search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r19633: Merge to lorikeet-heimdal, removing krb5_rd_req_return_keyblock in favour...
[Samba/ekacnet.git] / source / auth / gensec / gensec_krb5.c
blob044c7df1de2497e3eacee032f38ae4d721ceff5d
1 /*
2 Unix SMB/CIFS implementation.
3
4 Kerberos backend for GENSEC
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
7 Copyright (C) Andrew Tridgell 2001
8 Copyright (C) Luke Howard 2002-2003
9 Copyright (C) Stefan Metzmacher 2004-2005
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21
22 You should have received a copy of the GNU General Public License
23 along with this program; if not, write to the Free Software
24 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 */
26
27 #include "includes.h"
28 #include "system/kerberos.h"
29 #include "auth/kerberos/kerberos.h"
30 #include "librpc/gen_ndr/krb5pac.h"
31 #include "auth/auth.h"
32 #include "lib/ldb/include/ldb.h"
33 #include "auth/auth_sam.h"
34 #include "system/network.h"
35 #include "lib/socket/socket.h"
36 #include "librpc/rpc/dcerpc.h"
37 #include "auth/credentials/credentials.h"
38 #include "auth/credentials/credentials_krb5.h"
39 #include "auth/gensec/gensec.h"
40
41 enum GENSEC_KRB5_STATE {
42 GENSEC_KRB5_SERVER_START,
43 GENSEC_KRB5_CLIENT_START,
44 GENSEC_KRB5_CLIENT_MUTUAL_AUTH,
45 GENSEC_KRB5_DONE
46 };
47
48 struct gensec_krb5_state {
49 DATA_BLOB session_key;
50 DATA_BLOB pac;
51 enum GENSEC_KRB5_STATE state_position;
52 struct smb_krb5_context *smb_krb5_context;
53 krb5_auth_context auth_context;
54 krb5_data enc_ticket;
55 krb5_keyblock *keyblock;
56 krb5_ticket *ticket;
57 BOOL gssapi;
58 };
59
60 static int gensec_krb5_destroy(struct gensec_krb5_state *gensec_krb5_state)
61 {
62 if (!gensec_krb5_state->smb_krb5_context) {
63 /* We can't clean anything else up unless we started up this far */
64 return 0;
65 }
66 if (gensec_krb5_state->enc_ticket.length) {
67 kerberos_free_data_contents(gensec_krb5_state->smb_krb5_context->krb5_context,
68 &gensec_krb5_state->enc_ticket);
69 }
70
71 if (gensec_krb5_state->ticket) {
72 krb5_free_ticket(gensec_krb5_state->smb_krb5_context->krb5_context,
73 gensec_krb5_state->ticket);
74 }
75
76 /* ccache freed in a child destructor */
77
78 krb5_free_keyblock(gensec_krb5_state->smb_krb5_context->krb5_context,
79 gensec_krb5_state->keyblock);
80
81 if (gensec_krb5_state->auth_context) {
82 krb5_auth_con_free(gensec_krb5_state->smb_krb5_context->krb5_context,
83 gensec_krb5_state->auth_context);
84 }
85
86 return 0;
87 }
88
89 static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
90 {
91 krb5_error_code ret;
92 struct gensec_krb5_state *gensec_krb5_state;
93 struct cli_credentials *creds;
94 const struct socket_address *my_addr, *peer_addr;
95 krb5_address my_krb5_addr, peer_krb5_addr;
96
97 creds = gensec_get_credentials(gensec_security);
98 if (!creds) {
99 return NT_STATUS_INVALID_PARAMETER;
100 }
101
102 gensec_krb5_state = talloc(gensec_security, struct gensec_krb5_state);
103 if (!gensec_krb5_state) {
104 return NT_STATUS_NO_MEMORY;
105 }
106
107 gensec_security->private_data = gensec_krb5_state;
108 gensec_krb5_state->smb_krb5_context = NULL;
109 gensec_krb5_state->auth_context = NULL;
110 gensec_krb5_state->ticket = NULL;
111 ZERO_STRUCT(gensec_krb5_state->enc_ticket);
112 gensec_krb5_state->keyblock = NULL;
113 gensec_krb5_state->session_key = data_blob(NULL, 0);
114 gensec_krb5_state->pac = data_blob(NULL, 0);
115 gensec_krb5_state->gssapi = False;
116
117 talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy);
118
119 if (cli_credentials_get_krb5_context(creds, &gensec_krb5_state->smb_krb5_context)) {
120 talloc_free(gensec_krb5_state);
121 return NT_STATUS_INTERNAL_ERROR;
122 }
123
124 ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context);
125 if (ret) {
126 DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n",
127 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
128 ret, gensec_krb5_state)));
129 talloc_free(gensec_krb5_state);
130 return NT_STATUS_INTERNAL_ERROR;
131 }
132
133 ret = krb5_auth_con_setflags(gensec_krb5_state->smb_krb5_context->krb5_context,
134 gensec_krb5_state->auth_context,
135 KRB5_AUTH_CONTEXT_DO_SEQUENCE);
136 if (ret) {
137 DEBUG(1,("gensec_krb5_start: krb5_auth_con_setflags failed (%s)\n",
138 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
139 ret, gensec_krb5_state)));
140 talloc_free(gensec_krb5_state);
141 return NT_STATUS_INTERNAL_ERROR;
142 }
143
144 my_addr = gensec_get_my_addr(gensec_security);
145 if (my_addr && my_addr->sockaddr) {
146 ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
147 my_addr->sockaddr, &my_krb5_addr);
148 if (ret) {
149 DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n",
150 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
151 ret, gensec_krb5_state)));
152 talloc_free(gensec_krb5_state);
153 return NT_STATUS_INTERNAL_ERROR;
154 }
155 }
156
157 peer_addr = gensec_get_peer_addr(gensec_security);
158 if (peer_addr && peer_addr->sockaddr) {
159 ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
160 peer_addr->sockaddr, &peer_krb5_addr);
161 if (ret) {
162 DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n",
163 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
164 ret, gensec_krb5_state)));
165 talloc_free(gensec_krb5_state);
166 return NT_STATUS_INTERNAL_ERROR;
167 }
168 }
169
170 ret = krb5_auth_con_setaddrs(gensec_krb5_state->smb_krb5_context->krb5_context,
171 gensec_krb5_state->auth_context,
172 my_addr ? &my_krb5_addr : NULL,
173 peer_addr ? &peer_krb5_addr : NULL);
174 if (ret) {
175 DEBUG(1,("gensec_krb5_start: krb5_auth_con_setaddrs failed (%s)\n",
176 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
177 ret, gensec_krb5_state)));
178 talloc_free(gensec_krb5_state);
179 return NT_STATUS_INTERNAL_ERROR;
180 }
181
182 return NT_STATUS_OK;
183 }
184
185 static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security)
186 {
187 NTSTATUS nt_status;
188 struct gensec_krb5_state *gensec_krb5_state;
189
190 nt_status = gensec_krb5_start(gensec_security);
191 if (!NT_STATUS_IS_OK(nt_status)) {
192 return nt_status;
193 }
194
195 gensec_krb5_state = gensec_security->private_data;
196 gensec_krb5_state->state_position = GENSEC_KRB5_SERVER_START;
197
198 return NT_STATUS_OK;
199 }
200
201 static NTSTATUS gensec_fake_gssapi_krb5_server_start(struct gensec_security *gensec_security)
202 {
203 NTSTATUS nt_status = gensec_krb5_server_start(gensec_security);
204
205 if (NT_STATUS_IS_OK(nt_status)) {
206 struct gensec_krb5_state *gensec_krb5_state;
207 gensec_krb5_state = gensec_security->private_data;
208 gensec_krb5_state->gssapi = True;
209 }
210 return nt_status;
211 }
212
213 static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security)
214 {
215 struct gensec_krb5_state *gensec_krb5_state;
216 krb5_error_code ret;
217 NTSTATUS nt_status;
218 struct ccache_container *ccache_container;
219 const char *hostname;
220 krb5_flags ap_req_options = AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED;
221
222 const char *principal;
223 krb5_data in_data;
224
225 hostname = gensec_get_target_hostname(gensec_security);
226 if (!hostname) {
227 DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
228 return NT_STATUS_INVALID_PARAMETER;
229 }
230 if (is_ipaddress(hostname)) {
231 DEBUG(2, ("Cannot do krb5 to an IP address"));
232 return NT_STATUS_INVALID_PARAMETER;
233 }
234 if (strcmp(hostname, "localhost") == 0) {
235 DEBUG(2, ("krb5 to 'localhost' does not make sense"));
236 return NT_STATUS_INVALID_PARAMETER;
237 }
238
239 nt_status = gensec_krb5_start(gensec_security);
240 if (!NT_STATUS_IS_OK(nt_status)) {
241 return nt_status;
242 }
243
244 gensec_krb5_state = gensec_security->private_data;
245 gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
246
247 ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security), &ccache_container);
248 if (ret) {
249 DEBUG(1,("gensec_krb5_start: cli_credentials_get_ccache failed: %s\n",
250 error_message(ret)));
251 return NT_STATUS_UNSUCCESSFUL;
252 }
253
254 in_data.length = 0;
255
256 principal = gensec_get_target_principal(gensec_security);
257 if (principal && lp_client_use_spnego_principal()) {
258 krb5_principal target_principal;
259 ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
260 &target_principal);
261 if (ret == 0) {
262 ret = krb5_mk_req_exact(gensec_krb5_state->smb_krb5_context->krb5_context,
263 &gensec_krb5_state->auth_context,
264 ap_req_options,
265 target_principal,
266 &in_data, ccache_container->ccache,
267 &gensec_krb5_state->enc_ticket);
268 krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
269 target_principal);
270 }
271 } else {
272 ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context,
273 &gensec_krb5_state->auth_context,
274 ap_req_options,
275 gensec_get_target_service(gensec_security),
276 hostname,
277 &in_data, ccache_container->ccache,
278 &gensec_krb5_state->enc_ticket);
279 }
280 switch (ret) {
281 case 0:
282 return NT_STATUS_OK;
283 case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
284 DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n",
285 hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
286 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
287 case KRB5_KDC_UNREACH:
288 DEBUG(3, ("Cannot reach a KDC we require to contact host [%s]: %s\n",
289 hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
290 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
291 case KRB5KDC_ERR_PREAUTH_FAILED:
292 case KRB5KRB_AP_ERR_TKT_EXPIRED:
293 case KRB5_CC_END:
294 /* Too much clock skew - we will need to kinit to re-skew the clock */
295 case KRB5KRB_AP_ERR_SKEW:
296 case KRB5_KDCREP_SKEW:
297 {
298 DEBUG(3, ("kerberos (mk_req) failed: %s\n",
299 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
300 /*fall through*/
301 }
302
303 /* just don't print a message for these really ordinary messages */
304 case KRB5_FCC_NOFILE:
305 case KRB5_CC_NOTFOUND:
306 case ENOENT:
307
308 return NT_STATUS_UNSUCCESSFUL;
309 break;
310
311 default:
312 DEBUG(0, ("kerberos: %s\n",
313 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
314 return NT_STATUS_UNSUCCESSFUL;
315 }
316 }
317
318 static NTSTATUS gensec_fake_gssapi_krb5_client_start(struct gensec_security *gensec_security)
319 {
320 NTSTATUS nt_status = gensec_krb5_client_start(gensec_security);
321
322 if (NT_STATUS_IS_OK(nt_status)) {
323 struct gensec_krb5_state *gensec_krb5_state;
324 gensec_krb5_state = gensec_security->private_data;
325 gensec_krb5_state->gssapi = True;
326 }
327 return nt_status;
328 }
329
330 /**
331 * Check if the packet is one for this mechansim
332 *
333 * @param gensec_security GENSEC state
334 * @param in The request, as a DATA_BLOB
335 * @return Error, INVALID_PARAMETER if it's not a packet for us
336 * or NT_STATUS_OK if the packet is ok.
337 */
338
339 static NTSTATUS gensec_fake_gssapi_krb5_magic(struct gensec_security *gensec_security,
340 const DATA_BLOB *in)
341 {
342 if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) {
343 return NT_STATUS_OK;
344 } else {
345 return NT_STATUS_INVALID_PARAMETER;
346 }
347 }
348
349
350 /**
351 * Next state function for the Krb5 GENSEC mechanism
352 *
353 * @param gensec_krb5_state KRB5 State
354 * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
355 * @param in The request, as a DATA_BLOB
356 * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
357 * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
358 * or NT_STATUS_OK if the user is authenticated.
359 */
360
361 static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
362 TALLOC_CTX *out_mem_ctx,
363 const DATA_BLOB in, DATA_BLOB *out)
364 {
365 struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
366 krb5_error_code ret = 0;
367 NTSTATUS nt_status;
368
369 switch (gensec_krb5_state->state_position) {
370 case GENSEC_KRB5_CLIENT_START:
371 {
372 DATA_BLOB unwrapped_out;
373
374 if (gensec_krb5_state->gssapi) {
375 unwrapped_out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length);
376
377 /* wrap that up in a nice GSS-API wrapping */
378 *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REQ);
379 } else {
380 *out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length);
381 }
382 gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH;
383 nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
384 return nt_status;
385 }
386
387 case GENSEC_KRB5_CLIENT_MUTUAL_AUTH:
388 {
389 DATA_BLOB unwrapped_in;
390 krb5_data inbuf;
391 krb5_ap_rep_enc_part *repl = NULL;
392 uint8_t tok_id[2];
393
394 if (gensec_krb5_state->gssapi) {
395 if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
396 DEBUG(1,("gensec_gssapi_parse_krb5_wrap(mutual authentication) failed to parse\n"));
397 dump_data_pw("Mutual authentication message:\n", in.data, in.length);
398 return NT_STATUS_INVALID_PARAMETER;
399 }
400 } else {
401 unwrapped_in = in;
402 }
403 /* TODO: check the tok_id */
404
405 inbuf.data = unwrapped_in.data;
406 inbuf.length = unwrapped_in.length;
407 ret = krb5_rd_rep(gensec_krb5_state->smb_krb5_context->krb5_context,
408 gensec_krb5_state->auth_context,
409 &inbuf, &repl);
410 if (ret) {
411 DEBUG(1,("krb5_rd_rep (mutual authentication) failed (%s)\n",
412 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, out_mem_ctx)));
413 dump_data_pw("Mutual authentication message:\n", inbuf.data, inbuf.length);
414 nt_status = NT_STATUS_ACCESS_DENIED;
415 } else {
416 *out = data_blob(NULL, 0);
417 nt_status = NT_STATUS_OK;
418 gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
419 }
420 if (repl) {
421 krb5_free_ap_rep_enc_part(gensec_krb5_state->smb_krb5_context->krb5_context, repl);
422 }
423 return nt_status;
424 }
425
426 case GENSEC_KRB5_SERVER_START:
427 {
428 DATA_BLOB unwrapped_in;
429 DATA_BLOB unwrapped_out = data_blob(NULL, 0);
430 krb5_data inbuf, outbuf;
431 uint8_t tok_id[2];
432 struct keytab_container *keytab;
433 krb5_principal server_in_keytab;
434
435 if (!in.data) {
436 return NT_STATUS_INVALID_PARAMETER;
437 }
438
439 /* Grab the keytab, however generated */
440 ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security), &keytab);
441 if (ret) {
442 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
443 }
444
445 /* This ensures we lookup the correct entry in that keytab */
446 ret = principal_from_credentials(out_mem_ctx, gensec_get_credentials(gensec_security),
447 gensec_krb5_state->smb_krb5_context,
448 &server_in_keytab);
449
450 if (ret) {
451 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
452 }
453
454 /* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
455 if (gensec_krb5_state->gssapi
456 && gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
457 inbuf.data = unwrapped_in.data;
458 inbuf.length = unwrapped_in.length;
459 } else {
460 inbuf.data = in.data;
461 inbuf.length = in.length;
462 }
463
464 ret = smb_rd_req_return_stuff(gensec_krb5_state->smb_krb5_context->krb5_context,
465 &gensec_krb5_state->auth_context,
466 &inbuf, keytab->keytab, server_in_keytab,
467 &outbuf,
468 &gensec_krb5_state->ticket,
469 &gensec_krb5_state->keyblock);
470
471 if (ret) {
472 return NT_STATUS_LOGON_FAILURE;
473 }
474 unwrapped_out.data = outbuf.data;
475 unwrapped_out.length = outbuf.length;
476 gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
477 /* wrap that up in a nice GSS-API wrapping */
478 if (gensec_krb5_state->gssapi) {
479 *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
480 } else {
481 *out = data_blob_talloc(out_mem_ctx, outbuf.data, outbuf.length);
482 }
483 krb5_data_free(&outbuf);
484 return NT_STATUS_OK;
485 }
486
487 case GENSEC_KRB5_DONE:
488 default:
489 /* Asking too many times... */
490 return NT_STATUS_INVALID_PARAMETER;
491 }
492 }
493
494 static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security,
495 DATA_BLOB *session_key)
496 {
497 struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
498 krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
499 krb5_auth_context auth_context = gensec_krb5_state->auth_context;
500 krb5_keyblock *skey;
501 krb5_error_code err = -1;
502
503 if (gensec_krb5_state->session_key.data) {
504 *session_key = gensec_krb5_state->session_key;
505 return NT_STATUS_OK;
506 }
507
508 switch (gensec_security->gensec_role) {
509 case GENSEC_CLIENT:
510 err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
511 break;
512 case GENSEC_SERVER:
513 err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
514 break;
515 }
516 if (err == 0 && skey != NULL) {
517 DEBUG(10, ("Got KRB5 session key of length %d\n",
518 (int)KRB5_KEY_LENGTH(skey)));
519 gensec_krb5_state->session_key = data_blob_talloc(gensec_krb5_state,
520 KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
521 *session_key = gensec_krb5_state->session_key;
522 dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
523
524 krb5_free_keyblock(context, skey);
525 return NT_STATUS_OK;
526 } else {
527 DEBUG(10, ("KRB5 error getting session key %d\n", err));
528 return NT_STATUS_NO_USER_SESSION_KEY;
529 }
530 }
531
532 static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security,
533 struct auth_session_info **_session_info)
534 {
535 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
536 struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
537 krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
538 struct auth_serversupplied_info *server_info = NULL;
539 struct auth_session_info *session_info = NULL;
540 struct PAC_LOGON_INFO *logon_info;
541
542 krb5_principal client_principal;
543 char *principal_string;
544
545 DATA_BLOB pac;
546 krb5_data pac_data;
547
548 krb5_error_code ret;
549
550 TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
551 if (!mem_ctx) {
552 return NT_STATUS_NO_MEMORY;
553 }
554
555 ret = krb5_ticket_get_client(context, gensec_krb5_state->ticket, &client_principal);
556 if (ret) {
557 DEBUG(5, ("krb5_ticket_get_client failed to get cleint principal: %s\n",
558 smb_get_krb5_error_message(context,
559 ret, mem_ctx)));
560 talloc_free(mem_ctx);
561 return NT_STATUS_NO_MEMORY;
562 }
563
564 ret = krb5_unparse_name(gensec_krb5_state->smb_krb5_context->krb5_context,
565 client_principal, &principal_string);
566 if (ret) {
567 DEBUG(1, ("Unable to parse client principal: %s\n",
568 smb_get_krb5_error_message(context,
569 ret, mem_ctx)));
570 talloc_free(mem_ctx);
571 return NT_STATUS_NO_MEMORY;
572 }
573
574 ret = krb5_ticket_get_authorization_data_type(context, gensec_krb5_state->ticket,
575 KRB5_AUTHDATA_WIN2K_PAC,
576 &pac_data);
577
578 if (ret && lp_parm_bool(-1, "gensec", "require_pac", False)) {
579 DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s \n",
580 principal_string,
581 smb_get_krb5_error_message(context,
582 ret, mem_ctx)));
583 krb5_free_principal(context, client_principal);
584 free(principal_string);
585 return NT_STATUS_ACCESS_DENIED;
586 } else if (ret) {
587 /* NO pac */
588 DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n",
589 smb_get_krb5_error_message(context,
590 ret, mem_ctx)));
591 nt_status = sam_get_server_info_principal(mem_ctx, principal_string,
592 &server_info);
593 krb5_free_principal(context, client_principal);
594 free(principal_string);
595
596 if (!NT_STATUS_IS_OK(nt_status)) {
597 talloc_free(mem_ctx);
598 return nt_status;
599 }
600 } else {
601 /* Found pac */
602 union netr_Validation validation;
603 free(principal_string);
604
605 pac = data_blob_talloc(mem_ctx, pac_data.data, pac_data.length);
606 if (!pac.data) {
607 krb5_free_principal(context, client_principal);
608 talloc_free(mem_ctx);
609 return NT_STATUS_NO_MEMORY;
610 }
611
612 /* decode and verify the pac */
613 nt_status = kerberos_pac_logon_info(gensec_krb5_state, &logon_info, pac,
614 gensec_krb5_state->smb_krb5_context->krb5_context,
615 NULL, gensec_krb5_state->keyblock,
616 client_principal,
617 gensec_krb5_state->ticket->ticket.authtime, NULL);
618 krb5_free_principal(context, client_principal);
619
620 if (!NT_STATUS_IS_OK(nt_status)) {
621 talloc_free(mem_ctx);
622 return nt_status;
623 }
624
625 validation.sam3 = &logon_info->info3;
626 nt_status = make_server_info_netlogon_validation(mem_ctx,
627 NULL,
628 3, &validation,
629 &server_info);
630 if (!NT_STATUS_IS_OK(nt_status)) {
631 talloc_free(mem_ctx);
632 return nt_status;
633 }
634 }
635
636 /* references the server_info into the session_info */
637 nt_status = auth_generate_session_info(mem_ctx, server_info, &session_info);
638
639 if (!NT_STATUS_IS_OK(nt_status)) {
640 talloc_free(mem_ctx);
641 return nt_status;
642 }
643
644 nt_status = gensec_krb5_session_key(gensec_security, &session_info->session_key);
645
646 if (!NT_STATUS_IS_OK(nt_status)) {
647 talloc_free(mem_ctx);
648 return nt_status;
649 }
650
651 *_session_info = session_info;
652
653 talloc_steal(gensec_krb5_state, session_info);
654 talloc_free(mem_ctx);
655 return NT_STATUS_OK;
656 }
657
658 static NTSTATUS gensec_krb5_wrap(struct gensec_security *gensec_security,
659 TALLOC_CTX *mem_ctx,
660 const DATA_BLOB *in,
661 DATA_BLOB *out)
662 {
663 struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
664 krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
665 krb5_auth_context auth_context = gensec_krb5_state->auth_context;
666 krb5_error_code ret;
667 krb5_data input, output;
668 input.length = in->length;
669 input.data = in->data;
670
671 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
672 ret = krb5_mk_priv(context, auth_context, &input, &output, NULL);
673 if (ret) {
674 DEBUG(1, ("krb5_mk_priv failed: %s\n",
675 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
676 ret, mem_ctx)));
677 return NT_STATUS_ACCESS_DENIED;
678 }
679 *out = data_blob_talloc(mem_ctx, output.data, output.length);
680
681 krb5_data_free(&output);
682 } else {
683 return NT_STATUS_ACCESS_DENIED;
684 }
685 return NT_STATUS_OK;
686 }
687
688 static NTSTATUS gensec_krb5_unwrap(struct gensec_security *gensec_security,
689 TALLOC_CTX *mem_ctx,
690 const DATA_BLOB *in,
691 DATA_BLOB *out)
692 {
693 struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
694 krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
695 krb5_auth_context auth_context = gensec_krb5_state->auth_context;
696 krb5_error_code ret;
697 krb5_data input, output;
698 krb5_replay_data replay;
699 input.length = in->length;
700 input.data = in->data;
701
702 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
703 ret = krb5_rd_priv(context, auth_context, &input, &output, &replay);
704 if (ret) {
705 DEBUG(1, ("krb5_rd_priv failed: %s\n",
706 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
707 ret, mem_ctx)));
708 return NT_STATUS_ACCESS_DENIED;
709 }
710 *out = data_blob_talloc(mem_ctx, output.data, output.length);
711
712 krb5_data_free(&output);
713 } else {
714 return NT_STATUS_ACCESS_DENIED;
715 }
716 return NT_STATUS_OK;
717 }
718
719 static BOOL gensec_krb5_have_feature(struct gensec_security *gensec_security,
720 uint32_t feature)
721 {
722 struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
723 if (feature & GENSEC_FEATURE_SESSION_KEY) {
724 return True;
725 }
726 if (!gensec_krb5_state->gssapi &&
727 (feature & GENSEC_FEATURE_SEAL)) {
728 return True;
729 }
730
731 return False;
732 }
733
734 static const char *gensec_krb5_oids[] = {
735 GENSEC_OID_KERBEROS5,
736 GENSEC_OID_KERBEROS5_OLD,
737 NULL
738 };
739
740 static const struct gensec_security_ops gensec_fake_gssapi_krb5_security_ops = {
741 .name = "fake_gssapi_krb5",
742 .auth_type = DCERPC_AUTH_TYPE_KRB5,
743 .oid = gensec_krb5_oids,
744 .client_start = gensec_fake_gssapi_krb5_client_start,
745 .server_start = gensec_fake_gssapi_krb5_server_start,
746 .update = gensec_krb5_update,
747 .magic = gensec_fake_gssapi_krb5_magic,
748 .session_key = gensec_krb5_session_key,
749 .session_info = gensec_krb5_session_info,
750 .have_feature = gensec_krb5_have_feature,
751 .enabled = False,
752 .kerberos = True,
753 .priority = GENSEC_KRB5
754 };
755
756 static const struct gensec_security_ops gensec_krb5_security_ops = {
757 .name = "krb5",
758 .client_start = gensec_krb5_client_start,
759 .server_start = gensec_krb5_server_start,
760 .update = gensec_krb5_update,
761 .session_key = gensec_krb5_session_key,
762 .session_info = gensec_krb5_session_info,
763 .have_feature = gensec_krb5_have_feature,
764 .wrap = gensec_krb5_wrap,
765 .unwrap = gensec_krb5_unwrap,
766 .enabled = True,
767 .kerberos = True,
768 .priority = GENSEC_KRB5
769 };
770
771 NTSTATUS gensec_krb5_init(void)
772 {
773 NTSTATUS ret;
774
775 auth_init();
776
777 ret = gensec_register(&gensec_krb5_security_ops);
778 if (!NT_STATUS_IS_OK(ret)) {
779 DEBUG(0,("Failed to register '%s' gensec backend!\n",
780 gensec_krb5_security_ops.name));
781 return ret;
782 }
783
784 ret = gensec_register(&gensec_fake_gssapi_krb5_security_ops);
785 if (!NT_STATUS_IS_OK(ret)) {
786 DEBUG(0,("Failed to register '%s' gensec backend!\n",
787 gensec_krb5_security_ops.name));
788 return ret;
789 }
790
791 return ret;
792 }