summaryrefslogtreecommitdiff
path: root/source4/heimdal/kdc/default_config.c
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2007-01-24 02:48:40 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:44:18 -0500
commitd5bbd817fe83aed1ee48ed4f478f3887c059f7b9 (patch)
treef4373e5c069d1b6f1cbc489d3e5addc8dd8e6a19 /source4/heimdal/kdc/default_config.c
parent14503a65ec81ae15a05633b0aea6e62e35b021f3 (diff)
downloadsamba-d5bbd817fe83aed1ee48ed4f478f3887c059f7b9.tar.gz
samba-d5bbd817fe83aed1ee48ed4f478f3887c059f7b9.tar.bz2
samba-d5bbd817fe83aed1ee48ed4f478f3887c059f7b9.zip
r20988: Call out to Heimdal's krb5.conf processing to configure many aspects
of KDC behaviour. This should allow PKINIT to be turned on and managed with reasonable sanity. This also means that the krb5.conf in the same directory as the smb.conf will always have priority in Samba4, which I think will be useful. Andrew Bartlett (This used to be commit a50bbde81b010bc5d06e3fc3417ade44627eb771)
Diffstat (limited to 'source4/heimdal/kdc/default_config.c')
-rw-r--r--source4/heimdal/kdc/default_config.c316
1 files changed, 312 insertions, 4 deletions
diff --git a/source4/heimdal/kdc/default_config.c b/source4/heimdal/kdc/default_config.c
index c4d9f51fd0..2352020d86 100644
--- a/source4/heimdal/kdc/default_config.c
+++ b/source4/heimdal/kdc/default_config.c
@@ -1,6 +1,7 @@
/*
- * Copyright (c) 2005 Andrew Bartlett <abartlet@samba.org>
- *
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ *
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -14,10 +15,14 @@
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
@@ -29,6 +34,19 @@
#include "kdc_locl.h"
+int require_preauth = -1; /* 1 == require preauth for all principals */
+
+const char *trpolicy_str;
+
+int disable_des = -1;
+int enable_v4 = -1;
+int enable_kaserver = -1;
+int enable_524 = -1;
+int enable_v4_cross_realm = -1;
+int detach_from_console = -1;
+
+char *v4_realm;
+
/*
* Setup some of the defaults for the KDC configuration.
*
@@ -60,3 +78,293 @@ krb5_kdc_default_config(krb5_kdc_configuration *config)
config->num_db = 0;
config->logf = NULL;
}
+
+
+/*
+ * Setup some valudes for the KDC configuration, from the config file
+ *
+ * Note: Caller must also fill in:
+ * - db
+ * - num_db
+ * - logf
+ *
+*/
+
+void krb5_kdc_configure(krb5_context context, krb5_kdc_configuration *config)
+{
+ const char *p;
+ if(require_preauth == -1) {
+ config->require_preauth = krb5_config_get_bool_default(context, NULL,
+ config->require_preauth,
+ "kdc",
+ "require-preauth", NULL);
+ } else {
+ config->require_preauth = require_preauth;
+ }
+
+ if(enable_v4 == -1) {
+ config->enable_v4 = krb5_config_get_bool_default(context, NULL,
+ config->enable_v4,
+ "kdc",
+ "enable-kerberos4",
+ NULL);
+ } else {
+ config->enable_v4 = enable_v4;
+ }
+
+ if(enable_v4_cross_realm == -1) {
+ config->enable_v4_cross_realm =
+ krb5_config_get_bool_default(context, NULL,
+ config->enable_v4_cross_realm,
+ "kdc",
+ "enable-kerberos4-cross-realm",
+ NULL);
+ } else {
+ config->enable_v4_cross_realm = enable_v4_cross_realm;
+ }
+
+ if(enable_524 == -1) {
+ config->enable_524 = krb5_config_get_bool_default(context, NULL,
+ config->enable_v4,
+ "kdc", "enable-524",
+ NULL);
+ } else {
+ config->enable_524 = enable_524;
+ }
+
+ config->enable_digest =
+ krb5_config_get_bool_default(context, NULL,
+ FALSE,
+ "kdc",
+ "enable-digest", NULL);
+
+ {
+ const char *digests;
+
+ digests = krb5_config_get_string(context, NULL,
+ "kdc",
+ "digests_allowed", NULL);
+ if (digests == NULL)
+ digests = "ntlm-v2";
+ config->digests_allowed = parse_flags(digests,
+ _kdc_digestunits,
+ 0);
+ if (config->digests_allowed == -1) {
+ kdc_log(context, config, 0,
+ "unparsable digest units (%s), turning off digest",
+ digests);
+ config->enable_digest = 0;
+ } else if (config->digests_allowed == 0) {
+ kdc_log(context, config, 0,
+ "no digest enable, turning digest off",
+ digests);
+ config->enable_digest = 0;
+ }
+ }
+
+ config->enable_kx509 =
+ krb5_config_get_bool_default(context, NULL,
+ FALSE,
+ "kdc",
+ "enable-kx509", NULL);
+
+ config->check_ticket_addresses =
+ krb5_config_get_bool_default(context, NULL,
+ config->check_ticket_addresses,
+ "kdc",
+ "check-ticket-addresses", NULL);
+ config->allow_null_ticket_addresses =
+ krb5_config_get_bool_default(context, NULL,
+ config->allow_null_ticket_addresses,
+ "kdc",
+ "allow-null-ticket-addresses", NULL);
+
+ config->allow_anonymous =
+ krb5_config_get_bool_default(context, NULL,
+ config->allow_anonymous,
+ "kdc",
+ "allow-anonymous", NULL);
+
+ config->max_datagram_reply_length =
+ krb5_config_get_int_default(context,
+ NULL,
+ 1400,
+ "kdc",
+ "max-kdc-datagram-reply-length",
+ NULL);
+
+ trpolicy_str =
+ krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc",
+ "transited-policy", NULL);
+ if(strcasecmp(trpolicy_str, "always-check") == 0) {
+ config->trpolicy = TRPOLICY_ALWAYS_CHECK;
+ } else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
+ config->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
+ } else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) {
+ config->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
+ } else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) {
+ /* default */
+ } else {
+ kdc_log(context, config,
+ 0, "unknown transited-policy: %s, reverting to default (always-check)",
+ trpolicy_str);
+ }
+
+ if (krb5_config_get_string(context, NULL, "kdc",
+ "enforce-transited-policy", NULL))
+ krb5_errx(context, 1, "enforce-transited-policy deprecated, "
+ "use [kdc]transited-policy instead");
+
+ if(v4_realm == NULL){
+ p = krb5_config_get_string (context, NULL,
+ "kdc",
+ "v4-realm",
+ NULL);
+ if(p != NULL) {
+ config->v4_realm = strdup(p);
+ if (config->v4_realm == NULL)
+ krb5_errx(context, 1, "out of memory");
+ } else {
+ config->v4_realm = NULL;
+ }
+ } else {
+ config->v4_realm = v4_realm;
+ }
+
+ if (enable_kaserver == -1) {
+ config->enable_kaserver =
+ krb5_config_get_bool_default(context,
+ NULL,
+ config->enable_kaserver,
+ "kdc",
+ "enable-kaserver",
+ NULL);
+ } else {
+ config->enable_kaserver = enable_kaserver;
+ }
+
+ config->encode_as_rep_as_tgs_rep =
+ krb5_config_get_bool_default(context, NULL,
+ config->encode_as_rep_as_tgs_rep,
+ "kdc",
+ "encode_as_rep_as_tgs_rep",
+ NULL);
+
+ config->kdc_warn_pwexpire =
+ krb5_config_get_time_default (context, NULL,
+ config->kdc_warn_pwexpire,
+ "kdc",
+ "kdc_warn_pwexpire",
+ NULL);
+
+ if(detach_from_console == -1)
+ detach_from_console = krb5_config_get_bool_default(context, NULL,
+ DETACH_IS_DEFAULT,
+ "kdc",
+ "detach", NULL);
+
+#ifdef PKINIT
+ config->enable_pkinit =
+ krb5_config_get_bool_default(context,
+ NULL,
+ config->enable_pkinit,
+ "kdc",
+ "enable-pkinit",
+ NULL);
+ if (config->enable_pkinit) {
+ const char *user_id, *anchors, *ocsp_file;
+ char **pool_list, **revoke_list;
+
+ user_id = krb5_config_get_string(context, NULL,
+ "kdc",
+ "pkinit_identity",
+ NULL);
+ if (user_id == NULL)
+ krb5_errx(context, 1, "pkinit enabled but no identity");
+
+ anchors = krb5_config_get_string(context, NULL,
+ "kdc",
+ "pkinit_anchors",
+ NULL);
+ if (anchors == NULL)
+ krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
+
+ pool_list = krb5_config_get_strings(context, NULL,
+ "kdc",
+ "pkinit_pool",
+ NULL);
+
+ revoke_list = krb5_config_get_strings(context, NULL,
+ "kdc",
+ "pkinit_revoke",
+ NULL);
+
+ ocsp_file =
+ krb5_config_get_string(context, NULL,
+ "kdc",
+ "pkinit_kdc_ocsp",
+ NULL);
+ if (ocsp_file) {
+ config->pkinit_kdc_ocsp_file = strdup(ocsp_file);
+ if (config->pkinit_kdc_ocsp_file == NULL)
+ krb5_errx(context, 1, "out of memory");
+ }
+ _kdc_pk_initialize(context, config, user_id, anchors,
+ pool_list, revoke_list);
+
+ krb5_config_free_strings(pool_list);
+ krb5_config_free_strings(revoke_list);
+
+ config->enable_pkinit_princ_in_cert =
+ krb5_config_get_bool_default(context,
+ NULL,
+ config->enable_pkinit_princ_in_cert,
+ "kdc",
+ "pkinit_principal_in_certificate",
+ NULL);
+ }
+
+ config->pkinit_dh_min_bits =
+ krb5_config_get_int_default(context,
+ NULL,
+ 0,
+ "kdc",
+ "pkinit_dh_min_bits",
+ NULL);
+
+#endif
+
+ if(config->v4_realm == NULL && (config->enable_kaserver || config->enable_v4)){
+#ifdef KRB4
+ config->v4_realm = malloc(40); /* REALM_SZ */
+ if (config->v4_realm == NULL)
+ krb5_errx(context, 1, "out of memory");
+ krb_get_lrealm(config->v4_realm, 1);
+#else
+ krb5_errx(context, 1, "No Kerberos 4 realm configured");
+#endif
+ }
+ if(disable_des == -1)
+ disable_des = krb5_config_get_bool_default(context, NULL,
+ FALSE,
+ "kdc",
+ "disable-des", NULL);
+ if(disable_des) {
+ krb5_enctype_disable(context, ETYPE_DES_CBC_CRC);
+ krb5_enctype_disable(context, ETYPE_DES_CBC_MD4);
+ krb5_enctype_disable(context, ETYPE_DES_CBC_MD5);
+ krb5_enctype_disable(context, ETYPE_DES_CBC_NONE);
+ krb5_enctype_disable(context, ETYPE_DES_CFB64_NONE);
+ krb5_enctype_disable(context, ETYPE_DES_PCBC_NONE);
+
+ kdc_log(context, config,
+ 0, "DES was disabled, turned off Kerberos V4, 524 "
+ "and kaserver");
+ config->enable_v4 = 0;
+ config->enable_524 = 0;
+ config->enable_kaserver = 0;
+ }
+
+ _kdc_windc_init(context);
+}
+
generated by cgit (git 2.34.1) at 2024-06-27 20:42:33 +0000