search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:gensec Allow mutual auth to be turned off in 'fake_gssapi_krb5'
[Samba/ekacnet.git] / source4 / auth / gensec / gensec_krb5.c
blobaed6822b898d77492de10b89659671e6f1dbe219
1 /*
2 Unix SMB/CIFS implementation.
3
4 Kerberos backend for GENSEC
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
7 Copyright (C) Andrew Tridgell 2001
8 Copyright (C) Luke Howard 2002-2003
9 Copyright (C) Stefan Metzmacher 2004-2005
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 */
25
26 #include "includes.h"
27 #include "system/kerberos.h"
28 #include "auth/kerberos/kerberos.h"
29 #include "librpc/gen_ndr/krb5pac.h"
30 #include "auth/auth.h"
31 #include "lib/ldb/include/ldb.h"
32 #include "auth/auth_sam.h"
33 #include "lib/socket/socket.h"
34 #include "librpc/rpc/dcerpc.h"
35 #include "auth/credentials/credentials.h"
36 #include "auth/credentials/credentials_krb5.h"
37 #include "auth/gensec/gensec.h"
38 #include "auth/gensec/gensec_proto.h"
39 #include "param/param.h"
40 #include "auth/session_proto.h"
41 #include "auth/auth_sam_reply.h"
42
43 enum GENSEC_KRB5_STATE {
44 GENSEC_KRB5_SERVER_START,
45 GENSEC_KRB5_CLIENT_START,
46 GENSEC_KRB5_CLIENT_MUTUAL_AUTH,
47 GENSEC_KRB5_DONE
48 };
49
50 struct gensec_krb5_state {
51 DATA_BLOB session_key;
52 DATA_BLOB pac;
53 enum GENSEC_KRB5_STATE state_position;
54 struct smb_krb5_context *smb_krb5_context;
55 krb5_auth_context auth_context;
56 krb5_data enc_ticket;
57 krb5_keyblock *keyblock;
58 krb5_ticket *ticket;
59 bool gssapi;
60 krb5_flags ap_req_options;
61 };
62
63 static int gensec_krb5_destroy(struct gensec_krb5_state *gensec_krb5_state)
64 {
65 if (!gensec_krb5_state->smb_krb5_context) {
66 /* We can't clean anything else up unless we started up this far */
67 return 0;
68 }
69 if (gensec_krb5_state->enc_ticket.length) {
70 kerberos_free_data_contents(gensec_krb5_state->smb_krb5_context->krb5_context,
71 &gensec_krb5_state->enc_ticket);
72 }
73
74 if (gensec_krb5_state->ticket) {
75 krb5_free_ticket(gensec_krb5_state->smb_krb5_context->krb5_context,
76 gensec_krb5_state->ticket);
77 }
78
79 /* ccache freed in a child destructor */
80
81 krb5_free_keyblock(gensec_krb5_state->smb_krb5_context->krb5_context,
82 gensec_krb5_state->keyblock);
83
84 if (gensec_krb5_state->auth_context) {
85 krb5_auth_con_free(gensec_krb5_state->smb_krb5_context->krb5_context,
86 gensec_krb5_state->auth_context);
87 }
88
89 return 0;
90 }
91
92 static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
93 {
94 krb5_error_code ret;
95 struct gensec_krb5_state *gensec_krb5_state;
96 struct cli_credentials *creds;
97 const struct socket_address *my_addr, *peer_addr;
98 krb5_address my_krb5_addr, peer_krb5_addr;
99
100 creds = gensec_get_credentials(gensec_security);
101 if (!creds) {
102 return NT_STATUS_INVALID_PARAMETER;
103 }
104
105 gensec_krb5_state = talloc(gensec_security, struct gensec_krb5_state);
106 if (!gensec_krb5_state) {
107 return NT_STATUS_NO_MEMORY;
108 }
109
110 gensec_security->private_data = gensec_krb5_state;
111 gensec_krb5_state->smb_krb5_context = NULL;
112 gensec_krb5_state->auth_context = NULL;
113 gensec_krb5_state->ticket = NULL;
114 ZERO_STRUCT(gensec_krb5_state->enc_ticket);
115 gensec_krb5_state->keyblock = NULL;
116 gensec_krb5_state->session_key = data_blob(NULL, 0);
117 gensec_krb5_state->pac = data_blob(NULL, 0);
118 gensec_krb5_state->gssapi = false;
119
120 talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy);
121
122 if (cli_credentials_get_krb5_context(creds,
123 gensec_security->event_ctx,
124 gensec_security->settings->lp_ctx, &gensec_krb5_state->smb_krb5_context)) {
125 talloc_free(gensec_krb5_state);
126 return NT_STATUS_INTERNAL_ERROR;
127 }
128
129 ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context);
130 if (ret) {
131 DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n",
132 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
133 ret, gensec_krb5_state)));
134 talloc_free(gensec_krb5_state);
135 return NT_STATUS_INTERNAL_ERROR;
136 }
137
138 ret = krb5_auth_con_setflags(gensec_krb5_state->smb_krb5_context->krb5_context,
139 gensec_krb5_state->auth_context,
140 KRB5_AUTH_CONTEXT_DO_SEQUENCE);
141 if (ret) {
142 DEBUG(1,("gensec_krb5_start: krb5_auth_con_setflags failed (%s)\n",
143 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
144 ret, gensec_krb5_state)));
145 talloc_free(gensec_krb5_state);
146 return NT_STATUS_INTERNAL_ERROR;
147 }
148
149 my_addr = gensec_get_my_addr(gensec_security);
150 if (my_addr && my_addr->sockaddr) {
151 ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
152 my_addr->sockaddr, &my_krb5_addr);
153 if (ret) {
154 DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n",
155 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
156 ret, gensec_krb5_state)));
157 talloc_free(gensec_krb5_state);
158 return NT_STATUS_INTERNAL_ERROR;
159 }
160 }
161
162 peer_addr = gensec_get_peer_addr(gensec_security);
163 if (peer_addr && peer_addr->sockaddr) {
164 ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
165 peer_addr->sockaddr, &peer_krb5_addr);
166 if (ret) {
167 DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n",
168 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
169 ret, gensec_krb5_state)));
170 talloc_free(gensec_krb5_state);
171 return NT_STATUS_INTERNAL_ERROR;
172 }
173 }
174
175 ret = krb5_auth_con_setaddrs(gensec_krb5_state->smb_krb5_context->krb5_context,
176 gensec_krb5_state->auth_context,
177 my_addr ? &my_krb5_addr : NULL,
178 peer_addr ? &peer_krb5_addr : NULL);
179 if (ret) {
180 DEBUG(1,("gensec_krb5_start: krb5_auth_con_setaddrs failed (%s)\n",
181 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
182 ret, gensec_krb5_state)));
183 talloc_free(gensec_krb5_state);
184 return NT_STATUS_INTERNAL_ERROR;
185 }
186
187 return NT_STATUS_OK;
188 }
189
190 static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security)
191 {
192 NTSTATUS nt_status;
193 struct gensec_krb5_state *gensec_krb5_state;
194
195 nt_status = gensec_krb5_start(gensec_security);
196 if (!NT_STATUS_IS_OK(nt_status)) {
197 return nt_status;
198 }
199
200 gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
201 gensec_krb5_state->state_position = GENSEC_KRB5_SERVER_START;
202
203 return NT_STATUS_OK;
204 }
205
206 static NTSTATUS gensec_fake_gssapi_krb5_server_start(struct gensec_security *gensec_security)
207 {
208 NTSTATUS nt_status = gensec_krb5_server_start(gensec_security);
209
210 if (NT_STATUS_IS_OK(nt_status)) {
211 struct gensec_krb5_state *gensec_krb5_state;
212 gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
213 gensec_krb5_state->gssapi = true;
214 }
215 return nt_status;
216 }
217
218 static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security)
219 {
220 struct gensec_krb5_state *gensec_krb5_state;
221 krb5_error_code ret;
222 NTSTATUS nt_status;
223 struct ccache_container *ccache_container;
224 const char *hostname;
225
226 const char *principal;
227 krb5_data in_data;
228
229 hostname = gensec_get_target_hostname(gensec_security);
230 if (!hostname) {
231 DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
232 return NT_STATUS_INVALID_PARAMETER;
233 }
234 if (is_ipaddress(hostname)) {
235 DEBUG(2, ("Cannot do krb5 to an IP address"));
236 return NT_STATUS_INVALID_PARAMETER;
237 }
238 if (strcmp(hostname, "localhost") == 0) {
239 DEBUG(2, ("krb5 to 'localhost' does not make sense"));
240 return NT_STATUS_INVALID_PARAMETER;
241 }
242
243 nt_status = gensec_krb5_start(gensec_security);
244 if (!NT_STATUS_IS_OK(nt_status)) {
245 return nt_status;
246 }
247
248 gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
249 gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
250 gensec_krb5_state->ap_req_options = AP_OPTS_USE_SUBKEY;
251
252 if (gensec_setting_bool(gensec_security->settings, "gensec_krb5", "mutual", true)) {
253 gensec_krb5_state->ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
254 }
255
256 principal = gensec_get_target_principal(gensec_security);
257
258 ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security),
259 gensec_security->event_ctx,
260 gensec_security->settings->lp_ctx, &ccache_container);
261 switch (ret) {
262 case 0:
263 break;
264 case KRB5KDC_ERR_PREAUTH_FAILED:
265 return NT_STATUS_LOGON_FAILURE;
266 case KRB5_KDC_UNREACH:
267 DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal));
268 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
269 default:
270 DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials failed: %s\n", error_message(ret)));
271 return NT_STATUS_UNSUCCESSFUL;
272 }
273 in_data.length = 0;
274
275 if (principal && lp_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
276 krb5_principal target_principal;
277 ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
278 &target_principal);
279 if (ret == 0) {
280 ret = krb5_mk_req_exact(gensec_krb5_state->smb_krb5_context->krb5_context,
281 &gensec_krb5_state->auth_context,
282 gensec_krb5_state->ap_req_options,
283 target_principal,
284 &in_data, ccache_container->ccache,
285 &gensec_krb5_state->enc_ticket);
286 krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
287 target_principal);
288 }
289 } else {
290 ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context,
291 &gensec_krb5_state->auth_context,
292 gensec_krb5_state->ap_req_options,
293 gensec_get_target_service(gensec_security),
294 hostname,
295 &in_data, ccache_container->ccache,
296 &gensec_krb5_state->enc_ticket);
297 }
298 switch (ret) {
299 case 0:
300 return NT_STATUS_OK;
301 case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
302 DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n",
303 hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
304 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
305 case KRB5_KDC_UNREACH:
306 DEBUG(3, ("Cannot reach a KDC we require to contact host [%s]: %s\n",
307 hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
308 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
309 case KRB5KDC_ERR_PREAUTH_FAILED:
310 case KRB5KRB_AP_ERR_TKT_EXPIRED:
311 case KRB5_CC_END:
312 /* Too much clock skew - we will need to kinit to re-skew the clock */
313 case KRB5KRB_AP_ERR_SKEW:
314 case KRB5_KDCREP_SKEW:
315 {
316 DEBUG(3, ("kerberos (mk_req) failed: %s\n",
317 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
318 /*fall through*/
319 }
320
321 /* just don't print a message for these really ordinary messages */
322 case KRB5_FCC_NOFILE:
323 case KRB5_CC_NOTFOUND:
324 case ENOENT:
325
326 return NT_STATUS_UNSUCCESSFUL;
327 break;
328
329 default:
330 DEBUG(0, ("kerberos: %s\n",
331 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
332 return NT_STATUS_UNSUCCESSFUL;
333 }
334 }
335
336 static NTSTATUS gensec_fake_gssapi_krb5_client_start(struct gensec_security *gensec_security)
337 {
338 NTSTATUS nt_status = gensec_krb5_client_start(gensec_security);
339
340 if (NT_STATUS_IS_OK(nt_status)) {
341 struct gensec_krb5_state *gensec_krb5_state;
342 gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
343 gensec_krb5_state->gssapi = true;
344 }
345 return nt_status;
346 }
347
348 /**
349 * Check if the packet is one for this mechansim
350 *
351 * @param gensec_security GENSEC state
352 * @param in The request, as a DATA_BLOB
353 * @return Error, INVALID_PARAMETER if it's not a packet for us
354 * or NT_STATUS_OK if the packet is ok.
355 */
356
357 static NTSTATUS gensec_fake_gssapi_krb5_magic(struct gensec_security *gensec_security,
358 const DATA_BLOB *in)
359 {
360 if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) {
361 return NT_STATUS_OK;
362 } else {
363 return NT_STATUS_INVALID_PARAMETER;
364 }
365 }
366
367
368 /**
369 * Next state function for the Krb5 GENSEC mechanism
370 *
371 * @param gensec_krb5_state KRB5 State
372 * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
373 * @param in The request, as a DATA_BLOB
374 * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
375 * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
376 * or NT_STATUS_OK if the user is authenticated.
377 */
378
379 static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
380 TALLOC_CTX *out_mem_ctx,
381 const DATA_BLOB in, DATA_BLOB *out)
382 {
383 struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
384 krb5_error_code ret = 0;
385 NTSTATUS nt_status;
386
387 switch (gensec_krb5_state->state_position) {
388 case GENSEC_KRB5_CLIENT_START:
389 {
390 DATA_BLOB unwrapped_out;
391
392 if (gensec_krb5_state->gssapi) {
393 unwrapped_out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length);
394
395 /* wrap that up in a nice GSS-API wrapping */
396 *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REQ);
397 } else {
398 *out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length);
399 }
400 if (gensec_krb5_state->ap_req_options & AP_OPTS_MUTUAL_REQUIRED) {
401 gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH;
402 nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
403 } else {
404 gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
405 nt_status = NT_STATUS_OK;
406 }
407 return nt_status;
408 }
409
410 case GENSEC_KRB5_CLIENT_MUTUAL_AUTH:
411 {
412 DATA_BLOB unwrapped_in;
413 krb5_data inbuf;
414 krb5_ap_rep_enc_part *repl = NULL;
415 uint8_t tok_id[2];
416
417 if (gensec_krb5_state->gssapi) {
418 if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
419 DEBUG(1,("gensec_gssapi_parse_krb5_wrap(mutual authentication) failed to parse\n"));
420 dump_data_pw("Mutual authentication message:\n", in.data, in.length);
421 return NT_STATUS_INVALID_PARAMETER;
422 }
423 } else {
424 unwrapped_in = in;
425 }
426 /* TODO: check the tok_id */
427
428 inbuf.data = unwrapped_in.data;
429 inbuf.length = unwrapped_in.length;
430 ret = krb5_rd_rep(gensec_krb5_state->smb_krb5_context->krb5_context,
431 gensec_krb5_state->auth_context,
432 &inbuf, &repl);
433 if (ret) {
434 DEBUG(1,("krb5_rd_rep (mutual authentication) failed (%s)\n",
435 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, out_mem_ctx)));
436 dump_data_pw("Mutual authentication message:\n", (uint8_t *)inbuf.data, inbuf.length);
437 nt_status = NT_STATUS_ACCESS_DENIED;
438 } else {
439 *out = data_blob(NULL, 0);
440 nt_status = NT_STATUS_OK;
441 gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
442 }
443 if (repl) {
444 krb5_free_ap_rep_enc_part(gensec_krb5_state->smb_krb5_context->krb5_context, repl);
445 }
446 return nt_status;
447 }
448
449 case GENSEC_KRB5_SERVER_START:
450 {
451 DATA_BLOB unwrapped_in;
452 DATA_BLOB unwrapped_out = data_blob(NULL, 0);
453 krb5_data inbuf, outbuf;
454 uint8_t tok_id[2];
455 struct keytab_container *keytab;
456 krb5_principal server_in_keytab;
457
458 if (!in.data) {
459 return NT_STATUS_INVALID_PARAMETER;
460 }
461
462 /* Grab the keytab, however generated */
463 ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security),
464 gensec_security->event_ctx,
465 gensec_security->settings->lp_ctx, &keytab);
466 if (ret) {
467 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
468 }
469
470 /* This ensures we lookup the correct entry in that keytab */
471 ret = principal_from_credentials(out_mem_ctx, gensec_get_credentials(gensec_security),
472 gensec_krb5_state->smb_krb5_context,
473 &server_in_keytab);
474
475 if (ret) {
476 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
477 }
478
479 /* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
480 if (gensec_krb5_state->gssapi
481 && gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
482 inbuf.data = unwrapped_in.data;
483 inbuf.length = unwrapped_in.length;
484 } else {
485 inbuf.data = in.data;
486 inbuf.length = in.length;
487 }
488
489 ret = smb_rd_req_return_stuff(gensec_krb5_state->smb_krb5_context->krb5_context,
490 &gensec_krb5_state->auth_context,
491 &inbuf, keytab->keytab, server_in_keytab,
492 &outbuf,
493 &gensec_krb5_state->ticket,
494 &gensec_krb5_state->keyblock);
495
496 if (ret) {
497 return NT_STATUS_LOGON_FAILURE;
498 }
499 unwrapped_out.data = (uint8_t *)outbuf.data;
500 unwrapped_out.length = outbuf.length;
501 gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
502 /* wrap that up in a nice GSS-API wrapping */
503 if (gensec_krb5_state->gssapi) {
504 *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
505 } else {
506 *out = data_blob_talloc(out_mem_ctx, outbuf.data, outbuf.length);
507 }
508 krb5_data_free(&outbuf);
509 return NT_STATUS_OK;
510 }
511
512 case GENSEC_KRB5_DONE:
513 default:
514 /* Asking too many times... */
515 return NT_STATUS_INVALID_PARAMETER;
516 }
517 }
518
519 static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security,
520 DATA_BLOB *session_key)
521 {
522 struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
523 krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
524 krb5_auth_context auth_context = gensec_krb5_state->auth_context;
525 krb5_keyblock *skey;
526 krb5_error_code err = -1;
527
528 if (gensec_krb5_state->state_position != GENSEC_KRB5_DONE) {
529 return NT_STATUS_NO_USER_SESSION_KEY;
530 }
531
532 if (gensec_krb5_state->session_key.data) {
533 *session_key = gensec_krb5_state->session_key;
534 return NT_STATUS_OK;
535 }
536
537 switch (gensec_security->gensec_role) {
538 case GENSEC_CLIENT:
539 err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
540 break;
541 case GENSEC_SERVER:
542 err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
543 break;
544 }
545 if (err == 0 && skey != NULL) {
546 DEBUG(10, ("Got KRB5 session key of length %d\n",
547 (int)KRB5_KEY_LENGTH(skey)));
548 gensec_krb5_state->session_key = data_blob_talloc(gensec_krb5_state,
549 KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
550 *session_key = gensec_krb5_state->session_key;
551 dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
552
553 krb5_free_keyblock(context, skey);
554 return NT_STATUS_OK;
555 } else {
556 DEBUG(10, ("KRB5 error getting session key %d\n", err));
557 return NT_STATUS_NO_USER_SESSION_KEY;
558 }
559 }
560
561 static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security,
562 struct auth_session_info **_session_info)
563 {
564 NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
565 struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
566 krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
567 struct auth_serversupplied_info *server_info = NULL;
568 struct auth_session_info *session_info = NULL;
569 struct PAC_LOGON_INFO *logon_info;
570
571 krb5_principal client_principal;
572 char *principal_string;
573
574 DATA_BLOB pac;
575 krb5_data pac_data;
576
577 krb5_error_code ret;
578
579 TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
580 if (!mem_ctx) {
581 return NT_STATUS_NO_MEMORY;
582 }
583
584 ret = krb5_ticket_get_client(context, gensec_krb5_state->ticket, &client_principal);
585 if (ret) {
586 DEBUG(5, ("krb5_ticket_get_client failed to get cleint principal: %s\n",
587 smb_get_krb5_error_message(context,
588 ret, mem_ctx)));
589 talloc_free(mem_ctx);
590 return NT_STATUS_NO_MEMORY;
591 }
592
593 ret = krb5_unparse_name(gensec_krb5_state->smb_krb5_context->krb5_context,
594 client_principal, &principal_string);
595 if (ret) {
596 DEBUG(1, ("Unable to parse client principal: %s\n",
597 smb_get_krb5_error_message(context,
598 ret, mem_ctx)));
599 talloc_free(mem_ctx);
600 return NT_STATUS_NO_MEMORY;
601 }
602
603 ret = krb5_ticket_get_authorization_data_type(context, gensec_krb5_state->ticket,
604 KRB5_AUTHDATA_WIN2K_PAC,
605 &pac_data);
606
607 if (ret && gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
608 DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s \n",
609 principal_string,
610 smb_get_krb5_error_message(context,
611 ret, mem_ctx)));
612 krb5_free_principal(context, client_principal);
613 free(principal_string);
614 return NT_STATUS_ACCESS_DENIED;
615 } else if (ret) {
616 /* NO pac */
617 DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n",
618 smb_get_krb5_error_message(context,
619 ret, mem_ctx)));
620 if (gensec_security->auth_context &&
621 !gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
622 DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup: %s",
623 principal_string, smb_get_krb5_error_message(context,
624 ret, mem_ctx)));
625 nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx,
626 gensec_security->auth_context,
627 principal_string,
628 &server_info);
629 if (!NT_STATUS_IS_OK(nt_status)) {
630 talloc_free(mem_ctx);
631 return nt_status;
632 }
633 } else {
634 DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
635 principal_string));
636 return NT_STATUS_ACCESS_DENIED;
637 }
638
639 krb5_free_principal(context, client_principal);
640 free(principal_string);
641
642 if (!NT_STATUS_IS_OK(nt_status)) {
643 talloc_free(mem_ctx);
644 return nt_status;
645 }
646 } else {
647 /* Found pac */
648 union netr_Validation validation;
649 free(principal_string);
650
651 pac = data_blob_talloc(mem_ctx, pac_data.data, pac_data.length);
652 if (!pac.data) {
653 krb5_free_principal(context, client_principal);
654 talloc_free(mem_ctx);
655 return NT_STATUS_NO_MEMORY;
656 }
657
658 /* decode and verify the pac */
659 nt_status = kerberos_pac_logon_info(gensec_krb5_state,
660 gensec_security->settings->iconv_convenience,
661 &logon_info, pac,
662 gensec_krb5_state->smb_krb5_context->krb5_context,
663 NULL, gensec_krb5_state->keyblock,
664 client_principal,
665 gensec_krb5_state->ticket->ticket.authtime, NULL);
666 krb5_free_principal(context, client_principal);
667
668 if (!NT_STATUS_IS_OK(nt_status)) {
669 talloc_free(mem_ctx);
670 return nt_status;
671 }
672
673 validation.sam3 = &logon_info->info3;
674 nt_status = make_server_info_netlogon_validation(mem_ctx,
675 NULL,
676 3, &validation,
677 &server_info);
678 if (!NT_STATUS_IS_OK(nt_status)) {
679 talloc_free(mem_ctx);
680 return nt_status;
681 }
682 }
683
684 /* references the server_info into the session_info */
685 nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx, gensec_security->settings->lp_ctx, server_info, &session_info);
686
687 if (!NT_STATUS_IS_OK(nt_status)) {
688 talloc_free(mem_ctx);
689 return nt_status;
690 }
691
692 nt_status = gensec_krb5_session_key(gensec_security, &session_info->session_key);
693
694 if (!NT_STATUS_IS_OK(nt_status)) {
695 talloc_free(mem_ctx);
696 return nt_status;
697 }
698
699 *_session_info = session_info;
700
701 talloc_steal(gensec_krb5_state, session_info);
702 talloc_free(mem_ctx);
703 return NT_STATUS_OK;
704 }
705
706 static NTSTATUS gensec_krb5_wrap(struct gensec_security *gensec_security,
707 TALLOC_CTX *mem_ctx,
708 const DATA_BLOB *in,
709 DATA_BLOB *out)
710 {
711 struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
712 krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
713 krb5_auth_context auth_context = gensec_krb5_state->auth_context;
714 krb5_error_code ret;
715 krb5_data input, output;
716 input.length = in->length;
717 input.data = in->data;
718
719 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
720 ret = krb5_mk_priv(context, auth_context, &input, &output, NULL);
721 if (ret) {
722 DEBUG(1, ("krb5_mk_priv failed: %s\n",
723 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
724 ret, mem_ctx)));
725 return NT_STATUS_ACCESS_DENIED;
726 }
727 *out = data_blob_talloc(mem_ctx, output.data, output.length);
728
729 krb5_data_free(&output);
730 } else {
731 return NT_STATUS_ACCESS_DENIED;
732 }
733 return NT_STATUS_OK;
734 }
735
736 static NTSTATUS gensec_krb5_unwrap(struct gensec_security *gensec_security,
737 TALLOC_CTX *mem_ctx,
738 const DATA_BLOB *in,
739 DATA_BLOB *out)
740 {
741 struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
742 krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
743 krb5_auth_context auth_context = gensec_krb5_state->auth_context;
744 krb5_error_code ret;
745 krb5_data input, output;
746 krb5_replay_data replay;
747 input.length = in->length;
748 input.data = in->data;
749
750 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
751 ret = krb5_rd_priv(context, auth_context, &input, &output, &replay);
752 if (ret) {
753 DEBUG(1, ("krb5_rd_priv failed: %s\n",
754 smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
755 ret, mem_ctx)));
756 return NT_STATUS_ACCESS_DENIED;
757 }
758 *out = data_blob_talloc(mem_ctx, output.data, output.length);
759
760 krb5_data_free(&output);
761 } else {
762 return NT_STATUS_ACCESS_DENIED;
763 }
764 return NT_STATUS_OK;
765 }
766
767 static bool gensec_krb5_have_feature(struct gensec_security *gensec_security,
768 uint32_t feature)
769 {
770 struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
771 if (feature & GENSEC_FEATURE_SESSION_KEY) {
772 return true;
773 }
774 if (!gensec_krb5_state->gssapi &&
775 (feature & GENSEC_FEATURE_SEAL)) {
776 return true;
777 }
778
779 return false;
780 }
781
782 static const char *gensec_krb5_oids[] = {
783 GENSEC_OID_KERBEROS5,
784 GENSEC_OID_KERBEROS5_OLD,
785 NULL
786 };
787
788 static const struct gensec_security_ops gensec_fake_gssapi_krb5_security_ops = {
789 .name = "fake_gssapi_krb5",
790 .auth_type = DCERPC_AUTH_TYPE_KRB5,
791 .oid = gensec_krb5_oids,
792 .client_start = gensec_fake_gssapi_krb5_client_start,
793 .server_start = gensec_fake_gssapi_krb5_server_start,
794 .update = gensec_krb5_update,
795 .magic = gensec_fake_gssapi_krb5_magic,
796 .session_key = gensec_krb5_session_key,
797 .session_info = gensec_krb5_session_info,
798 .have_feature = gensec_krb5_have_feature,
799 .enabled = false,
800 .kerberos = true,
801 .priority = GENSEC_KRB5
802 };
803
804 static const struct gensec_security_ops gensec_krb5_security_ops = {
805 .name = "krb5",
806 .client_start = gensec_krb5_client_start,
807 .server_start = gensec_krb5_server_start,
808 .update = gensec_krb5_update,
809 .session_key = gensec_krb5_session_key,
810 .session_info = gensec_krb5_session_info,
811 .have_feature = gensec_krb5_have_feature,
812 .wrap = gensec_krb5_wrap,
813 .unwrap = gensec_krb5_unwrap,
814 .enabled = true,
815 .kerberos = true,
816 .priority = GENSEC_KRB5
817 };
818
819 _PUBLIC_ NTSTATUS gensec_krb5_init(void)
820 {
821 NTSTATUS ret;
822
823 ret = gensec_register(&gensec_krb5_security_ops);
824 if (!NT_STATUS_IS_OK(ret)) {
825 DEBUG(0,("Failed to register '%s' gensec backend!\n",
826 gensec_krb5_security_ops.name));
827 return ret;
828 }
829
830 ret = gensec_register(&gensec_fake_gssapi_krb5_security_ops);
831 if (!NT_STATUS_IS_OK(ret)) {
832 DEBUG(0,("Failed to register '%s' gensec backend!\n",
833 gensec_krb5_security_ops.name));
834 return ret;
835 }
836
837 return ret;
838 }