2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2008
7 Copyright (C) Andrew Tridgell 2005
8 Copyright (C) Stefan Metzmacher 2005
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "samba/process_model.h"
26 #include "lib/tsocket/tsocket.h"
27 #include "lib/messaging/irpc.h"
28 #include "librpc/gen_ndr/ndr_irpc.h"
29 #include "librpc/gen_ndr/ndr_krb5pac.h"
30 #include "lib/socket/netif.h"
31 #include "param/param.h"
32 #include "kdc/kdc-server.h"
33 #include "kdc/kdc-proxy.h"
34 #include "kdc/kdc-glue.h"
35 #include "kdc/pac-glue.h"
36 #include "kdc/kpasswd-service.h"
37 #include "dsdb/samdb/samdb.h"
38 #include "auth/session.h"
39 #include "libds/common/roles.h"
44 #define DBGC_CLASS DBGC_KERBEROS
46 NTSTATUS
server_service_kdc_init(TALLOC_CTX
*);
48 extern struct krb5plugin_kdc_ftable kdc_plugin_table
;
51 Wrapper for krb5_kdc_process_krb5_request, converting to/from Samba
55 static kdc_code
kdc_process(struct kdc_server
*kdc
,
59 struct tsocket_address
*peer_addr
,
60 struct tsocket_address
*my_addr
,
65 struct sockaddr_storage ss
;
67 krb5_kdc_configuration
*kdc_config
= kdc
->private_data
;
68 struct timespec now_timespec
= timespec_current();
69 struct timeval now_timeval
= convert_timespec_to_timeval(now_timespec
);
71 krb5_data_zero(&k5_reply
);
73 krb5_kdc_update_time(&now_timeval
);
75 /* This sets the time into the DSDB opaque */
76 *kdc
->base_ctx
->current_nttime_ull
= full_timespec_to_nt_time(&now_timespec
);
78 ret
= tsocket_address_bsd_sockaddr(peer_addr
, (struct sockaddr
*) &ss
,
79 sizeof(struct sockaddr_storage
));
83 pa
= tsocket_address_string(peer_addr
, mem_ctx
);
88 DBG_DEBUG("Received KDC packet of length %zu from %s\n",
91 ret
= krb5_kdc_process_krb5_request(kdc
->smb_krb5_context
->krb5_context
,
93 input
->data
, input
->length
,
96 (struct sockaddr
*) &ss
,
99 *reply
= data_blob(NULL
, 0);
103 if (ret
== HDB_ERR_NOT_FOUND_HERE
) {
104 *reply
= data_blob(NULL
, 0);
105 return KDC_PROXY_REQUEST
;
108 if (k5_reply
.length
) {
109 *reply
= data_blob_talloc(mem_ctx
, k5_reply
.data
, k5_reply
.length
);
110 krb5_data_free(&k5_reply
);
112 *reply
= data_blob(NULL
, 0);
118 setup our listening sockets on the configured network interfaces
120 static NTSTATUS
kdc_startup_interfaces(struct kdc_server
*kdc
,
121 struct loadparm_context
*lp_ctx
,
122 struct interface
*ifaces
,
123 const struct model_ops
*model_ops
)
126 TALLOC_CTX
*tmp_ctx
= talloc_new(kdc
);
129 uint16_t kdc_port
= lpcfg_krb5_port(lp_ctx
);
130 uint16_t kpasswd_port
= lpcfg_kpasswd_port(lp_ctx
);
131 bool done_wildcard
= false;
133 num_interfaces
= iface_list_count(ifaces
);
135 /* if we are allowing incoming packets from any address, then
136 we need to bind to the wildcard address */
137 if (!lpcfg_bind_interfaces_only(lp_ctx
)) {
138 size_t num_binds
= 0;
139 char **wcard
= iface_list_wildcard(kdc
);
140 NT_STATUS_HAVE_NO_MEMORY(wcard
);
141 for (i
=0; wcard
[i
]; i
++) {
143 status
= kdc_add_socket(kdc
, model_ops
,
144 "kdc", wcard
[i
], kdc_port
,
146 if (NT_STATUS_IS_OK(status
)) {
152 status
= kdc_add_socket(kdc
, model_ops
,
153 "kpasswd", wcard
[i
], kpasswd_port
,
154 kpasswd_process
, false);
155 if (NT_STATUS_IS_OK(status
)) {
161 if (num_binds
== 0) {
162 return NT_STATUS_INVALID_PARAMETER_MIX
;
164 done_wildcard
= true;
167 for (i
=0; i
<num_interfaces
; i
++) {
168 const char *address
= talloc_strdup(tmp_ctx
, iface_list_n_ip(ifaces
, i
));
171 status
= kdc_add_socket(kdc
, model_ops
,
172 "kdc", address
, kdc_port
,
173 kdc_process
, done_wildcard
);
174 NT_STATUS_NOT_OK_RETURN(status
);
178 status
= kdc_add_socket(kdc
, model_ops
,
179 "kpasswd", address
, kpasswd_port
,
180 kpasswd_process
, done_wildcard
);
181 NT_STATUS_NOT_OK_RETURN(status
);
185 talloc_free(tmp_ctx
);
190 static NTSTATUS
kdc_check_generic_kerberos(struct irpc_message
*msg
,
191 struct kdc_check_generic_kerberos
*r
)
193 struct PAC_Validate pac_validate
;
195 struct PAC_SIGNATURE_DATA kdc_sig
;
196 struct kdc_server
*kdc
= talloc_get_type(msg
->private_data
, struct kdc_server
);
197 krb5_kdc_configuration
*kdc_config
=
198 (krb5_kdc_configuration
*)kdc
->private_data
;
199 enum ndr_err_code ndr_err
;
202 krb5_principal principal
;
205 /* There is no reply to this request */
206 r
->out
.generic_reply
= data_blob(NULL
, 0);
208 ndr_err
= ndr_pull_struct_blob(&r
->in
.generic_request
, msg
, &pac_validate
,
209 (ndr_pull_flags_fn_t
)ndr_pull_PAC_Validate
);
210 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
211 return NT_STATUS_INVALID_PARAMETER
;
214 if (pac_validate
.MessageType
!= NETLOGON_GENERIC_KRB5_PAC_VALIDATE
) {
215 /* We don't implement any other message types - such as certificate validation - yet */
216 return NT_STATUS_INVALID_PARAMETER
;
219 if (pac_validate
.ChecksumAndSignature
.length
!= (pac_validate
.ChecksumLength
+ pac_validate
.SignatureLength
)
220 || pac_validate
.ChecksumAndSignature
.length
< pac_validate
.ChecksumLength
221 || pac_validate
.ChecksumAndSignature
.length
< pac_validate
.SignatureLength
) {
222 return NT_STATUS_INVALID_PARAMETER
;
225 srv_sig
= data_blob_const(pac_validate
.ChecksumAndSignature
.data
,
226 pac_validate
.ChecksumLength
);
228 ret
= krb5_make_principal(kdc
->smb_krb5_context
->krb5_context
, &principal
,
229 lpcfg_realm(kdc
->task
->lp_ctx
),
230 "krbtgt", lpcfg_realm(kdc
->task
->lp_ctx
),
234 return NT_STATUS_NO_MEMORY
;
237 ret
= kdc_config
->db
[0]->hdb_fetch_kvno(kdc
->smb_krb5_context
->krb5_context
,
240 HDB_F_GET_KRBTGT
| HDB_F_DECRYPT
,
245 hdb_free_entry(kdc
->smb_krb5_context
->krb5_context
, kdc_config
->db
[0], &ent
);
246 krb5_free_principal(kdc
->smb_krb5_context
->krb5_context
, principal
);
248 return NT_STATUS_LOGON_FAILURE
;
251 kdc_sig
.type
= pac_validate
.SignatureType
;
252 kdc_sig
.signature
= data_blob_const(&pac_validate
.ChecksumAndSignature
.data
[pac_validate
.ChecksumLength
],
253 pac_validate
.SignatureLength
);
255 ret
= kdc_check_pac(kdc
->smb_krb5_context
->krb5_context
, srv_sig
, &kdc_sig
, &ent
);
257 hdb_free_entry(kdc
->smb_krb5_context
->krb5_context
, kdc_config
->db
[0], &ent
);
258 krb5_free_principal(kdc
->smb_krb5_context
->krb5_context
, principal
);
261 return NT_STATUS_LOGON_FAILURE
;
271 static NTSTATUS
kdc_task_init(struct task_server
*task
)
273 struct kdc_server
*kdc
;
275 struct interface
*ifaces
;
277 switch (lpcfg_server_role(task
->lp_ctx
)) {
278 case ROLE_STANDALONE
:
279 task_server_terminate(task
, "kdc: no KDC required in standalone configuration", false);
280 return NT_STATUS_INVALID_DOMAIN_ROLE
;
281 case ROLE_DOMAIN_MEMBER
:
282 task_server_terminate(task
, "kdc: no KDC required in member server configuration", false);
283 return NT_STATUS_INVALID_DOMAIN_ROLE
;
284 case ROLE_DOMAIN_PDC
:
285 case ROLE_DOMAIN_BDC
:
287 task_server_terminate(
288 task
, "Cannot start KDC as a 'classic Samba' DC", false);
289 return NT_STATUS_INVALID_DOMAIN_ROLE
;
290 case ROLE_ACTIVE_DIRECTORY_DC
:
291 /* Yes, we want a KDC */
295 load_interface_list(task
, task
->lp_ctx
, &ifaces
);
297 if (iface_list_count(ifaces
) == 0) {
298 task_server_terminate(task
, "kdc: no network interfaces configured", false);
299 return NT_STATUS_UNSUCCESSFUL
;
302 task_server_set_title(task
, "task[kdc]");
304 kdc
= talloc_zero(task
, struct kdc_server
);
306 task_server_terminate(task
, "kdc: out of memory", true);
307 return NT_STATUS_NO_MEMORY
;
311 task
->private_data
= kdc
;
313 /* start listening on the configured network interfaces */
314 status
= kdc_startup_interfaces(kdc
, task
->lp_ctx
, ifaces
,
316 if (!NT_STATUS_IS_OK(status
)) {
317 task_server_terminate(task
, "kdc failed to setup interfaces", true);
326 initialise the kdc task after a fork
328 static void kdc_post_fork(struct task_server
*task
, struct process_details
*pd
)
330 struct kdc_server
*kdc
;
331 krb5_kdc_configuration
*kdc_config
= NULL
;
337 task_server_terminate(task
, "kdc: Null task", true);
340 if (task
->private_data
== NULL
) {
341 task_server_terminate(task
, "kdc: No kdc_server info", true);
344 kdc
= talloc_get_type_abort(task
->private_data
, struct kdc_server
);
346 kdc
->proxy_timeout
= lpcfg_parm_int(kdc
->task
->lp_ctx
, NULL
, "kdc", "proxy timeout", 5);
348 initialize_krb5_error_table();
350 ret
= smb_krb5_init_context(kdc
, task
->lp_ctx
, &kdc
->smb_krb5_context
);
352 DBG_WARNING("kdc_task_init: krb5_init_context failed (%s)\n",
354 task_server_terminate(task
, "kdc: krb5_init_context failed", true);
358 krb5_add_et_list(kdc
->smb_krb5_context
->krb5_context
, initialize_hdb_error_table_r
);
360 ret
= krb5_kdc_get_config(kdc
->smb_krb5_context
->krb5_context
,
363 task_server_terminate(task
, "kdc: failed to get KDC configuration", true);
367 kdc_config
->logf
= (krb5_log_facility
*)kdc
->smb_krb5_context
->pvt_log_data
;
368 kdc_config
->db
= talloc(kdc
, struct HDB
*);
369 if (!kdc_config
->db
) {
370 task_server_terminate(task
, "kdc: out of memory", true);
373 kdc_config
->num_db
= 1;
376 * Note with the CVE-2022-37966 patches,
377 * see https://bugzilla.samba.org/show_bug.cgi?id=15219
378 * and https://bugzilla.samba.org/show_bug.cgi?id=15237
379 * we want to use the strongest keys for everything.
381 * Some of these don't have any real effect anymore,
382 * but it is better to have them as true...
384 kdc_config
->tgt_use_strongest_session_key
= true;
385 kdc_config
->preauth_use_strongest_session_key
= true;
386 kdc_config
->svc_use_strongest_session_key
= true;
387 kdc_config
->use_strongest_server_key
= true;
389 kdc_config
->force_include_pa_etype_salt
= true;
392 * For Samba CVE-2020-25719 Require PAC to be present
393 * This instructs Heimdal to match AD behaviour,
394 * as seen after Microsoft's CVE-2021-42287 when
395 * PacRequestorEnforcement is set to 2.
397 * Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
398 * REF: https://support.microsoft.com/en-au/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
401 kdc_config
->require_pac
= true;
404 * By default we enable RFC6113/FAST support,
405 * but we have an option to disable in order to
406 * test against a KDC with FAST support.
408 kdc_config
->enable_fast
= lpcfg_kdc_enable_fast(task
->lp_ctx
);
411 static const char *dummy_string
= "Microsoft";
414 * The FAST cookie is not cryptographically required,
415 * provided that the non-AD gss-preauth authentication
416 * method is removed (as this is the only multi-step
417 * authentication method).
419 * gss-preauth has been disabled both by not being
420 * configured and by being made dependent
421 * configuration for a "real" fast cookie.
423 * The hide_client_names feature in Heimdal is the
424 * only other state that is persisted in the cookie,
425 * and this does not need to be in the cookie for
426 * single-shot authentication protocols such as ENC-TS
427 * and ENC-CHAL, the standard password protocols in
430 * Furthermore, the Heimdal KDC does not fail if the
431 * client does not supply a FAST cookie, showing that
432 * the presence of the cookie is not required.
434 kdc_config
->enable_fast_cookie
= false;
435 kdc_config
->dummy_fast_cookie
= smb_krb5_make_data(discard_const_p(char, dummy_string
),
436 strlen(dummy_string
));
440 * Match Windows and RFC6113 and Windows but break older
443 kdc_config
->enable_armored_pa_enc_timestamp
= false;
445 /* Register hdb-samba4 hooks for use as a keytab */
447 kdc
->base_ctx
= talloc_zero(kdc
, struct samba_kdc_base_context
);
448 if (!kdc
->base_ctx
) {
449 task_server_terminate(task
, "kdc: out of memory", true);
453 kdc
->base_ctx
->ev_ctx
= task
->event_ctx
;
454 kdc
->base_ctx
->lp_ctx
= task
->lp_ctx
;
455 kdc
->base_ctx
->msg_ctx
= task
->msg_ctx
;
457 kdc
->base_ctx
->current_nttime_ull
= talloc_zero(kdc
, unsigned long long);
458 if (kdc
->base_ctx
->current_nttime_ull
== NULL
) {
459 task_server_terminate(task
, "kdc: out of memory creating time variable", true);
463 status
= hdb_samba4_create_kdc(kdc
->base_ctx
,
464 kdc
->smb_krb5_context
->krb5_context
,
467 if (!NT_STATUS_IS_OK(status
)) {
468 task_server_terminate(task
, "kdc: hdb_samba4_create_kdc (setup KDC database) failed", true);
472 ldb_ret
= samdb_rodc(kdc
->kdc_db_ctx
->samdb
, &kdc
->am_rodc
);
473 if (ldb_ret
!= LDB_SUCCESS
) {
474 DBG_WARNING("kdc_task_init: "
475 "Cannot determine if we are an RODC: %s\n",
476 ldb_errstring(kdc
->kdc_db_ctx
->samdb
));
477 task_server_terminate(task
, "kdc: krb5_init_context samdb RODC query failed", true);
481 ret
= krb5_plugin_register(kdc
->smb_krb5_context
->krb5_context
,
482 PLUGIN_TYPE_DATA
, "hdb_samba4_interface",
483 &hdb_samba4_interface
);
485 task_server_terminate(task
, "kdc: failed to register hdb plugin", true);
489 kdc
->kpasswd_keytab_name
= talloc_asprintf(kdc
, "HDBGET:samba4:&%p", kdc
->base_ctx
);
490 if (kdc
->kpasswd_keytab_name
== NULL
) {
491 task_server_terminate(task
,
492 "kdc: Failed to set keytab name",
497 ret
= krb5_kt_register(kdc
->smb_krb5_context
->krb5_context
, &hdb_get_kt_ops
);
499 task_server_terminate(task
, "kdc: failed to register keytab plugin", true);
503 /* Register KDC hooks */
504 ret
= krb5_plugin_register(kdc
->smb_krb5_context
->krb5_context
,
505 PLUGIN_TYPE_DATA
, "kdc",
508 task_server_terminate(task
, "kdc: failed to register kdc plugin", true);
512 ret
= krb5_kdc_plugin_init(kdc
->smb_krb5_context
->krb5_context
);
515 task_server_terminate(task
, "kdc: failed to init kdc plugin", true);
519 ret
= krb5_kdc_pkinit_config(kdc
->smb_krb5_context
->krb5_context
, kdc_config
);
522 task_server_terminate(task
, "kdc: failed to init kdc pkinit subsystem", true);
525 kdc
->private_data
= kdc_config
;
527 status
= IRPC_REGISTER(task
->msg_ctx
, irpc
, KDC_CHECK_GENERIC_KERBEROS
,
528 kdc_check_generic_kerberos
, kdc
);
529 if (!NT_STATUS_IS_OK(status
)) {
530 task_server_terminate(task
, "kdc failed to setup monitoring", true);
534 irpc_add_name(task
->msg_ctx
, "kdc_server");
538 /* called at smbd startup - register ourselves as a server service */
539 NTSTATUS
server_service_kdc_init(TALLOC_CTX
*ctx
)
541 static const struct service_details details
= {
542 .inhibit_fork_on_accept
= true,
543 .inhibit_pre_fork
= false,
544 .task_init
= kdc_task_init
,
545 .post_fork
= kdc_post_fork
547 return register_server_service(ctx
, "kdc", &details
);
