3 * DCERPC Server functions
4 * Copyright (C) Simo Sorce 2010.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "rpc_server/dcesrv_gssapi.h"
23 #include "../librpc/gen_ndr/ndr_krb5pac.h"
24 #include "librpc/crypto/gse.h"
27 #include "libcli/auth/krb5_wrap.h"
29 NTSTATUS
gssapi_server_auth_start(TALLOC_CTX
*mem_ctx
,
35 struct gse_context
**ctx
)
37 struct gse_context
*gse_ctx
= NULL
;
38 uint32_t add_flags
= 0;
42 add_flags
= GSS_C_DCE_STYLE
;
45 /* Let's init the gssapi machinery for this connection */
46 /* passing a NULL server name means the server will try
47 * to accept any connection regardless of the name used as
48 * long as it can find a decryption key */
49 /* by passing NULL, the code will attempt to set a default
50 * keytab based on configuration options */
51 status
= gse_init_server(mem_ctx
, do_sign
, do_seal
,
53 if (!NT_STATUS_IS_OK(status
)) {
54 DEBUG(0, ("Failed to init dcerpc gssapi server (%s)\n",
59 status
= gse_get_server_auth_token(mem_ctx
, gse_ctx
,
61 if (!NT_STATUS_IS_OK(status
)) {
62 DEBUG(0, ("Failed to parse initial client token (%s)\n",
68 status
= NT_STATUS_OK
;
71 if (!NT_STATUS_IS_OK(status
)) {
78 NTSTATUS
gssapi_server_step(struct gse_context
*gse_ctx
,
85 status
= gse_get_server_auth_token(mem_ctx
, gse_ctx
,
87 if (!NT_STATUS_IS_OK(status
)) {
91 if (gse_require_more_processing(gse_ctx
)) {
92 /* ask for next leg */
93 return NT_STATUS_MORE_PROCESSING_REQUIRED
;
99 NTSTATUS
gssapi_server_check_flags(struct gse_context
*gse_ctx
)
101 return gse_verify_server_auth_flags(gse_ctx
);
104 NTSTATUS
gssapi_server_get_user_info(struct gse_context
*gse_ctx
,
106 struct client_address
*client_id
,
107 struct auth_serversupplied_info
**server_info
)
111 struct PAC_DATA
*pac_data
= NULL
;
112 struct PAC_LOGON_INFO
*logon_info
= NULL
;
123 tmp_ctx
= talloc_new(mem_ctx
);
125 return NT_STATUS_NO_MEMORY
;
128 status
= gse_get_pac_blob(gse_ctx
, tmp_ctx
, &pac_blob
);
129 if (NT_STATUS_EQUAL(status
, NT_STATUS_NOT_FOUND
)) {
130 /* TODO: Fetch user by principal name ? */
131 status
= NT_STATUS_ACCESS_DENIED
;
134 if (!NT_STATUS_IS_OK(status
)) {
139 status
= kerberos_decode_pac(tmp_ctx
,
141 NULL
, NULL
, NULL
, NULL
, 0, &pac_data
);
143 status
= NT_STATUS_ACCESS_DENIED
;
145 data_blob_free(&pac_blob
);
146 if (!NT_STATUS_IS_OK(status
)) {
150 status
= gse_get_client_name(gse_ctx
, tmp_ctx
, &princ_name
);
151 if (!NT_STATUS_IS_OK(status
)) {
155 /* get logon name and logon info */
156 for (i
= 0; i
< pac_data
->num_buffers
; i
++) {
157 struct PAC_BUFFER
*data_buf
= &pac_data
->buffers
[i
];
159 switch (data_buf
->type
) {
160 case PAC_TYPE_LOGON_INFO
:
161 if (!data_buf
->info
) {
164 logon_info
= data_buf
->info
->logon_info
.info
;
171 DEBUG(1, ("Invalid PAC data, missing logon info!\n"));
172 status
= NT_STATUS_NOT_FOUND
;
176 status
= get_user_from_kerberos_info(tmp_ctx
, client_id
->name
,
177 princ_name
, logon_info
,
178 &is_mapped
, &is_guest
,
181 if (!NT_STATUS_IS_OK(status
)) {
182 DEBUG(1, ("Failed to map kerberos principal to system user "
183 "(%s)\n", nt_errstr(status
)));
184 status
= NT_STATUS_ACCESS_DENIED
;
188 /* TODO: save PAC data in netsamlogon cache ? */
190 status
= make_session_info_krb5(mem_ctx
,
191 ntuser
, ntdomain
, username
, pw
,
192 logon_info
, is_guest
, is_mapped
, NULL
/* No session key for now */,
194 if (!NT_STATUS_IS_OK(status
)) {
195 DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
197 status
= NT_STATUS_ACCESS_DENIED
;
201 DEBUG(5, (__location__
"OK: user: %s domain: %s client: %s\n",
202 ntuser
, ntdomain
, client_id
->name
));
204 status
= NT_STATUS_OK
;
207 TALLOC_FREE(tmp_ctx
);