2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2008
7 Copyright (C) Andrew Tridgell 2005
8 Copyright (C) Stefan Metzmacher 2005
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "smbd/process_model.h"
26 #include "lib/tsocket/tsocket.h"
27 #include "lib/messaging/irpc.h"
28 #include "librpc/gen_ndr/ndr_irpc.h"
29 #include "librpc/gen_ndr/ndr_krb5pac.h"
30 #include "lib/socket/netif.h"
31 #include "param/param.h"
32 #include "kdc/kdc-server.h"
33 #include "kdc/kdc-proxy.h"
34 #include "kdc/kdc-glue.h"
35 #include "kdc/pac-glue.h"
36 #include "dsdb/samdb/samdb.h"
37 #include "auth/session.h"
38 #include "libds/common/roles.h"
42 NTSTATUS server_service_kdc_init(void);
44 extern struct krb5plugin_windc_ftable windc_plugin_table;
47 Wrapper for krb5_kdc_process_krb5_request, converting to/from Samba
51 static kdc_code kdc_process(struct kdc_server *kdc,
55 struct tsocket_address *peer_addr,
56 struct tsocket_address *my_addr,
61 struct sockaddr_storage ss;
63 krb5_kdc_configuration *kdc_config =
64 (krb5_kdc_configuration *)kdc->private_data;
66 krb5_data_zero(&k5_reply);
68 krb5_kdc_update_time(NULL);
70 ret = tsocket_address_bsd_sockaddr(peer_addr, (struct sockaddr *) &ss,
71 sizeof(struct sockaddr_storage));
75 pa = tsocket_address_string(peer_addr, mem_ctx);
80 DEBUG(10,("Received KDC packet of length %lu from %s\n",
81 (long)input->length - 4, pa));
83 ret = krb5_kdc_process_krb5_request(kdc->smb_krb5_context->krb5_context,
85 input->data, input->length,
88 (struct sockaddr *) &ss,
91 *reply = data_blob(NULL, 0);
95 if (ret == HDB_ERR_NOT_FOUND_HERE) {
96 *reply = data_blob(NULL, 0);
97 return KDC_PROXY_REQUEST;
100 if (k5_reply.length) {
101 *reply = data_blob_talloc(mem_ctx, k5_reply.data, k5_reply.length);
102 krb5_data_free(&k5_reply);
104 *reply = data_blob(NULL, 0);
110 setup our listening sockets on the configured network interfaces
112 static NTSTATUS kdc_startup_interfaces(struct kdc_server *kdc, struct loadparm_context *lp_ctx,
113 struct interface *ifaces)
115 const struct model_ops *model_ops;
117 TALLOC_CTX *tmp_ctx = talloc_new(kdc);
120 uint16_t kdc_port = lpcfg_krb5_port(lp_ctx);
121 uint16_t kpasswd_port = lpcfg_kpasswd_port(lp_ctx);
122 bool done_wildcard = false;
124 /* within the kdc task we want to be a single process, so
125 ask for the single process model ops and pass these to the
126 stream_setup_socket() call. */
127 model_ops = process_model_startup("single");
129 DEBUG(0,("Can't find 'single' process model_ops\n"));
130 return NT_STATUS_INTERNAL_ERROR;
133 num_interfaces = iface_list_count(ifaces);
135 /* if we are allowing incoming packets from any address, then
136 we need to bind to the wildcard address */
137 if (!lpcfg_bind_interfaces_only(lp_ctx)) {
139 char **wcard = iface_list_wildcard(kdc);
140 NT_STATUS_HAVE_NO_MEMORY(wcard);
141 for (i=0; wcard[i]; i++) {
143 status = kdc_add_socket(kdc, model_ops,
144 "kdc", wcard[i], kdc_port,
146 if (NT_STATUS_IS_OK(status)) {
152 status = kdc_add_socket(kdc, model_ops,
153 "kpasswd", wcard[i], kpasswd_port,
154 kpasswdd_process, false);
155 if (NT_STATUS_IS_OK(status)) {
161 if (num_binds == 0) {
162 return NT_STATUS_INVALID_PARAMETER_MIX;
164 done_wildcard = true;
167 for (i=0; i<num_interfaces; i++) {
168 const char *address = talloc_strdup(tmp_ctx, iface_list_n_ip(ifaces, i));
171 status = kdc_add_socket(kdc, model_ops,
172 "kdc", address, kdc_port,
173 kdc_process, done_wildcard);
174 NT_STATUS_NOT_OK_RETURN(status);
178 status = kdc_add_socket(kdc, model_ops,
179 "kpasswd", address, kpasswd_port,
180 kpasswdd_process, done_wildcard);
181 NT_STATUS_NOT_OK_RETURN(status);
185 talloc_free(tmp_ctx);
190 static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg,
191 struct kdc_check_generic_kerberos *r)
193 struct PAC_Validate pac_validate;
195 struct PAC_SIGNATURE_DATA kdc_sig;
196 struct kdc_server *kdc = talloc_get_type(msg->private_data, struct kdc_server);
197 krb5_kdc_configuration *kdc_config =
198 (krb5_kdc_configuration *)kdc->private_data;
199 enum ndr_err_code ndr_err;
202 krb5_principal principal;
205 /* There is no reply to this request */
206 r->out.generic_reply = data_blob(NULL, 0);
208 ndr_err = ndr_pull_struct_blob(&r->in.generic_request, msg, &pac_validate,
209 (ndr_pull_flags_fn_t)ndr_pull_PAC_Validate);
210 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
211 return NT_STATUS_INVALID_PARAMETER;
214 if (pac_validate.MessageType != NETLOGON_GENERIC_KRB5_PAC_VALIDATE) {
215 /* We don't implement any other message types - such as certificate validation - yet */
216 return NT_STATUS_INVALID_PARAMETER;
219 if (pac_validate.ChecksumAndSignature.length != (pac_validate.ChecksumLength + pac_validate.SignatureLength)
220 || pac_validate.ChecksumAndSignature.length < pac_validate.ChecksumLength
221 || pac_validate.ChecksumAndSignature.length < pac_validate.SignatureLength ) {
222 return NT_STATUS_INVALID_PARAMETER;
225 srv_sig = data_blob_const(pac_validate.ChecksumAndSignature.data,
226 pac_validate.ChecksumLength);
228 ret = krb5_make_principal(kdc->smb_krb5_context->krb5_context, &principal,
229 lpcfg_realm(kdc->task->lp_ctx),
230 "krbtgt", lpcfg_realm(kdc->task->lp_ctx),
234 return NT_STATUS_NO_MEMORY;
237 ret = kdc_config->db[0]->hdb_fetch_kvno(kdc->smb_krb5_context->krb5_context,
240 HDB_F_GET_KRBTGT | HDB_F_DECRYPT,
245 hdb_free_entry(kdc->smb_krb5_context->krb5_context, &ent);
246 krb5_free_principal(kdc->smb_krb5_context->krb5_context, principal);
248 return NT_STATUS_LOGON_FAILURE;
251 kdc_sig.type = pac_validate.SignatureType;
252 kdc_sig.signature = data_blob_const(&pac_validate.ChecksumAndSignature.data[pac_validate.ChecksumLength],
253 pac_validate.SignatureLength);
255 ret = kdc_check_pac(kdc->smb_krb5_context->krb5_context, srv_sig, &kdc_sig, &ent);
257 hdb_free_entry(kdc->smb_krb5_context->krb5_context, &ent);
258 krb5_free_principal(kdc->smb_krb5_context->krb5_context, principal);
261 return NT_STATUS_LOGON_FAILURE;
271 static void kdc_task_init(struct task_server *task)
273 struct kdc_server *kdc;
274 krb5_kdc_configuration *kdc_config = NULL;
277 struct interface *ifaces;
280 switch (lpcfg_server_role(task->lp_ctx)) {
281 case ROLE_STANDALONE:
282 task_server_terminate(task, "kdc: no KDC required in standalone configuration", false);
284 case ROLE_DOMAIN_MEMBER:
285 task_server_terminate(task, "kdc: no KDC required in member server configuration", false);
287 case ROLE_DOMAIN_PDC:
288 case ROLE_DOMAIN_BDC:
289 task_server_terminate(task, "Cannot start KDC as a 'classic Samba' DC", true);
291 case ROLE_ACTIVE_DIRECTORY_DC:
292 /* Yes, we want a KDC */
296 load_interface_list(task, task->lp_ctx, &ifaces);
298 if (iface_list_count(ifaces) == 0) {
299 task_server_terminate(task, "kdc: no network interfaces configured", false);
303 task_server_set_title(task, "task[kdc]");
305 kdc = talloc_zero(task, struct kdc_server);
307 task_server_terminate(task, "kdc: out of memory", true);
314 /* get a samdb connection */
315 kdc->samdb = samdb_connect(kdc, kdc->task->event_ctx, kdc->task->lp_ctx,
316 system_session(kdc->task->lp_ctx), 0);
318 DEBUG(1,("kdc_task_init: unable to connect to samdb\n"));
319 task_server_terminate(task, "kdc: krb5_init_context samdb connect failed", true);
323 ldb_ret = samdb_rodc(kdc->samdb, &kdc->am_rodc);
324 if (ldb_ret != LDB_SUCCESS) {
325 DEBUG(1, ("kdc_task_init: Cannot determine if we are an RODC: %s\n",
326 ldb_errstring(kdc->samdb)));
327 task_server_terminate(task, "kdc: krb5_init_context samdb RODC connect failed", true);
331 kdc->proxy_timeout = lpcfg_parm_int(kdc->task->lp_ctx, NULL, "kdc", "proxy timeout", 5);
333 initialize_krb5_error_table();
335 ret = smb_krb5_init_context(kdc, task->lp_ctx, &kdc->smb_krb5_context);
337 DEBUG(1,("kdc_task_init: krb5_init_context failed (%s)\n",
338 error_message(ret)));
339 task_server_terminate(task, "kdc: krb5_init_context failed", true);
343 krb5_add_et_list(kdc->smb_krb5_context->krb5_context, initialize_hdb_error_table_r);
345 ret = krb5_kdc_get_config(kdc->smb_krb5_context->krb5_context,
348 task_server_terminate(task, "kdc: failed to get KDC configuration", true);
352 kdc_config->logf = (krb5_log_facility *)kdc->smb_krb5_context->pvt_log_data;
353 kdc_config->db = talloc(kdc, struct HDB *);
354 if (!kdc_config->db) {
355 task_server_terminate(task, "kdc: out of memory", true);
358 kdc_config->num_db = 1;
361 * This restores the behavior before
362 * commit 255e3e18e00f717d99f3bc57c8a8895ff624f3c3
363 * s4:heimdal: import lorikeet-heimdal-201107150856
364 * (commit 48936803fae4a2fb362c79365d31f420c917b85b)
366 * as_use_strongest_session_key,preauth_use_strongest_session_key
367 * and tgs_use_strongest_session_key are input to the
368 * _kdc_find_etype() function. The old bahavior is in
369 * the use_strongest_session_key=FALSE code path.
370 * (The only remaining difference in _kdc_find_etype()
371 * is the is_preauth parameter.)
373 * The old behavior in the _kdc_get_preferred_key()
374 * function is use_strongest_server_key=TRUE.
376 kdc_config->as_use_strongest_session_key = false;
377 kdc_config->preauth_use_strongest_session_key = false;
378 kdc_config->tgs_use_strongest_session_key = false;
379 kdc_config->use_strongest_server_key = true;
381 /* Register hdb-samba4 hooks for use as a keytab */
383 kdc->base_ctx = talloc_zero(kdc, struct samba_kdc_base_context);
384 if (!kdc->base_ctx) {
385 task_server_terminate(task, "kdc: out of memory", true);
389 kdc->base_ctx->ev_ctx = task->event_ctx;
390 kdc->base_ctx->lp_ctx = task->lp_ctx;
392 status = hdb_samba4_create_kdc(kdc->base_ctx,
393 kdc->smb_krb5_context->krb5_context,
395 if (!NT_STATUS_IS_OK(status)) {
396 task_server_terminate(task, "kdc: hdb_samba4_create_kdc (setup KDC database) failed", true);
400 ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
401 PLUGIN_TYPE_DATA, "hdb",
402 &hdb_samba4_interface);
404 task_server_terminate(task, "kdc: failed to register hdb plugin", true);
408 ret = krb5_kt_register(kdc->smb_krb5_context->krb5_context, &hdb_kt_ops);
410 task_server_terminate(task, "kdc: failed to register keytab plugin", true);
414 /* Register WinDC hooks */
415 ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
416 PLUGIN_TYPE_DATA, "windc",
417 &windc_plugin_table);
419 task_server_terminate(task, "kdc: failed to register windc plugin", true);
423 ret = krb5_kdc_windc_init(kdc->smb_krb5_context->krb5_context);
426 task_server_terminate(task, "kdc: failed to init windc plugin", true);
430 ret = krb5_kdc_pkinit_config(kdc->smb_krb5_context->krb5_context, kdc_config);
433 task_server_terminate(task, "kdc: failed to init kdc pkinit subsystem", true);
436 kdc->private_data = kdc_config;
438 /* start listening on the configured network interfaces */
439 status = kdc_startup_interfaces(kdc, task->lp_ctx, ifaces);
440 if (!NT_STATUS_IS_OK(status)) {
441 task_server_terminate(task, "kdc failed to setup interfaces", true);
445 status = IRPC_REGISTER(task->msg_ctx, irpc, KDC_CHECK_GENERIC_KERBEROS,
446 kdc_check_generic_kerberos, kdc);
447 if (!NT_STATUS_IS_OK(status)) {
448 task_server_terminate(task, "kdc failed to setup monitoring", true);
452 irpc_add_name(task->msg_ctx, "kdc_server");
456 /* called at smbd startup - register ourselves as a server service */
457 NTSTATUS server_service_kdc_init(void)
459 return register_server_service("kdc", kdc_task_init);