search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ldb: new ldb version 1.1.29
[Samba.git] / source4 / kdc / mit_samba.c
blobf5015840055d2ffbc40e1d58b54e6a2bab4955ba
1 /*
2 MIT-Samba4 library
3
4 Copyright (c) 2010, Simo Sorce <idra@samba.org>
5 Copyright (c) 2014-2015 Guenther Deschner <gd@samba.org>
6 Copyright (c) 2014-2016 Andreas Schneider <asn@samba.org>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #define TEVENT_DEPRECATED 1
23
24 #include "includes.h"
25 #include "param/param.h"
26 #include "dsdb/samdb/samdb.h"
27 #include "system/kerberos.h"
28 #include <kdb.h>
29 #include <kadm5/kadm_err.h>
30 #include "kdc/sdb.h"
31 #include "kdc/sdb_kdb.h"
32 #include "auth/kerberos/kerberos.h"
33 #include "kdc/samba_kdc.h"
34 #include "kdc/pac-glue.h"
35 #include "kdc/db-glue.h"
36 #include "auth/auth.h"
37 #include "kdc/kpasswd_glue.h"
38 #include "auth/auth_sam.h"
39
40 #include "mit_samba.h"
41
42 void mit_samba_context_free(struct mit_samba_context *ctx)
43 {
44 /* free heimdal's krb5_context */
45 if (ctx->context) {
46 krb5_free_context(ctx->context);
47 }
48
49 /* then free everything else */
50 talloc_free(ctx);
51 }
52
53 int mit_samba_context_init(struct mit_samba_context **_ctx)
54 {
55 NTSTATUS status;
56 struct mit_samba_context *ctx;
57 const char *s4_conf_file;
58 int ret;
59 struct samba_kdc_base_context base_ctx;
60
61 ctx = talloc_zero(NULL, struct mit_samba_context);
62 if (!ctx) {
63 ret = ENOMEM;
64 goto done;
65 }
66
67 base_ctx.ev_ctx = tevent_context_init(ctx);
68 if (!base_ctx.ev_ctx) {
69 ret = ENOMEM;
70 goto done;
71 }
72 tevent_loop_allow_nesting(base_ctx.ev_ctx);
73 base_ctx.lp_ctx = loadparm_init_global(false);
74 if (!base_ctx.lp_ctx) {
75 ret = ENOMEM;
76 goto done;
77 }
78
79 setup_logging("mitkdc", DEBUG_STDOUT);
80
81 /* init s4 configuration */
82 s4_conf_file = lpcfg_configfile(base_ctx.lp_ctx);
83 if (s4_conf_file) {
84 lpcfg_load(base_ctx.lp_ctx, s4_conf_file);
85 } else {
86 lpcfg_load_default(base_ctx.lp_ctx);
87 }
88
89 status = samba_kdc_setup_db_ctx(ctx, &base_ctx, &ctx->db_ctx);
90 if (!NT_STATUS_IS_OK(status)) {
91 ret = EINVAL;
92 goto done;
93 }
94
95 /* init heimdal's krb_context and log facilities */
96 ret = smb_krb5_init_context_basic(ctx,
97 ctx->db_ctx->lp_ctx,
98 &ctx->context);
99 if (ret) {
100 goto done;
101 }
102
103 ret = 0;
104
105 done:
106 if (ret) {
107 mit_samba_context_free(ctx);
108 } else {
109 *_ctx = ctx;
110 }
111 return ret;
112 }
113
114 static krb5_error_code ks_is_tgs_principal(struct mit_samba_context *ctx,
115 krb5_const_principal principal)
116 {
117 char *p;
118 int eq = -1;
119
120 p = smb_krb5_principal_get_comp_string(ctx, ctx->context, principal, 0);
121
122 eq = krb5_princ_size(ctx->context, principal) == 2 &&
123 (strcmp(p, KRB5_TGS_NAME) == 0);
124
125 talloc_free(p);
126
127 return eq;
128 }
129
130 int mit_samba_generate_salt(krb5_data *salt)
131 {
132 if (salt == NULL) {
133 return EINVAL;
134 }
135
136 salt->length = 16;
137 salt->data = malloc(salt->length);
138 if (salt->data == NULL) {
139 return ENOMEM;
140 }
141
142 generate_random_buffer((uint8_t *)salt->data, salt->length);
143
144 return 0;
145 }
146
147 int mit_samba_generate_random_password(krb5_data *pwd)
148 {
149 TALLOC_CTX *tmp_ctx;
150 char *password;
151
152 if (pwd == NULL) {
153 return EINVAL;
154 }
155 pwd->length = 24;
156
157 tmp_ctx = talloc_named(NULL,
158 0,
159 "mit_samba_create_principal_password context");
160 if (tmp_ctx == NULL) {
161 return ENOMEM;
162 }
163
164 password = generate_random_password(tmp_ctx, pwd->length, pwd->length);
165 if (password == NULL) {
166 talloc_free(tmp_ctx);
167 return ENOMEM;
168 }
169
170 pwd->data = strdup(password);
171 talloc_free(tmp_ctx);
172 if (pwd->data == NULL) {
173 return ENOMEM;
174 }
175
176 return 0;
177 }
178
179 int mit_samba_get_principal(struct mit_samba_context *ctx,
180 krb5_const_principal principal,
181 unsigned int kflags,
182 krb5_db_entry **_kentry)
183 {
184 struct sdb_entry_ex sentry = {
185 .free_entry = NULL,
186 };
187 krb5_db_entry *kentry;
188 int ret;
189 int sflags = 0;
190
191 kentry = malloc(sizeof(krb5_db_entry));
192 if (kentry == NULL) {
193 return ENOMEM;
194 }
195
196 if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
197 sflags |= SDB_F_CANON;
198 }
199 if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
200 KRB5_KDB_FLAG_INCLUDE_PAC)) {
201 /*
202 * KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is equal to
203 * SDB_F_FOR_AS_REQ
204 *
205 * We use ANY to also allow AS_REQ for service principal names
206 * This is supported by Windows.
207 */
208 sflags |= SDB_F_GET_ANY|SDB_F_FOR_AS_REQ;
209 } else if (ks_is_tgs_principal(ctx, principal)) {
210 sflags |= SDB_F_GET_KRBTGT;
211 } else {
212 sflags |= SDB_F_GET_SERVER|SDB_F_FOR_TGS_REQ;
213 }
214
215 /* always set this or the created_by data will not be populated by samba's
216 * backend and we will fail to parse the entry later */
217 sflags |= SDB_F_ADMIN_DATA;
218
219 ret = samba_kdc_fetch(ctx->context, ctx->db_ctx,
220 principal, sflags, 0, &sentry);
221 switch (ret) {
222 case 0:
223 break;
224 case SDB_ERR_NOENTRY:
225 ret = KRB5_KDB_NOENTRY;
226 goto done;
227 case SDB_ERR_WRONG_REALM:
228 /*
229 * If we have a wrong realm e.g. if we try get a cross forest
230 * ticket, we return a ticket with the correct realm. The KDC
231 * will detect this an return the appropriate return code.
232 */
233 ret = 0;
234 break;
235 case SDB_ERR_NOT_FOUND_HERE:
236 /* FIXME: RODC support */
237 default:
238 goto done;
239 }
240
241 ret = sdb_entry_ex_to_kdb_entry_ex(ctx->context, &sentry, kentry);
242
243 sdb_free_entry(&sentry);
244
245 done:
246 if (ret) {
247 free(kentry);
248 } else {
249 *_kentry = kentry;
250 }
251 return ret;
252 }
253
254 int mit_samba_get_firstkey(struct mit_samba_context *ctx,
255 krb5_db_entry **_kentry)
256 {
257 struct sdb_entry_ex sentry = {
258 .free_entry = NULL,
259 };
260 krb5_db_entry *kentry;
261 int ret;
262
263 kentry = malloc(sizeof(krb5_db_entry));
264 if (kentry == NULL) {
265 return ENOMEM;
266 }
267
268 ret = samba_kdc_firstkey(ctx->context, ctx->db_ctx, &sentry);
269 switch (ret) {
270 case 0:
271 break;
272 case SDB_ERR_NOENTRY:
273 free(kentry);
274 return KRB5_KDB_NOENTRY;
275 case SDB_ERR_NOT_FOUND_HERE:
276 /* FIXME: RODC support */
277 default:
278 free(kentry);
279 return ret;
280 }
281
282 ret = sdb_entry_ex_to_kdb_entry_ex(ctx->context, &sentry, kentry);
283
284 sdb_free_entry(&sentry);
285
286 if (ret) {
287 free(kentry);
288 } else {
289 *_kentry = kentry;
290 }
291 return ret;
292 }
293
294 int mit_samba_get_nextkey(struct mit_samba_context *ctx,
295 krb5_db_entry **_kentry)
296 {
297 struct sdb_entry_ex sentry = {
298 .free_entry = NULL,
299 };
300 krb5_db_entry *kentry;
301 int ret;
302
303 kentry = malloc(sizeof(krb5_db_entry));
304 if (kentry == NULL) {
305 return ENOMEM;
306 }
307
308 ret = samba_kdc_nextkey(ctx->context, ctx->db_ctx, &sentry);
309 switch (ret) {
310 case 0:
311 break;
312 case SDB_ERR_NOENTRY:
313 free(kentry);
314 return KRB5_KDB_NOENTRY;
315 case SDB_ERR_NOT_FOUND_HERE:
316 /* FIXME: RODC support */
317 default:
318 free(kentry);
319 return ret;
320 }
321
322 ret = sdb_entry_ex_to_kdb_entry_ex(ctx->context, &sentry, kentry);
323
324 sdb_free_entry(&sentry);
325
326 if (ret) {
327 free(kentry);
328 } else {
329 *_kentry = kentry;
330 }
331 return ret;
332 }
333
334 int mit_samba_get_pac_data(struct mit_samba_context *ctx,
335 krb5_db_entry *client,
336 DATA_BLOB *data)
337 {
338 TALLOC_CTX *tmp_ctx;
339 DATA_BLOB *pac_blob;
340 NTSTATUS nt_status;
341 struct samba_kdc_entry *skdc_entry;
342
343 skdc_entry = talloc_get_type_abort(client->e_data,
344 struct samba_kdc_entry);
345
346 tmp_ctx = talloc_named(ctx, 0, "mit_samba_get_pac_data context");
347 if (!tmp_ctx) {
348 return ENOMEM;
349 }
350
351 nt_status = samba_kdc_get_pac_blob(tmp_ctx, skdc_entry, &pac_blob);
352 if (!NT_STATUS_IS_OK(nt_status)) {
353 talloc_free(tmp_ctx);
354 return EINVAL;
355 }
356
357 data->data = (uint8_t *)malloc(pac_blob->length);
358 if (!data->data) {
359 talloc_free(tmp_ctx);
360 return ENOMEM;
361 }
362 memcpy(data->data, pac_blob->data, pac_blob->length);
363 data->length = pac_blob->length;
364
365 talloc_free(tmp_ctx);
366 return 0;
367 }
368
369 int mit_samba_update_pac_data(struct mit_samba_context *ctx,
370 krb5_db_entry *client,
371 DATA_BLOB *pac_data,
372 DATA_BLOB *logon_data)
373 {
374 TALLOC_CTX *tmp_ctx;
375 DATA_BLOB *logon_blob;
376 krb5_error_code code;
377 NTSTATUS nt_status;
378 krb5_pac pac = NULL;
379 int ret;
380 struct samba_kdc_entry *skdc_entry = NULL;
381
382 if (client) {
383 skdc_entry = talloc_get_type_abort(client->e_data,
384 struct samba_kdc_entry);
385 }
386
387 /* The user account may be set not to want the PAC */
388 if (client && !samba_princ_needs_pac(skdc_entry)) {
389 return EINVAL;
390 }
391
392 tmp_ctx = talloc_named(ctx, 0, "mit_samba_update_pac_data context");
393 if (!tmp_ctx) {
394 return ENOMEM;
395 }
396
397 logon_blob = talloc_zero(tmp_ctx, DATA_BLOB);
398 if (!logon_blob) {
399 ret = ENOMEM;
400 goto done;
401 }
402
403 code = krb5_pac_parse(ctx->context,
404 pac_data->data, pac_data->length, &pac);
405 if (code) {
406 ret = EINVAL;
407 goto done;
408 }
409
410 /* TODO: An implementation-specific decision will need to be
411 * made as to when to check the KDC pac signature, and how to
412 * untrust untrusted RODCs */
413 nt_status = samba_kdc_update_pac_blob(tmp_ctx, ctx->context,
414 pac, logon_blob, NULL, NULL);
415 if (!NT_STATUS_IS_OK(nt_status)) {
416 DEBUG(0, ("Building PAC failed: %s\n",
417 nt_errstr(nt_status)));
418 ret = EINVAL;
419 goto done;
420 }
421
422 logon_data->data = (uint8_t *)malloc(logon_blob->length);
423 if (!logon_data->data) {
424 ret = ENOMEM;
425 goto done;
426 }
427 memcpy(logon_data->data, logon_blob->data, logon_blob->length);
428 logon_data->length = logon_blob->length;
429
430 ret = 0;
431
432 done:
433 if (pac) krb5_pac_free(ctx->context, pac);
434 talloc_free(tmp_ctx);
435 return ret;
436 }
437
438 /* provide header, function is exported but there are no public headers */
439
440 krb5_error_code encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data **code);
441
442 /* this function allocates 'data' using malloc.
443 * The caller is responsible for freeing it */
444 static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data)
445 {
446 krb5_error_code ret = 0;
447 krb5_pa_data pa, *ppa = NULL;
448 krb5_data *d = NULL;
449
450 if (!e_data)
451 return;
452
453 e_data->data = NULL;
454 e_data->length = 0;
455
456 pa.magic = KV5M_PA_DATA;
457 pa.pa_type = KRB5_PADATA_PW_SALT;
458 pa.length = 12;
459 pa.contents = malloc(pa.length);
460 if (!pa.contents) {
461 return;
462 }
463
464 SIVAL(pa.contents, 0, NT_STATUS_V(nt_status));
465 SIVAL(pa.contents, 4, 0);
466 SIVAL(pa.contents, 8, 1);
467
468 ppa = &pa;
469
470 ret = encode_krb5_padata_sequence(&ppa, &d);
471 free(pa.contents);
472 if (ret) {
473 return;
474 }
475
476 e_data->data = (uint8_t *)d->data;
477 e_data->length = d->length;
478
479 /* free d, not d->data - gd */
480 free(d);
481
482 return;
483 }
484
485 int mit_samba_check_client_access(struct mit_samba_context *ctx,
486 krb5_db_entry *client,
487 const char *client_name,
488 krb5_db_entry *server,
489 const char *server_name,
490 const char *netbios_name,
491 bool password_change,
492 DATA_BLOB *e_data)
493 {
494 struct samba_kdc_entry *skdc_entry;
495 NTSTATUS nt_status;
496
497 skdc_entry = talloc_get_type(client->e_data, struct samba_kdc_entry);
498
499 nt_status = samba_kdc_check_client_access(skdc_entry,
500 client_name,
501 netbios_name,
502 password_change);
503
504 if (!NT_STATUS_IS_OK(nt_status)) {
505 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
506 return ENOMEM;
507 }
508
509 samba_kdc_build_edata_reply(nt_status, e_data);
510
511 return samba_kdc_map_policy_err(nt_status);
512 }
513
514 return 0;
515 }
516
517 int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
518 krb5_db_entry *kentry,
519 const char *target_name,
520 bool is_nt_enterprise_name)
521 {
522 #if 1
523 /*
524 * This is disabled because mit_samba_update_pac_data() does not handle
525 * S4U_DELEGATION_INFO
526 */
527
528 return KRB5KDC_ERR_BADOPTION;
529 #else
530 krb5_principal target_principal;
531 int flags = 0;
532 int ret;
533
534 if (is_nt_enterprise_name) {
535 flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
536 }
537
538 ret = krb5_parse_name_flags(ctx->context, target_name,
539 flags, &target_principal);
540 if (ret) {
541 return ret;
542 }
543
544 ret = samba_kdc_check_s4u2proxy(ctx->context,
545 ctx->db_ctx,
546 skdc_entry,
547 target_principal);
548
549 krb5_free_principal(ctx->context, target_principal);
550
551 return ret;
552 #endif
553 }
554
555 static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
556 NTSTATUS result,
557 enum samPwdChangeReason reject_reason,
558 struct samr_DomInfo1 *dominfo)
559 {
560 krb5_error_code code = KADM5_PASS_Q_GENERIC;
561
562 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
563 code = KADM5_BAD_PRINCIPAL;
564 krb5_set_error_message(context,
565 code,
566 "No such user when changing password");
567 }
568 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
569 code = KADM5_PASS_Q_GENERIC;
570 krb5_set_error_message(context,
571 code,
572 "Not permitted to change password");
573 }
574 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) &&
575 dominfo != NULL) {
576 switch (reject_reason) {
577 case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT:
578 code = KADM5_PASS_Q_TOOSHORT;
579 krb5_set_error_message(context,
580 code,
581 "Password too short, password "
582 "must be at least %d characters "
583 "long.",
584 dominfo->min_password_length);
585 break;
586 case SAM_PWD_CHANGE_NOT_COMPLEX:
587 code = KADM5_PASS_Q_DICT;
588 krb5_set_error_message(context,
589 code,
590 "Password does not meet "
591 "complexity requirements");
592 break;
593 case SAM_PWD_CHANGE_PWD_IN_HISTORY:
594 code = KADM5_PASS_TOOSOON;
595 krb5_set_error_message(context,
596 code,
597 "Password is already in password "
598 "history. New password must not "
599 "match any of your %d previous "
600 "passwords.",
601 dominfo->password_history_length);
602 break;
603 default:
604 code = KADM5_PASS_Q_GENERIC;
605 krb5_set_error_message(context,
606 code,
607 "Password change rejected, "
608 "password changes may not be "
609 "permitted on this account, or "
610 "the minimum password age may "
611 "not have elapsed.");
612 break;
613 }
614 }
615
616 return code;
617 }
618
619 int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
620 char *pwd,
621 krb5_db_entry *db_entry)
622 {
623 NTSTATUS status;
624 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
625 TALLOC_CTX *tmp_ctx;
626 DATA_BLOB password;
627 enum samPwdChangeReason reject_reason;
628 struct samr_DomInfo1 *dominfo;
629 const char *error_string = NULL;
630 struct auth_user_info_dc *user_info_dc;
631 struct samba_kdc_entry *p;
632 krb5_error_code code = 0;
633
634 #ifdef DEBUG_PASSWORD
635 DEBUG(1,("mit_samba_kpasswd_change_password called with: %s\n", pwd));
636 #endif
637
638 tmp_ctx = talloc_named(ctx, 0, "mit_samba_kpasswd_change_password");
639 if (tmp_ctx == NULL) {
640 return ENOMEM;
641 }
642
643 p = (struct samba_kdc_entry *)db_entry->e_data;
644
645 status = authsam_make_user_info_dc(tmp_ctx,
646 ctx->db_ctx->samdb,
647 lpcfg_netbios_name(ctx->db_ctx->lp_ctx),
648 lpcfg_sam_name(ctx->db_ctx->lp_ctx),
649 lpcfg_sam_dnsname(ctx->db_ctx->lp_ctx),
650 p->realm_dn,
651 p->msg,
652 data_blob(NULL, 0),
653 data_blob(NULL, 0),
654 &user_info_dc);
655 if (!NT_STATUS_IS_OK(status)) {
656 DEBUG(1,("authsam_make_user_info_dc failed: %s\n",
657 nt_errstr(status)));
658 talloc_free(tmp_ctx);
659 return EINVAL;
660 }
661
662 status = auth_generate_session_info(tmp_ctx,
663 ctx->db_ctx->lp_ctx,
664 ctx->db_ctx->samdb,
665 user_info_dc,
666 0, /* session_info_flags */
667 &ctx->session_info);
668
669 if (!NT_STATUS_IS_OK(status)) {
670 DEBUG(1,("auth_generate_session_info failed: %s\n",
671 nt_errstr(status)));
672 talloc_free(tmp_ctx);
673 return EINVAL;
674 }
675
676 /* password is expected as UTF16 */
677
678 if (!convert_string_talloc(tmp_ctx, CH_UTF8, CH_UTF16,
679 pwd, strlen(pwd),
680 &password.data, &password.length)) {
681 DEBUG(1,("convert_string_talloc failed\n"));
682 talloc_free(tmp_ctx);
683 return EINVAL;
684 }
685
686 status = samdb_kpasswd_change_password(tmp_ctx,
687 ctx->db_ctx->lp_ctx,
688 ctx->db_ctx->ev_ctx,
689 ctx->db_ctx->samdb,
690 ctx->session_info,
691 &password,
692 &reject_reason,
693 &dominfo,
694 &error_string,
695 &result);
696 if (!NT_STATUS_IS_OK(status)) {
697 DEBUG(1,("samdb_kpasswd_change_password failed: %s\n",
698 nt_errstr(status)));
699 code = KADM5_PASS_Q_GENERIC;
700 krb5_set_error_message(ctx->context, code, "%s", error_string);
701 goto out;
702 }
703
704 if (!NT_STATUS_IS_OK(result)) {
705 code = mit_samba_change_pwd_error(ctx->context,
706 result,
707 reject_reason,
708 dominfo);
709 }
710
711 out:
712 talloc_free(tmp_ctx);
713
714 return code;
715 }
716
717 void mit_samba_zero_bad_password_count(krb5_db_entry *db_entry)
718 {
719 struct samba_kdc_entry *p;
720 struct ldb_dn *domain_dn;
721
722 p = (struct samba_kdc_entry *)db_entry->e_data;
723
724 domain_dn = ldb_get_default_basedn(p->kdc_db_ctx->samdb);
725
726 authsam_logon_success_accounting(p->kdc_db_ctx->samdb,
727 p->msg,
728 domain_dn,
729 true);
730 }
731
732
733 void mit_samba_update_bad_password_count(krb5_db_entry *db_entry)
734 {
735 struct samba_kdc_entry *p;
736
737 p = (struct samba_kdc_entry *)db_entry->e_data;
738
739 authsam_update_bad_pwd_count(p->kdc_db_ctx->samdb,
740 p->msg,
741 ldb_get_default_basedn(p->kdc_db_ctx->samdb));
742 }
Samba GIT mirror