mirror of
https://github.com/samba-team/samba.git
synced 2025-01-05 09:18:06 +03:00
1dcd8be8f0
The MIT KDC has a fallback to a consistent time per fetch call, and both implementations then follow the time in each 'struct samba_kdc_entry'. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
220 lines
5.6 KiB
C
220 lines
5.6 KiB
C
/*
|
|
* Unix SMB/CIFS implementation.
|
|
*
|
|
* Copyright (c) 2015 Andreas Schneider <asn@samba.org>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include "includes.h"
|
|
#include "system/kerberos.h"
|
|
#include "source4/auth/kerberos/kerberos.h"
|
|
#include "auth/kerberos/pac_utils.h"
|
|
|
|
#include "librpc/gen_ndr/irpc.h"
|
|
#include "lib/messaging/irpc.h"
|
|
#include "source4/librpc/gen_ndr/ndr_irpc.h"
|
|
#include "source4/librpc/gen_ndr/irpc.h"
|
|
|
|
#include "librpc/gen_ndr/ndr_krb5pac.h"
|
|
|
|
#include "source4/samba/process_model.h"
|
|
#include "lib/param/param.h"
|
|
|
|
#include "samba_kdc.h"
|
|
#include "db-glue.h"
|
|
#include "sdb.h"
|
|
#include "mit_kdc_irpc.h"
|
|
#include "lib/crypto/gmsa.h"
|
|
|
|
#undef DBGC_CLASS
|
|
#define DBGC_CLASS DBGC_KERBEROS
|
|
|
|
struct mit_kdc_irpc_context {
|
|
struct task_server *task;
|
|
krb5_context krb5_context;
|
|
struct samba_kdc_db_context *db_ctx;
|
|
};
|
|
|
|
static NTSTATUS netr_samlogon_generic_logon(struct irpc_message *msg,
|
|
struct kdc_check_generic_kerberos *r)
|
|
{
|
|
struct PAC_Validate pac_validate;
|
|
DATA_BLOB pac_chksum;
|
|
struct PAC_SIGNATURE_DATA pac_kdc_sig;
|
|
struct mit_kdc_irpc_context *mki_ctx =
|
|
talloc_get_type(msg->private_data,
|
|
struct mit_kdc_irpc_context);
|
|
enum ndr_err_code ndr_err;
|
|
int code;
|
|
krb5_principal principal;
|
|
struct sdb_entry sentry = {};
|
|
struct sdb_keys skeys;
|
|
unsigned int i;
|
|
const uint8_t *d = NULL;
|
|
NTTIME now;
|
|
bool time_ok;
|
|
|
|
time_ok = gmsa_current_time(&now);
|
|
if (!time_ok) {
|
|
return NT_STATUS_UNSUCCESSFUL;
|
|
}
|
|
|
|
*mki_ctx->db_ctx->current_nttime_ull = now;
|
|
|
|
/* There is no reply to this request */
|
|
r->out.generic_reply = data_blob(NULL, 0);
|
|
|
|
ndr_err =
|
|
ndr_pull_struct_blob(&r->in.generic_request,
|
|
msg,
|
|
&pac_validate,
|
|
(ndr_pull_flags_fn_t)ndr_pull_PAC_Validate);
|
|
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
|
|
return NT_STATUS_INVALID_PARAMETER;
|
|
}
|
|
|
|
if (pac_validate.MessageType != NETLOGON_GENERIC_KRB5_PAC_VALIDATE) {
|
|
/*
|
|
* We don't implement any other message types - such as
|
|
* certificate validation - yet
|
|
*/
|
|
return NT_STATUS_INVALID_PARAMETER;
|
|
}
|
|
|
|
if ((pac_validate.ChecksumAndSignature.length !=
|
|
(pac_validate.ChecksumLength + pac_validate.SignatureLength)) ||
|
|
(pac_validate.ChecksumAndSignature.length <
|
|
pac_validate.ChecksumLength) ||
|
|
(pac_validate.ChecksumAndSignature.length <
|
|
pac_validate.SignatureLength)) {
|
|
return NT_STATUS_INVALID_PARAMETER;
|
|
}
|
|
|
|
/* PAC Checksum */
|
|
pac_chksum = data_blob_const(pac_validate.ChecksumAndSignature.data,
|
|
pac_validate.ChecksumLength);
|
|
|
|
/* Create the krbtgt principal */
|
|
code = smb_krb5_make_principal(mki_ctx->krb5_context,
|
|
&principal,
|
|
lpcfg_realm(mki_ctx->task->lp_ctx),
|
|
"krbtgt",
|
|
lpcfg_realm(mki_ctx->task->lp_ctx),
|
|
NULL);
|
|
if (code != 0) {
|
|
DBG_ERR("Failed to create krbtgt@%s principal!\n",
|
|
lpcfg_realm(mki_ctx->task->lp_ctx));
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
/* Get the krbtgt from the DB */
|
|
code = samba_kdc_fetch(mki_ctx->krb5_context,
|
|
mki_ctx->db_ctx,
|
|
principal,
|
|
SDB_F_GET_KRBTGT | SDB_F_DECRYPT,
|
|
0,
|
|
&sentry);
|
|
krb5_free_principal(mki_ctx->krb5_context, principal);
|
|
if (code != 0) {
|
|
DBG_ERR("Failed to fetch krbtgt@%s principal entry!\n",
|
|
lpcfg_realm(mki_ctx->task->lp_ctx));
|
|
return NT_STATUS_LOGON_FAILURE;
|
|
}
|
|
|
|
/* PAC Signature */
|
|
pac_kdc_sig.type = pac_validate.SignatureType;
|
|
|
|
d = &pac_validate.ChecksumAndSignature.data[pac_validate.ChecksumLength];
|
|
pac_kdc_sig.signature =
|
|
data_blob_const(d, pac_validate.SignatureLength);
|
|
|
|
/*
|
|
* Brute force variant because MIT KRB5 doesn't provide a function like
|
|
* krb5_checksum_to_enctype().
|
|
*/
|
|
skeys = sentry.keys;
|
|
|
|
code = EINVAL;
|
|
for (i = 0; i < skeys.len; i++) {
|
|
krb5_keyblock krbtgt_keyblock = skeys.val[i].key;
|
|
|
|
code = check_pac_checksum(pac_chksum,
|
|
&pac_kdc_sig,
|
|
mki_ctx->krb5_context,
|
|
&krbtgt_keyblock);
|
|
if (code == 0) {
|
|
break;
|
|
}
|
|
}
|
|
|
|
sdb_entry_free(&sentry);
|
|
|
|
if (code != 0) {
|
|
return NT_STATUS_LOGON_FAILURE;
|
|
}
|
|
|
|
return NT_STATUS_OK;
|
|
}
|
|
|
|
NTSTATUS samba_setup_mit_kdc_irpc(struct task_server *task)
|
|
{
|
|
struct samba_kdc_base_context base_ctx = {};
|
|
struct mit_kdc_irpc_context *mki_ctx;
|
|
NTSTATUS status;
|
|
int code;
|
|
|
|
mki_ctx = talloc_zero(task, struct mit_kdc_irpc_context);
|
|
if (mki_ctx == NULL) {
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
mki_ctx->task = task;
|
|
|
|
base_ctx.ev_ctx = task->event_ctx;
|
|
base_ctx.lp_ctx = task->lp_ctx;
|
|
|
|
base_ctx.current_nttime_ull = talloc_zero(mki_ctx, unsigned long long);
|
|
if (base_ctx.current_nttime_ull == NULL) {
|
|
return NT_STATUS_NO_MEMORY;
|
|
}
|
|
|
|
/* db-glue.h */
|
|
status = samba_kdc_setup_db_ctx(mki_ctx,
|
|
&base_ctx,
|
|
&mki_ctx->db_ctx);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
return status;
|
|
}
|
|
|
|
code = smb_krb5_init_context_basic(mki_ctx,
|
|
task->lp_ctx,
|
|
&mki_ctx->krb5_context);
|
|
if (code != 0) {
|
|
return NT_STATUS_INTERNAL_ERROR;
|
|
}
|
|
|
|
status = IRPC_REGISTER(task->msg_ctx,
|
|
irpc,
|
|
KDC_CHECK_GENERIC_KERBEROS,
|
|
netr_samlogon_generic_logon,
|
|
mki_ctx);
|
|
if (!NT_STATUS_IS_OK(status)) {
|
|
return status;
|
|
}
|
|
|
|
irpc_add_name(task->msg_ctx, "kdc_server");
|
|
|
|
return status;
|
|
}
|