krb5 fallback

[metze/samba/wip.git] / auth / kerberos / gensec_gssapi_helper.c

/*
   Unix SMB/CIFS implementation.
   GSSAPI/GENSEC helper functions

   Copyright (C) Stefan Metzmacher 2016

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include "includes.h"
#include "system/gssapi.h"
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
#include "auth/kerberos/gensec_gssapi_helper.h"
#include "lib/util/util_net.h"

NTSTATUS gensec_gssapi_try_kerberos(struct gensec_security *gensec_security)
{
        TALLOC_CTX *frame = talloc_stackframe();
        struct cli_credentials *creds = gensec_get_credentials(gensec_security);
        const char *target_principal = gensec_get_target_principal(gensec_security);
        const char *target_hostname = gensec_get_target_hostname(gensec_security);
        const char *user_principal = NULL;
        const char *user_account = NULL;
        const char *user_domain = NULL;
        const char *realm = NULL;
        enum credentials_use_kerberos krb5_state;
        bool try_kerberos = false;
        bool auth_requested = true;

        auth_requested = cli_credentials_authentication_requested(creds);
        if (auth_requested) {
                user_principal = cli_credentials_get_principal(creds, frame);
                if (user_principal == NULL) {
                        TALLOC_FREE(frame);
                        return NT_STATUS_NO_MEMORY;
                }
                realm = cli_credentials_get_realm(creds);
        }
        user_account = cli_credentials_get_username(creds);
        user_domain = cli_credentials_get_domain(creds);

        krb5_state = cli_credentials_get_kerberos_state(creds);

        if (krb5_state != CRED_DONT_USE_KERBEROS) {
                try_kerberos = true;
        }

        if (!auth_requested) {
                try_kerberos = false;
        } else if (target_principal != NULL) {
                /* noop */
        } else if (target_hostname == NULL) {
                try_kerberos = false;
        } else if (is_ipaddress(target_hostname)) {
                try_kerberos = false;
        } else if (strequal(target_hostname, "localhost")) {
                try_kerberos = false;
        } else if (strequal(target_hostname, "*SMBSERVER")) {
                try_kerberos = false;
        }

        if (krb5_state == CRED_MUST_USE_KERBEROS && !try_kerberos) {
                DEBUG(0, ("Kerberos auth with '%s' (%s\\%s %s) to access "
                          "'%s' not possible\n",
                          user_principal, user_domain, user_account, realm,
                          target_principal ? target_principal : target_hostname));
                TALLOC_FREE(frame);
                return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT;
        }

        if (!try_kerberos) {
                TALLOC_FREE(frame);
                return NT_STATUS_INVALID_PARAMETER;
        }

        TALLOC_FREE(frame);
        return NT_STATUS_OK;
}

NTSTATUS gensec_gssapi_map_krb5_error(struct gensec_security *gensec_security,
                                      uint32_t gss_maj, uint32_t gss_min)
{
        TALLOC_CTX *frame = talloc_stackframe();

        TALLOC_FREE(frame);
        return NT_STATUS_OK;
}