2 Unix SMB/CIFS implementation.
4 Database Glue between Samba and the KDC
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
7 Copyright (C) Simo Sorce <idra@samba.org> 2010
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "libcli/security/security.h"
26 #include "auth/auth.h"
27 #include "auth/auth_sam.h"
28 #include "dsdb/samdb/samdb.h"
29 #include "dsdb/common/util.h"
30 #include "librpc/gen_ndr/ndr_drsblobs.h"
31 #include "param/param.h"
32 #include "../lib/crypto/md4.h"
33 #include "system/kerberos.h"
34 #include "auth/kerberos/kerberos.h"
36 #include "kdc/samba_kdc.h"
37 #include "kdc/db-glue.h"
38 #include "librpc/gen_ndr/ndr_irpc_c.h"
39 #include "lib/messaging/irpc.h"
44 #define SAMBA_KVNO_GET_KRBTGT(kvno) \
45 ((uint16_t)(((uint32_t)kvno) >> 16))
47 #define SAMBA_KVNO_GET_VALUE(kvno) \
48 ((uint16_t)(((uint32_t)kvno) & 0xFFFF))
50 #define SAMBA_KVNO_AND_KRBTGT(kvno, krbtgt) \
51 ((krb5_kvno)((((uint32_t)kvno) & 0xFFFF) | \
52 ((((uint32_t)krbtgt) << 16) & 0xFFFF0000)))
54 enum samba_kdc_ent_type
55 { SAMBA_KDC_ENT_TYPE_CLIENT
, SAMBA_KDC_ENT_TYPE_SERVER
,
56 SAMBA_KDC_ENT_TYPE_KRBTGT
, SAMBA_KDC_ENT_TYPE_TRUST
, SAMBA_KDC_ENT_TYPE_ANY
};
58 enum trust_direction
{
60 INBOUND
= LSA_TRUST_DIRECTION_INBOUND
,
61 OUTBOUND
= LSA_TRUST_DIRECTION_OUTBOUND
64 static const char *trust_attrs
[] = {
71 "msDS-TrustForestTrustInfo",
75 "msDS-SupportedEncryptionTypes",
80 send a message to the drepl server telling it to initiate a
81 REPL_SECRET getncchanges extended op to fetch the users secrets
83 static void auth_sam_trigger_repl_secret(TALLOC_CTX
*mem_ctx
,
84 struct imessaging_context
*msg_ctx
,
85 struct tevent_context
*event_ctx
,
86 struct ldb_dn
*user_dn
)
88 struct dcerpc_binding_handle
*irpc_handle
;
89 struct drepl_trigger_repl_secret r
;
90 struct tevent_req
*req
;
93 tmp_ctx
= talloc_new(mem_ctx
);
94 if (tmp_ctx
== NULL
) {
98 irpc_handle
= irpc_binding_handle_by_name(tmp_ctx
, msg_ctx
,
101 if (irpc_handle
== NULL
) {
102 DEBUG(1,(__location__
": Unable to get binding handle for dreplsrv\n"));
103 TALLOC_FREE(tmp_ctx
);
107 r
.in
.user_dn
= ldb_dn_get_linearized(user_dn
);
110 * This seem to rely on the current IRPC implementation,
111 * which delivers the message in the _send function.
113 * TODO: we need a ONE_WAY IRPC handle and register
114 * a callback and wait for it to be triggered!
116 req
= dcerpc_drepl_trigger_repl_secret_r_send(tmp_ctx
,
121 /* we aren't interested in a reply */
123 TALLOC_FREE(tmp_ctx
);
126 static time_t ldb_msg_find_krb5time_ldap_time(struct ldb_message
*msg
, const char *attr
, time_t default_val
)
132 gentime
= ldb_msg_find_attr_as_string(msg
, attr
, NULL
);
136 tmp
= strptime(gentime
, "%Y%m%d%H%M%SZ", &tm
);
144 static struct SDBFlags
uf2SDBFlags(krb5_context context
, uint32_t userAccountControl
, enum samba_kdc_ent_type ent_type
)
146 struct SDBFlags flags
= int2SDBFlags(0);
148 /* we don't allow kadmin deletes */
151 /* mark the principal as invalid to start with */
156 /* All accounts are servers, but this may be disabled again in the caller */
159 /* Account types - clear the invalid bit if it turns out to be valid */
160 if (userAccountControl
& UF_NORMAL_ACCOUNT
) {
161 if (ent_type
== SAMBA_KDC_ENT_TYPE_CLIENT
|| ent_type
== SAMBA_KDC_ENT_TYPE_ANY
) {
167 if (userAccountControl
& UF_INTERDOMAIN_TRUST_ACCOUNT
) {
168 if (ent_type
== SAMBA_KDC_ENT_TYPE_CLIENT
|| ent_type
== SAMBA_KDC_ENT_TYPE_ANY
) {
173 if (userAccountControl
& UF_WORKSTATION_TRUST_ACCOUNT
) {
174 if (ent_type
== SAMBA_KDC_ENT_TYPE_CLIENT
|| ent_type
== SAMBA_KDC_ENT_TYPE_ANY
) {
179 if (userAccountControl
& UF_SERVER_TRUST_ACCOUNT
) {
180 if (ent_type
== SAMBA_KDC_ENT_TYPE_CLIENT
|| ent_type
== SAMBA_KDC_ENT_TYPE_ANY
) {
186 /* Not permitted to act as a client if disabled */
187 if (userAccountControl
& UF_ACCOUNTDISABLE
) {
190 if (userAccountControl
& UF_LOCKOUT
) {
191 flags
.locked_out
= 1;
194 if (userAccountControl & UF_PASSWORD_NOTREQD) {
199 UF_PASSWORD_CANT_CHANGE and UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED are irrelevent
201 if (userAccountControl
& UF_TEMP_DUPLICATE_ACCOUNT
) {
205 /* UF_DONT_EXPIRE_PASSWD and UF_USE_DES_KEY_ONLY handled in samba_kdc_message2entry() */
208 if (userAccountControl & UF_MNS_LOGON_ACCOUNT) {
212 if (userAccountControl
& UF_SMARTCARD_REQUIRED
) {
213 flags
.require_hwauth
= 1;
215 if (userAccountControl
& UF_TRUSTED_FOR_DELEGATION
) {
216 flags
.ok_as_delegate
= 1;
218 if (userAccountControl
& UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
) {
220 * this is confusing...
222 * UF_TRUSTED_FOR_DELEGATION
227 * UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
228 * => trusted_for_delegation
230 flags
.trusted_for_delegation
= 1;
232 if (!(userAccountControl
& UF_NOT_DELEGATED
)) {
233 flags
.forwardable
= 1;
237 if (userAccountControl
& UF_DONT_REQUIRE_PREAUTH
) {
238 flags
.require_preauth
= 0;
240 flags
.require_preauth
= 1;
246 static int samba_kdc_entry_destructor(struct samba_kdc_entry
*p
)
248 if (p
->entry_ex
!= NULL
) {
249 struct sdb_entry_ex
*entry_ex
= p
->entry_ex
;
250 free_sdb_entry(&entry_ex
->entry
);
257 * Sort keys in descending order of strength.
259 * Explanaton from Greg Hudson:
261 * To encrypt tickets only the first returned key is used by the MIT KDC. The
262 * other keys just communicate support for session key enctypes, and aren't
263 * really used. The encryption key for the ticket enc part doesn't have
264 * to be of a type requested by the client. The session key enctype is chosen
265 * based on the client preference order, limited by the set of enctypes present
266 * in the server keys (unless the string attribute is set on the server
267 * principal overriding that set).
269 static int samba_kdc_sort_encryption_keys(struct sdb_entry_ex
*entry_ex
)
271 unsigned int i
, j
, idx
= 0;
272 static const krb5_enctype etype_list
[] = {
273 ENCTYPE_AES256_CTS_HMAC_SHA1_96
,
274 ENCTYPE_AES128_CTS_HMAC_SHA1_96
,
275 ENCTYPE_DES3_CBC_SHA1
,
276 ENCTYPE_ARCFOUR_HMAC
,
282 size_t etype_len
= ARRAY_SIZE(etype_list
);
283 size_t keys_size
= entry_ex
->entry
.keys
.len
;
284 struct sdb_key
*keys
= entry_ex
->entry
.keys
.val
;
285 struct sdb_key
*sorted_keys
;
287 sorted_keys
= calloc(keys_size
, sizeof(struct sdb_key
));
288 if (sorted_keys
== NULL
) {
292 for (i
= 0; i
< etype_len
; i
++) {
293 for (j
= 0; j
< keys_size
; j
++) {
294 const struct sdb_key skey
= keys
[j
];
296 if (idx
== keys_size
) {
300 if (KRB5_KEY_TYPE(&skey
.key
) == etype_list
[i
]) {
301 sorted_keys
[idx
] = skey
;
307 /* Paranoia: Something went wrong during data copy */
308 if (idx
!= keys_size
) {
313 free(entry_ex
->entry
.keys
.val
);
314 entry_ex
->entry
.keys
.val
= sorted_keys
;
319 static krb5_error_code
samba_kdc_message2entry_keys(krb5_context context
,
320 struct samba_kdc_db_context
*kdc_db_ctx
,
322 struct ldb_message
*msg
,
325 uint32_t userAccountControl
,
326 enum samba_kdc_ent_type ent_type
,
327 struct sdb_entry_ex
*entry_ex
)
329 struct sdb_entry
*entry
= &entry_ex
->entry
;
330 krb5_error_code ret
= 0;
331 enum ndr_err_code ndr_err
;
332 struct samr_Password
*hash
;
333 const struct ldb_val
*sc_val
;
334 struct supplementalCredentialsBlob scb
;
335 struct supplementalCredentialsPackage
*scpk
= NULL
;
336 bool newer_keys
= false;
337 struct package_PrimaryKerberosBlob _pkb
;
338 struct package_PrimaryKerberosCtr3
*pkb3
= NULL
;
339 struct package_PrimaryKerberosCtr4
*pkb4
= NULL
;
340 bool is_krbtgt
= false;
341 int krbtgt_number
= 0;
342 uint32_t current_kvno
;
343 uint32_t returned_kvno
= 0;
345 uint16_t allocated_keys
= 0;
346 uint32_t supported_enctypes
347 = ldb_msg_find_attr_as_uint(msg
,
348 "msDS-SupportedEncryptionTypes",
351 if (rid
== DOMAIN_RID_KRBTGT
|| is_rodc
) {
352 /* KDCs (and KDCs on RODCs) use AES */
353 supported_enctypes
|= ENC_HMAC_SHA1_96_AES128
| ENC_HMAC_SHA1_96_AES256
;
355 } else if (userAccountControl
& (UF_PARTIAL_SECRETS_ACCOUNT
|UF_SERVER_TRUST_ACCOUNT
)) {
356 /* DCs and RODCs comptuer accounts use AES */
357 supported_enctypes
|= ENC_HMAC_SHA1_96_AES128
| ENC_HMAC_SHA1_96_AES256
;
358 } else if (ent_type
== SAMBA_KDC_ENT_TYPE_CLIENT
||
359 (ent_type
== SAMBA_KDC_ENT_TYPE_ANY
)) {
360 /* for AS-REQ the client chooses the enc types it
361 * supports, and this will vary between computers a
364 * likewise for 'any' return as much as is supported,
365 * to export into a keytab */
366 supported_enctypes
= ENC_ALL_TYPES
;
369 /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
370 if (userAccountControl
& UF_USE_DES_KEY_ONLY
) {
371 supported_enctypes
= 0;
373 /* Otherwise, add in the default enc types */
374 supported_enctypes
|= ENC_RC4_HMAC_MD5
;
377 /* Is this the krbtgt or a RODC krbtgt */
379 krbtgt_number
= ldb_msg_find_attr_as_int(msg
, "msDS-SecondaryKrbTgtNumber", -1);
381 if (krbtgt_number
== -1) {
384 if (krbtgt_number
== 0) {
389 entry_ex
->entry
.keys
.val
= NULL
;
390 entry_ex
->entry
.keys
.len
= 0;
391 entry_ex
->entry
.kvno
= 0;
393 if ((ent_type
== SAMBA_KDC_ENT_TYPE_CLIENT
)
394 && (userAccountControl
& UF_SMARTCARD_REQUIRED
)) {
395 uint8_t secretbuffer
[32];
398 * Fake keys until we have a better way to reject
399 * non-pkinit requests.
401 * We just need to indicate which encryption types are
404 generate_secret_buffer(secretbuffer
, sizeof(secretbuffer
));
407 entry_ex
->entry
.keys
.len
= 0;
408 entry_ex
->entry
.keys
.val
= calloc(allocated_keys
, sizeof(struct sdb_key
));
409 if (entry_ex
->entry
.keys
.val
== NULL
) {
410 ZERO_STRUCT(secretbuffer
);
415 if (supported_enctypes
& ENC_HMAC_SHA1_96_AES256
) {
416 struct sdb_key key
= {};
418 ret
= smb_krb5_keyblock_init_contents(context
,
419 ENCTYPE_AES256_CTS_HMAC_SHA1_96
,
423 ZERO_STRUCT(secretbuffer
);
427 entry_ex
->entry
.keys
.val
[entry_ex
->entry
.keys
.len
] = key
;
428 entry_ex
->entry
.keys
.len
++;
431 if (supported_enctypes
& ENC_HMAC_SHA1_96_AES128
) {
432 struct sdb_key key
= {};
434 ret
= smb_krb5_keyblock_init_contents(context
,
435 ENCTYPE_AES128_CTS_HMAC_SHA1_96
,
439 ZERO_STRUCT(secretbuffer
);
443 entry_ex
->entry
.keys
.val
[entry_ex
->entry
.keys
.len
] = key
;
444 entry_ex
->entry
.keys
.len
++;
447 if (supported_enctypes
& ENC_RC4_HMAC_MD5
) {
448 struct sdb_key key
= {};
450 ret
= smb_krb5_keyblock_init_contents(context
,
451 ENCTYPE_ARCFOUR_HMAC
,
455 ZERO_STRUCT(secretbuffer
);
459 entry_ex
->entry
.keys
.val
[entry_ex
->entry
.keys
.len
] = key
;
460 entry_ex
->entry
.keys
.len
++;
467 current_kvno
= ldb_msg_find_attr_as_int(msg
, "msDS-KeyVersionNumber", 0);
470 * Even for the main krbtgt account
471 * we have to strictly split the kvno into
472 * two 16-bit parts and the upper 16-bit
473 * need to be all zero, even if
474 * the msDS-KeyVersionNumber has a value
477 * See https://bugzilla.samba.org/show_bug.cgi?id=14951
479 current_kvno
= SAMBA_KVNO_GET_VALUE(current_kvno
);
482 /* Get keys from the db */
484 hash
= samdb_result_hash(mem_ctx
, msg
, "unicodePwd");
485 sc_val
= ldb_msg_find_ldb_val(msg
, "supplementalCredentials");
487 /* unicodePwd for enctype 0x17 (23) if present */
492 /* supplementalCredentials if present */
494 ndr_err
= ndr_pull_struct_blob_all(sc_val
, mem_ctx
, &scb
,
495 (ndr_pull_flags_fn_t
)ndr_pull_supplementalCredentialsBlob
);
496 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
497 dump_data(0, sc_val
->data
, sc_val
->length
);
502 if (scb
.sub
.signature
!= SUPPLEMENTAL_CREDENTIALS_SIGNATURE
) {
503 if (scb
.sub
.num_packages
!= 0) {
504 NDR_PRINT_DEBUG(supplementalCredentialsBlob
, &scb
);
510 for (i
=0; i
< scb
.sub
.num_packages
; i
++) {
511 if (strcmp("Primary:Kerberos-Newer-Keys", scb
.sub
.packages
[i
].name
) == 0) {
512 scpk
= &scb
.sub
.packages
[i
];
513 if (!scpk
->data
|| !scpk
->data
[0]) {
519 } else if (strcmp("Primary:Kerberos", scb
.sub
.packages
[i
].name
) == 0) {
520 scpk
= &scb
.sub
.packages
[i
];
521 if (!scpk
->data
|| !scpk
->data
[0]) {
525 * we don't break here in hope to find
526 * a Kerberos-Newer-Keys package
532 * Primary:Kerberos-Newer-Keys or Primary:Kerberos element
533 * of supplementalCredentials
538 blob
= strhex_to_data_blob(mem_ctx
, scpk
->data
);
544 /* we cannot use ndr_pull_struct_blob_all() here, as w2k and w2k3 add padding bytes */
545 ndr_err
= ndr_pull_struct_blob(&blob
, mem_ctx
, &_pkb
,
546 (ndr_pull_flags_fn_t
)ndr_pull_package_PrimaryKerberosBlob
);
547 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
549 krb5_set_error_message(context
, ret
, "samba_kdc_message2entry_keys: could not parse package_PrimaryKerberosBlob");
550 krb5_warnx(context
, "samba_kdc_message2entry_keys: could not parse package_PrimaryKerberosBlob");
554 if (newer_keys
&& _pkb
.version
!= 4) {
556 krb5_set_error_message(context
, ret
, "samba_kdc_message2entry_keys: Primary:Kerberos-Newer-Keys not version 4");
557 krb5_warnx(context
, "samba_kdc_message2entry_keys: Primary:Kerberos-Newer-Keys not version 4");
561 if (!newer_keys
&& _pkb
.version
!= 3) {
563 krb5_set_error_message(context
, ret
, "samba_kdc_message2entry_keys: could not parse Primary:Kerberos not version 3");
564 krb5_warnx(context
, "samba_kdc_message2entry_keys: could not parse Primary:Kerberos not version 3");
568 if (_pkb
.version
== 4) {
569 pkb4
= &_pkb
.ctr
.ctr4
;
570 allocated_keys
+= pkb4
->num_keys
;
571 } else if (_pkb
.version
== 3) {
572 pkb3
= &_pkb
.ctr
.ctr3
;
573 allocated_keys
+= pkb3
->num_keys
;
577 if (allocated_keys
== 0) {
578 if (kdc_db_ctx
->rodc
) {
579 /* We are on an RODC, but don't have keys for this account. Signal this to the caller */
580 auth_sam_trigger_repl_secret(kdc_db_ctx
, kdc_db_ctx
->msg_ctx
,
581 kdc_db_ctx
->ev_ctx
, msg
->dn
);
582 return SDB_ERR_NOT_FOUND_HERE
;
585 /* oh, no password. Apparently (comment in
586 * hdb-ldap.c) this violates the ASN.1, but this
587 * allows an entry with no keys (yet). */
591 /* allocate space to decode into */
592 entry_ex
->entry
.keys
.len
= 0;
593 entry_ex
->entry
.keys
.val
= calloc(allocated_keys
, sizeof(struct sdb_key
));
594 if (entry_ex
->entry
.keys
.val
== NULL
) {
599 if (hash
&& (supported_enctypes
& ENC_RC4_HMAC_MD5
)) {
600 struct sdb_key key
= {};
602 ret
= smb_krb5_keyblock_init_contents(context
,
603 ENCTYPE_ARCFOUR_HMAC
,
611 entry_ex
->entry
.keys
.val
[entry_ex
->entry
.keys
.len
] = key
;
612 entry_ex
->entry
.keys
.len
++;
616 for (i
=0; i
< pkb4
->num_keys
; i
++) {
617 struct sdb_key key
= {};
619 if (!pkb4
->keys
[i
].value
) continue;
621 if (!(kerberos_enctype_to_bitmap(pkb4
->keys
[i
].keytype
) & supported_enctypes
)) {
625 if (pkb4
->salt
.string
) {
628 salt
= data_blob_string_const(pkb4
->salt
.string
);
630 key
.salt
= calloc(1, sizeof(*key
.salt
));
631 if (key
.salt
== NULL
) {
636 key
.salt
->type
= KRB5_PW_SALT
;
638 ret
= smb_krb5_copy_data_contents(&key
.salt
->salt
,
648 /* TODO: maybe pass the iteration_count somehow... */
650 ret
= smb_krb5_keyblock_init_contents(context
,
651 pkb4
->keys
[i
].keytype
,
652 pkb4
->keys
[i
].value
->data
,
653 pkb4
->keys
[i
].value
->length
,
657 smb_krb5_free_data_contents(context
, &key
.salt
->salt
);
661 if (ret
== KRB5_PROG_ETYPE_NOSUPP
) {
662 DEBUG(2,("Unsupported keytype ignored - type %u\n",
663 pkb4
->keys
[i
].keytype
));
670 entry_ex
->entry
.keys
.val
[entry_ex
->entry
.keys
.len
] = key
;
671 entry_ex
->entry
.keys
.len
++;
674 for (i
=0; i
< pkb3
->num_keys
; i
++) {
675 struct sdb_key key
= {};
677 if (!pkb3
->keys
[i
].value
) continue;
679 if (!(kerberos_enctype_to_bitmap(pkb3
->keys
[i
].keytype
) & supported_enctypes
)) {
683 if (pkb3
->salt
.string
) {
686 salt
= data_blob_string_const(pkb3
->salt
.string
);
688 key
.salt
= calloc(1, sizeof(*key
.salt
));
689 if (key
.salt
== NULL
) {
694 key
.salt
->type
= KRB5_PW_SALT
;
696 ret
= smb_krb5_copy_data_contents(&key
.salt
->salt
,
706 ret
= smb_krb5_keyblock_init_contents(context
,
707 pkb3
->keys
[i
].keytype
,
708 pkb3
->keys
[i
].value
->data
,
709 pkb3
->keys
[i
].value
->length
,
713 smb_krb5_free_data_contents(context
, &key
.salt
->salt
);
717 if (ret
== KRB5_PROG_ETYPE_NOSUPP
) {
718 DEBUG(2,("Unsupported keytype ignored - type %u\n",
719 pkb3
->keys
[i
].keytype
));
726 entry_ex
->entry
.keys
.val
[entry_ex
->entry
.keys
.len
] = key
;
727 entry_ex
->entry
.keys
.len
++;
731 returned_kvno
= current_kvno
;
734 * Even for the main krbtgt account
735 * we have to strictly split the kvno into
736 * two 16-bit parts and the upper 16-bit
737 * need to be all zero, even if
738 * the msDS-KeyVersionNumber has a value
741 * See https://bugzilla.samba.org/show_bug.cgi?id=14951
743 returned_kvno
= SAMBA_KVNO_AND_KRBTGT(returned_kvno
, krbtgt_number
);
745 entry
->kvno
= returned_kvno
;
749 entry_ex
->entry
.keys
.len
= 0;
750 } else if (entry_ex
->entry
.keys
.len
> 0 &&
751 entry_ex
->entry
.keys
.val
!= NULL
) {
752 ret
= samba_kdc_sort_encryption_keys(entry_ex
);
754 entry_ex
->entry
.keys
.len
= 0;
758 if (entry_ex
->entry
.keys
.len
== 0 && entry_ex
->entry
.keys
.val
) {
759 free(entry_ex
->entry
.keys
.val
);
760 entry_ex
->entry
.keys
.val
= NULL
;
765 static int principal_comp_strcmp_int(krb5_context context
,
766 krb5_const_principal principal
,
767 unsigned int component
,
774 #if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING)
775 p
= krb5_principal_get_comp_string(context
, principal
, component
);
782 if (component
>= krb5_princ_size(context
, principal
)) {
786 d
= krb5_princ_component(context
, principal
, component
);
795 return strncasecmp(p
, string
, len
);
797 return strncmp(p
, string
, len
);
801 static int principal_comp_strcasecmp(krb5_context context
,
802 krb5_const_principal principal
,
803 unsigned int component
,
806 return principal_comp_strcmp_int(context
, principal
,
807 component
, string
, true);
810 static int principal_comp_strcmp(krb5_context context
,
811 krb5_const_principal principal
,
812 unsigned int component
,
815 return principal_comp_strcmp_int(context
, principal
,
816 component
, string
, false);
819 static bool is_kadmin_changepw(krb5_context context
,
820 krb5_const_principal principal
)
822 return krb5_princ_size(context
, principal
) == 2 &&
823 (principal_comp_strcmp(context
, principal
, 0, "kadmin") == 0) &&
824 (principal_comp_strcmp(context
, principal
, 1, "changepw") == 0);
827 static krb5_error_code
samba_kdc_get_entry_principal(
828 krb5_context context
,
829 struct samba_kdc_db_context
*kdc_db_ctx
,
830 const char *samAccountName
,
831 enum samba_kdc_ent_type ent_type
,
833 bool is_kadmin_changepw
,
834 krb5_const_principal in_princ
,
835 krb5_principal
*out_princ
)
837 struct loadparm_context
*lp_ctx
= kdc_db_ctx
->lp_ctx
;
838 krb5_error_code code
= 0;
839 bool canon
= flags
& (SDB_F_CANON
|SDB_F_FORCE_CANON
);
842 * If we are set to canonicalize, we get back the fixed UPPER
843 * case realm, and the real username (ie matching LDAP
846 * Otherwise, if we are set to enterprise, we
847 * get back the whole principal as-sent
849 * Finally, if we are not set to canonicalize, we get back the
850 * fixed UPPER case realm, but the as-sent username
854 * We need to ensure that the kadmin/changepw principal isn't able to
855 * issue krbtgt tickets, even if canonicalization is turned on.
857 if (!is_kadmin_changepw
) {
858 if (ent_type
== SAMBA_KDC_ENT_TYPE_KRBTGT
&& canon
) {
860 * When requested to do so, ensure that the
861 * both realm values in the principal are set
862 * to the upper case, canonical realm
864 code
= smb_krb5_make_principal(context
,
873 smb_krb5_principal_set_type(context
,
880 if ((canon
&& flags
& (SDB_F_FORCE_CANON
|SDB_F_FOR_AS_REQ
)) ||
881 (ent_type
== SAMBA_KDC_ENT_TYPE_ANY
&& in_princ
== NULL
)) {
883 * SDB_F_CANON maps from the canonicalize flag in the
884 * packet, and has a different meaning between AS-REQ
885 * and TGS-REQ. We only change the principal in the
888 * The SDB_F_FORCE_CANON if for new MIT KDC code that
889 * wants the canonical name in all lookups, and takes
890 * care to canonicalize only when appropriate.
892 code
= smb_krb5_make_principal(context
,
902 * For a krbtgt entry, this appears to be required regardless of the
903 * canonicalize flag from the client.
905 code
= krb5_copy_principal(context
, in_princ
, out_princ
);
911 * While we have copied the client principal, tests show that Win2k3
912 * returns the 'corrected' realm, not the client-specified realm. This
913 * code attempts to replace the client principal's realm with the one
914 * we determine from our records
916 code
= smb_krb5_principal_set_realm(context
,
918 lpcfg_realm(lp_ctx
));
924 * Construct an hdb_entry from a directory entry.
926 static krb5_error_code
samba_kdc_message2entry(krb5_context context
,
927 struct samba_kdc_db_context
*kdc_db_ctx
,
929 krb5_const_principal principal
,
930 enum samba_kdc_ent_type ent_type
,
932 struct ldb_dn
*realm_dn
,
933 struct ldb_message
*msg
,
934 struct sdb_entry_ex
*entry_ex
)
936 struct loadparm_context
*lp_ctx
= kdc_db_ctx
->lp_ctx
;
937 uint32_t userAccountControl
;
938 uint32_t msDS_User_Account_Control_Computed
;
939 krb5_error_code ret
= 0;
940 krb5_boolean is_computer
= FALSE
;
942 struct samba_kdc_entry
*p
;
947 bool is_rodc
= false;
948 struct ldb_message_element
*objectclasses
;
949 struct ldb_val computer_val
;
950 const char *samAccountName
= ldb_msg_find_attr_as_string(msg
, "samAccountName", NULL
);
951 computer_val
.data
= discard_const_p(uint8_t,"computer");
952 computer_val
.length
= strlen((const char *)computer_val
.data
);
954 if (ldb_msg_find_element(msg
, "msDS-SecondaryKrbTgtNumber")) {
958 if (!samAccountName
) {
960 krb5_set_error_message(context
, ret
, "samba_kdc_message2entry: no samAccountName present");
964 objectclasses
= ldb_msg_find_element(msg
, "objectClass");
966 if (objectclasses
&& ldb_msg_find_val(objectclasses
, &computer_val
)) {
970 ZERO_STRUCTP(entry_ex
);
972 p
= talloc_zero(mem_ctx
, struct samba_kdc_entry
);
978 p
->is_rodc
= is_rodc
;
979 p
->kdc_db_ctx
= kdc_db_ctx
;
980 p
->realm_dn
= talloc_reference(p
, realm_dn
);
986 talloc_set_destructor(p
, samba_kdc_entry_destructor
);
990 userAccountControl
= ldb_msg_find_attr_as_uint(msg
, "userAccountControl", 0);
992 msDS_User_Account_Control_Computed
993 = ldb_msg_find_attr_as_uint(msg
,
994 "msDS-User-Account-Control-Computed",
998 * This brings in the lockout flag, block the account if not
999 * found. We need the weird UF_ACCOUNTDISABLE check because
1000 * we do not want to fail open if the value is not returned,
1001 * but 0 is a valid value (all OK)
1003 if (msDS_User_Account_Control_Computed
== UF_ACCOUNTDISABLE
) {
1005 krb5_set_error_message(context
, ret
, "samba_kdc_message2entry: "
1006 "no msDS-User-Account-Control-Computed present");
1009 userAccountControl
|= msDS_User_Account_Control_Computed
;
1012 if (ent_type
== SAMBA_KDC_ENT_TYPE_KRBTGT
) {
1013 p
->is_krbtgt
= true;
1016 /* First try and figure out the flags based on the userAccountControl */
1017 entry_ex
->entry
.flags
= uf2SDBFlags(context
, userAccountControl
, ent_type
);
1019 /* Windows 2008 seems to enforce this (very sensible) rule by
1020 * default - don't allow offline attacks on a user's password
1021 * by asking for a ticket to them as a service (encrypted with
1022 * their probably patheticly insecure password) */
1024 if (entry_ex
->entry
.flags
.server
1025 && lpcfg_parm_bool(lp_ctx
, NULL
, "kdc", "require spn for service", true)) {
1026 if (!is_computer
&& !ldb_msg_find_attr_as_string(msg
, "servicePrincipalName", NULL
)) {
1027 entry_ex
->entry
.flags
.server
= 0;
1032 * We restrict a 3-part SPN ending in my domain/realm to full
1033 * domain controllers.
1035 * This avoids any cases where (eg) a demoted DC still has
1036 * these more restricted SPNs.
1038 if (krb5_princ_size(context
, principal
) > 2) {
1040 = smb_krb5_principal_get_comp_string(mem_ctx
,
1045 lpcfg_is_my_domain_or_realm(lp_ctx
,
1047 bool is_dc
= userAccountControl
&
1048 (UF_SERVER_TRUST_ACCOUNT
| UF_PARTIAL_SECRETS_ACCOUNT
);
1049 if (is_our_realm
&& !is_dc
) {
1050 entry_ex
->entry
.flags
.server
= 0;
1054 * To give the correct type of error to the client, we must
1055 * not just return the entry without .server set, we must
1056 * pretend the principal does not exist. Otherwise we may
1057 * return ERR_POLICY instead of
1058 * KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
1060 if (ent_type
== SAMBA_KDC_ENT_TYPE_SERVER
&& entry_ex
->entry
.flags
.server
== 0) {
1061 ret
= SDB_ERR_NOENTRY
;
1062 krb5_set_error_message(context
, ret
, "samba_kdc_message2entry: no servicePrincipalName present for this server, refusing with no-such-entry");
1065 if (flags
& SDB_F_ADMIN_DATA
) {
1066 /* These (created_by, modified_by) parts of the entry are not relevant for Samba4's use
1067 * of the Heimdal KDC. They are stored in a the traditional
1068 * DB for audit purposes, and still form part of the structure
1071 /* use 'whenCreated' */
1072 entry_ex
->entry
.created_by
.time
= ldb_msg_find_krb5time_ldap_time(msg
, "whenCreated", 0);
1073 /* use 'kadmin' for now (needed by mit_samba) */
1075 ret
= smb_krb5_make_principal(context
,
1076 &entry_ex
->entry
.created_by
.principal
,
1077 lpcfg_realm(lp_ctx
), "kadmin", NULL
);
1079 krb5_clear_error_message(context
);
1083 entry_ex
->entry
.modified_by
= (struct sdb_event
*) malloc(sizeof(struct sdb_event
));
1084 if (entry_ex
->entry
.modified_by
== NULL
) {
1086 krb5_set_error_message(context
, ret
, "malloc: out of memory");
1090 /* use 'whenChanged' */
1091 entry_ex
->entry
.modified_by
->time
= ldb_msg_find_krb5time_ldap_time(msg
, "whenChanged", 0);
1092 /* use 'kadmin' for now (needed by mit_samba) */
1093 ret
= smb_krb5_make_principal(context
,
1094 &entry_ex
->entry
.modified_by
->principal
,
1095 lpcfg_realm(lp_ctx
), "kadmin", NULL
);
1097 krb5_clear_error_message(context
);
1103 /* The lack of password controls etc applies to krbtgt by
1104 * virtue of being that particular RID */
1105 status
= dom_sid_split_rid(NULL
, samdb_result_dom_sid(mem_ctx
, msg
, "objectSid"), NULL
, &rid
);
1107 if (!NT_STATUS_IS_OK(status
)) {
1112 if (rid
== DOMAIN_RID_KRBTGT
) {
1115 entry_ex
->entry
.valid_end
= NULL
;
1116 entry_ex
->entry
.pw_end
= NULL
;
1118 entry_ex
->entry
.flags
.invalid
= 0;
1119 entry_ex
->entry
.flags
.server
= 1;
1121 realm
= smb_krb5_principal_get_realm(
1122 mem_ctx
, context
, principal
);
1123 if (realm
== NULL
) {
1128 /* Don't mark all requests for the krbtgt/realm as
1129 * 'change password', as otherwise we could get into
1130 * trouble, and not enforce the password expirty.
1131 * Instead, only do it when request is for the kpasswd service */
1132 if (ent_type
== SAMBA_KDC_ENT_TYPE_SERVER
&&
1133 is_kadmin_changepw(context
, principal
) &&
1134 lpcfg_is_my_domain_or_realm(lp_ctx
, realm
)) {
1135 entry_ex
->entry
.flags
.change_pw
= 1;
1140 entry_ex
->entry
.flags
.client
= 0;
1141 entry_ex
->entry
.flags
.forwardable
= 1;
1142 entry_ex
->entry
.flags
.ok_as_delegate
= 1;
1143 } else if (is_rodc
) {
1144 /* The RODC krbtgt account is like the main krbtgt,
1145 * but it does not have a changepw or kadmin
1148 entry_ex
->entry
.valid_end
= NULL
;
1149 entry_ex
->entry
.pw_end
= NULL
;
1151 /* Also don't allow the RODC krbtgt to be a client (it should not be needed) */
1152 entry_ex
->entry
.flags
.client
= 0;
1153 entry_ex
->entry
.flags
.invalid
= 0;
1154 entry_ex
->entry
.flags
.server
= 1;
1156 entry_ex
->entry
.flags
.client
= 0;
1157 entry_ex
->entry
.flags
.forwardable
= 1;
1158 entry_ex
->entry
.flags
.ok_as_delegate
= 0;
1159 } else if (entry_ex
->entry
.flags
.server
&& ent_type
== SAMBA_KDC_ENT_TYPE_SERVER
) {
1160 /* The account/password expiry only applies when the account is used as a
1161 * client (ie password login), not when used as a server */
1163 /* Make very well sure we don't use this for a client,
1164 * it could bypass the password restrictions */
1165 entry_ex
->entry
.flags
.client
= 0;
1167 entry_ex
->entry
.valid_end
= NULL
;
1168 entry_ex
->entry
.pw_end
= NULL
;
1171 NTTIME must_change_time
1172 = samdb_result_nttime(msg
,
1173 "msDS-UserPasswordExpiryTimeComputed",
1175 if (must_change_time
== 0x7FFFFFFFFFFFFFFFULL
) {
1176 entry_ex
->entry
.pw_end
= NULL
;
1178 entry_ex
->entry
.pw_end
= malloc(sizeof(*entry_ex
->entry
.pw_end
));
1179 if (entry_ex
->entry
.pw_end
== NULL
) {
1183 *entry_ex
->entry
.pw_end
= nt_time_to_unix(must_change_time
);
1186 acct_expiry
= samdb_result_account_expires(msg
);
1187 if (acct_expiry
== 0x7FFFFFFFFFFFFFFFULL
) {
1188 entry_ex
->entry
.valid_end
= NULL
;
1190 entry_ex
->entry
.valid_end
= malloc(sizeof(*entry_ex
->entry
.valid_end
));
1191 if (entry_ex
->entry
.valid_end
== NULL
) {
1195 *entry_ex
->entry
.valid_end
= nt_time_to_unix(acct_expiry
);
1199 ret
= samba_kdc_get_entry_principal(context
,
1204 entry_ex
->entry
.flags
.change_pw
,
1206 &entry_ex
->entry
.principal
);
1208 krb5_clear_error_message(context
);
1212 entry_ex
->entry
.valid_start
= NULL
;
1214 entry_ex
->entry
.max_life
= malloc(sizeof(*entry_ex
->entry
.max_life
));
1215 if (entry_ex
->entry
.max_life
== NULL
) {
1220 if (ent_type
== SAMBA_KDC_ENT_TYPE_SERVER
) {
1221 *entry_ex
->entry
.max_life
= kdc_db_ctx
->policy
.svc_tkt_lifetime
;
1222 } else if (ent_type
== SAMBA_KDC_ENT_TYPE_KRBTGT
|| ent_type
== SAMBA_KDC_ENT_TYPE_CLIENT
) {
1223 *entry_ex
->entry
.max_life
= kdc_db_ctx
->policy
.usr_tkt_lifetime
;
1225 *entry_ex
->entry
.max_life
= MIN(kdc_db_ctx
->policy
.svc_tkt_lifetime
,
1226 kdc_db_ctx
->policy
.usr_tkt_lifetime
);
1229 if (entry_ex
->entry
.flags
.change_pw
) {
1230 /* Limit lifetime of kpasswd tickets to two minutes or less. */
1231 *entry_ex
->entry
.max_life
= MIN(*entry_ex
->entry
.max_life
, CHANGEPW_LIFETIME
);
1234 entry_ex
->entry
.max_renew
= malloc(sizeof(*entry_ex
->entry
.max_life
));
1235 if (entry_ex
->entry
.max_renew
== NULL
) {
1240 *entry_ex
->entry
.max_renew
= kdc_db_ctx
->policy
.renewal_lifetime
;
1242 /* Get keys from the db */
1243 ret
= samba_kdc_message2entry_keys(context
, kdc_db_ctx
, p
, msg
,
1244 rid
, is_rodc
, userAccountControl
,
1245 ent_type
, entry_ex
);
1247 /* Could be bogus data in the entry, or out of memory */
1251 p
->msg
= talloc_steal(p
, msg
);
1255 /* This doesn't free ent itself, that is for the eventual caller to do */
1256 sdb_free_entry(entry_ex
);
1257 ZERO_STRUCTP(entry_ex
);
1259 talloc_steal(kdc_db_ctx
, entry_ex
->ctx
);
1266 * Construct an hdb_entry from a directory entry.
1267 * The kvno is what the remote client asked for
1269 static krb5_error_code
samba_kdc_trust_message2entry(krb5_context context
,
1270 struct samba_kdc_db_context
*kdc_db_ctx
,
1271 TALLOC_CTX
*mem_ctx
, krb5_const_principal principal
,
1272 enum trust_direction direction
,
1273 struct ldb_dn
*realm_dn
,
1276 struct ldb_message
*msg
,
1277 struct sdb_entry_ex
*entry_ex
)
1279 struct loadparm_context
*lp_ctx
= kdc_db_ctx
->lp_ctx
;
1280 const char *our_realm
= lpcfg_realm(lp_ctx
);
1281 char *partner_realm
= NULL
;
1282 const char *realm
= NULL
;
1283 const char *krbtgt_realm
= NULL
;
1284 DATA_BLOB password_utf16
= data_blob_null
;
1285 DATA_BLOB password_utf8
= data_blob_null
;
1286 struct samr_Password _password_hash
;
1287 const struct samr_Password
*password_hash
= NULL
;
1288 const struct ldb_val
*password_val
;
1289 struct trustAuthInOutBlob password_blob
;
1290 struct samba_kdc_entry
*p
;
1291 bool use_previous
= false;
1292 uint32_t current_kvno
;
1293 uint32_t previous_kvno
;
1294 uint32_t num_keys
= 0;
1295 enum ndr_err_code ndr_err
;
1298 struct AuthenticationInformationArray
*auth_array
;
1301 uint32_t *auth_kvno
;
1302 bool preferr_current
= false;
1303 uint32_t supported_enctypes
= ENC_RC4_HMAC_MD5
;
1304 struct lsa_TrustDomainInfoInfoEx
*tdo
= NULL
;
1307 if (dsdb_functional_level(kdc_db_ctx
->samdb
) >= DS_DOMAIN_FUNCTION_2008
) {
1308 supported_enctypes
= ldb_msg_find_attr_as_uint(msg
,
1309 "msDS-SupportedEncryptionTypes",
1310 supported_enctypes
);
1313 status
= dsdb_trust_parse_tdo_info(mem_ctx
, msg
, &tdo
);
1314 if (!NT_STATUS_IS_OK(status
)) {
1315 krb5_clear_error_message(context
);
1320 if (!(tdo
->trust_direction
& direction
)) {
1321 krb5_clear_error_message(context
);
1322 ret
= SDB_ERR_NOENTRY
;
1326 if (tdo
->trust_type
!= LSA_TRUST_TYPE_UPLEVEL
) {
1328 * Only UPLEVEL domains support kerberos here,
1329 * as we don't support LSA_TRUST_TYPE_MIT.
1331 krb5_clear_error_message(context
);
1332 ret
= SDB_ERR_NOENTRY
;
1336 if (tdo
->trust_attributes
& LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
) {
1338 * We don't support selective authentication yet.
1340 krb5_clear_error_message(context
);
1341 ret
= SDB_ERR_NOENTRY
;
1345 if (tdo
->domain_name
.string
== NULL
) {
1346 krb5_clear_error_message(context
);
1347 ret
= SDB_ERR_NOENTRY
;
1350 partner_realm
= strupper_talloc(mem_ctx
, tdo
->domain_name
.string
);
1351 if (partner_realm
== NULL
) {
1352 krb5_clear_error_message(context
);
1357 if (direction
== INBOUND
) {
1359 krbtgt_realm
= partner_realm
;
1361 password_val
= ldb_msg_find_ldb_val(msg
, "trustAuthIncoming");
1362 } else { /* OUTBOUND */
1363 realm
= partner_realm
;
1364 krbtgt_realm
= our_realm
;
1366 password_val
= ldb_msg_find_ldb_val(msg
, "trustAuthOutgoing");
1369 if (password_val
== NULL
) {
1370 krb5_clear_error_message(context
);
1371 ret
= SDB_ERR_NOENTRY
;
1375 ndr_err
= ndr_pull_struct_blob(password_val
, mem_ctx
, &password_blob
,
1376 (ndr_pull_flags_fn_t
)ndr_pull_trustAuthInOutBlob
);
1377 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
1378 krb5_clear_error_message(context
);
1383 p
= talloc_zero(mem_ctx
, struct samba_kdc_entry
);
1390 p
->kdc_db_ctx
= kdc_db_ctx
;
1391 p
->realm_dn
= realm_dn
;
1393 talloc_set_destructor(p
, samba_kdc_entry_destructor
);
1395 /* make sure we do not have bogus data in there */
1396 memset(&entry_ex
->entry
, 0, sizeof(struct sdb_entry
));
1400 /* use 'whenCreated' */
1401 entry_ex
->entry
.created_by
.time
= ldb_msg_find_krb5time_ldap_time(msg
, "whenCreated", 0);
1402 /* use 'kadmin' for now (needed by mit_samba) */
1403 ret
= smb_krb5_make_principal(context
,
1404 &entry_ex
->entry
.created_by
.principal
,
1405 realm
, "kadmin", NULL
);
1407 krb5_clear_error_message(context
);
1412 * We always need to generate the canonicalized principal
1413 * with the values of our database.
1415 ret
= smb_krb5_make_principal(context
, &entry_ex
->entry
.principal
, realm
,
1416 "krbtgt", krbtgt_realm
, NULL
);
1418 krb5_clear_error_message(context
);
1421 smb_krb5_principal_set_type(context
, entry_ex
->entry
.principal
,
1424 entry_ex
->entry
.valid_start
= NULL
;
1426 /* we need to work out if we are going to use the current or
1427 * the previous password hash.
1428 * We base this on the kvno the client passes in. If the kvno
1429 * passed in is equal to the current kvno in our database then
1430 * we use the current structure. If it is the current kvno-1,
1431 * then we use the previous substrucure.
1435 * Windows preferrs the previous key for one hour.
1437 tv
= timeval_current();
1438 if (tv
.tv_sec
> 3600) {
1441 an_hour_ago
= timeval_to_nttime(&tv
);
1443 /* first work out the current kvno */
1445 for (i
=0; i
< password_blob
.count
; i
++) {
1446 struct AuthenticationInformation
*a
=
1447 &password_blob
.current
.array
[i
];
1449 if (a
->LastUpdateTime
<= an_hour_ago
) {
1450 preferr_current
= true;
1453 if (a
->AuthType
== TRUST_AUTH_TYPE_VERSION
) {
1454 current_kvno
= a
->AuthInfo
.version
.version
;
1457 if (current_kvno
== 0) {
1458 previous_kvno
= 255;
1460 previous_kvno
= current_kvno
- 1;
1462 for (i
=0; i
< password_blob
.count
; i
++) {
1463 struct AuthenticationInformation
*a
=
1464 &password_blob
.previous
.array
[i
];
1466 if (a
->AuthType
== TRUST_AUTH_TYPE_VERSION
) {
1467 previous_kvno
= a
->AuthInfo
.version
.version
;
1471 /* work out whether we will use the previous or current
1473 if (password_blob
.previous
.count
== 0) {
1474 /* there is no previous password */
1475 use_previous
= false;
1476 } else if (!(flags
& SDB_F_KVNO_SPECIFIED
)) {
1478 * If not specified we use the lowest kvno
1479 * for the first hour after an update.
1481 if (preferr_current
) {
1482 use_previous
= false;
1483 } else if (previous_kvno
< current_kvno
) {
1484 use_previous
= true;
1486 use_previous
= false;
1488 } else if (kvno
== current_kvno
) {
1492 use_previous
= false;
1493 } else if (kvno
== previous_kvno
) {
1497 use_previous
= true;
1500 * Fallback to the current one for anything else
1502 use_previous
= false;
1506 auth_array
= &password_blob
.previous
;
1507 auth_kvno
= &previous_kvno
;
1509 auth_array
= &password_blob
.current
;
1510 auth_kvno
= ¤t_kvno
;
1513 /* use the kvno the client specified, if available */
1514 if (flags
& SDB_F_KVNO_SPECIFIED
) {
1515 entry_ex
->entry
.kvno
= kvno
;
1517 entry_ex
->entry
.kvno
= *auth_kvno
;
1520 for (i
=0; i
< auth_array
->count
; i
++) {
1521 if (auth_array
->array
[i
].AuthType
== TRUST_AUTH_TYPE_CLEAR
) {
1524 password_utf16
= data_blob_const(auth_array
->array
[i
].AuthInfo
.clear
.password
,
1525 auth_array
->array
[i
].AuthInfo
.clear
.size
);
1526 if (password_utf16
.length
== 0) {
1530 if (supported_enctypes
& ENC_RC4_HMAC_MD5
) {
1531 mdfour(_password_hash
.hash
, password_utf16
.data
, password_utf16
.length
);
1532 if (password_hash
== NULL
) {
1535 password_hash
= &_password_hash
;
1538 if (!(supported_enctypes
& (ENC_HMAC_SHA1_96_AES128
|ENC_HMAC_SHA1_96_AES256
))) {
1542 ok
= convert_string_talloc(mem_ctx
,
1543 CH_UTF16MUNGED
, CH_UTF8
,
1544 password_utf16
.data
,
1545 password_utf16
.length
,
1546 (void *)&password_utf8
.data
,
1547 &password_utf8
.length
);
1549 krb5_clear_error_message(context
);
1554 if (supported_enctypes
& ENC_HMAC_SHA1_96_AES128
) {
1557 if (supported_enctypes
& ENC_HMAC_SHA1_96_AES256
) {
1561 } else if (auth_array
->array
[i
].AuthType
== TRUST_AUTH_TYPE_NT4OWF
) {
1562 if (supported_enctypes
& ENC_RC4_HMAC_MD5
) {
1563 password_hash
= &auth_array
->array
[i
].AuthInfo
.nt4owf
.password
;
1569 /* Must have found a cleartext or MD4 password */
1570 if (num_keys
== 0) {
1571 DEBUG(1,(__location__
": no usable key found\n"));
1572 krb5_clear_error_message(context
);
1573 ret
= SDB_ERR_NOENTRY
;
1577 entry_ex
->entry
.keys
.val
= calloc(num_keys
, sizeof(struct sdb_key
));
1578 if (entry_ex
->entry
.keys
.val
== NULL
) {
1579 krb5_clear_error_message(context
);
1584 if (password_utf8
.length
!= 0) {
1585 struct sdb_key key
= {};
1586 krb5_const_principal salt_principal
= entry_ex
->entry
.principal
;
1588 krb5_data cleartext_data
;
1590 cleartext_data
.data
= discard_const_p(char, password_utf8
.data
);
1591 cleartext_data
.length
= password_utf8
.length
;
1593 ret
= smb_krb5_get_pw_salt(context
,
1600 if (supported_enctypes
& ENC_HMAC_SHA1_96_AES256
) {
1601 ret
= smb_krb5_create_key_from_string(context
,
1605 ENCTYPE_AES256_CTS_HMAC_SHA1_96
,
1608 smb_krb5_free_data_contents(context
, &salt
);
1612 entry_ex
->entry
.keys
.val
[entry_ex
->entry
.keys
.len
] = key
;
1613 entry_ex
->entry
.keys
.len
++;
1616 if (supported_enctypes
& ENC_HMAC_SHA1_96_AES128
) {
1617 ret
= smb_krb5_create_key_from_string(context
,
1621 ENCTYPE_AES128_CTS_HMAC_SHA1_96
,
1624 smb_krb5_free_data_contents(context
, &salt
);
1628 entry_ex
->entry
.keys
.val
[entry_ex
->entry
.keys
.len
] = key
;
1629 entry_ex
->entry
.keys
.len
++;
1632 smb_krb5_free_data_contents(context
, &salt
);
1635 if (password_hash
!= NULL
) {
1636 struct sdb_key key
= {};
1638 ret
= smb_krb5_keyblock_init_contents(context
,
1639 ENCTYPE_ARCFOUR_HMAC
,
1640 password_hash
->hash
,
1641 sizeof(password_hash
->hash
),
1647 entry_ex
->entry
.keys
.val
[entry_ex
->entry
.keys
.len
] = key
;
1648 entry_ex
->entry
.keys
.len
++;
1651 entry_ex
->entry
.flags
= int2SDBFlags(0);
1652 entry_ex
->entry
.flags
.immutable
= 1;
1653 entry_ex
->entry
.flags
.invalid
= 0;
1654 entry_ex
->entry
.flags
.server
= 1;
1655 entry_ex
->entry
.flags
.require_preauth
= 1;
1657 entry_ex
->entry
.pw_end
= NULL
;
1659 entry_ex
->entry
.max_life
= NULL
;
1661 entry_ex
->entry
.max_renew
= NULL
;
1663 /* Match Windows behavior and allow forwardable flag in cross-realm. */
1664 entry_ex
->entry
.flags
.forwardable
= 1;
1666 ret
= samba_kdc_sort_encryption_keys(entry_ex
);
1668 krb5_clear_error_message(context
);
1673 p
->msg
= talloc_steal(p
, msg
);
1676 TALLOC_FREE(partner_realm
);
1679 /* This doesn't free ent itself, that is for the eventual caller to do */
1680 sdb_free_entry(entry_ex
);
1682 talloc_steal(kdc_db_ctx
, entry_ex
->ctx
);
1689 static krb5_error_code
samba_kdc_lookup_trust(krb5_context context
, struct ldb_context
*ldb_ctx
,
1690 TALLOC_CTX
*mem_ctx
,
1692 struct ldb_dn
*realm_dn
,
1693 struct ldb_message
**pmsg
)
1696 const char * const *attrs
= trust_attrs
;
1698 status
= dsdb_trust_search_tdo(ldb_ctx
, realm
, realm
,
1699 attrs
, mem_ctx
, pmsg
);
1700 if (NT_STATUS_IS_OK(status
)) {
1702 } else if (NT_STATUS_EQUAL(status
, NT_STATUS_OBJECT_NAME_NOT_FOUND
)) {
1703 return SDB_ERR_NOENTRY
;
1704 } else if (NT_STATUS_EQUAL(status
, NT_STATUS_NO_MEMORY
)) {
1706 krb5_set_error_message(context
, ret
, "get_sam_result_trust: out of memory");
1710 krb5_set_error_message(context
, ret
, "get_sam_result_trust: %s", nt_errstr(status
));
1715 static krb5_error_code
samba_kdc_lookup_client(krb5_context context
,
1716 struct samba_kdc_db_context
*kdc_db_ctx
,
1717 TALLOC_CTX
*mem_ctx
,
1718 krb5_const_principal principal
,
1720 struct ldb_dn
**realm_dn
,
1721 struct ldb_message
**msg
)
1724 char *principal_string
= NULL
;
1726 if (smb_krb5_principal_get_type(context
, principal
) == KRB5_NT_ENTERPRISE_PRINCIPAL
) {
1727 principal_string
= smb_krb5_principal_get_comp_string(mem_ctx
, context
,
1729 if (principal_string
== NULL
) {
1733 char *principal_string_m
= NULL
;
1734 krb5_error_code ret
;
1736 ret
= krb5_unparse_name(context
, principal
, &principal_string_m
);
1741 principal_string
= talloc_strdup(mem_ctx
, principal_string_m
);
1742 SAFE_FREE(principal_string_m
);
1743 if (principal_string
== NULL
) {
1748 nt_status
= sam_get_results_principal(kdc_db_ctx
->samdb
,
1749 mem_ctx
, principal_string
, attrs
,
1751 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_NO_SUCH_USER
)) {
1752 krb5_principal fallback_principal
= NULL
;
1753 unsigned int num_comp
;
1754 char *fallback_realm
= NULL
;
1755 char *fallback_account
= NULL
;
1756 krb5_error_code ret
;
1758 ret
= krb5_parse_name(context
, principal_string
,
1759 &fallback_principal
);
1760 TALLOC_FREE(principal_string
);
1765 num_comp
= krb5_princ_size(context
, fallback_principal
);
1766 fallback_realm
= smb_krb5_principal_get_realm(
1767 mem_ctx
, context
, fallback_principal
);
1768 if (fallback_realm
== NULL
) {
1769 krb5_free_principal(context
, fallback_principal
);
1773 if (num_comp
== 1) {
1776 fallback_account
= smb_krb5_principal_get_comp_string(mem_ctx
,
1777 context
, fallback_principal
, 0);
1778 if (fallback_account
== NULL
) {
1779 krb5_free_principal(context
, fallback_principal
);
1780 TALLOC_FREE(fallback_realm
);
1784 len
= strlen(fallback_account
);
1785 if (len
>= 2 && fallback_account
[len
- 1] == '$') {
1786 TALLOC_FREE(fallback_account
);
1789 krb5_free_principal(context
, fallback_principal
);
1790 fallback_principal
= NULL
;
1792 if (fallback_account
!= NULL
) {
1795 with_dollar
= talloc_asprintf(mem_ctx
, "%s$",
1797 if (with_dollar
== NULL
) {
1798 TALLOC_FREE(fallback_realm
);
1801 TALLOC_FREE(fallback_account
);
1803 ret
= smb_krb5_make_principal(context
,
1804 &fallback_principal
,
1807 TALLOC_FREE(with_dollar
);
1809 TALLOC_FREE(fallback_realm
);
1813 TALLOC_FREE(fallback_realm
);
1815 if (fallback_principal
!= NULL
) {
1816 char *fallback_string
= NULL
;
1818 ret
= krb5_unparse_name(context
,
1822 krb5_free_principal(context
, fallback_principal
);
1826 nt_status
= sam_get_results_principal(kdc_db_ctx
->samdb
,
1831 SAFE_FREE(fallback_string
);
1833 krb5_free_principal(context
, fallback_principal
);
1834 fallback_principal
= NULL
;
1836 TALLOC_FREE(principal_string
);
1838 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_NO_SUCH_USER
)) {
1839 return SDB_ERR_NOENTRY
;
1840 } else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_NO_MEMORY
)) {
1842 } else if (!NT_STATUS_IS_OK(nt_status
)) {
1849 static krb5_error_code
samba_kdc_fetch_client(krb5_context context
,
1850 struct samba_kdc_db_context
*kdc_db_ctx
,
1851 TALLOC_CTX
*mem_ctx
,
1852 krb5_const_principal principal
,
1854 struct sdb_entry_ex
*entry_ex
) {
1855 struct ldb_dn
*realm_dn
;
1856 krb5_error_code ret
;
1857 struct ldb_message
*msg
= NULL
;
1859 ret
= samba_kdc_lookup_client(context
, kdc_db_ctx
,
1860 mem_ctx
, principal
, user_attrs
,
1866 ret
= samba_kdc_message2entry(context
, kdc_db_ctx
, mem_ctx
,
1867 principal
, SAMBA_KDC_ENT_TYPE_CLIENT
,
1869 realm_dn
, msg
, entry_ex
);
1873 static krb5_error_code
samba_kdc_fetch_krbtgt(krb5_context context
,
1874 struct samba_kdc_db_context
*kdc_db_ctx
,
1875 TALLOC_CTX
*mem_ctx
,
1876 krb5_const_principal principal
,
1879 struct sdb_entry_ex
*entry_ex
)
1881 struct loadparm_context
*lp_ctx
= kdc_db_ctx
->lp_ctx
;
1882 krb5_error_code ret
;
1883 struct ldb_message
*msg
= NULL
;
1884 struct ldb_dn
*realm_dn
= ldb_get_default_basedn(kdc_db_ctx
->samdb
);
1885 char *realm_from_princ
;
1886 char *realm_princ_comp
= smb_krb5_principal_get_comp_string(mem_ctx
, context
, principal
, 1);
1888 realm_from_princ
= smb_krb5_principal_get_realm(
1889 mem_ctx
, context
, principal
);
1890 if (realm_from_princ
== NULL
) {
1892 return SDB_ERR_NOENTRY
;
1895 if (krb5_princ_size(context
, principal
) != 2
1896 || (principal_comp_strcmp(context
, principal
, 0, KRB5_TGS_NAME
) != 0)) {
1898 return SDB_ERR_NOENTRY
;
1901 /* krbtgt case. Either us or a trusted realm */
1903 if (lpcfg_is_my_domain_or_realm(lp_ctx
, realm_from_princ
)
1904 && lpcfg_is_my_domain_or_realm(lp_ctx
, realm_princ_comp
)) {
1905 /* us, or someone quite like us */
1906 /* Cludge, cludge cludge. If the realm part of krbtgt/realm,
1907 * is in our db, then direct the caller at our primary
1911 unsigned int krbtgt_number
;
1912 /* w2k8r2 sometimes gives us a kvno of 255 for inter-domain
1913 trust tickets. We don't yet know what this means, but we do
1914 seem to need to treat it as unspecified */
1915 if (flags
& SDB_F_KVNO_SPECIFIED
) {
1916 krbtgt_number
= SAMBA_KVNO_GET_KRBTGT(kvno
);
1917 if (kdc_db_ctx
->rodc
) {
1918 if (krbtgt_number
!= kdc_db_ctx
->my_krbtgt_number
) {
1919 return SDB_ERR_NOT_FOUND_HERE
;
1923 krbtgt_number
= kdc_db_ctx
->my_krbtgt_number
;
1926 if (krbtgt_number
== kdc_db_ctx
->my_krbtgt_number
) {
1927 lret
= dsdb_search_one(kdc_db_ctx
->samdb
, mem_ctx
,
1928 &msg
, kdc_db_ctx
->krbtgt_dn
, LDB_SCOPE_BASE
,
1929 krbtgt_attrs
, DSDB_SEARCH_NO_GLOBAL_CATALOG
,
1930 "(objectClass=user)");
1932 /* We need to look up an RODC krbtgt (perhaps
1933 * ours, if we are an RODC, perhaps another
1934 * RODC if we are a read-write DC */
1935 lret
= dsdb_search_one(kdc_db_ctx
->samdb
, mem_ctx
,
1936 &msg
, realm_dn
, LDB_SCOPE_SUBTREE
,
1938 DSDB_SEARCH_SHOW_EXTENDED_DN
| DSDB_SEARCH_NO_GLOBAL_CATALOG
,
1939 "(&(objectClass=user)(msDS-SecondaryKrbTgtNumber=%u))", (unsigned)(krbtgt_number
));
1942 if (lret
== LDB_ERR_NO_SUCH_OBJECT
) {
1943 krb5_warnx(context
, "samba_kdc_fetch: could not find KRBTGT number %u in DB!",
1944 (unsigned)(krbtgt_number
));
1945 krb5_set_error_message(context
, SDB_ERR_NOENTRY
,
1946 "samba_kdc_fetch: could not find KRBTGT number %u in DB!",
1947 (unsigned)(krbtgt_number
));
1948 return SDB_ERR_NOENTRY
;
1949 } else if (lret
!= LDB_SUCCESS
) {
1950 krb5_warnx(context
, "samba_kdc_fetch: could not find KRBTGT number %u in DB!",
1951 (unsigned)(krbtgt_number
));
1952 krb5_set_error_message(context
, SDB_ERR_NOENTRY
,
1953 "samba_kdc_fetch: could not find KRBTGT number %u in DB!",
1954 (unsigned)(krbtgt_number
));
1955 return SDB_ERR_NOENTRY
;
1958 ret
= samba_kdc_message2entry(context
, kdc_db_ctx
, mem_ctx
,
1959 principal
, SAMBA_KDC_ENT_TYPE_KRBTGT
,
1960 flags
, realm_dn
, msg
, entry_ex
);
1962 krb5_warnx(context
, "samba_kdc_fetch: self krbtgt message2entry failed");
1967 enum trust_direction direction
= UNKNOWN
;
1968 const char *realm
= NULL
;
1970 /* Either an inbound or outbound trust */
1972 if (strcasecmp(lpcfg_realm(lp_ctx
), realm_from_princ
) == 0) {
1973 /* look for inbound trust */
1974 direction
= INBOUND
;
1975 realm
= realm_princ_comp
;
1976 } else if (principal_comp_strcasecmp(context
, principal
, 1, lpcfg_realm(lp_ctx
)) == 0) {
1977 /* look for outbound trust */
1978 direction
= OUTBOUND
;
1979 realm
= realm_from_princ
;
1981 krb5_warnx(context
, "samba_kdc_fetch: not our realm for trusts ('%s', '%s')",
1984 krb5_set_error_message(context
, SDB_ERR_NOENTRY
, "samba_kdc_fetch: not our realm for trusts ('%s', '%s')",
1987 return SDB_ERR_NOENTRY
;
1990 /* Trusted domains are under CN=system */
1992 ret
= samba_kdc_lookup_trust(context
, kdc_db_ctx
->samdb
,
1994 realm
, realm_dn
, &msg
);
1997 krb5_warnx(context
, "samba_kdc_fetch: could not find principal in DB");
1998 krb5_set_error_message(context
, ret
, "samba_kdc_fetch: could not find principal in DB");
2002 ret
= samba_kdc_trust_message2entry(context
, kdc_db_ctx
, mem_ctx
,
2003 principal
, direction
,
2004 realm_dn
, flags
, kvno
, msg
, entry_ex
);
2006 krb5_warnx(context
, "samba_kdc_fetch: trust_message2entry failed for %s",
2007 ldb_dn_get_linearized(msg
->dn
));
2008 krb5_set_error_message(context
, ret
, "samba_kdc_fetch: "
2009 "trust_message2entry failed for %s",
2010 ldb_dn_get_linearized(msg
->dn
));
2017 static krb5_error_code
samba_kdc_lookup_server(krb5_context context
,
2018 struct samba_kdc_db_context
*kdc_db_ctx
,
2019 TALLOC_CTX
*mem_ctx
,
2020 krb5_const_principal principal
,
2023 struct ldb_dn
**realm_dn
,
2024 struct ldb_message
**msg
)
2026 krb5_error_code ret
;
2027 if ((smb_krb5_principal_get_type(context
, principal
) != KRB5_NT_ENTERPRISE_PRINCIPAL
)
2028 && krb5_princ_size(context
, principal
) >= 2) {
2029 /* 'normal server' case */
2032 struct ldb_dn
*user_dn
;
2033 char *principal_string
;
2035 ret
= krb5_unparse_name_flags(context
, principal
,
2036 KRB5_PRINCIPAL_UNPARSE_NO_REALM
,
2042 /* At this point we may find the host is known to be
2043 * in a different realm, so we should generate a
2044 * referral instead */
2045 nt_status
= crack_service_principal_name(kdc_db_ctx
->samdb
,
2046 mem_ctx
, principal_string
,
2047 &user_dn
, realm_dn
);
2048 free(principal_string
);
2050 if (!NT_STATUS_IS_OK(nt_status
)) {
2051 return SDB_ERR_NOENTRY
;
2054 ldb_ret
= dsdb_search_one(kdc_db_ctx
->samdb
,
2056 msg
, user_dn
, LDB_SCOPE_BASE
,
2058 DSDB_SEARCH_SHOW_EXTENDED_DN
| DSDB_SEARCH_NO_GLOBAL_CATALOG
,
2060 if (ldb_ret
!= LDB_SUCCESS
) {
2061 return SDB_ERR_NOENTRY
;
2064 } else if (!(flags
& SDB_F_FOR_AS_REQ
)
2065 && smb_krb5_principal_get_type(context
, principal
) == KRB5_NT_ENTERPRISE_PRINCIPAL
) {
2067 * The behaviour of accepting an
2068 * KRB5_NT_ENTERPRISE_PRINCIPAL server principal
2069 * containing a UPN only applies to TGS-REQ packets,
2070 * not AS-REQ packets.
2072 return samba_kdc_lookup_client(context
, kdc_db_ctx
,
2073 mem_ctx
, principal
, attrs
,
2078 * - the AS-REQ, where we only accept
2079 * samAccountName based lookups for the server, no
2080 * matter if the name is an
2081 * KRB5_NT_ENTERPRISE_PRINCIPAL or not
2082 * - for the TGS-REQ when we are not given an
2083 * KRB5_NT_ENTERPRISE_PRINCIPAL, which also must
2084 * only lookup samAccountName based names.
2088 krb5_principal enterprise_principal
= NULL
;
2089 krb5_const_principal used_principal
= NULL
;
2092 char *filter
= NULL
;
2094 if (smb_krb5_principal_get_type(context
, principal
) == KRB5_NT_ENTERPRISE_PRINCIPAL
) {
2096 /* Need to reparse the enterprise principal to find the real target */
2097 if (krb5_princ_size(context
, principal
) != 1) {
2098 ret
= KRB5_PARSE_MALFORMED
;
2099 krb5_set_error_message(context
, ret
, "samba_kdc_lookup_server: request for an "
2100 "enterprise principal with wrong (%d) number of components",
2101 krb5_princ_size(context
, principal
));
2104 str
= smb_krb5_principal_get_comp_string(mem_ctx
, context
, principal
, 0);
2106 return KRB5_PARSE_MALFORMED
;
2108 ret
= krb5_parse_name(context
, str
,
2109 &enterprise_principal
);
2114 used_principal
= enterprise_principal
;
2116 used_principal
= principal
;
2119 /* server as client principal case, but we must not lookup userPrincipalNames */
2120 *realm_dn
= ldb_get_default_basedn(kdc_db_ctx
->samdb
);
2122 /* TODO: Check if it is our realm, otherwise give referral */
2124 ret
= krb5_unparse_name_flags(context
, used_principal
,
2125 KRB5_PRINCIPAL_UNPARSE_NO_REALM
|
2126 KRB5_PRINCIPAL_UNPARSE_DISPLAY
,
2128 used_principal
= NULL
;
2129 krb5_free_principal(context
, enterprise_principal
);
2130 enterprise_principal
= NULL
;
2133 krb5_set_error_message(context
, ret
, "samba_kdc_lookup_principal: could not parse principal");
2134 krb5_warnx(context
, "samba_kdc_lookup_principal: could not parse principal");
2138 name1
= ldb_binary_encode_string(mem_ctx
, short_princ
);
2139 SAFE_FREE(short_princ
);
2140 if (name1
== NULL
) {
2143 len1
= strlen(name1
);
2144 if (len1
>= 1 && name1
[len1
- 1] != '$') {
2145 filter
= talloc_asprintf(mem_ctx
,
2146 "(&(objectClass=user)(|(samAccountName=%s)(samAccountName=%s$)))",
2148 if (filter
== NULL
) {
2152 filter
= talloc_asprintf(mem_ctx
,
2153 "(&(objectClass=user)(samAccountName=%s))",
2155 if (filter
== NULL
) {
2160 lret
= dsdb_search_one(kdc_db_ctx
->samdb
, mem_ctx
, msg
,
2161 *realm_dn
, LDB_SCOPE_SUBTREE
,
2163 DSDB_SEARCH_SHOW_EXTENDED_DN
| DSDB_SEARCH_NO_GLOBAL_CATALOG
,
2165 if (lret
== LDB_ERR_NO_SUCH_OBJECT
) {
2166 DEBUG(10, ("Failed to find an entry for %s filter:%s\n",
2168 return SDB_ERR_NOENTRY
;
2170 if (lret
== LDB_ERR_CONSTRAINT_VIOLATION
) {
2171 DEBUG(10, ("Failed to find unique entry for %s filter:%s\n",
2173 return SDB_ERR_NOENTRY
;
2175 if (lret
!= LDB_SUCCESS
) {
2176 DEBUG(0, ("Failed single search for %s - %s\n",
2177 name1
, ldb_errstring(kdc_db_ctx
->samdb
)));
2178 return SDB_ERR_NOENTRY
;
2182 return SDB_ERR_NOENTRY
;
2187 static krb5_error_code
samba_kdc_fetch_server(krb5_context context
,
2188 struct samba_kdc_db_context
*kdc_db_ctx
,
2189 TALLOC_CTX
*mem_ctx
,
2190 krb5_const_principal principal
,
2192 struct sdb_entry_ex
*entry_ex
)
2194 krb5_error_code ret
;
2195 struct ldb_dn
*realm_dn
;
2196 struct ldb_message
*msg
;
2198 ret
= samba_kdc_lookup_server(context
, kdc_db_ctx
, mem_ctx
, principal
,
2199 flags
, server_attrs
, &realm_dn
, &msg
);
2204 ret
= samba_kdc_message2entry(context
, kdc_db_ctx
, mem_ctx
,
2205 principal
, SAMBA_KDC_ENT_TYPE_SERVER
,
2207 realm_dn
, msg
, entry_ex
);
2209 krb5_warnx(context
, "samba_kdc_fetch: message2entry failed");
2215 static krb5_error_code
samba_kdc_lookup_realm(krb5_context context
,
2216 struct samba_kdc_db_context
*kdc_db_ctx
,
2217 TALLOC_CTX
*mem_ctx
,
2218 krb5_const_principal principal
,
2220 struct sdb_entry_ex
*entry_ex
)
2222 TALLOC_CTX
*frame
= talloc_stackframe();
2224 krb5_error_code ret
;
2225 bool check_realm
= false;
2226 const char *realm
= NULL
;
2227 struct dsdb_trust_routing_table
*trt
= NULL
;
2228 const struct lsa_TrustDomainInfoInfoEx
*tdo
= NULL
;
2229 unsigned int num_comp
;
2233 num_comp
= krb5_princ_size(context
, principal
);
2235 if (flags
& SDB_F_GET_CLIENT
) {
2236 if (flags
& SDB_F_FOR_AS_REQ
) {
2240 if (flags
& SDB_F_GET_SERVER
) {
2241 if (flags
& SDB_F_FOR_TGS_REQ
) {
2251 realm
= smb_krb5_principal_get_realm(frame
, context
, principal
);
2252 if (realm
== NULL
) {
2258 * The requested realm needs to be our own
2260 ok
= lpcfg_is_my_domain_or_realm(kdc_db_ctx
->lp_ctx
, realm
);
2263 * The request is not for us...
2266 return SDB_ERR_NOENTRY
;
2269 if (smb_krb5_principal_get_type(context
, principal
) == KRB5_NT_ENTERPRISE_PRINCIPAL
) {
2270 char *principal_string
= NULL
;
2271 krb5_principal enterprise_principal
= NULL
;
2272 char *enterprise_realm
= NULL
;
2274 if (num_comp
!= 1) {
2276 return SDB_ERR_NOENTRY
;
2279 principal_string
= smb_krb5_principal_get_comp_string(frame
, context
,
2281 if (principal_string
== NULL
) {
2286 ret
= krb5_parse_name(context
, principal_string
,
2287 &enterprise_principal
);
2288 TALLOC_FREE(principal_string
);
2294 enterprise_realm
= smb_krb5_principal_get_realm(
2295 frame
, context
, enterprise_principal
);
2296 krb5_free_principal(context
, enterprise_principal
);
2297 if (enterprise_realm
!= NULL
) {
2298 realm
= enterprise_realm
;
2302 if (flags
& SDB_F_GET_SERVER
) {
2303 char *service_realm
= NULL
;
2305 ret
= principal_comp_strcmp(context
, principal
, 0, KRB5_TGS_NAME
);
2308 * we need to search krbtgt/ locally
2315 * We need to check the last component against the routing table.
2317 * Note this works only with 2 or 3 component principals, e.g:
2319 * servicePrincipalName: ldap/W2K8R2-219.bla.base
2320 * servicePrincipalName: ldap/W2K8R2-219.bla.base/bla.base
2321 * servicePrincipalName: ldap/W2K8R2-219.bla.base/ForestDnsZones.bla.base
2322 * servicePrincipalName: ldap/W2K8R2-219.bla.base/DomainDnsZones.bla.base
2325 if (num_comp
== 2 || num_comp
== 3) {
2326 service_realm
= smb_krb5_principal_get_comp_string(frame
,
2332 if (service_realm
!= NULL
) {
2333 realm
= service_realm
;
2337 ok
= lpcfg_is_my_domain_or_realm(kdc_db_ctx
->lp_ctx
, realm
);
2340 * skip the expensive routing lookup
2346 status
= dsdb_trust_routing_table_load(kdc_db_ctx
->samdb
,
2348 if (!NT_STATUS_IS_OK(status
)) {
2353 tdo
= dsdb_trust_routing_by_name(trt
, realm
);
2356 * This principal has to be local
2362 if (tdo
->trust_attributes
& LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
) {
2364 * TODO: handle the routing within the forest
2366 * This should likely be handled in
2367 * samba_kdc_message2entry() in case we're
2368 * a global catalog. We'd need to check
2369 * if realm_dn is our own domain and derive
2370 * the dns domain name from realm_dn and check that
2371 * against the routing table or fallback to
2372 * the tdo we found here.
2374 * But for now we don't support multiple domains
2375 * in our forest correctly anyway.
2377 * Just search in our local database.
2383 ZERO_STRUCT(entry_ex
->entry
);
2385 ret
= krb5_copy_principal(context
, principal
,
2386 &entry_ex
->entry
.principal
);
2392 upper
= strupper_talloc(frame
, tdo
->domain_name
.string
);
2393 if (upper
== NULL
) {
2398 ret
= smb_krb5_principal_set_realm(context
,
2399 entry_ex
->entry
.principal
,
2407 return SDB_ERR_WRONG_REALM
;
2410 krb5_error_code
samba_kdc_fetch(krb5_context context
,
2411 struct samba_kdc_db_context
*kdc_db_ctx
,
2412 krb5_const_principal principal
,
2415 struct sdb_entry_ex
*entry_ex
)
2417 krb5_error_code ret
= SDB_ERR_NOENTRY
;
2418 TALLOC_CTX
*mem_ctx
;
2420 mem_ctx
= talloc_named(kdc_db_ctx
, 0, "samba_kdc_fetch context");
2423 krb5_set_error_message(context
, ret
, "samba_kdc_fetch: talloc_named() failed!");
2427 ret
= samba_kdc_lookup_realm(context
, kdc_db_ctx
, mem_ctx
,
2428 principal
, flags
, entry_ex
);
2433 ret
= SDB_ERR_NOENTRY
;
2435 if (flags
& SDB_F_GET_CLIENT
) {
2436 ret
= samba_kdc_fetch_client(context
, kdc_db_ctx
, mem_ctx
, principal
, flags
, entry_ex
);
2437 if (ret
!= SDB_ERR_NOENTRY
) goto done
;
2439 if (flags
& SDB_F_GET_SERVER
) {
2440 /* krbtgt fits into this situation for trusted realms, and for resolving different versions of our own realm name */
2441 ret
= samba_kdc_fetch_krbtgt(context
, kdc_db_ctx
, mem_ctx
, principal
, flags
, kvno
, entry_ex
);
2442 if (ret
!= SDB_ERR_NOENTRY
) goto done
;
2444 /* We return 'no entry' if it does not start with krbtgt/, so move to the common case quickly */
2445 ret
= samba_kdc_fetch_server(context
, kdc_db_ctx
, mem_ctx
, principal
, flags
, entry_ex
);
2446 if (ret
!= SDB_ERR_NOENTRY
) goto done
;
2448 if (flags
& SDB_F_GET_KRBTGT
) {
2449 ret
= samba_kdc_fetch_krbtgt(context
, kdc_db_ctx
, mem_ctx
, principal
, flags
, kvno
, entry_ex
);
2450 if (ret
!= SDB_ERR_NOENTRY
) goto done
;
2454 talloc_free(mem_ctx
);
2458 struct samba_kdc_seq
{
2461 struct ldb_message
**msgs
;
2462 struct ldb_dn
*realm_dn
;
2465 static krb5_error_code
samba_kdc_seq(krb5_context context
,
2466 struct samba_kdc_db_context
*kdc_db_ctx
,
2467 struct sdb_entry_ex
*entry
)
2469 krb5_error_code ret
;
2470 struct samba_kdc_seq
*priv
= kdc_db_ctx
->seq_ctx
;
2471 const char *realm
= lpcfg_realm(kdc_db_ctx
->lp_ctx
);
2472 struct ldb_message
*msg
= NULL
;
2473 const char *sAMAccountName
= NULL
;
2474 krb5_principal principal
= NULL
;
2475 TALLOC_CTX
*mem_ctx
;
2478 return SDB_ERR_NOENTRY
;
2481 mem_ctx
= talloc_named(priv
, 0, "samba_kdc_seq context");
2485 krb5_set_error_message(context
, ret
, "samba_kdc_seq: talloc_named() failed!");
2489 while (priv
->index
< priv
->count
) {
2490 msg
= priv
->msgs
[priv
->index
++];
2492 sAMAccountName
= ldb_msg_find_attr_as_string(msg
, "sAMAccountName", NULL
);
2493 if (sAMAccountName
!= NULL
) {
2498 if (sAMAccountName
== NULL
) {
2499 ret
= SDB_ERR_NOENTRY
;
2503 ret
= smb_krb5_make_principal(context
, &principal
,
2504 realm
, sAMAccountName
, NULL
);
2509 ret
= samba_kdc_message2entry(context
, kdc_db_ctx
, mem_ctx
,
2510 principal
, SAMBA_KDC_ENT_TYPE_ANY
,
2511 SDB_F_ADMIN_DATA
|SDB_F_GET_ANY
,
2512 priv
->realm_dn
, msg
, entry
);
2515 if (principal
!= NULL
) {
2516 krb5_free_principal(context
, principal
);
2521 kdc_db_ctx
->seq_ctx
= NULL
;
2523 talloc_free(mem_ctx
);
2529 krb5_error_code
samba_kdc_firstkey(krb5_context context
,
2530 struct samba_kdc_db_context
*kdc_db_ctx
,
2531 struct sdb_entry_ex
*entry
)
2533 struct ldb_context
*ldb_ctx
= kdc_db_ctx
->samdb
;
2534 struct samba_kdc_seq
*priv
= kdc_db_ctx
->seq_ctx
;
2536 struct ldb_result
*res
= NULL
;
2537 krb5_error_code ret
;
2538 TALLOC_CTX
*mem_ctx
;
2543 kdc_db_ctx
->seq_ctx
= NULL
;
2546 priv
= (struct samba_kdc_seq
*) talloc(kdc_db_ctx
, struct samba_kdc_seq
);
2549 krb5_set_error_message(context
, ret
, "talloc: out of memory");
2555 priv
->realm_dn
= ldb_get_default_basedn(ldb_ctx
);
2558 mem_ctx
= talloc_named(priv
, 0, "samba_kdc_firstkey context");
2562 krb5_set_error_message(context
, ret
, "samba_kdc_firstkey: talloc_named() failed!");
2566 ret
= krb5_get_default_realm(context
, &realm
);
2571 krb5_free_default_realm(context
, realm
);
2573 lret
= dsdb_search(ldb_ctx
, priv
, &res
,
2574 priv
->realm_dn
, LDB_SCOPE_SUBTREE
, user_attrs
,
2575 DSDB_SEARCH_NO_GLOBAL_CATALOG
,
2576 "(objectClass=user)");
2578 if (lret
!= LDB_SUCCESS
) {
2580 return SDB_ERR_NOENTRY
;
2583 priv
->count
= res
->count
;
2584 priv
->msgs
= talloc_steal(priv
, res
->msgs
);
2587 kdc_db_ctx
->seq_ctx
= priv
;
2589 ret
= samba_kdc_seq(context
, kdc_db_ctx
, entry
);
2593 kdc_db_ctx
->seq_ctx
= NULL
;
2595 talloc_free(mem_ctx
);
2600 krb5_error_code
samba_kdc_nextkey(krb5_context context
,
2601 struct samba_kdc_db_context
*kdc_db_ctx
,
2602 struct sdb_entry_ex
*entry
)
2604 return samba_kdc_seq(context
, kdc_db_ctx
, entry
);
2607 /* Check if a given entry may delegate or do s4u2self to this target principal
2609 * The safest way to determine 'self' is to check the DB record made at
2610 * the time the principal was presented to the KDC.
2613 samba_kdc_check_s4u2self(krb5_context context
,
2614 struct samba_kdc_entry
*skdc_entry_client
,
2615 struct samba_kdc_entry
*skdc_entry_server_target
)
2617 struct dom_sid
*orig_sid
;
2618 struct dom_sid
*target_sid
;
2619 TALLOC_CTX
*frame
= talloc_stackframe();
2621 orig_sid
= samdb_result_dom_sid(frame
,
2622 skdc_entry_client
->msg
,
2624 target_sid
= samdb_result_dom_sid(frame
,
2625 skdc_entry_server_target
->msg
,
2629 * Allow delegation to the same record (representing a
2630 * principal), even if by a different name. The easy and safe
2631 * way to prove this is by SID comparison
2633 if (!(orig_sid
&& target_sid
&& dom_sid_equal(orig_sid
, target_sid
))) {
2635 return KRB5KRB_AP_ERR_BADMATCH
;
2642 /* Certificates printed by a the Certificate Authority might have a
2643 * slightly different form of the user principal name to that in the
2644 * database. Allow a mismatch where they both refer to the same
2648 samba_kdc_check_pkinit_ms_upn_match(krb5_context context
,
2649 struct samba_kdc_db_context
*kdc_db_ctx
,
2650 struct samba_kdc_entry
*skdc_entry
,
2651 krb5_const_principal certificate_principal
)
2653 krb5_error_code ret
;
2654 struct ldb_dn
*realm_dn
;
2655 struct ldb_message
*msg
;
2656 struct dom_sid
*orig_sid
;
2657 struct dom_sid
*target_sid
;
2658 const char *ms_upn_check_attrs
[] = {
2662 TALLOC_CTX
*mem_ctx
= talloc_named(kdc_db_ctx
, 0, "samba_kdc_check_pkinit_ms_upn_match");
2666 krb5_set_error_message(context
, ret
, "samba_kdc_fetch: talloc_named() failed!");
2670 ret
= samba_kdc_lookup_client(context
, kdc_db_ctx
,
2671 mem_ctx
, certificate_principal
,
2672 ms_upn_check_attrs
, &realm_dn
, &msg
);
2675 talloc_free(mem_ctx
);
2679 orig_sid
= samdb_result_dom_sid(mem_ctx
, skdc_entry
->msg
, "objectSid");
2680 target_sid
= samdb_result_dom_sid(mem_ctx
, msg
, "objectSid");
2682 /* Consider these to be the same principal, even if by a different
2683 * name. The easy and safe way to prove this is by SID
2685 if (!(orig_sid
&& target_sid
&& dom_sid_equal(orig_sid
, target_sid
))) {
2686 talloc_free(mem_ctx
);
2687 #if defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
2688 return KRB5KDC_ERR_CLIENT_NAME_MISMATCH
;
2689 #else /* Heimdal (where this is an enum) */
2690 return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH
;
2694 talloc_free(mem_ctx
);
2699 * Check if a given entry may delegate to this target principal
2703 samba_kdc_check_s4u2proxy(krb5_context context
,
2704 struct samba_kdc_db_context
*kdc_db_ctx
,
2705 struct samba_kdc_entry
*skdc_entry
,
2706 krb5_const_principal target_principal
)
2708 krb5_error_code ret
;
2710 const char *client_dn
= NULL
;
2711 const char *target_principal_name
= NULL
;
2712 struct ldb_message_element
*el
;
2717 TALLOC_CTX
*mem_ctx
= talloc_named(kdc_db_ctx
, 0, "samba_kdc_check_s4u2proxy");
2721 krb5_set_error_message(context
, ret
,
2722 "samba_kdc_check_s4u2proxy:"
2723 " talloc_named() failed!");
2727 client_dn
= ldb_dn_get_linearized(skdc_entry
->msg
->dn
);
2733 krb5_set_error_message(context
, ret
,
2734 "samba_kdc_check_s4u2proxy:"
2735 " ldb_dn_get_linearized() failed!");
2740 * The main heimdal code already checked that the target_principal
2741 * belongs to the same realm as the client.
2743 * So we just need the principal without the realm,
2744 * as that is what is configured in the "msDS-AllowedToDelegateTo"
2747 ret
= krb5_unparse_name_flags(context
, target_principal
,
2748 KRB5_PRINCIPAL_UNPARSE_NO_REALM
, &tmp
);
2750 talloc_free(mem_ctx
);
2751 krb5_set_error_message(context
, ret
,
2752 "samba_kdc_check_s4u2proxy:"
2753 " krb5_unparse_name() failed!");
2756 DEBUG(10,("samba_kdc_check_s4u2proxy: client[%s] for target[%s]\n",
2759 target_principal_name
= talloc_strdup(mem_ctx
, tmp
);
2761 if (target_principal_name
== NULL
) {
2763 krb5_set_error_message(context
, ret
,
2764 "samba_kdc_check_s4u2proxy:"
2765 " talloc_strdup() failed!");
2769 el
= ldb_msg_find_element(skdc_entry
->msg
, "msDS-AllowedToDelegateTo");
2774 val
= data_blob_string_const(target_principal_name
);
2776 for (i
=0; i
<el
->num_values
; i
++) {
2777 struct ldb_val
*val1
= &val
;
2778 struct ldb_val
*val2
= &el
->values
[i
];
2781 if (val1
->length
!= val2
->length
) {
2785 cmp
= strncasecmp((const char *)val1
->data
,
2786 (const char *)val2
->data
,
2800 DEBUG(10,("samba_kdc_check_s4u2proxy: client[%s] allowed target[%s]\n",
2802 talloc_free(mem_ctx
);
2806 krb5_set_error_message(context
, ret
,
2807 "samba_kdc_check_s4u2proxy: client[%s] "
2808 "not allowed for delegation to target[%s]",
2810 target_principal_name
);
2811 talloc_free(mem_ctx
);
2812 return KRB5KDC_ERR_BADOPTION
;
2815 NTSTATUS
samba_kdc_setup_db_ctx(TALLOC_CTX
*mem_ctx
, struct samba_kdc_base_context
*base_ctx
,
2816 struct samba_kdc_db_context
**kdc_db_ctx_out
)
2819 struct ldb_message
*msg
;
2820 struct auth_session_info
*session_info
;
2821 struct samba_kdc_db_context
*kdc_db_ctx
;
2822 /* The idea here is very simple. Using Kerberos to
2823 * authenticate the KDC to the LDAP server is higly likely to
2826 * In future we may set this up to use EXERNAL and SSL
2827 * certificates, for now it will almost certainly be NTLMSSP_SET_USERNAME
2830 kdc_db_ctx
= talloc_zero(mem_ctx
, struct samba_kdc_db_context
);
2831 if (kdc_db_ctx
== NULL
) {
2832 return NT_STATUS_NO_MEMORY
;
2834 kdc_db_ctx
->ev_ctx
= base_ctx
->ev_ctx
;
2835 kdc_db_ctx
->lp_ctx
= base_ctx
->lp_ctx
;
2836 kdc_db_ctx
->msg_ctx
= base_ctx
->msg_ctx
;
2838 /* get default kdc policy */
2839 lpcfg_default_kdc_policy(mem_ctx
,
2841 &kdc_db_ctx
->policy
.svc_tkt_lifetime
,
2842 &kdc_db_ctx
->policy
.usr_tkt_lifetime
,
2843 &kdc_db_ctx
->policy
.renewal_lifetime
);
2845 session_info
= system_session(kdc_db_ctx
->lp_ctx
);
2846 if (session_info
== NULL
) {
2847 return NT_STATUS_INTERNAL_ERROR
;
2850 /* Setup the link to LDB */
2851 kdc_db_ctx
->samdb
= samdb_connect(kdc_db_ctx
,
2857 if (kdc_db_ctx
->samdb
== NULL
) {
2858 DEBUG(1, ("samba_kdc_setup_db_ctx: Cannot open samdb for KDC backend!"));
2859 talloc_free(kdc_db_ctx
);
2860 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
2863 /* Find out our own krbtgt kvno */
2864 ldb_ret
= samdb_rodc(kdc_db_ctx
->samdb
, &kdc_db_ctx
->rodc
);
2865 if (ldb_ret
!= LDB_SUCCESS
) {
2866 DEBUG(1, ("samba_kdc_setup_db_ctx: Cannot determine if we are an RODC in KDC backend: %s\n",
2867 ldb_errstring(kdc_db_ctx
->samdb
)));
2868 talloc_free(kdc_db_ctx
);
2869 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
2871 if (kdc_db_ctx
->rodc
) {
2872 int my_krbtgt_number
;
2873 const char *secondary_keytab
[] = { "msDS-SecondaryKrbTgtNumber", NULL
};
2874 struct ldb_dn
*account_dn
;
2875 struct ldb_dn
*server_dn
= samdb_server_dn(kdc_db_ctx
->samdb
, kdc_db_ctx
);
2877 DEBUG(1, ("samba_kdc_setup_db_ctx: Cannot determine server DN in KDC backend: %s\n",
2878 ldb_errstring(kdc_db_ctx
->samdb
)));
2879 talloc_free(kdc_db_ctx
);
2880 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
2883 ldb_ret
= samdb_reference_dn(kdc_db_ctx
->samdb
, kdc_db_ctx
, server_dn
,
2884 "serverReference", &account_dn
);
2885 if (ldb_ret
!= LDB_SUCCESS
) {
2886 DEBUG(1, ("samba_kdc_setup_db_ctx: Cannot determine server account in KDC backend: %s\n",
2887 ldb_errstring(kdc_db_ctx
->samdb
)));
2888 talloc_free(kdc_db_ctx
);
2889 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
2892 ldb_ret
= samdb_reference_dn(kdc_db_ctx
->samdb
, kdc_db_ctx
, account_dn
,
2893 "msDS-KrbTgtLink", &kdc_db_ctx
->krbtgt_dn
);
2894 talloc_free(account_dn
);
2895 if (ldb_ret
!= LDB_SUCCESS
) {
2896 DEBUG(1, ("samba_kdc_setup_db_ctx: Cannot determine RODC krbtgt account in KDC backend: %s\n",
2897 ldb_errstring(kdc_db_ctx
->samdb
)));
2898 talloc_free(kdc_db_ctx
);
2899 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
2902 ldb_ret
= dsdb_search_one(kdc_db_ctx
->samdb
, kdc_db_ctx
,
2903 &msg
, kdc_db_ctx
->krbtgt_dn
, LDB_SCOPE_BASE
,
2905 DSDB_SEARCH_NO_GLOBAL_CATALOG
,
2906 "(&(objectClass=user)(msDS-SecondaryKrbTgtNumber=*))");
2907 if (ldb_ret
!= LDB_SUCCESS
) {
2908 DEBUG(1, ("samba_kdc_setup_db_ctx: Cannot read krbtgt account %s in KDC backend to get msDS-SecondaryKrbTgtNumber: %s: %s\n",
2909 ldb_dn_get_linearized(kdc_db_ctx
->krbtgt_dn
),
2910 ldb_errstring(kdc_db_ctx
->samdb
),
2911 ldb_strerror(ldb_ret
)));
2912 talloc_free(kdc_db_ctx
);
2913 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
2915 my_krbtgt_number
= ldb_msg_find_attr_as_int(msg
, "msDS-SecondaryKrbTgtNumber", -1);
2916 if (my_krbtgt_number
== -1) {
2917 DEBUG(1, ("samba_kdc_setup_db_ctx: Cannot read msDS-SecondaryKrbTgtNumber from krbtgt account %s in KDC backend: got %d\n",
2918 ldb_dn_get_linearized(kdc_db_ctx
->krbtgt_dn
),
2920 talloc_free(kdc_db_ctx
);
2921 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
2923 kdc_db_ctx
->my_krbtgt_number
= my_krbtgt_number
;
2926 kdc_db_ctx
->my_krbtgt_number
= 0;
2927 ldb_ret
= dsdb_search_one(kdc_db_ctx
->samdb
, kdc_db_ctx
,
2929 ldb_get_default_basedn(kdc_db_ctx
->samdb
),
2932 DSDB_SEARCH_NO_GLOBAL_CATALOG
,
2933 "(&(objectClass=user)(samAccountName=krbtgt))");
2935 if (ldb_ret
!= LDB_SUCCESS
) {
2936 DEBUG(1, ("samba_kdc_fetch: could not find own KRBTGT in DB: %s\n", ldb_errstring(kdc_db_ctx
->samdb
)));
2937 talloc_free(kdc_db_ctx
);
2938 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO
;
2940 kdc_db_ctx
->krbtgt_dn
= talloc_steal(kdc_db_ctx
, msg
->dn
);
2941 kdc_db_ctx
->my_krbtgt_number
= 0;
2944 *kdc_db_ctx_out
= kdc_db_ctx
;
2945 return NT_STATUS_OK
;