4 Copyright (c) 2010, Simo Sorce <idra@samba.org>
5 Copyright (c) 2014-2015 Guenther Deschner <gd@samba.org>
6 Copyright (c) 2014-2016 Andreas Schneider <asn@samba.org>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #define TEVENT_DEPRECATED 1
25 #include "param/param.h"
26 #include "dsdb/samdb/samdb.h"
27 #include "system/kerberos.h"
28 #include "lib/replace/system/filesys.h"
31 #include <kadm5/kadm_err.h>
33 #include "kdc/sdb_kdb.h"
34 #include "auth/kerberos/kerberos.h"
35 #include "auth/kerberos/pac_utils.h"
36 #include "kdc/samba_kdc.h"
37 #include "kdc/pac-glue.h"
38 #include "kdc/db-glue.h"
39 #include "auth/auth.h"
40 #include "kdc/kpasswd_glue.h"
41 #include "auth/auth_sam.h"
43 #include "mit_samba.h"
46 #define DBGC_CLASS DBGC_KERBEROS
48 void mit_samba_context_free(struct mit_samba_context *ctx)
50 /* free MIT's krb5_context */
52 krb5_free_context(ctx->context);
55 /* then free everything else */
60 * Implement a callback to log to the MIT KDC log facility
62 * http://web.mit.edu/kerberos/krb5-devel/doc/plugindev/general.html#logging-from-kdc-and-kadmind-plugin-modules
64 static void mit_samba_debug(void *private_ptr, int msg_level, const char *msg)
72 com_err("mitkdc", is_error, "%s", msg);
75 krb5_error_code mit_samba_context_init(struct mit_samba_context **_ctx)
78 struct mit_samba_context *ctx;
79 const char *s4_conf_file;
81 struct samba_kdc_base_context base_ctx;
83 ctx = talloc_zero(NULL, struct mit_samba_context);
89 base_ctx.ev_ctx = tevent_context_init(ctx);
90 if (!base_ctx.ev_ctx) {
94 tevent_loop_allow_nesting(base_ctx.ev_ctx);
95 base_ctx.lp_ctx = loadparm_init_global(false);
96 if (!base_ctx.lp_ctx) {
101 debug_set_callback(NULL, mit_samba_debug);
103 /* init s4 configuration */
104 s4_conf_file = lpcfg_configfile(base_ctx.lp_ctx);
105 if (s4_conf_file != NULL) {
106 char *p = talloc_strdup(ctx, s4_conf_file);
111 lpcfg_load(base_ctx.lp_ctx, p);
114 lpcfg_load_default(base_ctx.lp_ctx);
117 status = samba_kdc_setup_db_ctx(ctx, &base_ctx, &ctx->db_ctx);
118 if (!NT_STATUS_IS_OK(status)) {
123 /* init MIT's krb_context and log facilities */
124 ret = smb_krb5_init_context_basic(ctx,
135 mit_samba_context_free(ctx);
142 int mit_samba_generate_salt(krb5_data *salt)
149 salt->data = malloc(salt->length);
150 if (salt->data == NULL) {
154 generate_random_buffer((uint8_t *)salt->data, salt->length);
159 int mit_samba_generate_random_password(krb5_data *pwd)
164 const unsigned length = 24;
170 tmp_ctx = talloc_named(NULL,
172 "mit_samba_generate_random_password context");
173 if (tmp_ctx == NULL) {
177 password = generate_random_password(tmp_ctx, length, length);
178 if (password == NULL) {
179 talloc_free(tmp_ctx);
183 data = strdup(password);
184 talloc_free(tmp_ctx);
189 *pwd = smb_krb5_make_data(data, length);
194 krb5_error_code mit_samba_get_principal(struct mit_samba_context *ctx,
195 krb5_const_principal principal,
197 krb5_db_entry **_kentry)
199 struct sdb_entry sentry = {};
200 krb5_db_entry *kentry;
203 krb5_principal referral_principal = NULL;
205 kentry = calloc(1, sizeof(krb5_db_entry));
206 if (kentry == NULL) {
211 * The MIT KDC code that wants the canonical name in all lookups, and
212 * takes care to canonicalize only when appropriate.
214 sflags |= SDB_F_FORCE_CANON;
216 if (kflags & KRB5_KDB_FLAG_REFERRAL_OK) {
217 sflags |= SDB_F_CANON;
220 if (kflags & KRB5_KDB_FLAG_CLIENT) {
221 sflags |= SDB_F_GET_CLIENT;
222 sflags |= SDB_F_FOR_AS_REQ;
224 int equal = smb_krb5_principal_is_tgs(ctx->context, principal);
230 sflags |= SDB_F_GET_KRBTGT;
232 sflags |= SDB_F_GET_SERVER;
233 sflags |= SDB_F_FOR_TGS_REQ;
237 /* always set this or the created_by data will not be populated by samba's
238 * backend and we will fail to parse the entry later */
239 sflags |= SDB_F_ADMIN_DATA;
242 fetch_referral_principal:
243 ret = samba_kdc_fetch(ctx->context, ctx->db_ctx,
244 principal, sflags, 0, &sentry);
248 case SDB_ERR_NOENTRY:
249 ret = KRB5_KDB_NOENTRY;
251 case SDB_ERR_WRONG_REALM: {
252 char *dest_realm = NULL;
253 const char *our_realm = lpcfg_realm(ctx->db_ctx->lp_ctx);
255 if (sflags & SDB_F_FOR_AS_REQ) {
257 * If this is a request for a TGT, we are done. The KDC
258 * will return the correct error to the client.
264 if (referral_principal != NULL) {
265 sdb_entry_free(&sentry);
266 ret = KRB5_KDB_NOENTRY;
271 * We get a TGS request
273 * cifs/dc7.SAMBA2008R2.EXAMPLE.COM@ADDOM.SAMBA.EXAMPLE.COM
275 * to our DC for the realm
277 * ADDOM.SAMBA.EXAMPLE.COM
279 * We look up if we have and entry in the database and get an
280 * entry with the principal:
282 * cifs/dc7.SAMBA2008R2.EXAMPLE.COM@SAMBA2008R2.EXAMPLE.COM
284 * and the error: SDB_ERR_WRONG_REALM.
286 * In the case of a TGS-REQ we need to return a referral ticket
287 * for the next trust hop to the client. This ticket will have
288 * the following principal:
290 * krbtgt/SAMBA2008R2.EXAMPLE.COM@ADDOM.SAMBA.EXAMPLE.COM
292 * We just redo the lookup in the database with the referral
293 * principal and return success.
295 dest_realm = smb_krb5_principal_get_realm(
296 ctx, ctx->context, sentry.principal);
297 sdb_entry_free(&sentry);
298 if (dest_realm == NULL) {
299 ret = KRB5_KDB_NOENTRY;
303 ret = smb_krb5_make_principal(ctx->context,
309 TALLOC_FREE(dest_realm);
314 principal = referral_principal;
315 goto fetch_referral_principal;
317 case SDB_ERR_NOT_FOUND_HERE:
318 /* FIXME: RODC support */
323 ret = sdb_entry_to_krb5_db_entry(ctx->context, &sentry, kentry);
325 sdb_entry_free(&sentry);
328 krb5_free_principal(ctx->context, referral_principal);
329 referral_principal = NULL;
339 krb5_error_code mit_samba_get_firstkey(struct mit_samba_context *ctx,
340 krb5_db_entry **_kentry)
342 struct sdb_entry sentry = {};
343 krb5_db_entry *kentry;
346 kentry = malloc(sizeof(krb5_db_entry));
347 if (kentry == NULL) {
351 ret = samba_kdc_firstkey(ctx->context, ctx->db_ctx, &sentry);
355 case SDB_ERR_NOENTRY:
357 return KRB5_KDB_NOENTRY;
358 case SDB_ERR_NOT_FOUND_HERE:
359 /* FIXME: RODC support */
365 ret = sdb_entry_to_krb5_db_entry(ctx->context, &sentry, kentry);
367 sdb_entry_free(&sentry);
377 krb5_error_code mit_samba_get_nextkey(struct mit_samba_context *ctx,
378 krb5_db_entry **_kentry)
380 struct sdb_entry sentry = {};
381 krb5_db_entry *kentry;
384 kentry = malloc(sizeof(krb5_db_entry));
385 if (kentry == NULL) {
389 ret = samba_kdc_nextkey(ctx->context, ctx->db_ctx, &sentry);
393 case SDB_ERR_NOENTRY:
395 return KRB5_KDB_NOENTRY;
396 case SDB_ERR_NOT_FOUND_HERE:
397 /* FIXME: RODC support */
403 ret = sdb_entry_to_krb5_db_entry(ctx->context, &sentry, kentry);
405 sdb_entry_free(&sentry);
415 krb5_error_code mit_samba_get_pac(struct mit_samba_context *smb_ctx,
416 krb5_context context,
418 krb5_db_entry *client,
419 krb5_db_entry *server,
420 krb5_keyblock *replaced_reply_key,
424 struct auth_user_info_dc *user_info_dc = NULL;
425 DATA_BLOB *logon_info_blob = NULL;
426 DATA_BLOB *upn_dns_info_blob = NULL;
427 DATA_BLOB *cred_ndr = NULL;
428 DATA_BLOB **cred_ndr_ptr = NULL;
429 DATA_BLOB cred_blob = data_blob_null;
430 DATA_BLOB *pcred_blob = NULL;
431 DATA_BLOB *pac_attrs_blob = NULL;
432 DATA_BLOB *requester_sid_blob = NULL;
433 const DATA_BLOB *client_claims_blob = NULL;
435 krb5_error_code code;
436 struct samba_kdc_entry *skdc_entry;
437 struct samba_kdc_entry *server_entry = NULL;
439 /* Only include resource groups in a service ticket. */
440 enum auth_group_inclusion group_inclusion;
441 enum samba_asserted_identity asserted_identity =
442 (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ?
443 SAMBA_ASSERTED_IDENTITY_SERVICE :
444 SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY;
446 if (client == NULL) {
449 skdc_entry = talloc_get_type_abort(client->e_data,
450 struct samba_kdc_entry);
452 if (server == NULL) {
456 int result = smb_krb5_principal_is_tgs(smb_ctx->context, server->princ);
463 server_entry = talloc_get_type_abort(server->e_data,
464 struct samba_kdc_entry);
466 /* Only include resource groups in a service ticket. */
468 group_inclusion = AUTH_EXCLUDE_RESOURCE_GROUPS;
469 } else if (server_entry->supported_enctypes & KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED) {
470 group_inclusion = AUTH_INCLUDE_RESOURCE_GROUPS;
472 group_inclusion = AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED;
475 tmp_ctx = talloc_named(smb_ctx,
477 "mit_samba_get_pac context");
478 if (tmp_ctx == NULL) {
482 /* Check if we have a PREAUTH key */
483 if (replaced_reply_key != NULL) {
484 cred_ndr_ptr = &cred_ndr;
487 nt_status = samba_kdc_get_user_info_dc(tmp_ctx,
490 SAMBA_CLAIMS_VALID_EXCLUDE,
492 if (!NT_STATUS_IS_OK(nt_status)) {
493 talloc_free(tmp_ctx);
494 if (NT_STATUS_EQUAL(nt_status,
495 NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
501 nt_status = samba_kdc_add_claims_valid(SAMBA_CLAIMS_VALID_INCLUDE,
503 if (!NT_STATUS_IS_OK(nt_status)) {
504 DBG_ERR("Failed to add Claims Valid: %s\n",
505 nt_errstr(nt_status));
506 talloc_free(tmp_ctx);
510 nt_status = samba_kdc_get_logon_info_blob(tmp_ctx,
514 if (!NT_STATUS_IS_OK(nt_status)) {
515 talloc_free(tmp_ctx);
519 if (cred_ndr_ptr != NULL) {
520 nt_status = samba_kdc_get_cred_ndr_blob(tmp_ctx,
523 if (!NT_STATUS_IS_OK(nt_status)) {
524 talloc_free(tmp_ctx);
529 nt_status = samba_kdc_get_upn_info_blob(tmp_ctx,
532 if (!NT_STATUS_IS_OK(nt_status)) {
533 talloc_free(tmp_ctx);
538 nt_status = samba_kdc_get_pac_attrs_blob(tmp_ctx,
539 PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY,
541 if (!NT_STATUS_IS_OK(nt_status)) {
542 talloc_free(tmp_ctx);
546 nt_status = samba_kdc_get_requester_sid_blob(tmp_ctx,
548 &requester_sid_blob);
549 if (!NT_STATUS_IS_OK(nt_status)) {
550 talloc_free(tmp_ctx);
555 nt_status = samba_kdc_get_claims_blob(tmp_ctx,
557 &client_claims_blob);
558 if (!NT_STATUS_IS_OK(nt_status)) {
559 talloc_free(tmp_ctx);
563 if (replaced_reply_key != NULL && cred_ndr != NULL) {
564 code = samba_kdc_encrypt_pac_credentials(context,
570 talloc_free(tmp_ctx);
573 pcred_blob = &cred_blob;
576 code = samba_make_krb5_pac(context,
582 NULL /* deleg_blob */,
584 NULL /* device_info_blob */,
585 NULL /* device_claims_blob */,
588 talloc_free(tmp_ctx);
592 krb5_error_code mit_samba_update_pac(struct mit_samba_context *ctx,
593 krb5_context context,
595 krb5_db_entry *client,
596 krb5_db_entry *server,
597 krb5_db_entry *krbtgt,
601 TALLOC_CTX *tmp_ctx = NULL;
602 krb5_error_code code;
603 struct samba_kdc_entry *client_skdc_entry = NULL;
604 struct samba_kdc_entry *server_skdc_entry = NULL;
605 struct samba_kdc_entry *krbtgt_skdc_entry = NULL;
606 bool is_in_db = false;
607 bool is_trusted = false;
610 /* Create a memory context early so code can use talloc_stackframe() */
611 tmp_ctx = talloc_named(ctx, 0, "mit_samba_update_pac context");
612 if (tmp_ctx == NULL) {
616 if (client != NULL) {
618 talloc_get_type_abort(client->e_data,
619 struct samba_kdc_entry);
622 if (krbtgt == NULL) {
627 talloc_get_type_abort(krbtgt->e_data,
628 struct samba_kdc_entry);
630 if (server == NULL) {
635 talloc_get_type_abort(server->e_data,
636 struct samba_kdc_entry);
639 * If the krbtgt was generated by an RODC, and we are not that
640 * RODC, then we need to regenerate the PAC - we can't trust
641 * it, and confirm that the RODC was permitted to print this ticket
643 * Because of the samba_kdc_validate_pac_blob() step we can be
644 * sure that the record in 'client' or 'server' matches the SID in the
647 code = samba_krbtgt_is_in_db(krbtgt_skdc_entry,
655 flags |= SAMBA_KDC_FLAG_KRBTGT_IS_TRUSTED;
658 if (kdc_flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
659 flags |= SAMBA_KDC_FLAG_PROTOCOL_TRANSITION;
662 if (kdc_flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
663 flags |= SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION;
666 code = samba_kdc_verify_pac(tmp_ctx,
672 NULL /* device_pac */,
678 code = samba_kdc_update_pac(tmp_ctx,
680 krbtgt_skdc_entry->kdc_db_ctx->samdb,
681 krbtgt_skdc_entry->kdc_db_ctx->lp_ctx,
687 NULL /* delegated_proxy_principal */,
688 NULL /* delegated_proxy */,
689 NULL /* delegated_proxy_pac */,
690 NULL /* device_krbtgt */,
692 NULL /* device_pac */,
695 NULL /* server_audit_info_out */,
696 NULL /* status_out */);
698 if (code == ENOATTR) {
700 * We can't tell the KDC to not issue a PAC. It will
701 * just return the newly allocated empty PAC.
708 talloc_free(tmp_ctx);
712 /* provide header, function is exported but there are no public headers */
714 krb5_error_code encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data **code);
716 /* this function allocates 'data' using malloc.
717 * The caller is responsible for freeing it */
718 static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data)
720 krb5_error_code ret = 0;
721 krb5_pa_data pa, *ppa[2];
730 pa.magic = KV5M_PA_DATA;
731 pa.pa_type = KRB5_PADATA_PW_SALT /* KERB_ERR_TYPE_EXTENDED */;
733 pa.contents = malloc(pa.length);
738 SIVAL(pa.contents, 0, NT_STATUS_V(nt_status));
739 SIVAL(pa.contents, 4, 0);
740 SIVAL(pa.contents, 8, 1);
745 ret = encode_krb5_padata_sequence(ppa, &d);
751 e_data->data = (uint8_t *)d->data;
752 e_data->length = d->length;
754 /* free d, not d->data - gd */
760 krb5_error_code mit_samba_check_client_access(struct mit_samba_context *ctx,
761 krb5_db_entry *client,
762 const char *client_name,
763 krb5_db_entry *server,
764 const char *server_name,
765 const char *netbios_name,
766 bool password_change,
769 struct samba_kdc_entry *skdc_entry;
772 skdc_entry = talloc_get_type(client->e_data, struct samba_kdc_entry);
774 nt_status = samba_kdc_check_client_access(skdc_entry,
779 if (!NT_STATUS_IS_OK(nt_status)) {
780 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
784 samba_kdc_build_edata_reply(nt_status, e_data);
786 return samba_kdc_map_policy_err(nt_status);
792 krb5_error_code mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
793 const krb5_db_entry *server,
794 krb5_const_principal target_principal)
796 struct samba_kdc_entry *server_skdc_entry =
797 talloc_get_type_abort(server->e_data, struct samba_kdc_entry);
798 krb5_error_code code;
800 code = samba_kdc_check_s4u2proxy(ctx->context,
808 krb5_error_code mit_samba_check_allowed_to_delegate_from(
809 struct mit_samba_context *ctx,
810 krb5_const_principal client_principal,
811 krb5_const_principal server_principal,
813 const krb5_db_entry *proxy)
815 struct samba_kdc_entry *proxy_skdc_entry =
816 talloc_get_type_abort(proxy->e_data, struct samba_kdc_entry);
817 krb5_error_code code;
819 code = samba_kdc_check_s4u2proxy_rbcd(ctx->context,
829 static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
831 enum samPwdChangeReason reject_reason,
832 struct samr_DomInfo1 *dominfo)
834 krb5_error_code code = KADM5_PASS_Q_GENERIC;
836 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
837 code = KADM5_BAD_PRINCIPAL;
838 krb5_set_error_message(context,
840 "No such user when changing password");
842 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
843 code = KADM5_PASS_Q_GENERIC;
844 krb5_set_error_message(context,
846 "Not permitted to change password");
848 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) &&
850 switch (reject_reason) {
851 case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT:
852 code = KADM5_PASS_Q_TOOSHORT;
853 krb5_set_error_message(context,
855 "Password too short, password "
856 "must be at least %d characters "
858 dominfo->min_password_length);
860 case SAM_PWD_CHANGE_NOT_COMPLEX:
861 code = KADM5_PASS_Q_DICT;
862 krb5_set_error_message(context,
864 "Password does not meet "
865 "complexity requirements");
867 case SAM_PWD_CHANGE_PWD_IN_HISTORY:
868 code = KADM5_PASS_TOOSOON;
869 krb5_set_error_message(context,
871 "Password is already in password "
872 "history. New password must not "
873 "match any of your %d previous "
875 dominfo->password_history_length);
878 code = KADM5_PASS_Q_GENERIC;
879 krb5_set_error_message(context,
881 "Password change rejected, "
882 "password changes may not be "
883 "permitted on this account, or "
884 "the minimum password age may "
885 "not have elapsed.");
893 krb5_error_code mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
895 krb5_db_entry *db_entry)
898 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
901 enum samPwdChangeReason reject_reason;
902 struct samr_DomInfo1 *dominfo;
903 const char *error_string = NULL;
904 const struct auth_user_info_dc *user_info_dc = NULL;
905 struct samba_kdc_entry *p =
906 talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
907 krb5_error_code code = 0;
909 #ifdef DEBUG_PASSWORD
910 DBG_WARNING("mit_samba_kpasswd_change_password called with: %s\n", pwd);
913 tmp_ctx = talloc_named(ctx, 0, "mit_samba_kpasswd_change_password");
914 if (tmp_ctx == NULL) {
918 status = samba_kdc_get_user_info_from_db(p,
921 if (!NT_STATUS_IS_OK(status)) {
922 DBG_WARNING("samba_kdc_get_user_info_from_db failed: %s\n",
928 status = auth_generate_session_info(tmp_ctx,
932 0, /* session_info_flags */
935 if (!NT_STATUS_IS_OK(status)) {
936 DBG_WARNING("auth_generate_session_info failed: %s\n",
942 /* password is expected as UTF16 */
944 if (!convert_string_talloc(tmp_ctx, CH_UTF8, CH_UTF16,
946 &password.data, &password.length)) {
947 DBG_WARNING("convert_string_talloc failed\n");
952 status = samdb_kpasswd_change_password(tmp_ctx,
961 if (!NT_STATUS_IS_OK(status)) {
962 DBG_WARNING("samdb_kpasswd_change_password failed: %s\n",
964 code = KADM5_PASS_Q_GENERIC;
965 krb5_set_error_message(ctx->context, code, "%s", error_string);
969 if (!NT_STATUS_IS_OK(result)) {
970 code = mit_samba_change_pwd_error(ctx->context,
977 talloc_free(tmp_ctx);
982 void mit_samba_zero_bad_password_count(krb5_db_entry *db_entry)
984 /* struct netr_SendToSamBase *send_to_sam = NULL; */
985 struct samba_kdc_entry *p =
986 talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
987 struct ldb_dn *domain_dn;
989 domain_dn = ldb_get_default_basedn(p->kdc_db_ctx->samdb);
991 authsam_logon_success_accounting(p->kdc_db_ctx->samdb,
996 /* TODO: RODC support */
1000 void mit_samba_update_bad_password_count(krb5_db_entry *db_entry)
1002 struct samba_kdc_entry *p =
1003 talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
1005 authsam_update_bad_pwd_count(p->kdc_db_ctx->samdb,
1007 ldb_get_default_basedn(p->kdc_db_ctx->samdb));
1010 bool mit_samba_princ_needs_pac(krb5_db_entry *db_entry)
1012 struct samba_kdc_entry *skdc_entry =
1013 talloc_get_type_abort(db_entry->e_data, struct samba_kdc_entry);
1015 return samba_princ_needs_pac(skdc_entry);