search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine...
[Samba.git] / source4 / kdc / pac-glue.h
blobaa022f7b00151ef93ccc1d99013f1d7764580edc
1 /*
2 Unix SMB/CIFS implementation.
3
4 PAC Glue between Samba and the KDC
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
7 Copyright (C) Simo Sorce <idra@samba.org> 2010
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "system/kerberos.h"
25 #include "auth/kerberos/kerberos.h"
26 #include <krb5/krb5.h>
27
28 #include "lib/util/data_blob.h"
29 #include "lib/util/time.h"
30 #include "libcli/util/ntstatus.h"
31 #include "libcli/util/werror.h"
32 #include "librpc/gen_ndr/auth.h"
33 #include "kdc/samba_kdc.h"
34 #include "lib/krb5_wrap/krb5_samba.h"
35 #include "auth/session.h"
36
37 enum samba_asserted_identity {
38 SAMBA_ASSERTED_IDENTITY_IGNORE = 0,
39 SAMBA_ASSERTED_IDENTITY_SERVICE,
40 SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY,
41 };
42
43 enum {
44 SAMBA_KDC_FLAG_PROTOCOL_TRANSITION = 0x00000001,
45 SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION = 0x00000002,
46 };
47
48 bool samba_kdc_entry_is_trust(const struct samba_kdc_entry *entry);
49
50 struct samba_kdc_entry_pac {
51 struct samba_kdc_entry *entry;
52 krb5_const_pac pac; /* NULL indicates that no PAC is present. */
53 bool is_from_trust : 1;
54 #ifndef HAVE_KRB5_PAC_IS_TRUSTED /* MIT */
55 bool pac_is_trusted : 1;
56 #endif /* HAVE_KRB5_PAC_IS_TRUSTED */
57 };
58
59 /*
60 * Return true if this entry has an associated PAC issued or signed by a KDC
61 * that our KDC trusts. We trust the main krbtgt account, but we don’t trust any
62 * RODC krbtgt besides ourselves.
63 */
64 bool samba_krb5_pac_is_trusted(const struct samba_kdc_entry_pac pac);
65
66 #ifdef HAVE_KRB5_PAC_IS_TRUSTED /* Heimdal */
67 struct samba_kdc_entry_pac samba_kdc_entry_pac(krb5_const_pac pac,
68 struct samba_kdc_entry *entry,
69 bool is_from_trust);
70 #else /* MIT */
71 struct samba_kdc_entry_pac samba_kdc_entry_pac_from_trusted(krb5_const_pac pac,
72 struct samba_kdc_entry *entry,
73 bool is_from_trust,
74 bool is_trusted);
75 #endif /* HAVE_KRB5_PAC_IS_TRUSTED */
76
77 krb5_error_code samba_kdc_encrypt_pac_credentials(krb5_context context,
78 const krb5_keyblock *pkreplykey,
79 const DATA_BLOB *cred_ndr_blob,
80 TALLOC_CTX *mem_ctx,
81 DATA_BLOB *cred_info_blob);
82
83 krb5_error_code samba_make_krb5_pac(krb5_context context,
84 const DATA_BLOB *logon_blob,
85 const DATA_BLOB *cred_blob,
86 const DATA_BLOB *upn_blob,
87 const DATA_BLOB *pac_attrs_blob,
88 const DATA_BLOB *requester_sid_blob,
89 const DATA_BLOB *deleg_blob,
90 const DATA_BLOB *client_claims_blob,
91 const DATA_BLOB *device_info_blob,
92 const DATA_BLOB *device_claims_blob,
93 krb5_pac pac);
94
95 bool samba_princ_needs_pac(const struct samba_kdc_entry *skdc_entry);
96
97 krb5_error_code samba_krbtgt_is_in_db(const struct samba_kdc_entry *skdc_entry,
98 bool *is_in_db,
99 bool *is_trusted);
100
101 krb5_error_code samba_kdc_get_user_info_dc(TALLOC_CTX *mem_ctx,
102 krb5_context context,
103 struct ldb_context *samdb,
104 const struct samba_kdc_entry_pac entry,
105 const struct auth_user_info_dc **info_out,
106 const struct PAC_DOMAIN_GROUP_MEMBERSHIP **resource_groups_out);
107
108 krb5_error_code samba_kdc_get_user_info_from_db(TALLOC_CTX *mem_ctx,
109 struct ldb_context *samdb,
110 struct samba_kdc_entry *entry,
111 const struct ldb_message *msg,
112 const struct auth_user_info_dc **info_out);
113
114 krb5_error_code samba_kdc_map_policy_err(NTSTATUS nt_status);
115
116 NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry,
117 const char *client_name,
118 const char *workstation,
119 bool password_change);
120
121 krb5_error_code samba_kdc_verify_pac(TALLOC_CTX *mem_ctx,
122 krb5_context context,
123 struct ldb_context *samdb,
124 uint32_t flags,
125 const struct samba_kdc_entry_pac client,
126 const struct samba_kdc_entry *krbtgt);
127
128 struct authn_audit_info;
129 krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
130 krb5_context context,
131 struct ldb_context *samdb,
132 struct loadparm_context *lp_ctx,
133 uint32_t flags,
134 const struct samba_kdc_entry_pac client,
135 const krb5_const_principal server_principal,
136 const struct samba_kdc_entry *server,
137 const krb5_const_principal delegated_proxy_principal,
138 const struct samba_kdc_entry_pac delegated_proxy,
139 const struct samba_kdc_entry_pac device,
140 krb5_pac new_pac,
141 struct authn_audit_info **server_audit_info_out,
142 NTSTATUS *status_out);
143
144 NTSTATUS samba_kdc_get_logon_info_blob(TALLOC_CTX *mem_ctx,
145 const struct auth_user_info_dc *user_info_dc,
146 enum auth_group_inclusion group_inclusion,
147 DATA_BLOB **_logon_info_blob);
148 NTSTATUS samba_kdc_get_cred_ndr_blob(TALLOC_CTX *mem_ctx,
149 const struct samba_kdc_entry *p,
150 DATA_BLOB **_cred_ndr_blob);
151 NTSTATUS samba_kdc_get_upn_info_blob(TALLOC_CTX *mem_ctx,
152 const struct auth_user_info_dc *user_info_dc,
153 DATA_BLOB **_upn_info_blob);
154 NTSTATUS samba_kdc_get_pac_attrs_blob(TALLOC_CTX *mem_ctx,
155 uint64_t pac_attributes,
156 DATA_BLOB **_pac_attrs_blob);
157 NTSTATUS samba_kdc_get_requester_sid_blob(TALLOC_CTX *mem_ctx,
158 const struct auth_user_info_dc *user_info_dc,
159 DATA_BLOB **_requester_sid_blob);
160 NTSTATUS samba_kdc_get_claims_blob(TALLOC_CTX *mem_ctx,
161 struct samba_kdc_entry *p,
162 const DATA_BLOB **_claims_blob);
163
164 krb5_error_code samba_kdc_allowed_to_authenticate_to(TALLOC_CTX *mem_ctx,
165 struct ldb_context *samdb,
166 struct loadparm_context *lp_ctx,
167 const struct samba_kdc_entry *client,
168 const struct auth_user_info_dc *client_info,
169 const struct auth_user_info_dc *device_info,
170 const struct auth_claims auth_claims,
171 const struct samba_kdc_entry *server,
172 struct authn_audit_info **server_audit_info_out,
173 NTSTATUS *status_out);
174
175 krb5_error_code samba_kdc_check_device(TALLOC_CTX *mem_ctx,
176 krb5_context context,
177 struct ldb_context *samdb,
178 struct loadparm_context *lp_ctx,
179 const struct samba_kdc_entry_pac device,
180 const struct authn_kerberos_client_policy *client_policy,
181 struct authn_audit_info **client_audit_info_out,
182 NTSTATUS *status_out);
183
184 krb5_error_code samba_kdc_get_claims_data(TALLOC_CTX *mem_ctx,
185 krb5_context context,
186 struct ldb_context *samdb,
187 struct samba_kdc_entry_pac entry,
188 struct claims_data **claims_data_out);
189
190 krb5_error_code samba_kdc_get_claims_data_from_pac(TALLOC_CTX *mem_ctx,
191 krb5_context context,
192 struct samba_kdc_entry_pac entry,
193 struct claims_data **claims_data_out);
194
195 krb5_error_code samba_kdc_get_claims_data_from_db(struct ldb_context *samdb,
196 struct samba_kdc_entry *entry,
197 struct claims_data **claims_data_out);
198
199 NTSTATUS samba_kdc_add_asserted_identity(enum samba_asserted_identity ai,
200 struct auth_user_info_dc *user_info_dc);
201
202 NTSTATUS samba_kdc_add_claims_valid(struct auth_user_info_dc *user_info_dc);
203 NTSTATUS samba_kdc_add_fresh_public_key_identity(struct auth_user_info_dc *user_info_dc);
Samba GIT mirror