2 Unix SMB/CIFS implementation.
4 PAC Glue between Samba and the KDC
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 #include "include/ads.h"
27 #include "lib/ldb/include/ldb.h"
28 #include "librpc/gen_ndr/krb5pac.h"
29 #include "auth/auth.h"
30 #include "auth/auth_sam.h"
32 struct krb5_dh_moduli
;
33 struct _krb5_krb_auth_data
;
35 #include "heimdal/lib/krb5/krb5-private.h"
37 /* Given the right private pointer from hdb_ldb, get a PAC from the attached ldb messages */
38 static krb5_error_code
samba_get_pac(krb5_context context
,
39 struct hdb_ldb_private
*private,
40 krb5_principal client
,
41 krb5_keyblock
*krbtgt_keyblock
,
42 krb5_keyblock
*server_keyblock
,
48 struct auth_serversupplied_info
*server_info
;
50 TALLOC_CTX
*mem_ctx
= talloc_named(private, 0, "samba_get_pac context");
56 nt_status
= authsam_make_server_info(mem_ctx
, private->samdb
,
58 private->realm_ref_msg
,
62 if (!NT_STATUS_IS_OK(nt_status
)) {
63 DEBUG(0, ("Getting user info for PAC failed: %s\n",
64 nt_errstr(nt_status
)));
68 ret
= kerberos_create_pac(mem_ctx
, server_info
,
77 DEBUG(1, ("PAC encoding failed: %s\n",
78 smb_get_krb5_error_message(context
, ret
, mem_ctx
)));
83 ret
= krb5_data_copy(pac
, tmp_blob
.data
, tmp_blob
.length
);
88 /* Wrap the PAC in the right ASN.1. Will always free 'pac', on success or failure */
89 static krb5_error_code
wrap_pac(krb5_context context
, krb5_data
*pac
, AuthorizationData
**out
)
97 AD_IF_RELEVANT if_relevant
;
98 AuthorizationData
*auth_data
;
101 if_relevant
.val
= malloc(sizeof(*if_relevant
.val
));
102 if (!if_relevant
.val
) {
108 if_relevant
.val
[0].ad_type
= KRB5_AUTHDATA_WIN2K_PAC
;
109 if_relevant
.val
[0].ad_data
.data
= NULL
;
110 if_relevant
.val
[0].ad_data
.length
= 0;
112 /* pac.data will be freed with this */
113 if_relevant
.val
[0].ad_data
.data
= pac
->data
;
114 if_relevant
.val
[0].ad_data
.length
= pac
->length
;
116 ASN1_MALLOC_ENCODE(AuthorizationData
, buf
, buf_size
, &if_relevant
, &len
, ret
);
117 free_AuthorizationData(&if_relevant
);
123 auth_data
= malloc(sizeof(*auth_data
));
130 auth_data
->val
= malloc(sizeof(*auth_data
->val
));
131 if (!auth_data
->val
) {
137 auth_data
->val
[0].ad_type
= KRB5_AUTHDATA_IF_RELEVANT
;
138 auth_data
->val
[0].ad_data
.length
= len
;
139 auth_data
->val
[0].ad_data
.data
= buf
;
146 /* Given a hdb_entry, create a PAC out of the private data
148 Don't create it if the client has the UF_NO_AUTH_DATA_REQUIRED bit
149 set, or if they specificaly asked not to get it.
152 krb5_error_code
hdb_ldb_authz_data_as_req(krb5_context context
, struct hdb_entry_ex
*entry_ex
,
153 METHOD_DATA
* pa_data_seq
,
155 EncryptionKey
*tgtkey
,
156 EncryptionKey
*sessionkey
,
157 AuthorizationData
**out
)
162 krb5_boolean pac_wanted
= TRUE
;
163 unsigned int userAccountControl
;
164 struct PA_PAC_REQUEST pac_request
;
165 struct hdb_ldb_private
*private = talloc_get_type(entry_ex
->ctx
, struct hdb_ldb_private
);
167 /* The user account may be set not to want the PAC */
168 userAccountControl
= ldb_msg_find_attr_as_uint(private->msg
, "userAccountControl", 0);
169 if (userAccountControl
& UF_NO_AUTH_DATA_REQUIRED
) {
174 /* The user may not want a PAC */
175 for (i
=0; i
<pa_data_seq
->len
; i
++) {
176 if (pa_data_seq
->val
[i
].padata_type
== KRB5_PADATA_PA_PAC_REQUEST
) {
177 ret
= decode_PA_PAC_REQUEST(pa_data_seq
->val
[i
].padata_value
.data
,
178 pa_data_seq
->val
[i
].padata_value
.length
,
181 pac_wanted
= !!pac_request
.include_pac
;
183 free_PA_PAC_REQUEST(&pac_request
);
193 /* Get PAC from Samba */
194 ret
= samba_get_pac(context
,
196 entry_ex
->entry
.principal
,
207 return wrap_pac(context
, &pac
, out
);
210 /* Resign (and reform, including possibly new groups) a PAC */
212 krb5_error_code
hdb_ldb_authz_data_tgs_req(krb5_context context
, struct hdb_entry_ex
*entry_ex
,
213 krb5_principal client
,
214 AuthorizationData
*in
,
216 EncryptionKey
*tgtkey
,
217 EncryptionKey
*servicekey
,
218 EncryptionKey
*sessionkey
,
219 AuthorizationData
**out
)
224 unsigned int userAccountControl
;
226 struct hdb_ldb_private
*private = talloc_get_type(entry_ex
->ctx
, struct hdb_ldb_private
);
227 krb5_data k5pac_in
, k5pac_out
;
228 DATA_BLOB pac_in
, pac_out
;
230 struct PAC_LOGON_INFO
*logon_info
;
231 union netr_Validation validation
;
232 struct auth_serversupplied_info
*server_info_out
;
234 krb5_boolean found
= FALSE
;
237 /* The service account may be set not to want the PAC */
238 userAccountControl
= ldb_msg_find_attr_as_uint(private->msg
, "userAccountControl", 0);
239 if (userAccountControl
& UF_NO_AUTH_DATA_REQUIRED
) {
244 ret
= _krb5_find_type_in_ad(context
, KRB5_AUTHDATA_WIN2K_PAC
,
245 &k5pac_in
, &found
, sessionkey
, in
);
251 mem_ctx
= talloc_new(private);
253 krb5_data_free(&k5pac_in
);
258 pac_in
= data_blob_talloc(mem_ctx
, k5pac_in
.data
, k5pac_in
.length
);
259 krb5_data_free(&k5pac_in
);
261 talloc_free(mem_ctx
);
266 /* Parse the PAC again, for the logon info */
267 nt_status
= kerberos_pac_logon_info(mem_ctx
, &logon_info
,
275 if (!NT_STATUS_IS_OK(nt_status
)) {
276 DEBUG(1, ("Failed to parse PAC in TGT: %s/%s\n",
277 nt_errstr(nt_status
), error_message(ret
)));
278 talloc_free(mem_ctx
);
283 /* Pull this right into the normal auth sysstem structures */
284 validation
.sam3
= &logon_info
->info3
;
285 nt_status
= make_server_info_netlogon_validation(mem_ctx
,
289 if (!NT_STATUS_IS_OK(nt_status
)) {
290 talloc_free(mem_ctx
);
295 /* And make a new PAC, possibly containing new groups */
296 ret
= kerberos_create_pac(mem_ctx
,
306 talloc_free(mem_ctx
);
311 ret
= krb5_data_copy(&k5pac_out
, pac_out
.data
, pac_out
.length
);
313 talloc_free(mem_ctx
);
318 return wrap_pac(context
, &k5pac_out
, out
);
321 /* Given an hdb entry (and in particular it's private member), consult
322 * the account_ok routine in auth/auth_sam.c for consistancy */
324 krb5_error_code
hdb_ldb_check_client_access(krb5_context context
, hdb_entry_ex
*entry_ex
,
325 HostAddresses
*addresses
)
329 TALLOC_CTX
*tmp_ctx
= talloc_new(entry_ex
->ctx
);
330 struct hdb_ldb_private
*private = talloc_get_type(entry_ex
->ctx
, struct hdb_ldb_private
);
331 char *name
, *workstation
= NULL
;
338 ret
= krb5_unparse_name(context
, entry_ex
->entry
.principal
, &name
);
340 talloc_free(tmp_ctx
);
345 for (i
=0; i
< addresses
->len
; i
++) {
346 if (addresses
->val
->addr_type
== KRB5_ADDRESS_NETBIOS
) {
347 workstation
= talloc_strndup(tmp_ctx
, addresses
->val
->address
.data
, MIN(addresses
->val
->address
.length
, 15));
355 /* Strip space padding */
357 i
= MIN(strlen(workstation
), 15);
358 for (; i
> 0 && workstation
[i
- 1] == ' '; i
--) {
359 workstation
[i
- 1] = '\0';
363 nt_status
= authsam_account_ok(tmp_ctx
,
365 MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
| MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT
,
367 private->realm_ref_msg
,
372 /* TODO: Need a more complete mapping of NTSTATUS to krb5kdc errors */
374 if (!NT_STATUS_IS_OK(nt_status
)) {
375 return KRB5KDC_ERR_POLICY
;