4 Copyright (c) 2010, Simo Sorce <idra@samba.org>
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 #define TEVENT_DEPRECATED 1
23 #include "param/param.h"
24 #include "dsdb/samdb/samdb.h"
25 #include "system/kerberos.h"
27 #include "mit_samba_interface.h"
28 #include "auth/kerberos/kerberos.h"
29 #include "kdc/samba_kdc.h"
30 #include "kdc/pac-glue.h"
31 #include "kdc/db-glue.h"
/* Version of the plugin ABI this file implements. The MIT KDC side is
 * presumably expected to compare it with MIT_SAMBA_INTERFACE_VERSION from
 * mit_samba_interface.h before using mit_samba_function_table (inferred from
 * the name -- confirm in the loader). */
33 const int mit_samba_interface_version
= MIT_SAMBA_INTERFACE_VERSION
;
/* Opaque per-plugin state handed to the KDC as a pointer and passed back
 * into every entry point in this file.
 * NOTE(review): this listing is missing lines of the definition, including
 * the krb5_context member that the entry points reach as ctx->context, and
 * the closing brace. */
35 struct mit_samba_context
{
/* Caller session; not read by any function visible in this listing. */
36 struct auth_session_info
*session_info
;
38 /* for compat with hdb plugin common code */
/* Samba KDC database context, filled in by samba_kdc_setup_db_ctx() during
 * mit_samba_context_init(). */
40 struct samba_kdc_db_context
*db_ctx
;
/* Destructor for a context built by mit_samba_context_init(); also used
 * there as the cleanup when init fails part-way.
 * NOTE(review): ctx->context is released unconditionally. ctx comes from
 * talloc(), which does not zero the struct, so a ctx whose krb5_context was
 * never assigned would hand an indeterminate pointer to krb5_free_context()
 * -- confirm how the init failure path orders things. */
43 static void mit_samba_context_free(struct mit_samba_context
*ctx
)
45 /* free heimdal's krb5_context */
47 krb5_free_context(ctx
->context
);
50 /* then free everything else */
/* (presumably a talloc_free() of ctx; the remaining lines are not in this
 * listing) */
/* Allocate and initialise the plugin context returned to the MIT KDC via
 * *_ctx: a tevent context, the global loadparm context, the Samba KDC
 * database context and the krb5_context used by the other entry points.
 * Returns 0 on success, otherwise a non-zero error (the return statements,
 * the error branches and the declarations of status/ret are on lines that
 * are missing from this listing). */
54 static int mit_samba_context_init(struct mit_samba_context
**_ctx
)
57 struct mit_samba_context
*ctx
;
58 const char *s4_conf_file
;
60 struct samba_kdc_base_context base_ctx
;
/* talloc(), unlike talloc_zero(), leaves every member indeterminate until it
 * is assigned; see the note at the cleanup call at the end. The NULL check
 * of this allocation is presumably on the lines not shown. */
62 ctx
= talloc(NULL
, struct mit_samba_context
);
/* The event context is parented on ctx, so it is released with it. */
68 base_ctx
.ev_ctx
= tevent_context_init(ctx
);
69 if (!base_ctx
.ev_ctx
) {
73 tevent_loop_allow_nesting(base_ctx
.ev_ctx
);
74 base_ctx
.lp_ctx
= loadparm_init_global(false);
75 if (!base_ctx
.lp_ctx
) {
79 /* init s4 configuration */
/* Load the configured smb.conf when there is one, otherwise the defaults
 * (the if/else around the two calls is not shown). As far as this listing
 * shows, the results of lpcfg_load() and lpcfg_load_default() are not
 * checked, so a broken configuration file is not reported here. */
80 s4_conf_file
= lpcfg_configfile(base_ctx
.lp_ctx
);
82 lpcfg_load(base_ctx
.lp_ctx
, s4_conf_file
);
84 lpcfg_load_default(base_ctx
.lp_ctx
);
/* db_ctx lives on ctx and is what every fetch/firstkey/nextkey call uses. */
87 status
= samba_kdc_setup_db_ctx(ctx
, &base_ctx
, &ctx
->db_ctx
);
88 if (!NT_STATUS_IS_OK(status
)) {
93 /* init heimdal's krb_context and log facilities */
94 ret
= smb_krb5_init_context_basic(ctx
,
/* Cleanup on failure. NOTE(review): if this is reached for a failure that
 * happened before smb_krb5_init_context_basic() stored ctx->context (the
 * control flow leading here is not fully visible), mit_samba_context_free()
 * calls krb5_free_context() on the indeterminate ctx->context left by
 * talloc(); talloc_zero() at the allocation above would make that a NULL. */
105 mit_samba_context_free(ctx
);
/* Look up the KDC database entry named by principal_string and return it
 * through *_hentry. The hdb_entry_ex wrapper is talloc'd on ctx and then
 * re-parented onto hentry->ctx (presumably the samba_kdc_entry that
 * samba_kdc_fetch() stores there), so releasing the entry's private context
 * releases the wrapper too. Returns a krb5 error code; the error returns and
 * the declarations of ret/flags are on lines not in this listing. */
113 static int mit_samba_get_principal(struct mit_samba_context
*ctx
,
114 char *principal_string
,
116 hdb_entry_ex
**_hentry
)
118 krb5_principal principal
;
119 hdb_entry_ex
*hentry
;
122 hentry
= talloc(ctx
, hdb_entry_ex
);
/* principal_string is supplied by the KDC caller; a parse failure is
 * handled on the lines not shown. */
127 ret
= krb5_parse_name(ctx
->context
, principal_string
, &principal
);
132 ret
= samba_kdc_fetch(ctx
->context
, ctx
->db_ctx
,
133 principal
, flags
, 0, hentry
);
/* The parsed principal is not needed once the fetch has run, success or
 * not. */
135 krb5_free_principal(ctx
->context
, principal
);
/* Tie the wrapper's lifetime to the fetched entry's private context. */
141 talloc_steal(hentry
->ctx
, hentry
);
/* Start an iteration over the KDC database and return its first entry
 * through *_hentry. Same allocation/ownership pattern as
 * mit_samba_get_principal(): the wrapper is talloc'd on ctx and then stolen
 * by hentry->ctx. Error returns and the declaration of ret are on lines not
 * in this listing. */
147 static int mit_samba_get_firstkey(struct mit_samba_context
*ctx
,
148 hdb_entry_ex
**_hentry
)
150 hdb_entry_ex
*hentry
;
153 hentry
= talloc(ctx
, hdb_entry_ex
);
158 ret
= samba_kdc_firstkey(ctx
->context
, ctx
->db_ctx
, hentry
);
/* hentry->ctx is presumably set by samba_kdc_firstkey() on success; the
 * failure branch between the call and this line is not shown. */
163 talloc_steal(hentry
->ctx
, hentry
);
/* Continue the iteration begun by mit_samba_get_firstkey() and return the
 * next entry through *_hentry. Identical allocation/ownership pattern: the
 * wrapper is talloc'd on ctx and then stolen by hentry->ctx. Error returns
 * and the declaration of ret are on lines not in this listing. */
169 static int mit_samba_get_nextkey(struct mit_samba_context
*ctx
,
170 hdb_entry_ex
**_hentry
)
172 hdb_entry_ex
*hentry
;
175 hentry
= talloc(ctx
, hdb_entry_ex
);
180 ret
= samba_kdc_nextkey(ctx
->context
, ctx
->db_ctx
, hentry
);
/* hentry->ctx is presumably set by samba_kdc_nextkey() on success; the
 * failure branch between the call and this line is not shown. */
185 talloc_steal(hentry
->ctx
, hentry
);
/* Build the PAC for 'client' and hand it back in *data as a malloc()'d
 * buffer: the KDC owns the result with the C allocator, not talloc.
 * The parameters after 'client' (including the output blob 'data'), the
 * declarations of tmp_ctx/nt_status/pac_blob and the return statements are
 * on lines missing from this listing. */
191 static int mit_samba_get_pac_data(struct mit_samba_context
*ctx
,
192 hdb_entry_ex
*client
,
198 struct samba_kdc_entry
*skdc_entry
;
/* Aborts the process if client->ctx is not a samba_kdc_entry; client is
 * dereferenced here without a NULL check. */
200 skdc_entry
= talloc_get_type_abort(client
->ctx
,
201 struct samba_kdc_entry
);
/* tmp_ctx collects the talloc allocations made while building the blob and
 * is freed on every path below. */
203 tmp_ctx
= talloc_named(ctx
, 0, "mit_samba_get_pac_data context");
208 nt_status
= samba_kdc_get_pac_blob(tmp_ctx
, skdc_entry
, &pac_blob
);
209 if (!NT_STATUS_IS_OK(nt_status
)) {
210 talloc_free(tmp_ctx
);
/* Copy out of talloc memory into a plain malloc() buffer. The line between
 * the malloc and the talloc_free below is not shown; that talloc_free looks
 * like the cleanup for a NULL result -- confirm. */
214 data
->data
= (uint8_t *)malloc(pac_blob
->length
);
216 talloc_free(tmp_ctx
);
219 memcpy(data
->data
, pac_blob
->data
, pac_blob
->length
);
220 data
->length
= pac_blob
->length
;
222 talloc_free(tmp_ctx
);
/* Re-issue the PAC carried in pac_data (a parameter on a line not shown)
 * for 'client' and return the rebuilt logon blob in *logon_data as a
 * malloc()'d buffer that the caller frees with free().
 * NOTE(review): per the TODO below, the incoming PAC is parsed and rebuilt
 * here without any decision on verifying its KDC signature, so nothing in
 * this function establishes the integrity of pac_data. Declarations of
 * tmp_ctx/nt_status/pac, several error branches and the return statements
 * are on lines missing from this listing. */
226 static int mit_samba_update_pac_data(struct mit_samba_context
*ctx
,
227 hdb_entry_ex
*client
,
229 DATA_BLOB
*logon_data
)
232 DATA_BLOB
*logon_blob
;
233 krb5_error_code code
;
237 struct samba_kdc_entry
*skdc_entry
= NULL
;
/* NOTE(review): client->ctx is dereferenced here, but the condition a few
 * lines down still tests 'client' for NULL. Either client can never be
 * NULL (then the test is dead) or this dereference comes too late to be
 * guarded; talloc_get_type_abort() also aborts on a type mismatch. */
240 skdc_entry
= talloc_get_type_abort(client
->ctx
,
241 struct samba_kdc_entry
);
244 /* The user account may be set not to want the PAC */
245 if (client
&& !samba_princ_needs_pac(skdc_entry
)) {
/* Everything built from here is parented on tmp_ctx and released at the
 * end; only the malloc()'d copy in *logon_data outlives the call. */
249 tmp_ctx
= talloc_named(ctx
, 0, "mit_samba_update_pac_data context");
254 logon_blob
= talloc_zero(tmp_ctx
, DATA_BLOB
);
/* pac_data is caller-supplied; the parse failure branch is not shown. */
260 code
= krb5_pac_parse(ctx
->context
,
261 pac_data
->data
, pac_data
->length
, &pac
);
267 /* TODO: An implementation-specific decision will need to be
268 * made as to when to check the KDC pac signature, and how to
269 * untrust untrusted RODCs */
270 nt_status
= samba_kdc_update_pac_blob(tmp_ctx
, ctx
->context
,
271 pac
, logon_blob
, NULL
, NULL
);
272 if (!NT_STATUS_IS_OK(nt_status
)) {
273 DEBUG(0, ("Building PAC failed: %s\n",
274 nt_errstr(nt_status
)));
/* Hand the result over in C-allocator memory; the caller owns it. */
279 logon_data
->data
= (uint8_t *)malloc(logon_blob
->length
);
280 if (!logon_data
->data
) {
284 memcpy(logon_data
->data
, logon_blob
->data
, logon_blob
->length
);
285 logon_data
->length
= logon_blob
->length
;
/* Common cleanup: pac is only set once krb5_pac_parse() succeeded. */
290 if (pac
) krb5_pac_free(ctx
->context
, pac
);
291 talloc_free(tmp_ctx
);
295 /* provide header, function is exported but there are no public headers */
/* NOTE(review): because this prototype is local, a change of the library's
 * real signature would not be caught at compile time; keep it in sync with
 * the MIT krb5 version being built against. */
297 krb5_error_code
encode_krb5_padata_sequence(krb5_pa_data
*const *rep
, krb5_data
**code
);
299 /* this function allocates 'data' using malloc.
300 * The caller is responsible for freeing it */
/* Wrap nt_status in a KRB5_PADATA_PW_SALT pa-data element, encode the
 * padata sequence and return it in *e_data. The payload written below is
 * three little-endian 32-bit words (SIVAL): NT_STATUS_V(nt_status), 0 and
 * 1, i.e. 12 bytes, so pa.length (assigned on a line not in this listing)
 * must be at least 12 or the SIVALs write past pa.contents. The malloc
 * result check, the setup of ppa/d and the handling of a failed encode are
 * also on lines not shown. */
301 static void samba_kdc_build_edata_reply(NTSTATUS nt_status
, DATA_BLOB
*e_data
)
303 krb5_error_code ret
= 0;
304 krb5_pa_data pa
, *ppa
= NULL
;
313 pa
.magic
= KV5M_PA_DATA
;
314 pa
.pa_type
= KRB5_PADATA_PW_SALT
;
316 pa
.contents
= malloc(pa
.length
);
/* Layout expected by the Windows client for a PW-SALT carrying an NTSTATUS:
 * status value, then two constant words (inferred from the values -- confirm
 * against the protocol documentation). */
321 SIVAL(pa
.contents
, 0, NT_STATUS_V(nt_status
));
322 SIVAL(pa
.contents
, 4, 0);
323 SIVAL(pa
.contents
, 8, 1);
327 ret
= encode_krb5_padata_sequence(&ppa
, &d
);
/* e_data takes ownership of the encoded bytes; only the krb5_data container
 * is released afterwards. */
333 e_data
->data
= (uint8_t *)d
->data
;
334 e_data
->length
= d
->length
;
336 /* free d, not d->data - gd */
/* Apply Samba's account/logon-policy checks to 'client' before the KDC
 * issues a ticket. On a policy failure the NTSTATUS is packed into *e_data
 * (a parameter on a line not shown) so the client sees the real reason, and
 * the status is mapped to a krb5 error code. The remaining parameters, the
 * declaration of nt_status, the rest of the samba_kdc_check_client_access()
 * argument list and the success return are on lines missing from this
 * listing. */
342 static int mit_samba_check_client_access(struct mit_samba_context
*ctx
,
343 hdb_entry_ex
*client
,
344 const char *client_name
,
345 hdb_entry_ex
*server
,
346 const char *server_name
,
347 const char *netbios_name
,
348 bool password_change
,
351 struct samba_kdc_entry
*kdc_entry
;
/* NOTE(review): unlike the talloc_get_type_abort() used by the other entry
 * points in this file, talloc_get_type() returns NULL when client->ctx is
 * not a samba_kdc_entry, and kdc_entry is then passed on without a NULL
 * check. Either use the _abort variant for consistency or test the result. */
354 kdc_entry
= talloc_get_type(client
->ctx
, struct samba_kdc_entry
);
356 nt_status
= samba_kdc_check_client_access(kdc_entry
,
361 if (!NT_STATUS_IS_OK(nt_status
)) {
/* Out-of-memory is the one failure that gets no e_data (building it would
 * allocate again); the branch body is not shown. */
362 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_NO_MEMORY
)) {
366 samba_kdc_build_edata_reply(nt_status
, e_data
);
368 return samba_kdc_map_policy_err(nt_status
);
/* Constrained-delegation (S4U2Proxy) check for target_name.
 * NOTE(review): this entry point is currently disabled: it returns
 * KRB5KDC_ERR_BADOPTION unconditionally (see the comment in the body), so
 * every S4U2Proxy request is refused and the code after that return is
 * unreachable until the reason in the comment is resolved. The opening of
 * that comment, the middle parameter, the declarations of flags/ret, the
 * error branches and the final return are on lines missing from this
 * listing. */
374 static int mit_samba_check_s4u2proxy(struct mit_samba_context
*ctx
,
376 const char *target_name
,
377 bool is_nt_enterprise_name
)
381 * This is disabled because mit_samba_update_pac_data() does not handle
382 * S4U_DELEGATION_INFO
385 return KRB5KDC_ERR_BADOPTION
;
/* Dead code below this point while the early return above is in place;
 * kept as the intended implementation. */
387 krb5_principal target_principal
;
/* Enterprise names (user@realm style) need the matching parse flag. */
391 if (is_nt_enterprise_name
) {
392 flags
= KRB5_PRINCIPAL_PARSE_ENTERPRISE
;
395 ret
= krb5_parse_name_flags(ctx
->context
, target_name
,
396 flags
, &target_principal
);
401 ret
= samba_kdc_check_s4u2proxy(ctx
->context
,
406 krb5_free_principal(ctx
->context
, target_principal
);
/* Entry points exported to the MIT KDC plugin loader.
 * NOTE(review): this is a positional initialiser, so the order must match
 * the member order of struct mit_samba_function_table in
 * mit_samba_interface.h exactly; designated initialisers (.init = ...,
 * .fini = ...) would make a silent mismatch impossible -- confirm the member
 * names in the header. The closing of the initialiser is not in this
 * listing. */
412 struct mit_samba_function_table mit_samba_function_table
= {
413 mit_samba_context_init
,
414 mit_samba_context_free
,
415 mit_samba_get_principal
,
416 mit_samba_get_firstkey
,
417 mit_samba_get_nextkey
,
418 mit_samba_get_pac_data
,
419 mit_samba_update_pac_data
,
420 mit_samba_check_client_access
,
421 mit_samba_check_s4u2proxy