source4/auth/kerberos/kerberos_util.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Kerberos utility functions for GENSEC
   5
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24 #include "system/kerberos.h"
  25 #include "auth/kerberos/kerberos.h"
  26 #include "auth/credentials/credentials.h"
  27 #include "auth/credentials/credentials_proto.h"
  28 #include "auth/credentials/credentials_krb5.h"
  29 #include "auth/kerberos/kerberos_credentials.h"
  30 #include "auth/kerberos/kerberos_util.h"
  31
  32 struct principal_container {
  33         struct smb_krb5_context *smb_krb5_context;
  34         krb5_principal principal;
  35         const char *string_form; /* Optional */
  36 };
  37
  38 static krb5_error_code free_principal(struct principal_container *pc)
  39 {
  40         /* current heimdal - 0.6.3, which we need anyway, fixes segfaults here */
  41         krb5_free_principal(pc->smb_krb5_context->krb5_context, pc->principal);
  42
  43         return 0;
  44 }
  45
  46
  47 static krb5_error_code parse_principal(TALLOC_CTX *parent_ctx,
  48                                        const char *princ_string,
  49                                        struct smb_krb5_context *smb_krb5_context,
  50                                        krb5_principal *princ,
  51                                        const char **error_string)
  52 {
  53         int ret;
  54         struct principal_container *mem_ctx;
  55         if (princ_string == NULL) {
  56                  *princ = NULL;
  57                  return 0;
  58         }
  59
  60         ret = krb5_parse_name(smb_krb5_context->krb5_context,
  61                               princ_string, princ);
  62
  63         if (ret) {
  64                 (*error_string) = smb_get_krb5_error_message(
  65                                                 smb_krb5_context->krb5_context,
  66                                                 ret, parent_ctx);
  67                 return ret;
  68         }
  69
  70         mem_ctx = talloc(parent_ctx, struct principal_container);
  71         if (!mem_ctx) {
  72                 (*error_string) = error_message(ENOMEM);
  73                 return ENOMEM;
  74         }
  75
  76         /* This song-and-dance effectivly puts the principal
  77          * into talloc, so we can't loose it. */
  78         mem_ctx->smb_krb5_context = talloc_reference(mem_ctx,
  79                                                      smb_krb5_context);
  80         mem_ctx->principal = *princ;
  81         talloc_set_destructor(mem_ctx, free_principal);
  82         return 0;
  83 }
  84
  85 /* Obtain the principal set on this context.  Requires a
  86  * smb_krb5_context because we are doing krb5 principal parsing with
  87  * the library routines.  The returned princ is placed in the talloc
  88  * system by means of a destructor (do *not* free). */
  89
  90 krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx,
  91                                 struct cli_credentials *credentials,
  92                                 struct smb_krb5_context *smb_krb5_context,
  93                                 krb5_principal *princ,
  94                                 enum credentials_obtained *obtained,
  95                                 const char **error_string)
  96 {
  97         krb5_error_code ret;
  98         const char *princ_string;
  99         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
 100         *obtained = CRED_UNINITIALISED;
 101
 102         if (!mem_ctx) {
 103                 (*error_string) = error_message(ENOMEM);
 104                 return ENOMEM;
 105         }
 106         princ_string = cli_credentials_get_principal_and_obtained(credentials,
 107                                                                   mem_ctx,
 108                                                                   obtained);
 109         if (!princ_string) {
 110                 *princ = NULL;
 111                 return 0;
 112         }
 113
 114         ret = parse_principal(parent_ctx, princ_string,
 115                               smb_krb5_context, princ, error_string);
 116         talloc_free(mem_ctx);
 117         return ret;
 118 }
 119
 120 /* Obtain the principal set on this context.  Requires a
 121  * smb_krb5_context because we are doing krb5 principal parsing with
 122  * the library routines.  The returned princ is placed in the talloc
 123  * system by means of a destructor (do *not* free). */
 124
 125 static krb5_error_code impersonate_principal_from_credentials(
 126                                 TALLOC_CTX *parent_ctx,
 127                                 struct cli_credentials *credentials,
 128                                 struct smb_krb5_context *smb_krb5_context,
 129                                 krb5_principal *princ,
 130                                 const char **error_string)
 131 {
 132         return parse_principal(parent_ctx,
 133                         cli_credentials_get_impersonate_principal(credentials),
 134                         smb_krb5_context, princ, error_string);
 135 }
 136
 137 /**
 138  * Return a freshly allocated ccache (destroyed by destructor on child
 139  * of parent_ctx), for a given set of client credentials
 140  */
 141
 142  krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx,
 143                                  struct cli_credentials *credentials,
 144                                  struct smb_krb5_context *smb_krb5_context,
 145                                  struct tevent_context *event_ctx,
 146                                  krb5_ccache ccache,
 147                                  enum credentials_obtained *obtained,
 148                                  const char **error_string)
 149 {
 150         krb5_error_code ret;
 151         const char *password;
 152         const char *self_service;
 153         const char *target_service;
 154         time_t kdc_time = 0;
 155         krb5_principal princ;
 156         krb5_principal impersonate_principal;
 157         int tries;
 158         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
 159         krb5_get_init_creds_opt *krb_options;
 160
 161         if (!mem_ctx) {
 162                 (*error_string) = strerror(ENOMEM);
 163                 return ENOMEM;
 164         }
 165
 166         ret = principal_from_credentials(mem_ctx, credentials, smb_krb5_context, &princ, obtained, error_string);
 167         if (ret) {
 168                 talloc_free(mem_ctx);
 169                 return ret;
 170         }
 171
 172         if (princ == NULL) {
 173                 (*error_string) = talloc_asprintf(credentials, "principal, username or realm was not specified in the credentials");
 174                 talloc_free(mem_ctx);
 175                 return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
 176         }
 177
 178         ret = impersonate_principal_from_credentials(mem_ctx, credentials, smb_krb5_context, &impersonate_principal, error_string);
 179         if (ret) {
 180                 talloc_free(mem_ctx);
 181                 return ret;
 182         }
 183
 184         self_service = cli_credentials_get_self_service(credentials);
 185         target_service = cli_credentials_get_target_service(credentials);
 186
 187         password = cli_credentials_get_password(credentials);
 188
 189         /* setup the krb5 options we want */
 190         if ((ret = krb5_get_init_creds_opt_alloc(smb_krb5_context->krb5_context, &krb_options))) {
 191                 (*error_string) = talloc_asprintf(credentials, "krb5_get_init_creds_opt_alloc failed (%s)\n",
 192                                                   smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 193                                                                              ret, mem_ctx));
 194                 talloc_free(mem_ctx);
 195                 return ret;
 196         }
 197
 198         /* get the defaults */
 199         krb5_get_init_creds_opt_set_default_flags(smb_krb5_context->krb5_context, NULL, NULL, krb_options);
 200
 201         /* set if we want a forwardable ticket */
 202         switch (cli_credentials_get_krb_forwardable(credentials)) {
 203         case CRED_AUTO_KRB_FORWARDABLE:
 204                 break;
 205         case CRED_NO_KRB_FORWARDABLE:
 206                 krb5_get_init_creds_opt_set_forwardable(krb_options, FALSE);
 207                 break;
 208         case CRED_FORCE_KRB_FORWARDABLE:
 209                 krb5_get_init_creds_opt_set_forwardable(krb_options, TRUE);
 210                 break;
 211         }
 212
 213         /*
 214          * In order to work against windows KDCs even if we use
 215          * the netbios domain name as realm, we need to add the following
 216          * flags:
 217          * KRB5_INIT_CREDS_NO_C_CANON_CHECK;
 218          * KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK;
 219          */
 220         krb5_get_init_creds_opt_set_win2k(smb_krb5_context->krb5_context,
 221                                           krb_options, true);
 222
 223         tries = 2;
 224         while (tries--) {
 225                 struct tevent_context *previous_ev;
 226                 /* Do this every time, in case we have weird recursive issues here */
 227                 ret = smb_krb5_context_set_event_ctx(smb_krb5_context, event_ctx, &previous_ev);
 228                 if (ret) {
 229                         talloc_free(mem_ctx);
 230                         return ret;
 231                 }
 232                 if (password) {
 233                         ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, ccache,
 234                                                          princ, password,
 235                                                          impersonate_principal,
 236                                                          self_service,
 237                                                          target_service,
 238                                                          krb_options,
 239                                                          NULL, &kdc_time);
 240                 } else if (impersonate_principal) {
 241                         talloc_free(mem_ctx);
 242                         (*error_string) = "INTERNAL error: Cannot impersonate principal with just a keyblock.  A password must be specified in the credentials";
 243                         return EINVAL;
 244                 } else {
 245                         /* No password available, try to use a keyblock instead */
 246
 247                         krb5_keyblock keyblock;
 248                         const struct samr_Password *mach_pwd;
 249                         mach_pwd = cli_credentials_get_nt_hash(credentials, mem_ctx);
 250                         if (!mach_pwd) {
 251                                 talloc_free(mem_ctx);
 252                                 (*error_string) = "kinit_to_ccache: No password available for kinit\n";
 253                                 krb5_get_init_creds_opt_free(smb_krb5_context->krb5_context, krb_options);
 254                                 smb_krb5_context_remove_event_ctx(smb_krb5_context, previous_ev, event_ctx);
 255                                 return EINVAL;
 256                         }
 257                         ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
 258                                                  ENCTYPE_ARCFOUR_HMAC,
 259                                                  mach_pwd->hash, sizeof(mach_pwd->hash),
 260                                                  &keyblock);
 261
 262                         if (ret == 0) {
 263                                 ret = kerberos_kinit_keyblock_cc(smb_krb5_context->krb5_context, ccache,
 264                                                                  princ, &keyblock,
 265                                                                  target_service, krb_options,
 266                                                                  NULL, &kdc_time);
 267                                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &keyblock);
 268                         }
 269                 }
 270
 271                 smb_krb5_context_remove_event_ctx(smb_krb5_context, previous_ev, event_ctx);
 272
 273                 if (ret == KRB5KRB_AP_ERR_SKEW || ret == KRB5_KDCREP_SKEW) {
 274                         /* Perhaps we have been given an invalid skew, so try again without it */
 275                         time_t t = time(NULL);
 276                         krb5_set_real_time(smb_krb5_context->krb5_context, t, 0);
 277                 } else {
 278                         /* not a skew problem */
 279                         break;
 280                 }
 281         }
 282
 283         krb5_get_init_creds_opt_free(smb_krb5_context->krb5_context, krb_options);
 284
 285         if (ret == KRB5KRB_AP_ERR_SKEW || ret == KRB5_KDCREP_SKEW) {
 286                 (*error_string) = talloc_asprintf(credentials, "kinit for %s failed (%s)\n",
 287                                                   cli_credentials_get_principal(credentials, mem_ctx),
 288                                                   smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 289                                                                              ret, mem_ctx));
 290                 talloc_free(mem_ctx);
 291                 return ret;
 292         }
 293
 294         /* cope with ticket being in the future due to clock skew */
 295         if ((unsigned)kdc_time > time(NULL)) {
 296                 time_t t = time(NULL);
 297                 int time_offset =(unsigned)kdc_time-t;
 298                 DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset));
 299                 krb5_set_real_time(smb_krb5_context->krb5_context, t + time_offset + 1, 0);
 300         }
 301
 302         if (ret == KRB5KDC_ERR_PREAUTH_FAILED && cli_credentials_wrong_password(credentials)) {
 303                 ret = kinit_to_ccache(parent_ctx,
 304                                       credentials,
 305                                       smb_krb5_context,
 306                                       event_ctx,
 307                                       ccache, obtained,
 308                                       error_string);
 309         }
 310
 311         if (ret) {
 312                 (*error_string) = talloc_asprintf(credentials, "kinit for %s failed (%s)\n",
 313                                                   cli_credentials_get_principal(credentials, mem_ctx),
 314                                                   smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 315                                                                              ret, mem_ctx));
 316                 talloc_free(mem_ctx);
 317                 return ret;
 318         }
 319         talloc_free(mem_ctx);
 320         return 0;
 321 }
 322
 323 static krb5_error_code free_keytab_container(struct keytab_container *ktc)
 324 {
 325         return krb5_kt_close(ktc->smb_krb5_context->krb5_context, ktc->keytab);
 326 }
 327
 328 krb5_error_code smb_krb5_get_keytab_container(TALLOC_CTX *mem_ctx,
 329                                 struct smb_krb5_context *smb_krb5_context,
 330                                 krb5_keytab opt_keytab,
 331                                 const char *keytab_name,
 332                                 struct keytab_container **ktc)
 333 {
 334         krb5_keytab keytab;
 335         krb5_error_code ret;
 336
 337         if (opt_keytab) {
 338                 keytab = opt_keytab;
 339         } else {
 340                 ret = krb5_kt_resolve(smb_krb5_context->krb5_context,
 341                                                 keytab_name, &keytab);
 342                 if (ret) {
 343                         DEBUG(1,("failed to open krb5 keytab: %s\n",
 344                                  smb_get_krb5_error_message(
 345                                         smb_krb5_context->krb5_context,
 346                                         ret, mem_ctx)));
 347                         return ret;
 348                 }
 349         }
 350
 351         *ktc = talloc(mem_ctx, struct keytab_container);
 352         if (!*ktc) {
 353                 return ENOMEM;
 354         }
 355
 356         (*ktc)->smb_krb5_context = talloc_reference(*ktc, smb_krb5_context);
 357         (*ktc)->keytab = keytab;
 358         talloc_set_destructor(*ktc, free_keytab_container);
 359
 360         return 0;
 361 }