Forward port of Richard Sharpe's <realrichardsharpe@gmail.com> fix for bug #8970...
[Samba.git] / source4 / kdc / wdc-samba4.c
blob805772f47fd4154c348a380de8e51a8e17876f30
1 /*
2 Unix SMB/CIFS implementation.
4 PAC Glue between Samba and the KDC
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
7 Copyright (C) Simo Sorce <idra@samba.org> 2010
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "includes.h"
25 #include "kdc/kdc-glue.h"
26 #include "kdc/pac-glue.h"
28 /* Given the right private pointer from hdb_samba4, get a PAC from the attached ldb messages */
29 static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context,
30 struct hdb_entry_ex *client,
31 krb5_pac *pac)
33 TALLOC_CTX *mem_ctx;
34 DATA_BLOB *pac_blob;
35 krb5_error_code ret;
36 NTSTATUS nt_status;
38 mem_ctx = talloc_named(client->ctx, 0, "samba_get_pac context");
39 if (!mem_ctx) {
40 return ENOMEM;
43 nt_status = samba_kdc_get_pac_blob(mem_ctx, client, &pac_blob);
44 if (!NT_STATUS_IS_OK(nt_status)) {
45 talloc_free(mem_ctx);
46 return EINVAL;
49 ret = samba_make_krb5_pac(context, pac_blob, pac);
51 talloc_free(mem_ctx);
52 return ret;
55 /* Resign (and reform, including possibly new groups) a PAC */
57 static krb5_error_code samba_wdc_reget_pac(void *priv, krb5_context context,
58 const krb5_principal client_principal,
59 struct hdb_entry_ex *client,
60 struct hdb_entry_ex *server,
61 struct hdb_entry_ex *krbtgt,
62 krb5_pac *pac)
64 struct samba_kdc_entry *p = talloc_get_type(server->ctx, struct samba_kdc_entry);
65 TALLOC_CTX *mem_ctx = talloc_named(p, 0, "samba_kdc_reget_pac context");
66 DATA_BLOB *pac_blob;
67 krb5_error_code ret;
68 NTSTATUS nt_status;
70 if (!mem_ctx) {
71 return ENOMEM;
74 /* The user account may be set not to want the PAC */
75 if (!samba_princ_needs_pac(server)) {
76 talloc_free(mem_ctx);
77 return EINVAL;
80 /* If the krbtgt was generated by an RODC, and we are not that
81 * RODC, then we need to regenerate the PAC - we can't trust
82 * it */
83 if (samba_krbtgt_was_untrusted_rodc(krbtgt)) {
84 if (client == NULL) {
85 return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
87 nt_status = samba_kdc_get_pac_blob(mem_ctx, client, &pac_blob);
88 if (!NT_STATUS_IS_OK(nt_status)) {
89 talloc_free(mem_ctx);
90 return EINVAL;
92 } else {
93 pac_blob = talloc_zero(mem_ctx, DATA_BLOB);
94 if (!pac_blob) {
95 talloc_free(mem_ctx);
96 return ENOMEM;
99 nt_status = samba_kdc_update_pac_blob(mem_ctx, context,
100 pac, pac_blob);
101 if (!NT_STATUS_IS_OK(nt_status)) {
102 DEBUG(0, ("Building PAC failed: %s\n",
103 nt_errstr(nt_status)));
104 talloc_free(mem_ctx);
105 return EINVAL;
108 /* We now completely regenerate this pac */
109 krb5_pac_free(context, *pac);
111 ret = samba_make_krb5_pac(context, pac_blob, pac);
113 talloc_free(mem_ctx);
114 return ret;
117 static char *get_netbios_name(TALLOC_CTX *mem_ctx, HostAddresses *addrs)
119 char *nb_name = NULL;
120 size_t len;
121 unsigned int i;
123 for (i = 0; addrs && i < addrs->len; i++) {
124 if (addrs->val[i].addr_type != KRB5_ADDRESS_NETBIOS) {
125 continue;
127 len = MIN(addrs->val[i].address.length, 15);
128 nb_name = talloc_strndup(mem_ctx,
129 addrs->val[i].address.data, len);
130 if (nb_name) {
131 break;
135 if (nb_name == NULL) {
136 return NULL;
139 /* Strip space padding */
140 i = strlen(nb_name) - 1;
141 while (i > 0 && nb_name[i] == ' ') {
142 nb_name[i] = '\0';
145 return nb_name;
148 static krb5_data fill_krb5_data(void *data, size_t length)
150 krb5_data kdata;
152 kdata.data = data;
153 kdata.length = length;
155 return kdata;
158 static krb5_error_code samba_wdc_check_client_access(void *priv,
159 krb5_context context,
160 krb5_kdc_configuration *config,
161 hdb_entry_ex *client_ex, const char *client_name,
162 hdb_entry_ex *server_ex, const char *server_name,
163 KDC_REQ *req,
164 krb5_data *e_data)
166 struct samba_kdc_entry *kdc_entry;
167 bool password_change;
168 char *workstation;
169 NTSTATUS nt_status;
171 kdc_entry = talloc_get_type(client_ex->ctx, struct samba_kdc_entry);
172 password_change = (server_ex && server_ex->entry.flags.change_pw);
173 workstation = get_netbios_name((TALLOC_CTX *)client_ex->ctx,
174 req->req_body.addresses);
176 nt_status = samba_kdc_check_client_access(kdc_entry,
177 client_name,
178 workstation,
179 password_change);
181 if (!NT_STATUS_IS_OK(nt_status)) {
182 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
183 return ENOMEM;
186 if (e_data) {
187 DATA_BLOB data;
189 samba_kdc_build_edata_reply(nt_status, &data);
190 *e_data = fill_krb5_data(data.data, data.length);
193 return samba_kdc_map_policy_err(nt_status);
196 /* Now do the standard Heimdal check */
197 return kdc_check_flags(context, config,
198 client_ex, client_name,
199 server_ex, server_name,
200 req->msg_type == krb_as_req);
203 static krb5_error_code samba_wdc_plugin_init(krb5_context context, void **ptr)
205 *ptr = NULL;
206 return 0;
209 static void samba_wdc_plugin_fini(void *ptr)
211 return;
214 struct krb5plugin_windc_ftable windc_plugin_table = {
215 .minor_version = KRB5_WINDC_PLUGING_MINOR,
216 .init = samba_wdc_plugin_init,
217 .fini = samba_wdc_plugin_fini,
218 .pac_generate = samba_wdc_get_pac,
219 .pac_verify = samba_wdc_reget_pac,
220 .client_access = samba_wdc_check_client_access,