search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
smbd: Fix CID 1504457 Resource leak
[Samba.git] / source4 / kdc / mit_samba.c
blobc264191bf6b862ff4ba9e6d1a26d951a5caa9be7
1 /*
2 MIT-Samba4 library
3
4 Copyright (c) 2010, Simo Sorce <idra@samba.org>
5 Copyright (c) 2014-2015 Guenther Deschner <gd@samba.org>
6 Copyright (c) 2014-2016 Andreas Schneider <asn@samba.org>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #define TEVENT_DEPRECATED 1
23
24 #include "includes.h"
25 #include "param/param.h"
26 #include "dsdb/samdb/samdb.h"
27 #include "system/kerberos.h"
28 #include <com_err.h>
29 #include <kdb.h>
30 #include <kadm5/kadm_err.h>
31 #include "kdc/sdb.h"
32 #include "kdc/sdb_kdb.h"
33 #include "auth/kerberos/kerberos.h"
34 #include "auth/kerberos/pac_utils.h"
35 #include "kdc/samba_kdc.h"
36 #include "kdc/pac-glue.h"
37 #include "kdc/db-glue.h"
38 #include "auth/auth.h"
39 #include "kdc/kpasswd_glue.h"
40 #include "auth/auth_sam.h"
41
42 #include "mit_samba.h"
43
44 #undef DBGC_CLASS
45 #define DBGC_CLASS DBGC_KERBEROS
46
47 void mit_samba_context_free(struct mit_samba_context *ctx)
48 {
49 /* free heimdal's krb5_context */
50 if (ctx->context) {
51 krb5_free_context(ctx->context);
52 }
53
54 /* then free everything else */
55 talloc_free(ctx);
56 }
57
58 /*
59 * Implemant a callback to log to the MIT KDC log facility
60 *
61 * http://web.mit.edu/kerberos/krb5-devel/doc/plugindev/general.html#logging-from-kdc-and-kadmind-plugin-modules
62 */
63 static void mit_samba_debug(void *private_ptr, int msg_level, const char *msg)
64 {
65 int is_error = errno;
66
67 if (msg_level > 0) {
68 is_error = 0;
69 }
70
71 com_err("", is_error, "%s", msg);
72 }
73
74 int mit_samba_context_init(struct mit_samba_context **_ctx)
75 {
76 NTSTATUS status;
77 struct mit_samba_context *ctx;
78 const char *s4_conf_file;
79 int ret;
80 struct samba_kdc_base_context base_ctx;
81
82 ctx = talloc_zero(NULL, struct mit_samba_context);
83 if (!ctx) {
84 ret = ENOMEM;
85 goto done;
86 }
87
88 base_ctx.ev_ctx = tevent_context_init(ctx);
89 if (!base_ctx.ev_ctx) {
90 ret = ENOMEM;
91 goto done;
92 }
93 tevent_loop_allow_nesting(base_ctx.ev_ctx);
94 base_ctx.lp_ctx = loadparm_init_global(false);
95 if (!base_ctx.lp_ctx) {
96 ret = ENOMEM;
97 goto done;
98 }
99
100 debug_set_callback(NULL, mit_samba_debug);
101
102 /* init s4 configuration */
103 s4_conf_file = lpcfg_configfile(base_ctx.lp_ctx);
104 if (s4_conf_file != NULL) {
105 char *p = talloc_strdup(ctx, s4_conf_file);
106 if (p == NULL) {
107 ret = ENOMEM;
108 goto done;
109 }
110 lpcfg_load(base_ctx.lp_ctx, p);
111 TALLOC_FREE(p);
112 } else {
113 lpcfg_load_default(base_ctx.lp_ctx);
114 }
115
116 status = samba_kdc_setup_db_ctx(ctx, &base_ctx, &ctx->db_ctx);
117 if (!NT_STATUS_IS_OK(status)) {
118 ret = EINVAL;
119 goto done;
120 }
121
122 /* init heimdal's krb_context and log facilities */
123 ret = smb_krb5_init_context_basic(ctx,
124 ctx->db_ctx->lp_ctx,
125 &ctx->context);
126 if (ret) {
127 goto done;
128 }
129
130 ret = 0;
131
132 done:
133 if (ret) {
134 mit_samba_context_free(ctx);
135 } else {
136 *_ctx = ctx;
137 }
138 return ret;
139 }
140
141 static krb5_error_code ks_is_tgs_principal(struct mit_samba_context *ctx,
142 krb5_const_principal principal)
143 {
144 char *p;
145 int eq = -1;
146
147 p = smb_krb5_principal_get_comp_string(ctx, ctx->context, principal, 0);
148
149 eq = krb5_princ_size(ctx->context, principal) == 2 &&
150 (strcmp(p, KRB5_TGS_NAME) == 0);
151
152 talloc_free(p);
153
154 return eq;
155 }
156
157 int mit_samba_generate_salt(krb5_data *salt)
158 {
159 if (salt == NULL) {
160 return EINVAL;
161 }
162
163 salt->length = 16;
164 salt->data = malloc(salt->length);
165 if (salt->data == NULL) {
166 return ENOMEM;
167 }
168
169 generate_random_buffer((uint8_t *)salt->data, salt->length);
170
171 return 0;
172 }
173
174 int mit_samba_generate_random_password(krb5_data *pwd)
175 {
176 TALLOC_CTX *tmp_ctx;
177 char *password;
178
179 if (pwd == NULL) {
180 return EINVAL;
181 }
182 pwd->length = 24;
183
184 tmp_ctx = talloc_named(NULL,
185 0,
186 "mit_samba_create_principal_password context");
187 if (tmp_ctx == NULL) {
188 return ENOMEM;
189 }
190
191 password = generate_random_password(tmp_ctx, pwd->length, pwd->length);
192 if (password == NULL) {
193 talloc_free(tmp_ctx);
194 return ENOMEM;
195 }
196
197 pwd->data = strdup(password);
198 talloc_free(tmp_ctx);
199 if (pwd->data == NULL) {
200 return ENOMEM;
201 }
202
203 return 0;
204 }
205
206 int mit_samba_get_principal(struct mit_samba_context *ctx,
207 krb5_const_principal principal,
208 unsigned int kflags,
209 krb5_db_entry **_kentry)
210 {
211 struct sdb_entry sentry = {};
212 krb5_db_entry *kentry;
213 int ret;
214 uint32_t sflags = 0;
215 krb5_principal referral_principal = NULL;
216
217 kentry = calloc(1, sizeof(krb5_db_entry));
218 if (kentry == NULL) {
219 return ENOMEM;
220 }
221
222 #if KRB5_KDB_API_VERSION >= 10
223 /*
224 * The MIT KDC code that wants the canonical name in all lookups, and
225 * takes care to canonicalize only when appropriate.
226 */
227 sflags |= SDB_F_FORCE_CANON;
228 #endif
229
230 #if KRB5_KDB_DAL_MAJOR_VERSION >= 9
231 if (kflags & KRB5_KDB_FLAG_REFERRAL_OK) {
232 sflags |= SDB_F_CANON;
233 }
234
235 if (kflags & KRB5_KDB_FLAG_CLIENT) {
236 sflags |= SDB_F_GET_CLIENT;
237
238 if (!(kflags & KRB5_KDB_FLAG_REFERRAL_OK)) {
239 sflags |= SDB_F_FOR_AS_REQ;
240 }
241 } else {
242 int equal = smb_krb5_principal_is_tgs(ctx->context, principal);
243 if (equal == -1) {
244 return ENOMEM;
245 }
246
247 if (equal) {
248 sflags |= SDB_F_GET_KRBTGT;
249 } else {
250 sflags |= SDB_F_GET_SERVER;
251
252 if (!(kflags & KRB5_KDB_FLAG_REFERRAL_OK)) {
253 sflags |= SDB_F_FOR_TGS_REQ;
254 }
255 }
256 }
257 #else /* KRB5_KDB_DAL_MAJOR_VERSION < 9 */
258 if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
259 sflags |= SDB_F_CANON;
260 }
261 if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
262 KRB5_KDB_FLAG_INCLUDE_PAC)) {
263 /*
264 * KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is equal to
265 * SDB_F_FOR_AS_REQ
266 *
267 * We use ANY to also allow AS_REQ for service principal names
268 * This is supported by Windows.
269 */
270 sflags |= SDB_F_GET_ANY|SDB_F_FOR_AS_REQ;
271 } else {
272 int equal = smb_krb5_principal_is_tgs(ctx->context, principal);
273 if (equal == -1) {
274 return ENOMEM;
275 }
276
277 if (equal) {
278 sflags |= SDB_F_GET_KRBTGT;
279 } else {
280 sflags |= SDB_F_GET_SERVER|SDB_F_FOR_TGS_REQ;
281 }
282 }
283 #endif /* KRB5_KDB_DAL_MAJOR_VERSION */
284
285 /* always set this or the created_by data will not be populated by samba's
286 * backend and we will fail to parse the entry later */
287 sflags |= SDB_F_ADMIN_DATA;
288
289
290 fetch_referral_principal:
291 ret = samba_kdc_fetch(ctx->context, ctx->db_ctx,
292 principal, sflags, 0, &sentry);
293 switch (ret) {
294 case 0:
295 break;
296 case SDB_ERR_NOENTRY:
297 ret = KRB5_KDB_NOENTRY;
298 goto done;
299 case SDB_ERR_WRONG_REALM: {
300 char *dest_realm = NULL;
301 const char *our_realm = lpcfg_realm(ctx->db_ctx->lp_ctx);
302
303 if (sflags & SDB_F_FOR_AS_REQ) {
304 /*
305 * If this is a request for a TGT, we are done. The KDC
306 * will return the correct error to the client.
307 */
308 ret = 0;
309 break;
310 }
311
312 if (referral_principal != NULL) {
313 sdb_entry_free(&sentry);
314 ret = KRB5_KDB_NOENTRY;
315 goto done;
316 }
317
318 /*
319 * We get a TGS request
320 *
321 * cifs/dc7.SAMBA2008R2.EXAMPLE.COM@ADDOM.SAMBA.EXAMPLE.COM
322 *
323 * to our DC for the realm
324 *
325 * ADDOM.SAMBA.EXAMPLE.COM
326 *
327 * We look up if we have and entry in the database and get an
328 * entry with the pricipal:
329 *
330 * cifs/dc7.SAMBA2008R2.EXAMPLE.COM@SAMBA2008R2.EXAMPLE.COM
331 *
332 * and the error: SDB_ERR_WRONG_REALM.
333 *
334 * In the case of a TGS-REQ we need to return a referral ticket
335 * fo the next trust hop to the client. This ticket will have
336 * the following principal:
337 *
338 * krbtgt/SAMBA2008R2.EXAMPLE.COM@ADDOM.SAMBA.EXAMPLE.COM
339 *
340 * We just redo the lookup in the database with the referral
341 * principal and return success.
342 */
343 dest_realm = smb_krb5_principal_get_realm(
344 ctx, ctx->context, sentry.principal);
345 sdb_entry_free(&sentry);
346 if (dest_realm == NULL) {
347 ret = KRB5_KDB_NOENTRY;
348 goto done;
349 }
350
351 ret = smb_krb5_make_principal(ctx->context,
352 &referral_principal,
353 our_realm,
354 KRB5_TGS_NAME,
355 dest_realm,
356 NULL);
357 TALLOC_FREE(dest_realm);
358 if (ret != 0) {
359 goto done;
360 }
361
362 principal = referral_principal;
363 goto fetch_referral_principal;
364 }
365 case SDB_ERR_NOT_FOUND_HERE:
366 /* FIXME: RODC support */
367 default:
368 goto done;
369 }
370
371 ret = sdb_entry_to_krb5_db_entry(ctx->context, &sentry, kentry);
372
373 sdb_entry_free(&sentry);
374
375 done:
376 krb5_free_principal(ctx->context, referral_principal);
377 referral_principal = NULL;
378
379 if (ret) {
380 free(kentry);
381 } else {
382 *_kentry = kentry;
383 }
384 return ret;
385 }
386
387 int mit_samba_get_firstkey(struct mit_samba_context *ctx,
388 krb5_db_entry **_kentry)
389 {
390 struct sdb_entry sentry = {};
391 krb5_db_entry *kentry;
392 int ret;
393
394 kentry = malloc(sizeof(krb5_db_entry));
395 if (kentry == NULL) {
396 return ENOMEM;
397 }
398
399 ret = samba_kdc_firstkey(ctx->context, ctx->db_ctx, &sentry);
400 switch (ret) {
401 case 0:
402 break;
403 case SDB_ERR_NOENTRY:
404 free(kentry);
405 return KRB5_KDB_NOENTRY;
406 case SDB_ERR_NOT_FOUND_HERE:
407 /* FIXME: RODC support */
408 default:
409 free(kentry);
410 return ret;
411 }
412
413 ret = sdb_entry_to_krb5_db_entry(ctx->context, &sentry, kentry);
414
415 sdb_entry_free(&sentry);
416
417 if (ret) {
418 free(kentry);
419 } else {
420 *_kentry = kentry;
421 }
422 return ret;
423 }
424
425 int mit_samba_get_nextkey(struct mit_samba_context *ctx,
426 krb5_db_entry **_kentry)
427 {
428 struct sdb_entry sentry = {};
429 krb5_db_entry *kentry;
430 int ret;
431
432 kentry = malloc(sizeof(krb5_db_entry));
433 if (kentry == NULL) {
434 return ENOMEM;
435 }
436
437 ret = samba_kdc_nextkey(ctx->context, ctx->db_ctx, &sentry);
438 switch (ret) {
439 case 0:
440 break;
441 case SDB_ERR_NOENTRY:
442 free(kentry);
443 return KRB5_KDB_NOENTRY;
444 case SDB_ERR_NOT_FOUND_HERE:
445 /* FIXME: RODC support */
446 default:
447 free(kentry);
448 return ret;
449 }
450
451 ret = sdb_entry_to_krb5_db_entry(ctx->context, &sentry, kentry);
452
453 sdb_entry_free(&sentry);
454
455 if (ret) {
456 free(kentry);
457 } else {
458 *_kentry = kentry;
459 }
460 return ret;
461 }
462
463 int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
464 krb5_context context,
465 uint32_t flags,
466 krb5_db_entry *client,
467 krb5_db_entry *server,
468 krb5_keyblock *replaced_reply_key,
469 krb5_pac *pac)
470 {
471 TALLOC_CTX *tmp_ctx;
472 DATA_BLOB *logon_info_blob = NULL;
473 DATA_BLOB *upn_dns_info_blob = NULL;
474 DATA_BLOB *cred_ndr = NULL;
475 DATA_BLOB **cred_ndr_ptr = NULL;
476 DATA_BLOB cred_blob = data_blob_null;
477 DATA_BLOB *pcred_blob = NULL;
478 DATA_BLOB *pac_attrs_blob = NULL;
479 DATA_BLOB *requester_sid_blob = NULL;
480 NTSTATUS nt_status;
481 krb5_error_code code;
482 struct samba_kdc_entry *skdc_entry;
483 bool is_krbtgt;
484 enum samba_asserted_identity asserted_identity =
485 (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ?
486 SAMBA_ASSERTED_IDENTITY_SERVICE :
487 SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY;
488
489 skdc_entry = talloc_get_type_abort(client->e_data,
490 struct samba_kdc_entry);
491
492 tmp_ctx = talloc_named(smb_ctx,
493 0,
494 "mit_samba_get_pac_data_blobs context");
495 if (tmp_ctx == NULL) {
496 return ENOMEM;
497 }
498
499 /* Check if we have a PREAUTH key */
500 if (replaced_reply_key != NULL) {
501 cred_ndr_ptr = &cred_ndr;
502 }
503
504 is_krbtgt = ks_is_tgs_principal(smb_ctx, server->princ);
505
506 nt_status = samba_kdc_get_pac_blobs(tmp_ctx,
507 skdc_entry,
508 asserted_identity,
509 &logon_info_blob,
510 cred_ndr_ptr,
511 &upn_dns_info_blob,
512 is_krbtgt ? &pac_attrs_blob : NULL,
513 PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY,
514 is_krbtgt ? &requester_sid_blob : NULL);
515 if (!NT_STATUS_IS_OK(nt_status)) {
516 talloc_free(tmp_ctx);
517 if (NT_STATUS_EQUAL(nt_status,
518 NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
519 return ENOENT;
520 }
521 return EINVAL;
522 }
523
524 if (replaced_reply_key != NULL && cred_ndr != NULL) {
525 code = samba_kdc_encrypt_pac_credentials(context,
526 replaced_reply_key,
527 cred_ndr,
528 tmp_ctx,
529 &cred_blob);
530 if (code != 0) {
531 talloc_free(tmp_ctx);
532 return code;
533 }
534 pcred_blob = &cred_blob;
535 }
536
537 code = samba_make_krb5_pac(context,
538 logon_info_blob,
539 pcred_blob,
540 upn_dns_info_blob,
541 pac_attrs_blob,
542 requester_sid_blob,
543 NULL,
544 *pac);
545
546 talloc_free(tmp_ctx);
547 return code;
548 }
549
550 #if KRB5_KDB_DAL_MAJOR_VERSION < 9
551 krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
552 krb5_context context,
553 int kdc_flags,
554 krb5_const_principal client_principal,
555 krb5_db_entry *client,
556 krb5_db_entry *server,
557 krb5_db_entry *krbtgt,
558 krb5_keyblock *krbtgt_keyblock,
559 krb5_pac *pac)
560 {
561 TALLOC_CTX *tmp_ctx;
562 krb5_error_code code;
563 struct samba_kdc_entry *client_skdc_entry = NULL;
564 struct samba_kdc_entry *krbtgt_skdc_entry = NULL;
565 struct samba_kdc_entry *server_skdc_entry = NULL;
566 krb5_principal delegated_proxy_principal = NULL;
567 krb5_pac new_pac = NULL;
568 bool is_in_db = false;
569 bool is_untrusted = false;
570 uint32_t flags = SAMBA_KDC_FLAG_SKIP_PAC_BUFFER;
571
572 /* Create a memory context early so code can use talloc_stackframe() */
573 tmp_ctx = talloc_named(ctx, 0, "mit_samba_reget_pac context");
574 if (tmp_ctx == NULL) {
575 return ENOMEM;
576 }
577
578 if (client != NULL) {
579 client_skdc_entry =
580 talloc_get_type_abort(client->e_data,
581 struct samba_kdc_entry);
582 }
583
584 if (server == NULL) {
585 code = EINVAL;
586 goto done;
587 }
588
589 server_skdc_entry =
590 talloc_get_type_abort(server->e_data,
591 struct samba_kdc_entry);
592
593 if (krbtgt == NULL) {
594 code = EINVAL;
595 goto done;
596 }
597 krbtgt_skdc_entry =
598 talloc_get_type_abort(krbtgt->e_data,
599 struct samba_kdc_entry);
600
601 code = samba_krbtgt_is_in_db(krbtgt_skdc_entry,
602 &is_in_db,
603 &is_untrusted);
604 if (code != 0) {
605 goto done;
606 }
607
608 if (is_untrusted) {
609 flags |= SAMBA_KDC_FLAG_KRBTGT_IS_UNTRUSTED;
610 }
611
612 if (is_in_db) {
613 flags |= SAMBA_KDC_FLAG_KRBTGT_IN_DB;
614
615 }
616
617 if (kdc_flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
618 flags |= SAMBA_KDC_FLAG_PROTOCOL_TRANSITION;
619 }
620
621 if (kdc_flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
622 flags |= SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION;
623 delegated_proxy_principal = discard_const(client_principal);
624 }
625
626 /* Build an updated PAC */
627 code = krb5_pac_init(context, &new_pac);
628 if (code != 0) {
629 goto done;
630 }
631
632 code = samba_kdc_update_pac(tmp_ctx,
633 context,
634 krbtgt_skdc_entry->kdc_db_ctx->samdb,
635 flags,
636 client_skdc_entry,
637 server->princ,
638 server_skdc_entry,
639 krbtgt_skdc_entry,
640 delegated_proxy_principal,
641 *pac,
642 new_pac);
643 if (code != 0) {
644 krb5_pac_free(context, new_pac);
645 if (code == ENODATA) {
646 krb5_pac_free(context, *pac);
647 *pac = NULL;
648 code = 0;
649 }
650 goto done;
651 }
652
653 /* We now replace the pac */
654 krb5_pac_free(context, *pac);
655 *pac = new_pac;
656
657 done:
658 talloc_free(tmp_ctx);
659 return code;
660 }
661 #else
662 krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx,
663 krb5_context context,
664 int kdc_flags,
665 krb5_db_entry *client,
666 krb5_db_entry *server,
667 krb5_db_entry *krbtgt,
668 krb5_pac old_pac,
669 krb5_pac new_pac)
670 {
671 TALLOC_CTX *tmp_ctx = NULL;
672 krb5_error_code code;
673 struct samba_kdc_entry *client_skdc_entry = NULL;
674 struct samba_kdc_entry *server_skdc_entry = NULL;
675 struct samba_kdc_entry *krbtgt_skdc_entry = NULL;
676 bool is_in_db = false;
677 bool is_untrusted = false;
678 uint32_t flags = SAMBA_KDC_FLAG_SKIP_PAC_BUFFER;
679
680 /* Create a memory context early so code can use talloc_stackframe() */
681 tmp_ctx = talloc_named(ctx, 0, "mit_samba_update_pac context");
682 if (tmp_ctx == NULL) {
683 return ENOMEM;
684 }
685
686 if (client != NULL) {
687 client_skdc_entry =
688 talloc_get_type_abort(client->e_data,
689 struct samba_kdc_entry);
690 }
691
692 if (krbtgt == NULL) {
693 code = EINVAL;
694 goto done;
695 }
696 krbtgt_skdc_entry =
697 talloc_get_type_abort(krbtgt->e_data,
698 struct samba_kdc_entry);
699
700 server_skdc_entry =
701 talloc_get_type_abort(server->e_data,
702 struct samba_kdc_entry);
703
704 /*
705 * If the krbtgt was generated by an RODC, and we are not that
706 * RODC, then we need to regenerate the PAC - we can't trust
707 * it, and confirm that the RODC was permitted to print this ticket
708 *
709 * Because of the samba_kdc_validate_pac_blob() step we can be
710 * sure that the record in 'client' or 'server' matches the SID in the
711 * original PAC.
712 */
713 code = samba_krbtgt_is_in_db(krbtgt_skdc_entry,
714 &is_in_db,
715 &is_untrusted);
716 if (code != 0) {
717 goto done;
718 }
719
720 if (is_untrusted) {
721 flags |= SAMBA_KDC_FLAG_KRBTGT_IS_UNTRUSTED;
722 }
723
724 if (is_in_db) {
725 flags |= SAMBA_KDC_FLAG_KRBTGT_IN_DB;
726
727 }
728
729 if (kdc_flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
730 flags |= SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION;
731 }
732
733 code = samba_kdc_update_pac(tmp_ctx,
734 context,
735 krbtgt_skdc_entry->kdc_db_ctx->samdb,
736 flags,
737 client_skdc_entry,
738 server->princ,
739 server_skdc_entry,
740 krbtgt_skdc_entry,
741 NULL,
742 old_pac,
743 new_pac);
744 if (code != 0) {
745 if (code == ENODATA) {
746 /*
747 * We can't tell the KDC to not issue a PAC. It will
748 * just return the newly allocated empty PAC.
749 */
750 code = 0;
751 }
752 }
753
754 done:
755 talloc_free(tmp_ctx);
756 return code;
757 }
758 #endif
759
760 /* provide header, function is exported but there are no public headers */
761
762 krb5_error_code encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data **code);
763
764 /* this function allocates 'data' using malloc.
765 * The caller is responsible for freeing it */
766 static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data)
767 {
768 krb5_error_code ret = 0;
769 krb5_pa_data pa, *ppa[2];
770 krb5_data *d = NULL;
771
772 if (!e_data)
773 return;
774
775 e_data->data = NULL;
776 e_data->length = 0;
777
778 pa.magic = KV5M_PA_DATA;
779 pa.pa_type = KRB5_PADATA_PW_SALT;
780 pa.length = 12;
781 pa.contents = malloc(pa.length);
782 if (!pa.contents) {
783 return;
784 }
785
786 SIVAL(pa.contents, 0, NT_STATUS_V(nt_status));
787 SIVAL(pa.contents, 4, 0);
788 SIVAL(pa.contents, 8, 1);
789
790 ppa[0] = &pa;
791 ppa[1] = NULL;
792
793 ret = encode_krb5_padata_sequence(ppa, &d);
794 free(pa.contents);
795 if (ret) {
796 return;
797 }
798
799 e_data->data = (uint8_t *)d->data;
800 e_data->length = d->length;
801
802 /* free d, not d->data - gd */
803 free(d);
804
805 return;
806 }
807
808 int mit_samba_check_client_access(struct mit_samba_context *ctx,
809 krb5_db_entry *client,
810 const char *client_name,
811 krb5_db_entry *server,
812 const char *server_name,
813 const char *netbios_name,
814 bool password_change,
815 DATA_BLOB *e_data)
816 {
817 struct samba_kdc_entry *skdc_entry;
818 NTSTATUS nt_status;
819
820 skdc_entry = talloc_get_type(client->e_data, struct samba_kdc_entry);
821
822 nt_status = samba_kdc_check_client_access(skdc_entry,
823 client_name,
824 netbios_name,
825 password_change);
826
827 if (!NT_STATUS_IS_OK(nt_status)) {
828 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
829 return ENOMEM;
830 }
831
832 samba_kdc_build_edata_reply(nt_status, e_data);
833
834 return samba_kdc_map_policy_err(nt_status);
835 }
836
837 return 0;
838 }
839
840 int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
841 const krb5_db_entry *server,
842 krb5_const_principal target_principal)
843 {
844 #if KRB5_KDB_DAL_MAJOR_VERSION < 9
845 return KRB5KDC_ERR_BADOPTION;
846 #else
847 struct samba_kdc_entry *server_skdc_entry =
848 talloc_get_type_abort(server->e_data, struct samba_kdc_entry);
849 krb5_error_code code;
850
851 code = samba_kdc_check_s4u2proxy(ctx->context,
852 ctx->db_ctx,
853 server_skdc_entry,
854 target_principal);
855
856 return code;
857 #endif
858 }
859
860 krb5_error_code mit_samba_check_allowed_to_delegate_from(
861 struct mit_samba_context *ctx,
862 krb5_const_principal client_principal,
863 krb5_const_principal server_principal,
864 krb5_pac header_pac,
865 const krb5_db_entry *proxy)
866 {
867 #if KRB5_KDB_DAL_MAJOR_VERSION < 8
868 return KRB5KDC_ERR_POLICY;
869 #else
870 struct samba_kdc_entry *proxy_skdc_entry =
871 talloc_get_type_abort(proxy->e_data, struct samba_kdc_entry);
872 krb5_error_code code;
873
874 code = samba_kdc_check_s4u2proxy_rbcd(ctx->context,
875 ctx->db_ctx,
876 client_principal,
877 server_principal,
878 header_pac,
879 proxy_skdc_entry);
880
881 return code;
882 #endif
883 }
884
885 static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
886 NTSTATUS result,
887 enum samPwdChangeReason reject_reason,
888 struct samr_DomInfo1 *dominfo)
889 {
890 krb5_error_code code = KADM5_PASS_Q_GENERIC;
891
892 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
893 code = KADM5_BAD_PRINCIPAL;
894 krb5_set_error_message(context,
895 code,
896 "No such user when changing password");
897 }
898 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
899 code = KADM5_PASS_Q_GENERIC;
900 krb5_set_error_message(context,
901 code,
902 "Not permitted to change password");
903 }
904 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) &&
905 dominfo != NULL) {
906 switch (reject_reason) {
907 case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT:
908 code = KADM5_PASS_Q_TOOSHORT;
909 krb5_set_error_message(context,
910 code,
911 "Password too short, password "
912 "must be at least %d characters "
913 "long.",
914 dominfo->min_password_length);
915 break;
916 case SAM_PWD_CHANGE_NOT_COMPLEX:
917 code = KADM5_PASS_Q_DICT;
918 krb5_set_error_message(context,
919 code,
920 "Password does not meet "
921 "complexity requirements");
922 break;
923 case SAM_PWD_CHANGE_PWD_IN_HISTORY:
924 code = KADM5_PASS_TOOSOON;
925 krb5_set_error_message(context,
926 code,
927 "Password is already in password "
928 "history. New password must not "
929 "match any of your %d previous "
930 "passwords.",
931 dominfo->password_history_length);
932 break;
933 default:
934 code = KADM5_PASS_Q_GENERIC;
935 krb5_set_error_message(context,
936 code,
937 "Password change rejected, "
938 "password changes may not be "
939 "permitted on this account, or "
940 "the minimum password age may "
941 "not have elapsed.");
942 break;
943 }
944 }
945
946 return code;
947 }
948
949 int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
950 char *pwd,
951 krb5_db_entry *db_entry)
952 {
953 NTSTATUS status;
954 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
955 TALLOC_CTX *tmp_ctx;
956 DATA_BLOB password;
957 enum samPwdChangeReason reject_reason;
958 struct samr_DomInfo1 *dominfo;
959 const char *error_string = NULL;
960 struct auth_user_info_dc *user_info_dc;
961 struct samba_kdc_entry *p =
962 talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
963 krb5_error_code code = 0;
964
965 #ifdef DEBUG_PASSWORD
966 DEBUG(1,("mit_samba_kpasswd_change_password called with: %s\n", pwd));
967 #endif
968
969 tmp_ctx = talloc_named(ctx, 0, "mit_samba_kpasswd_change_password");
970 if (tmp_ctx == NULL) {
971 return ENOMEM;
972 }
973
974 status = samba_kdc_get_user_info_from_db(p,
975 p->msg,
976 &user_info_dc);
977 if (!NT_STATUS_IS_OK(status)) {
978 DEBUG(1,("samba_kdc_get_user_info_from_db failed: %s\n",
979 nt_errstr(status)));
980 talloc_free(tmp_ctx);
981 return EINVAL;
982 }
983
984 status = auth_generate_session_info(tmp_ctx,
985 ctx->db_ctx->lp_ctx,
986 ctx->db_ctx->samdb,
987 user_info_dc,
988 0, /* session_info_flags */
989 &ctx->session_info);
990
991 if (!NT_STATUS_IS_OK(status)) {
992 DEBUG(1,("auth_generate_session_info failed: %s\n",
993 nt_errstr(status)));
994 talloc_free(tmp_ctx);
995 return EINVAL;
996 }
997
998 /* password is expected as UTF16 */
999
1000 if (!convert_string_talloc(tmp_ctx, CH_UTF8, CH_UTF16,
1001 pwd, strlen(pwd),
1002 &password.data, &password.length)) {
1003 DEBUG(1,("convert_string_talloc failed\n"));
1004 talloc_free(tmp_ctx);
1005 return EINVAL;
1006 }
1007
1008 status = samdb_kpasswd_change_password(tmp_ctx,
1009 ctx->db_ctx->lp_ctx,
1010 ctx->db_ctx->ev_ctx,
1011 ctx->session_info,
1012 &password,
1013 &reject_reason,
1014 &dominfo,
1015 &error_string,
1016 &result);
1017 if (!NT_STATUS_IS_OK(status)) {
1018 DEBUG(1,("samdb_kpasswd_change_password failed: %s\n",
1019 nt_errstr(status)));
1020 code = KADM5_PASS_Q_GENERIC;
1021 krb5_set_error_message(ctx->context, code, "%s", error_string);
1022 goto out;
1023 }
1024
1025 if (!NT_STATUS_IS_OK(result)) {
1026 code = mit_samba_change_pwd_error(ctx->context,
1027 result,
1028 reject_reason,
1029 dominfo);
1030 }
1031
1032 out:
1033 talloc_free(tmp_ctx);
1034
1035 return code;
1036 }
1037
1038 void mit_samba_zero_bad_password_count(krb5_db_entry *db_entry)
1039 {
1040 struct netr_SendToSamBase *send_to_sam = NULL;
1041 struct samba_kdc_entry *p =
1042 talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
1043 struct ldb_dn *domain_dn;
1044
1045 domain_dn = ldb_get_default_basedn(p->kdc_db_ctx->samdb);
1046
1047 authsam_logon_success_accounting(p->kdc_db_ctx->samdb,
1048 p->msg,
1049 domain_dn,
1050 true,
1051 &send_to_sam);
1052 /* TODO: RODC support */
1053 }
1054
1055
1056 void mit_samba_update_bad_password_count(krb5_db_entry *db_entry)
1057 {
1058 struct samba_kdc_entry *p =
1059 talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
1060
1061 authsam_update_bad_pwd_count(p->kdc_db_ctx->samdb,
1062 p->msg,
1063 ldb_get_default_basedn(p->kdc_db_ctx->samdb));
1064 }
1065
1066 bool mit_samba_princ_needs_pac(krb5_db_entry *db_entry)
1067 {
1068 struct samba_kdc_entry *skdc_entry =
1069 talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
1070
1071 return samba_princ_needs_pac(skdc_entry);
1072 }
Samba GIT mirror