search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
xattr.id: Fix a typo
[Samba.git] / source4 / kdc / hdb-samba4.c
blob552eeeedf6b378fb85c6bd522c8eea73f513adb2
1 /*
2 * Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd.
3 * Copyright (c) 2004-2009, Andrew Bartlett <abartlet@samba.org>.
4 * Copyright (c) 2004, Stefan Metzmacher <metze@samba.org>
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 *
18 * 3. Neither the name of PADL Software nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 */
34
35 #include "includes.h"
36 #include "kdc/kdc-glue.h"
37 #include "kdc/db-glue.h"
38 #include "auth/auth_sam.h"
39 #include "auth/common_auth.h"
40 #include <ldb.h>
41 #include "sdb.h"
42 #include "sdb_hdb.h"
43 #include "dsdb/samdb/samdb.h"
44 #include "param/param.h"
45 #include "../lib/tsocket/tsocket.h"
46 #include "librpc/gen_ndr/ndr_winbind_c.h"
47 #include "lib/messaging/irpc.h"
48
49 static krb5_error_code hdb_samba4_open(krb5_context context, HDB *db, int flags, mode_t mode)
50 {
51 if (db->hdb_master_key_set) {
52 krb5_error_code ret = HDB_ERR_NOENTRY;
53 krb5_warnx(context, "hdb_samba4_open: use of a master key incompatible with LDB\n");
54 krb5_set_error_message(context, ret, "hdb_samba4_open: use of a master key incompatible with LDB\n");
55 return ret;
56 }
57
58 return 0;
59 }
60
61 static krb5_error_code hdb_samba4_close(krb5_context context, HDB *db)
62 {
63 return 0;
64 }
65
66 static krb5_error_code hdb_samba4_lock(krb5_context context, HDB *db, int operation)
67 {
68 return 0;
69 }
70
71 static krb5_error_code hdb_samba4_unlock(krb5_context context, HDB *db)
72 {
73 return 0;
74 }
75
76 static krb5_error_code hdb_samba4_rename(krb5_context context, HDB *db, const char *new_name)
77 {
78 return HDB_ERR_DB_INUSE;
79 }
80
81 static krb5_error_code hdb_samba4_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
82 {
83 return HDB_ERR_DB_INUSE;
84 }
85
86 static krb5_error_code hdb_samba4_remove(krb5_context context, HDB *db, krb5_const_principal principal)
87 {
88 return HDB_ERR_DB_INUSE;
89 }
90
91 static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db,
92 krb5_const_principal principal,
93 unsigned flags,
94 krb5_kvno kvno,
95 hdb_entry_ex *entry_ex)
96 {
97 struct samba_kdc_db_context *kdc_db_ctx;
98 struct sdb_entry_ex sdb_entry_ex = {};
99 krb5_error_code code, ret;
100
101 kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
102 struct samba_kdc_db_context);
103
104 ret = samba_kdc_fetch(context,
105 kdc_db_ctx,
106 principal,
107 flags,
108 kvno,
109 &sdb_entry_ex);
110 switch (ret) {
111 case 0:
112 code = 0;
113 break;
114 case SDB_ERR_WRONG_REALM:
115 /*
116 * If SDB_ERR_WRONG_REALM is returned we need to process the
117 * sdb_entry to fill the principal in the HDB entry.
118 */
119 code = HDB_ERR_WRONG_REALM;
120 break;
121 case SDB_ERR_NOENTRY:
122 return HDB_ERR_NOENTRY;
123 default:
124 return HDB_ERR_NOT_FOUND_HERE;
125 }
126
127 ret = sdb_entry_ex_to_hdb_entry_ex(context, &sdb_entry_ex, entry_ex);
128 sdb_free_entry(&sdb_entry_ex);
129
130 if (code != 0 && ret != 0) {
131 code = ret;
132 }
133
134 return code;
135 }
136
137 static krb5_error_code hdb_samba4_firstkey(krb5_context context, HDB *db, unsigned flags,
138 hdb_entry_ex *entry)
139 {
140 struct samba_kdc_db_context *kdc_db_ctx;
141 struct sdb_entry_ex sdb_entry_ex = {};
142 krb5_error_code ret;
143
144 kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
145 struct samba_kdc_db_context);
146
147 ret = samba_kdc_firstkey(context, kdc_db_ctx, &sdb_entry_ex);
148 switch (ret) {
149 case 0:
150 break;
151 case SDB_ERR_WRONG_REALM:
152 return HDB_ERR_WRONG_REALM;
153 case SDB_ERR_NOENTRY:
154 return HDB_ERR_NOENTRY;
155 default:
156 return HDB_ERR_NOT_FOUND_HERE;
157 }
158
159 ret = sdb_entry_ex_to_hdb_entry_ex(context, &sdb_entry_ex, entry);
160 sdb_free_entry(&sdb_entry_ex);
161 return ret;
162 }
163
164 static krb5_error_code hdb_samba4_nextkey(krb5_context context, HDB *db, unsigned flags,
165 hdb_entry_ex *entry)
166 {
167 struct samba_kdc_db_context *kdc_db_ctx;
168 struct sdb_entry_ex sdb_entry_ex = {};
169 krb5_error_code ret;
170
171 kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
172 struct samba_kdc_db_context);
173
174 ret = samba_kdc_nextkey(context, kdc_db_ctx, &sdb_entry_ex);
175 switch (ret) {
176 case 0:
177 break;
178 case SDB_ERR_WRONG_REALM:
179 return HDB_ERR_WRONG_REALM;
180 case SDB_ERR_NOENTRY:
181 return HDB_ERR_NOENTRY;
182 default:
183 return HDB_ERR_NOT_FOUND_HERE;
184 }
185
186 ret = sdb_entry_ex_to_hdb_entry_ex(context, &sdb_entry_ex, entry);
187 sdb_free_entry(&sdb_entry_ex);
188 return ret;
189 }
190
191 static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db)
192 {
193 talloc_free(db);
194 return 0;
195 }
196
197 static krb5_error_code
198 hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db,
199 hdb_entry_ex *entry,
200 krb5_const_principal target_principal)
201 {
202 struct samba_kdc_db_context *kdc_db_ctx;
203 struct samba_kdc_entry *skdc_entry;
204 krb5_error_code ret;
205
206 kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
207 struct samba_kdc_db_context);
208 skdc_entry = talloc_get_type_abort(entry->ctx,
209 struct samba_kdc_entry);
210
211 ret = samba_kdc_check_s4u2proxy(context, kdc_db_ctx,
212 skdc_entry,
213 target_principal);
214 switch (ret) {
215 case 0:
216 break;
217 case SDB_ERR_WRONG_REALM:
218 ret = HDB_ERR_WRONG_REALM;
219 break;
220 case SDB_ERR_NOENTRY:
221 ret = HDB_ERR_NOENTRY;
222 break;
223 default:
224 ret = HDB_ERR_NOT_FOUND_HERE;
225 break;
226 }
227
228 return ret;
229 }
230
231 static krb5_error_code
232 hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db,
233 hdb_entry_ex *entry,
234 krb5_const_principal certificate_principal)
235 {
236 struct samba_kdc_db_context *kdc_db_ctx;
237 struct samba_kdc_entry *skdc_entry;
238 krb5_error_code ret;
239
240 kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
241 struct samba_kdc_db_context);
242 skdc_entry = talloc_get_type_abort(entry->ctx,
243 struct samba_kdc_entry);
244
245 ret = samba_kdc_check_pkinit_ms_upn_match(context, kdc_db_ctx,
246 skdc_entry,
247 certificate_principal);
248 switch (ret) {
249 case 0:
250 break;
251 case SDB_ERR_WRONG_REALM:
252 ret = HDB_ERR_WRONG_REALM;
253 break;
254 case SDB_ERR_NOENTRY:
255 ret = HDB_ERR_NOENTRY;
256 break;
257 default:
258 ret = HDB_ERR_NOT_FOUND_HERE;
259 break;
260 }
261
262 return ret;
263 }
264
265 static krb5_error_code
266 hdb_samba4_check_s4u2self(krb5_context context, HDB *db,
267 hdb_entry_ex *entry,
268 krb5_const_principal target_principal)
269 {
270 struct samba_kdc_db_context *kdc_db_ctx;
271 struct samba_kdc_entry *skdc_entry;
272 krb5_error_code ret;
273
274 kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
275 struct samba_kdc_db_context);
276 skdc_entry = talloc_get_type_abort(entry->ctx,
277 struct samba_kdc_entry);
278
279 ret = samba_kdc_check_s4u2self(context, kdc_db_ctx,
280 skdc_entry,
281 target_principal);
282 switch (ret) {
283 case 0:
284 break;
285 case SDB_ERR_WRONG_REALM:
286 ret = HDB_ERR_WRONG_REALM;
287 break;
288 case SDB_ERR_NOENTRY:
289 ret = HDB_ERR_NOENTRY;
290 break;
291 default:
292 ret = HDB_ERR_NOT_FOUND_HERE;
293 break;
294 }
295
296 return ret;
297 }
298
299 static void reset_bad_password_netlogon(TALLOC_CTX *mem_ctx,
300 struct samba_kdc_db_context *kdc_db_ctx,
301 struct netr_SendToSamBase *send_to_sam)
302 {
303 struct dcerpc_binding_handle *irpc_handle;
304 struct winbind_SendToSam req;
305
306 irpc_handle = irpc_binding_handle_by_name(mem_ctx, kdc_db_ctx->msg_ctx,
307 "winbind_server",
308 &ndr_table_winbind);
309
310 if (irpc_handle == NULL) {
311 DEBUG(0, ("No winbind_server running!\n"));
312 return;
313 }
314
315 req.in.message = *send_to_sam;
316
317 dcerpc_winbind_SendToSam_r_send(mem_ctx, kdc_db_ctx->ev_ctx,
318 irpc_handle, &req);
319 }
320
321 static void send_bad_password_netlogon(TALLOC_CTX *mem_ctx,
322 struct samba_kdc_db_context *kdc_db_ctx,
323 struct auth_usersupplied_info *user_info)
324 {
325 struct dcerpc_binding_handle *irpc_handle;
326 struct winbind_SamLogon req;
327 struct netr_IdentityInfo *identity_info;
328 struct netr_NetworkInfo *network_info;
329
330 irpc_handle = irpc_binding_handle_by_name(mem_ctx, kdc_db_ctx->msg_ctx,
331 "winbind_server",
332 &ndr_table_winbind);
333 if (irpc_handle == NULL) {
334 DEBUG(0, ("Winbind fowarding for [%s]\\[%s] failed, "
335 "no winbind_server running!\n",
336 user_info->mapped.domain_name, user_info->mapped.account_name));
337 return;
338 }
339
340 network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
341 if (network_info == NULL) {
342 DEBUG(0, ("Winbind forwarding failed: No memory\n"));
343 return;
344 }
345
346 identity_info = &network_info->identity_info;
347 req.in.logon_level = 2;
348 req.in.logon.network = network_info;
349
350 identity_info->domain_name.string = user_info->mapped.domain_name;
351 identity_info->parameter_control = user_info->logon_parameters; /* TODO */
352 identity_info->logon_id_low = 0;
353 identity_info->logon_id_high = 0;
354 identity_info->account_name.string = user_info->mapped.account_name;
355 identity_info->workstation.string
356 = talloc_asprintf(identity_info, "krb5-bad-pw on RODC from %s",
357 tsocket_address_string(user_info->remote_host,
358 identity_info));
359 if (identity_info->workstation.string == NULL) {
360 DEBUG(0, ("Winbind forwarding failed: No memory allocating workstation string\n"));
361 return;
362 }
363
364 req.in.validation_level = 3;
365
366 /*
367 * The memory in identity_info and user_info only needs to be
368 * valid until the end of this function call, as it will be
369 * pushed to NDR during this call
370 */
371
372 dcerpc_winbind_SamLogon_r_send(mem_ctx, kdc_db_ctx->ev_ctx,
373 irpc_handle, &req);
374 }
375
376 static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
377 hdb_entry_ex *entry,
378 struct sockaddr *from_addr,
379 const char *original_client_name,
380 const char *auth_type,
381 int hdb_auth_status)
382 {
383 struct samba_kdc_db_context *kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
384 struct samba_kdc_db_context);
385
386 struct ldb_dn *domain_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
387
388 /*
389 * Forcing this via the NTLM auth structure is not ideal, but
390 * it is the most practical option right now, and ensures the
391 * logs are consistent, even if some elements are always NULL.
392 */
393 struct auth_usersupplied_info ui = {
394 .mapped_state = true,
395 .was_mapped = true,
396 .client = {
397 .account_name = original_client_name,
398 .domain_name = NULL,
399 },
400 .service_description = "Kerberos KDC",
401 .auth_description = "ENC-TS Pre-authentication",
402 .password_type = auth_type
403 };
404
405 size_t sa_socklen = 0;
406
407 switch (from_addr->sa_family) {
408 case AF_INET:
409 sa_socklen = sizeof(struct sockaddr_in);
410 break;
411 #ifdef HAVE_IPV6
412 case AF_INET6:
413 sa_socklen = sizeof(struct sockaddr_in6);
414 break;
415 #endif
416 }
417
418 switch (hdb_auth_status) {
419 case HDB_AUTHZ_SUCCESS:
420 {
421 TALLOC_CTX *frame = talloc_stackframe();
422 struct samba_kdc_entry *p = talloc_get_type(entry->ctx,
423 struct samba_kdc_entry);
424 struct netr_SendToSamBase *send_to_sam = NULL;
425
426 /*
427 * TODO: We could log the AS-REQ authorization success here as
428 * well. However before we do that, we need to pass
429 * in the PAC here or re-calculate it.
430 */
431 authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg,
432 domain_dn, true, &send_to_sam);
433 if (kdc_db_ctx->rodc && send_to_sam != NULL) {
434 reset_bad_password_netlogon(frame, kdc_db_ctx, send_to_sam);
435 }
436 talloc_free(frame);
437 break;
438 }
439 case HDB_AUTH_INVALID_SIGNATURE:
440 break;
441 case HDB_AUTH_CORRECT_PASSWORD:
442 case HDB_AUTH_WRONG_PASSWORD:
443 {
444 TALLOC_CTX *frame = talloc_stackframe();
445 struct samba_kdc_entry *p = talloc_get_type(entry->ctx,
446 struct samba_kdc_entry);
447 struct dom_sid *sid
448 = samdb_result_dom_sid(frame, p->msg, "objectSid");
449 const char *account_name
450 = ldb_msg_find_attr_as_string(p->msg, "sAMAccountName", NULL);
451 const char *domain_name = lpcfg_sam_name(p->kdc_db_ctx->lp_ctx);
452 struct tsocket_address *remote_host;
453 NTSTATUS status;
454 int ret;
455
456 ret = tsocket_address_bsd_from_sockaddr(frame, from_addr,
457 sa_socklen,
458 &remote_host);
459 if (ret != 0) {
460 ui.remote_host = NULL;
461 } else {
462 ui.remote_host = remote_host;
463 }
464
465 ui.mapped.account_name = account_name;
466 ui.mapped.domain_name = domain_name;
467
468 if (hdb_auth_status == HDB_AUTH_WRONG_PASSWORD) {
469 authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
470 status = NT_STATUS_WRONG_PASSWORD;
471 /*
472 * TODO We currently send a bad password via NETLOGON,
473 * however, it should probably forward the ticket to
474 * another KDC to allow login after password changes.
475 */
476 if (kdc_db_ctx->rodc) {
477 send_bad_password_netlogon(frame, kdc_db_ctx, &ui);
478 }
479 } else {
480 status = NT_STATUS_OK;
481 }
482
483 log_authentication_event(kdc_db_ctx->msg_ctx,
484 kdc_db_ctx->lp_ctx,
485 &ui,
486 status,
487 domain_name,
488 account_name,
489 NULL,
490 sid);
491 TALLOC_FREE(frame);
492 break;
493 }
494 case HDB_AUTH_CLIENT_UNKNOWN:
495 {
496 struct tsocket_address *remote_host;
497 int ret;
498 TALLOC_CTX *frame = talloc_stackframe();
499 ret = tsocket_address_bsd_from_sockaddr(frame, from_addr,
500 sa_socklen,
501 &remote_host);
502 if (ret != 0) {
503 ui.remote_host = NULL;
504 } else {
505 ui.remote_host = remote_host;
506 }
507
508 log_authentication_event(kdc_db_ctx->msg_ctx,
509 kdc_db_ctx->lp_ctx,
510 &ui,
511 NT_STATUS_NO_SUCH_USER,
512 NULL, NULL,
513 NULL, NULL);
514 TALLOC_FREE(frame);
515 break;
516 }
517 }
518 return 0;
519 }
520
521 /* This interface is to be called by the KDC and libnet_keytab_dump,
522 * which is expecting Samba calling conventions.
523 * It is also called by a wrapper (hdb_samba4_create) from the
524 * kpasswdd -> krb5 -> keytab_hdb -> hdb code */
525
526 NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
527 krb5_context context, struct HDB **db)
528 {
529 struct samba_kdc_db_context *kdc_db_ctx;
530 NTSTATUS nt_status;
531
532 if (hdb_interface_version != HDB_INTERFACE_VERSION) {
533 krb5_set_error_message(context, EINVAL, "Heimdal HDB interface version mismatch between build-time and run-time libraries!");
534 return NT_STATUS_ERROR_DS_INCOMPATIBLE_VERSION;
535 }
536
537 *db = talloc(base_ctx, HDB);
538 if (!*db) {
539 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
540 return NT_STATUS_NO_MEMORY;
541 }
542
543 (*db)->hdb_master_key_set = 0;
544 (*db)->hdb_db = NULL;
545 (*db)->hdb_capability_flags = HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL;
546
547 nt_status = samba_kdc_setup_db_ctx(*db, base_ctx, &kdc_db_ctx);
548 if (!NT_STATUS_IS_OK(nt_status)) {
549 talloc_free(*db);
550 return nt_status;
551 }
552 (*db)->hdb_db = kdc_db_ctx;
553
554 (*db)->hdb_dbc = NULL;
555 (*db)->hdb_open = hdb_samba4_open;
556 (*db)->hdb_close = hdb_samba4_close;
557 (*db)->hdb_fetch_kvno = hdb_samba4_fetch_kvno;
558 (*db)->hdb_store = hdb_samba4_store;
559 (*db)->hdb_remove = hdb_samba4_remove;
560 (*db)->hdb_firstkey = hdb_samba4_firstkey;
561 (*db)->hdb_nextkey = hdb_samba4_nextkey;
562 (*db)->hdb_lock = hdb_samba4_lock;
563 (*db)->hdb_unlock = hdb_samba4_unlock;
564 (*db)->hdb_rename = hdb_samba4_rename;
565 /* we don't implement these, as we are not a lockable database */
566 (*db)->hdb__get = NULL;
567 (*db)->hdb__put = NULL;
568 /* kadmin should not be used for deletes - use other tools instead */
569 (*db)->hdb__del = NULL;
570 (*db)->hdb_destroy = hdb_samba4_destroy;
571
572 (*db)->hdb_auth_status = hdb_samba4_auth_status;
573 (*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation;
574 (*db)->hdb_check_pkinit_ms_upn_match = hdb_samba4_check_pkinit_ms_upn_match;
575 (*db)->hdb_check_s4u2self = hdb_samba4_check_s4u2self;
576
577 return NT_STATUS_OK;
578 }
Samba GIT mirror