search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
CVE-2022-32744 s4:kdc: Don't allow HDB keytab iteration
[Samba.git] / source4 / kdc / kdc-heimdal.c
blob542986c5ad3d307ab3931a944af9c962d52e6a3d
1 /*
2 Unix SMB/CIFS implementation.
3
4 KDC Server startup
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2008
7 Copyright (C) Andrew Tridgell 2005
8 Copyright (C) Stefan Metzmacher 2005
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "samba/process_model.h"
26 #include "lib/tsocket/tsocket.h"
27 #include "lib/messaging/irpc.h"
28 #include "librpc/gen_ndr/ndr_irpc.h"
29 #include "librpc/gen_ndr/ndr_krb5pac.h"
30 #include "lib/socket/netif.h"
31 #include "param/param.h"
32 #include "kdc/kdc-server.h"
33 #include "kdc/kdc-proxy.h"
34 #include "kdc/kdc-glue.h"
35 #include "kdc/pac-glue.h"
36 #include "kdc/kpasswd-service.h"
37 #include "dsdb/samdb/samdb.h"
38 #include "auth/session.h"
39 #include "libds/common/roles.h"
40 #include <kdc.h>
41 #include <hdb.h>
42
43 NTSTATUS server_service_kdc_init(TALLOC_CTX *);
44
45 extern struct krb5plugin_kdc_ftable kdc_plugin_table;
46
47 /**
48 Wrapper for krb5_kdc_process_krb5_request, converting to/from Samba
49 calling conventions
50 */
51
52 static kdc_code kdc_process(struct kdc_server *kdc,
53 TALLOC_CTX *mem_ctx,
54 DATA_BLOB *input,
55 DATA_BLOB *reply,
56 struct tsocket_address *peer_addr,
57 struct tsocket_address *my_addr,
58 int datagram_reply)
59 {
60 int ret;
61 char *pa;
62 struct sockaddr_storage ss;
63 krb5_data k5_reply;
64 krb5_kdc_configuration *kdc_config =
65 (krb5_kdc_configuration *)kdc->private_data;
66
67 krb5_data_zero(&k5_reply);
68
69 krb5_kdc_update_time(NULL);
70
71 ret = tsocket_address_bsd_sockaddr(peer_addr, (struct sockaddr *) &ss,
72 sizeof(struct sockaddr_storage));
73 if (ret < 0) {
74 return KDC_ERROR;
75 }
76 pa = tsocket_address_string(peer_addr, mem_ctx);
77 if (pa == NULL) {
78 return KDC_ERROR;
79 }
80
81 DBG_DEBUG("Received KDC packet of length %lu from %s\n",
82 (long)input->length - 4, pa);
83
84 ret = krb5_kdc_process_krb5_request(kdc->smb_krb5_context->krb5_context,
85 kdc_config,
86 input->data, input->length,
87 &k5_reply,
88 pa,
89 (struct sockaddr *) &ss,
90 datagram_reply);
91 if (ret == -1) {
92 *reply = data_blob(NULL, 0);
93 return KDC_ERROR;
94 }
95
96 if (ret == HDB_ERR_NOT_FOUND_HERE) {
97 *reply = data_blob(NULL, 0);
98 return KDC_PROXY_REQUEST;
99 }
100
101 if (k5_reply.length) {
102 *reply = data_blob_talloc(mem_ctx, k5_reply.data, k5_reply.length);
103 krb5_data_free(&k5_reply);
104 } else {
105 *reply = data_blob(NULL, 0);
106 }
107 return KDC_OK;
108 }
109
110 /*
111 setup our listening sockets on the configured network interfaces
112 */
113 static NTSTATUS kdc_startup_interfaces(struct kdc_server *kdc,
114 struct loadparm_context *lp_ctx,
115 struct interface *ifaces,
116 const struct model_ops *model_ops)
117 {
118 int num_interfaces;
119 TALLOC_CTX *tmp_ctx = talloc_new(kdc);
120 NTSTATUS status;
121 int i;
122 uint16_t kdc_port = lpcfg_krb5_port(lp_ctx);
123 uint16_t kpasswd_port = lpcfg_kpasswd_port(lp_ctx);
124 bool done_wildcard = false;
125
126 num_interfaces = iface_list_count(ifaces);
127
128 /* if we are allowing incoming packets from any address, then
129 we need to bind to the wildcard address */
130 if (!lpcfg_bind_interfaces_only(lp_ctx)) {
131 size_t num_binds = 0;
132 char **wcard = iface_list_wildcard(kdc);
133 NT_STATUS_HAVE_NO_MEMORY(wcard);
134 for (i=0; wcard[i]; i++) {
135 if (kdc_port) {
136 status = kdc_add_socket(kdc, model_ops,
137 "kdc", wcard[i], kdc_port,
138 kdc_process, false);
139 if (NT_STATUS_IS_OK(status)) {
140 num_binds++;
141 }
142 }
143
144 if (kpasswd_port) {
145 status = kdc_add_socket(kdc, model_ops,
146 "kpasswd", wcard[i], kpasswd_port,
147 kpasswd_process, false);
148 if (NT_STATUS_IS_OK(status)) {
149 num_binds++;
150 }
151 }
152 }
153 talloc_free(wcard);
154 if (num_binds == 0) {
155 return NT_STATUS_INVALID_PARAMETER_MIX;
156 }
157 done_wildcard = true;
158 }
159
160 for (i=0; i<num_interfaces; i++) {
161 const char *address = talloc_strdup(tmp_ctx, iface_list_n_ip(ifaces, i));
162
163 if (kdc_port) {
164 status = kdc_add_socket(kdc, model_ops,
165 "kdc", address, kdc_port,
166 kdc_process, done_wildcard);
167 NT_STATUS_NOT_OK_RETURN(status);
168 }
169
170 if (kpasswd_port) {
171 status = kdc_add_socket(kdc, model_ops,
172 "kpasswd", address, kpasswd_port,
173 kpasswd_process, done_wildcard);
174 NT_STATUS_NOT_OK_RETURN(status);
175 }
176 }
177
178 talloc_free(tmp_ctx);
179
180 return NT_STATUS_OK;
181 }
182
183 static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg,
184 struct kdc_check_generic_kerberos *r)
185 {
186 struct PAC_Validate pac_validate;
187 DATA_BLOB srv_sig;
188 struct PAC_SIGNATURE_DATA kdc_sig;
189 struct kdc_server *kdc = talloc_get_type(msg->private_data, struct kdc_server);
190 krb5_kdc_configuration *kdc_config =
191 (krb5_kdc_configuration *)kdc->private_data;
192 enum ndr_err_code ndr_err;
193 int ret;
194 hdb_entry ent;
195 krb5_principal principal;
196
197
198 /* There is no reply to this request */
199 r->out.generic_reply = data_blob(NULL, 0);
200
201 ndr_err = ndr_pull_struct_blob(&r->in.generic_request, msg, &pac_validate,
202 (ndr_pull_flags_fn_t)ndr_pull_PAC_Validate);
203 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
204 return NT_STATUS_INVALID_PARAMETER;
205 }
206
207 if (pac_validate.MessageType != NETLOGON_GENERIC_KRB5_PAC_VALIDATE) {
208 /* We don't implement any other message types - such as certificate validation - yet */
209 return NT_STATUS_INVALID_PARAMETER;
210 }
211
212 if (pac_validate.ChecksumAndSignature.length != (pac_validate.ChecksumLength + pac_validate.SignatureLength)
213 || pac_validate.ChecksumAndSignature.length < pac_validate.ChecksumLength
214 || pac_validate.ChecksumAndSignature.length < pac_validate.SignatureLength ) {
215 return NT_STATUS_INVALID_PARAMETER;
216 }
217
218 srv_sig = data_blob_const(pac_validate.ChecksumAndSignature.data,
219 pac_validate.ChecksumLength);
220
221 ret = krb5_make_principal(kdc->smb_krb5_context->krb5_context, &principal,
222 lpcfg_realm(kdc->task->lp_ctx),
223 "krbtgt", lpcfg_realm(kdc->task->lp_ctx),
224 NULL);
225
226 if (ret != 0) {
227 return NT_STATUS_NO_MEMORY;
228 }
229
230 ret = kdc_config->db[0]->hdb_fetch_kvno(kdc->smb_krb5_context->krb5_context,
231 kdc_config->db[0],
232 principal,
233 HDB_F_GET_KRBTGT | HDB_F_DECRYPT,
234 0,
235 &ent);
236
237 if (ret != 0) {
238 hdb_free_entry(kdc->smb_krb5_context->krb5_context, kdc_config->db[0], &ent);
239 krb5_free_principal(kdc->smb_krb5_context->krb5_context, principal);
240
241 return NT_STATUS_LOGON_FAILURE;
242 }
243
244 kdc_sig.type = pac_validate.SignatureType;
245 kdc_sig.signature = data_blob_const(&pac_validate.ChecksumAndSignature.data[pac_validate.ChecksumLength],
246 pac_validate.SignatureLength);
247
248 ret = kdc_check_pac(kdc->smb_krb5_context->krb5_context, srv_sig, &kdc_sig, &ent);
249
250 hdb_free_entry(kdc->smb_krb5_context->krb5_context, kdc_config->db[0], &ent);
251 krb5_free_principal(kdc->smb_krb5_context->krb5_context, principal);
252
253 if (ret != 0) {
254 return NT_STATUS_LOGON_FAILURE;
255 }
256
257 return NT_STATUS_OK;
258 }
259
260
261 /*
262 startup the kdc task
263 */
264 static NTSTATUS kdc_task_init(struct task_server *task)
265 {
266 struct kdc_server *kdc;
267 NTSTATUS status;
268 struct interface *ifaces;
269
270 switch (lpcfg_server_role(task->lp_ctx)) {
271 case ROLE_STANDALONE:
272 task_server_terminate(task, "kdc: no KDC required in standalone configuration", false);
273 return NT_STATUS_INVALID_DOMAIN_ROLE;
274 case ROLE_DOMAIN_MEMBER:
275 task_server_terminate(task, "kdc: no KDC required in member server configuration", false);
276 return NT_STATUS_INVALID_DOMAIN_ROLE;
277 case ROLE_DOMAIN_PDC:
278 case ROLE_DOMAIN_BDC:
279 case ROLE_IPA_DC:
280 task_server_terminate(
281 task, "Cannot start KDC as a 'classic Samba' DC", false);
282 return NT_STATUS_INVALID_DOMAIN_ROLE;
283 case ROLE_ACTIVE_DIRECTORY_DC:
284 /* Yes, we want a KDC */
285 break;
286 }
287
288 load_interface_list(task, task->lp_ctx, &ifaces);
289
290 if (iface_list_count(ifaces) == 0) {
291 task_server_terminate(task, "kdc: no network interfaces configured", false);
292 return NT_STATUS_UNSUCCESSFUL;
293 }
294
295 task_server_set_title(task, "task[kdc]");
296
297 kdc = talloc_zero(task, struct kdc_server);
298 if (kdc == NULL) {
299 task_server_terminate(task, "kdc: out of memory", true);
300 return NT_STATUS_NO_MEMORY;
301 }
302
303 kdc->task = task;
304 task->private_data = kdc;
305
306 /* start listening on the configured network interfaces */
307 status = kdc_startup_interfaces(kdc, task->lp_ctx, ifaces,
308 task->model_ops);
309 if (!NT_STATUS_IS_OK(status)) {
310 task_server_terminate(task, "kdc failed to setup interfaces", true);
311 return status;
312 }
313
314
315 return NT_STATUS_OK;
316 }
317
318 /*
319 initialise the kdc task after a fork
320 */
321 static void kdc_post_fork(struct task_server *task, struct process_details *pd)
322 {
323 struct kdc_server *kdc;
324 krb5_kdc_configuration *kdc_config = NULL;
325 NTSTATUS status;
326 krb5_error_code ret;
327 int ldb_ret;
328
329 if (task == NULL) {
330 task_server_terminate(task, "kdc: Null task", true);
331 return;
332 }
333 if (task->private_data == NULL) {
334 task_server_terminate(task, "kdc: No kdc_server info", true);
335 return;
336 }
337 kdc = talloc_get_type_abort(task->private_data, struct kdc_server);
338
339 /* get a samdb connection */
340 kdc->samdb = samdb_connect(kdc,
341 kdc->task->event_ctx,
342 kdc->task->lp_ctx,
343 system_session(kdc->task->lp_ctx),
344 NULL,
345 0);
346 if (!kdc->samdb) {
347 DBG_WARNING("kdc_task_init: unable to connect to samdb\n");
348 task_server_terminate(task, "kdc: krb5_init_context samdb connect failed", true);
349 return;
350 }
351
352 ldb_ret = samdb_rodc(kdc->samdb, &kdc->am_rodc);
353 if (ldb_ret != LDB_SUCCESS) {
354 DBG_WARNING("kdc_task_init: "
355 "Cannot determine if we are an RODC: %s\n",
356 ldb_errstring(kdc->samdb));
357 task_server_terminate(task, "kdc: krb5_init_context samdb RODC connect failed", true);
358 return;
359 }
360
361 kdc->proxy_timeout = lpcfg_parm_int(kdc->task->lp_ctx, NULL, "kdc", "proxy timeout", 5);
362
363 initialize_krb5_error_table();
364
365 ret = smb_krb5_init_context(kdc, task->lp_ctx, &kdc->smb_krb5_context);
366 if (ret) {
367 DBG_WARNING("kdc_task_init: krb5_init_context failed (%s)\n",
368 error_message(ret));
369 task_server_terminate(task, "kdc: krb5_init_context failed", true);
370 return;
371 }
372
373 krb5_add_et_list(kdc->smb_krb5_context->krb5_context, initialize_hdb_error_table_r);
374
375 ret = krb5_kdc_get_config(kdc->smb_krb5_context->krb5_context,
376 &kdc_config);
377 if(ret) {
378 task_server_terminate(task, "kdc: failed to get KDC configuration", true);
379 return;
380 }
381
382 kdc_config->logf = (krb5_log_facility *)kdc->smb_krb5_context->pvt_log_data;
383 kdc_config->db = talloc(kdc, struct HDB *);
384 if (!kdc_config->db) {
385 task_server_terminate(task, "kdc: out of memory", true);
386 return;
387 }
388 kdc_config->num_db = 1;
389
390 /*
391 * This restores the behavior before
392 * commit 255e3e18e00f717d99f3bc57c8a8895ff624f3c3
393 * s4:heimdal: import lorikeet-heimdal-201107150856
394 * (commit 48936803fae4a2fb362c79365d31f420c917b85b)
395 *
396 * as_use_strongest_session_key,preauth_use_strongest_session_key
397 * and tgs_use_strongest_session_key are input to the
398 * _kdc_find_etype() function. The old bahavior is in
399 * the use_strongest_session_key=FALSE code path.
400 * (The only remaining difference in _kdc_find_etype()
401 * is the is_preauth parameter.)
402 *
403 * The old behavior in the _kdc_get_preferred_key()
404 * function is use_strongest_server_key=TRUE.
405 */
406 kdc_config->tgt_use_strongest_session_key = false;
407 kdc_config->preauth_use_strongest_session_key = true;
408 kdc_config->svc_use_strongest_session_key = false;
409 kdc_config->use_strongest_server_key = true;
410
411 kdc_config->force_include_pa_etype_salt = true;
412
413 /*
414 * For Samba CVE-2020-25719 Require PAC to be present
415 * This instructs Heimdal to match AD behaviour,
416 * as seen after Microsoft's CVE-2021-42287 when
417 * PacRequestorEnforcement is set to 2.
418 *
419 * Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
420 * REF: https://support.microsoft.com/en-au/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
421 */
422
423 kdc_config->require_pac = true;
424
425 /*
426 * By default we enable RFC6113/FAST support,
427 * but we have an option to disable in order to
428 * test against a KDC with FAST support.
429 */
430 kdc_config->enable_fast = lpcfg_kdc_enable_fast(task->lp_ctx);
431
432 /*
433 * Match Windows and RFC6113 and Windows but break older
434 * Heimdal clients.
435 */
436 kdc_config->enable_armored_pa_enc_timestamp = false;
437
438 /* Register hdb-samba4 hooks for use as a keytab */
439
440 kdc->base_ctx = talloc_zero(kdc, struct samba_kdc_base_context);
441 if (!kdc->base_ctx) {
442 task_server_terminate(task, "kdc: out of memory", true);
443 return;
444 }
445
446 kdc->base_ctx->ev_ctx = task->event_ctx;
447 kdc->base_ctx->lp_ctx = task->lp_ctx;
448 kdc->base_ctx->msg_ctx = task->msg_ctx;
449
450 status = hdb_samba4_create_kdc(kdc->base_ctx,
451 kdc->smb_krb5_context->krb5_context,
452 &kdc_config->db[0]);
453 if (!NT_STATUS_IS_OK(status)) {
454 task_server_terminate(task, "kdc: hdb_samba4_create_kdc (setup KDC database) failed", true);
455 return;
456 }
457
458 ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
459 PLUGIN_TYPE_DATA, "hdb_samba4_interface",
460 &hdb_samba4_interface);
461 if(ret) {
462 task_server_terminate(task, "kdc: failed to register hdb plugin", true);
463 return;
464 }
465
466 kdc->keytab_name = talloc_asprintf(kdc, "HDBGET:samba4:&%p", kdc->base_ctx);
467 if (kdc->keytab_name == NULL) {
468 task_server_terminate(task,
469 "kdc: Failed to set keytab name",
470 true);
471 return;
472 }
473
474 ret = krb5_kt_register(kdc->smb_krb5_context->krb5_context, &hdb_get_kt_ops);
475 if(ret) {
476 task_server_terminate(task, "kdc: failed to register keytab plugin", true);
477 return;
478 }
479
480 /* Register KDC hooks */
481 ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
482 PLUGIN_TYPE_DATA, "kdc",
483 &kdc_plugin_table);
484 if(ret) {
485 task_server_terminate(task, "kdc: failed to register kdc plugin", true);
486 return;
487 }
488
489 ret = krb5_kdc_plugin_init(kdc->smb_krb5_context->krb5_context);
490
491 if(ret) {
492 task_server_terminate(task, "kdc: failed to init kdc plugin", true);
493 return;
494 }
495
496 ret = krb5_kdc_pkinit_config(kdc->smb_krb5_context->krb5_context, kdc_config);
497
498 if(ret) {
499 task_server_terminate(task, "kdc: failed to init kdc pkinit subsystem", true);
500 return;
501 }
502 kdc->private_data = kdc_config;
503
504 status = IRPC_REGISTER(task->msg_ctx, irpc, KDC_CHECK_GENERIC_KERBEROS,
505 kdc_check_generic_kerberos, kdc);
506 if (!NT_STATUS_IS_OK(status)) {
507 task_server_terminate(task, "kdc failed to setup monitoring", true);
508 return;
509 }
510
511 irpc_add_name(task->msg_ctx, "kdc_server");
512 }
513
514
515 /* called at smbd startup - register ourselves as a server service */
516 NTSTATUS server_service_kdc_init(TALLOC_CTX *ctx)
517 {
518 static const struct service_details details = {
519 .inhibit_fork_on_accept = true,
520 .inhibit_pre_fork = false,
521 .task_init = kdc_task_init,
522 .post_fork = kdc_post_fork
523 };
524 return register_server_service(ctx, "kdc", &details);
525 }
Samba GIT mirror