4 Copyright (c) 2010, Simo Sorce <idra@samba.org>
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 #define TEVENT_DEPRECATED 1
23 #include "param/param.h"
24 #include "dsdb/samdb/samdb.h"
25 #include "system/kerberos.h"
27 #include "mit_samba_interface.h"
28 #include "auth/kerberos/kerberos.h"
29 #include "kdc/samba_kdc.h"
30 #include "kdc/pac-glue.h"
31 #include "kdc/db-glue.h"
33 const int mit_samba_interface_version = MIT_SAMBA_INTERFACE_VERSION;
35 struct mit_samba_context {
36 struct auth_session_info *session_info;
38 /* for compat with hdb plugin common code */
40 struct samba_kdc_db_context *db_ctx;
43 static void mit_samba_context_free(struct mit_samba_context *ctx)
45 /* free heimdal's krb5_context */
47 krb5_free_context(ctx->context);
50 /* then free everything else */
54 static int mit_samba_context_init(struct mit_samba_context **_ctx)
57 struct mit_samba_context *ctx;
58 const char *s4_conf_file;
60 struct samba_kdc_base_context base_ctx;
62 ctx = talloc(NULL, struct mit_samba_context);
68 base_ctx.ev_ctx = tevent_context_init(ctx);
69 if (!base_ctx.ev_ctx) {
73 tevent_loop_allow_nesting(base_ctx.ev_ctx);
74 base_ctx.lp_ctx = loadparm_init_global(false);
75 if (!base_ctx.lp_ctx) {
79 /* init s4 configuration */
80 s4_conf_file = lpcfg_configfile(base_ctx.lp_ctx);
82 lpcfg_load(base_ctx.lp_ctx, s4_conf_file);
84 lpcfg_load_default(base_ctx.lp_ctx);
87 status = samba_kdc_setup_db_ctx(ctx, &base_ctx, &ctx->db_ctx);
88 if (!NT_STATUS_IS_OK(status)) {
93 /* init heimdal's krb_context and log facilities */
94 ret = smb_krb5_init_context_basic(ctx,
105 mit_samba_context_free(ctx);
113 static int mit_samba_get_principal(struct mit_samba_context *ctx,
114 char *principal_string,
116 hdb_entry_ex **_hentry)
118 krb5_principal principal;
119 hdb_entry_ex *hentry;
122 hentry = talloc(ctx, hdb_entry_ex);
127 ret = krb5_parse_name(ctx->context, principal_string, &principal);
132 ret = samba_kdc_fetch(ctx->context, ctx->db_ctx,
133 principal, flags, 0, hentry);
135 krb5_free_principal(ctx->context, principal);
141 talloc_steal(hentry->ctx, hentry);
147 static int mit_samba_get_firstkey(struct mit_samba_context *ctx,
148 hdb_entry_ex **_hentry)
150 hdb_entry_ex *hentry;
153 hentry = talloc(ctx, hdb_entry_ex);
158 ret = samba_kdc_firstkey(ctx->context, ctx->db_ctx, hentry);
163 talloc_steal(hentry->ctx, hentry);
169 static int mit_samba_get_nextkey(struct mit_samba_context *ctx,
170 hdb_entry_ex **_hentry)
172 hdb_entry_ex *hentry;
175 hentry = talloc(ctx, hdb_entry_ex);
180 ret = samba_kdc_nextkey(ctx->context, ctx->db_ctx, hentry);
185 talloc_steal(hentry->ctx, hentry);
191 static int mit_samba_get_pac_data(struct mit_samba_context *ctx,
192 hdb_entry_ex *client,
199 tmp_ctx = talloc_named(ctx, 0, "mit_samba_get_pac_data context");
204 nt_status = samba_kdc_get_pac_blob(tmp_ctx, client, &pac_blob);
205 if (!NT_STATUS_IS_OK(nt_status)) {
206 talloc_free(tmp_ctx);
210 data->data = (uint8_t *)malloc(pac_blob->length);
212 talloc_free(tmp_ctx);
215 memcpy(data->data, pac_blob->data, pac_blob->length);
216 data->length = pac_blob->length;
218 talloc_free(tmp_ctx);
222 static int mit_samba_update_pac_data(struct mit_samba_context *ctx,
223 hdb_entry_ex *client,
225 DATA_BLOB *logon_data)
228 DATA_BLOB *logon_blob;
229 krb5_error_code code;
234 /* The user account may be set not to want the PAC */
235 if (client && !samba_princ_needs_pac(client)) {
239 tmp_ctx = talloc_named(ctx, 0, "mit_samba_update_pac_data context");
244 logon_blob = talloc_zero(tmp_ctx, DATA_BLOB);
250 code = krb5_pac_parse(ctx->context,
251 pac_data->data, pac_data->length, &pac);
257 nt_status = samba_kdc_update_pac_blob(tmp_ctx, ctx->context,
259 if (!NT_STATUS_IS_OK(nt_status)) {
260 DEBUG(0, ("Building PAC failed: %s\n",
261 nt_errstr(nt_status)));
266 logon_data->data = (uint8_t *)malloc(logon_blob->length);
267 if (!logon_data->data) {
271 memcpy(logon_data->data, logon_blob->data, logon_blob->length);
272 logon_data->length = logon_blob->length;
277 if (pac) krb5_pac_free(ctx->context, pac);
278 talloc_free(tmp_ctx);
282 static int mit_samba_check_client_access(struct mit_samba_context *ctx,
283 hdb_entry_ex *client,
284 const char *client_name,
285 hdb_entry_ex *server,
286 const char *server_name,
287 const char *netbios_name,
288 bool password_change,
291 struct samba_kdc_entry *kdc_entry;
294 kdc_entry = talloc_get_type(client->ctx, struct samba_kdc_entry);
296 nt_status = samba_kdc_check_client_access(kdc_entry,
301 if (!NT_STATUS_IS_OK(nt_status)) {
302 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
306 samba_kdc_build_edata_reply(nt_status, e_data);
308 return samba_kdc_map_policy_err(nt_status);
314 static int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
316 const char *target_name,
317 bool is_nt_enterprise_name)
319 krb5_principal target_principal;
323 if (is_nt_enterprise_name) {
324 flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
327 ret = krb5_parse_name_flags(ctx->context, target_name,
328 flags, &target_principal);
333 ret = samba_kdc_check_s4u2proxy(ctx->context,
338 krb5_free_principal(ctx->context, target_principal);
343 struct mit_samba_function_table mit_samba_function_table = {
344 mit_samba_context_init,
345 mit_samba_context_free,
346 mit_samba_get_principal,
347 mit_samba_get_firstkey,
348 mit_samba_get_nextkey,
349 mit_samba_get_pac_data,
350 mit_samba_update_pac_data,
351 mit_samba_check_client_access,
352 mit_samba_check_s4u2proxy