2011-06-28 20:01:22 +04:00
/*
2003-09-07 20:36:13 +04:00
* Unix SMB / CIFS implementation .
* Generate AFS tickets
* Copyright ( C ) Volker Lendecke 2003
*
* This program is free software ; you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
2007-07-09 23:25:36 +04:00
* the Free Software Foundation ; either version 3 of the License , or
2003-09-07 20:36:13 +04:00
* ( at your option ) any later version .
2011-06-28 20:01:22 +04:00
*
2003-09-07 20:36:13 +04:00
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
2011-06-28 20:01:22 +04:00
*
2003-09-07 20:36:13 +04:00
* You should have received a copy of the GNU General Public License
2007-07-10 09:23:25 +04:00
* along with this program ; if not , see < http : //www.gnu.org/licenses/>.
2003-09-07 20:36:13 +04:00
*/
# include "includes.h"
2014-04-15 00:11:12 +04:00
# include "lib/afs/afs_funcs.h"
2003-09-07 20:36:13 +04:00
# ifdef WITH_FAKE_KASERVER
2005-10-14 02:11:18 +04:00
# define NO_ASN1_TYPEDEFS 1
2011-07-15 17:27:07 +04:00
# include "secrets.h"
# include "passdb.h"
# include "auth.h"
# include "../librpc/gen_ndr/ndr_netlogon.h"
2014-04-15 00:35:21 +04:00
# include "lib/afs/afs_settoken.h"
2011-07-15 17:27:07 +04:00
2009-05-04 00:13:36 +04:00
# include <afs/param.h>
2003-09-07 20:36:13 +04:00
# include <afs/stds.h>
# include <afs/auth.h>
# include <afs/venus.h>
# include <asm/unistd.h>
# include <openssl/des.h>
struct ClearToken {
uint32 AuthHandle ;
char HandShakeKey [ 8 ] ;
uint32 ViceId ;
uint32 BeginTimestamp ;
uint32 EndTimestamp ;
} ;
2004-04-01 16:31:50 +04:00
static char * afs_encode_token ( const char * cell , const DATA_BLOB ticket ,
const struct ClearToken * ct )
{
char * base64_ticket ;
2008-01-19 04:12:35 +03:00
char * result = NULL ;
2004-04-01 16:31:50 +04:00
DATA_BLOB key = data_blob ( ct - > HandShakeKey , 8 ) ;
char * base64_key ;
2008-01-19 04:12:35 +03:00
TALLOC_CTX * mem_ctx ;
2004-04-01 16:31:50 +04:00
2008-01-19 14:27:31 +03:00
mem_ctx = talloc_stackframe ( ) ;
2008-01-19 04:12:35 +03:00
if ( mem_ctx = = NULL )
goto done ;
base64_ticket = base64_encode_data_blob ( mem_ctx , ticket ) ;
2004-04-01 16:31:50 +04:00
if ( base64_ticket = = NULL )
2008-01-19 04:12:35 +03:00
goto done ;
2004-04-01 16:31:50 +04:00
2008-01-19 04:12:35 +03:00
base64_key = base64_encode_data_blob ( mem_ctx , key ) ;
if ( base64_key = = NULL )
goto done ;
2004-04-01 16:31:50 +04:00
asprintf ( & result , " %s \n %u \n %s \n %u \n %u \n %u \n %s \n " , cell ,
ct - > AuthHandle , base64_key , ct - > ViceId , ct - > BeginTimestamp ,
ct - > EndTimestamp , base64_ticket ) ;
DEBUG ( 10 , ( " Got ticket string: \n %s \n " , result ) ) ;
2008-01-19 04:12:35 +03:00
done :
TALLOC_FREE ( mem_ctx ) ;
2004-04-01 16:31:50 +04:00
return result ;
}
/* Create a ClearToken and an encrypted ticket. ClearToken has not yet the
* ViceId set , this should be set by the caller . */
2003-09-23 18:52:21 +04:00
2007-10-19 04:40:25 +04:00
static bool afs_createtoken ( const char * username , const char * cell ,
2004-04-01 16:31:50 +04:00
DATA_BLOB * ticket , struct ClearToken * ct )
{
fstring clear_ticket ;
char * p = clear_ticket ;
uint32 len ;
uint32 now ;
struct afs_key key ;
des_key_schedule key_schedule ;
2003-09-07 20:36:13 +04:00
2014-04-15 00:11:12 +04:00
if ( ! secrets_init ( ) )
2011-07-15 17:35:18 +04:00
return false ;
2003-09-07 20:36:13 +04:00
2003-09-23 18:52:21 +04:00
if ( ! secrets_fetch_afs_key ( cell , & key ) ) {
2004-04-01 16:31:50 +04:00
DEBUG ( 1 , ( " Could not fetch AFS service key \n " ) ) ;
2011-07-15 17:35:18 +04:00
return false ;
2003-09-07 20:36:13 +04:00
}
2004-04-01 16:31:50 +04:00
ct - > AuthHandle = key . kvno ;
2003-09-07 20:36:13 +04:00
/* Build the ticket. This is going to be encrypted, so in our
2014-04-15 00:11:12 +04:00
way we fill in ct while we still have the unencrypted
form . */
2003-09-07 20:36:13 +04:00
2004-04-01 16:31:50 +04:00
p = clear_ticket ;
2003-09-07 20:36:13 +04:00
/* The byte-order */
* p = 1 ;
p + = 1 ;
/* "Alice", the client username */
2004-04-01 16:31:50 +04:00
strncpy ( p , username , sizeof ( clear_ticket ) - PTR_DIFF ( p , clear_ticket ) - 1 ) ;
2003-09-07 20:36:13 +04:00
p + = strlen ( p ) + 1 ;
2004-04-01 16:31:50 +04:00
strncpy ( p , " " , sizeof ( clear_ticket ) - PTR_DIFF ( p , clear_ticket ) - 1 ) ;
2003-09-07 20:36:13 +04:00
p + = strlen ( p ) + 1 ;
2004-04-01 16:31:50 +04:00
strncpy ( p , cell , sizeof ( clear_ticket ) - PTR_DIFF ( p , clear_ticket ) - 1 ) ;
2003-09-07 20:36:13 +04:00
p + = strlen ( p ) + 1 ;
/* Alice's network layer address. At least Openafs-1.2.10
2014-04-15 00:11:12 +04:00
ignores this , so we fill in a dummy value here . */
2003-09-07 20:36:13 +04:00
SIVAL ( p , 0 , 0 ) ;
p + = 4 ;
/* We need to create a session key */
2011-07-15 17:30:14 +04:00
generate_random_buffer ( ( uint8_t * ) p , 8 ) ;
2003-09-07 20:36:13 +04:00
/* Our client code needs the the key in the clear, it does not
2014-04-15 00:11:12 +04:00
know the server - key . . . */
2004-04-01 16:31:50 +04:00
memcpy ( ct - > HandShakeKey , p , 8 ) ;
2003-09-07 20:36:13 +04:00
p + = 8 ;
2004-12-17 12:35:54 +03:00
/* This is a kerberos 4 life time. The life time is expressed
* in units of 5 minute intervals up to 38400 seconds , after
* that a table is used up to lifetime 0xBF . Values between
* 0xC0 and 0xFF is undefined . 0xFF is defined to be the
* infinite time that never expire .
*
* So here we cheat and use the infinite time */
2003-09-07 20:36:13 +04:00
* p = 255 ;
p + = 1 ;
/* Ticket creation time */
now = time ( NULL ) ;
SIVAL ( p , 0 , now ) ;
2004-04-01 16:31:50 +04:00
ct - > BeginTimestamp = now ;
2003-09-07 20:36:13 +04:00
2004-12-17 14:42:10 +03:00
if ( lp_afs_token_lifetime ( ) = = 0 )
ct - > EndTimestamp = NEVERDATE ;
else
ct - > EndTimestamp = now + lp_afs_token_lifetime ( ) ;
2004-04-01 16:31:50 +04:00
if ( ( ( ct - > EndTimestamp - ct - > BeginTimestamp ) & 1 ) = = 1 ) {
ct - > BeginTimestamp + = 1 ; /* Lifetime must be even */
2003-09-07 20:36:13 +04:00
}
p + = 4 ;
/* And here comes Bob's name and instance, in this case the
2014-04-15 00:11:12 +04:00
AFS server . */
2004-04-01 16:31:50 +04:00
strncpy ( p , " afs " , sizeof ( clear_ticket ) - PTR_DIFF ( p , clear_ticket ) - 1 ) ;
2003-09-07 20:36:13 +04:00
p + = strlen ( p ) + 1 ;
2004-04-01 16:31:50 +04:00
strncpy ( p , " " , sizeof ( clear_ticket ) - PTR_DIFF ( p , clear_ticket ) - 1 ) ;
2003-09-07 20:36:13 +04:00
p + = strlen ( p ) + 1 ;
/* And zero-pad to a multiple of 8 bytes */
2004-04-01 16:31:50 +04:00
len = PTR_DIFF ( p , clear_ticket ) ;
2003-09-07 20:36:13 +04:00
if ( len & 7 ) {
uint32 extra_space = 8 - ( len & 7 ) ;
memset ( p , 0 , extra_space ) ;
p + = extra_space ;
}
2004-04-01 16:31:50 +04:00
len = PTR_DIFF ( p , clear_ticket ) ;
2003-09-07 20:36:13 +04:00
des_key_sched ( ( const_des_cblock * ) key . key , key_schedule ) ;
2011-07-15 17:30:14 +04:00
des_pcbc_encrypt ( ( const unsigned char * ) clear_ticket ,
( unsigned char * ) clear_ticket ,
2003-09-07 20:36:13 +04:00
len , key_schedule , ( C_Block * ) key . key , 1 ) ;
ZERO_STRUCT ( key ) ;
2004-04-01 16:31:50 +04:00
* ticket = data_blob ( clear_ticket , len ) ;
2011-07-15 17:35:18 +04:00
return true ;
2004-04-01 16:31:50 +04:00
}
char * afs_createtoken_str ( const char * username , const char * cell )
{
DATA_BLOB ticket ;
struct ClearToken ct ;
char * result ;
if ( ! afs_createtoken ( username , cell , & ticket , & ct ) )
return NULL ;
result = afs_encode_token ( cell , ticket , & ct ) ;
data_blob_free ( & ticket ) ;
return result ;
}
/*
This routine takes a radical approach completely bypassing the
Kerberos idea of security and using AFS simply as an intelligent
file backend . Samba has persuaded itself somehow that the user is
actually correctly identified and then we create a ticket that the
AFS server hopefully accepts using its KeyFile that the admin has
kindly stored to our secrets . tdb .
Thanks to the book " Network Security -- PRIVATE Communication in a
PUBLIC World " by Charlie Kaufman, Radia Perlman and Mike Speciner
Kerberos 4 tickets are not really hard to construct .
For the comments " Alice " is the User to be auth ' ed , and " Bob " is the
AFS server . */
2007-10-19 04:40:25 +04:00
bool afs_login ( connection_struct * conn )
2004-04-01 16:31:50 +04:00
{
2019-11-07 13:01:05 +03:00
const struct loadparm_substitution * lp_sub =
loadparm_s3_global_substitution ( ) ;
2004-04-01 16:31:50 +04:00
DATA_BLOB ticket ;
2007-11-16 01:19:52 +03:00
char * afs_username = NULL ;
char * cell = NULL ;
2007-10-19 04:40:25 +04:00
bool result ;
2007-11-16 01:19:52 +03:00
char * ticket_str = NULL ;
2010-05-21 05:25:01 +04:00
const struct dom_sid * user_sid ;
2007-12-07 23:26:32 +03:00
TALLOC_CTX * ctx = talloc_tos ( ) ;
2018-12-08 17:18:38 +03:00
struct dom_sid_buf buf ;
2004-04-01 16:31:50 +04:00
struct ClearToken ct ;
2007-12-07 23:26:32 +03:00
afs_username = talloc_strdup ( ctx ,
lp_afs_username_map ( ) ) ;
if ( ! afs_username ) {
return false ;
}
afs_username = talloc_sub_advanced ( ctx ,
2019-11-07 13:01:05 +03:00
lp_servicename ( ctx , lp_sub , SNUM ( conn ) ) ,
2011-07-15 17:27:07 +04:00
conn - > session_info - > unix_info - > unix_name ,
conn - > connectpath ,
conn - > session_info - > unix_token - > gid ,
2011-07-15 09:55:31 +04:00
conn - > session_info - > unix_info - > sanitized_username ,
2011-07-15 17:27:07 +04:00
conn - > session_info - > info - > domain_name ,
2007-12-07 23:26:32 +03:00
afs_username ) ;
if ( ! afs_username ) {
return false ;
}
2004-04-01 16:31:50 +04:00
2022-12-16 02:08:41 +03:00
user_sid = & conn - > session_info - > security_token - > sids [ PRIMARY_USER_SID_INDEX ] ;
2007-11-16 01:19:52 +03:00
afs_username = talloc_string_sub ( talloc_tos ( ) ,
2007-12-07 23:26:32 +03:00
afs_username ,
2007-11-16 01:19:52 +03:00
" %s " ,
2018-12-08 17:18:38 +03:00
dom_sid_str_buf ( user_sid , & buf ) ) ;
2007-11-16 01:19:52 +03:00
if ( ! afs_username ) {
return false ;
}
2005-02-11 13:32:46 +03:00
2004-04-01 16:31:50 +04:00
/* The pts command always generates completely lower-case user
* names . */
2012-08-09 04:01:00 +04:00
if ( ! strlower_m ( afs_username ) ) {
return false ;
}
2004-04-01 16:31:50 +04:00
cell = strchr ( afs_username , ' @ ' ) ;
if ( cell = = NULL ) {
DEBUG ( 1 , ( " AFS username doesn't contain a @, "
" could not find cell \n " ) ) ;
2007-11-16 01:19:52 +03:00
return false ;
2004-04-01 16:31:50 +04:00
}
* cell = ' \0 ' ;
cell + = 1 ;
2007-11-16 01:19:52 +03:00
DEBUG ( 10 , ( " Trying to log into AFS for user %s@%s \n " ,
2004-04-01 16:31:50 +04:00
afs_username , cell ) ) ;
if ( ! afs_createtoken ( afs_username , cell , & ticket , & ct ) )
2011-07-15 17:35:18 +04:00
return false ;
2004-04-01 16:31:50 +04:00
/* For which Unix-UID do we want to set the token? */
ct . ViceId = getuid ( ) ;
2004-05-02 16:13:16 +04:00
ticket_str = afs_encode_token ( cell , ticket , & ct ) ;
2004-04-01 16:31:50 +04:00
2004-05-02 16:13:16 +04:00
result = afs_settoken_str ( ticket_str ) ;
2004-04-01 16:31:50 +04:00
2004-05-02 16:13:16 +04:00
SAFE_FREE ( ticket_str ) ;
2004-04-01 16:31:50 +04:00
data_blob_free ( & ticket ) ;
return result ;
2003-09-07 20:36:13 +04:00
}
# else
2007-10-19 04:40:25 +04:00
bool afs_login ( connection_struct * conn )
2003-09-07 20:36:13 +04:00
{
2011-07-15 17:35:18 +04:00
return true ;
2003-09-07 20:36:13 +04:00
}
2004-04-01 16:31:50 +04:00
char * afs_createtoken_str ( const char * username , const char * cell )
{
2008-05-14 11:02:22 +04:00
return NULL ;
2004-04-01 16:31:50 +04:00
}
2003-09-07 20:36:13 +04:00
# endif /* WITH_FAKE_KASERVER */