source4/auth/kerberos/kerberos_util.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Kerberos utility functions for GENSEC
   5
   6    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
   7
   8    This program is free software; you can redistribute it and/or modify
   9    it under the terms of the GNU General Public License as published by
  10    the Free Software Foundation; either version 2 of the License, or
  11    (at your option) any later version.
  12
  13    This program is distributed in the hope that it will be useful,
  14    but WITHOUT ANY WARRANTY; without even the implied warranty of
  15    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16    GNU General Public License for more details.
  17
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22 */
  23
  24 #include "includes.h"
  25 #include "system/kerberos.h"
  26 #include "system/time.h"
  27 #include "system/network.h"
  28 #include "auth/kerberos/kerberos.h"
  29 #include "auth/auth.h"
  30
  31 struct principal_container {
  32         struct smb_krb5_context *smb_krb5_context;
  33         krb5_principal principal;
  34 };
  35
  36 static int free_principal(void *ptr) {
  37         struct principal_container *pc = ptr;
  38         /* current heimdal - 0.6.3, which we need anyway, fixes segfaults here */
  39         krb5_free_principal(pc->smb_krb5_context->krb5_context, pc->principal);
  40
  41         return 0;
  42 }
  43
  44 krb5_error_code salt_principal_from_credentials(TALLOC_CTX *parent_ctx,
  45                                                 struct cli_credentials *machine_account,
  46                                                 struct smb_krb5_context *smb_krb5_context,
  47                                                 krb5_principal *salt_princ)
  48 {
  49         krb5_error_code ret;
  50         char *machine_username;
  51         char *salt_body;
  52         char *lower_realm;
  53         char *salt_principal;
  54         struct principal_container *mem_ctx = talloc(parent_ctx, struct principal_container);
  55         if (!mem_ctx) {
  56                 return ENOMEM;
  57         }
  58
  59         salt_principal = cli_credentials_get_salt_principal(machine_account);
  60         if (salt_principal) {
  61                 ret = krb5_parse_name(smb_krb5_context->krb5_context, salt_principal, salt_princ);
  62         } else {
  63                 machine_username = talloc_strdup(mem_ctx, cli_credentials_get_username(machine_account));
  64
  65                 if (!machine_username) {
  66                         talloc_free(mem_ctx);
  67                         return ENOMEM;
  68                 }
  69
  70                 if (machine_username[strlen(machine_username)-1] == '$') {
  71                         machine_username[strlen(machine_username)-1] = '\0';
  72                 }
  73                 lower_realm = strlower_talloc(mem_ctx, cli_credentials_get_realm(machine_account));
  74                 if (!lower_realm) {
  75                         talloc_free(mem_ctx);
  76                         return ENOMEM;
  77                 }
  78
  79                 salt_body = talloc_asprintf(mem_ctx, "%s.%s", machine_username,
  80                                             lower_realm);
  81                 if (!salt_body) {
  82                         talloc_free(mem_ctx);
  83                 return ENOMEM;
  84                 }
  85
  86                 ret = krb5_make_principal(smb_krb5_context->krb5_context, salt_princ,
  87                                           cli_credentials_get_realm(machine_account),
  88                                           "host", salt_body, NULL);
  89         }
  90
  91         if (ret == 0) {
  92                 mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
  93                 mem_ctx->principal = *salt_princ;
  94                 talloc_set_destructor(mem_ctx, free_principal);
  95         }
  96         return ret;
  97 }
  98
  99 krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx,
 100                                            struct cli_credentials *credentials,
 101                                            struct smb_krb5_context *smb_krb5_context,
 102                                            krb5_principal *princ)
 103 {
 104         krb5_error_code ret;
 105         const char *princ_string;
 106         struct principal_container *mem_ctx = talloc(parent_ctx, struct principal_container);
 107         if (!mem_ctx) {
 108                 return ENOMEM;
 109         }
 110
 111         princ_string = cli_credentials_get_principal(credentials, mem_ctx);
 112
 113         if (!princ_string) {
 114                 talloc_free(mem_ctx);
 115                 princ = NULL;
 116                 return 0;
 117         }
 118
 119         ret = krb5_parse_name(smb_krb5_context->krb5_context,
 120                               princ_string, princ);
 121
 122         if (ret == 0) {
 123                 mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
 124                 mem_ctx->principal = *princ;
 125                 talloc_set_destructor(mem_ctx, free_principal);
 126         }
 127         return ret;
 128 }
 129
 130 /**
 131  * Return a freshly allocated ccache (destroyed by destructor on child
 132  * of parent_ctx), for a given set of client credentials
 133  */
 134
 135  krb5_error_code kinit_to_ccache(TALLOC_CTX *parent_ctx,
 136                                  struct cli_credentials *credentials,
 137                                  struct smb_krb5_context *smb_krb5_context,
 138                                  krb5_ccache ccache)
 139 {
 140         krb5_error_code ret;
 141         const char *password;
 142         time_t kdc_time = 0;
 143         krb5_principal princ;
 144
 145         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
 146
 147         if (!mem_ctx) {
 148                 return ENOMEM;
 149         }
 150
 151         ret = principal_from_credentials(mem_ctx, credentials, smb_krb5_context, &princ);
 152         if (ret) {
 153                 talloc_free(mem_ctx);
 154                 return ret;
 155         }
 156
 157         password = cli_credentials_get_password(credentials);
 158
 159         if (password) {
 160                 ret = kerberos_kinit_password_cc(smb_krb5_context->krb5_context, ccache,
 161                                                  princ,
 162                                                  password, NULL, &kdc_time);
 163         } else {
 164                 /* No password available, try to use a keyblock instead */
 165
 166                 krb5_keyblock keyblock;
 167                 const struct samr_Password *mach_pwd;
 168                 mach_pwd = cli_credentials_get_nt_hash(credentials, mem_ctx);
 169                 if (!mach_pwd) {
 170                         talloc_free(mem_ctx);
 171                         DEBUG(1, ("kinit_to_ccache: No password available for kinit\n"));
 172                         return EINVAL;
 173                 }
 174                 ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
 175                                          ENCTYPE_ARCFOUR_HMAC,
 176                                          mach_pwd->hash, sizeof(mach_pwd->hash),
 177                                          &keyblock);
 178
 179                 if (ret == 0) {
 180                         ret = kerberos_kinit_keyblock_cc(smb_krb5_context->krb5_context, ccache,
 181                                                          princ,
 182                                                          &keyblock, NULL, &kdc_time);
 183                         krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &keyblock);
 184                 }
 185         }
 186
 187         /* cope with ticket being in the future due to clock skew */
 188         if ((unsigned)kdc_time > time(NULL)) {
 189                 time_t t = time(NULL);
 190                 int time_offset =(unsigned)kdc_time-t;
 191                 DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset));
 192                 krb5_set_real_time(smb_krb5_context->krb5_context, t + time_offset + 1, 0);
 193         }
 194
 195         if (ret == KRB5KRB_AP_ERR_SKEW || ret == KRB5_KDCREP_SKEW) {
 196                 DEBUG(1,("kinit for %s failed (%s)\n",
 197                          cli_credentials_get_principal(credentials, mem_ctx),
 198                          smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 199                                                     ret, mem_ctx)));
 200                 talloc_free(mem_ctx);
 201                 return ret;
 202         }
 203         if (ret) {
 204                 DEBUG(1,("kinit for %s failed (%s)\n",
 205                          cli_credentials_get_principal(credentials, mem_ctx),
 206                          smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 207                                                     ret, mem_ctx)));
 208                 talloc_free(mem_ctx);
 209                 return ret;
 210         }
 211         return 0;
 212 }
 213
 214 static int free_keytab(void *ptr) {
 215         struct keytab_container *ktc = ptr;
 216         krb5_kt_close(ktc->smb_krb5_context->krb5_context, ktc->keytab);
 217
 218         return 0;
 219 }
 220
 221  int create_memory_keytab(TALLOC_CTX *parent_ctx,
 222                           struct cli_credentials *machine_account,
 223                           struct smb_krb5_context *smb_krb5_context,
 224                           struct keytab_container **keytab_container)
 225 {
 226         krb5_error_code ret;
 227         const char *password_s;
 228         char *old_secret;
 229         krb5_data password;
 230         int i, kvno;
 231         krb5_enctype *enctypes;
 232         krb5_principal salt_princ;
 233         krb5_principal princ;
 234         krb5_keytab keytab;
 235
 236         TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
 237         if (!mem_ctx) {
 238                 return ENOMEM;
 239         }
 240
 241         *keytab_container = talloc(mem_ctx, struct keytab_container);
 242
 243         ret = krb5_kt_resolve(smb_krb5_context->krb5_context, "MEMORY:", &keytab);
 244         if (ret) {
 245                 DEBUG(1,("failed to generate a new krb5 keytab: %s\n",
 246                          error_message(ret)));
 247                 talloc_free(mem_ctx);
 248                 return ret;
 249         }
 250
 251         (*keytab_container)->smb_krb5_context = talloc_reference(*keytab_container, smb_krb5_context);
 252         (*keytab_container)->keytab = keytab;
 253
 254         talloc_set_destructor(*keytab_container, free_keytab);
 255
 256         ret = salt_principal_from_credentials(mem_ctx, machine_account,
 257                                               smb_krb5_context,
 258                                               &salt_princ);
 259         if (ret) {
 260                 DEBUG(1,("create_memory_keytab: maksing salt principal failed (%s)\n",
 261                          smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 262                                                     ret, mem_ctx)));
 263                 talloc_free(mem_ctx);
 264                 return ret;
 265         }
 266
 267         ret = principal_from_credentials(mem_ctx, machine_account, smb_krb5_context, &princ);
 268         if (ret) {
 269                 DEBUG(1,("create_memory_keytab: maksing krb5 principal failed (%s)\n",
 270                          smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 271                                                     ret, mem_ctx)));
 272                 talloc_free(mem_ctx);
 273                 return ret;
 274         }
 275
 276         password_s = cli_credentials_get_password(machine_account);
 277         if (!password_s) {
 278                 /* If we don't have the plaintext password, try for
 279                  * the MD4 password hash */
 280
 281                 krb5_keytab_entry entry;
 282                 const struct samr_Password *mach_pwd;
 283                 mach_pwd = cli_credentials_get_nt_hash(machine_account, mem_ctx);
 284                 if (!mach_pwd) {
 285                         talloc_free(mem_ctx);
 286                         DEBUG(1, ("create_memory_keytab: Domain trust informaton for account %s not available\n",
 287                                   cli_credentials_get_principal(machine_account, mem_ctx)));
 288                         return EINVAL;
 289                 }
 290                 ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
 291                                          ENCTYPE_ARCFOUR_HMAC,
 292                                          mach_pwd->hash, sizeof(mach_pwd->hash),
 293                                          &entry.keyblock);
 294                 if (ret) {
 295                         DEBUG(1, ("create_memory_keytab: krb5_keyblock_init failed: %s\n",
 296                                   smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 297                                                              ret, mem_ctx)));
 298                         return ret;
 299                 }
 300
 301                 entry.principal = princ;
 302                 entry.vno       = cli_credentials_get_kvno(machine_account);
 303                 ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, keytab, &entry);
 304                 if (ret) {
 305                         DEBUG(1, ("Failed to add ARCFOUR_HMAC (only) entry for %s to keytab: %s",
 306                                   cli_credentials_get_principal(machine_account, mem_ctx),
 307                                   smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 308                                                              ret, mem_ctx)));
 309                         talloc_free(mem_ctx);
 310                         krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
 311                         return ret;
 312                 }
 313
 314                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
 315
 316                 talloc_steal(parent_ctx, *keytab_container);
 317                 talloc_free(mem_ctx);
 318                 return 0;
 319         }
 320
 321         /* good, we actually have the real plaintext */
 322
 323         ret = get_kerberos_allowed_etypes(smb_krb5_context->krb5_context,
 324                                           &enctypes);
 325         if (ret) {
 326                 DEBUG(1,("create_memory_keytab: getting encrption types failed (%s)\n",
 327                          error_message(ret)));
 328                 talloc_free(mem_ctx);
 329                 return ret;
 330         }
 331
 332         password.data = discard_const_p(char *, password_s);
 333         password.length = strlen(password_s);
 334         kvno = cli_credentials_get_kvno(machine_account);
 335
 336         for (i=0; enctypes[i]; i++) {
 337                 krb5_keytab_entry entry;
 338                 ret = create_kerberos_key_from_string(smb_krb5_context->krb5_context,
 339                                                       salt_princ, &password, &entry.keyblock, enctypes[i]);
 340                 if (ret) {
 341                         talloc_free(mem_ctx);
 342                         return ret;
 343                 }
 344
 345                 entry.principal = princ;
 346                 entry.vno       = kvno;
 347                 ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, keytab, &entry);
 348                 if (ret) {
 349                         DEBUG(1, ("Failed to add entry for %s to keytab: %s",
 350                                   cli_credentials_get_principal(machine_account, mem_ctx),
 351                                   smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 352                                                              ret, mem_ctx)));
 353                         talloc_free(mem_ctx);
 354                         krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
 355                         return ret;
 356                 }
 357
 358                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
 359         }
 360
 361         old_secret = cli_credentials_get_old_password(machine_account);
 362         if (kvno != 0 && old_secret) {
 363                 password.data = discard_const_p(char *, old_secret);
 364                 password.length = strlen(old_secret);
 365
 366                 for (i=0; enctypes[i]; i++) {
 367                         krb5_keytab_entry entry;
 368                         ret = create_kerberos_key_from_string(smb_krb5_context->krb5_context,
 369                                                               salt_princ, &password, &entry.keyblock, enctypes[i]);
 370                         if (ret) {
 371                                 talloc_free(mem_ctx);
 372                                 return ret;
 373                         }
 374
 375                         entry.principal = princ;
 376                         entry.vno       = kvno - 1;
 377                         ret = krb5_kt_add_entry(smb_krb5_context->krb5_context, keytab, &entry);
 378                         if (ret) {
 379                                 DEBUG(1, ("Failed to add 'old password' entry for %s to keytab: %s",
 380                                           cli_credentials_get_principal(machine_account, mem_ctx),
 381                                           smb_get_krb5_error_message(smb_krb5_context->krb5_context,
 382                                                                      ret, mem_ctx)));
 383                                 talloc_free(mem_ctx);
 384                                 krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
 385                                 return ret;
 386                         }
 387
 388                         krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &entry.keyblock);
 389                 }
 390         }
 391
 392         free_kerberos_etypes(smb_krb5_context->krb5_context, enctypes);
 393
 394         talloc_steal(parent_ctx, *keytab_container);
 395         talloc_free(mem_ctx);
 396         return 0;
 397 }
 398
 399