4 Copyright (c) 2010, Simo Sorce <idra@samba.org>
5 Copyright (c) 2014-2015 Guenther Deschner <gd@samba.org>
6 Copyright (c) 2014-2016 Andreas Schneider <asn@samba.org>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #define TEVENT_DEPRECATED 1
25 #include "param/param.h"
26 #include "dsdb/samdb/samdb.h"
27 #include "system/kerberos.h"
30 #include <kadm5/kadm_err.h>
32 #include "kdc/sdb_kdb.h"
33 #include "auth/kerberos/kerberos.h"
34 #include "auth/kerberos/pac_utils.h"
35 #include "kdc/samba_kdc.h"
36 #include "kdc/pac-glue.h"
37 #include "kdc/db-glue.h"
38 #include "auth/auth.h"
39 #include "kdc/kpasswd_glue.h"
40 #include "auth/auth_sam.h"
42 #include "mit_samba.h"
45 #define DBGC_CLASS DBGC_KERBEROS
47 void mit_samba_context_free(struct mit_samba_context *ctx)
49 /* free heimdal's krb5_context */
51 krb5_free_context(ctx->context);
54 /* then free everything else */
59 * Implemant a callback to log to the MIT KDC log facility
61 * http://web.mit.edu/kerberos/krb5-devel/doc/plugindev/general.html#logging-from-kdc-and-kadmind-plugin-modules
63 static void mit_samba_debug(void *private_ptr, int msg_level, const char *msg)
71 com_err("", is_error, "%s", msg);
74 int mit_samba_context_init(struct mit_samba_context **_ctx)
77 struct mit_samba_context *ctx;
78 const char *s4_conf_file;
80 struct samba_kdc_base_context base_ctx;
82 ctx = talloc_zero(NULL, struct mit_samba_context);
88 base_ctx.ev_ctx = tevent_context_init(ctx);
89 if (!base_ctx.ev_ctx) {
93 tevent_loop_allow_nesting(base_ctx.ev_ctx);
94 base_ctx.lp_ctx = loadparm_init_global(false);
95 if (!base_ctx.lp_ctx) {
100 debug_set_callback(NULL, mit_samba_debug);
102 /* init s4 configuration */
103 s4_conf_file = lpcfg_configfile(base_ctx.lp_ctx);
104 if (s4_conf_file != NULL) {
105 char *p = talloc_strdup(ctx, s4_conf_file);
110 lpcfg_load(base_ctx.lp_ctx, p);
113 lpcfg_load_default(base_ctx.lp_ctx);
116 status = samba_kdc_setup_db_ctx(ctx, &base_ctx, &ctx->db_ctx);
117 if (!NT_STATUS_IS_OK(status)) {
122 /* init heimdal's krb_context and log facilities */
123 ret = smb_krb5_init_context_basic(ctx,
134 mit_samba_context_free(ctx);
141 static krb5_error_code ks_is_tgs_principal(struct mit_samba_context *ctx,
142 krb5_const_principal principal)
147 p = smb_krb5_principal_get_comp_string(ctx, ctx->context, principal, 0);
149 eq = krb5_princ_size(ctx->context, principal) == 2 &&
150 (strcmp(p, KRB5_TGS_NAME) == 0);
157 int mit_samba_generate_salt(krb5_data *salt)
164 salt->data = malloc(salt->length);
165 if (salt->data == NULL) {
169 generate_random_buffer((uint8_t *)salt->data, salt->length);
174 int mit_samba_generate_random_password(krb5_data *pwd)
184 tmp_ctx = talloc_named(NULL,
186 "mit_samba_create_principal_password context");
187 if (tmp_ctx == NULL) {
191 password = generate_random_password(tmp_ctx, pwd->length, pwd->length);
192 if (password == NULL) {
193 talloc_free(tmp_ctx);
197 pwd->data = strdup(password);
198 talloc_free(tmp_ctx);
199 if (pwd->data == NULL) {
206 int mit_samba_get_principal(struct mit_samba_context *ctx,
207 krb5_const_principal principal,
209 krb5_db_entry **_kentry)
211 struct sdb_entry_ex sentry = {
214 krb5_db_entry *kentry;
217 krb5_principal referral_principal = NULL;
219 kentry = calloc(1, sizeof(krb5_db_entry));
220 if (kentry == NULL) {
224 #if KRB5_KDB_API_VERSION >= 10
226 * The MIT KDC code that wants the canonical name in all lookups, and
227 * takes care to canonicalize only when appropriate.
229 sflags |= SDB_F_FORCE_CANON;
232 if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
233 sflags |= SDB_F_CANON;
235 if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
236 KRB5_KDB_FLAG_INCLUDE_PAC)) {
238 * KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is equal to
241 * We use ANY to also allow AS_REQ for service principal names
242 * This is supported by Windows.
244 sflags |= SDB_F_GET_ANY|SDB_F_FOR_AS_REQ;
245 } else if (ks_is_tgs_principal(ctx, principal)) {
246 sflags |= SDB_F_GET_KRBTGT;
248 sflags |= SDB_F_GET_SERVER|SDB_F_FOR_TGS_REQ;
251 /* always set this or the created_by data will not be populated by samba's
252 * backend and we will fail to parse the entry later */
253 sflags |= SDB_F_ADMIN_DATA;
256 fetch_referral_principal:
257 ret = samba_kdc_fetch(ctx->context, ctx->db_ctx,
258 principal, sflags, 0, &sentry);
262 case SDB_ERR_NOENTRY:
263 ret = KRB5_KDB_NOENTRY;
265 case SDB_ERR_WRONG_REALM: {
266 char *dest_realm = NULL;
267 const char *our_realm = lpcfg_realm(ctx->db_ctx->lp_ctx);
269 if (sflags & SDB_F_FOR_AS_REQ) {
271 * If this is a request for a TGT, we are done. The KDC
272 * will return the correct error to the client.
278 if (referral_principal != NULL) {
279 sdb_free_entry(&sentry);
280 ret = KRB5_KDB_NOENTRY;
285 * We get a TGS request
287 * cifs/dc7.SAMBA2008R2.EXAMPLE.COM@ADDOM.SAMBA.EXAMPLE.COM
289 * to our DC for the realm
291 * ADDOM.SAMBA.EXAMPLE.COM
293 * We look up if we have and entry in the database and get an
294 * entry with the pricipal:
296 * cifs/dc7.SAMBA2008R2.EXAMPLE.COM@SAMBA2008R2.EXAMPLE.COM
298 * and the error: SDB_ERR_WRONG_REALM.
300 * In the case of a TGS-REQ we need to return a referral ticket
301 * fo the next trust hop to the client. This ticket will have
302 * the following principal:
304 * krbtgt/SAMBA2008R2.EXAMPLE.COM@ADDOM.SAMBA.EXAMPLE.COM
306 * We just redo the lookup in the database with the referral
307 * principal and return success.
309 dest_realm = smb_krb5_principal_get_realm(
310 ctx, ctx->context, sentry.entry.principal);
311 sdb_free_entry(&sentry);
312 if (dest_realm == NULL) {
313 ret = KRB5_KDB_NOENTRY;
317 ret = smb_krb5_make_principal(ctx->context,
323 TALLOC_FREE(dest_realm);
328 principal = referral_principal;
329 goto fetch_referral_principal;
331 case SDB_ERR_NOT_FOUND_HERE:
332 /* FIXME: RODC support */
337 ret = sdb_entry_ex_to_kdb_entry_ex(ctx->context, &sentry, kentry);
339 sdb_free_entry(&sentry);
342 krb5_free_principal(ctx->context, referral_principal);
343 referral_principal = NULL;
353 int mit_samba_get_firstkey(struct mit_samba_context *ctx,
354 krb5_db_entry **_kentry)
356 struct sdb_entry_ex sentry = {
359 krb5_db_entry *kentry;
362 kentry = malloc(sizeof(krb5_db_entry));
363 if (kentry == NULL) {
367 ret = samba_kdc_firstkey(ctx->context, ctx->db_ctx, &sentry);
371 case SDB_ERR_NOENTRY:
373 return KRB5_KDB_NOENTRY;
374 case SDB_ERR_NOT_FOUND_HERE:
375 /* FIXME: RODC support */
381 ret = sdb_entry_ex_to_kdb_entry_ex(ctx->context, &sentry, kentry);
383 sdb_free_entry(&sentry);
393 int mit_samba_get_nextkey(struct mit_samba_context *ctx,
394 krb5_db_entry **_kentry)
396 struct sdb_entry_ex sentry = {
399 krb5_db_entry *kentry;
402 kentry = malloc(sizeof(krb5_db_entry));
403 if (kentry == NULL) {
407 ret = samba_kdc_nextkey(ctx->context, ctx->db_ctx, &sentry);
411 case SDB_ERR_NOENTRY:
413 return KRB5_KDB_NOENTRY;
414 case SDB_ERR_NOT_FOUND_HERE:
415 /* FIXME: RODC support */
421 ret = sdb_entry_ex_to_kdb_entry_ex(ctx->context, &sentry, kentry);
423 sdb_free_entry(&sentry);
433 int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
434 krb5_context context,
435 krb5_db_entry *client,
436 krb5_keyblock *client_key,
440 DATA_BLOB *logon_info_blob = NULL;
441 DATA_BLOB *upn_dns_info_blob = NULL;
442 DATA_BLOB *cred_ndr = NULL;
443 DATA_BLOB **cred_ndr_ptr = NULL;
444 DATA_BLOB cred_blob = data_blob_null;
445 DATA_BLOB *pcred_blob = NULL;
447 krb5_error_code code;
448 struct samba_kdc_entry *skdc_entry;
450 skdc_entry = talloc_get_type_abort(client->e_data,
451 struct samba_kdc_entry);
453 tmp_ctx = talloc_named(smb_ctx,
455 "mit_samba_get_pac_data_blobs context");
456 if (tmp_ctx == NULL) {
460 #if 0 /* TODO Find out if this is a pkinit_reply key */
461 /* Check if we have a PREAUTH key */
462 if (client_key != NULL) {
463 cred_ndr_ptr = &cred_ndr;
467 nt_status = samba_kdc_get_pac_blobs(tmp_ctx,
474 if (!NT_STATUS_IS_OK(nt_status)) {
475 talloc_free(tmp_ctx);
476 if (NT_STATUS_EQUAL(nt_status,
477 NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
483 if (cred_ndr != NULL) {
484 code = samba_kdc_encrypt_pac_credentials(context,
490 talloc_free(tmp_ctx);
493 pcred_blob = &cred_blob;
496 code = samba_make_krb5_pac(context,
505 talloc_free(tmp_ctx);
509 krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
510 krb5_context context,
512 krb5_const_principal client_principal,
513 krb5_db_entry *client,
514 krb5_db_entry *server,
515 krb5_db_entry *krbtgt,
516 krb5_keyblock *krbtgt_keyblock,
520 krb5_error_code code;
522 DATA_BLOB *pac_blob = NULL;
523 DATA_BLOB *upn_blob = NULL;
524 DATA_BLOB *deleg_blob = NULL;
525 struct samba_kdc_entry *client_skdc_entry = NULL;
526 struct samba_kdc_entry *krbtgt_skdc_entry = NULL;
527 struct samba_kdc_entry *server_skdc_entry = NULL;
528 bool is_in_db = false;
529 bool is_untrusted = false;
530 size_t num_types = 0;
531 uint32_t *types = NULL;
532 uint32_t forced_next_type = 0;
534 ssize_t logon_info_idx = -1;
535 ssize_t delegation_idx = -1;
536 ssize_t logon_name_idx = -1;
537 ssize_t upn_dns_info_idx = -1;
538 ssize_t srv_checksum_idx = -1;
539 ssize_t kdc_checksum_idx = -1;
540 krb5_pac new_pac = NULL;
543 /* Create a memory context early so code can use talloc_stackframe() */
544 tmp_ctx = talloc_named(ctx, 0, "mit_samba_reget_pac context");
545 if (tmp_ctx == NULL) {
549 if (client != NULL) {
551 talloc_get_type_abort(client->e_data,
552 struct samba_kdc_entry);
555 * Check the objectSID of the client and pac data are the same.
556 * Does a parse and SID check, but no crypto.
558 code = samba_kdc_validate_pac_blob(context, client_skdc_entry, *pac);
564 if (server == NULL) {
570 talloc_get_type_abort(server->e_data,
571 struct samba_kdc_entry);
573 /* The account may be set not to want the PAC */
574 ok = samba_princ_needs_pac(server_skdc_entry);
580 if (krbtgt == NULL) {
585 talloc_get_type_abort(krbtgt->e_data,
586 struct samba_kdc_entry);
588 code = samba_krbtgt_is_in_db(krbtgt_skdc_entry,
596 if (client == NULL) {
597 code = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
601 nt_status = samba_kdc_get_pac_blobs(tmp_ctx,
609 if (!NT_STATUS_IS_OK(nt_status)) {
614 struct PAC_SIGNATURE_DATA *pac_srv_sig;
615 struct PAC_SIGNATURE_DATA *pac_kdc_sig;
617 pac_blob = talloc_zero(tmp_ctx, DATA_BLOB);
618 if (pac_blob == NULL) {
623 pac_srv_sig = talloc_zero(tmp_ctx, struct PAC_SIGNATURE_DATA);
624 if (pac_srv_sig == NULL) {
629 pac_kdc_sig = talloc_zero(tmp_ctx, struct PAC_SIGNATURE_DATA);
630 if (pac_kdc_sig == NULL) {
635 nt_status = samba_kdc_update_pac_blob(tmp_ctx,
637 krbtgt_skdc_entry->kdc_db_ctx->samdb,
642 if (!NT_STATUS_IS_OK(nt_status)) {
643 DEBUG(0, ("Update PAC blob failed: %s\n",
644 nt_errstr(nt_status)));
651 * Now check the KDC signature, fetching the correct
652 * key based on the enc type.
654 code = check_pac_checksum(pac_srv_sig->signature,
659 DBG_INFO("PAC KDC signature failed to verify\n");
665 if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
666 deleg_blob = talloc_zero(tmp_ctx, DATA_BLOB);
667 if (deleg_blob == NULL) {
672 nt_status = samba_kdc_update_delegation_info_blob(tmp_ctx,
676 discard_const(client_principal),
678 if (!NT_STATUS_IS_OK(nt_status)) {
679 DEBUG(0, ("Update delegation info failed: %s\n",
680 nt_errstr(nt_status)));
686 /* Check the types of the given PAC */
687 code = krb5_pac_get_types(context, *pac, &num_types, &types);
692 for (i = 0; i < num_types; i++) {
694 case PAC_TYPE_LOGON_INFO:
695 if (logon_info_idx != -1) {
696 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
706 case PAC_TYPE_CONSTRAINED_DELEGATION:
707 if (delegation_idx != -1) {
708 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
718 case PAC_TYPE_LOGON_NAME:
719 if (logon_name_idx != -1) {
720 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
730 case PAC_TYPE_UPN_DNS_INFO:
731 if (upn_dns_info_idx != -1) {
732 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
740 upn_dns_info_idx = i;
742 case PAC_TYPE_SRV_CHECKSUM:
743 if (srv_checksum_idx != -1) {
744 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
752 srv_checksum_idx = i;
754 case PAC_TYPE_KDC_CHECKSUM:
755 if (kdc_checksum_idx != -1) {
756 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
764 kdc_checksum_idx = i;
771 if (logon_info_idx == -1) {
772 DEBUG(1, ("PAC_TYPE_LOGON_INFO missing\n"));
777 if (logon_name_idx == -1) {
778 DEBUG(1, ("PAC_TYPE_LOGON_NAME missing\n"));
783 if (srv_checksum_idx == -1) {
784 DEBUG(1, ("PAC_TYPE_SRV_CHECKSUM missing\n"));
789 if (kdc_checksum_idx == -1) {
790 DEBUG(1, ("PAC_TYPE_KDC_CHECKSUM missing\n"));
796 /* Build an updated PAC */
797 code = krb5_pac_init(context, &new_pac);
805 DATA_BLOB type_blob = data_blob_null;
808 if (forced_next_type != 0) {
810 * We need to inject possible missing types
812 type = forced_next_type;
813 forced_next_type = 0;
814 } else if (i < num_types) {
822 case PAC_TYPE_LOGON_INFO:
823 type_blob = *pac_blob;
825 if (delegation_idx == -1 && deleg_blob != NULL) {
826 /* inject CONSTRAINED_DELEGATION behind */
827 forced_next_type = PAC_TYPE_CONSTRAINED_DELEGATION;
830 case PAC_TYPE_CONSTRAINED_DELEGATION:
831 if (deleg_blob != NULL) {
832 type_blob = *deleg_blob;
835 case PAC_TYPE_CREDENTIAL_INFO:
837 * Note that we copy the credential blob,
838 * as it's only usable with the PKINIT based
839 * AS-REP reply key, it's only available on the
840 * host which did the AS-REQ/AS-REP exchange.
842 * This matches Windows 2008R2...
845 case PAC_TYPE_LOGON_NAME:
847 * This is generated in the main KDC code
850 case PAC_TYPE_UPN_DNS_INFO:
852 * Replace in the RODC case, otherwise
853 * upn_blob is NULL and we just copy.
855 if (upn_blob != NULL) {
856 type_blob = *upn_blob;
859 case PAC_TYPE_SRV_CHECKSUM:
861 * This is generated in the main KDC code
864 case PAC_TYPE_KDC_CHECKSUM:
866 * This is generated in the main KDC code
874 if (type_blob.length != 0) {
875 code = smb_krb5_copy_data_contents(&type_data,
880 krb5_pac_free(context, new_pac);
884 code = krb5_pac_get_buffer(context,
890 krb5_pac_free(context, new_pac);
895 code = krb5_pac_add_buffer(context,
899 smb_krb5_free_data_contents(context, &type_data);
902 krb5_pac_free(context, new_pac);
909 /* We now replace the pac */
910 krb5_pac_free(context, *pac);
913 talloc_free(tmp_ctx);
917 /* provide header, function is exported but there are no public headers */
919 krb5_error_code encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data **code);
921 /* this function allocates 'data' using malloc.
922 * The caller is responsible for freeing it */
923 static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data)
925 krb5_error_code ret = 0;
926 krb5_pa_data pa, *ppa[2];
935 pa.magic = KV5M_PA_DATA;
936 pa.pa_type = KRB5_PADATA_PW_SALT;
938 pa.contents = malloc(pa.length);
943 SIVAL(pa.contents, 0, NT_STATUS_V(nt_status));
944 SIVAL(pa.contents, 4, 0);
945 SIVAL(pa.contents, 8, 1);
950 ret = encode_krb5_padata_sequence(ppa, &d);
956 e_data->data = (uint8_t *)d->data;
957 e_data->length = d->length;
959 /* free d, not d->data - gd */
965 int mit_samba_check_client_access(struct mit_samba_context *ctx,
966 krb5_db_entry *client,
967 const char *client_name,
968 krb5_db_entry *server,
969 const char *server_name,
970 const char *netbios_name,
971 bool password_change,
974 struct samba_kdc_entry *skdc_entry;
977 skdc_entry = talloc_get_type(client->e_data, struct samba_kdc_entry);
979 nt_status = samba_kdc_check_client_access(skdc_entry,
984 if (!NT_STATUS_IS_OK(nt_status)) {
985 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
989 samba_kdc_build_edata_reply(nt_status, e_data);
991 return samba_kdc_map_policy_err(nt_status);
997 int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
998 krb5_db_entry *kentry,
999 const char *target_name,
1000 bool is_nt_enterprise_name)
1004 * This is disabled because mit_samba_update_pac_data() does not handle
1005 * S4U_DELEGATION_INFO
1008 return KRB5KDC_ERR_BADOPTION;
1010 krb5_principal target_principal;
1014 if (is_nt_enterprise_name) {
1015 flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
1018 ret = krb5_parse_name_flags(ctx->context, target_name,
1019 flags, &target_principal);
1024 ret = samba_kdc_check_s4u2proxy(ctx->context,
1029 krb5_free_principal(ctx->context, target_principal);
1035 static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
1037 enum samPwdChangeReason reject_reason,
1038 struct samr_DomInfo1 *dominfo)
1040 krb5_error_code code = KADM5_PASS_Q_GENERIC;
1042 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
1043 code = KADM5_BAD_PRINCIPAL;
1044 krb5_set_error_message(context,
1046 "No such user when changing password");
1048 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
1049 code = KADM5_PASS_Q_GENERIC;
1050 krb5_set_error_message(context,
1052 "Not permitted to change password");
1054 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) &&
1056 switch (reject_reason) {
1057 case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT:
1058 code = KADM5_PASS_Q_TOOSHORT;
1059 krb5_set_error_message(context,
1061 "Password too short, password "
1062 "must be at least %d characters "
1064 dominfo->min_password_length);
1066 case SAM_PWD_CHANGE_NOT_COMPLEX:
1067 code = KADM5_PASS_Q_DICT;
1068 krb5_set_error_message(context,
1070 "Password does not meet "
1071 "complexity requirements");
1073 case SAM_PWD_CHANGE_PWD_IN_HISTORY:
1074 code = KADM5_PASS_TOOSOON;
1075 krb5_set_error_message(context,
1077 "Password is already in password "
1078 "history. New password must not "
1079 "match any of your %d previous "
1081 dominfo->password_history_length);
1084 code = KADM5_PASS_Q_GENERIC;
1085 krb5_set_error_message(context,
1087 "Password change rejected, "
1088 "password changes may not be "
1089 "permitted on this account, or "
1090 "the minimum password age may "
1091 "not have elapsed.");
1099 int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
1101 krb5_db_entry *db_entry)
1104 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1105 TALLOC_CTX *tmp_ctx;
1107 enum samPwdChangeReason reject_reason;
1108 struct samr_DomInfo1 *dominfo;
1109 const char *error_string = NULL;
1110 struct auth_user_info_dc *user_info_dc;
1111 struct samba_kdc_entry *p =
1112 talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
1113 krb5_error_code code = 0;
1115 #ifdef DEBUG_PASSWORD
1116 DEBUG(1,("mit_samba_kpasswd_change_password called with: %s\n", pwd));
1119 tmp_ctx = talloc_named(ctx, 0, "mit_samba_kpasswd_change_password");
1120 if (tmp_ctx == NULL) {
1124 status = authsam_make_user_info_dc(tmp_ctx,
1126 lpcfg_netbios_name(ctx->db_ctx->lp_ctx),
1127 lpcfg_sam_name(ctx->db_ctx->lp_ctx),
1128 lpcfg_sam_dnsname(ctx->db_ctx->lp_ctx),
1134 if (!NT_STATUS_IS_OK(status)) {
1135 DEBUG(1,("authsam_make_user_info_dc failed: %s\n",
1136 nt_errstr(status)));
1137 talloc_free(tmp_ctx);
1141 status = auth_generate_session_info(tmp_ctx,
1142 ctx->db_ctx->lp_ctx,
1145 0, /* session_info_flags */
1146 &ctx->session_info);
1148 if (!NT_STATUS_IS_OK(status)) {
1149 DEBUG(1,("auth_generate_session_info failed: %s\n",
1150 nt_errstr(status)));
1151 talloc_free(tmp_ctx);
1155 /* password is expected as UTF16 */
1157 if (!convert_string_talloc(tmp_ctx, CH_UTF8, CH_UTF16,
1159 &password.data, &password.length)) {
1160 DEBUG(1,("convert_string_talloc failed\n"));
1161 talloc_free(tmp_ctx);
1165 status = samdb_kpasswd_change_password(tmp_ctx,
1166 ctx->db_ctx->lp_ctx,
1167 ctx->db_ctx->ev_ctx,
1175 if (!NT_STATUS_IS_OK(status)) {
1176 DEBUG(1,("samdb_kpasswd_change_password failed: %s\n",
1177 nt_errstr(status)));
1178 code = KADM5_PASS_Q_GENERIC;
1179 krb5_set_error_message(ctx->context, code, "%s", error_string);
1183 if (!NT_STATUS_IS_OK(result)) {
1184 code = mit_samba_change_pwd_error(ctx->context,
1191 talloc_free(tmp_ctx);
1196 void mit_samba_zero_bad_password_count(krb5_db_entry *db_entry)
1198 struct netr_SendToSamBase *send_to_sam = NULL;
1199 struct samba_kdc_entry *p =
1200 talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
1201 struct ldb_dn *domain_dn;
1203 domain_dn = ldb_get_default_basedn(p->kdc_db_ctx->samdb);
1205 authsam_logon_success_accounting(p->kdc_db_ctx->samdb,
1210 /* TODO: RODC support */
1214 void mit_samba_update_bad_password_count(krb5_db_entry *db_entry)
1216 struct samba_kdc_entry *p =
1217 talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
1219 authsam_update_bad_pwd_count(p->kdc_db_ctx->samdb,
1221 ldb_get_default_basedn(p->kdc_db_ctx->samdb));
1224 bool mit_samba_princ_needs_pac(krb5_db_entry *db_entry)
1226 struct samba_kdc_entry *skdc_entry =
1227 talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
1229 return samba_princ_needs_pac(skdc_entry);