/* * Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd. * Copyright (c) 2004-2009, Andrew Bartlett . * Copyright (c) 2004, Stefan Metzmacher * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of PADL Software nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include "includes.h" #include "kdc/kdc-glue.h" #include "kdc/db-glue.h" #include "kdc/pac-glue.h" #include "auth/auth_sam.h" #include "auth/common_auth.h" #include "auth/authn_policy.h" #include #include "sdb.h" #include "sdb_hdb.h" #include "dsdb/samdb/samdb.h" #include "param/param.h" #include "../lib/tsocket/tsocket.h" #include "librpc/gen_ndr/ndr_winbind_c.h" #include "lib/messaging/irpc.h" #include "hdb.h" #include #include #undef DBGC_CLASS #define DBGC_CLASS DBGC_KERBEROS static krb5_error_code hdb_samba4_open(krb5_context context, HDB *db, int flags, mode_t mode) { if (db->hdb_master_key_set) { krb5_error_code ret = HDB_ERR_NOENTRY; krb5_warnx(context, "hdb_samba4_open: use of a master key incompatible with LDB\n"); krb5_set_error_message(context, ret, "hdb_samba4_open: use of a master key incompatible with LDB\n"); return ret; } return 0; } static krb5_error_code hdb_samba4_close(krb5_context context, HDB *db) { return 0; } static krb5_error_code hdb_samba4_lock(krb5_context context, HDB *db, int operation) { return 0; } static krb5_error_code hdb_samba4_unlock(krb5_context context, HDB *db) { return 0; } static krb5_error_code hdb_samba4_rename(krb5_context context, HDB *db, const char *new_name) { return HDB_ERR_DB_INUSE; } static krb5_error_code hdb_samba4_store(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry) { return HDB_ERR_DB_INUSE; } /* * If we ever want kadmin to work fast, we might try and reopen the * ldb with LDB_NOSYNC */ static krb5_error_code hdb_samba4_set_sync(krb5_context context, struct HDB *db, int set_sync) { return 0; } static void hdb_samba4_free_entry_context(krb5_context context, struct HDB *db, hdb_entry *entry) { /* * This function is now called for every HDB entry, not just those with * 'context' set, so we have to check that the context is not NULL. */ if (entry->context != NULL) { struct samba_kdc_entry *skdc_entry = talloc_get_type_abort(entry->context, struct samba_kdc_entry); /* this function is called only from hdb_free_entry(). * Make sure we neutralize the destructor or we will * get a double free later when hdb_free_entry() will * try to call free_hdb_entry() */ entry->context = NULL; skdc_entry->kdc_entry = NULL; TALLOC_FREE(skdc_entry); } } static krb5_error_code hdb_samba4_fetch_fast_cookie(krb5_context context, struct samba_kdc_db_context *kdc_db_ctx, hdb_entry *entry) { DBG_ERR("Looked up HDB entry for unsupported FX-COOKIE.\n"); return HDB_ERR_NOENTRY; } static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal principal, unsigned flags, krb5_kvno kvno, hdb_entry *entry) { struct samba_kdc_db_context *kdc_db_ctx; struct sdb_entry sentry = {}; krb5_error_code code, ret; uint32_t sflags; kdc_db_ctx = talloc_get_type_abort(db->hdb_db, struct samba_kdc_db_context); if (flags & HDB_F_GET_FAST_COOKIE) { return hdb_samba4_fetch_fast_cookie(context, kdc_db_ctx, entry); } sflags = (flags & SDB_F_HDB_MASK); ret = samba_kdc_fetch(context, kdc_db_ctx, principal, sflags, kvno, &sentry); switch (ret) { case 0: code = 0; break; case SDB_ERR_WRONG_REALM: /* * If SDB_ERR_WRONG_REALM is returned we need to process the * sdb_entry to fill the principal in the HDB entry. */ code = HDB_ERR_WRONG_REALM; break; case SDB_ERR_NOENTRY: return HDB_ERR_NOENTRY; case SDB_ERR_NOT_FOUND_HERE: return HDB_ERR_NOT_FOUND_HERE; default: return ret; } ret = sdb_entry_to_hdb_entry(context, &sentry, entry); sdb_entry_free(&sentry); if (code == 0) { code = ret; } return code; } static krb5_error_code hdb_samba4_kpasswd_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal _principal, unsigned flags, krb5_kvno _kvno, hdb_entry *entry) { struct samba_kdc_db_context *kdc_db_ctx = NULL; krb5_error_code ret; krb5_principal kpasswd_principal = NULL; kdc_db_ctx = talloc_get_type_abort(db->hdb_db, struct samba_kdc_db_context); ret = smb_krb5_make_principal(context, &kpasswd_principal, lpcfg_realm(kdc_db_ctx->lp_ctx), "kadmin", "changepw", NULL); if (ret) { return ret; } smb_krb5_principal_set_type(context, kpasswd_principal, KRB5_NT_SRV_INST); /* * For the kpasswd service, always ensure we get the latest kvno. This * also means we (correctly) refuse RODC-issued tickets. */ flags &= ~HDB_F_KVNO_SPECIFIED; /* Don't bother looking up a client or krbtgt. */ flags &= ~(HDB_F_GET_CLIENT|HDB_F_GET_KRBTGT); ret = hdb_samba4_fetch_kvno(context, db, kpasswd_principal, flags, 0, entry); krb5_free_principal(context, kpasswd_principal); return ret; } static krb5_error_code hdb_samba4_firstkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry) { struct samba_kdc_db_context *kdc_db_ctx; struct sdb_entry sentry = {}; krb5_error_code ret; kdc_db_ctx = talloc_get_type_abort(db->hdb_db, struct samba_kdc_db_context); ret = samba_kdc_firstkey(context, kdc_db_ctx, SDB_F_ADMIN_DATA, &sentry); switch (ret) { case 0: break; case SDB_ERR_WRONG_REALM: return HDB_ERR_WRONG_REALM; case SDB_ERR_NOENTRY: return HDB_ERR_NOENTRY; case SDB_ERR_NOT_FOUND_HERE: return HDB_ERR_NOT_FOUND_HERE; default: return ret; } ret = sdb_entry_to_hdb_entry(context, &sentry, entry); sdb_entry_free(&sentry); return ret; } static krb5_error_code hdb_samba4_nextkey(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry) { struct samba_kdc_db_context *kdc_db_ctx; struct sdb_entry sentry = {}; krb5_error_code ret; kdc_db_ctx = talloc_get_type_abort(db->hdb_db, struct samba_kdc_db_context); ret = samba_kdc_nextkey(context, kdc_db_ctx, SDB_F_ADMIN_DATA, &sentry); switch (ret) { case 0: break; case SDB_ERR_WRONG_REALM: return HDB_ERR_WRONG_REALM; case SDB_ERR_NOENTRY: return HDB_ERR_NOENTRY; case SDB_ERR_NOT_FOUND_HERE: return HDB_ERR_NOT_FOUND_HERE; default: return ret; } ret = sdb_entry_to_hdb_entry(context, &sentry, entry); sdb_entry_free(&sentry); return ret; } static krb5_error_code hdb_samba4_nextkey_panic(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry) { DBG_ERR("Attempt to iterate kpasswd keytab => PANIC\n"); smb_panic("hdb_samba4_nextkey_panic: Attempt to iterate kpasswd keytab"); } static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db) { talloc_free(db); return 0; } static krb5_error_code hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db, hdb_entry *entry, krb5_const_principal target_principal) { struct samba_kdc_db_context *kdc_db_ctx = NULL; struct samba_kdc_entry *skdc_entry = NULL; kdc_db_ctx = talloc_get_type_abort(db->hdb_db, struct samba_kdc_db_context); skdc_entry = talloc_get_type_abort(entry->context, struct samba_kdc_entry); return samba_kdc_check_s4u2proxy(context, kdc_db_ctx, skdc_entry, target_principal); } static krb5_error_code hdb_samba4_check_rbcd(krb5_context context, HDB *db, const hdb_entry *client_krbtgt, const hdb_entry *client, const hdb_entry *device_krbtgt, const hdb_entry *device, krb5_const_principal server_principal, krb5_const_pac header_pac, krb5_const_pac device_pac, const hdb_entry *proxy) { struct samba_kdc_db_context *kdc_db_ctx = NULL; struct samba_kdc_entry *client_skdc_entry = NULL; const struct samba_kdc_entry *client_krbtgt_skdc_entry = NULL; struct samba_kdc_entry *proxy_skdc_entry = NULL; const struct auth_user_info_dc *client_info = NULL; const struct auth_user_info_dc *device_info = NULL; struct samba_kdc_entry_pac client_pac_entry = {}; struct auth_claims auth_claims = {}; TALLOC_CTX *mem_ctx = NULL; krb5_error_code code; kdc_db_ctx = talloc_get_type_abort(db->hdb_db, struct samba_kdc_db_context); client_skdc_entry = talloc_get_type_abort(client->context, struct samba_kdc_entry); client_krbtgt_skdc_entry = talloc_get_type_abort(client_krbtgt->context, struct samba_kdc_entry); proxy_skdc_entry = talloc_get_type_abort(proxy->context, struct samba_kdc_entry); mem_ctx = talloc_new(kdc_db_ctx); if (mem_ctx == NULL) { return ENOMEM; } client_pac_entry = samba_kdc_entry_pac(header_pac, client_skdc_entry, samba_kdc_entry_is_trust(client_krbtgt_skdc_entry)); code = samba_kdc_get_user_info_dc(mem_ctx, context, kdc_db_ctx->samdb, client_pac_entry, &client_info, NULL /* resource_groups_out */); if (code != 0) { goto out; } code = samba_kdc_get_claims_data(mem_ctx, context, kdc_db_ctx->samdb, client_pac_entry, &auth_claims.user_claims); if (code) { goto out; } if (device != NULL) { struct samba_kdc_entry *device_skdc_entry = NULL; const struct samba_kdc_entry *device_krbtgt_skdc_entry = NULL; struct samba_kdc_entry_pac device_pac_entry = {}; device_skdc_entry = talloc_get_type_abort(device->context, struct samba_kdc_entry); if (device_krbtgt != NULL) { device_krbtgt_skdc_entry = talloc_get_type_abort(device_krbtgt->context, struct samba_kdc_entry); } device_pac_entry = samba_kdc_entry_pac(device_pac, device_skdc_entry, samba_kdc_entry_is_trust(device_krbtgt_skdc_entry)); code = samba_kdc_get_user_info_dc(mem_ctx, context, kdc_db_ctx->samdb, device_pac_entry, &device_info, NULL /* resource_groups_out */); if (code) { goto out; } code = samba_kdc_get_claims_data(mem_ctx, context, kdc_db_ctx->samdb, device_pac_entry, &auth_claims.device_claims); if (code) { goto out; } } code = samba_kdc_check_s4u2proxy_rbcd(context, kdc_db_ctx, client->principal, server_principal, client_info, device_info, auth_claims, proxy_skdc_entry); out: talloc_free(mem_ctx); return code; } static krb5_error_code hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db, hdb_entry *entry, krb5_const_principal certificate_principal) { struct samba_kdc_db_context *kdc_db_ctx; struct samba_kdc_entry *skdc_entry; krb5_error_code ret; kdc_db_ctx = talloc_get_type_abort(db->hdb_db, struct samba_kdc_db_context); skdc_entry = talloc_get_type_abort(entry->context, struct samba_kdc_entry); ret = samba_kdc_check_pkinit_ms_upn_match(context, kdc_db_ctx, skdc_entry, certificate_principal); switch (ret) { case 0: break; case SDB_ERR_WRONG_REALM: ret = HDB_ERR_WRONG_REALM; break; case SDB_ERR_NOENTRY: ret = HDB_ERR_NOENTRY; break; case SDB_ERR_NOT_FOUND_HERE: ret = HDB_ERR_NOT_FOUND_HERE; break; default: break; } return ret; } static krb5_error_code hdb_samba4_check_client_matches_target_service(krb5_context context, HDB *db, hdb_entry *client_entry, hdb_entry *server_target_entry) { struct samba_kdc_entry *skdc_client_entry = talloc_get_type_abort(client_entry->context, struct samba_kdc_entry); struct samba_kdc_entry *skdc_server_target_entry = talloc_get_type_abort(server_target_entry->context, struct samba_kdc_entry); return samba_kdc_check_client_matches_target_service(context, skdc_client_entry, skdc_server_target_entry); } static void reset_bad_password_netlogon(TALLOC_CTX *mem_ctx, struct samba_kdc_db_context *kdc_db_ctx, struct netr_SendToSamBase *send_to_sam) { struct dcerpc_binding_handle *irpc_handle; struct winbind_SendToSam req; struct tevent_req *subreq = NULL; irpc_handle = irpc_binding_handle_by_name(mem_ctx, kdc_db_ctx->msg_ctx, "winbind_server", &ndr_table_winbind); if (irpc_handle == NULL) { DBG_ERR("No winbind_server running!\n"); return; } req.in.message = *send_to_sam; /* * This seem to rely on the current IRPC implementation, * which delivers the message in the _send function. * * TODO: we need a ONE_WAY IRPC handle and register * a callback and wait for it to be triggered! */ subreq = dcerpc_winbind_SendToSam_r_send(mem_ctx, kdc_db_ctx->ev_ctx, irpc_handle, &req); /* we aren't interested in a reply */ TALLOC_FREE(subreq); } #define SAMBA_HDB_AUTHN_AUDIT_INFO_OBJ "samba:authn_audit_info_obj" #define SAMBA_HDB_CLIENT_AUDIT_INFO "samba:client_audit_info" #define SAMBA_HDB_SERVER_AUDIT_INFO "samba:server_audit_info" #define SAMBA_HDB_NT_STATUS_OBJ "samba:nt_status_obj" #define SAMBA_HDB_NT_STATUS "samba:nt_status" struct hdb_audit_info_obj { struct authn_audit_info *audit_info; }; static void hdb_audit_info_obj_dealloc(void *ptr) { struct hdb_audit_info_obj *audit_info_obj = ptr; if (audit_info_obj == NULL) { return; } TALLOC_FREE(audit_info_obj->audit_info); } /* * Set talloc-allocated auditing information of the KDC request. On success, * ‘audit_info’ is invalidated and may no longer be used by the caller. */ static krb5_error_code hdb_samba4_set_steal_audit_info(astgs_request_t r, const char *key, struct authn_audit_info *audit_info) { struct hdb_audit_info_obj *audit_info_obj = NULL; audit_info_obj = kdc_object_alloc(sizeof (*audit_info_obj), SAMBA_HDB_AUTHN_AUDIT_INFO_OBJ, hdb_audit_info_obj_dealloc); if (audit_info_obj == NULL) { return ENOMEM; } /* * Steal a handle to the audit information onto the NULL context — * Heimdal will be responsible for the deallocation of the object. */ audit_info_obj->audit_info = talloc_steal(NULL, audit_info); heim_audit_setkv_object((heim_svc_req_desc)r, key, audit_info_obj); heim_release(audit_info_obj); return 0; } /* * Set talloc-allocated client auditing information of the KDC request. On * success, ‘client_audit_info’ is invalidated and may no longer be used by the * caller. */ krb5_error_code hdb_samba4_set_steal_client_audit_info(astgs_request_t r, struct authn_audit_info *client_audit_info) { return hdb_samba4_set_steal_audit_info(r, SAMBA_HDB_CLIENT_AUDIT_INFO, client_audit_info); } static const struct authn_audit_info *hdb_samba4_get_client_audit_info(hdb_request_t r) { const struct hdb_audit_info_obj *audit_info_obj = NULL; audit_info_obj = heim_audit_getkv((heim_svc_req_desc)r, SAMBA_HDB_CLIENT_AUDIT_INFO); if (audit_info_obj == NULL) { return NULL; } return audit_info_obj->audit_info; } /* * Set talloc-allocated server auditing information of the KDC request. On * success, ‘server_audit_info’ is invalidated and may no longer be used by the * caller. */ krb5_error_code hdb_samba4_set_steal_server_audit_info(astgs_request_t r, struct authn_audit_info *server_audit_info) { return hdb_samba4_set_steal_audit_info(r, SAMBA_HDB_SERVER_AUDIT_INFO, server_audit_info); } static const struct authn_audit_info *hdb_samba4_get_server_audit_info(hdb_request_t r) { const struct hdb_audit_info_obj *audit_info_obj = NULL; audit_info_obj = heim_audit_getkv((heim_svc_req_desc)r, SAMBA_HDB_SERVER_AUDIT_INFO); if (audit_info_obj == NULL) { return NULL; } return audit_info_obj->audit_info; } struct hdb_ntstatus_obj { NTSTATUS status; krb5_error_code current_error; }; /* * Add an NTSTATUS code to a Kerberos request. ‘error’ is the error value we * want to return to the client. When it comes time to generating the error * request, we shall compare this error value to whatever error we are about to * return; if the two match, we shall replace the ‘e-data’ field in the reply * with the NTSTATUS code. */ krb5_error_code hdb_samba4_set_ntstatus(astgs_request_t r, const NTSTATUS status, const krb5_error_code error) { struct hdb_ntstatus_obj *status_obj = NULL; status_obj = kdc_object_alloc(sizeof (*status_obj), SAMBA_HDB_NT_STATUS_OBJ, NULL); if (status_obj == NULL) { return ENOMEM; } *status_obj = (struct hdb_ntstatus_obj) { .status = status, .current_error = error, }; heim_audit_setkv_object((heim_svc_req_desc)r, SAMBA_HDB_NT_STATUS, status_obj); heim_release(status_obj); return 0; } static krb5_error_code hdb_samba4_make_nt_status_edata(const NTSTATUS status, const uint32_t flags, krb5_data *edata_out) { const uint32_t status_code = NT_STATUS_V(status); const uint32_t zero = 0; KERB_ERROR_DATA error_data; krb5_data e_data; krb5_error_code ret; size_t size; /* The raw KERB-ERR-TYPE-EXTENDED structure. */ uint8_t data[12]; PUSH_LE_U32(data, 0, status_code); PUSH_LE_U32(data, 4, zero); PUSH_LE_U32(data, 8, flags); e_data = (krb5_data) { .data = &data, .length = sizeof(data), }; error_data = (KERB_ERROR_DATA) { .data_type = kERB_ERR_TYPE_EXTENDED, .data_value = &e_data, }; ASN1_MALLOC_ENCODE(KERB_ERROR_DATA, edata_out->data, edata_out->length, &error_data, &size, ret); if (ret) { return ret; } if (size != edata_out->length) { /* Internal ASN.1 encoder error */ krb5_data_free(edata_out); return KRB5KRB_ERR_GENERIC; } return 0; } static krb5_error_code hdb_samba4_set_edata_from_ntstatus(hdb_request_t r, const NTSTATUS status) { const KDC_REQ *req = kdc_request_get_req((astgs_request_t)r); krb5_error_code ret = 0; krb5_data e_data; uint32_t flags = 1; if (req->msg_type == krb_tgs_req) { /* This flag is used to indicate a TGS-REQ. */ flags |= 2; } ret = hdb_samba4_make_nt_status_edata(status, flags, &e_data); if (ret) { return ret; } ret = kdc_request_set_e_data((astgs_request_t)r, e_data); if (ret) { krb5_data_free(&e_data); } return ret; } static NTSTATUS hdb_samba4_get_ntstatus(hdb_request_t r) { struct hdb_ntstatus_obj *status_obj = NULL; status_obj = heim_audit_getkv((heim_svc_req_desc)r, SAMBA_HDB_NT_STATUS); if (status_obj == NULL) { return NT_STATUS_OK; } if (r->error_code != status_obj->current_error) { /* * The error code has changed from what we expect. Consider the * NTSTATUS to be invalidated. */ return NT_STATUS_OK; } return status_obj->status; } static krb5_error_code hdb_samba4_tgs_audit(const struct samba_kdc_db_context *kdc_db_ctx, const hdb_entry *entry, hdb_request_t r) { TALLOC_CTX *frame = talloc_stackframe(); const struct authn_audit_info *server_audit_info = NULL; struct tsocket_address *remote_host = NULL; struct samba_kdc_entry *client_entry = NULL; struct dom_sid sid_buf = {}; const char *account_name = NULL; const char *domain_name = NULL; const struct dom_sid *sid = NULL; size_t sa_socklen = 0; NTSTATUS auth_status = NT_STATUS_OK; krb5_error_code ret = 0; krb5_error_code final_ret = 0; /* Have we got a status code indicating an error? */ auth_status = hdb_samba4_get_ntstatus(r); if (!NT_STATUS_IS_OK(auth_status)) { /* * Include this status code in the ‘e-data’ field of the reply. */ ret = hdb_samba4_set_edata_from_ntstatus(r, auth_status); if (ret) { final_ret = ret; } } else if (entry == NULL) { auth_status = NT_STATUS_NO_SUCH_USER; } else if (r->error_code) { /* * Don’t include a status code in the reply. Just log the * request as being unsuccessful. */ auth_status = NT_STATUS_UNSUCCESSFUL; } switch (r->addr->sa_family) { case AF_INET: sa_socklen = sizeof(struct sockaddr_in); break; #ifdef HAVE_IPV6 case AF_INET6: sa_socklen = sizeof(struct sockaddr_in6); break; #endif } ret = tsocket_address_bsd_from_sockaddr(frame, r->addr, sa_socklen, &remote_host); if (ret != 0) { remote_host = NULL; /* Ignore the error. */ } server_audit_info = hdb_samba4_get_server_audit_info(r); if (entry != NULL) { client_entry = talloc_get_type_abort(entry->context, struct samba_kdc_entry); ret = samdb_result_dom_sid_buf(client_entry->msg, "objectSid", &sid_buf); if (ret) { /* Ignore the error. */ } else { sid = &sid_buf; } account_name = ldb_msg_find_attr_as_string(client_entry->msg, "sAMAccountName", NULL); domain_name = lpcfg_sam_name(kdc_db_ctx->lp_ctx); } log_authz_event(kdc_db_ctx->msg_ctx, kdc_db_ctx->lp_ctx, remote_host, NULL /* local */, server_audit_info, r->sname, "TGS-REQ with Ticket-Granting Ticket", domain_name, account_name, sid, lpcfg_netbios_name(kdc_db_ctx->lp_ctx), krb5_kdc_get_time(), auth_status); talloc_free(frame); if (final_ret) { r->error_code = final_ret; } return final_ret; } static krb5_error_code hdb_samba4_audit(krb5_context context, HDB *db, hdb_entry *entry, hdb_request_t r) { struct samba_kdc_db_context *kdc_db_ctx = talloc_get_type_abort(db->hdb_db, struct samba_kdc_db_context); struct ldb_dn *domain_dn = ldb_get_default_basedn(kdc_db_ctx->samdb); heim_object_t auth_details_obj = NULL; const char *auth_details = NULL; char *etype_str = NULL; heim_object_t hdb_auth_status_obj = NULL; int hdb_auth_status; heim_object_t pa_type_obj = NULL; const char *pa_type = NULL; struct auth_usersupplied_info ui; size_t sa_socklen = 0; const KDC_REQ *req = kdc_request_get_req((astgs_request_t)r); krb5_error_code final_ret = 0; NTSTATUS edata_status; if (req->msg_type == krb_tgs_req) { return hdb_samba4_tgs_audit(kdc_db_ctx, entry, r); } if (r->error_code == KRB5KDC_ERR_PREAUTH_REQUIRED) { /* Let’s not log PREAUTH_REQUIRED errors. */ return 0; } edata_status = hdb_samba4_get_ntstatus(r); hdb_auth_status_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_AUTH_EVENT); if (hdb_auth_status_obj == NULL) { /* No status code found, so just return. */ return 0; } hdb_auth_status = heim_number_get_int(hdb_auth_status_obj); pa_type_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_PA_NAME); if (pa_type_obj != NULL) { pa_type = heim_string_get_utf8(pa_type_obj); } auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_PKINIT_CLIENT_CERT); if (auth_details_obj != NULL) { auth_details = heim_string_get_utf8(auth_details_obj); } else { auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_GSS_INITIATOR); if (auth_details_obj != NULL) { auth_details = heim_string_get_utf8(auth_details_obj); } else { heim_object_t etype_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_PA_ETYPE); if (etype_obj != NULL) { int etype = heim_number_get_int(etype_obj); krb5_error_code ret = krb5_enctype_to_string(r->context, etype, &etype_str); if (ret == 0) { auth_details = etype_str; } else { auth_details = "unknown enctype"; } } } } /* * Forcing this via the NTLM auth structure is not ideal, but * it is the most practical option right now, and ensures the * logs are consistent, even if some elements are always NULL. */ ui = (struct auth_usersupplied_info) { .was_mapped = true, .client = { .account_name = r->cname, .domain_name = NULL, }, .service_description = "Kerberos KDC", .auth_description = "Unknown Auth Description", .password_type = auth_details, .logon_id = generate_random_u64(), }; switch (r->addr->sa_family) { case AF_INET: sa_socklen = sizeof(struct sockaddr_in); break; #ifdef HAVE_IPV6 case AF_INET6: sa_socklen = sizeof(struct sockaddr_in6); break; #endif } switch (hdb_auth_status) { default: { TALLOC_CTX *frame = talloc_stackframe(); struct samba_kdc_entry *p = talloc_get_type_abort(entry->context, struct samba_kdc_entry); struct dom_sid *sid = samdb_result_dom_sid(frame, p->msg, "objectSid"); const char *account_name = ldb_msg_find_attr_as_string(p->msg, "sAMAccountName", NULL); const char *domain_name = lpcfg_sam_name(p->kdc_db_ctx->lp_ctx); struct tsocket_address *remote_host; const char *auth_description = NULL; const struct authn_audit_info *client_audit_info = NULL; const struct authn_audit_info *server_audit_info = NULL; NTSTATUS status; int ret; bool rwdc_fallback = false; ret = tsocket_address_bsd_from_sockaddr(frame, r->addr, sa_socklen, &remote_host); if (ret != 0) { ui.remote_host = NULL; } else { ui.remote_host = remote_host; } ui.mapped.account_name = account_name; ui.mapped.domain_name = domain_name; if (pa_type != NULL) { auth_description = talloc_asprintf(frame, "%s Pre-authentication", pa_type); if (auth_description == NULL) { auth_description = pa_type; } } else { auth_description = "Unknown Pre-authentication"; } ui.auth_description = auth_description; if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_AUTHORIZED) { struct netr_SendToSamBase *send_to_sam = NULL; /* * TODO: We could log the AS-REQ authorization success here as * well. However before we do that, we need to pass * in the PAC here or re-calculate it. */ status = authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg, domain_dn, true, frame, &send_to_sam); if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) { edata_status = status; r->error_code = final_ret = KRB5KDC_ERR_CLIENT_REVOKED; rwdc_fallback = kdc_db_ctx->rodc; } else if (!NT_STATUS_IS_OK(status)) { r->error_code = final_ret = KRB5KDC_ERR_CLIENT_REVOKED; rwdc_fallback = kdc_db_ctx->rodc; } else { if (r->error_code == KRB5KDC_ERR_NEVER_VALID) { edata_status = status = NT_STATUS_TIME_DIFFERENCE_AT_DC; } else { status = krb5_to_nt_status(r->error_code); } if (kdc_db_ctx->rodc && send_to_sam != NULL) { reset_bad_password_netlogon(frame, kdc_db_ctx, send_to_sam); } } /* This is the final success */ } else if (hdb_auth_status == KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) { /* * This was only a pre-authentication success, * but we didn't reach the final * KDC_AUTH_EVENT_CLIENT_AUTHORIZED, * so consult the error code. */ if (r->error_code == 0) { DBG_ERR("ERROR: VALIDATED_LONG_TERM_KEY " "with error=0 => INTERNAL_ERROR\n"); status = NT_STATUS_INTERNAL_ERROR; r->error_code = final_ret = KRB5KRB_ERR_GENERIC; } else if (!NT_STATUS_IS_OK(p->reject_status)) { status = p->reject_status; } else { status = krb5_to_nt_status(r->error_code); } } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_SUCCEEDED) { /* * This was only a pre-authentication success, * but we didn't reach the final * KDC_AUTH_EVENT_CLIENT_AUTHORIZED, * so consult the error code. */ if (r->error_code == 0) { DBG_ERR("ERROR: PREAUTH_SUCCEEDED " "with error=0 => INTERNAL_ERROR\n"); status = NT_STATUS_INTERNAL_ERROR; r->error_code = final_ret = KRB5KRB_ERR_GENERIC; } else if (!NT_STATUS_IS_OK(p->reject_status)) { status = p->reject_status; } else { status = krb5_to_nt_status(r->error_code); } } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_FOUND) { /* * We found the client principal, * but we didn’t reach the final * KDC_AUTH_EVENT_CLIENT_AUTHORIZED, * so consult the error code. */ if (r->error_code == 0) { DBG_ERR("ERROR: CLIENT_FOUND " "with error=0 => INTERNAL_ERROR\n"); status = NT_STATUS_INTERNAL_ERROR; r->error_code = final_ret = KRB5KRB_ERR_GENERIC; } else if (!NT_STATUS_IS_OK(p->reject_status)) { status = p->reject_status; } else { status = krb5_to_nt_status(r->error_code); } } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_TIME_SKEW) { status = NT_STATUS_TIME_DIFFERENCE_AT_DC; } else if (hdb_auth_status == KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY) { status = authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn); if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) { edata_status = status; r->error_code = final_ret = KRB5KDC_ERR_CLIENT_REVOKED; } else { status = NT_STATUS_WRONG_PASSWORD; } rwdc_fallback = kdc_db_ctx->rodc; } else if (hdb_auth_status == KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY) { /* * The pre-authentication succeeds with a password * from the password history, so we don't * update the badPwdCount, but still return * PREAUTH_FAILED and need to forward to * a RWDC in order to produce an authoritative * response for the client. */ status = NT_STATUS_WRONG_PASSWORD; rwdc_fallback = kdc_db_ctx->rodc; } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_LOCKED_OUT) { edata_status = status = NT_STATUS_ACCOUNT_LOCKED_OUT; rwdc_fallback = kdc_db_ctx->rodc; } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED) { if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) { status = NT_STATUS_PKINIT_NAME_MISMATCH; } else { status = NT_STATUS_ACCOUNT_RESTRICTION; } rwdc_fallback = kdc_db_ctx->rodc; } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_FAILED) { if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) { status = NT_STATUS_PKINIT_FAILURE; } else { status = NT_STATUS_GENERIC_COMMAND_FAILED; } rwdc_fallback = kdc_db_ctx->rodc; } else { DBG_ERR("Unhandled hdb_auth_status=%d => INTERNAL_ERROR\n", hdb_auth_status); status = NT_STATUS_INTERNAL_ERROR; r->error_code = final_ret = KRB5KRB_ERR_GENERIC; } if (!NT_STATUS_IS_OK(edata_status)) { krb5_error_code code; code = hdb_samba4_set_edata_from_ntstatus(r, edata_status); if (code) { r->error_code = final_ret = code; } } if (rwdc_fallback) { /* * Forward the request to an RWDC in order * to give an authoritative answer to the client. */ auth_description = talloc_asprintf(frame, "%s,Forward-To-RWDC", ui.auth_description); if (auth_description != NULL) { ui.auth_description = auth_description; } final_ret = HDB_ERR_NOT_FOUND_HERE; } client_audit_info = hdb_samba4_get_client_audit_info(r); server_audit_info = hdb_samba4_get_server_audit_info(r); log_authentication_event(kdc_db_ctx->msg_ctx, kdc_db_ctx->lp_ctx, &r->tv_start, &ui, status, domain_name, account_name, sid, client_audit_info, server_audit_info); if (final_ret == KRB5KRB_ERR_GENERIC && socket_wrapper_enabled()) { /* * If we're running under make test * just panic */ DBG_ERR("Unexpected situation => PANIC\n"); smb_panic("hdb_samba4_audit: Unexpected situation"); } TALLOC_FREE(frame); break; } case KDC_AUTH_EVENT_CLIENT_UNKNOWN: { struct tsocket_address *remote_host; int ret; TALLOC_CTX *frame = talloc_stackframe(); ret = tsocket_address_bsd_from_sockaddr(frame, r->addr, sa_socklen, &remote_host); if (ret != 0) { ui.remote_host = NULL; } else { ui.remote_host = remote_host; } if (pa_type == NULL) { pa_type = "AS-REQ"; } ui.auth_description = pa_type; /* Note this is not forwarded to an RWDC */ log_authentication_event(kdc_db_ctx->msg_ctx, kdc_db_ctx->lp_ctx, &r->tv_start, &ui, NT_STATUS_NO_SUCH_USER, NULL, NULL, NULL, NULL /* client_audit_info */, NULL /* server_audit_info */); TALLOC_FREE(frame); break; } } free(etype_str); return final_ret; } /* This interface is to be called by the KDC and libnet_keytab_dump, * which is expecting Samba calling conventions. * It is also called by a wrapper (hdb_samba4_create) from the * kpasswdd -> krb5 -> keytab_hdb -> hdb code */ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx, krb5_context context, struct HDB **db, struct samba_kdc_db_context **kdc_db_ctx) { NTSTATUS nt_status; if (hdb_interface_version != HDB_INTERFACE_VERSION) { krb5_set_error_message(context, EINVAL, "Heimdal HDB interface version mismatch between build-time and run-time libraries!"); return NT_STATUS_ERROR_DS_INCOMPATIBLE_VERSION; } *db = talloc_zero(base_ctx, HDB); if (!*db) { krb5_set_error_message(context, ENOMEM, "talloc_zero: out of memory"); return NT_STATUS_NO_MEMORY; } (*db)->hdb_master_key_set = 0; (*db)->hdb_db = NULL; (*db)->hdb_capability_flags = HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL; nt_status = samba_kdc_setup_db_ctx(*db, base_ctx, kdc_db_ctx); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(*db); return nt_status; } (*db)->hdb_db = *kdc_db_ctx; (*db)->hdb_dbc = NULL; (*db)->hdb_open = hdb_samba4_open; (*db)->hdb_close = hdb_samba4_close; (*db)->hdb_free_entry_context = hdb_samba4_free_entry_context; (*db)->hdb_fetch_kvno = hdb_samba4_fetch_kvno; (*db)->hdb_store = hdb_samba4_store; (*db)->hdb_firstkey = hdb_samba4_firstkey; (*db)->hdb_nextkey = hdb_samba4_nextkey; (*db)->hdb_lock = hdb_samba4_lock; (*db)->hdb_unlock = hdb_samba4_unlock; (*db)->hdb_set_sync = hdb_samba4_set_sync; (*db)->hdb_rename = hdb_samba4_rename; /* we don't implement these, as we are not a lockable database */ (*db)->hdb__get = NULL; (*db)->hdb__put = NULL; /* kadmin should not be used for deletes - use other tools instead */ (*db)->hdb__del = NULL; (*db)->hdb_destroy = hdb_samba4_destroy; (*db)->hdb_audit = hdb_samba4_audit; (*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation; (*db)->hdb_check_rbcd = hdb_samba4_check_rbcd; (*db)->hdb_check_pkinit_ms_upn_match = hdb_samba4_check_pkinit_ms_upn_match; (*db)->hdb_check_client_matches_target_service = hdb_samba4_check_client_matches_target_service; return NT_STATUS_OK; } NTSTATUS hdb_samba4_kpasswd_create_kdc(struct samba_kdc_base_context *base_ctx, krb5_context context, struct HDB **db) { NTSTATUS nt_status; /* This is only used in other callers */ struct samba_kdc_db_context *kdc_db_ctx = NULL; nt_status = hdb_samba4_create_kdc(base_ctx, context, db, &kdc_db_ctx); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } (*db)->hdb_fetch_kvno = hdb_samba4_kpasswd_fetch_kvno; (*db)->hdb_firstkey = hdb_samba4_nextkey_panic; (*db)->hdb_nextkey = hdb_samba4_nextkey_panic; return NT_STATUS_OK; }