s4: ran minimal_includes.pl on source4/auth/gensec
[ira/wip.git] / source4 / auth / gensec / gensec_krb5.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    Kerberos backend for GENSEC
5    
6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
7    Copyright (C) Andrew Tridgell 2001
8    Copyright (C) Luke Howard 2002-2003
9    Copyright (C) Stefan Metzmacher 2004-2005
10
11    This program is free software; you can redistribute it and/or modify
12    it under the terms of the GNU General Public License as published by
13    the Free Software Foundation; either version 3 of the License, or
14    (at your option) any later version.
15    
16    This program is distributed in the hope that it will be useful,
17    but WITHOUT ANY WARRANTY; without even the implied warranty of
18    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19    GNU General Public License for more details.
20
21    
22    You should have received a copy of the GNU General Public License
23    along with this program.  If not, see <http://www.gnu.org/licenses/>.
24 */
25
26 #include "includes.h"
27 #include "system/kerberos.h"
28 #include "auth/kerberos/kerberos.h"
29 #include "auth/auth.h"
30 #include "lib/socket/socket.h"
31 #include "librpc/rpc/dcerpc.h"
32 #include "auth/credentials/credentials.h"
33 #include "auth/gensec/gensec.h"
34 #include "auth/gensec/gensec_proto.h"
35 #include "param/param.h"
36 #include "auth/auth_sam_reply.h"
37
38 enum GENSEC_KRB5_STATE {
39         GENSEC_KRB5_SERVER_START,
40         GENSEC_KRB5_CLIENT_START,
41         GENSEC_KRB5_CLIENT_MUTUAL_AUTH,
42         GENSEC_KRB5_DONE
43 };
44
45 struct gensec_krb5_state {
46         DATA_BLOB session_key;
47         DATA_BLOB pac;
48         enum GENSEC_KRB5_STATE state_position;
49         struct smb_krb5_context *smb_krb5_context;
50         krb5_auth_context auth_context;
51         krb5_data enc_ticket;
52         krb5_keyblock *keyblock;
53         krb5_ticket *ticket;
54         bool gssapi;
55         krb5_flags ap_req_options;
56 };
57
58 static int gensec_krb5_destroy(struct gensec_krb5_state *gensec_krb5_state)
59 {
60         if (!gensec_krb5_state->smb_krb5_context) {
61                 /* We can't clean anything else up unless we started up this far */
62                 return 0;
63         }
64         if (gensec_krb5_state->enc_ticket.length) { 
65                 kerberos_free_data_contents(gensec_krb5_state->smb_krb5_context->krb5_context, 
66                                             &gensec_krb5_state->enc_ticket); 
67         }
68
69         if (gensec_krb5_state->ticket) {
70                 krb5_free_ticket(gensec_krb5_state->smb_krb5_context->krb5_context, 
71                                  gensec_krb5_state->ticket);
72         }
73
74         /* ccache freed in a child destructor */
75
76         krb5_free_keyblock(gensec_krb5_state->smb_krb5_context->krb5_context, 
77                            gensec_krb5_state->keyblock);
78                 
79         if (gensec_krb5_state->auth_context) {
80                 krb5_auth_con_free(gensec_krb5_state->smb_krb5_context->krb5_context, 
81                                    gensec_krb5_state->auth_context);
82         }
83
84         return 0;
85 }
86
87 static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool gssapi)
88 {
89         krb5_error_code ret;
90         struct gensec_krb5_state *gensec_krb5_state;
91         struct cli_credentials *creds;
92         const struct socket_address *my_addr, *peer_addr;
93         krb5_address my_krb5_addr, peer_krb5_addr;
94         
95         creds = gensec_get_credentials(gensec_security);
96         if (!creds) {
97                 return NT_STATUS_INVALID_PARAMETER;
98         }
99
100         gensec_krb5_state = talloc(gensec_security, struct gensec_krb5_state);
101         if (!gensec_krb5_state) {
102                 return NT_STATUS_NO_MEMORY;
103         }
104
105         gensec_security->private_data = gensec_krb5_state;
106         gensec_krb5_state->smb_krb5_context = NULL;
107         gensec_krb5_state->auth_context = NULL;
108         gensec_krb5_state->ticket = NULL;
109         ZERO_STRUCT(gensec_krb5_state->enc_ticket);
110         gensec_krb5_state->keyblock = NULL;
111         gensec_krb5_state->session_key = data_blob(NULL, 0);
112         gensec_krb5_state->pac = data_blob(NULL, 0);
113         gensec_krb5_state->gssapi = gssapi;
114
115         talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy); 
116
117         if (cli_credentials_get_krb5_context(creds, 
118                                              gensec_security->event_ctx, 
119                                              gensec_security->settings->lp_ctx, &gensec_krb5_state->smb_krb5_context)) {
120                 talloc_free(gensec_krb5_state);
121                 return NT_STATUS_INTERNAL_ERROR;
122         }
123
124         ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context);
125         if (ret) {
126                 DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n", 
127                          smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
128                                                     ret, gensec_krb5_state)));
129                 talloc_free(gensec_krb5_state);
130                 return NT_STATUS_INTERNAL_ERROR;
131         }
132
133         ret = krb5_auth_con_setflags(gensec_krb5_state->smb_krb5_context->krb5_context, 
134                                      gensec_krb5_state->auth_context,
135                                      KRB5_AUTH_CONTEXT_DO_SEQUENCE);
136         if (ret) {
137                 DEBUG(1,("gensec_krb5_start: krb5_auth_con_setflags failed (%s)\n", 
138                          smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
139                                                     ret, gensec_krb5_state)));
140                 talloc_free(gensec_krb5_state);
141                 return NT_STATUS_INTERNAL_ERROR;
142         }
143
144         my_addr = gensec_get_my_addr(gensec_security);
145         if (my_addr && my_addr->sockaddr) {
146                 ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context, 
147                                             my_addr->sockaddr, &my_krb5_addr);
148                 if (ret) {
149                         DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n", 
150                                  smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
151                                                             ret, gensec_krb5_state)));
152                         talloc_free(gensec_krb5_state);
153                         return NT_STATUS_INTERNAL_ERROR;
154                 }
155         }
156
157         peer_addr = gensec_get_peer_addr(gensec_security);
158         if (peer_addr && peer_addr->sockaddr) {
159                 ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context, 
160                                             peer_addr->sockaddr, &peer_krb5_addr);
161                 if (ret) {
162                         DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n", 
163                                  smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
164                                                             ret, gensec_krb5_state)));
165                         talloc_free(gensec_krb5_state);
166                         return NT_STATUS_INTERNAL_ERROR;
167                 }
168         }
169
170         ret = krb5_auth_con_setaddrs(gensec_krb5_state->smb_krb5_context->krb5_context, 
171                                      gensec_krb5_state->auth_context,
172                                      my_addr ? &my_krb5_addr : NULL, 
173                                      peer_addr ? &peer_krb5_addr : NULL);
174         if (ret) {
175                 DEBUG(1,("gensec_krb5_start: krb5_auth_con_setaddrs failed (%s)\n", 
176                          smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
177                                                     ret, gensec_krb5_state)));
178                 talloc_free(gensec_krb5_state);
179                 return NT_STATUS_INTERNAL_ERROR;
180         }
181
182         return NT_STATUS_OK;
183 }
184
185 static NTSTATUS gensec_krb5_common_server_start(struct gensec_security *gensec_security, bool gssapi)
186 {
187         NTSTATUS nt_status;
188         struct gensec_krb5_state *gensec_krb5_state;
189
190         nt_status = gensec_krb5_start(gensec_security, gssapi);
191         if (!NT_STATUS_IS_OK(nt_status)) {
192                 return nt_status;
193         }
194         
195         gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
196         gensec_krb5_state->state_position = GENSEC_KRB5_SERVER_START;
197
198         return NT_STATUS_OK;
199 }
200
201 static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security)
202 {
203         return gensec_krb5_common_server_start(gensec_security, false);
204 }
205
206 static NTSTATUS gensec_fake_gssapi_krb5_server_start(struct gensec_security *gensec_security)
207 {
208         return gensec_krb5_common_server_start(gensec_security, true);
209 }
210
211 static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_security, bool gssapi)
212 {
213         struct gensec_krb5_state *gensec_krb5_state;
214         krb5_error_code ret;
215         NTSTATUS nt_status;
216         struct ccache_container *ccache_container;
217         const char *hostname;
218
219         const char *principal;
220         krb5_data in_data;
221
222         hostname = gensec_get_target_hostname(gensec_security);
223         if (!hostname) {
224                 DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
225                 return NT_STATUS_INVALID_PARAMETER;
226         }
227         if (is_ipaddress(hostname)) {
228                 DEBUG(2, ("Cannot do krb5 to an IP address"));
229                 return NT_STATUS_INVALID_PARAMETER;
230         }
231         if (strcmp(hostname, "localhost") == 0) {
232                 DEBUG(2, ("krb5 to 'localhost' does not make sense"));
233                 return NT_STATUS_INVALID_PARAMETER;
234         }
235                         
236         nt_status = gensec_krb5_start(gensec_security, gssapi);
237         if (!NT_STATUS_IS_OK(nt_status)) {
238                 return nt_status;
239         }
240
241         gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
242         gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
243         gensec_krb5_state->ap_req_options = AP_OPTS_USE_SUBKEY;
244
245         if (gensec_krb5_state->gssapi) {
246                 /* The Fake GSSAPI modal emulates Samba3, which does not do mutual authentication */
247                 if (gensec_setting_bool(gensec_security->settings, "gensec_fake_gssapi_krb5", "mutual", false)) {
248                         gensec_krb5_state->ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
249                 }
250         } else {
251                 /* The wrapping for KPASSWD (a user of the raw KRB5 API) should be mutually authenticated */
252                 if (gensec_setting_bool(gensec_security->settings, "gensec_krb5", "mutual", true)) {
253                         gensec_krb5_state->ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
254                 }
255         }
256
257         principal = gensec_get_target_principal(gensec_security);
258
259         ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security), 
260                                          gensec_security->event_ctx, 
261                                          gensec_security->settings->lp_ctx, &ccache_container);
262         switch (ret) {
263         case 0:
264                 break;
265         case KRB5KDC_ERR_PREAUTH_FAILED:
266                 return NT_STATUS_LOGON_FAILURE;
267         case KRB5_KDC_UNREACH:
268                 DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal));
269                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
270         default:
271                 DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials failed: %s\n", error_message(ret)));
272                 return NT_STATUS_UNSUCCESSFUL;
273         }
274         in_data.length = 0;
275         
276         if (principal && lp_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
277                 krb5_principal target_principal;
278                 ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
279                                       &target_principal);
280                 if (ret == 0) {
281                         ret = krb5_mk_req_exact(gensec_krb5_state->smb_krb5_context->krb5_context, 
282                                                 &gensec_krb5_state->auth_context,
283                                                 gensec_krb5_state->ap_req_options, 
284                                                 target_principal,
285                                                 &in_data, ccache_container->ccache, 
286                                                 &gensec_krb5_state->enc_ticket);
287                         krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context, 
288                                             target_principal);
289                 }
290         } else {
291                 ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context, 
292                                   &gensec_krb5_state->auth_context,
293                                   gensec_krb5_state->ap_req_options,
294                                   gensec_get_target_service(gensec_security),
295                                   hostname,
296                                   &in_data, ccache_container->ccache, 
297                                   &gensec_krb5_state->enc_ticket);
298         }
299         switch (ret) {
300         case 0:
301                 return NT_STATUS_OK;
302         case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
303                 DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n", 
304                           hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
305                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
306         case KRB5_KDC_UNREACH:
307                 DEBUG(3, ("Cannot reach a KDC we require to contact host [%s]: %s\n",
308                           hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
309                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
310         case KRB5KDC_ERR_PREAUTH_FAILED:
311         case KRB5KRB_AP_ERR_TKT_EXPIRED:
312         case KRB5_CC_END:
313                 /* Too much clock skew - we will need to kinit to re-skew the clock */
314         case KRB5KRB_AP_ERR_SKEW:
315         case KRB5_KDCREP_SKEW:
316         {
317                 DEBUG(3, ("kerberos (mk_req) failed: %s\n", 
318                           smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
319                 /*fall through*/
320         }
321         
322         /* just don't print a message for these really ordinary messages */
323         case KRB5_FCC_NOFILE:
324         case KRB5_CC_NOTFOUND:
325         case ENOENT:
326                 
327                 return NT_STATUS_UNSUCCESSFUL;
328                 break;
329                 
330         default:
331                 DEBUG(0, ("kerberos: %s\n", 
332                           smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
333                 return NT_STATUS_UNSUCCESSFUL;
334         }
335 }
336
337 static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security)
338 {
339         return gensec_krb5_common_client_start(gensec_security, false);
340 }
341
342 static NTSTATUS gensec_fake_gssapi_krb5_client_start(struct gensec_security *gensec_security)
343 {
344         return gensec_krb5_common_client_start(gensec_security, true);
345 }
346
347 /**
348  * Check if the packet is one for this mechansim
349  * 
350  * @param gensec_security GENSEC state
351  * @param in The request, as a DATA_BLOB
352  * @return Error, INVALID_PARAMETER if it's not a packet for us
353  *                or NT_STATUS_OK if the packet is ok. 
354  */
355
356 static NTSTATUS gensec_fake_gssapi_krb5_magic(struct gensec_security *gensec_security, 
357                                   const DATA_BLOB *in) 
358 {
359         if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) {
360                 return NT_STATUS_OK;
361         } else {
362                 return NT_STATUS_INVALID_PARAMETER;
363         }
364 }
365
366
367 /**
368  * Next state function for the Krb5 GENSEC mechanism
369  * 
370  * @param gensec_krb5_state KRB5 State
371  * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
372  * @param in The request, as a DATA_BLOB
373  * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
374  * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent, 
375  *                or NT_STATUS_OK if the user is authenticated. 
376  */
377
378 static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, 
379                                    TALLOC_CTX *out_mem_ctx, 
380                                    const DATA_BLOB in, DATA_BLOB *out) 
381 {
382         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
383         krb5_error_code ret = 0;
384         NTSTATUS nt_status;
385
386         switch (gensec_krb5_state->state_position) {
387         case GENSEC_KRB5_CLIENT_START:
388         {
389                 DATA_BLOB unwrapped_out;
390                 
391                 if (gensec_krb5_state->gssapi) {
392                         unwrapped_out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length);
393                         
394                         /* wrap that up in a nice GSS-API wrapping */
395                         *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REQ);
396                 } else {
397                         *out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length);
398                 }
399                 if (gensec_krb5_state->ap_req_options & AP_OPTS_MUTUAL_REQUIRED) {
400                         gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH;
401                         nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
402                 } else {
403                         gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
404                         nt_status = NT_STATUS_OK;
405                 }
406                 return nt_status;
407         }
408                 
409         case GENSEC_KRB5_CLIENT_MUTUAL_AUTH:
410         {
411                 DATA_BLOB unwrapped_in;
412                 krb5_data inbuf;
413                 krb5_ap_rep_enc_part *repl = NULL;
414                 uint8_t tok_id[2];
415
416                 if (gensec_krb5_state->gssapi) {
417                         if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
418                                 DEBUG(1,("gensec_gssapi_parse_krb5_wrap(mutual authentication) failed to parse\n"));
419                                 dump_data_pw("Mutual authentication message:\n", in.data, in.length);
420                                 return NT_STATUS_INVALID_PARAMETER;
421                         }
422                 } else {
423                         unwrapped_in = in;
424                 }
425                 /* TODO: check the tok_id */
426
427                 inbuf.data = unwrapped_in.data;
428                 inbuf.length = unwrapped_in.length;
429                 ret = krb5_rd_rep(gensec_krb5_state->smb_krb5_context->krb5_context, 
430                                   gensec_krb5_state->auth_context,
431                                   &inbuf, &repl);
432                 if (ret) {
433                         DEBUG(1,("krb5_rd_rep (mutual authentication) failed (%s)\n",
434                                  smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, out_mem_ctx)));
435                         dump_data_pw("Mutual authentication message:\n", (uint8_t *)inbuf.data, inbuf.length);
436                         nt_status = NT_STATUS_ACCESS_DENIED;
437                 } else {
438                         *out = data_blob(NULL, 0);
439                         nt_status = NT_STATUS_OK;
440                         gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
441                 }
442                 if (repl) {
443                         krb5_free_ap_rep_enc_part(gensec_krb5_state->smb_krb5_context->krb5_context, repl);
444                 }
445                 return nt_status;
446         }
447
448         case GENSEC_KRB5_SERVER_START:
449         {
450                 DATA_BLOB unwrapped_in;
451                 DATA_BLOB unwrapped_out = data_blob(NULL, 0);
452                 krb5_data inbuf, outbuf;
453                 uint8_t tok_id[2];
454                 struct keytab_container *keytab;
455                 krb5_principal server_in_keytab;
456
457                 if (!in.data) {
458                         return NT_STATUS_INVALID_PARAMETER;
459                 }       
460
461                 /* Grab the keytab, however generated */
462                 ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security), 
463                                                  gensec_security->event_ctx, 
464                                                  gensec_security->settings->lp_ctx, &keytab);
465                 if (ret) {
466                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
467                 }
468                 
469                 /* This ensures we lookup the correct entry in that keytab */
470                 ret = principal_from_credentials(out_mem_ctx, gensec_get_credentials(gensec_security), 
471                                                  gensec_krb5_state->smb_krb5_context, 
472                                                  &server_in_keytab);
473
474                 if (ret) {
475                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
476                 }
477
478                 /* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
479                 if (gensec_krb5_state->gssapi
480                     && gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
481                         inbuf.data = unwrapped_in.data;
482                         inbuf.length = unwrapped_in.length;
483                 } else {
484                         inbuf.data = in.data;
485                         inbuf.length = in.length;
486                 }
487
488                 ret = smb_rd_req_return_stuff(gensec_krb5_state->smb_krb5_context->krb5_context,
489                                               &gensec_krb5_state->auth_context, 
490                                               &inbuf, keytab->keytab, server_in_keytab,  
491                                               &outbuf, 
492                                               &gensec_krb5_state->ticket, 
493                                               &gensec_krb5_state->keyblock);
494
495                 if (ret) {
496                         return NT_STATUS_LOGON_FAILURE;
497                 }
498                 unwrapped_out.data = (uint8_t *)outbuf.data;
499                 unwrapped_out.length = outbuf.length;
500                 gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
501                 /* wrap that up in a nice GSS-API wrapping */
502                 if (gensec_krb5_state->gssapi) {
503                         *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
504                 } else {
505                         *out = data_blob_talloc(out_mem_ctx, outbuf.data, outbuf.length);
506                 }
507                 krb5_data_free(&outbuf);
508                 return NT_STATUS_OK;
509         }
510
511         case GENSEC_KRB5_DONE:
512         default:
513                 /* Asking too many times... */
514                 return NT_STATUS_INVALID_PARAMETER;
515         }
516 }
517
518 static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security, 
519                                         DATA_BLOB *session_key) 
520 {
521         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
522         krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
523         krb5_auth_context auth_context = gensec_krb5_state->auth_context;
524         krb5_keyblock *skey;
525         krb5_error_code err = -1;
526
527         if (gensec_krb5_state->state_position != GENSEC_KRB5_DONE) {
528                 return NT_STATUS_NO_USER_SESSION_KEY;
529         }
530
531         if (gensec_krb5_state->session_key.data) {
532                 *session_key = gensec_krb5_state->session_key;
533                 return NT_STATUS_OK;
534         }
535
536         switch (gensec_security->gensec_role) {
537         case GENSEC_CLIENT:
538                 err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
539                 break;
540         case GENSEC_SERVER:
541                 err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
542                 break;
543         }
544         if (err == 0 && skey != NULL) {
545                 DEBUG(10, ("Got KRB5 session key of length %d\n",  
546                            (int)KRB5_KEY_LENGTH(skey)));
547                 gensec_krb5_state->session_key = data_blob_talloc(gensec_krb5_state, 
548                                                 KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
549                 *session_key = gensec_krb5_state->session_key;
550                 dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
551
552                 krb5_free_keyblock(context, skey);
553                 return NT_STATUS_OK;
554         } else {
555                 DEBUG(10, ("KRB5 error getting session key %d\n", err));
556                 return NT_STATUS_NO_USER_SESSION_KEY;
557         }
558 }
559
560 static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security,
561                                          struct auth_session_info **_session_info) 
562 {
563         NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
564         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
565         krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
566         struct auth_serversupplied_info *server_info = NULL;
567         struct auth_session_info *session_info = NULL;
568         struct PAC_LOGON_INFO *logon_info;
569
570         krb5_principal client_principal;
571         char *principal_string;
572         
573         DATA_BLOB pac;
574         krb5_data pac_data;
575
576         krb5_error_code ret;
577
578         TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
579         if (!mem_ctx) {
580                 return NT_STATUS_NO_MEMORY;
581         }
582         
583         ret = krb5_ticket_get_client(context, gensec_krb5_state->ticket, &client_principal);
584         if (ret) {
585                 DEBUG(5, ("krb5_ticket_get_client failed to get cleint principal: %s\n", 
586                           smb_get_krb5_error_message(context, 
587                                                      ret, mem_ctx)));
588                 talloc_free(mem_ctx);
589                 return NT_STATUS_NO_MEMORY;
590         }
591         
592         ret = krb5_unparse_name(gensec_krb5_state->smb_krb5_context->krb5_context, 
593                                 client_principal, &principal_string);
594         if (ret) {
595                 DEBUG(1, ("Unable to parse client principal: %s\n",
596                           smb_get_krb5_error_message(context, 
597                                                      ret, mem_ctx)));
598                 talloc_free(mem_ctx);
599                 return NT_STATUS_NO_MEMORY;
600         }
601
602         ret = krb5_ticket_get_authorization_data_type(context, gensec_krb5_state->ticket, 
603                                                       KRB5_AUTHDATA_WIN2K_PAC, 
604                                                       &pac_data);
605         
606         if (ret && gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
607                 DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s \n",
608                           principal_string,
609                           smb_get_krb5_error_message(context, 
610                                                      ret, mem_ctx)));
611                 krb5_free_principal(context, client_principal);
612                 free(principal_string);
613                 return NT_STATUS_ACCESS_DENIED;
614         } else if (ret) {
615                 /* NO pac */
616                 DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n", 
617                           smb_get_krb5_error_message(context, 
618                                                      ret, mem_ctx)));
619                 if (gensec_security->auth_context && 
620                     !gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
621                         DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup: %s",
622                                   principal_string, smb_get_krb5_error_message(context, 
623                                                      ret, mem_ctx)));
624                         nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx, 
625                                                                                              gensec_security->auth_context, 
626                                                                                              principal_string,
627                                                                                              &server_info);
628                         if (!NT_STATUS_IS_OK(nt_status)) {
629                                 talloc_free(mem_ctx);
630                                 return nt_status;
631                         }
632                 } else {
633                         DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
634                                   principal_string));
635                         return NT_STATUS_ACCESS_DENIED;
636                 }
637
638                 krb5_free_principal(context, client_principal);
639                 free(principal_string);
640                 
641                 if (!NT_STATUS_IS_OK(nt_status)) {
642                         talloc_free(mem_ctx);
643                         return nt_status;
644                 }
645         } else {
646                 /* Found pac */
647                 union netr_Validation validation;
648                 free(principal_string);
649
650                 pac = data_blob_talloc(mem_ctx, pac_data.data, pac_data.length);
651                 if (!pac.data) {
652                         krb5_free_principal(context, client_principal);
653                         talloc_free(mem_ctx);
654                         return NT_STATUS_NO_MEMORY;
655                 }
656
657                 /* decode and verify the pac */
658                 nt_status = kerberos_pac_logon_info(gensec_krb5_state, 
659                                                     gensec_security->settings->iconv_convenience,
660                                                     &logon_info, pac,
661                                                     gensec_krb5_state->smb_krb5_context->krb5_context,
662                                                     NULL, gensec_krb5_state->keyblock,
663                                                     client_principal,
664                                                     gensec_krb5_state->ticket->ticket.authtime, NULL);
665                 krb5_free_principal(context, client_principal);
666
667                 if (!NT_STATUS_IS_OK(nt_status)) {
668                         talloc_free(mem_ctx);
669                         return nt_status;
670                 }
671
672                 validation.sam3 = &logon_info->info3;
673                 nt_status = make_server_info_netlogon_validation(mem_ctx, 
674                                                                  NULL,
675                                                                  3, &validation,
676                                                                  &server_info); 
677                 if (!NT_STATUS_IS_OK(nt_status)) {
678                         talloc_free(mem_ctx);
679                         return nt_status;
680                 }
681         }
682
683         /* references the server_info into the session_info */
684         nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx, gensec_security->settings->lp_ctx, server_info, &session_info);
685
686         if (!NT_STATUS_IS_OK(nt_status)) {
687                 talloc_free(mem_ctx);
688                 return nt_status;
689         }
690
691         nt_status = gensec_krb5_session_key(gensec_security, &session_info->session_key);
692
693         if (!NT_STATUS_IS_OK(nt_status)) {
694                 talloc_free(mem_ctx);
695                 return nt_status;
696         }
697
698         *_session_info = session_info;
699
700         talloc_steal(gensec_krb5_state, session_info);
701         talloc_free(mem_ctx);
702         return NT_STATUS_OK;
703 }
704
705 static NTSTATUS gensec_krb5_wrap(struct gensec_security *gensec_security, 
706                                    TALLOC_CTX *mem_ctx, 
707                                    const DATA_BLOB *in, 
708                                    DATA_BLOB *out)
709 {
710         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
711         krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
712         krb5_auth_context auth_context = gensec_krb5_state->auth_context;
713         krb5_error_code ret;
714         krb5_data input, output;
715         input.length = in->length;
716         input.data = in->data;
717         
718         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
719                 ret = krb5_mk_priv(context, auth_context, &input, &output, NULL);
720                 if (ret) {
721                         DEBUG(1, ("krb5_mk_priv failed: %s\n", 
722                                   smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
723                                                              ret, mem_ctx)));
724                         return NT_STATUS_ACCESS_DENIED;
725                 }
726                 *out = data_blob_talloc(mem_ctx, output.data, output.length);
727                 
728                 krb5_data_free(&output);
729         } else {
730                 return NT_STATUS_ACCESS_DENIED;
731         }
732         return NT_STATUS_OK;
733 }
734
735 static NTSTATUS gensec_krb5_unwrap(struct gensec_security *gensec_security, 
736                                      TALLOC_CTX *mem_ctx, 
737                                      const DATA_BLOB *in, 
738                                      DATA_BLOB *out)
739 {
740         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
741         krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
742         krb5_auth_context auth_context = gensec_krb5_state->auth_context;
743         krb5_error_code ret;
744         krb5_data input, output;
745         krb5_replay_data replay;
746         input.length = in->length;
747         input.data = in->data;
748         
749         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
750                 ret = krb5_rd_priv(context, auth_context, &input, &output, &replay);
751                 if (ret) {
752                         DEBUG(1, ("krb5_rd_priv failed: %s\n", 
753                                   smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
754                                                              ret, mem_ctx)));
755                         return NT_STATUS_ACCESS_DENIED;
756                 }
757                 *out = data_blob_talloc(mem_ctx, output.data, output.length);
758                 
759                 krb5_data_free(&output);
760         } else {
761                 return NT_STATUS_ACCESS_DENIED;
762         }
763         return NT_STATUS_OK;
764 }
765
766 static bool gensec_krb5_have_feature(struct gensec_security *gensec_security,
767                                      uint32_t feature)
768 {
769         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
770         if (feature & GENSEC_FEATURE_SESSION_KEY) {
771                 return true;
772         } 
773         if (!gensec_krb5_state->gssapi && 
774             (feature & GENSEC_FEATURE_SEAL)) {
775                 return true;
776         } 
777         
778         return false;
779 }
780
781 static const char *gensec_krb5_oids[] = { 
782         GENSEC_OID_KERBEROS5,
783         GENSEC_OID_KERBEROS5_OLD,
784         NULL 
785 };
786
787 static const struct gensec_security_ops gensec_fake_gssapi_krb5_security_ops = {
788         .name           = "fake_gssapi_krb5",
789         .auth_type      = DCERPC_AUTH_TYPE_KRB5,
790         .oid            = gensec_krb5_oids,
791         .client_start   = gensec_fake_gssapi_krb5_client_start,
792         .server_start   = gensec_fake_gssapi_krb5_server_start,
793         .update         = gensec_krb5_update,
794         .magic          = gensec_fake_gssapi_krb5_magic,
795         .session_key    = gensec_krb5_session_key,
796         .session_info   = gensec_krb5_session_info,
797         .have_feature   = gensec_krb5_have_feature,
798         .enabled        = false,
799         .kerberos       = true,
800         .priority       = GENSEC_KRB5
801 };
802
803 static const struct gensec_security_ops gensec_krb5_security_ops = {
804         .name           = "krb5",
805         .client_start   = gensec_krb5_client_start,
806         .server_start   = gensec_krb5_server_start,
807         .update         = gensec_krb5_update,
808         .session_key    = gensec_krb5_session_key,
809         .session_info   = gensec_krb5_session_info,
810         .have_feature   = gensec_krb5_have_feature,
811         .wrap           = gensec_krb5_wrap,
812         .unwrap         = gensec_krb5_unwrap,
813         .enabled        = true,
814         .kerberos       = true,
815         .priority       = GENSEC_KRB5
816 };
817
818 _PUBLIC_ NTSTATUS gensec_krb5_init(void)
819 {
820         NTSTATUS ret;
821
822         ret = gensec_register(&gensec_krb5_security_ops);
823         if (!NT_STATUS_IS_OK(ret)) {
824                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
825                         gensec_krb5_security_ops.name));
826                 return ret;
827         }
828
829         ret = gensec_register(&gensec_fake_gssapi_krb5_security_ops);
830         if (!NT_STATUS_IS_OK(ret)) {
831                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
832                         gensec_krb5_security_ops.name));
833                 return ret;
834         }
835
836         return ret;
837 }