s4-lsa Implement kerberos ticket life policy

We now no longer print tickets with a potentially infinite life, and
we report the same life over LSA as we use in the KDC.  We should get
this from group policy, but for now it's parametric smb.conf options.

Andrew Bartlett

5 files changed, 108 insertions, 3 deletions

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 4bb8e35091..15024fa38e 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -43,6 +43,7 @@
 #include <hdb.h>
 #include "kdc/samba_kdc.h"
 #include "kdc/db-glue.h"
+#include "kdc/kdc-policy.h"
 
 enum samba_kdc_ent_type
 { SAMBA_KDC_ENT_TYPE_CLIENT, SAMBA_KDC_ENT_TYPE_SERVER,
@@ -740,9 +741,28 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 
 	entry_ex->entry.valid_start = NULL;
 
-	entry_ex->entry.max_life = NULL;
+	entry_ex->entry.max_life = malloc(sizeof(*entry_ex->entry.max_life));
+	if (entry_ex->entry.max_life == NULL) {
+		ret = ENOMEM;
+		goto out;
+	}
 
-	entry_ex->entry.max_renew = NULL;
+	if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
+		*entry_ex->entry.max_life = nt_time_to_unix(kdc_db_ctx->policy.service_tkt_lifetime);
+	} else if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT || ent_type == SAMBA_KDC_ENT_TYPE_CLIENT) {
+		*entry_ex->entry.max_life = nt_time_to_unix(kdc_db_ctx->policy.user_tkt_lifetime);
+	} else {
+		*entry_ex->entry.max_life = MIN(nt_time_to_unix(kdc_db_ctx->policy.service_tkt_lifetime),
+					       nt_time_to_unix(kdc_db_ctx->policy.user_tkt_lifetime));
+	}
+
+	entry_ex->entry.max_renew = malloc(sizeof(*entry_ex->entry.max_life));
+	if (entry_ex->entry.max_renew == NULL) {
+		ret = ENOMEM;
+		goto out;
+	}
+
+	*entry_ex->entry.max_renew = nt_time_to_unix(kdc_db_ctx->policy.user_tkt_renewaltime);
 
 	entry_ex->entry.generation = NULL;
 
@@ -1636,6 +1656,8 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_conte
 	kdc_db_ctx->ev_ctx = base_ctx->ev_ctx;
 	kdc_db_ctx->lp_ctx = base_ctx->lp_ctx;
 
+	kdc_get_policy(base_ctx->lp_ctx, NULL, &kdc_db_ctx->policy);
+
 	session_info = system_session(kdc_db_ctx->lp_ctx);
 	if (session_info == NULL) {
 		return NT_STATUS_INTERNAL_ERROR;
diff --git a/source4/kdc/kdc-policy.h b/source4/kdc/kdc-policy.h
new file mode 100644
index 0000000000..01e9372596
--- /dev/null
+++ b/source4/kdc/kdc-policy.h
@@ -0,0 +1,25 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   KDC Policy
+
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2010
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+struct lsa_DomainInfoKerberos;
+struct loadparm_context;
+struct smb_krb5_context;
+#include "kdc/kdc-policy-proto.h"
diff --git a/source4/kdc/policy.c b/source4/kdc/policy.c
new file mode 100644
index 0000000000..2760e06940
--- /dev/null
+++ b/source4/kdc/policy.c
@@ -0,0 +1,50 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   KDC Policy
+
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2010
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "lib/util/util.h"
+#include "kdc/kdc-policy.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
+#include "librpc/gen_ndr/lsa.h"
+#include "param/param.h"
+
+void kdc_get_policy(struct loadparm_context *lp_ctx, 
+		    struct smb_krb5_context *smb_krb5_context, 
+		    struct lsa_DomainInfoKerberos *k)
+{
+	/* These should be set and stored via Group Policy, but until then, some defaults are in order */
+
+	/* Our KDC always re-validates the client */
+	k->authentication_options = LSA_POLICY_KERBEROS_VALIDATE_CLIENT;
+
+	unix_to_nt_time(&k->service_tkt_lifetime,
+			lpcfg_parm_int(lp_ctx, NULL, "kdc", "service ticket lifefime", 10) * 60 * 60); 
+	unix_to_nt_time(&k->user_tkt_lifetime,
+			lpcfg_parm_int(lp_ctx, NULL, "kdc", "user ticket lifefime", 10) * 60 * 60); 
+	unix_to_nt_time(&k->user_tkt_renewaltime,
+			lpcfg_parm_int(lp_ctx, NULL, "kdc", "renewal lifefime", 24*7) * 60 * 60); 
+	if (smb_krb5_context) {
+		unix_to_nt_time(&k->clock_skew, 
+				krb5_get_max_time_skew(smb_krb5_context->krb5_context));
+	}
+	k->reserved = 0;
+}
diff --git a/source4/kdc/samba_kdc.h b/source4/kdc/samba_kdc.h
index 72b5cc42e4..faa4c7b7ad 100644
--- a/source4/kdc/samba_kdc.h
+++ b/source4/kdc/samba_kdc.h
@@ -36,6 +36,7 @@ struct samba_kdc_db_context {
 	bool rodc;
 	unsigned int my_krbtgt_number;
 	struct ldb_dn *krbtgt_dn;
+	struct lsa_DomainInfoKerberos policy;
 };
 
 struct samba_kdc_entry {
diff --git a/source4/kdc/wscript_build b/source4/kdc/wscript_build
index 82b9929254..7ff2623d64 100644
--- a/source4/kdc/wscript_build
+++ b/source4/kdc/wscript_build
@@ -38,10 +38,17 @@ bld.SAMBA_LIBRARY('pac',
 
 bld.SAMBA_LIBRARY('db-glue',
 	source='db-glue.c',
-	deps='ldb auth_sam auth_sam_reply credentials hdb samba-hostconfig com_err',
+	deps='ldb auth_sam auth_sam_reply credentials hdb samba-hostconfig com_err kdc-policy',
 	private_library=True
 	)
 
+bld.SAMBA_LIBRARY('kdc-policy',
+	source='policy.c',
+	deps='samba-hostconfig authkrb5',
+	private_library=True,
+        autoproto = 'kdc-policy-proto.h'
+        )
+
 
 bld.SAMBA_SUBSYSTEM('MIT_SAMBA',
 	source='mit_samba.c',