2014-05-12 12:49:24 +04:00
/*
Unix SMB / CIFS implementation .
Samba KDB plugin for MIT Kerberos
Copyright ( c ) 2010 Simo Sorce < idra @ samba . org > .
2021-07-12 15:00:19 +03:00
Copyright ( c ) 2014 - 2021 Andreas Schneider < asn @ samba . org >
2014-05-12 12:49:24 +04:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 3 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program . If not , see < http : //www.gnu.org/licenses/>.
*/
2021-11-23 09:43:05 +03:00
# include "lib/replace/replace.h"
# include "lib/replace/system/kerberos.h"
# include "lib/util/data_blob.h"
# include "lib/util/debug.h"
# include "lib/util/fault.h"
# include "lib/util/memory.h"
2014-05-12 12:49:24 +04:00
# include <profile.h>
# include <kdb.h>
# include "kdc/mit_samba.h"
# include "kdb_samba.h"
2021-07-14 13:49:11 +03:00
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_KERBEROS
2014-05-12 12:49:24 +04:00
/* FIXME: This is a krb5 function which is exported, but in no header */
extern krb5_error_code decode_krb5_padata_sequence ( const krb5_data * output ,
krb5_pa_data * * * rep ) ;
static krb5_error_code ks_get_netbios_name ( krb5_address * * addrs , char * * name )
{
char * nb_name = NULL ;
int len , i ;
for ( i = 0 ; addrs [ i ] ; i + + ) {
if ( addrs [ i ] - > addrtype ! = ADDRTYPE_NETBIOS ) {
continue ;
}
len = MIN ( addrs [ i ] - > length , 15 ) ;
nb_name = strndup ( ( const char * ) addrs [ i ] - > contents , len ) ;
if ( ! nb_name ) {
return ENOMEM ;
}
break ;
}
if ( nb_name ) {
/* Strip space padding */
i = strlen ( nb_name ) - 1 ;
for ( i = strlen ( nb_name ) - 1 ;
i > 0 & & nb_name [ i ] = = ' ' ;
i - - ) {
nb_name [ i ] = ' \0 ' ;
}
}
* name = nb_name ;
return 0 ;
}
krb5_error_code kdb_samba_db_check_policy_as ( krb5_context context ,
krb5_kdc_req * kdcreq ,
krb5_db_entry * client ,
krb5_db_entry * server ,
krb5_timestamp kdc_time ,
const char * * status ,
krb5_pa_data * * * e_data_out )
{
struct mit_samba_context * mit_ctx ;
krb5_error_code code ;
char * client_name = NULL ;
char * server_name = NULL ;
char * netbios_name = NULL ;
char * realm = NULL ;
bool password_change = false ;
2018-08-18 00:40:30 +03:00
krb5_const_principal client_princ ;
2014-05-12 12:49:24 +04:00
DATA_BLOB int_data = { NULL , 0 } ;
krb5_data d ;
krb5_pa_data * * e_data ;
mit_ctx = ks_get_context ( context ) ;
if ( mit_ctx = = NULL ) {
return KRB5_KDB_DBNOTINITED ;
}
2018-08-18 00:40:30 +03:00
/* Prefer canonicalised name from client entry */
client_princ = client ? client - > princ : kdcreq - > client ;
if ( client_princ = = NULL | | ks_is_kadmin ( context , client_princ ) ) {
2014-08-06 17:32:13 +04:00
return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN ;
}
2014-05-12 12:49:24 +04:00
if ( krb5_princ_size ( context , kdcreq - > server ) = = 2 & &
ks_is_kadmin_changepw ( context , kdcreq - > server ) ) {
code = krb5_get_default_realm ( context , & realm ) ;
if ( code ) {
goto done ;
}
if ( ks_data_eq_string ( kdcreq - > server - > realm , realm ) ) {
password_change = true ;
}
}
code = krb5_unparse_name ( context , kdcreq - > server , & server_name ) ;
if ( code ) {
goto done ;
}
2018-08-18 00:40:30 +03:00
code = krb5_unparse_name ( context , client_princ , & client_name ) ;
2014-05-12 12:49:24 +04:00
if ( code ) {
goto done ;
}
if ( kdcreq - > addresses ) {
code = ks_get_netbios_name ( kdcreq - > addresses , & netbios_name ) ;
if ( code ) {
goto done ;
}
}
code = mit_samba_check_client_access ( mit_ctx ,
client ,
client_name ,
server ,
server_name ,
netbios_name ,
password_change ,
& int_data ) ;
2014-05-15 11:05:25 +04:00
if ( int_data . length & & int_data . data ) {
2014-05-12 12:49:24 +04:00
2014-05-15 11:05:25 +04:00
/* make sure the mapped return code is returned - gd */
int code_tmp ;
2014-05-12 12:49:24 +04:00
2014-05-15 11:05:25 +04:00
d = ks_make_data ( int_data . data , int_data . length ) ;
code_tmp = decode_krb5_padata_sequence ( & d , & e_data ) ;
if ( code_tmp = = 0 ) {
* e_data_out = e_data ;
}
}
2014-05-12 12:49:24 +04:00
done :
free ( realm ) ;
free ( server_name ) ;
free ( client_name ) ;
free ( netbios_name ) ;
return code ;
}
static krb5_error_code ks_get_pac ( krb5_context context ,
krb5_db_entry * client ,
2021-12-13 10:33:05 +03:00
krb5_db_entry * server ,
2016-09-29 03:04:00 +03:00
krb5_keyblock * client_key ,
2014-05-12 12:49:24 +04:00
krb5_pac * pac )
{
struct mit_samba_context * mit_ctx ;
krb5_error_code code ;
mit_ctx = ks_get_context ( context ) ;
if ( mit_ctx = = NULL ) {
return KRB5_KDB_DBNOTINITED ;
}
2016-09-29 03:04:00 +03:00
code = mit_samba_get_pac ( mit_ctx ,
context ,
client ,
2021-12-13 10:33:05 +03:00
server ,
2016-09-29 03:04:00 +03:00
client_key ,
pac ) ;
2014-05-12 12:49:24 +04:00
if ( code ! = 0 ) {
return code ;
}
return code ;
}
2021-10-04 12:53:55 +03:00
# if KRB5_KDB_DAL_MAJOR_VERSION < 9
2014-05-12 12:49:24 +04:00
static krb5_error_code ks_verify_pac ( krb5_context context ,
unsigned int flags ,
krb5_const_principal client_princ ,
krb5_db_entry * client ,
2016-09-30 08:43:47 +03:00
krb5_db_entry * server ,
krb5_db_entry * krbtgt ,
2014-05-12 12:49:24 +04:00
krb5_keyblock * server_key ,
krb5_keyblock * krbtgt_key ,
krb5_timestamp authtime ,
krb5_authdata * * tgt_auth_data ,
krb5_pac * pac )
{
struct mit_samba_context * mit_ctx ;
krb5_authdata * * authdata = NULL ;
krb5_pac ipac = NULL ;
DATA_BLOB logon_data = { NULL , 0 } ;
krb5_error_code code ;
mit_ctx = ks_get_context ( context ) ;
if ( mit_ctx = = NULL ) {
return KRB5_KDB_DBNOTINITED ;
}
/* find the existing PAC, if present */
code = krb5_find_authdata ( context ,
tgt_auth_data ,
NULL ,
KRB5_AUTHDATA_WIN2K_PAC ,
& authdata ) ;
if ( code ! = 0 ) {
return code ;
}
/* no pac data */
if ( authdata = = NULL ) {
return 0 ;
}
SMB_ASSERT ( authdata [ 0 ] ! = NULL ) ;
if ( authdata [ 1 ] ! = NULL ) {
code = KRB5KDC_ERR_BADOPTION ; /* XXX */
goto done ;
}
code = krb5_pac_parse ( context ,
authdata [ 0 ] - > contents ,
authdata [ 0 ] - > length ,
& ipac ) ;
if ( code ! = 0 ) {
goto done ;
}
/* TODO: verify this is correct
*
* In the constrained delegation case , the PAC is from a service
* ticket rather than a TGT ; we must verify the server and KDC
* signatures to assert that the server did not forge the PAC .
*/
if ( flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION ) {
code = krb5_pac_verify ( context ,
ipac ,
authtime ,
client_princ ,
server_key ,
krbtgt_key ) ;
} else {
code = krb5_pac_verify ( context ,
ipac ,
authtime ,
client_princ ,
krbtgt_key ,
NULL ) ;
}
if ( code ! = 0 ) {
goto done ;
}
/* check and update PAC */
2016-09-30 08:43:47 +03:00
code = krb5_pac_parse ( context ,
authdata [ 0 ] - > contents ,
authdata [ 0 ] - > length ,
pac ) ;
2014-05-12 12:49:24 +04:00
if ( code ! = 0 ) {
goto done ;
}
2016-09-30 08:43:47 +03:00
code = mit_samba_reget_pac ( mit_ctx ,
context ,
flags ,
client_princ ,
client ,
server ,
krbtgt ,
krbtgt_key ,
pac ) ;
2014-05-12 12:49:24 +04:00
done :
krb5_free_authdata ( context , authdata ) ;
krb5_pac_free ( context , ipac ) ;
free ( logon_data . data ) ;
return code ;
}
2019-09-16 16:40:12 +03:00
krb5_error_code kdb_samba_db_sign_auth_data ( krb5_context context ,
unsigned int flags ,
krb5_const_principal client_princ ,
krb5_const_principal server_princ ,
krb5_db_entry * client ,
krb5_db_entry * server ,
krb5_db_entry * krbtgt ,
krb5_db_entry * local_krbtgt ,
krb5_keyblock * client_key ,
krb5_keyblock * server_key ,
krb5_keyblock * krbtgt_key ,
krb5_keyblock * local_krbtgt_key ,
krb5_keyblock * session_key ,
krb5_timestamp authtime ,
krb5_authdata * * tgt_auth_data ,
void * authdata_info ,
krb5_data * * * auth_indicators ,
krb5_authdata * * * signed_auth_data )
2021-07-15 09:48:37 +03:00
{
2021-07-12 12:20:29 +03:00
krb5_const_principal ks_client_princ = NULL ;
krb5_db_entry * client_entry = NULL ;
2021-07-12 15:00:19 +03:00
krb5_authdata * * pac_auth_data = NULL ;
2014-05-12 12:49:24 +04:00
krb5_authdata * * authdata = NULL ;
krb5_boolean is_as_req ;
krb5_error_code code ;
krb5_pac pac = NULL ;
krb5_data pac_data ;
2021-07-12 15:00:19 +03:00
bool with_pac = false ;
bool generate_pac = false ;
char * client_name = NULL ;
2014-05-12 12:49:24 +04:00
2019-09-16 16:40:12 +03:00
krbtgt = krbtgt = = NULL ? local_krbtgt : krbtgt ;
krbtgt_key = krbtgt_key = = NULL ? local_krbtgt_key : krbtgt_key ;
2020-02-01 00:34:21 +03:00
/* FIXME: We don't support S4U yet */
if ( flags & KRB5_KDB_FLAGS_S4U ) {
return KRB5_KDB_DBTYPE_NOSUP ;
}
2014-05-12 12:49:24 +04:00
is_as_req = ( ( flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY ) ! = 0 ) ;
2021-07-12 12:20:29 +03:00
/*
* When using s4u2proxy client_princ actually refers to the proxied user
* while client - > princ to the proxy service asking for the TGS on behalf
* of the proxied user . So always use client_princ in preference .
*
* Note that when client principal is not NULL , client entry might be
* NULL for cross - realm case , so we need to make sure to not
* dereference NULL pointer here .
*/
if ( client_princ ! = NULL ) {
ks_client_princ = client_princ ;
if ( ! is_as_req ) {
krb5_boolean is_equal = false ;
if ( client ! = NULL & & client - > princ ! = NULL ) {
is_equal =
krb5_principal_compare ( context ,
client_princ ,
client - > princ ) ;
}
/*
* When client principal is the same as supplied client
* entry , don ' t fetch it .
*/
if ( ! is_equal ) {
code = ks_get_principal ( context ,
ks_client_princ ,
0 ,
& client_entry ) ;
if ( code ! = 0 ) {
( void ) krb5_unparse_name ( context ,
ks_client_princ ,
& client_name ) ;
DBG_DEBUG ( " We didn't find the client "
" principal [%s] in our "
" database. \n " ,
client_name ) ;
SAFE_FREE ( client_name ) ;
/*
* If we didn ' t find client_princ in our
* database it might be from another
* realm .
*/
client_entry = NULL ;
}
}
}
} else {
if ( client = = NULL ) {
* signed_auth_data = NULL ;
return 0 ;
}
ks_client_princ = client - > princ ;
}
if ( client_entry = = NULL ) {
client_entry = client ;
}
2021-07-12 15:00:19 +03:00
if ( is_as_req ) {
with_pac = mit_samba_princ_needs_pac ( client_entry ) ;
} else {
with_pac = mit_samba_princ_needs_pac ( server ) ;
}
code = krb5_unparse_name ( context ,
client_princ ,
& client_name ) ;
if ( code ! = 0 ) {
goto done ;
}
if ( is_as_req & & ( flags & KRB5_KDB_FLAG_INCLUDE_PAC ) ! = 0 ) {
generate_pac = true ;
}
DBG_DEBUG ( " *** Sign data for client principal: %s [%s %s%s] \n " ,
client_name ,
is_as_req ? " AS-REQ " : " TGS_REQ " ,
with_pac ? is_as_req ? " WITH_PAC " : " FIND_PAC " : " NO_PAC " ,
generate_pac ? " GENERATE_PAC " : " " ) ;
/*
* Generate PAC for the AS - REQ or check or generate one for the TGS if
* needed .
*/
if ( with_pac & & generate_pac ) {
DBG_DEBUG ( " Generate PAC for AS-REQ [%s] \n " , client_name ) ;
2021-12-13 10:31:49 +03:00
code = krb5_pac_init ( context , & pac ) ;
if ( code ! = 0 ) {
goto done ;
}
2021-12-13 10:33:05 +03:00
code = ks_get_pac ( context ,
client_entry ,
server ,
2021-12-13 17:48:08 +03:00
NULL ,
2021-12-13 10:33:05 +03:00
& pac ) ;
2014-05-12 12:49:24 +04:00
if ( code ! = 0 ) {
goto done ;
}
2021-07-12 15:00:19 +03:00
} else if ( with_pac & & ! is_as_req ) {
/*
* Find the PAC in the TGS , if one exists .
*/
code = krb5_find_authdata ( context ,
tgt_auth_data ,
NULL ,
KRB5_AUTHDATA_WIN2K_PAC ,
& pac_auth_data ) ;
2014-05-12 12:49:24 +04:00
if ( code ! = 0 ) {
2021-07-12 15:00:19 +03:00
DBG_ERR ( " krb5_find_authdata failed: %d \n " , code ) ;
2014-05-12 12:49:24 +04:00
goto done ;
}
2021-07-12 15:00:19 +03:00
DBG_DEBUG ( " Found PAC data for TGS-REQ [%s] \n " , client_name ) ;
2014-05-12 12:49:24 +04:00
2021-07-12 15:00:19 +03:00
if ( pac_auth_data ! = NULL & & pac_auth_data [ 0 ] ! = NULL ) {
if ( pac_auth_data [ 1 ] ! = NULL ) {
DBG_ERR ( " Invalid PAC data! \n " ) ;
code = KRB5KDC_ERR_BADOPTION ;
goto done ;
}
2014-05-12 12:49:24 +04:00
2021-07-12 15:00:19 +03:00
DBG_DEBUG ( " Verify PAC for TGS [%s] \n " ,
client_name ) ;
code = ks_verify_pac ( context ,
flags ,
ks_client_princ ,
client_entry ,
server ,
krbtgt ,
server_key ,
krbtgt_key ,
authtime ,
tgt_auth_data ,
& pac ) ;
if ( code ! = 0 ) {
goto done ;
}
} else {
if ( flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION ) {
DBG_DEBUG ( " Generate PAC for constrained "
" delegation TGS [%s] \n " ,
client_name ) ;
2021-12-13 10:31:49 +03:00
code = krb5_pac_init ( context , & pac ) ;
if ( code ! = 0 ) {
goto done ;
}
2021-07-12 15:00:19 +03:00
code = ks_get_pac ( context ,
client_entry ,
2021-12-13 10:33:05 +03:00
server ,
2021-12-13 17:48:08 +03:00
NULL ,
2021-07-12 15:00:19 +03:00
& pac ) ;
if ( code ! = 0 & & code ! = ENOENT ) {
goto done ;
}
}
2014-05-12 12:49:24 +04:00
}
}
if ( pac = = NULL ) {
2021-07-12 15:00:19 +03:00
DBG_DEBUG ( " No PAC data - we're done [%s] \n " , client_name ) ;
* signed_auth_data = NULL ;
code = 0 ;
2014-05-12 12:49:24 +04:00
goto done ;
}
2021-07-12 15:00:19 +03:00
DBG_DEBUG ( " Signing PAC for %s [%s] \n " ,
is_as_req ? " AS-REQ " : " TGS-REQ " ,
client_name ) ;
2021-07-12 12:20:29 +03:00
code = krb5_pac_sign ( context , pac , authtime , ks_client_princ ,
2014-05-12 12:49:24 +04:00
server_key , krbtgt_key , & pac_data ) ;
if ( code ! = 0 ) {
2016-09-30 08:43:47 +03:00
DBG_ERR ( " krb5_pac_sign failed: %d \n " , code ) ;
2014-05-12 12:49:24 +04:00
goto done ;
}
2014-05-16 16:37:39 +04:00
authdata = calloc ( 2 , sizeof ( krb5_authdata * ) ) ;
2014-05-12 12:49:24 +04:00
if ( authdata = = NULL ) {
goto done ;
}
authdata [ 0 ] = malloc ( sizeof ( krb5_authdata ) ) ;
if ( authdata [ 0 ] = = NULL ) {
goto done ;
}
/* put in signed data */
authdata [ 0 ] - > magic = KV5M_AUTHDATA ;
authdata [ 0 ] - > ad_type = KRB5_AUTHDATA_WIN2K_PAC ;
authdata [ 0 ] - > contents = ( krb5_octet * ) pac_data . data ;
authdata [ 0 ] - > length = pac_data . length ;
code = krb5_encode_authdata_container ( context ,
KRB5_AUTHDATA_IF_RELEVANT ,
authdata ,
signed_auth_data ) ;
if ( code ! = 0 ) {
goto done ;
}
code = 0 ;
done :
2021-07-12 12:20:29 +03:00
if ( client_entry ! = NULL & & client_entry ! = client ) {
ks_free_principal ( context , client_entry ) ;
}
2021-07-12 15:00:19 +03:00
SAFE_FREE ( client_name ) ;
2014-05-12 12:49:24 +04:00
krb5_free_authdata ( context , authdata ) ;
2021-07-12 15:00:19 +03:00
krb5_pac_free ( context , pac ) ;
2014-05-12 12:49:24 +04:00
return code ;
}
2021-10-04 12:53:55 +03:00
# else /* KRB5_KDB_DAL_MAJOR_VERSION >= 9 */
static krb5_error_code ks_update_pac ( krb5_context context ,
int flags ,
krb5_db_entry * client ,
krb5_db_entry * server ,
krb5_db_entry * signing_krbtgt ,
krb5_pac old_pac ,
krb5_pac new_pac )
{
struct mit_samba_context * mit_ctx = NULL ;
krb5_error_code code ;
mit_ctx = ks_get_context ( context ) ;
if ( mit_ctx = = NULL ) {
return KRB5_KDB_DBNOTINITED ;
}
code = mit_samba_update_pac ( mit_ctx ,
context ,
flags ,
client ,
server ,
signing_krbtgt ,
old_pac ,
new_pac ) ;
if ( code ! = 0 ) {
return code ;
}
return code ;
}
krb5_error_code kdb_samba_db_issue_pac ( krb5_context context ,
unsigned int flags ,
krb5_db_entry * client ,
krb5_keyblock * replaced_reply_key ,
krb5_db_entry * server ,
krb5_db_entry * signing_krbtgt ,
krb5_timestamp authtime ,
krb5_pac old_pac ,
krb5_pac new_pac ,
krb5_data * * * auth_indicators )
{
char * client_name = NULL ;
char * server_name = NULL ;
krb5_error_code code = EINVAL ;
/* The KDC handles both signing and verification for us. */
if ( client ! = NULL ) {
code = krb5_unparse_name ( context ,
client - > princ ,
& client_name ) ;
if ( code ! = 0 ) {
return code ;
}
}
if ( server ! = NULL ) {
code = krb5_unparse_name ( context ,
server - > princ ,
& server_name ) ;
if ( code ! = 0 ) {
SAFE_FREE ( client_name ) ;
return code ;
}
}
/*
* Get a new PAC for AS - REQ or S4U2Self for our realm .
*
* For a simple cross - realm S4U2Proxy there will be the following TGS
* requests after the client realm is identified :
*
* 1. server @ SREALM to SREALM for krbtgt / CREALM @ SREALM - - a regular TGS
* request with server ' s normal TGT and no S4U2Self padata .
* 2. server @ SREALM to CREALM for server @ SREALM ( expressed as an
* enterprise principal ) , with the TGT from # 1 as header ticket and
* S4U2Self padata identifying the client .
* 3. server @ SREALM to SREALM for server @ SREALM with S4U2Self padata ,
* with the referral TGT from # 2 as header ticket
*
* In request 2 the PROTOCOL_TRANSITION and CROSS_REALM flags are set ,
* and the request is for a local client ( so client ! = NULL ) and we
* want to make a new PAC .
*
* In request 3 the PROTOCOL_TRANSITION and CROSS_REALM flags are also
* set , but the request is for a non - local client ( so client = = NULL )
* and we want to copy the subject PAC contained in the referral TGT .
*/
if ( old_pac = = NULL | |
( client ! = NULL & & ( flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION ) ) ) {
DBG_NOTICE ( " Generate PAC for AS-REQ [client=%s, flags=%#08x] \n " ,
client_name ! = NULL ? client_name : " <unknown> " ,
flags ) ;
code = ks_get_pac ( context ,
client ,
server ,
replaced_reply_key ,
& new_pac ) ;
} else {
DBG_NOTICE ( " Update PAC for TGS-REQ [client=%s, server=%s, "
" flags=%#08x] \n " ,
client_name ! = NULL ? client_name : " <unknown> " ,
server_name ! = NULL ? server_name : " <unknown> " ,
flags ) ;
code = ks_update_pac ( context ,
flags ,
client ,
server ,
signing_krbtgt ,
old_pac ,
new_pac ) ;
}
SAFE_FREE ( client_name ) ;
SAFE_FREE ( server_name ) ;
return code ;
}
# endif /* KRB5_KDB_DAL_MAJOR_VERSION */
2014-05-12 12:49:24 +04:00
krb5_error_code kdb_samba_db_check_allowed_to_delegate ( krb5_context context ,
krb5_const_principal client ,
const krb5_db_entry * server ,
krb5_const_principal proxy )
{
2021-11-22 22:09:31 +03:00
struct mit_samba_context * mit_ctx = NULL ;
2014-05-12 12:49:24 +04:00
mit_ctx = ks_get_context ( context ) ;
if ( mit_ctx = = NULL ) {
return KRB5_KDB_DBNOTINITED ;
}
2021-11-22 22:09:31 +03:00
return mit_samba_check_s4u2proxy ( mit_ctx ,
server ,
proxy ) ;
2014-05-12 12:49:24 +04:00
}
2015-05-20 18:20:13 +03:00
2021-12-07 18:02:35 +03:00
# if KRB5_KDB_DAL_MAJOR_VERSION >= 9
krb5_error_code kdb_samba_db_allowed_to_delegate_from (
krb5_context context ,
krb5_const_principal client_principal ,
krb5_const_principal server_principal ,
krb5_pac header_pac ,
const krb5_db_entry * proxy )
{
struct mit_samba_context * mit_ctx = NULL ;
krb5_error_code code ;
mit_ctx = ks_get_context ( context ) ;
if ( mit_ctx = = NULL ) {
return KRB5_KDB_DBNOTINITED ;
}
code = mit_samba_check_allowed_to_delegate_from ( mit_ctx ,
client_principal ,
server_principal ,
header_pac ,
proxy ) ;
return code ;
}
# endif
2017-10-24 12:01:39 +03:00
static void samba_bad_password_count ( krb5_db_entry * client ,
krb5_error_code error_code )
{
2015-05-20 18:20:13 +03:00
switch ( error_code ) {
case 0 :
mit_samba_zero_bad_password_count ( client ) ;
break ;
case KRB5KDC_ERR_PREAUTH_FAILED :
case KRB5KRB_AP_ERR_BAD_INTEGRITY :
mit_samba_update_bad_password_count ( client ) ;
break ;
}
}
2017-10-24 12:01:39 +03:00
void kdb_samba_db_audit_as_req ( krb5_context context ,
krb5_kdc_req * request ,
const krb5_address * local_addr ,
const krb5_address * remote_addr ,
krb5_db_entry * client ,
krb5_db_entry * server ,
krb5_timestamp authtime ,
krb5_error_code error_code )
{
2016-09-28 08:22:32 +03:00
/*
* FIXME : This segfaulted with a FAST test
* FIND_FAST : < unknown client > for < unknown server > , Unknown FAST armor type 0
*/
if ( client = = NULL ) {
return ;
}
2017-10-24 12:01:39 +03:00
samba_bad_password_count ( client , error_code ) ;
/* TODO: perform proper audit logging for addresses */
2022-03-16 17:40:28 +03:00
}
