r15497: I'm not really sure this is correct in terms of how we should be responding to

[jelmer/samba4-debian.git] / source / kdc / kpasswdd.c

diff --git a/source/kdc/kpasswdd.c b/source/kdc/kpasswdd.c
index 4f15cccd34489d81861dfb203fa3c7d6ed5991b7..48955e2ca7fff1f40b604d732ad78c7716e70c33 100644 (file)
--- a/source/kdc/kpasswdd.c
+++ b/source/kdc/kpasswdd.c
@@ -29,8 +29,13 @@
 #include "system/network.h"
 #include "dlinklist.h"
 #include "lib/ldb/include/ldb.h"
+#include "heimdal/lib/krb5/krb5_locl.h"
 #include "heimdal/lib/krb5/krb5-private.h"
 #include "auth/auth.h"
+#include "dsdb/samdb/samdb.h"
+#include "rpc_server/dcerpc_server.h"
+#include "rpc_server/samr/proto.h"
+#include "libcli/security/security.h"
 
 /* hold information about one kdc socket */
 struct kpasswd_socket {
@@ -119,7 +124,7 @@ static BOOL kpasswd_make_pwchange_reply(struct kdc_server *kdc,
                                                "Not permitted to change password",
                                                error_blob);
        }
-       if (NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
+       if (dominfo && NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
                const char *reject_string;
                switch (reject_reason) {
                case SAMR_REJECT_TOO_SHORT:
@@ -130,6 +135,7 @@ static BOOL kpasswd_make_pwchange_reply(struct kdc_server *kdc,
                        reject_string = "Password does not meet complexity requirements";
                        break;
                case SAMR_REJECT_OTHER:
+               default:
                        reject_string = talloc_asprintf(mem_ctx, "Password must be at least %d characters long, and cannot match any of your %d previous passwords",
                                                        dominfo->min_password_length, dominfo->password_history_length);
                        break;
@@ -176,7 +182,10 @@ static BOOL kpasswdd_change_password(struct kdc_server *kdc,
                                                reply);
        }
        
-       DEBUG(3, ("Changing password of %s\n", dom_sid_string(mem_ctx, session_info->security_token->user_sid)));
+       DEBUG(3, ("Changing password of %s\\%s (%s)\n", 
+                 session_info->server_info->domain_name,
+                 session_info->server_info->account_name,
+                 dom_sid_string(mem_ctx, session_info->security_token->user_sid)));
 
        /* User password change */
        status = samdb_set_password_sid(samdb, mem_ctx, 
@@ -201,18 +210,7 @@ static BOOL kpasswd_process_request(struct kdc_server *kdc,
                                    DATA_BLOB *input, 
                                    DATA_BLOB *reply)
 {
-       NTSTATUS status;
-       enum samr_RejectReason reject_reason;
-       struct samr_DomInfo1 *dominfo;
-       struct ldb_context *samdb;
        struct auth_session_info *session_info;
-       struct ldb_message *msg = ldb_msg_new(gensec_security);
-       krb5_context context = kdc->smb_krb5_context->krb5_context;
-       int ret;
-       if (!samdb || !msg) {
-               return False;
-       }
-
        if (!NT_STATUS_IS_OK(gensec_session_info(gensec_security, 
                                                 &session_info))) {
                return kpasswdd_make_error_reply(kdc, mem_ctx, 
@@ -224,7 +222,7 @@ static BOOL kpasswd_process_request(struct kdc_server *kdc,
        switch (version) {
        case KRB5_KPASSWD_VERS_CHANGEPW:
        {
-               char *password = talloc_strndup(mem_ctx, input->data, input->length);
+               char *password = talloc_strndup(mem_ctx, (const char *)input->data, input->length);
                if (!password) {
                        return False;
                }
@@ -234,14 +232,27 @@ static BOOL kpasswd_process_request(struct kdc_server *kdc,
        }
        case KRB5_KPASSWD_VERS_SETPW:
        {
-               size_t len;
+               NTSTATUS status;
+               enum samr_RejectReason reject_reason = SAMR_REJECT_OTHER;
+               struct samr_DomInfo1 *dominfo = NULL;
+               struct ldb_context *samdb;
+               struct ldb_message *msg;
+               krb5_context context = kdc->smb_krb5_context->krb5_context;
+
                ChangePasswdDataMS chpw;
                char *password;
+
                krb5_principal principal;
                char *set_password_on_princ;
                struct ldb_dn *set_password_on_dn;
 
-               samdb = samdb_connect(gensec_security, session_info);
+               size_t len;
+               int ret;
+
+               msg = ldb_msg_new(mem_ctx);
+               if (!msg) {
+                       return False;
+               }
 
                ret = decode_ChangePasswdDataMS(input->data, input->length,
                                                &chpw, &len);
@@ -292,26 +303,84 @@ static BOOL kpasswd_process_request(struct kdc_server *kdc,
                
                krb5_free_principal(context, principal);
                
+               samdb = samdb_connect(mem_ctx, session_info);
+               if (!samdb) {
+                       return kpasswdd_make_error_reply(kdc, mem_ctx, 
+                                                        KRB5_KPASSWD_HARDERROR,
+                                                        "Unable to open database!",
+                                                        reply);
+               }
+
+               DEBUG(3, ("%s\\%s (%s) is changing password of %s\n", 
+                         session_info->server_info->domain_name,
+                         session_info->server_info->account_name,
+                         dom_sid_string(mem_ctx, session_info->security_token->user_sid), 
+                         set_password_on_princ));
+               ret = ldb_transaction_start(samdb);
+               if (ret) {
+                       status = NT_STATUS_TRANSACTION_ABORTED;
+                       return kpasswd_make_pwchange_reply(kdc, mem_ctx, 
+                                                          status,
+                                                          SAMR_REJECT_OTHER, 
+                                                          NULL, 
+                                                          reply);
+               }
+
                status = crack_user_principal_name(samdb, mem_ctx, 
                                                   set_password_on_princ, 
                                                   &set_password_on_dn, NULL);
                free(set_password_on_princ);
                if (!NT_STATUS_IS_OK(status)) {
+                       ldb_transaction_cancel(samdb);
                        return kpasswd_make_pwchange_reply(kdc, mem_ctx, 
                                                           status,
-                                                          reject_reason, 
-                                                          dominfo, 
+                                                          SAMR_REJECT_OTHER, 
+                                                          NULL, 
                                                           reply);
                }
 
-               /* Admin password set */
-               status = samdb_set_password(samdb, mem_ctx,
-                                           set_password_on_dn, NULL,
-                                           msg, password, NULL, NULL, 
-                                           False, /* this is a user password change */
-                                           True, /* run restriction tests */
-                                           &reject_reason, &dominfo);
+               msg = ldb_msg_new(mem_ctx);
+               if (msg == NULL) {
+                       ldb_transaction_cancel(samdb);
+                       status = NT_STATUS_NO_MEMORY;
+               } else {
+                       msg->dn = ldb_dn_copy(msg, set_password_on_dn);
+                       if (!msg->dn) {
+                               status = NT_STATUS_NO_MEMORY;
+                       }
+               }
+
+               if (NT_STATUS_IS_OK(status)) {
+                       /* Admin password set */
+                       status = samdb_set_password(samdb, mem_ctx,
+                                                   set_password_on_dn, NULL,
+                                                   msg, password, NULL, NULL, 
+                                                   False, /* this is not a user password change */
+                                                   True, /* run restriction tests */
+                                                   &reject_reason, &dominfo);
+               }
 
+               if (NT_STATUS_IS_OK(status)) {
+                       /* modify the samdb record */
+                       ret = samdb_replace(samdb, mem_ctx, msg);
+                       if (ret != 0) {
+                               DEBUG(2,("Failed to modify record to set password on %s: %s\n",
+                                        ldb_dn_linearize(mem_ctx, msg->dn),
+                                        ldb_errstring(samdb)));
+                               status = NT_STATUS_ACCESS_DENIED;
+                       }
+               }
+               if (NT_STATUS_IS_OK(status)) {
+                       ret = ldb_transaction_commit(samdb);
+                       if (ret != 0) {
+                               DEBUG(1,("Failed to commit transaction to set password on %s: %s\n",
+                                        ldb_dn_linearize(mem_ctx, msg->dn),
+                                        ldb_errstring(samdb)));
+                               status = NT_STATUS_TRANSACTION_ABORTED;
+                       }
+               } else {
+                       ldb_transaction_cancel(samdb);
+               }
                return kpasswd_make_pwchange_reply(kdc, mem_ctx, 
                                                   status,
                                                   reject_reason, 
@@ -320,11 +389,11 @@ static BOOL kpasswd_process_request(struct kdc_server *kdc,
        }
        default:
                return kpasswdd_make_error_reply(kdc, mem_ctx, 
-                                               KRB5_KPASSWD_BAD_VERSION,
-                                               talloc_asprintf(mem_ctx, 
-                                                               "Protocol version %u not supported", 
-                                                               version),
-                                               reply);
+                                                KRB5_KPASSWD_BAD_VERSION,
+                                                talloc_asprintf(mem_ctx, 
+                                                                "Protocol version %u not supported", 
+                                                                version),
+                                                reply);
        }
        return True;
 }
@@ -333,8 +402,8 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
                      TALLOC_CTX *mem_ctx, 
                      DATA_BLOB *input, 
                      DATA_BLOB *reply,
-                     const char *from,
-                     int src_port)
+                     struct socket_address *peer_addr,
+                     struct socket_address *my_addr)
 {
        BOOL ret;
        const uint16_t header_len = 6;
@@ -343,7 +412,9 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
        uint16_t krb_priv_len;
        uint16_t version;
        NTSTATUS nt_status;
-       DATA_BLOB ap_req, krb_priv_req, krb_priv_rep, ap_rep;
+       DATA_BLOB ap_req, krb_priv_req;
+       DATA_BLOB krb_priv_rep = data_blob(NULL, 0);
+       DATA_BLOB ap_rep = data_blob(NULL, 0);
        DATA_BLOB kpasswd_req, kpasswd_rep;
        struct cli_credentials *server_credentials;
        struct gensec_security *gensec_security;
@@ -353,6 +424,8 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
                return False;
        }
 
+       /* Be parinoid.  We need to ensure we don't just let the
+        * caller lead us into a buffer overflow */
        if (input->length <= header_len) {
                talloc_free(tmp_ctx);
                return False;
@@ -364,6 +437,9 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
                return False;
        }
 
+       /* There are two different versions of this protocol so far,
+        * plus others in the standards pipe.  Fortunetly they all
+        * take a very similar framing */
        version = RSVAL(input->data, 2);
        ap_req_len = RSVAL(input->data, 4);
        if ((ap_req_len >= len) || (ap_req_len + header_len) >= len) {
@@ -387,7 +463,10 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
                DEBUG(1, ("Failed to init server credentials\n"));
                return False;
        }
-       
+
+       /* We want the credentials subsystem to use the krb5 context
+        * we already have, rather than a new context */        
+       cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context);
        cli_credentials_set_conf(server_credentials);
        nt_status = cli_credentials_set_stored_principal(server_credentials, "kadmin/changepw");
        if (!NT_STATUS_IS_OK(nt_status)) {
@@ -405,7 +484,26 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
                return ret;
        }
        
-       gensec_set_credentials(gensec_security, server_credentials);
+       nt_status = gensec_set_credentials(gensec_security, server_credentials);
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               talloc_free(tmp_ctx);
+               return False;
+       }
+
+       /* The kerberos PRIV packets include these addresses.  MIT
+        * clients check that they are present */
+       nt_status = gensec_set_peer_addr(gensec_security, peer_addr);
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               talloc_free(tmp_ctx);
+               return False;
+       }
+       nt_status = gensec_set_my_addr(gensec_security, my_addr);
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               talloc_free(tmp_ctx);
+               return False;
+       }
+
+       /* We want the GENSEC wrap calls to generate PRIV tokens */
        gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
 
        nt_status = gensec_start_mech_by_name(gensec_security, "krb5");
@@ -414,6 +512,7 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
                return False;
        }
 
+       /* Accept the AP-REQ and generate teh AP-REP we need for the reply */
        nt_status = gensec_update(gensec_security, tmp_ctx, ap_req, &ap_rep);
        if (!NT_STATUS_IS_OK(nt_status) && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
                
@@ -431,6 +530,7 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
                return ret;
        }
 
+       /* Extract the data from the KRB-PRIV half of the message */
        nt_status = gensec_unwrap(gensec_security, tmp_ctx, &krb_priv_req, &kpasswd_req);
        if (!NT_STATUS_IS_OK(nt_status)) {
                ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx, 
@@ -447,6 +547,7 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
                return ret;
        }
 
+       /* Figure out something to do with it (probably changing a password...) */
        ret = kpasswd_process_request(kdc, tmp_ctx, 
                                      gensec_security, 
                                      version, 
@@ -455,7 +556,9 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
                /* Argh! */
                return False;
        }
-       
+
+       /* And wrap up the reply: This ensures that the error message
+        * or success can be verified by the client */
        nt_status = gensec_wrap(gensec_security, tmp_ctx, 
                                &kpasswd_rep, &krb_priv_rep);
        if (!NT_STATUS_IS_OK(nt_status)) {