search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:kdc: Allocate contents of PAC blobs on blob talloc contexts
[Samba.git] / source4 / kdc / pac-glue.c
blob8c7601984ddbd86fa1af436ed87729351b8a0878
1 /*
2 Unix SMB/CIFS implementation.
3
4 PAC Glue between Samba and the KDC
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
7 Copyright (C) Simo Sorce <idra@samba.org> 2010
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "lib/replace/replace.h"
25 #include "lib/replace/system/kerberos.h"
26 #include "lib/replace/system/filesys.h"
27 #include "lib/util/debug.h"
28 #include "lib/util/samba_util.h"
29 #include "lib/util/talloc_stack.h"
30
31 #include "auth/auth_sam_reply.h"
32 #include "auth/kerberos/kerberos.h"
33 #include "auth/kerberos/pac_utils.h"
34 #include "auth/authn_policy.h"
35 #include "libcli/security/security.h"
36 #include "libds/common/flags.h"
37 #include "librpc/gen_ndr/ndr_krb5pac.h"
38 #include "param/param.h"
39 #include "source4/auth/auth.h"
40 #include "source4/dsdb/common/util.h"
41 #include "source4/dsdb/samdb/samdb.h"
42 #include "source4/kdc/authn_policy_util.h"
43 #include "source4/kdc/samba_kdc.h"
44 #include "source4/kdc/pac-glue.h"
45 #include "source4/kdc/ad_claims.h"
46 #include "source4/kdc/pac-blobs.h"
47
48 #include <ldb.h>
49
50 #undef DBGC_CLASS
51 #define DBGC_CLASS DBGC_KERBEROS
52
53 static
54 NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx,
55 const struct auth_user_info_dc *info,
56 const struct PAC_DOMAIN_GROUP_MEMBERSHIP *override_resource_groups,
57 const enum auth_group_inclusion group_inclusion,
58 DATA_BLOB *pac_data)
59 {
60 struct netr_SamInfo3 *info3 = NULL;
61 struct PAC_DOMAIN_GROUP_MEMBERSHIP *_resource_groups = NULL;
62 struct PAC_DOMAIN_GROUP_MEMBERSHIP **resource_groups = NULL;
63 union PAC_INFO pac_info = {};
64 enum ndr_err_code ndr_err;
65 NTSTATUS nt_status;
66
67 *pac_data = data_blob_null;
68
69 if (override_resource_groups == NULL) {
70 resource_groups = &_resource_groups;
71 } else if (group_inclusion != AUTH_EXCLUDE_RESOURCE_GROUPS) {
72 /*
73 * It doesn't make sense to override resource groups if we claim
74 * to want resource groups from user_info_dc.
75 */
76 DBG_ERR("supplied resource groups with invalid group inclusion parameter: %u\n",
77 group_inclusion);
78 return NT_STATUS_INVALID_PARAMETER;
79 }
80
81 nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx, info,
82 group_inclusion,
83 &info3,
84 resource_groups);
85 if (!NT_STATUS_IS_OK(nt_status)) {
86 DBG_WARNING("Getting Samba info failed: %s\n",
87 nt_errstr(nt_status));
88 return nt_status;
89 }
90
91 pac_info.logon_info.info = talloc_zero(mem_ctx, struct PAC_LOGON_INFO);
92 if (!pac_info.logon_info.info) {
93 return NT_STATUS_NO_MEMORY;
94 }
95
96 pac_info.logon_info.info->info3 = *info3;
97 if (_resource_groups != NULL) {
98 pac_info.logon_info.info->resource_groups = *_resource_groups;
99 }
100
101 if (override_resource_groups != NULL) {
102 pac_info.logon_info.info->resource_groups = *override_resource_groups;
103 }
104
105 if (group_inclusion != AUTH_EXCLUDE_RESOURCE_GROUPS) {
106 /*
107 * Set the resource groups flag based on whether any groups are
108 * present. Otherwise, the flag is propagated from the
109 * originating PAC.
110 */
111 if (pac_info.logon_info.info->resource_groups.groups.count > 0) {
112 pac_info.logon_info.info->info3.base.user_flags |= NETLOGON_RESOURCE_GROUPS;
113 } else {
114 pac_info.logon_info.info->info3.base.user_flags &= ~NETLOGON_RESOURCE_GROUPS;
115 }
116 }
117
118 ndr_err = ndr_push_union_blob(pac_data, mem_ctx, &pac_info,
119 PAC_TYPE_LOGON_INFO,
120 (ndr_push_flags_fn_t)ndr_push_PAC_INFO);
121 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
122 nt_status = ndr_map_error2ntstatus(ndr_err);
123 DBG_WARNING("PAC_LOGON_INFO (presig) push failed: %s\n",
124 nt_errstr(nt_status));
125 return nt_status;
126 }
127
128 return NT_STATUS_OK;
129 }
130
131 static
132 NTSTATUS samba_get_upn_info_pac_blob(TALLOC_CTX *mem_ctx,
133 const struct auth_user_info_dc *info,
134 DATA_BLOB *upn_data)
135 {
136 union PAC_INFO pac_upn = {};
137 enum ndr_err_code ndr_err;
138 NTSTATUS nt_status;
139 bool ok;
140
141 *upn_data = data_blob_null;
142
143 pac_upn.upn_dns_info.upn_name = info->info->user_principal_name;
144 pac_upn.upn_dns_info.dns_domain_name = strupper_talloc(mem_ctx,
145 info->info->dns_domain_name);
146 if (pac_upn.upn_dns_info.dns_domain_name == NULL) {
147 return NT_STATUS_NO_MEMORY;
148 }
149 if (info->info->user_principal_constructed) {
150 pac_upn.upn_dns_info.flags |= PAC_UPN_DNS_FLAG_CONSTRUCTED;
151 }
152
153 pac_upn.upn_dns_info.flags |= PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID;
154
155 pac_upn.upn_dns_info.ex.sam_name_and_sid.samaccountname
156 = info->info->account_name;
157
158 pac_upn.upn_dns_info.ex.sam_name_and_sid.objectsid
159 = &info->sids[PRIMARY_USER_SID_INDEX].sid;
160
161 ndr_err = ndr_push_union_blob(upn_data, mem_ctx, &pac_upn,
162 PAC_TYPE_UPN_DNS_INFO,
163 (ndr_push_flags_fn_t)ndr_push_PAC_INFO);
164 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
165 nt_status = ndr_map_error2ntstatus(ndr_err);
166 DBG_WARNING("PAC UPN_DNS_INFO (presig) push failed: %s\n",
167 nt_errstr(nt_status));
168 return nt_status;
169 }
170
171 ok = data_blob_pad(mem_ctx, upn_data, 8);
172 if (!ok) {
173 return NT_STATUS_NO_MEMORY;
174 }
175
176 return NT_STATUS_OK;
177 }
178
179 static
180 NTSTATUS samba_get_pac_attrs_blob(TALLOC_CTX *mem_ctx,
181 uint64_t pac_attributes,
182 DATA_BLOB *pac_attrs_data)
183 {
184 union PAC_INFO pac_attrs = {};
185 enum ndr_err_code ndr_err;
186 NTSTATUS nt_status;
187
188 *pac_attrs_data = data_blob_null;
189
190 /* Set the length of the flags in bits. */
191 pac_attrs.attributes_info.flags_length = 2;
192 pac_attrs.attributes_info.flags = pac_attributes;
193
194 ndr_err = ndr_push_union_blob(pac_attrs_data, mem_ctx, &pac_attrs,
195 PAC_TYPE_ATTRIBUTES_INFO,
196 (ndr_push_flags_fn_t)ndr_push_PAC_INFO);
197 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
198 nt_status = ndr_map_error2ntstatus(ndr_err);
199 DBG_WARNING("PAC ATTRIBUTES_INFO (presig) push failed: %s\n",
200 nt_errstr(nt_status));
201 return nt_status;
202 }
203
204 return NT_STATUS_OK;
205 }
206
207 static
208 NTSTATUS samba_get_cred_info_ndr_blob(TALLOC_CTX *mem_ctx,
209 const struct ldb_message *msg,
210 DATA_BLOB *cred_blob)
211 {
212 enum ndr_err_code ndr_err;
213 NTSTATUS nt_status;
214 struct samr_Password *lm_hash = NULL;
215 struct samr_Password *nt_hash = NULL;
216 struct PAC_CREDENTIAL_NTLM_SECPKG ntlm_secpkg = {
217 .version = 0,
218 };
219 DATA_BLOB ntlm_blob = data_blob_null;
220 struct PAC_CREDENTIAL_SUPPLEMENTAL_SECPKG secpkgs[1] = {{
221 .credential_size = 0,
222 }};
223 struct PAC_CREDENTIAL_DATA cred_data = {
224 .credential_count = 0,
225 };
226 struct PAC_CREDENTIAL_DATA_NDR cred_ndr = {};
227
228 *cred_blob = data_blob_null;
229
230 lm_hash = samdb_result_hash(mem_ctx, msg, "dBCSPwd");
231 if (lm_hash != NULL) {
232 bool zero = all_zero(lm_hash->hash, 16);
233 if (zero) {
234 lm_hash = NULL;
235 }
236 }
237 if (lm_hash != NULL) {
238 DBG_INFO("Passing LM password hash through credentials set\n");
239 ntlm_secpkg.flags |= PAC_CREDENTIAL_NTLM_HAS_LM_HASH;
240 ntlm_secpkg.lm_password = *lm_hash;
241 ZERO_STRUCTP(lm_hash);
242 TALLOC_FREE(lm_hash);
243 }
244
245 nt_hash = samdb_result_hash(mem_ctx, msg, "unicodePwd");
246 if (nt_hash != NULL) {
247 bool zero = all_zero(nt_hash->hash, 16);
248 if (zero) {
249 nt_hash = NULL;
250 }
251 }
252 if (nt_hash != NULL) {
253 DBG_INFO("Passing NT password hash through credentials set\n");
254 ntlm_secpkg.flags |= PAC_CREDENTIAL_NTLM_HAS_NT_HASH;
255 ntlm_secpkg.nt_password = *nt_hash;
256 ZERO_STRUCTP(nt_hash);
257 TALLOC_FREE(nt_hash);
258 }
259
260 if (ntlm_secpkg.flags == 0) {
261 return NT_STATUS_OK;
262 }
263
264 #ifdef DEBUG_PASSWORD
265 if (DEBUGLVL(11)) {
266 NDR_PRINT_DEBUG(PAC_CREDENTIAL_NTLM_SECPKG, &ntlm_secpkg);
267 }
268 #endif
269
270 ndr_err = ndr_push_struct_blob(&ntlm_blob, mem_ctx, &ntlm_secpkg,
271 (ndr_push_flags_fn_t)ndr_push_PAC_CREDENTIAL_NTLM_SECPKG);
272 ZERO_STRUCT(ntlm_secpkg);
273 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
274 nt_status = ndr_map_error2ntstatus(ndr_err);
275 DBG_WARNING("PAC_CREDENTIAL_NTLM_SECPKG (presig) push failed: %s\n",
276 nt_errstr(nt_status));
277 return nt_status;
278 }
279
280 DBG_DEBUG("NTLM credential BLOB (len %zu) for user\n",
281 ntlm_blob.length);
282 dump_data_pw("PAC_CREDENTIAL_NTLM_SECPKG",
283 ntlm_blob.data, ntlm_blob.length);
284
285 secpkgs[0].package_name.string = discard_const_p(char, "NTLM");
286 secpkgs[0].credential_size = ntlm_blob.length;
287 secpkgs[0].credential = ntlm_blob.data;
288
289 cred_data.credential_count = ARRAY_SIZE(secpkgs);
290 cred_data.credentials = secpkgs;
291
292 #ifdef DEBUG_PASSWORD
293 if (DEBUGLVL(11)) {
294 NDR_PRINT_DEBUG(PAC_CREDENTIAL_DATA, &cred_data);
295 }
296 #endif
297
298 cred_ndr.ctr.data = &cred_data;
299
300 #ifdef DEBUG_PASSWORD
301 if (DEBUGLVL(11)) {
302 NDR_PRINT_DEBUG(PAC_CREDENTIAL_DATA_NDR, &cred_ndr);
303 }
304 #endif
305
306 ndr_err = ndr_push_struct_blob(cred_blob, mem_ctx, &cred_ndr,
307 (ndr_push_flags_fn_t)ndr_push_PAC_CREDENTIAL_DATA_NDR);
308 data_blob_clear(&ntlm_blob);
309 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
310 nt_status = ndr_map_error2ntstatus(ndr_err);
311 DBG_WARNING("PAC_CREDENTIAL_DATA_NDR (presig) push failed: %s\n",
312 nt_errstr(nt_status));
313 return nt_status;
314 }
315
316 DBG_DEBUG("Created credential BLOB (len %zu) for user\n",
317 cred_blob->length);
318 dump_data_pw("PAC_CREDENTIAL_DATA_NDR",
319 cred_blob->data, cred_blob->length);
320
321 return NT_STATUS_OK;
322 }
323
324 krb5_error_code samba_kdc_encrypt_pac_credentials(krb5_context context,
325 const krb5_keyblock *pkreplykey,
326 const DATA_BLOB *cred_ndr_blob,
327 TALLOC_CTX *mem_ctx,
328 DATA_BLOB *cred_info_blob)
329 {
330 #ifdef SAMBA4_USES_HEIMDAL
331 krb5_crypto cred_crypto;
332 krb5_enctype cred_enctype;
333 krb5_data cred_ndr_crypt;
334 struct PAC_CREDENTIAL_INFO pac_cred_info = { .version = 0, };
335 krb5_error_code ret;
336 const char *krb5err;
337 enum ndr_err_code ndr_err;
338 NTSTATUS nt_status;
339
340 *cred_info_blob = data_blob_null;
341
342 ret = krb5_crypto_init(context, pkreplykey, ETYPE_NULL,
343 &cred_crypto);
344 if (ret != 0) {
345 krb5err = krb5_get_error_message(context, ret);
346 DBG_WARNING("Failed initializing cred data crypto: %s\n", krb5err);
347 krb5_free_error_message(context, krb5err);
348 return ret;
349 }
350
351 ret = krb5_crypto_getenctype(context, cred_crypto, &cred_enctype);
352 if (ret != 0) {
353 DBG_WARNING("Failed getting crypto type for key\n");
354 krb5_crypto_destroy(context, cred_crypto);
355 return ret;
356 }
357
358 DBG_DEBUG("Plain cred_ndr_blob (len %zu)\n",
359 cred_ndr_blob->length);
360 dump_data_pw("PAC_CREDENTIAL_DATA_NDR",
361 cred_ndr_blob->data, cred_ndr_blob->length);
362
363 ret = krb5_encrypt(context, cred_crypto,
364 KRB5_KU_OTHER_ENCRYPTED,
365 cred_ndr_blob->data, cred_ndr_blob->length,
366 &cred_ndr_crypt);
367 krb5_crypto_destroy(context, cred_crypto);
368 if (ret != 0) {
369 krb5err = krb5_get_error_message(context, ret);
370 DBG_WARNING("Failed crypt of cred data: %s\n", krb5err);
371 krb5_free_error_message(context, krb5err);
372 return ret;
373 }
374
375 pac_cred_info.encryption_type = cred_enctype;
376 pac_cred_info.encrypted_data.length = cred_ndr_crypt.length;
377 pac_cred_info.encrypted_data.data = (uint8_t *)cred_ndr_crypt.data;
378
379 if (DEBUGLVL(10)) {
380 NDR_PRINT_DEBUG(PAC_CREDENTIAL_INFO, &pac_cred_info);
381 }
382
383 ndr_err = ndr_push_struct_blob(cred_info_blob, mem_ctx, &pac_cred_info,
384 (ndr_push_flags_fn_t)ndr_push_PAC_CREDENTIAL_INFO);
385 krb5_data_free(&cred_ndr_crypt);
386 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
387 nt_status = ndr_map_error2ntstatus(ndr_err);
388 DBG_WARNING("PAC_CREDENTIAL_INFO (presig) push failed: %s\n",
389 nt_errstr(nt_status));
390 return KRB5KDC_ERR_SVC_UNAVAILABLE;
391 }
392
393 DBG_DEBUG("Encrypted credential BLOB (len %zu) with alg %"PRId32"\n",
394 cred_info_blob->length, pac_cred_info.encryption_type);
395 dump_data_pw("PAC_CREDENTIAL_INFO",
396 cred_info_blob->data, cred_info_blob->length);
397
398 return 0;
399 #else /* SAMBA4_USES_HEIMDAL */
400 krb5_key cred_key;
401 krb5_enctype cred_enctype;
402 struct PAC_CREDENTIAL_INFO pac_cred_info = { .version = 0, };
403 krb5_error_code code;
404 const char *krb5err;
405 enum ndr_err_code ndr_err;
406 NTSTATUS nt_status;
407 krb5_data cred_ndr_data;
408 krb5_enc_data cred_ndr_crypt;
409 size_t enc_len = 0;
410
411 *cred_info_blob = data_blob_null;
412
413 code = krb5_k_create_key(context,
414 pkreplykey,
415 &cred_key);
416 if (code != 0) {
417 krb5err = krb5_get_error_message(context, code);
418 DBG_WARNING("Failed initializing cred data crypto: %s\n", krb5err);
419 krb5_free_error_message(context, krb5err);
420 return code;
421 }
422
423 cred_enctype = krb5_k_key_enctype(context, cred_key);
424
425 DBG_DEBUG("Plain cred_ndr_blob (len %zu)\n",
426 cred_ndr_blob->length);
427 dump_data_pw("PAC_CREDENTIAL_DATA_NDR",
428 cred_ndr_blob->data, cred_ndr_blob->length);
429
430 pac_cred_info.encryption_type = cred_enctype;
431
432 cred_ndr_data = smb_krb5_data_from_blob(*cred_ndr_blob);
433
434 code = krb5_c_encrypt_length(context,
435 cred_enctype,
436 cred_ndr_data.length,
437 &enc_len);
438 if (code != 0) {
439 krb5err = krb5_get_error_message(context, code);
440 DBG_WARNING("Failed initializing cred data crypto: %s\n", krb5err);
441 krb5_free_error_message(context, krb5err);
442 return code;
443 }
444
445 pac_cred_info.encrypted_data = data_blob_talloc_zero(mem_ctx, enc_len);
446 if (pac_cred_info.encrypted_data.data == NULL) {
447 DBG_ERR("Out of memory\n");
448 return ENOMEM;
449 }
450
451 cred_ndr_crypt.ciphertext = smb_krb5_data_from_blob(pac_cred_info.encrypted_data);
452
453 code = krb5_k_encrypt(context,
454 cred_key,
455 KRB5_KU_OTHER_ENCRYPTED,
456 NULL,
457 &cred_ndr_data,
458 &cred_ndr_crypt);
459 krb5_k_free_key(context, cred_key);
460 if (code != 0) {
461 krb5err = krb5_get_error_message(context, code);
462 DBG_WARNING("Failed crypt of cred data: %s\n", krb5err);
463 krb5_free_error_message(context, krb5err);
464 return code;
465 }
466
467 if (DEBUGLVL(10)) {
468 NDR_PRINT_DEBUG(PAC_CREDENTIAL_INFO, &pac_cred_info);
469 }
470
471 ndr_err = ndr_push_struct_blob(cred_info_blob, mem_ctx, &pac_cred_info,
472 (ndr_push_flags_fn_t)ndr_push_PAC_CREDENTIAL_INFO);
473 TALLOC_FREE(pac_cred_info.encrypted_data.data);
474 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
475 nt_status = ndr_map_error2ntstatus(ndr_err);
476 DBG_WARNING("PAC_CREDENTIAL_INFO (presig) push failed: %s\n",
477 nt_errstr(nt_status));
478 return KRB5KDC_ERR_SVC_UNAVAILABLE;
479 }
480
481 DBG_DEBUG("Encrypted credential BLOB (len %zu) with alg %"PRId32"\n",
482 cred_info_blob->length, pac_cred_info.encryption_type);
483 dump_data_pw("PAC_CREDENTIAL_INFO",
484 cred_info_blob->data, cred_info_blob->length);
485
486 return 0;
487 #endif /* SAMBA4_USES_HEIMDAL */
488 }
489
490
491 /**
492 * @brief Create a PAC with the given blobs (logon, credentials, upn and
493 * delegation).
494 *
495 * @param[in] context The KRB5 context to use.
496 *
497 * @param[in] logon_blob Fill the logon info PAC buffer with the given blob,
498 * use NULL to ignore it.
499 *
500 * @param[in] cred_blob Fill the credentials info PAC buffer with the given
501 * blob, use NULL to ignore it.
502 *
503 * @param[in] upn_blob Fill the UPN info PAC buffer with the given blob, use
504 * NULL to ignore it.
505 *
506 * @param[in] deleg_blob Fill the delegation info PAC buffer with the given
507 * blob, use NULL to ignore it.
508 *
509 * @param[in] client_claims_blob Fill the client claims info PAC buffer with the
510 * given blob, use NULL to ignore it.
511 *
512 * @param[in] device_info_blob Fill the device info PAC buffer with the given
513 * blob, use NULL to ignore it.
514 *
515 * @param[in] device_claims_blob Fill the device claims info PAC buffer with the given
516 * blob, use NULL to ignore it.
517 *
518 * @param[in] pac The pac buffer to fill. This should be allocated with
519 * krb5_pac_init() already.
520 *
521 * @returns 0 on success or a corresponding KRB5 error.
522 */
523 krb5_error_code samba_make_krb5_pac(krb5_context context,
524 const DATA_BLOB *logon_blob,
525 const DATA_BLOB *cred_blob,
526 const DATA_BLOB *upn_blob,
527 const DATA_BLOB *pac_attrs_blob,
528 const DATA_BLOB *requester_sid_blob,
529 const DATA_BLOB *deleg_blob,
530 const DATA_BLOB *client_claims_blob,
531 const DATA_BLOB *device_info_blob,
532 const DATA_BLOB *device_claims_blob,
533 krb5_pac pac)
534 {
535 krb5_data logon_data;
536 krb5_error_code ret;
537 char null_byte = '\0';
538 krb5_data null_data = smb_krb5_make_data(&null_byte, 0);
539
540 /* The user account may be set not to want the PAC */
541 if (logon_blob == NULL) {
542 return 0;
543 }
544
545 logon_data = smb_krb5_data_from_blob(*logon_blob);
546 ret = krb5_pac_add_buffer(context, pac, PAC_TYPE_LOGON_INFO, &logon_data);
547 if (ret != 0) {
548 return ret;
549 }
550
551 if (device_info_blob != NULL) {
552 krb5_data device_info_data = smb_krb5_data_from_blob(*device_info_blob);
553 ret = krb5_pac_add_buffer(context, pac,
554 PAC_TYPE_DEVICE_INFO,
555 &device_info_data);
556 if (ret != 0) {
557 return ret;
558 }
559 }
560
561 if (client_claims_blob != NULL) {
562 krb5_data client_claims_data;
563 krb5_data *data = NULL;
564
565 if (client_claims_blob->length != 0) {
566 client_claims_data = smb_krb5_data_from_blob(*client_claims_blob);
567 data = &client_claims_data;
568 } else {
569 data = &null_data;
570 }
571
572 ret = krb5_pac_add_buffer(context, pac,
573 PAC_TYPE_CLIENT_CLAIMS_INFO,
574 data);
575 if (ret != 0) {
576 return ret;
577 }
578 }
579
580 if (device_claims_blob != NULL) {
581 krb5_data device_claims_data = smb_krb5_data_from_blob(*device_claims_blob);
582 ret = krb5_pac_add_buffer(context, pac,
583 PAC_TYPE_DEVICE_CLAIMS_INFO,
584 &device_claims_data);
585 if (ret != 0) {
586 return ret;
587 }
588 }
589
590 if (cred_blob != NULL) {
591 krb5_data cred_data = smb_krb5_data_from_blob(*cred_blob);
592 ret = krb5_pac_add_buffer(context, pac,
593 PAC_TYPE_CREDENTIAL_INFO,
594 &cred_data);
595 if (ret != 0) {
596 return ret;
597 }
598 }
599
600 #ifdef SAMBA4_USES_HEIMDAL
601 /*
602 * null_data will be filled by the generic KDC code in the caller
603 * here we just add it in order to have it before
604 * PAC_TYPE_UPN_DNS_INFO
605 *
606 * Not needed with MIT Kerberos - asn
607 */
608 ret = krb5_pac_add_buffer(context, pac,
609 PAC_TYPE_LOGON_NAME,
610 &null_data);
611 if (ret != 0) {
612 return ret;
613 }
614 #endif
615
616 if (upn_blob != NULL) {
617 krb5_data upn_data = smb_krb5_data_from_blob(*upn_blob);
618 ret = krb5_pac_add_buffer(context, pac,
619 PAC_TYPE_UPN_DNS_INFO,
620 &upn_data);
621 if (ret != 0) {
622 return ret;
623 }
624 }
625
626 if (pac_attrs_blob != NULL) {
627 krb5_data pac_attrs_data = smb_krb5_data_from_blob(*pac_attrs_blob);
628 ret = krb5_pac_add_buffer(context, pac,
629 PAC_TYPE_ATTRIBUTES_INFO,
630 &pac_attrs_data);
631 if (ret != 0) {
632 return ret;
633 }
634 }
635
636 if (requester_sid_blob != NULL) {
637 krb5_data requester_sid_data = smb_krb5_data_from_blob(*requester_sid_blob);
638 ret = krb5_pac_add_buffer(context, pac,
639 PAC_TYPE_REQUESTER_SID,
640 &requester_sid_data);
641 if (ret != 0) {
642 return ret;
643 }
644 }
645
646 if (deleg_blob != NULL) {
647 krb5_data deleg_data = smb_krb5_data_from_blob(*deleg_blob);
648 ret = krb5_pac_add_buffer(context, pac,
649 PAC_TYPE_CONSTRAINED_DELEGATION,
650 &deleg_data);
651 if (ret != 0) {
652 return ret;
653 }
654 }
655
656 return ret;
657 }
658
659 bool samba_princ_needs_pac(const struct samba_kdc_entry *skdc_entry)
660 {
661
662 uint32_t userAccountControl;
663
664 /* The service account may be set not to want the PAC */
665 userAccountControl = ldb_msg_find_attr_as_uint(skdc_entry->msg, "userAccountControl", 0);
666 if (userAccountControl & UF_NO_AUTH_DATA_REQUIRED) {
667 return false;
668 }
669
670 return true;
671 }
672
673 static krb5_error_code samba_client_requested_pac(krb5_context context,
674 const krb5_const_pac pac,
675 TALLOC_CTX *mem_ctx,
676 bool *requested_pac)
677 {
678 enum ndr_err_code ndr_err;
679 krb5_data k5pac_attrs_in;
680 DATA_BLOB pac_attrs_in;
681 union PAC_INFO pac_attrs;
682 krb5_error_code ret;
683
684 *requested_pac = true;
685
686 ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_ATTRIBUTES_INFO,
687 &k5pac_attrs_in);
688 if (ret != 0) {
689 return ret == ENOENT ? 0 : ret;
690 }
691
692 pac_attrs_in = data_blob_const(k5pac_attrs_in.data,
693 k5pac_attrs_in.length);
694
695 ndr_err = ndr_pull_union_blob(&pac_attrs_in, mem_ctx, &pac_attrs,
696 PAC_TYPE_ATTRIBUTES_INFO,
697 (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
698 smb_krb5_free_data_contents(context, &k5pac_attrs_in);
699 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
700 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
701 DBG_ERR("can't parse the PAC ATTRIBUTES_INFO: %s\n", nt_errstr(nt_status));
702 return map_errno_from_nt_status(nt_status);
703 }
704
705 if (pac_attrs.attributes_info.flags & (PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY
706 | PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED)) {
707 *requested_pac = true;
708 } else {
709 *requested_pac = false;
710 }
711
712 return 0;
713 }
714
715 /* Was the krbtgt in this DB (ie, should we check the incoming signature) and was it an RODC */
716 int samba_krbtgt_is_in_db(struct samba_kdc_entry *p,
717 bool *is_in_db,
718 bool *is_trusted)
719 {
720 NTSTATUS status;
721 krb5_error_code ret;
722 int rodc_krbtgt_number, trust_direction;
723 struct dom_sid sid;
724 uint32_t rid;
725
726 trust_direction = ldb_msg_find_attr_as_int(p->msg, "trustDirection", 0);
727
728 if (trust_direction != 0) {
729 /* Domain trust - we cannot check the sig, but we trust it for a correct PAC
730
731 This is exactly where we should flag for SID
732 validation when we do inter-forest trusts
733 */
734 *is_trusted = true;
735 *is_in_db = false;
736 return 0;
737 }
738
739 /* The lack of password controls etc applies to krbtgt by
740 * virtue of being that particular RID */
741 ret = samdb_result_dom_sid_buf(p->msg, "objectSid", &sid);
742 if (ret) {
743 return ret;
744 }
745
746 status = dom_sid_split_rid(NULL, &sid, NULL, &rid);
747 if (!NT_STATUS_IS_OK(status)) {
748 return map_errno_from_nt_status(status);
749 }
750
751 rodc_krbtgt_number = ldb_msg_find_attr_as_int(p->msg, "msDS-SecondaryKrbTgtNumber", -1);
752
753 if (p->kdc_db_ctx->my_krbtgt_number == 0) {
754 if (rid == DOMAIN_RID_KRBTGT) {
755 *is_trusted = true;
756 *is_in_db = true;
757 return 0;
758 } else if (rodc_krbtgt_number != -1) {
759 *is_in_db = true;
760 *is_trusted = false;
761 return 0;
762 }
763 } else if ((rid != DOMAIN_RID_KRBTGT) && (rodc_krbtgt_number == p->kdc_db_ctx->my_krbtgt_number)) {
764 *is_trusted = true;
765 *is_in_db = true;
766 return 0;
767 } else if (rid == DOMAIN_RID_KRBTGT) {
768 /* krbtgt viewed from an RODC */
769 *is_trusted = true;
770 *is_in_db = false;
771 return 0;
772 }
773
774 /* Another RODC */
775 *is_trusted = false;
776 *is_in_db = false;
777 return 0;
778 }
779
780 /*
781 * Because the KDC does not limit protocol transition, two new well-known SIDs
782 * were introduced to give this control to the resource administrator. These
783 * SIDs identify whether protocol transition has occurred, and can be used with
784 * standard access control lists to grant or limit access as needed.
785 *
786 * https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
787 */
788 NTSTATUS samba_kdc_add_asserted_identity(enum samba_asserted_identity ai,
789 struct auth_user_info_dc *user_info_dc)
790 {
791 struct dom_sid ai_sid;
792 const char *sid_str = NULL;
793
794 switch (ai) {
795 case SAMBA_ASSERTED_IDENTITY_SERVICE:
796 sid_str = SID_SERVICE_ASSERTED_IDENTITY;
797 break;
798 case SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY:
799 sid_str = SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY;
800 break;
801 case SAMBA_ASSERTED_IDENTITY_IGNORE:
802 return NT_STATUS_OK;
803 default:
804 return NT_STATUS_INVALID_PARAMETER;
805 }
806
807 if (!dom_sid_parse(sid_str, &ai_sid)) {
808 return NT_STATUS_UNSUCCESSFUL;
809 }
810
811 return add_sid_to_array_attrs_unique(
812 user_info_dc,
813 &ai_sid,
814 SE_GROUP_DEFAULT_FLAGS,
815 &user_info_dc->sids,
816 &user_info_dc->num_sids);
817 }
818
819 NTSTATUS samba_kdc_add_claims_valid(enum samba_claims_valid claims_valid,
820 struct auth_user_info_dc *user_info_dc)
821 {
822 switch (claims_valid) {
823 case SAMBA_CLAIMS_VALID_EXCLUDE:
824 return NT_STATUS_OK;
825 case SAMBA_CLAIMS_VALID_INCLUDE:
826 {
827 struct dom_sid claims_valid_sid;
828
829 if (!dom_sid_parse(SID_CLAIMS_VALID, &claims_valid_sid)) {
830 return NT_STATUS_UNSUCCESSFUL;
831 }
832
833 return add_sid_to_array_attrs_unique(
834 user_info_dc,
835 &claims_valid_sid,
836 SE_GROUP_DEFAULT_FLAGS,
837 &user_info_dc->sids,
838 &user_info_dc->num_sids);
839 }
840 }
841
842 return NT_STATUS_INVALID_PARAMETER;
843 }
844
845 NTSTATUS samba_kdc_add_compounded_auth(enum samba_compounded_auth compounded_auth,
846 struct auth_user_info_dc *user_info_dc)
847 {
848 switch (compounded_auth) {
849 case SAMBA_COMPOUNDED_AUTH_EXCLUDE:
850 return NT_STATUS_OK;
851 case SAMBA_COMPOUNDED_AUTH_INCLUDE:
852 {
853 struct dom_sid compounded_auth_sid;
854
855 if (!dom_sid_parse(SID_COMPOUNDED_AUTHENTICATION, &compounded_auth_sid)) {
856 return NT_STATUS_UNSUCCESSFUL;
857 }
858
859 return add_sid_to_array_attrs_unique(
860 user_info_dc,
861 &compounded_auth_sid,
862 SE_GROUP_DEFAULT_FLAGS,
863 &user_info_dc->sids,
864 &user_info_dc->num_sids);
865 }
866 }
867
868 return NT_STATUS_INVALID_PARAMETER;
869 }
870
871 /*
872 * Look up the user's info in the database and create a auth_user_info_dc
873 * structure. If the resulting structure is not talloc_free()d, it will be
874 * reused on future calls to this function.
875 */
876 NTSTATUS samba_kdc_get_user_info_from_db(struct samba_kdc_entry *skdc_entry,
877 const struct ldb_message *msg,
878 const struct auth_user_info_dc **user_info_dc)
879 {
880 if (skdc_entry->user_info_dc == NULL) {
881 NTSTATUS nt_status;
882 struct loadparm_context *lp_ctx = skdc_entry->kdc_db_ctx->lp_ctx;
883
884 nt_status = authsam_make_user_info_dc(skdc_entry,
885 skdc_entry->kdc_db_ctx->samdb,
886 lpcfg_netbios_name(lp_ctx),
887 lpcfg_sam_name(lp_ctx),
888 lpcfg_sam_dnsname(lp_ctx),
889 skdc_entry->realm_dn,
890 msg,
891 data_blob_null,
892 data_blob_null,
893 &skdc_entry->user_info_dc);
894 if (!NT_STATUS_IS_OK(nt_status)) {
895 return nt_status;
896 }
897 }
898
899 *user_info_dc = skdc_entry->user_info_dc;
900 return NT_STATUS_OK;
901 }
902
903 NTSTATUS samba_kdc_get_logon_info_blob(TALLOC_CTX *mem_ctx,
904 const struct auth_user_info_dc *user_info_dc,
905 const enum auth_group_inclusion group_inclusion,
906 DATA_BLOB **_logon_info_blob)
907 {
908 DATA_BLOB *logon_blob = NULL;
909 NTSTATUS nt_status;
910
911 *_logon_info_blob = NULL;
912
913 logon_blob = talloc_zero(mem_ctx, DATA_BLOB);
914 if (logon_blob == NULL) {
915 return NT_STATUS_NO_MEMORY;
916 }
917
918 nt_status = samba_get_logon_info_pac_blob(logon_blob,
919 user_info_dc,
920 NULL,
921 group_inclusion,
922 logon_blob);
923 if (!NT_STATUS_IS_OK(nt_status)) {
924 DBG_ERR("Building PAC LOGON INFO failed: %s\n",
925 nt_errstr(nt_status));
926 return nt_status;
927 }
928
929 *_logon_info_blob = logon_blob;
930
931 return NT_STATUS_OK;
932 }
933
934 NTSTATUS samba_kdc_get_cred_ndr_blob(TALLOC_CTX *mem_ctx,
935 const struct samba_kdc_entry *p,
936 DATA_BLOB **_cred_ndr_blob)
937 {
938 DATA_BLOB *cred_blob = NULL;
939 NTSTATUS nt_status;
940
941 SMB_ASSERT(_cred_ndr_blob != NULL);
942
943 *_cred_ndr_blob = NULL;
944
945 cred_blob = talloc_zero(mem_ctx, DATA_BLOB);
946 if (cred_blob == NULL) {
947 return NT_STATUS_NO_MEMORY;
948 }
949
950 nt_status = samba_get_cred_info_ndr_blob(cred_blob,
951 p->msg,
952 cred_blob);
953 if (!NT_STATUS_IS_OK(nt_status)) {
954 DBG_ERR("Building PAC CRED INFO failed: %s\n",
955 nt_errstr(nt_status));
956 return nt_status;
957 }
958
959 *_cred_ndr_blob = cred_blob;
960
961 return NT_STATUS_OK;
962 }
963
964 NTSTATUS samba_kdc_get_upn_info_blob(TALLOC_CTX *mem_ctx,
965 const struct auth_user_info_dc *user_info_dc,
966 DATA_BLOB **_upn_info_blob)
967 {
968 DATA_BLOB *upn_blob = NULL;
969 NTSTATUS nt_status;
970
971 *_upn_info_blob = NULL;
972
973 upn_blob = talloc_zero(mem_ctx, DATA_BLOB);
974 if (upn_blob == NULL) {
975 return NT_STATUS_NO_MEMORY;
976 }
977
978 nt_status = samba_get_upn_info_pac_blob(upn_blob,
979 user_info_dc,
980 upn_blob);
981 if (!NT_STATUS_IS_OK(nt_status)) {
982 DBG_ERR("Building PAC UPN INFO failed: %s\n",
983 nt_errstr(nt_status));
984 return nt_status;
985 }
986
987 *_upn_info_blob = upn_blob;
988
989 return NT_STATUS_OK;
990 }
991
992 NTSTATUS samba_kdc_get_pac_attrs_blob(TALLOC_CTX *mem_ctx,
993 uint64_t pac_attributes,
994 DATA_BLOB **_pac_attrs_blob)
995 {
996 DATA_BLOB *pac_attrs_blob = NULL;
997 NTSTATUS nt_status;
998
999 SMB_ASSERT(_pac_attrs_blob != NULL);
1000
1001 *_pac_attrs_blob = NULL;
1002
1003 pac_attrs_blob = talloc_zero(mem_ctx, DATA_BLOB);
1004 if (pac_attrs_blob == NULL) {
1005 return NT_STATUS_NO_MEMORY;
1006 }
1007
1008 nt_status = samba_get_pac_attrs_blob(pac_attrs_blob,
1009 pac_attributes,
1010 pac_attrs_blob);
1011
1012 if (!NT_STATUS_IS_OK(nt_status)) {
1013 DBG_ERR("Building PAC ATTRIBUTES failed: %s\n",
1014 nt_errstr(nt_status));
1015 return nt_status;
1016 }
1017
1018 *_pac_attrs_blob = pac_attrs_blob;
1019
1020 return NT_STATUS_OK;
1021 }
1022
1023 NTSTATUS samba_kdc_get_requester_sid_blob(TALLOC_CTX *mem_ctx,
1024 const struct auth_user_info_dc *user_info_dc,
1025 DATA_BLOB **_requester_sid_blob)
1026 {
1027 DATA_BLOB *requester_sid_blob = NULL;
1028 NTSTATUS nt_status;
1029
1030 SMB_ASSERT(_requester_sid_blob != NULL);
1031
1032 *_requester_sid_blob = NULL;
1033
1034 requester_sid_blob = talloc_zero(mem_ctx, DATA_BLOB);
1035 if (requester_sid_blob == NULL) {
1036 return NT_STATUS_NO_MEMORY;
1037 }
1038
1039 if (user_info_dc->num_sids > 0) {
1040 union PAC_INFO pac_requester_sid = {};
1041 enum ndr_err_code ndr_err;
1042
1043 pac_requester_sid.requester_sid.sid = user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid;
1044
1045 ndr_err = ndr_push_union_blob(requester_sid_blob, requester_sid_blob,
1046 &pac_requester_sid,
1047 PAC_TYPE_REQUESTER_SID,
1048 (ndr_push_flags_fn_t)ndr_push_PAC_INFO);
1049 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1050 nt_status = ndr_map_error2ntstatus(ndr_err);
1051 DBG_WARNING("PAC_REQUESTER_SID (presig) push failed: %s\n",
1052 nt_errstr(nt_status));
1053 DBG_ERR("Building PAC REQUESTER SID failed: %s\n",
1054 nt_errstr(nt_status));
1055
1056 return nt_status;
1057 }
1058 }
1059
1060 *_requester_sid_blob = requester_sid_blob;
1061
1062 return NT_STATUS_OK;
1063 }
1064
1065 NTSTATUS samba_kdc_get_claims_blob(TALLOC_CTX *mem_ctx,
1066 const struct samba_kdc_entry *p,
1067 const DATA_BLOB **_claims_blob)
1068 {
1069 DATA_BLOB *claims_blob = NULL;
1070 NTSTATUS nt_status;
1071 int ret;
1072
1073 SMB_ASSERT(_claims_blob != NULL);
1074
1075 *_claims_blob = NULL;
1076
1077 claims_blob = talloc_zero(mem_ctx, DATA_BLOB);
1078 if (claims_blob == NULL) {
1079 return NT_STATUS_NO_MEMORY;
1080 }
1081
1082 ret = get_claims_blob_for_principal(p->kdc_db_ctx->samdb,
1083 claims_blob,
1084 p->msg,
1085 claims_blob);
1086 if (ret != LDB_SUCCESS) {
1087 nt_status = dsdb_ldb_err_to_ntstatus(ret);
1088 DBG_ERR("Building claims failed: %s\n",
1089 nt_errstr(nt_status));
1090 return nt_status;
1091 }
1092
1093 *_claims_blob = claims_blob;
1094
1095 return NT_STATUS_OK;
1096 }
1097
1098 NTSTATUS samba_kdc_get_user_info_dc(TALLOC_CTX *mem_ctx,
1099 struct samba_kdc_entry *skdc_entry,
1100 enum samba_asserted_identity asserted_identity,
1101 enum samba_claims_valid claims_valid,
1102 enum samba_compounded_auth compounded_auth,
1103 struct auth_user_info_dc **user_info_dc_out)
1104 {
1105 NTSTATUS nt_status;
1106 const struct auth_user_info_dc *user_info_dc_from_db = NULL;
1107 struct auth_user_info_dc *user_info_dc = NULL;
1108
1109 nt_status = samba_kdc_get_user_info_from_db(skdc_entry, skdc_entry->msg, &user_info_dc_from_db);
1110 if (!NT_STATUS_IS_OK(nt_status)) {
1111 DBG_ERR("Getting user info for PAC failed: %s\n",
1112 nt_errstr(nt_status));
1113 return nt_status;
1114 }
1115
1116 /* Make a shallow copy of the user_info_dc structure. */
1117 nt_status = authsam_shallow_copy_user_info_dc(mem_ctx, user_info_dc_from_db, &user_info_dc);
1118 if (!NT_STATUS_IS_OK(nt_status)) {
1119 DBG_ERR("Failed to allocate user_info_dc SIDs: %s\n",
1120 nt_errstr(nt_status));
1121 return nt_status;
1122 }
1123
1124 /* Here we modify the SIDs to add the Asserted Identity SID. */
1125 nt_status = samba_kdc_add_asserted_identity(asserted_identity,
1126 user_info_dc);
1127 if (!NT_STATUS_IS_OK(nt_status)) {
1128 DBG_ERR("Failed to add asserted identity: %s\n",
1129 nt_errstr(nt_status));
1130 return nt_status;
1131 }
1132
1133 nt_status = samba_kdc_add_claims_valid(claims_valid,
1134 user_info_dc);
1135 if (!NT_STATUS_IS_OK(nt_status)) {
1136 DBG_ERR("Failed to add Claims Valid: %s\n",
1137 nt_errstr(nt_status));
1138 return nt_status;
1139 }
1140
1141 nt_status = samba_kdc_add_compounded_auth(compounded_auth,
1142 user_info_dc);
1143 if (!NT_STATUS_IS_OK(nt_status)) {
1144 DBG_ERR("Failed to add Compounded Authentication: %s\n",
1145 nt_errstr(nt_status));
1146 return nt_status;
1147 }
1148
1149 *user_info_dc_out = user_info_dc;
1150
1151 return NT_STATUS_OK;
1152 }
1153
1154 static krb5_error_code samba_kdc_obtain_user_info_dc(TALLOC_CTX *mem_ctx,
1155 krb5_context context,
1156 struct ldb_context *samdb,
1157 const enum auth_group_inclusion group_inclusion,
1158 struct samba_kdc_entry *skdc_entry,
1159 const krb5_const_pac pac,
1160 const bool pac_is_trusted,
1161 struct auth_user_info_dc **user_info_dc_out,
1162 struct PAC_DOMAIN_GROUP_MEMBERSHIP **resource_groups_out)
1163 {
1164 struct auth_user_info_dc *user_info_dc = NULL;
1165 krb5_error_code ret = 0;
1166 NTSTATUS nt_status;
1167
1168 *user_info_dc_out = NULL;
1169 if (resource_groups_out != NULL) {
1170 *resource_groups_out = NULL;
1171 }
1172
1173 if (pac != NULL && pac_is_trusted) {
1174 struct PAC_DOMAIN_GROUP_MEMBERSHIP **resource_groups = NULL;
1175
1176 if (group_inclusion == AUTH_EXCLUDE_RESOURCE_GROUPS) {
1177 /*
1178 * Since we are creating a TGT, resource groups from our domain
1179 * are not to be put into the PAC. Instead, we take the resource
1180 * groups directly from the original PAC and copy them
1181 * unmodified into the new one.
1182 */
1183 resource_groups = resource_groups_out;
1184 }
1185
1186 ret = kerberos_pac_to_user_info_dc(mem_ctx,
1187 pac,
1188 context,
1189 &user_info_dc,
1190 AUTH_EXCLUDE_RESOURCE_GROUPS,
1191 NULL,
1192 NULL,
1193 resource_groups);
1194 if (ret) {
1195 const char *krb5err = krb5_get_error_message(context, ret);
1196 DBG_ERR("kerberos_pac_to_user_info_dc failed: %s\n",
1197 krb5err != NULL ? krb5err : "?");
1198 krb5_free_error_message(context, krb5err);
1199
1200 goto out;
1201 }
1202
1203 /*
1204 * We need to expand group memberships within our local domain,
1205 * as the token might be generated by a trusted domain.
1206 */
1207 nt_status = authsam_update_user_info_dc(mem_ctx,
1208 samdb,
1209 user_info_dc);
1210 if (!NT_STATUS_IS_OK(nt_status)) {
1211 DBG_ERR("authsam_update_user_info_dc failed: %s\n",
1212 nt_errstr(nt_status));
1213
1214 ret = map_errno_from_nt_status(nt_status);
1215 goto out;
1216 }
1217 } else {
1218 if (skdc_entry == NULL) {
1219 ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1220 goto out;
1221 }
1222
1223 /*
1224 * In this case the RWDC discards the PAC an RODC generated.
1225 * Windows adds the asserted_identity in this case too.
1226 *
1227 * Note that SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION
1228 * generates KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN.
1229 * So we can always use
1230 * SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY
1231 * here.
1232 */
1233 nt_status = samba_kdc_get_user_info_dc(mem_ctx,
1234 skdc_entry,
1235 SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
1236 SAMBA_CLAIMS_VALID_EXCLUDE,
1237 SAMBA_COMPOUNDED_AUTH_EXCLUDE,
1238 &user_info_dc);
1239 if (!NT_STATUS_IS_OK(nt_status)) {
1240 DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n",
1241 nt_errstr(nt_status));
1242 ret = KRB5KDC_ERR_TGT_REVOKED;
1243 goto out;
1244 }
1245 }
1246
1247 *user_info_dc_out = user_info_dc;
1248 user_info_dc = NULL;
1249
1250 out:
1251 TALLOC_FREE(user_info_dc);
1252
1253 return ret;
1254 }
1255
1256 static NTSTATUS samba_kdc_update_delegation_info_blob(TALLOC_CTX *mem_ctx,
1257 krb5_context context,
1258 const krb5_const_pac pac,
1259 const krb5_const_principal server_principal,
1260 const krb5_const_principal proxy_principal,
1261 DATA_BLOB *new_blob)
1262 {
1263 krb5_data old_data = {};
1264 DATA_BLOB old_blob;
1265 krb5_error_code ret;
1266 NTSTATUS nt_status;
1267 enum ndr_err_code ndr_err;
1268 union PAC_INFO info = {};
1269 struct PAC_CONSTRAINED_DELEGATION _d = {};
1270 struct PAC_CONSTRAINED_DELEGATION *d = NULL;
1271 char *server = NULL;
1272 char *proxy = NULL;
1273 uint32_t i;
1274 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1275
1276 if (tmp_ctx == NULL) {
1277 return NT_STATUS_NO_MEMORY;
1278 }
1279
1280 ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_CONSTRAINED_DELEGATION, &old_data);
1281 if (ret == ENOENT) {
1282 /* OK. */
1283 } else if (ret) {
1284 talloc_free(tmp_ctx);
1285 return NT_STATUS_UNSUCCESSFUL;
1286 }
1287
1288 old_blob.length = old_data.length;
1289 old_blob.data = (uint8_t *)old_data.data;
1290
1291 if (old_blob.length > 0) {
1292 ndr_err = ndr_pull_union_blob(&old_blob, mem_ctx,
1293 &info, PAC_TYPE_CONSTRAINED_DELEGATION,
1294 (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
1295 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1296 smb_krb5_free_data_contents(context, &old_data);
1297 nt_status = ndr_map_error2ntstatus(ndr_err);
1298 DBG_ERR("can't parse the PAC LOGON_INFO: %s\n", nt_errstr(nt_status));
1299 talloc_free(tmp_ctx);
1300 return nt_status;
1301 }
1302 } else {
1303 info.constrained_delegation.info = &_d;
1304 }
1305 smb_krb5_free_data_contents(context, &old_data);
1306
1307 ret = krb5_unparse_name_flags(context, server_principal,
1308 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &server);
1309 if (ret) {
1310 talloc_free(tmp_ctx);
1311 return NT_STATUS_INTERNAL_ERROR;
1312 }
1313
1314 ret = krb5_unparse_name(context, proxy_principal, &proxy);
1315 if (ret) {
1316 SAFE_FREE(server);
1317 talloc_free(tmp_ctx);
1318 return NT_STATUS_INTERNAL_ERROR;
1319 }
1320
1321 d = info.constrained_delegation.info;
1322 i = d->num_transited_services;
1323 d->proxy_target.string = server;
1324 d->transited_services = talloc_realloc(mem_ctx, d->transited_services,
1325 struct lsa_String, i + 1);
1326 if (d->transited_services == NULL) {
1327 SAFE_FREE(server);
1328 SAFE_FREE(proxy);
1329 talloc_free(tmp_ctx);
1330 return NT_STATUS_INTERNAL_ERROR;
1331 }
1332 d->transited_services[i].string = proxy;
1333 d->num_transited_services = i + 1;
1334
1335 ndr_err = ndr_push_union_blob(new_blob, mem_ctx,
1336 &info, PAC_TYPE_CONSTRAINED_DELEGATION,
1337 (ndr_push_flags_fn_t)ndr_push_PAC_INFO);
1338 SAFE_FREE(server);
1339 SAFE_FREE(proxy);
1340 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1341 smb_krb5_free_data_contents(context, &old_data);
1342 nt_status = ndr_map_error2ntstatus(ndr_err);
1343 DBG_ERR("can't parse the PAC LOGON_INFO: %s\n", nt_errstr(nt_status));
1344 talloc_free(tmp_ctx);
1345 return nt_status;
1346 }
1347
1348 talloc_free(tmp_ctx);
1349 return NT_STATUS_OK;
1350 }
1351
1352 /* function to map policy errors */
1353 krb5_error_code samba_kdc_map_policy_err(NTSTATUS nt_status)
1354 {
1355 krb5_error_code ret;
1356
1357 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_MUST_CHANGE))
1358 ret = KRB5KDC_ERR_KEY_EXP;
1359 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_EXPIRED))
1360 ret = KRB5KDC_ERR_KEY_EXP;
1361 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_EXPIRED))
1362 ret = KRB5KDC_ERR_CLIENT_REVOKED;
1363 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED))
1364 ret = KRB5KDC_ERR_CLIENT_REVOKED;
1365 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_LOGON_HOURS))
1366 ret = KRB5KDC_ERR_CLIENT_REVOKED;
1367 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_LOCKED_OUT))
1368 ret = KRB5KDC_ERR_CLIENT_REVOKED;
1369 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_WORKSTATION))
1370 ret = KRB5KDC_ERR_POLICY;
1371 else
1372 ret = KRB5KDC_ERR_POLICY;
1373
1374 return ret;
1375 }
1376
1377 /* Given a kdc entry, consult the account_ok routine in auth/auth_sam.c
1378 * for consistency */
1379 NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry,
1380 const char *client_name,
1381 const char *workstation,
1382 bool password_change)
1383 {
1384 TALLOC_CTX *tmp_ctx;
1385 NTSTATUS nt_status;
1386
1387 tmp_ctx = talloc_named(NULL, 0, "samba_kdc_check_client_access");
1388 if (!tmp_ctx) {
1389 return NT_STATUS_NO_MEMORY;
1390 }
1391
1392 /* we allow all kinds of trusts here */
1393 nt_status = authsam_account_ok(tmp_ctx,
1394 kdc_entry->kdc_db_ctx->samdb,
1395 MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
1396 MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
1397 kdc_entry->realm_dn, kdc_entry->msg,
1398 workstation, client_name,
1399 true, password_change);
1400
1401 kdc_entry->reject_status = nt_status;
1402 talloc_free(tmp_ctx);
1403 return nt_status;
1404 }
1405
1406 static krb5_error_code samba_get_requester_sid(TALLOC_CTX *mem_ctx,
1407 krb5_const_pac pac,
1408 krb5_context context,
1409 struct dom_sid *sid)
1410 {
1411 NTSTATUS nt_status;
1412 enum ndr_err_code ndr_err;
1413 krb5_error_code ret;
1414
1415 DATA_BLOB pac_requester_sid_in;
1416 krb5_data k5pac_requester_sid_in;
1417
1418 union PAC_INFO info;
1419
1420 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1421 if (tmp_ctx == NULL) {
1422 return ENOMEM;
1423 }
1424
1425 ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_REQUESTER_SID,
1426 &k5pac_requester_sid_in);
1427 if (ret != 0) {
1428 talloc_free(tmp_ctx);
1429 return ret;
1430 }
1431
1432 pac_requester_sid_in = data_blob_const(k5pac_requester_sid_in.data,
1433 k5pac_requester_sid_in.length);
1434
1435 ndr_err = ndr_pull_union_blob(&pac_requester_sid_in, tmp_ctx, &info,
1436 PAC_TYPE_REQUESTER_SID,
1437 (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
1438 smb_krb5_free_data_contents(context, &k5pac_requester_sid_in);
1439 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1440 nt_status = ndr_map_error2ntstatus(ndr_err);
1441 DBG_ERR("can't parse the PAC REQUESTER_SID: %s\n", nt_errstr(nt_status));
1442 talloc_free(tmp_ctx);
1443 return map_errno_from_nt_status(nt_status);
1444 }
1445
1446 *sid = info.requester_sid.sid;
1447
1448 talloc_free(tmp_ctx);
1449 return 0;
1450 }
1451
1452 /* Does a parse and SID check, but no crypto. */
1453 static krb5_error_code samba_kdc_validate_pac_blob(
1454 krb5_context context,
1455 const struct samba_kdc_entry *client_skdc_entry,
1456 const krb5_const_pac pac)
1457 {
1458 TALLOC_CTX *frame = talloc_stackframe();
1459 struct auth_user_info_dc *pac_user_info = NULL;
1460 struct dom_sid client_sid;
1461 struct dom_sid pac_sid;
1462 krb5_error_code code;
1463 bool ok;
1464
1465 /*
1466 * First, try to get the SID from the requester SID buffer in the PAC.
1467 */
1468 code = samba_get_requester_sid(frame, pac, context, &pac_sid);
1469
1470 if (code == ENOENT) {
1471 /*
1472 * If the requester SID buffer isn't present, fall back to the
1473 * SID in the LOGON_INFO PAC buffer.
1474 */
1475 code = kerberos_pac_to_user_info_dc(frame,
1476 pac,
1477 context,
1478 &pac_user_info,
1479 AUTH_EXCLUDE_RESOURCE_GROUPS,
1480 NULL,
1481 NULL,
1482 NULL);
1483 if (code != 0) {
1484 goto out;
1485 }
1486
1487 if (pac_user_info->num_sids == 0) {
1488 code = EINVAL;
1489 goto out;
1490 }
1491
1492 pac_sid = pac_user_info->sids[PRIMARY_USER_SID_INDEX].sid;
1493 } else if (code != 0) {
1494 goto out;
1495 }
1496
1497 code = samdb_result_dom_sid_buf(client_skdc_entry->msg,
1498 "objectSid",
1499 &client_sid);
1500 if (code) {
1501 goto out;
1502 }
1503
1504 ok = dom_sid_equal(&pac_sid, &client_sid);
1505 if (!ok) {
1506 struct dom_sid_buf buf1;
1507 struct dom_sid_buf buf2;
1508
1509 DBG_ERR("SID mismatch between PAC and looked up client: "
1510 "PAC[%s] != CLI[%s]\n",
1511 dom_sid_str_buf(&pac_sid, &buf1),
1512 dom_sid_str_buf(&client_sid, &buf2));
1513 code = KRB5KDC_ERR_TGT_REVOKED;
1514 goto out;
1515 }
1516
1517 code = 0;
1518 out:
1519 TALLOC_FREE(frame);
1520 return code;
1521 }
1522
1523
1524 /*
1525 * In the RODC case, to confirm that the returned user is permitted to
1526 * be replicated to the KDC (krbgtgt_xxx user) represented by *rodc
1527 */
1528 static WERROR samba_rodc_confirm_user_is_allowed(uint32_t num_object_sids,
1529 const struct dom_sid *object_sids,
1530 const struct samba_kdc_entry *rodc,
1531 const struct samba_kdc_entry *object)
1532 {
1533 int ret;
1534 WERROR werr;
1535 TALLOC_CTX *frame = talloc_stackframe();
1536 const char *rodc_attrs[] = { "msDS-KrbTgtLink",
1537 "msDS-NeverRevealGroup",
1538 "msDS-RevealOnDemandGroup",
1539 "userAccountControl",
1540 "objectSid",
1541 NULL };
1542 struct ldb_result *rodc_machine_account = NULL;
1543 struct ldb_dn *rodc_machine_account_dn = samdb_result_dn(rodc->kdc_db_ctx->samdb,
1544 frame,
1545 rodc->msg,
1546 "msDS-KrbTgtLinkBL",
1547 NULL);
1548 const struct dom_sid *rodc_machine_account_sid = NULL;
1549
1550 if (rodc_machine_account_dn == NULL) {
1551 DBG_ERR("krbtgt account %s has no msDS-KrbTgtLinkBL to find RODC machine account for allow/deny list\n",
1552 ldb_dn_get_linearized(rodc->msg->dn));
1553 TALLOC_FREE(frame);
1554 return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
1555 }
1556
1557 /*
1558 * Follow the link and get the RODC account (the krbtgt
1559 * account is the krbtgt_XXX account, but the
1560 * msDS-NeverRevealGroup and msDS-RevealOnDemandGroup is on
1561 * the RODC$ account)
1562 *
1563 * We need DSDB_SEARCH_SHOW_EXTENDED_DN as we get a SID lists
1564 * out of the extended DNs
1565 */
1566
1567 ret = dsdb_search_dn(rodc->kdc_db_ctx->samdb,
1568 frame,
1569 &rodc_machine_account,
1570 rodc_machine_account_dn,
1571 rodc_attrs,
1572 DSDB_SEARCH_SHOW_EXTENDED_DN);
1573 if (ret != LDB_SUCCESS) {
1574 DBG_ERR("Failed to fetch RODC machine account %s pointed to by %s to check allow/deny list: %s\n",
1575 ldb_dn_get_linearized(rodc_machine_account_dn),
1576 ldb_dn_get_linearized(rodc->msg->dn),
1577 ldb_errstring(rodc->kdc_db_ctx->samdb));
1578 TALLOC_FREE(frame);
1579 return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
1580 }
1581
1582 if (rodc_machine_account->count != 1) {
1583 DBG_ERR("Failed to fetch RODC machine account %s pointed to by %s to check allow/deny list: (%d)\n",
1584 ldb_dn_get_linearized(rodc_machine_account_dn),
1585 ldb_dn_get_linearized(rodc->msg->dn),
1586 rodc_machine_account->count);
1587 TALLOC_FREE(frame);
1588 return WERR_DS_DRA_BAD_DN;
1589 }
1590
1591 /* if the object SID is equal to the user_sid, allow */
1592 rodc_machine_account_sid = samdb_result_dom_sid(frame,
1593 rodc_machine_account->msgs[0],
1594 "objectSid");
1595 if (rodc_machine_account_sid == NULL) {
1596 TALLOC_FREE(frame);
1597 return WERR_DS_DRA_BAD_DN;
1598 }
1599
1600 werr = samdb_confirm_rodc_allowed_to_repl_to_sid_list(rodc->kdc_db_ctx->samdb,
1601 rodc_machine_account_sid,
1602 rodc_machine_account->msgs[0],
1603 object->msg,
1604 num_object_sids,
1605 object_sids);
1606
1607 TALLOC_FREE(frame);
1608 return werr;
1609 }
1610
1611 /*
1612 * Perform an access check for the client attempting to authenticate to the
1613 * server. ‘client_info’ must be talloc-allocated so that we can make a
1614 * reference to it.
1615 */
1616 krb5_error_code samba_kdc_allowed_to_authenticate_to(TALLOC_CTX *mem_ctx,
1617 struct ldb_context *samdb,
1618 struct loadparm_context *lp_ctx,
1619 const struct samba_kdc_entry *client,
1620 const struct auth_user_info_dc *client_info,
1621 const struct samba_kdc_entry *server,
1622 struct authn_audit_info **server_audit_info_out,
1623 NTSTATUS *status_out)
1624 {
1625 krb5_error_code ret = 0;
1626 NTSTATUS status;
1627 _UNUSED_ NTSTATUS _status;
1628 struct dom_sid server_sid = {};
1629 const struct authn_server_policy *server_policy = server->server_policy;
1630
1631 if (status_out != NULL) {
1632 *status_out = NT_STATUS_OK;
1633 }
1634
1635 ret = samdb_result_dom_sid_buf(server->msg, "objectSid", &server_sid);
1636 if (ret) {
1637 /*
1638 * Ignore the return status — we are already in an error path,
1639 * and overwriting the real error code with the audit info
1640 * status is unhelpful.
1641 */
1642 _status = authn_server_policy_audit_info(mem_ctx,
1643 server_policy,
1644 client_info,
1645 AUTHN_AUDIT_EVENT_OTHER_ERROR,
1646 AUTHN_AUDIT_REASON_NONE,
1647 dsdb_ldb_err_to_ntstatus(ret),
1648 server_audit_info_out);
1649 goto out;
1650 }
1651
1652 if (dom_sid_equal(&client_info->sids[PRIMARY_USER_SID_INDEX].sid, &server_sid)) {
1653 /* Authenticating to ourselves is always allowed. */
1654 status = authn_server_policy_audit_info(mem_ctx,
1655 server_policy,
1656 client_info,
1657 AUTHN_AUDIT_EVENT_OK,
1658 AUTHN_AUDIT_REASON_NONE,
1659 NT_STATUS_OK,
1660 server_audit_info_out);
1661 if (!NT_STATUS_IS_OK(status)) {
1662 ret = KRB5KRB_ERR_GENERIC;
1663 }
1664 goto out;
1665 }
1666
1667 status = authn_policy_authenticate_to_service(mem_ctx,
1668 samdb,
1669 lp_ctx,
1670 AUTHN_POLICY_AUTH_TYPE_KERBEROS,
1671 client_info,
1672 server_policy,
1673 server_audit_info_out);
1674 if (!NT_STATUS_IS_OK(status)) {
1675 if (status_out != NULL) {
1676 *status_out = status;
1677 }
1678 if (NT_STATUS_EQUAL(status, NT_STATUS_AUTHENTICATION_FIREWALL_FAILED)) {
1679 ret = KRB5KDC_ERR_POLICY;
1680 } else if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
1681 ret = KRB5KDC_ERR_POLICY;
1682 } else {
1683 ret = KRB5KRB_ERR_GENERIC;
1684 }
1685 }
1686
1687 out:
1688 return ret;
1689 }
1690
1691 static krb5_error_code samba_kdc_add_domain_group_sid(TALLOC_CTX *mem_ctx,
1692 struct PAC_DEVICE_INFO *info,
1693 const struct netr_SidAttr *sid)
1694 {
1695 uint32_t i;
1696 uint32_t rid;
1697 NTSTATUS status;
1698
1699 struct PAC_DOMAIN_GROUP_MEMBERSHIP *domain_group = NULL;
1700
1701 for (i = 0; i < info->domain_group_count; ++i) {
1702 struct PAC_DOMAIN_GROUP_MEMBERSHIP *this_domain_group
1703 = &info->domain_groups[i];
1704
1705 if (dom_sid_in_domain(this_domain_group->domain_sid, sid->sid)) {
1706 domain_group = this_domain_group;
1707 break;
1708 }
1709 }
1710
1711 if (domain_group == NULL) {
1712 info->domain_groups = talloc_realloc(
1713 mem_ctx,
1714 info->domain_groups,
1715 struct PAC_DOMAIN_GROUP_MEMBERSHIP,
1716 info->domain_group_count + 1);
1717 if (info->domain_groups == NULL) {
1718 return ENOMEM;
1719 }
1720
1721 domain_group = &info->domain_groups[
1722 info->domain_group_count++];
1723
1724 domain_group->domain_sid = NULL;
1725
1726 domain_group->groups.count = 0;
1727 domain_group->groups.rids = NULL;
1728
1729 status = dom_sid_split_rid(info->domain_groups,
1730 sid->sid,
1731 &domain_group->domain_sid,
1732 &rid);
1733 if (!NT_STATUS_IS_OK(status)) {
1734 return map_errno_from_nt_status(status);
1735 }
1736 } else {
1737 status = dom_sid_split_rid(NULL,
1738 sid->sid,
1739 NULL,
1740 &rid);
1741 if (!NT_STATUS_IS_OK(status)) {
1742 return map_errno_from_nt_status(status);
1743 }
1744 }
1745
1746 domain_group->groups.rids = talloc_realloc(info->domain_groups,
1747 domain_group->groups.rids,
1748 struct samr_RidWithAttribute,
1749 domain_group->groups.count + 1);
1750 if (domain_group->groups.rids == NULL) {
1751 return ENOMEM;
1752 }
1753
1754 domain_group->groups.rids[domain_group->groups.count].rid = rid;
1755 domain_group->groups.rids[domain_group->groups.count].attributes = sid->attributes;
1756
1757 ++domain_group->groups.count;
1758
1759 return 0;
1760 }
1761
1762 static krb5_error_code samba_kdc_make_device_info(TALLOC_CTX *mem_ctx,
1763 const struct netr_SamInfo3 *info3,
1764 struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups,
1765 union PAC_INFO *info)
1766 {
1767 struct PAC_DEVICE_INFO *device_info = NULL;
1768 uint32_t i;
1769
1770 *info = (union PAC_INFO) {};
1771
1772 info->device_info.info = NULL;
1773
1774 device_info = talloc(mem_ctx, struct PAC_DEVICE_INFO);
1775 if (device_info == NULL) {
1776 return ENOMEM;
1777 }
1778
1779 device_info->rid = info3->base.rid;
1780 device_info->primary_gid = info3->base.primary_gid;
1781 device_info->domain_sid = info3->base.domain_sid;
1782 device_info->groups = info3->base.groups;
1783
1784 device_info->sid_count = 0;
1785 device_info->sids = NULL;
1786
1787 if (resource_groups != NULL) {
1788 /*
1789 * The account's resource groups all belong to the same domain,
1790 * so we can add them all in one go.
1791 */
1792 device_info->domain_group_count = 1;
1793 device_info->domain_groups = talloc_move(mem_ctx, &resource_groups);
1794 } else {
1795 device_info->domain_group_count = 0;
1796 device_info->domain_groups = NULL;
1797 }
1798
1799 for (i = 0; i < info3->sidcount; ++i) {
1800 const struct netr_SidAttr *device_sid = &info3->sids[i];
1801
1802 if (dom_sid_has_account_domain(device_sid->sid)) {
1803 krb5_error_code ret = samba_kdc_add_domain_group_sid(mem_ctx, device_info, device_sid);
1804 if (ret != 0) {
1805 return ret;
1806 }
1807 } else {
1808 device_info->sids = talloc_realloc(mem_ctx, device_info->sids,
1809 struct netr_SidAttr,
1810 device_info->sid_count + 1);
1811 if (device_info->sids == NULL) {
1812 return ENOMEM;
1813 }
1814
1815 device_info->sids[device_info->sid_count].sid = dom_sid_dup(device_info->sids, device_sid->sid);
1816 if (device_info->sids[device_info->sid_count].sid == NULL) {
1817 return ENOMEM;
1818 }
1819
1820 device_info->sids[device_info->sid_count].attributes = device_sid->attributes;
1821
1822 ++device_info->sid_count;
1823 }
1824 }
1825
1826 info->device_info.info = device_info;
1827
1828 return 0;
1829 }
1830
1831 static krb5_error_code samba_kdc_update_device_info(TALLOC_CTX *mem_ctx,
1832 struct ldb_context *samdb,
1833 const union PAC_INFO *logon_info,
1834 struct PAC_DEVICE_INFO *device_info)
1835 {
1836 NTSTATUS nt_status;
1837 struct auth_user_info_dc *device_info_dc = NULL;
1838 union netr_Validation validation;
1839 uint32_t i;
1840 uint32_t num_existing_sids;
1841
1842 /*
1843 * This does a bit of unnecessary work, setting up fields we don't care
1844 * about -- we only want the SIDs.
1845 */
1846 validation.sam3 = &logon_info->logon_info.info->info3;
1847 nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation,
1848 true, /* This user was authenticated */
1849 &device_info_dc);
1850 if (!NT_STATUS_IS_OK(nt_status)) {
1851 return map_errno_from_nt_status(nt_status);
1852 }
1853
1854 num_existing_sids = device_info_dc->num_sids;
1855
1856 /*
1857 * We need to expand group memberships within our local domain,
1858 * as the token might be generated by a trusted domain.
1859 */
1860 nt_status = authsam_update_user_info_dc(mem_ctx,
1861 samdb,
1862 device_info_dc);
1863 if (!NT_STATUS_IS_OK(nt_status)) {
1864 return map_errno_from_nt_status(nt_status);
1865 }
1866
1867 for (i = num_existing_sids; i < device_info_dc->num_sids; ++i) {
1868 struct auth_SidAttr *device_sid = &device_info_dc->sids[i];
1869 const struct netr_SidAttr sid = (struct netr_SidAttr) {
1870 .sid = &device_sid->sid,
1871 .attributes = device_sid->attrs,
1872 };
1873
1874 krb5_error_code ret = samba_kdc_add_domain_group_sid(mem_ctx, device_info, &sid);
1875 if (ret != 0) {
1876 return ret;
1877 }
1878 }
1879
1880 return 0;
1881 }
1882
1883 static krb5_error_code samba_kdc_get_device_info_pac_blob(TALLOC_CTX *mem_ctx,
1884 union PAC_INFO *info,
1885 DATA_BLOB **device_info_blob)
1886 {
1887 enum ndr_err_code ndr_err;
1888
1889 *device_info_blob = talloc_zero(mem_ctx, DATA_BLOB);
1890 if (*device_info_blob == NULL) {
1891 DBG_ERR("Out of memory\n");
1892 return ENOMEM;
1893 }
1894
1895 ndr_err = ndr_push_union_blob(*device_info_blob, *device_info_blob,
1896 info, PAC_TYPE_DEVICE_INFO,
1897 (ndr_push_flags_fn_t)ndr_push_PAC_INFO);
1898 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1899 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
1900 DBG_WARNING("PAC_DEVICE_INFO (presig) push failed: %s\n",
1901 nt_errstr(nt_status));
1902 return map_errno_from_nt_status(nt_status);
1903 }
1904
1905 return 0;
1906 }
1907
1908 static krb5_error_code samba_kdc_create_device_info_blob(TALLOC_CTX *mem_ctx,
1909 krb5_context context,
1910 struct ldb_context *samdb,
1911 const krb5_const_pac device_pac,
1912 DATA_BLOB **device_info_blob)
1913 {
1914 TALLOC_CTX *frame = NULL;
1915 krb5_data device_logon_info;
1916 krb5_error_code code = EINVAL;
1917 NTSTATUS nt_status;
1918
1919 union PAC_INFO info;
1920 enum ndr_err_code ndr_err;
1921 DATA_BLOB device_logon_info_blob;
1922
1923 union PAC_INFO logon_info;
1924
1925 code = krb5_pac_get_buffer(context, device_pac,
1926 PAC_TYPE_LOGON_INFO,
1927 &device_logon_info);
1928 if (code != 0) {
1929 if (code == ENOENT) {
1930 DBG_ERR("Device PAC is missing LOGON_INFO\n");
1931 } else {
1932 DBG_ERR("Error getting LOGON_INFO from device PAC\n");
1933 }
1934 return code;
1935 }
1936
1937 frame = talloc_stackframe();
1938
1939 device_logon_info_blob = data_blob_const(device_logon_info.data,
1940 device_logon_info.length);
1941
1942 ndr_err = ndr_pull_union_blob(&device_logon_info_blob, frame, &logon_info,
1943 PAC_TYPE_LOGON_INFO,
1944 (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
1945 smb_krb5_free_data_contents(context, &device_logon_info);
1946 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1947 nt_status = ndr_map_error2ntstatus(ndr_err);
1948 DBG_ERR("can't parse device PAC LOGON_INFO: %s\n",
1949 nt_errstr(nt_status));
1950 talloc_free(frame);
1951 return map_errno_from_nt_status(nt_status);
1952 }
1953
1954 /*
1955 * When creating the device info structure, existing resource groups are
1956 * discarded.
1957 */
1958 code = samba_kdc_make_device_info(frame,
1959 &logon_info.logon_info.info->info3,
1960 NULL, /* resource_groups */
1961 &info);
1962 if (code != 0) {
1963 talloc_free(frame);
1964 return code;
1965 }
1966
1967 code = samba_kdc_update_device_info(frame,
1968 samdb,
1969 &logon_info,
1970 info.device_info.info);
1971 if (code != 0) {
1972 talloc_free(frame);
1973 return code;
1974 }
1975
1976 code = samba_kdc_get_device_info_pac_blob(mem_ctx,
1977 &info,
1978 device_info_blob);
1979
1980 talloc_free(frame);
1981 return code;
1982 }
1983
1984 static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx,
1985 struct samba_kdc_entry *device,
1986 DATA_BLOB **device_info_blob)
1987 {
1988 TALLOC_CTX *frame = NULL;
1989 krb5_error_code code = EINVAL;
1990 NTSTATUS nt_status;
1991
1992 struct auth_user_info_dc *device_info_dc = NULL;
1993 struct netr_SamInfo3 *info3 = NULL;
1994 struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups = NULL;
1995
1996 union PAC_INFO info;
1997
1998 frame = talloc_stackframe();
1999
2000 nt_status = samba_kdc_get_user_info_dc(frame,
2001 device,
2002 SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
2003 SAMBA_CLAIMS_VALID_INCLUDE,
2004 SAMBA_COMPOUNDED_AUTH_EXCLUDE,
2005 &device_info_dc);
2006 if (!NT_STATUS_IS_OK(nt_status)) {
2007 DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n",
2008 nt_errstr(nt_status));
2009 talloc_free(frame);
2010 return KRB5KDC_ERR_TGT_REVOKED;
2011 }
2012
2013 nt_status = auth_convert_user_info_dc_saminfo3(frame, device_info_dc,
2014 AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED,
2015 &info3,
2016 &resource_groups);
2017 if (!NT_STATUS_IS_OK(nt_status)) {
2018 DBG_WARNING("Getting Samba info failed: %s\n",
2019 nt_errstr(nt_status));
2020 talloc_free(frame);
2021 return nt_status_to_krb5(nt_status);
2022 }
2023
2024 code = samba_kdc_make_device_info(frame,
2025 info3,
2026 resource_groups,
2027 &info);
2028 if (code != 0) {
2029 talloc_free(frame);
2030 return code;
2031 }
2032
2033 code = samba_kdc_get_device_info_pac_blob(mem_ctx,
2034 &info,
2035 device_info_blob);
2036
2037 talloc_free(frame);
2038 return code;
2039 }
2040
2041 /**
2042 * @brief Verify a PAC
2043 *
2044 * @param mem_ctx A talloc memory context
2045 *
2046 * @param context A krb5 context
2047 *
2048 * @param flags Bitwise OR'ed flags
2049 *
2050 * @param client The client samba kdc entry.
2051
2052 * @param krbtgt The krbtgt samba kdc entry.
2053 *
2054 * @param device The computer's samba kdc entry; used for compound
2055 * authentication.
2056
2057 * @param device_pac The PAC from the computer's TGT; used
2058 * for compound authentication.
2059
2060 * @param pac The PAC
2061
2062 * @return A Kerberos error code.
2063 */
2064 krb5_error_code samba_kdc_verify_pac(TALLOC_CTX *mem_ctx,
2065 krb5_context context,
2066 uint32_t flags,
2067 struct samba_kdc_entry *client,
2068 const struct samba_kdc_entry *krbtgt,
2069 const struct samba_kdc_entry *device,
2070 const krb5_const_pac *device_pac,
2071 const krb5_const_pac pac)
2072 {
2073 krb5_error_code code = EINVAL;
2074 NTSTATUS nt_status;
2075 bool is_trusted = flags & SAMBA_KDC_FLAG_KRBTGT_IS_TRUSTED;
2076
2077 struct pac_blobs pac_blobs;
2078 pac_blobs_init(&pac_blobs);
2079
2080 if (client != NULL) {
2081 /*
2082 * Check the objectSID of the client and pac data are the same.
2083 * Does a parse and SID check, but no crypto.
2084 */
2085 code = samba_kdc_validate_pac_blob(context,
2086 client,
2087 pac);
2088 if (code != 0) {
2089 goto done;
2090 }
2091 }
2092
2093 if (device != NULL) {
2094 SMB_ASSERT(*device_pac != NULL);
2095
2096 /*
2097 * Check the objectSID of the device and pac data are the same.
2098 * Does a parse and SID check, but no crypto.
2099 */
2100 code = samba_kdc_validate_pac_blob(context,
2101 device,
2102 *device_pac);
2103 if (code != 0) {
2104 goto done;
2105 }
2106 }
2107
2108 if (!is_trusted) {
2109 const struct auth_user_info_dc *user_info_dc = NULL;
2110 WERROR werr;
2111
2112 struct dom_sid *object_sids = NULL;
2113 uint32_t j;
2114
2115 if (client == NULL) {
2116 code = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
2117 goto done;
2118 }
2119
2120 nt_status = samba_kdc_get_user_info_from_db(client, client->msg, &user_info_dc);
2121 if (!NT_STATUS_IS_OK(nt_status)) {
2122 DBG_ERR("Getting user info for PAC failed: %s\n",
2123 nt_errstr(nt_status));
2124 code = KRB5KDC_ERR_TGT_REVOKED;
2125 goto done;
2126 }
2127
2128 /*
2129 * Check if the SID list in the user_info_dc intersects
2130 * correctly with the RODC allow/deny lists.
2131 */
2132 object_sids = talloc_array(mem_ctx, struct dom_sid, user_info_dc->num_sids);
2133 if (object_sids == NULL) {
2134 code = ENOMEM;
2135 goto done;
2136 }
2137
2138 for (j = 0; j < user_info_dc->num_sids; ++j) {
2139 object_sids[j] = user_info_dc->sids[j].sid;
2140 }
2141
2142 werr = samba_rodc_confirm_user_is_allowed(user_info_dc->num_sids,
2143 object_sids,
2144 krbtgt,
2145 client);
2146 TALLOC_FREE(object_sids);
2147 if (!W_ERROR_IS_OK(werr)) {
2148 code = KRB5KDC_ERR_TGT_REVOKED;
2149 if (W_ERROR_EQUAL(werr,
2150 WERR_DOMAIN_CONTROLLER_NOT_FOUND)) {
2151 code = KRB5KDC_ERR_POLICY;
2152 }
2153 goto done;
2154 }
2155
2156 /*
2157 * The RODC PAC data isn't trusted for authorization as it may
2158 * be stale. The only thing meaningful we can do with an RODC
2159 * account on a full DC is exchange the RODC TGT for a 'real'
2160 * TGT.
2161 *
2162 * So we match Windows (at least server 2022) and
2163 * don't allow S4U2Self.
2164 *
2165 * https://lists.samba.org/archive/cifs-protocol/2022-April/003673.html
2166 */
2167 if (flags & SAMBA_KDC_FLAG_PROTOCOL_TRANSITION) {
2168 code = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
2169 goto done;
2170 }
2171 }
2172
2173 /* Check the types of the given PAC */
2174
2175 code = pac_blobs_from_krb5_pac(&pac_blobs,
2176 mem_ctx,
2177 context,
2178 pac);
2179 if (code != 0) {
2180 goto done;
2181 }
2182
2183 code = pac_blobs_ensure_exists(&pac_blobs,
2184 PAC_TYPE_LOGON_INFO);
2185 if (code != 0) {
2186 goto done;
2187 }
2188
2189 code = pac_blobs_ensure_exists(&pac_blobs,
2190 PAC_TYPE_LOGON_NAME);
2191 if (code != 0) {
2192 goto done;
2193 }
2194
2195 code = pac_blobs_ensure_exists(&pac_blobs,
2196 PAC_TYPE_SRV_CHECKSUM);
2197 if (code != 0) {
2198 goto done;
2199 }
2200
2201 code = pac_blobs_ensure_exists(&pac_blobs,
2202 PAC_TYPE_KDC_CHECKSUM);
2203 if (code != 0) {
2204 goto done;
2205 }
2206
2207 if (!(flags & SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION)) {
2208 code = pac_blobs_ensure_exists(&pac_blobs,
2209 PAC_TYPE_REQUESTER_SID);
2210 if (code != 0) {
2211 code = KRB5KDC_ERR_TGT_REVOKED;
2212 goto done;
2213 }
2214 }
2215
2216 code = 0;
2217
2218 done:
2219 pac_blobs_destroy(&pac_blobs);
2220
2221 return code;
2222 }
2223
2224 /**
2225 * @brief Update a PAC
2226 *
2227 * @param mem_ctx A talloc memory context
2228 *
2229 * @param context A krb5 context
2230 *
2231 * @param samdb An open samdb connection.
2232 *
2233 * @param lp_ctx A loadparm context.
2234 *
2235 * @param flags Bitwise OR'ed flags
2236 *
2237 * @param device_pac_is_trusted Whether the device's PAC was issued by a trusted server,
2238 * as opposed to an RODC.
2239 *
2240 * @param client The client samba kdc entry.
2241 *
2242 * @param client_krbtgt The krbtgt samba kdc entry that verified the client
2243 *
2244 * @param server_principal The server principal
2245 *
2246 * @param server The server samba kdc entry.
2247 *
2248 * @param delegated_proxy_principal The delegated proxy principal used for
2249 * updating the constrained delegation PAC
2250 * buffer.
2251 *
2252 * @param delegated_proxy The delegated proxy kdc entry.
2253 *
2254 * @param delegated_proxy_pac The PAC from the primary TGT (i.e., that of
2255 * the delegating service) during a constrained
2256 * delegation request.
2257 *
2258 * @param device The computer's samba kdc entry; used for compound
2259 * authentication.
2260 *
2261 * @param device_krbtgt The krbtgt samba kdc entry that verified the device
2262 *
2263 * @param device_pac The PAC from the computer's TGT; used
2264 * for compound authentication.
2265 *
2266 * @param old_pac The old PAC
2267 *
2268 * @param new_pac The new already allocated PAC
2269 *
2270 * @return A Kerberos error code. If no PAC should be returned, the code will be
2271 * ENOATTR!
2272 */
2273 krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
2274 krb5_context context,
2275 struct ldb_context *samdb,
2276 struct loadparm_context *lp_ctx,
2277 uint32_t flags,
2278 const struct samba_kdc_entry *client_krbtgt,
2279 struct samba_kdc_entry *client,
2280 const krb5_const_principal server_principal,
2281 const struct samba_kdc_entry *server,
2282 const krb5_const_principal delegated_proxy_principal,
2283 struct samba_kdc_entry *delegated_proxy,
2284 const krb5_const_pac delegated_proxy_pac,
2285 const struct samba_kdc_entry *device_krbtgt,
2286 struct samba_kdc_entry *device,
2287 const krb5_const_pac device_pac,
2288 const krb5_const_pac old_pac,
2289 krb5_pac new_pac,
2290 struct authn_audit_info **server_audit_info_out,
2291 NTSTATUS *status_out)
2292 {
2293 krb5_error_code code = EINVAL;
2294 NTSTATUS nt_status;
2295 DATA_BLOB *pac_blob = NULL;
2296 DATA_BLOB *upn_blob = NULL;
2297 DATA_BLOB *deleg_blob = NULL;
2298 DATA_BLOB *requester_sid_blob = NULL;
2299 const DATA_BLOB *client_claims_blob = NULL;
2300 bool client_pac_is_trusted = flags & SAMBA_KDC_FLAG_KRBTGT_IS_TRUSTED;
2301 bool device_pac_is_trusted = flags & SAMBA_KDC_FLAG_DEVICE_KRBTGT_IS_TRUSTED;
2302 bool delegated_proxy_pac_is_trusted = flags & SAMBA_KDC_FLAG_DELEGATED_PROXY_IS_TRUSTED;
2303 const DATA_BLOB *device_claims_blob = NULL;
2304 DATA_BLOB *device_info_blob = NULL;
2305 bool is_tgs = false;
2306 struct auth_user_info_dc *user_info_dc = NULL;
2307 struct PAC_DOMAIN_GROUP_MEMBERSHIP *_resource_groups = NULL;
2308 enum auth_group_inclusion group_inclusion;
2309 enum samba_compounded_auth compounded_auth;
2310 size_t i = 0;
2311
2312 struct pac_blobs pac_blobs;
2313 pac_blobs_init(&pac_blobs);
2314
2315 if (server_audit_info_out != NULL) {
2316 *server_audit_info_out = NULL;
2317 }
2318
2319 if (status_out != NULL) {
2320 *status_out = NT_STATUS_OK;
2321 }
2322
2323 {
2324 int result = smb_krb5_principal_is_tgs(context, server_principal);
2325 if (result == -1) {
2326 code = ENOMEM;
2327 goto done;
2328 }
2329
2330 is_tgs = result;
2331 }
2332
2333 /* Only include resource groups in a service ticket. */
2334 if (is_tgs) {
2335 group_inclusion = AUTH_EXCLUDE_RESOURCE_GROUPS;
2336 } else if (server->supported_enctypes & KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED) {
2337 group_inclusion = AUTH_INCLUDE_RESOURCE_GROUPS;
2338 } else {
2339 group_inclusion = AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED;
2340 }
2341
2342 if (device != NULL && !is_tgs) {
2343 compounded_auth = SAMBA_COMPOUNDED_AUTH_INCLUDE;
2344 } else {
2345 compounded_auth = SAMBA_COMPOUNDED_AUTH_EXCLUDE;
2346 }
2347
2348 if (device != NULL && !is_tgs) {
2349 SMB_ASSERT(device_pac != NULL);
2350
2351 if (device_pac_is_trusted) {
2352 krb5_data device_claims_data;
2353
2354 /*
2355 * [MS-KILE] 3.3.5.7.4 Compound Identity: the client
2356 * claims from the device PAC become the device claims
2357 * in the new PAC.
2358 */
2359 code = krb5_pac_get_buffer(context, device_pac,
2360 PAC_TYPE_CLIENT_CLAIMS_INFO,
2361 &device_claims_data);
2362 if (code == ENOENT) {
2363 /* no-op */
2364 } else if (code != 0) {
2365 goto done;
2366 } else if (device_krbtgt->is_trust) {
2367 /*
2368 * TODO: we need claim translation over trusts,
2369 * for now we just clear them...
2370 */
2371 device_claims_blob = &data_blob_null;
2372 } else {
2373 DATA_BLOB *device_claims = NULL;
2374
2375 device_claims = talloc_zero(mem_ctx, DATA_BLOB);
2376 if (device_claims == NULL) {
2377 smb_krb5_free_data_contents(context, &device_claims_data);
2378 code = ENOMEM;
2379 goto done;
2380 }
2381
2382 *device_claims = data_blob_talloc(mem_ctx,
2383 device_claims_data.data,
2384 device_claims_data.length);
2385 if (device_claims->data == NULL && device_claims_data.length != 0) {
2386 smb_krb5_free_data_contents(context, &device_claims_data);
2387 code = ENOMEM;
2388 goto done;
2389 }
2390
2391 smb_krb5_free_data_contents(context, &device_claims_data);
2392
2393 device_claims_blob = device_claims;
2394 }
2395
2396 code = samba_kdc_create_device_info_blob(mem_ctx,
2397 context,
2398 samdb,
2399 device_pac,
2400 &device_info_blob);
2401 if (code != 0) {
2402 goto done;
2403 }
2404 } else {
2405 /* Don't trust RODC-issued claims. Regenerate them. */
2406 nt_status = samba_kdc_get_claims_blob(mem_ctx,
2407 device,
2408 &device_claims_blob);
2409 if (!NT_STATUS_IS_OK(nt_status)) {
2410 DBG_ERR("samba_kdc_get_claims_blob failed: %s\n",
2411 nt_errstr(nt_status));
2412 code = map_errno_from_nt_status(nt_status);
2413 goto done;
2414 }
2415
2416 /* Also regenerate device info. */
2417 code = samba_kdc_get_device_info_blob(mem_ctx,
2418 device,
2419 &device_info_blob);
2420 if (code != 0) {
2421 goto done;
2422 }
2423 }
2424 }
2425
2426 if (delegated_proxy_principal != NULL) {
2427 deleg_blob = talloc_zero(mem_ctx, DATA_BLOB);
2428 if (deleg_blob == NULL) {
2429 code = ENOMEM;
2430 goto done;
2431 }
2432
2433 nt_status = samba_kdc_update_delegation_info_blob(
2434 deleg_blob,
2435 context,
2436 old_pac,
2437 server_principal,
2438 delegated_proxy_principal,
2439 deleg_blob);
2440 if (!NT_STATUS_IS_OK(nt_status)) {
2441 DBG_ERR("update delegation info blob failed: %s\n",
2442 nt_errstr(nt_status));
2443 code = map_errno_from_nt_status(nt_status);
2444 goto done;
2445 }
2446 }
2447
2448 code = samba_kdc_obtain_user_info_dc(mem_ctx,
2449 context,
2450 samdb,
2451 group_inclusion,
2452 client,
2453 old_pac,
2454 client_pac_is_trusted,
2455 &user_info_dc,
2456 &_resource_groups);
2457 if (code != 0) {
2458 const char *err_str = krb5_get_error_message(context, code);
2459 DBG_ERR("samba_kdc_obtain_user_info_dc failed: %s\n",
2460 err_str != NULL ? err_str : "<unknown>");
2461 krb5_free_error_message(context, err_str);
2462
2463 goto done;
2464 }
2465
2466 /*
2467 * Enforce the AllowedToAuthenticateTo part of an authentication policy,
2468 * if one is present.
2469 */
2470 if (!is_tgs && authn_policy_restrictions_present(server->server_policy)) {
2471 const struct samba_kdc_entry *auth_entry = NULL;
2472 struct auth_user_info_dc *auth_user_info_dc = NULL;
2473
2474 if (delegated_proxy != NULL) {
2475 auth_entry = delegated_proxy;
2476
2477 code = samba_kdc_obtain_user_info_dc(mem_ctx,
2478 context,
2479 samdb,
2480 AUTH_INCLUDE_RESOURCE_GROUPS,
2481 delegated_proxy,
2482 delegated_proxy_pac,
2483 delegated_proxy_pac_is_trusted,
2484 &auth_user_info_dc,
2485 NULL);
2486 if (code) {
2487 goto done;
2488 }
2489 } else {
2490 auth_entry = client;
2491 auth_user_info_dc = user_info_dc;
2492 }
2493
2494 code = samba_kdc_allowed_to_authenticate_to(mem_ctx,
2495 samdb,
2496 lp_ctx,
2497 auth_entry,
2498 auth_user_info_dc,
2499 server,
2500 server_audit_info_out,
2501 status_out);
2502 if (auth_user_info_dc != user_info_dc) {
2503 talloc_unlink(mem_ctx, auth_user_info_dc);
2504 }
2505 if (code) {
2506 goto done;
2507 }
2508 }
2509
2510 nt_status = samba_kdc_add_compounded_auth(compounded_auth,
2511 user_info_dc);
2512 if (!NT_STATUS_IS_OK(nt_status)) {
2513 DBG_ERR("Failed to add Compounded Authentication: %s\n",
2514 nt_errstr(nt_status));
2515
2516 code = KRB5KDC_ERR_TGT_REVOKED;
2517 goto done;
2518 }
2519
2520 if (client_pac_is_trusted) {
2521 pac_blob = talloc_zero(mem_ctx, DATA_BLOB);
2522 if (pac_blob == NULL) {
2523 code = ENOMEM;
2524 goto done;
2525 }
2526
2527 nt_status = samba_get_logon_info_pac_blob(mem_ctx,
2528 user_info_dc,
2529 _resource_groups,
2530 group_inclusion,
2531 pac_blob);
2532 if (!NT_STATUS_IS_OK(nt_status)) {
2533 DBG_ERR("samba_get_logon_info_pac_blob failed: %s\n",
2534 nt_errstr(nt_status));
2535
2536 code = map_errno_from_nt_status(nt_status);
2537 goto done;
2538 }
2539
2540 /*
2541 * TODO: we need claim translation over trusts,
2542 * for now we just clear them...
2543 */
2544 if (client_krbtgt->is_trust) {
2545 client_claims_blob = &data_blob_null;
2546 }
2547 } else {
2548 nt_status = samba_kdc_get_logon_info_blob(mem_ctx,
2549 user_info_dc,
2550 group_inclusion,
2551 &pac_blob);
2552 if (!NT_STATUS_IS_OK(nt_status)) {
2553 DBG_ERR("samba_kdc_get_logon_info_blob failed: %s\n",
2554 nt_errstr(nt_status));
2555 code = KRB5KDC_ERR_TGT_REVOKED;
2556 goto done;
2557 }
2558
2559 nt_status = samba_kdc_get_upn_info_blob(mem_ctx,
2560 user_info_dc,
2561 &upn_blob);
2562 if (!NT_STATUS_IS_OK(nt_status)) {
2563 DBG_ERR("samba_kdc_get_upn_info_blob failed: %s\n",
2564 nt_errstr(nt_status));
2565 code = KRB5KDC_ERR_TGT_REVOKED;
2566 goto done;
2567 }
2568
2569 nt_status = samba_kdc_get_requester_sid_blob(mem_ctx,
2570 user_info_dc,
2571 &requester_sid_blob);
2572 if (!NT_STATUS_IS_OK(nt_status)) {
2573 DBG_ERR("samba_kdc_get_requester_sid_blob failed: %s\n",
2574 nt_errstr(nt_status));
2575 code = KRB5KDC_ERR_TGT_REVOKED;
2576 goto done;
2577 }
2578
2579 /* Don't trust RODC-issued claims. Regenerate them. */
2580 nt_status = samba_kdc_get_claims_blob(mem_ctx,
2581 client,
2582 &client_claims_blob);
2583 if (!NT_STATUS_IS_OK(nt_status)) {
2584 DBG_ERR("samba_kdc_get_claims_blob failed: %s\n",
2585 nt_errstr(nt_status));
2586 code = map_errno_from_nt_status(nt_status);
2587 goto done;
2588 }
2589 }
2590
2591 /* Check the types of the given PAC */
2592 code = pac_blobs_from_krb5_pac(&pac_blobs,
2593 mem_ctx,
2594 context,
2595 old_pac);
2596 if (code != 0) {
2597 goto done;
2598 }
2599
2600 code = pac_blobs_replace_existing(&pac_blobs,
2601 PAC_TYPE_LOGON_INFO,
2602 pac_blob);
2603 if (code != 0) {
2604 goto done;
2605 }
2606
2607 #ifdef SAMBA4_USES_HEIMDAL
2608 /* Not needed with MIT Kerberos */
2609 code = pac_blobs_replace_existing(&pac_blobs,
2610 PAC_TYPE_LOGON_NAME,
2611 &data_blob_null);
2612 if (code != 0) {
2613 goto done;
2614 }
2615
2616 code = pac_blobs_replace_existing(&pac_blobs,
2617 PAC_TYPE_SRV_CHECKSUM,
2618 &data_blob_null);
2619 if (code != 0) {
2620 goto done;
2621 }
2622
2623 code = pac_blobs_replace_existing(&pac_blobs,
2624 PAC_TYPE_KDC_CHECKSUM,
2625 &data_blob_null);
2626 if (code != 0) {
2627 goto done;
2628 }
2629 #endif
2630
2631 code = pac_blobs_add_blob(&pac_blobs,
2632 mem_ctx,
2633 PAC_TYPE_CONSTRAINED_DELEGATION,
2634 deleg_blob);
2635 if (code != 0) {
2636 goto done;
2637 }
2638
2639 code = pac_blobs_add_blob(&pac_blobs,
2640 mem_ctx,
2641 PAC_TYPE_UPN_DNS_INFO,
2642 upn_blob);
2643 if (code != 0) {
2644 goto done;
2645 }
2646
2647 code = pac_blobs_add_blob(&pac_blobs,
2648 mem_ctx,
2649 PAC_TYPE_CLIENT_CLAIMS_INFO,
2650 client_claims_blob);
2651 if (code != 0) {
2652 goto done;
2653 }
2654
2655 code = pac_blobs_add_blob(&pac_blobs,
2656 mem_ctx,
2657 PAC_TYPE_DEVICE_INFO,
2658 device_info_blob);
2659 if (code != 0) {
2660 goto done;
2661 }
2662
2663 code = pac_blobs_add_blob(&pac_blobs,
2664 mem_ctx,
2665 PAC_TYPE_DEVICE_CLAIMS_INFO,
2666 device_claims_blob);
2667 if (code != 0) {
2668 goto done;
2669 }
2670
2671 if (!client_pac_is_trusted || !is_tgs) {
2672 code = pac_blobs_remove_blob(&pac_blobs,
2673 mem_ctx,
2674 PAC_TYPE_ATTRIBUTES_INFO);
2675 if (code != 0) {
2676 goto done;
2677 }
2678 }
2679
2680 if (!is_tgs) {
2681 code = pac_blobs_remove_blob(&pac_blobs,
2682 mem_ctx,
2683 PAC_TYPE_REQUESTER_SID);
2684 if (code != 0) {
2685 goto done;
2686 }
2687 } else {
2688 code = pac_blobs_add_blob(&pac_blobs,
2689 mem_ctx,
2690 PAC_TYPE_REQUESTER_SID,
2691 requester_sid_blob);
2692 if (code != 0) {
2693 goto done;
2694 }
2695 }
2696
2697 /*
2698 * The server account may be set not to want the PAC.
2699 *
2700 * While this is wasteful if the above calculations were done
2701 * and now thrown away, this is cleaner as we do any ticket
2702 * signature checking etc always.
2703 *
2704 * UF_NO_AUTH_DATA_REQUIRED is the rare case and most of the
2705 * time (eg not accepting a ticket from the RODC) we do not
2706 * need to re-generate anything anyway.
2707 */
2708 if (!samba_princ_needs_pac(server)) {
2709 code = ENOATTR;
2710 goto done;
2711 }
2712
2713 if (client_pac_is_trusted && !is_tgs) {
2714 /*
2715 * The client may have requested no PAC when obtaining the
2716 * TGT.
2717 */
2718 bool requested_pac = false;
2719
2720 code = samba_client_requested_pac(context,
2721 old_pac,
2722 mem_ctx,
2723 &requested_pac);
2724 if (code != 0 || !requested_pac) {
2725 if (!requested_pac) {
2726 code = ENOATTR;
2727 }
2728 goto done;
2729 }
2730 }
2731
2732 for (i = 0; i < pac_blobs.num_types; ++i) {
2733 krb5_data type_data;
2734 const DATA_BLOB *type_blob = pac_blobs.type_blobs[i].data;
2735 uint32_t type = pac_blobs.type_blobs[i].type;
2736
2737 static char null_byte = '\0';
2738 const krb5_data null_data = smb_krb5_make_data(&null_byte, 0);
2739
2740 #ifndef SAMBA4_USES_HEIMDAL
2741 /* Not needed with MIT Kerberos */
2742 switch(type) {
2743 case PAC_TYPE_LOGON_NAME:
2744 case PAC_TYPE_SRV_CHECKSUM:
2745 case PAC_TYPE_KDC_CHECKSUM:
2746 case PAC_TYPE_FULL_CHECKSUM:
2747 continue;
2748 default:
2749 break;
2750 }
2751 #endif
2752
2753 if (type_blob != NULL) {
2754 type_data = smb_krb5_data_from_blob(*type_blob);
2755 /*
2756 * Passing a NULL pointer into krb5_pac_add_buffer() is
2757 * not allowed, so pass null_data instead if needed.
2758 */
2759 code = krb5_pac_add_buffer(context,
2760 new_pac,
2761 type,
2762 (type_data.data != NULL) ? &type_data : &null_data);
2763 } else {
2764 code = krb5_pac_get_buffer(context,
2765 old_pac,
2766 type,
2767 &type_data);
2768 if (code != 0) {
2769 goto done;
2770 }
2771 /*
2772 * Passing a NULL pointer into krb5_pac_add_buffer() is
2773 * not allowed, so pass null_data instead if needed.
2774 */
2775 code = krb5_pac_add_buffer(context,
2776 new_pac,
2777 type,
2778 (type_data.data != NULL) ? &type_data : &null_data);
2779 smb_krb5_free_data_contents(context, &type_data);
2780 }
2781
2782 if (code != 0) {
2783 goto done;
2784 }
2785 }
2786
2787 code = 0;
2788 done:
2789 pac_blobs_destroy(&pac_blobs);
2790 TALLOC_FREE(pac_blob);
2791 TALLOC_FREE(upn_blob);
2792 TALLOC_FREE(deleg_blob);
2793 /*
2794 * Release our handle to user_info_dc. ‘server_audit_info_out’, if
2795 * non-NULL, becomes the new parent.
2796 */
2797 talloc_unlink(mem_ctx, user_info_dc);
2798 return code;
2799 }
2800
2801 krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
2802 krb5_context context,
2803 struct ldb_context *samdb,
2804 struct loadparm_context *lp_ctx,
2805 struct samba_kdc_entry *device,
2806 const krb5_const_pac device_pac,
2807 const bool device_pac_is_trusted,
2808 const struct authn_kerberos_client_policy *client_policy,
2809 struct authn_audit_info **client_audit_info_out,
2810 NTSTATUS *status_out)
2811 {
2812 TALLOC_CTX *frame = NULL;
2813 krb5_error_code code = 0;
2814 NTSTATUS nt_status;
2815 struct auth_user_info_dc *device_info = NULL;
2816 struct authn_audit_info *client_audit_info = NULL;
2817
2818 if (status_out != NULL) {
2819 *status_out = NT_STATUS_OK;
2820 }
2821
2822 if (!authn_policy_device_restrictions_present(client_policy)) {
2823 return 0;
2824 }
2825
2826 if (device == NULL || device_pac == NULL) {
2827 NTSTATUS out_status = NT_STATUS_INVALID_WORKSTATION;
2828
2829 nt_status = authn_kerberos_client_policy_audit_info(mem_ctx,
2830 client_policy,
2831 NULL /* client_info */,
2832 AUTHN_AUDIT_EVENT_KERBEROS_DEVICE_RESTRICTION,
2833 AUTHN_AUDIT_REASON_FAST_REQUIRED,
2834 out_status,
2835 client_audit_info_out);
2836 if (!NT_STATUS_IS_OK(nt_status)) {
2837 code = KRB5KRB_ERR_GENERIC;
2838 } else if (authn_kerberos_client_policy_is_enforced(client_policy)) {
2839 code = KRB5KDC_ERR_POLICY;
2840
2841 if (status_out != NULL) {
2842 *status_out = out_status;
2843 }
2844 } else {
2845 /* OK. */
2846 code = 0;
2847 }
2848
2849 goto out;
2850 }
2851
2852 frame = talloc_stackframe();
2853
2854 if (device_pac_is_trusted) {
2855 krb5_data device_logon_info;
2856
2857 enum ndr_err_code ndr_err;
2858 DATA_BLOB device_logon_info_blob;
2859
2860 union PAC_INFO pac_logon_info;
2861 union netr_Validation validation;
2862
2863 code = krb5_pac_get_buffer(context, device_pac,
2864 PAC_TYPE_LOGON_INFO,
2865 &device_logon_info);
2866 if (code != 0) {
2867 if (code == ENOENT) {
2868 DBG_ERR("Device PAC is missing LOGON_INFO\n");
2869 } else {
2870 DBG_ERR("Error getting LOGON_INFO from device PAC\n");
2871 }
2872
2873 goto out;
2874 }
2875
2876 device_logon_info_blob = data_blob_const(device_logon_info.data,
2877 device_logon_info.length);
2878
2879 ndr_err = ndr_pull_union_blob(&device_logon_info_blob, frame, &pac_logon_info,
2880 PAC_TYPE_LOGON_INFO,
2881 (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
2882 smb_krb5_free_data_contents(context, &device_logon_info);
2883 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
2884 nt_status = ndr_map_error2ntstatus(ndr_err);
2885 DBG_ERR("can't parse device PAC LOGON_INFO: %s\n",
2886 nt_errstr(nt_status));
2887
2888 code = ndr_map_error2errno(ndr_err);
2889 goto out;
2890 }
2891
2892 /*
2893 * This does a bit of unnecessary work, setting up fields we
2894 * don’t care about — we only want the SIDs.
2895 */
2896 validation.sam3 = &pac_logon_info.logon_info.info->info3;
2897 nt_status = make_user_info_dc_netlogon_validation(frame, "", 3, &validation,
2898 true, /* This user was authenticated */
2899 &device_info);
2900 if (!NT_STATUS_IS_OK(nt_status)) {
2901 code = map_errno_from_nt_status(nt_status);
2902 goto out;
2903 }
2904
2905 /*
2906 * We need to expand group memberships within our local domain,
2907 * as the token might be generated by a trusted domain.
2908 */
2909 nt_status = authsam_update_user_info_dc(frame,
2910 samdb,
2911 device_info);
2912 if (!NT_STATUS_IS_OK(nt_status)) {
2913 code = map_errno_from_nt_status(nt_status);
2914 goto out;
2915 }
2916 } else {
2917 nt_status = samba_kdc_get_user_info_dc(frame,
2918 device,
2919 SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
2920 SAMBA_CLAIMS_VALID_INCLUDE,
2921 SAMBA_COMPOUNDED_AUTH_EXCLUDE,
2922 &device_info);
2923 if (!NT_STATUS_IS_OK(nt_status)) {
2924 DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n",
2925 nt_errstr(nt_status));
2926
2927 code = KRB5KDC_ERR_TGT_REVOKED;
2928 goto out;
2929 }
2930 }
2931
2932 nt_status = authn_policy_authenticate_from_device(frame,
2933 samdb,
2934 lp_ctx,
2935 device_info,
2936 client_policy,
2937 &client_audit_info);
2938 if (client_audit_info != NULL) {
2939 *client_audit_info_out = talloc_move(mem_ctx, &client_audit_info);
2940 }
2941 if (!NT_STATUS_IS_OK(nt_status)) {
2942 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_AUTHENTICATION_FIREWALL_FAILED)) {
2943 code = KRB5KDC_ERR_POLICY;
2944 } else {
2945 code = KRB5KRB_ERR_GENERIC;
2946 }
2947
2948 goto out;
2949 }
2950
2951 out:
2952 talloc_free(frame);
2953 return code;
2954 }
Samba GIT mirror