source3/libads/authdata.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    kerberos authorization data (PAC) utility library
   4    Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
   5    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   6    Copyright (C) Andrew Tridgell 2001
   7    Copyright (C) Luke Howard 2002-2003
   8    Copyright (C) Stefan Metzmacher 2004-2005
   9    Copyright (C) Guenther Deschner 2005,2007,2008
  10
  11    This program is free software; you can redistribute it and/or modify
  12    it under the terms of the GNU General Public License as published by
  13    the Free Software Foundation; either version 3 of the License, or
  14    (at your option) any later version.
  15
  16    This program is distributed in the hope that it will be useful,
  17    but WITHOUT ANY WARRANTY; without even the implied warranty of
  18    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  19    GNU General Public License for more details.
  20
  21    You should have received a copy of the GNU General Public License
  22    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  23 */
  24
  25 #include "includes.h"
  26 #include "librpc/gen_ndr/ndr_krb5pac.h"
  27 #include "smb_krb5.h"
  28 #include "libads/kerberos_proto.h"
  29
  30 #ifdef HAVE_KRB5
  31
  32 /****************************************************************
  33 Given a username, password and other details, return the
  34 PAC_LOGON_INFO (the structure containing the important user
  35 information such as groups).
  36 ****************************************************************/
  37
  38 NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
  39                              const char *name,
  40                              const char *pass,
  41                              time_t time_offset,
  42                              time_t *expire_time,
  43                              time_t *renew_till_time,
  44                              const char *cache_name,
  45                              bool request_pac,
  46                              bool add_netbios_addr,
  47                              time_t renewable_time,
  48                              const char *impersonate_princ_s,
  49                              struct PAC_LOGON_INFO **logon_info)
  50 {
  51         krb5_error_code ret;
  52         NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
  53         DATA_BLOB tkt, ap_rep, sesskey1, sesskey2;
  54         char *client_princ_out = NULL;
  55         const char *auth_princ = NULL;
  56         const char *local_service = NULL;
  57         const char *cc = "MEMORY:kerberos_return_pac";
  58
  59         ZERO_STRUCT(tkt);
  60         ZERO_STRUCT(ap_rep);
  61         ZERO_STRUCT(sesskey1);
  62         ZERO_STRUCT(sesskey2);
  63
  64         if (!name || !pass) {
  65                 return NT_STATUS_INVALID_PARAMETER;
  66         }
  67
  68         if (cache_name) {
  69                 cc = cache_name;
  70         }
  71
  72         if (!strchr_m(name, '@')) {
  73                 auth_princ = talloc_asprintf(mem_ctx, "%s@%s", name,
  74                         lp_realm());
  75         } else {
  76                 auth_princ = name;
  77         }
  78         NT_STATUS_HAVE_NO_MEMORY(auth_princ);
  79
  80         local_service = talloc_asprintf(mem_ctx, "%s$@%s",
  81                                         lp_netbios_name(), lp_realm());
  82         NT_STATUS_HAVE_NO_MEMORY(local_service);
  83
  84         ret = kerberos_kinit_password_ext(auth_princ,
  85                                           pass,
  86                                           time_offset,
  87                                           expire_time,
  88                                           renew_till_time,
  89                                           cc,
  90                                           request_pac,
  91                                           add_netbios_addr,
  92                                           renewable_time,
  93                                           &status);
  94         if (ret) {
  95                 DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
  96                         auth_princ, error_message(ret), ret));
  97                 /* status already set */
  98                 goto out;
  99         }
 100
 101         DEBUG(10,("got TGT for %s in %s\n", auth_princ, cc));
 102         if (expire_time) {
 103                 DEBUGADD(10,("\tvalid until: %s (%d)\n",
 104                         http_timestring(talloc_tos(), *expire_time),
 105                         (int)*expire_time));
 106         }
 107         if (renew_till_time) {
 108                 DEBUGADD(10,("\trenewable till: %s (%d)\n",
 109                         http_timestring(talloc_tos(), *renew_till_time),
 110                         (int)*renew_till_time));
 111         }
 112
 113         /* we cannot continue with krb5 when UF_DONT_REQUIRE_PREAUTH is set,
 114          * in that case fallback to NTLM - gd */
 115
 116         if (expire_time && renew_till_time &&
 117             (*expire_time == 0) && (*renew_till_time == 0)) {
 118                 return NT_STATUS_INVALID_LOGON_TYPE;
 119         }
 120
 121         ret = cli_krb5_get_ticket(mem_ctx,
 122                                   local_service,
 123                                   time_offset,
 124                                   &tkt,
 125                                   &sesskey1,
 126                                   0,
 127                                   cc,
 128                                   NULL,
 129                                   impersonate_princ_s);
 130         if (ret) {
 131                 DEBUG(1,("failed to get ticket for %s: %s\n",
 132                         local_service, error_message(ret)));
 133                 if (impersonate_princ_s) {
 134                         DEBUGADD(1,("tried S4U2SELF impersonation as: %s\n",
 135                                 impersonate_princ_s));
 136                 }
 137                 status = krb5_to_nt_status(ret);
 138                 goto out;
 139         }
 140         status = ads_verify_ticket(mem_ctx,
 141                                    lp_realm(),
 142                                    time_offset,
 143                                    &tkt,
 144                                    &client_princ_out,
 145                                    logon_info,
 146                                    &ap_rep,
 147                                    &sesskey2,
 148                                    False);
 149         if (!NT_STATUS_IS_OK(status)) {
 150                 DEBUG(1,("ads_verify_ticket failed: %s\n",
 151                         nt_errstr(status)));
 152                 goto out;
 153         }
 154
 155         if (!*logon_info) {
 156                 DEBUG(1,("no PAC\n"));
 157                 status = NT_STATUS_INVALID_PARAMETER;
 158                 goto out;
 159         }
 160
 161 out:
 162         if (cc != cache_name) {
 163                 ads_kdestroy(cc);
 164         }
 165
 166         data_blob_free(&tkt);
 167         data_blob_free(&ap_rep);
 168         data_blob_free(&sesskey1);
 169         data_blob_free(&sesskey2);
 170
 171         TALLOC_FREE(client_princ_out);
 172
 173         return status;
 174 }
 175
 176 #endif