2 Unix SMB/CIFS implementation.
4 PAC Glue between Samba and the KDC
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
7 Copyright (C) Simo Sorce <idra@samba.org> 2010
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "kdc/kdc-glue.h"
26 #include "kdc/pac-glue.h"
28 /* Given the right private pointer from hdb_samba4, get a PAC from the attached ldb messages */
29 static krb5_error_code
samba_wdc_get_pac(void *priv
, krb5_context context
,
30 struct hdb_entry_ex
*client
,
38 mem_ctx
= talloc_named(client
->ctx
, 0, "samba_get_pac context");
43 nt_status
= samba_kdc_get_pac_blob(mem_ctx
, client
, &pac_blob
);
44 if (!NT_STATUS_IS_OK(nt_status
)) {
49 ret
= samba_make_krb5_pac(context
, pac_blob
, NULL
, pac
);
55 /* Resign (and reform, including possibly new groups) a PAC */
57 static krb5_error_code
samba_wdc_reget_pac(void *priv
, krb5_context context
,
58 const krb5_principal client_principal
,
59 const krb5_principal delegated_proxy_principal
,
60 struct hdb_entry_ex
*client
,
61 struct hdb_entry_ex
*server
,
62 struct hdb_entry_ex
*krbtgt
,
65 struct samba_kdc_entry
*p
= talloc_get_type(server
->ctx
, struct samba_kdc_entry
);
66 TALLOC_CTX
*mem_ctx
= talloc_named(p
, 0, "samba_kdc_reget_pac context");
68 DATA_BLOB
*deleg_blob
= NULL
;
71 struct PAC_SIGNATURE_DATA
*pac_srv_sig
;
72 struct PAC_SIGNATURE_DATA
*pac_kdc_sig
;
73 bool is_in_db
, is_untrusted
;
79 /* The user account may be set not to want the PAC */
80 if (!samba_princ_needs_pac(server
)) {
85 /* If the krbtgt was generated by an RODC, and we are not that
86 * RODC, then we need to regenerate the PAC - we can't trust
88 ret
= samba_krbtgt_is_in_db(krbtgt
, &is_in_db
, &is_untrusted
);
96 return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
;
98 nt_status
= samba_kdc_get_pac_blob(mem_ctx
, client
, &pac_blob
);
99 if (!NT_STATUS_IS_OK(nt_status
)) {
100 talloc_free(mem_ctx
);
104 pac_blob
= talloc_zero(mem_ctx
, DATA_BLOB
);
106 talloc_free(mem_ctx
);
110 pac_srv_sig
= talloc_zero(mem_ctx
, struct PAC_SIGNATURE_DATA
);
112 talloc_free(mem_ctx
);
116 pac_kdc_sig
= talloc_zero(mem_ctx
, struct PAC_SIGNATURE_DATA
);
118 talloc_free(mem_ctx
);
122 nt_status
= samba_kdc_update_pac_blob(mem_ctx
, context
,
124 pac_srv_sig
, pac_kdc_sig
);
125 if (!NT_STATUS_IS_OK(nt_status
)) {
126 DEBUG(0, ("Building PAC failed: %s\n",
127 nt_errstr(nt_status
)));
128 talloc_free(mem_ctx
);
133 /* Now check the KDC signature, fetching the correct key based on the enc type */
134 ret
= kdc_check_pac(context
, pac_srv_sig
->signature
, pac_kdc_sig
, krbtgt
);
136 DEBUG(1, ("PAC KDC signature failed to verify\n"));
137 talloc_free(mem_ctx
);
143 if (delegated_proxy_principal
) {
144 deleg_blob
= talloc_zero(mem_ctx
, DATA_BLOB
);
146 talloc_free(mem_ctx
);
150 nt_status
= samba_kdc_update_delegation_info_blob(mem_ctx
,
152 server
->entry
.principal
,
153 delegated_proxy_principal
,
155 if (!NT_STATUS_IS_OK(nt_status
)) {
156 DEBUG(0, ("Building PAC failed: %s\n",
157 nt_errstr(nt_status
)));
158 talloc_free(mem_ctx
);
163 /* We now completely regenerate this pac */
164 krb5_pac_free(context
, *pac
);
166 ret
= samba_make_krb5_pac(context
, pac_blob
, deleg_blob
, pac
);
168 talloc_free(mem_ctx
);
172 static char *get_netbios_name(TALLOC_CTX
*mem_ctx
, HostAddresses
*addrs
)
174 char *nb_name
= NULL
;
178 for (i
= 0; addrs
&& i
< addrs
->len
; i
++) {
179 if (addrs
->val
[i
].addr_type
!= KRB5_ADDRESS_NETBIOS
) {
182 len
= MIN(addrs
->val
[i
].address
.length
, 15);
183 nb_name
= talloc_strndup(mem_ctx
,
184 addrs
->val
[i
].address
.data
, len
);
190 if (nb_name
== NULL
) {
194 /* Strip space padding */
195 i
= strlen(nb_name
) - 1;
196 while (i
> 0 && nb_name
[i
] == ' ') {
203 static krb5_data
fill_krb5_data(void *data
, size_t length
)
208 kdata
.length
= length
;
213 static krb5_error_code
samba_wdc_check_client_access(void *priv
,
214 krb5_context context
,
215 krb5_kdc_configuration
*config
,
216 hdb_entry_ex
*client_ex
, const char *client_name
,
217 hdb_entry_ex
*server_ex
, const char *server_name
,
221 struct samba_kdc_entry
*kdc_entry
;
222 bool password_change
;
226 kdc_entry
= talloc_get_type(client_ex
->ctx
, struct samba_kdc_entry
);
227 password_change
= (server_ex
&& server_ex
->entry
.flags
.change_pw
);
228 workstation
= get_netbios_name((TALLOC_CTX
*)client_ex
->ctx
,
229 req
->req_body
.addresses
);
231 nt_status
= samba_kdc_check_client_access(kdc_entry
,
236 if (!NT_STATUS_IS_OK(nt_status
)) {
237 if (NT_STATUS_EQUAL(nt_status
, NT_STATUS_NO_MEMORY
)) {
244 samba_kdc_build_edata_reply(nt_status
, &data
);
245 *e_data
= fill_krb5_data(data
.data
, data
.length
);
248 return samba_kdc_map_policy_err(nt_status
);
251 /* Now do the standard Heimdal check */
252 return kdc_check_flags(context
, config
,
253 client_ex
, client_name
,
254 server_ex
, server_name
,
255 req
->msg_type
== krb_as_req
);
258 static krb5_error_code
samba_wdc_plugin_init(krb5_context context
, void **ptr
)
264 static void samba_wdc_plugin_fini(void *ptr
)
269 struct krb5plugin_windc_ftable windc_plugin_table
= {
270 .minor_version
= KRB5_WINDC_PLUGIN_MINOR
,
271 .init
= samba_wdc_plugin_init
,
272 .fini
= samba_wdc_plugin_fini
,
273 .pac_generate
= samba_wdc_get_pac
,
274 .pac_verify
= samba_wdc_reget_pac
,
275 .client_access
= samba_wdc_check_client_access
,