ldb: version 1.1.20
[Samba.git] / source3 / libads / krb5_setpw.c
blob5b33e2eaadc023c71e9bc26d584da3cbd797e9fb
1 /*
2 Unix SMB/CIFS implementation.
3 krb5 set password implementation
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "includes.h"
22 #include "smb_krb5.h"
23 #include "libads/kerberos_proto.h"
24 #include "../lib/util/asn1.h"
26 #ifdef HAVE_KRB5
28 /* Those are defined by kerberos-set-passwd-02.txt and are probably
29 * not supported by M$ implementation */
30 #define KRB5_KPASSWD_POLICY_REJECT 8
31 #define KRB5_KPASSWD_BAD_PRINCIPAL 9
32 #define KRB5_KPASSWD_ETYPE_NOSUPP 10
35 * we've got to be able to distinguish KRB_ERRORs from other
36 * requests - valid response for CHPW v2 replies.
39 static krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code)
41 switch(res_code) {
42 case KRB5_KPASSWD_ACCESSDENIED:
43 return KRB5KDC_ERR_BADOPTION;
44 case KRB5_KPASSWD_INITIAL_FLAG_NEEDED:
45 return KRB5KDC_ERR_BADOPTION;
46 /* return KV5M_ALT_METHOD; MIT-only define */
47 case KRB5_KPASSWD_ETYPE_NOSUPP:
48 return KRB5KDC_ERR_ETYPE_NOSUPP;
49 case KRB5_KPASSWD_BAD_PRINCIPAL:
50 return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
51 case KRB5_KPASSWD_POLICY_REJECT:
52 case KRB5_KPASSWD_SOFTERROR:
53 return KRB5KDC_ERR_POLICY;
54 default:
55 return KRB5KRB_ERR_GENERIC;
59 ADS_STATUS ads_krb5_set_password(const char *kdc_host, const char *principal,
60 const char *newpw, int time_offset)
63 ADS_STATUS aret;
64 krb5_error_code ret = 0;
65 krb5_context context = NULL;
66 krb5_principal princ = NULL;
67 krb5_ccache ccache = NULL;
68 int result_code;
69 krb5_data result_code_string = { 0 };
70 krb5_data result_string = { 0 };
72 initialize_krb5_error_table();
73 ret = krb5_init_context(&context);
74 if (ret) {
75 DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
76 return ADS_ERROR_KRB5(ret);
79 if (principal) {
80 ret = smb_krb5_parse_name(context, principal, &princ);
81 if (ret) {
82 krb5_free_context(context);
83 DEBUG(1, ("Failed to parse %s (%s)\n", principal,
84 error_message(ret)));
85 return ADS_ERROR_KRB5(ret);
89 if (time_offset != 0) {
90 krb5_set_real_time(context, time(NULL) + time_offset, 0);
93 ret = krb5_cc_default(context, &ccache);
94 if (ret) {
95 krb5_free_principal(context, princ);
96 krb5_free_context(context);
97 DEBUG(1,("Failed to get default creds (%s)\n", error_message(ret)));
98 return ADS_ERROR_KRB5(ret);
101 ret = krb5_set_password_using_ccache(context, ccache, newpw, princ,
102 &result_code,
103 &result_code_string,
104 &result_string);
105 if (ret) {
106 DEBUG(1, ("krb5_set_password failed (%s)\n", error_message(ret)));
107 aret = ADS_ERROR_KRB5(ret);
108 goto done;
111 if (result_code != KRB5_KPASSWD_SUCCESS) {
112 ret = kpasswd_err_to_krb5_err(result_code);
113 DEBUG(1, ("krb5_set_password failed (%s)\n", error_message(ret)));
114 aret = ADS_ERROR_KRB5(ret);
115 goto done;
118 aret = ADS_SUCCESS;
120 done:
121 kerberos_free_data_contents(context, &result_code_string);
122 kerberos_free_data_contents(context, &result_string);
123 krb5_free_principal(context, princ);
124 krb5_cc_close(context, ccache);
125 krb5_free_context(context);
127 return aret;
131 we use a prompter to avoid a crash bug in the kerberos libs when
132 dealing with empty passwords
133 this prompter is just a string copy ...
135 static krb5_error_code
136 kerb_prompter(krb5_context ctx, void *data,
137 const char *name,
138 const char *banner,
139 int num_prompts,
140 krb5_prompt prompts[])
142 if (num_prompts == 0) return 0;
144 memset(prompts[0].reply->data, 0, prompts[0].reply->length);
145 if (prompts[0].reply->length > 0) {
146 if (data) {
147 strncpy((char *)prompts[0].reply->data,
148 (const char *)data,
149 prompts[0].reply->length-1);
150 prompts[0].reply->length = strlen((const char *)prompts[0].reply->data);
151 } else {
152 prompts[0].reply->length = 0;
155 return 0;
158 static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
159 const char *principal,
160 const char *oldpw,
161 const char *newpw,
162 int time_offset)
164 ADS_STATUS aret;
165 krb5_error_code ret;
166 krb5_context context = NULL;
167 krb5_principal princ;
168 krb5_get_init_creds_opt opts;
169 krb5_creds creds;
170 char *chpw_princ = NULL, *password;
171 char *realm = NULL;
172 int result_code;
173 krb5_data result_code_string = { 0 };
174 krb5_data result_string = { 0 };
175 smb_krb5_addresses *addr = NULL;
177 initialize_krb5_error_table();
178 ret = krb5_init_context(&context);
179 if (ret) {
180 DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
181 return ADS_ERROR_KRB5(ret);
184 if ((ret = smb_krb5_parse_name(context, principal,
185 &princ))) {
186 krb5_free_context(context);
187 DEBUG(1,("Failed to parse %s (%s)\n", principal, error_message(ret)));
188 return ADS_ERROR_KRB5(ret);
191 krb5_get_init_creds_opt_init(&opts);
193 krb5_get_init_creds_opt_set_tkt_life(&opts, 5*60);
194 krb5_get_init_creds_opt_set_renew_life(&opts, 0);
195 krb5_get_init_creds_opt_set_forwardable(&opts, 0);
196 krb5_get_init_creds_opt_set_proxiable(&opts, 0);
198 /* note that heimdal will fill in the local addresses if the addresses
199 * in the creds_init_opt are all empty and then later fail with invalid
200 * address, sending our local netbios krb5 address - just like windows
201 * - avoids this - gd */
202 ret = smb_krb5_gen_netbios_krb5_address(&addr, lp_netbios_name());
203 if (ret) {
204 krb5_free_principal(context, princ);
205 krb5_free_context(context);
206 return ADS_ERROR_KRB5(ret);
208 krb5_get_init_creds_opt_set_address_list(&opts, addr->addrs);
210 realm = smb_krb5_principal_get_realm(context, princ);
212 /* We have to obtain an INITIAL changepw ticket for changing password */
213 if (asprintf(&chpw_princ, "kadmin/changepw@%s", realm) == -1) {
214 krb5_free_context(context);
215 free(realm);
216 DEBUG(1,("ads_krb5_chg_password: asprintf fail\n"));
217 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
220 free(realm);
221 password = SMB_STRDUP(oldpw);
222 ret = krb5_get_init_creds_password(context, &creds, princ, password,
223 kerb_prompter, NULL,
224 0, chpw_princ, &opts);
225 SAFE_FREE(chpw_princ);
226 SAFE_FREE(password);
228 if (ret) {
229 if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)
230 DEBUG(1,("Password incorrect while getting initial ticket"));
231 else
232 DEBUG(1,("krb5_get_init_creds_password failed (%s)\n", error_message(ret)));
234 krb5_free_principal(context, princ);
235 krb5_free_context(context);
236 return ADS_ERROR_KRB5(ret);
239 ret = krb5_change_password(context, &creds, newpw, &result_code,
240 &result_code_string, &result_string);
241 if (ret) {
242 DEBUG(1, ("krb5_change_password failed (%s)\n", error_message(ret)));
243 aret = ADS_ERROR_KRB5(ret);
244 goto done;
247 if (result_code != KRB5_KPASSWD_SUCCESS) {
248 ret = kpasswd_err_to_krb5_err(result_code);
249 DEBUG(1, ("krb5_change_password failed (%s)\n", error_message(ret)));
250 aret = ADS_ERROR_KRB5(ret);
251 goto done;
254 aret = ADS_SUCCESS;
256 done:
257 kerberos_free_data_contents(context, &result_code_string);
258 kerberos_free_data_contents(context, &result_string);
259 krb5_free_principal(context, princ);
260 krb5_free_context(context);
262 return aret;
266 ADS_STATUS kerberos_set_password(const char *kpasswd_server,
267 const char *auth_principal, const char *auth_password,
268 const char *target_principal, const char *new_password,
269 int time_offset)
271 int ret;
273 if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL))) {
274 DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret)));
275 return ADS_ERROR_KRB5(ret);
278 if (!strcmp(auth_principal, target_principal))
279 return ads_krb5_chg_password(kpasswd_server, target_principal,
280 auth_password, new_password, time_offset);
281 else
282 return ads_krb5_set_password(kpasswd_server, target_principal,
283 new_password, time_offset);
286 #endif