2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2008
7 Copyright (C) Andrew Tridgell 2005
8 Copyright (C) Stefan Metzmacher 2005
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "smbd/process_model.h"
26 #include "lib/tsocket/tsocket.h"
27 #include "libcli/util/tstream.h"
28 #include "lib/messaging/irpc.h"
29 #include "librpc/gen_ndr/ndr_irpc.h"
30 #include "librpc/gen_ndr/ndr_krb5pac.h"
31 #include "lib/stream/packet.h"
32 #include "lib/socket/netif.h"
33 #include "param/param.h"
34 #include "kdc/kdc-glue.h"
35 #include "dsdb/samdb/samdb.h"
36 #include "auth/session.h"
38 extern struct krb5plugin_windc_ftable windc_plugin_table
;
39 extern struct hdb_method hdb_samba4
;
41 static NTSTATUS
kdc_proxy_unavailable_error(struct kdc_server
*kdc
,
46 krb5_data k5_error_blob
;
48 kret
= krb5_mk_error(kdc
->smb_krb5_context
->krb5_context
,
49 KRB5KDC_ERR_SVC_UNAVAILABLE
, NULL
, NULL
,
50 NULL
, NULL
, NULL
, NULL
, &k5_error_blob
);
52 DEBUG(2,(__location__
": Unable to form krb5 error reply\n"));
53 return NT_STATUS_INTERNAL_ERROR
;
56 *out
= data_blob_talloc(mem_ctx
, k5_error_blob
.data
, k5_error_blob
.length
);
57 krb5_data_free(&k5_error_blob
);
59 return NT_STATUS_NO_MEMORY
;
65 typedef enum kdc_process_ret (*kdc_process_fn_t
)(struct kdc_server
*kdc
,
69 struct tsocket_address
*peer_addr
,
70 struct tsocket_address
*my_addr
,
73 /* hold information about one kdc socket */
75 struct kdc_server
*kdc
;
76 struct tsocket_address
*local_address
;
77 kdc_process_fn_t process
;
81 struct kdc_tcp_connection
*kdc_conn
;
85 struct iovec out_iov
[2];
89 state of an open tcp connection
91 struct kdc_tcp_connection
{
92 /* stream connection we belong to */
93 struct stream_connection
*conn
;
95 /* the kdc_server the connection belongs to */
96 struct kdc_socket
*kdc_socket
;
98 struct tstream_context
*tstream
;
100 struct tevent_queue
*send_queue
;
104 static void kdc_tcp_terminate_connection(struct kdc_tcp_connection
*kdcconn
, const char *reason
)
106 stream_terminate_connection(kdcconn
->conn
, reason
);
109 static void kdc_tcp_recv(struct stream_connection
*conn
, uint16_t flags
)
111 struct kdc_tcp_connection
*kdcconn
= talloc_get_type(conn
->private_data
,
112 struct kdc_tcp_connection
);
113 /* this should never be triggered! */
114 kdc_tcp_terminate_connection(kdcconn
, "kdc_tcp_recv: called");
117 static void kdc_tcp_send(struct stream_connection
*conn
, uint16_t flags
)
119 struct kdc_tcp_connection
*kdcconn
= talloc_get_type(conn
->private_data
,
120 struct kdc_tcp_connection
);
121 /* this should never be triggered! */
122 kdc_tcp_terminate_connection(kdcconn
, "kdc_tcp_send: called");
126 Wrapper for krb5_kdc_process_krb5_request, converting to/from Samba
130 static enum kdc_process_ret
kdc_process(struct kdc_server
*kdc
,
134 struct tsocket_address
*peer_addr
,
135 struct tsocket_address
*my_addr
,
140 struct sockaddr_storage ss
;
142 krb5_data_zero(&k5_reply
);
144 krb5_kdc_update_time(NULL
);
146 ret
= tsocket_address_bsd_sockaddr(peer_addr
, (struct sockaddr
*) &ss
,
147 sizeof(struct sockaddr_storage
));
149 return KDC_PROCESS_FAILED
;
151 pa
= tsocket_address_string(peer_addr
, mem_ctx
);
153 return KDC_PROCESS_FAILED
;
156 DEBUG(10,("Received KDC packet of length %lu from %s\n",
157 (long)input
->length
- 4, pa
));
159 ret
= krb5_kdc_process_krb5_request(kdc
->smb_krb5_context
->krb5_context
,
161 input
->data
, input
->length
,
164 (struct sockaddr
*) &ss
,
167 *reply
= data_blob(NULL
, 0);
168 return KDC_PROCESS_FAILED
;
171 if (ret
== HDB_ERR_NOT_FOUND_HERE
) {
172 *reply
= data_blob(NULL
, 0);
173 return KDC_PROCESS_PROXY
;
176 if (k5_reply
.length
) {
177 *reply
= data_blob_talloc(mem_ctx
, k5_reply
.data
, k5_reply
.length
);
178 krb5_data_free(&k5_reply
);
180 *reply
= data_blob(NULL
, 0);
182 return KDC_PROCESS_OK
;
185 static void kdc_tcp_call_proxy_done(struct tevent_req
*subreq
);
186 static void kdc_tcp_call_writev_done(struct tevent_req
*subreq
);
188 static void kdc_tcp_call_loop(struct tevent_req
*subreq
)
190 struct kdc_tcp_connection
*kdc_conn
= tevent_req_callback_data(subreq
,
191 struct kdc_tcp_connection
);
192 struct kdc_tcp_call
*call
;
194 enum kdc_process_ret ret
;
196 call
= talloc(kdc_conn
, struct kdc_tcp_call
);
198 kdc_tcp_terminate_connection(kdc_conn
, "kdc_tcp_call_loop: "
199 "no memory for kdc_tcp_call");
202 call
->kdc_conn
= kdc_conn
;
204 status
= tstream_read_pdu_blob_recv(subreq
,
208 if (!NT_STATUS_IS_OK(status
)) {
211 reason
= talloc_asprintf(call
, "kdc_tcp_call_loop: "
212 "tstream_read_pdu_blob_recv() - %s",
215 reason
= nt_errstr(status
);
218 kdc_tcp_terminate_connection(kdc_conn
, reason
);
222 DEBUG(10,("Received krb5 TCP packet of length %lu from %s\n",
223 (long) call
->in
.length
,
224 tsocket_address_string(kdc_conn
->conn
->remote_address
, call
)));
226 /* skip length header */
228 call
->in
.length
-= 4;
231 ret
= kdc_conn
->kdc_socket
->process(kdc_conn
->kdc_socket
->kdc
,
235 kdc_conn
->conn
->remote_address
,
236 kdc_conn
->conn
->local_address
,
238 if (ret
== KDC_PROCESS_FAILED
) {
239 kdc_tcp_terminate_connection(kdc_conn
,
240 "kdc_tcp_call_loop: process function failed");
244 if (ret
== KDC_PROCESS_PROXY
) {
247 if (!kdc_conn
->kdc_socket
->kdc
->am_rodc
) {
248 kdc_tcp_terminate_connection(kdc_conn
,
249 "kdc_tcp_call_loop: proxying requested when not RODC");
252 port
= tsocket_address_inet_port(kdc_conn
->conn
->local_address
);
254 subreq
= kdc_tcp_proxy_send(call
,
255 kdc_conn
->conn
->event
.ctx
,
256 kdc_conn
->kdc_socket
->kdc
,
259 if (subreq
== NULL
) {
260 kdc_tcp_terminate_connection(kdc_conn
,
261 "kdc_tcp_call_loop: kdc_tcp_proxy_send failed");
264 tevent_req_set_callback(subreq
, kdc_tcp_call_proxy_done
, call
);
268 /* First add the length of the out buffer */
269 RSIVAL(call
->out_hdr
, 0, call
->out
.length
);
270 call
->out_iov
[0].iov_base
= (char *) call
->out_hdr
;
271 call
->out_iov
[0].iov_len
= 4;
273 call
->out_iov
[1].iov_base
= (char *) call
->out
.data
;
274 call
->out_iov
[1].iov_len
= call
->out
.length
;
276 subreq
= tstream_writev_queue_send(call
,
277 kdc_conn
->conn
->event
.ctx
,
279 kdc_conn
->send_queue
,
281 if (subreq
== NULL
) {
282 kdc_tcp_terminate_connection(kdc_conn
, "kdc_tcp_call_loop: "
283 "no memory for tstream_writev_queue_send");
286 tevent_req_set_callback(subreq
, kdc_tcp_call_writev_done
, call
);
289 * The krb5 tcp pdu's has the length as 4 byte (initial_read_size),
290 * packet_full_request_u32 provides the pdu length then.
292 subreq
= tstream_read_pdu_blob_send(kdc_conn
,
293 kdc_conn
->conn
->event
.ctx
,
295 4, /* initial_read_size */
296 packet_full_request_u32
,
298 if (subreq
== NULL
) {
299 kdc_tcp_terminate_connection(kdc_conn
, "kdc_tcp_call_loop: "
300 "no memory for tstream_read_pdu_blob_send");
303 tevent_req_set_callback(subreq
, kdc_tcp_call_loop
, kdc_conn
);
306 static void kdc_tcp_call_proxy_done(struct tevent_req
*subreq
)
308 struct kdc_tcp_call
*call
= tevent_req_callback_data(subreq
,
309 struct kdc_tcp_call
);
310 struct kdc_tcp_connection
*kdc_conn
= call
->kdc_conn
;
313 status
= kdc_tcp_proxy_recv(subreq
, call
, &call
->out
);
315 if (!NT_STATUS_IS_OK(status
)) {
316 /* generate an error packet */
317 status
= kdc_proxy_unavailable_error(kdc_conn
->kdc_socket
->kdc
,
321 if (!NT_STATUS_IS_OK(status
)) {
324 reason
= talloc_asprintf(call
, "kdc_tcp_call_proxy_done: "
325 "kdc_proxy_unavailable_error - %s",
328 reason
= "kdc_tcp_call_proxy_done: kdc_proxy_unavailable_error() failed";
331 kdc_tcp_terminate_connection(call
->kdc_conn
, reason
);
335 /* First add the length of the out buffer */
336 RSIVAL(call
->out_hdr
, 0, call
->out
.length
);
337 call
->out_iov
[0].iov_base
= (char *) call
->out_hdr
;
338 call
->out_iov
[0].iov_len
= 4;
340 call
->out_iov
[1].iov_base
= (char *) call
->out
.data
;
341 call
->out_iov
[1].iov_len
= call
->out
.length
;
343 subreq
= tstream_writev_queue_send(call
,
344 kdc_conn
->conn
->event
.ctx
,
346 kdc_conn
->send_queue
,
348 if (subreq
== NULL
) {
349 kdc_tcp_terminate_connection(kdc_conn
, "kdc_tcp_call_loop: "
350 "no memory for tstream_writev_queue_send");
353 tevent_req_set_callback(subreq
, kdc_tcp_call_writev_done
, call
);
356 * The krb5 tcp pdu's has the length as 4 byte (initial_read_size),
357 * packet_full_request_u32 provides the pdu length then.
359 subreq
= tstream_read_pdu_blob_send(kdc_conn
,
360 kdc_conn
->conn
->event
.ctx
,
362 4, /* initial_read_size */
363 packet_full_request_u32
,
365 if (subreq
== NULL
) {
366 kdc_tcp_terminate_connection(kdc_conn
, "kdc_tcp_call_loop: "
367 "no memory for tstream_read_pdu_blob_send");
370 tevent_req_set_callback(subreq
, kdc_tcp_call_loop
, kdc_conn
);
373 static void kdc_tcp_call_writev_done(struct tevent_req
*subreq
)
375 struct kdc_tcp_call
*call
= tevent_req_callback_data(subreq
,
376 struct kdc_tcp_call
);
380 rc
= tstream_writev_queue_recv(subreq
, &sys_errno
);
385 reason
= talloc_asprintf(call
, "kdc_tcp_call_writev_done: "
386 "tstream_writev_queue_recv() - %d:%s",
387 sys_errno
, strerror(sys_errno
));
389 reason
= "kdc_tcp_call_writev_done: tstream_writev_queue_recv() failed";
392 kdc_tcp_terminate_connection(call
->kdc_conn
, reason
);
396 /* We don't care about errors */
402 called when we get a new connection
404 static void kdc_tcp_accept(struct stream_connection
*conn
)
406 struct kdc_socket
*kdc_socket
;
407 struct kdc_tcp_connection
*kdc_conn
;
408 struct tevent_req
*subreq
;
411 kdc_conn
= talloc_zero(conn
, struct kdc_tcp_connection
);
412 if (kdc_conn
== NULL
) {
413 stream_terminate_connection(conn
,
414 "kdc_tcp_accept: out of memory");
418 kdc_conn
->send_queue
= tevent_queue_create(conn
, "kdc_tcp_accept");
419 if (kdc_conn
->send_queue
== NULL
) {
420 stream_terminate_connection(conn
,
421 "kdc_tcp_accept: out of memory");
425 kdc_socket
= talloc_get_type(conn
->private_data
, struct kdc_socket
);
427 TALLOC_FREE(conn
->event
.fde
);
429 rc
= tstream_bsd_existing_socket(kdc_conn
,
430 socket_get_fd(conn
->socket
),
433 stream_terminate_connection(conn
,
434 "kdc_tcp_accept: out of memory");
438 kdc_conn
->conn
= conn
;
439 kdc_conn
->kdc_socket
= kdc_socket
;
440 conn
->private_data
= kdc_conn
;
443 * The krb5 tcp pdu's has the length as 4 byte (initial_read_size),
444 * packet_full_request_u32 provides the pdu length then.
446 subreq
= tstream_read_pdu_blob_send(kdc_conn
,
447 kdc_conn
->conn
->event
.ctx
,
449 4, /* initial_read_size */
450 packet_full_request_u32
,
452 if (subreq
== NULL
) {
453 kdc_tcp_terminate_connection(kdc_conn
, "kdc_tcp_accept: "
454 "no memory for tstream_read_pdu_blob_send");
457 tevent_req_set_callback(subreq
, kdc_tcp_call_loop
, kdc_conn
);
460 static const struct stream_server_ops kdc_tcp_stream_ops
= {
462 .accept_connection
= kdc_tcp_accept
,
463 .recv_handler
= kdc_tcp_recv
,
464 .send_handler
= kdc_tcp_send
467 /* hold information about one kdc/kpasswd udp socket */
468 struct kdc_udp_socket
{
469 struct kdc_socket
*kdc_socket
;
470 struct tdgram_context
*dgram
;
471 struct tevent_queue
*send_queue
;
474 struct kdc_udp_call
{
475 struct kdc_udp_socket
*sock
;
476 struct tsocket_address
*src
;
481 static void kdc_udp_call_proxy_done(struct tevent_req
*subreq
);
482 static void kdc_udp_call_sendto_done(struct tevent_req
*subreq
);
484 static void kdc_udp_call_loop(struct tevent_req
*subreq
)
486 struct kdc_udp_socket
*sock
= tevent_req_callback_data(subreq
,
487 struct kdc_udp_socket
);
488 struct kdc_udp_call
*call
;
492 enum kdc_process_ret ret
;
494 call
= talloc(sock
, struct kdc_udp_call
);
501 len
= tdgram_recvfrom_recv(subreq
, &sys_errno
,
502 call
, &buf
, &call
->src
);
510 call
->in
.length
= len
;
512 DEBUG(10,("Received krb5 UDP packet of length %lu from %s\n",
513 (long)call
->in
.length
,
514 tsocket_address_string(call
->src
, call
)));
517 ret
= sock
->kdc_socket
->process(sock
->kdc_socket
->kdc
,
522 sock
->kdc_socket
->local_address
,
524 if (ret
== KDC_PROCESS_FAILED
) {
529 if (ret
== KDC_PROCESS_PROXY
) {
532 if (!sock
->kdc_socket
->kdc
->am_rodc
) {
533 DEBUG(0,("kdc_udp_call_loop: proxying requested when not RODC"));
538 port
= tsocket_address_inet_port(sock
->kdc_socket
->local_address
);
540 subreq
= kdc_udp_proxy_send(call
,
541 sock
->kdc_socket
->kdc
->task
->event_ctx
,
542 sock
->kdc_socket
->kdc
,
545 if (subreq
== NULL
) {
549 tevent_req_set_callback(subreq
, kdc_udp_call_proxy_done
, call
);
553 subreq
= tdgram_sendto_queue_send(call
,
554 sock
->kdc_socket
->kdc
->task
->event_ctx
,
560 if (subreq
== NULL
) {
564 tevent_req_set_callback(subreq
, kdc_udp_call_sendto_done
, call
);
567 subreq
= tdgram_recvfrom_send(sock
,
568 sock
->kdc_socket
->kdc
->task
->event_ctx
,
570 if (subreq
== NULL
) {
571 task_server_terminate(sock
->kdc_socket
->kdc
->task
,
572 "no memory for tdgram_recvfrom_send",
576 tevent_req_set_callback(subreq
, kdc_udp_call_loop
, sock
);
579 static void kdc_udp_call_proxy_done(struct tevent_req
*subreq
)
581 struct kdc_udp_call
*call
=
582 tevent_req_callback_data(subreq
,
583 struct kdc_udp_call
);
586 status
= kdc_udp_proxy_recv(subreq
, call
, &call
->out
);
588 if (!NT_STATUS_IS_OK(status
)) {
589 /* generate an error packet */
590 status
= kdc_proxy_unavailable_error(call
->sock
->kdc_socket
->kdc
,
594 if (!NT_STATUS_IS_OK(status
)) {
599 subreq
= tdgram_sendto_queue_send(call
,
600 call
->sock
->kdc_socket
->kdc
->task
->event_ctx
,
602 call
->sock
->send_queue
,
606 if (subreq
== NULL
) {
611 tevent_req_set_callback(subreq
, kdc_udp_call_sendto_done
, call
);
614 static void kdc_udp_call_sendto_done(struct tevent_req
*subreq
)
616 struct kdc_udp_call
*call
= tevent_req_callback_data(subreq
,
617 struct kdc_udp_call
);
621 ret
= tdgram_sendto_queue_recv(subreq
, &sys_errno
);
623 /* We don't care about errors */
629 start listening on the given address
631 static NTSTATUS
kdc_add_socket(struct kdc_server
*kdc
,
632 const struct model_ops
*model_ops
,
636 kdc_process_fn_t process
,
639 struct kdc_socket
*kdc_socket
;
640 struct kdc_udp_socket
*kdc_udp_socket
;
641 struct tevent_req
*udpsubreq
;
645 kdc_socket
= talloc(kdc
, struct kdc_socket
);
646 NT_STATUS_HAVE_NO_MEMORY(kdc_socket
);
648 kdc_socket
->kdc
= kdc
;
649 kdc_socket
->process
= process
;
651 ret
= tsocket_address_inet_from_strings(kdc_socket
, "ip",
653 &kdc_socket
->local_address
);
655 status
= map_nt_error_from_unix(errno
);
660 status
= stream_setup_socket(kdc
->task
,
661 kdc
->task
->event_ctx
,
665 "ip", address
, &port
,
666 lpcfg_socket_options(kdc
->task
->lp_ctx
),
668 if (!NT_STATUS_IS_OK(status
)) {
669 DEBUG(0,("Failed to bind to %s:%u TCP - %s\n",
670 address
, port
, nt_errstr(status
)));
671 talloc_free(kdc_socket
);
676 kdc_udp_socket
= talloc(kdc_socket
, struct kdc_udp_socket
);
677 NT_STATUS_HAVE_NO_MEMORY(kdc_udp_socket
);
679 kdc_udp_socket
->kdc_socket
= kdc_socket
;
681 ret
= tdgram_inet_udp_socket(kdc_socket
->local_address
,
684 &kdc_udp_socket
->dgram
);
686 status
= map_nt_error_from_unix(errno
);
687 DEBUG(0,("Failed to bind to %s:%u UDP - %s\n",
688 address
, port
, nt_errstr(status
)));
692 kdc_udp_socket
->send_queue
= tevent_queue_create(kdc_udp_socket
,
693 "kdc_udp_send_queue");
694 NT_STATUS_HAVE_NO_MEMORY(kdc_udp_socket
->send_queue
);
696 udpsubreq
= tdgram_recvfrom_send(kdc_udp_socket
,
697 kdc
->task
->event_ctx
,
698 kdc_udp_socket
->dgram
);
699 NT_STATUS_HAVE_NO_MEMORY(udpsubreq
);
700 tevent_req_set_callback(udpsubreq
, kdc_udp_call_loop
, kdc_udp_socket
);
707 setup our listening sockets on the configured network interfaces
709 static NTSTATUS
kdc_startup_interfaces(struct kdc_server
*kdc
, struct loadparm_context
*lp_ctx
,
710 struct interface
*ifaces
)
712 const struct model_ops
*model_ops
;
714 TALLOC_CTX
*tmp_ctx
= talloc_new(kdc
);
717 uint16_t kdc_port
= lpcfg_krb5_port(lp_ctx
);
718 uint16_t kpasswd_port
= lpcfg_kpasswd_port(lp_ctx
);
719 bool done_wildcard
= false;
721 /* within the kdc task we want to be a single process, so
722 ask for the single process model ops and pass these to the
723 stream_setup_socket() call. */
724 model_ops
= process_model_startup("single");
726 DEBUG(0,("Can't find 'single' process model_ops\n"));
727 return NT_STATUS_INTERNAL_ERROR
;
730 num_interfaces
= iface_count(ifaces
);
732 /* if we are allowing incoming packets from any address, then
733 we need to bind to the wildcard address */
734 if (!lpcfg_bind_interfaces_only(lp_ctx
)) {
736 status
= kdc_add_socket(kdc
, model_ops
,
737 "kdc", "0.0.0.0", kdc_port
,
739 NT_STATUS_NOT_OK_RETURN(status
);
743 status
= kdc_add_socket(kdc
, model_ops
,
744 "kpasswd", "0.0.0.0", kpasswd_port
,
745 kpasswdd_process
, false);
746 NT_STATUS_NOT_OK_RETURN(status
);
748 done_wildcard
= true;
751 for (i
=0; i
<num_interfaces
; i
++) {
752 const char *address
= talloc_strdup(tmp_ctx
, iface_n_ip(ifaces
, i
));
755 status
= kdc_add_socket(kdc
, model_ops
,
756 "kdc", address
, kdc_port
,
757 kdc_process
, done_wildcard
);
758 NT_STATUS_NOT_OK_RETURN(status
);
762 status
= kdc_add_socket(kdc
, model_ops
,
763 "kpasswd", address
, kpasswd_port
,
764 kpasswdd_process
, done_wildcard
);
765 NT_STATUS_NOT_OK_RETURN(status
);
769 talloc_free(tmp_ctx
);
775 static NTSTATUS
kdc_check_generic_kerberos(struct irpc_message
*msg
,
776 struct kdc_check_generic_kerberos
*r
)
778 struct PAC_Validate pac_validate
;
780 struct PAC_SIGNATURE_DATA kdc_sig
;
781 struct kdc_server
*kdc
= talloc_get_type(msg
->private_data
, struct kdc_server
);
782 enum ndr_err_code ndr_err
;
786 krb5_principal principal
;
787 krb5_keyblock keyblock
;
790 /* There is no reply to this request */
791 r
->out
.generic_reply
= data_blob(NULL
, 0);
793 ndr_err
= ndr_pull_struct_blob(&r
->in
.generic_request
, msg
, &pac_validate
,
794 (ndr_pull_flags_fn_t
)ndr_pull_PAC_Validate
);
795 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
796 return NT_STATUS_INVALID_PARAMETER
;
799 if (pac_validate
.MessageType
!= 3) {
800 /* We don't implement any other message types - such as certificate validation - yet */
801 return NT_STATUS_INVALID_PARAMETER
;
804 if (pac_validate
.ChecksumAndSignature
.length
!= (pac_validate
.ChecksumLength
+ pac_validate
.SignatureLength
)
805 || pac_validate
.ChecksumAndSignature
.length
< pac_validate
.ChecksumLength
806 || pac_validate
.ChecksumAndSignature
.length
< pac_validate
.SignatureLength
) {
807 return NT_STATUS_INVALID_PARAMETER
;
810 srv_sig
= data_blob_const(pac_validate
.ChecksumAndSignature
.data
,
811 pac_validate
.ChecksumLength
);
813 if (pac_validate
.SignatureType
== CKSUMTYPE_HMAC_MD5
) {
814 etype
= ETYPE_ARCFOUR_HMAC_MD5
;
816 ret
= krb5_cksumtype_to_enctype(kdc
->smb_krb5_context
->krb5_context
, pac_validate
.SignatureType
,
819 return NT_STATUS_LOGON_FAILURE
;
823 ret
= krb5_make_principal(kdc
->smb_krb5_context
->krb5_context
, &principal
,
824 lpcfg_realm(kdc
->task
->lp_ctx
),
825 "krbtgt", lpcfg_realm(kdc
->task
->lp_ctx
),
829 return NT_STATUS_NO_MEMORY
;
832 ret
= kdc
->config
->db
[0]->hdb_fetch_kvno(kdc
->smb_krb5_context
->krb5_context
,
835 HDB_F_GET_KRBTGT
| HDB_F_DECRYPT
,
840 hdb_free_entry(kdc
->smb_krb5_context
->krb5_context
, &ent
);
841 krb5_free_principal(kdc
->smb_krb5_context
->krb5_context
, principal
);
843 return NT_STATUS_LOGON_FAILURE
;
846 ret
= hdb_enctype2key(kdc
->smb_krb5_context
->krb5_context
, &ent
.entry
, etype
, &key
);
849 hdb_free_entry(kdc
->smb_krb5_context
->krb5_context
, &ent
);
850 krb5_free_principal(kdc
->smb_krb5_context
->krb5_context
, principal
);
851 return NT_STATUS_LOGON_FAILURE
;
856 kdc_sig
.type
= pac_validate
.SignatureType
;
857 kdc_sig
.signature
= data_blob_const(&pac_validate
.ChecksumAndSignature
.data
[pac_validate
.ChecksumLength
],
858 pac_validate
.SignatureLength
);
859 ret
= check_pac_checksum(msg
, srv_sig
, &kdc_sig
,
860 kdc
->smb_krb5_context
->krb5_context
, &keyblock
);
862 hdb_free_entry(kdc
->smb_krb5_context
->krb5_context
, &ent
);
863 krb5_free_principal(kdc
->smb_krb5_context
->krb5_context
, principal
);
866 return NT_STATUS_LOGON_FAILURE
;
876 static void kdc_task_init(struct task_server
*task
)
878 struct kdc_server
*kdc
;
881 struct interface
*ifaces
;
884 switch (lpcfg_server_role(task
->lp_ctx
)) {
885 case ROLE_STANDALONE
:
886 task_server_terminate(task
, "kdc: no KDC required in standalone configuration", false);
888 case ROLE_DOMAIN_MEMBER
:
889 task_server_terminate(task
, "kdc: no KDC required in member server configuration", false);
891 case ROLE_DOMAIN_CONTROLLER
:
892 /* Yes, we want a KDC */
896 load_interfaces(task
, lpcfg_interfaces(task
->lp_ctx
), &ifaces
);
898 if (iface_count(ifaces
) == 0) {
899 task_server_terminate(task
, "kdc: no network interfaces configured", false);
903 task_server_set_title(task
, "task[kdc]");
905 kdc
= talloc_zero(task
, struct kdc_server
);
907 task_server_terminate(task
, "kdc: out of memory", true);
914 /* get a samdb connection */
915 kdc
->samdb
= samdb_connect(kdc
, kdc
->task
->event_ctx
, kdc
->task
->lp_ctx
,
916 system_session(kdc
->task
->lp_ctx
), 0);
918 DEBUG(1,("kdc_task_init: unable to connect to samdb\n"));
919 task_server_terminate(task
, "kdc: krb5_init_context samdb connect failed", true);
923 ldb_ret
= samdb_rodc(kdc
->samdb
, &kdc
->am_rodc
);
924 if (ldb_ret
!= LDB_SUCCESS
) {
925 DEBUG(1, ("kdc_task_init: Cannot determine if we are an RODC: %s\n",
926 ldb_errstring(kdc
->samdb
)));
927 task_server_terminate(task
, "kdc: krb5_init_context samdb RODC connect failed", true);
931 kdc
->proxy_timeout
= lpcfg_parm_int(kdc
->task
->lp_ctx
, NULL
, "kdc", "proxy timeout", 5);
933 initialize_krb5_error_table();
935 ret
= smb_krb5_init_context(kdc
, task
->event_ctx
, task
->lp_ctx
, &kdc
->smb_krb5_context
);
937 DEBUG(1,("kdc_task_init: krb5_init_context failed (%s)\n",
938 error_message(ret
)));
939 task_server_terminate(task
, "kdc: krb5_init_context failed", true);
943 krb5_add_et_list(kdc
->smb_krb5_context
->krb5_context
, initialize_hdb_error_table_r
);
945 ret
= krb5_kdc_get_config(kdc
->smb_krb5_context
->krb5_context
,
948 task_server_terminate(task
, "kdc: failed to get KDC configuration", true);
952 kdc
->config
->logf
= kdc
->smb_krb5_context
->logf
;
953 kdc
->config
->db
= talloc(kdc
, struct HDB
*);
954 if (!kdc
->config
->db
) {
955 task_server_terminate(task
, "kdc: out of memory", true);
958 kdc
->config
->num_db
= 1;
960 /* Register hdb-samba4 hooks for use as a keytab */
962 kdc
->base_ctx
= talloc_zero(kdc
, struct samba_kdc_base_context
);
963 if (!kdc
->base_ctx
) {
964 task_server_terminate(task
, "kdc: out of memory", true);
968 kdc
->base_ctx
->ev_ctx
= task
->event_ctx
;
969 kdc
->base_ctx
->lp_ctx
= task
->lp_ctx
;
971 status
= hdb_samba4_create_kdc(kdc
->base_ctx
,
972 kdc
->smb_krb5_context
->krb5_context
,
973 &kdc
->config
->db
[0]);
974 if (!NT_STATUS_IS_OK(status
)) {
975 task_server_terminate(task
, "kdc: hdb_samba4_create_kdc (setup KDC database) failed", true);
979 ret
= krb5_plugin_register(kdc
->smb_krb5_context
->krb5_context
,
980 PLUGIN_TYPE_DATA
, "hdb",
983 task_server_terminate(task
, "kdc: failed to register hdb plugin", true);
987 ret
= krb5_kt_register(kdc
->smb_krb5_context
->krb5_context
, &hdb_kt_ops
);
989 task_server_terminate(task
, "kdc: failed to register keytab plugin", true);
993 /* Register WinDC hooks */
994 ret
= krb5_plugin_register(kdc
->smb_krb5_context
->krb5_context
,
995 PLUGIN_TYPE_DATA
, "windc",
996 &windc_plugin_table
);
998 task_server_terminate(task
, "kdc: failed to register windc plugin", true);
1002 ret
= krb5_kdc_windc_init(kdc
->smb_krb5_context
->krb5_context
);
1005 task_server_terminate(task
, "kdc: failed to init windc plugin", true);
1009 ret
= krb5_kdc_pkinit_config(kdc
->smb_krb5_context
->krb5_context
, kdc
->config
);
1012 task_server_terminate(task
, "kdc: failed to init kdc pkinit subsystem", true);
1016 /* start listening on the configured network interfaces */
1017 status
= kdc_startup_interfaces(kdc
, task
->lp_ctx
, ifaces
);
1018 if (!NT_STATUS_IS_OK(status
)) {
1019 task_server_terminate(task
, "kdc failed to setup interfaces", true);
1023 status
= IRPC_REGISTER(task
->msg_ctx
, irpc
, KDC_CHECK_GENERIC_KERBEROS
,
1024 kdc_check_generic_kerberos
, kdc
);
1025 if (!NT_STATUS_IS_OK(status
)) {
1026 task_server_terminate(task
, "kdc failed to setup monitoring", true);
1030 irpc_add_name(task
->msg_ctx
, "kdc_server");
1034 /* called at smbd startup - register ourselves as a server service */
1035 NTSTATUS
server_service_kdc_init(void)
1037 return register_server_service("kdc", kdc_task_init
);