source4/auth/kerberos/kerberos_util.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Kerberos utility functions for GENSEC
   5
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 3 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24 #include "system/kerberos.h"
  25 #include "auth/kerberos/kerberos.h"
  26 #include "auth/credentials/credentials.h"
  27 #include "auth/credentials/credentials_proto.h"
  28 #include "auth/credentials/credentials_krb5.h"
  29 #include "auth/kerberos/kerberos_credentials.h"
  30 #include "auth/kerberos/kerberos_util.h"
  31
  32 struct principal_container {
  33         struct smb_krb5_context *smb_krb5_context;
  34         krb5_principal principal;
  35         const char *string_form; /* Optional */
  36 };
  37
  38 static krb5_error_code free_principal(struct principal_container *pc)
  39 {
  40         /* current heimdal - 0.6.3, which we need anyway, fixes segfaults here */
  41         krb5_free_principal(pc->smb_krb5_context->krb5_context, pc->principal);
  42
  43         return 0;
  44 }
  45
  46
  47 static krb5_error_code parse_principal(TALLOC_CTX *parent_ctx,
  48                                        const char *princ_string,
  49                                        struct smb_krb5_context *smb_krb5_context,
  50                                        krb5_principal *princ,
  51                                        const char **error_string)
  52 {
  53         int ret;
  54         struct principal_container *mem_ctx;
  55         if (princ_string == NULL) {
  56                  *princ = NULL;
  57                  return 0;
  58         }
  59
  60         ret = krb5_parse_name(smb_krb5_context->krb5_context,
  61                               princ_string, princ);
  62
  63         if (ret) {
  64                 (*error_string) = smb_get_krb5_error_message(
  65                                                 smb_krb5_context->krb5_context,
  66                                                 ret, parent_ctx);
  67                 return ret;
  68         }
  69
  70         mem_ctx = talloc(parent_ctx, struct principal_container);
  71         if (!mem_ctx) {
  72                 (*error_string) = error_message(ENOMEM);
  73                 return ENOMEM;
  74         }
  75
  76         /* This song-and-dance effectivly puts the principal
  77          * into talloc, so we can't loose it. */
  78         mem_ctx->smb_krb5_context = talloc_reference(mem_ctx,
  79                                                      smb_krb5_context);
  80         mem_ctx->principal = *princ;
  81         talloc_set_destructor(mem_ctx, free_principal);
  82         return 0;
  83 }
  84
  85 /* Obtain the principal set on this context.  Requires a
  86  * smb_krb5_context because we are doing krb5 principal parsing with
  87  * the library routines.  The returned princ is placed in the talloc
  88  * system by means of a destructor (do *not* free). */
  89
  90 krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx,
  91                                 struct cli_credentials *credentials,
  92                                 struct smb_krb5_context *smb_krb5_context,
  93                                 krb5_principal *princ,
  94                                 enum credentials_obtained *obtained,
  95                                 const char **error_string)
  96 {
  97         krb5_error_code ret;
  98         const char *princ_string;
  99         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
 100         *obtained = CRED_UNINITIALISED;
 101
 102         if (!mem_ctx) {
 103                 (*error_string) = error_message(ENOMEM);
 104                 return ENOMEM;
 105         }
 106         princ_string = cli_credentials_get_principal_and_obtained(credentials,
 107                                                                   mem_ctx,
 108                                                                   obtained);
 109         if (!princ_string) {
 110                 *princ = NULL;
 111                 return 0;
 112         }
 113
 114         ret = parse_principal(parent_ctx, princ_string,
 115                               smb_krb5_context, princ, error_string);
 116         talloc_free(mem_ctx);
 117         return ret;
 118 }
 119
 120 /* Obtain the principal set on this context.  Requires a
 121  * smb_krb5_context because we are doing krb5 principal parsing with
 122  * the library routines.  The returned princ is placed in the talloc
 123  * system by means of a destructor (do *not* free). */
 124
 125 static krb5_error_code impersonate_principal_from_credentials(
 126                                 TALLOC_CTX *parent_ctx,
 127                                 struct cli_credentials *credentials,
 128                                 struct smb_krb5_context *smb_krb5_context,
 129                                 krb5_principal *princ,
 130                                 const char **error_string)
 131 {
 132         return parse_principal(parent_ctx,
 133                         cli_credentials_get_impersonate_principal(credentials),
 134                         smb_krb5_context, princ, error_string);
 135 }
 136
 137 /**
 138  * Return a freshly allocated ccache (destroyed by destructor on child
 139  * of parent_ctx), for a given set of client credentials
 140  */
 141
 142  krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx,
 143                                  struct cli_credentials *credentials,
 144                                  struct smb_krb5_context *smb_krb5_context,
 145                                  struct tevent_context *event_ctx,
 146                                  krb5_ccache ccache,
 147                                  enum credentials_obtained *obtained,
 148                                  const char **error_string)
 149 {
 150         krb5_error_code ret;
 151         const char *password;
 152         const char *self_service;
 153         const char *target_service;
 154         time_t kdc_time = 0;
 155         krb5_principal princ;
 156         krb5_principal impersonate_principal;
 157         int tries;
 158         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
 159         krb5_get_init_creds_opt *krb_options;
 160
 161         if (!mem_ctx) {
 162                 (*error_string) = strerror(ENOMEM);
 163                 return ENOMEM;
 164         }
 165
 166         ret = principal_from_credentials(mem_ctx, credentials, smb_krb5_context, &princ, obtained, error_string);
 167         if (ret) {
 168                 talloc_free(mem_ctx);
 169                 return ret;
 170         }
 171
 172         if (princ == NULL) {
 173                 (*error_string) = talloc_asprintf(credentials, "principal, username or realm was not specified in the credentials");
 174                 talloc_free(mem_ctx);
 175                 return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
 176         }
 177
 178         ret = impersonate_principal_from_credentials(mem_ctx, credentials, smb_krb5_context, &impersonate_principal, error_string);
 179         if (ret) {
 180                 talloc_free(mem_ctx);
 181                 return ret;
 182         }
 183
 184         self_service = cli_credentials_get_self_service(credentials);
 185         target_service = cli_credentials_get_target_service(credentials);
 186
 187         password = cli_credentials_get_password(credentials);
 188
 189         /* setup the krb5 options we want */
 190         if ((ret = krb5_get_init_creds_opt_alloc(smb_krb5_context->krb5_context, &krb_options))) {
 191                 (*error_string) = talloc_asprintf(credentials, "krb5_get_init_creds_opt_alloc failed (%s)\n",
 192                                                   smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 193                                                                              ret, mem_ctx));
 194                 talloc_free(mem_ctx);
 195                 return ret;
 196         }
 197
 198 #ifdef SAMBA4_USES_HEIMDAL /* Disable for now MIT reads defaults when needed */
 199         /* get the defaults */
 200         krb5_get_init_creds_opt_set_default_flags(smb_krb5_context->krb5_context, NULL, NULL, krb_options);
 201 #endif
 202         /* set if we want a forwardable ticket */
 203         switch (cli_credentials_get_krb_forwardable(credentials)) {
 204         case CRED_AUTO_KRB_FORWARDABLE:
 205                 break;
 206         case CRED_NO_KRB_FORWARDABLE:
 207                 krb5_get_init_creds_opt_set_forwardable(krb_options, FALSE);
 208                 break;
 209         case CRED_FORCE_KRB_FORWARDABLE:
 210                 krb5_get_init_creds_opt_set_forwardable(krb_options, TRUE);
 211                 break;
 212         }
 213
 214 #ifdef SAMBA4_USES_HEIMDAL /* FIXME: MIT does not have this yet */
 215         /*
 216          * In order to work against windows KDCs even if we use
 217          * the netbios domain name as realm, we need to add the following
 218          * flags:
 219          * KRB5_INIT_CREDS_NO_C_CANON_CHECK;
 220          * KRB5_INIT_CREDS_NO_C_NO_EKU_CHECK;
 221          */
 222         krb5_get_init_creds_opt_set_win2k(smb_krb5_context->krb5_context,
 223                                           krb_options, true);
 224 #endif
 225
 226         tries = 2;
 227         while (tries--) {
 228                 struct tevent_context *previous_ev;
 229                 /* Do this every time, in case we have weird recursive issues here */
 230 #ifdef SAMBA4_USES_HEIMDAL
 231                 ret = smb_krb5_context_set_event_ctx(smb_krb5_context, event_ctx, &previous_ev);
 232                 if (ret) {
 233                         talloc_free(mem_ctx);
 234                         return ret;
 235                 }
 236 #endif
 237                 if (password) {
 238                         if (impersonate_principal) {
 239 #ifdef SAMBA4_USES_HEIMDAL
 240                                 ret = kerberos_kinit_s4u2_cc(
 241                                                 smb_krb5_context->krb5_context,
 242                                                 ccache, princ, password,
 243                                                 impersonate_principal,
 244                                                 self_service, target_service,
 245                                                 krb_options, NULL, &kdc_time);
 246 #else
 247                                 talloc_free(mem_ctx);
 248                                 (*error_string) = "INTERNAL error: s4u2 ops "
 249                                         "are not supported with MIT build yet";
 250                                 return EINVAL;
 251 #endif
 252                         } else {
 253                                 ret = kerberos_kinit_password_cc(
 254                                                 smb_krb5_context->krb5_context,
 255                                                 ccache, princ, password,
 256                                                 target_service,
 257                                                 krb_options, NULL, &kdc_time);
 258                         }
 259                 } else if (impersonate_principal) {
 260                         talloc_free(mem_ctx);
 261                         (*error_string) = "INTERNAL error: Cannot impersonate principal with just a keyblock.  A password must be specified in the credentials";
 262                         return EINVAL;
 263                 } else {
 264                         /* No password available, try to use a keyblock instead */
 265
 266                         krb5_keyblock keyblock;
 267                         const struct samr_Password *mach_pwd;
 268                         mach_pwd = cli_credentials_get_nt_hash(credentials, mem_ctx);
 269                         if (!mach_pwd) {
 270                                 talloc_free(mem_ctx);
 271                                 (*error_string) = "kinit_to_ccache: No password available for kinit\n";
 272                                 krb5_get_init_creds_opt_free(smb_krb5_context->krb5_context, krb_options);
 273 #ifdef SAMBA4_USES_HEIMDAL
 274                                 smb_krb5_context_remove_event_ctx(smb_krb5_context, previous_ev, event_ctx);
 275 #endif
 276                                 return EINVAL;
 277                         }
 278                         ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
 279                                                  ENCTYPE_ARCFOUR_HMAC,
 280                                                  mach_pwd->hash, sizeof(mach_pwd->hash),
 281                                                  &keyblock);
 282
 283                         if (ret == 0) {
 284                                 ret = kerberos_kinit_keyblock_cc(smb_krb5_context->krb5_context, ccache,
 285                                                                  princ, &keyblock,
 286                                                                  target_service, krb_options,
 287                                                                  NULL, &kdc_time);
 288                                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &keyblock);
 289                         }
 290                 }
 291
 292 #ifdef SAMBA4_USES_HEIMDAL
 293                 smb_krb5_context_remove_event_ctx(smb_krb5_context, previous_ev, event_ctx);
 294 #endif
 295
 296                 if (ret == KRB5KRB_AP_ERR_SKEW || ret == KRB5_KDCREP_SKEW) {
 297                         /* Perhaps we have been given an invalid skew, so try again without it */
 298                         time_t t = time(NULL);
 299                         krb5_set_real_time(smb_krb5_context->krb5_context, t, 0);
 300                 } else {
 301                         /* not a skew problem */
 302                         break;
 303                 }
 304         }
 305
 306         krb5_get_init_creds_opt_free(smb_krb5_context->krb5_context, krb_options);
 307
 308         if (ret == KRB5KRB_AP_ERR_SKEW || ret == KRB5_KDCREP_SKEW) {
 309                 (*error_string) = talloc_asprintf(credentials, "kinit for %s failed (%s)\n",
 310                                                   cli_credentials_get_principal(credentials, mem_ctx),
 311                                                   smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 312                                                                              ret, mem_ctx));
 313                 talloc_free(mem_ctx);
 314                 return ret;
 315         }
 316
 317         /* cope with ticket being in the future due to clock skew */
 318         if ((unsigned)kdc_time > time(NULL)) {
 319                 time_t t = time(NULL);
 320                 int time_offset =(unsigned)kdc_time-t;
 321                 DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset));
 322                 krb5_set_real_time(smb_krb5_context->krb5_context, t + time_offset + 1, 0);
 323         }
 324
 325         if (ret == KRB5KDC_ERR_PREAUTH_FAILED && cli_credentials_wrong_password(credentials)) {
 326                 ret = kinit_to_ccache(parent_ctx,
 327                                       credentials,
 328                                       smb_krb5_context,
 329                                       event_ctx,
 330                                       ccache, obtained,
 331                                       error_string);
 332         }
 333
 334         if (ret) {
 335                 (*error_string) = talloc_asprintf(credentials, "kinit for %s failed (%s)\n",
 336                                                   cli_credentials_get_principal(credentials, mem_ctx),
 337                                                   smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 338                                                                              ret, mem_ctx));
 339                 talloc_free(mem_ctx);
 340                 return ret;
 341         }
 342         talloc_free(mem_ctx);
 343         return 0;
 344 }
 345
 346 static krb5_error_code free_keytab_container(struct keytab_container *ktc)
 347 {
 348         return krb5_kt_close(ktc->smb_krb5_context->krb5_context, ktc->keytab);
 349 }
 350
 351 krb5_error_code smb_krb5_get_keytab_container(TALLOC_CTX *mem_ctx,
 352                                 struct smb_krb5_context *smb_krb5_context,
 353                                 krb5_keytab opt_keytab,
 354                                 const char *keytab_name,
 355                                 struct keytab_container **ktc)
 356 {
 357         krb5_keytab keytab;
 358         krb5_error_code ret;
 359
 360         if (opt_keytab) {
 361                 keytab = opt_keytab;
 362         } else {
 363                 ret = krb5_kt_resolve(smb_krb5_context->krb5_context,
 364                                                 keytab_name, &keytab);
 365                 if (ret) {
 366                         DEBUG(1,("failed to open krb5 keytab: %s\n",
 367                                  smb_get_krb5_error_message(
 368                                         smb_krb5_context->krb5_context,
 369                                         ret, mem_ctx)));
 370                         return ret;
 371                 }
 372         }
 373
 374         *ktc = talloc(mem_ctx, struct keytab_container);
 375         if (!*ktc) {
 376                 return ENOMEM;
 377         }
 378
 379         (*ktc)->smb_krb5_context = talloc_reference(*ktc, smb_krb5_context);
 380         (*ktc)->keytab = keytab;
 381         talloc_set_destructor(*ktc, free_keytab_container);
 382
 383         return 0;
 384 }