From 131111f16615177d4e7f999d740a94ca6b07e01e Mon Sep 17 00:00:00 2001
From: Andrew Kroeger
Date: Wed, 12 Mar 2008 23:21:14 -0500
Subject: kdc: Provide extended error information in AS-REP error replies.

This change utilizes the addition of the e_data parameter to the windc_plugin in the heimdal code to pass extended information back to the client. The extended information is provided in an e-data block as part of the kerberos error message, and allows the client to determine which specific error condition occurred.

(This used to be commit 502466ba950bfd104518b9eb9586896c1e076343)
---
 source4/kdc/pac-glue.c | 67 +++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 50 insertions(+), 17 deletions(-)
(limited to 'source4/kdc')
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 66f36af870..f65bd67ab1 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -220,13 +220,48 @@ krb5_error_code samba_kdc_reget_pac(void *priv, krb5_context context,
 return ret;
 }
+static void samba_kdc_build_edata_reply(TALLOC_CTX *tmp_ctx, krb5_data *e_data,
+ NTSTATUS nt_status)
+{
+ PA_DATA pa;
+ unsigned char *buf;
+ size_t len;
+ krb5_error_code ret = 0;
+ uint32_t *tmp;
+
+ if (!e_data)
+ return;
+
+ pa.padata_type = KRB5_PADATA_PW_SALT;
+ pa.padata_value.length = 12;
+ pa.padata_value.data = malloc(pa.padata_value.length);
+ if (!pa.padata_value.data) {
+ e_data->length = 0;
+ e_data->data = NULL;
+ return;
+ }
+
+ SIVAL(pa.padata_value.data, 0, NT_STATUS_V(nt_status));
+ SIVAL(pa.padata_value.data, 4, 0);
+ SIVAL(pa.padata_value.data, 8, 1);
+
+ ASN1_MALLOC_ENCODE(PA_DATA, buf, len, &pa, &len, ret);
+ free(pa.padata_value.data);
+
+ e_data->data = buf;
+ e_data->length = len;
+
+ return;
+}
+
 /* Given an hdb entry (and in particular it's private member), consult
 * the account_ok routine in auth/auth_sam.c for consistancy */
 krb5_error_code samba_kdc_check_client_access(void *priv, krb5_context context,
 hdb_entry_ex *entry_ex,
- KDC_REQ *req)
+ KDC_REQ *req,
+ krb5_data *e_data)
 {
 krb5_error_code ret;
 NTSTATUS nt_status;
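Review bot: `ret` from `ASN1_MALLOC_ENCODE` is never examined before `e_data->data = buf; e_data->length = len;`, so on an encoding failure the caller receives whatever `buf` and `len` hold in the macro's failure path rather than the empty krb5_data the malloc-failure branch a few lines above produces; adding `if (ret) { e_data->data = NULL; e_data->length = 0; return; }` right after the `free(pa.padata_value.data);` keeps both failure paths consistent. `tmp_ctx` is accepted but never used while the buffer is `malloc`ed, which presumably is deliberate because the krb5 library frees e_data itself — a comment such as `/* e_data is malloc()ed, not talloc()ed: ownership passes to libkrb5 */` would record that and explain the unused parameter. The literal `12` is the three 4-byte fields written by the `SIVAL` calls; a named constant or a sizeof-based expression would tie the length to the writes. samba_kdc_check_client_access begins at the end of this hunk and its body continues outside it.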
@@ -274,30 +309,28 @@ krb5_error_code samba_kdc_check_client_access(void *priv,
 name);
 free(name);
- /* TODO: Need a more complete mapping of NTSTATUS to krb5kdc errors */
-
- /* TODO: Also need to add the appropriate e-data struct of type
- * PA-PW-SALT (3) that includes the NT_STATUS code, which gives Windows
- * the information it needs to display the appropriate dialog. */
+ if (NT_STATUS_IS_OK(nt_status))
+ return 0;
 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_MUST_CHANGE))
- return KRB5KDC_ERR_KEY_EXPIRED;
+ ret = KRB5KDC_ERR_KEY_EXPIRED;
 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_EXPIRED))
- return KRB5KDC_ERR_KEY_EXPIRED;
+ ret = KRB5KDC_ERR_KEY_EXPIRED;
 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_EXPIRED))
- return KRB5KDC_ERR_CLIENT_REVOKED;
+ ret = KRB5KDC_ERR_CLIENT_REVOKED;
 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED))
- return KRB5KDC_ERR_CLIENT_REVOKED;
+ ret = KRB5KDC_ERR_CLIENT_REVOKED;
 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_LOGON_HOURS))
- return KRB5KDC_ERR_CLIENT_REVOKED;
+ ret = KRB5KDC_ERR_CLIENT_REVOKED;
 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_LOCKED_OUT))
- return KRB5KDC_ERR_CLIENT_REVOKED;
+ ret = KRB5KDC_ERR_CLIENT_REVOKED;
 else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_WORKSTATION))
- return KRB5KDC_ERR_POLICY;
- else if (!NT_STATUS_IS_OK(nt_status)) {
- return KRB5KDC_ERR_POLICY;
- }
+ ret = KRB5KDC_ERR_POLICY;
+ else
+ ret = KRB5KDC_ERR_POLICY;
- return 0;
+ samba_kdc_build_edata_reply(tmp_ctx, e_data, nt_status);
+
+ return ret;
 }
-- cgit
From 9e6b0c28712ee77ce878809c8576826a3ba08d95 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 19 Mar 2008 10:17:42 +1100
Subject: Merge lorikeet-heimdal -r 787 into Samba4 tree.

Andrew Bartlett

(This used to be commit d88b530522d3cef67c24422bd5182fb875d87ee2)
---
 source4/kdc/kdc.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'source4/kdc')
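Review bot: The `else if` chain assigns the same code to each pair of NTSTATUS values, and the `NT_STATUS_INVALID_WORKSTATION` branch yields the same `KRB5KDC_ERR_POLICY` as the trailing `else`, so the mapping could be written once per result: `if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_MUST_CHANGE) || NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_EXPIRED)) ret = KRB5KDC_ERR_KEY_EXPIRED;`, the four CLIENT_REVOKED cases grouped the same way, and a plain `else ret = KRB5KDC_ERR_POLICY;`. Because the e-data now carries the exact NT status to a client that has not yet authenticated, a one-line comment above the `samba_kdc_build_edata_reply` call saying that this mirrors the Windows KDC so the client can show the matching dialog would make the disclosure read as intended rather than as an oversight. samba_kdc_check_client_access begins outside this hunk; `tmp_ctx` and `e_data` come from that part.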
diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c
index 92a5dc26e0..72b5bb14a9 100644
--- a/source4/kdc/kdc.c
+++ b/source4/kdc/kdc.c
@@ -639,9 +639,9 @@ static void kdc_task_init(struct task_server *task)
 }
 /* Registar WinDC hooks */
- ret = _krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
- PLUGIN_TYPE_DATA, "windc",
- &windc_plugin_table);
+ ret = krb5_plugin_register(kdc->smb_krb5_context->krb5_context,
+ PLUGIN_TYPE_DATA, "windc",
+ &windc_plugin_table);
 if(ret) {
 task_server_terminate(task, "kdc: failed to register hdb keytab");
 return;
-- cgit
From a08e951eb8e27ff015e1332295ad0df2b8c11b73 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 19 Mar 2008 11:15:04 +1100
Subject: Remove unused variable.

(This used to be commit 1de21f5fdd9e377801af25b7ce461bdf7a16e1de)
---
 source4/kdc/pac-glue.c | 1 -
 1 file changed, 1 deletion(-)
(limited to 'source4/kdc')
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index f65bd67ab1..1c68d4c37d 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -227,7 +227,6 @@ static void samba_kdc_build_edata_reply(TALLOC_CTX *tmp_ctx, krb5_data *e_data,
 unsigned char *buf;
 size_t len;
 krb5_error_code ret = 0;
- uint32_t *tmp;
 if (!e_data)
 return;
-- cgit
From dc49ae599eacd6c118dc355609bca657b05c5dee Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Tue, 25 Mar 2008 15:25:13 +1100
Subject: Remove useless extra argument to samdb_result_account_expires().

Andrew Bartlett

(This used to be commit bc607c334ff86624b891886a6f874da2bcff113e)
---
 source4/kdc/hdb-ldb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'source4/kdc')
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index bc5a45ae2b..d983b77b40 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -510,7 +510,7 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
 entry_ex->entry.valid_start = NULL;
- acct_expiry = samdb_result_account_expires(msg, 0);
+ acct_expiry = samdb_result_account_expires(msg);
 if (acct_expiry == 0x7FFFFFFFFFFFFFFFULL) {
 entry_ex->entry.valid_end = NULL;
 } else {
-- cgit