source4/kdc/hdb-samba4.c

   1 /*
   2  * Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd.
   3  * Copyright (c) 2004-2009, Andrew Bartlett <abartlet@samba.org>.
   4  * Copyright (c) 2004, Stefan Metzmacher <metze@samba.org>
   5  * All rights reserved.
   6  *
   7  * Redistribution and use in source and binary forms, with or without
   8  * modification, are permitted provided that the following conditions
   9  * are met:
  10  *
  11  * 1. Redistributions of source code must retain the above copyright
  12  *    notice, this list of conditions and the following disclaimer.
  13  *
  14  * 2. Redistributions in binary form must reproduce the above copyright
  15  *    notice, this list of conditions and the following disclaimer in the
  16  *    documentation and/or other materials provided with the distribution.
  17  *
  18  * 3. Neither the name of PADL Software  nor the names of its contributors
  19  *    may be used to endorse or promote products derived from this software
  20  *    without specific prior written permission.
  21  *
  22  * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
  23  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  24  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  25  * ARE DISCLAIMED.  IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
  26  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  27  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  28  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  29  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  30  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  31  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  32  * SUCH DAMAGE.
  33  */
  34
  35 #include "includes.h"
  36 #include "kdc/kdc-glue.h"
  37 #include "kdc/db-glue.h"
  38 #include "auth/auth_sam.h"
  39 #include "auth/common_auth.h"
  40 #include <ldb.h>
  41 #include "sdb.h"
  42 #include "sdb_hdb.h"
  43 #include "dsdb/samdb/samdb.h"
  44 #include "param/param.h"
  45 #include "../lib/tsocket/tsocket.h"
  46
  47 static krb5_error_code hdb_samba4_open(krb5_context context, HDB *db, int flags, mode_t mode)
  48 {
  49         if (db->hdb_master_key_set) {
  50                 krb5_error_code ret = HDB_ERR_NOENTRY;
  51                 krb5_warnx(context, "hdb_samba4_open: use of a master key incompatible with LDB\n");
  52                 krb5_set_error_message(context, ret, "hdb_samba4_open: use of a master key incompatible with LDB\n");
  53                 return ret;
  54         }
  55
  56         return 0;
  57 }
  58
  59 static krb5_error_code hdb_samba4_close(krb5_context context, HDB *db)
  60 {
  61         return 0;
  62 }
  63
  64 static krb5_error_code hdb_samba4_lock(krb5_context context, HDB *db, int operation)
  65 {
  66         return 0;
  67 }
  68
  69 static krb5_error_code hdb_samba4_unlock(krb5_context context, HDB *db)
  70 {
  71         return 0;
  72 }
  73
  74 static krb5_error_code hdb_samba4_rename(krb5_context context, HDB *db, const char *new_name)
  75 {
  76         return HDB_ERR_DB_INUSE;
  77 }
  78
  79 static krb5_error_code hdb_samba4_store(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
  80 {
  81         return HDB_ERR_DB_INUSE;
  82 }
  83
  84 static krb5_error_code hdb_samba4_remove(krb5_context context, HDB *db, krb5_const_principal principal)
  85 {
  86         return HDB_ERR_DB_INUSE;
  87 }
  88
  89 static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db,
  90                                              krb5_const_principal principal,
  91                                              unsigned flags,
  92                                              krb5_kvno kvno,
  93                                              hdb_entry_ex *entry_ex)
  94 {
  95         struct samba_kdc_db_context *kdc_db_ctx;
  96         struct sdb_entry_ex sdb_entry_ex = {};
  97         krb5_error_code code, ret;
  98
  99         kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
 100                                            struct samba_kdc_db_context);
 101
 102         ret = samba_kdc_fetch(context,
 103                               kdc_db_ctx,
 104                               principal,
 105                               flags,
 106                               kvno,
 107                               &sdb_entry_ex);
 108         switch (ret) {
 109         case 0:
 110                 code = 0;
 111                 break;
 112         case SDB_ERR_WRONG_REALM:
 113                 /*
 114                  * If SDB_ERR_WRONG_REALM is returned we need to process the
 115                  * sdb_entry to fill the principal in the HDB entry.
 116                  */
 117                 code = HDB_ERR_WRONG_REALM;
 118                 break;
 119         case SDB_ERR_NOENTRY:
 120                 return HDB_ERR_NOENTRY;
 121         default:
 122                 return HDB_ERR_NOT_FOUND_HERE;
 123         }
 124
 125         ret = sdb_entry_ex_to_hdb_entry_ex(context, &sdb_entry_ex, entry_ex);
 126         sdb_free_entry(&sdb_entry_ex);
 127
 128         if (code != 0 && ret != 0) {
 129                 code = ret;
 130         }
 131
 132         return code;
 133 }
 134
 135 static krb5_error_code hdb_samba4_firstkey(krb5_context context, HDB *db, unsigned flags,
 136                                         hdb_entry_ex *entry)
 137 {
 138         struct samba_kdc_db_context *kdc_db_ctx;
 139         struct sdb_entry_ex sdb_entry_ex = {};
 140         krb5_error_code ret;
 141
 142         kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
 143                                            struct samba_kdc_db_context);
 144
 145         ret = samba_kdc_firstkey(context, kdc_db_ctx, &sdb_entry_ex);
 146         switch (ret) {
 147         case 0:
 148                 break;
 149         case SDB_ERR_WRONG_REALM:
 150                 return HDB_ERR_WRONG_REALM;
 151         case SDB_ERR_NOENTRY:
 152                 return HDB_ERR_NOENTRY;
 153         default:
 154                 return HDB_ERR_NOT_FOUND_HERE;
 155         }
 156
 157         ret = sdb_entry_ex_to_hdb_entry_ex(context, &sdb_entry_ex, entry);
 158         sdb_free_entry(&sdb_entry_ex);
 159         return ret;
 160 }
 161
 162 static krb5_error_code hdb_samba4_nextkey(krb5_context context, HDB *db, unsigned flags,
 163                                    hdb_entry_ex *entry)
 164 {
 165         struct samba_kdc_db_context *kdc_db_ctx;
 166         struct sdb_entry_ex sdb_entry_ex = {};
 167         krb5_error_code ret;
 168
 169         kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
 170                                            struct samba_kdc_db_context);
 171
 172         ret = samba_kdc_nextkey(context, kdc_db_ctx, &sdb_entry_ex);
 173         switch (ret) {
 174         case 0:
 175                 break;
 176         case SDB_ERR_WRONG_REALM:
 177                 return HDB_ERR_WRONG_REALM;
 178         case SDB_ERR_NOENTRY:
 179                 return HDB_ERR_NOENTRY;
 180         default:
 181                 return HDB_ERR_NOT_FOUND_HERE;
 182         }
 183
 184         ret = sdb_entry_ex_to_hdb_entry_ex(context, &sdb_entry_ex, entry);
 185         sdb_free_entry(&sdb_entry_ex);
 186         return ret;
 187 }
 188
 189 static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db)
 190 {
 191         talloc_free(db);
 192         return 0;
 193 }
 194
 195 static krb5_error_code
 196 hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db,
 197                                         hdb_entry_ex *entry,
 198                                         krb5_const_principal target_principal)
 199 {
 200         struct samba_kdc_db_context *kdc_db_ctx;
 201         struct samba_kdc_entry *skdc_entry;
 202         krb5_error_code ret;
 203
 204         kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
 205                                            struct samba_kdc_db_context);
 206         skdc_entry = talloc_get_type_abort(entry->ctx,
 207                                            struct samba_kdc_entry);
 208
 209         ret = samba_kdc_check_s4u2proxy(context, kdc_db_ctx,
 210                                         skdc_entry,
 211                                         target_principal);
 212         switch (ret) {
 213         case 0:
 214                 break;
 215         case SDB_ERR_WRONG_REALM:
 216                 ret = HDB_ERR_WRONG_REALM;
 217                 break;
 218         case SDB_ERR_NOENTRY:
 219                 ret = HDB_ERR_NOENTRY;
 220                 break;
 221         default:
 222                 ret = HDB_ERR_NOT_FOUND_HERE;
 223                 break;
 224         }
 225
 226         return ret;
 227 }
 228
 229 static krb5_error_code
 230 hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db,
 231                                      hdb_entry_ex *entry,
 232                                      krb5_const_principal certificate_principal)
 233 {
 234         struct samba_kdc_db_context *kdc_db_ctx;
 235         struct samba_kdc_entry *skdc_entry;
 236         krb5_error_code ret;
 237
 238         kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
 239                                            struct samba_kdc_db_context);
 240         skdc_entry = talloc_get_type_abort(entry->ctx,
 241                                            struct samba_kdc_entry);
 242
 243         ret = samba_kdc_check_pkinit_ms_upn_match(context, kdc_db_ctx,
 244                                                   skdc_entry,
 245                                                   certificate_principal);
 246         switch (ret) {
 247         case 0:
 248                 break;
 249         case SDB_ERR_WRONG_REALM:
 250                 ret = HDB_ERR_WRONG_REALM;
 251                 break;
 252         case SDB_ERR_NOENTRY:
 253                 ret = HDB_ERR_NOENTRY;
 254                 break;
 255         default:
 256                 ret = HDB_ERR_NOT_FOUND_HERE;
 257                 break;
 258         }
 259
 260         return ret;
 261 }
 262
 263 static krb5_error_code
 264 hdb_samba4_check_s4u2self(krb5_context context, HDB *db,
 265                           hdb_entry_ex *entry,
 266                           krb5_const_principal target_principal)
 267 {
 268         struct samba_kdc_db_context *kdc_db_ctx;
 269         struct samba_kdc_entry *skdc_entry;
 270         krb5_error_code ret;
 271
 272         kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
 273                                            struct samba_kdc_db_context);
 274         skdc_entry = talloc_get_type_abort(entry->ctx,
 275                                            struct samba_kdc_entry);
 276
 277         ret = samba_kdc_check_s4u2self(context, kdc_db_ctx,
 278                                        skdc_entry,
 279                                        target_principal);
 280         switch (ret) {
 281         case 0:
 282                 break;
 283         case SDB_ERR_WRONG_REALM:
 284                 ret = HDB_ERR_WRONG_REALM;
 285                 break;
 286         case SDB_ERR_NOENTRY:
 287                 ret = HDB_ERR_NOENTRY;
 288                 break;
 289         default:
 290                 ret = HDB_ERR_NOT_FOUND_HERE;
 291                 break;
 292         }
 293
 294         return ret;
 295 }
 296
 297 static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db,
 298                                               hdb_entry_ex *entry,
 299                                               struct sockaddr *from_addr,
 300                                               const char *original_client_name,
 301                                               const char *auth_type,
 302                                               int hdb_auth_status)
 303 {
 304         struct samba_kdc_db_context *kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
 305                                                                         struct samba_kdc_db_context);
 306
 307         struct ldb_dn *domain_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
 308
 309         /*
 310          * Forcing this via the NTLM auth structure is not ideal, but
 311          * it is the most practical option right now, and ensures the
 312          * logs are consistent, even if some elements are always NULL.
 313          */
 314         struct auth_usersupplied_info ui = {
 315                 .mapped_state = true,
 316                 .was_mapped = true,
 317                 .client = {
 318                         .account_name = original_client_name,
 319                         .domain_name = NULL,
 320                 },
 321                 .service_description = "Kerberos KDC",
 322                 .auth_description = "ENC-TS Pre-authentication",
 323                 .password_type = auth_type
 324         };
 325
 326         size_t sa_socklen = 0;
 327
 328         switch (from_addr->sa_family) {
 329         case AF_INET:
 330                 sa_socklen = sizeof(struct sockaddr_in);
 331                 break;
 332 #ifdef HAVE_IPV6
 333         case AF_INET6:
 334                 sa_socklen = sizeof(struct sockaddr_in6);
 335                 break;
 336 #endif
 337         }
 338
 339         switch (hdb_auth_status) {
 340         case HDB_AUTHZ_SUCCESS:
 341         {
 342                 struct samba_kdc_entry *p = talloc_get_type(entry->ctx,
 343                                                             struct samba_kdc_entry);
 344
 345                 /*
 346                  * TODO: We could log the AS-REQ authorization success here as
 347                  * well.  However before we do that, we need to pass
 348                  * in the PAC here or re-calculate it.
 349                  */
 350                 authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg,
 351                                                  domain_dn, true);
 352                 break;
 353         }
 354         case HDB_AUTH_INVALID_SIGNATURE:
 355                 break;
 356         case HDB_AUTH_CORRECT_PASSWORD:
 357         case HDB_AUTH_WRONG_PASSWORD:
 358         {
 359                 TALLOC_CTX *frame = talloc_stackframe();
 360                 struct samba_kdc_entry *p = talloc_get_type(entry->ctx,
 361                                                             struct samba_kdc_entry);
 362                 struct dom_sid *sid
 363                         = samdb_result_dom_sid(frame, p->msg, "objectSid");
 364                 const char *account_name
 365                         = ldb_msg_find_attr_as_string(p->msg, "sAMAccountName", NULL);
 366                 const char *domain_name = lpcfg_sam_name(p->kdc_db_ctx->lp_ctx);
 367                 struct tsocket_address *remote_host;
 368                 NTSTATUS status;
 369                 int ret;
 370
 371                 if (hdb_auth_status == HDB_AUTH_WRONG_PASSWORD) {
 372                         authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
 373                         status = NT_STATUS_WRONG_PASSWORD;
 374                 } else {
 375                         status = NT_STATUS_OK;
 376                 }
 377
 378                 ret = tsocket_address_bsd_from_sockaddr(frame, from_addr,
 379                                                         sa_socklen,
 380                                                         &remote_host);
 381                 if (ret != 0) {
 382                         ui.remote_host = NULL;
 383                 } else {
 384                         ui.remote_host = remote_host;
 385                 }
 386
 387                 ui.mapped.account_name = account_name;
 388                 ui.mapped.domain_name = domain_name;
 389
 390                 log_authentication_event(kdc_db_ctx->msg_ctx,
 391                                          kdc_db_ctx->lp_ctx,
 392                                          &ui,
 393                                          status,
 394                                          domain_name,
 395                                          account_name,
 396                                          NULL,
 397                                          sid);
 398                 TALLOC_FREE(frame);
 399                 break;
 400         }
 401         case HDB_AUTH_CLIENT_UNKNOWN:
 402         {
 403                 struct tsocket_address *remote_host;
 404                 int ret;
 405                 TALLOC_CTX *frame = talloc_stackframe();
 406                 ret = tsocket_address_bsd_from_sockaddr(frame, from_addr,
 407                                                         sa_socklen,
 408                                                         &remote_host);
 409                 if (ret != 0) {
 410                         ui.remote_host = NULL;
 411                 } else {
 412                         ui.remote_host = remote_host;
 413                 }
 414
 415                 log_authentication_event(kdc_db_ctx->msg_ctx,
 416                                          kdc_db_ctx->lp_ctx,
 417                                          &ui,
 418                                          NT_STATUS_NO_SUCH_USER,
 419                                          NULL, NULL,
 420                                          NULL, NULL);
 421                 TALLOC_FREE(frame);
 422                 break;
 423         }
 424         }
 425         return 0;
 426 }
 427
 428 /* This interface is to be called by the KDC and libnet_keytab_dump,
 429  * which is expecting Samba calling conventions.
 430  * It is also called by a wrapper (hdb_samba4_create) from the
 431  * kpasswdd -> krb5 -> keytab_hdb -> hdb code */
 432
 433 NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
 434                                krb5_context context, struct HDB **db)
 435 {
 436         struct samba_kdc_db_context *kdc_db_ctx;
 437         NTSTATUS nt_status;
 438
 439         if (hdb_interface_version != HDB_INTERFACE_VERSION) {
 440                 krb5_set_error_message(context, EINVAL, "Heimdal HDB interface version mismatch between build-time and run-time libraries!");
 441                 return NT_STATUS_ERROR_DS_INCOMPATIBLE_VERSION;
 442         }
 443
 444         *db = talloc(base_ctx, HDB);
 445         if (!*db) {
 446                 krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
 447                 return NT_STATUS_NO_MEMORY;
 448         }
 449
 450         (*db)->hdb_master_key_set = 0;
 451         (*db)->hdb_db = NULL;
 452         (*db)->hdb_capability_flags = HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL;
 453
 454         nt_status = samba_kdc_setup_db_ctx(*db, base_ctx, &kdc_db_ctx);
 455         if (!NT_STATUS_IS_OK(nt_status)) {
 456                 talloc_free(*db);
 457                 return nt_status;
 458         }
 459         (*db)->hdb_db = kdc_db_ctx;
 460
 461         (*db)->hdb_dbc = NULL;
 462         (*db)->hdb_open = hdb_samba4_open;
 463         (*db)->hdb_close = hdb_samba4_close;
 464         (*db)->hdb_fetch_kvno = hdb_samba4_fetch_kvno;
 465         (*db)->hdb_store = hdb_samba4_store;
 466         (*db)->hdb_remove = hdb_samba4_remove;
 467         (*db)->hdb_firstkey = hdb_samba4_firstkey;
 468         (*db)->hdb_nextkey = hdb_samba4_nextkey;
 469         (*db)->hdb_lock = hdb_samba4_lock;
 470         (*db)->hdb_unlock = hdb_samba4_unlock;
 471         (*db)->hdb_rename = hdb_samba4_rename;
 472         /* we don't implement these, as we are not a lockable database */
 473         (*db)->hdb__get = NULL;
 474         (*db)->hdb__put = NULL;
 475         /* kadmin should not be used for deletes - use other tools instead */
 476         (*db)->hdb__del = NULL;
 477         (*db)->hdb_destroy = hdb_samba4_destroy;
 478
 479         (*db)->hdb_auth_status = hdb_samba4_auth_status;
 480         (*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation;
 481         (*db)->hdb_check_pkinit_ms_upn_match = hdb_samba4_check_pkinit_ms_upn_match;
 482         (*db)->hdb_check_s4u2self = hdb_samba4_check_s4u2self;
 483
 484         return NT_STATUS_OK;
 485 }