Copyright (C) Remus Koos 2001
Copyright (C) Nalin Dahyabhai <nalin@redhat.com> 2004.
Copyright (C) Jeremy Allison 2004.
+ Copyright (C) Gerald Carter 2006.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
if (prompts[0].reply->length > 0) {
if (data) {
- strncpy(prompts[0].reply->data, data, prompts[0].reply->length-1);
+ strncpy(prompts[0].reply->data, (const char *)data,
+ prompts[0].reply->length-1);
prompts[0].reply->length = strlen(prompts[0].reply->data);
} else {
prompts[0].reply->length = 0;
return 0;
}
+static bool smb_krb5_err_io_nstatus(TALLOC_CTX *mem_ctx,
+ DATA_BLOB *edata_blob,
+ KRB5_EDATA_NTSTATUS *edata)
+{
+ bool ret = False;
+ prs_struct ps;
+
+ if (!mem_ctx || !edata_blob || !edata)
+ return False;
+
+ if (!prs_init(&ps, edata_blob->length, mem_ctx, UNMARSHALL))
+ return False;
+
+ if (!prs_copy_data_in(&ps, (char *)edata_blob->data, edata_blob->length))
+ goto out;
+
+ prs_set_offset(&ps, 0);
+
+ if (!prs_ntstatus("ntstatus", &ps, 1, &edata->ntstatus))
+ goto out;
+
+ if (!prs_uint32("unknown1", &ps, 1, &edata->unknown1))
+ goto out;
+
+ if (!prs_uint32("unknown2", &ps, 1, &edata->unknown2)) /* only seen 00000001 here */
+ goto out;
+
+ ret = True;
+ out:
+ prs_mem_free(&ps);
+
+ return ret;
+}
+
+ static bool smb_krb5_get_ntstatus_from_krb5_error(krb5_error *error,
+ NTSTATUS *nt_status)
+{
+ DATA_BLOB edata;
+ DATA_BLOB unwrapped_edata;
+ TALLOC_CTX *mem_ctx;
+ KRB5_EDATA_NTSTATUS parsed_edata;
+
+#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
+ edata = data_blob(error->e_data->data, error->e_data->length);
+#else
+ edata = data_blob(error->e_data.data, error->e_data.length);
+#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
+
+#ifdef DEVELOPER
+ dump_data(10, edata.data, edata.length);
+#endif /* DEVELOPER */
+
+ mem_ctx = talloc_init("smb_krb5_get_ntstatus_from_krb5_error");
+ if (mem_ctx == NULL) {
+ data_blob_free(&edata);
+ return False;
+ }
+
+ if (!unwrap_edata_ntstatus(mem_ctx, &edata, &unwrapped_edata)) {
+ data_blob_free(&edata);
+ TALLOC_FREE(mem_ctx);
+ return False;
+ }
+
+ data_blob_free(&edata);
+
+ if (!smb_krb5_err_io_nstatus(mem_ctx, &unwrapped_edata, &parsed_edata)) {
+ data_blob_free(&unwrapped_edata);
+ TALLOC_FREE(mem_ctx);
+ return False;
+ }
+
+ data_blob_free(&unwrapped_edata);
+
+ if (nt_status) {
+ *nt_status = parsed_edata.ntstatus;
+ }
+
+ TALLOC_FREE(mem_ctx);
+
+ return True;
+}
+
+ static bool smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt(krb5_context ctx,
+ krb5_get_init_creds_opt *opt,
+ NTSTATUS *nt_status)
+{
+ bool ret = False;
+ krb5_error *error = NULL;
+
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_GET_ERROR
+ ret = krb5_get_init_creds_opt_get_error(ctx, opt, &error);
+ if (ret) {
+ DEBUG(1,("krb5_get_init_creds_opt_get_error gave: %s\n",
+ error_message(ret)));
+ return False;
+ }
+#endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_GET_ERROR */
+
+ if (!error) {
+ DEBUG(1,("no krb5_error\n"));
+ return False;
+ }
+
+#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
+ if (!error->e_data) {
+#else
+ if (error->e_data.data == NULL) {
+#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
+ DEBUG(1,("no edata in krb5_error\n"));
+ krb5_free_error(ctx, error);
+ return False;
+ }
+
+ ret = smb_krb5_get_ntstatus_from_krb5_error(error, nt_status);
+
+ krb5_free_error(ctx, error);
+
+ return ret;
+}
+
/*
simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL
place in default cache location.
remus@snapserver.com
*/
-int kerberos_kinit_password(const char *principal,
+int kerberos_kinit_password_ext(const char *principal,
const char *password,
int time_offset,
time_t *expire_time,
- const char *cache_name)
+ time_t *renew_till_time,
+ const char *cache_name,
+ bool request_pac,
+ bool add_netbios_addr,
+ time_t renewable_time,
+ NTSTATUS *ntstatus)
{
krb5_context ctx = NULL;
krb5_error_code code = 0;
krb5_ccache cc = NULL;
- krb5_principal me;
+ krb5_principal me = NULL;
krb5_creds my_creds;
+ krb5_get_init_creds_opt *opt = NULL;
+ smb_krb5_addresses *addr = NULL;
+ ZERO_STRUCT(my_creds);
+
+ initialize_krb5_error_table();
if ((code = krb5_init_context(&ctx)))
- return code;
+ goto out;
if (time_offset != 0) {
krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
}
-
- if ((code = krb5_cc_resolve(ctx, cache_name ?
- cache_name : krb5_cc_default_name(ctx), &cc))) {
- krb5_free_context(ctx);
- return code;
+
+ DEBUG(10,("kerberos_kinit_password: using [%s] as ccache and config [%s]\n",
+ cache_name ? cache_name: krb5_cc_default_name(ctx),
+ getenv("KRB5_CONFIG")));
+
+ if ((code = krb5_cc_resolve(ctx, cache_name ? cache_name : krb5_cc_default_name(ctx), &cc))) {
+ goto out;
}
- if ((code = krb5_parse_name(ctx, principal, &me))) {
- krb5_free_context(ctx);
- return code;
+ if ((code = smb_krb5_parse_name(ctx, principal, &me))) {
+ goto out;
}
-
- if ((code = krb5_get_init_creds_password(ctx, &my_creds, me,
- CONST_DISCARD(char *, password),
- kerb_prompter,
- NULL, 0, NULL, NULL))) {
- krb5_free_principal(ctx, me);
- krb5_free_context(ctx);
- return code;
+
+ if ((code = smb_krb5_get_init_creds_opt_alloc(ctx, &opt))) {
+ goto out;
}
-
+
+ krb5_get_init_creds_opt_set_renew_life(opt, renewable_time);
+ krb5_get_init_creds_opt_set_forwardable(opt, True);
+#if 0
+ /* insane testing */
+ krb5_get_init_creds_opt_set_tkt_life(opt, 60);
+#endif
+
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
+ if (request_pac) {
+ if ((code = krb5_get_init_creds_opt_set_pac_request(ctx, opt, (krb5_boolean)request_pac))) {
+ goto out;
+ }
+ }
+#endif
+ if (add_netbios_addr) {
+ if ((code = smb_krb5_gen_netbios_krb5_address(&addr))) {
+ goto out;
+ }
+ krb5_get_init_creds_opt_set_address_list(opt, addr->addrs);
+ }
+
+ if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, CONST_DISCARD(char *,password),
+ kerb_prompter, CONST_DISCARD(char *,password),
+ 0, NULL, opt))) {
+ goto out;
+ }
+
if ((code = krb5_cc_initialize(ctx, cc, me))) {
- krb5_free_cred_contents(ctx, &my_creds);
- krb5_free_principal(ctx, me);
- krb5_free_context(ctx);
- return code;
+ goto out;
}
if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
- krb5_cc_close(ctx, cc);
- krb5_free_cred_contents(ctx, &my_creds);
- krb5_free_principal(ctx, me);
- krb5_free_context(ctx);
- return code;
+ goto out;
}
-
- if (expire_time)
+
+ if (expire_time) {
*expire_time = (time_t) my_creds.times.endtime;
+ }
+
+ if (renew_till_time) {
+ *renew_till_time = (time_t) my_creds.times.renew_till;
+ }
+ out:
+ if (ntstatus) {
+
+ NTSTATUS status;
+
+ /* fast path */
+ if (code == 0) {
+ *ntstatus = NT_STATUS_OK;
+ goto cleanup;
+ }
+
+ /* try to get ntstatus code out of krb5_error when we have it
+ * inside the krb5_get_init_creds_opt - gd */
+
+ if (opt && smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt(ctx, opt, &status)) {
+ *ntstatus = status;
+ goto cleanup;
+ }
+
+ /* fall back to self-made-mapping */
+ *ntstatus = krb5_to_nt_status(code);
+ }
- krb5_cc_close(ctx, cc);
+ cleanup:
krb5_free_cred_contents(ctx, &my_creds);
- krb5_free_principal(ctx, me);
- krb5_free_context(ctx);
-
- return 0;
+ if (me) {
+ krb5_free_principal(ctx, me);
+ }
+ if (addr) {
+ smb_krb5_free_addresses(ctx, addr);
+ }
+ if (opt) {
+ smb_krb5_get_init_creds_opt_free(ctx, opt);
+ }
+ if (cc) {
+ krb5_cc_close(ctx, cc);
+ }
+ if (ctx) {
+ krb5_free_context(ctx);
+ }
+ return code;
}
{
char *s;
int ret;
+ const char *account_name;
+ fstring acct_name;
+
+ if ( IS_DC ) {
+ /* this will end up getting a ticket for DOMAIN@RUSTED.REA.LM */
+ account_name = lp_workgroup();
+ } else {
+ /* always use the sAMAccountName for security = domain */
+ /* global_myname()$@REA.LM */
+ if ( lp_security() == SEC_DOMAIN ) {
+ fstr_sprintf( acct_name, "%s$", global_myname() );
+ account_name = acct_name;
+ }
+ else
+ /* This looks like host/global_myname()@REA.LM */
+ account_name = ads->auth.user_name;
+ }
- if (asprintf(&s, "%s@%s", ads->auth.user_name, ads->auth.realm) == -1) {
+ if (asprintf(&s, "%s@%s", account_name, ads->auth.realm) == -1) {
return KRB5_CC_NOMEM;
}
if (!ads->auth.password) {
+ SAFE_FREE(s);
return KRB5_LIBOS_CANTREADPWD;
}
- ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset,
- &ads->auth.expire, NULL);
+ ret = kerberos_kinit_password_ext(s, ads->auth.password, ads->auth.time_offset,
+ &ads->auth.tgt_expire, NULL, NULL, False, False, ads->auth.renewable,
+ NULL);
if (ret) {
DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
s, error_message(ret)));
}
- free(s);
+ SAFE_FREE(s);
return ret;
}
krb5_context ctx = NULL;
krb5_ccache cc = NULL;
+ initialize_krb5_error_table();
if ((code = krb5_init_context (&ctx))) {
DEBUG(3, ("ads_kdestroy: kdb5_init_context failed: %s\n",
error_message(code)));
}
/************************************************************************
- Routine to get the salting principal for this service. Active
- Directory may use a non-obvious principal name to generate the salt
- when it determines the key to use for encrypting tickets for a service,
- and hopefully we detected that when we joined the domain.
- Caller must free if return is not null.
+ Return the standard DES salt key
+************************************************************************/
+
+char* kerberos_standard_des_salt( void )
+{
+ fstring salt;
+
+ fstr_sprintf( salt, "host/%s.%s@", global_myname(), lp_realm() );
+ strlower_m( salt );
+ fstrcat( salt, lp_realm() );
+
+ return SMB_STRDUP( salt );
+}
+
+/************************************************************************
+************************************************************************/
+
+static char* des_salt_key( void )
+{
+ char *key;
+
+ asprintf(&key, "%s/DES/%s", SECRETS_SALTING_PRINCIPAL, lp_realm());
+
+ return key;
+}
+
+/************************************************************************
+************************************************************************/
+
+bool kerberos_secrets_store_des_salt( const char* salt )
+{
+ char* key;
+ bool ret;
+
+ if ( (key = des_salt_key()) == NULL ) {
+ DEBUG(0,("kerberos_secrets_store_des_salt: failed to generate key!\n"));
+ return False;
+ }
+
+ if ( !salt ) {
+ DEBUG(8,("kerberos_secrets_store_des_salt: deleting salt\n"));
+ secrets_delete( key );
+ return True;
+ }
+
+ DEBUG(3,("kerberos_secrets_store_des_salt: Storing salt \"%s\"\n", salt));
+
+ ret = secrets_store( key, salt, strlen(salt)+1 );
+
+ SAFE_FREE( key );
+
+ return ret;
+}
+
+/************************************************************************
+************************************************************************/
+
+char* kerberos_secrets_fetch_des_salt( void )
+{
+ char *salt, *key;
+
+ if ( (key = des_salt_key()) == NULL ) {
+ DEBUG(0,("kerberos_secrets_fetch_des_salt: failed to generate key!\n"));
+ return False;
+ }
+
+ salt = (char*)secrets_fetch( key, NULL );
+
+ SAFE_FREE( key );
+
+ return salt;
+}
+
+
+/************************************************************************
+ Routine to get the salting principal for this service. This is
+ maintained for backwards compatibilty with releases prior to 3.0.24.
+ Since we store the salting principal string only at join, we may have
+ to look for the older tdb keys. Caller must free if return is not null.
************************************************************************/
krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context,
{
char *unparsed_name = NULL, *salt_princ_s = NULL;
krb5_principal ret_princ = NULL;
+
+ /* lookup new key first */
- if (krb5_unparse_name(context, host_princ, &unparsed_name) != 0) {
- return (krb5_principal)NULL;
- }
+ if ( (salt_princ_s = kerberos_secrets_fetch_des_salt()) == NULL ) {
+
+ /* look under the old key. If this fails, just use the standard key */
- if ((salt_princ_s = kerberos_secrets_fetch_salting_principal(unparsed_name, enctype)) == NULL) {
- krb5_free_unparsed_name(context, unparsed_name);
- return (krb5_principal)NULL;
+ if (smb_krb5_unparse_name(context, host_princ, &unparsed_name) != 0) {
+ return (krb5_principal)NULL;
+ }
+ if ((salt_princ_s = kerberos_secrets_fetch_salting_principal(unparsed_name, enctype)) == NULL) {
+ /* fall back to host/machine.realm@REALM */
+ salt_princ_s = kerberos_standard_des_salt();
+ }
}
- if (krb5_parse_name(context, salt_princ_s, &ret_princ) != 0) {
- krb5_free_unparsed_name(context, unparsed_name);
- SAFE_FREE(salt_princ_s);
- return (krb5_principal)NULL;
+ if (smb_krb5_parse_name(context, salt_princ_s, &ret_princ) != 0) {
+ ret_princ = NULL;
}
- krb5_free_unparsed_name(context, unparsed_name);
+
+ SAFE_FREE(unparsed_name);
SAFE_FREE(salt_princ_s);
+
return ret_princ;
}
Setting principal to NULL deletes this entry.
************************************************************************/
- BOOL kerberos_secrets_store_salting_principal(const char *service,
+bool kerberos_secrets_store_salting_principal(const char *service,
int enctype,
const char *principal)
{
char *key = NULL;
- BOOL ret = False;
+ bool ret = False;
krb5_context context = NULL;
krb5_principal princ = NULL;
char *princ_s = NULL;
asprintf(&princ_s, "%s@%s", service, lp_realm());
}
- if (krb5_parse_name(context, princ_s, &princ) != 0) {
+ if (smb_krb5_parse_name(context, princ_s, &princ) != 0) {
goto out;
}
- if (krb5_unparse_name(context, princ, &unparsed_name) != 0) {
+ if (smb_krb5_unparse_name(context, princ, &unparsed_name) != 0) {
goto out;
}
SAFE_FREE(key);
SAFE_FREE(princ_s);
+ SAFE_FREE(unparsed_name);
- if (unparsed_name) {
- krb5_free_unparsed_name(context, unparsed_name);
- }
if (context) {
krb5_free_context(context);
}
return ret;
}
+
/************************************************************************
- Routine to get initial credentials as a service ticket for the local machine.
- Returns a buffer initialized with krb5_mk_req_extended.
- ************************************************************************/
+************************************************************************/
-static krb5_error_code get_service_ticket(krb5_context ctx,
- krb5_ccache ccache,
- const char *service_principal,
- int enctype,
- krb5_data *p_outbuf)
+int kerberos_kinit_password(const char *principal,
+ const char *password,
+ int time_offset,
+ const char *cache_name)
{
- krb5_creds creds, *new_creds = NULL;
- char *service_s = NULL;
- char *machine_account = NULL, *password = NULL;
- krb5_data in_data;
- krb5_auth_context auth_context = NULL;
- krb5_error_code err = 0;
-
- ZERO_STRUCT(creds);
-
- asprintf(&machine_account, "%s$@%s", global_myname(), lp_realm());
- if (machine_account == NULL) {
- goto out;
- }
- password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
- if (password == NULL) {
- goto out;
- }
- if ((err = kerberos_kinit_password(machine_account, password, 0, NULL, LIBADS_CCACHE_NAME)) != 0) {
- DEBUG(0,("get_service_ticket: kerberos_kinit_password %s@%s failed: %s\n",
- machine_account,
- lp_realm(),
- error_message(err)));
- goto out;
- }
-
- /* Ok - the above call has gotten a TGT. Now we need to get a service
- ticket to ourselves. */
-
- /* Set up the enctype and client and server principal fields for krb5_get_credentials. */
- kerberos_set_creds_enctype(&creds, enctype);
+ return kerberos_kinit_password_ext(principal,
+ password,
+ time_offset,
+ 0,
+ 0,
+ cache_name,
+ False,
+ False,
+ 0,
+ NULL);
+}
- if ((err = krb5_cc_get_principal(ctx, ccache, &creds.client))) {
- DEBUG(3, ("get_service_ticket: krb5_cc_get_principal failed: %s\n",
- error_message(err)));
- goto out;
- }
+/************************************************************************
+ Create a string list of available kdc's, possibly searching by sitename.
+ Does DNS queries.
+************************************************************************/
- if (strchr_m(service_principal, '@')) {
- asprintf(&service_s, "%s", service_principal);
- } else {
- asprintf(&service_s, "%s@%s", service_principal, lp_realm());
+static char *get_kdc_ip_string(char *mem_ctx, const char *realm, const char *sitename, struct in_addr primary_ip)
+{
+ int i;
+ struct ip_service *ip_srv_site = NULL;
+ struct ip_service *ip_srv_nonsite;
+ int count_site = 0;
+ int count_nonsite;
+ char *kdc_str = talloc_asprintf(mem_ctx, "\tkdc = %s\n",
+ inet_ntoa(primary_ip));
+
+ if (kdc_str == NULL) {
+ return NULL;
}
- if ((err = krb5_parse_name(ctx, service_s, &creds.server))) {
- DEBUG(0,("get_service_ticket: krb5_parse_name %s failed: %s\n",
- service_s, error_message(err)));
- goto out;
- }
+ /* Get the KDC's only in this site. */
- if ((err = krb5_get_credentials(ctx, 0, ccache, &creds, &new_creds))) {
- DEBUG(5,("get_service_ticket: krb5_get_credentials for %s enctype %d failed: %s\n",
- service_s, enctype, error_message(err)));
- goto out;
- }
+ if (sitename) {
- memset(&in_data, '\0', sizeof(in_data));
- if ((err = krb5_mk_req_extended(ctx, &auth_context, 0, &in_data,
- new_creds, p_outbuf)) != 0) {
- DEBUG(0,("get_service_ticket: krb5_mk_req_extended failed: %s\n",
- error_message(err)));
- goto out;
- }
+ get_kdc_list(realm, sitename, &ip_srv_site, &count_site);
- out:
-
- if (auth_context) {
- krb5_auth_con_free(ctx, auth_context);
- }
- if (new_creds) {
- krb5_free_creds(ctx, new_creds);
- }
- if (creds.server) {
- krb5_free_principal(ctx, creds.server);
- }
- if (creds.client) {
- krb5_free_principal(ctx, creds.client);
+ for (i = 0; i < count_site; i++) {
+ if (ip_equal(ip_srv_site[i].ip, primary_ip)) {
+ continue;
+ }
+ /* Append to the string - inefficient but not done often. */
+ kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
+ kdc_str, inet_ntoa(ip_srv_site[i].ip));
+ if (!kdc_str) {
+ SAFE_FREE(ip_srv_site);
+ return NULL;
+ }
+ }
}
- SAFE_FREE(service_s);
- SAFE_FREE(password);
- SAFE_FREE(machine_account);
- return err;
-}
-
-/************************************************************************
- Check if the machine password can be used in conjunction with the salting_principal
- to generate a key which will successfully decrypt the AP_REQ already
- gotten as a message to the local machine.
- ************************************************************************/
+ /* Get all KDC's. */
-static BOOL verify_service_password(krb5_context ctx,
- int enctype,
- const char *salting_principal,
- krb5_data *in_data)
-{
- BOOL ret = False;
- krb5_principal salting_kprinc = NULL;
- krb5_ticket *ticket = NULL;
- krb5_keyblock key;
- krb5_data passdata;
- char *salting_s = NULL;
- char *machine_account = NULL, *password = NULL;
- krb5_auth_context auth_context = NULL;
- krb5_error_code err;
-
- memset(&passdata, '\0', sizeof(passdata));
- memset(&key, '\0', sizeof(key));
-
- asprintf(&machine_account, "%s$@%s", global_myname(), lp_realm());
- if (machine_account == NULL) {
- goto out;
- }
- password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
- if (password == NULL) {
- goto out;
- }
+ get_kdc_list(realm, NULL, &ip_srv_nonsite, &count_nonsite);
- if (strchr_m(salting_principal, '@')) {
- asprintf(&salting_s, "%s", salting_principal);
- } else {
- asprintf(&salting_s, "%s@%s", salting_principal, lp_realm());
- }
+ for (i = 0; i < count_nonsite; i++) {
+ int j;
- if ((err = krb5_parse_name(ctx, salting_s, &salting_kprinc))) {
- DEBUG(0,("verify_service_password: krb5_parse_name %s failed: %s\n",
- salting_s, error_message(err)));
- goto out;
- }
+ if (ip_equal(ip_srv_nonsite[i].ip, primary_ip)) {
+ continue;
+ }
- passdata.length = strlen(password);
- passdata.data = (char*)password;
- if ((err = create_kerberos_key_from_string_direct(ctx, salting_kprinc, &passdata, &key, enctype))) {
- DEBUG(0,("verify_service_password: create_kerberos_key_from_string %d failed: %s\n",
- enctype, error_message(err)));
- goto out;
- }
+ /* Ensure this isn't an IP already seen (YUK! this is n*n....) */
+ for (j = 0; j < count_site; j++) {
+ if (ip_equal(ip_srv_nonsite[i].ip, ip_srv_site[j].ip)) {
+ break;
+ }
+ /* As the lists are sorted we can break early if nonsite > site. */
+ if (ip_service_compare(&ip_srv_nonsite[i], &ip_srv_site[j]) > 0) {
+ break;
+ }
+ }
+ if (j != i) {
+ continue;
+ }
- if ((err = krb5_auth_con_init(ctx, &auth_context)) != 0) {
- DEBUG(0,("verify_service_password: krb5_auth_con_init failed %s\n", error_message(err)));
- goto out;
+ /* Append to the string - inefficient but not done often. */
+ kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
+ kdc_str, inet_ntoa(ip_srv_nonsite[i].ip));
+ if (!kdc_str) {
+ SAFE_FREE(ip_srv_site);
+ SAFE_FREE(ip_srv_nonsite);
+ return NULL;
+ }
}
- if ((err = krb5_auth_con_setuseruserkey(ctx, auth_context, &key)) != 0) {
- DEBUG(0,("verify_service_password: krb5_auth_con_setuseruserkey failed %s\n", error_message(err)));
- goto out;
- }
- if (!(err = krb5_rd_req(ctx, &auth_context, in_data, NULL, NULL, NULL, &ticket))) {
- DEBUG(10,("verify_service_password: decrypted message with enctype %u salt %s!\n",
- (unsigned int)enctype, salting_s));
- ret = True;
- }
+ SAFE_FREE(ip_srv_site);
+ SAFE_FREE(ip_srv_nonsite);
- out:
+ DEBUG(10,("get_kdc_ip_string: Returning %s\n",
+ kdc_str ));
- memset(&passdata, 0, sizeof(passdata));
- krb5_free_keyblock_contents(ctx, &key);
- if (ticket != NULL) {
- krb5_free_ticket(ctx, ticket);
- }
- if (salting_kprinc) {
- krb5_free_principal(ctx, salting_kprinc);
- }
- SAFE_FREE(salting_s);
- SAFE_FREE(password);
- SAFE_FREE(machine_account);
- return ret;
+ return kdc_str;
}
/************************************************************************
- *
- * From the current draft of kerberos-clarifications:
- *
- * It is not possible to reliably generate a user's key given a pass
- * phrase without contacting the KDC, since it will not be known
- * whether alternate salt or parameter values are required.
- *
- * And because our server has a password, we have this exact problem. We
- * make multiple guesses as to which principal name provides the salt which
- * the KDC is using.
- *
- ************************************************************************/
-
-static void kerberos_derive_salting_principal_for_enctype(const char *service_principal,
- krb5_context ctx,
- krb5_ccache ccache,
- krb5_enctype enctype,
- krb5_enctype *enctypes)
+ Create a specific krb5.conf file in the private directory pointing
+ at a specific kdc for a realm. Keyed off domain name. Sets
+ KRB5_CONFIG environment variable to point to this file. Must be
+ run as root or will fail (which is a good thing :-).
+************************************************************************/
+
+bool create_local_private_krb5_conf_for_domain(const char *realm, const char *domain,
+ const char *sitename, struct in_addr ip)
{
- char *salting_principals[3] = {NULL, NULL, NULL}, *second_principal = NULL;
- krb5_error_code err = 0;
- krb5_data outbuf;
- int i, j;
-
- memset(&outbuf, '\0', sizeof(outbuf));
-
- /* Check that the service_principal is useful. */
- if ((service_principal == NULL) || (strlen(service_principal) == 0)) {
- return;
+ char *dname = talloc_asprintf(NULL, "%s/smb_krb5", lp_lockdir());
+ char *tmpname = NULL;
+ char *fname = NULL;
+ char *file_contents = NULL;
+ char *kdc_ip_string = NULL;
+ size_t flen = 0;
+ ssize_t ret;
+ int fd;
+ char *realm_upper = NULL;
+
+ if (!dname) {
+ return False;
}
-
- /* Generate our first guess -- the principal as-given. */
- asprintf(&salting_principals[0], "%s", service_principal);
- if ((salting_principals[0] == NULL) || (strlen(salting_principals[0]) == 0)) {
- return;
+ if ((mkdir(dname, 0755)==-1) && (errno != EEXIST)) {
+ DEBUG(0,("create_local_private_krb5_conf_for_domain: "
+ "failed to create directory %s. Error was %s\n",
+ dname, strerror(errno) ));
+ TALLOC_FREE(dname);
+ return False;
}
- /* Generate our second guess -- the computer's principal, as Win2k3. */
- asprintf(&second_principal, "host/%s.%s", global_myname(), lp_realm());
- if (second_principal != NULL) {
- strlower_m(second_principal);
- asprintf(&salting_principals[1], "%s@%s", second_principal, lp_realm());
- SAFE_FREE(second_principal);
- }
- if ((salting_principals[1] == NULL) || (strlen(salting_principals[1]) == 0)) {
- goto out;
+ tmpname = talloc_asprintf(dname, "%s/smb_tmp_krb5.XXXXXX", lp_lockdir());
+ if (!tmpname) {
+ TALLOC_FREE(dname);
+ return False;
}
- /* Generate our third guess -- the computer's principal, as Win2k. */
- asprintf(&second_principal, "HOST/%s", global_myname());
- if (second_principal != NULL) {
- strlower_m(second_principal + 5);
- asprintf(&salting_principals[2], "%s@%s",
- second_principal, lp_realm());
- SAFE_FREE(second_principal);
- }
- if ((salting_principals[2] == NULL) || (strlen(salting_principals[2]) == 0)) {
- goto out;
+ fname = talloc_asprintf(dname, "%s/krb5.conf.%s", dname, domain);
+ if (!fname) {
+ TALLOC_FREE(dname);
+ return False;
}
- /* Get a service ticket for ourselves into our memory ccache. */
- /* This will commonly fail if there is no principal by that name (and we're trying
- many names). So don't print a debug 0 error. */
-
- if ((err = get_service_ticket(ctx, ccache, service_principal, enctype, &outbuf)) != 0) {
- DEBUG(3, ("verify_service_password: get_service_ticket failed: %s\n",
- error_message(err)));
- goto out;
- }
+ DEBUG(10,("create_local_private_krb5_conf_for_domain: fname = %s, realm = %s, domain = %s\n",
+ fname, realm, domain ));
- /* At this point we have a message to ourselves, salted only the KDC knows how. We
- have to work out what that salting is. */
+ realm_upper = talloc_strdup(fname, realm);
+ strupper_m(realm_upper);
- /* Try and find the correct salting principal. */
- for (i = 0; i < sizeof(salting_principals) / sizeof(salting_principals[i]); i++) {
- if (verify_service_password(ctx, enctype, salting_principals[i], &outbuf)) {
- break;
- }
+ kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, ip);
+ if (!kdc_ip_string) {
+ TALLOC_FREE(dname);
+ return False;
}
+
+ file_contents = talloc_asprintf(fname, "[libdefaults]\n\tdefault_realm = %s\n\n"
+ "[realms]\n\t%s = {\n"
+ "\t%s\t}\n",
+ realm_upper, realm_upper, kdc_ip_string);
- /* If we failed to get a match, return. */
- if (i >= sizeof(salting_principals) / sizeof(salting_principals[i])) {
- goto out;
+ if (!file_contents) {
+ TALLOC_FREE(dname);
+ return False;
}
- /* If we succeeded, store the principal for use for all enctypes which
- * share the same cipher and string-to-key function. Doing this here
- * allows servers which just pass a keytab to krb5_rd_req() to work
- * correctly. */
- for (j = 0; enctypes[j] != 0; j++) {
- if (enctype != enctypes[j]) {
- /* If this enctype isn't compatible with the one which
- * we used, skip it. */
+ flen = strlen(file_contents);
- if (!kerberos_compatible_enctypes(ctx, enctypes[j], enctype))
- continue;
- }
- /* If the principal which gives us the proper salt is the one
- * which we would normally guess, don't bother noting anything
- * in the secrets tdb. */
- if (strcmp(service_principal, salting_principals[i]) != 0) {
- kerberos_secrets_store_salting_principal(service_principal,
- enctypes[j],
- salting_principals[i]);
- }
+ fd = smb_mkstemp(tmpname);
+ if (fd == -1) {
+ DEBUG(0,("create_local_private_krb5_conf_for_domain: smb_mkstemp failed,"
+ " for file %s. Errno %s\n",
+ tmpname, strerror(errno) ));
}
- out :
-
- kerberos_free_data_contents(ctx, &outbuf);
- SAFE_FREE(salting_principals[0]);
- SAFE_FREE(salting_principals[1]);
- SAFE_FREE(salting_principals[2]);
- SAFE_FREE(second_principal);
-}
-
-/************************************************************************
- Go through all the possible enctypes for this principal.
- ************************************************************************/
-
-static void kerberos_derive_salting_principal_direct(krb5_context context,
- krb5_ccache ccache,
- krb5_enctype *enctypes,
- char *service_principal)
-{
- int i;
-
- /* Try for each enctype separately, because the rules are
- * different for different enctypes. */
- for (i = 0; enctypes[i] != 0; i++) {
- /* Delete secrets entry first. */
- kerberos_secrets_store_salting_principal(service_principal, 0, NULL);
-#ifdef ENCTYPE_ARCFOUR_HMAC
- if (enctypes[i] == ENCTYPE_ARCFOUR_HMAC) {
- /* Of course this'll always work, so just save
- * ourselves the effort. */
- continue;
- }
-#endif
- /* Try to figure out what's going on with this
- * principal. */
- kerberos_derive_salting_principal_for_enctype(service_principal,
- context,
- ccache,
- enctypes[i],
- enctypes);
+ if (fchmod(fd, 0644)==-1) {
+ DEBUG(0,("create_local_private_krb5_conf_for_domain: fchmod failed for %s."
+ " Errno %s\n",
+ tmpname, strerror(errno) ));
+ unlink(tmpname);
+ close(fd);
+ TALLOC_FREE(dname);
+ return False;
}
-}
-
-/************************************************************************
- Wrapper function for the above.
- ************************************************************************/
-
-BOOL kerberos_derive_salting_principal(char *service_principal)
-{
- krb5_context context = NULL;
- krb5_enctype *enctypes = NULL;
- krb5_ccache ccache = NULL;
- krb5_error_code ret = 0;
- initialize_krb5_error_table();
- if ((ret = krb5_init_context(&context)) != 0) {
- DEBUG(1,("kerberos_derive_cifs_salting_principals: krb5_init_context failed. %s\n",
- error_message(ret)));
+ ret = write(fd, file_contents, flen);
+ if (flen != ret) {
+ DEBUG(0,("create_local_private_krb5_conf_for_domain: write failed,"
+ " returned %d (should be %u). Errno %s\n",
+ (int)ret, (unsigned int)flen, strerror(errno) ));
+ unlink(tmpname);
+ close(fd);
+ TALLOC_FREE(dname);
return False;
}
- if ((ret = get_kerberos_allowed_etypes(context, &enctypes)) != 0) {
- DEBUG(1,("kerberos_derive_cifs_salting_principals: get_kerberos_allowed_etypes failed. %s\n",
- error_message(ret)));
- goto out;
+ if (close(fd)==-1) {
+ DEBUG(0,("create_local_private_krb5_conf_for_domain: close failed."
+ " Errno %s\n", strerror(errno) ));
+ unlink(tmpname);
+ TALLOC_FREE(dname);
+ return False;
}
- if ((ret = krb5_cc_resolve(context, LIBADS_CCACHE_NAME, &ccache)) != 0) {
- DEBUG(3, ("get_service_ticket: krb5_cc_resolve for %s failed: %s\n",
- LIBADS_CCACHE_NAME, error_message(ret)));
- goto out;
+ if (rename(tmpname, fname) == -1) {
+ DEBUG(0,("create_local_private_krb5_conf_for_domain: rename "
+ "of %s to %s failed. Errno %s\n",
+ tmpname, fname, strerror(errno) ));
+ unlink(tmpname);
+ TALLOC_FREE(dname);
+ return False;
}
- kerberos_derive_salting_principal_direct(context, ccache, enctypes, service_principal);
+ DEBUG(5,("create_local_private_krb5_conf_for_domain: wrote "
+ "file %s with realm %s KDC = %s\n",
+ fname, realm_upper, inet_ntoa(ip) ));
- out:
- if (enctypes) {
- free_kerberos_etypes(context, enctypes);
- }
- if (ccache) {
- krb5_cc_destroy(context, ccache);
- }
- if (context) {
- krb5_free_context(context);
- }
+ /* Set the environment variable to this file. */
+ setenv("KRB5_CONFIG", fname, 1);
- return ret ? False : True;
-}
+#if defined(OVERWRITE_SYSTEM_KRB5_CONF)
-/************************************************************************
- Core function to try and determine what salt is being used for any keytab
- keys.
- ************************************************************************/
+#define SYSTEM_KRB5_CONF_PATH "/etc/krb5.conf"
+ /* Insanity, sheer insanity..... */
-BOOL kerberos_derive_cifs_salting_principals(void)
-{
- fstring my_fqdn;
- char *service = NULL;
- krb5_context context = NULL;
- krb5_enctype *enctypes = NULL;
- krb5_ccache ccache = NULL;
- krb5_error_code ret = 0;
- BOOL retval = False;
+ if (strequal(realm, lp_realm())) {
+ pstring linkpath;
+ int lret;
- initialize_krb5_error_table();
- if ((ret = krb5_init_context(&context)) != 0) {
- DEBUG(1,("kerberos_derive_cifs_salting_principals: krb5_init_context failed. %s\n",
- error_message(ret)));
- return False;
- }
- if ((ret = get_kerberos_allowed_etypes(context, &enctypes)) != 0) {
- DEBUG(1,("kerberos_derive_cifs_salting_principals: get_kerberos_allowed_etypes failed. %s\n",
- error_message(ret)));
- goto out;
- }
+ lret = readlink(SYSTEM_KRB5_CONF_PATH, linkpath, sizeof(linkpath)-1);
+ linkpath[sizeof(pstring)-1] = '\0';
- if ((ret = krb5_cc_resolve(context, LIBADS_CCACHE_NAME, &ccache)) != 0) {
- DEBUG(3, ("get_service_ticket: krb5_cc_resolve for %s failed: %s\n",
- LIBADS_CCACHE_NAME, error_message(ret)));
- goto out;
- }
+ if (lret == 0 || strcmp(linkpath, fname) == 0) {
+ /* Symlink already exists. */
+ TALLOC_FREE(dname);
+ return True;
+ }
- if (asprintf(&service, "%s$", global_myname()) != -1) {
- strlower_m(service);
- kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
- SAFE_FREE(service);
- }
- if (asprintf(&service, "cifs/%s", global_myname()) != -1) {
- strlower_m(service);
- kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
- SAFE_FREE(service);
- }
- if (asprintf(&service, "host/%s", global_myname()) != -1) {
- strlower_m(service);
- kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
- SAFE_FREE(service);
- }
- if (asprintf(&service, "cifs/%s.%s", global_myname(), lp_realm()) != -1) {
- strlower_m(service);
- kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
- SAFE_FREE(service);
- }
- if (asprintf(&service, "host/%s.%s", global_myname(), lp_realm()) != -1) {
- strlower_m(service);
- kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
- SAFE_FREE(service);
- }
- name_to_fqdn(my_fqdn, global_myname());
- if (asprintf(&service, "cifs/%s", my_fqdn) != -1) {
- strlower_m(service);
- kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
- SAFE_FREE(service);
- }
- if (asprintf(&service, "host/%s", my_fqdn) != -1) {
- strlower_m(service);
- kerberos_derive_salting_principal_direct(context, ccache, enctypes, service);
- SAFE_FREE(service);
+ /* Try and replace with a symlink. */
+ if (symlink(fname, SYSTEM_KRB5_CONF_PATH) == -1) {
+ if (errno != EEXIST) {
+ DEBUG(0,("create_local_private_krb5_conf_for_domain: symlink "
+ "of %s to %s failed. Errno %s\n",
+ fname, SYSTEM_KRB5_CONF_PATH, strerror(errno) ));
+ TALLOC_FREE(dname);
+ return True; /* Not a fatal error. */
+ }
+
+ pstrcpy(linkpath, SYSTEM_KRB5_CONF_PATH);
+ pstrcat(linkpath, ".saved");
+
+ /* Yes, this is a race conditon... too bad. */
+ if (rename(SYSTEM_KRB5_CONF_PATH, linkpath) == -1) {
+ DEBUG(0,("create_local_private_krb5_conf_for_domain: rename "
+ "of %s to %s failed. Errno %s\n",
+ SYSTEM_KRB5_CONF_PATH, linkpath,
+ strerror(errno) ));
+ TALLOC_FREE(dname);
+ return True; /* Not a fatal error. */
+ }
+
+ if (symlink(fname, "/etc/krb5.conf") == -1) {
+ DEBUG(0,("create_local_private_krb5_conf_for_domain: "
+ "forced symlink of %s to /etc/krb5.conf failed. Errno %s\n",
+ fname, strerror(errno) ));
+ TALLOC_FREE(dname);
+ return True; /* Not a fatal error. */
+ }
+ }
}
+#endif
- retval = True;
+ TALLOC_FREE(dname);
- out:
- if (enctypes) {
- free_kerberos_etypes(context, enctypes);
- }
- if (ccache) {
- krb5_cc_destroy(context, ccache);
- }
- if (context) {
- krb5_free_context(context);
- }
- return retval;
+ return True;
}
#endif