From d8cbc6ccdb9b4e2906094f1f3b7793ed98a2fcf8 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Sun, 31 Jan 2010 13:29:57 -0500
Subject: s4:kdc add mit plugin code

---
source4/kdc/config.mk | 25 +++
source4/kdc/mit_samba.c | 374 ++++++++++++++++++++++++++++++++++++++
source4/kdc/mit_samba_interface.h | 60 ++++++
3 files changed, 459 insertions(+)
create mode 100644 source4/kdc/mit_samba.c
create mode 100644 source4/kdc/mit_samba_interface.h
diff --git a/source4/kdc/config.mk b/source4/kdc/config.mk
index 93f27a3935..d54a46d273 100644
--- a/source4/kdc/config.mk
+++ b/source4/kdc/config.mk
@@ -60,3 +60,28 @@ PRIVATE_DEPENDENCIES = \
 #######################
 DB_GLUE_OBJ_FILES = $(addprefix $(kdcsrcdir)/, db-glue.o)
+
+###############################################################
+# MIT KDC Plugin
+
+#######################
+# Start SUBSYSTEM MIT plugin
+[SUBSYSTEM::MIT_SAMBA]
+PRIVATE_DEPENDENCIES = \
+ LIBLDB auth_sam auth_sam_reply CREDENTIALS \
+ HEIMDAL_HDB DB_GLUE PAC_GLUE LIBSAMBA-HOSTCONFIG
+# End SUBSYSTEM MIT plugin
+#######################
+
+MIT_SAMBA_OBJ_FILES = $(addprefix $(kdcsrcdir)/, mit_samba.o)
+
+###################################
+# Start Library mit_samba
+[LIBRARY::mit_samba]
+PRIVATE_DEPENDENCIES = MIT_SAMBA
+LIBRARY_REALNAME = mit_samba.$(SHLIBEXT)
+OUTPUT_TYPE = SHARED_LIBRARY
+ENABLE = YES
+# End Library mit_samba
+###################################
+
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
new file mode 100644
index 0000000000..3faa20938f
--- /dev/null
+++ b/source4/kdc/mit_samba.c
@@ -0,0 +1,374 @@
+/*
+ MIT-Samba4 library
+
+ Copyright (c) 2010, Simo Sorce
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+ */
+
+#include "includes.h"
+#include "param/param.h"
+#include "dsdb/samdb/samdb.h"
+#include "auth/auth.h"
+#include "auth/credentials/credentials.h"
+#include "system/kerberos.h"
+#include "hdb.h"
+#include "mit_samba_interface.h"
+#include "auth/kerberos/kerberos.h"
+#include "kdc/samba_kdc.h"
+#include "kdc/pac-glue.h"
+#include "kdc/db-glue.h"
+
+const int mit_samba_interface_version = MIT_SAMBA_INTERFACE_VERSION;
+
+struct mit_samba_context {
+ struct auth_session_info *session_info;
+
+ /* for compat with hdb plugin common code */
+ krb5_context context;
+ struct samba_kdc_db_context *db_ctx;
+};
+
+static void mit_samba_context_free(struct mit_samba_context *ctx)
+{
+ /* free heimdal's krb5_context */
+ if (ctx->context) {
+ krb5_free_context(ctx->context);
+ }
+
+ /* then free everything else */
+ talloc_free(ctx);
+}
+
+static int mit_samba_context_init(struct mit_samba_context **_ctx)
+{
+ struct mit_samba_context *ctx;
+ const char *s4_conf_file;
+ int ret;
+
+
+ ctx = talloc(NULL, struct mit_samba_context);
+ if (!ctx) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ctx->db_ctx = talloc_zero(ctx, struct samba_kdc_db_context);
+ if (!ctx->db_ctx) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ctx->db_ctx->ev_ctx = tevent_context_init(ctx);
+ if (!ctx->db_ctx->ev_ctx) {
+ ret = ENOMEM;
+ goto done;
+ }
+ ctx->db_ctx->lp_ctx = loadparm_init(ctx);
+ if (!ctx->db_ctx->lp_ctx) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* init s4 configuration */
+ s4_conf_file = lp_configfile(ctx->db_ctx->lp_ctx);
+ if (s4_conf_file) {
+ lp_load(ctx->db_ctx->lp_ctx, s4_conf_file);
+ } else {
+ lp_load_default(ctx->db_ctx->lp_ctx);
+ }
+
+ ctx->session_info = system_session(ctx->db_ctx->lp_ctx);
+ if (!ctx->session_info) {
+ ret = EFAULT;
+ goto done;
+ }
+
+ cli_credentials_set_kerberos_state(ctx->session_info->credentials,
+ CRED_DONT_USE_KERBEROS);
+
+ ctx->db_ctx->ic_ctx = lp_iconv_convenience(ctx->db_ctx->lp_ctx);
+
+ ctx->db_ctx->samdb = samdb_connect(ctx,
+ ctx->db_ctx->ev_ctx,
+ ctx->db_ctx->lp_ctx,
+ ctx->session_info);
+ if (!ctx->db_ctx->samdb) {
+ ret = EFAULT;
+ goto done;
+ }
+
+ /* init heimdal's krb_context and log facilities */
+ ret = smb_krb5_init_context_basic(ctx,
+ ctx->db_ctx->ev_ctx,
+ ctx->db_ctx->lp_ctx,
+ &ctx->context);
+ if (ret) {
+ goto done;
+ }
+
+ ret = 0;
+
+done:
+ if (ret) {
+ mit_samba_context_free(ctx);
+ } else {
+ *_ctx = ctx;
+ }
+ return ret;
+}
+
+
+static int mit_samba_get_principal(struct mit_samba_context *ctx,
+ char *principal_string,
+ unsigned int flags,
+ hdb_entry_ex **_hentry)
+{
+ krb5_principal principal;
+ hdb_entry_ex *hentry;
+ int ret;
+
+ hentry = talloc(ctx, hdb_entry_ex);
+ if (!hentry) {
+ return ENOMEM;
+ }
+
+ ret = krb5_parse_name(ctx->context, principal_string, &principal);
+ if (ret) {
+ goto done;
+ }
+
+ ret = samba_kdc_fetch(ctx->context, ctx->db_ctx,
+ principal, flags, hentry);
+
+ krb5_free_principal(ctx->context, principal);
+
+done:
+ if (ret) {
+ talloc_free(hentry);
+ } else {
+ talloc_steal(hentry->ctx, hentry);
+ *_hentry = hentry;
+ }
+ return ret;
+}
+
+static int mit_samba_get_firstkey(struct mit_samba_context *ctx,
+ hdb_entry_ex **_hentry)
+{
+ hdb_entry_ex *hentry;
+ int ret;
+
+ hentry = talloc(ctx, hdb_entry_ex);
+ if (!hentry) {
+ return ENOMEM;
+ }
+
+ ret = samba_kdc_firstkey(ctx->context,
ctx->db_ctx, hentry);
+
+ if (ret) {
+ talloc_free(hentry);
+ } else {
+ talloc_steal(hentry->ctx, hentry);
+ *_hentry = hentry;
+ }
+ return ret;
+}
+
+static int mit_samba_get_nextkey(struct mit_samba_context *ctx,
+ hdb_entry_ex **_hentry)
+{
+ hdb_entry_ex *hentry;
+ int ret;
+
+ hentry = talloc(ctx, hdb_entry_ex);
+ if (!hentry) {
+ return ENOMEM;
+ }
+
+ ret = samba_kdc_nextkey(ctx->context, ctx->db_ctx, hentry);
+
+ if (ret) {
+ talloc_free(hentry);
+ } else {
+ talloc_steal(hentry->ctx, hentry);
+ *_hentry = hentry;
+ }
+ return ret;
+}
+
+static int mit_samba_get_pac_data(struct mit_samba_context *ctx,
+ hdb_entry_ex *client,
+ DATA_BLOB *data)
+{
+ TALLOC_CTX *tmp_ctx;
+ DATA_BLOB *pac_blob;
+ NTSTATUS nt_status;
+
+ tmp_ctx = talloc_named(ctx, 0, "mit_samba_get_pac_data context");
+ if (!tmp_ctx) {
+ return ENOMEM;
+ }
+
+ nt_status = samba_kdc_get_pac_blob(tmp_ctx, client, &pac_blob);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(tmp_ctx);
+ return EINVAL;
+ }
+
+ data->data = (uint8_t *)malloc(pac_blob->length);
+ if (!data->data) {
+ talloc_free(tmp_ctx);
+ return ENOMEM;
+ }
+ memcpy(data->data, pac_blob->data, pac_blob->length);
+ data->length = pac_blob->length;
+
+ talloc_free(tmp_ctx);
+ return 0;
+}
+
+static int mit_samba_update_pac_data(struct mit_samba_context *ctx,
+ hdb_entry_ex *client,
+ DATA_BLOB *pac_data,
+ DATA_BLOB *logon_data)
+{
+ TALLOC_CTX *tmp_ctx;
+ DATA_BLOB *logon_blob;
+ krb5_error_code code;
+ NTSTATUS nt_status;
+ krb5_pac pac = NULL;
+ int ret;
+
+ /* The user account may be set not to want the PAC */
+ if (client && !samba_princ_needs_pac(client)) {
+ return EINVAL;
+ }
+
+ tmp_ctx = talloc_named(ctx, 0, "mit_samba_update_pac_data context");
+ if (!tmp_ctx) {
+ return ENOMEM;
+ }
+
+ logon_blob = talloc_zero(tmp_ctx, DATA_BLOB);
+ if (!logon_blob) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ code = krb5_pac_parse(ctx->context,
+ pac_data->data, pac_data->length, &pac);
+ if (code) {
+ ret = EINVAL;
+ goto done;
+ }
+
+
nt_status = samba_kdc_update_pac_blob(tmp_ctx, ctx->context,
+ ctx->db_ctx->ic_ctx,
+ &pac, logon_blob);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0, ("Building PAC failed: %s\n",
+ nt_errstr(nt_status)));
+ ret = EINVAL;
+ goto done;
+ }
+
+ logon_data->data = (uint8_t *)malloc(logon_blob->length);
+ if (!logon_data->data) {
+ ret = ENOMEM;
+ goto done;
+ }
+ memcpy(logon_data->data, logon_blob->data, logon_blob->length);
+ logon_data->length = logon_blob->length;
+
+ ret = 0;
+
+done:
+ if (pac) krb5_pac_free(ctx->context, pac);
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static int mit_samba_check_client_access(struct mit_samba_context *ctx,
+ hdb_entry_ex *client,
+ const char *client_name,
+ hdb_entry_ex *server,
+ const char *server_name,
+ const char *netbios_name,
+ bool password_change,
+ DATA_BLOB *e_data)
+{
+ struct samba_kdc_entry *kdc_entry;
+ NTSTATUS nt_status;
+
+ kdc_entry = talloc_get_type(client->ctx, struct samba_kdc_entry);
+
+ nt_status = samba_kdc_check_client_access(kdc_entry,
+ client_name,
+ netbios_name,
+ password_change);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MEMORY)) {
+ return ENOMEM;
+ }
+
+ samba_kdc_build_edata_reply(nt_status, e_data);
+
+ return samba_kdc_map_policy_err(nt_status);
+ }
+
+ return 0;
+}
+
+static int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
+ hdb_entry_ex *entry,
+ const char *target_name,
+ bool is_nt_enterprise_name)
+{
+ krb5_principal target_principal;
+ int flags = 0;
+ int ret;
+
+ if (is_nt_enterprise_name) {
+ flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
+ }
+
+ ret = krb5_parse_name_flags(ctx->context, target_name,
+ flags, &target_principal);
+ if (ret) {
+ return ret;
+ }
+
+ ret = samba_kdc_check_constrained_delegation(ctx->context,
+ ctx->db_ctx,
+ entry,
+ target_principal);
+
+ krb5_free_principal(ctx->context, target_principal);
+
+ return ret;
+}
+
+struct mit_samba_function_table mit_samba_function_table = {
+ mit_samba_context_init,
+ mit_samba_context_free,
+ mit_samba_get_principal,
+ mit_samba_get_firstkey,
+ mit_samba_get_nextkey,
+ mit_samba_get_pac_data,
+ mit_samba_update_pac_data,
+ mit_samba_check_client_access,
+ mit_samba_check_s4u2proxy
+};
diff --git a/source4/kdc/mit_samba_interface.h b/source4/kdc/mit_samba_interface.h
new file mode 100644
index 0000000000..b92f7bf0ce
--- /dev/null
+++ b/source4/kdc/mit_samba_interface.h
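Review bot: The failure paths of mit_samba_context_init hand a NULL or partially initialised ctx to mit_samba_context_free: when `talloc(NULL, struct mit_samba_context)` fails the code still jumps to done, where mit_samba_context_free reads `ctx->context` through the NULL pointer, and because talloc() does not zero the allocation, a failure at any later goto that precedes smb_krb5_init_context_basic passes an uninitialised `ctx->context` to krb5_free_context. Allocate with `ctx = talloc_zero(NULL, struct mit_samba_context);` and return on that first failure, `if (!ctx) { return ENOMEM; }`, so every remaining goto done frees a fully zeroed context. Separately, mit_samba_check_client_access passes the result of `talloc_get_type(client->ctx, struct samba_kdc_entry)` straight into samba_kdc_check_client_access; talloc_get_type returns NULL on a type-name mismatch, and since this function is the account-policy gate for the client principal, checking `kdc_entry` and returning EINVAL when it is NULL would make that failure explicit instead of relying on the callee, which is outside this hunk, to cope. The `server` and `server_name` parameters of that same function are unused, which is worth a one-line comment if they are kept only for interface symmetry.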
@@ -0,0 +1,60 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * plugins/kdb/samba/kdb_samba_interface.h
+ *
+ * Copyright (c) 2009, Simo Sorce
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
+
+#define MIT_SAMBA_INTERFACE_VERSION 1
+
+#ifndef _SAMBA_BUILD_
+typedef struct datablob {
+ uint8_t *data;
+ size_t length;
+} DATA_BLOB;
+#endif
+
+struct mit_samba_context;
+
+struct mit_samba_function_table {
+ int (*init)(struct mit_samba_context **ctx);
+ void (*fini)(struct mit_samba_context *ctx);
+
+ /* db */
+ int (*get_principal)(struct mit_samba_context *, char *,
+ unsigned int, hdb_entry_ex **);
+ int (*get_firstkey)(struct mit_samba_context *, hdb_entry_ex **);
+ int (*get_nextkey)(struct mit_samba_context *, hdb_entry_ex **);
+
+ /* windc */
+ int (*get_pac)(struct mit_samba_context *, hdb_entry_ex *, DATA_BLOB *);
+ int (*update_pac)(struct mit_samba_context *, hdb_entry_ex *,
+ DATA_BLOB *, DATA_BLOB *);
+ int (*client_access)(struct mit_samba_context *,
+ hdb_entry_ex *, const char *,
+ hdb_entry_ex *, const char *,
+ const char *, bool, DATA_BLOB *);
+ int (*check_s4u2proxy)(struct mit_samba_context *,
+ hdb_entry_ex *, const char *, bool);
+};
-- cgit
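Review bot: The header has no include guard and uses `uint8_t`, `size_t`, `bool` and `hdb_entry_ex` without including anything itself, so it only compiles when the includer already has `<stdint.h>`, `<stddef.h>`, `<stdbool.h>` and the hdb header in scope, and a second inclusion redefines `struct mit_samba_function_table`. Wrap the file in `#ifndef MIT_SAMBA_INTERFACE_H` / `#define MIT_SAMBA_INTERFACE_H` / `#endif` and add those standard includes above the `MIT_SAMBA_INTERFACE_VERSION` define. The `#ifndef _SAMBA_BUILD_` fallback typedef for DATA_BLOB deserves a comment because it is the ABI shared across the plugin boundary: if it ever differs from Samba's own DATA_BLOB layout, the malloc'd buffers filled in by get_pac and update_pac in mit_samba.c are read with the wrong member offsets, so `/* must stay member-for-member identical to Samba's DATA_BLOB; both sides of the plugin boundary depend on this layout */`. The leading comment still names the file `plugins/kdb/samba/kdb_samba_interface.h`, which is not the path this commit adds it under.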