Line data Source code
1 : /*
2 : * Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd.
3 : * Copyright (c) 2004-2009, Andrew Bartlett <abartlet@samba.org>.
4 : * Copyright (c) 2004, Stefan Metzmacher <metze@samba.org>
5 : * All rights reserved.
6 : *
7 : * Redistribution and use in source and binary forms, with or without
8 : * modification, are permitted provided that the following conditions
9 : * are met:
10 : *
11 : * 1. Redistributions of source code must retain the above copyright
12 : * notice, this list of conditions and the following disclaimer.
13 : *
14 : * 2. Redistributions in binary form must reproduce the above copyright
15 : * notice, this list of conditions and the following disclaimer in the
16 : * documentation and/or other materials provided with the distribution.
17 : *
18 : * 3. Neither the name of PADL Software nor the names of its contributors
19 : * may be used to endorse or promote products derived from this software
20 : * without specific prior written permission.
21 : *
22 : * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
23 : * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 : * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
26 : * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 : * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 : * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 : * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 : * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 : * SUCH DAMAGE.
33 : */
34 :
35 : #include "includes.h"
36 : #include "kdc/kdc-glue.h"
37 : #include "kdc/db-glue.h"
38 : #include "auth/auth_sam.h"
39 : #include "auth/common_auth.h"
40 : #include <ldb.h>
41 : #include "sdb.h"
42 : #include "sdb_hdb.h"
43 : #include "dsdb/samdb/samdb.h"
44 : #include "param/param.h"
45 : #include "../lib/tsocket/tsocket.h"
46 : #include "librpc/gen_ndr/ndr_winbind_c.h"
47 : #include "lib/messaging/irpc.h"
48 : #include "hdb.h"
49 : #include <kdc-audit.h>
50 :
51 214156 : static krb5_error_code hdb_samba4_open(krb5_context context, HDB *db, int flags, mode_t mode)
52 : {
53 214156 : if (db->hdb_master_key_set) {
54 0 : krb5_error_code ret = HDB_ERR_NOENTRY;
55 0 : krb5_warnx(context, "hdb_samba4_open: use of a master key incompatible with LDB\n");
56 0 : krb5_set_error_message(context, ret, "hdb_samba4_open: use of a master key incompatible with LDB\n");
57 0 : return ret;
58 : }
59 :
60 214156 : return 0;
61 : }
62 :
63 214156 : static krb5_error_code hdb_samba4_close(krb5_context context, HDB *db)
64 : {
65 214156 : return 0;
66 : }
67 :
68 0 : static krb5_error_code hdb_samba4_lock(krb5_context context, HDB *db, int operation)
69 : {
70 0 : return 0;
71 : }
72 :
73 0 : static krb5_error_code hdb_samba4_unlock(krb5_context context, HDB *db)
74 : {
75 0 : return 0;
76 : }
77 :
78 0 : static krb5_error_code hdb_samba4_rename(krb5_context context, HDB *db, const char *new_name)
79 : {
80 0 : return HDB_ERR_DB_INUSE;
81 : }
82 :
83 0 : static krb5_error_code hdb_samba4_store(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
84 : {
85 0 : return HDB_ERR_DB_INUSE;
86 : }
87 :
88 : /*
89 : * If we ever want kadmin to work fast, we might try and reopen the
90 : * ldb with LDB_NOSYNC
91 : */
92 0 : static krb5_error_code hdb_samba4_set_sync(krb5_context context, struct HDB *db, int set_sync)
93 : {
94 0 : return 0;
95 : }
96 :
97 214228 : static void hdb_samba4_free_entry_context(krb5_context context, struct HDB *db, hdb_entry *entry)
98 : {
99 : /*
100 : * This function is now called for every HDB entry, not just those with
101 : * 'context' set, so we have to check that the context is not NULL.
102 : */
103 214228 : if (entry->context != NULL) {
104 207615 : struct samba_kdc_entry *skdc_entry =
105 207615 : talloc_get_type_abort(entry->context,
106 : struct samba_kdc_entry);
107 :
108 : /* this function is called only from hdb_free_entry().
109 : * Make sure we neutralize the destructor or we will
110 : * get a double free later when hdb_free_entry() will
111 : * try to call free_hdb_entry() */
112 207615 : entry->context = NULL;
113 207615 : skdc_entry->kdc_entry = NULL;
114 207615 : TALLOC_FREE(skdc_entry);
115 : }
116 214228 : }
117 :
118 9 : static int hdb_samba4_fill_fast_cookie(krb5_context context,
119 : struct samba_kdc_db_context *kdc_db_ctx)
120 : {
121 9 : struct ldb_message *msg = ldb_msg_new(kdc_db_ctx);
122 : int ldb_ret;
123 :
124 : uint8_t secretbuffer[32];
125 9 : struct ldb_val val = data_blob_const(secretbuffer,
126 : sizeof(secretbuffer));
127 :
128 9 : if (msg == NULL) {
129 0 : DBG_ERR("Failed to allocate msg for new fast cookie\n");
130 0 : return LDB_ERR_OPERATIONS_ERROR;
131 : }
132 :
133 : /* Fill in all the keys with the same secret */
134 9 : generate_secret_buffer(secretbuffer,
135 : sizeof(secretbuffer));
136 :
137 9 : msg->dn = kdc_db_ctx->fx_cookie_dn;
138 :
139 9 : ldb_ret = ldb_msg_add_value(msg, "secret", &val, NULL);
140 :
141 9 : if (ldb_ret != LDB_SUCCESS) {
142 0 : return ldb_ret;
143 : }
144 :
145 9 : ldb_ret = ldb_add(kdc_db_ctx->secrets_db,
146 : msg);
147 9 : if (ldb_ret != LDB_SUCCESS) {
148 0 : DBG_ERR("Failed to add fast cookie to ldb: %s\n",
149 : ldb_errstring(kdc_db_ctx->secrets_db));
150 : }
151 9 : return ldb_ret;
152 : }
153 :
154 1177 : static krb5_error_code hdb_samba4_fetch_fast_cookie(krb5_context context,
155 : struct samba_kdc_db_context *kdc_db_ctx,
156 : hdb_entry *entry)
157 : {
158 1177 : krb5_error_code ret = SDB_ERR_NOENTRY;
159 : TALLOC_CTX *mem_ctx;
160 : struct ldb_result *res;
161 : int ldb_ret;
162 1177 : struct sdb_entry sentry = {};
163 1177 : const char *attrs[] = {
164 : "secret",
165 : NULL
166 : };
167 : const struct ldb_val *val;
168 :
169 1177 : mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_fetch context");
170 1177 : if (!mem_ctx) {
171 0 : ret = ENOMEM;
172 0 : krb5_set_error_message(context, ret, "samba_kdc_fetch: talloc_named() failed!");
173 0 : return ret;
174 : }
175 :
176 : /* search for CN=FX-COOKIE */
177 1177 : ldb_ret = ldb_search(kdc_db_ctx->secrets_db,
178 : mem_ctx,
179 : &res,
180 : kdc_db_ctx->fx_cookie_dn,
181 : LDB_SCOPE_BASE,
182 : attrs, NULL);
183 :
184 1177 : if (ldb_ret == LDB_ERR_NO_SUCH_OBJECT || res->count == 0) {
185 :
186 9 : ldb_ret = hdb_samba4_fill_fast_cookie(context,
187 : kdc_db_ctx);
188 :
189 9 : if (ldb_ret != LDB_SUCCESS) {
190 0 : TALLOC_FREE(mem_ctx);
191 0 : return HDB_ERR_NO_WRITE_SUPPORT;
192 : }
193 :
194 : /* search for CN=FX-COOKIE */
195 9 : ldb_ret = ldb_search(kdc_db_ctx->secrets_db,
196 : mem_ctx,
197 : &res,
198 : kdc_db_ctx->fx_cookie_dn,
199 : LDB_SCOPE_BASE,
200 : attrs, NULL);
201 :
202 9 : if (ldb_ret != LDB_SUCCESS || res->count != 1) {
203 0 : TALLOC_FREE(mem_ctx);
204 0 : return HDB_ERR_NOENTRY;
205 : }
206 : }
207 :
208 1177 : val = ldb_msg_find_ldb_val(res->msgs[0],
209 : "secret");
210 1177 : if (val == NULL || val->length != 32) {
211 0 : TALLOC_FREE(mem_ctx);
212 0 : return HDB_ERR_NOENTRY;
213 : }
214 :
215 :
216 1177 : ret = krb5_make_principal(context,
217 : &sentry.principal,
218 : KRB5_WELLKNOWN_ORG_H5L_REALM,
219 : KRB5_WELLKNOWN_NAME, "org.h5l.fast-cookie",
220 : NULL);
221 1177 : if (ret) {
222 0 : TALLOC_FREE(mem_ctx);
223 0 : return ret;
224 : }
225 :
226 1177 : ret = samba_kdc_set_fixed_keys(context, val, ENC_ALL_TYPES,
227 : &sentry.keys);
228 1177 : if (ret != 0) {
229 0 : return ret;
230 : }
231 :
232 1177 : ret = sdb_entry_to_hdb_entry(context, &sentry, entry);
233 1177 : sdb_entry_free(&sentry);
234 1177 : TALLOC_FREE(mem_ctx);
235 :
236 1177 : return ret;
237 : }
238 :
239 214228 : static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db,
240 : krb5_const_principal principal,
241 : unsigned flags,
242 : krb5_kvno kvno,
243 : hdb_entry *entry)
244 : {
245 : struct samba_kdc_db_context *kdc_db_ctx;
246 214228 : struct sdb_entry sentry = {};
247 : krb5_error_code code, ret;
248 : uint32_t sflags;
249 :
250 214228 : kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
251 : struct samba_kdc_db_context);
252 :
253 214228 : if (flags & HDB_F_GET_FAST_COOKIE) {
254 1177 : return hdb_samba4_fetch_fast_cookie(context,
255 : kdc_db_ctx,
256 : entry);
257 : }
258 :
259 213051 : sflags = (flags & SDB_F_HDB_MASK);
260 :
261 213051 : ret = samba_kdc_fetch(context,
262 : kdc_db_ctx,
263 : principal,
264 : sflags,
265 : kvno,
266 : &sentry);
267 213051 : switch (ret) {
268 207615 : case 0:
269 207615 : code = 0;
270 207615 : break;
271 859 : case SDB_ERR_WRONG_REALM:
272 : /*
273 : * If SDB_ERR_WRONG_REALM is returned we need to process the
274 : * sdb_entry to fill the principal in the HDB entry.
275 : */
276 859 : code = HDB_ERR_WRONG_REALM;
277 859 : break;
278 1550 : case SDB_ERR_NOENTRY:
279 1550 : return HDB_ERR_NOENTRY;
280 3027 : case SDB_ERR_NOT_FOUND_HERE:
281 3027 : return HDB_ERR_NOT_FOUND_HERE;
282 0 : default:
283 0 : return ret;
284 : }
285 :
286 208474 : ret = sdb_entry_to_hdb_entry(context, &sentry, entry);
287 208474 : sdb_entry_free(&sentry);
288 :
289 208474 : if (code != 0 && ret != 0) {
290 0 : code = ret;
291 : }
292 :
293 208474 : return code;
294 : }
295 :
296 32 : static krb5_error_code hdb_samba4_kpasswd_fetch_kvno(krb5_context context, HDB *db,
297 : krb5_const_principal _principal,
298 : unsigned flags,
299 : krb5_kvno _kvno,
300 : hdb_entry *entry)
301 : {
302 32 : struct samba_kdc_db_context *kdc_db_ctx = NULL;
303 : krb5_error_code ret;
304 32 : krb5_principal kpasswd_principal = NULL;
305 :
306 32 : kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
307 : struct samba_kdc_db_context);
308 :
309 32 : ret = smb_krb5_make_principal(context, &kpasswd_principal,
310 : lpcfg_realm(kdc_db_ctx->lp_ctx),
311 : "kadmin", "changepw",
312 : NULL);
313 32 : if (ret) {
314 0 : return ret;
315 : }
316 32 : smb_krb5_principal_set_type(context, kpasswd_principal, KRB5_NT_SRV_INST);
317 :
318 : /*
319 : * For the kpasswd service, always ensure we get the latest kvno. This
320 : * also means we (correctly) refuse RODC-issued tickets.
321 : */
322 32 : flags &= ~HDB_F_KVNO_SPECIFIED;
323 :
324 : /* Don't bother looking up a client or krbtgt. */
325 32 : flags &= ~(SDB_F_GET_CLIENT|SDB_F_GET_KRBTGT);
326 :
327 32 : ret = hdb_samba4_fetch_kvno(context, db,
328 : kpasswd_principal,
329 : flags,
330 : 0,
331 : entry);
332 :
333 32 : krb5_free_principal(context, kpasswd_principal);
334 32 : return ret;
335 : }
336 :
337 0 : static krb5_error_code hdb_samba4_firstkey(krb5_context context, HDB *db, unsigned flags,
338 : hdb_entry *entry)
339 : {
340 : struct samba_kdc_db_context *kdc_db_ctx;
341 0 : struct sdb_entry sentry = {};
342 : krb5_error_code ret;
343 :
344 0 : kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
345 : struct samba_kdc_db_context);
346 :
347 0 : ret = samba_kdc_firstkey(context, kdc_db_ctx, &sentry);
348 0 : switch (ret) {
349 0 : case 0:
350 0 : break;
351 0 : case SDB_ERR_WRONG_REALM:
352 0 : return HDB_ERR_WRONG_REALM;
353 0 : case SDB_ERR_NOENTRY:
354 0 : return HDB_ERR_NOENTRY;
355 0 : case SDB_ERR_NOT_FOUND_HERE:
356 0 : return HDB_ERR_NOT_FOUND_HERE;
357 0 : default:
358 0 : return ret;
359 : }
360 :
361 0 : ret = sdb_entry_to_hdb_entry(context, &sentry, entry);
362 0 : sdb_entry_free(&sentry);
363 0 : return ret;
364 : }
365 :
366 0 : static krb5_error_code hdb_samba4_nextkey(krb5_context context, HDB *db, unsigned flags,
367 : hdb_entry *entry)
368 : {
369 : struct samba_kdc_db_context *kdc_db_ctx;
370 0 : struct sdb_entry sentry = {};
371 : krb5_error_code ret;
372 :
373 0 : kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
374 : struct samba_kdc_db_context);
375 :
376 0 : ret = samba_kdc_nextkey(context, kdc_db_ctx, &sentry);
377 0 : switch (ret) {
378 0 : case 0:
379 0 : break;
380 0 : case SDB_ERR_WRONG_REALM:
381 0 : return HDB_ERR_WRONG_REALM;
382 0 : case SDB_ERR_NOENTRY:
383 0 : return HDB_ERR_NOENTRY;
384 0 : case SDB_ERR_NOT_FOUND_HERE:
385 0 : return HDB_ERR_NOT_FOUND_HERE;
386 0 : default:
387 0 : return ret;
388 : }
389 :
390 0 : ret = sdb_entry_to_hdb_entry(context, &sentry, entry);
391 0 : sdb_entry_free(&sentry);
392 0 : return ret;
393 : }
394 :
395 0 : static krb5_error_code hdb_samba4_nextkey_panic(krb5_context context, HDB *db,
396 : unsigned flags,
397 : hdb_entry *entry)
398 : {
399 0 : DBG_ERR("Attempt to iterate kpasswd keytab => PANIC\n");
400 0 : smb_panic("hdb_samba4_nextkey_panic: Attempt to iterate kpasswd keytab");
401 : }
402 :
403 32 : static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db)
404 : {
405 32 : talloc_free(db);
406 32 : return 0;
407 : }
408 :
409 : static krb5_error_code
410 110 : hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db,
411 : hdb_entry *entry,
412 : krb5_const_principal target_principal)
413 : {
414 : struct samba_kdc_db_context *kdc_db_ctx;
415 : struct samba_kdc_entry *skdc_entry;
416 : krb5_error_code ret;
417 :
418 110 : kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
419 : struct samba_kdc_db_context);
420 110 : skdc_entry = talloc_get_type_abort(entry->context,
421 : struct samba_kdc_entry);
422 :
423 110 : ret = samba_kdc_check_s4u2proxy(context, kdc_db_ctx,
424 : skdc_entry,
425 : target_principal);
426 110 : switch (ret) {
427 94 : case 0:
428 94 : break;
429 0 : case SDB_ERR_WRONG_REALM:
430 0 : ret = HDB_ERR_WRONG_REALM;
431 0 : break;
432 0 : case SDB_ERR_NOENTRY:
433 0 : ret = HDB_ERR_NOENTRY;
434 0 : break;
435 0 : case SDB_ERR_NOT_FOUND_HERE:
436 0 : ret = HDB_ERR_NOT_FOUND_HERE;
437 0 : break;
438 16 : default:
439 16 : break;
440 : }
441 :
442 110 : return ret;
443 : }
444 :
445 : static krb5_error_code
446 0 : hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db,
447 : hdb_entry *entry,
448 : krb5_const_principal certificate_principal)
449 : {
450 : struct samba_kdc_db_context *kdc_db_ctx;
451 : struct samba_kdc_entry *skdc_entry;
452 : krb5_error_code ret;
453 :
454 0 : kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
455 : struct samba_kdc_db_context);
456 0 : skdc_entry = talloc_get_type_abort(entry->context,
457 : struct samba_kdc_entry);
458 :
459 0 : ret = samba_kdc_check_pkinit_ms_upn_match(context, kdc_db_ctx,
460 : skdc_entry,
461 : certificate_principal);
462 0 : switch (ret) {
463 0 : case 0:
464 0 : break;
465 0 : case SDB_ERR_WRONG_REALM:
466 0 : ret = HDB_ERR_WRONG_REALM;
467 0 : break;
468 0 : case SDB_ERR_NOENTRY:
469 0 : ret = HDB_ERR_NOENTRY;
470 0 : break;
471 0 : case SDB_ERR_NOT_FOUND_HERE:
472 0 : ret = HDB_ERR_NOT_FOUND_HERE;
473 0 : break;
474 0 : default:
475 0 : break;
476 : }
477 :
478 0 : return ret;
479 : }
480 :
481 : static krb5_error_code
482 636 : hdb_samba4_check_client_matches_target_service(krb5_context context, HDB *db,
483 : hdb_entry *client_entry,
484 : hdb_entry *server_target_entry)
485 : {
486 636 : struct samba_kdc_entry *skdc_client_entry
487 636 : = talloc_get_type_abort(client_entry->context,
488 : struct samba_kdc_entry);
489 636 : struct samba_kdc_entry *skdc_server_target_entry
490 636 : = talloc_get_type_abort(server_target_entry->context,
491 : struct samba_kdc_entry);
492 :
493 636 : return samba_kdc_check_client_matches_target_service(context,
494 : skdc_client_entry,
495 : skdc_server_target_entry);
496 : }
497 :
498 8 : static void reset_bad_password_netlogon(TALLOC_CTX *mem_ctx,
499 : struct samba_kdc_db_context *kdc_db_ctx,
500 : struct netr_SendToSamBase *send_to_sam)
501 : {
502 : struct dcerpc_binding_handle *irpc_handle;
503 : struct winbind_SendToSam req;
504 :
505 8 : irpc_handle = irpc_binding_handle_by_name(mem_ctx, kdc_db_ctx->msg_ctx,
506 : "winbind_server",
507 : &ndr_table_winbind);
508 :
509 8 : if (irpc_handle == NULL) {
510 0 : DEBUG(0, ("No winbind_server running!\n"));
511 0 : return;
512 : }
513 :
514 8 : req.in.message = *send_to_sam;
515 :
516 8 : dcerpc_winbind_SendToSam_r_send(mem_ctx, kdc_db_ctx->ev_ctx,
517 : irpc_handle, &req);
518 : }
519 :
520 71023 : static krb5_error_code hdb_samba4_audit(krb5_context context,
521 : HDB *db,
522 : hdb_entry *entry,
523 : hdb_request_t r)
524 : {
525 71023 : struct samba_kdc_db_context *kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
526 : struct samba_kdc_db_context);
527 71023 : struct ldb_dn *domain_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
528 71023 : uint64_t logon_id = generate_random_u64();
529 71023 : heim_object_t auth_details_obj = NULL;
530 71023 : const char *auth_details = NULL;
531 71023 : char *etype_str = NULL;
532 71023 : heim_object_t hdb_auth_status_obj = NULL;
533 : int hdb_auth_status;
534 71023 : heim_object_t pa_type_obj = NULL;
535 71023 : const char *pa_type = NULL;
536 : struct auth_usersupplied_info ui;
537 71023 : size_t sa_socklen = 0;
538 71023 : int final_ret = 0;
539 :
540 71023 : hdb_auth_status_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_AUTH_EVENT);
541 71023 : if (hdb_auth_status_obj == NULL) {
542 : /* No status code found, so just return. */
543 51889 : return 0;
544 : }
545 :
546 19134 : hdb_auth_status = heim_number_get_int(hdb_auth_status_obj);
547 :
548 19134 : pa_type_obj = heim_audit_getkv((heim_svc_req_desc)r, "pa");
549 19134 : if (pa_type_obj != NULL) {
550 18721 : pa_type = heim_string_get_utf8(pa_type_obj);
551 : }
552 :
553 19134 : auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_PKINIT_CLIENT_CERT);
554 19134 : if (auth_details_obj != NULL) {
555 0 : auth_details = heim_string_get_utf8(auth_details_obj);
556 : } else {
557 19134 : auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_GSS_INITIATOR);
558 19134 : if (auth_details_obj != NULL) {
559 0 : auth_details = heim_string_get_utf8(auth_details_obj);
560 : } else {
561 19134 : heim_object_t etype_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_PA_ETYPE);
562 19134 : if (etype_obj != NULL) {
563 18686 : int etype = heim_number_get_int(etype_obj);
564 :
565 18686 : krb5_error_code ret = krb5_enctype_to_string(r->context, etype, &etype_str);
566 18686 : if (ret == 0) {
567 18686 : auth_details = etype_str;
568 : } else {
569 0 : auth_details = "unknown enctype";
570 : }
571 : }
572 : }
573 : }
574 :
575 : /*
576 : * Forcing this via the NTLM auth structure is not ideal, but
577 : * it is the most practical option right now, and ensures the
578 : * logs are consistent, even if some elements are always NULL.
579 : */
580 19134 : ui = (struct auth_usersupplied_info) {
581 : .was_mapped = true,
582 : .client = {
583 19134 : .account_name = r->cname,
584 : .domain_name = NULL,
585 : },
586 : .service_description = "Kerberos KDC",
587 : .auth_description = "Unknown Auth Description",
588 : .password_type = auth_details,
589 : .logon_id = logon_id
590 : };
591 :
592 19134 : switch (r->addr->sa_family) {
593 18076 : case AF_INET:
594 18076 : sa_socklen = sizeof(struct sockaddr_in);
595 18076 : break;
596 : #ifdef HAVE_IPV6
597 1058 : case AF_INET6:
598 1058 : sa_socklen = sizeof(struct sockaddr_in6);
599 1058 : break;
600 : #endif
601 : }
602 :
603 19134 : switch (hdb_auth_status) {
604 18721 : default:
605 : {
606 18721 : TALLOC_CTX *frame = talloc_stackframe();
607 18721 : struct samba_kdc_entry *p = talloc_get_type(entry->context,
608 : struct samba_kdc_entry);
609 18721 : struct dom_sid *sid
610 18721 : = samdb_result_dom_sid(frame, p->msg, "objectSid");
611 18721 : const char *account_name
612 18721 : = ldb_msg_find_attr_as_string(p->msg, "sAMAccountName", NULL);
613 18721 : const char *domain_name = lpcfg_sam_name(p->kdc_db_ctx->lp_ctx);
614 : struct tsocket_address *remote_host;
615 18721 : const char *auth_description = NULL;
616 : NTSTATUS status;
617 : int ret;
618 18721 : bool rwdc_fallback = false;
619 :
620 18721 : ret = tsocket_address_bsd_from_sockaddr(frame, r->addr,
621 : sa_socklen,
622 : &remote_host);
623 18721 : if (ret != 0) {
624 0 : ui.remote_host = NULL;
625 : } else {
626 18721 : ui.remote_host = remote_host;
627 : }
628 :
629 18721 : ui.mapped.account_name = account_name;
630 18721 : ui.mapped.domain_name = domain_name;
631 :
632 18721 : if (pa_type != NULL) {
633 18721 : auth_description = talloc_asprintf(frame,
634 : "%s Pre-authentication",
635 : pa_type);
636 18721 : if (auth_description == NULL) {
637 0 : auth_description = pa_type;
638 : }
639 : } else {
640 0 : auth_description = "Unknown Pre-authentication";
641 : }
642 18721 : ui.auth_description = auth_description;
643 :
644 18721 : if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_AUTHORIZED) {
645 18409 : struct netr_SendToSamBase *send_to_sam = NULL;
646 :
647 : /*
648 : * TODO: We could log the AS-REQ authorization success here as
649 : * well. However before we do that, we need to pass
650 : * in the PAC here or re-calculate it.
651 : */
652 18409 : status = authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg,
653 : domain_dn, true, frame, &send_to_sam);
654 18409 : if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
655 0 : final_ret = KRB5KDC_ERR_CLIENT_REVOKED;
656 0 : r->error_code = final_ret;
657 0 : rwdc_fallback = kdc_db_ctx->rodc;
658 18409 : } else if (!NT_STATUS_IS_OK(status)) {
659 0 : final_ret = KRB5KRB_ERR_GENERIC;
660 0 : r->error_code = final_ret;
661 0 : rwdc_fallback = kdc_db_ctx->rodc;
662 18409 : } else if (kdc_db_ctx->rodc && send_to_sam != NULL) {
663 8 : reset_bad_password_netlogon(frame, kdc_db_ctx, send_to_sam);
664 : }
665 :
666 : /* This is the final sucess */
667 312 : } else if (hdb_auth_status == KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) {
668 : /*
669 : * This was only a pre-authentication success,
670 : * but we didn't reach the final
671 : * KDC_AUTH_EVENT_CLIENT_AUTHORIZED,
672 : * so consult the error code.
673 : */
674 4 : if (r->error_code == 0) {
675 0 : DBG_ERR("ERROR: VALIDATED_LONG_TERM_KEY "
676 : "with error=0 => INTERNAL_ERROR\n");
677 0 : status = NT_STATUS_INTERNAL_ERROR;
678 0 : final_ret = KRB5KRB_ERR_GENERIC;
679 0 : r->error_code = final_ret;
680 4 : } else if (!NT_STATUS_IS_OK(p->reject_status)) {
681 4 : status = p->reject_status;
682 : } else {
683 0 : status = krb5_to_nt_status(r->error_code);
684 : }
685 308 : } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_SUCCEEDED) {
686 : /*
687 : * This was only a pre-authentication success,
688 : * but we didn't reach the final
689 : * KDC_AUTH_EVENT_CLIENT_AUTHORIZED,
690 : * so consult the error code.
691 : */
692 0 : if (r->error_code == 0) {
693 0 : DBG_ERR("ERROR: PREAUTH_SUCCEEDED "
694 : "with error=0 => INTERNAL_ERROR\n");
695 0 : status = NT_STATUS_INTERNAL_ERROR;
696 0 : final_ret = KRB5KRB_ERR_GENERIC;
697 0 : r->error_code = final_ret;
698 0 : } else if (!NT_STATUS_IS_OK(p->reject_status)) {
699 0 : status = p->reject_status;
700 : } else {
701 0 : status = krb5_to_nt_status(r->error_code);
702 : }
703 308 : } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_TIME_SKEW) {
704 8 : status = NT_STATUS_TIME_DIFFERENCE_AT_DC;
705 300 : } else if (hdb_auth_status == KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY) {
706 274 : status = authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
707 274 : if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
708 0 : final_ret = KRB5KDC_ERR_CLIENT_REVOKED;
709 0 : r->error_code = final_ret;
710 : } else {
711 274 : status = NT_STATUS_WRONG_PASSWORD;
712 : }
713 274 : rwdc_fallback = kdc_db_ctx->rodc;
714 26 : } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_LOCKED_OUT) {
715 26 : status = NT_STATUS_ACCOUNT_LOCKED_OUT;
716 26 : rwdc_fallback = kdc_db_ctx->rodc;
717 0 : } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED) {
718 0 : if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
719 0 : status = NT_STATUS_PKINIT_NAME_MISMATCH;
720 : } else {
721 0 : status = NT_STATUS_ACCOUNT_RESTRICTION;
722 : }
723 0 : rwdc_fallback = kdc_db_ctx->rodc;
724 0 : } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_FAILED) {
725 0 : if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
726 0 : status = NT_STATUS_PKINIT_FAILURE;
727 : } else {
728 0 : status = NT_STATUS_GENERIC_COMMAND_FAILED;
729 : }
730 0 : rwdc_fallback = kdc_db_ctx->rodc;
731 : } else {
732 0 : DBG_ERR("Unhandled hdb_auth_status=%d => INTERNAL_ERROR\n",
733 : hdb_auth_status);
734 0 : status = NT_STATUS_INTERNAL_ERROR;
735 0 : final_ret = KRB5KRB_ERR_GENERIC;
736 0 : r->error_code = final_ret;
737 : }
738 :
739 18721 : if (rwdc_fallback) {
740 : /*
741 : * Forward the request to an RWDC in order
742 : * to give an authoritative answer to the client.
743 : */
744 26 : auth_description = talloc_asprintf(frame,
745 : "%s,Forward-To-RWDC",
746 : ui.auth_description);
747 26 : if (auth_description != NULL) {
748 26 : ui.auth_description = auth_description;
749 : }
750 26 : final_ret = HDB_ERR_NOT_FOUND_HERE;
751 : }
752 :
753 18721 : log_authentication_event(kdc_db_ctx->msg_ctx,
754 : kdc_db_ctx->lp_ctx,
755 18721 : &r->tv_start,
756 : &ui,
757 : status,
758 : domain_name,
759 : account_name,
760 : sid);
761 18721 : if (final_ret == KRB5KRB_ERR_GENERIC && socket_wrapper_enabled()) {
762 : /*
763 : * If we're running under make test
764 : * just panic
765 : */
766 0 : DBG_ERR("Unexpected situation => PANIC\n");
767 0 : smb_panic("hdb_samba4_audit: Unexpected situation");
768 : }
769 18721 : TALLOC_FREE(frame);
770 18721 : break;
771 : }
772 413 : case KDC_AUTH_EVENT_CLIENT_UNKNOWN:
773 : {
774 : struct tsocket_address *remote_host;
775 : int ret;
776 413 : TALLOC_CTX *frame = talloc_stackframe();
777 413 : ret = tsocket_address_bsd_from_sockaddr(frame, r->addr,
778 : sa_socklen,
779 : &remote_host);
780 413 : if (ret != 0) {
781 0 : ui.remote_host = NULL;
782 : } else {
783 413 : ui.remote_host = remote_host;
784 : }
785 :
786 413 : if (pa_type == NULL) {
787 413 : pa_type = "AS-REQ";
788 : }
789 :
790 413 : ui.auth_description = pa_type;
791 :
792 : /* Note this is not forwarded to an RWDC */
793 :
794 413 : log_authentication_event(kdc_db_ctx->msg_ctx,
795 : kdc_db_ctx->lp_ctx,
796 413 : &r->tv_start,
797 : &ui,
798 413 : NT_STATUS_NO_SUCH_USER,
799 : NULL, NULL,
800 : NULL);
801 413 : TALLOC_FREE(frame);
802 413 : break;
803 : }
804 : }
805 :
806 19134 : free(etype_str);
807 :
808 19134 : return final_ret;
809 : }
810 :
811 : /* This interface is to be called by the KDC and libnet_keytab_dump,
812 : * which is expecting Samba calling conventions.
813 : * It is also called by a wrapper (hdb_samba4_create) from the
814 : * kpasswdd -> krb5 -> keytab_hdb -> hdb code */
815 :
816 103 : NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
817 : krb5_context context, struct HDB **db)
818 : {
819 : struct samba_kdc_db_context *kdc_db_ctx;
820 : NTSTATUS nt_status;
821 :
822 103 : if (hdb_interface_version != HDB_INTERFACE_VERSION) {
823 0 : krb5_set_error_message(context, EINVAL, "Heimdal HDB interface version mismatch between build-time and run-time libraries!");
824 0 : return NT_STATUS_ERROR_DS_INCOMPATIBLE_VERSION;
825 : }
826 :
827 103 : *db = talloc_zero(base_ctx, HDB);
828 103 : if (!*db) {
829 0 : krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
830 0 : return NT_STATUS_NO_MEMORY;
831 : }
832 :
833 103 : (*db)->hdb_master_key_set = 0;
834 103 : (*db)->hdb_db = NULL;
835 103 : (*db)->hdb_capability_flags = HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL;
836 :
837 103 : nt_status = samba_kdc_setup_db_ctx(*db, base_ctx, &kdc_db_ctx);
838 103 : if (!NT_STATUS_IS_OK(nt_status)) {
839 0 : talloc_free(*db);
840 0 : return nt_status;
841 : }
842 103 : (*db)->hdb_db = kdc_db_ctx;
843 :
844 103 : (*db)->hdb_dbc = NULL;
845 103 : (*db)->hdb_open = hdb_samba4_open;
846 103 : (*db)->hdb_close = hdb_samba4_close;
847 103 : (*db)->hdb_free_entry_context = hdb_samba4_free_entry_context;
848 103 : (*db)->hdb_fetch_kvno = hdb_samba4_fetch_kvno;
849 103 : (*db)->hdb_store = hdb_samba4_store;
850 103 : (*db)->hdb_firstkey = hdb_samba4_firstkey;
851 103 : (*db)->hdb_nextkey = hdb_samba4_nextkey;
852 103 : (*db)->hdb_lock = hdb_samba4_lock;
853 103 : (*db)->hdb_unlock = hdb_samba4_unlock;
854 103 : (*db)->hdb_set_sync = hdb_samba4_set_sync;
855 103 : (*db)->hdb_rename = hdb_samba4_rename;
856 : /* we don't implement these, as we are not a lockable database */
857 103 : (*db)->hdb__get = NULL;
858 103 : (*db)->hdb__put = NULL;
859 : /* kadmin should not be used for deletes - use other tools instead */
860 103 : (*db)->hdb__del = NULL;
861 103 : (*db)->hdb_destroy = hdb_samba4_destroy;
862 :
863 103 : (*db)->hdb_audit = hdb_samba4_audit;
864 103 : (*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation;
865 103 : (*db)->hdb_check_pkinit_ms_upn_match = hdb_samba4_check_pkinit_ms_upn_match;
866 103 : (*db)->hdb_check_client_matches_target_service = hdb_samba4_check_client_matches_target_service;
867 :
868 103 : return NT_STATUS_OK;
869 : }
870 :
871 32 : NTSTATUS hdb_samba4_kpasswd_create_kdc(struct samba_kdc_base_context *base_ctx,
872 : krb5_context context, struct HDB **db)
873 : {
874 : NTSTATUS nt_status;
875 :
876 32 : nt_status = hdb_samba4_create_kdc(base_ctx, context, db);
877 32 : if (!NT_STATUS_IS_OK(nt_status)) {
878 0 : return nt_status;
879 : }
880 :
881 32 : (*db)->hdb_fetch_kvno = hdb_samba4_kpasswd_fetch_kvno;
882 32 : (*db)->hdb_firstkey = hdb_samba4_nextkey_panic;
883 32 : (*db)->hdb_nextkey = hdb_samba4_nextkey_panic;
884 :
885 32 : return NT_STATUS_OK;
886 : }
|
