source4/auth/credentials/credentials_secrets.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    User credentials handling (as regards on-disk files)
   5
   6    Copyright (C) Jelmer Vernooij 2005
   7    Copyright (C) Tim Potter 2001
   8    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
   9
  10    This program is free software; you can redistribute it and/or modify
  11    it under the terms of the GNU General Public License as published by
  12    the Free Software Foundation; either version 3 of the License, or
  13    (at your option) any later version.
  14
  15    This program is distributed in the hope that it will be useful,
  16    but WITHOUT ANY WARRANTY; without even the implied warranty of
  17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  18    GNU General Public License for more details.
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "includes.h"
  25 #include "lib/events/events.h"
  26 #include "lib/ldb/include/ldb.h"
  27 #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
  28 #include "param/secrets.h"
  29 #include "system/filesys.h"
  30 #include "../lib/util/util_ldb.h"
  31 #include "auth/credentials/credentials.h"
  32 #include "auth/credentials/credentials_krb5.h"
  33 #include "auth/credentials/credentials_proto.h"
  34 #include "param/param.h"
  35 #include "lib/events/events.h"
  36 #include "dsdb/samdb/samdb.h"
  37
  38 /**
  39  * Fill in credentials for the machine trust account, from the secrets database.
  40  *
  41  * @param cred Credentials structure to fill in
  42  * @retval NTSTATUS error detailing any failure
  43  */
  44 _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
  45                                               struct tevent_context *event_ctx,
  46                                               struct loadparm_context *lp_ctx,
  47                                               struct ldb_context *ldb,
  48                                               const char *base,
  49                                               const char *filter,
  50                                               char **error_string)
  51 {
  52         TALLOC_CTX *mem_ctx;
  53
  54         int ldb_ret;
  55         struct ldb_message *msg;
  56
  57         const char *machine_account;
  58         const char *password;
  59         const char *old_password;
  60         const char *domain;
  61         const char *realm;
  62         enum netr_SchannelType sct;
  63         const char *salt_principal;
  64         char *keytab;
  65         const struct ldb_val *whenChanged;
  66
  67         /* ok, we are going to get it now, don't recurse back here */
  68         cred->machine_account_pending = false;
  69
  70         /* some other parts of the system will key off this */
  71         cred->machine_account = true;
  72
  73         mem_ctx = talloc_named(cred, 0, "cli_credentials fetch machine password");
  74
  75         if (!ldb) {
  76                 /* Local secrets are stored in secrets.ldb */
  77                 ldb = secrets_db_connect(mem_ctx, event_ctx, lp_ctx);
  78                 if (!ldb) {
  79                         /* set anonymous as the fallback, if the machine account won't work */
  80                         cli_credentials_set_anonymous(cred);
  81                         *error_string = talloc_strdup(cred, "Could not open secrets.ldb");
  82                         talloc_free(mem_ctx);
  83                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
  84                 }
  85         }
  86
  87         ldb_ret = dsdb_search_one(ldb, ldb, &msg,
  88                                   ldb_dn_new(mem_ctx, ldb, base),
  89                                   LDB_SCOPE_SUBTREE,
  90                                   NULL, 0, "%s", filter);
  91
  92         if (ldb_ret != LDB_SUCCESS) {
  93                 *error_string = talloc_asprintf(cred, "Could not find entry to match filter: '%s' base: '%s': %s: %s\n",
  94                                                 filter, base ? base : "",
  95                                                 ldb_strerror(ldb_ret), ldb_errstring(ldb));
  96                 /* set anonymous as the fallback, if the machine account won't work */
  97                 cli_credentials_set_anonymous(cred);
  98                 talloc_free(mem_ctx);
  99                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 100         }
 101
 102         password = ldb_msg_find_attr_as_string(msg, "secret", NULL);
 103         old_password = ldb_msg_find_attr_as_string(msg, "priorSecret", NULL);
 104
 105         machine_account = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
 106
 107         if (!machine_account) {
 108                 machine_account = ldb_msg_find_attr_as_string(msg, "servicePrincipalName", NULL);
 109
 110                 if (!machine_account) {
 111                         const char *ldap_bind_dn = ldb_msg_find_attr_as_string(msg, "ldapBindDn", NULL);
 112                         if (!ldap_bind_dn) {
 113                                 *error_string = talloc_asprintf(cred,
 114                                                                 "Could not find 'samAccountName', "
 115                                                                 "'servicePrincipalName' or "
 116                                                                 "'ldapBindDn' in secrets record: %s",
 117                                                                 ldb_dn_get_linearized(msg->dn));
 118                                 /* set anonymous as the fallback, if the machine account won't work */
 119                                 cli_credentials_set_anonymous(cred);
 120                                 talloc_free(mem_ctx);
 121                                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 122                         } else {
 123                                 /* store bind dn in credentials */
 124                                 cli_credentials_set_bind_dn(cred, ldap_bind_dn);
 125                         }
 126                 }
 127         }
 128
 129         salt_principal = ldb_msg_find_attr_as_string(msg, "saltPrincipal", NULL);
 130         cli_credentials_set_salt_principal(cred, salt_principal);
 131
 132         sct = ldb_msg_find_attr_as_int(msg, "secureChannelType", 0);
 133         if (sct) {
 134                 cli_credentials_set_secure_channel_type(cred, sct);
 135         }
 136
 137         if (!password) {
 138                 const struct ldb_val *nt_password_hash = ldb_msg_find_ldb_val(msg, "unicodePwd");
 139                 struct samr_Password hash;
 140                 ZERO_STRUCT(hash);
 141                 if (nt_password_hash) {
 142                         memcpy(hash.hash, nt_password_hash->data,
 143                                MIN(nt_password_hash->length, sizeof(hash.hash)));
 144
 145                         cli_credentials_set_nt_hash(cred, &hash, CRED_SPECIFIED);
 146                 } else {
 147                         cli_credentials_set_password(cred, NULL, CRED_SPECIFIED);
 148                 }
 149         } else {
 150                 cli_credentials_set_password(cred, password, CRED_SPECIFIED);
 151         }
 152
 153
 154         domain = ldb_msg_find_attr_as_string(msg, "flatname", NULL);
 155         if (domain) {
 156                 cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
 157         }
 158
 159         realm = ldb_msg_find_attr_as_string(msg, "realm", NULL);
 160         if (realm) {
 161                 cli_credentials_set_realm(cred, realm, CRED_SPECIFIED);
 162         }
 163
 164         if (machine_account) {
 165                 cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
 166         }
 167
 168         cli_credentials_set_kvno(cred, ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0));
 169
 170         whenChanged = ldb_msg_find_ldb_val(msg, "whenChanged");
 171         if (whenChanged) {
 172                 time_t lct;
 173                 if (ldb_val_to_time(whenChanged, &lct) == LDB_SUCCESS) {
 174                         cli_credentials_set_password_last_changed_time(cred, lct);
 175                 }
 176         }
 177
 178         /* If there was an external keytab specified by reference in
 179          * the LDB, then use this.  Otherwise we will make one up
 180          * (chewing CPU time) from the password */
 181         keytab = keytab_name_from_msg(cred, ldb, msg);
 182         if (keytab) {
 183                 cli_credentials_set_keytab_name(cred, event_ctx, lp_ctx, keytab, CRED_SPECIFIED);
 184                 talloc_free(keytab);
 185         }
 186         talloc_free(mem_ctx);
 187
 188         return NT_STATUS_OK;
 189 }
 190
 191 /**
 192  * Fill in credentials for the machine trust account, from the secrets database.
 193  *
 194  * @param cred Credentials structure to fill in
 195  * @retval NTSTATUS error detailing any failure
 196  */
 197 _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred,
 198                                                       struct loadparm_context *lp_ctx)
 199 {
 200         NTSTATUS status;
 201         char *filter;
 202         char *error_string;
 203         /* Bleh, nasty recursion issues: We are setting a machine
 204          * account here, so we don't want the 'pending' flag around
 205          * any more */
 206         cred->machine_account_pending = false;
 207         filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
 208                                        cli_credentials_get_domain(cred));
 209         status = cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL,
 210                                            SECRETS_PRIMARY_DOMAIN_DN,
 211                                              filter, &error_string);
 212         if (!NT_STATUS_IS_OK(status)) {
 213                 DEBUG(1, ("Could not find machine account in secrets database: %s: %s", nt_errstr(status), error_string));
 214                 talloc_free(error_string);
 215         }
 216         return status;
 217 }
 218
 219 /**
 220  * Fill in credentials for the machine trust account, from the secrets database.
 221  *
 222  * @param cred Credentials structure to fill in
 223  * @retval NTSTATUS error detailing any failure
 224  */
 225 NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred,
 226                                     struct tevent_context *event_ctx,
 227                                     struct loadparm_context *lp_ctx)
 228 {
 229         NTSTATUS status;
 230         char *filter;
 231         char *error_string;
 232         /* Bleh, nasty recursion issues: We are setting a machine
 233          * account here, so we don't want the 'pending' flag around
 234          * any more */
 235         cred->machine_account_pending = false;
 236         filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH,
 237                                        cli_credentials_get_realm(cred),
 238                                        cli_credentials_get_domain(cred));
 239         status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL,
 240                                              SECRETS_PRINCIPALS_DN,
 241                                              filter, &error_string);
 242         if (!NT_STATUS_IS_OK(status)) {
 243                 DEBUG(1, ("Could not find krbtgt (master Kerberos) account in secrets database: %s: %s", nt_errstr(status), error_string));
 244                 talloc_free(error_string);
 245         }
 246         return status;
 247 }
 248
 249 /**
 250  * Fill in credentials for a particular prinicpal, from the secrets database.
 251  *
 252  * @param cred Credentials structure to fill in
 253  * @retval NTSTATUS error detailing any failure
 254  */
 255 _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
 256                                                        struct tevent_context *event_ctx,
 257                                               struct loadparm_context *lp_ctx,
 258                                               const char *serviceprincipal)
 259 {
 260         NTSTATUS status;
 261         char *filter;
 262         char *error_string;
 263         /* Bleh, nasty recursion issues: We are setting a machine
 264          * account here, so we don't want the 'pending' flag around
 265          * any more */
 266         cred->machine_account_pending = false;
 267         filter = talloc_asprintf(cred, SECRETS_PRINCIPAL_SEARCH,
 268                                  cli_credentials_get_realm(cred),
 269                                  cli_credentials_get_domain(cred),
 270                                  serviceprincipal);
 271         status = cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL,
 272                                              SECRETS_PRINCIPALS_DN, filter,
 273                                              &error_string);
 274         if (!NT_STATUS_IS_OK(status)) {
 275                 DEBUG(1, ("Could not find %s principal in secrets database: %s: %s", serviceprincipal, nt_errstr(status), error_string));
 276         }
 277         return status;
 278 }
 279
 280 /**
 281  * Ask that when required, the credentials system will be filled with
 282  * machine trust account, from the secrets database.
 283  *
 284  * @param cred Credentials structure to fill in
 285  * @note This function is used to call the above function after, rather
 286  *       than during, popt processing.
 287  *
 288  */
 289 _PUBLIC_ void cli_credentials_set_machine_account_pending(struct cli_credentials *cred,
 290                                                  struct loadparm_context *lp_ctx)
 291 {
 292         cred->machine_account_pending = true;
 293         cred->machine_account_pending_lp_ctx = lp_ctx;
 294 }
 295
 296