4 Copyright (c) 2010, Simo Sorce <idra@samba.org>
5 Copyright (c) 2014-2015 Guenther Deschner <gd@samba.org>
6 Copyright (c) 2014-2016 Andreas Schneider <asn@samba.org>
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #define TEVENT_DEPRECATED 1
25 #include "param/param.h"
26 #include "dsdb/samdb/samdb.h"
27 #include "system/kerberos.h"
29 #include <kadm5/kadm_err.h>
31 #include "kdc/sdb_kdb.h"
32 #include "auth/kerberos/kerberos.h"
33 #include "kdc/samba_kdc.h"
34 #include "kdc/pac-glue.h"
35 #include "kdc/db-glue.h"
36 #include "auth/auth.h"
37 #include "kdc/kpasswd_glue.h"
38 #include "auth/auth_sam.h"
40 #include "mit_samba.h"
42 void mit_samba_context_free(struct mit_samba_context *ctx)
44 /* free heimdal's krb5_context */
46 krb5_free_context(ctx->context);
49 /* then free everything else */
53 int mit_samba_context_init(struct mit_samba_context **_ctx)
56 struct mit_samba_context *ctx;
57 const char *s4_conf_file;
59 struct samba_kdc_base_context base_ctx;
61 ctx = talloc_zero(NULL, struct mit_samba_context);
67 base_ctx.ev_ctx = tevent_context_init(ctx);
68 if (!base_ctx.ev_ctx) {
72 tevent_loop_allow_nesting(base_ctx.ev_ctx);
73 base_ctx.lp_ctx = loadparm_init_global(false);
74 if (!base_ctx.lp_ctx) {
79 setup_logging("mitkdc", DEBUG_DEFAULT_STDOUT);
81 /* init s4 configuration */
82 s4_conf_file = lpcfg_configfile(base_ctx.lp_ctx);
84 lpcfg_load(base_ctx.lp_ctx, s4_conf_file);
86 lpcfg_load_default(base_ctx.lp_ctx);
89 status = samba_kdc_setup_db_ctx(ctx, &base_ctx, &ctx->db_ctx);
90 if (!NT_STATUS_IS_OK(status)) {
95 /* init heimdal's krb_context and log facilities */
96 ret = smb_krb5_init_context_basic(ctx,
107 mit_samba_context_free(ctx);
114 static krb5_error_code ks_is_tgs_principal(struct mit_samba_context *ctx,
115 krb5_const_principal principal)
120 p = smb_krb5_principal_get_comp_string(ctx, ctx->context, principal, 0);
122 eq = krb5_princ_size(ctx->context, principal) == 2 &&
123 (strcmp(p, KRB5_TGS_NAME) == 0);
130 int mit_samba_generate_salt(krb5_data *salt)
137 salt->data = malloc(salt->length);
138 if (salt->data == NULL) {
142 generate_random_buffer((uint8_t *)salt->data, salt->length);
147 int mit_samba_generate_random_password(krb5_data *pwd)
157 tmp_ctx = talloc_named(NULL,
159 "mit_samba_create_principal_password context");
160 if (tmp_ctx == NULL) {
164 password = generate_random_password(tmp_ctx, pwd->length, pwd->length);
165 if (password == NULL) {
166 talloc_free(tmp_ctx);
170 pwd->data = strdup(password);
171 talloc_free(tmp_ctx);
172 if (pwd->data == NULL) {
179 int mit_samba_get_principal(struct mit_samba_context *ctx,
180 krb5_const_principal principal,
182 krb5_db_entry **_kentry)
184 struct sdb_entry_ex sentry = {
187 krb5_db_entry *kentry;
191 kentry = calloc(1, sizeof(krb5_db_entry));
192 if (kentry == NULL) {
196 if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
197 sflags |= SDB_F_CANON;
199 if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
200 KRB5_KDB_FLAG_INCLUDE_PAC)) {
202 * KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is equal to
205 * We use ANY to also allow AS_REQ for service principal names
206 * This is supported by Windows.
208 sflags |= SDB_F_GET_ANY|SDB_F_FOR_AS_REQ;
209 } else if (ks_is_tgs_principal(ctx, principal)) {
210 sflags |= SDB_F_GET_KRBTGT;
212 sflags |= SDB_F_GET_SERVER|SDB_F_FOR_TGS_REQ;
215 /* always set this or the created_by data will not be populated by samba's
216 * backend and we will fail to parse the entry later */
217 sflags |= SDB_F_ADMIN_DATA;
219 ret = samba_kdc_fetch(ctx->context, ctx->db_ctx,
220 principal, sflags, 0, &sentry);
224 case SDB_ERR_NOENTRY:
225 ret = KRB5_KDB_NOENTRY;
227 case SDB_ERR_WRONG_REALM:
229 * If we have a wrong realm e.g. if we try get a cross forest
230 * ticket, we return a ticket with the correct realm. The KDC
231 * will detect this an return the appropriate return code.
235 case SDB_ERR_NOT_FOUND_HERE:
236 /* FIXME: RODC support */
241 ret = sdb_entry_ex_to_kdb_entry_ex(ctx->context, &sentry, kentry);
243 sdb_free_entry(&sentry);
254 int mit_samba_get_firstkey(struct mit_samba_context *ctx,
255 krb5_db_entry **_kentry)
257 struct sdb_entry_ex sentry = {
260 krb5_db_entry *kentry;
263 kentry = malloc(sizeof(krb5_db_entry));
264 if (kentry == NULL) {
268 ret = samba_kdc_firstkey(ctx->context, ctx->db_ctx, &sentry);
272 case SDB_ERR_NOENTRY:
274 return KRB5_KDB_NOENTRY;
275 case SDB_ERR_NOT_FOUND_HERE:
276 /* FIXME: RODC support */
282 ret = sdb_entry_ex_to_kdb_entry_ex(ctx->context, &sentry, kentry);
284 sdb_free_entry(&sentry);
294 int mit_samba_get_nextkey(struct mit_samba_context *ctx,
295 krb5_db_entry **_kentry)
297 struct sdb_entry_ex sentry = {
300 krb5_db_entry *kentry;
303 kentry = malloc(sizeof(krb5_db_entry));
304 if (kentry == NULL) {
308 ret = samba_kdc_nextkey(ctx->context, ctx->db_ctx, &sentry);
312 case SDB_ERR_NOENTRY:
314 return KRB5_KDB_NOENTRY;
315 case SDB_ERR_NOT_FOUND_HERE:
316 /* FIXME: RODC support */
322 ret = sdb_entry_ex_to_kdb_entry_ex(ctx->context, &sentry, kentry);
324 sdb_free_entry(&sentry);
334 int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
335 krb5_context context,
336 krb5_db_entry *client,
337 krb5_keyblock *client_key,
341 DATA_BLOB *logon_info_blob = NULL;
342 DATA_BLOB *upn_dns_info_blob = NULL;
343 DATA_BLOB *cred_ndr = NULL;
344 DATA_BLOB **cred_ndr_ptr = NULL;
345 DATA_BLOB cred_blob = data_blob_null;
346 DATA_BLOB *pcred_blob = NULL;
348 krb5_error_code code;
349 struct samba_kdc_entry *skdc_entry;
351 skdc_entry = talloc_get_type_abort(client->e_data,
352 struct samba_kdc_entry);
354 tmp_ctx = talloc_named(smb_ctx,
356 "mit_samba_get_pac_data_blobs context");
357 if (tmp_ctx == NULL) {
361 #if 0 /* TODO Find out if this is a pkinit_reply key */
362 /* Check if we have a PREAUTH key */
363 if (client_key != NULL) {
364 cred_ndr_ptr = &cred_ndr;
368 nt_status = samba_kdc_get_pac_blobs(tmp_ctx,
373 if (!NT_STATUS_IS_OK(nt_status)) {
374 talloc_free(tmp_ctx);
378 if (cred_ndr != NULL) {
379 code = samba_kdc_encrypt_pac_credentials(context,
385 talloc_free(tmp_ctx);
388 pcred_blob = &cred_blob;
391 code = samba_make_krb5_pac(context,
398 talloc_free(tmp_ctx);
402 int mit_samba_update_pac_data(struct mit_samba_context *ctx,
403 krb5_db_entry *client,
405 DATA_BLOB *logon_data)
408 DATA_BLOB *logon_blob;
409 krb5_error_code code;
413 struct samba_kdc_entry *skdc_entry = NULL;
416 skdc_entry = talloc_get_type_abort(client->e_data,
417 struct samba_kdc_entry);
420 /* The user account may be set not to want the PAC */
421 if (client && !samba_princ_needs_pac(skdc_entry)) {
425 tmp_ctx = talloc_named(ctx, 0, "mit_samba_update_pac_data context");
430 logon_blob = talloc_zero(tmp_ctx, DATA_BLOB);
436 code = krb5_pac_parse(ctx->context,
437 pac_data->data, pac_data->length, &pac);
443 /* TODO: An implementation-specific decision will need to be
444 * made as to when to check the KDC pac signature, and how to
445 * untrust untrusted RODCs */
446 nt_status = samba_kdc_update_pac_blob(tmp_ctx, ctx->context,
447 pac, logon_blob, NULL, NULL);
448 if (!NT_STATUS_IS_OK(nt_status)) {
449 DEBUG(0, ("Building PAC failed: %s\n",
450 nt_errstr(nt_status)));
455 logon_data->data = (uint8_t *)malloc(logon_blob->length);
456 if (!logon_data->data) {
460 memcpy(logon_data->data, logon_blob->data, logon_blob->length);
461 logon_data->length = logon_blob->length;
466 if (pac) krb5_pac_free(ctx->context, pac);
467 talloc_free(tmp_ctx);
471 /* provide header, function is exported but there are no public headers */
473 krb5_error_code encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data **code);
475 /* this function allocates 'data' using malloc.
476 * The caller is responsible for freeing it */
477 static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data)
479 krb5_error_code ret = 0;
480 krb5_pa_data pa, *ppa = NULL;
489 pa.magic = KV5M_PA_DATA;
490 pa.pa_type = KRB5_PADATA_PW_SALT;
492 pa.contents = malloc(pa.length);
497 SIVAL(pa.contents, 0, NT_STATUS_V(nt_status));
498 SIVAL(pa.contents, 4, 0);
499 SIVAL(pa.contents, 8, 1);
503 ret = encode_krb5_padata_sequence(&ppa, &d);
509 e_data->data = (uint8_t *)d->data;
510 e_data->length = d->length;
512 /* free d, not d->data - gd */
518 int mit_samba_check_client_access(struct mit_samba_context *ctx,
519 krb5_db_entry *client,
520 const char *client_name,
521 krb5_db_entry *server,
522 const char *server_name,
523 const char *netbios_name,
524 bool password_change,
527 struct samba_kdc_entry *skdc_entry;
530 skdc_entry = talloc_get_type(client->e_data, struct samba_kdc_entry);
532 nt_status = samba_kdc_check_client_access(skdc_entry,
537 if (!NT_STATUS_IS_OK(nt_status)) {
538 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
542 samba_kdc_build_edata_reply(nt_status, e_data);
544 return samba_kdc_map_policy_err(nt_status);
550 int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
551 krb5_db_entry *kentry,
552 const char *target_name,
553 bool is_nt_enterprise_name)
557 * This is disabled because mit_samba_update_pac_data() does not handle
558 * S4U_DELEGATION_INFO
561 return KRB5KDC_ERR_BADOPTION;
563 krb5_principal target_principal;
567 if (is_nt_enterprise_name) {
568 flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
571 ret = krb5_parse_name_flags(ctx->context, target_name,
572 flags, &target_principal);
577 ret = samba_kdc_check_s4u2proxy(ctx->context,
582 krb5_free_principal(ctx->context, target_principal);
588 static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
590 enum samPwdChangeReason reject_reason,
591 struct samr_DomInfo1 *dominfo)
593 krb5_error_code code = KADM5_PASS_Q_GENERIC;
595 if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
596 code = KADM5_BAD_PRINCIPAL;
597 krb5_set_error_message(context,
599 "No such user when changing password");
601 if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
602 code = KADM5_PASS_Q_GENERIC;
603 krb5_set_error_message(context,
605 "Not permitted to change password");
607 if (NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_RESTRICTION) &&
609 switch (reject_reason) {
610 case SAM_PWD_CHANGE_PASSWORD_TOO_SHORT:
611 code = KADM5_PASS_Q_TOOSHORT;
612 krb5_set_error_message(context,
614 "Password too short, password "
615 "must be at least %d characters "
617 dominfo->min_password_length);
619 case SAM_PWD_CHANGE_NOT_COMPLEX:
620 code = KADM5_PASS_Q_DICT;
621 krb5_set_error_message(context,
623 "Password does not meet "
624 "complexity requirements");
626 case SAM_PWD_CHANGE_PWD_IN_HISTORY:
627 code = KADM5_PASS_TOOSOON;
628 krb5_set_error_message(context,
630 "Password is already in password "
631 "history. New password must not "
632 "match any of your %d previous "
634 dominfo->password_history_length);
637 code = KADM5_PASS_Q_GENERIC;
638 krb5_set_error_message(context,
640 "Password change rejected, "
641 "password changes may not be "
642 "permitted on this account, or "
643 "the minimum password age may "
644 "not have elapsed.");
652 int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
654 krb5_db_entry *db_entry)
657 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
660 enum samPwdChangeReason reject_reason;
661 struct samr_DomInfo1 *dominfo;
662 const char *error_string = NULL;
663 struct auth_user_info_dc *user_info_dc;
664 struct samba_kdc_entry *p;
665 krb5_error_code code = 0;
667 #ifdef DEBUG_PASSWORD
668 DEBUG(1,("mit_samba_kpasswd_change_password called with: %s\n", pwd));
671 tmp_ctx = talloc_named(ctx, 0, "mit_samba_kpasswd_change_password");
672 if (tmp_ctx == NULL) {
676 p = (struct samba_kdc_entry *)db_entry->e_data;
678 status = authsam_make_user_info_dc(tmp_ctx,
680 lpcfg_netbios_name(ctx->db_ctx->lp_ctx),
681 lpcfg_sam_name(ctx->db_ctx->lp_ctx),
682 lpcfg_sam_dnsname(ctx->db_ctx->lp_ctx),
688 if (!NT_STATUS_IS_OK(status)) {
689 DEBUG(1,("authsam_make_user_info_dc failed: %s\n",
691 talloc_free(tmp_ctx);
695 status = auth_generate_session_info(tmp_ctx,
699 0, /* session_info_flags */
702 if (!NT_STATUS_IS_OK(status)) {
703 DEBUG(1,("auth_generate_session_info failed: %s\n",
705 talloc_free(tmp_ctx);
709 /* password is expected as UTF16 */
711 if (!convert_string_talloc(tmp_ctx, CH_UTF8, CH_UTF16,
713 &password.data, &password.length)) {
714 DEBUG(1,("convert_string_talloc failed\n"));
715 talloc_free(tmp_ctx);
719 status = samdb_kpasswd_change_password(tmp_ctx,
729 if (!NT_STATUS_IS_OK(status)) {
730 DEBUG(1,("samdb_kpasswd_change_password failed: %s\n",
732 code = KADM5_PASS_Q_GENERIC;
733 krb5_set_error_message(ctx->context, code, "%s", error_string);
737 if (!NT_STATUS_IS_OK(result)) {
738 code = mit_samba_change_pwd_error(ctx->context,
745 talloc_free(tmp_ctx);
750 void mit_samba_zero_bad_password_count(krb5_db_entry *db_entry)
752 struct samba_kdc_entry *p;
753 struct ldb_dn *domain_dn;
755 p = (struct samba_kdc_entry *)db_entry->e_data;
757 domain_dn = ldb_get_default_basedn(p->kdc_db_ctx->samdb);
759 authsam_logon_success_accounting(p->kdc_db_ctx->samdb,
766 void mit_samba_update_bad_password_count(krb5_db_entry *db_entry)
768 struct samba_kdc_entry *p;
770 p = (struct samba_kdc_entry *)db_entry->e_data;
772 authsam_update_bad_pwd_count(p->kdc_db_ctx->samdb,
774 ldb_get_default_basedn(p->kdc_db_ctx->samdb));