2 Unix SMB/CIFS implementation.
4 Copyright (C) Guenther Deschner <gd@samba.org> 2008
5 Copyright (C) Michael Adam 2008
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "libnet/libnet.h"
23 #include "librpc/gen_ndr/ndr_drsblobs.h"
25 #if defined(HAVE_ADS) && defined(ENCTYPE_ARCFOUR_HMAC)
28 * Internal helper function to add data to the list
29 * of keytab entries. It builds the prefix from the input.
31 static NTSTATUS add_to_keytab_entries(TALLOC_CTX *mem_ctx,
32 struct libnet_keytab_context *ctx,
36 const krb5_enctype enctype,
39 struct libnet_keytab_entry entry;
42 entry.name = talloc_strdup(mem_ctx, name);
43 entry.principal = talloc_asprintf(mem_ctx, "%s%s%s@%s",
46 name, ctx->dns_domain_name);
47 entry.enctype = enctype;
48 entry.password = blob;
49 NT_STATUS_HAVE_NO_MEMORY(entry.name);
50 NT_STATUS_HAVE_NO_MEMORY(entry.principal);
51 NT_STATUS_HAVE_NO_MEMORY(entry.password.data);
53 ADD_TO_ARRAY(mem_ctx, struct libnet_keytab_entry, entry,
54 &ctx->entries, &ctx->count);
55 NT_STATUS_HAVE_NO_MEMORY(ctx->entries);
60 static NTSTATUS keytab_startup(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
61 struct replUpToDateVectorBlob **pold_utdv)
63 krb5_error_code ret = 0;
64 struct libnet_keytab_context *keytab_ctx;
65 struct libnet_keytab_entry *entry;
66 struct replUpToDateVectorBlob *old_utdv = NULL;
69 ret = libnet_keytab_init(mem_ctx, ctx->output_filename, &keytab_ctx);
71 return krb5_to_nt_status(ret);
74 keytab_ctx->dns_domain_name = ctx->dns_domain_name;
75 keytab_ctx->clean_old_entries = ctx->clean_old_entries;
76 ctx->private_data = keytab_ctx;
78 principal = talloc_asprintf(mem_ctx, "UTDV/%s@%s",
79 ctx->nc_dn, ctx->dns_domain_name);
80 NT_STATUS_HAVE_NO_MEMORY(principal);
82 entry = libnet_keytab_search(keytab_ctx, principal, 0, ENCTYPE_NULL,
85 enum ndr_err_code ndr_err;
86 old_utdv = talloc(mem_ctx, struct replUpToDateVectorBlob);
88 ndr_err = ndr_pull_struct_blob(&entry->password, old_utdv,
90 (ndr_pull_flags_fn_t)ndr_pull_replUpToDateVectorBlob);
91 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
92 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
93 ctx->error_message = talloc_asprintf(ctx,
94 "Failed to pull UpToDateVector: %s",
99 if (DEBUGLEVEL >= 10) {
100 NDR_PRINT_DEBUG(replUpToDateVectorBlob, old_utdv);
105 *pold_utdv = old_utdv;
111 static NTSTATUS keytab_finish(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
112 struct replUpToDateVectorBlob *new_utdv)
114 NTSTATUS status = NT_STATUS_OK;
115 krb5_error_code ret = 0;
116 struct libnet_keytab_context *keytab_ctx =
117 (struct libnet_keytab_context *)ctx->private_data;
120 enum ndr_err_code ndr_err;
123 if (DEBUGLEVEL >= 10) {
124 NDR_PRINT_DEBUG(replUpToDateVectorBlob, new_utdv);
127 ndr_err = ndr_push_struct_blob(&blob, mem_ctx, NULL, new_utdv,
128 (ndr_push_flags_fn_t)ndr_push_replUpToDateVectorBlob);
129 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
130 status = ndr_map_error2ntstatus(ndr_err);
131 ctx->error_message = talloc_asprintf(ctx,
132 "Failed to push UpToDateVector: %s",
137 status = add_to_keytab_entries(mem_ctx, keytab_ctx, 0,
141 if (!NT_STATUS_IS_OK(status)) {
146 ret = libnet_keytab_add(keytab_ctx);
148 status = krb5_to_nt_status(ret);
149 ctx->error_message = talloc_asprintf(ctx,
150 "Failed to add entries to keytab %s: %s",
151 keytab_ctx->keytab_name, error_message(ret));
155 ctx->result_message = talloc_asprintf(ctx,
156 "Vampired %d accounts to keytab %s",
158 keytab_ctx->keytab_name);
161 TALLOC_FREE(keytab_ctx);
165 /****************************************************************
166 ****************************************************************/
168 static NTSTATUS parse_supplemental_credentials(TALLOC_CTX *mem_ctx,
169 const DATA_BLOB *blob,
170 struct package_PrimaryKerberosCtr3 **pkb3,
171 struct package_PrimaryKerberosCtr4 **pkb4)
174 enum ndr_err_code ndr_err;
175 struct supplementalCredentialsBlob scb;
176 struct supplementalCredentialsPackage *scpk = NULL;
178 struct package_PrimaryKerberosBlob *pkb;
179 bool newer_keys = false;
182 ndr_err = ndr_pull_struct_blob_all(blob, mem_ctx, NULL, &scb,
183 (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
184 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
185 status = ndr_map_error2ntstatus(ndr_err);
188 if (scb.sub.signature !=
189 SUPPLEMENTAL_CREDENTIALS_SIGNATURE)
191 if (DEBUGLEVEL >= 10) {
192 NDR_PRINT_DEBUG(supplementalCredentialsBlob, &scb);
194 status = NT_STATUS_INVALID_PARAMETER;
197 for (j=0; j < scb.sub.num_packages; j++) {
198 if (strcmp("Primary:Kerberos-Newer-Keys",
199 scb.sub.packages[j].name) == 0)
201 scpk = &scb.sub.packages[j];
202 if (!scpk->data || !scpk->data[0]) {
208 } else if (strcmp("Primary:Kerberos",
209 scb.sub.packages[j].name) == 0)
212 * grab this but don't break here:
213 * there might still be newer-keys ...
215 scpk = &scb.sub.packages[j];
216 if (!scpk->data || !scpk->data[0]) {
224 status = NT_STATUS_OK;
228 scpk_blob = strhex_to_data_blob(mem_ctx, scpk->data);
229 if (!scpk_blob.data) {
230 status = NT_STATUS_NO_MEMORY;
234 pkb = TALLOC_ZERO_P(mem_ctx, struct package_PrimaryKerberosBlob);
236 status = NT_STATUS_NO_MEMORY;
239 ndr_err = ndr_pull_struct_blob(&scpk_blob, mem_ctx, NULL, pkb,
240 (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
241 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
242 status = ndr_map_error2ntstatus(ndr_err);
246 if (!newer_keys && pkb->version != 3) {
247 status = NT_STATUS_INVALID_PARAMETER;
251 if (newer_keys && pkb->version != 4) {
252 status = NT_STATUS_INVALID_PARAMETER;
256 if (pkb->version == 4 && pkb4) {
257 *pkb4 = &pkb->ctr.ctr4;
258 } else if (pkb->version == 3 && pkb3) {
259 *pkb3 = &pkb->ctr.ctr3;
262 status = NT_STATUS_OK;
268 static NTSTATUS parse_object(TALLOC_CTX *mem_ctx,
269 struct libnet_keytab_context *ctx,
270 struct drsuapi_DsReplicaObjectListItemEx *cur)
272 NTSTATUS status = NT_STATUS_OK;
276 struct drsuapi_DsReplicaAttribute *attr;
277 bool got_pwd = false;
279 struct package_PrimaryKerberosCtr3 *pkb3 = NULL;
280 struct package_PrimaryKerberosCtr4 *pkb4 = NULL;
282 char *object_dn = NULL;
285 uint32_t num_spns = 0;
289 uint32_t sam_type = 0;
291 uint32_t pwd_history_len = 0;
292 uint8_t *pwd_history = NULL;
294 ZERO_STRUCT(nt_passwd);
296 object_dn = talloc_strdup(mem_ctx, cur->object.identifier->dn);
298 return NT_STATUS_NO_MEMORY;
301 DEBUG(3, ("parsing object '%s'\n", object_dn));
303 for (i=0; i < cur->object.attribute_ctr.num_attributes; i++) {
305 attr = &cur->object.attribute_ctr.attributes[i];
307 if (attr->attid == DRSUAPI_ATTRIBUTE_servicePrincipalName) {
309 num_spns = attr->value_ctr.num_values;
310 spn = TALLOC_ARRAY(mem_ctx, char *, num_spns);
311 for (count = 0; count < num_spns; count++) {
312 blob = attr->value_ctr.values[count].blob;
313 pull_string_talloc(spn, NULL, 0,
315 blob->data, blob->length,
320 if (attr->value_ctr.num_values != 1) {
324 if (!attr->value_ctr.values[0].blob) {
328 blob = attr->value_ctr.values[0].blob;
330 switch (attr->attid) {
331 case DRSUAPI_ATTRIBUTE_unicodePwd:
333 if (blob->length != 16) {
337 memcpy(&nt_passwd, blob->data, 16);
340 /* pick the kvno from the meta_data version,
341 * thanks, metze, for explaining this */
343 if (!cur->meta_data_ctr) {
346 if (cur->meta_data_ctr->count !=
347 cur->object.attribute_ctr.num_attributes) {
350 kvno = cur->meta_data_ctr->meta_data[i].version;
352 case DRSUAPI_ATTRIBUTE_ntPwdHistory:
353 pwd_history_len = blob->length / 16;
354 pwd_history = blob->data;
356 case DRSUAPI_ATTRIBUTE_userPrincipalName:
357 pull_string_talloc(mem_ctx, NULL, 0, &upn,
358 blob->data, blob->length,
361 case DRSUAPI_ATTRIBUTE_sAMAccountName:
362 pull_string_talloc(mem_ctx, NULL, 0, &name,
363 blob->data, blob->length,
366 case DRSUAPI_ATTRIBUTE_sAMAccountType:
367 sam_type = IVAL(blob->data, 0);
369 case DRSUAPI_ATTRIBUTE_userAccountControl:
370 uacc = IVAL(blob->data, 0);
372 case DRSUAPI_ATTRIBUTE_supplementalCredentials:
373 status = parse_supplemental_credentials(mem_ctx,
377 if (!NT_STATUS_IS_OK(status)) {
378 DEBUG(2, ("parsing of supplemental "
379 "credentials failed: %s\n",
389 DEBUG(10, ("no password (unicodePwd) found - skipping.\n"));
394 status = add_to_keytab_entries(mem_ctx, ctx, 0, object_dn,
397 data_blob_talloc(mem_ctx, name,
399 if (!NT_STATUS_IS_OK(status)) {
403 /* look into keytab ... */
404 struct libnet_keytab_entry *entry = NULL;
405 char *principal = NULL;
407 DEBUG(10, ("looking for SAMACCOUNTNAME/%s@%s in keytayb...\n",
408 object_dn, ctx->dns_domain_name));
410 principal = talloc_asprintf(mem_ctx, "%s/%s@%s",
413 ctx->dns_domain_name);
415 DEBUG(1, ("talloc failed\n"));
416 return NT_STATUS_NO_MEMORY;
418 entry = libnet_keytab_search(ctx, principal, 0, ENCTYPE_NULL,
421 name = (char *)TALLOC_MEMDUP(mem_ctx,
422 entry->password.data,
423 entry->password.length);
425 DEBUG(1, ("talloc failed!"));
426 return NT_STATUS_NO_MEMORY;
428 DEBUG(10, ("found name %s\n", name));
432 DEBUG(10, ("entry not found\n"));
434 TALLOC_FREE(principal);
438 DEBUG(10, ("no name (sAMAccountName) found - skipping.\n"));
442 DEBUG(1,("#%02d: %s:%d, ", ctx->count, name, kvno));
443 DEBUGADD(1,("sAMAccountType: 0x%08x, userAccountControl: 0x%08x",
446 DEBUGADD(1,(", upn: %s", upn));
449 DEBUGADD(1, (", spns: ["));
450 for (i = 0; i < num_spns; i++) {
451 DEBUGADD(1, ("%s%s", spn[i],
452 (i+1 == num_spns)?"]":", "));
457 status = add_to_keytab_entries(mem_ctx, ctx, kvno, name, NULL,
458 ENCTYPE_ARCFOUR_HMAC,
459 data_blob_talloc(mem_ctx, nt_passwd, 16));
461 if (!NT_STATUS_IS_OK(status)) {
465 /* add kerberos keys (if any) */
468 for (i=0; i < pkb4->num_keys; i++) {
469 if (!pkb4->keys[i].value) {
472 status = add_to_keytab_entries(mem_ctx, ctx, kvno,
475 pkb4->keys[i].keytype,
476 *pkb4->keys[i].value);
477 if (!NT_STATUS_IS_OK(status)) {
481 for (i=0; i < pkb4->num_old_keys; i++) {
482 if (!pkb4->old_keys[i].value) {
485 status = add_to_keytab_entries(mem_ctx, ctx, kvno - 1,
488 pkb4->old_keys[i].keytype,
489 *pkb4->old_keys[i].value);
490 if (!NT_STATUS_IS_OK(status)) {
494 for (i=0; i < pkb4->num_older_keys; i++) {
495 if (!pkb4->older_keys[i].value) {
498 status = add_to_keytab_entries(mem_ctx, ctx, kvno - 2,
501 pkb4->older_keys[i].keytype,
502 *pkb4->older_keys[i].value);
503 if (!NT_STATUS_IS_OK(status)) {
510 for (i=0; i < pkb3->num_keys; i++) {
511 if (!pkb3->keys[i].value) {
514 status = add_to_keytab_entries(mem_ctx, ctx, kvno, name,
516 pkb3->keys[i].keytype,
517 *pkb3->keys[i].value);
518 if (!NT_STATUS_IS_OK(status)) {
522 for (i=0; i < pkb3->num_old_keys; i++) {
523 if (!pkb3->old_keys[i].value) {
526 status = add_to_keytab_entries(mem_ctx, ctx, kvno - 1,
529 pkb3->old_keys[i].keytype,
530 *pkb3->old_keys[i].value);
531 if (!NT_STATUS_IS_OK(status)) {
537 if ((kvno < 0) && (kvno < pwd_history_len)) {
541 /* add password history */
543 /* skip first entry */
551 for (; i<pwd_history_len; i++) {
552 status = add_to_keytab_entries(mem_ctx, ctx, kvno--, name, NULL,
553 ENCTYPE_ARCFOUR_HMAC,
554 data_blob_talloc(mem_ctx, &pwd_history[i*16], 16));
555 if (!NT_STATUS_IS_OK(status)) {
563 static bool dn_is_in_object_list(struct dssync_context *ctx,
568 if (ctx->object_count == 0) {
572 for (count = 0; count < ctx->object_count; count++) {
573 if (strequal(ctx->object_dns[count], dn)) {
581 /****************************************************************
582 ****************************************************************/
584 static NTSTATUS keytab_process_objects(struct dssync_context *ctx,
586 struct drsuapi_DsReplicaObjectListItemEx *cur,
587 struct drsuapi_DsReplicaOIDMapping_Ctr *mapping_ctr)
589 NTSTATUS status = NT_STATUS_OK;
590 struct libnet_keytab_context *keytab_ctx =
591 (struct libnet_keytab_context *)ctx->private_data;
593 for (; cur; cur = cur->next_object) {
595 * When not in single object replication mode,
596 * the object_dn list is used as a positive write filter.
598 if (!ctx->single_object_replication &&
599 !dn_is_in_object_list(ctx, cur->object.identifier->dn))
604 status = parse_object(mem_ctx, keytab_ctx, cur);
605 if (!NT_STATUS_IS_OK(status)) {
616 static NTSTATUS keytab_startup(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
617 struct replUpToDateVectorBlob **pold_utdv)
619 return NT_STATUS_NOT_SUPPORTED;
622 static NTSTATUS keytab_finish(struct dssync_context *ctx, TALLOC_CTX *mem_ctx,
623 struct replUpToDateVectorBlob *new_utdv)
625 return NT_STATUS_NOT_SUPPORTED;
628 static NTSTATUS keytab_process_objects(struct dssync_context *ctx,
630 struct drsuapi_DsReplicaObjectListItemEx *cur,
631 struct drsuapi_DsReplicaOIDMapping_Ctr *mapping_ctr)
633 return NT_STATUS_NOT_SUPPORTED;
635 #endif /* defined(HAVE_ADS) && defined(ENCTYPE_ARCFOUR_HMAC) */
637 const struct dssync_ops libnet_dssync_keytab_ops = {
638 .startup = keytab_startup,
639 .process_objects = keytab_process_objects,
640 .finish = keytab_finish,