search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Final fix for #7331 - Compound async SMB 2 requests don't work right.
[Samba/ekacnet.git] / source4 / kdc / db-glue.c
blob33c4c8cdf66fc511b7c9785e37ad9cd7508ad2b2
1 /*
2 Unix SMB/CIFS implementation.
3
4 Database Glue between Samba and the KDC
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
7 Copyright (C) Simo Sorce <idra@samba.org> 2010
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "system/time.h"
26 #include "../libds/common/flags.h"
27 #include "lib/ldb/include/ldb.h"
28 #include "librpc/gen_ndr/netlogon.h"
29 #include "libcli/security/security.h"
30 #include "auth/auth.h"
31 #include "auth/credentials/credentials.h"
32 #include "auth/auth_sam.h"
33 #include "../lib/util/util_ldb.h"
34 #include "dsdb/samdb/samdb.h"
35 #include "dsdb/common/util.h"
36 #include "librpc/ndr/libndr.h"
37 #include "librpc/gen_ndr/ndr_drsblobs.h"
38 #include "librpc/gen_ndr/lsa.h"
39 #include "libcli/auth/libcli_auth.h"
40 #include "param/param.h"
41 #include "../lib/crypto/md4.h"
42 #include "system/kerberos.h"
43 #include <hdb.h>
44 #include "kdc/samba_kdc.h"
45 #include "kdc/db-glue.h"
46
47 enum samba_kdc_ent_type
48 { SAMBA_KDC_ENT_TYPE_CLIENT, SAMBA_KDC_ENT_TYPE_SERVER,
49 SAMBA_KDC_ENT_TYPE_KRBTGT, SAMBA_KDC_ENT_TYPE_TRUST, SAMBA_KDC_ENT_TYPE_ANY };
50
51 enum trust_direction {
52 UNKNOWN = 0,
53 INBOUND = LSA_TRUST_DIRECTION_INBOUND,
54 OUTBOUND = LSA_TRUST_DIRECTION_OUTBOUND
55 };
56
57 static const char *trust_attrs[] = {
58 "trustPartner",
59 "trustAuthIncoming",
60 "trustAuthOutgoing",
61 "whenCreated",
62 "msDS-SupportedEncryptionTypes",
63 "trustAttributes",
64 "trustDirection",
65 "trustType",
66 NULL
67 };
68
69 static KerberosTime ldb_msg_find_krb5time_ldap_time(struct ldb_message *msg, const char *attr, KerberosTime default_val)
70 {
71 const char *tmp;
72 const char *gentime;
73 struct tm tm;
74
75 gentime = ldb_msg_find_attr_as_string(msg, attr, NULL);
76 if (!gentime)
77 return default_val;
78
79 tmp = strptime(gentime, "%Y%m%d%H%M%SZ", &tm);
80 if (tmp == NULL) {
81 return default_val;
82 }
83
84 return timegm(&tm);
85 }
86
87 static HDBFlags uf2HDBFlags(krb5_context context, int userAccountControl, enum samba_kdc_ent_type ent_type)
88 {
89 HDBFlags flags = int2HDBFlags(0);
90
91 /* we don't allow kadmin deletes */
92 flags.immutable = 1;
93
94 /* mark the principal as invalid to start with */
95 flags.invalid = 1;
96
97 flags.renewable = 1;
98
99 /* All accounts are servers, but this may be disabled again in the caller */
100 flags.server = 1;
101
102 /* Account types - clear the invalid bit if it turns out to be valid */
103 if (userAccountControl & UF_NORMAL_ACCOUNT) {
104 if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT || ent_type == SAMBA_KDC_ENT_TYPE_ANY) {
105 flags.client = 1;
106 }
107 flags.invalid = 0;
108 }
109
110 if (userAccountControl & UF_INTERDOMAIN_TRUST_ACCOUNT) {
111 if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT || ent_type == SAMBA_KDC_ENT_TYPE_ANY) {
112 flags.client = 1;
113 }
114 flags.invalid = 0;
115 }
116 if (userAccountControl & UF_WORKSTATION_TRUST_ACCOUNT) {
117 if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT || ent_type == SAMBA_KDC_ENT_TYPE_ANY) {
118 flags.client = 1;
119 }
120 flags.invalid = 0;
121 }
122 if (userAccountControl & UF_SERVER_TRUST_ACCOUNT) {
123 if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT || ent_type == SAMBA_KDC_ENT_TYPE_ANY) {
124 flags.client = 1;
125 }
126 flags.invalid = 0;
127 }
128
129 /* Not permitted to act as a client if disabled */
130 if (userAccountControl & UF_ACCOUNTDISABLE) {
131 flags.client = 0;
132 }
133 if (userAccountControl & UF_LOCKOUT) {
134 flags.invalid = 1;
135 }
136 /*
137 if (userAccountControl & UF_PASSWORD_NOTREQD) {
138 flags.invalid = 1;
139 }
140 */
141 /*
142 UF_PASSWORD_CANT_CHANGE and UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED are irrelevent
143 */
144 if (userAccountControl & UF_TEMP_DUPLICATE_ACCOUNT) {
145 flags.invalid = 1;
146 }
147
148 /* UF_DONT_EXPIRE_PASSWD and UF_USE_DES_KEY_ONLY handled in samba_kdc_message2entry() */
149
150 /*
151 if (userAccountControl & UF_MNS_LOGON_ACCOUNT) {
152 flags.invalid = 1;
153 }
154 */
155 if (userAccountControl & UF_SMARTCARD_REQUIRED) {
156 flags.require_hwauth = 1;
157 }
158 if (userAccountControl & UF_TRUSTED_FOR_DELEGATION) {
159 flags.ok_as_delegate = 1;
160 }
161 if (!(userAccountControl & UF_NOT_DELEGATED)) {
162 flags.forwardable = 1;
163 flags.proxiable = 1;
164 }
165
166 if (userAccountControl & UF_DONT_REQUIRE_PREAUTH) {
167 flags.require_preauth = 0;
168 } else {
169 flags.require_preauth = 1;
170
171 }
172 return flags;
173 }
174
175 static int samba_kdc_entry_destructor(struct samba_kdc_entry *p)
176 {
177 hdb_entry_ex *entry_ex = p->entry_ex;
178 free_hdb_entry(&entry_ex->entry);
179 return 0;
180 }
181
182 static void samba_kdc_free_entry(krb5_context context, hdb_entry_ex *entry_ex)
183 {
184 /* this function is called only from hdb_free_entry().
185 * Make sure we neutralize the destructor or we will
186 * get a double free later when hdb_free_entry() will
187 * try to call free_hdb_entry() */
188 talloc_set_destructor(entry_ex->ctx, NULL);
189
190 /* now proceed to free the talloc part */
191 talloc_free(entry_ex->ctx);
192 }
193
194 static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
195 struct smb_iconv_convenience *iconv_convenience,
196 TALLOC_CTX *mem_ctx,
197 struct ldb_message *msg,
198 unsigned int userAccountControl,
199 hdb_entry_ex *entry_ex)
200 {
201 krb5_error_code ret = 0;
202 enum ndr_err_code ndr_err;
203 struct samr_Password *hash;
204 const struct ldb_val *sc_val;
205 struct supplementalCredentialsBlob scb;
206 struct supplementalCredentialsPackage *scpk = NULL;
207 bool newer_keys = false;
208 struct package_PrimaryKerberosBlob _pkb;
209 struct package_PrimaryKerberosCtr3 *pkb3 = NULL;
210 struct package_PrimaryKerberosCtr4 *pkb4 = NULL;
211 uint16_t i;
212 uint16_t allocated_keys = 0;
213
214 entry_ex->entry.keys.val = NULL;
215 entry_ex->entry.keys.len = 0;
216
217 entry_ex->entry.kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0);
218
219 /* Get keys from the db */
220
221 hash = samdb_result_hash(mem_ctx, msg, "unicodePwd");
222 sc_val = ldb_msg_find_ldb_val(msg, "supplementalCredentials");
223
224 /* unicodePwd for enctype 0x17 (23) if present */
225 if (hash) {
226 allocated_keys++;
227 }
228
229 /* supplementalCredentials if present */
230 if (sc_val) {
231 ndr_err = ndr_pull_struct_blob_all(sc_val, mem_ctx, iconv_convenience, &scb,
232 (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
233 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
234 dump_data(0, sc_val->data, sc_val->length);
235 ret = EINVAL;
236 goto out;
237 }
238
239 if (scb.sub.signature != SUPPLEMENTAL_CREDENTIALS_SIGNATURE) {
240 NDR_PRINT_DEBUG(supplementalCredentialsBlob, &scb);
241 ret = EINVAL;
242 goto out;
243 }
244
245 for (i=0; i < scb.sub.num_packages; i++) {
246 if (strcmp("Primary:Kerberos-Newer-Keys", scb.sub.packages[i].name) == 0) {
247 scpk = &scb.sub.packages[i];
248 if (!scpk->data || !scpk->data[0]) {
249 scpk = NULL;
250 continue;
251 }
252 newer_keys = true;
253 break;
254 } else if (strcmp("Primary:Kerberos", scb.sub.packages[i].name) == 0) {
255 scpk = &scb.sub.packages[i];
256 if (!scpk->data || !scpk->data[0]) {
257 scpk = NULL;
258 }
259 /*
260 * we don't break here in hope to find
261 * a Kerberos-Newer-Keys package
262 */
263 }
264 }
265 }
266 /*
267 * Primary:Kerberos-Newer-Keys or Primary:Kerberos element
268 * of supplementalCredentials
269 */
270 if (scpk) {
271 DATA_BLOB blob;
272
273 blob = strhex_to_data_blob(mem_ctx, scpk->data);
274 if (!blob.data) {
275 ret = ENOMEM;
276 goto out;
277 }
278
279 /* we cannot use ndr_pull_struct_blob_all() here, as w2k and w2k3 add padding bytes */
280 ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, iconv_convenience, &_pkb,
281 (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
282 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
283 ret = EINVAL;
284 krb5_set_error_message(context, ret, "samba_kdc_message2entry_keys: could not parse package_PrimaryKerberosBlob");
285 krb5_warnx(context, "samba_kdc_message2entry_keys: could not parse package_PrimaryKerberosBlob");
286 goto out;
287 }
288
289 if (newer_keys && _pkb.version != 4) {
290 ret = EINVAL;
291 krb5_set_error_message(context, ret, "samba_kdc_message2entry_keys: Primary:Kerberos-Newer-Keys not version 4");
292 krb5_warnx(context, "samba_kdc_message2entry_keys: Primary:Kerberos-Newer-Keys not version 4");
293 goto out;
294 }
295
296 if (!newer_keys && _pkb.version != 3) {
297 ret = EINVAL;
298 krb5_set_error_message(context, ret, "samba_kdc_message2entry_keys: could not parse Primary:Kerberos not version 3");
299 krb5_warnx(context, "samba_kdc_message2entry_keys: could not parse Primary:Kerberos not version 3");
300 goto out;
301 }
302
303 if (_pkb.version == 4) {
304 pkb4 = &_pkb.ctr.ctr4;
305 allocated_keys += pkb4->num_keys;
306 } else if (_pkb.version == 3) {
307 pkb3 = &_pkb.ctr.ctr3;
308 allocated_keys += pkb3->num_keys;
309 }
310 }
311
312 if (allocated_keys == 0) {
313 /* oh, no password. Apparently (comment in
314 * hdb-ldap.c) this violates the ASN.1, but this
315 * allows an entry with no keys (yet). */
316 return 0;
317 }
318
319 /* allocate space to decode into */
320 entry_ex->entry.keys.len = 0;
321 entry_ex->entry.keys.val = calloc(allocated_keys, sizeof(Key));
322 if (entry_ex->entry.keys.val == NULL) {
323 ret = ENOMEM;
324 goto out;
325 }
326
327 if (hash && !(userAccountControl & UF_USE_DES_KEY_ONLY)) {
328 Key key;
329
330 key.mkvno = 0;
331 key.salt = NULL; /* No salt for this enc type */
332
333 ret = krb5_keyblock_init(context,
334 ENCTYPE_ARCFOUR_HMAC,
335 hash->hash, sizeof(hash->hash),
336 &key.key);
337 if (ret) {
338 goto out;
339 }
340
341 entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
342 entry_ex->entry.keys.len++;
343 }
344
345 if (pkb4) {
346 for (i=0; i < pkb4->num_keys; i++) {
347 bool use = true;
348 Key key;
349
350 if (!pkb4->keys[i].value) continue;
351
352 if (userAccountControl & UF_USE_DES_KEY_ONLY) {
353 switch (pkb4->keys[i].keytype) {
354 case ENCTYPE_DES_CBC_CRC:
355 case ENCTYPE_DES_CBC_MD5:
356 break;
357 default:
358 use = false;
359 break;
360 }
361 }
362
363 if (!use) continue;
364
365 key.mkvno = 0;
366 key.salt = NULL;
367
368 if (pkb4->salt.string) {
369 DATA_BLOB salt;
370
371 salt = data_blob_string_const(pkb4->salt.string);
372
373 key.salt = calloc(1, sizeof(*key.salt));
374 if (key.salt == NULL) {
375 ret = ENOMEM;
376 goto out;
377 }
378
379 key.salt->type = hdb_pw_salt;
380
381 ret = krb5_data_copy(&key.salt->salt, salt.data, salt.length);
382 if (ret) {
383 free(key.salt);
384 key.salt = NULL;
385 goto out;
386 }
387 }
388
389 /* TODO: maybe pass the iteration_count somehow... */
390
391 ret = krb5_keyblock_init(context,
392 pkb4->keys[i].keytype,
393 pkb4->keys[i].value->data,
394 pkb4->keys[i].value->length,
395 &key.key);
396 if (ret == KRB5_PROG_ETYPE_NOSUPP) {
397 DEBUG(2,("Unsupported keytype ignored - type %u\n",
398 pkb4->keys[i].keytype));
399 ret = 0;
400 continue;
401 }
402 if (ret) {
403 if (key.salt) {
404 free_Salt(key.salt);
405 free(key.salt);
406 key.salt = NULL;
407 }
408 goto out;
409 }
410
411 entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
412 entry_ex->entry.keys.len++;
413 }
414 } else if (pkb3) {
415 for (i=0; i < pkb3->num_keys; i++) {
416 bool use = true;
417 Key key;
418
419 if (!pkb3->keys[i].value) continue;
420
421 if (userAccountControl & UF_USE_DES_KEY_ONLY) {
422 switch (pkb3->keys[i].keytype) {
423 case ENCTYPE_DES_CBC_CRC:
424 case ENCTYPE_DES_CBC_MD5:
425 break;
426 default:
427 use = false;
428 break;
429 }
430 }
431
432 if (!use) continue;
433
434 key.mkvno = 0;
435 key.salt = NULL;
436
437 if (pkb3->salt.string) {
438 DATA_BLOB salt;
439
440 salt = data_blob_string_const(pkb3->salt.string);
441
442 key.salt = calloc(1, sizeof(*key.salt));
443 if (key.salt == NULL) {
444 ret = ENOMEM;
445 goto out;
446 }
447
448 key.salt->type = hdb_pw_salt;
449
450 ret = krb5_data_copy(&key.salt->salt, salt.data, salt.length);
451 if (ret) {
452 free(key.salt);
453 key.salt = NULL;
454 goto out;
455 }
456 }
457
458 ret = krb5_keyblock_init(context,
459 pkb3->keys[i].keytype,
460 pkb3->keys[i].value->data,
461 pkb3->keys[i].value->length,
462 &key.key);
463 if (ret) {
464 if (key.salt) {
465 free_Salt(key.salt);
466 free(key.salt);
467 key.salt = NULL;
468 }
469 goto out;
470 }
471
472 entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
473 entry_ex->entry.keys.len++;
474 }
475 }
476
477 out:
478 if (ret != 0) {
479 entry_ex->entry.keys.len = 0;
480 }
481 if (entry_ex->entry.keys.len == 0 && entry_ex->entry.keys.val) {
482 free(entry_ex->entry.keys.val);
483 entry_ex->entry.keys.val = NULL;
484 }
485 return ret;
486 }
487
488 /*
489 * Construct an hdb_entry from a directory entry.
490 */
491 static krb5_error_code samba_kdc_message2entry(krb5_context context,
492 struct samba_kdc_db_context *kdc_db_ctx,
493 TALLOC_CTX *mem_ctx, krb5_const_principal principal,
494 enum samba_kdc_ent_type ent_type,
495 struct ldb_dn *realm_dn,
496 struct ldb_message *msg,
497 hdb_entry_ex *entry_ex)
498 {
499 struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
500 unsigned int userAccountControl;
501 unsigned int i;
502 krb5_error_code ret = 0;
503 krb5_boolean is_computer = FALSE;
504 char *realm = strupper_talloc(mem_ctx, lp_realm(lp_ctx));
505
506 struct samba_kdc_entry *p;
507 NTTIME acct_expiry;
508 NTSTATUS status;
509
510 uint32_t rid;
511 struct ldb_message_element *objectclasses;
512 struct ldb_val computer_val;
513 const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
514 computer_val.data = discard_const_p(uint8_t,"computer");
515 computer_val.length = strlen((const char *)computer_val.data);
516
517 if (!samAccountName) {
518 ret = ENOENT;
519 krb5_set_error_message(context, ret, "samba_kdc_message2entry: no samAccountName present");
520 goto out;
521 }
522
523 objectclasses = ldb_msg_find_element(msg, "objectClass");
524
525 if (objectclasses && ldb_msg_find_val(objectclasses, &computer_val)) {
526 is_computer = TRUE;
527 }
528
529 memset(entry_ex, 0, sizeof(*entry_ex));
530
531 if (!realm) {
532 ret = ENOMEM;
533 krb5_set_error_message(context, ret, "talloc_strdup: out of memory");
534 goto out;
535 }
536
537 p = talloc(mem_ctx, struct samba_kdc_entry);
538 if (!p) {
539 ret = ENOMEM;
540 goto out;
541 }
542
543 p->kdc_db_ctx = kdc_db_ctx;
544 p->entry_ex = entry_ex;
545 p->realm_dn = talloc_reference(p, realm_dn);
546 if (!p->realm_dn) {
547 ret = ENOMEM;
548 goto out;
549 }
550
551 talloc_set_destructor(p, samba_kdc_entry_destructor);
552
553 /* make sure we do not have bogus data in there */
554 memset(&entry_ex->entry, 0, sizeof(hdb_entry));
555
556 entry_ex->ctx = p;
557 entry_ex->free_entry = samba_kdc_free_entry;
558
559 userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
560
561
562 entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal)));
563 if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
564 krb5_make_principal(context, &entry_ex->entry.principal, realm, samAccountName, NULL);
565 } else {
566 ret = copy_Principal(principal, entry_ex->entry.principal);
567 if (ret) {
568 krb5_clear_error_message(context);
569 goto out;
570 }
571
572 /* While we have copied the client principal, tests
573 * show that Win2k3 returns the 'corrected' realm, not
574 * the client-specified realm. This code attempts to
575 * replace the client principal's realm with the one
576 * we determine from our records */
577
578 /* this has to be with malloc() */
579 krb5_principal_set_realm(context, entry_ex->entry.principal, realm);
580 }
581
582 /* First try and figure out the flags based on the userAccountControl */
583 entry_ex->entry.flags = uf2HDBFlags(context, userAccountControl, ent_type);
584
585 /* Windows 2008 seems to enforce this (very sensible) rule by
586 * default - don't allow offline attacks on a user's password
587 * by asking for a ticket to them as a service (encrypted with
588 * their probably patheticly insecure password) */
589
590 if (entry_ex->entry.flags.server
591 && lp_parm_bool(lp_ctx, NULL, "kdc", "require spn for service", true)) {
592 if (!is_computer && !ldb_msg_find_attr_as_string(msg, "servicePrincipalName", NULL)) {
593 entry_ex->entry.flags.server = 0;
594 }
595 }
596
597 {
598 /* These (created_by, modified_by) parts of the entry are not relevant for Samba4's use
599 * of the Heimdal KDC. They are stored in a the traditional
600 * DB for audit purposes, and still form part of the structure
601 * we must return */
602
603 /* use 'whenCreated' */
604 entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0);
605 /* use 'kadmin' for now (needed by mit_samba) */
606 krb5_make_principal(context,
607 &entry_ex->entry.created_by.principal,
608 realm, "kadmin", NULL);
609
610 entry_ex->entry.modified_by = (Event *) malloc(sizeof(Event));
611 if (entry_ex->entry.modified_by == NULL) {
612 ret = ENOMEM;
613 krb5_set_error_message(context, ret, "malloc: out of memory");
614 goto out;
615 }
616
617 /* use 'whenChanged' */
618 entry_ex->entry.modified_by->time = ldb_msg_find_krb5time_ldap_time(msg, "whenChanged", 0);
619 /* use 'kadmin' for now (needed by mit_samba) */
620 krb5_make_principal(context,
621 &entry_ex->entry.modified_by->principal,
622 realm, "kadmin", NULL);
623 }
624
625
626 /* The lack of password controls etc applies to krbtgt by
627 * virtue of being that particular RID */
628 status = dom_sid_split_rid(NULL, samdb_result_dom_sid(mem_ctx, msg, "objectSid"), NULL, &rid);
629
630 if (!NT_STATUS_IS_OK(status)) {
631 ret = EINVAL;
632 goto out;
633 }
634
635 if (rid == DOMAIN_RID_KRBTGT) {
636 entry_ex->entry.valid_end = NULL;
637 entry_ex->entry.pw_end = NULL;
638
639 entry_ex->entry.flags.invalid = 0;
640 entry_ex->entry.flags.server = 1;
641
642 /* Don't mark all requests for the krbtgt/realm as
643 * 'change password', as otherwise we could get into
644 * trouble, and not enforce the password expirty.
645 * Instead, only do it when request is for the kpasswd service */
646 if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER
647 && principal->name.name_string.len == 2
648 && (strcmp(principal->name.name_string.val[0], "kadmin") == 0)
649 && (strcmp(principal->name.name_string.val[1], "changepw") == 0)
650 && lp_is_my_domain_or_realm(lp_ctx, principal->realm)) {
651 entry_ex->entry.flags.change_pw = 1;
652 }
653 entry_ex->entry.flags.client = 0;
654 entry_ex->entry.flags.forwardable = 1;
655 entry_ex->entry.flags.ok_as_delegate = 1;
656 } else if (entry_ex->entry.flags.server && ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
657 /* The account/password expiry only applies when the account is used as a
658 * client (ie password login), not when used as a server */
659
660 /* Make very well sure we don't use this for a client,
661 * it could bypass the password restrictions */
662 entry_ex->entry.flags.client = 0;
663
664 entry_ex->entry.valid_end = NULL;
665 entry_ex->entry.pw_end = NULL;
666
667 } else {
668 NTTIME must_change_time
669 = samdb_result_force_password_change(kdc_db_ctx->samdb, mem_ctx,
670 realm_dn, msg);
671 if (must_change_time == 0x7FFFFFFFFFFFFFFFULL) {
672 entry_ex->entry.pw_end = NULL;
673 } else {
674 entry_ex->entry.pw_end = malloc(sizeof(*entry_ex->entry.pw_end));
675 if (entry_ex->entry.pw_end == NULL) {
676 ret = ENOMEM;
677 goto out;
678 }
679 *entry_ex->entry.pw_end = nt_time_to_unix(must_change_time);
680 }
681
682 acct_expiry = samdb_result_account_expires(msg);
683 if (acct_expiry == 0x7FFFFFFFFFFFFFFFULL) {
684 entry_ex->entry.valid_end = NULL;
685 } else {
686 entry_ex->entry.valid_end = malloc(sizeof(*entry_ex->entry.valid_end));
687 if (entry_ex->entry.valid_end == NULL) {
688 ret = ENOMEM;
689 goto out;
690 }
691 *entry_ex->entry.valid_end = nt_time_to_unix(acct_expiry);
692 }
693 }
694
695 entry_ex->entry.valid_start = NULL;
696
697 entry_ex->entry.max_life = NULL;
698
699 entry_ex->entry.max_renew = NULL;
700
701 entry_ex->entry.generation = NULL;
702
703 /* Get keys from the db */
704 ret = samba_kdc_message2entry_keys(context, p->kdc_db_ctx->ic_ctx, p,
705 msg, userAccountControl, entry_ex);
706 if (ret) {
707 /* Could be bougus data in the entry, or out of memory */
708 goto out;
709 }
710
711 entry_ex->entry.etypes = malloc(sizeof(*(entry_ex->entry.etypes)));
712 if (entry_ex->entry.etypes == NULL) {
713 krb5_clear_error_message(context);
714 ret = ENOMEM;
715 goto out;
716 }
717 entry_ex->entry.etypes->len = entry_ex->entry.keys.len;
718 entry_ex->entry.etypes->val = calloc(entry_ex->entry.etypes->len, sizeof(int));
719 if (entry_ex->entry.etypes->val == NULL) {
720 krb5_clear_error_message(context);
721 ret = ENOMEM;
722 goto out;
723 }
724 for (i=0; i < entry_ex->entry.etypes->len; i++) {
725 entry_ex->entry.etypes->val[i] = entry_ex->entry.keys.val[i].key.keytype;
726 }
727
728
729 p->msg = talloc_steal(p, msg);
730
731 out:
732 if (ret != 0) {
733 /* This doesn't free ent itself, that is for the eventual caller to do */
734 hdb_free_entry(context, entry_ex);
735 } else {
736 talloc_steal(kdc_db_ctx, entry_ex->ctx);
737 }
738
739 return ret;
740 }
741
742 /*
743 * Construct an hdb_entry from a directory entry.
744 */
745 static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
746 struct samba_kdc_db_context *kdc_db_ctx,
747 TALLOC_CTX *mem_ctx, krb5_const_principal principal,
748 enum trust_direction direction,
749 struct ldb_dn *realm_dn,
750 struct ldb_message *msg,
751 hdb_entry_ex *entry_ex)
752 {
753 struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
754 const char *dnsdomain;
755 char *realm = strupper_talloc(mem_ctx, lp_realm(lp_ctx));
756 DATA_BLOB password_utf16;
757 struct samr_Password password_hash;
758 const struct ldb_val *password_val;
759 struct trustAuthInOutBlob password_blob;
760 struct samba_kdc_entry *p;
761
762 enum ndr_err_code ndr_err;
763 int ret, trust_direction_flags;
764 unsigned int i;
765
766 p = talloc(mem_ctx, struct samba_kdc_entry);
767 if (!p) {
768 ret = ENOMEM;
769 goto out;
770 }
771
772 p->kdc_db_ctx = kdc_db_ctx;
773 p->entry_ex = entry_ex;
774 p->realm_dn = realm_dn;
775
776 talloc_set_destructor(p, samba_kdc_entry_destructor);
777
778 /* make sure we do not have bogus data in there */
779 memset(&entry_ex->entry, 0, sizeof(hdb_entry));
780
781 entry_ex->ctx = p;
782 entry_ex->free_entry = samba_kdc_free_entry;
783
784 /* use 'whenCreated' */
785 entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0);
786 /* use 'kadmin' for now (needed by mit_samba) */
787 krb5_make_principal(context,
788 &entry_ex->entry.created_by.principal,
789 realm, "kadmin", NULL);
790
791 entry_ex->entry.valid_start = NULL;
792
793 trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
794
795 if (direction == INBOUND) {
796 password_val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
797
798 } else { /* OUTBOUND */
799 dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
800 /* replace realm */
801 talloc_free(realm);
802 realm = strupper_talloc(mem_ctx, dnsdomain);
803 password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
804 }
805
806 if (!password_val || !(trust_direction_flags & direction)) {
807 ret = ENOENT;
808 goto out;
809 }
810
811 ndr_err = ndr_pull_struct_blob(password_val, mem_ctx, p->kdc_db_ctx->ic_ctx, &password_blob,
812 (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
813 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
814 ret = EINVAL;
815 goto out;
816 }
817
818 entry_ex->entry.kvno = -1;
819 for (i=0; i < password_blob.count; i++) {
820 if (password_blob.current->array[i].AuthType == TRUST_AUTH_TYPE_VERSION) {
821 entry_ex->entry.kvno = password_blob.current->array[i].AuthInfo.version.version;
822 }
823 }
824
825 for (i=0; i < password_blob.count; i++) {
826 if (password_blob.current->array[i].AuthType == TRUST_AUTH_TYPE_CLEAR) {
827 password_utf16 = data_blob_const(password_blob.current->array[i].AuthInfo.clear.password,
828 password_blob.current->array[i].AuthInfo.clear.size);
829 /* In the future, generate all sorts of
830 * hashes, but for now we can't safely convert
831 * the random strings windows uses into
832 * utf8 */
833
834 /* but as it is utf16 already, we can get the NT password/arcfour-hmac-md5 key */
835 mdfour(password_hash.hash, password_utf16.data, password_utf16.length);
836 break;
837 } else if (password_blob.current->array[i].AuthType == TRUST_AUTH_TYPE_NT4OWF) {
838 password_hash = password_blob.current->array[i].AuthInfo.nt4owf.password;
839 break;
840 }
841 }
842
843 if (i < password_blob.count) {
844 Key key;
845 /* Must have found a cleartext or MD4 password */
846 entry_ex->entry.keys.val = calloc(1, sizeof(Key));
847
848 key.mkvno = 0;
849 key.salt = NULL; /* No salt for this enc type */
850
851 if (entry_ex->entry.keys.val == NULL) {
852 ret = ENOMEM;
853 goto out;
854 }
855
856 ret = krb5_keyblock_init(context,
857 ENCTYPE_ARCFOUR_HMAC,
858 password_hash.hash, sizeof(password_hash.hash),
859 &key.key);
860
861 entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
862 entry_ex->entry.keys.len++;
863 }
864
865 entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal)));
866
867 ret = copy_Principal(principal, entry_ex->entry.principal);
868 if (ret) {
869 krb5_clear_error_message(context);
870 goto out;
871 }
872
873 /* While we have copied the client principal, tests
874 * show that Win2k3 returns the 'corrected' realm, not
875 * the client-specified realm. This code attempts to
876 * replace the client principal's realm with the one
877 * we determine from our records */
878
879 krb5_principal_set_realm(context, entry_ex->entry.principal, realm);
880 entry_ex->entry.flags = int2HDBFlags(0);
881 entry_ex->entry.flags.immutable = 1;
882 entry_ex->entry.flags.invalid = 0;
883 entry_ex->entry.flags.server = 1;
884 entry_ex->entry.flags.require_preauth = 1;
885
886 entry_ex->entry.pw_end = NULL;
887
888 entry_ex->entry.max_life = NULL;
889
890 entry_ex->entry.max_renew = NULL;
891
892 entry_ex->entry.generation = NULL;
893
894 entry_ex->entry.etypes = malloc(sizeof(*(entry_ex->entry.etypes)));
895 if (entry_ex->entry.etypes == NULL) {
896 krb5_clear_error_message(context);
897 ret = ENOMEM;
898 goto out;
899 }
900 entry_ex->entry.etypes->len = entry_ex->entry.keys.len;
901 entry_ex->entry.etypes->val = calloc(entry_ex->entry.etypes->len, sizeof(int));
902 if (entry_ex->entry.etypes->val == NULL) {
903 krb5_clear_error_message(context);
904 ret = ENOMEM;
905 goto out;
906 }
907 for (i=0; i < entry_ex->entry.etypes->len; i++) {
908 entry_ex->entry.etypes->val[i] = entry_ex->entry.keys.val[i].key.keytype;
909 }
910
911
912 p->msg = talloc_steal(p, msg);
913
914 out:
915 if (ret != 0) {
916 /* This doesn't free ent itself, that is for the eventual caller to do */
917 hdb_free_entry(context, entry_ex);
918 } else {
919 talloc_steal(kdc_db_ctx, entry_ex->ctx);
920 }
921
922 return ret;
923
924 }
925
926 static krb5_error_code samba_kdc_lookup_trust(krb5_context context, struct ldb_context *ldb_ctx,
927 TALLOC_CTX *mem_ctx,
928 const char *realm,
929 struct ldb_dn *realm_dn,
930 struct ldb_message **pmsg)
931 {
932 int lret;
933 krb5_error_code ret;
934 char *filter = NULL;
935 const char * const *attrs = trust_attrs;
936
937 struct ldb_result *res = NULL;
938 filter = talloc_asprintf(mem_ctx, "(&(objectClass=trustedDomain)(|(flatname=%s)(trustPartner=%s)))", realm, realm);
939
940 if (!filter) {
941 ret = ENOMEM;
942 krb5_set_error_message(context, ret, "talloc_asprintf: out of memory");
943 return ret;
944 }
945
946 lret = ldb_search(ldb_ctx, mem_ctx, &res,
947 ldb_get_default_basedn(ldb_ctx),
948 LDB_SCOPE_SUBTREE, attrs, "%s", filter);
949 if (lret != LDB_SUCCESS) {
950 DEBUG(3, ("Failed to search for %s: %s\n", filter, ldb_errstring(ldb_ctx)));
951 return HDB_ERR_NOENTRY;
952 } else if (res->count == 0 || res->count > 1) {
953 DEBUG(3, ("Failed find a single entry for %s: got %d\n", filter, res->count));
954 talloc_free(res);
955 return HDB_ERR_NOENTRY;
956 }
957 talloc_steal(mem_ctx, res->msgs);
958 *pmsg = res->msgs[0];
959 talloc_free(res);
960 return 0;
961 }
962
963 static krb5_error_code samba_kdc_lookup_client(krb5_context context,
964 struct samba_kdc_db_context *kdc_db_ctx,
965 TALLOC_CTX *mem_ctx,
966 krb5_const_principal principal,
967 const char **attrs,
968 struct ldb_dn **realm_dn,
969 struct ldb_message **msg) {
970 NTSTATUS nt_status;
971 char *principal_string;
972 krb5_error_code ret;
973
974 ret = krb5_unparse_name(context, principal, &principal_string);
975
976 if (ret != 0) {
977 return ret;
978 }
979
980 nt_status = sam_get_results_principal(kdc_db_ctx->samdb,
981 mem_ctx, principal_string, attrs,
982 realm_dn, msg);
983 free(principal_string);
984 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
985 return HDB_ERR_NOENTRY;
986 } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
987 return ENOMEM;
988 } else if (!NT_STATUS_IS_OK(nt_status)) {
989 return EINVAL;
990 }
991
992 return ret;
993 }
994
995 static krb5_error_code samba_kdc_fetch_client(krb5_context context,
996 struct samba_kdc_db_context *kdc_db_ctx,
997 TALLOC_CTX *mem_ctx,
998 krb5_const_principal principal,
999 hdb_entry_ex *entry_ex) {
1000 struct ldb_dn *realm_dn;
1001 krb5_error_code ret;
1002 struct ldb_message *msg = NULL;
1003
1004 ret = samba_kdc_lookup_client(context, kdc_db_ctx,
1005 mem_ctx, principal, user_attrs,
1006 &realm_dn, &msg);
1007 if (ret != 0) {
1008 return ret;
1009 }
1010
1011 ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
1012 principal, SAMBA_KDC_ENT_TYPE_CLIENT,
1013 realm_dn, msg, entry_ex);
1014 return ret;
1015 }
1016
1017 static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
1018 struct samba_kdc_db_context *kdc_db_ctx,
1019 TALLOC_CTX *mem_ctx,
1020 krb5_const_principal principal,
1021 hdb_entry_ex *entry_ex)
1022 {
1023 struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
1024 krb5_error_code ret;
1025 struct ldb_message *msg = NULL;
1026 struct ldb_dn *realm_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
1027 const char *realm;
1028
1029 krb5_principal alloc_principal = NULL;
1030 if (principal->name.name_string.len != 2
1031 || (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) != 0)) {
1032 /* Not a krbtgt */
1033 return HDB_ERR_NOENTRY;
1034 }
1035
1036 /* krbtgt case. Either us or a trusted realm */
1037
1038 if (lp_is_my_domain_or_realm(lp_ctx, principal->realm)
1039 && lp_is_my_domain_or_realm(lp_ctx, principal->name.name_string.val[1])) {
1040 /* us */
1041 /* Cludge, cludge cludge. If the realm part of krbtgt/realm,
1042 * is in our db, then direct the caller at our primary
1043 * krbtgt */
1044
1045 int lret;
1046 char *realm_fixed;
1047
1048 lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx,
1049 &msg, realm_dn, LDB_SCOPE_SUBTREE,
1050 krbtgt_attrs,
1051 DSDB_SEARCH_SHOW_EXTENDED_DN,
1052 "(&(objectClass=user)(samAccountName=krbtgt))");
1053 if (lret == LDB_ERR_NO_SUCH_OBJECT) {
1054 krb5_warnx(context, "samba_kdc_fetch: could not find own KRBTGT in DB!");
1055 krb5_set_error_message(context, HDB_ERR_NOENTRY, "samba_kdc_fetch: could not find own KRBTGT in DB!");
1056 return HDB_ERR_NOENTRY;
1057 } else if (lret != LDB_SUCCESS) {
1058 krb5_warnx(context, "samba_kdc_fetch: could not find own KRBTGT in DB: %s", ldb_errstring(kdc_db_ctx->samdb));
1059 krb5_set_error_message(context, HDB_ERR_NOENTRY, "samba_kdc_fetch: could not find own KRBTGT in DB: %s", ldb_errstring(kdc_db_ctx->samdb));
1060 return HDB_ERR_NOENTRY;
1061 }
1062
1063 realm_fixed = strupper_talloc(mem_ctx, lp_realm(lp_ctx));
1064 if (!realm_fixed) {
1065 ret = ENOMEM;
1066 krb5_set_error_message(context, ret, "strupper_talloc: out of memory");
1067 return ret;
1068 }
1069
1070 ret = krb5_copy_principal(context, principal, &alloc_principal);
1071 if (ret) {
1072 return ret;
1073 }
1074
1075 free(alloc_principal->name.name_string.val[1]);
1076 alloc_principal->name.name_string.val[1] = strdup(realm_fixed);
1077 talloc_free(realm_fixed);
1078 if (!alloc_principal->name.name_string.val[1]) {
1079 ret = ENOMEM;
1080 krb5_set_error_message(context, ret, "samba_kdc_fetch: strdup() failed!");
1081 return ret;
1082 }
1083 principal = alloc_principal;
1084
1085 ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
1086 principal, SAMBA_KDC_ENT_TYPE_KRBTGT,
1087 realm_dn, msg, entry_ex);
1088 if (ret != 0) {
1089 krb5_warnx(context, "samba_kdc_fetch: self krbtgt message2entry failed");
1090 }
1091 return ret;
1092
1093 } else {
1094 enum trust_direction direction = UNKNOWN;
1095
1096 /* Either an inbound or outbound trust */
1097
1098 if (strcasecmp(lp_realm(lp_ctx), principal->realm) == 0) {
1099 /* look for inbound trust */
1100 direction = INBOUND;
1101 realm = principal->name.name_string.val[1];
1102 }
1103
1104 if (strcasecmp(lp_realm(lp_ctx), principal->name.name_string.val[1]) == 0) {
1105 /* look for outbound trust */
1106 direction = OUTBOUND;
1107 realm = principal->realm;
1108 }
1109
1110 /* Trusted domains are under CN=system */
1111
1112 ret = samba_kdc_lookup_trust(context, kdc_db_ctx->samdb,
1113 mem_ctx,
1114 realm, realm_dn, &msg);
1115
1116 if (ret != 0) {
1117 krb5_warnx(context, "samba_kdc_fetch: could not find principal in DB");
1118 krb5_set_error_message(context, ret, "samba_kdc_fetch: could not find principal in DB");
1119 return ret;
1120 }
1121
1122 ret = samba_kdc_trust_message2entry(context, kdc_db_ctx, mem_ctx,
1123 principal, direction,
1124 realm_dn, msg, entry_ex);
1125 if (ret != 0) {
1126 krb5_warnx(context, "samba_kdc_fetch: trust_message2entry failed");
1127 }
1128 return ret;
1129
1130
1131 /* we should lookup trusted domains */
1132 return HDB_ERR_NOENTRY;
1133 }
1134
1135 }
1136
1137 static krb5_error_code samba_kdc_lookup_server(krb5_context context,
1138 struct samba_kdc_db_context *kdc_db_ctx,
1139 TALLOC_CTX *mem_ctx,
1140 krb5_const_principal principal,
1141 const char **attrs,
1142 struct ldb_dn **realm_dn,
1143 struct ldb_message **msg)
1144 {
1145 krb5_error_code ret;
1146 const char *realm;
1147 if (principal->name.name_string.len >= 2) {
1148 /* 'normal server' case */
1149 int ldb_ret;
1150 NTSTATUS nt_status;
1151 struct ldb_dn *user_dn;
1152 char *principal_string;
1153
1154 ret = krb5_unparse_name_flags(context, principal,
1155 KRB5_PRINCIPAL_UNPARSE_NO_REALM,
1156 &principal_string);
1157 if (ret != 0) {
1158 return ret;
1159 }
1160
1161 /* At this point we may find the host is known to be
1162 * in a different realm, so we should generate a
1163 * referral instead */
1164 nt_status = crack_service_principal_name(kdc_db_ctx->samdb,
1165 mem_ctx, principal_string,
1166 &user_dn, realm_dn);
1167 free(principal_string);
1168
1169 if (!NT_STATUS_IS_OK(nt_status)) {
1170 return HDB_ERR_NOENTRY;
1171 }
1172
1173 ldb_ret = dsdb_search_one(kdc_db_ctx->samdb,
1174 mem_ctx,
1175 msg, user_dn, LDB_SCOPE_BASE,
1176 attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "(objectClass=*)");
1177 if (ldb_ret != LDB_SUCCESS) {
1178 return HDB_ERR_NOENTRY;
1179 }
1180
1181 } else {
1182 int lret;
1183 char *filter = NULL;
1184 char *short_princ;
1185 /* server as client principal case, but we must not lookup userPrincipalNames */
1186 *realm_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
1187 realm = krb5_principal_get_realm(context, principal);
1188
1189 /* TODO: Check if it is our realm, otherwise give referall */
1190
1191 ret = krb5_unparse_name_flags(context, principal, KRB5_PRINCIPAL_UNPARSE_NO_REALM, &short_princ);
1192
1193 if (ret != 0) {
1194 krb5_set_error_message(context, ret, "samba_kdc_lookup_principal: could not parse principal");
1195 krb5_warnx(context, "samba_kdc_lookup_principal: could not parse principal");
1196 return ret;
1197 }
1198
1199 lret = dsdb_search_one(kdc_db_ctx->samdb, mem_ctx, msg,
1200 *realm_dn, LDB_SCOPE_SUBTREE,
1201 attrs,
1202 DSDB_SEARCH_SHOW_EXTENDED_DN,
1203 "(&(objectClass=user)(samAccountName=%s))",
1204 ldb_binary_encode_string(mem_ctx, short_princ));
1205 free(short_princ);
1206 if (lret == LDB_ERR_NO_SUCH_OBJECT) {
1207 DEBUG(3, ("Failed find a entry for %s\n", filter));
1208 return HDB_ERR_NOENTRY;
1209 }
1210 if (lret != LDB_SUCCESS) {
1211 DEBUG(3, ("Failed single search for for %s - %s\n",
1212 filter, ldb_errstring(kdc_db_ctx->samdb)));
1213 return HDB_ERR_NOENTRY;
1214 }
1215 }
1216
1217 return 0;
1218 }
1219
1220 static krb5_error_code samba_kdc_fetch_server(krb5_context context,
1221 struct samba_kdc_db_context *kdc_db_ctx,
1222 TALLOC_CTX *mem_ctx,
1223 krb5_const_principal principal,
1224 hdb_entry_ex *entry_ex)
1225 {
1226 krb5_error_code ret;
1227 struct ldb_dn *realm_dn;
1228 struct ldb_message *msg;
1229
1230 ret = samba_kdc_lookup_server(context, kdc_db_ctx, mem_ctx, principal,
1231 server_attrs, &realm_dn, &msg);
1232 if (ret != 0) {
1233 return ret;
1234 }
1235
1236 ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
1237 principal, SAMBA_KDC_ENT_TYPE_SERVER,
1238 realm_dn, msg, entry_ex);
1239 if (ret != 0) {
1240 krb5_warnx(context, "samba_kdc_fetch: message2entry failed");
1241 }
1242
1243 return ret;
1244 }
1245
1246 krb5_error_code samba_kdc_fetch(krb5_context context,
1247 struct samba_kdc_db_context *kdc_db_ctx,
1248 krb5_const_principal principal,
1249 unsigned flags,
1250 hdb_entry_ex *entry_ex)
1251 {
1252 krb5_error_code ret = HDB_ERR_NOENTRY;
1253 TALLOC_CTX *mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_fetch context");
1254
1255 if (!mem_ctx) {
1256 ret = ENOMEM;
1257 krb5_set_error_message(context, ret, "samba_kdc_fetch: talloc_named() failed!");
1258 return ret;
1259 }
1260
1261 if (flags & HDB_F_GET_CLIENT) {
1262 ret = samba_kdc_fetch_client(context, kdc_db_ctx, mem_ctx, principal, entry_ex);
1263 if (ret != HDB_ERR_NOENTRY) goto done;
1264 }
1265 if (flags & HDB_F_GET_SERVER) {
1266 /* krbtgt fits into this situation for trusted realms, and for resolving different versions of our own realm name */
1267 ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, entry_ex);
1268 if (ret != HDB_ERR_NOENTRY) goto done;
1269
1270 /* We return 'no entry' if it does not start with krbtgt/, so move to the common case quickly */
1271 ret = samba_kdc_fetch_server(context, kdc_db_ctx, mem_ctx, principal, entry_ex);
1272 if (ret != HDB_ERR_NOENTRY) goto done;
1273 }
1274 if (flags & HDB_F_GET_KRBTGT) {
1275 ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, entry_ex);
1276 if (ret != HDB_ERR_NOENTRY) goto done;
1277 }
1278
1279 done:
1280 talloc_free(mem_ctx);
1281 return ret;
1282 }
1283
1284 struct samba_kdc_seq {
1285 unsigned int index;
1286 unsigned int count;
1287 struct ldb_message **msgs;
1288 struct ldb_dn *realm_dn;
1289 };
1290
1291 static krb5_error_code samba_kdc_seq(krb5_context context,
1292 struct samba_kdc_db_context *kdc_db_ctx,
1293 hdb_entry_ex *entry)
1294 {
1295 krb5_error_code ret;
1296 struct samba_kdc_seq *priv = kdc_db_ctx->seq_ctx;
1297 TALLOC_CTX *mem_ctx;
1298 hdb_entry_ex entry_ex;
1299 memset(&entry_ex, '\0', sizeof(entry_ex));
1300
1301 if (!priv) {
1302 return HDB_ERR_NOENTRY;
1303 }
1304
1305 mem_ctx = talloc_named(priv, 0, "samba_kdc_seq context");
1306
1307 if (!mem_ctx) {
1308 ret = ENOMEM;
1309 krb5_set_error_message(context, ret, "samba_kdc_seq: talloc_named() failed!");
1310 return ret;
1311 }
1312
1313 if (priv->index < priv->count) {
1314 ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
1315 NULL, SAMBA_KDC_ENT_TYPE_ANY,
1316 priv->realm_dn, priv->msgs[priv->index++], entry);
1317 } else {
1318 ret = HDB_ERR_NOENTRY;
1319 }
1320
1321 if (ret != 0) {
1322 TALLOC_FREE(priv);
1323 kdc_db_ctx->seq_ctx = NULL;
1324 } else {
1325 talloc_free(mem_ctx);
1326 }
1327
1328 return ret;
1329 }
1330
1331 krb5_error_code samba_kdc_firstkey(krb5_context context,
1332 struct samba_kdc_db_context *kdc_db_ctx,
1333 hdb_entry_ex *entry)
1334 {
1335 struct ldb_context *ldb_ctx = kdc_db_ctx->samdb;
1336 struct samba_kdc_seq *priv = kdc_db_ctx->seq_ctx;
1337 char *realm;
1338 struct ldb_result *res = NULL;
1339 krb5_error_code ret;
1340 TALLOC_CTX *mem_ctx;
1341 int lret;
1342
1343 if (priv) {
1344 TALLOC_FREE(priv);
1345 kdc_db_ctx->seq_ctx = NULL;
1346 }
1347
1348 priv = (struct samba_kdc_seq *) talloc(kdc_db_ctx, struct samba_kdc_seq);
1349 if (!priv) {
1350 ret = ENOMEM;
1351 krb5_set_error_message(context, ret, "talloc: out of memory");
1352 return ret;
1353 }
1354
1355 priv->index = 0;
1356 priv->msgs = NULL;
1357 priv->realm_dn = ldb_get_default_basedn(ldb_ctx);
1358 priv->count = 0;
1359
1360 mem_ctx = talloc_named(priv, 0, "samba_kdc_firstkey context");
1361
1362 if (!mem_ctx) {
1363 ret = ENOMEM;
1364 krb5_set_error_message(context, ret, "samba_kdc_firstkey: talloc_named() failed!");
1365 return ret;
1366 }
1367
1368 ret = krb5_get_default_realm(context, &realm);
1369 if (ret != 0) {
1370 TALLOC_FREE(priv);
1371 return ret;
1372 }
1373
1374 lret = ldb_search(ldb_ctx, priv, &res,
1375 priv->realm_dn, LDB_SCOPE_SUBTREE, user_attrs,
1376 "(objectClass=user)");
1377
1378 if (lret != LDB_SUCCESS) {
1379 TALLOC_FREE(priv);
1380 return HDB_ERR_NOENTRY;
1381 }
1382
1383 priv->count = res->count;
1384 priv->msgs = talloc_steal(priv, res->msgs);
1385 talloc_free(res);
1386
1387 kdc_db_ctx->seq_ctx = priv;
1388
1389 ret = samba_kdc_seq(context, kdc_db_ctx, entry);
1390
1391 if (ret != 0) {
1392 TALLOC_FREE(priv);
1393 kdc_db_ctx->seq_ctx = NULL;
1394 } else {
1395 talloc_free(mem_ctx);
1396 }
1397 return ret;
1398 }
1399
1400 krb5_error_code samba_kdc_nextkey(krb5_context context,
1401 struct samba_kdc_db_context *kdc_db_ctx,
1402 hdb_entry_ex *entry)
1403 {
1404 return samba_kdc_seq(context, kdc_db_ctx, entry);
1405 }
1406
1407 /* Check if a given entry may delegate or do s4u2self to this target principal
1408 *
1409 * This is currently a very nasty hack - allowing only delegation to itself.
1410 *
1411 * This is shared between the constrained delegation and S4U2Self code.
1412 */
1413 krb5_error_code
1414 samba_kdc_check_identical_client_and_server(krb5_context context,
1415 struct samba_kdc_db_context *kdc_db_ctx,
1416 hdb_entry_ex *entry,
1417 krb5_const_principal target_principal)
1418 {
1419 krb5_error_code ret;
1420 krb5_principal enterprise_prinicpal = NULL;
1421 struct ldb_dn *realm_dn;
1422 struct ldb_message *msg;
1423 struct dom_sid *orig_sid;
1424 struct dom_sid *target_sid;
1425 struct samba_kdc_entry *p = talloc_get_type(entry->ctx, struct samba_kdc_entry);
1426 const char *delegation_check_attrs[] = {
1427 "objectSid", NULL
1428 };
1429
1430 TALLOC_CTX *mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_check_constrained_delegation");
1431
1432 if (!mem_ctx) {
1433 ret = ENOMEM;
1434 krb5_set_error_message(context, ret, "samba_kdc_fetch: talloc_named() failed!");
1435 return ret;
1436 }
1437
1438 if (target_principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
1439 /* Need to reparse the enterprise principal to find the real target */
1440 if (target_principal->name.name_string.len != 1) {
1441 ret = KRB5_PARSE_MALFORMED;
1442 krb5_set_error_message(context, ret, "samba_kdc_check_constrained_delegation: request for delegation to enterprise principal with wrong (%d) number of components",
1443 target_principal->name.name_string.len);
1444 talloc_free(mem_ctx);
1445 return ret;
1446 }
1447 ret = krb5_parse_name(context, target_principal->name.name_string.val[0],
1448 &enterprise_prinicpal);
1449 if (ret) {
1450 talloc_free(mem_ctx);
1451 return ret;
1452 }
1453 target_principal = enterprise_prinicpal;
1454 }
1455
1456 ret = samba_kdc_lookup_server(context, kdc_db_ctx, mem_ctx, target_principal,
1457 delegation_check_attrs, &realm_dn, &msg);
1458
1459 krb5_free_principal(context, enterprise_prinicpal);
1460
1461 if (ret != 0) {
1462 talloc_free(mem_ctx);
1463 return ret;
1464 }
1465
1466 orig_sid = samdb_result_dom_sid(mem_ctx, p->msg, "objectSid");
1467 target_sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid");
1468
1469 /* Allow delegation to the same principal, even if by a different
1470 * name. The easy and safe way to prove this is by SID
1471 * comparison */
1472 if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) {
1473 talloc_free(mem_ctx);
1474 return KRB5KDC_ERR_BADOPTION;
1475 }
1476
1477 talloc_free(mem_ctx);
1478 return ret;
1479 }
1480
1481 /* Certificates printed by a the Certificate Authority might have a
1482 * slightly different form of the user principal name to that in the
1483 * database. Allow a mismatch where they both refer to the same
1484 * SID */
1485
1486 krb5_error_code
1487 samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
1488 struct samba_kdc_db_context *kdc_db_ctx,
1489 hdb_entry_ex *entry,
1490 krb5_const_principal certificate_principal)
1491 {
1492 krb5_error_code ret;
1493 struct ldb_dn *realm_dn;
1494 struct ldb_message *msg;
1495 struct dom_sid *orig_sid;
1496 struct dom_sid *target_sid;
1497 struct samba_kdc_entry *p = talloc_get_type(entry->ctx, struct samba_kdc_entry);
1498 const char *ms_upn_check_attrs[] = {
1499 "objectSid", NULL
1500 };
1501
1502 TALLOC_CTX *mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_check_pkinit_ms_upn_match");
1503
1504 if (!mem_ctx) {
1505 ret = ENOMEM;
1506 krb5_set_error_message(context, ret, "samba_kdc_fetch: talloc_named() failed!");
1507 return ret;
1508 }
1509
1510 ret = samba_kdc_lookup_client(context, kdc_db_ctx,
1511 mem_ctx, certificate_principal,
1512 ms_upn_check_attrs, &realm_dn, &msg);
1513
1514 if (ret != 0) {
1515 talloc_free(mem_ctx);
1516 return ret;
1517 }
1518
1519 orig_sid = samdb_result_dom_sid(mem_ctx, p->msg, "objectSid");
1520 target_sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid");
1521
1522 /* Consider these to be the same principal, even if by a different
1523 * name. The easy and safe way to prove this is by SID
1524 * comparison */
1525 if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) {
1526 talloc_free(mem_ctx);
1527 return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
1528 }
1529
1530 talloc_free(mem_ctx);
1531 return ret;
1532 }
1533