search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
kdc: Add TODO to remind us where we need to hook for RODC to get secrets
[Samba.git] / source4 / kdc / db-glue.c
blobad522843b6c2822347f77fa124c341ace859140e
1 /*
2 Unix SMB/CIFS implementation.
3
4 Database Glue between Samba and the KDC
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
7 Copyright (C) Simo Sorce <idra@samba.org> 2010
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "libcli/security/security.h"
26 #include "auth/auth.h"
27 #include "auth/auth_sam.h"
28 #include "dsdb/samdb/samdb.h"
29 #include "dsdb/common/util.h"
30 #include "librpc/gen_ndr/ndr_drsblobs.h"
31 #include "param/param.h"
32 #include "../lib/crypto/md4.h"
33 #include "system/kerberos.h"
34 #include "auth/kerberos/kerberos.h"
35 #include <hdb.h>
36 #include "kdc/samba_kdc.h"
37 #include "kdc/kdc-glue.h"
38 #include "kdc/db-glue.h"
39
40 #define SAMBA_KVNO_GET_KRBTGT(kvno) \
41 ((uint16_t)(((uint32_t)kvno) >> 16))
42
43 #define SAMBA_KVNO_AND_KRBTGT(kvno, krbtgt) \
44 ((krb5_kvno)((((uint32_t)kvno) & 0xFFFF) | \
45 ((((uint32_t)krbtgt) << 16) & 0xFFFF0000)))
46
47 enum samba_kdc_ent_type
48 { SAMBA_KDC_ENT_TYPE_CLIENT, SAMBA_KDC_ENT_TYPE_SERVER,
49 SAMBA_KDC_ENT_TYPE_KRBTGT, SAMBA_KDC_ENT_TYPE_TRUST, SAMBA_KDC_ENT_TYPE_ANY };
50
51 enum trust_direction {
52 UNKNOWN = 0,
53 INBOUND = LSA_TRUST_DIRECTION_INBOUND,
54 OUTBOUND = LSA_TRUST_DIRECTION_OUTBOUND
55 };
56
57 static const char *trust_attrs[] = {
58 "trustPartner",
59 "trustAuthIncoming",
60 "trustAuthOutgoing",
61 "whenCreated",
62 "msDS-SupportedEncryptionTypes",
63 "trustAttributes",
64 "trustDirection",
65 "trustType",
66 NULL
67 };
68
69
70 static KerberosTime ldb_msg_find_krb5time_ldap_time(struct ldb_message *msg, const char *attr, KerberosTime default_val)
71 {
72 const char *tmp;
73 const char *gentime;
74 struct tm tm;
75
76 gentime = ldb_msg_find_attr_as_string(msg, attr, NULL);
77 if (!gentime)
78 return default_val;
79
80 tmp = strptime(gentime, "%Y%m%d%H%M%SZ", &tm);
81 if (tmp == NULL) {
82 return default_val;
83 }
84
85 return timegm(&tm);
86 }
87
88 static HDBFlags uf2HDBFlags(krb5_context context, uint32_t userAccountControl, enum samba_kdc_ent_type ent_type)
89 {
90 HDBFlags flags = int2HDBFlags(0);
91
92 /* we don't allow kadmin deletes */
93 flags.immutable = 1;
94
95 /* mark the principal as invalid to start with */
96 flags.invalid = 1;
97
98 flags.renewable = 1;
99
100 /* All accounts are servers, but this may be disabled again in the caller */
101 flags.server = 1;
102
103 /* Account types - clear the invalid bit if it turns out to be valid */
104 if (userAccountControl & UF_NORMAL_ACCOUNT) {
105 if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT || ent_type == SAMBA_KDC_ENT_TYPE_ANY) {
106 flags.client = 1;
107 }
108 flags.invalid = 0;
109 }
110
111 if (userAccountControl & UF_INTERDOMAIN_TRUST_ACCOUNT) {
112 if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT || ent_type == SAMBA_KDC_ENT_TYPE_ANY) {
113 flags.client = 1;
114 }
115 flags.invalid = 0;
116 }
117 if (userAccountControl & UF_WORKSTATION_TRUST_ACCOUNT) {
118 if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT || ent_type == SAMBA_KDC_ENT_TYPE_ANY) {
119 flags.client = 1;
120 }
121 flags.invalid = 0;
122 }
123 if (userAccountControl & UF_SERVER_TRUST_ACCOUNT) {
124 if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT || ent_type == SAMBA_KDC_ENT_TYPE_ANY) {
125 flags.client = 1;
126 }
127 flags.invalid = 0;
128 }
129
130 /* Not permitted to act as a client if disabled */
131 if (userAccountControl & UF_ACCOUNTDISABLE) {
132 flags.client = 0;
133 }
134 if (userAccountControl & UF_LOCKOUT) {
135 flags.locked_out = 1;
136 }
137 /*
138 if (userAccountControl & UF_PASSWORD_NOTREQD) {
139 flags.invalid = 1;
140 }
141 */
142 /*
143 UF_PASSWORD_CANT_CHANGE and UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED are irrelevent
144 */
145 if (userAccountControl & UF_TEMP_DUPLICATE_ACCOUNT) {
146 flags.invalid = 1;
147 }
148
149 /* UF_DONT_EXPIRE_PASSWD and UF_USE_DES_KEY_ONLY handled in samba_kdc_message2entry() */
150
151 /*
152 if (userAccountControl & UF_MNS_LOGON_ACCOUNT) {
153 flags.invalid = 1;
154 }
155 */
156 if (userAccountControl & UF_SMARTCARD_REQUIRED) {
157 flags.require_hwauth = 1;
158 }
159 if (userAccountControl & UF_TRUSTED_FOR_DELEGATION) {
160 flags.ok_as_delegate = 1;
161 }
162 if (userAccountControl & UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION) {
163 /*
164 * this is confusing...
165 *
166 * UF_TRUSTED_FOR_DELEGATION
167 * => ok_as_delegate
168 *
169 * and
170 *
171 * UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
172 * => trusted_for_delegation
173 */
174 flags.trusted_for_delegation = 1;
175 }
176 if (!(userAccountControl & UF_NOT_DELEGATED)) {
177 flags.forwardable = 1;
178 flags.proxiable = 1;
179 }
180
181 if (userAccountControl & UF_DONT_REQUIRE_PREAUTH) {
182 flags.require_preauth = 0;
183 } else {
184 flags.require_preauth = 1;
185
186 }
187 return flags;
188 }
189
190 static int samba_kdc_entry_destructor(struct samba_kdc_entry *p)
191 {
192 hdb_entry_ex *entry_ex = p->entry_ex;
193 free_hdb_entry(&entry_ex->entry);
194 return 0;
195 }
196
197 static void samba_kdc_free_entry(krb5_context context, hdb_entry_ex *entry_ex)
198 {
199 /* this function is called only from hdb_free_entry().
200 * Make sure we neutralize the destructor or we will
201 * get a double free later when hdb_free_entry() will
202 * try to call free_hdb_entry() */
203 talloc_set_destructor(entry_ex->ctx, NULL);
204
205 /* now proceed to free the talloc part */
206 talloc_free(entry_ex->ctx);
207 }
208
209 static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
210 struct samba_kdc_db_context *kdc_db_ctx,
211 TALLOC_CTX *mem_ctx,
212 struct ldb_message *msg,
213 uint32_t rid,
214 bool is_rodc,
215 uint32_t userAccountControl,
216 enum samba_kdc_ent_type ent_type,
217 hdb_entry_ex *entry_ex)
218 {
219 krb5_error_code ret = 0;
220 enum ndr_err_code ndr_err;
221 struct samr_Password *hash;
222 const struct ldb_val *sc_val;
223 struct supplementalCredentialsBlob scb;
224 struct supplementalCredentialsPackage *scpk = NULL;
225 bool newer_keys = false;
226 struct package_PrimaryKerberosBlob _pkb;
227 struct package_PrimaryKerberosCtr3 *pkb3 = NULL;
228 struct package_PrimaryKerberosCtr4 *pkb4 = NULL;
229 uint16_t i;
230 uint16_t allocated_keys = 0;
231 int rodc_krbtgt_number = 0;
232 int kvno = 0;
233 uint32_t supported_enctypes
234 = ldb_msg_find_attr_as_uint(msg,
235 "msDS-SupportedEncryptionTypes",
236 0);
237
238 if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
239 /* KDCs (and KDCs on RODCs) use AES */
240 supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
241 } else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) {
242 /* DCs and RODCs comptuer accounts use AES */
243 supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
244 } else if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT ||
245 (ent_type == SAMBA_KDC_ENT_TYPE_ANY)) {
246 /* for AS-REQ the client chooses the enc types it
247 * supports, and this will vary between computers a
248 * user logs in from.
249 *
250 * likewise for 'any' return as much as is supported,
251 * to export into a keytab */
252 supported_enctypes = ENC_ALL_TYPES;
253 }
254
255 /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
256 if (userAccountControl & UF_USE_DES_KEY_ONLY) {
257 supported_enctypes = ENC_CRC32|ENC_RSA_MD5;
258 } else {
259 /* Otherwise, add in the default enc types */
260 supported_enctypes |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
261 }
262
263 /* Is this the krbtgt or a RODC krbtgt */
264 if (is_rodc) {
265 rodc_krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1);
266
267 if (rodc_krbtgt_number == -1) {
268 return EINVAL;
269 }
270 }
271
272 entry_ex->entry.keys.val = NULL;
273 entry_ex->entry.keys.len = 0;
274
275 kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0);
276 if (is_rodc) {
277 kvno = SAMBA_KVNO_AND_KRBTGT(kvno, rodc_krbtgt_number);
278 }
279 entry_ex->entry.kvno = kvno;
280
281 /* Get keys from the db */
282
283 hash = samdb_result_hash(mem_ctx, msg, "unicodePwd");
284 sc_val = ldb_msg_find_ldb_val(msg, "supplementalCredentials");
285
286 /* unicodePwd for enctype 0x17 (23) if present */
287 if (hash) {
288 allocated_keys++;
289 }
290
291 /* supplementalCredentials if present */
292 if (sc_val) {
293 ndr_err = ndr_pull_struct_blob_all(sc_val, mem_ctx, &scb,
294 (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
295 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
296 dump_data(0, sc_val->data, sc_val->length);
297 ret = EINVAL;
298 goto out;
299 }
300
301 if (scb.sub.signature != SUPPLEMENTAL_CREDENTIALS_SIGNATURE) {
302 NDR_PRINT_DEBUG(supplementalCredentialsBlob, &scb);
303 ret = EINVAL;
304 goto out;
305 }
306
307 for (i=0; i < scb.sub.num_packages; i++) {
308 if (strcmp("Primary:Kerberos-Newer-Keys", scb.sub.packages[i].name) == 0) {
309 scpk = &scb.sub.packages[i];
310 if (!scpk->data || !scpk->data[0]) {
311 scpk = NULL;
312 continue;
313 }
314 newer_keys = true;
315 break;
316 } else if (strcmp("Primary:Kerberos", scb.sub.packages[i].name) == 0) {
317 scpk = &scb.sub.packages[i];
318 if (!scpk->data || !scpk->data[0]) {
319 scpk = NULL;
320 }
321 /*
322 * we don't break here in hope to find
323 * a Kerberos-Newer-Keys package
324 */
325 }
326 }
327 }
328 /*
329 * Primary:Kerberos-Newer-Keys or Primary:Kerberos element
330 * of supplementalCredentials
331 */
332 if (scpk) {
333 DATA_BLOB blob;
334
335 blob = strhex_to_data_blob(mem_ctx, scpk->data);
336 if (!blob.data) {
337 ret = ENOMEM;
338 goto out;
339 }
340
341 /* we cannot use ndr_pull_struct_blob_all() here, as w2k and w2k3 add padding bytes */
342 ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, &_pkb,
343 (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
344 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
345 ret = EINVAL;
346 krb5_set_error_message(context, ret, "samba_kdc_message2entry_keys: could not parse package_PrimaryKerberosBlob");
347 krb5_warnx(context, "samba_kdc_message2entry_keys: could not parse package_PrimaryKerberosBlob");
348 goto out;
349 }
350
351 if (newer_keys && _pkb.version != 4) {
352 ret = EINVAL;
353 krb5_set_error_message(context, ret, "samba_kdc_message2entry_keys: Primary:Kerberos-Newer-Keys not version 4");
354 krb5_warnx(context, "samba_kdc_message2entry_keys: Primary:Kerberos-Newer-Keys not version 4");
355 goto out;
356 }
357
358 if (!newer_keys && _pkb.version != 3) {
359 ret = EINVAL;
360 krb5_set_error_message(context, ret, "samba_kdc_message2entry_keys: could not parse Primary:Kerberos not version 3");
361 krb5_warnx(context, "samba_kdc_message2entry_keys: could not parse Primary:Kerberos not version 3");
362 goto out;
363 }
364
365 if (_pkb.version == 4) {
366 pkb4 = &_pkb.ctr.ctr4;
367 allocated_keys += pkb4->num_keys;
368 } else if (_pkb.version == 3) {
369 pkb3 = &_pkb.ctr.ctr3;
370 allocated_keys += pkb3->num_keys;
371 }
372 }
373
374 if (allocated_keys == 0) {
375 if (kdc_db_ctx->rodc) {
376 /* We are on an RODC, but don't have keys for this account. Signal this to the caller */
377 /* TODO: We need to call a generalised version of auth_sam_trigger_repl_secret from here */
378 return HDB_ERR_NOT_FOUND_HERE;
379 }
380
381 /* oh, no password. Apparently (comment in
382 * hdb-ldap.c) this violates the ASN.1, but this
383 * allows an entry with no keys (yet). */
384 return 0;
385 }
386
387 /* allocate space to decode into */
388 entry_ex->entry.keys.len = 0;
389 entry_ex->entry.keys.val = calloc(allocated_keys, sizeof(Key));
390 if (entry_ex->entry.keys.val == NULL) {
391 ret = ENOMEM;
392 goto out;
393 }
394
395 if (hash && (supported_enctypes & ENC_RC4_HMAC_MD5)) {
396 Key key;
397
398 key.mkvno = 0;
399 key.salt = NULL; /* No salt for this enc type */
400
401 ret = krb5_keyblock_init(context,
402 ENCTYPE_ARCFOUR_HMAC,
403 hash->hash, sizeof(hash->hash),
404 &key.key);
405 if (ret) {
406 goto out;
407 }
408
409 entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
410 entry_ex->entry.keys.len++;
411 }
412
413 if (pkb4) {
414 for (i=0; i < pkb4->num_keys; i++) {
415 Key key;
416
417 if (!pkb4->keys[i].value) continue;
418
419 if (!(kerberos_enctype_to_bitmap(pkb4->keys[i].keytype) & supported_enctypes)) {
420 continue;
421 }
422
423 key.mkvno = 0;
424 key.salt = NULL;
425
426 if (pkb4->salt.string) {
427 DATA_BLOB salt;
428
429 salt = data_blob_string_const(pkb4->salt.string);
430
431 key.salt = calloc(1, sizeof(*key.salt));
432 if (key.salt == NULL) {
433 ret = ENOMEM;
434 goto out;
435 }
436
437 key.salt->type = hdb_pw_salt;
438
439 ret = krb5_data_copy(&key.salt->salt, salt.data, salt.length);
440 if (ret) {
441 free(key.salt);
442 key.salt = NULL;
443 goto out;
444 }
445 }
446
447 /* TODO: maybe pass the iteration_count somehow... */
448
449 ret = krb5_keyblock_init(context,
450 pkb4->keys[i].keytype,
451 pkb4->keys[i].value->data,
452 pkb4->keys[i].value->length,
453 &key.key);
454 if (ret == KRB5_PROG_ETYPE_NOSUPP) {
455 DEBUG(2,("Unsupported keytype ignored - type %u\n",
456 pkb4->keys[i].keytype));
457 ret = 0;
458 continue;
459 }
460 if (ret) {
461 if (key.salt) {
462 free_Salt(key.salt);
463 free(key.salt);
464 key.salt = NULL;
465 }
466 goto out;
467 }
468
469 entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
470 entry_ex->entry.keys.len++;
471 }
472 } else if (pkb3) {
473 for (i=0; i < pkb3->num_keys; i++) {
474 Key key;
475
476 if (!pkb3->keys[i].value) continue;
477
478 if (!(kerberos_enctype_to_bitmap(pkb3->keys[i].keytype) & supported_enctypes)) {
479 continue;
480 }
481
482 key.mkvno = 0;
483 key.salt = NULL;
484
485 if (pkb3->salt.string) {
486 DATA_BLOB salt;
487
488 salt = data_blob_string_const(pkb3->salt.string);
489
490 key.salt = calloc(1, sizeof(*key.salt));
491 if (key.salt == NULL) {
492 ret = ENOMEM;
493 goto out;
494 }
495
496 key.salt->type = hdb_pw_salt;
497
498 ret = krb5_data_copy(&key.salt->salt, salt.data, salt.length);
499 if (ret) {
500 free(key.salt);
501 key.salt = NULL;
502 goto out;
503 }
504 }
505
506 ret = krb5_keyblock_init(context,
507 pkb3->keys[i].keytype,
508 pkb3->keys[i].value->data,
509 pkb3->keys[i].value->length,
510 &key.key);
511 if (ret) {
512 if (key.salt) {
513 free_Salt(key.salt);
514 free(key.salt);
515 key.salt = NULL;
516 }
517 goto out;
518 }
519
520 entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
521 entry_ex->entry.keys.len++;
522 }
523 }
524
525 out:
526 if (ret != 0) {
527 entry_ex->entry.keys.len = 0;
528 }
529 if (entry_ex->entry.keys.len == 0 && entry_ex->entry.keys.val) {
530 free(entry_ex->entry.keys.val);
531 entry_ex->entry.keys.val = NULL;
532 }
533 return ret;
534 }
535
536 /*
537 * Construct an hdb_entry from a directory entry.
538 */
539 static krb5_error_code samba_kdc_message2entry(krb5_context context,
540 struct samba_kdc_db_context *kdc_db_ctx,
541 TALLOC_CTX *mem_ctx, krb5_const_principal principal,
542 enum samba_kdc_ent_type ent_type,
543 unsigned flags,
544 struct ldb_dn *realm_dn,
545 struct ldb_message *msg,
546 hdb_entry_ex *entry_ex)
547 {
548 struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
549 uint32_t userAccountControl;
550 uint32_t msDS_User_Account_Control_Computed;
551 unsigned int i;
552 krb5_error_code ret = 0;
553 krb5_boolean is_computer = FALSE;
554
555 struct samba_kdc_entry *p;
556 NTTIME acct_expiry;
557 NTSTATUS status;
558
559 uint32_t rid;
560 bool is_rodc = false;
561 struct ldb_message_element *objectclasses;
562 struct ldb_val computer_val;
563 const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
564 computer_val.data = discard_const_p(uint8_t,"computer");
565 computer_val.length = strlen((const char *)computer_val.data);
566
567 if (ldb_msg_find_element(msg, "msDS-SecondaryKrbTgtNumber")) {
568 is_rodc = true;
569 }
570
571 if (!samAccountName) {
572 ret = ENOENT;
573 krb5_set_error_message(context, ret, "samba_kdc_message2entry: no samAccountName present");
574 goto out;
575 }
576
577 objectclasses = ldb_msg_find_element(msg, "objectClass");
578
579 if (objectclasses && ldb_msg_find_val(objectclasses, &computer_val)) {
580 is_computer = TRUE;
581 }
582
583 memset(entry_ex, 0, sizeof(*entry_ex));
584
585 p = talloc(mem_ctx, struct samba_kdc_entry);
586 if (!p) {
587 ret = ENOMEM;
588 goto out;
589 }
590
591 p->kdc_db_ctx = kdc_db_ctx;
592 p->entry_ex = entry_ex;
593 p->realm_dn = talloc_reference(p, realm_dn);
594 if (!p->realm_dn) {
595 ret = ENOMEM;
596 goto out;
597 }
598
599 talloc_set_destructor(p, samba_kdc_entry_destructor);
600
601 /* make sure we do not have bogus data in there */
602 memset(&entry_ex->entry, 0, sizeof(hdb_entry));
603
604 entry_ex->ctx = p;
605 entry_ex->free_entry = samba_kdc_free_entry;
606
607 userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
608
609 msDS_User_Account_Control_Computed
610 = ldb_msg_find_attr_as_uint(msg,
611 "msDS-User-Account-Control-Computed",
612 UF_ACCOUNTDISABLE);
613
614 /*
615 * This brings in the lockout flag, block the account if not
616 * found. We need the weird UF_ACCOUNTDISABLE check because
617 * we do not want to fail open if the value is not returned,
618 * but 0 is a valid value (all OK)
619 */
620 if (msDS_User_Account_Control_Computed == UF_ACCOUNTDISABLE) {
621 ret = EINVAL;
622 krb5_set_error_message(context, ret, "samba_kdc_message2entry: "
623 "no msDS-User-Account-Control-Computed present");
624 goto out;
625 } else {
626 userAccountControl |= msDS_User_Account_Control_Computed;
627 }
628
629 /*
630 * If we are set to canonicalize, we get back the fixed UPPER
631 * case realm, and the real username (ie matching LDAP
632 * samAccountName)
633 *
634 * Otherwise, if we are set to enterprise, we
635 * get back the whole principal as-sent
636 *
637 * Finally, if we are not set to canonicalize, we get back the
638 * fixed UPPER case realm, but the as-sent username
639 */
640
641 entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal)));
642 if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
643 krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
644 } else if (flags & HDB_F_CANON) {
645 krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
646 } else {
647 ret = copy_Principal(principal, entry_ex->entry.principal);
648 if (ret) {
649 krb5_clear_error_message(context);
650 goto out;
651 }
652
653 if (principal->name.name_type != KRB5_NT_ENTERPRISE_PRINCIPAL) {
654 /* While we have copied the client principal, tests
655 * show that Win2k3 returns the 'corrected' realm, not
656 * the client-specified realm. This code attempts to
657 * replace the client principal's realm with the one
658 * we determine from our records */
659
660 /* this has to be with malloc() */
661 krb5_principal_set_realm(context, entry_ex->entry.principal, lpcfg_realm(lp_ctx));
662 }
663 }
664
665 /* First try and figure out the flags based on the userAccountControl */
666 entry_ex->entry.flags = uf2HDBFlags(context, userAccountControl, ent_type);
667
668 /* Windows 2008 seems to enforce this (very sensible) rule by
669 * default - don't allow offline attacks on a user's password
670 * by asking for a ticket to them as a service (encrypted with
671 * their probably patheticly insecure password) */
672
673 if (entry_ex->entry.flags.server
674 && lpcfg_parm_bool(lp_ctx, NULL, "kdc", "require spn for service", true)) {
675 if (!is_computer && !ldb_msg_find_attr_as_string(msg, "servicePrincipalName", NULL)) {
676 entry_ex->entry.flags.server = 0;
677 }
678 }
679
680 if (flags & HDB_F_ADMIN_DATA) {
681 /* These (created_by, modified_by) parts of the entry are not relevant for Samba4's use
682 * of the Heimdal KDC. They are stored in a the traditional
683 * DB for audit purposes, and still form part of the structure
684 * we must return */
685
686 /* use 'whenCreated' */
687 entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0);
688 /* use 'kadmin' for now (needed by mit_samba) */
689 krb5_make_principal(context,
690 &entry_ex->entry.created_by.principal,
691 lpcfg_realm(lp_ctx), "kadmin", NULL);
692
693 entry_ex->entry.modified_by = (Event *) malloc(sizeof(Event));
694 if (entry_ex->entry.modified_by == NULL) {
695 ret = ENOMEM;
696 krb5_set_error_message(context, ret, "malloc: out of memory");
697 goto out;
698 }
699
700 /* use 'whenChanged' */
701 entry_ex->entry.modified_by->time = ldb_msg_find_krb5time_ldap_time(msg, "whenChanged", 0);
702 /* use 'kadmin' for now (needed by mit_samba) */
703 krb5_make_principal(context,
704 &entry_ex->entry.modified_by->principal,
705 lpcfg_realm(lp_ctx), "kadmin", NULL);
706 }
707
708
709 /* The lack of password controls etc applies to krbtgt by
710 * virtue of being that particular RID */
711 status = dom_sid_split_rid(NULL, samdb_result_dom_sid(mem_ctx, msg, "objectSid"), NULL, &rid);
712
713 if (!NT_STATUS_IS_OK(status)) {
714 ret = EINVAL;
715 goto out;
716 }
717
718 if (rid == DOMAIN_RID_KRBTGT) {
719 entry_ex->entry.valid_end = NULL;
720 entry_ex->entry.pw_end = NULL;
721
722 entry_ex->entry.flags.invalid = 0;
723 entry_ex->entry.flags.server = 1;
724
725 /* Don't mark all requests for the krbtgt/realm as
726 * 'change password', as otherwise we could get into
727 * trouble, and not enforce the password expirty.
728 * Instead, only do it when request is for the kpasswd service */
729 if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER
730 && principal->name.name_string.len == 2
731 && (strcmp(principal->name.name_string.val[0], "kadmin") == 0)
732 && (strcmp(principal->name.name_string.val[1], "changepw") == 0)
733 && lpcfg_is_my_domain_or_realm(lp_ctx, principal->realm)) {
734 entry_ex->entry.flags.change_pw = 1;
735 }
736 entry_ex->entry.flags.client = 0;
737 entry_ex->entry.flags.forwardable = 1;
738 entry_ex->entry.flags.ok_as_delegate = 1;
739 } else if (is_rodc) {
740 /* The RODC krbtgt account is like the main krbtgt,
741 * but it does not have a changepw or kadmin
742 * service */
743
744 entry_ex->entry.valid_end = NULL;
745 entry_ex->entry.pw_end = NULL;
746
747 /* Also don't allow the RODC krbtgt to be a client (it should not be needed) */
748 entry_ex->entry.flags.client = 0;
749 entry_ex->entry.flags.invalid = 0;
750 entry_ex->entry.flags.server = 1;
751
752 entry_ex->entry.flags.client = 0;
753 entry_ex->entry.flags.forwardable = 1;
754 entry_ex->entry.flags.ok_as_delegate = 0;
755 } else if (entry_ex->entry.flags.server && ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
756 /* The account/password expiry only applies when the account is used as a
757 * client (ie password login), not when used as a server */
758
759 /* Make very well sure we don't use this for a client,
760 * it could bypass the password restrictions */
761 entry_ex->entry.flags.client = 0;
762
763 entry_ex->entry.valid_end = NULL;
764 entry_ex->entry.pw_end = NULL;
765
766 } else {
767 NTTIME must_change_time
768 = samdb_result_force_password_change(kdc_db_ctx->samdb, mem_ctx,
769 realm_dn, msg);
770 if (must_change_time == 0x7FFFFFFFFFFFFFFFULL) {
771 entry_ex->entry.pw_end = NULL;
772 } else {
773 entry_ex->entry.pw_end = malloc(sizeof(*entry_ex->entry.pw_end));
774 if (entry_ex->entry.pw_end == NULL) {
775 ret = ENOMEM;
776 goto out;
777 }
778 *entry_ex->entry.pw_end = nt_time_to_unix(must_change_time);
779 }
780
781 acct_expiry = samdb_result_account_expires(msg);
782 if (acct_expiry == 0x7FFFFFFFFFFFFFFFULL) {
783 entry_ex->entry.valid_end = NULL;
784 } else {
785 entry_ex->entry.valid_end = malloc(sizeof(*entry_ex->entry.valid_end));
786 if (entry_ex->entry.valid_end == NULL) {
787 ret = ENOMEM;
788 goto out;
789 }
790 *entry_ex->entry.valid_end = nt_time_to_unix(acct_expiry);
791 }
792 }
793
794 entry_ex->entry.valid_start = NULL;
795
796 entry_ex->entry.max_life = malloc(sizeof(*entry_ex->entry.max_life));
797 if (entry_ex->entry.max_life == NULL) {
798 ret = ENOMEM;
799 goto out;
800 }
801
802 if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
803 *entry_ex->entry.max_life = kdc_db_ctx->policy.svc_tkt_lifetime;
804 } else if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT || ent_type == SAMBA_KDC_ENT_TYPE_CLIENT) {
805 *entry_ex->entry.max_life = kdc_db_ctx->policy.usr_tkt_lifetime;
806 } else {
807 *entry_ex->entry.max_life = MIN(kdc_db_ctx->policy.svc_tkt_lifetime,
808 kdc_db_ctx->policy.usr_tkt_lifetime);
809 }
810
811 entry_ex->entry.max_renew = malloc(sizeof(*entry_ex->entry.max_life));
812 if (entry_ex->entry.max_renew == NULL) {
813 ret = ENOMEM;
814 goto out;
815 }
816
817 *entry_ex->entry.max_renew = kdc_db_ctx->policy.renewal_lifetime;
818
819 entry_ex->entry.generation = NULL;
820
821 /* Get keys from the db */
822 ret = samba_kdc_message2entry_keys(context, kdc_db_ctx, p, msg,
823 rid, is_rodc, userAccountControl,
824 ent_type, entry_ex);
825 if (ret) {
826 /* Could be bougus data in the entry, or out of memory */
827 goto out;
828 }
829
830 entry_ex->entry.etypes = malloc(sizeof(*(entry_ex->entry.etypes)));
831 if (entry_ex->entry.etypes == NULL) {
832 krb5_clear_error_message(context);
833 ret = ENOMEM;
834 goto out;
835 }
836 entry_ex->entry.etypes->len = entry_ex->entry.keys.len;
837 entry_ex->entry.etypes->val = calloc(entry_ex->entry.etypes->len, sizeof(int));
838 if (entry_ex->entry.etypes->val == NULL) {
839 krb5_clear_error_message(context);
840 ret = ENOMEM;
841 goto out;
842 }
843 for (i=0; i < entry_ex->entry.etypes->len; i++) {
844 entry_ex->entry.etypes->val[i] = entry_ex->entry.keys.val[i].key.keytype;
845 }
846
847
848 p->msg = talloc_steal(p, msg);
849
850 out:
851 if (ret != 0) {
852 /* This doesn't free ent itself, that is for the eventual caller to do */
853 hdb_free_entry(context, entry_ex);
854 } else {
855 talloc_steal(kdc_db_ctx, entry_ex->ctx);
856 }
857
858 return ret;
859 }
860
861 /*
862 * Construct an hdb_entry from a directory entry.
863 * The kvno is what the remote client asked for
864 */
865 static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
866 struct samba_kdc_db_context *kdc_db_ctx,
867 TALLOC_CTX *mem_ctx, krb5_const_principal principal,
868 enum trust_direction direction,
869 struct ldb_dn *realm_dn,
870 unsigned flags,
871 uint32_t kvno,
872 struct ldb_message *msg,
873 hdb_entry_ex *entry_ex)
874 {
875 struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
876 const char *dnsdomain;
877 const char *realm = lpcfg_realm(lp_ctx);
878 DATA_BLOB password_utf16 = data_blob_null;
879 DATA_BLOB password_utf8 = data_blob_null;
880 struct samr_Password _password_hash;
881 const struct samr_Password *password_hash = NULL;
882 const struct ldb_val *password_val;
883 struct trustAuthInOutBlob password_blob;
884 struct samba_kdc_entry *p;
885 bool use_previous;
886 uint32_t current_kvno;
887 uint32_t num_keys = 0;
888 enum ndr_err_code ndr_err;
889 int ret, trust_direction_flags;
890 unsigned int i;
891 struct AuthenticationInformationArray *auth_array;
892 uint32_t supported_enctypes = ENC_RC4_HMAC_MD5;
893
894 if (dsdb_functional_level(kdc_db_ctx->samdb) >= DS_DOMAIN_FUNCTION_2008) {
895 supported_enctypes = ldb_msg_find_attr_as_uint(msg,
896 "msDS-SupportedEncryptionTypes",
897 supported_enctypes);
898 }
899
900 p = talloc(mem_ctx, struct samba_kdc_entry);
901 if (!p) {
902 ret = ENOMEM;
903 goto out;
904 }
905
906 p->kdc_db_ctx = kdc_db_ctx;
907 p->entry_ex = entry_ex;
908 p->realm_dn = realm_dn;
909
910 talloc_set_destructor(p, samba_kdc_entry_destructor);
911
912 /* make sure we do not have bogus data in there */
913 memset(&entry_ex->entry, 0, sizeof(hdb_entry));
914
915 entry_ex->ctx = p;
916 entry_ex->free_entry = samba_kdc_free_entry;
917
918 /* use 'whenCreated' */
919 entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0);
920 /* use 'kadmin' for now (needed by mit_samba) */
921 krb5_make_principal(context,
922 &entry_ex->entry.created_by.principal,
923 realm, "kadmin", NULL);
924
925 entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal)));
926 if (entry_ex->entry.principal == NULL) {
927 krb5_clear_error_message(context);
928 ret = ENOMEM;
929 goto out;
930 }
931
932 ret = copy_Principal(principal, entry_ex->entry.principal);
933 if (ret) {
934 krb5_clear_error_message(context);
935 goto out;
936 }
937
938 /*
939 * While we have copied the client principal, tests
940 * show that Win2k3 returns the 'corrected' realm, not
941 * the client-specified realm. This code attempts to
942 * replace the client principal's realm with the one
943 * we determine from our records
944 */
945
946 krb5_principal_set_realm(context, entry_ex->entry.principal, realm);
947
948 entry_ex->entry.valid_start = NULL;
949
950 trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
951
952 if (direction == INBOUND) {
953 password_val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
954
955 } else { /* OUTBOUND */
956 dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
957 /* replace realm */
958 realm = strupper_talloc(mem_ctx, dnsdomain);
959 password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
960 }
961
962 if (!password_val || !(trust_direction_flags & direction)) {
963 krb5_clear_error_message(context);
964 ret = HDB_ERR_NOENTRY;
965 goto out;
966 }
967
968 ndr_err = ndr_pull_struct_blob(password_val, mem_ctx, &password_blob,
969 (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
970 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
971 krb5_clear_error_message(context);
972 ret = EINVAL;
973 goto out;
974 }
975
976
977 /* we need to work out if we are going to use the current or
978 * the previous password hash.
979 * We base this on the kvno the client passes in. If the kvno
980 * passed in is equal to the current kvno in our database then
981 * we use the current structure. If it is the current kvno-1,
982 * then we use the previous substrucure.
983 */
984
985 /* first work out the current kvno */
986 current_kvno = 0;
987 for (i=0; i < password_blob.count; i++) {
988 if (password_blob.current.array[i].AuthType == TRUST_AUTH_TYPE_VERSION) {
989 current_kvno = password_blob.current.array[i].AuthInfo.version.version;
990 }
991 }
992
993 /* work out whether we will use the previous or current
994 password */
995 if (password_blob.previous.count == 0) {
996 /* there is no previous password */
997 use_previous = false;
998 } else if (!(flags & HDB_F_KVNO_SPECIFIED) ||
999 kvno == current_kvno) {
1000 use_previous = false;
1001 } else if ((kvno+1 == current_kvno) ||
1002 (kvno == 255 && current_kvno == 0)) {
1003 use_previous = true;
1004 } else {
1005 DEBUG(1,(__location__ ": Request for unknown kvno %u - current kvno is %u\n",
1006 kvno, current_kvno));
1007 krb5_clear_error_message(context);
1008 ret = HDB_ERR_NOENTRY;
1009 goto out;
1010 }
1011
1012 if (use_previous) {
1013 auth_array = &password_blob.previous;
1014 } else {
1015 auth_array = &password_blob.current;
1016 }
1017
1018 /* use the kvno the client specified, if available */
1019 if (flags & HDB_F_KVNO_SPECIFIED) {
1020 entry_ex->entry.kvno = kvno;
1021 } else {
1022 entry_ex->entry.kvno = current_kvno;
1023 }
1024
1025 for (i=0; i < auth_array->count; i++) {
1026 if (auth_array->array[i].AuthType == TRUST_AUTH_TYPE_CLEAR) {
1027 bool ok;
1028
1029 password_utf16 = data_blob_const(auth_array->array[i].AuthInfo.clear.password,
1030 auth_array->array[i].AuthInfo.clear.size);
1031 if (password_utf16.length == 0) {
1032 break;
1033 }
1034
1035 if (supported_enctypes & ENC_RC4_HMAC_MD5) {
1036 mdfour(_password_hash.hash, password_utf16.data, password_utf16.length);
1037 if (password_hash == NULL) {
1038 num_keys += 1;
1039 }
1040 password_hash = &_password_hash;
1041 }
1042
1043 if (!(supported_enctypes & (ENC_HMAC_SHA1_96_AES128|ENC_HMAC_SHA1_96_AES256))) {
1044 break;
1045 }
1046
1047 ok = convert_string_talloc(mem_ctx,
1048 CH_UTF16MUNGED, CH_UTF8,
1049 password_utf16.data,
1050 password_utf16.length,
1051 (void *)&password_utf8.data,
1052 &password_utf8.length);
1053 if (!ok) {
1054 krb5_clear_error_message(context);
1055 ret = ENOMEM;
1056 goto out;
1057 }
1058
1059 if (supported_enctypes & ENC_HMAC_SHA1_96_AES128) {
1060 num_keys += 1;
1061 }
1062 if (supported_enctypes & ENC_HMAC_SHA1_96_AES256) {
1063 num_keys += 1;
1064 }
1065 break;
1066 } else if (auth_array->array[i].AuthType == TRUST_AUTH_TYPE_NT4OWF) {
1067 if (supported_enctypes & ENC_RC4_HMAC_MD5) {
1068 password_hash = &auth_array->array[i].AuthInfo.nt4owf.password;
1069 num_keys += 1;
1070 }
1071 }
1072 }
1073
1074 /* Must have found a cleartext or MD4 password */
1075 if (num_keys == 0) {
1076 DEBUG(1,(__location__ ": no usable key found\n"));
1077 krb5_clear_error_message(context);
1078 ret = HDB_ERR_NOENTRY;
1079 goto out;
1080 }
1081
1082 entry_ex->entry.keys.val = calloc(num_keys, sizeof(Key));
1083 if (entry_ex->entry.keys.val == NULL) {
1084 krb5_clear_error_message(context);
1085 ret = ENOMEM;
1086 goto out;
1087 }
1088
1089 if (password_utf8.length != 0) {
1090 Key key = {};
1091 krb5_const_principal salt_principal = principal;
1092 krb5_salt salt;
1093 krb5_data cleartext_data;
1094
1095 cleartext_data.data = password_utf8.data;
1096 cleartext_data.length = password_utf8.length;
1097
1098 ret = krb5_get_pw_salt(context,
1099 salt_principal,
1100 &salt);
1101 if (ret != 0) {
1102 goto out;
1103 }
1104
1105 if (supported_enctypes & ENC_HMAC_SHA1_96_AES256) {
1106 ret = krb5_string_to_key_data_salt(context,
1107 ENCTYPE_AES256_CTS_HMAC_SHA1_96,
1108 cleartext_data,
1109 salt,
1110 &key.key);
1111 if (ret != 0) {
1112 krb5_free_salt(context, salt);
1113 goto out;
1114 }
1115
1116 entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
1117 entry_ex->entry.keys.len++;
1118 }
1119
1120 if (supported_enctypes & ENC_HMAC_SHA1_96_AES128) {
1121 ret = krb5_string_to_key_data_salt(context,
1122 ENCTYPE_AES128_CTS_HMAC_SHA1_96,
1123 cleartext_data,
1124 salt,
1125 &key.key);
1126 if (ret != 0) {
1127 krb5_free_salt(context, salt);
1128 goto out;
1129 }
1130
1131 entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
1132 entry_ex->entry.keys.len++;
1133 }
1134
1135 krb5_free_salt(context, salt);
1136 }
1137
1138 if (password_hash != NULL) {
1139 Key key = {};
1140
1141 ret = krb5_keyblock_init(context,
1142 ENCTYPE_ARCFOUR_HMAC,
1143 password_hash->hash,
1144 sizeof(password_hash->hash),
1145 &key.key);
1146 if (ret != 0) {
1147 goto out;
1148 }
1149
1150 entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
1151 entry_ex->entry.keys.len++;
1152 }
1153
1154 entry_ex->entry.flags = int2HDBFlags(0);
1155 entry_ex->entry.flags.immutable = 1;
1156 entry_ex->entry.flags.invalid = 0;
1157 entry_ex->entry.flags.server = 1;
1158 entry_ex->entry.flags.require_preauth = 1;
1159
1160 entry_ex->entry.pw_end = NULL;
1161
1162 entry_ex->entry.max_life = NULL;
1163
1164 entry_ex->entry.max_renew = NULL;
1165
1166 entry_ex->entry.generation = NULL;
1167
1168 entry_ex->entry.etypes = malloc(sizeof(*(entry_ex->entry.etypes)));
1169 if (entry_ex->entry.etypes == NULL) {
1170 krb5_clear_error_message(context);
1171 ret = ENOMEM;
1172 goto out;
1173 }
1174 entry_ex->entry.etypes->len = entry_ex->entry.keys.len;
1175 entry_ex->entry.etypes->val = calloc(entry_ex->entry.etypes->len, sizeof(int));
1176 if (entry_ex->entry.etypes->val == NULL) {
1177 krb5_clear_error_message(context);
1178 ret = ENOMEM;
1179 goto out;
1180 }
1181 for (i=0; i < entry_ex->entry.etypes->len; i++) {
1182 entry_ex->entry.etypes->val[i] = entry_ex->entry.keys.val[i].key.keytype;
1183 }
1184
1185
1186 p->msg = talloc_steal(p, msg);
1187
1188 out:
1189 if (ret != 0) {
1190 /* This doesn't free ent itself, that is for the eventual caller to do */
1191 hdb_free_entry(context, entry_ex);
1192 } else {
1193 talloc_steal(kdc_db_ctx, entry_ex->ctx);
1194 }
1195
1196 return ret;
1197
1198 }
1199
1200 static krb5_error_code samba_kdc_lookup_trust(krb5_context context, struct ldb_context *ldb_ctx,
1201 TALLOC_CTX *mem_ctx,
1202 const char *realm,
1203 struct ldb_dn *realm_dn,
1204 struct ldb_message **pmsg)
1205 {
1206 NTSTATUS status;
1207 const char * const *attrs = trust_attrs;
1208
1209 status = sam_get_results_trust(ldb_ctx,
1210 mem_ctx, realm, realm, attrs,
1211 pmsg);
1212 if (NT_STATUS_IS_OK(status)) {
1213 return 0;
1214 } else if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
1215 return HDB_ERR_NOENTRY;
1216 } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
1217 int ret = ENOMEM;
1218 krb5_set_error_message(context, ret, "get_sam_result_trust: out of memory");
1219 return ret;
1220 } else {
1221 int ret = EINVAL;
1222 krb5_set_error_message(context, ret, "get_sam_result_trust: %s", nt_errstr(status));
1223 return ret;
1224 }
1225 }
1226
1227 static krb5_error_code samba_kdc_lookup_client(krb5_context context,
1228 struct samba_kdc_db_context *kdc_db_ctx,
1229 TALLOC_CTX *mem_ctx,
1230 krb5_const_principal principal,
1231 const char **attrs,
1232 struct ldb_dn **realm_dn,
1233 struct ldb_message **msg) {
1234 NTSTATUS nt_status;
1235 char *principal_string;
1236
1237 if (principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
1238 principal_string = smb_krb5_principal_get_comp_string(mem_ctx, context,
1239 principal, 0);
1240 if (principal_string == NULL) {
1241 return ENOMEM;
1242 }
1243 nt_status = sam_get_results_principal(kdc_db_ctx->samdb,
1244 mem_ctx, principal_string, attrs,
1245 realm_dn, msg);
1246 TALLOC_FREE(principal_string);
1247 } else {
1248 krb5_error_code ret;
1249 ret = krb5_unparse_name(context, principal, &principal_string);
1250 if (ret != 0) {
1251 return ret;
1252 }
1253 nt_status = sam_get_results_principal(kdc_db_ctx->samdb,
1254 mem_ctx, principal_string, attrs,
1255 realm_dn, msg);
1256 free(principal_string);
1257 }
1258
1259 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
1260 return HDB_ERR_NOENTRY;
1261 } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
1262 return ENOMEM;
1263 } else if (!NT_STATUS_IS_OK(nt_status)) {
1264 return EINVAL;
1265 }
1266
1267 return 0;
1268 }
1269
1270 static krb5_error_code samba_kdc_fetch_client(krb5_context context,
1271 struct samba_kdc_db_context *kdc_db_ctx,
1272 TALLOC_CTX *mem_ctx,
1273 krb5_const_principal principal,
1274 unsigned flags,
1275 hdb_entry_ex *entry_ex) {
1276 struct ldb_dn *realm_dn;
1277 krb5_error_code ret;
1278 struct ldb_message *msg = NULL;
1279
1280 ret = samba_kdc_lookup_client(context, kdc_db_ctx,
1281 mem_ctx, principal, user_attrs,
1282 &realm_dn, &msg);
1283 if (ret != 0) {
1284 return ret;
1285 }
1286
1287 ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
1288 principal, SAMBA_KDC_ENT_TYPE_CLIENT,
1289 flags,
1290 realm_dn, msg, entry_ex);
1291 return ret;
1292 }
1293
1294 static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
1295 struct samba_kdc_db_context *kdc_db_ctx,
1296 TALLOC_CTX *mem_ctx,
1297 krb5_const_principal principal,
1298 unsigned flags,
1299 uint32_t kvno,
1300 hdb_entry_ex *entry_ex)
1301 {
1302 struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
1303 krb5_error_code ret;
1304 struct ldb_message *msg = NULL;
1305 struct ldb_dn *realm_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
1306
1307 krb5_principal alloc_principal = NULL;
1308 if (principal->name.name_string.len != 2
1309 || (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) != 0)) {
1310 /* Not a krbtgt */
1311 return HDB_ERR_NOENTRY;
1312 }
1313
1314 /* krbtgt case. Either us or a trusted realm */
1315
1316 if (lpcfg_is_my_domain_or_realm(lp_ctx, principal->realm)
1317 && lpcfg_is_my_domain_or_realm(lp_ctx, principal->name.name_string.val[1])) {
1318 /* us, or someone quite like us */
1319 /* Cludge, cludge cludge. If the realm part of krbtgt/realm,
1320 * is in our db, then direct the caller at our primary
1321 * krbtgt */
1322
1323 int lret;
1324 unsigned int krbtgt_number;
1325 /* w2k8r2 sometimes gives us a kvno of 255 for inter-domain
1326 trust tickets. We don't yet know what this means, but we do
1327 seem to need to treat it as unspecified */
1328 if (flags & HDB_F_KVNO_SPECIFIED) {
1329 krbtgt_number = SAMBA_KVNO_GET_KRBTGT(kvno);
1330 if (kdc_db_ctx->rodc) {
1331 if (krbtgt_number != kdc_db_ctx->my_krbtgt_number) {
1332 return HDB_ERR_NOT_FOUND_HERE;
1333 }
1334 }
1335 } else {
1336 krbtgt_number = kdc_db_ctx->my_krbtgt_number;
1337 }
1338
1339 if (krbtgt_number == kdc_db_ctx->my_krbtgt_number) {
1340 lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx,
1341 &msg, kdc_db_ctx->krbtgt_dn, LDB_SCOPE_BASE,
1342 krbtgt_attrs, DSDB_SEARCH_NO_GLOBAL_CATALOG,
1343 "(objectClass=user)");
1344 } else {
1345 /* We need to look up an RODC krbtgt (perhaps
1346 * ours, if we are an RODC, perhaps another
1347 * RODC if we are a read-write DC */
1348 lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx,
1349 &msg, realm_dn, LDB_SCOPE_SUBTREE,
1350 krbtgt_attrs,
1351 DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
1352 "(&(objectClass=user)(msDS-SecondaryKrbTgtNumber=%u))", (unsigned)(krbtgt_number));
1353 }
1354
1355 if (lret == LDB_ERR_NO_SUCH_OBJECT) {
1356 krb5_warnx(context, "samba_kdc_fetch: could not find KRBTGT number %u in DB!",
1357 (unsigned)(krbtgt_number));
1358 krb5_set_error_message(context, HDB_ERR_NOENTRY,
1359 "samba_kdc_fetch: could not find KRBTGT number %u in DB!",
1360 (unsigned)(krbtgt_number));
1361 return HDB_ERR_NOENTRY;
1362 } else if (lret != LDB_SUCCESS) {
1363 krb5_warnx(context, "samba_kdc_fetch: could not find KRBTGT number %u in DB!",
1364 (unsigned)(krbtgt_number));
1365 krb5_set_error_message(context, HDB_ERR_NOENTRY,
1366 "samba_kdc_fetch: could not find KRBTGT number %u in DB!",
1367 (unsigned)(krbtgt_number));
1368 return HDB_ERR_NOENTRY;
1369 }
1370
1371 /*
1372 * Windows seems to canonicalize the principal
1373 * in a TGS REP even if the client did not specify
1374 * the canonicalize flag.
1375 */
1376 if (flags & (HDB_F_CANON|HDB_F_FOR_TGS_REQ)) {
1377 ret = krb5_copy_principal(context, principal, &alloc_principal);
1378 if (ret) {
1379 return ret;
1380 }
1381
1382 /* When requested to do so, ensure that the
1383 * both realm values in the principal are set
1384 * to the upper case, canonical realm */
1385 free(alloc_principal->name.name_string.val[1]);
1386 alloc_principal->name.name_string.val[1] = strdup(lpcfg_realm(lp_ctx));
1387 if (!alloc_principal->name.name_string.val[1]) {
1388 ret = ENOMEM;
1389 krb5_set_error_message(context, ret, "samba_kdc_fetch: strdup() failed!");
1390 return ret;
1391 }
1392 principal = alloc_principal;
1393 }
1394
1395 ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
1396 principal, SAMBA_KDC_ENT_TYPE_KRBTGT,
1397 flags, realm_dn, msg, entry_ex);
1398 if (alloc_principal) {
1399 /* This is again copied in the message2entry call */
1400 krb5_free_principal(context, alloc_principal);
1401 }
1402 if (ret != 0) {
1403 krb5_warnx(context, "samba_kdc_fetch: self krbtgt message2entry failed");
1404 }
1405 return ret;
1406
1407 } else {
1408 enum trust_direction direction = UNKNOWN;
1409 const char *realm = NULL;
1410
1411 /* Either an inbound or outbound trust */
1412
1413 if (strcasecmp(lpcfg_realm(lp_ctx), principal->realm) == 0) {
1414 /* look for inbound trust */
1415 direction = INBOUND;
1416 realm = principal->name.name_string.val[1];
1417 } else if (strcasecmp(lpcfg_realm(lp_ctx), principal->name.name_string.val[1]) == 0) {
1418 /* look for outbound trust */
1419 direction = OUTBOUND;
1420 realm = principal->realm;
1421 } else {
1422 krb5_warnx(context, "samba_kdc_fetch: not our realm for trusts ('%s', '%s')",
1423 principal->realm, principal->name.name_string.val[1]);
1424 krb5_set_error_message(context, HDB_ERR_NOENTRY, "samba_kdc_fetch: not our realm for trusts ('%s', '%s')",
1425 principal->realm, principal->name.name_string.val[1]);
1426 return HDB_ERR_NOENTRY;
1427 }
1428
1429 /* Trusted domains are under CN=system */
1430
1431 ret = samba_kdc_lookup_trust(context, kdc_db_ctx->samdb,
1432 mem_ctx,
1433 realm, realm_dn, &msg);
1434
1435 if (ret != 0) {
1436 krb5_warnx(context, "samba_kdc_fetch: could not find principal in DB");
1437 krb5_set_error_message(context, ret, "samba_kdc_fetch: could not find principal in DB");
1438 return ret;
1439 }
1440
1441 ret = samba_kdc_trust_message2entry(context, kdc_db_ctx, mem_ctx,
1442 principal, direction,
1443 realm_dn, flags, kvno, msg, entry_ex);
1444 if (ret != 0) {
1445 krb5_warnx(context, "samba_kdc_fetch: trust_message2entry failed for %s",
1446 ldb_dn_get_linearized(msg->dn));
1447 krb5_set_error_message(context, ret, "samba_kdc_fetch: "
1448 "trust_message2entry failed for %s",
1449 ldb_dn_get_linearized(msg->dn));
1450 }
1451 return ret;
1452 }
1453
1454 }
1455
1456 static krb5_error_code samba_kdc_lookup_server(krb5_context context,
1457 struct samba_kdc_db_context *kdc_db_ctx,
1458 TALLOC_CTX *mem_ctx,
1459 krb5_const_principal principal,
1460 const char **attrs,
1461 struct ldb_dn **realm_dn,
1462 struct ldb_message **msg)
1463 {
1464 krb5_error_code ret;
1465 if (principal->name.name_string.len >= 2) {
1466 /* 'normal server' case */
1467 int ldb_ret;
1468 NTSTATUS nt_status;
1469 struct ldb_dn *user_dn;
1470 char *principal_string;
1471
1472 ret = krb5_unparse_name_flags(context, principal,
1473 KRB5_PRINCIPAL_UNPARSE_NO_REALM,
1474 &principal_string);
1475 if (ret != 0) {
1476 return ret;
1477 }
1478
1479 /* At this point we may find the host is known to be
1480 * in a different realm, so we should generate a
1481 * referral instead */
1482 nt_status = crack_service_principal_name(kdc_db_ctx->samdb,
1483 mem_ctx, principal_string,
1484 &user_dn, realm_dn);
1485 free(principal_string);
1486
1487 if (!NT_STATUS_IS_OK(nt_status)) {
1488 return HDB_ERR_NOENTRY;
1489 }
1490
1491 ldb_ret = dsdb_search_one(kdc_db_ctx->samdb,
1492 mem_ctx,
1493 msg, user_dn, LDB_SCOPE_BASE,
1494 attrs,
1495 DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
1496 "(objectClass=*)");
1497 if (ldb_ret != LDB_SUCCESS) {
1498 return HDB_ERR_NOENTRY;
1499 }
1500
1501 } else {
1502 int lret;
1503 char *short_princ;
1504 /* const char *realm; */
1505 /* server as client principal case, but we must not lookup userPrincipalNames */
1506 *realm_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
1507 /* realm = krb5_principal_get_realm(context, principal); */
1508
1509 /* TODO: Check if it is our realm, otherwise give referral */
1510
1511 ret = krb5_unparse_name_flags(context, principal, KRB5_PRINCIPAL_UNPARSE_NO_REALM, &short_princ);
1512
1513 if (ret != 0) {
1514 krb5_set_error_message(context, ret, "samba_kdc_lookup_principal: could not parse principal");
1515 krb5_warnx(context, "samba_kdc_lookup_principal: could not parse principal");
1516 return ret;
1517 }
1518
1519 lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx, msg,
1520 *realm_dn, LDB_SCOPE_SUBTREE,
1521 attrs,
1522 DSDB_SEARCH_SHOW_EXTENDED_DN | DSDB_SEARCH_NO_GLOBAL_CATALOG,
1523 "(&(objectClass=user)(samAccountName=%s))",
1524 ldb_binary_encode_string(mem_ctx, short_princ));
1525 if (lret == LDB_ERR_NO_SUCH_OBJECT) {
1526 DEBUG(3, ("Failed to find an entry for %s\n", short_princ));
1527 free(short_princ);
1528 return HDB_ERR_NOENTRY;
1529 }
1530 if (lret != LDB_SUCCESS) {
1531 DEBUG(3, ("Failed single search for %s - %s\n",
1532 short_princ, ldb_errstring(kdc_db_ctx->samdb)));
1533 free(short_princ);
1534 return HDB_ERR_NOENTRY;
1535 }
1536 free(short_princ);
1537 }
1538
1539 return 0;
1540 }
1541
1542 static krb5_error_code samba_kdc_fetch_server(krb5_context context,
1543 struct samba_kdc_db_context *kdc_db_ctx,
1544 TALLOC_CTX *mem_ctx,
1545 krb5_const_principal principal,
1546 unsigned flags,
1547 hdb_entry_ex *entry_ex)
1548 {
1549 krb5_error_code ret;
1550 struct ldb_dn *realm_dn;
1551 struct ldb_message *msg;
1552
1553 ret = samba_kdc_lookup_server(context, kdc_db_ctx, mem_ctx, principal,
1554 server_attrs, &realm_dn, &msg);
1555 if (ret != 0) {
1556 return ret;
1557 }
1558
1559 ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
1560 principal, SAMBA_KDC_ENT_TYPE_SERVER,
1561 flags,
1562 realm_dn, msg, entry_ex);
1563 if (ret != 0) {
1564 krb5_warnx(context, "samba_kdc_fetch: message2entry failed");
1565 }
1566
1567 return ret;
1568 }
1569
1570 krb5_error_code samba_kdc_fetch(krb5_context context,
1571 struct samba_kdc_db_context *kdc_db_ctx,
1572 krb5_const_principal principal,
1573 unsigned flags,
1574 krb5_kvno kvno,
1575 hdb_entry_ex *entry_ex)
1576 {
1577 krb5_error_code ret = HDB_ERR_NOENTRY;
1578 TALLOC_CTX *mem_ctx;
1579
1580 mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_fetch context");
1581 if (!mem_ctx) {
1582 ret = ENOMEM;
1583 krb5_set_error_message(context, ret, "samba_kdc_fetch: talloc_named() failed!");
1584 return ret;
1585 }
1586
1587 if (flags & HDB_F_GET_CLIENT) {
1588 ret = samba_kdc_fetch_client(context, kdc_db_ctx, mem_ctx, principal, flags, entry_ex);
1589 if (ret != HDB_ERR_NOENTRY) goto done;
1590 }
1591 if (flags & HDB_F_GET_SERVER) {
1592 /* krbtgt fits into this situation for trusted realms, and for resolving different versions of our own realm name */
1593 ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, flags, kvno, entry_ex);
1594 if (ret != HDB_ERR_NOENTRY) goto done;
1595
1596 /* We return 'no entry' if it does not start with krbtgt/, so move to the common case quickly */
1597 ret = samba_kdc_fetch_server(context, kdc_db_ctx, mem_ctx, principal, flags, entry_ex);
1598 if (ret != HDB_ERR_NOENTRY) goto done;
1599 }
1600 if (flags & HDB_F_GET_KRBTGT) {
1601 ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, flags, kvno, entry_ex);
1602 if (ret != HDB_ERR_NOENTRY) goto done;
1603 }
1604
1605 done:
1606 talloc_free(mem_ctx);
1607 return ret;
1608 }
1609
1610 struct samba_kdc_seq {
1611 unsigned int index;
1612 unsigned int count;
1613 struct ldb_message **msgs;
1614 struct ldb_dn *realm_dn;
1615 };
1616
1617 static krb5_error_code samba_kdc_seq(krb5_context context,
1618 struct samba_kdc_db_context *kdc_db_ctx,
1619 hdb_entry_ex *entry)
1620 {
1621 krb5_error_code ret;
1622 struct samba_kdc_seq *priv = kdc_db_ctx->seq_ctx;
1623 TALLOC_CTX *mem_ctx;
1624 hdb_entry_ex entry_ex;
1625 memset(&entry_ex, '\0', sizeof(entry_ex));
1626
1627 if (!priv) {
1628 return HDB_ERR_NOENTRY;
1629 }
1630
1631 mem_ctx = talloc_named(priv, 0, "samba_kdc_seq context");
1632
1633 if (!mem_ctx) {
1634 ret = ENOMEM;
1635 krb5_set_error_message(context, ret, "samba_kdc_seq: talloc_named() failed!");
1636 return ret;
1637 }
1638
1639 if (priv->index < priv->count) {
1640 ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
1641 NULL, SAMBA_KDC_ENT_TYPE_ANY,
1642 HDB_F_ADMIN_DATA|HDB_F_GET_ANY,
1643 priv->realm_dn, priv->msgs[priv->index++], entry);
1644 } else {
1645 ret = HDB_ERR_NOENTRY;
1646 }
1647
1648 if (ret != 0) {
1649 TALLOC_FREE(priv);
1650 kdc_db_ctx->seq_ctx = NULL;
1651 } else {
1652 talloc_free(mem_ctx);
1653 }
1654
1655 return ret;
1656 }
1657
1658 krb5_error_code samba_kdc_firstkey(krb5_context context,
1659 struct samba_kdc_db_context *kdc_db_ctx,
1660 hdb_entry_ex *entry)
1661 {
1662 struct ldb_context *ldb_ctx = kdc_db_ctx->samdb;
1663 struct samba_kdc_seq *priv = kdc_db_ctx->seq_ctx;
1664 char *realm;
1665 struct ldb_result *res = NULL;
1666 krb5_error_code ret;
1667 TALLOC_CTX *mem_ctx;
1668 int lret;
1669
1670 if (priv) {
1671 TALLOC_FREE(priv);
1672 kdc_db_ctx->seq_ctx = NULL;
1673 }
1674
1675 priv = (struct samba_kdc_seq *) talloc(kdc_db_ctx, struct samba_kdc_seq);
1676 if (!priv) {
1677 ret = ENOMEM;
1678 krb5_set_error_message(context, ret, "talloc: out of memory");
1679 return ret;
1680 }
1681
1682 priv->index = 0;
1683 priv->msgs = NULL;
1684 priv->realm_dn = ldb_get_default_basedn(ldb_ctx);
1685 priv->count = 0;
1686
1687 mem_ctx = talloc_named(priv, 0, "samba_kdc_firstkey context");
1688
1689 if (!mem_ctx) {
1690 ret = ENOMEM;
1691 krb5_set_error_message(context, ret, "samba_kdc_firstkey: talloc_named() failed!");
1692 return ret;
1693 }
1694
1695 ret = krb5_get_default_realm(context, &realm);
1696 if (ret != 0) {
1697 TALLOC_FREE(priv);
1698 return ret;
1699 }
1700 krb5_free_default_realm(context, realm);
1701
1702 lret = dsdb_search(ldb_ctx, priv, &res,
1703 priv->realm_dn, LDB_SCOPE_SUBTREE, user_attrs,
1704 DSDB_SEARCH_NO_GLOBAL_CATALOG,
1705 "(objectClass=user)");
1706
1707 if (lret != LDB_SUCCESS) {
1708 TALLOC_FREE(priv);
1709 return HDB_ERR_NOENTRY;
1710 }
1711
1712 priv->count = res->count;
1713 priv->msgs = talloc_steal(priv, res->msgs);
1714 talloc_free(res);
1715
1716 kdc_db_ctx->seq_ctx = priv;
1717
1718 ret = samba_kdc_seq(context, kdc_db_ctx, entry);
1719
1720 if (ret != 0) {
1721 TALLOC_FREE(priv);
1722 kdc_db_ctx->seq_ctx = NULL;
1723 } else {
1724 talloc_free(mem_ctx);
1725 }
1726 return ret;
1727 }
1728
1729 krb5_error_code samba_kdc_nextkey(krb5_context context,
1730 struct samba_kdc_db_context *kdc_db_ctx,
1731 hdb_entry_ex *entry)
1732 {
1733 return samba_kdc_seq(context, kdc_db_ctx, entry);
1734 }
1735
1736 /* Check if a given entry may delegate or do s4u2self to this target principal
1737 *
1738 * This is currently a very nasty hack - allowing only delegation to itself.
1739 */
1740 krb5_error_code
1741 samba_kdc_check_s4u2self(krb5_context context,
1742 struct samba_kdc_db_context *kdc_db_ctx,
1743 hdb_entry_ex *entry,
1744 krb5_const_principal target_principal)
1745 {
1746 krb5_error_code ret;
1747 krb5_principal enterprise_prinicpal = NULL;
1748 struct ldb_dn *realm_dn;
1749 struct ldb_message *msg;
1750 struct dom_sid *orig_sid;
1751 struct dom_sid *target_sid;
1752 struct samba_kdc_entry *p = talloc_get_type(entry->ctx, struct samba_kdc_entry);
1753 const char *delegation_check_attrs[] = {
1754 "objectSid", NULL
1755 };
1756
1757 TALLOC_CTX *mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_check_s4u2self");
1758
1759 if (!mem_ctx) {
1760 ret = ENOMEM;
1761 krb5_set_error_message(context, ret, "samba_kdc_check_s4u2self: talloc_named() failed!");
1762 return ret;
1763 }
1764
1765 if (target_principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
1766 /* Need to reparse the enterprise principal to find the real target */
1767 if (target_principal->name.name_string.len != 1) {
1768 ret = KRB5_PARSE_MALFORMED;
1769 krb5_set_error_message(context, ret, "samba_kdc_check_s4u2self: request for delegation to enterprise principal with wrong (%d) number of components",
1770 target_principal->name.name_string.len);
1771 talloc_free(mem_ctx);
1772 return ret;
1773 }
1774 ret = krb5_parse_name(context, target_principal->name.name_string.val[0],
1775 &enterprise_prinicpal);
1776 if (ret) {
1777 talloc_free(mem_ctx);
1778 return ret;
1779 }
1780 target_principal = enterprise_prinicpal;
1781 }
1782
1783 ret = samba_kdc_lookup_server(context, kdc_db_ctx, mem_ctx, target_principal,
1784 delegation_check_attrs, &realm_dn, &msg);
1785
1786 krb5_free_principal(context, enterprise_prinicpal);
1787
1788 if (ret != 0) {
1789 talloc_free(mem_ctx);
1790 return ret;
1791 }
1792
1793 orig_sid = samdb_result_dom_sid(mem_ctx, p->msg, "objectSid");
1794 target_sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid");
1795
1796 /* Allow delegation to the same principal, even if by a different
1797 * name. The easy and safe way to prove this is by SID
1798 * comparison */
1799 if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) {
1800 talloc_free(mem_ctx);
1801 return KRB5KDC_ERR_BADOPTION;
1802 }
1803
1804 talloc_free(mem_ctx);
1805 return ret;
1806 }
1807
1808 /* Certificates printed by a the Certificate Authority might have a
1809 * slightly different form of the user principal name to that in the
1810 * database. Allow a mismatch where they both refer to the same
1811 * SID */
1812
1813 krb5_error_code
1814 samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
1815 struct samba_kdc_db_context *kdc_db_ctx,
1816 hdb_entry_ex *entry,
1817 krb5_const_principal certificate_principal)
1818 {
1819 krb5_error_code ret;
1820 struct ldb_dn *realm_dn;
1821 struct ldb_message *msg;
1822 struct dom_sid *orig_sid;
1823 struct dom_sid *target_sid;
1824 struct samba_kdc_entry *p = talloc_get_type(entry->ctx, struct samba_kdc_entry);
1825 const char *ms_upn_check_attrs[] = {
1826 "objectSid", NULL
1827 };
1828
1829 TALLOC_CTX *mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_check_pkinit_ms_upn_match");
1830
1831 if (!mem_ctx) {
1832 ret = ENOMEM;
1833 krb5_set_error_message(context, ret, "samba_kdc_fetch: talloc_named() failed!");
1834 return ret;
1835 }
1836
1837 ret = samba_kdc_lookup_client(context, kdc_db_ctx,
1838 mem_ctx, certificate_principal,
1839 ms_upn_check_attrs, &realm_dn, &msg);
1840
1841 if (ret != 0) {
1842 talloc_free(mem_ctx);
1843 return ret;
1844 }
1845
1846 orig_sid = samdb_result_dom_sid(mem_ctx, p->msg, "objectSid");
1847 target_sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid");
1848
1849 /* Consider these to be the same principal, even if by a different
1850 * name. The easy and safe way to prove this is by SID
1851 * comparison */
1852 if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) {
1853 talloc_free(mem_ctx);
1854 return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
1855 }
1856
1857 talloc_free(mem_ctx);
1858 return ret;
1859 }
1860
1861 /*
1862 * Check if a given entry may delegate to this target principal
1863 * with S4U2Proxy.
1864 */
1865 krb5_error_code
1866 samba_kdc_check_s4u2proxy(krb5_context context,
1867 struct samba_kdc_db_context *kdc_db_ctx,
1868 hdb_entry_ex *entry,
1869 krb5_const_principal target_principal)
1870 {
1871 krb5_error_code ret;
1872 char *tmp = NULL;
1873 const char *client_dn = NULL;
1874 const char *target_principal_name = NULL;
1875 struct ldb_message_element *el;
1876 struct ldb_val val;
1877 unsigned int i;
1878 bool found = false;
1879 struct samba_kdc_entry *p = talloc_get_type(entry->ctx, struct samba_kdc_entry);
1880
1881 TALLOC_CTX *mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_check_s4u2proxy");
1882
1883 if (!mem_ctx) {
1884 ret = ENOMEM;
1885 krb5_set_error_message(context, ret,
1886 "samba_kdc_check_s4u2proxy:"
1887 " talloc_named() failed!");
1888 return ret;
1889 }
1890
1891 client_dn = ldb_dn_get_linearized(p->msg->dn);
1892 if (!client_dn) {
1893 if (errno == 0) {
1894 errno = ENOMEM;
1895 }
1896 ret = errno;
1897 krb5_set_error_message(context, ret,
1898 "samba_kdc_check_s4u2proxy:"
1899 " ldb_dn_get_linearized() failed!");
1900 return ret;
1901 }
1902
1903 /*
1904 * The main heimdal code already checked that the target_principal
1905 * belongs to the same realm as the client.
1906 *
1907 * So we just need the principal without the realm,
1908 * as that is what is configured in the "msDS-AllowedToDelegateTo"
1909 * attribute.
1910 */
1911 ret = krb5_unparse_name_flags(context, target_principal,
1912 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &tmp);
1913 if (ret) {
1914 talloc_free(mem_ctx);
1915 krb5_set_error_message(context, ret,
1916 "samba_kdc_check_s4u2proxy:"
1917 " krb5_unparse_name() failed!");
1918 return ret;
1919 }
1920 DEBUG(10,("samba_kdc_check_s4u2proxy: client[%s] for target[%s]\n",
1921 client_dn, tmp));
1922
1923 target_principal_name = talloc_strdup(mem_ctx, tmp);
1924 SAFE_FREE(tmp);
1925 if (target_principal_name == NULL) {
1926 ret = ENOMEM;
1927 krb5_set_error_message(context, ret,
1928 "samba_kdc_check_s4u2proxy:"
1929 " talloc_strdup() failed!");
1930 return ret;
1931 }
1932
1933 el = ldb_msg_find_element(p->msg, "msDS-AllowedToDelegateTo");
1934 if (el == NULL) {
1935 goto bad_option;
1936 }
1937
1938 val = data_blob_string_const(target_principal_name);
1939
1940 for (i=0; i<el->num_values; i++) {
1941 struct ldb_val *val1 = &val;
1942 struct ldb_val *val2 = &el->values[i];
1943 int cmp;
1944
1945 if (val1->length != val2->length) {
1946 continue;
1947 }
1948
1949 cmp = strncasecmp((const char *)val1->data,
1950 (const char *)val2->data,
1951 val1->length);
1952 if (cmp != 0) {
1953 continue;
1954 }
1955
1956 found = true;
1957 break;
1958 }
1959
1960 if (!found) {
1961 goto bad_option;
1962 }
1963
1964 DEBUG(10,("samba_kdc_check_s4u2proxy: client[%s] allowed target[%s]\n",
1965 client_dn, tmp));
1966 talloc_free(mem_ctx);
1967 return 0;
1968
1969 bad_option:
1970 krb5_set_error_message(context, ret,
1971 "samba_kdc_check_s4u2proxy: client[%s] "
1972 "not allowed for delegation to target[%s]",
1973 client_dn,
1974 target_principal_name);
1975 talloc_free(mem_ctx);
1976 return KRB5KDC_ERR_BADOPTION;
1977 }
1978
1979 NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_context *base_ctx,
1980 struct samba_kdc_db_context **kdc_db_ctx_out)
1981 {
1982 int ldb_ret;
1983 struct ldb_message *msg;
1984 struct auth_session_info *session_info;
1985 struct samba_kdc_db_context *kdc_db_ctx;
1986 /* The idea here is very simple. Using Kerberos to
1987 * authenticate the KDC to the LDAP server is higly likely to
1988 * be circular.
1989 *
1990 * In future we may set this up to use EXERNAL and SSL
1991 * certificates, for now it will almost certainly be NTLMSSP_SET_USERNAME
1992 */
1993
1994 kdc_db_ctx = talloc_zero(mem_ctx, struct samba_kdc_db_context);
1995 if (kdc_db_ctx == NULL) {
1996 return NT_STATUS_NO_MEMORY;
1997 }
1998 kdc_db_ctx->ev_ctx = base_ctx->ev_ctx;
1999 kdc_db_ctx->lp_ctx = base_ctx->lp_ctx;
2000
2001 /* get default kdc policy */
2002 lpcfg_default_kdc_policy(base_ctx->lp_ctx,
2003 &kdc_db_ctx->policy.svc_tkt_lifetime,
2004 &kdc_db_ctx->policy.usr_tkt_lifetime,
2005 &kdc_db_ctx->policy.renewal_lifetime);
2006
2007 session_info = system_session(kdc_db_ctx->lp_ctx);
2008 if (session_info == NULL) {
2009 return NT_STATUS_INTERNAL_ERROR;
2010 }
2011
2012 /* Setup the link to LDB */
2013 kdc_db_ctx->samdb = samdb_connect(kdc_db_ctx, base_ctx->ev_ctx,
2014 base_ctx->lp_ctx, session_info, 0);
2015 if (kdc_db_ctx->samdb == NULL) {
2016 DEBUG(1, ("hdb_samba4_create: Cannot open samdb for KDC backend!"));
2017 talloc_free(kdc_db_ctx);
2018 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2019 }
2020
2021 /* Find out our own krbtgt kvno */
2022 ldb_ret = samdb_rodc(kdc_db_ctx->samdb, &kdc_db_ctx->rodc);
2023 if (ldb_ret != LDB_SUCCESS) {
2024 DEBUG(1, ("hdb_samba4_create: Cannot determine if we are an RODC in KDC backend: %s\n",
2025 ldb_errstring(kdc_db_ctx->samdb)));
2026 talloc_free(kdc_db_ctx);
2027 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2028 }
2029 if (kdc_db_ctx->rodc) {
2030 int my_krbtgt_number;
2031 const char *secondary_keytab[] = { "msDS-SecondaryKrbTgtNumber", NULL };
2032 struct ldb_dn *account_dn;
2033 struct ldb_dn *server_dn = samdb_server_dn(kdc_db_ctx->samdb, kdc_db_ctx);
2034 if (!server_dn) {
2035 DEBUG(1, ("hdb_samba4_create: Cannot determine server DN in KDC backend: %s\n",
2036 ldb_errstring(kdc_db_ctx->samdb)));
2037 talloc_free(kdc_db_ctx);
2038 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2039 }
2040
2041 ldb_ret = samdb_reference_dn(kdc_db_ctx->samdb, kdc_db_ctx, server_dn,
2042 "serverReference", &account_dn);
2043 if (ldb_ret != LDB_SUCCESS) {
2044 DEBUG(1, ("hdb_samba4_create: Cannot determine server account in KDC backend: %s\n",
2045 ldb_errstring(kdc_db_ctx->samdb)));
2046 talloc_free(kdc_db_ctx);
2047 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2048 }
2049
2050 ldb_ret = samdb_reference_dn(kdc_db_ctx->samdb, kdc_db_ctx, account_dn,
2051 "msDS-KrbTgtLink", &kdc_db_ctx->krbtgt_dn);
2052 talloc_free(account_dn);
2053 if (ldb_ret != LDB_SUCCESS) {
2054 DEBUG(1, ("hdb_samba4_create: Cannot determine RODC krbtgt account in KDC backend: %s\n",
2055 ldb_errstring(kdc_db_ctx->samdb)));
2056 talloc_free(kdc_db_ctx);
2057 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2058 }
2059
2060 ldb_ret = dsdb_search_one(kdc_db_ctx->samdb, kdc_db_ctx,
2061 &msg, kdc_db_ctx->krbtgt_dn, LDB_SCOPE_BASE,
2062 secondary_keytab,
2063 DSDB_SEARCH_NO_GLOBAL_CATALOG,
2064 "(&(objectClass=user)(msDS-SecondaryKrbTgtNumber=*))");
2065 if (ldb_ret != LDB_SUCCESS) {
2066 DEBUG(1, ("hdb_samba4_create: Cannot read krbtgt account %s in KDC backend to get msDS-SecondaryKrbTgtNumber: %s: %s\n",
2067 ldb_dn_get_linearized(kdc_db_ctx->krbtgt_dn),
2068 ldb_errstring(kdc_db_ctx->samdb),
2069 ldb_strerror(ldb_ret)));
2070 talloc_free(kdc_db_ctx);
2071 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2072 }
2073 my_krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1);
2074 if (my_krbtgt_number == -1) {
2075 DEBUG(1, ("hdb_samba4_create: Cannot read msDS-SecondaryKrbTgtNumber from krbtgt account %s in KDC backend: got %d\n",
2076 ldb_dn_get_linearized(kdc_db_ctx->krbtgt_dn),
2077 my_krbtgt_number));
2078 talloc_free(kdc_db_ctx);
2079 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2080 }
2081 kdc_db_ctx->my_krbtgt_number = my_krbtgt_number;
2082
2083 } else {
2084 kdc_db_ctx->my_krbtgt_number = 0;
2085 ldb_ret = dsdb_search_one(kdc_db_ctx->samdb, kdc_db_ctx,
2086 &msg,
2087 ldb_get_default_basedn(kdc_db_ctx->samdb),
2088 LDB_SCOPE_SUBTREE,
2089 krbtgt_attrs,
2090 DSDB_SEARCH_NO_GLOBAL_CATALOG,
2091 "(&(objectClass=user)(samAccountName=krbtgt))");
2092
2093 if (ldb_ret != LDB_SUCCESS) {
2094 DEBUG(1, ("samba_kdc_fetch: could not find own KRBTGT in DB: %s\n", ldb_errstring(kdc_db_ctx->samdb)));
2095 talloc_free(kdc_db_ctx);
2096 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
2097 }
2098 kdc_db_ctx->krbtgt_dn = talloc_steal(kdc_db_ctx, msg->dn);
2099 kdc_db_ctx->my_krbtgt_number = 0;
2100 talloc_free(msg);
2101 }
2102 *kdc_db_ctx_out = kdc_db_ctx;
2103 return NT_STATUS_OK;
2104 }
Samba GIT mirror