2 Unix SMB/CIFS implementation.
3 krb5 set password implementation
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "libads/kerberos_proto.h"
24 #include "../lib/util/asn1.h"
28 /* Those are defined by kerberos-set-passwd-02.txt and are probably
29 * not supported by M$ implementation */
30 #define KRB5_KPASSWD_POLICY_REJECT 8
31 #define KRB5_KPASSWD_BAD_PRINCIPAL 9
32 #define KRB5_KPASSWD_ETYPE_NOSUPP 10
35 * we've got to be able to distinguish KRB_ERRORs from other
36 * requests - valid response for CHPW v2 replies.
39 static krb5_error_code
kpasswd_err_to_krb5_err(krb5_error_code res_code
)
42 case KRB5_KPASSWD_ACCESSDENIED
:
43 return KRB5KDC_ERR_BADOPTION
;
44 case KRB5_KPASSWD_INITIAL_FLAG_NEEDED
:
45 return KRB5KDC_ERR_BADOPTION
;
46 /* return KV5M_ALT_METHOD; MIT-only define */
47 case KRB5_KPASSWD_ETYPE_NOSUPP
:
48 return KRB5KDC_ERR_ETYPE_NOSUPP
;
49 case KRB5_KPASSWD_BAD_PRINCIPAL
:
50 return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
;
51 case KRB5_KPASSWD_POLICY_REJECT
:
52 case KRB5_KPASSWD_SOFTERROR
:
53 return KRB5KDC_ERR_POLICY
;
55 return KRB5KRB_ERR_GENERIC
;
59 ADS_STATUS
ads_krb5_set_password(const char *kdc_host
, const char *principal
,
60 const char *newpw
, int time_offset
)
64 krb5_error_code ret
= 0;
65 krb5_context context
= NULL
;
66 krb5_principal princ
= NULL
;
67 krb5_ccache ccache
= NULL
;
69 krb5_data result_code_string
= { 0 };
70 krb5_data result_string
= { 0 };
72 ret
= smb_krb5_init_context_common(&context
);
74 DBG_ERR("kerberos init context failed (%s)\n",
76 return ADS_ERROR_KRB5(ret
);
80 ret
= smb_krb5_parse_name(context
, principal
, &princ
);
82 krb5_free_context(context
);
83 DEBUG(1, ("Failed to parse %s (%s)\n", principal
,
85 return ADS_ERROR_KRB5(ret
);
89 if (time_offset
!= 0) {
90 krb5_set_real_time(context
, time(NULL
) + time_offset
, 0);
93 ret
= krb5_cc_default(context
, &ccache
);
95 krb5_free_principal(context
, princ
);
96 krb5_free_context(context
);
97 DEBUG(1,("Failed to get default creds (%s)\n", error_message(ret
)));
98 return ADS_ERROR_KRB5(ret
);
101 ret
= krb5_set_password_using_ccache(context
,
103 discard_const_p(char, newpw
),
109 DEBUG(1, ("krb5_set_password failed (%s)\n", error_message(ret
)));
110 aret
= ADS_ERROR_KRB5(ret
);
114 if (result_code
!= KRB5_KPASSWD_SUCCESS
) {
115 ret
= kpasswd_err_to_krb5_err(result_code
);
116 DEBUG(1, ("krb5_set_password failed (%s)\n", error_message(ret
)));
117 aret
= ADS_ERROR_KRB5(ret
);
124 smb_krb5_free_data_contents(context
, &result_code_string
);
125 smb_krb5_free_data_contents(context
, &result_string
);
126 krb5_free_principal(context
, princ
);
127 krb5_cc_close(context
, ccache
);
128 krb5_free_context(context
);
134 we use a prompter to avoid a crash bug in the kerberos libs when
135 dealing with empty passwords
136 this prompter is just a string copy ...
138 static krb5_error_code
139 kerb_prompter(krb5_context ctx
, void *data
,
143 krb5_prompt prompts
[])
145 if (num_prompts
== 0) return 0;
147 memset(prompts
[0].reply
->data
, 0, prompts
[0].reply
->length
);
148 if (prompts
[0].reply
->length
> 0) {
150 strncpy((char *)prompts
[0].reply
->data
,
152 prompts
[0].reply
->length
-1);
153 prompts
[0].reply
->length
= strlen((const char *)prompts
[0].reply
->data
);
155 prompts
[0].reply
->length
= 0;
161 static ADS_STATUS
ads_krb5_chg_password(const char *kdc_host
,
162 const char *principal
,
169 krb5_context context
= NULL
;
170 krb5_principal princ
;
171 krb5_get_init_creds_opt
*opts
= NULL
;
173 char *chpw_princ
= NULL
, *password
;
176 krb5_data result_code_string
= { 0 };
177 krb5_data result_string
= { 0 };
178 smb_krb5_addresses
*addr
= NULL
;
180 ret
= smb_krb5_init_context_common(&context
);
182 DBG_ERR("kerberos init context failed (%s)\n",
184 return ADS_ERROR_KRB5(ret
);
187 if ((ret
= smb_krb5_parse_name(context
, principal
, &princ
))) {
188 krb5_free_context(context
);
189 DEBUG(1,("Failed to parse %s (%s)\n", principal
, error_message(ret
)));
190 return ADS_ERROR_KRB5(ret
);
193 ret
= krb5_get_init_creds_opt_alloc(context
, &opts
);
195 krb5_free_context(context
);
196 DBG_WARNING("krb5_get_init_creds_opt_alloc failed: %s\n",
198 return ADS_ERROR_KRB5(ret
);
201 krb5_get_init_creds_opt_set_tkt_life(opts
, 5 * 60);
202 krb5_get_init_creds_opt_set_renew_life(opts
, 0);
203 krb5_get_init_creds_opt_set_forwardable(opts
, 0);
204 krb5_get_init_creds_opt_set_proxiable(opts
, 0);
205 #ifdef SAMBA4_USES_HEIMDAL
206 krb5_get_init_creds_opt_set_win2k(context
, opts
, true);
207 krb5_get_init_creds_opt_set_canonicalize(context
, opts
, true);
213 * Due to an upstream MIT Kerberos bug, this feature is not
214 * not working. Affection versions (2019-10-09): <= 1.17
217 * kinit -C aDmInIsTrAtOr@ACME.COM -S kadmin/changepw@ACME.COM
219 * This is NOT a problem if the service is a krbtgt.
221 * https://bugzilla.samba.org/show_bug.cgi?id=14155
223 krb5_get_init_creds_opt_set_canonicalize(opts
, true);
227 /* note that heimdal will fill in the local addresses if the addresses
228 * in the creds_init_opt are all empty and then later fail with invalid
229 * address, sending our local netbios krb5 address - just like windows
230 * - avoids this - gd */
231 ret
= smb_krb5_gen_netbios_krb5_address(&addr
, lp_netbios_name());
233 krb5_free_principal(context
, princ
);
234 krb5_get_init_creds_opt_free(context
, opts
);
235 krb5_free_context(context
);
236 return ADS_ERROR_KRB5(ret
);
238 krb5_get_init_creds_opt_set_address_list(opts
, addr
->addrs
);
240 realm
= smb_krb5_principal_get_realm(NULL
, context
, princ
);
242 /* We have to obtain an INITIAL changepw ticket for changing password */
243 if (asprintf(&chpw_princ
, "kadmin/changepw@%s", realm
) == -1) {
244 krb5_free_principal(context
, princ
);
245 krb5_get_init_creds_opt_free(context
, opts
);
246 smb_krb5_free_addresses(context
, addr
);
247 krb5_free_context(context
);
249 DEBUG(1, ("ads_krb5_chg_password: asprintf fail\n"));
250 return ADS_ERROR_NT(NT_STATUS_NO_MEMORY
);
254 password
= SMB_STRDUP(oldpw
);
255 ret
= krb5_get_init_creds_password(context
, &creds
, princ
, password
,
257 0, chpw_princ
, opts
);
258 krb5_get_init_creds_opt_free(context
, opts
);
259 smb_krb5_free_addresses(context
, addr
);
260 SAFE_FREE(chpw_princ
);
264 if (ret
== KRB5KRB_AP_ERR_BAD_INTEGRITY
) {
265 DEBUG(1,("Password incorrect while getting initial ticket\n"));
267 DEBUG(1,("krb5_get_init_creds_password failed (%s)\n", error_message(ret
)));
269 krb5_free_principal(context
, princ
);
270 krb5_free_context(context
);
271 return ADS_ERROR_KRB5(ret
);
274 ret
= krb5_set_password(context
,
276 discard_const_p(char, newpw
),
283 DEBUG(1, ("krb5_change_password failed (%s)\n", error_message(ret
)));
284 aret
= ADS_ERROR_KRB5(ret
);
288 if (result_code
!= KRB5_KPASSWD_SUCCESS
) {
289 ret
= kpasswd_err_to_krb5_err(result_code
);
290 DEBUG(1, ("krb5_change_password failed (%s)\n", error_message(ret
)));
291 aret
= ADS_ERROR_KRB5(ret
);
298 smb_krb5_free_data_contents(context
, &result_code_string
);
299 smb_krb5_free_data_contents(context
, &result_string
);
300 krb5_free_principal(context
, princ
);
301 krb5_free_context(context
);
306 ADS_STATUS
kerberos_set_password(const char *kpasswd_server
,
307 const char *auth_principal
,
308 const char *auth_password
,
309 const char *target_principal
,
310 const char *new_password
, int time_offset
)
314 if ((ret
= kerberos_kinit_password(auth_principal
, auth_password
, time_offset
, NULL
))) {
315 DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal
, error_message(ret
)));
316 return ADS_ERROR_KRB5(ret
);
319 if (!strcmp(auth_principal
, target_principal
)) {
320 return ads_krb5_chg_password(kpasswd_server
, target_principal
,
321 auth_password
, new_password
,
324 return ads_krb5_set_password(kpasswd_server
, target_principal
,
325 new_password
, time_offset
);