2 Unix SMB/CIFS implementation.
4 Copyright (C) Andrew Tridgell 2001
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "../libcli/auth/spnego.h"
22 #include "../libcli/auth/ntlmssp.h"
28 static ADS_STATUS
ads_sasl_ntlmssp_wrap(ADS_STRUCT
*ads
, uint8
*buf
, uint32 len
)
30 struct ntlmssp_state
*ntlmssp_state
=
31 (struct ntlmssp_state
*)ads
->ldap
.wrap_private_data
;
36 uint8
*dptr
= ads
->ldap
.out
.buf
+ (4 + NTLMSSP_SIG_SIZE
);
38 frame
= talloc_stackframe();
39 /* copy the data to the right location */
40 memcpy(dptr
, buf
, len
);
42 /* create the signature and may encrypt the data */
43 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_SEAL
) {
44 nt_status
= ntlmssp_seal_packet(ntlmssp_state
,
50 nt_status
= ntlmssp_sign_packet(ntlmssp_state
,
56 status
= ADS_ERROR_NT(nt_status
);
57 if (!ADS_ERR_OK(status
)) return status
;
59 /* copy the signature to the right location */
60 memcpy(ads
->ldap
.out
.buf
+ 4,
61 sig
.data
, NTLMSSP_SIG_SIZE
);
65 /* set how many bytes must be written to the underlying socket */
66 ads
->ldap
.out
.left
= 4 + NTLMSSP_SIG_SIZE
+ len
;
71 static ADS_STATUS
ads_sasl_ntlmssp_unwrap(ADS_STRUCT
*ads
)
73 struct ntlmssp_state
*ntlmssp_state
=
74 (struct ntlmssp_state
*)ads
->ldap
.wrap_private_data
;
78 uint8
*dptr
= ads
->ldap
.in
.buf
+ (4 + NTLMSSP_SIG_SIZE
);
79 uint32 dlen
= ads
->ldap
.in
.ofs
- (4 + NTLMSSP_SIG_SIZE
);
81 /* wrap the signature into a DATA_BLOB */
82 sig
= data_blob_const(ads
->ldap
.in
.buf
+ 4, NTLMSSP_SIG_SIZE
);
84 /* verify the signature and maybe decrypt the data */
85 if (ntlmssp_state
->neg_flags
& NTLMSSP_NEGOTIATE_SEAL
) {
86 nt_status
= ntlmssp_unseal_packet(ntlmssp_state
,
91 nt_status
= ntlmssp_check_packet(ntlmssp_state
,
96 status
= ADS_ERROR_NT(nt_status
);
97 if (!ADS_ERR_OK(status
)) return status
;
99 /* set the amount of bytes for the upper layer and set the ofs to the data */
100 ads
->ldap
.in
.left
= dlen
;
101 ads
->ldap
.in
.ofs
= 4 + NTLMSSP_SIG_SIZE
;
106 static void ads_sasl_ntlmssp_disconnect(ADS_STRUCT
*ads
)
108 struct ntlmssp_state
*ntlmssp_state
=
109 (struct ntlmssp_state
*)ads
->ldap
.wrap_private_data
;
111 TALLOC_FREE(ntlmssp_state
);
113 ads
->ldap
.wrap_ops
= NULL
;
114 ads
->ldap
.wrap_private_data
= NULL
;
117 static const struct ads_saslwrap_ops ads_sasl_ntlmssp_ops
= {
119 .wrap
= ads_sasl_ntlmssp_wrap
,
120 .unwrap
= ads_sasl_ntlmssp_unwrap
,
121 .disconnect
= ads_sasl_ntlmssp_disconnect
125 perform a LDAP/SASL/SPNEGO/NTLMSSP bind (just how many layers can
126 we fit on one socket??)
128 static ADS_STATUS
ads_sasl_spnego_ntlmssp_bind(ADS_STRUCT
*ads
)
130 DATA_BLOB msg1
= data_blob_null
;
131 DATA_BLOB blob
= data_blob_null
;
132 DATA_BLOB blob_in
= data_blob_null
;
133 DATA_BLOB blob_out
= data_blob_null
;
134 struct berval cred
, *scred
= NULL
;
141 struct ntlmssp_state
*ntlmssp_state
;
143 nt_status
= ntlmssp_client_start(NULL
,
146 lp_client_ntlmv2_auth(),
148 if (!NT_STATUS_IS_OK(nt_status
)) {
149 return ADS_ERROR_NT(nt_status
);
151 ntlmssp_state
->neg_flags
&= ~NTLMSSP_NEGOTIATE_SIGN
;
153 if (!NT_STATUS_IS_OK(nt_status
= ntlmssp_set_username(ntlmssp_state
, ads
->auth
.user_name
))) {
154 return ADS_ERROR_NT(nt_status
);
156 if (!NT_STATUS_IS_OK(nt_status
= ntlmssp_set_domain(ntlmssp_state
, ads
->auth
.realm
))) {
157 return ADS_ERROR_NT(nt_status
);
159 if (!NT_STATUS_IS_OK(nt_status
= ntlmssp_set_password(ntlmssp_state
, ads
->auth
.password
))) {
160 return ADS_ERROR_NT(nt_status
);
163 switch (ads
->ldap
.wrap_type
) {
164 case ADS_SASLWRAP_TYPE_SEAL
:
165 features
= NTLMSSP_FEATURE_SIGN
| NTLMSSP_FEATURE_SEAL
;
167 case ADS_SASLWRAP_TYPE_SIGN
:
168 if (ads
->auth
.flags
& ADS_AUTH_SASL_FORCE
) {
169 features
= NTLMSSP_FEATURE_SIGN
;
172 * windows servers are broken with sign only,
173 * so we need to use seal here too
175 features
= NTLMSSP_FEATURE_SIGN
| NTLMSSP_FEATURE_SEAL
;
176 ads
->ldap
.wrap_type
= ADS_SASLWRAP_TYPE_SEAL
;
179 case ADS_SASLWRAP_TYPE_PLAIN
:
183 ntlmssp_want_feature(ntlmssp_state
, features
);
185 blob_in
= data_blob_null
;
188 nt_status
= ntlmssp_update(ntlmssp_state
,
190 data_blob_free(&blob_in
);
191 if ((NT_STATUS_EQUAL(nt_status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)
192 || NT_STATUS_IS_OK(nt_status
))
193 && blob_out
.length
) {
195 const char *OIDs_ntlm
[] = {OID_NTLMSSP
, NULL
};
196 /* and wrap it in a SPNEGO wrapper */
197 msg1
= spnego_gen_negTokenInit(talloc_tos(),
198 OIDs_ntlm
, &blob_out
, NULL
);
200 /* wrap it in SPNEGO */
201 msg1
= spnego_gen_auth(talloc_tos(), blob_out
);
204 data_blob_free(&blob_out
);
206 cred
.bv_val
= (char *)msg1
.data
;
207 cred
.bv_len
= msg1
.length
;
209 rc
= ldap_sasl_bind_s(ads
->ldap
.ld
, NULL
, "GSS-SPNEGO", &cred
, NULL
, NULL
, &scred
);
210 data_blob_free(&msg1
);
211 if ((rc
!= LDAP_SASL_BIND_IN_PROGRESS
) && (rc
!= 0)) {
216 TALLOC_FREE(ntlmssp_state
);
217 return ADS_ERROR(rc
);
220 blob
= data_blob(scred
->bv_val
, scred
->bv_len
);
223 blob
= data_blob_null
;
228 TALLOC_FREE(ntlmssp_state
);
229 data_blob_free(&blob_out
);
230 return ADS_ERROR_NT(nt_status
);
234 (rc
== LDAP_SASL_BIND_IN_PROGRESS
)) {
235 DATA_BLOB tmp_blob
= data_blob_null
;
236 /* the server might give us back two challenges */
237 if (!spnego_parse_challenge(talloc_tos(), blob
, &blob_in
,
240 TALLOC_FREE(ntlmssp_state
);
241 data_blob_free(&blob
);
242 DEBUG(3,("Failed to parse challenges\n"));
243 return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER
);
245 data_blob_free(&tmp_blob
);
246 } else if (rc
== LDAP_SASL_BIND_IN_PROGRESS
) {
247 if (!spnego_parse_auth_response(talloc_tos(), blob
, nt_status
, OID_NTLMSSP
,
250 TALLOC_FREE(ntlmssp_state
);
251 data_blob_free(&blob
);
252 DEBUG(3,("Failed to parse auth response\n"));
253 return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER
);
256 data_blob_free(&blob
);
257 data_blob_free(&blob_out
);
259 } while (rc
== LDAP_SASL_BIND_IN_PROGRESS
&& !NT_STATUS_IS_OK(nt_status
));
261 /* we have a reference conter on ntlmssp_state, if we are signing
262 then the state will be kept by the signing engine */
264 if (ads
->ldap
.wrap_type
> ADS_SASLWRAP_TYPE_PLAIN
) {
265 ads
->ldap
.out
.max_unwrapped
= ADS_SASL_WRAPPING_OUT_MAX_WRAPPED
- NTLMSSP_SIG_SIZE
;
266 ads
->ldap
.out
.sig_size
= NTLMSSP_SIG_SIZE
;
267 ads
->ldap
.in
.min_wrapped
= ads
->ldap
.out
.sig_size
;
268 ads
->ldap
.in
.max_wrapped
= ADS_SASL_WRAPPING_IN_MAX_WRAPPED
;
269 status
= ads_setup_sasl_wrapping(ads
, &ads_sasl_ntlmssp_ops
, ntlmssp_state
);
270 if (!ADS_ERR_OK(status
)) {
271 DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n",
272 ads_errstr(status
)));
273 TALLOC_FREE(ntlmssp_state
);
277 TALLOC_FREE(ntlmssp_state
);
280 return ADS_ERROR(rc
);
284 static ADS_STATUS
ads_sasl_gssapi_wrap(ADS_STRUCT
*ads
, uint8
*buf
, uint32 len
)
286 gss_ctx_id_t context_handle
= (gss_ctx_id_t
)ads
->ldap
.wrap_private_data
;
290 gss_buffer_desc unwrapped
, wrapped
;
291 int conf_req_flag
, conf_state
;
293 unwrapped
.value
= buf
;
294 unwrapped
.length
= len
;
296 /* for now request sign and seal */
297 conf_req_flag
= (ads
->ldap
.wrap_type
== ADS_SASLWRAP_TYPE_SEAL
);
299 gss_rc
= gss_wrap(&minor_status
, context_handle
,
300 conf_req_flag
, GSS_C_QOP_DEFAULT
,
301 &unwrapped
, &conf_state
,
303 status
= ADS_ERROR_GSS(gss_rc
, minor_status
);
304 if (!ADS_ERR_OK(status
)) return status
;
306 if (conf_req_flag
&& conf_state
== 0) {
307 return ADS_ERROR_NT(NT_STATUS_ACCESS_DENIED
);
310 if ((ads
->ldap
.out
.size
- 4) < wrapped
.length
) {
311 return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR
);
314 /* copy the wrapped blob to the right location */
315 memcpy(ads
->ldap
.out
.buf
+ 4, wrapped
.value
, wrapped
.length
);
317 /* set how many bytes must be written to the underlying socket */
318 ads
->ldap
.out
.left
= 4 + wrapped
.length
;
320 gss_release_buffer(&minor_status
, &wrapped
);
325 static ADS_STATUS
ads_sasl_gssapi_unwrap(ADS_STRUCT
*ads
)
327 gss_ctx_id_t context_handle
= (gss_ctx_id_t
)ads
->ldap
.wrap_private_data
;
331 gss_buffer_desc unwrapped
, wrapped
;
334 wrapped
.value
= ads
->ldap
.in
.buf
+ 4;
335 wrapped
.length
= ads
->ldap
.in
.ofs
- 4;
337 gss_rc
= gss_unwrap(&minor_status
, context_handle
,
338 &wrapped
, &unwrapped
,
339 &conf_state
, GSS_C_QOP_DEFAULT
);
340 status
= ADS_ERROR_GSS(gss_rc
, minor_status
);
341 if (!ADS_ERR_OK(status
)) return status
;
343 if (ads
->ldap
.wrap_type
== ADS_SASLWRAP_TYPE_SEAL
&& conf_state
== 0) {
344 return ADS_ERROR_NT(NT_STATUS_ACCESS_DENIED
);
347 if (wrapped
.length
< unwrapped
.length
) {
348 return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR
);
351 /* copy the wrapped blob to the right location */
352 memcpy(ads
->ldap
.in
.buf
+ 4, unwrapped
.value
, unwrapped
.length
);
354 /* set how many bytes must be written to the underlying socket */
355 ads
->ldap
.in
.left
= unwrapped
.length
;
356 ads
->ldap
.in
.ofs
= 4;
358 gss_release_buffer(&minor_status
, &unwrapped
);
363 static void ads_sasl_gssapi_disconnect(ADS_STRUCT
*ads
)
365 gss_ctx_id_t context_handle
= (gss_ctx_id_t
)ads
->ldap
.wrap_private_data
;
368 gss_delete_sec_context(&minor_status
, &context_handle
, GSS_C_NO_BUFFER
);
370 ads
->ldap
.wrap_ops
= NULL
;
371 ads
->ldap
.wrap_private_data
= NULL
;
374 static const struct ads_saslwrap_ops ads_sasl_gssapi_ops
= {
376 .wrap
= ads_sasl_gssapi_wrap
,
377 .unwrap
= ads_sasl_gssapi_unwrap
,
378 .disconnect
= ads_sasl_gssapi_disconnect
382 perform a LDAP/SASL/SPNEGO/GSSKRB5 bind
384 static ADS_STATUS
ads_sasl_spnego_gsskrb5_bind(ADS_STRUCT
*ads
, const gss_name_t serv_name
)
390 gss_OID_desc krb5_mech_type
=
391 {9, CONST_DISCARD(char *, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") };
392 gss_OID mech_type
= &krb5_mech_type
;
393 gss_OID actual_mech_type
= GSS_C_NULL_OID
;
394 const char *spnego_mechs
[] = {OID_KERBEROS5_OLD
, OID_KERBEROS5
, OID_NTLMSSP
, NULL
};
395 gss_ctx_id_t context_handle
= GSS_C_NO_CONTEXT
;
396 gss_buffer_desc input_token
, output_token
;
397 uint32 req_flags
, ret_flags
;
398 uint32 req_tmp
, ret_tmp
;
401 struct berval cred
, *scred
= NULL
;
403 input_token
.value
= NULL
;
404 input_token
.length
= 0;
406 req_flags
= GSS_C_MUTUAL_FLAG
| GSS_C_REPLAY_FLAG
;
407 switch (ads
->ldap
.wrap_type
) {
408 case ADS_SASLWRAP_TYPE_SEAL
:
409 req_flags
|= GSS_C_INTEG_FLAG
| GSS_C_CONF_FLAG
;
411 case ADS_SASLWRAP_TYPE_SIGN
:
412 req_flags
|= GSS_C_INTEG_FLAG
;
414 case ADS_SASLWRAP_TYPE_PLAIN
:
418 /* Note: here we explicit ask for the krb5 mech_type */
419 gss_rc
= gss_init_sec_context(&minor_status
,
432 if (gss_rc
&& gss_rc
!= GSS_S_CONTINUE_NEEDED
) {
433 status
= ADS_ERROR_GSS(gss_rc
, minor_status
);
438 * As some gssapi krb5 mech implementations
439 * automaticly add GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG
440 * to req_flags internaly, it's not possible to
441 * use plain or signing only connection via
442 * the gssapi interface.
444 * Because of this we need to check it the ret_flags
445 * has more flags as req_flags and correct the value
446 * of ads->ldap.wrap_type.
448 * I ads->auth.flags has ADS_AUTH_SASL_FORCE
449 * we need to give an error.
451 req_tmp
= req_flags
& (GSS_C_INTEG_FLAG
| GSS_C_CONF_FLAG
);
452 ret_tmp
= ret_flags
& (GSS_C_INTEG_FLAG
| GSS_C_CONF_FLAG
);
454 if (req_tmp
== ret_tmp
) {
455 /* everythings fine... */
457 } else if (req_flags
& GSS_C_CONF_FLAG
) {
459 * here we wanted sealing but didn't got it
460 * from the gssapi library
462 status
= ADS_ERROR_NT(NT_STATUS_NOT_SUPPORTED
);
465 } else if ((req_flags
& GSS_C_INTEG_FLAG
) &&
466 !(ret_flags
& GSS_C_INTEG_FLAG
)) {
468 * here we wanted siging but didn't got it
469 * from the gssapi library
471 status
= ADS_ERROR_NT(NT_STATUS_NOT_SUPPORTED
);
474 } else if (ret_flags
& GSS_C_CONF_FLAG
) {
476 * here we didn't want sealing
477 * but the gssapi library forces it
478 * so correct the needed wrap_type if
479 * the caller didn't forced siging only
481 if (ads
->auth
.flags
& ADS_AUTH_SASL_FORCE
) {
482 status
= ADS_ERROR_NT(NT_STATUS_NOT_SUPPORTED
);
486 ads
->ldap
.wrap_type
= ADS_SASLWRAP_TYPE_SEAL
;
487 req_flags
= ret_flags
;
489 } else if (ret_flags
& GSS_C_INTEG_FLAG
) {
491 * here we didn't want signing
492 * but the gssapi library forces it
493 * so correct the needed wrap_type if
494 * the caller didn't forced plain
496 if (ads
->auth
.flags
& ADS_AUTH_SASL_FORCE
) {
497 status
= ADS_ERROR_NT(NT_STATUS_NOT_SUPPORTED
);
501 ads
->ldap
.wrap_type
= ADS_SASLWRAP_TYPE_SIGN
;
502 req_flags
= ret_flags
;
505 * This could (should?) not happen
507 status
= ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR
);
512 /* and wrap that in a shiny SPNEGO wrapper */
513 unwrapped
= data_blob_const(output_token
.value
, output_token
.length
);
514 wrapped
= spnego_gen_negTokenInit(talloc_tos(),
515 spnego_mechs
, &unwrapped
, NULL
);
516 gss_release_buffer(&minor_status
, &output_token
);
517 if (unwrapped
.length
> wrapped
.length
) {
518 status
= ADS_ERROR_NT(NT_STATUS_NO_MEMORY
);
522 cred
.bv_val
= (char *)wrapped
.data
;
523 cred
.bv_len
= wrapped
.length
;
525 rc
= ldap_sasl_bind_s(ads
->ldap
.ld
, NULL
, "GSS-SPNEGO", &cred
, NULL
, NULL
,
527 data_blob_free(&wrapped
);
528 if (rc
!= LDAP_SUCCESS
) {
529 status
= ADS_ERROR(rc
);
534 wrapped
= data_blob_const(scred
->bv_val
, scred
->bv_len
);
536 wrapped
= data_blob_null
;
539 ok
= spnego_parse_auth_response(talloc_tos(), wrapped
, NT_STATUS_OK
,
542 if (scred
) ber_bvfree(scred
);
544 status
= ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE
);
548 input_token
.value
= unwrapped
.data
;
549 input_token
.length
= unwrapped
.length
;
552 * As we asked for mutal authentication
553 * we need to pass the servers response
556 gss_rc
= gss_init_sec_context(&minor_status
,
569 data_blob_free(&unwrapped
);
571 status
= ADS_ERROR_GSS(gss_rc
, minor_status
);
575 gss_release_buffer(&minor_status
, &output_token
);
578 * If we the sign and seal options
579 * doesn't match after getting the response
580 * from the server, we don't want to use the connection
582 req_tmp
= req_flags
& (GSS_C_INTEG_FLAG
| GSS_C_CONF_FLAG
);
583 ret_tmp
= ret_flags
& (GSS_C_INTEG_FLAG
| GSS_C_CONF_FLAG
);
585 if (req_tmp
!= ret_tmp
) {
586 /* everythings fine... */
587 status
= ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE
);
591 if (ads
->ldap
.wrap_type
> ADS_SASLWRAP_TYPE_PLAIN
) {
592 uint32 max_msg_size
= ADS_SASL_WRAPPING_OUT_MAX_WRAPPED
;
594 gss_rc
= gss_wrap_size_limit(&minor_status
, context_handle
,
595 (ads
->ldap
.wrap_type
== ADS_SASLWRAP_TYPE_SEAL
),
597 max_msg_size
, &ads
->ldap
.out
.max_unwrapped
);
599 status
= ADS_ERROR_GSS(gss_rc
, minor_status
);
603 ads
->ldap
.out
.sig_size
= max_msg_size
- ads
->ldap
.out
.max_unwrapped
;
604 ads
->ldap
.in
.min_wrapped
= 0x2C; /* taken from a capture with LDAP unbind */
605 ads
->ldap
.in
.max_wrapped
= max_msg_size
;
606 status
= ads_setup_sasl_wrapping(ads
, &ads_sasl_gssapi_ops
, context_handle
);
607 if (!ADS_ERR_OK(status
)) {
608 DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n",
609 ads_errstr(status
)));
612 /* make sure we don't free context_handle */
613 context_handle
= GSS_C_NO_CONTEXT
;
616 status
= ADS_SUCCESS
;
619 if (context_handle
!= GSS_C_NO_CONTEXT
)
620 gss_delete_sec_context(&minor_status
, &context_handle
, GSS_C_NO_BUFFER
);
624 #endif /* HAVE_GSSAPI */
627 struct ads_service_principal
{
634 static void ads_free_service_principal(struct ads_service_principal
*p
)
636 SAFE_FREE(p
->string
);
641 gss_release_name(&minor_status
, &p
->name
);
648 static ADS_STATUS
ads_guess_service_principal(ADS_STRUCT
*ads
,
649 char **returned_principal
)
653 if (ads
->server
.realm
&& ads
->server
.ldap_server
) {
654 char *server
, *server_realm
;
656 server
= SMB_STRDUP(ads
->server
.ldap_server
);
657 server_realm
= SMB_STRDUP(ads
->server
.realm
);
659 if (!server
|| !server_realm
) {
661 SAFE_FREE(server_realm
);
662 return ADS_ERROR(LDAP_NO_MEMORY
);
666 strupper_m(server_realm
);
667 if (asprintf(&princ
, "ldap/%s@%s", server
, server_realm
) == -1) {
669 SAFE_FREE(server_realm
);
670 return ADS_ERROR(LDAP_NO_MEMORY
);
674 SAFE_FREE(server_realm
);
677 return ADS_ERROR(LDAP_NO_MEMORY
);
679 } else if (ads
->config
.realm
&& ads
->config
.ldap_server_name
) {
680 char *server
, *server_realm
;
682 server
= SMB_STRDUP(ads
->config
.ldap_server_name
);
683 server_realm
= SMB_STRDUP(ads
->config
.realm
);
685 if (!server
|| !server_realm
) {
687 SAFE_FREE(server_realm
);
688 return ADS_ERROR(LDAP_NO_MEMORY
);
692 strupper_m(server_realm
);
693 if (asprintf(&princ
, "ldap/%s@%s", server
, server_realm
) == -1) {
695 SAFE_FREE(server_realm
);
696 return ADS_ERROR(LDAP_NO_MEMORY
);
700 SAFE_FREE(server_realm
);
703 return ADS_ERROR(LDAP_NO_MEMORY
);
708 return ADS_ERROR(LDAP_PARAM_ERROR
);
711 *returned_principal
= princ
;
716 static ADS_STATUS
ads_generate_service_principal(ADS_STRUCT
*ads
,
717 const char *given_principal
,
718 struct ads_service_principal
*p
)
722 gss_buffer_desc input_name
;
723 /* GSS_KRB5_NT_PRINCIPAL_NAME */
724 gss_OID_desc nt_principal
=
725 {10, CONST_DISCARD(char *, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x01")};
732 /* I've seen a child Windows 2000 domain not send
733 the principal name back in the first round of
734 the SASL bind reply. So we guess based on server
735 name and realm. --jerry */
736 /* Also try best guess when we get the w2k8 ignore principal
737 back, or when we are configured to ignore it - gd,
740 if (!lp_client_use_spnego_principal() ||
742 strequal(given_principal
, ADS_IGNORE_PRINCIPAL
)) {
744 status
= ads_guess_service_principal(ads
, &p
->string
);
745 if (!ADS_ERR_OK(status
)) {
749 p
->string
= SMB_STRDUP(given_principal
);
751 return ADS_ERROR(LDAP_NO_MEMORY
);
756 input_name
.value
= p
->string
;
757 input_name
.length
= strlen(p
->string
);
759 gss_rc
= gss_import_name(&minor_status
, &input_name
, &nt_principal
, &p
->name
);
761 ads_free_service_principal(p
);
762 return ADS_ERROR_GSS(gss_rc
, minor_status
);
770 perform a LDAP/SASL/SPNEGO/KRB5 bind
772 static ADS_STATUS
ads_sasl_spnego_rawkrb5_bind(ADS_STRUCT
*ads
, const char *principal
)
774 DATA_BLOB blob
= data_blob_null
;
775 struct berval cred
, *scred
= NULL
;
776 DATA_BLOB session_key
= data_blob_null
;
779 if (ads
->ldap
.wrap_type
> ADS_SASLWRAP_TYPE_PLAIN
) {
780 return ADS_ERROR_NT(NT_STATUS_NOT_SUPPORTED
);
783 rc
= spnego_gen_krb5_negTokenInit(talloc_tos(), principal
,
784 ads
->auth
.time_offset
, &blob
, &session_key
, 0,
785 &ads
->auth
.tgs_expire
);
788 return ADS_ERROR_KRB5(rc
);
791 /* now send the auth packet and we should be done */
792 cred
.bv_val
= (char *)blob
.data
;
793 cred
.bv_len
= blob
.length
;
795 rc
= ldap_sasl_bind_s(ads
->ldap
.ld
, NULL
, "GSS-SPNEGO", &cred
, NULL
, NULL
, &scred
);
797 data_blob_free(&blob
);
798 data_blob_free(&session_key
);
802 return ADS_ERROR(rc
);
805 static ADS_STATUS
ads_sasl_spnego_krb5_bind(ADS_STRUCT
*ads
,
806 struct ads_service_principal
*p
)
810 * we only use the gsskrb5 based implementation
811 * when sasl sign or seal is requested.
813 * This has the following reasons:
814 * - it's likely that the gssapi krb5 mech implementation
815 * doesn't support to negotiate plain connections
816 * - the ads_sasl_spnego_rawkrb5_bind is more robust
817 * against clock skew errors
819 if (ads
->ldap
.wrap_type
> ADS_SASLWRAP_TYPE_PLAIN
) {
820 return ads_sasl_spnego_gsskrb5_bind(ads
, p
->name
);
823 return ads_sasl_spnego_rawkrb5_bind(ads
, p
->string
);
825 #endif /* HAVE_KRB5 */
828 this performs a SASL/SPNEGO bind
830 static ADS_STATUS
ads_sasl_spnego_bind(ADS_STRUCT
*ads
)
832 struct berval
*scred
=NULL
;
836 char *given_principal
= NULL
;
837 char *OIDs
[ASN1_MAX_OIDS
];
839 bool got_kerberos_mechanism
= False
;
842 rc
= ldap_sasl_bind_s(ads
->ldap
.ld
, NULL
, "GSS-SPNEGO", NULL
, NULL
, NULL
, &scred
);
844 if (rc
!= LDAP_SASL_BIND_IN_PROGRESS
) {
845 status
= ADS_ERROR(rc
);
849 blob
= data_blob(scred
->bv_val
, scred
->bv_len
);
854 file_save("sasl_spnego.dat", blob
.data
, blob
.length
);
857 /* the server sent us the first part of the SPNEGO exchange in the negprot
859 if (!spnego_parse_negTokenInit(talloc_tos(), blob
, OIDs
, &given_principal
, NULL
) ||
861 data_blob_free(&blob
);
862 status
= ADS_ERROR(LDAP_OPERATIONS_ERROR
);
865 data_blob_free(&blob
);
867 /* make sure the server understands kerberos */
868 for (i
=0;OIDs
[i
];i
++) {
869 DEBUG(3,("ads_sasl_spnego_bind: got OID=%s\n", OIDs
[i
]));
871 if (strcmp(OIDs
[i
], OID_KERBEROS5_OLD
) == 0 ||
872 strcmp(OIDs
[i
], OID_KERBEROS5
) == 0) {
873 got_kerberos_mechanism
= True
;
876 talloc_free(OIDs
[i
]);
878 DEBUG(3,("ads_sasl_spnego_bind: got server principal name = %s\n", given_principal
));
881 if (!(ads
->auth
.flags
& ADS_AUTH_DISABLE_KERBEROS
) &&
882 got_kerberos_mechanism
)
884 struct ads_service_principal p
;
886 status
= ads_generate_service_principal(ads
, given_principal
, &p
);
887 TALLOC_FREE(given_principal
);
888 if (!ADS_ERR_OK(status
)) {
892 status
= ads_sasl_spnego_krb5_bind(ads
, &p
);
893 if (ADS_ERR_OK(status
)) {
894 ads_free_service_principal(&p
);
898 DEBUG(10,("ads_sasl_spnego_krb5_bind failed with: %s, "
899 "calling kinit\n", ads_errstr(status
)));
901 status
= ADS_ERROR_KRB5(ads_kinit_password(ads
));
903 if (ADS_ERR_OK(status
)) {
904 status
= ads_sasl_spnego_krb5_bind(ads
, &p
);
905 if (!ADS_ERR_OK(status
)) {
906 DEBUG(0,("kinit succeeded but "
907 "ads_sasl_spnego_krb5_bind failed: %s\n",
908 ads_errstr(status
)));
912 ads_free_service_principal(&p
);
914 /* only fallback to NTLMSSP if allowed */
915 if (ADS_ERR_OK(status
) ||
916 !(ads
->auth
.flags
& ADS_AUTH_ALLOW_NTLMSSP
)) {
922 TALLOC_FREE(given_principal
);
925 /* lets do NTLMSSP ... this has the big advantage that we don't need
926 to sync clocks, and we don't rely on special versions of the krb5
927 library for HMAC_MD4 encryption */
928 return ads_sasl_spnego_ntlmssp_bind(ads
);
935 #define MAX_GSS_PASSES 3
937 /* this performs a SASL/gssapi bind
938 we avoid using cyrus-sasl to make Samba more robust. cyrus-sasl
939 is very dependent on correctly configured DNS whereas
940 this routine is much less fragile
941 see RFC2078 and RFC2222 for details
943 static ADS_STATUS
ads_sasl_gssapi_do_bind(ADS_STRUCT
*ads
, const gss_name_t serv_name
)
946 gss_ctx_id_t context_handle
= GSS_C_NO_CONTEXT
;
947 gss_OID mech_type
= GSS_C_NULL_OID
;
948 gss_buffer_desc output_token
, input_token
;
949 uint32 req_flags
, ret_flags
;
952 struct berval
*scred
= NULL
;
956 uint32 max_msg_size
= ADS_SASL_WRAPPING_OUT_MAX_WRAPPED
;
957 uint8 wrap_type
= ADS_SASLWRAP_TYPE_PLAIN
;
960 input_token
.value
= NULL
;
961 input_token
.length
= 0;
964 * Note: here we always ask the gssapi for sign and seal
965 * as this is negotiated later after the mutal
968 req_flags
= GSS_C_MUTUAL_FLAG
| GSS_C_REPLAY_FLAG
| GSS_C_INTEG_FLAG
| GSS_C_CONF_FLAG
;
970 for (i
=0; i
< MAX_GSS_PASSES
; i
++) {
971 gss_rc
= gss_init_sec_context(&minor_status
,
988 if (gss_rc
&& gss_rc
!= GSS_S_CONTINUE_NEEDED
) {
989 status
= ADS_ERROR_GSS(gss_rc
, minor_status
);
993 cred
.bv_val
= (char *)output_token
.value
;
994 cred
.bv_len
= output_token
.length
;
996 rc
= ldap_sasl_bind_s(ads
->ldap
.ld
, NULL
, "GSSAPI", &cred
, NULL
, NULL
,
998 if (rc
!= LDAP_SASL_BIND_IN_PROGRESS
) {
999 status
= ADS_ERROR(rc
);
1003 if (output_token
.value
) {
1004 gss_release_buffer(&minor_status
, &output_token
);
1008 input_token
.value
= scred
->bv_val
;
1009 input_token
.length
= scred
->bv_len
;
1011 input_token
.value
= NULL
;
1012 input_token
.length
= 0;
1015 if (gss_rc
== 0) break;
1018 gss_rc
= gss_unwrap(&minor_status
,context_handle
,&input_token
,&output_token
,
1025 status
= ADS_ERROR_GSS(gss_rc
, minor_status
);
1029 p
= (uint8
*)output_token
.value
;
1032 file_save("sasl_gssapi.dat", output_token
.value
, output_token
.length
);
1036 wrap_type
= CVAL(p
,0);
1038 max_msg_size
= RIVAL(p
,0);
1041 gss_release_buffer(&minor_status
, &output_token
);
1043 if (!(wrap_type
& ads
->ldap
.wrap_type
)) {
1045 * the server doesn't supports the wrap
1048 DEBUG(0,("The ldap sasl wrap type doesn't match wanted[%d] server[%d]\n",
1049 ads
->ldap
.wrap_type
, wrap_type
));
1050 DEBUGADD(0,("You may want to set the 'client ldap sasl wrapping' option\n"));
1051 status
= ADS_ERROR_NT(NT_STATUS_NOT_SUPPORTED
);
1055 /* 0x58 is the minimum windows accepts */
1056 if (max_msg_size
< 0x58) {
1057 max_msg_size
= 0x58;
1060 output_token
.length
= 4;
1061 output_token
.value
= SMB_MALLOC(output_token
.length
);
1062 if (!output_token
.value
) {
1063 output_token
.length
= 0;
1064 status
= ADS_ERROR_NT(NT_STATUS_NO_MEMORY
);
1067 p
= (uint8
*)output_token
.value
;
1069 RSIVAL(p
,0,max_msg_size
);
1070 SCVAL(p
,0,ads
->ldap
.wrap_type
);
1073 * we used to add sprintf("dn:%s", ads->config.bind_path) here.
1074 * but using ads->config.bind_path is the wrong! It should be
1075 * the DN of the user object!
1077 * w2k3 gives an error when we send an incorrect DN, but sending nothing
1078 * is ok and matches the information flow used in GSS-SPNEGO.
1081 gss_rc
= gss_wrap(&minor_status
, context_handle
,0,GSS_C_QOP_DEFAULT
,
1082 &output_token
, /* used as *input* here. */
1084 &input_token
); /* Used as *output* here. */
1086 status
= ADS_ERROR_GSS(gss_rc
, minor_status
);
1087 output_token
.length
= 0;
1088 SAFE_FREE(output_token
.value
);
1092 /* We've finished with output_token. */
1093 SAFE_FREE(output_token
.value
);
1094 output_token
.length
= 0;
1096 cred
.bv_val
= (char *)input_token
.value
;
1097 cred
.bv_len
= input_token
.length
;
1099 rc
= ldap_sasl_bind_s(ads
->ldap
.ld
, NULL
, "GSSAPI", &cred
, NULL
, NULL
,
1101 gss_release_buffer(&minor_status
, &input_token
);
1102 status
= ADS_ERROR(rc
);
1103 if (!ADS_ERR_OK(status
)) {
1107 if (ads
->ldap
.wrap_type
> ADS_SASLWRAP_TYPE_PLAIN
) {
1108 gss_rc
= gss_wrap_size_limit(&minor_status
, context_handle
,
1109 (ads
->ldap
.wrap_type
== ADS_SASLWRAP_TYPE_SEAL
),
1111 max_msg_size
, &ads
->ldap
.out
.max_unwrapped
);
1113 status
= ADS_ERROR_GSS(gss_rc
, minor_status
);
1117 ads
->ldap
.out
.sig_size
= max_msg_size
- ads
->ldap
.out
.max_unwrapped
;
1118 ads
->ldap
.in
.min_wrapped
= 0x2C; /* taken from a capture with LDAP unbind */
1119 ads
->ldap
.in
.max_wrapped
= max_msg_size
;
1120 status
= ads_setup_sasl_wrapping(ads
, &ads_sasl_gssapi_ops
, context_handle
);
1121 if (!ADS_ERR_OK(status
)) {
1122 DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n",
1123 ads_errstr(status
)));
1126 /* make sure we don't free context_handle */
1127 context_handle
= GSS_C_NO_CONTEXT
;
1132 if (context_handle
!= GSS_C_NO_CONTEXT
)
1133 gss_delete_sec_context(&minor_status
, &context_handle
, GSS_C_NO_BUFFER
);
1140 static ADS_STATUS
ads_sasl_gssapi_bind(ADS_STRUCT
*ads
)
1143 struct ads_service_principal p
;
1145 status
= ads_generate_service_principal(ads
, NULL
, &p
);
1146 if (!ADS_ERR_OK(status
)) {
1150 status
= ads_sasl_gssapi_do_bind(ads
, p
.name
);
1151 if (ADS_ERR_OK(status
)) {
1152 ads_free_service_principal(&p
);
1156 DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, "
1157 "calling kinit\n", ads_errstr(status
)));
1159 status
= ADS_ERROR_KRB5(ads_kinit_password(ads
));
1161 if (ADS_ERR_OK(status
)) {
1162 status
= ads_sasl_gssapi_do_bind(ads
, p
.name
);
1165 ads_free_service_principal(&p
);
1170 #endif /* HAVE_GSSAPI */
1172 /* mapping between SASL mechanisms and functions */
1175 ADS_STATUS (*fn
)(ADS_STRUCT
*);
1176 } sasl_mechanisms
[] = {
1177 {"GSS-SPNEGO", ads_sasl_spnego_bind
},
1179 {"GSSAPI", ads_sasl_gssapi_bind
}, /* doesn't work with .NET RC1. No idea why */
1184 ADS_STATUS
ads_sasl_bind(ADS_STRUCT
*ads
)
1186 const char *attrs
[] = {"supportedSASLMechanisms", NULL
};
1192 /* get a list of supported SASL mechanisms */
1193 status
= ads_do_search(ads
, "", LDAP_SCOPE_BASE
, "(objectclass=*)", attrs
, &res
);
1194 if (!ADS_ERR_OK(status
)) return status
;
1196 values
= ldap_get_values(ads
->ldap
.ld
, res
, "supportedSASLMechanisms");
1198 if (ads
->auth
.flags
& ADS_AUTH_SASL_SEAL
) {
1199 ads
->ldap
.wrap_type
= ADS_SASLWRAP_TYPE_SEAL
;
1200 } else if (ads
->auth
.flags
& ADS_AUTH_SASL_SIGN
) {
1201 ads
->ldap
.wrap_type
= ADS_SASLWRAP_TYPE_SIGN
;
1203 ads
->ldap
.wrap_type
= ADS_SASLWRAP_TYPE_PLAIN
;
1206 /* try our supported mechanisms in order */
1207 for (i
=0;sasl_mechanisms
[i
].name
;i
++) {
1208 /* see if the server supports it */
1209 for (j
=0;values
&& values
[j
];j
++) {
1210 if (strcmp(values
[j
], sasl_mechanisms
[i
].name
) == 0) {
1211 DEBUG(4,("Found SASL mechanism %s\n", values
[j
]));
1213 status
= sasl_mechanisms
[i
].fn(ads
);
1214 if (status
.error_type
== ENUM_ADS_ERROR_LDAP
&&
1215 status
.err
.rc
== LDAP_STRONG_AUTH_REQUIRED
&&
1216 ads
->ldap
.wrap_type
== ADS_SASLWRAP_TYPE_PLAIN
)
1218 DEBUG(3,("SASL bin got LDAP_STRONG_AUTH_REQUIRED "
1219 "retrying with signing enabled\n"));
1220 ads
->ldap
.wrap_type
= ADS_SASLWRAP_TYPE_SIGN
;
1223 ldap_value_free(values
);
1230 ldap_value_free(values
);
1232 return ADS_ERROR(LDAP_AUTH_METHOD_NOT_SUPPORTED
);
1235 #endif /* HAVE_LDAP */