source4/kdc/pac-glue.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    PAC Glue between Samba and the KDC
   5
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24 #include "kdc/kdc.h"
  25 #include "dsdb/common/flags.h"
  26 #include "lib/ldb/include/ldb.h"
  27 #include "librpc/gen_ndr/ndr_krb5pac.h"
  28 #include "librpc/gen_ndr/krb5pac.h"
  29 #include "auth/auth.h"
  30 #include "auth/auth_sam.h"
  31 #include "auth/auth_sam_reply.h"
  32 #include "param/param.h"
  33
  34 struct krb5_dh_moduli;
  35 struct _krb5_krb_auth_data;
  36
  37 krb5_error_code samba_kdc_plugin_init(krb5_context context, void **ptr)
  38 {
  39         *ptr = NULL;
  40         return 0;
  41 }
  42
  43 void    samba_kdc_plugin_fini(void *ptr)
  44 {
  45         return;
  46 }
  47
  48 static krb5_error_code make_pac(krb5_context context,
  49                                 TALLOC_CTX *mem_ctx,
  50                                 struct auth_serversupplied_info *server_info,
  51                                 krb5_pac *pac)
  52 {
  53         struct PAC_LOGON_INFO_CTR logon_info;
  54         struct netr_SamInfo3 *info3;
  55         krb5_data pac_data;
  56         NTSTATUS nt_status;
  57         enum ndr_err_code ndr_err;
  58         DATA_BLOB pac_out;
  59         krb5_error_code ret;
  60
  61         ZERO_STRUCT(logon_info);
  62
  63         nt_status = auth_convert_server_info_saminfo3(mem_ctx, server_info, &info3);
  64         if (!NT_STATUS_IS_OK(nt_status)) {
  65                 DEBUG(1, ("Getting Samba info failed: %s\n", nt_errstr(nt_status)));
  66                 return EINVAL;
  67         }
  68
  69         logon_info.info = talloc_zero(mem_ctx, struct PAC_LOGON_INFO);
  70         if (!mem_ctx) {
  71                 return ENOMEM;
  72         }
  73
  74         logon_info.info->info3 = *info3;
  75
  76         ndr_err = ndr_push_struct_blob(&pac_out, mem_ctx, lp_iconv_convenience(global_loadparm), &logon_info,
  77                                        (ndr_push_flags_fn_t)ndr_push_PAC_LOGON_INFO_CTR);
  78         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
  79                 nt_status = ndr_map_error2ntstatus(ndr_err);
  80                 DEBUG(1, ("PAC (presig) push failed: %s\n", nt_errstr(nt_status)));
  81                 return EINVAL;
  82         }
  83
  84         ret = krb5_data_copy(&pac_data, pac_out.data, pac_out.length);
  85         if (ret != 0) {
  86                 return ret;
  87         }
  88
  89         ret = krb5_pac_init(context, pac);
  90         if (ret != 0) {
  91                 krb5_data_free(&pac_data);
  92                 return ret;
  93         }
  94
  95         ret = krb5_pac_add_buffer(context, *pac, PAC_TYPE_LOGON_INFO, &pac_data);
  96         krb5_data_free(&pac_data);
  97         if (ret != 0) {
  98                 return ret;
  99         }
 100
 101         return ret;
 102 }
 103
 104 /* Given the right private pointer from hdb_ldb, get a PAC from the attached ldb messages */
 105 krb5_error_code samba_kdc_get_pac(void *priv,
 106                                   krb5_context context,
 107                                   struct hdb_entry_ex *client,
 108                                   krb5_pac *pac)
 109 {
 110         krb5_error_code ret;
 111         NTSTATUS nt_status;
 112         struct auth_serversupplied_info *server_info;
 113         struct hdb_ldb_private *private = talloc_get_type(client->ctx, struct hdb_ldb_private);
 114         TALLOC_CTX *mem_ctx = talloc_named(private, 0, "samba_get_pac context");
 115         unsigned int userAccountControl;
 116
 117         if (!mem_ctx) {
 118                 return ENOMEM;
 119         }
 120
 121         /* The user account may be set not to want the PAC */
 122         userAccountControl = ldb_msg_find_attr_as_uint(private->msg, "userAccountControl", 0);
 123         if (userAccountControl & UF_NO_AUTH_DATA_REQUIRED) {
 124                 *pac = NULL;
 125                 return 0;
 126         }
 127
 128         nt_status = authsam_make_server_info(mem_ctx, private->samdb,
 129                                              lp_netbios_name(global_loadparm),
 130                                              private->msg,
 131                                              private->realm_ref_msg,
 132                                              data_blob(NULL, 0),
 133                                              data_blob(NULL, 0),
 134                                              &server_info);
 135         if (!NT_STATUS_IS_OK(nt_status)) {
 136                 DEBUG(0, ("Getting user info for PAC failed: %s\n",
 137                           nt_errstr(nt_status)));
 138                 return ENOMEM;
 139         }
 140
 141         ret = make_pac(context, mem_ctx, server_info, pac);
 142
 143         talloc_free(mem_ctx);
 144         return ret;
 145 }
 146
 147 /* Resign (and reform, including possibly new groups) a PAC */
 148
 149 krb5_error_code samba_kdc_reget_pac(void *priv, krb5_context context,
 150                                 const krb5_principal client_principal,
 151                                 struct hdb_entry_ex *client,
 152                                 struct hdb_entry_ex *server, krb5_pac *pac)
 153 {
 154         NTSTATUS nt_status;
 155         enum ndr_err_code ndr_err;
 156         krb5_error_code ret;
 157
 158         unsigned int userAccountControl;
 159
 160         struct hdb_ldb_private *private = talloc_get_type(server->ctx, struct hdb_ldb_private);
 161         krb5_data k5pac_in;
 162         DATA_BLOB pac_in;
 163
 164         struct PAC_LOGON_INFO_CTR logon_info;
 165         union netr_Validation validation;
 166         struct auth_serversupplied_info *server_info_out;
 167
 168         TALLOC_CTX *mem_ctx = talloc_named(private, 0, "samba_get_pac context");
 169
 170         if (!mem_ctx) {
 171                 return ENOMEM;
 172         }
 173
 174         /* The service account may be set not to want the PAC */
 175         userAccountControl = ldb_msg_find_attr_as_uint(private->msg, "userAccountControl", 0);
 176         if (userAccountControl & UF_NO_AUTH_DATA_REQUIRED) {
 177                 *pac = NULL;
 178                 return 0;
 179         }
 180
 181         ret = krb5_pac_get_buffer(context, *pac, PAC_TYPE_LOGON_INFO, &k5pac_in);
 182         if (ret != 0) {
 183                 return ret;
 184         }
 185
 186         pac_in = data_blob_talloc(mem_ctx, k5pac_in.data, k5pac_in.length);
 187         krb5_data_free(&k5pac_in);
 188         if (!pac_in.data) {
 189                 talloc_free(mem_ctx);
 190                 return ENOMEM;
 191         }
 192
 193         ndr_err = ndr_pull_struct_blob(&pac_in, mem_ctx, &logon_info,
 194                                        (ndr_pull_flags_fn_t)ndr_pull_PAC_LOGON_INFO_CTR);
 195         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err) || !logon_info.info) {
 196                 nt_status = ndr_map_error2ntstatus(ndr_err);
 197                 DEBUG(0,("can't parse the PAC LOGON_INFO: %s\n", nt_errstr(nt_status)));
 198                 talloc_free(mem_ctx);
 199                 return EINVAL;
 200         }
 201
 202         /* Pull this right into the normal auth sysstem structures */
 203         validation.sam3 = &logon_info.info->info3;
 204         nt_status = make_server_info_netlogon_validation(mem_ctx,
 205                                                          "",
 206                                                          3, &validation,
 207                                                          &server_info_out);
 208         if (!NT_STATUS_IS_OK(nt_status)) {
 209                 talloc_free(mem_ctx);
 210                 return ENOMEM;
 211         }
 212
 213         /* We will compleatly regenerate this pac */
 214         krb5_pac_free(context, *pac);
 215
 216         ret = make_pac(context, mem_ctx, server_info_out, pac);
 217
 218         talloc_free(mem_ctx);
 219         return ret;
 220 }
 221
 222 /* Given an hdb entry (and in particular it's private member), consult
 223  * the account_ok routine in auth/auth_sam.c for consistancy */
 224
 225
 226 krb5_error_code samba_kdc_check_client_access(void *priv,
 227                                               krb5_context context, hdb_entry_ex *entry_ex,
 228                                               KDC_REQ *req)
 229 {
 230         krb5_error_code ret;
 231         NTSTATUS nt_status;
 232         TALLOC_CTX *tmp_ctx = talloc_new(entry_ex->ctx);
 233         struct hdb_ldb_private *private = talloc_get_type(entry_ex->ctx, struct hdb_ldb_private);
 234         char *name, *workstation = NULL;
 235         HostAddresses *addresses = req->req_body.addresses;
 236         int i;
 237
 238         if (!tmp_ctx) {
 239                 return ENOMEM;
 240         }
 241
 242         ret = krb5_unparse_name(context, entry_ex->entry.principal, &name);
 243         if (ret != 0) {
 244                 talloc_free(tmp_ctx);
 245                 return ret;
 246         }
 247
 248         if (addresses) {
 249                 for (i=0; i < addresses->len; i++) {
 250                         if (addresses->val->addr_type == KRB5_ADDRESS_NETBIOS) {
 251                                 workstation = talloc_strndup(tmp_ctx, addresses->val->address.data, MIN(addresses->val->address.length, 15));
 252                                 if (workstation) {
 253                                         break;
 254                                 }
 255                         }
 256                 }
 257         }
 258
 259         /* Strip space padding */
 260         if (workstation) {
 261                 i = MIN(strlen(workstation), 15);
 262                 for (; i > 0 && workstation[i - 1] == ' '; i--) {
 263                         workstation[i - 1] = '\0';
 264                 }
 265         }
 266
 267         nt_status = authsam_account_ok(tmp_ctx,
 268                                        private->samdb,
 269                                        MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
 270                                        private->msg,
 271                                        private->realm_ref_msg,
 272                                        workstation,
 273                                        name);
 274         free(name);
 275
 276         /* TODO:  Need a more complete mapping of NTSTATUS to krb5kdc errors */
 277
 278         if (!NT_STATUS_IS_OK(nt_status)) {
 279                 return KRB5KDC_ERR_POLICY;
 280         }
 281         return 0;
 282 }
 283