2 Unix SMB/CIFS implementation.
4 PAC Glue between Samba and the KDC
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "dsdb/common/flags.h"
25 #include "lib/ldb/include/ldb.h"
26 #include "librpc/gen_ndr/ndr_krb5pac.h"
27 #include "librpc/gen_ndr/krb5pac.h"
28 #include "auth/auth.h"
29 #include "auth/auth_sam.h"
30 #include "auth/auth_sam_reply.h"
33 struct krb5_dh_moduli
;
34 struct _krb5_krb_auth_data
;
36 krb5_error_code
samba_kdc_plugin_init(krb5_context context
, void **ptr
)
42 void samba_kdc_plugin_fini(void *ptr
)
47 static krb5_error_code
make_pac(krb5_context context
,
49 struct smb_iconv_convenience
*iconv_convenience
,
50 struct auth_serversupplied_info
*server_info
,
54 struct netr_SamInfo3
*info3
;
57 enum ndr_err_code ndr_err
;
63 nt_status
= auth_convert_server_info_saminfo3(mem_ctx
, server_info
, &info3
);
64 if (!NT_STATUS_IS_OK(nt_status
)) {
65 DEBUG(1, ("Getting Samba info failed: %s\n", nt_errstr(nt_status
)));
69 info
.logon_info
.info
= talloc_zero(mem_ctx
, struct PAC_LOGON_INFO
);
74 info
.logon_info
.info
->info3
= *info3
;
76 ndr_err
= ndr_push_union_blob(&pac_out
, mem_ctx
, iconv_convenience
, &info
,
78 (ndr_push_flags_fn_t
)ndr_push_PAC_INFO
);
79 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
80 nt_status
= ndr_map_error2ntstatus(ndr_err
);
81 DEBUG(1, ("PAC (presig) push failed: %s\n", nt_errstr(nt_status
)));
85 ret
= krb5_data_copy(&pac_data
, pac_out
.data
, pac_out
.length
);
90 ret
= krb5_pac_init(context
, pac
);
92 krb5_data_free(&pac_data
);
96 ret
= krb5_pac_add_buffer(context
, *pac
, PAC_TYPE_LOGON_INFO
, &pac_data
);
97 krb5_data_free(&pac_data
);
105 /* Given the right private pointer from hdb_ldb, get a PAC from the attached ldb messages */
106 krb5_error_code
samba_kdc_get_pac(void *priv
,
107 krb5_context context
,
108 struct hdb_entry_ex
*client
,
113 struct auth_serversupplied_info
*server_info
;
114 struct hdb_ldb_private
*p
= talloc_get_type(client
->ctx
, struct hdb_ldb_private
);
115 TALLOC_CTX
*mem_ctx
= talloc_named(p
, 0, "samba_get_pac context");
116 unsigned int userAccountControl
;
122 /* The user account may be set not to want the PAC */
123 userAccountControl
= ldb_msg_find_attr_as_uint(p
->msg
, "userAccountControl", 0);
124 if (userAccountControl
& UF_NO_AUTH_DATA_REQUIRED
) {
129 nt_status
= authsam_make_server_info(mem_ctx
, p
->samdb
,
136 if (!NT_STATUS_IS_OK(nt_status
)) {
137 DEBUG(0, ("Getting user info for PAC failed: %s\n",
138 nt_errstr(nt_status
)));
142 ret
= make_pac(context
, mem_ctx
, p
->iconv_convenience
, server_info
, pac
);
144 talloc_free(mem_ctx
);
148 /* Resign (and reform, including possibly new groups) a PAC */
150 krb5_error_code
samba_kdc_reget_pac(void *priv
, krb5_context context
,
151 const krb5_principal client_principal
,
152 struct hdb_entry_ex
*client
,
153 struct hdb_entry_ex
*server
, krb5_pac
*pac
)
157 unsigned int userAccountControl
;
159 struct hdb_ldb_private
*p
= talloc_get_type(server
->ctx
, struct hdb_ldb_private
);
161 struct auth_serversupplied_info
*server_info_out
;
163 TALLOC_CTX
*mem_ctx
= talloc_named(p
, 0, "samba_get_pac context");
169 /* The service account may be set not to want the PAC */
170 userAccountControl
= ldb_msg_find_attr_as_uint(p
->msg
, "userAccountControl", 0);
171 if (userAccountControl
& UF_NO_AUTH_DATA_REQUIRED
) {
172 talloc_free(mem_ctx
);
177 ret
= kerberos_pac_to_server_info(mem_ctx
, p
->iconv_convenience
,
178 *pac
, context
, &server_info_out
);
180 /* We will compleatly regenerate this pac */
181 krb5_pac_free(context
, *pac
);
184 talloc_free(mem_ctx
);
188 ret
= make_pac(context
, mem_ctx
, p
->iconv_convenience
, server_info_out
, pac
);
190 talloc_free(mem_ctx
);
194 static void samba_kdc_build_edata_reply(TALLOC_CTX
*tmp_ctx
, krb5_data
*e_data
,
200 krb5_error_code ret
= 0;
205 pa
.padata_type
= KRB5_PADATA_PW_SALT
;
206 pa
.padata_value
.length
= 12;
207 pa
.padata_value
.data
= malloc(pa
.padata_value
.length
);
208 if (!pa
.padata_value
.data
) {
214 SIVAL(pa
.padata_value
.data
, 0, NT_STATUS_V(nt_status
));
215 SIVAL(pa
.padata_value
.data
, 4, 0);
216 SIVAL(pa
.padata_value
.data
, 8, 1);
218 ASN1_MALLOC_ENCODE(PA_DATA
, buf
, len
, &pa
, &len
, ret
);
219 free(pa
.padata_value
.data
);
222 e_data
->length
= len
;
227 /* Given an hdb entry (and in particular it's private member), consult
228 * the account_ok routine in auth/auth_sam.c for consistancy */
231 krb5_error_code
samba_kdc_check_client_access(void *priv
,
232 krb5_context context
, hdb_entry_ex
*entry_ex
,
238 TALLOC_CTX
*tmp_ctx
= talloc_new(entry_ex
->ctx
);
239 struct hdb_ldb_private
*p
= talloc_get_type(entry_ex
->ctx
, struct hdb_ldb_private
);
240 char *name
, *workstation
= NULL
;
241 HostAddresses
*addresses
= req
->req_body
.addresses
;
248 ret
= krb5_unparse_name(context
, entry_ex
->entry
.principal
, &name
);
250 talloc_free(tmp_ctx
);
255 for (i
=0; i
< addresses
->len
; i
++) {
256 if (addresses
->val
->addr_type
== KRB5_ADDRESS_NETBIOS
) {
257 workstation
= talloc_strndup(tmp_ctx
, addresses
->val
->address
.data
, MIN(addresses
->val
->address
.length
, 15));
265 /* Strip space padding */
267 i
= MIN(strlen(workstation
), 15);
268 for (; i
> 0 && workstation
[i
- 1] == ' '; i
--) {
269 workstation
[i
- 1] = '\0';
273 /* we allow all kinds of trusts here */
274 nt_status
= authsam_account_ok(tmp_ctx
,
276 MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
| MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT
,
283 if (NT_STATUS_IS_OK(nt_status
))
286 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_PASSWORD_MUST_CHANGE
))
287 ret
= KRB5KDC_ERR_KEY_EXPIRED
;
288 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_PASSWORD_EXPIRED
))
289 ret
= KRB5KDC_ERR_KEY_EXPIRED
;
290 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_ACCOUNT_EXPIRED
))
291 ret
= KRB5KDC_ERR_CLIENT_REVOKED
;
292 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_ACCOUNT_DISABLED
))
293 ret
= KRB5KDC_ERR_CLIENT_REVOKED
;
294 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_INVALID_LOGON_HOURS
))
295 ret
= KRB5KDC_ERR_CLIENT_REVOKED
;
296 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_ACCOUNT_LOCKED_OUT
))
297 ret
= KRB5KDC_ERR_CLIENT_REVOKED
;
298 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_INVALID_WORKSTATION
))
299 ret
= KRB5KDC_ERR_POLICY
;
301 ret
= KRB5KDC_ERR_POLICY
;
303 samba_kdc_build_edata_reply(tmp_ctx
, e_data
, nt_status
);