source4/auth/kerberos/kerberos_util.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Kerberos utility functions for GENSEC
   5
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22 */
  23
  24 #include "includes.h"
  25 #include "system/kerberos.h"
  26 #include "system/time.h"
  27 #include "system/network.h"
  28 #include "auth/kerberos/kerberos.h"
  29 #include "auth/auth.h"
  30
  31 struct principal_container {
  32         struct smb_krb5_context *smb_krb5_context;
  33         krb5_principal principal;
  34 };
  35
  36 struct keytab_container {
  37         struct smb_krb5_context *smb_krb5_context;
  38         krb5_keytab keytab;
  39 };
  40
  41 static int free_principal(void *ptr) {
  42         struct principal_container *pc = ptr;
  43         /* current heimdal - 0.6.3, which we need anyway, fixes segfaults here */
  44         krb5_free_principal(pc->smb_krb5_context->krb5_context, pc->principal);
  45
  46         return 0;
  47 }
  48
  49 krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
  50                                                 struct cli_credentials *machine_account,
  51                                                 struct smb_krb5_context *smb_krb5_context,
  52                                                 krb5_principal *salt_princ)
  53 {
  54         krb5_error_code ret;
  55         char *machine_username;
  56         char *salt_body;
  57         char *lower_realm;
  58         struct principal_container *mem_ctx = talloc(parent_ctx, struct principal_container);
  59         if (!mem_ctx) {
  60                 return ENOMEM;
  61         }
  62
  63         machine_username = talloc_strdup(mem_ctx, cli_credentials_get_username(machine_account, mem_ctx));
  64
  65         if (!machine_username) {
  66                 talloc_free(mem_ctx);
  67                 return ENOMEM;
  68         }
  69
  70         if (machine_username[strlen(machine_username)-1] == '$') {
  71                 machine_username[strlen(machine_username)-1] = '\0';
  72         }
  73         lower_realm = strlower_talloc(mem_ctx, cli_credentials_get_realm(machine_account));
  74         if (!lower_realm) {
  75                 talloc_free(mem_ctx);
  76                 return ENOMEM;
  77         }
  78
  79         salt_body = talloc_asprintf(mem_ctx, "%s.%s", machine_username,
  80                                     lower_realm);
  81         if (!salt_body) {
  82                 talloc_free(mem_ctx);
  83                 return ENOMEM;
  84         }
  85
  86         ret = krb5_make_principal(smb_krb5_context->krb5_context, salt_princ,
  87                                   cli_credentials_get_realm(machine_account),
  88                                   "host", salt_body, NULL);
  89
  90         if (ret == 0) {
  91                 mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
  92                 mem_ctx->principal = *salt_princ;
  93                 talloc_set_destructor(mem_ctx, free_principal);
  94         }
  95         return ret;
  96 }
  97
  98 krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx,
  99                                            struct cli_credentials *credentials,
 100                                            struct smb_krb5_context *smb_krb5_context,
 101                                            krb5_principal *princ)
 102 {
 103         krb5_error_code ret;
 104         const char *princ_string;
 105         struct principal_container *mem_ctx = talloc(parent_ctx, struct principal_container);
 106         if (!mem_ctx) {
 107                 return ENOMEM;
 108         }
 109
 110         princ_string = cli_credentials_get_principal(credentials, mem_ctx);
 111
 112         if (!princ_string) {
 113                 talloc_free(mem_ctx);
 114                 return ENOMEM;
 115         }
 116
 117         ret = krb5_parse_name(smb_krb5_context->krb5_context,
 118                               princ_string, princ);
 119
 120         if (ret == 0) {
 121                 mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
 122                 mem_ctx->principal = *princ;
 123                 talloc_set_destructor(mem_ctx, free_principal);
 124         }
 125         return ret;
 126 }
 127
 128 /**
 129  * Return a freshly allocated ccache (destroyed by destructor on child
 130  * of parent_ctx), for a given set of client credentials
 131  */
 132
 133  krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx,
 134                           struct cli_credentials *credentials,
 135                           struct smb_krb5_context *smb_krb5_context,
 136                           krb5_ccache ccache)
 137 {
 138         krb5_error_code ret;
 139         const char *password;
 140         time_t kdc_time = 0;
 141         krb5_principal princ;
 142
 143         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
 144
 145         if (!mem_ctx) {
 146                 return ENOMEM;
 147         }
 148
 149         ret = principal_from_credentials(mem_ctx, credentials, smb_krb5_context, &princ);
 150         if (ret) {
 151                 talloc_free(mem_ctx);
 152                 return ret;
 153         }
 154
 155         password = cli_credentials_get_password(credentials);
 156
 157         if (password) {
 158                 ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, ccache,
 159                                                  princ,
 160                                                  password, NULL, &kdc_time);
 161         } else {
 162                 /* No password available, try to use a keyblock instead */
 163
 164                 krb5_keyblock keyblock;
 165                 const struct samr_Password *mach_pwd;
 166                 mach_pwd = cli_credentials_get_nt_hash(credentials, mem_ctx);
 167                 if (!mach_pwd) {
 168                         talloc_free(mem_ctx);
 169                         DEBUG(1, ("kinit_to_ccache: No password available for kinit\n"));
 170                         return EINVAL;
 171                 }
 172                 ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
 173                                          ENCTYPE_ARCFOUR_HMAC,
 174                                          mach_pwd->hash, sizeof(mach_pwd->hash),
 175                                          &keyblock);
 176
 177                 if (ret == 0) {
 178                         ret = kerberos_kinit_keyblock_cc(smb_krb5_context->krb5_context, ccache,
 179                                                          princ,
 180                                                          &keyblock, NULL, &kdc_time);
 181                         krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &keyblock);
 182                 }
 183         }
 184
 185         /* cope with ticket being in the future due to clock skew */
 186         if ((unsigned)kdc_time > time(NULL)) {
 187                 time_t t = time(NULL);
 188                 int time_offset =(unsigned)kdc_time-t;
 189                 DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset));
 190                 krb5_set_real_time(smb_krb5_context->krb5_context, t + time_offset + 1, 0);
 191         }
 192
 193         if (ret == KRB5KRB_AP_ERR_SKEW || ret == KRB5_KDCREP_SKEW) {
 194                 DEBUG(1,("kinit for %s failed (%s)\n",
 195                          cli_credentials_get_principal(credentials, mem_ctx),
 196                          smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 197                                                     ret, mem_ctx)));
 198                 talloc_free(mem_ctx);
 199                 return ret;
 200         }
 201         if (ret) {
 202                 DEBUG(1,("kinit for %s failed (%s)\n",
 203                          cli_credentials_get_principal(credentials, mem_ctx),
 204                          smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 205                                                     ret, mem_ctx)));
 206                 talloc_free(mem_ctx);
 207                 return ret;
 208         }
 209         return 0;
 210 }
 211
 212 static int free_keytab(void *ptr) {
 213         struct keytab_container *ktc = ptr;
 214         krb5_kt_close(ktc->smb_krb5_context->krb5_context, ktc->keytab);
 215
 216         return 0;
 217 }
 218
 219  NTSTATUS create_memory_keytab(TALLOC_CTX *parent_ctx,
 220                                struct cli_credentials *machine_account,
 221                                struct smb_krb5_context *smb_krb5_context,
 222                                krb5_keytab *keytab)
 223 {
 224         krb5_error_code ret;
 225         const char *password_s;
 226         krb5_data password;
 227         int i;
 228         struct keytab_container *mem_ctx = talloc(parent_ctx, struct keytab_container);
 229         krb5_enctype *enctypes;
 230         krb5_principal salt_princ;
 231         krb5_principal princ;
 232
 233         if (!mem_ctx) {
 234                 return NT_STATUS_NO_MEMORY;
 235         }
 236
 237         ret = krb5_kt_resolve(smb_krb5_context->krb5_context, "MEMORY:", keytab);
 238         if (ret) {
 239                 DEBUG(1,("failed to generate a new krb5 keytab: %s\n",
 240                          error_message(ret)));
 241                 talloc_free(mem_ctx);
 242                 return NT_STATUS_INTERNAL_ERROR;
 243         }
 244
 245         mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
 246         mem_ctx->keytab = *keytab;
 247
 248         talloc_set_destructor(mem_ctx, free_keytab);
 249
 250         ret = salt_principal_from_credentials(mem_ctx, machine_account,
 251                                               smb_krb5_context,
 252                                               &salt_princ);
 253         if (ret) {
 254                 DEBUG(1,("create_memory_keytab: maksing salt principal failed (%s)\n",
 255                          smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 256                                                     ret, mem_ctx)));
 257                 talloc_free(mem_ctx);
 258                 return NT_STATUS_INTERNAL_ERROR;
 259         }
 260
 261         ret = principal_from_credentials(mem_ctx, machine_account, smb_krb5_context, &princ);
 262         if (ret) {
 263                 DEBUG(1,("create_memory_keytab: maksing krb5 principal failed (%s)\n",
 264                          smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 265                                                     ret, mem_ctx)));
 266                 talloc_free(mem_ctx);
 267                 return NT_STATUS_INTERNAL_ERROR;
 268         }
 269
 270         password_s = talloc_strdup(mem_ctx, cli_credentials_get_password(machine_account));
 271         if (!password_s) {
 272                 /* If we don't have the plaintext password, try for
 273                  * the MD4 password hash */
 274
 275                 krb5_keytab_entry entry;
 276                 const struct samr_Password *mach_pwd;
 277                 mach_pwd = cli_credentials_get_nt_hash(machine_account, mem_ctx);
 278                 if (!mach_pwd) {
 279                         talloc_free(mem_ctx);
 280                         DEBUG(1, ("create_memory_keytab: Domain trust informaton for account %s not available\n",
 281                                   cli_credentials_get_principal(machine_account, mem_ctx)));
 282                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 283                 }
 284                 ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
 285                                          ENCTYPE_ARCFOUR_HMAC,
 286                                          mach_pwd->hash, sizeof(mach_pwd->hash),
 287                                          &entry.keyblock);
 288                 if (ret) {
 289                         DEBUG(1, ("create_memory_keytab: krb5_keyblock_init failed: %s\n",
 290                                   smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 291                                                              ret, mem_ctx)));
 292                         return NT_STATUS_INTERNAL_ERROR;
 293                 }
 294
 295                 entry.principal = princ;
 296                 entry.vno       = cli_credentials_get_kvno(machine_account);
 297                 ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, *keytab, &entry);
 298                 if (ret) {
 299                         DEBUG(1, ("Failed to add ARCFOUR_HMAC (only) entry for %s to keytab: %s",
 300                                   cli_credentials_get_principal(machine_account, mem_ctx),
 301                                   smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 302                                                              ret, mem_ctx)));
 303                         talloc_free(mem_ctx);
 304                         krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
 305                         return NT_STATUS_INTERNAL_ERROR;
 306                 }
 307
 308                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
 309                 return NT_STATUS_OK;
 310         }
 311
 312         /* good, we actually have the real plaintext */
 313
 314         ret = get_kerberos_allowed_etypes(smb_krb5_context->krb5_context,
 315                                           &enctypes);
 316         if (ret) {
 317                 DEBUG(1,("create_memory_keytab: getting encrption types failed (%s)\n",
 318                          error_message(ret)));
 319                 talloc_free(mem_ctx);
 320                 return NT_STATUS_INTERNAL_ERROR;
 321         }
 322
 323         password.data = discard_const_p(char *, password_s);
 324         password.length = strlen(password_s);
 325
 326         for (i=0; enctypes[i]; i++) {
 327                 krb5_keytab_entry entry;
 328                 ret = create_kerberos_key_from_string(smb_krb5_context->krb5_context,
 329                                                       salt_princ, &password, &entry.keyblock, enctypes[i]);
 330                 if (ret) {
 331                         talloc_free(mem_ctx);
 332                         return NT_STATUS_INTERNAL_ERROR;
 333                 }
 334
 335                 entry.principal = princ;
 336                 entry.vno       = cli_credentials_get_kvno(machine_account);
 337                 ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, *keytab, &entry);
 338                 if (ret) {
 339                         DEBUG(1, ("Failed to add entry for %s to keytab: %s",
 340                                   cli_credentials_get_principal(machine_account, mem_ctx),
 341                                   smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 342                                                              ret, mem_ctx)));
 343                         talloc_free(mem_ctx);
 344                         krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
 345                         return NT_STATUS_INTERNAL_ERROR;
 346                 }
 347
 348                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
 349         }
 350
 351         free_kerberos_etypes(smb_krb5_context->krb5_context, enctypes);
 352
 353         return NT_STATUS_OK;
 354 }
 355
 356