search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dssync keytab: support storing kerberos keys from supplemental credentials.
[Samba.git] / source / libnet / libnet_dssync_keytab.c
blobd74ee3dbdb0a8791b471a70eaff140645a56dafd
1 /*
2 Unix SMB/CIFS implementation.
3
4 Copyright (C) Guenther Deschner <gd@samba.org> 2008
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "libnet/libnet.h"
22 #include "librpc/gen_ndr/ndr_drsblobs.h"
23
24 #if defined(HAVE_ADS) && defined(ENCTYPE_ARCFOUR_HMAC)
25
26 static NTSTATUS add_to_keytab_entries(TALLOC_CTX *mem_ctx,
27 struct libnet_keytab_context *ctx,
28 uint32_t kvno,
29 const char *name,
30 const char *prefix,
31 const krb5_enctype enctype,
32 DATA_BLOB blob)
33 {
34 struct libnet_keytab_entry entry;
35
36 entry.kvno = kvno;
37 entry.name = talloc_strdup(mem_ctx, name);
38 entry.principal = talloc_asprintf(mem_ctx, "%s%s%s@%s",
39 prefix ? prefix : "",
40 prefix ? "/" : "",
41 name, ctx->dns_domain_name);
42 entry.enctype = enctype;
43 entry.password = blob;
44 NT_STATUS_HAVE_NO_MEMORY(entry.name);
45 NT_STATUS_HAVE_NO_MEMORY(entry.principal);
46 NT_STATUS_HAVE_NO_MEMORY(entry.password.data);
47
48 ADD_TO_ARRAY(mem_ctx, struct libnet_keytab_entry, entry,
49 &ctx->entries, &ctx->count);
50 NT_STATUS_HAVE_NO_MEMORY(ctx->entries);
51
52 return NT_STATUS_OK;
53 }
54
55 static NTSTATUS keytab_startup(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
56 struct replUpToDateVectorBlob **pold_utdv)
57 {
58 krb5_error_code ret = 0;
59 struct libnet_keytab_context *keytab_ctx;
60 struct libnet_keytab_entry *entry;
61 struct replUpToDateVectorBlob *old_utdv = NULL;
62 char *principal;
63
64 ret = libnet_keytab_init(mem_ctx, ctx->output_filename, &keytab_ctx);
65 if (ret) {
66 return krb5_to_nt_status(ret);
67 }
68
69 keytab_ctx->dns_domain_name = ctx->dns_domain_name;
70 ctx->private_data = keytab_ctx;
71
72 principal = talloc_asprintf(mem_ctx, "UTDV/%s@%s",
73 ctx->nc_dn, ctx->dns_domain_name);
74 NT_STATUS_HAVE_NO_MEMORY(principal);
75
76 entry = libnet_keytab_search(keytab_ctx, principal, 0, ENCTYPE_NULL,
77 mem_ctx);
78 if (entry) {
79 enum ndr_err_code ndr_err;
80 old_utdv = talloc(mem_ctx, struct replUpToDateVectorBlob);
81
82 ndr_err = ndr_pull_struct_blob(&entry->password, old_utdv,
83 old_utdv,
84 (ndr_pull_flags_fn_t)ndr_pull_replUpToDateVectorBlob);
85 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
86 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
87 ctx->error_message = talloc_asprintf(mem_ctx,
88 "Failed to pull UpToDateVector: %s",
89 nt_errstr(status));
90 return status;
91 }
92
93 if (DEBUGLEVEL >= 10) {
94 NDR_PRINT_DEBUG(replUpToDateVectorBlob, old_utdv);
95 }
96 }
97
98 if (pold_utdv) {
99 *pold_utdv = old_utdv;
100 }
101
102 return NT_STATUS_OK;
103 }
104
105 static NTSTATUS keytab_finish(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
106 struct replUpToDateVectorBlob *new_utdv)
107 {
108 NTSTATUS status = NT_STATUS_OK;
109 krb5_error_code ret = 0;
110 struct libnet_keytab_context *keytab_ctx =
111 (struct libnet_keytab_context *)ctx->private_data;
112
113 if (new_utdv) {
114 enum ndr_err_code ndr_err;
115 DATA_BLOB blob;
116
117 if (DEBUGLEVEL >= 10) {
118 NDR_PRINT_DEBUG(replUpToDateVectorBlob, new_utdv);
119 }
120
121 ndr_err = ndr_push_struct_blob(&blob, mem_ctx, new_utdv,
122 (ndr_push_flags_fn_t)ndr_push_replUpToDateVectorBlob);
123 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
124 status = ndr_map_error2ntstatus(ndr_err);
125 ctx->error_message = talloc_asprintf(mem_ctx,
126 "Failed to push UpToDateVector: %s",
127 nt_errstr(status));
128 goto done;
129 }
130
131 status = add_to_keytab_entries(mem_ctx, keytab_ctx, 0,
132 ctx->nc_dn, "UTDV",
133 ENCTYPE_NULL,
134 blob);
135 if (!NT_STATUS_IS_OK(status)) {
136 goto done;
137 }
138 }
139
140 ret = libnet_keytab_add(keytab_ctx);
141 if (ret) {
142 status = krb5_to_nt_status(ret);
143 ctx->error_message = talloc_asprintf(mem_ctx,
144 "Failed to add entries to keytab %s: %s",
145 keytab_ctx->keytab_name, error_message(ret));
146 goto done;
147 }
148
149 ctx->result_message = talloc_asprintf(mem_ctx,
150 "Vampired %d accounts to keytab %s",
151 keytab_ctx->count,
152 keytab_ctx->keytab_name);
153
154 done:
155 TALLOC_FREE(keytab_ctx);
156 return status;
157 }
158
159 /****************************************************************
160 ****************************************************************/
161
162 static NTSTATUS parse_supplemental_credentials(TALLOC_CTX *mem_ctx,
163 const DATA_BLOB *blob,
164 struct package_PrimaryKerberosCtr3 **pkb3,
165 struct package_PrimaryKerberosCtr4 **pkb4)
166 {
167 NTSTATUS status;
168 enum ndr_err_code ndr_err;
169 struct supplementalCredentialsBlob scb;
170 struct supplementalCredentialsPackage *scpk = NULL;
171 DATA_BLOB scpk_blob;
172 struct package_PrimaryKerberosBlob *pkb;
173 bool newer_keys = false;
174 uint32_t j;
175
176 ndr_err = ndr_pull_struct_blob_all(blob, mem_ctx, &scb,
177 (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
178 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
179 status = ndr_map_error2ntstatus(ndr_err);
180 goto done;
181 }
182 if (scb.sub.signature !=
183 SUPPLEMENTAL_CREDENTIALS_SIGNATURE)
184 {
185 if (DEBUGLEVEL >= 10) {
186 NDR_PRINT_DEBUG(supplementalCredentialsBlob, &scb);
187 }
188 status = NT_STATUS_INVALID_PARAMETER;
189 goto done;
190 }
191 for (j=0; j < scb.sub.num_packages; j++) {
192 if (strcmp("Primary:Kerberos-Newer-Keys",
193 scb.sub.packages[j].name) == 0)
194 {
195 scpk = &scb.sub.packages[j];
196 if (!scpk->data || !scpk->data[0]) {
197 scpk = NULL;
198 continue;
199 }
200 newer_keys = true;
201 break;
202 } else if (strcmp("Primary:Kerberos",
203 scb.sub.packages[j].name) == 0)
204 {
205 /*
206 * grab this but don't break here:
207 * there might still be newer-keys ...
208 */
209 scpk = &scb.sub.packages[j];
210 if (!scpk->data || !scpk->data[0]) {
211 scpk = NULL;
212 }
213 }
214 }
215
216 if (!scpk) {
217 /* no data */
218 status = NT_STATUS_OK;
219 goto done;
220 }
221
222 scpk_blob = strhex_to_data_blob(mem_ctx, scpk->data);
223 if (!scpk_blob.data) {
224 status = NT_STATUS_NO_MEMORY;
225 goto done;
226 }
227
228 pkb = TALLOC_ZERO_P(mem_ctx, struct package_PrimaryKerberosBlob);
229 if (!pkb) {
230 status = NT_STATUS_NO_MEMORY;
231 goto done;
232 }
233 ndr_err = ndr_pull_struct_blob(&scpk_blob, mem_ctx, pkb,
234 (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
235 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
236 status = ndr_map_error2ntstatus(ndr_err);
237 goto done;
238 }
239
240 if (!newer_keys && pkb->version != 3) {
241 status = NT_STATUS_INVALID_PARAMETER;
242 goto done;
243 }
244
245 if (newer_keys && pkb->version != 4) {
246 status = NT_STATUS_INVALID_PARAMETER;
247 goto done;
248 }
249
250 if (pkb->version == 4 && pkb4) {
251 *pkb4 = &pkb->ctr.ctr4;
252 } else if (pkb->version == 3 && pkb3) {
253 *pkb3 = &pkb->ctr.ctr3;
254 }
255
256 status = NT_STATUS_OK;
257
258 done:
259 return status;
260 }
261
262 static NTSTATUS parse_object(TALLOC_CTX *mem_ctx,
263 struct libnet_keytab_context *ctx,
264 struct drsuapi_DsReplicaObjectListItemEx *cur)
265 {
266 NTSTATUS status = NT_STATUS_OK;
267 uchar nt_passwd[16];
268 DATA_BLOB *blob;
269 int i = 0;
270 struct drsuapi_DsReplicaAttribute *attr;
271 bool got_pwd = false;
272
273 struct package_PrimaryKerberosCtr3 *pkb3 = NULL;
274 struct package_PrimaryKerberosCtr4 *pkb4 = NULL;
275
276 char *object_dn = NULL;
277 char *upn = NULL;
278 char **spn = NULL;
279 uint32_t num_spns = 0;
280 char *name = NULL;
281 uint32_t kvno = 0;
282 uint32_t uacc = 0;
283 uint32_t sam_type = 0;
284
285 uint32_t pwd_history_len = 0;
286 uint8_t *pwd_history = NULL;
287
288 ZERO_STRUCT(nt_passwd);
289
290 object_dn = talloc_strdup(mem_ctx, cur->object.identifier->dn);
291 if (!object_dn) {
292 return NT_STATUS_NO_MEMORY;
293 }
294
295 DEBUG(3, ("parsing object '%s'\n", object_dn));
296
297 for (i=0; i < cur->object.attribute_ctr.num_attributes; i++) {
298
299 attr = &cur->object.attribute_ctr.attributes[i];
300
301 if (attr->attid == DRSUAPI_ATTRIBUTE_servicePrincipalName) {
302 uint32_t count;
303 num_spns = attr->value_ctr.num_values;
304 spn = TALLOC_ARRAY(mem_ctx, char *, num_spns);
305 for (count = 0; count < num_spns; count++) {
306 blob = attr->value_ctr.values[count].blob;
307 pull_string_talloc(spn, NULL, 0,
308 &spn[count],
309 blob->data, blob->length,
310 STR_UNICODE);
311 }
312 }
313
314 if (attr->value_ctr.num_values != 1) {
315 continue;
316 }
317
318 if (!attr->value_ctr.values[0].blob) {
319 continue;
320 }
321
322 blob = attr->value_ctr.values[0].blob;
323
324 switch (attr->attid) {
325 case DRSUAPI_ATTRIBUTE_unicodePwd:
326
327 if (blob->length != 16) {
328 break;
329 }
330
331 memcpy(&nt_passwd, blob->data, 16);
332 got_pwd = true;
333
334 /* pick the kvno from the meta_data version,
335 * thanks, metze, for explaining this */
336
337 if (!cur->meta_data_ctr) {
338 break;
339 }
340 if (cur->meta_data_ctr->count !=
341 cur->object.attribute_ctr.num_attributes) {
342 break;
343 }
344 kvno = cur->meta_data_ctr->meta_data[i].version;
345 break;
346 case DRSUAPI_ATTRIBUTE_ntPwdHistory:
347 pwd_history_len = blob->length / 16;
348 pwd_history = blob->data;
349 break;
350 case DRSUAPI_ATTRIBUTE_userPrincipalName:
351 pull_string_talloc(mem_ctx, NULL, 0, &upn,
352 blob->data, blob->length,
353 STR_UNICODE);
354 break;
355 case DRSUAPI_ATTRIBUTE_sAMAccountName:
356 pull_string_talloc(mem_ctx, NULL, 0, &name,
357 blob->data, blob->length,
358 STR_UNICODE);
359 break;
360 case DRSUAPI_ATTRIBUTE_sAMAccountType:
361 sam_type = IVAL(blob->data, 0);
362 break;
363 case DRSUAPI_ATTRIBUTE_userAccountControl:
364 uacc = IVAL(blob->data, 0);
365 break;
366 case DRSUAPI_ATTRIBUTE_supplementalCredentials:
367 status = parse_supplemental_credentials(mem_ctx,
368 blob,
369 &pkb3,
370 &pkb4);
371 if (!NT_STATUS_IS_OK(status)) {
372 DEBUG(2, ("parsing of supplemental "
373 "credentials failed: %s\n",
374 nt_errstr(status)));
375 }
376 break;
377 default:
378 break;
379 }
380 }
381
382 if (!got_pwd) {
383 DEBUG(10, ("no password (unicodePwd) found - skipping.\n"));
384 return NT_STATUS_OK;
385 }
386
387 if (name) {
388 status = add_to_keytab_entries(mem_ctx, ctx, 0, object_dn,
389 "SAMACCOUNTNAME",
390 ENCTYPE_NULL,
391 data_blob_talloc(mem_ctx, name,
392 strlen(name) + 1));
393 if (!NT_STATUS_IS_OK(status)) {
394 return status;
395 }
396 } else {
397 /* look into keytab ... */
398 struct libnet_keytab_entry *entry = NULL;
399 char *principal = NULL;
400
401 DEBUG(10, ("looking for SAMACCOUNTNAME/%s@%s in keytayb...\n",
402 object_dn, ctx->dns_domain_name));
403
404 principal = talloc_asprintf(mem_ctx, "%s/%s@%s",
405 "SAMACCOUNTNAME",
406 object_dn,
407 ctx->dns_domain_name);
408 if (!principal) {
409 DEBUG(1, ("talloc failed\n"));
410 return NT_STATUS_NO_MEMORY;
411 }
412 entry = libnet_keytab_search(ctx, principal, 0, ENCTYPE_NULL,
413 mem_ctx);
414 if (entry) {
415 name = (char *)TALLOC_MEMDUP(mem_ctx,
416 entry->password.data,
417 entry->password.length);
418 if (!name) {
419 DEBUG(1, ("talloc failed!"));
420 return NT_STATUS_NO_MEMORY;
421 } else {
422 DEBUG(10, ("found name %s\n", name));
423 }
424 TALLOC_FREE(entry);
425 } else {
426 DEBUG(10, ("entry not found\n"));
427 }
428 TALLOC_FREE(principal);
429 }
430
431 if (!name) {
432 DEBUG(10, ("no name (sAMAccountName) found - skipping.\n"));
433 return NT_STATUS_OK;
434 }
435
436 DEBUG(1,("#%02d: %s:%d, ", ctx->count, name, kvno));
437 DEBUGADD(1,("sAMAccountType: 0x%08x, userAccountControl: 0x%08x",
438 sam_type, uacc));
439 if (upn) {
440 DEBUGADD(1,(", upn: %s", upn));
441 }
442 if (num_spns > 0) {
443 DEBUGADD(1, (", spns: ["));
444 for (i = 0; i < num_spns; i++) {
445 DEBUGADD(1, ("%s%s", spn[i],
446 (i+1 == num_spns)?"]":", "));
447 }
448 }
449 DEBUGADD(1,("\n"));
450
451 status = add_to_keytab_entries(mem_ctx, ctx, kvno, name, NULL,
452 ENCTYPE_ARCFOUR_HMAC,
453 data_blob_talloc(mem_ctx, nt_passwd, 16));
454
455 if (!NT_STATUS_IS_OK(status)) {
456 return status;
457 }
458
459 /* add kerberos keys (if any) */
460
461 if (pkb4) {
462 for (i=0; i < pkb4->num_keys; i++) {
463 if (!pkb4->keys[i].value) {
464 continue;
465 }
466 status = add_to_keytab_entries(mem_ctx, ctx, kvno,
467 name,
468 NULL,
469 pkb4->keys[i].keytype,
470 *pkb4->keys[i].value);
471 if (!NT_STATUS_IS_OK(status)) {
472 return status;
473 }
474 }
475 for (i=0; i < pkb4->num_old_keys; i++) {
476 if (!pkb4->old_keys[i].value) {
477 continue;
478 }
479 status = add_to_keytab_entries(mem_ctx, ctx, kvno - 1,
480 name,
481 NULL,
482 pkb4->old_keys[i].keytype,
483 *pkb4->old_keys[i].value);
484 if (!NT_STATUS_IS_OK(status)) {
485 return status;
486 }
487 }
488 for (i=0; i < pkb4->num_older_keys; i++) {
489 if (!pkb4->older_keys[i].value) {
490 continue;
491 }
492 status = add_to_keytab_entries(mem_ctx, ctx, kvno - 2,
493 name,
494 NULL,
495 pkb4->older_keys[i].keytype,
496 *pkb4->older_keys[i].value);
497 if (!NT_STATUS_IS_OK(status)) {
498 return status;
499 }
500 }
501 }
502
503 if (pkb3) {
504 for (i=0; i < pkb3->num_keys; i++) {
505 if (!pkb3->keys[i].value) {
506 continue;
507 }
508 status = add_to_keytab_entries(mem_ctx, ctx, kvno, name,
509 NULL,
510 pkb3->keys[i].keytype,
511 *pkb3->keys[i].value);
512 if (!NT_STATUS_IS_OK(status)) {
513 return status;
514 }
515 }
516 for (i=0; i < pkb3->num_old_keys; i++) {
517 if (!pkb3->old_keys[i].value) {
518 continue;
519 }
520 status = add_to_keytab_entries(mem_ctx, ctx, kvno - 1,
521 name,
522 NULL,
523 pkb3->old_keys[i].keytype,
524 *pkb3->old_keys[i].value);
525 if (!NT_STATUS_IS_OK(status)) {
526 return status;
527 }
528 }
529 }
530
531 if ((kvno < 0) && (kvno < pwd_history_len)) {
532 return status;
533 }
534
535 /* add password history */
536
537 /* skip first entry */
538 if (got_pwd) {
539 kvno--;
540 i = 1;
541 } else {
542 i = 0;
543 }
544
545 for (; i<pwd_history_len; i++) {
546 status = add_to_keytab_entries(mem_ctx, ctx, kvno--, name, NULL,
547 ENCTYPE_ARCFOUR_HMAC,
548 data_blob_talloc(mem_ctx, &pwd_history[i*16], 16));
549 if (!NT_STATUS_IS_OK(status)) {
550 break;
551 }
552 }
553
554 return status;
555 }
556
557 /****************************************************************
558 ****************************************************************/
559
560 static NTSTATUS keytab_process_objects(struct dssync_context *ctx,
561 TALLOC_CTX *mem_ctx,
562 struct drsuapi_DsReplicaObjectListItemEx *cur,
563 struct drsuapi_DsReplicaOIDMapping_Ctr *mapping_ctr)
564 {
565 NTSTATUS status = NT_STATUS_OK;
566 struct libnet_keytab_context *keytab_ctx =
567 (struct libnet_keytab_context *)ctx->private_data;
568
569 for (; cur; cur = cur->next_object) {
570 status = parse_object(mem_ctx, keytab_ctx, cur);
571 if (!NT_STATUS_IS_OK(status)) {
572 goto out;
573 }
574 }
575
576 out:
577 return status;
578 }
579
580 #else
581
582 static NTSTATUS keytab_startup(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
583 struct replUpToDateVectorBlob **pold_utdv)
584 {
585 return NT_STATUS_NOT_SUPPORTED;
586 }
587
588 static NTSTATUS keytab_finish(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
589 struct replUpToDateVectorBlob *new_utdv)
590 {
591 return NT_STATUS_NOT_SUPPORTED;
592 }
593
594 static NTSTATUS keytab_process_objects(struct dssync_context *ctx,
595 TALLOC_CTX *mem_ctx,
596 struct drsuapi_DsReplicaObjectListItemEx *cur,
597 struct drsuapi_DsReplicaOIDMapping_Ctr *mapping_ctr)
598 {
599 return NT_STATUS_NOT_SUPPORTED;
600 }
601 #endif /* defined(HAVE_ADS) && defined(ENCTYPE_ARCFOUR_HMAC) */
602
603 const struct dssync_ops libnet_dssync_keytab_ops = {
604 .startup = keytab_startup,
605 .process_objects = keytab_process_objects,
606 .finish = keytab_finish,
607 };
Samba GIT mirror