2005-06-29 17:55:09 +04:00
/*
Unix SMB / CIFS implementation .
PAC Glue between Samba and the KDC
2009-05-26 06:31:39 +04:00
Copyright ( C ) Andrew Bartlett < abartlet @ samba . org > 2005 - 2009
2005-06-29 17:55:09 +04:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 06:07:03 +04:00
the Free Software Foundation ; either version 3 of the License , or
2005-06-29 17:55:09 +04:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 06:07:03 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2005-06-29 17:55:09 +04:00
*/
# include "includes.h"
2009-06-12 16:27:19 +04:00
# include "../libds/common/flags.h"
2005-11-07 05:29:37 +03:00
# include "lib/ldb/include/ldb.h"
2007-01-10 04:51:35 +03:00
# include "librpc/gen_ndr/ndr_krb5pac.h"
2005-11-07 05:29:37 +03:00
# include "librpc/gen_ndr/krb5pac.h"
# include "auth/auth.h"
2006-03-07 14:07:23 +03:00
# include "auth/auth_sam.h"
2007-12-10 06:33:29 +03:00
# include "auth/auth_sam_reply.h"
2008-06-04 17:39:17 +04:00
# include "kdc/kdc.h"
2009-05-26 06:31:39 +04:00
# include "param/param.h"
2005-11-07 05:29:37 +03:00
2006-03-11 12:31:59 +03:00
struct krb5_dh_moduli ;
struct _krb5_krb_auth_data ;
2007-01-10 04:51:35 +03:00
krb5_error_code samba_kdc_plugin_init ( krb5_context context , void * * ptr )
{
* ptr = NULL ;
return 0 ;
}
2006-03-11 12:31:59 +03:00
2007-01-10 04:51:35 +03:00
void samba_kdc_plugin_fini ( void * ptr )
2005-06-29 17:55:09 +04:00
{
2007-01-10 04:51:35 +03:00
return ;
}
static krb5_error_code make_pac ( krb5_context context ,
TALLOC_CTX * mem_ctx ,
2008-02-21 16:50:57 +03:00
struct smb_iconv_convenience * iconv_convenience ,
2007-01-10 04:51:35 +03:00
struct auth_serversupplied_info * server_info ,
krb5_pac * pac )
{
2008-08-19 15:23:09 +04:00
union PAC_INFO info ;
2007-01-10 04:51:35 +03:00
struct netr_SamInfo3 * info3 ;
krb5_data pac_data ;
2005-06-29 17:55:09 +04:00
NTSTATUS nt_status ;
2007-11-09 21:24:51 +03:00
enum ndr_err_code ndr_err ;
2007-01-10 04:51:35 +03:00
DATA_BLOB pac_out ;
krb5_error_code ret ;
2005-11-07 05:29:37 +03:00
2008-08-19 15:23:09 +04:00
ZERO_STRUCT ( info ) ;
2007-01-10 04:51:35 +03:00
nt_status = auth_convert_server_info_saminfo3 ( mem_ctx , server_info , & info3 ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
DEBUG ( 1 , ( " Getting Samba info failed: %s \n " , nt_errstr ( nt_status ) ) ) ;
return EINVAL ;
}
2008-08-19 15:23:09 +04:00
info . logon_info . info = talloc_zero ( mem_ctx , struct PAC_LOGON_INFO ) ;
2005-06-29 17:55:09 +04:00
if ( ! mem_ctx ) {
return ENOMEM ;
}
2008-08-19 15:23:09 +04:00
info . logon_info . info - > info3 = * info3 ;
2007-01-10 04:51:35 +03:00
2008-08-19 15:23:09 +04:00
ndr_err = ndr_push_union_blob ( & pac_out , mem_ctx , iconv_convenience , & info ,
PAC_TYPE_LOGON_INFO ,
( ndr_push_flags_fn_t ) ndr_push_PAC_INFO ) ;
2007-11-09 21:24:51 +03:00
if ( ! NDR_ERR_CODE_IS_SUCCESS ( ndr_err ) ) {
nt_status = ndr_map_error2ntstatus ( ndr_err ) ;
2007-01-10 04:51:35 +03:00
DEBUG ( 1 , ( " PAC (presig) push failed: %s \n " , nt_errstr ( nt_status ) ) ) ;
return EINVAL ;
2005-06-29 17:55:09 +04:00
}
2007-01-10 04:51:35 +03:00
ret = krb5_data_copy ( & pac_data , pac_out . data , pac_out . length ) ;
if ( ret ! = 0 ) {
2005-07-04 06:36:16 +04:00
return ret ;
}
2007-01-10 04:51:35 +03:00
ret = krb5_pac_init ( context , pac ) ;
if ( ret ! = 0 ) {
krb5_data_free ( & pac_data ) ;
return ret ;
2005-11-07 05:29:37 +03:00
}
2007-01-10 04:51:35 +03:00
ret = krb5_pac_add_buffer ( context , * pac , PAC_TYPE_LOGON_INFO , & pac_data ) ;
krb5_data_free ( & pac_data ) ;
if ( ret ! = 0 ) {
2005-11-07 05:29:37 +03:00
return ret ;
}
2007-01-10 04:51:35 +03:00
return ret ;
2005-11-07 05:29:37 +03:00
}
2009-07-27 07:48:45 +04:00
/* Given the right private pointer from hdb_samba4, get a PAC from the attached ldb messages */
2007-01-10 04:51:35 +03:00
krb5_error_code samba_kdc_get_pac ( void * priv ,
krb5_context context ,
struct hdb_entry_ex * client ,
krb5_pac * pac )
2005-11-07 05:29:37 +03:00
{
krb5_error_code ret ;
2007-01-10 04:51:35 +03:00
NTSTATUS nt_status ;
struct auth_serversupplied_info * server_info ;
2009-07-27 07:48:45 +04:00
struct hdb_samba4_private * p = talloc_get_type ( client - > ctx , struct hdb_samba4_private ) ;
2009-02-01 01:43:43 +03:00
TALLOC_CTX * mem_ctx = talloc_named ( p , 0 , " samba_get_pac context " ) ;
2005-11-07 05:29:37 +03:00
unsigned int userAccountControl ;
2007-01-10 04:51:35 +03:00
if ( ! mem_ctx ) {
return ENOMEM ;
}
2005-11-07 05:29:37 +03:00
/* The user account may be set not to want the PAC */
2009-02-01 01:43:43 +03:00
userAccountControl = ldb_msg_find_attr_as_uint ( p - > msg , " userAccountControl " , 0 ) ;
2005-11-07 05:29:37 +03:00
if ( userAccountControl & UF_NO_AUTH_DATA_REQUIRED ) {
2007-01-10 04:51:35 +03:00
* pac = NULL ;
2005-11-07 05:29:37 +03:00
return 0 ;
}
2009-02-01 01:43:43 +03:00
nt_status = authsam_make_server_info ( mem_ctx , p - > samdb ,
2009-05-26 06:31:39 +04:00
lp_netbios_name ( p - > lp_ctx ) ,
lp_sam_name ( p - > lp_ctx ) ,
p - > realm_dn ,
2009-02-01 01:43:43 +03:00
p - > msg ,
2007-01-10 04:51:35 +03:00
data_blob ( NULL , 0 ) ,
data_blob ( NULL , 0 ) ,
& server_info ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
DEBUG ( 0 , ( " Getting user info for PAC failed: %s \n " ,
nt_errstr ( nt_status ) ) ) ;
return ENOMEM ;
2005-11-07 05:29:37 +03:00
}
2009-02-01 01:43:43 +03:00
ret = make_pac ( context , mem_ctx , p - > iconv_convenience , server_info , pac ) ;
2007-01-10 04:51:35 +03:00
talloc_free ( mem_ctx ) ;
return ret ;
2005-11-07 05:29:37 +03:00
}
/* Resign (and reform, including possibly new groups) a PAC */
2007-01-10 04:51:35 +03:00
krb5_error_code samba_kdc_reget_pac ( void * priv , krb5_context context ,
const krb5_principal client_principal ,
struct hdb_entry_ex * client ,
struct hdb_entry_ex * server , krb5_pac * pac )
2005-11-07 05:29:37 +03:00
{
krb5_error_code ret ;
unsigned int userAccountControl ;
2009-07-27 07:48:45 +04:00
struct hdb_samba4_private * p = talloc_get_type ( server - > ctx , struct hdb_samba4_private ) ;
2005-11-07 05:29:37 +03:00
struct auth_serversupplied_info * server_info_out ;
2009-02-01 01:43:43 +03:00
TALLOC_CTX * mem_ctx = talloc_named ( p , 0 , " samba_get_pac context " ) ;
2005-11-07 05:29:37 +03:00
2007-01-10 04:51:35 +03:00
if ( ! mem_ctx ) {
return ENOMEM ;
}
2005-11-07 05:29:37 +03:00
/* The service account may be set not to want the PAC */
2009-02-01 01:43:43 +03:00
userAccountControl = ldb_msg_find_attr_as_uint ( p - > msg , " userAccountControl " , 0 ) ;
2005-11-07 05:29:37 +03:00
if ( userAccountControl & UF_NO_AUTH_DATA_REQUIRED ) {
2008-08-28 10:28:47 +04:00
talloc_free ( mem_ctx ) ;
2007-01-10 04:51:35 +03:00
* pac = NULL ;
2005-11-07 05:29:37 +03:00
return 0 ;
}
2009-02-01 01:43:43 +03:00
ret = kerberos_pac_to_server_info ( mem_ctx , p - > iconv_convenience ,
2008-08-28 10:28:47 +04:00
* pac , context , & server_info_out ) ;
2005-11-07 05:29:37 +03:00
2008-08-28 10:28:47 +04:00
/* We will compleatly regenerate this pac */
krb5_pac_free ( context , * pac ) ;
2005-11-07 05:29:37 +03:00
2008-08-28 10:28:47 +04:00
if ( ret ) {
2005-11-07 05:29:37 +03:00
talloc_free ( mem_ctx ) ;
2008-08-28 10:28:47 +04:00
return ret ;
2005-11-07 05:29:37 +03:00
}
2009-02-01 01:43:43 +03:00
ret = make_pac ( context , mem_ctx , p - > iconv_convenience , server_info_out , pac ) ;
2005-11-07 05:29:37 +03:00
2007-01-10 04:51:35 +03:00
talloc_free ( mem_ctx ) ;
return ret ;
2005-11-07 05:29:37 +03:00
}
2008-03-13 07:21:14 +03:00
static void samba_kdc_build_edata_reply ( TALLOC_CTX * tmp_ctx , krb5_data * e_data ,
NTSTATUS nt_status )
{
PA_DATA pa ;
unsigned char * buf ;
size_t len ;
krb5_error_code ret = 0 ;
if ( ! e_data )
return ;
pa . padata_type = KRB5_PADATA_PW_SALT ;
pa . padata_value . length = 12 ;
pa . padata_value . data = malloc ( pa . padata_value . length ) ;
if ( ! pa . padata_value . data ) {
e_data - > length = 0 ;
e_data - > data = NULL ;
return ;
}
SIVAL ( pa . padata_value . data , 0 , NT_STATUS_V ( nt_status ) ) ;
SIVAL ( pa . padata_value . data , 4 , 0 ) ;
SIVAL ( pa . padata_value . data , 8 , 1 ) ;
ASN1_MALLOC_ENCODE ( PA_DATA , buf , len , & pa , & len , ret ) ;
free ( pa . padata_value . data ) ;
e_data - > data = buf ;
e_data - > length = len ;
return ;
}
2005-11-07 05:29:37 +03:00
/* Given an hdb entry (and in particular it's private member), consult
* the account_ok routine in auth / auth_sam . c for consistancy */
2007-01-10 04:51:35 +03:00
krb5_error_code samba_kdc_check_client_access ( void * priv ,
2009-06-18 05:08:46 +04:00
krb5_context context ,
krb5_kdc_configuration * config ,
hdb_entry_ex * client_ex , const char * client_name ,
hdb_entry_ex * server_ex , const char * server_name ,
2008-03-13 07:21:14 +03:00
KDC_REQ * req ,
krb5_data * e_data )
2005-11-07 05:29:37 +03:00
{
krb5_error_code ret ;
NTSTATUS nt_status ;
2009-06-18 05:08:46 +04:00
TALLOC_CTX * tmp_ctx ;
2009-07-27 07:48:45 +04:00
struct hdb_samba4_private * p ;
2009-06-18 05:08:46 +04:00
char * workstation = NULL ;
2007-01-10 04:51:35 +03:00
HostAddresses * addresses = req - > req_body . addresses ;
2005-11-27 05:02:44 +03:00
int i ;
2009-06-18 05:08:46 +04:00
bool password_change ;
tmp_ctx = talloc_new ( client_ex - > ctx ) ;
2009-07-27 07:48:45 +04:00
p = talloc_get_type ( client_ex - > ctx , struct hdb_samba4_private ) ;
2005-11-27 05:02:44 +03:00
2005-11-07 05:29:37 +03:00
if ( ! tmp_ctx ) {
return ENOMEM ;
}
2005-12-20 03:00:48 +03:00
if ( addresses ) {
for ( i = 0 ; i < addresses - > len ; i + + ) {
if ( addresses - > val - > addr_type = = KRB5_ADDRESS_NETBIOS ) {
workstation = talloc_strndup ( tmp_ctx , addresses - > val - > address . data , MIN ( addresses - > val - > address . length , 15 ) ) ;
if ( workstation ) {
break ;
}
2005-11-27 05:02:44 +03:00
}
}
}
/* Strip space padding */
if ( workstation ) {
i = MIN ( strlen ( workstation ) , 15 ) ;
for ( ; i > 0 & & workstation [ i - 1 ] = = ' ' ; i - - ) {
workstation [ i - 1 ] = ' \0 ' ;
}
}
2009-06-18 05:08:46 +04:00
password_change = ( server_ex & & server_ex - > entry . flags . change_pw ) ;
2008-12-04 17:09:21 +03:00
/* we allow all kinds of trusts here */
2005-11-07 05:29:37 +03:00
nt_status = authsam_account_ok ( tmp_ctx ,
2009-02-01 01:43:43 +03:00
p - > samdb ,
2005-11-07 05:29:37 +03:00
MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT ,
2009-05-26 06:31:39 +04:00
p - > realm_dn ,
2009-02-01 01:43:43 +03:00
p - > msg ,
2005-11-07 05:29:37 +03:00
workstation ,
2009-06-18 05:08:46 +04:00
client_name , true , password_change ) ;
if ( NT_STATUS_IS_OK ( nt_status ) ) {
/* Now do the standard Heimdal check */
ret = kdc_check_flags ( context , config ,
client_ex , client_name ,
server_ex , server_name ,
req - > msg_type = = krb_as_req ) ;
} else {
if ( NT_STATUS_EQUAL ( nt_status , NT_STATUS_PASSWORD_MUST_CHANGE ) )
ret = KRB5KDC_ERR_KEY_EXPIRED ;
else if ( NT_STATUS_EQUAL ( nt_status , NT_STATUS_PASSWORD_EXPIRED ) )
ret = KRB5KDC_ERR_KEY_EXPIRED ;
else if ( NT_STATUS_EQUAL ( nt_status , NT_STATUS_ACCOUNT_EXPIRED ) )
ret = KRB5KDC_ERR_CLIENT_REVOKED ;
else if ( NT_STATUS_EQUAL ( nt_status , NT_STATUS_ACCOUNT_DISABLED ) )
ret = KRB5KDC_ERR_CLIENT_REVOKED ;
else if ( NT_STATUS_EQUAL ( nt_status , NT_STATUS_INVALID_LOGON_HOURS ) )
ret = KRB5KDC_ERR_CLIENT_REVOKED ;
else if ( NT_STATUS_EQUAL ( nt_status , NT_STATUS_ACCOUNT_LOCKED_OUT ) )
ret = KRB5KDC_ERR_CLIENT_REVOKED ;
else if ( NT_STATUS_EQUAL ( nt_status , NT_STATUS_INVALID_WORKSTATION ) )
ret = KRB5KDC_ERR_POLICY ;
else
ret = KRB5KDC_ERR_POLICY ;
samba_kdc_build_edata_reply ( tmp_ctx , e_data , nt_status ) ;
}
2008-03-13 07:21:14 +03:00
return ret ;
2005-11-07 05:29:37 +03:00
}