kerberos utility library
Copyright (C) Andrew Tridgell 2001
Copyright (C) Remus Koos 2001
-
-
+ Copyright (C) Nalin Dahyabhai <nalin@redhat.com> 2004.
+ Copyright (C) Jeremy Allison 2004.
+ Copyright (C) Gerald Carter 2006.
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
#ifdef HAVE_KRB5
+#define LIBADS_CCACHE_NAME "MEMORY:libads"
+
/*
we use a prompter to avoid a crash bug in the kerberos libs when
dealing with empty passwords
{
if (num_prompts == 0) return 0;
- memset(prompts[0].reply->data, 0, prompts[0].reply->length);
+ memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
if (prompts[0].reply->length > 0) {
if (data) {
- strncpy(prompts[0].reply->data, data, prompts[0].reply->length-1);
+ strncpy(prompts[0].reply->data, (const char *)data,
+ prompts[0].reply->length-1);
prompts[0].reply->length = strlen(prompts[0].reply->data);
} else {
prompts[0].reply->length = 0;
}
/*
- simulate a kinit, putting the tgt in the default cache location
+ simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL
+ place in default cache location.
remus@snapserver.com
*/
-int kerberos_kinit_password(const char *principal, const char *password, int time_offset, time_t *expire_time)
+int kerberos_kinit_password_ext(const char *principal,
+ const char *password,
+ int time_offset,
+ time_t *expire_time,
+ time_t *renew_till_time,
+ const char *cache_name,
+ BOOL request_pac,
+ BOOL add_netbios_addr,
+ time_t renewable_time)
{
krb5_context ctx = NULL;
krb5_error_code code = 0;
krb5_ccache cc = NULL;
krb5_principal me;
krb5_creds my_creds;
+ krb5_get_init_creds_opt opt;
+ smb_krb5_addresses *addr = NULL;
+ initialize_krb5_error_table();
if ((code = krb5_init_context(&ctx)))
return code;
if (time_offset != 0) {
krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
}
-
- if ((code = krb5_cc_default(ctx, &cc))) {
+
+ DEBUG(10,("kerberos_kinit_password: using %s as ccache\n",
+ cache_name ? cache_name: krb5_cc_default_name(ctx)));
+
+ if ((code = krb5_cc_resolve(ctx, cache_name ? cache_name : krb5_cc_default_name(ctx), &cc))) {
krb5_free_context(ctx);
return code;
}
- if ((code = krb5_parse_name(ctx, principal, &me))) {
+ if ((code = smb_krb5_parse_name(ctx, principal, &me))) {
krb5_free_context(ctx);
return code;
}
+
+ krb5_get_init_creds_opt_init(&opt);
+ krb5_get_init_creds_opt_set_renew_life(&opt, renewable_time);
+ krb5_get_init_creds_opt_set_forwardable(&opt, 1);
- if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, password,
- kerb_prompter,
- NULL, 0, NULL, NULL))) {
+ if (request_pac) {
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
+ code = krb5_get_init_creds_opt_set_pac_request(ctx, &opt, True);
+ if (code) {
+ krb5_free_principal(ctx, me);
+ krb5_free_context(ctx);
+ return code;
+ }
+#endif
+ }
+
+ if (add_netbios_addr) {
+ code = smb_krb5_gen_netbios_krb5_address(&addr);
+ if (code) {
+ krb5_free_principal(ctx, me);
+ krb5_free_context(ctx);
+ return code;
+ }
+ krb5_get_init_creds_opt_set_address_list(&opt, addr->addrs);
+ }
+
+ if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, CONST_DISCARD(char *,password),
+ kerb_prompter, NULL, 0, NULL, &opt)))
+ {
+ smb_krb5_free_addresses(ctx, addr);
krb5_free_principal(ctx, me);
krb5_free_context(ctx);
return code;
}
if ((code = krb5_cc_initialize(ctx, cc, me))) {
+ smb_krb5_free_addresses(ctx, addr);
krb5_free_cred_contents(ctx, &my_creds);
krb5_free_principal(ctx, me);
krb5_free_context(ctx);
if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
krb5_cc_close(ctx, cc);
+ smb_krb5_free_addresses(ctx, addr);
krb5_free_cred_contents(ctx, &my_creds);
krb5_free_principal(ctx, me);
krb5_free_context(ctx);
return code;
}
-
- if (expire_time)
+
+ if (expire_time) {
*expire_time = (time_t) my_creds.times.endtime;
+ }
+
+ if (renew_till_time) {
+ *renew_till_time = (time_t) my_creds.times.renew_till;
+ }
krb5_cc_close(ctx, cc);
+ smb_krb5_free_addresses(ctx, addr);
krb5_free_cred_contents(ctx, &my_creds);
krb5_free_principal(ctx, me);
krb5_free_context(ctx);
{
char *s;
int ret;
+ const char *account_name;
+ fstring acct_name;
+
+ if ( IS_DC ) {
+ /* this will end up getting a ticket for DOMAIN@RUSTED.REA.LM */
+ account_name = lp_workgroup();
+ } else {
+ /* always use the sAMAccountName for security = domain */
+ /* global_myname()$@REA.LM */
+ if ( lp_security() == SEC_DOMAIN ) {
+ fstr_sprintf( acct_name, "%s$", global_myname() );
+ account_name = acct_name;
+ }
+ else
+ /* This looks like host/global_myname()@REA.LM */
+ account_name = ads->auth.user_name;
+ }
- if (asprintf(&s, "%s@%s", ads->auth.user_name, ads->auth.realm) == -1) {
+ if (asprintf(&s, "%s@%s", account_name, ads->auth.realm) == -1) {
return KRB5_CC_NOMEM;
}
if (!ads->auth.password) {
+ SAFE_FREE(s);
return KRB5_LIBOS_CANTREADPWD;
}
- ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset, &ads->auth.expire);
+ ret = kerberos_kinit_password_ext(s, ads->auth.password, ads->auth.time_offset,
+ &ads->auth.expire, NULL, NULL, False, False, ads->auth.renewable);
if (ret) {
DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
s, error_message(ret)));
}
- free(s);
+ SAFE_FREE(s);
return ret;
}
krb5_context ctx = NULL;
krb5_ccache cc = NULL;
+ initialize_krb5_error_table();
if ((code = krb5_init_context (&ctx))) {
- DEBUG(3, ("ads_kdestroy: kdb5_init_context rc=%d\n", code));
+ DEBUG(3, ("ads_kdestroy: kdb5_init_context failed: %s\n",
+ error_message(code)));
return code;
}
}
} else {
if ((code = krb5_cc_resolve(ctx, cc_name, &cc))) {
- DEBUG(3, ("ads_kdestroy: krb5_cc_resolve rc=%d\n",
- code));
+ DEBUG(3, ("ads_kdestroy: krb5_cc_resolve failed: %s\n",
+ error_message(code)));
krb5_free_context(ctx);
return code;
}
}
if ((code = krb5_cc_destroy (ctx, cc))) {
- DEBUG(3, ("ads_kdestroy: krb5_cc_destroy rc=%d\n", code));
+ DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n",
+ error_message(code)));
}
krb5_free_context (ctx);
return code;
}
+/************************************************************************
+ Routine to fetch the salting principal for a service. Active
+ Directory may use a non-obvious principal name to generate the salt
+ when it determines the key to use for encrypting tickets for a service,
+ and hopefully we detected that when we joined the domain.
+ ************************************************************************/
+
+static char *kerberos_secrets_fetch_salting_principal(const char *service, int enctype)
+{
+ char *key = NULL;
+ char *ret = NULL;
+
+ asprintf(&key, "%s/%s/enctype=%d", SECRETS_SALTING_PRINCIPAL, service, enctype);
+ if (!key) {
+ return NULL;
+ }
+ ret = (char *)secrets_fetch(key, NULL);
+ SAFE_FREE(key);
+ return ret;
+}
+
+/************************************************************************
+ Return the standard DES salt key
+************************************************************************/
+
+char* kerberos_standard_des_salt( void )
+{
+ fstring salt;
+
+ fstr_sprintf( salt, "host/%s.%s@", global_myname(), lp_realm() );
+ strlower_m( salt );
+ fstrcat( salt, lp_realm() );
+
+ return SMB_STRDUP( salt );
+}
+
+/************************************************************************
+************************************************************************/
+
+static char* des_salt_key( void )
+{
+ char *key;
+
+ asprintf(&key, "%s/DES/%s", SECRETS_SALTING_PRINCIPAL, lp_realm());
+
+ return key;
+}
+
+/************************************************************************
+************************************************************************/
+
+BOOL kerberos_secrets_store_des_salt( const char* salt )
+{
+ char* key;
+ BOOL ret;
+
+ if ( (key = des_salt_key()) == NULL ) {
+ DEBUG(0,("kerberos_secrets_store_des_salt: failed to generate key!\n"));
+ return False;
+ }
+
+ if ( !salt ) {
+ DEBUG(8,("kerberos_secrets_store_des_salt: deleting salt\n"));
+ secrets_delete( key );
+ return True;
+ }
+
+ DEBUG(3,("kerberos_secrets_store_des_salt: Storing salt \"%s\"\n", salt));
+
+ ret = secrets_store( key, salt, strlen(salt)+1 );
+
+ SAFE_FREE( key );
+
+ return ret;
+}
+
+/************************************************************************
+************************************************************************/
+
+char* kerberos_secrets_fetch_des_salt( void )
+{
+ char *salt, *key;
+
+ if ( (key = des_salt_key()) == NULL ) {
+ DEBUG(0,("kerberos_secrets_fetch_des_salt: failed to generate key!\n"));
+ return False;
+ }
+
+ salt = (char*)secrets_fetch( key, NULL );
+
+ SAFE_FREE( key );
+
+ return salt;
+}
+
+
+/************************************************************************
+ Routine to get the salting principal for this service. This is
+ maintained for backwards compatibilty with releases prior to 3.0.24.
+ Since we store the salting principal string only at join, we may have
+ to look for the older tdb keys. Caller must free if return is not null.
+ ************************************************************************/
+
+krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context,
+ krb5_principal host_princ,
+ int enctype)
+{
+ char *unparsed_name = NULL, *salt_princ_s = NULL;
+ krb5_principal ret_princ = NULL;
+
+ /* lookup new key first */
+
+ if ( (salt_princ_s = kerberos_secrets_fetch_des_salt()) == NULL ) {
+
+ /* look under the old key. If this fails, just use the standard key */
+
+ if (smb_krb5_unparse_name(context, host_princ, &unparsed_name) != 0) {
+ return (krb5_principal)NULL;
+ }
+ if ((salt_princ_s = kerberos_secrets_fetch_salting_principal(unparsed_name, enctype)) == NULL) {
+ /* fall back to host/machine.realm@REALM */
+ salt_princ_s = kerberos_standard_des_salt();
+ }
+ }
+
+ if (smb_krb5_parse_name(context, salt_princ_s, &ret_princ) != 0) {
+ ret_princ = NULL;
+ }
+
+ SAFE_FREE(unparsed_name);
+ SAFE_FREE(salt_princ_s);
+
+ return ret_princ;
+}
+
+/************************************************************************
+ Routine to set the salting principal for this service. Active
+ Directory may use a non-obvious principal name to generate the salt
+ when it determines the key to use for encrypting tickets for a service,
+ and hopefully we detected that when we joined the domain.
+ Setting principal to NULL deletes this entry.
+ ************************************************************************/
+
+BOOL kerberos_secrets_store_salting_principal(const char *service,
+ int enctype,
+ const char *principal)
+{
+ char *key = NULL;
+ BOOL ret = False;
+ krb5_context context = NULL;
+ krb5_principal princ = NULL;
+ char *princ_s = NULL;
+ char *unparsed_name = NULL;
+
+ krb5_init_context(&context);
+ if (!context) {
+ return False;
+ }
+ if (strchr_m(service, '@')) {
+ asprintf(&princ_s, "%s", service);
+ } else {
+ asprintf(&princ_s, "%s@%s", service, lp_realm());
+ }
+
+ if (smb_krb5_parse_name(context, princ_s, &princ) != 0) {
+ goto out;
+
+ }
+ if (smb_krb5_unparse_name(context, princ, &unparsed_name) != 0) {
+ goto out;
+ }
+
+ asprintf(&key, "%s/%s/enctype=%d", SECRETS_SALTING_PRINCIPAL, unparsed_name, enctype);
+ if (!key) {
+ goto out;
+ }
+
+ if ((principal != NULL) && (strlen(principal) > 0)) {
+ ret = secrets_store(key, principal, strlen(principal) + 1);
+ } else {
+ ret = secrets_delete(key);
+ }
+
+ out:
+
+ SAFE_FREE(key);
+ SAFE_FREE(princ_s);
+ SAFE_FREE(unparsed_name);
+
+ if (context) {
+ krb5_free_context(context);
+ }
+
+ return ret;
+}
+
+
+/************************************************************************
+************************************************************************/
+
+int kerberos_kinit_password(const char *principal,
+ const char *password,
+ int time_offset,
+ const char *cache_name)
+{
+ return kerberos_kinit_password_ext(principal,
+ password,
+ time_offset,
+ 0,
+ 0,
+ cache_name,
+ False,
+ False,
+ 0);
+}
+
+/************************************************************************
+ Create a specific krb5.conf file in the private directory pointing
+ at a specific kdc for a realm. Keyed off domain name. Sets
+ KRB5_CONFIG environment variable to point to this file. Must be
+ run as root or will fail (which is a good thing :-).
+************************************************************************/
+
+BOOL create_local_private_krb5_conf_for_domain(const char *realm, const char *domain, struct in_addr ip)
+{
+ XFILE *xfp = NULL;
+ char *fname = talloc_asprintf(NULL, "%s/smb_krb5.conf.%s", lp_private_dir(), domain);
+ char *file_contents = NULL;
+ size_t flen = 0;
+ char *realm_upper = NULL;
+ int loopcount = 0;
+
+ if (!fname) {
+ return False;
+ }
+
+ DEBUG(10,("create_local_private_krb5_conf_for_domain: fname = %s, realm = %s, domain = %s\n",
+ fname, realm, domain ));
+
+ realm_upper = talloc_strdup(fname, realm);
+ strupper_m(realm_upper);
+
+ file_contents = talloc_asprintf(fname, "[libdefaults]\n\tdefault_realm = %s\n"
+ "[realms]\n\t%s = {\n"
+ "\t\tkdc = %s\n]\n",
+ realm_upper, realm_upper, inet_ntoa(ip));
+
+ if (!file_contents) {
+ TALLOC_FREE(fname);
+ return False;
+ }
+
+ flen = strlen(file_contents);
+
+ while (loopcount < 10) {
+ SMB_STRUCT_STAT st;
+
+ xfp = x_fopen(fname, O_CREAT|O_WRONLY, 0600);
+ if (!xfp) {
+ TALLOC_FREE(fname);
+ return False;
+ }
+ /* Lock the file. */
+ if (!fcntl_lock(xfp->fd, F_SETLKW, 0, 1, F_WRLCK)) {
+ unlink(fname);
+ x_fclose(xfp);
+ TALLOC_FREE(fname);
+ return False;
+ }
+
+ /* We got the lock. Is the file still there ? */
+ if (sys_stat(fname,&st)==-1) {
+ if (errno == ENOENT) {
+ /* Nope - try again up to 10x */
+ x_fclose(xfp);
+ loopcount++;
+ continue;
+ }
+ unlink(fname);
+ x_fclose(xfp);
+ TALLOC_FREE(fname);
+ return False;
+ }
+ break;
+ }
+
+ if (x_fwrite(file_contents, flen, 1, xfp) != flen) {
+ unlink(fname);
+ x_fclose(xfp);
+ TALLOC_FREE(fname);
+ return False;
+ }
+ if (x_fclose(xfp)==-1) {
+ unlink(fname);
+ TALLOC_FREE(fname);
+ return False;
+ }
+ /* Set the environment variable to this file. */
+ setenv("KRB5_CONFIG", fname, 1);
+ TALLOC_FREE(fname);
+
+ DEBUG(5,("create_local_private_krb5_conf_for_domain: wrote "
+ "file %s with realm %s KDC = %s\n",
+ fname, realm_upper, inet_ntoa(ip) ));
+
+ return True;
+}
#endif