source4/kdc/pac-glue.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    PAC Glue between Samba and the KDC
   5
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009
   7    Copyright (C) Simo Sorce <idra@samba.org> 2010
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19
  20    You should have received a copy of the GNU General Public License
  21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  22 */
  23
  24 #include "includes.h"
  25 #include "../libds/common/flags.h"
  26 #include "lib/ldb/include/ldb.h"
  27 #include "auth/auth.h"
  28 #include "auth/auth_sam_reply.h"
  29 #include "kdc/kdc-glue.h"
  30 #include "param/param.h"
  31
  32 static
  33 NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx,
  34                                        struct auth_serversupplied_info *info,
  35                                        DATA_BLOB *pac_data)
  36 {
  37         struct netr_SamInfo3 *info3;
  38         union PAC_INFO pac_info;
  39         enum ndr_err_code ndr_err;
  40         NTSTATUS nt_status;
  41
  42         ZERO_STRUCT(pac_info);
  43
  44         nt_status = auth_convert_server_info_saminfo3(mem_ctx, info, &info3);
  45         if (!NT_STATUS_IS_OK(nt_status)) {
  46                 DEBUG(1, ("Getting Samba info failed: %s\n",
  47                           nt_errstr(nt_status)));
  48                 return nt_status;
  49         }
  50
  51         pac_info.logon_info.info = talloc_zero(mem_ctx, struct PAC_LOGON_INFO);
  52         if (!mem_ctx) {
  53                 return NT_STATUS_NO_MEMORY;
  54         }
  55
  56         pac_info.logon_info.info->info3 = *info3;
  57
  58         ndr_err = ndr_push_union_blob(pac_data, mem_ctx, &pac_info,
  59                                       PAC_TYPE_LOGON_INFO,
  60                                       (ndr_push_flags_fn_t)ndr_push_PAC_INFO);
  61         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
  62                 nt_status = ndr_map_error2ntstatus(ndr_err);
  63                 DEBUG(1, ("PAC (presig) push failed: %s\n",
  64                           nt_errstr(nt_status)));
  65                 return nt_status;
  66         }
  67
  68         return NT_STATUS_OK;
  69 }
  70
  71 krb5_error_code samba_make_krb5_pac(krb5_context context,
  72                                     DATA_BLOB *pac_blob,
  73                                     krb5_pac *pac)
  74 {
  75         krb5_data pac_data;
  76         krb5_error_code ret;
  77
  78         /* The user account may be set not to want the PAC */
  79         if (!pac_blob) {
  80                 return 0;
  81         }
  82
  83         ret = krb5_data_copy(&pac_data, pac_blob->data, pac_blob->length);
  84         if (ret != 0) {
  85                 return ret;
  86         }
  87
  88         ret = krb5_pac_init(context, pac);
  89         if (ret != 0) {
  90                 krb5_data_free(&pac_data);
  91                 return ret;
  92         }
  93
  94         ret = krb5_pac_add_buffer(context, *pac, PAC_TYPE_LOGON_INFO, &pac_data);
  95         krb5_data_free(&pac_data);
  96         if (ret != 0) {
  97                 return ret;
  98         }
  99
 100         return ret;
 101 }
 102
 103 bool samba_princ_needs_pac(struct hdb_entry_ex *princ)
 104 {
 105
 106         struct samba_kdc_entry *p = talloc_get_type(princ->ctx, struct samba_kdc_entry);
 107         uint32_t userAccountControl;
 108
 109
 110         /* The service account may be set not to want the PAC */
 111         userAccountControl = ldb_msg_find_attr_as_uint(p->msg, "userAccountControl", 0);
 112         if (userAccountControl & UF_NO_AUTH_DATA_REQUIRED) {
 113                 return false;
 114         }
 115
 116         return true;
 117 }
 118
 119 /* Was the krbtgt an RODC (and we are not) */
 120 bool samba_krbtgt_was_untrusted_rodc(struct hdb_entry_ex *princ)
 121 {
 122
 123         struct samba_kdc_entry *p = talloc_get_type(princ->ctx, struct samba_kdc_entry);
 124         int rodc_krbtgt_number;
 125
 126         /* Determine if this was printed by an RODC */
 127         rodc_krbtgt_number = ldb_msg_find_attr_as_int(p->msg, "msDS-SecondaryKrbTgtNumber", -1);
 128         if (rodc_krbtgt_number == -1) {
 129                 return false;
 130         } else if (rodc_krbtgt_number != p->kdc_db_ctx->my_krbtgt_number) {
 131                 return true;
 132         }
 133
 134         return false;
 135 }
 136
 137 NTSTATUS samba_kdc_get_pac_blob(TALLOC_CTX *mem_ctx,
 138                                 struct hdb_entry_ex *client,
 139                                 DATA_BLOB **_pac_blob)
 140 {
 141         struct samba_kdc_entry *p = talloc_get_type(client->ctx, struct samba_kdc_entry);
 142         struct auth_serversupplied_info *server_info;
 143         DATA_BLOB *pac_blob;
 144         NTSTATUS nt_status;
 145
 146         /* The user account may be set not to want the PAC */
 147         if ( ! samba_princ_needs_pac(client)) {
 148                 *_pac_blob = NULL;
 149                 return NT_STATUS_OK;
 150         }
 151
 152         pac_blob = talloc_zero(mem_ctx, DATA_BLOB);
 153         if (!pac_blob) {
 154                 return NT_STATUS_NO_MEMORY;
 155         }
 156
 157         nt_status = authsam_make_server_info(mem_ctx, p->kdc_db_ctx->samdb,
 158                                              lpcfg_netbios_name(p->kdc_db_ctx->lp_ctx),
 159                                              lpcfg_sam_name(p->kdc_db_ctx->lp_ctx),
 160                                              p->realm_dn,
 161                                              p->msg,
 162                                              data_blob(NULL, 0),
 163                                              data_blob(NULL, 0),
 164                                              &server_info);
 165         if (!NT_STATUS_IS_OK(nt_status)) {
 166                 DEBUG(0, ("Getting user info for PAC failed: %s\n",
 167                           nt_errstr(nt_status)));
 168                 return nt_status;
 169         }
 170
 171         nt_status = samba_get_logon_info_pac_blob(mem_ctx, server_info, pac_blob);
 172         if (!NT_STATUS_IS_OK(nt_status)) {
 173                 DEBUG(0, ("Building PAC failed: %s\n",
 174                           nt_errstr(nt_status)));
 175                 return nt_status;
 176         }
 177
 178         *_pac_blob = pac_blob;
 179         return NT_STATUS_OK;
 180 }
 181
 182 NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx,
 183                                    krb5_context context,
 184                                    krb5_pac *pac, DATA_BLOB *pac_blob)
 185 {
 186         struct auth_serversupplied_info *server_info;
 187         krb5_error_code ret;
 188         NTSTATUS nt_status;
 189
 190         ret = kerberos_pac_to_server_info(mem_ctx, *pac,
 191                                           context, &server_info);
 192         if (ret) {
 193                 return NT_STATUS_UNSUCCESSFUL;
 194         }
 195
 196         nt_status = samba_get_logon_info_pac_blob(mem_ctx,
 197                                                   server_info, pac_blob);
 198
 199         return nt_status;
 200 }
 201
 202 /* this function allocates 'data' using malloc.
 203  * The caller is responsible for freeing it */
 204 void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data)
 205 {
 206         PA_DATA pa;
 207         unsigned char *buf;
 208         size_t len;
 209         krb5_error_code ret = 0;
 210
 211         if (!e_data)
 212                 return;
 213
 214         pa.padata_type          = KRB5_PADATA_PW_SALT;
 215         pa.padata_value.length  = 12;
 216         pa.padata_value.data    = malloc(pa.padata_value.length);
 217         if (!pa.padata_value.data) {
 218                 e_data->length = 0;
 219                 e_data->data = NULL;
 220                 return;
 221         }
 222
 223         SIVAL(pa.padata_value.data, 0, NT_STATUS_V(nt_status));
 224         SIVAL(pa.padata_value.data, 4, 0);
 225         SIVAL(pa.padata_value.data, 8, 1);
 226
 227         ASN1_MALLOC_ENCODE(PA_DATA, buf, len, &pa, &len, ret);
 228         free(pa.padata_value.data);
 229
 230         e_data->data   = buf;
 231         e_data->length = len;
 232
 233         return;
 234 }
 235
 236 /* function to map policy errors */
 237 krb5_error_code samba_kdc_map_policy_err(NTSTATUS nt_status)
 238 {
 239         krb5_error_code ret;
 240
 241         if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_MUST_CHANGE))
 242                 ret = KRB5KDC_ERR_KEY_EXPIRED;
 243         else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_EXPIRED))
 244                 ret = KRB5KDC_ERR_KEY_EXPIRED;
 245         else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_EXPIRED))
 246                 ret = KRB5KDC_ERR_CLIENT_REVOKED;
 247         else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED))
 248                 ret = KRB5KDC_ERR_CLIENT_REVOKED;
 249         else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_LOGON_HOURS))
 250                 ret = KRB5KDC_ERR_CLIENT_REVOKED;
 251         else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_LOCKED_OUT))
 252                 ret = KRB5KDC_ERR_CLIENT_REVOKED;
 253         else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_WORKSTATION))
 254                 ret = KRB5KDC_ERR_POLICY;
 255         else
 256                 ret = KRB5KDC_ERR_POLICY;
 257
 258         return ret;
 259 }
 260
 261 /* Given a kdc entry, consult the account_ok routine in auth/auth_sam.c
 262  * for consistency */
 263 NTSTATUS samba_kdc_check_client_access(struct samba_kdc_entry *kdc_entry,
 264                                        const char *client_name,
 265                                        const char *workstation,
 266                                        bool password_change)
 267 {
 268         TALLOC_CTX *tmp_ctx;
 269         NTSTATUS nt_status;
 270
 271         tmp_ctx = talloc_named(NULL, 0, "samba_kdc_check_client_access");
 272         if (!tmp_ctx) {
 273                 return NT_STATUS_NO_MEMORY;
 274         }
 275
 276         /* we allow all kinds of trusts here */
 277         nt_status = authsam_account_ok(tmp_ctx,
 278                                        kdc_entry->kdc_db_ctx->samdb,
 279                                        MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT |
 280                                        MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT,
 281                                        kdc_entry->realm_dn, kdc_entry->msg,
 282                                        workstation, client_name,
 283                                        true, password_change);
 284
 285         talloc_free(tmp_ctx);
 286         return nt_status;
 287 }
 288