2 Unix SMB/CIFS implementation.
4 Generic Authentication Interface
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "auth/gensec/gensec.h"
25 #include "auth/gensec/gensec_internal.h"
26 #include "auth/common_auth.h"
27 #include "../lib/util/asn1.h"
28 #include "param/param.h"
29 #include "libds/common/roles.h"
32 #define DBGC_CLASS DBGC_AUTH
34 NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
35 struct gensec_security *gensec_security,
36 struct smb_krb5_context *smb_krb5_context,
38 const char *principal_string,
39 const struct tsocket_address *remote_address,
40 struct auth_session_info **session_info)
42 uint32_t session_info_flags = 0;
43 struct auth4_context *auth_context = NULL;
46 if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
47 session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
50 session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
53 enum server_role server_role =
54 lpcfg_server_role(gensec_security->settings->lp_ctx);
57 * For any domain setup (DC or member) we require having
58 * a PAC, as the service ticket comes from an AD DC,
59 * which will always provide a PAC, unless
60 * UF_NO_AUTH_DATA_REQUIRED is configured for our
61 * account, but that's just an invalid configuration,
62 * the admin configured for us!
64 * As a legacy case, we still allow kerberos tickets from an MIT
65 * realm, but only in standalone mode. In that mode we'll only
66 * ever accept a kerberos authentication with a keytab file
67 * being explicitly configured via the 'keytab method' option.
69 if (server_role != ROLE_STANDALONE) {
70 DBG_WARNING("Unable to find PAC in ticket from %s, "
71 "failing to allow access\n",
73 return NT_STATUS_NO_IMPERSONATION_TOKEN;
75 DBG_NOTICE("Unable to find PAC for %s, resorting to local "
76 "user lookup\n", principal_string);
79 auth_context = gensec_security->auth_context;
81 if ((auth_context == NULL) ||
82 (auth_context->generate_session_info_pac == NULL)) {
83 DBG_ERR("Cannot generate a session_info without "
84 "the auth_context\n");
85 return NT_STATUS_INTERNAL_ERROR;
88 status = auth_context->generate_session_info_pac(
101 magic check a GSS-API wrapper packet for an Kerberos OID
103 static bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid)
106 struct asn1_data *data = asn1_init(NULL, ASN1_MAX_TREE_DEPTH);
108 if (!data) return false;
110 if (!asn1_load(data, *blob)) goto err;
111 if (!asn1_start_tag(data, ASN1_APPLICATION(0))) goto err;
112 if (!asn1_check_OID(data, oid)) goto err;
114 ret = !asn1_has_error(data);
123 * Check if the packet is one for the KRB5 mechanism
125 * NOTE: This is a helper that can be employed by multiple mechanisms, do
126 * not make assumptions about the private_data
128 * @param gensec_security GENSEC state, unused
129 * @param in The request, as a DATA_BLOB
130 * @return Error, INVALID_PARAMETER if it's not a packet for us
131 * or NT_STATUS_OK if the packet is ok.
134 NTSTATUS gensec_magic_check_krb5_oid(struct gensec_security *unused,
135 const DATA_BLOB *blob)
137 if (gensec_gssapi_check_oid(blob, GENSEC_OID_KERBEROS5)) {
140 return NT_STATUS_INVALID_PARAMETER;
144 void gensec_child_want_feature(struct gensec_security *gensec_security,
147 struct gensec_security *child_security = gensec_security->child_security;
149 gensec_security->want_features |= feature;
150 if (child_security == NULL) {
153 gensec_want_feature(child_security, feature);
156 bool gensec_child_have_feature(struct gensec_security *gensec_security,
159 struct gensec_security *child_security = gensec_security->child_security;
161 if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
163 * All mechs with sub (child) mechs need to provide DCERPC
164 * header signing! This is required because the negotiation
165 * of header signing is done before the authentication
171 if (child_security == NULL) {
175 return gensec_have_feature(child_security, feature);
178 NTSTATUS gensec_child_unseal_packet(struct gensec_security *gensec_security,
179 uint8_t *data, size_t length,
180 const uint8_t *whole_pdu, size_t pdu_length,
181 const DATA_BLOB *sig)
183 if (gensec_security->child_security == NULL) {
184 return NT_STATUS_INVALID_PARAMETER;
187 return gensec_unseal_packet(gensec_security->child_security,
189 whole_pdu, pdu_length,
193 NTSTATUS gensec_child_check_packet(struct gensec_security *gensec_security,
194 const uint8_t *data, size_t length,
195 const uint8_t *whole_pdu, size_t pdu_length,
196 const DATA_BLOB *sig)
198 if (gensec_security->child_security == NULL) {
199 return NT_STATUS_INVALID_PARAMETER;
202 return gensec_check_packet(gensec_security->child_security,
204 whole_pdu, pdu_length,
208 NTSTATUS gensec_child_seal_packet(struct gensec_security *gensec_security,
210 uint8_t *data, size_t length,
211 const uint8_t *whole_pdu, size_t pdu_length,
214 if (gensec_security->child_security == NULL) {
215 return NT_STATUS_INVALID_PARAMETER;
218 return gensec_seal_packet(gensec_security->child_security,
221 whole_pdu, pdu_length,
225 NTSTATUS gensec_child_sign_packet(struct gensec_security *gensec_security,
227 const uint8_t *data, size_t length,
228 const uint8_t *whole_pdu, size_t pdu_length,
231 if (gensec_security->child_security == NULL) {
232 return NT_STATUS_INVALID_PARAMETER;
235 return gensec_sign_packet(gensec_security->child_security,
238 whole_pdu, pdu_length,
242 NTSTATUS gensec_child_wrap(struct gensec_security *gensec_security,
247 if (gensec_security->child_security == NULL) {
248 return NT_STATUS_INVALID_PARAMETER;
251 return gensec_wrap(gensec_security->child_security,
255 NTSTATUS gensec_child_unwrap(struct gensec_security *gensec_security,
260 if (gensec_security->child_security == NULL) {
261 return NT_STATUS_INVALID_PARAMETER;
264 return gensec_unwrap(gensec_security->child_security,
268 size_t gensec_child_sig_size(struct gensec_security *gensec_security,
271 if (gensec_security->child_security == NULL) {
275 return gensec_sig_size(gensec_security->child_security, data_size);
278 size_t gensec_child_max_input_size(struct gensec_security *gensec_security)
280 if (gensec_security->child_security == NULL) {
284 return gensec_max_input_size(gensec_security->child_security);
287 size_t gensec_child_max_wrapped_size(struct gensec_security *gensec_security)
289 if (gensec_security->child_security == NULL) {
293 return gensec_max_wrapped_size(gensec_security->child_security);
296 NTSTATUS gensec_child_session_key(struct gensec_security *gensec_security,
298 DATA_BLOB *session_key)
300 if (gensec_security->child_security == NULL) {
301 return NT_STATUS_INVALID_PARAMETER;
304 return gensec_session_key(gensec_security->child_security,
309 NTSTATUS gensec_child_session_info(struct gensec_security *gensec_security,
311 struct auth_session_info **session_info)
313 if (gensec_security->child_security == NULL) {
314 return NT_STATUS_INVALID_PARAMETER;
317 return gensec_session_info(gensec_security->child_security,
322 NTTIME gensec_child_expire_time(struct gensec_security *gensec_security)
324 if (gensec_security->child_security == NULL) {
325 return GENSEC_EXPIRE_TIME_INFINITY;
328 return gensec_expire_time(gensec_security->child_security);
331 const char *gensec_child_final_auth_type(struct gensec_security *gensec_security)
333 if (gensec_security->child_security == NULL) {
337 return gensec_final_auth_type(gensec_security->child_security);