static void
reg_def_plugins_once(void *ctx)
{
krb5_error_code ret;
krb5_context context = ctx;
ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA,
KRB5_PLUGIN_AN2LN, &an2ln_def_plug);
}
int
main(int argc, char **argv)
{
krb5_error_code ret;
int optidx = 0;
setprogname(argv[0]);
ret = krb5_init_context(&kdc_context);
if (ret == KRB5_CONFIG_BADFORMAT)
errx (1, "krb5_init_context failed to parse configuration file");
else if (ret)
errx (1, "krb5_init_context failed: %d", ret);
ret = krb5_kt_register(kdc_context, &hdb_kt_ops);
if (ret)
errx (1, "krb5_kt_register(HDB) failed: %d", ret);
kdc_config = configure(kdc_context, argc, argv, &optidx);
argc -= optidx;
argv += optidx;
if (argc == 0)
errx(1, "missing operations");
krb5_plugin_register(kdc_context, PLUGIN_TYPE_DATA,
KRB5_PLUGIN_SEND_TO_KDC, &send_to_kdc);
{
void *buf;
size_t size;
heim_object_t o;
if (rk_undumpdata(argv[0], &buf, &size))
errx(1, "undumpdata: %s", argv[0]);
o = heim_json_create_with_bytes(buf, size, 10, 0, NULL);
free(buf);
if (o == NULL)
errx(1, "heim_json");
/*
* do the work here
*/
eval_object(o);
heim_release(o);
}
krb5_free_context(kdc_context);
return 0;
}
static void
reg_def_plugins_once(void *ctx)
{
krb5_error_code ret;
krb5_context context = ctx;
plugin_reg_ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA,
KRB5_PLUGIN_KUSEROK,
&kuserok_simple_plug);
ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA,
KRB5_PLUGIN_KUSEROK, &kuserok_sys_k5login_plug);
if (!plugin_reg_ret)
plugin_reg_ret = ret;
ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA,
KRB5_PLUGIN_KUSEROK, &kuserok_user_k5login_plug);
if (!plugin_reg_ret)
plugin_reg_ret = ret;
ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA,
KRB5_PLUGIN_KUSEROK, &kuserok_deny_plug);
if (!plugin_reg_ret)
plugin_reg_ret = ret;
}
NTSTATUS libnet_export_keytab(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_export_keytab *r)
{
krb5_error_code ret;
struct smb_krb5_context *smb_krb5_context;
const char *from_keytab;
/* Register hdb-samba4 hooks for use as a keytab */
struct samba_kdc_base_context *base_ctx = talloc_zero(mem_ctx, struct samba_kdc_base_context);
if (!base_ctx) {
return NT_STATUS_NO_MEMORY;
}
base_ctx->ev_ctx = ctx->event_ctx;
base_ctx->lp_ctx = ctx->lp_ctx;
from_keytab = talloc_asprintf(base_ctx, "HDB:samba4&%p", base_ctx);
if (!from_keytab) {
return NT_STATUS_NO_MEMORY;
}
ret = smb_krb5_init_context(ctx, ctx->event_ctx, ctx->lp_ctx, &smb_krb5_context);
if (ret) {
return NT_STATUS_NO_MEMORY;
}
ret = krb5_plugin_register(smb_krb5_context->krb5_context,
PLUGIN_TYPE_DATA, "hdb",
&hdb_samba4);
if(ret) {
return NT_STATUS_NO_MEMORY;
}
ret = krb5_kt_register(smb_krb5_context->krb5_context, &hdb_kt_ops);
if(ret) {
return NT_STATUS_NO_MEMORY;
}
unlink(r->in.keytab_name);
ret = kt_copy(smb_krb5_context->krb5_context, from_keytab, r->in.keytab_name);
if(ret) {
r->out.error_string = smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx);
return NT_STATUS_UNSUCCESSFUL;
}
return NT_STATUS_OK;
}
int
main(int argc, char **argv)
{
krb5_error_code ret;
krb5_context context;
krb5_krbhst_handle handle;
char host[MAXHOSTNAMELEN];
int found = 0;
setprogname(argv[0]);
ret = krb5_init_context(&context);
if (ret)
errx(1, "krb5_init_contex");
ret = krb5_plugin_register(context, PLUGIN_TYPE_DATA,
KRB5_PLUGIN_LOCATE, &resolve);
if (ret)
krb5_err(context, 1, ret, "krb5_plugin_register");
ret = krb5_krbhst_init_flags(context,
"NOTHERE.H5L.SE",
KRB5_KRBHST_KDC,
0,
&handle);
if (ret)
krb5_err(context, 1, ret, "krb5_krbhst_init_flags");
while(krb5_krbhst_next_as_string(context, handle, host, sizeof(host)) == 0){
found++;
if (strcmp(host, "127.0.0.2") != 0 && strcmp(host, "tcp/127.0.0.2") != 0)
krb5_errx(context, 1, "wrong address: %s", host);
}
if (!found)
krb5_errx(context, 1, "failed to find host");
krb5_krbhst_free(context, handle);
krb5_free_context(context);
return 0;
}
/*
startup the kdc task
*/
static void kdc_task_init(struct task_server *task)
{
struct kdc_server *kdc;
krb5_kdc_configuration *kdc_config = NULL;
NTSTATUS status;
krb5_error_code ret;
struct interface *ifaces;
int ldb_ret;
switch (lpcfg_server_role(task->lp_ctx)) {
case ROLE_STANDALONE:
task_server_terminate(task, "kdc: no KDC required in standalone configuration", false);
return;
case ROLE_DOMAIN_MEMBER:
task_server_terminate(task, "kdc: no KDC required in member server configuration", false);
return;
case ROLE_DOMAIN_PDC:
case ROLE_DOMAIN_BDC:
task_server_terminate(task, "Cannot start KDC as a 'classic Samba' DC", true);
return;
case ROLE_ACTIVE_DIRECTORY_DC:
/* Yes, we want a KDC */
break;
}
load_interface_list(task, task->lp_ctx, &ifaces);
if (iface_list_count(ifaces) == 0) {
task_server_terminate(task, "kdc: no network interfaces configured", false);
return;
}
task_server_set_title(task, "task[kdc]");
kdc = talloc_zero(task, struct kdc_server);
if (kdc == NULL) {
task_server_terminate(task, "kdc: out of memory", true);
return;
}
kdc->task = task;
/* get a samdb connection */
kdc->samdb = samdb_connect(kdc,
kdc->task->event_ctx,
kdc->task->lp_ctx,
system_session(kdc->task->lp_ctx),
NULL,
0);
if (!kdc->samdb) {
DEBUG(1,("kdc_task_init: unable to connect to samdb\n"));
task_server_terminate(task, "kdc: krb5_init_context samdb connect failed", true);
return;
}
ldb_ret = samdb_rodc(kdc->samdb, &kdc->am_rodc);
if (ldb_ret != LDB_SUCCESS) {
DEBUG(1, ("kdc_task_init: Cannot determine if we are an RODC: %s\n",
ldb_errstring(kdc->samdb)));
task_server_terminate(task, "kdc: krb5_init_context samdb RODC connect failed", true);
return;
}
kdc->proxy_timeout = lpcfg_parm_int(kdc->task->lp_ctx, NULL, "kdc", "proxy timeout", 5);
initialize_krb5_error_table();
ret = smb_krb5_init_context(kdc, task->lp_ctx, &kdc->smb_krb5_context);
if (ret) {
DEBUG(1,("kdc_task_init: krb5_init_context failed (%s)\n",
error_message(ret)));
task_server_terminate(task, "kdc: krb5_init_context failed", true);
return;
}
krb5_add_et_list(kdc->smb_krb5_context->krb5_context, initialize_hdb_error_table_r);
ret = krb5_kdc_get_config(kdc->smb_krb5_context->krb5_context,
&kdc_config);
if(ret) {
task_server_terminate(task, "kdc: failed to get KDC configuration", true);
return;
}
kdc_config->logf = (krb5_log_facility *)kdc->smb_krb5_context->pvt_log_data;
kdc_config->db = talloc(kdc, struct HDB *);
if (!kdc_config->db) {
task_server_terminate(task, "kdc: out of memory", true);
return;
}
kdc_config->num_db = 1;
/*
* This restores the behavior before
* commit 255e3e18e00f717d99f3bc57c8a8895ff624f3c3
* s4:heimdal: import lorikeet-heimdal-201107150856
* (commit 48936803fae4a2fb362c79365d31f420c917b85b)
*
* as_use_strongest_session_key,preauth_use_strongest_session_key
* and tgs_use_strongest_session_key are input to the
* _kdc_find_etype() function. The old bahavior is in
* the use_strongest_session_key=FALSE code path.
* (The only remaining difference in _kdc_find_etype()
* is the is_preauth parameter.)
*
* The old behavior in the _kdc_get_preferred_key()
* function is use_strongest_server_key=TRUE.
*/
kdc_config->as_use_strongest_session_key = false;
kdc_config->preauth_use_strongest_session_key = false;
kdc_config->tgs_use_strongest_session_key = false;
kdc_config->use_strongest_server_key = true;
kdc_config->autodetect_referrals = false;
/* Register hdb-samba4 hooks for use as a keytab */
kdc->base_ctx = talloc_zero(kdc, struct samba_kdc_base_context);
if (!kdc->base_ctx) {
task_server_terminate(task, "kdc: out of memory", true);
return;
}
kdc->base_ctx->ev_ctx = task->event_ctx;
kdc->base_ctx->lp_ctx = task->lp_ctx;
kdc->base_ctx->msg_ctx = task->msg_ctx;
status = hdb_samba4_create_kdc(kdc->base_ctx,
kdc->smb_krb5_context->krb5_context,
&kdc_config->db[0]);
if (!NT_STATUS_IS_OK(status)) {
task_server_terminate(task, "kdc: hdb_samba4_create_kdc (setup KDC database) failed", true);
return;
}
ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
PLUGIN_TYPE_DATA, "hdb",
&hdb_samba4_interface);
if(ret) {
task_server_terminate(task, "kdc: failed to register hdb plugin", true);
return;
}
ret = krb5_kt_register(kdc->smb_krb5_context->krb5_context, &hdb_kt_ops);
if(ret) {
task_server_terminate(task, "kdc: failed to register keytab plugin", true);
return;
}
kdc->keytab_name = talloc_asprintf(kdc, "HDB:samba4&%p", kdc->base_ctx);
if (kdc->keytab_name == NULL) {
task_server_terminate(task,
"kdc: Failed to set keytab name",
true);
return;
}
/* Register WinDC hooks */
ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
PLUGIN_TYPE_DATA, "windc",
&windc_plugin_table);
if(ret) {
task_server_terminate(task, "kdc: failed to register windc plugin", true);
return;
}
ret = krb5_kdc_windc_init(kdc->smb_krb5_context->krb5_context);
if(ret) {
task_server_terminate(task, "kdc: failed to init windc plugin", true);
return;
}
ret = krb5_kdc_pkinit_config(kdc->smb_krb5_context->krb5_context, kdc_config);
if(ret) {
task_server_terminate(task, "kdc: failed to init kdc pkinit subsystem", true);
return;
}
kdc->private_data = kdc_config;
/* start listening on the configured network interfaces */
status = kdc_startup_interfaces(kdc, task->lp_ctx, ifaces,
task->model_ops);
if (!NT_STATUS_IS_OK(status)) {
task_server_terminate(task, "kdc failed to setup interfaces", true);
return;
}
status = IRPC_REGISTER(task->msg_ctx, irpc, KDC_CHECK_GENERIC_KERBEROS,
kdc_check_generic_kerberos, kdc);
if (!NT_STATUS_IS_OK(status)) {
task_server_terminate(task, "kdc failed to setup monitoring", true);
return;
}
irpc_add_name(task->msg_ctx, "kdc_server");
}
OM_uint32 GSSAPI_CALLCONV
_gsskrb5_set_sec_context_option
(OM_uint32 *minor_status,
gss_ctx_id_t *context_handle,
const gss_OID desired_object,
const gss_buffer_t value)
{
krb5_context context;
OM_uint32 maj_stat;
GSSAPI_KRB5_INIT (&context);
if (value == GSS_C_NO_BUFFER) {
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
if (gss_oid_equal(desired_object, GSS_KRB5_COMPAT_DES3_MIC_X)) {
gsskrb5_ctx ctx;
int flag;
if (*context_handle == GSS_C_NO_CONTEXT) {
*minor_status = EINVAL;
return GSS_S_NO_CONTEXT;
}
maj_stat = get_bool(minor_status, value, &flag);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
ctx = (gsskrb5_ctx)*context_handle;
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
if (flag)
ctx->more_flags |= COMPAT_OLD_DES3;
else
ctx->more_flags &= ~COMPAT_OLD_DES3;
ctx->more_flags |= COMPAT_OLD_DES3_SELECTED;
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DNS_CANONICALIZE_X)) {
int flag;
maj_stat = get_bool(minor_status, value, &flag);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
krb5_set_dns_canonicalize_hostname(context, flag);
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X)) {
char *str;
maj_stat = get_string(minor_status, value, &str);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
maj_stat = _gsskrb5_register_acceptor_identity(minor_status, str);
free(str);
return maj_stat;
} else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DEFAULT_REALM_X)) {
char *str;
maj_stat = get_string(minor_status, value, &str);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
if (str == NULL) {
*minor_status = 0;
return GSS_S_CALL_INACCESSIBLE_READ;
}
krb5_set_default_realm(context, str);
free(str);
*minor_status = 0;
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_SEND_TO_KDC_X)) {
*minor_status = EINVAL;
return GSS_S_FAILURE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_CCACHE_NAME_X)) {
char *str;
maj_stat = get_string(minor_status, value, &str);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
if (str == NULL) {
*minor_status = 0;
return GSS_S_CALL_INACCESSIBLE_READ;
}
*minor_status = krb5_cc_set_default_name(context, str);
free(str);
if (*minor_status)
return GSS_S_FAILURE;
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_SET_TIME_OFFSET_X)) {
OM_uint32 offset;
time_t t;
maj_stat = get_int32(minor_status, value, &offset);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
t = time(NULL) + offset;
krb5_set_real_time(context, t, 0);
*minor_status = 0;
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_GET_TIME_OFFSET_X)) {
krb5_timestamp sec;
int32_t usec;
time_t t;
t = time(NULL);
krb5_us_timeofday (context, &sec, &usec);
maj_stat = set_int32(minor_status, value, sec - t);
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
*minor_status = 0;
return GSS_S_COMPLETE;
} else if (gss_oid_equal(desired_object, GSS_KRB5_PLUGIN_REGISTER_X)) {
struct gsskrb5_krb5_plugin c;
if (value->length != sizeof(c)) {
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
memcpy(&c, value->value, sizeof(c));
krb5_plugin_register(context, c.type, c.name, c.symbol);
*minor_status = 0;
return GSS_S_COMPLETE;
}
*minor_status = EINVAL;
return GSS_S_FAILURE;
}
NTSTATUS libnet_export_keytab(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_export_keytab *r)
{
krb5_error_code ret;
struct smb_krb5_context *smb_krb5_context;
const char *from_keytab;
/* Register hdb-samba4 hooks for use as a keytab */
struct samba_kdc_base_context *base_ctx = talloc_zero(mem_ctx, struct samba_kdc_base_context);
if (!base_ctx) {
return NT_STATUS_NO_MEMORY;
}
base_ctx->ev_ctx = ctx->event_ctx;
base_ctx->lp_ctx = ctx->lp_ctx;
from_keytab = talloc_asprintf(base_ctx, "HDB:samba4&%p", base_ctx);
if (!from_keytab) {
return NT_STATUS_NO_MEMORY;
}
ret = smb_krb5_init_context(ctx, ctx->event_ctx, ctx->lp_ctx, &smb_krb5_context);
if (ret) {
return NT_STATUS_NO_MEMORY;
}
ret = krb5_plugin_register(smb_krb5_context->krb5_context,
PLUGIN_TYPE_DATA, "hdb",
&hdb_samba4_interface);
if(ret) {
return NT_STATUS_NO_MEMORY;
}
ret = krb5_kt_register(smb_krb5_context->krb5_context, &hdb_kt_ops);
if(ret) {
return NT_STATUS_NO_MEMORY;
}
if (r->in.principal) {
/* TODO: Find a way not to have to use a fixed list */
krb5_enctype enctypes[] = {
KRB5_ENCTYPE_DES_CBC_CRC,
KRB5_ENCTYPE_DES_CBC_MD5,
KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96,
KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
KRB5_ENCTYPE_ARCFOUR_HMAC_MD5
};
ret = kt_copy_one_principal(smb_krb5_context->krb5_context, from_keytab, r->in.keytab_name, r->in.principal, 0, enctypes);
} else {
unlink(r->in.keytab_name);
ret = kt_copy(smb_krb5_context->krb5_context, from_keytab, r->in.keytab_name);
}
if(ret) {
r->out.error_string = smb_get_krb5_error_message(smb_krb5_context->krb5_context,
ret, mem_ctx);
if (ret == KRB5_KT_NOTFOUND) {
return NT_STATUS_NO_SUCH_USER;
} else {
return NT_STATUS_UNSUCCESSFUL;
}
}
return NT_STATUS_OK;
}
