source4/kdc/kpasswd-service-heimdal.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Samba kpasswd implementation
   5
   6    Copyright (c) 2016      Andreas Schneider <asn@samba.org>
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18    You should have received a copy of the GNU General Public License
  19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  20 */
  21
  22 #include "includes.h"
  23 #include "samba/service_task.h"
  24 #include "param/param.h"
  25 #include "auth/auth.h"
  26 #include "auth/gensec/gensec.h"
  27 #include "gensec_krb5_helpers.h"
  28 #include "kdc/kdc-server.h"
  29 #include "kdc/kpasswd_glue.h"
  30 #include "kdc/kpasswd-service.h"
  31 #include "kdc/kpasswd-helper.h"
  32
  33 static krb5_error_code kpasswd_change_password(struct kdc_server *kdc,
  34                                                TALLOC_CTX *mem_ctx,
  35                                                const struct gensec_security *gensec_security,
  36                                                struct auth_session_info *session_info,
  37                                                DATA_BLOB *password,
  38                                                DATA_BLOB *kpasswd_reply,
  39                                                const char **error_string)
  40 {
  41         NTSTATUS status;
  42         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
  43         enum samPwdChangeReason reject_reason;
  44         const char *reject_string = NULL;
  45         struct samr_DomInfo1 *dominfo;
  46         bool ok;
  47         int ret;
  48
  49         /*
  50          * We're doing a password change (rather than a password set), so check
  51          * that we were given an initial ticket.
  52          */
  53         ret = gensec_krb5_initial_ticket(gensec_security);
  54         if (ret != 1) {
  55                 *error_string = "Expected an initial ticket";
  56                 return KRB5_KPASSWD_INITIAL_FLAG_NEEDED;
  57         }
  58
  59         status = samdb_kpasswd_change_password(mem_ctx,
  60                                                kdc->task->lp_ctx,
  61                                                kdc->task->event_ctx,
  62                                                kdc->samdb,
  63                                                session_info,
  64                                                password,
  65                                                &reject_reason,
  66                                                &dominfo,
  67                                                &reject_string,
  68                                                &result);
  69         if (!NT_STATUS_IS_OK(status)) {
  70                 ok = kpasswd_make_error_reply(mem_ctx,
  71                                               KRB5_KPASSWD_ACCESSDENIED,
  72                                               reject_string,
  73                                               kpasswd_reply);
  74                 if (!ok) {
  75                         *error_string = "Failed to create reply";
  76                         return KRB5_KPASSWD_HARDERROR;
  77                 }
  78                 /* We want to send an an authenticated packet. */
  79                 return 0;
  80         }
  81
  82         ok = kpasswd_make_pwchange_reply(mem_ctx,
  83                                          result,
  84                                          reject_reason,
  85                                          dominfo,
  86                                          kpasswd_reply);
  87         if (!ok) {
  88                 *error_string = "Failed to create reply";
  89                 return KRB5_KPASSWD_HARDERROR;
  90         }
  91
  92         return 0;
  93 }
  94
  95 static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
  96                                             TALLOC_CTX *mem_ctx,
  97                                             const struct gensec_security *gensec_security,
  98                                             struct auth_session_info *session_info,
  99                                             DATA_BLOB *decoded_data,
 100                                             DATA_BLOB *kpasswd_reply,
 101                                             const char **error_string)
 102 {
 103         krb5_context context = kdc->smb_krb5_context->krb5_context;
 104         krb5_error_code code;
 105         krb5_principal target_principal;
 106         ChangePasswdDataMS chpw = {};
 107         size_t chpw_len = 0;
 108         DATA_BLOB password = data_blob_null;
 109         enum samPwdChangeReason reject_reason = SAM_PWD_CHANGE_NO_ERROR;
 110         struct samr_DomInfo1 *dominfo = NULL;
 111         char *target_principal_string = NULL;
 112         bool is_service_principal = false;
 113         NTSTATUS status;
 114         bool ok;
 115
 116         code = decode_ChangePasswdDataMS(decoded_data->data,
 117                                          decoded_data->length,
 118                                          &chpw,
 119                                          &chpw_len);
 120         if (code != 0) {
 121                 DBG_WARNING("decode_ChangePasswdDataMS failed\n");
 122                 ok = kpasswd_make_error_reply(mem_ctx,
 123                                               KRB5_KPASSWD_MALFORMED,
 124                                               "Failed to decode packet",
 125                                               kpasswd_reply);
 126                 if (!ok) {
 127                         *error_string = "Failed to create reply";
 128                         return KRB5_KPASSWD_HARDERROR;
 129                 }
 130                 return 0;
 131         }
 132
 133         ok = convert_string_talloc_handle(mem_ctx,
 134                                           lpcfg_iconv_handle(kdc->task->lp_ctx),
 135                                           CH_UTF8,
 136                                           CH_UTF16,
 137                                           (const char *)chpw.newpasswd.data,
 138                                           chpw.newpasswd.length,
 139                                           (void **)&password.data,
 140                                           &password.length);
 141         if (!ok) {
 142                 free_ChangePasswdDataMS(&chpw);
 143                 DBG_WARNING("String conversion failed\n");
 144                 *error_string = "String conversion failed";
 145                 return KRB5_KPASSWD_HARDERROR;
 146         }
 147
 148         if ((chpw.targname != NULL && chpw.targrealm == NULL) ||
 149             (chpw.targname == NULL && chpw.targrealm != NULL)) {
 150                 free_ChangePasswdDataMS(&chpw);
 151                 ok = kpasswd_make_error_reply(mem_ctx,
 152                                               KRB5_KPASSWD_MALFORMED,
 153                                               "Realm and principal must be "
 154                                               "both present, or neither present",
 155                                               kpasswd_reply);
 156                 if (!ok) {
 157                         *error_string = "Failed to create reply";
 158                         return KRB5_KPASSWD_HARDERROR;
 159                 }
 160                 return 0;
 161         }
 162
 163         if (chpw.targname == NULL || chpw.targrealm == NULL) {
 164                 free_ChangePasswdDataMS(&chpw);
 165                 return kpasswd_change_password(kdc,
 166                                                mem_ctx,
 167                                                gensec_security,
 168                                                session_info,
 169                                                &password,
 170                                                kpasswd_reply,
 171                                                error_string);
 172         }
 173         code = krb5_build_principal_ext(context,
 174                                         &target_principal,
 175                                         strlen(*chpw.targrealm),
 176                                         *chpw.targrealm,
 177                                         0);
 178         if (code != 0) {
 179                 free_ChangePasswdDataMS(&chpw);
 180                 return kpasswd_make_error_reply(mem_ctx,
 181                                                 KRB5_KPASSWD_MALFORMED,
 182                                                 "Failed to parse principal",
 183                                                 kpasswd_reply);
 184         }
 185         code = copy_PrincipalName(chpw.targname,
 186                                   &target_principal->name);
 187         free_ChangePasswdDataMS(&chpw);
 188         if (code != 0) {
 189                 krb5_free_principal(context, target_principal);
 190                 return kpasswd_make_error_reply(mem_ctx,
 191                                                 KRB5_KPASSWD_MALFORMED,
 192                                                 "Failed to parse principal",
 193                                                 kpasswd_reply);
 194         }
 195
 196         if (target_principal->name.name_string.len >= 2) {
 197                 is_service_principal = true;
 198
 199                 code = krb5_unparse_name_short(context,
 200                                                target_principal,
 201                                                &target_principal_string);
 202         } else {
 203                 code = krb5_unparse_name(context,
 204                                          target_principal,
 205                                          &target_principal_string);
 206         }
 207         krb5_free_principal(context, target_principal);
 208         if (code != 0) {
 209                 ok = kpasswd_make_error_reply(mem_ctx,
 210                                               KRB5_KPASSWD_MALFORMED,
 211                                               "Failed to parse principal",
 212                                               kpasswd_reply);
 213                 if (!ok) {
 214                         *error_string = "Failed to create reply";
 215                         return KRB5_KPASSWD_HARDERROR;
 216                 }
 217         }
 218
 219         status = kpasswd_samdb_set_password(mem_ctx,
 220                                             kdc->task->event_ctx,
 221                                             kdc->task->lp_ctx,
 222                                             session_info,
 223                                             is_service_principal,
 224                                             target_principal_string,
 225                                             &password,
 226                                             &reject_reason,
 227                                             &dominfo);
 228         if (!NT_STATUS_IS_OK(status)) {
 229                 DBG_ERR("kpasswd_samdb_set_password failed - %s\n",
 230                         nt_errstr(status));
 231         }
 232
 233         ok = kpasswd_make_pwchange_reply(mem_ctx,
 234                                          status,
 235                                          reject_reason,
 236                                          dominfo,
 237                                          kpasswd_reply);
 238         if (!ok) {
 239                 *error_string = "Failed to create reply";
 240                 return KRB5_KPASSWD_HARDERROR;
 241         }
 242
 243         return 0;
 244 }
 245
 246 krb5_error_code kpasswd_handle_request(struct kdc_server *kdc,
 247                                        TALLOC_CTX *mem_ctx,
 248                                        struct gensec_security *gensec_security,
 249                                        uint16_t verno,
 250                                        DATA_BLOB *decoded_data,
 251                                        DATA_BLOB *kpasswd_reply,
 252                                        const char **error_string)
 253 {
 254         struct auth_session_info *session_info;
 255         NTSTATUS status;
 256
 257         status = gensec_session_info(gensec_security,
 258                                      mem_ctx,
 259                                      &session_info);
 260         if (!NT_STATUS_IS_OK(status)) {
 261                 *error_string = talloc_asprintf(mem_ctx,
 262                                                 "gensec_session_info failed - %s",
 263                                                 nt_errstr(status));
 264                 return KRB5_KPASSWD_HARDERROR;
 265         }
 266
 267         switch(verno) {
 268         case KRB5_KPASSWD_VERS_CHANGEPW: {
 269                 DATA_BLOB password = data_blob_null;
 270                 bool ok;
 271
 272                 ok = convert_string_talloc_handle(mem_ctx,
 273                                                   lpcfg_iconv_handle(kdc->task->lp_ctx),
 274                                                   CH_UTF8,
 275                                                   CH_UTF16,
 276                                                   (const char *)decoded_data->data,
 277                                                   decoded_data->length,
 278                                                   (void **)&password.data,
 279                                                   &password.length);
 280                 if (!ok) {
 281                         *error_string = "String conversion failed!";
 282                         DBG_WARNING("%s\n", *error_string);
 283                         return KRB5_KPASSWD_HARDERROR;
 284                 }
 285
 286                 return kpasswd_change_password(kdc,
 287                                                mem_ctx,
 288                                                gensec_security,
 289                                                session_info,
 290                                                &password,
 291                                                kpasswd_reply,
 292                                                error_string);
 293         }
 294         case KRB5_KPASSWD_VERS_SETPW: {
 295                 return kpasswd_set_password(kdc,
 296                                             mem_ctx,
 297                                             gensec_security,
 298                                             session_info,
 299                                             decoded_data,
 300                                             kpasswd_reply,
 301                                             error_string);
 302         }
 303         default:
 304                 *error_string = talloc_asprintf(mem_ctx,
 305                                                 "Protocol version %u not supported",
 306                                                 verno);
 307                 return KRB5_KPASSWD_BAD_VERSION;
 308         }
 309
 310         return 0;
 311 }