/* run kinit to setup our ccache */
int ads_kinit_password(ADS_STRUCT *ads)
{
char *s;
int ret;
const char *account_name;
fstring acct_name;
if (ads->auth.flags & ADS_AUTH_USER_CREDS) {
account_name = ads->auth.user_name;
goto got_accountname;
}
if ( IS_DC ) {
/* this will end up getting a ticket for [email protected] */
account_name = lp_workgroup();
} else {
/* always use the sAMAccountName for security = domain */
/* global_myname()[email protected] */
if ( lp_security() == SEC_DOMAIN ) {
fstr_sprintf( acct_name, "%s$", global_myname() );
account_name = acct_name;
}
else
/* This looks like host/global_myname()@REA.LM */
account_name = ads->auth.user_name;
}
got_accountname:
if (asprintf(&s, "%s@%s", account_name, ads->auth.realm) == -1) {
return KRB5_CC_NOMEM;
}
if (!ads->auth.password) {
SAFE_FREE(s);
return KRB5_LIBOS_CANTREADPWD;
}
ret = kerberos_kinit_password_ext(s, ads->auth.password, ads->auth.time_offset,
&ads->auth.tgt_expire, NULL, NULL, False, False, ads->auth.renewable,
NULL);
if (ret) {
DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
s, error_message(ret)));
}
SAFE_FREE(s);
return ret;
}
static void krb5_ticket_refresh_handler(struct tevent_context *event_ctx,
struct tevent_timer *te,
struct timeval now,
void *private_data)
{
struct WINBINDD_CCACHE_ENTRY *entry =
talloc_get_type_abort(private_data, struct WINBINDD_CCACHE_ENTRY);
#ifdef HAVE_KRB5
int ret;
time_t new_start;
time_t expire_time = 0;
struct WINBINDD_MEMORY_CREDS *cred_ptr = entry->cred_ptr;
#endif
DEBUG(10,("krb5_ticket_refresh_handler called\n"));
DEBUGADD(10,("event called for: %s, %s\n",
entry->ccname, entry->username));
TALLOC_FREE(entry->event);
#ifdef HAVE_KRB5
/* Kinit again if we have the user password and we can't renew the old
* tgt anymore
* NB
* This happens when machine are put to sleep for a very long time. */
if (entry->renew_until < time(NULL)) {
rekinit:
if (cred_ptr && cred_ptr->pass) {
set_effective_uid(entry->uid);
ret = kerberos_kinit_password_ext(entry->principal_name,
cred_ptr->pass,
0, /* hm, can we do time correction here ? */
&entry->refresh_time,
&entry->renew_until,
entry->ccname,
False, /* no PAC required anymore */
True,
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
NULL);
gain_root_privilege();
if (ret) {
DEBUG(3,("krb5_ticket_refresh_handler: "
"could not re-kinit: %s\n",
error_message(ret)));
/* destroy the ticket because we cannot rekinit
* it, ignore error here */
ads_kdestroy(entry->ccname);
/* Don't break the ticket refresh chain: retry
* refreshing ticket sometime later when KDC is
* unreachable -- BoYang. More error code handling
* here?
* */
if ((ret == KRB5_KDC_UNREACH)
|| (ret == KRB5_REALM_CANT_RESOLVE)) {
#if defined(DEBUG_KRB5_TKT_RENEWAL)
new_start = time(NULL) + 30;
#else
new_start = time(NULL) +
MAX(30, lp_winbind_cache_time());
#endif
add_krb5_ticket_gain_handler_event(entry,
timeval_set(new_start, 0));
return;
}
TALLOC_FREE(entry->event);
return;
}
DEBUG(10,("krb5_ticket_refresh_handler: successful re-kinit "
"for: %s in ccache: %s\n",
entry->principal_name, entry->ccname));
#if defined(DEBUG_KRB5_TKT_RENEWAL)
new_start = time(NULL) + 30;
#else
/* The tkt should be refreshed at one-half the period
from now to the expiration time */
expire_time = entry->refresh_time;
new_start = krb5_event_refresh_time(entry->refresh_time);
#endif
goto done;
} else {
/* can this happen?
* No cached credentials
* destroy ticket and refresh chain
* */
ads_kdestroy(entry->ccname);
TALLOC_FREE(entry->event);
return;
}
}
set_effective_uid(entry->uid);
ret = smb_krb5_renew_ticket(entry->ccname,
entry->principal_name,
entry->service,
&new_start);
#if defined(DEBUG_KRB5_TKT_RENEWAL)
new_start = time(NULL) + 30;
#else
expire_time = new_start;
new_start = krb5_event_refresh_time(new_start);
#endif
gain_root_privilege();
if (ret) {
DEBUG(3,("krb5_ticket_refresh_handler: "
"could not renew tickets: %s\n",
error_message(ret)));
/* maybe we are beyond the renewing window */
/* evil rises here, we refresh ticket failed,
* but the ticket might be expired. Therefore,
* When we refresh ticket failed, destory the
* ticket */
ads_kdestroy(entry->ccname);
/* avoid breaking the renewal chain: retry in
* lp_winbind_cache_time() seconds when the KDC was not
* available right now.
* the return code can be KRB5_REALM_CANT_RESOLVE.
* More error code handling here? */
if ((ret == KRB5_KDC_UNREACH)
|| (ret == KRB5_REALM_CANT_RESOLVE)) {
#if defined(DEBUG_KRB5_TKT_RENEWAL)
new_start = time(NULL) + 30;
#else
new_start = time(NULL) +
MAX(30, lp_winbind_cache_time());
#endif
/* ticket is destroyed here, we have to regain it
* if it is possible */
add_krb5_ticket_gain_handler_event(entry,
timeval_set(new_start, 0));
return;
}
/* This is evil, if the ticket was already expired.
* renew ticket function returns KRB5KRB_AP_ERR_TKT_EXPIRED.
* But there is still a chance that we can rekinit it.
*
* This happens when user login in online mode, and then network
* down or something cause winbind goes offline for a very long time,
* and then goes online again. ticket expired, renew failed.
* This happens when machine are put to sleep for a long time,
* but shorter than entry->renew_util.
* NB
* Looks like the KDC is reachable, we want to rekinit as soon as
* possible instead of waiting some time later. */
if ((ret == KRB5KRB_AP_ERR_TKT_EXPIRED)
|| (ret == KRB5_FCC_NOFILE)) goto rekinit;
return;
}
done:
/* in cases that ticket will be unrenewable soon, we don't try to renew ticket
* but try to regain ticket if it is possible */
if (entry->renew_until && expire_time
&& (entry->renew_until <= expire_time)) {
/* try to regain ticket 10 seconds before expiration */
expire_time -= 10;
add_krb5_ticket_gain_handler_event(entry,
timeval_set(expire_time, 0));
return;
}
if (entry->refresh_time == 0) {
entry->refresh_time = new_start;
}
entry->event = tevent_add_timer(winbind_event_context(), entry,
timeval_set(new_start, 0),
krb5_ticket_refresh_handler,
entry);
#endif
}
static void krb5_ticket_gain_handler(struct tevent_context *event_ctx,
struct tevent_timer *te,
struct timeval now,
void *private_data)
{
struct WINBINDD_CCACHE_ENTRY *entry =
talloc_get_type_abort(private_data, struct WINBINDD_CCACHE_ENTRY);
#ifdef HAVE_KRB5
int ret;
struct timeval t;
struct WINBINDD_MEMORY_CREDS *cred_ptr = entry->cred_ptr;
struct winbindd_domain *domain = NULL;
#endif
DEBUG(10,("krb5_ticket_gain_handler called\n"));
DEBUGADD(10,("event called for: %s, %s\n",
entry->ccname, entry->username));
TALLOC_FREE(entry->event);
#ifdef HAVE_KRB5
if (!cred_ptr || !cred_ptr->pass) {
DEBUG(10,("krb5_ticket_gain_handler: no memory creds\n"));
return;
}
if ((domain = find_domain_from_name(entry->realm)) == NULL) {
DEBUG(0,("krb5_ticket_gain_handler: unknown domain\n"));
return;
}
if (!domain->online) {
goto retry_later;
}
set_effective_uid(entry->uid);
ret = kerberos_kinit_password_ext(entry->principal_name,
cred_ptr->pass,
0, /* hm, can we do time correction here ? */
&entry->refresh_time,
&entry->renew_until,
entry->ccname,
False, /* no PAC required anymore */
True,
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
NULL);
gain_root_privilege();
if (ret) {
DEBUG(3,("krb5_ticket_gain_handler: "
"could not kinit: %s\n",
error_message(ret)));
/* evil. If we cannot do it, destroy any the __maybe__
* __existing__ ticket */
ads_kdestroy(entry->ccname);
goto retry_later;
}
DEBUG(10,("krb5_ticket_gain_handler: "
"successful kinit for: %s in ccache: %s\n",
entry->principal_name, entry->ccname));
goto got_ticket;
retry_later:
#if defined(DEBUG_KRB5_TKT_RENEWAL)
t = timeval_set(time(NULL) + 30, 0);
#else
t = timeval_current_ofs(MAX(30, lp_winbind_cache_time()), 0);
#endif
add_krb5_ticket_gain_handler_event(entry, t);
return;
got_ticket:
#if defined(DEBUG_KRB5_TKT_RENEWAL)
t = timeval_set(time(NULL) + 30, 0);
#else
t = timeval_set(krb5_event_refresh_time(entry->refresh_time), 0);
#endif
if (entry->refresh_time == 0) {
entry->refresh_time = t.tv_sec;
}
entry->event = tevent_add_timer(winbind_event_context(),
entry,
t,
krb5_ticket_refresh_handler,
entry);
return;
#endif
}
/*
* Given the username/password, do a kinit, store the ticket in
* cache_name if specified, and return the PAC_LOGON_INFO (the
* structure containing the important user information such as
* groups).
*/
NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
const char *name,
const char *pass,
time_t time_offset,
time_t *expire_time,
time_t *renew_till_time,
const char *cache_name,
bool request_pac,
bool add_netbios_addr,
time_t renewable_time,
const char *impersonate_princ_s,
struct PAC_LOGON_INFO **_logon_info)
{
krb5_error_code ret;
NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;
const char *auth_princ = NULL;
const char *local_service = NULL;
const char *cc = "MEMORY:kerberos_return_pac";
struct auth_session_info *session_info;
struct gensec_security *gensec_server_context;
struct gensec_settings *gensec_settings;
size_t idx = 0;
struct auth4_context *auth_context;
struct loadparm_context *lp_ctx;
struct PAC_LOGON_INFO *logon_info = NULL;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
ZERO_STRUCT(tkt);
ZERO_STRUCT(ap_rep);
ZERO_STRUCT(sesskey1);
if (!name || !pass) {
return NT_STATUS_INVALID_PARAMETER;
}
if (cache_name) {
cc = cache_name;
}
if (!strchr_m(name, '@')) {
auth_princ = talloc_asprintf(mem_ctx, "%s@%s", name,
lp_realm());
} else {
auth_princ = name;
}
NT_STATUS_HAVE_NO_MEMORY(auth_princ);
local_service = talloc_asprintf(mem_ctx, "%s$@%s",
lp_netbios_name(), lp_realm());
NT_STATUS_HAVE_NO_MEMORY(local_service);
ret = kerberos_kinit_password_ext(auth_princ,
pass,
time_offset,
expire_time,
renew_till_time,
cc,
request_pac,
add_netbios_addr,
renewable_time,
&status);
if (ret) {
DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
auth_princ, error_message(ret), ret));
/* status already set */
goto out;
}
DEBUG(10,("got TGT for %s in %s\n", auth_princ, cc));
if (expire_time) {
DEBUGADD(10,("\tvalid until: %s (%d)\n",
http_timestring(talloc_tos(), *expire_time),
(int)*expire_time));
}
if (renew_till_time) {
DEBUGADD(10,("\trenewable till: %s (%d)\n",
http_timestring(talloc_tos(), *renew_till_time),
(int)*renew_till_time));
}
/* we cannot continue with krb5 when UF_DONT_REQUIRE_PREAUTH is set,
* in that case fallback to NTLM - gd */
if (expire_time && renew_till_time &&
(*expire_time == 0) && (*renew_till_time == 0)) {
return NT_STATUS_INVALID_LOGON_TYPE;
}
ret = cli_krb5_get_ticket(mem_ctx,
local_service,
time_offset,
&tkt,
&sesskey1,
0,
cc,
NULL,
impersonate_princ_s);
if (ret) {
DEBUG(1,("failed to get ticket for %s: %s\n",
local_service, error_message(ret)));
if (impersonate_princ_s) {
DEBUGADD(1,("tried S4U2SELF impersonation as: %s\n",
impersonate_princ_s));
}
status = krb5_to_nt_status(ret);
goto out;
}
/* wrap that up in a nice GSS-API wrapping */
tkt_wrapped = spnego_gen_krb5_wrap(tmp_ctx, tkt, TOK_ID_KRB_AP_REQ);
if (tkt_wrapped.data == NULL) {
status = NT_STATUS_NO_MEMORY;
goto out;
}
auth_context = talloc_zero(tmp_ctx, struct auth4_context);
if (auth_context == NULL) {
status = NT_STATUS_NO_MEMORY;
goto out;
}
auth_context->generate_session_info_pac = kerberos_fetch_pac;
lp_ctx = loadparm_init_s3(tmp_ctx, loadparm_s3_context());
if (lp_ctx == NULL) {
status = NT_STATUS_INVALID_SERVER_STATE;
DEBUG(10, ("loadparm_init_s3 failed\n"));
goto out;
}
gensec_settings = lpcfg_gensec_settings(tmp_ctx, lp_ctx);
if (lp_ctx == NULL) {
status = NT_STATUS_NO_MEMORY;
DEBUG(10, ("lpcfg_gensec_settings failed\n"));
goto out;
}
gensec_settings->backends = talloc_zero_array(gensec_settings,
struct gensec_security_ops *, 2);
if (gensec_settings->backends == NULL) {
status = NT_STATUS_NO_MEMORY;
goto out;
}
gensec_init();
gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
status = gensec_server_start(tmp_ctx, gensec_settings,
auth_context, &gensec_server_context);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, (__location__ "Failed to start server-side GENSEC to validate a Kerberos ticket: %s\n", nt_errstr(status)));
goto out;
}
talloc_unlink(tmp_ctx, lp_ctx);
talloc_unlink(tmp_ctx, gensec_settings);
talloc_unlink(tmp_ctx, auth_context);
status = gensec_start_mech_by_oid(gensec_server_context, GENSEC_OID_KERBEROS5);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, (__location__ "Failed to start server-side GENSEC krb5 to validate a Kerberos ticket: %s\n", nt_errstr(status)));
goto out;
}
/* Do a client-server update dance */
status = gensec_update(gensec_server_context, tmp_ctx, NULL, tkt_wrapped, &ap_rep);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("gensec_update() failed: %s\n", nt_errstr(status)));
goto out;
}
/* Now return the PAC information to the callers. We ingore
* the session_info and instead pick out the PAC via the
* private_data on the auth_context */
status = gensec_session_info(gensec_server_context, tmp_ctx, &session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Unable to obtain PAC via gensec_session_info\n"));
goto out;
}
logon_info = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
struct PAC_LOGON_INFO);
if (logon_info == NULL) {
DEBUG(1,("no PAC\n"));
status = NT_STATUS_INVALID_PARAMETER;
goto out;
}
*_logon_info = talloc_move(mem_ctx, &logon_info);
out:
talloc_free(tmp_ctx);
if (cc != cache_name) {
ads_kdestroy(cc);
}
data_blob_free(&tkt);
data_blob_free(&ap_rep);
data_blob_free(&sesskey1);
return status;
}
