search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-scripts: Don't set arp_filter=1 by default in 10.interface
[samba4-gss.git] / source4 / ntp_signd / ntp_signd.c
blobaee8c16087704ebeeca6b3a3f12f2a33784b42c9
1 /*
2 Unix SMB/CIFS implementation.
3
4 NTP packet signing server
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
7 Copyright (C) Andrew Tridgell 2005
8 Copyright (C) Stefan Metzmacher 2005
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "samba/service_task.h"
26 #include "samba/service.h"
27 #include "samba/service_stream.h"
28 #include "samba/process_model.h"
29 #include "lib/stream/packet.h"
30 #include "lib/tsocket/tsocket.h"
31 #include "libcli/util/tstream.h"
32 #include "librpc/gen_ndr/ndr_ntp_signd.h"
33 #include "param/param.h"
34 #include "dsdb/common/util.h"
35 #include "dsdb/samdb/samdb.h"
36 #include "auth/auth.h"
37 #include "libcli/security/security.h"
38 #include "libcli/ldap/ldap_ndr.h"
39 #include <ldb.h>
40 #include <ldb_errors.h>
41 #include "system/network.h"
42 #include "system/passwd.h"
43
44 #include "lib/crypto/gnutls_helpers.h"
45 #include <gnutls/gnutls.h>
46 #include <gnutls/crypto.h>
47
48 NTSTATUS server_service_ntp_signd_init(TALLOC_CTX *);
49
50 /*
51 top level context structure for the ntp_signd server
52 */
53 struct ntp_signd_server {
54 struct task_server *task;
55 struct ldb_context *samdb;
56 };
57
58 /*
59 state of an open connection
60 */
61 struct ntp_signd_connection {
62 /* stream connection we belong to */
63 struct stream_connection *conn;
64
65 /* the ntp_signd_server the connection belongs to */
66 struct ntp_signd_server *ntp_signd;
67
68 struct tstream_context *tstream;
69
70 struct tevent_queue *send_queue;
71 };
72
73 static void ntp_signd_terminate_connection(struct ntp_signd_connection *ntp_signd_conn, const char *reason)
74 {
75 stream_terminate_connection(ntp_signd_conn->conn, reason);
76 }
77
78 static NTSTATUS signing_failure(struct ntp_signd_connection *ntp_signdconn,
79 TALLOC_CTX *mem_ctx,
80 DATA_BLOB *output,
81 uint32_t packet_id)
82 {
83 struct signed_reply signed_reply;
84 enum ndr_err_code ndr_err;
85
86 signed_reply.op = SIGNING_FAILURE;
87 signed_reply.packet_id = packet_id;
88 signed_reply.signed_packet = data_blob(NULL, 0);
89
90 ndr_err = ndr_push_struct_blob(output, mem_ctx, &signed_reply,
91 (ndr_push_flags_fn_t)ndr_push_signed_reply);
92
93 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
94 DEBUG(1,("failed to push ntp error reply\n"));
95 return ndr_map_error2ntstatus(ndr_err);
96 }
97
98 return NT_STATUS_OK;
99 }
100
101 /*
102 receive a full packet on a NTP_SIGND connection
103 */
104 static NTSTATUS ntp_signd_process(struct ntp_signd_connection *ntp_signd_conn,
105 TALLOC_CTX *mem_ctx,
106 DATA_BLOB *input,
107 DATA_BLOB *output)
108 {
109 const struct dom_sid *domain_sid;
110 struct dom_sid *sid;
111 struct sign_request sign_request;
112 struct signed_reply signed_reply;
113 enum ndr_err_code ndr_err;
114 struct ldb_result *res;
115 static const char *attrs[] = {
116 "unicodePwd",
117 "userAccountControl",
118 "cn",
119 /* Required for Group Managed Service Accounts. */
120 "msDS-ManagedPasswordId",
121 "msDS-ManagedPasswordInterval",
122 "objectClass",
123 "objectSid",
124 "whenCreated",
125 NULL};
126 gnutls_hash_hd_t hash_hnd = NULL;
127 struct samr_Password *nt_hash;
128 uint32_t user_account_control;
129 struct dom_sid_buf buf;
130 int ret;
131
132 ndr_err = ndr_pull_struct_blob_all(input, mem_ctx,
133 &sign_request,
134 (ndr_pull_flags_fn_t)ndr_pull_sign_request);
135
136 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
137 DEBUG(1,("failed to parse ntp signing request\n"));
138 dump_data(1, input->data, input->length);
139 return ndr_map_error2ntstatus(ndr_err);
140 }
141
142 /* We need to implement 'check signature' and 'request server
143 * to sign' operations at some point */
144 if (sign_request.op != SIGN_TO_CLIENT) {
145 return signing_failure(ntp_signd_conn,
146 mem_ctx,
147 output,
148 sign_request.packet_id);
149 }
150
151 /* We need to implement 'check signature' and 'request server
152 * to sign' operations at some point */
153 if (sign_request.version != NTP_SIGND_PROTOCOL_VERSION_0) {
154 return signing_failure(ntp_signd_conn,
155 mem_ctx,
156 output,
157 sign_request.packet_id);
158 }
159
160 domain_sid = samdb_domain_sid(ntp_signd_conn->ntp_signd->samdb);
161 if (domain_sid == NULL) {
162 return signing_failure(ntp_signd_conn,
163 mem_ctx,
164 output,
165 sign_request.packet_id);
166 }
167
168 /* The top bit is a 'key selector' */
169 sid = dom_sid_add_rid(mem_ctx, domain_sid,
170 sign_request.key_id & 0x7FFFFFFF);
171 if (sid == NULL) {
172 talloc_free(mem_ctx);
173 return signing_failure(ntp_signd_conn,
174 mem_ctx,
175 output,
176 sign_request.packet_id);
177 }
178
179 ret = dsdb_search(ntp_signd_conn->ntp_signd->samdb, mem_ctx,
180 &res,
181 ldb_get_default_basedn(ntp_signd_conn->ntp_signd->samdb),
182 LDB_SCOPE_SUBTREE,
183 attrs,
184 DSDB_SEARCH_UPDATE_MANAGED_PASSWORDS,
185 "(&(objectSid=%s)(objectClass=user))",
186 ldap_encode_ndr_dom_sid(mem_ctx, sid));
187 if (ret != LDB_SUCCESS) {
188 DEBUG(2, ("Failed to search for SID %s in SAM for NTP signing: "
189 "%s\n",
190 dom_sid_str_buf(sid, &buf),
191 ldb_errstring(ntp_signd_conn->ntp_signd->samdb)));
192 return signing_failure(ntp_signd_conn,
193 mem_ctx,
194 output,
195 sign_request.packet_id);
196 }
197
198 if (res->count == 0) {
199 DEBUG(2, ("Failed to find SID %s in SAM for NTP signing\n",
200 dom_sid_str_buf(sid, &buf)));
201 return signing_failure(ntp_signd_conn,
202 mem_ctx,
203 output,
204 sign_request.packet_id);
205 } else if (res->count != 1) {
206 DEBUG(1, ("Found SID %s %u times in SAM for NTP signing\n",
207 dom_sid_str_buf(sid, &buf),
208 res->count));
209 return signing_failure(ntp_signd_conn,
210 mem_ctx,
211 output,
212 sign_request.packet_id);
213 }
214
215 user_account_control = ldb_msg_find_attr_as_uint(res->msgs[0],
216 "userAccountControl",
217 0);
218
219 if (user_account_control & UF_ACCOUNTDISABLE) {
220 DEBUG(1, ("Account %s for SID [%s] is disabled\n",
221 ldb_dn_get_linearized(res->msgs[0]->dn),
222 dom_sid_str_buf(sid, &buf)));
223 return NT_STATUS_ACCESS_DENIED;
224 }
225
226 if (!(user_account_control & (UF_INTERDOMAIN_TRUST_ACCOUNT|UF_SERVER_TRUST_ACCOUNT|UF_WORKSTATION_TRUST_ACCOUNT))) {
227 DEBUG(1, ("Account %s for SID [%s] is not a trust account\n",
228 ldb_dn_get_linearized(res->msgs[0]->dn),
229 dom_sid_str_buf(sid, &buf)));
230 return NT_STATUS_ACCESS_DENIED;
231 }
232
233 nt_hash = samdb_result_hash(mem_ctx, res->msgs[0], "unicodePwd");
234 if (!nt_hash) {
235 DEBUG(1, ("No unicodePwd found on record of SID %s "
236 "for NTP signing\n",
237 dom_sid_str_buf(sid, &buf)));
238 return signing_failure(ntp_signd_conn,
239 mem_ctx,
240 output,
241 sign_request.packet_id);
242 }
243
244 /* Generate the reply packet */
245 signed_reply.packet_id = sign_request.packet_id;
246 signed_reply.op = SIGNING_SUCCESS;
247 signed_reply.signed_packet = data_blob_talloc(mem_ctx,
248 NULL,
249 sign_request.packet_to_sign.length + 20);
250
251 if (!signed_reply.signed_packet.data) {
252 return signing_failure(ntp_signd_conn,
253 mem_ctx,
254 output,
255 sign_request.packet_id);
256 }
257
258 memcpy(signed_reply.signed_packet.data, sign_request.packet_to_sign.data, sign_request.packet_to_sign.length);
259 SIVAL(signed_reply.signed_packet.data, sign_request.packet_to_sign.length, sign_request.key_id);
260
261 /* Sign the NTP response with the unicodePwd */
262 ret = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
263 if (ret < 0) {
264 return gnutls_error_to_ntstatus(ret, NT_STATUS_HASH_NOT_SUPPORTED);
265 }
266
267 ret = gnutls_hash(hash_hnd,
268 nt_hash->hash,
269 sizeof(nt_hash->hash));
270 if (ret < 0) {
271 gnutls_hash_deinit(hash_hnd, NULL);
272 return gnutls_error_to_ntstatus(ret, NT_STATUS_HASH_NOT_SUPPORTED);
273 }
274 ret = gnutls_hash(hash_hnd,
275 sign_request.packet_to_sign.data,
276 sign_request.packet_to_sign.length);
277 if (ret < 0) {
278 gnutls_hash_deinit(hash_hnd, NULL);
279 return gnutls_error_to_ntstatus(ret, NT_STATUS_HASH_NOT_SUPPORTED);
280 }
281
282 gnutls_hash_deinit(hash_hnd,
283 signed_reply.signed_packet.data +
284 sign_request.packet_to_sign.length + 4);
285
286 /* Place it into the packet for the wire */
287 ndr_err = ndr_push_struct_blob(output, mem_ctx, &signed_reply,
288 (ndr_push_flags_fn_t)ndr_push_signed_reply);
289
290 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
291 DEBUG(1,("failed to push ntp error reply\n"));
292 return ndr_map_error2ntstatus(ndr_err);
293 }
294
295 return NT_STATUS_OK;
296 }
297
298 /*
299 called on a tcp recv
300 */
301 static void ntp_signd_recv(struct stream_connection *conn, uint16_t flags)
302 {
303 struct ntp_signd_connection *ntp_signd_conn = talloc_get_type(conn->private_data,
304 struct ntp_signd_connection);
305 ntp_signd_terminate_connection(ntp_signd_conn,
306 "ntp_signd_recv: called");
307 }
308
309 /*
310 called when we can write to a connection
311 */
312 static void ntp_signd_send(struct stream_connection *conn, uint16_t flags)
313 {
314 struct ntp_signd_connection *ntp_signd_conn = talloc_get_type(conn->private_data,
315 struct ntp_signd_connection);
316 /* this should never be triggered! */
317 ntp_signd_terminate_connection(ntp_signd_conn,
318 "ntp_signd_send: called");
319 }
320
321 struct ntp_signd_call {
322 struct ntp_signd_connection *ntp_signd_conn;
323 DATA_BLOB in;
324 DATA_BLOB out;
325 uint8_t out_hdr[4];
326 struct iovec out_iov[2];
327 };
328
329 static void ntp_signd_call_writev_done(struct tevent_req *subreq);
330
331 static void ntp_signd_call_loop(struct tevent_req *subreq)
332 {
333 struct ntp_signd_connection *ntp_signd_conn = tevent_req_callback_data(subreq,
334 struct ntp_signd_connection);
335 struct ntp_signd_call *call;
336 NTSTATUS status;
337
338 call = talloc(ntp_signd_conn, struct ntp_signd_call);
339 if (call == NULL) {
340 ntp_signd_terminate_connection(ntp_signd_conn,
341 "ntp_signd_call_loop: "
342 "no memory for ntp_signd_call");
343 return;
344 }
345 call->ntp_signd_conn = ntp_signd_conn;
346
347 status = tstream_read_pdu_blob_recv(subreq,
348 call,
349 &call->in);
350 TALLOC_FREE(subreq);
351 if (!NT_STATUS_IS_OK(status)) {
352 const char *reason;
353
354 reason = talloc_asprintf(call, "ntp_signd_call_loop: "
355 "tstream_read_pdu_blob_recv() - %s",
356 nt_errstr(status));
357 if (reason == NULL) {
358 reason = nt_errstr(status);
359 }
360
361 ntp_signd_terminate_connection(ntp_signd_conn, reason);
362 return;
363 }
364
365 DEBUG(10,("Received NTP TCP packet of length %lu from %s\n",
366 (long) call->in.length,
367 tsocket_address_string(ntp_signd_conn->conn->remote_address, call)));
368
369 /* skip length header */
370 call->in.data +=4;
371 call->in.length -= 4;
372
373 status = ntp_signd_process(ntp_signd_conn,
374 call,
375 &call->in,
376 &call->out);
377 if (! NT_STATUS_IS_OK(status)) {
378 const char *reason;
379
380 reason = talloc_asprintf(call, "ntp_signd_process failed: %s",
381 nt_errstr(status));
382 if (reason == NULL) {
383 reason = nt_errstr(status);
384 }
385
386 ntp_signd_terminate_connection(ntp_signd_conn, reason);
387 return;
388 }
389
390 /* First add the length of the out buffer */
391 RSIVAL(call->out_hdr, 0, call->out.length);
392 call->out_iov[0].iov_base = (char *) call->out_hdr;
393 call->out_iov[0].iov_len = 4;
394
395 call->out_iov[1].iov_base = (char *) call->out.data;
396 call->out_iov[1].iov_len = call->out.length;
397
398 subreq = tstream_writev_queue_send(call,
399 ntp_signd_conn->conn->event.ctx,
400 ntp_signd_conn->tstream,
401 ntp_signd_conn->send_queue,
402 call->out_iov, 2);
403 if (subreq == NULL) {
404 ntp_signd_terminate_connection(ntp_signd_conn, "ntp_signd_call_loop: "
405 "no memory for tstream_writev_queue_send");
406 return;
407 }
408
409 tevent_req_set_callback(subreq, ntp_signd_call_writev_done, call);
410
411 /*
412 * The NTP tcp pdu's has the length as 4 byte (initial_read_size),
413 * tstream_full_request_u32 provides the pdu length then.
414 */
415 subreq = tstream_read_pdu_blob_send(ntp_signd_conn,
416 ntp_signd_conn->conn->event.ctx,
417 ntp_signd_conn->tstream,
418 4, /* initial_read_size */
419 tstream_full_request_u32,
420 ntp_signd_conn);
421 if (subreq == NULL) {
422 ntp_signd_terminate_connection(ntp_signd_conn, "ntp_signd_call_loop: "
423 "no memory for tstream_read_pdu_blob_send");
424 return;
425 }
426 tevent_req_set_callback(subreq, ntp_signd_call_loop, ntp_signd_conn);
427 }
428
429 static void ntp_signd_call_writev_done(struct tevent_req *subreq)
430 {
431 struct ntp_signd_call *call = tevent_req_callback_data(subreq,
432 struct ntp_signd_call);
433 int sys_errno;
434 int rc;
435
436 rc = tstream_writev_queue_recv(subreq, &sys_errno);
437 TALLOC_FREE(subreq);
438 if (rc == -1) {
439 const char *reason;
440
441 reason = talloc_asprintf(call, "ntp_signd_call_writev_done: "
442 "tstream_writev_queue_recv() - %d:%s",
443 sys_errno, strerror(sys_errno));
444 if (!reason) {
445 reason = "ntp_signd_call_writev_done: "
446 "tstream_writev_queue_recv() failed";
447 }
448
449 ntp_signd_terminate_connection(call->ntp_signd_conn, reason);
450 return;
451 }
452
453 /* We don't care about errors */
454
455 talloc_free(call);
456 }
457
458 /*
459 called when we get a new connection
460 */
461 static void ntp_signd_accept(struct stream_connection *conn)
462 {
463 struct ntp_signd_server *ntp_signd = talloc_get_type(conn->private_data,
464 struct ntp_signd_server);
465 struct ntp_signd_connection *ntp_signd_conn;
466 struct tevent_req *subreq;
467 int rc;
468
469 ntp_signd_conn = talloc_zero(conn, struct ntp_signd_connection);
470 if (ntp_signd_conn == NULL) {
471 stream_terminate_connection(conn,
472 "ntp_signd_accept: out of memory");
473 return;
474 }
475
476 ntp_signd_conn->send_queue = tevent_queue_create(conn,
477 "ntp_signd_accept");
478 if (ntp_signd_conn->send_queue == NULL) {
479 stream_terminate_connection(conn,
480 "ntp_signd_accept: out of memory");
481 return;
482 }
483
484 TALLOC_FREE(conn->event.fde);
485
486 rc = tstream_bsd_existing_socket(ntp_signd_conn,
487 socket_get_fd(conn->socket),
488 &ntp_signd_conn->tstream);
489 if (rc < 0) {
490 stream_terminate_connection(conn,
491 "ntp_signd_accept: out of memory");
492 return;
493 }
494 /* as server we want to fail early */
495 tstream_bsd_fail_readv_first_error(ntp_signd_conn->tstream, true);
496
497 ntp_signd_conn->conn = conn;
498 ntp_signd_conn->ntp_signd = ntp_signd;
499 conn->private_data = ntp_signd_conn;
500
501 /*
502 * The NTP tcp pdu's has the length as 4 byte (initial_read_size),
503 * tstream_full_request_u32 provides the pdu length then.
504 */
505 subreq = tstream_read_pdu_blob_send(ntp_signd_conn,
506 ntp_signd_conn->conn->event.ctx,
507 ntp_signd_conn->tstream,
508 4, /* initial_read_size */
509 tstream_full_request_u32,
510 ntp_signd_conn);
511 if (subreq == NULL) {
512 ntp_signd_terminate_connection(ntp_signd_conn,
513 "ntp_signd_accept: "
514 "no memory for tstream_read_pdu_blob_send");
515 return;
516 }
517 tevent_req_set_callback(subreq, ntp_signd_call_loop, ntp_signd_conn);
518 }
519
520 static const struct stream_server_ops ntp_signd_stream_ops = {
521 .name = "ntp_signd",
522 .accept_connection = ntp_signd_accept,
523 .recv_handler = ntp_signd_recv,
524 .send_handler = ntp_signd_send
525 };
526
527 /*
528 startup the ntp_signd task
529 */
530 static NTSTATUS ntp_signd_task_init(struct task_server *task)
531 {
532 struct ntp_signd_server *ntp_signd;
533 NTSTATUS status;
534
535 const char *address;
536
537 if (!directory_create_or_exist_strict(lpcfg_ntp_signd_socket_directory(task->lp_ctx), geteuid(), 0750)) {
538 char *error = talloc_asprintf(task, "Cannot create NTP signd pipe directory: %s",
539 lpcfg_ntp_signd_socket_directory(task->lp_ctx));
540 task_server_terminate(task,
541 error, true);
542 return NT_STATUS_UNSUCCESSFUL;
543 }
544
545 task_server_set_title(task, "task[ntp_signd]");
546
547 ntp_signd = talloc(task, struct ntp_signd_server);
548 if (ntp_signd == NULL) {
549 task_server_terminate(task, "ntp_signd: out of memory", true);
550 return NT_STATUS_NO_MEMORY;
551 }
552
553 ntp_signd->task = task;
554
555 /* Must be system to get at the password hashes */
556 ntp_signd->samdb = samdb_connect(ntp_signd,
557 task->event_ctx,
558 task->lp_ctx,
559 system_session(task->lp_ctx),
560 NULL,
561 0);
562 if (ntp_signd->samdb == NULL) {
563 task_server_terminate(task, "ntp_signd failed to open samdb", true);
564 return NT_STATUS_UNSUCCESSFUL;
565 }
566
567 address = talloc_asprintf(ntp_signd, "%s/socket", lpcfg_ntp_signd_socket_directory(task->lp_ctx));
568 if (address == NULL) {
569 task_server_terminate(
570 task, "ntp_signd out of memory in talloc_asprintf()", true);
571 return NT_STATUS_NO_MEMORY;
572 }
573
574 status = stream_setup_socket(ntp_signd->task,
575 ntp_signd->task->event_ctx,
576 ntp_signd->task->lp_ctx,
577 task->model_ops,
578 &ntp_signd_stream_ops,
579 "unix", address, NULL,
580 lpcfg_socket_options(ntp_signd->task->lp_ctx),
581 ntp_signd,
582 ntp_signd->task->process_context);
583 if (!NT_STATUS_IS_OK(status)) {
584 DEBUG(0,("Failed to bind to %s - %s\n",
585 address, nt_errstr(status)));
586 return status;
587 }
588
589 return NT_STATUS_OK;
590
591 }
592
593
594 /* called at smbd startup - register ourselves as a server service */
595 NTSTATUS server_service_ntp_signd_init(TALLOC_CTX *ctx)
596 {
597 static const struct service_details details = {
598 .inhibit_fork_on_accept = true,
599 .inhibit_pre_fork = true,
600 .task_init = ntp_signd_task_init,
601 .post_fork = NULL
602 };
603 return register_server_service(ctx, "ntp_signd", &details);
604 }
GSS-enabled samba4