2 * Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd.
3 * Copyright (c) 2004-2009, Andrew Bartlett <abartlet@samba.org>.
4 * Copyright (c) 2004, Stefan Metzmacher <metze@samba.org>
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of PADL Software nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include "kdc/kdc-glue.h"
37 #include "kdc/db-glue.h"
38 #include "kdc/pac-glue.h"
39 #include "auth/auth_sam.h"
40 #include "auth/common_auth.h"
41 #include "auth/authn_policy.h"
45 #include "dsdb/samdb/samdb.h"
46 #include "param/param.h"
47 #include "../lib/tsocket/tsocket.h"
48 #include "librpc/gen_ndr/ndr_netlogon.h"
49 #include "librpc/gen_ndr/ndr_winbind_c.h"
50 #include "lib/messaging/irpc.h"
52 #include <kdc-audit.h>
53 #include <kdc-plugin.h>
56 #define DBGC_CLASS DBGC_KERBEROS
58 static krb5_error_code hdb_samba4_open(krb5_context context, HDB *db, int flags, mode_t mode)
60 if (db->hdb_master_key_set) {
61 krb5_error_code ret = HDB_ERR_NOENTRY;
62 krb5_warnx(context, "hdb_samba4_open: use of a master key incompatible with LDB\n");
63 krb5_set_error_message(context, ret, "hdb_samba4_open: use of a master key incompatible with LDB\n");
70 static krb5_error_code hdb_samba4_close(krb5_context context, HDB *db)
75 static krb5_error_code hdb_samba4_lock(krb5_context context, HDB *db, int operation)
80 static krb5_error_code hdb_samba4_unlock(krb5_context context, HDB *db)
85 static krb5_error_code hdb_samba4_rename(krb5_context context, HDB *db, const char *new_name)
87 return HDB_ERR_DB_INUSE;
90 static krb5_error_code hdb_samba4_store(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
92 return HDB_ERR_DB_INUSE;
96 * If we ever want kadmin to work fast, we might try and reopen the
99 static krb5_error_code hdb_samba4_set_sync(krb5_context context, struct HDB *db, int set_sync)
104 static void hdb_samba4_free_entry_context(krb5_context context, struct HDB *db, hdb_entry *entry)
107 * This function is now called for every HDB entry, not just those with
108 * 'context' set, so we have to check that the context is not NULL.
110 if (entry->context != NULL) {
111 struct samba_kdc_entry *skdc_entry =
112 talloc_get_type_abort(entry->context,
113 struct samba_kdc_entry);
115 /* this function is called only from hdb_free_entry().
116 * Make sure we neutralize the destructor or we will
117 * get a double free later when hdb_free_entry() will
118 * try to call free_hdb_entry() */
119 entry->context = NULL;
120 skdc_entry->kdc_entry = NULL;
121 TALLOC_FREE(skdc_entry);
125 static krb5_error_code hdb_samba4_fetch_fast_cookie(krb5_context context,
126 struct samba_kdc_db_context *kdc_db_ctx,
129 DBG_ERR("Looked up HDB entry for unsupported FX-COOKIE.\n");
130 return HDB_ERR_NOENTRY;
133 static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db,
134 krb5_const_principal principal,
139 struct samba_kdc_db_context *kdc_db_ctx;
140 struct sdb_entry sentry = {};
141 krb5_error_code code, ret;
144 kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
145 struct samba_kdc_db_context);
147 if (flags & HDB_F_GET_FAST_COOKIE) {
148 return hdb_samba4_fetch_fast_cookie(context,
153 sflags = (flags & SDB_F_HDB_MASK);
155 ret = samba_kdc_fetch(context,
165 case SDB_ERR_WRONG_REALM:
167 * If SDB_ERR_WRONG_REALM is returned we need to process the
168 * sdb_entry to fill the principal in the HDB entry.
170 code = HDB_ERR_WRONG_REALM;
172 case SDB_ERR_NOENTRY:
173 return HDB_ERR_NOENTRY;
174 case SDB_ERR_NOT_FOUND_HERE:
175 return HDB_ERR_NOT_FOUND_HERE;
180 ret = sdb_entry_to_hdb_entry(context, &sentry, entry);
181 sdb_entry_free(&sentry);
190 static krb5_error_code hdb_samba4_kpasswd_fetch_kvno(krb5_context context, HDB *db,
191 krb5_const_principal _principal,
196 struct samba_kdc_db_context *kdc_db_ctx = NULL;
198 krb5_principal kpasswd_principal = NULL;
200 kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
201 struct samba_kdc_db_context);
203 ret = smb_krb5_make_principal(context, &kpasswd_principal,
204 lpcfg_realm(kdc_db_ctx->lp_ctx),
205 "kadmin", "changepw",
210 smb_krb5_principal_set_type(context, kpasswd_principal, KRB5_NT_SRV_INST);
213 * For the kpasswd service, always ensure we get the latest kvno. This
214 * also means we (correctly) refuse RODC-issued tickets.
216 flags &= ~HDB_F_KVNO_SPECIFIED;
218 /* Don't bother looking up a client or krbtgt. */
219 flags &= ~(HDB_F_GET_CLIENT|HDB_F_GET_KRBTGT);
221 ret = hdb_samba4_fetch_kvno(context, db,
227 krb5_free_principal(context, kpasswd_principal);
231 static krb5_error_code hdb_samba4_firstkey(krb5_context context, HDB *db, unsigned flags,
234 struct samba_kdc_db_context *kdc_db_ctx;
235 struct sdb_entry sentry = {};
238 kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
239 struct samba_kdc_db_context);
241 ret = samba_kdc_firstkey(context, kdc_db_ctx, &sentry);
245 case SDB_ERR_WRONG_REALM:
246 return HDB_ERR_WRONG_REALM;
247 case SDB_ERR_NOENTRY:
248 return HDB_ERR_NOENTRY;
249 case SDB_ERR_NOT_FOUND_HERE:
250 return HDB_ERR_NOT_FOUND_HERE;
255 ret = sdb_entry_to_hdb_entry(context, &sentry, entry);
256 sdb_entry_free(&sentry);
260 static krb5_error_code hdb_samba4_nextkey(krb5_context context, HDB *db, unsigned flags,
263 struct samba_kdc_db_context *kdc_db_ctx;
264 struct sdb_entry sentry = {};
267 kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
268 struct samba_kdc_db_context);
270 ret = samba_kdc_nextkey(context, kdc_db_ctx, &sentry);
274 case SDB_ERR_WRONG_REALM:
275 return HDB_ERR_WRONG_REALM;
276 case SDB_ERR_NOENTRY:
277 return HDB_ERR_NOENTRY;
278 case SDB_ERR_NOT_FOUND_HERE:
279 return HDB_ERR_NOT_FOUND_HERE;
284 ret = sdb_entry_to_hdb_entry(context, &sentry, entry);
285 sdb_entry_free(&sentry);
289 static krb5_error_code hdb_samba4_nextkey_panic(krb5_context context, HDB *db,
293 DBG_ERR("Attempt to iterate kpasswd keytab => PANIC\n");
294 smb_panic("hdb_samba4_nextkey_panic: Attempt to iterate kpasswd keytab");
297 static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db)
303 static krb5_error_code
304 hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db,
306 krb5_const_principal target_principal)
308 struct samba_kdc_db_context *kdc_db_ctx = NULL;
309 struct samba_kdc_entry *skdc_entry = NULL;
311 kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
312 struct samba_kdc_db_context);
313 skdc_entry = talloc_get_type_abort(entry->context,
314 struct samba_kdc_entry);
316 return samba_kdc_check_s4u2proxy(context, kdc_db_ctx,
321 static krb5_error_code
322 hdb_samba4_check_rbcd(krb5_context context, HDB *db,
323 const hdb_entry *client_krbtgt,
324 const hdb_entry *client,
325 const hdb_entry *device_krbtgt,
326 const hdb_entry *device,
327 krb5_const_principal server_principal,
328 krb5_const_pac header_pac,
329 krb5_const_pac device_pac,
330 const hdb_entry *proxy)
332 struct samba_kdc_db_context *kdc_db_ctx = NULL;
333 struct samba_kdc_entry *client_skdc_entry = NULL;
334 const struct samba_kdc_entry *client_krbtgt_skdc_entry = NULL;
335 struct samba_kdc_entry *proxy_skdc_entry = NULL;
336 const struct auth_user_info_dc *client_info = NULL;
337 const struct auth_user_info_dc *device_info = NULL;
338 struct samba_kdc_entry_pac client_pac_entry = {};
339 struct auth_claims auth_claims = {};
340 TALLOC_CTX *mem_ctx = NULL;
341 krb5_error_code code;
343 kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
344 struct samba_kdc_db_context);
345 client_skdc_entry = talloc_get_type_abort(client->context,
346 struct samba_kdc_entry);
347 client_krbtgt_skdc_entry = talloc_get_type_abort(client_krbtgt->context,
348 struct samba_kdc_entry);
349 proxy_skdc_entry = talloc_get_type_abort(proxy->context,
350 struct samba_kdc_entry);
352 mem_ctx = talloc_new(kdc_db_ctx);
353 if (mem_ctx == NULL) {
357 client_pac_entry = samba_kdc_entry_pac(header_pac,
359 samba_kdc_entry_is_trust(client_krbtgt_skdc_entry));
361 code = samba_kdc_get_user_info_dc(mem_ctx,
366 NULL /* resource_groups_out */);
371 code = samba_kdc_get_claims_data(mem_ctx,
375 &auth_claims.user_claims);
380 if (device != NULL) {
381 struct samba_kdc_entry *device_skdc_entry = NULL;
382 const struct samba_kdc_entry *device_krbtgt_skdc_entry = NULL;
383 struct samba_kdc_entry_pac device_pac_entry = {};
385 device_skdc_entry = talloc_get_type_abort(device->context,
386 struct samba_kdc_entry);
388 if (device_krbtgt != NULL) {
389 device_krbtgt_skdc_entry = talloc_get_type_abort(device_krbtgt->context,
390 struct samba_kdc_entry);
393 device_pac_entry = samba_kdc_entry_pac(device_pac,
395 samba_kdc_entry_is_trust(device_krbtgt_skdc_entry));
397 code = samba_kdc_get_user_info_dc(mem_ctx,
402 NULL /* resource_groups_out */);
407 code = samba_kdc_get_claims_data(mem_ctx,
411 &auth_claims.device_claims);
417 code = samba_kdc_check_s4u2proxy_rbcd(context,
426 talloc_free(mem_ctx);
430 static krb5_error_code
431 hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db,
433 krb5_const_principal certificate_principal)
435 struct samba_kdc_db_context *kdc_db_ctx;
436 struct samba_kdc_entry *skdc_entry;
439 kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
440 struct samba_kdc_db_context);
441 skdc_entry = talloc_get_type_abort(entry->context,
442 struct samba_kdc_entry);
444 ret = samba_kdc_check_pkinit_ms_upn_match(context, kdc_db_ctx,
446 certificate_principal);
450 case SDB_ERR_WRONG_REALM:
451 ret = HDB_ERR_WRONG_REALM;
453 case SDB_ERR_NOENTRY:
454 ret = HDB_ERR_NOENTRY;
456 case SDB_ERR_NOT_FOUND_HERE:
457 ret = HDB_ERR_NOT_FOUND_HERE;
466 static krb5_error_code
467 hdb_samba4_check_client_matches_target_service(krb5_context context, HDB *db,
468 hdb_entry *client_entry,
469 hdb_entry *server_target_entry)
471 struct samba_kdc_entry *skdc_client_entry
472 = talloc_get_type_abort(client_entry->context,
473 struct samba_kdc_entry);
474 struct samba_kdc_entry *skdc_server_target_entry
475 = talloc_get_type_abort(server_target_entry->context,
476 struct samba_kdc_entry);
478 return samba_kdc_check_client_matches_target_service(context,
480 skdc_server_target_entry);
483 static void reset_bad_password_netlogon(TALLOC_CTX *mem_ctx,
484 struct samba_kdc_db_context *kdc_db_ctx,
485 struct netr_SendToSamBase *send_to_sam)
487 struct dcerpc_binding_handle *irpc_handle;
488 struct winbind_SendToSam req;
489 struct tevent_req *subreq = NULL;
491 NDR_PRINT_DEBUG(netr_SendToSamBase, send_to_sam);
492 irpc_handle = irpc_binding_handle_by_name(mem_ctx, kdc_db_ctx->msg_ctx,
496 if (irpc_handle == NULL) {
497 DBG_ERR("No winbind_server running!\n");
501 req.in.message = *send_to_sam;
504 * This seem to rely on the current IRPC implementation,
505 * which delivers the message in the _send function.
507 * TODO: we need a ONE_WAY IRPC handle and register
508 * a callback and wait for it to be triggered!
510 DBG_ERR("calling dcerpc_winbind_SendToSam_r_send\n");
511 subreq = dcerpc_winbind_SendToSam_r_send(mem_ctx, kdc_db_ctx->ev_ctx,
514 /* we aren't interested in a reply */
515 DBG_ERR("before talloc_free(subreq)\n");
517 DBG_ERR("after talloc_free(subreq)\n");
518 NDR_PRINT_DEBUG(netr_SendToSamBase, send_to_sam);
521 #define SAMBA_HDB_AUTHN_AUDIT_INFO_OBJ "samba:authn_audit_info_obj"
522 #define SAMBA_HDB_CLIENT_AUDIT_INFO "samba:client_audit_info"
523 #define SAMBA_HDB_SERVER_AUDIT_INFO "samba:server_audit_info"
525 #define SAMBA_HDB_NT_STATUS_OBJ "samba:nt_status_obj"
526 #define SAMBA_HDB_NT_STATUS "samba:nt_status"
528 struct hdb_audit_info_obj {
529 struct authn_audit_info *audit_info;
532 static void hdb_audit_info_obj_dealloc(void *ptr)
534 struct hdb_audit_info_obj *audit_info_obj = ptr;
536 if (audit_info_obj == NULL) {
540 TALLOC_FREE(audit_info_obj->audit_info);
544 * Set talloc-allocated auditing information of the KDC request. On success,
545 * ‘audit_info’ is invalidated and may no longer be used by the caller.
547 static krb5_error_code hdb_samba4_set_steal_audit_info(astgs_request_t r,
549 struct authn_audit_info *audit_info)
551 struct hdb_audit_info_obj *audit_info_obj = NULL;
553 audit_info_obj = kdc_object_alloc(sizeof (*audit_info_obj),
554 SAMBA_HDB_AUTHN_AUDIT_INFO_OBJ,
555 hdb_audit_info_obj_dealloc);
556 if (audit_info_obj == NULL) {
561 * Steal a handle to the audit information onto the NULL context —
562 * Heimdal will be responsible for the deallocation of the object.
564 audit_info_obj->audit_info = talloc_steal(NULL, audit_info);
566 heim_audit_setkv_object((heim_svc_req_desc)r, key, audit_info_obj);
567 heim_release(audit_info_obj);
573 * Set talloc-allocated client auditing information of the KDC request. On
574 * success, ‘client_audit_info’ is invalidated and may no longer be used by the
577 krb5_error_code hdb_samba4_set_steal_client_audit_info(astgs_request_t r,
578 struct authn_audit_info *client_audit_info)
580 return hdb_samba4_set_steal_audit_info(r,
581 SAMBA_HDB_CLIENT_AUDIT_INFO,
585 static const struct authn_audit_info *hdb_samba4_get_client_audit_info(hdb_request_t r)
587 const struct hdb_audit_info_obj *audit_info_obj = NULL;
589 audit_info_obj = heim_audit_getkv((heim_svc_req_desc)r, SAMBA_HDB_CLIENT_AUDIT_INFO);
590 if (audit_info_obj == NULL) {
594 return audit_info_obj->audit_info;
598 * Set talloc-allocated server auditing information of the KDC request. On
599 * success, ‘server_audit_info’ is invalidated and may no longer be used by the
602 krb5_error_code hdb_samba4_set_steal_server_audit_info(astgs_request_t r,
603 struct authn_audit_info *server_audit_info)
605 return hdb_samba4_set_steal_audit_info(r,
606 SAMBA_HDB_SERVER_AUDIT_INFO,
610 static const struct authn_audit_info *hdb_samba4_get_server_audit_info(hdb_request_t r)
612 const struct hdb_audit_info_obj *audit_info_obj = NULL;
614 audit_info_obj = heim_audit_getkv((heim_svc_req_desc)r, SAMBA_HDB_SERVER_AUDIT_INFO);
615 if (audit_info_obj == NULL) {
619 return audit_info_obj->audit_info;
622 struct hdb_ntstatus_obj {
624 krb5_error_code current_error;
628 * Add an NTSTATUS code to a Kerberos request. ‘error’ is the error value we
629 * want to return to the client. When it comes time to generating the error
630 * request, we shall compare this error value to whatever error we are about to
631 * return; if the two match, we shall replace the ‘e-data’ field in the reply
632 * with the NTSTATUS code.
634 krb5_error_code hdb_samba4_set_ntstatus(astgs_request_t r,
635 const NTSTATUS status,
636 const krb5_error_code error)
638 struct hdb_ntstatus_obj *status_obj = NULL;
640 status_obj = kdc_object_alloc(sizeof (*status_obj),
641 SAMBA_HDB_NT_STATUS_OBJ,
643 if (status_obj == NULL) {
647 *status_obj = (struct hdb_ntstatus_obj) {
649 .current_error = error,
652 heim_audit_setkv_object((heim_svc_req_desc)r, SAMBA_HDB_NT_STATUS, status_obj);
653 heim_release(status_obj);
658 static krb5_error_code hdb_samba4_make_nt_status_edata(const NTSTATUS status,
659 const uint32_t flags,
660 krb5_data *edata_out)
662 const uint32_t status_code = NT_STATUS_V(status);
663 const uint32_t zero = 0;
664 KERB_ERROR_DATA error_data;
670 /* The raw KERB-ERR-TYPE-EXTENDED structure. */
673 PUSH_LE_U32(data, 0, status_code);
674 PUSH_LE_U32(data, 4, zero);
675 PUSH_LE_U32(data, 8, flags);
677 e_data = (krb5_data) {
679 .length = sizeof(data),
682 error_data = (KERB_ERROR_DATA) {
683 .data_type = kERB_ERR_TYPE_EXTENDED,
684 .data_value = &e_data,
687 ASN1_MALLOC_ENCODE(KERB_ERROR_DATA,
688 edata_out->data, edata_out->length,
694 if (size != edata_out->length) {
695 /* Internal ASN.1 encoder error */
696 krb5_data_free(edata_out);
697 return KRB5KRB_ERR_GENERIC;
703 static krb5_error_code hdb_samba4_set_edata_from_ntstatus(hdb_request_t r, const NTSTATUS status)
705 const KDC_REQ *req = kdc_request_get_req((astgs_request_t)r);
706 krb5_error_code ret = 0;
710 if (req->msg_type == krb_tgs_req) {
711 /* This flag is used to indicate a TGS-REQ. */
715 ret = hdb_samba4_make_nt_status_edata(status, flags, &e_data);
720 ret = kdc_request_set_e_data((astgs_request_t)r, e_data);
722 krb5_data_free(&e_data);
728 static NTSTATUS hdb_samba4_get_ntstatus(hdb_request_t r)
730 struct hdb_ntstatus_obj *status_obj = NULL;
732 status_obj = heim_audit_getkv((heim_svc_req_desc)r, SAMBA_HDB_NT_STATUS);
733 if (status_obj == NULL) {
737 if (r->error_code != status_obj->current_error) {
739 * The error code has changed from what we expect. Consider the
740 * NTSTATUS to be invalidated.
745 return status_obj->status;
748 static krb5_error_code hdb_samba4_tgs_audit(const struct samba_kdc_db_context *kdc_db_ctx,
749 const hdb_entry *entry,
752 TALLOC_CTX *frame = talloc_stackframe();
753 const struct authn_audit_info *server_audit_info = NULL;
754 struct tsocket_address *remote_host = NULL;
755 struct samba_kdc_entry *client_entry = NULL;
756 struct dom_sid sid_buf = {};
757 const char *account_name = NULL;
758 const char *domain_name = NULL;
759 const struct dom_sid *sid = NULL;
760 size_t sa_socklen = 0;
761 NTSTATUS auth_status = NT_STATUS_OK;
762 krb5_error_code ret = 0;
763 krb5_error_code final_ret = 0;
765 /* Have we got a status code indicating an error? */
766 auth_status = hdb_samba4_get_ntstatus(r);
767 if (!NT_STATUS_IS_OK(auth_status)) {
769 * Include this status code in the ‘e-data’ field of the reply.
771 ret = hdb_samba4_set_edata_from_ntstatus(r, auth_status);
775 } else if (entry == NULL) {
776 auth_status = NT_STATUS_NO_SUCH_USER;
777 } else if (r->error_code) {
779 * Don’t include a status code in the reply. Just log the
780 * request as being unsuccessful.
782 auth_status = NT_STATUS_UNSUCCESSFUL;
785 switch (r->addr->sa_family) {
787 sa_socklen = sizeof(struct sockaddr_in);
791 sa_socklen = sizeof(struct sockaddr_in6);
796 ret = tsocket_address_bsd_from_sockaddr(frame, r->addr,
801 /* Ignore the error. */
804 server_audit_info = hdb_samba4_get_server_audit_info(r);
807 client_entry = talloc_get_type_abort(entry->context,
808 struct samba_kdc_entry);
810 ret = samdb_result_dom_sid_buf(client_entry->msg, "objectSid", &sid_buf);
812 /* Ignore the error. */
817 account_name = ldb_msg_find_attr_as_string(client_entry->msg, "sAMAccountName", NULL);
818 domain_name = lpcfg_sam_name(kdc_db_ctx->lp_ctx);
821 log_authz_event(kdc_db_ctx->msg_ctx,
827 "TGS-REQ with Ticket-Granting Ticket",
831 lpcfg_netbios_name(kdc_db_ctx->lp_ctx),
837 r->error_code = final_ret;
842 static krb5_error_code hdb_samba4_audit(krb5_context context,
847 struct samba_kdc_db_context *kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
848 struct samba_kdc_db_context);
849 struct ldb_dn *domain_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
850 heim_object_t auth_details_obj = NULL;
851 const char *auth_details = NULL;
852 char *etype_str = NULL;
853 heim_object_t hdb_auth_status_obj = NULL;
855 heim_object_t pa_type_obj = NULL;
856 const char *pa_type = NULL;
857 struct auth_usersupplied_info ui;
858 size_t sa_socklen = 0;
859 const KDC_REQ *req = kdc_request_get_req((astgs_request_t)r);
860 krb5_error_code final_ret = 0;
861 NTSTATUS edata_status;
863 if (req->msg_type == krb_tgs_req) {
864 return hdb_samba4_tgs_audit(kdc_db_ctx, entry, r);
867 if (r->error_code == KRB5KDC_ERR_PREAUTH_REQUIRED) {
868 /* Let’s not log PREAUTH_REQUIRED errors. */
872 edata_status = hdb_samba4_get_ntstatus(r);
874 hdb_auth_status_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_AUTH_EVENT);
875 if (hdb_auth_status_obj == NULL) {
876 /* No status code found, so just return. */
880 hdb_auth_status = heim_number_get_int(hdb_auth_status_obj);
882 pa_type_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_PA_NAME);
883 if (pa_type_obj != NULL) {
884 pa_type = heim_string_get_utf8(pa_type_obj);
887 auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_PKINIT_CLIENT_CERT);
888 if (auth_details_obj != NULL) {
889 auth_details = heim_string_get_utf8(auth_details_obj);
891 auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_GSS_INITIATOR);
892 if (auth_details_obj != NULL) {
893 auth_details = heim_string_get_utf8(auth_details_obj);
895 heim_object_t etype_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_PA_ETYPE);
896 if (etype_obj != NULL) {
897 int etype = heim_number_get_int(etype_obj);
899 krb5_error_code ret = krb5_enctype_to_string(r->context, etype, &etype_str);
901 auth_details = etype_str;
903 auth_details = "unknown enctype";
910 * Forcing this via the NTLM auth structure is not ideal, but
911 * it is the most practical option right now, and ensures the
912 * logs are consistent, even if some elements are always NULL.
914 ui = (struct auth_usersupplied_info) {
917 .account_name = r->cname,
920 .service_description = "Kerberos KDC",
921 .auth_description = "Unknown Auth Description",
922 .password_type = auth_details,
923 .logon_id = generate_random_u64(),
926 switch (r->addr->sa_family) {
928 sa_socklen = sizeof(struct sockaddr_in);
932 sa_socklen = sizeof(struct sockaddr_in6);
937 switch (hdb_auth_status) {
940 TALLOC_CTX *frame = talloc_stackframe();
941 struct samba_kdc_entry *p = talloc_get_type_abort(entry->context,
942 struct samba_kdc_entry);
944 = samdb_result_dom_sid(frame, p->msg, "objectSid");
945 const char *account_name
946 = ldb_msg_find_attr_as_string(p->msg, "sAMAccountName", NULL);
947 const char *domain_name = lpcfg_sam_name(p->kdc_db_ctx->lp_ctx);
948 struct tsocket_address *remote_host;
949 const char *auth_description = NULL;
950 const struct authn_audit_info *client_audit_info = NULL;
951 const struct authn_audit_info *server_audit_info = NULL;
954 bool rwdc_fallback = false;
956 ret = tsocket_address_bsd_from_sockaddr(frame, r->addr,
960 ui.remote_host = NULL;
962 ui.remote_host = remote_host;
965 ui.mapped.account_name = account_name;
966 ui.mapped.domain_name = domain_name;
968 if (pa_type != NULL) {
969 auth_description = talloc_asprintf(frame,
970 "%s Pre-authentication",
972 if (auth_description == NULL) {
973 auth_description = pa_type;
976 auth_description = "Unknown Pre-authentication";
978 ui.auth_description = auth_description;
980 if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_AUTHORIZED) {
981 struct netr_SendToSamBase *send_to_sam = NULL;
984 * TODO: We could log the AS-REQ authorization success here as
985 * well. However before we do that, we need to pass
986 * in the PAC here or re-calculate it.
988 status = authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg,
989 domain_dn, true, frame, &send_to_sam);
990 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
991 edata_status = status;
993 r->error_code = final_ret = KRB5KDC_ERR_CLIENT_REVOKED;
994 rwdc_fallback = kdc_db_ctx->rodc;
995 } else if (!NT_STATUS_IS_OK(status)) {
996 r->error_code = final_ret = KRB5KDC_ERR_CLIENT_REVOKED;
997 rwdc_fallback = kdc_db_ctx->rodc;
999 if (r->error_code == KRB5KDC_ERR_NEVER_VALID) {
1000 edata_status = status = NT_STATUS_TIME_DIFFERENCE_AT_DC;
1002 status = krb5_to_nt_status(r->error_code);
1005 if (kdc_db_ctx->rodc && send_to_sam != NULL) {
1006 reset_bad_password_netlogon(frame, kdc_db_ctx, send_to_sam);
1010 /* This is the final success */
1011 } else if (hdb_auth_status == KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) {
1013 * This was only a pre-authentication success,
1014 * but we didn't reach the final
1015 * KDC_AUTH_EVENT_CLIENT_AUTHORIZED,
1016 * so consult the error code.
1018 if (r->error_code == 0) {
1019 DBG_ERR("ERROR: VALIDATED_LONG_TERM_KEY "
1020 "with error=0 => INTERNAL_ERROR\n");
1021 status = NT_STATUS_INTERNAL_ERROR;
1022 r->error_code = final_ret = KRB5KRB_ERR_GENERIC;
1023 } else if (!NT_STATUS_IS_OK(p->reject_status)) {
1024 status = p->reject_status;
1026 status = krb5_to_nt_status(r->error_code);
1028 } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_SUCCEEDED) {
1030 * This was only a pre-authentication success,
1031 * but we didn't reach the final
1032 * KDC_AUTH_EVENT_CLIENT_AUTHORIZED,
1033 * so consult the error code.
1035 if (r->error_code == 0) {
1036 DBG_ERR("ERROR: PREAUTH_SUCCEEDED "
1037 "with error=0 => INTERNAL_ERROR\n");
1038 status = NT_STATUS_INTERNAL_ERROR;
1039 r->error_code = final_ret = KRB5KRB_ERR_GENERIC;
1040 } else if (!NT_STATUS_IS_OK(p->reject_status)) {
1041 status = p->reject_status;
1043 status = krb5_to_nt_status(r->error_code);
1045 } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_FOUND) {
1047 * We found the client principal,
1048 * but we didn’t reach the final
1049 * KDC_AUTH_EVENT_CLIENT_AUTHORIZED,
1050 * so consult the error code.
1052 if (r->error_code == 0) {
1053 DBG_ERR("ERROR: CLIENT_FOUND "
1054 "with error=0 => INTERNAL_ERROR\n");
1055 status = NT_STATUS_INTERNAL_ERROR;
1056 r->error_code = final_ret = KRB5KRB_ERR_GENERIC;
1057 } else if (!NT_STATUS_IS_OK(p->reject_status)) {
1058 status = p->reject_status;
1060 status = krb5_to_nt_status(r->error_code);
1062 } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_TIME_SKEW) {
1063 status = NT_STATUS_TIME_DIFFERENCE_AT_DC;
1064 } else if (hdb_auth_status == KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY) {
1065 status = authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
1066 if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
1067 edata_status = status;
1069 r->error_code = final_ret = KRB5KDC_ERR_CLIENT_REVOKED;
1071 status = NT_STATUS_WRONG_PASSWORD;
1073 rwdc_fallback = kdc_db_ctx->rodc;
1074 } else if (hdb_auth_status == KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY) {
1076 * The pre-authentication succeeds with a password
1077 * from the password history, so we don't
1078 * update the badPwdCount, but still return
1079 * PREAUTH_FAILED and need to forward to
1080 * a RWDC in order to produce an authoritative
1081 * response for the client.
1083 status = NT_STATUS_WRONG_PASSWORD;
1084 rwdc_fallback = kdc_db_ctx->rodc;
1085 } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_LOCKED_OUT) {
1086 edata_status = status = NT_STATUS_ACCOUNT_LOCKED_OUT;
1087 rwdc_fallback = kdc_db_ctx->rodc;
1088 } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED) {
1089 if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
1090 status = NT_STATUS_PKINIT_NAME_MISMATCH;
1092 status = NT_STATUS_ACCOUNT_RESTRICTION;
1094 rwdc_fallback = kdc_db_ctx->rodc;
1095 } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_FAILED) {
1096 if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
1097 status = NT_STATUS_PKINIT_FAILURE;
1099 status = NT_STATUS_GENERIC_COMMAND_FAILED;
1101 rwdc_fallback = kdc_db_ctx->rodc;
1103 DBG_ERR("Unhandled hdb_auth_status=%d => INTERNAL_ERROR\n",
1105 status = NT_STATUS_INTERNAL_ERROR;
1106 r->error_code = final_ret = KRB5KRB_ERR_GENERIC;
1109 if (!NT_STATUS_IS_OK(edata_status)) {
1110 krb5_error_code code;
1112 code = hdb_samba4_set_edata_from_ntstatus(r, edata_status);
1114 r->error_code = final_ret = code;
1118 if (rwdc_fallback) {
1120 * Forward the request to an RWDC in order
1121 * to give an authoritative answer to the client.
1123 auth_description = talloc_asprintf(frame,
1124 "%s,Forward-To-RWDC",
1125 ui.auth_description);
1126 if (auth_description != NULL) {
1127 ui.auth_description = auth_description;
1129 final_ret = HDB_ERR_NOT_FOUND_HERE;
1132 client_audit_info = hdb_samba4_get_client_audit_info(r);
1133 server_audit_info = hdb_samba4_get_server_audit_info(r);
1135 log_authentication_event(kdc_db_ctx->msg_ctx,
1145 if (final_ret == KRB5KRB_ERR_GENERIC && socket_wrapper_enabled()) {
1147 * If we're running under make test
1150 DBG_ERR("Unexpected situation => PANIC\n");
1151 smb_panic("hdb_samba4_audit: Unexpected situation");
1156 case KDC_AUTH_EVENT_CLIENT_UNKNOWN:
1158 struct tsocket_address *remote_host;
1160 TALLOC_CTX *frame = talloc_stackframe();
1161 ret = tsocket_address_bsd_from_sockaddr(frame, r->addr,
1165 ui.remote_host = NULL;
1167 ui.remote_host = remote_host;
1170 if (pa_type == NULL) {
1174 ui.auth_description = pa_type;
1176 /* Note this is not forwarded to an RWDC */
1178 log_authentication_event(kdc_db_ctx->msg_ctx,
1182 NT_STATUS_NO_SUCH_USER,
1185 NULL /* client_audit_info */,
1186 NULL /* server_audit_info */);
1197 /* This interface is to be called by the KDC and libnet_keytab_dump,
1198 * which is expecting Samba calling conventions.
1199 * It is also called by a wrapper (hdb_samba4_create) from the
1200 * kpasswdd -> krb5 -> keytab_hdb -> hdb code */
1202 NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
1203 krb5_context context, struct HDB **db)
1205 struct samba_kdc_db_context *kdc_db_ctx = NULL;
1208 if (hdb_interface_version != HDB_INTERFACE_VERSION) {
1209 krb5_set_error_message(context, EINVAL, "Heimdal HDB interface version mismatch between build-time and run-time libraries!");
1210 return NT_STATUS_ERROR_DS_INCOMPATIBLE_VERSION;
1213 *db = talloc_zero(base_ctx, HDB);
1215 krb5_set_error_message(context, ENOMEM, "talloc_zero: out of memory");
1216 return NT_STATUS_NO_MEMORY;
1219 (*db)->hdb_master_key_set = 0;
1220 (*db)->hdb_db = NULL;
1221 (*db)->hdb_capability_flags = HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL;
1223 nt_status = samba_kdc_setup_db_ctx(*db, base_ctx, &kdc_db_ctx);
1224 if (!NT_STATUS_IS_OK(nt_status)) {
1228 (*db)->hdb_db = kdc_db_ctx;
1230 (*db)->hdb_dbc = NULL;
1231 (*db)->hdb_open = hdb_samba4_open;
1232 (*db)->hdb_close = hdb_samba4_close;
1233 (*db)->hdb_free_entry_context = hdb_samba4_free_entry_context;
1234 (*db)->hdb_fetch_kvno = hdb_samba4_fetch_kvno;
1235 (*db)->hdb_store = hdb_samba4_store;
1236 (*db)->hdb_firstkey = hdb_samba4_firstkey;
1237 (*db)->hdb_nextkey = hdb_samba4_nextkey;
1238 (*db)->hdb_lock = hdb_samba4_lock;
1239 (*db)->hdb_unlock = hdb_samba4_unlock;
1240 (*db)->hdb_set_sync = hdb_samba4_set_sync;
1241 (*db)->hdb_rename = hdb_samba4_rename;
1242 /* we don't implement these, as we are not a lockable database */
1243 (*db)->hdb__get = NULL;
1244 (*db)->hdb__put = NULL;
1245 /* kadmin should not be used for deletes - use other tools instead */
1246 (*db)->hdb__del = NULL;
1247 (*db)->hdb_destroy = hdb_samba4_destroy;
1249 (*db)->hdb_audit = hdb_samba4_audit;
1250 (*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation;
1251 (*db)->hdb_check_rbcd = hdb_samba4_check_rbcd;
1252 (*db)->hdb_check_pkinit_ms_upn_match = hdb_samba4_check_pkinit_ms_upn_match;
1253 (*db)->hdb_check_client_matches_target_service = hdb_samba4_check_client_matches_target_service;
1255 return NT_STATUS_OK;
1258 NTSTATUS hdb_samba4_kpasswd_create_kdc(struct samba_kdc_base_context *base_ctx,
1259 krb5_context context, struct HDB **db)
1263 nt_status = hdb_samba4_create_kdc(base_ctx, context, db);
1264 if (!NT_STATUS_IS_OK(nt_status)) {
1268 (*db)->hdb_fetch_kvno = hdb_samba4_kpasswd_fetch_kvno;
1269 (*db)->hdb_firstkey = hdb_samba4_nextkey_panic;
1270 (*db)->hdb_nextkey = hdb_samba4_nextkey_panic;
1272 return NT_STATUS_OK;