search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-scripts: Move connection tracking to 10.interface
[samba4-gss.git] / source4 / kdc / kdc-service-mit.c
blobf21b4c94f6076bed17da08d2ff9bb34c26bef90c
1 /*
2 Unix SMB/CIFS implementation.
3
4 Start MIT krb5kdc server within Samba AD
5
6 Copyright (c) 2014-2016 Andreas Schneider <asn@samba.org>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "talloc.h"
24 #include "tevent.h"
25 #include "system/filesys.h"
26 #include "lib/param/param.h"
27 #include "lib/util/samba_util.h"
28 #include "source4/samba/service.h"
29 #include "source4/samba/process_model.h"
30 #include "kdc/kdc-service-mit.h"
31 #include "dynconfig.h"
32 #include "libds/common/roles.h"
33 #include "lib/socket/netif.h"
34 #include "samba/session.h"
35 #include "dsdb/samdb/samdb.h"
36 #include "kdc/samba_kdc.h"
37 #include "kdc/kdc-server.h"
38 #include "kdc/kpasswd-service.h"
39 #include <kadm5/admin.h>
40 #include <kdb.h>
41
42 #include "source4/kdc/mit_kdc_irpc.h"
43
44 #undef DBGC_CLASS
45 #define DBGC_CLASS DBGC_KERBEROS
46
47 /* PROTOTYPES */
48 static void mitkdc_server_done(struct tevent_req *subreq);
49
50 static int kdc_server_destroy(struct kdc_server *kdc)
51 {
52 if (kdc->private_data != NULL) {
53 kadm5_destroy(kdc->private_data);
54 }
55
56 return 0;
57 }
58
59 static NTSTATUS startup_kpasswd_server(TALLOC_CTX *mem_ctx,
60 struct kdc_server *kdc,
61 struct loadparm_context *lp_ctx,
62 struct interface *ifaces)
63 {
64 int num_interfaces;
65 int i;
66 TALLOC_CTX *tmp_ctx;
67 NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
68 uint16_t kpasswd_port;
69 bool done_wildcard = false;
70 bool ok;
71
72 kpasswd_port = lpcfg_kpasswd_port(lp_ctx);
73 if (kpasswd_port == 0) {
74 return NT_STATUS_OK;
75 }
76
77 tmp_ctx = talloc_named_const(mem_ctx, 0, "kpasswd");
78 if (tmp_ctx == NULL) {
79 return NT_STATUS_NO_MEMORY;
80 }
81
82 num_interfaces = iface_list_count(ifaces);
83
84 ok = lpcfg_bind_interfaces_only(lp_ctx);
85 if (!ok) {
86 int num_binds = 0;
87 char **wcard;
88
89 wcard = iface_list_wildcard(tmp_ctx);
90 if (wcard == NULL) {
91 status = NT_STATUS_NO_MEMORY;
92 goto out;
93 }
94
95 for (i = 0; wcard[i] != NULL; i++) {
96 status = kdc_add_socket(kdc,
97 kdc->task->model_ops,
98 "kpasswd",
99 wcard[i],
100 kpasswd_port,
101 kpasswd_process,
102 false);
103 if (NT_STATUS_IS_OK(status)) {
104 num_binds++;
105 }
106 }
107 talloc_free(wcard);
108
109 if (num_binds == 0) {
110 status = NT_STATUS_INVALID_PARAMETER_MIX;
111 goto out;
112 }
113
114 done_wildcard = true;
115 }
116
117 for (i = 0; i < num_interfaces; i++) {
118 const char *address = talloc_strdup(tmp_ctx, iface_list_n_ip(ifaces, i));
119
120 status = kdc_add_socket(kdc,
121 kdc->task->model_ops,
122 "kpasswd",
123 address,
124 kpasswd_port,
125 kpasswd_process,
126 done_wildcard);
127 if (NT_STATUS_IS_OK(status)) {
128 goto out;
129 }
130 }
131
132 out:
133 talloc_free(tmp_ctx);
134 return status;
135 }
136
137 /*
138 * Startup a copy of the krb5kdc as a child daemon
139 */
140 NTSTATUS mitkdc_task_init(struct task_server *task)
141 {
142 struct tevent_req *subreq;
143 const char * const *kdc_cmd;
144 struct interface *ifaces;
145 char *kdc_config = NULL;
146 struct kdc_server *kdc;
147 krb5_error_code code;
148 NTSTATUS status;
149 kadm5_ret_t ret;
150 kadm5_config_params config;
151 void *server_handle;
152 int dbglvl = 0;
153
154 task_server_set_title(task, "task[mitkdc_parent]");
155
156 switch (lpcfg_server_role(task->lp_ctx)) {
157 case ROLE_STANDALONE:
158 task_server_terminate(task,
159 "The KDC is not required in standalone "
160 "server configuration, terminate!",
161 false);
162 return NT_STATUS_INVALID_DOMAIN_ROLE;
163 case ROLE_DOMAIN_MEMBER:
164 task_server_terminate(task,
165 "The KDC is not required in member "
166 "server configuration",
167 false);
168 return NT_STATUS_INVALID_DOMAIN_ROLE;
169 case ROLE_ACTIVE_DIRECTORY_DC:
170 /* Yes, we want to start the KDC */
171 break;
172 }
173
174 /* Load interfaces for kpasswd */
175 load_interface_list(task, task->lp_ctx, &ifaces);
176 if (iface_list_count(ifaces) == 0) {
177 task_server_terminate(task,
178 "KDC: no network interfaces configured",
179 false);
180 return NT_STATUS_UNSUCCESSFUL;
181 }
182
183 kdc_config = talloc_asprintf(task,
184 "%s/kdc.conf",
185 lpcfg_private_dir(task->lp_ctx));
186 if (kdc_config == NULL) {
187 task_server_terminate(task,
188 "KDC: no memory",
189 false);
190 return NT_STATUS_NO_MEMORY;
191 }
192 setenv("KRB5_KDC_PROFILE", kdc_config, 0);
193 TALLOC_FREE(kdc_config);
194
195 dbglvl = debuglevel_get_class(DBGC_KERBEROS);
196 if (dbglvl >= 10) {
197 char *kdc_trace_file = talloc_asprintf(task,
198 "%s/mit_kdc_trace.log",
199 get_dyn_LOGFILEBASE());
200 if (kdc_trace_file == NULL) {
201 task_server_terminate(task,
202 "KDC: no memory",
203 false);
204 return NT_STATUS_NO_MEMORY;
205 }
206
207 setenv("KRB5_TRACE", kdc_trace_file, 1);
208 }
209
210 /* start it as a child process */
211 kdc_cmd = lpcfg_mit_kdc_command(task->lp_ctx);
212
213 subreq = samba_runcmd_send(task,
214 task->event_ctx,
215 timeval_zero(),
216 1, /* stdout log level */
217 0, /* stderr log level */
218 kdc_cmd,
219 "-n", /* Don't go into background */
220 #if 0
221 "-w 2", /* Start two workers */
222 #endif
223 NULL);
224 if (subreq == NULL) {
225 DBG_ERR("Failed to start MIT KDC as child daemon\n");
226
227 task_server_terminate(task,
228 "Failed to startup mitkdc task",
229 true);
230 return NT_STATUS_INTERNAL_ERROR;
231 }
232
233 tevent_req_set_callback(subreq, mitkdc_server_done, task);
234
235 DBG_INFO("Started krb5kdc process\n");
236
237 status = samba_setup_mit_kdc_irpc(task);
238 if (!NT_STATUS_IS_OK(status)) {
239 task_server_terminate(task,
240 "Failed to setup kdc irpc service",
241 true);
242 }
243
244 DBG_INFO("Started irpc service for kdc_server\n");
245
246 kdc = talloc_zero(task, struct kdc_server);
247 if (kdc == NULL) {
248 task_server_terminate(task, "KDC: Out of memory", true);
249 return NT_STATUS_NO_MEMORY;
250 }
251 talloc_set_destructor(kdc, kdc_server_destroy);
252
253 kdc->task = task;
254
255 kdc->base_ctx = talloc_zero(kdc, struct samba_kdc_base_context);
256 if (kdc->base_ctx == NULL) {
257 task_server_terminate(task, "KDC: Out of memory", true);
258 return NT_STATUS_NO_MEMORY;
259 }
260
261 kdc->base_ctx->ev_ctx = task->event_ctx;
262 kdc->base_ctx->lp_ctx = task->lp_ctx;
263
264 initialize_krb5_error_table();
265
266 code = smb_krb5_init_context(kdc,
267 kdc->task->lp_ctx,
268 &kdc->smb_krb5_context);
269 if (code != 0) {
270 task_server_terminate(task,
271 "KDC: Unable to initialize krb5 context",
272 true);
273 return NT_STATUS_INTERNAL_ERROR;
274 }
275
276 code = kadm5_init_krb5_context(&kdc->smb_krb5_context->krb5_context);
277 if (code != 0) {
278 task_server_terminate(task,
279 "KDC: Unable to init kadm5 krb5_context",
280 true);
281 return NT_STATUS_INTERNAL_ERROR;
282 }
283
284 ZERO_STRUCT(config);
285 config.mask = KADM5_CONFIG_REALM;
286 config.realm = discard_const_p(char, lpcfg_realm(kdc->task->lp_ctx));
287
288 ret = kadm5_init(kdc->smb_krb5_context->krb5_context,
289 discard_const_p(char, "kpasswd"),
290 NULL, /* pass */
291 discard_const_p(char, "kpasswd"),
292 &config,
293 KADM5_STRUCT_VERSION,
294 KADM5_API_VERSION_4,
295 NULL,
296 &server_handle);
297 if (ret != 0) {
298 task_server_terminate(task,
299 "KDC: Initialize kadm5",
300 true);
301 return NT_STATUS_INTERNAL_ERROR;
302 }
303 kdc->private_data = server_handle;
304
305 code = krb5_db_register_keytab(kdc->smb_krb5_context->krb5_context);
306 if (code != 0) {
307 task_server_terminate(task,
308 "KDC: Unable to KDB",
309 true);
310 return NT_STATUS_INTERNAL_ERROR;
311 }
312
313 kdc->kpasswd_keytab_name = talloc_asprintf(kdc, "KDB:");
314 if (kdc->kpasswd_keytab_name == NULL) {
315 task_server_terminate(task,
316 "KDC: Out of memory",
317 true);
318 return NT_STATUS_NO_MEMORY;
319 }
320
321 status = startup_kpasswd_server(kdc,
322 kdc,
323 task->lp_ctx,
324 ifaces);
325 if (!NT_STATUS_IS_OK(status)) {
326 task_server_terminate(task,
327 "KDC: Unable to start kpasswd server",
328 true);
329 return status;
330 }
331
332 DBG_INFO("Started kpasswd service for kdc_server\n");
333
334 return NT_STATUS_OK;
335 }
336
337 /*
338 * This gets called the kdc exits.
339 */
340 static void mitkdc_server_done(struct tevent_req *subreq)
341 {
342 struct task_server *task =
343 tevent_req_callback_data(subreq,
344 struct task_server);
345 int sys_errno;
346 int ret;
347
348 ret = samba_runcmd_recv(subreq, &sys_errno);
349 if (ret != 0) {
350 DBG_ERR("The MIT KDC daemon died with exit status %d\n",
351 sys_errno);
352 } else {
353 DBG_ERR("The MIT KDC daemon exited normally\n");
354 }
355
356 task_server_terminate(task, "mitkdc child process exited", true);
357 }
358
359 /* Called at MIT KRB5 startup - register ourselves as a server service */
360 NTSTATUS server_service_mitkdc_init(TALLOC_CTX *mem_ctx);
361
362 NTSTATUS server_service_mitkdc_init(TALLOC_CTX *mem_ctx)
363 {
364 static const struct service_details details = {
365 .inhibit_fork_on_accept = true,
366 /*
367 * Need to prevent pre-forking on kdc.
368 * The task_init function is run on the master process only
369 * and the irpc process name is registered in it's event loop.
370 * The child worker processes initialise their event loops on
371 * fork, so are not listening for the irpc event.
372 *
373 * The master process does not wait on that event context
374 * the master process is responsible for managing the worker
375 * processes not performing work.
376 */
377 .inhibit_pre_fork = true,
378 .task_init = mitkdc_task_init,
379 .post_fork = NULL
380 };
381 return register_server_service(mem_ctx, "kdc", &details);
382 }
GSS-enabled samba4