2 * Unix SMB/CIFS implementation.
4 * Copyright (C) Volker Lendecke 2003
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #ifdef WITH_FAKE_KASERVER
24 #define NO_ASN1_TYPEDEFS 1
29 #include "../librpc/gen_ndr/ndr_netlogon.h"
31 #include <afs/param.h>
35 #include <afs/venus.h>
36 #include <asm/unistd.h>
37 #include <openssl/des.h>
43 uint32 BeginTimestamp
;
47 static char *afs_encode_token(const char *cell
, const DATA_BLOB ticket
,
48 const struct ClearToken
*ct
)
53 DATA_BLOB key
= data_blob(ct
->HandShakeKey
, 8);
57 mem_ctx
= talloc_stackframe();
61 base64_ticket
= base64_encode_data_blob(mem_ctx
, ticket
);
62 if (base64_ticket
== NULL
)
65 base64_key
= base64_encode_data_blob(mem_ctx
, key
);
66 if (base64_key
== NULL
)
69 asprintf(&result
, "%s\n%u\n%s\n%u\n%u\n%u\n%s\n", cell
,
70 ct
->AuthHandle
, base64_key
, ct
->ViceId
, ct
->BeginTimestamp
,
71 ct
->EndTimestamp
, base64_ticket
);
73 DEBUG(10, ("Got ticket string:\n%s\n", result
));
81 /* Create a ClearToken and an encrypted ticket. ClearToken has not yet the
82 * ViceId set, this should be set by the caller. */
84 static bool afs_createtoken(const char *username
, const char *cell
,
85 DATA_BLOB
*ticket
, struct ClearToken
*ct
)
88 char *p
= clear_ticket
;
93 des_key_schedule key_schedule
;
98 if (!secrets_fetch_afs_key(cell
, &key
)) {
99 DEBUG(1, ("Could not fetch AFS service key\n"));
103 ct
->AuthHandle
= key
.kvno
;
105 /* Build the ticket. This is going to be encrypted, so in our
106 way we fill in ct while we still have the unencrypted
115 /* "Alice", the client username */
116 strncpy(p
, username
, sizeof(clear_ticket
)-PTR_DIFF(p
,clear_ticket
)-1);
118 strncpy(p
, "", sizeof(clear_ticket
)-PTR_DIFF(p
,clear_ticket
)-1);
120 strncpy(p
, cell
, sizeof(clear_ticket
)-PTR_DIFF(p
,clear_ticket
)-1);
123 /* Alice's network layer address. At least Openafs-1.2.10
124 ignores this, so we fill in a dummy value here. */
128 /* We need to create a session key */
129 generate_random_buffer((uint8_t *)p
, 8);
131 /* Our client code needs the the key in the clear, it does not
132 know the server-key ... */
133 memcpy(ct
->HandShakeKey
, p
, 8);
137 /* This is a kerberos 4 life time. The life time is expressed
138 * in units of 5 minute intervals up to 38400 seconds, after
139 * that a table is used up to lifetime 0xBF. Values between
140 * 0xC0 and 0xFF is undefined. 0xFF is defined to be the
141 * infinite time that never expire.
143 * So here we cheat and use the infinite time */
147 /* Ticket creation time */
150 ct
->BeginTimestamp
= now
;
152 if(lp_afs_token_lifetime() == 0)
153 ct
->EndTimestamp
= NEVERDATE
;
155 ct
->EndTimestamp
= now
+ lp_afs_token_lifetime();
157 if (((ct
->EndTimestamp
- ct
->BeginTimestamp
) & 1) == 1) {
158 ct
->BeginTimestamp
+= 1; /* Lifetime must be even */
162 /* And here comes Bob's name and instance, in this case the
164 strncpy(p
, "afs", sizeof(clear_ticket
)-PTR_DIFF(p
,clear_ticket
)-1);
166 strncpy(p
, "", sizeof(clear_ticket
)-PTR_DIFF(p
,clear_ticket
)-1);
169 /* And zero-pad to a multiple of 8 bytes */
170 len
= PTR_DIFF(p
, clear_ticket
);
172 uint32 extra_space
= 8-(len
& 7);
173 memset(p
, 0, extra_space
);
176 len
= PTR_DIFF(p
, clear_ticket
);
178 des_key_sched((const_des_cblock
*)key
.key
, key_schedule
);
179 des_pcbc_encrypt((const unsigned char*) clear_ticket
,
180 (unsigned char*) clear_ticket
,
181 len
, key_schedule
, (C_Block
*)key
.key
, 1);
185 *ticket
= data_blob(clear_ticket
, len
);
190 char *afs_createtoken_str(const char *username
, const char *cell
)
193 struct ClearToken ct
;
196 if (!afs_createtoken(username
, cell
, &ticket
, &ct
))
199 result
= afs_encode_token(cell
, ticket
, &ct
);
201 data_blob_free(&ticket
);
207 This routine takes a radical approach completely bypassing the
208 Kerberos idea of security and using AFS simply as an intelligent
209 file backend. Samba has persuaded itself somehow that the user is
210 actually correctly identified and then we create a ticket that the
211 AFS server hopefully accepts using its KeyFile that the admin has
212 kindly stored to our secrets.tdb.
214 Thanks to the book "Network Security -- PRIVATE Communication in a
215 PUBLIC World" by Charlie Kaufman, Radia Perlman and Mike Speciner
216 Kerberos 4 tickets are not really hard to construct.
218 For the comments "Alice" is the User to be auth'ed, and "Bob" is the
221 bool afs_login(connection_struct
*conn
)
224 char *afs_username
= NULL
;
227 char *ticket_str
= NULL
;
228 const struct dom_sid
*user_sid
;
229 TALLOC_CTX
*ctx
= talloc_tos();
231 struct ClearToken ct
;
233 afs_username
= talloc_strdup(ctx
,
234 lp_afs_username_map());
239 afs_username
= talloc_sub_advanced(ctx
,
240 lp_servicename(SNUM(conn
)),
241 conn
->session_info
->unix_info
->unix_name
,
243 conn
->session_info
->unix_token
->gid
,
244 conn
->session_info
->unix_info
->sanitized_username
,
245 conn
->session_info
->info
->domain_name
,
251 user_sid
= &conn
->session_info
->security_token
->sids
[0];
252 afs_username
= talloc_string_sub(talloc_tos(),
255 sid_string_tos(user_sid
));
260 /* The pts command always generates completely lower-case user
262 if (!strlower_m(afs_username
)) {
266 cell
= strchr(afs_username
, '@');
269 DEBUG(1, ("AFS username doesn't contain a @, "
270 "could not find cell\n"));
277 DEBUG(10, ("Trying to log into AFS for user %s@%s\n",
278 afs_username
, cell
));
280 if (!afs_createtoken(afs_username
, cell
, &ticket
, &ct
))
283 /* For which Unix-UID do we want to set the token? */
284 ct
.ViceId
= getuid();
286 ticket_str
= afs_encode_token(cell
, ticket
, &ct
);
288 result
= afs_settoken_str(ticket_str
);
290 SAFE_FREE(ticket_str
);
292 data_blob_free(&ticket
);
299 bool afs_login(connection_struct
*conn
)
304 char *afs_createtoken_str(const char *username
, const char *cell
)
309 #endif /* WITH_FAKE_KASERVER */