81b4181ce72d4579ca7e7c92d856d456bf6165e4
[kai/samba.git] / source4 / auth / gensec / gensec_krb5.c
1 /* 
2    Unix SMB/CIFS implementation.
3
4    Kerberos backend for GENSEC
5    
6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
7    Copyright (C) Andrew Tridgell 2001
8    Copyright (C) Luke Howard 2002-2003
9    Copyright (C) Stefan Metzmacher 2004-2005
10
11    This program is free software; you can redistribute it and/or modify
12    it under the terms of the GNU General Public License as published by
13    the Free Software Foundation; either version 3 of the License, or
14    (at your option) any later version.
15    
16    This program is distributed in the hope that it will be useful,
17    but WITHOUT ANY WARRANTY; without even the implied warranty of
18    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
19    GNU General Public License for more details.
20
21    
22    You should have received a copy of the GNU General Public License
23    along with this program.  If not, see <http://www.gnu.org/licenses/>.
24 */
25
26 #include "includes.h"
27 #include "system/kerberos.h"
28 #include "auth/kerberos/kerberos.h"
29 #include "librpc/gen_ndr/krb5pac.h"
30 #include "auth/auth.h"
31 #include "lib/ldb/include/ldb.h"
32 #include "auth/auth_sam.h"
33 #include "system/network.h"
34 #include "lib/socket/socket.h"
35 #include "librpc/rpc/dcerpc.h"
36 #include "auth/credentials/credentials.h"
37 #include "auth/credentials/credentials_krb5.h"
38 #include "auth/gensec/gensec.h"
39 #include "param/param.h"
40
41 enum GENSEC_KRB5_STATE {
42         GENSEC_KRB5_SERVER_START,
43         GENSEC_KRB5_CLIENT_START,
44         GENSEC_KRB5_CLIENT_MUTUAL_AUTH,
45         GENSEC_KRB5_DONE
46 };
47
48 struct gensec_krb5_state {
49         DATA_BLOB session_key;
50         DATA_BLOB pac;
51         enum GENSEC_KRB5_STATE state_position;
52         struct smb_krb5_context *smb_krb5_context;
53         krb5_auth_context auth_context;
54         krb5_data enc_ticket;
55         krb5_keyblock *keyblock;
56         krb5_ticket *ticket;
57         BOOL gssapi;
58 };
59
60 static int gensec_krb5_destroy(struct gensec_krb5_state *gensec_krb5_state)
61 {
62         if (!gensec_krb5_state->smb_krb5_context) {
63                 /* We can't clean anything else up unless we started up this far */
64                 return 0;
65         }
66         if (gensec_krb5_state->enc_ticket.length) { 
67                 kerberos_free_data_contents(gensec_krb5_state->smb_krb5_context->krb5_context, 
68                                             &gensec_krb5_state->enc_ticket); 
69         }
70
71         if (gensec_krb5_state->ticket) {
72                 krb5_free_ticket(gensec_krb5_state->smb_krb5_context->krb5_context, 
73                                  gensec_krb5_state->ticket);
74         }
75
76         /* ccache freed in a child destructor */
77
78         krb5_free_keyblock(gensec_krb5_state->smb_krb5_context->krb5_context, 
79                            gensec_krb5_state->keyblock);
80                 
81         if (gensec_krb5_state->auth_context) {
82                 krb5_auth_con_free(gensec_krb5_state->smb_krb5_context->krb5_context, 
83                                    gensec_krb5_state->auth_context);
84         }
85
86         return 0;
87 }
88
89 static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
90 {
91         krb5_error_code ret;
92         struct gensec_krb5_state *gensec_krb5_state;
93         struct cli_credentials *creds;
94         const struct socket_address *my_addr, *peer_addr;
95         krb5_address my_krb5_addr, peer_krb5_addr;
96         
97         creds = gensec_get_credentials(gensec_security);
98         if (!creds) {
99                 return NT_STATUS_INVALID_PARAMETER;
100         }
101
102         gensec_krb5_state = talloc(gensec_security, struct gensec_krb5_state);
103         if (!gensec_krb5_state) {
104                 return NT_STATUS_NO_MEMORY;
105         }
106
107         gensec_security->private_data = gensec_krb5_state;
108         gensec_krb5_state->smb_krb5_context = NULL;
109         gensec_krb5_state->auth_context = NULL;
110         gensec_krb5_state->ticket = NULL;
111         ZERO_STRUCT(gensec_krb5_state->enc_ticket);
112         gensec_krb5_state->keyblock = NULL;
113         gensec_krb5_state->session_key = data_blob(NULL, 0);
114         gensec_krb5_state->pac = data_blob(NULL, 0);
115         gensec_krb5_state->gssapi = False;
116
117         talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy); 
118
119         if (cli_credentials_get_krb5_context(creds, &gensec_krb5_state->smb_krb5_context)) {
120                 talloc_free(gensec_krb5_state);
121                 return NT_STATUS_INTERNAL_ERROR;
122         }
123
124         ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context);
125         if (ret) {
126                 DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n", 
127                          smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
128                                                     ret, gensec_krb5_state)));
129                 talloc_free(gensec_krb5_state);
130                 return NT_STATUS_INTERNAL_ERROR;
131         }
132
133         ret = krb5_auth_con_setflags(gensec_krb5_state->smb_krb5_context->krb5_context, 
134                                      gensec_krb5_state->auth_context,
135                                      KRB5_AUTH_CONTEXT_DO_SEQUENCE);
136         if (ret) {
137                 DEBUG(1,("gensec_krb5_start: krb5_auth_con_setflags failed (%s)\n", 
138                          smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
139                                                     ret, gensec_krb5_state)));
140                 talloc_free(gensec_krb5_state);
141                 return NT_STATUS_INTERNAL_ERROR;
142         }
143
144         my_addr = gensec_get_my_addr(gensec_security);
145         if (my_addr && my_addr->sockaddr) {
146                 ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context, 
147                                             my_addr->sockaddr, &my_krb5_addr);
148                 if (ret) {
149                         DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n", 
150                                  smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
151                                                             ret, gensec_krb5_state)));
152                         talloc_free(gensec_krb5_state);
153                         return NT_STATUS_INTERNAL_ERROR;
154                 }
155         }
156
157         peer_addr = gensec_get_peer_addr(gensec_security);
158         if (peer_addr && peer_addr->sockaddr) {
159                 ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context, 
160                                             peer_addr->sockaddr, &peer_krb5_addr);
161                 if (ret) {
162                         DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n", 
163                                  smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
164                                                             ret, gensec_krb5_state)));
165                         talloc_free(gensec_krb5_state);
166                         return NT_STATUS_INTERNAL_ERROR;
167                 }
168         }
169
170         ret = krb5_auth_con_setaddrs(gensec_krb5_state->smb_krb5_context->krb5_context, 
171                                      gensec_krb5_state->auth_context,
172                                      my_addr ? &my_krb5_addr : NULL, 
173                                      peer_addr ? &peer_krb5_addr : NULL);
174         if (ret) {
175                 DEBUG(1,("gensec_krb5_start: krb5_auth_con_setaddrs failed (%s)\n", 
176                          smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
177                                                     ret, gensec_krb5_state)));
178                 talloc_free(gensec_krb5_state);
179                 return NT_STATUS_INTERNAL_ERROR;
180         }
181
182         return NT_STATUS_OK;
183 }
184
185 static NTSTATUS gensec_krb5_server_start(struct gensec_security *gensec_security)
186 {
187         NTSTATUS nt_status;
188         struct gensec_krb5_state *gensec_krb5_state;
189
190         nt_status = gensec_krb5_start(gensec_security);
191         if (!NT_STATUS_IS_OK(nt_status)) {
192                 return nt_status;
193         }
194         
195         gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
196         gensec_krb5_state->state_position = GENSEC_KRB5_SERVER_START;
197
198         return NT_STATUS_OK;
199 }
200
201 static NTSTATUS gensec_fake_gssapi_krb5_server_start(struct gensec_security *gensec_security)
202 {
203         NTSTATUS nt_status = gensec_krb5_server_start(gensec_security);
204
205         if (NT_STATUS_IS_OK(nt_status)) {
206                 struct gensec_krb5_state *gensec_krb5_state;
207                 gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
208                 gensec_krb5_state->gssapi = True;
209         }
210         return nt_status;
211 }
212
213 static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security)
214 {
215         struct gensec_krb5_state *gensec_krb5_state;
216         krb5_error_code ret;
217         NTSTATUS nt_status;
218         struct ccache_container *ccache_container;
219         const char *hostname;
220         krb5_flags ap_req_options = AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED;
221
222         const char *principal;
223         krb5_data in_data;
224
225         hostname = gensec_get_target_hostname(gensec_security);
226         if (!hostname) {
227                 DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
228                 return NT_STATUS_INVALID_PARAMETER;
229         }
230         if (is_ipaddress(hostname)) {
231                 DEBUG(2, ("Cannot do krb5 to an IP address"));
232                 return NT_STATUS_INVALID_PARAMETER;
233         }
234         if (strcmp(hostname, "localhost") == 0) {
235                 DEBUG(2, ("krb5 to 'localhost' does not make sense"));
236                 return NT_STATUS_INVALID_PARAMETER;
237         }
238                         
239         nt_status = gensec_krb5_start(gensec_security);
240         if (!NT_STATUS_IS_OK(nt_status)) {
241                 return nt_status;
242         }
243
244         gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
245         gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
246
247         principal = gensec_get_target_principal(gensec_security);
248
249         ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security), &ccache_container);
250         switch (ret) {
251         case 0:
252                 break;
253         case KRB5KDC_ERR_PREAUTH_FAILED:
254                 return NT_STATUS_LOGON_FAILURE;
255         case KRB5_KDC_UNREACH:
256                 DEBUG(3, ("Cannot reach a KDC we require to contact %s\n", principal));
257                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
258         default:
259                 DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentails failed: %s\n", error_message(ret)));
260                 return NT_STATUS_UNSUCCESSFUL;
261         }
262         in_data.length = 0;
263         
264         if (principal && lp_client_use_spnego_principal()) {
265                 krb5_principal target_principal;
266                 ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
267                                       &target_principal);
268                 if (ret == 0) {
269                         ret = krb5_mk_req_exact(gensec_krb5_state->smb_krb5_context->krb5_context, 
270                                                 &gensec_krb5_state->auth_context,
271                                                 ap_req_options, 
272                                                 target_principal,
273                                                 &in_data, ccache_container->ccache, 
274                                                 &gensec_krb5_state->enc_ticket);
275                         krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context, 
276                                             target_principal);
277                 }
278         } else {
279                 ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context, 
280                                   &gensec_krb5_state->auth_context,
281                                   ap_req_options,
282                                   gensec_get_target_service(gensec_security),
283                                   hostname,
284                                   &in_data, ccache_container->ccache, 
285                                   &gensec_krb5_state->enc_ticket);
286         }
287         switch (ret) {
288         case 0:
289                 return NT_STATUS_OK;
290         case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
291                 DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n", 
292                           hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
293                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
294         case KRB5_KDC_UNREACH:
295                 DEBUG(3, ("Cannot reach a KDC we require to contact host [%s]: %s\n",
296                           hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
297                 return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
298         case KRB5KDC_ERR_PREAUTH_FAILED:
299         case KRB5KRB_AP_ERR_TKT_EXPIRED:
300         case KRB5_CC_END:
301                 /* Too much clock skew - we will need to kinit to re-skew the clock */
302         case KRB5KRB_AP_ERR_SKEW:
303         case KRB5_KDCREP_SKEW:
304         {
305                 DEBUG(3, ("kerberos (mk_req) failed: %s\n", 
306                           smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
307                 /*fall through*/
308         }
309         
310         /* just don't print a message for these really ordinary messages */
311         case KRB5_FCC_NOFILE:
312         case KRB5_CC_NOTFOUND:
313         case ENOENT:
314                 
315                 return NT_STATUS_UNSUCCESSFUL;
316                 break;
317                 
318         default:
319                 DEBUG(0, ("kerberos: %s\n", 
320                           smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
321                 return NT_STATUS_UNSUCCESSFUL;
322         }
323 }
324
325 static NTSTATUS gensec_fake_gssapi_krb5_client_start(struct gensec_security *gensec_security)
326 {
327         NTSTATUS nt_status = gensec_krb5_client_start(gensec_security);
328
329         if (NT_STATUS_IS_OK(nt_status)) {
330                 struct gensec_krb5_state *gensec_krb5_state;
331                 gensec_krb5_state = gensec_security->private_data;
332                 gensec_krb5_state->gssapi = True;
333         }
334         return nt_status;
335 }
336
337 /**
338  * Check if the packet is one for this mechansim
339  * 
340  * @param gensec_security GENSEC state
341  * @param in The request, as a DATA_BLOB
342  * @return Error, INVALID_PARAMETER if it's not a packet for us
343  *                or NT_STATUS_OK if the packet is ok. 
344  */
345
346 static NTSTATUS gensec_fake_gssapi_krb5_magic(struct gensec_security *gensec_security, 
347                                   const DATA_BLOB *in) 
348 {
349         if (gensec_gssapi_check_oid(in, GENSEC_OID_KERBEROS5)) {
350                 return NT_STATUS_OK;
351         } else {
352                 return NT_STATUS_INVALID_PARAMETER;
353         }
354 }
355
356
357 /**
358  * Next state function for the Krb5 GENSEC mechanism
359  * 
360  * @param gensec_krb5_state KRB5 State
361  * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
362  * @param in The request, as a DATA_BLOB
363  * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
364  * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent, 
365  *                or NT_STATUS_OK if the user is authenticated. 
366  */
367
368 static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, 
369                                    TALLOC_CTX *out_mem_ctx, 
370                                    const DATA_BLOB in, DATA_BLOB *out) 
371 {
372         struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data;
373         krb5_error_code ret = 0;
374         NTSTATUS nt_status;
375
376         switch (gensec_krb5_state->state_position) {
377         case GENSEC_KRB5_CLIENT_START:
378         {
379                 DATA_BLOB unwrapped_out;
380                 
381                 if (gensec_krb5_state->gssapi) {
382                         unwrapped_out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length);
383                         
384                         /* wrap that up in a nice GSS-API wrapping */
385                         *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REQ);
386                 } else {
387                         *out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length);
388                 }
389                 gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH;
390                 nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
391                 return nt_status;
392         }
393                 
394         case GENSEC_KRB5_CLIENT_MUTUAL_AUTH:
395         {
396                 DATA_BLOB unwrapped_in;
397                 krb5_data inbuf;
398                 krb5_ap_rep_enc_part *repl = NULL;
399                 uint8_t tok_id[2];
400
401                 if (gensec_krb5_state->gssapi) {
402                         if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
403                                 DEBUG(1,("gensec_gssapi_parse_krb5_wrap(mutual authentication) failed to parse\n"));
404                                 dump_data_pw("Mutual authentication message:\n", in.data, in.length);
405                                 return NT_STATUS_INVALID_PARAMETER;
406                         }
407                 } else {
408                         unwrapped_in = in;
409                 }
410                 /* TODO: check the tok_id */
411
412                 inbuf.data = unwrapped_in.data;
413                 inbuf.length = unwrapped_in.length;
414                 ret = krb5_rd_rep(gensec_krb5_state->smb_krb5_context->krb5_context, 
415                                   gensec_krb5_state->auth_context,
416                                   &inbuf, &repl);
417                 if (ret) {
418                         DEBUG(1,("krb5_rd_rep (mutual authentication) failed (%s)\n",
419                                  smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, out_mem_ctx)));
420                         dump_data_pw("Mutual authentication message:\n", inbuf.data, inbuf.length);
421                         nt_status = NT_STATUS_ACCESS_DENIED;
422                 } else {
423                         *out = data_blob(NULL, 0);
424                         nt_status = NT_STATUS_OK;
425                         gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
426                 }
427                 if (repl) {
428                         krb5_free_ap_rep_enc_part(gensec_krb5_state->smb_krb5_context->krb5_context, repl);
429                 }
430                 return nt_status;
431         }
432
433         case GENSEC_KRB5_SERVER_START:
434         {
435                 DATA_BLOB unwrapped_in;
436                 DATA_BLOB unwrapped_out = data_blob(NULL, 0);
437                 krb5_data inbuf, outbuf;
438                 uint8_t tok_id[2];
439                 struct keytab_container *keytab;
440                 krb5_principal server_in_keytab;
441
442                 if (!in.data) {
443                         return NT_STATUS_INVALID_PARAMETER;
444                 }       
445
446                 /* Grab the keytab, however generated */
447                 ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security), &keytab);
448                 if (ret) {
449                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
450                 }
451                 
452                 /* This ensures we lookup the correct entry in that keytab */
453                 ret = principal_from_credentials(out_mem_ctx, gensec_get_credentials(gensec_security), 
454                                                  gensec_krb5_state->smb_krb5_context, 
455                                                  &server_in_keytab);
456
457                 if (ret) {
458                         return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
459                 }
460
461                 /* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
462                 if (gensec_krb5_state->gssapi
463                     && gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
464                         inbuf.data = unwrapped_in.data;
465                         inbuf.length = unwrapped_in.length;
466                 } else {
467                         inbuf.data = in.data;
468                         inbuf.length = in.length;
469                 }
470
471                 ret = smb_rd_req_return_stuff(gensec_krb5_state->smb_krb5_context->krb5_context,
472                                               &gensec_krb5_state->auth_context, 
473                                               &inbuf, keytab->keytab, server_in_keytab,  
474                                               &outbuf, 
475                                               &gensec_krb5_state->ticket, 
476                                               &gensec_krb5_state->keyblock);
477
478                 if (ret) {
479                         return NT_STATUS_LOGON_FAILURE;
480                 }
481                 unwrapped_out.data = outbuf.data;
482                 unwrapped_out.length = outbuf.length;
483                 gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
484                 /* wrap that up in a nice GSS-API wrapping */
485                 if (gensec_krb5_state->gssapi) {
486                         *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
487                 } else {
488                         *out = data_blob_talloc(out_mem_ctx, outbuf.data, outbuf.length);
489                 }
490                 krb5_data_free(&outbuf);
491                 return NT_STATUS_OK;
492         }
493
494         case GENSEC_KRB5_DONE:
495         default:
496                 /* Asking too many times... */
497                 return NT_STATUS_INVALID_PARAMETER;
498         }
499 }
500
501 static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security, 
502                                         DATA_BLOB *session_key) 
503 {
504         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
505         krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
506         krb5_auth_context auth_context = gensec_krb5_state->auth_context;
507         krb5_keyblock *skey;
508         krb5_error_code err = -1;
509
510         if (gensec_krb5_state->session_key.data) {
511                 *session_key = gensec_krb5_state->session_key;
512                 return NT_STATUS_OK;
513         }
514
515         switch (gensec_security->gensec_role) {
516         case GENSEC_CLIENT:
517                 err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
518                 break;
519         case GENSEC_SERVER:
520                 err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
521                 break;
522         }
523         if (err == 0 && skey != NULL) {
524                 DEBUG(10, ("Got KRB5 session key of length %d\n",  
525                            (int)KRB5_KEY_LENGTH(skey)));
526                 gensec_krb5_state->session_key = data_blob_talloc(gensec_krb5_state, 
527                                                 KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
528                 *session_key = gensec_krb5_state->session_key;
529                 dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
530
531                 krb5_free_keyblock(context, skey);
532                 return NT_STATUS_OK;
533         } else {
534                 DEBUG(10, ("KRB5 error getting session key %d\n", err));
535                 return NT_STATUS_NO_USER_SESSION_KEY;
536         }
537 }
538
539 static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security,
540                                          struct auth_session_info **_session_info) 
541 {
542         NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
543         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
544         krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
545         struct auth_serversupplied_info *server_info = NULL;
546         struct auth_session_info *session_info = NULL;
547         struct PAC_LOGON_INFO *logon_info;
548
549         krb5_principal client_principal;
550         char *principal_string;
551         
552         DATA_BLOB pac;
553         krb5_data pac_data;
554
555         krb5_error_code ret;
556
557         TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
558         if (!mem_ctx) {
559                 return NT_STATUS_NO_MEMORY;
560         }
561         
562         ret = krb5_ticket_get_client(context, gensec_krb5_state->ticket, &client_principal);
563         if (ret) {
564                 DEBUG(5, ("krb5_ticket_get_client failed to get cleint principal: %s\n", 
565                           smb_get_krb5_error_message(context, 
566                                                      ret, mem_ctx)));
567                 talloc_free(mem_ctx);
568                 return NT_STATUS_NO_MEMORY;
569         }
570         
571         ret = krb5_unparse_name(gensec_krb5_state->smb_krb5_context->krb5_context, 
572                                 client_principal, &principal_string);
573         if (ret) {
574                 DEBUG(1, ("Unable to parse client principal: %s\n",
575                           smb_get_krb5_error_message(context, 
576                                                      ret, mem_ctx)));
577                 talloc_free(mem_ctx);
578                 return NT_STATUS_NO_MEMORY;
579         }
580
581         ret = krb5_ticket_get_authorization_data_type(context, gensec_krb5_state->ticket, 
582                                                       KRB5_AUTHDATA_WIN2K_PAC, 
583                                                       &pac_data);
584         
585         if (ret && lp_parm_bool(-1, "gensec", "require_pac", False)) {
586                 DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s \n",
587                           principal_string,
588                           smb_get_krb5_error_message(context, 
589                                                      ret, mem_ctx)));
590                 krb5_free_principal(context, client_principal);
591                 free(principal_string);
592                 return NT_STATUS_ACCESS_DENIED;
593         } else if (ret) {
594                 /* NO pac */
595                 DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n", 
596                           smb_get_krb5_error_message(context, 
597                                                      ret, mem_ctx)));
598                 nt_status = sam_get_server_info_principal(mem_ctx, principal_string,
599                                                           &server_info);
600                 krb5_free_principal(context, client_principal);
601                 free(principal_string);
602                 
603                 if (!NT_STATUS_IS_OK(nt_status)) {
604                         talloc_free(mem_ctx);
605                         return nt_status;
606                 }
607         } else {
608                 /* Found pac */
609                 union netr_Validation validation;
610                 free(principal_string);
611
612                 pac = data_blob_talloc(mem_ctx, pac_data.data, pac_data.length);
613                 if (!pac.data) {
614                         krb5_free_principal(context, client_principal);
615                         talloc_free(mem_ctx);
616                         return NT_STATUS_NO_MEMORY;
617                 }
618
619                 /* decode and verify the pac */
620                 nt_status = kerberos_pac_logon_info(gensec_krb5_state, &logon_info, pac,
621                                                     gensec_krb5_state->smb_krb5_context->krb5_context,
622                                                     NULL, gensec_krb5_state->keyblock,
623                                                     client_principal,
624                                                     gensec_krb5_state->ticket->ticket.authtime, NULL);
625                 krb5_free_principal(context, client_principal);
626
627                 if (!NT_STATUS_IS_OK(nt_status)) {
628                         talloc_free(mem_ctx);
629                         return nt_status;
630                 }
631
632                 validation.sam3 = &logon_info->info3;
633                 nt_status = make_server_info_netlogon_validation(mem_ctx, 
634                                                                  NULL,
635                                                                  3, &validation,
636                                                                  &server_info); 
637                 if (!NT_STATUS_IS_OK(nt_status)) {
638                         talloc_free(mem_ctx);
639                         return nt_status;
640                 }
641         }
642
643         /* references the server_info into the session_info */
644         nt_status = auth_generate_session_info(mem_ctx, server_info, &session_info);
645
646         if (!NT_STATUS_IS_OK(nt_status)) {
647                 talloc_free(mem_ctx);
648                 return nt_status;
649         }
650
651         nt_status = gensec_krb5_session_key(gensec_security, &session_info->session_key);
652
653         if (!NT_STATUS_IS_OK(nt_status)) {
654                 talloc_free(mem_ctx);
655                 return nt_status;
656         }
657
658         *_session_info = session_info;
659
660         talloc_steal(gensec_krb5_state, session_info);
661         talloc_free(mem_ctx);
662         return NT_STATUS_OK;
663 }
664
665 static NTSTATUS gensec_krb5_wrap(struct gensec_security *gensec_security, 
666                                    TALLOC_CTX *mem_ctx, 
667                                    const DATA_BLOB *in, 
668                                    DATA_BLOB *out)
669 {
670         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
671         krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
672         krb5_auth_context auth_context = gensec_krb5_state->auth_context;
673         krb5_error_code ret;
674         krb5_data input, output;
675         input.length = in->length;
676         input.data = in->data;
677         
678         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
679                 ret = krb5_mk_priv(context, auth_context, &input, &output, NULL);
680                 if (ret) {
681                         DEBUG(1, ("krb5_mk_priv failed: %s\n", 
682                                   smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
683                                                              ret, mem_ctx)));
684                         return NT_STATUS_ACCESS_DENIED;
685                 }
686                 *out = data_blob_talloc(mem_ctx, output.data, output.length);
687                 
688                 krb5_data_free(&output);
689         } else {
690                 return NT_STATUS_ACCESS_DENIED;
691         }
692         return NT_STATUS_OK;
693 }
694
695 static NTSTATUS gensec_krb5_unwrap(struct gensec_security *gensec_security, 
696                                      TALLOC_CTX *mem_ctx, 
697                                      const DATA_BLOB *in, 
698                                      DATA_BLOB *out)
699 {
700         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
701         krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
702         krb5_auth_context auth_context = gensec_krb5_state->auth_context;
703         krb5_error_code ret;
704         krb5_data input, output;
705         krb5_replay_data replay;
706         input.length = in->length;
707         input.data = in->data;
708         
709         if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
710                 ret = krb5_rd_priv(context, auth_context, &input, &output, &replay);
711                 if (ret) {
712                         DEBUG(1, ("krb5_rd_priv failed: %s\n", 
713                                   smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, 
714                                                              ret, mem_ctx)));
715                         return NT_STATUS_ACCESS_DENIED;
716                 }
717                 *out = data_blob_talloc(mem_ctx, output.data, output.length);
718                 
719                 krb5_data_free(&output);
720         } else {
721                 return NT_STATUS_ACCESS_DENIED;
722         }
723         return NT_STATUS_OK;
724 }
725
726 static BOOL gensec_krb5_have_feature(struct gensec_security *gensec_security,
727                                      uint32_t feature)
728 {
729         struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
730         if (feature & GENSEC_FEATURE_SESSION_KEY) {
731                 return True;
732         } 
733         if (!gensec_krb5_state->gssapi && 
734             (feature & GENSEC_FEATURE_SEAL)) {
735                 return True;
736         } 
737         
738         return False;
739 }
740
741 static const char *gensec_krb5_oids[] = { 
742         GENSEC_OID_KERBEROS5,
743         GENSEC_OID_KERBEROS5_OLD,
744         NULL 
745 };
746
747 static const struct gensec_security_ops gensec_fake_gssapi_krb5_security_ops = {
748         .name           = "fake_gssapi_krb5",
749         .auth_type      = DCERPC_AUTH_TYPE_KRB5,
750         .oid            = gensec_krb5_oids,
751         .client_start   = gensec_fake_gssapi_krb5_client_start,
752         .server_start   = gensec_fake_gssapi_krb5_server_start,
753         .update         = gensec_krb5_update,
754         .magic          = gensec_fake_gssapi_krb5_magic,
755         .session_key    = gensec_krb5_session_key,
756         .session_info   = gensec_krb5_session_info,
757         .have_feature   = gensec_krb5_have_feature,
758         .enabled        = False,
759         .kerberos       = True,
760         .priority       = GENSEC_KRB5
761 };
762
763 static const struct gensec_security_ops gensec_krb5_security_ops = {
764         .name           = "krb5",
765         .client_start   = gensec_krb5_client_start,
766         .server_start   = gensec_krb5_server_start,
767         .update         = gensec_krb5_update,
768         .session_key    = gensec_krb5_session_key,
769         .session_info   = gensec_krb5_session_info,
770         .have_feature   = gensec_krb5_have_feature,
771         .wrap           = gensec_krb5_wrap,
772         .unwrap         = gensec_krb5_unwrap,
773         .enabled        = True,
774         .kerberos       = True,
775         .priority       = GENSEC_KRB5
776 };
777
778 NTSTATUS gensec_krb5_init(void)
779 {
780         NTSTATUS ret;
781
782         auth_init();
783
784         ret = gensec_register(&gensec_krb5_security_ops);
785         if (!NT_STATUS_IS_OK(ret)) {
786                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
787                         gensec_krb5_security_ops.name));
788                 return ret;
789         }
790
791         ret = gensec_register(&gensec_fake_gssapi_krb5_security_ops);
792         if (!NT_STATUS_IS_OK(ret)) {
793                 DEBUG(0,("Failed to register '%s' gensec backend!\n",
794                         gensec_krb5_security_ops.name));
795                 return ret;
796         }
797
798         return ret;
799 }