2009-12-23 15:17:16 -05:00
/*
2005-10-21 01:25:55 +00:00
Unix SMB / CIFS implementation .
kpasswd Server implementation
Copyright ( C ) Andrew Bartlett < abartlet @ samba . org > 2005
Copyright ( C ) Andrew Tridgell 2005
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 02:07:03 +00:00
the Free Software Foundation ; either version 3 of the License , or
2005-10-21 01:25:55 +00:00
( at your option ) any later version .
2009-12-23 15:17:16 -05:00
2005-10-21 01:25:55 +00:00
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
2009-12-23 15:17:16 -05:00
2005-10-21 01:25:55 +00:00
You should have received a copy of the GNU General Public License
2007-07-10 02:07:03 +00:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2005-10-21 01:25:55 +00:00
*/
# include "includes.h"
# include "smbd/service_task.h"
# include "lib/events/events.h"
# include "lib/socket/socket.h"
2009-12-15 12:58:40 +01:00
# include "lib/tsocket/tsocket.h"
2005-10-21 01:25:55 +00:00
# include "system/network.h"
2008-10-11 21:31:42 +02:00
# include "../lib/util/dlinklist.h"
2005-10-21 01:25:55 +00:00
# include "lib/ldb/include/ldb.h"
2006-11-07 00:48:36 +00:00
# include "auth/gensec/gensec.h"
# include "auth/credentials/credentials.h"
# include "auth/credentials/credentials_krb5.h"
2005-10-21 01:25:55 +00:00
# include "auth/auth.h"
2005-12-28 15:38:36 +00:00
# include "dsdb/samdb/samdb.h"
2010-10-17 14:27:18 +02:00
# include "../lib/util/util_ldb.h"
2006-03-14 15:03:25 +00:00
# include "rpc_server/dcerpc_server.h"
2006-03-06 23:28:18 +00:00
# include "rpc_server/samr/proto.h"
2006-04-29 17:34:49 +00:00
# include "libcli/security/security.h"
2007-09-28 01:17:46 +00:00
# include "param/param.h"
2010-11-11 14:09:41 +11:00
# include "kdc/kdc-glue.h"
2005-10-21 01:25:55 +00:00
/* Return true if there is a valid error packet formed in the error_blob */
2009-12-23 15:17:16 -05:00
static bool kpasswdd_make_error_reply ( struct kdc_server * kdc ,
TALLOC_CTX * mem_ctx ,
uint16_t result_code ,
const char * error_string ,
DATA_BLOB * error_blob )
2005-10-21 01:25:55 +00:00
{
char * error_string_utf8 ;
2009-03-01 22:24:34 +01:00
size_t len ;
2009-12-23 15:17:16 -05:00
2005-10-21 01:25:55 +00:00
DEBUG ( result_code ? 3 : 10 , ( " kpasswdd: %s \n " , error_string ) ) ;
2009-03-01 22:24:34 +01:00
if ( ! push_utf8_talloc ( mem_ctx , & error_string_utf8 , error_string , & len ) ) {
2007-10-06 21:42:58 +00:00
return false ;
2005-10-21 01:25:55 +00:00
}
* error_blob = data_blob_talloc ( mem_ctx , NULL , 2 + len + 1 ) ;
if ( ! error_blob - > data ) {
2007-10-06 21:42:58 +00:00
return false ;
2005-10-21 01:25:55 +00:00
}
RSSVAL ( error_blob - > data , 0 , result_code ) ;
memcpy ( error_blob - > data + 2 , error_string_utf8 , len + 1 ) ;
2007-10-06 21:42:58 +00:00
return true ;
2005-10-21 01:25:55 +00:00
}
/* Return true if there is a valid error packet formed in the error_blob */
2009-12-23 15:17:16 -05:00
static bool kpasswdd_make_unauth_error_reply ( struct kdc_server * kdc ,
TALLOC_CTX * mem_ctx ,
uint16_t result_code ,
const char * error_string ,
DATA_BLOB * error_blob )
2005-10-21 01:25:55 +00:00
{
2007-10-06 21:42:58 +00:00
bool ret ;
2005-10-21 01:25:55 +00:00
int kret ;
DATA_BLOB error_bytes ;
krb5_data k5_error_bytes , k5_error_blob ;
2009-12-23 15:17:16 -05:00
ret = kpasswdd_make_error_reply ( kdc , mem_ctx , result_code , error_string ,
2005-10-21 01:25:55 +00:00
& error_bytes ) ;
if ( ! ret ) {
2007-10-06 21:42:58 +00:00
return false ;
2005-10-21 01:25:55 +00:00
}
k5_error_bytes . data = error_bytes . data ;
k5_error_bytes . length = error_bytes . length ;
kret = krb5_mk_error ( kdc - > smb_krb5_context - > krb5_context ,
2009-12-23 15:17:16 -05:00
result_code , NULL , & k5_error_bytes ,
2005-10-21 01:25:55 +00:00
NULL , NULL , NULL , NULL , & k5_error_blob ) ;
if ( kret ) {
2007-10-06 21:42:58 +00:00
return false ;
2005-10-21 01:25:55 +00:00
}
* error_blob = data_blob_talloc ( mem_ctx , k5_error_blob . data , k5_error_blob . length ) ;
krb5_data_free ( & k5_error_blob ) ;
if ( ! error_blob - > data ) {
2007-10-06 21:42:58 +00:00
return false ;
2005-10-21 01:25:55 +00:00
}
2007-10-06 21:42:58 +00:00
return true ;
2005-10-21 01:25:55 +00:00
}
2009-12-23 15:17:16 -05:00
static bool kpasswd_make_pwchange_reply ( struct kdc_server * kdc ,
TALLOC_CTX * mem_ctx ,
NTSTATUS status ,
2009-09-25 22:44:00 +02:00
enum samPwdChangeReason reject_reason ,
2005-10-21 01:25:55 +00:00
struct samr_DomInfo1 * dominfo ,
2009-12-23 15:17:16 -05:00
DATA_BLOB * error_blob )
2005-10-21 01:25:55 +00:00
{
if ( NT_STATUS_EQUAL ( status , NT_STATUS_NO_SUCH_USER ) ) {
2009-12-23 15:17:16 -05:00
return kpasswdd_make_error_reply ( kdc , mem_ctx ,
2005-10-21 01:25:55 +00:00
KRB5_KPASSWD_ACCESSDENIED ,
" No such user when changing password " ,
error_blob ) ;
}
if ( NT_STATUS_EQUAL ( status , NT_STATUS_ACCESS_DENIED ) ) {
2009-12-23 15:17:16 -05:00
return kpasswdd_make_error_reply ( kdc , mem_ctx ,
2005-10-21 01:25:55 +00:00
KRB5_KPASSWD_ACCESSDENIED ,
" Not permitted to change password " ,
error_blob ) ;
}
2006-04-02 11:15:59 +00:00
if ( dominfo & & NT_STATUS_EQUAL ( status , NT_STATUS_PASSWORD_RESTRICTION ) ) {
2005-10-21 01:25:55 +00:00
const char * reject_string ;
switch ( reject_reason ) {
2009-09-25 22:44:00 +02:00
case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT :
2005-10-21 01:25:55 +00:00
reject_string = talloc_asprintf ( mem_ctx , " Password too short, password must be at least %d characters long " ,
dominfo - > min_password_length ) ;
break ;
2009-09-25 22:44:00 +02:00
case SAM_PWD_CHANGE_NOT_COMPLEX :
2005-10-21 01:25:55 +00:00
reject_string = " Password does not meet complexity requirements " ;
break ;
2009-09-25 22:44:00 +02:00
case SAM_PWD_CHANGE_PWD_IN_HISTORY :
2006-09-18 21:00:00 +00:00
reject_string = " Password is already in password history " ;
break ;
2005-11-01 13:29:22 +00:00
default :
2005-10-21 01:25:55 +00:00
reject_string = talloc_asprintf ( mem_ctx , " Password must be at least %d characters long, and cannot match any of your %d previous passwords " ,
dominfo - > min_password_length , dominfo - > password_history_length ) ;
break ;
}
2009-12-23 15:17:16 -05:00
return kpasswdd_make_error_reply ( kdc , mem_ctx ,
2005-10-21 01:25:55 +00:00
KRB5_KPASSWD_SOFTERROR ,
reject_string ,
error_blob ) ;
}
if ( ! NT_STATUS_IS_OK ( status ) ) {
2009-12-23 15:17:16 -05:00
return kpasswdd_make_error_reply ( kdc , mem_ctx ,
2005-10-21 01:25:55 +00:00
KRB5_KPASSWD_HARDERROR ,
talloc_asprintf ( mem_ctx , " failed to set password: %s " , nt_errstr ( status ) ) ,
error_blob ) ;
2009-12-23 15:17:16 -05:00
2005-10-21 01:25:55 +00:00
}
return kpasswdd_make_error_reply ( kdc , mem_ctx , KRB5_KPASSWD_SUCCESS ,
" Password changed " ,
error_blob ) ;
}
2009-12-23 15:17:16 -05:00
/*
2005-10-21 01:25:55 +00:00
A user password change
2009-12-23 15:17:16 -05:00
2010-02-21 17:46:46 +11:00
Return true if there is a valid error packet ( or success ) formed in
2005-10-21 01:25:55 +00:00
the error_blob
*/
2007-10-06 21:42:58 +00:00
static bool kpasswdd_change_password ( struct kdc_server * kdc ,
2009-12-23 15:17:16 -05:00
TALLOC_CTX * mem_ctx ,
2005-10-21 01:25:55 +00:00
struct auth_session_info * session_info ,
2008-10-16 12:48:16 +11:00
const DATA_BLOB * password ,
2005-10-21 01:25:55 +00:00
DATA_BLOB * reply )
{
NTSTATUS status ;
2009-09-25 22:44:00 +02:00
enum samPwdChangeReason reject_reason ;
2005-10-21 01:25:55 +00:00
struct samr_DomInfo1 * dominfo ;
2010-07-06 18:16:32 +02:00
struct samr_Password * oldLmHash , * oldNtHash ;
2005-10-21 01:25:55 +00:00
struct ldb_context * samdb ;
2010-07-06 18:16:32 +02:00
const char * const attrs [ ] = { " dBCSPwd " , " unicodePwd " , NULL } ;
struct ldb_message * * res ;
int ret ;
2005-10-21 01:25:55 +00:00
2010-07-06 18:16:32 +02:00
/* Fetch the old hashes to get the old password in order to perform
* the password change operation . Naturally it would be much better to
* have a password hash from an authentication around but this doesn ' t
* seem to be the case here . */
2010-11-12 17:23:34 +11:00
ret = gendb_search ( kdc - > samdb , mem_ctx , NULL , & res , attrs ,
2010-07-06 18:16:32 +02:00
" (&(objectClass=user)(sAMAccountName=%s)) " ,
session_info - > server_info - > account_name ) ;
if ( ret ! = 1 ) {
return kpasswdd_make_error_reply ( kdc , mem_ctx ,
KRB5_KPASSWD_ACCESSDENIED ,
" No such user when changing password " ,
reply ) ;
}
status = samdb_result_passwords ( mem_ctx , kdc - > task - > lp_ctx , res [ 0 ] ,
& oldLmHash , & oldNtHash ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
return kpasswdd_make_error_reply ( kdc , mem_ctx ,
KRB5_KPASSWD_ACCESSDENIED ,
" Not permitted to change password " ,
reply ) ;
}
/* Start a SAM with user privileges for the password change */
samdb = samdb_connect ( mem_ctx , kdc - > task - > event_ctx , kdc - > task - > lp_ctx ,
2010-10-10 17:00:45 +02:00
session_info , 0 ) ;
2005-10-21 01:25:55 +00:00
if ( ! samdb ) {
2009-12-23 15:17:16 -05:00
return kpasswdd_make_error_reply ( kdc , mem_ctx ,
2005-10-21 01:25:55 +00:00
KRB5_KPASSWD_HARDERROR ,
" Failed to open samdb " ,
reply ) ;
}
2009-12-23 15:17:16 -05:00
DEBUG ( 3 , ( " Changing password of %s \\ %s (%s) \n " ,
2006-01-02 22:00:40 +00:00
session_info - > server_info - > domain_name ,
session_info - > server_info - > account_name ,
2010-08-20 12:15:15 +10:00
dom_sid_string ( mem_ctx , & session_info - > security_token - > sids [ PRIMARY_USER_SID_INDEX ] ) ) ) ;
2005-10-21 01:25:55 +00:00
2010-07-06 18:16:32 +02:00
/* Performs the password change */
2009-12-23 15:17:16 -05:00
status = samdb_set_password_sid ( samdb , mem_ctx ,
2010-08-20 12:15:15 +10:00
& session_info - > security_token - > sids [ PRIMARY_USER_SID_INDEX ] ,
2009-12-23 15:17:16 -05:00
password , NULL , NULL ,
2010-07-06 18:16:32 +02:00
oldLmHash , oldNtHash , /* this is a user password change */
2005-10-21 01:25:55 +00:00
& reject_reason ,
& dominfo ) ;
2009-12-23 15:17:16 -05:00
return kpasswd_make_pwchange_reply ( kdc , mem_ctx ,
status ,
2005-10-21 01:25:55 +00:00
reject_reason ,
2009-12-23 15:17:16 -05:00
dominfo ,
2005-10-21 01:25:55 +00:00
reply ) ;
}
2007-10-06 21:42:58 +00:00
static bool kpasswd_process_request ( struct kdc_server * kdc ,
2009-12-23 15:17:16 -05:00
TALLOC_CTX * mem_ctx ,
2005-10-21 01:25:55 +00:00
struct gensec_security * gensec_security ,
uint16_t version ,
2009-12-23 15:17:16 -05:00
DATA_BLOB * input ,
2005-10-21 01:25:55 +00:00
DATA_BLOB * reply )
{
struct auth_session_info * session_info ;
2009-03-01 19:55:46 +01:00
size_t pw_len ;
2008-10-16 12:48:16 +11:00
2009-12-23 15:17:16 -05:00
if ( ! NT_STATUS_IS_OK ( gensec_session_info ( gensec_security ,
2005-10-21 01:25:55 +00:00
& session_info ) ) ) {
2009-12-23 15:17:16 -05:00
return kpasswdd_make_error_reply ( kdc , mem_ctx ,
2005-10-21 01:25:55 +00:00
KRB5_KPASSWD_HARDERROR ,
" gensec_session_info failed! " ,
reply ) ;
}
switch ( version ) {
case KRB5_KPASSWD_VERS_CHANGEPW :
{
2008-10-16 12:48:16 +11:00
DATA_BLOB password ;
2010-07-16 14:32:42 +10:00
if ( ! convert_string_talloc_convenience ( mem_ctx , lpcfg_iconv_convenience ( kdc - > task - > lp_ctx ) ,
2009-12-23 15:17:16 -05:00
CH_UTF8 , CH_UTF16 ,
( const char * ) input - > data ,
2008-10-16 12:48:16 +11:00
input - > length ,
2009-03-01 19:55:46 +01:00
( void * * ) & password . data , & pw_len , false ) ) {
2007-10-06 21:42:58 +00:00
return false ;
2005-10-21 01:25:55 +00:00
}
2008-10-16 12:48:16 +11:00
password . length = pw_len ;
2009-12-23 15:17:16 -05:00
return kpasswdd_change_password ( kdc , mem_ctx , session_info ,
2008-10-16 12:48:16 +11:00
& password , reply ) ;
2005-10-21 01:25:55 +00:00
}
case KRB5_KPASSWD_VERS_SETPW :
{
2006-01-02 22:00:40 +00:00
NTSTATUS status ;
2009-09-25 22:44:00 +02:00
enum samPwdChangeReason reject_reason = SAM_PWD_CHANGE_NO_ERROR ;
2006-04-02 11:15:59 +00:00
struct samr_DomInfo1 * dominfo = NULL ;
2006-01-02 22:00:40 +00:00
struct ldb_context * samdb ;
krb5_context context = kdc - > smb_krb5_context - > krb5_context ;
2005-10-21 01:25:55 +00:00
ChangePasswdDataMS chpw ;
2008-10-16 12:48:16 +11:00
DATA_BLOB password ;
2006-01-02 22:00:40 +00:00
2005-10-21 01:25:55 +00:00
krb5_principal principal ;
char * set_password_on_princ ;
struct ldb_dn * set_password_on_dn ;
2010-03-25 16:27:40 +11:00
bool service_principal_name = false ;
2005-10-21 01:25:55 +00:00
2006-01-02 22:00:40 +00:00
size_t len ;
int ret ;
2005-10-21 01:25:55 +00:00
ret = decode_ChangePasswdDataMS ( input - > data , input - > length ,
& chpw , & len ) ;
if ( ret ) {
2009-12-23 15:17:16 -05:00
return kpasswdd_make_error_reply ( kdc , mem_ctx ,
2005-10-21 01:25:55 +00:00
KRB5_KPASSWD_MALFORMED ,
" failed to decode password change structure " ,
reply ) ;
}
2009-12-23 15:17:16 -05:00
2010-07-16 14:32:42 +10:00
if ( ! convert_string_talloc_convenience ( mem_ctx , lpcfg_iconv_convenience ( kdc - > task - > lp_ctx ) ,
2009-12-23 15:17:16 -05:00
CH_UTF8 , CH_UTF16 ,
( const char * ) chpw . newpasswd . data ,
2008-10-16 12:48:16 +11:00
chpw . newpasswd . length ,
2009-03-01 19:55:46 +01:00
( void * * ) & password . data , & pw_len , false ) ) {
2005-10-21 01:25:55 +00:00
free_ChangePasswdDataMS ( & chpw ) ;
2007-10-06 21:42:58 +00:00
return false ;
2005-10-21 01:25:55 +00:00
}
2009-12-23 15:17:16 -05:00
2008-10-16 12:48:16 +11:00
password . length = pw_len ;
2009-12-23 15:17:16 -05:00
if ( ( chpw . targname & & ! chpw . targrealm )
2005-10-21 01:25:55 +00:00
| | ( ! chpw . targname & & chpw . targrealm ) ) {
2009-12-23 15:17:16 -05:00
return kpasswdd_make_error_reply ( kdc , mem_ctx ,
2005-10-21 01:25:55 +00:00
KRB5_KPASSWD_MALFORMED ,
" Realm and principal must be both present, or neither present " ,
reply ) ;
}
if ( chpw . targname & & chpw . targrealm ) {
2010-11-12 15:37:07 +11:00
krb5_build_principal_ext ( kdc - > smb_krb5_context - > krb5_context ,
& principal , strlen ( * chpw . targrealm ) , * chpw . targrealm , 0 ) ;
if ( copy_PrincipalName ( chpw . targname , & principal - > name ) ) {
2005-10-21 01:25:55 +00:00
free_ChangePasswdDataMS ( & chpw ) ;
2009-12-23 15:17:16 -05:00
return kpasswdd_make_error_reply ( kdc , mem_ctx ,
2005-10-21 01:25:55 +00:00
KRB5_KPASSWD_MALFORMED ,
" failed to extract principal to set " ,
reply ) ;
}
} else {
free_ChangePasswdDataMS ( & chpw ) ;
2009-12-23 15:17:16 -05:00
return kpasswdd_change_password ( kdc , mem_ctx , session_info ,
2008-10-16 12:48:16 +11:00
& password , reply ) ;
2005-10-21 01:25:55 +00:00
}
free_ChangePasswdDataMS ( & chpw ) ;
2010-03-25 16:27:40 +11:00
if ( principal - > name . name_string . len > = 2 ) {
service_principal_name = true ;
2009-12-23 15:17:16 -05:00
2010-03-25 16:27:40 +11:00
/* We use this, rather than 'no realm' flag,
* as we don ' t want to accept a password
* change on a principal from another realm */
if ( krb5_unparse_name_short ( context , principal , & set_password_on_princ ) ! = 0 ) {
krb5_free_principal ( context , principal ) ;
return kpasswdd_make_error_reply ( kdc , mem_ctx ,
KRB5_KPASSWD_MALFORMED ,
" krb5_unparse_name failed! " ,
reply ) ;
}
} else {
if ( krb5_unparse_name ( context , principal , & set_password_on_princ ) ! = 0 ) {
krb5_free_principal ( context , principal ) ;
return kpasswdd_make_error_reply ( kdc , mem_ctx ,
KRB5_KPASSWD_MALFORMED ,
" krb5_unparse_name failed! " ,
reply ) ;
}
}
2005-10-21 01:25:55 +00:00
krb5_free_principal ( context , principal ) ;
2009-12-23 15:17:16 -05:00
2010-10-10 17:00:45 +02:00
samdb = samdb_connect ( mem_ctx , kdc - > task - > event_ctx , kdc - > task - > lp_ctx , session_info , 0 ) ;
2006-01-02 22:00:40 +00:00
if ( ! samdb ) {
2009-12-23 15:17:16 -05:00
return kpasswdd_make_error_reply ( kdc , mem_ctx ,
2006-01-02 22:00:40 +00:00
KRB5_KPASSWD_HARDERROR ,
" Unable to open database! " ,
reply ) ;
}
2009-12-23 15:17:16 -05:00
DEBUG ( 3 , ( " %s \\ %s (%s) is changing password of %s \n " ,
2006-01-02 22:00:40 +00:00
session_info - > server_info - > domain_name ,
session_info - > server_info - > account_name ,
2010-08-20 12:15:15 +10:00
dom_sid_string ( mem_ctx , & session_info - > security_token - > sids [ PRIMARY_USER_SID_INDEX ] ) ,
2006-01-02 22:00:40 +00:00
set_password_on_princ ) ) ;
ret = ldb_transaction_start ( samdb ) ;
2009-09-26 12:09:07 +02:00
if ( ret ! = LDB_SUCCESS ) {
2006-01-02 22:00:40 +00:00
status = NT_STATUS_TRANSACTION_ABORTED ;
2009-12-23 15:17:16 -05:00
return kpasswd_make_pwchange_reply ( kdc , mem_ctx ,
2006-01-02 22:00:40 +00:00
status ,
2009-09-25 22:44:00 +02:00
SAM_PWD_CHANGE_NO_ERROR ,
2009-12-23 15:17:16 -05:00
NULL ,
2006-01-02 22:00:40 +00:00
reply ) ;
}
2010-03-25 16:27:40 +11:00
if ( service_principal_name ) {
status = crack_service_principal_name ( samdb , mem_ctx ,
set_password_on_princ ,
& set_password_on_dn , NULL ) ;
} else {
status = crack_user_principal_name ( samdb , mem_ctx ,
set_password_on_princ ,
& set_password_on_dn , NULL ) ;
}
2005-10-21 01:25:55 +00:00
free ( set_password_on_princ ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2006-01-02 22:00:40 +00:00
ldb_transaction_cancel ( samdb ) ;
2009-12-23 15:17:16 -05:00
return kpasswd_make_pwchange_reply ( kdc , mem_ctx ,
2005-10-21 01:25:55 +00:00
status ,
2009-09-25 22:44:00 +02:00
SAM_PWD_CHANGE_NO_ERROR ,
2009-12-23 15:17:16 -05:00
NULL ,
2005-10-21 01:25:55 +00:00
reply ) ;
}
2006-01-02 22:00:40 +00:00
if ( NT_STATUS_IS_OK ( status ) ) {
/* Admin password set */
status = samdb_set_password ( samdb , mem_ctx ,
set_password_on_dn , NULL ,
2009-09-26 12:09:07 +02:00
& password , NULL , NULL ,
2010-08-15 21:06:11 +02:00
NULL , NULL , /* this is not a user password change */
2006-01-02 22:00:40 +00:00
& reject_reason , & dominfo ) ;
}
2005-10-21 01:25:55 +00:00
2006-01-02 22:00:40 +00:00
if ( NT_STATUS_IS_OK ( status ) ) {
ret = ldb_transaction_commit ( samdb ) ;
2009-09-26 12:09:07 +02:00
if ( ret ! = LDB_SUCCESS ) {
2006-01-02 22:00:40 +00:00
DEBUG ( 1 , ( " Failed to commit transaction to set password on %s: %s \n " ,
2009-09-26 12:09:07 +02:00
ldb_dn_get_linearized ( set_password_on_dn ) ,
2006-01-02 22:00:40 +00:00
ldb_errstring ( samdb ) ) ) ;
status = NT_STATUS_TRANSACTION_ABORTED ;
}
} else {
ldb_transaction_cancel ( samdb ) ;
}
2009-12-23 15:17:16 -05:00
return kpasswd_make_pwchange_reply ( kdc , mem_ctx ,
2005-10-21 01:25:55 +00:00
status ,
2009-12-23 15:17:16 -05:00
reject_reason ,
dominfo ,
2005-10-21 01:25:55 +00:00
reply ) ;
}
default :
2009-12-23 15:17:16 -05:00
return kpasswdd_make_error_reply ( kdc , mem_ctx ,
2006-01-02 22:00:40 +00:00
KRB5_KPASSWD_BAD_VERSION ,
2009-12-23 15:17:16 -05:00
talloc_asprintf ( mem_ctx ,
" Protocol version %u not supported " ,
2006-01-02 22:00:40 +00:00
version ) ,
reply ) ;
2005-10-21 01:25:55 +00:00
}
}
2010-11-11 14:22:40 +11:00
enum kdc_process_ret kpasswdd_process ( struct kdc_server * kdc ,
TALLOC_CTX * mem_ctx ,
DATA_BLOB * input ,
DATA_BLOB * reply ,
struct tsocket_address * peer_addr ,
struct tsocket_address * my_addr ,
int datagram_reply )
2005-10-21 01:25:55 +00:00
{
2007-10-06 21:42:58 +00:00
bool ret ;
2005-10-21 01:25:55 +00:00
const uint16_t header_len = 6 ;
uint16_t len ;
uint16_t ap_req_len ;
uint16_t krb_priv_len ;
uint16_t version ;
NTSTATUS nt_status ;
2006-04-02 11:15:59 +00:00
DATA_BLOB ap_req , krb_priv_req ;
DATA_BLOB krb_priv_rep = data_blob ( NULL , 0 ) ;
DATA_BLOB ap_rep = data_blob ( NULL , 0 ) ;
2005-10-21 01:25:55 +00:00
DATA_BLOB kpasswd_req , kpasswd_rep ;
struct cli_credentials * server_credentials ;
struct gensec_security * gensec_security ;
TALLOC_CTX * tmp_ctx = talloc_new ( mem_ctx ) ;
2009-07-27 16:09:25 +10:00
char * keytab_name ;
2005-10-21 01:25:55 +00:00
if ( ! tmp_ctx ) {
2010-11-11 14:22:40 +11:00
return KDC_PROCESS_FAILED ;
2005-10-21 01:25:55 +00:00
}
2010-11-12 17:23:34 +11:00
if ( kdc - > am_rodc ) {
talloc_free ( tmp_ctx ) ;
return KDC_PROCESS_PROXY ;
}
2006-01-02 22:00:40 +00:00
/* Be parinoid. We need to ensure we don't just let the
* caller lead us into a buffer overflow */
2005-10-21 01:25:55 +00:00
if ( input - > length < = header_len ) {
talloc_free ( tmp_ctx ) ;
2010-11-11 14:22:40 +11:00
return KDC_PROCESS_FAILED ;
2005-10-21 01:25:55 +00:00
}
len = RSVAL ( input - > data , 0 ) ;
if ( input - > length ! = len ) {
talloc_free ( tmp_ctx ) ;
2010-11-11 14:22:40 +11:00
return KDC_PROCESS_FAILED ;
2005-10-21 01:25:55 +00:00
}
2006-01-02 22:00:40 +00:00
/* There are two different versions of this protocol so far,
* plus others in the standards pipe . Fortunetly they all
* take a very similar framing */
2005-10-21 01:25:55 +00:00
version = RSVAL ( input - > data , 2 ) ;
ap_req_len = RSVAL ( input - > data , 4 ) ;
if ( ( ap_req_len > = len ) | | ( ap_req_len + header_len ) > = len ) {
talloc_free ( tmp_ctx ) ;
2010-11-11 14:22:40 +11:00
return KDC_PROCESS_FAILED ;
2005-10-21 01:25:55 +00:00
}
2009-12-23 15:17:16 -05:00
2005-10-21 01:25:55 +00:00
krb_priv_len = len - ap_req_len ;
ap_req = data_blob_const ( & input - > data [ header_len ] , ap_req_len ) ;
krb_priv_req = data_blob_const ( & input - > data [ header_len + ap_req_len ] , krb_priv_len ) ;
2009-12-23 15:17:16 -05:00
2006-07-31 14:05:08 +00:00
server_credentials = cli_credentials_init ( tmp_ctx ) ;
2005-10-21 01:25:55 +00:00
if ( ! server_credentials ) {
DEBUG ( 1 , ( " Failed to init server credentials \n " ) ) ;
2010-11-12 17:23:34 +11:00
talloc_free ( tmp_ctx ) ;
2010-11-11 14:22:40 +11:00
return KDC_PROCESS_FAILED ;
2005-10-21 01:25:55 +00:00
}
2006-01-24 05:31:08 +00:00
/* We want the credentials subsystem to use the krb5 context
2009-12-23 15:17:16 -05:00
* we already have , rather than a new context */
2006-01-24 05:31:08 +00:00
cli_credentials_set_krb5_context ( server_credentials , kdc - > smb_krb5_context ) ;
2007-12-03 15:53:28 +01:00
cli_credentials_set_conf ( server_credentials , kdc - > task - > lp_ctx ) ;
2009-07-27 16:09:25 +10:00
2010-01-28 00:08:36 -05:00
keytab_name = talloc_asprintf ( server_credentials , " HDB:samba4&%p " , kdc - > base_ctx ) ;
2009-07-27 16:09:25 +10:00
cli_credentials_set_username ( server_credentials , " kadmin/changepw " , CRED_SPECIFIED ) ;
2010-10-11 16:53:08 +11:00
ret = cli_credentials_set_keytab_name ( server_credentials , kdc - > task - > lp_ctx , keytab_name , CRED_SPECIFIED ) ;
2009-07-27 16:09:25 +10:00
if ( ret ! = 0 ) {
2009-12-23 15:17:16 -05:00
ret = kpasswdd_make_unauth_error_reply ( kdc , mem_ctx ,
2005-10-21 01:25:55 +00:00
KRB5_KPASSWD_HARDERROR ,
2009-12-23 15:17:16 -05:00
talloc_asprintf ( mem_ctx ,
" Failed to obtain server credentials for kadmin/changepw: %s \n " ,
2005-10-21 01:25:55 +00:00
nt_errstr ( nt_status ) ) ,
& krb_priv_rep ) ;
ap_rep . length = 0 ;
if ( ret ) {
goto reply ;
}
talloc_free ( tmp_ctx ) ;
return ret ;
}
2009-12-23 15:17:16 -05:00
2009-02-13 10:24:16 +11:00
/* We don't strictly need to call this wrapper, and could call
* gensec_server_start directly , as we have no need for NTLM
* and we have a PAC , but this ensures that the wrapper can be
* safely extended for other helpful things in future */
2009-12-23 15:17:16 -05:00
nt_status = samba_server_gensec_start ( tmp_ctx , kdc - > task - > event_ctx ,
2009-02-13 10:24:16 +11:00
kdc - > task - > msg_ctx ,
kdc - > task - > lp_ctx ,
server_credentials ,
2009-12-23 15:17:16 -05:00
" kpasswd " ,
2009-02-13 10:24:16 +11:00
& gensec_security ) ;
2006-01-02 22:00:40 +00:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
talloc_free ( tmp_ctx ) ;
2010-11-11 14:22:40 +11:00
return KDC_PROCESS_FAILED ;
2006-01-02 22:00:40 +00:00
}
/* The kerberos PRIV packets include these addresses. MIT
* clients check that they are present */
2009-09-15 22:02:36 -07:00
#if 0
/* Skip this part for now, it breaks with a NetAPP filer and
* in any case where the client address is behind NAT . If
* older MIT clients need this , we might have to insert more
* complex code */
2009-12-16 16:12:13 +01:00
nt_status = gensec_set_local_address ( gensec_security , peer_addr ) ;
2006-01-02 22:00:40 +00:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
talloc_free ( tmp_ctx ) ;
2010-11-11 14:22:40 +11:00
return KDC_PROCESS_FAILED ;
2006-01-02 22:00:40 +00:00
}
2009-09-15 22:02:36 -07:00
# endif
2009-12-16 15:52:30 +01:00
nt_status = gensec_set_local_address ( gensec_security , my_addr ) ;
2006-01-02 22:00:40 +00:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
talloc_free ( tmp_ctx ) ;
2010-11-11 14:22:40 +11:00
return KDC_PROCESS_FAILED ;
2006-01-02 22:00:40 +00:00
}
/* We want the GENSEC wrap calls to generate PRIV tokens */
2005-10-21 01:25:55 +00:00
gensec_want_feature ( gensec_security , GENSEC_FEATURE_SEAL ) ;
nt_status = gensec_start_mech_by_name ( gensec_security , " krb5 " ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
talloc_free ( tmp_ctx ) ;
2010-11-11 14:22:40 +11:00
return KDC_PROCESS_FAILED ;
2005-10-21 01:25:55 +00:00
}
2006-01-02 22:00:40 +00:00
/* Accept the AP-REQ and generate teh AP-REP we need for the reply */
2005-10-21 01:25:55 +00:00
nt_status = gensec_update ( gensec_security , tmp_ctx , ap_req , & ap_rep ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) & & ! NT_STATUS_EQUAL ( nt_status , NT_STATUS_MORE_PROCESSING_REQUIRED ) ) {
2009-12-23 15:17:16 -05:00
ret = kpasswdd_make_unauth_error_reply ( kdc , mem_ctx ,
2005-10-21 01:25:55 +00:00
KRB5_KPASSWD_HARDERROR ,
2009-12-23 15:17:16 -05:00
talloc_asprintf ( mem_ctx ,
" gensec_update failed: %s " ,
2005-10-21 01:25:55 +00:00
nt_errstr ( nt_status ) ) ,
& krb_priv_rep ) ;
ap_rep . length = 0 ;
if ( ret ) {
goto reply ;
}
talloc_free ( tmp_ctx ) ;
2010-11-11 14:22:40 +11:00
return KDC_PROCESS_FAILED ;
2005-10-21 01:25:55 +00:00
}
2006-01-02 22:00:40 +00:00
/* Extract the data from the KRB-PRIV half of the message */
2005-10-21 01:25:55 +00:00
nt_status = gensec_unwrap ( gensec_security , tmp_ctx , & krb_priv_req , & kpasswd_req ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
2009-12-23 15:17:16 -05:00
ret = kpasswdd_make_unauth_error_reply ( kdc , mem_ctx ,
2005-10-21 01:25:55 +00:00
KRB5_KPASSWD_HARDERROR ,
2009-12-23 15:17:16 -05:00
talloc_asprintf ( mem_ctx ,
" gensec_unwrap failed: %s " ,
2005-10-21 01:25:55 +00:00
nt_errstr ( nt_status ) ) ,
& krb_priv_rep ) ;
ap_rep . length = 0 ;
if ( ret ) {
goto reply ;
}
talloc_free ( tmp_ctx ) ;
2010-11-11 14:22:40 +11:00
return KDC_PROCESS_FAILED ;
2005-10-21 01:25:55 +00:00
}
2006-01-02 22:00:40 +00:00
/* Figure out something to do with it (probably changing a password...) */
2009-12-23 15:17:16 -05:00
ret = kpasswd_process_request ( kdc , tmp_ctx ,
gensec_security ,
version ,
& kpasswd_req , & kpasswd_rep ) ;
2005-10-21 01:25:55 +00:00
if ( ! ret ) {
/* Argh! */
2010-11-12 17:23:34 +11:00
talloc_free ( tmp_ctx ) ;
2010-11-11 14:22:40 +11:00
return KDC_PROCESS_FAILED ;
2005-10-21 01:25:55 +00:00
}
2006-01-02 22:00:40 +00:00
/* And wrap up the reply: This ensures that the error message
* or success can be verified by the client */
2009-12-23 15:17:16 -05:00
nt_status = gensec_wrap ( gensec_security , tmp_ctx ,
2005-10-21 01:25:55 +00:00
& kpasswd_rep , & krb_priv_rep ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
2009-12-23 15:17:16 -05:00
ret = kpasswdd_make_unauth_error_reply ( kdc , mem_ctx ,
2005-10-21 01:25:55 +00:00
KRB5_KPASSWD_HARDERROR ,
2009-12-23 15:17:16 -05:00
talloc_asprintf ( mem_ctx ,
" gensec_wrap failed: %s " ,
2005-10-21 01:25:55 +00:00
nt_errstr ( nt_status ) ) ,
& krb_priv_rep ) ;
ap_rep . length = 0 ;
if ( ret ) {
goto reply ;
}
talloc_free ( tmp_ctx ) ;
2010-11-11 14:22:40 +11:00
return KDC_PROCESS_FAILED ;
2005-10-21 01:25:55 +00:00
}
2009-12-23 15:17:16 -05:00
2005-10-21 01:25:55 +00:00
reply :
* reply = data_blob_talloc ( mem_ctx , NULL , krb_priv_rep . length + ap_rep . length + header_len ) ;
if ( ! reply - > data ) {
2010-11-12 17:23:34 +11:00
talloc_free ( tmp_ctx ) ;
2010-11-11 14:22:40 +11:00
return KDC_PROCESS_FAILED ;
2005-10-21 01:25:55 +00:00
}
RSSVAL ( reply - > data , 0 , reply - > length ) ;
RSSVAL ( reply - > data , 2 , 1 ) ; /* This is a version 1 reply, MS change/set or otherwise */
RSSVAL ( reply - > data , 4 , ap_rep . length ) ;
2009-12-23 15:17:16 -05:00
memcpy ( reply - > data + header_len ,
ap_rep . data ,
2005-10-21 01:25:55 +00:00
ap_rep . length ) ;
2009-12-23 15:17:16 -05:00
memcpy ( reply - > data + header_len + ap_rep . length ,
krb_priv_rep . data ,
2005-10-21 01:25:55 +00:00
krb_priv_rep . length ) ;
talloc_free ( tmp_ctx ) ;
2010-11-11 14:22:40 +11:00
return KDC_PROCESS_OK ;
2005-10-21 01:25:55 +00:00
}