2 * Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd.
3 * Copyright (c) 2004-2009, Andrew Bartlett <abartlet@samba.org>.
4 * Copyright (c) 2004, Stefan Metzmacher <metze@samba.org>
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of PADL Software nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include "kdc/kdc-glue.h"
37 #include "kdc/db-glue.h"
38 #include "auth/auth_sam.h"
39 #include "auth/common_auth.h"
43 #include "dsdb/samdb/samdb.h"
44 #include "param/param.h"
45 #include "../lib/tsocket/tsocket.h"
47 static krb5_error_code hdb_samba4_open(krb5_context context, HDB *db, int flags, mode_t mode)
49 if (db->hdb_master_key_set) {
50 krb5_error_code ret = HDB_ERR_NOENTRY;
51 krb5_warnx(context, "hdb_samba4_open: use of a master key incompatible with LDB\n");
52 krb5_set_error_message(context, ret, "hdb_samba4_open: use of a master key incompatible with LDB\n");
59 static krb5_error_code hdb_samba4_close(krb5_context context, HDB *db)
64 static krb5_error_code hdb_samba4_lock(krb5_context context, HDB *db, int operation)
69 static krb5_error_code hdb_samba4_unlock(krb5_context context, HDB *db)
74 static krb5_error_code hdb_samba4_rename(krb5_context context, HDB *db, const char *new_name)
76 return HDB_ERR_DB_INUSE;
79 static krb5_error_code hdb_samba4_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
81 return HDB_ERR_DB_INUSE;
84 static krb5_error_code hdb_samba4_remove(krb5_context context, HDB *db, krb5_const_principal principal)
86 return HDB_ERR_DB_INUSE;
89 static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db,
90 krb5_const_principal principal,
93 hdb_entry_ex *entry_ex)
95 struct samba_kdc_db_context *kdc_db_ctx;
96 struct sdb_entry_ex sdb_entry_ex = {};
97 krb5_error_code code, ret;
99 kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
100 struct samba_kdc_db_context);
102 ret = samba_kdc_fetch(context,
112 case SDB_ERR_WRONG_REALM:
114 * If SDB_ERR_WRONG_REALM is returned we need to process the
115 * sdb_entry to fill the principal in the HDB entry.
117 code = HDB_ERR_WRONG_REALM;
119 case SDB_ERR_NOENTRY:
120 return HDB_ERR_NOENTRY;
122 return HDB_ERR_NOT_FOUND_HERE;
125 ret = sdb_entry_ex_to_hdb_entry_ex(context, &sdb_entry_ex, entry_ex);
126 sdb_free_entry(&sdb_entry_ex);
128 if (code != 0 && ret != 0) {
135 static krb5_error_code hdb_samba4_firstkey(krb5_context context, HDB *db, unsigned flags,
138 struct samba_kdc_db_context *kdc_db_ctx;
139 struct sdb_entry_ex sdb_entry_ex = {};
142 kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
143 struct samba_kdc_db_context);
145 ret = samba_kdc_firstkey(context, kdc_db_ctx, &sdb_entry_ex);
149 case SDB_ERR_WRONG_REALM:
150 return HDB_ERR_WRONG_REALM;
151 case SDB_ERR_NOENTRY:
152 return HDB_ERR_NOENTRY;
154 return HDB_ERR_NOT_FOUND_HERE;
157 ret = sdb_entry_ex_to_hdb_entry_ex(context, &sdb_entry_ex, entry);
158 sdb_free_entry(&sdb_entry_ex);
162 static krb5_error_code hdb_samba4_nextkey(krb5_context context, HDB *db, unsigned flags,
165 struct samba_kdc_db_context *kdc_db_ctx;
166 struct sdb_entry_ex sdb_entry_ex = {};
169 kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
170 struct samba_kdc_db_context);
172 ret = samba_kdc_nextkey(context, kdc_db_ctx, &sdb_entry_ex);
176 case SDB_ERR_WRONG_REALM:
177 return HDB_ERR_WRONG_REALM;
178 case SDB_ERR_NOENTRY:
179 return HDB_ERR_NOENTRY;
181 return HDB_ERR_NOT_FOUND_HERE;
184 ret = sdb_entry_ex_to_hdb_entry_ex(context, &sdb_entry_ex, entry);
185 sdb_free_entry(&sdb_entry_ex);
189 static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db)
195 static krb5_error_code
196 hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db,
198 krb5_const_principal target_principal)
200 struct samba_kdc_db_context *kdc_db_ctx;
201 struct samba_kdc_entry *skdc_entry;
204 kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
205 struct samba_kdc_db_context);
206 skdc_entry = talloc_get_type_abort(entry->ctx,
207 struct samba_kdc_entry);
209 ret = samba_kdc_check_s4u2proxy(context, kdc_db_ctx,
215 case SDB_ERR_WRONG_REALM:
216 ret = HDB_ERR_WRONG_REALM;
218 case SDB_ERR_NOENTRY:
219 ret = HDB_ERR_NOENTRY;
222 ret = HDB_ERR_NOT_FOUND_HERE;
229 static krb5_error_code
230 hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db,
232 krb5_const_principal certificate_principal)
234 struct samba_kdc_db_context *kdc_db_ctx;
235 struct samba_kdc_entry *skdc_entry;
238 kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
239 struct samba_kdc_db_context);
240 skdc_entry = talloc_get_type_abort(entry->ctx,
241 struct samba_kdc_entry);
243 ret = samba_kdc_check_pkinit_ms_upn_match(context, kdc_db_ctx,
245 certificate_principal);
249 case SDB_ERR_WRONG_REALM:
250 ret = HDB_ERR_WRONG_REALM;
252 case SDB_ERR_NOENTRY:
253 ret = HDB_ERR_NOENTRY;
256 ret = HDB_ERR_NOT_FOUND_HERE;
263 static krb5_error_code
264 hdb_samba4_check_s4u2self(krb5_context context, HDB *db,
266 krb5_const_principal target_principal)
268 struct samba_kdc_db_context *kdc_db_ctx;
269 struct samba_kdc_entry *skdc_entry;
272 kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
273 struct samba_kdc_db_context);
274 skdc_entry = talloc_get_type_abort(entry->ctx,
275 struct samba_kdc_entry);
277 ret = samba_kdc_check_s4u2self(context, kdc_db_ctx,
283 case SDB_ERR_WRONG_REALM:
284 ret = HDB_ERR_WRONG_REALM;
286 case SDB_ERR_NOENTRY:
287 ret = HDB_ERR_NOENTRY;
290 ret = HDB_ERR_NOT_FOUND_HERE;
297 static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
299 struct sockaddr *from_addr,
300 const char *original_client_name,
301 const char *auth_type,
304 struct samba_kdc_db_context *kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
305 struct samba_kdc_db_context);
307 struct ldb_dn *domain_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
310 * Forcing this via the NTLM auth structure is not ideal, but
311 * it is the most practical option right now, and ensures the
312 * logs are consistent, even if some elements are always NULL.
314 struct auth_usersupplied_info ui = {
315 .mapped_state = true,
318 .account_name = original_client_name,
321 .service_description = "Kerberos KDC",
322 .auth_description = "ENC-TS Pre-authentication",
323 .password_type = auth_type
326 size_t sa_socklen = 0;
328 switch (from_addr->sa_family) {
330 sa_socklen = sizeof(struct sockaddr_in);
334 sa_socklen = sizeof(struct sockaddr_in6);
339 switch (hdb_auth_status) {
340 case HDB_AUTHZ_SUCCESS:
342 struct samba_kdc_entry *p = talloc_get_type(entry->ctx,
343 struct samba_kdc_entry);
346 * TODO: We could log the AS-REQ authorization success here as
347 * well. However before we do that, we need to pass
348 * in the PAC here or re-calculate it.
350 authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg,
354 case HDB_AUTH_INVALID_SIGNATURE:
356 case HDB_AUTH_CORRECT_PASSWORD:
357 case HDB_AUTH_WRONG_PASSWORD:
359 TALLOC_CTX *frame = talloc_stackframe();
360 struct samba_kdc_entry *p = talloc_get_type(entry->ctx,
361 struct samba_kdc_entry);
363 = samdb_result_dom_sid(frame, p->msg, "objectSid");
364 const char *account_name
365 = ldb_msg_find_attr_as_string(p->msg, "sAMAccountName", NULL);
366 const char *domain_name = lpcfg_sam_name(p->kdc_db_ctx->lp_ctx);
367 struct tsocket_address *remote_host;
371 if (hdb_auth_status == HDB_AUTH_WRONG_PASSWORD) {
372 authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
373 status = NT_STATUS_WRONG_PASSWORD;
375 status = NT_STATUS_OK;
378 ret = tsocket_address_bsd_from_sockaddr(frame, from_addr,
382 ui.remote_host = NULL;
384 ui.remote_host = remote_host;
387 ui.mapped.account_name = account_name;
388 ui.mapped.domain_name = domain_name;
390 log_authentication_event(kdc_db_ctx->msg_ctx,
401 case HDB_AUTH_CLIENT_UNKNOWN:
403 struct tsocket_address *remote_host;
405 TALLOC_CTX *frame = talloc_stackframe();
406 ret = tsocket_address_bsd_from_sockaddr(frame, from_addr,
410 ui.remote_host = NULL;
412 ui.remote_host = remote_host;
415 log_authentication_event(kdc_db_ctx->msg_ctx,
418 NT_STATUS_NO_SUCH_USER,
428 /* This interface is to be called by the KDC and libnet_keytab_dump,
429 * which is expecting Samba calling conventions.
430 * It is also called by a wrapper (hdb_samba4_create) from the
431 * kpasswdd -> krb5 -> keytab_hdb -> hdb code */
433 NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
434 krb5_context context, struct HDB **db)
436 struct samba_kdc_db_context *kdc_db_ctx;
439 if (hdb_interface_version != HDB_INTERFACE_VERSION) {
440 krb5_set_error_message(context, EINVAL, "Heimdal HDB interface version mismatch between build-time and run-time libraries!");
441 return NT_STATUS_ERROR_DS_INCOMPATIBLE_VERSION;
444 *db = talloc(base_ctx, HDB);
446 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
447 return NT_STATUS_NO_MEMORY;
450 (*db)->hdb_master_key_set = 0;
451 (*db)->hdb_db = NULL;
452 (*db)->hdb_capability_flags = HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL;
454 nt_status = samba_kdc_setup_db_ctx(*db, base_ctx, &kdc_db_ctx);
455 if (!NT_STATUS_IS_OK(nt_status)) {
459 (*db)->hdb_db = kdc_db_ctx;
461 (*db)->hdb_dbc = NULL;
462 (*db)->hdb_open = hdb_samba4_open;
463 (*db)->hdb_close = hdb_samba4_close;
464 (*db)->hdb_fetch_kvno = hdb_samba4_fetch_kvno;
465 (*db)->hdb_store = hdb_samba4_store;
466 (*db)->hdb_remove = hdb_samba4_remove;
467 (*db)->hdb_firstkey = hdb_samba4_firstkey;
468 (*db)->hdb_nextkey = hdb_samba4_nextkey;
469 (*db)->hdb_lock = hdb_samba4_lock;
470 (*db)->hdb_unlock = hdb_samba4_unlock;
471 (*db)->hdb_rename = hdb_samba4_rename;
472 /* we don't implement these, as we are not a lockable database */
473 (*db)->hdb__get = NULL;
474 (*db)->hdb__put = NULL;
475 /* kadmin should not be used for deletes - use other tools instead */
476 (*db)->hdb__del = NULL;
477 (*db)->hdb_destroy = hdb_samba4_destroy;
479 (*db)->hdb_auth_status = hdb_samba4_auth_status;
480 (*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation;
481 (*db)->hdb_check_pkinit_ms_upn_match = hdb_samba4_check_pkinit_ms_upn_match;
482 (*db)->hdb_check_s4u2self = hdb_samba4_check_s4u2self;