1 /*
2 Unix SMB/CIFS implementation.
4 PAC Glue between Samba and the KDC
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
7 Copyright (C) Simo Sorce <idra@samba.org> 2010
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "system/kerberos.h"
25 #include "auth/kerberos/kerberos.h"
26 #include <krb5/krb5.h>
28 #include "lib/util/data_blob.h"
29 #include "lib/util/time.h"
30 #include "libcli/util/ntstatus.h"
31 #include "libcli/util/werror.h"
32 #include "librpc/gen_ndr/auth.h"
33 #include "kdc/samba_kdc.h"
/*
 * Which "asserted identity" marker (if any) the KDC should place in the
 * PAC it issues.  IGNORE is the zero value; the other two names suggest
 * an identity asserted by a service (protocol transition / S4U2Self) vs
 * one asserted by the authentication authority (the KDC itself after a
 * real authentication).  NOTE(review): the exact semantics are not
 * visible in this header -- confirm against the users of
 * samba_kdc_get_user_info_dc().
 */
enum samba_asserted_identity {
	SAMBA_ASSERTED_IDENTITY_IGNORE = 0,
	SAMBA_ASSERTED_IDENTITY_SERVICE,
	SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
/*
 * Whether the "Claims Valid" marker is added to the user info placed
 * in the PAC.  EXCLUDE is the zero value, so a zero-initialised caller
 * gets the conservative (no marker) behaviour by default.
 */
enum samba_claims_valid {
	SAMBA_CLAIMS_VALID_EXCLUDE = 0,
	SAMBA_CLAIMS_VALID_INCLUDE,
/*
 * Whether the "Compounded Authentication" marker is added to the user
 * info placed in the PAC (presumably only when a device identity has
 * been verified -- confirm against samba_kdc_get_user_info_dc()
 * callers).  EXCLUDE is the zero value.
 */
enum samba_compounded_auth {
	SAMBA_COMPOUNDED_AUTH_EXCLUDE = 0,
	SAMBA_COMPOUNDED_AUTH_INCLUDE,
/*
 * Bit flags describing the request being processed; these are single
 * bits and are meant to be OR-ed together into the uint32_t "flags"
 * argument taken by samba_kdc_verify_pac() and samba_kdc_update_pac().
 *
 * The *_IS_TRUSTED and *_IN_DB flags are security relevant: they tell
 * the PAC code whether a given krbtgt / device krbtgt / delegated proxy
 * identity has already been verified (e.g. its signature checked) and
 * may therefore be relied upon.  Callers must only set them after the
 * corresponding verification has actually succeeded; setting them
 * speculatively would let an unverified PAC be treated as trusted.
 * NOTE(review): the exact checks each flag gates live in pac-glue.c,
 * not here.
 */
enum {
	SAMBA_KDC_FLAG_PROTOCOL_TRANSITION = 0x00000001,
	SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION = 0x00000002,
	SAMBA_KDC_FLAG_KRBTGT_IN_DB = 0x00000004,
	SAMBA_KDC_FLAG_KRBTGT_IS_TRUSTED = 0x00000008,
	SAMBA_KDC_FLAG_SKIP_PAC_BUFFER = 0x00000010,
	SAMBA_KDC_FLAG_DEVICE_KRBTGT_IS_TRUSTED = 0x00000020,
	SAMBA_KDC_FLAG_DELEGATED_PROXY_IS_TRUSTED = 0x00000040,
/*
 * Encrypt an NDR-encoded credentials blob for inclusion in the PAC.
 *
 * @param context       krb5 context used for the crypto operations.
 * @param pkreplykey    Key the result is encrypted with; the name
 *                      suggests the PKINIT reply key, i.e. this is the
 *                      PAC_CREDENTIAL_INFO path used for PKINIT logons
 *                      (confirm against the caller).
 * @param cred_ndr_blob Plaintext NDR credentials to protect.
 * @param mem_ctx       talloc parent of *cred_info_blob.
 * @param cred_info_blob Receives the encrypted blob on success.
 * @return 0 on success, otherwise a krb5_error_code.
 */
krb5_error_code samba_kdc_encrypt_pac_credentials(krb5_context context,
						  const krb5_keyblock *pkreplykey,
						  const DATA_BLOB *cred_ndr_blob,
						  TALLOC_CTX *mem_ctx,
						  DATA_BLOB *cred_info_blob);
/*
 * Populate a krb5_pac with the individual PAC buffers.
 *
 * Each DATA_BLOB argument is one PAC buffer type (logon info,
 * credentials, UPN/DNS info, PAC attributes, requester SID, constrained
 * delegation info, client claims, device info, device claims).  It is
 * presumed that a NULL blob means "do not add that buffer" -- confirm in
 * the implementation before relying on it.  Signing is not part of this
 * header's contract; the KDC library signs the PAC afterwards.
 *
 * @param pac   The PAC to add buffers to; must already be allocated.
 * @return 0 on success, otherwise a krb5_error_code.
 */
krb5_error_code samba_make_krb5_pac(krb5_context context,
				    const DATA_BLOB *logon_blob,
				    const DATA_BLOB *cred_blob,
				    const DATA_BLOB *upn_blob,
				    const DATA_BLOB *pac_attrs_blob,
				    const DATA_BLOB *requester_sid_blob,
				    const DATA_BLOB *deleg_blob,
				    const DATA_BLOB *client_claims_blob,
				    const DATA_BLOB *device_info_blob,
				    const DATA_BLOB *device_claims_blob,
				    krb5_pac pac);
/*
 * Whether a PAC should be included in tickets issued to the given
 * principal (the entry presumably carries a per-account flag, e.g. the
 * userAccountControl "no auth data required" bit -- confirm in the
 * implementation).
 */
bool samba_princ_needs_pac(const struct samba_kdc_entry *skdc_entry);
/*
 * Determine from an existing (already verified) PAC whether the client
 * asked for a PAC to be included, writing the answer to *requested_pac.
 *
 * @param pac     Input PAC; const, it is only read.
 * @param mem_ctx talloc context for temporary allocations.
 * @return 0 on success, otherwise an error code.
 */
int samba_client_requested_pac(krb5_context context,
			       krb5_const_pac pac,
			       TALLOC_CTX *mem_ctx,
			       bool *requested_pac);
/*
 * Classify the krbtgt entry a ticket was issued under.
 *
 * @param is_in_db   Set to true if the krbtgt is one found in our own
 *                   database (as opposed to a trusted foreign realm).
 * @param is_trusted Set to true if its signatures may be relied upon.
 *                   The result is expected to be reflected in the
 *                   SAMBA_KDC_FLAG_KRBTGT_IN_DB / _IS_TRUSTED flags by
 *                   the caller (confirm in the caller).
 * @return 0 on success, otherwise an error code; on error the output
 *         booleans should not be trusted.
 */
int samba_krbtgt_is_in_db(struct samba_kdc_entry *skdc_entry,
			  bool *is_in_db,
			  bool *is_trusted);
/*
 * Build (or return a cached) auth_user_info_dc for the account behind
 * skdc_entry from its ldb record.
 *
 * @param msg           The ldb record the entry was loaded from.
 * @param user_info_dc  Receives a const pointer; ownership stays with
 *                      the entry (the double-const signature suggests
 *                      the caller must not modify or free it).
 * @return NT_STATUS_OK on success.
 */
NTSTATUS samba_kdc_get_user_info_from_db(struct samba_kdc_entry *skdc_entry,
					 const struct ldb_message *msg,
					 const struct auth_user_info_dc **user_info_dc);
/*
 * Produce a fresh auth_user_info_dc for the account behind skdc_entry,
 * decorated with the requested marker SIDs.
 *
 * @param asserted_identity  Which asserted-identity marker to add.
 * @param claims_valid       Whether to add the claims-valid marker.
 * @param compounded_auth    Whether to add the compounded-auth marker.
 * @param user_info_dc_out   Receives a newly allocated, caller-owned
 *                           structure (allocated on mem_ctx).
 * @return NT_STATUS_OK on success.
 */
NTSTATUS samba_kdc_get_user_info_dc(TALLOC_CTX *mem_ctx,
				    struct samba_kdc_entry *skdc_entry,
				    enum samba_asserted_identity asserted_identity,
				    enum samba_claims_valid claims_valid,
				    enum samba_compounded_auth compounded_auth,
				    struct auth_user_info_dc **user_info_dc_out);
/*
 * Map an NTSTATUS from an account/authentication policy check to the
 * krb5_error_code the KDC should return to the client.  Callers should
 * not leak the raw NTSTATUS to the network; only the mapped code is
 * sent.
 */
krb5_error_code samba_kdc_map_policy_err(NTSTATUS nt_status);
/*
 * Account-level access check for a client requesting a ticket
 * (disabled / expired / locked-out / logon-hours style policy --
 * confirm the exact set in the implementation).
 *
 * @param client_name     Client principal, for logging.
 * @param workstation     Client workstation name, if known; may be NULL.
 * @param password_change true when the request is for the kpasswd
 *                        service, which presumably relaxes the
 *                        "password must change" rejection.
 * @return NT_STATUS_OK if access is allowed; otherwise an NTSTATUS that
 *         can be fed to samba_kdc_map_policy_err().
 */
NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry,
				       const char *client_name,
				       const char *workstation,
				       bool password_change);
/*
 * Cross-check the contents of an incoming PAC against the client entry
 * in our database (e.g. that the SIDs in the PAC belong to the account
 * the ticket names).  This is a content check and complements, rather
 * than replaces, signature verification.
 *
 * @param client_skdc_entry  The client the ticket was issued to.
 * @param pac                The PAC to check; only read.
 * @return 0 if the PAC is consistent with the entry, otherwise a
 *         krb5_error_code and the PAC must be rejected.
 */
krb5_error_code samba_kdc_validate_pac_blob(
		krb5_context context,
		const struct samba_kdc_entry *client_skdc_entry,
		krb5_const_pac pac);
/*
 * In the RODC case, confirm that the returned user is permitted to be
 * replicated to the RODC whose krbtgt_xxx account is represented by
 * *rodc.  This enforces the RODC password replication policy so that
 * an RODC cannot obtain (or issue tickets for) accounts it is denied.
 *
 * @param num_sids     Number of entries in object_sids.
 * @param object_sids  SIDs of the user and its groups to test.
 * @param rodc         Entry for the RODC's krbtgt_xxx account.
 * @param object       Entry for the user being checked.
 * @return WERR_OK if replication to this RODC is allowed.
 */
struct dom_sid;
WERROR samba_rodc_confirm_user_is_allowed(uint32_t num_sids,
					  const struct dom_sid *object_sids,
					  const struct samba_kdc_entry *rodc,
					  const struct samba_kdc_entry *object);
/*
 * Verify an incoming PAC (from a TGT or evidence ticket) before any of
 * its contents are used to build a new ticket.
 *
 * @param flags       OR of SAMBA_KDC_FLAG_* describing the request; in
 *                    particular the *_IS_TRUSTED bits tell this function
 *                    which signatures have already been checked, so the
 *                    caller must set them accurately.
 * @param client      Client entry; non-const, presumably because the
 *                    verification result is cached on it.
 * @param krbtgt      The krbtgt entry whose key signed the PAC.
 * @param device      Device (armor) entry for FAST / compound
 *                    identity, or NULL.
 * @param device_pac  Pointer to the device's PAC, or NULL.
 * @param pac         The client PAC being verified.
 * @return 0 only if the PAC is acceptable; any other value means the
 *         PAC must not be trusted or copied forward.
 */
krb5_error_code samba_kdc_verify_pac(TALLOC_CTX *mem_ctx,
				     krb5_context context,
				     uint32_t flags,
				     struct samba_kdc_entry *client,
				     const struct samba_kdc_entry *krbtgt,
				     const struct samba_kdc_entry *device,
				     const krb5_const_pac *device_pac,
				     krb5_const_pac pac);
/*
 * Produce the PAC for a newly issued ticket from a verified input PAC.
 *
 * The old PAC (old_pac) must already have passed samba_kdc_verify_pac();
 * this function copies forward / regenerates the buffers into new_pac,
 * applying the authentication-policy decision for the target server and
 * merging any delegated-proxy (S4U2Proxy) and device (compound auth)
 * information.
 *
 * @param flags                     OR of SAMBA_KDC_FLAG_*.
 * @param client_krbtgt / client    The krbtgt that signed old_pac and the
 *                                  client it names.
 * @param server_principal / server Target service of the new ticket.
 * @param delegated_proxy_principal / delegated_proxy / delegated_proxy_pac
 *                                  The impersonating service for
 *                                  constrained delegation, or NULL.
 * @param device_krbtgt / device / device_pac
 *                                  The armor device identity, or NULL.
 * @param old_pac                   Verified input PAC (read only).
 * @param new_pac                   Output PAC; filled in by this call.
 * @param server_audit_info_out     Receives audit information for the
 *                                  server-side policy decision (may be
 *                                  set even on failure; confirm).
 * @param status_out                Receives the NTSTATUS behind a policy
 *                                  failure, to be mapped with
 *                                  samba_kdc_map_policy_err().
 * @return 0 on success, otherwise a krb5_error_code.
 */
struct authn_audit_info;
krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
				     krb5_context context,
				     struct ldb_context *samdb,
				     struct loadparm_context *lp_ctx,
				     uint32_t flags,
				     const struct samba_kdc_entry *client_krbtgt,
				     struct samba_kdc_entry *client,
				     const krb5_const_principal server_principal,
				     const struct samba_kdc_entry *server,
				     const krb5_const_principal delegated_proxy_principal,
				     struct samba_kdc_entry *delegated_proxy,
				     const krb5_const_pac delegated_proxy_pac,
				     const struct samba_kdc_entry *device_krbtgt,
				     struct samba_kdc_entry *device,
				     const krb5_const_pac device_pac,
				     const krb5_const_pac old_pac,
				     krb5_pac new_pac,
				     struct authn_audit_info **server_audit_info_out,
				     NTSTATUS *status_out);
/*
 * Helpers that NDR-encode the individual PAC buffers consumed by
 * samba_make_krb5_pac().  Each allocates its output on mem_ctx and
 * hands ownership to the caller via the double-pointer argument; the
 * claims helper returns a const pointer, which suggests the blob is
 * owned by (cached on) the entry rather than by the caller -- confirm
 * before freeing.
 *
 * samba_kdc_get_logon_info_blob: PAC_LOGON_INFO; group_inclusion selects
 *     which group SIDs are encoded.
 * samba_kdc_get_cred_ndr_blob: plaintext credentials (NT hash style
 *     material) to be encrypted by samba_kdc_encrypt_pac_credentials();
 *     handle the result as secret.
 * samba_kdc_get_upn_info_blob: PAC_UPN_DNS_INFO.
 * samba_kdc_get_pac_attrs_blob: PAC_ATTRIBUTES_INFO from the bit set in
 *     pac_attributes.
 * samba_kdc_get_requester_sid_blob: PAC_REQUESTER_SID.
 * samba_kdc_get_claims_blob: client claims for the entry.
 *
 * All return NT_STATUS_OK on success.
 */
NTSTATUS samba_kdc_get_logon_info_blob(TALLOC_CTX *mem_ctx,
				       const struct auth_user_info_dc *user_info_dc,
				       enum auth_group_inclusion group_inclusion,
				       DATA_BLOB **_logon_info_blob);
NTSTATUS samba_kdc_get_cred_ndr_blob(TALLOC_CTX *mem_ctx,
				     const struct samba_kdc_entry *p,
				     DATA_BLOB **_cred_ndr_blob);
NTSTATUS samba_kdc_get_upn_info_blob(TALLOC_CTX *mem_ctx,
				     const struct auth_user_info_dc *user_info_dc,
				     DATA_BLOB **_upn_info_blob);
NTSTATUS samba_kdc_get_pac_attrs_blob(TALLOC_CTX *mem_ctx,
				      uint64_t pac_attributes,
				      DATA_BLOB **_pac_attrs_blob);
NTSTATUS samba_kdc_get_requester_sid_blob(TALLOC_CTX *mem_ctx,
					  const struct auth_user_info_dc *user_info_dc,
					  DATA_BLOB **_requester_sid_blob);
NTSTATUS samba_kdc_get_claims_blob(TALLOC_CTX *mem_ctx,
				   const struct samba_kdc_entry *p,
				   const DATA_BLOB **_claims_blob);
/*
 * Evaluate the target server's authentication policy ("allowed to
 * authenticate to") for a client requesting a service ticket.
 *
 * @param client      Client entry.
 * @param client_info The client's user info (SIDs) the policy is
 *                    evaluated against; should come from a verified PAC
 *                    or our own database, never from unverified input.
 * @param server      The target service whose policy applies.
 * @param server_audit_info_out  Receives audit information describing
 *                    the decision.
 * @param status_out  Receives the NTSTATUS explaining a denial.
 * @return 0 if allowed; otherwise a krb5_error_code to return to the
 *         client.
 */
krb5_error_code samba_kdc_allowed_to_authenticate_to(TALLOC_CTX *mem_ctx,
						     struct ldb_context *samdb,
						     struct loadparm_context *lp_ctx,
						     const struct samba_kdc_entry *client,
						     const struct auth_user_info_dc *client_info,
						     const struct samba_kdc_entry *server,
						     struct authn_audit_info **server_audit_info_out,
						     NTSTATUS *status_out);
/*
 * Evaluate the client's Kerberos authentication policy against the
 * device (FAST armor) identity presented with the request.
 *
 * @param device               The device entry from the armor ticket.
 * @param device_pac           The device's PAC.
 * @param device_pac_is_trusted Caller's assertion that device_pac has
 *                             had its signatures verified.  Security
 *                             critical: pass true only after a
 *                             successful verification, otherwise the
 *                             device's claimed group membership would be
 *                             accepted unchecked.
 * @param client_policy        The client's authentication policy to
 *                             enforce (device restrictions).
 * @param client_audit_info_out Receives audit information for the
 *                             decision.
 * @param status_out           Receives the NTSTATUS explaining a denial.
 * @return 0 if the device satisfies the policy; otherwise a
 *         krb5_error_code.
 */
krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
				       krb5_context context,
				       struct ldb_context *samdb,
				       struct loadparm_context *lp_ctx,
				       struct samba_kdc_entry *device,
				       krb5_const_pac device_pac,
				       bool device_pac_is_trusted,
				       const struct authn_kerberos_client_policy *client_policy,
				       struct authn_audit_info **client_audit_info_out,
				       NTSTATUS *status_out);