sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-13 13:18:06 +03:00
Code
b8c219a270
samba-mirror/source4/heimdal/kdc/default_config.c
Andrew Bartlett d5bbd817fe r20988: Call out to Heimdal's krb5.conf processing to configure many aspects 
of KDC behaviour.  This should allow PKINIT to be turned on and
managed with reasonable sanity.

This also means that the krb5.conf in the same directory as the
smb.conf will always have priority in Samba4, which I think will be
useful.

Andrew Bartlett
(This used to be commit a50bbde81b)
2007-10-10 14:44:18 -05:00

371 lines
10 KiB
C
Raw Blame History

/*
* Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "kdc_locl.h"
int require_preauth = -1; /* 1 == require preauth for all principals */
const char *trpolicy_str;
int disable_des = -1;
int enable_v4 = -1;
int enable_kaserver = -1;
int enable_524 = -1;
int enable_v4_cross_realm = -1;
int detach_from_console = -1;
char *v4_realm;
/*
* Setup some of the defaults for the KDC configuration.
*
* Note: Caller must also fill in:
* - db
* - num_db
* - logf
*
*/
void
krb5_kdc_default_config(krb5_kdc_configuration *config)
{
memset(config, 0, sizeof(*config));
config->require_preauth = TRUE;
config->kdc_warn_pwexpire = 0;
config->encode_as_rep_as_tgs_rep = FALSE; /* bug compatibility */
config->check_ticket_addresses = TRUE;
config->allow_null_ticket_addresses = TRUE;
config->allow_anonymous = FALSE;
config->trpolicy = TRPOLICY_ALWAYS_CHECK;
config->enable_v4 = FALSE;
config->enable_kaserver = FALSE;
config->enable_524 = FALSE; /* overriden by enable_v4 in configure()) */
config->enable_v4_cross_realm = FALSE;
config->enable_pkinit = FALSE;
config->enable_pkinit_princ_in_cert = TRUE;
config->db = NULL;
config->num_db = 0;
config->logf = NULL;
}
/*
* Setup some valudes for the KDC configuration, from the config file
*
* Note: Caller must also fill in:
* - db
* - num_db
* - logf
*
*/
void krb5_kdc_configure(krb5_context context, krb5_kdc_configuration *config)
{
const char *p;
if(require_preauth == -1) {
config->require_preauth = krb5_config_get_bool_default(context, NULL,
config->require_preauth,
"kdc",
"require-preauth", NULL);
} else {
config->require_preauth = require_preauth;
}
if(enable_v4 == -1) {
config->enable_v4 = krb5_config_get_bool_default(context, NULL,
config->enable_v4,
"kdc",
"enable-kerberos4",
NULL);
} else {
config->enable_v4 = enable_v4;
}
if(enable_v4_cross_realm == -1) {
config->enable_v4_cross_realm =
krb5_config_get_bool_default(context, NULL,
config->enable_v4_cross_realm,
"kdc",
"enable-kerberos4-cross-realm",
NULL);
} else {
config->enable_v4_cross_realm = enable_v4_cross_realm;
}
if(enable_524 == -1) {
config->enable_524 = krb5_config_get_bool_default(context, NULL,
config->enable_v4,
"kdc", "enable-524",
NULL);
} else {
config->enable_524 = enable_524;
}
config->enable_digest =
krb5_config_get_bool_default(context, NULL,
FALSE,
"kdc",
"enable-digest", NULL);
{
const char *digests;
digests = krb5_config_get_string(context, NULL,
"kdc",
"digests_allowed", NULL);
if (digests == NULL)
digests = "ntlm-v2";
config->digests_allowed = parse_flags(digests,
_kdc_digestunits,
0);
if (config->digests_allowed == -1) {
kdc_log(context, config, 0,
"unparsable digest units (%s), turning off digest",
digests);
config->enable_digest = 0;
} else if (config->digests_allowed == 0) {
kdc_log(context, config, 0,
"no digest enable, turning digest off",
digests);
config->enable_digest = 0;
}
}
config->enable_kx509 =
krb5_config_get_bool_default(context, NULL,
FALSE,
"kdc",
"enable-kx509", NULL);
config->check_ticket_addresses =
krb5_config_get_bool_default(context, NULL,
config->check_ticket_addresses,
"kdc",
"check-ticket-addresses", NULL);
config->allow_null_ticket_addresses =
krb5_config_get_bool_default(context, NULL,
config->allow_null_ticket_addresses,
"kdc",
"allow-null-ticket-addresses", NULL);
config->allow_anonymous =
krb5_config_get_bool_default(context, NULL,
config->allow_anonymous,
"kdc",
"allow-anonymous", NULL);
config->max_datagram_reply_length =
krb5_config_get_int_default(context,
NULL,
1400,
"kdc",
"max-kdc-datagram-reply-length",
NULL);
trpolicy_str =
krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc",
"transited-policy", NULL);
if(strcasecmp(trpolicy_str, "always-check") == 0) {
config->trpolicy = TRPOLICY_ALWAYS_CHECK;
} else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
config->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
} else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) {
config->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
} else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) {
/* default */
} else {
kdc_log(context, config,
0, "unknown transited-policy: %s, reverting to default (always-check)",
trpolicy_str);
}
if (krb5_config_get_string(context, NULL, "kdc",
"enforce-transited-policy", NULL))
krb5_errx(context, 1, "enforce-transited-policy deprecated, "
"use [kdc]transited-policy instead");
if(v4_realm == NULL){
p = krb5_config_get_string (context, NULL,
"kdc",
"v4-realm",
NULL);
if(p != NULL) {
config->v4_realm = strdup(p);
if (config->v4_realm == NULL)
krb5_errx(context, 1, "out of memory");
} else {
config->v4_realm = NULL;
}
} else {
config->v4_realm = v4_realm;
}
if (enable_kaserver == -1) {
config->enable_kaserver =
krb5_config_get_bool_default(context,
NULL,
config->enable_kaserver,
"kdc",
"enable-kaserver",
NULL);
} else {
config->enable_kaserver = enable_kaserver;
}
config->encode_as_rep_as_tgs_rep =
krb5_config_get_bool_default(context, NULL,
config->encode_as_rep_as_tgs_rep,
"kdc",
"encode_as_rep_as_tgs_rep",
NULL);
config->kdc_warn_pwexpire =
krb5_config_get_time_default (context, NULL,
config->kdc_warn_pwexpire,
"kdc",
"kdc_warn_pwexpire",
NULL);
if(detach_from_console == -1)
detach_from_console = krb5_config_get_bool_default(context, NULL,
DETACH_IS_DEFAULT,
"kdc",
"detach", NULL);
#ifdef PKINIT
config->enable_pkinit =
krb5_config_get_bool_default(context,
NULL,
config->enable_pkinit,
"kdc",
"enable-pkinit",
NULL);
if (config->enable_pkinit) {
const char *user_id, *anchors, *ocsp_file;
char **pool_list, **revoke_list;
user_id = krb5_config_get_string(context, NULL,
"kdc",
"pkinit_identity",
NULL);
if (user_id == NULL)
krb5_errx(context, 1, "pkinit enabled but no identity");
anchors = krb5_config_get_string(context, NULL,
"kdc",
"pkinit_anchors",
NULL);
if (anchors == NULL)
krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
pool_list = krb5_config_get_strings(context, NULL,
"kdc",
"pkinit_pool",
NULL);
revoke_list = krb5_config_get_strings(context, NULL,
"kdc",
"pkinit_revoke",
NULL);
ocsp_file =
krb5_config_get_string(context, NULL,
"kdc",
"pkinit_kdc_ocsp",
NULL);
if (ocsp_file) {
config->pkinit_kdc_ocsp_file = strdup(ocsp_file);
if (config->pkinit_kdc_ocsp_file == NULL)
krb5_errx(context, 1, "out of memory");
}
_kdc_pk_initialize(context, config, user_id, anchors,
pool_list, revoke_list);
krb5_config_free_strings(pool_list);
krb5_config_free_strings(revoke_list);
config->enable_pkinit_princ_in_cert =
krb5_config_get_bool_default(context,
NULL,
config->enable_pkinit_princ_in_cert,
"kdc",
"pkinit_principal_in_certificate",
NULL);
}
config->pkinit_dh_min_bits =
krb5_config_get_int_default(context,
NULL,
0,
"kdc",
"pkinit_dh_min_bits",
NULL);
#endif
if(config->v4_realm == NULL && (config->enable_kaserver || config->enable_v4)){
#ifdef KRB4
config->v4_realm = malloc(40); /* REALM_SZ */
if (config->v4_realm == NULL)
krb5_errx(context, 1, "out of memory");
krb_get_lrealm(config->v4_realm, 1);
#else
krb5_errx(context, 1, "No Kerberos 4 realm configured");
#endif
}
if(disable_des == -1)
disable_des = krb5_config_get_bool_default(context, NULL,
FALSE,
"kdc",
"disable-des", NULL);
if(disable_des) {
krb5_enctype_disable(context, ETYPE_DES_CBC_CRC);
krb5_enctype_disable(context, ETYPE_DES_CBC_MD4);
krb5_enctype_disable(context, ETYPE_DES_CBC_MD5);
krb5_enctype_disable(context, ETYPE_DES_CBC_NONE);
krb5_enctype_disable(context, ETYPE_DES_CFB64_NONE);
krb5_enctype_disable(context, ETYPE_DES_PCBC_NONE);
kdc_log(context, config,
0, "DES was disabled, turned off Kerberos V4, 524 "
"and kaserver");
config->enable_v4 = 0;
config->enable_524 = 0;
config->enable_kaserver = 0;
}
_kdc_windc_init(context);
}
View Git Blame Copy Permalink