2 * Unix SMB/CIFS implementation.
4 * Copyright (C) Volker Lendecke 2003
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 #ifdef WITH_FAKE_KASERVER
28 #include <afs/venus.h>
29 #include <asm/unistd.h>
30 #include <openssl/des.h>
32 _syscall5(int, afs_syscall, int, subcall,
42 uint32 BeginTimestamp;
47 Put an AFS token into the Kernel so that it can authenticate against
48 the AFS server. This assumes correct local uid settings.
50 This is currently highly Linux and OpenAFS-specific. The correct API
51 call for this would be ktc_SetToken. But to do that we would have to
52 import a REALLY big bunch of libraries which I would currently like
56 static BOOL afs_settoken(const char *username, const char *cell,
57 const struct ClearToken *ctok,
58 char *v4tkt_data, int v4tkt_length)
63 uint16 in_size, out_size;
70 memcpy(p, &v4tkt_length, sizeof(uint32));
72 memcpy(p, v4tkt_data, v4tkt_length);
75 tmp = sizeof(struct ClearToken);
76 memcpy(p, &tmp, sizeof(uint32));
83 memcpy(p, &tmp, sizeof(uint32));
87 if (tmp >= MAXKTCREALMLEN) {
88 DEBUG(1, ("Realm too long\n"));
92 strncpy(p, cell, tmp);
98 iob.in_size = PTR_DIFF(p,buf);
100 iob.out_size = sizeof(buf);
103 file_save("/tmp/ioctlbuf", iob.in, iob.in_size);
106 ret = afs_syscall(AFSCALL_PIOCTL, 0, VIOCSETTOK, (char *)&iob, 0);
108 DEBUG(10, ("afs VIOCSETTOK returned %d\n", ret));
113 This routine takes a radical approach completely defeating the
114 Kerberos idea of security and using AFS simply as an intelligent
115 file backend. Samba has persuaded itself somehow that the user is
116 actually correctly identified and then we create a ticket that the
117 AFS server hopefully accepts using its KeyFile that the admin has
118 kindly stored to our secrets.tdb.
120 Thanks to the book "Network Security -- PRIVATE Communication in a
121 PUBLIC World" by Charlie Kaufman, Radia Perlman and Mike Speciner
122 Kerberos 4 tickets are not really hard to construct.
124 For the comments "Alice" is the User to be auth'ed, and "Bob" is the
127 BOOL afs_login(connection_struct *conn)
133 pstring afs_username;
136 struct ClearToken ct;
138 uint32 now; /* I assume time() returns 32 bit */
140 des_key_schedule key_schedule;
142 pstrcpy(afs_username, lp_afs_username_map());
143 standard_sub_conn(conn, afs_username, sizeof(afs_username));
145 cell = strchr(afs_username, '@');
148 DEBUG(1, ("AFS username doesn't contain a @, "
149 "could not find cell\n"));
157 DEBUG(10, ("Trying to log into AFS for user %s@%s\n",
158 afs_username, cell));
163 if (!secrets_fetch_afs_key(cell, &key)) {
164 DEBUG(5, ("Could not fetch AFS service key\n"));
168 ct.AuthHandle = key.kvno;
170 /* Build the ticket. This is going to be encrypted, so in our
171 way we fill in ct while we still have the unencrypted
180 /* "Alice", the client username */
181 strncpy(p, afs_username, sizeof(ticket)-PTR_DIFF(p,ticket)-1);
183 strncpy(p, "", sizeof(ticket)-PTR_DIFF(p,ticket)-1);
185 strncpy(p, cell, sizeof(ticket)-PTR_DIFF(p,ticket)-1);
188 /* This assumes that we have setresuid and set the real uid as well as
189 the effective uid in set_effective_uid(). */
190 ct.ViceId = getuid();
191 DEBUG(10, ("Creating Token for uid %d\n", ct.ViceId));
193 /* Alice's network layer address. At least Openafs-1.2.10
194 ignores this, so we fill in a dummy value here. */
198 /* We need to create a session key */
199 generate_random_buffer(p, 8, False);
201 /* Our client code needs the the key in the clear, it does not
202 know the server-key ... */
203 memcpy(ct.HandShakeKey, p, 8);
207 /* Ticket lifetime. We fake everything here, so go as long as
208 possible. This is in 5-minute intervals, so 255 is 21 hours
213 /* Ticket creation time */
216 ct.BeginTimestamp = now;
218 ct.EndTimestamp = now + (255*60*5);
219 if (((ct.EndTimestamp - ct.BeginTimestamp) & 1) == 1) {
220 ct.BeginTimestamp += 1; /* Lifetime must be even */
224 /* And here comes Bob's name and instance, in this case the
226 strncpy(p, "afs", sizeof(ticket)-PTR_DIFF(p,ticket)-1);
228 strncpy(p, "", sizeof(ticket)-PTR_DIFF(p,ticket)-1);
231 /* And zero-pad to a multiple of 8 bytes */
232 len = PTR_DIFF(p, ticket);
234 uint32 extra_space = 8-(len & 7);
235 memset(p, 0, extra_space);
238 len = PTR_DIFF(p, ticket);
240 des_key_sched((const_des_cblock *)key.key, key_schedule);
241 des_pcbc_encrypt(ticket, ticket,
242 len, key_schedule, (C_Block *)key.key, 1);
246 return afs_settoken(afs_username, cell, &ct, ticket, len);
251 BOOL afs_login(connection_struct *conn)
256 #endif /* WITH_FAKE_KASERVER */