2 Unix SMB/CIFS implementation.
3 kerberos utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Guenther Deschner 2003, 2005
8 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
9 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
10 Copyright (C) Jeremy Allison 2007
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
28 #include "libads/kerberos_proto.h"
30 #include "../librpc/gen_ndr/krb5pac.h"
34 #if !defined(HAVE_KRB5_PRINC_COMPONENT)
35 const krb5_data
*krb5_princ_component(krb5_context
, krb5_principal
, int );
38 static bool ads_dedicated_keytab_verify_ticket(krb5_context context
,
39 krb5_auth_context auth_context
,
40 const DATA_BLOB
*ticket
,
42 krb5_keyblock
**keyblock
,
43 krb5_error_code
*perr
)
45 krb5_error_code ret
= 0;
47 krb5_keytab keytab
= NULL
;
48 krb5_keytab_entry kt_entry
;
49 krb5_ticket
*dec_ticket
= NULL
;
59 ZERO_STRUCT(kt_entry
);
61 ret
= smb_krb5_open_keytab(context
, lp_dedicated_keytab_file(), true,
64 DEBUG(1, ("smb_krb5_open_keytab failed (%s)\n",
69 packet
.length
= ticket
->length
;
70 packet
.data
= (char *)ticket
->data
;
72 ret
= krb5_rd_req(context
, &auth_context
, &packet
, NULL
, keytab
,
75 DEBUG(0, ("krb5_rd_req failed (%s)\n", error_message(ret
)));
79 #ifdef HAVE_ETYPE_IN_ENCRYPTEDDATA /* Heimdal */
80 enctype
= dec_ticket
->ticket
.key
.keytype
;
82 enctype
= dec_ticket
->enc_part
.enctype
;
83 kvno
= dec_ticket
->enc_part
.kvno
;
86 /* Get the key for checking the pac signature */
87 ret
= krb5_kt_get_entry(context
, keytab
, dec_ticket
->server
,
88 kvno
, enctype
, &kt_entry
);
90 DEBUG(0, ("krb5_kt_get_entry failed (%s)\n",
95 ret
= krb5_copy_keyblock(context
, KRB5_KT_KEY(&kt_entry
), keyblock
);
96 smb_krb5_kt_free_entry(context
, &kt_entry
);
99 DEBUG(0, ("failed to copy key: %s\n",
100 error_message(ret
)));
105 *pp_tkt
= dec_ticket
;
110 krb5_free_ticket(context
, dec_ticket
);
113 krb5_kt_close(context
, keytab
);
119 /******************************************************************************
120 Try to verify a ticket using the system keytab... the system keytab has
121 kvno -1 entries, so it's more like what microsoft does... see comment in
122 utils/net_ads.c in the ads_keytab_add_entry function for details.
123 ******************************************************************************/
125 static bool ads_keytab_verify_ticket(krb5_context context
,
126 krb5_auth_context auth_context
,
127 const DATA_BLOB
*ticket
,
128 krb5_ticket
**pp_tkt
,
129 krb5_keyblock
**keyblock
,
130 krb5_error_code
*perr
)
132 krb5_error_code ret
= 0;
133 bool auth_ok
= False
;
134 krb5_keytab keytab
= NULL
;
135 krb5_kt_cursor kt_cursor
;
136 krb5_keytab_entry kt_entry
;
137 char *valid_princ_formats
[7] = { NULL
, NULL
, NULL
,
138 NULL
, NULL
, NULL
, NULL
};
139 char *entry_princ_s
= NULL
;
140 fstring my_name
, my_fqdn
;
142 int number_matched_principals
= 0;
150 /* Generate the list of principal names which we expect
151 * clients might want to use for authenticating to the file
152 * service. We allow name$,{host,cifs}/{name,fqdn,name.REALM}. */
154 fstrcpy(my_name
, global_myname());
157 name_to_fqdn(my_fqdn
, global_myname());
159 err
= asprintf(&valid_princ_formats
[0],
160 "%s$@%s", my_name
, lp_realm());
164 err
= asprintf(&valid_princ_formats
[1],
165 "host/%s@%s", my_name
, lp_realm());
169 err
= asprintf(&valid_princ_formats
[2],
170 "host/%s@%s", my_fqdn
, lp_realm());
174 err
= asprintf(&valid_princ_formats
[3],
175 "host/%s.%s@%s", my_name
, lp_realm(), lp_realm());
179 err
= asprintf(&valid_princ_formats
[4],
180 "cifs/%s@%s", my_name
, lp_realm());
184 err
= asprintf(&valid_princ_formats
[5],
185 "cifs/%s@%s", my_fqdn
, lp_realm());
189 err
= asprintf(&valid_princ_formats
[6],
190 "cifs/%s.%s@%s", my_name
, lp_realm(), lp_realm());
195 ZERO_STRUCT(kt_entry
);
196 ZERO_STRUCT(kt_cursor
);
198 ret
= smb_krb5_open_keytab(context
, NULL
, False
, &keytab
);
200 DEBUG(1, (__location__
": smb_krb5_open_keytab failed (%s)\n",
201 error_message(ret
)));
205 /* Iterate through the keytab. For each key, if the principal
206 * name case-insensitively matches one of the allowed formats,
207 * try verifying the ticket using that principal. */
209 ret
= krb5_kt_start_seq_get(context
, keytab
, &kt_cursor
);
211 DEBUG(1, (__location__
": krb5_kt_start_seq_get failed (%s)\n",
212 error_message(ret
)));
217 (krb5_kt_next_entry(context
, keytab
,
218 &kt_entry
, &kt_cursor
) == 0)) {
219 ret
= smb_krb5_unparse_name(talloc_tos(), context
,
223 DEBUG(1, (__location__
": smb_krb5_unparse_name "
224 "failed (%s)\n", error_message(ret
)));
228 for (i
= 0; i
< ARRAY_SIZE(valid_princ_formats
); i
++) {
230 if (!strequal(entry_princ_s
, valid_princ_formats
[i
])) {
234 number_matched_principals
++;
235 packet
.length
= ticket
->length
;
236 packet
.data
= (char *)ticket
->data
;
239 ret
= krb5_rd_req_return_keyblock_from_keytab(context
,
240 &auth_context
, &packet
,
241 kt_entry
.principal
, keytab
,
242 NULL
, pp_tkt
, keyblock
);
245 DEBUG(10, (__location__
": krb5_rd_req_return"
246 "_keyblock_from_keytab(%s) "
247 "failed: %s\n", entry_princ_s
,
248 error_message(ret
)));
250 /* workaround for MIT:
251 * as krb5_ktfile_get_entry will explicitly
252 * close the krb5_keytab as soon as krb5_rd_req
253 * has successfully decrypted the ticket but the
254 * ticket is not valid yet (due to clockskew)
255 * there is no point in querying more keytab
256 * entries - Guenther */
258 if (ret
== KRB5KRB_AP_ERR_TKT_NYV
||
259 ret
== KRB5KRB_AP_ERR_TKT_EXPIRED
||
260 ret
== KRB5KRB_AP_ERR_SKEW
) {
264 DEBUG(3, (__location__
": krb5_rd_req_return"
265 "_keyblock_from_keytab succeeded "
266 "for principal %s\n",
273 /* Free the name we parsed. */
274 TALLOC_FREE(entry_princ_s
);
276 /* Free the entry we just read. */
277 smb_krb5_kt_free_entry(context
, &kt_entry
);
278 ZERO_STRUCT(kt_entry
);
280 krb5_kt_end_seq_get(context
, keytab
, &kt_cursor
);
282 ZERO_STRUCT(kt_cursor
);
286 for (i
= 0; i
< ARRAY_SIZE(valid_princ_formats
); i
++) {
287 SAFE_FREE(valid_princ_formats
[i
]);
291 if (!number_matched_principals
) {
292 DEBUG(3, (__location__
": no keytab principals "
293 "matched expected file service name.\n"));
295 DEBUG(3, (__location__
": krb5_rd_req failed for "
296 "all %d matched keytab principals\n",
297 number_matched_principals
));
301 TALLOC_FREE(entry_princ_s
);
304 krb5_keytab_entry zero_kt_entry
;
305 ZERO_STRUCT(zero_kt_entry
);
306 if (memcmp(&zero_kt_entry
, &kt_entry
,
307 sizeof(krb5_keytab_entry
))) {
308 smb_krb5_kt_free_entry(context
, &kt_entry
);
313 krb5_kt_cursor zero_csr
;
314 ZERO_STRUCT(zero_csr
);
315 if ((memcmp(&kt_cursor
, &zero_csr
,
316 sizeof(krb5_kt_cursor
)) != 0) && keytab
) {
317 krb5_kt_end_seq_get(context
, keytab
, &kt_cursor
);
322 krb5_kt_close(context
, keytab
);
328 /*****************************************************************************
329 Try to verify a ticket using the secrets.tdb.
330 ******************************************************************************/
332 static krb5_error_code
ads_secrets_verify_ticket(krb5_context context
,
333 krb5_auth_context auth_context
,
334 krb5_principal host_princ
,
335 const DATA_BLOB
*ticket
,
336 krb5_ticket
**pp_tkt
,
337 krb5_keyblock
**keyblock
,
338 krb5_error_code
*perr
)
340 krb5_error_code ret
= 0;
341 bool auth_ok
= False
;
343 char *password_s
= NULL
;
344 /* Let's make some room for 2 password (old and new)*/
345 krb5_data passwords
[2];
346 krb5_enctype enctypes
[] = {
347 #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
348 ENCTYPE_AES256_CTS_HMAC_SHA1_96
,
350 #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
351 ENCTYPE_AES128_CTS_HMAC_SHA1_96
,
353 ENCTYPE_ARCFOUR_HMAC
,
365 ZERO_STRUCT(passwords
);
367 if (!secrets_init()) {
368 DEBUG(1,("ads_secrets_verify_ticket: secrets_init failed\n"));
369 *perr
= KRB5_CONFIG_CANTOPEN
;
373 password_s
= secrets_fetch_machine_password(lp_workgroup(),
376 DEBUG(1,(__location__
": failed to fetch machine password\n"));
377 *perr
= KRB5_LIBOS_CANTREADPWD
;
381 passwords
[0].data
= password_s
;
382 passwords
[0].length
= strlen(password_s
);
384 password_s
= secrets_fetch_prev_machine_password(lp_workgroup());
386 DEBUG(10, (__location__
": found previous password\n"));
387 passwords
[1].data
= password_s
;
388 passwords
[1].length
= strlen(password_s
);
391 /* CIFS doesn't use addresses in tickets. This would break NAT. JRA */
393 packet
.length
= ticket
->length
;
394 packet
.data
= (char *)ticket
->data
;
396 /* We need to setup a auth context with each possible encoding type
398 for (j
=0; j
<2 && passwords
[j
].length
; j
++) {
400 for (i
=0;enctypes
[i
];i
++) {
401 krb5_keyblock
*key
= NULL
;
403 if (!(key
= SMB_MALLOC_P(krb5_keyblock
))) {
408 if (create_kerberos_key_from_string(context
,
409 host_princ
, &passwords
[j
],
410 key
, enctypes
[i
], false)) {
415 krb5_auth_con_setuseruserkey(context
,
418 if (!(ret
= krb5_rd_req(context
, &auth_context
,
421 DEBUG(10, (__location__
": enc type [%u] "
422 "decrypted message !\n",
423 (unsigned int)enctypes
[i
]));
426 krb5_copy_keyblock(context
, key
, keyblock
);
427 krb5_free_keyblock(context
, key
);
431 DEBUG((ret
!= KRB5_BAD_ENCTYPE
) ? 3 : 10,
432 (__location__
": enc type [%u] failed to "
433 "decrypt with error %s\n",
434 (unsigned int)enctypes
[i
],
435 error_message(ret
)));
437 /* successfully decrypted but ticket is just not
438 * valid at the moment */
439 if (ret
== KRB5KRB_AP_ERR_TKT_NYV
||
440 ret
== KRB5KRB_AP_ERR_TKT_EXPIRED
||
441 ret
== KRB5KRB_AP_ERR_SKEW
) {
442 krb5_free_keyblock(context
, key
);
447 krb5_free_keyblock(context
, key
);
450 /* If we found a valid pass then no need to try
451 * the next one or we have invalid ticket so no need
452 * to try next password*/
458 SAFE_FREE(passwords
[0].data
);
459 SAFE_FREE(passwords
[1].data
);
464 /*****************************************************************************
465 Verify an incoming ticket and parse out the principal name and
466 authorization_data if available.
467 ******************************************************************************/
469 NTSTATUS
ads_verify_ticket(TALLOC_CTX
*mem_ctx
,
472 const DATA_BLOB
*ticket
,
474 struct PAC_LOGON_INFO
**logon_info
,
476 DATA_BLOB
*session_key
,
477 bool use_replay_cache
)
479 NTSTATUS sret
= NT_STATUS_LOGON_FAILURE
;
482 krb5_context context
= NULL
;
483 krb5_auth_context auth_context
= NULL
;
485 krb5_ticket
*tkt
= NULL
;
486 krb5_rcache rcache
= NULL
;
487 krb5_keyblock
*keyblock
= NULL
;
489 krb5_error_code ret
= 0;
491 krb5_principal host_princ
= NULL
;
492 krb5_const_principal client_principal
= NULL
;
493 char *host_princ_s
= NULL
;
494 bool auth_ok
= False
;
495 bool got_auth_data
= False
;
496 struct named_mutex
*mutex
= NULL
;
499 ZERO_STRUCT(auth_data
);
503 *ap_rep
= data_blob_null
;
504 *session_key
= data_blob_null
;
506 initialize_krb5_error_table();
507 ret
= krb5_init_context(&context
);
509 DEBUG(1, (__location__
": krb5_init_context failed (%s)\n",
510 error_message(ret
)));
511 return NT_STATUS_LOGON_FAILURE
;
514 if (time_offset
!= 0) {
515 krb5_set_real_time(context
, time(NULL
) + time_offset
, 0);
518 ret
= krb5_set_default_realm(context
, realm
);
520 DEBUG(1, (__location__
": krb5_set_default_realm "
521 "failed (%s)\n", error_message(ret
)));
525 /* This whole process is far more complex than I would
526 like. We have to go through all this to allow us to store
527 the secret internally, instead of using /etc/krb5.keytab */
529 ret
= krb5_auth_con_init(context
, &auth_context
);
531 DEBUG(1, (__location__
": krb5_auth_con_init failed (%s)\n",
532 error_message(ret
)));
536 krb5_auth_con_getflags( context
, auth_context
, &flags
);
537 if ( !use_replay_cache
) {
538 /* Disable default use of a replay cache */
539 flags
&= ~KRB5_AUTH_CONTEXT_DO_TIME
;
540 krb5_auth_con_setflags( context
, auth_context
, flags
);
543 if (asprintf(&host_princ_s
, "%s$", global_myname()) == -1) {
547 strlower_m(host_princ_s
);
548 ret
= smb_krb5_parse_name(context
, host_princ_s
, &host_princ
);
550 DEBUG(1, (__location__
": smb_krb5_parse_name(%s) "
551 "failed (%s)\n", host_princ_s
, error_message(ret
)));
556 if (use_replay_cache
) {
558 /* Lock a mutex surrounding the replay as there is no
559 locking in the MIT krb5 code surrounding the replay
562 mutex
= grab_named_mutex(talloc_tos(),
563 "replay cache mutex", 10);
565 DEBUG(1, (__location__
": unable to protect replay "
566 "cache with mutex.\n"));
571 /* JRA. We must set the rcache here. This will prevent
574 ret
= krb5_get_server_rcache(
576 krb5_princ_component(context
, host_princ
, 0),
579 DEBUG(1, (__location__
": krb5_get_server_rcache "
580 "failed (%s)\n", error_message(ret
)));
584 ret
= krb5_auth_con_setrcache(context
, auth_context
, rcache
);
586 DEBUG(1, (__location__
": krb5_auth_con_setrcache "
587 "failed (%s)\n", error_message(ret
)));
592 switch (lp_kerberos_method()) {
594 case KERBEROS_VERIFY_SECRETS
:
595 auth_ok
= ads_secrets_verify_ticket(context
, auth_context
,
596 host_princ
, ticket
, &tkt
, &keyblock
, &ret
);
598 case KERBEROS_VERIFY_SYSTEM_KEYTAB
:
599 auth_ok
= ads_keytab_verify_ticket(context
, auth_context
,
600 ticket
, &tkt
, &keyblock
, &ret
);
602 case KERBEROS_VERIFY_DEDICATED_KEYTAB
:
603 auth_ok
= ads_dedicated_keytab_verify_ticket(context
,
604 auth_context
, ticket
, &tkt
, &keyblock
, &ret
);
606 case KERBEROS_VERIFY_SECRETS_AND_KEYTAB
:
607 /* First try secrets.tdb and fallback to the krb5.keytab if
608 necessary. This is the pre 3.4 behavior when
609 "use kerberos keytab" was true.*/
610 auth_ok
= ads_secrets_verify_ticket(context
, auth_context
,
611 host_princ
, ticket
, &tkt
, &keyblock
, &ret
);
614 /* Only fallback if we failed to decrypt the ticket */
615 if (ret
!= KRB5KRB_AP_ERR_TKT_NYV
&&
616 ret
!= KRB5KRB_AP_ERR_TKT_EXPIRED
&&
617 ret
!= KRB5KRB_AP_ERR_SKEW
) {
618 auth_ok
= ads_keytab_verify_ticket(context
,
619 auth_context
, ticket
, &tkt
, &keyblock
,
626 if (use_replay_cache
) {
629 /* Heimdal leaks here, if we fix the leak, MIT crashes */
631 krb5_rc_close(context
, rcache
);
637 DEBUG(3, (__location__
": krb5_rd_req with auth "
638 "failed (%s)\n", error_message(ret
)));
639 /* Try map the error return in case it's something like
640 * a clock skew error.
642 sret
= krb5_to_nt_status(ret
);
643 if (NT_STATUS_IS_OK(sret
) ||
644 NT_STATUS_EQUAL(sret
,NT_STATUS_UNSUCCESSFUL
)) {
645 sret
= NT_STATUS_LOGON_FAILURE
;
647 DEBUG(10, (__location__
": returning error %s\n",
652 authtime
= get_authtime_from_tkt(tkt
);
653 client_principal
= get_principal_from_tkt(tkt
);
655 ret
= krb5_mk_rep(context
, auth_context
, &packet
);
657 DEBUG(3, (__location__
": Failed to generate mutual "
658 "authentication reply (%s)\n", error_message(ret
)));
662 *ap_rep
= data_blob(packet
.data
, packet
.length
);
664 kerberos_free_data_contents(context
, &packet
);
668 get_krb5_smb_session_key(mem_ctx
, context
,
669 auth_context
, session_key
, true);
670 dump_data_pw("SMB session key (from ticket)\n",
671 session_key
->data
, session_key
->length
);
674 file_save("/tmp/ticket.dat", ticket
->data
, ticket
->length
);
677 /* continue when no PAC is retrieved or we couldn't decode the PAC
678 (like accounts that have the UF_NO_AUTH_DATA_REQUIRED flag set, or
679 Kerberos tickets encrypted using a DES key) - Guenther */
681 got_auth_data
= get_auth_data_from_tkt(mem_ctx
, &auth_data
, tkt
);
682 if (!got_auth_data
) {
683 DEBUG(3, (__location__
": did not retrieve auth data. "
684 "continuing without PAC\n"));
688 struct PAC_DATA
*pac_data
;
689 pac_ret
= decode_pac_data(mem_ctx
, &auth_data
, context
,
690 keyblock
, client_principal
,
691 authtime
, &pac_data
);
692 data_blob_free(&auth_data
);
693 if (!NT_STATUS_IS_OK(pac_ret
)) {
694 DEBUG(3, (__location__
": failed to decode "
695 "PAC_DATA: %s\n", nt_errstr(pac_ret
)));
698 for (i
= 0; i
< pac_data
->num_buffers
; i
++) {
700 if (pac_data
->buffers
[i
].type
!= PAC_TYPE_LOGON_INFO
) {
704 *logon_info
= pac_data
->buffers
[i
].info
->logon_info
.info
;
708 DEBUG(1, ("correctly decoded PAC but found "
710 "This should not happen\n"));
711 return NT_STATUS_INVALID_USER_BUFFER
;
717 #if defined(HAVE_KRB5_TKT_ENC_PART2)
719 if (tkt
->enc_part2
) {
720 file_save("/tmp/authdata.dat",
721 tkt
->enc_part2
->authorization_data
[0]->contents
,
722 tkt
->enc_part2
->authorization_data
[0]->length
);
726 if (tkt
->ticket
.authorization_data
) {
727 file_save("/tmp/authdata.dat",
728 tkt
->ticket
.authorization_data
->val
->ad_data
.data
,
729 tkt
->ticket
.authorization_data
->val
->ad_data
.length
);
734 ret
= smb_krb5_unparse_name(mem_ctx
, context
,
735 client_principal
, principal
);
737 DEBUG(3, (__location__
": smb_krb5_unparse_name "
738 "failed (%s)\n", error_message(ret
)));
739 sret
= NT_STATUS_LOGON_FAILURE
;
749 if (!NT_STATUS_IS_OK(sret
)) {
750 data_blob_free(&auth_data
);
753 if (!NT_STATUS_IS_OK(sret
)) {
754 data_blob_free(ap_rep
);
758 krb5_free_principal(context
, host_princ
);
762 krb5_free_keyblock(context
, keyblock
);
766 krb5_free_ticket(context
, tkt
);
769 SAFE_FREE(host_princ_s
);
772 krb5_auth_con_free(context
, auth_context
);
776 krb5_free_context(context
);
782 #endif /* HAVE_KRB5 */