2 Unix SMB/CIFS implementation.
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2008
7 Copyright (C) Andrew Tridgell 2005
8 Copyright (C) Stefan Metzmacher 2005
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "smbd/process_model.h"
26 #include "lib/tsocket/tsocket.h"
27 #include "libcli/util/tstream.h"
28 #include "lib/messaging/irpc.h"
29 #include "librpc/gen_ndr/ndr_irpc.h"
30 #include "librpc/gen_ndr/ndr_krb5pac.h"
31 #include "lib/stream/packet.h"
32 #include "lib/socket/netif.h"
33 #include "param/param.h"
34 #include "kdc/kdc-glue.h"
35 #include "dsdb/samdb/samdb.h"
36 #include "auth/session.h"
38 NTSTATUS server_service_kdc_init(void);
40 extern struct krb5plugin_windc_ftable windc_plugin_table;
42 static NTSTATUS kdc_proxy_unavailable_error(struct kdc_server *kdc,
47 krb5_data k5_error_blob;
49 kret = krb5_mk_error(kdc->smb_krb5_context->krb5_context,
50 KRB5KDC_ERR_SVC_UNAVAILABLE, NULL, NULL,
51 NULL, NULL, NULL, NULL, &k5_error_blob);
53 DEBUG(2,(__location__ ": Unable to form krb5 error reply\n"));
54 return NT_STATUS_INTERNAL_ERROR;
57 *out = data_blob_talloc(mem_ctx, k5_error_blob.data, k5_error_blob.length);
58 krb5_data_free(&k5_error_blob);
60 return NT_STATUS_NO_MEMORY;
66 typedef enum kdc_process_ret (*kdc_process_fn_t)(struct kdc_server *kdc,
70 struct tsocket_address *peer_addr,
71 struct tsocket_address *my_addr,
74 /* hold information about one kdc socket */
76 struct kdc_server *kdc;
77 struct tsocket_address *local_address;
78 kdc_process_fn_t process;
82 struct kdc_tcp_connection *kdc_conn;
86 struct iovec out_iov[2];
90 state of an open tcp connection
92 struct kdc_tcp_connection {
93 /* stream connection we belong to */
94 struct stream_connection *conn;
96 /* the kdc_server the connection belongs to */
97 struct kdc_socket *kdc_socket;
99 struct tstream_context *tstream;
101 struct tevent_queue *send_queue;
105 static void kdc_tcp_terminate_connection(struct kdc_tcp_connection *kdcconn, const char *reason)
107 stream_terminate_connection(kdcconn->conn, reason);
110 static void kdc_tcp_recv(struct stream_connection *conn, uint16_t flags)
112 struct kdc_tcp_connection *kdcconn = talloc_get_type(conn->private_data,
113 struct kdc_tcp_connection);
114 /* this should never be triggered! */
115 kdc_tcp_terminate_connection(kdcconn, "kdc_tcp_recv: called");
118 static void kdc_tcp_send(struct stream_connection *conn, uint16_t flags)
120 struct kdc_tcp_connection *kdcconn = talloc_get_type(conn->private_data,
121 struct kdc_tcp_connection);
122 /* this should never be triggered! */
123 kdc_tcp_terminate_connection(kdcconn, "kdc_tcp_send: called");
127 Wrapper for krb5_kdc_process_krb5_request, converting to/from Samba
131 static enum kdc_process_ret kdc_process(struct kdc_server *kdc,
135 struct tsocket_address *peer_addr,
136 struct tsocket_address *my_addr,
141 struct sockaddr_storage ss;
143 krb5_data_zero(&k5_reply);
145 krb5_kdc_update_time(NULL);
147 ret = tsocket_address_bsd_sockaddr(peer_addr, (struct sockaddr *) &ss,
148 sizeof(struct sockaddr_storage));
150 return KDC_PROCESS_FAILED;
152 pa = tsocket_address_string(peer_addr, mem_ctx);
154 return KDC_PROCESS_FAILED;
157 DEBUG(10,("Received KDC packet of length %lu from %s\n",
158 (long)input->length - 4, pa));
160 ret = krb5_kdc_process_krb5_request(kdc->smb_krb5_context->krb5_context,
162 input->data, input->length,
165 (struct sockaddr *) &ss,
168 *reply = data_blob(NULL, 0);
169 return KDC_PROCESS_FAILED;
172 if (ret == HDB_ERR_NOT_FOUND_HERE) {
173 *reply = data_blob(NULL, 0);
174 return KDC_PROCESS_PROXY;
177 if (k5_reply.length) {
178 *reply = data_blob_talloc(mem_ctx, k5_reply.data, k5_reply.length);
179 krb5_data_free(&k5_reply);
181 *reply = data_blob(NULL, 0);
183 return KDC_PROCESS_OK;
186 static void kdc_tcp_call_proxy_done(struct tevent_req *subreq);
187 static void kdc_tcp_call_writev_done(struct tevent_req *subreq);
189 static void kdc_tcp_call_loop(struct tevent_req *subreq)
191 struct kdc_tcp_connection *kdc_conn = tevent_req_callback_data(subreq,
192 struct kdc_tcp_connection);
193 struct kdc_tcp_call *call;
195 enum kdc_process_ret ret;
197 call = talloc(kdc_conn, struct kdc_tcp_call);
199 kdc_tcp_terminate_connection(kdc_conn, "kdc_tcp_call_loop: "
200 "no memory for kdc_tcp_call");
203 call->kdc_conn = kdc_conn;
205 status = tstream_read_pdu_blob_recv(subreq,
209 if (!NT_STATUS_IS_OK(status)) {
212 reason = talloc_asprintf(call, "kdc_tcp_call_loop: "
213 "tstream_read_pdu_blob_recv() - %s",
216 reason = nt_errstr(status);
219 kdc_tcp_terminate_connection(kdc_conn, reason);
223 DEBUG(10,("Received krb5 TCP packet of length %lu from %s\n",
224 (long) call->in.length,
225 tsocket_address_string(kdc_conn->conn->remote_address, call)));
227 /* skip length header */
229 call->in.length -= 4;
232 ret = kdc_conn->kdc_socket->process(kdc_conn->kdc_socket->kdc,
236 kdc_conn->conn->remote_address,
237 kdc_conn->conn->local_address,
239 if (ret == KDC_PROCESS_FAILED) {
240 kdc_tcp_terminate_connection(kdc_conn,
241 "kdc_tcp_call_loop: process function failed");
245 if (ret == KDC_PROCESS_PROXY) {
248 if (!kdc_conn->kdc_socket->kdc->am_rodc) {
249 kdc_tcp_terminate_connection(kdc_conn,
250 "kdc_tcp_call_loop: proxying requested when not RODC");
253 port = tsocket_address_inet_port(kdc_conn->conn->local_address);
255 subreq = kdc_tcp_proxy_send(call,
256 kdc_conn->conn->event.ctx,
257 kdc_conn->kdc_socket->kdc,
260 if (subreq == NULL) {
261 kdc_tcp_terminate_connection(kdc_conn,
262 "kdc_tcp_call_loop: kdc_tcp_proxy_send failed");
265 tevent_req_set_callback(subreq, kdc_tcp_call_proxy_done, call);
269 /* First add the length of the out buffer */
270 RSIVAL(call->out_hdr, 0, call->out.length);
271 call->out_iov[0].iov_base = (char *) call->out_hdr;
272 call->out_iov[0].iov_len = 4;
274 call->out_iov[1].iov_base = (char *) call->out.data;
275 call->out_iov[1].iov_len = call->out.length;
277 subreq = tstream_writev_queue_send(call,
278 kdc_conn->conn->event.ctx,
280 kdc_conn->send_queue,
282 if (subreq == NULL) {
283 kdc_tcp_terminate_connection(kdc_conn, "kdc_tcp_call_loop: "
284 "no memory for tstream_writev_queue_send");
287 tevent_req_set_callback(subreq, kdc_tcp_call_writev_done, call);
290 * The krb5 tcp pdu's has the length as 4 byte (initial_read_size),
291 * packet_full_request_u32 provides the pdu length then.
293 subreq = tstream_read_pdu_blob_send(kdc_conn,
294 kdc_conn->conn->event.ctx,
296 4, /* initial_read_size */
297 packet_full_request_u32,
299 if (subreq == NULL) {
300 kdc_tcp_terminate_connection(kdc_conn, "kdc_tcp_call_loop: "
301 "no memory for tstream_read_pdu_blob_send");
304 tevent_req_set_callback(subreq, kdc_tcp_call_loop, kdc_conn);
307 static void kdc_tcp_call_proxy_done(struct tevent_req *subreq)
309 struct kdc_tcp_call *call = tevent_req_callback_data(subreq,
310 struct kdc_tcp_call);
311 struct kdc_tcp_connection *kdc_conn = call->kdc_conn;
314 status = kdc_tcp_proxy_recv(subreq, call, &call->out);
316 if (!NT_STATUS_IS_OK(status)) {
317 /* generate an error packet */
318 status = kdc_proxy_unavailable_error(kdc_conn->kdc_socket->kdc,
322 if (!NT_STATUS_IS_OK(status)) {
325 reason = talloc_asprintf(call, "kdc_tcp_call_proxy_done: "
326 "kdc_proxy_unavailable_error - %s",
329 reason = "kdc_tcp_call_proxy_done: kdc_proxy_unavailable_error() failed";
332 kdc_tcp_terminate_connection(call->kdc_conn, reason);
336 /* First add the length of the out buffer */
337 RSIVAL(call->out_hdr, 0, call->out.length);
338 call->out_iov[0].iov_base = (char *) call->out_hdr;
339 call->out_iov[0].iov_len = 4;
341 call->out_iov[1].iov_base = (char *) call->out.data;
342 call->out_iov[1].iov_len = call->out.length;
344 subreq = tstream_writev_queue_send(call,
345 kdc_conn->conn->event.ctx,
347 kdc_conn->send_queue,
349 if (subreq == NULL) {
350 kdc_tcp_terminate_connection(kdc_conn, "kdc_tcp_call_loop: "
351 "no memory for tstream_writev_queue_send");
354 tevent_req_set_callback(subreq, kdc_tcp_call_writev_done, call);
357 * The krb5 tcp pdu's has the length as 4 byte (initial_read_size),
358 * packet_full_request_u32 provides the pdu length then.
360 subreq = tstream_read_pdu_blob_send(kdc_conn,
361 kdc_conn->conn->event.ctx,
363 4, /* initial_read_size */
364 packet_full_request_u32,
366 if (subreq == NULL) {
367 kdc_tcp_terminate_connection(kdc_conn, "kdc_tcp_call_loop: "
368 "no memory for tstream_read_pdu_blob_send");
371 tevent_req_set_callback(subreq, kdc_tcp_call_loop, kdc_conn);
374 static void kdc_tcp_call_writev_done(struct tevent_req *subreq)
376 struct kdc_tcp_call *call = tevent_req_callback_data(subreq,
377 struct kdc_tcp_call);
381 rc = tstream_writev_queue_recv(subreq, &sys_errno);
386 reason = talloc_asprintf(call, "kdc_tcp_call_writev_done: "
387 "tstream_writev_queue_recv() - %d:%s",
388 sys_errno, strerror(sys_errno));
390 reason = "kdc_tcp_call_writev_done: tstream_writev_queue_recv() failed";
393 kdc_tcp_terminate_connection(call->kdc_conn, reason);
397 /* We don't care about errors */
403 called when we get a new connection
405 static void kdc_tcp_accept(struct stream_connection *conn)
407 struct kdc_socket *kdc_socket;
408 struct kdc_tcp_connection *kdc_conn;
409 struct tevent_req *subreq;
412 kdc_conn = talloc_zero(conn, struct kdc_tcp_connection);
413 if (kdc_conn == NULL) {
414 stream_terminate_connection(conn,
415 "kdc_tcp_accept: out of memory");
419 kdc_conn->send_queue = tevent_queue_create(conn, "kdc_tcp_accept");
420 if (kdc_conn->send_queue == NULL) {
421 stream_terminate_connection(conn,
422 "kdc_tcp_accept: out of memory");
426 kdc_socket = talloc_get_type(conn->private_data, struct kdc_socket);
428 TALLOC_FREE(conn->event.fde);
430 rc = tstream_bsd_existing_socket(kdc_conn,
431 socket_get_fd(conn->socket),
434 stream_terminate_connection(conn,
435 "kdc_tcp_accept: out of memory");
439 kdc_conn->conn = conn;
440 kdc_conn->kdc_socket = kdc_socket;
441 conn->private_data = kdc_conn;
444 * The krb5 tcp pdu's has the length as 4 byte (initial_read_size),
445 * packet_full_request_u32 provides the pdu length then.
447 subreq = tstream_read_pdu_blob_send(kdc_conn,
448 kdc_conn->conn->event.ctx,
450 4, /* initial_read_size */
451 packet_full_request_u32,
453 if (subreq == NULL) {
454 kdc_tcp_terminate_connection(kdc_conn, "kdc_tcp_accept: "
455 "no memory for tstream_read_pdu_blob_send");
458 tevent_req_set_callback(subreq, kdc_tcp_call_loop, kdc_conn);
461 static const struct stream_server_ops kdc_tcp_stream_ops = {
463 .accept_connection = kdc_tcp_accept,
464 .recv_handler = kdc_tcp_recv,
465 .send_handler = kdc_tcp_send
468 /* hold information about one kdc/kpasswd udp socket */
469 struct kdc_udp_socket {
470 struct kdc_socket *kdc_socket;
471 struct tdgram_context *dgram;
472 struct tevent_queue *send_queue;
475 struct kdc_udp_call {
476 struct kdc_udp_socket *sock;
477 struct tsocket_address *src;
482 static void kdc_udp_call_proxy_done(struct tevent_req *subreq);
483 static void kdc_udp_call_sendto_done(struct tevent_req *subreq);
485 static void kdc_udp_call_loop(struct tevent_req *subreq)
487 struct kdc_udp_socket *sock = tevent_req_callback_data(subreq,
488 struct kdc_udp_socket);
489 struct kdc_udp_call *call;
493 enum kdc_process_ret ret;
495 call = talloc(sock, struct kdc_udp_call);
502 len = tdgram_recvfrom_recv(subreq, &sys_errno,
503 call, &buf, &call->src);
511 call->in.length = len;
513 DEBUG(10,("Received krb5 UDP packet of length %lu from %s\n",
514 (long)call->in.length,
515 tsocket_address_string(call->src, call)));
518 ret = sock->kdc_socket->process(sock->kdc_socket->kdc,
523 sock->kdc_socket->local_address,
525 if (ret == KDC_PROCESS_FAILED) {
530 if (ret == KDC_PROCESS_PROXY) {
533 if (!sock->kdc_socket->kdc->am_rodc) {
534 DEBUG(0,("kdc_udp_call_loop: proxying requested when not RODC"));
539 port = tsocket_address_inet_port(sock->kdc_socket->local_address);
541 subreq = kdc_udp_proxy_send(call,
542 sock->kdc_socket->kdc->task->event_ctx,
543 sock->kdc_socket->kdc,
546 if (subreq == NULL) {
550 tevent_req_set_callback(subreq, kdc_udp_call_proxy_done, call);
554 subreq = tdgram_sendto_queue_send(call,
555 sock->kdc_socket->kdc->task->event_ctx,
561 if (subreq == NULL) {
565 tevent_req_set_callback(subreq, kdc_udp_call_sendto_done, call);
568 subreq = tdgram_recvfrom_send(sock,
569 sock->kdc_socket->kdc->task->event_ctx,
571 if (subreq == NULL) {
572 task_server_terminate(sock->kdc_socket->kdc->task,
573 "no memory for tdgram_recvfrom_send",
577 tevent_req_set_callback(subreq, kdc_udp_call_loop, sock);
580 static void kdc_udp_call_proxy_done(struct tevent_req *subreq)
582 struct kdc_udp_call *call =
583 tevent_req_callback_data(subreq,
584 struct kdc_udp_call);
587 status = kdc_udp_proxy_recv(subreq, call, &call->out);
589 if (!NT_STATUS_IS_OK(status)) {
590 /* generate an error packet */
591 status = kdc_proxy_unavailable_error(call->sock->kdc_socket->kdc,
595 if (!NT_STATUS_IS_OK(status)) {
600 subreq = tdgram_sendto_queue_send(call,
601 call->sock->kdc_socket->kdc->task->event_ctx,
603 call->sock->send_queue,
607 if (subreq == NULL) {
612 tevent_req_set_callback(subreq, kdc_udp_call_sendto_done, call);
615 static void kdc_udp_call_sendto_done(struct tevent_req *subreq)
617 struct kdc_udp_call *call = tevent_req_callback_data(subreq,
618 struct kdc_udp_call);
622 ret = tdgram_sendto_queue_recv(subreq, &sys_errno);
624 /* We don't care about errors */
630 start listening on the given address
632 static NTSTATUS kdc_add_socket(struct kdc_server *kdc,
633 const struct model_ops *model_ops,
637 kdc_process_fn_t process,
640 struct kdc_socket *kdc_socket;
641 struct kdc_udp_socket *kdc_udp_socket;
642 struct tevent_req *udpsubreq;
646 kdc_socket = talloc(kdc, struct kdc_socket);
647 NT_STATUS_HAVE_NO_MEMORY(kdc_socket);
649 kdc_socket->kdc = kdc;
650 kdc_socket->process = process;
652 ret = tsocket_address_inet_from_strings(kdc_socket, "ip",
654 &kdc_socket->local_address);
656 status = map_nt_error_from_unix_common(errno);
661 status = stream_setup_socket(kdc->task,
662 kdc->task->event_ctx,
666 "ip", address, &port,
667 lpcfg_socket_options(kdc->task->lp_ctx),
669 if (!NT_STATUS_IS_OK(status)) {
670 DEBUG(0,("Failed to bind to %s:%u TCP - %s\n",
671 address, port, nt_errstr(status)));
672 talloc_free(kdc_socket);
677 kdc_udp_socket = talloc(kdc_socket, struct kdc_udp_socket);
678 NT_STATUS_HAVE_NO_MEMORY(kdc_udp_socket);
680 kdc_udp_socket->kdc_socket = kdc_socket;
682 ret = tdgram_inet_udp_socket(kdc_socket->local_address,
685 &kdc_udp_socket->dgram);
687 status = map_nt_error_from_unix_common(errno);
688 DEBUG(0,("Failed to bind to %s:%u UDP - %s\n",
689 address, port, nt_errstr(status)));
693 kdc_udp_socket->send_queue = tevent_queue_create(kdc_udp_socket,
694 "kdc_udp_send_queue");
695 NT_STATUS_HAVE_NO_MEMORY(kdc_udp_socket->send_queue);
697 udpsubreq = tdgram_recvfrom_send(kdc_udp_socket,
698 kdc->task->event_ctx,
699 kdc_udp_socket->dgram);
700 NT_STATUS_HAVE_NO_MEMORY(udpsubreq);
701 tevent_req_set_callback(udpsubreq, kdc_udp_call_loop, kdc_udp_socket);
708 setup our listening sockets on the configured network interfaces
710 static NTSTATUS kdc_startup_interfaces(struct kdc_server *kdc, struct loadparm_context *lp_ctx,
711 struct interface *ifaces)
713 const struct model_ops *model_ops;
715 TALLOC_CTX *tmp_ctx = talloc_new(kdc);
718 uint16_t kdc_port = lpcfg_krb5_port(lp_ctx);
719 uint16_t kpasswd_port = lpcfg_kpasswd_port(lp_ctx);
720 bool done_wildcard = false;
722 /* within the kdc task we want to be a single process, so
723 ask for the single process model ops and pass these to the
724 stream_setup_socket() call. */
725 model_ops = process_model_startup("single");
727 DEBUG(0,("Can't find 'single' process model_ops\n"));
728 return NT_STATUS_INTERNAL_ERROR;
731 num_interfaces = iface_list_count(ifaces);
733 /* if we are allowing incoming packets from any address, then
734 we need to bind to the wildcard address */
735 if (!lpcfg_bind_interfaces_only(lp_ctx)) {
736 const char **wcard = iface_list_wildcard(kdc, lp_ctx);
737 NT_STATUS_HAVE_NO_MEMORY(wcard);
738 for (i=0; wcard[i]; i++) {
740 status = kdc_add_socket(kdc, model_ops,
741 "kdc", wcard[i], kdc_port,
743 NT_STATUS_NOT_OK_RETURN(status);
747 status = kdc_add_socket(kdc, model_ops,
748 "kpasswd", wcard[i], kpasswd_port,
749 kpasswdd_process, false);
750 NT_STATUS_NOT_OK_RETURN(status);
754 done_wildcard = true;
757 for (i=0; i<num_interfaces; i++) {
758 const char *address = talloc_strdup(tmp_ctx, iface_list_n_ip(ifaces, i));
761 status = kdc_add_socket(kdc, model_ops,
762 "kdc", address, kdc_port,
763 kdc_process, done_wildcard);
764 NT_STATUS_NOT_OK_RETURN(status);
768 status = kdc_add_socket(kdc, model_ops,
769 "kpasswd", address, kpasswd_port,
770 kpasswdd_process, done_wildcard);
771 NT_STATUS_NOT_OK_RETURN(status);
775 talloc_free(tmp_ctx);
781 static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg,
782 struct kdc_check_generic_kerberos *r)
784 struct PAC_Validate pac_validate;
786 struct PAC_SIGNATURE_DATA kdc_sig;
787 struct kdc_server *kdc = talloc_get_type(msg->private_data, struct kdc_server);
788 enum ndr_err_code ndr_err;
792 krb5_principal principal;
793 krb5_keyblock keyblock;
796 /* There is no reply to this request */
797 r->out.generic_reply = data_blob(NULL, 0);
799 ndr_err = ndr_pull_struct_blob(&r->in.generic_request, msg, &pac_validate,
800 (ndr_pull_flags_fn_t)ndr_pull_PAC_Validate);
801 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
802 return NT_STATUS_INVALID_PARAMETER;
805 if (pac_validate.MessageType != 3) {
806 /* We don't implement any other message types - such as certificate validation - yet */
807 return NT_STATUS_INVALID_PARAMETER;
810 if (pac_validate.ChecksumAndSignature.length != (pac_validate.ChecksumLength + pac_validate.SignatureLength)
811 || pac_validate.ChecksumAndSignature.length < pac_validate.ChecksumLength
812 || pac_validate.ChecksumAndSignature.length < pac_validate.SignatureLength ) {
813 return NT_STATUS_INVALID_PARAMETER;
816 srv_sig = data_blob_const(pac_validate.ChecksumAndSignature.data,
817 pac_validate.ChecksumLength);
819 if (pac_validate.SignatureType == CKSUMTYPE_HMAC_MD5) {
820 etype = ETYPE_ARCFOUR_HMAC_MD5;
822 ret = krb5_cksumtype_to_enctype(kdc->smb_krb5_context->krb5_context, pac_validate.SignatureType,
825 return NT_STATUS_LOGON_FAILURE;
829 ret = krb5_make_principal(kdc->smb_krb5_context->krb5_context, &principal,
830 lpcfg_realm(kdc->task->lp_ctx),
831 "krbtgt", lpcfg_realm(kdc->task->lp_ctx),
835 return NT_STATUS_NO_MEMORY;
838 ret = kdc->config->db[0]->hdb_fetch_kvno(kdc->smb_krb5_context->krb5_context,
841 HDB_F_GET_KRBTGT | HDB_F_DECRYPT,
846 hdb_free_entry(kdc->smb_krb5_context->krb5_context, &ent);
847 krb5_free_principal(kdc->smb_krb5_context->krb5_context, principal);
849 return NT_STATUS_LOGON_FAILURE;
852 ret = hdb_enctype2key(kdc->smb_krb5_context->krb5_context, &ent.entry, etype, &key);
855 hdb_free_entry(kdc->smb_krb5_context->krb5_context, &ent);
856 krb5_free_principal(kdc->smb_krb5_context->krb5_context, principal);
857 return NT_STATUS_LOGON_FAILURE;
862 kdc_sig.type = pac_validate.SignatureType;
863 kdc_sig.signature = data_blob_const(&pac_validate.ChecksumAndSignature.data[pac_validate.ChecksumLength],
864 pac_validate.SignatureLength);
865 ret = check_pac_checksum(msg, srv_sig, &kdc_sig,
866 kdc->smb_krb5_context->krb5_context, &keyblock);
868 hdb_free_entry(kdc->smb_krb5_context->krb5_context, &ent);
869 krb5_free_principal(kdc->smb_krb5_context->krb5_context, principal);
872 return NT_STATUS_LOGON_FAILURE;
882 static void kdc_task_init(struct task_server *task)
884 struct kdc_server *kdc;
887 struct interface *ifaces;
890 switch (lpcfg_server_role(task->lp_ctx)) {
891 case ROLE_STANDALONE:
892 task_server_terminate(task, "kdc: no KDC required in standalone configuration", false);
894 case ROLE_DOMAIN_MEMBER:
895 task_server_terminate(task, "kdc: no KDC required in member server configuration", false);
897 case ROLE_DOMAIN_CONTROLLER:
898 /* Yes, we want a KDC */
902 load_interface_list(task, task->lp_ctx, &ifaces);
904 if (iface_list_count(ifaces) == 0) {
905 task_server_terminate(task, "kdc: no network interfaces configured", false);
909 task_server_set_title(task, "task[kdc]");
911 kdc = talloc_zero(task, struct kdc_server);
913 task_server_terminate(task, "kdc: out of memory", true);
920 /* get a samdb connection */
921 kdc->samdb = samdb_connect(kdc, kdc->task->event_ctx, kdc->task->lp_ctx,
922 system_session(kdc->task->lp_ctx), 0);
924 DEBUG(1,("kdc_task_init: unable to connect to samdb\n"));
925 task_server_terminate(task, "kdc: krb5_init_context samdb connect failed", true);
929 ldb_ret = samdb_rodc(kdc->samdb, &kdc->am_rodc);
930 if (ldb_ret != LDB_SUCCESS) {
931 DEBUG(1, ("kdc_task_init: Cannot determine if we are an RODC: %s\n",
932 ldb_errstring(kdc->samdb)));
933 task_server_terminate(task, "kdc: krb5_init_context samdb RODC connect failed", true);
937 kdc->proxy_timeout = lpcfg_parm_int(kdc->task->lp_ctx, NULL, "kdc", "proxy timeout", 5);
939 initialize_krb5_error_table();
941 ret = smb_krb5_init_context(kdc, task->event_ctx, task->lp_ctx, &kdc->smb_krb5_context);
943 DEBUG(1,("kdc_task_init: krb5_init_context failed (%s)\n",
944 error_message(ret)));
945 task_server_terminate(task, "kdc: krb5_init_context failed", true);
949 krb5_add_et_list(kdc->smb_krb5_context->krb5_context, initialize_hdb_error_table_r);
951 ret = krb5_kdc_get_config(kdc->smb_krb5_context->krb5_context,
954 task_server_terminate(task, "kdc: failed to get KDC configuration", true);
958 kdc->config->logf = kdc->smb_krb5_context->logf;
959 kdc->config->db = talloc(kdc, struct HDB *);
960 if (!kdc->config->db) {
961 task_server_terminate(task, "kdc: out of memory", true);
964 kdc->config->num_db = 1;
967 * This restores the behavior before
968 * commit 255e3e18e00f717d99f3bc57c8a8895ff624f3c3
969 * s4:heimdal: import lorikeet-heimdal-201107150856
970 * (commit 48936803fae4a2fb362c79365d31f420c917b85b)
972 * as_use_strongest_session_key,preauth_use_strongest_session_key
973 * and tgs_use_strongest_session_key are input to the
974 * _kdc_find_etype() function. The old bahavior is in
975 * the use_strongest_session_key=FALSE code path.
976 * (The only remaining difference in _kdc_find_etype()
977 * is the is_preauth parameter.)
979 * The old behavior in the _kdc_get_preferred_key()
980 * function is use_strongest_server_key=TRUE.
982 kdc->config->as_use_strongest_session_key = false;
983 kdc->config->preauth_use_strongest_session_key = false;
984 kdc->config->tgs_use_strongest_session_key = false;
985 kdc->config->use_strongest_server_key = true;
987 /* Register hdb-samba4 hooks for use as a keytab */
989 kdc->base_ctx = talloc_zero(kdc, struct samba_kdc_base_context);
990 if (!kdc->base_ctx) {
991 task_server_terminate(task, "kdc: out of memory", true);
995 kdc->base_ctx->ev_ctx = task->event_ctx;
996 kdc->base_ctx->lp_ctx = task->lp_ctx;
998 status = hdb_samba4_create_kdc(kdc->base_ctx,
999 kdc->smb_krb5_context->krb5_context,
1000 &kdc->config->db[0]);
1001 if (!NT_STATUS_IS_OK(status)) {
1002 task_server_terminate(task, "kdc: hdb_samba4_create_kdc (setup KDC database) failed", true);
1006 ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
1007 PLUGIN_TYPE_DATA, "hdb",
1008 &hdb_samba4_interface);
1010 task_server_terminate(task, "kdc: failed to register hdb plugin", true);
1014 ret = krb5_kt_register(kdc->smb_krb5_context->krb5_context, &hdb_kt_ops);
1016 task_server_terminate(task, "kdc: failed to register keytab plugin", true);
1020 /* Register WinDC hooks */
1021 ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
1022 PLUGIN_TYPE_DATA, "windc",
1023 &windc_plugin_table);
1025 task_server_terminate(task, "kdc: failed to register windc plugin", true);
1029 ret = krb5_kdc_windc_init(kdc->smb_krb5_context->krb5_context);
1032 task_server_terminate(task, "kdc: failed to init windc plugin", true);
1036 ret = krb5_kdc_pkinit_config(kdc->smb_krb5_context->krb5_context, kdc->config);
1039 task_server_terminate(task, "kdc: failed to init kdc pkinit subsystem", true);
1043 /* start listening on the configured network interfaces */
1044 status = kdc_startup_interfaces(kdc, task->lp_ctx, ifaces);
1045 if (!NT_STATUS_IS_OK(status)) {
1046 task_server_terminate(task, "kdc failed to setup interfaces", true);
1050 status = IRPC_REGISTER(task->msg_ctx, irpc, KDC_CHECK_GENERIC_KERBEROS,
1051 kdc_check_generic_kerberos, kdc);
1052 if (!NT_STATUS_IS_OK(status)) {
1053 task_server_terminate(task, "kdc failed to setup monitoring", true);
1057 irpc_add_name(task->msg_ctx, "kdc_server");
1061 /* called at smbd startup - register ourselves as a server service */
1062 NTSTATUS server_service_kdc_init(void)
1064 return register_server_service("kdc", kdc_task_init);
git.samba.org / sfrench / samba-autobuild / .git / blob