3 * DCERPC Server functions
4 * Copyright (C) Simo Sorce 2010.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "rpc_server/dcesrv_gssapi.h"
23 #include "../librpc/gen_ndr/ndr_krb5pac.h"
24 #include "librpc/crypto/gse.h"
27 NTSTATUS
gssapi_server_auth_start(TALLOC_CTX
*mem_ctx
,
33 struct gse_context
**ctx
)
35 struct gse_context
*gse_ctx
= NULL
;
36 uint32_t add_flags
= 0;
40 add_flags
= GSS_C_DCE_STYLE
;
43 /* Let's init the gssapi machinery for this connection */
44 /* passing a NULL server name means the server will try
45 * to accept any connection regardless of the name used as
46 * long as it can find a decryption key */
47 /* by passing NULL, the code will attempt to set a default
48 * keytab based on configuration options */
49 status
= gse_init_server(mem_ctx
, do_sign
, do_seal
,
50 add_flags
, NULL
, &gse_ctx
);
51 if (!NT_STATUS_IS_OK(status
)) {
52 DEBUG(0, ("Failed to init dcerpc gssapi server (%s)\n",
57 status
= gse_get_server_auth_token(mem_ctx
, gse_ctx
,
59 if (!NT_STATUS_IS_OK(status
)) {
60 DEBUG(0, ("Failed to parse initial client token (%s)\n",
66 status
= NT_STATUS_OK
;
69 if (!NT_STATUS_IS_OK(status
)) {
76 NTSTATUS
gssapi_server_step(struct gse_context
*gse_ctx
,
83 status
= gse_get_server_auth_token(mem_ctx
, gse_ctx
,
85 if (!NT_STATUS_IS_OK(status
)) {
89 if (gse_require_more_processing(gse_ctx
)) {
90 /* ask for next leg */
91 return NT_STATUS_MORE_PROCESSING_REQUIRED
;
97 NTSTATUS
gssapi_server_check_flags(struct gse_context
*gse_ctx
)
99 return gse_verify_server_auth_flags(gse_ctx
);
102 NTSTATUS
gssapi_server_get_user_info(struct gse_context
*gse_ctx
,
104 struct client_address
*client_id
,
105 struct auth_serversupplied_info
**server_info
)
110 struct PAC_DATA
*pac_data
;
111 struct PAC_LOGON_INFO
*logon_info
= NULL
;
112 enum ndr_err_code ndr_err
;
123 tmp_ctx
= talloc_new(mem_ctx
);
125 return NT_STATUS_NO_MEMORY
;
128 status
= gse_get_pac_blob(gse_ctx
, tmp_ctx
, &pac
);
129 if (NT_STATUS_EQUAL(status
, NT_STATUS_NOT_FOUND
)) {
130 /* TODO: Fetch user by principal name ? */
131 status
= NT_STATUS_ACCESS_DENIED
;
134 if (!NT_STATUS_IS_OK(status
)) {
138 pac_data
= talloc_zero(tmp_ctx
, struct PAC_DATA
);
140 status
= NT_STATUS_NO_MEMORY
;
144 ndr_err
= ndr_pull_struct_blob(&pac
, pac_data
, pac_data
,
145 (ndr_pull_flags_fn_t
)ndr_pull_PAC_DATA
);
146 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
147 DEBUG(1, ("Failed to parse the PAC for %s\n", princ_name
));
148 status
= ndr_map_error2ntstatus(ndr_err
);
152 /* get logon name and logon info */
153 for (i
= 0; i
< pac_data
->num_buffers
; i
++) {
154 struct PAC_BUFFER
*data_buf
= &pac_data
->buffers
[i
];
156 switch (data_buf
->type
) {
157 case PAC_TYPE_LOGON_INFO
:
158 if (!data_buf
->info
) {
161 logon_info
= data_buf
->info
->logon_info
.info
;
168 DEBUG(1, ("Invalid PAC data, missing logon info!\n"));
169 status
= NT_STATUS_NOT_FOUND
;
173 /* TODO: Should we check princ_name against account_name in
174 * logon_name ? Are they supposed to be identical, or can an
175 * account_name be different from the UPN ? */
177 status
= get_user_from_kerberos_info(tmp_ctx
, client_id
->name
,
178 princ_name
, logon_info
,
179 &is_mapped
, &is_guest
,
182 if (!NT_STATUS_IS_OK(status
)) {
183 DEBUG(1, ("Failed to map kerberos principal to system user "
184 "(%s)\n", nt_errstr(status
)));
185 status
= NT_STATUS_ACCESS_DENIED
;
189 /* TODO: save PAC data in netsamlogon cache ? */
191 status
= make_server_info_krb5(mem_ctx
,
192 ntuser
, ntdomain
, username
, pw
,
193 logon_info
, is_guest
, server_info
);
194 if (!NT_STATUS_IS_OK(status
)) {
195 DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
197 status
= NT_STATUS_ACCESS_DENIED
;
201 DEBUG(5, (__location__
"OK: user: %s domain: %s client: %s\n",
202 ntuser
, ntdomain
, client_id
->name
));
204 status
= NT_STATUS_OK
;
207 TALLOC_FREE(tmp_ctx
);