r25026: Move param/param.h out of includes.h

[kai/samba-autobuild/.git] / source4 / kdc / hdb-ldb.c
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c

index f7bbbb9a9b52af20f72281250a92ec67624aae6d..93f45b8cf7fb3c58698e3ec33dc5b0f531d040b3 100644 (file)
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -46,32 +46,15 @@
  #include "auth/auth_sam.h"
  #include "db_wrap.h"
  #include "dsdb/samdb/samdb.h"
+#include "librpc/ndr/libndr.h"
+#include "librpc/gen_ndr/ndr_drsblobs.h"
+#include "libcli/auth/libcli_auth.h"
+#include "param/param.h"
  
  enum hdb_ldb_ent_type 
  { HDB_LDB_ENT_TYPE_CLIENT, HDB_LDB_ENT_TYPE_SERVER, 
    HDB_LDB_ENT_TYPE_KRBTGT, HDB_LDB_ENT_TYPE_ANY };
  
-static const char * const krb5_attrs[] = {
-       "objectClass",
-       "sAMAccountName",
-
-       "userPrincipalName",
-       "servicePrincipalName",
-
-       "krb5Key",
-
-       "userAccountControl",
-
-       "pwdLastSet",
-       "accountExpires",
-
-       "whenCreated",
-       "whenChanged",
-
-       "msDS-KeyVersionNumber",
-       NULL
-};
-
  static const char *realm_ref_attrs[] = {
         "nCName", 
         "dnsRoot", 
@@ -196,6 +179,204 @@ static void hdb_ldb_free_entry(krb5_context context, hdb_entry_ex *entry_ex)
         talloc_free(entry_ex->ctx);
  }
  
+static krb5_error_code LDB_message2entry_keys(krb5_context context,
+                                             TALLOC_CTX *mem_ctx,
+                                             struct ldb_message *msg,
+                                             unsigned int userAccountControl,
+                                             hdb_entry_ex *entry_ex)
+{
+       krb5_error_code ret = 0;
+       NTSTATUS status;
+       struct samr_Password *hash;
+       const struct ldb_val *sc_val;
+       struct supplementalCredentialsBlob scb;
+       struct supplementalCredentialsPackage *scp = NULL;
+       struct package_PrimaryKerberosBlob _pkb;
+       struct package_PrimaryKerberosCtr3 *pkb3 = NULL;
+       uint32_t i;
+       uint32_t allocated_keys = 0;
+
+       entry_ex->entry.keys.val = NULL;
+       entry_ex->entry.keys.len = 0;
+
+       entry_ex->entry.kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0);
+
+       /* Get keys from the db */
+
+       hash = samdb_result_hash(mem_ctx, msg, "unicodePwd");
+       sc_val = ldb_msg_find_ldb_val(msg, "supplementalCredentials");
+
+       /* unicodePwd for enctype 0x17 (23) if present */
+       if (hash) {
+               allocated_keys++;
+       }
+
+       /* supplementalCredentials if present */
+       if (sc_val) {
+               status = ndr_pull_struct_blob_all(sc_val, mem_ctx, &scb,
+                                                 (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
+               if (!NT_STATUS_IS_OK(status)) {
+                       dump_data(0, sc_val->data, sc_val->length);
+                       ret = EINVAL;
+                       goto out;
+               }
+
+               for (i=0; i < scb.sub.num_packages; i++) {
+                       if (scb.sub.packages[i].unknown1 != 0x00000001) {
+                               continue;
+                       }
+
+                       if (strcmp("Primary:Kerberos", scb.sub.packages[i].name) != 0) {
+                               continue;
+                       }
+
+                       if (!scb.sub.packages[i].data || !scb.sub.packages[i].data[0]) {
+                               continue;
+                       }
+
+                       scp = &scb.sub.packages[i];
+                       break;
+               }
+       }
+       /* Primary:Kerberos element of supplementalCredentials */
+       if (scp) {
+               DATA_BLOB blob;
+
+               blob = strhex_to_data_blob(scp->data);
+               if (!blob.data) {
+                       ret = ENOMEM;
+                       goto out;
+               }
+               talloc_steal(mem_ctx, blob.data);
+
+               /* TODO: use ndr_pull_struct_blob_all(), when the ndr layer handles it correct with relative pointers */
+               status = ndr_pull_struct_blob(&blob, mem_ctx, &_pkb,
+                                             (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
+               if (!NT_STATUS_IS_OK(status)) {
+                       krb5_set_error_string(context, "LDB_message2entry_keys: could not parse package_PrimaryKerberosBlob");
+                       krb5_warnx(context, "LDB_message2entry_keys: could not parse package_PrimaryKerberosBlob");
+                       ret = EINVAL;
+                       goto out;
+               }
+
+               if (_pkb.version != 3) {
+                       krb5_set_error_string(context, "LDB_message2entry_keys: could not parse PrimaryKerberos not version 3");
+                       krb5_warnx(context, "LDB_message2entry_keys: could not parse PrimaryKerberos not version 3");
+                       ret = EINVAL;
+                       goto out;
+               }
+               
+               pkb3 = &_pkb.ctr.ctr3;
+
+               allocated_keys += pkb3->num_keys;
+       }
+
+       if (allocated_keys == 0) {
+               /* oh, no password.  Apparently (comment in
+                * hdb-ldap.c) this violates the ASN.1, but this
+                * allows an entry with no keys (yet). */
+               return 0;
+       }
+
+       /* allocate space to decode into */
+       entry_ex->entry.keys.len = 0;
+       entry_ex->entry.keys.val = calloc(allocated_keys, sizeof(Key));
+       if (entry_ex->entry.keys.val == NULL) {
+               ret = ENOMEM;
+               goto out;
+       }
+
+       if (hash && !(userAccountControl & UF_USE_DES_KEY_ONLY)) {
+               Key key;
+
+               key.mkvno = 0;
+               key.salt = NULL; /* No salt for this enc type */
+
+               ret = krb5_keyblock_init(context,
+                                        ENCTYPE_ARCFOUR_HMAC_MD5,
+                                        hash->hash, sizeof(hash->hash), 
+                                        &key.key);
+               if (ret) {
+                       goto out;
+               }
+
+               entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
+               entry_ex->entry.keys.len++;
+       }
+
+       if (pkb3) {
+               for (i=0; i < pkb3->num_keys; i++) {
+                       bool use = true;
+                       Key key;
+
+                       if (!pkb3->keys[i].value) continue;
+
+                       if (userAccountControl & UF_USE_DES_KEY_ONLY) {
+                               switch (pkb3->keys[i].keytype) {
+                               case ENCTYPE_DES_CBC_CRC:
+                               case ENCTYPE_DES_CBC_MD5:
+                                       break;
+                               default:
+                                       use = false;
+                                       break;
+                               }
+                       }
+
+                       if (!use) continue;
+
+                       key.mkvno = 0;
+
+                       if (pkb3->salt.string) {
+                               DATA_BLOB salt;
+
+                               salt = data_blob_string_const(pkb3->salt.string);
+
+                               key.salt = calloc(1, sizeof(*key.salt));
+                               if (key.salt == NULL) {
+                                       ret = ENOMEM;
+                                       goto out;
+                               }
+
+                               key.salt->type = hdb_pw_salt;
+
+                               ret = krb5_data_copy(&key.salt->salt, salt.data, salt.length);
+                               if (ret) {
+                                       free(key.salt);
+                                       key.salt = NULL;
+                                       goto out;
+                               }
+                       }
+
+                       ret = krb5_keyblock_init(context,
+                                                pkb3->keys[i].keytype,
+                                                pkb3->keys[i].value->data,
+                                                pkb3->keys[i].value->length,
+                                                &key.key);
+                       if (ret) {
+                               if (key.salt) {
+                                       free_Salt(key.salt);
+                                       free(key.salt);
+                                       key.salt = NULL;
+                               }
+                               goto out;
+                       }
+
+                       entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
+                       entry_ex->entry.keys.len++;
+               }
+       }
+
+out:
+       if (ret != 0) {
+               entry_ex->entry.keys.len = 0;
+       }
+       if (entry_ex->entry.keys.len == 0 && entry_ex->entry.keys.val) {
+               free(entry_ex->entry.keys.val);
+               entry_ex->entry.keys.val = NULL;
+       }
+       return ret;
+}
+
  /*
   * Construct an hdb_entry from a directory entry.
   */
@@ -220,7 +401,6 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
  
         struct hdb_ldb_private *private;
         NTTIME acct_expiry;
-       struct ldb_message_element *ldb_keys;
  
         struct ldb_message_element *objectclasses;
         struct ldb_val computer_val;
@@ -292,8 +472,6 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
                 krb5_princ_set_realm(context, entry_ex->entry.principal, &strdup_realm);
         }
  
-       entry_ex->entry.kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0);
-
         entry_ex->entry.flags = uf2HDBFlags(context, userAccountControl, ent_type);
  
         if (ent_type == HDB_LDB_ENT_TYPE_KRBTGT) {
@@ -365,52 +543,12 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
  
         entry_ex->entry.generation = NULL;
  
-       /* Get krb5Key from the db */
-
-       ldb_keys = ldb_msg_find_element(msg, "krb5Key");
-
-       if (!ldb_keys) {
-               /* oh, no password.  Apparently (comment in
-                * hdb-ldap.c) this violates the ASN.1, but this
-                * allows an entry with no keys (yet). */
-               entry_ex->entry.keys.val = NULL;
-               entry_ex->entry.keys.len = 0;
-       } else {
-               /* allocate space to decode into */
-               entry_ex->entry.keys.val = calloc(ldb_keys->num_values, sizeof(Key));
-               if (entry_ex->entry.keys.val == NULL) {
-                       ret = ENOMEM;
-                       goto out;
-               }
-
-               entry_ex->entry.keys.len = 0;
-
-               /* Decode Kerberos keys into the hdb structure */
-               for (i=0; i < ldb_keys->num_values; i++) {
-                       size_t decode_len;
-                       Key key;
-                       ret = decode_Key(ldb_keys->values[i].data, ldb_keys->values[i].length, 
-                                        &key, &decode_len);
-                       if (ret) {
-                               /* Could be bougus data in the entry, or out of memory */
-                               goto out;
-                       }
-
-                       if (userAccountControl & UF_USE_DES_KEY_ONLY) {
-                               switch (key.key.keytype) {
-                               case KEYTYPE_DES:
-                                       entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
-                                       entry_ex->entry.keys.len++;
-                               default:
-                                       /* We must use DES keys only */
-                                       break;
-                               }
-                       } else {
-                               entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
-                               entry_ex->entry.keys.len++;
-                       }
-               }
-       } 
+       /* Get keys from the db */
+       ret = LDB_message2entry_keys(context, private, msg, userAccountControl, entry_ex);
+       if (ret) {
+               /* Could be bougus data in the entry, or out of memory */
+               goto out;
+       }
  
         entry_ex->entry.etypes = malloc(sizeof(*(entry_ex->entry.etypes)));
         if (entry_ex->entry.etypes == NULL) {
@@ -434,10 +572,6 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
         private->realm_ref_msg = talloc_steal(private, realm_ref_msg);
         private->samdb = (struct ldb_context *)db->hdb_db;
         
-       entry_ex->check_client_access = hdb_ldb_check_client_access;
-       entry_ex->authz_data_tgs_req = hdb_ldb_authz_data_tgs_req;
-       entry_ex->authz_data_as_req = hdb_ldb_authz_data_as_req;
-
  out:
         if (ret != 0) {
                 /* This doesn't free ent itself, that is for the eventual caller to do */
@@ -459,7 +593,7 @@ static krb5_error_code LDB_lookup_principal(krb5_context context, struct ldb_con
         krb5_error_code ret;
         int lret;
         char *filter = NULL;
-       const char * const *princ_attrs = krb5_attrs;
+       const char * const *princ_attrs = user_attrs;
  
         char *short_princ;
         char *short_princ_talloc;
@@ -630,6 +764,7 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db,
         struct ldb_message **realm_ref_msg = NULL;
         struct ldb_dn *realm_dn;
  
+       krb5_principal alloc_principal = NULL;
         if (principal->name.name_string.len != 2
             || (strcmp(principal->name.name_string.val[0], KRB5_TGS_NAME) != 0)) {
                 /* Not a krbtgt */
@@ -640,6 +775,30 @@ static krb5_error_code LDB_fetch_krbtgt(krb5_context context, HDB *db,
         if ((LDB_lookup_realm(context, (struct ldb_context *)db->hdb_db,
                               mem_ctx, principal->name.name_string.val[1], &realm_ref_msg) == 0)) {
                 /* us */                
+               /* Cludge, cludge cludge.  If the realm part of krbtgt/realm,
+                * is in our db, then direct the caller at our primary
+                * krgtgt */
+               
+               const char *dnsdomain = ldb_msg_find_attr_as_string(realm_ref_msg[0], "dnsRoot", NULL);
+               char *realm_fixed = strupper_talloc(mem_ctx, dnsdomain);
+               if (!realm_fixed) {
+                       krb5_set_error_string(context, "strupper_talloc: out of memory");
+                       return ENOMEM;
+               }
+               
+               ret = krb5_copy_principal(context, principal, &alloc_principal);
+               if (ret) {
+                       return ret;
+               }
+ 
+               free(alloc_principal->name.name_string.val[1]);
+               alloc_principal->name.name_string.val[1] = strdup(realm_fixed);
+               talloc_free(realm_fixed);
+               if (!alloc_principal->name.name_string.val[1]) {
+                       krb5_set_error_string(context, "LDB_fetch: strdup() failed!");
+                       return ENOMEM;
+               }
+               principal = alloc_principal;
                 realm_dn = samdb_result_dn((struct ldb_context *)db->hdb_db, mem_ctx, realm_ref_msg[0], "nCName", NULL);
         } else {
                 /* we should lookup trusted domains */
@@ -705,7 +864,7 @@ static krb5_error_code LDB_fetch_server(krb5_context context, HDB *db,
                 }
                 
                 ldb_ret = gendb_search_dn((struct ldb_context *)db->hdb_db,
-                                         mem_ctx, user_dn, &msg, krb5_attrs);
+                                         mem_ctx, user_dn, &msg, user_attrs);
                 
                 if (ldb_ret != 1) {
                         return HDB_ERR_NOENTRY;
@@ -807,7 +966,7 @@ struct hdb_ldb_seq {
  static krb5_error_code LDB_seq(krb5_context context, HDB *db, unsigned flags, hdb_entry_ex *entry)
  {
         krb5_error_code ret;
-       struct hdb_ldb_seq *priv = (struct hdb_ldb_seq *)db->hdb_openp;
+       struct hdb_ldb_seq *priv = (struct hdb_ldb_seq *)db->hdb_dbc;
         TALLOC_CTX *mem_ctx;
         hdb_entry_ex entry_ex;
         memset(&entry_ex, '\0', sizeof(entry_ex));
@@ -834,7 +993,7 @@ static krb5_error_code LDB_seq(krb5_context context, HDB *db, unsigned flags, hd
  
         if (ret != 0) {
                 talloc_free(priv);
-               db->hdb_openp = NULL;
+               db->hdb_dbc = NULL;
         } else {
                 talloc_free(mem_ctx);
         }
@@ -846,7 +1005,7 @@ static krb5_error_code LDB_firstkey(krb5_context context, HDB *db, unsigned flag
                                         hdb_entry_ex *entry)
  {
         struct ldb_context *ldb_ctx = (struct ldb_context *)db->hdb_db;
-       struct hdb_ldb_seq *priv = (struct hdb_ldb_seq *)db->hdb_openp;
+       struct hdb_ldb_seq *priv = (struct hdb_ldb_seq *)db->hdb_dbc;
         char *realm;
         struct ldb_dn *realm_dn = NULL;
         struct ldb_result *res = NULL;
@@ -857,7 +1016,7 @@ static krb5_error_code LDB_firstkey(krb5_context context, HDB *db, unsigned flag
  
         if (priv) {
                 talloc_free(priv);
-               db->hdb_openp = 0;
+               db->hdb_dbc = NULL;
         }
  
         priv = (struct hdb_ldb_seq *) talloc(db, struct hdb_ldb_seq);
@@ -902,7 +1061,7 @@ static krb5_error_code LDB_firstkey(krb5_context context, HDB *db, unsigned flag
  
         lret = ldb_search(ldb_ctx, realm_dn,
                                  LDB_SCOPE_SUBTREE, "(objectClass=user)",
-                                krb5_attrs, &res);
+                                user_attrs, &res);
  
         if (lret != LDB_SUCCESS) {
                 talloc_free(priv);
@@ -913,13 +1072,13 @@ static krb5_error_code LDB_firstkey(krb5_context context, HDB *db, unsigned flag
         priv->msgs = talloc_steal(priv, res->msgs);
         talloc_free(res);
  
-       db->hdb_openp = priv;
+       db->hdb_dbc = priv;
  
         ret = LDB_seq(context, db, flags, entry);
-       
+
         if (ret != 0) {
                 talloc_free(priv);
-               db->hdb_openp = NULL;
+               db->hdb_dbc = NULL;
         } else {
                 talloc_free(mem_ctx);
         }
@@ -980,7 +1139,7 @@ NTSTATUS kdc_hdb_ldb_create(TALLOC_CTX *mem_ctx,
                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
         }
  
-       (*db)->hdb_openp = 0;
+       (*db)->hdb_dbc = NULL;
         (*db)->hdb_open = LDB_open;
         (*db)->hdb_close = LDB_close;
         (*db)->hdb_fetch = LDB_fetch;
@@ -1004,8 +1163,8 @@ NTSTATUS kdc_hdb_ldb_create(TALLOC_CTX *mem_ctx,
  krb5_error_code hdb_ldb_create(krb5_context context, struct HDB **db, const char *arg)
  {
         NTSTATUS nt_status;
-       /* Disgusting, ugly hack, but it means one less private hook */
-       nt_status = kdc_hdb_ldb_create(context->mem_ctx, context, db, arg);
+       /* The global kdc_mem_ctx, Disgusting, ugly hack, but it means one less private hook */
+       nt_status = kdc_hdb_ldb_create(kdc_mem_ctx, context, db, arg);
  
         if (NT_STATUS_IS_OK(nt_status)) {
                 return 0;