r12411: Add 'net samdump keytab <keytab>'.
[samba.git] / source / auth / credentials / credentials_files.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    User credentials handling (as regards on-disk files)
5
6    Copyright (C) Jelmer Vernooij 2005
7    Copyright (C) Tim Potter 2001
8    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
9    
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 2 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19    
20    You should have received a copy of the GNU General Public License
21    along with this program; if not, write to the Free Software
22    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 */
24
25 #include "includes.h"
26 #include "lib/ldb/include/ldb.h"
27 #include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */
28 #include "include/secrets.h"
29 #include "system/filesys.h"
30
31 /**
32  * Read a file descriptor, and parse it for a password (eg from a file or stdin)
33  *
34  * @param credentials Credentials structure on which to set the password
35  * @param fd open file descriptor to read the password from 
36  * @param obtained This enum describes how 'specified' this password is
37  */
38
39 BOOL cli_credentials_parse_password_fd(struct cli_credentials *credentials, 
40                                        int fd, enum credentials_obtained obtained)
41 {
42         char *p;
43         char pass[128];
44
45         for(p = pass, *p = '\0'; /* ensure that pass is null-terminated */
46                 p && p - pass < sizeof(pass);) {
47                 switch (read(fd, p, 1)) {
48                 case 1:
49                         if (*p != '\n' && *p != '\0') {
50                                 *++p = '\0'; /* advance p, and null-terminate pass */
51                                 break;
52                         }
53                 case 0:
54                         if (p - pass) {
55                                 *p = '\0'; /* null-terminate it, just in case... */
56                                 p = NULL; /* then force the loop condition to become false */
57                                 break;
58                         } else {
59                                 fprintf(stderr, "Error reading password from file descriptor %d: %s\n", fd, "empty password\n");
60                                 return False;
61                         }
62
63                 default:
64                         fprintf(stderr, "Error reading password from file descriptor %d: %s\n",
65                                         fd, strerror(errno));
66                         return False;
67                 }
68         }
69
70         cli_credentials_set_password(credentials, pass, obtained);
71         return True;
72 }
73
74 /**
75  * Read a named file, and parse it for a password
76  *
77  * @param credentials Credentials structure on which to set the password
78  * @param file a named file to read the password from 
79  * @param obtained This enum describes how 'specified' this password is
80  */
81
82 BOOL cli_credentials_parse_password_file(struct cli_credentials *credentials, const char *file, enum credentials_obtained obtained)
83 {
84         int fd = open(file, O_RDONLY, 0);
85         BOOL ret;
86
87         if (fd < 0) {
88                 fprintf(stderr, "Error opening PASSWD_FILE %s: %s\n",
89                                 file, strerror(errno));
90                 return False;
91         }
92
93         ret = cli_credentials_parse_password_fd(credentials, fd, obtained);
94
95         close(fd);
96         
97         return ret;
98 }
99
100 /**
101  * Read a named file, and parse it for username, domain, realm and password
102  *
103  * @param credentials Credentials structure on which to set the password
104  * @param file a named file to read the details from 
105  * @param obtained This enum describes how 'specified' this password is
106  */
107
108 BOOL cli_credentials_parse_file(struct cli_credentials *cred, const char *file, enum credentials_obtained obtained) 
109 {
110         uint16_t len = 0;
111         char *ptr, *val, *param;
112         char **lines;
113         int i, numlines;
114
115         lines = file_lines_load(file, &numlines, NULL);
116
117         if (lines == NULL)
118         {
119                 /* fail if we can't open the credentials file */
120                 d_printf("ERROR: Unable to open credentials file!\n");
121                 return False;
122         }
123
124         for (i = 0; i < numlines; i++) {
125                 len = strlen(lines[i]);
126
127                 if (len == 0)
128                         continue;
129
130                 /* break up the line into parameter & value.
131                  * will need to eat a little whitespace possibly */
132                 param = lines[i];
133                 if (!(ptr = strchr_m (lines[i], '=')))
134                         continue;
135
136                 val = ptr+1;
137                 *ptr = '\0';
138
139                 /* eat leading white space */
140                 while ((*val!='\0') && ((*val==' ') || (*val=='\t')))
141                         val++;
142
143                 if (strwicmp("password", param) == 0) {
144                         cli_credentials_set_password(cred, val, obtained);
145                 } else if (strwicmp("username", param) == 0) {
146                         cli_credentials_set_username(cred, val, obtained);
147                 } else if (strwicmp("domain", param) == 0) {
148                         cli_credentials_set_domain(cred, val, obtained);
149                 } else if (strwicmp("realm", param) == 0) {
150                         cli_credentials_set_realm(cred, val, obtained);
151                 }
152                 memset(lines[i], 0, len);
153         }
154
155         talloc_free(lines);
156
157         return True;
158 }
159
160
161 /**
162  * Fill in credentials for the machine trust account, from the secrets database.
163  * 
164  * @param cred Credentials structure to fill in
165  * @retval NTSTATUS error detailing any failure
166  */
167 NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, 
168                                      const char *base,
169                                      const char *filter)
170 {
171         TALLOC_CTX *mem_ctx;
172         
173         struct ldb_context *ldb;
174         int ldb_ret;
175         struct ldb_message **msgs;
176         const char *attrs[] = {
177                 "secret",
178                 "priorSecret",
179                 "samAccountName",
180                 "flatname",
181                 "realm",
182                 "secureChannelType",
183                 "ntPwdHash",
184                 "msDS-KeyVersionNumber",
185                 "saltPrincipal",
186                 "privateKeytab",
187                 "krb5Keytab",
188                 NULL
189         };
190         
191         const char *machine_account;
192         const char *password;
193         const char *old_password;
194         const char *domain;
195         const char *realm;
196         enum netr_SchannelType sct;
197         const char *salt_principal;
198         const char *keytab;
199         
200         /* ok, we are going to get it now, don't recurse back here */
201         cred->machine_account_pending = False;
202
203         /* some other parts of the system will key off this */
204         cred->machine_account = True;
205
206         mem_ctx = talloc_named(cred, 0, "cli_credentials fetch machine password");
207
208         /* Local secrets are stored in secrets.ldb */
209         ldb = secrets_db_connect(mem_ctx);
210         if (!ldb) {
211                 /* set anonymous as the fallback, if the machine account won't work */
212                 cli_credentials_set_anonymous(cred);
213                 DEBUG(1, ("Could not open secrets.ldb\n"));
214                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
215         }
216
217         /* search for the secret record */
218         ldb_ret = gendb_search(ldb,
219                                mem_ctx, ldb_dn_explode(mem_ctx, base), 
220                                &msgs, attrs,
221                                "%s", filter);
222         if (ldb_ret == 0) {
223                 DEBUG(1, ("Could not find entry to match filter: %s\n",
224                           filter));
225                 /* set anonymous as the fallback, if the machine account won't work */
226                 cli_credentials_set_anonymous(cred);
227                 talloc_free(mem_ctx);
228                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
229         } else if (ldb_ret != 1) {
230                 DEBUG(1, ("Found more than one (%d) entry to match filter: %s\n",
231                           ldb_ret, filter));
232                 /* set anonymous as the fallback, if the machine account won't work */
233                 cli_credentials_set_anonymous(cred);
234                 talloc_free(mem_ctx);
235                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
236         }
237         
238         password = ldb_msg_find_string(msgs[0], "secret", NULL);
239         old_password = ldb_msg_find_string(msgs[0], "priorSecret", NULL);
240
241         machine_account = ldb_msg_find_string(msgs[0], "samAccountName", NULL);
242
243         if (!machine_account) {
244                 DEBUG(1, ("Could not find 'samAccountName' in join record to domain: %s\n",
245                           cli_credentials_get_domain(cred)));
246                 /* set anonymous as the fallback, if the machine account won't work */
247                 cli_credentials_set_anonymous(cred);
248                 talloc_free(mem_ctx);
249                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
250         }
251
252         salt_principal = ldb_msg_find_string(msgs[0], "saltPrincipal", NULL);
253         cli_credentials_set_salt_principal(cred, salt_principal);
254         
255         sct = ldb_msg_find_int(msgs[0], "secureChannelType", 0);
256         if (sct) { 
257                 cli_credentials_set_secure_channel_type(cred, sct);
258         }
259         
260         if (!password) {
261                 const struct ldb_val *nt_password_hash = ldb_msg_find_ldb_val(msgs[0], "ntPwdHash");
262                 struct samr_Password hash;
263                 ZERO_STRUCT(hash);
264                 if (nt_password_hash) {
265                         memcpy(hash.hash, nt_password_hash->data, 
266                                MIN(nt_password_hash->length, sizeof(hash.hash)));
267                 
268                         cli_credentials_set_nt_hash(cred, &hash, CRED_SPECIFIED);
269                 } else {
270                 
271                         DEBUG(1, ("Could not find 'secret' in join record to domain: %s\n",
272                                   cli_credentials_get_domain(cred)));
273
274                         /* set anonymous as the fallback, if the machine account won't work */
275                         cli_credentials_set_anonymous(cred);
276
277                         talloc_free(mem_ctx);
278                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
279                 }
280         }
281         
282         domain = ldb_msg_find_string(msgs[0], "flatname", NULL);
283         if (domain) {
284                 cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
285         }
286
287         realm = ldb_msg_find_string(msgs[0], "realm", NULL);
288         if (realm) {
289                 cli_credentials_set_realm(cred, realm, CRED_SPECIFIED);
290         }
291
292         cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
293         if (password) {
294                 cli_credentials_set_password(cred, password, CRED_SPECIFIED);
295         }
296
297         cli_credentials_set_kvno(cred, ldb_msg_find_int(msgs[0], "msDS-KeyVersionNumber", 0));
298
299         /* If there was an external keytab specified by reference in
300          * the LDB, then use this.  Otherwise we will make one up
301          * (chewing CPU time) from the password */
302         keytab = ldb_msg_find_string(msgs[0], "krb5Keytab", NULL);
303         if (keytab) {
304                 cli_credentials_set_keytab_name(cred, keytab, CRED_SPECIFIED);
305         } else {
306                 keytab = ldb_msg_find_string(msgs[0], "privateKeytab", NULL);
307                 if (keytab) {
308                         keytab = talloc_asprintf(mem_ctx, "FILE:%s", private_path(mem_ctx, keytab));
309                         if (keytab) {
310                                 cli_credentials_set_keytab_name(cred, keytab, CRED_SPECIFIED);
311                         }
312                 }
313         }
314         talloc_free(mem_ctx);
315         
316         return NT_STATUS_OK;
317 }
318
319 /**
320  * Fill in credentials for the machine trust account, from the secrets database.
321  * 
322  * @param cred Credentials structure to fill in
323  * @retval NTSTATUS error detailing any failure
324  */
325 NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred)
326 {
327         char *filter;
328         /* Bleh, nasty recursion issues: We are setting a machine
329          * account here, so we don't want the 'pending' flag around
330          * any more */
331         cred->machine_account_pending = False;
332         filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, 
333                                        cli_credentials_get_domain(cred));
334         return cli_credentials_set_secrets(cred, SECRETS_PRIMARY_DOMAIN_DN,
335                                            filter);
336 }
337
338 /**
339  * Fill in credentials for the machine trust account, from the secrets database.
340  * 
341  * @param cred Credentials structure to fill in
342  * @retval NTSTATUS error detailing any failure
343  */
344 NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred)
345 {
346         char *filter;
347         /* Bleh, nasty recursion issues: We are setting a machine
348          * account here, so we don't want the 'pending' flag around
349          * any more */
350         cred->machine_account_pending = False;
351         filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH,
352                                        cli_credentials_get_realm(cred),
353                                        cli_credentials_get_domain(cred));
354         return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN,
355                                            filter);
356 }
357
358 /**
359  * Fill in credentials for the machine trust account, from the secrets database.
360  * 
361  * @param cred Credentials structure to fill in
362  * @retval NTSTATUS error detailing any failure
363  */
364 NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
365                                               const char *serviceprincipal)
366 {
367         char *filter;
368         /* Bleh, nasty recursion issues: We are setting a machine
369          * account here, so we don't want the 'pending' flag around
370          * any more */
371         cred->machine_account_pending = False;
372         filter = talloc_asprintf(cred, SECRETS_PRINCIPAL_SEARCH,
373                                  cli_credentials_get_realm(cred),
374                                  cli_credentials_get_domain(cred),
375                                  serviceprincipal);
376         return cli_credentials_set_secrets(cred, SECRETS_PRINCIPALS_DN,
377                                            filter);
378 }
379
380 /**
381  * Ask that when required, the credentials system will be filled with
382  * machine trust account, from the secrets database.
383  * 
384  * @param cred Credentials structure to fill in
385  * @note This function is used to call the above function after, rather 
386  *       than during, popt processing.
387  *
388  */
389 void cli_credentials_set_machine_account_pending(struct cli_credentials *cred)
390 {
391         cred->machine_account_pending = True;
392 }
393
394
395 NTSTATUS cli_credentials_update_all_keytabs(TALLOC_CTX *parent_ctx)
396 {
397         TALLOC_CTX *mem_ctx;
398         int ldb_ret;
399         struct ldb_context *ldb;
400         struct ldb_message **msgs;
401         const char *attrs[] = { NULL };
402         struct cli_credentials *creds;
403         const char *filter;
404         NTSTATUS status;
405         int i, ret;
406
407         mem_ctx = talloc_new(parent_ctx);
408         if (!mem_ctx) {
409                 return NT_STATUS_NO_MEMORY;
410         }
411
412         /* Local secrets are stored in secrets.ldb */
413         ldb = secrets_db_connect(mem_ctx);
414         if (!ldb) {
415                 DEBUG(1, ("Could not open secrets.ldb\n"));
416                 talloc_free(mem_ctx);
417                 return NT_STATUS_ACCESS_DENIED;
418         }
419
420         /* search for the secret record */
421         ldb_ret = gendb_search(ldb,
422                                mem_ctx, NULL,
423                                &msgs, attrs,
424                                "objectClass=kerberosSecret");
425         if (ldb_ret == -1) {
426                 DEBUG(1, ("Error looking for kerberos type secrets to push into a keytab"));
427                 talloc_free(mem_ctx);
428                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
429         }
430
431         for (i=0; i < ldb_ret; i++) {
432                 /* Make a credentials structure from it */
433                 creds = cli_credentials_init(mem_ctx);
434                 if (!creds) {
435                         DEBUG(1, ("cli_credentials_init failed!"));
436                         talloc_free(mem_ctx);
437                         return NT_STATUS_NO_MEMORY;
438                 }
439                 cli_credentials_set_conf(creds);
440                 filter = talloc_asprintf(mem_ctx, "dn=%s", ldb_dn_linearize(mem_ctx, msgs[i]->dn));
441                 status = cli_credentials_set_secrets(creds, NULL, filter);
442                 if (!NT_STATUS_IS_OK(status)) {
443                         DEBUG(1, ("Failed to read secrets for keytab update for %s\n", 
444                                   filter));
445                         talloc_free(mem_ctx);
446                         return status;
447                 } 
448                 ret = cli_credentials_update_keytab(creds);
449                 if (ret != 0) {
450                         DEBUG(1, ("Failed to update keytab for %s\n", 
451                                   filter));
452                         talloc_free(mem_ctx);
453                         return NT_STATUS_UNSUCCESSFUL;
454                 }
455         }
456         return NT_STATUS_OK;
457 }
458