static realm_type
default_realm(krb5_context ctx)
{
char *realm = NULL;
krb5_error_code code;
krb5_data *realm_data;
realm_data = calloc(1, sizeof(krb5_data));
if (realm_data == NULL)
return NULL;
code = krb5_get_default_realm(ctx, &realm);
if (code != 0) {
free(realm);
return NULL;
}
realm_data->magic = KV5M_DATA;
realm_data->data = strdup(realm);
if (realm_data->data == NULL) {
free(realm_data);
krb5_free_default_realm(ctx, realm);
return NULL;
}
realm_data->length = strlen(realm);
krb5_free_default_realm(ctx, realm);
return realm_data;
}
int
main(int argc, char **argv)
{
int fd, database_fd, database_size;
krb5_error_code retval;
krb5_context context;
krb5_creds *my_creds;
krb5_auth_context auth_context;
setlocale(LC_ALL, "");
retval = krb5_init_context(&context);
if (retval) {
com_err(argv[0], retval, _("while initializing krb5"));
exit(1);
}
parse_args(context, argc, argv);
get_tickets(context);
database_fd = open_database(context, file, &database_size);
open_connection(context, slave_host, &fd);
kerberos_authenticate(context, &auth_context, fd, my_principal, &my_creds);
xmit_database(context, auth_context, my_creds, fd, database_fd,
database_size);
update_last_prop_file(slave_host, file);
printf(_("Database propagation to %s: SUCCEEDED\n"), slave_host);
krb5_free_cred_contents(context, my_creds);
close_database(context, database_fd);
krb5_free_default_realm(context, def_realm);
exit(0);
}
/*
* Find the realm for given hostname
*/
int do_realm(char *hostname) {
krb5_error_code retval;
char **realm;
if (hostname) {
retval = krb5_get_host_realm(ctx, hostname, &realm);
if (retval) {
com_err(progname, retval, "while obtaining realm for %s", hostname);
exit(1);
}
printf("%s\n", *realm);
krb5_free_host_realm(ctx, realm);
} else {
realm = malloc(sizeof(realm));
retval = krb5_get_default_realm(ctx, realm);
if (retval) {
com_err(progname, retval, "while obtaining default realm");
exit(1);
}
printf("%s\n", *realm);
krb5_free_default_realm(ctx, *realm);
free(realm);
}
return 0;
}
void sess_finalize(struct rekey_session *sess)
{
OM_uint32 min;
if (sess->state == REKEY_SESSION_SENDING)
prtmsg("warning: session closed before reply sent");
if (sess->ssl) {
SSL_shutdown(sess->ssl);
SSL_free(sess->ssl);
}
if (sess->kadm_handle)
kadm5_destroy(sess->kadm_handle);
if (sess->realm) {
#if defined(HAVE_KRB5_REALM)
krb5_xfree(sess->realm);
#else
krb5_free_default_realm(sess->kctx, sess->realm);
#endif
}
if (sess->princ)
krb5_free_principal(sess->kctx, sess->princ);
if (sess->kctx)
krb5_free_context(sess->kctx);
if (sess->gctx)
(void)gss_delete_sec_context(&min, &sess->gctx, GSS_C_NO_BUFFER);
if (sess->name)
(void)gss_release_name(&min, &sess->name);
if (sess->dbh)
sqlite3_close(sess->dbh);
free(sess->hostname);
free(sess->plain_name);
memset(&sess, 0, sizeof(sess));
}
static isc_result_t
check_credentials(krb5_context context, krb5_ccache ccache, krb5_principal service)
{
char *realm = NULL;
krb5_creds creds;
krb5_creds mcreds;
krb5_error_code krberr;
krb5_timestamp now;
isc_result_t result = ISC_R_FAILURE;
memset(&mcreds, 0, sizeof(mcreds));
memset(&creds, 0, sizeof(creds));
krberr = krb5_get_default_realm(context, &realm);
CHECK_KRB5(context, krberr, "Failed to retrieve default realm");
krberr = krb5_build_principal(context, &mcreds.server,
strlen(realm), realm,
"krbtgt", realm, NULL);
CHECK_KRB5(context, krberr, "Failed to build 'krbtgt/REALM' principal");
mcreds.client = service;
krberr = krb5_cc_retrieve_cred(context, ccache, 0, &mcreds, &creds);
if (krberr) {
const char * errmsg = krb5_get_error_message(context, krberr);
log_error("Credentials are not present in cache (%s)\n", errmsg);
krb5_free_error_message(context, errmsg);
result = ISC_R_FAILURE;
goto cleanup;
}
CHECK_KRB5(context, krberr, "Credentials are not present in cache ");
krberr = krb5_timeofday(context, &now);
CHECK_KRB5(context, krberr, "Failed to get time of day");
if (now > (creds.times.endtime + KRB_MIN_TIME)) {
log_error("Credentials cache expired");
result = ISC_R_FAILURE;
goto cleanup;
} else {
char buf[255];
char fill = ' ';
krb5_timestamp_to_sfstring(creds.times.endtime, buf, 16, &fill);
log_info("Credentials valid til %s\n", buf);
}
result = ISC_R_SUCCESS;
cleanup:
krb5_free_cred_contents(context, &creds);
if (mcreds.server) krb5_free_principal(context, mcreds.server);
if (realm) krb5_free_default_realm(context, realm);
return result;
}
/*
* Find the admin server for the given realm. If the realm is null or
* the empty string, find the admin server for the default realm.
* Returns 0 on succsess (KADM5_OK). It is the callers responsibility to
* free the storage allocated to the admin server, master.
*/
kadm5_ret_t
kadm5_get_master(krb5_context context, const char *realm, char **master)
{
/* Solaris Kerberos */
char *def_realm = NULL;
char *delim;
#ifdef KRB5_DNS_LOOKUP
struct sockaddr *addrs;
int naddrs;
unsigned short dns_portno;
char dns_host[MAX_DNS_NAMELEN];
krb5_data dns_realm;
krb5_error_code dns_ret = 1;
#endif /* KRB5_DNS_LOOKUP */
if (realm == 0 || *realm == '\0')
krb5_get_default_realm(context, &def_realm);
(void) profile_get_string(context->profile, "realms",
realm ? realm : def_realm,
KADM5_MASTER, 0, master);
if ((*master != NULL) && ((delim = strchr(*master, ':')) != NULL))
*delim = '\0';
#ifdef KRB5_DNS_LOOKUP
if (*master == NULL) {
/*
* Initialize realm info for (possible) DNS lookups.
*/
dns_realm.data = strdup(realm ? realm : def_realm);
dns_realm.length = strlen(realm ? realm : def_realm);
dns_realm.magic = 0;
dns_ret = krb5_get_servername(context, &dns_realm,
"_kerberos-adm", "_udp",
dns_host, &dns_portno);
if (dns_ret == 0)
*master = strdup(dns_host);
if (dns_realm.data)
free(dns_realm.data);
}
#endif /* KRB5_DNS_LOOKUP */
/* Solaris Kerberos */
if (def_realm != NULL)
krb5_free_default_realm(context, def_realm);
return (*master ? KADM5_OK : KADM5_NO_SRV);
}
void free_ipapwd_krbcfg(struct ipapwd_krbcfg **cfg)
{
struct ipapwd_krbcfg *c = *cfg;
if (!c) return;
krb5_free_default_realm(c->krbctx, c->realm);
krb5_free_context(c->krbctx);
free(c->kmkey->contents);
free(c->kmkey);
free(c->supp_encsalts);
free(c->pref_encsalts);
slapi_ch_array_free(c->passsync_mgrs);
free(c);
*cfg = NULL;
};
krb5_error_code KRB5_CALLCONV
krb5_get_fallback_host_realm(krb5_context context, krb5_data *hdata,
char ***realms_out)
{
krb5_error_code ret;
struct hostrealm_module_handle **hp;
char **realms, *defrealm, *host, cleanname[1024];
*realms_out = NULL;
/* Convert hdata into a string and clean it. */
host = k5memdup0(hdata->data, hdata->length, &ret);
if (host == NULL)
return ret;
ret = k5_clean_hostname(context, host, cleanname, sizeof(cleanname));
free(host);
if (ret)
return ret;
if (context->hostrealm_handles == NULL) {
ret = load_hostrealm_modules(context);
if (ret)
return ret;
}
/* Give each module a chance to determine the fallback realms. */
for (hp = context->hostrealm_handles; *hp != NULL; hp++) {
ret = fallback_realm(context, *hp, cleanname, &realms);
if (ret == 0) {
ret = copy_list(realms, realms_out);
free_list(context, *hp, realms);
return ret;
} else if (ret != KRB5_PLUGIN_NO_HANDLE) {
return ret;
}
}
/* Return a list containing the default realm. */
ret = krb5_get_default_realm(context, &defrealm);
if (ret)
return ret;
ret = k5_make_realmlist(defrealm, realms_out);
krb5_free_default_realm(context, defrealm);
return ret;
}
/*
* Test whether anonymous authentication works. If this doesn't, we need to
* skip the tests of anonymous FAST.
*/
static bool
anon_fast_works(void)
{
krb5_context ctx;
krb5_error_code retval;
krb5_principal princ = NULL;
char *realm;
krb5_creds creds;
krb5_get_init_creds_opt *opts = NULL;
/* Construct the anonymous principal name. */
retval = krb5_init_context(&ctx);
if (retval != 0)
bail("cannot initialize Kerberos");
retval = krb5_get_default_realm(ctx, &realm);
if (retval != 0)
bail("cannot get default realm");
retval = krb5_build_principal_ext(ctx, &princ, strlen(realm), realm,
strlen(KRB5_WELLKNOWN_NAME), KRB5_WELLKNOWN_NAME,
strlen(KRB5_ANON_NAME), KRB5_ANON_NAME, NULL);
if (retval != 0)
bail("cannot construct anonymous principal");
krb5_free_default_realm(ctx, realm);
/* Obtain the credentials. */
memset(&creds, 0, sizeof(creds));
retval = krb5_get_init_creds_opt_alloc(ctx, &opts);
if (retval != 0)
bail("cannot create credential options");
krb5_get_init_creds_opt_set_anonymous(opts, 1);
krb5_get_init_creds_opt_set_tkt_life(opts, 60);
retval = krb5_get_init_creds_password(ctx, &creds, princ, NULL, NULL,
NULL, 0, NULL, opts);
/* Clean up. */
if (princ != NULL)
krb5_free_principal(ctx, princ);
if (opts != NULL)
krb5_get_init_creds_opt_free(ctx, opts);
krb5_free_cred_contents(ctx, &creds);
return (retval == 0);
}
DWORD
LwKrb5GetDefaultRealm(
PSTR* ppszRealm
)
{
DWORD dwError = 0;
krb5_context ctx = NULL;
PSTR pszKrb5Realm = NULL;
PSTR pszRealm = NULL;
krb5_init_context(&ctx);
krb5_get_default_realm(ctx, &pszKrb5Realm);
if (LW_IS_NULL_OR_EMPTY_STR(pszKrb5Realm)) {
dwError = LW_ERROR_NO_DEFAULT_REALM;
BAIL_ON_LW_ERROR(dwError);
}
dwError = LwAllocateString(pszKrb5Realm, &pszRealm);
BAIL_ON_LW_ERROR(dwError);
*ppszRealm = pszRealm;
cleanup:
if (pszKrb5Realm)
{
krb5_free_default_realm(ctx, pszKrb5Realm);
}
krb5_free_context(ctx);
return(dwError);
error:
*ppszRealm = NULL;
LW_SAFE_FREE_STRING(pszRealm);
goto cleanup;
}
krb5_error_code KRB5_CALLCONV
krb5_kt_get_entry(krb5_context context, krb5_keytab keytab,
krb5_const_principal principal, krb5_kvno vno,
krb5_enctype enctype, krb5_keytab_entry *entry)
{
krb5_error_code err;
krb5_principal_data princ_data;
if (krb5_is_referral_realm(&principal->realm)) {
char *realm;
princ_data = *principal;
principal = &princ_data;
err = krb5_get_default_realm(context, &realm);
if (err)
return err;
princ_data.realm.data = realm;
princ_data.realm.length = strlen(realm);
}
err = krb5_x((keytab)->ops->get,(context, keytab, principal, vno, enctype,
entry));
if (principal == &princ_data)
krb5_free_default_realm(context, princ_data.realm.data);
return err;
}
static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
const char *realm_str,
const char *princ_str,
const char *keytab_name,
const krb5_deltat lifetime,
const char **ccname_out,
time_t *expire_time_out)
{
char *ccname;
char *realm_name = NULL;
char *full_princ = NULL;
char *default_realm = NULL;
char *tmp_str = NULL;
krb5_context context = NULL;
krb5_keytab keytab = NULL;
krb5_ccache ccache = NULL;
krb5_principal kprinc;
krb5_creds my_creds;
krb5_get_init_creds_opt options;
krb5_error_code krberr;
krb5_timestamp kdc_time_offset;
int canonicalize = 0;
int kdc_time_offset_usec;
int ret;
krberr = krb5_init_context(&context);
if (krberr) {
DEBUG(SSSDBG_OP_FAILURE, ("Failed to init kerberos context\n"));
return krberr;
}
DEBUG(SSSDBG_TRACE_INTERNAL, ("Kerberos context initialized\n"));
krberr = set_child_debugging(context);
if (krberr != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, ("Cannot set krb5_child debugging\n"));
}
if (!realm_str) {
krberr = krb5_get_default_realm(context, &default_realm);
if (krberr) {
DEBUG(SSSDBG_OP_FAILURE, ("Failed to get default realm name: %s\n",
sss_krb5_get_error_message(context, krberr)));
goto done;
}
realm_name = talloc_strdup(memctx, default_realm);
krb5_free_default_realm(context, default_realm);
if (!realm_name) {
krberr = KRB5KRB_ERR_GENERIC;
goto done;
}
} else {
realm_name = talloc_strdup(memctx, realm_str);
if (!realm_name) {
krberr = KRB5KRB_ERR_GENERIC;
goto done;
}
}
DEBUG(SSSDBG_TRACE_INTERNAL, ("got realm_name: [%s]\n", realm_name));
if (princ_str) {
if (!strchr(princ_str, '@')) {
full_princ = talloc_asprintf(memctx, "%s@%s",
princ_str, realm_name);
} else {
full_princ = talloc_strdup(memctx, princ_str);
}
} else {
char hostname[512];
ret = gethostname(hostname, 511);
if (ret == -1) {
krberr = KRB5KRB_ERR_GENERIC;
goto done;
}
hostname[511] = '\0';
DEBUG(SSSDBG_TRACE_LIBS, ("got hostname: [%s]\n", hostname));
ret = select_principal_from_keytab(memctx, hostname, realm_name,
keytab_name, &full_princ, NULL, NULL);
if (ret) {
krberr = KRB5_KT_IOERR;
goto done;
}
}
if (!full_princ) {
krberr = KRB5KRB_ERR_GENERIC;
goto done;
}
DEBUG(SSSDBG_CONF_SETTINGS, ("Principal name is: [%s]\n", full_princ));
krberr = krb5_parse_name(context, full_princ, &kprinc);
if (krberr) {
DEBUG(2, ("Unable to build principal: %s\n",
sss_krb5_get_error_message(context, krberr)));
goto done;
}
if (keytab_name) {
krberr = krb5_kt_resolve(context, keytab_name, &keytab);
} else {
krberr = krb5_kt_default(context, &keytab);
}
DEBUG(SSSDBG_CONF_SETTINGS, ("Using keytab [%s]\n", KEYTAB_CLEAN_NAME));
if (krberr) {
DEBUG(SSSDBG_FATAL_FAILURE,
("Failed to read keytab file [%s]: %s\n",
KEYTAB_CLEAN_NAME,
sss_krb5_get_error_message(context, krberr)));
goto done;
}
/* Verify the keytab */
ret = sss_krb5_verify_keytab_ex(full_princ, keytab_name, context, keytab);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE,
("Unable to verify principal is present in the keytab\n"));
krberr = KRB5_KT_IOERR;
goto done;
}
ccname = talloc_asprintf(memctx, "FILE:%s/ccache_%s", DB_PATH, realm_name);
if (!ccname) {
krberr = KRB5KRB_ERR_GENERIC;
goto done;
}
DEBUG(SSSDBG_TRACE_INTERNAL, ("keytab ccname: [%s]\n", ccname));
krberr = krb5_cc_resolve(context, ccname, &ccache);
if (krberr) {
DEBUG(SSSDBG_OP_FAILURE, ("Failed to set cache name: %s\n",
sss_krb5_get_error_message(context, krberr)));
goto done;
}
memset(&my_creds, 0, sizeof(my_creds));
memset(&options, 0, sizeof(options));
krb5_get_init_creds_opt_set_address_list(&options, NULL);
krb5_get_init_creds_opt_set_forwardable(&options, 0);
krb5_get_init_creds_opt_set_proxiable(&options, 0);
krb5_get_init_creds_opt_set_tkt_life(&options, lifetime);
tmp_str = getenv("KRB5_CANONICALIZE");
if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) {
DEBUG(SSSDBG_CONF_SETTINGS, ("Will canonicalize principals\n"));
canonicalize = 1;
}
sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize);
krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
keytab, 0, NULL, &options);
if (krberr) {
DEBUG(SSSDBG_FATAL_FAILURE,
("Failed to init credentials: %s\n",
sss_krb5_get_error_message(context, krberr)));
sss_log(SSS_LOG_ERR,
"Failed to initialize credentials using keytab [%s]: %s. "
"Unable to create GSSAPI-encrypted LDAP connection.",
KEYTAB_CLEAN_NAME,
sss_krb5_get_error_message(context, krberr));
goto done;
}
DEBUG(SSSDBG_TRACE_INTERNAL, ("credentials initialized\n"));
/* Use updated principal if changed due to canonicalization. */
krberr = krb5_cc_initialize(context, ccache, my_creds.client);
if (krberr) {
DEBUG(SSSDBG_OP_FAILURE, ("Failed to init ccache: %s\n",
sss_krb5_get_error_message(context, krberr)));
goto done;
}
krberr = krb5_cc_store_cred(context, ccache, &my_creds);
if (krberr) {
DEBUG(SSSDBG_OP_FAILURE, ("Failed to store creds: %s\n",
sss_krb5_get_error_message(context, krberr)));
goto done;
}
DEBUG(SSSDBG_TRACE_INTERNAL, ("credentials stored\n"));
#ifdef HAVE_KRB5_GET_TIME_OFFSETS
krberr = krb5_get_time_offsets(context, &kdc_time_offset,
&kdc_time_offset_usec);
if (krberr) {
DEBUG(SSSDBG_OP_FAILURE, ("Failed to get KDC time offset: %s\n",
sss_krb5_get_error_message(context, krberr)));
kdc_time_offset = 0;
} else {
if (kdc_time_offset_usec > 0) {
kdc_time_offset++;
}
}
DEBUG(SSSDBG_TRACE_INTERNAL, ("Got KDC time offset\n"));
#else
/* If we don't have this function, just assume no offset */
kdc_time_offset = 0;
#endif
krberr = 0;
*ccname_out = ccname;
*expire_time_out = my_creds.times.endtime - kdc_time_offset;
done:
if (krberr != 0) KRB5_SYSLOG(krberr);
if (keytab) krb5_kt_close(context, keytab);
if (context) krb5_free_context(context);
return krberr;
}
static struct ipapwd_krbcfg *ipapwd_getConfig(void)
{
krb5_error_code krberr;
struct ipapwd_krbcfg *config = NULL;
krb5_keyblock *kmkey = NULL;
Slapi_Entry *realm_entry = NULL;
Slapi_Entry *config_entry = NULL;
Slapi_Attr *a;
Slapi_Value *v;
BerElement *be = NULL;
ber_tag_t tag, tvno;
ber_int_t ttype;
const struct berval *bval;
struct berval *mkey = NULL;
char **encsalts;
char **tmparray;
char *tmpstr;
int i, ret;
config = calloc(1, sizeof(struct ipapwd_krbcfg));
if (!config) {
LOG_OOM();
goto free_and_error;
}
kmkey = calloc(1, sizeof(krb5_keyblock));
if (!kmkey) {
LOG_OOM();
goto free_and_error;
}
config->kmkey = kmkey;
krberr = krb5_init_context(&config->krbctx);
if (krberr) {
LOG_FATAL("krb5_init_context failed\n");
goto free_and_error;
}
ret = krb5_get_default_realm(config->krbctx, &config->realm);
if (ret) {
LOG_FATAL("Failed to get default realm?!\n");
goto free_and_error;
}
/* get the Realm Container entry */
ret = ipapwd_getEntry(ipa_realm_dn, &realm_entry, NULL);
if (ret != LDAP_SUCCESS) {
LOG_FATAL("No realm Entry?\n");
goto free_and_error;
}
/*** get the Kerberos Master Key ***/
ret = slapi_entry_attr_find(realm_entry, "krbMKey", &a);
if (ret == -1) {
LOG_FATAL("No master key??\n");
goto free_and_error;
}
/* there should be only one value here */
ret = slapi_attr_first_value(a, &v);
if (ret == -1) {
LOG_FATAL("No master key??\n");
goto free_and_error;
}
bval = slapi_value_get_berval(v);
if (!bval) {
LOG_FATAL("Error retrieving master key berval\n");
goto free_and_error;
}
be = ber_init(discard_const(bval));
if (!be) {
LOG_FATAL("ber_init() failed!\n");
goto free_and_error;
}
tag = ber_scanf(be, "{i{iO}}", &tvno, &ttype, &mkey);
if (tag == LBER_ERROR) {
LOG_FATAL("Bad Master key encoding ?!\n");
goto free_and_error;
}
config->mkvno = tvno;
kmkey->magic = KV5M_KEYBLOCK;
kmkey->enctype = ttype;
kmkey->length = mkey->bv_len;
kmkey->contents = malloc(mkey->bv_len);
if (!kmkey->contents) {
LOG_OOM();
goto free_and_error;
}
memcpy(kmkey->contents, mkey->bv_val, mkey->bv_len);
ber_bvfree(mkey);
ber_free(be, 1);
mkey = NULL;
be = NULL;
/*** get the Supported Enc/Salt types ***/
encsalts = slapi_entry_attr_get_charray(realm_entry,
"krbSupportedEncSaltTypes");
if (encsalts) {
for (i = 0; encsalts[i]; i++) /* count */ ;
ret = parse_bval_key_salt_tuples(config->krbctx,
(const char * const *)encsalts, i,
&config->supp_encsalts,
&config->num_supp_encsalts);
slapi_ch_array_free(encsalts);
} else {
LOG("No configured salt types use defaults\n");
for (i = 0; ipapwd_def_encsalts[i]; i++) /* count */ ;
ret = parse_bval_key_salt_tuples(config->krbctx,
ipapwd_def_encsalts, i,
&config->supp_encsalts,
&config->num_supp_encsalts);
}
if (ret) {
LOG_FATAL("Can't get Supported EncSalt Types\n");
goto free_and_error;
}
/*** get the Preferred Enc/Salt types ***/
encsalts = slapi_entry_attr_get_charray(realm_entry,
"krbDefaultEncSaltTypes");
if (encsalts) {
for (i = 0; encsalts[i]; i++) /* count */ ;
ret = parse_bval_key_salt_tuples(config->krbctx,
(const char * const *)encsalts, i,
&config->pref_encsalts,
&config->num_pref_encsalts);
slapi_ch_array_free(encsalts);
} else {
LOG("No configured salt types use defaults\n");
for (i = 0; ipapwd_def_encsalts[i]; i++) /* count */ ;
ret = parse_bval_key_salt_tuples(config->krbctx,
ipapwd_def_encsalts, i,
&config->pref_encsalts,
&config->num_pref_encsalts);
}
if (ret) {
LOG_FATAL("Can't get Preferred EncSalt Types\n");
goto free_and_error;
}
slapi_entry_free(realm_entry);
/* get the Realm Container entry */
ret = ipapwd_getEntry(ipa_pwd_config_dn, &config_entry, NULL);
if (ret != LDAP_SUCCESS) {
LOG_FATAL("No config Entry? Impossible!\n");
goto free_and_error;
}
config->passsync_mgrs =
slapi_entry_attr_get_charray(config_entry, "passSyncManagersDNs");
/* now add Directory Manager, it is always added by default */
tmpstr = slapi_ch_strdup("cn=Directory Manager");
slapi_ch_array_add(&config->passsync_mgrs, tmpstr);
if (config->passsync_mgrs == NULL) {
LOG_OOM();
goto free_and_error;
}
for (i = 0; config->passsync_mgrs[i]; i++) /* count */ ;
config->num_passsync_mgrs = i;
slapi_entry_free(config_entry);
/* get the ipa etc/ipaConfig entry */
config->allow_nt_hash = false;
ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
if (ret != LDAP_SUCCESS) {
LOG_FATAL("No config Entry?\n");
goto free_and_error;
} else {
tmparray = slapi_entry_attr_get_charray(config_entry,
"ipaConfigString");
for (i = 0; tmparray && tmparray[i]; i++) {
if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
config->allow_nt_hash = true;
continue;
}
}
if (tmparray) slapi_ch_array_free(tmparray);
}
slapi_entry_free(config_entry);
return config;
free_and_error:
if (mkey) ber_bvfree(mkey);
if (be) ber_free(be, 1);
if (kmkey) {
free(kmkey->contents);
free(kmkey);
}
if (config) {
if (config->krbctx) {
if (config->realm)
krb5_free_default_realm(config->krbctx, config->realm);
krb5_free_context(config->krbctx);
}
free(config->pref_encsalts);
free(config->supp_encsalts);
slapi_ch_array_free(config->passsync_mgrs);
free(config);
}
slapi_entry_free(config_entry);
slapi_entry_free(realm_entry);
return NULL;
}
int
main()
{
krb5_db_entry *ent;
osa_policy_ent_t pol;
krb5_pa_data **e_data;
const char *status;
char *defrealm;
int count;
CHECK(krb5_init_context_profile(NULL, KRB5_INIT_CONTEXT_KDC, &ctx));
/* Currently necessary for krb5_db_open to work. */
CHECK(krb5_get_default_realm(ctx, &defrealm));
/* If we can, revert to requiring all entries match sample_princ in
* iter_princ_handler */
CHECK_COND(krb5_db_inited(ctx) != 0);
CHECK(krb5_db_create(ctx, NULL));
CHECK(krb5_db_inited(ctx));
CHECK(krb5_db_fini(ctx));
CHECK_COND(krb5_db_inited(ctx) != 0);
CHECK_COND(krb5_db_inited(ctx) != 0);
CHECK(krb5_db_open(ctx, NULL, KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN));
CHECK(krb5_db_inited(ctx));
/* Manipulate a policy, leaving it in place at the end. */
CHECK_COND(krb5_db_put_policy(ctx, &sample_policy) != 0);
CHECK_COND(krb5_db_delete_policy(ctx, polname) != 0);
CHECK_COND(krb5_db_get_policy(ctx, polname, &pol) == KRB5_KDB_NOENTRY);
CHECK(krb5_db_create_policy(ctx, &sample_policy));
CHECK_COND(krb5_db_create_policy(ctx, &sample_policy) != 0);
CHECK(krb5_db_get_policy(ctx, polname, &pol));
check_policy(pol);
pol->pw_min_length--;
CHECK(krb5_db_put_policy(ctx, pol));
krb5_db_free_policy(ctx, pol);
CHECK(krb5_db_get_policy(ctx, polname, &pol));
CHECK_COND(pol->pw_min_length == sample_policy.pw_min_length - 1);
krb5_db_free_policy(ctx, pol);
CHECK(krb5_db_delete_policy(ctx, polname));
CHECK_COND(krb5_db_put_policy(ctx, &sample_policy) != 0);
CHECK_COND(krb5_db_delete_policy(ctx, polname) != 0);
CHECK_COND(krb5_db_get_policy(ctx, polname, &pol) == KRB5_KDB_NOENTRY);
CHECK(krb5_db_create_policy(ctx, &sample_policy));
count = 0;
CHECK(krb5_db_iter_policy(ctx, NULL, iter_pol_handler, &count));
CHECK_COND(count == 1);
/* Create a principal. */
CHECK_COND(krb5_db_delete_principal(ctx, &sample_princ) ==
KRB5_KDB_NOENTRY);
CHECK_COND(krb5_db_get_principal(ctx, &xrealm_princ, 0, &ent) ==
KRB5_KDB_NOENTRY);
CHECK(krb5_db_put_principal(ctx, &sample_entry));
/* Putting again will fail with LDAP (due to KADM5_PRINCIPAL in mask)
* but succeed with DB2, so don't check the result. */
(void)krb5_db_put_principal(ctx, &sample_entry);
/* But it should succeed in both back ends with KADM5_LOAD in mask. */
sample_entry.mask |= KADM5_LOAD;
CHECK(krb5_db_put_principal(ctx, &sample_entry));
sample_entry.mask &= ~KADM5_LOAD;
/* Fetch and compare the added principal. */
CHECK(krb5_db_get_principal(ctx, &sample_princ, 0, &ent));
check_entry(ent);
/* We can't set up a successful allowed-to-delegate check through existing
* APIs yet, but we can make a failed check. */
CHECK_COND(krb5_db_check_allowed_to_delegate(ctx, &sample_princ, ent,
&sample_princ) != 0);
/* Exercise lockout code. */
/* Policy params: max_fail 2, failcnt_interval 60, lockout_duration 120 */
/* Initial state: last_success 1, last_failed 5, fail_auth_count 2,
* last admin unlock 6 */
/* Check succeeds due to last admin unlock. */
CHECK(krb5_db_check_policy_as(ctx, NULL, ent, ent, 7, &status, &e_data));
/* Failure count resets to 1 due to last admin unlock. */
sim_preauth(8, FALSE, &ent);
CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 8);
/* Failure count resets to 1 due to failcnt_interval */
sim_preauth(70, FALSE, &ent);
CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 70);
/* Failure count resets to 0 due to successful preauth. */
sim_preauth(75, TRUE, &ent);
CHECK_COND(ent->fail_auth_count == 0 && ent->last_success == 75);
/* Failure count increments to 2 and stops incrementing. */
sim_preauth(80, FALSE, &ent);
CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 80);
sim_preauth(100, FALSE, &ent);
CHECK_COND(ent->fail_auth_count == 2 && ent->last_failed == 100);
sim_preauth(110, FALSE, &ent);
CHECK_COND(ent->fail_auth_count == 2 && ent->last_failed == 100);
/* Check fails due to reaching maximum failure count. */
CHECK_COND(krb5_db_check_policy_as(ctx, NULL, ent, ent, 170, &status,
&e_data) == KRB5KDC_ERR_CLIENT_REVOKED);
/* Check succeeds after lockout_duration has passed. */
CHECK(krb5_db_check_policy_as(ctx, NULL, ent, ent, 230, &status, &e_data));
/* Failure count resets to 1 on next failure. */
sim_preauth(240, FALSE, &ent);
CHECK_COND(ent->fail_auth_count == 1 && ent->last_failed == 240);
/* Exercise LDAP code to clear a policy reference and to set the key
* data on an existing principal. */
CHECK(krb5_dbe_update_tl_data(ctx, ent, &tl_no_policy));
ent->mask = KADM5_POLICY_CLR | KADM5_KEY_DATA;
CHECK(krb5_db_put_principal(ctx, ent));
CHECK(krb5_db_delete_policy(ctx, polname));
/* Put the modified entry again (with KDB_TL_USER_INFO tl-data for LDAP) as
* from a load operation. */
ent->mask = (sample_entry.mask & ~KADM5_POLICY) | KADM5_LOAD;
CHECK(krb5_db_put_principal(ctx, ent));
/* Exercise LDAP code to create a new principal at a DN from
* KDB_TL_USER_INFO tl-data. */
CHECK(krb5_db_delete_principal(ctx, &sample_princ));
CHECK(krb5_db_put_principal(ctx, ent));
krb5_db_free_principal(ctx, ent);
/* Exercise principal iteration code. */
count = 0;
CHECK(krb5_db_iterate(ctx, "xy*", iter_princ_handler, &count));
CHECK_COND(count == 1);
CHECK(krb5_db_fini(ctx));
CHECK_COND(krb5_db_inited(ctx) != 0);
/* It might be nice to exercise krb5_db_destroy here, but the LDAP module
* doesn't support it. */
krb5_free_default_realm(ctx, defrealm);
krb5_free_context(ctx);
return 0;
}
static void
initialize_realms(krb5_context kcontext, int argc, char **argv)
{
int c;
char *db_name = (char *) NULL;
char *lrealm = (char *) NULL;
char *mkey_name = (char *) NULL;
krb5_error_code retval;
krb5_enctype menctype = ENCTYPE_UNKNOWN;
kdc_realm_t *rdatap = NULL;
krb5_boolean manual = FALSE;
krb5_boolean def_restrict_anon;
char *default_udp_ports = 0;
char *default_tcp_ports = 0;
krb5_pointer aprof;
const char *hierarchy[3];
char *no_refrls = NULL;
char *host_based_srvcs = NULL;
int db_args_size = 0;
char **db_args = NULL;
extern char *optarg;
if (!krb5_aprof_init(DEFAULT_KDC_PROFILE, KDC_PROFILE_ENV, &aprof)) {
hierarchy[0] = KRB5_CONF_KDCDEFAULTS;
hierarchy[1] = KRB5_CONF_KDC_PORTS;
hierarchy[2] = (char *) NULL;
if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &default_udp_ports))
default_udp_ports = 0;
hierarchy[1] = KRB5_CONF_KDC_TCP_PORTS;
if (krb5_aprof_get_string(aprof, hierarchy, TRUE, &default_tcp_ports))
default_tcp_ports = 0;
hierarchy[1] = KRB5_CONF_MAX_DGRAM_REPLY_SIZE;
if (krb5_aprof_get_int32(aprof, hierarchy, TRUE, &max_dgram_reply_size))
max_dgram_reply_size = MAX_DGRAM_SIZE;
hierarchy[1] = KRB5_CONF_RESTRICT_ANONYMOUS_TO_TGT;
if (krb5_aprof_get_boolean(aprof, hierarchy, TRUE, &def_restrict_anon))
def_restrict_anon = FALSE;
hierarchy[1] = KRB5_CONF_NO_HOST_REFERRAL;
if (krb5_aprof_get_string_all(aprof, hierarchy, &no_refrls))
no_refrls = 0;
if (!no_refrls ||
krb5_match_config_pattern(no_refrls, KRB5_CONF_ASTERISK) == FALSE) {
hierarchy[1] = KRB5_CONF_HOST_BASED_SERVICES;
if (krb5_aprof_get_string_all(aprof, hierarchy, &host_based_srvcs))
host_based_srvcs = 0;
}
krb5_aprof_finish(aprof);
}
if (default_udp_ports == 0) {
default_udp_ports = strdup(DEFAULT_KDC_UDP_PORTLIST);
if (default_udp_ports == 0) {
fprintf(stderr, _(" KDC cannot initialize. Not enough memory\n"));
exit(1);
}
}
if (default_tcp_ports == 0) {
default_tcp_ports = strdup(DEFAULT_KDC_TCP_PORTLIST);
if (default_tcp_ports == 0) {
fprintf(stderr, _(" KDC cannot initialize. Not enough memory\n"));
exit(1);
}
}
/*
* Loop through the option list. Each time we encounter a realm name,
* use the previously scanned options to fill in for defaults.
*/
while ((c = getopt(argc, argv, "x:r:d:mM:k:R:e:P:p:s:nw:4:X3")) != -1) {
switch(c) {
case 'x':
db_args_size++;
{
char **temp = realloc( db_args, sizeof(char*) * (db_args_size+1)); /* one for NULL */
if( temp == NULL )
{
fprintf(stderr, _("%s: KDC cannot initialize. Not enough "
"memory\n"), argv[0]);
exit(1);
}
db_args = temp;
}
db_args[db_args_size-1] = optarg;
db_args[db_args_size] = NULL;
break;
case 'r': /* realm name for db */
if (!find_realm_data(optarg, (krb5_ui_4) strlen(optarg))) {
if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) {
if ((retval = init_realm(rdatap, optarg, mkey_name,
menctype, default_udp_ports,
default_tcp_ports, manual,
def_restrict_anon, db_args,
no_refrls, host_based_srvcs))) {
fprintf(stderr, _("%s: cannot initialize realm %s - "
"see log file for details\n"),
argv[0], optarg);
exit(1);
}
kdc_realmlist[kdc_numrealms] = rdatap;
kdc_numrealms++;
free(db_args), db_args=NULL, db_args_size = 0;
}
else
{
fprintf(stderr, _("%s: cannot initialize realm %s. Not "
"enough memory\n"), argv[0], optarg);
exit(1);
}
}
break;
case 'd': /* pathname for db */
/* now db_name is not a seperate argument.
* It has to be passed as part of the db_args
*/
if( db_name == NULL ) {
if (asprintf(&db_name, "dbname=%s", optarg) < 0) {
fprintf(stderr, _("%s: KDC cannot initialize. Not enough "
"memory\n"), argv[0]);
exit(1);
}
}
db_args_size++;
{
char **temp = realloc( db_args, sizeof(char*) * (db_args_size+1)); /* one for NULL */
if( temp == NULL )
{
fprintf(stderr, _("%s: KDC cannot initialize. Not enough "
"memory\n"), argv[0]);
exit(1);
}
db_args = temp;
}
db_args[db_args_size-1] = db_name;
db_args[db_args_size] = NULL;
break;
case 'm': /* manual type-in of master key */
manual = TRUE;
if (menctype == ENCTYPE_UNKNOWN)
menctype = ENCTYPE_DES_CBC_CRC;
break;
case 'M': /* master key name in DB */
mkey_name = optarg;
break;
case 'n':
nofork++; /* don't detach from terminal */
break;
case 'w': /* create multiple worker processes */
workers = atoi(optarg);
if (workers <= 0)
usage(argv[0]);
break;
case 'k': /* enctype for master key */
if (krb5_string_to_enctype(optarg, &menctype))
com_err(argv[0], 0, _("invalid enctype %s"), optarg);
break;
case 'R':
/* Replay cache name; defunct since we don't use a replay cache. */
break;
case 'P':
pid_file = optarg;
break;
case 'p':
if (default_udp_ports)
free(default_udp_ports);
default_udp_ports = strdup(optarg);
if (!default_udp_ports) {
fprintf(stderr, _(" KDC cannot initialize. Not enough "
"memory\n"));
exit(1);
}
#if 0 /* not yet */
if (default_tcp_ports)
free(default_tcp_ports);
default_tcp_ports = strdup(optarg);
#endif
break;
case '4':
break;
case 'X':
break;
case '?':
default:
usage(argv[0]);
}
}
/*
* Check to see if we processed any realms.
*/
if (kdc_numrealms == 0) {
/* no realm specified, use default realm */
if ((retval = krb5_get_default_realm(kcontext, &lrealm))) {
com_err(argv[0], retval,
_("while attempting to retrieve default realm"));
fprintf (stderr,
_("%s: %s, attempting to retrieve default realm\n"),
argv[0], krb5_get_error_message(kcontext, retval));
exit(1);
}
if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) {
if ((retval = init_realm(rdatap, lrealm, mkey_name, menctype,
default_udp_ports, default_tcp_ports,
manual, def_restrict_anon, db_args,
no_refrls, host_based_srvcs))) {
fprintf(stderr, _("%s: cannot initialize realm %s - see log "
"file for details\n"), argv[0], lrealm);
exit(1);
}
kdc_realmlist[0] = rdatap;
kdc_numrealms++;
}
krb5_free_default_realm(kcontext, lrealm);
}
/* Ensure that this is set for our first request. */
kdc_active_realm = kdc_realmlist[0];
if (default_udp_ports)
free(default_udp_ports);
if (default_tcp_ports)
free(default_tcp_ports);
if (db_args)
free(db_args);
if (db_name)
free(db_name);
if (host_based_srvcs)
free(host_based_srvcs);
if (no_refrls)
free(no_refrls);
return;
}
static krb5_error_code
k5_unparse_name(krb5_context context, krb5_const_principal principal,
int flags, char **name, unsigned int *size)
{
char *cp, *q;
int i;
int length;
krb5_int32 nelem;
unsigned int totalsize = 0;
char *default_realm = NULL;
krb5_error_code ret = 0;
if (!principal || !name)
return KRB5_PARSE_MALFORMED;
if (flags & KRB5_PRINCIPAL_UNPARSE_SHORT) {
/* omit realm if local realm */
krb5_principal_data p;
ret = krb5_get_default_realm(context, &default_realm);
if (ret != 0)
goto cleanup;
krb5_princ_realm(context, &p)->length = strlen(default_realm);
krb5_princ_realm(context, &p)->data = default_realm;
if (krb5_realm_compare(context, &p, principal))
flags |= KRB5_PRINCIPAL_UNPARSE_NO_REALM;
}
if ((flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) == 0) {
totalsize += component_length_quoted(krb5_princ_realm(context,
principal),
flags);
totalsize++; /* This is for the separator */
}
nelem = krb5_princ_size(context, principal);
for (i = 0; i < (int) nelem; i++) {
cp = krb5_princ_component(context, principal, i)->data;
totalsize += component_length_quoted(krb5_princ_component(context, principal, i), flags);
totalsize++; /* This is for the separator */
}
if (nelem == 0)
totalsize++;
/*
* Allocate space for the ascii string; if space has been
* provided, use it, realloc'ing it if necessary.
*
* We need only n-1 seperators for n components, but we need
* an extra byte for the NUL at the end.
*/
if (size) {
if (*name && (*size < totalsize)) {
*name = realloc(*name, totalsize);
} else {
*name = malloc(totalsize);
}
*size = totalsize;
} else {
*name = malloc(totalsize);
}
if (!*name) {
ret = ENOMEM;
goto cleanup;
}
q = *name;
for (i = 0; i < (int) nelem; i++) {
cp = krb5_princ_component(context, principal, i)->data;
length = krb5_princ_component(context, principal, i)->length;
q += copy_component_quoting(q,
krb5_princ_component(context,
principal,
i),
flags);
*q++ = COMPONENT_SEP;
}
if (i > 0)
q--; /* Back up last component separator */
if ((flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) == 0) {
*q++ = REALM_SEP;
q += copy_component_quoting(q, krb5_princ_realm(context, principal), flags);
}
*q++ = '\0';
cleanup:
if (default_realm != NULL)
krb5_free_default_realm(context, default_realm);
return ret;
}
static void
free_default_realm(krb5_context ctx UNUSED, realm_type realm)
{
krb5_free_default_realm(ctx, realm);
}
static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
krb5_context context,
const char *realm_str,
const char *princ_str,
const char *keytab_name,
const krb5_deltat lifetime,
const char **ccname_out,
time_t *expire_time_out)
{
int fd;
char *ccname;
char *ccname_dummy;
char *realm_name = NULL;
char *full_princ = NULL;
char *default_realm = NULL;
char *tmp_str = NULL;
krb5_keytab keytab = NULL;
krb5_ccache ccache = NULL;
krb5_principal kprinc;
krb5_creds my_creds;
krb5_get_init_creds_opt options;
krb5_error_code krberr;
krb5_timestamp kdc_time_offset;
int canonicalize = 0;
int kdc_time_offset_usec;
int ret;
TALLOC_CTX *tmp_ctx;
char *ccname_file_dummy = NULL;
char *ccname_file;
mode_t old_umask;
tmp_ctx = talloc_new(memctx);
if (tmp_ctx == NULL) {
krberr = KRB5KRB_ERR_GENERIC;
goto done;
}
krberr = set_child_debugging(context);
if (krberr != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "Cannot set krb5_child debugging\n");
}
if (!realm_str) {
krberr = krb5_get_default_realm(context, &default_realm);
if (krberr) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to get default realm name: %s\n",
sss_krb5_get_error_message(context, krberr));
goto done;
}
realm_name = talloc_strdup(tmp_ctx, default_realm);
krb5_free_default_realm(context, default_realm);
if (!realm_name) {
krberr = KRB5KRB_ERR_GENERIC;
goto done;
}
} else {
realm_name = talloc_strdup(tmp_ctx, realm_str);
if (!realm_name) {
krberr = KRB5KRB_ERR_GENERIC;
goto done;
}
}
DEBUG(SSSDBG_TRACE_INTERNAL, "got realm_name: [%s]\n", realm_name);
if (princ_str) {
if (!strchr(princ_str, '@')) {
full_princ = talloc_asprintf(tmp_ctx, "%s@%s",
princ_str, realm_name);
} else {
full_princ = talloc_strdup(tmp_ctx, princ_str);
}
} else {
char hostname[HOST_NAME_MAX + 1];
ret = gethostname(hostname, HOST_NAME_MAX);
if (ret == -1) {
krberr = KRB5KRB_ERR_GENERIC;
goto done;
}
hostname[HOST_NAME_MAX] = '\0';
DEBUG(SSSDBG_TRACE_LIBS, "got hostname: [%s]\n", hostname);
ret = select_principal_from_keytab(tmp_ctx, hostname, realm_name,
keytab_name, &full_princ, NULL, NULL);
if (ret) {
krberr = KRB5_KT_IOERR;
goto done;
}
}
if (!full_princ) {
krberr = KRB5KRB_ERR_GENERIC;
goto done;
}
DEBUG(SSSDBG_CONF_SETTINGS, "Principal name is: [%s]\n", full_princ);
krberr = krb5_parse_name(context, full_princ, &kprinc);
if (krberr) {
DEBUG(SSSDBG_OP_FAILURE, "Unable to build principal: %s\n",
sss_krb5_get_error_message(context, krberr));
goto done;
}
if (keytab_name) {
krberr = krb5_kt_resolve(context, keytab_name, &keytab);
} else {
krberr = krb5_kt_default(context, &keytab);
}
DEBUG(SSSDBG_CONF_SETTINGS, "Using keytab [%s]\n", KEYTAB_CLEAN_NAME);
if (krberr) {
DEBUG(SSSDBG_FATAL_FAILURE,
"Failed to read keytab file [%s]: %s\n",
KEYTAB_CLEAN_NAME,
sss_krb5_get_error_message(context, krberr));
goto done;
}
/* Verify the keytab */
ret = lc_verify_keytab_ex(full_princ, keytab_name, context, keytab);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE,
"Unable to verify principal is present in the keytab\n");
krberr = KRB5_KT_IOERR;
goto done;
}
memset(&my_creds, 0, sizeof(my_creds));
memset(&options, 0, sizeof(options));
krb5_get_init_creds_opt_set_address_list(&options, NULL);
krb5_get_init_creds_opt_set_forwardable(&options, 0);
krb5_get_init_creds_opt_set_proxiable(&options, 0);
krb5_get_init_creds_opt_set_tkt_life(&options, lifetime);
tmp_str = getenv("KRB5_CANONICALIZE");
if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) {
DEBUG(SSSDBG_CONF_SETTINGS, "Will canonicalize principals\n");
canonicalize = 1;
}
sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize);
ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s",
DB_PATH, realm_name);
if (ccname_file == NULL) {
krberr = ENOMEM;
DEBUG(SSSDBG_CRIT_FAILURE,
"talloc_asprintf failed: %s:[%d].\n",
strerror(krberr), krberr);
goto done;
}
ccname_file_dummy = talloc_asprintf(tmp_ctx, "%s/ccache_%s_XXXXXX",
DB_PATH, realm_name);
if (ccname_file_dummy == NULL) {
krberr = ENOMEM;
DEBUG(SSSDBG_CRIT_FAILURE,
"talloc_asprintf failed: %s:[%d].\n",
strerror(krberr), krberr);
goto done;
}
old_umask = umask(077);
fd = mkstemp(ccname_file_dummy);
umask(old_umask);
if (fd == -1) {
ret = errno;
DEBUG(SSSDBG_CRIT_FAILURE,
"mkstemp failed: %s:[%d].\n",
strerror(ret), ret);
krberr = KRB5KRB_ERR_GENERIC;
goto done;
}
/* We only care about creating a unique file name here, we don't
* need the fd
*/
close(fd);
krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
keytab, 0, NULL, &options);
krb5_kt_close(context, keytab);
keytab = NULL;
if (krberr) {
DEBUG(SSSDBG_FATAL_FAILURE,
"Failed to init credentials: %s\n",
sss_krb5_get_error_message(context, krberr));
sss_log(SSS_LOG_ERR,
"Failed to initialize credentials using keytab [%s]: %s. "
"Unable to create GSSAPI-encrypted LDAP connection.",
KEYTAB_CLEAN_NAME,
sss_krb5_get_error_message(context, krberr));
goto done;
}
DEBUG(SSSDBG_TRACE_INTERNAL, "credentials initialized\n");
ccname_dummy = talloc_asprintf(tmp_ctx, "FILE:%s", ccname_file_dummy);
ccname = talloc_asprintf(tmp_ctx, "FILE:%s", ccname_file);
if (ccname_dummy == NULL || ccname == NULL) {
krberr = ENOMEM;
goto done;
}
DEBUG(SSSDBG_TRACE_INTERNAL, "keytab ccname: [%s]\n", ccname_dummy);
krberr = krb5_cc_resolve(context, ccname_dummy, &ccache);
if (krberr) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to set cache name: %s\n",
sss_krb5_get_error_message(context, krberr));
goto done;
}
/* Use updated principal if changed due to canonicalization. */
krberr = krb5_cc_initialize(context, ccache, my_creds.client);
if (krberr) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to init ccache: %s\n",
sss_krb5_get_error_message(context, krberr));
goto done;
}
krberr = krb5_cc_store_cred(context, ccache, &my_creds);
if (krberr) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to store creds: %s\n",
sss_krb5_get_error_message(context, krberr));
goto done;
}
DEBUG(SSSDBG_TRACE_INTERNAL, "credentials stored\n");
#ifdef HAVE_KRB5_GET_TIME_OFFSETS
krberr = krb5_get_time_offsets(context, &kdc_time_offset,
&kdc_time_offset_usec);
if (krberr) {
DEBUG(SSSDBG_OP_FAILURE, "Failed to get KDC time offset: %s\n",
sss_krb5_get_error_message(context, krberr));
kdc_time_offset = 0;
} else {
if (kdc_time_offset_usec > 0) {
kdc_time_offset++;
}
}
DEBUG(SSSDBG_TRACE_INTERNAL, "Got KDC time offset\n");
#else
/* If we don't have this function, just assume no offset */
kdc_time_offset = 0;
#endif
DEBUG(SSSDBG_TRACE_INTERNAL,
"Renaming [%s] to [%s]\n", ccname_file_dummy, ccname_file);
ret = rename(ccname_file_dummy, ccname_file);
if (ret == -1) {
ret = errno;
DEBUG(SSSDBG_CRIT_FAILURE,
"rename failed [%d][%s].\n", ret, strerror(ret));
goto done;
}
ccname_file_dummy = NULL;
krberr = 0;
*ccname_out = talloc_steal(memctx, ccname);
*expire_time_out = my_creds.times.endtime - kdc_time_offset;
done:
if (krberr != 0) KRB5_SYSLOG(krberr);
if (keytab) krb5_kt_close(context, keytab);
if (context) krb5_free_context(context);
if (ccname_file_dummy) {
DEBUG(SSSDBG_TRACE_INTERNAL, "Unlinking [%s]\n", ccname_file_dummy);
ret = unlink(ccname_file_dummy);
if (ret == -1) {
ret = errno;
DEBUG(SSSDBG_MINOR_FAILURE,
"Unlink failed [%d][%s].\n", ret, strerror(ret));
}
}
talloc_free(tmp_ctx);
return krberr;
}
static krb5_error_code
krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
const krb5_ap_req *req, krb5_const_principal server,
krb5_keytab keytab, krb5_flags *ap_req_options,
krb5_ticket **ticket, int check_valid_flag)
{
krb5_error_code retval = 0;
krb5_timestamp currenttime;
krb5_principal_data princ_data;
req->ticket->enc_part2 == NULL;
if (server && krb5_is_referral_realm(&server->realm)) {
char *realm;
princ_data = *server;
server = &princ_data;
retval = krb5_get_default_realm(context, &realm);
if (retval)
return retval;
princ_data.realm.data = realm;
princ_data.realm.length = strlen(realm);
}
if (server && !krb5_principal_compare(context, server, req->ticket->server)) {
char *found_name = 0, *wanted_name = 0;
if (krb5_unparse_name(context, server, &wanted_name) == 0
&& krb5_unparse_name(context, req->ticket->server, &found_name) == 0)
krb5_set_error_message(context, KRB5KRB_AP_WRONG_PRINC,
"Wrong principal in request (found %s, wanted %s)",
found_name, wanted_name);
krb5_free_unparsed_name(context, wanted_name);
krb5_free_unparsed_name(context, found_name);
retval = KRB5KRB_AP_WRONG_PRINC;
goto cleanup;
}
/* if (req->ap_options & AP_OPTS_USE_SESSION_KEY)
do we need special processing here ? */
/* decrypt the ticket */
if ((*auth_context)->keyblock) { /* User to User authentication */
if ((retval = krb5_decrypt_tkt_part(context, (*auth_context)->keyblock,
req->ticket)))
goto cleanup;
krb5_free_keyblock(context, (*auth_context)->keyblock);
(*auth_context)->keyblock = NULL;
} else {
if ((retval = krb5_rd_req_decrypt_tkt_part(context, req, keytab)))
goto cleanup;
}
/* XXX this is an evil hack. check_valid_flag is set iff the call
is not from inside the kdc. we can use this to determine which
key usage to use */
if ((retval = decrypt_authenticator(context, req,
&((*auth_context)->authentp),
check_valid_flag)))
goto cleanup;
if (!krb5_principal_compare(context, (*auth_context)->authentp->client,
req->ticket->enc_part2->client)) {
retval = KRB5KRB_AP_ERR_BADMATCH;
goto cleanup;
}
if ((*auth_context)->remote_addr &&
!krb5_address_search(context, (*auth_context)->remote_addr,
req->ticket->enc_part2->caddrs)) {
retval = KRB5KRB_AP_ERR_BADADDR;
goto cleanup;
}
/* okay, now check cross-realm policy */
#if defined(_SINGLE_HOP_ONLY)
/* Single hop cross-realm tickets only */
{
krb5_transited *trans = &(req->ticket->enc_part2->transited);
/* If the transited list is empty, then we have at most one hop */
if (trans->tr_contents.data && trans->tr_contents.data[0])
retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
}
#elif defined(_NO_CROSS_REALM)
/* No cross-realm tickets */
{
char * lrealm;
krb5_data * realm;
krb5_transited * trans;
realm = krb5_princ_realm(context, req->ticket->enc_part2->client);
trans = &(req->ticket->enc_part2->transited);
/*
* If the transited list is empty, then we have at most one hop
* So we also have to check that the client's realm is the local one
*/
krb5_get_default_realm(context, &lrealm);
if ((trans->tr_contents.data && trans->tr_contents.data[0]) ||
strlen(lrealm) != realm->length ||
memcmp(lrealm, realm->data, strlen(lrealm))) {
retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
}
free(lrealm);
}
#else
/* Hierarchical Cross-Realm */
{
krb5_data * realm;
krb5_transited * trans;
realm = krb5_princ_realm(context, req->ticket->enc_part2->client);
trans = &(req->ticket->enc_part2->transited);
/*
* If the transited list is not empty, then check that all realms
* transited are within the hierarchy between the client's realm
* and the local realm.
*/
if (trans->tr_contents.data && trans->tr_contents.data[0]) {
retval = krb5_check_transited_list(context, &(trans->tr_contents),
realm,
krb5_princ_realm (context,
server));
}
}
#endif
if (retval) goto cleanup;
/* only check rcache if sender has provided one---some services
may not be able to use replay caches (such as datagram servers) */
if ((*auth_context)->rcache) {
krb5_donot_replay rep;
krb5_tkt_authent tktauthent;
tktauthent.ticket = req->ticket;
tktauthent.authenticator = (*auth_context)->authentp;
if (!(retval = krb5_auth_to_rep(context, &tktauthent, &rep))) {
retval = krb5_rc_store(context, (*auth_context)->rcache, &rep);
krb5_xfree(rep.server);
krb5_xfree(rep.client);
}
if (retval)
goto cleanup;
}
retval = krb5_validate_times(context, &req->ticket->enc_part2->times);
if (retval != 0)
goto cleanup;
if ((retval = krb5_timeofday(context, ¤ttime)))
goto cleanup;
if (!in_clock_skew((*auth_context)->authentp->ctime)) {
retval = KRB5KRB_AP_ERR_SKEW;
goto cleanup;
}
if (check_valid_flag) {
if (req->ticket->enc_part2->flags & TKT_FLG_INVALID) {
retval = KRB5KRB_AP_ERR_TKT_INVALID;
goto cleanup;
}
}
/* check if the various etypes are permitted */
if ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_PERMIT_ALL) {
/* no etype check needed */;
} else if ((*auth_context)->permitted_etypes == NULL) {
int etype;
/* check against the default set */
if ((!krb5_is_permitted_enctype(context,
etype = req->ticket->enc_part.enctype)) ||
(!krb5_is_permitted_enctype(context,
etype = req->ticket->enc_part2->session->enctype)) ||
(((*auth_context)->authentp->subkey) &&
!krb5_is_permitted_enctype(context,
etype = (*auth_context)->authentp->subkey->enctype))) {
char enctype_name[30];
retval = KRB5_NOPERM_ETYPE;
if (krb5_enctype_to_string(etype, enctype_name, sizeof(enctype_name)) == 0)
krb5_set_error_message(context, retval,
"Encryption type %s not permitted",
enctype_name);
goto cleanup;
}
} else {
/* check against the set in the auth_context */
int i;
for (i=0; (*auth_context)->permitted_etypes[i]; i++)
if ((*auth_context)->permitted_etypes[i] ==
req->ticket->enc_part.enctype)
break;
if (!(*auth_context)->permitted_etypes[i]) {
char enctype_name[30];
retval = KRB5_NOPERM_ETYPE;
if (krb5_enctype_to_string(req->ticket->enc_part.enctype,
enctype_name, sizeof(enctype_name)) == 0)
krb5_set_error_message(context, retval,
"Encryption type %s not permitted",
enctype_name);
goto cleanup;
}
for (i=0; (*auth_context)->permitted_etypes[i]; i++)
if ((*auth_context)->permitted_etypes[i] ==
req->ticket->enc_part2->session->enctype)
break;
if (!(*auth_context)->permitted_etypes[i]) {
char enctype_name[30];
retval = KRB5_NOPERM_ETYPE;
if (krb5_enctype_to_string(req->ticket->enc_part2->session->enctype,
enctype_name, sizeof(enctype_name)) == 0)
krb5_set_error_message(context, retval,
"Encryption type %s not permitted",
enctype_name);
goto cleanup;
}
if ((*auth_context)->authentp->subkey) {
for (i=0; (*auth_context)->permitted_etypes[i]; i++)
if ((*auth_context)->permitted_etypes[i] ==
(*auth_context)->authentp->subkey->enctype)
break;
if (!(*auth_context)->permitted_etypes[i]) {
char enctype_name[30];
retval = KRB5_NOPERM_ETYPE;
if (krb5_enctype_to_string((*auth_context)->authentp->subkey->enctype,
enctype_name,
sizeof(enctype_name)) == 0)
krb5_set_error_message(context, retval,
"Encryption type %s not permitted",
enctype_name);
goto cleanup;
}
}
}
(*auth_context)->remote_seq_number = (*auth_context)->authentp->seq_number;
if ((*auth_context)->authentp->subkey) {
if ((retval = krb5_copy_keyblock(context,
(*auth_context)->authentp->subkey,
&((*auth_context)->recv_subkey))))
goto cleanup;
retval = krb5_copy_keyblock(context, (*auth_context)->authentp->subkey,
&((*auth_context)->send_subkey));
if (retval) {
krb5_free_keyblock(context, (*auth_context)->recv_subkey);
(*auth_context)->recv_subkey = NULL;
goto cleanup;
}
} else {
(*auth_context)->recv_subkey = 0;
(*auth_context)->send_subkey = 0;
}
if ((retval = krb5_copy_keyblock(context, req->ticket->enc_part2->session,
&((*auth_context)->keyblock))))
goto cleanup;
/*
* If not AP_OPTS_MUTUAL_REQUIRED then and sequence numbers are used
* then the default sequence number is the one's complement of the
* sequence number sent ot us.
*/
if ((!(req->ap_options & AP_OPTS_MUTUAL_REQUIRED)) &&
(*auth_context)->remote_seq_number) {
(*auth_context)->local_seq_number ^=
(*auth_context)->remote_seq_number;
}
if (ticket)
if ((retval = krb5_copy_ticket(context, req->ticket, ticket)))
goto cleanup;
if (ap_req_options)
*ap_req_options = req->ap_options;
retval = 0;
cleanup:
if (server == &princ_data)
krb5_free_default_realm(context, princ_data.realm.data);
if (retval) {
/* only free if we're erroring out...otherwise some
applications will need the output. */
if (req->ticket->enc_part2)
krb5_free_enc_tkt_part(context, req->ticket->enc_part2);
req->ticket->enc_part2 = NULL;
}
return retval;
}
static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
const char *realm_str,
const char *princ_str,
const char *keytab_name,
const krb5_deltat lifetime,
const char **ccname_out,
time_t *expire_time_out)
{
char *ccname;
char *realm_name = NULL;
char *full_princ = NULL;
char *default_realm = NULL;
krb5_context context = NULL;
krb5_keytab keytab = NULL;
krb5_ccache ccache = NULL;
krb5_principal kprinc;
krb5_creds my_creds;
krb5_get_init_creds_opt options;
krb5_error_code krberr;
krb5_timestamp kdc_time_offset;
int kdc_time_offset_usec;
int ret;
krberr = krb5_init_context(&context);
if (krberr) {
DEBUG(2, ("Failed to init kerberos context\n"));
return krberr;
}
if (!realm_str) {
krberr = krb5_get_default_realm(context, &default_realm);
if (krberr) {
DEBUG(2, ("Failed to get default realm name: %s\n",
sss_krb5_get_error_message(context, krberr)));
goto done;
}
realm_name = talloc_strdup(memctx, default_realm);
krb5_free_default_realm(context, default_realm);
if (!realm_name) {
krberr = KRB5KRB_ERR_GENERIC;
goto done;
}
} else {
realm_name = talloc_strdup(memctx, realm_str);
if (!realm_name) {
krberr = KRB5KRB_ERR_GENERIC;
goto done;
}
}
if (princ_str) {
if (!strchr(princ_str, '@')) {
full_princ = talloc_asprintf(memctx, "%s@%s",
princ_str, realm_name);
} else {
full_princ = talloc_strdup(memctx, princ_str);
}
} else {
char hostname[512];
ret = gethostname(hostname, 511);
if (ret == -1) {
krberr = KRB5KRB_ERR_GENERIC;
goto done;
}
hostname[511] = '\0';
ret = select_principal_from_keytab(memctx, hostname, realm_name,
keytab_name, &full_princ, NULL, NULL);
if (ret) goto done;
}
if (!full_princ) {
krberr = KRB5KRB_ERR_GENERIC;
goto done;
}
DEBUG(4, ("Principal name is: [%s]\n", full_princ));
krberr = krb5_parse_name(context, full_princ, &kprinc);
if (krberr) {
DEBUG(2, ("Unable to build principal: %s\n",
sss_krb5_get_error_message(context, krberr)));
goto done;
}
if (keytab_name) {
krberr = krb5_kt_resolve(context, keytab_name, &keytab);
} else {
krberr = krb5_kt_default(context, &keytab);
}
if (krberr) {
DEBUG(0, ("Failed to read keytab file: %s\n",
sss_krb5_get_error_message(context, krberr)));
goto done;
}
/* Verify the keytab */
ret = sss_krb5_verify_keytab_ex(full_princ, keytab_name, context, keytab);
if (ret) {
DEBUG(2, ("Unable to verify principal is present in the keytab\n"));
krberr = KRB5_KT_IOERR;
goto done;
}
ccname = talloc_asprintf(memctx, "FILE:%s/ccache_%s", DB_PATH, realm_name);
if (!ccname) {
krberr = KRB5KRB_ERR_GENERIC;
goto done;
}
krberr = krb5_cc_resolve(context, ccname, &ccache);
if (krberr) {
DEBUG(2, ("Failed to set cache name: %s\n",
sss_krb5_get_error_message(context, krberr)));
goto done;
}
memset(&my_creds, 0, sizeof(my_creds));
memset(&options, 0, sizeof(options));
krb5_get_init_creds_opt_set_address_list(&options, NULL);
krb5_get_init_creds_opt_set_forwardable(&options, 0);
krb5_get_init_creds_opt_set_proxiable(&options, 0);
krb5_get_init_creds_opt_set_tkt_life(&options, lifetime);
krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
keytab, 0, NULL, &options);
if (krberr) {
DEBUG(0, ("Failed to init credentials: %s\n",
sss_krb5_get_error_message(context, krberr)));
sss_log(SSS_LOG_ERR, "Failed to initialize credentials using keytab [%s]: %s. "
"Unable to create GSSAPI-encrypted LDAP connection.",
keytab_name, sss_krb5_get_error_message(context, krberr));
goto done;
}
krberr = krb5_cc_initialize(context, ccache, kprinc);
if (krberr) {
DEBUG(2, ("Failed to init ccache: %s\n",
sss_krb5_get_error_message(context, krberr)));
goto done;
}
krberr = krb5_cc_store_cred(context, ccache, &my_creds);
if (krberr) {
DEBUG(2, ("Failed to store creds: %s\n",
sss_krb5_get_error_message(context, krberr)));
goto done;
}
krberr = krb5_get_time_offsets(context, &kdc_time_offset, &kdc_time_offset_usec);
if (krberr) {
DEBUG(2, ("Failed to get KDC time offset: %s\n",
sss_krb5_get_error_message(context, krberr)));
kdc_time_offset = 0;
} else {
if (kdc_time_offset_usec > 0) {
kdc_time_offset++;
}
}
krberr = 0;
*ccname_out = ccname;
*expire_time_out = my_creds.times.endtime - kdc_time_offset;
done:
if (keytab) krb5_kt_close(context, keytab);
if (context) krb5_free_context(context);
return krberr;
}
