source4/auth/kerberos/kerberos_util.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Kerberos utility functions for GENSEC
   5
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22 */
  23
  24 #include "includes.h"
  25 #include "system/kerberos.h"
  26 #include "system/time.h"
  27 #include "system/network.h"
  28 #include "auth/kerberos/kerberos.h"
  29 #include "auth/auth.h"
  30
  31 struct principal_container {
  32         struct smb_krb5_context *smb_krb5_context;
  33         krb5_principal principal;
  34 };
  35
  36 struct keytab_container {
  37         struct smb_krb5_context *smb_krb5_context;
  38         krb5_keytab keytab;
  39 };
  40
  41 static int free_principal(void *ptr) {
  42         struct principal_container *pc = ptr;
  43         /* current heimdal - 0.6.3, which we need anyway, fixes segfaults here */
  44         krb5_free_principal(pc->smb_krb5_context->krb5_context, pc->principal);
  45
  46         return 0;
  47 }
  48
  49 krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
  50                                                 struct cli_credentials *machine_account,
  51                                                 struct smb_krb5_context *smb_krb5_context,
  52                                                 krb5_principal *salt_princ)
  53 {
  54         krb5_error_code ret;
  55         char *machine_username;
  56         char *salt_body;
  57         char *lower_realm;
  58         struct principal_container *mem_ctx = talloc(parent_ctx, struct principal_container);
  59         if (!mem_ctx) {
  60                 return ENOMEM;
  61         }
  62
  63         machine_username = talloc_strdup(mem_ctx, cli_credentials_get_username(machine_account, mem_ctx));
  64
  65         if (!machine_username) {
  66                 talloc_free(mem_ctx);
  67                 return ENOMEM;
  68         }
  69
  70         if (machine_username[strlen(machine_username)-1] == '$') {
  71                 machine_username[strlen(machine_username)-1] = '\0';
  72         }
  73         lower_realm = strlower_talloc(mem_ctx, cli_credentials_get_realm(machine_account));
  74         if (!lower_realm) {
  75                 talloc_free(mem_ctx);
  76                 return ENOMEM;
  77         }
  78
  79         salt_body = talloc_asprintf(mem_ctx, "%s.%s", machine_username,
  80                                     lower_realm);
  81         if (!salt_body) {
  82                 talloc_free(mem_ctx);
  83                 return ENOMEM;
  84         }
  85
  86         ret = krb5_make_principal(smb_krb5_context->krb5_context, salt_princ,
  87                                   cli_credentials_get_realm(machine_account),
  88                                   "host", salt_body, NULL);
  89
  90         if (ret != 0) {
  91                 mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
  92                 mem_ctx->principal = *salt_princ;
  93                 talloc_set_destructor(mem_ctx, free_principal);
  94         }
  95         return ret;
  96 }
  97
  98 /**
  99  * Return a freshly allocated ccache (destroyed by destructor on child
 100  * of parent_ctx), for a given set of client credentials
 101  */
 102
 103  krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx,
 104                           struct cli_credentials *credentials,
 105                           struct smb_krb5_context *smb_krb5_context,
 106                           krb5_ccache ccache)
 107 {
 108         krb5_error_code ret;
 109         const char *password;
 110         time_t kdc_time = 0;
 111
 112         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
 113
 114         if (!mem_ctx) {
 115                 return ENOMEM;
 116         }
 117
 118         password = cli_credentials_get_password(credentials);
 119
 120         if (password) {
 121                 ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, ccache,
 122                                                  cli_credentials_get_principal(credentials, mem_ctx),
 123                                                  password, NULL, &kdc_time);
 124         } else {
 125                 /* No password available, try to use a keyblock instead */
 126
 127                 krb5_keyblock keyblock;
 128                 const struct samr_Password *mach_pwd;
 129                 mach_pwd = cli_credentials_get_nt_hash(credentials, mem_ctx);
 130                 if (!mach_pwd) {
 131                         talloc_free(mem_ctx);
 132                         DEBUG(1, ("kinit_to_ccache: No password available for kinit\n"));
 133                         return EINVAL;
 134                 }
 135                 ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
 136                                          ENCTYPE_ARCFOUR_HMAC,
 137                                          mach_pwd->hash, sizeof(mach_pwd->hash),
 138                                          &keyblock);
 139
 140                 if (ret == 0) {
 141                         ret = kerberos_kinit_keyblock_cc(smb_krb5_context->krb5_context, ccache,
 142                                                          cli_credentials_get_principal(credentials, mem_ctx),
 143                                                          &keyblock, NULL, &kdc_time);
 144                         krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &keyblock);
 145                 }
 146         }
 147
 148         /* cope with ticket being in the future due to clock skew */
 149         if ((unsigned)kdc_time > time(NULL)) {
 150                 time_t t = time(NULL);
 151                 int time_offset =(unsigned)kdc_time-t;
 152                 DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset));
 153                 krb5_set_real_time(smb_krb5_context->krb5_context, t + time_offset + 1, 0);
 154         }
 155
 156         if (ret == KRB5KRB_AP_ERR_SKEW || ret == KRB5_KDCREP_SKEW) {
 157                 DEBUG(1,("kinit for %s failed (%s)\n",
 158                          cli_credentials_get_principal(credentials, mem_ctx),
 159                          smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 160                                                     ret, mem_ctx)));
 161                 talloc_free(mem_ctx);
 162                 return ret;
 163         }
 164         if (ret) {
 165                 DEBUG(1,("kinit for %s failed (%s)\n",
 166                          cli_credentials_get_principal(credentials, mem_ctx),
 167                          smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 168                                                     ret, mem_ctx)));
 169                 talloc_free(mem_ctx);
 170                 return ret;
 171         }
 172         return 0;
 173 }
 174
 175 static int free_keytab(void *ptr) {
 176         struct keytab_container *ktc = ptr;
 177         krb5_kt_close(ktc->smb_krb5_context->krb5_context, ktc->keytab);
 178
 179         return 0;
 180 }
 181
 182  NTSTATUS create_memory_keytab(TALLOC_CTX *parent_ctx,
 183                                struct cli_credentials *machine_account,
 184                                struct smb_krb5_context *smb_krb5_context,
 185                                krb5_keytab *keytab)
 186 {
 187         krb5_error_code ret;
 188         const char *password_s;
 189         krb5_data password;
 190         int i;
 191         struct keytab_container *mem_ctx = talloc(parent_ctx, struct keytab_container);
 192         krb5_enctype *enctypes;
 193         krb5_principal salt_princ;
 194
 195         if (!mem_ctx) {
 196                 return NT_STATUS_NO_MEMORY;
 197         }
 198
 199         ret = krb5_kt_resolve(smb_krb5_context->krb5_context, "MEMORY_WILDCARD:", keytab);
 200         if (ret) {
 201                 DEBUG(1,("failed to generate a new krb5 keytab: %s\n",
 202                          error_message(ret)));
 203                 talloc_free(mem_ctx);
 204                 return NT_STATUS_INTERNAL_ERROR;
 205         }
 206
 207         mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
 208         mem_ctx->keytab = *keytab;
 209
 210         talloc_set_destructor(mem_ctx, free_keytab);
 211
 212         ret = salt_principal_from_credentials(mem_ctx, machine_account,
 213                                               smb_krb5_context,
 214                                               &salt_princ);
 215         if (ret) {
 216                 DEBUG(1,("create_memory_keytab: maksing salt principal failed (%s)\n",
 217                          error_message(ret)));
 218                 return NT_STATUS_INTERNAL_ERROR;
 219         }
 220
 221         password_s = talloc_strdup(mem_ctx, cli_credentials_get_password(machine_account));
 222         if (!password_s) {
 223                 /* If we don't have the plaintext password, try for
 224                  * the MD4 password hash */
 225
 226                 krb5_keytab_entry entry;
 227                 const struct samr_Password *mach_pwd;
 228                 mach_pwd = cli_credentials_get_nt_hash(machine_account, mem_ctx);
 229                 if (!mach_pwd) {
 230                         talloc_free(mem_ctx);
 231                         DEBUG(1, ("create_memory_keytab: Domain trust informaton for account %s not available\n",
 232                                   cli_credentials_get_principal(machine_account, mem_ctx)));
 233                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 234                 }
 235                 ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
 236                                          ENCTYPE_ARCFOUR_HMAC,
 237                                          mach_pwd->hash, sizeof(mach_pwd->hash),
 238                                          &entry.keyblock);
 239                 if (ret) {
 240                         DEBUG(1, ("create_memory_keytab: krb5_keyblock_init failed: %s\n",
 241                                   smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 242                                                              ret, mem_ctx)));
 243                         return NT_STATUS_INTERNAL_ERROR;
 244                 }
 245
 246                 entry.principal = salt_princ;
 247                 entry.vno       = cli_credentials_get_kvno(machine_account);
 248                 ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, *keytab, &entry);
 249                 if (ret) {
 250                         DEBUG(1, ("Failed to add ARCFOUR_HMAC (only) entry for %s to keytab: %s",
 251                                   cli_credentials_get_principal(machine_account, mem_ctx),
 252                                   smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 253                                                              ret, mem_ctx)));
 254                         talloc_free(mem_ctx);
 255                         krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
 256                         return NT_STATUS_INTERNAL_ERROR;
 257                 }
 258
 259                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
 260                 return NT_STATUS_OK;
 261         }
 262
 263         /* good, we actually have the real plaintext */
 264
 265         ret = get_kerberos_allowed_etypes(smb_krb5_context->krb5_context,
 266                                           &enctypes);
 267         if (ret) {
 268                 DEBUG(1,("create_memory_keytab: getting encrption types failed (%s)\n",
 269                          error_message(ret)));
 270                 talloc_free(mem_ctx);
 271                 return NT_STATUS_INTERNAL_ERROR;
 272         }
 273
 274         password.data = discard_const_p(char *, password_s);
 275         password.length = strlen(password_s);
 276
 277         for (i=0; enctypes[i]; i++) {
 278                 krb5_keytab_entry entry;
 279                 ret = create_kerberos_key_from_string(smb_krb5_context->krb5_context,
 280                                                       salt_princ, &password, &entry.keyblock, enctypes[i]);
 281                 if (ret) {
 282                         talloc_free(mem_ctx);
 283                         return NT_STATUS_INTERNAL_ERROR;
 284                 }
 285
 286                 entry.principal = salt_princ;
 287                 entry.vno       = cli_credentials_get_kvno(machine_account);
 288                 ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, *keytab, &entry);
 289                 if (ret) {
 290                         DEBUG(1, ("Failed to add entry for %s to keytab: %s",
 291                                   cli_credentials_get_principal(machine_account, mem_ctx),
 292                                   smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 293                                                              ret, mem_ctx)));
 294                         talloc_free(mem_ctx);
 295                         krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
 296                         return NT_STATUS_INTERNAL_ERROR;
 297                 }
 298
 299                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
 300         }
 301
 302         free_kerberos_etypes(smb_krb5_context->krb5_context, enctypes);
 303
 304         return NT_STATUS_OK;
 305 }
 306
 307