2 Unix SMB/CIFS implementation.
3 kerberos utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Nalin Dahyabhai <nalin@redhat.com> 2004.
7 Copyright (C) Jeremy Allison 2004.
8 Copyright (C) Gerald Carter 2006.
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "system/filesys.h"
27 #include "../librpc/gen_ndr/ndr_misc.h"
28 #include "libads/kerberos_proto.h"
29 #include "libads/cldap.h"
31 #include "../lib/tsocket/tsocket.h"
32 #include "lib/util/asn1.h"
36 #define LIBADS_CCACHE_NAME "MEMORY:libads"
39 we use a prompter to avoid a crash bug in the kerberos libs when
40 dealing with empty passwords
41 this prompter is just a string copy ...
43 static krb5_error_code
44 kerb_prompter(krb5_context ctx
, void *data
,
48 krb5_prompt prompts
[])
50 if (num_prompts
== 0) return 0;
51 if (num_prompts
== 2) {
53 * only heimdal has a prompt type and we need to deal with it here to
56 * removing the prompter completely is not an option as at least these
57 * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal
58 * version have looping detection and return with a proper error code.
61 #if HAVE_KRB5_PROMPT_TYPE /* Heimdal */
62 if (prompts
[0].type
== KRB5_PROMPT_TYPE_NEW_PASSWORD
&&
63 prompts
[1].type
== KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN
) {
65 * We don't want to change passwords here. We're
66 * called from heimal when the KDC returns
67 * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
68 * have the chance to ask the user for a new
69 * password. If we return 0 (i.e. success), we will be
70 * spinning in the endless for-loop in
71 * change_password() in
72 * source4/heimdal/lib/krb5/init_creds_pw.c:526ff
74 return KRB5KDC_ERR_KEY_EXPIRED
;
76 #elif defined(HAVE_KRB5_GET_PROMPT_TYPES) /* MIT */
77 krb5_prompt_type
*prompt_types
= NULL
;
79 prompt_types
= krb5_get_prompt_types(ctx
);
80 if (prompt_types
!= NULL
) {
81 if (prompt_types
[0] == KRB5_PROMPT_TYPE_NEW_PASSWORD
&&
82 prompt_types
[1] == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN
) {
83 return KRB5KDC_ERR_KEY_EXP
;
89 memset(prompts
[0].reply
->data
, '\0', prompts
[0].reply
->length
);
90 if (prompts
[0].reply
->length
> 0) {
92 strncpy((char *)prompts
[0].reply
->data
, (const char *)data
,
93 prompts
[0].reply
->length
-1);
94 prompts
[0].reply
->length
= strlen((const char *)prompts
[0].reply
->data
);
96 prompts
[0].reply
->length
= 0;
103 simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL
104 place in default cache location.
107 int kerberos_kinit_password_ext(const char *principal
,
108 const char *password
,
111 time_t *renew_till_time
,
112 const char *cache_name
,
114 bool add_netbios_addr
,
115 time_t renewable_time
,
118 krb5_context ctx
= NULL
;
119 krb5_error_code code
= 0;
120 krb5_ccache cc
= NULL
;
121 krb5_principal me
= NULL
;
122 krb5_principal canon_princ
= NULL
;
124 krb5_get_init_creds_opt
*opt
= NULL
;
125 smb_krb5_addresses
*addr
= NULL
;
127 ZERO_STRUCT(my_creds
);
129 initialize_krb5_error_table();
130 if ((code
= krb5_init_context(&ctx
)))
133 if (time_offset
!= 0) {
134 krb5_set_real_time(ctx
, time(NULL
) + time_offset
, 0);
137 DEBUG(10,("kerberos_kinit_password: as %s using [%s] as ccache and config [%s]\n",
139 cache_name
? cache_name
: krb5_cc_default_name(ctx
),
140 getenv("KRB5_CONFIG")));
142 if ((code
= krb5_cc_resolve(ctx
, cache_name
? cache_name
: krb5_cc_default_name(ctx
), &cc
))) {
146 if ((code
= smb_krb5_parse_name(ctx
, principal
, &me
))) {
150 if ((code
= krb5_get_init_creds_opt_alloc(ctx
, &opt
))) {
154 krb5_get_init_creds_opt_set_renew_life(opt
, renewable_time
);
155 krb5_get_init_creds_opt_set_forwardable(opt
, True
);
157 /* Turn on canonicalization for lower case realm support */
158 #ifndef SAMBA4_USES_HEIMDAL /* MIT */
159 krb5_get_init_creds_opt_set_canonicalize(opt
, true);
163 krb5_get_init_creds_opt_set_tkt_life(opt
, 60);
166 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
168 if ((code
= krb5_get_init_creds_opt_set_pac_request(ctx
, opt
, (krb5_boolean
)request_pac
))) {
173 if (add_netbios_addr
) {
174 if ((code
= smb_krb5_gen_netbios_krb5_address(&addr
,
175 lp_netbios_name()))) {
178 krb5_get_init_creds_opt_set_address_list(opt
, addr
->addrs
);
181 if ((code
= krb5_get_init_creds_password(ctx
, &my_creds
, me
, discard_const_p(char,password
),
182 kerb_prompter
, discard_const_p(char, password
),
188 #ifndef SAMBA4_USES_HEIMDAL /* MIT */
189 canon_princ
= my_creds
.client
;
192 if ((code
= krb5_cc_initialize(ctx
, cc
, canon_princ
))) {
196 if ((code
= krb5_cc_store_cred(ctx
, cc
, &my_creds
))) {
201 *expire_time
= (time_t) my_creds
.times
.endtime
;
204 if (renew_till_time
) {
205 *renew_till_time
= (time_t) my_creds
.times
.renew_till
;
211 *ntstatus
= NT_STATUS_OK
;
215 /* fall back to self-made-mapping */
216 *ntstatus
= krb5_to_nt_status(code
);
220 krb5_free_cred_contents(ctx
, &my_creds
);
222 krb5_free_principal(ctx
, me
);
225 smb_krb5_free_addresses(ctx
, addr
);
228 krb5_get_init_creds_opt_free(ctx
, opt
);
231 krb5_cc_close(ctx
, cc
);
234 krb5_free_context(ctx
);
239 int ads_kdestroy(const char *cc_name
)
241 krb5_error_code code
;
242 krb5_context ctx
= NULL
;
243 krb5_ccache cc
= NULL
;
245 initialize_krb5_error_table();
246 if ((code
= krb5_init_context (&ctx
))) {
247 DEBUG(3, ("ads_kdestroy: kdb5_init_context failed: %s\n",
248 error_message(code
)));
253 if ((code
= krb5_cc_default(ctx
, &cc
))) {
254 krb5_free_context(ctx
);
258 if ((code
= krb5_cc_resolve(ctx
, cc_name
, &cc
))) {
259 DEBUG(3, ("ads_kdestroy: krb5_cc_resolve failed: %s\n",
260 error_message(code
)));
261 krb5_free_context(ctx
);
266 if ((code
= krb5_cc_destroy (ctx
, cc
))) {
267 DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n",
268 error_message(code
)));
271 krb5_free_context (ctx
);
275 int create_kerberos_key_from_string(krb5_context context
,
276 krb5_principal host_princ
,
277 krb5_principal salt_princ
,
280 krb5_enctype enctype
,
285 * Check if we've determined that the KDC is salting keys for this
286 * principal/enctype in a non-obvious way. If it is, try to match
290 KRB5_KEY_DATA(key
) = (KRB5_KEY_DATA_CAST
*)SMB_MALLOC(password
->length
);
291 if (!KRB5_KEY_DATA(key
)) {
294 memcpy(KRB5_KEY_DATA(key
), password
->data
, password
->length
);
295 KRB5_KEY_LENGTH(key
) = password
->length
;
296 KRB5_KEY_TYPE(key
) = enctype
;
299 ret
= smb_krb5_create_key_from_string(context
,
300 salt_princ
? salt_princ
: host_princ
,
308 /************************************************************************
309 ************************************************************************/
311 int kerberos_kinit_password(const char *principal
,
312 const char *password
,
314 const char *cache_name
)
316 return kerberos_kinit_password_ext(principal
,
328 /************************************************************************
329 ************************************************************************/
331 /************************************************************************
332 Create a string list of available kdc's, possibly searching by sitename.
335 If "sitename" is given, the DC's in that site are listed first.
337 ************************************************************************/
339 static void add_sockaddr_unique(struct sockaddr_storage
*addrs
, int *num_addrs
,
340 const struct sockaddr_storage
*addr
)
344 for (i
=0; i
<*num_addrs
; i
++) {
345 if (sockaddr_equal((const struct sockaddr
*)&addrs
[i
],
346 (const struct sockaddr
*)addr
)) {
354 /* print_canonical_sockaddr prints an ipv6 addr in the form of
355 * [ipv6.addr]. This string, when put in a generated krb5.conf file is not
356 * always properly dealt with by some older krb5 libraries. Adding the hard-coded
357 * portnumber workarounds the issue. - gd */
359 static char *print_canonical_sockaddr_with_port(TALLOC_CTX
*mem_ctx
,
360 const struct sockaddr_storage
*pss
)
364 str
= print_canonical_sockaddr(mem_ctx
, pss
);
369 if (pss
->ss_family
!= AF_INET6
) {
373 #if defined(HAVE_IPV6)
374 str
= talloc_asprintf_append(str
, ":88");
379 static char *get_kdc_ip_string(char *mem_ctx
,
381 const char *sitename
,
382 const struct sockaddr_storage
*pss
)
384 TALLOC_CTX
*frame
= talloc_stackframe();
386 struct ip_service
*ip_srv_site
= NULL
;
387 struct ip_service
*ip_srv_nonsite
= NULL
;
391 struct sockaddr_storage
*dc_addrs
;
392 struct tsocket_address
**dc_addrs2
= NULL
;
393 const struct tsocket_address
* const *dc_addrs3
= NULL
;
395 struct netlogon_samlogon_response
**responses
= NULL
;
397 char *kdc_str
= talloc_asprintf(mem_ctx
, "%s\t\tkdc = %s\n", "",
398 print_canonical_sockaddr_with_port(mem_ctx
, pss
));
400 if (kdc_str
== NULL
) {
406 * First get the KDC's only in this site, the rest will be
411 get_kdc_list(realm
, sitename
, &ip_srv_site
, &count_site
);
412 DEBUG(10, ("got %d addresses from site %s search\n", count_site
,
418 get_kdc_list(realm
, NULL
, &ip_srv_nonsite
, &count_nonsite
);
419 DEBUG(10, ("got %d addresses from site-less search\n", count_nonsite
));
421 dc_addrs
= talloc_array(talloc_tos(), struct sockaddr_storage
,
422 count_site
+ count_nonsite
);
423 if (dc_addrs
== NULL
) {
429 for (i
= 0; i
< count_site
; i
++) {
431 (const struct sockaddr
*)pss
,
432 (const struct sockaddr
*)&ip_srv_site
[i
].ss
)) {
433 add_sockaddr_unique(dc_addrs
, &num_dcs
,
438 for (i
= 0; i
< count_nonsite
; i
++) {
440 (const struct sockaddr
*)pss
,
441 (const struct sockaddr
*)&ip_srv_nonsite
[i
].ss
)) {
442 add_sockaddr_unique(dc_addrs
, &num_dcs
,
443 &ip_srv_nonsite
[i
].ss
);
447 dc_addrs2
= talloc_zero_array(talloc_tos(),
448 struct tsocket_address
*,
451 DEBUG(10, ("%d additional KDCs to test\n", num_dcs
));
455 if (dc_addrs2
== NULL
) {
459 for (i
=0; i
<num_dcs
; i
++) {
460 char addr
[INET6_ADDRSTRLEN
];
463 print_sockaddr(addr
, sizeof(addr
), &dc_addrs
[i
]);
465 ret
= tsocket_address_inet_from_strings(dc_addrs2
, "ip",
469 status
= map_nt_error_from_unix(errno
);
470 DEBUG(2,("Failed to create tsocket_address for %s - %s\n",
471 addr
, nt_errstr(status
)));
476 dc_addrs3
= (const struct tsocket_address
* const *)dc_addrs2
;
478 status
= cldap_multi_netlogon(talloc_tos(),
480 realm
, lp_netbios_name(),
481 NETLOGON_NT_VERSION_5
| NETLOGON_NT_VERSION_5EX
,
482 MIN(num_dcs
, 3), timeval_current_ofs(3, 0), &responses
);
483 TALLOC_FREE(dc_addrs2
);
486 if (!NT_STATUS_IS_OK(status
)) {
487 DEBUG(10,("get_kdc_ip_string: cldap_multi_netlogon failed: "
488 "%s\n", nt_errstr(status
)));
492 for (i
=0; i
<num_dcs
; i
++) {
495 if (responses
[i
] == NULL
) {
499 /* Append to the string - inefficient but not done often. */
500 new_kdc_str
= talloc_asprintf(mem_ctx
, "%s\t\tkdc = %s\n",
502 print_canonical_sockaddr_with_port(mem_ctx
, &dc_addrs
[i
]));
503 if (new_kdc_str
== NULL
) {
506 TALLOC_FREE(kdc_str
);
507 kdc_str
= new_kdc_str
;
511 DEBUG(10, ("get_kdc_ip_string: Returning %s\n", kdc_str
));
514 SAFE_FREE(ip_srv_site
);
515 SAFE_FREE(ip_srv_nonsite
);
520 /************************************************************************
521 Create a specific krb5.conf file in the private directory pointing
522 at a specific kdc for a realm. Keyed off domain name. Sets
523 KRB5_CONFIG environment variable to point to this file. Must be
524 run as root or will fail (which is a good thing :-).
525 ************************************************************************/
527 #if !defined(SAMBA4_USES_HEIMDAL) /* MIT version */
528 static char *get_enctypes(TALLOC_CTX
*mem_ctx
)
530 char *aes_enctypes
= NULL
;
531 const char *legacy_enctypes
= "";
532 char *enctypes
= NULL
;
534 aes_enctypes
= talloc_strdup(mem_ctx
, "");
535 if (aes_enctypes
== NULL
) {
539 if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL
||
540 lp_kerberos_encryption_types() == KERBEROS_ETYPES_STRONG
) {
541 #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
542 aes_enctypes
= talloc_asprintf_append(
543 aes_enctypes
, "%s", "aes256-cts-hmac-sha1-96 ");
544 if (aes_enctypes
== NULL
) {
548 #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
549 aes_enctypes
= talloc_asprintf_append(
550 aes_enctypes
, "%s", "aes128-cts-hmac-sha1-96");
551 if (aes_enctypes
== NULL
) {
557 if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL
||
558 lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY
) {
559 legacy_enctypes
= "RC4-HMAC DES-CBC-CRC DES-CBC-MD5";
563 talloc_asprintf(mem_ctx
, "\tdefault_tgs_enctypes = %s %s\n"
564 "\tdefault_tkt_enctypes = %s %s\n"
565 "\tpreferred_enctypes = %s %s\n",
566 aes_enctypes
, legacy_enctypes
, aes_enctypes
,
567 legacy_enctypes
, aes_enctypes
, legacy_enctypes
);
569 TALLOC_FREE(aes_enctypes
);
572 #else /* Heimdal version */
573 static char *get_enctypes(TALLOC_CTX
*mem_ctx
)
575 const char *aes_enctypes
= "";
576 const char *legacy_enctypes
= "";
577 char *enctypes
= NULL
;
579 if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL
||
580 lp_kerberos_encryption_types() == KERBEROS_ETYPES_STRONG
) {
582 "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96";
585 if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL
||
586 lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY
) {
587 legacy_enctypes
= "arcfour-hmac-md5 des-cbc-crc des-cbc-md5";
590 enctypes
= talloc_asprintf(mem_ctx
, "\tdefault_etypes = %s %s\n",
591 aes_enctypes
, legacy_enctypes
);
597 bool create_local_private_krb5_conf_for_domain(const char *realm
,
599 const char *sitename
,
600 const struct sockaddr_storage
*pss
)
603 char *tmpname
= NULL
;
605 char *file_contents
= NULL
;
606 char *kdc_ip_string
= NULL
;
610 char *realm_upper
= NULL
;
612 char *enctypes
= NULL
;
613 const char *include_system_krb5
= "";
616 if (!lp_create_krb5_conf()) {
621 DEBUG(0, ("No realm has been specified! Do you really want to "
622 "join an Active Directory server?\n"));
626 if (domain
== NULL
|| pss
== NULL
) {
630 dname
= lock_path("smb_krb5");
634 if ((mkdir(dname
, 0755)==-1) && (errno
!= EEXIST
)) {
635 DEBUG(0,("create_local_private_krb5_conf_for_domain: "
636 "failed to create directory %s. Error was %s\n",
637 dname
, strerror(errno
) ));
641 tmpname
= lock_path("smb_tmp_krb5.XXXXXX");
646 fname
= talloc_asprintf(dname
, "%s/krb5.conf.%s", dname
, domain
);
651 DEBUG(10,("create_local_private_krb5_conf_for_domain: fname = %s, realm = %s, domain = %s\n",
652 fname
, realm
, domain
));
654 realm_upper
= talloc_strdup(fname
, realm
);
655 if (!strupper_m(realm_upper
)) {
659 kdc_ip_string
= get_kdc_ip_string(dname
, realm
, sitename
, pss
);
660 if (!kdc_ip_string
) {
664 enctypes
= get_enctypes(fname
);
665 if (enctypes
== NULL
) {
669 #if !defined(SAMBA4_USES_HEIMDAL)
670 if (lp_include_system_krb5_conf()) {
671 include_system_krb5
= "include /etc/krb5.conf";
676 talloc_asprintf(fname
,
677 "[libdefaults]\n\tdefault_realm = %s\n"
679 "\tdns_lookup_realm = false\n\n"
680 "[realms]\n\t%s = {\n"
687 include_system_krb5
);
689 if (!file_contents
) {
693 flen
= strlen(file_contents
);
695 mask
= umask(S_IRWXO
| S_IRWXG
);
696 fd
= mkstemp(tmpname
);
699 DEBUG(0,("create_local_private_krb5_conf_for_domain: smb_mkstemp failed,"
700 " for file %s. Errno %s\n",
701 tmpname
, strerror(errno
) ));
705 if (fchmod(fd
, 0644)==-1) {
706 DEBUG(0,("create_local_private_krb5_conf_for_domain: fchmod failed for %s."
708 tmpname
, strerror(errno
) ));
714 ret
= write(fd
, file_contents
, flen
);
716 DEBUG(0,("create_local_private_krb5_conf_for_domain: write failed,"
717 " returned %d (should be %u). Errno %s\n",
718 (int)ret
, (unsigned int)flen
, strerror(errno
) ));
724 DEBUG(0,("create_local_private_krb5_conf_for_domain: close failed."
725 " Errno %s\n", strerror(errno
) ));
730 if (rename(tmpname
, fname
) == -1) {
731 DEBUG(0,("create_local_private_krb5_conf_for_domain: rename "
732 "of %s to %s failed. Errno %s\n",
733 tmpname
, fname
, strerror(errno
) ));
738 DEBUG(5,("create_local_private_krb5_conf_for_domain: wrote "
739 "file %s with realm %s KDC list = %s\n",
740 fname
, realm_upper
, kdc_ip_string
));
742 /* Set the environment variable to this file. */
743 setenv("KRB5_CONFIG", fname
, 1);
747 #if defined(OVERWRITE_SYSTEM_KRB5_CONF)
749 #define SYSTEM_KRB5_CONF_PATH "/etc/krb5.conf"
750 /* Insanity, sheer insanity..... */
752 if (strequal(realm
, lp_realm())) {
753 SMB_STRUCT_STAT sbuf
;
755 if (sys_lstat(SYSTEM_KRB5_CONF_PATH
, &sbuf
, false) == 0) {
756 if (S_ISLNK(sbuf
.st_ex_mode
) && sbuf
.st_ex_size
) {
758 size_t alloc_size
= sbuf
.st_ex_size
+ 1;
759 char *linkpath
= talloc_array(talloc_tos(), char,
764 lret
= readlink(SYSTEM_KRB5_CONF_PATH
, linkpath
,
767 TALLOC_FREE(linkpath
);
770 linkpath
[lret
] = '\0';
772 if (strcmp(linkpath
, fname
) == 0) {
773 /* Symlink already exists. */
774 TALLOC_FREE(linkpath
);
777 TALLOC_FREE(linkpath
);
781 /* Try and replace with a symlink. */
782 if (symlink(fname
, SYSTEM_KRB5_CONF_PATH
) == -1) {
783 const char *newpath
= SYSTEM_KRB5_CONF_PATH
".saved";
784 if (errno
!= EEXIST
) {
785 DEBUG(0,("create_local_private_krb5_conf_for_domain: symlink "
786 "of %s to %s failed. Errno %s\n",
787 fname
, SYSTEM_KRB5_CONF_PATH
, strerror(errno
) ));
788 goto done
; /* Not a fatal error. */
791 /* Yes, this is a race conditon... too bad. */
792 if (rename(SYSTEM_KRB5_CONF_PATH
, newpath
) == -1) {
793 DEBUG(0,("create_local_private_krb5_conf_for_domain: rename "
794 "of %s to %s failed. Errno %s\n",
795 SYSTEM_KRB5_CONF_PATH
, newpath
,
797 goto done
; /* Not a fatal error. */
800 if (symlink(fname
, SYSTEM_KRB5_CONF_PATH
) == -1) {
801 DEBUG(0,("create_local_private_krb5_conf_for_domain: "
802 "forced symlink of %s to /etc/krb5.conf failed. Errno %s\n",
803 fname
, strerror(errno
) ));
804 goto done
; /* Not a fatal error. */
811 TALLOC_FREE(tmpname
);