auth: Allow a NULL principal to be obtained from the credentials
[ira/wip.git] / source4 / auth / gensec / gensec_krb5.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    Kerberos backend for GENSEC
5    
6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
7    Copyright (C) Andrew Tridgell 2001
8    Copyright (C) Luke Howard 2002-2003
9    Copyright (C) Stefan Metzmacher 2004-2005
10
11    This program is free software; you can redistribute it and/or modify
12    it under the terms of the GNU General Public License as published by
13    the Free Software Foundation; either version 3 of the License, or
14    (at your option) any later version.
15    
16    This program is distributed in the hope that it will be useful,
17    but WITHOUT ANY WARRANTY; without even the implied warranty of
18    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19    GNU General Public License for more details.
20
21    
22    You should have received a copy of the GNU General Public License
23    along with this program.  If not, see <http://www.gnu.org/licenses/>.
24 */
25
26 #include "includes.h"
27 #include "system/kerberos.h"
28 #include "auth/kerberos/kerberos.h"
29 #include "auth/auth.h"
30 #include "lib/socket/socket.h"
31 #include "lib/tsocket/tsocket.h"
32 #include "librpc/rpc/dcerpc.h"
33 #include "auth/credentials/credentials.h"
34 #include "auth/credentials/credentials_krb5.h"
35 #include "auth/kerberos/kerberos_credentials.h"
36 #include "auth/gensec/gensec.h"
37 #include "auth/gensec/gensec_proto.h"
38 #include "auth/gensec/gensec_toplevel_proto.h"
39 #include "param/param.h"
40 #include "auth/auth_sam_reply.h"
41 #include "lib/util/util_net.h"
42
43 _PUBLIC_ NTSTATUS gensec_krb5_init(void);
44
45 enum GENSEC_KRB5_STATE {
46         GENSEC_KRB5_SERVER_START,
47         GENSEC_KRB5_CLIENT_START,
48         GENSEC_KRB5_CLIENT_MUTUAL_AUTH,
49         GENSEC_KRB5_DONE
50 };
51
52 struct gensec_krb5_state {
53         enum GENSEC_KRB5_STATE state_position;
54         struct smb_krb5_context *smb_krb5_context;
55         krb5_auth_context auth_context;
56         krb5_data enc_ticket;
57         krb5_keyblock *keyblock;
58         krb5_ticket *ticket;
59         bool gssapi;
60         krb5_flags ap_req_options;
61 };
62
63 static int gensec_krb5_destroy(struct gensec_krb5_state *gensec_krb5_state)
64 {
65         if (!gensec_krb5_state->smb_krb5_context) {
66                 /* We can't clean anything else up unless we started up this far */
67                 return 0;
68         }
69         if (gensec_krb5_state->enc_ticket.length) { 
70                 kerberos_free_data_contents(gensec_krb5_state->smb_krb5_context->krb5_context, 
71                                             &gensec_krb5_state->enc_ticket); 
72         }
73
74         if (gensec_krb5_state->ticket) {
75                 krb5_free_ticket(gensec_krb5_state->smb_krb5_context->krb5_context, 
76                                  gensec_krb5_state->ticket);
77         }
78
79         /* ccache freed in a child destructor */
80
81         krb5_free_keyblock(gensec_krb5_state->smb_krb5_context->krb5_context, 
82                            gensec_krb5_state->keyblock);
83                 
84         if (gensec_krb5_state->auth_context) {
85                 krb5_auth_con_free(gensec_krb5_state->smb_krb5_context->krb5_context, 
86                                    gensec_krb5_state->auth_context);
87         }
88
89         return 0;
90 }
91
92 static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool gssapi)
93 {
94         krb5_error_code ret;
95         struct gensec_krb5_state *gensec_krb5_state;
96         struct cli_credentials *creds;
97         const struct tsocket_address *tlocal_addr, *tremote_addr;
98         krb5_address my_krb5_addr, peer_krb5_addr;
99         
100         creds = gensec_get_credentials(gensec_security);
101         if (!creds) {
102                 return NT_STATUS_INVALID_PARAMETER;
103         }
104
105         gensec_krb5_state = talloc(gensec_security, struct gensec_krb5_state);
106         if (!gensec_krb5_state) {
107                 return NT_STATUS_NO_MEMORY;
108         }
109
110         gensec_security->private_data = gensec_krb5_state;
111         gensec_krb5_state->smb_krb5_context = NULL;
112         gensec_krb5_state->auth_context = NULL;
113         gensec_krb5_state->ticket = NULL;
114         ZERO_STRUCT(gensec_krb5_state->enc_ticket);
115         gensec_krb5_state->keyblock = NULL;
116         gensec_krb5_state->gssapi = gssapi;
117
118         talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy); 
119
120         if (cli_credentials_get_krb5_context(creds, 
121                                              gensec_security->settings->lp_ctx, &gensec_krb5_state->smb_krb5_context)) {
122                 talloc_free(gensec_krb5_state);
123                 return NT_STATUS_INTERNAL_ERROR;
124         }
125
126         ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context);
127         if (ret) {
128                 DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n", 
129                          smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
130                                                     ret, gensec_krb5_state)));
131                 talloc_free(gensec_krb5_state);
132                 return NT_STATUS_INTERNAL_ERROR;
133         }
134
135         ret = krb5_auth_con_setflags(gensec_krb5_state->smb_krb5_context->krb5_context, 
136                                      gensec_krb5_state->auth_context,
137                                      KRB5_AUTH_CONTEXT_DO_SEQUENCE);
138         if (ret) {
139                 DEBUG(1,("gensec_krb5_start: krb5_auth_con_setflags failed (%s)\n", 
140                          smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
141                                                     ret, gensec_krb5_state)));
142                 talloc_free(gensec_krb5_state);
143                 return NT_STATUS_INTERNAL_ERROR;
144         }
145
146         tlocal_addr = gensec_get_local_address(gensec_security);
147         if (tlocal_addr) {
148                 ssize_t socklen;
149                 struct sockaddr_storage ss;
150
151                 socklen = tsocket_address_bsd_sockaddr(tlocal_addr,
152                                 (struct sockaddr *) &ss,
153                                 sizeof(struct sockaddr_storage));
154                 if (socklen < 0) {
155                         talloc_free(gensec_krb5_state);
156                         return NT_STATUS_INTERNAL_ERROR;
157                 }
158                 ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
159                                 (const struct sockaddr *) &ss, &my_krb5_addr);
160                 if (ret) {
161                         DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n", 
162                                  smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
163                                                             ret, gensec_krb5_state)));
164                         talloc_free(gensec_krb5_state);
165                         return NT_STATUS_INTERNAL_ERROR;
166                 }
167         }
168
169         tremote_addr = gensec_get_remote_address(gensec_security);
170         if (tremote_addr) {
171                 ssize_t socklen;
172                 struct sockaddr_storage ss;
173
174                 socklen = tsocket_address_bsd_sockaddr(tremote_addr,
175                                 (struct sockaddr *) &ss,
176                                 sizeof(struct sockaddr_storage));
177                 if (socklen < 0) {
178                         talloc_free(gensec_krb5_state);
179                         return NT_STATUS_INTERNAL_ERROR;
180                 }
181                 ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
182                                 (const struct sockaddr *) &ss, &peer_krb5_addr);
183                 if (ret) {
184                         DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n", 
185                                  smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
186                                                             ret, gensec_krb5_state)));
187                         talloc_free(gensec_krb5_state);
188                         return NT_STATUS_INTERNAL_ERROR;
189                 }
190         }
191
192         ret = krb5_auth_con_setaddrs(gensec_krb5_state->smb_krb5_context->krb5_context, 
193                                      gensec_krb5_state->auth_context,
194                                      tlocal_addr ? &my_krb5_addr : NULL,
195                                      tremote_addr ? &peer_krb5_addr : NULL);
196         if (ret) {
197                 DEBUG(1,("gensec_krb5_start: krb5_auth_con_setaddrs failed (%s)\n", 
198                          smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
199                                                     ret, gensec_krb5_state)));
200                 talloc_free(gensec_krb5_state);
201                 return NT_STATUS_INTERNAL_ERROR;
202         }
203
204         return NT_STATUS_OK;
205 }
206
207 static NTSTATUS gensec_krb5_common_server_start(struct gensec_security *gensec_security, bool gssapi)
208 {
209         NTSTATUS nt_status;
210         struct gensec_krb5_state *gensec_krb5_state;
211
212         nt_status = gensec_krb5_start(gensec_security, gssapi);
213         if (!NT_STATUS_IS_OK(nt_status)) {
214                 return nt_status;
215         }
216         
217         gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
218         gensec_krb5_state->state_position = GENSEC_KRB5_SERVER_START;
219
220         return NT_STATUS_OK;
221 }
222
223 static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security)
224 {
225         return gensec_krb5_common_server_start(gensec_security, false);
226 }
227
228 static NTSTATUS gensec_fake_gssapi_krb5_server_start(struct gensec_security *gensec_security)
229 {
230         return gensec_krb5_common_server_start(gensec_security, true);
231 }
232
233 static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_security, bool gssapi)
234 {
235         const char *hostname;
236         struct gensec_krb5_state *gensec_krb5_state;
237         NTSTATUS nt_status;
238         hostname = gensec_get_target_hostname(gensec_security);
239         if (!hostname) {
240                 DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
241                 return NT_STATUS_INVALID_PARAMETER;
242         }
243         if (is_ipaddress(hostname)) {
244                 DEBUG(2, ("Cannot do krb5 to an IP address"));
245                 return NT_STATUS_INVALID_PARAMETER;
246         }
247         if (strcmp(hostname, "localhost") == 0) {
248                 DEBUG(2, ("krb5 to 'localhost' does not make sense"));
249                 return NT_STATUS_INVALID_PARAMETER;
250         }
251                         
252         nt_status = gensec_krb5_start(gensec_security, gssapi);
253         if (!NT_STATUS_IS_OK(nt_status)) {
254                 return nt_status;
255         }
256
257         gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
258         gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
259         gensec_krb5_state->ap_req_options = AP_OPTS_USE_SUBKEY;
260
261         if (gensec_krb5_state->gssapi) {
262                 /* The Fake GSSAPI modal emulates Samba3, which does not do mutual authentication */
263                 if (gensec_setting_bool(gensec_security->settings, "gensec_fake_gssapi_krb5", "mutual", false)) {
264                         gensec_krb5_state->ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
265                 }
266         } else {
267                 /* The wrapping for KPASSWD (a user of the raw KRB5 API) should be mutually authenticated */
268                 if (gensec_setting_bool(gensec_security->settings, "gensec_krb5", "mutual", true)) {
269                         gensec_krb5_state->ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
270                 }
271         }
272         return NT_STATUS_OK;
273 }
274
275 static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_security,
276                                                 struct tevent_context *ev,
277                                                 bool gssapi)
278 {
279         struct gensec_krb5_state *gensec_krb5_state;
280         krb5_error_code ret;
281         struct ccache_container *ccache_container;
282         const char *error_string;
283         const char *principal;
284         const char *hostname;
285         krb5_data in_data;
286         struct tevent_context *previous_ev;
287
288         gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
289
290         principal = gensec_get_target_principal(gensec_security);
291         hostname = gensec_get_target_hostname(gensec_security);
292
293         ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security), 
294                                          ev,
295                                          gensec_security->settings->lp_ctx, &ccache_container, &error_string);
296         switch (ret) {
297         case 0:
298                 break;
299         case KRB5KDC_ERR_PREAUTH_FAILED:
300         case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
301                 return NT_STATUS_LOGON_FAILURE;
302         case KRB5_KDC_UNREACH:
303                 DEBUG(3, ("Cannot reach a KDC we require to contact %s: %s\n", principal, error_string));
304                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
305         case KRB5_CC_NOTFOUND:
306         case KRB5_CC_END:
307                 DEBUG(3, ("Error preparing credentials we require to contact %s : %s\n", principal, error_string));
308                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
309         default:
310                 DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials failed: %s\n", error_string));
311                 return NT_STATUS_UNSUCCESSFUL;
312         }
313         in_data.length = 0;
314         
315         /* Do this every time, in case we have weird recursive issues here */
316         ret = smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, ev, &previous_ev);
317         if (ret != 0) {
318                 DEBUG(1, ("gensec_krb5_start: Setting event context failed\n"));
319                 return NT_STATUS_NO_MEMORY;
320         }
321         if (principal) {
322                 krb5_principal target_principal;
323                 ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
324                                       &target_principal);
325                 if (ret == 0) {
326                         ret = krb5_mk_req_exact(gensec_krb5_state->smb_krb5_context->krb5_context, 
327                                                 &gensec_krb5_state->auth_context,
328                                                 gensec_krb5_state->ap_req_options, 
329                                                 target_principal,
330                                                 &in_data, ccache_container->ccache, 
331                                                 &gensec_krb5_state->enc_ticket);
332                         krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context, 
333                                             target_principal);
334                 }
335         } else {
336                 ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context, 
337                                   &gensec_krb5_state->auth_context,
338                                   gensec_krb5_state->ap_req_options,
339                                   gensec_get_target_service(gensec_security),
340                                   hostname,
341                                   &in_data, ccache_container->ccache, 
342                                   &gensec_krb5_state->enc_ticket);
343         }
344
345         smb_krb5_context_remove_event_ctx(gensec_krb5_state->smb_krb5_context, previous_ev, ev);
346
347         switch (ret) {
348         case 0:
349                 return NT_STATUS_OK;
350         case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
351                 DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n", 
352                           hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
353                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
354         case KRB5_KDC_UNREACH:
355                 DEBUG(3, ("Cannot reach a KDC we require to contact host [%s]: %s\n",
356                           hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
357                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
358         case KRB5KDC_ERR_PREAUTH_FAILED:
359         case KRB5KRB_AP_ERR_TKT_EXPIRED:
360         case KRB5_CC_END:
361                 /* Too much clock skew - we will need to kinit to re-skew the clock */
362         case KRB5KRB_AP_ERR_SKEW:
363         case KRB5_KDCREP_SKEW:
364         {
365                 DEBUG(3, ("kerberos (mk_req) failed: %s\n", 
366                           smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
367                 /*fall through*/
368         }
369         
370         /* just don't print a message for these really ordinary messages */
371         case KRB5_FCC_NOFILE:
372         case KRB5_CC_NOTFOUND:
373         case ENOENT:
374                 
375                 return NT_STATUS_UNSUCCESSFUL;
376                 break;
377                 
378         default:
379                 DEBUG(0, ("kerberos: %s\n", 
380                           smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
381                 return NT_STATUS_UNSUCCESSFUL;
382         }
383 }
384
385 static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security)
386 {
387         return gensec_krb5_common_client_start(gensec_security, false);
388 }
389
390 static NTSTATUS gensec_fake_gssapi_krb5_client_start(struct gensec_security *gensec_security)
391 {
392         return gensec_krb5_common_client_start(gensec_security, true);
393 }
394
395 /**
396  * Check if the packet is one for this mechansim
397  * 
398  * @param gensec_security GENSEC state
399  * @param in The request, as a DATA_BLOB
400  * @return Error, INVALID_PARAMETER if it's not a packet for us
401  *                or NT_STATUS_OK if the packet is ok. 
402  */
403
404 static NTSTATUS gensec_fake_gssapi_krb5_magic(struct gensec_security *gensec_security, 
405                                   const DATA_BLOB *in) 
406 {
407         if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) {
408                 return NT_STATUS_OK;
409         } else {
410                 return NT_STATUS_INVALID_PARAMETER;
411         }
412 }
413
414
415 /**
416  * Next state function for the Krb5 GENSEC mechanism
417  * 
418  * @param gensec_krb5_state KRB5 State
419  * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
420  * @param in The request, as a DATA_BLOB
421  * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
422  * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent, 
423  *                or NT_STATUS_OK if the user is authenticated. 
424  */
425
426 static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, 
427                                    TALLOC_CTX *out_mem_ctx, 
428                                    struct tevent_context *ev,
429                                    const DATA_BLOB in, DATA_BLOB *out) 
430 {
431         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
432         krb5_error_code ret = 0;
433         NTSTATUS nt_status;
434
435         switch (gensec_krb5_state->state_position) {
436         case GENSEC_KRB5_CLIENT_START:
437         {
438                 DATA_BLOB unwrapped_out;
439                 
440                 nt_status = gensec_krb5_common_client_creds(gensec_security, ev, gensec_krb5_state->gssapi);
441                 if (!NT_STATUS_IS_OK(nt_status)) {
442                         return nt_status;
443                 }
444
445                 if (gensec_krb5_state->gssapi) {
446                         unwrapped_out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length);
447                         
448                         /* wrap that up in a nice GSS-API wrapping */
449                         *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REQ);
450                 } else {
451                         *out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length);
452                 }
453                 if (gensec_krb5_state->ap_req_options & AP_OPTS_MUTUAL_REQUIRED) {
454                         gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH;
455                         nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
456                 } else {
457                         gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
458                         nt_status = NT_STATUS_OK;
459                 }
460                 return nt_status;
461         }
462                 
463         case GENSEC_KRB5_CLIENT_MUTUAL_AUTH:
464         {
465                 DATA_BLOB unwrapped_in;
466                 krb5_data inbuf;
467                 krb5_ap_rep_enc_part *repl = NULL;
468                 uint8_t tok_id[2];
469
470                 if (gensec_krb5_state->gssapi) {
471                         if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
472                                 DEBUG(1,("gensec_gssapi_parse_krb5_wrap(mutual authentication) failed to parse\n"));
473                                 dump_data_pw("Mutual authentication message:\n", in.data, in.length);
474                                 return NT_STATUS_INVALID_PARAMETER;
475                         }
476                 } else {
477                         unwrapped_in = in;
478                 }
479                 /* TODO: check the tok_id */
480
481                 inbuf.data = unwrapped_in.data;
482                 inbuf.length = unwrapped_in.length;
483                 ret = krb5_rd_rep(gensec_krb5_state->smb_krb5_context->krb5_context, 
484                                   gensec_krb5_state->auth_context,
485                                   &inbuf, &repl);
486                 if (ret) {
487                         DEBUG(1,("krb5_rd_rep (mutual authentication) failed (%s)\n",
488                                  smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, out_mem_ctx)));
489                         dump_data_pw("Mutual authentication message:\n", (uint8_t *)inbuf.data, inbuf.length);
490                         nt_status = NT_STATUS_ACCESS_DENIED;
491                 } else {
492                         *out = data_blob(NULL, 0);
493                         nt_status = NT_STATUS_OK;
494                         gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
495                 }
496                 if (repl) {
497                         krb5_free_ap_rep_enc_part(gensec_krb5_state->smb_krb5_context->krb5_context, repl);
498                 }
499                 return nt_status;
500         }
501
502         case GENSEC_KRB5_SERVER_START:
503         {
504                 DATA_BLOB unwrapped_in;
505                 DATA_BLOB unwrapped_out = data_blob(NULL, 0);
506                 krb5_data inbuf, outbuf;
507                 uint8_t tok_id[2];
508                 struct keytab_container *keytab;
509                 krb5_principal server_in_keytab;
510                 const char *error_string;
511                 enum credentials_obtained obtained;
512
513                 if (!in.data) {
514                         return NT_STATUS_INVALID_PARAMETER;
515                 }       
516
517                 /* Grab the keytab, however generated */
518                 ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security), 
519                                                  gensec_security->settings->lp_ctx, &keytab);
520                 if (ret) {
521                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
522                 }
523                 
524                 /* This ensures we lookup the correct entry in that
525                  * keytab.  A NULL principal is acceptable, and means
526                  * that the krb5 libs should search the keytab at
527                  * accept time for any matching key */
528                 ret = principal_from_credentials(out_mem_ctx, gensec_get_credentials(gensec_security), 
529                                                  gensec_krb5_state->smb_krb5_context, 
530                                                  &server_in_keytab, &obtained, &error_string);
531
532                 if (ret) {
533                         DEBUG(2,("Failed to make credentials from principal: %s\n", error_string));
534                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
535                 }
536
537                 /* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
538                 if (gensec_krb5_state->gssapi
539                     && gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
540                         inbuf.data = unwrapped_in.data;
541                         inbuf.length = unwrapped_in.length;
542                 } else {
543                         inbuf.data = in.data;
544                         inbuf.length = in.length;
545                 }
546
547                 ret = smb_rd_req_return_stuff(gensec_krb5_state->smb_krb5_context->krb5_context,
548                                               &gensec_krb5_state->auth_context, 
549                                               &inbuf, keytab->keytab, server_in_keytab,  
550                                               &outbuf, 
551                                               &gensec_krb5_state->ticket, 
552                                               &gensec_krb5_state->keyblock);
553
554                 if (ret) {
555                         return NT_STATUS_LOGON_FAILURE;
556                 }
557                 unwrapped_out.data = (uint8_t *)outbuf.data;
558                 unwrapped_out.length = outbuf.length;
559                 gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
560                 /* wrap that up in a nice GSS-API wrapping */
561                 if (gensec_krb5_state->gssapi) {
562                         *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
563                 } else {
564                         *out = data_blob_talloc(out_mem_ctx, outbuf.data, outbuf.length);
565                 }
566                 krb5_data_free(&outbuf);
567                 return NT_STATUS_OK;
568         }
569
570         case GENSEC_KRB5_DONE:
571         default:
572                 /* Asking too many times... */
573                 return NT_STATUS_INVALID_PARAMETER;
574         }
575 }
576
577 static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security, 
578                                         TALLOC_CTX *mem_ctx,
579                                         DATA_BLOB *session_key) 
580 {
581         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
582         krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
583         krb5_auth_context auth_context = gensec_krb5_state->auth_context;
584         krb5_keyblock *skey;
585         krb5_error_code err = -1;
586
587         if (gensec_krb5_state->state_position != GENSEC_KRB5_DONE) {
588                 return NT_STATUS_NO_USER_SESSION_KEY;
589         }
590
591         switch (gensec_security->gensec_role) {
592         case GENSEC_CLIENT:
593                 err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
594                 break;
595         case GENSEC_SERVER:
596                 err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
597                 break;
598         }
599         if (err == 0 && skey != NULL) {
600                 DEBUG(10, ("Got KRB5 session key of length %d\n",  
601                            (int)KRB5_KEY_LENGTH(skey)));
602                 *session_key = data_blob_talloc(mem_ctx,
603                                                KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
604                 dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
605
606                 krb5_free_keyblock(context, skey);
607                 return NT_STATUS_OK;
608         } else {
609                 DEBUG(10, ("KRB5 error getting session key %d\n", err));
610                 return NT_STATUS_NO_USER_SESSION_KEY;
611         }
612 }
613
614 static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security,
615                                          TALLOC_CTX *mem_ctx_out,
616                                          struct auth_session_info **_session_info) 
617 {
618         NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
619         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
620         krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
621         struct auth_user_info_dc *user_info_dc = NULL;
622         struct auth_session_info *session_info = NULL;
623         struct PAC_LOGON_INFO *logon_info;
624
625         krb5_principal client_principal;
626         char *principal_string;
627         
628         DATA_BLOB pac;
629         krb5_data pac_data;
630
631         krb5_error_code ret;
632
633         TALLOC_CTX *mem_ctx = talloc_new(mem_ctx_out);
634         if (!mem_ctx) {
635                 return NT_STATUS_NO_MEMORY;
636         }
637         
638         ret = krb5_ticket_get_client(context, gensec_krb5_state->ticket, &client_principal);
639         if (ret) {
640                 DEBUG(5, ("krb5_ticket_get_client failed to get cleint principal: %s\n", 
641                           smb_get_krb5_error_message(context, 
642                                                      ret, mem_ctx)));
643                 talloc_free(mem_ctx);
644                 return NT_STATUS_NO_MEMORY;
645         }
646         
647         ret = krb5_unparse_name(gensec_krb5_state->smb_krb5_context->krb5_context, 
648                                 client_principal, &principal_string);
649         if (ret) {
650                 DEBUG(1, ("Unable to parse client principal: %s\n",
651                           smb_get_krb5_error_message(context, 
652                                                      ret, mem_ctx)));
653                 krb5_free_principal(context, client_principal);
654                 talloc_free(mem_ctx);
655                 return NT_STATUS_NO_MEMORY;
656         }
657
658         ret = krb5_ticket_get_authorization_data_type(context, gensec_krb5_state->ticket, 
659                                                       KRB5_AUTHDATA_WIN2K_PAC, 
660                                                       &pac_data);
661         
662         if (ret && gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
663                 DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s \n",
664                           principal_string,
665                           smb_get_krb5_error_message(context, 
666                                                      ret, mem_ctx)));
667                 free(principal_string);
668                 krb5_free_principal(context, client_principal);
669                 talloc_free(mem_ctx);
670                 return NT_STATUS_ACCESS_DENIED;
671         } else if (ret) {
672                 /* NO pac */
673                 DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n", 
674                           smb_get_krb5_error_message(context, 
675                                                      ret, mem_ctx)));
676                 if (gensec_security->auth_context && 
677                     !gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
678                         DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup: %s",
679                                   principal_string, smb_get_krb5_error_message(context, 
680                                                      ret, mem_ctx)));
681                         nt_status = gensec_security->auth_context->get_user_info_dc_principal(mem_ctx,
682                                                                                              gensec_security->auth_context, 
683                                                                                              principal_string,
684                                                                                              NULL, &user_info_dc);
685                         if (!NT_STATUS_IS_OK(nt_status)) {
686                                 free(principal_string);
687                                 krb5_free_principal(context, client_principal);
688                                 talloc_free(mem_ctx);
689                                 return nt_status;
690                         }
691                 } else {
692                         DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
693                                   principal_string));
694                         free(principal_string);
695                         krb5_free_principal(context, client_principal);
696                         talloc_free(mem_ctx);
697                         return NT_STATUS_ACCESS_DENIED;
698                 }
699         } else {
700                 /* Found pac */
701                 union netr_Validation validation;
702
703                 pac = data_blob_talloc(mem_ctx, pac_data.data, pac_data.length);
704                 if (!pac.data) {
705                         free(principal_string);
706                         krb5_free_principal(context, client_principal);
707                         talloc_free(mem_ctx);
708                         return NT_STATUS_NO_MEMORY;
709                 }
710
711                 /* decode and verify the pac */
712                 nt_status = kerberos_pac_logon_info(gensec_krb5_state, 
713                                                     pac,
714                                                     gensec_krb5_state->smb_krb5_context->krb5_context,
715                                                     NULL, gensec_krb5_state->keyblock,
716                                                     client_principal,
717                                                     gensec_krb5_state->ticket->ticket.authtime, &logon_info);
718
719                 if (!NT_STATUS_IS_OK(nt_status)) {
720                         free(principal_string);
721                         krb5_free_principal(context, client_principal);
722                         talloc_free(mem_ctx);
723                         return nt_status;
724                 }
725
726                 validation.sam3 = &logon_info->info3;
727                 nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
728                                                                  NULL,
729                                                                  3, &validation,
730                                                                   true, /* This user was authenticated */
731                                                                  &user_info_dc);
732                 if (!NT_STATUS_IS_OK(nt_status)) {
733                         free(principal_string);
734                         krb5_free_principal(context, client_principal);
735                         talloc_free(mem_ctx);
736                         return nt_status;
737                 }
738         }
739
740         free(principal_string);
741         krb5_free_principal(context, client_principal);
742
743         /* references the user_info_dc into the session_info */
744         nt_status = gensec_generate_session_info(mem_ctx, gensec_security, user_info_dc, &session_info);
745
746         if (!NT_STATUS_IS_OK(nt_status)) {
747                 talloc_free(mem_ctx);
748                 return nt_status;
749         }
750
751         nt_status = gensec_krb5_session_key(gensec_security, session_info, &session_info->session_key);
752
753         if (!NT_STATUS_IS_OK(nt_status)) {
754                 talloc_free(mem_ctx);
755                 return nt_status;
756         }
757
758         *_session_info = talloc_steal(mem_ctx_out, session_info);
759
760         talloc_free(mem_ctx);
761         return NT_STATUS_OK;
762 }
763
764 static NTSTATUS gensec_krb5_wrap(struct gensec_security *gensec_security, 
765                                    TALLOC_CTX *mem_ctx, 
766                                    const DATA_BLOB *in, 
767                                    DATA_BLOB *out)
768 {
769         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
770         krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
771         krb5_auth_context auth_context = gensec_krb5_state->auth_context;
772         krb5_error_code ret;
773         krb5_data input, output;
774         input.length = in->length;
775         input.data = in->data;
776         
777         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
778                 ret = krb5_mk_priv(context, auth_context, &input, &output, NULL);
779                 if (ret) {
780                         DEBUG(1, ("krb5_mk_priv failed: %s\n", 
781                                   smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
782                                                              ret, mem_ctx)));
783                         return NT_STATUS_ACCESS_DENIED;
784                 }
785                 *out = data_blob_talloc(mem_ctx, output.data, output.length);
786                 
787                 krb5_data_free(&output);
788         } else {
789                 return NT_STATUS_ACCESS_DENIED;
790         }
791         return NT_STATUS_OK;
792 }
793
794 static NTSTATUS gensec_krb5_unwrap(struct gensec_security *gensec_security, 
795                                      TALLOC_CTX *mem_ctx, 
796                                      const DATA_BLOB *in, 
797                                      DATA_BLOB *out)
798 {
799         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
800         krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
801         krb5_auth_context auth_context = gensec_krb5_state->auth_context;
802         krb5_error_code ret;
803         krb5_data input, output;
804         krb5_replay_data replay;
805         input.length = in->length;
806         input.data = in->data;
807         
808         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
809                 ret = krb5_rd_priv(context, auth_context, &input, &output, &replay);
810                 if (ret) {
811                         DEBUG(1, ("krb5_rd_priv failed: %s\n", 
812                                   smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
813                                                              ret, mem_ctx)));
814                         return NT_STATUS_ACCESS_DENIED;
815                 }
816                 *out = data_blob_talloc(mem_ctx, output.data, output.length);
817                 
818                 krb5_data_free(&output);
819         } else {
820                 return NT_STATUS_ACCESS_DENIED;
821         }
822         return NT_STATUS_OK;
823 }
824
825 static bool gensec_krb5_have_feature(struct gensec_security *gensec_security,
826                                      uint32_t feature)
827 {
828         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
829         if (feature & GENSEC_FEATURE_SESSION_KEY) {
830                 return true;
831         } 
832         if (!gensec_krb5_state->gssapi && 
833             (feature & GENSEC_FEATURE_SEAL)) {
834                 return true;
835         } 
836         
837         return false;
838 }
839
840 static const char *gensec_krb5_oids[] = { 
841         GENSEC_OID_KERBEROS5,
842         GENSEC_OID_KERBEROS5_OLD,
843         NULL 
844 };
845
846 static const struct gensec_security_ops gensec_fake_gssapi_krb5_security_ops = {
847         .name           = "fake_gssapi_krb5",
848         .auth_type      = DCERPC_AUTH_TYPE_KRB5,
849         .oid            = gensec_krb5_oids,
850         .client_start   = gensec_fake_gssapi_krb5_client_start,
851         .server_start   = gensec_fake_gssapi_krb5_server_start,
852         .update         = gensec_krb5_update,
853         .magic          = gensec_fake_gssapi_krb5_magic,
854         .session_key    = gensec_krb5_session_key,
855         .session_info   = gensec_krb5_session_info,
856         .have_feature   = gensec_krb5_have_feature,
857         .enabled        = false,
858         .kerberos       = true,
859         .priority       = GENSEC_KRB5
860 };
861
862 static const struct gensec_security_ops gensec_krb5_security_ops = {
863         .name           = "krb5",
864         .client_start   = gensec_krb5_client_start,
865         .server_start   = gensec_krb5_server_start,
866         .update         = gensec_krb5_update,
867         .session_key    = gensec_krb5_session_key,
868         .session_info   = gensec_krb5_session_info,
869         .have_feature   = gensec_krb5_have_feature,
870         .wrap           = gensec_krb5_wrap,
871         .unwrap         = gensec_krb5_unwrap,
872         .enabled        = true,
873         .kerberos       = true,
874         .priority       = GENSEC_KRB5
875 };
876
877 _PUBLIC_ NTSTATUS gensec_krb5_init(void)
878 {
879         NTSTATUS ret;
880
881         ret = gensec_register(&gensec_krb5_security_ops);
882         if (!NT_STATUS_IS_OK(ret)) {
883                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
884                         gensec_krb5_security_ops.name));
885                 return ret;
886         }
887
888         ret = gensec_register(&gensec_fake_gssapi_krb5_security_ops);
889         if (!NT_STATUS_IS_OK(ret)) {
890                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
891                         gensec_krb5_security_ops.name));
892                 return ret;
893         }
894
895         return ret;
896 }