-rw-r--r-- | librpc/idl/lsa.idl | 5 | ||||
-rw-r--r-- | source4/kdc/db-glue.c | 26 | ||||
-rw-r--r-- | source4/kdc/kdc-policy.h | 25 | ||||
-rw-r--r-- | source4/kdc/policy.c | 50 | ||||
-rw-r--r-- | source4/kdc/samba_kdc.h | 1 | ||||
-rw-r--r-- | source4/kdc/wscript_build | 9 | ||||
-rw-r--r-- | source4/rpc_server/lsa/dcesrv_lsa.c | 10 | ||||
-rw-r--r-- | source4/rpc_server/wscript_build | 2 |
8 files changed, 117 insertions, 11 deletions
diff --git a/librpc/idl/lsa.idl b/librpc/idl/lsa.idl
index 869a97a1ac..abad501f4e 100644
--- a/librpc/idl/lsa.idl
+++ b/librpc/idl/lsa.idl
@@ -1064,11 +1064,14 @@ import "misc.idl", "security.idl";
 );
 /* Function 0x35 */
+ typedef [bitmap32bit] bitmap {
+ LSA_POLICY_KERBEROS_VALIDATE_CLIENT = 0x00000080
+ } lsa_krbAuthenticationOptions;
 /* w2k3 returns either 0x000bbbd000000000 or 0x000a48e800000000 for reserved - gd */
 typedef struct {
- uint32 enforce_restrictions;
+ lsa_krbAuthenticationOptions authentication_options;
 hyper service_tkt_lifetime;
 hyper user_tkt_lifetime;
 hyper user_tkt_renewaltime;
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 4bb8e35091..15024fa38e 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -43,6 +43,7 @@
 #include <hdb.h>
 #include "kdc/samba_kdc.h"
 #include "kdc/db-glue.h"
+#include "kdc/kdc-policy.h"
 enum samba_kdc_ent_type {
 SAMBA_KDC_ENT_TYPE_CLIENT,
 SAMBA_KDC_ENT_TYPE_SERVER,
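Review bot: The new `lsa_krbAuthenticationOptions` bitmap carries no comment saying where its single bit comes from, while the `reserved` field just below it does document observed wire values; a reader cannot tell from the IDL whether 0x00000080 is the only bit defined on the wire or merely the only one Samba sets. I would put above the typedef `/* AuthenticationOptions field of POLICY_DOMAIN_KERBEROS_TICKET_INFO, see MS-LSAD; only POLICY_KERBEROS_VALIDATE_CLIENT is modelled here */`. The rename from `uint32 enforce_restrictions` to a `[bitmap32bit]` keeps the field 32 bits wide, so the marshalled layout is unchanged.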
@@ -740,9 +741,28 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 entry_ex->entry.valid_start = NULL;
- entry_ex->entry.max_life = NULL;
+ entry_ex->entry.max_life = malloc(sizeof(*entry_ex->entry.max_life));
+ if (entry_ex->entry.max_life == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
- entry_ex->entry.max_renew = NULL;
+ if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
+ *entry_ex->entry.max_life = nt_time_to_unix(kdc_db_ctx->policy.service_tkt_lifetime);
+ } else if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT || ent_type == SAMBA_KDC_ENT_TYPE_CLIENT) {
+ *entry_ex->entry.max_life = nt_time_to_unix(kdc_db_ctx->policy.user_tkt_lifetime);
+ } else {
+ *entry_ex->entry.max_life = MIN(nt_time_to_unix(kdc_db_ctx->policy.service_tkt_lifetime),
+ nt_time_to_unix(kdc_db_ctx->policy.user_tkt_lifetime));
+ }
+
+ entry_ex->entry.max_renew = malloc(sizeof(*entry_ex->entry.max_life));
+ if (entry_ex->entry.max_renew == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+
+ *entry_ex->entry.max_renew = nt_time_to_unix(kdc_db_ctx->policy.user_tkt_renewaltime);
 entry_ex->entry.generation = NULL;
@@ -1636,6 +1656,8 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_conte
 kdc_db_ctx->ev_ctx = base_ctx->ev_ctx;
 kdc_db_ctx->lp_ctx = base_ctx->lp_ctx;
+ kdc_get_policy(base_ctx->lp_ctx, NULL, &kdc_db_ctx->policy);
+
 session_info = system_session(kdc_db_ctx->lp_ctx);
 if (session_info == NULL) {
 return NT_STATUS_INTERNAL_ERROR;
diff --git a/source4/kdc/kdc-policy.h b/source4/kdc/kdc-policy.h
new file mode 100644
index 0000000000..01e9372596
--- /dev/null
+++ b/source4/kdc/kdc-policy.h
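Review bot: `max_renew` is allocated with `sizeof(*entry_ex->entry.max_life)`; it only works because the two hdb members happen to share a type, and it reads as a copy-paste slip that will bite the next person who changes one of them — use `entry_ex->entry.max_renew = malloc(sizeof(*entry_ex->entry.max_renew));`. The stores also convert the `time_t` from `nt_time_to_unix()` straight into the hdb fields, which (if they are narrower than `time_t`, as in Heimdal's generated `hdb_entry`) silently truncates any out-of-range policy value, so the lifetimes are being trusted as already sanitised; a comment saying so, e.g. `/* lifetimes come from kdc_get_policy() and are assumed to be sane, positive seconds */`, would make that contract visible. samba_kdc_message2entry starts and ends outside this hunk.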
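Review bot: `kdc_get_policy()` is called here with a NULL `smb_krb5_context`, and the function as added in policy.c only writes `clock_skew` when a context is supplied, so `kdc_db_ctx->policy.clock_skew` keeps whatever the allocation left in it unless `kdc_db_ctx` was zero-filled (its allocation is outside this hunk). Either pass the KDC's own krb5 context, or make the omission explicit with `ZERO_STRUCT(kdc_db_ctx->policy);` before the call plus a comment that the KDC never reads the clock_skew member from this copy. This snapshot is also taken once at db setup, so if the context is long-lived the KDC will keep enforcing the start-up values after smb.conf changes. samba_kdc_setup_db_ctx continues outside this hunk.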
@@ -0,0 +1,25 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ KDC Policy
+
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+struct lsa_DomainInfoKerberos;
+struct loadparm_context;
+struct smb_krb5_context;
+#include "kdc/kdc-policy-proto.h"
diff --git a/source4/kdc/policy.c b/source4/kdc/policy.c
new file mode 100644
index 0000000000..2760e06940
--- /dev/null
+++ b/source4/kdc/policy.c
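Review bot: kdc-policy.h has no include guard; today it holds only three forward declarations and the generated proto include, so a double inclusion is harmless, but it is a new header that db-glue.c and dcesrv_lsa.c both pull in, and a guard costs nothing now. Wrap the body in `#ifndef _KDC_POLICY_H` / `#define _KDC_POLICY_H` … `#endif /* _KDC_POLICY_H */`, matching what I would expect the other source4/kdc headers to do (not visible here). A one-line comment on why the structs are forward-declared rather than included, `/* opaque to callers; kdc_get_policy() only needs pointers */`, would also help.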
@@ -0,0 +1,50 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ KDC Policy
+
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "lib/util/util.h"
+#include "kdc/kdc-policy.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
+#include "librpc/gen_ndr/lsa.h"
+#include "param/param.h"
+
+void kdc_get_policy(struct loadparm_context *lp_ctx,
+ struct smb_krb5_context *smb_krb5_context,
+ struct lsa_DomainInfoKerberos *k)
+{
+ /* These should be set and stored via Group Policy, but until then, some defaults are in order */
+
+ /* Our KDC always re-validates the client */
+ k->authentication_options = LSA_POLICY_KERBEROS_VALIDATE_CLIENT;
+
+ unix_to_nt_time(&k->service_tkt_lifetime,
+ lpcfg_parm_int(lp_ctx, NULL, "kdc", "service ticket lifefime", 10) * 60 * 60);
+ unix_to_nt_time(&k->user_tkt_lifetime,
+ lpcfg_parm_int(lp_ctx, NULL, "kdc", "user ticket lifefime", 10) * 60 * 60);
+ unix_to_nt_time(&k->user_tkt_renewaltime,
+ lpcfg_parm_int(lp_ctx, NULL, "kdc", "renewal lifefime", 24*7) * 60 * 60);
+ if (smb_krb5_context) {
+ unix_to_nt_time(&k->clock_skew,
+ krb5_get_max_time_skew(smb_krb5_context->krb5_context));
+ }
+ k->reserved = 0;
+}
diff --git a/source4/kdc/samba_kdc.h b/source4/kdc/samba_kdc.h
index 72b5cc42e4..faa4c7b7ad 100644
--- a/source4/kdc/samba_kdc.h
+++ b/source4/kdc/samba_kdc.h
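Review bot: All three smb.conf parameter names are misspelled — `"service ticket lifefime"`, `"user ticket lifefime"`, `"renewal lifefime"` — so an administrator who sets the intended `kdc:service ticket lifetime` gets no effect and the 10 h / 7 d defaults silently remain the enforced policy; fixing the typo is cheap now and painful once configs depend on the wrong spelling. The parsed value is also used without any range check: a zero or negative integer, or one large enough for `* 60 * 60` to overflow `int`, becomes the lifetime the KDC enforces through `kdc_db_ctx->policy` in db-glue.c, yielding tickets that expire immediately or wrap. I would read the three values into locals, fall back to the defaults for non-positive or overflowing values, and state the units in a comment. Since `clock_skew` is only written when a krb5 context is supplied, the function comment should also say that callers passing NULL must zero the struct beforehand.
```c
	/* … unchanged: authentication_options … */

	/* Lifetimes are configured in hours; reject values that would give
	 * zero, negative or int-overflowing lifetimes and keep the defaults. */
	int service_hours = lpcfg_parm_int(lp_ctx, NULL, "kdc", "service ticket lifetime", 10);
	int user_hours    = lpcfg_parm_int(lp_ctx, NULL, "kdc", "user ticket lifetime", 10);
	int renewal_hours = lpcfg_parm_int(lp_ctx, NULL, "kdc", "renewal lifetime", 24*7);
	if (service_hours <= 0 || service_hours > INT_MAX / 3600) service_hours = 10;
	if (user_hours <= 0 || user_hours > INT_MAX / 3600) user_hours = 10;
	if (renewal_hours <= 0 || renewal_hours > INT_MAX / 3600) renewal_hours = 24*7;

	unix_to_nt_time(&k->service_tkt_lifetime, service_hours * 60 * 60);
	unix_to_nt_time(&k->user_tkt_lifetime, user_hours * 60 * 60);
	unix_to_nt_time(&k->user_tkt_renewaltime, renewal_hours * 60 * 60);
	/* … unchanged: clock_skew and reserved … */
```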
@@ -36,6 +36,7 @@ struct samba_kdc_db_context {
 bool rodc;
 unsigned int my_krbtgt_number;
 struct ldb_dn *krbtgt_dn;
+ struct lsa_DomainInfoKerberos policy;
 };
 struct samba_kdc_entry {
diff --git a/source4/kdc/wscript_build b/source4/kdc/wscript_build
index 82b9929254..7ff2623d64 100644
--- a/source4/kdc/wscript_build
+++ b/source4/kdc/wscript_build
@@ -38,10 +38,17 @@ bld.SAMBA_LIBRARY('pac',
 bld.SAMBA_LIBRARY('db-glue',
 source='db-glue.c',
- deps='ldb auth_sam auth_sam_reply credentials hdb samba-hostconfig com_err',
+ deps='ldb auth_sam auth_sam_reply credentials hdb samba-hostconfig com_err kdc-policy',
 private_library=True
 )
+bld.SAMBA_LIBRARY('kdc-policy',
+ source='policy.c',
+ deps='samba-hostconfig authkrb5',
+ private_library=True,
+ autoproto = 'kdc-policy-proto.h'
+ )
+
 bld.SAMBA_SUBSYSTEM('MIT_SAMBA',
 source='mit_samba.c',
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 0854f25284..6ec078bd4e 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -31,6 +31,7 @@
 #include "lib/util/tsort.h"
 #include "dsdb/common/util.h"
 #include "libcli/security/session.h"
+#include "kdc/kdc-policy.h"
 /* this type allows us to distinguish handle types
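Review bot: `struct samba_kdc_db_context` now embeds `struct lsa_DomainInfoKerberos` by value, which requires the complete type from `librpc/gen_ndr/lsa.h` to be visible before this point; the hunk does not show whether samba_kdc.h already includes it, and the forward declaration used in kdc-policy.h is not enough for a by-value member. If the include is missing, any translation unit that includes samba_kdc.h without lsa.h first stops compiling, which is worth confirming before merge. The member also deserves a one-line comment, `/* domain Kerberos policy, filled by kdc_get_policy() in samba_kdc_setup_db_ctx() */`, so readers know it is a per-context snapshot rather than a live view.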
@@ -3700,12 +3701,9 @@ static NTSTATUS dcesrv_lsa_QueryDomainInformationPolicy(struct dcesrv_call_state
 *r->out.info = NULL;
 return NT_STATUS_INTERNAL_ERROR;
 }
- k->enforce_restrictions = 0; /* FIXME, details missing from MS-LSAD 2.2.53 */
- k->service_tkt_lifetime = 0; /* Need to find somewhere to store this, and query in KDC too */
- k->user_tkt_lifetime = 0; /* Need to find somewhere to store this, and query in KDC too */
- k->user_tkt_renewaltime = 0; /* Need to find somewhere to store this, and query in KDC too */
- k->clock_skew = krb5_get_max_time_skew(smb_krb5_context->krb5_context);
- k->reserved = 0;
+ kdc_get_policy(dce_call->conn->dce_ctx->lp_ctx,
+ smb_krb5_context,
+ k);
 talloc_free(smb_krb5_context);
 *r->out.info = info;
 return NT_STATUS_OK;
diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
index 29c1723119..3aafaa566a 100644
--- a/source4/rpc_server/wscript_build
+++ b/source4/rpc_server/wscript_build
@@ -95,7 +95,7 @@ bld.SAMBA_MODULE('dcerpc_lsarpc',
 autoproto='lsa/proto.h',
 subsystem='dcerpc_server',
 init_function='dcerpc_server_lsa_init',
- deps='samdb DCERPC_COMMON ndr-standard LIBCLI_AUTH NDR_DSSETUP com_err security-session'
+ deps='samdb DCERPC_COMMON ndr-standard LIBCLI_AUTH NDR_DSSETUP com_err security-session kdc-policy'
 ) |
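Review bot: The policy reported to LSA clients is now rebuilt from `lp_ctx` on every query, whereas the KDC takes its copy once in `samba_kdc_setup_db_ctx()`; if that db context lives for the life of the process (not visible in this diff), a runtime smb.conf reload makes `QueryDomainInformationPolicy` advertise lifetimes the KDC is not actually enforcing. Either document that the KDC policy is fixed at start-up, or have both sides read through one cached copy. A comment on the call such as `/* same source of truth as the KDC's samba_kdc_db_context.policy; keep them in sync */` would at least flag the coupling. dcesrv_lsa_QueryDomainInformationPolicy begins outside this hunk.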