search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-server: Remove duplicate logic
[samba4-gss.git] / source3 / libads / kerberos.c
blob291cb7b1e01fdba3579c9495b14d443c688c9e67
1 /*
2 Unix SMB/CIFS implementation.
3 kerberos utility library
4 Copyright (C) Andrew Tridgell 2001
5 Copyright (C) Remus Koos 2001
6 Copyright (C) Nalin Dahyabhai <nalin@redhat.com> 2004.
7 Copyright (C) Jeremy Allison 2004.
8 Copyright (C) Gerald Carter 2006.
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "libsmb/namequery.h"
26 #include "system/filesys.h"
27 #include "smb_krb5.h"
28 #include "../librpc/gen_ndr/ndr_misc.h"
29 #include "libads/kerberos_proto.h"
30 #include "libads/cldap.h"
31 #include "secrets.h"
32 #include "../lib/tsocket/tsocket.h"
33 #include "lib/util/asn1.h"
34
35 #ifdef HAVE_KRB5
36
37 /*
38 we use a prompter to avoid a crash bug in the kerberos libs when
39 dealing with empty passwords
40 this prompter is just a string copy ...
41 */
42 static krb5_error_code
43 kerb_prompter(krb5_context ctx, void *data,
44 const char *name,
45 const char *banner,
46 int num_prompts,
47 krb5_prompt prompts[])
48 {
49 if (num_prompts == 0) return 0;
50 if (num_prompts == 2) {
51 /*
52 * only heimdal has a prompt type and we need to deal with it here to
53 * avoid loops.
54 *
55 * removing the prompter completely is not an option as at least these
56 * versions would crash: heimdal-1.0.2 and heimdal-1.1. Later heimdal
57 * version have looping detection and return with a proper error code.
58 */
59
60 #if defined(HAVE_KRB5_PROMPT_TYPE) /* Heimdal */
61 if (prompts[0].type == KRB5_PROMPT_TYPE_NEW_PASSWORD &&
62 prompts[1].type == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) {
63 /*
64 * We don't want to change passwords here. We're
65 * called from heimdal when the KDC returns
66 * KRB5KDC_ERR_KEY_EXPIRED, but at this point we don't
67 * have the chance to ask the user for a new
68 * password. If we return 0 (i.e. success), we will be
69 * spinning in the endless for-loop in
70 * change_password() in
71 * third_party/heimdal/lib/krb5/init_creds_pw.c
72 */
73 return KRB5KDC_ERR_KEY_EXPIRED;
74 }
75 #elif defined(HAVE_KRB5_GET_PROMPT_TYPES) /* MIT */
76 krb5_prompt_type *prompt_types = NULL;
77
78 prompt_types = krb5_get_prompt_types(ctx);
79 if (prompt_types != NULL) {
80 if (prompt_types[0] == KRB5_PROMPT_TYPE_NEW_PASSWORD &&
81 prompt_types[1] == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN) {
82 return KRB5KDC_ERR_KEY_EXP;
83 }
84 }
85 #endif
86 }
87
88 memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
89 if (prompts[0].reply->length > 0) {
90 if (data) {
91 strncpy((char *)prompts[0].reply->data, (const char *)data,
92 prompts[0].reply->length-1);
93 prompts[0].reply->length = strlen((const char *)prompts[0].reply->data);
94 } else {
95 prompts[0].reply->length = 0;
96 }
97 }
98 return 0;
99 }
100
101 /*
102 simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL
103 place in default cache location.
104 remus@snapserver.com
105 */
106 int kerberos_kinit_password_ext(const char *given_principal,
107 const char *password,
108 int time_offset,
109 time_t *expire_time,
110 time_t *renew_till_time,
111 const char *cache_name,
112 bool request_pac,
113 bool add_netbios_addr,
114 time_t renewable_time,
115 TALLOC_CTX *mem_ctx,
116 char **_canon_principal,
117 char **_canon_realm,
118 NTSTATUS *ntstatus)
119 {
120 TALLOC_CTX *frame = talloc_stackframe();
121 krb5_context ctx = NULL;
122 krb5_error_code code = 0;
123 krb5_ccache cc = NULL;
124 krb5_principal me = NULL;
125 krb5_principal canon_princ = NULL;
126 krb5_creds my_creds;
127 krb5_get_init_creds_opt *opt = NULL;
128 smb_krb5_addresses *addr = NULL;
129 char *canon_principal = NULL;
130 char *canon_realm = NULL;
131
132 ZERO_STRUCT(my_creds);
133
134 if (cache_name == NULL) {
135 DBG_DEBUG("Missing ccache for [%s] and config [%s]\n",
136 given_principal,
137 getenv("KRB5_CONFIG"));
138 TALLOC_FREE(frame);
139 return EINVAL;
140 }
141
142 code = smb_krb5_init_context_common(&ctx);
143 if (code != 0) {
144 DBG_ERR("kerberos init context failed (%s)\n",
145 error_message(code));
146 TALLOC_FREE(frame);
147 return code;
148 }
149
150 if (time_offset != 0) {
151 krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
152 }
153
154 DBG_DEBUG("as %s using [%s] as ccache and config [%s]\n",
155 given_principal,
156 cache_name,
157 getenv("KRB5_CONFIG"));
158
159 if ((code = krb5_cc_resolve(ctx, cache_name, &cc))) {
160 goto out;
161 }
162
163 if ((code = smb_krb5_parse_name(ctx, given_principal, &me))) {
164 goto out;
165 }
166
167 if ((code = krb5_get_init_creds_opt_alloc(ctx, &opt))) {
168 goto out;
169 }
170
171 krb5_get_init_creds_opt_set_renew_life(opt, renewable_time);
172 krb5_get_init_creds_opt_set_forwardable(opt, True);
173
174 /* Turn on canonicalization for lower case realm support */
175 #ifdef SAMBA4_USES_HEIMDAL
176 krb5_get_init_creds_opt_set_win2k(ctx, opt, true);
177 krb5_get_init_creds_opt_set_canonicalize(ctx, opt, true);
178 #else /* MIT */
179 krb5_get_init_creds_opt_set_canonicalize(opt, true);
180 #endif /* MIT */
181 #if 0
182 /* insane testing */
183 krb5_get_init_creds_opt_set_tkt_life(opt, 60);
184 #endif
185
186 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
187 if (request_pac) {
188 if ((code = krb5_get_init_creds_opt_set_pac_request(ctx, opt, (krb5_boolean)request_pac))) {
189 goto out;
190 }
191 }
192 #endif
193 if (add_netbios_addr) {
194 if ((code = smb_krb5_gen_netbios_krb5_address(&addr,
195 lp_netbios_name()))) {
196 goto out;
197 }
198 krb5_get_init_creds_opt_set_address_list(opt, addr->addrs);
199 }
200
201 if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password),
202 kerb_prompter, discard_const_p(char, password),
203 0, NULL, opt))) {
204 goto out;
205 }
206
207 canon_princ = my_creds.client;
208
209 code = smb_krb5_unparse_name(frame,
210 ctx,
211 canon_princ,
212 &canon_principal);
213 if (code != 0) {
214 goto out;
215 }
216
217 DBG_DEBUG("%s mapped to %s\n", given_principal, canon_principal);
218
219 canon_realm = smb_krb5_principal_get_realm(frame, ctx, canon_princ);
220 if (canon_realm == NULL) {
221 code = ENOMEM;
222 goto out;
223 }
224
225 if ((code = krb5_cc_initialize(ctx, cc, canon_princ))) {
226 goto out;
227 }
228
229 if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
230 goto out;
231 }
232
233 if (expire_time) {
234 *expire_time = (time_t) my_creds.times.endtime;
235 }
236
237 if (renew_till_time) {
238 *renew_till_time = (time_t) my_creds.times.renew_till;
239 }
240
241 if (_canon_principal != NULL) {
242 *_canon_principal = talloc_move(mem_ctx, &canon_principal);
243 }
244 if (_canon_realm != NULL) {
245 *_canon_realm = talloc_move(mem_ctx, &canon_realm);
246 }
247 out:
248 if (ntstatus) {
249 /* fast path */
250 if (code == 0) {
251 *ntstatus = NT_STATUS_OK;
252 goto cleanup;
253 }
254
255 /* fall back to self-made-mapping */
256 *ntstatus = krb5_to_nt_status(code);
257 }
258
259 cleanup:
260 krb5_free_cred_contents(ctx, &my_creds);
261 if (me) {
262 krb5_free_principal(ctx, me);
263 }
264 if (addr) {
265 smb_krb5_free_addresses(ctx, addr);
266 }
267 if (opt) {
268 krb5_get_init_creds_opt_free(ctx, opt);
269 }
270 if (cc) {
271 krb5_cc_close(ctx, cc);
272 }
273 if (ctx) {
274 krb5_free_context(ctx);
275 }
276 TALLOC_FREE(frame);
277 return code;
278 }
279
280 int ads_kdestroy(const char *cc_name)
281 {
282 krb5_error_code code;
283 krb5_context ctx = NULL;
284 krb5_ccache cc = NULL;
285
286 code = smb_krb5_init_context_common(&ctx);
287 if (code != 0) {
288 DBG_ERR("kerberos init context failed (%s)\n",
289 error_message(code));
290 return code;
291 }
292
293 /*
294 * This should not happen, if
295 * we need that behaviour we
296 * should add an ads_kdestroy_default()
297 */
298 SMB_ASSERT(cc_name != NULL);
299
300 code = krb5_cc_resolve(ctx, cc_name, &cc);
301 if (code != 0) {
302 DBG_NOTICE("krb5_cc_resolve(%s) failed: %s\n",
303 cc_name, error_message(code));
304 krb5_free_context(ctx);
305 return code;
306 }
307
308 code = krb5_cc_destroy(ctx, cc);
309 if (code != 0) {
310 DBG_ERR("krb5_cc_destroy(%s) failed: %s\n",
311 cc_name, error_message(code));
312 }
313
314 krb5_free_context (ctx);
315 return code;
316 }
317
318 int create_kerberos_key_from_string(krb5_context context,
319 krb5_principal host_princ,
320 krb5_principal salt_princ,
321 krb5_data *password,
322 krb5_keyblock *key,
323 krb5_enctype enctype,
324 bool no_salt)
325 {
326 int ret;
327 /*
328 * Check if we've determined that the KDC is salting keys for this
329 * principal/enctype in a non-obvious way. If it is, try to match
330 * its behavior.
331 */
332 if (no_salt) {
333 KRB5_KEY_DATA(key) = (KRB5_KEY_DATA_CAST *)SMB_MALLOC(password->length);
334 if (!KRB5_KEY_DATA(key)) {
335 return ENOMEM;
336 }
337 memcpy(KRB5_KEY_DATA(key), password->data, password->length);
338 KRB5_KEY_LENGTH(key) = password->length;
339 KRB5_KEY_TYPE(key) = enctype;
340 return 0;
341 }
342 ret = smb_krb5_create_key_from_string(context,
343 salt_princ ? salt_princ : host_princ,
344 NULL,
345 password,
346 enctype,
347 key);
348 return ret;
349 }
350
351 /************************************************************************
352 ************************************************************************/
353
354 int kerberos_kinit_password(const char *principal,
355 const char *password,
356 int time_offset,
357 const char *cache_name)
358 {
359 return kerberos_kinit_password_ext(principal,
360 password,
361 time_offset,
362 0,
363 0,
364 cache_name,
365 False,
366 False,
367 0,
368 NULL,
369 NULL,
370 NULL,
371 NULL);
372 }
373
374 /************************************************************************
375 ************************************************************************/
376
377 /************************************************************************
378 Create a string list of available kdc's, possibly searching by sitename.
379 Does DNS queries.
380
381 If "sitename" is given, the DC's in that site are listed first.
382
383 ************************************************************************/
384
385 static void add_sockaddr_unique(struct sockaddr_storage *addrs, size_t *num_addrs,
386 const struct sockaddr_storage *addr)
387 {
388 size_t i;
389
390 for (i=0; i<*num_addrs; i++) {
391 if (sockaddr_equal((const struct sockaddr *)&addrs[i],
392 (const struct sockaddr *)addr)) {
393 return;
394 }
395 }
396 addrs[i] = *addr;
397 *num_addrs += 1;
398 }
399
400 /* print_canonical_sockaddr prints an ipv6 addr in the form of
401 * [ipv6.addr]. This string, when put in a generated krb5.conf file is not
402 * always properly dealt with by some older krb5 libraries. Adding the hard-coded
403 * portnumber workarounds the issue. - gd */
404
405 static char *print_canonical_sockaddr_with_port(TALLOC_CTX *mem_ctx,
406 const struct sockaddr_storage *pss)
407 {
408 char *str = NULL;
409
410 str = print_canonical_sockaddr(mem_ctx, pss);
411 if (str == NULL) {
412 return NULL;
413 }
414
415 if (pss->ss_family != AF_INET6) {
416 return str;
417 }
418
419 #if defined(HAVE_IPV6)
420 str = talloc_asprintf_append(str, ":88");
421 #endif
422 return str;
423 }
424
425 static char *get_kdc_ip_string(char *mem_ctx,
426 const char *realm,
427 const char *sitename,
428 const struct sockaddr_storage *pss)
429 {
430 TALLOC_CTX *frame = talloc_stackframe();
431 size_t i;
432 struct samba_sockaddr *ip_sa_site = NULL;
433 struct samba_sockaddr *ip_sa_nonsite = NULL;
434 struct samba_sockaddr sa = {0};
435 size_t count_site = 0;
436 size_t count_nonsite;
437 size_t num_dcs;
438 struct sockaddr_storage *dc_addrs = NULL;
439 struct tsocket_address **dc_addrs2 = NULL;
440 const struct tsocket_address * const *dc_addrs3 = NULL;
441 char *result = NULL;
442 struct netlogon_samlogon_response **responses = NULL;
443 NTSTATUS status;
444 bool ok;
445 char *kdc_str = NULL;
446 char *canon_sockaddr = NULL;
447
448 kdc_str = talloc_strdup(frame, "");
449
450 if (pss != NULL) {
451 canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss);
452 if (canon_sockaddr == NULL) {
453 goto out;
454 }
455
456 talloc_asprintf_addbuf(&kdc_str,
457 "\t\tkdc = %s\n",
458 canon_sockaddr);
459
460 ok = sockaddr_storage_to_samba_sockaddr(&sa, pss);
461 if (!ok) {
462 goto out;
463 }
464 }
465
466 /*
467 * First get the KDC's only in this site, the rest will be
468 * appended later
469 */
470
471 if (sitename) {
472 status = get_kdc_list(frame,
473 realm,
474 sitename,
475 &ip_sa_site,
476 &count_site);
477 if (!NT_STATUS_IS_OK(status)) {
478 DBG_ERR("get_kdc_list fail %s\n",
479 nt_errstr(status));
480 goto out;
481 }
482 DBG_DEBUG("got %zu addresses from site %s search\n",
483 count_site,
484 sitename);
485 }
486
487 /* Get all KDC's. */
488
489 status = get_kdc_list(frame,
490 realm,
491 NULL,
492 &ip_sa_nonsite,
493 &count_nonsite);
494 if (!NT_STATUS_IS_OK(status)) {
495 DBG_ERR("get_kdc_list (site-less) fail %s\n",
496 nt_errstr(status));
497 goto out;
498 }
499 DBG_DEBUG("got %zu addresses from site-less search\n", count_nonsite);
500
501 if (count_site + count_nonsite < count_site) {
502 /* Wrap check. */
503 DBG_ERR("get_kdc_list_talloc (site-less) fail wrap error\n");
504 goto out;
505 }
506
507
508 dc_addrs = talloc_array(talloc_tos(), struct sockaddr_storage,
509 count_site + count_nonsite);
510 if (dc_addrs == NULL) {
511 goto out;
512 }
513
514 num_dcs = 0;
515
516 for (i = 0; i < count_site; i++) {
517 if (!sockaddr_equal(&sa.u.sa, &ip_sa_site[i].u.sa)) {
518 add_sockaddr_unique(dc_addrs, &num_dcs,
519 &ip_sa_site[i].u.ss);
520 }
521 }
522
523 for (i = 0; i < count_nonsite; i++) {
524 if (!sockaddr_equal(&sa.u.sa, &ip_sa_nonsite[i].u.sa)) {
525 add_sockaddr_unique(dc_addrs, &num_dcs,
526 &ip_sa_nonsite[i].u.ss);
527 }
528 }
529
530 DBG_DEBUG("%zu additional KDCs to test\n", num_dcs);
531 if (num_dcs == 0) {
532 /*
533 * We do not have additional KDCs, but we have the one passed
534 * in via `pss`. So just use that one and leave.
535 */
536 result = talloc_move(mem_ctx, &kdc_str);
537 goto out;
538 }
539
540 dc_addrs2 = talloc_zero_array(talloc_tos(),
541 struct tsocket_address *,
542 num_dcs);
543 if (dc_addrs2 == NULL) {
544 goto out;
545 }
546
547 for (i=0; i<num_dcs; i++) {
548 char addr[INET6_ADDRSTRLEN];
549 int ret;
550
551 print_sockaddr(addr, sizeof(addr), &dc_addrs[i]);
552
553 ret = tsocket_address_inet_from_strings(dc_addrs2, "ip",
554 addr, LDAP_PORT,
555 &dc_addrs2[i]);
556 if (ret != 0) {
557 status = map_nt_error_from_unix(errno);
558 DEBUG(2,("Failed to create tsocket_address for %s - %s\n",
559 addr, nt_errstr(status)));
560 goto out;
561 }
562 }
563
564 dc_addrs3 = (const struct tsocket_address * const *)dc_addrs2;
565
566 status = cldap_multi_netlogon(talloc_tos(),
567 dc_addrs3, num_dcs,
568 realm, lp_netbios_name(),
569 NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX,
570 MIN(num_dcs, 3), timeval_current_ofs(3, 0), &responses);
571 TALLOC_FREE(dc_addrs2);
572 dc_addrs3 = NULL;
573
574 if (!NT_STATUS_IS_OK(status)) {
575 DEBUG(10,("get_kdc_ip_string: cldap_multi_netlogon failed: "
576 "%s\n", nt_errstr(status)));
577 goto out;
578 }
579
580 for (i=0; i<num_dcs; i++) {
581 if (responses[i] == NULL) {
582 continue;
583 }
584
585 /* Append to the string - inefficient but not done often. */
586 talloc_asprintf_addbuf(&kdc_str,
587 "\t\tkdc = %s\n",
588 print_canonical_sockaddr_with_port(
589 mem_ctx, &dc_addrs[i]));
590 }
591
592 result = talloc_move(mem_ctx, &kdc_str);
593 out:
594 if (result != NULL) {
595 DBG_DEBUG("Returning\n%s\n", result);
596 } else {
597 DBG_NOTICE("Failed to get KDC ip address\n");
598 }
599
600 TALLOC_FREE(frame);
601 return result;
602 }
603
604 /************************************************************************
605 Create a specific krb5.conf file in the private directory pointing
606 at a specific kdc for a realm. Keyed off domain name. Sets
607 KRB5_CONFIG environment variable to point to this file. Must be
608 run as root or will fail (which is a good thing :-).
609 ************************************************************************/
610
611 #if !defined(SAMBA4_USES_HEIMDAL) /* MIT version */
612 static char *get_enctypes(TALLOC_CTX *mem_ctx)
613 {
614 char *aes_enctypes = NULL;
615 const char *legacy_enctypes = "";
616 char *enctypes = NULL;
617
618 aes_enctypes = talloc_strdup(mem_ctx, "");
619 if (aes_enctypes == NULL) {
620 goto done;
621 }
622
623 if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
624 lp_kerberos_encryption_types() == KERBEROS_ETYPES_STRONG) {
625 aes_enctypes = talloc_asprintf_append(
626 aes_enctypes, "%s", "aes256-cts-hmac-sha1-96 ");
627 if (aes_enctypes == NULL) {
628 goto done;
629 }
630 aes_enctypes = talloc_asprintf_append(
631 aes_enctypes, "%s", "aes128-cts-hmac-sha1-96");
632 if (aes_enctypes == NULL) {
633 goto done;
634 }
635 }
636
637 if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_ALLOWED &&
638 (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
639 lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY)) {
640 legacy_enctypes = "RC4-HMAC";
641 }
642
643 enctypes =
644 talloc_asprintf(mem_ctx, "\tdefault_tgs_enctypes = %s %s\n"
645 "\tdefault_tkt_enctypes = %s %s\n"
646 "\tpreferred_enctypes = %s %s\n",
647 aes_enctypes, legacy_enctypes, aes_enctypes,
648 legacy_enctypes, aes_enctypes, legacy_enctypes);
649 done:
650 TALLOC_FREE(aes_enctypes);
651 return enctypes;
652 }
653 #else /* Heimdal version */
654 static char *get_enctypes(TALLOC_CTX *mem_ctx)
655 {
656 const char *aes_enctypes = "";
657 const char *legacy_enctypes = "";
658 char *enctypes = NULL;
659
660 if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
661 lp_kerberos_encryption_types() == KERBEROS_ETYPES_STRONG) {
662 aes_enctypes =
663 "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96";
664 }
665
666 if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
667 lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY) {
668 legacy_enctypes = "arcfour-hmac-md5";
669 }
670
671 enctypes = talloc_asprintf(mem_ctx, "\tdefault_etypes = %s %s\n",
672 aes_enctypes, legacy_enctypes);
673
674 return enctypes;
675 }
676 #endif
677
678 bool create_local_private_krb5_conf_for_domain(const char *realm,
679 const char *domain,
680 const char *sitename,
681 const struct sockaddr_storage *pss)
682 {
683 char *dname;
684 char *tmpname = NULL;
685 char *fname = NULL;
686 char *file_contents = NULL;
687 char *kdc_ip_string = NULL;
688 size_t flen = 0;
689 ssize_t ret;
690 int fd;
691 char *realm_upper = NULL;
692 bool result = false;
693 char *enctypes = NULL;
694 const char *include_system_krb5 = "";
695 mode_t mask;
696
697 if (!lp_create_krb5_conf()) {
698 return false;
699 }
700
701 if (realm == NULL) {
702 DEBUG(0, ("No realm has been specified! Do you really want to "
703 "join an Active Directory server?\n"));
704 return false;
705 }
706
707 if (domain == NULL) {
708 return false;
709 }
710
711 dname = lock_path(talloc_tos(), "smb_krb5");
712 if (!dname) {
713 return false;
714 }
715 if ((mkdir(dname, 0755)==-1) && (errno != EEXIST)) {
716 DEBUG(0,("create_local_private_krb5_conf_for_domain: "
717 "failed to create directory %s. Error was %s\n",
718 dname, strerror(errno) ));
719 goto done;
720 }
721
722 tmpname = lock_path(talloc_tos(), "smb_tmp_krb5.XXXXXX");
723 if (!tmpname) {
724 goto done;
725 }
726
727 fname = talloc_asprintf(dname, "%s/krb5.conf.%s", dname, domain);
728 if (!fname) {
729 goto done;
730 }
731
732 DEBUG(10,("create_local_private_krb5_conf_for_domain: fname = %s, realm = %s, domain = %s\n",
733 fname, realm, domain ));
734
735 realm_upper = talloc_strdup(fname, realm);
736 if (!strupper_m(realm_upper)) {
737 goto done;
738 }
739
740 kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss);
741 if (!kdc_ip_string) {
742 goto done;
743 }
744
745 enctypes = get_enctypes(fname);
746 if (enctypes == NULL) {
747 goto done;
748 }
749
750 #if !defined(SAMBA4_USES_HEIMDAL)
751 if (lp_include_system_krb5_conf()) {
752 include_system_krb5 = "include /etc/krb5.conf";
753 }
754 #endif
755
756 /*
757 * We are setting 'dns_lookup_kdc' to true, because we want to lookup
758 * KDCs which are not configured via DNS SRV records, eg. if we do:
759 *
760 * net ads join -Uadmin@otherdomain
761 */
762 file_contents =
763 talloc_asprintf(fname,
764 "[libdefaults]\n"
765 "\tdefault_realm = %s\n"
766 "%s"
767 "\tdns_lookup_realm = false\n"
768 "\tdns_lookup_kdc = true\n\n"
769 "[realms]\n\t%s = {\n"
770 "%s\t}\n"
771 "\t%s = {\n"
772 "%s\t}\n"
773 "%s\n",
774 realm_upper,
775 enctypes,
776 realm_upper,
777 kdc_ip_string,
778 domain,
779 kdc_ip_string,
780 include_system_krb5);
781
782 if (!file_contents) {
783 goto done;
784 }
785
786 flen = strlen(file_contents);
787
788 mask = umask(S_IRWXO | S_IRWXG);
789 fd = mkstemp(tmpname);
790 umask(mask);
791 if (fd == -1) {
792 DBG_ERR("mkstemp failed, for file %s. Errno %s\n",
793 tmpname,
794 strerror(errno));
795 goto done;
796 }
797
798 if (fchmod(fd, 0644)==-1) {
799 DEBUG(0,("create_local_private_krb5_conf_for_domain: fchmod failed for %s."
800 " Errno %s\n",
801 tmpname, strerror(errno) ));
802 unlink(tmpname);
803 close(fd);
804 goto done;
805 }
806
807 ret = write(fd, file_contents, flen);
808 if (flen != ret) {
809 DEBUG(0,("create_local_private_krb5_conf_for_domain: write failed,"
810 " returned %d (should be %u). Errno %s\n",
811 (int)ret, (unsigned int)flen, strerror(errno) ));
812 unlink(tmpname);
813 close(fd);
814 goto done;
815 }
816 if (close(fd)==-1) {
817 DEBUG(0,("create_local_private_krb5_conf_for_domain: close failed."
818 " Errno %s\n", strerror(errno) ));
819 unlink(tmpname);
820 goto done;
821 }
822
823 if (rename(tmpname, fname) == -1) {
824 DEBUG(0,("create_local_private_krb5_conf_for_domain: rename "
825 "of %s to %s failed. Errno %s\n",
826 tmpname, fname, strerror(errno) ));
827 unlink(tmpname);
828 goto done;
829 }
830
831 DBG_INFO("wrote file %s with realm %s KDC list:\n%s\n",
832 fname, realm_upper, kdc_ip_string);
833
834 /* Set the environment variable to this file. */
835 setenv("KRB5_CONFIG", fname, 1);
836
837 result = true;
838
839 #if defined(OVERWRITE_SYSTEM_KRB5_CONF)
840
841 #define SYSTEM_KRB5_CONF_PATH "/etc/krb5.conf"
842 /* Insanity, sheer insanity..... */
843
844 if (strequal(realm, lp_realm())) {
845 SMB_STRUCT_STAT sbuf;
846
847 if (sys_lstat(SYSTEM_KRB5_CONF_PATH, &sbuf, false) == 0) {
848 if (S_ISLNK(sbuf.st_ex_mode) && sbuf.st_ex_size) {
849 int lret;
850 size_t alloc_size = sbuf.st_ex_size + 1;
851 char *linkpath = talloc_array(talloc_tos(), char,
852 alloc_size);
853 if (!linkpath) {
854 goto done;
855 }
856 lret = readlink(SYSTEM_KRB5_CONF_PATH, linkpath,
857 alloc_size - 1);
858 if (lret == -1) {
859 TALLOC_FREE(linkpath);
860 goto done;
861 }
862 linkpath[lret] = '\0';
863
864 if (strcmp(linkpath, fname) == 0) {
865 /* Symlink already exists. */
866 TALLOC_FREE(linkpath);
867 goto done;
868 }
869 TALLOC_FREE(linkpath);
870 }
871 }
872
873 /* Try and replace with a symlink. */
874 if (symlink(fname, SYSTEM_KRB5_CONF_PATH) == -1) {
875 const char *newpath = SYSTEM_KRB5_CONF_PATH ".saved";
876 if (errno != EEXIST) {
877 DEBUG(0,("create_local_private_krb5_conf_for_domain: symlink "
878 "of %s to %s failed. Errno %s\n",
879 fname, SYSTEM_KRB5_CONF_PATH, strerror(errno) ));
880 goto done; /* Not a fatal error. */
881 }
882
883 /* Yes, this is a race condition... too bad. */
884 if (rename(SYSTEM_KRB5_CONF_PATH, newpath) == -1) {
885 DEBUG(0,("create_local_private_krb5_conf_for_domain: rename "
886 "of %s to %s failed. Errno %s\n",
887 SYSTEM_KRB5_CONF_PATH, newpath,
888 strerror(errno) ));
889 goto done; /* Not a fatal error. */
890 }
891
892 if (symlink(fname, SYSTEM_KRB5_CONF_PATH) == -1) {
893 DEBUG(0,("create_local_private_krb5_conf_for_domain: "
894 "forced symlink of %s to /etc/krb5.conf failed. Errno %s\n",
895 fname, strerror(errno) ));
896 goto done; /* Not a fatal error. */
897 }
898 }
899 }
900 #endif
901
902 done:
903 TALLOC_FREE(tmpname);
904 TALLOC_FREE(dname);
905
906 return result;
907 }
908 #endif
GSS-enabled samba4