2 Unix SMB/CIFS implementation.
3 kerberos utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Nalin Dahyabhai <nalin@redhat.com> 2004.
7 Copyright (C) Jeremy Allison 2004.
8 Copyright (C) Gerald Carter 2006.
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
28 #define LIBADS_CCACHE_NAME "MEMORY:libads"
31 we use a prompter to avoid a crash bug in the kerberos libs when
32 dealing with empty passwords
33 this prompter is just a string copy ...
35 static krb5_error_code
36 kerb_prompter(krb5_context ctx
, void *data
,
40 krb5_prompt prompts
[])
42 if (num_prompts
== 0) return 0;
44 memset(prompts
[0].reply
->data
, '\0', prompts
[0].reply
->length
);
45 if (prompts
[0].reply
->length
> 0) {
47 strncpy(prompts
[0].reply
->data
, (const char *)data
,
48 prompts
[0].reply
->length
-1);
49 prompts
[0].reply
->length
= strlen(prompts
[0].reply
->data
);
51 prompts
[0].reply
->length
= 0;
57 static bool smb_krb5_err_io_nstatus(TALLOC_CTX
*mem_ctx
,
58 DATA_BLOB
*edata_blob
,
59 KRB5_EDATA_NTSTATUS
*edata
)
64 if (!mem_ctx
|| !edata_blob
|| !edata
)
67 if (!prs_init(&ps
, edata_blob
->length
, mem_ctx
, UNMARSHALL
))
70 if (!prs_copy_data_in(&ps
, (char *)edata_blob
->data
, edata_blob
->length
))
73 prs_set_offset(&ps
, 0);
75 if (!prs_ntstatus("ntstatus", &ps
, 1, &edata
->ntstatus
))
78 if (!prs_uint32("unknown1", &ps
, 1, &edata
->unknown1
))
81 if (!prs_uint32("unknown2", &ps
, 1, &edata
->unknown2
)) /* only seen 00000001 here */
91 static bool smb_krb5_get_ntstatus_from_krb5_error(krb5_error
*error
,
95 DATA_BLOB unwrapped_edata
;
97 KRB5_EDATA_NTSTATUS parsed_edata
;
99 #ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
100 edata
= data_blob(error
->e_data
->data
, error
->e_data
->length
);
102 edata
= data_blob(error
->e_data
.data
, error
->e_data
.length
);
103 #endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
106 dump_data(10, edata
.data
, edata
.length
);
107 #endif /* DEVELOPER */
109 mem_ctx
= talloc_init("smb_krb5_get_ntstatus_from_krb5_error");
110 if (mem_ctx
== NULL
) {
111 data_blob_free(&edata
);
115 if (!unwrap_edata_ntstatus(mem_ctx
, &edata
, &unwrapped_edata
)) {
116 data_blob_free(&edata
);
117 TALLOC_FREE(mem_ctx
);
121 data_blob_free(&edata
);
123 if (!smb_krb5_err_io_nstatus(mem_ctx
, &unwrapped_edata
, &parsed_edata
)) {
124 data_blob_free(&unwrapped_edata
);
125 TALLOC_FREE(mem_ctx
);
129 data_blob_free(&unwrapped_edata
);
132 *nt_status
= parsed_edata
.ntstatus
;
135 TALLOC_FREE(mem_ctx
);
140 static bool smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt(krb5_context ctx
,
141 krb5_get_init_creds_opt
*opt
,
145 krb5_error
*error
= NULL
;
147 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_GET_ERROR
148 ret
= krb5_get_init_creds_opt_get_error(ctx
, opt
, &error
);
150 DEBUG(1,("krb5_get_init_creds_opt_get_error gave: %s\n",
151 error_message(ret
)));
154 #endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_GET_ERROR */
157 DEBUG(1,("no krb5_error\n"));
161 #ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
162 if (!error
->e_data
) {
164 if (error
->e_data
.data
== NULL
) {
165 #endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
166 DEBUG(1,("no edata in krb5_error\n"));
167 krb5_free_error(ctx
, error
);
171 ret
= smb_krb5_get_ntstatus_from_krb5_error(error
, nt_status
);
173 krb5_free_error(ctx
, error
);
179 simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL
180 place in default cache location.
183 int kerberos_kinit_password_ext(const char *principal
,
184 const char *password
,
187 time_t *renew_till_time
,
188 const char *cache_name
,
190 bool add_netbios_addr
,
191 time_t renewable_time
,
194 krb5_context ctx
= NULL
;
195 krb5_error_code code
= 0;
196 krb5_ccache cc
= NULL
;
197 krb5_principal me
= NULL
;
199 krb5_get_init_creds_opt
*opt
= NULL
;
200 smb_krb5_addresses
*addr
= NULL
;
202 ZERO_STRUCT(my_creds
);
204 initialize_krb5_error_table();
205 if ((code
= krb5_init_context(&ctx
)))
208 if (time_offset
!= 0) {
209 krb5_set_real_time(ctx
, time(NULL
) + time_offset
, 0);
212 DEBUG(10,("kerberos_kinit_password: using [%s] as ccache and config [%s]\n",
213 cache_name
? cache_name
: krb5_cc_default_name(ctx
),
214 getenv("KRB5_CONFIG")));
216 if ((code
= krb5_cc_resolve(ctx
, cache_name
? cache_name
: krb5_cc_default_name(ctx
), &cc
))) {
220 if ((code
= smb_krb5_parse_name(ctx
, principal
, &me
))) {
224 if ((code
= smb_krb5_get_init_creds_opt_alloc(ctx
, &opt
))) {
228 krb5_get_init_creds_opt_set_renew_life(opt
, renewable_time
);
229 krb5_get_init_creds_opt_set_forwardable(opt
, True
);
232 krb5_get_init_creds_opt_set_tkt_life(opt
, 60);
235 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
237 if ((code
= krb5_get_init_creds_opt_set_pac_request(ctx
, opt
, (krb5_boolean
)request_pac
))) {
242 if (add_netbios_addr
) {
243 if ((code
= smb_krb5_gen_netbios_krb5_address(&addr
))) {
246 krb5_get_init_creds_opt_set_address_list(opt
, addr
->addrs
);
249 if ((code
= krb5_get_init_creds_password(ctx
, &my_creds
, me
, CONST_DISCARD(char *,password
),
250 kerb_prompter
, CONST_DISCARD(char *,password
),
255 if ((code
= krb5_cc_initialize(ctx
, cc
, me
))) {
259 if ((code
= krb5_cc_store_cred(ctx
, cc
, &my_creds
))) {
264 *expire_time
= (time_t) my_creds
.times
.endtime
;
267 if (renew_till_time
) {
268 *renew_till_time
= (time_t) my_creds
.times
.renew_till
;
277 *ntstatus
= NT_STATUS_OK
;
281 /* try to get ntstatus code out of krb5_error when we have it
282 * inside the krb5_get_init_creds_opt - gd */
284 if (opt
&& smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt(ctx
, opt
, &status
)) {
289 /* fall back to self-made-mapping */
290 *ntstatus
= krb5_to_nt_status(code
);
294 krb5_free_cred_contents(ctx
, &my_creds
);
296 krb5_free_principal(ctx
, me
);
299 smb_krb5_free_addresses(ctx
, addr
);
302 smb_krb5_get_init_creds_opt_free(ctx
, opt
);
305 krb5_cc_close(ctx
, cc
);
308 krb5_free_context(ctx
);
315 /* run kinit to setup our ccache */
316 int ads_kinit_password(ADS_STRUCT
*ads
)
320 const char *account_name
;
324 /* this will end up getting a ticket for DOMAIN@RUSTED.REA.LM */
325 account_name
= lp_workgroup();
327 /* always use the sAMAccountName for security = domain */
328 /* global_myname()$@REA.LM */
329 if ( lp_security() == SEC_DOMAIN
) {
330 fstr_sprintf( acct_name
, "%s$", global_myname() );
331 account_name
= acct_name
;
334 /* This looks like host/global_myname()@REA.LM */
335 account_name
= ads
->auth
.user_name
;
338 if (asprintf(&s
, "%s@%s", account_name
, ads
->auth
.realm
) == -1) {
339 return KRB5_CC_NOMEM
;
342 if (!ads
->auth
.password
) {
344 return KRB5_LIBOS_CANTREADPWD
;
347 ret
= kerberos_kinit_password_ext(s
, ads
->auth
.password
, ads
->auth
.time_offset
,
348 &ads
->auth
.tgt_expire
, NULL
, NULL
, False
, False
, ads
->auth
.renewable
,
352 DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
353 s
, error_message(ret
)));
359 int ads_kdestroy(const char *cc_name
)
361 krb5_error_code code
;
362 krb5_context ctx
= NULL
;
363 krb5_ccache cc
= NULL
;
365 initialize_krb5_error_table();
366 if ((code
= krb5_init_context (&ctx
))) {
367 DEBUG(3, ("ads_kdestroy: kdb5_init_context failed: %s\n",
368 error_message(code
)));
373 if ((code
= krb5_cc_default(ctx
, &cc
))) {
374 krb5_free_context(ctx
);
378 if ((code
= krb5_cc_resolve(ctx
, cc_name
, &cc
))) {
379 DEBUG(3, ("ads_kdestroy: krb5_cc_resolve failed: %s\n",
380 error_message(code
)));
381 krb5_free_context(ctx
);
386 if ((code
= krb5_cc_destroy (ctx
, cc
))) {
387 DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n",
388 error_message(code
)));
391 krb5_free_context (ctx
);
395 /************************************************************************
396 Routine to fetch the salting principal for a service. Active
397 Directory may use a non-obvious principal name to generate the salt
398 when it determines the key to use for encrypting tickets for a service,
399 and hopefully we detected that when we joined the domain.
400 ************************************************************************/
402 static char *kerberos_secrets_fetch_salting_principal(const char *service
, int enctype
)
407 asprintf(&key
, "%s/%s/enctype=%d", SECRETS_SALTING_PRINCIPAL
, service
, enctype
);
411 ret
= (char *)secrets_fetch(key
, NULL
);
416 /************************************************************************
417 Return the standard DES salt key
418 ************************************************************************/
420 char* kerberos_standard_des_salt( void )
424 fstr_sprintf( salt
, "host/%s.%s@", global_myname(), lp_realm() );
426 fstrcat( salt
, lp_realm() );
428 return SMB_STRDUP( salt
);
431 /************************************************************************
432 ************************************************************************/
434 static char* des_salt_key( void )
438 asprintf(&key
, "%s/DES/%s", SECRETS_SALTING_PRINCIPAL
, lp_realm());
443 /************************************************************************
444 ************************************************************************/
446 bool kerberos_secrets_store_des_salt( const char* salt
)
451 if ( (key
= des_salt_key()) == NULL
) {
452 DEBUG(0,("kerberos_secrets_store_des_salt: failed to generate key!\n"));
457 DEBUG(8,("kerberos_secrets_store_des_salt: deleting salt\n"));
458 secrets_delete( key
);
462 DEBUG(3,("kerberos_secrets_store_des_salt: Storing salt \"%s\"\n", salt
));
464 ret
= secrets_store( key
, salt
, strlen(salt
)+1 );
471 /************************************************************************
472 ************************************************************************/
474 char* kerberos_secrets_fetch_des_salt( void )
478 if ( (key
= des_salt_key()) == NULL
) {
479 DEBUG(0,("kerberos_secrets_fetch_des_salt: failed to generate key!\n"));
483 salt
= (char*)secrets_fetch( key
, NULL
);
490 /************************************************************************
491 Routine to get the default realm from the kerberos credentials cache.
492 Caller must free if the return value is not NULL.
493 ************************************************************************/
495 char *kerberos_get_default_realm_from_ccache( void )
498 krb5_context ctx
= NULL
;
499 krb5_ccache cc
= NULL
;
500 krb5_principal princ
= NULL
;
502 initialize_krb5_error_table();
503 if (krb5_init_context(&ctx
)) {
507 DEBUG(5,("kerberos_get_default_realm_from_ccache: "
508 "Trying to read krb5 cache: %s\n",
509 krb5_cc_default_name(ctx
)));
510 if (krb5_cc_default(ctx
, &cc
)) {
511 DEBUG(0,("kerberos_get_default_realm_from_ccache: "
512 "failed to read default cache\n"));
515 if (krb5_cc_get_principal(ctx
, cc
, &princ
)) {
516 DEBUG(0,("kerberos_get_default_realm_from_ccache: "
517 "failed to get default principal\n"));
521 #if defined(HAVE_KRB5_PRINCIPAL_GET_REALM)
522 realm
= SMB_STRDUP(krb5_principal_get_realm(ctx
, princ
));
523 #elif defined(HAVE_KRB5_PRINC_REALM)
524 realm
= SMB_STRDUP(krb5_princ_realm(ctx
, princ
)->data
);
530 krb5_free_principal(ctx
, princ
);
533 krb5_cc_close(ctx
, cc
);
536 krb5_free_context(ctx
);
543 /************************************************************************
544 Routine to get the salting principal for this service. This is
545 maintained for backwards compatibilty with releases prior to 3.0.24.
546 Since we store the salting principal string only at join, we may have
547 to look for the older tdb keys. Caller must free if return is not null.
548 ************************************************************************/
550 krb5_principal
kerberos_fetch_salt_princ_for_host_princ(krb5_context context
,
551 krb5_principal host_princ
,
554 char *unparsed_name
= NULL
, *salt_princ_s
= NULL
;
555 krb5_principal ret_princ
= NULL
;
557 /* lookup new key first */
559 if ( (salt_princ_s
= kerberos_secrets_fetch_des_salt()) == NULL
) {
561 /* look under the old key. If this fails, just use the standard key */
563 if (smb_krb5_unparse_name(context
, host_princ
, &unparsed_name
) != 0) {
564 return (krb5_principal
)NULL
;
566 if ((salt_princ_s
= kerberos_secrets_fetch_salting_principal(unparsed_name
, enctype
)) == NULL
) {
567 /* fall back to host/machine.realm@REALM */
568 salt_princ_s
= kerberos_standard_des_salt();
572 if (smb_krb5_parse_name(context
, salt_princ_s
, &ret_princ
) != 0) {
576 SAFE_FREE(unparsed_name
);
577 SAFE_FREE(salt_princ_s
);
582 /************************************************************************
583 Routine to set the salting principal for this service. Active
584 Directory may use a non-obvious principal name to generate the salt
585 when it determines the key to use for encrypting tickets for a service,
586 and hopefully we detected that when we joined the domain.
587 Setting principal to NULL deletes this entry.
588 ************************************************************************/
590 bool kerberos_secrets_store_salting_principal(const char *service
,
592 const char *principal
)
596 krb5_context context
= NULL
;
597 krb5_principal princ
= NULL
;
598 char *princ_s
= NULL
;
599 char *unparsed_name
= NULL
;
601 krb5_init_context(&context
);
605 if (strchr_m(service
, '@')) {
606 asprintf(&princ_s
, "%s", service
);
608 asprintf(&princ_s
, "%s@%s", service
, lp_realm());
611 if (smb_krb5_parse_name(context
, princ_s
, &princ
) != 0) {
615 if (smb_krb5_unparse_name(context
, princ
, &unparsed_name
) != 0) {
619 asprintf(&key
, "%s/%s/enctype=%d", SECRETS_SALTING_PRINCIPAL
, unparsed_name
, enctype
);
624 if ((principal
!= NULL
) && (strlen(principal
) > 0)) {
625 ret
= secrets_store(key
, principal
, strlen(principal
) + 1);
627 ret
= secrets_delete(key
);
634 SAFE_FREE(unparsed_name
);
637 krb5_free_context(context
);
644 /************************************************************************
645 ************************************************************************/
647 int kerberos_kinit_password(const char *principal
,
648 const char *password
,
650 const char *cache_name
)
652 return kerberos_kinit_password_ext(principal
,
664 /************************************************************************
665 Create a string list of available kdc's, possibly searching by sitename.
667 ************************************************************************/
669 static char *get_kdc_ip_string(char *mem_ctx
,
671 const char *sitename
,
672 struct sockaddr_storage
*pss
)
675 struct ip_service
*ip_srv_site
= NULL
;
676 struct ip_service
*ip_srv_nonsite
;
679 char *kdc_str
= talloc_asprintf(mem_ctx
, "\tkdc = %s\n",
680 print_canonical_sockaddr(mem_ctx
,
683 if (kdc_str
== NULL
) {
687 /* Get the KDC's only in this site. */
691 get_kdc_list(realm
, sitename
, &ip_srv_site
, &count_site
);
693 for (i
= 0; i
< count_site
; i
++) {
694 if (addr_equal(&ip_srv_site
[i
].ss
, pss
)) {
697 /* Append to the string - inefficient
698 * but not done often. */
699 kdc_str
= talloc_asprintf(mem_ctx
, "%s\tkdc = %s\n",
701 print_canonical_sockaddr(mem_ctx
,
702 &ip_srv_site
[i
].ss
));
704 SAFE_FREE(ip_srv_site
);
712 get_kdc_list(realm
, NULL
, &ip_srv_nonsite
, &count_nonsite
);
714 for (i
= 0; i
< count_nonsite
; i
++) {
717 if (addr_equal(&ip_srv_nonsite
[i
].ss
, pss
)) {
721 /* Ensure this isn't an IP already seen (YUK! this is n*n....) */
722 for (j
= 0; j
< count_site
; j
++) {
723 if (addr_equal(&ip_srv_nonsite
[i
].ss
,
724 &ip_srv_site
[j
].ss
)) {
727 /* As the lists are sorted we can break early if nonsite > site. */
728 if (ip_service_compare(&ip_srv_nonsite
[i
], &ip_srv_site
[j
]) > 0) {
736 /* Append to the string - inefficient but not done often. */
737 kdc_str
= talloc_asprintf(mem_ctx
, "%s\tkdc = %s\n",
739 print_canonical_sockaddr(mem_ctx
,
740 &ip_srv_nonsite
[i
].ss
));
742 SAFE_FREE(ip_srv_site
);
743 SAFE_FREE(ip_srv_nonsite
);
749 SAFE_FREE(ip_srv_site
);
750 SAFE_FREE(ip_srv_nonsite
);
752 DEBUG(10,("get_kdc_ip_string: Returning %s\n",
758 /************************************************************************
759 Create a specific krb5.conf file in the private directory pointing
760 at a specific kdc for a realm. Keyed off domain name. Sets
761 KRB5_CONFIG environment variable to point to this file. Must be
762 run as root or will fail (which is a good thing :-).
763 ************************************************************************/
765 bool create_local_private_krb5_conf_for_domain(const char *realm
,
767 const char *sitename
,
768 struct sockaddr_storage
*pss
)
770 char *dname
= talloc_asprintf(NULL
, "%s/smb_krb5", lp_lockdir());
771 char *tmpname
= NULL
;
773 char *file_contents
= NULL
;
774 char *kdc_ip_string
= NULL
;
778 char *realm_upper
= NULL
;
783 if ((mkdir(dname
, 0755)==-1) && (errno
!= EEXIST
)) {
784 DEBUG(0,("create_local_private_krb5_conf_for_domain: "
785 "failed to create directory %s. Error was %s\n",
786 dname
, strerror(errno
) ));
791 tmpname
= talloc_asprintf(dname
, "%s/smb_tmp_krb5.XXXXXX", lp_lockdir());
797 fname
= talloc_asprintf(dname
, "%s/krb5.conf.%s", dname
, domain
);
803 DEBUG(10,("create_local_private_krb5_conf_for_domain: fname = %s, realm = %s, domain = %s\n",
804 fname
, realm
, domain
));
806 realm_upper
= talloc_strdup(fname
, realm
);
807 strupper_m(realm_upper
);
809 kdc_ip_string
= get_kdc_ip_string(dname
, realm
, sitename
, pss
);
810 if (!kdc_ip_string
) {
815 file_contents
= talloc_asprintf(fname
, "[libdefaults]\n\tdefault_realm = %s\n\n"
816 "[realms]\n\t%s = {\n"
818 realm_upper
, realm_upper
, kdc_ip_string
);
820 if (!file_contents
) {
825 flen
= strlen(file_contents
);
827 fd
= smb_mkstemp(tmpname
);
829 DEBUG(0,("create_local_private_krb5_conf_for_domain: smb_mkstemp failed,"
830 " for file %s. Errno %s\n",
831 tmpname
, strerror(errno
) ));
834 if (fchmod(fd
, 0644)==-1) {
835 DEBUG(0,("create_local_private_krb5_conf_for_domain: fchmod failed for %s."
837 tmpname
, strerror(errno
) ));
844 ret
= write(fd
, file_contents
, flen
);
846 DEBUG(0,("create_local_private_krb5_conf_for_domain: write failed,"
847 " returned %d (should be %u). Errno %s\n",
848 (int)ret
, (unsigned int)flen
, strerror(errno
) ));
855 DEBUG(0,("create_local_private_krb5_conf_for_domain: close failed."
856 " Errno %s\n", strerror(errno
) ));
862 if (rename(tmpname
, fname
) == -1) {
863 DEBUG(0,("create_local_private_krb5_conf_for_domain: rename "
864 "of %s to %s failed. Errno %s\n",
865 tmpname
, fname
, strerror(errno
) ));
871 DEBUG(5,("create_local_private_krb5_conf_for_domain: wrote "
872 "file %s with realm %s KDC = %s\n",
873 fname
, realm_upper
, print_canonical_sockaddr(dname
, pss
) ));
875 /* Set the environment variable to this file. */
876 setenv("KRB5_CONFIG", fname
, 1);
878 #if defined(OVERWRITE_SYSTEM_KRB5_CONF)
880 #define SYSTEM_KRB5_CONF_PATH "/etc/krb5.conf"
881 /* Insanity, sheer insanity..... */
883 if (strequal(realm
, lp_realm())) {
884 char linkpath
[PATH_MAX
+1];
887 lret
= readlink(SYSTEM_KRB5_CONF_PATH
, linkpath
, sizeof(linkpath
)-1);
889 linkpath
[lret
] = '\0';
892 if (lret
!= -1 || strcmp(linkpath
, fname
) == 0) {
893 /* Symlink already exists. */
898 /* Try and replace with a symlink. */
899 if (symlink(fname
, SYSTEM_KRB5_CONF_PATH
) == -1) {
900 const char *newpath
= SYSTEM_KRB5_CONF_PATH
## ".saved";
901 if (errno
!= EEXIST
) {
902 DEBUG(0,("create_local_private_krb5_conf_for_domain: symlink "
903 "of %s to %s failed. Errno %s\n",
904 fname
, SYSTEM_KRB5_CONF_PATH
, strerror(errno
) ));
906 return True
; /* Not a fatal error. */
909 /* Yes, this is a race conditon... too bad. */
910 if (rename(SYSTEM_KRB5_CONF_PATH
, newpath
) == -1) {
911 DEBUG(0,("create_local_private_krb5_conf_for_domain: rename "
912 "of %s to %s failed. Errno %s\n",
913 SYSTEM_KRB5_CONF_PATH
, newpath
,
916 return True
; /* Not a fatal error. */
919 if (symlink(fname
, SYSTEM_KRB5_CONF_PATH
) == -1) {
920 DEBUG(0,("create_local_private_krb5_conf_for_domain: "
921 "forced symlink of %s to /etc/krb5.conf failed. Errno %s\n",
922 fname
, strerror(errno
) ));
924 return True
; /* Not a fatal error. */