Fix bug #7079 - cliconnect gets realm wrong with trusted domains.
[ira/wip.git] / source3 / libads / kerberos.c
1 /* 
2    Unix SMB/CIFS implementation.
3    kerberos utility library
4    Copyright (C) Andrew Tridgell 2001
5    Copyright (C) Remus Koos 2001
6    Copyright (C) Nalin Dahyabhai <nalin@redhat.com> 2004.
7    Copyright (C) Jeremy Allison 2004.
8    Copyright (C) Gerald Carter 2006.
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19    
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "smb_krb5.h"
26
27 #ifdef HAVE_KRB5
28
29 #define DEFAULT_KRB5_PORT 88
30
31 #define LIBADS_CCACHE_NAME "MEMORY:libads"
32
33 /*
34   we use a prompter to avoid a crash bug in the kerberos libs when 
35   dealing with empty passwords
36   this prompter is just a string copy ...
37 */
38 static krb5_error_code 
39 kerb_prompter(krb5_context ctx, void *data,
40                const char *name,
41                const char *banner,
42                int num_prompts,
43                krb5_prompt prompts[])
44 {
45         if (num_prompts == 0) return 0;
46
47         memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
48         if (prompts[0].reply->length > 0) {
49                 if (data) {
50                         strncpy((char *)prompts[0].reply->data, (const char *)data,
51                                 prompts[0].reply->length-1);
52                         prompts[0].reply->length = strlen((const char *)prompts[0].reply->data);
53                 } else {
54                         prompts[0].reply->length = 0;
55                 }
56         }
57         return 0;
58 }
59
60  static bool smb_krb5_get_ntstatus_from_krb5_error(krb5_error *error,
61                                                    NTSTATUS *nt_status)
62 {
63         DATA_BLOB edata;
64         DATA_BLOB unwrapped_edata;
65         TALLOC_CTX *mem_ctx;
66         struct KRB5_EDATA_NTSTATUS parsed_edata;
67         enum ndr_err_code ndr_err;
68
69 #ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
70         edata = data_blob(error->e_data->data, error->e_data->length);
71 #else
72         edata = data_blob(error->e_data.data, error->e_data.length);
73 #endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
74
75 #ifdef DEVELOPER
76         dump_data(10, edata.data, edata.length);
77 #endif /* DEVELOPER */
78
79         mem_ctx = talloc_init("smb_krb5_get_ntstatus_from_krb5_error");
80         if (mem_ctx == NULL) {
81                 data_blob_free(&edata);
82                 return False;
83         }
84
85         if (!unwrap_edata_ntstatus(mem_ctx, &edata, &unwrapped_edata)) {
86                 data_blob_free(&edata);
87                 TALLOC_FREE(mem_ctx);
88                 return False;
89         }
90
91         data_blob_free(&edata);
92
93         ndr_err = ndr_pull_struct_blob_all(&unwrapped_edata, mem_ctx, NULL,
94                         &parsed_edata,
95                         (ndr_pull_flags_fn_t)ndr_pull_KRB5_EDATA_NTSTATUS);
96         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
97                 data_blob_free(&unwrapped_edata);
98                 TALLOC_FREE(mem_ctx);
99                 return False;
100         }
101
102         data_blob_free(&unwrapped_edata);
103
104         if (nt_status) {
105                 *nt_status = parsed_edata.ntstatus;
106         }
107
108         TALLOC_FREE(mem_ctx);
109
110         return True;
111 }
112
113  static bool smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt(krb5_context ctx, 
114                                                                   krb5_get_init_creds_opt *opt, 
115                                                                   NTSTATUS *nt_status)
116 {
117         bool ret = False;
118         krb5_error *error = NULL;
119
120 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_GET_ERROR
121         ret = krb5_get_init_creds_opt_get_error(ctx, opt, &error);
122         if (ret) {
123                 DEBUG(1,("krb5_get_init_creds_opt_get_error gave: %s\n", 
124                         error_message(ret)));
125                 return False;
126         }
127 #endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_GET_ERROR */
128
129         if (!error) {
130                 DEBUG(1,("no krb5_error\n"));
131                 return False;
132         }
133
134 #ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
135         if (!error->e_data) {
136 #else
137         if (error->e_data.data == NULL) {
138 #endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
139                 DEBUG(1,("no edata in krb5_error\n")); 
140                 krb5_free_error(ctx, error);
141                 return False;
142         }
143
144         ret = smb_krb5_get_ntstatus_from_krb5_error(error, nt_status);
145
146         krb5_free_error(ctx, error);
147
148         return ret;
149 }
150
151 /*
152   simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL
153   place in default cache location.
154   remus@snapserver.com
155 */
156 int kerberos_kinit_password_ext(const char *principal,
157                                 const char *password,
158                                 int time_offset,
159                                 time_t *expire_time,
160                                 time_t *renew_till_time,
161                                 const char *cache_name,
162                                 bool request_pac,
163                                 bool add_netbios_addr,
164                                 time_t renewable_time,
165                                 NTSTATUS *ntstatus)
166 {
167         krb5_context ctx = NULL;
168         krb5_error_code code = 0;
169         krb5_ccache cc = NULL;
170         krb5_principal me = NULL;
171         krb5_creds my_creds;
172         krb5_get_init_creds_opt *opt = NULL;
173         smb_krb5_addresses *addr = NULL;
174
175         ZERO_STRUCT(my_creds);
176
177         initialize_krb5_error_table();
178         if ((code = krb5_init_context(&ctx)))
179                 goto out;
180
181         if (time_offset != 0) {
182                 krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
183         }
184
185         DEBUG(10,("kerberos_kinit_password: as %s using [%s] as ccache and config [%s]\n",
186                         principal,
187                         cache_name ? cache_name: krb5_cc_default_name(ctx),
188                         getenv("KRB5_CONFIG")));
189
190         if ((code = krb5_cc_resolve(ctx, cache_name ? cache_name : krb5_cc_default_name(ctx), &cc))) {
191                 goto out;
192         }
193         
194         if ((code = smb_krb5_parse_name(ctx, principal, &me))) {
195                 goto out;
196         }
197
198         if ((code = smb_krb5_get_init_creds_opt_alloc(ctx, &opt))) {
199                 goto out;
200         }
201
202         krb5_get_init_creds_opt_set_renew_life(opt, renewable_time);
203         krb5_get_init_creds_opt_set_forwardable(opt, True);
204 #if 0
205         /* insane testing */
206         krb5_get_init_creds_opt_set_tkt_life(opt, 60);
207 #endif
208
209 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
210         if (request_pac) {
211                 if ((code = krb5_get_init_creds_opt_set_pac_request(ctx, opt, (krb5_boolean)request_pac))) {
212                         goto out;
213                 }
214         }
215 #endif
216         if (add_netbios_addr) {
217                 if ((code = smb_krb5_gen_netbios_krb5_address(&addr))) {
218                         goto out;
219                 }
220                 krb5_get_init_creds_opt_set_address_list(opt, addr->addrs);
221         }
222
223         if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, CONST_DISCARD(char *,password), 
224                                                  kerb_prompter, CONST_DISCARD(char *,password),
225                                                  0, NULL, opt))) {
226                 goto out;
227         }
228
229         if ((code = krb5_cc_initialize(ctx, cc, me))) {
230                 goto out;
231         }
232         
233         if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
234                 goto out;
235         }
236
237         if (expire_time) {
238                 *expire_time = (time_t) my_creds.times.endtime;
239         }
240
241         if (renew_till_time) {
242                 *renew_till_time = (time_t) my_creds.times.renew_till;
243         }
244  out:
245         if (ntstatus) {
246
247                 NTSTATUS status;
248
249                 /* fast path */
250                 if (code == 0) {
251                         *ntstatus = NT_STATUS_OK;
252                         goto cleanup;
253                 }
254
255                 /* try to get ntstatus code out of krb5_error when we have it
256                  * inside the krb5_get_init_creds_opt - gd */
257
258                 if (opt && smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt(ctx, opt, &status)) {
259                         *ntstatus = status;
260                         goto cleanup;
261                 }
262
263                 /* fall back to self-made-mapping */
264                 *ntstatus = krb5_to_nt_status(code);
265         }
266
267  cleanup:
268         krb5_free_cred_contents(ctx, &my_creds);
269         if (me) {
270                 krb5_free_principal(ctx, me);
271         }
272         if (addr) {
273                 smb_krb5_free_addresses(ctx, addr);
274         }
275         if (opt) {
276                 smb_krb5_get_init_creds_opt_free(ctx, opt);
277         }
278         if (cc) {
279                 krb5_cc_close(ctx, cc);
280         }
281         if (ctx) {
282                 krb5_free_context(ctx);
283         }
284         return code;
285 }
286
287
288
289 /* run kinit to setup our ccache */
290 int ads_kinit_password(ADS_STRUCT *ads)
291 {
292         char *s;
293         int ret;
294         const char *account_name;
295         fstring acct_name;
296
297         if (ads->auth.flags & ADS_AUTH_USER_CREDS) {
298                 account_name = ads->auth.user_name;
299                 goto got_accountname;
300         }
301
302         if ( IS_DC ) {
303                 /* this will end up getting a ticket for DOMAIN@RUSTED.REA.LM */
304                 account_name = lp_workgroup();
305         } else {
306                 /* always use the sAMAccountName for security = domain */
307                 /* global_myname()$@REA.LM */
308                 if ( lp_security() == SEC_DOMAIN ) {
309                         fstr_sprintf( acct_name, "%s$", global_myname() );
310                         account_name = acct_name;
311                 }
312                 else 
313                         /* This looks like host/global_myname()@REA.LM */
314                         account_name = ads->auth.user_name;
315         }
316
317  got_accountname:
318         if (asprintf(&s, "%s@%s", account_name, ads->auth.realm) == -1) {
319                 return KRB5_CC_NOMEM;
320         }
321
322         if (!ads->auth.password) {
323                 SAFE_FREE(s);
324                 return KRB5_LIBOS_CANTREADPWD;
325         }
326         
327         ret = kerberos_kinit_password_ext(s, ads->auth.password, ads->auth.time_offset,
328                         &ads->auth.tgt_expire, NULL, NULL, False, False, ads->auth.renewable, 
329                         NULL);
330
331         if (ret) {
332                 DEBUG(0,("kerberos_kinit_password %s failed: %s\n", 
333                          s, error_message(ret)));
334         }
335         SAFE_FREE(s);
336         return ret;
337 }
338
339 int ads_kdestroy(const char *cc_name)
340 {
341         krb5_error_code code;
342         krb5_context ctx = NULL;
343         krb5_ccache cc = NULL;
344
345         initialize_krb5_error_table();
346         if ((code = krb5_init_context (&ctx))) {
347                 DEBUG(3, ("ads_kdestroy: kdb5_init_context failed: %s\n", 
348                         error_message(code)));
349                 return code;
350         }
351   
352         if (!cc_name) {
353                 if ((code = krb5_cc_default(ctx, &cc))) {
354                         krb5_free_context(ctx);
355                         return code;
356                 }
357         } else {
358                 if ((code = krb5_cc_resolve(ctx, cc_name, &cc))) {
359                         DEBUG(3, ("ads_kdestroy: krb5_cc_resolve failed: %s\n",
360                                   error_message(code)));
361                         krb5_free_context(ctx);
362                         return code;
363                 }
364         }
365
366         if ((code = krb5_cc_destroy (ctx, cc))) {
367                 DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n", 
368                         error_message(code)));
369         }
370
371         krb5_free_context (ctx);
372         return code;
373 }
374
375 /************************************************************************
376  Routine to fetch the salting principal for a service.  Active
377  Directory may use a non-obvious principal name to generate the salt
378  when it determines the key to use for encrypting tickets for a service,
379  and hopefully we detected that when we joined the domain.
380  ************************************************************************/
381
382 static char *kerberos_secrets_fetch_salting_principal(const char *service, int enctype)
383 {
384         char *key = NULL;
385         char *ret = NULL;
386
387         if (asprintf(&key, "%s/%s/enctype=%d",
388                      SECRETS_SALTING_PRINCIPAL, service, enctype) == -1) {
389                 return NULL;
390         }
391         ret = (char *)secrets_fetch(key, NULL);
392         SAFE_FREE(key);
393         return ret;
394 }
395
396 /************************************************************************
397  Return the standard DES salt key
398 ************************************************************************/
399
400 char* kerberos_standard_des_salt( void )
401 {
402         fstring salt;
403
404         fstr_sprintf( salt, "host/%s.%s@", global_myname(), lp_realm() );
405         strlower_m( salt );
406         fstrcat( salt, lp_realm() );
407
408         return SMB_STRDUP( salt );
409 }
410
411 /************************************************************************
412 ************************************************************************/
413
414 static char* des_salt_key( void )
415 {
416         char *key;
417
418         if (asprintf(&key, "%s/DES/%s", SECRETS_SALTING_PRINCIPAL,
419                      lp_realm()) == -1) {
420                 return NULL;
421         }
422
423         return key;
424 }
425
426 /************************************************************************
427 ************************************************************************/
428
429 bool kerberos_secrets_store_des_salt( const char* salt )
430 {
431         char* key;
432         bool ret;
433
434         if ( (key = des_salt_key()) == NULL ) {
435                 DEBUG(0,("kerberos_secrets_store_des_salt: failed to generate key!\n"));
436                 return False;
437         }
438
439         if ( !salt ) {
440                 DEBUG(8,("kerberos_secrets_store_des_salt: deleting salt\n"));
441                 secrets_delete( key );
442                 return True;
443         }
444
445         DEBUG(3,("kerberos_secrets_store_des_salt: Storing salt \"%s\"\n", salt));
446
447         ret = secrets_store( key, salt, strlen(salt)+1 );
448
449         SAFE_FREE( key );
450
451         return ret;
452 }
453
454 /************************************************************************
455 ************************************************************************/
456
457 char* kerberos_secrets_fetch_des_salt( void )
458 {
459         char *salt, *key;
460
461         if ( (key = des_salt_key()) == NULL ) {
462                 DEBUG(0,("kerberos_secrets_fetch_des_salt: failed to generate key!\n"));
463                 return False;
464         }
465
466         salt = (char*)secrets_fetch( key, NULL );
467
468         SAFE_FREE( key );
469
470         return salt;
471 }
472
473 /************************************************************************
474  Routine to get the default realm from the kerberos credentials cache.
475  Caller must free if the return value is not NULL.
476 ************************************************************************/
477
478 char *kerberos_get_default_realm_from_ccache( void )
479 {
480         char *realm = NULL;
481         krb5_context ctx = NULL;
482         krb5_ccache cc = NULL;
483         krb5_principal princ = NULL;
484
485         initialize_krb5_error_table();
486         if (krb5_init_context(&ctx)) {
487                 return NULL;
488         }
489
490         DEBUG(5,("kerberos_get_default_realm_from_ccache: "
491                 "Trying to read krb5 cache: %s\n",
492                 krb5_cc_default_name(ctx)));
493         if (krb5_cc_default(ctx, &cc)) {
494                 DEBUG(0,("kerberos_get_default_realm_from_ccache: "
495                         "failed to read default cache\n"));
496                 goto out;
497         }
498         if (krb5_cc_get_principal(ctx, cc, &princ)) {
499                 DEBUG(0,("kerberos_get_default_realm_from_ccache: "
500                         "failed to get default principal\n"));
501                 goto out;
502         }
503
504 #if defined(HAVE_KRB5_PRINCIPAL_GET_REALM)
505         realm = SMB_STRDUP(krb5_principal_get_realm(ctx, princ));
506 #elif defined(HAVE_KRB5_PRINC_REALM)
507         {
508                 krb5_data *realm_data = krb5_princ_realm(ctx, princ);
509                 realm = SMB_STRNDUP(realm_data->data, realm_data->length);
510         }
511 #endif
512
513   out:
514
515         if (ctx) {
516                 if (princ) {
517                         krb5_free_principal(ctx, princ);
518                 }
519                 if (cc) {
520                         krb5_cc_close(ctx, cc);
521                 }
522                 krb5_free_context(ctx);
523         }
524
525         return realm;
526 }
527
528 /************************************************************************
529  Routine to get the realm from a given DNS name. Returns malloc'ed memory.
530  Caller must free() if the return value is not NULL.
531 ************************************************************************/
532
533 char *kerberos_get_realm_from_hostname(const char *hostname)
534 {
535 #if defined(HAVE_KRB5_GET_HOST_REALM) && defined(HAVE_KRB5_FREE_HOST_REALM)
536 #if defined(HAVE_KRB5_REALM_TYPE)
537         /* Heimdal. */
538         krb5_realm *realm_list = NULL;
539 #else
540         /* MIT */
541         char **realm_list = NULL;
542 #endif
543         char *realm = NULL;
544         krb5_error_code kerr;
545         krb5_context ctx = NULL;
546
547         initialize_krb5_error_table();
548         if (krb5_init_context(&ctx)) {
549                 return NULL;
550         }
551
552         kerr = krb5_get_host_realm(ctx, hostname, &realm_list);
553         if (kerr != 0) {
554                 DEBUG(3,("kerberos_get_realm_from_hostname %s: "
555                         "failed %s\n",
556                         hostname ? hostname : "(NULL)",
557                         error_message(kerr) ));
558                 goto out;
559         }
560
561         if (realm_list && realm_list[0]) {
562                 realm = SMB_STRDUP(realm_list[0]);
563         }
564
565   out:
566
567         if (ctx) {
568                 if (realm_list) {
569                         krb5_free_host_realm(ctx, realm_list);
570                         realm_list = NULL;
571                 }
572                 krb5_free_context(ctx);
573                 ctx = NULL;
574         }
575         return realm;
576 #else
577         return NULL;
578 #endif
579 }
580
581 /************************************************************************
582  Routine to get the salting principal for this service.  This is 
583  maintained for backwards compatibilty with releases prior to 3.0.24.
584  Since we store the salting principal string only at join, we may have 
585  to look for the older tdb keys.  Caller must free if return is not null.
586  ************************************************************************/
587
588 krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context,
589                                                         krb5_principal host_princ,
590                                                         int enctype)
591 {
592         char *unparsed_name = NULL, *salt_princ_s = NULL;
593         krb5_principal ret_princ = NULL;
594         
595         /* lookup new key first */
596
597         if ( (salt_princ_s = kerberos_secrets_fetch_des_salt()) == NULL ) {
598         
599                 /* look under the old key.  If this fails, just use the standard key */
600
601                 if (smb_krb5_unparse_name(talloc_tos(), context, host_princ, &unparsed_name) != 0) {
602                         return (krb5_principal)NULL;
603                 }
604                 if ((salt_princ_s = kerberos_secrets_fetch_salting_principal(unparsed_name, enctype)) == NULL) {
605                         /* fall back to host/machine.realm@REALM */
606                         salt_princ_s = kerberos_standard_des_salt();
607                 }
608         }
609
610         if (smb_krb5_parse_name(context, salt_princ_s, &ret_princ) != 0) {
611                 ret_princ = NULL;
612         }
613         
614         TALLOC_FREE(unparsed_name);
615         SAFE_FREE(salt_princ_s);
616         
617         return ret_princ;
618 }
619
620 /************************************************************************
621  Routine to set the salting principal for this service.  Active
622  Directory may use a non-obvious principal name to generate the salt
623  when it determines the key to use for encrypting tickets for a service,
624  and hopefully we detected that when we joined the domain.
625  Setting principal to NULL deletes this entry.
626  ************************************************************************/
627
628 bool kerberos_secrets_store_salting_principal(const char *service,
629                                               int enctype,
630                                               const char *principal)
631 {
632         char *key = NULL;
633         bool ret = False;
634         krb5_context context = NULL;
635         krb5_principal princ = NULL;
636         char *princ_s = NULL;
637         char *unparsed_name = NULL;
638         krb5_error_code code;
639
640         if (((code = krb5_init_context(&context)) != 0) || (context == NULL)) {
641                 DEBUG(5, ("kerberos_secrets_store_salting_pricipal: kdb5_init_context failed: %s\n",
642                           error_message(code)));
643                 return False;
644         }
645         if (strchr_m(service, '@')) {
646                 if (asprintf(&princ_s, "%s", service) == -1) {
647                         goto out;
648                 }
649         } else {
650                 if (asprintf(&princ_s, "%s@%s", service, lp_realm()) == -1) {
651                         goto out;
652                 }
653         }
654
655         if (smb_krb5_parse_name(context, princ_s, &princ) != 0) {
656                 goto out;
657                 
658         }
659         if (smb_krb5_unparse_name(talloc_tos(), context, princ, &unparsed_name) != 0) {
660                 goto out;
661         }
662
663         if (asprintf(&key, "%s/%s/enctype=%d",
664                      SECRETS_SALTING_PRINCIPAL, unparsed_name, enctype)
665             == -1) {
666                 goto out;
667         }
668
669         if ((principal != NULL) && (strlen(principal) > 0)) {
670                 ret = secrets_store(key, principal, strlen(principal) + 1);
671         } else {
672                 ret = secrets_delete(key);
673         }
674
675  out:
676
677         SAFE_FREE(key);
678         SAFE_FREE(princ_s);
679         TALLOC_FREE(unparsed_name);
680
681         if (princ) {
682                 krb5_free_principal(context, princ);
683         }
684
685         if (context) {
686                 krb5_free_context(context);
687         }
688
689         return ret;
690 }
691
692
693 /************************************************************************
694 ************************************************************************/
695
696 int kerberos_kinit_password(const char *principal,
697                             const char *password,
698                             int time_offset,
699                             const char *cache_name)
700 {
701         return kerberos_kinit_password_ext(principal, 
702                                            password, 
703                                            time_offset, 
704                                            0, 
705                                            0,
706                                            cache_name,
707                                            False,
708                                            False,
709                                            0,
710                                            NULL);
711 }
712
713 /************************************************************************
714 ************************************************************************/
715
716 static char *print_kdc_line(char *mem_ctx,
717                         const char *prev_line,
718                         const struct sockaddr_storage *pss)
719 {
720         char *kdc_str = NULL;
721
722         if (pss->ss_family == AF_INET) {
723                 kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
724                                         prev_line,
725                                         print_canonical_sockaddr(mem_ctx, pss));
726         } else {
727                 char addr[INET6_ADDRSTRLEN];
728                 uint16_t port = get_sockaddr_port(pss);
729
730                 if (port != 0 && port != DEFAULT_KRB5_PORT) {
731                         /* Currently for IPv6 we can't specify a non-default
732                            krb5 port with an address, as this requires a ':'.
733                            Resolve to a name. */
734                         char hostname[MAX_DNS_NAME_LENGTH];
735                         int ret = sys_getnameinfo((const struct sockaddr *)pss,
736                                         sizeof(*pss),
737                                         hostname, sizeof(hostname),
738                                         NULL, 0,
739                                         NI_NAMEREQD);
740                         if (ret) {
741                                 DEBUG(0,("print_kdc_line: can't resolve name "
742                                         "for kdc with non-default port %s. "
743                                         "Error %s\n.",
744                                         print_canonical_sockaddr(mem_ctx, pss),
745                                         gai_strerror(ret)));
746                         }
747                         /* Success, use host:port */
748                         kdc_str = talloc_asprintf(mem_ctx,
749                                         "%s\tkdc = %s:%u\n",
750                                         prev_line,
751                                         hostname,
752                                         (unsigned int)port);
753                 } else {
754                         kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
755                                         prev_line,
756                                         print_sockaddr(addr,
757                                                 sizeof(addr),
758                                                 pss));
759                 }
760         }
761         return kdc_str;
762 }
763
764 /************************************************************************
765  Create a string list of available kdc's, possibly searching by sitename.
766  Does DNS queries.
767
768  If "sitename" is given, the DC's in that site are listed first.
769
770 ************************************************************************/
771
772 static char *get_kdc_ip_string(char *mem_ctx,
773                 const char *realm,
774                 const char *sitename,
775                 struct sockaddr_storage *pss)
776 {
777         int i;
778         struct ip_service *ip_srv_site = NULL;
779         struct ip_service *ip_srv_nonsite = NULL;
780         int count_site = 0;
781         int count_nonsite;
782         char *kdc_str = print_kdc_line(mem_ctx, "", pss);
783
784         if (kdc_str == NULL) {
785                 return NULL;
786         }
787
788         /*
789          * First get the KDC's only in this site, the rest will be
790          * appended later
791          */
792
793         if (sitename) {
794
795                 get_kdc_list(realm, sitename, &ip_srv_site, &count_site);
796
797                 for (i = 0; i < count_site; i++) {
798                         if (sockaddr_equal((struct sockaddr *)&ip_srv_site[i].ss,
799                                                    (struct sockaddr *)pss)) {
800                                 continue;
801                         }
802                         /* Append to the string - inefficient
803                          * but not done often. */
804                         kdc_str = print_kdc_line(mem_ctx,
805                                                 kdc_str,
806                                                 &ip_srv_site[i].ss);
807                         if (!kdc_str) {
808                                 SAFE_FREE(ip_srv_site);
809                                 return NULL;
810                         }
811                 }
812         }
813
814         /* Get all KDC's. */
815
816         get_kdc_list(realm, NULL, &ip_srv_nonsite, &count_nonsite);
817
818         for (i = 0; i < count_nonsite; i++) {
819                 int j;
820
821                 if (sockaddr_equal((struct sockaddr *)&ip_srv_nonsite[i].ss, (struct sockaddr *)pss)) {
822                         continue;
823                 }
824
825                 /* Ensure this isn't an IP already seen (YUK! this is n*n....) */
826                 for (j = 0; j < count_site; j++) {
827                         if (sockaddr_equal((struct sockaddr *)&ip_srv_nonsite[i].ss,
828                                                 (struct sockaddr *)&ip_srv_site[j].ss)) {
829                                 break;
830                         }
831                         /* As the lists are sorted we can break early if nonsite > site. */
832                         if (ip_service_compare(&ip_srv_nonsite[i], &ip_srv_site[j]) > 0) {
833                                 break;
834                         }
835                 }
836                 if (j != i) {
837                         continue;
838                 }
839
840                 /* Append to the string - inefficient but not done often. */
841                 kdc_str = print_kdc_line(mem_ctx,
842                                 kdc_str,
843                                 &ip_srv_nonsite[i].ss);
844                 if (!kdc_str) {
845                         SAFE_FREE(ip_srv_site);
846                         SAFE_FREE(ip_srv_nonsite);
847                         return NULL;
848                 }
849         }
850
851
852         SAFE_FREE(ip_srv_site);
853         SAFE_FREE(ip_srv_nonsite);
854
855         DEBUG(10,("get_kdc_ip_string: Returning %s\n",
856                 kdc_str ));
857
858         return kdc_str;
859 }
860
861 /************************************************************************
862  Create  a specific krb5.conf file in the private directory pointing
863  at a specific kdc for a realm. Keyed off domain name. Sets
864  KRB5_CONFIG environment variable to point to this file. Must be
865  run as root or will fail (which is a good thing :-).
866 ************************************************************************/
867
868 bool create_local_private_krb5_conf_for_domain(const char *realm,
869                                                 const char *domain,
870                                                 const char *sitename,
871                                                 struct sockaddr_storage *pss)
872 {
873         char *dname;
874         char *tmpname = NULL;
875         char *fname = NULL;
876         char *file_contents = NULL;
877         char *kdc_ip_string = NULL;
878         size_t flen = 0;
879         ssize_t ret;
880         int fd;
881         char *realm_upper = NULL;
882         bool result = false;
883
884         if (!lp_create_krb5_conf()) {
885                 return false;
886         }
887
888         dname = lock_path("smb_krb5");
889         if (!dname) {
890                 return false;
891         }
892         if ((mkdir(dname, 0755)==-1) && (errno != EEXIST)) {
893                 DEBUG(0,("create_local_private_krb5_conf_for_domain: "
894                         "failed to create directory %s. Error was %s\n",
895                         dname, strerror(errno) ));
896                 goto done;
897         }
898
899         tmpname = lock_path("smb_tmp_krb5.XXXXXX");
900         if (!tmpname) {
901                 goto done;
902         }
903
904         fname = talloc_asprintf(dname, "%s/krb5.conf.%s", dname, domain);
905         if (!fname) {
906                 goto done;
907         }
908
909         DEBUG(10,("create_local_private_krb5_conf_for_domain: fname = %s, realm = %s, domain = %s\n",
910                 fname, realm, domain ));
911
912         realm_upper = talloc_strdup(fname, realm);
913         strupper_m(realm_upper);
914
915         kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss);
916         if (!kdc_ip_string) {
917                 goto done;
918         }
919
920         file_contents = talloc_asprintf(fname,
921                                         "[libdefaults]\n\tdefault_realm = %s\n"
922                                         "\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
923                                         "\tdefault_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
924                                         "\tpreferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
925                                         "[realms]\n\t%s = {\n"
926                                         "\t%s\t}\n",
927                                         realm_upper, realm_upper, kdc_ip_string);
928
929         if (!file_contents) {
930                 goto done;
931         }
932
933         flen = strlen(file_contents);
934
935         fd = mkstemp(tmpname);
936         if (fd == -1) {
937                 DEBUG(0,("create_local_private_krb5_conf_for_domain: smb_mkstemp failed,"
938                         " for file %s. Errno %s\n",
939                         tmpname, strerror(errno) ));
940                 goto done;
941         }
942
943         if (fchmod(fd, 0644)==-1) {
944                 DEBUG(0,("create_local_private_krb5_conf_for_domain: fchmod failed for %s."
945                         " Errno %s\n",
946                         tmpname, strerror(errno) ));
947                 unlink(tmpname);
948                 close(fd);
949                 goto done;
950         }
951
952         ret = write(fd, file_contents, flen);
953         if (flen != ret) {
954                 DEBUG(0,("create_local_private_krb5_conf_for_domain: write failed,"
955                         " returned %d (should be %u). Errno %s\n",
956                         (int)ret, (unsigned int)flen, strerror(errno) ));
957                 unlink(tmpname);
958                 close(fd);
959                 goto done;
960         }
961         if (close(fd)==-1) {
962                 DEBUG(0,("create_local_private_krb5_conf_for_domain: close failed."
963                         " Errno %s\n", strerror(errno) ));
964                 unlink(tmpname);
965                 goto done;
966         }
967
968         if (rename(tmpname, fname) == -1) {
969                 DEBUG(0,("create_local_private_krb5_conf_for_domain: rename "
970                         "of %s to %s failed. Errno %s\n",
971                         tmpname, fname, strerror(errno) ));
972                 unlink(tmpname);
973                 goto done;
974         }
975
976         DEBUG(5,("create_local_private_krb5_conf_for_domain: wrote "
977                 "file %s with realm %s KDC list = %s\n",
978                 fname, realm_upper, kdc_ip_string));
979
980         /* Set the environment variable to this file. */
981         setenv("KRB5_CONFIG", fname, 1);
982
983         result = true;
984
985 #if defined(OVERWRITE_SYSTEM_KRB5_CONF)
986
987 #define SYSTEM_KRB5_CONF_PATH "/etc/krb5.conf"
988         /* Insanity, sheer insanity..... */
989
990         if (strequal(realm, lp_realm())) {
991                 char linkpath[PATH_MAX+1];
992                 int lret;
993
994                 lret = readlink(SYSTEM_KRB5_CONF_PATH, linkpath, sizeof(linkpath)-1);
995                 if (lret != -1) {
996                         linkpath[lret] = '\0';
997                 }
998
999                 if (lret != -1 || strcmp(linkpath, fname) == 0) {
1000                         /* Symlink already exists. */
1001                         goto done;
1002                 }
1003
1004                 /* Try and replace with a symlink. */
1005                 if (symlink(fname, SYSTEM_KRB5_CONF_PATH) == -1) {
1006                         const char *newpath = SYSTEM_KRB5_CONF_PATH ## ".saved";
1007                         if (errno != EEXIST) {
1008                                 DEBUG(0,("create_local_private_krb5_conf_for_domain: symlink "
1009                                         "of %s to %s failed. Errno %s\n",
1010                                         fname, SYSTEM_KRB5_CONF_PATH, strerror(errno) ));
1011                                 goto done; /* Not a fatal error. */
1012                         }
1013
1014                         /* Yes, this is a race conditon... too bad. */
1015                         if (rename(SYSTEM_KRB5_CONF_PATH, newpath) == -1) {
1016                                 DEBUG(0,("create_local_private_krb5_conf_for_domain: rename "
1017                                         "of %s to %s failed. Errno %s\n",
1018                                         SYSTEM_KRB5_CONF_PATH, newpath,
1019                                         strerror(errno) ));
1020                                 goto done; /* Not a fatal error. */
1021                         }
1022
1023                         if (symlink(fname, SYSTEM_KRB5_CONF_PATH) == -1) {
1024                                 DEBUG(0,("create_local_private_krb5_conf_for_domain: "
1025                                         "forced symlink of %s to /etc/krb5.conf failed. Errno %s\n",
1026                                         fname, strerror(errno) ));
1027                                 goto done; /* Not a fatal error. */
1028                         }
1029                 }
1030         }
1031 #endif
1032
1033 done:
1034         TALLOC_FREE(tmpname);
1035         TALLOC_FREE(dname);
1036
1037         return result;
1038 }
1039 #endif