search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:kdc move db functions in their own file
[Samba/fernandojvsilva.git] / source4 / kdc / db-glue.c
blobc6398485407da8eddd41cbf7aa2b982182bb8ff0
1 /*
2 Unix SMB/CIFS implementation.
3
4 Database Glue between Samba and the KDC
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
7 Copyright (C) Simo Sorce <idra@samba.org> 2010
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "system/time.h"
26 #include "../libds/common/flags.h"
27 #include "lib/ldb/include/ldb.h"
28 #include "librpc/gen_ndr/netlogon.h"
29 #include "libcli/security/security.h"
30 #include "auth/auth.h"
31 #include "auth/credentials/credentials.h"
32 #include "auth/auth_sam.h"
33 #include "../lib/util/util_ldb.h"
34 #include "dsdb/samdb/samdb.h"
35 #include "librpc/ndr/libndr.h"
36 #include "librpc/gen_ndr/ndr_drsblobs.h"
37 #include "librpc/gen_ndr/lsa.h"
38 #include "libcli/auth/libcli_auth.h"
39 #include "param/param.h"
40 #include "../lib/crypto/md4.h"
41 #include "system/kerberos.h"
42 #include <hdb.h>
43 #include "kdc/samba_kdc.h"
44 #include "kdc/db-glue.h"
45
46 enum samba_kdc_ent_type
47 { SAMBA_KDC_ENT_TYPE_CLIENT, SAMBA_KDC_ENT_TYPE_SERVER,
48 SAMBA_KDC_ENT_TYPE_KRBTGT, SAMBA_KDC_ENT_TYPE_TRUST, SAMBA_KDC_ENT_TYPE_ANY };
49
50 enum trust_direction {
51 UNKNOWN = 0,
52 INBOUND = LSA_TRUST_DIRECTION_INBOUND,
53 OUTBOUND = LSA_TRUST_DIRECTION_OUTBOUND
54 };
55
56 static const char *trust_attrs[] = {
57 "trustPartner",
58 "trustAuthIncoming",
59 "trustAuthOutgoing",
60 "whenCreated",
61 "msDS-SupportedEncryptionTypes",
62 "trustAttributes",
63 "trustDirection",
64 "trustType",
65 NULL
66 };
67
68 static KerberosTime ldb_msg_find_krb5time_ldap_time(struct ldb_message *msg, const char *attr, KerberosTime default_val)
69 {
70 const char *tmp;
71 const char *gentime;
72 struct tm tm;
73
74 gentime = ldb_msg_find_attr_as_string(msg, attr, NULL);
75 if (!gentime)
76 return default_val;
77
78 tmp = strptime(gentime, "%Y%m%d%H%M%SZ", &tm);
79 if (tmp == NULL) {
80 return default_val;
81 }
82
83 return timegm(&tm);
84 }
85
86 static HDBFlags uf2HDBFlags(krb5_context context, int userAccountControl, enum samba_kdc_ent_type ent_type)
87 {
88 HDBFlags flags = int2HDBFlags(0);
89
90 /* we don't allow kadmin deletes */
91 flags.immutable = 1;
92
93 /* mark the principal as invalid to start with */
94 flags.invalid = 1;
95
96 flags.renewable = 1;
97
98 /* All accounts are servers, but this may be disabled again in the caller */
99 flags.server = 1;
100
101 /* Account types - clear the invalid bit if it turns out to be valid */
102 if (userAccountControl & UF_NORMAL_ACCOUNT) {
103 if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT || ent_type == SAMBA_KDC_ENT_TYPE_ANY) {
104 flags.client = 1;
105 }
106 flags.invalid = 0;
107 }
108
109 if (userAccountControl & UF_INTERDOMAIN_TRUST_ACCOUNT) {
110 if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT || ent_type == SAMBA_KDC_ENT_TYPE_ANY) {
111 flags.client = 1;
112 }
113 flags.invalid = 0;
114 }
115 if (userAccountControl & UF_WORKSTATION_TRUST_ACCOUNT) {
116 if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT || ent_type == SAMBA_KDC_ENT_TYPE_ANY) {
117 flags.client = 1;
118 }
119 flags.invalid = 0;
120 }
121 if (userAccountControl & UF_SERVER_TRUST_ACCOUNT) {
122 if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT || ent_type == SAMBA_KDC_ENT_TYPE_ANY) {
123 flags.client = 1;
124 }
125 flags.invalid = 0;
126 }
127
128 /* Not permitted to act as a client if disabled */
129 if (userAccountControl & UF_ACCOUNTDISABLE) {
130 flags.client = 0;
131 }
132 if (userAccountControl & UF_LOCKOUT) {
133 flags.invalid = 1;
134 }
135 /*
136 if (userAccountControl & UF_PASSWORD_NOTREQD) {
137 flags.invalid = 1;
138 }
139 */
140 /*
141 UF_PASSWORD_CANT_CHANGE and UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED are irrelevent
142 */
143 if (userAccountControl & UF_TEMP_DUPLICATE_ACCOUNT) {
144 flags.invalid = 1;
145 }
146
147 /* UF_DONT_EXPIRE_PASSWD and UF_USE_DES_KEY_ONLY handled in samba_kdc_message2entry() */
148
149 /*
150 if (userAccountControl & UF_MNS_LOGON_ACCOUNT) {
151 flags.invalid = 1;
152 }
153 */
154 if (userAccountControl & UF_SMARTCARD_REQUIRED) {
155 flags.require_hwauth = 1;
156 }
157 if (userAccountControl & UF_TRUSTED_FOR_DELEGATION) {
158 flags.ok_as_delegate = 1;
159 }
160 if (!(userAccountControl & UF_NOT_DELEGATED)) {
161 flags.forwardable = 1;
162 flags.proxiable = 1;
163 }
164
165 if (userAccountControl & UF_DONT_REQUIRE_PREAUTH) {
166 flags.require_preauth = 0;
167 } else {
168 flags.require_preauth = 1;
169
170 }
171 return flags;
172 }
173
174 static int samba_kdc_entry_destructor(struct samba_kdc_entry *p)
175 {
176 hdb_entry_ex *entry_ex = p->entry_ex;
177 free_hdb_entry(&entry_ex->entry);
178 return 0;
179 }
180
181 static void samba_kdc_free_entry(krb5_context context, hdb_entry_ex *entry_ex)
182 {
183 talloc_free(entry_ex->ctx);
184 }
185
186 static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
187 struct smb_iconv_convenience *iconv_convenience,
188 TALLOC_CTX *mem_ctx,
189 struct ldb_message *msg,
190 unsigned int userAccountControl,
191 hdb_entry_ex *entry_ex)
192 {
193 krb5_error_code ret = 0;
194 enum ndr_err_code ndr_err;
195 struct samr_Password *hash;
196 const struct ldb_val *sc_val;
197 struct supplementalCredentialsBlob scb;
198 struct supplementalCredentialsPackage *scpk = NULL;
199 bool newer_keys = false;
200 struct package_PrimaryKerberosBlob _pkb;
201 struct package_PrimaryKerberosCtr3 *pkb3 = NULL;
202 struct package_PrimaryKerberosCtr4 *pkb4 = NULL;
203 uint32_t i;
204 uint32_t allocated_keys = 0;
205
206 entry_ex->entry.keys.val = NULL;
207 entry_ex->entry.keys.len = 0;
208
209 entry_ex->entry.kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0);
210
211 /* Get keys from the db */
212
213 hash = samdb_result_hash(mem_ctx, msg, "unicodePwd");
214 sc_val = ldb_msg_find_ldb_val(msg, "supplementalCredentials");
215
216 /* unicodePwd for enctype 0x17 (23) if present */
217 if (hash) {
218 allocated_keys++;
219 }
220
221 /* supplementalCredentials if present */
222 if (sc_val) {
223 ndr_err = ndr_pull_struct_blob_all(sc_val, mem_ctx, iconv_convenience, &scb,
224 (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
225 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
226 dump_data(0, sc_val->data, sc_val->length);
227 ret = EINVAL;
228 goto out;
229 }
230
231 if (scb.sub.signature != SUPPLEMENTAL_CREDENTIALS_SIGNATURE) {
232 NDR_PRINT_DEBUG(supplementalCredentialsBlob, &scb);
233 ret = EINVAL;
234 goto out;
235 }
236
237 for (i=0; i < scb.sub.num_packages; i++) {
238 if (strcmp("Primary:Kerberos-Newer-Keys", scb.sub.packages[i].name) == 0) {
239 scpk = &scb.sub.packages[i];
240 if (!scpk->data || !scpk->data[0]) {
241 scpk = NULL;
242 continue;
243 }
244 newer_keys = true;
245 break;
246 } else if (strcmp("Primary:Kerberos", scb.sub.packages[i].name) == 0) {
247 scpk = &scb.sub.packages[i];
248 if (!scpk->data || !scpk->data[0]) {
249 scpk = NULL;
250 }
251 /*
252 * we don't break here in hope to find
253 * a Kerberos-Newer-Keys package
254 */
255 }
256 }
257 }
258 /*
259 * Primary:Kerberos-Newer-Keys or Primary:Kerberos element
260 * of supplementalCredentials
261 */
262 if (scpk) {
263 DATA_BLOB blob;
264
265 blob = strhex_to_data_blob(mem_ctx, scpk->data);
266 if (!blob.data) {
267 ret = ENOMEM;
268 goto out;
269 }
270
271 /* we cannot use ndr_pull_struct_blob_all() here, as w2k and w2k3 add padding bytes */
272 ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, iconv_convenience, &_pkb,
273 (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
274 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
275 ret = EINVAL;
276 krb5_set_error_message(context, ret, "samba_kdc_message2entry_keys: could not parse package_PrimaryKerberosBlob");
277 krb5_warnx(context, "samba_kdc_message2entry_keys: could not parse package_PrimaryKerberosBlob");
278 goto out;
279 }
280
281 if (newer_keys && _pkb.version != 4) {
282 ret = EINVAL;
283 krb5_set_error_message(context, ret, "samba_kdc_message2entry_keys: Primary:Kerberos-Newer-Keys not version 4");
284 krb5_warnx(context, "samba_kdc_message2entry_keys: Primary:Kerberos-Newer-Keys not version 4");
285 goto out;
286 }
287
288 if (!newer_keys && _pkb.version != 3) {
289 ret = EINVAL;
290 krb5_set_error_message(context, ret, "samba_kdc_message2entry_keys: could not parse Primary:Kerberos not version 3");
291 krb5_warnx(context, "samba_kdc_message2entry_keys: could not parse Primary:Kerberos not version 3");
292 goto out;
293 }
294
295 if (_pkb.version == 4) {
296 pkb4 = &_pkb.ctr.ctr4;
297 allocated_keys += pkb4->num_keys;
298 } else if (_pkb.version == 3) {
299 pkb3 = &_pkb.ctr.ctr3;
300 allocated_keys += pkb3->num_keys;
301 }
302 }
303
304 if (allocated_keys == 0) {
305 /* oh, no password. Apparently (comment in
306 * hdb-ldap.c) this violates the ASN.1, but this
307 * allows an entry with no keys (yet). */
308 return 0;
309 }
310
311 /* allocate space to decode into */
312 entry_ex->entry.keys.len = 0;
313 entry_ex->entry.keys.val = calloc(allocated_keys, sizeof(Key));
314 if (entry_ex->entry.keys.val == NULL) {
315 ret = ENOMEM;
316 goto out;
317 }
318
319 if (hash && !(userAccountControl & UF_USE_DES_KEY_ONLY)) {
320 Key key;
321
322 key.mkvno = 0;
323 key.salt = NULL; /* No salt for this enc type */
324
325 ret = krb5_keyblock_init(context,
326 ENCTYPE_ARCFOUR_HMAC,
327 hash->hash, sizeof(hash->hash),
328 &key.key);
329 if (ret) {
330 goto out;
331 }
332
333 entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
334 entry_ex->entry.keys.len++;
335 }
336
337 if (pkb4) {
338 for (i=0; i < pkb4->num_keys; i++) {
339 bool use = true;
340 Key key;
341
342 if (!pkb4->keys[i].value) continue;
343
344 if (userAccountControl & UF_USE_DES_KEY_ONLY) {
345 switch (pkb4->keys[i].keytype) {
346 case ENCTYPE_DES_CBC_CRC:
347 case ENCTYPE_DES_CBC_MD5:
348 break;
349 default:
350 use = false;
351 break;
352 }
353 }
354
355 if (!use) continue;
356
357 key.mkvno = 0;
358 key.salt = NULL;
359
360 if (pkb4->salt.string) {
361 DATA_BLOB salt;
362
363 salt = data_blob_string_const(pkb4->salt.string);
364
365 key.salt = calloc(1, sizeof(*key.salt));
366 if (key.salt == NULL) {
367 ret = ENOMEM;
368 goto out;
369 }
370
371 key.salt->type = hdb_pw_salt;
372
373 ret = krb5_data_copy(&key.salt->salt, salt.data, salt.length);
374 if (ret) {
375 free(key.salt);
376 key.salt = NULL;
377 goto out;
378 }
379 }
380
381 /* TODO: maybe pass the iteration_count somehow... */
382
383 ret = krb5_keyblock_init(context,
384 pkb4->keys[i].keytype,
385 pkb4->keys[i].value->data,
386 pkb4->keys[i].value->length,
387 &key.key);
388 if (ret == KRB5_PROG_ETYPE_NOSUPP) {
389 DEBUG(2,("Unsupported keytype ignored - type %u\n",
390 pkb4->keys[i].keytype));
391 ret = 0;
392 continue;
393 }
394 if (ret) {
395 if (key.salt) {
396 free_Salt(key.salt);
397 free(key.salt);
398 key.salt = NULL;
399 }
400 goto out;
401 }
402
403 entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
404 entry_ex->entry.keys.len++;
405 }
406 } else if (pkb3) {
407 for (i=0; i < pkb3->num_keys; i++) {
408 bool use = true;
409 Key key;
410
411 if (!pkb3->keys[i].value) continue;
412
413 if (userAccountControl & UF_USE_DES_KEY_ONLY) {
414 switch (pkb3->keys[i].keytype) {
415 case ENCTYPE_DES_CBC_CRC:
416 case ENCTYPE_DES_CBC_MD5:
417 break;
418 default:
419 use = false;
420 break;
421 }
422 }
423
424 if (!use) continue;
425
426 key.mkvno = 0;
427 key.salt = NULL;
428
429 if (pkb3->salt.string) {
430 DATA_BLOB salt;
431
432 salt = data_blob_string_const(pkb3->salt.string);
433
434 key.salt = calloc(1, sizeof(*key.salt));
435 if (key.salt == NULL) {
436 ret = ENOMEM;
437 goto out;
438 }
439
440 key.salt->type = hdb_pw_salt;
441
442 ret = krb5_data_copy(&key.salt->salt, salt.data, salt.length);
443 if (ret) {
444 free(key.salt);
445 key.salt = NULL;
446 goto out;
447 }
448 }
449
450 ret = krb5_keyblock_init(context,
451 pkb3->keys[i].keytype,
452 pkb3->keys[i].value->data,
453 pkb3->keys[i].value->length,
454 &key.key);
455 if (ret) {
456 if (key.salt) {
457 free_Salt(key.salt);
458 free(key.salt);
459 key.salt = NULL;
460 }
461 goto out;
462 }
463
464 entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
465 entry_ex->entry.keys.len++;
466 }
467 }
468
469 out:
470 if (ret != 0) {
471 entry_ex->entry.keys.len = 0;
472 }
473 if (entry_ex->entry.keys.len == 0 && entry_ex->entry.keys.val) {
474 free(entry_ex->entry.keys.val);
475 entry_ex->entry.keys.val = NULL;
476 }
477 return ret;
478 }
479
480 /*
481 * Construct an hdb_entry from a directory entry.
482 */
483 static krb5_error_code samba_kdc_message2entry(krb5_context context,
484 struct samba_kdc_db_context *kdc_db_ctx,
485 TALLOC_CTX *mem_ctx, krb5_const_principal principal,
486 enum samba_kdc_ent_type ent_type,
487 struct ldb_dn *realm_dn,
488 struct ldb_message *msg,
489 hdb_entry_ex *entry_ex)
490 {
491 struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
492 unsigned int userAccountControl;
493 int i;
494 krb5_error_code ret = 0;
495 krb5_boolean is_computer = FALSE;
496 char *realm = strupper_talloc(mem_ctx, lp_realm(lp_ctx));
497
498 struct samba_kdc_entry *p;
499 NTTIME acct_expiry;
500 NTSTATUS status;
501
502 uint32_t rid;
503 struct ldb_message_element *objectclasses;
504 struct ldb_val computer_val;
505 const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
506 computer_val.data = discard_const_p(uint8_t,"computer");
507 computer_val.length = strlen((const char *)computer_val.data);
508
509 if (!samAccountName) {
510 ret = ENOENT;
511 krb5_set_error_message(context, ret, "samba_kdc_message2entry: no samAccountName present");
512 goto out;
513 }
514
515 objectclasses = ldb_msg_find_element(msg, "objectClass");
516
517 if (objectclasses && ldb_msg_find_val(objectclasses, &computer_val)) {
518 is_computer = TRUE;
519 }
520
521 memset(entry_ex, 0, sizeof(*entry_ex));
522
523 if (!realm) {
524 ret = ENOMEM;
525 krb5_set_error_message(context, ret, "talloc_strdup: out of memory");
526 goto out;
527 }
528
529 p = talloc(mem_ctx, struct samba_kdc_entry);
530 if (!p) {
531 ret = ENOMEM;
532 goto out;
533 }
534
535 p->kdc_db_ctx = kdc_db_ctx;
536 p->entry_ex = entry_ex;
537 p->realm_dn = talloc_reference(p, realm_dn);
538 if (!p->realm_dn) {
539 ret = ENOMEM;
540 goto out;
541 }
542
543 talloc_set_destructor(p, samba_kdc_entry_destructor);
544
545 entry_ex->ctx = p;
546 entry_ex->free_entry = samba_kdc_free_entry;
547
548 userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
549
550
551 entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal)));
552 if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
553 krb5_make_principal(context, &entry_ex->entry.principal, realm, samAccountName, NULL);
554 } else {
555 ret = copy_Principal(principal, entry_ex->entry.principal);
556 if (ret) {
557 krb5_clear_error_message(context);
558 goto out;
559 }
560
561 /* While we have copied the client principal, tests
562 * show that Win2k3 returns the 'corrected' realm, not
563 * the client-specified realm. This code attempts to
564 * replace the client principal's realm with the one
565 * we determine from our records */
566
567 /* this has to be with malloc() */
568 krb5_principal_set_realm(context, entry_ex->entry.principal, realm);
569 }
570
571 /* First try and figure out the flags based on the userAccountControl */
572 entry_ex->entry.flags = uf2HDBFlags(context, userAccountControl, ent_type);
573
574 /* Windows 2008 seems to enforce this (very sensible) rule by
575 * default - don't allow offline attacks on a user's password
576 * by asking for a ticket to them as a service (encrypted with
577 * their probably patheticly insecure password) */
578
579 if (entry_ex->entry.flags.server
580 && lp_parm_bool(lp_ctx, NULL, "kdc", "require spn for service", true)) {
581 if (!is_computer && !ldb_msg_find_attr_as_string(msg, "servicePrincipalName", NULL)) {
582 entry_ex->entry.flags.server = 0;
583 }
584 }
585
586 {
587 /* These (created_by, modified_by) parts of the entry are not relevant for Samba4's use
588 * of the Heimdal KDC. They are stored in a the traditional
589 * DB for audit purposes, and still form part of the structure
590 * we must return */
591
592 /* use 'whenCreated' */
593 entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0);
594 /* use '???' */
595 entry_ex->entry.created_by.principal = NULL;
596
597 entry_ex->entry.modified_by = (Event *) malloc(sizeof(Event));
598 if (entry_ex->entry.modified_by == NULL) {
599 ret = ENOMEM;
600 krb5_set_error_message(context, ret, "malloc: out of memory");
601 goto out;
602 }
603
604 /* use 'whenChanged' */
605 entry_ex->entry.modified_by->time = ldb_msg_find_krb5time_ldap_time(msg, "whenChanged", 0);
606 /* use '???' */
607 entry_ex->entry.modified_by->principal = NULL;
608 }
609
610
611 /* The lack of password controls etc applies to krbtgt by
612 * virtue of being that particular RID */
613 status = dom_sid_split_rid(NULL, samdb_result_dom_sid(mem_ctx, msg, "objectSid"), NULL, &rid);
614
615 if (!NT_STATUS_IS_OK(status)) {
616 ret = EINVAL;
617 goto out;
618 }
619
620 if (rid == DOMAIN_RID_KRBTGT) {
621 entry_ex->entry.valid_end = NULL;
622 entry_ex->entry.pw_end = NULL;
623
624 entry_ex->entry.flags.invalid = 0;
625 entry_ex->entry.flags.server = 1;
626
627 /* Don't mark all requests for the krbtgt/realm as
628 * 'change password', as otherwise we could get into
629 * trouble, and not enforce the password expirty.
630 * Instead, only do it when request is for the kpasswd service */
631 if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER
632 && principal->name.name_string.len == 2
633 && (strcmp(principal->name.name_string.val[0], "kadmin") == 0)
634 && (strcmp(principal->name.name_string.val[1], "changepw") == 0)
635 && lp_is_my_domain_or_realm(lp_ctx, principal->realm)) {
636 entry_ex->entry.flags.change_pw = 1;
637 }
638 entry_ex->entry.flags.client = 0;
639 entry_ex->entry.flags.forwardable = 1;
640 entry_ex->entry.flags.ok_as_delegate = 1;
641 } else if (entry_ex->entry.flags.server && ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
642 /* The account/password expiry only applies when the account is used as a
643 * client (ie password login), not when used as a server */
644
645 /* Make very well sure we don't use this for a client,
646 * it could bypass the password restrictions */
647 entry_ex->entry.flags.client = 0;
648
649 entry_ex->entry.valid_end = NULL;
650 entry_ex->entry.pw_end = NULL;
651
652 } else {
653 NTTIME must_change_time
654 = samdb_result_force_password_change(kdc_db_ctx->samdb, mem_ctx,
655 realm_dn, msg);
656 if (must_change_time == 0x7FFFFFFFFFFFFFFFULL) {
657 entry_ex->entry.pw_end = NULL;
658 } else {
659 entry_ex->entry.pw_end = malloc(sizeof(*entry_ex->entry.pw_end));
660 if (entry_ex->entry.pw_end == NULL) {
661 ret = ENOMEM;
662 goto out;
663 }
664 *entry_ex->entry.pw_end = nt_time_to_unix(must_change_time);
665 }
666
667 acct_expiry = samdb_result_account_expires(msg);
668 if (acct_expiry == 0x7FFFFFFFFFFFFFFFULL) {
669 entry_ex->entry.valid_end = NULL;
670 } else {
671 entry_ex->entry.valid_end = malloc(sizeof(*entry_ex->entry.valid_end));
672 if (entry_ex->entry.valid_end == NULL) {
673 ret = ENOMEM;
674 goto out;
675 }
676 *entry_ex->entry.valid_end = nt_time_to_unix(acct_expiry);
677 }
678 }
679
680 entry_ex->entry.valid_start = NULL;
681
682 entry_ex->entry.max_life = NULL;
683
684 entry_ex->entry.max_renew = NULL;
685
686 entry_ex->entry.generation = NULL;
687
688 /* Get keys from the db */
689 ret = samba_kdc_message2entry_keys(context, p->kdc_db_ctx->ic_ctx, p,
690 msg, userAccountControl, entry_ex);
691 if (ret) {
692 /* Could be bougus data in the entry, or out of memory */
693 goto out;
694 }
695
696 entry_ex->entry.etypes = malloc(sizeof(*(entry_ex->entry.etypes)));
697 if (entry_ex->entry.etypes == NULL) {
698 krb5_clear_error_message(context);
699 ret = ENOMEM;
700 goto out;
701 }
702 entry_ex->entry.etypes->len = entry_ex->entry.keys.len;
703 entry_ex->entry.etypes->val = calloc(entry_ex->entry.etypes->len, sizeof(int));
704 if (entry_ex->entry.etypes->val == NULL) {
705 krb5_clear_error_message(context);
706 ret = ENOMEM;
707 goto out;
708 }
709 for (i=0; i < entry_ex->entry.etypes->len; i++) {
710 entry_ex->entry.etypes->val[i] = entry_ex->entry.keys.val[i].key.keytype;
711 }
712
713
714 p->msg = talloc_steal(p, msg);
715
716 out:
717 if (ret != 0) {
718 /* This doesn't free ent itself, that is for the eventual caller to do */
719 hdb_free_entry(context, entry_ex);
720 } else {
721 talloc_steal(kdc_db_ctx, entry_ex->ctx);
722 }
723
724 return ret;
725 }
726
727 /*
728 * Construct an hdb_entry from a directory entry.
729 */
730 static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
731 struct samba_kdc_db_context *kdc_db_ctx,
732 TALLOC_CTX *mem_ctx, krb5_const_principal principal,
733 enum trust_direction direction,
734 struct ldb_dn *realm_dn,
735 struct ldb_message *msg,
736 hdb_entry_ex *entry_ex)
737 {
738 struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
739 const char *dnsdomain;
740 char *realm;
741 DATA_BLOB password_utf16;
742 struct samr_Password password_hash;
743 const struct ldb_val *password_val;
744 struct trustAuthInOutBlob password_blob;
745 struct samba_kdc_entry *p;
746
747 enum ndr_err_code ndr_err;
748 int i, ret, trust_direction_flags;
749
750 p = talloc(mem_ctx, struct samba_kdc_entry);
751 if (!p) {
752 ret = ENOMEM;
753 goto out;
754 }
755
756 p->kdc_db_ctx = kdc_db_ctx;
757 p->entry_ex = entry_ex;
758 p->realm_dn = realm_dn;
759
760 talloc_set_destructor(p, samba_kdc_entry_destructor);
761
762 entry_ex->ctx = p;
763 entry_ex->free_entry = samba_kdc_free_entry;
764
765 /* use 'whenCreated' */
766 entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0);
767 /* use '???' */
768 entry_ex->entry.created_by.principal = NULL;
769
770 entry_ex->entry.valid_start = NULL;
771
772 trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
773
774 if (direction == INBOUND) {
775 realm = strupper_talloc(mem_ctx, lp_realm(lp_ctx));
776 password_val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
777
778 } else { /* OUTBOUND */
779 dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
780 realm = strupper_talloc(mem_ctx, dnsdomain);
781 password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
782 }
783
784 if (!password_val || !(trust_direction_flags & direction)) {
785 ret = ENOENT;
786 goto out;
787 }
788
789 ndr_err = ndr_pull_struct_blob(password_val, mem_ctx, p->kdc_db_ctx->ic_ctx, &password_blob,
790 (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
791 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
792 ret = EINVAL;
793 goto out;
794 }
795
796 entry_ex->entry.kvno = -1;
797 for (i=0; i < password_blob.count; i++) {
798 if (password_blob.current->array[i].AuthType == TRUST_AUTH_TYPE_VERSION) {
799 entry_ex->entry.kvno = password_blob.current->array[i].AuthInfo.version.version;
800 }
801 }
802
803 for (i=0; i < password_blob.count; i++) {
804 if (password_blob.current->array[i].AuthType == TRUST_AUTH_TYPE_CLEAR) {
805 password_utf16 = data_blob_const(password_blob.current->array[i].AuthInfo.clear.password,
806 password_blob.current->array[i].AuthInfo.clear.size);
807 /* In the future, generate all sorts of
808 * hashes, but for now we can't safely convert
809 * the random strings windows uses into
810 * utf8 */
811
812 /* but as it is utf16 already, we can get the NT password/arcfour-hmac-md5 key */
813 mdfour(password_hash.hash, password_utf16.data, password_utf16.length);
814 break;
815 } else if (password_blob.current->array[i].AuthType == TRUST_AUTH_TYPE_NT4OWF) {
816 password_hash = password_blob.current->array[i].AuthInfo.nt4owf.password;
817 break;
818 }
819 }
820 entry_ex->entry.keys.len = 0;
821 entry_ex->entry.keys.val = NULL;
822
823 if (i < password_blob.count) {
824 Key key;
825 /* Must have found a cleartext or MD4 password */
826 entry_ex->entry.keys.val = calloc(1, sizeof(Key));
827
828 key.mkvno = 0;
829 key.salt = NULL; /* No salt for this enc type */
830
831 if (entry_ex->entry.keys.val == NULL) {
832 ret = ENOMEM;
833 goto out;
834 }
835
836 ret = krb5_keyblock_init(context,
837 ENCTYPE_ARCFOUR_HMAC,
838 password_hash.hash, sizeof(password_hash.hash),
839 &key.key);
840
841 entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
842 entry_ex->entry.keys.len++;
843 }
844
845 entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal)));
846
847 ret = copy_Principal(principal, entry_ex->entry.principal);
848 if (ret) {
849 krb5_clear_error_message(context);
850 goto out;
851 }
852
853 /* While we have copied the client principal, tests
854 * show that Win2k3 returns the 'corrected' realm, not
855 * the client-specified realm. This code attempts to
856 * replace the client principal's realm with the one
857 * we determine from our records */
858
859 krb5_principal_set_realm(context, entry_ex->entry.principal, realm);
860 entry_ex->entry.flags = int2HDBFlags(0);
861 entry_ex->entry.flags.immutable = 1;
862 entry_ex->entry.flags.invalid = 0;
863 entry_ex->entry.flags.server = 1;
864 entry_ex->entry.flags.require_preauth = 1;
865
866 entry_ex->entry.pw_end = NULL;
867
868 entry_ex->entry.max_life = NULL;
869
870 entry_ex->entry.max_renew = NULL;
871
872 entry_ex->entry.generation = NULL;
873
874 entry_ex->entry.etypes = malloc(sizeof(*(entry_ex->entry.etypes)));
875 if (entry_ex->entry.etypes == NULL) {
876 krb5_clear_error_message(context);
877 ret = ENOMEM;
878 goto out;
879 }
880 entry_ex->entry.etypes->len = entry_ex->entry.keys.len;
881 entry_ex->entry.etypes->val = calloc(entry_ex->entry.etypes->len, sizeof(int));
882 if (entry_ex->entry.etypes->val == NULL) {
883 krb5_clear_error_message(context);
884 ret = ENOMEM;
885 goto out;
886 }
887 for (i=0; i < entry_ex->entry.etypes->len; i++) {
888 entry_ex->entry.etypes->val[i] = entry_ex->entry.keys.val[i].key.keytype;
889 }
890
891
892 p->msg = talloc_steal(p, msg);
893
894 out:
895 if (ret != 0) {
896 /* This doesn't free ent itself, that is for the eventual caller to do */
897 hdb_free_entry(context, entry_ex);
898 } else {
899 talloc_steal(kdc_db_ctx, entry_ex->ctx);
900 }
901
902 return ret;
903
904 }
905
906 static krb5_error_code samba_kdc_lookup_trust(krb5_context context, struct ldb_context *ldb_ctx,
907 TALLOC_CTX *mem_ctx,
908 const char *realm,
909 struct ldb_dn *realm_dn,
910 struct ldb_message **pmsg)
911 {
912 int lret;
913 krb5_error_code ret;
914 char *filter = NULL;
915 const char * const *attrs = trust_attrs;
916
917 struct ldb_result *res = NULL;
918 filter = talloc_asprintf(mem_ctx, "(&(objectClass=trustedDomain)(|(flatname=%s)(trustPartner=%s)))", realm, realm);
919
920 if (!filter) {
921 ret = ENOMEM;
922 krb5_set_error_message(context, ret, "talloc_asprintf: out of memory");
923 return ret;
924 }
925
926 lret = ldb_search(ldb_ctx, mem_ctx, &res,
927 ldb_get_default_basedn(ldb_ctx),
928 LDB_SCOPE_SUBTREE, attrs, "%s", filter);
929 if (lret != LDB_SUCCESS) {
930 DEBUG(3, ("Failed to search for %s: %s\n", filter, ldb_errstring(ldb_ctx)));
931 return HDB_ERR_NOENTRY;
932 } else if (res->count == 0 || res->count > 1) {
933 DEBUG(3, ("Failed find a single entry for %s: got %d\n", filter, res->count));
934 talloc_free(res);
935 return HDB_ERR_NOENTRY;
936 }
937 talloc_steal(mem_ctx, res->msgs);
938 *pmsg = res->msgs[0];
939 talloc_free(res);
940 return 0;
941 }
942
943 static krb5_error_code samba_kdc_lookup_client(krb5_context context,
944 struct samba_kdc_db_context *kdc_db_ctx,
945 TALLOC_CTX *mem_ctx,
946 krb5_const_principal principal,
947 const char **attrs,
948 struct ldb_dn **realm_dn,
949 struct ldb_message **msg) {
950 NTSTATUS nt_status;
951 char *principal_string;
952 krb5_error_code ret;
953
954 ret = krb5_unparse_name(context, principal, &principal_string);
955
956 if (ret != 0) {
957 return ret;
958 }
959
960 nt_status = sam_get_results_principal(kdc_db_ctx->samdb,
961 mem_ctx, principal_string, attrs,
962 realm_dn, msg);
963 free(principal_string);
964 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
965 return HDB_ERR_NOENTRY;
966 } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
967 return ENOMEM;
968 } else if (!NT_STATUS_IS_OK(nt_status)) {
969 return EINVAL;
970 }
971
972 return ret;
973 }
974
975 static krb5_error_code samba_kdc_fetch_client(krb5_context context,
976 struct samba_kdc_db_context *kdc_db_ctx,
977 TALLOC_CTX *mem_ctx,
978 krb5_const_principal principal,
979 hdb_entry_ex *entry_ex) {
980 struct ldb_dn *realm_dn;
981 krb5_error_code ret;
982 struct ldb_message *msg = NULL;
983
984 ret = samba_kdc_lookup_client(context, kdc_db_ctx,
985 mem_ctx, principal, user_attrs,
986 &realm_dn, &msg);
987 if (ret != 0) {
988 return ret;
989 }
990
991 ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
992 principal, SAMBA_KDC_ENT_TYPE_CLIENT,
993 realm_dn, msg, entry_ex);
994 return ret;
995 }
996
997 static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
998 struct samba_kdc_db_context *kdc_db_ctx,
999 TALLOC_CTX *mem_ctx,
1000 krb5_const_principal principal,
1001 hdb_entry_ex *entry_ex)
1002 {
1003 struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
1004 krb5_error_code ret;
1005 struct ldb_message *msg = NULL;
1006 struct ldb_dn *realm_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
1007 const char *realm;
1008
1009 krb5_principal alloc_principal = NULL;
1010 if (principal->name.name_string.len != 2
1011 || (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) != 0)) {
1012 /* Not a krbtgt */
1013 return HDB_ERR_NOENTRY;
1014 }
1015
1016 /* krbtgt case. Either us or a trusted realm */
1017
1018 if (lp_is_my_domain_or_realm(lp_ctx, principal->realm)
1019 && lp_is_my_domain_or_realm(lp_ctx, principal->name.name_string.val[1])) {
1020 /* us */
1021 /* Cludge, cludge cludge. If the realm part of krbtgt/realm,
1022 * is in our db, then direct the caller at our primary
1023 * krbtgt */
1024
1025 int lret;
1026 char *realm_fixed;
1027
1028 lret = gendb_search_single_extended_dn(kdc_db_ctx->samdb, mem_ctx,
1029 realm_dn, LDB_SCOPE_SUBTREE,
1030 &msg, krbtgt_attrs,
1031 "(&(objectClass=user)(samAccountName=krbtgt))");
1032 if (lret == LDB_ERR_NO_SUCH_OBJECT) {
1033 krb5_warnx(context, "samba_kdc_fetch: could not find own KRBTGT in DB!");
1034 krb5_set_error_message(context, HDB_ERR_NOENTRY, "samba_kdc_fetch: could not find own KRBTGT in DB!");
1035 return HDB_ERR_NOENTRY;
1036 } else if (lret != LDB_SUCCESS) {
1037 krb5_warnx(context, "samba_kdc_fetch: could not find own KRBTGT in DB: %s", ldb_errstring(kdc_db_ctx->samdb));
1038 krb5_set_error_message(context, HDB_ERR_NOENTRY, "samba_kdc_fetch: could not find own KRBTGT in DB: %s", ldb_errstring(kdc_db_ctx->samdb));
1039 return HDB_ERR_NOENTRY;
1040 }
1041
1042 realm_fixed = strupper_talloc(mem_ctx, lp_realm(lp_ctx));
1043 if (!realm_fixed) {
1044 ret = ENOMEM;
1045 krb5_set_error_message(context, ret, "strupper_talloc: out of memory");
1046 return ret;
1047 }
1048
1049 ret = krb5_copy_principal(context, principal, &alloc_principal);
1050 if (ret) {
1051 return ret;
1052 }
1053
1054 free(alloc_principal->name.name_string.val[1]);
1055 alloc_principal->name.name_string.val[1] = strdup(realm_fixed);
1056 talloc_free(realm_fixed);
1057 if (!alloc_principal->name.name_string.val[1]) {
1058 ret = ENOMEM;
1059 krb5_set_error_message(context, ret, "samba_kdc_fetch: strdup() failed!");
1060 return ret;
1061 }
1062 principal = alloc_principal;
1063
1064 ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
1065 principal, SAMBA_KDC_ENT_TYPE_KRBTGT,
1066 realm_dn, msg, entry_ex);
1067 if (ret != 0) {
1068 krb5_warnx(context, "samba_kdc_fetch: self krbtgt message2entry failed");
1069 }
1070 return ret;
1071
1072 } else {
1073 enum trust_direction direction = UNKNOWN;
1074
1075 /* Either an inbound or outbound trust */
1076
1077 if (strcasecmp(lp_realm(lp_ctx), principal->realm) == 0) {
1078 /* look for inbound trust */
1079 direction = INBOUND;
1080 realm = principal->name.name_string.val[1];
1081 }
1082
1083 if (strcasecmp(lp_realm(lp_ctx), principal->name.name_string.val[1]) == 0) {
1084 /* look for outbound trust */
1085 direction = OUTBOUND;
1086 realm = principal->realm;
1087 }
1088
1089 /* Trusted domains are under CN=system */
1090
1091 ret = samba_kdc_lookup_trust(context, kdc_db_ctx->samdb,
1092 mem_ctx,
1093 realm, realm_dn, &msg);
1094
1095 if (ret != 0) {
1096 krb5_warnx(context, "samba_kdc_fetch: could not find principal in DB");
1097 krb5_set_error_message(context, ret, "samba_kdc_fetch: could not find principal in DB");
1098 return ret;
1099 }
1100
1101 ret = samba_kdc_trust_message2entry(context, kdc_db_ctx, mem_ctx,
1102 principal, direction,
1103 realm_dn, msg, entry_ex);
1104 if (ret != 0) {
1105 krb5_warnx(context, "samba_kdc_fetch: trust_message2entry failed");
1106 }
1107 return ret;
1108
1109
1110 /* we should lookup trusted domains */
1111 return HDB_ERR_NOENTRY;
1112 }
1113
1114 }
1115
1116 static krb5_error_code samba_kdc_lookup_server(krb5_context context,
1117 struct samba_kdc_db_context *kdc_db_ctx,
1118 TALLOC_CTX *mem_ctx,
1119 krb5_const_principal principal,
1120 const char **attrs,
1121 struct ldb_dn **realm_dn,
1122 struct ldb_message **msg)
1123 {
1124 krb5_error_code ret;
1125 const char *realm;
1126 if (principal->name.name_string.len >= 2) {
1127 /* 'normal server' case */
1128 int ldb_ret;
1129 NTSTATUS nt_status;
1130 struct ldb_dn *user_dn;
1131 char *principal_string;
1132
1133 ret = krb5_unparse_name_flags(context, principal,
1134 KRB5_PRINCIPAL_UNPARSE_NO_REALM,
1135 &principal_string);
1136 if (ret != 0) {
1137 return ret;
1138 }
1139
1140 /* At this point we may find the host is known to be
1141 * in a different realm, so we should generate a
1142 * referral instead */
1143 nt_status = crack_service_principal_name(kdc_db_ctx->samdb,
1144 mem_ctx, principal_string,
1145 &user_dn, realm_dn);
1146 free(principal_string);
1147
1148 if (!NT_STATUS_IS_OK(nt_status)) {
1149 return HDB_ERR_NOENTRY;
1150 }
1151
1152 ldb_ret = gendb_search_single_extended_dn(kdc_db_ctx->samdb,
1153 mem_ctx,
1154 user_dn, LDB_SCOPE_BASE,
1155 msg, attrs,
1156 "(objectClass=*)");
1157 if (ldb_ret != LDB_SUCCESS) {
1158 return HDB_ERR_NOENTRY;
1159 }
1160
1161 } else {
1162 int lret;
1163 char *filter = NULL;
1164 char *short_princ;
1165 /* server as client principal case, but we must not lookup userPrincipalNames */
1166 *realm_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
1167 realm = krb5_principal_get_realm(context, principal);
1168
1169 /* TODO: Check if it is our realm, otherwise give referall */
1170
1171 ret = krb5_unparse_name_flags(context, principal, KRB5_PRINCIPAL_UNPARSE_NO_REALM, &short_princ);
1172
1173 if (ret != 0) {
1174 krb5_set_error_message(context, ret, "samba_kdc_lookup_principal: could not parse principal");
1175 krb5_warnx(context, "samba_kdc_lookup_principal: could not parse principal");
1176 return ret;
1177 }
1178
1179 lret = gendb_search_single_extended_dn(kdc_db_ctx->samdb, mem_ctx,
1180 *realm_dn, LDB_SCOPE_SUBTREE,
1181 msg, attrs, "(&(objectClass=user)(samAccountName=%s))",
1182 ldb_binary_encode_string(mem_ctx, short_princ));
1183 free(short_princ);
1184 if (lret == LDB_ERR_NO_SUCH_OBJECT) {
1185 DEBUG(3, ("Failed find a entry for %s\n", filter));
1186 return HDB_ERR_NOENTRY;
1187 }
1188 if (lret != LDB_SUCCESS) {
1189 DEBUG(3, ("Failed single search for for %s - %s\n",
1190 filter, ldb_errstring(kdc_db_ctx->samdb)));
1191 return HDB_ERR_NOENTRY;
1192 }
1193 }
1194
1195 return 0;
1196 }
1197
1198 static krb5_error_code samba_kdc_fetch_server(krb5_context context,
1199 struct samba_kdc_db_context *kdc_db_ctx,
1200 TALLOC_CTX *mem_ctx,
1201 krb5_const_principal principal,
1202 hdb_entry_ex *entry_ex)
1203 {
1204 krb5_error_code ret;
1205 struct ldb_dn *realm_dn;
1206 struct ldb_message *msg;
1207
1208 ret = samba_kdc_lookup_server(context, kdc_db_ctx, mem_ctx, principal,
1209 server_attrs, &realm_dn, &msg);
1210 if (ret != 0) {
1211 return ret;
1212 }
1213
1214 ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
1215 principal, SAMBA_KDC_ENT_TYPE_SERVER,
1216 realm_dn, msg, entry_ex);
1217 if (ret != 0) {
1218 krb5_warnx(context, "samba_kdc_fetch: message2entry failed");
1219 }
1220
1221 return ret;
1222 }
1223
1224 krb5_error_code samba_kdc_fetch(krb5_context context,
1225 struct samba_kdc_db_context *kdc_db_ctx,
1226 krb5_const_principal principal,
1227 unsigned flags,
1228 hdb_entry_ex *entry_ex)
1229 {
1230 krb5_error_code ret = HDB_ERR_NOENTRY;
1231 TALLOC_CTX *mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_fetch context");
1232
1233 if (!mem_ctx) {
1234 ret = ENOMEM;
1235 krb5_set_error_message(context, ret, "samba_kdc_fetch: talloc_named() failed!");
1236 return ret;
1237 }
1238
1239 if (flags & HDB_F_GET_CLIENT) {
1240 ret = samba_kdc_fetch_client(context, kdc_db_ctx, mem_ctx, principal, entry_ex);
1241 if (ret != HDB_ERR_NOENTRY) goto done;
1242 }
1243 if (flags & HDB_F_GET_SERVER) {
1244 /* krbtgt fits into this situation for trusted realms, and for resolving different versions of our own realm name */
1245 ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, entry_ex);
1246 if (ret != HDB_ERR_NOENTRY) goto done;
1247
1248 /* We return 'no entry' if it does not start with krbtgt/, so move to the common case quickly */
1249 ret = samba_kdc_fetch_server(context, kdc_db_ctx, mem_ctx, principal, entry_ex);
1250 if (ret != HDB_ERR_NOENTRY) goto done;
1251 }
1252 if (flags & HDB_F_GET_KRBTGT) {
1253 ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, entry_ex);
1254 if (ret != HDB_ERR_NOENTRY) goto done;
1255 }
1256
1257 done:
1258 talloc_free(mem_ctx);
1259 return ret;
1260 }
1261
1262 struct samba_kdc_seq {
1263 int index;
1264 int count;
1265 struct ldb_message **msgs;
1266 struct ldb_dn *realm_dn;
1267 };
1268
1269 static krb5_error_code samba_kdc_seq(krb5_context context,
1270 struct samba_kdc_db_context *kdc_db_ctx,
1271 hdb_entry_ex *entry)
1272 {
1273 krb5_error_code ret;
1274 struct samba_kdc_seq *priv = kdc_db_ctx->seq_ctx;
1275 TALLOC_CTX *mem_ctx;
1276 hdb_entry_ex entry_ex;
1277 memset(&entry_ex, '\0', sizeof(entry_ex));
1278
1279 if (!priv) {
1280 return HDB_ERR_NOENTRY;
1281 }
1282
1283 mem_ctx = talloc_named(priv, 0, "samba_kdc_seq context");
1284
1285 if (!mem_ctx) {
1286 ret = ENOMEM;
1287 krb5_set_error_message(context, ret, "samba_kdc_seq: talloc_named() failed!");
1288 return ret;
1289 }
1290
1291 if (priv->index < priv->count) {
1292 ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
1293 NULL, SAMBA_KDC_ENT_TYPE_ANY,
1294 priv->realm_dn, priv->msgs[priv->index++], entry);
1295 } else {
1296 ret = HDB_ERR_NOENTRY;
1297 }
1298
1299 if (ret != 0) {
1300 talloc_free(priv);
1301 kdc_db_ctx->seq_ctx = NULL;
1302 } else {
1303 talloc_free(mem_ctx);
1304 }
1305
1306 return ret;
1307 }
1308
1309 krb5_error_code samba_kdc_firstkey(krb5_context context,
1310 struct samba_kdc_db_context *kdc_db_ctx,
1311 hdb_entry_ex *entry)
1312 {
1313 struct ldb_context *ldb_ctx = kdc_db_ctx->samdb;
1314 struct samba_kdc_seq *priv = kdc_db_ctx->seq_ctx;
1315 char *realm;
1316 struct ldb_result *res = NULL;
1317 krb5_error_code ret;
1318 TALLOC_CTX *mem_ctx;
1319 int lret;
1320
1321 if (priv) {
1322 talloc_free(priv);
1323 kdc_db_ctx->seq_ctx = NULL;
1324 }
1325
1326 priv = (struct samba_kdc_seq *) talloc(kdc_db_ctx, struct samba_kdc_seq);
1327 if (!priv) {
1328 ret = ENOMEM;
1329 krb5_set_error_message(context, ret, "talloc: out of memory");
1330 return ret;
1331 }
1332
1333 priv->index = 0;
1334 priv->msgs = NULL;
1335 priv->realm_dn = ldb_get_default_basedn(ldb_ctx);
1336 priv->count = 0;
1337
1338 mem_ctx = talloc_named(priv, 0, "samba_kdc_firstkey context");
1339
1340 if (!mem_ctx) {
1341 ret = ENOMEM;
1342 krb5_set_error_message(context, ret, "samba_kdc_firstkey: talloc_named() failed!");
1343 return ret;
1344 }
1345
1346 ret = krb5_get_default_realm(context, &realm);
1347 if (ret != 0) {
1348 talloc_free(priv);
1349 return ret;
1350 }
1351
1352 lret = ldb_search(ldb_ctx, priv, &res,
1353 priv->realm_dn, LDB_SCOPE_SUBTREE, user_attrs,
1354 "(objectClass=user)");
1355
1356 if (lret != LDB_SUCCESS) {
1357 talloc_free(priv);
1358 return HDB_ERR_NOENTRY;
1359 }
1360
1361 priv->count = res->count;
1362 priv->msgs = talloc_steal(priv, res->msgs);
1363 talloc_free(res);
1364
1365 kdc_db_ctx->seq_ctx = priv;
1366
1367 ret = samba_kdc_seq(context, kdc_db_ctx, entry);
1368
1369 if (ret != 0) {
1370 talloc_free(priv);
1371 kdc_db_ctx->seq_ctx = NULL;
1372 } else {
1373 talloc_free(mem_ctx);
1374 }
1375 return ret;
1376 }
1377
1378 krb5_error_code samba_kdc_nextkey(krb5_context context,
1379 struct samba_kdc_db_context *kdc_db_ctx,
1380 hdb_entry_ex *entry)
1381 {
1382 return samba_kdc_seq(context, kdc_db_ctx, entry);
1383 }
1384
1385 /* Check if a given entry may delegate to this target principal
1386 *
1387 * This is currently a very nasty hack - allowing only delegation to itself.
1388 */
1389 krb5_error_code
1390 samba_kdc_check_constrained_delegation(krb5_context context,
1391 struct samba_kdc_db_context *kdc_db_ctx,
1392 hdb_entry_ex *entry,
1393 krb5_const_principal target_principal)
1394 {
1395 krb5_error_code ret;
1396 krb5_principal enterprise_prinicpal = NULL;
1397 struct ldb_dn *realm_dn;
1398 struct ldb_message *msg;
1399 struct dom_sid *orig_sid;
1400 struct dom_sid *target_sid;
1401 struct samba_kdc_entry *p = talloc_get_type(entry->ctx, struct samba_kdc_entry);
1402 const char *delegation_check_attrs[] = {
1403 "objectSid", NULL
1404 };
1405
1406 TALLOC_CTX *mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_check_constrained_delegation");
1407
1408 if (!mem_ctx) {
1409 ret = ENOMEM;
1410 krb5_set_error_message(context, ret, "samba_kdc_fetch: talloc_named() failed!");
1411 return ret;
1412 }
1413
1414 if (target_principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
1415 /* Need to reparse the enterprise principal to find the real target */
1416 if (target_principal->name.name_string.len != 1) {
1417 ret = KRB5_PARSE_MALFORMED;
1418 krb5_set_error_message(context, ret, "samba_kdc_check_constrained_delegation: request for delegation to enterprise principal with wrong (%d) number of components",
1419 target_principal->name.name_string.len);
1420 talloc_free(mem_ctx);
1421 return ret;
1422 }
1423 ret = krb5_parse_name(context, target_principal->name.name_string.val[0],
1424 &enterprise_prinicpal);
1425 if (ret) {
1426 talloc_free(mem_ctx);
1427 return ret;
1428 }
1429 target_principal = enterprise_prinicpal;
1430 }
1431
1432 ret = samba_kdc_lookup_server(context, kdc_db_ctx, mem_ctx, target_principal,
1433 delegation_check_attrs, &realm_dn, &msg);
1434
1435 krb5_free_principal(context, enterprise_prinicpal);
1436
1437 if (ret != 0) {
1438 talloc_free(mem_ctx);
1439 return ret;
1440 }
1441
1442 orig_sid = samdb_result_dom_sid(mem_ctx, p->msg, "objectSid");
1443 target_sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid");
1444
1445 /* Allow delegation to the same principal, even if by a different
1446 * name. The easy and safe way to prove this is by SID
1447 * comparison */
1448 if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) {
1449 talloc_free(mem_ctx);
1450 return KRB5KDC_ERR_BADOPTION;
1451 }
1452
1453 talloc_free(mem_ctx);
1454 return ret;
1455 }
1456
1457 /* Certificates printed by a the Certificate Authority might have a
1458 * slightly different form of the user principal name to that in the
1459 * database. Allow a mismatch where they both refer to the same
1460 * SID */
1461
1462 krb5_error_code
1463 samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
1464 struct samba_kdc_db_context *kdc_db_ctx,
1465 hdb_entry_ex *entry,
1466 krb5_const_principal certificate_principal)
1467 {
1468 krb5_error_code ret;
1469 struct ldb_dn *realm_dn;
1470 struct ldb_message *msg;
1471 struct dom_sid *orig_sid;
1472 struct dom_sid *target_sid;
1473 struct samba_kdc_entry *p = talloc_get_type(entry->ctx, struct samba_kdc_entry);
1474 const char *ms_upn_check_attrs[] = {
1475 "objectSid", NULL
1476 };
1477
1478 TALLOC_CTX *mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_check_pkinit_ms_upn_match");
1479
1480 if (!mem_ctx) {
1481 ret = ENOMEM;
1482 krb5_set_error_message(context, ret, "samba_kdc_fetch: talloc_named() failed!");
1483 return ret;
1484 }
1485
1486 ret = samba_kdc_lookup_client(context, kdc_db_ctx,
1487 mem_ctx, certificate_principal,
1488 ms_upn_check_attrs, &realm_dn, &msg);
1489
1490 if (ret != 0) {
1491 talloc_free(mem_ctx);
1492 return ret;
1493 }
1494
1495 orig_sid = samdb_result_dom_sid(mem_ctx, p->msg, "objectSid");
1496 target_sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid");
1497
1498 /* Consider these to be the same principal, even if by a different
1499 * name. The easy and safe way to prove this is by SID
1500 * comparison */
1501 if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) {
1502 talloc_free(mem_ctx);
1503 return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
1504 }
1505
1506 talloc_free(mem_ctx);
1507 return ret;
1508 }
1509
fernandojvsilva's samba4 branch