s4-lsa Implement kerberos ticket life policy

We now no longer print tickets with a potentially infinite life, and
we report the same life over LSA as we use in the KDC.  We should get
this from group policy, but for now it's parametric smb.conf options.

Andrew Bartlett

diff --git a/librpc/idl/lsa.idl b/librpc/idl/lsa.idl
index 869a97a1ac4558c7a0c8be17fbbeb68e0205b5d6..abad501f4eaf6e63272f625a2f7f2148ed5f477d 100644 (file)
--- a/librpc/idl/lsa.idl
+++ b/librpc/idl/lsa.idl
@@ -1064,11 +1064,14 @@ import "misc.idl", "security.idl";
        );
 
        /* Function 0x35 */
+       typedef [bitmap32bit] bitmap {
+               LSA_POLICY_KERBEROS_VALIDATE_CLIENT = 0x00000080
+       } lsa_krbAuthenticationOptions;
 
        /* w2k3 returns either 0x000bbbd000000000 or 0x000a48e800000000
           for reserved - gd */
        typedef struct {
-               uint32 enforce_restrictions;
+               lsa_krbAuthenticationOptions authentication_options;
                hyper service_tkt_lifetime;
                hyper user_tkt_lifetime;
                hyper user_tkt_renewaltime;

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 4bb8e3509178ee85f2c886cffe993e54fc13fce3..15024fa38eb38b4d4e045b4435cf69abf3a69606 100644 (file)
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -43,6 +43,7 @@
 #include <hdb.h>
 #include "kdc/samba_kdc.h"
 #include "kdc/db-glue.h"
+#include "kdc/kdc-policy.h"
 
 enum samba_kdc_ent_type
 { SAMBA_KDC_ENT_TYPE_CLIENT, SAMBA_KDC_ENT_TYPE_SERVER,
@@ -740,9 +741,28 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 
        entry_ex->entry.valid_start = NULL;
 
-       entry_ex->entry.max_life = NULL;
+       entry_ex->entry.max_life = malloc(sizeof(*entry_ex->entry.max_life));
+       if (entry_ex->entry.max_life == NULL) {
+               ret = ENOMEM;
+               goto out;
+       }
 
-       entry_ex->entry.max_renew = NULL;
+       if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
+               *entry_ex->entry.max_life = nt_time_to_unix(kdc_db_ctx->policy.service_tkt_lifetime);
+       } else if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT || ent_type == SAMBA_KDC_ENT_TYPE_CLIENT) {
+               *entry_ex->entry.max_life = nt_time_to_unix(kdc_db_ctx->policy.user_tkt_lifetime);
+       } else {
+               *entry_ex->entry.max_life = MIN(nt_time_to_unix(kdc_db_ctx->policy.service_tkt_lifetime),
+                                              nt_time_to_unix(kdc_db_ctx->policy.user_tkt_lifetime));
+       }
+
+       entry_ex->entry.max_renew = malloc(sizeof(*entry_ex->entry.max_life));
+       if (entry_ex->entry.max_renew == NULL) {
+               ret = ENOMEM;
+               goto out;
+       }
+
+       *entry_ex->entry.max_renew = nt_time_to_unix(kdc_db_ctx->policy.user_tkt_renewaltime);
 
        entry_ex->entry.generation = NULL;
 
@@ -1636,6 +1656,8 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_conte
        kdc_db_ctx->ev_ctx = base_ctx->ev_ctx;
        kdc_db_ctx->lp_ctx = base_ctx->lp_ctx;
 
+       kdc_get_policy(base_ctx->lp_ctx, NULL, &kdc_db_ctx->policy);
+
        session_info = system_session(kdc_db_ctx->lp_ctx);
        if (session_info == NULL) {
                return NT_STATUS_INTERNAL_ERROR;

diff --git a/source4/kdc/kdc-policy.h b/source4/kdc/kdc-policy.h
new file mode 100644 (file)
index 0000000..01e9372
--- /dev/null
+++ b/source4/kdc/kdc-policy.h
@@ -0,0 +1,25 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   KDC Policy
+
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2010
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+struct lsa_DomainInfoKerberos;
+struct loadparm_context;
+struct smb_krb5_context;
+#include "kdc/kdc-policy-proto.h"

diff --git a/source4/kdc/policy.c b/source4/kdc/policy.c
new file mode 100644 (file)
index 0000000..2760e06
--- /dev/null
+++ b/source4/kdc/policy.c
@@ -0,0 +1,50 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   KDC Policy
+
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2010
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "lib/util/util.h"
+#include "kdc/kdc-policy.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
+#include "librpc/gen_ndr/lsa.h"
+#include "param/param.h"
+
+void kdc_get_policy(struct loadparm_context *lp_ctx, 
+                   struct smb_krb5_context *smb_krb5_context, 
+                   struct lsa_DomainInfoKerberos *k)
+{
+       /* These should be set and stored via Group Policy, but until then, some defaults are in order */
+
+       /* Our KDC always re-validates the client */
+       k->authentication_options = LSA_POLICY_KERBEROS_VALIDATE_CLIENT;
+
+       unix_to_nt_time(&k->service_tkt_lifetime,
+                       lpcfg_parm_int(lp_ctx, NULL, "kdc", "service ticket lifefime", 10) * 60 * 60); 
+       unix_to_nt_time(&k->user_tkt_lifetime,
+                       lpcfg_parm_int(lp_ctx, NULL, "kdc", "user ticket lifefime", 10) * 60 * 60); 
+       unix_to_nt_time(&k->user_tkt_renewaltime,
+                       lpcfg_parm_int(lp_ctx, NULL, "kdc", "renewal lifefime", 24*7) * 60 * 60); 
+       if (smb_krb5_context) {
+               unix_to_nt_time(&k->clock_skew, 
+                               krb5_get_max_time_skew(smb_krb5_context->krb5_context));
+       }
+       k->reserved = 0;
+}

diff --git a/source4/kdc/samba_kdc.h b/source4/kdc/samba_kdc.h
index 72b5cc42e4ac9df700cdb691c75466ab345138e9..faa4c7b7ad332d504ff44451a00d7f2141ba7930 100644 (file)
--- a/source4/kdc/samba_kdc.h
+++ b/source4/kdc/samba_kdc.h
@@ -36,6 +36,7 @@ struct samba_kdc_db_context {
        bool rodc;
        unsigned int my_krbtgt_number;
        struct ldb_dn *krbtgt_dn;
+       struct lsa_DomainInfoKerberos policy;
 };
 
 struct samba_kdc_entry {

diff --git a/source4/kdc/wscript_build b/source4/kdc/wscript_build
index 82b9929254076d532604332b352322d95391571b..7ff2623d64a7b6e0deb4993c72bbd38ff488e561 100644 (file)
--- a/source4/kdc/wscript_build
+++ b/source4/kdc/wscript_build
@@ -38,10 +38,17 @@ bld.SAMBA_LIBRARY('pac',
 
 bld.SAMBA_LIBRARY('db-glue',
        source='db-glue.c',
-       deps='ldb auth_sam auth_sam_reply credentials hdb samba-hostconfig com_err',
+       deps='ldb auth_sam auth_sam_reply credentials hdb samba-hostconfig com_err kdc-policy',
        private_library=True
        )
 
+bld.SAMBA_LIBRARY('kdc-policy',
+       source='policy.c',
+       deps='samba-hostconfig authkrb5',
+       private_library=True,
+        autoproto = 'kdc-policy-proto.h'
+        )
+
 
 bld.SAMBA_SUBSYSTEM('MIT_SAMBA',
        source='mit_samba.c',

diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 0854f2528446d1c0df82e131e416ea50c9ccfdc7..6ec078bd4ef3c641ad232fd2c61264f479af26cc 100644 (file)
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -31,6 +31,7 @@
 #include "lib/util/tsort.h"
 #include "dsdb/common/util.h"
 #include "libcli/security/session.h"
+#include "kdc/kdc-policy.h"
 
 /*
   this type allows us to distinguish handle types
@@ -3700,12 +3701,9 @@ static NTSTATUS dcesrv_lsa_QueryDomainInformationPolicy(struct dcesrv_call_state
                        *r->out.info = NULL;
                        return NT_STATUS_INTERNAL_ERROR;
                }
-               k->enforce_restrictions = 0; /* FIXME, details missing from MS-LSAD 2.2.53 */
-               k->service_tkt_lifetime = 0; /* Need to find somewhere to store this, and query in KDC too */
-               k->user_tkt_lifetime = 0;    /* Need to find somewhere to store this, and query in KDC too */
-               k->user_tkt_renewaltime = 0; /* Need to find somewhere to store this, and query in KDC too */
-               k->clock_skew = krb5_get_max_time_skew(smb_krb5_context->krb5_context);
-               k->reserved = 0;
+               kdc_get_policy(dce_call->conn->dce_ctx->lp_ctx,
+                              smb_krb5_context,
+                              k);
                talloc_free(smb_krb5_context);
                *r->out.info = info;
                return NT_STATUS_OK;

diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
index 29c172311971ba2093ced79bb468e127f72cc009..3aafaa566a505bbd5f7cc322df505365fc93a6d6 100644 (file)
--- a/source4/rpc_server/wscript_build
+++ b/source4/rpc_server/wscript_build
@@ -95,7 +95,7 @@ bld.SAMBA_MODULE('dcerpc_lsarpc',
        autoproto='lsa/proto.h',
        subsystem='dcerpc_server',
        init_function='dcerpc_server_lsa_init',
-       deps='samdb DCERPC_COMMON ndr-standard LIBCLI_AUTH NDR_DSSETUP com_err security-session'
+       deps='samdb DCERPC_COMMON ndr-standard LIBCLI_AUTH NDR_DSSETUP com_err security-session kdc-policy'
        )