int mit_samba_context_init(struct mit_samba_context **_ctx) { NTSTATUS status; struct mit_samba_context *ctx; const char *s4_conf_file; int ret; struct samba_kdc_base_context base_ctx; ctx = talloc_zero(NULL, struct mit_samba_context); if (!ctx) { ret = ENOMEM; goto done; } base_ctx.ev_ctx = tevent_context_init(ctx); if (!base_ctx.ev_ctx) { ret = ENOMEM; goto done; } tevent_loop_allow_nesting(base_ctx.ev_ctx); base_ctx.lp_ctx = loadparm_init_global(false); if (!base_ctx.lp_ctx) { ret = ENOMEM; goto done; } setup_logging("mitkdc", DEBUG_STDOUT); /* init s4 configuration */ s4_conf_file = lpcfg_configfile(base_ctx.lp_ctx); if (s4_conf_file) { lpcfg_load(base_ctx.lp_ctx, s4_conf_file); } else { lpcfg_load_default(base_ctx.lp_ctx); } status = samba_kdc_setup_db_ctx(ctx, &base_ctx, &ctx->db_ctx); if (!NT_STATUS_IS_OK(status)) { ret = EINVAL; goto done; } /* init heimdal's krb_context and log facilities */ ret = smb_krb5_init_context_basic(ctx, ctx->db_ctx->lp_ctx, &ctx->context); if (ret) { goto done; } ret = 0; done: if (ret) { mit_samba_context_free(ctx); } else { *_ctx = ctx; } return ret; }
krb5_error_code smb_krb5_init_context(void *parent_ctx, struct tevent_context *ev, struct loadparm_context *lp_ctx, struct smb_krb5_context **smb_krb5_context) { krb5_error_code ret; TALLOC_CTX *tmp_ctx; initialize_krb5_error_table(); tmp_ctx = talloc_new(parent_ctx); *smb_krb5_context = talloc(tmp_ctx, struct smb_krb5_context); if (!*smb_krb5_context || !tmp_ctx) { talloc_free(tmp_ctx); return ENOMEM; } ret = smb_krb5_init_context_basic(tmp_ctx, ev, lp_ctx, &(*smb_krb5_context)->krb5_context); if (ret) { DEBUG(1,("smb_krb5_context_init_basic failed (%s)\n", error_message(ret))); talloc_free(tmp_ctx); return ret; } /* TODO: Should we have a different name here? */ ret = krb5_initlog((*smb_krb5_context)->krb5_context, "Samba", &(*smb_krb5_context)->logf); if (ret) { DEBUG(1,("krb5_initlog failed (%s)\n", smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx))); krb5_free_context((*smb_krb5_context)->krb5_context); talloc_free(tmp_ctx); return ret; } talloc_set_destructor(*smb_krb5_context, smb_krb5_context_destroy); ret = krb5_addlog_func((*smb_krb5_context)->krb5_context, (*smb_krb5_context)->logf, 0 /* min */, -1 /* max */, smb_krb5_debug_wrapper, smb_krb5_debug_close, NULL); if (ret) { DEBUG(1,("krb5_addlog_func failed (%s)\n", smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx))); talloc_free(tmp_ctx); return ret; } krb5_set_warn_dest((*smb_krb5_context)->krb5_context, (*smb_krb5_context)->logf); /* Set use of our socket lib */ ret = krb5_set_send_to_kdc_func((*smb_krb5_context)->krb5_context, smb_krb5_send_and_recv_func, ev); if (ret) { DEBUG(1,("krb5_set_send_recv_func failed (%s)\n", smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx))); talloc_free(tmp_ctx); return ret; } talloc_steal(parent_ctx, *smb_krb5_context); talloc_free(tmp_ctx); /* Set options in kerberos */ krb5_set_dns_canonicalize_hostname((*smb_krb5_context)->krb5_context, lp_parm_bool(lp_ctx, NULL, "krb5", "set_dns_canonicalize", false)); return 0; }
krb5_error_code smb_krb5_init_context(void *parent_ctx, struct loadparm_context *lp_ctx, struct smb_krb5_context **smb_krb5_context) { krb5_error_code ret; TALLOC_CTX *tmp_ctx; krb5_context kctx; #ifdef SAMBA4_USES_HEIMDAL krb5_log_facility *logf; #endif initialize_krb5_error_table(); tmp_ctx = talloc_new(parent_ctx); *smb_krb5_context = talloc_zero(tmp_ctx, struct smb_krb5_context); if (!*smb_krb5_context || !tmp_ctx) { talloc_free(tmp_ctx); return ENOMEM; } ret = smb_krb5_init_context_basic(tmp_ctx, lp_ctx, &kctx); if (ret) { DEBUG(1,("smb_krb5_context_init_basic failed (%s)\n", error_message(ret))); talloc_free(tmp_ctx); return ret; } (*smb_krb5_context)->krb5_context = kctx; talloc_set_destructor(*smb_krb5_context, smb_krb5_context_destroy); #ifdef SAMBA4_USES_HEIMDAL /* TODO: Should we have a different name here? */ ret = krb5_initlog(kctx, "Samba", &logf); if (ret) { DEBUG(1,("krb5_initlog failed (%s)\n", smb_get_krb5_error_message(kctx, ret, tmp_ctx))); talloc_free(tmp_ctx); return ret; } (*smb_krb5_context)->pvt_log_data = logf; ret = krb5_addlog_func(kctx, logf, 0 /* min */, -1 /* max */, smb_krb5_debug_wrapper, smb_krb5_debug_close, NULL); if (ret) { DEBUG(1,("krb5_addlog_func failed (%s)\n", smb_get_krb5_error_message(kctx, ret, tmp_ctx))); talloc_free(tmp_ctx); return ret; } krb5_set_warn_dest(kctx, logf); /* Set options in kerberos */ krb5_set_dns_canonicalize_hostname(kctx, lpcfg_parm_bool(lp_ctx, NULL, "krb5", "set_dns_canonicalize", false)); #endif talloc_steal(parent_ctx, *smb_krb5_context); talloc_free(tmp_ctx); return 0; }
/* check that the SPN update should be allowed as an override via sam_ctx_system This is only called if the client is not a domain controller or administrator */ static bool writespn_check_spn(struct drsuapi_bind_state *b_state, struct dcesrv_call_state *dce_call, struct ldb_dn *dn, const char *spn) { /* * we only allow SPN updates if: * * 1) they are on the clients own account object * 2) they are of the form SERVICE/dnshostname */ struct dom_sid *user_sid, *sid; TALLOC_CTX *tmp_ctx = talloc_new(dce_call); struct ldb_result *res; const char *attrs[] = { "objectSID", "dNSHostName", NULL }; int ret; krb5_context krb_ctx; krb5_error_code kerr; krb5_principal principal; const krb5_data *component; const char *dns_name, *dnsHostName; /* The service principal name shouldn't be NULL */ if (spn == NULL) { talloc_free(tmp_ctx); return false; } /* get the objectSid of the DN that is being modified, and check it matches the user_sid in their token */ ret = dsdb_search_dn(b_state->sam_ctx, tmp_ctx, &res, dn, attrs, DSDB_SEARCH_ONE_ONLY); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return false; } user_sid = &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]; sid = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid"); if (sid == NULL) { talloc_free(tmp_ctx); return false; } dnsHostName = ldb_msg_find_attr_as_string(res->msgs[0], "dNSHostName", NULL); if (dnsHostName == NULL) { talloc_free(tmp_ctx); return false; } if (!dom_sid_equal(sid, user_sid)) { talloc_free(tmp_ctx); return false; } kerr = smb_krb5_init_context_basic(tmp_ctx, dce_call->conn->dce_ctx->lp_ctx, &krb_ctx); if (kerr != 0) { talloc_free(tmp_ctx); return false; } ret = krb5_parse_name_flags(krb_ctx, spn, KRB5_PRINCIPAL_PARSE_NO_REALM, &principal); if (kerr != 0) { krb5_free_context(krb_ctx); talloc_free(tmp_ctx); return false; } if (krb5_princ_size(krb_ctx, principal) != 2) { krb5_free_principal(krb_ctx, principal); krb5_free_context(krb_ctx); talloc_free(tmp_ctx); return false; } component = krb5_princ_component(krb_ctx, principal, 1); dns_name = (const char *)component->data; if (strcasecmp(dns_name, dnsHostName) != 0) { krb5_free_principal(krb_ctx, principal); krb5_free_context(krb_ctx); talloc_free(tmp_ctx); return false; } /* its a simple update on their own account - allow it with * permissions override */ krb5_free_principal(krb_ctx, principal); krb5_free_context(krb_ctx); talloc_free(tmp_ctx); return true; }