search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
smbd: Fix following symlinks if basedir != cwd_fsp
[samba4-gss.git] / source4 / kdc / mit_samba.c
blob4af02fa00d0530edd09921ccc187f67f0ad651d8
1 /*
2 MIT-Samba4 library
3
4 Copyright (c) 2010, Simo Sorce <idra@samba.org>
5 Copyright (c) 2014-2015 Guenther Deschner <gd@samba.org>
6 Copyright (c) 2014-2016 Andreas Schneider <asn@samba.org>
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #define TEVENT_DEPRECATED 1
23
24 #include "includes.h"
25 #include "param/param.h"
26 #include "dsdb/samdb/samdb.h"
27 #include "system/kerberos.h"
28 #include "lib/replace/system/filesys.h"
29 #include <com_err.h>
30 #include <kdb.h>
31 #include <kadm5/kadm_err.h>
32 #include "kdc/sdb.h"
33 #include "kdc/sdb_kdb.h"
34 #include "auth/kerberos/kerberos.h"
35 #include "auth/kerberos/pac_utils.h"
36 #include "kdc/samba_kdc.h"
37 #include "kdc/pac-glue.h"
38 #include "kdc/db-glue.h"
39 #include "auth/auth.h"
40 #include "kdc/kpasswd_glue.h"
41 #include "auth/auth_sam.h"
42
43 #include "mit_samba.h"
44
45 #undef DBGC_CLASS
46 #define DBGC_CLASS DBGC_KERBEROS
47
48 void mit_samba_context_free(struct mit_samba_context *ctx)
49 {
50 /* free MIT's krb5_context */
51 if (ctx->context) {
52 krb5_free_context(ctx->context);
53 }
54
55 /* then free everything else */
56 talloc_free(ctx);
57 }
58
59 /*
60 * Implement a callback to log to the MIT KDC log facility
61 *
62 * http://web.mit.edu/kerberos/krb5-devel/doc/plugindev/general.html#logging-from-kdc-and-kadmind-plugin-modules
63 */
64 static void mit_samba_debug(void *private_ptr, int msg_level, const char *msg)
65 {
66 int is_error = errno;
67
68 if (msg_level > 0) {
69 is_error = 0;
70 }
71
72 com_err("mitkdc", is_error, "%s", msg);
73 }
74
75 krb5_error_code mit_samba_context_init(struct mit_samba_context **_ctx)
76 {
77 NTSTATUS status;
78 struct mit_samba_context *ctx;
79 const char *s4_conf_file;
80 krb5_error_code ret;
81 struct samba_kdc_base_context base_ctx = {};
82
83 ctx = talloc_zero(NULL, struct mit_samba_context);
84 if (!ctx) {
85 ret = ENOMEM;
86 goto done;
87 }
88
89 base_ctx.ev_ctx = tevent_context_init(ctx);
90 if (!base_ctx.ev_ctx) {
91 ret = ENOMEM;
92 goto done;
93 }
94 tevent_loop_allow_nesting(base_ctx.ev_ctx);
95 base_ctx.lp_ctx = loadparm_init_global(false);
96 if (!base_ctx.lp_ctx) {
97 ret = ENOMEM;
98 goto done;
99 }
100
101 debug_set_callback(NULL, mit_samba_debug);
102
103 /* init s4 configuration */
104 s4_conf_file = lpcfg_configfile(base_ctx.lp_ctx);
105 if (s4_conf_file != NULL) {
106 char *p = talloc_strdup(ctx, s4_conf_file);
107 if (p == NULL) {
108 ret = ENOMEM;
109 goto done;
110 }
111 lpcfg_load(base_ctx.lp_ctx, p);
112 TALLOC_FREE(p);
113 } else {
114 lpcfg_load_default(base_ctx.lp_ctx);
115 }
116
117 base_ctx.current_nttime_ull = talloc_zero(ctx, unsigned long long);
118 if (base_ctx.current_nttime_ull == NULL) {
119 ret = ENOMEM;
120 goto done;
121 }
122
123 status = samba_kdc_setup_db_ctx(ctx, &base_ctx, &ctx->db_ctx);
124 if (!NT_STATUS_IS_OK(status)) {
125 ret = EINVAL;
126 goto done;
127 }
128
129 /* init MIT's krb_context and log facilities */
130 ret = smb_krb5_init_context_basic(ctx,
131 ctx->db_ctx->lp_ctx,
132 &ctx->context);
133 if (ret) {
134 goto done;
135 }
136
137 ret = 0;
138
139 done:
140 if (ret) {
141 mit_samba_context_free(ctx);
142 } else {
143 *_ctx = ctx;
144 }
145 return ret;
146 }
147
148 int mit_samba_generate_salt(krb5_data *salt)
149 {
150 if (salt == NULL) {
151 return EINVAL;
152 }
153
154 salt->length = 16;
155 salt->data = malloc(salt->length);
156 if (salt->data == NULL) {
157 return ENOMEM;
158 }
159
160 generate_random_buffer((uint8_t *)salt->data, salt->length);
161
162 return 0;
163 }
164
165 int mit_samba_generate_random_password(krb5_data *pwd)
166 {
167 TALLOC_CTX *tmp_ctx;
168 char *password;
169 char *data = NULL;
170 const unsigned length = 24;
171
172 if (pwd == NULL) {
173 return EINVAL;
174 }
175
176 tmp_ctx = talloc_named(NULL,
177 0,
178 "mit_samba_generate_random_password context");
179 if (tmp_ctx == NULL) {
180 return ENOMEM;
181 }
182
183 password = generate_random_password(tmp_ctx, length, length);
184 if (password == NULL) {
185 talloc_free(tmp_ctx);
186 return ENOMEM;
187 }
188
189 data = strdup(password);
190 talloc_free(tmp_ctx);
191 if (data == NULL) {
192 return ENOMEM;
193 }
194
195 *pwd = smb_krb5_make_data(data, length);
196
197 return 0;
198 }
199
200 krb5_error_code mit_samba_get_principal(struct mit_samba_context *ctx,
201 krb5_const_principal principal,
202 unsigned int kflags,
203 krb5_db_entry **_kentry)
204 {
205 struct sdb_entry sentry = {};
206 krb5_db_entry *kentry;
207 krb5_error_code ret;
208 uint32_t sflags = 0;
209 krb5_principal referral_principal = NULL;
210 NTTIME now;
211 bool time_ok;
212
213 time_ok = gmsa_current_time(&now);
214 if (!time_ok) {
215 return EINVAL;
216 }
217
218 *ctx->db_ctx->current_nttime_ull = now;
219
220 kentry = calloc(1, sizeof(krb5_db_entry));
221 if (kentry == NULL) {
222 return ENOMEM;
223 }
224
225 /*
226 * The MIT KDC code that wants the canonical name in all lookups, and
227 * takes care to canonicalize only when appropriate.
228 */
229 sflags |= SDB_F_FORCE_CANON;
230
231 if (kflags & KRB5_KDB_FLAG_REFERRAL_OK) {
232 sflags |= SDB_F_CANON;
233 }
234
235 if (kflags & KRB5_KDB_FLAG_CLIENT) {
236 sflags |= SDB_F_GET_CLIENT;
237 sflags |= SDB_F_FOR_AS_REQ;
238 } else {
239 int equal = smb_krb5_principal_is_tgs(ctx->context, principal);
240 if (equal == -1) {
241 return ENOMEM;
242 }
243
244 if (equal) {
245 sflags |= SDB_F_GET_KRBTGT;
246 } else {
247 sflags |= SDB_F_GET_SERVER;
248 sflags |= SDB_F_FOR_TGS_REQ;
249 }
250 }
251
252 /* always set this or the created_by data will not be populated by samba's
253 * backend and we will fail to parse the entry later */
254 sflags |= SDB_F_ADMIN_DATA;
255
256
257 fetch_referral_principal:
258 ret = samba_kdc_fetch(ctx->context, ctx->db_ctx,
259 principal, sflags, 0, &sentry);
260 switch (ret) {
261 case 0:
262 break;
263 case SDB_ERR_NOENTRY:
264 ret = KRB5_KDB_NOENTRY;
265 goto done;
266 case SDB_ERR_WRONG_REALM: {
267 char *dest_realm = NULL;
268 const char *our_realm = lpcfg_realm(ctx->db_ctx->lp_ctx);
269
270 if (sflags & SDB_F_FOR_AS_REQ) {
271 /*
272 * If this is a request for a TGT, we are done. The KDC
273 * will return the correct error to the client.
274 */
275 ret = 0;
276 break;
277 }
278
279 if (referral_principal != NULL) {
280 sdb_entry_free(&sentry);
281 ret = KRB5_KDB_NOENTRY;
282 goto done;
283 }
284
285 /*
286 * We get a TGS request
287 *
288 * cifs/dc7.SAMBA2008R2.EXAMPLE.COM@ADDOM.SAMBA.EXAMPLE.COM
289 *
290 * to our DC for the realm
291 *
292 * ADDOM.SAMBA.EXAMPLE.COM
293 *
294 * We look up if we have an entry in the database and get an
295 * entry with the principal:
296 *
297 * cifs/dc7.SAMBA2008R2.EXAMPLE.COM@SAMBA2008R2.EXAMPLE.COM
298 *
299 * and the error: SDB_ERR_WRONG_REALM.
300 *
301 * In the case of a TGS-REQ we need to return a referral ticket
302 * for the next trust hop to the client. This ticket will have
303 * the following principal:
304 *
305 * krbtgt/SAMBA2008R2.EXAMPLE.COM@ADDOM.SAMBA.EXAMPLE.COM
306 *
307 * We just redo the lookup in the database with the referral
308 * principal and return success.
309 */
310 dest_realm = smb_krb5_principal_get_realm(
311 ctx, ctx->context, sentry.principal);
312 sdb_entry_free(&sentry);
313 if (dest_realm == NULL) {
314 ret = KRB5_KDB_NOENTRY;
315 goto done;
316 }
317
318 ret = smb_krb5_make_principal(ctx->context,
319 &referral_principal,
320 our_realm,
321 KRB5_TGS_NAME,
322 dest_realm,
323 NULL);
324 TALLOC_FREE(dest_realm);
325 if (ret != 0) {
326 goto done;
327 }
328
329 principal = referral_principal;
330 goto fetch_referral_principal;
331 }
332 case SDB_ERR_NOT_FOUND_HERE:
333 /* FIXME: RODC support */
334 default:
335 goto done;
336 }
337
338 ret = sdb_entry_to_krb5_db_entry(ctx->context, &sentry, kentry);
339
340 sdb_entry_free(&sentry);
341
342 done:
343 krb5_free_principal(ctx->context, referral_principal);
344 referral_principal = NULL;
345
346 if (ret) {
347 free(kentry);
348 } else {
349 *_kentry = kentry;
350 }
351 return ret;
352 }
353
354 krb5_error_code mit_samba_get_firstkey(struct mit_samba_context *ctx,
355 krb5_db_entry **_kentry)
356 {
357 struct sdb_entry sentry = {};
358 krb5_db_entry *kentry;
359 krb5_error_code ret;
360
361 NTTIME now;
362 bool time_ok;
363
364 time_ok = gmsa_current_time(&now);
365 if (!time_ok) {
366 return EINVAL;
367 }
368
369 *ctx->db_ctx->current_nttime_ull = now;
370
371 kentry = malloc(sizeof(krb5_db_entry));
372 if (kentry == NULL) {
373 return ENOMEM;
374 }
375
376 ret = samba_kdc_firstkey(ctx->context, ctx->db_ctx, SDB_F_ADMIN_DATA, &sentry);
377 switch (ret) {
378 case 0:
379 break;
380 case SDB_ERR_NOENTRY:
381 free(kentry);
382 return KRB5_KDB_NOENTRY;
383 case SDB_ERR_NOT_FOUND_HERE:
384 /* FIXME: RODC support */
385 default:
386 free(kentry);
387 return ret;
388 }
389
390 ret = sdb_entry_to_krb5_db_entry(ctx->context, &sentry, kentry);
391
392 sdb_entry_free(&sentry);
393
394 if (ret) {
395 free(kentry);
396 } else {
397 *_kentry = kentry;
398 }
399 return ret;
400 }
401
402 krb5_error_code mit_samba_get_nextkey(struct mit_samba_context *ctx,
403 krb5_db_entry **_kentry)
404 {
405 struct sdb_entry sentry = {};
406 krb5_db_entry *kentry;
407 krb5_error_code ret;
408
409 /* Not updating time, keep the same for the whole operation */
410
411 kentry = malloc(sizeof(krb5_db_entry));
412 if (kentry == NULL) {
413 return ENOMEM;
414 }
415
416 ret = samba_kdc_nextkey(ctx->context, ctx->db_ctx, SDB_F_ADMIN_DATA, &sentry);
417 switch (ret) {
418 case 0:
419 break;
420 case SDB_ERR_NOENTRY:
421 free(kentry);
422 return KRB5_KDB_NOENTRY;
423 case SDB_ERR_NOT_FOUND_HERE:
424 /* FIXME: RODC support */
425 default:
426 free(kentry);
427 return ret;
428 }
429
430 ret = sdb_entry_to_krb5_db_entry(ctx->context, &sentry, kentry);
431
432 sdb_entry_free(&sentry);
433
434 if (ret) {
435 free(kentry);
436 } else {
437 *_kentry = kentry;
438 }
439 return ret;
440 }
441
442 krb5_error_code mit_samba_get_pac(struct mit_samba_context *smb_ctx,
443 krb5_context context,
444 uint32_t flags,
445 krb5_db_entry *client,
446 krb5_db_entry *server,
447 krb5_keyblock *replaced_reply_key,
448 krb5_pac *pac)
449 {
450 TALLOC_CTX *tmp_ctx;
451 const struct auth_user_info_dc *user_info_dc = NULL;
452 struct auth_user_info_dc *user_info_dc_shallow_copy = NULL;
453 DATA_BLOB *logon_info_blob = NULL;
454 DATA_BLOB *upn_dns_info_blob = NULL;
455 DATA_BLOB *cred_ndr = NULL;
456 DATA_BLOB **cred_ndr_ptr = NULL;
457 DATA_BLOB cred_blob = data_blob_null;
458 DATA_BLOB *pcred_blob = NULL;
459 DATA_BLOB *pac_attrs_blob = NULL;
460 DATA_BLOB *requester_sid_blob = NULL;
461 const DATA_BLOB *client_claims_blob = NULL;
462 NTSTATUS nt_status;
463 krb5_error_code code;
464 struct samba_kdc_entry *skdc_entry;
465 struct samba_kdc_entry *server_entry = NULL;
466 bool is_krbtgt;
467 /* Only include resource groups in a service ticket. */
468 enum auth_group_inclusion group_inclusion;
469 enum samba_asserted_identity asserted_identity =
470 (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ?
471 SAMBA_ASSERTED_IDENTITY_SERVICE :
472 SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY;
473
474 if (client == NULL) {
475 return EINVAL;
476 }
477 skdc_entry = talloc_get_type_abort(client->e_data,
478 struct samba_kdc_entry);
479
480 /* This sets the time into the DSDB opaque */
481 *smb_ctx->db_ctx->current_nttime_ull = skdc_entry->current_nttime;
482
483 if (server == NULL) {
484 return EINVAL;
485 }
486 {
487 int result = smb_krb5_principal_is_tgs(smb_ctx->context, server->princ);
488 if (result == -1) {
489 return ENOMEM;
490 }
491
492 is_krbtgt = result;
493 }
494 server_entry = talloc_get_type_abort(server->e_data,
495 struct samba_kdc_entry);
496
497 /* Only include resource groups in a service ticket. */
498 if (is_krbtgt) {
499 group_inclusion = AUTH_EXCLUDE_RESOURCE_GROUPS;
500 } else if (server_entry->supported_enctypes & KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED) {
501 group_inclusion = AUTH_INCLUDE_RESOURCE_GROUPS;
502 } else {
503 group_inclusion = AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED;
504 }
505
506 tmp_ctx = talloc_named(smb_ctx,
507 0,
508 "mit_samba_get_pac context");
509 if (tmp_ctx == NULL) {
510 return ENOMEM;
511 }
512
513 /* Check if we have a PREAUTH key */
514 if (replaced_reply_key != NULL) {
515 cred_ndr_ptr = &cred_ndr;
516 }
517
518 code = samba_kdc_get_user_info_from_db(tmp_ctx,
519 server_entry->kdc_db_ctx->samdb,
520 skdc_entry,
521 skdc_entry->msg,
522 &user_info_dc);
523 if (code) {
524 talloc_free(tmp_ctx);
525 return code;
526 }
527
528 /* Make a shallow copy of the user_info_dc structure. */
529 nt_status = authsam_shallow_copy_user_info_dc(tmp_ctx,
530 user_info_dc,
531 &user_info_dc_shallow_copy);
532 user_info_dc = NULL;
533
534 if (!NT_STATUS_IS_OK(nt_status)) {
535 DBG_ERR("Failed to allocate shallow copy of user_info_dc: %s\n",
536 nt_errstr(nt_status));
537 talloc_free(tmp_ctx);
538 return map_errno_from_nt_status(nt_status);
539 }
540
541
542 nt_status = samba_kdc_add_asserted_identity(asserted_identity,
543 user_info_dc_shallow_copy);
544 if (!NT_STATUS_IS_OK(nt_status)) {
545 DBG_ERR("Failed to add asserted identity: %s\n",
546 nt_errstr(nt_status));
547 talloc_free(tmp_ctx);
548 return EINVAL;
549 }
550
551 nt_status = samba_kdc_add_claims_valid(user_info_dc_shallow_copy);
552 if (!NT_STATUS_IS_OK(nt_status)) {
553 DBG_ERR("Failed to add Claims Valid: %s\n",
554 nt_errstr(nt_status));
555 talloc_free(tmp_ctx);
556 return EINVAL;
557 }
558
559 /* We no longer need to modify this, so assign to const variable */
560 user_info_dc = user_info_dc_shallow_copy;
561
562 nt_status = samba_kdc_get_logon_info_blob(tmp_ctx,
563 user_info_dc,
564 group_inclusion,
565 &logon_info_blob);
566 if (!NT_STATUS_IS_OK(nt_status)) {
567 talloc_free(tmp_ctx);
568 return EINVAL;
569 }
570
571 if (cred_ndr_ptr != NULL) {
572 nt_status = samba_kdc_get_cred_ndr_blob(tmp_ctx,
573 skdc_entry,
574 cred_ndr_ptr);
575 if (!NT_STATUS_IS_OK(nt_status)) {
576 talloc_free(tmp_ctx);
577 return EINVAL;
578 }
579 }
580
581 nt_status = samba_kdc_get_upn_info_blob(tmp_ctx,
582 user_info_dc,
583 &upn_dns_info_blob);
584 if (!NT_STATUS_IS_OK(nt_status)) {
585 talloc_free(tmp_ctx);
586 return EINVAL;
587 }
588
589 if (is_krbtgt) {
590 nt_status = samba_kdc_get_pac_attrs_blob(tmp_ctx,
591 PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY,
592 &pac_attrs_blob);
593 if (!NT_STATUS_IS_OK(nt_status)) {
594 talloc_free(tmp_ctx);
595 return EINVAL;
596 }
597
598 nt_status = samba_kdc_get_requester_sid_blob(tmp_ctx,
599 user_info_dc,
600 &requester_sid_blob);
601 if (!NT_STATUS_IS_OK(nt_status)) {
602 talloc_free(tmp_ctx);
603 return EINVAL;
604 }
605 }
606
607 nt_status = samba_kdc_get_claims_blob(tmp_ctx,
608 skdc_entry,
609 &client_claims_blob);
610 if (!NT_STATUS_IS_OK(nt_status)) {
611 talloc_free(tmp_ctx);
612 return EINVAL;
613 }
614
615 if (replaced_reply_key != NULL && cred_ndr != NULL) {
616 code = samba_kdc_encrypt_pac_credentials(context,
617 replaced_reply_key,
618 cred_ndr,
619 tmp_ctx,
620 &cred_blob);
621 if (code != 0) {
622 talloc_free(tmp_ctx);
623 return code;
624 }
625 pcred_blob = &cred_blob;
626 }
627
628 code = samba_make_krb5_pac(context,
629 logon_info_blob,
630 pcred_blob,
631 upn_dns_info_blob,
632 pac_attrs_blob,
633 requester_sid_blob,
634 NULL /* deleg_blob */,
635 client_claims_blob,
636 NULL /* device_info_blob */,
637 NULL /* device_claims_blob */,
638 *pac);
639
640 talloc_free(tmp_ctx);
641 return code;
642 }
643
644 krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx,
645 krb5_context context,
646 int kdc_flags,
647 krb5_db_entry *client,
648 krb5_db_entry *server,
649 krb5_db_entry *krbtgt,
650 krb5_pac old_pac,
651 krb5_pac new_pac)
652 {
653 TALLOC_CTX *tmp_ctx = NULL;
654 krb5_error_code code;
655 struct samba_kdc_entry *client_skdc_entry = NULL;
656 struct samba_kdc_entry *server_skdc_entry = NULL;
657 struct samba_kdc_entry *krbtgt_skdc_entry = NULL;
658 struct samba_kdc_entry_pac client_pac_entry = {};
659 bool is_in_db = false;
660 bool is_trusted = false;
661 uint32_t flags = 0;
662
663 /* Create a memory context early so code can use talloc_stackframe() */
664 tmp_ctx = talloc_named(ctx, 0, "mit_samba_update_pac context");
665 if (tmp_ctx == NULL) {
666 return ENOMEM;
667 }
668
669 if (client != NULL) {
670 client_skdc_entry =
671 talloc_get_type_abort(client->e_data,
672 struct samba_kdc_entry);
673 }
674
675 if (krbtgt == NULL) {
676 code = EINVAL;
677 goto done;
678 }
679 krbtgt_skdc_entry =
680 talloc_get_type_abort(krbtgt->e_data,
681 struct samba_kdc_entry);
682
683 /* This sets the time into the DSDB opaque */
684 *ctx->db_ctx->current_nttime_ull = krbtgt_skdc_entry->current_nttime;
685
686 if (server == NULL) {
687 code = EINVAL;
688 goto done;
689 }
690 server_skdc_entry =
691 talloc_get_type_abort(server->e_data,
692 struct samba_kdc_entry);
693
694 /*
695 * If the krbtgt was generated by an RODC, and we are not that
696 * RODC, then we need to regenerate the PAC - we can't trust
697 * it, and confirm that the RODC was permitted to print this ticket
698 *
699 * Because of the samba_kdc_validate_pac_blob() step we can be
700 * sure that the record in 'client' or 'server' matches the SID in the
701 * original PAC.
702 */
703 code = samba_krbtgt_is_in_db(krbtgt_skdc_entry,
704 &is_in_db,
705 &is_trusted);
706 if (code != 0) {
707 goto done;
708 }
709
710 if (kdc_flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
711 flags |= SAMBA_KDC_FLAG_PROTOCOL_TRANSITION;
712 }
713
714 if (kdc_flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
715 flags |= SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION;
716 }
717
718 client_pac_entry = samba_kdc_entry_pac_from_trusted(old_pac,
719 client_skdc_entry,
720 samba_kdc_entry_is_trust(krbtgt_skdc_entry),
721 is_trusted);
722
723 code = samba_kdc_verify_pac(tmp_ctx,
724 context,
725 krbtgt_skdc_entry->kdc_db_ctx->samdb,
726 flags,
727 client_pac_entry,
728 krbtgt_skdc_entry);
729 if (code != 0) {
730 goto done;
731 }
732
733 code = samba_kdc_update_pac(tmp_ctx,
734 context,
735 krbtgt_skdc_entry->kdc_db_ctx->samdb,
736 krbtgt_skdc_entry->kdc_db_ctx->lp_ctx,
737 flags,
738 client_pac_entry,
739 server->princ,
740 server_skdc_entry,
741 NULL /* delegated_proxy_principal */,
742 (struct samba_kdc_entry_pac) {} /* delegated_proxy */,
743 (struct samba_kdc_entry_pac) {} /* device */,
744 new_pac,
745 NULL /* server_audit_info_out */,
746 NULL /* status_out */);
747 if (code != 0) {
748 if (code == ENOATTR) {
749 /*
750 * We can't tell the KDC to not issue a PAC. It will
751 * just return the newly allocated empty PAC.
752 */
753 code = 0;
754 }
755 }
756
757 done:
758 talloc_free(tmp_ctx);
759 return code;
760 }
761
762 /* provide header, function is exported but there are no public headers */
763
764 krb5_error_code encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data **code);
765
766 /* this function allocates 'data' using malloc.
767 * The caller is responsible for freeing it */
768 static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data)
769 {
770 krb5_error_code ret = 0;
771 krb5_pa_data pa, *ppa[2];
772 krb5_data *d = NULL;
773
774 if (!e_data)
775 return;
776
777 e_data->data = NULL;
778 e_data->length = 0;
779
780 pa.magic = KV5M_PA_DATA;
781 pa.pa_type = KRB5_PADATA_PW_SALT /* KERB_ERR_TYPE_EXTENDED */;
782 pa.length = 12;
783 pa.contents = malloc(pa.length);
784 if (!pa.contents) {
785 return;
786 }
787
788 SIVAL(pa.contents, 0, NT_STATUS_V(nt_status));
789 SIVAL(pa.contents, 4, 0);
790 SIVAL(pa.contents, 8, 1);
791
792 ppa[0] = &pa;
793 ppa[1] = NULL;
794
795 ret = encode_krb5_padata_sequence(ppa, &d);
796 free(pa.contents);
797 if (ret) {
798 return;
799 }
800
801 e_data->data = (uint8_t *)d->data;
802 e_data->length = d->length;
803
804 /* free d, not d->data - gd */
805 free(d);
806
807 return;
808 }
809
810 krb5_error_code mit_samba_check_client_access(struct mit_samba_context *ctx,
811 krb5_db_entry *client,
812 const char *client_name,
813 krb5_db_entry *server,
814 const char *server_name,
815 const char *netbios_name,
816 bool password_change,
817 DATA_BLOB *e_data)
818 {
819 struct samba_kdc_entry *skdc_entry;
820 NTSTATUS nt_status;
821
822 skdc_entry = talloc_get_type(client->e_data, struct samba_kdc_entry);
823
824 /* This sets the time into the DSDB opaque */
825 *ctx->db_ctx->current_nttime_ull = skdc_entry->current_nttime;
826
827 nt_status = samba_kdc_check_client_access(skdc_entry,
828 client_name,
829 netbios_name,
830 password_change);
831
832 if (!NT_STATUS_IS_OK(nt_status)) {
833 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
834 return ENOMEM;
835 }
836
837 samba_kdc_build_edata_reply(nt_status, e_data);
838
839 return samba_kdc_map_policy_err(nt_status);
840 }
841
842 return 0;
843 }
844
845 krb5_error_code mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
846 const krb5_db_entry *server,
847 krb5_const_principal target_principal)
848 {
849 struct samba_kdc_entry *server_skdc_entry =
850 talloc_get_type_abort(server->e_data, struct samba_kdc_entry);
851 krb5_error_code code;
852
853 /* This sets the time into the DSDB opaque */
854 *ctx->db_ctx->current_nttime_ull = server_skdc_entry->current_nttime;
855
856 code = samba_kdc_check_s4u2proxy(ctx->context,
857 ctx->db_ctx,
858 server_skdc_entry,
859 target_principal);
860
861 return code;
862 }
863
864 krb5_error_code mit_samba_check_allowed_to_delegate_from(
865 struct mit_samba_context *ctx,
866 krb5_const_principal client_principal,
867 krb5_const_principal server_principal,
868 krb5_pac header_pac,
869 const krb5_db_entry *proxy)
870 {
871 struct samba_kdc_entry *proxy_skdc_entry =
872 talloc_get_type_abort(proxy->e_data, struct samba_kdc_entry);
873 struct auth_user_info_dc *user_info_dc = NULL;
874 TALLOC_CTX *mem_ctx = NULL;
875 krb5_error_code code;
876
877 /* This sets the time into the DSDB opaque */
878 *ctx->db_ctx->current_nttime_ull = proxy_skdc_entry->current_nttime;
879
880 mem_ctx = talloc_new(NULL);
881 if (mem_ctx == NULL) {
882 return ENOMEM;
883 }
884
885 /*
886 * FIXME: If ever we support RODCs, we must check that the PAC has not
887 * been issued by an RODC (other than ourselves) — otherwise the PAC
888 * cannot be trusted. Because the plugin interface does not give us the
889 * client entry, we cannot look up its groups in the database.
890 */
891 code = kerberos_pac_to_user_info_dc(mem_ctx,
892 header_pac,
893 ctx->context,
894 &user_info_dc,
895 AUTH_INCLUDE_RESOURCE_GROUPS,
896 NULL,
897 NULL,
898 NULL);
899 if (code != 0) {
900 goto out;
901 }
902
903 code = samba_kdc_check_s4u2proxy_rbcd(ctx->context,
904 ctx->db_ctx,
905 client_principal,
906 server_principal,
907 user_info_dc,
908 NULL /* device_info_dc */,
909 (struct auth_claims) {},
910 proxy_skdc_entry);
911 out:
912 talloc_free(mem_ctx);
913 return code;
914 }
915
916 static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
917 NTSTATUS result,
918 enum samPwdChangeReason reject_reason,
919 struct samr_DomInfo1 *dominfo)
920 {
921 krb5_error_code code = KADM5_PASS_Q_GENERIC;
922
923 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
924 code = KADM5_BAD_PRINCIPAL;
925 krb5_set_error_message(context,
926 code,
927 "No such user when changing password");
928 }
929 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
930 code = KADM5_PASS_Q_GENERIC;
931 krb5_set_error_message(context,
932 code,
933 "Not permitted to change password");
934 }
935 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) &&
936 dominfo != NULL) {
937 switch (reject_reason) {
938 case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT:
939 code = KADM5_PASS_Q_TOOSHORT;
940 krb5_set_error_message(context,
941 code,
942 "Password too short, password "
943 "must be at least %d characters "
944 "long.",
945 dominfo->min_password_length);
946 break;
947 case SAM_PWD_CHANGE_NOT_COMPLEX:
948 code = KADM5_PASS_Q_DICT;
949 krb5_set_error_message(context,
950 code,
951 "Password does not meet "
952 "complexity requirements");
953 break;
954 case SAM_PWD_CHANGE_PWD_IN_HISTORY:
955 code = KADM5_PASS_TOOSOON;
956 krb5_set_error_message(context,
957 code,
958 "Password is already in password "
959 "history. New password must not "
960 "match any of your %d previous "
961 "passwords.",
962 dominfo->password_history_length);
963 break;
964 default:
965 code = KADM5_PASS_Q_GENERIC;
966 krb5_set_error_message(context,
967 code,
968 "Password change rejected, "
969 "password changes may not be "
970 "permitted on this account, or "
971 "the minimum password age may "
972 "not have elapsed.");
973 break;
974 }
975 }
976
977 return code;
978 }
979
980 krb5_error_code mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
981 char *pwd,
982 krb5_db_entry *db_entry)
983 {
984 NTSTATUS status;
985 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
986 TALLOC_CTX *tmp_ctx;
987 DATA_BLOB password;
988 enum samPwdChangeReason reject_reason;
989 struct samr_DomInfo1 *dominfo;
990 const char *error_string = NULL;
991 const struct auth_user_info_dc *user_info_dc = NULL;
992 struct samba_kdc_entry *p =
993 talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
994 krb5_error_code code = 0;
995
996 /* This sets the time into the DSDB opaque */
997 *ctx->db_ctx->current_nttime_ull = p->current_nttime;
998
999 #ifdef DEBUG_PASSWORD
1000 DBG_WARNING("mit_samba_kpasswd_change_password called with: %s\n", pwd);
1001 #endif
1002
1003 tmp_ctx = talloc_named(ctx, 0, "mit_samba_kpasswd_change_password");
1004 if (tmp_ctx == NULL) {
1005 return ENOMEM;
1006 }
1007
1008 code = samba_kdc_get_user_info_from_db(tmp_ctx,
1009 ctx->db_ctx->samdb,
1010 p,
1011 p->msg,
1012 &user_info_dc);
1013 if (code) {
1014 const char *krb5err = krb5_get_error_message(ctx->context, code);
1015 DBG_WARNING("samba_kdc_get_user_info_from_db failed: %s\n",
1016 krb5err != NULL ? krb5err : "<unknown>");
1017 krb5_free_error_message(ctx->context, krb5err);
1018
1019 goto out;
1020 }
1021
1022 status = auth_generate_session_info(tmp_ctx,
1023 ctx->db_ctx->lp_ctx,
1024 ctx->db_ctx->samdb,
1025 user_info_dc,
1026 0, /* session_info_flags */
1027 &ctx->session_info);
1028
1029 if (!NT_STATUS_IS_OK(status)) {
1030 DBG_WARNING("auth_generate_session_info failed: %s\n",
1031 nt_errstr(status));
1032 code = EINVAL;
1033 goto out;
1034 }
1035
1036 /* password is expected as UTF16 */
1037
1038 if (!convert_string_talloc(tmp_ctx, CH_UTF8, CH_UTF16,
1039 pwd, strlen(pwd),
1040 &password.data, &password.length)) {
1041 DBG_WARNING("convert_string_talloc failed\n");
1042 code = EINVAL;
1043 goto out;
1044 }
1045
1046 status = samdb_kpasswd_change_password(tmp_ctx,
1047 ctx->db_ctx->lp_ctx,
1048 ctx->db_ctx->ev_ctx,
1049 ctx->session_info,
1050 &password,
1051 &reject_reason,
1052 &dominfo,
1053 &error_string,
1054 &result);
1055 if (!NT_STATUS_IS_OK(status)) {
1056 DBG_WARNING("samdb_kpasswd_change_password failed: %s\n",
1057 nt_errstr(status));
1058 code = KADM5_PASS_Q_GENERIC;
1059 krb5_set_error_message(ctx->context, code, "%s", error_string);
1060 goto out;
1061 }
1062
1063 if (!NT_STATUS_IS_OK(result)) {
1064 code = mit_samba_change_pwd_error(ctx->context,
1065 result,
1066 reject_reason,
1067 dominfo);
1068 }
1069
1070 out:
1071 talloc_free(tmp_ctx);
1072
1073 return code;
1074 }
1075
1076 void mit_samba_zero_bad_password_count(krb5_db_entry *db_entry)
1077 {
1078 /* struct netr_SendToSamBase *send_to_sam = NULL; */
1079 struct samba_kdc_entry *p =
1080 talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
1081 struct ldb_dn *domain_dn;
1082
1083 /* This sets the time into the DSDB opaque */
1084 *p->kdc_db_ctx->current_nttime_ull = p->current_nttime;
1085
1086 domain_dn = ldb_get_default_basedn(p->kdc_db_ctx->samdb);
1087
1088 authsam_logon_success_accounting(p->kdc_db_ctx->samdb,
1089 p->msg,
1090 domain_dn,
1091 true,
1092 NULL, NULL);
1093 /* TODO: RODC support */
1094 }
1095
1096
1097 void mit_samba_update_bad_password_count(krb5_db_entry *db_entry)
1098 {
1099 struct samba_kdc_entry *p =
1100 talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
1101
1102 /* This sets the time into the DSDB opaque */
1103 *p->kdc_db_ctx->current_nttime_ull = p->current_nttime;
1104
1105 authsam_update_bad_pwd_count(p->kdc_db_ctx->samdb,
1106 p->msg,
1107 ldb_get_default_basedn(p->kdc_db_ctx->samdb));
1108 }
1109
1110 bool mit_samba_princ_needs_pac(krb5_db_entry *db_entry)
1111 {
1112 struct samba_kdc_entry *skdc_entry =
1113 talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
1114
1115 /* This sets the time into the DSDB opaque */
1116 *skdc_entry->kdc_db_ctx->current_nttime_ull = skdc_entry->current_nttime;
1117
1118 return samba_princ_needs_pac(skdc_entry);
1119 }
GSS-enabled samba4