2001-11-24 17:16:41 +03:00
/*
2002-01-30 09:08:46 +03:00
Unix SMB / CIFS implementation .
2001-11-24 17:16:41 +03:00
kerberos utility library
Copyright ( C ) Andrew Tridgell 2001
2001-12-20 06:54:52 +03:00
Copyright ( C ) Remus Koos 2001
2005-01-14 22:26:13 +03:00
Copyright ( C ) Nalin Dahyabhai < nalin @ redhat . com > 2004.
2004-10-30 02:38:10 +04:00
Copyright ( C ) Jeremy Allison 2004.
2006-07-11 22:45:22 +04:00
Copyright ( C ) Gerald Carter 2006.
2004-10-30 02:38:10 +04:00
2001-11-24 17:16:41 +03:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-09 23:25:36 +04:00
the Free Software Foundation ; either version 3 of the License , or
2001-11-24 17:16:41 +03:00
( at your option ) any later version .
2011-02-26 14:36:19 +03:00
2001-11-24 17:16:41 +03:00
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
2011-02-26 14:36:19 +03:00
2001-11-24 17:16:41 +03:00
You should have received a copy of the GNU General Public License
2007-07-10 04:52:41 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2001-11-24 17:16:41 +03:00
*/
# include "includes.h"
2011-02-26 01:20:06 +03:00
# include "system/filesys.h"
2009-11-27 17:52:57 +03:00
# include "smb_krb5.h"
2010-05-28 04:20:02 +04:00
# include "../librpc/gen_ndr/ndr_misc.h"
2010-07-02 02:32:52 +04:00
# include "libads/kerberos_proto.h"
2011-10-12 21:41:45 +04:00
# include "libads/cldap.h"
2010-08-05 04:25:37 +04:00
# include "secrets.h"
2011-10-12 21:41:45 +04:00
# include "../lib/tsocket/tsocket.h"
2016-08-25 18:07:01 +03:00
# include "lib/util/asn1.h"
2001-11-24 17:16:41 +03:00
# ifdef HAVE_KRB5
2004-10-30 02:38:10 +04:00
# define LIBADS_CCACHE_NAME "MEMORY:libads"
2002-07-15 14:35:28 +04:00
/*
we use a prompter to avoid a crash bug in the kerberos libs when
dealing with empty passwords
this prompter is just a string copy . . .
*/
static krb5_error_code
kerb_prompter ( krb5_context ctx , void * data ,
const char * name ,
const char * banner ,
int num_prompts ,
krb5_prompt prompts [ ] )
{
if ( num_prompts = = 0 ) return 0 ;
2016-02-15 14:58:07 +03:00
if ( num_prompts = = 2 ) {
2015-08-28 13:33:13 +03:00
/*
2016-02-15 14:58:07 +03:00
* only heimdal has a prompt type and we need to deal with it here to
* avoid loops .
*
* removing the prompter completely is not an option as at least these
* versions would crash : heimdal - 1.0 .2 and heimdal - 1.1 . Later heimdal
* version have looping detection and return with a proper error code .
2015-08-28 13:33:13 +03:00
*/
2016-02-15 14:58:07 +03:00
# if HAVE_KRB5_PROMPT_TYPE /* Heimdal */
if ( prompts [ 0 ] . type = = KRB5_PROMPT_TYPE_NEW_PASSWORD & &
prompts [ 1 ] . type = = KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN ) {
/*
* We don ' t want to change passwords here . We ' re
* called from heimal when the KDC returns
* KRB5KDC_ERR_KEY_EXPIRED , but at this point we don ' t
* have the chance to ask the user for a new
* password . If we return 0 ( i . e . success ) , we will be
* spinning in the endless for - loop in
* change_password ( ) in
* source4 / heimdal / lib / krb5 / init_creds_pw . c : 526ff
*/
return KRB5KDC_ERR_KEY_EXPIRED ;
}
# elif defined(HAVE_KRB5_GET_PROMPT_TYPES) /* MIT */
krb5_prompt_type * prompt_types = NULL ;
prompt_types = krb5_get_prompt_types ( ctx ) ;
if ( prompt_types ! = NULL ) {
if ( prompt_types [ 0 ] = = KRB5_PROMPT_TYPE_NEW_PASSWORD & &
prompt_types [ 1 ] = = KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN ) {
return KRB5KDC_ERR_KEY_EXP ;
}
}
# endif
2015-08-28 13:33:13 +03:00
}
2016-02-15 14:58:07 +03:00
2004-10-30 02:38:10 +04:00
memset ( prompts [ 0 ] . reply - > data , ' \0 ' , prompts [ 0 ] . reply - > length ) ;
2002-07-15 14:35:28 +04:00
if ( prompts [ 0 ] . reply - > length > 0 ) {
2002-10-24 05:05:30 +04:00
if ( data ) {
2009-11-06 12:25:53 +03:00
strncpy ( ( char * ) prompts [ 0 ] . reply - > data , ( const char * ) data ,
2006-08-01 00:51:55 +04:00
prompts [ 0 ] . reply - > length - 1 ) ;
2009-11-06 12:25:53 +03:00
prompts [ 0 ] . reply - > length = strlen ( ( const char * ) prompts [ 0 ] . reply - > data ) ;
2002-10-24 05:05:30 +04:00
} else {
prompts [ 0 ] . reply - > length = 0 ;
}
2002-07-15 14:35:28 +04:00
}
return 0 ;
}
2016-08-25 18:07:01 +03:00
static bool unwrap_edata_ntstatus ( TALLOC_CTX * mem_ctx ,
DATA_BLOB * edata ,
DATA_BLOB * edata_out )
{
DATA_BLOB edata_contents ;
ASN1_DATA * data ;
int edata_type ;
if ( ! edata - > length ) {
return false ;
}
data = asn1_init ( mem_ctx ) ;
if ( data = = NULL ) {
return false ;
}
if ( ! asn1_load ( data , * edata ) ) goto err ;
if ( ! asn1_start_tag ( data , ASN1_SEQUENCE ( 0 ) ) ) goto err ;
if ( ! asn1_start_tag ( data , ASN1_CONTEXT ( 1 ) ) ) goto err ;
if ( ! asn1_read_Integer ( data , & edata_type ) ) goto err ;
if ( edata_type ! = KRB5_PADATA_PW_SALT ) {
DEBUG ( 0 , ( " edata is not of required type %d but of type %d \n " ,
KRB5_PADATA_PW_SALT , edata_type ) ) ;
goto err ;
}
if ( ! asn1_start_tag ( data , ASN1_CONTEXT ( 2 ) ) ) goto err ;
if ( ! asn1_read_OctetString ( data , talloc_tos ( ) , & edata_contents ) ) goto err ;
if ( ! asn1_end_tag ( data ) ) goto err ;
if ( ! asn1_end_tag ( data ) ) goto err ;
if ( ! asn1_end_tag ( data ) ) goto err ;
asn1_free ( data ) ;
* edata_out = data_blob_talloc ( mem_ctx , edata_contents . data , edata_contents . length ) ;
data_blob_free ( & edata_contents ) ;
return true ;
err :
asn1_free ( data ) ;
return false ;
}
2007-10-19 04:40:25 +04:00
static bool smb_krb5_get_ntstatus_from_krb5_error ( krb5_error * error ,
2007-05-04 13:55:40 +04:00
NTSTATUS * nt_status )
{
DATA_BLOB edata ;
DATA_BLOB unwrapped_edata ;
TALLOC_CTX * mem_ctx ;
2009-02-05 04:08:40 +03:00
struct KRB5_EDATA_NTSTATUS parsed_edata ;
enum ndr_err_code ndr_err ;
2007-05-04 13:55:40 +04:00
# ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
edata = data_blob ( error - > e_data - > data , error - > e_data - > length ) ;
# else
edata = data_blob ( error - > e_data . data , error - > e_data . length ) ;
# endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
# ifdef DEVELOPER
dump_data ( 10 , edata . data , edata . length ) ;
# endif /* DEVELOPER */
mem_ctx = talloc_init ( " smb_krb5_get_ntstatus_from_krb5_error " ) ;
if ( mem_ctx = = NULL ) {
data_blob_free ( & edata ) ;
return False ;
}
if ( ! unwrap_edata_ntstatus ( mem_ctx , & edata , & unwrapped_edata ) ) {
data_blob_free ( & edata ) ;
TALLOC_FREE ( mem_ctx ) ;
return False ;
}
data_blob_free ( & edata ) ;
2010-05-10 02:42:06 +04:00
ndr_err = ndr_pull_struct_blob_all ( & unwrapped_edata , mem_ctx ,
& parsed_edata , ( ndr_pull_flags_fn_t ) ndr_pull_KRB5_EDATA_NTSTATUS ) ;
2009-02-05 04:08:40 +03:00
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
2007-05-04 13:55:40 +04:00
data_blob_free ( & unwrapped_edata ) ;
TALLOC_FREE ( mem_ctx ) ;
return False ;
}
data_blob_free ( & unwrapped_edata ) ;
if ( nt_status ) {
* nt_status = parsed_edata . ntstatus ;
}
TALLOC_FREE ( mem_ctx ) ;
return True ;
}
2016-08-26 17:44:05 +03:00
static bool smb_krb5_get_ntstatus_from_init_creds ( krb5_context ctx ,
2016-08-30 13:33:39 +03:00
krb5_principal client ,
2016-08-26 17:44:05 +03:00
krb5_get_init_creds_opt * opt ,
NTSTATUS * nt_status )
2007-05-04 13:55:40 +04:00
{
2016-08-30 13:33:39 +03:00
krb5_init_creds_context icc ;
krb5_error_code code ;
2016-08-30 13:38:46 +03:00
# ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
/* HEIMDAL */
2016-08-30 13:33:39 +03:00
krb5_error error ;
2016-08-30 13:38:46 +03:00
# else
krb5_error * error = NULL ;
# endif
2016-08-30 13:33:39 +03:00
bool ok ;
code = krb5_init_creds_init ( ctx ,
client ,
NULL ,
NULL ,
0 ,
opt ,
& icc ) ;
if ( code ! = 0 ) {
DBG_WARNING ( " krb5_init_creds_init failed with: %s \n " ,
error_message ( code ) ) ;
return false ;
2007-05-04 13:55:40 +04:00
}
2016-08-30 13:33:39 +03:00
code = krb5_init_creds_get_error ( ctx ,
icc ,
& error ) ;
if ( code ! = 0 ) {
DBG_WARNING ( " krb5_init_creds_get_error failed with: %s \n " ,
error_message ( code ) ) ;
return false ;
2007-05-04 13:55:40 +04:00
}
2016-08-30 13:33:39 +03:00
krb5_init_creds_free ( ctx , icc ) ;
2007-05-04 13:55:40 +04:00
2016-08-30 13:38:46 +03:00
# ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
2016-08-30 13:33:39 +03:00
ok = smb_krb5_get_ntstatus_from_krb5_error ( & error , nt_status ) ;
2007-05-04 13:55:40 +04:00
2016-08-30 13:33:39 +03:00
krb5_free_error_contents ( ctx , & error ) ;
# else
2016-08-30 13:38:46 +03:00
ok = smb_krb5_get_ntstatus_from_krb5_error ( error , nt_status ) ;
krb5_free_error ( ctx , error ) ;
2016-08-30 13:33:39 +03:00
# endif
2016-08-30 13:38:46 +03:00
return ok ;
2007-05-04 13:55:40 +04:00
}
2001-12-06 08:41:53 +03:00
/*
2004-10-30 02:38:10 +04:00
simulate a kinit , putting the tgt in the given cache location . If cache_name = = NULL
place in default cache location .
2001-12-06 08:41:53 +03:00
remus @ snapserver . com
*/
2006-03-20 22:05:44 +03:00
int kerberos_kinit_password_ext ( const char * principal ,
2004-10-30 02:38:10 +04:00
const char * password ,
int time_offset ,
time_t * expire_time ,
2006-02-04 01:19:41 +03:00
time_t * renew_till_time ,
const char * cache_name ,
2007-10-19 04:40:25 +04:00
bool request_pac ,
bool add_netbios_addr ,
2007-05-04 14:21:39 +04:00
time_t renewable_time ,
NTSTATUS * ntstatus )
2001-12-06 08:41:53 +03:00
{
2004-05-07 06:48:03 +04:00
krb5_context ctx = NULL ;
2001-12-06 08:41:53 +03:00
krb5_error_code code = 0 ;
2004-05-07 06:48:03 +04:00
krb5_ccache cc = NULL ;
2007-05-04 13:46:17 +04:00
krb5_principal me = NULL ;
2016-02-15 14:09:59 +03:00
krb5_principal canon_princ = NULL ;
2001-12-06 08:41:53 +03:00
krb5_creds my_creds ;
2007-02-01 18:10:13 +03:00
krb5_get_init_creds_opt * opt = NULL ;
2006-04-25 16:24:25 +04:00
smb_krb5_addresses * addr = NULL ;
2001-12-13 14:30:13 +03:00
2007-05-04 13:46:17 +04:00
ZERO_STRUCT ( my_creds ) ;
2005-11-07 17:16:50 +03:00
initialize_krb5_error_table ( ) ;
2001-12-06 08:41:53 +03:00
if ( ( code = krb5_init_context ( & ctx ) ) )
2007-05-04 13:46:17 +04:00
goto out ;
2002-09-25 19:19:00 +04:00
if ( time_offset ! = 0 ) {
krb5_set_real_time ( ctx , time ( NULL ) + time_offset , 0 ) ;
}
2006-02-04 01:19:41 +03:00
2008-01-14 16:18:53 +03:00
DEBUG ( 10 , ( " kerberos_kinit_password: as %s using [%s] as ccache and config [%s] \n " ,
principal ,
2006-09-14 14:21:46 +04:00
cache_name ? cache_name : krb5_cc_default_name ( ctx ) ,
getenv ( " KRB5_CONFIG " ) ) ) ;
2006-02-04 01:19:41 +03:00
if ( ( code = krb5_cc_resolve ( ctx , cache_name ? cache_name : krb5_cc_default_name ( ctx ) , & cc ) ) ) {
2007-05-04 13:46:17 +04:00
goto out ;
2001-12-06 08:41:53 +03:00
}
2011-02-26 14:36:19 +03:00
2006-04-24 19:57:54 +04:00
if ( ( code = smb_krb5_parse_name ( ctx , principal , & me ) ) ) {
2007-05-04 13:46:17 +04:00
goto out ;
2001-12-06 08:41:53 +03:00
}
2006-02-04 01:19:41 +03:00
2016-08-29 10:12:38 +03:00
if ( ( code = krb5_get_init_creds_opt_alloc ( ctx , & opt ) ) ) {
2007-05-04 13:46:17 +04:00
goto out ;
2007-02-01 18:10:13 +03:00
}
krb5_get_init_creds_opt_set_renew_life ( opt , renewable_time ) ;
krb5_get_init_creds_opt_set_forwardable ( opt , True ) ;
2016-02-15 14:09:59 +03:00
/* Turn on canonicalization for lower case realm support */
# ifndef SAMBA4_USES_HEIMDAL /* MIT */
krb5_get_init_creds_opt_set_canonicalize ( opt , true ) ;
# endif /* MIT */
2007-02-08 20:02:39 +03:00
#if 0
/* insane testing */
krb5_get_init_creds_opt_set_tkt_life ( opt , 60 ) ;
# endif
2007-02-01 18:10:13 +03:00
2006-02-04 01:19:41 +03:00
# ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
2007-02-01 18:10:13 +03:00
if ( request_pac ) {
2007-05-04 13:46:17 +04:00
if ( ( code = krb5_get_init_creds_opt_set_pac_request ( ctx , opt , ( krb5_boolean ) request_pac ) ) ) {
goto out ;
2006-04-25 16:24:25 +04:00
}
2006-02-04 01:19:41 +03:00
}
2007-02-01 18:10:13 +03:00
# endif
2006-04-25 16:24:25 +04:00
if ( add_netbios_addr ) {
2012-04-22 01:26:18 +04:00
if ( ( code = smb_krb5_gen_netbios_krb5_address ( & addr ,
lp_netbios_name ( ) ) ) ) {
2007-05-04 13:46:17 +04:00
goto out ;
2006-04-25 16:24:25 +04:00
}
2007-02-01 18:10:13 +03:00
krb5_get_init_creds_opt_set_address_list ( opt , addr - > addrs ) ;
2006-04-25 16:24:25 +04:00
}
2011-05-06 00:42:05 +04:00
if ( ( code = krb5_get_init_creds_password ( ctx , & my_creds , me , discard_const_p ( char , password ) ,
kerb_prompter , discard_const_p ( char , password ) ,
2007-05-26 02:04:03 +04:00
0 , NULL , opt ) ) ) {
2007-05-04 13:46:17 +04:00
goto out ;
2001-12-06 08:41:53 +03:00
}
2007-02-01 18:10:13 +03:00
2016-02-15 14:09:59 +03:00
canon_princ = me ;
# ifndef SAMBA4_USES_HEIMDAL /* MIT */
canon_princ = my_creds . client ;
# endif /* MIT */
if ( ( code = krb5_cc_initialize ( ctx , cc , canon_princ ) ) ) {
2007-05-04 13:46:17 +04:00
goto out ;
2001-12-06 08:41:53 +03:00
}
2011-02-26 14:36:19 +03:00
2001-12-06 08:41:53 +03:00
if ( ( code = krb5_cc_store_cred ( ctx , cc , & my_creds ) ) ) {
2007-05-04 13:46:17 +04:00
goto out ;
2001-12-06 08:41:53 +03:00
}
2006-02-04 01:19:41 +03:00
if ( expire_time ) {
2004-03-24 20:32:55 +03:00
* expire_time = ( time_t ) my_creds . times . endtime ;
2006-02-04 01:19:41 +03:00
}
if ( renew_till_time ) {
* renew_till_time = ( time_t ) my_creds . times . renew_till ;
}
2007-05-04 13:46:17 +04:00
out :
2007-05-04 14:21:39 +04:00
if ( ntstatus ) {
NTSTATUS status ;
/* fast path */
if ( code = = 0 ) {
* ntstatus = NT_STATUS_OK ;
goto cleanup ;
}
/* try to get ntstatus code out of krb5_error when we have it
* inside the krb5_get_init_creds_opt - gd */
2016-08-26 17:44:05 +03:00
if ( opt ! = NULL ) {
bool ok ;
ok = smb_krb5_get_ntstatus_from_init_creds ( ctx ,
2016-08-30 13:33:39 +03:00
me ,
2016-08-26 17:44:05 +03:00
opt ,
& status ) ;
if ( ok ) {
* ntstatus = status ;
goto cleanup ;
}
2007-05-04 14:21:39 +04:00
}
/* fall back to self-made-mapping */
* ntstatus = krb5_to_nt_status ( code ) ;
}
cleanup :
2001-12-06 08:41:53 +03:00
krb5_free_cred_contents ( ctx , & my_creds ) ;
2007-05-04 13:46:17 +04:00
if ( me ) {
krb5_free_principal ( ctx , me ) ;
}
if ( addr ) {
smb_krb5_free_addresses ( ctx , addr ) ;
}
2016-08-29 10:13:51 +03:00
if ( opt ) {
krb5_get_init_creds_opt_free ( ctx , opt ) ;
2007-05-04 13:46:17 +04:00
}
if ( cc ) {
krb5_cc_close ( ctx , cc ) ;
}
if ( ctx ) {
krb5_free_context ( ctx ) ;
}
return code ;
2001-12-06 08:41:53 +03:00
}
2004-03-24 20:32:55 +03:00
int ads_kdestroy ( const char * cc_name )
{
krb5_error_code code ;
2004-05-07 06:48:03 +04:00
krb5_context ctx = NULL ;
krb5_ccache cc = NULL ;
2004-03-24 20:32:55 +03:00
2005-11-07 17:16:50 +03:00
initialize_krb5_error_table ( ) ;
2004-03-24 20:32:55 +03:00
if ( ( code = krb5_init_context ( & ctx ) ) ) {
2004-08-21 00:18:28 +04:00
DEBUG ( 3 , ( " ads_kdestroy: kdb5_init_context failed: %s \n " ,
error_message ( code ) ) ) ;
2004-03-24 20:32:55 +03:00
return code ;
}
2011-02-26 14:36:19 +03:00
2004-03-24 20:32:55 +03:00
if ( ! cc_name ) {
if ( ( code = krb5_cc_default ( ctx , & cc ) ) ) {
krb5_free_context ( ctx ) ;
return code ;
}
} else {
if ( ( code = krb5_cc_resolve ( ctx , cc_name , & cc ) ) ) {
2004-08-21 00:18:28 +04:00
DEBUG ( 3 , ( " ads_kdestroy: krb5_cc_resolve failed: %s \n " ,
error_message ( code ) ) ) ;
2004-03-24 20:32:55 +03:00
krb5_free_context ( ctx ) ;
return code ;
}
}
if ( ( code = krb5_cc_destroy ( ctx , cc ) ) ) {
2004-08-21 00:18:28 +04:00
DEBUG ( 3 , ( " ads_kdestroy: krb5_cc_destroy failed: %s \n " ,
error_message ( code ) ) ) ;
2004-03-24 20:32:55 +03:00
}
krb5_free_context ( ctx ) ;
return code ;
}
2001-11-24 17:16:41 +03:00
2004-10-30 02:38:10 +04:00
/************************************************************************
Routine to fetch the salting principal for a service . Active
Directory may use a non - obvious principal name to generate the salt
when it determines the key to use for encrypting tickets for a service ,
and hopefully we detected that when we joined the domain .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static char * kerberos_secrets_fetch_salting_principal ( const char * service , int enctype )
{
char * key = NULL ;
char * ret = NULL ;
2008-02-25 17:24:49 +03:00
if ( asprintf ( & key , " %s/%s/enctype=%d " ,
SECRETS_SALTING_PRINCIPAL , service , enctype ) = = - 1 ) {
2004-10-30 02:38:10 +04:00
return NULL ;
}
ret = ( char * ) secrets_fetch ( key , NULL ) ;
SAFE_FREE ( key ) ;
return ret ;
}
/************************************************************************
2006-07-11 22:45:22 +04:00
Return the standard DES salt key
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
char * kerberos_standard_des_salt ( void )
{
fstring salt ;
2011-06-09 09:31:03 +04:00
fstr_sprintf ( salt , " host/%s.%s@ " , lp_netbios_name ( ) , lp_realm ( ) ) ;
2012-08-09 04:01:00 +04:00
( void ) strlower_m ( salt ) ;
2006-07-11 22:45:22 +04:00
fstrcat ( salt , lp_realm ( ) ) ;
return SMB_STRDUP ( salt ) ;
}
/************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static char * des_salt_key ( void )
{
char * key ;
2008-02-25 17:24:49 +03:00
if ( asprintf ( & key , " %s/DES/%s " , SECRETS_SALTING_PRINCIPAL ,
lp_realm ( ) ) = = - 1 ) {
return NULL ;
}
2006-07-11 22:45:22 +04:00
return key ;
}
/************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-10-19 04:40:25 +04:00
bool kerberos_secrets_store_des_salt ( const char * salt )
2006-07-11 22:45:22 +04:00
{
char * key ;
2007-10-19 04:40:25 +04:00
bool ret ;
2006-07-11 22:45:22 +04:00
if ( ( key = des_salt_key ( ) ) = = NULL ) {
DEBUG ( 0 , ( " kerberos_secrets_store_des_salt: failed to generate key! \n " ) ) ;
return False ;
}
if ( ! salt ) {
DEBUG ( 8 , ( " kerberos_secrets_store_des_salt: deleting salt \n " ) ) ;
secrets_delete ( key ) ;
2006-07-13 04:11:34 +04:00
return True ;
2006-07-11 22:45:22 +04:00
}
DEBUG ( 3 , ( " kerberos_secrets_store_des_salt: Storing salt \" %s \" \n " , salt ) ) ;
ret = secrets_store ( key , salt , strlen ( salt ) + 1 ) ;
SAFE_FREE ( key ) ;
return ret ;
}
/************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2012-04-22 01:26:18 +04:00
static
2006-07-11 22:45:22 +04:00
char * kerberos_secrets_fetch_des_salt ( void )
{
char * salt , * key ;
if ( ( key = des_salt_key ( ) ) = = NULL ) {
DEBUG ( 0 , ( " kerberos_secrets_fetch_des_salt: failed to generate key! \n " ) ) ;
2011-12-20 13:25:05 +04:00
return NULL ;
2006-07-11 22:45:22 +04:00
}
2006-07-12 00:50:50 +04:00
salt = ( char * ) secrets_fetch ( key , NULL ) ;
2006-07-11 22:45:22 +04:00
SAFE_FREE ( key ) ;
return salt ;
}
/************************************************************************
Routine to get the salting principal for this service . This is
maintained for backwards compatibilty with releases prior to 3.0 .24 .
Since we store the salting principal string only at join , we may have
to look for the older tdb keys . Caller must free if return is not null .
2004-10-30 02:38:10 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2016-02-29 18:21:56 +03:00
char * kerberos_fetch_salt_princ_for_host_princ ( krb5_context context ,
const char * host_princ_s ,
int enctype )
2004-10-30 02:38:10 +04:00
{
2016-02-29 18:21:56 +03:00
char * salt_princ_s ;
2006-07-11 22:45:22 +04:00
/* lookup new key first */
2004-10-30 02:38:10 +04:00
2016-02-29 18:21:56 +03:00
salt_princ_s = kerberos_secrets_fetch_des_salt ( ) ;
if ( salt_princ_s = = NULL ) {
2011-02-26 14:36:19 +03:00
2006-07-11 22:45:22 +04:00
/* look under the old key. If this fails, just use the standard key */
2016-02-29 18:21:56 +03:00
salt_princ_s = kerberos_secrets_fetch_salting_principal ( host_princ_s ,
enctype ) ;
if ( salt_princ_s = = NULL ) {
2006-07-11 22:45:22 +04:00
/* fall back to host/machine.realm@REALM */
salt_princ_s = kerberos_standard_des_salt ( ) ;
}
2004-10-30 02:38:10 +04:00
}
2016-02-29 18:21:56 +03:00
return salt_princ_s ;
2004-10-30 02:38:10 +04:00
}
2012-04-22 01:26:18 +04:00
int create_kerberos_key_from_string ( krb5_context context ,
krb5_principal host_princ ,
2016-02-29 18:21:56 +03:00
krb5_principal salt_princ ,
2012-04-22 01:26:18 +04:00
krb5_data * password ,
krb5_keyblock * key ,
krb5_enctype enctype ,
bool no_salt )
{
int ret ;
/*
* Check if we ' ve determined that the KDC is salting keys for this
* principal / enctype in a non - obvious way . If it is , try to match
* its behavior .
*/
if ( no_salt ) {
KRB5_KEY_DATA ( key ) = ( KRB5_KEY_DATA_CAST * ) SMB_MALLOC ( password - > length ) ;
if ( ! KRB5_KEY_DATA ( key ) ) {
return ENOMEM ;
}
memcpy ( KRB5_KEY_DATA ( key ) , password - > data , password - > length ) ;
KRB5_KEY_LENGTH ( key ) = password - > length ;
KRB5_KEY_TYPE ( key ) = enctype ;
return 0 ;
}
2014-04-25 16:14:20 +04:00
ret = smb_krb5_create_key_from_string ( context ,
2015-03-26 13:21:06 +03:00
salt_princ ? salt_princ : host_princ ,
2014-04-25 16:14:20 +04:00
NULL ,
password ,
enctype ,
key ) ;
2012-04-22 01:26:18 +04:00
return ret ;
}
2004-10-30 02:38:10 +04:00
/************************************************************************
Routine to set the salting principal for this service . Active
Directory may use a non - obvious principal name to generate the salt
when it determines the key to use for encrypting tickets for a service ,
and hopefully we detected that when we joined the domain .
Setting principal to NULL deletes this entry .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-10-19 04:40:25 +04:00
bool kerberos_secrets_store_salting_principal ( const char * service ,
2004-10-30 02:38:10 +04:00
int enctype ,
const char * principal )
{
char * key = NULL ;
2007-10-19 04:40:25 +04:00
bool ret = False ;
2004-10-30 02:38:10 +04:00
krb5_context context = NULL ;
krb5_principal princ = NULL ;
char * princ_s = NULL ;
char * unparsed_name = NULL ;
2008-03-15 01:26:28 +03:00
krb5_error_code code ;
2004-10-30 02:38:10 +04:00
2008-03-15 01:26:28 +03:00
if ( ( ( code = krb5_init_context ( & context ) ) ! = 0 ) | | ( context = = NULL ) ) {
DEBUG ( 5 , ( " kerberos_secrets_store_salting_pricipal: kdb5_init_context failed: %s \n " ,
error_message ( code ) ) ) ;
2004-10-30 02:38:10 +04:00
return False ;
}
if ( strchr_m ( service , ' @ ' ) ) {
2008-02-25 17:24:49 +03:00
if ( asprintf ( & princ_s , " %s " , service ) = = - 1 ) {
goto out ;
}
2004-10-30 02:38:10 +04:00
} else {
2008-02-25 17:24:49 +03:00
if ( asprintf ( & princ_s , " %s@%s " , service , lp_realm ( ) ) = = - 1 ) {
goto out ;
}
2004-10-30 02:38:10 +04:00
}
2006-04-24 19:57:54 +04:00
if ( smb_krb5_parse_name ( context , princ_s , & princ ) ! = 0 ) {
2004-10-30 02:38:10 +04:00
goto out ;
}
2009-03-18 08:23:27 +03:00
if ( smb_krb5_unparse_name ( talloc_tos ( ) , context , princ , & unparsed_name ) ! = 0 ) {
2004-10-30 02:38:10 +04:00
goto out ;
}
2008-02-25 17:24:49 +03:00
if ( asprintf ( & key , " %s/%s/enctype=%d " ,
SECRETS_SALTING_PRINCIPAL , unparsed_name , enctype )
= = - 1 ) {
2004-10-30 02:38:10 +04:00
goto out ;
}
if ( ( principal ! = NULL ) & & ( strlen ( principal ) > 0 ) ) {
ret = secrets_store ( key , principal , strlen ( principal ) + 1 ) ;
} else {
ret = secrets_delete ( key ) ;
}
out :
SAFE_FREE ( key ) ;
SAFE_FREE ( princ_s ) ;
2009-03-18 08:23:27 +03:00
TALLOC_FREE ( unparsed_name ) ;
2004-10-30 02:38:10 +04:00
2008-05-27 23:27:57 +04:00
if ( princ ) {
krb5_free_principal ( context , princ ) ;
}
2004-10-30 02:38:10 +04:00
if ( context ) {
krb5_free_context ( context ) ;
}
return ret ;
}
/************************************************************************
2006-07-11 22:45:22 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-03-20 22:05:44 +03:00
int kerberos_kinit_password ( const char * principal ,
const char * password ,
int time_offset ,
const char * cache_name )
{
return kerberos_kinit_password_ext ( principal ,
password ,
time_offset ,
0 ,
0 ,
cache_name ,
False ,
2006-04-25 16:24:25 +04:00
False ,
2007-05-04 14:21:39 +04:00
0 ,
NULL ) ;
2006-03-20 22:05:44 +03:00
}
2008-01-17 00:21:46 +03:00
/************************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-09-02 23:27:44 +04:00
/************************************************************************
Create a string list of available kdc ' s , possibly searching by sitename .
Does DNS queries .
2008-05-19 04:48:09 +04:00
If " sitename " is given , the DC ' s in that site are listed first .
2006-09-02 23:27:44 +04:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2011-10-12 21:41:45 +04:00
static void add_sockaddr_unique ( struct sockaddr_storage * addrs , int * num_addrs ,
const struct sockaddr_storage * addr )
{
int i ;
for ( i = 0 ; i < * num_addrs ; i + + ) {
if ( sockaddr_equal ( ( const struct sockaddr * ) & addrs [ i ] ,
( const struct sockaddr * ) addr ) ) {
return ;
}
}
addrs [ i ] = * addr ;
* num_addrs + = 1 ;
}
2014-04-02 21:37:34 +04:00
/* print_canonical_sockaddr prints an ipv6 addr in the form of
* [ ipv6 . addr ] . This string , when put in a generated krb5 . conf file is not
* always properly dealt with by some older krb5 libraries . Adding the hard - coded
* portnumber workarounds the issue . - gd */
static char * print_canonical_sockaddr_with_port ( TALLOC_CTX * mem_ctx ,
const struct sockaddr_storage * pss )
{
char * str = NULL ;
str = print_canonical_sockaddr ( mem_ctx , pss ) ;
if ( str = = NULL ) {
return NULL ;
}
if ( pss - > ss_family ! = AF_INET6 ) {
return str ;
}
# if defined(HAVE_IPV6)
str = talloc_asprintf_append ( str , " :88 " ) ;
# endif
return str ;
}
2007-10-25 01:16:54 +04:00
static char * get_kdc_ip_string ( char * mem_ctx ,
const char * realm ,
const char * sitename ,
2014-03-07 17:47:31 +04:00
const struct sockaddr_storage * pss )
2006-09-02 23:27:44 +04:00
{
2011-10-12 21:41:45 +04:00
TALLOC_CTX * frame = talloc_stackframe ( ) ;
2007-08-31 17:39:51 +04:00
int i ;
struct ip_service * ip_srv_site = NULL ;
2008-01-17 00:21:46 +03:00
struct ip_service * ip_srv_nonsite = NULL ;
2007-08-31 17:39:51 +04:00
int count_site = 0 ;
2007-09-08 17:53:08 +04:00
int count_nonsite ;
2011-10-12 21:41:45 +04:00
int num_dcs ;
struct sockaddr_storage * dc_addrs ;
struct tsocket_address * * dc_addrs2 = NULL ;
const struct tsocket_address * const * dc_addrs3 = NULL ;
char * result = NULL ;
struct netlogon_samlogon_response * * responses = NULL ;
NTSTATUS status ;
2015-05-21 08:40:24 +03:00
char * kdc_str = talloc_asprintf ( mem_ctx , " %s \t \t kdc = %s \n " , " " ,
2014-04-02 21:37:34 +04:00
print_canonical_sockaddr_with_port ( mem_ctx , pss ) ) ;
2006-09-02 23:27:44 +04:00
if ( kdc_str = = NULL ) {
2012-11-05 02:46:49 +04:00
TALLOC_FREE ( frame ) ;
2006-09-02 23:27:44 +04:00
return NULL ;
}
2008-05-19 04:48:09 +04:00
/*
* First get the KDC ' s only in this site , the rest will be
* appended later
*/
2007-01-17 21:25:35 +03:00
2007-01-17 22:11:45 +03:00
if ( sitename ) {
get_kdc_list ( realm , sitename , & ip_srv_site , & count_site ) ;
2015-05-18 13:36:46 +03:00
DEBUG ( 10 , ( " got %d addresses from site %s search \n " , count_site ,
sitename ) ) ;
2006-09-02 23:27:44 +04:00
}
2007-01-17 21:25:35 +03:00
/* Get all KDC's. */
get_kdc_list ( realm , NULL , & ip_srv_nonsite , & count_nonsite ) ;
2015-05-18 13:36:46 +03:00
DEBUG ( 10 , ( " got %d addresses from site-less search \n " , count_nonsite ) ) ;
2007-01-17 21:25:35 +03:00
2011-10-12 21:41:45 +04:00
dc_addrs = talloc_array ( talloc_tos ( ) , struct sockaddr_storage ,
2015-05-18 13:36:46 +03:00
count_site + count_nonsite ) ;
2011-10-12 21:41:45 +04:00
if ( dc_addrs = = NULL ) {
2015-05-18 13:36:46 +03:00
goto out ;
2011-10-12 21:41:45 +04:00
}
2007-01-17 21:25:35 +03:00
2015-05-18 13:36:46 +03:00
num_dcs = 0 ;
2011-10-12 21:41:45 +04:00
2015-05-18 13:36:46 +03:00
for ( i = 0 ; i < count_site ; i + + ) {
if ( ! sockaddr_equal (
( const struct sockaddr * ) pss ,
( const struct sockaddr * ) & ip_srv_site [ i ] . ss ) ) {
add_sockaddr_unique ( dc_addrs , & num_dcs ,
& ip_srv_site [ i ] . ss ) ;
}
2011-10-12 21:41:45 +04:00
}
2015-05-18 13:36:46 +03:00
for ( i = 0 ; i < count_nonsite ; i + + ) {
if ( ! sockaddr_equal (
( const struct sockaddr * ) pss ,
( const struct sockaddr * ) & ip_srv_nonsite [ i ] . ss ) ) {
add_sockaddr_unique ( dc_addrs , & num_dcs ,
& ip_srv_nonsite [ i ] . ss ) ;
}
2011-10-12 21:41:45 +04:00
}
dc_addrs2 = talloc_zero_array ( talloc_tos ( ) ,
struct tsocket_address * ,
num_dcs ) ;
2015-05-18 13:36:46 +03:00
DEBUG ( 10 , ( " %d additional KDCs to test \n " , num_dcs ) ) ;
if ( num_dcs = = 0 ) {
goto out ;
}
2011-10-12 21:41:45 +04:00
if ( dc_addrs2 = = NULL ) {
2015-05-18 13:36:46 +03:00
goto out ;
2011-10-12 21:41:45 +04:00
}
2007-01-17 21:25:35 +03:00
2011-10-12 21:41:45 +04:00
for ( i = 0 ; i < num_dcs ; i + + ) {
char addr [ INET6_ADDRSTRLEN ] ;
int ret ;
print_sockaddr ( addr , sizeof ( addr ) , & dc_addrs [ i ] ) ;
ret = tsocket_address_inet_from_strings ( dc_addrs2 , " ip " ,
addr , LDAP_PORT ,
& dc_addrs2 [ i ] ) ;
if ( ret ! = 0 ) {
status = map_nt_error_from_unix ( errno ) ;
DEBUG ( 2 , ( " Failed to create tsocket_address for %s - %s \n " ,
addr , nt_errstr ( status ) ) ) ;
2015-05-18 13:36:46 +03:00
goto out ;
2007-01-17 21:25:35 +03:00
}
2011-10-12 21:41:45 +04:00
}
dc_addrs3 = ( const struct tsocket_address * const * ) dc_addrs2 ;
status = cldap_multi_netlogon ( talloc_tos ( ) ,
dc_addrs3 , num_dcs ,
realm , lp_netbios_name ( ) ,
NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX ,
MIN ( num_dcs , 3 ) , timeval_current_ofs ( 3 , 0 ) , & responses ) ;
TALLOC_FREE ( dc_addrs2 ) ;
dc_addrs3 = NULL ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
DEBUG ( 10 , ( " get_kdc_ip_string: cldap_multi_netlogon failed: "
" %s \n " , nt_errstr ( status ) ) ) ;
2015-05-18 13:36:46 +03:00
goto out ;
2011-10-12 21:41:45 +04:00
}
for ( i = 0 ; i < num_dcs ; i + + ) {
char * new_kdc_str ;
if ( responses [ i ] = = NULL ) {
2007-01-17 21:25:35 +03:00
continue ;
}
2006-09-02 23:27:44 +04:00
/* Append to the string - inefficient but not done often. */
2015-05-21 08:40:24 +03:00
new_kdc_str = talloc_asprintf ( mem_ctx , " %s \t \t kdc = %s \n " ,
2014-01-13 18:59:26 +04:00
kdc_str ,
2014-04-02 21:37:34 +04:00
print_canonical_sockaddr_with_port ( mem_ctx , & dc_addrs [ i ] ) ) ;
2011-10-12 21:41:45 +04:00
if ( new_kdc_str = = NULL ) {
2015-05-18 13:36:46 +03:00
goto out ;
2006-09-02 23:27:44 +04:00
}
2011-10-12 21:41:45 +04:00
TALLOC_FREE ( kdc_str ) ;
kdc_str = new_kdc_str ;
2006-09-02 23:27:44 +04:00
}
2015-05-18 13:36:46 +03:00
out :
DEBUG ( 10 , ( " get_kdc_ip_string: Returning %s \n " , kdc_str ) ) ;
2006-09-02 23:27:44 +04:00
2011-10-12 21:41:45 +04:00
result = kdc_str ;
SAFE_FREE ( ip_srv_site ) ;
SAFE_FREE ( ip_srv_nonsite ) ;
TALLOC_FREE ( frame ) ;
return result ;
2006-09-02 23:27:44 +04:00
}
2006-08-31 05:20:21 +04:00
/************************************************************************
Create a specific krb5 . conf file in the private directory pointing
at a specific kdc for a realm . Keyed off domain name . Sets
KRB5_CONFIG environment variable to point to this file . Must be
run as root or will fail ( which is a good thing : - ) .
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2016-05-30 21:21:41 +03:00
# if !defined(SAMBA4_USES_HEIMDAL) /* MIT version */
static char * get_enctypes ( TALLOC_CTX * mem_ctx )
{
char * aes_enctypes = NULL ;
const char * legacy_enctypes = " " ;
char * enctypes = NULL ;
aes_enctypes = talloc_strdup ( mem_ctx , " " ) ;
if ( aes_enctypes = = NULL ) {
goto done ;
}
if ( lp_kerberos_encryption_types ( ) = = KERBEROS_ETYPES_ALL | |
lp_kerberos_encryption_types ( ) = = KERBEROS_ETYPES_STRONG ) {
# ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
aes_enctypes = talloc_asprintf_append (
aes_enctypes , " %s " , " aes256-cts-hmac-sha1-96 " ) ;
if ( aes_enctypes = = NULL ) {
goto done ;
}
# endif
# ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
aes_enctypes = talloc_asprintf_append (
aes_enctypes , " %s " , " aes128-cts-hmac-sha1-96 " ) ;
if ( aes_enctypes = = NULL ) {
goto done ;
}
# endif
}
if ( lp_kerberos_encryption_types ( ) = = KERBEROS_ETYPES_ALL | |
lp_kerberos_encryption_types ( ) = = KERBEROS_ETYPES_LEGACY ) {
legacy_enctypes = " RC4-HMAC DES-CBC-CRC DES-CBC-MD5 " ;
}
enctypes =
talloc_asprintf ( mem_ctx , " \t default_tgs_enctypes = %s %s \n "
" \t default_tkt_enctypes = %s %s \n "
" \t preferred_enctypes = %s %s \n " ,
aes_enctypes , legacy_enctypes , aes_enctypes ,
legacy_enctypes , aes_enctypes , legacy_enctypes ) ;
done :
TALLOC_FREE ( aes_enctypes ) ;
return enctypes ;
}
# else /* Heimdal version */
static char * get_enctypes ( TALLOC_CTX * mem_ctx )
{
const char * aes_enctypes = " " ;
const char * legacy_enctypes = " " ;
char * enctypes = NULL ;
if ( lp_kerberos_encryption_types ( ) = = KERBEROS_ETYPES_ALL | |
lp_kerberos_encryption_types ( ) = = KERBEROS_ETYPES_STRONG ) {
aes_enctypes =
" aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 " ;
}
if ( lp_kerberos_encryption_types ( ) = = KERBEROS_ETYPES_ALL | |
lp_kerberos_encryption_types ( ) = = KERBEROS_ETYPES_LEGACY ) {
legacy_enctypes = " arcfour-hmac-md5 des-cbc-crc des-cbc-md5 " ;
}
enctypes = talloc_asprintf ( mem_ctx , " \t default_etypes = %s %s \n " ,
aes_enctypes , legacy_enctypes ) ;
return enctypes ;
}
# endif
2007-10-25 01:16:54 +04:00
bool create_local_private_krb5_conf_for_domain ( const char * realm ,
const char * domain ,
const char * sitename ,
2014-03-07 17:47:31 +04:00
const struct sockaddr_storage * pss )
2006-08-31 05:20:21 +04:00
{
2009-08-26 16:56:41 +04:00
char * dname ;
2006-09-07 08:01:11 +04:00
char * tmpname = NULL ;
2006-09-02 05:33:13 +04:00
char * fname = NULL ;
2006-08-31 05:20:21 +04:00
char * file_contents = NULL ;
2006-09-07 08:17:23 +04:00
char * kdc_ip_string = NULL ;
2006-08-31 05:20:21 +04:00
size_t flen = 0 ;
2006-09-07 08:01:11 +04:00
ssize_t ret ;
int fd ;
2006-08-31 08:14:08 +04:00
char * realm_upper = NULL ;
2009-01-16 02:10:29 +03:00
bool result = false ;
2016-05-30 21:21:41 +03:00
char * enctypes = NULL ;
2016-11-23 16:40:42 +03:00
const char * include_system_krb5 = " " ;
2013-02-25 20:34:21 +04:00
mode_t mask ;
2006-08-31 05:20:21 +04:00
2009-08-26 16:56:41 +04:00
if ( ! lp_create_krb5_conf ( ) ) {
return false ;
}
2013-08-05 11:25:11 +04:00
if ( realm = = NULL ) {
DEBUG ( 0 , ( " No realm has been specified! Do you really want to "
" join an Active Directory server? \n " ) ) ;
return false ;
}
2014-03-07 17:47:31 +04:00
if ( domain = = NULL | | pss = = NULL ) {
2013-05-17 17:14:35 +04:00
return false ;
}
2009-08-26 16:56:41 +04:00
dname = lock_path ( " smb_krb5 " ) ;
2006-09-02 05:33:13 +04:00
if ( ! dname ) {
2009-01-16 02:10:29 +03:00
return false ;
2006-09-02 05:33:13 +04:00
}
2006-09-02 09:55:47 +04:00
if ( ( mkdir ( dname , 0755 ) = = - 1 ) & & ( errno ! = EEXIST ) ) {
2006-09-02 05:33:13 +04:00
DEBUG ( 0 , ( " create_local_private_krb5_conf_for_domain: "
" failed to create directory %s. Error was %s \n " ,
dname , strerror ( errno ) ) ) ;
2009-01-16 02:10:29 +03:00
goto done ;
2006-09-02 05:33:13 +04:00
}
2009-01-16 02:17:51 +03:00
tmpname = lock_path ( " smb_tmp_krb5.XXXXXX " ) ;
2006-09-07 08:01:11 +04:00
if ( ! tmpname ) {
2009-01-16 02:10:29 +03:00
goto done ;
2006-09-07 08:01:11 +04:00
}
2006-09-02 05:33:13 +04:00
fname = talloc_asprintf ( dname , " %s/krb5.conf.%s " , dname , domain ) ;
2006-08-31 05:20:21 +04:00
if ( ! fname ) {
2009-01-16 02:10:29 +03:00
goto done ;
2006-08-31 05:20:21 +04:00
}
2006-09-02 05:23:08 +04:00
DEBUG ( 10 , ( " create_local_private_krb5_conf_for_domain: fname = %s, realm = %s, domain = %s \n " ,
fname , realm , domain ) ) ;
2006-08-31 08:14:08 +04:00
realm_upper = talloc_strdup ( fname , realm ) ;
2012-08-09 02:35:28 +04:00
if ( ! strupper_m ( realm_upper ) ) {
goto done ;
}
2006-08-31 08:14:08 +04:00
2014-03-07 17:47:31 +04:00
kdc_ip_string = get_kdc_ip_string ( dname , realm , sitename , pss ) ;
2006-09-02 23:27:44 +04:00
if ( ! kdc_ip_string ) {
2009-01-16 02:10:29 +03:00
goto done ;
2006-09-02 23:27:44 +04:00
}
2007-10-25 01:16:54 +04:00
2016-05-30 21:21:41 +03:00
enctypes = get_enctypes ( fname ) ;
if ( enctypes = = NULL ) {
2011-12-19 13:52:58 +04:00
goto done ;
}
2016-11-23 16:40:42 +03:00
# if !defined(SAMBA4_USES_HEIMDAL)
if ( lp_include_system_krb5_conf ( ) ) {
include_system_krb5 = " include /etc/krb5.conf " ;
}
# endif
2016-05-30 21:21:41 +03:00
file_contents =
2016-11-23 16:40:42 +03:00
talloc_asprintf ( fname ,
" [libdefaults] \n \t default_realm = %s \n "
" %s "
" \t dns_lookup_realm = false \n \n "
" [realms] \n \t %s = { \n "
" %s \t } \n "
" %s \n " ,
realm_upper ,
enctypes ,
realm_upper ,
kdc_ip_string ,
include_system_krb5 ) ;
2006-08-31 05:20:21 +04:00
if ( ! file_contents ) {
2009-01-16 02:10:29 +03:00
goto done ;
2006-08-31 05:20:21 +04:00
}
flen = strlen ( file_contents ) ;
2006-08-31 05:27:51 +04:00
2013-02-25 20:34:21 +04:00
mask = umask ( S_IRWXO | S_IRWXG ) ;
2009-04-21 01:58:26 +04:00
fd = mkstemp ( tmpname ) ;
2013-02-25 20:34:21 +04:00
umask ( mask ) ;
2006-09-07 08:01:11 +04:00
if ( fd = = - 1 ) {
DEBUG ( 0 , ( " create_local_private_krb5_conf_for_domain: smb_mkstemp failed, "
" for file %s. Errno %s \n " ,
tmpname , strerror ( errno ) ) ) ;
2009-01-16 02:10:29 +03:00
goto done ;
2006-08-31 05:20:21 +04:00
}
2006-09-08 05:16:01 +04:00
if ( fchmod ( fd , 0644 ) = = - 1 ) {
DEBUG ( 0 , ( " create_local_private_krb5_conf_for_domain: fchmod failed for %s. "
" Errno %s \n " ,
tmpname , strerror ( errno ) ) ) ;
unlink ( tmpname ) ;
close ( fd ) ;
2009-01-16 02:10:29 +03:00
goto done ;
2006-09-08 05:16:01 +04:00
}
2006-09-07 08:01:11 +04:00
ret = write ( fd , file_contents , flen ) ;
2006-09-02 08:50:08 +04:00
if ( flen ! = ret ) {
2006-09-07 08:01:11 +04:00
DEBUG ( 0 , ( " create_local_private_krb5_conf_for_domain: write failed, "
" returned %d (should be %u). Errno %s \n " ,
( int ) ret , ( unsigned int ) flen , strerror ( errno ) ) ) ;
unlink ( tmpname ) ;
close ( fd ) ;
2009-01-16 02:10:29 +03:00
goto done ;
2006-08-31 05:20:21 +04:00
}
2006-09-07 08:01:11 +04:00
if ( close ( fd ) = = - 1 ) {
DEBUG ( 0 , ( " create_local_private_krb5_conf_for_domain: close failed. "
2006-09-02 08:50:08 +04:00
" Errno %s \n " , strerror ( errno ) ) ) ;
2006-09-07 08:01:11 +04:00
unlink ( tmpname ) ;
2009-01-16 02:10:29 +03:00
goto done ;
2006-09-07 08:01:11 +04:00
}
if ( rename ( tmpname , fname ) = = - 1 ) {
DEBUG ( 0 , ( " create_local_private_krb5_conf_for_domain: rename "
" of %s to %s failed. Errno %s \n " ,
tmpname , fname , strerror ( errno ) ) ) ;
unlink ( tmpname ) ;
2009-01-16 02:10:29 +03:00
goto done ;
2006-08-31 05:20:21 +04:00
}
2006-08-31 08:14:08 +04:00
DEBUG ( 5 , ( " create_local_private_krb5_conf_for_domain: wrote "
2008-01-17 00:21:46 +03:00
" file %s with realm %s KDC list = %s \n " ,
fname , realm_upper , kdc_ip_string ) ) ;
2006-08-31 08:14:08 +04:00
2006-09-02 05:34:37 +04:00
/* Set the environment variable to this file. */
setenv ( " KRB5_CONFIG " , fname , 1 ) ;
2006-09-07 08:01:11 +04:00
2009-01-16 02:10:29 +03:00
result = true ;
2006-09-07 08:01:11 +04:00
# if defined(OVERWRITE_SYSTEM_KRB5_CONF)
2006-09-07 21:29:23 +04:00
# define SYSTEM_KRB5_CONF_PATH " / etc / krb5.conf"
2006-09-07 08:01:11 +04:00
/* Insanity, sheer insanity..... */
2006-09-07 22:34:02 +04:00
if ( strequal ( realm , lp_realm ( ) ) ) {
2011-06-02 03:40:05 +04:00
SMB_STRUCT_STAT sbuf ;
if ( sys_lstat ( SYSTEM_KRB5_CONF_PATH , & sbuf , false ) = = 0 ) {
if ( S_ISLNK ( sbuf . st_ex_mode ) & & sbuf . st_ex_size ) {
int lret ;
size_t alloc_size = sbuf . st_ex_size + 1 ;
2011-06-07 05:30:12 +04:00
char * linkpath = talloc_array ( talloc_tos ( ) , char ,
2011-06-02 03:40:05 +04:00
alloc_size ) ;
if ( ! linkpath ) {
goto done ;
}
lret = readlink ( SYSTEM_KRB5_CONF_PATH , linkpath ,
alloc_size - 1 ) ;
if ( lret = = - 1 ) {
TALLOC_FREE ( linkpath ) ;
goto done ;
}
linkpath [ lret ] = ' \0 ' ;
if ( strcmp ( linkpath , fname ) = = 0 ) {
/* Symlink already exists. */
TALLOC_FREE ( linkpath ) ;
goto done ;
}
TALLOC_FREE ( linkpath ) ;
}
2006-09-07 08:01:11 +04:00
}
2006-09-07 21:29:23 +04:00
/* Try and replace with a symlink. */
if ( symlink ( fname , SYSTEM_KRB5_CONF_PATH ) = = - 1 ) {
2011-06-02 03:40:05 +04:00
const char * newpath = SYSTEM_KRB5_CONF_PATH " .saved " ;
2006-09-07 21:29:23 +04:00
if ( errno ! = EEXIST ) {
DEBUG ( 0 , ( " create_local_private_krb5_conf_for_domain: symlink "
" of %s to %s failed. Errno %s \n " ,
fname , SYSTEM_KRB5_CONF_PATH , strerror ( errno ) ) ) ;
2009-01-16 02:10:29 +03:00
goto done ; /* Not a fatal error. */
2006-09-07 21:29:23 +04:00
}
/* Yes, this is a race conditon... too bad. */
2007-11-21 05:55:36 +03:00
if ( rename ( SYSTEM_KRB5_CONF_PATH , newpath ) = = - 1 ) {
2006-09-07 21:29:23 +04:00
DEBUG ( 0 , ( " create_local_private_krb5_conf_for_domain: rename "
" of %s to %s failed. Errno %s \n " ,
2007-11-21 05:55:36 +03:00
SYSTEM_KRB5_CONF_PATH , newpath ,
2006-09-07 21:29:23 +04:00
strerror ( errno ) ) ) ;
2009-01-16 02:10:29 +03:00
goto done ; /* Not a fatal error. */
2006-09-07 21:29:23 +04:00
}
2007-11-21 05:55:36 +03:00
if ( symlink ( fname , SYSTEM_KRB5_CONF_PATH ) = = - 1 ) {
2006-09-07 21:29:23 +04:00
DEBUG ( 0 , ( " create_local_private_krb5_conf_for_domain: "
" forced symlink of %s to /etc/krb5.conf failed. Errno %s \n " ,
fname , strerror ( errno ) ) ) ;
2009-01-16 02:10:29 +03:00
goto done ; /* Not a fatal error. */
2006-09-07 21:29:23 +04:00
}
2006-09-07 08:01:11 +04:00
}
}
# endif
2009-01-16 02:10:29 +03:00
done :
2009-01-16 02:17:51 +03:00
TALLOC_FREE ( tmpname ) ;
2006-09-02 05:34:37 +04:00
TALLOC_FREE ( dname ) ;
2009-01-16 02:10:29 +03:00
return result ;
2006-08-31 05:20:21 +04:00
}
2001-11-24 17:16:41 +03:00
# endif
