Unix SMB/CIFS implementation.
Copyright (C) Guenther Deschner <gd@samba.org> 2008
+ Copyright (C) Michael Adam 2008
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
*/
#include "includes.h"
-#include "libnet/libnet.h"
+#include "smb_krb5.h"
+#include "libnet/libnet_dssync.h"
+#include "libnet/libnet_keytab.h"
#include "librpc/gen_ndr/ndr_drsblobs.h"
-#if defined(HAVE_ADS) && defined(ENCTYPE_ARCFOUR_HMAC)
-
-static NTSTATUS add_to_keytab_entries(TALLOC_CTX *mem_ctx,
- struct libnet_keytab_context *ctx,
- uint32_t kvno,
- const char *name,
- const char *prefix,
- DATA_BLOB blob)
-{
- struct libnet_keytab_entry entry;
-
- entry.kvno = kvno;
- entry.name = talloc_strdup(mem_ctx, name);
- entry.principal = talloc_asprintf(mem_ctx, "%s%s%s@%s",
- prefix ? prefix : "",
- prefix ? "/" : "",
- name, ctx->dns_domain_name);
- entry.password = blob;
- NT_STATUS_HAVE_NO_MEMORY(entry.name);
- NT_STATUS_HAVE_NO_MEMORY(entry.principal);
- NT_STATUS_HAVE_NO_MEMORY(entry.password.data);
-
- ADD_TO_ARRAY(mem_ctx, struct libnet_keytab_entry, entry,
- &ctx->entries, &ctx->count);
- NT_STATUS_HAVE_NO_MEMORY(ctx->entries);
-
- return NT_STATUS_OK;
-}
+#if defined(HAVE_ADS)
static NTSTATUS keytab_startup(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
struct replUpToDateVectorBlob **pold_utdv)
}
keytab_ctx->dns_domain_name = ctx->dns_domain_name;
+ keytab_ctx->clean_old_entries = ctx->clean_old_entries;
ctx->private_data = keytab_ctx;
principal = talloc_asprintf(mem_ctx, "UTDV/%s@%s",
ctx->nc_dn, ctx->dns_domain_name);
NT_STATUS_HAVE_NO_MEMORY(principal);
- entry = libnet_keytab_search(keytab_ctx, principal, 0, mem_ctx);
+ entry = libnet_keytab_search(keytab_ctx, principal, 0, ENCTYPE_NULL,
+ mem_ctx);
if (entry) {
enum ndr_err_code ndr_err;
old_utdv = talloc(mem_ctx, struct replUpToDateVectorBlob);
- ndr_err = ndr_pull_struct_blob(&entry->password, old_utdv,
- old_utdv,
+ ndr_err = ndr_pull_struct_blob(&entry->password, old_utdv, old_utdv,
(ndr_pull_flags_fn_t)ndr_pull_replUpToDateVectorBlob);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
- ctx->error_message = talloc_asprintf(mem_ctx,
+ ctx->error_message = talloc_asprintf(ctx,
"Failed to pull UpToDateVector: %s",
nt_errstr(status));
return status;
(ndr_push_flags_fn_t)ndr_push_replUpToDateVectorBlob);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
- ctx->error_message = talloc_asprintf(mem_ctx,
+ ctx->error_message = talloc_asprintf(ctx,
"Failed to push UpToDateVector: %s",
nt_errstr(status));
goto done;
}
- status = add_to_keytab_entries(mem_ctx, keytab_ctx, 0,
- ctx->nc_dn, "UTDV", blob);
+ status = libnet_keytab_add_to_keytab_entries(mem_ctx, keytab_ctx, 0,
+ ctx->nc_dn, "UTDV",
+ ENCTYPE_NULL,
+ blob);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
ret = libnet_keytab_add(keytab_ctx);
if (ret) {
status = krb5_to_nt_status(ret);
- ctx->error_message = talloc_asprintf(mem_ctx,
+ ctx->error_message = talloc_asprintf(ctx,
"Failed to add entries to keytab %s: %s",
keytab_ctx->keytab_name, error_message(ret));
goto done;
}
- ctx->result_message = talloc_asprintf(mem_ctx,
+ ctx->result_message = talloc_asprintf(ctx,
"Vampired %d accounts to keytab %s",
keytab_ctx->count,
keytab_ctx->keytab_name);
/****************************************************************
****************************************************************/
+static NTSTATUS parse_supplemental_credentials(TALLOC_CTX *mem_ctx,
+ const DATA_BLOB *blob,
+ struct package_PrimaryKerberosCtr3 **pkb3,
+ struct package_PrimaryKerberosCtr4 **pkb4)
+{
+ NTSTATUS status;
+ enum ndr_err_code ndr_err;
+ struct supplementalCredentialsBlob scb;
+ struct supplementalCredentialsPackage *scpk = NULL;
+ DATA_BLOB scpk_blob;
+ struct package_PrimaryKerberosBlob *pkb;
+ bool newer_keys = false;
+ uint32_t j;
+
+ ndr_err = ndr_pull_struct_blob_all(blob, mem_ctx, &scb,
+ (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ status = ndr_map_error2ntstatus(ndr_err);
+ goto done;
+ }
+ if ((scb.sub.signature != SUPPLEMENTAL_CREDENTIALS_SIGNATURE)
+ && (scb.sub.num_packages != 0))
+ {
+ if (DEBUGLEVEL >= 10) {
+ NDR_PRINT_DEBUG(supplementalCredentialsBlob, &scb);
+ }
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
+ for (j=0; j < scb.sub.num_packages; j++) {
+ if (strcmp("Primary:Kerberos-Newer-Keys",
+ scb.sub.packages[j].name) == 0)
+ {
+ scpk = &scb.sub.packages[j];
+ if (!scpk->data || !scpk->data[0]) {
+ scpk = NULL;
+ continue;
+ }
+ newer_keys = true;
+ break;
+ } else if (strcmp("Primary:Kerberos",
+ scb.sub.packages[j].name) == 0)
+ {
+ /*
+ * grab this but don't break here:
+ * there might still be newer-keys ...
+ */
+ scpk = &scb.sub.packages[j];
+ if (!scpk->data || !scpk->data[0]) {
+ scpk = NULL;
+ }
+ }
+ }
+
+ if (!scpk) {
+ /* no data */
+ status = NT_STATUS_OK;
+ goto done;
+ }
+
+ scpk_blob = strhex_to_data_blob(mem_ctx, scpk->data);
+ if (!scpk_blob.data) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ pkb = talloc_zero(mem_ctx, struct package_PrimaryKerberosBlob);
+ if (!pkb) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+ ndr_err = ndr_pull_struct_blob(&scpk_blob, mem_ctx, pkb,
+ (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ status = ndr_map_error2ntstatus(ndr_err);
+ goto done;
+ }
+
+ if (!newer_keys && pkb->version != 3) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
+
+ if (newer_keys && pkb->version != 4) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+ }
+
+ if (pkb->version == 4 && pkb4) {
+ *pkb4 = &pkb->ctr.ctr4;
+ } else if (pkb->version == 3 && pkb3) {
+ *pkb3 = &pkb->ctr.ctr3;
+ }
+
+ status = NT_STATUS_OK;
+
+done:
+ return status;
+}
+
static NTSTATUS parse_object(TALLOC_CTX *mem_ctx,
struct libnet_keytab_context *ctx,
struct drsuapi_DsReplicaObjectListItemEx *cur)
struct drsuapi_DsReplicaAttribute *attr;
bool got_pwd = false;
+ struct package_PrimaryKerberosCtr3 *pkb3 = NULL;
+ struct package_PrimaryKerberosCtr4 *pkb4 = NULL;
+
+ char *object_dn = NULL;
char *upn = NULL;
+ char **spn = NULL;
+ uint32_t num_spns = 0;
char *name = NULL;
uint32_t kvno = 0;
uint32_t uacc = 0;
ZERO_STRUCT(nt_passwd);
+ object_dn = talloc_strdup(mem_ctx, cur->object.identifier->dn);
+ if (!object_dn) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ DEBUG(3, ("parsing object '%s'\n", object_dn));
+
for (i=0; i < cur->object.attribute_ctr.num_attributes; i++) {
attr = &cur->object.attribute_ctr.attributes[i];
+ if (attr->attid == DRSUAPI_ATTID_servicePrincipalName) {
+ uint32_t count;
+ num_spns = attr->value_ctr.num_values;
+ spn = talloc_array(mem_ctx, char *, num_spns);
+ for (count = 0; count < num_spns; count++) {
+ blob = attr->value_ctr.values[count].blob;
+ pull_string_talloc(spn, NULL, 0,
+ &spn[count],
+ blob->data, blob->length,
+ STR_UNICODE);
+ }
+ }
+
if (attr->value_ctr.num_values != 1) {
continue;
}
blob = attr->value_ctr.values[0].blob;
switch (attr->attid) {
- case DRSUAPI_ATTRIBUTE_unicodePwd:
+ case DRSUAPI_ATTID_unicodePwd:
if (blob->length != 16) {
break;
}
kvno = cur->meta_data_ctr->meta_data[i].version;
break;
- case DRSUAPI_ATTRIBUTE_ntPwdHistory:
+ case DRSUAPI_ATTID_ntPwdHistory:
pwd_history_len = blob->length / 16;
pwd_history = blob->data;
break;
- case DRSUAPI_ATTRIBUTE_userPrincipalName:
+ case DRSUAPI_ATTID_userPrincipalName:
pull_string_talloc(mem_ctx, NULL, 0, &upn,
blob->data, blob->length,
STR_UNICODE);
break;
- case DRSUAPI_ATTRIBUTE_sAMAccountName:
+ case DRSUAPI_ATTID_sAMAccountName:
pull_string_talloc(mem_ctx, NULL, 0, &name,
blob->data, blob->length,
STR_UNICODE);
break;
- case DRSUAPI_ATTRIBUTE_sAMAccountType:
+ case DRSUAPI_ATTID_sAMAccountType:
sam_type = IVAL(blob->data, 0);
break;
- case DRSUAPI_ATTRIBUTE_userAccountControl:
+ case DRSUAPI_ATTID_userAccountControl:
uacc = IVAL(blob->data, 0);
break;
+ case DRSUAPI_ATTID_supplementalCredentials:
+ status = parse_supplemental_credentials(mem_ctx,
+ blob,
+ &pkb3,
+ &pkb4);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(2, ("parsing of supplemental "
+ "credentials failed: %s\n",
+ nt_errstr(status)));
+ }
+ break;
default:
break;
}
}
- if (!got_pwd || !name) {
+ if (!got_pwd) {
+ DEBUG(10, ("no password (unicodePwd) found - skipping.\n"));
+ return NT_STATUS_OK;
+ }
+
+ if (name) {
+ status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, 0, object_dn,
+ "SAMACCOUNTNAME",
+ ENCTYPE_NULL,
+ data_blob_talloc(mem_ctx, name,
+ strlen(name) + 1));
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ } else {
+ /* look into keytab ... */
+ struct libnet_keytab_entry *entry = NULL;
+ char *principal = NULL;
+
+ DEBUG(10, ("looking for SAMACCOUNTNAME/%s@%s in keytayb...\n",
+ object_dn, ctx->dns_domain_name));
+
+ principal = talloc_asprintf(mem_ctx, "%s/%s@%s",
+ "SAMACCOUNTNAME",
+ object_dn,
+ ctx->dns_domain_name);
+ if (!principal) {
+ DEBUG(1, ("talloc failed\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+ entry = libnet_keytab_search(ctx, principal, 0, ENCTYPE_NULL,
+ mem_ctx);
+ if (entry) {
+ name = (char *)talloc_memdup(mem_ctx,
+ entry->password.data,
+ entry->password.length);
+ if (!name) {
+ DEBUG(1, ("talloc failed!"));
+ return NT_STATUS_NO_MEMORY;
+ } else {
+ DEBUG(10, ("found name %s\n", name));
+ }
+ TALLOC_FREE(entry);
+ } else {
+ DEBUG(10, ("entry not found\n"));
+ }
+ TALLOC_FREE(principal);
+ }
+
+ if (!name) {
+ DEBUG(10, ("no name (sAMAccountName) found - skipping.\n"));
return NT_STATUS_OK;
}
DEBUG(1,("#%02d: %s:%d, ", ctx->count, name, kvno));
- DEBUGADD(1,("sAMAccountType: 0x%08x, userAccountControl: 0x%08x ",
+ DEBUGADD(1,("sAMAccountType: 0x%08x, userAccountControl: 0x%08x",
sam_type, uacc));
if (upn) {
- DEBUGADD(1,("upn: %s", upn));
+ DEBUGADD(1,(", upn: %s", upn));
+ }
+ if (num_spns > 0) {
+ DEBUGADD(1, (", spns: ["));
+ for (i = 0; i < num_spns; i++) {
+ DEBUGADD(1, ("%s%s", spn[i],
+ (i+1 == num_spns)?"]":", "));
+ }
}
DEBUGADD(1,("\n"));
- status = add_to_keytab_entries(mem_ctx, ctx, kvno, name, NULL,
- data_blob_talloc(mem_ctx, nt_passwd, 16));
+ status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno, name, NULL,
+ ENCTYPE_ARCFOUR_HMAC,
+ data_blob_talloc(mem_ctx, nt_passwd, 16));
if (!NT_STATUS_IS_OK(status)) {
return status;
}
+ /* add kerberos keys (if any) */
+
+ if (pkb4) {
+ for (i=0; i < pkb4->num_keys; i++) {
+ if (!pkb4->keys[i].value) {
+ continue;
+ }
+ status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno,
+ name,
+ NULL,
+ pkb4->keys[i].keytype,
+ *pkb4->keys[i].value);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+ for (i=0; i < pkb4->num_old_keys; i++) {
+ if (!pkb4->old_keys[i].value) {
+ continue;
+ }
+ status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno - 1,
+ name,
+ NULL,
+ pkb4->old_keys[i].keytype,
+ *pkb4->old_keys[i].value);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+ for (i=0; i < pkb4->num_older_keys; i++) {
+ if (!pkb4->older_keys[i].value) {
+ continue;
+ }
+ status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno - 2,
+ name,
+ NULL,
+ pkb4->older_keys[i].keytype,
+ *pkb4->older_keys[i].value);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+ }
+
+ if (pkb3) {
+ for (i=0; i < pkb3->num_keys; i++) {
+ if (!pkb3->keys[i].value) {
+ continue;
+ }
+ status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno, name,
+ NULL,
+ pkb3->keys[i].keytype,
+ *pkb3->keys[i].value);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+ for (i=0; i < pkb3->num_old_keys; i++) {
+ if (!pkb3->old_keys[i].value) {
+ continue;
+ }
+ status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno - 1,
+ name,
+ NULL,
+ pkb3->old_keys[i].keytype,
+ *pkb3->old_keys[i].value);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+ }
+
if ((kvno < 0) && (kvno < pwd_history_len)) {
return status;
}
}
for (; i<pwd_history_len; i++) {
- status = add_to_keytab_entries(mem_ctx, ctx, kvno--, name, NULL,
- data_blob_talloc(mem_ctx, &pwd_history[i*16], 16));
+ status = libnet_keytab_add_to_keytab_entries(mem_ctx, ctx, kvno--, name, NULL,
+ ENCTYPE_ARCFOUR_HMAC,
+ data_blob_talloc(mem_ctx, &pwd_history[i*16], 16));
if (!NT_STATUS_IS_OK(status)) {
break;
}
return status;
}
+static bool dn_is_in_object_list(struct dssync_context *ctx,
+ const char *dn)
+{
+ uint32_t count;
+
+ if (ctx->object_count == 0) {
+ return true;
+ }
+
+ for (count = 0; count < ctx->object_count; count++) {
+ if (strequal(ctx->object_dns[count], dn)) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
/****************************************************************
****************************************************************/
(struct libnet_keytab_context *)ctx->private_data;
for (; cur; cur = cur->next_object) {
+ /*
+ * When not in single object replication mode,
+ * the object_dn list is used as a positive write filter.
+ */
+ if (!ctx->single_object_replication &&
+ !dn_is_in_object_list(ctx, cur->object.identifier->dn))
+ {
+ continue;
+ }
+
status = parse_object(mem_ctx, keytab_ctx, cur);
if (!NT_STATUS_IS_OK(status)) {
goto out;
{
return NT_STATUS_NOT_SUPPORTED;
}
-#endif /* defined(HAVE_ADS) && defined(ENCTYPE_ARCFOUR_HMAC) */
+#endif /* defined(HAVE_ADS) */
const struct dssync_ops libnet_dssync_keytab_ops = {
.startup = keytab_startup,