source3/libads/krb5_setpw.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    krb5 set password implementation
   4    Copyright (C) Andrew Tridgell 2001
   5    Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 3 of the License, or
  10    (at your option) any later version.
  11
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16
  17    You should have received a copy of the GNU General Public License
  18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 */
  20
  21 #include "includes.h"
  22 #include "smb_krb5.h"
  23 #include "libads/kerberos_proto.h"
  24 #include "../lib/util/asn1.h"
  25
  26 #ifdef HAVE_KRB5
  27
  28 /* Those are defined by kerberos-set-passwd-02.txt and are probably
  29  * not supported by M$ implementation */
  30 #define KRB5_KPASSWD_POLICY_REJECT              8
  31 #define KRB5_KPASSWD_BAD_PRINCIPAL              9
  32 #define KRB5_KPASSWD_ETYPE_NOSUPP               10
  33
  34 /*
  35  * we've got to be able to distinguish KRB_ERRORs from other
  36  * requests - valid response for CHPW v2 replies.
  37  */
  38
  39 static krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code)
  40 {
  41         switch(res_code) {
  42                 case KRB5_KPASSWD_ACCESSDENIED:
  43                         return KRB5KDC_ERR_BADOPTION;
  44                 case KRB5_KPASSWD_INITIAL_FLAG_NEEDED:
  45                         return KRB5KDC_ERR_BADOPTION;
  46                         /* return KV5M_ALT_METHOD; MIT-only define */
  47                 case KRB5_KPASSWD_ETYPE_NOSUPP:
  48                         return KRB5KDC_ERR_ETYPE_NOSUPP;
  49                 case KRB5_KPASSWD_BAD_PRINCIPAL:
  50                         return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
  51                 case KRB5_KPASSWD_POLICY_REJECT:
  52                 case KRB5_KPASSWD_SOFTERROR:
  53                         return KRB5KDC_ERR_POLICY;
  54                 default:
  55                         return KRB5KRB_ERR_GENERIC;
  56         }
  57 }
  58
  59 ADS_STATUS ads_krb5_set_password(const char *kdc_host, const char *principal,
  60                                  const char *newpw, int time_offset)
  61 {
  62
  63         ADS_STATUS aret;
  64         krb5_error_code ret = 0;
  65         krb5_context context = NULL;
  66         krb5_principal princ = NULL;
  67         krb5_ccache ccache = NULL;
  68         int result_code;
  69         krb5_data result_code_string = { 0 };
  70         krb5_data result_string = { 0 };
  71
  72         initialize_krb5_error_table();
  73         ret = krb5_init_context(&context);
  74         if (ret) {
  75                 DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
  76                 return ADS_ERROR_KRB5(ret);
  77         }
  78
  79         if (principal) {
  80                 ret = smb_krb5_parse_name(context, principal, &princ);
  81                 if (ret) {
  82                         krb5_free_context(context);
  83                         DEBUG(1, ("Failed to parse %s (%s)\n", principal,
  84                                   error_message(ret)));
  85                         return ADS_ERROR_KRB5(ret);
  86                 }
  87         }
  88
  89         if (time_offset != 0) {
  90                 krb5_set_real_time(context, time(NULL) + time_offset, 0);
  91         }
  92
  93         ret = krb5_cc_default(context, &ccache);
  94         if (ret) {
  95                 krb5_free_principal(context, princ);
  96                 krb5_free_context(context);
  97                 DEBUG(1,("Failed to get default creds (%s)\n", error_message(ret)));
  98                 return ADS_ERROR_KRB5(ret);
  99         }
 100
 101         ret = krb5_set_password_using_ccache(context, ccache, newpw, princ,
 102                                              &result_code,
 103                                              &result_code_string,
 104                                              &result_string);
 105         if (ret) {
 106                 DEBUG(1, ("krb5_set_password failed (%s)\n", error_message(ret)));
 107                 aret = ADS_ERROR_KRB5(ret);
 108                 goto done;
 109         }
 110
 111         if (result_code != KRB5_KPASSWD_SUCCESS) {
 112                 ret = kpasswd_err_to_krb5_err(result_code);
 113                 DEBUG(1, ("krb5_set_password failed (%s)\n", error_message(ret)));
 114                 aret = ADS_ERROR_KRB5(ret);
 115                 goto done;
 116         }
 117
 118         aret = ADS_SUCCESS;
 119
 120 done:
 121         kerberos_free_data_contents(context, &result_code_string);
 122         kerberos_free_data_contents(context, &result_string);
 123         krb5_free_principal(context, princ);
 124         krb5_cc_close(context, ccache);
 125         krb5_free_context(context);
 126
 127         return aret;
 128 }
 129
 130 /*
 131   we use a prompter to avoid a crash bug in the kerberos libs when
 132   dealing with empty passwords
 133   this prompter is just a string copy ...
 134 */
 135 static krb5_error_code
 136 kerb_prompter(krb5_context ctx, void *data,
 137                const char *name,
 138                const char *banner,
 139                int num_prompts,
 140                krb5_prompt prompts[])
 141 {
 142         if (num_prompts == 0) return 0;
 143
 144         memset(prompts[0].reply->data, 0, prompts[0].reply->length);
 145         if (prompts[0].reply->length > 0) {
 146                 if (data) {
 147                         strncpy((char *)prompts[0].reply->data,
 148                                 (const char *)data,
 149                                 prompts[0].reply->length-1);
 150                         prompts[0].reply->length = strlen((const char *)prompts[0].reply->data);
 151                 } else {
 152                         prompts[0].reply->length = 0;
 153                 }
 154         }
 155         return 0;
 156 }
 157
 158 static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
 159                                         const char *principal,
 160                                         const char *oldpw,
 161                                         const char *newpw,
 162                                         int time_offset)
 163 {
 164     ADS_STATUS aret;
 165     krb5_error_code ret;
 166     krb5_context context = NULL;
 167     krb5_principal princ;
 168     krb5_get_init_creds_opt opts;
 169     krb5_creds creds;
 170     char *chpw_princ = NULL, *password;
 171     char *realm = NULL;
 172     int result_code;
 173     krb5_data result_code_string = { 0 };
 174     krb5_data result_string = { 0 };
 175     smb_krb5_addresses *addr = NULL;
 176
 177     initialize_krb5_error_table();
 178     ret = krb5_init_context(&context);
 179     if (ret) {
 180         DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
 181         return ADS_ERROR_KRB5(ret);
 182     }
 183
 184     if ((ret = smb_krb5_parse_name(context, principal,
 185                                     &princ))) {
 186         krb5_free_context(context);
 187         DEBUG(1,("Failed to parse %s (%s)\n", principal, error_message(ret)));
 188         return ADS_ERROR_KRB5(ret);
 189     }
 190
 191     krb5_get_init_creds_opt_init(&opts);
 192
 193     krb5_get_init_creds_opt_set_tkt_life(&opts, 5*60);
 194     krb5_get_init_creds_opt_set_renew_life(&opts, 0);
 195     krb5_get_init_creds_opt_set_forwardable(&opts, 0);
 196     krb5_get_init_creds_opt_set_proxiable(&opts, 0);
 197
 198     /* note that heimdal will fill in the local addresses if the addresses
 199      * in the creds_init_opt are all empty and then later fail with invalid
 200      * address, sending our local netbios krb5 address - just like windows
 201      * - avoids this - gd */
 202     ret = smb_krb5_gen_netbios_krb5_address(&addr, lp_netbios_name());
 203     if (ret) {
 204         krb5_free_principal(context, princ);
 205         krb5_free_context(context);
 206         return ADS_ERROR_KRB5(ret);
 207     }
 208     krb5_get_init_creds_opt_set_address_list(&opts, addr->addrs);
 209
 210     realm = smb_krb5_principal_get_realm(context, princ);
 211
 212     /* We have to obtain an INITIAL changepw ticket for changing password */
 213     if (asprintf(&chpw_princ, "kadmin/changepw@%s", realm) == -1) {
 214         krb5_free_context(context);
 215         free(realm);
 216         DEBUG(1,("ads_krb5_chg_password: asprintf fail\n"));
 217         return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
 218     }
 219
 220     free(realm);
 221     password = SMB_STRDUP(oldpw);
 222     ret = krb5_get_init_creds_password(context, &creds, princ, password,
 223                                            kerb_prompter, NULL,
 224                                            0, chpw_princ, &opts);
 225     SAFE_FREE(chpw_princ);
 226     SAFE_FREE(password);
 227
 228     if (ret) {
 229       if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)
 230         DEBUG(1,("Password incorrect while getting initial ticket"));
 231       else
 232         DEBUG(1,("krb5_get_init_creds_password failed (%s)\n", error_message(ret)));
 233
 234         krb5_free_principal(context, princ);
 235         krb5_free_context(context);
 236         return ADS_ERROR_KRB5(ret);
 237     }
 238
 239     ret = krb5_change_password(context, &creds, newpw, &result_code,
 240                                &result_code_string, &result_string);
 241     if (ret) {
 242         DEBUG(1, ("krb5_change_password failed (%s)\n", error_message(ret)));
 243         aret = ADS_ERROR_KRB5(ret);
 244         goto done;
 245     }
 246
 247     if (result_code != KRB5_KPASSWD_SUCCESS) {
 248         ret = kpasswd_err_to_krb5_err(result_code);
 249         DEBUG(1, ("krb5_change_password failed (%s)\n", error_message(ret)));
 250         aret = ADS_ERROR_KRB5(ret);
 251         goto done;
 252     }
 253
 254     aret = ADS_SUCCESS;
 255
 256 done:
 257     kerberos_free_data_contents(context, &result_code_string);
 258     kerberos_free_data_contents(context, &result_string);
 259     krb5_free_principal(context, princ);
 260     krb5_free_context(context);
 261
 262     return aret;
 263 }
 264
 265
 266 ADS_STATUS kerberos_set_password(const char *kpasswd_server,
 267                                  const char *auth_principal, const char *auth_password,
 268                                  const char *target_principal, const char *new_password,
 269                                  int time_offset)
 270 {
 271     int ret;
 272
 273     if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL))) {
 274         DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret)));
 275         return ADS_ERROR_KRB5(ret);
 276     }
 277
 278     if (!strcmp(auth_principal, target_principal))
 279         return ads_krb5_chg_password(kpasswd_server, target_principal,
 280                                      auth_password, new_password, time_offset);
 281     else
 282         return ads_krb5_set_password(kpasswd_server, target_principal,
 283                                      new_password, time_offset);
 284 }
 285
 286 #endif