search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
mit-kdb: support MIT Kerberos 1.16 KDB API changes
[Samba.git] / source4 / kdc / mit-kdb / kdb_samba_policies.c
blobde5813bde2f847a7a5613f115cc826ab3eaed676
1 /*
2 Unix SMB/CIFS implementation.
3
4 Samba KDB plugin for MIT Kerberos
5
6 Copyright (c) 2010 Simo Sorce <idra@samba.org>.
7 Copyright (c) 2014 Andreas Schneider <asn@samba.org>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24
25 #include "system/kerberos.h"
26
27 #include <profile.h>
28 #include <kdb.h>
29
30 #include "kdc/mit_samba.h"
31 #include "kdb_samba.h"
32
33 /* FIXME: This is a krb5 function which is exported, but in no header */
34 extern krb5_error_code decode_krb5_padata_sequence(const krb5_data *output,
35 krb5_pa_data ***rep);
36
37 static krb5_error_code ks_get_netbios_name(krb5_address **addrs, char **name)
38 {
39 char *nb_name = NULL;
40 int len, i;
41
42 for (i = 0; addrs[i]; i++) {
43 if (addrs[i]->addrtype != ADDRTYPE_NETBIOS) {
44 continue;
45 }
46 len = MIN(addrs[i]->length, 15);
47 nb_name = strndup((const char *)addrs[i]->contents, len);
48 if (!nb_name) {
49 return ENOMEM;
50 }
51 break;
52 }
53
54 if (nb_name) {
55 /* Strip space padding */
56 i = strlen(nb_name) - 1;
57 for (i = strlen(nb_name) - 1;
58 i > 0 && nb_name[i] == ' ';
59 i--) {
60 nb_name[i] = '\0';
61 }
62 }
63
64 *name = nb_name;
65
66 return 0;
67 }
68
69 krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
70 krb5_kdc_req *kdcreq,
71 krb5_db_entry *client,
72 krb5_db_entry *server,
73 krb5_timestamp kdc_time,
74 const char **status,
75 krb5_pa_data ***e_data_out)
76 {
77 struct mit_samba_context *mit_ctx;
78 krb5_error_code code;
79 char *client_name = NULL;
80 char *server_name = NULL;
81 char *netbios_name = NULL;
82 char *realm = NULL;
83 bool password_change = false;
84 DATA_BLOB int_data = { NULL, 0 };
85 krb5_data d;
86 krb5_pa_data **e_data;
87
88 mit_ctx = ks_get_context(context);
89 if (mit_ctx == NULL) {
90 return KRB5_KDB_DBNOTINITED;
91 }
92
93 if (ks_is_kadmin(context, kdcreq->client)) {
94 return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
95 }
96
97 if (krb5_princ_size(context, kdcreq->server) == 2 &&
98 ks_is_kadmin_changepw(context, kdcreq->server)) {
99 code = krb5_get_default_realm(context, &realm);
100 if (code) {
101 goto done;
102 }
103
104 if (ks_data_eq_string(kdcreq->server->realm, realm)) {
105 password_change = true;
106 }
107 }
108
109 code = krb5_unparse_name(context, kdcreq->server, &server_name);
110 if (code) {
111 goto done;
112 }
113
114 code = krb5_unparse_name(context, kdcreq->client, &client_name);
115 if (code) {
116 goto done;
117 }
118
119 if (kdcreq->addresses) {
120 code = ks_get_netbios_name(kdcreq->addresses, &netbios_name);
121 if (code) {
122 goto done;
123 }
124 }
125
126 code = mit_samba_check_client_access(mit_ctx,
127 client,
128 client_name,
129 server,
130 server_name,
131 netbios_name,
132 password_change,
133 &int_data);
134
135 if (int_data.length && int_data.data) {
136
137 /* make sure the mapped return code is returned - gd */
138 int code_tmp;
139
140 d = ks_make_data(int_data.data, int_data.length);
141
142 code_tmp = decode_krb5_padata_sequence(&d, &e_data);
143 if (code_tmp == 0) {
144 *e_data_out = e_data;
145 }
146 }
147 done:
148 free(realm);
149 free(server_name);
150 free(client_name);
151 free(netbios_name);
152
153 return code;
154 }
155
156 static krb5_error_code ks_get_pac(krb5_context context,
157 krb5_db_entry *client,
158 krb5_keyblock *client_key,
159 krb5_pac *pac)
160 {
161 struct mit_samba_context *mit_ctx;
162 krb5_error_code code;
163
164 mit_ctx = ks_get_context(context);
165 if (mit_ctx == NULL) {
166 return KRB5_KDB_DBNOTINITED;
167 }
168
169 code = mit_samba_get_pac(mit_ctx,
170 context,
171 client,
172 client_key,
173 pac);
174 if (code != 0) {
175 return code;
176 }
177
178 return code;
179 }
180
181 static krb5_error_code ks_verify_pac(krb5_context context,
182 unsigned int flags,
183 krb5_const_principal client_princ,
184 krb5_db_entry *client,
185 krb5_db_entry *server,
186 krb5_db_entry *krbtgt,
187 krb5_keyblock *server_key,
188 krb5_keyblock *krbtgt_key,
189 krb5_timestamp authtime,
190 krb5_authdata **tgt_auth_data,
191 krb5_pac *pac)
192 {
193 struct mit_samba_context *mit_ctx;
194 krb5_authdata **authdata = NULL;
195 krb5_pac ipac = NULL;
196 DATA_BLOB logon_data = { NULL, 0 };
197 krb5_error_code code;
198
199 mit_ctx = ks_get_context(context);
200 if (mit_ctx == NULL) {
201 return KRB5_KDB_DBNOTINITED;
202 }
203
204 /* find the existing PAC, if present */
205 code = krb5_find_authdata(context,
206 tgt_auth_data,
207 NULL,
208 KRB5_AUTHDATA_WIN2K_PAC,
209 &authdata);
210 if (code != 0) {
211 return code;
212 }
213
214 /* no pac data */
215 if (authdata == NULL) {
216 return 0;
217 }
218
219 SMB_ASSERT(authdata[0] != NULL);
220
221 if (authdata[1] != NULL) {
222 code = KRB5KDC_ERR_BADOPTION; /* XXX */
223 goto done;
224 }
225
226 code = krb5_pac_parse(context,
227 authdata[0]->contents,
228 authdata[0]->length,
229 &ipac);
230 if (code != 0) {
231 goto done;
232 }
233
234 /* TODO: verify this is correct
235 *
236 * In the constrained delegation case, the PAC is from a service
237 * ticket rather than a TGT; we must verify the server and KDC
238 * signatures to assert that the server did not forge the PAC.
239 */
240 if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
241 code = krb5_pac_verify(context,
242 ipac,
243 authtime,
244 client_princ,
245 server_key,
246 krbtgt_key);
247 } else {
248 code = krb5_pac_verify(context,
249 ipac,
250 authtime,
251 client_princ,
252 krbtgt_key,
253 NULL);
254 }
255 if (code != 0) {
256 goto done;
257 }
258
259 /* check and update PAC */
260 code = krb5_pac_parse(context,
261 authdata[0]->contents,
262 authdata[0]->length,
263 pac);
264 if (code != 0) {
265 goto done;
266 }
267
268 code = mit_samba_reget_pac(mit_ctx,
269 context,
270 flags,
271 client_princ,
272 client,
273 server,
274 krbtgt,
275 krbtgt_key,
276 pac);
277
278 done:
279 krb5_free_authdata(context, authdata);
280 krb5_pac_free(context, ipac);
281 free(logon_data.data);
282
283 return code;
284 }
285
286 krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
287 unsigned int flags,
288 krb5_const_principal client_princ,
289 krb5_db_entry *client,
290 krb5_db_entry *server,
291 krb5_db_entry *krbtgt,
292 krb5_keyblock *client_key,
293 krb5_keyblock *server_key,
294 krb5_keyblock *krbtgt_key,
295 krb5_keyblock *session_key,
296 krb5_timestamp authtime,
297 krb5_authdata **tgt_auth_data,
298 krb5_authdata ***signed_auth_data)
299 {
300 krb5_const_principal ks_client_princ;
301 krb5_authdata **authdata = NULL;
302 krb5_boolean is_as_req;
303 krb5_error_code code;
304 krb5_pac pac = NULL;
305 krb5_data pac_data;
306
307 /* Prefer canonicalised name from client entry */
308 if (client != NULL) {
309 ks_client_princ = client->princ;
310 } else {
311 ks_client_princ = client_princ;
312 }
313
314 is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
315
316 if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
317 code = ks_get_pac(context, client, client_key, &pac);
318 if (code != 0) {
319 goto done;
320 }
321 }
322
323 if (!is_as_req) {
324 code = ks_verify_pac(context,
325 flags,
326 ks_client_princ,
327 client,
328 server,
329 krbtgt,
330 server_key,
331 krbtgt_key,
332 authtime,
333 tgt_auth_data,
334 &pac);
335 if (code != 0) {
336 goto done;
337 }
338 }
339
340 if (pac == NULL && client != NULL) {
341
342 code = ks_get_pac(context, client, client_key, &pac);
343 if (code != 0) {
344 goto done;
345 }
346 }
347
348 if (pac == NULL) {
349 code = KRB5_KDB_DBTYPE_NOSUP;
350 goto done;
351 }
352
353 code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
354 server_key, krbtgt_key, &pac_data);
355 if (code != 0) {
356 DBG_ERR("krb5_pac_sign failed: %d\n", code);
357 goto done;
358 }
359
360 authdata = calloc(2, sizeof(krb5_authdata *));
361 if (authdata == NULL) {
362 goto done;
363 }
364
365 authdata[0] = malloc(sizeof(krb5_authdata));
366 if (authdata[0] == NULL) {
367 goto done;
368 }
369
370 /* put in signed data */
371 authdata[0]->magic = KV5M_AUTHDATA;
372 authdata[0]->ad_type = KRB5_AUTHDATA_WIN2K_PAC;
373 authdata[0]->contents = (krb5_octet *)pac_data.data;
374 authdata[0]->length = pac_data.length;
375
376 code = krb5_encode_authdata_container(context,
377 KRB5_AUTHDATA_IF_RELEVANT,
378 authdata,
379 signed_auth_data);
380 if (code != 0) {
381 goto done;
382 }
383
384 code = 0;
385
386 done:
387 krb5_pac_free(context, pac);
388 krb5_free_authdata(context, authdata);
389
390 return code;
391 }
392
393 krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
394 krb5_const_principal client,
395 const krb5_db_entry *server,
396 krb5_const_principal proxy)
397 {
398 struct mit_samba_context *mit_ctx;
399
400 /*
401 * Names are quite odd and confusing in the current implementation.
402 * The following mappings should help understanding what is what.
403 * client -> client to impersonate
404 * server; -> delegating service
405 * proxy; -> target principal
406 */
407 krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server);
408
409 char *target_name = NULL;
410 bool is_enterprise;
411 krb5_error_code code;
412
413 mit_ctx = ks_get_context(context);
414 if (mit_ctx == NULL) {
415 return KRB5_KDB_DBNOTINITED;
416 }
417
418 code = krb5_unparse_name(context, proxy, &target_name);
419 if (code) {
420 goto done;
421 }
422
423 is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL);
424
425 code = mit_samba_check_s4u2proxy(mit_ctx,
426 delegating_service,
427 target_name,
428 is_enterprise);
429
430 done:
431 free(target_name);
432 return code;
433 }
434
435
436 static void samba_bad_password_count(krb5_db_entry *client,
437 krb5_error_code error_code)
438 {
439 switch (error_code) {
440 case 0:
441 mit_samba_zero_bad_password_count(client);
442 break;
443 case KRB5KDC_ERR_PREAUTH_FAILED:
444 case KRB5KRB_AP_ERR_BAD_INTEGRITY:
445 mit_samba_update_bad_password_count(client);
446 break;
447 }
448 }
449
450 #if KRB5_KDB_API_VERSION >= 9
451 void kdb_samba_db_audit_as_req(krb5_context context,
452 krb5_kdc_req *request,
453 const krb5_address *local_addr,
454 const krb5_address *remote_addr,
455 krb5_db_entry *client,
456 krb5_db_entry *server,
457 krb5_timestamp authtime,
458 krb5_error_code error_code)
459 {
460 samba_bad_password_count(client, error_code);
461
462 /* TODO: perform proper audit logging for addresses */
463 }
464 #else
465 void kdb_samba_db_audit_as_req(krb5_context context,
466 krb5_kdc_req *request,
467 krb5_db_entry *client,
468 krb5_db_entry *server,
469 krb5_timestamp authtime,
470 krb5_error_code error_code)
471 {
472 samba_bad_password_count(client, error_code);
473 }
474 #endif
Samba GIT mirror