sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-12 09:18:10 +03:00
Code
e8632e2af5
samba-mirror/source4/kdc/kpasswd-heimdal.c

630 lines
18 KiB
C
Raw Normal View History

s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
/*
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
Unix SMB/CIFS implementation.
kpasswd Server implementation
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
Copyright (C) Andrew Tridgell 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-07-10 06:07:03 +04:00
the Free Software Foundation; either version 3 of the License, or
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
(at your option) any later version.
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
You should have received a copy of the GNU General Public License
r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-07-10 06:07:03 +04:00
along with this program. If not, see <http://www.gnu.org/licenses/>.
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
*/
#include "includes.h"
#include "smbd/service_task.h"
r19598: Ahead of a merge to current lorikeet-heimdal: Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
2006-11-07 03:48:36 +03:00
#include "auth/gensec/gensec.h"
#include "auth/credentials/credentials.h"
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
#include "auth/auth.h"
r12542: Move some more prototypes out to seperate headers (This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2)
2005-12-28 18:38:36 +03:00
#include "dsdb/samdb/samdb.h"
Revert "s4:remove "util_ldb" submodule and integrate the three gendb_* calls in "dsdb/common/util.c"" This reverts commit 8a2ce5c47cee499f90b125ebde83de5f9f1a9aa0. Jelmer pointed out that these are also in use by other LDB databases - not only SAMDB ones. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sun Oct 17 13:37:16 UTC 2010 on sn-devel-104
2010-10-17 16:27:18 +04:00
#include "../lib/util/util_ldb.h"
r15328: Move some functions around, remove dependencies. Remove some autogenerated headers (which had prototypes now autogenerated by pidl) Remove ndr_security.h from a few places - it's no longer necessary (This used to be commit c19c2b51d3e1ad347120b06a22bda5ec586c22e8)
2006-04-29 21:34:49 +04:00
#include "libcli/security/security.h"
r25398: Parse loadparm context to all lp_*() functions. (This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238)
2007-09-28 05:17:46 +04:00
#include "param/param.h"
s4-kdc: Move definitions to kdc-server.h Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-10 12:10:50 +03:00
#include "kdc/kdc-server.h"
s4-kdc: rename kdc/kdc.h to kdc/kdc-glue.h kdc.h conflicts with a heimdal header name
2010-11-11 06:09:41 +03:00
#include "kdc/kdc-glue.h"
s4-kdc: don't look at global catalog NCs in the kdc the kdc should not be looking for users in GC partial replicas, as these users do not have all of the attributes needed for the KDC to operate Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-09-28 23:23:38 +04:00
#include "dsdb/common/util.h"
s4-kdc_kpasswd: split out some code to a KPASSWD_GLUE subsystem. This can then be easier shared with MIT's kadmin services for kpasswd services. Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
2014-08-05 19:49:55 +04:00
#include "kdc/kpasswd_glue.h"
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
/* Return true if there is a valid error packet formed in the error_blob */
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
static bool kpasswdd_make_error_reply(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
uint16_t result_code,
const char *error_string,
DATA_BLOB *error_blob)
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
{
char *error_string_utf8;
Use common header file for character set handling in Samba 3 and Samba 4.
2009-03-02 00:24:34 +03:00
size_t len;
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
DEBUG(result_code ? 3 : 10, ("kpasswdd: %s\n", error_string));
Use common header file for character set handling in Samba 3 and Samba 4.
2009-03-02 00:24:34 +03:00
if (!push_utf8_talloc(mem_ctx, &error_string_utf8, error_string, &len)) {
r25548: Convert to standard bool type. (This used to be commit 190d73b44b9b9c6dabbd26212d596d985b25edab)
2007-10-07 01:42:58 +04:00
return false;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
*error_blob = data_blob_talloc(mem_ctx, NULL, 2 + len + 1);
if (!error_blob->data) {
r25548: Convert to standard bool type. (This used to be commit 190d73b44b9b9c6dabbd26212d596d985b25edab)
2007-10-07 01:42:58 +04:00
return false;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
RSSVAL(error_blob->data, 0, result_code);
memcpy(error_blob->data + 2, error_string_utf8, len + 1);
r25548: Convert to standard bool type. (This used to be commit 190d73b44b9b9c6dabbd26212d596d985b25edab)
2007-10-07 01:42:58 +04:00
return true;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
/* Return true if there is a valid error packet formed in the error_blob */
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
static bool kpasswdd_make_unauth_error_reply(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
uint16_t result_code,
const char *error_string,
DATA_BLOB *error_blob)
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
{
r25548: Convert to standard bool type. (This used to be commit 190d73b44b9b9c6dabbd26212d596d985b25edab)
2007-10-07 01:42:58 +04:00
bool ret;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
int kret;
DATA_BLOB error_bytes;
krb5_data k5_error_bytes, k5_error_blob;
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
ret = kpasswdd_make_error_reply(kdc, mem_ctx, result_code, error_string,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
&error_bytes);
if (!ret) {
r25548: Convert to standard bool type. (This used to be commit 190d73b44b9b9c6dabbd26212d596d985b25edab)
2007-10-07 01:42:58 +04:00
return false;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
k5_error_bytes.data = error_bytes.data;
k5_error_bytes.length = error_bytes.length;
s4-kdc: Use smb_krb5_mk_error() in kpasswd implementation Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-14 17:31:32 +03:00
kret = smb_krb5_mk_error(kdc->smb_krb5_context->krb5_context,
result_code,
NULL,
&k5_error_bytes,
&k5_error_blob);
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
if (kret) {
r25548: Convert to standard bool type. (This used to be commit 190d73b44b9b9c6dabbd26212d596d985b25edab)
2007-10-07 01:42:58 +04:00
return false;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
*error_blob = data_blob_talloc(mem_ctx, k5_error_blob.data, k5_error_blob.length);
krb5_wrap: Rename kerberos_free_data_contents() Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-08-26 12:51:52 +03:00
smb_krb5_free_data_contents(kdc->smb_krb5_context->krb5_context,
s4-kdc: Use smb_krb5_mk_error() in kpasswd implementation Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-14 17:31:32 +03:00
&k5_error_blob);
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
if (!error_blob->data) {
r25548: Convert to standard bool type. (This used to be commit 190d73b44b9b9c6dabbd26212d596d985b25edab)
2007-10-07 01:42:58 +04:00
return false;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
r25548: Convert to standard bool type. (This used to be commit 190d73b44b9b9c6dabbd26212d596d985b25edab)
2007-10-07 01:42:58 +04:00
return true;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
static bool kpasswd_make_pwchange_reply(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
NTSTATUS status,
s3/s4 - Adapt the IDL changes on various locations
2009-09-26 00:44:00 +04:00
enum samPwdChangeReason reject_reason,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
struct samr_DomInfo1 *dominfo,
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
DATA_BLOB *error_blob)
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
{
if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
return kpasswdd_make_error_reply(kdc, mem_ctx,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
KRB5_KPASSWD_ACCESSDENIED,
"No such user when changing password",
error_blob);
}
if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
return kpasswdd_make_error_reply(kdc, mem_ctx,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
KRB5_KPASSWD_ACCESSDENIED,
"Not permitted to change password",
error_blob);
}
r14856: fix bugs noticed by the ibm code checker metze (This used to be commit f72e7d9dcd02f1f983b457163dee0a8df0186c79)
2006-04-02 15:15:59 +04:00
if (dominfo && NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
const char *reject_string;
switch (reject_reason) {
s3/s4 - Adapt the IDL changes on various locations
2009-09-26 00:44:00 +04:00
case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT:
s4-kdc: Improve grammer and clarity of password change failure messages. This can still be improved further, but avoid mentioning reasons that clearly do not apply in this case. Andrew Bartlett
2012-09-01 05:34:33 +04:00
reject_string = talloc_asprintf(mem_ctx, "Password too short, password must be at least %d characters long.",
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
dominfo->min_password_length);
break;
s3/s4 - Adapt the IDL changes on various locations
2009-09-26 00:44:00 +04:00
case SAM_PWD_CHANGE_NOT_COMPLEX:
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
reject_string = "Password does not meet complexity requirements";
break;
s3/s4 - Adapt the IDL changes on various locations
2009-09-26 00:44:00 +04:00
case SAM_PWD_CHANGE_PWD_IN_HISTORY:
s4-kdc: Improve grammer and clarity of password change failure messages. This can still be improved further, but avoid mentioning reasons that clearly do not apply in this case. Andrew Bartlett
2012-09-01 05:34:33 +04:00
reject_string = talloc_asprintf(mem_ctx, "Password is already in password history. New password must not match any of your %d previous passwords.",
s4-kdc: Give information on how long the password history is Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri Aug 31 08:06:17 CEST 2012 on sn-devel-104
2012-08-31 08:02:28 +04:00
dominfo->password_history_length);
r18636: Excessive testing with pam_winbind within Samba3 revealed a new samr reject reason code while password changing: SAMR_REJECT_IN_HISTORY which is different from SAMR_REJECT_COMPLEXITY. torture test to follow as well. Guenther (This used to be commit 7513748208214339e764cc990aa1dbbcf864975a)
2006-09-19 01:00:00 +04:00
break;
r11437: Fix (valid!) use of uninitialised value warnings. Andrew Bartlett (This used to be commit 64b9ea642bb7443f804e71bb2a6ccad94522d057)
2005-11-01 16:29:22 +03:00
default:
s4-kdc: Improve grammer and clarity of password change failure messages. This can still be improved further, but avoid mentioning reasons that clearly do not apply in this case. Andrew Bartlett
2012-09-01 05:34:33 +04:00
reject_string = "Password change rejected, password changes may not be permitted on this account, or the minimum password age may not have elapsed.";
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
break;
}
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
return kpasswdd_make_error_reply(kdc, mem_ctx,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
KRB5_KPASSWD_SOFTERROR,
reject_string,
error_blob);
}
if (!NT_STATUS_IS_OK(status)) {
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
return kpasswdd_make_error_reply(kdc, mem_ctx,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
KRB5_KPASSWD_HARDERROR,
talloc_asprintf(mem_ctx, "failed to set password: %s", nt_errstr(status)),
error_blob);
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
return kpasswdd_make_error_reply(kdc, mem_ctx, KRB5_KPASSWD_SUCCESS,
"Password changed",
error_blob);
}
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
/*
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
A user password change
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
More spelling fixes across source4/ Signed-off-by: Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>
2010-02-21 09:46:46 +03:00
Return true if there is a valid error packet (or success) formed in
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
the error_blob
*/
r25548: Convert to standard bool type. (This used to be commit 190d73b44b9b9c6dabbd26212d596d985b25edab)
2007-10-07 01:42:58 +04:00
static bool kpasswdd_change_password(struct kdc_server *kdc,
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
TALLOC_CTX *mem_ctx,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
struct auth_session_info *session_info,
Create a 'straight paper path' for UTF16 passwords. This uses a virtual attribute 'clearTextPassword' (name chosen to match references in MS-SAMR) that contains the length-limited blob containing an allegidly UTF16 password. This ensures we do no validation or filtering of the password before we get a chance to MD4 it. We can then do the required munging into UTF8, and in future implement the rules Microsoft has provided us with for invalid inputs. All layers in the process now deal with the strings as length-limited inputs, incluing the krb5 string2key calls. This commit also includes a small change to samdb_result_passwords() to ensure that LM passwords are not returned to the application logic if LM authentication is disabled. The objectClass module has been modified to allow the clearTextPassword attribute to pass down the stack. Andrew Bartlett
2008-10-16 05:48:16 +04:00
const DATA_BLOB *password,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
DATA_BLOB *reply)
{
NTSTATUS status;
s4-kdc_kpasswd: split out some code to a KPASSWD_GLUE subsystem. This can then be easier shared with MIT's kadmin services for kpasswd services. Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
2014-08-05 19:49:55 +04:00
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
s3/s4 - Adapt the IDL changes on various locations
2009-09-26 00:44:00 +04:00
enum samPwdChangeReason reject_reason;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
struct samr_DomInfo1 *dominfo;
s4-kdc_kpasswd: split out some code to a KPASSWD_GLUE subsystem. This can then be easier shared with MIT's kadmin services for kpasswd services. Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
2014-08-05 19:49:55 +04:00
const char *error_string;
status = samdb_kpasswd_change_password(mem_ctx,
kdc->task->lp_ctx,
kdc->task->event_ctx,
kdc->samdb,
session_info,
password,
&reject_reason,
&dominfo,
&error_string,
&result);
s4:kdc/kpasswdd.c - let the user change his own password with his own rights Now it's finally possible that the user can change his password with a DSDB connection using his credentials. NOTICE: I had to extract the old password from the SAMDB since I was unable to find it somewhere else (authinfo for example).
2010-07-06 20:16:32 +04:00
if (!NT_STATUS_IS_OK(status)) {
s4-kdc_kpasswd: split out some code to a KPASSWD_GLUE subsystem. This can then be easier shared with MIT's kadmin services for kpasswd services. Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
2014-08-05 19:49:55 +04:00
return kpasswdd_make_error_reply(kdc,
mem_ctx,
KRB5_KPASSWD_ACCESSDENIED,
error_string,
reply);
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
s4-kdc_kpasswd: split out some code to a KPASSWD_GLUE subsystem. This can then be easier shared with MIT's kadmin services for kpasswd services. Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
2014-08-05 19:49:55 +04:00
return kpasswd_make_pwchange_reply(kdc,
mem_ctx,
result,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
reject_reason,
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
dominfo,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
reply);
}
r25548: Convert to standard bool type. (This used to be commit 190d73b44b9b9c6dabbd26212d596d985b25edab)
2007-10-07 01:42:58 +04:00
static bool kpasswd_process_request(struct kdc_server *kdc,
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
TALLOC_CTX *mem_ctx,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
struct gensec_security *gensec_security,
uint16_t version,
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
DATA_BLOB *input,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
DATA_BLOB *reply)
{
struct auth_session_info *session_info;
s4: Use same function signature for convert_* as s3.
2009-03-01 21:55:46 +03:00
size_t pw_len;
Create a 'straight paper path' for UTF16 passwords. This uses a virtual attribute 'clearTextPassword' (name chosen to match references in MS-SAMR) that contains the length-limited blob containing an allegidly UTF16 password. This ensures we do no validation or filtering of the password before we get a chance to MD4 it. We can then do the required munging into UTF8, and in future implement the rules Microsoft has provided us with for invalid inputs. All layers in the process now deal with the strings as length-limited inputs, incluing the krb5 string2key calls. This commit also includes a small change to samdb_result_passwords() to ensure that LM passwords are not returned to the application logic if LM authentication is disabled. The objectClass module has been modified to allow the clearTextPassword attribute to pass down the stack. Andrew Bartlett
2008-10-16 05:48:16 +04:00
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
if (!NT_STATUS_IS_OK(gensec_session_info(gensec_security,
gensec: clarify memory ownership for gensec_session_info() and gensec_session_key() This is slightly less efficient, because we no longer keep a cache on the gensec structures, but much clearer in terms of memory ownership. Both gensec_session_info() and gensec_session_key() now take a mem_ctx and put the result only on that context. Some duplication of memory in the callers (who were rightly uncertain about who was the rightful owner of the returned memory) has been removed to compensate for the internal copy. Andrew Bartlett
2011-08-01 09:39:01 +04:00
mem_ctx,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
&session_info))) {
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
return kpasswdd_make_error_reply(kdc, mem_ctx,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
KRB5_KPASSWD_HARDERROR,
"gensec_session_info failed!",
reply);
}
switch (version) {
case KRB5_KPASSWD_VERS_CHANGEPW:
{
Create a 'straight paper path' for UTF16 passwords. This uses a virtual attribute 'clearTextPassword' (name chosen to match references in MS-SAMR) that contains the length-limited blob containing an allegidly UTF16 password. This ensures we do no validation or filtering of the password before we get a chance to MD4 it. We can then do the required munging into UTF8, and in future implement the rules Microsoft has provided us with for invalid inputs. All layers in the process now deal with the strings as length-limited inputs, incluing the krb5 string2key calls. This commit also includes a small change to samdb_result_passwords() to ensure that LM passwords are not returned to the application logic if LM authentication is disabled. The objectClass module has been modified to allow the clearTextPassword attribute to pass down the stack. Andrew Bartlett
2008-10-16 05:48:16 +04:00
DATA_BLOB password;
lib/util/charset rename iconv_convenience to iconv_handle This better reflects what this structure is Andrew Bartlett
2011-03-25 00:37:00 +03:00
if (!convert_string_talloc_handle(mem_ctx, lpcfg_iconv_handle(kdc->task->lp_ctx),
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
CH_UTF8, CH_UTF16,
(const char *)input->data,
Create a 'straight paper path' for UTF16 passwords. This uses a virtual attribute 'clearTextPassword' (name chosen to match references in MS-SAMR) that contains the length-limited blob containing an allegidly UTF16 password. This ensures we do no validation or filtering of the password before we get a chance to MD4 it. We can then do the required munging into UTF8, and in future implement the rules Microsoft has provided us with for invalid inputs. All layers in the process now deal with the strings as length-limited inputs, incluing the krb5 string2key calls. This commit also includes a small change to samdb_result_passwords() to ensure that LM passwords are not returned to the application logic if LM authentication is disabled. The objectClass module has been modified to allow the clearTextPassword attribute to pass down the stack. Andrew Bartlett
2008-10-16 05:48:16 +04:00
input->length,
charcnv: removed the allow_badcharcnv and allow_bad_conv options to convert_string*() we shouldn't accept bad multi-byte strings, it just hides problems Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Thu Mar 24 01:47:26 CET 2011 on sn-devel-104
2011-03-24 02:59:41 +03:00
(void **)&password.data, &pw_len)) {
r25548: Convert to standard bool type. (This used to be commit 190d73b44b9b9c6dabbd26212d596d985b25edab)
2007-10-07 01:42:58 +04:00
return false;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
Create a 'straight paper path' for UTF16 passwords. This uses a virtual attribute 'clearTextPassword' (name chosen to match references in MS-SAMR) that contains the length-limited blob containing an allegidly UTF16 password. This ensures we do no validation or filtering of the password before we get a chance to MD4 it. We can then do the required munging into UTF8, and in future implement the rules Microsoft has provided us with for invalid inputs. All layers in the process now deal with the strings as length-limited inputs, incluing the krb5 string2key calls. This commit also includes a small change to samdb_result_passwords() to ensure that LM passwords are not returned to the application logic if LM authentication is disabled. The objectClass module has been modified to allow the clearTextPassword attribute to pass down the stack. Andrew Bartlett
2008-10-16 05:48:16 +04:00
password.length = pw_len;
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
return kpasswdd_change_password(kdc, mem_ctx, session_info,
Create a 'straight paper path' for UTF16 passwords. This uses a virtual attribute 'clearTextPassword' (name chosen to match references in MS-SAMR) that contains the length-limited blob containing an allegidly UTF16 password. This ensures we do no validation or filtering of the password before we get a chance to MD4 it. We can then do the required munging into UTF8, and in future implement the rules Microsoft has provided us with for invalid inputs. All layers in the process now deal with the strings as length-limited inputs, incluing the krb5 string2key calls. This commit also includes a small change to samdb_result_passwords() to ensure that LM passwords are not returned to the application logic if LM authentication is disabled. The objectClass module has been modified to allow the clearTextPassword attribute to pass down the stack. Andrew Bartlett
2008-10-16 05:48:16 +04:00
&password, reply);
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
case KRB5_KPASSWD_VERS_SETPW:
{
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
NTSTATUS status;
s3/s4 - Adapt the IDL changes on various locations
2009-09-26 00:44:00 +04:00
enum samPwdChangeReason reject_reason = SAM_PWD_CHANGE_NO_ERROR;
r14856: fix bugs noticed by the ibm code checker metze (This used to be commit f72e7d9dcd02f1f983b457163dee0a8df0186c79)
2006-04-02 15:15:59 +04:00
struct samr_DomInfo1 *dominfo = NULL;
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
struct ldb_context *samdb;
krb5_context context = kdc->smb_krb5_context->krb5_context;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
ChangePasswdDataMS chpw;
Create a 'straight paper path' for UTF16 passwords. This uses a virtual attribute 'clearTextPassword' (name chosen to match references in MS-SAMR) that contains the length-limited blob containing an allegidly UTF16 password. This ensures we do no validation or filtering of the password before we get a chance to MD4 it. We can then do the required munging into UTF8, and in future implement the rules Microsoft has provided us with for invalid inputs. All layers in the process now deal with the strings as length-limited inputs, incluing the krb5 string2key calls. This commit also includes a small change to samdb_result_passwords() to ensure that LM passwords are not returned to the application logic if LM authentication is disabled. The objectClass module has been modified to allow the clearTextPassword attribute to pass down the stack. Andrew Bartlett
2008-10-16 05:48:16 +04:00
DATA_BLOB password;
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
krb5_principal principal;
char *set_password_on_princ;
struct ldb_dn *set_password_on_dn;
s4:kdc Add support for changing password of a servicePrincipalName Apparently AD supports setting a password on a servicePrincipalName, not just a user principal name. This should fix (part of) the join of OpenSolaris's internal CIFS server to Samba4 as reported by Bug #7273 Andrew Bartlett
2010-03-25 08:27:40 +03:00
bool service_principal_name = false;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
size_t len;
int ret;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
ret = decode_ChangePasswdDataMS(input->data, input->length,
&chpw, &len);
if (ret) {
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
return kpasswdd_make_error_reply(kdc, mem_ctx,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
KRB5_KPASSWD_MALFORMED,
"failed to decode password change structure",
reply);
}
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
lib/util/charset rename iconv_convenience to iconv_handle This better reflects what this structure is Andrew Bartlett
2011-03-25 00:37:00 +03:00
if (!convert_string_talloc_handle(mem_ctx, lpcfg_iconv_handle(kdc->task->lp_ctx),
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
CH_UTF8, CH_UTF16,
(const char *)chpw.newpasswd.data,
Create a 'straight paper path' for UTF16 passwords. This uses a virtual attribute 'clearTextPassword' (name chosen to match references in MS-SAMR) that contains the length-limited blob containing an allegidly UTF16 password. This ensures we do no validation or filtering of the password before we get a chance to MD4 it. We can then do the required munging into UTF8, and in future implement the rules Microsoft has provided us with for invalid inputs. All layers in the process now deal with the strings as length-limited inputs, incluing the krb5 string2key calls. This commit also includes a small change to samdb_result_passwords() to ensure that LM passwords are not returned to the application logic if LM authentication is disabled. The objectClass module has been modified to allow the clearTextPassword attribute to pass down the stack. Andrew Bartlett
2008-10-16 05:48:16 +04:00
chpw.newpasswd.length,
charcnv: removed the allow_badcharcnv and allow_bad_conv options to convert_string*() we shouldn't accept bad multi-byte strings, it just hides problems Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Thu Mar 24 01:47:26 CET 2011 on sn-devel-104
2011-03-24 02:59:41 +03:00
(void **)&password.data, &pw_len)) {
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
free_ChangePasswdDataMS(&chpw);
r25548: Convert to standard bool type. (This used to be commit 190d73b44b9b9c6dabbd26212d596d985b25edab)
2007-10-07 01:42:58 +04:00
return false;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
Create a 'straight paper path' for UTF16 passwords. This uses a virtual attribute 'clearTextPassword' (name chosen to match references in MS-SAMR) that contains the length-limited blob containing an allegidly UTF16 password. This ensures we do no validation or filtering of the password before we get a chance to MD4 it. We can then do the required munging into UTF8, and in future implement the rules Microsoft has provided us with for invalid inputs. All layers in the process now deal with the strings as length-limited inputs, incluing the krb5 string2key calls. This commit also includes a small change to samdb_result_passwords() to ensure that LM passwords are not returned to the application logic if LM authentication is disabled. The objectClass module has been modified to allow the clearTextPassword attribute to pass down the stack. Andrew Bartlett
2008-10-16 05:48:16 +04:00
password.length = pw_len;
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
if ((chpw.targname && !chpw.targrealm)
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
|| (!chpw.targname && chpw.targrealm)) {
s4:kdc/kpasswdd.c - fix memory leaks
2010-12-04 18:38:45 +03:00
free_ChangePasswdDataMS(&chpw);
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
return kpasswdd_make_error_reply(kdc, mem_ctx,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
KRB5_KPASSWD_MALFORMED,
"Realm and principal must be both present, or neither present",
reply);
}
if (chpw.targname && chpw.targrealm) {
s4:kdc/kpasswdd.c - fix memory leaks
2010-12-04 18:38:45 +03:00
ret = krb5_build_principal_ext(kdc->smb_krb5_context->krb5_context,
&principal,
strlen(*chpw.targrealm),
*chpw.targrealm, 0);
if (ret) {
free_ChangePasswdDataMS(&chpw);
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_MALFORMED,
"failed to get principal",
reply);
}
s4-kdc Remove use of heimdal private headers in kpasswd server. This remains an abuse, because it relies on setting into the krb5_principal structure, but at least it causes less trouble for the server. Andrew Bartlett
2010-11-12 07:37:07 +03:00
if (copy_PrincipalName(chpw.targname, &principal->name)) {
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
free_ChangePasswdDataMS(&chpw);
s4:kdc/kpasswdd.c - fix memory leaks
2010-12-04 18:38:45 +03:00
krb5_free_principal(context, principal);
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
return kpasswdd_make_error_reply(kdc, mem_ctx,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
KRB5_KPASSWD_MALFORMED,
"failed to extract principal to set",
reply);
}
} else {
free_ChangePasswdDataMS(&chpw);
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
return kpasswdd_change_password(kdc, mem_ctx, session_info,
Create a 'straight paper path' for UTF16 passwords. This uses a virtual attribute 'clearTextPassword' (name chosen to match references in MS-SAMR) that contains the length-limited blob containing an allegidly UTF16 password. This ensures we do no validation or filtering of the password before we get a chance to MD4 it. We can then do the required munging into UTF8, and in future implement the rules Microsoft has provided us with for invalid inputs. All layers in the process now deal with the strings as length-limited inputs, incluing the krb5 string2key calls. This commit also includes a small change to samdb_result_passwords() to ensure that LM passwords are not returned to the application logic if LM authentication is disabled. The objectClass module has been modified to allow the clearTextPassword attribute to pass down the stack. Andrew Bartlett
2008-10-16 05:48:16 +04:00
&password, reply);
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
free_ChangePasswdDataMS(&chpw);
s4:kdc Add support for changing password of a servicePrincipalName Apparently AD supports setting a password on a servicePrincipalName, not just a user principal name. This should fix (part of) the join of OpenSolaris's internal CIFS server to Samba4 as reported by Bug #7273 Andrew Bartlett
2010-03-25 08:27:40 +03:00
if (principal->name.name_string.len >= 2) {
service_principal_name = true;
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
s4:kdc Add support for changing password of a servicePrincipalName Apparently AD supports setting a password on a servicePrincipalName, not just a user principal name. This should fix (part of) the join of OpenSolaris's internal CIFS server to Samba4 as reported by Bug #7273 Andrew Bartlett
2010-03-25 08:27:40 +03:00
/* We use this, rather than 'no realm' flag,
* as we don't want to accept a password
* change on a principal from another realm */
if (krb5_unparse_name_short(context, principal, &set_password_on_princ) != 0) {
krb5_free_principal(context, principal);
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_MALFORMED,
"krb5_unparse_name failed!",
reply);
}
} else {
if (krb5_unparse_name(context, principal, &set_password_on_princ) != 0) {
krb5_free_principal(context, principal);
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_MALFORMED,
"krb5_unparse_name failed!",
reply);
}
}
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
krb5_free_principal(context, principal);
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
samdb: Add flags argument to samdb_connect().
2010-10-10 19:00:45 +04:00
samdb = samdb_connect(mem_ctx, kdc->task->event_ctx, kdc->task->lp_ctx, session_info, 0);
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
if (!samdb) {
s4:kdc/kpasswdd.c - fix memory leaks
2010-12-04 18:38:45 +03:00
free(set_password_on_princ);
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
return kpasswdd_make_error_reply(kdc, mem_ctx,
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
KRB5_KPASSWD_HARDERROR,
"Unable to open database!",
reply);
}
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
DEBUG(3, ("%s\\%s (%s) is changing password of %s\n",
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-08 08:53:13 +03:00
session_info->info->domain_name,
session_info->info->account_name,
s4:security Change struct security_token->sids from struct dom_sid * to struct dom_sid This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privilages still need to be merged) Andrew Bartlett
2010-08-20 06:15:15 +04:00
dom_sid_string(mem_ctx, &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]),
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
set_password_on_princ));
ret = ldb_transaction_start(samdb);
s4:samdb_set_password/samdb_set_password_sid - Rework Adapt the two functions for the restructured "password_hash" module. This means that basically all checks are now performed in the mentioned module. An exception consists in the SAMR password change calls since they need very precise NTSTATUS return codes on wrong constraints ("samr_password.c") file
2009-09-26 14:09:07 +04:00
if (ret != LDB_SUCCESS) {
s4:kdc/kpasswdd.c - fix memory leaks
2010-12-04 18:38:45 +03:00
free(set_password_on_princ);
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
status = NT_STATUS_TRANSACTION_ABORTED;
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
return kpasswd_make_pwchange_reply(kdc, mem_ctx,
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
status,
s3/s4 - Adapt the IDL changes on various locations
2009-09-26 00:44:00 +04:00
SAM_PWD_CHANGE_NO_ERROR,
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
NULL,
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
reply);
}
s4:kdc Add support for changing password of a servicePrincipalName Apparently AD supports setting a password on a servicePrincipalName, not just a user principal name. This should fix (part of) the join of OpenSolaris's internal CIFS server to Samba4 as reported by Bug #7273 Andrew Bartlett
2010-03-25 08:27:40 +03:00
if (service_principal_name) {
status = crack_service_principal_name(samdb, mem_ctx,
set_password_on_princ,
&set_password_on_dn, NULL);
} else {
status = crack_user_principal_name(samdb, mem_ctx,
set_password_on_princ,
&set_password_on_dn, NULL);
}
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
free(set_password_on_princ);
if (!NT_STATUS_IS_OK(status)) {
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
ldb_transaction_cancel(samdb);
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
return kpasswd_make_pwchange_reply(kdc, mem_ctx,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
status,
s3/s4 - Adapt the IDL changes on various locations
2009-09-26 00:44:00 +04:00
SAM_PWD_CHANGE_NO_ERROR,
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
NULL,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
reply);
}
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
if (NT_STATUS_IS_OK(status)) {
/* Admin password set */
status = samdb_set_password(samdb, mem_ctx,
set_password_on_dn, NULL,
s4:samdb_set_password/samdb_set_password_sid - Rework Adapt the two functions for the restructured "password_hash" module. This means that basically all checks are now performed in the mentioned module. An exception consists in the SAMR password change calls since they need very precise NTSTATUS return codes on wrong constraints ("samr_password.c") file
2009-09-26 14:09:07 +04:00
&password, NULL, NULL,
s4:kdc/rpc server - adapt the "samdb_set_password" calls which perform password sets
2010-08-15 23:06:11 +04:00
NULL, NULL, /* this is not a user password change */
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
&reject_reason, &dominfo);
}
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
if (NT_STATUS_IS_OK(status)) {
ret = ldb_transaction_commit(samdb);
s4:samdb_set_password/samdb_set_password_sid - Rework Adapt the two functions for the restructured "password_hash" module. This means that basically all checks are now performed in the mentioned module. An exception consists in the SAMR password change calls since they need very precise NTSTATUS return codes on wrong constraints ("samr_password.c") file
2009-09-26 14:09:07 +04:00
if (ret != LDB_SUCCESS) {
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
DEBUG(1,("Failed to commit transaction to set password on %s: %s\n",
s4:samdb_set_password/samdb_set_password_sid - Rework Adapt the two functions for the restructured "password_hash" module. This means that basically all checks are now performed in the mentioned module. An exception consists in the SAMR password change calls since they need very precise NTSTATUS return codes on wrong constraints ("samr_password.c") file
2009-09-26 14:09:07 +04:00
ldb_dn_get_linearized(set_password_on_dn),
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
ldb_errstring(samdb)));
status = NT_STATUS_TRANSACTION_ABORTED;
}
} else {
ldb_transaction_cancel(samdb);
}
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
return kpasswd_make_pwchange_reply(kdc, mem_ctx,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
status,
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
reject_reason,
dominfo,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
reply);
}
default:
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
return kpasswdd_make_error_reply(kdc, mem_ctx,
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
KRB5_KPASSWD_BAD_VERSION,
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
talloc_asprintf(mem_ctx,
"Protocol version %u not supported",
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
version),
reply);
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
}
s4-kdc: Use better and simpler names for the kdc_process_ret enum Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-10 10:50:45 +03:00
kdc_code kpasswdd_process(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
DATA_BLOB *input,
DATA_BLOB *reply,
struct tsocket_address *peer_addr,
struct tsocket_address *my_addr,
int datagram_reply)
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
{
r25548: Convert to standard bool type. (This used to be commit 190d73b44b9b9c6dabbd26212d596d985b25edab)
2007-10-07 01:42:58 +04:00
bool ret;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
const uint16_t header_len = 6;
uint16_t len;
uint16_t ap_req_len;
uint16_t krb_priv_len;
uint16_t version;
NTSTATUS nt_status;
r14856: fix bugs noticed by the ibm code checker metze (This used to be commit f72e7d9dcd02f1f983b457163dee0a8df0186c79)
2006-04-02 15:15:59 +04:00
DATA_BLOB ap_req, krb_priv_req;
DATA_BLOB krb_priv_rep = data_blob(NULL, 0);
DATA_BLOB ap_rep = data_blob(NULL, 0);
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
DATA_BLOB kpasswd_req, kpasswd_rep;
struct cli_credentials *server_credentials;
struct gensec_security *gensec_security;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
s4:kdc Push context to hdb_samba4 by way of the 'name' of the DB This overloads the 'name' part of the keytab name to supply a context pointer, and so avoids 3 global variables! To do this, we had to stop putting the entry for kpasswd into the secrets.ldb. (I don't consider this a big loss, and any entry left there by an upgrade will be harmless). Andrew Bartlett
2009-07-27 10:09:25 +04:00
char *keytab_name;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
if (!tmp_ctx) {
s4-kdc: Use better and simpler names for the kdc_process_ret enum Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-10 10:50:45 +03:00
return KDC_ERROR;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
s4-kdc: added proxying of kdc requests for RODCs when we are an RODC and we get a request for a principal that we don't have the right secrets for, we need to proxy the request to a writeable DC. This happens for both TCP and UDP requests, for both krb5 and kpasswd Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Fri Nov 12 08:03:20 UTC 2010 on sn-devel-104
2010-11-12 09:23:34 +03:00
if (kdc->am_rodc) {
talloc_free(tmp_ctx);
s4-kdc: Use better and simpler names for the kdc_process_ret enum Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-10 10:50:45 +03:00
return KDC_PROXY_REQUEST;
s4-kdc: added proxying of kdc requests for RODCs when we are an RODC and we get a request for a principal that we don't have the right secrets for, we need to proxy the request to a writeable DC. This happens for both TCP and UDP requests, for both krb5 and kpasswd Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Fri Nov 12 08:03:20 UTC 2010 on sn-devel-104
2010-11-12 09:23:34 +03:00
}
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
/* Be parinoid. We need to ensure we don't just let the
* caller lead us into a buffer overflow */
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
if (input->length <= header_len) {
talloc_free(tmp_ctx);
s4-kdc: Use better and simpler names for the kdc_process_ret enum Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-10 10:50:45 +03:00
return KDC_ERROR;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
len = RSVAL(input->data, 0);
if (input->length != len) {
talloc_free(tmp_ctx);
s4-kdc: Use better and simpler names for the kdc_process_ret enum Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-10 10:50:45 +03:00
return KDC_ERROR;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
/* There are two different versions of this protocol so far,
* plus others in the standards pipe. Fortunetly they all
* take a very similar framing */
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
version = RSVAL(input->data, 2);
ap_req_len = RSVAL(input->data, 4);
if ((ap_req_len >= len) || (ap_req_len + header_len) >= len) {
talloc_free(tmp_ctx);
s4-kdc: Use better and simpler names for the kdc_process_ret enum Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-10 10:50:45 +03:00
return KDC_ERROR;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
krb_priv_len = len - ap_req_len;
ap_req = data_blob_const(&input->data[header_len], ap_req_len);
krb_priv_req = data_blob_const(&input->data[header_len + ap_req_len], krb_priv_len);
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
r17341: pass a messaging context to auth_context_create() and gensec_server_start(). calling them with NULL for event context or messaging context is no longer allowed! metze (This used to be commit 679ac74e71b111344f1097ab389c0b83a9247710)
2006-07-31 18:05:08 +04:00
server_credentials = cli_credentials_init(tmp_ctx);
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
if (!server_credentials) {
DEBUG(1, ("Failed to init server credentials\n"));
s4-kdc: added proxying of kdc requests for RODCs when we are an RODC and we get a request for a principal that we don't have the right secrets for, we need to proxy the request to a writeable DC. This happens for both TCP and UDP requests, for both krb5 and kpasswd Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Fri Nov 12 08:03:20 UTC 2010 on sn-devel-104
2010-11-12 09:23:34 +03:00
talloc_free(tmp_ctx);
s4-kdc: Use better and simpler names for the kdc_process_ret enum Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-10 10:50:45 +03:00
return KDC_ERROR;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in our case) as the keytab. This avoids issues in replicated setups, as we will replicate the kpasswd key correctly (including from windows, which is why I care at the moment). Andrew Bartlett (This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
2006-01-24 08:31:08 +03:00
/* We want the credentials subsystem to use the krb5 context
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
* we already have, rather than a new context */
r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in our case) as the keytab. This avoids issues in replicated setups, as we will replicate the kpasswd key correctly (including from windows, which is why I care at the moment). Andrew Bartlett (This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
2006-01-24 08:31:08 +03:00
cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context);
r26252: Specify loadparm_context explicitly when creating sessions. (This used to be commit 7280c1e9415daabb2712db1372e23f9846272ede)
2007-12-03 17:53:28 +03:00
cli_credentials_set_conf(server_credentials, kdc->task->lp_ctx);
s4:kdc Push context to hdb_samba4 by way of the 'name' of the DB This overloads the 'name' part of the keytab name to supply a context pointer, and so avoids 3 global variables! To do this, we had to stop putting the entry for kpasswd into the secrets.ldb. (I don't consider this a big loss, and any entry left there by an upgrade will be harmless). Andrew Bartlett
2009-07-27 10:09:25 +04:00
s4:kdc Use better db context structure This allows to use a common structure not tied to hdb_samba4 Also allows to avoid many casts within hdb_samba4 functions This is the first step to abstract samba kdc databse functions so they can be used by the MIT forthcoming plugin.
2010-01-28 08:08:36 +03:00
keytab_name = talloc_asprintf(server_credentials, "HDB:samba4&%p", kdc->base_ctx);
s4:kdc Push context to hdb_samba4 by way of the 'name' of the DB This overloads the 'name' part of the keytab name to supply a context pointer, and so avoids 3 global variables! To do this, we had to stop putting the entry for kpasswd into the secrets.ldb. (I don't consider this a big loss, and any entry left there by an upgrade will be harmless). Andrew Bartlett
2009-07-27 10:09:25 +04:00
cli_credentials_set_username(server_credentials, "kadmin/changepw", CRED_SPECIFIED);
s4-credentials Add explicit event context handling to Kerberos calls (only) By setting the event context to use for this operation (only) onto the krb5_context just before we call that operation, we can try and emulate the specification of an event context to the actual send_to_kdc() This eliminates the specification of an event context to many other cli_credentials calls, and the last use of event_context_find() Special care is taken to restore the event context in the event of nesting in the send_to_kdc function. Andrew Bartlett
2010-10-11 09:53:08 +04:00
ret = cli_credentials_set_keytab_name(server_credentials, kdc->task->lp_ctx, keytab_name, CRED_SPECIFIED);
s4:kdc Push context to hdb_samba4 by way of the 'name' of the DB This overloads the 'name' part of the keytab name to supply a context pointer, and so avoids 3 global variables! To do this, we had to stop putting the entry for kpasswd into the secrets.ldb. (I don't consider this a big loss, and any entry left there by an upgrade will be harmless). Andrew Bartlett
2009-07-27 10:09:25 +04:00
if (ret != 0) {
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
KRB5_KPASSWD_HARDERROR,
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
talloc_asprintf(mem_ctx,
s4:kdc/kpasswdd.c - don't return an uninitialised NT_STATUS Discovered by Tru64 build
2010-12-12 13:58:59 +03:00
"Failed to obtain server credentials for kadmin/changepw!"),
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
&krb_priv_rep);
ap_rep.length = 0;
if (ret) {
goto reply;
}
talloc_free(tmp_ctx);
return ret;
}
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
Remove auth/ntlm as a dependency of GENSEC by means of function pointers. When starting GENSEC on the server, the auth subsystem context must be passed in, which now includes function pointers to the key elements. This should (when the other dependencies are fixed up) allow GENSEC to exist as a client or server library without bundling in too much of our server code. Andrew Bartlett
2009-02-13 02:24:16 +03:00
/* We don't strictly need to call this wrapper, and could call
* gensec_server_start directly, as we have no need for NTLM
* and we have a PAC, but this ensures that the wrapper can be
* safely extended for other helpful things in future */
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
nt_status = samba_server_gensec_start(tmp_ctx, kdc->task->event_ctx,
Remove auth/ntlm as a dependency of GENSEC by means of function pointers. When starting GENSEC on the server, the auth subsystem context must be passed in, which now includes function pointers to the key elements. This should (when the other dependencies are fixed up) allow GENSEC to exist as a client or server library without bundling in too much of our server code. Andrew Bartlett
2009-02-13 02:24:16 +03:00
kdc->task->msg_ctx,
kdc->task->lp_ctx,
server_credentials,
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
"kpasswd",
Remove auth/ntlm as a dependency of GENSEC by means of function pointers. When starting GENSEC on the server, the auth subsystem context must be passed in, which now includes function pointers to the key elements. This should (when the other dependencies are fixed up) allow GENSEC to exist as a client or server library without bundling in too much of our server code. Andrew Bartlett
2009-02-13 02:24:16 +03:00
&gensec_security);
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
s4-kdc: Use better and simpler names for the kdc_process_ret enum Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-10 10:50:45 +03:00
return KDC_ERROR;
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
}
/* The kerberos PRIV packets include these addresses. MIT
* clients check that they are present */
s4:kdc In the kpasswd server, don't use the client address in mk_priv This code eventually calls into mk_priv in the Heimdal code, and if the client is behind NAT, or somehow has an odd idea about it's own network addresses, it will fail to accept this packet if we set an address. It seems easiser not to. (Found by testing with NetAPP at plugfest) Andrew Bartlett
2009-09-16 09:02:36 +04:00
#if 0
/* Skip this part for now, it breaks with a NetAPP filer and
* in any case where the client address is behind NAT. If
* older MIT clients need this, we might have to insert more
* complex code */
Fix commented out code in kpasswd server to use correct function The fix in ac2d31e24cfa24f6674b645b3661a1a2ce9ab060 picked the wrong function name. This is meant to be the remote address, not the local one, if we ever have to re-instate this code. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-09-22 10:38:10 +04:00
nt_status = gensec_set_remote_address(gensec_security, peer_addr);
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
s4-kdc: Use better and simpler names for the kdc_process_ret enum Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-10 10:50:45 +03:00
return KDC_ERROR;
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
}
s4:kdc In the kpasswd server, don't use the client address in mk_priv This code eventually calls into mk_priv in the Heimdal code, and if the client is behind NAT, or somehow has an odd idea about it's own network addresses, it will fail to accept this packet if we set an address. It seems easiser not to. (Found by testing with NetAPP at plugfest) Andrew Bartlett
2009-09-16 09:02:36 +04:00
#endif
s4-gensec: Replace gensec_set_my_addr() with new tsocket based fn.
2009-12-16 17:52:30 +03:00
nt_status = gensec_set_local_address(gensec_security, my_addr);
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
s4-kdc: Use better and simpler names for the kdc_process_ret enum Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-10 10:50:45 +03:00
return KDC_ERROR;
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
}
/* We want the GENSEC wrap calls to generate PRIV tokens */
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
nt_status = gensec_start_mech_by_name(gensec_security, "krb5");
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
s4-kdc: Use better and simpler names for the kdc_process_ret enum Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-10 10:50:45 +03:00
return KDC_ERROR;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
/* Accept the AP-REQ and generate teh AP-REP we need for the reply */
s4:kdc: make use of gensec_update_ev() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-12-13 22:35:34 +04:00
nt_status = gensec_update_ev(gensec_security, tmp_ctx, kdc->task->event_ctx, ap_req, &ap_rep);
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
if (!NT_STATUS_IS_OK(nt_status) && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
KRB5_KPASSWD_HARDERROR,
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
talloc_asprintf(mem_ctx,
"gensec_update failed: %s",
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
nt_errstr(nt_status)),
&krb_priv_rep);
ap_rep.length = 0;
if (ret) {
goto reply;
}
talloc_free(tmp_ctx);
s4-kdc: Use better and simpler names for the kdc_process_ret enum Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-10 10:50:45 +03:00
return KDC_ERROR;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
/* Extract the data from the KRB-PRIV half of the message */
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
nt_status = gensec_unwrap(gensec_security, tmp_ctx, &krb_priv_req, &kpasswd_req);
if (!NT_STATUS_IS_OK(nt_status)) {
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
KRB5_KPASSWD_HARDERROR,
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
talloc_asprintf(mem_ctx,
"gensec_unwrap failed: %s",
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
nt_errstr(nt_status)),
&krb_priv_rep);
ap_rep.length = 0;
if (ret) {
goto reply;
}
talloc_free(tmp_ctx);
s4-kdc: Use better and simpler names for the kdc_process_ret enum Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-10 10:50:45 +03:00
return KDC_ERROR;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
/* Figure out something to do with it (probably changing a password...) */
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
ret = kpasswd_process_request(kdc, tmp_ctx,
gensec_security,
version,
&kpasswd_req, &kpasswd_rep);
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
if (!ret) {
/* Argh! */
s4-kdc: added proxying of kdc requests for RODCs when we are an RODC and we get a request for a principal that we don't have the right secrets for, we need to proxy the request to a writeable DC. This happens for both TCP and UDP requests, for both krb5 and kpasswd Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Fri Nov 12 08:03:20 UTC 2010 on sn-devel-104
2010-11-12 09:23:34 +03:00
talloc_free(tmp_ctx);
s4-kdc: Use better and simpler names for the kdc_process_ret enum Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-10 10:50:45 +03:00
return KDC_ERROR;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
r12682: This patch finally fixes our kpasswdd implementation to be compatible with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
2006-01-03 01:00:40 +03:00
/* And wrap up the reply: This ensures that the error message
* or success can be verified by the client */
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
nt_status = gensec_wrap(gensec_security, tmp_ctx,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
&kpasswd_rep, &krb_priv_rep);
if (!NT_STATUS_IS_OK(nt_status)) {
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
KRB5_KPASSWD_HARDERROR,
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
talloc_asprintf(mem_ctx,
"gensec_wrap failed: %s",
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
nt_errstr(nt_status)),
&krb_priv_rep);
ap_rep.length = 0;
if (ret) {
goto reply;
}
talloc_free(tmp_ctx);
s4-kdc: Use better and simpler names for the kdc_process_ret enum Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-10 10:50:45 +03:00
return KDC_ERROR;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
reply:
*reply = data_blob_talloc(mem_ctx, NULL, krb_priv_rep.length + ap_rep.length + header_len);
if (!reply->data) {
s4-kdc: added proxying of kdc requests for RODCs when we are an RODC and we get a request for a principal that we don't have the right secrets for, we need to proxy the request to a writeable DC. This happens for both TCP and UDP requests, for both krb5 and kpasswd Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org> Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Fri Nov 12 08:03:20 UTC 2010 on sn-devel-104
2010-11-12 09:23:34 +03:00
talloc_free(tmp_ctx);
s4-kdc: Use better and simpler names for the kdc_process_ret enum Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-10 10:50:45 +03:00
return KDC_ERROR;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
RSSVAL(reply->data, 0, reply->length);
RSSVAL(reply->data, 2, 1); /* This is a version 1 reply, MS change/set or otherwise */
RSSVAL(reply->data, 4, ap_rep.length);
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
memcpy(reply->data + header_len,
ap_rep.data,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
ap_rep.length);
s4:cleanups More trailing spaces and tabs
2009-12-23 23:17:16 +03:00
memcpy(reply->data + header_len + ap_rep.length,
krb_priv_rep.data,
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
krb_priv_rep.length);
talloc_free(tmp_ctx);
s4-kdc: Use better and simpler names for the kdc_process_ret enum Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-10 10:50:45 +03:00
return KDC_OK;
r11239: Use ${REALM} for the realm in rootdse.ldif Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2005-10-21 05:25:55 +04:00
}
Copy Permalink