2 Unix SMB/CIFS implementation.
4 Samba KDB plugin for MIT Kerberos
6 Copyright (c) 2010 Simo Sorce <idra@samba.org>.
7 Copyright (c) 2014 Andreas Schneider <asn@samba.org>
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "system/kerberos.h"
30 #include "kdc/mit_samba.h"
31 #include "kdb_samba.h"
33 /* FIXME: This is a krb5 function which is exported, but in no header */
34 extern krb5_error_code decode_krb5_padata_sequence(const krb5_data *output,
37 static krb5_error_code ks_get_netbios_name(krb5_address **addrs, char **name)
42 for (i = 0; addrs[i]; i++) {
43 if (addrs[i]->addrtype != ADDRTYPE_NETBIOS) {
46 len = MIN(addrs[i]->length, 15);
47 nb_name = strndup((const char *)addrs[i]->contents, len);
55 /* Strip space padding */
56 i = strlen(nb_name) - 1;
57 for (i = strlen(nb_name) - 1;
58 i > 0 && nb_name[i] == ' ';
69 krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
71 krb5_db_entry *client,
72 krb5_db_entry *server,
73 krb5_timestamp kdc_time,
75 krb5_pa_data ***e_data_out)
77 struct mit_samba_context *mit_ctx;
79 char *client_name = NULL;
80 char *server_name = NULL;
81 char *netbios_name = NULL;
83 bool password_change = false;
84 DATA_BLOB int_data = { NULL, 0 };
86 krb5_pa_data **e_data;
88 mit_ctx = ks_get_context(context);
89 if (mit_ctx == NULL) {
90 return KRB5_KDB_DBNOTINITED;
93 if (ks_is_kadmin(context, kdcreq->client)) {
94 return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
97 if (krb5_princ_size(context, kdcreq->server) == 2 &&
98 ks_is_kadmin_changepw(context, kdcreq->server)) {
99 code = krb5_get_default_realm(context, &realm);
104 if (ks_data_eq_string(kdcreq->server->realm, realm)) {
105 password_change = true;
109 code = krb5_unparse_name(context, kdcreq->server, &server_name);
114 code = krb5_unparse_name(context, kdcreq->client, &client_name);
119 if (kdcreq->addresses) {
120 code = ks_get_netbios_name(kdcreq->addresses, &netbios_name);
126 code = mit_samba_check_client_access(mit_ctx,
135 if (int_data.length && int_data.data) {
137 /* make sure the mapped return code is returned - gd */
140 d = ks_make_data(int_data.data, int_data.length);
142 code_tmp = decode_krb5_padata_sequence(&d, &e_data);
144 *e_data_out = e_data;
156 static krb5_error_code ks_get_pac(krb5_context context,
157 krb5_db_entry *client,
158 krb5_keyblock *client_key,
161 struct mit_samba_context *mit_ctx;
162 krb5_error_code code;
164 mit_ctx = ks_get_context(context);
165 if (mit_ctx == NULL) {
166 return KRB5_KDB_DBNOTINITED;
169 code = mit_samba_get_pac(mit_ctx,
181 static krb5_error_code ks_verify_pac(krb5_context context,
183 krb5_const_principal client_princ,
184 krb5_db_entry *client,
185 krb5_keyblock *server_key,
186 krb5_keyblock *krbtgt_key,
187 krb5_timestamp authtime,
188 krb5_authdata **tgt_auth_data,
191 struct mit_samba_context *mit_ctx;
192 krb5_authdata **authdata = NULL;
193 krb5_pac ipac = NULL;
194 DATA_BLOB pac_data = { NULL, 0 };
195 DATA_BLOB logon_data = { NULL, 0 };
197 krb5_error_code code;
199 mit_ctx = ks_get_context(context);
200 if (mit_ctx == NULL) {
201 return KRB5_KDB_DBNOTINITED;
204 /* find the existing PAC, if present */
205 code = krb5_find_authdata(context,
208 KRB5_AUTHDATA_WIN2K_PAC,
215 if (authdata == NULL) {
219 SMB_ASSERT(authdata[0] != NULL);
221 if (authdata[1] != NULL) {
222 code = KRB5KDC_ERR_BADOPTION; /* XXX */
226 code = krb5_pac_parse(context,
227 authdata[0]->contents,
234 /* TODO: verify this is correct
236 * In the constrained delegation case, the PAC is from a service
237 * ticket rather than a TGT; we must verify the server and KDC
238 * signatures to assert that the server did not forge the PAC.
240 if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
241 code = krb5_pac_verify(context,
248 code = krb5_pac_verify(context,
259 /* check and update PAC */
260 pac_data.data = authdata[0]->contents;
261 pac_data.length = authdata[0]->length;
263 code = mit_samba_update_pac_data(mit_ctx,
271 code = krb5_pac_init(context, pac);
276 data = ks_make_data(logon_data.data, logon_data.length);
278 code = krb5_pac_add_buffer(context, *pac, PAC_LOGON_INFO, &data);
284 krb5_free_authdata(context, authdata);
285 krb5_pac_free(context, ipac);
286 free(logon_data.data);
291 krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
293 krb5_const_principal client_princ,
294 krb5_db_entry *client,
295 krb5_db_entry *server,
296 krb5_db_entry *krbtgt,
297 krb5_keyblock *client_key,
298 krb5_keyblock *server_key,
299 krb5_keyblock *krbtgt_key,
300 krb5_keyblock *session_key,
301 krb5_timestamp authtime,
302 krb5_authdata **tgt_auth_data,
303 krb5_authdata ***signed_auth_data)
305 krb5_const_principal ks_client_princ;
306 krb5_authdata **authdata = NULL;
307 krb5_boolean is_as_req;
308 krb5_error_code code;
312 /* Prefer canonicalised name from client entry */
313 if (client != NULL) {
314 ks_client_princ = client->princ;
316 ks_client_princ = client_princ;
319 is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
321 if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
322 code = ks_get_pac(context, client, client_key, &pac);
329 code = ks_verify_pac(context, flags, ks_client_princ, client,
330 server_key, krbtgt_key, authtime,
331 tgt_auth_data, &pac);
337 if (pac == NULL && client != NULL) {
339 code = ks_get_pac(context, client, client_key, &pac);
346 code = KRB5_KDB_DBTYPE_NOSUP;
350 code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
351 server_key, krbtgt_key, &pac_data);
356 authdata = calloc(2, sizeof(krb5_authdata *));
357 if (authdata == NULL) {
361 authdata[0] = malloc(sizeof(krb5_authdata));
362 if (authdata[0] == NULL) {
366 /* put in signed data */
367 authdata[0]->magic = KV5M_AUTHDATA;
368 authdata[0]->ad_type = KRB5_AUTHDATA_WIN2K_PAC;
369 authdata[0]->contents = (krb5_octet *)pac_data.data;
370 authdata[0]->length = pac_data.length;
372 code = krb5_encode_authdata_container(context,
373 KRB5_AUTHDATA_IF_RELEVANT,
383 krb5_pac_free(context, pac);
384 krb5_free_authdata(context, authdata);
389 krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
390 krb5_const_principal client,
391 const krb5_db_entry *server,
392 krb5_const_principal proxy)
394 struct mit_samba_context *mit_ctx;
397 * Names are quite odd and confusing in the current implementation.
398 * The following mappings should help understanding what is what.
399 * client -> client to impersonate
400 * server; -> delegating service
401 * proxy; -> target principal
403 krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server);
405 char *target_name = NULL;
407 krb5_error_code code;
409 mit_ctx = ks_get_context(context);
410 if (mit_ctx == NULL) {
411 return KRB5_KDB_DBNOTINITED;
414 code = krb5_unparse_name(context, proxy, &target_name);
419 is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL);
421 code = mit_samba_check_s4u2proxy(mit_ctx,
431 void kdb_samba_db_audit_as_req(krb5_context context,
432 krb5_kdc_req *request,
433 krb5_db_entry *client,
434 krb5_db_entry *server,
435 krb5_timestamp authtime,
436 krb5_error_code error_code)
438 struct mit_samba_context *mit_ctx;
440 mit_ctx = ks_get_context(context);
441 if (mit_ctx == NULL) {
445 switch (error_code) {
447 mit_samba_zero_bad_password_count(client);
449 case KRB5KDC_ERR_PREAUTH_FAILED:
450 case KRB5KRB_AP_ERR_BAD_INTEGRITY:
451 mit_samba_update_bad_password_count(client);