summaryrefslogtreecommitdiff
path: root/source4/kdc
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2006-01-02 22:00:40 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:49:37 -0500
commit8cd5930a4b021cbee10edbefd3629dae028de052 (patch)
tree1f6aed89d2d5f3cafc61123f25f65f79259dc7ca /source4/kdc
parent2d9bd9b3a5b8cd76835e120dcf4442c072f95eda (diff)
downloadsamba-8cd5930a4b021cbee10edbefd3629dae028de052.tar.gz
samba-8cd5930a4b021cbee10edbefd3629dae028de052.tar.bz2
samba-8cd5930a4b021cbee10edbefd3629dae028de052.zip
r12682: This patch finally fixes our kpasswdd implementation to be compatible
with clients compiled against the MIT Kerberos implementation. (Which checks for address in KRB-PRIV packets, hence my comments on socket functions earlier today). It also fixes the 'set password' operation to behave correctly (it was previously a no-op). This allows Samba3 to join Samba4. Some winbindd operations even work, which I think is a good step forward. There is naturally a lot of work to do, but I wanted at least the very basics of Samba3 domain membership to be available for the tech preview. Andrew Bartlett (This used to be commit 4e80a557f9c68b01ac6d5bb05716fe5b3fd400d4)
Diffstat (limited to 'source4/kdc')
-rw-r--r--source4/kdc/kdc.c86
-rw-r--r--source4/kdc/kdc.h6
-rw-r--r--source4/kdc/kpasswdd.c145
3 files changed, 177 insertions, 60 deletions
diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c
index 7e165ae349..6dcce3254d 100644
--- a/source4/kdc/kdc.c
+++ b/source4/kdc/kdc.c
@@ -45,8 +45,8 @@ typedef BOOL (*kdc_process_fn_t)(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
DATA_BLOB *input,
DATA_BLOB *reply,
- const char *src_addr,
- int src_port);
+ const char *peer_address, int peer_port,
+ const char *my_address, int my_port);
/* hold information about one kdc socket */
struct kdc_socket {
@@ -116,6 +116,8 @@ static void kdc_recv_handler(struct kdc_socket *kdc_socket)
size_t nread, dsize;
const char *src_addr;
int src_port;
+ const char *my_addr;
+ int my_port;
int ret;
status = socket_pending(kdc_socket->sock, &dsize);
@@ -140,15 +142,24 @@ static void kdc_recv_handler(struct kdc_socket *kdc_socket)
talloc_steal(tmp_ctx, src_addr);
blob.length = nread;
- DEBUG(2,("Received krb5 UDP packet of length %lu from %s:%u\n",
+ DEBUG(10,("Received krb5 UDP packet of length %lu from %s:%u\n",
(long)blob.length, src_addr, (uint16_t)src_port));
+ my_addr = socket_get_my_addr(kdc_socket->sock, tmp_ctx);
+ if (!my_addr) {
+ talloc_free(tmp_ctx);
+ return;
+ }
+ my_port = socket_get_my_port(kdc_socket->sock);
+
+
/* Call krb5 */
ret = kdc_socket->process(kdc_socket->kdc,
tmp_ctx,
&blob,
&reply,
- src_addr, src_port);
+ src_addr, src_port,
+ my_addr, my_port);
if (!ret) {
talloc_free(tmp_ctx);
return;
@@ -205,19 +216,28 @@ static NTSTATUS kdc_tcp_recv(void *private, DATA_BLOB blob)
struct kdc_tcp_connection);
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
TALLOC_CTX *tmp_ctx = talloc_new(kdcconn);
- const char *src_addr;
- int src_port;
int ret;
DATA_BLOB input, reply;
+ const char *src_addr;
+ int src_port;
+ const char *my_addr;
+ int my_port;
talloc_steal(tmp_ctx, blob.data);
src_addr = socket_get_peer_addr(kdcconn->conn->socket, tmp_ctx);
- if (!src_addr) goto nomem;
- src_port = socket_get_peer_port(kdcconn->conn->socket);
+ if (!src_addr) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ src_port = socket_get_my_port(kdcconn->conn->socket);
- DEBUG(2,("Received krb5 TCP packet of length %lu from %s:%u\n",
- (long)blob.length - 4, src_addr, src_port));
+ my_addr = socket_get_my_addr(kdcconn->conn->socket, tmp_ctx);
+ if (!my_addr) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ my_port = socket_get_my_port(kdcconn->conn->socket);
/* Call krb5 */
input = data_blob_const(blob.data + 4, blob.length - 4);
@@ -226,16 +246,18 @@ static NTSTATUS kdc_tcp_recv(void *private, DATA_BLOB blob)
tmp_ctx,
&input,
&reply,
- src_addr, src_port);
+ src_addr, src_port,
+ my_addr, my_port);
if (!ret) {
- status = NT_STATUS_INTERNAL_ERROR;
- goto failed;
+ talloc_free(tmp_ctx);
+ return NT_STATUS_INTERNAL_ERROR;
}
/* and now encode the reply */
blob = data_blob_talloc(kdcconn, NULL, reply.length + 4);
if (!blob.data) {
- goto nomem;
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
}
RSIVAL(blob.data, 0, reply.length);
@@ -243,17 +265,13 @@ static NTSTATUS kdc_tcp_recv(void *private, DATA_BLOB blob)
status = packet_send(kdcconn->packet, blob);
if (!NT_STATUS_IS_OK(status)) {
- goto failed;
+ talloc_free(tmp_ctx);
+ return status;
}
/* the call isn't needed any more */
talloc_free(tmp_ctx);
return NT_STATUS_OK;
-nomem:
- status = NT_STATUS_NO_MEMORY;
-
-failed:
- return status;
}
/*
@@ -294,31 +312,35 @@ static BOOL kdc_process(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
DATA_BLOB *input,
DATA_BLOB *reply,
- const char *src_addr,
- int src_port)
+ const char *peer_addr,
+ int peer_port,
+ const char *my_addr,
+ int my_port)
{
int ret;
krb5_data k5_reply;
struct ipv4_addr addr;
- struct sockaddr_in src_sock_addr;
+ struct sockaddr_in peer_sock_addr;
/* TODO: This really should be in a utility function somewhere */
- ZERO_STRUCT(src_sock_addr);
+ ZERO_STRUCT(peer_sock_addr);
#ifdef HAVE_SOCK_SIN_LEN
- src_sock_addr.sin_len = sizeof(src_sock_addr);
+ peer_sock_addr.sin_len = sizeof(peer_sock_addr);
#endif
- addr = interpret_addr2(src_addr);
- src_sock_addr.sin_addr.s_addr = addr.addr;
- src_sock_addr.sin_port = htons(src_port);
- src_sock_addr.sin_family = PF_INET;
+ addr = interpret_addr2(peer_addr);
+ peer_sock_addr.sin_addr.s_addr = addr.addr;
+ peer_sock_addr.sin_port = htons(peer_port);
+ peer_sock_addr.sin_family = PF_INET;
+
+ DEBUG(10,("Received KDC packet of length %lu from %s\n",
+ (long)input->length - 4, peer_addr));
-
ret = krb5_kdc_process_krb5_request(kdc->smb_krb5_context->krb5_context,
kdc->config,
input->data, input->length,
&k5_reply,
- src_addr,
- (struct sockaddr *)&src_sock_addr);
+ peer_addr,
+ (struct sockaddr *)&peer_sock_addr);
if (ret == -1) {
*reply = data_blob(NULL, 0);
return False;
diff --git a/source4/kdc/kdc.h b/source4/kdc/kdc.h
index 0cf3199c52..f9dbbefb9a 100644
--- a/source4/kdc/kdc.h
+++ b/source4/kdc/kdc.h
@@ -33,8 +33,10 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
DATA_BLOB *input,
DATA_BLOB *reply,
- const char *from,
- int src_port);
+ const char *peer_addr,
+ int peer_port,
+ const char *my_addr,
+ int my_port);
/*
top level context structure for the kdc server
diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index e6f0ae9dd7..ee6317792b 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -178,7 +178,10 @@ static BOOL kpasswdd_change_password(struct kdc_server *kdc,
reply);
}
- DEBUG(3, ("Changing password of %s\n", dom_sid_string(mem_ctx, session_info->security_token->user_sid)));
+ DEBUG(3, ("Changing password of %s\\%s (%s)\n",
+ session_info->server_info->domain_name,
+ session_info->server_info->account_name,
+ dom_sid_string(mem_ctx, session_info->security_token->user_sid)));
/* User password change */
status = samdb_set_password_sid(samdb, mem_ctx,
@@ -203,14 +206,7 @@ static BOOL kpasswd_process_request(struct kdc_server *kdc,
DATA_BLOB *input,
DATA_BLOB *reply)
{
- NTSTATUS status;
- enum samr_RejectReason reject_reason;
- struct samr_DomInfo1 *dominfo;
- struct ldb_context *samdb;
struct auth_session_info *session_info;
- struct ldb_message *msg = ldb_msg_new(gensec_security);
- krb5_context context = kdc->smb_krb5_context->krb5_context;
- int ret;
if (!msg) {
return False;
}
@@ -236,14 +232,22 @@ static BOOL kpasswd_process_request(struct kdc_server *kdc,
}
case KRB5_KPASSWD_VERS_SETPW:
{
- size_t len;
+ NTSTATUS status;
+ enum samr_RejectReason reject_reason;
+ struct samr_DomInfo1 *dominfo;
+ struct ldb_context *samdb;
+ struct ldb_message *msg = ldb_msg_new(mem_ctx);
+ krb5_context context = kdc->smb_krb5_context->krb5_context;
+
ChangePasswdDataMS chpw;
char *password;
+
krb5_principal principal;
char *set_password_on_princ;
struct ldb_dn *set_password_on_dn;
- samdb = samdb_connect(gensec_security, session_info);
+ size_t len;
+ int ret;
ret = decode_ChangePasswdDataMS(input->data, input->length,
&chpw, &len);
@@ -294,11 +298,35 @@ static BOOL kpasswd_process_request(struct kdc_server *kdc,
krb5_free_principal(context, principal);
+ samdb = samdb_connect(mem_ctx, session_info);
+ if (!samdb) {
+ return kpasswdd_make_error_reply(kdc, mem_ctx,
+ KRB5_KPASSWD_HARDERROR,
+ "Unable to open database!",
+ reply);
+ }
+
+ DEBUG(3, ("%s\\%s (%s) is changing password of %s\n",
+ session_info->server_info->domain_name,
+ session_info->server_info->account_name,
+ dom_sid_string(mem_ctx, session_info->security_token->user_sid),
+ set_password_on_princ));
+ ret = ldb_transaction_start(samdb);
+ if (ret) {
+ status = NT_STATUS_TRANSACTION_ABORTED;
+ return kpasswd_make_pwchange_reply(kdc, mem_ctx,
+ status,
+ reject_reason,
+ dominfo,
+ reply);
+ }
+
status = crack_user_principal_name(samdb, mem_ctx,
set_password_on_princ,
&set_password_on_dn, NULL);
free(set_password_on_princ);
if (!NT_STATUS_IS_OK(status)) {
+ ldb_transaction_cancel(samdb);
return kpasswd_make_pwchange_reply(kdc, mem_ctx,
status,
reject_reason,
@@ -306,14 +334,48 @@ static BOOL kpasswd_process_request(struct kdc_server *kdc,
reply);
}
- /* Admin password set */
- status = samdb_set_password(samdb, mem_ctx,
- set_password_on_dn, NULL,
- msg, password, NULL, NULL,
- False, /* this is not a user password change */
- True, /* run restriction tests */
- &reject_reason, &dominfo);
+ msg = ldb_msg_new(mem_ctx);
+ if (msg == NULL) {
+ ldb_transaction_cancel(samdb);
+ status = NT_STATUS_NO_MEMORY;
+ } else {
+ msg->dn = ldb_dn_copy(msg, set_password_on_dn);
+ if (!msg->dn) {
+ status = NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ if (NT_STATUS_IS_OK(status)) {
+ /* Admin password set */
+ status = samdb_set_password(samdb, mem_ctx,
+ set_password_on_dn, NULL,
+ msg, password, NULL, NULL,
+ False, /* this is not a user password change */
+ True, /* run restriction tests */
+ &reject_reason, &dominfo);
+ }
+ if (NT_STATUS_IS_OK(status)) {
+ /* modify the samdb record */
+ ret = samdb_replace(samdb, mem_ctx, msg);
+ if (ret != 0) {
+ DEBUG(2,("Failed to modify record to set password on %s: %s\n",
+ ldb_dn_linearize(mem_ctx, msg->dn),
+ ldb_errstring(samdb)));
+ status = NT_STATUS_ACCESS_DENIED;
+ }
+ }
+ if (NT_STATUS_IS_OK(status)) {
+ ret = ldb_transaction_commit(samdb);
+ if (ret != 0) {
+ DEBUG(1,("Failed to commit transaction to set password on %s: %s\n",
+ ldb_dn_linearize(mem_ctx, msg->dn),
+ ldb_errstring(samdb)));
+ status = NT_STATUS_TRANSACTION_ABORTED;
+ }
+ } else {
+ ldb_transaction_cancel(samdb);
+ }
return kpasswd_make_pwchange_reply(kdc, mem_ctx,
status,
reject_reason,
@@ -322,11 +384,11 @@ static BOOL kpasswd_process_request(struct kdc_server *kdc,
}
default:
return kpasswdd_make_error_reply(kdc, mem_ctx,
- KRB5_KPASSWD_BAD_VERSION,
- talloc_asprintf(mem_ctx,
- "Protocol version %u not supported",
- version),
- reply);
+ KRB5_KPASSWD_BAD_VERSION,
+ talloc_asprintf(mem_ctx,
+ "Protocol version %u not supported",
+ version),
+ reply);
}
return True;
}
@@ -335,8 +397,10 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
TALLOC_CTX *mem_ctx,
DATA_BLOB *input,
DATA_BLOB *reply,
- const char *from,
- int src_port)
+ const char *peer_addr,
+ int peer_port,
+ const char *my_addr,
+ int my_port)
{
BOOL ret;
const uint16_t header_len = 6;
@@ -355,6 +419,8 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
return False;
}
+ /* Be parinoid. We need to ensure we don't just let the
+ * caller lead us into a buffer overflow */
if (input->length <= header_len) {
talloc_free(tmp_ctx);
return False;
@@ -366,6 +432,9 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
return False;
}
+ /* There are two different versions of this protocol so far,
+ * plus others in the standards pipe. Fortunetly they all
+ * take a very similar framing */
version = RSVAL(input->data, 2);
ap_req_len = RSVAL(input->data, 4);
if ((ap_req_len >= len) || (ap_req_len + header_len) >= len) {
@@ -407,7 +476,26 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
return ret;
}
- gensec_set_credentials(gensec_security, server_credentials);
+ nt_status = gensec_set_credentials(gensec_security, server_credentials);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(tmp_ctx);
+ return False;
+ }
+
+ /* The kerberos PRIV packets include these addresses. MIT
+ * clients check that they are present */
+ nt_status = gensec_set_peer_addr(gensec_security, peer_addr, peer_port);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(tmp_ctx);
+ return False;
+ }
+ nt_status = gensec_set_my_addr(gensec_security, my_addr, my_port);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(tmp_ctx);
+ return False;
+ }
+
+ /* We want the GENSEC wrap calls to generate PRIV tokens */
gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);
nt_status = gensec_start_mech_by_name(gensec_security, "krb5");
@@ -416,6 +504,7 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
return False;
}
+ /* Accept the AP-REQ and generate teh AP-REP we need for the reply */
nt_status = gensec_update(gensec_security, tmp_ctx, ap_req, &ap_rep);
if (!NT_STATUS_IS_OK(nt_status) && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
@@ -433,6 +522,7 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
return ret;
}
+ /* Extract the data from the KRB-PRIV half of the message */
nt_status = gensec_unwrap(gensec_security, tmp_ctx, &krb_priv_req, &kpasswd_req);
if (!NT_STATUS_IS_OK(nt_status)) {
ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx,
@@ -449,6 +539,7 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
return ret;
}
+ /* Figure out something to do with it (probably changing a password...) */
ret = kpasswd_process_request(kdc, tmp_ctx,
gensec_security,
version,
@@ -457,7 +548,9 @@ BOOL kpasswdd_process(struct kdc_server *kdc,
/* Argh! */
return False;
}
-
+
+ /* And wrap up the reply: This ensures that the error message
+ * or success can be verified by the client */
nt_status = gensec_wrap(gensec_security, tmp_ctx,
&kpasswd_rep, &krb_priv_rep);
if (!NT_STATUS_IS_OK(nt_status)) {