search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Talloc doc: Fix a cut&paste error
[Samba/gebeck_regimport.git] / source3 / libsmb / clikrb5.c
blob792400b3ce238a06f9f263c291e9628b833f65b3
1 /*
2 Unix SMB/CIFS implementation.
3 simple kerberos5 routines for active directory
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Luke Howard 2002-2003
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
7 Copyright (C) Guenther Deschner 2005-2009
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "smb_krb5.h"
25 #include "../librpc/gen_ndr/krb5pac.h"
26 #include "../lib/util/asn1.h"
27 #include "libsmb/nmblib.h"
28
29 #ifndef KRB5_AUTHDATA_WIN2K_PAC
30 #define KRB5_AUTHDATA_WIN2K_PAC 128
31 #endif
32
33 #ifndef KRB5_AUTHDATA_IF_RELEVANT
34 #define KRB5_AUTHDATA_IF_RELEVANT 1
35 #endif
36
37 #ifdef HAVE_KRB5
38
39 #define GSSAPI_CHECKSUM 0x8003 /* Checksum type value for Kerberos */
40 #define GSSAPI_BNDLENGTH 16 /* Bind Length (rfc-1964 pg.3) */
41 #define GSSAPI_CHECKSUM_SIZE (4+GSSAPI_BNDLENGTH+4) /* Length of bind length,
42 bind field, flags field. */
43
44 /* MIT krb5 1.7beta3 (in Ubuntu Karmic) is missing the prototype,
45 but still has the symbol */
46 #if !HAVE_DECL_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE
47 krb5_error_code krb5_auth_con_set_req_cksumtype(
48 krb5_context context,
49 krb5_auth_context auth_context,
50 krb5_cksumtype cksumtype);
51 #endif
52
53 #if !defined(HAVE_KRB5_SET_DEFAULT_TGS_KTYPES)
54
55 #if defined(HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES)
56
57 /* With MIT kerberos, we should use krb5_set_default_tgs_enctypes in preference
58 * to krb5_set_default_tgs_ktypes. See
59 * http://lists.samba.org/archive/samba-technical/2006-July/048271.html
60 *
61 * If the MIT libraries are not exporting internal symbols, we will end up in
62 * this branch, which is correct. Otherwise we will continue to use the
63 * internal symbol
64 */
65 krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc)
66 {
67 return krb5_set_default_tgs_enctypes(ctx, enc);
68 }
69
70 #elif defined(HAVE_KRB5_SET_DEFAULT_IN_TKT_ETYPES)
71
72 /* Heimdal */
73 krb5_error_code krb5_set_default_tgs_ktypes(krb5_context ctx, const krb5_enctype *enc)
74 {
75 return krb5_set_default_in_tkt_etypes(ctx, enc);
76 }
77
78 #endif /* HAVE_KRB5_SET_DEFAULT_TGS_ENCTYPES */
79
80 #endif /* HAVE_KRB5_SET_DEFAULT_TGS_KTYPES */
81
82 #if defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS)
83 /* HEIMDAL */
84 bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr)
85 {
86 memset(pkaddr, '\0', sizeof(krb5_address));
87 #if defined(HAVE_IPV6) && defined(KRB5_ADDRESS_INET6)
88 if (paddr->ss_family == AF_INET6) {
89 pkaddr->addr_type = KRB5_ADDRESS_INET6;
90 pkaddr->address.length = sizeof(((struct sockaddr_in6 *)paddr)->sin6_addr);
91 pkaddr->address.data = (char *)&(((struct sockaddr_in6 *)paddr)->sin6_addr);
92 return true;
93 }
94 #endif
95 if (paddr->ss_family == AF_INET) {
96 pkaddr->addr_type = KRB5_ADDRESS_INET;
97 pkaddr->address.length = sizeof(((struct sockaddr_in *)paddr)->sin_addr);
98 pkaddr->address.data = (char *)&(((struct sockaddr_in *)paddr)->sin_addr);
99 return true;
100 }
101 return false;
102 }
103 #elif defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS)
104 /* MIT */
105 bool setup_kaddr( krb5_address *pkaddr, struct sockaddr_storage *paddr)
106 {
107 memset(pkaddr, '\0', sizeof(krb5_address));
108 #if defined(HAVE_IPV6) && defined(ADDRTYPE_INET6)
109 if (paddr->ss_family == AF_INET6) {
110 pkaddr->addrtype = ADDRTYPE_INET6;
111 pkaddr->length = sizeof(((struct sockaddr_in6 *)paddr)->sin6_addr);
112 pkaddr->contents = (krb5_octet *)&(((struct sockaddr_in6 *)paddr)->sin6_addr);
113 return true;
114 }
115 #endif
116 if (paddr->ss_family == AF_INET) {
117 pkaddr->addrtype = ADDRTYPE_INET;
118 pkaddr->length = sizeof(((struct sockaddr_in *)paddr)->sin_addr);
119 pkaddr->contents = (krb5_octet *)&(((struct sockaddr_in *)paddr)->sin_addr);
120 return true;
121 }
122 return false;
123 }
124 #else
125 #error UNKNOWN_ADDRTYPE
126 #endif
127
128 int create_kerberos_key_from_string(krb5_context context,
129 krb5_principal host_princ,
130 krb5_data *password,
131 krb5_keyblock *key,
132 krb5_enctype enctype,
133 bool no_salt)
134 {
135 krb5_principal salt_princ = NULL;
136 int ret;
137 /*
138 * Check if we've determined that the KDC is salting keys for this
139 * principal/enctype in a non-obvious way. If it is, try to match
140 * its behavior.
141 */
142 if (no_salt) {
143 KRB5_KEY_DATA(key) = (KRB5_KEY_DATA_CAST *)SMB_MALLOC(password->length);
144 if (!KRB5_KEY_DATA(key)) {
145 return ENOMEM;
146 }
147 memcpy(KRB5_KEY_DATA(key), password->data, password->length);
148 KRB5_KEY_LENGTH(key) = password->length;
149 KRB5_KEY_TYPE(key) = enctype;
150 return 0;
151 }
152 salt_princ = kerberos_fetch_salt_princ_for_host_princ(context, host_princ, enctype);
153 ret = create_kerberos_key_from_string_direct(context, salt_princ ? salt_princ : host_princ, password, key, enctype);
154 if (salt_princ) {
155 krb5_free_principal(context, salt_princ);
156 }
157 return ret;
158 }
159
160 #if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES)
161 krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
162 krb5_enctype **enctypes)
163 {
164 return krb5_get_permitted_enctypes(context, enctypes);
165 }
166 #elif defined(HAVE_KRB5_GET_DEFAULT_IN_TKT_ETYPES)
167 krb5_error_code get_kerberos_allowed_etypes(krb5_context context,
168 krb5_enctype **enctypes)
169 {
170 #ifdef HAVE_KRB5_PDU_NONE_DECL
171 return krb5_get_default_in_tkt_etypes(context, KRB5_PDU_NONE, enctypes);
172 #else
173 return krb5_get_default_in_tkt_etypes(context, enctypes);
174 #endif
175 }
176 #else
177 #error UNKNOWN_GET_ENCTYPES_FUNCTIONS
178 #endif
179
180 #if defined(HAVE_KRB5_AUTH_CON_SETKEY) && !defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY)
181 krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context,
182 krb5_auth_context auth_context,
183 krb5_keyblock *keyblock)
184 {
185 return krb5_auth_con_setkey(context, auth_context, keyblock);
186 }
187 #endif
188
189 bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx,
190 DATA_BLOB *edata,
191 DATA_BLOB *edata_out)
192 {
193 DATA_BLOB edata_contents;
194 ASN1_DATA *data;
195 int edata_type;
196
197 if (!edata->length) {
198 return False;
199 }
200
201 data = asn1_init(mem_ctx);
202 if (data == NULL) {
203 return false;
204 }
205
206 asn1_load(data, *edata);
207 asn1_start_tag(data, ASN1_SEQUENCE(0));
208 asn1_start_tag(data, ASN1_CONTEXT(1));
209 asn1_read_Integer(data, &edata_type);
210
211 if (edata_type != KRB5_PADATA_PW_SALT) {
212 DEBUG(0,("edata is not of required type %d but of type %d\n",
213 KRB5_PADATA_PW_SALT, edata_type));
214 asn1_free(data);
215 return False;
216 }
217
218 asn1_start_tag(data, ASN1_CONTEXT(2));
219 asn1_read_OctetString(data, talloc_tos(), &edata_contents);
220 asn1_end_tag(data);
221 asn1_end_tag(data);
222 asn1_end_tag(data);
223 asn1_free(data);
224
225 *edata_out = data_blob_talloc(mem_ctx, edata_contents.data, edata_contents.length);
226
227 data_blob_free(&edata_contents);
228
229 return True;
230 }
231
232
233 static bool ads_cleanup_expired_creds(krb5_context context,
234 krb5_ccache ccache,
235 krb5_creds *credsp)
236 {
237 krb5_error_code retval;
238 const char *cc_type = krb5_cc_get_type(context, ccache);
239
240 DEBUG(3, ("ads_cleanup_expired_creds: Ticket in ccache[%s:%s] expiration %s\n",
241 cc_type, krb5_cc_get_name(context, ccache),
242 http_timestring(talloc_tos(), credsp->times.endtime)));
243
244 /* we will probably need new tickets if the current ones
245 will expire within 10 seconds.
246 */
247 if (credsp->times.endtime >= (time(NULL) + 10))
248 return False;
249
250 /* heimdal won't remove creds from a file ccache, and
251 perhaps we shouldn't anyway, since internally we
252 use memory ccaches, and a FILE one probably means that
253 we're using creds obtained outside of our exectuable
254 */
255 if (strequal(cc_type, "FILE")) {
256 DEBUG(5, ("ads_cleanup_expired_creds: We do not remove creds from a %s ccache\n", cc_type));
257 return False;
258 }
259
260 retval = krb5_cc_remove_cred(context, ccache, 0, credsp);
261 if (retval) {
262 DEBUG(1, ("ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err %s\n",
263 error_message(retval)));
264 /* If we have an error in this, we want to display it,
265 but continue as though we deleted it */
266 }
267 return True;
268 }
269
270 /* Allocate and setup the auth context into the state we need. */
271
272 static krb5_error_code setup_auth_context(krb5_context context,
273 krb5_auth_context *auth_context)
274 {
275 krb5_error_code retval;
276
277 retval = krb5_auth_con_init(context, auth_context );
278 if (retval) {
279 DEBUG(1,("krb5_auth_con_init failed (%s)\n",
280 error_message(retval)));
281 return retval;
282 }
283
284 /* Ensure this is an addressless ticket. */
285 retval = krb5_auth_con_setaddrs(context, *auth_context, NULL, NULL);
286 if (retval) {
287 DEBUG(1,("krb5_auth_con_setaddrs failed (%s)\n",
288 error_message(retval)));
289 }
290
291 return retval;
292 }
293
294 #if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
295 static krb5_error_code create_gss_checksum(krb5_data *in_data, /* [inout] */
296 uint32_t gss_flags)
297 {
298 unsigned int orig_length = in_data->length;
299 unsigned int base_cksum_size = GSSAPI_CHECKSUM_SIZE;
300 char *gss_cksum = NULL;
301
302 if (orig_length) {
303 /* Extra length field for delgated ticket. */
304 base_cksum_size += 4;
305 }
306
307 if ((unsigned int)base_cksum_size + orig_length <
308 (unsigned int)base_cksum_size) {
309 return EINVAL;
310 }
311
312 gss_cksum = (char *)SMB_MALLOC(base_cksum_size + orig_length);
313 if (gss_cksum == NULL) {
314 return ENOMEM;
315 }
316
317 memset(gss_cksum, '\0', base_cksum_size + orig_length);
318 SIVAL(gss_cksum, 0, GSSAPI_BNDLENGTH);
319
320 /*
321 * GSS_C_NO_CHANNEL_BINDINGS means 16 zero bytes.
322 * This matches the behavior of heimdal and mit.
323 *
324 * And it is needed to work against some closed source
325 * SMB servers.
326 *
327 * See bug #7883
328 */
329 memset(&gss_cksum[4], 0x00, GSSAPI_BNDLENGTH);
330
331 SIVAL(gss_cksum, 20, gss_flags);
332
333 if (orig_length) {
334 SSVAL(gss_cksum, 24, 1); /* The Delegation Option identifier */
335 SSVAL(gss_cksum, 26, orig_length);
336 /* Copy the kerberos KRB_CRED data */
337 memcpy(gss_cksum + 28, in_data->data, orig_length);
338 free(in_data->data);
339 in_data->data = NULL;
340 in_data->length = 0;
341 }
342 in_data->data = gss_cksum;
343 in_data->length = base_cksum_size + orig_length;
344 return 0;
345 }
346 #endif
347
348 /*
349 we can't use krb5_mk_req because w2k wants the service to be in a particular format
350 */
351 static krb5_error_code ads_krb5_mk_req(krb5_context context,
352 krb5_auth_context *auth_context,
353 const krb5_flags ap_req_options,
354 const char *principal,
355 krb5_ccache ccache,
356 krb5_data *outbuf,
357 time_t *expire_time,
358 const char *impersonate_princ_s)
359 {
360 krb5_error_code retval;
361 krb5_principal server;
362 krb5_principal impersonate_princ = NULL;
363 krb5_creds * credsp;
364 krb5_creds creds;
365 krb5_data in_data;
366 bool creds_ready = False;
367 int i = 0, maxtries = 3;
368
369 ZERO_STRUCT(in_data);
370
371 retval = smb_krb5_parse_name(context, principal, &server);
372 if (retval) {
373 DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", principal));
374 return retval;
375 }
376
377 if (impersonate_princ_s) {
378 retval = smb_krb5_parse_name(context, impersonate_princ_s,
379 &impersonate_princ);
380 if (retval) {
381 DEBUG(1,("ads_krb5_mk_req: Failed to parse principal %s\n", impersonate_princ_s));
382 goto cleanup_princ;
383 }
384 }
385
386 /* obtain ticket & session key */
387 ZERO_STRUCT(creds);
388 if ((retval = krb5_copy_principal(context, server, &creds.server))) {
389 DEBUG(1,("ads_krb5_mk_req: krb5_copy_principal failed (%s)\n",
390 error_message(retval)));
391 goto cleanup_princ;
392 }
393
394 if ((retval = krb5_cc_get_principal(context, ccache, &creds.client))) {
395 /* This can commonly fail on smbd startup with no ticket in the cache.
396 * Report at higher level than 1. */
397 DEBUG(3,("ads_krb5_mk_req: krb5_cc_get_principal failed (%s)\n",
398 error_message(retval)));
399 goto cleanup_creds;
400 }
401
402 while (!creds_ready && (i < maxtries)) {
403
404 if ((retval = smb_krb5_get_credentials(context, ccache,
405 creds.client,
406 creds.server,
407 impersonate_princ,
408 &credsp))) {
409 DEBUG(1,("ads_krb5_mk_req: smb_krb5_get_credentials failed for %s (%s)\n",
410 principal, error_message(retval)));
411 goto cleanup_creds;
412 }
413
414 /* cope with ticket being in the future due to clock skew */
415 if ((unsigned)credsp->times.starttime > time(NULL)) {
416 time_t t = time(NULL);
417 int time_offset =(int)((unsigned)credsp->times.starttime-t);
418 DEBUG(4,("ads_krb5_mk_req: Advancing clock by %d seconds to cope with clock skew\n", time_offset));
419 krb5_set_real_time(context, t + time_offset + 1, 0);
420 }
421
422 if (!ads_cleanup_expired_creds(context, ccache, credsp)) {
423 creds_ready = True;
424 }
425
426 i++;
427 }
428
429 DEBUG(10,("ads_krb5_mk_req: Ticket (%s) in ccache (%s:%s) is valid until: (%s - %u)\n",
430 principal, krb5_cc_get_type(context, ccache), krb5_cc_get_name(context, ccache),
431 http_timestring(talloc_tos(), (unsigned)credsp->times.endtime),
432 (unsigned)credsp->times.endtime));
433
434 if (expire_time) {
435 *expire_time = (time_t)credsp->times.endtime;
436 }
437
438 /* Allocate the auth_context. */
439 retval = setup_auth_context(context, auth_context);
440 if (retval) {
441 DEBUG(1,("setup_auth_context failed (%s)\n",
442 error_message(retval)));
443 goto cleanup_creds;
444 }
445
446 #if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
447 {
448 uint32_t gss_flags = 0;
449
450 if( credsp->ticket_flags & TKT_FLG_OK_AS_DELEGATE ) {
451 /* Fetch a forwarded TGT from the KDC so that we can hand off a 2nd ticket
452 as part of the kerberos exchange. */
453
454 DEBUG( 3, ("ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT\n") );
455
456 retval = krb5_auth_con_setuseruserkey(context,
457 *auth_context,
458 &credsp->keyblock );
459 if (retval) {
460 DEBUG(1,("krb5_auth_con_setuseruserkey failed (%s)\n",
461 error_message(retval)));
462 goto cleanup_creds;
463 }
464
465 /* Must use a subkey for forwarded tickets. */
466 retval = krb5_auth_con_setflags(context,
467 *auth_context,
468 KRB5_AUTH_CONTEXT_USE_SUBKEY);
469 if (retval) {
470 DEBUG(1,("krb5_auth_con_setflags failed (%s)\n",
471 error_message(retval)));
472 goto cleanup_creds;
473 }
474
475 retval = krb5_fwd_tgt_creds(context,/* Krb5 context [in] */
476 *auth_context, /* Authentication context [in] */
477 discard_const_p(char, KRB5_TGS_NAME), /* Ticket service name ("krbtgt") [in] */
478 credsp->client, /* Client principal for the tgt [in] */
479 credsp->server, /* Server principal for the tgt [in] */
480 ccache, /* Credential cache to use for storage [in] */
481 1, /* Turn on for "Forwardable ticket" [in] */
482 &in_data ); /* Resulting response [out] */
483
484 if (retval) {
485 DEBUG( 3, ("krb5_fwd_tgt_creds failed (%s)\n",
486 error_message( retval ) ) );
487
488 /*
489 * This is not fatal. Delete the *auth_context and continue
490 * with krb5_mk_req_extended to get a non-forwardable ticket.
491 */
492
493 if (in_data.data) {
494 free( in_data.data );
495 in_data.data = NULL;
496 in_data.length = 0;
497 }
498 krb5_auth_con_free(context, *auth_context);
499 *auth_context = NULL;
500 retval = setup_auth_context(context, auth_context);
501 if (retval) {
502 DEBUG(1,("setup_auth_context failed (%s)\n",
503 error_message(retval)));
504 goto cleanup_creds;
505 }
506 } else {
507 /* We got a delegated ticket. */
508 gss_flags |= GSS_C_DELEG_FLAG;
509 }
510 }
511
512 /* Frees and reallocates in_data into a GSS checksum blob. */
513 retval = create_gss_checksum(&in_data, gss_flags);
514 if (retval) {
515 goto cleanup_data;
516 }
517
518 /* We always want GSS-checksum types. */
519 retval = krb5_auth_con_set_req_cksumtype(context, *auth_context, GSSAPI_CHECKSUM );
520 if (retval) {
521 DEBUG(1,("krb5_auth_con_set_req_cksumtype failed (%s)\n",
522 error_message(retval)));
523 goto cleanup_data;
524 }
525 }
526 #endif
527
528 retval = krb5_mk_req_extended(context, auth_context, ap_req_options,
529 &in_data, credsp, outbuf);
530 if (retval) {
531 DEBUG(1,("ads_krb5_mk_req: krb5_mk_req_extended failed (%s)\n",
532 error_message(retval)));
533 }
534
535 #if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
536 cleanup_data:
537 #endif
538
539 if (in_data.data) {
540 free( in_data.data );
541 in_data.length = 0;
542 }
543
544 krb5_free_creds(context, credsp);
545
546 cleanup_creds:
547 krb5_free_cred_contents(context, &creds);
548
549 cleanup_princ:
550 krb5_free_principal(context, server);
551 if (impersonate_princ) {
552 krb5_free_principal(context, impersonate_princ);
553 }
554
555 return retval;
556 }
557
558 /*
559 get a kerberos5 ticket for the given service
560 */
561 int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
562 const char *principal, time_t time_offset,
563 DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
564 uint32_t extra_ap_opts, const char *ccname,
565 time_t *tgs_expire,
566 const char *impersonate_princ_s)
567
568 {
569 krb5_error_code retval;
570 krb5_data packet;
571 krb5_context context = NULL;
572 krb5_ccache ccdef = NULL;
573 krb5_auth_context auth_context = NULL;
574 krb5_enctype enc_types[] = {
575 ENCTYPE_ARCFOUR_HMAC,
576 ENCTYPE_DES_CBC_MD5,
577 ENCTYPE_DES_CBC_CRC,
578 ENCTYPE_NULL};
579
580 initialize_krb5_error_table();
581 retval = krb5_init_context(&context);
582 if (retval) {
583 DEBUG(1, ("krb5_init_context failed (%s)\n",
584 error_message(retval)));
585 goto failed;
586 }
587
588 if (time_offset != 0) {
589 krb5_set_real_time(context, time(NULL) + time_offset, 0);
590 }
591
592 if ((retval = krb5_cc_resolve(context, ccname ?
593 ccname : krb5_cc_default_name(context), &ccdef))) {
594 DEBUG(1, ("krb5_cc_default failed (%s)\n",
595 error_message(retval)));
596 goto failed;
597 }
598
599 if ((retval = krb5_set_default_tgs_ktypes(context, enc_types))) {
600 DEBUG(1, ("krb5_set_default_tgs_ktypes failed (%s)\n",
601 error_message(retval)));
602 goto failed;
603 }
604
605 retval = ads_krb5_mk_req(context, &auth_context,
606 AP_OPTS_USE_SUBKEY | (krb5_flags)extra_ap_opts,
607 principal, ccdef, &packet,
608 tgs_expire, impersonate_princ_s);
609 if (retval) {
610 goto failed;
611 }
612
613 get_krb5_smb_session_key(mem_ctx, context, auth_context,
614 session_key_krb5, false);
615
616 *ticket = data_blob_talloc(mem_ctx, packet.data, packet.length);
617
618 kerberos_free_data_contents(context, &packet);
619
620 failed:
621
622 if (context) {
623 if (ccdef)
624 krb5_cc_close(context, ccdef);
625 if (auth_context)
626 krb5_auth_con_free(context, auth_context);
627 krb5_free_context(context);
628 }
629
630 return retval;
631 }
632
633 bool get_krb5_smb_session_key(TALLOC_CTX *mem_ctx,
634 krb5_context context,
635 krb5_auth_context auth_context,
636 DATA_BLOB *session_key, bool remote)
637 {
638 krb5_keyblock *skey = NULL;
639 krb5_error_code err = 0;
640 bool ret = false;
641
642 if (remote) {
643 err = krb5_auth_con_getremotesubkey(context,
644 auth_context, &skey);
645 } else {
646 err = krb5_auth_con_getlocalsubkey(context,
647 auth_context, &skey);
648 }
649
650 if (err || skey == NULL) {
651 DEBUG(10, ("KRB5 error getting session key %d\n", err));
652 goto done;
653 }
654
655 DEBUG(10, ("Got KRB5 session key of length %d\n",
656 (int)KRB5_KEY_LENGTH(skey)));
657
658 *session_key = data_blob_talloc(mem_ctx,
659 KRB5_KEY_DATA(skey),
660 KRB5_KEY_LENGTH(skey));
661 dump_data_pw("KRB5 Session Key:\n",
662 session_key->data,
663 session_key->length);
664
665 ret = true;
666
667 done:
668 if (skey) {
669 krb5_free_keyblock(context, skey);
670 }
671
672 return ret;
673 }
674
675
676 #if defined(HAVE_KRB5_PRINCIPAL_GET_COMP_STRING) && !defined(HAVE_KRB5_PRINC_COMPONENT)
677 const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i );
678
679 const krb5_data *krb5_princ_component(krb5_context context, krb5_principal principal, int i )
680 {
681 static krb5_data kdata;
682
683 kdata.data = discard_const_p(char, krb5_principal_get_comp_string(context, principal, i));
684 kdata.length = strlen((const char *)kdata.data);
685 return &kdata;
686 }
687 #endif
688
689 /* Prototypes */
690
691 krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, /* FILE:/tmp/krb5cc_0 */
692 const char *client_string, /* gd@BER.SUSE.DE */
693 const char *service_string, /* krbtgt/BER.SUSE.DE@BER.SUSE.DE */
694 time_t *expire_time)
695 {
696 krb5_error_code ret;
697 krb5_context context = NULL;
698 krb5_ccache ccache = NULL;
699 krb5_principal client = NULL;
700 krb5_creds creds, creds_in, *creds_out = NULL;
701
702 ZERO_STRUCT(creds);
703 ZERO_STRUCT(creds_in);
704
705 initialize_krb5_error_table();
706 ret = krb5_init_context(&context);
707 if (ret) {
708 goto done;
709 }
710
711 if (!ccache_string) {
712 ccache_string = krb5_cc_default_name(context);
713 }
714
715 if (!ccache_string) {
716 ret = EINVAL;
717 goto done;
718 }
719
720 DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string));
721
722 /* FIXME: we should not fall back to defaults */
723 ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string), &ccache);
724 if (ret) {
725 goto done;
726 }
727
728 if (client_string) {
729 ret = smb_krb5_parse_name(context, client_string, &client);
730 if (ret) {
731 goto done;
732 }
733 } else {
734 ret = krb5_cc_get_principal(context, ccache, &client);
735 if (ret) {
736 goto done;
737 }
738 }
739
740 ret = krb5_get_renewed_creds(context, &creds, client, ccache, discard_const_p(char, service_string));
741 if (ret) {
742 DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
743 goto done;
744 }
745
746 /* hm, doesn't that create a new one if the old one wasn't there? - Guenther */
747 ret = krb5_cc_initialize(context, ccache, client);
748 if (ret) {
749 goto done;
750 }
751
752 ret = krb5_cc_store_cred(context, ccache, &creds);
753
754 if (expire_time) {
755 *expire_time = (time_t) creds.times.endtime;
756 }
757
758 done:
759 krb5_free_cred_contents(context, &creds_in);
760
761 if (creds_out) {
762 krb5_free_creds(context, creds_out);
763 } else {
764 krb5_free_cred_contents(context, &creds);
765 }
766
767 if (client) {
768 krb5_free_principal(context, client);
769 }
770 if (ccache) {
771 krb5_cc_close(context, ccache);
772 }
773 if (context) {
774 krb5_free_context(context);
775 }
776
777 return ret;
778 }
779
780 krb5_error_code smb_krb5_free_addresses(krb5_context context, smb_krb5_addresses *addr)
781 {
782 krb5_error_code ret = 0;
783 if (addr == NULL) {
784 return ret;
785 }
786 #if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
787 krb5_free_addresses(context, addr->addrs);
788 #elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */
789 ret = krb5_free_addresses(context, addr->addrs);
790 SAFE_FREE(addr->addrs);
791 #endif
792 SAFE_FREE(addr);
793 addr = NULL;
794 return ret;
795 }
796
797 krb5_error_code smb_krb5_gen_netbios_krb5_address(smb_krb5_addresses **kerb_addr)
798 {
799 krb5_error_code ret = 0;
800 nstring buf;
801 #if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
802 krb5_address **addrs = NULL;
803 #elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */
804 krb5_addresses *addrs = NULL;
805 #endif
806
807 *kerb_addr = (smb_krb5_addresses *)SMB_MALLOC(sizeof(smb_krb5_addresses));
808 if (*kerb_addr == NULL) {
809 return ENOMEM;
810 }
811
812 put_name(buf, lp_netbios_name(), ' ', 0x20);
813
814 #if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
815 {
816 int num_addr = 2;
817
818 addrs = (krb5_address **)SMB_MALLOC(sizeof(krb5_address *) * num_addr);
819 if (addrs == NULL) {
820 SAFE_FREE(*kerb_addr);
821 return ENOMEM;
822 }
823
824 memset(addrs, 0, sizeof(krb5_address *) * num_addr);
825
826 addrs[0] = (krb5_address *)SMB_MALLOC(sizeof(krb5_address));
827 if (addrs[0] == NULL) {
828 SAFE_FREE(addrs);
829 SAFE_FREE(*kerb_addr);
830 return ENOMEM;
831 }
832
833 addrs[0]->magic = KV5M_ADDRESS;
834 addrs[0]->addrtype = KRB5_ADDR_NETBIOS;
835 addrs[0]->length = MAX_NETBIOSNAME_LEN;
836 addrs[0]->contents = (unsigned char *)SMB_MALLOC(addrs[0]->length);
837 if (addrs[0]->contents == NULL) {
838 SAFE_FREE(addrs[0]);
839 SAFE_FREE(addrs);
840 SAFE_FREE(*kerb_addr);
841 return ENOMEM;
842 }
843
844 memcpy(addrs[0]->contents, buf, addrs[0]->length);
845
846 addrs[1] = NULL;
847 }
848 #elif defined(HAVE_ADDR_TYPE_IN_KRB5_ADDRESS) /* Heimdal */
849 {
850 addrs = (krb5_addresses *)SMB_MALLOC(sizeof(krb5_addresses));
851 if (addrs == NULL) {
852 SAFE_FREE(*kerb_addr);
853 return ENOMEM;
854 }
855
856 memset(addrs, 0, sizeof(krb5_addresses));
857
858 addrs->len = 1;
859 addrs->val = (krb5_address *)SMB_MALLOC(sizeof(krb5_address));
860 if (addrs->val == NULL) {
861 SAFE_FREE(addrs);
862 SAFE_FREE(kerb_addr);
863 return ENOMEM;
864 }
865
866 addrs->val[0].addr_type = KRB5_ADDR_NETBIOS;
867 addrs->val[0].address.length = MAX_NETBIOSNAME_LEN;
868 addrs->val[0].address.data = (unsigned char *)SMB_MALLOC(addrs->val[0].address.length);
869 if (addrs->val[0].address.data == NULL) {
870 SAFE_FREE(addrs->val);
871 SAFE_FREE(addrs);
872 SAFE_FREE(*kerb_addr);
873 return ENOMEM;
874 }
875
876 memcpy(addrs->val[0].address.data, buf, addrs->val[0].address.length);
877 }
878 #else
879 #error UNKNOWN_KRB5_ADDRESS_FORMAT
880 #endif
881 (*kerb_addr)->addrs = addrs;
882
883 return ret;
884 }
885
886 void smb_krb5_free_error(krb5_context context, krb5_error *krberror)
887 {
888 #ifdef HAVE_KRB5_FREE_ERROR_CONTENTS /* Heimdal */
889 krb5_free_error_contents(context, krberror);
890 #else /* MIT */
891 krb5_free_error(context, krberror);
892 #endif
893 }
894
895 krb5_error_code handle_krberror_packet(krb5_context context,
896 krb5_data *packet)
897 {
898 krb5_error_code ret;
899 bool got_error_code = False;
900
901 DEBUG(10,("handle_krberror_packet: got error packet\n"));
902
903 #ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR /* Heimdal */
904 {
905 krb5_error krberror;
906
907 if ((ret = krb5_rd_error(context, packet, &krberror))) {
908 DEBUG(10,("handle_krberror_packet: krb5_rd_error failed with: %s\n",
909 error_message(ret)));
910 return ret;
911 }
912
913 if (krberror.e_data == NULL || krberror.e_data->data == NULL) {
914 ret = (krb5_error_code) krberror.error_code;
915 got_error_code = True;
916 }
917
918 smb_krb5_free_error(context, &krberror);
919 }
920 #else /* MIT */
921 {
922 krb5_error *krberror;
923
924 if ((ret = krb5_rd_error(context, packet, &krberror))) {
925 DEBUG(10,("handle_krberror_packet: krb5_rd_error failed with: %s\n",
926 error_message(ret)));
927 return ret;
928 }
929
930 if (krberror->e_data.data == NULL) {
931 #if defined(ERROR_TABLE_BASE_krb5)
932 ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
933 #else
934 ret = (krb5_error_code)krberror->error;
935 #endif
936 got_error_code = True;
937 }
938 smb_krb5_free_error(context, krberror);
939 }
940 #endif
941 if (got_error_code) {
942 DEBUG(5,("handle_krberror_packet: got KERBERR from kpasswd: %s (%d)\n",
943 error_message(ret), ret));
944 }
945 return ret;
946 }
947
948 krb5_error_code smb_krb5_get_init_creds_opt_alloc(krb5_context context,
949 krb5_get_init_creds_opt **opt)
950 {
951 /* Heimdal or modern MIT version */
952 return krb5_get_init_creds_opt_alloc(context, opt);
953 }
954
955 void smb_krb5_get_init_creds_opt_free(krb5_context context,
956 krb5_get_init_creds_opt *opt)
957 {
958 /* Modern MIT or Heimdal version */
959 krb5_get_init_creds_opt_free(context, opt);
960 }
961
962 krb5_enctype smb_get_enctype_from_kt_entry(krb5_keytab_entry *kt_entry)
963 {
964 return KRB5_KEY_TYPE(KRB5_KT_KEY(kt_entry));
965 }
966
967
968 /* caller needs to free etype_s */
969 krb5_error_code smb_krb5_enctype_to_string(krb5_context context,
970 krb5_enctype enctype,
971 char **etype_s)
972 {
973 #ifdef HAVE_KRB5_ENCTYPE_TO_STRING_WITH_KRB5_CONTEXT_ARG
974 return krb5_enctype_to_string(context, enctype, etype_s); /* Heimdal */
975 #elif defined(HAVE_KRB5_ENCTYPE_TO_STRING_WITH_SIZE_T_ARG)
976 char buf[256];
977 krb5_error_code ret = krb5_enctype_to_string(enctype, buf, 256); /* MIT */
978 if (ret) {
979 return ret;
980 }
981 *etype_s = SMB_STRDUP(buf);
982 if (!*etype_s) {
983 return ENOMEM;
984 }
985 return ret;
986 #else
987 #error UNKNOWN_KRB5_ENCTYPE_TO_STRING_FUNCTION
988 #endif
989 }
990
991 /**********************************************************************
992 * Open a krb5 keytab with flags, handles readonly or readwrite access and
993 * allows to process non-default keytab names.
994 * @param context krb5_context
995 * @param keytab_name_req string
996 * @param write_access bool if writable keytab is required
997 * @param krb5_keytab pointer to krb5_keytab (close with krb5_kt_close())
998 * @return krb5_error_code
999 **********************************************************************/
1000
1001 /* This MAX_NAME_LEN is a constant defined in krb5.h */
1002 #ifndef MAX_KEYTAB_NAME_LEN
1003 #define MAX_KEYTAB_NAME_LEN 1100
1004 #endif
1005
1006 krb5_error_code smb_krb5_open_keytab(krb5_context context,
1007 const char *keytab_name_req,
1008 bool write_access,
1009 krb5_keytab *keytab)
1010 {
1011 krb5_error_code ret = 0;
1012 TALLOC_CTX *mem_ctx;
1013 char keytab_string[MAX_KEYTAB_NAME_LEN];
1014 char *kt_str = NULL;
1015 bool found_valid_name = False;
1016 const char *pragma = "FILE";
1017 const char *tmp = NULL;
1018
1019 if (!write_access && !keytab_name_req) {
1020 /* caller just wants to read the default keytab readonly, so be it */
1021 return krb5_kt_default(context, keytab);
1022 }
1023
1024 mem_ctx = talloc_init("smb_krb5_open_keytab");
1025 if (!mem_ctx) {
1026 return ENOMEM;
1027 }
1028
1029 #ifdef HAVE_WRFILE_KEYTAB
1030 if (write_access) {
1031 pragma = "WRFILE";
1032 }
1033 #endif
1034
1035 if (keytab_name_req) {
1036
1037 if (strlen(keytab_name_req) > MAX_KEYTAB_NAME_LEN) {
1038 ret = KRB5_CONFIG_NOTENUFSPACE;
1039 goto out;
1040 }
1041
1042 if ((strncmp(keytab_name_req, "WRFILE:/", 8) == 0) ||
1043 (strncmp(keytab_name_req, "FILE:/", 6) == 0)) {
1044 tmp = keytab_name_req;
1045 goto resolve;
1046 }
1047
1048 if (keytab_name_req[0] != '/') {
1049 ret = KRB5_KT_BADNAME;
1050 goto out;
1051 }
1052
1053 tmp = talloc_asprintf(mem_ctx, "%s:%s", pragma, keytab_name_req);
1054 if (!tmp) {
1055 ret = ENOMEM;
1056 goto out;
1057 }
1058
1059 goto resolve;
1060 }
1061
1062 /* we need to handle more complex keytab_strings, like:
1063 * "ANY:FILE:/etc/krb5.keytab,krb4:/etc/srvtab" */
1064
1065 ret = krb5_kt_default_name(context, &keytab_string[0], MAX_KEYTAB_NAME_LEN - 2);
1066 if (ret) {
1067 goto out;
1068 }
1069
1070 DEBUG(10,("smb_krb5_open_keytab: krb5_kt_default_name returned %s\n", keytab_string));
1071
1072 tmp = talloc_strdup(mem_ctx, keytab_string);
1073 if (!tmp) {
1074 ret = ENOMEM;
1075 goto out;
1076 }
1077
1078 if (strncmp(tmp, "ANY:", 4) == 0) {
1079 tmp += 4;
1080 }
1081
1082 memset(&keytab_string, '\0', sizeof(keytab_string));
1083
1084 while (next_token_talloc(mem_ctx, &tmp, &kt_str, ",")) {
1085 if (strncmp(kt_str, "WRFILE:", 7) == 0) {
1086 found_valid_name = True;
1087 tmp = kt_str;
1088 tmp += 7;
1089 }
1090
1091 if (strncmp(kt_str, "FILE:", 5) == 0) {
1092 found_valid_name = True;
1093 tmp = kt_str;
1094 tmp += 5;
1095 }
1096
1097 if (tmp[0] == '/') {
1098 /* Treat as a FILE: keytab definition. */
1099 found_valid_name = true;
1100 }
1101
1102 if (found_valid_name) {
1103 if (tmp[0] != '/') {
1104 ret = KRB5_KT_BADNAME;
1105 goto out;
1106 }
1107
1108 tmp = talloc_asprintf(mem_ctx, "%s:%s", pragma, tmp);
1109 if (!tmp) {
1110 ret = ENOMEM;
1111 goto out;
1112 }
1113 break;
1114 }
1115 }
1116
1117 if (!found_valid_name) {
1118 ret = KRB5_KT_UNKNOWN_TYPE;
1119 goto out;
1120 }
1121
1122 resolve:
1123 DEBUG(10,("smb_krb5_open_keytab: resolving: %s\n", tmp));
1124 ret = krb5_kt_resolve(context, tmp, keytab);
1125
1126 out:
1127 TALLOC_FREE(mem_ctx);
1128 return ret;
1129 }
1130
1131 krb5_error_code smb_krb5_keytab_name(TALLOC_CTX *mem_ctx,
1132 krb5_context context,
1133 krb5_keytab keytab,
1134 const char **keytab_name)
1135 {
1136 char keytab_string[MAX_KEYTAB_NAME_LEN];
1137 krb5_error_code ret = 0;
1138
1139 ret = krb5_kt_get_name(context, keytab,
1140 keytab_string, MAX_KEYTAB_NAME_LEN - 2);
1141 if (ret) {
1142 return ret;
1143 }
1144
1145 *keytab_name = talloc_strdup(mem_ctx, keytab_string);
1146 if (!*keytab_name) {
1147 return ENOMEM;
1148 }
1149
1150 return ret;
1151 }
1152
1153 #if defined(HAVE_KRB5_GET_CREDS_OPT_SET_IMPERSONATE) && \
1154 defined(HAVE_KRB5_GET_CREDS_OPT_ALLOC) && \
1155 defined(HAVE_KRB5_GET_CREDS)
1156 static krb5_error_code smb_krb5_get_credentials_for_user_opt(krb5_context context,
1157 krb5_ccache ccache,
1158 krb5_principal me,
1159 krb5_principal server,
1160 krb5_principal impersonate_princ,
1161 krb5_creds **out_creds)
1162 {
1163 krb5_error_code ret;
1164 krb5_get_creds_opt opt;
1165
1166 ret = krb5_get_creds_opt_alloc(context, &opt);
1167 if (ret) {
1168 goto done;
1169 }
1170 krb5_get_creds_opt_add_options(context, opt, KRB5_GC_FORWARDABLE);
1171
1172 if (impersonate_princ) {
1173 ret = krb5_get_creds_opt_set_impersonate(context, opt,
1174 impersonate_princ);
1175 if (ret) {
1176 goto done;
1177 }
1178 }
1179
1180 ret = krb5_get_creds(context, opt, ccache, server, out_creds);
1181 if (ret) {
1182 goto done;
1183 }
1184
1185 done:
1186 if (opt) {
1187 krb5_get_creds_opt_free(context, opt);
1188 }
1189 return ret;
1190 }
1191 #endif /* HAVE_KRB5_GET_CREDS_OPT_SET_IMPERSONATE */
1192
1193 #ifdef HAVE_KRB5_GET_CREDENTIALS_FOR_USER
1194 static krb5_error_code smb_krb5_get_credentials_for_user(krb5_context context,
1195 krb5_ccache ccache,
1196 krb5_principal me,
1197 krb5_principal server,
1198 krb5_principal impersonate_princ,
1199 krb5_creds **out_creds)
1200 {
1201 krb5_error_code ret;
1202 krb5_creds in_creds;
1203
1204 #if !HAVE_DECL_KRB5_GET_CREDENTIALS_FOR_USER
1205 krb5_error_code KRB5_CALLCONV
1206 krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
1207 krb5_ccache ccache, krb5_creds *in_creds,
1208 krb5_data *subject_cert,
1209 krb5_creds **out_creds);
1210 #endif /* !HAVE_DECL_KRB5_GET_CREDENTIALS_FOR_USER */
1211
1212 ZERO_STRUCT(in_creds);
1213
1214 if (impersonate_princ) {
1215
1216 in_creds.server = me;
1217 in_creds.client = impersonate_princ;
1218
1219 ret = krb5_get_credentials_for_user(context,
1220 0, /* krb5_flags options */
1221 ccache,
1222 &in_creds,
1223 NULL, /* krb5_data *subject_cert */
1224 out_creds);
1225 } else {
1226 in_creds.client = me;
1227 in_creds.server = server;
1228
1229 ret = krb5_get_credentials(context, 0, ccache,
1230 &in_creds, out_creds);
1231 }
1232
1233 return ret;
1234 }
1235 #endif /* HAVE_KRB5_GET_CREDENTIALS_FOR_USER */
1236
1237 /*
1238 * smb_krb5_get_credentials
1239 *
1240 * @brief Get krb5 credentials for a server
1241 *
1242 * @param[in] context An initialized krb5_context
1243 * @param[in] ccache An initialized krb5_ccache
1244 * @param[in] me The krb5_principal of the caller
1245 * @param[in] server The krb5_principal of the requested service
1246 * @param[in] impersonate_princ The krb5_principal of a user to impersonate as (optional)
1247 * @param[out] out_creds The returned krb5_creds structure
1248 * @return krb5_error_code
1249 *
1250 */
1251 krb5_error_code smb_krb5_get_credentials(krb5_context context,
1252 krb5_ccache ccache,
1253 krb5_principal me,
1254 krb5_principal server,
1255 krb5_principal impersonate_princ,
1256 krb5_creds **out_creds)
1257 {
1258 krb5_error_code ret;
1259 krb5_creds *creds = NULL;
1260
1261 *out_creds = NULL;
1262
1263 if (impersonate_princ) {
1264 #ifdef HAVE_KRB5_GET_CREDS_OPT_SET_IMPERSONATE /* Heimdal */
1265 ret = smb_krb5_get_credentials_for_user_opt(context, ccache, me, server, impersonate_princ, &creds);
1266 #elif defined(HAVE_KRB5_GET_CREDENTIALS_FOR_USER) /* MIT */
1267 ret = smb_krb5_get_credentials_for_user(context, ccache, me, server, impersonate_princ, &creds);
1268 #else
1269 ret = ENOTSUP;
1270 #endif
1271 } else {
1272 krb5_creds in_creds;
1273
1274 ZERO_STRUCT(in_creds);
1275
1276 in_creds.client = me;
1277 in_creds.server = server;
1278
1279 ret = krb5_get_credentials(context, 0, ccache,
1280 &in_creds, &creds);
1281 }
1282 if (ret) {
1283 goto done;
1284 }
1285
1286 if (out_creds) {
1287 *out_creds = creds;
1288 }
1289
1290 done:
1291 if (creds && ret) {
1292 krb5_free_creds(context, creds);
1293 }
1294
1295 return ret;
1296 }
1297
1298 /*
1299 * smb_krb5_get_creds
1300 *
1301 * @brief Get krb5 credentials for a server
1302 *
1303 * @param[in] server_s The string name of the service
1304 * @param[in] time_offset The offset to the KDCs time in seconds (optional)
1305 * @param[in] cc The krb5 credential cache string name (optional)
1306 * @param[in] impersonate_princ_s The string principal name to impersonate (optional)
1307 * @param[out] creds_p The returned krb5_creds structure
1308 * @return krb5_error_code
1309 *
1310 */
1311 krb5_error_code smb_krb5_get_creds(const char *server_s,
1312 time_t time_offset,
1313 const char *cc,
1314 const char *impersonate_princ_s,
1315 krb5_creds **creds_p)
1316 {
1317 krb5_error_code ret;
1318 krb5_context context = NULL;
1319 krb5_principal me = NULL;
1320 krb5_principal server = NULL;
1321 krb5_principal impersonate_princ = NULL;
1322 krb5_creds *creds = NULL;
1323 krb5_ccache ccache = NULL;
1324
1325 *creds_p = NULL;
1326
1327 initialize_krb5_error_table();
1328 ret = krb5_init_context(&context);
1329 if (ret) {
1330 goto done;
1331 }
1332
1333 if (time_offset != 0) {
1334 krb5_set_real_time(context, time(NULL) + time_offset, 0);
1335 }
1336
1337 ret = krb5_cc_resolve(context, cc ? cc :
1338 krb5_cc_default_name(context), &ccache);
1339 if (ret) {
1340 goto done;
1341 }
1342
1343 ret = krb5_cc_get_principal(context, ccache, &me);
1344 if (ret) {
1345 goto done;
1346 }
1347
1348 ret = smb_krb5_parse_name(context, server_s, &server);
1349 if (ret) {
1350 goto done;
1351 }
1352
1353 if (impersonate_princ_s) {
1354 ret = smb_krb5_parse_name(context, impersonate_princ_s,
1355 &impersonate_princ);
1356 if (ret) {
1357 goto done;
1358 }
1359 }
1360
1361 ret = smb_krb5_get_credentials(context, ccache,
1362 me, server, impersonate_princ,
1363 &creds);
1364 if (ret) {
1365 goto done;
1366 }
1367
1368 ret = krb5_cc_store_cred(context, ccache, creds);
1369 if (ret) {
1370 goto done;
1371 }
1372
1373 if (creds_p) {
1374 *creds_p = creds;
1375 }
1376
1377 DEBUG(1,("smb_krb5_get_creds: got ticket for %s\n",
1378 server_s));
1379
1380 if (impersonate_princ_s) {
1381 char *client = NULL;
1382
1383 ret = smb_krb5_unparse_name(talloc_tos(), context, creds->client, &client);
1384 if (ret) {
1385 goto done;
1386 }
1387 DEBUGADD(1,("smb_krb5_get_creds: using S4U2SELF impersonation as %s\n",
1388 client));
1389 TALLOC_FREE(client);
1390 }
1391
1392 done:
1393 if (!context) {
1394 return ret;
1395 }
1396
1397 if (creds && ret) {
1398 krb5_free_creds(context, creds);
1399 }
1400 if (server) {
1401 krb5_free_principal(context, server);
1402 }
1403 if (me) {
1404 krb5_free_principal(context, me);
1405 }
1406 if (impersonate_princ) {
1407 krb5_free_principal(context, impersonate_princ);
1408 }
1409 if (ccache) {
1410 krb5_cc_close(context, ccache);
1411 }
1412 krb5_free_context(context);
1413
1414 return ret;
1415 }
1416
1417 /*
1418 * smb_krb5_principal_get_realm
1419 *
1420 * @brief Get realm of a principal
1421 *
1422 * @param[in] context The krb5_context
1423 * @param[in] principal The principal
1424 * @return pointer to the realm
1425 *
1426 */
1427
1428 char *smb_krb5_principal_get_realm(krb5_context context,
1429 krb5_principal principal)
1430 {
1431 #ifdef HAVE_KRB5_PRINCIPAL_GET_REALM /* Heimdal */
1432 return discard_const_p(char, krb5_principal_get_realm(context, principal));
1433 #elif defined(krb5_princ_realm) /* MIT */
1434 krb5_data *realm;
1435 realm = krb5_princ_realm(context, principal);
1436 return discard_const_p(char, realm->data);
1437 #else
1438 return NULL;
1439 #endif
1440 }
1441
1442 /************************************************************************
1443 Routine to get the default realm from the kerberos credentials cache.
1444 Caller must free if the return value is not NULL.
1445 ************************************************************************/
1446
1447 static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx)
1448 {
1449 char *realm = NULL;
1450 krb5_context ctx = NULL;
1451 krb5_ccache cc = NULL;
1452 krb5_principal princ = NULL;
1453
1454 initialize_krb5_error_table();
1455 if (krb5_init_context(&ctx)) {
1456 return NULL;
1457 }
1458
1459 DEBUG(5,("kerberos_get_default_realm_from_ccache: "
1460 "Trying to read krb5 cache: %s\n",
1461 krb5_cc_default_name(ctx)));
1462 if (krb5_cc_default(ctx, &cc)) {
1463 DEBUG(0,("kerberos_get_default_realm_from_ccache: "
1464 "failed to read default cache\n"));
1465 goto out;
1466 }
1467 if (krb5_cc_get_principal(ctx, cc, &princ)) {
1468 DEBUG(0,("kerberos_get_default_realm_from_ccache: "
1469 "failed to get default principal\n"));
1470 goto out;
1471 }
1472
1473 #if defined(HAVE_KRB5_PRINCIPAL_GET_REALM)
1474 realm = talloc_strdup(mem_ctx, krb5_principal_get_realm(ctx, princ));
1475 #elif defined(HAVE_KRB5_PRINC_REALM)
1476 {
1477 krb5_data *realm_data = krb5_princ_realm(ctx, princ);
1478 realm = talloc_strndup(mem_ctx, realm_data->data, realm_data->length);
1479 }
1480 #endif
1481
1482 out:
1483
1484 if (ctx) {
1485 if (princ) {
1486 krb5_free_principal(ctx, princ);
1487 }
1488 if (cc) {
1489 krb5_cc_close(ctx, cc);
1490 }
1491 krb5_free_context(ctx);
1492 }
1493
1494 return realm;
1495 }
1496
1497 /************************************************************************
1498 Routine to get the realm from a given DNS name.
1499 ************************************************************************/
1500
1501 static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
1502 const char *hostname)
1503 {
1504 #if defined(HAVE_KRB5_REALM_TYPE)
1505 /* Heimdal. */
1506 krb5_realm *realm_list = NULL;
1507 #else
1508 /* MIT */
1509 char **realm_list = NULL;
1510 #endif
1511 char *realm = NULL;
1512 krb5_error_code kerr;
1513 krb5_context ctx = NULL;
1514
1515 initialize_krb5_error_table();
1516 if (krb5_init_context(&ctx)) {
1517 return NULL;
1518 }
1519
1520 kerr = krb5_get_host_realm(ctx, hostname, &realm_list);
1521 if (kerr != 0) {
1522 DEBUG(3,("kerberos_get_realm_from_hostname %s: "
1523 "failed %s\n",
1524 hostname ? hostname : "(NULL)",
1525 error_message(kerr) ));
1526 goto out;
1527 }
1528
1529 if (realm_list && realm_list[0]) {
1530 realm = talloc_strdup(mem_ctx, realm_list[0]);
1531 }
1532
1533 out:
1534
1535 if (ctx) {
1536 if (realm_list) {
1537 krb5_free_host_realm(ctx, realm_list);
1538 realm_list = NULL;
1539 }
1540 krb5_free_context(ctx);
1541 ctx = NULL;
1542 }
1543 return realm;
1544 }
1545
1546 char *kerberos_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx,
1547 const char *service,
1548 const char *remote_name)
1549 {
1550 char *realm = NULL;
1551 char *host = NULL;
1552 char *principal;
1553 host = strchr_m(remote_name, '.');
1554 if (host) {
1555 /* DNS name. */
1556 realm = smb_krb5_get_realm_from_hostname(talloc_tos(),
1557 remote_name);
1558 } else {
1559 /* NetBIOS name - use our realm. */
1560 realm = smb_krb5_get_default_realm_from_ccache(talloc_tos());
1561 }
1562
1563 if (realm == NULL || *realm == '\0') {
1564 realm = talloc_strdup(talloc_tos(), lp_realm());
1565 if (!realm) {
1566 return NULL;
1567 }
1568 DEBUG(3,("kerberos_get_principal_from_service_hostname: "
1569 "cannot get realm from, "
1570 "desthost %s or default ccache. Using default "
1571 "smb.conf realm %s\n",
1572 remote_name,
1573 realm));
1574 }
1575
1576 principal = talloc_asprintf(mem_ctx,
1577 "%s/%s@%s",
1578 service, remote_name,
1579 realm);
1580 TALLOC_FREE(realm);
1581 return principal;
1582 }
1583
1584 #else /* HAVE_KRB5 */
1585 /* this saves a few linking headaches */
1586 int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
1587 const char *principal, time_t time_offset,
1588 DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
1589 uint32_t extra_ap_opts,
1590 const char *ccname, time_t *tgs_expire,
1591 const char *impersonate_princ_s)
1592 {
1593 DEBUG(0,("NO KERBEROS SUPPORT\n"));
1594 return 1;
1595 }
1596
1597 #endif /* HAVE_KRB5 */
reg import