search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
samba-tool: Test gpo Security list
[Samba.git] / source4 / kdc / mit_samba.c
blob54dcd545ea12df70a0a257ae7c3e6719879e86cb
1 /*
2 MIT-Samba4 library
3
4 Copyright (c) 2010, Simo Sorce <idra@samba.org>
5 Copyright (c) 2014-2015 Guenther Deschner <gd@samba.org>
6 Copyright (c) 2014-2016 Andreas Schneider <asn@samba.org>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #define TEVENT_DEPRECATED 1
23
24 #include "includes.h"
25 #include "param/param.h"
26 #include "dsdb/samdb/samdb.h"
27 #include "system/kerberos.h"
28 #include <kdb.h>
29 #include <kadm5/kadm_err.h>
30 #include "kdc/sdb.h"
31 #include "kdc/sdb_kdb.h"
32 #include "auth/kerberos/kerberos.h"
33 #include "auth/kerberos/pac_utils.h"
34 #include "kdc/samba_kdc.h"
35 #include "kdc/pac-glue.h"
36 #include "kdc/db-glue.h"
37 #include "auth/auth.h"
38 #include "kdc/kpasswd_glue.h"
39 #include "auth/auth_sam.h"
40
41 #include "mit_samba.h"
42
43 void mit_samba_context_free(struct mit_samba_context *ctx)
44 {
45 /* free heimdal's krb5_context */
46 if (ctx->context) {
47 krb5_free_context(ctx->context);
48 }
49
50 /* then free everything else */
51 talloc_free(ctx);
52 }
53
54 int mit_samba_context_init(struct mit_samba_context **_ctx)
55 {
56 NTSTATUS status;
57 struct mit_samba_context *ctx;
58 const char *s4_conf_file;
59 int ret;
60 struct samba_kdc_base_context base_ctx;
61
62 ctx = talloc_zero(NULL, struct mit_samba_context);
63 if (!ctx) {
64 ret = ENOMEM;
65 goto done;
66 }
67
68 base_ctx.ev_ctx = tevent_context_init(ctx);
69 if (!base_ctx.ev_ctx) {
70 ret = ENOMEM;
71 goto done;
72 }
73 tevent_loop_allow_nesting(base_ctx.ev_ctx);
74 base_ctx.lp_ctx = loadparm_init_global(false);
75 if (!base_ctx.lp_ctx) {
76 ret = ENOMEM;
77 goto done;
78 }
79
80 setup_logging("mitkdc", DEBUG_DEFAULT_STDOUT);
81
82 /* init s4 configuration */
83 s4_conf_file = lpcfg_configfile(base_ctx.lp_ctx);
84 if (s4_conf_file) {
85 lpcfg_load(base_ctx.lp_ctx, s4_conf_file);
86 } else {
87 lpcfg_load_default(base_ctx.lp_ctx);
88 }
89
90 status = samba_kdc_setup_db_ctx(ctx, &base_ctx, &ctx->db_ctx);
91 if (!NT_STATUS_IS_OK(status)) {
92 ret = EINVAL;
93 goto done;
94 }
95
96 /* init heimdal's krb_context and log facilities */
97 ret = smb_krb5_init_context_basic(ctx,
98 ctx->db_ctx->lp_ctx,
99 &ctx->context);
100 if (ret) {
101 goto done;
102 }
103
104 ret = 0;
105
106 done:
107 if (ret) {
108 mit_samba_context_free(ctx);
109 } else {
110 *_ctx = ctx;
111 }
112 return ret;
113 }
114
115 static krb5_error_code ks_is_tgs_principal(struct mit_samba_context *ctx,
116 krb5_const_principal principal)
117 {
118 char *p;
119 int eq = -1;
120
121 p = smb_krb5_principal_get_comp_string(ctx, ctx->context, principal, 0);
122
123 eq = krb5_princ_size(ctx->context, principal) == 2 &&
124 (strcmp(p, KRB5_TGS_NAME) == 0);
125
126 talloc_free(p);
127
128 return eq;
129 }
130
131 int mit_samba_generate_salt(krb5_data *salt)
132 {
133 if (salt == NULL) {
134 return EINVAL;
135 }
136
137 salt->length = 16;
138 salt->data = malloc(salt->length);
139 if (salt->data == NULL) {
140 return ENOMEM;
141 }
142
143 generate_random_buffer((uint8_t *)salt->data, salt->length);
144
145 return 0;
146 }
147
148 int mit_samba_generate_random_password(krb5_data *pwd)
149 {
150 TALLOC_CTX *tmp_ctx;
151 char *password;
152
153 if (pwd == NULL) {
154 return EINVAL;
155 }
156 pwd->length = 24;
157
158 tmp_ctx = talloc_named(NULL,
159 0,
160 "mit_samba_create_principal_password context");
161 if (tmp_ctx == NULL) {
162 return ENOMEM;
163 }
164
165 password = generate_random_password(tmp_ctx, pwd->length, pwd->length);
166 if (password == NULL) {
167 talloc_free(tmp_ctx);
168 return ENOMEM;
169 }
170
171 pwd->data = strdup(password);
172 talloc_free(tmp_ctx);
173 if (pwd->data == NULL) {
174 return ENOMEM;
175 }
176
177 return 0;
178 }
179
180 int mit_samba_get_principal(struct mit_samba_context *ctx,
181 krb5_const_principal principal,
182 unsigned int kflags,
183 krb5_db_entry **_kentry)
184 {
185 struct sdb_entry_ex sentry = {
186 .free_entry = NULL,
187 };
188 krb5_db_entry *kentry;
189 int ret;
190 int sflags = 0;
191 krb5_principal referral_principal = NULL;
192
193 kentry = calloc(1, sizeof(krb5_db_entry));
194 if (kentry == NULL) {
195 return ENOMEM;
196 }
197
198 if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
199 sflags |= SDB_F_CANON;
200 }
201 if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
202 KRB5_KDB_FLAG_INCLUDE_PAC)) {
203 /*
204 * KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is equal to
205 * SDB_F_FOR_AS_REQ
206 *
207 * We use ANY to also allow AS_REQ for service principal names
208 * This is supported by Windows.
209 */
210 sflags |= SDB_F_GET_ANY|SDB_F_FOR_AS_REQ;
211 } else if (ks_is_tgs_principal(ctx, principal)) {
212 sflags |= SDB_F_GET_KRBTGT;
213 } else {
214 sflags |= SDB_F_GET_SERVER|SDB_F_FOR_TGS_REQ;
215 }
216
217 /* always set this or the created_by data will not be populated by samba's
218 * backend and we will fail to parse the entry later */
219 sflags |= SDB_F_ADMIN_DATA;
220
221
222 fetch_referral_principal:
223 ret = samba_kdc_fetch(ctx->context, ctx->db_ctx,
224 principal, sflags, 0, &sentry);
225 switch (ret) {
226 case 0:
227 break;
228 case SDB_ERR_NOENTRY:
229 ret = KRB5_KDB_NOENTRY;
230 goto done;
231 case SDB_ERR_WRONG_REALM: {
232 char *dest_realm = NULL;
233 const char *our_realm = lpcfg_realm(ctx->db_ctx->lp_ctx);
234
235 if (sflags & SDB_F_FOR_AS_REQ) {
236 /*
237 * If this is a request for a TGT, we are done. The KDC
238 * will return the correct error to the client.
239 */
240 ret = 0;
241 break;
242 }
243
244 if (referral_principal != NULL) {
245 sdb_free_entry(&sentry);
246 ret = KRB5_KDB_NOENTRY;
247 goto done;
248 }
249
250 /*
251 * We get a TGS request
252 *
253 * cifs/dc7.SAMBA2008R2.EXAMPLE.COM@ADDOM.SAMBA.EXAMPLE.COM
254 *
255 * to our DC for the realm
256 *
257 * ADDOM.SAMBA.EXAMPLE.COM
258 *
259 * We look up if we have and entry in the database and get an
260 * entry with the pricipal:
261 *
262 * cifs/dc7.SAMBA2008R2.EXAMPLE.COM@SAMBA2008R2.EXAMPLE.COM
263 *
264 * and the error: SDB_ERR_WRONG_REALM.
265 *
266 * In the case of a TGS-REQ we need to return a referral ticket
267 * fo the next trust hop to the client. This ticket will have
268 * the following principal:
269 *
270 * krbtgt/SAMBA2008R2.EXAMPLE.COM@ADDOM.SAMBA.EXAMPLE.COM
271 *
272 * We just redo the lookup in the database with the referral
273 * principal and return success.
274 */
275 dest_realm = smb_krb5_principal_get_realm(
276 ctx, ctx->context, sentry.entry.principal);
277 sdb_free_entry(&sentry);
278 if (dest_realm == NULL) {
279 ret = KRB5_KDB_NOENTRY;
280 goto done;
281 }
282
283 ret = smb_krb5_make_principal(ctx->context,
284 &referral_principal,
285 our_realm,
286 KRB5_TGS_NAME,
287 dest_realm,
288 NULL);
289 TALLOC_FREE(dest_realm);
290 if (ret != 0) {
291 goto done;
292 }
293
294 principal = referral_principal;
295 goto fetch_referral_principal;
296 }
297 case SDB_ERR_NOT_FOUND_HERE:
298 /* FIXME: RODC support */
299 default:
300 goto done;
301 }
302
303 ret = sdb_entry_ex_to_kdb_entry_ex(ctx->context, &sentry, kentry);
304
305 sdb_free_entry(&sentry);
306
307 done:
308 krb5_free_principal(ctx->context, referral_principal);
309 referral_principal = NULL;
310
311 if (ret) {
312 free(kentry);
313 } else {
314 *_kentry = kentry;
315 }
316 return ret;
317 }
318
319 int mit_samba_get_firstkey(struct mit_samba_context *ctx,
320 krb5_db_entry **_kentry)
321 {
322 struct sdb_entry_ex sentry = {
323 .free_entry = NULL,
324 };
325 krb5_db_entry *kentry;
326 int ret;
327
328 kentry = malloc(sizeof(krb5_db_entry));
329 if (kentry == NULL) {
330 return ENOMEM;
331 }
332
333 ret = samba_kdc_firstkey(ctx->context, ctx->db_ctx, &sentry);
334 switch (ret) {
335 case 0:
336 break;
337 case SDB_ERR_NOENTRY:
338 free(kentry);
339 return KRB5_KDB_NOENTRY;
340 case SDB_ERR_NOT_FOUND_HERE:
341 /* FIXME: RODC support */
342 default:
343 free(kentry);
344 return ret;
345 }
346
347 ret = sdb_entry_ex_to_kdb_entry_ex(ctx->context, &sentry, kentry);
348
349 sdb_free_entry(&sentry);
350
351 if (ret) {
352 free(kentry);
353 } else {
354 *_kentry = kentry;
355 }
356 return ret;
357 }
358
359 int mit_samba_get_nextkey(struct mit_samba_context *ctx,
360 krb5_db_entry **_kentry)
361 {
362 struct sdb_entry_ex sentry = {
363 .free_entry = NULL,
364 };
365 krb5_db_entry *kentry;
366 int ret;
367
368 kentry = malloc(sizeof(krb5_db_entry));
369 if (kentry == NULL) {
370 return ENOMEM;
371 }
372
373 ret = samba_kdc_nextkey(ctx->context, ctx->db_ctx, &sentry);
374 switch (ret) {
375 case 0:
376 break;
377 case SDB_ERR_NOENTRY:
378 free(kentry);
379 return KRB5_KDB_NOENTRY;
380 case SDB_ERR_NOT_FOUND_HERE:
381 /* FIXME: RODC support */
382 default:
383 free(kentry);
384 return ret;
385 }
386
387 ret = sdb_entry_ex_to_kdb_entry_ex(ctx->context, &sentry, kentry);
388
389 sdb_free_entry(&sentry);
390
391 if (ret) {
392 free(kentry);
393 } else {
394 *_kentry = kentry;
395 }
396 return ret;
397 }
398
399 int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
400 krb5_context context,
401 krb5_db_entry *client,
402 krb5_keyblock *client_key,
403 krb5_pac *pac)
404 {
405 TALLOC_CTX *tmp_ctx;
406 DATA_BLOB *logon_info_blob = NULL;
407 DATA_BLOB *upn_dns_info_blob = NULL;
408 DATA_BLOB *cred_ndr = NULL;
409 DATA_BLOB **cred_ndr_ptr = NULL;
410 DATA_BLOB cred_blob = data_blob_null;
411 DATA_BLOB *pcred_blob = NULL;
412 NTSTATUS nt_status;
413 krb5_error_code code;
414 struct samba_kdc_entry *skdc_entry;
415
416 skdc_entry = talloc_get_type_abort(client->e_data,
417 struct samba_kdc_entry);
418
419 tmp_ctx = talloc_named(smb_ctx,
420 0,
421 "mit_samba_get_pac_data_blobs context");
422 if (tmp_ctx == NULL) {
423 return ENOMEM;
424 }
425
426 #if 0 /* TODO Find out if this is a pkinit_reply key */
427 /* Check if we have a PREAUTH key */
428 if (client_key != NULL) {
429 cred_ndr_ptr = &cred_ndr;
430 }
431 #endif
432
433 nt_status = samba_kdc_get_pac_blobs(tmp_ctx,
434 skdc_entry,
435 &logon_info_blob,
436 cred_ndr_ptr,
437 &upn_dns_info_blob);
438 if (!NT_STATUS_IS_OK(nt_status)) {
439 talloc_free(tmp_ctx);
440 return EINVAL;
441 }
442
443 if (cred_ndr != NULL) {
444 code = samba_kdc_encrypt_pac_credentials(context,
445 client_key,
446 cred_ndr,
447 tmp_ctx,
448 &cred_blob);
449 if (code != 0) {
450 talloc_free(tmp_ctx);
451 return code;
452 }
453 pcred_blob = &cred_blob;
454 }
455
456 code = samba_make_krb5_pac(context,
457 logon_info_blob,
458 pcred_blob,
459 upn_dns_info_blob,
460 NULL,
461 pac);
462
463 talloc_free(tmp_ctx);
464 return code;
465 }
466
467 krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
468 krb5_context context,
469 int flags,
470 krb5_const_principal client_principal,
471 krb5_db_entry *client,
472 krb5_db_entry *server,
473 krb5_db_entry *krbtgt,
474 krb5_keyblock *krbtgt_keyblock,
475 krb5_pac *pac)
476 {
477 TALLOC_CTX *tmp_ctx;
478 krb5_error_code code;
479 NTSTATUS nt_status;
480 DATA_BLOB *pac_blob = NULL;
481 DATA_BLOB *upn_blob = NULL;
482 DATA_BLOB *deleg_blob = NULL;
483 struct samba_kdc_entry *client_skdc_entry = NULL;
484 struct samba_kdc_entry *krbtgt_skdc_entry = NULL;
485 struct samba_kdc_entry *server_skdc_entry = NULL;
486 bool is_in_db = false;
487 bool is_untrusted = false;
488 size_t num_types = 0;
489 uint32_t *types = NULL;
490 uint32_t forced_next_type = 0;
491 size_t i = 0;
492 ssize_t logon_info_idx = -1;
493 ssize_t delegation_idx = -1;
494 ssize_t logon_name_idx = -1;
495 ssize_t upn_dns_info_idx = -1;
496 ssize_t srv_checksum_idx = -1;
497 ssize_t kdc_checksum_idx = -1;
498 krb5_pac new_pac = NULL;
499 bool ok;
500
501 if (client != NULL) {
502 client_skdc_entry =
503 talloc_get_type_abort(client->e_data,
504 struct samba_kdc_entry);
505
506 /* The user account may be set not to want the PAC */
507 ok = samba_princ_needs_pac(client_skdc_entry);
508 if (!ok) {
509 return EINVAL;
510 }
511 }
512
513 if (server == NULL) {
514 return EINVAL;
515 }
516 server_skdc_entry =
517 talloc_get_type_abort(server->e_data,
518 struct samba_kdc_entry);
519
520 if (krbtgt == NULL) {
521 return EINVAL;
522 }
523 krbtgt_skdc_entry =
524 talloc_get_type_abort(krbtgt->e_data,
525 struct samba_kdc_entry);
526
527 tmp_ctx = talloc_named(ctx, 0, "mit_samba_reget_pac context");
528 if (tmp_ctx == NULL) {
529 return ENOMEM;
530 }
531
532 code = samba_krbtgt_is_in_db(krbtgt_skdc_entry,
533 &is_in_db,
534 &is_untrusted);
535 if (code != 0) {
536 goto done;
537 }
538
539 if (is_untrusted) {
540 if (client == NULL) {
541 code = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
542 goto done;
543 }
544
545 nt_status = samba_kdc_get_pac_blobs(tmp_ctx,
546 client_skdc_entry,
547 &pac_blob,
548 NULL,
549 &upn_blob);
550 if (!NT_STATUS_IS_OK(nt_status)) {
551 code = EINVAL;
552 goto done;
553 }
554 } else {
555 struct PAC_SIGNATURE_DATA *pac_srv_sig;
556 struct PAC_SIGNATURE_DATA *pac_kdc_sig;
557
558 pac_blob = talloc_zero(tmp_ctx, DATA_BLOB);
559 if (pac_blob == NULL) {
560 code = ENOMEM;
561 goto done;
562 }
563
564 pac_srv_sig = talloc_zero(tmp_ctx, struct PAC_SIGNATURE_DATA);
565 if (pac_srv_sig == NULL) {
566 code = ENOMEM;
567 goto done;
568 }
569
570 pac_kdc_sig = talloc_zero(tmp_ctx, struct PAC_SIGNATURE_DATA);
571 if (pac_kdc_sig == NULL) {
572 code = ENOMEM;
573 goto done;
574 }
575
576 nt_status = samba_kdc_update_pac_blob(tmp_ctx,
577 context,
578 krbtgt_skdc_entry,
579 server_skdc_entry,
580 *pac,
581 pac_blob,
582 pac_srv_sig,
583 pac_kdc_sig);
584 if (!NT_STATUS_IS_OK(nt_status)) {
585 DEBUG(0, ("Update PAC blob failed: %s\n",
586 nt_errstr(nt_status)));
587 code = EINVAL;
588 goto done;
589 }
590
591 if (is_in_db) {
592 /*
593 * Now check the KDC signature, fetching the correct
594 * key based on the enc type.
595 */
596 code = check_pac_checksum(pac_srv_sig->signature,
597 pac_kdc_sig,
598 context,
599 krbtgt_keyblock);
600 if (code != 0) {
601 DBG_INFO("PAC KDC signature failed to verify\n");
602 goto done;
603 }
604 }
605 }
606
607 if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
608 deleg_blob = talloc_zero(tmp_ctx, DATA_BLOB);
609 if (deleg_blob == NULL) {
610 code = ENOMEM;
611 goto done;
612 }
613
614 nt_status = samba_kdc_update_delegation_info_blob(tmp_ctx,
615 context,
616 *pac,
617 server->princ,
618 discard_const(client_principal),
619 deleg_blob);
620 if (!NT_STATUS_IS_OK(nt_status)) {
621 DEBUG(0, ("Update delegation info failed: %s\n",
622 nt_errstr(nt_status)));
623 code = EINVAL;
624 goto done;
625 }
626 }
627
628 /* Check the types of the given PAC */
629 code = krb5_pac_get_types(context, *pac, &num_types, &types);
630 if (code != 0) {
631 goto done;
632 }
633
634 for (i = 0; i < num_types; i++) {
635 switch (types[i]) {
636 case PAC_TYPE_LOGON_INFO:
637 if (logon_info_idx != -1) {
638 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
639 types[i],
640 logon_info_idx,
641 i);
642 SAFE_FREE(types);
643 code = EINVAL;
644 goto done;
645 }
646 logon_info_idx = i;
647 break;
648 case PAC_TYPE_CONSTRAINED_DELEGATION:
649 if (delegation_idx != -1) {
650 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
651 types[i],
652 delegation_idx,
653 i);
654 SAFE_FREE(types);
655 code = EINVAL;
656 goto done;
657 }
658 delegation_idx = i;
659 break;
660 case PAC_TYPE_LOGON_NAME:
661 if (logon_name_idx != -1) {
662 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
663 types[i],
664 logon_name_idx,
665 i);
666 SAFE_FREE(types);
667 code = EINVAL;
668 goto done;
669 }
670 logon_name_idx = i;
671 break;
672 case PAC_TYPE_UPN_DNS_INFO:
673 if (upn_dns_info_idx != -1) {
674 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
675 types[i],
676 upn_dns_info_idx,
677 i);
678 SAFE_FREE(types);
679 code = EINVAL;
680 goto done;
681 }
682 upn_dns_info_idx = i;
683 break;
684 case PAC_TYPE_SRV_CHECKSUM:
685 if (srv_checksum_idx != -1) {
686 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
687 types[i],
688 srv_checksum_idx,
689 i);
690 SAFE_FREE(types);
691 code = EINVAL;
692 goto done;
693 }
694 srv_checksum_idx = i;
695 break;
696 case PAC_TYPE_KDC_CHECKSUM:
697 if (kdc_checksum_idx != -1) {
698 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
699 types[i],
700 kdc_checksum_idx,
701 i);
702 SAFE_FREE(types);
703 code = EINVAL;
704 goto done;
705 }
706 kdc_checksum_idx = i;
707 break;
708 default:
709 continue;
710 }
711 }
712
713 if (logon_info_idx == -1) {
714 DEBUG(1, ("PAC_TYPE_LOGON_INFO missing\n"));
715 SAFE_FREE(types);
716 code = EINVAL;
717 goto done;
718 }
719 if (logon_name_idx == -1) {
720 DEBUG(1, ("PAC_TYPE_LOGON_NAME missing\n"));
721 SAFE_FREE(types);
722 code = EINVAL;
723 goto done;
724 }
725 if (srv_checksum_idx == -1) {
726 DEBUG(1, ("PAC_TYPE_SRV_CHECKSUM missing\n"));
727 SAFE_FREE(types);
728 code = EINVAL;
729 goto done;
730 }
731 if (kdc_checksum_idx == -1) {
732 DEBUG(1, ("PAC_TYPE_KDC_CHECKSUM missing\n"));
733 SAFE_FREE(types);
734 code = EINVAL;
735 goto done;
736 }
737
738 /* Build an updated PAC */
739 code = krb5_pac_init(context, &new_pac);
740 if (code != 0) {
741 SAFE_FREE(types);
742 goto done;
743 }
744
745 for (i = 0;;) {
746 krb5_data type_data;
747 DATA_BLOB type_blob = data_blob_null;
748 uint32_t type;
749
750 if (forced_next_type != 0) {
751 /*
752 * We need to inject possible missing types
753 */
754 type = forced_next_type;
755 forced_next_type = 0;
756 } else if (i < num_types) {
757 type = types[i];
758 i++;
759 } else {
760 break;
761 }
762
763 switch (type) {
764 case PAC_TYPE_LOGON_INFO:
765 type_blob = *pac_blob;
766
767 if (delegation_idx == -1 && deleg_blob != NULL) {
768 /* inject CONSTRAINED_DELEGATION behind */
769 forced_next_type = PAC_TYPE_CONSTRAINED_DELEGATION;
770 }
771 break;
772 case PAC_TYPE_CONSTRAINED_DELEGATION:
773 if (deleg_blob != NULL) {
774 type_blob = *deleg_blob;
775 }
776 break;
777 case PAC_TYPE_CREDENTIAL_INFO:
778 /*
779 * Note that we copy the credential blob,
780 * as it's only usable with the PKINIT based
781 * AS-REP reply key, it's only available on the
782 * host which did the AS-REQ/AS-REP exchange.
783 *
784 * This matches Windows 2008R2...
785 */
786 break;
787 case PAC_TYPE_LOGON_NAME:
788 /*
789 * This is generated in the main KDC code
790 */
791 continue;
792 case PAC_TYPE_UPN_DNS_INFO:
793 /*
794 * Replace in the RODC case, otherwise
795 * upn_blob is NULL and we just copy.
796 */
797 if (upn_blob != NULL) {
798 type_blob = *upn_blob;
799 }
800 break;
801 case PAC_TYPE_SRV_CHECKSUM:
802 /*
803 * This is generated in the main KDC code
804 */
805 continue;
806 case PAC_TYPE_KDC_CHECKSUM:
807 /*
808 * This is generated in the main KDC code
809 */
810 continue;
811 default:
812 /* just copy... */
813 break;
814 }
815
816 if (type_blob.length != 0) {
817 code = smb_krb5_copy_data_contents(&type_data,
818 type_blob.data,
819 type_blob.length);
820 if (code != 0) {
821 SAFE_FREE(types);
822 krb5_pac_free(context, new_pac);
823 goto done;
824 }
825 } else {
826 code = krb5_pac_get_buffer(context,
827 *pac,
828 type,
829 &type_data);
830 if (code != 0) {
831 SAFE_FREE(types);
832 krb5_pac_free(context, new_pac);
833 goto done;
834 }
835 }
836
837 code = krb5_pac_add_buffer(context,
838 new_pac,
839 type,
840 &type_data);
841 smb_krb5_free_data_contents(context, &type_data);
842 if (code != 0) {
843 SAFE_FREE(types);
844 krb5_pac_free(context, new_pac);
845 goto done;
846 }
847 }
848
849 SAFE_FREE(types);
850
851 /* We now replace the pac */
852 krb5_pac_free(context, *pac);
853 *pac = new_pac;
854 done:
855 talloc_free(tmp_ctx);
856 return code;
857 }
858
859 /* provide header, function is exported but there are no public headers */
860
861 krb5_error_code encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data **code);
862
863 /* this function allocates 'data' using malloc.
864 * The caller is responsible for freeing it */
865 static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data)
866 {
867 krb5_error_code ret = 0;
868 krb5_pa_data pa, *ppa[2];
869 krb5_data *d = NULL;
870
871 if (!e_data)
872 return;
873
874 e_data->data = NULL;
875 e_data->length = 0;
876
877 pa.magic = KV5M_PA_DATA;
878 pa.pa_type = KRB5_PADATA_PW_SALT;
879 pa.length = 12;
880 pa.contents = malloc(pa.length);
881 if (!pa.contents) {
882 return;
883 }
884
885 SIVAL(pa.contents, 0, NT_STATUS_V(nt_status));
886 SIVAL(pa.contents, 4, 0);
887 SIVAL(pa.contents, 8, 1);
888
889 ppa[0] = &pa;
890 ppa[1] = NULL;
891
892 ret = encode_krb5_padata_sequence(ppa, &d);
893 free(pa.contents);
894 if (ret) {
895 return;
896 }
897
898 e_data->data = (uint8_t *)d->data;
899 e_data->length = d->length;
900
901 /* free d, not d->data - gd */
902 free(d);
903
904 return;
905 }
906
907 int mit_samba_check_client_access(struct mit_samba_context *ctx,
908 krb5_db_entry *client,
909 const char *client_name,
910 krb5_db_entry *server,
911 const char *server_name,
912 const char *netbios_name,
913 bool password_change,
914 DATA_BLOB *e_data)
915 {
916 struct samba_kdc_entry *skdc_entry;
917 NTSTATUS nt_status;
918
919 skdc_entry = talloc_get_type(client->e_data, struct samba_kdc_entry);
920
921 nt_status = samba_kdc_check_client_access(skdc_entry,
922 client_name,
923 netbios_name,
924 password_change);
925
926 if (!NT_STATUS_IS_OK(nt_status)) {
927 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
928 return ENOMEM;
929 }
930
931 samba_kdc_build_edata_reply(nt_status, e_data);
932
933 return samba_kdc_map_policy_err(nt_status);
934 }
935
936 return 0;
937 }
938
939 int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
940 krb5_db_entry *kentry,
941 const char *target_name,
942 bool is_nt_enterprise_name)
943 {
944 #if 1
945 /*
946 * This is disabled because mit_samba_update_pac_data() does not handle
947 * S4U_DELEGATION_INFO
948 */
949
950 return KRB5KDC_ERR_BADOPTION;
951 #else
952 krb5_principal target_principal;
953 int flags = 0;
954 int ret;
955
956 if (is_nt_enterprise_name) {
957 flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
958 }
959
960 ret = krb5_parse_name_flags(ctx->context, target_name,
961 flags, &target_principal);
962 if (ret) {
963 return ret;
964 }
965
966 ret = samba_kdc_check_s4u2proxy(ctx->context,
967 ctx->db_ctx,
968 skdc_entry,
969 target_principal);
970
971 krb5_free_principal(ctx->context, target_principal);
972
973 return ret;
974 #endif
975 }
976
977 static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
978 NTSTATUS result,
979 enum samPwdChangeReason reject_reason,
980 struct samr_DomInfo1 *dominfo)
981 {
982 krb5_error_code code = KADM5_PASS_Q_GENERIC;
983
984 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
985 code = KADM5_BAD_PRINCIPAL;
986 krb5_set_error_message(context,
987 code,
988 "No such user when changing password");
989 }
990 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
991 code = KADM5_PASS_Q_GENERIC;
992 krb5_set_error_message(context,
993 code,
994 "Not permitted to change password");
995 }
996 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) &&
997 dominfo != NULL) {
998 switch (reject_reason) {
999 case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT:
1000 code = KADM5_PASS_Q_TOOSHORT;
1001 krb5_set_error_message(context,
1002 code,
1003 "Password too short, password "
1004 "must be at least %d characters "
1005 "long.",
1006 dominfo->min_password_length);
1007 break;
1008 case SAM_PWD_CHANGE_NOT_COMPLEX:
1009 code = KADM5_PASS_Q_DICT;
1010 krb5_set_error_message(context,
1011 code,
1012 "Password does not meet "
1013 "complexity requirements");
1014 break;
1015 case SAM_PWD_CHANGE_PWD_IN_HISTORY:
1016 code = KADM5_PASS_TOOSOON;
1017 krb5_set_error_message(context,
1018 code,
1019 "Password is already in password "
1020 "history. New password must not "
1021 "match any of your %d previous "
1022 "passwords.",
1023 dominfo->password_history_length);
1024 break;
1025 default:
1026 code = KADM5_PASS_Q_GENERIC;
1027 krb5_set_error_message(context,
1028 code,
1029 "Password change rejected, "
1030 "password changes may not be "
1031 "permitted on this account, or "
1032 "the minimum password age may "
1033 "not have elapsed.");
1034 break;
1035 }
1036 }
1037
1038 return code;
1039 }
1040
1041 int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
1042 char *pwd,
1043 krb5_db_entry *db_entry)
1044 {
1045 NTSTATUS status;
1046 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1047 TALLOC_CTX *tmp_ctx;
1048 DATA_BLOB password;
1049 enum samPwdChangeReason reject_reason;
1050 struct samr_DomInfo1 *dominfo;
1051 const char *error_string = NULL;
1052 struct auth_user_info_dc *user_info_dc;
1053 struct samba_kdc_entry *p;
1054 krb5_error_code code = 0;
1055
1056 #ifdef DEBUG_PASSWORD
1057 DEBUG(1,("mit_samba_kpasswd_change_password called with: %s\n", pwd));
1058 #endif
1059
1060 tmp_ctx = talloc_named(ctx, 0, "mit_samba_kpasswd_change_password");
1061 if (tmp_ctx == NULL) {
1062 return ENOMEM;
1063 }
1064
1065 p = (struct samba_kdc_entry *)db_entry->e_data;
1066
1067 status = authsam_make_user_info_dc(tmp_ctx,
1068 ctx->db_ctx->samdb,
1069 lpcfg_netbios_name(ctx->db_ctx->lp_ctx),
1070 lpcfg_sam_name(ctx->db_ctx->lp_ctx),
1071 lpcfg_sam_dnsname(ctx->db_ctx->lp_ctx),
1072 p->realm_dn,
1073 p->msg,
1074 data_blob(NULL, 0),
1075 data_blob(NULL, 0),
1076 &user_info_dc);
1077 if (!NT_STATUS_IS_OK(status)) {
1078 DEBUG(1,("authsam_make_user_info_dc failed: %s\n",
1079 nt_errstr(status)));
1080 talloc_free(tmp_ctx);
1081 return EINVAL;
1082 }
1083
1084 status = auth_generate_session_info(tmp_ctx,
1085 ctx->db_ctx->lp_ctx,
1086 ctx->db_ctx->samdb,
1087 user_info_dc,
1088 0, /* session_info_flags */
1089 &ctx->session_info);
1090
1091 if (!NT_STATUS_IS_OK(status)) {
1092 DEBUG(1,("auth_generate_session_info failed: %s\n",
1093 nt_errstr(status)));
1094 talloc_free(tmp_ctx);
1095 return EINVAL;
1096 }
1097
1098 /* password is expected as UTF16 */
1099
1100 if (!convert_string_talloc(tmp_ctx, CH_UTF8, CH_UTF16,
1101 pwd, strlen(pwd),
1102 &password.data, &password.length)) {
1103 DEBUG(1,("convert_string_talloc failed\n"));
1104 talloc_free(tmp_ctx);
1105 return EINVAL;
1106 }
1107
1108 status = samdb_kpasswd_change_password(tmp_ctx,
1109 ctx->db_ctx->lp_ctx,
1110 ctx->db_ctx->ev_ctx,
1111 ctx->db_ctx->samdb,
1112 ctx->session_info,
1113 &password,
1114 &reject_reason,
1115 &dominfo,
1116 &error_string,
1117 &result);
1118 if (!NT_STATUS_IS_OK(status)) {
1119 DEBUG(1,("samdb_kpasswd_change_password failed: %s\n",
1120 nt_errstr(status)));
1121 code = KADM5_PASS_Q_GENERIC;
1122 krb5_set_error_message(ctx->context, code, "%s", error_string);
1123 goto out;
1124 }
1125
1126 if (!NT_STATUS_IS_OK(result)) {
1127 code = mit_samba_change_pwd_error(ctx->context,
1128 result,
1129 reject_reason,
1130 dominfo);
1131 }
1132
1133 out:
1134 talloc_free(tmp_ctx);
1135
1136 return code;
1137 }
1138
1139 void mit_samba_zero_bad_password_count(krb5_db_entry *db_entry)
1140 {
1141 struct netr_SendToSamBase *send_to_sam = NULL;
1142 struct samba_kdc_entry *p;
1143 struct ldb_dn *domain_dn;
1144
1145 p = (struct samba_kdc_entry *)db_entry->e_data;
1146
1147 domain_dn = ldb_get_default_basedn(p->kdc_db_ctx->samdb);
1148
1149 authsam_logon_success_accounting(p->kdc_db_ctx->samdb,
1150 p->msg,
1151 domain_dn,
1152 true,
1153 &send_to_sam);
1154 /* TODO: RODC support */
1155 }
1156
1157
1158 void mit_samba_update_bad_password_count(krb5_db_entry *db_entry)
1159 {
1160 struct samba_kdc_entry *p;
1161
1162 p = (struct samba_kdc_entry *)db_entry->e_data;
1163
1164 authsam_update_bad_pwd_count(p->kdc_db_ctx->samdb,
1165 p->msg,
1166 ldb_get_default_basedn(p->kdc_db_ctx->samdb));
1167 }
Samba GIT mirror