4 Copyright (c) 2010, Simo Sorce <idra@samba.org>
5 Copyright (c) 2014-2015 Guenther Deschner <gd@samba.org>
6 Copyright (c) 2014-2016 Andreas Schneider <asn@samba.org>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #define TEVENT_DEPRECATED 1
25 #include "param/param.h"
26 #include "dsdb/samdb/samdb.h"
27 #include "system/kerberos.h"
29 #include <kadm5/kadm_err.h>
31 #include "kdc/sdb_kdb.h"
32 #include "auth/kerberos/kerberos.h"
33 #include "auth/kerberos/pac_utils.h"
34 #include "kdc/samba_kdc.h"
35 #include "kdc/pac-glue.h"
36 #include "kdc/db-glue.h"
37 #include "auth/auth.h"
38 #include "kdc/kpasswd_glue.h"
39 #include "auth/auth_sam.h"
41 #include "mit_samba.h"
43 void mit_samba_context_free(struct mit_samba_context *ctx)
45 /* free heimdal's krb5_context */
47 krb5_free_context(ctx->context);
50 /* then free everything else */
54 int mit_samba_context_init(struct mit_samba_context **_ctx)
57 struct mit_samba_context *ctx;
58 const char *s4_conf_file;
60 struct samba_kdc_base_context base_ctx;
62 ctx = talloc_zero(NULL, struct mit_samba_context);
68 base_ctx.ev_ctx = tevent_context_init(ctx);
69 if (!base_ctx.ev_ctx) {
73 tevent_loop_allow_nesting(base_ctx.ev_ctx);
74 base_ctx.lp_ctx = loadparm_init_global(false);
75 if (!base_ctx.lp_ctx) {
80 setup_logging("mitkdc", DEBUG_DEFAULT_STDOUT);
82 /* init s4 configuration */
83 s4_conf_file = lpcfg_configfile(base_ctx.lp_ctx);
85 lpcfg_load(base_ctx.lp_ctx, s4_conf_file);
87 lpcfg_load_default(base_ctx.lp_ctx);
90 status = samba_kdc_setup_db_ctx(ctx, &base_ctx, &ctx->db_ctx);
91 if (!NT_STATUS_IS_OK(status)) {
96 /* init heimdal's krb_context and log facilities */
97 ret = smb_krb5_init_context_basic(ctx,
108 mit_samba_context_free(ctx);
115 static krb5_error_code ks_is_tgs_principal(struct mit_samba_context *ctx,
116 krb5_const_principal principal)
121 p = smb_krb5_principal_get_comp_string(ctx, ctx->context, principal, 0);
123 eq = krb5_princ_size(ctx->context, principal) == 2 &&
124 (strcmp(p, KRB5_TGS_NAME) == 0);
131 int mit_samba_generate_salt(krb5_data *salt)
138 salt->data = malloc(salt->length);
139 if (salt->data == NULL) {
143 generate_random_buffer((uint8_t *)salt->data, salt->length);
148 int mit_samba_generate_random_password(krb5_data *pwd)
158 tmp_ctx = talloc_named(NULL,
160 "mit_samba_create_principal_password context");
161 if (tmp_ctx == NULL) {
165 password = generate_random_password(tmp_ctx, pwd->length, pwd->length);
166 if (password == NULL) {
167 talloc_free(tmp_ctx);
171 pwd->data = strdup(password);
172 talloc_free(tmp_ctx);
173 if (pwd->data == NULL) {
180 int mit_samba_get_principal(struct mit_samba_context *ctx,
181 krb5_const_principal principal,
183 krb5_db_entry **_kentry)
185 struct sdb_entry_ex sentry = {
188 krb5_db_entry *kentry;
192 kentry = calloc(1, sizeof(krb5_db_entry));
193 if (kentry == NULL) {
197 if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
198 sflags |= SDB_F_CANON;
200 if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
201 KRB5_KDB_FLAG_INCLUDE_PAC)) {
203 * KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is equal to
206 * We use ANY to also allow AS_REQ for service principal names
207 * This is supported by Windows.
209 sflags |= SDB_F_GET_ANY|SDB_F_FOR_AS_REQ;
210 } else if (ks_is_tgs_principal(ctx, principal)) {
211 sflags |= SDB_F_GET_KRBTGT;
213 sflags |= SDB_F_GET_SERVER|SDB_F_FOR_TGS_REQ;
216 /* always set this or the created_by data will not be populated by samba's
217 * backend and we will fail to parse the entry later */
218 sflags |= SDB_F_ADMIN_DATA;
220 ret = samba_kdc_fetch(ctx->context, ctx->db_ctx,
221 principal, sflags, 0, &sentry);
225 case SDB_ERR_NOENTRY:
226 ret = KRB5_KDB_NOENTRY;
228 case SDB_ERR_WRONG_REALM:
230 * If we have a wrong realm e.g. if we try get a cross forest
231 * ticket, we return a ticket with the correct realm. The KDC
232 * will detect this an return the appropriate return code.
236 case SDB_ERR_NOT_FOUND_HERE:
237 /* FIXME: RODC support */
242 ret = sdb_entry_ex_to_kdb_entry_ex(ctx->context, &sentry, kentry);
244 sdb_free_entry(&sentry);
255 int mit_samba_get_firstkey(struct mit_samba_context *ctx,
256 krb5_db_entry **_kentry)
258 struct sdb_entry_ex sentry = {
261 krb5_db_entry *kentry;
264 kentry = malloc(sizeof(krb5_db_entry));
265 if (kentry == NULL) {
269 ret = samba_kdc_firstkey(ctx->context, ctx->db_ctx, &sentry);
273 case SDB_ERR_NOENTRY:
275 return KRB5_KDB_NOENTRY;
276 case SDB_ERR_NOT_FOUND_HERE:
277 /* FIXME: RODC support */
283 ret = sdb_entry_ex_to_kdb_entry_ex(ctx->context, &sentry, kentry);
285 sdb_free_entry(&sentry);
295 int mit_samba_get_nextkey(struct mit_samba_context *ctx,
296 krb5_db_entry **_kentry)
298 struct sdb_entry_ex sentry = {
301 krb5_db_entry *kentry;
304 kentry = malloc(sizeof(krb5_db_entry));
305 if (kentry == NULL) {
309 ret = samba_kdc_nextkey(ctx->context, ctx->db_ctx, &sentry);
313 case SDB_ERR_NOENTRY:
315 return KRB5_KDB_NOENTRY;
316 case SDB_ERR_NOT_FOUND_HERE:
317 /* FIXME: RODC support */
323 ret = sdb_entry_ex_to_kdb_entry_ex(ctx->context, &sentry, kentry);
325 sdb_free_entry(&sentry);
335 int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
336 krb5_context context,
337 krb5_db_entry *client,
338 krb5_keyblock *client_key,
342 DATA_BLOB *logon_info_blob = NULL;
343 DATA_BLOB *upn_dns_info_blob = NULL;
344 DATA_BLOB *cred_ndr = NULL;
345 DATA_BLOB **cred_ndr_ptr = NULL;
346 DATA_BLOB cred_blob = data_blob_null;
347 DATA_BLOB *pcred_blob = NULL;
349 krb5_error_code code;
350 struct samba_kdc_entry *skdc_entry;
352 skdc_entry = talloc_get_type_abort(client->e_data,
353 struct samba_kdc_entry);
355 tmp_ctx = talloc_named(smb_ctx,
357 "mit_samba_get_pac_data_blobs context");
358 if (tmp_ctx == NULL) {
362 #if 0 /* TODO Find out if this is a pkinit_reply key */
363 /* Check if we have a PREAUTH key */
364 if (client_key != NULL) {
365 cred_ndr_ptr = &cred_ndr;
369 nt_status = samba_kdc_get_pac_blobs(tmp_ctx,
374 if (!NT_STATUS_IS_OK(nt_status)) {
375 talloc_free(tmp_ctx);
379 if (cred_ndr != NULL) {
380 code = samba_kdc_encrypt_pac_credentials(context,
386 talloc_free(tmp_ctx);
389 pcred_blob = &cred_blob;
392 code = samba_make_krb5_pac(context,
399 talloc_free(tmp_ctx);
403 krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
404 krb5_context context,
406 krb5_const_principal client_principal,
407 krb5_db_entry *client,
408 krb5_db_entry *server,
409 krb5_db_entry *krbtgt,
410 krb5_keyblock *krbtgt_keyblock,
414 krb5_error_code code;
416 DATA_BLOB *pac_blob = NULL;
417 DATA_BLOB *upn_blob = NULL;
418 DATA_BLOB *deleg_blob = NULL;
419 struct samba_kdc_entry *client_skdc_entry = NULL;
420 struct samba_kdc_entry *krbtgt_skdc_entry;
421 bool is_in_db = false;
422 bool is_untrusted = false;
423 size_t num_types = 0;
424 uint32_t *types = NULL;
425 uint32_t forced_next_type = 0;
427 ssize_t logon_info_idx = -1;
428 ssize_t delegation_idx = -1;
429 ssize_t logon_name_idx = -1;
430 ssize_t upn_dns_info_idx = -1;
431 ssize_t srv_checksum_idx = -1;
432 ssize_t kdc_checksum_idx = -1;
433 krb5_pac new_pac = NULL;
436 if (client != NULL) {
438 talloc_get_type_abort(client->e_data,
439 struct samba_kdc_entry);
441 /* The user account may be set not to want the PAC */
442 ok = samba_princ_needs_pac(client_skdc_entry);
448 if (krbtgt == NULL) {
452 talloc_get_type_abort(krbtgt->e_data,
453 struct samba_kdc_entry);
455 tmp_ctx = talloc_named(ctx, 0, "mit_samba_reget_pac context");
456 if (tmp_ctx == NULL) {
460 code = samba_krbtgt_is_in_db(krbtgt_skdc_entry,
468 if (client == NULL) {
469 code = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
473 nt_status = samba_kdc_get_pac_blobs(tmp_ctx,
478 if (!NT_STATUS_IS_OK(nt_status)) {
483 struct PAC_SIGNATURE_DATA *pac_srv_sig;
484 struct PAC_SIGNATURE_DATA *pac_kdc_sig;
486 pac_blob = talloc_zero(tmp_ctx, DATA_BLOB);
487 if (pac_blob == NULL) {
492 pac_srv_sig = talloc_zero(tmp_ctx, struct PAC_SIGNATURE_DATA);
493 if (pac_srv_sig == NULL) {
498 pac_kdc_sig = talloc_zero(tmp_ctx, struct PAC_SIGNATURE_DATA);
499 if (pac_kdc_sig == NULL) {
504 nt_status = samba_kdc_update_pac_blob(tmp_ctx,
510 if (!NT_STATUS_IS_OK(nt_status)) {
511 DEBUG(0, ("Update PAC blob failed: %s\n",
512 nt_errstr(nt_status)));
519 * Now check the KDC signature, fetching the correct
520 * key based on the enc type.
522 code = check_pac_checksum(pac_srv_sig->signature,
527 DBG_INFO("PAC KDC signature failed to verify\n");
533 if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
534 deleg_blob = talloc_zero(tmp_ctx, DATA_BLOB);
535 if (deleg_blob == NULL) {
540 nt_status = samba_kdc_update_delegation_info_blob(tmp_ctx,
544 discard_const(client_principal),
546 if (!NT_STATUS_IS_OK(nt_status)) {
547 DEBUG(0, ("Update delegation info failed: %s\n",
548 nt_errstr(nt_status)));
554 /* Check the types of the given PAC */
555 code = krb5_pac_get_types(context, *pac, &num_types, &types);
560 for (i = 0; i < num_types; i++) {
562 case PAC_TYPE_LOGON_INFO:
563 if (logon_info_idx != -1) {
564 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
574 case PAC_TYPE_CONSTRAINED_DELEGATION:
575 if (delegation_idx != -1) {
576 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
586 case PAC_TYPE_LOGON_NAME:
587 if (logon_name_idx != -1) {
588 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
598 case PAC_TYPE_UPN_DNS_INFO:
599 if (upn_dns_info_idx != -1) {
600 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
608 upn_dns_info_idx = i;
610 case PAC_TYPE_SRV_CHECKSUM:
611 if (srv_checksum_idx != -1) {
612 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
620 srv_checksum_idx = i;
622 case PAC_TYPE_KDC_CHECKSUM:
623 if (kdc_checksum_idx != -1) {
624 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
632 kdc_checksum_idx = i;
639 if (logon_info_idx == -1) {
640 DEBUG(1, ("PAC_TYPE_LOGON_INFO missing\n"));
645 if (logon_name_idx == -1) {
646 DEBUG(1, ("PAC_TYPE_LOGON_NAME missing\n"));
651 if (srv_checksum_idx == -1) {
652 DEBUG(1, ("PAC_TYPE_SRV_CHECKSUM missing\n"));
657 if (kdc_checksum_idx == -1) {
658 DEBUG(1, ("PAC_TYPE_KDC_CHECKSUM missing\n"));
664 /* Build an updated PAC */
665 code = krb5_pac_init(context, &new_pac);
673 DATA_BLOB type_blob = data_blob_null;
676 if (forced_next_type != 0) {
678 * We need to inject possible missing types
680 type = forced_next_type;
681 forced_next_type = 0;
682 } else if (i < num_types) {
690 case PAC_TYPE_LOGON_INFO:
691 type_blob = *pac_blob;
693 if (delegation_idx == -1 && deleg_blob != NULL) {
694 /* inject CONSTRAINED_DELEGATION behind */
695 forced_next_type = PAC_TYPE_CONSTRAINED_DELEGATION;
698 case PAC_TYPE_CONSTRAINED_DELEGATION:
699 if (deleg_blob != NULL) {
700 type_blob = *deleg_blob;
703 case PAC_TYPE_CREDENTIAL_INFO:
705 * Note that we copy the credential blob,
706 * as it's only usable with the PKINIT based
707 * AS-REP reply key, it's only available on the
708 * host which did the AS-REQ/AS-REP exchange.
710 * This matches Windows 2008R2...
713 case PAC_TYPE_LOGON_NAME:
715 * This is generated in the main KDC code
718 case PAC_TYPE_UPN_DNS_INFO:
720 * Replace in the RODC case, otherwise
721 * upn_blob is NULL and we just copy.
723 if (upn_blob != NULL) {
724 type_blob = *upn_blob;
727 case PAC_TYPE_SRV_CHECKSUM:
729 * This is generated in the main KDC code
732 case PAC_TYPE_KDC_CHECKSUM:
734 * This is generated in the main KDC code
742 if (type_blob.length != 0) {
743 code = smb_krb5_copy_data_contents(&type_data,
748 krb5_pac_free(context, new_pac);
752 code = krb5_pac_get_buffer(context,
758 krb5_pac_free(context, new_pac);
763 code = krb5_pac_add_buffer(context,
767 smb_krb5_free_data_contents(context, &type_data);
770 krb5_pac_free(context, new_pac);
777 /* We now replace the pac */
778 krb5_pac_free(context, *pac);
781 talloc_free(tmp_ctx);
785 /* provide header, function is exported but there are no public headers */
787 krb5_error_code encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data **code);
789 /* this function allocates 'data' using malloc.
790 * The caller is responsible for freeing it */
791 static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data)
793 krb5_error_code ret = 0;
794 krb5_pa_data pa, *ppa = NULL;
803 pa.magic = KV5M_PA_DATA;
804 pa.pa_type = KRB5_PADATA_PW_SALT;
806 pa.contents = malloc(pa.length);
811 SIVAL(pa.contents, 0, NT_STATUS_V(nt_status));
812 SIVAL(pa.contents, 4, 0);
813 SIVAL(pa.contents, 8, 1);
817 ret = encode_krb5_padata_sequence(&ppa, &d);
823 e_data->data = (uint8_t *)d->data;
824 e_data->length = d->length;
826 /* free d, not d->data - gd */
832 int mit_samba_check_client_access(struct mit_samba_context *ctx,
833 krb5_db_entry *client,
834 const char *client_name,
835 krb5_db_entry *server,
836 const char *server_name,
837 const char *netbios_name,
838 bool password_change,
841 struct samba_kdc_entry *skdc_entry;
844 skdc_entry = talloc_get_type(client->e_data, struct samba_kdc_entry);
846 nt_status = samba_kdc_check_client_access(skdc_entry,
851 if (!NT_STATUS_IS_OK(nt_status)) {
852 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
856 samba_kdc_build_edata_reply(nt_status, e_data);
858 return samba_kdc_map_policy_err(nt_status);
864 int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
865 krb5_db_entry *kentry,
866 const char *target_name,
867 bool is_nt_enterprise_name)
871 * This is disabled because mit_samba_update_pac_data() does not handle
872 * S4U_DELEGATION_INFO
875 return KRB5KDC_ERR_BADOPTION;
877 krb5_principal target_principal;
881 if (is_nt_enterprise_name) {
882 flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
885 ret = krb5_parse_name_flags(ctx->context, target_name,
886 flags, &target_principal);
891 ret = samba_kdc_check_s4u2proxy(ctx->context,
896 krb5_free_principal(ctx->context, target_principal);
902 static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
904 enum samPwdChangeReason reject_reason,
905 struct samr_DomInfo1 *dominfo)
907 krb5_error_code code = KADM5_PASS_Q_GENERIC;
909 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
910 code = KADM5_BAD_PRINCIPAL;
911 krb5_set_error_message(context,
913 "No such user when changing password");
915 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
916 code = KADM5_PASS_Q_GENERIC;
917 krb5_set_error_message(context,
919 "Not permitted to change password");
921 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) &&
923 switch (reject_reason) {
924 case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT:
925 code = KADM5_PASS_Q_TOOSHORT;
926 krb5_set_error_message(context,
928 "Password too short, password "
929 "must be at least %d characters "
931 dominfo->min_password_length);
933 case SAM_PWD_CHANGE_NOT_COMPLEX:
934 code = KADM5_PASS_Q_DICT;
935 krb5_set_error_message(context,
937 "Password does not meet "
938 "complexity requirements");
940 case SAM_PWD_CHANGE_PWD_IN_HISTORY:
941 code = KADM5_PASS_TOOSOON;
942 krb5_set_error_message(context,
944 "Password is already in password "
945 "history. New password must not "
946 "match any of your %d previous "
948 dominfo->password_history_length);
951 code = KADM5_PASS_Q_GENERIC;
952 krb5_set_error_message(context,
954 "Password change rejected, "
955 "password changes may not be "
956 "permitted on this account, or "
957 "the minimum password age may "
958 "not have elapsed.");
966 int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
968 krb5_db_entry *db_entry)
971 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
974 enum samPwdChangeReason reject_reason;
975 struct samr_DomInfo1 *dominfo;
976 const char *error_string = NULL;
977 struct auth_user_info_dc *user_info_dc;
978 struct samba_kdc_entry *p;
979 krb5_error_code code = 0;
981 #ifdef DEBUG_PASSWORD
982 DEBUG(1,("mit_samba_kpasswd_change_password called with: %s\n", pwd));
985 tmp_ctx = talloc_named(ctx, 0, "mit_samba_kpasswd_change_password");
986 if (tmp_ctx == NULL) {
990 p = (struct samba_kdc_entry *)db_entry->e_data;
992 status = authsam_make_user_info_dc(tmp_ctx,
994 lpcfg_netbios_name(ctx->db_ctx->lp_ctx),
995 lpcfg_sam_name(ctx->db_ctx->lp_ctx),
996 lpcfg_sam_dnsname(ctx->db_ctx->lp_ctx),
1002 if (!NT_STATUS_IS_OK(status)) {
1003 DEBUG(1,("authsam_make_user_info_dc failed: %s\n",
1004 nt_errstr(status)));
1005 talloc_free(tmp_ctx);
1009 status = auth_generate_session_info(tmp_ctx,
1010 ctx->db_ctx->lp_ctx,
1013 0, /* session_info_flags */
1014 &ctx->session_info);
1016 if (!NT_STATUS_IS_OK(status)) {
1017 DEBUG(1,("auth_generate_session_info failed: %s\n",
1018 nt_errstr(status)));
1019 talloc_free(tmp_ctx);
1023 /* password is expected as UTF16 */
1025 if (!convert_string_talloc(tmp_ctx, CH_UTF8, CH_UTF16,
1027 &password.data, &password.length)) {
1028 DEBUG(1,("convert_string_talloc failed\n"));
1029 talloc_free(tmp_ctx);
1033 status = samdb_kpasswd_change_password(tmp_ctx,
1034 ctx->db_ctx->lp_ctx,
1035 ctx->db_ctx->ev_ctx,
1043 if (!NT_STATUS_IS_OK(status)) {
1044 DEBUG(1,("samdb_kpasswd_change_password failed: %s\n",
1045 nt_errstr(status)));
1046 code = KADM5_PASS_Q_GENERIC;
1047 krb5_set_error_message(ctx->context, code, "%s", error_string);
1051 if (!NT_STATUS_IS_OK(result)) {
1052 code = mit_samba_change_pwd_error(ctx->context,
1059 talloc_free(tmp_ctx);
1064 void mit_samba_zero_bad_password_count(krb5_db_entry *db_entry)
1066 struct samba_kdc_entry *p;
1067 struct ldb_dn *domain_dn;
1069 p = (struct samba_kdc_entry *)db_entry->e_data;
1071 domain_dn = ldb_get_default_basedn(p->kdc_db_ctx->samdb);
1073 authsam_logon_success_accounting(p->kdc_db_ctx->samdb,
1080 void mit_samba_update_bad_password_count(krb5_db_entry *db_entry)
1082 struct samba_kdc_entry *p;
1084 p = (struct samba_kdc_entry *)db_entry->e_data;
1086 authsam_update_bad_pwd_count(p->kdc_db_ctx->samdb,
1088 ldb_get_default_basedn(p->kdc_db_ctx->samdb));