search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-failover: Split statd_callout add-client/del-client
[Samba.git] / auth / credentials / credentials_secrets.c
blob906f3ff1a2134ac8be9b46abb4cab503d46f470f
1 /*
2 Unix SMB/CIFS implementation.
3
4 User credentials handling (as regards on-disk files)
5
6 Copyright (C) Jelmer Vernooij 2005
7 Copyright (C) Tim Potter 2001
8 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "lib/events/events.h"
26 #include <ldb.h>
27 #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
28 #include "param/secrets.h"
29 #include "system/filesys.h"
30 #include "auth/credentials/credentials.h"
31 #include "auth/credentials/credentials_internal.h"
32 #include "auth/credentials/credentials_krb5.h"
33 #include "auth/kerberos/kerberos_util.h"
34 #include "param/param.h"
35 #include "lib/events/events.h"
36 #include "dsdb/samdb/samdb.h"
37 #include "source3/include/secrets.h"
38 #include "dbwrap/dbwrap.h"
39 #include "dbwrap/dbwrap_open.h"
40 #include "lib/util/util_tdb.h"
41 #include "libds/common/roles.h"
42
43 #undef DBGC_CLASS
44 #define DBGC_CLASS DBGC_AUTH
45
46 /**
47 * Fill in credentials for the machine trust account, from the secrets database.
48 *
49 * @param cred Credentials structure to fill in
50 * @retval NTSTATUS error detailing any failure
51 */
52 static NTSTATUS cli_credentials_set_secrets_lct(struct cli_credentials *cred,
53 struct loadparm_context *lp_ctx,
54 struct ldb_context *ldb,
55 const char *base,
56 const char *filter,
57 time_t secrets_tdb_last_change_time,
58 const char *secrets_tdb_password,
59 char **error_string)
60 {
61 TALLOC_CTX *mem_ctx;
62
63 int ldb_ret;
64 struct ldb_message *msg;
65
66 const char *machine_account;
67 const char *password;
68 const char *domain;
69 const char *realm;
70 enum netr_SchannelType sct;
71 const char *salt_principal;
72 char *keytab;
73 const struct ldb_val *whenChanged;
74 time_t lct;
75
76 /* ok, we are going to get it now, don't recurse back here */
77 cred->machine_account_pending = false;
78
79 /* some other parts of the system will key off this */
80 cred->machine_account = true;
81
82 mem_ctx = talloc_named(cred, 0, "cli_credentials_set_secrets from ldb");
83
84 if (!ldb) {
85 /* Local secrets are stored in secrets.ldb */
86 ldb = secrets_db_connect(mem_ctx, lp_ctx);
87 if (!ldb) {
88 *error_string = talloc_strdup(cred, "Could not open secrets.ldb");
89 talloc_free(mem_ctx);
90 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
91 }
92 }
93
94 ldb_ret = dsdb_search_one(ldb, mem_ctx, &msg,
95 ldb_dn_new(mem_ctx, ldb, base),
96 LDB_SCOPE_SUBTREE,
97 NULL, 0, "%s", filter);
98
99 if (ldb_ret != LDB_SUCCESS) {
100 *error_string = talloc_asprintf(cred, "Could not find entry to match filter: '%s' base: '%s': %s: %s",
101 filter, base ? base : "",
102 ldb_strerror(ldb_ret), ldb_errstring(ldb));
103 talloc_free(mem_ctx);
104 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
105 }
106
107 password = ldb_msg_find_attr_as_string(msg, "secret", NULL);
108
109 whenChanged = ldb_msg_find_ldb_val(msg, "whenChanged");
110 if (!whenChanged || ldb_val_to_time(whenChanged, &lct) != LDB_SUCCESS) {
111 /* This attribute is mandatory */
112 talloc_free(mem_ctx);
113 return NT_STATUS_NOT_FOUND;
114 }
115
116 /* Don't set secrets.ldb info if the secrets.tdb entry was more recent */
117 if (lct < secrets_tdb_last_change_time) {
118 talloc_free(mem_ctx);
119 return NT_STATUS_NOT_FOUND;
120 }
121
122 if ((lct == secrets_tdb_last_change_time) &&
123 (secrets_tdb_password != NULL) &&
124 (password != NULL) &&
125 (strcmp(password, secrets_tdb_password) != 0)) {
126 talloc_free(mem_ctx);
127 return NT_STATUS_NOT_FOUND;
128 }
129
130 cli_credentials_set_password_last_changed_time(cred, lct);
131
132 machine_account = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
133
134 if (!machine_account) {
135 machine_account = ldb_msg_find_attr_as_string(msg, "servicePrincipalName", NULL);
136
137 if (!machine_account) {
138 const char *ldap_bind_dn = ldb_msg_find_attr_as_string(msg, "ldapBindDn", NULL);
139 if (!ldap_bind_dn) {
140 *error_string = talloc_asprintf(cred,
141 "Could not find 'samAccountName', "
142 "'servicePrincipalName' or "
143 "'ldapBindDn' in secrets record: %s",
144 ldb_dn_get_linearized(msg->dn));
145 talloc_free(mem_ctx);
146 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
147 } else {
148 /* store bind dn in credentials */
149 cli_credentials_set_bind_dn(cred, ldap_bind_dn);
150 }
151 }
152 }
153
154 salt_principal = ldb_msg_find_attr_as_string(msg, "saltPrincipal", NULL);
155 cli_credentials_set_salt_principal(cred, salt_principal);
156
157 sct = ldb_msg_find_attr_as_int(msg, "secureChannelType", 0);
158 if (sct) {
159 cli_credentials_set_secure_channel_type(cred, sct);
160 }
161
162 if (!password) {
163 const struct ldb_val *nt_password_hash = ldb_msg_find_ldb_val(msg, "unicodePwd");
164 struct samr_Password hash;
165 ZERO_STRUCT(hash);
166 if (nt_password_hash) {
167 memcpy(hash.hash, nt_password_hash->data,
168 MIN(nt_password_hash->length, sizeof(hash.hash)));
169
170 cli_credentials_set_nt_hash(cred, &hash, CRED_SPECIFIED);
171 } else {
172 cli_credentials_set_password(cred, NULL, CRED_SPECIFIED);
173 }
174 } else {
175 cli_credentials_set_password(cred, password, CRED_SPECIFIED);
176 }
177
178 domain = ldb_msg_find_attr_as_string(msg, "flatname", NULL);
179 if (domain) {
180 cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
181 }
182
183 realm = ldb_msg_find_attr_as_string(msg, "realm", NULL);
184 if (realm) {
185 cli_credentials_set_realm(cred, realm, CRED_SPECIFIED);
186 }
187
188 if (machine_account) {
189 cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
190 }
191
192 cli_credentials_set_kvno(cred, ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0));
193
194 /* If there was an external keytab specified by reference in
195 * the LDB, then use this. Otherwise we will make one up
196 * (chewing CPU time) from the password */
197 keytab = keytab_name_from_msg(cred, ldb, msg);
198 if (keytab) {
199 cli_credentials_set_keytab_name(cred, lp_ctx, keytab, CRED_SPECIFIED);
200 talloc_free(keytab);
201 }
202 talloc_free(mem_ctx);
203
204 return NT_STATUS_OK;
205 }
206
207
208 /**
209 * Fill in credentials for the machine trust account, from the secrets database.
210 *
211 * @param cred Credentials structure to fill in
212 * @retval NTSTATUS error detailing any failure
213 */
214 _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
215 struct loadparm_context *lp_ctx,
216 struct ldb_context *ldb,
217 const char *base,
218 const char *filter,
219 char **error_string)
220 {
221 NTSTATUS status = cli_credentials_set_secrets_lct(cred, lp_ctx, ldb, base, filter, 0, NULL, error_string);
222 if (!NT_STATUS_IS_OK(status)) {
223 /* set anonymous as the fallback, if the machine account won't work */
224 cli_credentials_set_anonymous(cred);
225 }
226 return status;
227 }
228
229 /**
230 * Fill in credentials for the machine trust account, from the secrets database.
231 *
232 * @param cred Credentials structure to fill in
233 * @retval NTSTATUS error detailing any failure
234 */
235 _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
236 struct loadparm_context *lp_ctx)
237 {
238 struct db_context *db_ctx;
239 char *secrets_tdb_path;
240 int hash_size, tdb_flags;
241
242 secrets_tdb_path = lpcfg_private_db_path(cred, lp_ctx, "secrets");
243 if (secrets_tdb_path == NULL) {
244 return NT_STATUS_NO_MEMORY;
245 }
246
247 hash_size = lpcfg_tdb_hash_size(lp_ctx, secrets_tdb_path);
248 tdb_flags = lpcfg_tdb_flags(lp_ctx, TDB_DEFAULT);
249
250 db_ctx = dbwrap_local_open(
251 cred,
252 secrets_tdb_path,
253 hash_size,
254 tdb_flags,
255 O_RDWR,
256 0600,
257 DBWRAP_LOCK_ORDER_1,
258 DBWRAP_FLAG_NONE);
259 TALLOC_FREE(secrets_tdb_path);
260
261 /*
262 * We do not check for errors here, we might not have a
263 * secrets.tdb at all, and so we just need to check the
264 * secrets.ldb
265 */
266 return cli_credentials_set_machine_account_db_ctx(cred, lp_ctx, db_ctx);
267 }
268
269 /**
270 * Fill in credentials for the machine trust account, from the
271 * secrets.ldb or passed in handle to secrets.tdb (perhaps in CTDB).
272 *
273 * This version is used in parts of the code that can link in the
274 * CTDB dbwrap backend, by passing down the already open handle.
275 *
276 * @param cred Credentials structure to fill in
277 * @param db_ctx dbwrap context for secrets.tdb
278 * @retval NTSTATUS error detailing any failure
279 */
280 _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credentials *cred,
281 struct loadparm_context *lp_ctx,
282 struct db_context *db_ctx)
283 {
284 NTSTATUS status;
285 char *filter;
286 char *error_string = NULL;
287 const char *domain;
288 bool secrets_tdb_password_more_recent;
289 time_t secrets_tdb_lct = 0;
290 char *secrets_tdb_password = NULL;
291 char *secrets_tdb_old_password = NULL;
292 uint32_t secrets_tdb_secure_channel_type = SEC_CHAN_NULL;
293 int server_role = lpcfg_server_role(lp_ctx);
294 int security = lpcfg_security(lp_ctx);
295 char *keystr;
296 char *keystr_upper = NULL;
297 TALLOC_CTX *tmp_ctx = talloc_named(cred, 0, "cli_credentials_set_secrets from ldb");
298 if (!tmp_ctx) {
299 return NT_STATUS_NO_MEMORY;
300 }
301
302 /* Bleh, nasty recursion issues: We are setting a machine
303 * account here, so we don't want the 'pending' flag around
304 * any more */
305 cred->machine_account_pending = false;
306
307 /* We have to do this, as the fallback in
308 * cli_credentials_set_secrets is to run as anonymous, so the domain is wiped */
309 domain = cli_credentials_get_domain(cred);
310
311 if (db_ctx) {
312 TDB_DATA dbuf;
313 keystr = talloc_asprintf(tmp_ctx, "%s/%s",
314 SECRETS_MACHINE_LAST_CHANGE_TIME,
315 domain);
316 keystr_upper = strupper_talloc(tmp_ctx, keystr);
317 status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper),
318 &dbuf);
319 if (NT_STATUS_IS_OK(status) && dbuf.dsize == 4) {
320 secrets_tdb_lct = IVAL(dbuf.dptr,0);
321 }
322
323 keystr = talloc_asprintf(tmp_ctx, "%s/%s",
324 SECRETS_MACHINE_PASSWORD,
325 domain);
326 keystr_upper = strupper_talloc(tmp_ctx, keystr);
327 status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper),
328 &dbuf);
329 if (NT_STATUS_IS_OK(status)) {
330 secrets_tdb_password = (char *)dbuf.dptr;
331 }
332
333 keystr = talloc_asprintf(tmp_ctx, "%s/%s",
334 SECRETS_MACHINE_PASSWORD_PREV,
335 domain);
336 keystr_upper = strupper_talloc(tmp_ctx, keystr);
337 status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper),
338 &dbuf);
339 if (NT_STATUS_IS_OK(status)) {
340 secrets_tdb_old_password = (char *)dbuf.dptr;
341 }
342
343 keystr = talloc_asprintf(tmp_ctx, "%s/%s",
344 SECRETS_MACHINE_SEC_CHANNEL_TYPE,
345 domain);
346 keystr_upper = strupper_talloc(tmp_ctx, keystr);
347 status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper),
348 &dbuf);
349 if (NT_STATUS_IS_OK(status) && dbuf.dsize == 4) {
350 secrets_tdb_secure_channel_type = IVAL(dbuf.dptr,0);
351 }
352 }
353
354 filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
355 domain);
356 status = cli_credentials_set_secrets_lct(cred, lp_ctx, NULL,
357 SECRETS_PRIMARY_DOMAIN_DN,
358 filter, secrets_tdb_lct, secrets_tdb_password, &error_string);
359 if (secrets_tdb_password == NULL) {
360 secrets_tdb_password_more_recent = false;
361 } else if (NT_STATUS_EQUAL(NT_STATUS_CANT_ACCESS_DOMAIN_INFO, status)
362 || NT_STATUS_EQUAL(NT_STATUS_NOT_FOUND, status)) {
363 secrets_tdb_password_more_recent = true;
364 } else if (secrets_tdb_lct > cli_credentials_get_password_last_changed_time(cred)) {
365 secrets_tdb_password_more_recent = true;
366 } else if (secrets_tdb_lct == cli_credentials_get_password_last_changed_time(cred)) {
367 secrets_tdb_password_more_recent = strcmp(secrets_tdb_password, cli_credentials_get_password(cred)) != 0;
368 } else {
369 secrets_tdb_password_more_recent = false;
370 }
371
372 if (secrets_tdb_password_more_recent) {
373 char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
374 cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
375 cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
376 cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
377 if (strequal(domain, lpcfg_workgroup(lp_ctx))) {
378 enum credentials_use_kerberos use_kerberos =
379 cli_credentials_get_kerberos_state(cred);
380 enum credentials_obtained use_kerberos_obtained =
381 cli_credentials_get_kerberos_state_obtained(cred);
382 bool is_ad = false;
383
384 cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED);
385
386 switch (server_role) {
387 case ROLE_DOMAIN_MEMBER:
388 if (security != SEC_ADS) {
389 break;
390 }
391
392 FALL_THROUGH;
393 case ROLE_ACTIVE_DIRECTORY_DC:
394 case ROLE_IPA_DC:
395 is_ad = true;
396 break;
397 }
398
399 if (use_kerberos != CRED_USE_KERBEROS_DESIRED || is_ad) {
400 /*
401 * Keep an explicit selection
402 *
403 * For AD domains we also keep
404 * CRED_USE_KERBEROS_DESIRED
405 */
406 } else if (use_kerberos_obtained <= CRED_SMB_CONF) {
407 /*
408 * Disable kerberos by default within
409 * an NT4 domain.
410 */
411 cli_credentials_set_kerberos_state(cred,
412 CRED_USE_KERBEROS_DISABLED,
413 CRED_SMB_CONF);
414 }
415 }
416
417 cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
418 cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct);
419 cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type);
420 status = NT_STATUS_OK;
421 } else if (!NT_STATUS_IS_OK(status)) {
422 if (db_ctx) {
423 error_string
424 = talloc_asprintf(cred,
425 "Failed to fetch machine account password for %s from both "
426 "secrets.ldb (%s) and from %s",
427 domain,
428 error_string == NULL ? "error" : error_string,
429 dbwrap_name(db_ctx));
430 } else {
431 char *secrets_tdb_path;
432
433 secrets_tdb_path = lpcfg_private_db_path(tmp_ctx,
434 lp_ctx,
435 "secrets");
436 if (secrets_tdb_path == NULL) {
437 return NT_STATUS_NO_MEMORY;
438 }
439
440 error_string = talloc_asprintf(cred,
441 "Failed to fetch machine account password from "
442 "secrets.ldb: %s and failed to open %s",
443 error_string == NULL ? "error" : error_string,
444 secrets_tdb_path);
445 }
446 DEBUG(1, ("Could not find machine account in secrets database: %s: %s\n",
447 error_string == NULL ? "error" : error_string,
448 nt_errstr(status)));
449 /* set anonymous as the fallback, if the machine account won't work */
450 cli_credentials_set_anonymous(cred);
451 }
452
453 TALLOC_FREE(tmp_ctx);
454 return status;
455 }
456
457 /**
458 * Fill in credentials for a particular principal, from the secrets database.
459 *
460 * @param cred Credentials structure to fill in
461 * @retval NTSTATUS error detailing any failure
462 */
463 _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
464 struct loadparm_context *lp_ctx,
465 const char *serviceprincipal)
466 {
467 NTSTATUS status;
468 char *filter;
469 char *error_string = NULL;
470 /* Bleh, nasty recursion issues: We are setting a machine
471 * account here, so we don't want the 'pending' flag around
472 * any more */
473 cred->machine_account_pending = false;
474 filter = talloc_asprintf(cred, SECRETS_PRINCIPAL_SEARCH,
475 cli_credentials_get_realm(cred),
476 cli_credentials_get_domain(cred),
477 serviceprincipal);
478 status = cli_credentials_set_secrets_lct(cred, lp_ctx, NULL,
479 SECRETS_PRINCIPALS_DN, filter,
480 0, NULL, &error_string);
481 if (!NT_STATUS_IS_OK(status)) {
482 DEBUG(1, ("Could not find %s principal in secrets database: %s: %s\n",
483 serviceprincipal, nt_errstr(status),
484 error_string ? error_string : "<no error>"));
485 }
486 return status;
487 }
488
489 /**
490 * Ask that when required, the credentials system will be filled with
491 * machine trust account, from the secrets database.
492 *
493 * @param cred Credentials structure to fill in
494 * @note This function is used to call the above function after, rather
495 * than during, popt processing.
496 *
497 */
498 _PUBLIC_ void cli_credentials_set_machine_account_pending(struct cli_credentials *cred,
499 struct loadparm_context *lp_ctx)
500 {
501 cred->machine_account_pending = true;
502 cred->machine_account_pending_lp_ctx = lp_ctx;
503 }
504
505
Samba GIT mirror