static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg, struct kdc_check_generic_kerberos *r) { struct PAC_Validate pac_validate; DATA_BLOB srv_sig; struct PAC_SIGNATURE_DATA kdc_sig; struct kdc_server *kdc = talloc_get_type(msg->private_data, struct kdc_server); krb5_kdc_configuration *kdc_config = (krb5_kdc_configuration *)kdc->private_data; enum ndr_err_code ndr_err; int ret; hdb_entry_ex ent; krb5_principal principal; /* There is no reply to this request */ r->out.generic_reply = data_blob(NULL, 0); ndr_err = ndr_pull_struct_blob(&r->in.generic_request, msg, &pac_validate, (ndr_pull_flags_fn_t)ndr_pull_PAC_Validate); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { return NT_STATUS_INVALID_PARAMETER; } if (pac_validate.MessageType != NETLOGON_GENERIC_KRB5_PAC_VALIDATE) { /* We don't implement any other message types - such as certificate validation - yet */ return NT_STATUS_INVALID_PARAMETER; } if (pac_validate.ChecksumAndSignature.length != (pac_validate.ChecksumLength + pac_validate.SignatureLength) || pac_validate.ChecksumAndSignature.length < pac_validate.ChecksumLength || pac_validate.ChecksumAndSignature.length < pac_validate.SignatureLength ) { return NT_STATUS_INVALID_PARAMETER; } srv_sig = data_blob_const(pac_validate.ChecksumAndSignature.data, pac_validate.ChecksumLength); ret = krb5_make_principal(kdc->smb_krb5_context->krb5_context, &principal, lpcfg_realm(kdc->task->lp_ctx), "krbtgt", lpcfg_realm(kdc->task->lp_ctx), NULL); if (ret != 0) { return NT_STATUS_NO_MEMORY; } ret = kdc_config->db[0]->hdb_fetch_kvno(kdc->smb_krb5_context->krb5_context, kdc_config->db[0], principal, HDB_F_GET_KRBTGT | HDB_F_DECRYPT, 0, &ent); if (ret != 0) { hdb_free_entry(kdc->smb_krb5_context->krb5_context, &ent); krb5_free_principal(kdc->smb_krb5_context->krb5_context, principal); return NT_STATUS_LOGON_FAILURE; } kdc_sig.type = pac_validate.SignatureType; kdc_sig.signature = data_blob_const(&pac_validate.ChecksumAndSignature.data[pac_validate.ChecksumLength], pac_validate.SignatureLength); ret = kdc_check_pac(kdc->smb_krb5_context->krb5_context, srv_sig, &kdc_sig, &ent); hdb_free_entry(kdc->smb_krb5_context->krb5_context, &ent); krb5_free_principal(kdc->smb_krb5_context->krb5_context, principal); if (ret != 0) { return NT_STATUS_LOGON_FAILURE; } return NT_STATUS_OK; }
static krb5_error_code samba_wdc_reget_pac(void *priv, krb5_context context, const krb5_principal client_principal, const krb5_principal delegated_proxy_principal, struct hdb_entry_ex *client, struct hdb_entry_ex *server, struct hdb_entry_ex *krbtgt, krb5_pac *pac) { struct samba_kdc_entry *p = talloc_get_type(server->ctx, struct samba_kdc_entry); TALLOC_CTX *mem_ctx = talloc_named(p, 0, "samba_kdc_reget_pac context"); DATA_BLOB *pac_blob; DATA_BLOB *deleg_blob = NULL; krb5_error_code ret; NTSTATUS nt_status; struct PAC_SIGNATURE_DATA *pac_srv_sig; struct PAC_SIGNATURE_DATA *pac_kdc_sig; bool is_in_db, is_untrusted; if (!mem_ctx) { return ENOMEM; } /* The user account may be set not to want the PAC */ if (!samba_princ_needs_pac(server)) { talloc_free(mem_ctx); return EINVAL; } /* If the krbtgt was generated by an RODC, and we are not that * RODC, then we need to regenerate the PAC - we can't trust * it */ ret = samba_krbtgt_is_in_db(krbtgt, &is_in_db, &is_untrusted); if (ret != 0) { talloc_free(mem_ctx); return ret; } if (is_untrusted) { if (client == NULL) { return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; } nt_status = samba_kdc_get_pac_blob(mem_ctx, client, &pac_blob); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); return EINVAL; } } else { pac_blob = talloc_zero(mem_ctx, DATA_BLOB); if (!pac_blob) { talloc_free(mem_ctx); return ENOMEM; } pac_srv_sig = talloc_zero(mem_ctx, struct PAC_SIGNATURE_DATA); if (!pac_srv_sig) { talloc_free(mem_ctx); return ENOMEM; } pac_kdc_sig = talloc_zero(mem_ctx, struct PAC_SIGNATURE_DATA); if (!pac_kdc_sig) { talloc_free(mem_ctx); return ENOMEM; } nt_status = samba_kdc_update_pac_blob(mem_ctx, context, *pac, pac_blob, pac_srv_sig, pac_kdc_sig); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("Building PAC failed: %s\n", nt_errstr(nt_status))); talloc_free(mem_ctx); return EINVAL; } if (is_in_db) { /* Now check the KDC signature, fetching the correct key based on the enc type */ ret = kdc_check_pac(context, pac_srv_sig->signature, pac_kdc_sig, krbtgt); if (ret != 0) { DEBUG(1, ("PAC KDC signature failed to verify\n")); talloc_free(mem_ctx); return ret; } } } if (delegated_proxy_principal) { deleg_blob = talloc_zero(mem_ctx, DATA_BLOB); if (!deleg_blob) { talloc_free(mem_ctx); return ENOMEM; } nt_status = samba_kdc_update_delegation_info_blob(mem_ctx, context, *pac, server->entry.principal, delegated_proxy_principal, deleg_blob); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("Building PAC failed: %s\n", nt_errstr(nt_status))); talloc_free(mem_ctx); return EINVAL; } } /* We now completely regenerate this pac */ krb5_pac_free(context, *pac); ret = samba_make_krb5_pac(context, pac_blob, deleg_blob, pac); talloc_free(mem_ctx); return ret; }