diff options
Diffstat (limited to 'source4/kdc')
-rw-r--r-- | source4/kdc/config.mk | 3 | ||||
-rw-r--r-- | source4/kdc/hdb-samba4.c | 239 | ||||
-rw-r--r-- | source4/kdc/hdb-samba4.h | 8 | ||||
-rw-r--r-- | source4/kdc/kdc.c | 458 | ||||
-rw-r--r-- | source4/kdc/kdc.h | 12 | ||||
-rw-r--r-- | source4/kdc/kpasswdd.c | 216 | ||||
-rw-r--r-- | source4/kdc/pac-glue.c | 30 | ||||
-rw-r--r-- | source4/kdc/pac-glue.h | 6 |
8 files changed, 450 insertions, 522 deletions
diff --git a/source4/kdc/config.mk b/source4/kdc/config.mk index 7a99857248..a9d01585f0 100644 --- a/source4/kdc/config.mk +++ b/source4/kdc/config.mk @@ -6,7 +6,8 @@ INIT_FUNCTION = server_service_kdc_init SUBSYSTEM = service PRIVATE_DEPENDENCIES = \ - HEIMDAL_KDC HDB_SAMBA4 PAC_GLUE LIBSAMBA-HOSTCONFIG + HEIMDAL_KDC HDB_SAMBA4 PAC_GLUE LIBSAMBA-HOSTCONFIG \ + LIBTSOCKET # End SUBSYSTEM KDC ####################### diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index 2418e5c63f..2f3c30c283 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -53,13 +53,13 @@ #include "kdc/kdc.h" #include "../lib/crypto/md4.h" -enum hdb_samba4_ent_type -{ HDB_SAMBA4_ENT_TYPE_CLIENT, HDB_SAMBA4_ENT_TYPE_SERVER, +enum hdb_samba4_ent_type +{ HDB_SAMBA4_ENT_TYPE_CLIENT, HDB_SAMBA4_ENT_TYPE_SERVER, HDB_SAMBA4_ENT_TYPE_KRBTGT, HDB_SAMBA4_ENT_TYPE_TRUST, HDB_SAMBA4_ENT_TYPE_ANY }; enum trust_direction { UNKNOWN = 0, - INBOUND = LSA_TRUST_DIRECTION_INBOUND, + INBOUND = LSA_TRUST_DIRECTION_INBOUND, OUTBOUND = LSA_TRUST_DIRECTION_OUTBOUND }; @@ -93,7 +93,7 @@ static KerberosTime ldb_msg_find_krb5time_ldap_time(struct ldb_message *msg, con return timegm(&tm); } -static HDBFlags uf2HDBFlags(krb5_context context, int userAccountControl, enum hdb_samba4_ent_type ent_type) +static HDBFlags uf2HDBFlags(krb5_context context, int userAccountControl, enum hdb_samba4_ent_type ent_type) { HDBFlags flags = int2HDBFlags(0); @@ -115,7 +115,7 @@ static HDBFlags uf2HDBFlags(krb5_context context, int userAccountControl, enum h } flags.invalid = 0; } - + if (userAccountControl & UF_INTERDOMAIN_TRUST_ACCOUNT) { if (ent_type == HDB_SAMBA4_ENT_TYPE_CLIENT || ent_type == HDB_SAMBA4_ENT_TYPE_ANY) { flags.client = 1; @@ -166,7 +166,7 @@ static HDBFlags uf2HDBFlags(krb5_context context, int userAccountControl, enum h } if (userAccountControl & UF_TRUSTED_FOR_DELEGATION) { flags.ok_as_delegate = 1; - } + } if (!(userAccountControl & UF_NOT_DELEGATED)) { flags.forwardable = 1; flags.proxiable = 1; @@ -334,7 +334,7 @@ static krb5_error_code hdb_samba4_message2entry_keys(krb5_context context, ret = krb5_keyblock_init(context, ENCTYPE_ARCFOUR_HMAC, - hash->hash, sizeof(hash->hash), + hash->hash, sizeof(hash->hash), &key.key); if (ret) { goto out; @@ -490,8 +490,8 @@ out: /* * Construct an hdb_entry from a directory entry. */ -static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db, - struct loadparm_context *lp_ctx, +static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db, + struct loadparm_context *lp_ctx, TALLOC_CTX *mem_ctx, krb5_const_principal principal, enum hdb_samba4_ent_type ent_type, struct ldb_dn *realm_dn, @@ -514,7 +514,7 @@ static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db, const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL); computer_val.data = discard_const_p(uint8_t,"computer"); computer_val.length = strlen((const char *)computer_val.data); - + if (!samAccountName) { ret = ENOENT; krb5_set_error_message(context, ret, "hdb_samba4_message2entry: no samAccountName present"); @@ -522,7 +522,7 @@ static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db, } objectclasses = ldb_msg_find_element(msg, "objectClass"); - + if (objectclasses && ldb_msg_find_val(objectclasses, &computer_val)) { is_computer = TRUE; } @@ -534,7 +534,7 @@ static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db, krb5_set_error_message(context, ret, "talloc_strdup: out of memory"); goto out; } - + p = talloc(mem_ctx, struct hdb_samba4_private); if (!p) { ret = ENOMEM; @@ -557,7 +557,7 @@ static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db, userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0); - + entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal))); if (ent_type == HDB_SAMBA4_ENT_TYPE_ANY && principal == NULL) { krb5_make_principal(context, &entry_ex->entry.principal, realm, samAccountName, NULL); @@ -573,7 +573,7 @@ static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db, * the client-specified realm. This code attempts to * replace the client principal's realm with the one * we determine from our records */ - + /* this has to be with malloc() */ krb5_principal_set_realm(context, entry_ex->entry.principal, realm); } @@ -598,19 +598,19 @@ static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db, * of the Heimdal KDC. They are stored in a the traditional * DB for audit purposes, and still form part of the structure * we must return */ - + /* use 'whenCreated' */ entry_ex->entry.created_by.time = ldb_msg_find_krb5time_ldap_time(msg, "whenCreated", 0); /* use '???' */ entry_ex->entry.created_by.principal = NULL; - + entry_ex->entry.modified_by = (Event *) malloc(sizeof(Event)); if (entry_ex->entry.modified_by == NULL) { ret = ENOMEM; krb5_set_error_message(context, ret, "malloc: out of memory"); goto out; } - + /* use 'whenChanged' */ entry_ex->entry.modified_by->time = ldb_msg_find_krb5time_ldap_time(msg, "whenChanged", 0); /* use '???' */ @@ -661,7 +661,7 @@ static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db, } else { NTTIME must_change_time - = samdb_result_force_password_change((struct ldb_context *)db->hdb_db, mem_ctx, + = samdb_result_force_password_change((struct ldb_context *)db->hdb_db, mem_ctx, realm_dn, msg); if (must_change_time == 0x7FFFFFFFFFFFFFFFULL) { entry_ex->entry.pw_end = NULL; @@ -722,7 +722,7 @@ static krb5_error_code hdb_samba4_message2entry(krb5_context context, HDB *db, p->msg = talloc_steal(p, msg); p->samdb = (struct ldb_context *)db->hdb_db; - + out: if (ret != 0) { /* This doesn't free ent itself, that is for the eventual caller to do */ @@ -737,7 +737,7 @@ out: /* * Construct an hdb_entry from a directory entry. */ -static krb5_error_code hdb_samba4_trust_message2entry(krb5_context context, HDB *db, +static krb5_error_code hdb_samba4_trust_message2entry(krb5_context context, HDB *db, struct loadparm_context *lp_ctx, TALLOC_CTX *mem_ctx, krb5_const_principal principal, enum trust_direction direction, @@ -745,7 +745,7 @@ static krb5_error_code hdb_samba4_trust_message2entry(krb5_context context, HDB struct ldb_message *msg, hdb_entry_ex *entry_ex) { - + const char *dnsdomain; char *realm; DATA_BLOB password_utf16; @@ -843,16 +843,16 @@ static krb5_error_code hdb_samba4_trust_message2entry(krb5_context context, HDB ret = ENOMEM; goto out; } - + ret = krb5_keyblock_init(context, ENCTYPE_ARCFOUR_HMAC, - password_hash.hash, sizeof(password_hash.hash), + password_hash.hash, sizeof(password_hash.hash), &key.key); - + entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key; entry_ex->entry.keys.len++; } - + entry_ex->entry.principal = malloc(sizeof(*(entry_ex->entry.principal))); ret = copy_Principal(principal, entry_ex->entry.principal); @@ -860,13 +860,13 @@ static krb5_error_code hdb_samba4_trust_message2entry(krb5_context context, HDB krb5_clear_error_message(context); goto out; } - + /* While we have copied the client principal, tests * show that Win2k3 returns the 'corrected' realm, not * the client-specified realm. This code attempts to * replace the client principal's realm with the one * we determine from our records */ - + krb5_principal_set_realm(context, entry_ex->entry.principal, realm); entry_ex->entry.flags = int2HDBFlags(0); entry_ex->entry.flags.immutable = 1; @@ -875,7 +875,7 @@ static krb5_error_code hdb_samba4_trust_message2entry(krb5_context context, HDB entry_ex->entry.flags.require_preauth = 1; entry_ex->entry.pw_end = NULL; - + entry_ex->entry.max_life = NULL; entry_ex->entry.max_renew = NULL; @@ -902,7 +902,7 @@ static krb5_error_code hdb_samba4_trust_message2entry(krb5_context context, HDB p->msg = talloc_steal(p, msg); p->samdb = (struct ldb_context *)db->hdb_db; - + out: if (ret != 0) { /* This doesn't free ent itself, that is for the eventual caller to do */ @@ -915,7 +915,7 @@ out: } -static krb5_error_code hdb_samba4_lookup_trust(krb5_context context, struct ldb_context *ldb_ctx, +static krb5_error_code hdb_samba4_lookup_trust(krb5_context context, struct ldb_context *ldb_ctx, TALLOC_CTX *mem_ctx, const char *realm, struct ldb_dn *realm_dn, @@ -959,7 +959,7 @@ static krb5_error_code hdb_samba4_open(krb5_context context, HDB *db, int flags, krb5_warnx(context, "hdb_samba4_open: use of a master key incompatible with LDB\n"); krb5_set_error_message(context, ret, "hdb_samba4_open: use of a master key incompatible with LDB\n"); return ret; - } + } return 0; } @@ -984,25 +984,25 @@ static krb5_error_code hdb_samba4_rename(krb5_context context, HDB *db, const ch return HDB_ERR_DB_INUSE; } -static krb5_error_code hdb_samba4_lookup_client(krb5_context context, HDB *db, - struct loadparm_context *lp_ctx, - TALLOC_CTX *mem_ctx, +static krb5_error_code hdb_samba4_lookup_client(krb5_context context, HDB *db, + struct loadparm_context *lp_ctx, + TALLOC_CTX *mem_ctx, krb5_const_principal principal, const char **attrs, - struct ldb_dn **realm_dn, + struct ldb_dn **realm_dn, struct ldb_message **msg) { NTSTATUS nt_status; char *principal_string; krb5_error_code ret; ret = krb5_unparse_name(context, principal, &principal_string); - + if (ret != 0) { return ret; } - + nt_status = sam_get_results_principal((struct ldb_context *)db->hdb_db, - mem_ctx, principal_string, attrs, + mem_ctx, principal_string, attrs, realm_dn, msg); free(principal_string); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) { @@ -1012,13 +1012,13 @@ static krb5_error_code hdb_samba4_lookup_client(krb5_context context, HDB *db, } else if (!NT_STATUS_IS_OK(nt_status)) { return EINVAL; } - + return ret; } -static krb5_error_code hdb_samba4_fetch_client(krb5_context context, HDB *db, - struct loadparm_context *lp_ctx, - TALLOC_CTX *mem_ctx, +static krb5_error_code hdb_samba4_fetch_client(krb5_context context, HDB *db, + struct loadparm_context *lp_ctx, + TALLOC_CTX *mem_ctx, krb5_const_principal principal, unsigned flags, hdb_entry_ex *entry_ex) { @@ -1026,22 +1026,22 @@ static krb5_error_code hdb_samba4_fetch_client(krb5_context context, HDB *db, krb5_error_code ret; struct ldb_message *msg = NULL; - ret = hdb_samba4_lookup_client(context, db, lp_ctx, - mem_ctx, principal, user_attrs, + ret = hdb_samba4_lookup_client(context, db, lp_ctx, + mem_ctx, principal, user_attrs, &realm_dn, &msg); if (ret != 0) { return ret; } - - ret = hdb_samba4_message2entry(context, db, lp_ctx, mem_ctx, + + ret = hdb_samba4_message2entry(context, db, lp_ctx, mem_ctx, principal, HDB_SAMBA4_ENT_TYPE_CLIENT, realm_dn, msg, entry_ex); return ret; } -static krb5_error_code hdb_samba4_fetch_krbtgt(krb5_context context, HDB *db, - struct loadparm_context *lp_ctx, - TALLOC_CTX *mem_ctx, +static krb5_error_code hdb_samba4_fetch_krbtgt(krb5_context context, HDB *db, + struct loadparm_context *lp_ctx, + TALLOC_CTX *mem_ctx, krb5_const_principal principal, unsigned flags, hdb_entry_ex *entry_ex) @@ -1062,18 +1062,18 @@ static krb5_error_code hdb_samba4_fetch_krbtgt(krb5_context context, HDB *db, if (lp_is_my_domain_or_realm(lp_ctx, principal->realm) && lp_is_my_domain_or_realm(lp_ctx, principal->name.name_string.val[1])) { - /* us */ + /* us */ /* Cludge, cludge cludge. If the realm part of krbtgt/realm, * is in our db, then direct the caller at our primary * krbtgt */ int lret; char *realm_fixed; - - lret = gendb_search_single_extended_dn(db->hdb_db, mem_ctx, + + lret = gendb_search_single_extended_dn(db->hdb_db, mem_ctx, realm_dn, LDB_SCOPE_SUBTREE, - &msg, krbtgt_attrs, - "(&(objectClass=user)(samAccountName=krbtgt))"); + &msg, krbtgt_attrs, + "(&(objectClass=user)(samAccountName=krbtgt))"); if (lret == LDB_ERR_NO_SUCH_OBJECT) { krb5_warnx(context, "hdb_samba4_fetch: could not find own KRBTGT in DB!"); krb5_set_error_message(context, HDB_ERR_NOENTRY, "hdb_samba4_fetch: could not find own KRBTGT in DB!"); @@ -1083,19 +1083,19 @@ static krb5_error_code hdb_samba4_fetch_krbtgt(krb5_context context, HDB *db, krb5_set_error_message(context, HDB_ERR_NOENTRY, "hdb_samba4_fetch: could not find own KRBTGT in DB: %s", ldb_errstring(db->hdb_db)); return HDB_ERR_NOENTRY; } - + realm_fixed = strupper_talloc(mem_ctx, lp_realm(lp_ctx)); if (!realm_fixed) { ret = ENOMEM; krb5_set_error_message(context, ret, "strupper_talloc: out of memory"); return ret; } - + ret = krb5_copy_principal(context, principal, &alloc_principal); if (ret) { return ret; } - + free(alloc_principal->name.name_string.val[1]); alloc_principal->name.name_string.val[1] = strdup(realm_fixed); talloc_free(realm_fixed); @@ -1106,11 +1106,11 @@ static krb5_error_code hdb_samba4_fetch_krbtgt(krb5_context context, HDB *db, } principal = alloc_principal; - ret = hdb_samba4_message2entry(context, db, lp_ctx, mem_ctx, - principal, HDB_SAMBA4_ENT_TYPE_KRBTGT, + ret = hdb_samba4_message2entry(context, db, lp_ctx, mem_ctx, + principal, HDB_SAMBA4_ENT_TYPE_KRBTGT, realm_dn, msg, entry_ex); if (ret != 0) { - krb5_warnx(context, "hdb_samba4_fetch: self krbtgt message2entry failed"); + krb5_warnx(context, "hdb_samba4_fetch: self krbtgt message2entry failed"); } return ret; @@ -1132,35 +1132,35 @@ static krb5_error_code hdb_samba4_fetch_krbtgt(krb5_context context, HDB *db, } /* Trusted domains are under CN=system */ - - ret = hdb_samba4_lookup_trust(context, (struct ldb_context *)db->hdb_db, - mem_ctx, + + ret = hdb_samba4_lookup_trust(context, (struct ldb_context *)db->hdb_db, + mem_ctx, realm, realm_dn, &msg); - + if (ret != 0) { krb5_warnx(context, "hdb_samba4_fetch: could not find principal in DB"); krb5_set_error_message(context, ret, "hdb_samba4_fetch: could not find principal in DB"); return ret; } - - ret = hdb_samba4_trust_message2entry(context, db, lp_ctx, mem_ctx, - principal, direction, + + ret = hdb_samba4_trust_message2entry(context, db, lp_ctx, mem_ctx, + principal, direction, realm_dn, msg, entry_ex); if (ret != 0) { - krb5_warnx(context, "hdb_samba4_fetch: trust_message2entry failed"); + krb5_warnx(context, "hdb_samba4_fetch: trust_message2entry failed"); } return ret; - + /* we should lookup trusted domains */ return HDB_ERR_NOENTRY; } } -static krb5_error_code hdb_samba4_lookup_server(krb5_context context, HDB *db, +static krb5_error_code hdb_samba4_lookup_server(krb5_context context, HDB *db, struct loadparm_context *lp_ctx, - TALLOC_CTX *mem_ctx, + TALLOC_CTX *mem_ctx, krb5_const_principal principal, const char **attrs, struct ldb_dn **realm_dn, @@ -1174,35 +1174,35 @@ static krb5_error_code hdb_samba4_lookup_server(krb5_context context, HDB *db, NTSTATUS nt_status; struct ldb_dn *user_dn; char *principal_string; - - ret = krb5_unparse_name_flags(context, principal, - KRB5_PRINCIPAL_UNPARSE_NO_REALM, + + ret = krb5_unparse_name_flags(context, principal, + KRB5_PRINCIPAL_UNPARSE_NO_REALM, &principal_string); if (ret != 0) { return ret; } - + /* At this point we may find the host is known to be * in a different realm, so we should generate a * referral instead */ nt_status = crack_service_principal_name((struct ldb_context *)db->hdb_db, - mem_ctx, principal_string, + mem_ctx, principal_string, &user_dn, realm_dn); free(principal_string); - + if (!NT_STATUS_IS_OK(nt_status)) { return HDB_ERR_NOENTRY; } - + ldb_ret = gendb_search_single_extended_dn((struct ldb_context *)db->hdb_db, - mem_ctx, + mem_ctx, user_dn, LDB_SCOPE_BASE, msg, attrs, "(objectClass=*)"); if (ldb_ret != LDB_SUCCESS) { return HDB_ERR_NOENTRY; } - + } else { int lret; char *filter = NULL; @@ -1210,20 +1210,20 @@ static krb5_error_code hdb_samba4_lookup_server(krb5_context context, HDB *db, /* server as client principal case, but we must not lookup userPrincipalNames */ *realm_dn = ldb_get_default_basedn(db->hdb_db); realm = krb5_principal_get_realm(context, principal); - + /* TODO: Check if it is our realm, otherwise give referall */ - + ret = krb5_unparse_name_flags(context, principal, KRB5_PRINCIPAL_UNPARSE_NO_REALM, &short_princ); - + if (ret != 0) { krb5_set_error_message(context, ret, "hdb_samba4_lookup_principal: could not parse principal"); krb5_warnx(context, "hdb_samba4_lookup_principal: could not parse principal"); return ret; } - - lret = gendb_search_single_extended_dn(db->hdb_db, mem_ctx, + + lret = gendb_search_single_extended_dn(db->hdb_db, mem_ctx, *realm_dn, LDB_SCOPE_SUBTREE, - msg, attrs, "(&(objectClass=user)(samAccountName=%s))", + msg, attrs, "(&(objectClass=user)(samAccountName=%s))", ldb_binary_encode_string(mem_ctx, short_princ)); free(short_princ); if (lret == LDB_ERR_NO_SUCH_OBJECT) { @@ -1231,7 +1231,7 @@ static krb5_error_code hdb_samba4_lookup_server(krb5_context context, HDB *db, return HDB_ERR_NOENTRY; } if (lret != LDB_SUCCESS) { - DEBUG(3, ("Failed single search for for %s - %s\n", + DEBUG(3, ("Failed single search for for %s - %s\n", filter, ldb_errstring(db->hdb_db))); return HDB_ERR_NOENTRY; } @@ -1240,9 +1240,9 @@ static krb5_error_code hdb_samba4_lookup_server(krb5_context context, HDB *db, return 0; } -static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db, +static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db, struct loadparm_context *lp_ctx, - TALLOC_CTX *mem_ctx, + TALLOC_CTX *mem_ctx, krb5_const_principal principal, unsigned flags, hdb_entry_ex *entry_ex) @@ -1251,23 +1251,23 @@ static krb5_error_code hdb_samba4_fetch_server(krb5_context context, HDB *db, struct ldb_dn *realm_dn; struct ldb_message *msg; - ret = hdb_samba4_lookup_server(context, db, lp_ctx, mem_ctx, principal, + ret = hdb_samba4_lookup_server(context, db, lp_ctx, mem_ctx, principal, server_attrs, &realm_dn, &msg); if (ret != 0) { return ret; } - ret = hdb_samba4_message2entry(context, db, lp_ctx, mem_ctx, + ret = hdb_samba4_message2entry(context, db, lp_ctx, mem_ctx, principal, HDB_SAMBA4_ENT_TYPE_SERVER, realm_dn, msg, entry_ex); if (ret != 0) { - krb5_warnx(context, "hdb_samba4_fetch: message2entry failed"); + krb5_warnx(context, "hdb_samba4_fetch: message2entry failed"); } return ret; } - -static krb5_error_code hdb_samba4_fetch(krb5_context context, HDB *db, + +static krb5_error_code hdb_samba4_fetch(krb5_context context, HDB *db, krb5_const_principal principal, unsigned flags, hdb_entry_ex *entry_ex) @@ -1345,9 +1345,9 @@ static krb5_error_code hdb_samba4_seq(krb5_context context, HDB *db, unsigned fl } if (priv->index < priv->count) { - ret = hdb_samba4_message2entry(context, db, priv->lp_ctx, - mem_ctx, - NULL, HDB_SAMBA4_ENT_TYPE_ANY, + ret = hdb_samba4_message2entry(context, db, priv->lp_ctx, + mem_ctx, + NULL, HDB_SAMBA4_ENT_TYPE_ANY, priv->realm_dn, priv->msgs[priv->index++], entry); } else { ret = HDB_ERR_NOENTRY; @@ -1366,7 +1366,7 @@ static krb5_error_code hdb_samba4_firstkey(krb5_context context, HDB *db, unsign hdb_entry_ex *entry) { struct ldb_context *ldb_ctx = (struct ldb_context *)db->hdb_db; - struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb_ctx, "loadparm"), + struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb_ctx, "loadparm"), struct loadparm_context); struct hdb_samba4_seq *priv = (struct hdb_samba4_seq *)db->hdb_dbc; char *realm; @@ -1407,7 +1407,7 @@ static krb5_error_code hdb_samba4_firstkey(krb5_context context, HDB *db, unsign talloc_free(priv); return ret; } - + lret = ldb_search(ldb_ctx, priv, &res, priv->realm_dn, LDB_SCOPE_SUBTREE, user_attrs, "(objectClass=user)"); @@ -1449,14 +1449,14 @@ static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db) /* Check if a given entry may delegate to this target principal * - * This is currently a very nasty hack - allowing only delegation to itself. + * This is currently a very nasty hack - allowing only delegation to itself. */ -krb5_error_code hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db, +krb5_error_code hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db, hdb_entry_ex *entry, krb5_const_principal target_principal) { struct ldb_context *ldb_ctx = (struct ldb_context *)db->hdb_db; - struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb_ctx, "loadparm"), + struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb_ctx, "loadparm"), struct loadparm_context); krb5_error_code ret; krb5_principal enterprise_prinicpal = NULL; @@ -1468,7 +1468,7 @@ krb5_error_code hdb_samba4_check_constrained_delegation(krb5_context context, HD const char *delegation_check_attrs[] = { "objectSid", NULL }; - + TALLOC_CTX *mem_ctx = talloc_named(db, 0, "hdb_samba4_check_constrained_delegation"); if (!mem_ctx) { @@ -1481,12 +1481,12 @@ krb5_error_code hdb_samba4_check_constrained_delegation(krb5_context context, HD /* Need to reparse the enterprise principal to find the real target */ if (target_principal->name.name_string.len != 1) { ret = KRB5_PARSE_MALFORMED; - krb5_set_error_message(context, ret, "hdb_samba4_check_constrained_delegation: request for delegation to enterprise principal with wrong (%d) number of components", - target_principal->name.name_string.len); + krb5_set_error_message(context, ret, "hdb_samba4_check_constrained_delegation: request for delegation to enterprise principal with wrong (%d) number of components", + target_principal->name.name_string.len); talloc_free(mem_ctx); return ret; } - ret = krb5_parse_name(context, target_principal->name.name_string.val[0], + ret = krb5_parse_name(context, target_principal->name.name_string.val[0], &enterprise_prinicpal); if (ret) { talloc_free(mem_ctx); @@ -1495,7 +1495,7 @@ krb5_error_code hdb_samba4_check_constrained_delegation(krb5_context context, HD target_principal = enterprise_prinicpal; } - ret = hdb_samba4_lookup_server(context, db, lp_ctx, mem_ctx, target_principal, + ret = hdb_samba4_lookup_server(context, db, lp_ctx, mem_ctx, target_principal, delegation_check_attrs, &realm_dn, &msg); krb5_free_principal(context, enterprise_prinicpal); @@ -1525,12 +1525,12 @@ krb5_error_code hdb_samba4_check_constrained_delegation(krb5_context context, HD * database. Allow a mismatch where they both refer to the same * SID */ -krb5_error_code hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db, +krb5_error_code hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db, hdb_entry_ex *entry, krb5_const_principal certificate_principal) { struct ldb_context *ldb_ctx = (struct ldb_context *)db->hdb_db; - struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb_ctx, "loadparm"), + struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb_ctx, "loadparm"), struct loadparm_context); krb5_error_code ret; struct ldb_dn *realm_dn; @@ -1541,7 +1541,7 @@ krb5_error_code hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB * const char *ms_upn_check_attrs[] = { "objectSid", NULL }; - + TALLOC_CTX *mem_ctx = talloc_named(db, 0, "hdb_samba4_check_constrained_delegation"); if (!mem_ctx) { @@ -1550,10 +1550,10 @@ krb5_error_code hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB * return ret; } - ret = hdb_samba4_lookup_client(context, db, lp_ctx, + ret = hdb_samba4_lookup_client(context, db, lp_ctx, mem_ctx, certificate_principal, ms_upn_check_attrs, &realm_dn, &msg); - + if (ret != 0) { talloc_free(mem_ctx); return ret; @@ -1579,8 +1579,8 @@ krb5_error_code hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB * * (hdb_samba4_create) from the kpasswdd -> krb5 -> keytab_hdb -> hdb * code */ -NTSTATUS hdb_samba4_create_kdc(TALLOC_CTX *mem_ctx, - struct tevent_context *ev_ctx, +NTSTATUS hdb_samba4_create_kdc(TALLOC_CTX *mem_ctx, + struct tevent_context *ev_ctx, struct loadparm_context *lp_ctx, krb5_context context, struct HDB **db) { @@ -1602,7 +1602,7 @@ NTSTATUS hdb_samba4_create_kdc(TALLOC_CTX *mem_ctx, * allow us to share the samdb backend context with other parts of the * system. For now we can't as we need to override the * credentials to set CRED_DONT_USE_KERBEROS, which would - * break other users of the system_session */ + * break other users of the system_session */ DEBUG(0,("FIXME: Using new system session for hdb\n")); nt_status = auth_system_session_info(*db, lp_ctx, &session_info); if (!NT_STATUS_IS_OK(nt_status)) { @@ -1614,7 +1614,7 @@ NTSTATUS hdb_samba4_create_kdc(TALLOC_CTX *mem_ctx, return NT_STATUS_INTERNAL_ERROR; } #endif - + /* The idea here is very simple. Using Kerberos to * authenticate the KDC to the LDAP server is higly likely to * be circular. @@ -1622,8 +1622,8 @@ NTSTATUS hdb_samba4_create_kdc(TALLOC_CTX *mem_ctx, * In future we may set this up to use EXERNAL and SSL * certificates, for now it will almost certainly be NTLMSSP_SET_USERNAME */ - - cli_credentials_set_kerberos_state(session_info->credentials, + + cli_credentials_set_kerberos_state(session_info->credentials, CRED_DONT_USE_KERBEROS); /* Setup the link to LDB */ @@ -1663,6 +1663,7 @@ static krb5_error_code hdb_samba4_create(krb5_context context, struct HDB **db, NTSTATUS nt_status; void *ptr; struct hdb_samba4_context *hdb_samba4_context; + if (sscanf(arg, "&%p", &ptr) != 1) { return EINVAL; } @@ -1686,6 +1687,6 @@ static krb5_error_code hdb_samba4_create(krb5_context context, struct HDB **db, */ struct hdb_method hdb_samba4 = { .interface_version = HDB_INTERFACE_VERSION, - .prefix = "samba4", + .prefix = "samba4", .create = hdb_samba4_create }; diff --git a/source4/kdc/hdb-samba4.h b/source4/kdc/hdb-samba4.h index fc2f9c1310..5f85ce188c 100644 --- a/source4/kdc/hdb-samba4.h +++ b/source4/kdc/hdb-samba4.h @@ -1,21 +1,21 @@ -/* +/* Unix SMB/CIFS implementation. KDC structures Copyright (C) Andrew Tridgell 2005 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c index 6a9df0bf02..93f1c7d6ec 100644 --- a/source4/kdc/kdc.c +++ b/source4/kdc/kdc.c @@ -1,4 +1,4 @@ -/* +/* Unix SMB/CIFS implementation. KDC Server startup @@ -11,12 +11,12 @@ it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ @@ -42,22 +42,15 @@ #include "librpc/gen_ndr/ndr_misc.h" -/* Disgusting hack to get a mem_ctx and lp_ctx into the hdb plugin, when +/* Disgusting hack to get a mem_ctx and lp_ctx into the hdb plugin, when * used as a keytab */ TALLOC_CTX *hdb_samba4_mem_ctx; struct tevent_context *hdb_samba4_ev_ctx; struct loadparm_context *hdb_samba4_lp_ctx; -/* hold all the info needed to send a reply */ -struct kdc_reply { - struct kdc_reply *next, *prev; - struct socket_address *dest; - DATA_BLOB packet; -}; - typedef bool (*kdc_process_fn_t)(struct kdc_server *kdc, - TALLOC_CTX *mem_ctx, - DATA_BLOB *input, + TALLOC_CTX *mem_ctx, + DATA_BLOB *input, DATA_BLOB *reply, struct tsocket_address *peer_addr, struct tsocket_address *my_addr, @@ -65,15 +58,11 @@ typedef bool (*kdc_process_fn_t)(struct kdc_server *kdc, /* hold information about one kdc socket */ struct kdc_socket { - struct socket_context *sock; struct kdc_server *kdc; - struct tevent_fd *fde; - - /* a queue of outgoing replies that have been deferred */ - struct kdc_reply *send_queue; - + struct tsocket_address *local_address; kdc_process_fn_t process; }; + /* state of an open tcp connection */ @@ -82,152 +71,11 @@ struct kdc_tcp_connection { struct stream_connection *conn; /* the kdc_server the connection belongs to */ - struct kdc_server *kdc; + struct kdc_socket *kdc_socket; struct packet_context *packet; - - kdc_process_fn_t process; }; -/* - handle fd send events on a KDC socket -*/ -static void kdc_send_handler(struct kdc_socket *kdc_socket) -{ - while (kdc_socket->send_queue) { - struct kdc_reply *rep = kdc_socket->send_queue; - NTSTATUS status; - size_t sendlen; - - status = socket_sendto(kdc_socket->sock, &rep->packet, &sendlen, - rep->dest); - if (NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) { - break; - } - if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_BUFFER_SIZE)) { - /* Replace with a krb err, response to big */ - } - - DLIST_REMOVE(kdc_socket->send_queue, rep); - talloc_free(rep); - } - - if (kdc_socket->send_queue == NULL) { - EVENT_FD_NOT_WRITEABLE(kdc_socket->fde); - } -} - - -/* - handle fd recv events on a KDC socket -*/ -static void kdc_recv_handler(struct kdc_socket *kdc_socket) -{ - NTSTATUS status; - TALLOC_CTX *tmp_ctx = talloc_new(kdc_socket); - DATA_BLOB blob; - struct kdc_reply *rep; - DATA_BLOB reply; - size_t nread, dsize; - struct socket_address *src; - struct socket_address *my_addr; - struct tsocket_address *tsrcaddr; - struct tsocket_address *tmyaddr; - int ret; - - status = socket_pending(kdc_socket->sock, &dsize); - if (!NT_STATUS_IS_OK(status)) { - talloc_free(tmp_ctx); - return; - } - - blob = data_blob_talloc(tmp_ctx, NULL, dsize); - if (blob.data == NULL) { - /* hope this is a temporary low memory condition */ - talloc_free(tmp_ctx); - return; - } - - status = socket_recvfrom(kdc_socket->sock, blob.data, blob.length, &nread, - tmp_ctx, &src); - if (!NT_STATUS_IS_OK(status)) { - talloc_free(tmp_ctx); - return; - } - blob.length = nread; - - DEBUG(10,("Received krb5 UDP packet of length %lu from %s:%u\n", - (long)blob.length, src->addr, (uint16_t)src->port)); - - my_addr = socket_get_my_addr(kdc_socket->sock, tmp_ctx); - if (!my_addr) { - talloc_free(tmp_ctx); - return; - } - - ret = tsocket_address_bsd_from_sockaddr(tmp_ctx, src->sockaddr, - src->sockaddrlen, &tsrcaddr); - if (ret < 0) { - talloc_free(tmp_ctx); - return; - } - - ret = tsocket_address_bsd_from_sockaddr(tmp_ctx, my_addr->sockaddr, - my_addr->sockaddrlen, &tmyaddr); - if (ret < 0) { - talloc_free(tmp_ctx); - return; - } - - /* Call krb5 */ - ret = kdc_socket->process(kdc_socket->kdc, - tmp_ctx, - &blob, - &reply, - tsrcaddr, - tmyaddr, - 1 /* Datagram */); - if (!ret) { - talloc_free(tmp_ctx); - return; - } - - /* queue a pending reply */ - rep = talloc(kdc_socket, struct kdc_reply); - if (rep == NULL) { - talloc_free(tmp_ctx); - return; - } - rep->dest = talloc_steal(rep, src); - rep->packet = reply; - talloc_steal(rep, reply.data); - - if (rep->packet.data == NULL) { - talloc_free(rep); - talloc_free(tmp_ctx); - return; - } - - DLIST_ADD_END(kdc_socket->send_queue, rep, struct kdc_reply *); - EVENT_FD_WRITEABLE(kdc_socket->fde); - talloc_free(tmp_ctx); -} - -/* - handle fd events on a KDC socket -*/ -static void kdc_socket_handler(struct tevent_context *ev, struct tevent_fd *fde, - uint16_t flags, void *private_data) -{ - struct kdc_socket *kdc_socket = talloc_get_type(private_data, struct kdc_socket); - if (flags & EVENT_FD_WRITE) { - kdc_send_handler(kdc_socket); - } - if (flags & EVENT_FD_READ) { - kdc_recv_handler(kdc_socket); - } -} - static void kdc_tcp_terminate_connection(struct kdc_tcp_connection *kdcconn, const char *reason) { stream_terminate_connection(kdcconn->conn, reason); @@ -244,49 +92,18 @@ static NTSTATUS kdc_tcp_recv(void *private_data, DATA_BLOB blob) TALLOC_CTX *tmp_ctx = talloc_new(kdcconn); int ret; DATA_BLOB input, reply; - struct socket_address *src_addr; - struct socket_address *my_addr; - struct tsocket_address *tsrcaddr; - struct tsocket_address *tmyaddr; - talloc_steal(tmp_ctx, blob.data); - src_addr = socket_get_peer_addr(kdcconn->conn->socket, tmp_ctx); - if (!src_addr) { - talloc_free(tmp_ctx); - return NT_STATUS_NO_MEMORY; - } - - my_addr = socket_get_my_addr(kdcconn->conn->socket, tmp_ctx); - if (!my_addr) { - talloc_free(tmp_ctx); - return NT_STATUS_NO_MEMORY; - } - - ret = tsocket_address_bsd_from_sockaddr(tmp_ctx, src_addr->sockaddr, - src_addr->sockaddrlen, &tsrcaddr); - if (ret < 0) { - talloc_free(tmp_ctx); - return NT_STATUS_NO_MEMORY; - } - - ret = tsocket_address_bsd_from_sockaddr(tmp_ctx, my_addr->sockaddr, - my_addr->sockaddrlen, &tmyaddr); - if (ret < 0) { - talloc_free(tmp_ctx); - return NT_STATUS_NO_MEMORY; - } - /* Call krb5 */ - input = data_blob_const(blob.data + 4, blob.length - 4); - - ret = kdcconn->process(kdcconn->kdc, - tmp_ctx, - &input, - &reply, - tsrcaddr, - tmyaddr, - 0 /* Not datagram */); + input = data_blob_const(blob.data + 4, blob.length - 4); + + ret = kdcconn->kdc_socket->process(kdcconn->kdc_socket->kdc, + tmp_ctx, + &input, + &reply, + kdcconn->conn->remote_address, + kdcconn->conn->local_address, + 0 /* Not datagram */); if (!ret) { talloc_free(tmp_ctx); return NT_STATUS_INTERNAL_ERROR; @@ -300,7 +117,7 @@ static NTSTATUS kdc_tcp_recv(void *private_data, DATA_BLOB blob) } RSIVAL(blob.data, 0, reply.length); - memcpy(blob.data + 4, reply.data, reply.length); + memcpy(blob.data + 4, reply.data, reply.length); status = packet_send(kdcconn->packet, blob); if (!NT_STATUS_IS_OK(status)) { @@ -349,8 +166,8 @@ static void kdc_tcp_send(struct stream_connection *conn, uint16_t flags) */ static bool kdc_process(struct kdc_server *kdc, - TALLOC_CTX *mem_ctx, - DATA_BLOB *input, + TALLOC_CTX *mem_ctx, + DATA_BLOB *input, DATA_BLOB *reply, struct tsocket_address *peer_addr, struct tsocket_address *my_addr, @@ -377,7 +194,7 @@ static bool kdc_process(struct kdc_server *kdc, DEBUG(10,("Received KDC packet of length %lu from %s\n", (long)input->length - 4, pa)); - ret = krb5_kdc_process_krb5_request(kdc->smb_krb5_context->krb5_context, + ret = krb5_kdc_process_krb5_request(kdc->smb_krb5_context->krb5_context, kdc->config, input->data, input->length, &k5_reply, @@ -392,7 +209,7 @@ static bool kdc_process(struct kdc_server *kdc, *reply = data_blob_talloc(mem_ctx, k5_reply.data, k5_reply.length); krb5_data_free(&k5_reply); } else { - *reply = data_blob(NULL, 0); + *reply = data_blob(NULL, 0); } return true; } @@ -410,9 +227,8 @@ static void kdc_tcp_accept(struct stream_connection *conn) stream_terminate_connection(conn, "kdc_tcp_accept: out of memory"); return; } - kdcconn->conn = conn; - kdcconn->kdc = kdc_socket->kdc; - kdcconn->process = kdc_socket->process; + kdcconn->conn = conn; + kdcconn->kdc_socket = kdc_socket; conn->private_data = kdcconn; kdcconn->packet = packet_init(kdcconn); @@ -437,6 +253,105 @@ static const struct stream_server_ops kdc_tcp_stream_ops = { .send_handler = kdc_tcp_send }; +/* hold information about one kdc/kpasswd udp socket */ +struct kdc_udp_socket { + struct kdc_socket *kdc_socket; + struct tdgram_context *dgram; + struct tevent_queue *send_queue; +}; + +struct kdc_udp_call { + struct tsocket_address *src; + DATA_BLOB in; + DATA_BLOB out; +}; + +static void kdc_udp_call_sendto_done(struct tevent_req *subreq); + +static void kdc_udp_call_loop(struct tevent_req *subreq) +{ + struct kdc_udp_socket *sock = tevent_req_callback_data(subreq, + struct kdc_udp_socket); + struct kdc_udp_call *call; + uint8_t *buf; + ssize_t len; + int sys_errno; + int ret; + + call = talloc(sock, struct kdc_udp_call); + if (call == NULL) { + talloc_free(call); + goto done; + } + + len = tdgram_recvfrom_recv(subreq, &sys_errno, + call, &buf, &call->src); + TALLOC_FREE(subreq); + if (len == -1) { + talloc_free(call); + goto done; + } + + call->in.data = buf; + call->in.length = len; + + DEBUG(10,("Received krb5 UDP packet of length %lu from %s\n", + (long)call->in.length, + tsocket_address_string(call->src, call))); + + /* Call krb5 */ + ret = sock->kdc_socket->process(sock->kdc_socket->kdc, + call, + &call->in, + &call->out, + call->src, + sock->kdc_socket->local_address, + 1 /* Datagram */); + if (!ret) { + talloc_free(call); + goto done; + } + + subreq = tdgram_sendto_queue_send(call, + sock->kdc_socket->kdc->task->event_ctx, + sock->dgram, + sock->send_queue, + call->out.data, + call->out.length, + call->src); + if (subreq == NULL) { + talloc_free(call); + goto done; + } + tevent_req_set_callback(subreq, kdc_udp_call_sendto_done, call); + +done: + subreq = tdgram_recvfrom_send(sock, + sock->kdc_socket->kdc->task->event_ctx, + sock->dgram); + if (subreq == NULL) { + task_server_terminate(sock->kdc_socket->kdc->task, + "no memory for tdgram_recvfrom_send", + true); + return; + } + tevent_req_set_callback(subreq, kdc_udp_call_loop, sock); +} + +static void kdc_udp_call_sendto_done(struct tevent_req *subreq) +{ + struct kdc_udp_call *call = tevent_req_callback_data(subreq, + struct kdc_udp_call); + ssize_t ret; + int sys_errno; + + ret = tdgram_sendto_queue_recv(subreq, &sys_errno); + + /* We don't care about errors */ + + talloc_free(call); +} + /* start listening on the given address */ @@ -447,47 +362,32 @@ static NTSTATUS kdc_add_socket(struct kdc_server *kdc, uint16_t port, kdc_process_fn_t process) { - struct kdc_socket *kdc_socket; - struct socket_address *socket_address; + struct kdc_socket *kdc_socket; + struct kdc_udp_socket *kdc_udp_socket; + struct tevent_req *udpsubreq; NTSTATUS status; + int ret; kdc_socket = talloc(kdc, struct kdc_socket); NT_STATUS_HAVE_NO_MEMORY(kdc_socket); - status = socket_create("ip", SOCKET_TYPE_DGRAM, &kdc_socket->sock, 0); - if (!NT_STATUS_IS_OK(status)) { - talloc_free(kdc_socket); - return status; - } - kdc_socket->kdc = kdc; - kdc_socket->send_queue = NULL; kdc_socket->process = process; - talloc_steal(kdc_socket, kdc_socket->sock); - - kdc_socket->fde = event_add_fd(kdc->task->event_ctx, kdc, - socket_get_fd(kdc_socket->sock), EVENT_FD_READ, - kdc_socket_handler, kdc_socket); - - socket_address = socket_address_from_strings(kdc_socket, kdc_socket->sock->backend_name, - address, port); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(socket_address, kdc_socket); - - status = socket_listen(kdc_socket->sock, socket_address, 0, 0); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0,("Failed to bind to %s:%d UDP for %s - %s\n", - address, port, name, nt_errstr(status))); - talloc_free(kdc_socket); + ret = tsocket_address_inet_from_strings(kdc_socket, "ip", + address, port, + &kdc_socket->local_address); + if (ret != 0) { + status = map_nt_error_from_unix(errno); return status; } - status = stream_setup_socket(kdc->task->event_ctx, + status = stream_setup_socket(kdc->task->event_ctx, kdc->task->lp_ctx, - model_ops, - &kdc_tcp_stream_ops, - "ip", address, &port, - lp_socket_options(kdc->task->lp_ctx), + model_ops, + &kdc_tcp_stream_ops, + "ip", address, &port, + lp_socket_options(kdc->task->lp_ctx), kdc_socket); if (!NT_STATUS_IS_OK(status)) { DEBUG(0,("Failed to bind to %s:%u TCP - %s\n", @@ -496,6 +396,32 @@ static NTSTATUS kdc_add_socket(struct kdc_server *kdc, return status; } + kdc_udp_socket = talloc(kdc_socket, struct kdc_udp_socket); + NT_STATUS_HAVE_NO_MEMORY(kdc_udp_socket); + + kdc_udp_socket->kdc_socket = kdc_socket; + + ret = tdgram_inet_udp_socket(kdc_socket->local_address, + NULL, + kdc_udp_socket, + &kdc_udp_socket->dgram); + if (ret != 0) { + status = map_nt_error_from_unix(errno); + DEBUG(0,("Failed to bind to %s:%u UDP - %s\n", + address, port, nt_errstr(status))); + return status; + } + + kdc_udp_socket->send_queue = tevent_queue_create(kdc_udp_socket, + "kdc_udp_send_queue"); + NT_STATUS_HAVE_NO_MEMORY(kdc_udp_socket->send_queue); + + udpsubreq = tdgram_recvfrom_send(kdc_udp_socket, + kdc->task->event_ctx, + kdc_udp_socket->dgram); + NT_STATUS_HAVE_NO_MEMORY(udpsubreq); + tevent_req_set_callback(udpsubreq, kdc_udp_call_loop, kdc_udp_socket); + return NT_STATUS_OK; } @@ -522,7 +448,7 @@ static NTSTATUS kdc_startup_interfaces(struct kdc_server *kdc, struct loadparm_c } num_interfaces = iface_count(ifaces); - + for (i=0; i<num_interfaces; i++) { const char *address = talloc_strdup(tmp_ctx, iface_n_ip(ifaces, i)); uint16_t kdc_port = lp_krb5_port(lp_ctx); @@ -549,7 +475,7 @@ static NTSTATUS kdc_startup_interfaces(struct kdc_server *kdc, struct loadparm_c } -static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg, +static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg, struct kdc_check_generic_kerberos *r) { struct PAC_Validate pac_validate; @@ -567,14 +493,14 @@ static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg, /* There is no reply to this request */ r->out.generic_reply = data_blob(NULL, 0); - ndr_err = ndr_pull_struct_blob(&r->in.generic_request, msg, - lp_iconv_convenience(kdc->task->lp_ctx), + ndr_err = ndr_pull_struct_blob(&r->in.generic_request, msg, + lp_iconv_convenience(kdc->task->lp_ctx), &pac_validate, (ndr_pull_flags_fn_t)ndr_pull_PAC_Validate); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { return NT_STATUS_INVALID_PARAMETER; } - + if (pac_validate.MessageType != 3) { /* We don't implement any other message types - such as certificate validation - yet */ return NT_STATUS_INVALID_PARAMETER; @@ -585,10 +511,10 @@ static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg, || pac_validate.ChecksumAndSignature.length < pac_validate.SignatureLength ) { return NT_STATUS_INVALID_PARAMETER; } - - srv_sig = data_blob_const(pac_validate.ChecksumAndSignature.data, + + srv_sig = data_blob_const(pac_validate.ChecksumAndSignature.data, pac_validate.ChecksumLength); - + if (pac_validate.SignatureType == CKSUMTYPE_HMAC_MD5) { etype = ETYPE_ARCFOUR_HMAC_MD5; } else { @@ -599,16 +525,16 @@ static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg, } } - ret = krb5_make_principal(kdc->smb_krb5_context->krb5_context, &principal, + ret = krb5_make_principal(kdc->smb_krb5_context->krb5_context, &principal, lp_realm(kdc->task->lp_ctx), - "krbtgt", lp_realm(kdc->task->lp_ctx), + "krbtgt", lp_realm(kdc->task->lp_ctx), NULL); if (ret != 0) { return NT_STATUS_NO_MEMORY; } - ret = kdc->config->db[0]->hdb_fetch(kdc->smb_krb5_context->krb5_context, + ret = kdc->config->db[0]->hdb_fetch(kdc->smb_krb5_context->krb5_context, kdc->config->db[0], principal, HDB_F_GET_KRBTGT | HDB_F_DECRYPT, @@ -617,10 +543,10 @@ static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg, if (ret != 0) { hdb_free_entry(kdc->smb_krb5_context->krb5_context, &ent); krb5_free_principal(kdc->smb_krb5_context->krb5_context, principal); - + return NT_STATUS_LOGON_FAILURE; } - + ret = hdb_enctype2key(kdc->smb_krb5_context->krb5_context, &ent.entry, etype, &key); if (ret != 0) { @@ -630,11 +556,11 @@ static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg, } keyblock = key->key; - + kdc_sig.type = pac_validate.SignatureType; kdc_sig.signature = data_blob_const(&pac_validate.ChecksumAndSignature.data[pac_validate.ChecksumLength], pac_validate.SignatureLength); - ret = check_pac_checksum(msg, srv_sig, &kdc_sig, + ret = check_pac_checksum(msg, srv_sig, &kdc_sig, kdc->smb_krb5_context->krb5_context, &keyblock); hdb_free_entry(kdc->smb_krb5_context->krb5_context, &ent); @@ -643,7 +569,7 @@ static NTSTATUS kdc_check_generic_kerberos(struct irpc_message *msg, if (ret != 0) { return NT_STATUS_LOGON_FAILURE; } - + return NT_STATUS_OK; } @@ -691,21 +617,21 @@ static void kdc_task_init(struct task_server *task) ret = smb_krb5_init_context(kdc, task->event_ctx, task->lp_ctx, &kdc->smb_krb5_context); if (ret) { - DEBUG(1,("kdc_task_init: krb5_init_context failed (%s)\n", + DEBUG(1,("kdc_task_init: krb5_init_context failed (%s)\n", error_message(ret))); task_server_terminate(task, "kdc: krb5_init_context failed", true); - return; + return; } krb5_add_et_list(kdc->smb_krb5_context->krb5_context, initialize_hdb_error_table_r); - ret = krb5_kdc_get_config(kdc->smb_krb5_context->krb5_context, + ret = krb5_kdc_get_config(kdc->smb_krb5_context->krb5_context, &kdc->config); if(ret) { task_server_terminate(task, "kdc: failed to get KDC configuration", true); return; } - + kdc->config->logf = kdc->smb_krb5_context->logf; kdc->config->db = talloc(kdc, struct HDB *); if (!kdc->config->db) { @@ -713,13 +639,13 @@ static void kdc_task_init(struct task_server *task) return; } kdc->config->num_db = 1; - - status = hdb_samba4_create_kdc(kdc, task->event_ctx, task->lp_ctx, - kdc->smb_krb5_context->krb5_context, + + status = hdb_samba4_create_kdc(kdc, task->event_ctx, task->lp_ctx, + kdc->smb_krb5_context->krb5_context, &kdc->config->db[0]); if (!NT_STATUS_IS_OK(status)) { task_server_terminate(task, "kdc: hdb_samba4_create_kdc (setup KDC database) failed", true); - return; + return; } /* Register hdb-samba4 hooks for use as a keytab */ @@ -727,13 +653,13 @@ static void kdc_task_init(struct task_server *task) kdc->hdb_samba4_context = talloc(kdc, struct hdb_samba4_context); if (!kdc->hdb_samba4_context) { task_server_terminate(task, "kdc: out of memory", true); - return; + return; } kdc->hdb_samba4_context->ev_ctx = task->event_ctx; kdc->hdb_samba4_context->lp_ctx = task->lp_ctx; - ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context, + ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context, PLUGIN_TYPE_DATA, "hdb", &hdb_samba4); if(ret) { @@ -748,7 +674,7 @@ static void kdc_task_init(struct task_server *task) } /* Registar WinDC hooks */ - ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context, + ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context, PLUGIN_TYPE_DATA, "windc", &windc_plugin_table); if(ret) { @@ -765,7 +691,7 @@ static void kdc_task_init(struct task_server *task) return; } - status = IRPC_REGISTER(task->msg_ctx, irpc, KDC_CHECK_GENERIC_KERBEROS, + status = IRPC_REGISTER(task->msg_ctx, irpc, KDC_CHECK_GENERIC_KERBEROS, kdc_check_generic_kerberos, kdc); if (!NT_STATUS_IS_OK(status)) { task_server_terminate(task, "nbtd failed to setup monitoring", true); diff --git a/source4/kdc/kdc.h b/source4/kdc/kdc.h index 4a715fd498..b9cf621537 100644 --- a/source4/kdc/kdc.h +++ b/source4/kdc/kdc.h @@ -1,21 +1,21 @@ -/* +/* Unix SMB/CIFS implementation. KDC structures Copyright (C) Andrew Tridgell 2005 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ @@ -33,8 +33,8 @@ struct tsocket_address; bool kpasswdd_process(struct kdc_server *kdc, - TALLOC_CTX *mem_ctx, - DATA_BLOB *input, + TALLOC_CTX *mem_ctx, + DATA_BLOB *input, DATA_BLOB *reply, struct tsocket_address *peer_addr, struct tsocket_address *my_addr, diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c index 9b3336a7a1..8406887dad 100644 --- a/source4/kdc/kpasswdd.c +++ b/source4/kdc/kpasswdd.c @@ -1,4 +1,4 @@ -/* +/* Unix SMB/CIFS implementation. kpasswd Server implementation @@ -10,12 +10,12 @@ it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ @@ -45,15 +45,15 @@ #endif /* Return true if there is a valid error packet formed in the error_blob */ -static bool kpasswdd_make_error_reply(struct kdc_server *kdc, - TALLOC_CTX *mem_ctx, - uint16_t result_code, - const char *error_string, - DATA_BLOB *error_blob) +static bool kpasswdd_make_error_reply(struct kdc_server *kdc, + TALLOC_CTX *mem_ctx, + uint16_t result_code, + const char *error_string, + DATA_BLOB *error_blob) { char *error_string_utf8; size_t len; - + DEBUG(result_code ? 3 : 10, ("kpasswdd: %s\n", error_string)); if (!push_utf8_talloc(mem_ctx, &error_string_utf8, error_string, &len)) { @@ -70,17 +70,17 @@ static bool kpasswdd_make_error_reply(struct kdc_server *kdc, } /* Return true if there is a valid error packet formed in the error_blob */ -static bool kpasswdd_make_unauth_error_reply(struct kdc_server *kdc, - TALLOC_CTX *mem_ctx, - uint16_t result_code, - const char *error_string, - DATA_BLOB *error_blob) +static bool kpasswdd_make_unauth_error_reply(struct kdc_server *kdc, + TALLOC_CTX *mem_ctx, + uint16_t result_code, + const char *error_string, + DATA_BLOB *error_blob) { bool ret; int kret; DATA_BLOB error_bytes; krb5_data k5_error_bytes, k5_error_blob; - ret = kpasswdd_make_error_reply(kdc, mem_ctx, result_code, error_string, + ret = kpasswdd_make_error_reply(kdc, mem_ctx, result_code, error_string, &error_bytes); if (!ret) { return false; @@ -88,7 +88,7 @@ static bool kpasswdd_make_unauth_error_reply(struct kdc_server *kdc, k5_error_bytes.data = error_bytes.data; k5_error_bytes.length = error_bytes.length; kret = krb5_mk_error(kdc->smb_krb5_context->krb5_context, - result_code, NULL, &k5_error_bytes, + result_code, NULL, &k5_error_bytes, NULL, NULL, NULL, NULL, &k5_error_blob); if (kret) { return false; @@ -101,21 +101,21 @@ static bool kpasswdd_make_unauth_error_reply(struct kdc_server *kdc, return true; } -static bool kpasswd_make_pwchange_reply(struct kdc_server *kdc, - TALLOC_CTX *mem_ctx, - NTSTATUS status, +static bool kpasswd_make_pwchange_reply(struct kdc_server *kdc, + TALLOC_CTX *mem_ctx, + NTSTATUS status, enum samPwdChangeReason reject_reason, struct samr_DomInfo1 *dominfo, - DATA_BLOB *error_blob) + DATA_BLOB *error_blob) { if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) { - return kpasswdd_make_error_reply(kdc, mem_ctx, + return kpasswdd_make_error_reply(kdc, mem_ctx, KRB5_KPASSWD_ACCESSDENIED, "No such user when changing password", error_blob); } if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { - return kpasswdd_make_error_reply(kdc, mem_ctx, + return kpasswdd_make_error_reply(kdc, mem_ctx, KRB5_KPASSWD_ACCESSDENIED, "Not permitted to change password", error_blob); @@ -138,31 +138,31 @@ static bool kpasswd_make_pwchange_reply(struct kdc_server *kdc, dominfo->min_password_length, dominfo->password_history_length); break; } - return kpasswdd_make_error_reply(kdc, mem_ctx, + return kpasswdd_make_error_reply(kdc, mem_ctx, KRB5_KPASSWD_SOFTERROR, reject_string, error_blob); } if (!NT_STATUS_IS_OK(status)) { - return kpasswdd_make_error_reply(kdc, mem_ctx, + return kpasswdd_make_error_reply(kdc, mem_ctx, KRB5_KPASSWD_HARDERROR, talloc_asprintf(mem_ctx, "failed to set password: %s", nt_errstr(status)), error_blob); - + } return kpasswdd_make_error_reply(kdc, mem_ctx, KRB5_KPASSWD_SUCCESS, "Password changed", error_blob); } -/* +/* A user password change - + Return true if there is a valid error packet (or sucess) formed in the error_blob */ static bool kpasswdd_change_password(struct kdc_server *kdc, - TALLOC_CTX *mem_ctx, + TALLOC_CTX *mem_ctx, struct auth_session_info *session_info, const DATA_BLOB *password, DATA_BLOB *reply) @@ -174,45 +174,45 @@ static bool kpasswdd_change_password(struct kdc_server *kdc, samdb = samdb_connect(mem_ctx, kdc->task->event_ctx, kdc->task->lp_ctx, system_session(kdc->task->lp_ctx)); if (!samdb) { - return kpasswdd_make_error_reply(kdc, mem_ctx, + return kpasswdd_make_error_reply(kdc, mem_ctx, KRB5_KPASSWD_HARDERROR, "Failed to open samdb", reply); } - - DEBUG(3, ("Changing password of %s\\%s (%s)\n", + + DEBUG(3, ("Changing password of %s\\%s (%s)\n", session_info->server_info->domain_name, session_info->server_info->account_name, dom_sid_string(mem_ctx, session_info->security_token->user_sid))); /* User password change */ - status = samdb_set_password_sid(samdb, mem_ctx, + status = samdb_set_password_sid(samdb, mem_ctx, session_info->security_token->user_sid, - password, NULL, NULL, + password, NULL, NULL, true, /* this is a user password change */ &reject_reason, &dominfo); - return kpasswd_make_pwchange_reply(kdc, mem_ctx, - status, + return kpasswd_make_pwchange_reply(kdc, mem_ctx, + status, reject_reason, - dominfo, + dominfo, reply); } static bool kpasswd_process_request(struct kdc_server *kdc, - TALLOC_CTX *mem_ctx, + TALLOC_CTX *mem_ctx, struct gensec_security *gensec_security, uint16_t version, - DATA_BLOB *input, + DATA_BLOB *input, DATA_BLOB *reply) { struct auth_session_info *session_info; size_t pw_len; - if (!NT_STATUS_IS_OK(gensec_session_info(gensec_security, + if (!NT_STATUS_IS_OK(gensec_session_info(gensec_security, &session_info))) { - return kpasswdd_make_error_reply(kdc, mem_ctx, + return kpasswdd_make_error_reply(kdc, mem_ctx, KRB5_KPASSWD_HARDERROR, "gensec_session_info failed!", reply); @@ -222,16 +222,16 @@ static bool kpasswd_process_request(struct kdc_server *kdc, case KRB5_KPASSWD_VERS_CHANGEPW: { DATA_BLOB password; - if (!convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(kdc->task->lp_ctx), - CH_UTF8, CH_UTF16, - (const char *)input->data, + if (!convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(kdc->task->lp_ctx), + CH_UTF8, CH_UTF16, + (const char *)input->data, input->length, (void **)&password.data, &pw_len, false)) { return false; } password.length = pw_len; - - return kpasswdd_change_password(kdc, mem_ctx, session_info, + + return kpasswdd_change_password(kdc, mem_ctx, session_info, &password, reply); break; } @@ -262,26 +262,26 @@ static bool kpasswd_process_request(struct kdc_server *kdc, ret = decode_ChangePasswdDataMS(input->data, input->length, &chpw, &len); if (ret) { - return kpasswdd_make_error_reply(kdc, mem_ctx, + return kpasswdd_make_error_reply(kdc, mem_ctx, KRB5_KPASSWD_MALFORMED, "failed to decode password change structure", reply); } - - if (!convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(kdc->task->lp_ctx), - CH_UTF8, CH_UTF16, - (const char *)chpw.newpasswd.data, + + if (!convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(kdc->task->lp_ctx), + CH_UTF8, CH_UTF16, + (const char *)chpw.newpasswd.data, chpw.newpasswd.length, (void **)&password.data, &pw_len, false)) { free_ChangePasswdDataMS(&chpw); return false; } - + password.length = pw_len; - - if ((chpw.targname && !chpw.targrealm) + + if ((chpw.targname && !chpw.targrealm) || (!chpw.targname && chpw.targrealm)) { - return kpasswdd_make_error_reply(kdc, mem_ctx, + return kpasswdd_make_error_reply(kdc, mem_ctx, KRB5_KPASSWD_MALFORMED, "Realm and principal must be both present, or neither present", reply); @@ -289,14 +289,14 @@ static bool kpasswd_process_request(struct kdc_server *kdc, if (chpw.targname && chpw.targrealm) { #ifdef SAMBA4_INTERNAL_HEIMDAL if (_krb5_principalname2krb5_principal(kdc->smb_krb5_context->krb5_context, - &principal, *chpw.targname, + &principal, *chpw.targname, *chpw.targrealm) != 0) { free_ChangePasswdDataMS(&chpw); - return kpasswdd_make_error_reply(kdc, mem_ctx, + return kpasswdd_make_error_reply(kdc, mem_ctx, KRB5_KPASSWD_MALFORMED, "failed to extract principal to set", reply); - + } #else /* SAMBA4_INTERNAL_HEIMDAL */ return kpasswdd_make_error_reply(kdc, mem_ctx, @@ -306,54 +306,54 @@ static bool kpasswd_process_request(struct kdc_server *kdc, #endif /* SAMBA4_INTERNAL_HEIMDAL */ } else { free_ChangePasswdDataMS(&chpw); - return kpasswdd_change_password(kdc, mem_ctx, session_info, + return kpasswdd_change_password(kdc, mem_ctx, session_info, &password, reply); } free_ChangePasswdDataMS(&chpw); if (krb5_unparse_name(context, principal, &set_password_on_princ) != 0) { krb5_free_principal(context, principal); - return kpasswdd_make_error_reply(kdc, mem_ctx, + return kpasswdd_make_error_reply(kdc, mem_ctx, KRB5_KPASSWD_MALFORMED, "krb5_unparse_name failed!", reply); } - + krb5_free_principal(context, principal); - + samdb = samdb_connect(mem_ctx, kdc->task->event_ctx, kdc->task->lp_ctx, session_info); if (!samdb) { - return kpasswdd_make_error_reply(kdc, mem_ctx, + return kpasswdd_make_error_reply(kdc, mem_ctx, KRB5_KPASSWD_HARDERROR, "Unable to open database!", reply); } - DEBUG(3, ("%s\\%s (%s) is changing password of %s\n", + DEBUG(3, ("%s\\%s (%s) is changing password of %s\n", session_info->server_info->domain_name, session_info->server_info->account_name, - dom_sid_string(mem_ctx, session_info->security_token->user_sid), + dom_sid_string(mem_ctx, session_info->security_token->user_sid), set_password_on_princ)); ret = ldb_transaction_start(samdb); if (ret) { status = NT_STATUS_TRANSACTION_ABORTED; - return kpasswd_make_pwchange_reply(kdc, mem_ctx, + return kpasswd_make_pwchange_reply(kdc, mem_ctx, status, SAM_PWD_CHANGE_NO_ERROR, - NULL, + NULL, reply); } - status = crack_user_principal_name(samdb, mem_ctx, - set_password_on_princ, + status = crack_user_principal_name(samdb, mem_ctx, + set_password_on_princ, &set_password_on_dn, NULL); free(set_password_on_princ); if (!NT_STATUS_IS_OK(status)) { ldb_transaction_cancel(samdb); - return kpasswd_make_pwchange_reply(kdc, mem_ctx, + return kpasswd_make_pwchange_reply(kdc, mem_ctx, status, SAM_PWD_CHANGE_NO_ERROR, - NULL, + NULL, reply); } @@ -372,7 +372,7 @@ static bool kpasswd_process_request(struct kdc_server *kdc, /* Admin password set */ status = samdb_set_password(samdb, mem_ctx, set_password_on_dn, NULL, - msg, &password, NULL, NULL, + msg, &password, NULL, NULL, false, /* this is not a user password change */ &reject_reason, &dominfo); } @@ -398,17 +398,17 @@ static bool kpasswd_process_request(struct kdc_server *kdc, } else { ldb_transaction_cancel(samdb); } - return kpasswd_make_pwchange_reply(kdc, mem_ctx, + return kpasswd_make_pwchange_reply(kdc, mem_ctx, status, - reject_reason, - dominfo, + reject_reason, + dominfo, reply); } default: - return kpasswdd_make_error_reply(kdc, mem_ctx, + return kpasswdd_make_error_reply(kdc, mem_ctx, KRB5_KPASSWD_BAD_VERSION, - talloc_asprintf(mem_ctx, - "Protocol version %u not supported", + talloc_asprintf(mem_ctx, + "Protocol version %u not supported", version), reply); } @@ -416,8 +416,8 @@ static bool kpasswd_process_request(struct kdc_server *kdc, } bool kpasswdd_process(struct kdc_server *kdc, - TALLOC_CTX *mem_ctx, - DATA_BLOB *input, + TALLOC_CTX *mem_ctx, + DATA_BLOB *input, DATA_BLOB *reply, struct tsocket_address *peer_addr, struct tsocket_address *my_addr, @@ -466,11 +466,11 @@ bool kpasswdd_process(struct kdc_server *kdc, talloc_free(tmp_ctx); return false; } - + krb_priv_len = len - ap_req_len; ap_req = data_blob_const(&input->data[header_len], ap_req_len); krb_priv_req = data_blob_const(&input->data[header_len + ap_req_len], krb_priv_len); - + server_credentials = cli_credentials_init(tmp_ctx); if (!server_credentials) { DEBUG(1, ("Failed to init server credentials\n")); @@ -478,7 +478,7 @@ bool kpasswdd_process(struct kdc_server *kdc, } /* We want the credentials subsystem to use the krb5 context - * we already have, rather than a new context */ + * we already have, rather than a new context */ cli_credentials_set_krb5_context(server_credentials, kdc->smb_krb5_context); cli_credentials_set_conf(server_credentials, kdc->task->lp_ctx); @@ -487,10 +487,10 @@ bool kpasswdd_process(struct kdc_server *kdc, cli_credentials_set_username(server_credentials, "kadmin/changepw", CRED_SPECIFIED); ret = cli_credentials_set_keytab_name(server_credentials, kdc->task->event_ctx, kdc->task->lp_ctx, keytab_name, CRED_SPECIFIED); if (ret != 0) { - ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx, + ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx, KRB5_KPASSWD_HARDERROR, - talloc_asprintf(mem_ctx, - "Failed to obtain server credentials for kadmin/changepw: %s\n", + talloc_asprintf(mem_ctx, + "Failed to obtain server credentials for kadmin/changepw: %s\n", nt_errstr(nt_status)), &krb_priv_rep); ap_rep.length = 0; @@ -500,16 +500,16 @@ bool kpasswdd_process(struct kdc_server *kdc, talloc_free(tmp_ctx); return ret; } - + /* We don't strictly need to call this wrapper, and could call * gensec_server_start directly, as we have no need for NTLM * and we have a PAC, but this ensures that the wrapper can be * safely extended for other helpful things in future */ - nt_status = samba_server_gensec_start(tmp_ctx, kdc->task->event_ctx, + nt_status = samba_server_gensec_start(tmp_ctx, kdc->task->event_ctx, kdc->task->msg_ctx, kdc->task->lp_ctx, server_credentials, - "kpasswd", + "kpasswd", &gensec_security); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); @@ -549,11 +549,11 @@ bool kpasswdd_process(struct kdc_server *kdc, /* Accept the AP-REQ and generate teh AP-REP we need for the reply */ nt_status = gensec_update(gensec_security, tmp_ctx, ap_req, &ap_rep); if (!NT_STATUS_IS_OK(nt_status) && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - - ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx, + + ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx, KRB5_KPASSWD_HARDERROR, - talloc_asprintf(mem_ctx, - "gensec_update failed: %s", + talloc_asprintf(mem_ctx, + "gensec_update failed: %s", nt_errstr(nt_status)), &krb_priv_rep); ap_rep.length = 0; @@ -567,10 +567,10 @@ bool kpasswdd_process(struct kdc_server *kdc, /* Extract the data from the KRB-PRIV half of the message */ nt_status = gensec_unwrap(gensec_security, tmp_ctx, &krb_priv_req, &kpasswd_req); if (!NT_STATUS_IS_OK(nt_status)) { - ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx, + ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx, KRB5_KPASSWD_HARDERROR, - talloc_asprintf(mem_ctx, - "gensec_unwrap failed: %s", + talloc_asprintf(mem_ctx, + "gensec_unwrap failed: %s", nt_errstr(nt_status)), &krb_priv_rep); ap_rep.length = 0; @@ -582,10 +582,10 @@ bool kpasswdd_process(struct kdc_server *kdc, } /* Figure out something to do with it (probably changing a password...) */ - ret = kpasswd_process_request(kdc, tmp_ctx, - gensec_security, - version, - &kpasswd_req, &kpasswd_rep); + ret = kpasswd_process_request(kdc, tmp_ctx, + gensec_security, + version, + &kpasswd_req, &kpasswd_rep); if (!ret) { /* Argh! */ return false; @@ -593,13 +593,13 @@ bool kpasswdd_process(struct kdc_server *kdc, /* And wrap up the reply: This ensures that the error message * or success can be verified by the client */ - nt_status = gensec_wrap(gensec_security, tmp_ctx, + nt_status = gensec_wrap(gensec_security, tmp_ctx, &kpasswd_rep, &krb_priv_rep); if (!NT_STATUS_IS_OK(nt_status)) { - ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx, + ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx, KRB5_KPASSWD_HARDERROR, - talloc_asprintf(mem_ctx, - "gensec_wrap failed: %s", + talloc_asprintf(mem_ctx, + "gensec_wrap failed: %s", nt_errstr(nt_status)), &krb_priv_rep); ap_rep.length = 0; @@ -609,7 +609,7 @@ bool kpasswdd_process(struct kdc_server *kdc, talloc_free(tmp_ctx); return ret; } - + reply: *reply = data_blob_talloc(mem_ctx, NULL, krb_priv_rep.length + ap_rep.length + header_len); if (!reply->data) { @@ -619,11 +619,11 @@ reply: RSSVAL(reply->data, 0, reply->length); RSSVAL(reply->data, 2, 1); /* This is a version 1 reply, MS change/set or otherwise */ RSSVAL(reply->data, 4, ap_rep.length); - memcpy(reply->data + header_len, - ap_rep.data, + memcpy(reply->data + header_len, + ap_rep.data, ap_rep.length); - memcpy(reply->data + header_len + ap_rep.length, - krb_priv_rep.data, + memcpy(reply->data + header_len + ap_rep.length, + krb_priv_rep.data, krb_priv_rep.length); talloc_free(tmp_ctx); diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index 3d542d9a94..d921899c61 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -1,21 +1,21 @@ -/* +/* Unix SMB/CIFS implementation. PAC Glue between Samba and the KDC - + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2009 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ @@ -34,22 +34,22 @@ struct krb5_dh_moduli; struct _krb5_krb_auth_data; -static krb5_error_code samba_kdc_plugin_init(krb5_context context, void **ptr) +static krb5_error_code samba_kdc_plugin_init(krb5_context context, void **ptr) { *ptr = NULL; return 0; } -static void samba_kdc_plugin_fini(void *ptr) +static void samba_kdc_plugin_fini(void *ptr) { return; } static krb5_error_code make_pac(krb5_context context, - TALLOC_CTX *mem_ctx, + TALLOC_CTX *mem_ctx, struct smb_iconv_convenience *iconv_convenience, struct auth_serversupplied_info *server_info, - krb5_pac *pac) + krb5_pac *pac) { union PAC_INFO info; struct netr_SamInfo3 *info3; @@ -105,7 +105,7 @@ static krb5_error_code make_pac(krb5_context context, /* Given the right private pointer from hdb_samba4, get a PAC from the attached ldb messages */ static krb5_error_code samba_kdc_get_pac(void *priv, - krb5_context context, + krb5_context context, struct hdb_entry_ex *client, krb5_pac *pac) { @@ -151,7 +151,7 @@ static krb5_error_code samba_kdc_get_pac(void *priv, static krb5_error_code samba_kdc_reget_pac(void *priv, krb5_context context, const krb5_principal client_principal, - struct hdb_entry_ex *client, + struct hdb_entry_ex *client, struct hdb_entry_ex *server, krb5_pac *pac) { krb5_error_code ret; @@ -163,7 +163,7 @@ static krb5_error_code samba_kdc_reget_pac(void *priv, krb5_context context, struct auth_serversupplied_info *server_info_out; TALLOC_CTX *mem_ctx = talloc_named(p, 0, "samba_get_pac context"); - + if (!mem_ctx) { return ENOMEM; } @@ -230,8 +230,8 @@ static void samba_kdc_build_edata_reply(TALLOC_CTX *tmp_ctx, krb5_data *e_data, * the account_ok routine in auth/auth_sam.c for consistancy */ -static krb5_error_code samba_kdc_check_client_access(void *priv, - krb5_context context, +static krb5_error_code samba_kdc_check_client_access(void *priv, + krb5_context context, krb5_kdc_configuration *config, hdb_entry_ex *client_ex, const char *client_name, hdb_entry_ex *server_ex, const char *server_name, @@ -253,7 +253,7 @@ static krb5_error_code samba_kdc_check_client_access(void *priv, if (!tmp_ctx) { return ENOMEM; } - + if (addresses) { for (i=0; i < addresses->len; i++) { if (addresses->val->addr_type == KRB5_ADDRESS_NETBIOS) { @@ -276,7 +276,7 @@ static krb5_error_code samba_kdc_check_client_access(void *priv, password_change = (server_ex && server_ex->entry.flags.change_pw); /* we allow all kinds of trusts here */ - nt_status = authsam_account_ok(tmp_ctx, + nt_status = authsam_account_ok(tmp_ctx, p->samdb, MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT, p->realm_dn, diff --git a/source4/kdc/pac-glue.h b/source4/kdc/pac-glue.h index 1c14f7fdb6..f838ec353a 100644 --- a/source4/kdc/pac-glue.h +++ b/source4/kdc/pac-glue.h @@ -1,4 +1,4 @@ -/* +/* Unix SMB/CIFS implementation. KDC Server startup @@ -9,12 +9,12 @@ it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ |