source3/libads/krb5_setpw.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    krb5 set password implementation
   4    Copyright (C) Andrew Tridgell 2001
   5    Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 3 of the License, or
  10    (at your option) any later version.
  11
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16
  17    You should have received a copy of the GNU General Public License
  18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 */
  20
  21 #include "includes.h"
  22 #include "smb_krb5.h"
  23 #include "libads/kerberos_proto.h"
  24 #include "../lib/util/asn1.h"
  25
  26 #ifdef HAVE_KRB5
  27
  28 /* Those are defined by kerberos-set-passwd-02.txt and are probably
  29  * not supported by M$ implementation */
  30 #define KRB5_KPASSWD_POLICY_REJECT              8
  31 #define KRB5_KPASSWD_BAD_PRINCIPAL              9
  32 #define KRB5_KPASSWD_ETYPE_NOSUPP               10
  33
  34 /*
  35  * we've got to be able to distinguish KRB_ERRORs from other
  36  * requests - valid response for CHPW v2 replies.
  37  */
  38
  39 static krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code)
  40 {
  41         switch(res_code) {
  42                 case KRB5_KPASSWD_ACCESSDENIED:
  43                         return KRB5KDC_ERR_BADOPTION;
  44                 case KRB5_KPASSWD_INITIAL_FLAG_NEEDED:
  45                         return KRB5KDC_ERR_BADOPTION;
  46                         /* return KV5M_ALT_METHOD; MIT-only define */
  47                 case KRB5_KPASSWD_ETYPE_NOSUPP:
  48                         return KRB5KDC_ERR_ETYPE_NOSUPP;
  49                 case KRB5_KPASSWD_BAD_PRINCIPAL:
  50                         return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
  51                 case KRB5_KPASSWD_POLICY_REJECT:
  52                 case KRB5_KPASSWD_SOFTERROR:
  53                         return KRB5KDC_ERR_POLICY;
  54                 default:
  55                         return KRB5KRB_ERR_GENERIC;
  56         }
  57 }
  58
  59 ADS_STATUS ads_krb5_set_password(const char *kdc_host, const char *principal,
  60                                  const char *newpw, int time_offset)
  61 {
  62
  63         ADS_STATUS aret;
  64         krb5_error_code ret = 0;
  65         krb5_context context = NULL;
  66         krb5_principal princ = NULL;
  67         krb5_ccache ccache = NULL;
  68         int result_code;
  69         krb5_data result_code_string = { 0 };
  70         krb5_data result_string = { 0 };
  71
  72         initialize_krb5_error_table();
  73         ret = krb5_init_context(&context);
  74         if (ret) {
  75                 DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
  76                 return ADS_ERROR_KRB5(ret);
  77         }
  78
  79         if (principal) {
  80                 ret = smb_krb5_parse_name(context, principal, &princ);
  81                 if (ret) {
  82                         krb5_free_context(context);
  83                         DEBUG(1, ("Failed to parse %s (%s)\n", principal,
  84                                   error_message(ret)));
  85                         return ADS_ERROR_KRB5(ret);
  86                 }
  87         }
  88
  89         if (time_offset != 0) {
  90                 krb5_set_real_time(context, time(NULL) + time_offset, 0);
  91         }
  92
  93         ret = krb5_cc_default(context, &ccache);
  94         if (ret) {
  95                 krb5_free_principal(context, princ);
  96                 krb5_free_context(context);
  97                 DEBUG(1,("Failed to get default creds (%s)\n", error_message(ret)));
  98                 return ADS_ERROR_KRB5(ret);
  99         }
 100
 101         ret = krb5_set_password_using_ccache(context,
 102                                              ccache,
 103                                              discard_const_p(char, newpw),
 104                                              princ,
 105                                              &result_code,
 106                                              &result_code_string,
 107                                              &result_string);
 108         if (ret) {
 109                 DEBUG(1, ("krb5_set_password failed (%s)\n", error_message(ret)));
 110                 aret = ADS_ERROR_KRB5(ret);
 111                 goto done;
 112         }
 113
 114         if (result_code != KRB5_KPASSWD_SUCCESS) {
 115                 ret = kpasswd_err_to_krb5_err(result_code);
 116                 DEBUG(1, ("krb5_set_password failed (%s)\n", error_message(ret)));
 117                 aret = ADS_ERROR_KRB5(ret);
 118                 goto done;
 119         }
 120
 121         aret = ADS_SUCCESS;
 122
 123 done:
 124         smb_krb5_free_data_contents(context, &result_code_string);
 125         smb_krb5_free_data_contents(context, &result_string);
 126         krb5_free_principal(context, princ);
 127         krb5_cc_close(context, ccache);
 128         krb5_free_context(context);
 129
 130         return aret;
 131 }
 132
 133 /*
 134   we use a prompter to avoid a crash bug in the kerberos libs when
 135   dealing with empty passwords
 136   this prompter is just a string copy ...
 137 */
 138 static krb5_error_code
 139 kerb_prompter(krb5_context ctx, void *data,
 140                const char *name,
 141                const char *banner,
 142                int num_prompts,
 143                krb5_prompt prompts[])
 144 {
 145         if (num_prompts == 0) return 0;
 146
 147         memset(prompts[0].reply->data, 0, prompts[0].reply->length);
 148         if (prompts[0].reply->length > 0) {
 149                 if (data) {
 150                         strncpy((char *)prompts[0].reply->data,
 151                                 (const char *)data,
 152                                 prompts[0].reply->length-1);
 153                         prompts[0].reply->length = strlen((const char *)prompts[0].reply->data);
 154                 } else {
 155                         prompts[0].reply->length = 0;
 156                 }
 157         }
 158         return 0;
 159 }
 160
 161 static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
 162                                         const char *principal,
 163                                         const char *oldpw,
 164                                         const char *newpw,
 165                                         int time_offset)
 166 {
 167     ADS_STATUS aret;
 168     krb5_error_code ret;
 169     krb5_context context = NULL;
 170     krb5_principal princ;
 171     krb5_get_init_creds_opt *opts = NULL;
 172     krb5_creds creds;
 173     char *chpw_princ = NULL, *password;
 174     char *realm = NULL;
 175     int result_code;
 176     krb5_data result_code_string = { 0 };
 177     krb5_data result_string = { 0 };
 178     smb_krb5_addresses *addr = NULL;
 179
 180     initialize_krb5_error_table();
 181     ret = krb5_init_context(&context);
 182     if (ret) {
 183         DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
 184         return ADS_ERROR_KRB5(ret);
 185     }
 186
 187     if ((ret = smb_krb5_parse_name(context, principal,
 188                                     &princ))) {
 189         krb5_free_context(context);
 190         DEBUG(1,("Failed to parse %s (%s)\n", principal, error_message(ret)));
 191         return ADS_ERROR_KRB5(ret);
 192     }
 193
 194         ret = krb5_get_init_creds_opt_alloc(context, &opts);
 195         if (ret != 0) {
 196                 krb5_free_context(context);
 197                 DBG_WARNING("krb5_get_init_creds_opt_alloc failed: %s\n",
 198                             error_message(ret));
 199                 return ADS_ERROR_KRB5(ret);
 200         }
 201
 202         krb5_get_init_creds_opt_set_tkt_life(opts, 5*60);
 203         krb5_get_init_creds_opt_set_renew_life(opts, 0);
 204         krb5_get_init_creds_opt_set_forwardable(opts, 0);
 205         krb5_get_init_creds_opt_set_proxiable(opts, 0);
 206
 207     /* note that heimdal will fill in the local addresses if the addresses
 208      * in the creds_init_opt are all empty and then later fail with invalid
 209      * address, sending our local netbios krb5 address - just like windows
 210      * - avoids this - gd */
 211     ret = smb_krb5_gen_netbios_krb5_address(&addr, lp_netbios_name());
 212     if (ret) {
 213         krb5_free_principal(context, princ);
 214         krb5_get_init_creds_opt_free(context, opts);
 215         krb5_free_context(context);
 216         return ADS_ERROR_KRB5(ret);
 217     }
 218         krb5_get_init_creds_opt_set_address_list(opts, addr->addrs);
 219
 220     realm = smb_krb5_principal_get_realm(context, princ);
 221
 222     /* We have to obtain an INITIAL changepw ticket for changing password */
 223     if (asprintf(&chpw_princ, "kadmin/changepw@%s", realm) == -1) {
 224         krb5_get_init_creds_opt_free(context, opts);
 225         smb_krb5_free_addresses(context, addr);
 226         krb5_free_context(context);
 227         free(realm);
 228         DEBUG(1,("ads_krb5_chg_password: asprintf fail\n"));
 229         return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
 230     }
 231
 232     free(realm);
 233     password = SMB_STRDUP(oldpw);
 234     ret = krb5_get_init_creds_password(context, &creds, princ, password,
 235                                            kerb_prompter, NULL,
 236                                            0, chpw_princ, opts);
 237         krb5_get_init_creds_opt_free(context, opts);
 238         smb_krb5_free_addresses(context, addr);
 239     SAFE_FREE(chpw_princ);
 240     SAFE_FREE(password);
 241
 242     if (ret) {
 243       if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)
 244         DEBUG(1,("Password incorrect while getting initial ticket"));
 245       else
 246         DEBUG(1,("krb5_get_init_creds_password failed (%s)\n", error_message(ret)));
 247
 248         krb5_free_principal(context, princ);
 249         krb5_free_context(context);
 250         return ADS_ERROR_KRB5(ret);
 251     }
 252
 253         ret = krb5_set_password(context,
 254                                 &creds,
 255                                 discard_const_p(char, newpw),
 256                                 NULL,
 257                                 &result_code,
 258                                 &result_code_string,
 259                                 &result_string);
 260
 261     if (ret) {
 262         DEBUG(1, ("krb5_change_password failed (%s)\n", error_message(ret)));
 263         aret = ADS_ERROR_KRB5(ret);
 264         goto done;
 265     }
 266
 267     if (result_code != KRB5_KPASSWD_SUCCESS) {
 268         ret = kpasswd_err_to_krb5_err(result_code);
 269         DEBUG(1, ("krb5_change_password failed (%s)\n", error_message(ret)));
 270         aret = ADS_ERROR_KRB5(ret);
 271         goto done;
 272     }
 273
 274     aret = ADS_SUCCESS;
 275
 276 done:
 277     smb_krb5_free_data_contents(context, &result_code_string);
 278     smb_krb5_free_data_contents(context, &result_string);
 279     krb5_free_principal(context, princ);
 280     krb5_free_context(context);
 281
 282     return aret;
 283 }
 284
 285
 286 ADS_STATUS kerberos_set_password(const char *kpasswd_server,
 287                                  const char *auth_principal, const char *auth_password,
 288                                  const char *target_principal, const char *new_password,
 289                                  int time_offset)
 290 {
 291     int ret;
 292
 293     if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL))) {
 294         DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret)));
 295         return ADS_ERROR_KRB5(ret);
 296     }
 297
 298     if (!strcmp(auth_principal, target_principal))
 299         return ads_krb5_chg_password(kpasswd_server, target_principal,
 300                                      auth_password, new_password, time_offset);
 301     else
 302         return ads_krb5_set_password(kpasswd_server, target_principal,
 303                                      new_password, time_offset);
 304 }
 305
 306 #endif