sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-06 13:18:07 +03:00
Code
9567d753ac
samba-mirror/source4/kdc/db-glue.h

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

118 lines
3.8 KiB
C
Raw Normal View History

s4:kdc move db functions in their own file Keep all heimdal related plugin code within hdb_samba4.c Move interfaces needed by multiple plugins in db-glue.c Move sequence context in main db context so that we do not depend on db->hdb_dbc in the common code. Remove unnecessary paremeters from function prototypes
2010-01-28 09:27:11 +03:00
/*
Unix SMB/CIFS implementation.
Database Glue between Samba and the KDC
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
Copyright (C) Simo Sorce <idra@samba.org> 2010
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
s4:kdc: only pass sdb_keys to samba_kdc_set_fixed_keys() This prepares the removal of sdb_entry_ex. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-22 20:09:33 +03:00
struct sdb_keys;
s4:kdc: samba_kdc_fetch() only needs sdb_entry sdb_entry_ex will be removed shortly. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-23 05:43:25 +03:00
struct sdb_entry;
s4-kdc: Use sdb in db-glue and hdb-samba4 Guenther Pair-Programmed-With: Andreas Schneider <asn@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Thu Jul 30 13:29:27 CEST 2015 on sn-devel-104
2014-05-08 19:13:04 +04:00
s4:kdc: Expose samba_kdc_message2entry_keys() This allows the KDC to share the supplementalCredentials parsing code with other parts of Samba that could use it. Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Thu Mar 24 10:17:32 UTC 2022 on sn-devel-184
2022-03-08 12:49:31 +03:00
struct samba_kdc_base_context;
struct samba_kdc_db_context;
struct samba_kdc_entry;
enum samba_kdc_ent_type {
SAMBA_KDC_ENT_TYPE_CLIENT,
SAMBA_KDC_ENT_TYPE_SERVER,
SAMBA_KDC_ENT_TYPE_KRBTGT,
SAMBA_KDC_ENT_TYPE_TRUST,
SAMBA_KDC_ENT_TYPE_ANY
};
/*
* This allows DSDB to parse Kerberos keys without duplicating this
* difficulty
*/
krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
TALLOC_CTX *mem_ctx,
s4:kdc: Pass ldb context into samba_kdc_message2entry_keys() This ldb context can be used to query the current gMSA time. Signed-off-by: Jo Sutton <josutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-15 05:39:45 +03:00
struct ldb_context *ldb,
s4:kdc: Expose samba_kdc_message2entry_keys() This allows the KDC to share the supplementalCredentials parsing code with other parts of Samba that could use it. Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Thu Mar 24 10:17:32 UTC 2022 on sn-devel-184
2022-03-08 12:49:31 +03:00
const struct ldb_message *msg,
bool is_krbtgt,
bool is_rodc,
uint32_t userAccountControl,
enum samba_kdc_ent_type ent_type,
unsigned flags,
krb5_kvno requested_kvno,
struct sdb_entry *entry,
const uint32_t supported_enctypes_in,
uint32_t *supported_enctypes_out);
s4:kdc/hdb: Store and retrieve a FX-COOKIE value Note Windows uses the string "MICROSOFT" as cookie, so it's wrong to have a per DC cookie, but we need to adjust the Heimdal logic to support that. NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN! Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-09-20 05:24:11 +03:00
int samba_kdc_set_fixed_keys(krb5_context context,
const struct ldb_val *secretbuffer,
s4:kdc: Pass supported enctypes to samba_kdc_set_fixed_keys() Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
2022-03-22 23:47:53 +03:00
uint32_t supported_enctypes,
s4:kdc: only pass sdb_keys to samba_kdc_set_fixed_keys() This prepares the removal of sdb_entry_ex. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-22 20:09:33 +03:00
struct sdb_keys *keys);
s4:kdc/hdb: Store and retrieve a FX-COOKIE value Note Windows uses the string "MICROSOFT" as cookie, so it's wrong to have a per DC cookie, but we need to adjust the Heimdal logic to support that. NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN! Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-09-20 05:24:11 +03:00
s4:kdc move db functions in their own file Keep all heimdal related plugin code within hdb_samba4.c Move interfaces needed by multiple plugins in db-glue.c Move sequence context in main db context so that we do not depend on db->hdb_dbc in the common code. Remove unnecessary paremeters from function prototypes
2010-01-28 09:27:11 +03:00
krb5_error_code samba_kdc_fetch(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
krb5_const_principal principal,
unsigned flags,
s4/kdc - fix a warning regarding a changed parameter type (kvno) Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Fri Dec 3 23:56:15 CET 2010 on sn-devel-104
2010-12-04 01:06:53 +03:00
krb5_kvno kvno,
s4:kdc: samba_kdc_fetch() only needs sdb_entry sdb_entry_ex will be removed shortly. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-23 05:43:25 +03:00
struct sdb_entry *entry);
s4:kdc move db functions in their own file Keep all heimdal related plugin code within hdb_samba4.c Move interfaces needed by multiple plugins in db-glue.c Move sequence context in main db context so that we do not depend on db->hdb_dbc in the common code. Remove unnecessary paremeters from function prototypes
2010-01-28 09:27:11 +03:00
krb5_error_code samba_kdc_firstkey(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
s4:libnet: Pass SDB_F_ADMIN_DATA flag through to samba_kdc_message2entry() This will allow us to specify whether to specify this flag for a keytab export. Signed-off-by: Jo Sutton <josutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-24 04:45:08 +03:00
const unsigned sdb_flags,
s4:kdc: samba_kdc_{first,next}key() only need sdb_entry sdb_entry_ex will be removed shortly. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-23 05:43:25 +03:00
struct sdb_entry *entry);
s4:kdc move db functions in their own file Keep all heimdal related plugin code within hdb_samba4.c Move interfaces needed by multiple plugins in db-glue.c Move sequence context in main db context so that we do not depend on db->hdb_dbc in the common code. Remove unnecessary paremeters from function prototypes
2010-01-28 09:27:11 +03:00
krb5_error_code samba_kdc_nextkey(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
s4:libnet: Pass SDB_F_ADMIN_DATA flag through to samba_kdc_message2entry() This will allow us to specify whether to specify this flag for a keytab export. Signed-off-by: Jo Sutton <josutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-24 04:45:08 +03:00
const unsigned sdb_flags,
s4:kdc: samba_kdc_{first,next}key() only need sdb_entry sdb_entry_ex will be removed shortly. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-23 05:43:25 +03:00
struct sdb_entry *entry);
s4:kdc move db functions in their own file Keep all heimdal related plugin code within hdb_samba4.c Move interfaces needed by multiple plugins in db-glue.c Move sequence context in main db context so that we do not depend on db->hdb_dbc in the common code. Remove unnecessary paremeters from function prototypes
2010-01-28 09:27:11 +03:00
krb5_error_code
s4:kdc: Update to match updated Heimdal's new HDB version Including updates to hook into the improved hdb_auth_status by Stefan Metzmacher <metze@samba.org> from his Heimdal upgrade branch. NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN! Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2016-01-08 04:08:18 +03:00
samba_kdc_check_client_matches_target_service(krb5_context context,
CVE-2020-25719 kdc: Avoid races and multiple DB lookups in s4u2self check Looking up the DB twice is subject to a race and is a poor use of resources, so instead just pass in the record we already got when trying to confirm that the server in S4U2Self is the same as the requesting client. The client record has already been bound to the the original client by the SID check in the PAC. Likewise by looking up server only once we ensure that the keys looked up originally are in the record we confirm the SID for here. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-10-07 22:29:51 +03:00
struct samba_kdc_entry *skdc_entry_client,
struct samba_kdc_entry *skdc_entry_server_target);
s4:kdc move db functions in their own file Keep all heimdal related plugin code within hdb_samba4.c Move interfaces needed by multiple plugins in db-glue.c Move sequence context in main db context so that we do not depend on db->hdb_dbc in the common code. Remove unnecessary paremeters from function prototypes
2010-01-28 09:27:11 +03:00
krb5_error_code
samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
s4-kdc/db_glue: pass down only a samba_kdc_entry to samba_kdc_check_pkinit_ms_upn_match(). Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-05-09 16:56:22 +04:00
struct samba_kdc_entry *skdc_entry,
s4:kdc move db functions in their own file Keep all heimdal related plugin code within hdb_samba4.c Move interfaces needed by multiple plugins in db-glue.c Move sequence context in main db context so that we do not depend on db->hdb_dbc in the common code. Remove unnecessary paremeters from function prototypes
2010-01-28 09:27:11 +03:00
krb5_const_principal certificate_principal);
s4-kdc Add common setup, handle RODC setup case This means we just set up the system_session etc in one place and don't diverge between the MIT and Heimdal plugins. We also now determine if we are an RODC and store some details that we will need later. Andrew Bartlett
2010-09-28 07:05:37 +04:00
s4:kdc: split s4u2self and s4u2proxy checks metze
2011-04-07 13:16:55 +04:00
krb5_error_code
samba_kdc_check_s4u2proxy(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
s4-kdc/db_glue: pass down only a samba_kdc_entry to samba_kdc_check_s4u2proxy(). Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-05-09 16:58:08 +04:00
struct samba_kdc_entry *skdc_entry,
s4:kdc: split s4u2self and s4u2proxy checks metze
2011-04-07 13:16:55 +04:00
krb5_const_principal target_principal);
s4:kdc: Implement samba_kdc_check_s4u2proxy_rbcd() This will be used by the MIT KDB plugin in the next commits. A security descriptor created by Windows looks like this: security_descriptor: struct security_descriptor revision : SECURITY_DESCRIPTOR_REVISION_1 (1) type : 0x8004 (32772) 0: SEC_DESC_OWNER_DEFAULTED 0: SEC_DESC_GROUP_DEFAULTED 1: SEC_DESC_DACL_PRESENT 0: SEC_DESC_DACL_DEFAULTED 0: SEC_DESC_SACL_PRESENT 0: SEC_DESC_SACL_DEFAULTED 0: SEC_DESC_DACL_TRUSTED 0: SEC_DESC_SERVER_SECURITY 0: SEC_DESC_DACL_AUTO_INHERIT_REQ 0: SEC_DESC_SACL_AUTO_INHERIT_REQ 0: SEC_DESC_DACL_AUTO_INHERITED 0: SEC_DESC_SACL_AUTO_INHERITED 0: SEC_DESC_DACL_PROTECTED 0: SEC_DESC_SACL_PROTECTED 0: SEC_DESC_RM_CONTROL_VALID 1: SEC_DESC_SELF_RELATIVE owner_sid : * owner_sid : S-1-5-32-544 group_sid : NULL sacl : NULL dacl : * dacl: struct security_acl revision : SECURITY_ACL_REVISION_ADS (4) size : 0x002c (44) num_aces : 0x00000001 (1) aces: ARRAY(1) aces: struct security_ace type : SEC_ACE_TYPE_ACCESS_ALLOWED (0) flags : 0x00 (0) 0: SEC_ACE_FLAG_OBJECT_INHERIT 0: SEC_ACE_FLAG_CONTAINER_INHERIT 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0: SEC_ACE_FLAG_INHERIT_ONLY 0: SEC_ACE_FLAG_INHERITED_ACE 0x00: SEC_ACE_FLAG_VALID_INHERIT (0) 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS 0: SEC_ACE_FLAG_FAILED_ACCESS size : 0x0024 (36) access_mask : 0x000f01ff (983551) object : union security_ace_object_ctr(case 0) trustee : S-1-5-21-3001743926-1909451141-602466370-1108 Created with the following powershell code: $host1 = Get-ADComputer -Identity ServerA $host2 = Get-ADComputer -Identity ServerB Set-ADComputer $host2 -PrincipalsAllowedToDelegateToAccount $host1 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-12-14 13:16:12 +03:00
krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
krb5_const_principal client_principal,
krb5_const_principal server_principal,
s4:kdc: Factor creation of user_info_dc out of samba_kdc_check_s4u2proxy_rbcd() into its callers Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 05:12:30 +03:00
const struct auth_user_info_dc *user_info_dc,
s4:kdc: Pass claims and device info into samba_kdc_check_s4u2proxy_rbcd() Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-10-10 05:38:29 +03:00
const struct auth_user_info_dc *device_info_dc,
const struct auth_claims auth_claims,
s4:kdc: Implement samba_kdc_check_s4u2proxy_rbcd() This will be used by the MIT KDB plugin in the next commits. A security descriptor created by Windows looks like this: security_descriptor: struct security_descriptor revision : SECURITY_DESCRIPTOR_REVISION_1 (1) type : 0x8004 (32772) 0: SEC_DESC_OWNER_DEFAULTED 0: SEC_DESC_GROUP_DEFAULTED 1: SEC_DESC_DACL_PRESENT 0: SEC_DESC_DACL_DEFAULTED 0: SEC_DESC_SACL_PRESENT 0: SEC_DESC_SACL_DEFAULTED 0: SEC_DESC_DACL_TRUSTED 0: SEC_DESC_SERVER_SECURITY 0: SEC_DESC_DACL_AUTO_INHERIT_REQ 0: SEC_DESC_SACL_AUTO_INHERIT_REQ 0: SEC_DESC_DACL_AUTO_INHERITED 0: SEC_DESC_SACL_AUTO_INHERITED 0: SEC_DESC_DACL_PROTECTED 0: SEC_DESC_SACL_PROTECTED 0: SEC_DESC_RM_CONTROL_VALID 1: SEC_DESC_SELF_RELATIVE owner_sid : * owner_sid : S-1-5-32-544 group_sid : NULL sacl : NULL dacl : * dacl: struct security_acl revision : SECURITY_ACL_REVISION_ADS (4) size : 0x002c (44) num_aces : 0x00000001 (1) aces: ARRAY(1) aces: struct security_ace type : SEC_ACE_TYPE_ACCESS_ALLOWED (0) flags : 0x00 (0) 0: SEC_ACE_FLAG_OBJECT_INHERIT 0: SEC_ACE_FLAG_CONTAINER_INHERIT 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT 0: SEC_ACE_FLAG_INHERIT_ONLY 0: SEC_ACE_FLAG_INHERITED_ACE 0x00: SEC_ACE_FLAG_VALID_INHERIT (0) 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS 0: SEC_ACE_FLAG_FAILED_ACCESS size : 0x0024 (36) access_mask : 0x000f01ff (983551) object : union security_ace_object_ctr(case 0) trustee : S-1-5-21-3001743926-1909451141-602466370-1108 Created with the following powershell code: $host1 = Get-ADComputer -Identity ServerA $host2 = Get-ADComputer -Identity ServerB Set-ADComputer $host2 -PrincipalsAllowedToDelegateToAccount $host1 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-12-14 13:16:12 +03:00
struct samba_kdc_entry *proxy_skdc_entry);
s4-kdc Add common setup, handle RODC setup case This means we just set up the system_session etc in one place and don't diverge between the MIT and Heimdal plugins. We also now determine if we are an RODC and store some details that we will need later. Andrew Bartlett
2010-09-28 07:05:37 +04:00
NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_context *base_ctx,
struct samba_kdc_db_context **kdc_db_ctx_out);
s4:kdc: Add helper function to extract AES256 key and salt Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-05-18 11:12:36 +03:00
krb5_error_code dsdb_extract_aes_256_key(krb5_context context,
TALLOC_CTX *mem_ctx,
s4:kdc: Pass ldb context into samba_kdc_message2entry_keys() This ldb context can be used to query the current gMSA time. Signed-off-by: Jo Sutton <josutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-15 05:39:45 +03:00
struct ldb_context *ldb,
s4:kdc: Add helper function to extract AES256 key and salt Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-05-18 11:12:36 +03:00
const struct ldb_message *msg,
uint32_t user_account_control,
const uint32_t *kvno,
uint32_t *kvno_out,
DATA_BLOB *aes_256_key,
DATA_BLOB *salt);
Copy Permalink