summaryrefslogtreecommitdiff
path: root/source4/kdc
diff options
context:
space:
mode:
Diffstat (limited to 'source4/kdc')
-rw-r--r--source4/kdc/db-glue.c26
-rw-r--r--source4/kdc/kdc-policy.h25
-rw-r--r--source4/kdc/policy.c50
-rw-r--r--source4/kdc/samba_kdc.h1
-rw-r--r--source4/kdc/wscript_build9
5 files changed, 108 insertions, 3 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 4bb8e35091..15024fa38e 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -43,6 +43,7 @@
#include <hdb.h>
#include "kdc/samba_kdc.h"
#include "kdc/db-glue.h"
+#include "kdc/kdc-policy.h"
enum samba_kdc_ent_type
{ SAMBA_KDC_ENT_TYPE_CLIENT, SAMBA_KDC_ENT_TYPE_SERVER,
@@ -740,9 +741,28 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
entry_ex->entry.valid_start = NULL;
- entry_ex->entry.max_life = NULL;
+ entry_ex->entry.max_life = malloc(sizeof(*entry_ex->entry.max_life));
+ if (entry_ex->entry.max_life == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
- entry_ex->entry.max_renew = NULL;
+ if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
+ *entry_ex->entry.max_life = nt_time_to_unix(kdc_db_ctx->policy.service_tkt_lifetime);
+ } else if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT || ent_type == SAMBA_KDC_ENT_TYPE_CLIENT) {
+ *entry_ex->entry.max_life = nt_time_to_unix(kdc_db_ctx->policy.user_tkt_lifetime);
+ } else {
+ *entry_ex->entry.max_life = MIN(nt_time_to_unix(kdc_db_ctx->policy.service_tkt_lifetime),
+ nt_time_to_unix(kdc_db_ctx->policy.user_tkt_lifetime));
+ }
+
+ entry_ex->entry.max_renew = malloc(sizeof(*entry_ex->entry.max_life));
+ if (entry_ex->entry.max_renew == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+
+ *entry_ex->entry.max_renew = nt_time_to_unix(kdc_db_ctx->policy.user_tkt_renewaltime);
entry_ex->entry.generation = NULL;
@@ -1636,6 +1656,8 @@ NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_conte
kdc_db_ctx->ev_ctx = base_ctx->ev_ctx;
kdc_db_ctx->lp_ctx = base_ctx->lp_ctx;
+ kdc_get_policy(base_ctx->lp_ctx, NULL, &kdc_db_ctx->policy);
+
session_info = system_session(kdc_db_ctx->lp_ctx);
if (session_info == NULL) {
return NT_STATUS_INTERNAL_ERROR;
diff --git a/source4/kdc/kdc-policy.h b/source4/kdc/kdc-policy.h
new file mode 100644
index 0000000000..01e9372596
--- /dev/null
+++ b/source4/kdc/kdc-policy.h
@@ -0,0 +1,25 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ KDC Policy
+
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+struct lsa_DomainInfoKerberos;
+struct loadparm_context;
+struct smb_krb5_context;
+#include "kdc/kdc-policy-proto.h"
diff --git a/source4/kdc/policy.c b/source4/kdc/policy.c
new file mode 100644
index 0000000000..2760e06940
--- /dev/null
+++ b/source4/kdc/policy.c
@@ -0,0 +1,50 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ KDC Policy
+
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "lib/util/util.h"
+#include "kdc/kdc-policy.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
+#include "librpc/gen_ndr/lsa.h"
+#include "param/param.h"
+
+void kdc_get_policy(struct loadparm_context *lp_ctx,
+ struct smb_krb5_context *smb_krb5_context,
+ struct lsa_DomainInfoKerberos *k)
+{
+ /* These should be set and stored via Group Policy, but until then, some defaults are in order */
+
+ /* Our KDC always re-validates the client */
+ k->authentication_options = LSA_POLICY_KERBEROS_VALIDATE_CLIENT;
+
+ unix_to_nt_time(&k->service_tkt_lifetime,
+ lpcfg_parm_int(lp_ctx, NULL, "kdc", "service ticket lifefime", 10) * 60 * 60);
+ unix_to_nt_time(&k->user_tkt_lifetime,
+ lpcfg_parm_int(lp_ctx, NULL, "kdc", "user ticket lifefime", 10) * 60 * 60);
+ unix_to_nt_time(&k->user_tkt_renewaltime,
+ lpcfg_parm_int(lp_ctx, NULL, "kdc", "renewal lifefime", 24*7) * 60 * 60);
+ if (smb_krb5_context) {
+ unix_to_nt_time(&k->clock_skew,
+ krb5_get_max_time_skew(smb_krb5_context->krb5_context));
+ }
+ k->reserved = 0;
+}
diff --git a/source4/kdc/samba_kdc.h b/source4/kdc/samba_kdc.h
index 72b5cc42e4..faa4c7b7ad 100644
--- a/source4/kdc/samba_kdc.h
+++ b/source4/kdc/samba_kdc.h
@@ -36,6 +36,7 @@ struct samba_kdc_db_context {
bool rodc;
unsigned int my_krbtgt_number;
struct ldb_dn *krbtgt_dn;
+ struct lsa_DomainInfoKerberos policy;
};
struct samba_kdc_entry {
diff --git a/source4/kdc/wscript_build b/source4/kdc/wscript_build
index 82b9929254..7ff2623d64 100644
--- a/source4/kdc/wscript_build
+++ b/source4/kdc/wscript_build
@@ -38,10 +38,17 @@ bld.SAMBA_LIBRARY('pac',
bld.SAMBA_LIBRARY('db-glue',
source='db-glue.c',
- deps='ldb auth_sam auth_sam_reply credentials hdb samba-hostconfig com_err',
+ deps='ldb auth_sam auth_sam_reply credentials hdb samba-hostconfig com_err kdc-policy',
private_library=True
)
+bld.SAMBA_LIBRARY('kdc-policy',
+ source='policy.c',
+ deps='samba-hostconfig authkrb5',
+ private_library=True,
+ autoproto = 'kdc-policy-proto.h'
+ )
+
bld.SAMBA_SUBSYSTEM('MIT_SAMBA',
source='mit_samba.c',