2010-01-26 11:56:16 -05:00
/*
Unix SMB / CIFS implementation .
PAC Glue between Samba and the KDC
Copyright ( C ) Andrew Bartlett < abartlet @ samba . org > 2005 - 2009
Copyright ( C ) Simo Sorce < idra @ samba . org > 2010
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 3 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program . If not , see < http : //www.gnu.org/licenses/>.
*/
# include "includes.h"
2010-11-11 14:09:41 +11:00
# include "kdc/kdc-glue.h"
2021-10-08 16:08:39 +13:00
# include "kdc/db-glue.h"
2010-01-26 11:56:16 -05:00
# include "kdc/pac-glue.h"
2021-10-08 16:08:39 +13:00
# include "sdb.h"
# include "sdb_hdb.h"
2021-10-01 16:14:37 +13:00
# include "librpc/gen_ndr/auth.h"
2022-02-21 19:25:06 +13:00
# include <krb5_locl.h>
2010-01-26 11:56:16 -05:00
2021-10-11 14:47:25 +02:00
static bool samba_wdc_is_s4u2self_req ( astgs_request_t r )
{
krb5_kdc_configuration * config = kdc_request_get_config ( ( kdc_request_t ) r ) ;
const KDC_REQ * req = kdc_request_get_req ( r ) ;
const PA_DATA * pa_for_user = NULL ;
if ( req - > msg_type ! = krb_tgs_req ) {
return false ;
}
if ( config - > enable_fast & & req - > padata ! = NULL ) {
const PA_DATA * pa_fx_fast = NULL ;
int idx = 0 ;
pa_fx_fast = krb5_find_padata ( req - > padata - > val ,
req - > padata - > len ,
KRB5_PADATA_FX_FAST ,
& idx ) ;
if ( pa_fx_fast ! = NULL ) {
/*
* We ' re in the outer request
* with KRB5_PADATA_FX_FAST
* if fast is enabled we ' ll
* process the s4u2self
* request only in the
* inner request .
*/
return false ;
}
}
if ( req - > padata ! = NULL ) {
int idx = 0 ;
pa_for_user = krb5_find_padata ( req - > padata - > val ,
req - > padata - > len ,
KRB5_PADATA_FOR_USER ,
& idx ) ;
}
if ( pa_for_user ! = NULL ) {
return true ;
}
return false ;
}
2016-05-20 09:48:41 +02:00
/*
* Given the right private pointer from hdb_samba4 ,
* get a PAC from the attached ldb messages .
*
* For PKINIT we also get pk_reply_key and can add PAC_CREDENTIAL_INFO .
*/
2022-02-24 21:31:52 +01:00
static krb5_error_code samba_wdc_get_pac ( void * priv ,
astgs_request_t r ,
2022-02-22 19:41:14 +13:00
hdb_entry * client ,
hdb_entry * server ,
2016-05-20 09:48:41 +02:00
const krb5_keyblock * pk_reply_key ,
2021-12-22 17:08:43 +13:00
uint64_t pac_attributes ,
2010-01-26 11:56:16 -05:00
krb5_pac * pac )
{
2022-02-24 21:31:52 +01:00
krb5_context context = kdc_request_get_context ( ( kdc_request_t ) r ) ;
2010-01-26 11:56:16 -05:00
TALLOC_CTX * mem_ctx ;
2016-05-12 23:20:39 +02:00
DATA_BLOB * logon_blob = NULL ;
DATA_BLOB * cred_ndr = NULL ;
DATA_BLOB * * cred_ndr_ptr = NULL ;
DATA_BLOB _cred_blob = data_blob_null ;
DATA_BLOB * cred_blob = NULL ;
2016-05-13 00:13:33 +02:00
DATA_BLOB * upn_blob = NULL ;
2021-10-26 20:41:31 +13:00
DATA_BLOB * pac_attrs_blob = NULL ;
2021-10-26 20:42:41 +13:00
DATA_BLOB * requester_sid_blob = NULL ;
2010-01-26 11:56:16 -05:00
krb5_error_code ret ;
NTSTATUS nt_status ;
2014-05-10 00:26:21 +02:00
struct samba_kdc_entry * skdc_entry =
2022-02-22 19:41:14 +13:00
talloc_get_type_abort ( client - > context ,
2014-05-10 00:26:21 +02:00
struct samba_kdc_entry ) ;
2021-11-23 19:38:35 +13:00
bool is_krbtgt ;
2010-01-26 11:56:16 -05:00
2022-02-22 19:41:14 +13:00
mem_ctx = talloc_named ( client - > context , 0 , " samba_get_pac context " ) ;
2010-01-26 11:56:16 -05:00
if ( ! mem_ctx ) {
return ENOMEM ;
}
2016-05-12 23:20:39 +02:00
if ( pk_reply_key ! = NULL ) {
cred_ndr_ptr = & cred_ndr ;
}
2022-02-22 19:41:14 +13:00
is_krbtgt = krb5_principal_is_krbtgt ( context , server - > principal ) ;
2021-11-23 19:38:35 +13:00
2016-05-12 23:20:39 +02:00
nt_status = samba_kdc_get_pac_blobs ( mem_ctx , skdc_entry ,
& logon_blob ,
2016-05-13 00:13:33 +02:00
cred_ndr_ptr ,
2021-10-26 20:41:31 +13:00
& upn_blob ,
2021-11-23 19:38:35 +13:00
is_krbtgt ? & pac_attrs_blob : NULL ,
2021-12-22 17:08:43 +13:00
pac_attributes ,
2022-03-18 11:13:40 +13:00
is_krbtgt ? & requester_sid_blob : NULL ) ;
2010-01-26 11:56:16 -05:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
talloc_free ( mem_ctx ) ;
return EINVAL ;
}
2016-05-12 23:20:39 +02:00
if ( pk_reply_key ! = NULL & & cred_ndr ! = NULL ) {
ret = samba_kdc_encrypt_pac_credentials ( context ,
pk_reply_key ,
cred_ndr ,
mem_ctx ,
& _cred_blob ) ;
if ( ret ! = 0 ) {
talloc_free ( mem_ctx ) ;
return ret ;
}
cred_blob = & _cred_blob ;
}
2021-10-07 15:12:35 +02:00
ret = krb5_pac_init ( context , pac ) ;
if ( ret ! = 0 ) {
talloc_free ( mem_ctx ) ;
return ret ;
}
2016-05-12 23:20:39 +02:00
ret = samba_make_krb5_pac ( context , logon_blob , cred_blob ,
2021-10-26 20:41:31 +13:00
upn_blob , pac_attrs_blob ,
2021-10-07 15:12:35 +02:00
requester_sid_blob , NULL , * pac ) ;
2010-01-26 11:56:16 -05:00
talloc_free ( mem_ctx ) ;
return ret ;
}
2021-10-11 14:47:25 +02:00
static krb5_error_code samba_wdc_reget_pac2 ( astgs_request_t r ,
2021-10-08 16:08:39 +13:00
const krb5_principal delegated_proxy_principal ,
2022-02-22 19:41:14 +13:00
hdb_entry * client ,
hdb_entry * server ,
hdb_entry * krbtgt ,
2021-10-08 16:08:39 +13:00
krb5_pac * pac ,
krb5_cksumtype ctype )
2010-01-26 11:56:16 -05:00
{
2021-10-11 14:47:25 +02:00
krb5_context context = kdc_request_get_context ( ( kdc_request_t ) r ) ;
2022-03-07 10:41:41 +01:00
struct samba_kdc_entry * client_skdc_entry = NULL ;
2021-10-18 16:00:45 +13:00
struct samba_kdc_entry * server_skdc_entry =
2022-03-07 10:41:41 +01:00
talloc_get_type_abort ( server - > context , struct samba_kdc_entry ) ;
2014-05-10 00:49:44 +02:00
struct samba_kdc_entry * krbtgt_skdc_entry =
2022-03-07 10:41:41 +01:00
talloc_get_type_abort ( krbtgt - > context , struct samba_kdc_entry ) ;
TALLOC_CTX * mem_ctx = NULL ;
2016-01-07 17:25:26 +01:00
krb5_pac new_pac = NULL ;
2010-01-26 11:56:16 -05:00
krb5_error_code ret ;
2021-10-11 14:47:25 +02:00
bool is_s4u2self = samba_wdc_is_s4u2self_req ( r ) ;
2022-03-07 10:41:41 +01:00
bool is_in_db = false ;
bool is_untrusted = false ;
uint32_t flags = 0 ;
2010-01-26 11:56:16 -05:00
2022-03-07 10:41:41 +01:00
mem_ctx = talloc_named ( NULL , 0 , " samba_kdc_reget_pac2 context " ) ;
if ( mem_ctx = = NULL ) {
2010-01-26 11:56:16 -05:00
return ENOMEM ;
}
2021-08-09 17:20:31 +02:00
if ( client ! = NULL ) {
2022-02-22 19:41:14 +13:00
client_skdc_entry = talloc_get_type_abort ( client - > context ,
2021-08-09 17:20:31 +02:00
struct samba_kdc_entry ) ;
}
2021-10-01 16:14:37 +13:00
/*
* If the krbtgt was generated by an RODC , and we are not that
2010-09-28 13:13:28 +10:00
* RODC , then we need to regenerate the PAC - we can ' t trust
2021-10-01 16:14:37 +13:00
* it , and confirm that the RODC was permitted to print this ticket
*
* Becasue of the samba_kdc_validate_pac_blob ( ) step we can be
* sure that the record in ' client ' matches the SID in the
* original PAC .
*/
2014-05-10 00:49:44 +02:00
ret = samba_krbtgt_is_in_db ( krbtgt_skdc_entry , & is_in_db , & is_untrusted ) ;
2012-01-11 18:06:55 +11:00
if ( ret ! = 0 ) {
2022-03-07 10:41:41 +01:00
goto out ;
2012-01-11 18:06:55 +11:00
}
2021-10-11 14:47:25 +02:00
if ( is_s4u2self ) {
flags | = SAMBA_KDC_FLAG_PROTOCOL_TRANSITION ;
}
2021-10-08 16:08:39 +13:00
if ( delegated_proxy_principal ! = NULL ) {
krb5_enctype etype ;
Key * key = NULL ;
if ( ! is_in_db ) {
/*
* The RODC - issued PAC was signed by a KDC entry that we
* don ' t have a key for . The server signature is not
* trustworthy , since it could have been created by the
* server we got the ticket from . We must not proceed as
* otherwise the ticket signature is unchecked .
*/
2022-03-07 10:41:41 +01:00
ret = HDB_ERR_NOT_FOUND_HERE ;
goto out ;
2021-10-08 16:08:39 +13:00
}
/* Fetch the correct key depending on the checksum type. */
if ( ctype = = CKSUMTYPE_HMAC_MD5 ) {
etype = ENCTYPE_ARCFOUR_HMAC ;
} else {
ret = krb5_cksumtype_to_enctype ( context ,
ctype ,
& etype ) ;
if ( ret ! = 0 ) {
2022-03-07 10:41:41 +01:00
goto out ;
2021-10-08 16:08:39 +13:00
}
}
2022-02-22 19:41:14 +13:00
ret = hdb_enctype2key ( context , krbtgt , NULL , etype , & key ) ;
2021-10-08 16:08:39 +13:00
if ( ret ! = 0 ) {
2022-03-07 10:41:41 +01:00
goto out ;
2021-10-08 16:08:39 +13:00
}
/* Check the KDC and ticket signatures. */
ret = krb5_pac_verify ( context ,
* pac ,
0 ,
NULL ,
NULL ,
& key - > key ) ;
if ( ret ! = 0 ) {
DEBUG ( 1 , ( " PAC KDC signature failed to verify \n " ) ) ;
2022-03-07 10:41:41 +01:00
goto out ;
2021-10-08 16:08:39 +13:00
}
2022-03-07 10:41:41 +01:00
flags | = SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION ;
2021-10-08 16:08:39 +13:00
}
2012-01-11 18:06:55 +11:00
if ( is_untrusted ) {
2022-03-07 10:41:41 +01:00
flags | = SAMBA_KDC_FLAG_KRBTGT_IS_UNTRUSTED ;
2016-01-07 17:25:26 +01:00
}
2010-01-26 11:56:16 -05:00
2022-03-07 10:41:41 +01:00
if ( is_in_db ) {
flags | = SAMBA_KDC_FLAG_KRBTGT_IN_DB ;
2016-01-07 17:25:26 +01:00
}
ret = krb5_pac_init ( context , & new_pac ) ;
if ( ret ! = 0 ) {
2021-10-18 16:00:45 +13:00
new_pac = NULL ;
goto out ;
2016-01-07 17:25:26 +01:00
}
2022-03-07 10:41:41 +01:00
ret = samba_kdc_update_pac ( mem_ctx ,
context ,
krbtgt_skdc_entry - > kdc_db_ctx - > samdb ,
flags ,
client_skdc_entry ,
server - > principal ,
server_skdc_entry ,
krbtgt_skdc_entry ,
delegated_proxy_principal ,
* pac ,
new_pac ) ;
if ( ret ! = 0 ) {
krb5_pac_free ( context , new_pac ) ;
if ( ret = = ENODATA ) {
krb5_pac_free ( context , * pac ) ;
* pac = NULL ;
ret = 0 ;
2016-01-07 17:25:26 +01:00
}
2022-03-07 10:41:41 +01:00
goto out ;
2016-01-07 17:25:26 +01:00
}
2022-03-07 10:41:41 +01:00
/* Replace the pac */
2016-01-07 17:25:26 +01:00
krb5_pac_free ( context , * pac ) ;
* pac = new_pac ;
2010-01-26 11:56:16 -05:00
2022-03-07 10:41:41 +01:00
out :
2010-01-26 11:56:16 -05:00
talloc_free ( mem_ctx ) ;
return ret ;
}
2021-10-08 16:08:39 +13:00
/* Resign (and reform, including possibly new groups) a PAC */
2022-02-24 21:31:52 +01:00
static krb5_error_code samba_wdc_reget_pac ( void * priv , astgs_request_t r ,
2021-10-08 16:08:39 +13:00
const krb5_principal client_principal ,
const krb5_principal delegated_proxy_principal ,
2022-02-22 19:41:14 +13:00
hdb_entry * client ,
hdb_entry * server ,
hdb_entry * krbtgt ,
2021-10-08 16:08:39 +13:00
krb5_pac * pac )
{
2022-02-24 21:31:52 +01:00
krb5_context context = kdc_request_get_context ( ( kdc_request_t ) r ) ;
krb5_kdc_configuration * config = kdc_request_get_config ( ( kdc_request_t ) r ) ;
2021-10-08 16:08:39 +13:00
struct samba_kdc_entry * krbtgt_skdc_entry =
2022-02-22 19:41:14 +13:00
talloc_get_type_abort ( krbtgt - > context ,
2021-10-08 16:08:39 +13:00
struct samba_kdc_entry ) ;
krb5_error_code ret ;
krb5_cksumtype ctype = CKSUMTYPE_NONE ;
2022-02-22 19:41:14 +13:00
hdb_entry signing_krbtgt_hdb ;
2021-10-08 16:08:39 +13:00
if ( delegated_proxy_principal ) {
uint16_t rodc_id ;
unsigned int my_krbtgt_number ;
/*
* We ' re using delegated_proxy_principal for the moment to
* indicate cases where the ticket was encrypted with the server
* key , and not a krbtgt key . This cannot be trusted , so we need
* to find a krbtgt key that signs the PAC in order to trust the
* ticket .
*
* The krbtgt passed in to this function refers to the krbtgt
* used to decrypt the ticket of the server requesting
* S4U2Proxy .
*
* When we implement service ticket renewal , we need to check
* the PAC , and this will need to be updated .
*/
ret = krb5_pac_get_kdc_checksum_info ( context ,
* pac ,
& ctype ,
& rodc_id ) ;
if ( ret ! = 0 ) {
DEBUG ( 1 , ( " Failed to get PAC checksum info \n " ) ) ;
return ret ;
}
/*
* We need to check the KDC and ticket signatures , fetching the
* correct key based on the enctype .
*/
my_krbtgt_number = krbtgt_skdc_entry - > kdc_db_ctx - > my_krbtgt_number ;
if ( my_krbtgt_number ! = 0 ) {
/*
* If we are an RODC , and we are not the KDC that signed
* the evidence ticket , then we need to proxy the
* request .
*/
if ( rodc_id ! = my_krbtgt_number ) {
return HDB_ERR_NOT_FOUND_HERE ;
}
} else {
/*
* If we are a DC , the ticket may have been signed by a
* different KDC than the one that issued the header
* ticket .
*/
2022-02-22 19:41:14 +13:00
if ( rodc_id ! = krbtgt - > kvno > > 16 ) {
2022-03-23 04:17:01 +01:00
struct sdb_entry signing_krbtgt_sdb ;
2021-10-08 16:08:39 +13:00
/*
* If we didn ' t sign the ticket , then return an
* error .
*/
if ( rodc_id ! = 0 ) {
return KRB5KRB_AP_ERR_MODIFIED ;
}
/*
* Fetch our key from the database . To support
* key rollover , we ' re going to need to try
* multiple keys by trial and error . For now ,
* krbtgt keys aren ' t assumed to change .
*/
ret = samba_kdc_fetch ( context ,
krbtgt_skdc_entry - > kdc_db_ctx ,
2022-02-22 19:41:14 +13:00
krbtgt - > principal ,
2021-10-08 16:08:39 +13:00
SDB_F_GET_KRBTGT | SDB_F_CANON ,
0 ,
2022-03-23 04:17:01 +01:00
& signing_krbtgt_sdb ) ;
2021-10-08 16:08:39 +13:00
if ( ret ! = 0 ) {
return ret ;
}
2022-03-23 03:57:38 +01:00
ret = sdb_entry_to_hdb_entry ( context ,
2022-03-23 04:17:01 +01:00
& signing_krbtgt_sdb ,
2022-03-23 03:57:38 +01:00
& signing_krbtgt_hdb ) ;
2022-03-23 04:17:01 +01:00
sdb_entry_free ( & signing_krbtgt_sdb ) ;
2021-10-08 16:08:39 +13:00
if ( ret ! = 0 ) {
return ret ;
}
/*
* Replace the krbtgt entry with our own entry
* for further processing .
*/
krbtgt = & signing_krbtgt_hdb ;
}
}
}
2021-10-11 14:47:25 +02:00
ret = samba_wdc_reget_pac2 ( r ,
2021-10-08 16:08:39 +13:00
delegated_proxy_principal ,
client ,
server ,
krbtgt ,
pac ,
ctype ) ;
if ( krbtgt = = & signing_krbtgt_hdb ) {
2022-02-22 19:41:14 +13:00
hdb_free_entry ( context , config - > db [ 0 ] , & signing_krbtgt_hdb ) ;
2021-10-08 16:08:39 +13:00
}
return ret ;
}
2010-01-31 12:49:07 -05:00
static char * get_netbios_name ( TALLOC_CTX * mem_ctx , HostAddresses * addrs )
{
char * nb_name = NULL ;
2010-04-11 23:22:01 +02:00
size_t len ;
unsigned int i ;
2010-01-31 12:49:07 -05:00
for ( i = 0 ; addrs & & i < addrs - > len ; i + + ) {
if ( addrs - > val [ i ] . addr_type ! = KRB5_ADDRESS_NETBIOS ) {
continue ;
}
len = MIN ( addrs - > val [ i ] . address . length , 15 ) ;
nb_name = talloc_strndup ( mem_ctx ,
addrs - > val [ i ] . address . data , len ) ;
if ( nb_name ) {
break ;
}
}
2012-08-13 20:17:20 +02:00
if ( ( nb_name = = NULL ) | | ( nb_name [ 0 ] = = ' \0 ' ) ) {
2010-01-31 12:49:07 -05:00
return NULL ;
}
/* Strip space padding */
2012-08-13 20:17:20 +02:00
for ( len = strlen ( nb_name ) - 1 ;
( len > 0 ) & & ( nb_name [ len ] = = ' ' ) ;
- - len ) {
nb_name [ len ] = ' \0 ' ;
2010-01-31 12:49:07 -05:00
}
return nb_name ;
}
2014-05-15 09:13:06 +02:00
/* this function allocates 'data' using malloc.
* The caller is responsible for freeing it */
2015-05-20 14:12:59 +02:00
static void samba_kdc_build_edata_reply ( NTSTATUS nt_status , krb5_data * e_data )
2014-05-15 09:13:06 +02:00
{
2014-05-15 09:13:06 +02:00
e_data - > data = malloc ( 12 ) ;
if ( e_data - > data = = NULL ) {
2014-05-15 09:13:06 +02:00
e_data - > length = 0 ;
e_data - > data = NULL ;
return ;
}
2014-05-15 09:13:06 +02:00
e_data - > length = 12 ;
2014-05-15 09:13:06 +02:00
2014-05-15 09:13:06 +02:00
SIVAL ( e_data - > data , 0 , NT_STATUS_V ( nt_status ) ) ;
SIVAL ( e_data - > data , 4 , 0 ) ;
SIVAL ( e_data - > data , 8 , 1 ) ;
2014-05-15 09:13:06 +02:00
return ;
}
2010-01-26 11:56:16 -05:00
static krb5_error_code samba_wdc_check_client_access ( void * priv ,
2021-12-24 16:58:22 +13:00
astgs_request_t r )
2010-01-26 11:56:16 -05:00
{
2010-01-31 12:49:07 -05:00
struct samba_kdc_entry * kdc_entry ;
2010-01-26 11:56:16 -05:00
bool password_change ;
2010-01-31 12:49:07 -05:00
char * workstation ;
NTSTATUS nt_status ;
2010-01-26 11:56:16 -05:00
2022-02-23 09:53:27 +13:00
kdc_entry = talloc_get_type ( kdc_request_get_client ( r ) - > context , struct samba_kdc_entry ) ;
password_change = ( kdc_request_get_server ( r ) & & kdc_request_get_server ( r ) - > flags . change_pw ) ;
workstation = get_netbios_name ( ( TALLOC_CTX * ) kdc_request_get_client ( r ) - > context ,
kdc_request_get_req ( r ) - > req_body . addresses ) ;
2010-01-26 11:56:16 -05:00
2010-01-31 12:49:07 -05:00
nt_status = samba_kdc_check_client_access ( kdc_entry ,
2022-02-23 09:53:27 +13:00
kdc_request_get_cname ( ( kdc_request_t ) r ) ,
2010-01-31 12:49:07 -05:00
workstation ,
password_change ) ;
2010-01-26 11:56:16 -05:00
2010-01-31 12:49:07 -05:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
if ( NT_STATUS_EQUAL ( nt_status , NT_STATUS_NO_MEMORY ) ) {
return ENOMEM ;
2010-01-26 11:56:16 -05:00
}
2022-02-23 09:53:27 +13:00
if ( kdc_request_get_rep ( r ) - > padata ) {
2015-05-20 14:12:59 +02:00
int ret ;
krb5_data kd ;
2010-01-26 11:56:16 -05:00
2015-05-20 14:12:59 +02:00
samba_kdc_build_edata_reply ( nt_status , & kd ) ;
2022-02-23 09:53:27 +13:00
ret = krb5_padata_add ( kdc_request_get_context ( ( kdc_request_t ) r ) , kdc_request_get_rep ( r ) - > padata ,
2015-05-20 14:12:59 +02:00
KRB5_PADATA_PW_SALT ,
kd . data , kd . length ) ;
if ( ret ! = 0 ) {
/*
* So we do not leak the allocated
2022-03-07 13:15:08 +01:00
* memory on kd in the error case
2015-05-20 14:12:59 +02:00
*/
krb5_data_free ( & kd ) ;
}
2010-01-31 12:49:07 -05:00
}
2010-01-26 11:56:16 -05:00
2010-01-31 12:49:07 -05:00
return samba_kdc_map_policy_err ( nt_status ) ;
2010-01-26 11:56:16 -05:00
}
2010-01-31 12:49:07 -05:00
/* Now do the standard Heimdal check */
2021-06-23 12:08:34 +12:00
return KRB5_PLUGIN_NO_HANDLE ;
2010-01-26 11:56:16 -05:00
}
2021-12-24 16:59:42 +13:00
/* this function allocates 'data' using malloc.
* The caller is responsible for freeing it */
static krb5_error_code samba_kdc_build_supported_etypes ( uint32_t supported_etypes ,
krb5_data * e_data )
{
e_data - > data = malloc ( 4 ) ;
if ( e_data - > data = = NULL ) {
return ENOMEM ;
}
e_data - > length = 4 ;
PUSH_LE_U32 ( e_data - > data , 0 , supported_etypes ) ;
return 0 ;
}
static krb5_error_code samba_wdc_finalize_reply ( void * priv ,
astgs_request_t r )
{
struct samba_kdc_entry * server_kdc_entry ;
uint32_t supported_enctypes ;
2022-02-23 09:53:27 +13:00
server_kdc_entry = talloc_get_type ( kdc_request_get_server ( r ) - > context , struct samba_kdc_entry ) ;
2021-12-24 16:59:42 +13:00
/*
* If the canonicalize flag is set , add PA - SUPPORTED - ENCTYPES padata
* type to indicate what encryption types the server supports .
*/
supported_enctypes = server_kdc_entry - > supported_enctypes ;
2022-02-23 09:53:27 +13:00
if ( kdc_request_get_req ( r ) - > req_body . kdc_options . canonicalize & & supported_enctypes ! = 0 ) {
2021-12-24 16:59:42 +13:00
krb5_error_code ret ;
2022-02-23 09:53:27 +13:00
PA_DATA md ;
2021-12-24 16:59:42 +13:00
2022-02-23 09:53:27 +13:00
ret = samba_kdc_build_supported_etypes ( supported_enctypes , & md . padata_value ) ;
2021-12-24 16:59:42 +13:00
if ( ret ! = 0 ) {
return ret ;
}
2022-02-23 09:53:27 +13:00
md . padata_type = KRB5_PADATA_SUPPORTED_ETYPES ;
ret = kdc_request_add_encrypted_padata ( r , & md ) ;
2021-12-24 16:59:42 +13:00
if ( ret ! = 0 ) {
/*
* So we do not leak the allocated
* memory on kd in the error case
*/
2022-02-23 09:53:27 +13:00
krb5_data_free ( & md . padata_value ) ;
2021-12-24 16:59:42 +13:00
}
}
return 0 ;
}
2010-01-26 11:56:16 -05:00
static krb5_error_code samba_wdc_plugin_init ( krb5_context context , void * * ptr )
{
* ptr = NULL ;
return 0 ;
}
static void samba_wdc_plugin_fini ( void * ptr )
{
return ;
}
2022-02-21 19:25:06 +13:00
static krb5_error_code samba_wdc_referral_policy ( void * priv ,
astgs_request_t r )
{
2022-02-23 09:53:27 +13:00
return kdc_request_get_error_code ( ( kdc_request_t ) r ) ;
2022-02-21 19:25:06 +13:00
}
2022-02-22 14:39:13 +13:00
struct krb5plugin_kdc_ftable kdc_plugin_table = {
2022-02-22 19:41:14 +13:00
. minor_version = KRB5_PLUGIN_KDC_VERSION_10 ,
2010-01-26 11:56:16 -05:00
. init = samba_wdc_plugin_init ,
. fini = samba_wdc_plugin_fini ,
. pac_verify = samba_wdc_reget_pac ,
. client_access = samba_wdc_check_client_access ,
2021-12-24 16:59:42 +13:00
. finalize_reply = samba_wdc_finalize_reply ,
2021-12-02 11:34:24 +13:00
. pac_generate = samba_wdc_get_pac ,
2022-02-21 19:25:06 +13:00
. referral_policy = samba_wdc_referral_policy ,
2010-01-26 11:56:16 -05:00
} ;
