search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
mit-kdb: Return 0 in kdb_samba_db_put_principal()
[Samba.git] / source4 / kdc / mit-kdb / kdb_samba_principals.c
blob1c374975d30ed65524e33ca936ae83aaba876a14
1 /*
2 Unix SMB/CIFS implementation.
3
4 Samba KDB plugin for MIT Kerberos
5
6 Copyright (c) 2010 Simo Sorce <idra@samba.org>.
7 Copyright (c) 2014 Andreas Schneider <asn@samba.org>
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24
25 #include "system/kerberos.h"
26
27 #include <profile.h>
28 #include <kdb.h>
29
30 #include "kdc/mit_samba.h"
31 #include "kdb_samba.h"
32
33 #define ADMIN_LIFETIME 60*60*3 /* 3 hours */
34 #define CHANGEPW_LIFETIME 60*5 /* 5 minutes */
35
36 static krb5_error_code ks_get_principal(krb5_context context,
37 krb5_const_principal principal,
38 unsigned int kflags,
39 krb5_db_entry **kentry)
40 {
41 struct mit_samba_context *mit_ctx;
42 krb5_error_code code;
43
44 mit_ctx = ks_get_context(context);
45 if (mit_ctx == NULL) {
46 return KRB5_KDB_DBNOTINITED;
47 }
48
49 code = mit_samba_get_principal(mit_ctx,
50 principal,
51 kflags,
52 kentry);
53 if (code != 0) {
54 goto cleanup;
55 }
56
57 cleanup:
58
59 return code;
60 }
61
62 static krb5_boolean ks_is_master_key_principal(krb5_context context,
63 krb5_const_principal princ)
64 {
65 return krb5_princ_size(context, princ) == 2 &&
66 ks_data_eq_string(princ->data[0], "K") &&
67 ks_data_eq_string(princ->data[1], "M");
68 }
69
70 static krb5_error_code ks_get_master_key_principal(krb5_context context,
71 krb5_const_principal princ,
72 krb5_db_entry **kentry_ptr)
73 {
74 krb5_error_code code;
75 krb5_key_data *key_data;
76 krb5_timestamp now;
77 krb5_db_entry *kentry;
78
79 *kentry_ptr = NULL;
80
81 kentry = malloc(sizeof(krb5_db_entry));
82 if (kentry == NULL) {
83 return ENOMEM;
84 }
85
86 ZERO_STRUCTP(kentry);
87
88 kentry->magic = KRB5_KDB_MAGIC_NUMBER;
89 kentry->len = KRB5_KDB_V1_BASE_LENGTH;
90 kentry->attributes = KRB5_KDB_DISALLOW_ALL_TIX;
91
92 if (princ == NULL) {
93 code = krb5_parse_name(context, KRB5_KDB_M_NAME, &kentry->princ);
94 } else {
95 code = krb5_copy_principal(context, princ, &kentry->princ);
96 }
97 if (code != 0) {
98 ks_free_krb5_db_entry(context, kentry);
99 return code;
100 }
101
102 now = time(NULL);
103
104 code = krb5_dbe_update_mod_princ_data(context, kentry, now, kentry->princ);
105 if (code != 0) {
106 ks_free_krb5_db_entry(context, kentry);
107 return code;
108 }
109
110 /* Return a dummy key */
111 kentry->n_key_data = 1;
112 kentry->key_data = calloc(1, sizeof(krb5_key_data));
113 if (code != 0) {
114 ks_free_krb5_db_entry(context, kentry);
115 return code;
116 }
117
118 key_data = &kentry->key_data[0];
119
120 key_data->key_data_ver = KRB5_KDB_V1_KEY_DATA_ARRAY;
121 key_data->key_data_kvno = 1;
122 key_data->key_data_type[0] = ENCTYPE_UNKNOWN;
123 if (code != 0) {
124 ks_free_krb5_db_entry(context, kentry);
125 return code;
126 }
127
128 *kentry_ptr = kentry;
129
130 return 0;
131 }
132
133 static krb5_error_code ks_create_principal(krb5_context context,
134 krb5_const_principal princ,
135 int attributes,
136 int max_life,
137 const char *password,
138 krb5_db_entry **kentry_ptr)
139 {
140 krb5_error_code code;
141 krb5_key_data *key_data;
142 krb5_timestamp now;
143 krb5_db_entry *kentry;
144 krb5_keyblock key;
145 krb5_data salt;
146 krb5_data pwd;
147 int enctype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
148 int sts = KRB5_KDB_SALTTYPE_SPECIAL;
149
150 if (princ == NULL) {
151 return KRB5_KDB_NOENTRY;
152 }
153
154 *kentry_ptr = NULL;
155
156 kentry = calloc(1, sizeof(krb5_db_entry));
157 if (kentry == NULL) {
158 return ENOMEM;
159 }
160
161 ZERO_STRUCTP(kentry);
162
163 kentry->magic = KRB5_KDB_MAGIC_NUMBER;
164 kentry->len = KRB5_KDB_V1_BASE_LENGTH;
165
166 if (attributes > 0) {
167 kentry->attributes = attributes;
168 }
169
170 if (max_life > 0) {
171 kentry->max_life = max_life;
172 }
173
174 code = krb5_copy_principal(context, princ, &kentry->princ);
175 if (code != 0) {
176 ks_free_krb5_db_entry(context, kentry);
177 return code;
178 }
179
180 now = time(NULL);
181
182 code = krb5_dbe_update_mod_princ_data(context, kentry, now, kentry->princ);
183 if (code != 0) {
184 ks_free_krb5_db_entry(context, kentry);
185 return code;
186 }
187
188 code = mit_samba_generate_salt(&salt);
189 if (code != 0) {
190 ks_free_krb5_db_entry(context, kentry);
191 return code;
192 }
193
194 if (password != NULL) {
195 pwd.data = strdup(password);
196 pwd.length = strlen(password);
197 } else {
198 /* create a random password */
199 code = mit_samba_generate_random_password(&pwd);
200 if (code != 0) {
201 ks_free_krb5_db_entry(context, kentry);
202 return code;
203 }
204 }
205
206 code = krb5_c_string_to_key(context, enctype, &pwd, &salt, &key);
207 SAFE_FREE(pwd.data);
208 if (code != 0) {
209 ks_free_krb5_db_entry(context, kentry);
210 return code;
211 }
212
213 kentry->n_key_data = 1;
214 kentry->key_data = calloc(1, sizeof(krb5_key_data));
215 if (code != 0) {
216 ks_free_krb5_db_entry(context, kentry);
217 return code;
218 }
219
220 key_data = &kentry->key_data[0];
221
222 key_data->key_data_ver = KRB5_KDB_V1_KEY_DATA_ARRAY;
223 key_data->key_data_kvno = 1;
224 key_data->key_data_type[0] = key.enctype;
225 key_data->key_data_length[0] = key.length;
226 key_data->key_data_contents[0] = key.contents;
227 key_data->key_data_type[1] = sts;
228 key_data->key_data_length[1] = salt.length;
229 key_data->key_data_contents[1] = (krb5_octet*)salt.data;
230
231 *kentry_ptr = kentry;
232
233 return 0;
234 }
235
236 static krb5_error_code ks_get_admin_principal(krb5_context context,
237 krb5_const_principal princ,
238 krb5_db_entry **kentry_ptr)
239 {
240 krb5_error_code code = EINVAL;
241
242 code = ks_create_principal(context,
243 princ,
244 KRB5_KDB_DISALLOW_TGT_BASED,
245 ADMIN_LIFETIME,
246 NULL,
247 kentry_ptr);
248
249 return code;
250 }
251
252 krb5_error_code kdb_samba_db_get_principal(krb5_context context,
253 krb5_const_principal princ,
254 unsigned int kflags,
255 krb5_db_entry **kentry)
256 {
257 struct mit_samba_context *mit_ctx;
258 krb5_error_code code;
259
260 mit_ctx = ks_get_context(context);
261 if (mit_ctx == NULL) {
262 return KRB5_KDB_DBNOTINITED;
263 }
264
265 if (ks_is_master_key_principal(context, princ)) {
266 return ks_get_master_key_principal(context, princ, kentry);
267 }
268
269 /*
270 * Fake a kadmin/admin and kadmin/history principal so that kadmindd can
271 * start
272 */
273 if (ks_is_kadmin_admin(context, princ) ||
274 ks_is_kadmin_history(context, princ)) {
275 return ks_get_admin_principal(context, princ, kentry);
276 }
277
278 code = ks_get_principal(context, princ, kflags, kentry);
279
280 return code;
281 }
282
283 void kdb_samba_db_free_principal(krb5_context context,
284 krb5_db_entry *entry)
285 {
286 struct mit_samba_context *mit_ctx;
287
288 mit_ctx = ks_get_context(context);
289 if (mit_ctx == NULL) {
290 return;
291 }
292
293 ks_free_krb5_db_entry(context, entry);
294 }
295
296 krb5_error_code kdb_samba_db_put_principal(krb5_context context,
297 krb5_db_entry *entry,
298 char **db_args)
299 {
300
301 /* NOTE: deferred, samba does not allow the KDC to store
302 * principals for now. We should not return KRB5_KDB_DB_INUSE as this
303 * would result in confusing error messages after password changes. */
304 return 0;
305 }
306
307 krb5_error_code kdb_samba_db_delete_principal(krb5_context context,
308 krb5_const_principal princ)
309 {
310
311 /* NOTE: deferred, samba does not allow the KDC to delete
312 * principals for now */
313 return KRB5_KDB_DB_INUSE;
314 }
315
316 krb5_error_code kdb_samba_db_iterate(krb5_context context,
317 char *match_entry,
318 int (*func)(krb5_pointer, krb5_db_entry *),
319 krb5_pointer func_arg)
320 {
321 struct mit_samba_context *mit_ctx;
322 krb5_db_entry *kentry = NULL;
323 krb5_error_code code;
324
325
326 mit_ctx = ks_get_context(context);
327 if (mit_ctx == NULL) {
328 return KRB5_KDB_DBNOTINITED;
329 }
330
331 code = mit_samba_get_firstkey(mit_ctx, &kentry);
332 while (code == 0) {
333 code = (*func)(func_arg, kentry);
334 if (code != 0) {
335 break;
336 }
337
338 code = mit_samba_get_nextkey(mit_ctx, &kentry);
339 }
340
341 if (code == KRB5_KDB_NOENTRY) {
342 code = 0;
343 }
344
345 return code;
346 }
Samba GIT mirror