search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3: re-run make samba3-idl.
[Samba/nascimento.git] / source4 / kdc / db-glue.c
blobc434ccb89a196eef4f0a9a7f5ab0417a15322ee0
1 /*
2 Unix SMB/CIFS implementation.
3
4 Database Glue between Samba and the KDC
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
7 Copyright (C) Simo Sorce <idra@samba.org> 2010
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "system/time.h"
26 #include "../libds/common/flags.h"
27 #include "lib/ldb/include/ldb.h"
28 #include "librpc/gen_ndr/netlogon.h"
29 #include "libcli/security/security.h"
30 #include "auth/auth.h"
31 #include "auth/credentials/credentials.h"
32 #include "auth/auth_sam.h"
33 #include "../lib/util/util_ldb.h"
34 #include "dsdb/samdb/samdb.h"
35 #include "librpc/ndr/libndr.h"
36 #include "librpc/gen_ndr/ndr_drsblobs.h"
37 #include "librpc/gen_ndr/lsa.h"
38 #include "libcli/auth/libcli_auth.h"
39 #include "param/param.h"
40 #include "../lib/crypto/md4.h"
41 #include "system/kerberos.h"
42 #include <hdb.h>
43 #include "kdc/samba_kdc.h"
44 #include "kdc/db-glue.h"
45
46 enum samba_kdc_ent_type
47 { SAMBA_KDC_ENT_TYPE_CLIENT, SAMBA_KDC_ENT_TYPE_SERVER,
48 SAMBA_KDC_ENT_TYPE_KRBTGT, SAMBA_KDC_ENT_TYPE_TRUST, SAMBA_KDC_ENT_TYPE_ANY };
49
50 enum trust_direction {
51 UNKNOWN = 0,
52 INBOUND = LSA_TRUST_DIRECTION_INBOUND,
53 OUTBOUND = LSA_TRUST_DIRECTION_OUTBOUND
54 };
55
56 static const char *trust_attrs[] = {
57 "trustPartner",
58 "trustAuthIncoming",
59 "trustAuthOutgoing",
60 "whenCreated",
61 "msDS-SupportedEncryptionTypes",
62 "trustAttributes",
63 "trustDirection",
64 "trustType",
65 NULL
66 };
67
68 static KerberosTime ldb_msg_find_krb5time_ldap_time(struct ldb_message *msg, const char *attr, KerberosTime default_val)
69 {
70 const char *tmp;
71 const char *gentime;
72 struct tm tm;
73
74 gentime = ldb_msg_find_attr_as_string(msg, attr, NULL);
75 if (!gentime)
76 return default_val;
77
78 tmp = strptime(gentime, "%Y%m%d%H%M%SZ", &tm);
79 if (tmp == NULL) {
80 return default_val;
81 }
82
83 return timegm(&tm);
84 }
85
86 static HDBFlags uf2HDBFlags(krb5_context context, int userAccountControl, enum samba_kdc_ent_type ent_type)
87 {
88 HDBFlags flags = int2HDBFlags(0);
89
90 /* we don't allow kadmin deletes */
91 flags.immutable = 1;
92
93 /* mark the principal as invalid to start with */
94 flags.invalid = 1;
95
96 flags.renewable = 1;
97
98 /* All accounts are servers, but this may be disabled again in the caller */
99 flags.server = 1;
100
101 /* Account types - clear the invalid bit if it turns out to be valid */
102 if (userAccountControl & UF_NORMAL_ACCOUNT) {
103 if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT || ent_type == SAMBA_KDC_ENT_TYPE_ANY) {
104 flags.client = 1;
105 }
106 flags.invalid = 0;
107 }
108
109 if (userAccountControl & UF_INTERDOMAIN_TRUST_ACCOUNT) {
110 if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT || ent_type == SAMBA_KDC_ENT_TYPE_ANY) {
111 flags.client = 1;
112 }
113 flags.invalid = 0;
114 }
115 if (userAccountControl & UF_WORKSTATION_TRUST_ACCOUNT) {
116 if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT || ent_type == SAMBA_KDC_ENT_TYPE_ANY) {
117 flags.client = 1;
118 }
119 flags.invalid = 0;
120 }
121 if (userAccountControl & UF_SERVER_TRUST_ACCOUNT) {
122 if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT || ent_type == SAMBA_KDC_ENT_TYPE_ANY) {
123 flags.client = 1;
124 }
125 flags.invalid = 0;
126 }
127
128 /* Not permitted to act as a client if disabled */
129 if (userAccountControl & UF_ACCOUNTDISABLE) {
130 flags.client = 0;
131 }
132 if (userAccountControl & UF_LOCKOUT) {
133 flags.invalid = 1;
134 }
135 /*
136 if (userAccountControl & UF_PASSWORD_NOTREQD) {
137 flags.invalid = 1;
138 }
139 */
140 /*
141 UF_PASSWORD_CANT_CHANGE and UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED are irrelevent
142 */
143 if (userAccountControl & UF_TEMP_DUPLICATE_ACCOUNT) {
144 flags.invalid = 1;
145 }
146
147 /* UF_DONT_EXPIRE_PASSWD and UF_USE_DES_KEY_ONLY handled in samba_kdc_message2entry() */
148
149 /*
150 if (userAccountControl & UF_MNS_LOGON_ACCOUNT) {
151 flags.invalid = 1;
152 }
153 */
154 if (userAccountControl & UF_SMARTCARD_REQUIRED) {
155 flags.require_hwauth = 1;
156 }
157 if (userAccountControl & UF_TRUSTED_FOR_DELEGATION) {
158 flags.ok_as_delegate = 1;
159 }
160 if (!(userAccountControl & UF_NOT_DELEGATED)) {
161 flags.forwardable = 1;
162 flags.proxiable = 1;
163 }
164
165 if (userAccountControl & UF_DONT_REQUIRE_PREAUTH) {
166 flags.require_preauth = 0;
167 } else {
168 flags.require_preauth = 1;
169
170 }
171 return flags;
172 }
173
174 static int samba_kdc_entry_destructor(struct samba_kdc_entry *p)
175 {
176 hdb_entry_ex *entry_ex = p->entry_ex;
177 free_hdb_entry(&entry_ex->entry);
178 return 0;
179 }
180
181 static void samba_kdc_free_entry(krb5_context context, hdb_entry_ex *entry_ex)
182 {
183 talloc_free(entry_ex->ctx);
184 }
185
186 static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
187 struct smb_iconv_convenience *iconv_convenience,
188 TALLOC_CTX *mem_ctx,
189 struct ldb_message *msg,
190 unsigned int userAccountControl,
191 hdb_entry_ex *entry_ex)
192 {
193 krb5_error_code ret = 0;
194 enum ndr_err_code ndr_err;
195 struct samr_Password *hash;
196 const struct ldb_val *sc_val;
197 struct supplementalCredentialsBlob scb;
198 struct supplementalCredentialsPackage *scpk = NULL;
199 bool newer_keys = false;
200 struct package_PrimaryKerberosBlob _pkb;
201 struct package_PrimaryKerberosCtr3 *pkb3 = NULL;
202 struct package_PrimaryKerberosCtr4 *pkb4 = NULL;
203 uint32_t i;
204 uint32_t allocated_keys = 0;
205
206 entry_ex->entry.keys.val = NULL;
207 entry_ex->entry.keys.len = 0;
208
209 entry_ex->entry.kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0);
210
211 /* Get keys from the db */
212
213 hash = samdb_result_hash(mem_ctx, msg, "unicodePwd");
214 sc_val = ldb_msg_find_ldb_val(msg, "supplementalCredentials");
215
216 /* unicodePwd for enctype 0x17 (23) if present */
217 if (hash) {
218 allocated_keys++;
219 }
220
221 /* supplementalCredentials if present */
222 if (sc_val) {
223 ndr_err = ndr_pull_struct_blob_all(sc_val, mem_ctx, iconv_convenience, &scb,
224 (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
225 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
226 dump_data(0, sc_val->data, sc_val->length);
227 ret = EINVAL;
228 goto out;
229 }
230
231 if (scb.sub.signature != SUPPLEMENTAL_CREDENTIALS_SIGNATURE) {
232 NDR_PRINT_DEBUG(supplementalCredentialsBlob, &scb);
233 ret = EINVAL;
234 goto out;
235 }
236
237 for (i=0; i < scb.sub.num_packages; i++) {
238 if (strcmp("Primary:Kerberos-Newer-Keys", scb.sub.packages[i].name) == 0) {
239 scpk = &scb.sub.packages[i];
240 if (!scpk->data || !scpk->data[0]) {
241 scpk = NULL;
242 continue;
243 }
244 newer_keys = true;
245 break;
246 } else if (strcmp("Primary:Kerberos", scb.sub.packages[i].name) == 0) {
247 scpk = &scb.sub.packages[i];
248 if (!scpk->data || !scpk->data[0]) {
249 scpk = NULL;
250 }
251 /*
252 * we don't break here in hope to find
253 * a Kerberos-Newer-Keys package
254 */
255 }
256 }
257 }
258 /*
259 * Primary:Kerberos-Newer-Keys or Primary:Kerberos element
260 * of supplementalCredentials
261 */
262 if (scpk) {
263 DATA_BLOB blob;
264
265 blob = strhex_to_data_blob(mem_ctx, scpk->data);
266 if (!blob.data) {
267 ret = ENOMEM;
268 goto out;
269 }
270
271 /* we cannot use ndr_pull_struct_blob_all() here, as w2k and w2k3 add padding bytes */
272 ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, iconv_convenience, &_pkb,
273 (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
274 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
275 ret = EINVAL;
276 krb5_set_error_message(context, ret, "samba_kdc_message2entry_keys: could not parse package_PrimaryKerberosBlob");
277 krb5_warnx(context, "samba_kdc_message2entry_keys: could not parse package_PrimaryKerberosBlob");
278 goto out;
279 }
280
281 if (newer_keys && _pkb.version != 4) {
282 ret = EINVAL;
283 krb5_set_error_message(context, ret, "samba_kdc_message2entry_keys: Primary:Kerberos-Newer-Keys not version 4");
284 krb5_warnx(context, "samba_kdc_message2entry_keys: Primary:Kerberos-Newer-Keys not version 4");
285 goto out;
286 }
287
288 if (!newer_keys && _pkb.version != 3) {
289 ret = EINVAL;
290 krb5_set_error_message(context, ret, "samba_kdc_message2entry_keys: could not parse Primary:Kerberos not version 3");
291 krb5_warnx(context, "samba_kdc_message2entry_keys: could not parse Primary:Kerberos not version 3");
292 goto out;
293 }
294
295 if (_pkb.version == 4) {
296 pkb4 = &_pkb.ctr.ctr4;
297 allocated_keys += pkb4->num_keys;
298 } else if (_pkb.version == 3) {
299 pkb3 = &_pkb.ctr.ctr3;
300 allocated_keys += pkb3->num_keys;
301 }
302 }
303
304 if (allocated_keys == 0) {
305 /* oh, no password. Apparently (comment in
306 * hdb-ldap.c) this violates the ASN.1, but this
307 * allows an entry with no keys (yet). */
308 return 0;
309 }
310
311 /* allocate space to decode into */
312 entry_ex->entry.keys.len = 0;
313 entry_ex->entry.keys.val = calloc(allocated_keys, sizeof(Key));
314 if (entry_ex->entry.keys.val == NULL) {
315 ret = ENOMEM;
316 goto out;
317 }
318
319 if (hash && !(userAccountControl & UF_USE_DES_KEY_ONLY)) {
320 Key key;
321
322 key.mkvno = 0;
323 key.salt = NULL; /* No salt for this enc type */
324
325 ret = krb5_keyblock_init(context,
326 ENCTYPE_ARCFOUR_HMAC,
327 hash->hash, sizeof(hash->hash),
328 &key.key);
329 if (ret) {
330 goto out;
331 }
332
333 entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
334 entry_ex->entry.keys.len++;
335 }
336
337 if (pkb4) {
338 for (i=0; i < pkb4->num_keys; i++) {
339 bool use = true;
340 Key key;
341
342 if (!pkb4->keys[i].value) continue;
343
344 if (userAccountControl & UF_USE_DES_KEY_ONLY) {
345 switch (pkb4->keys[i].keytype) {
346 case ENCTYPE_DES_CBC_CRC:
347 case ENCTYPE_DES_CBC_MD5:
348 break;
349 default:
350 use = false;
351 break;
352 }
353 }
354
355 if (!use) continue;
356
357 key.mkvno = 0;
358 key.salt = NULL;
359
360 if (pkb4->salt.string) {
361 DATA_BLOB salt;
362
363 salt = data_blob_string_const(pkb4->salt.string);
364
365 key.salt = calloc(1, sizeof(*key.salt));
366 if (key.salt == NULL) {
367 ret = ENOMEM;
368 goto out;
369 }
370
371 key.salt->type = hdb_pw_salt;
372
373 ret = krb5_data_copy(&key.salt->salt, salt.data, salt.length);
374 if (ret) {
375 free(key.salt);
376 key.salt = NULL;
377 goto out;
378 }
379 }
380
381 /* TODO: maybe pass the iteration_count somehow... */
382
383 ret = krb5_keyblock_init(context,
384 pkb4->keys[i].keytype,
385 pkb4->keys[i].value->data,
386 pkb4->keys[i].value->length,
387 &key.key);
388 if (ret == KRB5_PROG_ETYPE_NOSUPP) {
389 DEBUG(2,("Unsupported keytype ignored - type %u\n",
390 pkb4->keys[i].keytype));
391 ret = 0;
392 continue;
393 }
394 if (ret) {
395 if (key.salt) {
396 free_Salt(key.salt);
397 free(key.salt);
398 key.salt = NULL;
399 }
400 goto out;
401 }
402
403 entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
404 entry_ex->entry.keys.len++;
405 }
406 } else if (pkb3) {
407 for (i=0; i < pkb3->num_keys; i++) {
408 bool use = true;
409 Key key;
410
411 if (!pkb3->keys[i].value) continue;
412
413 if (userAccountControl & UF_USE_DES_KEY_ONLY) {
414 switch (pkb3->keys[i].keytype) {
415 case ENCTYPE_DES_CBC_CRC:
416 case ENCTYPE_DES_CBC_MD5:
417 break;
418 default:
419 use = false;
420 break;
421 }
422 }
423
424 if (!use) continue;
425
426 key.mkvno = 0;
427 key.salt = NULL;
428
429 if (pkb3->salt.string) {
430 DATA_BLOB salt;
431
432 salt = data_blob_string_const(pkb3->salt.string);
433
434 key.salt = calloc(1, sizeof(*key.salt));
435 if (key.salt == NULL) {
436 ret = ENOMEM;
437 goto out;
438 }
439
440 key.salt->type = hdb_pw_salt;
441
442 ret = krb5_data_copy(&key.salt->salt, salt.data, salt.length);
443 if (ret) {
444 free(key.salt);
445 key.salt = NULL;
446 goto out;
447 }
448 }
449
450 ret = krb5_keyblock_init(context,
451 pkb3->keys[i].keytype,
452 pkb3->keys[i].value->data,
453 pkb3->keys[i].value->length,
454 &key.key);
455 if (ret) {
456 if (key.salt) {
457 free_Salt(key.salt);
458 free(key.salt);
459 key.salt = NULL;
460 }
461 goto out;
462 }
463
464 entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
465 entry_ex->entry.keys.len++;
466 }
467 }
468
469 out:
470 if (ret != 0) {
471 entry_ex->entry.keys.len = 0;
472 }
473 if (entry_ex->entry.keys.len == 0 && entry_ex->entry.keys.val) {
474 free(entry_ex->entry.keys.val);
475 entry_ex->entry.keys.val = NULL;
476 }
477 return ret;
478 }
479
480 /*
481 * Construct an hdb_entry from a directory entry.
482 */
483 static krb5_error_code samba_kdc_message2entry(krb5_context context,
484 struct samba_kdc_db_context *kdc_db_ctx,
485 TALLOC_CTX *mem_ctx, krb5_const_principal principal,
486 enum samba_kdc_ent_type ent_type,
487 struct ldb_dn *realm_dn,
488 struct ldb_message *msg,
489 hdb_entry_ex *entry_ex)
490 {
491 struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
492 unsigned int userAccountControl;
493 int i;
494 krb5_error_code ret = 0;
495 krb5_boolean is_computer = FALSE;
496 char *realm = strupper_talloc(mem_ctx, lp_realm(lp_ctx));
497
498 struct samba_kdc_entry *p;
499 NTTIME acct_expiry;
500 NTSTATUS status;
501
502 uint32_t rid;
503 struct ldb_message_element *objectclasses;
504 struct ldb_val computer_val;
505 const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
506 computer_val.data = discard_const_p(uint8_t,"computer");
507 computer_val.length = strlen((const char *)computer_val.data);
508
509 if (!samAccountName) {
510 ret = ENOENT;
511 krb5_set_error_message(context, ret, "samba_kdc_message2entry: no samAccountName present");
512 goto out;
513 }
514
515 objectclasses = ldb_msg_find_element(msg, "objectClass");
516
517 if (objectclasses && ldb_msg_find_val(objectclasses, &computer_val)) {
518 is_computer = TRUE;
519 }
520
521 memset(entry_ex, 0, sizeof(*entry_ex));
522
523 if (!realm) {
524 ret = ENOMEM;
525 krb5_set_error_message(context, ret, "talloc_strdup: out of memory");
526 goto out;
527 }
528
529 p = talloc(mem_ctx, struct samba_kdc_entry);
530 if (!p) {
531 ret = ENOMEM;
532 goto out;
533 }
534
535 p->kdc_db_ctx = kdc_db_ctx;
536 p->entry_ex = entry_ex;
537 p->realm_dn = talloc_reference(p, realm_dn);
538 if (!p->realm_dn) {
539 ret = ENOMEM;
540 goto out;
541 }
542
543 talloc_set_destructor(p, samba_kdc_entry_destructor);
544
545 entry_ex->ctx = p;
546 entry_ex->free_entry = samba_kdc_free_entry;
547
548 userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
549
550
551 entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal)));
552 if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
553 krb5_make_principal(context, &entry_ex->entry.principal, realm, samAccountName, NULL);
554 } else {
555 ret = copy_Principal(principal, entry_ex->entry.principal);
556 if (ret) {
557 krb5_clear_error_message(context);
558 goto out;
559 }
560
561 /* While we have copied the client principal, tests
562 * show that Win2k3 returns the 'corrected' realm, not
563 * the client-specified realm. This code attempts to
564 * replace the client principal's realm with the one
565 * we determine from our records */
566
567 /* this has to be with malloc() */
568 krb5_principal_set_realm(context, entry_ex->entry.principal, realm);
569 }
570
571 /* First try and figure out the flags based on the userAccountControl */
572 entry_ex->entry.flags = uf2HDBFlags(context, userAccountControl, ent_type);
573
574 /* Windows 2008 seems to enforce this (very sensible) rule by
575 * default - don't allow offline attacks on a user's password
576 * by asking for a ticket to them as a service (encrypted with
577 * their probably patheticly insecure password) */
578
579 if (entry_ex->entry.flags.server
580 && lp_parm_bool(lp_ctx, NULL, "kdc", "require spn for service", true)) {
581 if (!is_computer && !ldb_msg_find_attr_as_string(msg, "servicePrincipalName", NULL)) {
582 entry_ex->entry.flags.server = 0;
583 }
584 }
585
586 {
587 /* These (created_by, modified_by) parts of the entry are not relevant for Samba4's use
588 * of the Heimdal KDC. They are stored in a the traditional
589 * DB for audit purposes, and still form part of the structure
590 * we must return */
591
592 /* use 'whenCreated' */
593 entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0);
594 /* use 'kadmin' for now (needed by mit_samba) */
595 krb5_make_principal(context,
596 &entry_ex->entry.created_by.principal,
597 realm, "kadmin", NULL);
598
599 entry_ex->entry.modified_by = (Event *) malloc(sizeof(Event));
600 if (entry_ex->entry.modified_by == NULL) {
601 ret = ENOMEM;
602 krb5_set_error_message(context, ret, "malloc: out of memory");
603 goto out;
604 }
605
606 /* use 'whenChanged' */
607 entry_ex->entry.modified_by->time = ldb_msg_find_krb5time_ldap_time(msg, "whenChanged", 0);
608 /* use 'kadmin' for now (needed by mit_samba) */
609 krb5_make_principal(context,
610 &entry_ex->entry.modified_by->principal,
611 realm, "kadmin", NULL);
612 }
613
614
615 /* The lack of password controls etc applies to krbtgt by
616 * virtue of being that particular RID */
617 status = dom_sid_split_rid(NULL, samdb_result_dom_sid(mem_ctx, msg, "objectSid"), NULL, &rid);
618
619 if (!NT_STATUS_IS_OK(status)) {
620 ret = EINVAL;
621 goto out;
622 }
623
624 if (rid == DOMAIN_RID_KRBTGT) {
625 entry_ex->entry.valid_end = NULL;
626 entry_ex->entry.pw_end = NULL;
627
628 entry_ex->entry.flags.invalid = 0;
629 entry_ex->entry.flags.server = 1;
630
631 /* Don't mark all requests for the krbtgt/realm as
632 * 'change password', as otherwise we could get into
633 * trouble, and not enforce the password expirty.
634 * Instead, only do it when request is for the kpasswd service */
635 if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER
636 && principal->name.name_string.len == 2
637 && (strcmp(principal->name.name_string.val[0], "kadmin") == 0)
638 && (strcmp(principal->name.name_string.val[1], "changepw") == 0)
639 && lp_is_my_domain_or_realm(lp_ctx, principal->realm)) {
640 entry_ex->entry.flags.change_pw = 1;
641 }
642 entry_ex->entry.flags.client = 0;
643 entry_ex->entry.flags.forwardable = 1;
644 entry_ex->entry.flags.ok_as_delegate = 1;
645 } else if (entry_ex->entry.flags.server && ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
646 /* The account/password expiry only applies when the account is used as a
647 * client (ie password login), not when used as a server */
648
649 /* Make very well sure we don't use this for a client,
650 * it could bypass the password restrictions */
651 entry_ex->entry.flags.client = 0;
652
653 entry_ex->entry.valid_end = NULL;
654 entry_ex->entry.pw_end = NULL;
655
656 } else {
657 NTTIME must_change_time
658 = samdb_result_force_password_change(kdc_db_ctx->samdb, mem_ctx,
659 realm_dn, msg);
660 if (must_change_time == 0x7FFFFFFFFFFFFFFFULL) {
661 entry_ex->entry.pw_end = NULL;
662 } else {
663 entry_ex->entry.pw_end = malloc(sizeof(*entry_ex->entry.pw_end));
664 if (entry_ex->entry.pw_end == NULL) {
665 ret = ENOMEM;
666 goto out;
667 }
668 *entry_ex->entry.pw_end = nt_time_to_unix(must_change_time);
669 }
670
671 acct_expiry = samdb_result_account_expires(msg);
672 if (acct_expiry == 0x7FFFFFFFFFFFFFFFULL) {
673 entry_ex->entry.valid_end = NULL;
674 } else {
675 entry_ex->entry.valid_end = malloc(sizeof(*entry_ex->entry.valid_end));
676 if (entry_ex->entry.valid_end == NULL) {
677 ret = ENOMEM;
678 goto out;
679 }
680 *entry_ex->entry.valid_end = nt_time_to_unix(acct_expiry);
681 }
682 }
683
684 entry_ex->entry.valid_start = NULL;
685
686 entry_ex->entry.max_life = NULL;
687
688 entry_ex->entry.max_renew = NULL;
689
690 entry_ex->entry.generation = NULL;
691
692 /* Get keys from the db */
693 ret = samba_kdc_message2entry_keys(context, p->kdc_db_ctx->ic_ctx, p,
694 msg, userAccountControl, entry_ex);
695 if (ret) {
696 /* Could be bougus data in the entry, or out of memory */
697 goto out;
698 }
699
700 entry_ex->entry.etypes = malloc(sizeof(*(entry_ex->entry.etypes)));
701 if (entry_ex->entry.etypes == NULL) {
702 krb5_clear_error_message(context);
703 ret = ENOMEM;
704 goto out;
705 }
706 entry_ex->entry.etypes->len = entry_ex->entry.keys.len;
707 entry_ex->entry.etypes->val = calloc(entry_ex->entry.etypes->len, sizeof(int));
708 if (entry_ex->entry.etypes->val == NULL) {
709 krb5_clear_error_message(context);
710 ret = ENOMEM;
711 goto out;
712 }
713 for (i=0; i < entry_ex->entry.etypes->len; i++) {
714 entry_ex->entry.etypes->val[i] = entry_ex->entry.keys.val[i].key.keytype;
715 }
716
717
718 p->msg = talloc_steal(p, msg);
719
720 out:
721 if (ret != 0) {
722 /* This doesn't free ent itself, that is for the eventual caller to do */
723 hdb_free_entry(context, entry_ex);
724 } else {
725 talloc_steal(kdc_db_ctx, entry_ex->ctx);
726 }
727
728 return ret;
729 }
730
731 /*
732 * Construct an hdb_entry from a directory entry.
733 */
734 static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
735 struct samba_kdc_db_context *kdc_db_ctx,
736 TALLOC_CTX *mem_ctx, krb5_const_principal principal,
737 enum trust_direction direction,
738 struct ldb_dn *realm_dn,
739 struct ldb_message *msg,
740 hdb_entry_ex *entry_ex)
741 {
742 struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
743 const char *dnsdomain;
744 char *realm;
745 DATA_BLOB password_utf16;
746 struct samr_Password password_hash;
747 const struct ldb_val *password_val;
748 struct trustAuthInOutBlob password_blob;
749 struct samba_kdc_entry *p;
750
751 enum ndr_err_code ndr_err;
752 int i, ret, trust_direction_flags;
753
754 p = talloc(mem_ctx, struct samba_kdc_entry);
755 if (!p) {
756 ret = ENOMEM;
757 goto out;
758 }
759
760 p->kdc_db_ctx = kdc_db_ctx;
761 p->entry_ex = entry_ex;
762 p->realm_dn = realm_dn;
763
764 talloc_set_destructor(p, samba_kdc_entry_destructor);
765
766 entry_ex->ctx = p;
767 entry_ex->free_entry = samba_kdc_free_entry;
768
769 /* use 'whenCreated' */
770 entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0);
771 /* use '???' */
772 entry_ex->entry.created_by.principal = NULL;
773
774 entry_ex->entry.valid_start = NULL;
775
776 trust_direction_flags = ldb_msg_find_attr_as_int(msg, "trustDirection", 0);
777
778 if (direction == INBOUND) {
779 realm = strupper_talloc(mem_ctx, lp_realm(lp_ctx));
780 password_val = ldb_msg_find_ldb_val(msg, "trustAuthIncoming");
781
782 } else { /* OUTBOUND */
783 dnsdomain = ldb_msg_find_attr_as_string(msg, "trustPartner", NULL);
784 realm = strupper_talloc(mem_ctx, dnsdomain);
785 password_val = ldb_msg_find_ldb_val(msg, "trustAuthOutgoing");
786 }
787
788 if (!password_val || !(trust_direction_flags & direction)) {
789 ret = ENOENT;
790 goto out;
791 }
792
793 ndr_err = ndr_pull_struct_blob(password_val, mem_ctx, p->kdc_db_ctx->ic_ctx, &password_blob,
794 (ndr_pull_flags_fn_t)ndr_pull_trustAuthInOutBlob);
795 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
796 ret = EINVAL;
797 goto out;
798 }
799
800 entry_ex->entry.kvno = -1;
801 for (i=0; i < password_blob.count; i++) {
802 if (password_blob.current->array[i].AuthType == TRUST_AUTH_TYPE_VERSION) {
803 entry_ex->entry.kvno = password_blob.current->array[i].AuthInfo.version.version;
804 }
805 }
806
807 for (i=0; i < password_blob.count; i++) {
808 if (password_blob.current->array[i].AuthType == TRUST_AUTH_TYPE_CLEAR) {
809 password_utf16 = data_blob_const(password_blob.current->array[i].AuthInfo.clear.password,
810 password_blob.current->array[i].AuthInfo.clear.size);
811 /* In the future, generate all sorts of
812 * hashes, but for now we can't safely convert
813 * the random strings windows uses into
814 * utf8 */
815
816 /* but as it is utf16 already, we can get the NT password/arcfour-hmac-md5 key */
817 mdfour(password_hash.hash, password_utf16.data, password_utf16.length);
818 break;
819 } else if (password_blob.current->array[i].AuthType == TRUST_AUTH_TYPE_NT4OWF) {
820 password_hash = password_blob.current->array[i].AuthInfo.nt4owf.password;
821 break;
822 }
823 }
824 entry_ex->entry.keys.len = 0;
825 entry_ex->entry.keys.val = NULL;
826
827 if (i < password_blob.count) {
828 Key key;
829 /* Must have found a cleartext or MD4 password */
830 entry_ex->entry.keys.val = calloc(1, sizeof(Key));
831
832 key.mkvno = 0;
833 key.salt = NULL; /* No salt for this enc type */
834
835 if (entry_ex->entry.keys.val == NULL) {
836 ret = ENOMEM;
837 goto out;
838 }
839
840 ret = krb5_keyblock_init(context,
841 ENCTYPE_ARCFOUR_HMAC,
842 password_hash.hash, sizeof(password_hash.hash),
843 &key.key);
844
845 entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
846 entry_ex->entry.keys.len++;
847 }
848
849 entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal)));
850
851 ret = copy_Principal(principal, entry_ex->entry.principal);
852 if (ret) {
853 krb5_clear_error_message(context);
854 goto out;
855 }
856
857 /* While we have copied the client principal, tests
858 * show that Win2k3 returns the 'corrected' realm, not
859 * the client-specified realm. This code attempts to
860 * replace the client principal's realm with the one
861 * we determine from our records */
862
863 krb5_principal_set_realm(context, entry_ex->entry.principal, realm);
864 entry_ex->entry.flags = int2HDBFlags(0);
865 entry_ex->entry.flags.immutable = 1;
866 entry_ex->entry.flags.invalid = 0;
867 entry_ex->entry.flags.server = 1;
868 entry_ex->entry.flags.require_preauth = 1;
869
870 entry_ex->entry.pw_end = NULL;
871
872 entry_ex->entry.max_life = NULL;
873
874 entry_ex->entry.max_renew = NULL;
875
876 entry_ex->entry.generation = NULL;
877
878 entry_ex->entry.etypes = malloc(sizeof(*(entry_ex->entry.etypes)));
879 if (entry_ex->entry.etypes == NULL) {
880 krb5_clear_error_message(context);
881 ret = ENOMEM;
882 goto out;
883 }
884 entry_ex->entry.etypes->len = entry_ex->entry.keys.len;
885 entry_ex->entry.etypes->val = calloc(entry_ex->entry.etypes->len, sizeof(int));
886 if (entry_ex->entry.etypes->val == NULL) {
887 krb5_clear_error_message(context);
888 ret = ENOMEM;
889 goto out;
890 }
891 for (i=0; i < entry_ex->entry.etypes->len; i++) {
892 entry_ex->entry.etypes->val[i] = entry_ex->entry.keys.val[i].key.keytype;
893 }
894
895
896 p->msg = talloc_steal(p, msg);
897
898 out:
899 if (ret != 0) {
900 /* This doesn't free ent itself, that is for the eventual caller to do */
901 hdb_free_entry(context, entry_ex);
902 } else {
903 talloc_steal(kdc_db_ctx, entry_ex->ctx);
904 }
905
906 return ret;
907
908 }
909
910 static krb5_error_code samba_kdc_lookup_trust(krb5_context context, struct ldb_context *ldb_ctx,
911 TALLOC_CTX *mem_ctx,
912 const char *realm,
913 struct ldb_dn *realm_dn,
914 struct ldb_message **pmsg)
915 {
916 int lret;
917 krb5_error_code ret;
918 char *filter = NULL;
919 const char * const *attrs = trust_attrs;
920
921 struct ldb_result *res = NULL;
922 filter = talloc_asprintf(mem_ctx, "(&(objectClass=trustedDomain)(|(flatname=%s)(trustPartner=%s)))", realm, realm);
923
924 if (!filter) {
925 ret = ENOMEM;
926 krb5_set_error_message(context, ret, "talloc_asprintf: out of memory");
927 return ret;
928 }
929
930 lret = ldb_search(ldb_ctx, mem_ctx, &res,
931 ldb_get_default_basedn(ldb_ctx),
932 LDB_SCOPE_SUBTREE, attrs, "%s", filter);
933 if (lret != LDB_SUCCESS) {
934 DEBUG(3, ("Failed to search for %s: %s\n", filter, ldb_errstring(ldb_ctx)));
935 return HDB_ERR_NOENTRY;
936 } else if (res->count == 0 || res->count > 1) {
937 DEBUG(3, ("Failed find a single entry for %s: got %d\n", filter, res->count));
938 talloc_free(res);
939 return HDB_ERR_NOENTRY;
940 }
941 talloc_steal(mem_ctx, res->msgs);
942 *pmsg = res->msgs[0];
943 talloc_free(res);
944 return 0;
945 }
946
947 static krb5_error_code samba_kdc_lookup_client(krb5_context context,
948 struct samba_kdc_db_context *kdc_db_ctx,
949 TALLOC_CTX *mem_ctx,
950 krb5_const_principal principal,
951 const char **attrs,
952 struct ldb_dn **realm_dn,
953 struct ldb_message **msg) {
954 NTSTATUS nt_status;
955 char *principal_string;
956 krb5_error_code ret;
957
958 ret = krb5_unparse_name(context, principal, &principal_string);
959
960 if (ret != 0) {
961 return ret;
962 }
963
964 nt_status = sam_get_results_principal(kdc_db_ctx->samdb,
965 mem_ctx, principal_string, attrs,
966 realm_dn, msg);
967 free(principal_string);
968 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
969 return HDB_ERR_NOENTRY;
970 } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
971 return ENOMEM;
972 } else if (!NT_STATUS_IS_OK(nt_status)) {
973 return EINVAL;
974 }
975
976 return ret;
977 }
978
979 static krb5_error_code samba_kdc_fetch_client(krb5_context context,
980 struct samba_kdc_db_context *kdc_db_ctx,
981 TALLOC_CTX *mem_ctx,
982 krb5_const_principal principal,
983 hdb_entry_ex *entry_ex) {
984 struct ldb_dn *realm_dn;
985 krb5_error_code ret;
986 struct ldb_message *msg = NULL;
987
988 ret = samba_kdc_lookup_client(context, kdc_db_ctx,
989 mem_ctx, principal, user_attrs,
990 &realm_dn, &msg);
991 if (ret != 0) {
992 return ret;
993 }
994
995 ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
996 principal, SAMBA_KDC_ENT_TYPE_CLIENT,
997 realm_dn, msg, entry_ex);
998 return ret;
999 }
1000
1001 static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
1002 struct samba_kdc_db_context *kdc_db_ctx,
1003 TALLOC_CTX *mem_ctx,
1004 krb5_const_principal principal,
1005 hdb_entry_ex *entry_ex)
1006 {
1007 struct loadparm_context *lp_ctx = kdc_db_ctx->lp_ctx;
1008 krb5_error_code ret;
1009 struct ldb_message *msg = NULL;
1010 struct ldb_dn *realm_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
1011 const char *realm;
1012
1013 krb5_principal alloc_principal = NULL;
1014 if (principal->name.name_string.len != 2
1015 || (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) != 0)) {
1016 /* Not a krbtgt */
1017 return HDB_ERR_NOENTRY;
1018 }
1019
1020 /* krbtgt case. Either us or a trusted realm */
1021
1022 if (lp_is_my_domain_or_realm(lp_ctx, principal->realm)
1023 && lp_is_my_domain_or_realm(lp_ctx, principal->name.name_string.val[1])) {
1024 /* us */
1025 /* Cludge, cludge cludge. If the realm part of krbtgt/realm,
1026 * is in our db, then direct the caller at our primary
1027 * krbtgt */
1028
1029 int lret;
1030 char *realm_fixed;
1031
1032 lret = gendb_search_single_extended_dn(kdc_db_ctx->samdb, mem_ctx,
1033 realm_dn, LDB_SCOPE_SUBTREE,
1034 &msg, krbtgt_attrs,
1035 "(&(objectClass=user)(samAccountName=krbtgt))");
1036 if (lret == LDB_ERR_NO_SUCH_OBJECT) {
1037 krb5_warnx(context, "samba_kdc_fetch: could not find own KRBTGT in DB!");
1038 krb5_set_error_message(context, HDB_ERR_NOENTRY, "samba_kdc_fetch: could not find own KRBTGT in DB!");
1039 return HDB_ERR_NOENTRY;
1040 } else if (lret != LDB_SUCCESS) {
1041 krb5_warnx(context, "samba_kdc_fetch: could not find own KRBTGT in DB: %s", ldb_errstring(kdc_db_ctx->samdb));
1042 krb5_set_error_message(context, HDB_ERR_NOENTRY, "samba_kdc_fetch: could not find own KRBTGT in DB: %s", ldb_errstring(kdc_db_ctx->samdb));
1043 return HDB_ERR_NOENTRY;
1044 }
1045
1046 realm_fixed = strupper_talloc(mem_ctx, lp_realm(lp_ctx));
1047 if (!realm_fixed) {
1048 ret = ENOMEM;
1049 krb5_set_error_message(context, ret, "strupper_talloc: out of memory");
1050 return ret;
1051 }
1052
1053 ret = krb5_copy_principal(context, principal, &alloc_principal);
1054 if (ret) {
1055 return ret;
1056 }
1057
1058 free(alloc_principal->name.name_string.val[1]);
1059 alloc_principal->name.name_string.val[1] = strdup(realm_fixed);
1060 talloc_free(realm_fixed);
1061 if (!alloc_principal->name.name_string.val[1]) {
1062 ret = ENOMEM;
1063 krb5_set_error_message(context, ret, "samba_kdc_fetch: strdup() failed!");
1064 return ret;
1065 }
1066 principal = alloc_principal;
1067
1068 ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
1069 principal, SAMBA_KDC_ENT_TYPE_KRBTGT,
1070 realm_dn, msg, entry_ex);
1071 if (ret != 0) {
1072 krb5_warnx(context, "samba_kdc_fetch: self krbtgt message2entry failed");
1073 }
1074 return ret;
1075
1076 } else {
1077 enum trust_direction direction = UNKNOWN;
1078
1079 /* Either an inbound or outbound trust */
1080
1081 if (strcasecmp(lp_realm(lp_ctx), principal->realm) == 0) {
1082 /* look for inbound trust */
1083 direction = INBOUND;
1084 realm = principal->name.name_string.val[1];
1085 }
1086
1087 if (strcasecmp(lp_realm(lp_ctx), principal->name.name_string.val[1]) == 0) {
1088 /* look for outbound trust */
1089 direction = OUTBOUND;
1090 realm = principal->realm;
1091 }
1092
1093 /* Trusted domains are under CN=system */
1094
1095 ret = samba_kdc_lookup_trust(context, kdc_db_ctx->samdb,
1096 mem_ctx,
1097 realm, realm_dn, &msg);
1098
1099 if (ret != 0) {
1100 krb5_warnx(context, "samba_kdc_fetch: could not find principal in DB");
1101 krb5_set_error_message(context, ret, "samba_kdc_fetch: could not find principal in DB");
1102 return ret;
1103 }
1104
1105 ret = samba_kdc_trust_message2entry(context, kdc_db_ctx, mem_ctx,
1106 principal, direction,
1107 realm_dn, msg, entry_ex);
1108 if (ret != 0) {
1109 krb5_warnx(context, "samba_kdc_fetch: trust_message2entry failed");
1110 }
1111 return ret;
1112
1113
1114 /* we should lookup trusted domains */
1115 return HDB_ERR_NOENTRY;
1116 }
1117
1118 }
1119
1120 static krb5_error_code samba_kdc_lookup_server(krb5_context context,
1121 struct samba_kdc_db_context *kdc_db_ctx,
1122 TALLOC_CTX *mem_ctx,
1123 krb5_const_principal principal,
1124 const char **attrs,
1125 struct ldb_dn **realm_dn,
1126 struct ldb_message **msg)
1127 {
1128 krb5_error_code ret;
1129 const char *realm;
1130 if (principal->name.name_string.len >= 2) {
1131 /* 'normal server' case */
1132 int ldb_ret;
1133 NTSTATUS nt_status;
1134 struct ldb_dn *user_dn;
1135 char *principal_string;
1136
1137 ret = krb5_unparse_name_flags(context, principal,
1138 KRB5_PRINCIPAL_UNPARSE_NO_REALM,
1139 &principal_string);
1140 if (ret != 0) {
1141 return ret;
1142 }
1143
1144 /* At this point we may find the host is known to be
1145 * in a different realm, so we should generate a
1146 * referral instead */
1147 nt_status = crack_service_principal_name(kdc_db_ctx->samdb,
1148 mem_ctx, principal_string,
1149 &user_dn, realm_dn);
1150 free(principal_string);
1151
1152 if (!NT_STATUS_IS_OK(nt_status)) {
1153 return HDB_ERR_NOENTRY;
1154 }
1155
1156 ldb_ret = gendb_search_single_extended_dn(kdc_db_ctx->samdb,
1157 mem_ctx,
1158 user_dn, LDB_SCOPE_BASE,
1159 msg, attrs,
1160 "(objectClass=*)");
1161 if (ldb_ret != LDB_SUCCESS) {
1162 return HDB_ERR_NOENTRY;
1163 }
1164
1165 } else {
1166 int lret;
1167 char *filter = NULL;
1168 char *short_princ;
1169 /* server as client principal case, but we must not lookup userPrincipalNames */
1170 *realm_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
1171 realm = krb5_principal_get_realm(context, principal);
1172
1173 /* TODO: Check if it is our realm, otherwise give referall */
1174
1175 ret = krb5_unparse_name_flags(context, principal, KRB5_PRINCIPAL_UNPARSE_NO_REALM, &short_princ);
1176
1177 if (ret != 0) {
1178 krb5_set_error_message(context, ret, "samba_kdc_lookup_principal: could not parse principal");
1179 krb5_warnx(context, "samba_kdc_lookup_principal: could not parse principal");
1180 return ret;
1181 }
1182
1183 lret = gendb_search_single_extended_dn(kdc_db_ctx->samdb, mem_ctx,
1184 *realm_dn, LDB_SCOPE_SUBTREE,
1185 msg, attrs, "(&(objectClass=user)(samAccountName=%s))",
1186 ldb_binary_encode_string(mem_ctx, short_princ));
1187 free(short_princ);
1188 if (lret == LDB_ERR_NO_SUCH_OBJECT) {
1189 DEBUG(3, ("Failed find a entry for %s\n", filter));
1190 return HDB_ERR_NOENTRY;
1191 }
1192 if (lret != LDB_SUCCESS) {
1193 DEBUG(3, ("Failed single search for for %s - %s\n",
1194 filter, ldb_errstring(kdc_db_ctx->samdb)));
1195 return HDB_ERR_NOENTRY;
1196 }
1197 }
1198
1199 return 0;
1200 }
1201
1202 static krb5_error_code samba_kdc_fetch_server(krb5_context context,
1203 struct samba_kdc_db_context *kdc_db_ctx,
1204 TALLOC_CTX *mem_ctx,
1205 krb5_const_principal principal,
1206 hdb_entry_ex *entry_ex)
1207 {
1208 krb5_error_code ret;
1209 struct ldb_dn *realm_dn;
1210 struct ldb_message *msg;
1211
1212 ret = samba_kdc_lookup_server(context, kdc_db_ctx, mem_ctx, principal,
1213 server_attrs, &realm_dn, &msg);
1214 if (ret != 0) {
1215 return ret;
1216 }
1217
1218 ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
1219 principal, SAMBA_KDC_ENT_TYPE_SERVER,
1220 realm_dn, msg, entry_ex);
1221 if (ret != 0) {
1222 krb5_warnx(context, "samba_kdc_fetch: message2entry failed");
1223 }
1224
1225 return ret;
1226 }
1227
1228 krb5_error_code samba_kdc_fetch(krb5_context context,
1229 struct samba_kdc_db_context *kdc_db_ctx,
1230 krb5_const_principal principal,
1231 unsigned flags,
1232 hdb_entry_ex *entry_ex)
1233 {
1234 krb5_error_code ret = HDB_ERR_NOENTRY;
1235 TALLOC_CTX *mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_fetch context");
1236
1237 if (!mem_ctx) {
1238 ret = ENOMEM;
1239 krb5_set_error_message(context, ret, "samba_kdc_fetch: talloc_named() failed!");
1240 return ret;
1241 }
1242
1243 if (flags & HDB_F_GET_CLIENT) {
1244 ret = samba_kdc_fetch_client(context, kdc_db_ctx, mem_ctx, principal, entry_ex);
1245 if (ret != HDB_ERR_NOENTRY) goto done;
1246 }
1247 if (flags & HDB_F_GET_SERVER) {
1248 /* krbtgt fits into this situation for trusted realms, and for resolving different versions of our own realm name */
1249 ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, entry_ex);
1250 if (ret != HDB_ERR_NOENTRY) goto done;
1251
1252 /* We return 'no entry' if it does not start with krbtgt/, so move to the common case quickly */
1253 ret = samba_kdc_fetch_server(context, kdc_db_ctx, mem_ctx, principal, entry_ex);
1254 if (ret != HDB_ERR_NOENTRY) goto done;
1255 }
1256 if (flags & HDB_F_GET_KRBTGT) {
1257 ret = samba_kdc_fetch_krbtgt(context, kdc_db_ctx, mem_ctx, principal, entry_ex);
1258 if (ret != HDB_ERR_NOENTRY) goto done;
1259 }
1260
1261 done:
1262 talloc_free(mem_ctx);
1263 return ret;
1264 }
1265
1266 struct samba_kdc_seq {
1267 int index;
1268 int count;
1269 struct ldb_message **msgs;
1270 struct ldb_dn *realm_dn;
1271 };
1272
1273 static krb5_error_code samba_kdc_seq(krb5_context context,
1274 struct samba_kdc_db_context *kdc_db_ctx,
1275 hdb_entry_ex *entry)
1276 {
1277 krb5_error_code ret;
1278 struct samba_kdc_seq *priv = kdc_db_ctx->seq_ctx;
1279 TALLOC_CTX *mem_ctx;
1280 hdb_entry_ex entry_ex;
1281 memset(&entry_ex, '\0', sizeof(entry_ex));
1282
1283 if (!priv) {
1284 return HDB_ERR_NOENTRY;
1285 }
1286
1287 mem_ctx = talloc_named(priv, 0, "samba_kdc_seq context");
1288
1289 if (!mem_ctx) {
1290 ret = ENOMEM;
1291 krb5_set_error_message(context, ret, "samba_kdc_seq: talloc_named() failed!");
1292 return ret;
1293 }
1294
1295 if (priv->index < priv->count) {
1296 ret = samba_kdc_message2entry(context, kdc_db_ctx, mem_ctx,
1297 NULL, SAMBA_KDC_ENT_TYPE_ANY,
1298 priv->realm_dn, priv->msgs[priv->index++], entry);
1299 } else {
1300 ret = HDB_ERR_NOENTRY;
1301 }
1302
1303 if (ret != 0) {
1304 talloc_free(priv);
1305 kdc_db_ctx->seq_ctx = NULL;
1306 } else {
1307 talloc_free(mem_ctx);
1308 }
1309
1310 return ret;
1311 }
1312
1313 krb5_error_code samba_kdc_firstkey(krb5_context context,
1314 struct samba_kdc_db_context *kdc_db_ctx,
1315 hdb_entry_ex *entry)
1316 {
1317 struct ldb_context *ldb_ctx = kdc_db_ctx->samdb;
1318 struct samba_kdc_seq *priv = kdc_db_ctx->seq_ctx;
1319 char *realm;
1320 struct ldb_result *res = NULL;
1321 krb5_error_code ret;
1322 TALLOC_CTX *mem_ctx;
1323 int lret;
1324
1325 if (priv) {
1326 talloc_free(priv);
1327 kdc_db_ctx->seq_ctx = NULL;
1328 }
1329
1330 priv = (struct samba_kdc_seq *) talloc(kdc_db_ctx, struct samba_kdc_seq);
1331 if (!priv) {
1332 ret = ENOMEM;
1333 krb5_set_error_message(context, ret, "talloc: out of memory");
1334 return ret;
1335 }
1336
1337 priv->index = 0;
1338 priv->msgs = NULL;
1339 priv->realm_dn = ldb_get_default_basedn(ldb_ctx);
1340 priv->count = 0;
1341
1342 mem_ctx = talloc_named(priv, 0, "samba_kdc_firstkey context");
1343
1344 if (!mem_ctx) {
1345 ret = ENOMEM;
1346 krb5_set_error_message(context, ret, "samba_kdc_firstkey: talloc_named() failed!");
1347 return ret;
1348 }
1349
1350 ret = krb5_get_default_realm(context, &realm);
1351 if (ret != 0) {
1352 talloc_free(priv);
1353 return ret;
1354 }
1355
1356 lret = ldb_search(ldb_ctx, priv, &res,
1357 priv->realm_dn, LDB_SCOPE_SUBTREE, user_attrs,
1358 "(objectClass=user)");
1359
1360 if (lret != LDB_SUCCESS) {
1361 talloc_free(priv);
1362 return HDB_ERR_NOENTRY;
1363 }
1364
1365 priv->count = res->count;
1366 priv->msgs = talloc_steal(priv, res->msgs);
1367 talloc_free(res);
1368
1369 kdc_db_ctx->seq_ctx = priv;
1370
1371 ret = samba_kdc_seq(context, kdc_db_ctx, entry);
1372
1373 if (ret != 0) {
1374 talloc_free(priv);
1375 kdc_db_ctx->seq_ctx = NULL;
1376 } else {
1377 talloc_free(mem_ctx);
1378 }
1379 return ret;
1380 }
1381
1382 krb5_error_code samba_kdc_nextkey(krb5_context context,
1383 struct samba_kdc_db_context *kdc_db_ctx,
1384 hdb_entry_ex *entry)
1385 {
1386 return samba_kdc_seq(context, kdc_db_ctx, entry);
1387 }
1388
1389 /* Check if a given entry may delegate to this target principal
1390 *
1391 * This is currently a very nasty hack - allowing only delegation to itself.
1392 */
1393 krb5_error_code
1394 samba_kdc_check_constrained_delegation(krb5_context context,
1395 struct samba_kdc_db_context *kdc_db_ctx,
1396 hdb_entry_ex *entry,
1397 krb5_const_principal target_principal)
1398 {
1399 krb5_error_code ret;
1400 krb5_principal enterprise_prinicpal = NULL;
1401 struct ldb_dn *realm_dn;
1402 struct ldb_message *msg;
1403 struct dom_sid *orig_sid;
1404 struct dom_sid *target_sid;
1405 struct samba_kdc_entry *p = talloc_get_type(entry->ctx, struct samba_kdc_entry);
1406 const char *delegation_check_attrs[] = {
1407 "objectSid", NULL
1408 };
1409
1410 TALLOC_CTX *mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_check_constrained_delegation");
1411
1412 if (!mem_ctx) {
1413 ret = ENOMEM;
1414 krb5_set_error_message(context, ret, "samba_kdc_fetch: talloc_named() failed!");
1415 return ret;
1416 }
1417
1418 if (target_principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
1419 /* Need to reparse the enterprise principal to find the real target */
1420 if (target_principal->name.name_string.len != 1) {
1421 ret = KRB5_PARSE_MALFORMED;
1422 krb5_set_error_message(context, ret, "samba_kdc_check_constrained_delegation: request for delegation to enterprise principal with wrong (%d) number of components",
1423 target_principal->name.name_string.len);
1424 talloc_free(mem_ctx);
1425 return ret;
1426 }
1427 ret = krb5_parse_name(context, target_principal->name.name_string.val[0],
1428 &enterprise_prinicpal);
1429 if (ret) {
1430 talloc_free(mem_ctx);
1431 return ret;
1432 }
1433 target_principal = enterprise_prinicpal;
1434 }
1435
1436 ret = samba_kdc_lookup_server(context, kdc_db_ctx, mem_ctx, target_principal,
1437 delegation_check_attrs, &realm_dn, &msg);
1438
1439 krb5_free_principal(context, enterprise_prinicpal);
1440
1441 if (ret != 0) {
1442 talloc_free(mem_ctx);
1443 return ret;
1444 }
1445
1446 orig_sid = samdb_result_dom_sid(mem_ctx, p->msg, "objectSid");
1447 target_sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid");
1448
1449 /* Allow delegation to the same principal, even if by a different
1450 * name. The easy and safe way to prove this is by SID
1451 * comparison */
1452 if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) {
1453 talloc_free(mem_ctx);
1454 return KRB5KDC_ERR_BADOPTION;
1455 }
1456
1457 talloc_free(mem_ctx);
1458 return ret;
1459 }
1460
1461 /* Certificates printed by a the Certificate Authority might have a
1462 * slightly different form of the user principal name to that in the
1463 * database. Allow a mismatch where they both refer to the same
1464 * SID */
1465
1466 krb5_error_code
1467 samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
1468 struct samba_kdc_db_context *kdc_db_ctx,
1469 hdb_entry_ex *entry,
1470 krb5_const_principal certificate_principal)
1471 {
1472 krb5_error_code ret;
1473 struct ldb_dn *realm_dn;
1474 struct ldb_message *msg;
1475 struct dom_sid *orig_sid;
1476 struct dom_sid *target_sid;
1477 struct samba_kdc_entry *p = talloc_get_type(entry->ctx, struct samba_kdc_entry);
1478 const char *ms_upn_check_attrs[] = {
1479 "objectSid", NULL
1480 };
1481
1482 TALLOC_CTX *mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_check_pkinit_ms_upn_match");
1483
1484 if (!mem_ctx) {
1485 ret = ENOMEM;
1486 krb5_set_error_message(context, ret, "samba_kdc_fetch: talloc_named() failed!");
1487 return ret;
1488 }
1489
1490 ret = samba_kdc_lookup_client(context, kdc_db_ctx,
1491 mem_ctx, certificate_principal,
1492 ms_upn_check_attrs, &realm_dn, &msg);
1493
1494 if (ret != 0) {
1495 talloc_free(mem_ctx);
1496 return ret;
1497 }
1498
1499 orig_sid = samdb_result_dom_sid(mem_ctx, p->msg, "objectSid");
1500 target_sid = samdb_result_dom_sid(mem_ctx, msg, "objectSid");
1501
1502 /* Consider these to be the same principal, even if by a different
1503 * name. The easy and safe way to prove this is by SID
1504 * comparison */
1505 if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) {
1506 talloc_free(mem_ctx);
1507 return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
1508 }
1509
1510 talloc_free(mem_ctx);
1511 return ret;
1512 }
1513