2 Unix SMB/CIFS implementation.
4 PAC Glue between Samba and the KDC
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
7 Copyright (C) Simo Sorce <idra@samba.org> 2010
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "lib/replace/replace.h"
25 #include "lib/replace/system/kerberos.h"
26 #include "lib/replace/system/filesys.h"
27 #include "lib/util/debug.h"
28 #include "lib/util/samba_util.h"
29 #include "lib/util/talloc_stack.h"
31 #include "auth/auth_sam_reply.h"
32 #include "auth/kerberos/kerberos.h"
33 #include "auth/kerberos/pac_utils.h"
34 #include "libcli/security/security.h"
35 #include "libds/common/flags.h"
36 #include "librpc/gen_ndr/ndr_krb5pac.h"
37 #include "param/param.h"
38 #include "source4/auth/auth.h"
39 #include "source4/dsdb/common/util.h"
40 #include "source4/dsdb/samdb/samdb.h"
41 #include "source4/kdc/samba_kdc.h"
42 #include "source4/kdc/pac-glue.h"
43 #include "source4/kdc/ad_claims.h"
44 #include "source4/kdc/pac-blobs.h"
49 #define DBGC_CLASS DBGC_KERBEROS
52 NTSTATUS
samba_get_logon_info_pac_blob(TALLOC_CTX
*mem_ctx
,
53 const struct auth_user_info_dc
*info
,
54 const struct PAC_DOMAIN_GROUP_MEMBERSHIP
*override_resource_groups
,
55 const enum auth_group_inclusion group_inclusion
,
58 struct netr_SamInfo3
*info3
= NULL
;
59 struct PAC_DOMAIN_GROUP_MEMBERSHIP
*_resource_groups
= NULL
;
60 struct PAC_DOMAIN_GROUP_MEMBERSHIP
**resource_groups
= NULL
;
61 union PAC_INFO pac_info
;
62 enum ndr_err_code ndr_err
;
65 ZERO_STRUCT(pac_info
);
67 *pac_data
= data_blob_null
;
69 if (override_resource_groups
== NULL
) {
70 resource_groups
= &_resource_groups
;
71 } else if (group_inclusion
!= AUTH_EXCLUDE_RESOURCE_GROUPS
) {
73 * It doesn't make sense to override resource groups if we claim
74 * to want resource groups from user_info_dc.
76 DBG_ERR("supplied resource groups with invalid group inclusion parameter: %u\n",
78 return NT_STATUS_INVALID_PARAMETER
;
81 nt_status
= auth_convert_user_info_dc_saminfo3(mem_ctx
, info
,
85 if (!NT_STATUS_IS_OK(nt_status
)) {
86 DEBUG(1, ("Getting Samba info failed: %s\n",
87 nt_errstr(nt_status
)));
91 pac_info
.logon_info
.info
= talloc_zero(mem_ctx
, struct PAC_LOGON_INFO
);
92 if (!pac_info
.logon_info
.info
) {
93 return NT_STATUS_NO_MEMORY
;
96 pac_info
.logon_info
.info
->info3
= *info3
;
97 if (_resource_groups
!= NULL
) {
98 pac_info
.logon_info
.info
->resource_groups
= *_resource_groups
;
101 if (override_resource_groups
!= NULL
) {
102 pac_info
.logon_info
.info
->resource_groups
= *override_resource_groups
;
105 if (group_inclusion
!= AUTH_EXCLUDE_RESOURCE_GROUPS
) {
107 * Set the resource groups flag based on whether any groups are
108 * present. Otherwise, the flag is propagated from the
111 if (pac_info
.logon_info
.info
->resource_groups
.groups
.count
> 0) {
112 pac_info
.logon_info
.info
->info3
.base
.user_flags
|= NETLOGON_RESOURCE_GROUPS
;
114 pac_info
.logon_info
.info
->info3
.base
.user_flags
&= ~NETLOGON_RESOURCE_GROUPS
;
118 ndr_err
= ndr_push_union_blob(pac_data
, mem_ctx
, &pac_info
,
120 (ndr_push_flags_fn_t
)ndr_push_PAC_INFO
);
121 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
122 nt_status
= ndr_map_error2ntstatus(ndr_err
);
123 DEBUG(1, ("PAC_LOGON_INFO (presig) push failed: %s\n",
124 nt_errstr(nt_status
)));
132 NTSTATUS
samba_get_requester_sid_pac_blob(TALLOC_CTX
*mem_ctx
,
133 const struct auth_user_info_dc
*info
,
134 DATA_BLOB
*requester_sid_blob
)
136 enum ndr_err_code ndr_err
;
139 if (requester_sid_blob
!= NULL
) {
140 *requester_sid_blob
= data_blob_null
;
143 if (requester_sid_blob
!= NULL
&& info
->num_sids
> 0) {
144 union PAC_INFO pac_requester_sid
;
146 ZERO_STRUCT(pac_requester_sid
);
148 pac_requester_sid
.requester_sid
.sid
= info
->sids
[PRIMARY_USER_SID_INDEX
].sid
;
150 ndr_err
= ndr_push_union_blob(requester_sid_blob
, mem_ctx
,
152 PAC_TYPE_REQUESTER_SID
,
153 (ndr_push_flags_fn_t
)ndr_push_PAC_INFO
);
154 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
155 nt_status
= ndr_map_error2ntstatus(ndr_err
);
156 DEBUG(1, ("PAC_REQUESTER_SID (presig) push failed: %s\n",
157 nt_errstr(nt_status
)));
166 NTSTATUS
samba_get_upn_info_pac_blob(TALLOC_CTX
*mem_ctx
,
167 const struct auth_user_info_dc
*info
,
170 union PAC_INFO pac_upn
;
171 enum ndr_err_code ndr_err
;
175 ZERO_STRUCT(pac_upn
);
177 *upn_data
= data_blob_null
;
179 pac_upn
.upn_dns_info
.upn_name
= info
->info
->user_principal_name
;
180 pac_upn
.upn_dns_info
.dns_domain_name
= strupper_talloc(mem_ctx
,
181 info
->info
->dns_domain_name
);
182 if (pac_upn
.upn_dns_info
.dns_domain_name
== NULL
) {
183 return NT_STATUS_NO_MEMORY
;
185 if (info
->info
->user_principal_constructed
) {
186 pac_upn
.upn_dns_info
.flags
|= PAC_UPN_DNS_FLAG_CONSTRUCTED
;
189 pac_upn
.upn_dns_info
.flags
|= PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID
;
191 pac_upn
.upn_dns_info
.ex
.sam_name_and_sid
.samaccountname
192 = info
->info
->account_name
;
194 pac_upn
.upn_dns_info
.ex
.sam_name_and_sid
.objectsid
195 = &info
->sids
[PRIMARY_USER_SID_INDEX
].sid
;
197 ndr_err
= ndr_push_union_blob(upn_data
, mem_ctx
, &pac_upn
,
198 PAC_TYPE_UPN_DNS_INFO
,
199 (ndr_push_flags_fn_t
)ndr_push_PAC_INFO
);
200 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
201 nt_status
= ndr_map_error2ntstatus(ndr_err
);
202 DEBUG(1, ("PAC UPN_DNS_INFO (presig) push failed: %s\n",
203 nt_errstr(nt_status
)));
207 ok
= data_blob_pad(mem_ctx
, upn_data
, 8);
209 return NT_STATUS_NO_MEMORY
;
216 NTSTATUS
samba_get_pac_attrs_blob(TALLOC_CTX
*mem_ctx
,
217 uint64_t pac_attributes
,
218 DATA_BLOB
*pac_attrs_data
)
220 union PAC_INFO pac_attrs
;
221 enum ndr_err_code ndr_err
;
224 ZERO_STRUCT(pac_attrs
);
226 *pac_attrs_data
= data_blob_null
;
228 /* Set the length of the flags in bits. */
229 pac_attrs
.attributes_info
.flags_length
= 2;
230 pac_attrs
.attributes_info
.flags
= pac_attributes
;
232 ndr_err
= ndr_push_union_blob(pac_attrs_data
, mem_ctx
, &pac_attrs
,
233 PAC_TYPE_ATTRIBUTES_INFO
,
234 (ndr_push_flags_fn_t
)ndr_push_PAC_INFO
);
235 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
236 nt_status
= ndr_map_error2ntstatus(ndr_err
);
237 DEBUG(1, ("PAC ATTRIBUTES_INFO (presig) push failed: %s\n",
238 nt_errstr(nt_status
)));
246 NTSTATUS
samba_get_claims_blob(TALLOC_CTX
*mem_ctx
,
247 struct ldb_context
*samdb
,
248 const struct ldb_message
*principal
,
249 DATA_BLOB
*client_claims_data
)
251 union PAC_INFO client_claims
;
254 ZERO_STRUCT(client_claims
);
256 *client_claims_data
= data_blob_null
;
258 ret
= get_claims_for_principal(samdb
,
262 if (ret
!= LDB_SUCCESS
) {
263 return dsdb_ldb_err_to_ntstatus(ret
);
270 NTSTATUS
samba_get_cred_info_ndr_blob(TALLOC_CTX
*mem_ctx
,
271 const struct ldb_message
*msg
,
272 DATA_BLOB
*cred_blob
)
274 enum ndr_err_code ndr_err
;
276 struct samr_Password
*lm_hash
= NULL
;
277 struct samr_Password
*nt_hash
= NULL
;
278 struct PAC_CREDENTIAL_NTLM_SECPKG ntlm_secpkg
= {
281 DATA_BLOB ntlm_blob
= data_blob_null
;
282 struct PAC_CREDENTIAL_SUPPLEMENTAL_SECPKG secpkgs
[1] = {{
283 .credential_size
= 0,
285 struct PAC_CREDENTIAL_DATA cred_data
= {
286 .credential_count
= 0,
288 struct PAC_CREDENTIAL_DATA_NDR cred_ndr
;
290 ZERO_STRUCT(cred_ndr
);
292 *cred_blob
= data_blob_null
;
294 lm_hash
= samdb_result_hash(mem_ctx
, msg
, "dBCSPwd");
295 if (lm_hash
!= NULL
) {
296 bool zero
= all_zero(lm_hash
->hash
, 16);
301 if (lm_hash
!= NULL
) {
302 DEBUG(5, ("Passing LM password hash through credentials set\n"));
303 ntlm_secpkg
.flags
|= PAC_CREDENTIAL_NTLM_HAS_LM_HASH
;
304 ntlm_secpkg
.lm_password
= *lm_hash
;
305 ZERO_STRUCTP(lm_hash
);
306 TALLOC_FREE(lm_hash
);
309 nt_hash
= samdb_result_hash(mem_ctx
, msg
, "unicodePwd");
310 if (nt_hash
!= NULL
) {
311 bool zero
= all_zero(nt_hash
->hash
, 16);
316 if (nt_hash
!= NULL
) {
317 DEBUG(5, ("Passing LM password hash through credentials set\n"));
318 ntlm_secpkg
.flags
|= PAC_CREDENTIAL_NTLM_HAS_NT_HASH
;
319 ntlm_secpkg
.nt_password
= *nt_hash
;
320 ZERO_STRUCTP(nt_hash
);
321 TALLOC_FREE(nt_hash
);
324 if (ntlm_secpkg
.flags
== 0) {
328 #ifdef DEBUG_PASSWORD
330 NDR_PRINT_DEBUG(PAC_CREDENTIAL_NTLM_SECPKG
, &ntlm_secpkg
);
334 ndr_err
= ndr_push_struct_blob(&ntlm_blob
, mem_ctx
, &ntlm_secpkg
,
335 (ndr_push_flags_fn_t
)ndr_push_PAC_CREDENTIAL_NTLM_SECPKG
);
336 ZERO_STRUCT(ntlm_secpkg
);
337 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
338 nt_status
= ndr_map_error2ntstatus(ndr_err
);
339 DEBUG(1, ("PAC_CREDENTIAL_NTLM_SECPKG (presig) push failed: %s\n",
340 nt_errstr(nt_status
)));
344 DEBUG(10, ("NTLM credential BLOB (len %zu) for user\n",
346 dump_data_pw("PAC_CREDENTIAL_NTLM_SECPKG",
347 ntlm_blob
.data
, ntlm_blob
.length
);
349 secpkgs
[0].package_name
.string
= discard_const_p(char, "NTLM");
350 secpkgs
[0].credential_size
= ntlm_blob
.length
;
351 secpkgs
[0].credential
= ntlm_blob
.data
;
353 cred_data
.credential_count
= ARRAY_SIZE(secpkgs
);
354 cred_data
.credentials
= secpkgs
;
356 #ifdef DEBUG_PASSWORD
358 NDR_PRINT_DEBUG(PAC_CREDENTIAL_DATA
, &cred_data
);
362 cred_ndr
.ctr
.data
= &cred_data
;
364 #ifdef DEBUG_PASSWORD
366 NDR_PRINT_DEBUG(PAC_CREDENTIAL_DATA_NDR
, &cred_ndr
);
370 ndr_err
= ndr_push_struct_blob(cred_blob
, mem_ctx
, &cred_ndr
,
371 (ndr_push_flags_fn_t
)ndr_push_PAC_CREDENTIAL_DATA_NDR
);
372 data_blob_clear(&ntlm_blob
);
373 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
374 nt_status
= ndr_map_error2ntstatus(ndr_err
);
375 DEBUG(1, ("PAC_CREDENTIAL_DATA_NDR (presig) push failed: %s\n",
376 nt_errstr(nt_status
)));
380 DEBUG(10, ("Created credential BLOB (len %zu) for user\n",
382 dump_data_pw("PAC_CREDENTIAL_DATA_NDR",
383 cred_blob
->data
, cred_blob
->length
);
388 #ifdef SAMBA4_USES_HEIMDAL
389 krb5_error_code
samba_kdc_encrypt_pac_credentials(krb5_context context
,
390 const krb5_keyblock
*pkreplykey
,
391 const DATA_BLOB
*cred_ndr_blob
,
393 DATA_BLOB
*cred_info_blob
)
395 krb5_crypto cred_crypto
;
396 krb5_enctype cred_enctype
;
397 krb5_data cred_ndr_crypt
;
398 struct PAC_CREDENTIAL_INFO pac_cred_info
= { .version
= 0, };
401 enum ndr_err_code ndr_err
;
404 *cred_info_blob
= data_blob_null
;
406 ret
= krb5_crypto_init(context
, pkreplykey
, ETYPE_NULL
,
409 krb5err
= krb5_get_error_message(context
, ret
);
410 DEBUG(1, ("Failed initializing cred data crypto: %s\n", krb5err
));
411 krb5_free_error_message(context
, krb5err
);
415 ret
= krb5_crypto_getenctype(context
, cred_crypto
, &cred_enctype
);
417 DEBUG(1, ("Failed getting crypto type for key\n"));
418 krb5_crypto_destroy(context
, cred_crypto
);
422 DEBUG(10, ("Plain cred_ndr_blob (len %zu)\n",
423 cred_ndr_blob
->length
));
424 dump_data_pw("PAC_CREDENTIAL_DATA_NDR",
425 cred_ndr_blob
->data
, cred_ndr_blob
->length
);
427 ret
= krb5_encrypt(context
, cred_crypto
,
428 KRB5_KU_OTHER_ENCRYPTED
,
429 cred_ndr_blob
->data
, cred_ndr_blob
->length
,
431 krb5_crypto_destroy(context
, cred_crypto
);
433 krb5err
= krb5_get_error_message(context
, ret
);
434 DEBUG(1, ("Failed crypt of cred data: %s\n", krb5err
));
435 krb5_free_error_message(context
, krb5err
);
439 pac_cred_info
.encryption_type
= cred_enctype
;
440 pac_cred_info
.encrypted_data
.length
= cred_ndr_crypt
.length
;
441 pac_cred_info
.encrypted_data
.data
= (uint8_t *)cred_ndr_crypt
.data
;
444 NDR_PRINT_DEBUG(PAC_CREDENTIAL_INFO
, &pac_cred_info
);
447 ndr_err
= ndr_push_struct_blob(cred_info_blob
, mem_ctx
, &pac_cred_info
,
448 (ndr_push_flags_fn_t
)ndr_push_PAC_CREDENTIAL_INFO
);
449 krb5_data_free(&cred_ndr_crypt
);
450 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
451 nt_status
= ndr_map_error2ntstatus(ndr_err
);
452 DEBUG(1, ("PAC_CREDENTIAL_INFO (presig) push failed: %s\n",
453 nt_errstr(nt_status
)));
454 return KRB5KDC_ERR_SVC_UNAVAILABLE
;
457 DEBUG(10, ("Encrypted credential BLOB (len %zu) with alg %d\n",
458 cred_info_blob
->length
, (int)pac_cred_info
.encryption_type
));
459 dump_data_pw("PAC_CREDENTIAL_INFO",
460 cred_info_blob
->data
, cred_info_blob
->length
);
464 #else /* SAMBA4_USES_HEIMDAL */
465 krb5_error_code
samba_kdc_encrypt_pac_credentials(krb5_context context
,
466 const krb5_keyblock
*pkreplykey
,
467 const DATA_BLOB
*cred_ndr_blob
,
469 DATA_BLOB
*cred_info_blob
)
472 krb5_enctype cred_enctype
;
473 struct PAC_CREDENTIAL_INFO pac_cred_info
= { .version
= 0, };
474 krb5_error_code code
;
476 enum ndr_err_code ndr_err
;
478 krb5_data cred_ndr_data
;
479 krb5_enc_data cred_ndr_crypt
;
482 *cred_info_blob
= data_blob_null
;
484 code
= krb5_k_create_key(context
,
488 krb5err
= krb5_get_error_message(context
, code
);
489 DEBUG(1, ("Failed initializing cred data crypto: %s\n", krb5err
));
490 krb5_free_error_message(context
, krb5err
);
494 cred_enctype
= krb5_k_key_enctype(context
, cred_key
);
496 DEBUG(10, ("Plain cred_ndr_blob (len %zu)\n",
497 cred_ndr_blob
->length
));
498 dump_data_pw("PAC_CREDENTIAL_DATA_NDR",
499 cred_ndr_blob
->data
, cred_ndr_blob
->length
);
501 pac_cred_info
.encryption_type
= cred_enctype
;
503 cred_ndr_data
.magic
= 0;
504 cred_ndr_data
.data
= (char *)cred_ndr_blob
->data
;
505 cred_ndr_data
.length
= cred_ndr_blob
->length
;
507 code
= krb5_c_encrypt_length(context
,
509 cred_ndr_data
.length
,
512 krb5err
= krb5_get_error_message(context
, code
);
513 DEBUG(1, ("Failed initializing cred data crypto: %s\n", krb5err
));
514 krb5_free_error_message(context
, krb5err
);
518 pac_cred_info
.encrypted_data
= data_blob_talloc_zero(mem_ctx
, enc_len
);
519 if (pac_cred_info
.encrypted_data
.data
== NULL
) {
520 DBG_ERR("Out of memory\n");
524 cred_ndr_crypt
.ciphertext
.length
= enc_len
;
525 cred_ndr_crypt
.ciphertext
.data
= (char *)pac_cred_info
.encrypted_data
.data
;
527 code
= krb5_k_encrypt(context
,
529 KRB5_KU_OTHER_ENCRYPTED
,
533 krb5_k_free_key(context
, cred_key
);
535 krb5err
= krb5_get_error_message(context
, code
);
536 DEBUG(1, ("Failed crypt of cred data: %s\n", krb5err
));
537 krb5_free_error_message(context
, krb5err
);
542 NDR_PRINT_DEBUG(PAC_CREDENTIAL_INFO
, &pac_cred_info
);
545 ndr_err
= ndr_push_struct_blob(cred_info_blob
, mem_ctx
, &pac_cred_info
,
546 (ndr_push_flags_fn_t
)ndr_push_PAC_CREDENTIAL_INFO
);
547 TALLOC_FREE(pac_cred_info
.encrypted_data
.data
);
548 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
549 nt_status
= ndr_map_error2ntstatus(ndr_err
);
550 DEBUG(1, ("PAC_CREDENTIAL_INFO (presig) push failed: %s\n",
551 nt_errstr(nt_status
)));
552 return KRB5KDC_ERR_SVC_UNAVAILABLE
;
555 DEBUG(10, ("Encrypted credential BLOB (len %zu) with alg %d\n",
556 cred_info_blob
->length
, (int)pac_cred_info
.encryption_type
));
557 dump_data_pw("PAC_CREDENTIAL_INFO",
558 cred_info_blob
->data
, cred_info_blob
->length
);
562 #endif /* SAMBA4_USES_HEIMDAL */
566 * @brief Create a PAC with the given blobs (logon, credentials, upn and
569 * @param[in] context The KRB5 context to use.
571 * @param[in] logon_blob Fill the logon info PAC buffer with the given blob,
572 * use NULL to ignore it.
574 * @param[in] cred_blob Fill the credentials info PAC buffer with the given
575 * blob, use NULL to ignore it.
577 * @param[in] upn_blob Fill the UPN info PAC buffer with the given blob, use
580 * @param[in] deleg_blob Fill the delegation info PAC buffer with the given
581 * blob, use NULL to ignore it.
583 * @param[in] client_claims_blob Fill the client claims info PAC buffer with the
584 * given blob, use NULL to ignore it.
586 * @param[in] device_info_blob Fill the device info PAC buffer with the given
587 * blob, use NULL to ignore it.
589 * @param[in] device_claims_blob Fill the device claims info PAC buffer with the given
590 * blob, use NULL to ignore it.
592 * @param[in] pac The pac buffer to fill. This should be allocated with
593 * krb5_pac_init() already.
595 * @returns 0 on success or a corresponding KRB5 error.
597 krb5_error_code
samba_make_krb5_pac(krb5_context context
,
598 const DATA_BLOB
*logon_blob
,
599 const DATA_BLOB
*cred_blob
,
600 const DATA_BLOB
*upn_blob
,
601 const DATA_BLOB
*pac_attrs_blob
,
602 const DATA_BLOB
*requester_sid_blob
,
603 const DATA_BLOB
*deleg_blob
,
604 const DATA_BLOB
*client_claims_blob
,
605 const DATA_BLOB
*device_info_blob
,
606 const DATA_BLOB
*device_claims_blob
,
609 krb5_data logon_data
;
611 char null_byte
= '\0';
612 krb5_data null_data
= smb_krb5_make_data(&null_byte
, 0);
614 /* The user account may be set not to want the PAC */
615 if (logon_blob
== NULL
) {
619 logon_data
= smb_krb5_data_from_blob(*logon_blob
);
620 ret
= krb5_pac_add_buffer(context
, pac
, PAC_TYPE_LOGON_INFO
, &logon_data
);
625 if (device_info_blob
!= NULL
) {
626 krb5_data device_info_data
= smb_krb5_data_from_blob(*device_info_blob
);
627 ret
= krb5_pac_add_buffer(context
, pac
,
628 PAC_TYPE_DEVICE_INFO
,
635 if (client_claims_blob
!= NULL
) {
636 krb5_data client_claims_data
;
637 krb5_data
*data
= NULL
;
639 if (client_claims_blob
->length
!= 0) {
640 client_claims_data
= smb_krb5_data_from_blob(*client_claims_blob
);
641 data
= &client_claims_data
;
646 ret
= krb5_pac_add_buffer(context
, pac
,
647 PAC_TYPE_CLIENT_CLAIMS_INFO
,
654 if (device_claims_blob
!= NULL
) {
655 krb5_data device_claims_data
= smb_krb5_data_from_blob(*device_claims_blob
);
656 ret
= krb5_pac_add_buffer(context
, pac
,
657 PAC_TYPE_DEVICE_CLAIMS_INFO
,
658 &device_claims_data
);
664 if (cred_blob
!= NULL
) {
665 krb5_data cred_data
= smb_krb5_data_from_blob(*cred_blob
);
666 ret
= krb5_pac_add_buffer(context
, pac
,
667 PAC_TYPE_CREDENTIAL_INFO
,
674 #ifdef SAMBA4_USES_HEIMDAL
676 * null_data will be filled by the generic KDC code in the caller
677 * here we just add it in order to have it before
678 * PAC_TYPE_UPN_DNS_INFO
680 * Not needed with MIT Kerberos - asn
682 ret
= krb5_pac_add_buffer(context
, pac
,
690 if (upn_blob
!= NULL
) {
691 krb5_data upn_data
= smb_krb5_data_from_blob(*upn_blob
);
692 ret
= krb5_pac_add_buffer(context
, pac
,
693 PAC_TYPE_UPN_DNS_INFO
,
700 if (pac_attrs_blob
!= NULL
) {
701 krb5_data pac_attrs_data
= smb_krb5_data_from_blob(*pac_attrs_blob
);
702 ret
= krb5_pac_add_buffer(context
, pac
,
703 PAC_TYPE_ATTRIBUTES_INFO
,
710 if (requester_sid_blob
!= NULL
) {
711 krb5_data requester_sid_data
= smb_krb5_data_from_blob(*requester_sid_blob
);
712 ret
= krb5_pac_add_buffer(context
, pac
,
713 PAC_TYPE_REQUESTER_SID
,
714 &requester_sid_data
);
720 if (deleg_blob
!= NULL
) {
721 krb5_data deleg_data
= smb_krb5_data_from_blob(*deleg_blob
);
722 ret
= krb5_pac_add_buffer(context
, pac
,
723 PAC_TYPE_CONSTRAINED_DELEGATION
,
733 bool samba_princ_needs_pac(const struct samba_kdc_entry
*skdc_entry
)
736 uint32_t userAccountControl
;
738 /* The service account may be set not to want the PAC */
739 userAccountControl
= ldb_msg_find_attr_as_uint(skdc_entry
->msg
, "userAccountControl", 0);
740 if (userAccountControl
& UF_NO_AUTH_DATA_REQUIRED
) {
747 int samba_client_requested_pac(krb5_context context
,
748 const krb5_const_pac pac
,
752 enum ndr_err_code ndr_err
;
753 krb5_data k5pac_attrs_in
;
754 DATA_BLOB pac_attrs_in
;
755 union PAC_INFO pac_attrs
;
758 *requested_pac
= true;
760 ret
= krb5_pac_get_buffer(context
, pac
, PAC_TYPE_ATTRIBUTES_INFO
,
763 return ret
== ENOENT
? 0 : ret
;
766 pac_attrs_in
= data_blob_const(k5pac_attrs_in
.data
,
767 k5pac_attrs_in
.length
);
769 ndr_err
= ndr_pull_union_blob(&pac_attrs_in
, mem_ctx
, &pac_attrs
,
770 PAC_TYPE_ATTRIBUTES_INFO
,
771 (ndr_pull_flags_fn_t
)ndr_pull_PAC_INFO
);
772 smb_krb5_free_data_contents(context
, &k5pac_attrs_in
);
773 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
774 NTSTATUS nt_status
= ndr_map_error2ntstatus(ndr_err
);
775 DEBUG(0,("can't parse the PAC ATTRIBUTES_INFO: %s\n", nt_errstr(nt_status
)));
779 if (pac_attrs
.attributes_info
.flags
& (PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY
780 | PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED
)) {
781 *requested_pac
= true;
783 *requested_pac
= false;
789 /* Was the krbtgt in this DB (ie, should we check the incoming signature) and was it an RODC */
790 int samba_krbtgt_is_in_db(struct samba_kdc_entry
*p
,
795 int rodc_krbtgt_number
, trust_direction
;
798 TALLOC_CTX
*mem_ctx
= talloc_new(NULL
);
803 trust_direction
= ldb_msg_find_attr_as_int(p
->msg
, "trustDirection", 0);
805 if (trust_direction
!= 0) {
806 /* Domain trust - we cannot check the sig, but we trust it for a correct PAC
808 This is exactly where we should flag for SID
809 validation when we do inter-foreest trusts
811 talloc_free(mem_ctx
);
817 /* The lack of password controls etc applies to krbtgt by
818 * virtue of being that particular RID */
819 status
= dom_sid_split_rid(NULL
, samdb_result_dom_sid(mem_ctx
, p
->msg
, "objectSid"), NULL
, &rid
);
821 if (!NT_STATUS_IS_OK(status
)) {
822 talloc_free(mem_ctx
);
826 rodc_krbtgt_number
= ldb_msg_find_attr_as_int(p
->msg
, "msDS-SecondaryKrbTgtNumber", -1);
828 if (p
->kdc_db_ctx
->my_krbtgt_number
== 0) {
829 if (rid
== DOMAIN_RID_KRBTGT
) {
832 talloc_free(mem_ctx
);
834 } else if (rodc_krbtgt_number
!= -1) {
837 talloc_free(mem_ctx
);
840 } else if ((rid
!= DOMAIN_RID_KRBTGT
) && (rodc_krbtgt_number
== p
->kdc_db_ctx
->my_krbtgt_number
)) {
841 talloc_free(mem_ctx
);
845 } else if (rid
== DOMAIN_RID_KRBTGT
) {
846 /* krbtgt viewed from an RODC */
847 talloc_free(mem_ctx
);
854 talloc_free(mem_ctx
);
861 * Because the KDC does not limit protocol transition, two new well-known SIDs
862 * were introduced to give this control to the resource administrator. These
863 * SIDs identify whether protocol transition has occurred, and can be used with
864 * standard access control lists to grant or limit access as needed.
866 * https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
868 static NTSTATUS
samba_add_asserted_identity(enum samba_asserted_identity ai
,
869 struct auth_user_info_dc
*user_info_dc
)
871 struct dom_sid ai_sid
;
872 const char *sid_str
= NULL
;
875 case SAMBA_ASSERTED_IDENTITY_SERVICE
:
876 sid_str
= SID_SERVICE_ASSERTED_IDENTITY
;
878 case SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY
:
879 sid_str
= SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY
;
881 case SAMBA_ASSERTED_IDENTITY_IGNORE
:
885 dom_sid_parse(sid_str
, &ai_sid
);
887 return add_sid_to_array_attrs_unique(
890 SE_GROUP_DEFAULT_FLAGS
,
892 &user_info_dc
->num_sids
);
895 static NTSTATUS
samba_add_claims_valid(enum samba_claims_valid claims_valid
,
896 struct auth_user_info_dc
*user_info_dc
)
898 switch (claims_valid
) {
899 case SAMBA_CLAIMS_VALID_EXCLUDE
:
901 case SAMBA_CLAIMS_VALID_INCLUDE
:
903 struct dom_sid claims_valid_sid
;
905 if (!dom_sid_parse(SID_CLAIMS_VALID
, &claims_valid_sid
)) {
906 return NT_STATUS_UNSUCCESSFUL
;
909 return add_sid_to_array_attrs_unique(
912 SE_GROUP_DEFAULT_FLAGS
,
914 &user_info_dc
->num_sids
);
918 return NT_STATUS_INVALID_PARAMETER
;
921 static NTSTATUS
samba_add_compounded_auth(enum samba_compounded_auth compounded_auth
,
922 struct auth_user_info_dc
*user_info_dc
)
924 switch (compounded_auth
) {
925 case SAMBA_COMPOUNDED_AUTH_EXCLUDE
:
927 case SAMBA_COMPOUNDED_AUTH_INCLUDE
:
929 struct dom_sid compounded_auth_sid
;
931 if (!dom_sid_parse(SID_COMPOUNDED_AUTHENTICATION
, &compounded_auth_sid
)) {
932 return NT_STATUS_UNSUCCESSFUL
;
935 return add_sid_to_array_attrs_unique(
937 &compounded_auth_sid
,
938 SE_GROUP_DEFAULT_FLAGS
,
940 &user_info_dc
->num_sids
);
944 return NT_STATUS_INVALID_PARAMETER
;
948 * Look up the user's info in the database and create a auth_user_info_dc
949 * structure. If the resulting structure is not talloc_free()d, it will be
950 * reused on future calls to this function.
952 NTSTATUS
samba_kdc_get_user_info_from_db(struct samba_kdc_entry
*skdc_entry
,
953 const struct ldb_message
*msg
,
954 const struct auth_user_info_dc
**user_info_dc
)
956 if (skdc_entry
->user_info_dc
== NULL
) {
958 struct loadparm_context
*lp_ctx
= skdc_entry
->kdc_db_ctx
->lp_ctx
;
960 nt_status
= authsam_make_user_info_dc(skdc_entry
,
961 skdc_entry
->kdc_db_ctx
->samdb
,
962 lpcfg_netbios_name(lp_ctx
),
963 lpcfg_sam_name(lp_ctx
),
964 lpcfg_sam_dnsname(lp_ctx
),
965 skdc_entry
->realm_dn
,
969 &skdc_entry
->user_info_dc
);
970 if (!NT_STATUS_IS_OK(nt_status
)) {
975 *user_info_dc
= skdc_entry
->user_info_dc
;
979 NTSTATUS
samba_kdc_get_logon_info_blob(TALLOC_CTX
*mem_ctx
,
980 const struct auth_user_info_dc
*user_info_dc
,
981 const enum auth_group_inclusion group_inclusion
,
982 DATA_BLOB
**_logon_info_blob
)
984 DATA_BLOB
*logon_blob
= NULL
;
987 *_logon_info_blob
= NULL
;
989 logon_blob
= talloc_zero(mem_ctx
, DATA_BLOB
);
990 if (logon_blob
== NULL
) {
991 return NT_STATUS_NO_MEMORY
;
994 nt_status
= samba_get_logon_info_pac_blob(logon_blob
,
999 if (!NT_STATUS_IS_OK(nt_status
)) {
1000 DBG_ERR("Building PAC LOGON INFO failed: %s\n",
1001 nt_errstr(nt_status
));
1005 *_logon_info_blob
= logon_blob
;
1007 return NT_STATUS_OK
;
1010 NTSTATUS
samba_kdc_get_cred_ndr_blob(TALLOC_CTX
*mem_ctx
,
1011 const struct samba_kdc_entry
*p
,
1012 DATA_BLOB
**_cred_ndr_blob
)
1014 DATA_BLOB
*cred_blob
= NULL
;
1017 SMB_ASSERT(_cred_ndr_blob
!= NULL
);
1019 *_cred_ndr_blob
= NULL
;
1021 cred_blob
= talloc_zero(mem_ctx
, DATA_BLOB
);
1022 if (cred_blob
== NULL
) {
1023 return NT_STATUS_NO_MEMORY
;
1026 nt_status
= samba_get_cred_info_ndr_blob(cred_blob
,
1029 if (!NT_STATUS_IS_OK(nt_status
)) {
1030 DBG_ERR("Building PAC CRED INFO failed: %s\n",
1031 nt_errstr(nt_status
));
1035 *_cred_ndr_blob
= cred_blob
;
1037 return NT_STATUS_OK
;
1040 NTSTATUS
samba_kdc_get_upn_info_blob(TALLOC_CTX
*mem_ctx
,
1041 const struct auth_user_info_dc
*user_info_dc
,
1042 DATA_BLOB
**_upn_info_blob
)
1044 DATA_BLOB
*upn_blob
= NULL
;
1047 *_upn_info_blob
= NULL
;
1049 upn_blob
= talloc_zero(mem_ctx
, DATA_BLOB
);
1050 if (upn_blob
== NULL
) {
1051 return NT_STATUS_NO_MEMORY
;
1054 nt_status
= samba_get_upn_info_pac_blob(upn_blob
,
1057 if (!NT_STATUS_IS_OK(nt_status
)) {
1058 DEBUG(0, ("Building PAC UPN INFO failed: %s\n",
1059 nt_errstr(nt_status
)));
1063 *_upn_info_blob
= upn_blob
;
1065 return NT_STATUS_OK
;
1068 NTSTATUS
samba_kdc_get_pac_attrs_blob(TALLOC_CTX
*mem_ctx
,
1069 uint64_t pac_attributes
,
1070 DATA_BLOB
**_pac_attrs_blob
)
1072 DATA_BLOB
*pac_attrs_blob
= NULL
;
1075 SMB_ASSERT(_pac_attrs_blob
!= NULL
);
1077 *_pac_attrs_blob
= NULL
;
1079 pac_attrs_blob
= talloc_zero(mem_ctx
, DATA_BLOB
);
1080 if (pac_attrs_blob
== NULL
) {
1081 return NT_STATUS_NO_MEMORY
;
1084 nt_status
= samba_get_pac_attrs_blob(pac_attrs_blob
,
1088 if (!NT_STATUS_IS_OK(nt_status
)) {
1089 DBG_ERR("Building PAC ATTRIBUTES failed: %s\n",
1090 nt_errstr(nt_status
));
1094 *_pac_attrs_blob
= pac_attrs_blob
;
1096 return NT_STATUS_OK
;
1099 NTSTATUS
samba_kdc_get_requester_sid_blob(TALLOC_CTX
*mem_ctx
,
1100 const struct auth_user_info_dc
*user_info_dc
,
1101 DATA_BLOB
**_requester_sid_blob
)
1103 DATA_BLOB
*requester_sid_blob
= NULL
;
1106 SMB_ASSERT(_requester_sid_blob
!= NULL
);
1108 *_requester_sid_blob
= NULL
;
1110 requester_sid_blob
= talloc_zero(mem_ctx
, DATA_BLOB
);
1111 if (requester_sid_blob
== NULL
) {
1112 return NT_STATUS_NO_MEMORY
;
1115 nt_status
= samba_get_requester_sid_pac_blob(mem_ctx
,
1117 requester_sid_blob
);
1118 if (!NT_STATUS_IS_OK(nt_status
)) {
1119 DBG_ERR("Building PAC LOGON INFO failed: %s\n",
1120 nt_errstr(nt_status
));
1124 *_requester_sid_blob
= requester_sid_blob
;
1126 return NT_STATUS_OK
;
1129 NTSTATUS
samba_kdc_get_claims_blob(TALLOC_CTX
*mem_ctx
,
1130 const struct samba_kdc_entry
*p
,
1131 DATA_BLOB
**_claims_blob
)
1133 DATA_BLOB
*claims_blob
= NULL
;
1136 SMB_ASSERT(_claims_blob
!= NULL
);
1138 *_claims_blob
= NULL
;
1140 claims_blob
= talloc_zero(mem_ctx
, DATA_BLOB
);
1141 if (claims_blob
== NULL
) {
1142 return NT_STATUS_NO_MEMORY
;
1145 nt_status
= samba_get_claims_blob(mem_ctx
,
1146 p
->kdc_db_ctx
->samdb
,
1149 if (!NT_STATUS_IS_OK(nt_status
)) {
1150 DBG_ERR("Building claims failed: %s\n",
1151 nt_errstr(nt_status
));
1155 *_claims_blob
= claims_blob
;
1157 return NT_STATUS_OK
;
1160 NTSTATUS
samba_kdc_get_user_info_dc(TALLOC_CTX
*mem_ctx
,
1161 struct samba_kdc_entry
*skdc_entry
,
1162 enum samba_asserted_identity asserted_identity
,
1163 enum samba_claims_valid claims_valid
,
1164 enum samba_compounded_auth compounded_auth
,
1165 struct auth_user_info_dc
**user_info_dc_out
)
1168 const struct auth_user_info_dc
*user_info_dc_from_db
= NULL
;
1169 struct auth_user_info_dc
*user_info_dc
= NULL
;
1171 nt_status
= samba_kdc_get_user_info_from_db(skdc_entry
, skdc_entry
->msg
, &user_info_dc_from_db
);
1172 if (!NT_STATUS_IS_OK(nt_status
)) {
1173 DBG_ERR("Getting user info for PAC failed: %s\n",
1174 nt_errstr(nt_status
));
1178 /* Make a shallow copy of the user_info_dc structure. */
1179 nt_status
= authsam_shallow_copy_user_info_dc(mem_ctx
, user_info_dc_from_db
, &user_info_dc
);
1180 if (!NT_STATUS_IS_OK(nt_status
)) {
1181 DBG_ERR("Failed to allocate user_info_dc SIDs: %s\n",
1182 nt_errstr(nt_status
));
1186 /* Here we modify the SIDs to add the Asserted Identity SID. */
1187 nt_status
= samba_add_asserted_identity(asserted_identity
,
1189 if (!NT_STATUS_IS_OK(nt_status
)) {
1190 DBG_ERR("Failed to add asserted identity: %s\n",
1191 nt_errstr(nt_status
));
1195 nt_status
= samba_add_claims_valid(claims_valid
,
1197 if (!NT_STATUS_IS_OK(nt_status
)) {
1198 DBG_ERR("Failed to add Claims Valid: %s\n",
1199 nt_errstr(nt_status
));
1203 nt_status
= samba_add_compounded_auth(compounded_auth
,
1205 if (!NT_STATUS_IS_OK(nt_status
)) {
1206 DBG_ERR("Failed to add Compounded Authentication: %s\n",
1207 nt_errstr(nt_status
));
1211 *user_info_dc_out
= user_info_dc
;
1213 return NT_STATUS_OK
;
1216 static NTSTATUS
samba_kdc_update_pac_blob(TALLOC_CTX
*mem_ctx
,
1217 krb5_context context
,
1218 struct ldb_context
*samdb
,
1219 const enum auth_group_inclusion group_inclusion
,
1220 const enum samba_compounded_auth compounded_auth
,
1221 const krb5_const_pac pac
, DATA_BLOB
*pac_blob
,
1222 struct PAC_SIGNATURE_DATA
*pac_srv_sig
,
1223 struct PAC_SIGNATURE_DATA
*pac_kdc_sig
)
1225 struct auth_user_info_dc
*user_info_dc
;
1226 krb5_error_code ret
;
1228 struct PAC_DOMAIN_GROUP_MEMBERSHIP
*_resource_groups
= NULL
;
1229 struct PAC_DOMAIN_GROUP_MEMBERSHIP
**resource_groups
= NULL
;
1231 if (group_inclusion
== AUTH_EXCLUDE_RESOURCE_GROUPS
) {
1233 * Since we are creating a TGT, resource groups from our domain
1234 * are not to be put into the PAC. Instead, we take the resource
1235 * groups directly from the original PAC and copy them
1236 * unmodified into the new one.
1238 resource_groups
= &_resource_groups
;
1241 ret
= kerberos_pac_to_user_info_dc(mem_ctx
,
1245 AUTH_EXCLUDE_RESOURCE_GROUPS
,
1250 return NT_STATUS_UNSUCCESSFUL
;
1254 * We need to expand group memberships within our local domain,
1255 * as the token might be generated by a trusted domain.
1257 nt_status
= authsam_update_user_info_dc(mem_ctx
,
1260 if (!NT_STATUS_IS_OK(nt_status
)) {
1261 TALLOC_FREE(user_info_dc
);
1265 nt_status
= samba_add_compounded_auth(compounded_auth
,
1267 if (!NT_STATUS_IS_OK(nt_status
)) {
1268 DBG_ERR("Failed to add Compounded Authentication: %s\n",
1269 nt_errstr(nt_status
));
1273 nt_status
= samba_get_logon_info_pac_blob(mem_ctx
,
1280 * The infomation from this is now in the PAC, this memory is
1281 * not used any longer and not passed to the caller
1283 TALLOC_FREE(user_info_dc
);
1288 static NTSTATUS
samba_kdc_update_delegation_info_blob(TALLOC_CTX
*mem_ctx
,
1289 krb5_context context
,
1290 const krb5_const_pac pac
,
1291 const krb5_principal server_principal
,
1292 const krb5_principal proxy_principal
,
1293 DATA_BLOB
*new_blob
)
1297 krb5_error_code ret
;
1299 enum ndr_err_code ndr_err
;
1300 union PAC_INFO info
;
1301 struct PAC_CONSTRAINED_DELEGATION _d
;
1302 struct PAC_CONSTRAINED_DELEGATION
*d
= NULL
;
1303 char *server
= NULL
;
1306 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
1308 if (tmp_ctx
== NULL
) {
1309 return NT_STATUS_NO_MEMORY
;
1312 ret
= krb5_pac_get_buffer(context
, pac
, PAC_TYPE_CONSTRAINED_DELEGATION
, &old_data
);
1313 if (ret
== ENOENT
) {
1314 ZERO_STRUCT(old_data
);
1316 talloc_free(tmp_ctx
);
1317 return NT_STATUS_UNSUCCESSFUL
;
1320 old_blob
.length
= old_data
.length
;
1321 old_blob
.data
= (uint8_t *)old_data
.data
;
1324 if (old_blob
.length
> 0) {
1325 ndr_err
= ndr_pull_union_blob(&old_blob
, mem_ctx
,
1326 &info
, PAC_TYPE_CONSTRAINED_DELEGATION
,
1327 (ndr_pull_flags_fn_t
)ndr_pull_PAC_INFO
);
1328 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
1329 smb_krb5_free_data_contents(context
, &old_data
);
1330 nt_status
= ndr_map_error2ntstatus(ndr_err
);
1331 DEBUG(0,("can't parse the PAC LOGON_INFO: %s\n", nt_errstr(nt_status
)));
1332 talloc_free(tmp_ctx
);
1337 info
.constrained_delegation
.info
= &_d
;
1339 smb_krb5_free_data_contents(context
, &old_data
);
1341 ret
= krb5_unparse_name_flags(context
, server_principal
,
1342 KRB5_PRINCIPAL_UNPARSE_NO_REALM
, &server
);
1344 talloc_free(tmp_ctx
);
1345 return NT_STATUS_INTERNAL_ERROR
;
1348 ret
= krb5_unparse_name(context
, proxy_principal
, &proxy
);
1351 talloc_free(tmp_ctx
);
1352 return NT_STATUS_INTERNAL_ERROR
;
1355 d
= info
.constrained_delegation
.info
;
1356 i
= d
->num_transited_services
;
1357 d
->proxy_target
.string
= server
;
1358 d
->transited_services
= talloc_realloc(mem_ctx
, d
->transited_services
,
1359 struct lsa_String
, i
+ 1);
1360 d
->transited_services
[i
].string
= proxy
;
1361 d
->num_transited_services
= i
+ 1;
1363 ndr_err
= ndr_push_union_blob(new_blob
, mem_ctx
,
1364 &info
, PAC_TYPE_CONSTRAINED_DELEGATION
,
1365 (ndr_push_flags_fn_t
)ndr_push_PAC_INFO
);
1368 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
1369 smb_krb5_free_data_contents(context
, &old_data
);
1370 nt_status
= ndr_map_error2ntstatus(ndr_err
);
1371 DEBUG(0,("can't parse the PAC LOGON_INFO: %s\n", nt_errstr(nt_status
)));
1372 talloc_free(tmp_ctx
);
1376 talloc_free(tmp_ctx
);
1377 return NT_STATUS_OK
;
1380 /* function to map policy errors */
1381 krb5_error_code
samba_kdc_map_policy_err(NTSTATUS nt_status
)
1383 krb5_error_code ret
;
1385 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_PASSWORD_MUST_CHANGE
))
1386 ret
= KRB5KDC_ERR_KEY_EXP
;
1387 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_PASSWORD_EXPIRED
))
1388 ret
= KRB5KDC_ERR_KEY_EXP
;
1389 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_ACCOUNT_EXPIRED
))
1390 ret
= KRB5KDC_ERR_CLIENT_REVOKED
;
1391 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_ACCOUNT_DISABLED
))
1392 ret
= KRB5KDC_ERR_CLIENT_REVOKED
;
1393 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_INVALID_LOGON_HOURS
))
1394 ret
= KRB5KDC_ERR_CLIENT_REVOKED
;
1395 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_ACCOUNT_LOCKED_OUT
))
1396 ret
= KRB5KDC_ERR_CLIENT_REVOKED
;
1397 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_INVALID_WORKSTATION
))
1398 ret
= KRB5KDC_ERR_POLICY
;
1400 ret
= KRB5KDC_ERR_POLICY
;
1405 /* Given a kdc entry, consult the account_ok routine in auth/auth_sam.c
1406 * for consistency */
1407 NTSTATUS
samba_kdc_check_client_access(struct samba_kdc_entry
*kdc_entry
,
1408 const char *client_name
,
1409 const char *workstation
,
1410 bool password_change
)
1412 TALLOC_CTX
*tmp_ctx
;
1415 tmp_ctx
= talloc_named(NULL
, 0, "samba_kdc_check_client_access");
1417 return NT_STATUS_NO_MEMORY
;
1420 /* we allow all kinds of trusts here */
1421 nt_status
= authsam_account_ok(tmp_ctx
,
1422 kdc_entry
->kdc_db_ctx
->samdb
,
1423 MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
|
1424 MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT
,
1425 kdc_entry
->realm_dn
, kdc_entry
->msg
,
1426 workstation
, client_name
,
1427 true, password_change
);
1429 kdc_entry
->reject_status
= nt_status
;
1430 talloc_free(tmp_ctx
);
1434 static krb5_error_code
samba_get_requester_sid(TALLOC_CTX
*mem_ctx
,
1436 krb5_context context
,
1437 struct dom_sid
*sid
)
1440 enum ndr_err_code ndr_err
;
1441 krb5_error_code ret
;
1443 DATA_BLOB pac_requester_sid_in
;
1444 krb5_data k5pac_requester_sid_in
;
1446 union PAC_INFO info
;
1448 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
1449 if (tmp_ctx
== NULL
) {
1453 ret
= krb5_pac_get_buffer(context
, pac
, PAC_TYPE_REQUESTER_SID
,
1454 &k5pac_requester_sid_in
);
1456 talloc_free(tmp_ctx
);
1460 pac_requester_sid_in
= data_blob_const(k5pac_requester_sid_in
.data
,
1461 k5pac_requester_sid_in
.length
);
1463 ndr_err
= ndr_pull_union_blob(&pac_requester_sid_in
, tmp_ctx
, &info
,
1464 PAC_TYPE_REQUESTER_SID
,
1465 (ndr_pull_flags_fn_t
)ndr_pull_PAC_INFO
);
1466 smb_krb5_free_data_contents(context
, &k5pac_requester_sid_in
);
1467 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
1468 nt_status
= ndr_map_error2ntstatus(ndr_err
);
1469 DEBUG(0,("can't parse the PAC REQUESTER_SID: %s\n", nt_errstr(nt_status
)));
1470 talloc_free(tmp_ctx
);
1474 *sid
= info
.requester_sid
.sid
;
1476 talloc_free(tmp_ctx
);
1480 /* Does a parse and SID check, but no crypto. */
1481 krb5_error_code
samba_kdc_validate_pac_blob(
1482 krb5_context context
,
1483 const struct samba_kdc_entry
*client_skdc_entry
,
1484 const krb5_const_pac pac
)
1486 TALLOC_CTX
*frame
= talloc_stackframe();
1487 struct auth_user_info_dc
*pac_user_info
= NULL
;
1488 struct dom_sid
*client_sid
= NULL
;
1489 struct dom_sid pac_sid
;
1490 krb5_error_code code
;
1494 * First, try to get the SID from the requester SID buffer in the PAC.
1496 code
= samba_get_requester_sid(frame
, pac
, context
, &pac_sid
);
1498 if (code
== ENOENT
) {
1500 * If the requester SID buffer isn't present, fall back to the
1501 * SID in the LOGON_INFO PAC buffer.
1503 code
= kerberos_pac_to_user_info_dc(frame
,
1507 AUTH_EXCLUDE_RESOURCE_GROUPS
,
1515 if (pac_user_info
->num_sids
== 0) {
1520 pac_sid
= pac_user_info
->sids
[PRIMARY_USER_SID_INDEX
].sid
;
1521 } else if (code
!= 0) {
1525 client_sid
= samdb_result_dom_sid(frame
,
1526 client_skdc_entry
->msg
,
1529 ok
= dom_sid_equal(&pac_sid
, client_sid
);
1531 struct dom_sid_buf buf1
;
1532 struct dom_sid_buf buf2
;
1534 DBG_ERR("SID mismatch between PAC and looked up client: "
1535 "PAC[%s] != CLI[%s]\n",
1536 dom_sid_str_buf(&pac_sid
, &buf1
),
1537 dom_sid_str_buf(client_sid
, &buf2
));
1538 code
= KRB5KDC_ERR_TGT_REVOKED
;
1550 * In the RODC case, to confirm that the returned user is permitted to
1551 * be replicated to the KDC (krbgtgt_xxx user) represented by *rodc
1553 WERROR
samba_rodc_confirm_user_is_allowed(uint32_t num_object_sids
,
1554 const struct dom_sid
*object_sids
,
1555 const struct samba_kdc_entry
*rodc
,
1556 const struct samba_kdc_entry
*object
)
1560 TALLOC_CTX
*frame
= talloc_stackframe();
1561 const char *rodc_attrs
[] = { "msDS-KrbTgtLink",
1562 "msDS-NeverRevealGroup",
1563 "msDS-RevealOnDemandGroup",
1564 "userAccountControl",
1567 struct ldb_result
*rodc_machine_account
= NULL
;
1568 struct ldb_dn
*rodc_machine_account_dn
= samdb_result_dn(rodc
->kdc_db_ctx
->samdb
,
1571 "msDS-KrbTgtLinkBL",
1573 const struct dom_sid
*rodc_machine_account_sid
= NULL
;
1575 if (rodc_machine_account_dn
== NULL
) {
1576 DBG_ERR("krbtgt account %s has no msDS-KrbTgtLinkBL to find RODC machine account for allow/deny list\n",
1577 ldb_dn_get_linearized(rodc
->msg
->dn
));
1579 return WERR_DOMAIN_CONTROLLER_NOT_FOUND
;
1583 * Follow the link and get the RODC account (the krbtgt
1584 * account is the krbtgt_XXX account, but the
1585 * msDS-NeverRevealGroup and msDS-RevealOnDemandGroup is on
1586 * the RODC$ account)
1588 * We need DSDB_SEARCH_SHOW_EXTENDED_DN as we get a SID lists
1589 * out of the extended DNs
1592 ret
= dsdb_search_dn(rodc
->kdc_db_ctx
->samdb
,
1594 &rodc_machine_account
,
1595 rodc_machine_account_dn
,
1597 DSDB_SEARCH_SHOW_EXTENDED_DN
);
1598 if (ret
!= LDB_SUCCESS
) {
1599 DBG_ERR("Failed to fetch RODC machine account %s pointed to by %s to check allow/deny list: %s\n",
1600 ldb_dn_get_linearized(rodc_machine_account_dn
),
1601 ldb_dn_get_linearized(rodc
->msg
->dn
),
1602 ldb_errstring(rodc
->kdc_db_ctx
->samdb
));
1604 return WERR_DOMAIN_CONTROLLER_NOT_FOUND
;
1607 if (rodc_machine_account
->count
!= 1) {
1608 DBG_ERR("Failed to fetch RODC machine account %s pointed to by %s to check allow/deny list: (%d)\n",
1609 ldb_dn_get_linearized(rodc_machine_account_dn
),
1610 ldb_dn_get_linearized(rodc
->msg
->dn
),
1611 rodc_machine_account
->count
);
1613 return WERR_DS_DRA_BAD_DN
;
1616 /* if the object SID is equal to the user_sid, allow */
1617 rodc_machine_account_sid
= samdb_result_dom_sid(frame
,
1618 rodc_machine_account
->msgs
[0],
1620 if (rodc_machine_account_sid
== NULL
) {
1622 return WERR_DS_DRA_BAD_DN
;
1625 werr
= samdb_confirm_rodc_allowed_to_repl_to_sid_list(rodc
->kdc_db_ctx
->samdb
,
1626 rodc_machine_account_sid
,
1627 rodc_machine_account
->msgs
[0],
1636 static krb5_error_code
samba_kdc_add_domain_group_sid(TALLOC_CTX
*mem_ctx
,
1637 struct PAC_DEVICE_INFO
*info
,
1638 const struct netr_SidAttr
*sid
)
1644 struct PAC_DOMAIN_GROUP_MEMBERSHIP
*domain_group
= NULL
;
1646 for (i
= 0; i
< info
->domain_group_count
; ++i
) {
1647 struct PAC_DOMAIN_GROUP_MEMBERSHIP
*this_domain_group
1648 = &info
->domain_groups
[i
];
1650 if (dom_sid_in_domain(this_domain_group
->domain_sid
, sid
->sid
)) {
1651 domain_group
= this_domain_group
;
1656 if (domain_group
== NULL
) {
1657 info
->domain_groups
= talloc_realloc(
1659 info
->domain_groups
,
1660 struct PAC_DOMAIN_GROUP_MEMBERSHIP
,
1661 info
->domain_group_count
+ 1);
1662 if (info
->domain_groups
== NULL
) {
1666 domain_group
= &info
->domain_groups
[
1667 info
->domain_group_count
++];
1669 domain_group
->domain_sid
= NULL
;
1671 domain_group
->groups
.count
= 0;
1672 domain_group
->groups
.rids
= NULL
;
1674 status
= dom_sid_split_rid(info
->domain_groups
,
1676 &domain_group
->domain_sid
,
1678 if (!NT_STATUS_IS_OK(status
)) {
1682 status
= dom_sid_split_rid(NULL
,
1686 if (!NT_STATUS_IS_OK(status
)) {
1691 domain_group
->groups
.rids
= talloc_realloc(info
->domain_groups
,
1692 domain_group
->groups
.rids
,
1693 struct samr_RidWithAttribute
,
1694 domain_group
->groups
.count
+ 1);
1695 if (domain_group
->groups
.rids
== NULL
) {
1699 domain_group
->groups
.rids
[domain_group
->groups
.count
].rid
= rid
;
1700 domain_group
->groups
.rids
[domain_group
->groups
.count
].attributes
= sid
->attributes
;
1702 ++domain_group
->groups
.count
;
1707 static krb5_error_code
samba_kdc_make_device_info(TALLOC_CTX
*mem_ctx
,
1708 const struct netr_SamInfo3
*info3
,
1709 struct PAC_DOMAIN_GROUP_MEMBERSHIP
*resource_groups
,
1710 union PAC_INFO
*info
)
1712 struct PAC_DEVICE_INFO
*device_info
= NULL
;
1717 info
->device_info
.info
= NULL
;
1719 device_info
= talloc(mem_ctx
, struct PAC_DEVICE_INFO
);
1720 if (device_info
== NULL
) {
1724 device_info
->rid
= info3
->base
.rid
;
1725 device_info
->primary_gid
= info3
->base
.primary_gid
;
1726 device_info
->domain_sid
= info3
->base
.domain_sid
;
1727 device_info
->groups
= info3
->base
.groups
;
1729 device_info
->sid_count
= 0;
1730 device_info
->sids
= NULL
;
1732 if (resource_groups
!= NULL
) {
1734 * The account's resource groups all belong to the same domain,
1735 * so we can add them all in one go.
1737 device_info
->domain_group_count
= 1;
1738 device_info
->domain_groups
= talloc_move(mem_ctx
, &resource_groups
);
1740 device_info
->domain_group_count
= 0;
1741 device_info
->domain_groups
= NULL
;
1744 for (i
= 0; i
< info3
->sidcount
; ++i
) {
1745 const struct netr_SidAttr
*device_sid
= &info3
->sids
[i
];
1747 if (dom_sid_has_account_domain(device_sid
->sid
)) {
1748 krb5_error_code ret
= samba_kdc_add_domain_group_sid(mem_ctx
, device_info
, device_sid
);
1753 device_info
->sids
= talloc_realloc(mem_ctx
, device_info
->sids
,
1754 struct netr_SidAttr
,
1755 device_info
->sid_count
+ 1);
1756 if (device_info
->sids
== NULL
) {
1760 device_info
->sids
[device_info
->sid_count
].sid
= dom_sid_dup(device_info
->sids
, device_sid
->sid
);
1761 if (device_info
->sids
[device_info
->sid_count
].sid
== NULL
) {
1765 device_info
->sids
[device_info
->sid_count
].attributes
= device_sid
->attributes
;
1767 ++device_info
->sid_count
;
1771 info
->device_info
.info
= device_info
;
1776 static krb5_error_code
samba_kdc_update_device_info(TALLOC_CTX
*mem_ctx
,
1777 struct ldb_context
*samdb
,
1778 const union PAC_INFO
*logon_info
,
1779 struct PAC_DEVICE_INFO
*device_info
)
1782 struct auth_user_info_dc
*device_info_dc
= NULL
;
1783 union netr_Validation validation
;
1785 uint32_t num_existing_sids
;
1788 * This does a bit of unnecessary work, setting up fields we don't care
1789 * about -- we only want the SIDs.
1791 validation
.sam3
= &logon_info
->logon_info
.info
->info3
;
1792 nt_status
= make_user_info_dc_netlogon_validation(mem_ctx
, "", 3, &validation
,
1793 true, /* This user was authenticated */
1795 if (!NT_STATUS_IS_OK(nt_status
)) {
1799 num_existing_sids
= device_info_dc
->num_sids
;
1802 * We need to expand group memberships within our local domain,
1803 * as the token might be generated by a trusted domain.
1805 nt_status
= authsam_update_user_info_dc(mem_ctx
,
1808 if (!NT_STATUS_IS_OK(nt_status
)) {
1812 for (i
= num_existing_sids
; i
< device_info_dc
->num_sids
; ++i
) {
1813 struct auth_SidAttr
*device_sid
= &device_info_dc
->sids
[i
];
1814 const struct netr_SidAttr sid
= (struct netr_SidAttr
) {
1815 .sid
= &device_sid
->sid
,
1816 .attributes
= device_sid
->attrs
,
1819 krb5_error_code ret
= samba_kdc_add_domain_group_sid(mem_ctx
, device_info
, &sid
);
1828 static krb5_error_code
samba_kdc_get_device_info_pac_blob(TALLOC_CTX
*mem_ctx
,
1829 union PAC_INFO
*info
,
1830 DATA_BLOB
**device_info_blob
)
1832 enum ndr_err_code ndr_err
;
1834 *device_info_blob
= talloc_zero(mem_ctx
, DATA_BLOB
);
1835 if (*device_info_blob
== NULL
) {
1836 DBG_ERR("Out of memory\n");
1840 ndr_err
= ndr_push_union_blob(*device_info_blob
, mem_ctx
,
1841 info
, PAC_TYPE_DEVICE_INFO
,
1842 (ndr_push_flags_fn_t
)ndr_push_PAC_INFO
);
1843 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
1844 NTSTATUS nt_status
= ndr_map_error2ntstatus(ndr_err
);
1845 DBG_WARNING("PAC_DEVICE_INFO (presig) push failed: %s\n",
1846 nt_errstr(nt_status
));
1853 static krb5_error_code
samba_kdc_create_device_info_blob(TALLOC_CTX
*mem_ctx
,
1854 krb5_context context
,
1855 struct ldb_context
*samdb
,
1856 const krb5_const_pac device_pac
,
1857 DATA_BLOB
**device_info_blob
)
1859 TALLOC_CTX
*frame
= NULL
;
1860 krb5_data device_logon_info
;
1861 krb5_error_code code
= EINVAL
;
1864 union PAC_INFO info
;
1865 enum ndr_err_code ndr_err
;
1866 DATA_BLOB device_logon_info_blob
;
1868 union PAC_INFO logon_info
;
1870 code
= krb5_pac_get_buffer(context
, device_pac
,
1871 PAC_TYPE_LOGON_INFO
,
1872 &device_logon_info
);
1874 if (code
== ENOENT
) {
1875 DBG_ERR("Device PAC is missing LOGON_INFO\n");
1877 DBG_ERR("Error getting LOGON_INFO from device PAC\n");
1882 frame
= talloc_stackframe();
1884 device_logon_info_blob
= data_blob_const(device_logon_info
.data
,
1885 device_logon_info
.length
);
1887 ndr_err
= ndr_pull_union_blob(&device_logon_info_blob
, frame
, &logon_info
,
1888 PAC_TYPE_LOGON_INFO
,
1889 (ndr_pull_flags_fn_t
)ndr_pull_PAC_INFO
);
1890 smb_krb5_free_data_contents(context
, &device_logon_info
);
1891 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
1892 nt_status
= ndr_map_error2ntstatus(ndr_err
);
1893 DBG_ERR("can't parse device PAC LOGON_INFO: %s\n",
1894 nt_errstr(nt_status
));
1900 * When creating the device info structure, existing resource groups are
1903 code
= samba_kdc_make_device_info(frame
,
1904 &logon_info
.logon_info
.info
->info3
,
1905 NULL
, /* resource_groups */
1912 code
= samba_kdc_update_device_info(frame
,
1915 info
.device_info
.info
);
1921 code
= samba_kdc_get_device_info_pac_blob(mem_ctx
,
1929 static krb5_error_code
samba_kdc_get_device_info_blob(TALLOC_CTX
*mem_ctx
,
1930 struct samba_kdc_entry
*device
,
1931 DATA_BLOB
**device_info_blob
)
1933 TALLOC_CTX
*frame
= NULL
;
1934 krb5_error_code code
= EINVAL
;
1937 struct auth_user_info_dc
*device_info_dc
= NULL
;
1938 struct netr_SamInfo3
*info3
= NULL
;
1939 struct PAC_DOMAIN_GROUP_MEMBERSHIP
*resource_groups
= NULL
;
1941 union PAC_INFO info
;
1943 enum samba_asserted_identity asserted_identity
=
1944 SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY
;
1945 const enum samba_claims_valid claims_valid
= SAMBA_CLAIMS_VALID_INCLUDE
;
1946 const enum samba_compounded_auth compounded_auth
= SAMBA_COMPOUNDED_AUTH_EXCLUDE
;
1948 frame
= talloc_stackframe();
1950 nt_status
= samba_kdc_get_user_info_dc(frame
,
1956 if (!NT_STATUS_IS_OK(nt_status
)) {
1957 DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n",
1958 nt_errstr(nt_status
));
1960 return KRB5KDC_ERR_TGT_REVOKED
;
1963 nt_status
= auth_convert_user_info_dc_saminfo3(frame
, device_info_dc
,
1964 AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED
,
1967 if (!NT_STATUS_IS_OK(nt_status
)) {
1968 DEBUG(1, ("Getting Samba info failed: %s\n",
1969 nt_errstr(nt_status
)));
1971 return nt_status_to_krb5(nt_status
);
1974 code
= samba_kdc_make_device_info(frame
,
1983 code
= samba_kdc_get_device_info_pac_blob(mem_ctx
,
1992 * @brief Verify a PAC
1994 * @param mem_ctx A talloc memory context
1996 * @param context A krb5 context
1998 * @param flags Bitwise OR'ed flags
2000 * @param client The client samba kdc entry.
2002 * @param krbtgt The krbtgt samba kdc entry.
2004 * @param device The computer's samba kdc entry; used for compound
2007 * @param device_pac The PAC from the computer's TGT; used
2008 * for compound authentication.
2010 * @param pac The PAC
2012 * @return A Kerberos error code.
2014 krb5_error_code
samba_kdc_verify_pac(TALLOC_CTX
*mem_ctx
,
2015 krb5_context context
,
2017 struct samba_kdc_entry
*client
,
2018 const struct samba_kdc_entry
*krbtgt
,
2019 const struct samba_kdc_entry
*device
,
2020 const krb5_const_pac
*device_pac
,
2021 const krb5_const_pac pac
)
2023 krb5_error_code code
= EINVAL
;
2025 bool is_trusted
= flags
& SAMBA_KDC_FLAG_KRBTGT_IS_TRUSTED
;
2027 struct pac_blobs pac_blobs
;
2028 pac_blobs_init(&pac_blobs
);
2030 if (client
!= NULL
) {
2032 * Check the objectSID of the client and pac data are the same.
2033 * Does a parse and SID check, but no crypto.
2035 code
= samba_kdc_validate_pac_blob(context
,
2043 if (device
!= NULL
) {
2044 SMB_ASSERT(*device_pac
!= NULL
);
2047 * Check the objectSID of the device and pac data are the same.
2048 * Does a parse and SID check, but no crypto.
2050 code
= samba_kdc_validate_pac_blob(context
,
2059 const struct auth_user_info_dc
*user_info_dc
= NULL
;
2062 struct dom_sid
*object_sids
= NULL
;
2065 if (client
== NULL
) {
2066 code
= KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
;
2070 nt_status
= samba_kdc_get_user_info_from_db(client
, client
->msg
, &user_info_dc
);
2071 if (!NT_STATUS_IS_OK(nt_status
)) {
2072 DBG_ERR("Getting user info for PAC failed: %s\n",
2073 nt_errstr(nt_status
));
2074 code
= KRB5KDC_ERR_TGT_REVOKED
;
2079 * Check if the SID list in the user_info_dc intersects
2080 * correctly with the RODC allow/deny lists.
2082 object_sids
= talloc_array(mem_ctx
, struct dom_sid
, user_info_dc
->num_sids
);
2083 if (object_sids
== NULL
) {
2088 for (j
= 0; j
< user_info_dc
->num_sids
; ++j
) {
2089 object_sids
[j
] = user_info_dc
->sids
[j
].sid
;
2092 werr
= samba_rodc_confirm_user_is_allowed(user_info_dc
->num_sids
,
2096 TALLOC_FREE(object_sids
);
2097 if (!W_ERROR_IS_OK(werr
)) {
2098 code
= KRB5KDC_ERR_TGT_REVOKED
;
2099 if (W_ERROR_EQUAL(werr
,
2100 WERR_DOMAIN_CONTROLLER_NOT_FOUND
)) {
2101 code
= KRB5KDC_ERR_POLICY
;
2107 * The RODC PAC data isn't trusted for authorization as it may
2108 * be stale. The only thing meaningful we can do with an RODC
2109 * account on a full DC is exchange the RODC TGT for a 'real'
2112 * So we match Windows (at least server 2022) and
2113 * don't allow S4U2Self.
2115 * https://lists.samba.org/archive/cifs-protocol/2022-April/003673.html
2117 if (flags
& SAMBA_KDC_FLAG_PROTOCOL_TRANSITION
) {
2118 code
= KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
;
2123 /* Check the types of the given PAC */
2125 code
= pac_blobs_from_krb5_pac(&pac_blobs
,
2133 code
= pac_blobs_ensure_exists(&pac_blobs
,
2134 PAC_TYPE_LOGON_INFO
);
2139 code
= pac_blobs_ensure_exists(&pac_blobs
,
2140 PAC_TYPE_LOGON_NAME
);
2145 code
= pac_blobs_ensure_exists(&pac_blobs
,
2146 PAC_TYPE_SRV_CHECKSUM
);
2151 code
= pac_blobs_ensure_exists(&pac_blobs
,
2152 PAC_TYPE_KDC_CHECKSUM
);
2157 if (!(flags
& SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION
)) {
2158 code
= pac_blobs_ensure_exists(&pac_blobs
,
2159 PAC_TYPE_REQUESTER_SID
);
2161 code
= KRB5KDC_ERR_TGT_REVOKED
;
2169 pac_blobs_destroy(&pac_blobs
);
2175 * @brief Update a PAC
2177 * @param mem_ctx A talloc memory context
2179 * @param context A krb5 context
2181 * @param samdb An open samdb connection.
2183 * @param flags Bitwise OR'ed flags
2185 * @param device_pac_is_trusted Whether the device's PAC was issued by a trusted server,
2186 * as opposed to an RODC.
2188 * @param client The client samba kdc entry.
2190 * @param server_principal The server principal
2192 * @param server The server samba kdc entry.
2194 * @param delegated_proxy_principal The delegated proxy principal used for
2195 * updating the constrained delegation PAC
2198 * @param device The computer's samba kdc entry; used for compound
2201 * @param device_pac The PAC from the computer's TGT; used
2202 * for compound authentication.
2204 * @param old_pac The old PAC
2206 * @param new_pac The new already allocated PAC
2208 * @return A Kerberos error code. If no PAC should be returned, the code will be
2211 krb5_error_code
samba_kdc_update_pac(TALLOC_CTX
*mem_ctx
,
2212 krb5_context context
,
2213 struct ldb_context
*samdb
,
2215 struct samba_kdc_entry
*client
,
2216 const krb5_principal server_principal
,
2217 const struct samba_kdc_entry
*server
,
2218 const krb5_principal delegated_proxy_principal
,
2219 struct samba_kdc_entry
*device
,
2220 const krb5_const_pac device_pac
,
2221 const krb5_const_pac old_pac
,
2224 krb5_error_code code
= EINVAL
;
2226 DATA_BLOB
*pac_blob
= NULL
;
2227 DATA_BLOB
*upn_blob
= NULL
;
2228 DATA_BLOB
*deleg_blob
= NULL
;
2229 DATA_BLOB
*requester_sid_blob
= NULL
;
2230 DATA_BLOB
*client_claims_blob
= NULL
;
2231 bool client_pac_is_trusted
= flags
& SAMBA_KDC_FLAG_KRBTGT_IS_TRUSTED
;
2232 bool device_pac_is_trusted
= flags
& SAMBA_KDC_FLAG_DEVICE_KRBTGT_IS_TRUSTED
;
2233 DATA_BLOB
*device_claims_blob
= NULL
;
2234 DATA_BLOB
*device_info_blob
= NULL
;
2236 struct auth_user_info_dc
*user_info_dc
= NULL
;
2237 enum auth_group_inclusion group_inclusion
;
2240 struct pac_blobs pac_blobs
;
2241 pac_blobs_init(&pac_blobs
);
2243 is_tgs
= smb_krb5_principal_is_tgs(context
, server_principal
);
2249 /* Only include resource groups in a service ticket. */
2251 group_inclusion
= AUTH_EXCLUDE_RESOURCE_GROUPS
;
2252 } else if (server
->supported_enctypes
& KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED
) {
2253 group_inclusion
= AUTH_INCLUDE_RESOURCE_GROUPS
;
2255 group_inclusion
= AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED
;
2258 if (device
!= NULL
&& !is_tgs
) {
2259 SMB_ASSERT(device_pac
!= NULL
);
2261 if (device_pac_is_trusted
) {
2262 krb5_data device_claims_data
;
2263 code
= krb5_pac_get_buffer(context
, device_pac
,
2264 PAC_TYPE_CLIENT_CLAIMS_INFO
,
2265 &device_claims_data
);
2266 if (code
== ENOENT
) {
2268 } else if (code
!= 0) {
2271 device_claims_blob
= talloc_zero(mem_ctx
, DATA_BLOB
);
2272 if (device_claims_blob
== NULL
) {
2273 smb_krb5_free_data_contents(context
, &device_claims_data
);
2278 *device_claims_blob
= data_blob_talloc(mem_ctx
,
2279 device_claims_data
.data
,
2280 device_claims_data
.length
);
2281 if (device_claims_blob
->data
== NULL
&& device_claims_data
.length
!= 0) {
2282 smb_krb5_free_data_contents(context
, &device_claims_data
);
2287 smb_krb5_free_data_contents(context
, &device_claims_data
);
2290 code
= samba_kdc_create_device_info_blob(mem_ctx
,
2299 /* Don't trust RODC-issued claims. Regenerate them. */
2300 nt_status
= samba_kdc_get_claims_blob(mem_ctx
,
2302 &device_claims_blob
);
2303 if (!NT_STATUS_IS_OK(nt_status
)) {
2304 DBG_ERR("samba_kdc_get_claims_blob failed: %s\n",
2305 nt_errstr(nt_status
));
2310 /* Also regenerate device info. */
2311 code
= samba_kdc_get_device_info_blob(mem_ctx
,
2320 if (delegated_proxy_principal
!= NULL
) {
2321 deleg_blob
= talloc_zero(mem_ctx
, DATA_BLOB
);
2322 if (deleg_blob
== NULL
) {
2327 nt_status
= samba_kdc_update_delegation_info_blob(
2332 delegated_proxy_principal
,
2334 if (!NT_STATUS_IS_OK(nt_status
)) {
2335 DBG_ERR("update delegation info blob failed: %s\n",
2336 nt_errstr(nt_status
));
2342 if (!client_pac_is_trusted
) {
2344 * In this case the RWDC discards the PAC an RODC generated.
2345 * Windows adds the asserted_identity in this case too.
2347 * Note that SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION
2348 * generates KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN.
2349 * So we can always use
2350 * SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY
2353 enum samba_asserted_identity asserted_identity
=
2354 SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY
;
2355 const enum samba_claims_valid claims_valid
= SAMBA_CLAIMS_VALID_EXCLUDE
;
2356 const enum samba_compounded_auth compounded_auth
=
2357 (device
!= NULL
&& !is_tgs
) ?
2358 SAMBA_COMPOUNDED_AUTH_INCLUDE
:
2359 SAMBA_COMPOUNDED_AUTH_EXCLUDE
;
2361 if (client
== NULL
) {
2362 code
= KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
;
2366 nt_status
= samba_kdc_get_user_info_dc(mem_ctx
,
2372 if (!NT_STATUS_IS_OK(nt_status
)) {
2373 DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n",
2374 nt_errstr(nt_status
));
2375 code
= KRB5KDC_ERR_TGT_REVOKED
;
2379 nt_status
= samba_kdc_get_logon_info_blob(mem_ctx
,
2383 if (!NT_STATUS_IS_OK(nt_status
)) {
2384 DBG_ERR("samba_kdc_get_logon_info_blob failed: %s\n",
2385 nt_errstr(nt_status
));
2386 code
= KRB5KDC_ERR_TGT_REVOKED
;
2390 nt_status
= samba_kdc_get_upn_info_blob(mem_ctx
,
2393 if (!NT_STATUS_IS_OK(nt_status
)) {
2394 DBG_ERR("samba_kdc_get_upn_info_blob failed: %s\n",
2395 nt_errstr(nt_status
));
2396 code
= KRB5KDC_ERR_TGT_REVOKED
;
2400 nt_status
= samba_kdc_get_requester_sid_blob(mem_ctx
,
2402 &requester_sid_blob
);
2403 if (!NT_STATUS_IS_OK(nt_status
)) {
2404 DBG_ERR("samba_kdc_get_requester_sid_blob failed: %s\n",
2405 nt_errstr(nt_status
));
2406 code
= KRB5KDC_ERR_TGT_REVOKED
;
2410 /* Don't trust RODC-issued claims. Regenerate them. */
2411 nt_status
= samba_kdc_get_claims_blob(mem_ctx
,
2413 &client_claims_blob
);
2414 if (!NT_STATUS_IS_OK(nt_status
)) {
2415 DBG_ERR("samba_kdc_get_claims_blob failed: %s\n",
2416 nt_errstr(nt_status
));
2421 const enum samba_compounded_auth compounded_auth
=
2422 (device
!= NULL
&& !is_tgs
) ?
2423 SAMBA_COMPOUNDED_AUTH_INCLUDE
:
2424 SAMBA_COMPOUNDED_AUTH_EXCLUDE
;
2425 pac_blob
= talloc_zero(mem_ctx
, DATA_BLOB
);
2426 if (pac_blob
== NULL
) {
2431 nt_status
= samba_kdc_update_pac_blob(mem_ctx
,
2440 if (!NT_STATUS_IS_OK(nt_status
)) {
2441 DBG_ERR("samba_kdc_update_pac_blob failed: %s\n",
2442 nt_errstr(nt_status
));
2448 /* Check the types of the given PAC */
2449 code
= pac_blobs_from_krb5_pac(&pac_blobs
,
2457 code
= pac_blobs_replace_existing(&pac_blobs
,
2458 PAC_TYPE_LOGON_INFO
,
2464 #ifdef SAMBA4_USES_HEIMDAL
2465 /* Not needed with MIT Kerberos */
2466 code
= pac_blobs_replace_existing(&pac_blobs
,
2467 PAC_TYPE_LOGON_NAME
,
2473 code
= pac_blobs_replace_existing(&pac_blobs
,
2474 PAC_TYPE_SRV_CHECKSUM
,
2480 code
= pac_blobs_replace_existing(&pac_blobs
,
2481 PAC_TYPE_KDC_CHECKSUM
,
2488 code
= pac_blobs_add_blob(&pac_blobs
,
2490 PAC_TYPE_CONSTRAINED_DELEGATION
,
2496 code
= pac_blobs_add_blob(&pac_blobs
,
2498 PAC_TYPE_UPN_DNS_INFO
,
2504 code
= pac_blobs_add_blob(&pac_blobs
,
2506 PAC_TYPE_CLIENT_CLAIMS_INFO
,
2507 client_claims_blob
);
2512 code
= pac_blobs_add_blob(&pac_blobs
,
2514 PAC_TYPE_DEVICE_INFO
,
2520 if (device_claims_blob
!= NULL
) {
2521 code
= pac_blobs_add_blob(&pac_blobs
,
2523 PAC_TYPE_DEVICE_CLAIMS_INFO
,
2524 device_claims_blob
);
2530 if (!client_pac_is_trusted
|| !is_tgs
) {
2531 code
= pac_blobs_remove_blob(&pac_blobs
,
2533 PAC_TYPE_ATTRIBUTES_INFO
);
2540 code
= pac_blobs_remove_blob(&pac_blobs
,
2542 PAC_TYPE_REQUESTER_SID
);
2547 code
= pac_blobs_add_blob(&pac_blobs
,
2549 PAC_TYPE_REQUESTER_SID
,
2550 requester_sid_blob
);
2557 * The server account may be set not to want the PAC.
2559 * While this is wasteful if the above calculations were done
2560 * and now thrown away, this is cleaner as we do any ticket
2561 * signature checking etc always.
2563 * UF_NO_AUTH_DATA_REQUIRED is the rare case and most of the
2564 * time (eg not accepting a ticket from the RODC) we do not
2565 * need to re-generate anything anyway.
2567 if (!samba_princ_needs_pac(server
)) {
2572 if (client_pac_is_trusted
&& !is_tgs
) {
2574 * The client may have requested no PAC when obtaining the
2577 bool requested_pac
= false;
2579 code
= samba_client_requested_pac(context
,
2583 if (code
!= 0 || !requested_pac
) {
2584 if (!requested_pac
) {
2591 for (i
= 0; i
< pac_blobs
.num_types
; ++i
) {
2592 krb5_data type_data
;
2593 const DATA_BLOB
*type_blob
= pac_blobs
.type_blobs
[i
].data
;
2594 uint32_t type
= pac_blobs
.type_blobs
[i
].type
;
2596 static char null_byte
= '\0';
2597 const krb5_data null_data
= smb_krb5_make_data(&null_byte
, 0);
2599 #ifndef SAMBA4_USES_HEIMDAL
2600 /* Not needed with MIT Kerberos */
2602 case PAC_TYPE_LOGON_NAME
:
2603 case PAC_TYPE_SRV_CHECKSUM
:
2604 case PAC_TYPE_KDC_CHECKSUM
:
2605 case PAC_TYPE_FULL_CHECKSUM
:
2612 if (type_blob
!= NULL
) {
2613 type_data
= smb_krb5_data_from_blob(*type_blob
);
2615 * Passing a NULL pointer into krb5_pac_add_buffer() is
2616 * not allowed, so pass null_data instead if needed.
2618 code
= krb5_pac_add_buffer(context
,
2621 (type_data
.data
!= NULL
) ? &type_data
: &null_data
);
2623 code
= krb5_pac_get_buffer(context
,
2631 * Passing a NULL pointer into krb5_pac_add_buffer() is
2632 * not allowed, so pass null_data instead if needed.
2634 code
= krb5_pac_add_buffer(context
,
2637 (type_data
.data
!= NULL
) ? &type_data
: &null_data
);
2638 smb_krb5_free_data_contents(context
, &type_data
);
2648 pac_blobs_destroy(&pac_blobs
);
2649 TALLOC_FREE(pac_blob
);
2650 TALLOC_FREE(upn_blob
);
2651 TALLOC_FREE(deleg_blob
);
2652 /* Release our handle to user_info_dc. */
2653 talloc_unlink(mem_ctx
, user_info_dc
);