2 Unix SMB/CIFS implementation.
3 kerberos utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Luke Howard 2003
7 Copyright (C) Guenther Deschner 2003, 2005
8 Copyright (C) Jim McDonough (jmcd@us.ibm.com) 2003
9 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
10 Copyright (C) Jeremy Allison 2007
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
28 #include "libads/kerberos_proto.h"
30 #include "../librpc/gen_ndr/krb5pac.h"
34 #if !defined(HAVE_KRB5_PRINC_COMPONENT)
35 const krb5_data
*krb5_princ_component(krb5_context
, krb5_principal
, int );
38 static bool ads_dedicated_keytab_verify_ticket(krb5_context context
,
39 krb5_auth_context auth_context
,
40 const DATA_BLOB
*ticket
,
42 krb5_keyblock
**keyblock
,
43 krb5_error_code
*perr
)
45 krb5_error_code ret
= 0;
47 krb5_keytab keytab
= NULL
;
48 krb5_keytab_entry kt_entry
;
49 krb5_ticket
*dec_ticket
= NULL
;
59 ZERO_STRUCT(kt_entry
);
61 ret
= smb_krb5_open_keytab(context
, lp_dedicated_keytab_file(), true,
64 DEBUG(1, ("smb_krb5_open_keytab failed (%s)\n",
69 packet
.length
= ticket
->length
;
70 packet
.data
= (char *)ticket
->data
;
72 ret
= krb5_rd_req(context
, &auth_context
, &packet
, NULL
, keytab
,
75 DEBUG(0, ("krb5_rd_req failed (%s)\n", error_message(ret
)));
79 #ifdef HAVE_ETYPE_IN_ENCRYPTEDDATA /* Heimdal */
80 enctype
= dec_ticket
->ticket
.key
.keytype
;
82 enctype
= dec_ticket
->enc_part
.enctype
;
83 kvno
= dec_ticket
->enc_part
.kvno
;
86 /* Get the key for checking the pac signature */
87 ret
= krb5_kt_get_entry(context
, keytab
, dec_ticket
->server
,
88 kvno
, enctype
, &kt_entry
);
90 DEBUG(0, ("krb5_kt_get_entry failed (%s)\n",
95 ret
= krb5_copy_keyblock(context
, KRB5_KT_KEY(&kt_entry
), keyblock
);
96 smb_krb5_kt_free_entry(context
, &kt_entry
);
99 DEBUG(0, ("failed to copy key: %s\n",
100 error_message(ret
)));
105 *pp_tkt
= dec_ticket
;
110 krb5_free_ticket(context
, dec_ticket
);
113 krb5_kt_close(context
, keytab
);
119 /******************************************************************************
120 Try to verify a ticket using the system keytab... the system keytab has
121 kvno -1 entries, so it's more like what microsoft does... see comment in
122 utils/net_ads.c in the ads_keytab_add_entry function for details.
123 ******************************************************************************/
125 static bool ads_keytab_verify_ticket(krb5_context context
,
126 krb5_auth_context auth_context
,
127 const DATA_BLOB
*ticket
,
128 krb5_ticket
**pp_tkt
,
129 krb5_keyblock
**keyblock
,
130 krb5_error_code
*perr
)
132 krb5_error_code ret
= 0;
133 bool auth_ok
= False
;
134 krb5_keytab keytab
= NULL
;
135 krb5_kt_cursor kt_cursor
;
136 krb5_keytab_entry kt_entry
;
137 char *valid_princ_formats
[7] = { NULL
, NULL
, NULL
,
138 NULL
, NULL
, NULL
, NULL
};
139 char *entry_princ_s
= NULL
;
140 fstring my_name
, my_fqdn
;
142 int number_matched_principals
= 0;
150 /* Generate the list of principal names which we expect
151 * clients might want to use for authenticating to the file
152 * service. We allow name$,{host,cifs}/{name,fqdn,name.REALM}. */
154 fstrcpy(my_name
, lp_netbios_name());
157 name_to_fqdn(my_fqdn
, lp_netbios_name());
159 err
= asprintf(&valid_princ_formats
[0],
160 "%s$@%s", my_name
, lp_realm());
164 err
= asprintf(&valid_princ_formats
[1],
165 "host/%s@%s", my_name
, lp_realm());
169 err
= asprintf(&valid_princ_formats
[2],
170 "host/%s@%s", my_fqdn
, lp_realm());
174 err
= asprintf(&valid_princ_formats
[3],
175 "host/%s.%s@%s", my_name
, lp_realm(), lp_realm());
179 err
= asprintf(&valid_princ_formats
[4],
180 "cifs/%s@%s", my_name
, lp_realm());
184 err
= asprintf(&valid_princ_formats
[5],
185 "cifs/%s@%s", my_fqdn
, lp_realm());
189 err
= asprintf(&valid_princ_formats
[6],
190 "cifs/%s.%s@%s", my_name
, lp_realm(), lp_realm());
195 ZERO_STRUCT(kt_entry
);
196 ZERO_STRUCT(kt_cursor
);
198 ret
= smb_krb5_open_keytab(context
, NULL
, False
, &keytab
);
200 DEBUG(1, (__location__
": smb_krb5_open_keytab failed (%s)\n",
201 error_message(ret
)));
205 /* Iterate through the keytab. For each key, if the principal
206 * name case-insensitively matches one of the allowed formats,
207 * try verifying the ticket using that principal. */
209 ret
= krb5_kt_start_seq_get(context
, keytab
, &kt_cursor
);
211 DEBUG(1, (__location__
": krb5_kt_start_seq_get failed (%s)\n",
212 error_message(ret
)));
217 (krb5_kt_next_entry(context
, keytab
,
218 &kt_entry
, &kt_cursor
) == 0)) {
219 ret
= smb_krb5_unparse_name(talloc_tos(), context
,
223 DEBUG(1, (__location__
": smb_krb5_unparse_name "
224 "failed (%s)\n", error_message(ret
)));
228 for (i
= 0; i
< ARRAY_SIZE(valid_princ_formats
); i
++) {
230 if (!strequal(entry_princ_s
, valid_princ_formats
[i
])) {
234 number_matched_principals
++;
235 packet
.length
= ticket
->length
;
236 packet
.data
= (char *)ticket
->data
;
239 ret
= krb5_rd_req_return_keyblock_from_keytab(context
,
240 &auth_context
, &packet
,
241 kt_entry
.principal
, keytab
,
242 NULL
, pp_tkt
, keyblock
);
245 DEBUG(10, (__location__
": krb5_rd_req_return"
246 "_keyblock_from_keytab(%s) "
247 "failed: %s\n", entry_princ_s
,
248 error_message(ret
)));
250 /* workaround for MIT:
251 * as krb5_ktfile_get_entry will explicitly
252 * close the krb5_keytab as soon as krb5_rd_req
253 * has successfully decrypted the ticket but the
254 * ticket is not valid yet (due to clockskew)
255 * there is no point in querying more keytab
256 * entries - Guenther */
258 if (ret
== KRB5KRB_AP_ERR_TKT_NYV
||
259 ret
== KRB5KRB_AP_ERR_TKT_EXPIRED
||
260 ret
== KRB5KRB_AP_ERR_SKEW
) {
264 DEBUG(3, (__location__
": krb5_rd_req_return"
265 "_keyblock_from_keytab succeeded "
266 "for principal %s\n",
273 /* Free the name we parsed. */
274 TALLOC_FREE(entry_princ_s
);
276 /* Free the entry we just read. */
277 smb_krb5_kt_free_entry(context
, &kt_entry
);
278 ZERO_STRUCT(kt_entry
);
280 krb5_kt_end_seq_get(context
, keytab
, &kt_cursor
);
282 ZERO_STRUCT(kt_cursor
);
286 for (i
= 0; i
< ARRAY_SIZE(valid_princ_formats
); i
++) {
287 SAFE_FREE(valid_princ_formats
[i
]);
291 if (!number_matched_principals
) {
292 DEBUG(3, (__location__
": no keytab principals "
293 "matched expected file service name.\n"));
295 DEBUG(3, (__location__
": krb5_rd_req failed for "
296 "all %d matched keytab principals\n",
297 number_matched_principals
));
301 SAFE_FREE(entry_princ_s
);
304 krb5_keytab_entry zero_kt_entry
;
305 ZERO_STRUCT(zero_kt_entry
);
306 if (memcmp(&zero_kt_entry
, &kt_entry
,
307 sizeof(krb5_keytab_entry
))) {
308 smb_krb5_kt_free_entry(context
, &kt_entry
);
313 krb5_kt_cursor zero_csr
;
314 ZERO_STRUCT(zero_csr
);
315 if ((memcmp(&kt_cursor
, &zero_csr
,
316 sizeof(krb5_kt_cursor
)) != 0) && keytab
) {
317 krb5_kt_end_seq_get(context
, keytab
, &kt_cursor
);
322 krb5_kt_close(context
, keytab
);
328 /*****************************************************************************
329 Try to verify a ticket using the secrets.tdb.
330 ******************************************************************************/
332 static krb5_error_code
ads_secrets_verify_ticket(krb5_context context
,
333 krb5_auth_context auth_context
,
334 krb5_principal host_princ
,
335 const DATA_BLOB
*ticket
,
336 krb5_ticket
**pp_tkt
,
337 krb5_keyblock
**keyblock
,
338 krb5_error_code
*perr
)
340 krb5_error_code ret
= 0;
341 bool auth_ok
= False
;
343 char *password_s
= NULL
;
344 /* Let's make some room for 2 password (old and new)*/
345 krb5_data passwords
[2];
346 krb5_enctype enctypes
[] = {
347 ENCTYPE_ARCFOUR_HMAC
,
359 ZERO_STRUCT(passwords
);
361 if (!secrets_init()) {
362 DEBUG(1,("ads_secrets_verify_ticket: secrets_init failed\n"));
363 *perr
= KRB5_CONFIG_CANTOPEN
;
367 password_s
= secrets_fetch_machine_password(lp_workgroup(),
370 DEBUG(1,(__location__
": failed to fetch machine password\n"));
371 *perr
= KRB5_LIBOS_CANTREADPWD
;
375 passwords
[0].data
= password_s
;
376 passwords
[0].length
= strlen(password_s
);
378 password_s
= secrets_fetch_prev_machine_password(lp_workgroup());
380 DEBUG(10, (__location__
": found previous password\n"));
381 passwords
[1].data
= password_s
;
382 passwords
[1].length
= strlen(password_s
);
385 /* CIFS doesn't use addresses in tickets. This would break NAT. JRA */
387 packet
.length
= ticket
->length
;
388 packet
.data
= (char *)ticket
->data
;
390 /* We need to setup a auth context with each possible encoding type
392 for (j
=0; j
<2 && passwords
[j
].length
; j
++) {
394 for (i
=0;enctypes
[i
];i
++) {
395 krb5_keyblock
*key
= NULL
;
397 if (!(key
= SMB_MALLOC_P(krb5_keyblock
))) {
402 if (create_kerberos_key_from_string(context
,
403 host_princ
, &passwords
[j
],
404 key
, enctypes
[i
], false)) {
409 krb5_auth_con_setuseruserkey(context
,
412 if (!(ret
= krb5_rd_req(context
, &auth_context
,
415 DEBUG(10, (__location__
": enc type [%u] "
416 "decrypted message !\n",
417 (unsigned int)enctypes
[i
]));
420 krb5_copy_keyblock(context
, key
, keyblock
);
421 krb5_free_keyblock(context
, key
);
425 DEBUG((ret
!= KRB5_BAD_ENCTYPE
) ? 3 : 10,
426 (__location__
": enc type [%u] failed to "
427 "decrypt with error %s\n",
428 (unsigned int)enctypes
[i
],
429 error_message(ret
)));
431 /* successfully decrypted but ticket is just not
432 * valid at the moment */
433 if (ret
== KRB5KRB_AP_ERR_TKT_NYV
||
434 ret
== KRB5KRB_AP_ERR_TKT_EXPIRED
||
435 ret
== KRB5KRB_AP_ERR_SKEW
) {
436 krb5_free_keyblock(context
, key
);
441 krb5_free_keyblock(context
, key
);
444 /* If we found a valid pass then no need to try
445 * the next one or we have invalid ticket so no need
446 * to try next password*/
452 SAFE_FREE(passwords
[0].data
);
453 SAFE_FREE(passwords
[1].data
);
458 /*****************************************************************************
459 Verify an incoming ticket and parse out the principal name and
460 authorization_data if available.
461 ******************************************************************************/
463 NTSTATUS
ads_verify_ticket(TALLOC_CTX
*mem_ctx
,
466 const DATA_BLOB
*ticket
,
468 struct PAC_LOGON_INFO
**logon_info
,
470 DATA_BLOB
*session_key
,
471 bool use_replay_cache
)
473 NTSTATUS sret
= NT_STATUS_LOGON_FAILURE
;
476 krb5_context context
= NULL
;
477 krb5_auth_context auth_context
= NULL
;
479 krb5_ticket
*tkt
= NULL
;
480 krb5_rcache rcache
= NULL
;
481 krb5_keyblock
*keyblock
= NULL
;
483 krb5_error_code ret
= 0;
485 krb5_principal host_princ
= NULL
;
486 krb5_const_principal client_principal
= NULL
;
487 char *host_princ_s
= NULL
;
488 bool auth_ok
= False
;
489 bool got_auth_data
= False
;
490 struct named_mutex
*mutex
= NULL
;
493 ZERO_STRUCT(auth_data
);
497 *ap_rep
= data_blob_null
;
498 *session_key
= data_blob_null
;
500 initialize_krb5_error_table();
501 ret
= krb5_init_context(&context
);
503 DEBUG(1, (__location__
": krb5_init_context failed (%s)\n",
504 error_message(ret
)));
505 return NT_STATUS_LOGON_FAILURE
;
508 if (time_offset
!= 0) {
509 krb5_set_real_time(context
, time(NULL
) + time_offset
, 0);
512 ret
= krb5_set_default_realm(context
, realm
);
514 DEBUG(1, (__location__
": krb5_set_default_realm "
515 "failed (%s)\n", error_message(ret
)));
519 /* This whole process is far more complex than I would
520 like. We have to go through all this to allow us to store
521 the secret internally, instead of using /etc/krb5.keytab */
523 ret
= krb5_auth_con_init(context
, &auth_context
);
525 DEBUG(1, (__location__
": krb5_auth_con_init failed (%s)\n",
526 error_message(ret
)));
530 krb5_auth_con_getflags( context
, auth_context
, &flags
);
531 if ( !use_replay_cache
) {
532 /* Disable default use of a replay cache */
533 flags
&= ~KRB5_AUTH_CONTEXT_DO_TIME
;
534 krb5_auth_con_setflags( context
, auth_context
, flags
);
537 if (asprintf(&host_princ_s
, "%s$", lp_netbios_name()) == -1) {
541 strlower_m(host_princ_s
);
542 ret
= smb_krb5_parse_name(context
, host_princ_s
, &host_princ
);
544 DEBUG(1, (__location__
": smb_krb5_parse_name(%s) "
545 "failed (%s)\n", host_princ_s
, error_message(ret
)));
550 if (use_replay_cache
) {
552 /* Lock a mutex surrounding the replay as there is no
553 locking in the MIT krb5 code surrounding the replay
556 mutex
= grab_named_mutex(talloc_tos(),
557 "replay cache mutex", 10);
559 DEBUG(1, (__location__
": unable to protect replay "
560 "cache with mutex.\n"));
565 /* JRA. We must set the rcache here. This will prevent
568 ret
= krb5_get_server_rcache(
570 krb5_princ_component(context
, host_princ
, 0),
573 DEBUG(1, (__location__
": krb5_get_server_rcache "
574 "failed (%s)\n", error_message(ret
)));
578 ret
= krb5_auth_con_setrcache(context
, auth_context
, rcache
);
580 DEBUG(1, (__location__
": krb5_auth_con_setrcache "
581 "failed (%s)\n", error_message(ret
)));
586 switch (lp_kerberos_method()) {
588 case KERBEROS_VERIFY_SECRETS
:
589 auth_ok
= ads_secrets_verify_ticket(context
, auth_context
,
590 host_princ
, ticket
, &tkt
, &keyblock
, &ret
);
592 case KERBEROS_VERIFY_SYSTEM_KEYTAB
:
593 auth_ok
= ads_keytab_verify_ticket(context
, auth_context
,
594 ticket
, &tkt
, &keyblock
, &ret
);
596 case KERBEROS_VERIFY_DEDICATED_KEYTAB
:
597 auth_ok
= ads_dedicated_keytab_verify_ticket(context
,
598 auth_context
, ticket
, &tkt
, &keyblock
, &ret
);
600 case KERBEROS_VERIFY_SECRETS_AND_KEYTAB
:
601 /* First try secrets.tdb and fallback to the krb5.keytab if
602 necessary. This is the pre 3.4 behavior when
603 "use kerberos keytab" was true.*/
604 auth_ok
= ads_secrets_verify_ticket(context
, auth_context
,
605 host_princ
, ticket
, &tkt
, &keyblock
, &ret
);
608 /* Only fallback if we failed to decrypt the ticket */
609 if (ret
!= KRB5KRB_AP_ERR_TKT_NYV
&&
610 ret
!= KRB5KRB_AP_ERR_TKT_EXPIRED
&&
611 ret
!= KRB5KRB_AP_ERR_SKEW
) {
612 auth_ok
= ads_keytab_verify_ticket(context
,
613 auth_context
, ticket
, &tkt
, &keyblock
,
620 if (use_replay_cache
) {
623 /* Heimdal leaks here, if we fix the leak, MIT crashes */
625 krb5_rc_close(context
, rcache
);
631 DEBUG(3, (__location__
": krb5_rd_req with auth "
632 "failed (%s)\n", error_message(ret
)));
633 /* Try map the error return in case it's something like
634 * a clock skew error.
636 sret
= krb5_to_nt_status(ret
);
637 if (NT_STATUS_IS_OK(sret
) ||
638 NT_STATUS_EQUAL(sret
,NT_STATUS_UNSUCCESSFUL
)) {
639 sret
= NT_STATUS_LOGON_FAILURE
;
641 DEBUG(10, (__location__
": returning error %s\n",
646 authtime
= get_authtime_from_tkt(tkt
);
647 client_principal
= get_principal_from_tkt(tkt
);
649 ret
= krb5_mk_rep(context
, auth_context
, &packet
);
651 DEBUG(3, (__location__
": Failed to generate mutual "
652 "authentication reply (%s)\n", error_message(ret
)));
656 *ap_rep
= data_blob(packet
.data
, packet
.length
);
658 kerberos_free_data_contents(context
, &packet
);
662 get_krb5_smb_session_key(mem_ctx
, context
,
663 auth_context
, session_key
, true);
664 dump_data_pw("SMB session key (from ticket)\n",
665 session_key
->data
, session_key
->length
);
668 file_save("/tmp/ticket.dat", ticket
->data
, ticket
->length
);
671 /* continue when no PAC is retrieved or we couldn't decode the PAC
672 (like accounts that have the UF_NO_AUTH_DATA_REQUIRED flag set, or
673 Kerberos tickets encrypted using a DES key) - Guenther */
675 got_auth_data
= get_auth_data_from_tkt(mem_ctx
, &auth_data
, tkt
);
676 if (!got_auth_data
) {
677 DEBUG(3, (__location__
": did not retrieve auth data. "
678 "continuing without PAC\n"));
682 struct PAC_DATA
*pac_data
;
683 pac_ret
= kerberos_decode_pac(mem_ctx
, auth_data
, context
,
684 NULL
, keyblock
, client_principal
,
685 authtime
, &pac_data
);
686 data_blob_free(&auth_data
);
687 if (!NT_STATUS_IS_OK(pac_ret
)) {
688 DEBUG(3, (__location__
": failed to decode "
689 "PAC_DATA: %s\n", nt_errstr(pac_ret
)));
692 for (i
= 0; i
< pac_data
->num_buffers
; i
++) {
694 if (pac_data
->buffers
[i
].type
!= PAC_TYPE_LOGON_INFO
) {
698 *logon_info
= pac_data
->buffers
[i
].info
->logon_info
.info
;
702 DEBUG(1, ("correctly decoded PAC but found "
704 "This should not happen\n"));
705 return NT_STATUS_INVALID_USER_BUFFER
;
711 #if defined(HAVE_KRB5_TKT_ENC_PART2)
713 if (tkt
->enc_part2
) {
714 file_save("/tmp/authdata.dat",
715 tkt
->enc_part2
->authorization_data
[0]->contents
,
716 tkt
->enc_part2
->authorization_data
[0]->length
);
720 if (tkt
->ticket
.authorization_data
) {
721 file_save("/tmp/authdata.dat",
722 tkt
->ticket
.authorization_data
->val
->ad_data
.data
,
723 tkt
->ticket
.authorization_data
->val
->ad_data
.length
);
728 ret
= smb_krb5_unparse_name(mem_ctx
, context
,
729 client_principal
, principal
);
731 DEBUG(3, (__location__
": smb_krb5_unparse_name "
732 "failed (%s)\n", error_message(ret
)));
733 sret
= NT_STATUS_LOGON_FAILURE
;
743 if (!NT_STATUS_IS_OK(sret
)) {
744 data_blob_free(&auth_data
);
747 if (!NT_STATUS_IS_OK(sret
)) {
748 data_blob_free(ap_rep
);
752 krb5_free_principal(context
, host_princ
);
756 krb5_free_keyblock(context
, keyblock
);
760 krb5_free_ticket(context
, tkt
);
763 SAFE_FREE(host_princ_s
);
766 krb5_auth_con_free(context
, auth_context
);
770 krb5_free_context(context
);
776 #endif /* HAVE_KRB5 */