search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
samba-tool: refuse to demote if the current DC has still roles
[Samba/gebeck_regimport.git] / source4 / auth / kerberos / kerberos_pac.c
blob8ce970e48677b2dd16db1df6f8ee75469f2f0632
1 /*
2 Unix SMB/CIFS implementation.
3
4 Create and parse the krb5 PAC
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005,2008
7 Copyright (C) Andrew Tridgell 2001
8 Copyright (C) Luke Howard 2002-2003
9 Copyright (C) Stefan Metzmacher 2004-2005
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 3 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 */
25
26 #include "includes.h"
27 #include "system/kerberos.h"
28 #include "auth/auth.h"
29 #include "auth/kerberos/kerberos.h"
30 #include "librpc/gen_ndr/ndr_krb5pac.h"
31 #include <ldb.h>
32 #include "auth/auth_sam_reply.h"
33
34 _PUBLIC_ NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
35 DATA_BLOB blob,
36 krb5_context context,
37 const krb5_keyblock *krbtgt_keyblock,
38 const krb5_keyblock *service_keyblock,
39 krb5_const_principal client_principal,
40 time_t tgs_authtime,
41 struct PAC_LOGON_INFO **logon_info)
42 {
43 NTSTATUS nt_status;
44 struct PAC_DATA *pac_data;
45 int i;
46 nt_status = kerberos_decode_pac(mem_ctx,
47 blob,
48 context,
49 krbtgt_keyblock,
50 service_keyblock,
51 client_principal,
52 tgs_authtime,
53 &pac_data);
54 if (!NT_STATUS_IS_OK(nt_status)) {
55 return nt_status;
56 }
57
58 *logon_info = NULL;
59 for (i=0; i < pac_data->num_buffers; i++) {
60 if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
61 continue;
62 }
63 *logon_info = pac_data->buffers[i].info->logon_info.info;
64 }
65 if (!*logon_info) {
66 return NT_STATUS_INVALID_PARAMETER;
67 }
68 return NT_STATUS_OK;
69 }
70
71 static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
72 DATA_BLOB *pac_data,
73 struct PAC_SIGNATURE_DATA *sig,
74 krb5_context context,
75 const krb5_keyblock *keyblock)
76 {
77 krb5_error_code ret;
78 krb5_crypto crypto;
79 Checksum cksum;
80
81
82 ret = krb5_crypto_init(context,
83 keyblock,
84 0,
85 &crypto);
86 if (ret) {
87 DEBUG(0,("krb5_crypto_init() failed: %s\n",
88 smb_get_krb5_error_message(context, ret, mem_ctx)));
89 return ret;
90 }
91 ret = krb5_create_checksum(context,
92 crypto,
93 KRB5_KU_OTHER_CKSUM,
94 0,
95 pac_data->data,
96 pac_data->length,
97 &cksum);
98 if (ret) {
99 DEBUG(2, ("PAC Verification failed: %s\n",
100 smb_get_krb5_error_message(context, ret, mem_ctx)));
101 }
102
103 krb5_crypto_destroy(context, crypto);
104
105 if (ret) {
106 return ret;
107 }
108
109 sig->type = cksum.cksumtype;
110 sig->signature = data_blob_talloc(mem_ctx, cksum.checksum.data, cksum.checksum.length);
111 free_Checksum(&cksum);
112
113 return 0;
114 }
115
116 krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx,
117 struct PAC_DATA *pac_data,
118 krb5_context context,
119 const krb5_keyblock *krbtgt_keyblock,
120 const krb5_keyblock *service_keyblock,
121 DATA_BLOB *pac)
122 {
123 NTSTATUS nt_status;
124 krb5_error_code ret;
125 enum ndr_err_code ndr_err;
126 DATA_BLOB zero_blob = data_blob(NULL, 0);
127 DATA_BLOB tmp_blob = data_blob(NULL, 0);
128 struct PAC_SIGNATURE_DATA *kdc_checksum = NULL;
129 struct PAC_SIGNATURE_DATA *srv_checksum = NULL;
130 int i;
131
132 /* First, just get the keytypes filled in (and lengths right, eventually) */
133 for (i=0; i < pac_data->num_buffers; i++) {
134 if (pac_data->buffers[i].type != PAC_TYPE_KDC_CHECKSUM) {
135 continue;
136 }
137 kdc_checksum = &pac_data->buffers[i].info->kdc_cksum,
138 ret = make_pac_checksum(mem_ctx, &zero_blob,
139 kdc_checksum,
140 context, krbtgt_keyblock);
141 if (ret) {
142 DEBUG(2, ("making krbtgt PAC checksum failed: %s\n",
143 smb_get_krb5_error_message(context, ret, mem_ctx)));
144 talloc_free(pac_data);
145 return ret;
146 }
147 }
148
149 for (i=0; i < pac_data->num_buffers; i++) {
150 if (pac_data->buffers[i].type != PAC_TYPE_SRV_CHECKSUM) {
151 continue;
152 }
153 srv_checksum = &pac_data->buffers[i].info->srv_cksum;
154 ret = make_pac_checksum(mem_ctx, &zero_blob,
155 srv_checksum,
156 context, service_keyblock);
157 if (ret) {
158 DEBUG(2, ("making service PAC checksum failed: %s\n",
159 smb_get_krb5_error_message(context, ret, mem_ctx)));
160 talloc_free(pac_data);
161 return ret;
162 }
163 }
164
165 if (!kdc_checksum) {
166 DEBUG(2, ("Invalid PAC constructed for signing, no KDC checksum present!"));
167 return EINVAL;
168 }
169 if (!srv_checksum) {
170 DEBUG(2, ("Invalid PAC constructed for signing, no SRV checksum present!"));
171 return EINVAL;
172 }
173
174 /* But wipe out the actual signatures */
175 memset(kdc_checksum->signature.data, '\0', kdc_checksum->signature.length);
176 memset(srv_checksum->signature.data, '\0', srv_checksum->signature.length);
177
178 ndr_err = ndr_push_struct_blob(&tmp_blob, mem_ctx,
179 pac_data,
180 (ndr_push_flags_fn_t)ndr_push_PAC_DATA);
181 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
182 nt_status = ndr_map_error2ntstatus(ndr_err);
183 DEBUG(1, ("PAC (presig) push failed: %s\n", nt_errstr(nt_status)));
184 talloc_free(pac_data);
185 return EINVAL;
186 }
187
188 /* Then sign the result of the previous push, where the sig was zero'ed out */
189 ret = make_pac_checksum(mem_ctx, &tmp_blob, srv_checksum,
190 context, service_keyblock);
191
192 /* Then sign Server checksum */
193 ret = make_pac_checksum(mem_ctx, &srv_checksum->signature, kdc_checksum, context, krbtgt_keyblock);
194 if (ret) {
195 DEBUG(2, ("making krbtgt PAC checksum failed: %s\n",
196 smb_get_krb5_error_message(context, ret, mem_ctx)));
197 talloc_free(pac_data);
198 return ret;
199 }
200
201 /* And push it out again, this time to the world. This relies on determanistic pointer values */
202 ndr_err = ndr_push_struct_blob(&tmp_blob, mem_ctx,
203 pac_data,
204 (ndr_push_flags_fn_t)ndr_push_PAC_DATA);
205 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
206 nt_status = ndr_map_error2ntstatus(ndr_err);
207 DEBUG(1, ("PAC (final) push failed: %s\n", nt_errstr(nt_status)));
208 talloc_free(pac_data);
209 return EINVAL;
210 }
211
212 *pac = tmp_blob;
213
214 return ret;
215 }
216
217
218 krb5_error_code kerberos_create_pac(TALLOC_CTX *mem_ctx,
219 struct auth_user_info_dc *user_info_dc,
220 krb5_context context,
221 const krb5_keyblock *krbtgt_keyblock,
222 const krb5_keyblock *service_keyblock,
223 krb5_principal client_principal,
224 time_t tgs_authtime,
225 DATA_BLOB *pac)
226 {
227 NTSTATUS nt_status;
228 krb5_error_code ret;
229 struct PAC_DATA *pac_data = talloc(mem_ctx, struct PAC_DATA);
230 struct netr_SamInfo3 *sam3;
231 union PAC_INFO *u_LOGON_INFO;
232 struct PAC_LOGON_INFO *LOGON_INFO;
233 union PAC_INFO *u_LOGON_NAME;
234 struct PAC_LOGON_NAME *LOGON_NAME;
235 union PAC_INFO *u_KDC_CHECKSUM;
236 union PAC_INFO *u_SRV_CHECKSUM;
237
238 char *name;
239
240 enum {
241 PAC_BUF_LOGON_INFO = 0,
242 PAC_BUF_LOGON_NAME = 1,
243 PAC_BUF_SRV_CHECKSUM = 2,
244 PAC_BUF_KDC_CHECKSUM = 3,
245 PAC_BUF_NUM_BUFFERS = 4
246 };
247
248 if (!pac_data) {
249 return ENOMEM;
250 }
251
252 pac_data->num_buffers = PAC_BUF_NUM_BUFFERS;
253 pac_data->version = 0;
254
255 pac_data->buffers = talloc_array(pac_data,
256 struct PAC_BUFFER,
257 pac_data->num_buffers);
258 if (!pac_data->buffers) {
259 talloc_free(pac_data);
260 return ENOMEM;
261 }
262
263 /* LOGON_INFO */
264 u_LOGON_INFO = talloc_zero(pac_data->buffers, union PAC_INFO);
265 if (!u_LOGON_INFO) {
266 talloc_free(pac_data);
267 return ENOMEM;
268 }
269 pac_data->buffers[PAC_BUF_LOGON_INFO].type = PAC_TYPE_LOGON_INFO;
270 pac_data->buffers[PAC_BUF_LOGON_INFO].info = u_LOGON_INFO;
271
272 /* LOGON_NAME */
273 u_LOGON_NAME = talloc_zero(pac_data->buffers, union PAC_INFO);
274 if (!u_LOGON_NAME) {
275 talloc_free(pac_data);
276 return ENOMEM;
277 }
278 pac_data->buffers[PAC_BUF_LOGON_NAME].type = PAC_TYPE_LOGON_NAME;
279 pac_data->buffers[PAC_BUF_LOGON_NAME].info = u_LOGON_NAME;
280 LOGON_NAME = &u_LOGON_NAME->logon_name;
281
282 /* SRV_CHECKSUM */
283 u_SRV_CHECKSUM = talloc_zero(pac_data->buffers, union PAC_INFO);
284 if (!u_SRV_CHECKSUM) {
285 talloc_free(pac_data);
286 return ENOMEM;
287 }
288 pac_data->buffers[PAC_BUF_SRV_CHECKSUM].type = PAC_TYPE_SRV_CHECKSUM;
289 pac_data->buffers[PAC_BUF_SRV_CHECKSUM].info = u_SRV_CHECKSUM;
290
291 /* KDC_CHECKSUM */
292 u_KDC_CHECKSUM = talloc_zero(pac_data->buffers, union PAC_INFO);
293 if (!u_KDC_CHECKSUM) {
294 talloc_free(pac_data);
295 return ENOMEM;
296 }
297 pac_data->buffers[PAC_BUF_KDC_CHECKSUM].type = PAC_TYPE_KDC_CHECKSUM;
298 pac_data->buffers[PAC_BUF_KDC_CHECKSUM].info = u_KDC_CHECKSUM;
299
300 /* now the real work begins... */
301
302 LOGON_INFO = talloc_zero(u_LOGON_INFO, struct PAC_LOGON_INFO);
303 if (!LOGON_INFO) {
304 talloc_free(pac_data);
305 return ENOMEM;
306 }
307 nt_status = auth_convert_user_info_dc_saminfo3(LOGON_INFO, user_info_dc, &sam3);
308 if (!NT_STATUS_IS_OK(nt_status)) {
309 DEBUG(1, ("Getting Samba info failed: %s\n", nt_errstr(nt_status)));
310 talloc_free(pac_data);
311 return EINVAL;
312 }
313
314 u_LOGON_INFO->logon_info.info = LOGON_INFO;
315 LOGON_INFO->info3 = *sam3;
316
317 ret = krb5_unparse_name_flags(context, client_principal,
318 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
319 if (ret) {
320 return ret;
321 }
322 LOGON_NAME->account_name = talloc_strdup(LOGON_NAME, name);
323 free(name);
324 /*
325 this logon_time field is absolutely critical. This is what
326 caused all our PAC troubles :-)
327 */
328 unix_to_nt_time(&LOGON_NAME->logon_time, tgs_authtime);
329
330 ret = kerberos_encode_pac(mem_ctx,
331 pac_data,
332 context,
333 krbtgt_keyblock,
334 service_keyblock,
335 pac);
336 talloc_free(pac_data);
337 return ret;
338 }
339
340 krb5_error_code kerberos_pac_to_user_info_dc(TALLOC_CTX *mem_ctx,
341 krb5_pac pac,
342 krb5_context context,
343 struct auth_user_info_dc **user_info_dc,
344 struct PAC_SIGNATURE_DATA *pac_srv_sig,
345 struct PAC_SIGNATURE_DATA *pac_kdc_sig)
346 {
347 NTSTATUS nt_status;
348 enum ndr_err_code ndr_err;
349 krb5_error_code ret;
350
351 DATA_BLOB pac_logon_info_in, pac_srv_checksum_in, pac_kdc_checksum_in;
352 krb5_data k5pac_logon_info_in, k5pac_srv_checksum_in, k5pac_kdc_checksum_in;
353
354 union PAC_INFO info;
355 struct auth_user_info_dc *user_info_dc_out;
356
357 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
358
359 if (!tmp_ctx) {
360 return ENOMEM;
361 }
362
363 ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_LOGON_INFO, &k5pac_logon_info_in);
364 if (ret != 0) {
365 talloc_free(tmp_ctx);
366 return EINVAL;
367 }
368
369 pac_logon_info_in = data_blob_const(k5pac_logon_info_in.data, k5pac_logon_info_in.length);
370
371 ndr_err = ndr_pull_union_blob(&pac_logon_info_in, tmp_ctx, &info,
372 PAC_TYPE_LOGON_INFO,
373 (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
374 krb5_data_free(&k5pac_logon_info_in);
375 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err) || !info.logon_info.info) {
376 nt_status = ndr_map_error2ntstatus(ndr_err);
377 DEBUG(0,("can't parse the PAC LOGON_INFO: %s\n", nt_errstr(nt_status)));
378 talloc_free(tmp_ctx);
379 return EINVAL;
380 }
381
382 /* Pull this right into the normal auth sysstem structures */
383 nt_status = make_user_info_dc_pac(mem_ctx,
384 info.logon_info.info,
385 &user_info_dc_out);
386 if (!NT_STATUS_IS_OK(nt_status)) {
387 talloc_free(tmp_ctx);
388 return EINVAL;
389 }
390
391 if (pac_srv_sig) {
392 ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_SRV_CHECKSUM, &k5pac_srv_checksum_in);
393 if (ret != 0) {
394 talloc_free(tmp_ctx);
395 return ret;
396 }
397
398 pac_srv_checksum_in = data_blob_const(k5pac_srv_checksum_in.data, k5pac_srv_checksum_in.length);
399
400 ndr_err = ndr_pull_struct_blob(&pac_srv_checksum_in, pac_srv_sig,
401 pac_srv_sig,
402 (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
403 krb5_data_free(&k5pac_srv_checksum_in);
404 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
405 nt_status = ndr_map_error2ntstatus(ndr_err);
406 DEBUG(0,("can't parse the KDC signature: %s\n",
407 nt_errstr(nt_status)));
408 return EINVAL;
409 }
410 }
411
412 if (pac_kdc_sig) {
413 ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_KDC_CHECKSUM, &k5pac_kdc_checksum_in);
414 if (ret != 0) {
415 talloc_free(tmp_ctx);
416 return ret;
417 }
418
419 pac_kdc_checksum_in = data_blob_const(k5pac_kdc_checksum_in.data, k5pac_kdc_checksum_in.length);
420
421 ndr_err = ndr_pull_struct_blob(&pac_kdc_checksum_in, pac_kdc_sig,
422 pac_kdc_sig,
423 (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
424 krb5_data_free(&k5pac_kdc_checksum_in);
425 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
426 nt_status = ndr_map_error2ntstatus(ndr_err);
427 DEBUG(0,("can't parse the KDC signature: %s\n",
428 nt_errstr(nt_status)));
429 return EINVAL;
430 }
431 }
432 *user_info_dc = user_info_dc_out;
433
434 return 0;
435 }
436
437
438 NTSTATUS kerberos_pac_blob_to_user_info_dc(TALLOC_CTX *mem_ctx,
439 DATA_BLOB pac_blob,
440 krb5_context context,
441 struct auth_user_info_dc **user_info_dc,
442 struct PAC_SIGNATURE_DATA *pac_srv_sig,
443 struct PAC_SIGNATURE_DATA *pac_kdc_sig)
444 {
445 krb5_error_code ret;
446 krb5_pac pac;
447 ret = krb5_pac_parse(context,
448 pac_blob.data, pac_blob.length,
449 &pac);
450 if (ret) {
451 return map_nt_error_from_unix_common(ret);
452 }
453
454
455 ret = kerberos_pac_to_user_info_dc(mem_ctx, pac, context, user_info_dc, pac_srv_sig, pac_kdc_sig);
456 krb5_pac_free(context, pac);
457 if (ret) {
458 return map_nt_error_from_unix_common(ret);
459 }
460 return NT_STATUS_OK;
461 }
reg import