3 * DCERPC Server functions
4 * Copyright (C) Simo Sorce 2010.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 #include "rpc_server/dcesrv_gssapi.h"
23 #include "../librpc/gen_ndr/ndr_krb5pac.h"
24 #include "../lib/tsocket/tsocket.h"
25 #include "librpc/crypto/gse.h"
28 #include "libcli/auth/krb5_wrap.h"
30 NTSTATUS
gssapi_server_auth_start(TALLOC_CTX
*mem_ctx
,
36 struct gse_context
**ctx
)
38 struct gse_context
*gse_ctx
= NULL
;
39 uint32_t add_flags
= 0;
43 add_flags
= GSS_C_DCE_STYLE
;
46 /* Let's init the gssapi machinery for this connection */
47 /* passing a NULL server name means the server will try
48 * to accept any connection regardless of the name used as
49 * long as it can find a decryption key */
50 /* by passing NULL, the code will attempt to set a default
51 * keytab based on configuration options */
52 status
= gse_init_server(mem_ctx
, do_sign
, do_seal
,
54 if (!NT_STATUS_IS_OK(status
)) {
55 DEBUG(0, ("Failed to init dcerpc gssapi server (%s)\n",
60 status
= gse_get_server_auth_token(mem_ctx
, gse_ctx
,
62 if (!NT_STATUS_IS_OK(status
)) {
63 DEBUG(0, ("Failed to parse initial client token (%s)\n",
69 status
= NT_STATUS_OK
;
72 if (!NT_STATUS_IS_OK(status
)) {
79 NTSTATUS
gssapi_server_step(struct gse_context
*gse_ctx
,
86 status
= gse_get_server_auth_token(mem_ctx
, gse_ctx
,
88 if (!NT_STATUS_IS_OK(status
)) {
92 if (gse_require_more_processing(gse_ctx
)) {
93 /* ask for next leg */
94 return NT_STATUS_MORE_PROCESSING_REQUIRED
;
100 NTSTATUS
gssapi_server_check_flags(struct gse_context
*gse_ctx
)
102 return gse_verify_server_auth_flags(gse_ctx
);
105 NTSTATUS
gssapi_server_get_user_info(struct gse_context
*gse_ctx
,
107 const struct tsocket_address
*remote_address
,
108 struct auth_session_info
**session_info
)
112 struct PAC_DATA
*pac_data
= NULL
;
113 struct PAC_LOGON_INFO
*logon_info
= NULL
;
126 tmp_ctx
= talloc_new(mem_ctx
);
128 return NT_STATUS_NO_MEMORY
;
131 status
= gse_get_pac_blob(gse_ctx
, tmp_ctx
, &pac_blob
);
132 if (NT_STATUS_EQUAL(status
, NT_STATUS_NOT_FOUND
)) {
133 /* TODO: Fetch user by principal name ? */
134 status
= NT_STATUS_ACCESS_DENIED
;
137 if (!NT_STATUS_IS_OK(status
)) {
142 status
= kerberos_decode_pac(tmp_ctx
,
144 NULL
, NULL
, NULL
, NULL
, 0, &pac_data
);
146 status
= NT_STATUS_ACCESS_DENIED
;
148 data_blob_free(&pac_blob
);
149 if (!NT_STATUS_IS_OK(status
)) {
153 status
= gse_get_client_name(gse_ctx
, tmp_ctx
, &princ_name
);
154 if (!NT_STATUS_IS_OK(status
)) {
158 /* get logon name and logon info */
159 for (i
= 0; i
< pac_data
->num_buffers
; i
++) {
160 struct PAC_BUFFER
*data_buf
= &pac_data
->buffers
[i
];
162 switch (data_buf
->type
) {
163 case PAC_TYPE_LOGON_INFO
:
164 if (!data_buf
->info
) {
167 logon_info
= data_buf
->info
->logon_info
.info
;
174 DEBUG(1, ("Invalid PAC data, missing logon info!\n"));
175 status
= NT_STATUS_NOT_FOUND
;
179 rc
= get_remote_hostname(remote_address
,
183 status
= NT_STATUS_NO_MEMORY
;
186 if (strequal(rhost
, "UNKNOWN")) {
187 rhost
= tsocket_address_inet_addr_string(remote_address
,
190 status
= NT_STATUS_NO_MEMORY
;
195 status
= get_user_from_kerberos_info(tmp_ctx
, rhost
,
196 princ_name
, logon_info
,
197 &is_mapped
, &is_guest
,
200 if (!NT_STATUS_IS_OK(status
)) {
201 DEBUG(1, ("Failed to map kerberos principal to system user "
202 "(%s)\n", nt_errstr(status
)));
203 status
= NT_STATUS_ACCESS_DENIED
;
207 /* TODO: save PAC data in netsamlogon cache ? */
209 status
= make_session_info_krb5(mem_ctx
,
210 ntuser
, ntdomain
, username
, pw
,
211 logon_info
, is_guest
, is_mapped
, NULL
/* No session key for now */,
213 if (!NT_STATUS_IS_OK(status
)) {
214 DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
216 status
= NT_STATUS_ACCESS_DENIED
;
220 DEBUG(5, (__location__
"OK: user: %s domain: %s client: %s\n",
221 ntuser
, ntdomain
, rhost
));
223 status
= NT_STATUS_OK
;
226 TALLOC_FREE(tmp_ctx
);