search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
pylibsmb: clang-format for the calls to Py_BuildValue()
[Samba.git] / source4 / kdc / kdc-heimdal.c
blobcbef2e66b7bbeacaaca803fbeba437874e59854c
1 /*
2 Unix SMB/CIFS implementation.
3
4 KDC Server startup
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2008
7 Copyright (C) Andrew Tridgell 2005
8 Copyright (C) Stefan Metzmacher 2005
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "samba/process_model.h"
26 #include "lib/tsocket/tsocket.h"
27 #include "lib/messaging/irpc.h"
28 #include "librpc/gen_ndr/ndr_irpc.h"
29 #include "librpc/gen_ndr/ndr_krb5pac.h"
30 #include "lib/socket/netif.h"
31 #include "param/param.h"
32 #include "kdc/kdc-server.h"
33 #include "kdc/kdc-proxy.h"
34 #include "kdc/kdc-glue.h"
35 #include "kdc/pac-glue.h"
36 #include "kdc/kpasswd-service.h"
37 #include "dsdb/samdb/samdb.h"
38 #include "auth/session.h"
39 #include "libds/common/roles.h"
40 #include <kdc.h>
41 #include <hdb.h>
42
43 #undef DBGC_CLASS
44 #define DBGC_CLASS DBGC_KERBEROS
45
46 NTSTATUS server_service_kdc_init(TALLOC_CTX *);
47
48 extern struct krb5plugin_kdc_ftable kdc_plugin_table;
49
50 /**
51 Wrapper for krb5_kdc_process_krb5_request, converting to/from Samba
52 calling conventions
53 */
54
55 static kdc_code kdc_process(struct kdc_server *kdc,
56 TALLOC_CTX *mem_ctx,
57 DATA_BLOB *input,
58 DATA_BLOB *reply,
59 struct tsocket_address *peer_addr,
60 struct tsocket_address *my_addr,
61 int datagram_reply)
62 {
63 int ret;
64 char *pa;
65 struct sockaddr_storage ss;
66 krb5_data k5_reply;
67 krb5_kdc_configuration *kdc_config = kdc->private_data;
68
69 krb5_data_zero(&k5_reply);
70
71 krb5_kdc_update_time(NULL);
72
73 ret = tsocket_address_bsd_sockaddr(peer_addr, (struct sockaddr *) &ss,
74 sizeof(struct sockaddr_storage));
75 if (ret < 0) {
76 return KDC_ERROR;
77 }
78 pa = tsocket_address_string(peer_addr, mem_ctx);
79 if (pa == NULL) {
80 return KDC_ERROR;
81 }
82
83 DBG_DEBUG("Received KDC packet of length %zu from %s\n",
84 input->length, pa);
85
86 ret = krb5_kdc_process_krb5_request(kdc->smb_krb5_context->krb5_context,
87 kdc_config,
88 input->data, input->length,
89 &k5_reply,
90 pa,
91 (struct sockaddr *) &ss,
92 datagram_reply);
93 if (ret == -1) {
94 *reply = data_blob(NULL, 0);
95 return KDC_ERROR;
96 }
97
98 if (ret == HDB_ERR_NOT_FOUND_HERE) {
99 *reply = data_blob(NULL, 0);
100 return KDC_PROXY_REQUEST;
101 }
102
103 if (k5_reply.length) {
104 *reply = data_blob_talloc(mem_ctx, k5_reply.data, k5_reply.length);
105 krb5_data_free(&k5_reply);
106 } else {
107 *reply = data_blob(NULL, 0);
108 }
109 return KDC_OK;
110 }
111
112 /*
113 setup our listening sockets on the configured network interfaces
114 */
115 static NTSTATUS kdc_startup_interfaces(struct kdc_server *kdc,
116 struct loadparm_context *lp_ctx,
117 struct interface *ifaces,
118 const struct model_ops *model_ops)
119 {
120 int num_interfaces;
121 TALLOC_CTX *tmp_ctx = talloc_new(kdc);
122 NTSTATUS status;
123 int i;
124 uint16_t kdc_port = lpcfg_krb5_port(lp_ctx);
125 uint16_t kpasswd_port = lpcfg_kpasswd_port(lp_ctx);
126 bool done_wildcard = false;
127
128 num_interfaces = iface_list_count(ifaces);
129
130 /* if we are allowing incoming packets from any address, then
131 we need to bind to the wildcard address */
132 if (!lpcfg_bind_interfaces_only(lp_ctx)) {
133 size_t num_binds = 0;
134 char **wcard = iface_list_wildcard(kdc);
135 NT_STATUS_HAVE_NO_MEMORY(wcard);
136 for (i=0; wcard[i]; i++) {
137 if (kdc_port) {
138 status = kdc_add_socket(kdc, model_ops,
139 "kdc", wcard[i], kdc_port,
140 kdc_process, false);
141 if (NT_STATUS_IS_OK(status)) {
142 num_binds++;
143 }
144 }
145
146 if (kpasswd_port) {
147 status = kdc_add_socket(kdc, model_ops,
148 "kpasswd", wcard[i], kpasswd_port,
149 kpasswd_process, false);
150 if (NT_STATUS_IS_OK(status)) {
151 num_binds++;
152 }
153 }
154 }
155 talloc_free(wcard);
156 if (num_binds == 0) {
157 return NT_STATUS_INVALID_PARAMETER_MIX;
158 }
159 done_wildcard = true;
160 }
161
162 for (i=0; i<num_interfaces; i++) {
163 const char *address = talloc_strdup(tmp_ctx, iface_list_n_ip(ifaces, i));
164
165 if (kdc_port) {
166 status = kdc_add_socket(kdc, model_ops,
167 "kdc", address, kdc_port,
168 kdc_process, done_wildcard);
169 NT_STATUS_NOT_OK_RETURN(status);
170 }
171
172 if (kpasswd_port) {
173 status = kdc_add_socket(kdc, model_ops,
174 "kpasswd", address, kpasswd_port,
175 kpasswd_process, done_wildcard);
176 NT_STATUS_NOT_OK_RETURN(status);
177 }
178 }
179
180 talloc_free(tmp_ctx);
181
182 return NT_STATUS_OK;
183 }
184
185 static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg,
186 struct kdc_check_generic_kerberos *r)
187 {
188 struct PAC_Validate pac_validate;
189 DATA_BLOB srv_sig;
190 struct PAC_SIGNATURE_DATA kdc_sig;
191 struct kdc_server *kdc = talloc_get_type(msg->private_data, struct kdc_server);
192 krb5_kdc_configuration *kdc_config =
193 (krb5_kdc_configuration *)kdc->private_data;
194 enum ndr_err_code ndr_err;
195 int ret;
196 hdb_entry ent;
197 krb5_principal principal;
198
199
200 /* There is no reply to this request */
201 r->out.generic_reply = data_blob(NULL, 0);
202
203 ndr_err = ndr_pull_struct_blob(&r->in.generic_request, msg, &pac_validate,
204 (ndr_pull_flags_fn_t)ndr_pull_PAC_Validate);
205 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
206 return NT_STATUS_INVALID_PARAMETER;
207 }
208
209 if (pac_validate.MessageType != NETLOGON_GENERIC_KRB5_PAC_VALIDATE) {
210 /* We don't implement any other message types - such as certificate validation - yet */
211 return NT_STATUS_INVALID_PARAMETER;
212 }
213
214 if (pac_validate.ChecksumAndSignature.length != (pac_validate.ChecksumLength + pac_validate.SignatureLength)
215 || pac_validate.ChecksumAndSignature.length < pac_validate.ChecksumLength
216 || pac_validate.ChecksumAndSignature.length < pac_validate.SignatureLength ) {
217 return NT_STATUS_INVALID_PARAMETER;
218 }
219
220 srv_sig = data_blob_const(pac_validate.ChecksumAndSignature.data,
221 pac_validate.ChecksumLength);
222
223 ret = krb5_make_principal(kdc->smb_krb5_context->krb5_context, &principal,
224 lpcfg_realm(kdc->task->lp_ctx),
225 "krbtgt", lpcfg_realm(kdc->task->lp_ctx),
226 NULL);
227
228 if (ret != 0) {
229 return NT_STATUS_NO_MEMORY;
230 }
231
232 ret = kdc_config->db[0]->hdb_fetch_kvno(kdc->smb_krb5_context->krb5_context,
233 kdc_config->db[0],
234 principal,
235 HDB_F_GET_KRBTGT | HDB_F_DECRYPT,
236 0,
237 &ent);
238
239 if (ret != 0) {
240 hdb_free_entry(kdc->smb_krb5_context->krb5_context, kdc_config->db[0], &ent);
241 krb5_free_principal(kdc->smb_krb5_context->krb5_context, principal);
242
243 return NT_STATUS_LOGON_FAILURE;
244 }
245
246 kdc_sig.type = pac_validate.SignatureType;
247 kdc_sig.signature = data_blob_const(&pac_validate.ChecksumAndSignature.data[pac_validate.ChecksumLength],
248 pac_validate.SignatureLength);
249
250 ret = kdc_check_pac(kdc->smb_krb5_context->krb5_context, srv_sig, &kdc_sig, &ent);
251
252 hdb_free_entry(kdc->smb_krb5_context->krb5_context, kdc_config->db[0], &ent);
253 krb5_free_principal(kdc->smb_krb5_context->krb5_context, principal);
254
255 if (ret != 0) {
256 return NT_STATUS_LOGON_FAILURE;
257 }
258
259 return NT_STATUS_OK;
260 }
261
262
263 /*
264 startup the kdc task
265 */
266 static NTSTATUS kdc_task_init(struct task_server *task)
267 {
268 struct kdc_server *kdc;
269 NTSTATUS status;
270 struct interface *ifaces;
271
272 switch (lpcfg_server_role(task->lp_ctx)) {
273 case ROLE_STANDALONE:
274 task_server_terminate(task, "kdc: no KDC required in standalone configuration", false);
275 return NT_STATUS_INVALID_DOMAIN_ROLE;
276 case ROLE_DOMAIN_MEMBER:
277 task_server_terminate(task, "kdc: no KDC required in member server configuration", false);
278 return NT_STATUS_INVALID_DOMAIN_ROLE;
279 case ROLE_DOMAIN_PDC:
280 case ROLE_DOMAIN_BDC:
281 case ROLE_IPA_DC:
282 task_server_terminate(
283 task, "Cannot start KDC as a 'classic Samba' DC", false);
284 return NT_STATUS_INVALID_DOMAIN_ROLE;
285 case ROLE_ACTIVE_DIRECTORY_DC:
286 /* Yes, we want a KDC */
287 break;
288 }
289
290 load_interface_list(task, task->lp_ctx, &ifaces);
291
292 if (iface_list_count(ifaces) == 0) {
293 task_server_terminate(task, "kdc: no network interfaces configured", false);
294 return NT_STATUS_UNSUCCESSFUL;
295 }
296
297 task_server_set_title(task, "task[kdc]");
298
299 kdc = talloc_zero(task, struct kdc_server);
300 if (kdc == NULL) {
301 task_server_terminate(task, "kdc: out of memory", true);
302 return NT_STATUS_NO_MEMORY;
303 }
304
305 kdc->task = task;
306 task->private_data = kdc;
307
308 /* start listening on the configured network interfaces */
309 status = kdc_startup_interfaces(kdc, task->lp_ctx, ifaces,
310 task->model_ops);
311 if (!NT_STATUS_IS_OK(status)) {
312 task_server_terminate(task, "kdc failed to setup interfaces", true);
313 return status;
314 }
315
316
317 return NT_STATUS_OK;
318 }
319
320 /*
321 initialise the kdc task after a fork
322 */
323 static void kdc_post_fork(struct task_server *task, struct process_details *pd)
324 {
325 struct kdc_server *kdc;
326 krb5_kdc_configuration *kdc_config = NULL;
327 NTSTATUS status;
328 krb5_error_code ret;
329 int ldb_ret;
330
331 if (task == NULL) {
332 task_server_terminate(task, "kdc: Null task", true);
333 return;
334 }
335 if (task->private_data == NULL) {
336 task_server_terminate(task, "kdc: No kdc_server info", true);
337 return;
338 }
339 kdc = talloc_get_type_abort(task->private_data, struct kdc_server);
340
341 /* get a samdb connection */
342 kdc->samdb = samdb_connect(kdc,
343 kdc->task->event_ctx,
344 kdc->task->lp_ctx,
345 system_session(kdc->task->lp_ctx),
346 NULL,
347 0);
348 if (!kdc->samdb) {
349 DBG_WARNING("kdc_task_init: unable to connect to samdb\n");
350 task_server_terminate(task, "kdc: krb5_init_context samdb connect failed", true);
351 return;
352 }
353
354 ldb_ret = samdb_rodc(kdc->samdb, &kdc->am_rodc);
355 if (ldb_ret != LDB_SUCCESS) {
356 DBG_WARNING("kdc_task_init: "
357 "Cannot determine if we are an RODC: %s\n",
358 ldb_errstring(kdc->samdb));
359 task_server_terminate(task, "kdc: krb5_init_context samdb RODC connect failed", true);
360 return;
361 }
362
363 kdc->proxy_timeout = lpcfg_parm_int(kdc->task->lp_ctx, NULL, "kdc", "proxy timeout", 5);
364
365 initialize_krb5_error_table();
366
367 ret = smb_krb5_init_context(kdc, task->lp_ctx, &kdc->smb_krb5_context);
368 if (ret) {
369 DBG_WARNING("kdc_task_init: krb5_init_context failed (%s)\n",
370 error_message(ret));
371 task_server_terminate(task, "kdc: krb5_init_context failed", true);
372 return;
373 }
374
375 krb5_add_et_list(kdc->smb_krb5_context->krb5_context, initialize_hdb_error_table_r);
376
377 ret = krb5_kdc_get_config(kdc->smb_krb5_context->krb5_context,
378 &kdc_config);
379 if(ret) {
380 task_server_terminate(task, "kdc: failed to get KDC configuration", true);
381 return;
382 }
383
384 kdc_config->logf = (krb5_log_facility *)kdc->smb_krb5_context->pvt_log_data;
385 kdc_config->db = talloc(kdc, struct HDB *);
386 if (!kdc_config->db) {
387 task_server_terminate(task, "kdc: out of memory", true);
388 return;
389 }
390 kdc_config->num_db = 1;
391
392 /*
393 * Note with the CVE-2022-37966 patches,
394 * see https://bugzilla.samba.org/show_bug.cgi?id=15219
395 * and https://bugzilla.samba.org/show_bug.cgi?id=15237
396 * we want to use the strongest keys for everything.
397 *
398 * Some of these don't have any real effect anymore,
399 * but it is better to have them as true...
400 */
401 kdc_config->tgt_use_strongest_session_key = true;
402 kdc_config->preauth_use_strongest_session_key = true;
403 kdc_config->svc_use_strongest_session_key = true;
404 kdc_config->use_strongest_server_key = true;
405
406 kdc_config->force_include_pa_etype_salt = true;
407
408 /*
409 * For Samba CVE-2020-25719 Require PAC to be present
410 * This instructs Heimdal to match AD behaviour,
411 * as seen after Microsoft's CVE-2021-42287 when
412 * PacRequestorEnforcement is set to 2.
413 *
414 * Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
415 * REF: https://support.microsoft.com/en-au/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
416 */
417
418 kdc_config->require_pac = true;
419
420 /*
421 * By default we enable RFC6113/FAST support,
422 * but we have an option to disable in order to
423 * test against a KDC with FAST support.
424 */
425 kdc_config->enable_fast = lpcfg_kdc_enable_fast(task->lp_ctx);
426
427 {
428 static const char *dummy_string = "Microsoft";
429
430 /*
431 * The FAST cookie is not cryptographically required,
432 * provided that the non-AD gss-preauth authentication
433 * method is removed (as this is the only multi-step
434 * authentication method).
435 *
436 * gss-preauth has been disabled both by not being
437 * configured and by being made dependent
438 * configuration for a "real" fast cookie.
439 *
440 * The hide_client_names feature in Heimdal is the
441 * only other state that is persisted in the cookie,
442 * and this does not need to be in the cookie for
443 * single-shot authentication protocols such as ENC-TS
444 * and ENC-CHAL, the standard password protocols in
445 * AD.
446 *
447 * Furthermore, the Heimdal KDC does not fail if the
448 * client does not supply a FAST cookie, showing that
449 * the presence of the cookie is not required.
450 */
451 kdc_config->enable_fast_cookie = false;
452 kdc_config->dummy_fast_cookie = smb_krb5_make_data(discard_const_p(char, dummy_string),
453 strlen(dummy_string));
454 }
455
456 /*
457 * Match Windows and RFC6113 and Windows but break older
458 * Heimdal clients.
459 */
460 kdc_config->enable_armored_pa_enc_timestamp = false;
461
462 /* Register hdb-samba4 hooks for use as a keytab */
463
464 kdc->base_ctx = talloc_zero(kdc, struct samba_kdc_base_context);
465 if (!kdc->base_ctx) {
466 task_server_terminate(task, "kdc: out of memory", true);
467 return;
468 }
469
470 kdc->base_ctx->ev_ctx = task->event_ctx;
471 kdc->base_ctx->lp_ctx = task->lp_ctx;
472 kdc->base_ctx->msg_ctx = task->msg_ctx;
473
474 status = hdb_samba4_create_kdc(kdc->base_ctx,
475 kdc->smb_krb5_context->krb5_context,
476 &kdc_config->db[0]);
477 if (!NT_STATUS_IS_OK(status)) {
478 task_server_terminate(task, "kdc: hdb_samba4_create_kdc (setup KDC database) failed", true);
479 return;
480 }
481
482 ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
483 PLUGIN_TYPE_DATA, "hdb_samba4_interface",
484 &hdb_samba4_interface);
485 if(ret) {
486 task_server_terminate(task, "kdc: failed to register hdb plugin", true);
487 return;
488 }
489
490 kdc->kpasswd_keytab_name = talloc_asprintf(kdc, "HDBGET:samba4:&%p", kdc->base_ctx);
491 if (kdc->kpasswd_keytab_name == NULL) {
492 task_server_terminate(task,
493 "kdc: Failed to set keytab name",
494 true);
495 return;
496 }
497
498 ret = krb5_kt_register(kdc->smb_krb5_context->krb5_context, &hdb_get_kt_ops);
499 if(ret) {
500 task_server_terminate(task, "kdc: failed to register keytab plugin", true);
501 return;
502 }
503
504 /* Register KDC hooks */
505 ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
506 PLUGIN_TYPE_DATA, "kdc",
507 &kdc_plugin_table);
508 if(ret) {
509 task_server_terminate(task, "kdc: failed to register kdc plugin", true);
510 return;
511 }
512
513 ret = krb5_kdc_plugin_init(kdc->smb_krb5_context->krb5_context);
514
515 if(ret) {
516 task_server_terminate(task, "kdc: failed to init kdc plugin", true);
517 return;
518 }
519
520 ret = krb5_kdc_pkinit_config(kdc->smb_krb5_context->krb5_context, kdc_config);
521
522 if(ret) {
523 task_server_terminate(task, "kdc: failed to init kdc pkinit subsystem", true);
524 return;
525 }
526 kdc->private_data = kdc_config;
527
528 status = IRPC_REGISTER(task->msg_ctx, irpc, KDC_CHECK_GENERIC_KERBEROS,
529 kdc_check_generic_kerberos, kdc);
530 if (!NT_STATUS_IS_OK(status)) {
531 task_server_terminate(task, "kdc failed to setup monitoring", true);
532 return;
533 }
534
535 irpc_add_name(task->msg_ctx, "kdc_server");
536 }
537
538
539 /* called at smbd startup - register ourselves as a server service */
540 NTSTATUS server_service_kdc_init(TALLOC_CTX *ctx)
541 {
542 static const struct service_details details = {
543 .inhibit_fork_on_accept = true,
544 .inhibit_pre_fork = false,
545 .task_init = kdc_task_init,
546 .post_fork = kdc_post_fork
547 };
548 return register_server_service(ctx, "kdc", &details);
549 }
Samba GIT mirror