/*
   Unix SMB/CIFS implementation.

   PAC Glue between Samba and the KDC

   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
   Copyright (C) Simo Sorce <idra@samba.org> 2010

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
24 #include "system/kerberos.h"
25 #include "auth/kerberos/kerberos.h"
26 #include <krb5/krb5.h>
28 #include "lib/util/data_blob.h"
29 #include "lib/util/time.h"
30 #include "libcli/util/ntstatus.h"
31 #include "libcli/util/werror.h"
32 #include "librpc/gen_ndr/auth.h"
33 #include "kdc/samba_kdc.h"
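/*
 * Which "asserted identity" a client's auth_user_info_dc is built with;
 * consumed by samba_kdc_get_user_info_dc().  The enumerator names follow
 * the well-known Asserted Identity categories (service vs. authentication
 * authority); how each one is represented in the PAC is decided by the
 * implementation, not here.
 */
enum samba_asserted_identity {
	/* Zero value: add no asserted-identity information. */
	SAMBA_ASSERTED_IDENTITY_IGNORE = 0,
	/* Identity asserted by a service on the client's behalf. */
	SAMBA_ASSERTED_IDENTITY_SERVICE,
	/* Identity asserted by an authentication authority. */
	SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
};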
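/*
 * Whether the "claims valid" marker is included when a client's
 * auth_user_info_dc is built; consumed by samba_kdc_get_user_info_dc().
 */
enum samba_claims_valid {
	/* Zero value: leave the marker out. */
	SAMBA_CLAIMS_VALID_EXCLUDE = 0,
	/* Include the marker. */
	SAMBA_CLAIMS_VALID_INCLUDE,
};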
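/*
 * Whether the "compounded authentication" marker is included when a
 * client's auth_user_info_dc is built; consumed by
 * samba_kdc_get_user_info_dc().
 */
enum samba_compounded_auth {
	/* Zero value: leave the marker out. */
	SAMBA_COMPOUNDED_AUTH_EXCLUDE = 0,
	/* Include the marker. */
	SAMBA_COMPOUNDED_AUTH_INCLUDE,
};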
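/*
 * Bit flags describing the request being processed.  Every value is a
 * distinct power of two so that several can be combined with bitwise OR
 * into one flags word.  The *_IS_TRUSTED flags record whether the party
 * that produced an incoming PAC is one we trust; code that consumes a
 * PAC should consult them before relying on its contents.
 */
enum {
	/* The request is a protocol-transition (S4U2Self) request. */
	SAMBA_KDC_FLAG_PROTOCOL_TRANSITION        = 0x00000001,
	/* The request is a constrained-delegation (S4U2Proxy) request. */
	SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION     = 0x00000002,
	/* The krbtgt involved in the request is present in our database. */
	SAMBA_KDC_FLAG_KRBTGT_IN_DB               = 0x00000004,
	/* The krbtgt that produced the incoming PAC is trusted. */
	SAMBA_KDC_FLAG_KRBTGT_IS_TRUSTED          = 0x00000008,
	/* Do not emit a PAC buffer (exact meaning is decided by the
	 * implementation — confirm there before relying on it). */
	SAMBA_KDC_FLAG_SKIP_PAC_BUFFER            = 0x00000010,
	/* The krbtgt that produced the device's PAC is trusted. */
	SAMBA_KDC_FLAG_DEVICE_KRBTGT_IS_TRUSTED   = 0x00000020,
	/* The delegated proxy that produced the incoming PAC is trusted. */
	SAMBA_KDC_FLAG_DELEGATED_PROXY_IS_TRUSTED = 0x00000040,
};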
61 krb5_error_code
samba_kdc_encrypt_pac_credentials(krb5_context context
,
62 const krb5_keyblock
*pkreplykey
,
63 const DATA_BLOB
*cred_ndr_blob
,
65 DATA_BLOB
*cred_info_blob
);
67 krb5_error_code
samba_make_krb5_pac(krb5_context context
,
68 const DATA_BLOB
*logon_blob
,
69 const DATA_BLOB
*cred_blob
,
70 const DATA_BLOB
*upn_blob
,
71 const DATA_BLOB
*pac_attrs_blob
,
72 const DATA_BLOB
*requester_sid_blob
,
73 const DATA_BLOB
*deleg_blob
,
74 const DATA_BLOB
*client_claims_blob
,
75 const DATA_BLOB
*device_info_blob
,
76 const DATA_BLOB
*device_claims_blob
,
/**
 * Report whether the principal described by @p skdc_entry needs a PAC in
 * the tickets issued for it.
 *
 * @param skdc_entry  KDC entry to examine; read only.
 * @return true if a PAC must be generated, false if none is needed.
 */
bool samba_princ_needs_pac(const struct samba_kdc_entry *skdc_entry);
81 int samba_client_requested_pac(krb5_context context
,
86 int samba_krbtgt_is_in_db(struct samba_kdc_entry
*skdc_entry
,
/**
 * Build an auth_user_info_dc for @p skdc_entry from its database record.
 *
 * @param skdc_entry    KDC entry the user information is wanted for.
 * @param msg           ldb record to build from; read only.
 *                      NOTE(review): presumably the record behind
 *                      @p skdc_entry — confirm against the callers.
 * @param user_info_dc  On success receives the resulting user info.  The
 *                      talloc parent of the result is not visible from this
 *                      declaration; check the implementation before assuming
 *                      ownership.
 * @return NT_STATUS_OK on success, otherwise an NTSTATUS error code.
 */
NTSTATUS samba_kdc_get_user_info_from_db(struct samba_kdc_entry *skdc_entry,
					 const struct ldb_message *msg,
					 const struct auth_user_info_dc **user_info_dc);
/**
 * Build the auth_user_info_dc used to populate a PAC for @p skdc_entry,
 * applying the requested asserted-identity, claims-valid and
 * compounded-authentication selectors.
 *
 * @param mem_ctx            talloc context the result is allocated on
 *                           (assumed from the TALLOC_CTX convention —
 *                           confirm in the implementation).
 * @param skdc_entry         KDC entry the user information is wanted for.
 * @param asserted_identity  Asserted-identity selector to apply.
 * @param claims_valid       Whether the claims-valid marker is included.
 * @param compounded_auth    Whether the compounded-authentication marker is
 *                           included.
 * @param user_info_dc_out   On success receives the resulting user info.
 * @return NT_STATUS_OK on success, otherwise an NTSTATUS error code.
 */
NTSTATUS samba_kdc_get_user_info_dc(TALLOC_CTX *mem_ctx,
				    struct samba_kdc_entry *skdc_entry,
				    enum samba_asserted_identity asserted_identity,
				    enum samba_claims_valid claims_valid,
				    enum samba_compounded_auth compounded_auth,
				    struct auth_user_info_dc **user_info_dc_out);
/**
 * Map an NTSTATUS produced by a policy check onto the krb5_error_code the
 * KDC reports back to the client.
 *
 * @param nt_status  Status to translate.
 * @return The corresponding krb5_error_code.
 */
krb5_error_code samba_kdc_map_policy_err(NTSTATUS nt_status);
/**
 * Apply the account-access checks for the client behind @p kdc_entry
 * (which restrictions are enforced is decided by the implementation).
 *
 * @param kdc_entry        KDC entry of the client being checked.
 * @param client_name      Client principal name as a string.
 * @param workstation      Workstation name the client presents.
 *                         NOTE(review): whether NULL is accepted is not
 *                         visible from this declaration — confirm.
 * @param password_change  true when the request is for the password-change
 *                         service, which the implementation may treat
 *                         differently from a normal logon.
 * @return NT_STATUS_OK if access is permitted, otherwise the NTSTATUS
 *         describing why it was denied.
 */
NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry,
				       const char *client_name,
				       const char *workstation,
				       bool password_change);
108 krb5_error_code
samba_kdc_validate_pac_blob(
109 krb5_context context
,
110 const struct samba_kdc_entry
*client_skdc_entry
,
/**
 * In the RODC case, confirm that the returned user is permitted to be
 * replicated to the KDC (krbtgt_xxx user) represented by @p rodc.
 *
 * @param num_sids     Number of entries in @p object_sids.
 * @param object_sids  SIDs associated with @p object; read only.
 * @param rodc         KDC entry of the RODC (krbtgt_xxx account) that
 *                     would receive the user.
 * @param object       KDC entry of the user being replicated.
 * @return WERR_OK if replication to @p rodc is permitted, otherwise a
 *         WERROR explaining the denial.
 */
WERROR samba_rodc_confirm_user_is_allowed(uint32_t num_sids,
					  const struct dom_sid *object_sids,
					  const struct samba_kdc_entry *rodc,
					  const struct samba_kdc_entry *object);
123 krb5_error_code
samba_kdc_verify_pac(TALLOC_CTX
*mem_ctx
,
124 krb5_context context
,
126 struct samba_kdc_entry
*client
,
127 const struct samba_kdc_entry
*krbtgt
,
128 const struct samba_kdc_entry
*device
,
129 const krb5_const_pac
*device_pac
,
132 struct authn_audit_info
;
133 krb5_error_code
samba_kdc_update_pac(TALLOC_CTX
*mem_ctx
,
134 krb5_context context
,
135 struct ldb_context
*samdb
,
136 struct loadparm_context
*lp_ctx
,
138 const struct samba_kdc_entry
*client_krbtgt
,
139 struct samba_kdc_entry
*client
,
140 const krb5_const_principal server_principal
,
141 const struct samba_kdc_entry
*server
,
142 const krb5_const_principal delegated_proxy_principal
,
143 struct samba_kdc_entry
*delegated_proxy
,
144 const krb5_const_pac delegated_proxy_pac
,
145 const struct samba_kdc_entry
*device_krbtgt
,
146 struct samba_kdc_entry
*device
,
147 const krb5_const_pac device_pac
,
148 const krb5_const_pac old_pac
,
150 struct authn_audit_info
**server_audit_info_out
,
151 NTSTATUS
*status_out
);
/**
 * Serialise the logon-info PAC buffer for @p user_info_dc.
 *
 * @param mem_ctx           talloc context for the returned blob.
 * @param user_info_dc      User information to serialise; read only.
 * @param group_inclusion   Which groups are included in the buffer
 *                          (enum auth_group_inclusion).
 * @param _logon_info_blob  On success receives the serialised blob.
 * @return NT_STATUS_OK on success, otherwise an NTSTATUS error code.
 */
NTSTATUS samba_kdc_get_logon_info_blob(TALLOC_CTX *mem_ctx,
				       const struct auth_user_info_dc *user_info_dc,
				       enum auth_group_inclusion group_inclusion,
				       DATA_BLOB **_logon_info_blob);
/**
 * Produce the NDR-encoded credentials buffer for the KDC entry @p p.  By
 * name this is the cred_ndr_blob input of
 * samba_kdc_encrypt_pac_credentials(); confirm in the implementation.
 *
 * @param mem_ctx         talloc context for the returned blob.
 * @param p               KDC entry whose credentials are encoded; read only.
 * @param _cred_ndr_blob  On success receives the encoded blob.
 * @return NT_STATUS_OK on success, otherwise an NTSTATUS error code.
 */
NTSTATUS samba_kdc_get_cred_ndr_blob(TALLOC_CTX *mem_ctx,
				     const struct samba_kdc_entry *p,
				     DATA_BLOB **_cred_ndr_blob);
/**
 * Serialise the UPN/DNS-info PAC buffer for @p user_info_dc.
 *
 * @param mem_ctx         talloc context for the returned blob.
 * @param user_info_dc    User information to serialise; read only.
 * @param _upn_info_blob  On success receives the serialised blob.
 * @return NT_STATUS_OK on success, otherwise an NTSTATUS error code.
 */
NTSTATUS samba_kdc_get_upn_info_blob(TALLOC_CTX *mem_ctx,
				     const struct auth_user_info_dc *user_info_dc,
				     DATA_BLOB **_upn_info_blob);
/**
 * Serialise a PAC attributes buffer carrying @p pac_attributes.
 *
 * @param mem_ctx          talloc context for the returned blob.
 * @param pac_attributes   Attribute bits to encode (their meaning is
 *                         defined by the PAC attributes buffer format,
 *                         not by this header).
 * @param _pac_attrs_blob  On success receives the serialised blob.
 * @return NT_STATUS_OK on success, otherwise an NTSTATUS error code.
 */
NTSTATUS samba_kdc_get_pac_attrs_blob(TALLOC_CTX *mem_ctx,
				      uint64_t pac_attributes,
				      DATA_BLOB **_pac_attrs_blob);
/**
 * Serialise the requester-SID PAC buffer for @p user_info_dc.
 *
 * @param mem_ctx              talloc context for the returned blob.
 * @param user_info_dc         User information the SID is taken from; read
 *                             only.
 * @param _requester_sid_blob  On success receives the serialised blob.
 * @return NT_STATUS_OK on success, otherwise an NTSTATUS error code.
 */
NTSTATUS samba_kdc_get_requester_sid_blob(TALLOC_CTX *mem_ctx,
					  const struct auth_user_info_dc *user_info_dc,
					  DATA_BLOB **_requester_sid_blob);
/**
 * Obtain the claims PAC buffer for the KDC entry @p p.
 *
 * @param mem_ctx       talloc context for any allocation made.
 * @param p             KDC entry whose claims are wanted; read only.
 * @param _claims_blob  On success receives a pointer to a const blob.
 *                      NOTE(review): the const double pointer suggests the
 *                      blob may be shared rather than freshly allocated —
 *                      confirm ownership in the implementation before
 *                      freeing or modifying it.
 * @return NT_STATUS_OK on success, otherwise an NTSTATUS error code.
 */
NTSTATUS samba_kdc_get_claims_blob(TALLOC_CTX *mem_ctx,
				   const struct samba_kdc_entry *p,
				   const DATA_BLOB **_claims_blob);
/**
 * Authorization check: decide whether @p client may authenticate to
 * @p server, reporting the decision for auditing.
 *
 * @param mem_ctx                talloc context for the audit info.
 * @param samdb                  SAM database connection.
 * @param lp_ctx                 loadparm context.
 * @param client                 KDC entry of the client; read only.
 * @param client_info            Client's auth_user_info_dc; read only.
 * @param server                 KDC entry of the target server; read only.
 * @param server_audit_info_out  On return receives the audit record for the
 *                               server-side policy evaluation (whether it is
 *                               also set on failure is not visible here —
 *                               confirm in the implementation).
 * @param status_out             On return receives the underlying NTSTATUS,
 *                               which carries more detail than the krb5
 *                               error code.
 * @return 0 if the client is allowed; a non-zero krb5_error_code when it is
 *         not, or on internal error.  Callers must treat every non-zero
 *         value as a denial.
 */
krb5_error_code samba_kdc_allowed_to_authenticate_to(TALLOC_CTX *mem_ctx,
						     struct ldb_context *samdb,
						     struct loadparm_context *lp_ctx,
						     const struct samba_kdc_entry *client,
						     const struct auth_user_info_dc *client_info,
						     const struct samba_kdc_entry *server,
						     struct authn_audit_info **server_audit_info_out,
						     NTSTATUS *status_out);
/**
 * Evaluate the device side of an authentication-policy check: validate
 * @p device and its PAC against @p client_policy, reporting the decision
 * for auditing.
 *
 * @param mem_ctx                talloc context for the audit info.
 * @param context                krb5 context.
 * @param samdb                  SAM database connection.
 * @param lp_ctx                 loadparm context.
 * @param device                 KDC entry of the device.
 * @param device_pac             PAC presented for the device.
 * @param device_pac_is_trusted  Whether @p device_pac was produced by an
 *                               issuer we trust.  When false its contents
 *                               should not be relied upon for the policy
 *                               decision; how the implementation treats an
 *                               untrusted PAC is not visible from this
 *                               declaration — confirm there.
 * @param client_policy          Kerberos client authentication policy to
 *                               apply; read only.
 * @param client_audit_info_out  On return receives the audit record.
 * @param status_out             On return receives the underlying NTSTATUS.
 * @return 0 if the device passes the checks, otherwise a non-zero
 *         krb5_error_code.  Callers must treat every non-zero value as a
 *         failure.
 */
krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
				       krb5_context context,
				       struct ldb_context *samdb,
				       struct loadparm_context *lp_ctx,
				       struct samba_kdc_entry *device,
				       krb5_const_pac device_pac,
				       bool device_pac_is_trusted,
				       const struct authn_kerberos_client_policy *client_policy,
				       struct authn_audit_info **client_audit_info_out,
				       NTSTATUS *status_out);