passdb: Use dom_sid_str_buf
[amitay/samba.git] / source4 / kdc / mit_samba.c
1 /*
2    MIT-Samba4 library
3
4    Copyright (c) 2010, Simo Sorce <idra@samba.org>
5    Copyright (c) 2014-2015 Guenther Deschner <gd@samba.org>
6    Copyright (c) 2014-2016 Andreas Schneider <asn@samba.org>
7
8    This program is free software; you can redistribute it and/or modify
9    it under the terms of the GNU General Public License as published by
10    the Free Software Foundation; either version 3 of the License, or
11    (at your option) any later version.
12
13    This program is distributed in the hope that it will be useful,
14    but WITHOUT ANY WARRANTY; without even the implied warranty of
15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16    GNU General Public License for more details.
17
18    You should have received a copy of the GNU General Public License
19    along with this program.  If not, see <http://www.gnu.org/licenses/>.
20  */
21
22 #define TEVENT_DEPRECATED 1
23
24 #include "includes.h"
25 #include "param/param.h"
26 #include "dsdb/samdb/samdb.h"
27 #include "system/kerberos.h"
28 #include <kdb.h>
29 #include <kadm5/kadm_err.h>
30 #include "kdc/sdb.h"
31 #include "kdc/sdb_kdb.h"
32 #include "auth/kerberos/kerberos.h"
33 #include "auth/kerberos/pac_utils.h"
34 #include "kdc/samba_kdc.h"
35 #include "kdc/pac-glue.h"
36 #include "kdc/db-glue.h"
37 #include "auth/auth.h"
38 #include "kdc/kpasswd_glue.h"
39 #include "auth/auth_sam.h"
40
41 #include "mit_samba.h"
42
43 void mit_samba_context_free(struct mit_samba_context *ctx)
44 {
45         /* free heimdal's krb5_context */
46         if (ctx->context) {
47                 krb5_free_context(ctx->context);
48         }
49
50         /* then free everything else */
51         talloc_free(ctx);
52 }
53
54 int mit_samba_context_init(struct mit_samba_context **_ctx)
55 {
56         NTSTATUS status;
57         struct mit_samba_context *ctx;
58         const char *s4_conf_file;
59         int ret;
60         struct samba_kdc_base_context base_ctx;
61
62         ctx = talloc_zero(NULL, struct mit_samba_context);
63         if (!ctx) {
64                 ret = ENOMEM;
65                 goto done;
66         }
67
68         base_ctx.ev_ctx = tevent_context_init(ctx);
69         if (!base_ctx.ev_ctx) {
70                 ret = ENOMEM;
71                 goto done;
72         }
73         tevent_loop_allow_nesting(base_ctx.ev_ctx);
74         base_ctx.lp_ctx = loadparm_init_global(false);
75         if (!base_ctx.lp_ctx) {
76                 ret = ENOMEM;
77                 goto done;
78         }
79
80         setup_logging("mitkdc", DEBUG_DEFAULT_STDOUT);
81
82         /* init s4 configuration */
83         s4_conf_file = lpcfg_configfile(base_ctx.lp_ctx);
84         if (s4_conf_file) {
85                 lpcfg_load(base_ctx.lp_ctx, s4_conf_file);
86         } else {
87                 lpcfg_load_default(base_ctx.lp_ctx);
88         }
89
90         status = samba_kdc_setup_db_ctx(ctx, &base_ctx, &ctx->db_ctx);
91         if (!NT_STATUS_IS_OK(status)) {
92                 ret = EINVAL;
93                 goto done;
94         }
95
96         /* init heimdal's krb_context and log facilities */
97         ret = smb_krb5_init_context_basic(ctx,
98                                           ctx->db_ctx->lp_ctx,
99                                           &ctx->context);
100         if (ret) {
101                 goto done;
102         }
103
104         ret = 0;
105
106 done:
107         if (ret) {
108                 mit_samba_context_free(ctx);
109         } else {
110                 *_ctx = ctx;
111         }
112         return ret;
113 }
114
115 static krb5_error_code ks_is_tgs_principal(struct mit_samba_context *ctx,
116                                            krb5_const_principal principal)
117 {
118         char *p;
119         int eq = -1;
120
121         p = smb_krb5_principal_get_comp_string(ctx, ctx->context, principal, 0);
122
123         eq = krb5_princ_size(ctx->context, principal) == 2 &&
124              (strcmp(p, KRB5_TGS_NAME) == 0);
125
126         talloc_free(p);
127
128         return eq;
129 }
130
131 int mit_samba_generate_salt(krb5_data *salt)
132 {
133         if (salt == NULL) {
134                 return EINVAL;
135         }
136
137         salt->length = 16;
138         salt->data = malloc(salt->length);
139         if (salt->data == NULL) {
140                 return ENOMEM;
141         }
142
143         generate_random_buffer((uint8_t *)salt->data, salt->length);
144
145         return 0;
146 }
147
148 int mit_samba_generate_random_password(krb5_data *pwd)
149 {
150         TALLOC_CTX *tmp_ctx;
151         char *password;
152
153         if (pwd == NULL) {
154                 return EINVAL;
155         }
156         pwd->length = 24;
157
158         tmp_ctx = talloc_named(NULL,
159                                0,
160                                "mit_samba_create_principal_password context");
161         if (tmp_ctx == NULL) {
162                 return ENOMEM;
163         }
164
165         password = generate_random_password(tmp_ctx, pwd->length, pwd->length);
166         if (password == NULL) {
167                 talloc_free(tmp_ctx);
168                 return ENOMEM;
169         }
170
171         pwd->data = strdup(password);
172         talloc_free(tmp_ctx);
173         if (pwd->data == NULL) {
174                 return ENOMEM;
175         }
176
177         return 0;
178 }
179
180 int mit_samba_get_principal(struct mit_samba_context *ctx,
181                             krb5_const_principal principal,
182                             unsigned int kflags,
183                             krb5_db_entry **_kentry)
184 {
185         struct sdb_entry_ex sentry = {
186                 .free_entry = NULL,
187         };
188         krb5_db_entry *kentry;
189         int ret;
190         int sflags = 0;
191         krb5_principal referral_principal = NULL;
192
193         kentry = calloc(1, sizeof(krb5_db_entry));
194         if (kentry == NULL) {
195                 return ENOMEM;
196         }
197
198         if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
199                 sflags |= SDB_F_CANON;
200         }
201         if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
202                       KRB5_KDB_FLAG_INCLUDE_PAC)) {
203                 /*
204                  * KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is equal to
205                  * SDB_F_FOR_AS_REQ
206                  *
207                  * We use ANY to also allow AS_REQ for service principal names
208                  * This is supported by Windows.
209                  */
210                 sflags |= SDB_F_GET_ANY|SDB_F_FOR_AS_REQ;
211         } else if (ks_is_tgs_principal(ctx, principal)) {
212                 sflags |= SDB_F_GET_KRBTGT;
213         } else {
214                 sflags |= SDB_F_GET_SERVER|SDB_F_FOR_TGS_REQ;
215         }
216
217         /* always set this or the created_by data will not be populated by samba's
218          * backend and we will fail to parse the entry later */
219         sflags |= SDB_F_ADMIN_DATA;
220
221
222 fetch_referral_principal:
223         ret = samba_kdc_fetch(ctx->context, ctx->db_ctx,
224                               principal, sflags, 0, &sentry);
225         switch (ret) {
226         case 0:
227                 break;
228         case SDB_ERR_NOENTRY:
229                 ret = KRB5_KDB_NOENTRY;
230                 goto done;
231         case SDB_ERR_WRONG_REALM: {
232                 char *dest_realm = NULL;
233                 const char *our_realm = lpcfg_realm(ctx->db_ctx->lp_ctx);
234
235                 if (sflags & SDB_F_FOR_AS_REQ) {
236                         /*
237                          * If this is a request for a TGT, we are done. The KDC
238                          * will return the correct error to the client.
239                          */
240                         ret = 0;
241                         break;
242                 }
243
244                 if (referral_principal != NULL) {
245                         sdb_free_entry(&sentry);
246                         ret = KRB5_KDB_NOENTRY;
247                         goto done;
248                 }
249
250                 /*
251                  * We get a TGS request
252                  *
253                  *     cifs/dc7.SAMBA2008R2.EXAMPLE.COM@ADDOM.SAMBA.EXAMPLE.COM
254                  *
255                  * to our DC for the realm
256                  *
257                  *     ADDOM.SAMBA.EXAMPLE.COM
258                  *
259                  * We look up if we have and entry in the database and get an
260                  * entry with the pricipal:
261                  *
262                  *     cifs/dc7.SAMBA2008R2.EXAMPLE.COM@SAMBA2008R2.EXAMPLE.COM
263                  *
264                  * and the error: SDB_ERR_WRONG_REALM.
265                  *
266                  * In the case of a TGS-REQ we need to return a referral ticket
267                  * fo the next trust hop to the client. This ticket will have
268                  * the following principal:
269                  *
270                  *     krbtgt/SAMBA2008R2.EXAMPLE.COM@ADDOM.SAMBA.EXAMPLE.COM
271                  *
272                  * We just redo the lookup in the database with the referral
273                  * principal and return success.
274                  */
275                 dest_realm = smb_krb5_principal_get_realm(ctx->context,
276                                                           sentry.entry.principal);
277                 sdb_free_entry(&sentry);
278                 if (dest_realm == NULL) {
279                         ret = KRB5_KDB_NOENTRY;
280                         goto done;
281                 }
282
283                 ret = smb_krb5_make_principal(ctx->context,
284                                               &referral_principal,
285                                               our_realm,
286                                               KRB5_TGS_NAME,
287                                               dest_realm,
288                                               NULL);
289                 SAFE_FREE(dest_realm);
290                 if (ret != 0) {
291                         goto done;
292                 }
293
294                 principal = referral_principal;
295                 goto fetch_referral_principal;
296         }
297         case SDB_ERR_NOT_FOUND_HERE:
298                 /* FIXME: RODC support */
299         default:
300                 goto done;
301         }
302
303         ret = sdb_entry_ex_to_kdb_entry_ex(ctx->context, &sentry, kentry);
304
305         sdb_free_entry(&sentry);
306
307 done:
308         krb5_free_principal(ctx->context, referral_principal);
309         referral_principal = NULL;
310
311         if (ret) {
312                 free(kentry);
313         } else {
314                 *_kentry = kentry;
315         }
316         return ret;
317 }
318
319 int mit_samba_get_firstkey(struct mit_samba_context *ctx,
320                            krb5_db_entry **_kentry)
321 {
322         struct sdb_entry_ex sentry = {
323                 .free_entry = NULL,
324         };
325         krb5_db_entry *kentry;
326         int ret;
327
328         kentry = malloc(sizeof(krb5_db_entry));
329         if (kentry == NULL) {
330                 return ENOMEM;
331         }
332
333         ret = samba_kdc_firstkey(ctx->context, ctx->db_ctx, &sentry);
334         switch (ret) {
335         case 0:
336                 break;
337         case SDB_ERR_NOENTRY:
338                 free(kentry);
339                 return KRB5_KDB_NOENTRY;
340         case SDB_ERR_NOT_FOUND_HERE:
341                 /* FIXME: RODC support */
342         default:
343                 free(kentry);
344                 return ret;
345         }
346
347         ret = sdb_entry_ex_to_kdb_entry_ex(ctx->context, &sentry, kentry);
348
349         sdb_free_entry(&sentry);
350
351         if (ret) {
352                 free(kentry);
353         } else {
354                 *_kentry = kentry;
355         }
356         return ret;
357 }
358
359 int mit_samba_get_nextkey(struct mit_samba_context *ctx,
360                           krb5_db_entry **_kentry)
361 {
362         struct sdb_entry_ex sentry = {
363                 .free_entry = NULL,
364         };
365         krb5_db_entry *kentry;
366         int ret;
367
368         kentry = malloc(sizeof(krb5_db_entry));
369         if (kentry == NULL) {
370                 return ENOMEM;
371         }
372
373         ret = samba_kdc_nextkey(ctx->context, ctx->db_ctx, &sentry);
374         switch (ret) {
375         case 0:
376                 break;
377         case SDB_ERR_NOENTRY:
378                 free(kentry);
379                 return KRB5_KDB_NOENTRY;
380         case SDB_ERR_NOT_FOUND_HERE:
381                 /* FIXME: RODC support */
382         default:
383                 free(kentry);
384                 return ret;
385         }
386
387         ret = sdb_entry_ex_to_kdb_entry_ex(ctx->context, &sentry, kentry);
388
389         sdb_free_entry(&sentry);
390
391         if (ret) {
392                 free(kentry);
393         } else {
394                 *_kentry = kentry;
395         }
396         return ret;
397 }
398
399 int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
400                       krb5_context context,
401                       krb5_db_entry *client,
402                       krb5_keyblock *client_key,
403                       krb5_pac *pac)
404 {
405         TALLOC_CTX *tmp_ctx;
406         DATA_BLOB *logon_info_blob = NULL;
407         DATA_BLOB *upn_dns_info_blob = NULL;
408         DATA_BLOB *cred_ndr = NULL;
409         DATA_BLOB **cred_ndr_ptr = NULL;
410         DATA_BLOB cred_blob = data_blob_null;
411         DATA_BLOB *pcred_blob = NULL;
412         NTSTATUS nt_status;
413         krb5_error_code code;
414         struct samba_kdc_entry *skdc_entry;
415
416         skdc_entry = talloc_get_type_abort(client->e_data,
417                                            struct samba_kdc_entry);
418
419         tmp_ctx = talloc_named(smb_ctx,
420                                0,
421                                "mit_samba_get_pac_data_blobs context");
422         if (tmp_ctx == NULL) {
423                 return ENOMEM;
424         }
425
426 #if 0 /* TODO Find out if this is a pkinit_reply key */
427         /* Check if we have a PREAUTH key */
428         if (client_key != NULL) {
429                 cred_ndr_ptr = &cred_ndr;
430         }
431 #endif
432
433         nt_status = samba_kdc_get_pac_blobs(tmp_ctx,
434                                             skdc_entry,
435                                             &logon_info_blob,
436                                             cred_ndr_ptr,
437                                             &upn_dns_info_blob);
438         if (!NT_STATUS_IS_OK(nt_status)) {
439                 talloc_free(tmp_ctx);
440                 return EINVAL;
441         }
442
443         if (cred_ndr != NULL) {
444                 code = samba_kdc_encrypt_pac_credentials(context,
445                                                          client_key,
446                                                          cred_ndr,
447                                                          tmp_ctx,
448                                                          &cred_blob);
449                 if (code != 0) {
450                         talloc_free(tmp_ctx);
451                         return code;
452                 }
453                 pcred_blob = &cred_blob;
454         }
455
456         code = samba_make_krb5_pac(context,
457                                    logon_info_blob,
458                                    pcred_blob,
459                                    upn_dns_info_blob,
460                                    NULL,
461                                    pac);
462
463         talloc_free(tmp_ctx);
464         return code;
465 }
466
467 krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
468                                     krb5_context context,
469                                     int flags,
470                                     krb5_const_principal client_principal,
471                                     krb5_db_entry *client,
472                                     krb5_db_entry *server,
473                                     krb5_db_entry *krbtgt,
474                                     krb5_keyblock *krbtgt_keyblock,
475                                     krb5_pac *pac)
476 {
477         TALLOC_CTX *tmp_ctx;
478         krb5_error_code code;
479         NTSTATUS nt_status;
480         DATA_BLOB *pac_blob = NULL;
481         DATA_BLOB *upn_blob = NULL;
482         DATA_BLOB *deleg_blob = NULL;
483         struct samba_kdc_entry *client_skdc_entry = NULL;
484         struct samba_kdc_entry *krbtgt_skdc_entry = NULL;
485         struct samba_kdc_entry *server_skdc_entry = NULL;
486         bool is_in_db = false;
487         bool is_untrusted = false;
488         size_t num_types = 0;
489         uint32_t *types = NULL;
490         uint32_t forced_next_type = 0;
491         size_t i = 0;
492         ssize_t logon_info_idx = -1;
493         ssize_t delegation_idx = -1;
494         ssize_t logon_name_idx = -1;
495         ssize_t upn_dns_info_idx = -1;
496         ssize_t srv_checksum_idx = -1;
497         ssize_t kdc_checksum_idx = -1;
498         krb5_pac new_pac = NULL;
499         bool ok;
500
501         if (client != NULL) {
502                 client_skdc_entry =
503                         talloc_get_type_abort(client->e_data,
504                                               struct samba_kdc_entry);
505
506                 /* The user account may be set not to want the PAC */
507                 ok = samba_princ_needs_pac(client_skdc_entry);
508                 if (!ok) {
509                         return EINVAL;
510                 }
511         }
512
513         if (server == NULL) {
514                 return EINVAL;
515         }
516         server_skdc_entry =
517                 talloc_get_type_abort(server->e_data,
518                                       struct samba_kdc_entry);
519
520         if (krbtgt == NULL) {
521                 return EINVAL;
522         }
523         krbtgt_skdc_entry =
524                 talloc_get_type_abort(krbtgt->e_data,
525                                       struct samba_kdc_entry);
526
527         tmp_ctx = talloc_named(ctx, 0, "mit_samba_reget_pac context");
528         if (tmp_ctx == NULL) {
529                 return ENOMEM;
530         }
531
532         code = samba_krbtgt_is_in_db(krbtgt_skdc_entry,
533                                      &is_in_db,
534                                      &is_untrusted);
535         if (code != 0) {
536                 goto done;
537         }
538
539         if (is_untrusted) {
540                 if (client == NULL) {
541                         code = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
542                         goto done;
543                 }
544
545                 nt_status = samba_kdc_get_pac_blobs(tmp_ctx,
546                                                     client_skdc_entry,
547                                                     &pac_blob,
548                                                     NULL,
549                                                     &upn_blob);
550                 if (!NT_STATUS_IS_OK(nt_status)) {
551                         code = EINVAL;
552                         goto done;
553                 }
554         } else {
555                 struct PAC_SIGNATURE_DATA *pac_srv_sig;
556                 struct PAC_SIGNATURE_DATA *pac_kdc_sig;
557
558                 pac_blob = talloc_zero(tmp_ctx, DATA_BLOB);
559                 if (pac_blob == NULL) {
560                         code = ENOMEM;
561                         goto done;
562                 }
563
564                 pac_srv_sig = talloc_zero(tmp_ctx, struct PAC_SIGNATURE_DATA);
565                 if (pac_srv_sig == NULL) {
566                         code = ENOMEM;
567                         goto done;
568                 }
569
570                 pac_kdc_sig = talloc_zero(tmp_ctx, struct PAC_SIGNATURE_DATA);
571                 if (pac_kdc_sig == NULL) {
572                         code = ENOMEM;
573                         goto done;
574                 }
575
576                 nt_status = samba_kdc_update_pac_blob(tmp_ctx,
577                                                       context,
578                                                       krbtgt_skdc_entry,
579                                                       server_skdc_entry,
580                                                       *pac,
581                                                       pac_blob,
582                                                       pac_srv_sig,
583                                                       pac_kdc_sig);
584                 if (!NT_STATUS_IS_OK(nt_status)) {
585                         DEBUG(0, ("Update PAC blob failed: %s\n",
586                                   nt_errstr(nt_status)));
587                         code = EINVAL;
588                         goto done;
589                 }
590
591                 if (is_in_db) {
592                         /*
593                          * Now check the KDC signature, fetching the correct
594                          * key based on the enc type.
595                          */
596                         code = check_pac_checksum(pac_srv_sig->signature,
597                                                   pac_kdc_sig,
598                                                   context,
599                                                   krbtgt_keyblock);
600                         if (code != 0) {
601                                 DBG_INFO("PAC KDC signature failed to verify\n");
602                                 goto done;
603                         }
604                 }
605         }
606
607         if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
608                 deleg_blob = talloc_zero(tmp_ctx, DATA_BLOB);
609                 if (deleg_blob == NULL) {
610                         code = ENOMEM;
611                         goto done;
612                 }
613
614                 nt_status = samba_kdc_update_delegation_info_blob(tmp_ctx,
615                                                                   context,
616                                                                   *pac,
617                                                                   server->princ,
618                                                                   discard_const(client_principal),
619                                                                   deleg_blob);
620                 if (!NT_STATUS_IS_OK(nt_status)) {
621                         DEBUG(0, ("Update delegation info failed: %s\n",
622                                   nt_errstr(nt_status)));
623                         code = EINVAL;
624                         goto done;
625                 }
626         }
627
628         /* Check the types of the given PAC */
629         code = krb5_pac_get_types(context, *pac, &num_types, &types);
630         if (code != 0) {
631                 goto done;
632         }
633
634         for (i = 0; i < num_types; i++) {
635                 switch (types[i]) {
636                 case PAC_TYPE_LOGON_INFO:
637                         if (logon_info_idx != -1) {
638                                 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
639                                             types[i],
640                                             logon_info_idx,
641                                             i);
642                                 SAFE_FREE(types);
643                                 code = EINVAL;
644                                 goto done;
645                         }
646                         logon_info_idx = i;
647                         break;
648                 case PAC_TYPE_CONSTRAINED_DELEGATION:
649                         if (delegation_idx != -1) {
650                                 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
651                                             types[i],
652                                             delegation_idx,
653                                             i);
654                                 SAFE_FREE(types);
655                                 code = EINVAL;
656                                 goto done;
657                         }
658                         delegation_idx = i;
659                         break;
660                 case PAC_TYPE_LOGON_NAME:
661                         if (logon_name_idx != -1) {
662                                 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
663                                             types[i],
664                                             logon_name_idx,
665                                             i);
666                                 SAFE_FREE(types);
667                                 code = EINVAL;
668                                 goto done;
669                         }
670                         logon_name_idx = i;
671                         break;
672                 case PAC_TYPE_UPN_DNS_INFO:
673                         if (upn_dns_info_idx != -1) {
674                                 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
675                                             types[i],
676                                             upn_dns_info_idx,
677                                             i);
678                                 SAFE_FREE(types);
679                                 code = EINVAL;
680                                 goto done;
681                         }
682                         upn_dns_info_idx = i;
683                         break;
684                 case PAC_TYPE_SRV_CHECKSUM:
685                         if (srv_checksum_idx != -1) {
686                                 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
687                                             types[i],
688                                             srv_checksum_idx,
689                                             i);
690                                 SAFE_FREE(types);
691                                 code = EINVAL;
692                                 goto done;
693                         }
694                         srv_checksum_idx = i;
695                         break;
696                 case PAC_TYPE_KDC_CHECKSUM:
697                         if (kdc_checksum_idx != -1) {
698                                 DBG_WARNING("logon type[%u] twice [%zd] and [%zu]: \n",
699                                             types[i],
700                                             kdc_checksum_idx,
701                                             i);
702                                 SAFE_FREE(types);
703                                 code = EINVAL;
704                                 goto done;
705                         }
706                         kdc_checksum_idx = i;
707                         break;
708                 default:
709                         continue;
710                 }
711         }
712
713         if (logon_info_idx == -1) {
714                 DEBUG(1, ("PAC_TYPE_LOGON_INFO missing\n"));
715                 SAFE_FREE(types);
716                 code = EINVAL;
717                 goto done;
718         }
719         if (logon_name_idx == -1) {
720                 DEBUG(1, ("PAC_TYPE_LOGON_NAME missing\n"));
721                 SAFE_FREE(types);
722                 code = EINVAL;
723                 goto done;
724         }
725         if (srv_checksum_idx == -1) {
726                 DEBUG(1, ("PAC_TYPE_SRV_CHECKSUM missing\n"));
727                 SAFE_FREE(types);
728                 code = EINVAL;
729                 goto done;
730         }
731         if (kdc_checksum_idx == -1) {
732                 DEBUG(1, ("PAC_TYPE_KDC_CHECKSUM missing\n"));
733                 SAFE_FREE(types);
734                 code = EINVAL;
735                 goto done;
736         }
737
738         /* Build an updated PAC */
739         code = krb5_pac_init(context, &new_pac);
740         if (code != 0) {
741                 SAFE_FREE(types);
742                 goto done;
743         }
744
745         for (i = 0;;) {
746                 krb5_data type_data;
747                 DATA_BLOB type_blob = data_blob_null;
748                 uint32_t type;
749
750                 if (forced_next_type != 0) {
751                         /*
752                          * We need to inject possible missing types
753                          */
754                         type = forced_next_type;
755                         forced_next_type = 0;
756                 } else if (i < num_types) {
757                         type = types[i];
758                         i++;
759                 } else {
760                         break;
761                 }
762
763                 switch (type) {
764                 case PAC_TYPE_LOGON_INFO:
765                         type_blob = *pac_blob;
766
767                         if (delegation_idx == -1 && deleg_blob != NULL) {
768                                 /* inject CONSTRAINED_DELEGATION behind */
769                                 forced_next_type = PAC_TYPE_CONSTRAINED_DELEGATION;
770                         }
771                         break;
772                 case PAC_TYPE_CONSTRAINED_DELEGATION:
773                         if (deleg_blob != NULL) {
774                                 type_blob = *deleg_blob;
775                         }
776                         break;
777                 case PAC_TYPE_CREDENTIAL_INFO:
778                         /*
779                          * Note that we copy the credential blob,
780                          * as it's only usable with the PKINIT based
781                          * AS-REP reply key, it's only available on the
782                          * host which did the AS-REQ/AS-REP exchange.
783                          *
784                          * This matches Windows 2008R2...
785                          */
786                         break;
787                 case PAC_TYPE_LOGON_NAME:
788                         /*
789                          * This is generated in the main KDC code
790                          */
791                         continue;
792                 case PAC_TYPE_UPN_DNS_INFO:
793                         /*
794                          * Replace in the RODC case, otherwise
795                          * upn_blob is NULL and we just copy.
796                          */
797                         if (upn_blob != NULL) {
798                                 type_blob = *upn_blob;
799                         }
800                         break;
801                 case PAC_TYPE_SRV_CHECKSUM:
802                         /*
803                          * This is generated in the main KDC code
804                          */
805                         continue;
806                 case PAC_TYPE_KDC_CHECKSUM:
807                         /*
808                          * This is generated in the main KDC code
809                          */
810                         continue;
811                 default:
812                         /* just copy... */
813                         break;
814                 }
815
816                 if (type_blob.length != 0) {
817                         code = smb_krb5_copy_data_contents(&type_data,
818                                                            type_blob.data,
819                                                            type_blob.length);
820                         if (code != 0) {
821                                 SAFE_FREE(types);
822                                 krb5_pac_free(context, new_pac);
823                                 goto done;
824                         }
825                 } else {
826                         code = krb5_pac_get_buffer(context,
827                                                    *pac,
828                                                    type,
829                                                    &type_data);
830                         if (code != 0) {
831                                 SAFE_FREE(types);
832                                 krb5_pac_free(context, new_pac);
833                                 goto done;
834                         }
835                 }
836
837                 code = krb5_pac_add_buffer(context,
838                                            new_pac,
839                                            type,
840                                            &type_data);
841                 smb_krb5_free_data_contents(context, &type_data);
842                 if (code != 0) {
843                         SAFE_FREE(types);
844                         krb5_pac_free(context, new_pac);
845                         goto done;
846                 }
847         }
848
849         SAFE_FREE(types);
850
851         /* We now replace the pac */
852         krb5_pac_free(context, *pac);
853         *pac = new_pac;
854 done:
855         talloc_free(tmp_ctx);
856         return code;
857 }
858
859 /* provide header, function is exported but there are no public headers */
860
861 krb5_error_code encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data **code);
862
863 /* this function allocates 'data' using malloc.
864  * The caller is responsible for freeing it */
865 static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data)
866 {
867         krb5_error_code ret = 0;
868         krb5_pa_data pa, *ppa = NULL;
869         krb5_data *d = NULL;
870
871         if (!e_data)
872                 return;
873
874         e_data->data   = NULL;
875         e_data->length = 0;
876
877         pa.magic                = KV5M_PA_DATA;
878         pa.pa_type              = KRB5_PADATA_PW_SALT;
879         pa.length               = 12;
880         pa.contents             = malloc(pa.length);
881         if (!pa.contents) {
882                 return;
883         }
884
885         SIVAL(pa.contents, 0, NT_STATUS_V(nt_status));
886         SIVAL(pa.contents, 4, 0);
887         SIVAL(pa.contents, 8, 1);
888
889         ppa = &pa;
890
891         ret = encode_krb5_padata_sequence(&ppa, &d);
892         free(pa.contents);
893         if (ret) {
894                 return;
895         }
896
897         e_data->data   = (uint8_t *)d->data;
898         e_data->length = d->length;
899
900         /* free d, not d->data - gd */
901         free(d);
902
903         return;
904 }
905
906 int mit_samba_check_client_access(struct mit_samba_context *ctx,
907                                   krb5_db_entry *client,
908                                   const char *client_name,
909                                   krb5_db_entry *server,
910                                   const char *server_name,
911                                   const char *netbios_name,
912                                   bool password_change,
913                                   DATA_BLOB *e_data)
914 {
915         struct samba_kdc_entry *skdc_entry;
916         NTSTATUS nt_status;
917
918         skdc_entry = talloc_get_type(client->e_data, struct samba_kdc_entry);
919
920         nt_status = samba_kdc_check_client_access(skdc_entry,
921                                                   client_name,
922                                                   netbios_name,
923                                                   password_change);
924
925         if (!NT_STATUS_IS_OK(nt_status)) {
926                 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
927                         return ENOMEM;
928                 }
929
930                 samba_kdc_build_edata_reply(nt_status, e_data);
931
932                 return samba_kdc_map_policy_err(nt_status);
933         }
934
935         return 0;
936 }
937
938 int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
939                               krb5_db_entry *kentry,
940                               const char *target_name,
941                               bool is_nt_enterprise_name)
942 {
943 #if 1
944         /*
945          * This is disabled because mit_samba_update_pac_data() does not handle
946          * S4U_DELEGATION_INFO
947          */
948
949         return KRB5KDC_ERR_BADOPTION;
950 #else
951         krb5_principal target_principal;
952         int flags = 0;
953         int ret;
954
955         if (is_nt_enterprise_name) {
956                 flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
957         }
958
959         ret = krb5_parse_name_flags(ctx->context, target_name,
960                                     flags, &target_principal);
961         if (ret) {
962                 return ret;
963         }
964
965         ret = samba_kdc_check_s4u2proxy(ctx->context,
966                                         ctx->db_ctx,
967                                         skdc_entry,
968                                         target_principal);
969
970         krb5_free_principal(ctx->context, target_principal);
971
972         return ret;
973 #endif
974 }
975
976 static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
977                                                   NTSTATUS result,
978                                                   enum samPwdChangeReason reject_reason,
979                                                   struct samr_DomInfo1 *dominfo)
980 {
981         krb5_error_code code = KADM5_PASS_Q_GENERIC;
982
983         if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
984                 code = KADM5_BAD_PRINCIPAL;
985                 krb5_set_error_message(context,
986                                        code,
987                                        "No such user when changing password");
988         }
989         if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
990                 code = KADM5_PASS_Q_GENERIC;
991                 krb5_set_error_message(context,
992                                        code,
993                                        "Not permitted to change password");
994         }
995         if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) &&
996             dominfo != NULL) {
997                 switch (reject_reason) {
998                 case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT:
999                         code = KADM5_PASS_Q_TOOSHORT;
1000                         krb5_set_error_message(context,
1001                                                code,
1002                                                "Password too short, password "
1003                                                "must be at least %d characters "
1004                                                "long.",
1005                                                dominfo->min_password_length);
1006                         break;
1007                 case SAM_PWD_CHANGE_NOT_COMPLEX:
1008                         code = KADM5_PASS_Q_DICT;
1009                         krb5_set_error_message(context,
1010                                                code,
1011                                                "Password does not meet "
1012                                                "complexity requirements");
1013                         break;
1014                 case SAM_PWD_CHANGE_PWD_IN_HISTORY:
1015                         code = KADM5_PASS_TOOSOON;
1016                         krb5_set_error_message(context,
1017                                                code,
1018                                                "Password is already in password "
1019                                                "history. New password must not "
1020                                                "match any of your %d previous "
1021                                                "passwords.",
1022                                                dominfo->password_history_length);
1023                         break;
1024                 default:
1025                         code = KADM5_PASS_Q_GENERIC;
1026                         krb5_set_error_message(context,
1027                                                code,
1028                                                "Password change rejected, "
1029                                                "password changes may not be "
1030                                                "permitted on this account, or "
1031                                                "the minimum password age may "
1032                                                "not have elapsed.");
1033                         break;
1034                 }
1035         }
1036
1037         return code;
1038 }
1039
1040 int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
1041                                       char *pwd,
1042                                       krb5_db_entry *db_entry)
1043 {
1044         NTSTATUS status;
1045         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1046         TALLOC_CTX *tmp_ctx;
1047         DATA_BLOB password;
1048         enum samPwdChangeReason reject_reason;
1049         struct samr_DomInfo1 *dominfo;
1050         const char *error_string = NULL;
1051         struct auth_user_info_dc *user_info_dc;
1052         struct samba_kdc_entry *p;
1053         krb5_error_code code = 0;
1054
1055 #ifdef DEBUG_PASSWORD
1056         DEBUG(1,("mit_samba_kpasswd_change_password called with: %s\n", pwd));
1057 #endif
1058
1059         tmp_ctx = talloc_named(ctx, 0, "mit_samba_kpasswd_change_password");
1060         if (tmp_ctx == NULL) {
1061                 return ENOMEM;
1062         }
1063
1064         p = (struct samba_kdc_entry *)db_entry->e_data;
1065
1066         status = authsam_make_user_info_dc(tmp_ctx,
1067                                            ctx->db_ctx->samdb,
1068                                            lpcfg_netbios_name(ctx->db_ctx->lp_ctx),
1069                                            lpcfg_sam_name(ctx->db_ctx->lp_ctx),
1070                                            lpcfg_sam_dnsname(ctx->db_ctx->lp_ctx),
1071                                            p->realm_dn,
1072                                            p->msg,
1073                                            data_blob(NULL, 0),
1074                                            data_blob(NULL, 0),
1075                                            &user_info_dc);
1076         if (!NT_STATUS_IS_OK(status)) {
1077                 DEBUG(1,("authsam_make_user_info_dc failed: %s\n",
1078                         nt_errstr(status)));
1079                 talloc_free(tmp_ctx);
1080                 return EINVAL;
1081         }
1082
1083         status = auth_generate_session_info(tmp_ctx,
1084                                             ctx->db_ctx->lp_ctx,
1085                                             ctx->db_ctx->samdb,
1086                                             user_info_dc,
1087                                             0, /* session_info_flags */
1088                                             &ctx->session_info);
1089
1090         if (!NT_STATUS_IS_OK(status)) {
1091                 DEBUG(1,("auth_generate_session_info failed: %s\n",
1092                         nt_errstr(status)));
1093                 talloc_free(tmp_ctx);
1094                 return EINVAL;
1095         }
1096
1097         /* password is expected as UTF16 */
1098
1099         if (!convert_string_talloc(tmp_ctx, CH_UTF8, CH_UTF16,
1100                                    pwd, strlen(pwd),
1101                                    &password.data, &password.length)) {
1102                 DEBUG(1,("convert_string_talloc failed\n"));
1103                 talloc_free(tmp_ctx);
1104                 return EINVAL;
1105         }
1106
1107         status = samdb_kpasswd_change_password(tmp_ctx,
1108                                                ctx->db_ctx->lp_ctx,
1109                                                ctx->db_ctx->ev_ctx,
1110                                                ctx->db_ctx->samdb,
1111                                                ctx->session_info,
1112                                                &password,
1113                                                &reject_reason,
1114                                                &dominfo,
1115                                                &error_string,
1116                                                &result);
1117         if (!NT_STATUS_IS_OK(status)) {
1118                 DEBUG(1,("samdb_kpasswd_change_password failed: %s\n",
1119                         nt_errstr(status)));
1120                 code = KADM5_PASS_Q_GENERIC;
1121                 krb5_set_error_message(ctx->context, code, "%s", error_string);
1122                 goto out;
1123         }
1124
1125         if (!NT_STATUS_IS_OK(result)) {
1126                 code = mit_samba_change_pwd_error(ctx->context,
1127                                                   result,
1128                                                   reject_reason,
1129                                                   dominfo);
1130         }
1131
1132 out:
1133         talloc_free(tmp_ctx);
1134
1135         return code;
1136 }
1137
1138 void mit_samba_zero_bad_password_count(krb5_db_entry *db_entry)
1139 {
1140         struct netr_SendToSamBase *send_to_sam = NULL;
1141         struct samba_kdc_entry *p;
1142         struct ldb_dn *domain_dn;
1143
1144         p = (struct samba_kdc_entry *)db_entry->e_data;
1145
1146         domain_dn = ldb_get_default_basedn(p->kdc_db_ctx->samdb);
1147
1148         authsam_logon_success_accounting(p->kdc_db_ctx->samdb,
1149                                          p->msg,
1150                                          domain_dn,
1151                                          true,
1152                                          &send_to_sam);
1153         /* TODO: RODC support */
1154 }
1155
1156
1157 void mit_samba_update_bad_password_count(krb5_db_entry *db_entry)
1158 {
1159         struct samba_kdc_entry *p;
1160
1161         p = (struct samba_kdc_entry *)db_entry->e_data;
1162
1163         authsam_update_bad_pwd_count(p->kdc_db_ctx->samdb,
1164                                      p->msg,
1165                                      ldb_get_default_basedn(p->kdc_db_ctx->samdb));
1166 }