source4/kdc/kpasswdd.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    kpasswd Server implementation
   5
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
   7    Copyright (C) Andrew Tridgell        2005
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 2 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22 */
  23
  24 #include "includes.h"
  25 #include "smbd/service_task.h"
  26 #include "lib/events/events.h"
  27 #include "lib/socket/socket.h"
  28 #include "kdc/kdc.h"
  29 #include "system/network.h"
  30 #include "dlinklist.h"
  31 #include "lib/ldb/include/ldb.h"
  32 #include "heimdal/lib/krb5/krb5_locl.h"
  33 #include "heimdal/lib/krb5/krb5-private.h"
  34 #include "auth/auth.h"
  35 #include "dsdb/samdb/samdb.h"
  36 #include "rpc_server/dcerpc_server.h"
  37 #include "rpc_server/samr/proto.h"
  38
  39 /* hold information about one kdc socket */
  40 struct kpasswd_socket {
  41         struct socket_context *sock;
  42         struct kdc_server *kdc;
  43         struct fd_event *fde;
  44
  45         /* a queue of outgoing replies that have been deferred */
  46         struct kdc_reply *send_queue;
  47 };
  48
  49 /* Return true if there is a valid error packet formed in the error_blob */
  50 static BOOL kpasswdd_make_error_reply(struct kdc_server *kdc,
  51                                      TALLOC_CTX *mem_ctx,
  52                                      uint16_t result_code,
  53                                      const char *error_string,
  54                                      DATA_BLOB *error_blob)
  55 {
  56         char *error_string_utf8;
  57         ssize_t len;
  58
  59         DEBUG(result_code ? 3 : 10, ("kpasswdd: %s\n", error_string));
  60
  61         len = push_utf8_talloc(mem_ctx, &error_string_utf8, error_string);
  62         if (len == -1) {
  63                 return False;
  64         }
  65
  66         *error_blob = data_blob_talloc(mem_ctx, NULL, 2 + len + 1);
  67         if (!error_blob->data) {
  68                 return False;
  69         }
  70         RSSVAL(error_blob->data, 0, result_code);
  71         memcpy(error_blob->data + 2, error_string_utf8, len + 1);
  72         return True;
  73 }
  74
  75 /* Return true if there is a valid error packet formed in the error_blob */
  76 static BOOL kpasswdd_make_unauth_error_reply(struct kdc_server *kdc,
  77                                             TALLOC_CTX *mem_ctx,
  78                                             uint16_t result_code,
  79                                             const char *error_string,
  80                                             DATA_BLOB *error_blob)
  81 {
  82         BOOL ret;
  83         int kret;
  84         DATA_BLOB error_bytes;
  85         krb5_data k5_error_bytes, k5_error_blob;
  86         ret = kpasswdd_make_error_reply(kdc, mem_ctx, result_code, error_string,
  87                                        &error_bytes);
  88         if (!ret) {
  89                 return False;
  90         }
  91         k5_error_bytes.data = error_bytes.data;
  92         k5_error_bytes.length = error_bytes.length;
  93         kret = krb5_mk_error(kdc->smb_krb5_context->krb5_context,
  94                              result_code, NULL, &k5_error_bytes,
  95                              NULL, NULL, NULL, NULL, &k5_error_blob);
  96         if (kret) {
  97                 return False;
  98         }
  99         *error_blob = data_blob_talloc(mem_ctx, k5_error_blob.data, k5_error_blob.length);
 100         krb5_data_free(&k5_error_blob);
 101         if (!error_blob->data) {
 102                 return False;
 103         }
 104         return True;
 105 }
 106
 107 static BOOL kpasswd_make_pwchange_reply(struct kdc_server *kdc,
 108                                         TALLOC_CTX *mem_ctx,
 109                                         NTSTATUS status,
 110                                         enum samr_RejectReason reject_reason,
 111                                         struct samr_DomInfo1 *dominfo,
 112                                         DATA_BLOB *error_blob)
 113 {
 114         if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
 115                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 116                                                 KRB5_KPASSWD_ACCESSDENIED,
 117                                                 "No such user when changing password",
 118                                                 error_blob);
 119         }
 120         if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
 121                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 122                                                 KRB5_KPASSWD_ACCESSDENIED,
 123                                                 "Not permitted to change password",
 124                                                 error_blob);
 125         }
 126         if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
 127                 const char *reject_string;
 128                 switch (reject_reason) {
 129                 case SAMR_REJECT_TOO_SHORT:
 130                         reject_string = talloc_asprintf(mem_ctx, "Password too short, password must be at least %d characters long",
 131                                                         dominfo->min_password_length);
 132                         break;
 133                 case SAMR_REJECT_COMPLEXITY:
 134                         reject_string = "Password does not meet complexity requirements";
 135                         break;
 136                 case SAMR_REJECT_OTHER:
 137                 default:
 138                         reject_string = talloc_asprintf(mem_ctx, "Password must be at least %d characters long, and cannot match any of your %d previous passwords",
 139                                                         dominfo->min_password_length, dominfo->password_history_length);
 140                         break;
 141                 }
 142                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 143                                                 KRB5_KPASSWD_SOFTERROR,
 144                                                 reject_string,
 145                                                 error_blob);
 146         }
 147         if (!NT_STATUS_IS_OK(status)) {
 148                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 149                                                  KRB5_KPASSWD_HARDERROR,
 150                                                  talloc_asprintf(mem_ctx, "failed to set password: %s", nt_errstr(status)),
 151                                                  error_blob);
 152
 153         }
 154         return kpasswdd_make_error_reply(kdc, mem_ctx, KRB5_KPASSWD_SUCCESS,
 155                                         "Password changed",
 156                                         error_blob);
 157 }
 158
 159 /*
 160    A user password change
 161
 162    Return true if there is a valid error packet (or sucess) formed in
 163    the error_blob
 164 */
 165 static BOOL kpasswdd_change_password(struct kdc_server *kdc,
 166                                      TALLOC_CTX *mem_ctx,
 167                                      struct auth_session_info *session_info,
 168                                      const char *password,
 169                                      DATA_BLOB *reply)
 170 {
 171         NTSTATUS status;
 172         enum samr_RejectReason reject_reason;
 173         struct samr_DomInfo1 *dominfo;
 174         struct ldb_context *samdb;
 175
 176         samdb = samdb_connect(mem_ctx, system_session(mem_ctx));
 177         if (!samdb) {
 178                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 179                                                 KRB5_KPASSWD_HARDERROR,
 180                                                 "Failed to open samdb",
 181                                                 reply);
 182         }
 183
 184         DEBUG(3, ("Changing password of %s\\%s (%s)\n",
 185                   session_info->server_info->domain_name,
 186                   session_info->server_info->account_name,
 187                   dom_sid_string(mem_ctx, session_info->security_token->user_sid)));
 188
 189         /* User password change */
 190         status = samdb_set_password_sid(samdb, mem_ctx,
 191                                         session_info->security_token->user_sid,
 192                                         password, NULL, NULL,
 193                                         True, /* this is a user password change */
 194                                         True, /* run restriction tests */
 195                                         &reject_reason,
 196                                         &dominfo);
 197         return kpasswd_make_pwchange_reply(kdc, mem_ctx,
 198                                            status,
 199                                            reject_reason,
 200                                            dominfo,
 201                                            reply);
 202
 203 }
 204
 205 static BOOL kpasswd_process_request(struct kdc_server *kdc,
 206                                     TALLOC_CTX *mem_ctx,
 207                                     struct gensec_security *gensec_security,
 208                                     uint16_t version,
 209                                     DATA_BLOB *input,
 210                                     DATA_BLOB *reply)
 211 {
 212         struct auth_session_info *session_info;
 213         if (!NT_STATUS_IS_OK(gensec_session_info(gensec_security,
 214                                                  &session_info))) {
 215                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 216                                                 KRB5_KPASSWD_HARDERROR,
 217                                                 "gensec_session_info failed!",
 218                                                 reply);
 219         }
 220
 221         switch (version) {
 222         case KRB5_KPASSWD_VERS_CHANGEPW:
 223         {
 224                 char *password = talloc_strndup(mem_ctx, (const char *)input->data, input->length);
 225                 if (!password) {
 226                         return False;
 227                 }
 228                 return kpasswdd_change_password(kdc, mem_ctx, session_info,
 229                                                 password, reply);
 230                 break;
 231         }
 232         case KRB5_KPASSWD_VERS_SETPW:
 233         {
 234                 NTSTATUS status;
 235                 enum samr_RejectReason reject_reason;
 236                 struct samr_DomInfo1 *dominfo;
 237                 struct ldb_context *samdb;
 238                 struct ldb_message *msg;
 239                 krb5_context context = kdc->smb_krb5_context->krb5_context;
 240
 241                 ChangePasswdDataMS chpw;
 242                 char *password;
 243
 244                 krb5_principal principal;
 245                 char *set_password_on_princ;
 246                 struct ldb_dn *set_password_on_dn;
 247
 248                 size_t len;
 249                 int ret;
 250
 251                 msg = ldb_msg_new(mem_ctx);
 252                 if (!msg) {
 253                         return False;
 254                 }
 255
 256                 ret = decode_ChangePasswdDataMS(input->data, input->length,
 257                                                 &chpw, &len);
 258                 if (ret) {
 259                         return kpasswdd_make_error_reply(kdc, mem_ctx,
 260                                                         KRB5_KPASSWD_MALFORMED,
 261                                                         "failed to decode password change structure",
 262                                                         reply);
 263                 }
 264
 265                 password = talloc_strndup(mem_ctx, chpw.newpasswd.data,
 266                                           chpw.newpasswd.length);
 267                 if (!password) {
 268                         free_ChangePasswdDataMS(&chpw);
 269                         return False;
 270                 }
 271                 if ((chpw.targname && !chpw.targrealm)
 272                     || (!chpw.targname && chpw.targrealm)) {
 273                         return kpasswdd_make_error_reply(kdc, mem_ctx,
 274                                                         KRB5_KPASSWD_MALFORMED,
 275                                                         "Realm and principal must be both present, or neither present",
 276                                                         reply);
 277                 }
 278                 if (chpw.targname && chpw.targrealm) {
 279                         if (_krb5_principalname2krb5_principal(&principal, *chpw.targname,
 280                                                                *chpw.targrealm) != 0) {
 281                                 free_ChangePasswdDataMS(&chpw);
 282                                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 283                                                                 KRB5_KPASSWD_MALFORMED,
 284                                                                 "failed to extract principal to set",
 285                                                                 reply);
 286
 287                         }
 288                 } else {
 289                         free_ChangePasswdDataMS(&chpw);
 290                         return kpasswdd_change_password(kdc, mem_ctx, session_info,
 291                                                         password, reply);
 292                 }
 293                 free_ChangePasswdDataMS(&chpw);
 294
 295                 if (krb5_unparse_name(context, principal, &set_password_on_princ) != 0) {
 296                         krb5_free_principal(context, principal);
 297                         return kpasswdd_make_error_reply(kdc, mem_ctx,
 298                                                         KRB5_KPASSWD_MALFORMED,
 299                                                         "krb5_unparse_name failed!",
 300                                                         reply);
 301                 }
 302
 303                 krb5_free_principal(context, principal);
 304
 305                 samdb = samdb_connect(mem_ctx, session_info);
 306                 if (!samdb) {
 307                         return kpasswdd_make_error_reply(kdc, mem_ctx,
 308                                                          KRB5_KPASSWD_HARDERROR,
 309                                                          "Unable to open database!",
 310                                                          reply);
 311                 }
 312
 313                 DEBUG(3, ("%s\\%s (%s) is changing password of %s\n",
 314                           session_info->server_info->domain_name,
 315                           session_info->server_info->account_name,
 316                           dom_sid_string(mem_ctx, session_info->security_token->user_sid),
 317                           set_password_on_princ));
 318                 ret = ldb_transaction_start(samdb);
 319                 if (ret) {
 320                         status = NT_STATUS_TRANSACTION_ABORTED;
 321                         return kpasswd_make_pwchange_reply(kdc, mem_ctx,
 322                                                            status,
 323                                                            reject_reason,
 324                                                            dominfo,
 325                                                            reply);
 326                 }
 327
 328                 status = crack_user_principal_name(samdb, mem_ctx,
 329                                                    set_password_on_princ,
 330                                                    &set_password_on_dn, NULL);
 331                 free(set_password_on_princ);
 332                 if (!NT_STATUS_IS_OK(status)) {
 333                         ldb_transaction_cancel(samdb);
 334                         return kpasswd_make_pwchange_reply(kdc, mem_ctx,
 335                                                            status,
 336                                                            reject_reason,
 337                                                            dominfo,
 338                                                            reply);
 339                 }
 340
 341                 msg = ldb_msg_new(mem_ctx);
 342                 if (msg == NULL) {
 343                         ldb_transaction_cancel(samdb);
 344                         status = NT_STATUS_NO_MEMORY;
 345                 } else {
 346                         msg->dn = ldb_dn_copy(msg, set_password_on_dn);
 347                         if (!msg->dn) {
 348                                 status = NT_STATUS_NO_MEMORY;
 349                         }
 350                 }
 351
 352                 if (NT_STATUS_IS_OK(status)) {
 353                         /* Admin password set */
 354                         status = samdb_set_password(samdb, mem_ctx,
 355                                                     set_password_on_dn, NULL,
 356                                                     msg, password, NULL, NULL,
 357                                                     False, /* this is not a user password change */
 358                                                     True, /* run restriction tests */
 359                                                     &reject_reason, &dominfo);
 360                 }
 361
 362                 if (NT_STATUS_IS_OK(status)) {
 363                         /* modify the samdb record */
 364                         ret = samdb_replace(samdb, mem_ctx, msg);
 365                         if (ret != 0) {
 366                                 DEBUG(2,("Failed to modify record to set password on %s: %s\n",
 367                                          ldb_dn_linearize(mem_ctx, msg->dn),
 368                                          ldb_errstring(samdb)));
 369                                 status = NT_STATUS_ACCESS_DENIED;
 370                         }
 371                 }
 372                 if (NT_STATUS_IS_OK(status)) {
 373                         ret = ldb_transaction_commit(samdb);
 374                         if (ret != 0) {
 375                                 DEBUG(1,("Failed to commit transaction to set password on %s: %s\n",
 376                                          ldb_dn_linearize(mem_ctx, msg->dn),
 377                                          ldb_errstring(samdb)));
 378                                 status = NT_STATUS_TRANSACTION_ABORTED;
 379                         }
 380                 } else {
 381                         ldb_transaction_cancel(samdb);
 382                 }
 383                 return kpasswd_make_pwchange_reply(kdc, mem_ctx,
 384                                                    status,
 385                                                    reject_reason,
 386                                                    dominfo,
 387                                                    reply);
 388         }
 389         default:
 390                 return kpasswdd_make_error_reply(kdc, mem_ctx,
 391                                                  KRB5_KPASSWD_BAD_VERSION,
 392                                                  talloc_asprintf(mem_ctx,
 393                                                                  "Protocol version %u not supported",
 394                                                                  version),
 395                                                  reply);
 396         }
 397         return True;
 398 }
 399
 400 BOOL kpasswdd_process(struct kdc_server *kdc,
 401                       TALLOC_CTX *mem_ctx,
 402                       DATA_BLOB *input,
 403                       DATA_BLOB *reply,
 404                       struct socket_address *peer_addr,
 405                       struct socket_address *my_addr)
 406 {
 407         BOOL ret;
 408         const uint16_t header_len = 6;
 409         uint16_t len;
 410         uint16_t ap_req_len;
 411         uint16_t krb_priv_len;
 412         uint16_t version;
 413         NTSTATUS nt_status;
 414         DATA_BLOB ap_req, krb_priv_req, krb_priv_rep, ap_rep;
 415         DATA_BLOB kpasswd_req, kpasswd_rep;
 416         struct cli_credentials *server_credentials;
 417         struct gensec_security *gensec_security;
 418         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 419
 420         if (!tmp_ctx) {
 421                 return False;
 422         }
 423
 424         /* Be parinoid.  We need to ensure we don't just let the
 425          * caller lead us into a buffer overflow */
 426         if (input->length <= header_len) {
 427                 talloc_free(tmp_ctx);
 428                 return False;
 429         }
 430
 431         len = RSVAL(input->data, 0);
 432         if (input->length != len) {
 433                 talloc_free(tmp_ctx);
 434                 return False;
 435         }
 436
 437         /* There are two different versions of this protocol so far,
 438          * plus others in the standards pipe.  Fortunetly they all
 439          * take a very similar framing */
 440         version = RSVAL(input->data, 2);
 441         ap_req_len = RSVAL(input->data, 4);
 442         if ((ap_req_len >= len) || (ap_req_len + header_len) >= len) {
 443                 talloc_free(tmp_ctx);
 444                 return False;
 445         }
 446
 447         krb_priv_len = len - ap_req_len;
 448         ap_req = data_blob_const(&input->data[header_len], ap_req_len);
 449         krb_priv_req = data_blob_const(&input->data[header_len + ap_req_len], krb_priv_len);
 450
 451         nt_status = gensec_server_start(tmp_ctx, &gensec_security, kdc->task->event_ctx);
 452         if (!NT_STATUS_IS_OK(nt_status)) {
 453                 talloc_free(tmp_ctx);
 454                 return False;
 455         }
 456
 457         server_credentials
 458                 = cli_credentials_init(tmp_ctx);
 459         if (!server_credentials) {
 460                 DEBUG(1, ("Failed to init server credentials\n"));
 461                 return False;
 462         }
 463
 464         /* We want the credentials subsystem to use the krb5 context
 465          * we already have, rather than a new context */
 466         cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context);
 467         cli_credentials_set_conf(server_credentials);
 468         nt_status = cli_credentials_set_stored_principal(server_credentials, "kadmin/changepw");
 469         if (!NT_STATUS_IS_OK(nt_status)) {
 470                 ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
 471                                                        KRB5_KPASSWD_HARDERROR,
 472                                                        talloc_asprintf(mem_ctx,
 473                                                                        "Failed to obtain server credentials for kadmin/changepw: %s\n",
 474                                                                        nt_errstr(nt_status)),
 475                                                        &krb_priv_rep);
 476                 ap_rep.length = 0;
 477                 if (ret) {
 478                         goto reply;
 479                 }
 480                 talloc_free(tmp_ctx);
 481                 return ret;
 482         }
 483
 484         nt_status = gensec_set_credentials(gensec_security, server_credentials);
 485         if (!NT_STATUS_IS_OK(nt_status)) {
 486                 talloc_free(tmp_ctx);
 487                 return False;
 488         }
 489
 490         /* The kerberos PRIV packets include these addresses.  MIT
 491          * clients check that they are present */
 492         nt_status = gensec_set_peer_addr(gensec_security, peer_addr);
 493         if (!NT_STATUS_IS_OK(nt_status)) {
 494                 talloc_free(tmp_ctx);
 495                 return False;
 496         }
 497         nt_status = gensec_set_my_addr(gensec_security, my_addr);
 498         if (!NT_STATUS_IS_OK(nt_status)) {
 499                 talloc_free(tmp_ctx);
 500                 return False;
 501         }
 502
 503         /* We want the GENSEC wrap calls to generate PRIV tokens */
 504         gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
 505
 506         nt_status = gensec_start_mech_by_name(gensec_security, "krb5");
 507         if (!NT_STATUS_IS_OK(nt_status)) {
 508                 talloc_free(tmp_ctx);
 509                 return False;
 510         }
 511
 512         /* Accept the AP-REQ and generate teh AP-REP we need for the reply */
 513         nt_status = gensec_update(gensec_security, tmp_ctx, ap_req, &ap_rep);
 514         if (!NT_STATUS_IS_OK(nt_status) && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 515
 516                 ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
 517                                                        KRB5_KPASSWD_HARDERROR,
 518                                                        talloc_asprintf(mem_ctx,
 519                                                                        "gensec_update failed: %s",
 520                                                                        nt_errstr(nt_status)),
 521                                                        &krb_priv_rep);
 522                 ap_rep.length = 0;
 523                 if (ret) {
 524                         goto reply;
 525                 }
 526                 talloc_free(tmp_ctx);
 527                 return ret;
 528         }
 529
 530         /* Extract the data from the KRB-PRIV half of the message */
 531         nt_status = gensec_unwrap(gensec_security, tmp_ctx, &krb_priv_req, &kpasswd_req);
 532         if (!NT_STATUS_IS_OK(nt_status)) {
 533                 ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
 534                                                        KRB5_KPASSWD_HARDERROR,
 535                                                        talloc_asprintf(mem_ctx,
 536                                                                        "gensec_unwrap failed: %s",
 537                                                                        nt_errstr(nt_status)),
 538                                                        &krb_priv_rep);
 539                 ap_rep.length = 0;
 540                 if (ret) {
 541                         goto reply;
 542                 }
 543                 talloc_free(tmp_ctx);
 544                 return ret;
 545         }
 546
 547         /* Figure out something to do with it (probably changing a password...) */
 548         ret = kpasswd_process_request(kdc, tmp_ctx,
 549                                       gensec_security,
 550                                       version,
 551                                       &kpasswd_req, &kpasswd_rep);
 552         if (!ret) {
 553                 /* Argh! */
 554                 return False;
 555         }
 556
 557         /* And wrap up the reply: This ensures that the error message
 558          * or success can be verified by the client */
 559         nt_status = gensec_wrap(gensec_security, tmp_ctx,
 560                                 &kpasswd_rep, &krb_priv_rep);
 561         if (!NT_STATUS_IS_OK(nt_status)) {
 562                 ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
 563                                                        KRB5_KPASSWD_HARDERROR,
 564                                                        talloc_asprintf(mem_ctx,
 565                                                                        "gensec_wrap failed: %s",
 566                                                                        nt_errstr(nt_status)),
 567                                                        &krb_priv_rep);
 568                 ap_rep.length = 0;
 569                 if (ret) {
 570                         goto reply;
 571                 }
 572                 talloc_free(tmp_ctx);
 573                 return ret;
 574         }
 575
 576 reply:
 577         *reply = data_blob_talloc(mem_ctx, NULL, krb_priv_rep.length + ap_rep.length + header_len);
 578         if (!reply->data) {
 579                 return False;
 580         }
 581
 582         RSSVAL(reply->data, 0, reply->length);
 583         RSSVAL(reply->data, 2, 1); /* This is a version 1 reply, MS change/set or otherwise */
 584         RSSVAL(reply->data, 4, ap_rep.length);
 585         memcpy(reply->data + header_len,
 586                ap_rep.data,
 587                ap_rep.length);
 588         memcpy(reply->data + header_len + ap_rep.length,
 589                krb_priv_rep.data,
 590                krb_priv_rep.length);
 591
 592         talloc_free(tmp_ctx);
 593         return ret;
 594 }
 595