#include "system/filesys.h"
#include "krb5_samba.h"
#include "lib/crypto/crypto.h"
+#include "../libds/common/flags.h"
#ifdef HAVE_COM_ERR_H
#include <com_err.h>
krb5_address *pkaddr)
{
memset(pkaddr, '\0', sizeof(krb5_address));
-#if defined(HAVE_IPV6) && defined(KRB5_ADDRESS_INET6)
+#ifdef HAVE_IPV6
if (paddr->ss_family == AF_INET6) {
pkaddr->addr_type = KRB5_ADDRESS_INET6;
pkaddr->address.length = sizeof(((struct sockaddr_in6 *)paddr)->sin6_addr);
krb5_address *pkaddr)
{
memset(pkaddr, '\0', sizeof(krb5_address));
-#if defined(HAVE_IPV6) && defined(ADDRTYPE_INET6)
+#ifdef HAVE_IPV6
if (paddr->ss_family == AF_INET6) {
pkaddr->addrtype = ADDRTYPE_INET6;
pkaddr->length = sizeof(((struct sockaddr_in6 *)paddr)->sin6_addr);
#error UNKNOWN_SALT_FUNCTIONS
#endif
+/**
+ * @brief This constructs the salt principal used by active directory
+ *
+ * Most Kerberos encryption types require a salt in order to
+ * calculate the long term private key for user/computer object
+ * based on a password.
+ *
+ * The returned _salt_principal is a string in forms like this:
+ * - host/somehost.example.com@EXAMPLE.COM
+ * - SomeAccount@EXAMPLE.COM
+ * - SomePrincipal@EXAMPLE.COM
+ *
+ * This is not the form that's used as salt, it's just
+ * the human readable form. It needs to be converted by
+ * smb_krb5_salt_principal2data().
+ *
+ * @param[in] realm The realm the user/computer is added too.
+ *
+ * @param[in] sAMAccountName The sAMAccountName attribute of the object.
+ *
+ * @param[in] userPrincipalName The userPrincipalName attribute of the object
+ * or NULL is not available.
+ *
+ * @param[in] uac_flags UF_ACCOUNT_TYPE_MASKed userAccountControl field
+ *
+ * @param[in] mem_ctx The TALLOC_CTX to allocate _salt_principal.
+ *
+ * @param[out] _salt_principal The resulting principal as string.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ *
+ * @see smb_krb5_salt_principal2data
+ */
+int smb_krb5_salt_principal(const char *realm,
+ const char *sAMAccountName,
+ const char *userPrincipalName,
+ uint32_t uac_flags,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_principal)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ char *upper_realm = NULL;
+ const char *principal = NULL;
+ int principal_len = 0;
+
+ *_salt_principal = NULL;
+
+ if (sAMAccountName == NULL) {
+ TALLOC_FREE(frame);
+ return EINVAL;
+ }
+
+ if (realm == NULL) {
+ TALLOC_FREE(frame);
+ return EINVAL;
+ }
+
+ if (uac_flags & ~UF_ACCOUNT_TYPE_MASK) {
+ /*
+ * catch callers which still
+ * pass 'true'.
+ */
+ TALLOC_FREE(frame);
+ return EINVAL;
+ }
+ if (uac_flags == 0) {
+ /*
+ * catch callers which still
+ * pass 'false'.
+ */
+ TALLOC_FREE(frame);
+ return EINVAL;
+ }
+
+ upper_realm = strupper_talloc(frame, realm);
+ if (upper_realm == NULL) {
+ TALLOC_FREE(frame);
+ return ENOMEM;
+ }
+
+ /* Many, many thanks to lukeh@padl.com for this
+ * algorithm, described in his Nov 10 2004 mail to
+ * samba-technical@lists.samba.org */
+
+ /*
+ * Determine a salting principal
+ */
+ if (uac_flags & UF_TRUST_ACCOUNT_MASK) {
+ int computer_len = 0;
+ char *tmp = NULL;
+
+ computer_len = strlen(sAMAccountName);
+ if (sAMAccountName[computer_len-1] == '$') {
+ computer_len -= 1;
+ }
+
+ if (uac_flags & UF_INTERDOMAIN_TRUST_ACCOUNT) {
+ principal = talloc_asprintf(frame, "krbtgt/%*.*s",
+ computer_len, computer_len,
+ sAMAccountName);
+ if (principal == NULL) {
+ TALLOC_FREE(frame);
+ return ENOMEM;
+ }
+ } else {
+
+ tmp = talloc_asprintf(frame, "host/%*.*s.%s",
+ computer_len, computer_len,
+ sAMAccountName, realm);
+ if (tmp == NULL) {
+ TALLOC_FREE(frame);
+ return ENOMEM;
+ }
+
+ principal = strlower_talloc(frame, tmp);
+ TALLOC_FREE(tmp);
+ if (principal == NULL) {
+ TALLOC_FREE(frame);
+ return ENOMEM;
+ }
+ }
+
+ principal_len = strlen(principal);
+
+ } else if (userPrincipalName != NULL) {
+ char *p;
+
+ principal = userPrincipalName;
+ p = strchr(principal, '@');
+ if (p != NULL) {
+ principal_len = PTR_DIFF(p, principal);
+ } else {
+ principal_len = strlen(principal);
+ }
+ } else {
+ principal = sAMAccountName;
+ principal_len = strlen(principal);
+ }
+
+ *_salt_principal = talloc_asprintf(mem_ctx, "%*.*s@%s",
+ principal_len, principal_len,
+ principal, upper_realm);
+ if (*_salt_principal == NULL) {
+ TALLOC_FREE(frame);
+ return ENOMEM;
+ }
+
+ TALLOC_FREE(frame);
+ return 0;
+}
+
+/**
+ * @brief Converts the salt principal string into the salt data blob
+ *
+ * This function takes a salt_principal as string in forms like this:
+ * - host/somehost.example.com@EXAMPLE.COM
+ * - SomeAccount@EXAMPLE.COM
+ * - SomePrincipal@EXAMPLE.COM
+ *
+ * It generates values like:
+ * - EXAMPLE.COMhost/somehost.example.com
+ * - EXAMPLE.COMSomeAccount
+ * - EXAMPLE.COMSomePrincipal
+ *
+ * @param[in] realm The realm the user/computer is added too.
+ *
+ * @param[in] sAMAccountName The sAMAccountName attribute of the object.
+ *
+ * @param[in] userPrincipalName The userPrincipalName attribute of the object
+ * or NULL is not available.
+ *
+ * @param[in] is_computer The indication of the object includes
+ * objectClass=computer.
+ *
+ * @param[in] mem_ctx The TALLOC_CTX to allocate _salt_principal.
+ *
+ * @param[out] _salt_principal The resulting principal as string.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ *
+ * @see smb_krb5_salt_principal
+ */
+int smb_krb5_salt_principal2data(krb5_context context,
+ const char *salt_principal,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_data)
+{
+ krb5_error_code ret;
+ krb5_principal salt_princ = NULL;
+ krb5_data salt;
+
+ *_salt_data = NULL;
+
+ ret = krb5_parse_name(context, salt_principal, &salt_princ);
+ if (ret != 0) {
+ return ret;
+ }
+
+ ret = smb_krb5_get_pw_salt(context, salt_princ, &salt);
+ krb5_free_principal(context, salt_princ);
+ if (ret != 0) {
+ return ret;
+ }
+
+ *_salt_data = talloc_strndup(mem_ctx,
+ (char *)salt.data,
+ salt.length);
+ smb_krb5_free_data_contents(context, &salt);
+ if (*_salt_data == NULL) {
+ return ENOMEM;
+ }
+
+ return 0;
+}
+
#if defined(HAVE_KRB5_GET_PERMITTED_ENCTYPES)
/**
* @brief Get a list of encryption types allowed for session keys
goto open_keytab;
}
+ DBG_WARNING("ERROR: Invalid keytab name: %s\n", keytab_name_req);
+
return KRB5_KT_BADNAME;
open_keytab:
}
if (!flush &&
- (kt_entry.vno == kvno) &&
+ ((kt_entry.vno & 0xff) == (kvno & 0xff)) &&
(kt_entry_enctype != enctype))
{
DEBUG(5, (__location__ ": Saving entry with kvno [%d] "
}
-/************************************************************************
- Routine to get the default realm from the kerberos credentials cache.
- Caller must free if the return value is not NULL.
-************************************************************************/
-
-static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx)
-{
- char *realm = NULL;
- krb5_context ctx = NULL;
- krb5_ccache cc = NULL;
- krb5_principal princ = NULL;
-
- initialize_krb5_error_table();
- if (krb5_init_context(&ctx)) {
- return NULL;
- }
-
- DEBUG(5,("kerberos_get_default_realm_from_ccache: "
- "Trying to read krb5 cache: %s\n",
- krb5_cc_default_name(ctx)));
- if (krb5_cc_default(ctx, &cc)) {
- DEBUG(5,("kerberos_get_default_realm_from_ccache: "
- "failed to read default cache\n"));
- goto out;
- }
- if (krb5_cc_get_principal(ctx, cc, &princ)) {
- DEBUG(5,("kerberos_get_default_realm_from_ccache: "
- "failed to get default principal\n"));
- goto out;
- }
-
-#if defined(HAVE_KRB5_PRINCIPAL_GET_REALM)
- realm = talloc_strdup(mem_ctx, krb5_principal_get_realm(ctx, princ));
-#elif defined(HAVE_KRB5_PRINC_REALM)
- {
- krb5_data *realm_data = krb5_princ_realm(ctx, princ);
- realm = talloc_strndup(mem_ctx, realm_data->data, realm_data->length);
- }
-#endif
-
- out:
-
- if (ctx) {
- if (princ) {
- krb5_free_principal(ctx, princ);
- }
- if (cc) {
- krb5_cc_close(ctx, cc);
- }
- krb5_free_context(ctx);
- }
-
- return realm;
-}
-
-/************************************************************************
- Routine to get the realm from a given DNS name.
-************************************************************************/
-
-static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
- const char *hostname)
+/**
+ * @brief Get the realm from the service hostname.
+ *
+ * This function will look for a domain realm mapping in the [domain_realm]
+ * section of the krb5.conf first and fallback to extract the realm from
+ * the provided service hostname. As a last resort it will return the
+ * provided client_realm.
+ *
+ * @param[in] mem_ctx The talloc context
+ *
+ * @param[in] hostname The service hostname
+ *
+ * @param[in] client_realm If we can not find a mapping, fall back to
+ * this realm.
+ *
+ * @return The realm to use for the service hostname, NULL if a fatal error
+ * occured.
+ */
+char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx,
+ const char *hostname,
+ const char *client_realm)
{
#if defined(HAVE_KRB5_REALM_TYPE)
/* Heimdal. */
}
kerr = krb5_get_host_realm(ctx, hostname, &realm_list);
+ if (kerr == KRB5_ERR_HOST_REALM_UNKNOWN) {
+ realm_list = NULL;
+ kerr = 0;
+ }
if (kerr != 0) {
DEBUG(3,("kerberos_get_realm_from_hostname %s: "
"failed %s\n",
realm_list[0] != NULL &&
realm_list[0][0] != '\0') {
realm = talloc_strdup(mem_ctx, realm_list[0]);
+ if (realm == NULL) {
+ goto out;
+ }
} else {
const char *p = NULL;
p = strchr_m(hostname, '.');
if (p != NULL && p[1] != '\0') {
realm = talloc_strdup_upper(mem_ctx, p + 1);
+ if (realm == NULL) {
+ goto out;
+ }
}
}
+ if (realm == NULL) {
+ realm = talloc_strdup(mem_ctx, client_realm);
+ }
+
out:
if (ctx) {
return realm;
}
-/**
- * @brief Get the principal as a string from the service hostname.
- *
- * @param[in] mem_ctx The talloc context
- *
- * @param[in] service The service name
- *
- * @param[in] remote_name The remote name
- *
- * @param[in] default_realm The default_realm if we cannot get it from the
- * hostname or netbios name.
- *
- * @return A talloc'ed principal string or NULL if an error occurred.
- *
- * The caller needs to free the principal with talloc_free() if it isn't needed
- * anymore.
- */
-char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx,
- const char *service,
- const char *remote_name,
- const char *default_realm)
-{
- char *realm = NULL;
- char *host = NULL;
- char *principal;
- host = strchr_m(remote_name, '.');
- if (host) {
- /* DNS name. */
- realm = smb_krb5_get_realm_from_hostname(talloc_tos(),
- remote_name);
- } else {
- /* NetBIOS name - use our realm. */
- realm = smb_krb5_get_default_realm_from_ccache(talloc_tos());
- }
-
- if (realm == NULL || *realm == '\0') {
- realm = talloc_strdup(talloc_tos(), default_realm);
- if (!realm) {
- return NULL;
- }
- DEBUG(3,("Cannot get realm from, "
- "desthost %s or default ccache. Using default "
- "smb.conf realm %s\n",
- remote_name,
- realm));
- }
-
- principal = talloc_asprintf(mem_ctx,
- "%s/%s@%s",
- service, remote_name,
- realm);
- TALLOC_FREE(realm);
- return principal;
-}
-
/**
* @brief Get an error string from a Kerberos error code.
*
git.samba.org / vlendec / samba-autobuild / .git / blobdiff