search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:kdc - Disable KDC port when it's set to 0.
[Samba/ekacnet.git] / source4 / kdc / kdc.c
blob2288e386875a0ba3c70f951c3f28a7bac660bb14
1 /*
2 Unix SMB/CIFS implementation.
3
4 KDC Server startup
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2008
7 Copyright (C) Andrew Tridgell 2005
8 Copyright (C) Stefan Metzmacher 2005
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "smbd/service_task.h"
26 #include "smbd/service.h"
27 #include "smbd/service_stream.h"
28 #include "smbd/process_model.h"
29 #include "lib/events/events.h"
30 #include "lib/socket/socket.h"
31 #include "system/network.h"
32 #include "../lib/util/dlinklist.h"
33 #include "lib/messaging/irpc.h"
34 #include "lib/stream/packet.h"
35 #include "librpc/gen_ndr/samr.h"
36 #include "librpc/gen_ndr/ndr_irpc.h"
37 #include "librpc/gen_ndr/ndr_krb5pac.h"
38 #include "lib/socket/netif.h"
39 #include "param/param.h"
40 #include "kdc/kdc.h"
41 #include "librpc/gen_ndr/ndr_misc.h"
42
43
44 /* Disgusting hack to get a mem_ctx and lp_ctx into the hdb plugin, when
45 * used as a keytab */
46 TALLOC_CTX *hdb_samba4_mem_ctx;
47 struct tevent_context *hdb_samba4_ev_ctx;
48 struct loadparm_context *hdb_samba4_lp_ctx;
49
50 /* hold all the info needed to send a reply */
51 struct kdc_reply {
52 struct kdc_reply *next, *prev;
53 struct socket_address *dest;
54 DATA_BLOB packet;
55 };
56
57 typedef bool (*kdc_process_fn_t)(struct kdc_server *kdc,
58 TALLOC_CTX *mem_ctx,
59 DATA_BLOB *input,
60 DATA_BLOB *reply,
61 struct socket_address *peer_addr,
62 struct socket_address *my_addr,
63 int datagram);
64
65 /* hold information about one kdc socket */
66 struct kdc_socket {
67 struct socket_context *sock;
68 struct kdc_server *kdc;
69 struct tevent_fd *fde;
70
71 /* a queue of outgoing replies that have been deferred */
72 struct kdc_reply *send_queue;
73
74 kdc_process_fn_t process;
75 };
76 /*
77 state of an open tcp connection
78 */
79 struct kdc_tcp_connection {
80 /* stream connection we belong to */
81 struct stream_connection *conn;
82
83 /* the kdc_server the connection belongs to */
84 struct kdc_server *kdc;
85
86 struct packet_context *packet;
87
88 kdc_process_fn_t process;
89 };
90
91 /*
92 handle fd send events on a KDC socket
93 */
94 static void kdc_send_handler(struct kdc_socket *kdc_socket)
95 {
96 while (kdc_socket->send_queue) {
97 struct kdc_reply *rep = kdc_socket->send_queue;
98 NTSTATUS status;
99 size_t sendlen;
100
101 status = socket_sendto(kdc_socket->sock, &rep->packet, &sendlen,
102 rep->dest);
103 if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
104 break;
105 }
106 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_BUFFER_SIZE)) {
107 /* Replace with a krb err, response to big */
108 }
109
110 DLIST_REMOVE(kdc_socket->send_queue, rep);
111 talloc_free(rep);
112 }
113
114 if (kdc_socket->send_queue == NULL) {
115 EVENT_FD_NOT_WRITEABLE(kdc_socket->fde);
116 }
117 }
118
119
120 /*
121 handle fd recv events on a KDC socket
122 */
123 static void kdc_recv_handler(struct kdc_socket *kdc_socket)
124 {
125 NTSTATUS status;
126 TALLOC_CTX *tmp_ctx = talloc_new(kdc_socket);
127 DATA_BLOB blob;
128 struct kdc_reply *rep;
129 DATA_BLOB reply;
130 size_t nread, dsize;
131 struct socket_address *src;
132 struct socket_address *my_addr;
133 int ret;
134
135 status = socket_pending(kdc_socket->sock, &dsize);
136 if (!NT_STATUS_IS_OK(status)) {
137 talloc_free(tmp_ctx);
138 return;
139 }
140
141 blob = data_blob_talloc(tmp_ctx, NULL, dsize);
142 if (blob.data == NULL) {
143 /* hope this is a temporary low memory condition */
144 talloc_free(tmp_ctx);
145 return;
146 }
147
148 status = socket_recvfrom(kdc_socket->sock, blob.data, blob.length, &nread,
149 tmp_ctx, &src);
150 if (!NT_STATUS_IS_OK(status)) {
151 talloc_free(tmp_ctx);
152 return;
153 }
154 blob.length = nread;
155
156 DEBUG(10,("Received krb5 UDP packet of length %lu from %s:%u\n",
157 (long)blob.length, src->addr, (uint16_t)src->port));
158
159 my_addr = socket_get_my_addr(kdc_socket->sock, tmp_ctx);
160 if (!my_addr) {
161 talloc_free(tmp_ctx);
162 return;
163 }
164
165
166 /* Call krb5 */
167 ret = kdc_socket->process(kdc_socket->kdc,
168 tmp_ctx,
169 &blob,
170 &reply,
171 src, my_addr,
172 1 /* Datagram */);
173 if (!ret) {
174 talloc_free(tmp_ctx);
175 return;
176 }
177
178 /* queue a pending reply */
179 rep = talloc(kdc_socket, struct kdc_reply);
180 if (rep == NULL) {
181 talloc_free(tmp_ctx);
182 return;
183 }
184 rep->dest = talloc_steal(rep, src);
185 rep->packet = reply;
186 talloc_steal(rep, reply.data);
187
188 if (rep->packet.data == NULL) {
189 talloc_free(rep);
190 talloc_free(tmp_ctx);
191 return;
192 }
193
194 DLIST_ADD_END(kdc_socket->send_queue, rep, struct kdc_reply *);
195 EVENT_FD_WRITEABLE(kdc_socket->fde);
196 talloc_free(tmp_ctx);
197 }
198
199 /*
200 handle fd events on a KDC socket
201 */
202 static void kdc_socket_handler(struct tevent_context *ev, struct tevent_fd *fde,
203 uint16_t flags, void *private_data)
204 {
205 struct kdc_socket *kdc_socket = talloc_get_type(private_data, struct kdc_socket);
206 if (flags & EVENT_FD_WRITE) {
207 kdc_send_handler(kdc_socket);
208 }
209 if (flags & EVENT_FD_READ) {
210 kdc_recv_handler(kdc_socket);
211 }
212 }
213
214 static void kdc_tcp_terminate_connection(struct kdc_tcp_connection *kdcconn, const char *reason)
215 {
216 stream_terminate_connection(kdcconn->conn, reason);
217 }
218
219 /*
220 receive a full packet on a KDC connection
221 */
222 static NTSTATUS kdc_tcp_recv(void *private_data, DATA_BLOB blob)
223 {
224 struct kdc_tcp_connection *kdcconn = talloc_get_type(private_data,
225 struct kdc_tcp_connection);
226 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
227 TALLOC_CTX *tmp_ctx = talloc_new(kdcconn);
228 int ret;
229 DATA_BLOB input, reply;
230 struct socket_address *src_addr;
231 struct socket_address *my_addr;
232
233 talloc_steal(tmp_ctx, blob.data);
234
235 src_addr = socket_get_peer_addr(kdcconn->conn->socket, tmp_ctx);
236 if (!src_addr) {
237 talloc_free(tmp_ctx);
238 return NT_STATUS_NO_MEMORY;
239 }
240
241 my_addr = socket_get_my_addr(kdcconn->conn->socket, tmp_ctx);
242 if (!my_addr) {
243 talloc_free(tmp_ctx);
244 return NT_STATUS_NO_MEMORY;
245 }
246
247 /* Call krb5 */
248 input = data_blob_const(blob.data + 4, blob.length - 4);
249
250 ret = kdcconn->process(kdcconn->kdc,
251 tmp_ctx,
252 &input,
253 &reply,
254 src_addr,
255 my_addr,
256 0 /* Not datagram */);
257 if (!ret) {
258 talloc_free(tmp_ctx);
259 return NT_STATUS_INTERNAL_ERROR;
260 }
261
262 /* and now encode the reply */
263 blob = data_blob_talloc(kdcconn, NULL, reply.length + 4);
264 if (!blob.data) {
265 talloc_free(tmp_ctx);
266 return NT_STATUS_NO_MEMORY;
267 }
268
269 RSIVAL(blob.data, 0, reply.length);
270 memcpy(blob.data + 4, reply.data, reply.length);
271
272 status = packet_send(kdcconn->packet, blob);
273 if (!NT_STATUS_IS_OK(status)) {
274 talloc_free(tmp_ctx);
275 return status;
276 }
277
278 /* the call isn't needed any more */
279 talloc_free(tmp_ctx);
280 return NT_STATUS_OK;
281 }
282
283 /*
284 receive some data on a KDC connection
285 */
286 static void kdc_tcp_recv_handler(struct stream_connection *conn, uint16_t flags)
287 {
288 struct kdc_tcp_connection *kdcconn = talloc_get_type(conn->private_data,
289 struct kdc_tcp_connection);
290 packet_recv(kdcconn->packet);
291 }
292
293 /*
294 called on a tcp recv error
295 */
296 static void kdc_tcp_recv_error(void *private_data, NTSTATUS status)
297 {
298 struct kdc_tcp_connection *kdcconn = talloc_get_type(private_data,
299 struct kdc_tcp_connection);
300 kdc_tcp_terminate_connection(kdcconn, nt_errstr(status));
301 }
302
303 /*
304 called when we can write to a connection
305 */
306 static void kdc_tcp_send(struct stream_connection *conn, uint16_t flags)
307 {
308 struct kdc_tcp_connection *kdcconn = talloc_get_type(conn->private_data,
309 struct kdc_tcp_connection);
310 packet_queue_run(kdcconn->packet);
311 }
312
313 /**
314 Wrapper for krb5_kdc_process_krb5_request, converting to/from Samba
315 calling conventions
316 */
317
318 static bool kdc_process(struct kdc_server *kdc,
319 TALLOC_CTX *mem_ctx,
320 DATA_BLOB *input,
321 DATA_BLOB *reply,
322 struct socket_address *peer_addr,
323 struct socket_address *my_addr,
324 int datagram_reply)
325 {
326 int ret;
327 krb5_data k5_reply;
328 krb5_data_zero(&k5_reply);
329
330 krb5_kdc_update_time(NULL);
331
332 DEBUG(10,("Received KDC packet of length %lu from %s:%d\n",
333 (long)input->length - 4, peer_addr->addr, peer_addr->port));
334
335 ret = krb5_kdc_process_krb5_request(kdc->smb_krb5_context->krb5_context,
336 kdc->config,
337 input->data, input->length,
338 &k5_reply,
339 peer_addr->addr,
340 peer_addr->sockaddr,
341 datagram_reply);
342 if (ret == -1) {
343 *reply = data_blob(NULL, 0);
344 return false;
345 }
346 if (k5_reply.length) {
347 *reply = data_blob_talloc(mem_ctx, k5_reply.data, k5_reply.length);
348 krb5_data_free(&k5_reply);
349 } else {
350 *reply = data_blob(NULL, 0);
351 }
352 return true;
353 }
354
355 /*
356 called when we get a new connection
357 */
358 static void kdc_tcp_generic_accept(struct stream_connection *conn, kdc_process_fn_t process_fn)
359 {
360 struct kdc_server *kdc = talloc_get_type(conn->private_data, struct kdc_server);
361 struct kdc_tcp_connection *kdcconn;
362
363 kdcconn = talloc_zero(conn, struct kdc_tcp_connection);
364 if (!kdcconn) {
365 stream_terminate_connection(conn, "kdc_tcp_accept: out of memory");
366 return;
367 }
368 kdcconn->conn = conn;
369 kdcconn->kdc = kdc;
370 kdcconn->process = process_fn;
371 conn->private_data = kdcconn;
372
373 kdcconn->packet = packet_init(kdcconn);
374 if (kdcconn->packet == NULL) {
375 kdc_tcp_terminate_connection(kdcconn, "kdc_tcp_accept: out of memory");
376 return;
377 }
378 packet_set_private(kdcconn->packet, kdcconn);
379 packet_set_socket(kdcconn->packet, conn->socket);
380 packet_set_callback(kdcconn->packet, kdc_tcp_recv);
381 packet_set_full_request(kdcconn->packet, packet_full_request_u32);
382 packet_set_error_handler(kdcconn->packet, kdc_tcp_recv_error);
383 packet_set_event_context(kdcconn->packet, conn->event.ctx);
384 packet_set_fde(kdcconn->packet, conn->event.fde);
385 packet_set_serialise(kdcconn->packet);
386 }
387
388 static void kdc_tcp_accept(struct stream_connection *conn)
389 {
390 kdc_tcp_generic_accept(conn, kdc_process);
391 }
392
393 static const struct stream_server_ops kdc_tcp_stream_ops = {
394 .name = "kdc_tcp",
395 .accept_connection = kdc_tcp_accept,
396 .recv_handler = kdc_tcp_recv_handler,
397 .send_handler = kdc_tcp_send
398 };
399
400 static void kpasswdd_tcp_accept(struct stream_connection *conn)
401 {
402 kdc_tcp_generic_accept(conn, kpasswdd_process);
403 }
404
405 static const struct stream_server_ops kpasswdd_tcp_stream_ops = {
406 .name = "kpasswdd_tcp",
407 .accept_connection = kpasswdd_tcp_accept,
408 .recv_handler = kdc_tcp_recv_handler,
409 .send_handler = kdc_tcp_send
410 };
411
412 /*
413 start listening on the given address
414 */
415 static NTSTATUS kdc_add_kdc_socket(struct kdc_server *kdc,
416 const struct model_ops *model_ops,
417 const char *address,
418 uint16_t kdc_port)
419 {
420 struct kdc_socket *kdc_socket;
421 struct socket_address *kdc_address;
422 NTSTATUS status;
423
424 kdc_socket = talloc(kdc, struct kdc_socket);
425 NT_STATUS_HAVE_NO_MEMORY(kdc_socket);
426
427 status = socket_create("ip", SOCKET_TYPE_DGRAM, &kdc_socket->sock, 0);
428 if (!NT_STATUS_IS_OK(status)) {
429 talloc_free(kdc_socket);
430 return status;
431 }
432
433 kdc_socket->kdc = kdc;
434 kdc_socket->send_queue = NULL;
435 kdc_socket->process = kdc_process;
436
437 talloc_steal(kdc_socket, kdc_socket->sock);
438
439 kdc_socket->fde = event_add_fd(kdc->task->event_ctx, kdc,
440 socket_get_fd(kdc_socket->sock), EVENT_FD_READ,
441 kdc_socket_handler, kdc_socket);
442
443 kdc_address = socket_address_from_strings(kdc_socket, kdc_socket->sock->backend_name,
444 address, kdc_port);
445 NT_STATUS_HAVE_NO_MEMORY(kdc_address);
446
447 status = socket_listen(kdc_socket->sock, kdc_address, 0, 0);
448 if (!NT_STATUS_IS_OK(status)) {
449 DEBUG(0,("Failed to bind to %s:%d UDP for kdc - %s\n",
450 address, kdc_port, nt_errstr(status)));
451 talloc_free(kdc_socket);
452 return status;
453 }
454
455 status = stream_setup_socket(kdc->task->event_ctx,
456 kdc->task->lp_ctx,
457 model_ops,
458 &kdc_tcp_stream_ops,
459 "ip", address, &kdc_port,
460 lp_socket_options(kdc->task->lp_ctx),
461 kdc);
462 if (!NT_STATUS_IS_OK(status)) {
463 DEBUG(0,("Failed to bind to %s:%u TCP - %s\n",
464 address, kdc_port, nt_errstr(status)));
465 talloc_free(kdc_socket);
466 return status;
467 }
468
469 return NT_STATUS_OK;
470 }
471
472 static NTSTATUS kdc_add_kpasswd_socket(struct kdc_server *kdc,
473 const struct model_ops *model_ops,
474 const char *address,
475 uint16_t kpasswd_port)
476 {
477 struct kdc_socket *kpasswd_socket;
478 struct socket_address *kpasswd_address;
479 NTSTATUS status;
480
481 kpasswd_socket = talloc(kdc, struct kdc_socket);
482 NT_STATUS_HAVE_NO_MEMORY(kpasswd_socket);
483
484 status = socket_create("ip", SOCKET_TYPE_DGRAM, &kpasswd_socket->sock, 0);
485 if (!NT_STATUS_IS_OK(status)) {
486 talloc_free(kpasswd_socket);
487 return status;
488 }
489
490 kpasswd_socket->kdc = kdc;
491 kpasswd_socket->send_queue = NULL;
492 kpasswd_socket->process = kpasswdd_process;
493
494 talloc_steal(kpasswd_socket, kpasswd_socket->sock);
495
496 kpasswd_socket->fde = event_add_fd(kdc->task->event_ctx, kdc,
497 socket_get_fd(kpasswd_socket->sock), EVENT_FD_READ,
498 kdc_socket_handler, kpasswd_socket);
499
500 kpasswd_address = socket_address_from_strings(kpasswd_socket, kpasswd_socket->sock->backend_name,
501 address, kpasswd_port);
502 NT_STATUS_HAVE_NO_MEMORY(kpasswd_address);
503
504 status = socket_listen(kpasswd_socket->sock, kpasswd_address, 0, 0);
505 if (!NT_STATUS_IS_OK(status)) {
506 DEBUG(0,("Failed to bind to %s:%d UDP for kpasswd - %s\n",
507 address, kpasswd_port, nt_errstr(status)));
508 talloc_free(kpasswd_socket);
509 return status;
510 }
511
512 status = stream_setup_socket(kdc->task->event_ctx,
513 kdc->task->lp_ctx,
514 model_ops,
515 &kpasswdd_tcp_stream_ops,
516 "ip", address, &kpasswd_port,
517 lp_socket_options(kdc->task->lp_ctx),
518 kdc);
519 if (!NT_STATUS_IS_OK(status)) {
520 DEBUG(0,("Failed to bind to %s:%u TCP - %s\n",
521 address, kpasswd_port, nt_errstr(status)));
522 talloc_free(kpasswd_socket);
523 return status;
524 }
525
526 return NT_STATUS_OK;
527 }
528
529
530 /*
531 setup our listening sockets on the configured network interfaces
532 */
533 static NTSTATUS kdc_startup_interfaces(struct kdc_server *kdc, struct loadparm_context *lp_ctx,
534 struct interface *ifaces)
535 {
536 const struct model_ops *model_ops;
537 int num_interfaces;
538 TALLOC_CTX *tmp_ctx = talloc_new(kdc);
539 NTSTATUS status;
540 int i;
541
542 /* within the kdc task we want to be a single process, so
543 ask for the single process model ops and pass these to the
544 stream_setup_socket() call. */
545 model_ops = process_model_startup(kdc->task->event_ctx, "single");
546 if (!model_ops) {
547 DEBUG(0,("Can't find 'single' process model_ops\n"));
548 return NT_STATUS_INTERNAL_ERROR;
549 }
550
551 num_interfaces = iface_count(ifaces);
552
553 for (i=0; i<num_interfaces; i++) {
554 const char *address = talloc_strdup(tmp_ctx, iface_n_ip(ifaces, i));
555 uint16_t kdc_port = lp_krb5_port(lp_ctx);
556 uint16_t kpasswd_port = lp_kpasswd_port(lp_ctx);
557
558 if (kdc_port) {
559 status = kdc_add_kdc_socket(kdc, model_ops, address, kdc_port);
560 NT_STATUS_NOT_OK_RETURN(status);
561 }
562
563 if (kpasswd_port) {
564 status = kdc_add_kpasswd_socket(kdc, model_ops, address, kpasswd_port);
565 NT_STATUS_NOT_OK_RETURN(status);
566 }
567 }
568
569 talloc_free(tmp_ctx);
570
571 return NT_STATUS_OK;
572 }
573
574
575 static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg,
576 struct kdc_check_generic_kerberos *r)
577 {
578 struct PAC_Validate pac_validate;
579 DATA_BLOB srv_sig;
580 struct PAC_SIGNATURE_DATA kdc_sig;
581 struct kdc_server *kdc = talloc_get_type(msg->private_data, struct kdc_server);
582 enum ndr_err_code ndr_err;
583 krb5_enctype etype;
584 int ret;
585 hdb_entry_ex ent;
586 krb5_principal principal;
587 krb5_keyblock keyblock;
588 Key *key;
589
590 /* There is no reply to this request */
591 r->out.generic_reply = data_blob(NULL, 0);
592
593 ndr_err = ndr_pull_struct_blob(&r->in.generic_request, msg,
594 lp_iconv_convenience(kdc->task->lp_ctx),
595 &pac_validate,
596 (ndr_pull_flags_fn_t)ndr_pull_PAC_Validate);
597 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
598 return NT_STATUS_INVALID_PARAMETER;
599 }
600
601 if (pac_validate.MessageType != 3) {
602 /* We don't implement any other message types - such as certificate validation - yet */
603 return NT_STATUS_INVALID_PARAMETER;
604 }
605
606 if (pac_validate.ChecksumAndSignature.length != (pac_validate.ChecksumLength + pac_validate.SignatureLength)
607 || pac_validate.ChecksumAndSignature.length < pac_validate.ChecksumLength
608 || pac_validate.ChecksumAndSignature.length < pac_validate.SignatureLength ) {
609 return NT_STATUS_INVALID_PARAMETER;
610 }
611
612 srv_sig = data_blob_const(pac_validate.ChecksumAndSignature.data,
613 pac_validate.ChecksumLength);
614
615 if (pac_validate.SignatureType == CKSUMTYPE_HMAC_MD5) {
616 etype = ETYPE_ARCFOUR_HMAC_MD5;
617 } else {
618 ret = krb5_cksumtype_to_enctype(kdc->smb_krb5_context->krb5_context, pac_validate.SignatureType,
619 &etype);
620 if (ret != 0) {
621 return NT_STATUS_LOGON_FAILURE;
622 }
623 }
624
625 ret = krb5_make_principal(kdc->smb_krb5_context->krb5_context, &principal,
626 lp_realm(kdc->task->lp_ctx),
627 "krbtgt", lp_realm(kdc->task->lp_ctx),
628 NULL);
629
630 if (ret != 0) {
631 return NT_STATUS_NO_MEMORY;
632 }
633
634 ret = kdc->config->db[0]->hdb_fetch(kdc->smb_krb5_context->krb5_context,
635 kdc->config->db[0],
636 principal,
637 HDB_F_GET_KRBTGT | HDB_F_DECRYPT,
638 &ent);
639
640 if (ret != 0) {
641 hdb_free_entry(kdc->smb_krb5_context->krb5_context, &ent);
642 krb5_free_principal(kdc->smb_krb5_context->krb5_context, principal);
643
644 return NT_STATUS_LOGON_FAILURE;
645 }
646
647 ret = hdb_enctype2key(kdc->smb_krb5_context->krb5_context, &ent.entry, etype, &key);
648
649 if (ret != 0) {
650 hdb_free_entry(kdc->smb_krb5_context->krb5_context, &ent);
651 krb5_free_principal(kdc->smb_krb5_context->krb5_context, principal);
652 return NT_STATUS_LOGON_FAILURE;
653 }
654
655 keyblock = key->key;
656
657 kdc_sig.type = pac_validate.SignatureType;
658 kdc_sig.signature = data_blob_const(&pac_validate.ChecksumAndSignature.data[pac_validate.ChecksumLength],
659 pac_validate.SignatureLength);
660 ret = check_pac_checksum(msg, srv_sig, &kdc_sig,
661 kdc->smb_krb5_context->krb5_context, &keyblock);
662
663 hdb_free_entry(kdc->smb_krb5_context->krb5_context, &ent);
664 krb5_free_principal(kdc->smb_krb5_context->krb5_context, principal);
665
666 if (ret != 0) {
667 return NT_STATUS_LOGON_FAILURE;
668 }
669
670 return NT_STATUS_OK;
671 }
672
673
674 /*
675 startup the kdc task
676 */
677 static void kdc_task_init(struct task_server *task)
678 {
679 struct kdc_server *kdc;
680 NTSTATUS status;
681 krb5_error_code ret;
682 struct interface *ifaces;
683
684 switch (lp_server_role(task->lp_ctx)) {
685 case ROLE_STANDALONE:
686 task_server_terminate(task, "kdc: no KDC required in standalone configuration", false);
687 return;
688 case ROLE_DOMAIN_MEMBER:
689 task_server_terminate(task, "kdc: no KDC required in member server configuration", false);
690 return;
691 case ROLE_DOMAIN_CONTROLLER:
692 /* Yes, we want a KDC */
693 break;
694 }
695
696 load_interfaces(task, lp_interfaces(task->lp_ctx), &ifaces);
697
698 if (iface_count(ifaces) == 0) {
699 task_server_terminate(task, "kdc: no network interfaces configured", false);
700 return;
701 }
702
703 task_server_set_title(task, "task[kdc]");
704
705 kdc = talloc(task, struct kdc_server);
706 if (kdc == NULL) {
707 task_server_terminate(task, "kdc: out of memory", true);
708 return;
709 }
710
711 kdc->task = task;
712
713 initialize_krb5_error_table();
714
715 ret = smb_krb5_init_context(kdc, task->event_ctx, task->lp_ctx, &kdc->smb_krb5_context);
716 if (ret) {
717 DEBUG(1,("kdc_task_init: krb5_init_context failed (%s)\n",
718 error_message(ret)));
719 task_server_terminate(task, "kdc: krb5_init_context failed", true);
720 return;
721 }
722
723 krb5_add_et_list(kdc->smb_krb5_context->krb5_context, initialize_hdb_error_table_r);
724
725 ret = krb5_kdc_get_config(kdc->smb_krb5_context->krb5_context,
726 &kdc->config);
727 if(ret) {
728 task_server_terminate(task, "kdc: failed to get KDC configuration", true);
729 return;
730 }
731
732 kdc->config->logf = kdc->smb_krb5_context->logf;
733 kdc->config->db = talloc(kdc, struct HDB *);
734 if (!kdc->config->db) {
735 task_server_terminate(task, "kdc: out of memory", true);
736 return;
737 }
738 kdc->config->num_db = 1;
739
740 status = hdb_samba4_create_kdc(kdc, task->event_ctx, task->lp_ctx,
741 kdc->smb_krb5_context->krb5_context,
742 &kdc->config->db[0]);
743 if (!NT_STATUS_IS_OK(status)) {
744 task_server_terminate(task, "kdc: hdb_samba4_create_kdc (setup KDC database) failed", true);
745 return;
746 }
747
748 /* Register hdb-samba4 hooks for use as a keytab */
749
750 kdc->hdb_samba4_context = talloc(kdc, struct hdb_samba4_context);
751 if (!kdc->hdb_samba4_context) {
752 task_server_terminate(task, "kdc: out of memory", true);
753 return;
754 }
755
756 kdc->hdb_samba4_context->ev_ctx = task->event_ctx;
757 kdc->hdb_samba4_context->lp_ctx = task->lp_ctx;
758
759 ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
760 PLUGIN_TYPE_DATA, "hdb",
761 &hdb_samba4);
762 if(ret) {
763 task_server_terminate(task, "kdc: failed to register hdb keytab", true);
764 return;
765 }
766
767 ret = krb5_kt_register(kdc->smb_krb5_context->krb5_context, &hdb_kt_ops);
768 if(ret) {
769 task_server_terminate(task, "kdc: failed to register hdb keytab", true);
770 return;
771 }
772
773 /* Registar WinDC hooks */
774 ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
775 PLUGIN_TYPE_DATA, "windc",
776 &windc_plugin_table);
777 if(ret) {
778 task_server_terminate(task, "kdc: failed to register hdb keytab", true);
779 return;
780 }
781
782 krb5_kdc_windc_init(kdc->smb_krb5_context->krb5_context);
783
784 /* start listening on the configured network interfaces */
785 status = kdc_startup_interfaces(kdc, task->lp_ctx, ifaces);
786 if (!NT_STATUS_IS_OK(status)) {
787 task_server_terminate(task, "kdc failed to setup interfaces", true);
788 return;
789 }
790
791 status = IRPC_REGISTER(task->msg_ctx, irpc, KDC_CHECK_GENERIC_KERBEROS,
792 kdc_check_generic_kerberos, kdc);
793 if (!NT_STATUS_IS_OK(status)) {
794 task_server_terminate(task, "nbtd failed to setup monitoring", true);
795 return;
796 }
797
798 irpc_add_name(task->msg_ctx, "kdc_server");
799 }
800
801
802 /* called at smbd startup - register ourselves as a server service */
803 NTSTATUS server_service_kdc_init(void)
804 {
805 return register_server_service("kdc", kdc_task_init);
806 }