }
895
896 p = d->data;
897
898 len = strlen(string);
899
900 /*
901 * We explicitly return -1 or 1. Subtracting of the two lengths might
902 * give the wrong result if the result overflows or loses data when
903 * narrowed to int.
904 */
905 if (d->length < len) {
906 return -1;
907 } else if (d->length > len) {
908 return 1;
909 }
910
911 if (do_strcasecmp) {
912 return strncasecmp(p, string, len);
913 } else {
914 return memcmp(p, string, len);
915 }
916 #endif
917 }
918
919 static int principal_comp_strcasecmp(krb5_context context,
920 krb5_const_principal principal,
921 unsigned int component,
922 const char *string)
923 {
924 return principal_comp_strcmp_int(context, principal,
925 component, string, true);
926 }
927
928 static int principal_comp_strcmp(krb5_context context,
929 krb5_const_principal principal,
930 unsigned int component,
931 const char *string)
932 {
933 return principal_comp_strcmp_int(context, principal,
934 component, string, false);
935 }
936
937 static bool is_kadmin_changepw(krb5_context context,
938 krb5_const_principal principal)
939 {
940 return krb5_princ_size(context, principal) == 2 &&
941 (principal_comp_strcmp(context, principal, 0, "kadmin") == 0) &&
942 (principal_comp_strcmp(context, principal, 1, "changepw") == 0);
943 }
944
945 static krb5_error_code samba_kdc_get_entry_principal(
946 krb5_context context,
947 struct samba_kdc_db_context *kdc_db_ctx,
948 const char *samAccountName,
949 enum samba_kdc_ent_type ent_type,
950 unsigned flags,
951 bool is_kadmin_changepw,
952 krb5_const_principal in_princ,
953 krb5_principal *out_princ)
954 {
955 struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
956 krb5_error_code code = 0;
957 bool canon = flags & (SDB_F_CANON|SDB_F_FORCE_CANON);
958
959 /*
960 * If we are set to canonicalize, we get back the fixed UPPER
961 * case realm, and the real username (ie matching LDAP
962 * samAccountName)
963 *
964 * Otherwise, if we are set to enterprise, we
965 * get back the whole principal as-sent
966 *
967 * Finally, if we are not set to canonicalize, we get back the
968 * fixed UPPER case realm, but the as-sent username
969 */
970
971 /*
972 * We need to ensure that the kadmin/changepw principal isn't able to
973 * issue krbtgt tickets, even if canonicalization is turned on.
974 */
975 if (!is_kadmin_changepw) {
976 if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT && canon) {
977 /*
978 * When requested to do so, ensure that the
979 * both realm values in the principal are set
980 * to the upper case, canonical realm
981 */
982 code = smb_krb5_make_principal(context,
983 out_princ,
984 lpcfg_realm(lp_ctx),
985 "krbtgt",
986 lpcfg_realm(lp_ctx),
987 NULL);
988 if (code != 0) {
989 return code;
990 }
991 smb_krb5_principal_set_type(context,
992 *out_princ,
993 KRB5_NT_SRV_INST);
994
995 return 0;
996 }
997
998 if ((canon && flags & (SDB_F_FORCE_CANON|SDB_F_FOR_AS_REQ)) ||
999 (ent_type == SAMBA_KDC_ENT_TYPE_ANY && in_princ == NULL)) {
1000 /*
1001 * SDB_F_CANON maps from the canonicalize flag in the
1002 * packet, and has a different meaning between AS-REQ
1003 * and TGS-REQ. We only change the principal in the
1004 * AS-REQ case.
1005 *
1006 * The SDB_F_FORCE_CANON if for new MIT KDC code that
1007 * wants the canonical name in all lookups, and takes
1008 * care to canonicalize only when appropriate.
1009 */
1010 code = smb_krb5_make_principal(context,
1011 out_princ,
1012 lpcfg_realm(lp_ctx),
1013 samAccountName,
1014 NULL);
1015 return code;
1016 }
1017 }
1018
1019 /*
1020 * For a krbtgt entry, this appears to be required regardless of the
1021 * canonicalize flag from the client.
1022 */
1023 code = krb5_copy_principal(context, in_princ, out_princ);
1024 if (code != 0) {
1025 return code;
1026 }
1027
1028 /*
1029 * While we have copied the client principal, tests show that Win2k3
1030 * returns the 'corrected' realm, not the client-specified realm. This
1031 * code attempts to replace the client principal's realm with the one
1032 * we determine from our records
1033 */
1034 code = smb_krb5_principal_set_realm(context,
1035 *out_princ,
1036 lpcfg_realm(lp_ctx));
1037
1038 return code;
1039 }
1040
1041 /*
1042 * Construct an hdb_entry from a directory entry.
1043 */
1044 static krb5_error_code samba_kdc_message2entry(krb5_context context,
1045 struct samba_kdc_db_context *kdc_db_ctx,
1046 TALLOC_CTX *mem_ctx,
1047 krb5_const_principal principal,
1048 enum samba_kdc_ent_type ent_type,
1049 unsigned flags,
1050 krb5_kvno kvno,
1051 struct ldb_dn *realm_dn,
1052 struct ldb_message *msg,
1053 struct sdb_entry *entry)
1054 {
1055 struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
1056 uint32_t userAccountControl;
1057 uint32_t msDS_User_Account_Control_Computed;
1058 krb5_error_code ret = 0;
1059 krb5_boolean is_computer = FALSE;
1060 struct samba_kdc_entry *p;
1061 NTTIME acct_expiry;
1062 NTSTATUS status;
1063 bool protected_user = false;
1064 uint32_t rid;
1065 bool is_krbtgt = false;
1066 bool is_rodc = false;
1067 struct ldb_message_element *objectclasses;
1068 struct ldb_val computer_val = data_blob_string_const("computer");
1069 uint32_t supported_enctypes
1070 = ldb_msg_find_attr_as_uint(msg,
1071 "msDS-SupportedEncryptionTypes",
1072 0);
1073 const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
1074
1075 ZERO_STRUCTP(entry);
1076
1077 if (ldb_msg_find_element(msg, "msDS-SecondaryKrbTgtNumber")) {
1078 is_rodc = true;
1079 }
1080
1081 if (!samAccountName) {
1082 ret = ENOENT;
1083 krb5_set_error_message(context, ret, "samba_kdc_message2entry: no samAccountName present");
1084 goto out;
1085 }
1086
1087 objectclasses = ldb_msg_find_element(msg, "objectClass");
1088
1089 if (objectclasses && ldb_msg_find_val(objectclasses, &computer_val)) {
1090 is_computer = TRUE;
1091 }
1092
1093 p = talloc_zero(mem_ctx, struct samba_kdc_entry);
1094 if (!p) {
1095 ret = ENOMEM;
1096 goto out;
1097 }
1098
1099 p->is_rodc = is_rodc;
1100 p->kdc_db_ctx = kdc_db_ctx;
1101 p->realm_dn = talloc_reference(p, realm_dn);
1102 if (!p->realm_dn) {
1103 ret = ENOMEM;
1104 goto out;
1105 }
1106
1107 talloc_set_destructor(p, samba_kdc_entry_destructor);
1108
1109 entry->skdc_entry = p;
1110
1111 userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
1112
1113 msDS_User_Account_Control_Computed
1114 = ldb_msg_find_attr_as_uint(msg,
1115 "msDS-User-Account-Control-Computed",
1116 UF_ACCOUNTDISABLE);
1117
1118 /*
1119 * This brings in the lockout flag, block the account if not
1120 * found. We need the weird UF_ACCOUNTDISABLE check because
1121 * we do not want to fail open if the value is not returned,
1122 * but 0 is a valid value (all OK)
1123 */
1124 if (msDS_User_Account_Control_Computed == UF_ACCOUNTDISABLE) {
1125 ret = EINVAL;
1126 krb5_set_error_message(context, ret, "samba_kdc_message2entry: "
1127 "no msDS-User-Account-Control-Computed present");
1128 goto out;
1129 } else {
1130 userAccountControl |= msDS_User_Account_Control_Computed;
1131 }
1132
1133 if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT) {
1134 p->is_krbtgt = true;
1135 }
1136
1137 /* First try and figure out the flags based on the userAccountControl */
1138 entry->flags = uf2SDBFlags(context, userAccountControl, ent_type);
1139
1140 /*
1141 * Take control of the returned principal here, rather than
1142 * allowing the Heimdal code to do it as we have specific
1143 * behaviour around the forced realm to honour
1144 */
1145 entry->flags.force_canonicalize = true;
1146
1147 /* Windows 2008 seems to enforce this (very sensible) rule by
1148 * default - don't allow offline attacks on a user's password
1149 * by asking for a ticket to them as a service (encrypted with
1150 * their probably patheticly insecure password) */
1151
1152 if (entry->flags.server
1153 && lpcfg_parm_bool(lp_ctx, NULL, "kdc", "require spn for service", true)) {
1154 if (!is_computer && !ldb_msg_find_attr_as_string(msg, "servicePrincipalName", NULL)) {
1155 entry->flags.server = 0;
1156 }
1157 }
1158
1159 /*
1160 * We restrict a 3-part SPN ending in my domain/realm to full
1161 * domain controllers.
1162 *
1163 * This avoids any cases where (eg) a demoted DC still has
1164 * these more restricted SPNs.
1165 */
1166 if (krb5_princ_size(context, principal) > 2) {
1167 char *third_part
1168 = smb_krb5_principal_get_comp_string(mem_ctx,
1169 context,
1170 principal,
1171 2);
1172 bool is_our_realm =
1173 lpcfg_is_my_domain_or_realm(lp_ctx,
1174 third_part);
1175 bool is_dc = userAccountControl &
1176 (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT);
1177 if (is_our_realm && !is_dc) {
1178 entry->flags.server = 0;
1179 }
1180 }
1181 /*
1182 * To give the correct type of error to the client, we must
1183 * not just return the entry without .server set, we must
1184 * pretend the principal does not exist. Otherwise we may
1185 * return ERR_POLICY instead of
1186 * KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
1187 */
1188 if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER && entry->flags.server == 0) {
1189 ret = SDB_ERR_NOENTRY;
1190 krb5_set_error_message(context, ret, "samba_kdc_message2entry: no servicePrincipalName present for this server, refusing with no-such-entry");
1191 goto out;
1192 }
1193 if (flags & SDB_F_ADMIN_DATA) {
1194 /* These (created_by, modified_by) parts of the entry are not relevant for Samba4's use
1195 * of the Heimdal KDC. They are stored in a the traditional
1196 * DB for audit purposes, and still form part of the structure
1197 * we must return */
1198
1199 /* use 'whenCreated' */
1200 entry->created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0);
1201 /* use 'kadmin' for now (needed by mit_samba) */
1202
1203 ret = smb_krb5_make_principal(context,
1204 &entry->created_by.principal,
1205 lpcfg_realm(lp_ctx), "kadmin", NULL);
1206 if (ret) {
1207 krb5_clear_error_message(context);
1208 goto out;
1209 }
1210
1211 entry->modified_by = (struct sdb_event *) malloc(sizeof(struct sdb_event));
1212 if (entry->modified_by == NULL) {
1213 ret = ENOMEM;
1214 krb5_set_error_message(context, ret, "malloc: out of memory");
1215 goto out;
1216 }
1217
1218 /* use 'whenChanged' */
1219 entry->modified_by->time = ldb_msg_find_krb5time_ldap_time(msg, "whenChanged", 0);
1220 /* use 'kadmin' for now (needed by mit_samba) */
1221 ret = smb_krb5_make_principal(context,
1222 &entry->modified_by->principal,
1223 lpcfg_realm(lp_ctx), "kadmin", NULL);
1224 if (ret) {
1225 krb5_clear_error_message(context);
1226 goto out;
1227 }
1228 }
1229
1230
1231 /* The lack of password controls etc applies to krbtgt by
1232 * virtue of being that particular RID */
1233 status = dom_sid_split_rid(NULL, samdb_result_dom_sid(mem_ctx, msg, "objectSid"), NULL, &rid);
1234
1235 if (!NT_STATUS_IS_OK(status)) {
1236 ret = EINVAL;
1237 goto out;
1238 }
1239
1240 if (rid == DOMAIN_RID_KRBTGT) {
1241 char *realm = NULL;
1242
1243 entry->valid_end = NULL;
1244 entry->pw_end = NULL;
1245
1246 entry->flags.invalid = 0;
1247 entry->flags.server = 1;
1248
1249 realm = smb_krb5_principal_get_realm(
1250 mem_ctx, context, principal);
1251 if (realm == NULL) {
1252 ret = ENOMEM;
1253 goto out;
1254 }
1255
1256 /* Don't mark all requests for the krbtgt/realm as
1257 * 'change password', as otherwise we could get into
1258 * trouble, and not enforce the password expirty.
1259 * Instead, only do it when request is for the kpasswd service */
1260 if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER &&
1261 is_kadmin_changepw(context, principal) &&
1262 lpcfg_is_my_domain_or_realm(lp_ctx, realm)) {
1263 entry->flags.change_pw = 1;
1264 }
1265
1266 TALLOC_FREE(realm);
1267
1268 entry->flags.client = 0;
1269 entry->flags.forwardable = 1;
1270 entry->flags.ok_as_delegate = 1;
1271 } else if (is_rodc) {
1272 /* The RODC krbtgt account is like the main krbtgt,
1273 * but it does not have a changepw or kadmin
1274 * service */
1275
1276 entry->valid_end = NULL;
1277 entry->pw_end = NULL;
1278
1279 /* Also don't allow the RODC krbtgt to be a client (it should not be needed) */
1280 entry->flags.client = 0;
1281 entry->flags.invalid = 0;
1282 entry->flags.server = 1;
1283
1284 entry->flags.client = 0;
1285 entry->flags.forwardable = 1;
1286 entry->flags.ok_as_delegate = 0;
1287 } else if (entry->flags.server && ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
1288 /* The account/password expiry only applies when the account is used as a
1289 * client (ie password login), not when used as a server */
1290
1291 /* Make very well sure we don't use this for a client,
1292 * it could bypass the password restrictions */
1293 entry->flags.client = 0;
1294
1295 entry->valid_end = NULL;
1296 entry->pw_end = NULL;
1297
1298 } else {
1299 NTTIME must_change_time
1300 = samdb_result_nttime(msg,
1301 "msDS-UserPasswordExpiryTimeComputed",
1302 0);
1303 if (must_change_time == 0x7FFFFFFFFFFFFFFFULL) {
1304 entry->pw_end = NULL;
1305 } else {
1306 entry->pw_end = malloc(sizeof(*entry->pw_end));
1307 if (entry->pw_end == NULL) {
1308 ret = ENOMEM;
1309 goto out;
1310 }
1311 *entry->pw_end = nt_time_to_unix(must_change_time);
1312 }
1313
1314 acct_expiry = samdb_result_account_expires(msg);
1315 if (acct_expiry == 0x7FFFFFFFFFFFFFFFULL) {
1316 entry->valid_end = NULL;
1317 } else {
1318 entry->valid_end = malloc(sizeof(*entry->valid_end));
1319 if (entry->valid_end == NULL) {
1320 ret = ENOMEM;
1321 goto out;
1322 }
1323 *entry->valid_end = nt_time_to_unix(acct_expiry);
1324 }
1325 }
1326
1327 ret = samba_kdc_get_entry_principal(context,
1328 kdc_db_ctx,
1329 samAccountName,
1330 ent_type,
1331 flags,
1332 entry->flags.change_pw,
1333 principal,
1334 &entry->principal);
1335 if (ret != 0) {
1336 krb5_clear_error_message(context);
1337 goto out;
1338 }
1339
1340 entry->valid_start = NULL;
1341
1342 entry->max_life = malloc(sizeof(*entry->max_life));
1343 if (entry->max_life == NULL) {
1344 ret = ENOMEM;
1345 goto out;
1346 }
1347
1348 if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
1349 *entry->max_life = kdc_db_ctx->policy.svc_tkt_lifetime;
1350 } else if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT || ent_type == SAMBA_KDC_ENT_TYPE_CLIENT) {
1351 *entry->max_life = kdc_db_ctx->policy.usr_tkt_lifetime;
1352 } else {
1353 *entry->max_life = MIN(kdc_db_ctx->policy.svc_tkt_lifetime,
1354 kdc_db_ctx->policy.usr_tkt_lifetime);
1355 }
1356
1357 if (entry->flags.change_pw) {
1358 /* Limit lifetime of kpasswd tickets to two minutes or less. */
1359 *entry->max_life = MIN(*entry->max_life, CHANGEPW_LIFETIME);
1360 }
1361
1362 entry->max_renew = malloc(sizeof(*entry->max_renew));
1363 if (entry->max_renew == NULL) {
1364 ret = ENOMEM;
1365 goto out;
1366 }
1367
1368 *entry->max_renew = kdc_db_ctx->policy.renewal_lifetime;
1369
1370 if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT && (flags & SDB_F_FOR_AS_REQ)) {
1371 int result;
1372 struct auth_user_info_dc *user_info_dc = NULL;
1373 /*
1374 * These protections only apply to clients, so servers in the
1375 * Protected Users group may still have service tickets to them
1376 * encrypted with RC4. For accounts looked up as servers, note
1377 * that 'msg' does not contain the 'memberOf' attribute for
1378 * determining whether the account is a member of Protected
1379 * Users.
1380 *
1381 * Additionally, Microsoft advises that accounts for services
1382 * and computers should never be members of Protected Users, or
1383 * they may fail to authenticate.
1384 */
1385 status = samba_kdc_get_user_info_from_db(p, msg, &user_info_dc);
1386 if (!NT_STATUS_IS_OK(status)) {
1387 ret = EINVAL;
1388 goto out;
1389 }
1390
1391 result = dsdb_is_protected_user(kdc_db_ctx->samdb,
1392 user_info_dc->sids,
1393 user_info_dc->num_sids);
1394 if (result == -1) {
1395 ret = EINVAL;
1396 goto out;
1397 }
1398
1399 protected_user = result;
1400
1401 if (protected_user) {
1402 *entry->max_life = MIN(*entry->max_life, 4 * 60 * 60);
1403 *entry->max_renew = MIN(*entry->max_renew, 4 * 60 * 60);
1404
1405 entry->flags.forwardable = 0;
1406 entry->flags.proxiable = 0;
1407 }
1408 }
1409
1410 if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
1411 bool enable_fast;
1412
1413 is_krbtgt = true;
1414
1415 /* KDCs (and KDCs on RODCs) use AES */
1416 supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
1417
1418 enable_fast = lpcfg_kdc_enable_fast(kdc_db_ctx->lp_ctx);
1419 if (enable_fast) {
1420 supported_enctypes |= ENC_FAST_SUPPORTED;
1421 }
1422 } else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) {
1423 /* DCs and RODCs comptuer accounts use AES */
1424 supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
1425 } else if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT ||
1426 (ent_type == SAMBA_KDC_ENT_TYPE_ANY)) {
1427 /* for AS-REQ the client chooses the enc types it
1428 * supports, and this will vary between computers a
1429 * user logs in from.
1430 *
1431 * likewise for 'any' return as much as is supported,
1432 * to export into a keytab */
1433 supported_enctypes = ENC_ALL_TYPES;
1434 }
1435
1436 /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
1437 if (userAccountControl & UF_USE_DES_KEY_ONLY) {
1438 supported_enctypes = 0;
1439 } else {
1440 /* Otherwise, add in the default enc types */
1441 supported_enctypes |= ENC_RC4_HMAC_MD5;
1442 }
1443
1444 if (protected_user) {
1445 supported_enctypes &= ~ENC_RC4_HMAC_MD5;
1446 }
1447
1448 /* Get keys from the db */
1449 ret = samba_kdc_message2entry_keys(context, p, msg,
1450 is_krbtgt, is_rodc,
1451 userAccountControl,
1452 ent_type, flags, kvno, entry,
1453 supported_enctypes,
1454 &supported_enctypes);
1455 if (ret) {
1456 /* Could be bogus data in the entry, or out of memory */
1457 goto out;
1458 }
1459
1460 if (entry->keys.len == 0) {
1461 if (kdc_db_ctx->rodc) {
1462 /*
1463 * We are on an RODC, but don't have keys for this
1464 * account. Signal this to the caller
1465 */
1466 auth_sam_trigger_repl_secret(kdc_db_ctx,
1467 kdc_db_ctx->msg_ctx,
1468 kdc_db_ctx->ev_ctx,
1469 msg->dn);
1470 return SDB_ERR_NOT_FOUND_HERE;
1471 }
1472
1473 /*
1474 * oh, no password. Apparently (comment in
1475 * hdb-ldap.c) this violates the ASN.1, but this
1476 * allows an entry with no keys (yet).
1477 */
1478 }
1479
1480 p->msg = talloc_steal(p, msg);
1481 p->supported_enctypes = supported_enctypes;
1482
1483 out:
1484 if (ret != 0) {
1485 /* This doesn't free ent itself, that is for the eventual caller to do */
1486 sdb_entry_free(entry);
1487 } else {
1488 talloc_steal(kdc_db_ctx, p);
1489 }
1490
1491 return ret;
1492 }
1493
1494 /*
1495 * Construct an hdb_entry from a directory entry.
1496 * The kvno is what the remote client asked for
1497 */
1498 static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
1499 struct samba_kdc_db_context *kdc_db_ctx,
1500 TALLOC_CTX *mem_ctx,
1501 enum trust_direction direction,
1502 struct ldb_dn *realm_dn,
1503 unsigned flags,
1504 uint32_t kvno,
1505 struct ldb_message *msg,
1506 struct sdb_entry *entry)
1507 {
1508 struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
1509 const char *our_realm = lpcfg_realm(lp_ctx);
1510 char *partner_realm = NULL;
1511 const char *realm = NULL;
1512 const char *krbtgt_realm = NULL;
1513 DATA_BLOB password_utf16 = data_blob_null;
1514 DATA_BLOB password_utf8 = data_blob_null;
1515 struct samr_Password _password_hash;
1516 const struct samr_Password *password_hash = NULL;
1517 const struct ldb_val *password_val;
1518 struct trustAuthInOutBlob password_blob;
1519 struct samba_kdc_entry *p;
1520 bool use_previous = false;
1521 uint32_t current_kvno;
1522 uint32_t previous_kvno;
1523 uint32_t num_keys = 0;
1524 enum ndr_err_code ndr_err;
1525 int ret;
1526 unsigned int i;
1527 struct AuthenticationInformationArray *auth_array;
1528 struct timeval tv;
1529 NTTIME an_hour_ago;
1530 uint32_t *auth_kvno;
1531 bool preferr_current = false;
1532 uint32_t supported_enctypes = ENC_RC4_HMAC_MD5;
1533 struct lsa_TrustDomainInfoInfoEx *tdo = NULL;
1534 NTSTATUS status;
1535
1536 ZERO_STRUCTP(entry);
1537
1538 if (dsdb_functional_level(kdc_db_ctx->samdb) >= DS_DOMAIN_FUNCTION_2008) {
1539 supported_enctypes = ldb_msg_find_attr_as_uint(msg,
1540 "msDS-SupportedEncryptionTypes",
1541 supported_enctypes);
1542 }
1543
1544 status = dsdb_trust_parse_tdo_info(mem_ctx, msg, &tdo);
1545 if (!NT_STATUS_IS_OK(status)) {
1546 krb5_clear_error_message(context);
1547 ret = ENOMEM;
1548 goto out;
1549 }
1550
1551 if (!(tdo->trust_direction & direction)) {
1552 krb5_clear_error_message(context);
1553 ret = SDB_ERR_NOENTRY;
1554 goto out;
1555 }
1556
1557 if (tdo->trust_type != LSA_TRUST_TYPE_UPLEVEL) {
1558 /*
1559 * Only UPLEVEL domains support kerberos here,
1560 * as we don't support LSA_TRUST_TYPE_MIT.
1561 */
1562 krb5_clear_error_message(context);
1563 ret = SDB_ERR_NOENTRY;
1564 goto out;
1565 }
1566
1567 if (tdo->trust_attributes & LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION) {
1568 /*
1569 * We don't support selective authentication yet.
1570 */
1571 krb5_clear_error_message(context);
1572 ret = SDB_ERR_NOENTRY;
1573 goto out;
1574 }
1575
1576 if (tdo->domain_name.string == NULL) {
1577 krb5_clear_error_message(context);
1578 ret = SDB_ERR_NOENTRY;
1579 goto out;
1580 }
1581 partner_realm = strupper_talloc(mem_ctx, tdo->domain_name.string);
1582 if (partner_realm == NULL) {
1583 krb5_clear_error_message(context);
1584 ret = ENOMEM;
1585 goto out;
1586 }
1587
1588 if (direction == INBOUND) {
1589 realm = our_realm;
1590 krbtgt_realm = partner_realm;
1591
1592 password_val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
1593 } else { /* OUTBOUND */
1594 realm = partner_realm;
1595 krbtgt_realm = our_realm;
1596
1597 password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
1598 }
1599
1600 if (password_val == NULL) {
1601 krb5_clear_error_message(context);
1602 ret = SDB_ERR_NOENTRY;
1603 goto out;
1604 }
1605
1606 ndr_err = ndr_pull_struct_blob(password_val, mem_ctx, &password_blob,
1607 (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
1608 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1609 krb5_clear_error_message(context);
1610 ret = EINVAL;
1611 goto out;
1612 }
1613
1614 p = talloc_zero(mem_ctx, struct samba_kdc_entry);
1615 if (!p) {
1616 ret = ENOMEM;
1617 goto out;
1618 }
1619
1620 p->is_trust = true;
1621 p->kdc_db_ctx = kdc_db_ctx;
1622 p->realm_dn = realm_dn;
1623 p->supported_enctypes = supported_enctypes;
1624
1625 talloc_set_destructor(p, samba_kdc_entry_destructor);
1626
1627 entry->skdc_entry = p;
1628
1629 /* use 'whenCreated' */
1630 entry->created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0);
1631 /* use 'kadmin' for now (needed by mit_samba) */
1632 ret = smb_krb5_make_principal(context,
1633 &entry->created_by.principal,
1634 realm, "kadmin", NULL);
1635 if (ret) {
1636 krb5_clear_error_message(context);
1637 goto out;
1638 }
1639
1640 /*
1641 * We always need to generate the canonicalized principal
1642 * with the values of our database.
1643 */
1644 ret = smb_krb5_make_principal(context, &entry->principal, realm,
1645 "krbtgt", krbtgt_realm, NULL);
1646 if (ret) {
1647 krb5_clear_error_message(context);
1648 goto out;
1649 }
1650 smb_krb5_principal_set_type(context, entry->principal,
1651 KRB5_NT_SRV_INST);
1652
1653 entry->valid_start = NULL;
1654
1655 /* we need to work out if we are going to use the current or
1656 * the previous password hash.
1657 * We base this on the kvno the client passes in. If the kvno
1658 * passed in is equal to the current kvno in our database then
1659 * we use the current structure. If it is the current kvno-1,
1660 * then we use the previous substrucure.
1661 */
1662
1663 /*
1664 * Windows preferrs the previous key for one hour.
1665 */
1666 tv = timeval_current();
1667 if (tv.tv_sec > 3600) {
1668 tv.tv_sec -= 3600;
1669 }
1670 an_hour_ago = timeval_to_nttime(&tv);
1671
1672 /* first work out the current kvno */
1673 current_kvno = 0;
1674 for (i=0; i < password_blob.count; i++) {
1675 struct AuthenticationInformation *a =
1676 &password_blob.current.array[i];
1677
1678 if (a->LastUpdateTime <= an_hour_ago) {
1679 preferr_current = true;
1680 }
1681
1682 if (a->AuthType == TRUST_AUTH_TYPE_VERSION) {
1683 current_kvno = a->AuthInfo.version.version;
1684 }
1685 }
1686 if (current_kvno == 0) {
1687 previous_kvno = 255;
1688 } else {
1689 previous_kvno = current_kvno - 1;
1690 }
1691 for (i=0; i < password_blob.count; i++) {
1692 struct AuthenticationInformation *a =
1693 &password_blob.previous.array[i];
1694
1695 if (a->AuthType == TRUST_AUTH_TYPE_VERSION) {
1696 previous_kvno = a->AuthInfo.version.version;
1697 }
1698 }
1699
1700 /* work out whether we will use the previous or current
1701 password */
1702 if (password_blob.previous.count == 0) {
1703 /* there is no previous password */
1704 use_previous = false;
1705 } else if (!(flags & SDB_F_KVNO_SPECIFIED)) {
1706 /*
1707 * If not specified we use the lowest kvno
1708 * for the first hour after an update.
1709 */
1710 if (preferr_current) {
1711 use_previous = false;
1712 } else if (previous_kvno < current_kvno) {
1713 use_previous = true;
1714 } else {
1715 use_previous = false;
1716 }
1717 } else if (kvno == current_kvno) {
1718 /*
1719 * Exact match ...
1720 */
1721 use_previous = false;
1722 } else if (kvno == previous_kvno) {
1723 /*
1724 * Exact match ...
1725 */
1726 use_previous = true;
1727 } else {
1728 /*
1729 * Fallback to the current one for anything else
1730 */
1731 use_previous = false;
1732 }
1733
1734 if (use_previous) {
1735 auth_array = &password_blob.previous;
1736 auth_kvno = &previous_kvno;
1737 } else {
1738 auth_array = &password_blob.current;
1739 auth_kvno = &current_kvno;
1740 }
1741
1742 /* use the kvno the client specified, if available */
1743 if (flags & SDB_F_KVNO_SPECIFIED) {
1744 entry->kvno = kvno;
1745 } else {
1746 entry->kvno = *auth_kvno;
1747 }
1748
1749 for (i=0; i < auth_array->count; i++) {
1750 if (auth_array->array[i].AuthType == TRUST_AUTH_TYPE_CLEAR) {
1751 bool ok;
1752
1753 password_utf16 = data_blob_const(auth_array->array[i].AuthInfo.clear.password,
1754 auth_array->array[i].AuthInfo.clear.size);
1755 if (password_utf16.length == 0) {
1756 break;
1757 }
1758
1759 if (supported_enctypes & ENC_RC4_HMAC_MD5) {
1760 mdfour(_password_hash.hash, password_utf16.data, password_utf16.length);
1761 if (password_hash == NULL) {
1762 num_keys += 1;
1763 }
1764 password_hash = &_password_hash;
1765 }
1766
1767 if (!(supported_enctypes & (ENC_HMAC_SHA1_96_AES128|ENC_HMAC_SHA1_96_AES256))) {
1768 break;
1769 }
1770
1771 ok = convert_string_talloc(mem_ctx,
1772 CH_UTF16MUNGED, CH_UTF8,
1773 password_utf16.data,
1774 password_utf16.length,
1775 (void *)&password_utf8.data,
1776 &password_utf8.length);
1777 if (!ok) {
1778 krb5_clear_error_message(context);
1779 ret = ENOMEM;
1780 goto out;
1781 }
1782
1783 if (supported_enctypes & ENC_HMAC_SHA1_96_AES128) {
1784 num_keys += 1;
1785 }
1786 if (supported_enctypes & ENC_HMAC_SHA1_96_AES256) {
1787 num_keys += 1;
1788 }
1789 break;
1790 } else if (auth_array->array[i].AuthType == TRUST_AUTH_TYPE_NT4OWF) {
1791 if (supported_enctypes & ENC_RC4_HMAC_MD5) {
1792 password_hash = &auth_array->array[i].AuthInfo.nt4owf.password;
1793 num_keys += 1;
1794 }
1795 }
1796 }
1797
1798 /* Must have found a cleartext or MD4 password */
1799 if (num_keys == 0) {
1800 DEBUG(1,(__location__ ": no usable key found\n"));
1801 krb5_clear_error_message(context);
1802 ret = SDB_ERR_NOENTRY;
1803 goto out;
1804 }
1805
1806 entry->keys.val = calloc(num_keys, sizeof(struct sdb_key));
1807 if (entry->keys.val == NULL) {
1808 krb5_clear_error_message(context);
1809 ret = ENOMEM;
1810 goto out;
1811 }
1812
1813 if (password_utf8.length != 0) {
1814 struct sdb_key key = {};
1815 krb5_const_principal salt_principal = entry->principal;
1816 krb5_data salt;
1817 krb5_data cleartext_data;
1818
1819 cleartext_data.data = discard_const_p(char, password_utf8.data);
1820 cleartext_data.length = password_utf8.length;
1821
1822 ret = smb_krb5_get_pw_salt(context,
1823 salt_principal,
1824 &salt);
1825 if (ret != 0) {
1826 goto out;
1827 }
1828
1829 if (supported_enctypes & ENC_HMAC_SHA1_96_AES256) {
1830 ret = smb_krb5_create_key_from_string(context,
1831 salt_principal,
1832 &salt,
1833 &cleartext_data,
1834 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
1835 &key.key);
1836 if (ret != 0) {
1837 smb_krb5_free_data_contents(context, &salt);
1838 goto out;
1839 }
1840
1841 entry->keys.val[entry->keys.len] = key;
1842 entry->keys.len++;
1843 }
1844
1845 if (supported_enctypes & ENC_HMAC_SHA1_96_AES128) {
1846 ret = smb_krb5_create_key_from_string(context,
1847 salt_principal,
1848 &salt,
1849 &cleartext_data,
1850 ENCTYPE_AES128_CTS_HMAC_SHA1_96,
1851 &key.key);
1852 if (ret != 0) {
1853 smb_krb5_free_data_contents(context, &salt);
1854 goto out;
1855 }
1856
1857 entry->keys.val[entry->keys.len] = key;
1858 entry->keys.len++;
1859 }
1860
1861 smb_krb5_free_data_contents(context, &salt);
1862 }
1863
1864 if (password_hash != NULL) {
1865 struct sdb_key key = {};
1866
1867 ret = smb_krb5_keyblock_init_contents(context,
1868 ENCTYPE_ARCFOUR_HMAC,
1869 password_hash->hash,
1870 sizeof(password_hash->hash),
1871 &key.key);
1872 if (ret != 0) {
1873 goto out;
1874 }
1875
1876 entry->keys.val[entry->keys.len] = key;
1877 entry->keys.len++;
1878 }
1879
1880 entry->flags = int2SDBFlags(0);
1881 entry->flags.immutable = 1;
1882 entry->flags.invalid = 0;
1883 entry->flags.server = 1;
1884 entry->flags.require_preauth = 1;
1885
1886 entry->pw_end = NULL;
1887
1888 entry->max_life = NULL;
1889
1890 entry->max_renew = NULL;
1891
1892 /* Match Windows behavior and allow forwardable flag in cross-realm. */
1893 entry->flags.forwardable = 1;
1894
1895 samba_kdc_sort_keys(&entry->keys);
1896
1897 p->msg = talloc_steal(p, msg);
1898
1899 out:
1900 TALLOC_FREE(partner_realm);
1901
1902 if (ret != 0) {
1903 /* This doesn't free ent itself, that is for the eventual caller to do */
1904 sdb_entry_free(entry);
1905 } else {
1906 talloc_steal(kdc_db_ctx, p);
1907 }
1908
1909 return ret;
1910
1911 }
1912
1913 static krb5_error_code samba_kdc_lookup_trust(krb5_context context, struct ldb_context *ldb_ctx,
1914 TALLOC_CTX *mem_ctx,
1915 const char *realm,
1916 struct ldb_dn *realm_dn,
1917 struct ldb_message **pmsg)
1918 {
1919 NTSTATUS status;
1920 const char * const *attrs = trust_attrs;
1921
1922 status = dsdb_trust_search_tdo(ldb_ctx, realm, realm,
1923 attrs, mem_ctx, pmsg);
1924 if (NT_STATUS_IS_OK(status)) {
1925 return 0;
1926 } else if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
1927 return SDB_ERR_NOENTRY;
1928 } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
1929 int ret = ENOMEM;
1930 krb5_set_error_message(context, ret, "get_sam_result_trust: out of memory");
1931 return ret;
1932 } else {
1933 int ret = EINVAL;
1934 krb5_set_error_message(context, ret, "get_sam_result_trust: %s", nt_errstr(status));
1935 return ret;
1936 }
1937 }
1938
1939 static krb5_error_code samba_kdc_lookup_client(krb5_context context,
1940 struct samba_kdc_db_context *kdc_db_ctx,
1941 TALLOC_CTX *mem_ctx,
1942 krb5_const_principal principal,
1943 const char **attrs,
1944 struct ldb_dn **realm_dn,
1945 struct ldb_message **msg)
1946 {
1947 NTSTATUS nt_status;
1948 char *principal_string = NULL;
1949
1950 if (smb_krb5_principal_get_type(context, principal) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
1951 principal_string = smb_krb5_principal_get_comp_string(mem_ctx, context,
1952 principal, 0);
1953 if (principal_string == NULL) {
1954 return ENOMEM;
1955 }
1956 } else {
1957 char *principal_string_m = NULL;
1958 krb5_error_code ret;
1959
1960 ret = krb5_unparse_name(context, principal, &principal_string_m);
1961 if (ret != 0) {
1962 return ret;
1963 }
1964
1965 principal_string = talloc_strdup(mem_ctx, principal_string_m);
1966 SAFE_FREE(principal_string_m);
1967 if (principal_string == NULL) {
1968 return ENOMEM;
1969 }
1970 }
1971
1972 nt_status = sam_get_results_principal(kdc_db_ctx->samdb,
1973 mem_ctx, principal_string, attrs,
1974 realm_dn, msg);
1975 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
1976 krb5_principal fallback_principal = NULL;
1977 unsigned int num_comp;
1978 char *fallback_realm = NULL;
1979 char *fallback_account = NULL;
1980 krb5_error_code ret;
1981
1982 ret = krb5_parse_name(context, principal_string,
1983 &fallback_principal);
1984 TALLOC_FREE(principal_string);
1985 if (ret != 0) {
1986 return ret;
1987 }
1988
1989 num_comp = krb5_princ_size(context, fallback_principal);
1990 fallback_realm = smb_krb5_principal_get_realm(
1991 mem_ctx, context, fallback_principal);
1992 if (fallback_realm == NULL) {
1993 krb5_free_principal(context, fallback_principal);
1994 return ENOMEM;
1995 }
1996
1997 if (num_comp == 1) {
1998 size_t len;
1999
2000 fallback_account = smb_krb5_principal_get_comp_string(mem_ctx,
2001 context, fallback_principal, 0);
2002 if (fallback_account == NULL) {
2003 krb5_free_principal(context, fallback_principal);
2004 TALLOC_FREE(fallback_realm);
2005 return ENOMEM;
2006 }
2007
2008 len = strlen(fallback_account);
2009 if (len >= 2 && fallback_account[len - 1] == '$') {
2010 TALLOC_FREE(fallback_account);
2011 }
2012 }
2013 krb5_free_principal(context, fallback_principal);
2014 fallback_principal = NULL;
2015
2016 if (fallback_account != NULL) {
2017 char *with_dollar;
2018
2019 with_dollar = talloc_asprintf(mem_ctx, "%s$",
2020 fallback_account);
2021 if (with_dollar == NULL) {
2022 TALLOC_FREE(fallback_realm);
2023 return ENOMEM;
2024 }
2025 TALLOC_FREE(fallback_account);
2026
2027 ret = smb_krb5_make_principal(context,
2028 &fallback_principal,
2029 fallback_realm,
2030 with_dollar, NULL);
2031 TALLOC_FREE(with_dollar);
2032 if (ret != 0) {
2033 TALLOC_FREE(fallback_realm);
2034 return ret;
2035 }
2036 }
2037 TALLOC_FREE(fallback_realm);
2038
2039 if (fallback_principal != NULL) {
2040 char *fallback_string = NULL;
2041
2042 ret = krb5_unparse_name(context,
2043 fallback_principal,
2044 &fallback_string);
2045 if (ret != 0) {
2046 krb5_free_principal(context, fallback_principal);
2047 return ret;
2048 }
2049
2050 nt_status = sam_get_results_principal(kdc_db_ctx->samdb,
2051 mem_ctx,
2052 fallback_string,
2053 attrs,
2054 realm_dn, msg);
2055 SAFE_FREE(fallback_string);
2056 }
2057 krb5_free_principal(context, fallback_principal);
2058 fallback_principal = NULL;
2059 }
2060 TALLOC_FREE(principal_string);
2061
2062 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
2063 return SDB_ERR_NOENTRY;
2064 } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
2065 return ENOMEM;
2066 } else if (!NT_STATUS_IS_OK(nt_status)) {
2067 return EINVAL;
2068 }
2069
2070 return 0;
2071 }
2072
2073 static krb5_error_code samba_kdc_fetch_client(krb5_context context,
2074 struct samba_kdc_db_context *kdc_db_ctx,
2075 TALLOC_CTX *mem_ctx,
2076 krb5_const_principal principal,
2077 unsigned flags,
2078 krb5_kvno kvno,
2079 struct sdb_entry *entry)
2080 {
2081 struct ldb_dn *realm_dn;
2082 krb5_error_code ret;
2083 struct ldb_message *msg = NULL;
2084
2085 ret = samba_kdc_lookup_client(context, kdc_db_ctx,
2086 mem_ctx, principal, user_attrs,
2087 &realm_dn, &msg);
2088 if (ret != 0) {
2089 return ret;
2090 }
2091
2092 ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
2093 principal, SAMBA_KDC_ENT_TYPE_CLIENT,
2094 flags, kvno,
2095 realm_dn, msg, entry);
2096 return ret;
2097 }
2098
2099 static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
2100 struct samba_kdc_db_context *kdc_db_ctx,
2101 TALLOC_CTX *mem_ctx,
2102 krb5_const_principal principal,
2103 unsigned flags,
2104 uint32_t kvno,
2105 struct sdb_entry *entry)
2106 {
2107 struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
2108 krb5_error_code ret;
2109 struct ldb_message *msg = NULL;
2110 struct ldb_dn *realm_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
2111 char *realm_from_princ;
2112 char *realm_princ_comp = smb_krb5_principal_get_comp_string(mem_ctx, context, principal, 1);
2113
2114 realm_from_princ = smb_krb5_principal_get_realm(
2115 mem_ctx, context, principal);
2116 if (realm_from_princ == NULL) {
2117 /* can't happen */
2118 return SDB_ERR_NOENTRY;
2119 }
2120
2121 if (krb5_princ_size(context, principal) != 2
2122 || (principal_comp_strcmp(context, principal, 0, KRB5_TGS_NAME) != 0)) {
2123 /* Not a krbtgt */
2124 return SDB_ERR_NOENTRY;
2125 }
2126
2127 /* krbtgt case. Either us or a trusted realm */
2128
2129 if (lpcfg_is_my_domain_or_realm(lp_ctx, realm_from_princ)
2130 && lpcfg_is_my_domain_or_realm(lp_ctx, realm_princ_comp)) {
2131 /* us, or someone quite like us */
2132 /* Cludge, cludge cludge. If the realm part of krbtgt/realm,
2133 * is in our db, then direct the caller at our primary
2134 * krbtgt */
2135
2136 int lret;
2137 unsigned int krbtgt_number;
2138 /* w2k8r2 sometimes gives us a kvno of 255 for inter-domain
2139 trust tickets. We don't yet know what this means, but we do
2140 seem to need to treat it as unspecified */
2141 if (flags & SDB_F_KVNO_SPECIFIED) {
2142 krbtgt_number = SAMBA_KVNO_GET_KRBTGT(kvno);
2143 if (kdc_db_ctx->rodc) {
2144 if (krbtgt_number != kdc_db_ctx->my_krbtgt_number) {
2145 return SDB_ERR_NOT_FOUND_HERE;
2146 }
2147 }
2148 } else {
2149 krbtgt_number = kdc_db_ctx->my_krbtgt_number;
2150 }
2151
2152 if (krbtgt_number == kdc_db_ctx->my_krbtgt_number) {
2153 lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx,
2154 &msg, kdc_db_ctx->krbtgt_dn, LDB_SCOPE_BASE,
2155 krbtgt_attrs, DSDB_SEARCH_NO_GLOBAL_CATALOG,
2156 "(objectClass=user)");
2157 } else {
2158 /* We need to look up an RODC krbtgt (perhaps
2159 * ours, if we are an RODC, perhaps another
2160 * RODC if we are a read-write DC */
2161 lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx,
2162 &msg, realm_dn, LDB_SCOPE_SUBTREE,
2163 krbtgt_attrs,
2164 DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
2165 "(&(objectClass=user)(msDS-SecondaryKrbTgtNumber=%u))", (unsigned)(krbtgt_number));
2166 }
2167
2168 if (lret == LDB_ERR_NO_SUCH_OBJECT) {
2169 krb5_warnx(context, "samba_kdc_fetch: could not find KRBTGT number %u in DB!",
2170 (unsigned)(krbtgt_number));
2171 krb5_set_error_message(context, SDB_ERR_NOENTRY,
2172 "samba_kdc_fetch: could not find KRBTGT number %u in DB!",
2173 (unsigned)(krbtgt_number));
2174 return SDB_ERR_NOENTRY;
2175 } else if (lret != LDB_SUCCESS) {
2176 krb5_warnx(context, "samba_kdc_fetch: could not find KRBTGT number %u in DB!",
2177 (unsigned)(krbtgt_number));
2178 krb5_set_error_message(context, SDB_ERR_NOENTRY,
2179 "samba_kdc_fetch: could not find KRBTGT number %u in DB!",
2180 (unsigned)(krbtgt_number));
2181 return SDB_ERR_NOENTRY;
2182 }
2183
2184 ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
2185 principal, SAMBA_KDC_ENT_TYPE_KRBTGT,
2186 flags, kvno, realm_dn, msg, entry);
2187 if (ret != 0) {
2188 krb5_warnx(context, "samba_kdc_fetch: self krbtgt message2entry failed");
2189 }
2190 return ret;
2191
2192 } else {
2193 enum trust_direction direction = UNKNOWN;
2194 const char *realm = NULL;
2195
2196 /* Either an inbound or outbound trust */
2197
2198 if (strcasecmp(lpcfg_realm(lp_ctx), realm_from_princ) == 0) {
2199 /* look for inbound trust */
2200 direction = INBOUND;
2201 realm = realm_princ_comp;
2202 } else if (principal_comp_strcasecmp(context, principal, 1, lpcfg_realm(lp_ctx)) == 0) {
2203 /* look for outbound trust */
2204 direction = OUTBOUND;
2205 realm = realm_from_princ;
2206 } else {
2207 krb5_warnx(context, "samba_kdc_fetch: not our realm for trusts ('%s', '%s')",
2208 realm_from_princ,
2209 realm_princ_comp);
2210 krb5_set_error_message(context, SDB_ERR_NOENTRY, "samba_kdc_fetch: not our realm for trusts ('%s', '%s')",
2211 realm_from_princ,
2212 realm_princ_comp);
2213 return SDB_ERR_NOENTRY;
2214 }
2215
2216 /* Trusted domains are under CN=system */
2217
2218 ret = samba_kdc_lookup_trust(context, kdc_db_ctx->samdb,
2219 mem_ctx,
2220 realm, realm_dn, &msg);
2221
2222 if (ret != 0) {
2223 krb5_warnx(context, "samba_kdc_fetch: could not find principal in DB");
2224 krb5_set_error_message(context, ret, "samba_kdc_fetch: could not find principal in DB");
2225 return ret;
2226 }
2227
2228 ret = samba_kdc_trust_message2entry(context, kdc_db_ctx, mem_ctx,
2229 direction,
2230 realm_dn, flags, kvno, msg, entry);
2231 if (ret != 0) {
2232 krb5_warnx(context, "samba_kdc_fetch: trust_message2entry failed for %s",
2233 ldb_dn_get_linearized(msg->dn));
2234 krb5_set_error_message(context, ret, "samba_kdc_fetch: "
2235 "trust_message2entry failed for %s",
2236 ldb_dn_get_linearized(msg->dn));
2237 }
2238 return ret;
2239 }
2240
2241 }
2242
2243 static krb5_error_code samba_kdc_lookup_server(krb5_context context,
2244 struct samba_kdc_db_context *kdc_db_ctx,
2245 TALLOC_CTX *mem_ctx,
2246 krb5_const_principal principal,
2247 unsigned flags,
2248 const char **attrs,
2249 struct ldb_dn **realm_dn,
2250 struct ldb_message **msg)
2251 {
2252 krb5_error_code ret;
2253 if ((smb_krb5_principal_get_type(context, principal) != KRB5_NT_ENTERPRISE_PRINCIPAL)
2254 && krb5_princ_size(context, principal) >= 2) {
2255 /* 'normal server' case */
2256 int ldb_ret;
2257 NTSTATUS nt_status;
2258 struct ldb_dn *user_dn;
2259 char *principal_string;
2260
2261 ret = krb5_unparse_name_flags(context, principal,
2262 KRB5_PRINCIPAL_UNPARSE_NO_REALM,
2263 &principal_string);
2264 if (ret != 0) {
2265 return ret;
2266 }
2267
2268 /* At this point we may find the host is known to be
2269 * in a different realm, so we should generate a
2270 * referral instead */
2271 nt_status = crack_service_principal_name(kdc_db_ctx->samdb,
2272 mem_ctx, principal_string,
2273 &user_dn, realm_dn);
2274 free(principal_string);
2275
2276 if (!NT_STATUS_IS_OK(nt_status)) {
2277 return SDB_ERR_NOENTRY;
2278 }
2279
2280 ldb_ret = dsdb_search_one(kdc_db_ctx->samdb,
2281 mem_ctx,
2282 msg, user_dn, LDB_SCOPE_BASE,
2283 attrs,
2284 DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
2285 "(objectClass=*)");
2286 if (ldb_ret != LDB_SUCCESS) {
2287 return SDB_ERR_NOENTRY;
2288 }
2289 return 0;
2290 } else if (!(flags & SDB_F_FOR_AS_REQ)
2291 && smb_krb5_principal_get_type(context, principal) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
2292 /*
2293 * The behaviour of accepting an
2294 * KRB5_NT_ENTERPRISE_PRINCIPAL server principal
2295 * containing a UPN only applies to TGS-REQ packets,
2296 * not AS-REQ packets.
2297 */
2298 return samba_kdc_lookup_client(context, kdc_db_ctx,
2299 mem_ctx, principal, attrs,
2300 realm_dn, msg);
2301 } else {
2302 /*
2303 * This case is for:
2304 * - the AS-REQ, where we only accept
2305 * samAccountName based lookups for the server, no
2306 * matter if the name is an
2307 * KRB5_NT_ENTERPRISE_PRINCIPAL or not
2308 * - for the TGS-REQ when we are not given an
2309 * KRB5_NT_ENTERPRISE_PRINCIPAL, which also must
2310 * only lookup samAccountName based names.
2311 */
2312 int lret;
2313 char *short_princ;
2314 krb5_principal enterprise_principal = NULL;
2315 krb5_const_principal used_principal = NULL;
2316 char *name1 = NULL;
2317 size_t len1 = 0;
2318 char *filter = NULL;
2319
2320 if (smb_krb5_principal_get_type(context, principal) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
2321 char *str = NULL;
2322 /* Need to reparse the enterprise principal to find the real target */
2323 if (krb5_princ_size(context, principal) != 1) {
2324 ret = KRB5_PARSE_MALFORMED;
2325 krb5_set_error_message(context, ret, "samba_kdc_lookup_server: request for an "
2326 "enterprise principal with wrong (%d) number of components",
2327 krb5_princ_size(context, principal));
2328 return ret;
2329 }
2330 str = smb_krb5_principal_get_comp_string(mem_ctx, context, principal, 0);
2331 if (str == NULL) {
2332 return KRB5_PARSE_MALFORMED;
2333 }
2334 ret = krb5_parse_name(context, str,
2335 &enterprise_principal);
2336 talloc_free(str);
2337 if (ret) {
2338 return ret;
2339 }
2340 used_principal = enterprise_principal;
2341 } else {
2342 used_principal = principal;
2343 }
2344
2345 /* server as client principal case, but we must not lookup userPrincipalNames */
2346 *realm_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
2347
2348 /* TODO: Check if it is our realm, otherwise give referral */
2349
2350 ret = krb5_unparse_name_flags(context, used_principal,
2351 KRB5_PRINCIPAL_UNPARSE_NO_REALM |
2352 KRB5_PRINCIPAL_UNPARSE_DISPLAY,
2353 &short_princ);
2354 used_principal = NULL;
2355 krb5_free_principal(context, enterprise_principal);
2356 enterprise_principal = NULL;
2357
2358 if (ret != 0) {
2359 krb5_set_error_message(context, ret, "samba_kdc_lookup_principal: could not parse principal");
2360 krb5_warnx(context, "samba_kdc_lookup_principal: could not parse principal");
2361 return ret;
2362 }
2363
2364 name1 = ldb_binary_encode_string(mem_ctx, short_princ);
2365 SAFE_FREE(short_princ);
2366 if (name1 == NULL) {
2367 return ENOMEM;
2368 }
2369 len1 = strlen(name1);
2370 if (len1 >= 1 && name1[len1 - 1] != '$') {
2371 filter = talloc_asprintf(mem_ctx,
2372 "(&(objectClass=user)(|(samAccountName=%s)(samAccountName=%s$)))",
2373 name1, name1);
2374 if (filter == NULL) {
2375 return ENOMEM;
2376 }
2377 } else {
2378 filter = talloc_asprintf(mem_ctx,
2379 "(&(objectClass=user)(samAccountName=%s))",
2380 name1);
2381 if (filter == NULL) {
2382 return ENOMEM;
2383 }
2384 }
2385
2386 lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx, msg,
2387 *realm_dn, LDB_SCOPE_SUBTREE,
2388 attrs,
2389 DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
2390 "%s", filter);
2391 if (lret == LDB_ERR_NO_SUCH_OBJECT) {
2392 DEBUG(10, ("Failed to find an entry for %s filter:%s\n",
2393 name1, filter));
2394 return SDB_ERR_NOENTRY;
2395 }
2396 if (lret == LDB_ERR_CONSTRAINT_VIOLATION) {
2397 DEBUG(10, ("Failed to find unique entry for %s filter:%s\n",
2398 name1, filter));
2399 return SDB_ERR_NOENTRY;
2400 }
2401 if (lret != LDB_SUCCESS) {
2402 DEBUG(0, ("Failed single search for %s - %s\n",
2403 name1, ldb_errstring(kdc_db_ctx->samdb)));
2404 return SDB_ERR_NOENTRY;
2405 }
2406 return 0;
2407 }
2408 return SDB_ERR_NOENTRY;
2409 }
2410
2411
2412
2413 static krb5_error_code samba_kdc_fetch_server(krb5_context context,
2414 struct samba_kdc_db_context *kdc_db_ctx,
2415 TALLOC_CTX *mem_ctx,
2416 krb5_const_principal principal,
2417 unsigned flags,
2418 krb5_kvno kvno,
2419 struct sdb_entry *entry)
2420 {
2421 krb5_error_code ret;
2422 struct ldb_dn *realm_dn;
2423 struct ldb_message *msg;
2424
2425 ret = samba_kdc_lookup_server(context, kdc_db_ctx, mem_ctx, principal,
2426 flags, server_attrs, &realm_dn, &msg);
2427 if (ret != 0) {
2428 return ret;
2429 }
2430
2431 ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
2432 principal, SAMBA_KDC_ENT_TYPE_SERVER,
2433 flags, kvno,
2434 realm_dn, msg, entry);
2435 if (ret != 0) {
2436 char *client_name = NULL;
2437 krb5_error_code code;
2438
2439 code = krb5_unparse_name(context, principal, &client_name);
2440 if (code == 0) {
2441 krb5_warnx(context,
2442 "samba_kdc_fetch: message2entry failed for "
2443 "%s",
2444 client_name);
2445 } else {
2446 krb5_warnx(context,
2447 "samba_kdc_fetch: message2entry and "
2448 "krb5_unparse_name failed");
2449 }
2450 SAFE_FREE(client_name);
2451 }
2452
2453 return ret;
2454 }
2455
2456 static krb5_error_code samba_kdc_lookup_realm(krb5_context context,
2457 struct samba_kdc_db_context *kdc_db_ctx,
2458 TALLOC_CTX *mem_ctx,
2459 krb5_const_principal principal,
2460 unsigned flags,
2461 struct sdb_entry *entry)
2462 {
2463 TALLOC_CTX *frame = talloc_stackframe();
2464 NTSTATUS status;
2465 krb5_error_code ret;
2466 bool check_realm = false;
2467 const char *realm = NULL;
2468 struct dsdb_trust_routing_table *trt = NULL;
2469 const struct lsa_TrustDomainInfoInfoEx *tdo = NULL;
2470 unsigned int num_comp;
2471 bool ok;
2472 char *upper = NULL;
2473
2474 num_comp = krb5_princ_size(context, principal);
2475
2476 if (flags & SDB_F_GET_CLIENT) {
2477 if (flags & SDB_F_FOR_AS_REQ) {
2478 check_realm = true;
2479 }
2480 }
2481 if (flags & SDB_F_GET_SERVER) {
2482 if (flags & SDB_F_FOR_TGS_REQ) {
2483 check_realm = true;
2484 }
2485 }
2486
2487 if (!check_realm) {
2488 TALLOC_FREE(frame);
2489 return 0;
2490 }
2491
2492 realm = smb_krb5_principal_get_realm(frame, context, principal);
2493 if (realm == NULL) {
2494 TALLOC_FREE(frame);
2495 return ENOMEM;
2496 }
2497
2498 /*
2499 * The requested realm needs to be our own
2500 */
2501 ok = lpcfg_is_my_domain_or_realm(kdc_db_ctx->lp_ctx, realm);
2502 if (!ok) {
2503 /*
2504 * The request is not for us...
2505 */
2506 TALLOC_FREE(frame);
2507 return SDB_ERR_NOENTRY;
2508 }
2509
2510 if (smb_krb5_principal_get_type(context, principal) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
2511 char *principal_string = NULL;
2512 krb5_principal enterprise_principal = NULL;
2513 char *enterprise_realm = NULL;
2514
2515 if (num_comp != 1) {
2516 TALLOC_FREE(frame);
2517 return SDB_ERR_NOENTRY;
2518 }
2519
2520 principal_string = smb_krb5_principal_get_comp_string(frame, context,
2521 principal, 0);
2522 if (principal_string == NULL) {
2523 TALLOC_FREE(frame);
2524 return ENOMEM;
2525 }
2526
2527 ret = krb5_parse_name(context, principal_string,
2528 &enterprise_principal);
2529 TALLOC_FREE(principal_string);
2530 if (ret) {
2531 TALLOC_FREE(frame);
2532 return ret;
2533 }
2534
2535 enterprise_realm = smb_krb5_principal_get_realm(
2536 frame, context, enterprise_principal);
2537 krb5_free_principal(context, enterprise_principal);
2538 if (enterprise_realm != NULL) {
2539 realm = enterprise_realm;
2540 }
2541 }
2542
2543 if (flags & SDB_F_GET_SERVER) {
2544 char *service_realm = NULL;
2545
2546 ret = principal_comp_strcmp(context, principal, 0, KRB5_TGS_NAME);
2547 if (ret == 0) {
2548 /*
2549 * we need to search krbtgt/ locally
2550 */
2551 TALLOC_FREE(frame);
2552 return 0;
2553 }
2554
2555 /*
2556 * We need to check the last component against the routing table.
2557 *
2558 * Note this works only with 2 or 3 component principals, e.g:
2559 *
2560 * servicePrincipalName: ldap/W2K8R2-219.bla.base
2561 * servicePrincipalName: ldap/W2K8R2-219.bla.base/bla.base
2562 * servicePrincipalName: ldap/W2K8R2-219.bla.base/ForestDnsZones.bla.base
2563 * servicePrincipalName: ldap/W2K8R2-219.bla.base/DomainDnsZones.bla.base
2564 */
2565
2566 if (num_comp == 2 || num_comp == 3) {
2567 service_realm = smb_krb5_principal_get_comp_string(frame,
2568 context,
2569 principal,
2570 num_comp - 1);
2571 }
2572
2573 if (service_realm != NULL) {
2574 realm = service_realm;
2575 }
2576 }
2577
2578 ok = lpcfg_is_my_domain_or_realm(kdc_db_ctx->lp_ctx, realm);
2579 if (ok) {
2580 /*
2581 * skip the expensive routing lookup
2582 */
2583 TALLOC_FREE(frame);
2584 return 0;
2585 }
2586
2587 status = dsdb_trust_routing_table_load(kdc_db_ctx->samdb,
2588 frame, &trt);
2589 if (!NT_STATUS_IS_OK(status)) {
2590 TALLOC_FREE(frame);
2591 return EINVAL;
2592 }
2593
2594 tdo = dsdb_trust_routing_by_name(trt, realm);
2595 if (tdo == NULL) {
2596 /*
2597 * This principal has to be local
2598 */
2599 TALLOC_FREE(frame);
2600 return 0;
2601 }
2602
2603 if (tdo->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) {
2604 /*
2605 * TODO: handle the routing within the forest
2606 *
2607 * This should likely be handled in
2608 * samba_kdc_message2entry() in case we're
2609 * a global catalog. We'd need to check
2610 * if realm_dn is our own domain and derive
2611 * the dns domain name from realm_dn and check that
2612 * against the routing table or fallback to
2613 * the tdo we found here.
2614 *
2615 * But for now we don't support multiple domains
2616 * in our forest correctly anyway.
2617 *
2618 * Just search in our local database.
2619 */
2620 TALLOC_FREE(frame);
2621 return 0;
2622 }
2623
2624 ZERO_STRUCTP(entry);
2625
2626 ret = krb5_copy_principal(context, principal,
2627 &entry->principal);
2628 if (ret) {
2629 TALLOC_FREE(frame);
2630 return ret;
2631 }
2632
2633 upper = strupper_talloc(frame, tdo->domain_name.string);
2634 if (upper == NULL) {
2635 TALLOC_FREE(frame);
2636 return ENOMEM;
2637 }
2638
2639 ret = smb_krb5_principal_set_realm(context,
2640 entry->principal,
2641 upper);
2642 if (ret) {
2643 TALLOC_FREE(frame);
2644 return ret;
2645 }
2646
2647 TALLOC_FREE(frame);
2648 return SDB_ERR_WRONG_REALM;
2649 }
2650
2651 krb5_error_code samba_kdc_fetch(krb5_context context,
2652 struct samba_kdc_db_context *kdc_db_ctx,
2653 krb5_const_principal principal,
2654 unsigned flags,
2655 krb5_kvno kvno,
2656 struct sdb_entry *entry)
2657 {
2658 krb5_error_code ret = SDB_ERR_NOENTRY;
2659 TALLOC_CTX *mem_ctx;
2660
2661 mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_fetch context");
2662 if (!mem_ctx) {
2663 ret = ENOMEM;
2664 krb5_set_error_message(context, ret, "samba_kdc_fetch: talloc_named() failed!");
2665 return ret;
2666 }
2667
2668 ret = samba_kdc_lookup_realm(context, kdc_db_ctx, mem_ctx,
2669 principal, flags, entry);
2670 if (ret != 0) {
2671 goto done;
2672 }
2673
2674 ret = SDB_ERR_NOENTRY;
2675
2676 if (flags & SDB_F_GET_CLIENT) {
2677 ret = samba_kdc_fetch_client(context, kdc_db_ctx, mem_ctx, principal, flags, kvno, entry);
2678 if (ret != SDB_ERR_NOENTRY) goto done;
2679 }
2680 if (flags & SDB_F_GET_SERVER) {
2681 /* krbtgt fits into this situation for trusted realms, and for resolving different versions of our own realm name */
2682 ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, flags, kvno, entry);
2683 if (ret != SDB_ERR_NOENTRY) goto done;
2684
2685 /* We return 'no entry' if it does not start with krbtgt/, so move to the common case quickly */
2686 ret = samba_kdc_fetch_server(context, kdc_db_ctx, mem_ctx, principal, flags, kvno, entry);
2687 if (ret != SDB_ERR_NOENTRY) goto done;
2688 }
2689 if (flags & SDB_F_GET_KRBTGT) {
2690 ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, flags, kvno, entry);
2691 if (ret != SDB_ERR_NOENTRY) goto done;
2692 }
2693
2694 done:
2695 talloc_free(mem_ctx);
2696 return ret;
2697 }
2698
2699 struct samba_kdc_seq {
2700 unsigned int index;
2701 unsigned int count;
2702 struct ldb_message **msgs;
2703 struct ldb_dn *realm_dn;
2704 };
2705
2706 static krb5_error_code samba_kdc_seq(krb5_context context,
2707 struct samba_kdc_db_context *kdc_db_ctx,
2708 struct sdb_entry *entry)
2709 {
2710 krb5_error_code ret;
2711 struct samba_kdc_seq *priv = kdc_db_ctx->seq_ctx;
2712 const char *realm = lpcfg_realm(kdc_db_ctx->lp_ctx);
2713 struct ldb_message *msg = NULL;
2714 const char *sAMAccountName = NULL;
2715 krb5_principal principal = NULL;
2716 TALLOC_CTX *mem_ctx;
2717
2718 if (!priv) {
2719 return SDB_ERR_NOENTRY;
2720 }
2721
2722 mem_ctx = talloc_named(priv, 0, "samba_kdc_seq context");
2723
2724 if (!mem_ctx) {
2725 ret = ENOMEM;
2726 krb5_set_error_message(context, ret, "samba_kdc_seq: talloc_named() failed!");
2727 return ret;
2728 }
2729
2730 while (priv->index < priv->count) {
2731 msg = priv->msgs[priv->index++];
2732
2733 sAMAccountName = ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL);
2734 if (sAMAccountName != NULL) {
2735 break;
2736 }
2737 }
2738
2739 if (sAMAccountName == NULL) {
2740 ret = SDB_ERR_NOENTRY;
2741 goto out;
2742 }
2743
2744 ret = smb_krb5_make_principal(context, &principal,
2745 realm, sAMAccountName, NULL);
2746 if (ret != 0) {
2747 goto out;
2748 }
2749
2750 ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
2751 principal, SAMBA_KDC_ENT_TYPE_ANY,
2752 SDB_F_ADMIN_DATA|SDB_F_GET_ANY,
2753 0 /* kvno */,
2754 priv->realm_dn, msg, entry);
2755
2756 out:
2757 if (principal != NULL) {
2758 krb5_free_principal(context, principal);
2759 }
2760
2761 if (ret != 0) {
2762 TALLOC_FREE(priv);
2763 kdc_db_ctx->seq_ctx = NULL;
2764 } else {
2765 talloc_free(mem_ctx);
2766 }
2767
2768 return ret;
2769 }
2770
2771 krb5_error_code samba_kdc_firstkey(krb5_context context,
2772 struct samba_kdc_db_context *kdc_db_ctx,
2773 struct sdb_entry *entry)
2774 {
2775 struct ldb_context *ldb_ctx = kdc_db_ctx->samdb;
2776 struct samba_kdc_seq *priv = kdc_db_ctx->seq_ctx;
2777 char *realm;
2778 struct ldb_result *res = NULL;
2779 krb5_error_code ret;
2780 TALLOC_CTX *mem_ctx;
2781 int lret;
2782
2783 if (priv) {
2784 TALLOC_FREE(priv);
2785 kdc_db_ctx->seq_ctx = NULL;
2786 }
2787
2788 priv = (struct samba_kdc_seq *) talloc(kdc_db_ctx, struct samba_kdc_seq);
2789 if (!priv) {
2790 ret = ENOMEM;
2791 krb5_set_error_message(context, ret, "talloc: out of memory");
2792 return ret;
2793 }
2794
2795 priv->index = 0;
2796 priv->msgs = NULL;
2797 priv->realm_dn = ldb_get_default_basedn(ldb_ctx);
2798 priv->count = 0;
2799
2800 mem_ctx = talloc_named(priv, 0, "samba_kdc_firstkey context");
2801
2802 if (!mem_ctx) {
2803 ret = ENOMEM;
2804 krb5_set_error_message(context, ret, "samba_kdc_firstkey: talloc_named() failed!");
2805 return ret;
2806 }
2807
2808 ret = krb5_get_default_realm(context, &realm);
2809 if (ret != 0) {
2810 TALLOC_FREE(priv);
2811 return ret;
2812 }
2813 krb5_free_default_realm(context, realm);
2814
2815 lret = dsdb_search(ldb_ctx, priv, &res,
2816 priv->realm_dn, LDB_SCOPE_SUBTREE, user_attrs,
2817 DSDB_SEARCH_NO_GLOBAL_CATALOG,
2818 "(objectClass=user)");
2819
2820 if (lret != LDB_SUCCESS) {
2821 TALLOC_FREE(priv);
2822 return SDB_ERR_NOENTRY;
2823 }
2824
2825 priv->count = res->count;
2826 priv->msgs = talloc_steal(priv, res->msgs);
2827 talloc_free(res);
2828
2829 kdc_db_ctx->seq_ctx = priv;
2830
2831 ret = samba_kdc_seq(context, kdc_db_ctx, entry);
2832
2833 if (ret != 0) {
2834 TALLOC_FREE(priv);
2835 kdc_db_ctx->seq_ctx = NULL;
2836 } else {
2837 talloc_free(mem_ctx);
2838 }
2839 return ret;
2840 }
2841
2842 krb5_error_code samba_kdc_nextkey(krb5_context context,
2843 struct samba_kdc_db_context *kdc_db_ctx,
2844 struct sdb_entry *entry)
2845 {
2846 return samba_kdc_seq(context, kdc_db_ctx, entry);
2847 }
2848
2849 /* Check if a given entry may delegate or do s4u2self to this target principal
2850 *
2851 * The safest way to determine 'self' is to check the DB record made at
2852 * the time the principal was presented to the KDC.
2853 */
2854 krb5_error_code
2855 samba_kdc_check_client_matches_target_service(krb5_context context,
2856 struct samba_kdc_entry *skdc_entry_client,
2857 struct samba_kdc_entry *skdc_entry_server_target)
2858 {
2859 struct dom_sid *orig_sid;
2860 struct dom_sid *target_sid;
2861 TALLOC_CTX *frame = talloc_stackframe();
2862
2863 orig_sid = samdb_result_dom_sid(frame,
2864 skdc_entry_client->msg,
2865 "objectSid");
2866 target_sid = samdb_result_dom_sid(frame,
2867 skdc_entry_server_target->msg,
2868 "objectSid");
2869
2870 /*
2871 * Allow delegation to the same record (representing a
2872 * principal), even if by a different name. The easy and safe
2873 * way to prove this is by SID comparison
2874 */
2875 if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) {
2876 talloc_free(frame);
2877 return KRB5KRB_AP_ERR_BADMATCH;
2878 }
2879
2880 talloc_free(frame);
2881 return 0;
2882 }
2883
2884 /* Certificates printed by a the Certificate Authority might have a
2885 * slightly different form of the user principal name to that in the
2886 * database. Allow a mismatch where they both refer to the same
2887 * SID */
2888
2889 krb5_error_code
2890 samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
2891 struct samba_kdc_db_context *kdc_db_ctx,
2892 struct samba_kdc_entry *skdc_entry,
2893 krb5_const_principal certificate_principal)
2894 {
2895 krb5_error_code ret;
2896 struct ldb_dn *realm_dn;
2897 struct ldb_message *msg;
2898 struct dom_sid *orig_sid;
2899 struct dom_sid *target_sid;
2900 const char *ms_upn_check_attrs[] = {
2901 "objectSid", NULL
2902 };
2903
2904 TALLOC_CTX *mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_check_pkinit_ms_upn_match");
2905
2906 if (!mem_ctx) {
2907 ret = ENOMEM;
2908 krb5_set_error_message(context, ret, "samba_kdc_fetch: talloc_named() failed!");
2909 return ret;
2910 }
2911
2912 ret = samba_kdc_lookup_client(context, kdc_db_ctx,
2913 mem_ctx, certificate_principal,
2914 ms_upn_check_attrs, &realm_dn, &msg);
2915
2916 if (ret != 0) {
2917 talloc_free(mem_ctx);
2918 return ret;
2919 }
2920
2921 orig_sid = samdb_result_dom_sid(mem_ctx, skdc_entry->msg, "objectSid");
2922 target_sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid");
2923
2924 /* Consider these to be the same principal, even if by a different
2925 * name. The easy and safe way to prove this is by SID
2926 * comparison */
2927 if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) {
2928 talloc_free(mem_ctx);
2929 #if defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
2930 return KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
2931 #else /* Heimdal (where this is an enum) */
2932 return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
2933 #endif
2934 }
2935
2936 talloc_free(mem_ctx);
2937 return ret;
2938 }
2939
2940 /*
2941 * Check if a given entry may delegate to this target principal
2942 * with S4U2Proxy.
2943 */
2944 krb5_error_code
2945 samba_kdc_check_s4u2proxy(krb5_context context,
2946 struct samba_kdc_db_context *kdc_db_ctx,
2947 struct samba_kdc_entry *skdc_entry,
2948 krb5_const_principal target_principal)
2949 {
2950 krb5_error_code ret;
2951 char *tmp = NULL;
2952 const char *client_dn = NULL;
2953 const char *target_principal_name = NULL;
2954 struct ldb_message_element *el;
2955 struct ldb_val val;
2956 unsigned int i;
2957 bool found = false;
2958
2959 TALLOC_CTX *mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_check_s4u2proxy");
2960
2961 if (!mem_ctx) {
2962 ret = ENOMEM;
2963 krb5_set_error_message(context, ret,
2964 "samba_kdc_check_s4u2proxy:"
2965 " talloc_named() failed!");
2966 return ret;
2967 }
2968
2969 client_dn = ldb_dn_get_linearized(skdc_entry->msg->dn);
2970 if (!client_dn) {
2971 if (errno == 0) {
2972 errno = ENOMEM;
2973 }
2974 ret = errno;
2975 krb5_set_error_message(context, ret,
2976 "samba_kdc_check_s4u2proxy:"
2977 " ldb_dn_get_linearized() failed!");
2978 return ret;
2979 }
2980
2981 el = ldb_msg_find_element(skdc_entry->msg, "msDS-AllowedToDelegateTo");
2982 if (el == NULL) {
2983 ret = ENOENT;
2984 goto bad_option;
2985 }
2986 SMB_ASSERT(el->num_values != 0);
2987
2988 /*
2989 * This is the Microsoft forwardable flag behavior.
2990 *
2991 * If the proxy (target) principal is NULL, and we have any authorized
2992 * delegation target, allow to forward.
2993 */
2994 if (target_principal == NULL) {
2995 return 0;
2996 }
2997
2998
2999 /*
3000 * The main heimdal code already checked that the target_principal
3001 * belongs to the same realm as the client.
3002 *
3003 * So we just need the principal without the realm,
3004 * as that is what is configured in the "msDS-AllowedToDelegateTo"
3005 * attribute.
3006 */
3007 ret = krb5_unparse_name_flags(context, target_principal,
3008 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &tmp);
3009 if (ret) {
3010 talloc_free(mem_ctx);
3011 krb5_set_error_message(context, ret,
3012 "samba_kdc_check_s4u2proxy:"
3013 " krb5_unparse_name() failed!");
3014 return ret;
3015 }
3016 DEBUG(10,("samba_kdc_check_s4u2proxy: client[%s] for target[%s]\n",
3017 client_dn, tmp));
3018
3019 target_principal_name = talloc_strdup(mem_ctx, tmp);
3020 SAFE_FREE(tmp);
3021 if (target_principal_name == NULL) {
3022 ret = ENOMEM;
3023 krb5_set_error_message(context, ret,
3024 "samba_kdc_check_s4u2proxy:"
3025 " talloc_strdup() failed!");
3026 return ret;
3027 }
3028
3029 val = data_blob_string_const(target_principal_name);
3030
3031 for (i=0; i<el->num_values; i++) {
3032 struct ldb_val *val1 = &val;
3033 struct ldb_val *val2 = &el->values[i];
3034 int cmp;
3035
3036 if (val1->length != val2->length) {
3037 continue;
3038 }
3039
3040 cmp = strncasecmp((const char *)val1->data,
3041 (const char *)val2->data,
3042 val1->length);
3043 if (cmp != 0) {
3044 continue;
3045 }
3046
3047 found = true;
3048 break;
3049 }
3050
3051 if (!found) {
3052 ret = ENOENT;
3053 goto bad_option;
3054 }
3055
3056 DEBUG(10,("samba_kdc_check_s4u2proxy: client[%s] allowed target[%s]\n",
3057 client_dn, tmp));
3058 talloc_free(mem_ctx);
3059 return 0;
3060
3061 bad_option:
3062 krb5_set_error_message(context, ret,
3063 "samba_kdc_check_s4u2proxy: client[%s] "
3064 "not allowed for delegation to target[%s]",
3065 client_dn,
3066 target_principal_name);
3067 talloc_free(mem_ctx);
3068 return KRB5KDC_ERR_BADOPTION;
3069 }
3070
3071 /*
3072 * This method is called for S4U2Proxy requests and implements the
3073 * resource-based constrained delegation variant, which can support
3074 * cross-realm delegation.
3075 */
3076 krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
3077 krb5_context context,
3078 struct samba_kdc_db_context *kdc_db_ctx,
3079 krb5_const_principal client_principal,
3080 krb5_const_principal server_principal,
3081 krb5_pac header_pac,
3082 struct samba_kdc_entry *proxy_skdc_entry)
3083 {
3084 krb5_error_code code;
3085 enum ndr_err_code ndr_err;
3086 char *client_name = NULL;
3087 char *server_name = NULL;
3088 const char *proxy_dn = NULL;
3089 const DATA_BLOB *data = NULL;
3090 struct security_descriptor *rbcd_security_descriptor = NULL;
3091 struct auth_user_info_dc *user_info_dc = NULL;
3092 struct auth_session_info *session_info = NULL;
3093 uint32_t session_info_flags = AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
3094 /*
3095 * Testing shows that although Windows grants SEC_ADS_GENERIC_ALL access
3096 * in security descriptors it creates for RBCD, its KDC only requires
3097 * SEC_ADS_CONTROL_ACCESS for the access check to succeed.
3098 */
3099 uint32_t access_desired = SEC_ADS_CONTROL_ACCESS;
3100 uint32_t access_granted = 0;
3101 NTSTATUS nt_status;
3102 TALLOC_CTX *mem_ctx = NULL;
3103
3104 mem_ctx = talloc_named(kdc_db_ctx,
3105 0,
3106 "samba_kdc_check_s4u2proxy_rbcd");
3107 if (mem_ctx == NULL) {
3108 errno = ENOMEM;
3109 code = errno;
3110
3111 return code;
3112 }
3113
3114 proxy_dn = ldb_dn_get_linearized(proxy_skdc_entry->msg->dn);
3115 if (proxy_dn == NULL) {
3116 DBG_ERR("ldb_dn_get_linearized failed for proxy_dn!\n");
3117 TALLOC_FREE(mem_ctx);
3118 if (errno == 0) {
3119 errno = ENOMEM;
3120 }
3121 code = errno;
3122
3123 goto out;
3124 }
3125
3126 rbcd_security_descriptor = talloc_zero(mem_ctx,
3127 struct security_descriptor);
3128 if (rbcd_security_descriptor == NULL) {
3129 errno = ENOMEM;
3130 code = errno;
3131
3132 goto out;
3133 }
3134
3135 code = krb5_unparse_name_flags(context,
3136 client_principal,
3137 KRB5_PRINCIPAL_UNPARSE_DISPLAY,
3138 &client_name);
3139 if (code != 0) {
3140 DBG_ERR("Unable to parse client_principal!\n");
3141 goto out;
3142 }
3143
3144 code = krb5_unparse_name_flags(context,
3145 server_principal,
3146 KRB5_PRINCIPAL_UNPARSE_DISPLAY,
3147 &server_name);
3148 if (code != 0) {
3149 DBG_ERR("Unable to parse server_principal!\n");
3150 SAFE_FREE(client_name);
3151 goto out;
3152 }
3153
3154 DBG_INFO("Check delegation from client[%s] to server[%s] via "
3155 "proxy[%s]\n",
3156 client_name,
3157 server_name,
3158 proxy_dn);
3159
3160 code = kerberos_pac_to_user_info_dc(mem_ctx,
3161 header_pac,
3162 context,
3163 &user_info_dc,
3164 NULL,
3165 NULL);
3166 if (code != 0) {
3167 goto out;
3168 }
3169
3170 if (user_info_dc->info->authenticated) {
3171 session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
3172 }
3173
3174 nt_status = auth_generate_session_info(mem_ctx,
3175 kdc_db_ctx->lp_ctx,
3176 kdc_db_ctx->samdb,
3177 user_info_dc,
3178 session_info_flags,
3179 &session_info);
3180 if (!NT_STATUS_IS_OK(nt_status)) {
3181 code = map_errno_from_nt_status(nt_status);
3182 goto out;
3183 }
3184
3185 data = ldb_msg_find_ldb_val(proxy_skdc_entry->msg,
3186 "msDS-AllowedToActOnBehalfOfOtherIdentity");
3187 if (data == NULL) {
3188 DBG_ERR("Could not find security descriptor "
3189 "msDS-AllowedToActOnBehalfOfOtherIdentity in "
3190 "proxy[%s]\n",
3191 proxy_dn);
3192 code = KRB5KDC_ERR_BADOPTION;
3193 goto out;
3194 }
3195
3196 ndr_err = ndr_pull_struct_blob(
3197 data,
3198 mem_ctx,
3199 rbcd_security_descriptor,
3200 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
3201 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
3202 errno = ndr_map_error2errno(ndr_err);
3203 DBG_ERR("Failed to unmarshall "
3204 "msDS-AllowedToActOnBehalfOfOtherIdentity "
3205 "security descriptor of proxy[%s]\n",
3206 proxy_dn);
3207 code = KRB5KDC_ERR_BADOPTION;
3208 goto out;
3209 }
3210
3211 if (DEBUGLEVEL >= 10) {
3212 NDR_PRINT_DEBUG(security_token, session_info->security_token);
3213 NDR_PRINT_DEBUG(security_descriptor, rbcd_security_descriptor);
3214 }
3215
3216 nt_status = sec_access_check_ds(rbcd_security_descriptor,
3217 session_info->security_token,
3218 access_desired,
3219 &access_granted,
3220 NULL,
3221 NULL);
3222
3223 if (!NT_STATUS_IS_OK(nt_status)) {
3224 DBG_WARNING("RBCD: sec_access_check_ds(access_desired=%#08x, "
3225 "access_granted:%#08x) failed with: %s\n",
3226 access_desired,
3227 access_granted,
3228 nt_errstr(nt_status));
3229
3230 code = KRB5KDC_ERR_BADOPTION;
3231 goto out;
3232 }
3233
3234 DBG_NOTICE("RBCD: Access granted for client[%s]\n", client_name);
3235
3236 code = 0;
3237 out:
3238 SAFE_FREE(client_name);
3239 SAFE_FREE(server_name);
3240
3241 TALLOC_FREE(mem_ctx);
3242 return code;
3243 }
3244
3245 NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_context *base_ctx,
3246 struct samba_kdc_db_context **kdc_db_ctx_out)
3247 {
3248 int ldb_ret;
3249 struct ldb_message *msg;
3250 struct auth_session_info *session_info;
3251 struct samba_kdc_db_context *kdc_db_ctx;
3252 /* The idea here is very simple. Using Kerberos to
3253 * authenticate the KDC to the LDAP server is higly likely to
3254 * be circular.
3255 *
3256 * In future we may set this up to use EXERNAL and SSL
3257 * certificates, for now it will almost certainly be NTLMSSP_SET_USERNAME
3258 */
3259
3260 kdc_db_ctx = talloc_zero(mem_ctx, struct samba_kdc_db_context);
3261 if (kdc_db_ctx == NULL) {
3262 return NT_STATUS_NO_MEMORY;
3263 }
3264 kdc_db_ctx->ev_ctx = base_ctx->ev_ctx;
3265 kdc_db_ctx->lp_ctx = base_ctx->lp_ctx;
3266 kdc_db_ctx->msg_ctx = base_ctx->msg_ctx;
3267
3268 /* get default kdc policy */
3269 lpcfg_default_kdc_policy(mem_ctx,
3270 base_ctx->lp_ctx,
3271 &kdc_db_ctx->policy.svc_tkt_lifetime,
3272 &kdc_db_ctx->policy.usr_tkt_lifetime,
3273 &kdc_db_ctx->policy.renewal_lifetime);
3274
3275 session_info = system_session(kdc_db_ctx->lp_ctx);
3276 if (session_info == NULL) {
3277 return NT_STATUS_INTERNAL_ERROR;
3278 }
3279
3280 /* Setup the link to secrets.ldb */
3281
3282 kdc_db_ctx->secrets_db = secrets_db_connect(kdc_db_ctx,
3283 base_ctx->lp_ctx);
3284 if (kdc_db_ctx->secrets_db == NULL) {
3285 DEBUG(1, ("samba_kdc_setup_db_ctx: "
3286 "Cannot open secrets.ldb for KDC backend!"));
3287 talloc_free(kdc_db_ctx);
3288 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
3289 }
3290
3291 kdc_db_ctx->fx_cookie_dn = ldb_dn_new(kdc_db_ctx,
3292 kdc_db_ctx->secrets_db,
3293 "CN=FX Cookie");
3294
3295 /* Setup the link to LDB */
3296 kdc_db_ctx->samdb = samdb_connect(kdc_db_ctx,
3297 base_ctx->ev_ctx,
3298 base_ctx->lp_ctx,
3299 session_info,
3300 NULL,
3301 0);
3302 if (kdc_db_ctx->samdb == NULL) {
3303 DEBUG(1, ("samba_kdc_setup_db_ctx: Cannot open samdb for KDC backend!"));
3304 talloc_free(kdc_db_ctx);
3305 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
3306 }
3307
3308 /* Find out our own krbtgt kvno */
3309 ldb_ret = samdb_rodc(kdc_db_ctx->samdb, &kdc_db_ctx->rodc);
3310 if (ldb_ret != LDB_SUCCESS) {
3311 DEBUG(1, ("samba_kdc_setup_db_ctx: Cannot determine if we are an RODC in KDC backend: %s\n",
3312 ldb_errstring(kdc_db_ctx->samdb)));
3313 talloc_free(kdc_db_ctx);
3314 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
3315 }
3316 if (kdc_db_ctx->rodc) {
3317 int my_krbtgt_number;
3318 const char *secondary_keytab[] = { "msDS-SecondaryKrbTgtNumber", NULL };
3319 struct ldb_dn *account_dn;
3320 struct ldb_dn *server_dn = samdb_server_dn(kdc_db_ctx->samdb, kdc_db_ctx);
3321 if (!server_dn) {
3322 DEBUG(1, ("samba_kdc_setup_db_ctx: Cannot determine server DN in KDC backend: %s\n",
3323 ldb_errstring(kdc_db_ctx->samdb)));
3324 talloc_free(kdc_db_ctx);
3325 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
3326 }
3327
3328 ldb_ret = samdb_reference_dn(kdc_db_ctx->samdb, kdc_db_ctx, server_dn,
3329 "serverReference", &account_dn);
3330 if (ldb_ret != LDB_SUCCESS) {
3331 DEBUG(1, ("samba_kdc_setup_db_ctx: Cannot determine server account in KDC backend: %s\n",
3332 ldb_errstring(kdc_db_ctx->samdb)));
3333 talloc_free(kdc_db_ctx);
3334 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
3335 }
3336
3337 ldb_ret = samdb_reference_dn(kdc_db_ctx->samdb, kdc_db_ctx, account_dn,
3338 "msDS-KrbTgtLink", &kdc_db_ctx->krbtgt_dn);
3339 talloc_free(account_dn);
3340 if (ldb_ret != LDB_SUCCESS) {
3341 DEBUG(1, ("samba_kdc_setup_db_ctx: Cannot determine RODC krbtgt account in KDC backend: %s\n",
3342 ldb_errstring(kdc_db_ctx->samdb)));
3343 talloc_free(kdc_db_ctx);
3344 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
3345 }
3346
3347 ldb_ret = dsdb_search_one(kdc_db_ctx->samdb, kdc_db_ctx,
3348 &msg, kdc_db_ctx->krbtgt_dn, LDB_SCOPE_BASE,
3349 secondary_keytab,
3350 DSDB_SEARCH_NO_GLOBAL_CATALOG,
3351 "(&(objectClass=user)(msDS-SecondaryKrbTgtNumber=*))");
3352 if (ldb_ret != LDB_SUCCESS) {
3353 DEBUG(1, ("samba_kdc_setup_db_ctx: Cannot read krbtgt account %s in KDC backend to get msDS-SecondaryKrbTgtNumber: %s: %s\n",
3354 ldb_dn_get_linearized(kdc_db_ctx->krbtgt_dn),
3355 ldb_errstring(kdc_db_ctx->samdb),
3356 ldb_strerror(ldb_ret)));
3357 talloc_free(kdc_db_ctx);
3358 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
3359 }
3360 my_krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1);
3361 if (my_krbtgt_number == -1) {
3362 DEBUG(1, ("samba_kdc_setup_db_ctx: Cannot read msDS-SecondaryKrbTgtNumber from krbtgt account %s in KDC backend: got %d\n",
3363 ldb_dn_get_linearized(kdc_db_ctx->krbtgt_dn),
3364 my_krbtgt_number));
3365 talloc_free(kdc_db_ctx);
3366 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
3367 }
3368 kdc_db_ctx->my_krbtgt_number = my_krbtgt_number;
3369
3370 } else {
3371 kdc_db_ctx->my_krbtgt_number = 0;
3372 ldb_ret = dsdb_search_one(kdc_db_ctx->samdb, kdc_db_ctx,
3373 &msg,
3374 ldb_get_default_basedn(kdc_db_ctx->samdb),
3375 LDB_SCOPE_SUBTREE,
3376 krbtgt_attrs,
3377 DSDB_SEARCH_NO_GLOBAL_CATALOG,
3378 "(&(objectClass=user)(samAccountName=krbtgt))");
3379
3380 if (ldb_ret != LDB_SUCCESS) {
3381 DEBUG(1, ("samba_kdc_fetch: could not find own KRBTGT in DB: %s\n", ldb_errstring(kdc_db_ctx->samdb)));
3382 talloc_free(kdc_db_ctx);
3383 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
3384 }
3385 kdc_db_ctx->krbtgt_dn = talloc_steal(kdc_db_ctx, msg->dn);
3386 kdc_db_ctx->my_krbtgt_number = 0;
3387 talloc_free(msg);
3388 }
3389 *kdc_db_ctx_out = kdc_db_ctx;
3390 return NT_STATUS_OK;
3391 }
3392
3393 krb5_error_code dsdb_extract_aes_256_key(krb5_context context,
3394 TALLOC_CTX *mem_ctx,
3395 const struct ldb_message *msg,
3396 uint32_t user_account_control,
3397 const uint32_t *kvno,
3398 uint32_t *kvno_out,
3399 DATA_BLOB *aes_256_key,
3400 DATA_BLOB *salt)
3401 {
3402 krb5_error_code krb5_ret;
3403 uint32_t supported_enctypes;
3404 unsigned flags = SDB_F_GET_CLIENT;
3405 struct sdb_entry sentry = {};
3406
3407 if (kvno != NULL) {
3408 flags |= SDB_F_KVNO_SPECIFIED;
3409 }
3410
3411 krb5_ret = samba_kdc_message2entry_keys(context,
3412 mem_ctx,
3413 msg,
3414 false, /* is_krbtgt */
3415 false, /* is_rodc */
3416 user_account_control,
3417 SAMBA_KDC_ENT_TYPE_CLIENT,
3418 flags,
3419 (kvno != NULL) ? *kvno : 0,
3420 &sentry,
3421 ENC_HMAC_SHA1_96_AES256,
3422 &supported_enctypes);
3423 if (krb5_ret != 0) {
3424 DBG_ERR("Failed to parse supplementalCredentials "
3425 "of %s with %s kvno using "
3426 "ENCTYPE_HMAC_SHA1_96_AES256 "
3427 "Kerberos Key: %s\n",
3428 ldb_dn_get_linearized(msg->dn),
3429 (kvno != NULL) ? "previous" : "current",
3430 krb5_get_error_message(context,
3431 krb5_ret));
3432 return krb5_ret;
3433 }
3434
3435 if ((supported_enctypes & ENC_HMAC_SHA1_96_AES256) == 0 ||
3436 sentry.keys.len != 1) {
3437 DBG_INFO("Failed to find a ENCTYPE_HMAC_SHA1_96_AES256 "
3438 "key in supplementalCredentials "
3439 "of %s at KVNO %u (got %u keys, expected 1)\n",
3440 ldb_dn_get_linearized(msg->dn),
3441 sentry.kvno,
3442 sentry.keys.len);
3443 sdb_entry_free(&sentry);
3444 return ENOENT;
3445 }
3446
3447 if (sentry.keys.val[0].salt == NULL) {
3448 DBG_INFO("Failed to find a salt in "
3449 "supplementalCredentials "
3450 "of %s at KVNO %u\n",
3451 ldb_dn_get_linearized(msg->dn),
3452 sentry.kvno);
3453 sdb_entry_free(&sentry);
3454 return ENOENT;
3455 }
3456
3457 if (aes_256_key != NULL) {
3458 *aes_256_key = data_blob_talloc(mem_ctx,
3459 KRB5_KEY_DATA(&sentry.keys.val[0].key),
3460 KRB5_KEY_LENGTH(&sentry.keys.val[0].key));
3461 if (aes_256_key->data == NULL) {
3462 sdb_entry_free(&sentry);
3463 return ENOMEM;
3464 }
3465 talloc_keep_secret(aes_256_key->data);
3466 }
3467
3468 if (salt != NULL) {
3469 *salt = data_blob_talloc(mem_ctx,
3470 sentry.keys.val[0].salt->salt.data,
3471 sentry.keys.val[0].salt->salt.length);
3472 if (salt->data == NULL) {
3473 sdb_entry_free(&sentry);
3474 return ENOMEM;
3475 }
3476 }
3477
3478 if (kvno_out != NULL) {
3479 *kvno_out = sentry.kvno;
3480 }
3481
3482 sdb_entry_free(&sentry);
3483
3484 return 0;
3485 }
Samba GIT mirror