1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

s4:kdc: Remove support code for older versions of MIT Kerberos

The oldest version we now support is 1.21. For every supported version
we can be certain that KRB5_KDB_API_VERSION >= 10 and
KRB5_KDB_DAL_MAJOR_VERSION >= 9.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Joseph Sutton 2023-08-15 15:16:57 +12:00 committed by Andrew Bartlett
parent 6b580f7368
commit bbfa98ec05
3 changed files with 1 additions and 552 deletions

View File

@ -140,7 +140,7 @@ static void kdb_samba_db_free_principal_e_data(krb5_context context,
kdb_vftabl kdb_function_table = { kdb_vftabl kdb_function_table = {
.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION, .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
.min_ver = KRB5_KDB_DAL_MAJOR_VERSION == 6 ? 1 : 0, .min_ver = 0,
.init_library = kdb_samba_init_library, .init_library = kdb_samba_init_library,
.fini_library = kdb_samba_fini_library, .fini_library = kdb_samba_fini_library,
@ -173,10 +173,6 @@ kdb_vftabl kdb_function_table = {
.free_principal_e_data = kdb_samba_db_free_principal_e_data, .free_principal_e_data = kdb_samba_db_free_principal_e_data,
#if KRB5_KDB_DAL_MAJOR_VERSION >= 9
.allowed_to_delegate_from = kdb_samba_db_allowed_to_delegate_from, .allowed_to_delegate_from = kdb_samba_db_allowed_to_delegate_from,
.issue_pac = kdb_samba_db_issue_pac, .issue_pac = kdb_samba_db_issue_pac,
#else
.sign_authdata = kdb_samba_db_sign_auth_data,
#endif
}; };

View File

@ -194,377 +194,6 @@ static krb5_error_code ks_get_pac(krb5_context context,
return code; return code;
} }
#if KRB5_KDB_DAL_MAJOR_VERSION < 9
static krb5_error_code ks_verify_pac(krb5_context context,
unsigned int flags,
krb5_const_principal client_princ,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
krb5_keyblock *server_key,
krb5_keyblock *krbtgt_key,
krb5_timestamp authtime,
krb5_authdata **tgt_auth_data,
krb5_pac *pac)
{
struct mit_samba_context *mit_ctx;
krb5_authdata **authdata = NULL;
krb5_pac ipac = NULL;
DATA_BLOB logon_data = { NULL, 0 };
krb5_error_code code;
mit_ctx = ks_get_context(context);
if (mit_ctx == NULL) {
return KRB5_KDB_DBNOTINITED;
}
/* find the existing PAC, if present */
code = krb5_find_authdata(context,
tgt_auth_data,
NULL,
KRB5_AUTHDATA_WIN2K_PAC,
&authdata);
if (code != 0) {
return code;
}
/* no pac data */
if (authdata == NULL) {
return 0;
}
SMB_ASSERT(authdata[0] != NULL);
if (authdata[1] != NULL) {
code = KRB5KDC_ERR_BADOPTION; /* XXX */
goto done;
}
code = krb5_pac_parse(context,
authdata[0]->contents,
authdata[0]->length,
&ipac);
if (code != 0) {
goto done;
}
/* TODO: verify this is correct
*
* In the constrained delegation case, the PAC is from a service
* ticket rather than a TGT; we must verify the server and KDC
* signatures to assert that the server did not forge the PAC.
*/
if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
code = krb5_pac_verify(context,
ipac,
authtime,
client_princ,
server_key,
krbtgt_key);
} else {
code = krb5_pac_verify(context,
ipac,
authtime,
client_princ,
krbtgt_key,
NULL);
}
if (code != 0) {
goto done;
}
/* check and update PAC */
code = krb5_pac_parse(context,
authdata[0]->contents,
authdata[0]->length,
pac);
if (code != 0) {
goto done;
}
code = mit_samba_reget_pac(mit_ctx,
context,
flags,
client_princ,
client,
server,
krbtgt,
krbtgt_key,
pac);
done:
krb5_free_authdata(context, authdata);
krb5_pac_free(context, ipac);
free(logon_data.data);
return code;
}
krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
unsigned int flags,
krb5_const_principal client_princ,
krb5_const_principal server_princ,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
krb5_db_entry *local_krbtgt,
krb5_keyblock *client_key,
krb5_keyblock *server_key,
krb5_keyblock *krbtgt_key,
krb5_keyblock *local_krbtgt_key,
krb5_keyblock *session_key,
krb5_timestamp authtime,
krb5_authdata **tgt_auth_data,
void *authdata_info,
krb5_data ***auth_indicators,
krb5_authdata ***signed_auth_data)
{
krb5_const_principal ks_client_princ = NULL;
krb5_db_entry *client_entry = NULL;
krb5_authdata **pac_auth_data = NULL;
krb5_authdata **authdata = NULL;
krb5_boolean is_as_req;
krb5_error_code code;
krb5_pac pac = NULL;
krb5_data pac_data;
bool with_pac = false;
bool generate_pac = false;
char *client_name = NULL;
krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
/* FIXME: We don't support S4U yet */
if (flags & KRB5_KDB_FLAGS_S4U) {
return KRB5_KDB_DBTYPE_NOSUP;
}
is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
/*
* When using s4u2proxy client_princ actually refers to the proxied user
* while client->princ to the proxy service asking for the TGS on behalf
* of the proxied user. So always use client_princ in preference.
*
* Note that when client principal is not NULL, client entry might be
* NULL for cross-realm case, so we need to make sure to not
* dereference NULL pointer here.
*/
if (client_princ != NULL) {
ks_client_princ = client_princ;
if (!is_as_req) {
krb5_boolean is_equal = false;
if (client != NULL && client->princ != NULL) {
is_equal =
krb5_principal_compare(context,
client_princ,
client->princ);
}
/*
* When client principal is the same as supplied client
* entry, don't fetch it.
*/
if (!is_equal) {
code = ks_get_principal(context,
ks_client_princ,
0,
&client_entry);
if (code != 0) {
(void)krb5_unparse_name(context,
ks_client_princ,
&client_name);
DBG_DEBUG("We didn't find the client "
"principal [%s] in our "
"database.\n",
client_name);
SAFE_FREE(client_name);
/*
* If we didn't find client_princ in our
* database it might be from another
* realm.
*/
client_entry = NULL;
}
}
}
} else {
if (client == NULL) {
*signed_auth_data = NULL;
return 0;
}
ks_client_princ = client->princ;
}
if (client_entry == NULL) {
client_entry = client;
}
if (is_as_req) {
with_pac = mit_samba_princ_needs_pac(client_entry);
} else {
with_pac = mit_samba_princ_needs_pac(server);
}
code = krb5_unparse_name(context,
client_princ,
&client_name);
if (code != 0) {
goto done;
}
if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC) != 0) {
generate_pac = true;
}
DBG_DEBUG("*** Sign data for client principal: %s [%s %s%s]\n",
client_name,
is_as_req ? "AS-REQ" : "TGS_REQ",
with_pac ? is_as_req ? "WITH_PAC" : "FIND_PAC" : "NO_PAC",
generate_pac ? " GENERATE_PAC" : "");
/*
* Generate PAC for the AS-REQ or check or generate one for the TGS if
* needed.
*/
if (with_pac && generate_pac) {
DBG_DEBUG("Generate PAC for AS-REQ [%s]\n", client_name);
code = krb5_pac_init(context, &pac);
if (code != 0) {
goto done;
}
code = ks_get_pac(context,
flags,
client_entry,
server,
NULL,
&pac);
if (code != 0) {
goto done;
}
} else if (with_pac && !is_as_req) {
/*
* Find the PAC in the TGS, if one exists.
*/
code = krb5_find_authdata(context,
tgt_auth_data,
NULL,
KRB5_AUTHDATA_WIN2K_PAC,
&pac_auth_data);
if (code != 0) {
DBG_ERR("krb5_find_authdata failed: %d\n", code);
goto done;
}
DBG_DEBUG("Found PAC data for TGS-REQ [%s]\n", client_name);
if (pac_auth_data != NULL && pac_auth_data[0] != NULL) {
if (pac_auth_data[1] != NULL) {
DBG_ERR("Invalid PAC data!\n");
code = KRB5KDC_ERR_BADOPTION;
goto done;
}
DBG_DEBUG("Verify PAC for TGS [%s]\n",
client_name);
code = ks_verify_pac(context,
flags,
ks_client_princ,
client_entry,
server,
krbtgt,
server_key,
krbtgt_key,
authtime,
tgt_auth_data,
&pac);
if (code != 0) {
goto done;
}
} else {
if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
DBG_DEBUG("Generate PAC for constrained"
"delegation TGS [%s]\n",
client_name);
code = krb5_pac_init(context, &pac);
if (code != 0) {
goto done;
}
code = ks_get_pac(context,
flags,
client_entry,
server,
NULL,
&pac);
if (code != 0 && code != ENOENT) {
goto done;
}
}
}
}
if (pac == NULL) {
DBG_DEBUG("No PAC data - we're done [%s]\n", client_name);
*signed_auth_data = NULL;
code = 0;
goto done;
}
DBG_DEBUG("Signing PAC for %s [%s]\n",
is_as_req ? "AS-REQ" : "TGS-REQ",
client_name);
code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
server_key, krbtgt_key, &pac_data);
if (code != 0) {
DBG_ERR("krb5_pac_sign failed: %d\n", code);
goto done;
}
authdata = calloc(2, sizeof(krb5_authdata *));
if (authdata == NULL) {
goto done;
}
authdata[0] = malloc(sizeof(krb5_authdata));
if (authdata[0] == NULL) {
goto done;
}
/* put in signed data */
authdata[0]->magic = KV5M_AUTHDATA;
authdata[0]->ad_type = KRB5_AUTHDATA_WIN2K_PAC;
authdata[0]->contents = (krb5_octet *)pac_data.data;
authdata[0]->length = pac_data.length;
code = krb5_encode_authdata_container(context,
KRB5_AUTHDATA_IF_RELEVANT,
authdata,
signed_auth_data);
if (code != 0) {
goto done;
}
code = 0;
done:
if (client_entry != NULL && client_entry != client) {
ks_free_principal(context, client_entry);
}
SAFE_FREE(client_name);
krb5_free_authdata(context, authdata);
krb5_pac_free(context, pac);
return code;
}
#else /* KRB5_KDB_DAL_MAJOR_VERSION >= 9 */
static krb5_error_code ks_update_pac(krb5_context context, static krb5_error_code ks_update_pac(krb5_context context,
int flags, int flags,
krb5_db_entry *client, krb5_db_entry *client,
@ -686,7 +315,6 @@ krb5_error_code kdb_samba_db_issue_pac(krb5_context context,
return code; return code;
} }
#endif /* KRB5_KDB_DAL_MAJOR_VERSION */
krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
krb5_const_principal client, krb5_const_principal client,
@ -707,7 +335,6 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
} }
#if KRB5_KDB_DAL_MAJOR_VERSION >= 9
krb5_error_code kdb_samba_db_allowed_to_delegate_from( krb5_error_code kdb_samba_db_allowed_to_delegate_from(
krb5_context context, krb5_context context,
krb5_const_principal client_principal, krb5_const_principal client_principal,
@ -731,7 +358,6 @@ krb5_error_code kdb_samba_db_allowed_to_delegate_from(
return code; return code;
} }
#endif
static void samba_bad_password_count(krb5_db_entry *client, static void samba_bad_password_count(krb5_db_entry *client,

View File

@ -220,15 +220,12 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
return ENOMEM; return ENOMEM;
} }
#if KRB5_KDB_API_VERSION >= 10
/* /*
* The MIT KDC code that wants the canonical name in all lookups, and * The MIT KDC code that wants the canonical name in all lookups, and
* takes care to canonicalize only when appropriate. * takes care to canonicalize only when appropriate.
*/ */
sflags |= SDB_F_FORCE_CANON; sflags |= SDB_F_FORCE_CANON;
#endif
#if KRB5_KDB_DAL_MAJOR_VERSION >= 9
if (kflags & KRB5_KDB_FLAG_REFERRAL_OK) { if (kflags & KRB5_KDB_FLAG_REFERRAL_OK) {
sflags |= SDB_F_CANON; sflags |= SDB_F_CANON;
} }
@ -249,33 +246,6 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
sflags |= SDB_F_FOR_TGS_REQ; sflags |= SDB_F_FOR_TGS_REQ;
} }
} }
#else /* KRB5_KDB_DAL_MAJOR_VERSION < 9 */
if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
sflags |= SDB_F_CANON;
}
if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
KRB5_KDB_FLAG_INCLUDE_PAC)) {
/*
* KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is equal to
* SDB_F_FOR_AS_REQ
*
* We use ANY to also allow AS_REQ for service principal names
* This is supported by Windows.
*/
sflags |= SDB_F_GET_ANY|SDB_F_FOR_AS_REQ;
} else {
int equal = smb_krb5_principal_is_tgs(ctx->context, principal);
if (equal == -1) {
return ENOMEM;
}
if (equal) {
sflags |= SDB_F_GET_KRBTGT;
} else {
sflags |= SDB_F_GET_SERVER|SDB_F_FOR_TGS_REQ;
}
}
#endif /* KRB5_KDB_DAL_MAJOR_VERSION */
/* always set this or the created_by data will not be populated by samba's /* always set this or the created_by data will not be populated by samba's
* backend and we will fail to parse the entry later */ * backend and we will fail to parse the entry later */
@ -617,140 +587,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
return code; return code;
} }
#if KRB5_KDB_DAL_MAJOR_VERSION < 9
krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
krb5_context context,
int kdc_flags,
krb5_const_principal client_principal,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
krb5_keyblock *krbtgt_keyblock,
krb5_pac *pac)
{
TALLOC_CTX *tmp_ctx;
krb5_error_code code;
struct samba_kdc_entry *client_skdc_entry = NULL;
struct samba_kdc_entry *krbtgt_skdc_entry = NULL;
struct samba_kdc_entry *server_skdc_entry = NULL;
struct samba_kdc_entry *delegated_proxy_entry = NULL;
krb5_principal delegated_proxy_principal = NULL;
krb5_pac new_pac = NULL;
bool is_in_db = false;
bool is_trusted = false;
uint32_t flags = SAMBA_KDC_FLAG_SKIP_PAC_BUFFER;
/* Create a memory context early so code can use talloc_stackframe() */
tmp_ctx = talloc_named(ctx, 0, "mit_samba_reget_pac context");
if (tmp_ctx == NULL) {
return ENOMEM;
}
if (client != NULL) {
client_skdc_entry =
talloc_get_type_abort(client->e_data,
struct samba_kdc_entry);
}
if (server == NULL) {
code = EINVAL;
goto done;
}
server_skdc_entry =
talloc_get_type_abort(server->e_data,
struct samba_kdc_entry);
if (krbtgt == NULL) {
code = EINVAL;
goto done;
}
krbtgt_skdc_entry =
talloc_get_type_abort(krbtgt->e_data,
struct samba_kdc_entry);
code = samba_krbtgt_is_in_db(krbtgt_skdc_entry,
&is_in_db,
&is_trusted);
if (code != 0) {
goto done;
}
if (is_trusted) {
flags |= SAMBA_KDC_FLAG_KRBTGT_IS_TRUSTED;
}
if (is_in_db) {
flags |= SAMBA_KDC_FLAG_KRBTGT_IN_DB;
}
if (kdc_flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
flags |= SAMBA_KDC_FLAG_PROTOCOL_TRANSITION;
}
if (kdc_flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
flags |= SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION;
delegated_proxy_entry = client_skdc_entry;
delegated_proxy_principal = discard_const(client_principal);
}
code = samba_kdc_verify_pac(tmp_ctx,
context,
flags,
client_skdc_entry,
krbtgt_skdc_entry,
NULL /* device */,
NULL /* device_pac */,
*pac);
if (code != 0) {
goto done;
}
/* Build an updated PAC */
code = krb5_pac_init(context, &new_pac);
if (code != 0) {
goto done;
}
code = samba_kdc_update_pac(tmp_ctx,
context,
krbtgt_skdc_entry->kdc_db_ctx->samdb,
krbtgt_skdc_entry->kdc_db_ctx->lp_ctx,
flags,
krbtgt_skdc_entry,
client_skdc_entry,
server->princ,
server_skdc_entry,
delegated_proxy_principal,
delegated_proxy_entry,
NULL /* delegated_proxy_pac */,
NULL /* device_krbtgt */,
NULL /* device */,
NULL /* device_pac */,
*pac,
new_pac,
NULL /* server_audit_info_out */,
NULL /* status_out */);
if (code != 0) {
krb5_pac_free(context, new_pac);
if (code == ENOATTR) {
krb5_pac_free(context, *pac);
*pac = NULL;
code = 0;
}
goto done;
}
/* We now replace the pac */
krb5_pac_free(context, *pac);
*pac = new_pac;
done:
talloc_free(tmp_ctx);
return code;
}
#else
krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx, krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx,
krb5_context context, krb5_context context,
int kdc_flags, int kdc_flags,
@ -871,7 +707,6 @@ done:
talloc_free(tmp_ctx); talloc_free(tmp_ctx);
return code; return code;
} }
#endif
/* provide header, function is exported but there are no public headers */ /* provide header, function is exported but there are no public headers */
@ -957,9 +792,6 @@ int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
const krb5_db_entry *server, const krb5_db_entry *server,
krb5_const_principal target_principal) krb5_const_principal target_principal)
{ {
#if KRB5_KDB_DAL_MAJOR_VERSION < 9
return KRB5KDC_ERR_BADOPTION;
#else
struct samba_kdc_entry *server_skdc_entry = struct samba_kdc_entry *server_skdc_entry =
talloc_get_type_abort(server->e_data, struct samba_kdc_entry); talloc_get_type_abort(server->e_data, struct samba_kdc_entry);
krb5_error_code code; krb5_error_code code;
@ -970,7 +802,6 @@ int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
target_principal); target_principal);
return code; return code;
#endif
} }
krb5_error_code mit_samba_check_allowed_to_delegate_from( krb5_error_code mit_samba_check_allowed_to_delegate_from(
@ -980,9 +811,6 @@ krb5_error_code mit_samba_check_allowed_to_delegate_from(
krb5_pac header_pac, krb5_pac header_pac,
const krb5_db_entry *proxy) const krb5_db_entry *proxy)
{ {
#if KRB5_KDB_DAL_MAJOR_VERSION < 8
return KRB5KDC_ERR_POLICY;
#else
struct samba_kdc_entry *proxy_skdc_entry = struct samba_kdc_entry *proxy_skdc_entry =
talloc_get_type_abort(proxy->e_data, struct samba_kdc_entry); talloc_get_type_abort(proxy->e_data, struct samba_kdc_entry);
krb5_error_code code; krb5_error_code code;
@ -995,7 +823,6 @@ krb5_error_code mit_samba_check_allowed_to_delegate_from(
proxy_skdc_entry); proxy_skdc_entry);
return code; return code;
#endif
} }
static krb5_error_code mit_samba_change_pwd_error(krb5_context context, static krb5_error_code mit_samba_change_pwd_error(krb5_context context,