2 Unix SMB/CIFS implementation.
4 PAC Glue between Samba and the KDC
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
7 Copyright (C) Simo Sorce <idra@samba.org> 2010
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "lib/replace/replace.h"
25 #include "lib/replace/system/kerberos.h"
26 #include "lib/util/debug.h"
27 #include "lib/util/samba_util.h"
28 #include "lib/util/talloc_stack.h"
30 #include "auth/auth_sam_reply.h"
31 #include "auth/kerberos/kerberos.h"
32 #include "auth/kerberos/pac_utils.h"
33 #include "libcli/security/security.h"
34 #include "libds/common/flags.h"
35 #include "librpc/gen_ndr/ndr_krb5pac.h"
36 #include "param/param.h"
37 #include "source4/auth/auth.h"
38 #include "source4/dsdb/common/util.h"
39 #include "source4/dsdb/samdb/samdb.h"
40 #include "source4/kdc/samba_kdc.h"
41 #include "source4/kdc/pac-glue.h"
46 #define DBGC_CLASS DBGC_KERBEROS
49 NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx,
50 const struct auth_user_info_dc *info,
52 DATA_BLOB *requester_sid_blob)
54 struct netr_SamInfo3 *info3;
55 union PAC_INFO pac_info;
56 enum ndr_err_code ndr_err;
59 ZERO_STRUCT(pac_info);
61 *pac_data = data_blob_null;
62 if (requester_sid_blob != NULL) {
63 *requester_sid_blob = data_blob_null;
66 nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx, info, &info3);
67 if (!NT_STATUS_IS_OK(nt_status)) {
68 DEBUG(1, ("Getting Samba info failed: %s\n",
69 nt_errstr(nt_status)));
73 pac_info.logon_info.info = talloc_zero(mem_ctx, struct PAC_LOGON_INFO);
74 if (!pac_info.logon_info.info) {
75 return NT_STATUS_NO_MEMORY;
78 pac_info.logon_info.info->info3 = *info3;
80 ndr_err = ndr_push_union_blob(pac_data, mem_ctx, &pac_info,
82 (ndr_push_flags_fn_t)ndr_push_PAC_INFO);
83 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
84 nt_status = ndr_map_error2ntstatus(ndr_err);
85 DEBUG(1, ("PAC_LOGON_INFO (presig) push failed: %s\n",
86 nt_errstr(nt_status)));
90 if (requester_sid_blob != NULL && info->num_sids > 0) {
91 union PAC_INFO pac_requester_sid;
93 ZERO_STRUCT(pac_requester_sid);
95 pac_requester_sid.requester_sid.sid = info->sids[0];
97 ndr_err = ndr_push_union_blob(requester_sid_blob, mem_ctx,
99 PAC_TYPE_REQUESTER_SID,
100 (ndr_push_flags_fn_t)ndr_push_PAC_INFO);
101 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
102 nt_status = ndr_map_error2ntstatus(ndr_err);
103 DEBUG(1, ("PAC_REQUESTER_SID (presig) push failed: %s\n",
104 nt_errstr(nt_status)));
113 NTSTATUS samba_get_upn_info_pac_blob(TALLOC_CTX *mem_ctx,
114 const struct auth_user_info_dc *info,
117 union PAC_INFO pac_upn;
118 enum ndr_err_code ndr_err;
122 ZERO_STRUCT(pac_upn);
124 *upn_data = data_blob_null;
126 pac_upn.upn_dns_info.upn_name = info->info->user_principal_name;
127 pac_upn.upn_dns_info.dns_domain_name = strupper_talloc(mem_ctx,
128 info->info->dns_domain_name);
129 if (pac_upn.upn_dns_info.dns_domain_name == NULL) {
130 return NT_STATUS_NO_MEMORY;
132 if (info->info->user_principal_constructed) {
133 pac_upn.upn_dns_info.flags |= PAC_UPN_DNS_FLAG_CONSTRUCTED;
136 pac_upn.upn_dns_info.flags |= PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID;
138 pac_upn.upn_dns_info.ex.sam_name_and_sid.samaccountname
139 = info->info->account_name;
141 pac_upn.upn_dns_info.ex.sam_name_and_sid.objectsid
144 ndr_err = ndr_push_union_blob(upn_data, mem_ctx, &pac_upn,
145 PAC_TYPE_UPN_DNS_INFO,
146 (ndr_push_flags_fn_t)ndr_push_PAC_INFO);
147 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
148 nt_status = ndr_map_error2ntstatus(ndr_err);
149 DEBUG(1, ("PAC UPN_DNS_INFO (presig) push failed: %s\n",
150 nt_errstr(nt_status)));
154 ok = data_blob_pad(mem_ctx, upn_data, 8);
156 return NT_STATUS_NO_MEMORY;
163 NTSTATUS samba_get_pac_attrs_blob(TALLOC_CTX *mem_ctx,
164 uint64_t pac_attributes,
165 DATA_BLOB *pac_attrs_data)
167 union PAC_INFO pac_attrs;
168 enum ndr_err_code ndr_err;
171 ZERO_STRUCT(pac_attrs);
173 *pac_attrs_data = data_blob_null;
175 /* Set the length of the flags in bits. */
176 pac_attrs.attributes_info.flags_length = 2;
177 pac_attrs.attributes_info.flags = pac_attributes;
179 ndr_err = ndr_push_union_blob(pac_attrs_data, mem_ctx, &pac_attrs,
180 PAC_TYPE_ATTRIBUTES_INFO,
181 (ndr_push_flags_fn_t)ndr_push_PAC_INFO);
182 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
183 nt_status = ndr_map_error2ntstatus(ndr_err);
184 DEBUG(1, ("PAC ATTRIBUTES_INFO (presig) push failed: %s\n",
185 nt_errstr(nt_status)));
193 NTSTATUS samba_get_cred_info_ndr_blob(TALLOC_CTX *mem_ctx,
194 const struct ldb_message *msg,
195 DATA_BLOB *cred_blob)
197 enum ndr_err_code ndr_err;
199 struct samr_Password *lm_hash = NULL;
200 struct samr_Password *nt_hash = NULL;
201 struct PAC_CREDENTIAL_NTLM_SECPKG ntlm_secpkg = {
204 DATA_BLOB ntlm_blob = data_blob_null;
205 struct PAC_CREDENTIAL_SUPPLEMENTAL_SECPKG secpkgs[1] = {{
206 .credential_size = 0,
208 struct PAC_CREDENTIAL_DATA cred_data = {
209 .credential_count = 0,
211 struct PAC_CREDENTIAL_DATA_NDR cred_ndr;
213 ZERO_STRUCT(cred_ndr);
215 *cred_blob = data_blob_null;
217 lm_hash = samdb_result_hash(mem_ctx, msg, "dBCSPwd");
218 if (lm_hash != NULL) {
219 bool zero = all_zero(lm_hash->hash, 16);
224 if (lm_hash != NULL) {
225 DEBUG(5, ("Passing LM password hash through credentials set\n"));
226 ntlm_secpkg.flags |= PAC_CREDENTIAL_NTLM_HAS_LM_HASH;
227 ntlm_secpkg.lm_password = *lm_hash;
228 ZERO_STRUCTP(lm_hash);
229 TALLOC_FREE(lm_hash);
232 nt_hash = samdb_result_hash(mem_ctx, msg, "unicodePwd");
233 if (nt_hash != NULL) {
234 bool zero = all_zero(nt_hash->hash, 16);
239 if (nt_hash != NULL) {
240 DEBUG(5, ("Passing LM password hash through credentials set\n"));
241 ntlm_secpkg.flags |= PAC_CREDENTIAL_NTLM_HAS_NT_HASH;
242 ntlm_secpkg.nt_password = *nt_hash;
243 ZERO_STRUCTP(nt_hash);
244 TALLOC_FREE(nt_hash);
247 if (ntlm_secpkg.flags == 0) {
251 #ifdef DEBUG_PASSWORD
253 NDR_PRINT_DEBUG(PAC_CREDENTIAL_NTLM_SECPKG, &ntlm_secpkg);
257 ndr_err = ndr_push_struct_blob(&ntlm_blob, mem_ctx, &ntlm_secpkg,
258 (ndr_push_flags_fn_t)ndr_push_PAC_CREDENTIAL_NTLM_SECPKG);
259 ZERO_STRUCT(ntlm_secpkg);
260 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
261 nt_status = ndr_map_error2ntstatus(ndr_err);
262 DEBUG(1, ("PAC_CREDENTIAL_NTLM_SECPKG (presig) push failed: %s\n",
263 nt_errstr(nt_status)));
267 DEBUG(10, ("NTLM credential BLOB (len %zu) for user\n",
269 dump_data_pw("PAC_CREDENTIAL_NTLM_SECPKG",
270 ntlm_blob.data, ntlm_blob.length);
272 secpkgs[0].package_name.string = discard_const_p(char, "NTLM");
273 secpkgs[0].credential_size = ntlm_blob.length;
274 secpkgs[0].credential = ntlm_blob.data;
276 cred_data.credential_count = ARRAY_SIZE(secpkgs);
277 cred_data.credentials = secpkgs;
279 #ifdef DEBUG_PASSWORD
281 NDR_PRINT_DEBUG(PAC_CREDENTIAL_DATA, &cred_data);
285 cred_ndr.ctr.data = &cred_data;
287 #ifdef DEBUG_PASSWORD
289 NDR_PRINT_DEBUG(PAC_CREDENTIAL_DATA_NDR, &cred_ndr);
293 ndr_err = ndr_push_struct_blob(cred_blob, mem_ctx, &cred_ndr,
294 (ndr_push_flags_fn_t)ndr_push_PAC_CREDENTIAL_DATA_NDR);
295 data_blob_clear(&ntlm_blob);
296 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
297 nt_status = ndr_map_error2ntstatus(ndr_err);
298 DEBUG(1, ("PAC_CREDENTIAL_DATA_NDR (presig) push failed: %s\n",
299 nt_errstr(nt_status)));
303 DEBUG(10, ("Created credential BLOB (len %zu) for user\n",
305 dump_data_pw("PAC_CREDENTIAL_DATA_NDR",
306 cred_blob->data, cred_blob->length);
311 #ifdef SAMBA4_USES_HEIMDAL
312 krb5_error_code samba_kdc_encrypt_pac_credentials(krb5_context context,
313 const krb5_keyblock *pkreplykey,
314 const DATA_BLOB *cred_ndr_blob,
316 DATA_BLOB *cred_info_blob)
318 krb5_crypto cred_crypto;
319 krb5_enctype cred_enctype;
320 krb5_data cred_ndr_crypt;
321 struct PAC_CREDENTIAL_INFO pac_cred_info = { .version = 0, };
324 enum ndr_err_code ndr_err;
327 *cred_info_blob = data_blob_null;
329 ret = krb5_crypto_init(context, pkreplykey, ETYPE_NULL,
332 krb5err = krb5_get_error_message(context, ret);
333 DEBUG(1, ("Failed initializing cred data crypto: %s\n", krb5err));
334 krb5_free_error_message(context, krb5err);
338 ret = krb5_crypto_getenctype(context, cred_crypto, &cred_enctype);
340 DEBUG(1, ("Failed getting crypto type for key\n"));
341 krb5_crypto_destroy(context, cred_crypto);
345 DEBUG(10, ("Plain cred_ndr_blob (len %zu)\n",
346 cred_ndr_blob->length));
347 dump_data_pw("PAC_CREDENTIAL_DATA_NDR",
348 cred_ndr_blob->data, cred_ndr_blob->length);
350 ret = krb5_encrypt(context, cred_crypto,
351 KRB5_KU_OTHER_ENCRYPTED,
352 cred_ndr_blob->data, cred_ndr_blob->length,
354 krb5_crypto_destroy(context, cred_crypto);
356 krb5err = krb5_get_error_message(context, ret);
357 DEBUG(1, ("Failed crypt of cred data: %s\n", krb5err));
358 krb5_free_error_message(context, krb5err);
362 pac_cred_info.encryption_type = cred_enctype;
363 pac_cred_info.encrypted_data.length = cred_ndr_crypt.length;
364 pac_cred_info.encrypted_data.data = (uint8_t *)cred_ndr_crypt.data;
367 NDR_PRINT_DEBUG(PAC_CREDENTIAL_INFO, &pac_cred_info);
370 ndr_err = ndr_push_struct_blob(cred_info_blob, mem_ctx, &pac_cred_info,
371 (ndr_push_flags_fn_t)ndr_push_PAC_CREDENTIAL_INFO);
372 krb5_data_free(&cred_ndr_crypt);
373 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
374 nt_status = ndr_map_error2ntstatus(ndr_err);
375 DEBUG(1, ("PAC_CREDENTIAL_INFO (presig) push failed: %s\n",
376 nt_errstr(nt_status)));
377 return KRB5KDC_ERR_SVC_UNAVAILABLE;
380 DEBUG(10, ("Encrypted credential BLOB (len %zu) with alg %d\n",
381 cred_info_blob->length, (int)pac_cred_info.encryption_type));
382 dump_data_pw("PAC_CREDENTIAL_INFO",
383 cred_info_blob->data, cred_info_blob->length);
387 #else /* SAMBA4_USES_HEIMDAL */
388 krb5_error_code samba_kdc_encrypt_pac_credentials(krb5_context context,
389 const krb5_keyblock *pkreplykey,
390 const DATA_BLOB *cred_ndr_blob,
392 DATA_BLOB *cred_info_blob)
395 krb5_enctype cred_enctype;
396 struct PAC_CREDENTIAL_INFO pac_cred_info = { .version = 0, };
397 krb5_error_code code;
399 enum ndr_err_code ndr_err;
401 krb5_data cred_ndr_data;
402 krb5_enc_data cred_ndr_crypt;
405 *cred_info_blob = data_blob_null;
407 code = krb5_k_create_key(context,
411 krb5err = krb5_get_error_message(context, code);
412 DEBUG(1, ("Failed initializing cred data crypto: %s\n", krb5err));
413 krb5_free_error_message(context, krb5err);
417 cred_enctype = krb5_k_key_enctype(context, cred_key);
419 DEBUG(10, ("Plain cred_ndr_blob (len %zu)\n",
420 cred_ndr_blob->length));
421 dump_data_pw("PAC_CREDENTIAL_DATA_NDR",
422 cred_ndr_blob->data, cred_ndr_blob->length);
424 pac_cred_info.encryption_type = cred_enctype;
426 cred_ndr_data.magic = 0;
427 cred_ndr_data.data = (char *)cred_ndr_blob->data;
428 cred_ndr_data.length = cred_ndr_blob->length;
430 code = krb5_c_encrypt_length(context,
432 cred_ndr_data.length,
435 krb5err = krb5_get_error_message(context, code);
436 DEBUG(1, ("Failed initializing cred data crypto: %s\n", krb5err));
437 krb5_free_error_message(context, krb5err);
441 pac_cred_info.encrypted_data = data_blob_talloc_zero(mem_ctx, enc_len);
442 if (pac_cred_info.encrypted_data.data == NULL) {
443 DBG_ERR("Out of memory\n");
447 cred_ndr_crypt.ciphertext.length = enc_len;
448 cred_ndr_crypt.ciphertext.data = (char *)pac_cred_info.encrypted_data.data;
450 code = krb5_k_encrypt(context,
452 KRB5_KU_OTHER_ENCRYPTED,
456 krb5_k_free_key(context, cred_key);
458 krb5err = krb5_get_error_message(context, code);
459 DEBUG(1, ("Failed crypt of cred data: %s\n", krb5err));
460 krb5_free_error_message(context, krb5err);
465 NDR_PRINT_DEBUG(PAC_CREDENTIAL_INFO, &pac_cred_info);
468 ndr_err = ndr_push_struct_blob(cred_info_blob, mem_ctx, &pac_cred_info,
469 (ndr_push_flags_fn_t)ndr_push_PAC_CREDENTIAL_INFO);
470 TALLOC_FREE(pac_cred_info.encrypted_data.data);
471 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
472 nt_status = ndr_map_error2ntstatus(ndr_err);
473 DEBUG(1, ("PAC_CREDENTIAL_INFO (presig) push failed: %s\n",
474 nt_errstr(nt_status)));
475 return KRB5KDC_ERR_SVC_UNAVAILABLE;
478 DEBUG(10, ("Encrypted credential BLOB (len %zu) with alg %d\n",
479 cred_info_blob->length, (int)pac_cred_info.encryption_type));
480 dump_data_pw("PAC_CREDENTIAL_INFO",
481 cred_info_blob->data, cred_info_blob->length);
485 #endif /* SAMBA4_USES_HEIMDAL */
489 * @brief Create a PAC with the given blobs (logon, credentials, upn and
492 * @param[in] context The KRB5 context to use.
494 * @param[in] logon_blob Fill the logon info PAC buffer with the given blob,
495 * use NULL to ignore it.
497 * @param[in] cred_blob Fill the credentials info PAC buffer with the given
498 * blob, use NULL to ignore it.
500 * @param[in] upn_blob Fill the UPN info PAC buffer with the given blob, use
503 * @param[in] deleg_blob Fill the delegation info PAC buffer with the given
504 * blob, use NULL to ignore it.
506 * @param[in] pac The pac buffer to fill. This should be allocated with
507 * krb5_pac_init() already.
509 * @returns 0 on success or a corresponding KRB5 error.
511 krb5_error_code samba_make_krb5_pac(krb5_context context,
512 const DATA_BLOB *logon_blob,
513 const DATA_BLOB *cred_blob,
514 const DATA_BLOB *upn_blob,
515 const DATA_BLOB *pac_attrs_blob,
516 const DATA_BLOB *requester_sid_blob,
517 const DATA_BLOB *deleg_blob,
520 krb5_data logon_data;
523 krb5_data pac_attrs_data;
524 krb5_data requester_sid_data;
525 krb5_data deleg_data;
527 #ifdef SAMBA4_USES_HEIMDAL
528 char null_byte = '\0';
529 krb5_data null_data = {
535 /* The user account may be set not to want the PAC */
536 if (logon_blob == NULL) {
540 ret = smb_krb5_copy_data_contents(&logon_data,
547 ZERO_STRUCT(cred_data);
548 if (cred_blob != NULL) {
549 ret = smb_krb5_copy_data_contents(&cred_data,
553 smb_krb5_free_data_contents(context, &logon_data);
558 ZERO_STRUCT(upn_data);
559 if (upn_blob != NULL) {
560 ret = smb_krb5_copy_data_contents(&upn_data,
564 smb_krb5_free_data_contents(context, &logon_data);
565 smb_krb5_free_data_contents(context, &cred_data);
570 ZERO_STRUCT(pac_attrs_data);
571 if (pac_attrs_blob != NULL) {
572 ret = smb_krb5_copy_data_contents(&pac_attrs_data,
573 pac_attrs_blob->data,
574 pac_attrs_blob->length);
576 smb_krb5_free_data_contents(context, &logon_data);
577 smb_krb5_free_data_contents(context, &cred_data);
578 smb_krb5_free_data_contents(context, &upn_data);
583 ZERO_STRUCT(requester_sid_data);
584 if (requester_sid_blob != NULL) {
585 ret = smb_krb5_copy_data_contents(&requester_sid_data,
586 requester_sid_blob->data,
587 requester_sid_blob->length);
589 smb_krb5_free_data_contents(context, &logon_data);
590 smb_krb5_free_data_contents(context, &cred_data);
591 smb_krb5_free_data_contents(context, &upn_data);
592 smb_krb5_free_data_contents(context, &pac_attrs_data);
597 ZERO_STRUCT(deleg_data);
598 if (deleg_blob != NULL) {
599 ret = smb_krb5_copy_data_contents(&deleg_data,
603 smb_krb5_free_data_contents(context, &logon_data);
604 smb_krb5_free_data_contents(context, &cred_data);
605 smb_krb5_free_data_contents(context, &upn_data);
606 smb_krb5_free_data_contents(context, &pac_attrs_data);
607 smb_krb5_free_data_contents(context, &requester_sid_data);
612 ret = krb5_pac_add_buffer(context, pac, PAC_TYPE_LOGON_INFO, &logon_data);
613 smb_krb5_free_data_contents(context, &logon_data);
615 smb_krb5_free_data_contents(context, &cred_data);
616 smb_krb5_free_data_contents(context, &upn_data);
617 smb_krb5_free_data_contents(context, &pac_attrs_data);
618 smb_krb5_free_data_contents(context, &requester_sid_data);
619 smb_krb5_free_data_contents(context, &deleg_data);
623 if (cred_blob != NULL) {
624 ret = krb5_pac_add_buffer(context, pac,
625 PAC_TYPE_CREDENTIAL_INFO,
627 smb_krb5_free_data_contents(context, &cred_data);
629 smb_krb5_free_data_contents(context, &upn_data);
630 smb_krb5_free_data_contents(context, &pac_attrs_data);
631 smb_krb5_free_data_contents(context, &requester_sid_data);
632 smb_krb5_free_data_contents(context, &deleg_data);
637 #ifdef SAMBA4_USES_HEIMDAL
639 * null_data will be filled by the generic KDC code in the caller
640 * here we just add it in order to have it before
641 * PAC_TYPE_UPN_DNS_INFO
643 * Not needed with MIT Kerberos - asn
645 ret = krb5_pac_add_buffer(context, pac,
649 smb_krb5_free_data_contents(context, &upn_data);
650 smb_krb5_free_data_contents(context, &pac_attrs_data);
651 smb_krb5_free_data_contents(context, &requester_sid_data);
652 smb_krb5_free_data_contents(context, &deleg_data);
657 if (upn_blob != NULL) {
658 ret = krb5_pac_add_buffer(context, pac,
659 PAC_TYPE_UPN_DNS_INFO,
661 smb_krb5_free_data_contents(context, &upn_data);
663 smb_krb5_free_data_contents(context, &pac_attrs_data);
664 smb_krb5_free_data_contents(context, &requester_sid_data);
665 smb_krb5_free_data_contents(context, &deleg_data);
670 if (pac_attrs_blob != NULL) {
671 ret = krb5_pac_add_buffer(context, pac,
672 PAC_TYPE_ATTRIBUTES_INFO,
674 smb_krb5_free_data_contents(context, &pac_attrs_data);
676 smb_krb5_free_data_contents(context, &requester_sid_data);
677 smb_krb5_free_data_contents(context, &deleg_data);
682 if (requester_sid_blob != NULL) {
683 ret = krb5_pac_add_buffer(context, pac,
684 PAC_TYPE_REQUESTER_SID,
685 &requester_sid_data);
686 smb_krb5_free_data_contents(context, &requester_sid_data);
688 smb_krb5_free_data_contents(context, &deleg_data);
693 if (deleg_blob != NULL) {
694 ret = krb5_pac_add_buffer(context, pac,
695 PAC_TYPE_CONSTRAINED_DELEGATION,
697 smb_krb5_free_data_contents(context, &deleg_data);
706 bool samba_princ_needs_pac(struct samba_kdc_entry *skdc_entry)
709 uint32_t userAccountControl;
711 /* The service account may be set not to want the PAC */
712 userAccountControl = ldb_msg_find_attr_as_uint(skdc_entry->msg, "userAccountControl", 0);
713 if (userAccountControl & UF_NO_AUTH_DATA_REQUIRED) {
720 int samba_client_requested_pac(krb5_context context,
725 enum ndr_err_code ndr_err;
726 krb5_data k5pac_attrs_in;
727 DATA_BLOB pac_attrs_in;
728 union PAC_INFO pac_attrs;
731 *requested_pac = true;
733 ret = krb5_pac_get_buffer(context, *pac, PAC_TYPE_ATTRIBUTES_INFO,
736 return ret == ENOENT ? 0 : ret;
739 pac_attrs_in = data_blob_const(k5pac_attrs_in.data,
740 k5pac_attrs_in.length);
742 ndr_err = ndr_pull_union_blob(&pac_attrs_in, mem_ctx, &pac_attrs,
743 PAC_TYPE_ATTRIBUTES_INFO,
744 (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
745 smb_krb5_free_data_contents(context, &k5pac_attrs_in);
746 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
747 NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
748 DEBUG(0,("can't parse the PAC ATTRIBUTES_INFO: %s\n", nt_errstr(nt_status)));
752 if (pac_attrs.attributes_info.flags & (PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY
753 | PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED)) {
754 *requested_pac = true;
756 *requested_pac = false;
762 /* Was the krbtgt in this DB (ie, should we check the incoming signature) and was it an RODC */
763 int samba_krbtgt_is_in_db(struct samba_kdc_entry *p,
768 int rodc_krbtgt_number, trust_direction;
771 TALLOC_CTX *mem_ctx = talloc_new(NULL);
776 trust_direction = ldb_msg_find_attr_as_int(p->msg, "trustDirection", 0);
778 if (trust_direction != 0) {
779 /* Domain trust - we cannot check the sig, but we trust it for a correct PAC
781 This is exactly where we should flag for SID
782 validation when we do inter-foreest trusts
784 talloc_free(mem_ctx);
785 *is_untrusted = false;
790 /* The lack of password controls etc applies to krbtgt by
791 * virtue of being that particular RID */
792 status = dom_sid_split_rid(NULL, samdb_result_dom_sid(mem_ctx, p->msg, "objectSid"), NULL, &rid);
794 if (!NT_STATUS_IS_OK(status)) {
795 talloc_free(mem_ctx);
799 rodc_krbtgt_number = ldb_msg_find_attr_as_int(p->msg, "msDS-SecondaryKrbTgtNumber", -1);
801 if (p->kdc_db_ctx->my_krbtgt_number == 0) {
802 if (rid == DOMAIN_RID_KRBTGT) {
803 *is_untrusted = false;
805 talloc_free(mem_ctx);
807 } else if (rodc_krbtgt_number != -1) {
809 *is_untrusted = true;
810 talloc_free(mem_ctx);
813 } else if ((rid != DOMAIN_RID_KRBTGT) && (rodc_krbtgt_number == p->kdc_db_ctx->my_krbtgt_number)) {
814 talloc_free(mem_ctx);
815 *is_untrusted = false;
818 } else if (rid == DOMAIN_RID_KRBTGT) {
819 /* krbtgt viewed from an RODC */
820 talloc_free(mem_ctx);
821 *is_untrusted = false;
827 talloc_free(mem_ctx);
828 *is_untrusted = true;
834 * Because the KDC does not limit protocol transition, two new well-known SIDs
835 * were introduced to give this control to the resource administrator. These
836 * SIDs identify whether protocol transition has occurred, and can be used with
837 * standard access control lists to grant or limit access as needed.
839 * https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
841 static NTSTATUS samba_add_asserted_identity(TALLOC_CTX *mem_ctx,
842 enum samba_asserted_identity ai,
843 struct auth_user_info_dc *user_info_dc)
845 struct dom_sid ai_sid;
846 const char *sid_str = NULL;
849 case SAMBA_ASSERTED_IDENTITY_SERVICE:
850 sid_str = SID_SERVICE_ASSERTED_IDENTITY;
852 case SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY:
853 sid_str = SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY;
855 case SAMBA_ASSERTED_IDENTITY_IGNORE:
859 dom_sid_parse(sid_str, &ai_sid);
861 return add_sid_to_array_unique(user_info_dc,
864 &user_info_dc->num_sids);
868 * Look up the user's info in the database and create a auth_user_info_dc
869 * structure. If the resulting structure is not talloc_free()d, it will be
870 * reused on future calls to this function.
872 NTSTATUS samba_kdc_get_user_info_from_db(struct samba_kdc_entry *skdc_entry,
873 struct ldb_message *msg,
874 struct auth_user_info_dc **user_info_dc)
876 if (skdc_entry->user_info_dc == NULL) {
878 struct loadparm_context *lp_ctx = skdc_entry->kdc_db_ctx->lp_ctx;
880 nt_status = authsam_make_user_info_dc(skdc_entry,
881 skdc_entry->kdc_db_ctx->samdb,
882 lpcfg_netbios_name(lp_ctx),
883 lpcfg_sam_name(lp_ctx),
884 lpcfg_sam_dnsname(lp_ctx),
885 skdc_entry->realm_dn,
889 &skdc_entry->user_info_dc);
890 if (!NT_STATUS_IS_OK(nt_status)) {
895 *user_info_dc = skdc_entry->user_info_dc;
899 NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
900 struct samba_kdc_entry *p,
901 enum samba_asserted_identity asserted_identity,
902 DATA_BLOB **_logon_info_blob,
903 DATA_BLOB **_cred_ndr_blob,
904 DATA_BLOB **_upn_info_blob,
905 DATA_BLOB **_pac_attrs_blob,
906 uint64_t pac_attributes,
907 DATA_BLOB **_requester_sid_blob)
909 struct auth_user_info_dc *user_info_dc = NULL;
910 DATA_BLOB *logon_blob = NULL;
911 DATA_BLOB *cred_blob = NULL;
912 DATA_BLOB *upn_blob = NULL;
913 DATA_BLOB *pac_attrs_blob = NULL;
914 DATA_BLOB *requester_sid_blob = NULL;
917 *_logon_info_blob = NULL;
918 if (_cred_ndr_blob != NULL) {
919 *_cred_ndr_blob = NULL;
921 *_upn_info_blob = NULL;
922 if (_pac_attrs_blob != NULL) {
923 *_pac_attrs_blob = NULL;
925 if (_requester_sid_blob != NULL) {
926 *_requester_sid_blob = NULL;
929 logon_blob = talloc_zero(mem_ctx, DATA_BLOB);
930 if (logon_blob == NULL) {
931 return NT_STATUS_NO_MEMORY;
934 if (_cred_ndr_blob != NULL) {
935 cred_blob = talloc_zero(mem_ctx, DATA_BLOB);
936 if (cred_blob == NULL) {
937 return NT_STATUS_NO_MEMORY;
941 upn_blob = talloc_zero(mem_ctx, DATA_BLOB);
942 if (upn_blob == NULL) {
943 return NT_STATUS_NO_MEMORY;
946 if (_pac_attrs_blob != NULL) {
947 pac_attrs_blob = talloc_zero(mem_ctx, DATA_BLOB);
948 if (pac_attrs_blob == NULL) {
949 return NT_STATUS_NO_MEMORY;
953 if (_requester_sid_blob != NULL) {
954 requester_sid_blob = talloc_zero(mem_ctx, DATA_BLOB);
955 if (requester_sid_blob == NULL) {
956 return NT_STATUS_NO_MEMORY;
960 nt_status = samba_kdc_get_user_info_from_db(p,
963 if (!NT_STATUS_IS_OK(nt_status)) {
964 DEBUG(0, ("Getting user info for PAC failed: %s\n",
965 nt_errstr(nt_status)));
969 nt_status = samba_add_asserted_identity(mem_ctx,
972 if (!NT_STATUS_IS_OK(nt_status)) {
973 DBG_ERR("Failed to add assertied identity!\n");
977 nt_status = samba_get_logon_info_pac_blob(logon_blob,
981 if (!NT_STATUS_IS_OK(nt_status)) {
982 DEBUG(0, ("Building PAC LOGON INFO failed: %s\n",
983 nt_errstr(nt_status)));
987 if (cred_blob != NULL) {
988 nt_status = samba_get_cred_info_ndr_blob(cred_blob,
991 if (!NT_STATUS_IS_OK(nt_status)) {
992 DEBUG(0, ("Building PAC CRED INFO failed: %s\n",
993 nt_errstr(nt_status)));
998 nt_status = samba_get_upn_info_pac_blob(upn_blob,
1001 if (!NT_STATUS_IS_OK(nt_status)) {
1002 DEBUG(0, ("Building PAC UPN INFO failed: %s\n",
1003 nt_errstr(nt_status)));
1007 if (pac_attrs_blob != NULL) {
1008 nt_status = samba_get_pac_attrs_blob(pac_attrs_blob,
1012 if (!NT_STATUS_IS_OK(nt_status)) {
1013 DEBUG(0, ("Building PAC ATTRIBUTES failed: %s\n",
1014 nt_errstr(nt_status)));
1019 *_logon_info_blob = logon_blob;
1020 if (_cred_ndr_blob != NULL) {
1021 *_cred_ndr_blob = cred_blob;
1023 *_upn_info_blob = upn_blob;
1024 if (_pac_attrs_blob != NULL) {
1025 *_pac_attrs_blob = pac_attrs_blob;
1027 if (_requester_sid_blob != NULL) {
1028 *_requester_sid_blob = requester_sid_blob;
1030 return NT_STATUS_OK;
1033 NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx,
1034 krb5_context context,
1035 struct ldb_context *samdb,
1036 const krb5_pac pac, DATA_BLOB *pac_blob,
1037 struct PAC_SIGNATURE_DATA *pac_srv_sig,
1038 struct PAC_SIGNATURE_DATA *pac_kdc_sig)
1040 struct auth_user_info_dc *user_info_dc;
1041 krb5_error_code ret;
1044 ret = kerberos_pac_to_user_info_dc(mem_ctx, pac,
1045 context, &user_info_dc, pac_srv_sig, pac_kdc_sig);
1047 return NT_STATUS_UNSUCCESSFUL;
1051 * We need to expand group memberships within our local domain,
1052 * as the token might be generated by a trusted domain.
1054 nt_status = authsam_update_user_info_dc(mem_ctx,
1057 if (!NT_STATUS_IS_OK(nt_status)) {
1061 nt_status = samba_get_logon_info_pac_blob(mem_ctx,
1062 user_info_dc, pac_blob, NULL);
1067 NTSTATUS samba_kdc_update_delegation_info_blob(TALLOC_CTX *mem_ctx,
1068 krb5_context context,
1070 const krb5_principal server_principal,
1071 const krb5_principal proxy_principal,
1072 DATA_BLOB *new_blob)
1076 krb5_error_code ret;
1078 enum ndr_err_code ndr_err;
1079 union PAC_INFO info;
1080 struct PAC_CONSTRAINED_DELEGATION _d;
1081 struct PAC_CONSTRAINED_DELEGATION *d = NULL;
1082 char *server = NULL;
1085 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1087 if (tmp_ctx == NULL) {
1088 return NT_STATUS_NO_MEMORY;
1091 ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_CONSTRAINED_DELEGATION, &old_data);
1092 if (ret == ENOENT) {
1093 ZERO_STRUCT(old_data);
1095 talloc_free(tmp_ctx);
1096 return NT_STATUS_UNSUCCESSFUL;
1099 old_blob.length = old_data.length;
1100 old_blob.data = (uint8_t *)old_data.data;
1103 if (old_blob.length > 0) {
1104 ndr_err = ndr_pull_union_blob(&old_blob, mem_ctx,
1105 &info, PAC_TYPE_CONSTRAINED_DELEGATION,
1106 (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
1107 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1108 smb_krb5_free_data_contents(context, &old_data);
1109 nt_status = ndr_map_error2ntstatus(ndr_err);
1110 DEBUG(0,("can't parse the PAC LOGON_INFO: %s\n", nt_errstr(nt_status)));
1111 talloc_free(tmp_ctx);
1116 info.constrained_delegation.info = &_d;
1118 smb_krb5_free_data_contents(context, &old_data);
1120 ret = krb5_unparse_name_flags(context, server_principal,
1121 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &server);
1123 talloc_free(tmp_ctx);
1124 return NT_STATUS_INTERNAL_ERROR;
1127 ret = krb5_unparse_name(context, proxy_principal, &proxy);
1130 talloc_free(tmp_ctx);
1131 return NT_STATUS_INTERNAL_ERROR;
1134 d = info.constrained_delegation.info;
1135 i = d->num_transited_services;
1136 d->proxy_target.string = server;
1137 d->transited_services = talloc_realloc(mem_ctx, d->transited_services,
1138 struct lsa_String, i + 1);
1139 d->transited_services[i].string = proxy;
1140 d->num_transited_services = i + 1;
1142 ndr_err = ndr_push_union_blob(new_blob, mem_ctx,
1143 &info, PAC_TYPE_CONSTRAINED_DELEGATION,
1144 (ndr_push_flags_fn_t)ndr_push_PAC_INFO);
1147 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1148 smb_krb5_free_data_contents(context, &old_data);
1149 nt_status = ndr_map_error2ntstatus(ndr_err);
1150 DEBUG(0,("can't parse the PAC LOGON_INFO: %s\n", nt_errstr(nt_status)));
1151 talloc_free(tmp_ctx);
1155 talloc_free(tmp_ctx);
1156 return NT_STATUS_OK;
1159 /* function to map policy errors */
1160 krb5_error_code samba_kdc_map_policy_err(NTSTATUS nt_status)
1162 krb5_error_code ret;
1164 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_MUST_CHANGE))
1165 ret = KRB5KDC_ERR_KEY_EXP;
1166 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_EXPIRED))
1167 ret = KRB5KDC_ERR_KEY_EXP;
1168 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_EXPIRED))
1169 ret = KRB5KDC_ERR_CLIENT_REVOKED;
1170 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED))
1171 ret = KRB5KDC_ERR_CLIENT_REVOKED;
1172 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_LOGON_HOURS))
1173 ret = KRB5KDC_ERR_CLIENT_REVOKED;
1174 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_LOCKED_OUT))
1175 ret = KRB5KDC_ERR_CLIENT_REVOKED;
1176 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_WORKSTATION))
1177 ret = KRB5KDC_ERR_POLICY;
1179 ret = KRB5KDC_ERR_POLICY;
1184 /* Given a kdc entry, consult the account_ok routine in auth/auth_sam.c
1185 * for consistency */
1186 NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry,
1187 const char *client_name,
1188 const char *workstation,
1189 bool password_change)
1191 TALLOC_CTX *tmp_ctx;
1194 tmp_ctx = talloc_named(NULL, 0, "samba_kdc_check_client_access");
1196 return NT_STATUS_NO_MEMORY;
1199 /* we allow all kinds of trusts here */
1200 nt_status = authsam_account_ok(tmp_ctx,
1201 kdc_entry->kdc_db_ctx->samdb,
1202 MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
1203 MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
1204 kdc_entry->realm_dn, kdc_entry->msg,
1205 workstation, client_name,
1206 true, password_change);
1208 kdc_entry->reject_status = nt_status;
1209 talloc_free(tmp_ctx);
1213 static krb5_error_code samba_get_requester_sid(TALLOC_CTX *mem_ctx,
1215 krb5_context context,
1216 struct dom_sid *sid)
1219 enum ndr_err_code ndr_err;
1220 krb5_error_code ret;
1222 DATA_BLOB pac_requester_sid_in;
1223 krb5_data k5pac_requester_sid_in;
1225 union PAC_INFO info;
1227 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
1228 if (tmp_ctx == NULL) {
1232 ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_REQUESTER_SID,
1233 &k5pac_requester_sid_in);
1235 talloc_free(tmp_ctx);
1239 pac_requester_sid_in = data_blob_const(k5pac_requester_sid_in.data,
1240 k5pac_requester_sid_in.length);
1242 ndr_err = ndr_pull_union_blob(&pac_requester_sid_in, tmp_ctx, &info,
1243 PAC_TYPE_REQUESTER_SID,
1244 (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
1245 smb_krb5_free_data_contents(context, &k5pac_requester_sid_in);
1246 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1247 nt_status = ndr_map_error2ntstatus(ndr_err);
1248 DEBUG(0,("can't parse the PAC REQUESTER_SID: %s\n", nt_errstr(nt_status)));
1249 talloc_free(tmp_ctx);
1253 *sid = info.requester_sid.sid;
1255 talloc_free(tmp_ctx);
1259 /* Does a parse and SID check, but no crypto. */
1260 krb5_error_code samba_kdc_validate_pac_blob(
1261 krb5_context context,
1262 struct samba_kdc_entry *client_skdc_entry,
1265 TALLOC_CTX *frame = talloc_stackframe();
1266 struct auth_user_info_dc *pac_user_info = NULL;
1267 struct dom_sid *client_sid = NULL;
1268 struct dom_sid pac_sid;
1269 krb5_error_code code;
1273 * First, try to get the SID from the requester SID buffer in the PAC.
1275 code = samba_get_requester_sid(frame, pac, context, &pac_sid);
1277 if (code == ENOENT) {
1279 * If the requester SID buffer isn't present, fall back to the
1280 * SID in the LOGON_INFO PAC buffer.
1282 code = kerberos_pac_to_user_info_dc(frame,
1292 if (pac_user_info->num_sids == 0) {
1297 pac_sid = pac_user_info->sids[0];
1298 } else if (code != 0) {
1302 client_sid = samdb_result_dom_sid(frame,
1303 client_skdc_entry->msg,
1306 ok = dom_sid_equal(&pac_sid, client_sid);
1308 struct dom_sid_buf buf1;
1309 struct dom_sid_buf buf2;
1311 DBG_ERR("SID mismatch between PAC and looked up client: "
1312 "PAC[%s] != CLI[%s]\n",
1313 dom_sid_str_buf(&pac_sid, &buf1),
1314 dom_sid_str_buf(client_sid, &buf2));
1315 code = KRB5KDC_ERR_TGT_REVOKED;
1327 * In the RODC case, to confirm that the returned user is permitted to
1328 * be replicated to the KDC (krbgtgt_xxx user) represented by *rodc
1330 WERROR samba_rodc_confirm_user_is_allowed(uint32_t num_object_sids,
1331 struct dom_sid *object_sids,
1332 struct samba_kdc_entry *rodc,
1333 struct samba_kdc_entry *object)
1337 TALLOC_CTX *frame = talloc_stackframe();
1338 const char *rodc_attrs[] = { "msDS-KrbTgtLink",
1339 "msDS-NeverRevealGroup",
1340 "msDS-RevealOnDemandGroup",
1341 "userAccountControl",
1344 struct ldb_result *rodc_machine_account = NULL;
1345 struct ldb_dn *rodc_machine_account_dn = samdb_result_dn(rodc->kdc_db_ctx->samdb,
1348 "msDS-KrbTgtLinkBL",
1350 const struct dom_sid *rodc_machine_account_sid = NULL;
1352 if (rodc_machine_account_dn == NULL) {
1353 DBG_ERR("krbtgt account %s has no msDS-KrbTgtLinkBL to find RODC machine account for allow/deny list\n",
1354 ldb_dn_get_linearized(rodc->msg->dn));
1356 return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
1360 * Follow the link and get the RODC account (the krbtgt
1361 * account is the krbtgt_XXX account, but the
1362 * msDS-NeverRevealGroup and msDS-RevealOnDemandGroup is on
1363 * the RODC$ account)
1365 * We need DSDB_SEARCH_SHOW_EXTENDED_DN as we get a SID lists
1366 * out of the extended DNs
1369 ret = dsdb_search_dn(rodc->kdc_db_ctx->samdb,
1371 &rodc_machine_account,
1372 rodc_machine_account_dn,
1374 DSDB_SEARCH_SHOW_EXTENDED_DN);
1375 if (ret != LDB_SUCCESS) {
1376 DBG_ERR("Failed to fetch RODC machine account %s pointed to by %s to check allow/deny list: %s\n",
1377 ldb_dn_get_linearized(rodc_machine_account_dn),
1378 ldb_dn_get_linearized(rodc->msg->dn),
1379 ldb_errstring(rodc->kdc_db_ctx->samdb));
1381 return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
1384 if (rodc_machine_account->count != 1) {
1385 DBG_ERR("Failed to fetch RODC machine account %s pointed to by %s to check allow/deny list: (%d)\n",
1386 ldb_dn_get_linearized(rodc_machine_account_dn),
1387 ldb_dn_get_linearized(rodc->msg->dn),
1388 rodc_machine_account->count);
1390 return WERR_DS_DRA_BAD_DN;
1393 /* if the object SID is equal to the user_sid, allow */
1394 rodc_machine_account_sid = samdb_result_dom_sid(frame,
1395 rodc_machine_account->msgs[0],
1397 if (rodc_machine_account_sid == NULL) {
1398 return WERR_DS_DRA_BAD_DN;
1401 werr = samdb_confirm_rodc_allowed_to_repl_to_sid_list(rodc->kdc_db_ctx->samdb,
1402 rodc_machine_account_sid,
1403 rodc_machine_account->msgs[0],
1413 * @brief Update a PAC
1415 * @param mem_ctx A talloc memory context
1417 * @param context A krb5 context
1419 * @param samdb An open samdb connection.
1421 * @param flags Bitwise OR'ed flags
1423 * @param client The client samba kdc entry.
1425 * @param server_principal The server principal
1427 * @param server The server samba kdc entry.
1429 * @param krbtgt The krbtgt samba kdc entry.
1431 * @param delegated_proxy_principal The delegated proxy principal used for
1432 * updating the constrained delegation PAC
1435 * @param old_pac The old PAC
1437 * @param new_pac The new already allocated PAC
1439 * @return A Kerberos error code. If no PAC should be returned, the code will be
1442 krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
1443 krb5_context context,
1444 struct ldb_context *samdb,
1446 struct samba_kdc_entry *client,
1447 const krb5_principal server_principal,
1448 struct samba_kdc_entry *server,
1449 struct samba_kdc_entry *krbtgt,
1450 const krb5_principal delegated_proxy_principal,
1451 const krb5_pac old_pac,
1454 krb5_error_code code = EINVAL;
1456 DATA_BLOB *pac_blob = NULL;
1457 DATA_BLOB *upn_blob = NULL;
1458 DATA_BLOB *deleg_blob = NULL;
1459 DATA_BLOB *requester_sid_blob = NULL;
1460 bool is_untrusted = flags & SAMBA_KDC_FLAG_KRBTGT_IS_UNTRUSTED;
1462 size_t num_types = 0;
1463 uint32_t *types = NULL;
1465 * FIXME: Do we really still need forced_next_type? With MIT Kerberos
1466 * the PAC buffers do not get ordered and it works just fine. We are
1467 * not aware of any issues in this regard. This might be just ancient
1470 uint32_t forced_next_type = 0;
1472 ssize_t logon_info_idx = -1;
1473 ssize_t delegation_idx = -1;
1474 ssize_t logon_name_idx = -1;
1475 ssize_t upn_dns_info_idx = -1;
1476 ssize_t srv_checksum_idx = -1;
1477 ssize_t kdc_checksum_idx = -1;
1478 ssize_t tkt_checksum_idx = -1;
1479 ssize_t attrs_info_idx = -1;
1480 ssize_t requester_sid_idx = -1;
1481 ssize_t full_checksum_idx = -1;
1483 if (client != NULL) {
1485 * Check the objectSID of the client and pac data are the same.
1486 * Does a parse and SID check, but no crypto.
1488 code = samba_kdc_validate_pac_blob(context,
1496 if (delegated_proxy_principal != NULL) {
1497 deleg_blob = talloc_zero(mem_ctx, DATA_BLOB);
1498 if (deleg_blob == NULL) {
1503 nt_status = samba_kdc_update_delegation_info_blob(
1508 delegated_proxy_principal,
1510 if (!NT_STATUS_IS_OK(nt_status)) {
1511 DBG_ERR("update delegation info blob failed: %s\n",
1512 nt_errstr(nt_status));
1519 struct auth_user_info_dc *user_info_dc = NULL;
1522 * In this case the RWDC discards the PAC an RODC generated.
1523 * Windows adds the asserted_identity in this case too.
1525 * Note that SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION
1526 * generates KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN.
1527 * So we can always use
1528 * SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY
1531 enum samba_asserted_identity asserted_identity =
1532 SAMBA_ASSERTED_IDENTITY_AUTHENTICATION_AUTHORITY;
1534 if (client == NULL) {
1535 code = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1539 nt_status = samba_kdc_get_pac_blobs(mem_ctx,
1546 PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY,
1547 &requester_sid_blob);
1548 if (!NT_STATUS_IS_OK(nt_status)) {
1549 DBG_ERR("samba_kdc_get_pac_blobs failed: %s\n",
1550 nt_errstr(nt_status));
1551 code = KRB5KDC_ERR_TGT_REVOKED;
1555 nt_status = samba_kdc_get_user_info_from_db(client,
1558 if (!NT_STATUS_IS_OK(nt_status)) {
1559 DBG_ERR("samba_kdc_get_user_info_from_db failed: %s\n",
1560 nt_errstr(nt_status));
1561 code = KRB5KDC_ERR_TGT_REVOKED;
1566 * Check if the SID list in the user_info_dc intersects
1567 * correctly with the RODC allow/deny lists.
1569 werr = samba_rodc_confirm_user_is_allowed(user_info_dc->num_sids,
1573 TALLOC_FREE(user_info_dc);
1574 if (!W_ERROR_IS_OK(werr)) {
1575 code = KRB5KDC_ERR_TGT_REVOKED;
1576 if (W_ERROR_EQUAL(werr,
1577 WERR_DOMAIN_CONTROLLER_NOT_FOUND)) {
1578 code = KRB5KDC_ERR_POLICY;
1584 * The RODC PAC data isn't trusted for authorization as it may
1585 * be stale. The only thing meaningful we can do with an RODC
1586 * account on a full DC is exchange the RODC TGT for a 'real'
1589 * So we match Windows (at least server 2022) and
1590 * don't allow S4U2Self.
1592 * https://lists.samba.org/archive/cifs-protocol/2022-April/003673.html
1594 if (flags & SAMBA_KDC_FLAG_PROTOCOL_TRANSITION) {
1595 code = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
1599 pac_blob = talloc_zero(mem_ctx, DATA_BLOB);
1600 if (pac_blob == NULL) {
1605 nt_status = samba_kdc_update_pac_blob(mem_ctx,
1612 if (!NT_STATUS_IS_OK(nt_status)) {
1613 DBG_ERR("samba_kdc_update_pac_blob failed: %s\n",
1614 nt_errstr(nt_status));
1620 /* Check the types of the given PAC */
1621 code = krb5_pac_get_types(context, old_pac, &num_types, &types);
1623 DBG_ERR("krb5_pac_get_types failed\n");
1627 for (i = 0; i < num_types; i++) {
1629 case PAC_TYPE_LOGON_INFO:
1630 if (logon_info_idx != -1) {
1631 DBG_WARNING("logon info type[%u] twice [%zd] "
1641 case PAC_TYPE_CONSTRAINED_DELEGATION:
1642 if (delegation_idx != -1) {
1643 DBG_WARNING("constrained delegation type[%u] "
1644 "twice [%zd] and [%zu]: \n",
1653 case PAC_TYPE_LOGON_NAME:
1654 if (logon_name_idx != -1) {
1655 DBG_WARNING("logon name type[%u] twice [%zd] "
1665 case PAC_TYPE_UPN_DNS_INFO:
1666 if (upn_dns_info_idx != -1) {
1667 DBG_WARNING("upn dns info type[%u] twice [%zd] "
1675 upn_dns_info_idx = i;
1677 case PAC_TYPE_SRV_CHECKSUM:
1678 if (srv_checksum_idx != -1) {
1679 DBG_WARNING("srv checksum type[%u] twice [%zd] "
1687 srv_checksum_idx = i;
1689 case PAC_TYPE_KDC_CHECKSUM:
1690 if (kdc_checksum_idx != -1) {
1691 DBG_WARNING("kdc checksum type[%u] twice [%zd] "
1699 kdc_checksum_idx = i;
1701 case PAC_TYPE_TICKET_CHECKSUM:
1702 if (tkt_checksum_idx != -1) {
1703 DBG_WARNING("ticket checksum type[%u] twice "
1704 "[%zd] and [%zu]: \n",
1711 tkt_checksum_idx = i;
1713 case PAC_TYPE_ATTRIBUTES_INFO:
1714 if (attrs_info_idx != -1) {
1715 DBG_WARNING("attributes info type[%u] twice "
1716 "[%zd] and [%zu]: \n",
1725 case PAC_TYPE_REQUESTER_SID:
1726 if (requester_sid_idx != -1) {
1727 DBG_WARNING("requester sid type[%u] twice"
1728 "[%zd] and [%zu]: \n",
1735 requester_sid_idx = i;
1737 case PAC_TYPE_FULL_CHECKSUM:
1738 if (full_checksum_idx != -1) {
1739 DBG_WARNING("full checksum type[%u] twice "
1740 "[%zd] and [%zu]: \n",
1747 full_checksum_idx = i;
1754 if (logon_info_idx == -1) {
1755 DBG_WARNING("PAC_TYPE_LOGON_INFO missing\n");
1759 if (logon_name_idx == -1) {
1760 DBG_WARNING("PAC_TYPE_LOGON_NAME missing\n");
1764 if (srv_checksum_idx == -1) {
1765 DBG_WARNING("PAC_TYPE_SRV_CHECKSUM missing\n");
1769 if (kdc_checksum_idx == -1) {
1770 DBG_WARNING("PAC_TYPE_KDC_CHECKSUM missing\n");
1774 if (!(flags & SAMBA_KDC_FLAG_CONSTRAINED_DELEGATION) &&
1775 requester_sid_idx == -1) {
1776 DBG_WARNING("PAC_TYPE_REQUESTER_SID missing\n");
1777 code = KRB5KDC_ERR_TGT_REVOKED;
1782 * The server account may be set not to want the PAC.
1784 * While this is wasteful if the above cacluations were done
1785 * and now thrown away, this is cleaner as we do any ticket
1786 * signature checking etc always.
1788 * UF_NO_AUTH_DATA_REQUIRED is the rare case and most of the
1789 * time (eg not accepting a ticket from the RODC) we do not
1790 * need to re-generate anything anyway.
1792 if (!samba_princ_needs_pac(server)) {
1797 is_tgs = smb_krb5_principal_is_tgs(context, server_principal);
1803 if (!is_untrusted && !is_tgs) {
1805 * The client may have requested no PAC when obtaining the
1808 bool requested_pac = false;
1810 code = samba_client_requested_pac(context,
1814 if (code != 0 || !requested_pac) {
1815 if (!requested_pac) {
1822 #define MAX_PAC_BUFFERS 128 /* Avoid infinite loops */
1824 for (i = 0; i < MAX_PAC_BUFFERS;) {
1825 const uint8_t zero_byte = 0;
1826 krb5_data type_data;
1827 DATA_BLOB type_blob = data_blob_null;
1830 static char null_byte = '\0';
1831 const krb5_data null_data = smb_krb5_make_data(&null_byte, 0);
1833 if (forced_next_type != 0) {
1835 * We need to inject possible missing types
1837 type = forced_next_type;
1838 forced_next_type = 0;
1839 } else if (i < num_types) {
1847 case PAC_TYPE_LOGON_INFO:
1848 type_blob = *pac_blob;
1850 if (delegation_idx == -1 && deleg_blob != NULL) {
1851 /* inject CONSTRAINED_DELEGATION behind */
1853 PAC_TYPE_CONSTRAINED_DELEGATION;
1856 case PAC_TYPE_CONSTRAINED_DELEGATION:
1858 * This is generated in the main KDC code
1860 if (flags & SAMBA_KDC_FLAG_SKIP_PAC_BUFFER) {
1864 if (deleg_blob != NULL) {
1865 type_blob = *deleg_blob;
1868 case PAC_TYPE_CREDENTIAL_INFO:
1870 * Note that we copy the credential blob,
1871 * as it's only usable with the PKINIT based
1872 * AS-REP reply key, it's only available on the
1873 * host which did the AS-REQ/AS-REP exchange.
1875 * This matches Windows 2008R2...
1878 case PAC_TYPE_LOGON_NAME:
1880 * This is generated in the main KDC code
1882 if (flags & SAMBA_KDC_FLAG_SKIP_PAC_BUFFER) {
1886 type_blob = data_blob_const(&zero_byte, 1);
1888 if (upn_dns_info_idx == -1 && upn_blob != NULL) {
1889 /* inject UPN_DNS_INFO behind */
1890 forced_next_type = PAC_TYPE_UPN_DNS_INFO;
1893 case PAC_TYPE_UPN_DNS_INFO:
1895 * Replace in the RODC case, otherwise
1896 * upn_blob is NULL and we just copy.
1898 if (upn_blob != NULL) {
1899 type_blob = *upn_blob;
1902 case PAC_TYPE_SRV_CHECKSUM:
1904 * This is generated in the main KDC code
1906 if (flags & SAMBA_KDC_FLAG_SKIP_PAC_BUFFER) {
1910 type_blob = data_blob_const(&zero_byte, 1);
1912 if (requester_sid_idx == -1 && requester_sid_blob != NULL) {
1913 /* inject REQUESTER_SID behind */
1914 forced_next_type = PAC_TYPE_REQUESTER_SID;
1917 case PAC_TYPE_KDC_CHECKSUM:
1919 * This is generated in the main KDC code
1921 if (flags & SAMBA_KDC_FLAG_SKIP_PAC_BUFFER) {
1925 type_blob = data_blob_const(&zero_byte, 1);
1928 case PAC_TYPE_TICKET_CHECKSUM:
1930 * This is generated in the main KDC code
1932 if (flags & SAMBA_KDC_FLAG_SKIP_PAC_BUFFER) {
1936 type_blob = data_blob_const(&zero_byte, 1);
1939 case PAC_TYPE_ATTRIBUTES_INFO:
1940 if (!is_untrusted && is_tgs) {
1946 case PAC_TYPE_REQUESTER_SID:
1952 * Replace in the RODC case, otherwise
1953 * requester_sid_blob is NULL and we just copy.
1955 if (requester_sid_blob != NULL) {
1956 type_blob = *requester_sid_blob;
1959 case PAC_TYPE_FULL_CHECKSUM:
1961 * This is generated in the main KDC code
1963 if (flags & SAMBA_KDC_FLAG_SKIP_PAC_BUFFER) {
1967 type_blob = data_blob_const(&zero_byte, 1);
1975 if (type_blob.length != 0) {
1976 type_data = smb_krb5_data_from_blob(type_blob);
1977 code = krb5_pac_add_buffer(context, new_pac,
1980 code = krb5_pac_get_buffer(context,
1988 * Passing a NULL pointer into krb5_pac_add_buffer() is
1989 * not allowed, so pass null_data instead if needed.
1991 code = krb5_pac_add_buffer(context,
1994 (type_data.data != NULL) ? &type_data : &null_data);
1995 smb_krb5_free_data_contents(context, &type_data);
2005 TALLOC_FREE(pac_blob);
2006 TALLOC_FREE(upn_blob);
2007 TALLOC_FREE(deleg_blob);