search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:kdc: Make functions static
[Samba.git] / source4 / kdc / pac-glue.c
blob33479081c780241cde9a9ce6c0cc6b619d9b6d11
1 /*
2 Unix SMB/CIFS implementation.
3
4 PAC Glue between Samba and the KDC
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
7 Copyright (C) Simo Sorce <idra@samba.org> 2010
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "lib/replace/replace.h"
25 #include "lib/replace/system/kerberos.h"
26 #include "lib/replace/system/filesys.h"
27 #include "lib/util/debug.h"
28 #include "lib/util/samba_util.h"
29 #include "lib/util/talloc_stack.h"
30
31 #include "auth/auth_sam_reply.h"
32 #include "auth/kerberos/kerberos.h"
33 #include "auth/kerberos/pac_utils.h"
34 #include "libcli/security/security.h"
35 #include "libds/common/flags.h"
36 #include "librpc/gen_ndr/ndr_krb5pac.h"
37 #include "param/param.h"
38 #include "source4/auth/auth.h"
39 #include "source4/dsdb/common/util.h"
40 #include "source4/dsdb/samdb/samdb.h"
41 #include "source4/kdc/samba_kdc.h"
42 #include "source4/kdc/pac-glue.h"
43 #include "source4/kdc/ad_claims.h"
44 #include "source4/kdc/pac-blobs.h"
45
46 #include <ldb.h>
47
48 #undef DBGC_CLASS
49 #define DBGC_CLASS DBGC_KERBEROS
50
51 static
52 NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx,
53 const struct auth_user_info_dc *info,
54 const struct PAC_DOMAIN_GROUP_MEMBERSHIP *override_resource_groups,
55 const enum auth_group_inclusion group_inclusion,
56 DATA_BLOB *pac_data)
57 {
58 struct netr_SamInfo3 *info3 = NULL;
59 struct PAC_DOMAIN_GROUP_MEMBERSHIP *_resource_groups = NULL;
60 struct PAC_DOMAIN_GROUP_MEMBERSHIP **resource_groups = NULL;
61 union PAC_INFO pac_info;
62 enum ndr_err_code ndr_err;
63 NTSTATUS nt_status;
64
65 ZERO_STRUCT(pac_info);
66
67 *pac_data = data_blob_null;
68
69 if (override_resource_groups == NULL) {
70 resource_groups = &_resource_groups;
71 } else if (group_inclusion != AUTH_EXCLUDE_RESOURCE_GROUPS) {
72 /*
73 * It doesn't make sense to override resource groups if we claim
74 * to want resource groups from user_info_dc.
75 */
76 DBG_ERR("supplied resource groups with invalid group inclusion parameter: %u\n",
77 group_inclusion);
78 return NT_STATUS_INVALID_PARAMETER;
79 }
80
81 nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx, info,
82 group_inclusion,
83 &info3,
84 resource_groups);
85 if (!NT_STATUS_IS_OK(nt_status)) {
86 DEBUG(1, ("Getting Samba info failed: %s\n",
87 nt_errstr(nt_status)));
88 return nt_status;
89 }
90
91 pac_info.logon_info.info = talloc_zero(mem_ctx, struct PAC_LOGON_INFO);
92 if (!pac_info.logon_info.info) {
93 return NT_STATUS_NO_MEMORY;
94 }
95
96 pac_info.logon_info.info->info3 = *info3;
97 if (_resource_groups != NULL) {
98 pac_info.logon_info.info->resource_groups = *_resource_groups;
99 }
100
101 if (override_resource_groups != NULL) {
102 pac_info.logon_info.info->resource_groups = *override_resource_groups;
103 }
104
105 if (group_inclusion != AUTH_EXCLUDE_RESOURCE_GROUPS) {
106 /*
107 * Set the resource groups flag based on whether any groups are
108 * present. Otherwise, the flag is propagated from the
109 * originating PAC.
110 */
111 if (pac_info.logon_info.info->resource_groups.groups.count > 0) {
112 pac_info.logon_info.info->info3.base.user_flags |= NETLOGON_RESOURCE_GROUPS;
113 } else {
114 pac_info.logon_info.info->info3.base.user_flags &= ~NETLOGON_RESOURCE_GROUPS;
115 }
116 }
117
118 ndr_err = ndr_push_union_blob(pac_data, mem_ctx, &pac_info,
119 PAC_TYPE_LOGON_INFO,
120 (ndr_push_flags_fn_t)ndr_push_PAC_INFO);
121 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
122 nt_status = ndr_map_error2ntstatus(ndr_err);
123 DEBUG(1, ("PAC_LOGON_INFO (presig) push failed: %s\n",
124 nt_errstr(nt_status)));
125 return nt_status;
126 }
127
128 return NT_STATUS_OK;
129 }
130
131 static
132 NTSTATUS samba_get_requester_sid_pac_blob(TALLOC_CTX *mem_ctx,
133 const struct auth_user_info_dc *info,
134 DATA_BLOB *requester_sid_blob)
135 {
136 enum ndr_err_code ndr_err;
137 NTSTATUS nt_status;
138
139 if (requester_sid_blob != NULL) {
140 *requester_sid_blob = data_blob_null;
141 }
142
143 if (requester_sid_blob != NULL && info->num_sids > 0) {
144 union PAC_INFO pac_requester_sid;
145
146 ZERO_STRUCT(pac_requester_sid);
147
148 pac_requester_sid.requester_sid.sid = info->sids[PRIMARY_USER_SID_INDEX].sid;
149
150 ndr_err = ndr_push_union_blob(requester_sid_blob, mem_ctx,
151 &pac_requester_sid,
152 PAC_TYPE_REQUESTER_SID,
153 (ndr_push_flags_fn_t)ndr_push_PAC_INFO);
154 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
155 nt_status = ndr_map_error2ntstatus(ndr_err);
156 DEBUG(1, ("PAC_REQUESTER_SID (presig) push failed: %s\n",
157 nt_errstr(nt_status)));
158 return nt_status;
159 }
160 }
161
162 return NT_STATUS_OK;
163 }
164
165 static
166 NTSTATUS samba_get_upn_info_pac_blob(TALLOC_CTX *mem_ctx,
167 const struct auth_user_info_dc *info,
168 DATA_BLOB *upn_data)
169 {
170 union PAC_INFO pac_upn;
171 enum ndr_err_code ndr_err;
172 NTSTATUS nt_status;
173 bool ok;
174
175 ZERO_STRUCT(pac_upn);
176
177 *upn_data = data_blob_null;
178
179 pac_upn.upn_dns_info.upn_name = info->info->user_principal_name;
180 pac_upn.upn_dns_info.dns_domain_name = strupper_talloc(mem_ctx,
181 info->info->dns_domain_name);
182 if (pac_upn.upn_dns_info.dns_domain_name == NULL) {
183 return NT_STATUS_NO_MEMORY;
184 }
185 if (info->info->user_principal_constructed) {
186 pac_upn.upn_dns_info.flags |= PAC_UPN_DNS_FLAG_CONSTRUCTED;
187 }
188
189 pac_upn.upn_dns_info.flags |= PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID;
190
191 pac_upn.upn_dns_info.ex.sam_name_and_sid.samaccountname
192 = info->info->account_name;
193
194 pac_upn.upn_dns_info.ex.sam_name_and_sid.objectsid
195 = &info->sids[PRIMARY_USER_SID_INDEX].sid;
196
197 ndr_err = ndr_push_union_blob(upn_data, mem_ctx, &pac_upn,
198 PAC_TYPE_UPN_DNS_INFO,
199 (ndr_push_flags_fn_t)ndr_push_PAC_INFO);
200 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
201 nt_status = ndr_map_error2ntstatus(ndr_err);
202 DEBUG(1, ("PAC UPN_DNS_INFO (presig) push failed: %s\n",
203 nt_errstr(nt_status)));
204 return nt_status;
205 }
206
207 ok = data_blob_pad(mem_ctx, upn_data, 8);
208 if (!ok) {
209 return NT_STATUS_NO_MEMORY;
210 }
211
212 return NT_STATUS_OK;
213 }
214
215 static
216 NTSTATUS samba_get_pac_attrs_blob(TALLOC_CTX *mem_ctx,
217 uint64_t pac_attributes,
218 DATA_BLOB *pac_attrs_data)
219 {
220 union PAC_INFO pac_attrs;
221 enum ndr_err_code ndr_err;
222 NTSTATUS nt_status;
223
224 ZERO_STRUCT(pac_attrs);
225
226 *pac_attrs_data = data_blob_null;
227
228 /* Set the length of the flags in bits. */
229 pac_attrs.attributes_info.flags_length = 2;
230 pac_attrs.attributes_info.flags = pac_attributes;
231
232 ndr_err = ndr_push_union_blob(pac_attrs_data, mem_ctx, &pac_attrs,
233 PAC_TYPE_ATTRIBUTES_INFO,
234 (ndr_push_flags_fn_t)ndr_push_PAC_INFO);
235 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
236 nt_status = ndr_map_error2ntstatus(ndr_err);
237 DEBUG(1, ("PAC ATTRIBUTES_INFO (presig) push failed: %s\n",
238 nt_errstr(nt_status)));
239 return nt_status;
240 }
241
242 return NT_STATUS_OK;
243 }
244
245 static
246 NTSTATUS samba_get_claims_blob(TALLOC_CTX *mem_ctx,
247 struct ldb_context *samdb,
248 const struct ldb_message *principal,
249 DATA_BLOB *client_claims_data)
250 {
251 union PAC_INFO client_claims;
252 int ret;
253
254 ZERO_STRUCT(client_claims);
255
256 *client_claims_data = data_blob_null;
257
258 ret = get_claims_for_principal(samdb,
259 mem_ctx,
260 principal,
261 client_claims_data);
262 if (ret != LDB_SUCCESS) {
263 return dsdb_ldb_err_to_ntstatus(ret);
264 }
265
266 return NT_STATUS_OK;
267 }
268
269 static
270 NTSTATUS samba_get_cred_info_ndr_blob(TALLOC_CTX *mem_ctx,
271 const struct ldb_message *msg,
272 DATA_BLOB *cred_blob)
273 {
274 enum ndr_err_code ndr_err;
275 NTSTATUS nt_status;
276 struct samr_Password *lm_hash = NULL;
277 struct samr_Password *nt_hash = NULL;
278 struct PAC_CREDENTIAL_NTLM_SECPKG ntlm_secpkg = {
279 .version = 0,
280 };
281 DATA_BLOB ntlm_blob = data_blob_null;
282 struct PAC_CREDENTIAL_SUPPLEMENTAL_SECPKG secpkgs[1] = {{
283 .credential_size = 0,
284 }};
285 struct PAC_CREDENTIAL_DATA cred_data = {
286 .credential_count = 0,
287 };
288 struct PAC_CREDENTIAL_DATA_NDR cred_ndr;
289
290 ZERO_STRUCT(cred_ndr);
291
292 *cred_blob = data_blob_null;
293
294 lm_hash = samdb_result_hash(mem_ctx, msg, "dBCSPwd");
295 if (lm_hash != NULL) {
296 bool zero = all_zero(lm_hash->hash, 16);
297 if (zero) {
298 lm_hash = NULL;
299 }
300 }
301 if (lm_hash != NULL) {
302 DEBUG(5, ("Passing LM password hash through credentials set\n"));
303 ntlm_secpkg.flags |= PAC_CREDENTIAL_NTLM_HAS_LM_HASH;
304 ntlm_secpkg.lm_password = *lm_hash;
305 ZERO_STRUCTP(lm_hash);
306 TALLOC_FREE(lm_hash);
307 }
308
309 nt_hash = samdb_result_hash(mem_ctx, msg, "unicodePwd");
310 if (nt_hash != NULL) {
311 bool zero = all_zero(nt_hash->hash, 16);
312 if (zero) {
313 nt_hash = NULL;
314 }
315 }
316 if (nt_hash != NULL) {
317 DEBUG(5, ("Passing LM password hash through credentials set\n"));
318 ntlm_secpkg.flags |= PAC_CREDENTIAL_NTLM_HAS_NT_HASH;
319 ntlm_secpkg.nt_password = *nt_hash;
320 ZERO_STRUCTP(nt_hash);
321 TALLOC_FREE(nt_hash);
322 }
323
324 if (ntlm_secpkg.flags == 0) {
325 return NT_STATUS_OK;
326 }
327
328 #ifdef DEBUG_PASSWORD
329 if (DEBUGLVL(11)) {
330 NDR_PRINT_DEBUG(PAC_CREDENTIAL_NTLM_SECPKG, &ntlm_secpkg);
331 }
332 #endif
333
334 ndr_err = ndr_push_struct_blob(&ntlm_blob, mem_ctx, &ntlm_secpkg,
335 (ndr_push_flags_fn_t)ndr_push_PAC_CREDENTIAL_NTLM_SECPKG);
336 ZERO_STRUCT(ntlm_secpkg);
337 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
338 nt_status = ndr_map_error2ntstatus(ndr_err);
339 DEBUG(1, ("PAC_CREDENTIAL_NTLM_SECPKG (presig) push failed: %s\n",
340 nt_errstr(nt_status)));
341 return nt_status;
342 }
343
344 DEBUG(10, ("NTLM credential BLOB (len %zu) for user\n",
345 ntlm_blob.length));
346 dump_data_pw("PAC_CREDENTIAL_NTLM_SECPKG",
347 ntlm_blob.data, ntlm_blob.length);
348
349 secpkgs[0].package_name.string = discard_const_p(char, "NTLM");
350 secpkgs[0].credential_size = ntlm_blob.length;
351 secpkgs[0].credential = ntlm_blob.data;
352
353 cred_data.credential_count = ARRAY_SIZE(secpkgs);
354 cred_data.credentials = secpkgs;
355
356 #ifdef DEBUG_PASSWORD
357 if (DEBUGLVL(11)) {
358 NDR_PRINT_DEBUG(PAC_CREDENTIAL_DATA, &cred_data);
359 }
360 #endif
361
362 cred_ndr.ctr.data = &cred_data;
363
364 #ifdef DEBUG_PASSWORD
365 if (DEBUGLVL(11)) {
366 NDR_PRINT_DEBUG(PAC_CREDENTIAL_DATA_NDR, &cred_ndr);
367 }
368 #endif
369
370 ndr_err = ndr_push_struct_blob(cred_blob, mem_ctx, &cred_ndr,
371 (ndr_push_flags_fn_t)ndr_push_PAC_CREDENTIAL_DATA_NDR);
372 data_blob_clear(&ntlm_blob);
373 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
374 nt_status = ndr_map_error2ntstatus(ndr_err);
375 DEBUG(1, ("PAC_CREDENTIAL_DATA_NDR (presig) push failed: %s\n",
376 nt_errstr(nt_status)));
377 return nt_status;
378 }
379
380 DEBUG(10, ("Created credential BLOB (len %zu) for user\n",
381 cred_blob->length));
382 dump_data_pw("PAC_CREDENTIAL_DATA_NDR",
383 cred_blob->data, cred_blob->length);
384
385 return NT_STATUS_OK;
386 }
387
388 #ifdef SAMBA4_USES_HEIMDAL
389 krb5_error_code samba_kdc_encrypt_pac_credentials(krb5_context context,
390 const krb5_keyblock *pkreplykey,
391 const DATA_BLOB *cred_ndr_blob,
392 TALLOC_CTX *mem_ctx,
393 DATA_BLOB *cred_info_blob)
394 {
395 krb5_crypto cred_crypto;
396 krb5_enctype cred_enctype;
397 krb5_data cred_ndr_crypt;
398 struct PAC_CREDENTIAL_INFO pac_cred_info = { .version = 0, };
399 krb5_error_code ret;
400 const char *krb5err;
401 enum ndr_err_code ndr_err;
402 NTSTATUS nt_status;
403
404 *cred_info_blob = data_blob_null;
405
406 ret = krb5_crypto_init(context, pkreplykey, ETYPE_NULL,
407 &cred_crypto);
408 if (ret != 0) {
409 krb5err = krb5_get_error_message(context, ret);
410 DEBUG(1, ("Failed initializing cred data crypto: %s\n", krb5err));
411 krb5_free_error_message(context, krb5err);
412 return ret;
413 }
414
415 ret = krb5_crypto_getenctype(context, cred_crypto, &cred_enctype);
416 if (ret != 0) {
417 DEBUG(1, ("Failed getting crypto type for key\n"));
418 krb5_crypto_destroy(context, cred_crypto);
419 return ret;
420 }
421
422 DEBUG(10, ("Plain cred_ndr_blob (len %zu)\n",
423 cred_ndr_blob->length));
424 dump_data_pw("PAC_CREDENTIAL_DATA_NDR",
425 cred_ndr_blob->data, cred_ndr_blob->length);
426
427 ret = krb5_encrypt(context, cred_crypto,
428 KRB5_KU_OTHER_ENCRYPTED,
429 cred_ndr_blob->data, cred_ndr_blob->length,
430 &cred_ndr_crypt);
431 krb5_crypto_destroy(context, cred_crypto);
432 if (ret != 0) {
433 krb5err = krb5_get_error_message(context, ret);
434 DEBUG(1, ("Failed crypt of cred data: %s\n", krb5err));
435 krb5_free_error_message(context, krb5err);
436 return ret;
437 }
438
439 pac_cred_info.encryption_type = cred_enctype;
440 pac_cred_info.encrypted_data.length = cred_ndr_crypt.length;
441 pac_cred_info.encrypted_data.data = (uint8_t *)cred_ndr_crypt.data;
442
443 if (DEBUGLVL(10)) {
444 NDR_PRINT_DEBUG(PAC_CREDENTIAL_INFO, &pac_cred_info);
445 }
446
447 ndr_err = ndr_push_struct_blob(cred_info_blob, mem_ctx, &pac_cred_info,
448 (ndr_push_flags_fn_t)ndr_push_PAC_CREDENTIAL_INFO);
449 krb5_data_free(&cred_ndr_crypt);
450 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
451 nt_status = ndr_map_error2ntstatus(ndr_err);
452 DEBUG(1, ("PAC_CREDENTIAL_INFO (presig) push failed: %s\n",
453 nt_errstr(nt_status)));
454 return KRB5KDC_ERR_SVC_UNAVAILABLE;
455 }
456
457 DEBUG(10, ("Encrypted credential BLOB (len %zu) with alg %d\n",
458 cred_info_blob->length, (int)pac_cred_info.encryption_type));
459 dump_data_pw("PAC_CREDENTIAL_INFO",
460 cred_info_blob->data, cred_info_blob->length);
461
462 return 0;
463 }
464 #else /* SAMBA4_USES_HEIMDAL */
465 krb5_error_code samba_kdc_encrypt_pac_credentials(krb5_context context,
466 const krb5_keyblock *pkreplykey,
467 const DATA_BLOB *cred_ndr_blob,
468 TALLOC_CTX *mem_ctx,
469 DATA_BLOB *cred_info_blob)
470 {
471 krb5_key cred_key;
472 krb5_enctype cred_enctype;
473 struct PAC_CREDENTIAL_INFO pac_cred_info = { .version = 0, };
474 krb5_error_code code;
475 const char *krb5err;
476 enum ndr_err_code ndr_err;
477 NTSTATUS nt_status;
478 krb5_data cred_ndr_data;
479 krb5_enc_data cred_ndr_crypt;
480 size_t enc_len = 0;
481
482 *cred_info_blob = data_blob_null;
483
484 code = krb5_k_create_key(context,
485 pkreplykey,
486 &cred_key);
487 if (code != 0) {
488 krb5err = krb5_get_error_message(context, code);
489 DEBUG(1, ("Failed initializing cred data crypto: %s\n", krb5err));
490 krb5_free_error_message(context, krb5err);
491 return code;
492 }
493
494 cred_enctype = krb5_k_key_enctype(context, cred_key);
495
496 DEBUG(10, ("Plain cred_ndr_blob (len %zu)\n",
497 cred_ndr_blob->length));
498 dump_data_pw("PAC_CREDENTIAL_DATA_NDR",
499 cred_ndr_blob->data, cred_ndr_blob->length);
500
501 pac_cred_info.encryption_type = cred_enctype;
502
503 cred_ndr_data.magic = 0;
504 cred_ndr_data.data = (char *)cred_ndr_blob->data;
505 cred_ndr_data.length = cred_ndr_blob->length;
506
507 code = krb5_c_encrypt_length(context,
508 cred_enctype,
509 cred_ndr_data.length,
510 &enc_len);
511 if (code != 0) {
512 krb5err = krb5_get_error_message(context, code);
513 DEBUG(1, ("Failed initializing cred data crypto: %s\n", krb5err));
514 krb5_free_error_message(context, krb5err);
515 return code;
516 }
517
518 pac_cred_info.encrypted_data = data_blob_talloc_zero(mem_ctx, enc_len);
519 if (pac_cred_info.encrypted_data.data == NULL) {
520 DBG_ERR("Out of memory\n");
521 return ENOMEM;
522 }
523
524 cred_ndr_crypt.ciphertext.length = enc_len;
525 cred_ndr_crypt.ciphertext.data = (char *)pac_cred_info.encrypted_data.data;
526
527 code = krb5_k_encrypt(context,
528 cred_key,
529 KRB5_KU_OTHER_ENCRYPTED,
530 NULL,
531 &cred_ndr_data,
532 &cred_ndr_crypt);
533 krb5_k_free_key(context, cred_key);
534 if (code != 0) {
535 krb5err = krb5_get_error_message(context, code);
536 DEBUG(1, ("Failed crypt of cred data: %s\n", krb5err));
537 krb5_free_error_message(context, krb5err);
538 return code;
539 }
540
541 if (DEBUGLVL(10)) {
542 NDR_PRINT_DEBUG(PAC_CREDENTIAL_INFO, &pac_cred_info);
543 }
544
545 ndr_err = ndr_push_struct_blob(cred_info_blob, mem_ctx, &pac_cred_info,
546 (ndr_push_flags_fn_t)ndr_push_PAC_CREDENTIAL_INFO);
547 TALLOC_FREE(pac_cred_info.encrypted_data.data);
548 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
549 nt_status = ndr_map_error2ntstatus(ndr_err);
550 DEBUG(1, ("PAC_CREDENTIAL_INFO (presig) push failed: %s\n",
551 nt_errstr(nt_status)));
552 return KRB5KDC_ERR_SVC_UNAVAILABLE;
553 }
554
555 DEBUG(10, ("Encrypted credential BLOB (len %zu) with alg %d\n",
556 cred_info_blob->length, (int)pac_cred_info.encryption_type));
557 dump_data_pw("PAC_CREDENTIAL_INFO",
558 cred_info_blob->data, cred_info_blob->length);
559
560 return 0;
561 }
562 #endif /* SAMBA4_USES_HEIMDAL */
563
564
565 /**
566 * @brief Create a PAC with the given blobs (logon, credentials, upn and
567 * delegation).
568 *
569 * @param[in] context The KRB5 context to use.
570 *
571 * @param[in] logon_blob Fill the logon info PAC buffer with the given blob,
572 * use NULL to ignore it.
573 *
574 * @param[in] cred_blob Fill the credentials info PAC buffer with the given
575 * blob, use NULL to ignore it.
576 *
577 * @param[in] upn_blob Fill the UPN info PAC buffer with the given blob, use
578 * NULL to ignore it.
579 *
580 * @param[in] deleg_blob Fill the delegation info PAC buffer with the given
581 * blob, use NULL to ignore it.
582 *
583 * @param[in] client_claims_blob Fill the client claims info PAC buffer with the
584 * given blob, use NULL to ignore it.
585 *
586 * @param[in] device_info_blob Fill the device info PAC buffer with the given
587 * blob, use NULL to ignore it.
588 *
589 * @param[in] device_claims_blob Fill the device claims info PAC buffer with the given
590 * blob, use NULL to ignore it.
591 *
592 * @param[in] pac The pac buffer to fill. This should be allocated with
593 * krb5_pac_init() already.
594 *
595 * @returns 0 on success or a corresponding KRB5 error.
596 */
597 krb5_error_code samba_make_krb5_pac(krb5_context context,
598 const DATA_BLOB *logon_blob,
599 const DATA_BLOB *cred_blob,
600 const DATA_BLOB *upn_blob,
601 const DATA_BLOB *pac_attrs_blob,
602 const DATA_BLOB *requester_sid_blob,
603 const DATA_BLOB *deleg_blob,
604 const DATA_BLOB *client_claims_blob,
605 const DATA_BLOB *device_info_blob,
606 const DATA_BLOB *device_claims_blob,
607 krb5_pac pac)
608 {
609 krb5_data logon_data;
610 krb5_error_code ret;
611 char null_byte = '\0';
612 krb5_data null_data = smb_krb5_make_data(&null_byte, 0);
613
614 /* The user account may be set not to want the PAC */
615 if (logon_blob == NULL) {
616 return 0;
617 }
618
619 logon_data = smb_krb5_data_from_blob(*logon_blob);
620 ret = krb5_pac_add_buffer(context, pac, PAC_TYPE_LOGON_INFO, &logon_data);
621 if (ret != 0) {
622 return ret;
623 }
624
625 if (device_info_blob != NULL) {
626 krb5_data device_info_data = smb_krb5_data_from_blob(*device_info_blob);
627 ret = krb5_pac_add_buffer(context, pac,
628 PAC_TYPE_DEVICE_INFO,
629 &device_info_data);
630 if (ret != 0) {
631 return ret;
632 }
633 }
634
635 if (client_claims_blob != NULL) {
636 krb5_data client_claims_data;
637 krb5_data *data = NULL;
638
639 if (client_claims_blob->length != 0) {
640 client_claims_data = smb_krb5_data_from_blob(*client_claims_blob);
641 data = &client_claims_data;
642 } else {
643 data = &null_data;
644 }
645
646 ret = krb5_pac_add_buffer(context, pac,
647 PAC_TYPE_CLIENT_CLAIMS_INFO,
648 data);
649 if (ret != 0) {
650 return ret;
651 }
652 }
653
654 if (device_claims_blob != NULL) {
655 krb5_data device_claims_data = smb_krb5_data_from_blob(*device_claims_blob);
656 ret = krb5_pac_add_buffer(context, pac,
657 PAC_TYPE_DEVICE_CLAIMS_INFO,
658 &device_claims_data);
659 if (ret != 0) {
660 return ret;
661 }
662 }
663
664 if (cred_blob != NULL) {
665 krb5_data cred_data = smb_krb5_data_from_blob(*cred_blob);
666 ret = krb5_pac_add_buffer(context, pac,
667 PAC_TYPE_CREDENTIAL_INFO,
668 &cred_data);
669 if (ret != 0) {
670 return ret;
671 }
672 }
673
674 #ifdef SAMBA4_USES_HEIMDAL
675 /*
676 * null_data will be filled by the generic KDC code in the caller
677 * here we just add it in order to have it before
678 * PAC_TYPE_UPN_DNS_INFO
679 *
680 * Not needed with MIT Kerberos - asn
681 */
682 ret = krb5_pac_add_buffer(context, pac,
683 PAC_TYPE_LOGON_NAME,
684 &null_data);
685 if (ret != 0) {
686 return ret;
687 }
688 #endif
689
690 if (upn_blob != NULL) {
691 krb5_data upn_data = smb_krb5_data_from_blob(*upn_blob);
692 ret = krb5_pac_add_buffer(context, pac,
693 PAC_TYPE_UPN_DNS_INFO,
694 &upn_data);
695 if (ret != 0) {
696 return ret;
697 }
698 }
699
700 if (pac_attrs_blob != NULL) {
701 krb5_data pac_attrs_data = smb_krb5_data_from_blob(*pac_attrs_blob);
702 ret = krb5_pac_add_buffer(context, pac,
703 PAC_TYPE_ATTRIBUTES_INFO,
704 &pac_attrs_data);
705 if (ret != 0) {
706 return ret;
707 }
708 }
709
710 if (requester_sid_blob != NULL) {
711 krb5_data requester_sid_data = smb_krb5_data_from_blob(*requester_sid_blob);
712 ret = krb5_pac_add_buffer(context, pac,
713 PAC_TYPE_REQUESTER_SID,
714 &requester_sid_data);
715 if (ret != 0) {
716 return ret;
717 }
718 }
719
720 if (deleg_blob != NULL) {
721 krb5_data deleg_data = smb_krb5_data_from_blob(*deleg_blob);
722 ret = krb5_pac_add_buffer(context, pac,
723 PAC_TYPE_CONSTRAINED_DELEGATION,
724 &deleg_data);
725 if (ret != 0) {
726 return ret;
727 }
728 }
729
730 return ret;
731 }
732
733 bool samba_princ_needs_pac(const struct samba_kdc_entry *skdc_entry)
734 {
735
736 uint32_t userAccountControl;
737
738 /* The service account may be set not to want the PAC */
739 userAccountControl = ldb_msg_find_attr_as_uint(skdc_entry->msg, "userAccountControl", 0);
740 if (userAccountControl & UF_NO_AUTH_DATA_REQUIRED) {
741 return false;
742 }
743
744 return true;
745 }
746
747 int samba_client_requested_pac(krb5_context context,
748 const krb5_const_pac pac,
749 TALLOC_CTX *mem_ctx,
750 bool *requested_pac)
751 {
752 enum ndr_err_code ndr_err;
753 krb5_data k5pac_attrs_in;
754 DATA_BLOB pac_attrs_in;
755 union PAC_INFO pac_attrs;
756 int ret;
757
758 *requested_pac = true;
759
760 ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_ATTRIBUTES_INFO,
761 &k5pac_attrs_in);
762 if (ret != 0) {
763 return ret == ENOENT ? 0 : ret;
764 }
765
766 pac_attrs_in = data_blob_const(k5pac_attrs_in.data,
767 k5pac_attrs_in.length);
768
769 ndr_err = ndr_pull_union_blob(&pac_attrs_in, mem_ctx, &pac_attrs,
770 PAC_TYPE_ATTRIBUTES_INFO,
771 (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
772 smb_krb5_free_data_contents(context, &k5pac_attrs_in);
773 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
774 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
775 DEBUG(0,("can't parse the PAC ATTRIBUTES_INFO: %s\n", nt_errstr(nt_status)));
776 return EINVAL;
777 }
778
779 if (pac_attrs.attributes_info.flags & (PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY
780 | PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED)) {
781 *requested_pac = true;
782 } else {
783 *requested_pac = false;
784 }
785
786 return 0;
787 }
788
789 /* Was the krbtgt in this DB (ie, should we check the incoming signature) and was it an RODC */
790 int samba_krbtgt_is_in_db(struct samba_kdc_entry *p,
791 bool *is_in_db,
792 bool *is_trusted)
793 {
794 NTSTATUS status;
795 int rodc_krbtgt_number, trust_direction;
796 uint32_t rid;
797
798 TALLOC_CTX *mem_ctx = talloc_new(NULL);
799 if (!mem_ctx) {
800 return ENOMEM;
801 }
802
803 trust_direction = ldb_msg_find_attr_as_int(p->msg, "trustDirection", 0);
804
805 if (trust_direction != 0) {
806 /* Domain trust - we cannot check the sig, but we trust it for a correct PAC
807
808 This is exactly where we should flag for SID
809 validation when we do inter-foreest trusts
810 */
811 talloc_free(mem_ctx);
812 *is_trusted = true;
813 *is_in_db = false;
814 return 0;
815 }
816
817 /* The lack of password controls etc applies to krbtgt by
818 * virtue of being that particular RID */
819 status = dom_sid_split_rid(NULL, samdb_result_dom_sid(mem_ctx, p->msg, "objectSid"), NULL, &rid);
820
821 if (!NT_STATUS_IS_OK(status)) {
822 talloc_free(mem_ctx);
823 return EINVAL;
824 }
825
826 rodc_krbtgt_number = ldb_msg_find_attr_as_int(p->msg, "msDS-SecondaryKrbTgtNumber", -1);
827
828 if (p->kdc_db_ctx->my_krbtgt_number == 0) {
829 if (rid == DOMAIN_RID_KRBTGT) {
830 *is_trusted = true;
831 *is_in_db = true;
832 talloc_free(mem_ctx);
833 return 0;
834 } else if (rodc_krbtgt_number != -1) {
835 *is_in_db = true;
836 *is_trusted = false;
837 talloc_free(mem_ctx);
838 return 0;
839 }
840 } else if ((rid != DOMAIN_RID_KRBTGT) && (rodc_krbtgt_number == p->kdc_db_ctx->my_krbtgt_number)) {
841 talloc_free(mem_ctx);
842 *is_trusted = true;
843 *is_in_db = true;
844 return 0;
845 } else if (rid == DOMAIN_RID_KRBTGT) {
846 /* krbtgt viewed from an RODC */
847 talloc_free(mem_ctx);
848 *is_trusted = true;
849 *is_in_db = false;
850 return 0;
851 }
852
853 /* Another RODC */
854 talloc_free(mem_ctx);
855 *is_trusted = false;
856 *is_in_db = false;
857 return 0;
858 }
859
860 /*
861 * Because the KDC does not limit protocol transition, two new well-known SIDs
862 * were introduced to give this control to the resource administrator. These
863 * SIDs identify whether protocol transition has occurred, and can be used with
864 * standard access control lists to grant or limit access as needed.
865 *
866 * https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
867 */
868 static NTSTATUS samba_add_asserted_identity(enum samba_asserted_identity ai,
869 struct auth_user_info_dc *user_info_dc)
870 {
871 struct dom_sid ai_sid;
872 const char *sid_str = NULL;
873
874 switch (ai) {
875 case SAMBA_ASSERTED_IDENTITY_SERVICE:
876 sid_str = SID_SERVICE_ASSERTED_IDENTITY;
877 break;
878 case SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY:
879 sid_str = SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY;
880 break;
881 case SAMBA_ASSERTED_IDENTITY_IGNORE:
882 return NT_STATUS_OK;
883 }
884
885 dom_sid_parse(sid_str, &ai_sid);
886
887 return add_sid_to_array_attrs_unique(
888 user_info_dc,
889 &ai_sid,
890 SE_GROUP_DEFAULT_FLAGS,
891 &user_info_dc->sids,
892 &user_info_dc->num_sids);
893 }
894
895 static NTSTATUS samba_add_claims_valid(enum samba_claims_valid claims_valid,
896 struct auth_user_info_dc *user_info_dc)
897 {
898 switch (claims_valid) {
899 case SAMBA_CLAIMS_VALID_EXCLUDE:
900 return NT_STATUS_OK;
901 case SAMBA_CLAIMS_VALID_INCLUDE:
902 {
903 struct dom_sid claims_valid_sid;
904
905 if (!dom_sid_parse(SID_CLAIMS_VALID, &claims_valid_sid)) {
906 return NT_STATUS_UNSUCCESSFUL;
907 }
908
909 return add_sid_to_array_attrs_unique(
910 user_info_dc,
911 &claims_valid_sid,
912 SE_GROUP_DEFAULT_FLAGS,
913 &user_info_dc->sids,
914 &user_info_dc->num_sids);
915 }
916 }
917
918 return NT_STATUS_INVALID_PARAMETER;
919 }
920
921 static NTSTATUS samba_add_compounded_auth(enum samba_compounded_auth compounded_auth,
922 struct auth_user_info_dc *user_info_dc)
923 {
924 switch (compounded_auth) {
925 case SAMBA_COMPOUNDED_AUTH_EXCLUDE:
926 return NT_STATUS_OK;
927 case SAMBA_COMPOUNDED_AUTH_INCLUDE:
928 {
929 struct dom_sid compounded_auth_sid;
930
931 if (!dom_sid_parse(SID_COMPOUNDED_AUTHENTICATION, &compounded_auth_sid)) {
932 return NT_STATUS_UNSUCCESSFUL;
933 }
934
935 return add_sid_to_array_attrs_unique(
936 user_info_dc,
937 &compounded_auth_sid,
938 SE_GROUP_DEFAULT_FLAGS,
939 &user_info_dc->sids,
940 &user_info_dc->num_sids);
941 }
942 }
943
944 return NT_STATUS_INVALID_PARAMETER;
945 }
946
947 /*
948 * Look up the user's info in the database and create a auth_user_info_dc
949 * structure. If the resulting structure is not talloc_free()d, it will be
950 * reused on future calls to this function.
951 */
952 NTSTATUS samba_kdc_get_user_info_from_db(struct samba_kdc_entry *skdc_entry,
953 const struct ldb_message *msg,
954 const struct auth_user_info_dc **user_info_dc)
955 {
956 if (skdc_entry->user_info_dc == NULL) {
957 NTSTATUS nt_status;
958 struct loadparm_context *lp_ctx = skdc_entry->kdc_db_ctx->lp_ctx;
959
960 nt_status = authsam_make_user_info_dc(skdc_entry,
961 skdc_entry->kdc_db_ctx->samdb,
962 lpcfg_netbios_name(lp_ctx),
963 lpcfg_sam_name(lp_ctx),
964 lpcfg_sam_dnsname(lp_ctx),
965 skdc_entry->realm_dn,
966 msg,
967 data_blob_null,
968 data_blob_null,
969 &skdc_entry->user_info_dc);
970 if (!NT_STATUS_IS_OK(nt_status)) {
971 return nt_status;
972 }
973 }
974
975 *user_info_dc = skdc_entry->user_info_dc;
976 return NT_STATUS_OK;
977 }
978
979 NTSTATUS samba_kdc_get_logon_info_blob(TALLOC_CTX *mem_ctx,
980 const struct auth_user_info_dc *user_info_dc,
981 const enum auth_group_inclusion group_inclusion,
982 DATA_BLOB **_logon_info_blob)
983 {
984 DATA_BLOB *logon_blob = NULL;
985 NTSTATUS nt_status;
986
987 *_logon_info_blob = NULL;
988
989 logon_blob = talloc_zero(mem_ctx, DATA_BLOB);
990 if (logon_blob == NULL) {
991 return NT_STATUS_NO_MEMORY;
992 }
993
994 nt_status = samba_get_logon_info_pac_blob(logon_blob,
995 user_info_dc,
996 NULL,
997 group_inclusion,
998 logon_blob);
999 if (!NT_STATUS_IS_OK(nt_status)) {
1000 DBG_ERR("Building PAC LOGON INFO failed: %s\n",
1001 nt_errstr(nt_status));
1002 return nt_status;
1003 }
1004
1005 *_logon_info_blob = logon_blob;
1006
1007 return NT_STATUS_OK;
1008 }
1009
1010 NTSTATUS samba_kdc_get_cred_ndr_blob(TALLOC_CTX *mem_ctx,
1011 const struct samba_kdc_entry *p,
1012 DATA_BLOB **_cred_ndr_blob)
1013 {
1014 DATA_BLOB *cred_blob = NULL;
1015 NTSTATUS nt_status;
1016
1017 SMB_ASSERT(_cred_ndr_blob != NULL);
1018
1019 *_cred_ndr_blob = NULL;
1020
1021 cred_blob = talloc_zero(mem_ctx, DATA_BLOB);
1022 if (cred_blob == NULL) {
1023 return NT_STATUS_NO_MEMORY;
1024 }
1025
1026 nt_status = samba_get_cred_info_ndr_blob(cred_blob,
1027 p->msg,
1028 cred_blob);
1029 if (!NT_STATUS_IS_OK(nt_status)) {
1030 DBG_ERR("Building PAC CRED INFO failed: %s\n",
1031 nt_errstr(nt_status));
1032 return nt_status;
1033 }
1034
1035 *_cred_ndr_blob = cred_blob;
1036
1037 return NT_STATUS_OK;
1038 }
1039
1040 NTSTATUS samba_kdc_get_upn_info_blob(TALLOC_CTX *mem_ctx,
1041 const struct auth_user_info_dc *user_info_dc,
1042 DATA_BLOB **_upn_info_blob)
1043 {
1044 DATA_BLOB *upn_blob = NULL;
1045 NTSTATUS nt_status;
1046
1047 *_upn_info_blob = NULL;
1048
1049 upn_blob = talloc_zero(mem_ctx, DATA_BLOB);
1050 if (upn_blob == NULL) {
1051 return NT_STATUS_NO_MEMORY;
1052 }
1053
1054 nt_status = samba_get_upn_info_pac_blob(upn_blob,
1055 user_info_dc,
1056 upn_blob);
1057 if (!NT_STATUS_IS_OK(nt_status)) {
1058 DEBUG(0, ("Building PAC UPN INFO failed: %s\n",
1059 nt_errstr(nt_status)));
1060 return nt_status;
1061 }
1062
1063 *_upn_info_blob = upn_blob;
1064
1065 return NT_STATUS_OK;
1066 }
1067
1068 NTSTATUS samba_kdc_get_pac_attrs_blob(TALLOC_CTX *mem_ctx,
1069 uint64_t pac_attributes,
1070 DATA_BLOB **_pac_attrs_blob)
1071 {
1072 DATA_BLOB *pac_attrs_blob = NULL;
1073 NTSTATUS nt_status;
1074
1075 SMB_ASSERT(_pac_attrs_blob != NULL);
1076
1077 *_pac_attrs_blob = NULL;
1078
1079 pac_attrs_blob = talloc_zero(mem_ctx, DATA_BLOB);
1080 if (pac_attrs_blob == NULL) {
1081 return NT_STATUS_NO_MEMORY;
1082 }
1083
1084 nt_status = samba_get_pac_attrs_blob(pac_attrs_blob,
1085 pac_attributes,
1086 pac_attrs_blob);
1087
1088 if (!NT_STATUS_IS_OK(nt_status)) {
1089 DBG_ERR("Building PAC ATTRIBUTES failed: %s\n",
1090 nt_errstr(nt_status));
1091 return nt_status;
1092 }
1093
1094 *_pac_attrs_blob = pac_attrs_blob;
1095
1096 return NT_STATUS_OK;
1097 }
1098
1099 NTSTATUS samba_kdc_get_requester_sid_blob(TALLOC_CTX *mem_ctx,
1100 const struct auth_user_info_dc *user_info_dc,
1101 DATA_BLOB **_requester_sid_blob)
1102 {
1103 DATA_BLOB *requester_sid_blob = NULL;
1104 NTSTATUS nt_status;
1105
1106 SMB_ASSERT(_requester_sid_blob != NULL);
1107
1108 *_requester_sid_blob = NULL;
1109
1110 requester_sid_blob = talloc_zero(mem_ctx, DATA_BLOB);
1111 if (requester_sid_blob == NULL) {
1112 return NT_STATUS_NO_MEMORY;
1113 }
1114
1115 nt_status = samba_get_requester_sid_pac_blob(mem_ctx,
1116 user_info_dc,
1117 requester_sid_blob);
1118 if (!NT_STATUS_IS_OK(nt_status)) {
1119 DBG_ERR("Building PAC LOGON INFO failed: %s\n",
1120 nt_errstr(nt_status));
1121 return nt_status;
1122 }
1123
1124 *_requester_sid_blob = requester_sid_blob;
1125
1126 return NT_STATUS_OK;
1127 }
1128
1129 NTSTATUS samba_kdc_get_claims_blob(TALLOC_CTX *mem_ctx,
1130 const struct samba_kdc_entry *p,
1131 DATA_BLOB **_claims_blob)
1132 {
1133 DATA_BLOB *claims_blob = NULL;
1134 NTSTATUS nt_status;
1135
1136 SMB_ASSERT(_claims_blob != NULL);
1137
1138 *_claims_blob = NULL;
1139
1140 claims_blob = talloc_zero(mem_ctx, DATA_BLOB);
1141 if (claims_blob == NULL) {
1142 return NT_STATUS_NO_MEMORY;
1143 }
1144
1145 nt_status = samba_get_claims_blob(mem_ctx,
1146 p->kdc_db_ctx->samdb,
1147 p->msg,
1148 claims_blob);
1149 if (!NT_STATUS_IS_OK(nt_status)) {
1150 DBG_ERR("Building claims failed: %s\n",
1151 nt_errstr(nt_status));
1152 return nt_status;
1153 }
1154
1155 *_claims_blob = claims_blob;
1156
1157 return NT_STATUS_OK;
1158 }
1159
1160 NTSTATUS samba_kdc_get_user_info_dc(TALLOC_CTX *mem_ctx,
1161 struct samba_kdc_entry *skdc_entry,
1162 enum samba_asserted_identity asserted_identity,
1163 enum samba_claims_valid claims_valid,
1164 enum samba_compounded_auth compounded_auth,
1165 struct auth_user_info_dc **user_info_dc_out)
1166 {
1167 NTSTATUS nt_status;
1168 const struct auth_user_info_dc *user_info_dc_from_db = NULL;
1169 struct auth_user_info_dc *user_info_dc = NULL;
1170
1171 nt_status = samba_kdc_get_user_info_from_db(skdc_entry, skdc_entry->msg, &user_info_dc_from_db);
1172 if (!NT_STATUS_IS_OK(nt_status)) {
1173 DBG_ERR("Getting user info for PAC failed: %s\n",
1174 nt_errstr(nt_status));
1175 return nt_status;
1176 }
1177
1178 /* Make a shallow copy of the user_info_dc structure. */
1179 nt_status = authsam_shallow_copy_user_info_dc(mem_ctx, user_info_dc_from_db, &user_info_dc);
1180 if (!NT_STATUS_IS_OK(nt_status)) {
1181 DBG_ERR("Failed to allocate user_info_dc SIDs: %s\n",
1182 nt_errstr(nt_status));
1183 return nt_status;
1184 }
1185
1186 /* Here we modify the SIDs to add the Asserted Identity SID. */
1187 nt_status = samba_add_asserted_identity(asserted_identity,
1188 user_info_dc);
1189 if (!NT_STATUS_IS_OK(nt_status)) {
1190 DBG_ERR("Failed to add asserted identity: %s\n",
1191 nt_errstr(nt_status));
1192 return nt_status;
1193 }
1194
1195 nt_status = samba_add_claims_valid(claims_valid,
1196 user_info_dc);
1197 if (!NT_STATUS_IS_OK(nt_status)) {
1198 DBG_ERR("Failed to add Claims Valid: %s\n",
1199 nt_errstr(nt_status));
1200 return nt_status;
1201 }
1202
1203 nt_status = samba_add_compounded_auth(compounded_auth,
1204 user_info_dc);
1205 if (!NT_STATUS_IS_OK(nt_status)) {
1206 DBG_ERR("Failed to add Compounded Authentication: %s\n",
1207 nt_errstr(nt_status));
1208 return nt_status;
1209 }
1210
1211 *user_info_dc_out = user_info_dc;
1212
1213 return NT_STATUS_OK;
1214 }
1215
1216 static NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx,
1217 krb5_context context,
1218 struct ldb_context *samdb,
1219 const enum auth_group_inclusion group_inclusion,
1220 const enum samba_compounded_auth compounded_auth,
1221 const krb5_const_pac pac, DATA_BLOB *pac_blob,
1222 struct PAC_SIGNATURE_DATA *pac_srv_sig,
1223 struct PAC_SIGNATURE_DATA *pac_kdc_sig)
1224 {
1225 struct auth_user_info_dc *user_info_dc;
1226 krb5_error_code ret;
1227 NTSTATUS nt_status;
1228 struct PAC_DOMAIN_GROUP_MEMBERSHIP *_resource_groups = NULL;
1229 struct PAC_DOMAIN_GROUP_MEMBERSHIP **resource_groups = NULL;
1230
1231 if (group_inclusion == AUTH_EXCLUDE_RESOURCE_GROUPS) {
1232 /*
1233 * Since we are creating a TGT, resource groups from our domain
1234 * are not to be put into the PAC. Instead, we take the resource
1235 * groups directly from the original PAC and copy them
1236 * unmodified into the new one.
1237 */
1238 resource_groups = &_resource_groups;
1239 }
1240
1241 ret = kerberos_pac_to_user_info_dc(mem_ctx,
1242 pac,
1243 context,
1244 &user_info_dc,
1245 AUTH_EXCLUDE_RESOURCE_GROUPS,
1246 pac_srv_sig,
1247 pac_kdc_sig,
1248 resource_groups);
1249 if (ret) {
1250 return NT_STATUS_UNSUCCESSFUL;
1251 }
1252
1253 /*
1254 * We need to expand group memberships within our local domain,
1255 * as the token might be generated by a trusted domain.
1256 */
1257 nt_status = authsam_update_user_info_dc(mem_ctx,
1258 samdb,
1259 user_info_dc);
1260 if (!NT_STATUS_IS_OK(nt_status)) {
1261 TALLOC_FREE(user_info_dc);
1262 return nt_status;
1263 }
1264
1265 nt_status = samba_add_compounded_auth(compounded_auth,
1266 user_info_dc);
1267 if (!NT_STATUS_IS_OK(nt_status)) {
1268 DBG_ERR("Failed to add Compounded Authentication: %s\n",
1269 nt_errstr(nt_status));
1270 return nt_status;
1271 }
1272
1273 nt_status = samba_get_logon_info_pac_blob(mem_ctx,
1274 user_info_dc,
1275 _resource_groups,
1276 group_inclusion,
1277 pac_blob);
1278
1279 /*
1280 * The infomation from this is now in the PAC, this memory is
1281 * not used any longer and not passed to the caller
1282 */
1283 TALLOC_FREE(user_info_dc);
1284
1285 return nt_status;
1286 }
1287
1288 static NTSTATUS samba_kdc_update_delegation_info_blob(TALLOC_CTX *mem_ctx,
1289 krb5_context context,
1290 const krb5_const_pac pac,
1291 const krb5_principal server_principal,
1292 const krb5_principal proxy_principal,
1293 DATA_BLOB *new_blob)
1294 {
1295 krb5_data old_data;
1296 DATA_BLOB old_blob;
1297 krb5_error_code ret;
1298 NTSTATUS nt_status;
1299 enum ndr_err_code ndr_err;
1300 union PAC_INFO info;
1301 struct PAC_CONSTRAINED_DELEGATION _d;
1302 struct PAC_CONSTRAINED_DELEGATION *d = NULL;
1303 char *server = NULL;
1304 char *proxy = NULL;
1305 uint32_t i;
1306 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1307
1308 if (tmp_ctx == NULL) {
1309 return NT_STATUS_NO_MEMORY;
1310 }
1311
1312 ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_CONSTRAINED_DELEGATION, &old_data);
1313 if (ret == ENOENT) {
1314 ZERO_STRUCT(old_data);
1315 } else if (ret) {
1316 talloc_free(tmp_ctx);
1317 return NT_STATUS_UNSUCCESSFUL;
1318 }
1319
1320 old_blob.length = old_data.length;
1321 old_blob.data = (uint8_t *)old_data.data;
1322
1323 ZERO_STRUCT(info);
1324 if (old_blob.length > 0) {
1325 ndr_err = ndr_pull_union_blob(&old_blob, mem_ctx,
1326 &info, PAC_TYPE_CONSTRAINED_DELEGATION,
1327 (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
1328 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1329 smb_krb5_free_data_contents(context, &old_data);
1330 nt_status = ndr_map_error2ntstatus(ndr_err);
1331 DEBUG(0,("can't parse the PAC LOGON_INFO: %s\n", nt_errstr(nt_status)));
1332 talloc_free(tmp_ctx);
1333 return nt_status;
1334 }
1335 } else {
1336 ZERO_STRUCT(_d);
1337 info.constrained_delegation.info = &_d;
1338 }
1339 smb_krb5_free_data_contents(context, &old_data);
1340
1341 ret = krb5_unparse_name_flags(context, server_principal,
1342 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &server);
1343 if (ret) {
1344 talloc_free(tmp_ctx);
1345 return NT_STATUS_INTERNAL_ERROR;
1346 }
1347
1348 ret = krb5_unparse_name(context, proxy_principal, &proxy);
1349 if (ret) {
1350 SAFE_FREE(server);
1351 talloc_free(tmp_ctx);
1352 return NT_STATUS_INTERNAL_ERROR;
1353 }
1354
1355 d = info.constrained_delegation.info;
1356 i = d->num_transited_services;
1357 d->proxy_target.string = server;
1358 d->transited_services = talloc_realloc(mem_ctx, d->transited_services,
1359 struct lsa_String, i + 1);
1360 d->transited_services[i].string = proxy;
1361 d->num_transited_services = i + 1;
1362
1363 ndr_err = ndr_push_union_blob(new_blob, mem_ctx,
1364 &info, PAC_TYPE_CONSTRAINED_DELEGATION,
1365 (ndr_push_flags_fn_t)ndr_push_PAC_INFO);
1366 SAFE_FREE(server);
1367 SAFE_FREE(proxy);
1368 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1369 smb_krb5_free_data_contents(context, &old_data);
1370 nt_status = ndr_map_error2ntstatus(ndr_err);
1371 DEBUG(0,("can't parse the PAC LOGON_INFO: %s\n", nt_errstr(nt_status)));
1372 talloc_free(tmp_ctx);
1373 return nt_status;
1374 }
1375
1376 talloc_free(tmp_ctx);
1377 return NT_STATUS_OK;
1378 }
1379
1380 /* function to map policy errors */
1381 krb5_error_code samba_kdc_map_policy_err(NTSTATUS nt_status)
1382 {
1383 krb5_error_code ret;
1384
1385 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_MUST_CHANGE))
1386 ret = KRB5KDC_ERR_KEY_EXP;
1387 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_EXPIRED))
1388 ret = KRB5KDC_ERR_KEY_EXP;
1389 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_EXPIRED))
1390 ret = KRB5KDC_ERR_CLIENT_REVOKED;
1391 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED))
1392 ret = KRB5KDC_ERR_CLIENT_REVOKED;
1393 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_LOGON_HOURS))
1394 ret = KRB5KDC_ERR_CLIENT_REVOKED;
1395 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_LOCKED_OUT))
1396 ret = KRB5KDC_ERR_CLIENT_REVOKED;
1397 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_WORKSTATION))
1398 ret = KRB5KDC_ERR_POLICY;
1399 else
1400 ret = KRB5KDC_ERR_POLICY;
1401
1402 return ret;
1403 }
1404
1405 /* Given a kdc entry, consult the account_ok routine in auth/auth_sam.c
1406 * for consistency */
1407 NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry,
1408 const char *client_name,
1409 const char *workstation,
1410 bool password_change)
1411 {
1412 TALLOC_CTX *tmp_ctx;
1413 NTSTATUS nt_status;
1414
1415 tmp_ctx = talloc_named(NULL, 0, "samba_kdc_check_client_access");
1416 if (!tmp_ctx) {
1417 return NT_STATUS_NO_MEMORY;
1418 }
1419
1420 /* we allow all kinds of trusts here */
1421 nt_status = authsam_account_ok(tmp_ctx,
1422 kdc_entry->kdc_db_ctx->samdb,
1423 MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
1424 MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
1425 kdc_entry->realm_dn, kdc_entry->msg,
1426 workstation, client_name,
1427 true, password_change);
1428
1429 kdc_entry->reject_status = nt_status;
1430 talloc_free(tmp_ctx);
1431 return nt_status;
1432 }
1433
1434 static krb5_error_code samba_get_requester_sid(TALLOC_CTX *mem_ctx,
1435 krb5_const_pac pac,
1436 krb5_context context,
1437 struct dom_sid *sid)
1438 {
1439 NTSTATUS nt_status;
1440 enum ndr_err_code ndr_err;
1441 krb5_error_code ret;
1442
1443 DATA_BLOB pac_requester_sid_in;
1444 krb5_data k5pac_requester_sid_in;
1445
1446 union PAC_INFO info;
1447
1448 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1449 if (tmp_ctx == NULL) {
1450 return ENOMEM;
1451 }
1452
1453 ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_REQUESTER_SID,
1454 &k5pac_requester_sid_in);
1455 if (ret != 0) {
1456 talloc_free(tmp_ctx);
1457 return ret;
1458 }
1459
1460 pac_requester_sid_in = data_blob_const(k5pac_requester_sid_in.data,
1461 k5pac_requester_sid_in.length);
1462
1463 ndr_err = ndr_pull_union_blob(&pac_requester_sid_in, tmp_ctx, &info,
1464 PAC_TYPE_REQUESTER_SID,
1465 (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
1466 smb_krb5_free_data_contents(context, &k5pac_requester_sid_in);
1467 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1468 nt_status = ndr_map_error2ntstatus(ndr_err);
1469 DEBUG(0,("can't parse the PAC REQUESTER_SID: %s\n", nt_errstr(nt_status)));
1470 talloc_free(tmp_ctx);
1471 return EINVAL;
1472 }
1473
1474 *sid = info.requester_sid.sid;
1475
1476 talloc_free(tmp_ctx);
1477 return 0;
1478 }
1479
1480 /* Does a parse and SID check, but no crypto. */
1481 krb5_error_code samba_kdc_validate_pac_blob(
1482 krb5_context context,
1483 const struct samba_kdc_entry *client_skdc_entry,
1484 const krb5_const_pac pac)
1485 {
1486 TALLOC_CTX *frame = talloc_stackframe();
1487 struct auth_user_info_dc *pac_user_info = NULL;
1488 struct dom_sid *client_sid = NULL;
1489 struct dom_sid pac_sid;
1490 krb5_error_code code;
1491 bool ok;
1492
1493 /*
1494 * First, try to get the SID from the requester SID buffer in the PAC.
1495 */
1496 code = samba_get_requester_sid(frame, pac, context, &pac_sid);
1497
1498 if (code == ENOENT) {
1499 /*
1500 * If the requester SID buffer isn't present, fall back to the
1501 * SID in the LOGON_INFO PAC buffer.
1502 */
1503 code = kerberos_pac_to_user_info_dc(frame,
1504 pac,
1505 context,
1506 &pac_user_info,
1507 AUTH_EXCLUDE_RESOURCE_GROUPS,
1508 NULL,
1509 NULL,
1510 NULL);
1511 if (code != 0) {
1512 goto out;
1513 }
1514
1515 if (pac_user_info->num_sids == 0) {
1516 code = EINVAL;
1517 goto out;
1518 }
1519
1520 pac_sid = pac_user_info->sids[PRIMARY_USER_SID_INDEX].sid;
1521 } else if (code != 0) {
1522 goto out;
1523 }
1524
1525 client_sid = samdb_result_dom_sid(frame,
1526 client_skdc_entry->msg,
1527 "objectSid");
1528
1529 ok = dom_sid_equal(&pac_sid, client_sid);
1530 if (!ok) {
1531 struct dom_sid_buf buf1;
1532 struct dom_sid_buf buf2;
1533
1534 DBG_ERR("SID mismatch between PAC and looked up client: "
1535 "PAC[%s] != CLI[%s]\n",
1536 dom_sid_str_buf(&pac_sid, &buf1),
1537 dom_sid_str_buf(client_sid, &buf2));
1538 code = KRB5KDC_ERR_TGT_REVOKED;
1539 goto out;
1540 }
1541
1542 code = 0;
1543 out:
1544 TALLOC_FREE(frame);
1545 return code;
1546 }
1547
1548
1549 /*
1550 * In the RODC case, to confirm that the returned user is permitted to
1551 * be replicated to the KDC (krbgtgt_xxx user) represented by *rodc
1552 */
1553 WERROR samba_rodc_confirm_user_is_allowed(uint32_t num_object_sids,
1554 const struct dom_sid *object_sids,
1555 const struct samba_kdc_entry *rodc,
1556 const struct samba_kdc_entry *object)
1557 {
1558 int ret;
1559 WERROR werr;
1560 TALLOC_CTX *frame = talloc_stackframe();
1561 const char *rodc_attrs[] = { "msDS-KrbTgtLink",
1562 "msDS-NeverRevealGroup",
1563 "msDS-RevealOnDemandGroup",
1564 "userAccountControl",
1565 "objectSid",
1566 NULL };
1567 struct ldb_result *rodc_machine_account = NULL;
1568 struct ldb_dn *rodc_machine_account_dn = samdb_result_dn(rodc->kdc_db_ctx->samdb,
1569 frame,
1570 rodc->msg,
1571 "msDS-KrbTgtLinkBL",
1572 NULL);
1573 const struct dom_sid *rodc_machine_account_sid = NULL;
1574
1575 if (rodc_machine_account_dn == NULL) {
1576 DBG_ERR("krbtgt account %s has no msDS-KrbTgtLinkBL to find RODC machine account for allow/deny list\n",
1577 ldb_dn_get_linearized(rodc->msg->dn));
1578 TALLOC_FREE(frame);
1579 return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
1580 }
1581
1582 /*
1583 * Follow the link and get the RODC account (the krbtgt
1584 * account is the krbtgt_XXX account, but the
1585 * msDS-NeverRevealGroup and msDS-RevealOnDemandGroup is on
1586 * the RODC$ account)
1587 *
1588 * We need DSDB_SEARCH_SHOW_EXTENDED_DN as we get a SID lists
1589 * out of the extended DNs
1590 */
1591
1592 ret = dsdb_search_dn(rodc->kdc_db_ctx->samdb,
1593 frame,
1594 &rodc_machine_account,
1595 rodc_machine_account_dn,
1596 rodc_attrs,
1597 DSDB_SEARCH_SHOW_EXTENDED_DN);
1598 if (ret != LDB_SUCCESS) {
1599 DBG_ERR("Failed to fetch RODC machine account %s pointed to by %s to check allow/deny list: %s\n",
1600 ldb_dn_get_linearized(rodc_machine_account_dn),
1601 ldb_dn_get_linearized(rodc->msg->dn),
1602 ldb_errstring(rodc->kdc_db_ctx->samdb));
1603 TALLOC_FREE(frame);
1604 return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
1605 }
1606
1607 if (rodc_machine_account->count != 1) {
1608 DBG_ERR("Failed to fetch RODC machine account %s pointed to by %s to check allow/deny list: (%d)\n",
1609 ldb_dn_get_linearized(rodc_machine_account_dn),
1610 ldb_dn_get_linearized(rodc->msg->dn),
1611 rodc_machine_account->count);
1612 TALLOC_FREE(frame);
1613 return WERR_DS_DRA_BAD_DN;
1614 }
1615
1616 /* if the object SID is equal to the user_sid, allow */
1617 rodc_machine_account_sid = samdb_result_dom_sid(frame,
1618 rodc_machine_account->msgs[0],
1619 "objectSid");
1620 if (rodc_machine_account_sid == NULL) {
1621 TALLOC_FREE(frame);
1622 return WERR_DS_DRA_BAD_DN;
1623 }
1624
1625 werr = samdb_confirm_rodc_allowed_to_repl_to_sid_list(rodc->kdc_db_ctx->samdb,
1626 rodc_machine_account_sid,
1627 rodc_machine_account->msgs[0],
1628 object->msg,
1629 num_object_sids,
1630 object_sids);
1631
1632 TALLOC_FREE(frame);
1633 return werr;
1634 }
1635
1636 static krb5_error_code samba_kdc_add_domain_group_sid(TALLOC_CTX *mem_ctx,
1637 struct PAC_DEVICE_INFO *info,
1638 const struct netr_SidAttr *sid)
1639 {
1640 uint32_t i;
1641 uint32_t rid;
1642 NTSTATUS status;
1643
1644 struct PAC_DOMAIN_GROUP_MEMBERSHIP *domain_group = NULL;
1645
1646 for (i = 0; i < info->domain_group_count; ++i) {
1647 struct PAC_DOMAIN_GROUP_MEMBERSHIP *this_domain_group
1648 = &info->domain_groups[i];
1649
1650 if (dom_sid_in_domain(this_domain_group->domain_sid, sid->sid)) {
1651 domain_group = this_domain_group;
1652 break;
1653 }
1654 }
1655
1656 if (domain_group == NULL) {
1657 info->domain_groups = talloc_realloc(
1658 mem_ctx,
1659 info->domain_groups,
1660 struct PAC_DOMAIN_GROUP_MEMBERSHIP,
1661 info->domain_group_count + 1);
1662 if (info->domain_groups == NULL) {
1663 return ENOMEM;
1664 }
1665
1666 domain_group = &info->domain_groups[
1667 info->domain_group_count++];
1668
1669 domain_group->domain_sid = NULL;
1670
1671 domain_group->groups.count = 0;
1672 domain_group->groups.rids = NULL;
1673
1674 status = dom_sid_split_rid(info->domain_groups,
1675 sid->sid,
1676 &domain_group->domain_sid,
1677 &rid);
1678 if (!NT_STATUS_IS_OK(status)) {
1679 return EINVAL;
1680 }
1681 } else {
1682 status = dom_sid_split_rid(NULL,
1683 sid->sid,
1684 NULL,
1685 &rid);
1686 if (!NT_STATUS_IS_OK(status)) {
1687 return EINVAL;
1688 }
1689 }
1690
1691 domain_group->groups.rids = talloc_realloc(info->domain_groups,
1692 domain_group->groups.rids,
1693 struct samr_RidWithAttribute,
1694 domain_group->groups.count + 1);
1695 if (domain_group->groups.rids == NULL) {
1696 return ENOMEM;
1697 }
1698
1699 domain_group->groups.rids[domain_group->groups.count].rid = rid;
1700 domain_group->groups.rids[domain_group->groups.count].attributes = sid->attributes;
1701
1702 ++domain_group->groups.count;
1703
1704 return 0;
1705 }
1706
1707 static krb5_error_code samba_kdc_make_device_info(TALLOC_CTX *mem_ctx,
1708 const struct netr_SamInfo3 *info3,
1709 struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups,
1710 union PAC_INFO *info)
1711 {
1712 struct PAC_DEVICE_INFO *device_info = NULL;
1713 uint32_t i;
1714
1715 ZERO_STRUCT(*info);
1716
1717 info->device_info.info = NULL;
1718
1719 device_info = talloc(mem_ctx, struct PAC_DEVICE_INFO);
1720 if (device_info == NULL) {
1721 return ENOMEM;
1722 }
1723
1724 device_info->rid = info3->base.rid;
1725 device_info->primary_gid = info3->base.primary_gid;
1726 device_info->domain_sid = info3->base.domain_sid;
1727 device_info->groups = info3->base.groups;
1728
1729 device_info->sid_count = 0;
1730 device_info->sids = NULL;
1731
1732 if (resource_groups != NULL) {
1733 /*
1734 * The account's resource groups all belong to the same domain,
1735 * so we can add them all in one go.
1736 */
1737 device_info->domain_group_count = 1;
1738 device_info->domain_groups = talloc_move(mem_ctx, &resource_groups);
1739 } else {
1740 device_info->domain_group_count = 0;
1741 device_info->domain_groups = NULL;
1742 }
1743
1744 for (i = 0; i < info3->sidcount; ++i) {
1745 const struct netr_SidAttr *device_sid = &info3->sids[i];
1746
1747 if (dom_sid_has_account_domain(device_sid->sid)) {
1748 krb5_error_code ret = samba_kdc_add_domain_group_sid(mem_ctx, device_info, device_sid);
1749 if (ret != 0) {
1750 return ret;
1751 }
1752 } else {
1753 device_info->sids = talloc_realloc(mem_ctx, device_info->sids,
1754 struct netr_SidAttr,
1755 device_info->sid_count + 1);
1756 if (device_info->sids == NULL) {
1757 return ENOMEM;
1758 }
1759
1760 device_info->sids[device_info->sid_count].sid = dom_sid_dup(device_info->sids, device_sid->sid);
1761 if (device_info->sids[device_info->sid_count].sid == NULL) {
1762 return ENOMEM;
1763 }
1764
1765 device_info->sids[device_info->sid_count].attributes = device_sid->attributes;
1766
1767 ++device_info->sid_count;
1768 }
1769 }
1770
1771 info->device_info.info = device_info;
1772
1773 return 0;
1774 }
1775
1776 static krb5_error_code samba_kdc_update_device_info(TALLOC_CTX *mem_ctx,
1777 struct ldb_context *samdb,
1778 const union PAC_INFO *logon_info,
1779 struct PAC_DEVICE_INFO *device_info)
1780 {
1781 NTSTATUS nt_status;
1782 struct auth_user_info_dc *device_info_dc = NULL;
1783 union netr_Validation validation;
1784 uint32_t i;
1785 uint32_t num_existing_sids;
1786
1787 /*
1788 * This does a bit of unnecessary work, setting up fields we don't care
1789 * about -- we only want the SIDs.
1790 */
1791 validation.sam3 = &logon_info->logon_info.info->info3;
1792 nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation,
1793 true, /* This user was authenticated */
1794 &device_info_dc);
1795 if (!NT_STATUS_IS_OK(nt_status)) {
1796 return EINVAL;
1797 }
1798
1799 num_existing_sids = device_info_dc->num_sids;
1800
1801 /*
1802 * We need to expand group memberships within our local domain,
1803 * as the token might be generated by a trusted domain.
1804 */
1805 nt_status = authsam_update_user_info_dc(mem_ctx,
1806 samdb,
1807 device_info_dc);
1808 if (!NT_STATUS_IS_OK(nt_status)) {
1809 return EINVAL;
1810 }
1811
1812 for (i = num_existing_sids; i < device_info_dc->num_sids; ++i) {
1813 struct auth_SidAttr *device_sid = &device_info_dc->sids[i];
1814 const struct netr_SidAttr sid = (struct netr_SidAttr) {
1815 .sid = &device_sid->sid,
1816 .attributes = device_sid->attrs,
1817 };
1818
1819 krb5_error_code ret = samba_kdc_add_domain_group_sid(mem_ctx, device_info, &sid);
1820 if (ret != 0) {
1821 return ret;
1822 }
1823 }
1824
1825 return 0;
1826 }
1827
1828 static krb5_error_code samba_kdc_get_device_info_pac_blob(TALLOC_CTX *mem_ctx,
1829 union PAC_INFO *info,
1830 DATA_BLOB **device_info_blob)
1831 {
1832 enum ndr_err_code ndr_err;
1833
1834 *device_info_blob = talloc_zero(mem_ctx, DATA_BLOB);
1835 if (*device_info_blob == NULL) {
1836 DBG_ERR("Out of memory\n");
1837 return ENOMEM;
1838 }
1839
1840 ndr_err = ndr_push_union_blob(*device_info_blob, mem_ctx,
1841 info, PAC_TYPE_DEVICE_INFO,
1842 (ndr_push_flags_fn_t)ndr_push_PAC_INFO);
1843 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1844 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
1845 DBG_WARNING("PAC_DEVICE_INFO (presig) push failed: %s\n",
1846 nt_errstr(nt_status));
1847 return EINVAL;
1848 }
1849
1850 return 0;
1851 }
1852
1853 static krb5_error_code samba_kdc_create_device_info_blob(TALLOC_CTX *mem_ctx,
1854 krb5_context context,
1855 struct ldb_context *samdb,
1856 const krb5_const_pac device_pac,
1857 DATA_BLOB **device_info_blob)
1858 {
1859 TALLOC_CTX *frame = NULL;
1860 krb5_data device_logon_info;
1861 krb5_error_code code = EINVAL;
1862 NTSTATUS nt_status;
1863
1864 union PAC_INFO info;
1865 enum ndr_err_code ndr_err;
1866 DATA_BLOB device_logon_info_blob;
1867
1868 union PAC_INFO logon_info;
1869
1870 code = krb5_pac_get_buffer(context, device_pac,
1871 PAC_TYPE_LOGON_INFO,
1872 &device_logon_info);
1873 if (code != 0) {
1874 if (code == ENOENT) {
1875 DBG_ERR("Device PAC is missing LOGON_INFO\n");
1876 } else {
1877 DBG_ERR("Error getting LOGON_INFO from device PAC\n");
1878 }
1879 return code;
1880 }
1881
1882 frame = talloc_stackframe();
1883
1884 device_logon_info_blob = data_blob_const(device_logon_info.data,
1885 device_logon_info.length);
1886
1887 ndr_err = ndr_pull_union_blob(&device_logon_info_blob, frame, &logon_info,
1888 PAC_TYPE_LOGON_INFO,
1889 (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
1890 smb_krb5_free_data_contents(context, &device_logon_info);
1891 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1892 nt_status = ndr_map_error2ntstatus(ndr_err);
1893 DBG_ERR("can't parse device PAC LOGON_INFO: %s\n",
1894 nt_errstr(nt_status));
1895 talloc_free(frame);
1896 return EINVAL;
1897 }
1898
1899 /*
1900 * When creating the device info structure, existing resource groups are
1901 * discarded.
1902 */
1903 code = samba_kdc_make_device_info(frame,
1904 &logon_info.logon_info.info->info3,
1905 NULL, /* resource_groups */
1906 &info);
1907 if (code != 0) {
1908 talloc_free(frame);
1909 return code;
1910 }
1911
1912 code = samba_kdc_update_device_info(frame,
1913 samdb,
1914 &logon_info,
1915 info.device_info.info);
1916 if (code != 0) {
1917 talloc_free(frame);
1918 return code;
1919 }
1920
1921 code = samba_kdc_get_device_info_pac_blob(mem_ctx,
1922 &info,
1923 device_info_blob);
1924
1925 talloc_free(frame);
1926 return code;
1927 }
1928
1929 static krb5_error_code samba_kdc_get_device_info_blob(TALLOC_CTX *mem_ctx,
1930 struct samba_kdc_entry *device,
1931 DATA_BLOB **device_info_blob)
1932 {
1933 TALLOC_CTX *frame = NULL;
1934 krb5_error_code code = EINVAL;
1935 NTSTATUS nt_status;
1936
1937 struct auth_user_info_dc *device_info_dc = NULL;
1938 struct netr_SamInfo3 *info3 = NULL;
1939 struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups = NULL;
1940
1941 union PAC_INFO info;
1942
1943 enum samba_asserted_identity asserted_identity =
1944 SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY;
1945 const enum samba_claims_valid claims_valid = SAMBA_CLAIMS_VALID_INCLUDE;
1946 const enum samba_compounded_auth compounded_auth = SAMBA_COMPOUNDED_AUTH_EXCLUDE;
1947
1948 frame = talloc_stackframe();
1949
1950 nt_status = samba_kdc_get_user_info_dc(frame,
1951 device,
1952 asserted_identity,
1953 claims_valid,
1954 compounded_auth,
1955 &device_info_dc);
1956 if (!NT_STATUS_IS_OK(nt_status)) {
1957 DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n",
1958 nt_errstr(nt_status));
1959 talloc_free(frame);
1960 return KRB5KDC_ERR_TGT_REVOKED;
1961 }
1962
1963 nt_status = auth_convert_user_info_dc_saminfo3(frame, device_info_dc,
1964 AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED,
1965 &info3,
1966 &resource_groups);
1967 if (!NT_STATUS_IS_OK(nt_status)) {
1968 DEBUG(1, ("Getting Samba info failed: %s\n",
1969 nt_errstr(nt_status)));
1970 talloc_free(frame);
1971 return nt_status_to_krb5(nt_status);
1972 }
1973
1974 code = samba_kdc_make_device_info(frame,
1975 info3,
1976 resource_groups,
1977 &info);
1978 if (code != 0) {
1979 talloc_free(frame);
1980 return code;
1981 }
1982
1983 code = samba_kdc_get_device_info_pac_blob(mem_ctx,
1984 &info,
1985 device_info_blob);
1986
1987 talloc_free(frame);
1988 return code;
1989 }
1990
1991 /**
1992 * @brief Verify a PAC
1993 *
1994 * @param mem_ctx A talloc memory context
1995 *
1996 * @param context A krb5 context
1997 *
1998 * @param flags Bitwise OR'ed flags
1999 *
2000 * @param client The client samba kdc entry.
2001
2002 * @param krbtgt The krbtgt samba kdc entry.
2003 *
2004 * @param device The computer's samba kdc entry; used for compound
2005 * authentication.
2006
2007 * @param device_pac The PAC from the computer's TGT; used
2008 * for compound authentication.
2009
2010 * @param pac The PAC
2011
2012 * @return A Kerberos error code.
2013 */
2014 krb5_error_code samba_kdc_verify_pac(TALLOC_CTX *mem_ctx,
2015 krb5_context context,
2016 uint32_t flags,
2017 struct samba_kdc_entry *client,
2018 const struct samba_kdc_entry *krbtgt,
2019 const struct samba_kdc_entry *device,
2020 const krb5_const_pac *device_pac,
2021 const krb5_const_pac pac)
2022 {
2023 krb5_error_code code = EINVAL;
2024 NTSTATUS nt_status;
2025 bool is_trusted = flags & SAMBA_KDC_FLAG_KRBTGT_IS_TRUSTED;
2026
2027 struct pac_blobs pac_blobs;
2028 pac_blobs_init(&pac_blobs);
2029
2030 if (client != NULL) {
2031 /*
2032 * Check the objectSID of the client and pac data are the same.
2033 * Does a parse and SID check, but no crypto.
2034 */
2035 code = samba_kdc_validate_pac_blob(context,
2036 client,
2037 pac);
2038 if (code != 0) {
2039 goto done;
2040 }
2041 }
2042
2043 if (device != NULL) {
2044 SMB_ASSERT(*device_pac != NULL);
2045
2046 /*
2047 * Check the objectSID of the device and pac data are the same.
2048 * Does a parse and SID check, but no crypto.
2049 */
2050 code = samba_kdc_validate_pac_blob(context,
2051 device,
2052 *device_pac);
2053 if (code != 0) {
2054 goto done;
2055 }
2056 }
2057
2058 if (!is_trusted) {
2059 const struct auth_user_info_dc *user_info_dc = NULL;
2060 WERROR werr;
2061
2062 struct dom_sid *object_sids = NULL;
2063 uint32_t j;
2064
2065 if (client == NULL) {
2066 code = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
2067 goto done;
2068 }
2069
2070 nt_status = samba_kdc_get_user_info_from_db(client, client->msg, &user_info_dc);
2071 if (!NT_STATUS_IS_OK(nt_status)) {
2072 DBG_ERR("Getting user info for PAC failed: %s\n",
2073 nt_errstr(nt_status));
2074 code = KRB5KDC_ERR_TGT_REVOKED;
2075 goto done;
2076 }
2077
2078 /*
2079 * Check if the SID list in the user_info_dc intersects
2080 * correctly with the RODC allow/deny lists.
2081 */
2082 object_sids = talloc_array(mem_ctx, struct dom_sid, user_info_dc->num_sids);
2083 if (object_sids == NULL) {
2084 code = ENOMEM;
2085 goto done;
2086 }
2087
2088 for (j = 0; j < user_info_dc->num_sids; ++j) {
2089 object_sids[j] = user_info_dc->sids[j].sid;
2090 }
2091
2092 werr = samba_rodc_confirm_user_is_allowed(user_info_dc->num_sids,
2093 object_sids,
2094 krbtgt,
2095 client);
2096 TALLOC_FREE(object_sids);
2097 if (!W_ERROR_IS_OK(werr)) {
2098 code = KRB5KDC_ERR_TGT_REVOKED;
2099 if (W_ERROR_EQUAL(werr,
2100 WERR_DOMAIN_CONTROLLER_NOT_FOUND)) {
2101 code = KRB5KDC_ERR_POLICY;
2102 }
2103 goto done;
2104 }
2105
2106 /*
2107 * The RODC PAC data isn't trusted for authorization as it may
2108 * be stale. The only thing meaningful we can do with an RODC
2109 * account on a full DC is exchange the RODC TGT for a 'real'
2110 * TGT.
2111 *
2112 * So we match Windows (at least server 2022) and
2113 * don't allow S4U2Self.
2114 *
2115 * https://lists.samba.org/archive/cifs-protocol/2022-April/003673.html
2116 */
2117 if (flags & SAMBA_KDC_FLAG_PROTOCOL_TRANSITION) {
2118 code = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
2119 goto done;
2120 }
2121 }
2122
2123 /* Check the types of the given PAC */
2124
2125 code = pac_blobs_from_krb5_pac(&pac_blobs,
2126 mem_ctx,
2127 context,
2128 pac);
2129 if (code != 0) {
2130 goto done;
2131 }
2132
2133 code = pac_blobs_ensure_exists(&pac_blobs,
2134 PAC_TYPE_LOGON_INFO);
2135 if (code != 0) {
2136 goto done;
2137 }
2138
2139 code = pac_blobs_ensure_exists(&pac_blobs,
2140 PAC_TYPE_LOGON_NAME);
2141 if (code != 0) {
2142 goto done;
2143 }
2144
2145 code = pac_blobs_ensure_exists(&pac_blobs,
2146 PAC_TYPE_SRV_CHECKSUM);
2147 if (code != 0) {
2148 goto done;
2149 }
2150
2151 code = pac_blobs_ensure_exists(&pac_blobs,
2152 PAC_TYPE_KDC_CHECKSUM);
2153 if (code != 0) {
2154 goto done;
2155 }
2156
2157 if (!(flags & SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION)) {
2158 code = pac_blobs_ensure_exists(&pac_blobs,
2159 PAC_TYPE_REQUESTER_SID);
2160 if (code != 0) {
2161 code = KRB5KDC_ERR_TGT_REVOKED;
2162 goto done;
2163 }
2164 }
2165
2166 code = 0;
2167
2168 done:
2169 pac_blobs_destroy(&pac_blobs);
2170
2171 return code;
2172 }
2173
2174 /**
2175 * @brief Update a PAC
2176 *
2177 * @param mem_ctx A talloc memory context
2178 *
2179 * @param context A krb5 context
2180 *
2181 * @param samdb An open samdb connection.
2182 *
2183 * @param flags Bitwise OR'ed flags
2184 *
2185 * @param device_pac_is_trusted Whether the device's PAC was issued by a trusted server,
2186 * as opposed to an RODC.
2187 *
2188 * @param client The client samba kdc entry.
2189
2190 * @param server_principal The server principal
2191
2192 * @param server The server samba kdc entry.
2193
2194 * @param delegated_proxy_principal The delegated proxy principal used for
2195 * updating the constrained delegation PAC
2196 * buffer.
2197
2198 * @param device The computer's samba kdc entry; used for compound
2199 * authentication.
2200
2201 * @param device_pac The PAC from the computer's TGT; used
2202 * for compound authentication.
2203
2204 * @param old_pac The old PAC
2205
2206 * @param new_pac The new already allocated PAC
2207
2208 * @return A Kerberos error code. If no PAC should be returned, the code will be
2209 * ENOATTR!
2210 */
2211 krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
2212 krb5_context context,
2213 struct ldb_context *samdb,
2214 uint32_t flags,
2215 struct samba_kdc_entry *client,
2216 const krb5_principal server_principal,
2217 const struct samba_kdc_entry *server,
2218 const krb5_principal delegated_proxy_principal,
2219 struct samba_kdc_entry *device,
2220 const krb5_const_pac device_pac,
2221 const krb5_const_pac old_pac,
2222 krb5_pac new_pac)
2223 {
2224 krb5_error_code code = EINVAL;
2225 NTSTATUS nt_status;
2226 DATA_BLOB *pac_blob = NULL;
2227 DATA_BLOB *upn_blob = NULL;
2228 DATA_BLOB *deleg_blob = NULL;
2229 DATA_BLOB *requester_sid_blob = NULL;
2230 DATA_BLOB *client_claims_blob = NULL;
2231 bool client_pac_is_trusted = flags & SAMBA_KDC_FLAG_KRBTGT_IS_TRUSTED;
2232 bool device_pac_is_trusted = flags & SAMBA_KDC_FLAG_DEVICE_KRBTGT_IS_TRUSTED;
2233 DATA_BLOB *device_claims_blob = NULL;
2234 DATA_BLOB *device_info_blob = NULL;
2235 int is_tgs = false;
2236 struct auth_user_info_dc *user_info_dc = NULL;
2237 enum auth_group_inclusion group_inclusion;
2238 size_t i = 0;
2239
2240 struct pac_blobs pac_blobs;
2241 pac_blobs_init(&pac_blobs);
2242
2243 is_tgs = smb_krb5_principal_is_tgs(context, server_principal);
2244 if (is_tgs == -1) {
2245 code = ENOMEM;
2246 goto done;
2247 }
2248
2249 /* Only include resource groups in a service ticket. */
2250 if (is_tgs) {
2251 group_inclusion = AUTH_EXCLUDE_RESOURCE_GROUPS;
2252 } else if (server->supported_enctypes & KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED) {
2253 group_inclusion = AUTH_INCLUDE_RESOURCE_GROUPS;
2254 } else {
2255 group_inclusion = AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED;
2256 }
2257
2258 if (device != NULL && !is_tgs) {
2259 SMB_ASSERT(device_pac != NULL);
2260
2261 if (device_pac_is_trusted) {
2262 krb5_data device_claims_data;
2263 code = krb5_pac_get_buffer(context, device_pac,
2264 PAC_TYPE_CLIENT_CLAIMS_INFO,
2265 &device_claims_data);
2266 if (code == ENOENT) {
2267 /* no-op */
2268 } else if (code != 0) {
2269 goto done;
2270 } else {
2271 device_claims_blob = talloc_zero(mem_ctx, DATA_BLOB);
2272 if (device_claims_blob == NULL) {
2273 smb_krb5_free_data_contents(context, &device_claims_data);
2274 code = ENOMEM;
2275 goto done;
2276 }
2277
2278 *device_claims_blob = data_blob_talloc(mem_ctx,
2279 device_claims_data.data,
2280 device_claims_data.length);
2281 if (device_claims_blob->data == NULL && device_claims_data.length != 0) {
2282 smb_krb5_free_data_contents(context, &device_claims_data);
2283 code = ENOMEM;
2284 goto done;
2285 }
2286
2287 smb_krb5_free_data_contents(context, &device_claims_data);
2288 }
2289
2290 code = samba_kdc_create_device_info_blob(mem_ctx,
2291 context,
2292 samdb,
2293 device_pac,
2294 &device_info_blob);
2295 if (code != 0) {
2296 goto done;
2297 }
2298 } else {
2299 /* Don't trust RODC-issued claims. Regenerate them. */
2300 nt_status = samba_kdc_get_claims_blob(mem_ctx,
2301 device,
2302 &device_claims_blob);
2303 if (!NT_STATUS_IS_OK(nt_status)) {
2304 DBG_ERR("samba_kdc_get_claims_blob failed: %s\n",
2305 nt_errstr(nt_status));
2306 code = EINVAL;
2307 goto done;
2308 }
2309
2310 /* Also regenerate device info. */
2311 code = samba_kdc_get_device_info_blob(mem_ctx,
2312 device,
2313 &device_info_blob);
2314 if (code != 0) {
2315 goto done;
2316 }
2317 }
2318 }
2319
2320 if (delegated_proxy_principal != NULL) {
2321 deleg_blob = talloc_zero(mem_ctx, DATA_BLOB);
2322 if (deleg_blob == NULL) {
2323 code = ENOMEM;
2324 goto done;
2325 }
2326
2327 nt_status = samba_kdc_update_delegation_info_blob(
2328 mem_ctx,
2329 context,
2330 old_pac,
2331 server_principal,
2332 delegated_proxy_principal,
2333 deleg_blob);
2334 if (!NT_STATUS_IS_OK(nt_status)) {
2335 DBG_ERR("update delegation info blob failed: %s\n",
2336 nt_errstr(nt_status));
2337 code = EINVAL;
2338 goto done;
2339 }
2340 }
2341
2342 if (!client_pac_is_trusted) {
2343 /*
2344 * In this case the RWDC discards the PAC an RODC generated.
2345 * Windows adds the asserted_identity in this case too.
2346 *
2347 * Note that SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION
2348 * generates KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN.
2349 * So we can always use
2350 * SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY
2351 * here.
2352 */
2353 enum samba_asserted_identity asserted_identity =
2354 SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY;
2355 const enum samba_claims_valid claims_valid = SAMBA_CLAIMS_VALID_EXCLUDE;
2356 const enum samba_compounded_auth compounded_auth =
2357 (device != NULL && !is_tgs) ?
2358 SAMBA_COMPOUNDED_AUTH_INCLUDE :
2359 SAMBA_COMPOUNDED_AUTH_EXCLUDE;
2360
2361 if (client == NULL) {
2362 code = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
2363 goto done;
2364 }
2365
2366 nt_status = samba_kdc_get_user_info_dc(mem_ctx,
2367 client,
2368 asserted_identity,
2369 claims_valid,
2370 compounded_auth,
2371 &user_info_dc);
2372 if (!NT_STATUS_IS_OK(nt_status)) {
2373 DBG_ERR("samba_kdc_get_user_info_dc failed: %s\n",
2374 nt_errstr(nt_status));
2375 code = KRB5KDC_ERR_TGT_REVOKED;
2376 goto done;
2377 }
2378
2379 nt_status = samba_kdc_get_logon_info_blob(mem_ctx,
2380 user_info_dc,
2381 group_inclusion,
2382 &pac_blob);
2383 if (!NT_STATUS_IS_OK(nt_status)) {
2384 DBG_ERR("samba_kdc_get_logon_info_blob failed: %s\n",
2385 nt_errstr(nt_status));
2386 code = KRB5KDC_ERR_TGT_REVOKED;
2387 goto done;
2388 }
2389
2390 nt_status = samba_kdc_get_upn_info_blob(mem_ctx,
2391 user_info_dc,
2392 &upn_blob);
2393 if (!NT_STATUS_IS_OK(nt_status)) {
2394 DBG_ERR("samba_kdc_get_upn_info_blob failed: %s\n",
2395 nt_errstr(nt_status));
2396 code = KRB5KDC_ERR_TGT_REVOKED;
2397 goto done;
2398 }
2399
2400 nt_status = samba_kdc_get_requester_sid_blob(mem_ctx,
2401 user_info_dc,
2402 &requester_sid_blob);
2403 if (!NT_STATUS_IS_OK(nt_status)) {
2404 DBG_ERR("samba_kdc_get_requester_sid_blob failed: %s\n",
2405 nt_errstr(nt_status));
2406 code = KRB5KDC_ERR_TGT_REVOKED;
2407 goto done;
2408 }
2409
2410 /* Don't trust RODC-issued claims. Regenerate them. */
2411 nt_status = samba_kdc_get_claims_blob(mem_ctx,
2412 client,
2413 &client_claims_blob);
2414 if (!NT_STATUS_IS_OK(nt_status)) {
2415 DBG_ERR("samba_kdc_get_claims_blob failed: %s\n",
2416 nt_errstr(nt_status));
2417 code = EINVAL;
2418 goto done;
2419 }
2420 } else {
2421 const enum samba_compounded_auth compounded_auth =
2422 (device != NULL && !is_tgs) ?
2423 SAMBA_COMPOUNDED_AUTH_INCLUDE :
2424 SAMBA_COMPOUNDED_AUTH_EXCLUDE;
2425 pac_blob = talloc_zero(mem_ctx, DATA_BLOB);
2426 if (pac_blob == NULL) {
2427 code = ENOMEM;
2428 goto done;
2429 }
2430
2431 nt_status = samba_kdc_update_pac_blob(mem_ctx,
2432 context,
2433 samdb,
2434 group_inclusion,
2435 compounded_auth,
2436 old_pac,
2437 pac_blob,
2438 NULL,
2439 NULL);
2440 if (!NT_STATUS_IS_OK(nt_status)) {
2441 DBG_ERR("samba_kdc_update_pac_blob failed: %s\n",
2442 nt_errstr(nt_status));
2443 code = EINVAL;
2444 goto done;
2445 }
2446 }
2447
2448 /* Check the types of the given PAC */
2449 code = pac_blobs_from_krb5_pac(&pac_blobs,
2450 mem_ctx,
2451 context,
2452 old_pac);
2453 if (code != 0) {
2454 goto done;
2455 }
2456
2457 code = pac_blobs_replace_existing(&pac_blobs,
2458 PAC_TYPE_LOGON_INFO,
2459 pac_blob);
2460 if (code != 0) {
2461 goto done;
2462 }
2463
2464 #ifdef SAMBA4_USES_HEIMDAL
2465 /* Not needed with MIT Kerberos */
2466 code = pac_blobs_replace_existing(&pac_blobs,
2467 PAC_TYPE_LOGON_NAME,
2468 &data_blob_null);
2469 if (code != 0) {
2470 goto done;
2471 }
2472
2473 code = pac_blobs_replace_existing(&pac_blobs,
2474 PAC_TYPE_SRV_CHECKSUM,
2475 &data_blob_null);
2476 if (code != 0) {
2477 goto done;
2478 }
2479
2480 code = pac_blobs_replace_existing(&pac_blobs,
2481 PAC_TYPE_KDC_CHECKSUM,
2482 &data_blob_null);
2483 if (code != 0) {
2484 goto done;
2485 }
2486 #endif
2487
2488 code = pac_blobs_add_blob(&pac_blobs,
2489 mem_ctx,
2490 PAC_TYPE_CONSTRAINED_DELEGATION,
2491 deleg_blob);
2492 if (code != 0) {
2493 goto done;
2494 }
2495
2496 code = pac_blobs_add_blob(&pac_blobs,
2497 mem_ctx,
2498 PAC_TYPE_UPN_DNS_INFO,
2499 upn_blob);
2500 if (code != 0) {
2501 goto done;
2502 }
2503
2504 code = pac_blobs_add_blob(&pac_blobs,
2505 mem_ctx,
2506 PAC_TYPE_CLIENT_CLAIMS_INFO,
2507 client_claims_blob);
2508 if (code != 0) {
2509 goto done;
2510 }
2511
2512 code = pac_blobs_add_blob(&pac_blobs,
2513 mem_ctx,
2514 PAC_TYPE_DEVICE_INFO,
2515 device_info_blob);
2516 if (code != 0) {
2517 goto done;
2518 }
2519
2520 if (device_claims_blob != NULL) {
2521 code = pac_blobs_add_blob(&pac_blobs,
2522 mem_ctx,
2523 PAC_TYPE_DEVICE_CLAIMS_INFO,
2524 device_claims_blob);
2525 if (code != 0) {
2526 goto done;
2527 }
2528 }
2529
2530 if (!client_pac_is_trusted || !is_tgs) {
2531 code = pac_blobs_remove_blob(&pac_blobs,
2532 mem_ctx,
2533 PAC_TYPE_ATTRIBUTES_INFO);
2534 if (code != 0) {
2535 goto done;
2536 }
2537 }
2538
2539 if (!is_tgs) {
2540 code = pac_blobs_remove_blob(&pac_blobs,
2541 mem_ctx,
2542 PAC_TYPE_REQUESTER_SID);
2543 if (code != 0) {
2544 goto done;
2545 }
2546 } else {
2547 code = pac_blobs_add_blob(&pac_blobs,
2548 mem_ctx,
2549 PAC_TYPE_REQUESTER_SID,
2550 requester_sid_blob);
2551 if (code != 0) {
2552 goto done;
2553 }
2554 }
2555
2556 /*
2557 * The server account may be set not to want the PAC.
2558 *
2559 * While this is wasteful if the above calculations were done
2560 * and now thrown away, this is cleaner as we do any ticket
2561 * signature checking etc always.
2562 *
2563 * UF_NO_AUTH_DATA_REQUIRED is the rare case and most of the
2564 * time (eg not accepting a ticket from the RODC) we do not
2565 * need to re-generate anything anyway.
2566 */
2567 if (!samba_princ_needs_pac(server)) {
2568 code = ENOATTR;
2569 goto done;
2570 }
2571
2572 if (client_pac_is_trusted && !is_tgs) {
2573 /*
2574 * The client may have requested no PAC when obtaining the
2575 * TGT.
2576 */
2577 bool requested_pac = false;
2578
2579 code = samba_client_requested_pac(context,
2580 old_pac,
2581 mem_ctx,
2582 &requested_pac);
2583 if (code != 0 || !requested_pac) {
2584 if (!requested_pac) {
2585 code = ENOATTR;
2586 }
2587 goto done;
2588 }
2589 }
2590
2591 for (i = 0; i < pac_blobs.num_types; ++i) {
2592 krb5_data type_data;
2593 const DATA_BLOB *type_blob = pac_blobs.type_blobs[i].data;
2594 uint32_t type = pac_blobs.type_blobs[i].type;
2595
2596 static char null_byte = '\0';
2597 const krb5_data null_data = smb_krb5_make_data(&null_byte, 0);
2598
2599 #ifndef SAMBA4_USES_HEIMDAL
2600 /* Not needed with MIT Kerberos */
2601 switch(type) {
2602 case PAC_TYPE_LOGON_NAME:
2603 case PAC_TYPE_SRV_CHECKSUM:
2604 case PAC_TYPE_KDC_CHECKSUM:
2605 case PAC_TYPE_FULL_CHECKSUM:
2606 continue;
2607 default:
2608 break;
2609 }
2610 #endif
2611
2612 if (type_blob != NULL) {
2613 type_data = smb_krb5_data_from_blob(*type_blob);
2614 /*
2615 * Passing a NULL pointer into krb5_pac_add_buffer() is
2616 * not allowed, so pass null_data instead if needed.
2617 */
2618 code = krb5_pac_add_buffer(context,
2619 new_pac,
2620 type,
2621 (type_data.data != NULL) ? &type_data : &null_data);
2622 } else {
2623 code = krb5_pac_get_buffer(context,
2624 old_pac,
2625 type,
2626 &type_data);
2627 if (code != 0) {
2628 goto done;
2629 }
2630 /*
2631 * Passing a NULL pointer into krb5_pac_add_buffer() is
2632 * not allowed, so pass null_data instead if needed.
2633 */
2634 code = krb5_pac_add_buffer(context,
2635 new_pac,
2636 type,
2637 (type_data.data != NULL) ? &type_data : &null_data);
2638 smb_krb5_free_data_contents(context, &type_data);
2639 }
2640
2641 if (code != 0) {
2642 goto done;
2643 }
2644 }
2645
2646 code = 0;
2647 done:
2648 pac_blobs_destroy(&pac_blobs);
2649 TALLOC_FREE(pac_blob);
2650 TALLOC_FREE(upn_blob);
2651 TALLOC_FREE(deleg_blob);
2652 /* Release our handle to user_info_dc. */
2653 talloc_unlink(mem_ctx, user_info_dc);
2654 return code;
2655 }
Samba GIT mirror