2 Unix SMB/CIFS implementation.
4 PAC Glue between Samba and the KDC
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
7 Copyright (C) Simo Sorce <idra@samba.org> 2010
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "../libds/common/flags.h"
26 #include "lib/ldb/include/ldb.h"
27 #include "librpc/gen_ndr/ndr_krb5pac.h"
28 #include "librpc/gen_ndr/krb5pac.h"
29 #include "auth/auth.h"
30 #include "auth/auth_sam.h"
31 #include "auth/auth_sam_reply.h"
33 #include "param/param.h"
35 struct krb5_dh_moduli
;
36 struct _krb5_krb_auth_data
;
38 static krb5_error_code
samba_kdc_plugin_init(krb5_context context
, void **ptr
)
44 static void samba_kdc_plugin_fini(void *ptr
)
50 get_logon_info_pac_blob(TALLOC_CTX
*mem_ctx
,
51 struct smb_iconv_convenience
*ic
,
52 struct auth_serversupplied_info
*info
,
55 struct netr_SamInfo3
*info3
;
56 union PAC_INFO pac_info
;
57 enum ndr_err_code ndr_err
;
60 ZERO_STRUCT(pac_info
);
62 nt_status
= auth_convert_server_info_saminfo3(mem_ctx
, info
, &info3
);
63 if (!NT_STATUS_IS_OK(nt_status
)) {
64 DEBUG(1, ("Getting Samba info failed: %s\n",
65 nt_errstr(nt_status
)));
69 pac_info
.logon_info
.info
= talloc_zero(mem_ctx
, struct PAC_LOGON_INFO
);
71 return NT_STATUS_NO_MEMORY
;
74 pac_info
.logon_info
.info
->info3
= *info3
;
76 ndr_err
= ndr_push_union_blob(&pac_data
, mem_ctx
, ic
, &pac_info
,
78 (ndr_push_flags_fn_t
)ndr_push_PAC_INFO
);
79 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
80 nt_status
= ndr_map_error2ntstatus(ndr_err
);
81 DEBUG(1, ("PAC (presig) push failed: %s\n",
82 nt_errstr(nt_status
)));
89 static krb5_error_code
make_pac(krb5_context context
,
91 struct smb_iconv_convenience
*iconv_convenience
,
92 struct auth_serversupplied_info
*server_info
,
100 nt_status
= get_logon_info_pac_blob(mem_ctx
,
102 server_info
, pac_out
);
103 if (!NT_STATUS_IS_OK(nt_status
)) {
107 ret
= krb5_data_copy(&pac_data
, pac_out
.data
, pac_out
.length
);
112 ret
= krb5_pac_init(context
, pac
);
114 krb5_data_free(&pac_data
);
118 ret
= krb5_pac_add_buffer(context
, *pac
, PAC_TYPE_LOGON_INFO
, &pac_data
);
119 krb5_data_free(&pac_data
);
127 /* Given the right private pointer from hdb_samba4, get a PAC from the attached ldb messages */
128 static krb5_error_code
samba_kdc_get_pac(void *priv
,
129 krb5_context context
,
130 struct hdb_entry_ex
*client
,
135 struct auth_serversupplied_info
*server_info
;
136 struct hdb_samba4_private
*p
= talloc_get_type(client
->ctx
, struct hdb_samba4_private
);
137 TALLOC_CTX
*mem_ctx
= talloc_named(p
, 0, "samba_get_pac context");
138 unsigned int userAccountControl
;
144 /* The user account may be set not to want the PAC */
145 userAccountControl
= ldb_msg_find_attr_as_uint(p
->msg
, "userAccountControl", 0);
146 if (userAccountControl
& UF_NO_AUTH_DATA_REQUIRED
) {
151 nt_status
= authsam_make_server_info(mem_ctx
, p
->samdb
,
152 lp_netbios_name(p
->lp_ctx
),
153 lp_sam_name(p
->lp_ctx
),
159 if (!NT_STATUS_IS_OK(nt_status
)) {
160 DEBUG(0, ("Getting user info for PAC failed: %s\n",
161 nt_errstr(nt_status
)));
165 ret
= make_pac(context
, mem_ctx
, p
->iconv_convenience
, server_info
, pac
);
167 talloc_free(mem_ctx
);
171 /* Resign (and reform, including possibly new groups) a PAC */
173 static krb5_error_code
samba_kdc_reget_pac(void *priv
, krb5_context context
,
174 const krb5_principal client_principal
,
175 struct hdb_entry_ex
*client
,
176 struct hdb_entry_ex
*server
, krb5_pac
*pac
)
180 unsigned int userAccountControl
;
182 struct hdb_samba4_private
*p
= talloc_get_type(server
->ctx
, struct hdb_samba4_private
);
184 struct auth_serversupplied_info
*server_info_out
;
186 TALLOC_CTX
*mem_ctx
= talloc_named(p
, 0, "samba_get_pac context");
192 /* The service account may be set not to want the PAC */
193 userAccountControl
= ldb_msg_find_attr_as_uint(p
->msg
, "userAccountControl", 0);
194 if (userAccountControl
& UF_NO_AUTH_DATA_REQUIRED
) {
195 talloc_free(mem_ctx
);
200 ret
= kerberos_pac_to_server_info(mem_ctx
, p
->iconv_convenience
,
201 *pac
, context
, &server_info_out
);
203 /* We will compleatly regenerate this pac */
204 krb5_pac_free(context
, *pac
);
207 talloc_free(mem_ctx
);
211 ret
= make_pac(context
, mem_ctx
, p
->iconv_convenience
, server_info_out
, pac
);
213 talloc_free(mem_ctx
);
217 static void samba_kdc_build_edata_reply(TALLOC_CTX
*tmp_ctx
, krb5_data
*e_data
,
223 krb5_error_code ret
= 0;
228 pa
.padata_type
= KRB5_PADATA_PW_SALT
;
229 pa
.padata_value
.length
= 12;
230 pa
.padata_value
.data
= malloc(pa
.padata_value
.length
);
231 if (!pa
.padata_value
.data
) {
237 SIVAL(pa
.padata_value
.data
, 0, NT_STATUS_V(nt_status
));
238 SIVAL(pa
.padata_value
.data
, 4, 0);
239 SIVAL(pa
.padata_value
.data
, 8, 1);
241 ASN1_MALLOC_ENCODE(PA_DATA
, buf
, len
, &pa
, &len
, ret
);
242 free(pa
.padata_value
.data
);
245 e_data
->length
= len
;
250 /* Given an hdb entry (and in particular it's private member), consult
251 * the account_ok routine in auth/auth_sam.c for consistancy */
254 static krb5_error_code
samba_kdc_check_client_access(void *priv
,
255 krb5_context context
,
256 krb5_kdc_configuration
*config
,
257 hdb_entry_ex
*client_ex
, const char *client_name
,
258 hdb_entry_ex
*server_ex
, const char *server_name
,
265 struct hdb_samba4_private
*p
;
266 char *workstation
= NULL
;
267 HostAddresses
*addresses
= req
->req_body
.addresses
;
269 bool password_change
;
271 tmp_ctx
= talloc_new(client_ex
->ctx
);
272 p
= talloc_get_type(client_ex
->ctx
, struct hdb_samba4_private
);
279 for (i
=0; i
< addresses
->len
; i
++) {
280 if (addresses
->val
->addr_type
== KRB5_ADDRESS_NETBIOS
) {
281 workstation
= talloc_strndup(tmp_ctx
, addresses
->val
->address
.data
, MIN(addresses
->val
->address
.length
, 15));
289 /* Strip space padding */
291 i
= MIN(strlen(workstation
), 15);
292 for (; i
> 0 && workstation
[i
- 1] == ' '; i
--) {
293 workstation
[i
- 1] = '\0';
297 password_change
= (server_ex
&& server_ex
->entry
.flags
.change_pw
);
299 /* we allow all kinds of trusts here */
300 nt_status
= authsam_account_ok(tmp_ctx
,
302 MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
| MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT
,
306 client_name
, true, password_change
);
308 if (NT_STATUS_IS_OK(nt_status
)) {
309 /* Now do the standard Heimdal check */
310 ret
= kdc_check_flags(context
, config
,
311 client_ex
, client_name
,
312 server_ex
, server_name
,
313 req
->msg_type
== krb_as_req
);
315 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_PASSWORD_MUST_CHANGE
))
316 ret
= KRB5KDC_ERR_KEY_EXPIRED
;
317 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_PASSWORD_EXPIRED
))
318 ret
= KRB5KDC_ERR_KEY_EXPIRED
;
319 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_ACCOUNT_EXPIRED
))
320 ret
= KRB5KDC_ERR_CLIENT_REVOKED
;
321 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_ACCOUNT_DISABLED
))
322 ret
= KRB5KDC_ERR_CLIENT_REVOKED
;
323 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_INVALID_LOGON_HOURS
))
324 ret
= KRB5KDC_ERR_CLIENT_REVOKED
;
325 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_ACCOUNT_LOCKED_OUT
))
326 ret
= KRB5KDC_ERR_CLIENT_REVOKED
;
327 else if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_INVALID_WORKSTATION
))
328 ret
= KRB5KDC_ERR_POLICY
;
330 ret
= KRB5KDC_ERR_POLICY
;
332 samba_kdc_build_edata_reply(tmp_ctx
, e_data
, nt_status
);
338 struct krb5plugin_windc_ftable windc_plugin_table
= {
339 .minor_version
= KRB5_WINDC_PLUGING_MINOR
,
340 .init
= samba_kdc_plugin_init
,
341 .fini
= samba_kdc_plugin_fini
,
342 .pac_generate
= samba_kdc_get_pac
,
343 .pac_verify
= samba_kdc_reget_pac
,
344 .client_access
= samba_kdc_check_client_access
,