source3/libads/krb5_setpw.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    krb5 set password implementation
   4    Copyright (C) Andrew Tridgell 2001
   5    Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
   6
   7    This program is free software; you can redistribute it and/or modify
   8    it under the terms of the GNU General Public License as published by
   9    the Free Software Foundation; either version 3 of the License, or
  10    (at your option) any later version.
  11
  12    This program is distributed in the hope that it will be useful,
  13    but WITHOUT ANY WARRANTY; without even the implied warranty of
  14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15    GNU General Public License for more details.
  16
  17    You should have received a copy of the GNU General Public License
  18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  19 */
  20
  21 #include "includes.h"
  22 #include "smb_krb5.h"
  23 #include "libads/kerberos_proto.h"
  24 #include "../lib/util/asn1.h"
  25
  26 #ifdef HAVE_KRB5
  27
  28 /* Those are defined by kerberos-set-passwd-02.txt and are probably
  29  * not supported by M$ implementation */
  30 #define KRB5_KPASSWD_POLICY_REJECT              8
  31 #define KRB5_KPASSWD_BAD_PRINCIPAL              9
  32 #define KRB5_KPASSWD_ETYPE_NOSUPP               10
  33
  34 /*
  35  * we've got to be able to distinguish KRB_ERRORs from other
  36  * requests - valid response for CHPW v2 replies.
  37  */
  38
  39 static krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code)
  40 {
  41         switch(res_code) {
  42                 case KRB5_KPASSWD_ACCESSDENIED:
  43                         return KRB5KDC_ERR_BADOPTION;
  44                 case KRB5_KPASSWD_INITIAL_FLAG_NEEDED:
  45                         return KRB5KDC_ERR_BADOPTION;
  46                         /* return KV5M_ALT_METHOD; MIT-only define */
  47                 case KRB5_KPASSWD_ETYPE_NOSUPP:
  48                         return KRB5KDC_ERR_ETYPE_NOSUPP;
  49                 case KRB5_KPASSWD_BAD_PRINCIPAL:
  50                         return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
  51                 case KRB5_KPASSWD_POLICY_REJECT:
  52                 case KRB5_KPASSWD_SOFTERROR:
  53                         return KRB5KDC_ERR_POLICY;
  54                 default:
  55                         return KRB5KRB_ERR_GENERIC;
  56         }
  57 }
  58
  59 ADS_STATUS ads_krb5_set_password(const char *kdc_host, const char *principal,
  60                                  const char *newpw, int time_offset)
  61 {
  62
  63         ADS_STATUS aret;
  64         krb5_error_code ret = 0;
  65         krb5_context context = NULL;
  66         krb5_principal princ = NULL;
  67         krb5_ccache ccache = NULL;
  68         int result_code;
  69         krb5_data result_code_string = { 0 };
  70         krb5_data result_string = { 0 };
  71
  72         initialize_krb5_error_table();
  73         ret = krb5_init_context(&context);
  74         if (ret) {
  75                 DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
  76                 return ADS_ERROR_KRB5(ret);
  77         }
  78
  79         if (principal) {
  80                 ret = smb_krb5_parse_name(context, principal, &princ);
  81                 if (ret) {
  82                         krb5_free_context(context);
  83                         DEBUG(1, ("Failed to parse %s (%s)\n", principal,
  84                                   error_message(ret)));
  85                         return ADS_ERROR_KRB5(ret);
  86                 }
  87         }
  88
  89         if (time_offset != 0) {
  90                 krb5_set_real_time(context, time(NULL) + time_offset, 0);
  91         }
  92
  93         ret = krb5_cc_default(context, &ccache);
  94         if (ret) {
  95                 krb5_free_principal(context, princ);
  96                 krb5_free_context(context);
  97                 DEBUG(1,("Failed to get default creds (%s)\n", error_message(ret)));
  98                 return ADS_ERROR_KRB5(ret);
  99         }
 100
 101         ret = krb5_set_password_using_ccache(context, ccache, newpw, princ,
 102                                              &result_code,
 103                                              &result_code_string,
 104                                              &result_string);
 105         if (ret) {
 106                 DEBUG(1, ("krb5_set_password failed (%s)\n", error_message(ret)));
 107                 aret = ADS_ERROR_KRB5(ret);
 108                 goto done;
 109         }
 110
 111         if (result_code != KRB5_KPASSWD_SUCCESS) {
 112                 ret = kpasswd_err_to_krb5_err(result_code);
 113                 DEBUG(1, ("krb5_set_password failed (%s)\n", error_message(ret)));
 114                 aret = ADS_ERROR_KRB5(ret);
 115                 goto done;
 116         }
 117
 118         aret = ADS_SUCCESS;
 119
 120 done:
 121         kerberos_free_data_contents(context, &result_code_string);
 122         kerberos_free_data_contents(context, &result_string);
 123         krb5_free_principal(context, princ);
 124         krb5_cc_close(context, ccache);
 125         krb5_free_context(context);
 126
 127         return aret;
 128 }
 129
 130 /*
 131   we use a prompter to avoid a crash bug in the kerberos libs when
 132   dealing with empty passwords
 133   this prompter is just a string copy ...
 134 */
 135 static krb5_error_code
 136 kerb_prompter(krb5_context ctx, void *data,
 137                const char *name,
 138                const char *banner,
 139                int num_prompts,
 140                krb5_prompt prompts[])
 141 {
 142         if (num_prompts == 0) return 0;
 143
 144         memset(prompts[0].reply->data, 0, prompts[0].reply->length);
 145         if (prompts[0].reply->length > 0) {
 146                 if (data) {
 147                         strncpy((char *)prompts[0].reply->data,
 148                                 (const char *)data,
 149                                 prompts[0].reply->length-1);
 150                         prompts[0].reply->length = strlen((const char *)prompts[0].reply->data);
 151                 } else {
 152                         prompts[0].reply->length = 0;
 153                 }
 154         }
 155         return 0;
 156 }
 157
 158 static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
 159                                         const char *principal,
 160                                         const char *oldpw,
 161                                         const char *newpw,
 162                                         int time_offset)
 163 {
 164     ADS_STATUS aret;
 165     krb5_error_code ret;
 166     krb5_context context = NULL;
 167     krb5_principal princ;
 168     krb5_get_init_creds_opt opts;
 169     krb5_creds creds;
 170     char *chpw_princ = NULL, *password;
 171     const char *realm = NULL;
 172     int result_code;
 173     krb5_data result_code_string = { 0 };
 174     krb5_data result_string = { 0 };
 175
 176     initialize_krb5_error_table();
 177     ret = krb5_init_context(&context);
 178     if (ret) {
 179         DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
 180         return ADS_ERROR_KRB5(ret);
 181     }
 182
 183     if ((ret = smb_krb5_parse_name(context, principal,
 184                                     &princ))) {
 185         krb5_free_context(context);
 186         DEBUG(1,("Failed to parse %s (%s)\n", principal, error_message(ret)));
 187         return ADS_ERROR_KRB5(ret);
 188     }
 189
 190     krb5_get_init_creds_opt_init(&opts);
 191     krb5_get_init_creds_opt_set_tkt_life(&opts, 5*60);
 192     krb5_get_init_creds_opt_set_renew_life(&opts, 0);
 193     krb5_get_init_creds_opt_set_forwardable(&opts, 0);
 194     krb5_get_init_creds_opt_set_proxiable(&opts, 0);
 195
 196     realm = smb_krb5_principal_get_realm(context, princ);
 197
 198     /* We have to obtain an INITIAL changepw ticket for changing password */
 199     if (asprintf(&chpw_princ, "kadmin/changepw@%s", realm) == -1) {
 200         krb5_free_context(context);
 201         free(realm);
 202         DEBUG(1,("ads_krb5_chg_password: asprintf fail\n"));
 203         return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
 204     }
 205
 206     free(realm);
 207     password = SMB_STRDUP(oldpw);
 208     ret = krb5_get_init_creds_password(context, &creds, princ, password,
 209                                            kerb_prompter, NULL,
 210                                            0, chpw_princ, &opts);
 211     SAFE_FREE(chpw_princ);
 212     SAFE_FREE(password);
 213
 214     if (ret) {
 215       if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)
 216         DEBUG(1,("Password incorrect while getting initial ticket"));
 217       else
 218         DEBUG(1,("krb5_get_init_creds_password failed (%s)\n", error_message(ret)));
 219
 220         krb5_free_principal(context, princ);
 221         krb5_free_context(context);
 222         return ADS_ERROR_KRB5(ret);
 223     }
 224
 225     ret = krb5_change_password(context, &creds, newpw, &result_code,
 226                                &result_code_string, &result_string);
 227     if (ret) {
 228         DEBUG(1, ("krb5_change_password failed (%s)\n", error_message(ret)));
 229         aret = ADS_ERROR_KRB5(ret);
 230         goto done;
 231     }
 232
 233     if (result_code != KRB5_KPASSWD_SUCCESS) {
 234         ret = kpasswd_err_to_krb5_err(result_code);
 235         DEBUG(1, ("krb5_change_password failed (%s)\n", error_message(ret)));
 236         aret = ADS_ERROR_KRB5(ret);
 237         goto done;
 238     }
 239
 240     aret = ADS_SUCCESS;
 241
 242 done:
 243     kerberos_free_data_contents(context, &result_code_string);
 244     kerberos_free_data_contents(context, &result_string);
 245     krb5_free_principal(context, princ);
 246     krb5_free_context(context);
 247
 248     return aret;
 249 }
 250
 251
 252 ADS_STATUS kerberos_set_password(const char *kpasswd_server,
 253                                  const char *auth_principal, const char *auth_password,
 254                                  const char *target_principal, const char *new_password,
 255                                  int time_offset)
 256 {
 257     int ret;
 258
 259     if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL))) {
 260         DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret)));
 261         return ADS_ERROR_KRB5(ret);
 262     }
 263
 264     if (!strcmp(auth_principal, target_principal))
 265         return ads_krb5_chg_password(kpasswd_server, target_principal,
 266                                      auth_password, new_password, time_offset);
 267     else
 268         return ads_krb5_set_password(kpasswd_server, target_principal,
 269                                      new_password, time_offset);
 270 }
 271
 272 #endif