1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

78 Commits

Author SHA1 Message Date
Andrew Bartlett
1e1c80656f kdc: Detect (about to) expire UF_SMARTCARD_REQUIRED accounts and rotate passwords
This ensures that before the KDC starts to process the entry
we check if it is expired and rotate it.  As an account with
UF_SMARTCARD_REQUIRED simply can not expire unless
msDS-ExpirePasswordsOnSmartCardOnlyAccounts is set and
the Domain Functional Level is >= 2016 we do not need
to do configuration checks here.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Pair-programmed-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Jo Sutton
460b1935b9 s4:kdc: Fix grammar
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-21 22:10:36 +00:00
Joseph Sutton
cf139d1421 s4:kdc: Return NTSTATUS and auditing information from samba_kdc_update_pac() to be logged
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:33 +00:00
Joseph Sutton
071ad174d9 s4:kdc: Add helper function to determine whether authentication to a server is allowed
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-25 23:29:33 +00:00
Joseph Sutton
b3a8565582 auth: Move authn_policy code into auth subsystem
This ensures that this code will still be usable by other libraries and
subsystems if Samba is built with ‘--without-ad-dc’.

We also drop dependencies on ‘ldb’ and ‘talloc’ that we shouldn’t have
needed anyway.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-06-15 05:29:28 +00:00
Joseph Sutton
6ee5c80ea9 s4:kdc: Add support for constructed claims (for authentication silos)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 18 01:58:24 UTC 2023 on atb-devel-224
2023-05-18 01:58:24 +00:00
Joseph Sutton
1fdff37105 s4:kdc: Look up authentication policies for Kerberos clients and servers
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
f547cf1db8 s4:kdc: Add helper functions for authentication policies
These functions are not yet used.

They are arranged into two libraries: ‘authn_policy’, containing the
core functions, and ‘authn_policy_util’, containing utility functions
that can access the database. This separation is so that libraries
depended upon by ‘samdb’ or ‘dsdb-module’ can use the core functions
without introducing a dependency cycle.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
bbdb3bf8a6 s4:kdc: Factor out PAC blob functions into new source file
pac-glue.c has become rather large, and can do without these PAC
blob–handling functions.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-05-18 01:03:37 +00:00
Joseph Sutton
e446e5816b s4:kdc: Add support for AD client claims
We now create a client claims blob and add it to the PAC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 08:29:32 +00:00
Joseph Sutton
3afac3f8f7 s4:kdc: Add utility functions for AD claims
get_claims_for_principal() is a new function that creates a claims blob
for a principal based on attributes in the database.

It's not hooked into the KDC yet, so this entails no change in
behaviour.

Constructed claims and certificate claims are not supported yet.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-03-31 08:29:32 +00:00
Joseph Sutton
ce3b7b27a3 CVE-2022-2031 s4:kpasswd: Require an initial ticket
Ensure that for password changes the client uses an AS-REQ to get the
ticket to kpasswd, and not a TGS-REQ.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-07-27 10:52:36 +00:00
Joseph Sutton
233ce6b2b8 s4:kdc: Add function to get user_info_dc from database
The resulting user_info_dc is kept in the 'samba_kdc_entry' structure,
so it can be reused between calls.

This allows us to simplify samba_kdc_get_pac_blobs(), as it no longer
need to return a user_info_dc structure.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-18 11:55:30 +00:00
Andrew Bartlett
c9b0b4bfc4 s4-kdc: Adapt to move from HDB auditing to KDC auditing constants
This is to adapt to:

    commit 6530021f09a5cab631be19a1b5898a0ba6b32f16
    Author: Luke Howard <lukeh@padl.com>
    Date:   Thu Jan 13 14:37:29 2022 +1100

        kdc: move auth event definitions into KDC header

        Move KDC auth event macro definitions out of hdb.h and into a new KDC header,
        kdc-audit.h.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-03-01 22:34:35 +00:00
Stefan Metzmacher
7055827b8f HEIMDAL: move code from source4/heimdal* to third_party/heimdal*
This makes it clearer that we always want to do heimdal changes
via the lorikeet-heimdal repository.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Wed Jan 19 21:41:59 UTC 2022 on sn-devel-184
2022-01-19 21:41:59 +00:00
Andrew Bartlett
b2c96d927a s4:heimdal_build: changes required to build after import
For libtommath we do this by using the list from makefile.commo
in in libtommath rather than trying to match the list by hand.

This will be easier to maintain over the long term.

Thanks to work over many years by:
 - Gary Lockyer <gary@catalyst.net.nz>
 - Stefan Metzmacher <metze@samba.org>
 - Andrew Bartlett <abartlet@samba.org>

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-19 20:50:35 +00:00
Andrew Bartlett
98cb41cb35 build: Remove kdc_include except where needed
This include was being set on too many subsystems, including some MIT-related.

This was a problem because it would then trigger the mixing of MIT and Heimdal
krb5.h files.  It is now only set on the plugins and services that use the
embedded Heimdal KDC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14924

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-12-06 20:56:33 +00:00
Andreas Schneider
5d8e794551 waf: Allow building with MIT KRB5 >= 1.20
gssrpc/xdr.h:105:1: error: function declaration isn’t a prototype
[-Werror=strict-prototypes]
  105 | typedef bool_t (*xdrproc_t)();
      | ^~~~~~~

This can't be fixed, as the protoype is variadic. It can take up to three
arguments.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-10-20 12:02:33 +00:00
Garming Sam
29cccff500 kdc: Send bad password via NETLOGON in RODC
This means that a RWDC will be collecting the badPwdCount to ensure
domain wide lockout.

TODO The parameters should be better constructed.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Garming Sam
ef0218a512 hdb: Dupe a copy of repl secrets into the KDC
When you have an RODC, this will force the fetch of secrets if not found here

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-30 08:06:06 +02:00
Andreas Schneider
dce438e18e s4-kdc: Start the kpasswd service with MIT KDC
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:10 +02:00
Andreas Schneider
a1d9e8814a s4-kdc: Add MIT Kerberos specific kpasswd code
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:10 +02:00
Andreas Schneider
6eb1ff9b47 s4-kdc: Register the MIT irpc PAC validation service
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:09 +02:00
Andreas Schneider
6b67a39f9f s4-kdc: Add MIT KRB5 based irpc service for PAC validation
Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>

Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:09 +02:00
Andreas Schneider
32e772b4b9 s4-kdc: Add a MIT Kerberos KDC service
This starts the krb5kdc binary shipped with MIT Kerberos.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2017-04-29 23:31:09 +02:00
Gary Lockyer
8154acfd0d auth: Generate a human readable Authentication log message.
Add a human readable authentication log line, to allow
verification that all required details are being passed.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:26 +02:00
Stefan Metzmacher
4b295b106c wscript: remove executable bits for all wscript* files
These files should not be executable.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 11 20:21:01 CET 2017 on sn-devel-144
2017-01-11 20:21:01 +01:00
Andreas Schneider
510e504a5b s4-kdc: Switch to the new kpasswd service implementation
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-13 00:19:26 +02:00
Andreas Schneider
7e4c996bb1 s4-kdc: Add new kpasswd service Heimdal backend
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-13 00:19:25 +02:00
Andreas Schneider
69749b6130 s4-kdc: Add a new kpasswd service implementation
This function is intended to be be passed to kdc_add_socket(). The
function kpasswd_handle_request() which is called by kpasswd_process()
is Kerberos implementation specific and should be implemented in a
kpasswd-service-<kerberos flavour>.c file.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-13 00:19:25 +02:00
Andreas Schneider
f9de99ce9b s4-kdc: Move kpasswd_make_error_reply() to a helper file
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-09-11 02:58:22 +02:00
Andreas Schneider
3de3f643a8 s4-kdc: Move KDC packet handling functions to kdc-server.c
Create an Kerberos implmentation independent KDC-SERVER subsystem so we
can use it to implement a kpasswd server with MIT Kerberos in future.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Jun 19 03:31:32 CEST 2016 on sn-devel-144
2016-06-19 03:31:32 +02:00
Andreas Schneider
379ed08754 s4-kdc: Rename proxy-heimdal.c to kdc-proxy.c
The plan is to have a KDC-SERVER subsystem later.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-18 23:32:26 +02:00
Andreas Schneider
de88bfc770 s4-kdc: Rename heimdal KDC files
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2016-06-18 23:32:26 +02:00
Ralph Boehme
3116e8d3be s4: add a minimal ktutil for selftest
This minimalistic version of ktutil dumps all principal names and
encryption types from a keytab, eg:

./bin/samba4ktutil test.keytab
ktpassuser@HILLHOUSE.SITE (arcfour-hmac-md5)
ktpassuser@HILLHOUSE.SITE (aes256-cts-hmac-sha1-96)
ktpassuser@HILLHOUSE.SITE (aes128-cts-hmac-sha1-96)
ktpassuser@HILLHOUSE.SITE (des-cbc-md5)
ktpassuser@HILLHOUSE.SITE (des-cbc-crc)

This is all we need to run some tests against keytabs exported with
`samba-tool domain exportkeytab`.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-04-25 10:35:14 +02:00
Andreas Schneider
ade958e20b mit-kdb: Add initial MIT KDB Samba driver
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Simo Sorce <idra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Simo Sorce <idra@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:28 +01:00
Andreas Schneider
909e7f9ff6 mit_samba: Add function to change the password
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:28 +01:00
Andreas Schneider
33fcc76aa7 mit_samba: Make mit_samba a shim layer between Samba and KDB
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:27 +01:00
Günther Deschner
209d4b5b28 mit_samba: Use sdb in the mit_samba plugin
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:27 +01:00
Günther Deschner
6825a61b0b s4-kdc: Introduce a simple sdb_kdb shim layer
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2016-03-17 04:32:27 +01:00
Andreas Schneider
78075cfcda waf: Add talloc as a dependency
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Aug  5 04:08:30 CEST 2015 on sn-devel-104
2015-08-05 04:08:30 +02:00
Günther Deschner
d49b4aafa8 s4-kdc: Use sdb in db-glue and hdb-samba4
Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul 30 13:29:27 CEST 2015 on sn-devel-104
2015-07-30 13:29:27 +02:00
Günther Deschner
99d3719e7d s4-kdc: Introduce a simple sdb_hdb shim layer
Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-30 10:24:26 +02:00
Günther Deschner
85a041bab5 s4-kdc: Introduce sdb a KDC backend abstraction
Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-30 10:24:26 +02:00
Günther Deschner
535035affc s4-kdc: PAC_GLUE does not depend on hdb anymore.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-30 10:24:26 +02:00
Günther Deschner
ae607c0d05 s4-kdc_kpasswd: split out some code to a KPASSWD_GLUE subsystem.
This can then be easier shared with MIT's kadmin services for kpasswd services.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-21 19:04:14 +02:00
Günther Deschner
a7705ad060 s4-kdc: move kdc_check_pac() to a new subsystem KDC-GLUE.
This subsystem should be used to provide shared code between the s4 heimdal kdc
and the s4 heimdal wdc plugin.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-21 19:04:14 +02:00
Andreas Schneider
52e6d91d34 waf: Make mit_samba a subsystem and do not build with Heimdal
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2015-07-21 19:04:14 +02:00
Günther Deschner
1afd3d3262 s4-kdc: build some kdc components only for Heimdal KDCs.
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2015-03-27 01:26:16 +01:00
Stefan Metzmacher
4bb9aca900 s4:kdc: remove unused allow_warnings=True for 'MIT_SAMBA'
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2014-11-25 07:25:45 +01:00