source4/kdc/pac-glue.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    PAC Glue between Samba and the KDC
   5
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22 */
  23
  24 #include "includes.h"
  25 #include "kdc/kdc.h"
  26 #include "include/ads.h"
  27 #include "lib/ldb/include/ldb.h"
  28 #include "heimdal/lib/krb5/krb5_locl.h"
  29 #include "librpc/gen_ndr/krb5pac.h"
  30 #include "auth/auth.h"
  31 #include "auth/auth_sam.h"
  32
  33 /* Given the right private pointer from hdb_ldb, get a PAC from the attached ldb messages */
  34 static krb5_error_code samba_get_pac(krb5_context context,
  35                                      struct hdb_ldb_private *private,
  36                                      krb5_principal client,
  37                                      krb5_keyblock *krbtgt_keyblock,
  38                                      krb5_keyblock *server_keyblock,
  39                                      time_t tgs_authtime,
  40                                      krb5_data *pac)
  41 {
  42         krb5_error_code ret;
  43         NTSTATUS nt_status;
  44         struct auth_serversupplied_info *server_info;
  45         DATA_BLOB tmp_blob;
  46         TALLOC_CTX *mem_ctx = talloc_named(private, 0, "samba_get_pac context");
  47
  48         if (!mem_ctx) {
  49                 return ENOMEM;
  50         }
  51
  52         nt_status = authsam_make_server_info(mem_ctx, private->samdb,
  53                                              private->msg,
  54                                              private->realm_ref_msg,
  55                                              data_blob(NULL, 0),
  56                                              data_blob(NULL, 0),
  57                                              &server_info);
  58         if (!NT_STATUS_IS_OK(nt_status)) {
  59                 DEBUG(0, ("Getting user info for PAC failed: %s\n",
  60                           nt_errstr(nt_status)));
  61                 return ENOMEM;
  62         }
  63
  64         ret = kerberos_create_pac(mem_ctx, server_info,
  65                                   context,
  66                                   krbtgt_keyblock,
  67                                   server_keyblock,
  68                                   client,
  69                                   tgs_authtime,
  70                                   &tmp_blob);
  71
  72         if (ret) {
  73                 DEBUG(1, ("PAC encoding failed: %s\n",
  74                           smb_get_krb5_error_message(context, ret, mem_ctx)));
  75                 talloc_free(mem_ctx);
  76                 return ret;
  77         }
  78
  79         ret = krb5_data_copy(pac, tmp_blob.data, tmp_blob.length);
  80         talloc_free(mem_ctx);
  81         return ret;
  82 }
  83
  84 /* Wrap the PAC in the right ASN.1.  Will always free 'pac', on success or failure */
  85 static krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData **out)
  86 {
  87         krb5_error_code ret;
  88
  89         unsigned char *buf;
  90         size_t buf_size;
  91         size_t len;
  92
  93         AD_IF_RELEVANT if_relevant;
  94         AuthorizationData *auth_data;
  95
  96         if_relevant.len = 1;
  97         if_relevant.val = malloc(sizeof(*if_relevant.val));
  98         if (!if_relevant.val) {
  99                 krb5_data_free(pac);
 100                 *out = NULL;
 101                 return ENOMEM;
 102         }
 103
 104         if_relevant.val[0].ad_type = KRB5_AUTHDATA_WIN2K_PAC;
 105         if_relevant.val[0].ad_data.data = NULL;
 106         if_relevant.val[0].ad_data.length = 0;
 107
 108         /* pac.data will be freed with this */
 109         if_relevant.val[0].ad_data.data = pac->data;
 110         if_relevant.val[0].ad_data.length = pac->length;
 111
 112         ASN1_MALLOC_ENCODE(AuthorizationData, buf, buf_size, &if_relevant, &len, ret);
 113         free_AuthorizationData(&if_relevant);
 114         if (ret) {
 115                 *out = NULL;
 116                 return ret;
 117         }
 118
 119         auth_data = malloc(sizeof(*auth_data));
 120         if (!auth_data) {
 121                 free(buf);
 122                 *out = NULL;
 123                 return ret;
 124         }
 125         auth_data->len = 1;
 126         auth_data->val = malloc(sizeof(*auth_data->val));
 127         if (!auth_data->val) {
 128                 free(buf);
 129                 free(auth_data);
 130                 *out = NULL;
 131                 return ret;
 132         }
 133         auth_data->val[0].ad_type = KRB5_AUTHDATA_IF_RELEVANT;
 134         auth_data->val[0].ad_data.length = len;
 135         auth_data->val[0].ad_data.data = buf;
 136
 137         *out = auth_data;
 138         return 0;
 139 }
 140
 141
 142 /* Given a hdb_entry, create a PAC out of the private data
 143
 144    Don't create it if the client has the UF_NO_AUTH_DATA_REQUIRED bit
 145    set, or if they specificaly asked not to get it.
 146 */
 147
 148 krb5_error_code hdb_ldb_authz_data_as_req(krb5_context context, struct hdb_entry_ex *entry_ex,
 149                                            METHOD_DATA* pa_data_seq,
 150                                            time_t authtime,
 151                                            EncryptionKey *tgtkey,
 152                                            EncryptionKey *sessionkey,
 153                                            AuthorizationData **out)
 154 {
 155         krb5_error_code ret;
 156         int i;
 157         krb5_data pac;
 158         krb5_boolean pac_wanted = TRUE;
 159         unsigned int userAccountControl;
 160         struct PA_PAC_REQUEST pac_request;
 161         struct hdb_ldb_private *private = talloc_get_type(entry_ex->ctx, struct hdb_ldb_private);
 162
 163         /* The user account may be set not to want the PAC */
 164         userAccountControl = ldb_msg_find_uint(private->msg, "userAccountControl", 0);
 165         if (userAccountControl & UF_NO_AUTH_DATA_REQUIRED) {
 166                 *out = NULL;
 167                 return 0;
 168         }
 169
 170         /* The user may not want a PAC */
 171         for (i=0; i<pa_data_seq->len; i++) {
 172                 if (pa_data_seq->val[i].padata_type == KRB5_PADATA_PA_PAC_REQUEST) {
 173                         ret = decode_PA_PAC_REQUEST(pa_data_seq->val[i].padata_value.data,
 174                                                     pa_data_seq->val[i].padata_value.length,
 175                                                     &pac_request, NULL);
 176                         if (ret == 0) {
 177                                 pac_wanted = !!pac_request.include_pac;
 178                         }
 179                         free_PA_PAC_REQUEST(&pac_request);
 180                         break;
 181                 }
 182         }
 183
 184         if (!pac_wanted) {
 185                 *out = NULL;
 186                 return 0;
 187         }
 188
 189         /* Get PAC from Samba */
 190         ret = samba_get_pac(context,
 191                             private,
 192                             entry_ex->entry.principal,
 193                             tgtkey,
 194                             tgtkey,
 195                             authtime,
 196                             &pac);
 197
 198         if (ret) {
 199                 *out = NULL;
 200                 return ret;
 201         }
 202
 203         return wrap_pac(context, &pac, out);
 204 }
 205
 206 /* Resign (and reform, including possibly new groups) a PAC */
 207
 208 krb5_error_code hdb_ldb_authz_data_tgs_req(krb5_context context, struct hdb_entry_ex *entry_ex,
 209                                             krb5_principal client,
 210                                             AuthorizationData *in,
 211                                             time_t authtime,
 212                                             EncryptionKey *tgtkey,
 213                                             EncryptionKey *servicekey,
 214                                             EncryptionKey *sessionkey,
 215                                             AuthorizationData **out)
 216 {
 217         NTSTATUS nt_status;
 218         krb5_error_code ret;
 219
 220         unsigned int userAccountControl;
 221
 222         struct hdb_ldb_private *private = talloc_get_type(entry_ex->ctx, struct hdb_ldb_private);
 223         krb5_data k5pac_in, k5pac_out;
 224         DATA_BLOB pac_in, pac_out;
 225
 226         struct PAC_LOGON_INFO *logon_info;
 227         union netr_Validation validation;
 228         struct auth_serversupplied_info *server_info_out;
 229
 230         krb5_boolean found = FALSE;
 231         TALLOC_CTX *mem_ctx;
 232
 233         /* The service account may be set not to want the PAC */
 234         userAccountControl = ldb_msg_find_uint(private->msg, "userAccountControl", 0);
 235         if (userAccountControl & UF_NO_AUTH_DATA_REQUIRED) {
 236                 *out = NULL;
 237                 return 0;
 238         }
 239
 240         ret = _krb5_find_type_in_ad(context, KRB5_AUTHDATA_WIN2K_PAC,
 241                                     &k5pac_in, &found, sessionkey, in);
 242         if (ret || !found) {
 243                 *out = NULL;
 244                 return 0;
 245         }
 246
 247         mem_ctx = talloc_new(private);
 248         if (!mem_ctx) {
 249                 krb5_data_free(&k5pac_in);
 250                 *out = NULL;
 251                 return ENOMEM;
 252         }
 253
 254         pac_in = data_blob_talloc(mem_ctx, k5pac_in.data, k5pac_in.length);
 255         krb5_data_free(&k5pac_in);
 256         if (!pac_in.data) {
 257                 talloc_free(mem_ctx);
 258                 *out = NULL;
 259                 return ENOMEM;
 260         }
 261
 262         /* Parse the PAC again, for the logon info */
 263         nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info,
 264                                             pac_in,
 265                                             context,
 266                                             tgtkey,
 267                                             tgtkey,
 268                                             client, authtime,
 269                                             &ret);
 270
 271         if (!NT_STATUS_IS_OK(nt_status)) {
 272                 DEBUG(1, ("Failed to parse PAC in TGT: %s/%s\n",
 273                           nt_errstr(nt_status), error_message(ret)));
 274                 talloc_free(mem_ctx);
 275                 *out = NULL;
 276                 return ret;
 277         }
 278
 279         /* Pull this right into the normal auth sysstem structures */
 280         validation.sam3 = &logon_info->info3;
 281         nt_status = make_server_info_netlogon_validation(mem_ctx,
 282                                                          "",
 283                                                          3, &validation,
 284                                                          &server_info_out);
 285         if (!NT_STATUS_IS_OK(nt_status)) {
 286                 talloc_free(mem_ctx);
 287                 *out = NULL;
 288                 return ENOMEM;
 289         }
 290
 291         /* And make a new PAC, possibly containing new groups */
 292         ret = kerberos_create_pac(mem_ctx,
 293                                   server_info_out,
 294                                   context,
 295                                   tgtkey,
 296                                   servicekey,
 297                                   client,
 298                                   authtime,
 299                                   &pac_out);
 300
 301         if (ret != 0) {
 302                 talloc_free(mem_ctx);
 303                 *out = NULL;
 304                 return ret;
 305         }
 306
 307         ret = krb5_data_copy(&k5pac_out, pac_out.data, pac_out.length);
 308         if (ret != 0) {
 309                 talloc_free(mem_ctx);
 310                 *out = NULL;
 311                 return ret;
 312         }
 313
 314         return wrap_pac(context, &k5pac_out, out);
 315 }
 316
 317 /* Given an hdb entry (and in particular it's private member), consult
 318  * the account_ok routine in auth/auth_sam.c for consistancy */
 319
 320 krb5_error_code hdb_ldb_check_client_access(krb5_context context, hdb_entry_ex *entry_ex,
 321                                             HostAddresses *addresses)
 322 {
 323         krb5_error_code ret;
 324         NTSTATUS nt_status;
 325         TALLOC_CTX *tmp_ctx = talloc_new(entry_ex->ctx);
 326         struct hdb_ldb_private *private = talloc_get_type(entry_ex->ctx, struct hdb_ldb_private);
 327         char *name, *workstation = NULL;
 328         int i;
 329
 330         if (!tmp_ctx) {
 331                 return ENOMEM;
 332         }
 333
 334         ret = krb5_unparse_name(context, entry_ex->entry.principal, &name);
 335         if (ret != 0) {
 336                 talloc_free(tmp_ctx);
 337                 return ret;
 338         }
 339
 340         if (addresses) {
 341                 for (i=0; i < addresses->len; i++) {
 342                         if (addresses->val->addr_type == KRB5_ADDRESS_NETBIOS) {
 343                                 workstation = talloc_strndup(tmp_ctx, addresses->val->address.data, MIN(addresses->val->address.length, 15));
 344                                 if (workstation) {
 345                                         break;
 346                                 }
 347                         }
 348                 }
 349         }
 350
 351         /* Strip space padding */
 352         if (workstation) {
 353                 i = MIN(strlen(workstation), 15);
 354                 for (; i > 0 && workstation[i - 1] == ' '; i--) {
 355                         workstation[i - 1] = '\0';
 356                 }
 357         }
 358
 359         nt_status = authsam_account_ok(tmp_ctx,
 360                                        private->samdb,
 361                                        MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
 362                                        private->msg,
 363                                        private->realm_ref_msg,
 364                                        workstation,
 365                                        name);
 366         free(name);
 367
 368         /* TODO:  Need a more complete mapping of NTSTATUS to krb5kdc errors */
 369
 370         if (!NT_STATUS_IS_OK(nt_status)) {
 371                 return KRB5KDC_ERR_POLICY;
 372         }
 373         return 0;
 374 }
 375