static int create_keytab(TALLOC_CTX *parent_ctx,
struct cli_credentials *machine_account,
struct smb_krb5_context *smb_krb5_context,
const char **enctype_strings,
krb5_keytab keytab,
BOOL add_old)
{
krb5_error_code ret;
const char *password_s;
const char *old_secret;
int kvno;
krb5_principal salt_princ;
krb5_principal princ;
const char *princ_string;
TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
if (!mem_ctx) {
return ENOMEM;
}
princ_string = cli_credentials_get_principal(machine_account, mem_ctx);
/* Get the principal we will store the new keytab entries under */
ret = principal_from_credentials(mem_ctx, machine_account, smb_krb5_context, &princ);
if (ret) {
DEBUG(1,("create_keytab: makeing krb5 principal failed (%s)\n",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
talloc_free(mem_ctx);
return ret;
}
/* The salt used to generate these entries may be different however, fetch that */
ret = salt_principal_from_credentials(mem_ctx, machine_account,
smb_krb5_context,
&salt_princ);
if (ret) {
DEBUG(1,("create_keytab: makeing salt principal failed (%s)\n",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
talloc_free(mem_ctx);
return ret;
}
/* Finally, do the dance to get the password to put in the entry */
password_s = cli_credentials_get_password(machine_account);
if (!password_s) {
krb5_keytab_entry entry;
const struct samr_Password *mach_pwd;
if (!str_list_check(enctype_strings, "arcfour-hmac-md5")) {
DEBUG(1, ("Asked to create keytab, but with only an NT hash supplied, "
"but not listing arcfour-hmac-md5 as an enc type to include in the keytab!\n"));
talloc_free(mem_ctx);
return EINVAL;
}
/* If we don't have the plaintext password, try for
* the MD4 password hash */
mach_pwd = cli_credentials_get_nt_hash(machine_account, mem_ctx);
if (!mach_pwd) {
/* OK, nothing to do here */
talloc_free(mem_ctx);
return 0;
}
ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
ETYPE_ARCFOUR_HMAC_MD5,
mach_pwd->hash, sizeof(mach_pwd->hash),
&entry.keyblock);
if (ret) {
DEBUG(1, ("create_keytab: krb5_keyblock_init failed: %s\n",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
talloc_free(mem_ctx);
return ret;
}
entry.principal = princ;
entry.vno = cli_credentials_get_kvno(machine_account);
ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, keytab, &entry);
if (ret) {
DEBUG(1, ("Failed to add ARCFOUR_HMAC (only) entry for %s to keytab: %s",
cli_credentials_get_principal(machine_account, mem_ctx),
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
talloc_free(mem_ctx);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
return ret;
}
DEBUG(5, ("Added %s(kvno %d) to keytab (arcfour-hmac-md5)\n",
cli_credentials_get_principal(machine_account, mem_ctx),
cli_credentials_get_kvno(machine_account)));
krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
/* Can't go any further, we only have this one key */
talloc_free(mem_ctx);
return 0;
}
kvno = cli_credentials_get_kvno(machine_account);
/* good, we actually have the real plaintext */
ret = keytab_add_keys(mem_ctx, princ_string, princ, salt_princ,
kvno, password_s, smb_krb5_context,
enctype_strings, keytab);
if (!ret) {
talloc_free(mem_ctx);
return ret;
}
if (!add_old || kvno == 0) {
talloc_free(mem_ctx);
return 0;
}
old_secret = cli_credentials_get_old_password(machine_account);
if (!old_secret) {
talloc_free(mem_ctx);
return 0;
}
ret = keytab_add_keys(mem_ctx, princ_string, princ, salt_princ,
kvno - 1, old_secret, smb_krb5_context,
enctype_strings, keytab);
if (!ret) {
talloc_free(mem_ctx);
return ret;
}
talloc_free(mem_ctx);
return 0;
}
static WERROR DsCrackNameSPNAlias(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
struct smb_krb5_context *smb_krb5_context,
uint32_t format_flags, uint32_t format_offered, uint32_t format_desired,
const char *name, struct drsuapi_DsNameInfo1 *info1)
{
WERROR wret;
krb5_error_code ret;
krb5_principal principal;
const char *service, *dns_name;
char *new_service;
char *new_princ;
enum drsuapi_DsNameStatus namestatus;
/* parse principal */
ret = krb5_parse_name_flags(smb_krb5_context->krb5_context,
name, KRB5_PRINCIPAL_PARSE_NO_REALM, &principal);
if (ret) {
DEBUG(2, ("Could not parse principal: %s: %s",
name, smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
return WERR_NOMEM;
}
/* grab cifs/, http/ etc */
/* This is checked for in callers, but be safe */
if (principal->name.name_string.len < 2) {
info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
return WERR_OK;
}
service = principal->name.name_string.val[0];
dns_name = principal->name.name_string.val[1];
/* MAP it */
namestatus = LDB_lookup_spn_alias(smb_krb5_context->krb5_context,
sam_ctx, mem_ctx,
service, &new_service);
if (namestatus == DRSUAPI_DS_NAME_STATUS_NOT_FOUND) {
info1->status = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
info1->dns_domain_name = talloc_strdup(mem_ctx, dns_name);
if (!info1->dns_domain_name) {
krb5_free_principal(smb_krb5_context->krb5_context, principal);
return WERR_NOMEM;
}
return WERR_OK;
} else if (namestatus != DRSUAPI_DS_NAME_STATUS_OK) {
info1->status = namestatus;
krb5_free_principal(smb_krb5_context->krb5_context, principal);
return WERR_OK;
}
/* ooh, very nasty playing around in the Principal... */
free(principal->name.name_string.val[0]);
principal->name.name_string.val[0] = strdup(new_service);
if (!principal->name.name_string.val[0]) {
krb5_free_principal(smb_krb5_context->krb5_context, principal);
return WERR_NOMEM;
}
/* reform principal */
ret = krb5_unparse_name_flags(smb_krb5_context->krb5_context, principal,
KRB5_PRINCIPAL_UNPARSE_NO_REALM, &new_princ);
if (ret) {
krb5_free_principal(smb_krb5_context->krb5_context, principal);
return WERR_NOMEM;
}
wret = DsCrackNameOneName(sam_ctx, mem_ctx, format_flags, format_offered, format_desired,
new_princ, info1);
free(new_princ);
if (W_ERROR_IS_OK(wret) && (info1->status == DRSUAPI_DS_NAME_STATUS_NOT_FOUND)) {
info1->status = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
info1->dns_domain_name = talloc_strdup(mem_ctx, dns_name);
if (!info1->dns_domain_name) {
wret = WERR_NOMEM;
}
}
krb5_free_principal(smb_krb5_context->krb5_context, principal);
return wret;
}
krb5_error_code smb_krb5_init_context(void *parent_ctx,
struct tevent_context *ev,
struct loadparm_context *lp_ctx,
struct smb_krb5_context **smb_krb5_context)
{
krb5_error_code ret;
TALLOC_CTX *tmp_ctx;
initialize_krb5_error_table();
tmp_ctx = talloc_new(parent_ctx);
*smb_krb5_context = talloc(tmp_ctx, struct smb_krb5_context);
if (!*smb_krb5_context || !tmp_ctx) {
talloc_free(tmp_ctx);
return ENOMEM;
}
ret = smb_krb5_init_context_basic(tmp_ctx, ev, lp_ctx,
&(*smb_krb5_context)->krb5_context);
if (ret) {
DEBUG(1,("smb_krb5_context_init_basic failed (%s)\n",
error_message(ret)));
talloc_free(tmp_ctx);
return ret;
}
/* TODO: Should we have a different name here? */
ret = krb5_initlog((*smb_krb5_context)->krb5_context, "Samba", &(*smb_krb5_context)->logf);
if (ret) {
DEBUG(1,("krb5_initlog failed (%s)\n",
smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
krb5_free_context((*smb_krb5_context)->krb5_context);
talloc_free(tmp_ctx);
return ret;
}
talloc_set_destructor(*smb_krb5_context, smb_krb5_context_destroy);
ret = krb5_addlog_func((*smb_krb5_context)->krb5_context, (*smb_krb5_context)->logf, 0 /* min */, -1 /* max */,
smb_krb5_debug_wrapper, smb_krb5_debug_close, NULL);
if (ret) {
DEBUG(1,("krb5_addlog_func failed (%s)\n",
smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
talloc_free(tmp_ctx);
return ret;
}
krb5_set_warn_dest((*smb_krb5_context)->krb5_context, (*smb_krb5_context)->logf);
/* Set use of our socket lib */
ret = krb5_set_send_to_kdc_func((*smb_krb5_context)->krb5_context,
smb_krb5_send_and_recv_func,
ev);
if (ret) {
DEBUG(1,("krb5_set_send_recv_func failed (%s)\n",
smb_get_krb5_error_message((*smb_krb5_context)->krb5_context, ret, tmp_ctx)));
talloc_free(tmp_ctx);
return ret;
}
talloc_steal(parent_ctx, *smb_krb5_context);
talloc_free(tmp_ctx);
/* Set options in kerberos */
krb5_set_dns_canonicalize_hostname((*smb_krb5_context)->krb5_context,
lp_parm_bool(lp_ctx, NULL, "krb5", "set_dns_canonicalize", false));
return 0;
}
static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx_out,
struct auth_session_info **_session_info)
{
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
struct auth_user_info_dc *user_info_dc = NULL;
struct auth_session_info *session_info = NULL;
struct PAC_LOGON_INFO *logon_info;
krb5_principal client_principal;
char *principal_string;
DATA_BLOB pac;
krb5_data pac_data;
krb5_error_code ret;
TALLOC_CTX *mem_ctx = talloc_new(mem_ctx_out);
if (!mem_ctx) {
return NT_STATUS_NO_MEMORY;
}
ret = krb5_ticket_get_client(context, gensec_krb5_state->ticket, &client_principal);
if (ret) {
DEBUG(5, ("krb5_ticket_get_client failed to get cleint principal: %s\n",
smb_get_krb5_error_message(context,
ret, mem_ctx)));
talloc_free(mem_ctx);
return NT_STATUS_NO_MEMORY;
}
ret = krb5_unparse_name(gensec_krb5_state->smb_krb5_context->krb5_context,
client_principal, &principal_string);
if (ret) {
DEBUG(1, ("Unable to parse client principal: %s\n",
smb_get_krb5_error_message(context,
ret, mem_ctx)));
krb5_free_principal(context, client_principal);
talloc_free(mem_ctx);
return NT_STATUS_NO_MEMORY;
}
ret = krb5_ticket_get_authorization_data_type(context, gensec_krb5_state->ticket,
KRB5_AUTHDATA_WIN2K_PAC,
&pac_data);
if (ret && gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s \n",
principal_string,
smb_get_krb5_error_message(context,
ret, mem_ctx)));
free(principal_string);
krb5_free_principal(context, client_principal);
talloc_free(mem_ctx);
return NT_STATUS_ACCESS_DENIED;
} else if (ret) {
/* NO pac */
DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n",
smb_get_krb5_error_message(context,
ret, mem_ctx)));
if (gensec_security->auth_context &&
!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup: %s",
principal_string, smb_get_krb5_error_message(context,
ret, mem_ctx)));
nt_status = gensec_security->auth_context->get_user_info_dc_principal(mem_ctx,
gensec_security->auth_context,
principal_string,
NULL, &user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
free(principal_string);
krb5_free_principal(context, client_principal);
talloc_free(mem_ctx);
return nt_status;
}
} else {
DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
principal_string));
free(principal_string);
krb5_free_principal(context, client_principal);
talloc_free(mem_ctx);
return NT_STATUS_ACCESS_DENIED;
}
} else {
/* Found pac */
union netr_Validation validation;
pac = data_blob_talloc(mem_ctx, pac_data.data, pac_data.length);
if (!pac.data) {
free(principal_string);
krb5_free_principal(context, client_principal);
talloc_free(mem_ctx);
return NT_STATUS_NO_MEMORY;
}
/* decode and verify the pac */
nt_status = kerberos_pac_logon_info(gensec_krb5_state,
pac,
gensec_krb5_state->smb_krb5_context->krb5_context,
NULL, gensec_krb5_state->keyblock,
client_principal,
gensec_krb5_state->ticket->ticket.authtime, &logon_info);
if (!NT_STATUS_IS_OK(nt_status)) {
free(principal_string);
krb5_free_principal(context, client_principal);
talloc_free(mem_ctx);
return nt_status;
}
validation.sam3 = &logon_info->info3;
nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
NULL,
3, &validation,
true, /* This user was authenticated */
&user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
free(principal_string);
krb5_free_principal(context, client_principal);
talloc_free(mem_ctx);
return nt_status;
}
}
free(principal_string);
krb5_free_principal(context, client_principal);
/* references the user_info_dc into the session_info */
nt_status = gensec_generate_session_info(mem_ctx, gensec_security, user_info_dc, &session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
}
nt_status = gensec_krb5_session_key(gensec_security, session_info, &session_info->session_key);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
}
*_session_info = talloc_steal(mem_ctx_out, session_info);
talloc_free(mem_ctx);
return NT_STATUS_OK;
}
krb5_error_code
smb_krb5_init_context_basic(TALLOC_CTX *tmp_ctx,
struct loadparm_context *lp_ctx,
krb5_context *_krb5_context)
{
krb5_error_code ret;
#ifdef SAMBA4_USES_HEIMDAL
char **config_files;
const char *config_file, *realm;
#endif
krb5_context krb5_ctx;
initialize_krb5_error_table();
ret = krb5_init_context(&krb5_ctx);
if (ret) {
DEBUG(1,("krb5_init_context failed (%s)\n",
error_message(ret)));
return ret;
}
/* The MIT Kerberos build relies on using the system krb5.conf file.
* If you really want to use another file please set KRB5_CONFIG
* accordingly. */
#ifdef SAMBA4_USES_HEIMDAL
config_file = lpcfg_config_path(tmp_ctx, lp_ctx, "krb5.conf");
if (!config_file) {
krb5_free_context(krb5_ctx);
return ENOMEM;
}
/* Use our local krb5.conf file by default */
ret = krb5_prepend_config_files_default(config_file, &config_files);
if (ret) {
DEBUG(1,("krb5_prepend_config_files_default failed (%s)\n",
smb_get_krb5_error_message(krb5_ctx, ret, tmp_ctx)));
krb5_free_context(krb5_ctx);
return ret;
}
ret = krb5_set_config_files(krb5_ctx, config_files);
krb5_free_config_files(config_files);
if (ret) {
DEBUG(1,("krb5_set_config_files failed (%s)\n",
smb_get_krb5_error_message(krb5_ctx, ret, tmp_ctx)));
krb5_free_context(krb5_ctx);
return ret;
}
realm = lpcfg_realm(lp_ctx);
if (realm != NULL) {
ret = krb5_set_default_realm(krb5_ctx, realm);
if (ret) {
DEBUG(1,("krb5_set_default_realm failed (%s)\n",
smb_get_krb5_error_message(krb5_ctx, ret, tmp_ctx)));
krb5_free_context(krb5_ctx);
return ret;
}
}
#endif
*_krb5_context = krb5_ctx;
return 0;
}
krb5_error_code smb_krb5_update_keytab(TALLOC_CTX *parent_ctx,
krb5_context context,
const char *keytab_name,
const char *samAccountName,
const char *realm,
const char **SPNs,
int num_SPNs,
const char *saltPrincipal,
const char *new_secret,
const char *old_secret,
int kvno,
uint32_t supp_enctypes,
bool delete_all_kvno,
krb5_keytab *_keytab,
const char **error_string)
{
krb5_keytab keytab;
krb5_error_code ret;
bool found_previous;
TALLOC_CTX *tmp_ctx;
krb5_principal *principals = NULL;
if (keytab_name == NULL) {
return ENOENT;
}
ret = krb5_kt_resolve(context, keytab_name, &keytab);
if (ret) {
*error_string = smb_get_krb5_error_message(context,
ret, parent_ctx);
return ret;
}
DEBUG(5, ("Opened keytab %s\n", keytab_name));
tmp_ctx = talloc_new(parent_ctx);
if (!tmp_ctx) {
return ENOMEM;
}
/* Get the principal we will store the new keytab entries under */
ret = principals_from_list(tmp_ctx,
samAccountName, realm, SPNs, num_SPNs,
context, &principals, error_string);
if (ret != 0) {
*error_string = talloc_asprintf(parent_ctx,
"Failed to load principals from ldb message: %s\n",
*error_string);
goto done;
}
ret = remove_old_entries(tmp_ctx, kvno, principals, delete_all_kvno,
context, keytab, &found_previous, error_string);
if (ret != 0) {
*error_string = talloc_asprintf(parent_ctx,
"Failed to remove old principals from keytab: %s\n",
*error_string);
goto done;
}
if (!delete_all_kvno) {
/* Create a new keytab. If during the cleanout we found
* entires for kvno -1, then don't try and duplicate them.
* Otherwise, add kvno, and kvno -1 */
ret = create_keytab(tmp_ctx,
samAccountName, realm, saltPrincipal,
kvno, new_secret, old_secret,
supp_enctypes, principals,
context, keytab,
found_previous ? false : true,
error_string);
if (ret) {
talloc_steal(parent_ctx, *error_string);
}
}
if (ret == 0 && _keytab != NULL) {
/* caller wants the keytab handle back */
*_keytab = keytab;
}
done:
keytab_principals_free(context, principals);
if (ret != 0 || _keytab == NULL) {
krb5_kt_close(context, keytab);
}
talloc_free(tmp_ctx);
return ret;
}
static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_security, bool gssapi)
{
struct gensec_krb5_state *gensec_krb5_state;
krb5_error_code ret;
NTSTATUS nt_status;
struct ccache_container *ccache_container;
const char *hostname;
const char *error_string;
const char *principal;
krb5_data in_data;
struct tevent_context *previous_ev;
hostname = gensec_get_target_hostname(gensec_security);
if (!hostname) {
DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
return NT_STATUS_INVALID_PARAMETER;
}
if (is_ipaddress(hostname)) {
DEBUG(2, ("Cannot do krb5 to an IP address"));
return NT_STATUS_INVALID_PARAMETER;
}
if (strcmp(hostname, "localhost") == 0) {
DEBUG(2, ("krb5 to 'localhost' does not make sense"));
return NT_STATUS_INVALID_PARAMETER;
}
nt_status = gensec_krb5_start(gensec_security, gssapi);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_START;
gensec_krb5_state->ap_req_options = AP_OPTS_USE_SUBKEY;
if (gensec_krb5_state->gssapi) {
/* The Fake GSSAPI modal emulates Samba3, which does not do mutual authentication */
if (gensec_setting_bool(gensec_security->settings, "gensec_fake_gssapi_krb5", "mutual", false)) {
gensec_krb5_state->ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
}
} else {
/* The wrapping for KPASSWD (a user of the raw KRB5 API) should be mutually authenticated */
if (gensec_setting_bool(gensec_security->settings, "gensec_krb5", "mutual", true)) {
gensec_krb5_state->ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
}
}
principal = gensec_get_target_principal(gensec_security);
ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security),
gensec_security->event_ctx,
gensec_security->settings->lp_ctx, &ccache_container, &error_string);
switch (ret) {
case 0:
break;
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
return NT_STATUS_LOGON_FAILURE;
case KRB5_KDC_UNREACH:
DEBUG(3, ("Cannot reach a KDC we require to contact %s: %s\n", principal, error_string));
return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
case KRB5_CC_NOTFOUND:
case KRB5_CC_END:
DEBUG(3, ("Error preparing credentials we require to contact %s : %s\n", principal, error_string));
return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
default:
DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials failed: %s\n", error_string));
return NT_STATUS_UNSUCCESSFUL;
}
in_data.length = 0;
/* Do this every time, in case we have weird recursive issues here */
ret = smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, gensec_security->event_ctx, &previous_ev);
if (ret != 0) {
DEBUG(1, ("gensec_krb5_start: Setting event context failed\n"));
return NT_STATUS_NO_MEMORY;
}
if (principal) {
krb5_principal target_principal;
ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
&target_principal);
if (ret == 0) {
ret = krb5_mk_req_exact(gensec_krb5_state->smb_krb5_context->krb5_context,
&gensec_krb5_state->auth_context,
gensec_krb5_state->ap_req_options,
target_principal,
&in_data, ccache_container->ccache,
&gensec_krb5_state->enc_ticket);
krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
target_principal);
}
} else {
ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context,
&gensec_krb5_state->auth_context,
gensec_krb5_state->ap_req_options,
gensec_get_target_service(gensec_security),
hostname,
&in_data, ccache_container->ccache,
&gensec_krb5_state->enc_ticket);
}
smb_krb5_context_remove_event_ctx(gensec_krb5_state->smb_krb5_context, previous_ev, gensec_security->event_ctx);
switch (ret) {
case 0:
return NT_STATUS_OK;
case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n",
hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
case KRB5_KDC_UNREACH:
DEBUG(3, ("Cannot reach a KDC we require to contact host [%s]: %s\n",
hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5KRB_AP_ERR_TKT_EXPIRED:
case KRB5_CC_END:
/* Too much clock skew - we will need to kinit to re-skew the clock */
case KRB5KRB_AP_ERR_SKEW:
case KRB5_KDCREP_SKEW:
{
DEBUG(3, ("kerberos (mk_req) failed: %s\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
/*fall through*/
}
/* just don't print a message for these really ordinary messages */
case KRB5_FCC_NOFILE:
case KRB5_CC_NOTFOUND:
case ENOENT:
return NT_STATUS_UNSUCCESSFUL;
break;
default:
DEBUG(0, ("kerberos: %s\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
return NT_STATUS_UNSUCCESSFUL;
}
}
static bool torture_pac_self_check(struct torture_context *tctx)
{
NTSTATUS nt_status;
DATA_BLOB tmp_blob;
struct PAC_DATA *pac_data;
struct PAC_LOGON_INFO *logon_info;
union netr_Validation validation;
/* Generate a nice, arbitary keyblock */
uint8_t server_bytes[16];
uint8_t krbtgt_bytes[16];
krb5_keyblock server_keyblock;
krb5_keyblock krbtgt_keyblock;
krb5_error_code ret;
struct smb_krb5_context *smb_krb5_context;
struct auth_user_info_dc *user_info_dc;
struct auth_user_info_dc *user_info_dc_out;
krb5_principal client_principal;
time_t logon_time = time(NULL);
TALLOC_CTX *mem_ctx = tctx;
torture_assert(tctx, 0 == smb_krb5_init_context(mem_ctx,
NULL,
tctx->lp_ctx,
&smb_krb5_context),
"smb_krb5_init_context");
generate_random_buffer(server_bytes, 16);
generate_random_buffer(krbtgt_bytes, 16);
ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
ENCTYPE_ARCFOUR_HMAC,
server_bytes, sizeof(server_bytes),
&server_keyblock);
torture_assert(tctx, !ret, talloc_asprintf(tctx,
"(self test) Server Keyblock encoding failed: %s",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
ENCTYPE_ARCFOUR_HMAC,
krbtgt_bytes, sizeof(krbtgt_bytes),
&krbtgt_keyblock);
if (ret) {
char *err = smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
torture_fail(tctx, talloc_asprintf(tctx,
"(self test) KRBTGT Keyblock encoding failed: %s", err));
}
/* We need an input, and this one requires no underlying database */
nt_status = auth_anonymous_user_info_dc(mem_ctx, lpcfg_netbios_name(tctx->lp_ctx), &user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
torture_fail(tctx, "auth_anonymous_user_info_dc");
}
ret = krb5_parse_name_flags(smb_krb5_context->krb5_context,
user_info_dc->info->account_name,
KRB5_PRINCIPAL_PARSE_NO_REALM,
&client_principal);
if (ret) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
torture_fail(tctx, "krb5_parse_name_flags(norealm)");
}
/* OK, go ahead and make a PAC */
ret = kerberos_create_pac(mem_ctx,
user_info_dc,
smb_krb5_context->krb5_context,
&krbtgt_keyblock,
&server_keyblock,
client_principal,
logon_time,
&tmp_blob);
if (ret) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context,
client_principal);
torture_fail(tctx, talloc_asprintf(tctx,
"(self test) PAC encoding failed: %s",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
}
dump_data(10,tmp_blob.data,tmp_blob.length);
/* Now check that we can read it back (using full decode and validate) */
nt_status = kerberos_decode_pac(mem_ctx,
tmp_blob,
smb_krb5_context->krb5_context,
&krbtgt_keyblock,
&server_keyblock,
client_principal,
logon_time,
&pac_data);
if (!NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context,
client_principal);
torture_fail(tctx, talloc_asprintf(tctx,
"(self test) PAC decoding failed: %s",
nt_errstr(nt_status)));
}
/* Now check we can read it back (using Heimdal's pac parsing) */
nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx,
tmp_blob,
smb_krb5_context->krb5_context,
&user_info_dc_out, NULL, NULL);
/* The user's SID is the first element in the list */
if (!dom_sid_equal(user_info_dc->sids,
user_info_dc_out->sids)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context,
client_principal);
torture_fail(tctx,
talloc_asprintf(tctx,
"(self test) PAC Decode resulted in *different* domain SID: %s != %s",
dom_sid_string(mem_ctx, user_info_dc->sids),
dom_sid_string(mem_ctx, user_info_dc_out->sids)));
}
talloc_free(user_info_dc_out);
/* Now check that we can read it back (yet again) */
nt_status = kerberos_pac_logon_info(mem_ctx,
tmp_blob,
smb_krb5_context->krb5_context,
&krbtgt_keyblock,
&server_keyblock,
client_principal,
logon_time,
&logon_info);
if (!NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context,
client_principal);
torture_fail(tctx,
talloc_asprintf(tctx,
"(self test) PAC decoding (for logon info) failed: %s",
nt_errstr(nt_status)));
}
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context,
client_principal);
/* And make a server info from the samba-parsed PAC */
validation.sam3 = &logon_info->info3;
nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
"",
3, &validation,
true, /* This user was authenticated */
&user_info_dc_out);
if (!NT_STATUS_IS_OK(nt_status)) {
torture_fail(tctx,
talloc_asprintf(tctx,
"(self test) PAC decoding (make server info) failed: %s",
nt_errstr(nt_status)));
}
if (!dom_sid_equal(user_info_dc->sids,
user_info_dc_out->sids)) {
torture_fail(tctx,
talloc_asprintf(tctx,
"(self test) PAC Decode resulted in *different* domain SID: %s != %s",
dom_sid_string(mem_ctx, user_info_dc->sids),
dom_sid_string(mem_ctx, user_info_dc_out->sids)));
}
return true;
}
_PUBLIC_ int cli_credentials_set_ccache(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
const char *name,
enum credentials_obtained obtained,
const char **error_string)
{
krb5_error_code ret;
krb5_principal princ;
struct ccache_container *ccc;
if (cred->ccache_obtained > obtained) {
return 0;
}
ccc = talloc(cred, struct ccache_container);
if (!ccc) {
(*error_string) = error_message(ENOMEM);
return ENOMEM;
}
ret = cli_credentials_get_krb5_context(cred, lp_ctx,
&ccc->smb_krb5_context);
if (ret) {
(*error_string) = error_message(ret);
talloc_free(ccc);
return ret;
}
if (!talloc_reference(ccc, ccc->smb_krb5_context)) {
talloc_free(ccc);
(*error_string) = error_message(ENOMEM);
return ENOMEM;
}
if (name) {
ret = krb5_cc_resolve(ccc->smb_krb5_context->krb5_context, name, &ccc->ccache);
if (ret) {
(*error_string) = talloc_asprintf(cred, "failed to read krb5 ccache: %s: %s\n",
name,
smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context,
ret, ccc));
talloc_free(ccc);
return ret;
}
} else {
ret = krb5_cc_default(ccc->smb_krb5_context->krb5_context, &ccc->ccache);
if (ret) {
(*error_string) = talloc_asprintf(cred, "failed to read default krb5 ccache: %s\n",
smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context,
ret, ccc));
talloc_free(ccc);
return ret;
}
}
talloc_set_destructor(ccc, free_dccache);
ret = krb5_cc_get_principal(ccc->smb_krb5_context->krb5_context, ccc->ccache, &princ);
if (ret == 0) {
krb5_free_principal(ccc->smb_krb5_context->krb5_context, princ);
ret = cli_credentials_set_from_ccache(cred, ccc, obtained, error_string);
if (ret) {
(*error_string) = error_message(ret);
return ret;
}
cred->ccache = ccc;
cred->ccache_obtained = obtained;
talloc_steal(cred, ccc);
cli_credentials_invalidate_client_gss_creds(cred, cred->ccache_obtained);
return 0;
}
return 0;
}
NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
struct smb_iconv_convenience *iconv_convenience,
struct PAC_DATA **pac_data_out,
DATA_BLOB blob,
krb5_context context,
const krb5_keyblock *krbtgt_keyblock,
const krb5_keyblock *service_keyblock,
krb5_const_principal client_principal,
time_t tgs_authtime,
krb5_error_code *k5ret)
{
krb5_error_code ret;
NTSTATUS status;
enum ndr_err_code ndr_err;
struct PAC_SIGNATURE_DATA *srv_sig_ptr = NULL;
struct PAC_SIGNATURE_DATA *kdc_sig_ptr = NULL;
struct PAC_SIGNATURE_DATA *srv_sig_wipe = NULL;
struct PAC_SIGNATURE_DATA *kdc_sig_wipe = NULL;
struct PAC_LOGON_INFO *logon_info = NULL;
struct PAC_LOGON_NAME *logon_name = NULL;
struct PAC_DATA *pac_data;
struct PAC_DATA_RAW *pac_data_raw;
DATA_BLOB *srv_sig_blob = NULL;
DATA_BLOB *kdc_sig_blob = NULL;
DATA_BLOB modified_pac_blob;
NTTIME tgs_authtime_nttime;
krb5_principal client_principal_pac;
int i;
krb5_clear_error_message(context);
if (k5ret) {
*k5ret = KRB5_PARSE_MALFORMED;
}
pac_data = talloc(mem_ctx, struct PAC_DATA);
pac_data_raw = talloc(mem_ctx, struct PAC_DATA_RAW);
kdc_sig_wipe = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
srv_sig_wipe = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
if (!pac_data_raw || !pac_data || !kdc_sig_wipe || !srv_sig_wipe) {
if (k5ret) {
*k5ret = ENOMEM;
}
return NT_STATUS_NO_MEMORY;
}
ndr_err = ndr_pull_struct_blob(&blob, pac_data,
iconv_convenience, pac_data,
(ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't parse the PAC: %s\n",
nt_errstr(status)));
return status;
}
if (pac_data->num_buffers < 4) {
/* we need logon_ingo, service_key and kdc_key */
DEBUG(0,("less than 4 PAC buffers\n"));
return NT_STATUS_INVALID_PARAMETER;
}
ndr_err = ndr_pull_struct_blob(&blob, pac_data_raw,
iconv_convenience, pac_data_raw,
(ndr_pull_flags_fn_t)ndr_pull_PAC_DATA_RAW);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't parse the PAC: %s\n",
nt_errstr(status)));
return status;
}
if (pac_data_raw->num_buffers < 4) {
/* we need logon_ingo, service_key and kdc_key */
DEBUG(0,("less than 4 PAC buffers\n"));
return NT_STATUS_INVALID_PARAMETER;
}
if (pac_data->num_buffers != pac_data_raw->num_buffers) {
/* we need logon_ingo, service_key and kdc_key */
DEBUG(0,("misparse! PAC_DATA has %d buffers while PAC_DATA_RAW has %d\n",
pac_data->num_buffers, pac_data_raw->num_buffers));
return NT_STATUS_INVALID_PARAMETER;
}
for (i=0; i < pac_data->num_buffers; i++) {
if (pac_data->buffers[i].type != pac_data_raw->buffers[i].type) {
DEBUG(0,("misparse! PAC_DATA buffer %d has type %d while PAC_DATA_RAW has %d\n",
i, pac_data->buffers[i].type, pac_data->buffers[i].type));
return NT_STATUS_INVALID_PARAMETER;
}
switch (pac_data->buffers[i].type) {
case PAC_TYPE_LOGON_INFO:
if (!pac_data->buffers[i].info) {
break;
}
logon_info = pac_data->buffers[i].info->logon_info.info;
break;
case PAC_TYPE_SRV_CHECKSUM:
if (!pac_data->buffers[i].info) {
break;
}
srv_sig_ptr = &pac_data->buffers[i].info->srv_cksum;
srv_sig_blob = &pac_data_raw->buffers[i].info->remaining;
break;
case PAC_TYPE_KDC_CHECKSUM:
if (!pac_data->buffers[i].info) {
break;
}
kdc_sig_ptr = &pac_data->buffers[i].info->kdc_cksum;
kdc_sig_blob = &pac_data_raw->buffers[i].info->remaining;
break;
case PAC_TYPE_LOGON_NAME:
logon_name = &pac_data->buffers[i].info->logon_name;
break;
default:
break;
}
}
if (!logon_info) {
DEBUG(0,("PAC no logon_info\n"));
return NT_STATUS_INVALID_PARAMETER;
}
if (!logon_name) {
DEBUG(0,("PAC no logon_name\n"));
return NT_STATUS_INVALID_PARAMETER;
}
if (!srv_sig_ptr || !srv_sig_blob) {
DEBUG(0,("PAC no srv_key\n"));
return NT_STATUS_INVALID_PARAMETER;
}
if (!kdc_sig_ptr || !kdc_sig_blob) {
DEBUG(0,("PAC no kdc_key\n"));
return NT_STATUS_INVALID_PARAMETER;
}
/* Find and zero out the signatures, as required by the signing algorithm */
/* We find the data blobs above, now we parse them to get at the exact portion we should zero */
ndr_err = ndr_pull_struct_blob(kdc_sig_blob, kdc_sig_wipe,
iconv_convenience, kdc_sig_wipe,
(ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't parse the KDC signature: %s\n",
nt_errstr(status)));
return status;
}
ndr_err = ndr_pull_struct_blob(srv_sig_blob, srv_sig_wipe,
iconv_convenience, srv_sig_wipe,
(ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't parse the SRV signature: %s\n",
nt_errstr(status)));
return status;
}
/* Now zero the decoded structure */
memset(kdc_sig_wipe->signature.data, '\0', kdc_sig_wipe->signature.length);
memset(srv_sig_wipe->signature.data, '\0', srv_sig_wipe->signature.length);
/* and reencode, back into the same place it came from */
ndr_err = ndr_push_struct_blob(kdc_sig_blob, pac_data_raw,
iconv_convenience,
kdc_sig_wipe,
(ndr_push_flags_fn_t)ndr_push_PAC_SIGNATURE_DATA);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't repack the KDC signature: %s\n",
nt_errstr(status)));
return status;
}
ndr_err = ndr_push_struct_blob(srv_sig_blob, pac_data_raw,
iconv_convenience,
srv_sig_wipe,
(ndr_push_flags_fn_t)ndr_push_PAC_SIGNATURE_DATA);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't repack the SRV signature: %s\n",
nt_errstr(status)));
return status;
}
/* push out the whole structure, but now with zero'ed signatures */
ndr_err = ndr_push_struct_blob(&modified_pac_blob, pac_data_raw,
iconv_convenience,
pac_data_raw,
(ndr_push_flags_fn_t)ndr_push_PAC_DATA_RAW);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't repack the RAW PAC: %s\n",
nt_errstr(status)));
return status;
}
/* verify by service_key */
ret = check_pac_checksum(mem_ctx,
modified_pac_blob, srv_sig_ptr,
context,
service_keyblock);
if (ret) {
DEBUG(1, ("PAC Decode: Failed to verify the service signature: %s\n",
smb_get_krb5_error_message(context, ret, mem_ctx)));
if (k5ret) {
*k5ret = ret;
}
return NT_STATUS_ACCESS_DENIED;
}
if (krbtgt_keyblock) {
ret = check_pac_checksum(mem_ctx,
srv_sig_ptr->signature, kdc_sig_ptr,
context, krbtgt_keyblock);
if (ret) {
DEBUG(1, ("PAC Decode: Failed to verify the KDC signature: %s\n",
smb_get_krb5_error_message(context, ret, mem_ctx)));
if (k5ret) {
*k5ret = ret;
}
return NT_STATUS_ACCESS_DENIED;
}
}
/* Convert to NT time, so as not to loose accuracy in comparison */
unix_to_nt_time(&tgs_authtime_nttime, tgs_authtime);
if (tgs_authtime_nttime != logon_name->logon_time) {
DEBUG(2, ("PAC Decode: Logon time mismatch between ticket and PAC!\n"));
DEBUG(2, ("PAC Decode: PAC: %s\n", nt_time_string(mem_ctx, logon_name->logon_time)));
DEBUG(2, ("PAC Decode: Ticket: %s\n", nt_time_string(mem_ctx, tgs_authtime_nttime)));
return NT_STATUS_ACCESS_DENIED;
}
ret = krb5_parse_name_flags(context, logon_name->account_name, KRB5_PRINCIPAL_PARSE_NO_REALM,
&client_principal_pac);
if (ret) {
DEBUG(2, ("Could not parse name from incoming PAC: [%s]: %s\n",
logon_name->account_name,
smb_get_krb5_error_message(context, ret, mem_ctx)));
if (k5ret) {
*k5ret = ret;
}
return NT_STATUS_INVALID_PARAMETER;
}
if (!krb5_principal_compare_any_realm(context, client_principal, client_principal_pac)) {
DEBUG(2, ("Name in PAC [%s] does not match principal name in ticket\n",
logon_name->account_name));
return NT_STATUS_ACCESS_DENIED;
}
#if 0
if (strcasecmp(logon_info->info3.base.account_name.string,
"Administrator")== 0) {
file_save("tmp_pac_data-admin.dat",blob.data,blob.length);
}
#endif
DEBUG(3,("Found account name from PAC: %s [%s]\n",
logon_info->info3.base.account_name.string,
logon_info->info3.base.full_name.string));
*pac_data_out = pac_data;
return NT_STATUS_OK;
}
/* Check with a known 'well formed' PAC, from my test server */
static bool torture_pac_saved_check(struct torture_context *tctx)
{
NTSTATUS nt_status;
enum ndr_err_code ndr_err;
DATA_BLOB tmp_blob, validate_blob;
struct PAC_DATA *pac_data, pac_data2;
struct PAC_LOGON_INFO *logon_info;
union netr_Validation validation;
const char *pac_file, *pac_kdc_key, *pac_member_key;
struct auth_user_info_dc *user_info_dc_out;
krb5_keyblock server_keyblock;
krb5_keyblock krbtgt_keyblock, *krbtgt_keyblock_p;
struct samr_Password *krbtgt_bytes, *krbsrv_bytes;
krb5_error_code ret;
struct smb_krb5_context *smb_krb5_context;
const char *principal_string;
char *broken_principal_string;
krb5_principal client_principal;
const char *authtime_string;
time_t authtime;
TALLOC_CTX *mem_ctx = tctx;
torture_assert(tctx, 0 == smb_krb5_init_context(mem_ctx, NULL,
tctx->lp_ctx,
&smb_krb5_context),
"smb_krb5_init_context");
pac_kdc_key = torture_setting_string(tctx, "pac_kdc_key",
"B286757148AF7FD252C53603A150B7E7");
pac_member_key = torture_setting_string(tctx, "pac_member_key",
"D217FAEAE5E6B5F95CCC94077AB8A5FC");
torture_comment(tctx, "Using pac_kdc_key '%s'\n", pac_kdc_key);
torture_comment(tctx, "Using pac_member_key '%s'\n", pac_member_key);
/* The krbtgt key in use when the above PAC was generated.
* This is an arcfour-hmac-md5 key, extracted with our 'net
* samdump' tool. */
if (*pac_kdc_key == 0) {
krbtgt_bytes = NULL;
} else {
krbtgt_bytes = smbpasswd_gethexpwd(mem_ctx, pac_kdc_key);
if (!krbtgt_bytes) {
torture_fail(tctx, "(saved test) Could not interpret krbtgt key");
}
}
krbsrv_bytes = smbpasswd_gethexpwd(mem_ctx, pac_member_key);
if (!krbsrv_bytes) {
torture_fail(tctx, "(saved test) Could not interpret krbsrv key");
}
ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
ENCTYPE_ARCFOUR_HMAC,
krbsrv_bytes->hash, sizeof(krbsrv_bytes->hash),
&server_keyblock);
torture_assert(tctx, !ret,
talloc_asprintf(tctx,
"(saved test) Server Keyblock encoding failed: %s",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
if (krbtgt_bytes) {
ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
ENCTYPE_ARCFOUR_HMAC,
krbtgt_bytes->hash, sizeof(krbtgt_bytes->hash),
&krbtgt_keyblock);
if (ret) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
torture_fail(tctx,
talloc_asprintf(tctx,
"(saved test) Server Keyblock encoding failed: %s",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
}
krbtgt_keyblock_p = &krbtgt_keyblock;
} else {
krbtgt_keyblock_p = NULL;
}
pac_file = torture_setting_string(tctx, "pac_file", NULL);
if (pac_file) {
tmp_blob.data = (uint8_t *)file_load(pac_file, &tmp_blob.length, 0, mem_ctx);
torture_comment(tctx, "(saved test) Loaded pac of size %ld from %s\n", (long)tmp_blob.length, pac_file);
} else {
tmp_blob = data_blob_talloc(mem_ctx, saved_pac, sizeof(saved_pac));
}
dump_data(10,tmp_blob.data,tmp_blob.length);
principal_string = torture_setting_string(tctx, "pac_client_principal",
"[email protected]");
authtime_string = torture_setting_string(tctx, "pac_authtime", "1120440609");
authtime = strtoull(authtime_string, NULL, 0);
ret = krb5_parse_name(smb_krb5_context->krb5_context, principal_string,
&client_principal);
if (ret) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
torture_fail(tctx,
talloc_asprintf(tctx,
"(saved test) parsing of client principal [%s] failed: %s",
principal_string,
smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx)));
}
/* Decode and verify the signaure on the PAC */
nt_status = kerberos_decode_pac(mem_ctx,
tmp_blob,
smb_krb5_context->krb5_context,
krbtgt_keyblock_p,
&server_keyblock,
client_principal, authtime, &pac_data);
if (!NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
torture_fail(tctx, talloc_asprintf(tctx,
"(saved test) PAC decoding failed: %s",
nt_errstr(nt_status)));
}
/* Now check we can read it back (using Heimdal's pac parsing) */
nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx,
tmp_blob,
smb_krb5_context->krb5_context,
&user_info_dc_out,
NULL, NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
torture_fail(tctx, talloc_asprintf(tctx,
"(saved test) Heimdal PAC decoding failed: %s",
nt_errstr(nt_status)));
}
if (!pac_file &&
!dom_sid_equal(dom_sid_parse_talloc(mem_ctx,
"S-1-5-21-3048156945-3961193616-3706469200-1005"),
user_info_dc_out->sids)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
torture_fail(tctx,
talloc_asprintf(tctx,
"(saved test) Heimdal PAC Decode resulted in *different* domain SID: %s != %s",
"S-1-5-21-3048156945-3961193616-3706469200-1005",
dom_sid_string(mem_ctx, user_info_dc_out->sids)));
}
talloc_free(user_info_dc_out);
/* Parse the PAC again, for the logon info this time (using Samba4's parsing) */
nt_status = kerberos_pac_logon_info(mem_ctx,
tmp_blob,
smb_krb5_context->krb5_context,
krbtgt_keyblock_p,
&server_keyblock,
client_principal, authtime, &logon_info);
if (!NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
torture_fail(tctx,
talloc_asprintf(tctx,
"(saved test) PAC decoding (for logon info) failed: %s",
nt_errstr(nt_status)));
}
validation.sam3 = &logon_info->info3;
nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
"",
3, &validation,
true, /* This user was authenticated */
&user_info_dc_out);
if (!NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
torture_fail(tctx,
talloc_asprintf(tctx,
"(saved test) PAC decoding (make server info) failed: %s",
nt_errstr(nt_status)));
}
if (!pac_file &&
!dom_sid_equal(dom_sid_parse_talloc(mem_ctx,
"S-1-5-21-3048156945-3961193616-3706469200-1005"),
user_info_dc_out->sids)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
torture_fail(tctx,
talloc_asprintf(tctx,
"(saved test) PAC Decode resulted in *different* domain SID: %s != %s",
"S-1-5-21-3048156945-3961193616-3706469200-1005",
dom_sid_string(mem_ctx, user_info_dc_out->sids)));
}
if (krbtgt_bytes == NULL) {
torture_comment(tctx, "skipping PAC encoding tests as non kdc key\n");
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
return true;
}
ret = kerberos_encode_pac(mem_ctx,
pac_data,
smb_krb5_context->krb5_context,
krbtgt_keyblock_p,
&server_keyblock,
&validate_blob);
if (ret != 0) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
torture_fail(tctx, "(saved test) PAC push failed");
}
dump_data(10, validate_blob.data, validate_blob.length);
/* compare both the length and the data bytes after a
* pull/push cycle. This ensures we use the exact same
* pointer, padding etc algorithms as win2k3.
*/
if (tmp_blob.length != validate_blob.length) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
torture_fail(tctx,
talloc_asprintf(tctx,
"(saved test) PAC push failed: original buffer length[%u] != created buffer length[%u]",
(unsigned)tmp_blob.length, (unsigned)validate_blob.length));
}
if (memcmp(tmp_blob.data, validate_blob.data, tmp_blob.length) != 0) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
DEBUG(0, ("tmp_data:\n"));
dump_data(0, tmp_blob.data, tmp_blob.length);
DEBUG(0, ("validate_blob:\n"));
dump_data(0, validate_blob.data, validate_blob.length);
torture_fail(tctx, talloc_asprintf(tctx, "(saved test) PAC push failed: length[%u] matches, but data does not", (unsigned)tmp_blob.length));
}
ret = kerberos_create_pac(mem_ctx,
user_info_dc_out,
smb_krb5_context->krb5_context,
krbtgt_keyblock_p,
&server_keyblock,
client_principal, authtime,
&validate_blob);
if (ret != 0) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
torture_fail(tctx, "(saved test) regnerated PAC create failed");
}
dump_data(10,validate_blob.data,validate_blob.length);
/* compare both the length and the data bytes after a
* pull/push cycle. This ensures we use the exact same
* pointer, padding etc algorithms as win2k3.
*/
if (tmp_blob.length != validate_blob.length) {
ndr_err = ndr_pull_struct_blob(&validate_blob, mem_ctx,
&pac_data2,
(ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
nt_status = ndr_map_error2ntstatus(ndr_err);
torture_assert_ntstatus_ok(tctx, nt_status, "can't parse the PAC");
NDR_PRINT_DEBUG(PAC_DATA, pac_data);
NDR_PRINT_DEBUG(PAC_DATA, &pac_data2);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
torture_fail(tctx, talloc_asprintf(tctx,
"(saved test) PAC regenerate failed: original buffer length[%u] != created buffer length[%u]",
(unsigned)tmp_blob.length, (unsigned)validate_blob.length));
}
if (memcmp(tmp_blob.data, validate_blob.data, tmp_blob.length) != 0) {
ndr_err = ndr_pull_struct_blob(&validate_blob, mem_ctx,
&pac_data2,
(ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
nt_status = ndr_map_error2ntstatus(ndr_err);
torture_assert_ntstatus_ok(tctx, nt_status, "can't parse the PAC");
NDR_PRINT_DEBUG(PAC_DATA, pac_data);
NDR_PRINT_DEBUG(PAC_DATA, &pac_data2);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
DEBUG(0, ("tmp_data:\n"));
dump_data(0, tmp_blob.data, tmp_blob.length);
DEBUG(0, ("validate_blob:\n"));
dump_data(0, validate_blob.data, validate_blob.length);
torture_fail(tctx, talloc_asprintf(tctx,
"(saved test) PAC regenerate failed: length[%u] matches, but data does not", (unsigned)tmp_blob.length));
}
/* Break the auth time, to ensure we check this vital detail (not setting this caused all the pain in the first place... */
nt_status = kerberos_decode_pac(mem_ctx,
tmp_blob,
smb_krb5_context->krb5_context,
krbtgt_keyblock_p,
&server_keyblock,
client_principal,
authtime + 1, &pac_data);
if (NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
torture_fail(tctx, "(saved test) PAC decoding DID NOT fail on broken auth time (time + 1)");
}
/* Break the client principal */
krb5_free_principal(smb_krb5_context->krb5_context, client_principal);
broken_principal_string = talloc_strdup(mem_ctx, principal_string);
broken_principal_string[0]++;
ret = krb5_parse_name(smb_krb5_context->krb5_context,
broken_principal_string, &client_principal);
if (ret) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
torture_fail(tctx, talloc_asprintf(tctx,
"(saved test) parsing of broken client principal failed: %s",
smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, mem_ctx)));
}
nt_status = kerberos_decode_pac(mem_ctx,
tmp_blob,
smb_krb5_context->krb5_context,
krbtgt_keyblock_p,
&server_keyblock,
client_principal,
authtime, &pac_data);
if (NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
torture_fail(tctx, "(saved test) PAC decoding DID NOT fail on modified principal");
}
/* Finally... Bugger up the signature, and check we fail the checksum */
tmp_blob.data[tmp_blob.length - 2]++;
nt_status = kerberos_decode_pac(mem_ctx,
tmp_blob,
smb_krb5_context->krb5_context,
krbtgt_keyblock_p,
&server_keyblock,
client_principal,
authtime,
&pac_data);
if (NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
torture_fail(tctx, "(saved test) PAC decoding DID NOT fail on broken checksum");
}
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
return true;
}
static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
struct auth_session_info **_session_info)
{
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
struct auth_session_info *session_info = NULL;
krb5_principal client_principal;
char *principal_string;
DATA_BLOB pac_blob, *pac_blob_ptr = NULL;
krb5_data pac_data;
krb5_error_code ret;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) {
return NT_STATUS_NO_MEMORY;
}
ret = krb5_ticket_get_client(context, gensec_krb5_state->ticket, &client_principal);
if (ret) {
DEBUG(5, ("krb5_ticket_get_client failed to get cleint principal: %s\n",
smb_get_krb5_error_message(context,
ret, tmp_ctx)));
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
ret = krb5_unparse_name(gensec_krb5_state->smb_krb5_context->krb5_context,
client_principal, &principal_string);
if (ret) {
DEBUG(1, ("Unable to parse client principal: %s\n",
smb_get_krb5_error_message(context,
ret, tmp_ctx)));
krb5_free_principal(context, client_principal);
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
ret = krb5_ticket_get_authorization_data_type(context, gensec_krb5_state->ticket,
KRB5_AUTHDATA_WIN2K_PAC,
&pac_data);
if (ret) {
/* NO pac */
DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n",
smb_get_krb5_error_message(context,
ret, tmp_ctx)));
} else {
/* Found pac */
pac_blob = data_blob_talloc(tmp_ctx, pac_data.data, pac_data.length);
if (!pac_blob.data) {
free(principal_string);
krb5_free_principal(context, client_principal);
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
/* decode and verify the pac */
nt_status = kerberos_decode_pac(gensec_krb5_state,
pac_blob,
gensec_krb5_state->smb_krb5_context->krb5_context,
NULL, gensec_krb5_state->keyblock,
client_principal,
gensec_krb5_state->ticket->ticket.authtime, NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
free(principal_string);
krb5_free_principal(context, client_principal);
talloc_free(tmp_ctx);
return nt_status;
}
pac_blob_ptr = &pac_blob;
}
nt_status = gensec_generate_session_info_pac(tmp_ctx,
gensec_security,
gensec_krb5_state->smb_krb5_context,
pac_blob_ptr, principal_string,
gensec_get_remote_address(gensec_security),
&session_info);
free(principal_string);
krb5_free_principal(context, client_principal);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
}
nt_status = gensec_krb5_session_key(gensec_security, session_info, &session_info->session_key);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
}
*_session_info = talloc_steal(mem_ctx, session_info);
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_security,
struct tevent_context *ev,
bool gssapi)
{
struct gensec_krb5_state *gensec_krb5_state;
krb5_error_code ret;
struct ccache_container *ccache_container;
const char *error_string;
const char *principal;
const char *hostname;
krb5_data in_data;
struct tevent_context *previous_ev;
gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
principal = gensec_get_target_principal(gensec_security);
hostname = gensec_get_target_hostname(gensec_security);
ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security),
ev,
gensec_security->settings->lp_ctx, &ccache_container, &error_string);
switch (ret) {
case 0:
break;
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
return NT_STATUS_LOGON_FAILURE;
case KRB5_KDC_UNREACH:
DEBUG(3, ("Cannot reach a KDC we require to contact %s: %s\n", principal, error_string));
return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
case KRB5_CC_NOTFOUND:
case KRB5_CC_END:
DEBUG(3, ("Error preparing credentials we require to contact %s : %s\n", principal, error_string));
return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
default:
DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials failed: %s\n", error_string));
return NT_STATUS_UNSUCCESSFUL;
}
in_data.length = 0;
/* Do this every time, in case we have weird recursive issues here */
ret = smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, ev, &previous_ev);
if (ret != 0) {
DEBUG(1, ("gensec_krb5_start: Setting event context failed\n"));
return NT_STATUS_NO_MEMORY;
}
if (principal) {
krb5_principal target_principal;
ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
&target_principal);
if (ret == 0) {
ret = krb5_mk_req_exact(gensec_krb5_state->smb_krb5_context->krb5_context,
&gensec_krb5_state->auth_context,
gensec_krb5_state->ap_req_options,
target_principal,
&in_data, ccache_container->ccache,
&gensec_krb5_state->enc_ticket);
krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
target_principal);
}
} else {
ret = krb5_mk_req(gensec_krb5_state->smb_krb5_context->krb5_context,
&gensec_krb5_state->auth_context,
gensec_krb5_state->ap_req_options,
gensec_get_target_service(gensec_security),
hostname,
&in_data, ccache_container->ccache,
&gensec_krb5_state->enc_ticket);
}
smb_krb5_context_remove_event_ctx(gensec_krb5_state->smb_krb5_context, previous_ev, ev);
switch (ret) {
case 0:
return NT_STATUS_OK;
case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n",
hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
case KRB5_KDC_UNREACH:
DEBUG(3, ("Cannot reach a KDC we require to contact host [%s]: %s\n",
hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5KRB_AP_ERR_TKT_EXPIRED:
case KRB5_CC_END:
/* Too much clock skew - we will need to kinit to re-skew the clock */
case KRB5KRB_AP_ERR_SKEW:
case KRB5_KDCREP_SKEW:
{
DEBUG(3, ("kerberos (mk_req) failed: %s\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
/*fall through*/
}
/* just don't print a message for these really ordinary messages */
case KRB5_FCC_NOFILE:
case KRB5_CC_NOTFOUND:
case ENOENT:
return NT_STATUS_UNSUCCESSFUL;
break;
default:
DEBUG(0, ("kerberos: %s\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
return NT_STATUS_UNSUCCESSFUL;
}
}
static krb5_error_code remove_old_entries(TALLOC_CTX *parent_ctx,
struct cli_credentials *machine_account,
struct smb_krb5_context *smb_krb5_context,
krb5_keytab keytab, BOOL *found_previous)
{
krb5_error_code ret, ret2;
krb5_kt_cursor cursor;
krb5_principal princ;
int kvno;
TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
const char *princ_string;
if (!mem_ctx) {
return ENOMEM;
}
*found_previous = False;
princ_string = cli_credentials_get_principal(machine_account, mem_ctx);
/* Get the principal we will store the new keytab entries under */
ret = principal_from_credentials(mem_ctx, machine_account, smb_krb5_context, &princ);
if (ret) {
DEBUG(1,("update_keytab: makeing krb5 principal failed (%s)\n",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
talloc_free(mem_ctx);
return ret;
}
kvno = cli_credentials_get_kvno(machine_account);
/* for each entry in the keytab */
ret = krb5_kt_start_seq_get(smb_krb5_context->krb5_context, keytab, &cursor);
switch (ret) {
case 0:
break;
case HEIM_ERR_OPNOTSUPP:
case ENOENT:
case KRB5_KT_END:
/* no point enumerating if there isn't anything here */
talloc_free(mem_ctx);
return 0;
default:
DEBUG(1,("failed to open keytab for read of old entries: %s\n",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
talloc_free(mem_ctx);
return ret;
}
while (!ret) {
krb5_keytab_entry entry;
ret = krb5_kt_next_entry(smb_krb5_context->krb5_context, keytab, &entry, &cursor);
if (ret) {
break;
}
/* if it matches our principal */
if (!krb5_kt_compare(smb_krb5_context->krb5_context, &entry, princ, 0, 0)) {
/* Free the entry, it wasn't the one we were looking for anyway */
krb5_kt_free_entry(smb_krb5_context->krb5_context, &entry);
continue;
}
/* delete it, if it is not kvno -1 */
if (entry.vno != (kvno - 1 )) {
/* Release the enumeration. We are going to
* have to start this from the top again,
* because deletes during enumeration may not
* always be consistant.
*
* Also, the enumeration locks a FILE: keytab
*/
krb5_kt_end_seq_get(smb_krb5_context->krb5_context, keytab, &cursor);
ret = krb5_kt_remove_entry(smb_krb5_context->krb5_context, keytab, &entry);
krb5_kt_free_entry(smb_krb5_context->krb5_context, &entry);
/* Deleted: Restart from the top */
ret2 = krb5_kt_start_seq_get(smb_krb5_context->krb5_context, keytab, &cursor);
if (ret2) {
krb5_kt_free_entry(smb_krb5_context->krb5_context, &entry);
DEBUG(1,("failed to restart enumeration of keytab: %s\n",
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
talloc_free(mem_ctx);
return ret2;
}
if (ret) {
break;
}
} else {
*found_previous = True;
}
/* Free the entry, we don't need it any more */
krb5_kt_free_entry(smb_krb5_context->krb5_context, &entry);
}
krb5_kt_end_seq_get(smb_krb5_context->krb5_context, keytab, &cursor);
switch (ret) {
case 0:
break;
case ENOENT:
case KRB5_KT_END:
ret = 0;
break;
default:
DEBUG(1,("failed in deleting old entries for principal: %s: %s\n",
princ_string,
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
}
talloc_free(mem_ctx);
return ret;
}
static krb5_error_code remove_old_entries(TALLOC_CTX *parent_ctx,
int kvno,
krb5_principal *principals,
bool delete_all_kvno,
krb5_context context,
krb5_keytab keytab,
bool *found_previous,
const char **error_string)
{
krb5_error_code ret, ret2;
krb5_kt_cursor cursor;
TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
if (!mem_ctx) {
return ENOMEM;
}
*found_previous = false;
/* for each entry in the keytab */
ret = krb5_kt_start_seq_get(context, keytab, &cursor);
switch (ret) {
case 0:
break;
#ifdef HEIM_ERR_OPNOTSUPP
case HEIM_ERR_OPNOTSUPP:
#endif
case ENOENT:
case KRB5_KT_END:
/* no point enumerating if there isn't anything here */
talloc_free(mem_ctx);
return 0;
default:
*error_string = talloc_asprintf(parent_ctx,
"failed to open keytab for read of old entries: %s\n",
smb_get_krb5_error_message(context, ret, mem_ctx));
talloc_free(mem_ctx);
return ret;
}
while (!ret) {
unsigned int i;
bool matched = false;
krb5_keytab_entry entry;
ret = krb5_kt_next_entry(context, keytab, &entry, &cursor);
if (ret) {
break;
}
for (i = 0; principals[i]; i++) {
/* if it matches our principal */
if (smb_krb5_kt_compare(context, &entry,
principals[i], 0, 0)) {
matched = true;
break;
}
}
if (!matched) {
/* Free the entry,
* it wasn't the one we were looking for anyway */
krb5_kt_free_entry(context, &entry);
continue;
}
/* delete it, if it is not kvno -1 */
if (entry.vno != (kvno - 1 )) {
/* Release the enumeration. We are going to
* have to start this from the top again,
* because deletes during enumeration may not
* always be consistent.
*
* Also, the enumeration locks a FILE: keytab
*/
krb5_kt_end_seq_get(context, keytab, &cursor);
ret = krb5_kt_remove_entry(context, keytab, &entry);
krb5_kt_free_entry(context, &entry);
/* Deleted: Restart from the top */
ret2 = krb5_kt_start_seq_get(context, keytab, &cursor);
if (ret2) {
krb5_kt_free_entry(context, &entry);
DEBUG(1, ("failed to restart enumeration of keytab: %s\n",
smb_get_krb5_error_message(context,
ret, mem_ctx)));
talloc_free(mem_ctx);
return ret2;
}
if (ret) {
break;
}
} else {
*found_previous = true;
}
/* Free the entry, we don't need it any more */
krb5_kt_free_entry(context, &entry);
}
krb5_kt_end_seq_get(context, keytab, &cursor);
switch (ret) {
case 0:
break;
case ENOENT:
case KRB5_KT_END:
ret = 0;
break;
default:
*error_string = talloc_asprintf(parent_ctx,
"failed in deleting old entries for principal: %s\n",
smb_get_krb5_error_message(context, ret, mem_ctx));
}
talloc_free(mem_ctx);
return ret;
}
static int cli_credentials_new_ccache(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
char *ccache_name,
struct ccache_container **_ccc,
const char **error_string)
{
bool must_free_cc_name = false;
krb5_error_code ret;
struct ccache_container *ccc = talloc(cred, struct ccache_container);
if (!ccc) {
return ENOMEM;
}
ret = cli_credentials_get_krb5_context(cred, lp_ctx,
&ccc->smb_krb5_context);
if (ret) {
talloc_free(ccc);
(*error_string) = talloc_asprintf(cred, "Failed to get krb5_context: %s",
error_message(ret));
return ret;
}
if (!talloc_reference(ccc, ccc->smb_krb5_context)) {
talloc_free(ccc);
(*error_string) = strerror(ENOMEM);
return ENOMEM;
}
if (!ccache_name) {
must_free_cc_name = true;
if (lpcfg_parm_bool(lp_ctx, NULL, "credentials", "krb5_cc_file", false)) {
ccache_name = talloc_asprintf(ccc, "FILE:/tmp/krb5_cc_samba_%u_%p",
(unsigned int)getpid(), ccc);
} else {
ccache_name = talloc_asprintf(ccc, "MEMORY:%p",
ccc);
}
if (!ccache_name) {
talloc_free(ccc);
(*error_string) = strerror(ENOMEM);
return ENOMEM;
}
}
ret = krb5_cc_resolve(ccc->smb_krb5_context->krb5_context, ccache_name,
&ccc->ccache);
if (ret) {
(*error_string) = talloc_asprintf(cred, "failed to resolve a krb5 ccache (%s): %s\n",
ccache_name,
smb_get_krb5_error_message(ccc->smb_krb5_context->krb5_context,
ret, ccc));
talloc_free(ccache_name);
talloc_free(ccc);
return ret;
}
if (strncasecmp(ccache_name, "MEMORY:", 7) == 0) {
talloc_set_destructor(ccc, free_mccache);
} else {
talloc_set_destructor(ccc, free_dccache);
}
if (must_free_cc_name) {
talloc_free(ccache_name);
}
*_ccc = ccc;
return 0;
}
static krb5_error_code principals_from_list(TALLOC_CTX *parent_ctx,
const char *samAccountName,
const char *realm,
const char **SPNs, int num_SPNs,
krb5_context context,
krb5_principal **principals_out,
const char **error_string)
{
unsigned int i;
krb5_error_code ret;
char *upper_realm;
TALLOC_CTX *tmp_ctx;
krb5_principal *principals = NULL;
tmp_ctx = talloc_new(parent_ctx);
if (!tmp_ctx) {
*error_string = "Cannot allocate tmp_ctx";
return ENOMEM;
}
if (!realm) {
*error_string = "Cannot make principal without a realm";
ret = EINVAL;
goto done;
}
upper_realm = strupper_talloc(tmp_ctx, realm);
if (!upper_realm) {
*error_string = "Cannot allocate full upper case realm";
ret = ENOMEM;
goto done;
}
principals = talloc_zero_array(tmp_ctx, krb5_principal,
num_SPNs ? (num_SPNs + 2) : 2);
for (i = 0; num_SPNs && i < num_SPNs; i++) {
ret = krb5_parse_name(context, SPNs[i], &principals[i]);
if (ret) {
*error_string = smb_get_krb5_error_message(context, ret,
parent_ctx);
goto done;
}
}
if (samAccountName) {
ret = smb_krb5_make_principal(context, &principals[i],
upper_realm, samAccountName,
NULL);
if (ret) {
*error_string = smb_get_krb5_error_message(context, ret,
parent_ctx);
goto done;
}
}
done:
if (ret) {
keytab_principals_free(context, principals);
} else {
*principals_out = talloc_steal(parent_ctx, principals);
}
talloc_free(tmp_ctx);
return ret;
}
_PUBLIC_ int cli_credentials_get_named_ccache(struct cli_credentials *cred,
struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
char *ccache_name,
struct ccache_container **ccc,
const char **error_string)
{
krb5_error_code ret;
enum credentials_obtained obtained;
if (cred->machine_account_pending) {
cli_credentials_set_machine_account(cred, lp_ctx);
}
if (cred->ccache_obtained >= cred->ccache_threshold &&
cred->ccache_obtained > CRED_UNINITIALISED) {
time_t lifetime;
bool expired = false;
ret = smb_krb5_cc_get_lifetime(cred->ccache->smb_krb5_context->krb5_context,
cred->ccache->ccache, &lifetime);
if (ret == KRB5_CC_END) {
/* If we have a particular ccache set, without
* an initial ticket, then assume there is a
* good reason */
} else if (ret == 0) {
if (lifetime == 0) {
DEBUG(3, ("Ticket in credentials cache for %s expired, will refresh\n",
cli_credentials_get_principal(cred, cred)));
expired = true;
} else if (lifetime < 300) {
DEBUG(3, ("Ticket in credentials cache for %s will shortly expire (%u secs), will refresh\n",
cli_credentials_get_principal(cred, cred), (unsigned int)lifetime));
expired = true;
}
} else {
(*error_string) = talloc_asprintf(cred, "failed to get ccache lifetime: %s\n",
smb_get_krb5_error_message(cred->ccache->smb_krb5_context->krb5_context,
ret, cred));
return ret;
}
DEBUG(5, ("Ticket in credentials cache for %s will expire in %u secs\n",
cli_credentials_get_principal(cred, cred), (unsigned int)lifetime));
if (!expired) {
*ccc = cred->ccache;
return 0;
}
}
if (cli_credentials_is_anonymous(cred)) {
(*error_string) = "Cannot get anonymous kerberos credentials";
return EINVAL;
}
ret = cli_credentials_new_ccache(cred, lp_ctx, ccache_name, ccc, error_string);
if (ret) {
return ret;
}
ret = kinit_to_ccache(cred, cred, (*ccc)->smb_krb5_context, event_ctx, (*ccc)->ccache, &obtained, error_string);
if (ret) {
return ret;
}
ret = cli_credentials_set_from_ccache(cred, *ccc,
obtained, error_string);
cred->ccache = *ccc;
cred->ccache_obtained = cred->principal_obtained;
if (ret) {
return ret;
}
cli_credentials_invalidate_client_gss_creds(cred, cred->ccache_obtained);
return 0;
}
static WERROR DsCrackNameSPNAlias(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
struct smb_krb5_context *smb_krb5_context,
uint32_t format_flags, enum drsuapi_DsNameFormat format_offered,
enum drsuapi_DsNameFormat format_desired,
const char *name, struct drsuapi_DsNameInfo1 *info1)
{
WERROR wret;
krb5_error_code ret;
krb5_principal principal;
const krb5_data *component;
const char *service, *dns_name;
char *new_service;
char *new_princ;
enum drsuapi_DsNameStatus namestatus;
/* parse principal */
ret = krb5_parse_name_flags(smb_krb5_context->krb5_context,
name, KRB5_PRINCIPAL_PARSE_NO_REALM, &principal);
if (ret) {
DEBUG(2, ("Could not parse principal: %s: %s\n",
name, smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
return WERR_NOMEM;
}
/* grab cifs/, http/ etc */
/* This is checked for in callers, but be safe */
if (krb5_princ_size(smb_krb5_context->krb5_context, principal) < 2) {
info1->status = DRSUAPI_DS_NAME_STATUS_NOT_FOUND;
krb5_free_principal(smb_krb5_context->krb5_context, principal);
return WERR_OK;
}
component = krb5_princ_component(smb_krb5_context->krb5_context,
principal, 0);
service = (const char *)component->data;
component = krb5_princ_component(smb_krb5_context->krb5_context,
principal, 1);
dns_name = (const char *)component->data;
/* MAP it */
namestatus = LDB_lookup_spn_alias(smb_krb5_context->krb5_context,
sam_ctx, mem_ctx,
service, &new_service);
if (namestatus == DRSUAPI_DS_NAME_STATUS_NOT_FOUND) {
wret = WERR_OK;
info1->status = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
info1->dns_domain_name = talloc_strdup(mem_ctx, dns_name);
if (!info1->dns_domain_name) {
wret = WERR_NOMEM;
}
krb5_free_principal(smb_krb5_context->krb5_context, principal);
return wret;
} else if (namestatus != DRSUAPI_DS_NAME_STATUS_OK) {
info1->status = namestatus;
krb5_free_principal(smb_krb5_context->krb5_context, principal);
return WERR_OK;
}
/* reform principal */
new_princ = talloc_asprintf(mem_ctx, "%s/%s", new_service, dns_name);
if (!new_princ) {
krb5_free_principal(smb_krb5_context->krb5_context, principal);
return WERR_NOMEM;
}
wret = DsCrackNameOneName(sam_ctx, mem_ctx, format_flags, format_offered, format_desired,
new_princ, info1);
talloc_free(new_princ);
if (W_ERROR_IS_OK(wret) && (info1->status == DRSUAPI_DS_NAME_STATUS_NOT_FOUND)) {
info1->status = DRSUAPI_DS_NAME_STATUS_DOMAIN_ONLY;
info1->dns_domain_name = talloc_strdup(mem_ctx, dns_name);
if (!info1->dns_domain_name) {
wret = WERR_NOMEM;
}
}
krb5_free_principal(smb_krb5_context->krb5_context, principal);
return wret;
}
static krb5_error_code salt_principal_from_msg(TALLOC_CTX *parent_ctx,
struct ldb_message *msg,
struct smb_krb5_context *smb_krb5_context,
krb5_principal *salt_princ,
const char **error_string)
{
const char *salt_principal = ldb_msg_find_attr_as_string(msg, "saltPrincipal", NULL);
const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
const char *realm = ldb_msg_find_attr_as_string(msg, "realm", NULL);
if (salt_principal) {
return parse_principal(parent_ctx, salt_principal, smb_krb5_context, salt_princ, error_string);
} else if (samAccountName) {
krb5_error_code ret;
char *machine_username;
char *salt_body;
char *lower_realm;
char *upper_realm;
TALLOC_CTX *tmp_ctx;
struct principal_container *mem_ctx = talloc(parent_ctx, struct principal_container);
if (!mem_ctx) {
*error_string = "Cannot allocate mem_ctx";
return ENOMEM;
}
tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) {
talloc_free(mem_ctx);
*error_string = "Cannot allocate tmp_ctx";
return ENOMEM;
}
if (!realm) {
*error_string = "Cannot have a kerberos secret in secrets.ldb without a realm";
return EINVAL;
}
machine_username = talloc_strdup(tmp_ctx, samAccountName);
if (!machine_username) {
talloc_free(mem_ctx);
*error_string = "Cannot duplicate samAccountName";
return ENOMEM;
}
if (machine_username[strlen(machine_username)-1] == '$') {
machine_username[strlen(machine_username)-1] = '\0';
}
lower_realm = strlower_talloc(tmp_ctx, realm);
if (!lower_realm) {
talloc_free(mem_ctx);
*error_string = "Cannot allocate to lower case realm";
return ENOMEM;
}
upper_realm = strupper_talloc(tmp_ctx, realm);
if (!upper_realm) {
talloc_free(mem_ctx);
*error_string = "Cannot allocate to upper case realm";
return ENOMEM;
}
salt_body = talloc_asprintf(tmp_ctx, "%s.%s", machine_username,
lower_realm);
talloc_free(lower_realm);
talloc_free(machine_username);
if (!salt_body) {
talloc_free(mem_ctx);
*error_string = "Cannot form salt principal body";
return ENOMEM;
}
ret = krb5_make_principal(smb_krb5_context->krb5_context, salt_princ,
upper_realm,
"host", salt_body, NULL);
if (ret == 0) {
/* This song-and-dance effectivly puts the principal
* into talloc, so we can't loose it. */
mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
mem_ctx->principal = *salt_princ;
talloc_set_destructor(mem_ctx, free_principal);
} else {
(*error_string) = smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, parent_ctx);
}
talloc_free(tmp_ctx);
return ret;
} else {
static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
const DATA_BLOB in, DATA_BLOB *out)
{
struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
krb5_error_code ret = 0;
NTSTATUS nt_status;
switch (gensec_krb5_state->state_position) {
case GENSEC_KRB5_CLIENT_START:
{
DATA_BLOB unwrapped_out;
if (gensec_krb5_state->gssapi) {
unwrapped_out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length);
/* wrap that up in a nice GSS-API wrapping */
*out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REQ);
} else {
*out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->enc_ticket.data, gensec_krb5_state->enc_ticket.length);
}
if (gensec_krb5_state->ap_req_options & AP_OPTS_MUTUAL_REQUIRED) {
gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH;
nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
} else {
gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
nt_status = NT_STATUS_OK;
}
return nt_status;
}
case GENSEC_KRB5_CLIENT_MUTUAL_AUTH:
{
DATA_BLOB unwrapped_in;
krb5_data inbuf;
krb5_ap_rep_enc_part *repl = NULL;
uint8_t tok_id[2];
if (gensec_krb5_state->gssapi) {
if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
DEBUG(1,("gensec_gssapi_parse_krb5_wrap(mutual authentication) failed to parse\n"));
dump_data_pw("Mutual authentication message:\n", in.data, in.length);
return NT_STATUS_INVALID_PARAMETER;
}
} else {
unwrapped_in = in;
}
/* TODO: check the tok_id */
inbuf.data = unwrapped_in.data;
inbuf.length = unwrapped_in.length;
ret = krb5_rd_rep(gensec_krb5_state->smb_krb5_context->krb5_context,
gensec_krb5_state->auth_context,
&inbuf, &repl);
if (ret) {
DEBUG(1,("krb5_rd_rep (mutual authentication) failed (%s)\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, out_mem_ctx)));
dump_data_pw("Mutual authentication message:\n", (uint8_t *)inbuf.data, inbuf.length);
nt_status = NT_STATUS_ACCESS_DENIED;
} else {
*out = data_blob(NULL, 0);
nt_status = NT_STATUS_OK;
gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
}
if (repl) {
krb5_free_ap_rep_enc_part(gensec_krb5_state->smb_krb5_context->krb5_context, repl);
}
return nt_status;
}
case GENSEC_KRB5_SERVER_START:
{
DATA_BLOB unwrapped_in;
DATA_BLOB unwrapped_out = data_blob(NULL, 0);
krb5_data inbuf, outbuf;
uint8_t tok_id[2];
struct keytab_container *keytab;
krb5_principal server_in_keytab;
const char *error_string;
enum credentials_obtained obtained;
if (!in.data) {
return NT_STATUS_INVALID_PARAMETER;
}
/* Grab the keytab, however generated */
ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security),
gensec_security->settings->lp_ctx, &keytab);
if (ret) {
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
/* This ensures we lookup the correct entry in that keytab */
ret = principal_from_credentials(out_mem_ctx, gensec_get_credentials(gensec_security),
gensec_krb5_state->smb_krb5_context,
&server_in_keytab, &obtained, &error_string);
if (ret) {
DEBUG(2,("Failed to make credentials from principal: %s\n", error_string));
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
/* Parse the GSSAPI wrapping, if it's there... (win2k3 allows it to be omited) */
if (gensec_krb5_state->gssapi
&& gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
inbuf.data = unwrapped_in.data;
inbuf.length = unwrapped_in.length;
} else {
inbuf.data = in.data;
inbuf.length = in.length;
}
ret = smb_rd_req_return_stuff(gensec_krb5_state->smb_krb5_context->krb5_context,
&gensec_krb5_state->auth_context,
&inbuf, keytab->keytab, server_in_keytab,
&outbuf,
&gensec_krb5_state->ticket,
&gensec_krb5_state->keyblock);
if (ret) {
return NT_STATUS_LOGON_FAILURE;
}
unwrapped_out.data = (uint8_t *)outbuf.data;
unwrapped_out.length = outbuf.length;
gensec_krb5_state->state_position = GENSEC_KRB5_DONE;
/* wrap that up in a nice GSS-API wrapping */
if (gensec_krb5_state->gssapi) {
*out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REP);
} else {
*out = data_blob_talloc(out_mem_ctx, outbuf.data, outbuf.length);
}
krb5_data_free(&outbuf);
return NT_STATUS_OK;
}
case GENSEC_KRB5_DONE:
default:
/* Asking too many times... */
return NT_STATUS_INVALID_PARAMETER;
}
}
static krb5_error_code principals_from_msg(TALLOC_CTX *parent_ctx,
struct ldb_message *msg,
struct smb_krb5_context *smb_krb5_context,
struct principal_container ***principals_out,
const char **error_string)
{
unsigned int i;
krb5_error_code ret;
char *upper_realm;
const char *realm = ldb_msg_find_attr_as_string(msg, "realm", NULL);
const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
struct ldb_message_element *spn_el = ldb_msg_find_element(msg, "servicePrincipalName");
TALLOC_CTX *tmp_ctx;
struct principal_container **principals;
tmp_ctx = talloc_new(parent_ctx);
if (!tmp_ctx) {
*error_string = "Cannot allocate tmp_ctx";
return ENOMEM;
}
if (!realm) {
*error_string = "Cannot have a kerberos secret in secrets.ldb without a realm";
return EINVAL;
}
upper_realm = strupper_talloc(tmp_ctx, realm);
if (!upper_realm) {
talloc_free(tmp_ctx);
*error_string = "Cannot allocate full upper case realm";
return ENOMEM;
}
principals = talloc_array(tmp_ctx, struct principal_container *, spn_el ? (spn_el->num_values + 2) : 2);
spn_el = ldb_msg_find_element(msg, "servicePrincipalName");
for (i=0; spn_el && i < spn_el->num_values; i++) {
principals[i] = talloc(principals, struct principal_container);
if (!principals[i]) {
talloc_free(tmp_ctx);
*error_string = "Cannot allocate mem_ctx";
return ENOMEM;
}
principals[i]->smb_krb5_context = talloc_reference(principals[i], smb_krb5_context);
principals[i]->string_form = talloc_asprintf(principals[i], "%*.*s@%s",
(int)spn_el->values[i].length,
(int)spn_el->values[i].length,
(const char *)spn_el->values[i].data, upper_realm);
if (!principals[i]->string_form) {
talloc_free(tmp_ctx);
*error_string = "Cannot allocate full samAccountName";
return ENOMEM;
}
ret = krb5_parse_name(smb_krb5_context->krb5_context,
principals[i]->string_form, &principals[i]->principal);
if (ret) {
talloc_free(tmp_ctx);
(*error_string) = smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, parent_ctx);
return ret;
}
/* This song-and-dance effectivly puts the principal
* into talloc, so we can't loose it. */
talloc_set_destructor(principals[i], free_principal);
}
if (samAccountName) {
principals[i] = talloc(principals, struct principal_container);
if (!principals[i]) {
talloc_free(tmp_ctx);
*error_string = "Cannot allocate mem_ctx";
return ENOMEM;
}
principals[i]->smb_krb5_context = talloc_reference(principals[i], smb_krb5_context);
principals[i]->string_form = talloc_asprintf(parent_ctx, "%s@%s", samAccountName, upper_realm);
if (!principals[i]->string_form) {
talloc_free(tmp_ctx);
*error_string = "Cannot allocate full samAccountName";
return ENOMEM;
}
ret = krb5_make_principal(smb_krb5_context->krb5_context, &principals[i]->principal, upper_realm, samAccountName,
NULL);
if (ret) {
talloc_free(tmp_ctx);
(*error_string) = smb_get_krb5_error_message(smb_krb5_context->krb5_context, ret, parent_ctx);
return ret;
}
/* This song-and-dance effectivly puts the principal
* into talloc, so we can't loose it. */
talloc_set_destructor(principals[i], free_principal);
i++;
}
principals[i] = NULL;
*principals_out = talloc_steal(parent_ctx, principals);
talloc_free(tmp_ctx);
return ret;
}
static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool gssapi)
{
krb5_error_code ret;
struct gensec_krb5_state *gensec_krb5_state;
struct cli_credentials *creds;
const struct tsocket_address *tlocal_addr, *tremote_addr;
krb5_address my_krb5_addr, peer_krb5_addr;
creds = gensec_get_credentials(gensec_security);
if (!creds) {
return NT_STATUS_INVALID_PARAMETER;
}
gensec_krb5_state = talloc(gensec_security, struct gensec_krb5_state);
if (!gensec_krb5_state) {
return NT_STATUS_NO_MEMORY;
}
gensec_security->private_data = gensec_krb5_state;
gensec_krb5_state->smb_krb5_context = NULL;
gensec_krb5_state->auth_context = NULL;
gensec_krb5_state->ticket = NULL;
ZERO_STRUCT(gensec_krb5_state->enc_ticket);
gensec_krb5_state->keyblock = NULL;
gensec_krb5_state->gssapi = gssapi;
talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy);
if (cli_credentials_get_krb5_context(creds,
gensec_security->settings->lp_ctx, &gensec_krb5_state->smb_krb5_context)) {
talloc_free(gensec_krb5_state);
return NT_STATUS_INTERNAL_ERROR;
}
ret = krb5_auth_con_init(gensec_krb5_state->smb_krb5_context->krb5_context, &gensec_krb5_state->auth_context);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_auth_con_init failed (%s)\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
ret, gensec_krb5_state)));
talloc_free(gensec_krb5_state);
return NT_STATUS_INTERNAL_ERROR;
}
ret = krb5_auth_con_setflags(gensec_krb5_state->smb_krb5_context->krb5_context,
gensec_krb5_state->auth_context,
KRB5_AUTH_CONTEXT_DO_SEQUENCE);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_auth_con_setflags failed (%s)\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
ret, gensec_krb5_state)));
talloc_free(gensec_krb5_state);
return NT_STATUS_INTERNAL_ERROR;
}
tlocal_addr = gensec_get_local_address(gensec_security);
if (tlocal_addr) {
ssize_t socklen;
struct sockaddr_storage ss;
socklen = tsocket_address_bsd_sockaddr(tlocal_addr,
(struct sockaddr *) &ss,
sizeof(struct sockaddr_storage));
if (socklen < 0) {
talloc_free(gensec_krb5_state);
return NT_STATUS_INTERNAL_ERROR;
}
ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
(const struct sockaddr *) &ss, &my_krb5_addr);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
ret, gensec_krb5_state)));
talloc_free(gensec_krb5_state);
return NT_STATUS_INTERNAL_ERROR;
}
}
tremote_addr = gensec_get_remote_address(gensec_security);
if (tremote_addr) {
ssize_t socklen;
struct sockaddr_storage ss;
socklen = tsocket_address_bsd_sockaddr(tremote_addr,
(struct sockaddr *) &ss,
sizeof(struct sockaddr_storage));
if (socklen < 0) {
talloc_free(gensec_krb5_state);
return NT_STATUS_INTERNAL_ERROR;
}
ret = krb5_sockaddr2address(gensec_krb5_state->smb_krb5_context->krb5_context,
(const struct sockaddr *) &ss, &peer_krb5_addr);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_sockaddr2address (local) failed (%s)\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
ret, gensec_krb5_state)));
talloc_free(gensec_krb5_state);
return NT_STATUS_INTERNAL_ERROR;
}
}
ret = krb5_auth_con_setaddrs(gensec_krb5_state->smb_krb5_context->krb5_context,
gensec_krb5_state->auth_context,
tlocal_addr ? &my_krb5_addr : NULL,
tremote_addr ? &peer_krb5_addr : NULL);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_auth_con_setaddrs failed (%s)\n",
smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context,
ret, gensec_krb5_state)));
talloc_free(gensec_krb5_state);
return NT_STATUS_INTERNAL_ERROR;
}
return NT_STATUS_OK;
}
static krb5_error_code salt_principal(TALLOC_CTX *parent_ctx,
const char *samAccountName,
const char *realm,
const char *saltPrincipal,
krb5_context context,
krb5_principal *salt_princ,
const char **error_string)
{
krb5_error_code ret;
char *machine_username;
char *salt_body;
char *lower_realm;
char *upper_realm;
TALLOC_CTX *tmp_ctx;
if (saltPrincipal) {
ret = krb5_parse_name(context, saltPrincipal, salt_princ);
if (ret) {
*error_string = smb_get_krb5_error_message(
context, ret, parent_ctx);
}
return ret;
}
if (!samAccountName) {
(*error_string) = "Cannot determine salt principal, no "
"saltPrincipal or samAccountName specified";
return EINVAL;
}
if (!realm) {
*error_string = "Cannot make principal without a realm";
return EINVAL;
}
tmp_ctx = talloc_new(parent_ctx);
if (!tmp_ctx) {
*error_string = "Cannot allocate tmp_ctx";
return ENOMEM;
}
machine_username = talloc_strdup(tmp_ctx, samAccountName);
if (!machine_username) {
*error_string = "Cannot duplicate samAccountName";
talloc_free(tmp_ctx);
return ENOMEM;
}
if (machine_username[strlen(machine_username)-1] == '$') {
machine_username[strlen(machine_username)-1] = '\0';
}
lower_realm = strlower_talloc(tmp_ctx, realm);
if (!lower_realm) {
*error_string = "Cannot allocate to lower case realm";
talloc_free(tmp_ctx);
return ENOMEM;
}
upper_realm = strupper_talloc(tmp_ctx, realm);
if (!upper_realm) {
*error_string = "Cannot allocate to upper case realm";
talloc_free(tmp_ctx);
return ENOMEM;
}
salt_body = talloc_asprintf(tmp_ctx, "%s.%s",
machine_username, lower_realm);
if (!salt_body) {
*error_string = "Cannot form salt principal body";
talloc_free(tmp_ctx);
return ENOMEM;
}
ret = smb_krb5_make_principal(context, salt_princ, upper_realm,
"host", salt_body, NULL);
if (ret) {
*error_string = smb_get_krb5_error_message(context,
ret, parent_ctx);
}
talloc_free(tmp_ctx);
return ret;
}
krb5_error_code smb_krb5_init_context(void *parent_ctx,
struct loadparm_context *lp_ctx,
struct smb_krb5_context **smb_krb5_context)
{
krb5_error_code ret;
TALLOC_CTX *tmp_ctx;
krb5_context kctx;
#ifdef SAMBA4_USES_HEIMDAL
krb5_log_facility *logf;
#endif
initialize_krb5_error_table();
tmp_ctx = talloc_new(parent_ctx);
*smb_krb5_context = talloc_zero(tmp_ctx, struct smb_krb5_context);
if (!*smb_krb5_context || !tmp_ctx) {
talloc_free(tmp_ctx);
return ENOMEM;
}
ret = smb_krb5_init_context_basic(tmp_ctx, lp_ctx, &kctx);
if (ret) {
DEBUG(1,("smb_krb5_context_init_basic failed (%s)\n",
error_message(ret)));
talloc_free(tmp_ctx);
return ret;
}
(*smb_krb5_context)->krb5_context = kctx;
talloc_set_destructor(*smb_krb5_context, smb_krb5_context_destroy);
#ifdef SAMBA4_USES_HEIMDAL
/* TODO: Should we have a different name here? */
ret = krb5_initlog(kctx, "Samba", &logf);
if (ret) {
DEBUG(1,("krb5_initlog failed (%s)\n",
smb_get_krb5_error_message(kctx, ret, tmp_ctx)));
talloc_free(tmp_ctx);
return ret;
}
(*smb_krb5_context)->pvt_log_data = logf;
ret = krb5_addlog_func(kctx, logf, 0 /* min */, -1 /* max */,
smb_krb5_debug_wrapper,
smb_krb5_debug_close, NULL);
if (ret) {
DEBUG(1,("krb5_addlog_func failed (%s)\n",
smb_get_krb5_error_message(kctx, ret, tmp_ctx)));
talloc_free(tmp_ctx);
return ret;
}
krb5_set_warn_dest(kctx, logf);
/* Set options in kerberos */
krb5_set_dns_canonicalize_hostname(kctx,
lpcfg_parm_bool(lp_ctx, NULL, "krb5",
"set_dns_canonicalize", false));
#endif
talloc_steal(parent_ctx, *smb_krb5_context);
talloc_free(tmp_ctx);
return 0;
}
static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
krb5_principal *principals,
krb5_principal salt_princ,
int kvno,
const char *password_s,
krb5_context context,
krb5_enctype *enctypes,
krb5_keytab keytab,
const char **error_string)
{
unsigned int i, p;
krb5_error_code ret;
krb5_data password;
char *unparsed;
password.data = discard_const_p(char, password_s);
password.length = strlen(password_s);
for (i = 0; enctypes[i]; i++) {
krb5_keytab_entry entry;
ZERO_STRUCT(entry);
ret = smb_krb5_create_key_from_string(context,
&salt_princ,
NULL,
&password,
enctypes[i],
KRB5_KT_KEY(&entry));
if (ret != 0) {
return ret;
}
entry.vno = kvno;
for (p = 0; principals[p]; p++) {
unparsed = NULL;
entry.principal = principals[p];
ret = krb5_kt_add_entry(context, keytab, &entry);
if (ret != 0) {
char *k5_error_string =
smb_get_krb5_error_message(context,
ret, NULL);
krb5_unparse_name(context,
principals[p], &unparsed);
*error_string = talloc_asprintf(parent_ctx,
"Failed to add enctype %d entry for "
"%s(kvno %d) to keytab: %s\n",
(int)enctypes[i], unparsed,
kvno, k5_error_string);
free(unparsed);
talloc_free(k5_error_string);
krb5_free_keyblock_contents(context,
KRB5_KT_KEY(&entry));
return ret;
}
DEBUG(5, ("Added key (kvno %d) to keytab (enctype %d)\n",
kvno, (int)enctypes[i]));
}
krb5_free_keyblock_contents(context, KRB5_KT_KEY(&entry));
}
return 0;
}
krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx,
struct PAC_DATA *pac_data,
krb5_context context,
const krb5_keyblock *krbtgt_keyblock,
const krb5_keyblock *service_keyblock,
DATA_BLOB *pac)
{
NTSTATUS nt_status;
krb5_error_code ret;
enum ndr_err_code ndr_err;
DATA_BLOB zero_blob = data_blob(NULL, 0);
DATA_BLOB tmp_blob = data_blob(NULL, 0);
struct PAC_SIGNATURE_DATA *kdc_checksum = NULL;
struct PAC_SIGNATURE_DATA *srv_checksum = NULL;
int i;
/* First, just get the keytypes filled in (and lengths right, eventually) */
for (i=0; i < pac_data->num_buffers; i++) {
if (pac_data->buffers[i].type != PAC_TYPE_KDC_CHECKSUM) {
continue;
}
kdc_checksum = &pac_data->buffers[i].info->kdc_cksum,
ret = smb_krb5_make_pac_checksum(mem_ctx,
&zero_blob,
context,
krbtgt_keyblock,
&kdc_checksum->type,
&kdc_checksum->signature);
if (ret) {
DEBUG(2, ("making krbtgt PAC checksum failed: %s\n",
smb_get_krb5_error_message(context, ret, mem_ctx)));
talloc_free(pac_data);
return ret;
}
}
for (i=0; i < pac_data->num_buffers; i++) {
if (pac_data->buffers[i].type != PAC_TYPE_SRV_CHECKSUM) {
continue;
}
srv_checksum = &pac_data->buffers[i].info->srv_cksum;
ret = smb_krb5_make_pac_checksum(mem_ctx,
&zero_blob,
context,
service_keyblock,
&srv_checksum->type,
&srv_checksum->signature);
if (ret) {
DEBUG(2, ("making service PAC checksum failed: %s\n",
smb_get_krb5_error_message(context, ret, mem_ctx)));
talloc_free(pac_data);
return ret;
}
}
if (!kdc_checksum) {
DEBUG(2, ("Invalid PAC constructed for signing, no KDC checksum present!"));
return EINVAL;
}
if (!srv_checksum) {
DEBUG(2, ("Invalid PAC constructed for signing, no SRV checksum present!"));
return EINVAL;
}
/* But wipe out the actual signatures */
memset(kdc_checksum->signature.data, '\0', kdc_checksum->signature.length);
memset(srv_checksum->signature.data, '\0', srv_checksum->signature.length);
ndr_err = ndr_push_struct_blob(&tmp_blob, mem_ctx,
pac_data,
(ndr_push_flags_fn_t)ndr_push_PAC_DATA);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
nt_status = ndr_map_error2ntstatus(ndr_err);
DEBUG(1, ("PAC (presig) push failed: %s\n", nt_errstr(nt_status)));
talloc_free(pac_data);
return EINVAL;
}
/* Then sign the result of the previous push, where the sig was zero'ed out */
ret = smb_krb5_make_pac_checksum(mem_ctx,
&tmp_blob,
context,
service_keyblock,
&srv_checksum->type,
&srv_checksum->signature);
/* Then sign Server checksum */
ret = smb_krb5_make_pac_checksum(mem_ctx,
&srv_checksum->signature,
context,
krbtgt_keyblock,
&kdc_checksum->type,
&kdc_checksum->signature);
if (ret) {
DEBUG(2, ("making krbtgt PAC checksum failed: %s\n",
smb_get_krb5_error_message(context, ret, mem_ctx)));
talloc_free(pac_data);
return ret;
}
/* And push it out again, this time to the world. This relies on determanistic pointer values */
ndr_err = ndr_push_struct_blob(&tmp_blob, mem_ctx,
pac_data,
(ndr_push_flags_fn_t)ndr_push_PAC_DATA);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
nt_status = ndr_map_error2ntstatus(ndr_err);
DEBUG(1, ("PAC (final) push failed: %s\n", nt_errstr(nt_status)));
talloc_free(pac_data);
return EINVAL;
}
*pac = tmp_blob;
return ret;
}
static krb5_error_code create_keytab(TALLOC_CTX *parent_ctx,
const char *samAccountName,
const char *realm,
const char *saltPrincipal,
int kvno,
const char *new_secret,
const char *old_secret,
uint32_t supp_enctypes,
krb5_principal *principals,
krb5_context context,
krb5_keytab keytab,
bool add_old,
const char **error_string)
{
krb5_error_code ret;
krb5_principal salt_princ = NULL;
krb5_enctype *enctypes;
TALLOC_CTX *mem_ctx;
if (!new_secret) {
/* There is no password here, so nothing to do */
return 0;
}
mem_ctx = talloc_new(parent_ctx);
if (!mem_ctx) {
*error_string = talloc_strdup(parent_ctx,
"unable to allocate tmp_ctx for create_keytab");
return ENOMEM;
}
/* The salt used to generate these entries may be different however,
* fetch that */
ret = salt_principal(mem_ctx, samAccountName, realm, saltPrincipal,
context, &salt_princ, error_string);
if (ret) {
talloc_free(mem_ctx);
return ret;
}
ret = ms_suptypes_to_ietf_enctypes(mem_ctx, supp_enctypes, &enctypes);
if (ret) {
*error_string = talloc_asprintf(parent_ctx,
"create_keytab: generating list of "
"encryption types failed (%s)\n",
smb_get_krb5_error_message(context,
ret, mem_ctx));
goto done;
}
ret = keytab_add_keys(mem_ctx, principals,
salt_princ, kvno, new_secret,
context, enctypes, keytab, error_string);
if (ret) {
talloc_steal(parent_ctx, *error_string);
goto done;
}
if (old_secret && add_old && kvno != 0) {
ret = keytab_add_keys(mem_ctx, principals,
salt_princ, kvno - 1, old_secret,
context, enctypes, keytab, error_string);
if (ret) {
talloc_steal(parent_ctx, *error_string);
}
}
done:
krb5_free_principal(context, salt_princ);
talloc_free(mem_ctx);
return ret;
}
/**
* @brief Decode a blob containing a NDR envoded PAC structure
*
* @param mem_ctx - The memory context
* @param pac_data_blob - The data blob containing the NDR encoded data
* @param context - The Kerberos Context
* @param service_keyblock - The Service Key used to verify the checksum
* @param client_principal - The client principal
* @param tgs_authtime - The ticket timestamp
* @param pac_data_out - [out] The decoded PAC
*
* @return - A NTSTATUS error code
*/
NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
DATA_BLOB pac_data_blob,
krb5_context context,
const krb5_keyblock *krbtgt_keyblock,
const krb5_keyblock *service_keyblock,
krb5_const_principal client_principal,
time_t tgs_authtime,
struct PAC_DATA **pac_data_out)
{
NTSTATUS status;
enum ndr_err_code ndr_err;
krb5_error_code ret;
DATA_BLOB modified_pac_blob;
NTTIME tgs_authtime_nttime;
krb5_principal client_principal_pac = NULL;
int i;
struct PAC_SIGNATURE_DATA *srv_sig_ptr = NULL;
struct PAC_SIGNATURE_DATA *kdc_sig_ptr = NULL;
struct PAC_SIGNATURE_DATA *srv_sig_wipe = NULL;
struct PAC_SIGNATURE_DATA *kdc_sig_wipe = NULL;
struct PAC_LOGON_NAME *logon_name = NULL;
struct PAC_LOGON_INFO *logon_info = NULL;
struct PAC_DATA *pac_data = NULL;
struct PAC_DATA_RAW *pac_data_raw = NULL;
DATA_BLOB *srv_sig_blob = NULL;
DATA_BLOB *kdc_sig_blob = NULL;
bool bool_ret;
*pac_data_out = NULL;
pac_data = talloc(mem_ctx, struct PAC_DATA);
pac_data_raw = talloc(mem_ctx, struct PAC_DATA_RAW);
kdc_sig_wipe = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
srv_sig_wipe = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
if (!pac_data_raw || !pac_data || !kdc_sig_wipe || !srv_sig_wipe) {
return NT_STATUS_NO_MEMORY;
}
ndr_err = ndr_pull_struct_blob(&pac_data_blob, pac_data, pac_data,
(ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't parse the PAC: %s\n",
nt_errstr(status)));
return status;
}
if (pac_data->num_buffers < 4) {
/* we need logon_ingo, service_key and kdc_key */
DEBUG(0,("less than 4 PAC buffers\n"));
return NT_STATUS_INVALID_PARAMETER;
}
ndr_err = ndr_pull_struct_blob(
&pac_data_blob, pac_data_raw, pac_data_raw,
(ndr_pull_flags_fn_t)ndr_pull_PAC_DATA_RAW);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't parse the PAC: %s\n",
nt_errstr(status)));
return status;
}
if (pac_data_raw->num_buffers < 4) {
/* we need logon_ingo, service_key and kdc_key */
DEBUG(0,("less than 4 PAC buffers\n"));
return NT_STATUS_INVALID_PARAMETER;
}
if (pac_data->num_buffers != pac_data_raw->num_buffers) {
/* we need logon_ingo, service_key and kdc_key */
DEBUG(0, ("misparse! PAC_DATA has %d buffers while "
"PAC_DATA_RAW has %d\n", pac_data->num_buffers,
pac_data_raw->num_buffers));
return NT_STATUS_INVALID_PARAMETER;
}
for (i=0; i < pac_data->num_buffers; i++) {
struct PAC_BUFFER *data_buf = &pac_data->buffers[i];
struct PAC_BUFFER_RAW *raw_buf = &pac_data_raw->buffers[i];
if (data_buf->type != raw_buf->type) {
DEBUG(0, ("misparse! PAC_DATA buffer %d has type "
"%d while PAC_DATA_RAW has %d\n", i,
data_buf->type, raw_buf->type));
return NT_STATUS_INVALID_PARAMETER;
}
switch (data_buf->type) {
case PAC_TYPE_LOGON_INFO:
if (!data_buf->info) {
break;
}
logon_info = data_buf->info->logon_info.info;
break;
case PAC_TYPE_SRV_CHECKSUM:
if (!data_buf->info) {
break;
}
srv_sig_ptr = &data_buf->info->srv_cksum;
srv_sig_blob = &raw_buf->info->remaining;
break;
case PAC_TYPE_KDC_CHECKSUM:
if (!data_buf->info) {
break;
}
kdc_sig_ptr = &data_buf->info->kdc_cksum;
kdc_sig_blob = &raw_buf->info->remaining;
break;
case PAC_TYPE_LOGON_NAME:
logon_name = &data_buf->info->logon_name;
break;
default:
break;
}
}
if (!logon_info) {
DEBUG(0,("PAC no logon_info\n"));
return NT_STATUS_INVALID_PARAMETER;
}
if (!logon_name) {
DEBUG(0,("PAC no logon_name\n"));
return NT_STATUS_INVALID_PARAMETER;
}
if (!srv_sig_ptr || !srv_sig_blob) {
DEBUG(0,("PAC no srv_key\n"));
return NT_STATUS_INVALID_PARAMETER;
}
if (!kdc_sig_ptr || !kdc_sig_blob) {
DEBUG(0,("PAC no kdc_key\n"));
return NT_STATUS_INVALID_PARAMETER;
}
/* Find and zero out the signatures,
* as required by the signing algorithm */
/* We find the data blobs above,
* now we parse them to get at the exact portion we should zero */
ndr_err = ndr_pull_struct_blob(
kdc_sig_blob, kdc_sig_wipe, kdc_sig_wipe,
(ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't parse the KDC signature: %s\n",
nt_errstr(status)));
return status;
}
ndr_err = ndr_pull_struct_blob(
srv_sig_blob, srv_sig_wipe, srv_sig_wipe,
(ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't parse the SRV signature: %s\n",
nt_errstr(status)));
return status;
}
/* Now zero the decoded structure */
memset(kdc_sig_wipe->signature.data,
'\0', kdc_sig_wipe->signature.length);
memset(srv_sig_wipe->signature.data,
'\0', srv_sig_wipe->signature.length);
/* and reencode, back into the same place it came from */
ndr_err = ndr_push_struct_blob(
kdc_sig_blob, pac_data_raw, kdc_sig_wipe,
(ndr_push_flags_fn_t)ndr_push_PAC_SIGNATURE_DATA);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't repack the KDC signature: %s\n",
nt_errstr(status)));
return status;
}
ndr_err = ndr_push_struct_blob(
srv_sig_blob, pac_data_raw, srv_sig_wipe,
(ndr_push_flags_fn_t)ndr_push_PAC_SIGNATURE_DATA);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't repack the SRV signature: %s\n",
nt_errstr(status)));
return status;
}
/* push out the whole structure, but now with zero'ed signatures */
ndr_err = ndr_push_struct_blob(
&modified_pac_blob, pac_data_raw, pac_data_raw,
(ndr_push_flags_fn_t)ndr_push_PAC_DATA_RAW);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
DEBUG(0,("can't repack the RAW PAC: %s\n",
nt_errstr(status)));
return status;
}
if (service_keyblock) {
/* verify by service_key */
ret = check_pac_checksum(mem_ctx,
modified_pac_blob, srv_sig_ptr,
context,
service_keyblock);
if (ret) {
DEBUG(1, ("PAC Decode: Failed to verify the service "
"signature: %s\n", error_message(ret)));
return NT_STATUS_ACCESS_DENIED;
}
if (krbtgt_keyblock) {
/* verify the service key checksum by krbtgt_key */
ret = check_pac_checksum(mem_ctx,
srv_sig_ptr->signature, kdc_sig_ptr,
context, krbtgt_keyblock);
if (ret) {
DEBUG(1, ("PAC Decode: Failed to verify the KDC signature: %s\n",
smb_get_krb5_error_message(context, ret, mem_ctx)));
return NT_STATUS_ACCESS_DENIED;
}
}
}
if (tgs_authtime) {
/* Convert to NT time, so as not to loose accuracy in comparison */
unix_to_nt_time(&tgs_authtime_nttime, tgs_authtime);
if (tgs_authtime_nttime != logon_name->logon_time) {
DEBUG(2, ("PAC Decode: "
"Logon time mismatch between ticket and PAC!\n"));
DEBUG(2, ("PAC Decode: PAC: %s\n",
nt_time_string(mem_ctx, logon_name->logon_time)));
DEBUG(2, ("PAC Decode: Ticket: %s\n",
nt_time_string(mem_ctx, tgs_authtime_nttime)));
return NT_STATUS_ACCESS_DENIED;
}
}
if (client_principal) {
ret = smb_krb5_parse_name_norealm(context,
logon_name->account_name,
&client_principal_pac);
if (ret) {
DEBUG(2, ("Could not parse name from PAC: [%s]:%s\n",
logon_name->account_name, error_message(ret)));
return NT_STATUS_INVALID_PARAMETER;
}
bool_ret = smb_krb5_principal_compare_any_realm(context,
client_principal,
client_principal_pac);
krb5_free_principal(context, client_principal_pac);
if (!bool_ret) {
DEBUG(2, ("Name in PAC [%s] does not match principal name "
"in ticket\n", logon_name->account_name));
return NT_STATUS_ACCESS_DENIED;
}
}
DEBUG(3,("Found account name from PAC: %s [%s]\n",
logon_info->info3.base.account_name.string,
logon_info->info3.base.full_name.string));
DEBUG(10,("Successfully validated Kerberos PAC\n"));
if (DEBUGLEVEL >= 10) {
const char *s;
s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_DATA, pac_data);
if (s) {
DEBUGADD(10,("%s\n", s));
}
}
*pac_data_out = pac_data;
return NT_STATUS_OK;
}
static krb5_error_code keytab_add_keys(TALLOC_CTX *parent_ctx,
const char *princ_string,
krb5_principal princ,
krb5_principal salt_princ,
int kvno,
const char *password_s,
struct smb_krb5_context *smb_krb5_context,
const char **enctype_strings,
krb5_keytab keytab)
{
int i;
krb5_error_code ret;
krb5_data password;
TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
if (!mem_ctx) {
return ENOMEM;
}
password.data = discard_const_p(char *, password_s);
password.length = strlen(password_s);
for (i=0; enctype_strings[i]; i++) {
krb5_keytab_entry entry;
krb5_enctype enctype;
ret = krb5_string_to_enctype(smb_krb5_context->krb5_context, enctype_strings[i], &enctype);
if (ret != 0) {
DEBUG(1, ("Failed to interpret %s as a krb5 encryption type: %s\n",
enctype_strings[i],
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
talloc_free(mem_ctx);
return ret;
}
ret = create_kerberos_key_from_string(smb_krb5_context->krb5_context,
salt_princ, &password, &entry.keyblock, enctype);
if (ret != 0) {
talloc_free(mem_ctx);
return ret;
}
entry.principal = princ;
entry.vno = kvno;
ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, keytab, &entry);
if (ret != 0) {
DEBUG(1, ("Failed to add %s entry for %s(kvno %d) to keytab: %s\n",
enctype_strings[i],
princ_string,
kvno,
smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx)));
talloc_free(mem_ctx);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
return ret;
}
DEBUG(5, ("Added %s(kvno %d) to keytab (%s)\n",
princ_string, kvno,
enctype_strings[i]));
krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
}
talloc_free(mem_ctx);
return 0;
}
