benny/wmic
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

wmi-1.3.16 from opsview.com

Browse Source
This commit is contained in:
Are Casilla
2019-02-16 00:16:52 +01:00
parent 163fdd3d1b
commit 17b3af2911
2146 changed files with 678824 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Samba/source/kdc/config.m4
+1
View File
@@ -0,0 +1 @@
SMB_ENABLE(server_service_kdc, $HAVE_KRB5)
Samba/source/kdc/config.mk
+27
View File
@@ -0,0 +1,27 @@
# KDC server subsystem
#######################
# Start SUBSYSTEM KDC
[MODULE::KDC]
INIT_FUNCTION = server_service_kdc_init
SUBSYSTEM = service
OBJ_FILES = \
kdc.o \
kpasswdd.o
PUBLIC_DEPENDENCIES = \
ldb KERBEROS_LIB HEIMDAL_KDC HEIMDAL_HDB SAMDB
# End SUBSYSTEM KDC
#######################
#######################
# Start SUBSYSTEM KDC
[SUBSYSTEM::HDB_LDB]
CFLAGS = -Iheimdal/kdc -Iheimdal/lib/hdb
OBJ_FILES = \
hdb-ldb.o \
pac-glue.o
PUBLIC_DEPENDENCIES = \
ldb auth_sam KERBEROS
# End SUBSYSTEM KDC
#######################
Samba/source/kdc/hdb-ldb.c
+1014
View File
File diff suppressed because it is too large Load Diff
Samba/source/kdc/kdc.c
+631
View File
@@ -0,0 +1,631 @@
/*
Unix SMB/CIFS implementation.
KDC Server startup
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
Copyright (C) Andrew Tridgell 2005
Copyright (C) Stefan Metzmacher 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#include "smbd/service_task.h"
#include "smbd/service.h"
#include "smbd/service_stream.h"
#include "smbd/process_model.h"
#include "lib/events/events.h"
#include "lib/socket/socket.h"
#include "kdc/kdc.h"
#include "system/network.h"
#include "lib/util/dlinklist.h"
#include "lib/messaging/irpc.h"
#include "lib/stream/packet.h"
#include "librpc/gen_ndr/samr.h"
#include "lib/socket/netif.h"
/* hold all the info needed to send a reply */
struct kdc_reply {
struct kdc_reply *next, *prev;
struct socket_address *dest;
DATA_BLOB packet;
};
typedef BOOL (*kdc_process_fn_t)(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
DATA_BLOB *input,
DATA_BLOB *reply,
struct socket_address *peer_addr,
struct socket_address *my_addr,
int datagram);
/* hold information about one kdc socket */
struct kdc_socket {
struct socket_context *sock;
struct kdc_server *kdc;
struct fd_event *fde;
/* a queue of outgoing replies that have been deferred */
struct kdc_reply *send_queue;
kdc_process_fn_t process;
};
/*
state of an open tcp connection
*/
struct kdc_tcp_connection {
/* stream connection we belong to */
struct stream_connection *conn;
/* the kdc_server the connection belongs to */
struct kdc_server *kdc;
struct packet_context *packet;
kdc_process_fn_t process;
};
/*
handle fd send events on a KDC socket
*/
static void kdc_send_handler(struct kdc_socket *kdc_socket)
{
while (kdc_socket->send_queue) {
struct kdc_reply *rep = kdc_socket->send_queue;
NTSTATUS status;
size_t sendlen;
status = socket_sendto(kdc_socket->sock, &rep->packet, &sendlen,
rep->dest);
if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
break;
}
if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_BUFFER_SIZE)) {
/* Replace with a krb err, response to big */
}
DLIST_REMOVE(kdc_socket->send_queue, rep);
talloc_free(rep);
}
if (kdc_socket->send_queue == NULL) {
EVENT_FD_NOT_WRITEABLE(kdc_socket->fde);
}
}
/*
handle fd recv events on a KDC socket
*/
static void kdc_recv_handler(struct kdc_socket *kdc_socket)
{
NTSTATUS status;
TALLOC_CTX *tmp_ctx = talloc_new(kdc_socket);
DATA_BLOB blob;
struct kdc_reply *rep;
DATA_BLOB reply;
size_t nread, dsize;
struct socket_address *src;
struct socket_address *my_addr;
int ret;
status = socket_pending(kdc_socket->sock, &dsize);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(tmp_ctx);
return;
}
blob = data_blob_talloc(tmp_ctx, NULL, dsize);
if (blob.data == NULL) {
/* hope this is a temporary low memory condition */
talloc_free(tmp_ctx);
return;
}
status = socket_recvfrom(kdc_socket->sock, blob.data, blob.length, &nread,
tmp_ctx, &src);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(tmp_ctx);
return;
}
blob.length = nread;
DEBUG(10,("Received krb5 UDP packet of length %lu from %s:%u\n",
(long)blob.length, src->addr, (uint16_t)src->port));
my_addr = socket_get_my_addr(kdc_socket->sock, tmp_ctx);
if (!my_addr) {
talloc_free(tmp_ctx);
return;
}
/* Call krb5 */
ret = kdc_socket->process(kdc_socket->kdc,
tmp_ctx,
&blob,
&reply,
src, my_addr,
1 /* Datagram */);
if (!ret) {
talloc_free(tmp_ctx);
return;
}
/* queue a pending reply */
rep = talloc(kdc_socket, struct kdc_reply);
if (rep == NULL) {
talloc_free(tmp_ctx);
return;
}
rep->dest = talloc_steal(rep, src);
rep->packet = reply;
talloc_steal(rep, reply.data);
if (rep->packet.data == NULL) {
talloc_free(rep);
talloc_free(tmp_ctx);
return;
}
DLIST_ADD_END(kdc_socket->send_queue, rep, struct kdc_reply *);
EVENT_FD_WRITEABLE(kdc_socket->fde);
talloc_free(tmp_ctx);
}
/*
handle fd events on a KDC socket
*/
static void kdc_socket_handler(struct event_context *ev, struct fd_event *fde,
uint16_t flags, void *private)
{
struct kdc_socket *kdc_socket = talloc_get_type(private, struct kdc_socket);
if (flags & EVENT_FD_WRITE) {
kdc_send_handler(kdc_socket);
}
if (flags & EVENT_FD_READ) {
kdc_recv_handler(kdc_socket);
}
}
static void kdc_tcp_terminate_connection(struct kdc_tcp_connection *kdcconn, const char *reason)
{
stream_terminate_connection(kdcconn->conn, reason);
}
/*
receive a full packet on a KDC connection
*/
static NTSTATUS kdc_tcp_recv(void *private, DATA_BLOB blob)
{
struct kdc_tcp_connection *kdcconn = talloc_get_type(private,
struct kdc_tcp_connection);
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
TALLOC_CTX *tmp_ctx = talloc_new(kdcconn);
int ret;
DATA_BLOB input, reply;
struct socket_address *src_addr;
struct socket_address *my_addr;
talloc_steal(tmp_ctx, blob.data);
src_addr = socket_get_peer_addr(kdcconn->conn->socket, tmp_ctx);
if (!src_addr) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
my_addr = socket_get_my_addr(kdcconn->conn->socket, tmp_ctx);
if (!my_addr) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
/* Call krb5 */
input = data_blob_const(blob.data + 4, blob.length - 4);
ret = kdcconn->process(kdcconn->kdc,
tmp_ctx,
&input,
&reply,
src_addr,
my_addr,
0 /* Not datagram */);
if (!ret) {
talloc_free(tmp_ctx);
return NT_STATUS_INTERNAL_ERROR;
}
/* and now encode the reply */
blob = data_blob_talloc(kdcconn, NULL, reply.length + 4);
if (!blob.data) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
RSIVAL(blob.data, 0, reply.length);
memcpy(blob.data + 4, reply.data, reply.length);
status = packet_send(kdcconn->packet, blob);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(tmp_ctx);
return status;
}
/* the call isn't needed any more */
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
/*
receive some data on a KDC connection
*/
static void kdc_tcp_recv_handler(struct stream_connection *conn, uint16_t flags)
{
struct kdc_tcp_connection *kdcconn = talloc_get_type(conn->private,
struct kdc_tcp_connection);
packet_recv(kdcconn->packet);
}
/*
called on a tcp recv error
*/
static void kdc_tcp_recv_error(void *private, NTSTATUS status)
{
struct kdc_tcp_connection *kdcconn = talloc_get_type(private, struct kdc_tcp_connection);
kdc_tcp_terminate_connection(kdcconn, nt_errstr(status));
}
/*
called when we can write to a connection
*/
static void kdc_tcp_send(struct stream_connection *conn, uint16_t flags)
{
struct kdc_tcp_connection *kdcconn = talloc_get_type(conn->private,
struct kdc_tcp_connection);
packet_queue_run(kdcconn->packet);
}
/**
Wrapper for krb5_kdc_process_krb5_request, converting to/from Samba
calling conventions
*/
static BOOL kdc_process(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
DATA_BLOB *input,
DATA_BLOB *reply,
struct socket_address *peer_addr,
struct socket_address *my_addr,
int datagram_reply)
{
int ret;
krb5_data k5_reply;
krb5_data_zero(&k5_reply);
DEBUG(10,("Received KDC packet of length %lu from %s:%d\n",
(long)input->length - 4, peer_addr->addr, peer_addr->port));
ret = krb5_kdc_process_krb5_request(kdc->smb_krb5_context->krb5_context,
kdc->config,
input->data, input->length,
&k5_reply,
peer_addr->addr,
peer_addr->sockaddr,
datagram_reply);
if (ret == -1) {
*reply = data_blob(NULL, 0);
return False;
}
if (k5_reply.length) {
*reply = data_blob_talloc(mem_ctx, k5_reply.data, k5_reply.length);
krb5_free_data_contents(kdc->smb_krb5_context->krb5_context, &k5_reply);
} else {
*reply = data_blob(NULL, 0);
}
return True;
}
/*
called when we get a new connection
*/
static void kdc_tcp_generic_accept(struct stream_connection *conn, kdc_process_fn_t process_fn)
{
struct kdc_server *kdc = talloc_get_type(conn->private, struct kdc_server);
struct kdc_tcp_connection *kdcconn;
kdcconn = talloc_zero(conn, struct kdc_tcp_connection);
if (!kdcconn) {
stream_terminate_connection(conn, "kdc_tcp_accept: out of memory");
return;
}
kdcconn->conn = conn;
kdcconn->kdc = kdc;
kdcconn->process = process_fn;
conn->private = kdcconn;
kdcconn->packet = packet_init(kdcconn);
if (kdcconn->packet == NULL) {
kdc_tcp_terminate_connection(kdcconn, "kdc_tcp_accept: out of memory");
return;
}
packet_set_private(kdcconn->packet, kdcconn);
packet_set_socket(kdcconn->packet, conn->socket);
packet_set_callback(kdcconn->packet, kdc_tcp_recv);
packet_set_full_request(kdcconn->packet, packet_full_request_u32);
packet_set_error_handler(kdcconn->packet, kdc_tcp_recv_error);
packet_set_event_context(kdcconn->packet, conn->event.ctx);
packet_set_fde(kdcconn->packet, conn->event.fde);
packet_set_serialise(kdcconn->packet);
}
static void kdc_tcp_accept(struct stream_connection *conn)
{
kdc_tcp_generic_accept(conn, kdc_process);
}
static const struct stream_server_ops kdc_tcp_stream_ops = {
.name = "kdc_tcp",
.accept_connection = kdc_tcp_accept,
.recv_handler = kdc_tcp_recv_handler,
.send_handler = kdc_tcp_send
};
static void kpasswdd_tcp_accept(struct stream_connection *conn)
{
kdc_tcp_generic_accept(conn, kpasswdd_process);
}
static const struct stream_server_ops kpasswdd_tcp_stream_ops = {
.name = "kpasswdd_tcp",
.accept_connection = kpasswdd_tcp_accept,
.recv_handler = kdc_tcp_recv_handler,
.send_handler = kdc_tcp_send
};
/*
start listening on the given address
*/
static NTSTATUS kdc_add_socket(struct kdc_server *kdc, const char *address)
{
const struct model_ops *model_ops;
struct kdc_socket *kdc_socket;
struct kdc_socket *kpasswd_socket;
struct socket_address *kdc_address, *kpasswd_address;
NTSTATUS status;
uint16_t kdc_port = lp_krb5_port();
uint16_t kpasswd_port = lp_kpasswd_port();
kdc_socket = talloc(kdc, struct kdc_socket);
NT_STATUS_HAVE_NO_MEMORY(kdc_socket);
kpasswd_socket = talloc(kdc, struct kdc_socket);
NT_STATUS_HAVE_NO_MEMORY(kpasswd_socket);
status = socket_create("ip", SOCKET_TYPE_DGRAM, &kdc_socket->sock, 0);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(kdc_socket);
return status;
}
status = socket_create("ip", SOCKET_TYPE_DGRAM, &kpasswd_socket->sock, 0);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(kpasswd_socket);
return status;
}
kdc_socket->kdc = kdc;
kdc_socket->send_queue = NULL;
kdc_socket->process = kdc_process;
talloc_steal(kdc_socket, kdc_socket->sock);
kdc_socket->fde = event_add_fd(kdc->task->event_ctx, kdc,
socket_get_fd(kdc_socket->sock), EVENT_FD_READ,
kdc_socket_handler, kdc_socket);
kdc_address = socket_address_from_strings(kdc_socket, kdc_socket->sock->backend_name,
address, kdc_port);
NT_STATUS_HAVE_NO_MEMORY(kdc_address);
status = socket_listen(kdc_socket->sock, kdc_address, 0, 0);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("Failed to bind to %s:%d UDP for kdc - %s\n",
address, kdc_port, nt_errstr(status)));
talloc_free(kdc_socket);
return status;
}
kpasswd_socket->kdc = kdc;
kpasswd_socket->send_queue = NULL;
kpasswd_socket->process = kpasswdd_process;
talloc_steal(kpasswd_socket, kpasswd_socket->sock);
kpasswd_socket->fde = event_add_fd(kdc->task->event_ctx, kdc,
socket_get_fd(kpasswd_socket->sock), EVENT_FD_READ,
kdc_socket_handler, kpasswd_socket);
kpasswd_address = socket_address_from_strings(kpasswd_socket, kpasswd_socket->sock->backend_name,
address, kpasswd_port);
NT_STATUS_HAVE_NO_MEMORY(kpasswd_address);
status = socket_listen(kpasswd_socket->sock, kpasswd_address, 0, 0);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("Failed to bind to %s:%d UDP for kpasswd - %s\n",
address, kpasswd_port, nt_errstr(status)));
talloc_free(kpasswd_socket);
return status;
}
/* within the kdc task we want to be a single process, so
ask for the single process model ops and pass these to the
stream_setup_socket() call. */
model_ops = process_model_byname("single");
if (!model_ops) {
DEBUG(0,("Can't find 'single' process model_ops\n"));
talloc_free(kdc_socket);
return NT_STATUS_INTERNAL_ERROR;
}
status = stream_setup_socket(kdc->task->event_ctx, model_ops,
&kdc_tcp_stream_ops,
"ip", address, &kdc_port, kdc);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("Failed to bind to %s:%u TCP - %s\n",
address, kdc_port, nt_errstr(status)));
talloc_free(kdc_socket);
return status;
}
status = stream_setup_socket(kdc->task->event_ctx, model_ops,
&kpasswdd_tcp_stream_ops,
"ip", address, &kpasswd_port, kdc);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("Failed to bind to %s:%u TCP - %s\n",
address, kpasswd_port, nt_errstr(status)));
talloc_free(kdc_socket);
return status;
}
return NT_STATUS_OK;
}
/*
setup our listening sockets on the configured network interfaces
*/
static NTSTATUS kdc_startup_interfaces(struct kdc_server *kdc)
{
int num_interfaces = iface_count();
TALLOC_CTX *tmp_ctx = talloc_new(kdc);
NTSTATUS status;
int i;
for (i=0; i<num_interfaces; i++) {
const char *address = talloc_strdup(tmp_ctx, iface_n_ip(i));
status = kdc_add_socket(kdc, address);
NT_STATUS_NOT_OK_RETURN(status);
}
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
/*
startup the kdc task
*/
static void kdc_task_init(struct task_server *task)
{
struct kdc_server *kdc;
NTSTATUS status;
krb5_error_code ret;
switch (lp_server_role()) {
case ROLE_STANDALONE:
task_server_terminate(task, "kdc: no KDC required in standalone configuration");
return;
case ROLE_DOMAIN_MEMBER:
task_server_terminate(task, "kdc: no KDC required in member server configuration");
return;
case ROLE_DOMAIN_PDC:
case ROLE_DOMAIN_BDC:
/* Yes, we want a KDC */
break;
}
if (iface_count() == 0) {
task_server_terminate(task, "kdc: no network interfaces configured");
return;
}
task_server_set_title(task, "task[kdc]");
kdc = talloc(task, struct kdc_server);
if (kdc == NULL) {
task_server_terminate(task, "kdc: out of memory");
return;
}
kdc->task = task;
/* Setup the KDC configuration */
kdc->config = talloc(kdc, krb5_kdc_configuration);
if (!kdc->config) {
task_server_terminate(task, "kdc: out of memory");
return;
}
krb5_kdc_default_config(kdc->config);
initialize_krb5_error_table();
ret = smb_krb5_init_context(kdc, &kdc->smb_krb5_context);
if (ret) {
DEBUG(1,("kdc_task_init: krb5_init_context failed (%s)\n",
error_message(ret)));
task_server_terminate(task, "kdc: krb5_init_context failed");
return;
}
krb5_add_et_list(kdc->smb_krb5_context->krb5_context, initialize_hdb_error_table_r);
kdc->config->logf = kdc->smb_krb5_context->logf;
kdc->config->db = talloc(kdc->config, struct HDB *);
if (!kdc->config->db) {
task_server_terminate(task, "kdc: out of memory");
return;
}
kdc->config->num_db = 1;
status = kdc_hdb_ldb_create(kdc, kdc->smb_krb5_context->krb5_context,
&kdc->config->db[0], NULL);
if (!NT_STATUS_IS_OK(status)) {
task_server_terminate(task, "kdc: hdb_ldb_create (setup KDC database) failed");
return;
}
ret = krb5_kt_register(kdc->smb_krb5_context->krb5_context, &hdb_kt_ops);
if(ret) {
task_server_terminate(task, "kdc: failed to register hdb keytab");
return;
}
/* start listening on the configured network interfaces */
status = kdc_startup_interfaces(kdc);
if (!NT_STATUS_IS_OK(status)) {
task_server_terminate(task, "kdc failed to setup interfaces");
return;
}
irpc_add_name(task->msg_ctx, "kdc_server");
}
/*
called on startup of the KDC service
*/
static NTSTATUS kdc_init(struct event_context *event_ctx,
const struct model_ops *model_ops)
{
return task_server_startup(event_ctx, model_ops, kdc_task_init);
}
/* called at smbd startup - register ourselves as a server service */
NTSTATUS server_service_kdc_init(void)
{
return register_server_service("kdc", kdc_init);
}
Samba/source/kdc/kdc.h
+52
View File
@@ -0,0 +1,52 @@
/*
Unix SMB/CIFS implementation.
KDC structures
Copyright (C) Andrew Tridgell 2005
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "system/kerberos.h"
#include "auth/kerberos/kerberos.h"
#include "heimdal/kdc/kdc.h"
#include "heimdal/lib/hdb/hdb.h"
#include "kdc/pac-glue.h"
struct kdc_server;
struct socket_address;
NTSTATUS kdc_hdb_ldb_create(TALLOC_CTX *mem_ctx,
krb5_context context, struct HDB **db, const char *arg);
BOOL kpasswdd_process(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
DATA_BLOB *input,
DATA_BLOB *reply,
struct socket_address *peer_addr,
struct socket_address *my_addr,
int datagram_reply);
/*
top level context structure for the kdc server
*/
struct kdc_server {
struct task_server *task;
krb5_kdc_configuration *config;
struct smb_krb5_context *smb_krb5_context;
};
Samba/source/kdc/kpasswdd.c
+605
View File
@@ -0,0 +1,605 @@
/*
Unix SMB/CIFS implementation.
kpasswd Server implementation
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
Copyright (C) Andrew Tridgell 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#include "smbd/service_task.h"
#include "lib/events/events.h"
#include "lib/socket/socket.h"
#include "kdc/kdc.h"
#include "system/network.h"
#include "lib/util/dlinklist.h"
#include "lib/ldb/include/ldb.h"
#include "heimdal/lib/krb5/krb5_locl.h"
#include "heimdal/lib/krb5/krb5-private.h"
#include "auth/gensec/gensec.h"
#include "auth/credentials/credentials.h"
#include "auth/credentials/credentials_krb5.h"
#include "auth/auth.h"
#include "dsdb/samdb/samdb.h"
#include "rpc_server/dcerpc_server.h"
#include "rpc_server/samr/proto.h"
#include "libcli/security/security.h"
/* hold information about one kdc socket */
struct kpasswd_socket {
struct socket_context *sock;
struct kdc_server *kdc;
struct fd_event *fde;
/* a queue of outgoing replies that have been deferred */
struct kdc_reply *send_queue;
};
/* Return true if there is a valid error packet formed in the error_blob */
static BOOL kpasswdd_make_error_reply(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
uint16_t result_code,
const char *error_string,
DATA_BLOB *error_blob)
{
char *error_string_utf8;
ssize_t len;
DEBUG(result_code ? 3 : 10, ("kpasswdd: %s\n", error_string));
len = push_utf8_talloc(mem_ctx, &error_string_utf8, error_string);
if (len == -1) {
return False;
}
*error_blob = data_blob_talloc(mem_ctx, NULL, 2 + len + 1);
if (!error_blob->data) {
return False;
}
RSSVAL(error_blob->data, 0, result_code);
memcpy(error_blob->data + 2, error_string_utf8, len + 1);
return True;
}
/* Return true if there is a valid error packet formed in the error_blob */
static BOOL kpasswdd_make_unauth_error_reply(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
uint16_t result_code,
const char *error_string,
DATA_BLOB *error_blob)
{
BOOL ret;
int kret;
DATA_BLOB error_bytes;
krb5_data k5_error_bytes, k5_error_blob;
ret = kpasswdd_make_error_reply(kdc, mem_ctx, result_code, error_string,
&error_bytes);
if (!ret) {
return False;
}
k5_error_bytes.data = error_bytes.data;
k5_error_bytes.length = error_bytes.length;
kret = krb5_mk_error(kdc->smb_krb5_context->krb5_context,
result_code, NULL, &k5_error_bytes,
NULL, NULL, NULL, NULL, &k5_error_blob);
if (kret) {
return False;
}
*error_blob = data_blob_talloc(mem_ctx, k5_error_blob.data, k5_error_blob.length);
krb5_data_free(&k5_error_blob);
if (!error_blob->data) {
return False;
}
return True;
}
static BOOL kpasswd_make_pwchange_reply(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
NTSTATUS status,
enum samr_RejectReason reject_reason,
struct samr_DomInfo1 *dominfo,
DATA_BLOB *error_blob)
{
if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_ACCESSDENIED,
"No such user when changing password",
error_blob);
}
if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_ACCESSDENIED,
"Not permitted to change password",
error_blob);
}
if (dominfo && NT_STATUS_EQUAL(status, NT_STATUS_PASSWORD_RESTRICTION)) {
const char *reject_string;
switch (reject_reason) {
case SAMR_REJECT_TOO_SHORT:
reject_string = talloc_asprintf(mem_ctx, "Password too short, password must be at least %d characters long",
dominfo->min_password_length);
break;
case SAMR_REJECT_COMPLEXITY:
reject_string = "Password does not meet complexity requirements";
break;
case SAMR_REJECT_IN_HISTORY:
reject_string = "Password is already in password history";
break;
case SAMR_REJECT_OTHER:
default:
reject_string = talloc_asprintf(mem_ctx, "Password must be at least %d characters long, and cannot match any of your %d previous passwords",
dominfo->min_password_length, dominfo->password_history_length);
break;
}
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_SOFTERROR,
reject_string,
error_blob);
}
if (!NT_STATUS_IS_OK(status)) {
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
talloc_asprintf(mem_ctx, "failed to set password: %s", nt_errstr(status)),
error_blob);
}
return kpasswdd_make_error_reply(kdc, mem_ctx, KRB5_KPASSWD_SUCCESS,
"Password changed",
error_blob);
}
/*
A user password change
Return true if there is a valid error packet (or sucess) formed in
the error_blob
*/
static BOOL kpasswdd_change_password(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
struct auth_session_info *session_info,
const char *password,
DATA_BLOB *reply)
{
NTSTATUS status;
enum samr_RejectReason reject_reason;
struct samr_DomInfo1 *dominfo;
struct ldb_context *samdb;
samdb = samdb_connect(mem_ctx, system_session(mem_ctx));
if (!samdb) {
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
"Failed to open samdb",
reply);
}
DEBUG(3, ("Changing password of %s\\%s (%s)\n",
session_info->server_info->domain_name,
session_info->server_info->account_name,
dom_sid_string(mem_ctx, session_info->security_token->user_sid)));
/* User password change */
status = samdb_set_password_sid(samdb, mem_ctx,
session_info->security_token->user_sid,
password, NULL, NULL,
True, /* this is a user password change */
True, /* run restriction tests */
&reject_reason,
&dominfo);
return kpasswd_make_pwchange_reply(kdc, mem_ctx,
status,
reject_reason,
dominfo,
reply);
}
static BOOL kpasswd_process_request(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
struct gensec_security *gensec_security,
uint16_t version,
DATA_BLOB *input,
DATA_BLOB *reply)
{
struct auth_session_info *session_info;
if (!NT_STATUS_IS_OK(gensec_session_info(gensec_security,
&session_info))) {
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
"gensec_session_info failed!",
reply);
}
switch (version) {
case KRB5_KPASSWD_VERS_CHANGEPW:
{
char *password = talloc_strndup(mem_ctx, (const char *)input->data, input->length);
if (!password) {
return False;
}
return kpasswdd_change_password(kdc, mem_ctx, session_info,
password, reply);
break;
}
case KRB5_KPASSWD_VERS_SETPW:
{
NTSTATUS status;
enum samr_RejectReason reject_reason = SAMR_REJECT_OTHER;
struct samr_DomInfo1 *dominfo = NULL;
struct ldb_context *samdb;
struct ldb_message *msg;
krb5_context context = kdc->smb_krb5_context->krb5_context;
ChangePasswdDataMS chpw;
char *password;
krb5_principal principal;
char *set_password_on_princ;
struct ldb_dn *set_password_on_dn;
size_t len;
int ret;
msg = ldb_msg_new(mem_ctx);
if (!msg) {
return False;
}
ret = decode_ChangePasswdDataMS(input->data, input->length,
&chpw, &len);
if (ret) {
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_MALFORMED,
"failed to decode password change structure",
reply);
}
password = talloc_strndup(mem_ctx, chpw.newpasswd.data,
chpw.newpasswd.length);
if (!password) {
free_ChangePasswdDataMS(&chpw);
return False;
}
if ((chpw.targname && !chpw.targrealm)
|| (!chpw.targname && chpw.targrealm)) {
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_MALFORMED,
"Realm and principal must be both present, or neither present",
reply);
}
if (chpw.targname && chpw.targrealm) {
if (_krb5_principalname2krb5_principal(kdc->smb_krb5_context->krb5_context,
&principal, *chpw.targname,
*chpw.targrealm) != 0) {
free_ChangePasswdDataMS(&chpw);
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_MALFORMED,
"failed to extract principal to set",
reply);
}
} else {
free_ChangePasswdDataMS(&chpw);
return kpasswdd_change_password(kdc, mem_ctx, session_info,
password, reply);
}
free_ChangePasswdDataMS(&chpw);
if (krb5_unparse_name(context, principal, &set_password_on_princ) != 0) {
krb5_free_principal(context, principal);
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_MALFORMED,
"krb5_unparse_name failed!",
reply);
}
krb5_free_principal(context, principal);
samdb = samdb_connect(mem_ctx, session_info);
if (!samdb) {
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
"Unable to open database!",
reply);
}
DEBUG(3, ("%s\\%s (%s) is changing password of %s\n",
session_info->server_info->domain_name,
session_info->server_info->account_name,
dom_sid_string(mem_ctx, session_info->security_token->user_sid),
set_password_on_princ));
ret = ldb_transaction_start(samdb);
if (ret) {
status = NT_STATUS_TRANSACTION_ABORTED;
return kpasswd_make_pwchange_reply(kdc, mem_ctx,
status,
SAMR_REJECT_OTHER,
NULL,
reply);
}
status = crack_user_principal_name(samdb, mem_ctx,
set_password_on_princ,
&set_password_on_dn, NULL);
free(set_password_on_princ);
if (!NT_STATUS_IS_OK(status)) {
ldb_transaction_cancel(samdb);
return kpasswd_make_pwchange_reply(kdc, mem_ctx,
status,
SAMR_REJECT_OTHER,
NULL,
reply);
}
msg = ldb_msg_new(mem_ctx);
if (msg == NULL) {
ldb_transaction_cancel(samdb);
status = NT_STATUS_NO_MEMORY;
} else {
msg->dn = ldb_dn_copy(msg, set_password_on_dn);
if (!msg->dn) {
status = NT_STATUS_NO_MEMORY;
}
}
if (NT_STATUS_IS_OK(status)) {
/* Admin password set */
status = samdb_set_password(samdb, mem_ctx,
set_password_on_dn, NULL,
msg, password, NULL, NULL,
False, /* this is not a user password change */
True, /* run restriction tests */
&reject_reason, &dominfo);
}
if (NT_STATUS_IS_OK(status)) {
/* modify the samdb record */
ret = samdb_replace(samdb, mem_ctx, msg);
if (ret != 0) {
DEBUG(2,("Failed to modify record to set password on %s: %s\n",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(samdb)));
status = NT_STATUS_ACCESS_DENIED;
}
}
if (NT_STATUS_IS_OK(status)) {
ret = ldb_transaction_commit(samdb);
if (ret != 0) {
DEBUG(1,("Failed to commit transaction to set password on %s: %s\n",
ldb_dn_get_linearized(msg->dn),
ldb_errstring(samdb)));
status = NT_STATUS_TRANSACTION_ABORTED;
}
} else {
ldb_transaction_cancel(samdb);
}
return kpasswd_make_pwchange_reply(kdc, mem_ctx,
status,
reject_reason,
dominfo,
reply);
}
default:
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_BAD_VERSION,
talloc_asprintf(mem_ctx,
"Protocol version %u not supported",
version),
reply);
}
return True;
}
BOOL kpasswdd_process(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
DATA_BLOB *input,
DATA_BLOB *reply,
struct socket_address *peer_addr,
struct socket_address *my_addr,
int datagram_reply)
{
BOOL ret;
const uint16_t header_len = 6;
uint16_t len;
uint16_t ap_req_len;
uint16_t krb_priv_len;
uint16_t version;
NTSTATUS nt_status;
DATA_BLOB ap_req, krb_priv_req;
DATA_BLOB krb_priv_rep = data_blob(NULL, 0);
DATA_BLOB ap_rep = data_blob(NULL, 0);
DATA_BLOB kpasswd_req, kpasswd_rep;
struct cli_credentials *server_credentials;
struct gensec_security *gensec_security;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) {
return False;
}
/* Be parinoid. We need to ensure we don't just let the
* caller lead us into a buffer overflow */
if (input->length <= header_len) {
talloc_free(tmp_ctx);
return False;
}
len = RSVAL(input->data, 0);
if (input->length != len) {
talloc_free(tmp_ctx);
return False;
}
/* There are two different versions of this protocol so far,
* plus others in the standards pipe. Fortunetly they all
* take a very similar framing */
version = RSVAL(input->data, 2);
ap_req_len = RSVAL(input->data, 4);
if ((ap_req_len >= len) || (ap_req_len + header_len) >= len) {
talloc_free(tmp_ctx);
return False;
}
krb_priv_len = len - ap_req_len;
ap_req = data_blob_const(&input->data[header_len], ap_req_len);
krb_priv_req = data_blob_const(&input->data[header_len + ap_req_len], krb_priv_len);
nt_status = gensec_server_start(tmp_ctx, kdc->task->event_ctx, kdc->task->msg_ctx, &gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return False;
}
server_credentials = cli_credentials_init(tmp_ctx);
if (!server_credentials) {
DEBUG(1, ("Failed to init server credentials\n"));
return False;
}
/* We want the credentials subsystem to use the krb5 context
* we already have, rather than a new context */
cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context);
cli_credentials_set_conf(server_credentials);
nt_status = cli_credentials_set_stored_principal(server_credentials, "kadmin/changepw");
if (!NT_STATUS_IS_OK(nt_status)) {
ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
talloc_asprintf(mem_ctx,
"Failed to obtain server credentials for kadmin/changepw: %s\n",
nt_errstr(nt_status)),
&krb_priv_rep);
ap_rep.length = 0;
if (ret) {
goto reply;
}
talloc_free(tmp_ctx);
return ret;
}
nt_status = gensec_set_credentials(gensec_security, server_credentials);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return False;
}
/* The kerberos PRIV packets include these addresses. MIT
* clients check that they are present */
nt_status = gensec_set_peer_addr(gensec_security, peer_addr);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return False;
}
nt_status = gensec_set_my_addr(gensec_security, my_addr);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return False;
}
/* We want the GENSEC wrap calls to generate PRIV tokens */
gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
nt_status = gensec_start_mech_by_name(gensec_security, "krb5");
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return False;
}
/* Accept the AP-REQ and generate teh AP-REP we need for the reply */
nt_status = gensec_update(gensec_security, tmp_ctx, ap_req, &ap_rep);
if (!NT_STATUS_IS_OK(nt_status) && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
talloc_asprintf(mem_ctx,
"gensec_update failed: %s",
nt_errstr(nt_status)),
&krb_priv_rep);
ap_rep.length = 0;
if (ret) {
goto reply;
}
talloc_free(tmp_ctx);
return ret;
}
/* Extract the data from the KRB-PRIV half of the message */
nt_status = gensec_unwrap(gensec_security, tmp_ctx, &krb_priv_req, &kpasswd_req);
if (!NT_STATUS_IS_OK(nt_status)) {
ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
talloc_asprintf(mem_ctx,
"gensec_unwrap failed: %s",
nt_errstr(nt_status)),
&krb_priv_rep);
ap_rep.length = 0;
if (ret) {
goto reply;
}
talloc_free(tmp_ctx);
return ret;
}
/* Figure out something to do with it (probably changing a password...) */
ret = kpasswd_process_request(kdc, tmp_ctx,
gensec_security,
version,
&kpasswd_req, &kpasswd_rep);
if (!ret) {
/* Argh! */
return False;
}
/* And wrap up the reply: This ensures that the error message
* or success can be verified by the client */
nt_status = gensec_wrap(gensec_security, tmp_ctx,
&kpasswd_rep, &krb_priv_rep);
if (!NT_STATUS_IS_OK(nt_status)) {
ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
talloc_asprintf(mem_ctx,
"gensec_wrap failed: %s",
nt_errstr(nt_status)),
&krb_priv_rep);
ap_rep.length = 0;
if (ret) {
goto reply;
}
talloc_free(tmp_ctx);
return ret;
}
reply:
*reply = data_blob_talloc(mem_ctx, NULL, krb_priv_rep.length + ap_rep.length + header_len);
if (!reply->data) {
return False;
}
RSSVAL(reply->data, 0, reply->length);
RSSVAL(reply->data, 2, 1); /* This is a version 1 reply, MS change/set or otherwise */
RSSVAL(reply->data, 4, ap_rep.length);
memcpy(reply->data + header_len,
ap_rep.data,
ap_rep.length);
memcpy(reply->data + header_len + ap_rep.length,
krb_priv_rep.data,
krb_priv_rep.length);
talloc_free(tmp_ctx);
return ret;
}
Samba/source/kdc/pac-glue.c
+379
View File
@@ -0,0 +1,379 @@
/*
Unix SMB/CIFS implementation.
PAC Glue between Samba and the KDC
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#include "kdc/kdc.h"
#include "dsdb/common/flags.h"
#include "lib/ldb/include/ldb.h"
#include "librpc/gen_ndr/krb5pac.h"
#include "auth/auth.h"
#include "auth/auth_sam.h"
struct krb5_dh_moduli;
struct _krb5_krb_auth_data;
#include "heimdal/lib/krb5/krb5_locl.h"
/* Given the right private pointer from hdb_ldb, get a PAC from the attached ldb messages */
static krb5_error_code samba_get_pac(krb5_context context,
struct hdb_ldb_private *private,
krb5_principal client,
const krb5_keyblock *krbtgt_keyblock,
const krb5_keyblock *server_keyblock,
time_t tgs_authtime,
krb5_data *pac)
{
krb5_error_code ret;
NTSTATUS nt_status;
struct auth_serversupplied_info *server_info;
DATA_BLOB tmp_blob;
TALLOC_CTX *mem_ctx = talloc_named(private, 0, "samba_get_pac context");
if (!mem_ctx) {
return ENOMEM;
}
nt_status = authsam_make_server_info(mem_ctx, private->samdb,
private->msg,
private->realm_ref_msg,
data_blob(NULL, 0),
data_blob(NULL, 0),
&server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0, ("Getting user info for PAC failed: %s\n",
nt_errstr(nt_status)));
return ENOMEM;
}
ret = kerberos_create_pac(mem_ctx, server_info,
context,
krbtgt_keyblock,
server_keyblock,
client,
tgs_authtime,
&tmp_blob);
if (ret) {
DEBUG(1, ("PAC encoding failed: %s\n",
smb_get_krb5_error_message(context, ret, mem_ctx)));
talloc_free(mem_ctx);
return ret;
}
ret = krb5_data_copy(pac, tmp_blob.data, tmp_blob.length);
talloc_free(mem_ctx);
return ret;
}
/* Wrap the PAC in the right ASN.1. Will always free 'pac', on success or failure */
static krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData **out)
{
krb5_error_code ret;
unsigned char *buf;
size_t buf_size;
size_t len;
AD_IF_RELEVANT if_relevant;
AuthorizationData *auth_data;
if_relevant.len = 1;
if_relevant.val = malloc(sizeof(*if_relevant.val));
if (!if_relevant.val) {
krb5_data_free(pac);
*out = NULL;
return ENOMEM;
}
if_relevant.val[0].ad_type = KRB5_AUTHDATA_WIN2K_PAC;
if_relevant.val[0].ad_data.data = NULL;
if_relevant.val[0].ad_data.length = 0;
/* pac.data will be freed with this */
if_relevant.val[0].ad_data.data = pac->data;
if_relevant.val[0].ad_data.length = pac->length;
ASN1_MALLOC_ENCODE(AuthorizationData, buf, buf_size, &if_relevant, &len, ret);
free_AuthorizationData(&if_relevant);
if (ret) {
*out = NULL;
return ret;
}
auth_data = malloc(sizeof(*auth_data));
if (!auth_data) {
free(buf);
*out = NULL;
return ret;
}
auth_data->len = 1;
auth_data->val = malloc(sizeof(*auth_data->val));
if (!auth_data->val) {
free(buf);
free(auth_data);
*out = NULL;
return ret;
}
auth_data->val[0].ad_type = KRB5_AUTHDATA_IF_RELEVANT;
auth_data->val[0].ad_data.length = len;
auth_data->val[0].ad_data.data = buf;
*out = auth_data;
return 0;
}
/* Given a hdb_entry, create a PAC out of the private data
Don't create it if the client has the UF_NO_AUTH_DATA_REQUIRED bit
set, or if they specificaly asked not to get it.
*/
krb5_error_code hdb_ldb_authz_data_as_req(krb5_context context, struct hdb_entry_ex *entry_ex,
METHOD_DATA* pa_data_seq,
time_t authtime,
const EncryptionKey *tgtkey,
const EncryptionKey *sessionkey,
AuthorizationData **out)
{
krb5_error_code ret;
int i;
krb5_data pac;
krb5_boolean pac_wanted = TRUE;
unsigned int userAccountControl;
struct PA_PAC_REQUEST pac_request;
struct hdb_ldb_private *private = talloc_get_type(entry_ex->ctx, struct hdb_ldb_private);
/* The user account may be set not to want the PAC */
userAccountControl = ldb_msg_find_attr_as_uint(private->msg, "userAccountControl", 0);
if (userAccountControl & UF_NO_AUTH_DATA_REQUIRED) {
*out = NULL;
return 0;
}
/* The user may not want a PAC */
for (i=0; i<pa_data_seq->len; i++) {
if (pa_data_seq->val[i].padata_type == KRB5_PADATA_PA_PAC_REQUEST) {
ret = decode_PA_PAC_REQUEST(pa_data_seq->val[i].padata_value.data,
pa_data_seq->val[i].padata_value.length,
&pac_request, NULL);
if (ret == 0) {
pac_wanted = !!pac_request.include_pac;
}
free_PA_PAC_REQUEST(&pac_request);
break;
}
}
if (!pac_wanted) {
*out = NULL;
return 0;
}
/* Get PAC from Samba */
ret = samba_get_pac(context,
private,
entry_ex->entry.principal,
tgtkey,
tgtkey,
authtime,
&pac);
if (ret) {
*out = NULL;
return ret;
}
return wrap_pac(context, &pac, out);
}
/* Resign (and reform, including possibly new groups) a PAC */
krb5_error_code hdb_ldb_authz_data_tgs_req(krb5_context context, struct hdb_entry_ex *entry_ex,
krb5_principal client,
AuthorizationData *in,
time_t authtime,
const EncryptionKey *tgtkey,
const EncryptionKey *servicekey,
const EncryptionKey *sessionkey,
AuthorizationData **out)
{
NTSTATUS nt_status;
krb5_error_code ret;
unsigned int userAccountControl;
struct hdb_ldb_private *private = talloc_get_type(entry_ex->ctx, struct hdb_ldb_private);
krb5_data k5pac_in, k5pac_out;
DATA_BLOB pac_in, pac_out;
struct PAC_LOGON_INFO *logon_info;
union netr_Validation validation;
struct auth_serversupplied_info *server_info_out;
krb5_boolean found = FALSE;
TALLOC_CTX *mem_ctx;
/* The service account may be set not to want the PAC */
userAccountControl = ldb_msg_find_attr_as_uint(private->msg, "userAccountControl", 0);
if (userAccountControl & UF_NO_AUTH_DATA_REQUIRED) {
*out = NULL;
return 0;
}
ret = _krb5_find_type_in_ad(context, KRB5_AUTHDATA_WIN2K_PAC,
&k5pac_in, &found, sessionkey, in);
if (ret || !found) {
*out = NULL;
return 0;
}
mem_ctx = talloc_new(private);
if (!mem_ctx) {
krb5_data_free(&k5pac_in);
*out = NULL;
return ENOMEM;
}
pac_in = data_blob_talloc(mem_ctx, k5pac_in.data, k5pac_in.length);
krb5_data_free(&k5pac_in);
if (!pac_in.data) {
talloc_free(mem_ctx);
*out = NULL;
return ENOMEM;
}
/* Parse the PAC again, for the logon info */
nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info,
pac_in,
context,
tgtkey,
tgtkey,
client, authtime,
&ret);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("Failed to parse PAC in TGT: %s/%s\n",
nt_errstr(nt_status), error_message(ret)));
talloc_free(mem_ctx);
*out = NULL;
return ret;
}
/* Pull this right into the normal auth sysstem structures */
validation.sam3 = &logon_info->info3;
nt_status = make_server_info_netlogon_validation(mem_ctx,
"",
3, &validation,
&server_info_out);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
*out = NULL;
return ENOMEM;
}
/* And make a new PAC, possibly containing new groups */
ret = kerberos_create_pac(mem_ctx,
server_info_out,
context,
tgtkey,
servicekey,
client,
authtime,
&pac_out);
if (ret != 0) {
talloc_free(mem_ctx);
*out = NULL;
return ret;
}
ret = krb5_data_copy(&k5pac_out, pac_out.data, pac_out.length);
if (ret != 0) {
talloc_free(mem_ctx);
*out = NULL;
return ret;
}
return wrap_pac(context, &k5pac_out, out);
}
/* Given an hdb entry (and in particular it's private member), consult
* the account_ok routine in auth/auth_sam.c for consistancy */
krb5_error_code hdb_ldb_check_client_access(krb5_context context, hdb_entry_ex *entry_ex,
HostAddresses *addresses)
{
krb5_error_code ret;
NTSTATUS nt_status;
TALLOC_CTX *tmp_ctx = talloc_new(entry_ex->ctx);
struct hdb_ldb_private *private = talloc_get_type(entry_ex->ctx, struct hdb_ldb_private);
char *name, *workstation = NULL;
int i;
if (!tmp_ctx) {
return ENOMEM;
}
ret = krb5_unparse_name(context, entry_ex->entry.principal, &name);
if (ret != 0) {
talloc_free(tmp_ctx);
return ret;
}
if (addresses) {
for (i=0; i < addresses->len; i++) {
if (addresses->val->addr_type == KRB5_ADDRESS_NETBIOS) {
workstation = talloc_strndup(tmp_ctx, addresses->val->address.data, MIN(addresses->val->address.length, 15));
if (workstation) {
break;
}
}
}
}
/* Strip space padding */
if (workstation) {
i = MIN(strlen(workstation), 15);
for (; i > 0 && workstation[i - 1] == ' '; i--) {
workstation[i - 1] = '\0';
}
}
nt_status = authsam_account_ok(tmp_ctx,
private->samdb,
MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
private->msg,
private->realm_ref_msg,
workstation,
name);
free(name);
/* TODO: Need a more complete mapping of NTSTATUS to krb5kdc errors */
if (!NT_STATUS_IS_OK(nt_status)) {
return KRB5KDC_ERR_POLICY;
}
return 0;
}
Samba/source/kdc/pac-glue.h
+47
View File
@@ -0,0 +1,47 @@
/*
Unix SMB/CIFS implementation.
PAC Glue between Samba and the KDC
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
struct hdb_ldb_private {
struct ldb_context *samdb;
struct ldb_message *msg;
struct ldb_message *realm_ref_msg;
hdb_entry_ex *entry_ex;
};
krb5_error_code hdb_ldb_authz_data_as_req(krb5_context context, struct hdb_entry_ex *entry_ex,
METHOD_DATA* pa_data_seq,
time_t authtime,
const EncryptionKey *tgtkey,
const EncryptionKey *sessionkey,
AuthorizationData **out);
krb5_error_code hdb_ldb_authz_data_tgs_req(krb5_context context, struct hdb_entry_ex *entry_ex,
krb5_principal client,
AuthorizationData *in,
time_t authtime,
const EncryptionKey *tgtkey,
const EncryptionKey *servicekey,
const EncryptionKey *sessionkey,
AuthorizationData **out);
krb5_error_code hdb_ldb_check_client_access(krb5_context context, hdb_entry_ex *entry_ex,
HostAddresses *addresses);