Line data Source code
1 : /*
2 : * Copyright (c) 1999-2001, 2003, PADL Software Pty Ltd.
3 : * Copyright (c) 2004-2009, Andrew Bartlett <abartlet@samba.org>.
4 : * Copyright (c) 2004, Stefan Metzmacher <metze@samba.org>
5 : * All rights reserved.
6 : *
7 : * Redistribution and use in source and binary forms, with or without
8 : * modification, are permitted provided that the following conditions
9 : * are met:
10 : *
11 : * 1. Redistributions of source code must retain the above copyright
12 : * notice, this list of conditions and the following disclaimer.
13 : *
14 : * 2. Redistributions in binary form must reproduce the above copyright
15 : * notice, this list of conditions and the following disclaimer in the
16 : * documentation and/or other materials provided with the distribution.
17 : *
18 : * 3. Neither the name of PADL Software nor the names of its contributors
19 : * may be used to endorse or promote products derived from this software
20 : * without specific prior written permission.
21 : *
22 : * THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS ``AS IS'' AND
23 : * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 : * ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE
26 : * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 : * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 : * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 : * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 : * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 : * SUCH DAMAGE.
33 : */
34 :
35 : #include "includes.h"
36 : #include "kdc/kdc-glue.h"
37 : #include "kdc/db-glue.h"
38 : #include "kdc/pac-glue.h"
39 : #include "auth/auth_sam.h"
40 : #include "auth/common_auth.h"
41 : #include "auth/authn_policy.h"
42 : #include <ldb.h>
43 : #include "sdb.h"
44 : #include "sdb_hdb.h"
45 : #include "dsdb/samdb/samdb.h"
46 : #include "param/param.h"
47 : #include "../lib/tsocket/tsocket.h"
48 : #include "librpc/gen_ndr/ndr_winbind_c.h"
49 : #include "lib/messaging/irpc.h"
50 : #include "hdb.h"
51 : #include <kdc-audit.h>
52 : #include <kdc-plugin.h>
53 :
54 : #undef DBGC_CLASS
55 : #define DBGC_CLASS DBGC_KERBEROS
56 :
57 305935 : static krb5_error_code hdb_samba4_open(krb5_context context, HDB *db, int flags, mode_t mode)
58 : {
59 305935 : if (db->hdb_master_key_set) {
60 0 : krb5_error_code ret = HDB_ERR_NOENTRY;
61 0 : krb5_warnx(context, "hdb_samba4_open: use of a master key incompatible with LDB\n");
62 0 : krb5_set_error_message(context, ret, "hdb_samba4_open: use of a master key incompatible with LDB\n");
63 0 : return ret;
64 : }
65 :
66 295793 : return 0;
67 : }
68 :
69 305935 : static krb5_error_code hdb_samba4_close(krb5_context context, HDB *db)
70 : {
71 305935 : return 0;
72 : }
73 :
74 0 : static krb5_error_code hdb_samba4_lock(krb5_context context, HDB *db, int operation)
75 : {
76 0 : return 0;
77 : }
78 :
79 0 : static krb5_error_code hdb_samba4_unlock(krb5_context context, HDB *db)
80 : {
81 0 : return 0;
82 : }
83 :
84 0 : static krb5_error_code hdb_samba4_rename(krb5_context context, HDB *db, const char *new_name)
85 : {
86 0 : return HDB_ERR_DB_INUSE;
87 : }
88 :
89 0 : static krb5_error_code hdb_samba4_store(krb5_context context, HDB *db, unsigned flags, hdb_entry *entry)
90 : {
91 0 : return HDB_ERR_DB_INUSE;
92 : }
93 :
94 : /*
95 : * If we ever want kadmin to work fast, we might try and reopen the
96 : * ldb with LDB_NOSYNC
97 : */
98 0 : static krb5_error_code hdb_samba4_set_sync(krb5_context context, struct HDB *db, int set_sync)
99 : {
100 0 : return 0;
101 : }
102 :
103 305571 : static void hdb_samba4_free_entry_context(krb5_context context, struct HDB *db, hdb_entry *entry)
104 : {
105 : /*
106 : * This function is now called for every HDB entry, not just those with
107 : * 'context' set, so we have to check that the context is not NULL.
108 : */
109 305571 : if (entry->context != NULL) {
110 10142 : struct samba_kdc_entry *skdc_entry =
111 300083 : talloc_get_type_abort(entry->context,
112 : struct samba_kdc_entry);
113 :
114 : /* this function is called only from hdb_free_entry().
115 : * Make sure we neutralize the destructor or we will
116 : * get a double free later when hdb_free_entry() will
117 : * try to call free_hdb_entry() */
118 300083 : entry->context = NULL;
119 300083 : skdc_entry->kdc_entry = NULL;
120 300083 : TALLOC_FREE(skdc_entry);
121 : }
122 305571 : }
123 :
124 0 : static krb5_error_code hdb_samba4_fetch_fast_cookie(krb5_context context,
125 : struct samba_kdc_db_context *kdc_db_ctx,
126 : hdb_entry *entry)
127 : {
128 0 : DBG_ERR("Looked up HDB entry for unsupported FX-COOKIE.\n");
129 0 : return HDB_ERR_NOENTRY;
130 : }
131 :
132 306025 : static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db,
133 : krb5_const_principal principal,
134 : unsigned flags,
135 : krb5_kvno kvno,
136 : hdb_entry *entry)
137 : {
138 10142 : struct samba_kdc_db_context *kdc_db_ctx;
139 306025 : struct sdb_entry sentry = {};
140 10142 : krb5_error_code code, ret;
141 10142 : uint32_t sflags;
142 :
143 306025 : kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
144 : struct samba_kdc_db_context);
145 :
146 306025 : if (flags & HDB_F_GET_FAST_COOKIE) {
147 0 : return hdb_samba4_fetch_fast_cookie(context,
148 : kdc_db_ctx,
149 : entry);
150 : }
151 :
152 306025 : sflags = (flags & SDB_F_HDB_MASK);
153 :
154 306025 : ret = samba_kdc_fetch(context,
155 : kdc_db_ctx,
156 : principal,
157 : sflags,
158 : kvno,
159 : &sentry);
160 306025 : switch (ret) {
161 290395 : case 0:
162 290395 : code = 0;
163 290395 : break;
164 862 : case SDB_ERR_WRONG_REALM:
165 : /*
166 : * If SDB_ERR_WRONG_REALM is returned we need to process the
167 : * sdb_entry to fill the principal in the HDB entry.
168 : */
169 862 : code = HDB_ERR_WRONG_REALM;
170 862 : break;
171 1606 : case SDB_ERR_NOENTRY:
172 1606 : return HDB_ERR_NOENTRY;
173 3020 : case SDB_ERR_NOT_FOUND_HERE:
174 3020 : return HDB_ERR_NOT_FOUND_HERE;
175 0 : default:
176 0 : return ret;
177 : }
178 :
179 301399 : ret = sdb_entry_to_hdb_entry(context, &sentry, entry);
180 301399 : sdb_entry_free(&sentry);
181 :
182 301399 : if (code == 0) {
183 300537 : code = ret;
184 : }
185 :
186 291257 : return code;
187 : }
188 :
189 68 : static krb5_error_code hdb_samba4_kpasswd_fetch_kvno(krb5_context context, HDB *db,
190 : krb5_const_principal _principal,
191 : unsigned flags,
192 : krb5_kvno _kvno,
193 : hdb_entry *entry)
194 : {
195 68 : struct samba_kdc_db_context *kdc_db_ctx = NULL;
196 0 : krb5_error_code ret;
197 68 : krb5_principal kpasswd_principal = NULL;
198 :
199 68 : kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
200 : struct samba_kdc_db_context);
201 :
202 68 : ret = smb_krb5_make_principal(context, &kpasswd_principal,
203 : lpcfg_realm(kdc_db_ctx->lp_ctx),
204 : "kadmin", "changepw",
205 : NULL);
206 68 : if (ret) {
207 0 : return ret;
208 : }
209 68 : smb_krb5_principal_set_type(context, kpasswd_principal, KRB5_NT_SRV_INST);
210 :
211 : /*
212 : * For the kpasswd service, always ensure we get the latest kvno. This
213 : * also means we (correctly) refuse RODC-issued tickets.
214 : */
215 68 : flags &= ~HDB_F_KVNO_SPECIFIED;
216 :
217 : /* Don't bother looking up a client or krbtgt. */
218 68 : flags &= ~(HDB_F_GET_CLIENT|HDB_F_GET_KRBTGT);
219 :
220 68 : ret = hdb_samba4_fetch_kvno(context, db,
221 : kpasswd_principal,
222 : flags,
223 : 0,
224 : entry);
225 :
226 68 : krb5_free_principal(context, kpasswd_principal);
227 68 : return ret;
228 : }
229 :
230 0 : static krb5_error_code hdb_samba4_firstkey(krb5_context context, HDB *db, unsigned flags,
231 : hdb_entry *entry)
232 : {
233 0 : struct samba_kdc_db_context *kdc_db_ctx;
234 0 : struct sdb_entry sentry = {};
235 0 : krb5_error_code ret;
236 :
237 0 : kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
238 : struct samba_kdc_db_context);
239 :
240 0 : ret = samba_kdc_firstkey(context, kdc_db_ctx, &sentry);
241 0 : switch (ret) {
242 0 : case 0:
243 0 : break;
244 0 : case SDB_ERR_WRONG_REALM:
245 0 : return HDB_ERR_WRONG_REALM;
246 0 : case SDB_ERR_NOENTRY:
247 0 : return HDB_ERR_NOENTRY;
248 0 : case SDB_ERR_NOT_FOUND_HERE:
249 0 : return HDB_ERR_NOT_FOUND_HERE;
250 0 : default:
251 0 : return ret;
252 : }
253 :
254 0 : ret = sdb_entry_to_hdb_entry(context, &sentry, entry);
255 0 : sdb_entry_free(&sentry);
256 0 : return ret;
257 : }
258 :
259 0 : static krb5_error_code hdb_samba4_nextkey(krb5_context context, HDB *db, unsigned flags,
260 : hdb_entry *entry)
261 : {
262 0 : struct samba_kdc_db_context *kdc_db_ctx;
263 0 : struct sdb_entry sentry = {};
264 0 : krb5_error_code ret;
265 :
266 0 : kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
267 : struct samba_kdc_db_context);
268 :
269 0 : ret = samba_kdc_nextkey(context, kdc_db_ctx, &sentry);
270 0 : switch (ret) {
271 0 : case 0:
272 0 : break;
273 0 : case SDB_ERR_WRONG_REALM:
274 0 : return HDB_ERR_WRONG_REALM;
275 0 : case SDB_ERR_NOENTRY:
276 0 : return HDB_ERR_NOENTRY;
277 0 : case SDB_ERR_NOT_FOUND_HERE:
278 0 : return HDB_ERR_NOT_FOUND_HERE;
279 0 : default:
280 0 : return ret;
281 : }
282 :
283 0 : ret = sdb_entry_to_hdb_entry(context, &sentry, entry);
284 0 : sdb_entry_free(&sentry);
285 0 : return ret;
286 : }
287 :
288 0 : static krb5_error_code hdb_samba4_nextkey_panic(krb5_context context, HDB *db,
289 : unsigned flags,
290 : hdb_entry *entry)
291 : {
292 0 : DBG_ERR("Attempt to iterate kpasswd keytab => PANIC\n");
293 0 : smb_panic("hdb_samba4_nextkey_panic: Attempt to iterate kpasswd keytab");
294 : }
295 :
296 68 : static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db)
297 : {
298 68 : talloc_free(db);
299 68 : return 0;
300 : }
301 :
302 : static krb5_error_code
303 146 : hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db,
304 : hdb_entry *entry,
305 : krb5_const_principal target_principal)
306 : {
307 146 : struct samba_kdc_db_context *kdc_db_ctx = NULL;
308 146 : struct samba_kdc_entry *skdc_entry = NULL;
309 :
310 146 : kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
311 : struct samba_kdc_db_context);
312 146 : skdc_entry = talloc_get_type_abort(entry->context,
313 : struct samba_kdc_entry);
314 :
315 146 : return samba_kdc_check_s4u2proxy(context, kdc_db_ctx,
316 : skdc_entry,
317 : target_principal);
318 : }
319 :
320 : static krb5_error_code
321 136 : hdb_samba4_check_rbcd(krb5_context context, HDB *db,
322 : const hdb_entry *client_krbtgt,
323 : const hdb_entry *client,
324 : const hdb_entry *device_krbtgt,
325 : const hdb_entry *device,
326 : krb5_const_principal server_principal,
327 : krb5_const_pac header_pac,
328 : krb5_const_pac device_pac,
329 : const hdb_entry *proxy)
330 : {
331 136 : struct samba_kdc_db_context *kdc_db_ctx = NULL;
332 136 : struct samba_kdc_entry *client_skdc_entry = NULL;
333 136 : const struct samba_kdc_entry *client_krbtgt_skdc_entry = NULL;
334 136 : struct samba_kdc_entry *proxy_skdc_entry = NULL;
335 136 : const struct auth_user_info_dc *client_info = NULL;
336 136 : const struct auth_user_info_dc *device_info = NULL;
337 136 : struct samba_kdc_entry_pac client_pac_entry = {};
338 136 : struct auth_claims auth_claims = {};
339 136 : TALLOC_CTX *mem_ctx = NULL;
340 0 : krb5_error_code code;
341 :
342 136 : kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
343 : struct samba_kdc_db_context);
344 136 : client_skdc_entry = talloc_get_type_abort(client->context,
345 : struct samba_kdc_entry);
346 136 : client_krbtgt_skdc_entry = talloc_get_type_abort(client_krbtgt->context,
347 : struct samba_kdc_entry);
348 136 : proxy_skdc_entry = talloc_get_type_abort(proxy->context,
349 : struct samba_kdc_entry);
350 :
351 136 : mem_ctx = talloc_new(kdc_db_ctx);
352 136 : if (mem_ctx == NULL) {
353 0 : return ENOMEM;
354 : }
355 :
356 136 : client_pac_entry = samba_kdc_entry_pac(header_pac,
357 : client_skdc_entry,
358 136 : samba_kdc_entry_is_trust(client_krbtgt_skdc_entry));
359 :
360 136 : code = samba_kdc_get_user_info_dc(mem_ctx,
361 : context,
362 : kdc_db_ctx->samdb,
363 : client_pac_entry,
364 : &client_info,
365 : NULL /* resource_groups_out */);
366 136 : if (code != 0) {
367 0 : goto out;
368 : }
369 :
370 136 : code = samba_kdc_get_claims_data(mem_ctx,
371 : context,
372 : kdc_db_ctx->samdb,
373 : client_pac_entry,
374 : &auth_claims.user_claims);
375 136 : if (code) {
376 0 : goto out;
377 : }
378 :
379 136 : if (device != NULL) {
380 90 : struct samba_kdc_entry *device_skdc_entry = NULL;
381 90 : const struct samba_kdc_entry *device_krbtgt_skdc_entry = NULL;
382 90 : struct samba_kdc_entry_pac device_pac_entry = {};
383 :
384 90 : device_skdc_entry = talloc_get_type_abort(device->context,
385 : struct samba_kdc_entry);
386 :
387 90 : if (device_krbtgt != NULL) {
388 90 : device_krbtgt_skdc_entry = talloc_get_type_abort(device_krbtgt->context,
389 : struct samba_kdc_entry);
390 : }
391 :
392 90 : device_pac_entry = samba_kdc_entry_pac(device_pac,
393 : device_skdc_entry,
394 90 : samba_kdc_entry_is_trust(device_krbtgt_skdc_entry));
395 :
396 90 : code = samba_kdc_get_user_info_dc(mem_ctx,
397 : context,
398 : kdc_db_ctx->samdb,
399 : device_pac_entry,
400 : &device_info,
401 : NULL /* resource_groups_out */);
402 90 : if (code) {
403 0 : goto out;
404 : }
405 :
406 90 : code = samba_kdc_get_claims_data(mem_ctx,
407 : context,
408 : kdc_db_ctx->samdb,
409 : device_pac_entry,
410 : &auth_claims.device_claims);
411 90 : if (code) {
412 0 : goto out;
413 : }
414 : }
415 :
416 136 : code = samba_kdc_check_s4u2proxy_rbcd(context,
417 : kdc_db_ctx,
418 136 : client->principal,
419 : server_principal,
420 : client_info,
421 : device_info,
422 : auth_claims,
423 : proxy_skdc_entry);
424 136 : out:
425 136 : talloc_free(mem_ctx);
426 136 : return code;
427 : }
428 :
429 : static krb5_error_code
430 43 : hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db,
431 : hdb_entry *entry,
432 : krb5_const_principal certificate_principal)
433 : {
434 0 : struct samba_kdc_db_context *kdc_db_ctx;
435 0 : struct samba_kdc_entry *skdc_entry;
436 0 : krb5_error_code ret;
437 :
438 43 : kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
439 : struct samba_kdc_db_context);
440 43 : skdc_entry = talloc_get_type_abort(entry->context,
441 : struct samba_kdc_entry);
442 :
443 43 : ret = samba_kdc_check_pkinit_ms_upn_match(context, kdc_db_ctx,
444 : skdc_entry,
445 : certificate_principal);
446 43 : switch (ret) {
447 41 : case 0:
448 41 : break;
449 0 : case SDB_ERR_WRONG_REALM:
450 0 : ret = HDB_ERR_WRONG_REALM;
451 0 : break;
452 0 : case SDB_ERR_NOENTRY:
453 0 : ret = HDB_ERR_NOENTRY;
454 0 : break;
455 0 : case SDB_ERR_NOT_FOUND_HERE:
456 0 : ret = HDB_ERR_NOT_FOUND_HERE;
457 0 : break;
458 2 : default:
459 2 : break;
460 : }
461 :
462 43 : return ret;
463 : }
464 :
465 : static krb5_error_code
466 950 : hdb_samba4_check_client_matches_target_service(krb5_context context, HDB *db,
467 : hdb_entry *client_entry,
468 : hdb_entry *server_target_entry)
469 : {
470 0 : struct samba_kdc_entry *skdc_client_entry
471 950 : = talloc_get_type_abort(client_entry->context,
472 : struct samba_kdc_entry);
473 0 : struct samba_kdc_entry *skdc_server_target_entry
474 950 : = talloc_get_type_abort(server_target_entry->context,
475 : struct samba_kdc_entry);
476 :
477 950 : return samba_kdc_check_client_matches_target_service(context,
478 : skdc_client_entry,
479 : skdc_server_target_entry);
480 : }
481 :
482 8 : static void reset_bad_password_netlogon(TALLOC_CTX *mem_ctx,
483 : struct samba_kdc_db_context *kdc_db_ctx,
484 : struct netr_SendToSamBase *send_to_sam)
485 : {
486 0 : struct dcerpc_binding_handle *irpc_handle;
487 0 : struct winbind_SendToSam req;
488 8 : struct tevent_req *subreq = NULL;
489 :
490 8 : irpc_handle = irpc_binding_handle_by_name(mem_ctx, kdc_db_ctx->msg_ctx,
491 : "winbind_server",
492 : &ndr_table_winbind);
493 :
494 8 : if (irpc_handle == NULL) {
495 0 : DBG_ERR("No winbind_server running!\n");
496 0 : return;
497 : }
498 :
499 8 : req.in.message = *send_to_sam;
500 :
501 : /*
502 : * This seem to rely on the current IRPC implementation,
503 : * which delivers the message in the _send function.
504 : *
505 : * TODO: we need a ONE_WAY IRPC handle and register
506 : * a callback and wait for it to be triggered!
507 : */
508 8 : subreq = dcerpc_winbind_SendToSam_r_send(mem_ctx, kdc_db_ctx->ev_ctx,
509 : irpc_handle, &req);
510 :
511 : /* we aren't interested in a reply */
512 8 : TALLOC_FREE(subreq);
513 : }
514 :
515 : #define SAMBA_HDB_AUTHN_AUDIT_INFO_OBJ "samba:authn_audit_info_obj"
516 : #define SAMBA_HDB_CLIENT_AUDIT_INFO "samba:client_audit_info"
517 : #define SAMBA_HDB_SERVER_AUDIT_INFO "samba:server_audit_info"
518 :
519 : #define SAMBA_HDB_NT_STATUS_OBJ "samba:nt_status_obj"
520 : #define SAMBA_HDB_NT_STATUS "samba:nt_status"
521 :
522 : struct hdb_audit_info_obj {
523 : struct authn_audit_info *audit_info;
524 : };
525 :
526 559 : static void hdb_audit_info_obj_dealloc(void *ptr)
527 : {
528 559 : struct hdb_audit_info_obj *audit_info_obj = ptr;
529 :
530 559 : if (audit_info_obj == NULL) {
531 0 : return;
532 : }
533 :
534 559 : TALLOC_FREE(audit_info_obj->audit_info);
535 : }
536 :
537 : /*
538 : * Set talloc-allocated auditing information of the KDC request. On success,
539 : * ‘audit_info’ is invalidated and may no longer be used by the caller.
540 : */
541 559 : static krb5_error_code hdb_samba4_set_steal_audit_info(astgs_request_t r,
542 : const char *key,
543 : struct authn_audit_info *audit_info)
544 : {
545 559 : struct hdb_audit_info_obj *audit_info_obj = NULL;
546 :
547 559 : audit_info_obj = kdc_object_alloc(sizeof (*audit_info_obj),
548 : SAMBA_HDB_AUTHN_AUDIT_INFO_OBJ,
549 : hdb_audit_info_obj_dealloc);
550 559 : if (audit_info_obj == NULL) {
551 0 : return ENOMEM;
552 : }
553 :
554 : /*
555 : * Steal a handle to the audit information onto the NULL context —
556 : * Heimdal will be responsible for the deallocation of the object.
557 : */
558 559 : audit_info_obj->audit_info = talloc_steal(NULL, audit_info);
559 :
560 559 : heim_audit_setkv_object((heim_svc_req_desc)r, key, audit_info_obj);
561 559 : heim_release(audit_info_obj);
562 :
563 559 : return 0;
564 : }
565 :
566 : /*
567 : * Set talloc-allocated client auditing information of the KDC request. On
568 : * success, ‘client_audit_info’ is invalidated and may no longer be used by the
569 : * caller.
570 : */
571 397 : krb5_error_code hdb_samba4_set_steal_client_audit_info(astgs_request_t r,
572 : struct authn_audit_info *client_audit_info)
573 : {
574 397 : return hdb_samba4_set_steal_audit_info(r,
575 : SAMBA_HDB_CLIENT_AUDIT_INFO,
576 : client_audit_info);
577 : }
578 :
579 30664 : static const struct authn_audit_info *hdb_samba4_get_client_audit_info(hdb_request_t r)
580 : {
581 30664 : const struct hdb_audit_info_obj *audit_info_obj = NULL;
582 :
583 31834 : audit_info_obj = heim_audit_getkv((heim_svc_req_desc)r, SAMBA_HDB_CLIENT_AUDIT_INFO);
584 30664 : if (audit_info_obj == NULL) {
585 29100 : return NULL;
586 : }
587 :
588 394 : return audit_info_obj->audit_info;
589 : }
590 :
591 : /*
592 : * Set talloc-allocated server auditing information of the KDC request. On
593 : * success, ‘server_audit_info’ is invalidated and may no longer be used by the
594 : * caller.
595 : */
596 162 : krb5_error_code hdb_samba4_set_steal_server_audit_info(astgs_request_t r,
597 : struct authn_audit_info *server_audit_info)
598 : {
599 162 : return hdb_samba4_set_steal_audit_info(r,
600 : SAMBA_HDB_SERVER_AUDIT_INFO,
601 : server_audit_info);
602 : }
603 :
604 81886 : static const struct authn_audit_info *hdb_samba4_get_server_audit_info(hdb_request_t r)
605 : {
606 81886 : const struct hdb_audit_info_obj *audit_info_obj = NULL;
607 :
608 84714 : audit_info_obj = heim_audit_getkv((heim_svc_req_desc)r, SAMBA_HDB_SERVER_AUDIT_INFO);
609 81886 : if (audit_info_obj == NULL) {
610 78896 : return NULL;
611 : }
612 :
613 162 : return audit_info_obj->audit_info;
614 : }
615 :
616 : struct hdb_ntstatus_obj {
617 : NTSTATUS status;
618 : krb5_error_code current_error;
619 : };
620 :
621 : /*
622 : * Add an NTSTATUS code to a Kerberos request. ‘error’ is the error value we
623 : * want to return to the client. When it comes time to generating the error
624 : * request, we shall compare this error value to whatever error we are about to
625 : * return; if the two match, we shall replace the ‘e-data’ field in the reply
626 : * with the NTSTATUS code.
627 : */
628 104 : krb5_error_code hdb_samba4_set_ntstatus(astgs_request_t r,
629 : const NTSTATUS status,
630 : const krb5_error_code error)
631 : {
632 104 : struct hdb_ntstatus_obj *status_obj = NULL;
633 :
634 104 : status_obj = kdc_object_alloc(sizeof (*status_obj),
635 : SAMBA_HDB_NT_STATUS_OBJ,
636 : NULL);
637 104 : if (status_obj == NULL) {
638 0 : return ENOMEM;
639 : }
640 :
641 104 : *status_obj = (struct hdb_ntstatus_obj) {
642 : .status = status,
643 : .current_error = error,
644 : };
645 :
646 104 : heim_audit_setkv_object((heim_svc_req_desc)r, SAMBA_HDB_NT_STATUS, status_obj);
647 104 : heim_release(status_obj);
648 :
649 104 : return 0;
650 : }
651 :
652 107 : static krb5_error_code hdb_samba4_make_nt_status_edata(const NTSTATUS status,
653 : const uint32_t flags,
654 : krb5_data *edata_out)
655 : {
656 107 : const uint32_t status_code = NT_STATUS_V(status);
657 107 : const uint32_t zero = 0;
658 0 : KERB_ERROR_DATA error_data;
659 0 : krb5_data e_data;
660 :
661 0 : krb5_error_code ret;
662 0 : size_t size;
663 :
664 : /* The raw KERB-ERR-TYPE-EXTENDED structure. */
665 0 : uint8_t data[12];
666 :
667 107 : PUSH_LE_U32(data, 0, status_code);
668 107 : PUSH_LE_U32(data, 4, zero);
669 107 : PUSH_LE_U32(data, 8, flags);
670 :
671 107 : e_data = (krb5_data) {
672 : .data = &data,
673 : .length = sizeof(data),
674 : };
675 :
676 107 : error_data = (KERB_ERROR_DATA) {
677 : .data_type = kERB_ERR_TYPE_EXTENDED,
678 : .data_value = &e_data,
679 : };
680 :
681 107 : ASN1_MALLOC_ENCODE(KERB_ERROR_DATA,
682 : edata_out->data, edata_out->length,
683 : &error_data,
684 : &size, ret);
685 107 : if (ret) {
686 0 : return ret;
687 : }
688 107 : if (size != edata_out->length) {
689 : /* Internal ASN.1 encoder error */
690 0 : krb5_data_free(edata_out);
691 0 : return KRB5KRB_ERR_GENERIC;
692 : }
693 :
694 107 : return 0;
695 : }
696 :
697 107 : static krb5_error_code hdb_samba4_set_edata_from_ntstatus(hdb_request_t r, const NTSTATUS status)
698 : {
699 107 : const KDC_REQ *req = kdc_request_get_req((astgs_request_t)r);
700 107 : krb5_error_code ret = 0;
701 0 : krb5_data e_data;
702 107 : uint32_t flags = 1;
703 :
704 107 : if (req->msg_type == krb_tgs_req) {
705 : /* This flag is used to indicate a TGS-REQ. */
706 63 : flags |= 2;
707 : }
708 :
709 107 : ret = hdb_samba4_make_nt_status_edata(status, flags, &e_data);
710 107 : if (ret) {
711 0 : return ret;
712 : }
713 :
714 107 : ret = kdc_request_set_e_data((astgs_request_t)r, e_data);
715 107 : if (ret) {
716 0 : krb5_data_free(&e_data);
717 : }
718 :
719 107 : return ret;
720 : }
721 :
722 84263 : static NTSTATUS hdb_samba4_get_ntstatus(hdb_request_t r)
723 : {
724 84263 : struct hdb_ntstatus_obj *status_obj = NULL;
725 :
726 84263 : status_obj = heim_audit_getkv((heim_svc_req_desc)r, SAMBA_HDB_NT_STATUS);
727 84263 : if (status_obj == NULL) {
728 84159 : return NT_STATUS_OK;
729 : }
730 :
731 104 : if (r->error_code != status_obj->current_error) {
732 : /*
733 : * The error code has changed from what we expect. Consider the
734 : * NTSTATUS to be invalidated.
735 : */
736 0 : return NT_STATUS_OK;
737 : }
738 :
739 104 : return status_obj->status;
740 : }
741 :
742 51222 : static krb5_error_code hdb_samba4_tgs_audit(const struct samba_kdc_db_context *kdc_db_ctx,
743 : const hdb_entry *entry,
744 : hdb_request_t r)
745 : {
746 51222 : TALLOC_CTX *frame = talloc_stackframe();
747 51222 : const struct authn_audit_info *server_audit_info = NULL;
748 51222 : struct tsocket_address *remote_host = NULL;
749 51222 : struct samba_kdc_entry *client_entry = NULL;
750 51222 : struct dom_sid sid_buf = {};
751 51222 : const char *account_name = NULL;
752 51222 : const char *domain_name = NULL;
753 51222 : const struct dom_sid *sid = NULL;
754 51222 : size_t sa_socklen = 0;
755 51222 : NTSTATUS auth_status = NT_STATUS_OK;
756 51222 : krb5_error_code ret = 0;
757 51222 : krb5_error_code final_ret = 0;
758 :
759 : /* Have we got a status code indicating an error? */
760 51222 : auth_status = hdb_samba4_get_ntstatus(r);
761 51222 : if (!NT_STATUS_IS_OK(auth_status)) {
762 : /*
763 : * Include this status code in the ‘e-data’ field of the reply.
764 : */
765 63 : ret = hdb_samba4_set_edata_from_ntstatus(r, auth_status);
766 63 : if (ret) {
767 0 : final_ret = ret;
768 : }
769 51159 : } else if (entry == NULL) {
770 2844 : auth_status = NT_STATUS_NO_SUCH_USER;
771 48315 : } else if (r->error_code) {
772 : /*
773 : * Don’t include a status code in the reply. Just log the
774 : * request as being unsuccessful.
775 : */
776 233 : auth_status = NT_STATUS_UNSUCCESSFUL;
777 : }
778 :
779 51222 : switch (r->addr->sa_family) {
780 51222 : case AF_INET:
781 51222 : sa_socklen = sizeof(struct sockaddr_in);
782 51222 : break;
783 : #ifdef HAVE_IPV6
784 0 : case AF_INET6:
785 0 : sa_socklen = sizeof(struct sockaddr_in6);
786 0 : break;
787 : #endif
788 : }
789 :
790 51222 : ret = tsocket_address_bsd_from_sockaddr(frame, r->addr,
791 : sa_socklen,
792 : &remote_host);
793 51222 : if (ret != 0) {
794 0 : remote_host = NULL;
795 : /* Ignore the error. */
796 : }
797 :
798 51222 : server_audit_info = hdb_samba4_get_server_audit_info(r);
799 :
800 51222 : if (entry != NULL) {
801 48378 : client_entry = talloc_get_type_abort(entry->context,
802 : struct samba_kdc_entry);
803 :
804 48378 : ret = samdb_result_dom_sid_buf(client_entry->msg, "objectSid", &sid_buf);
805 48378 : if (ret) {
806 : /* Ignore the error. */
807 : } else {
808 48378 : sid = &sid_buf;
809 : }
810 :
811 48378 : account_name = ldb_msg_find_attr_as_string(client_entry->msg, "sAMAccountName", NULL);
812 48378 : domain_name = lpcfg_sam_name(kdc_db_ctx->lp_ctx);
813 : }
814 :
815 51222 : log_authz_event(kdc_db_ctx->msg_ctx,
816 51222 : kdc_db_ctx->lp_ctx,
817 : remote_host,
818 : NULL /* local */,
819 : server_audit_info,
820 51222 : r->sname,
821 : "TGS-REQ with Ticket-Granting Ticket",
822 : domain_name,
823 : account_name,
824 : sid,
825 51222 : lpcfg_netbios_name(kdc_db_ctx->lp_ctx),
826 : krb5_kdc_get_time(),
827 : auth_status);
828 :
829 51222 : talloc_free(frame);
830 51222 : if (final_ret) {
831 0 : r->error_code = final_ret;
832 : }
833 51222 : return final_ret;
834 : }
835 :
836 102025 : static krb5_error_code hdb_samba4_audit(krb5_context context,
837 : HDB *db,
838 : hdb_entry *entry,
839 : hdb_request_t r)
840 : {
841 102025 : struct samba_kdc_db_context *kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
842 : struct samba_kdc_db_context);
843 102025 : struct ldb_dn *domain_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
844 102025 : heim_object_t auth_details_obj = NULL;
845 102025 : const char *auth_details = NULL;
846 102025 : char *etype_str = NULL;
847 102025 : heim_object_t hdb_auth_status_obj = NULL;
848 3413 : int hdb_auth_status;
849 102025 : heim_object_t pa_type_obj = NULL;
850 102025 : const char *pa_type = NULL;
851 3413 : struct auth_usersupplied_info ui;
852 102025 : size_t sa_socklen = 0;
853 102025 : const KDC_REQ *req = kdc_request_get_req((astgs_request_t)r);
854 102025 : krb5_error_code final_ret = 0;
855 3413 : NTSTATUS edata_status;
856 :
857 102025 : if (req->msg_type == krb_tgs_req) {
858 51222 : return hdb_samba4_tgs_audit(kdc_db_ctx, entry, r);
859 : }
860 :
861 50803 : if (r->error_code == KRB5KDC_ERR_PREAUTH_REQUIRED) {
862 : /* Let’s not log PREAUTH_REQUIRED errors. */
863 17177 : return 0;
864 : }
865 :
866 33041 : edata_status = hdb_samba4_get_ntstatus(r);
867 :
868 33041 : hdb_auth_status_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_AUTH_EVENT);
869 33041 : if (hdb_auth_status_obj == NULL) {
870 : /* No status code found, so just return. */
871 1928 : return 0;
872 : }
873 :
874 31113 : hdb_auth_status = heim_number_get_int(hdb_auth_status_obj);
875 :
876 31113 : pa_type_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_PA_NAME);
877 31113 : if (pa_type_obj != NULL) {
878 30053 : pa_type = heim_string_get_utf8(pa_type_obj);
879 : }
880 :
881 31113 : auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_PKINIT_CLIENT_CERT);
882 31113 : if (auth_details_obj != NULL) {
883 41 : auth_details = heim_string_get_utf8(auth_details_obj);
884 : } else {
885 31072 : auth_details_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_GSS_INITIATOR);
886 31072 : if (auth_details_obj != NULL) {
887 0 : auth_details = heim_string_get_utf8(auth_details_obj);
888 : } else {
889 31072 : heim_object_t etype_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_PA_ETYPE);
890 31072 : if (etype_obj != NULL) {
891 29821 : int etype = heim_number_get_int(etype_obj);
892 :
893 29821 : krb5_error_code ret = krb5_enctype_to_string(r->context, etype, &etype_str);
894 29821 : if (ret == 0) {
895 29821 : auth_details = etype_str;
896 : } else {
897 0 : auth_details = "unknown enctype";
898 : }
899 : }
900 : }
901 : }
902 :
903 : /*
904 : * Forcing this via the NTLM auth structure is not ideal, but
905 : * it is the most practical option right now, and ensures the
906 : * logs are consistent, even if some elements are always NULL.
907 : */
908 32283 : ui = (struct auth_usersupplied_info) {
909 : .was_mapped = true,
910 : .client = {
911 31113 : .account_name = r->cname,
912 : .domain_name = NULL,
913 : },
914 : .service_description = "Kerberos KDC",
915 : .auth_description = "Unknown Auth Description",
916 : .password_type = auth_details,
917 31113 : .logon_id = generate_random_u64(),
918 : };
919 :
920 31113 : switch (r->addr->sa_family) {
921 31113 : case AF_INET:
922 31113 : sa_socklen = sizeof(struct sockaddr_in);
923 31113 : break;
924 : #ifdef HAVE_IPV6
925 0 : case AF_INET6:
926 0 : sa_socklen = sizeof(struct sockaddr_in6);
927 0 : break;
928 : #endif
929 : }
930 :
931 31113 : switch (hdb_auth_status) {
932 30664 : default:
933 : {
934 30664 : TALLOC_CTX *frame = talloc_stackframe();
935 30664 : struct samba_kdc_entry *p = talloc_get_type_abort(entry->context,
936 : struct samba_kdc_entry);
937 1170 : struct dom_sid *sid
938 30664 : = samdb_result_dom_sid(frame, p->msg, "objectSid");
939 1170 : const char *account_name
940 30664 : = ldb_msg_find_attr_as_string(p->msg, "sAMAccountName", NULL);
941 30664 : const char *domain_name = lpcfg_sam_name(p->kdc_db_ctx->lp_ctx);
942 1170 : struct tsocket_address *remote_host;
943 30664 : const char *auth_description = NULL;
944 30664 : const struct authn_audit_info *client_audit_info = NULL;
945 30664 : const struct authn_audit_info *server_audit_info = NULL;
946 1170 : NTSTATUS status;
947 1170 : int ret;
948 30664 : bool rwdc_fallback = false;
949 :
950 30664 : ret = tsocket_address_bsd_from_sockaddr(frame, r->addr,
951 : sa_socklen,
952 : &remote_host);
953 30664 : if (ret != 0) {
954 0 : ui.remote_host = NULL;
955 : } else {
956 30664 : ui.remote_host = remote_host;
957 : }
958 :
959 30664 : ui.mapped.account_name = account_name;
960 30664 : ui.mapped.domain_name = domain_name;
961 :
962 30664 : if (pa_type != NULL) {
963 30053 : auth_description = talloc_asprintf(frame,
964 : "%s Pre-authentication",
965 : pa_type);
966 30053 : if (auth_description == NULL) {
967 0 : auth_description = pa_type;
968 : }
969 : } else {
970 611 : auth_description = "Unknown Pre-authentication";
971 : }
972 30664 : ui.auth_description = auth_description;
973 :
974 30664 : if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_AUTHORIZED) {
975 29709 : struct netr_SendToSamBase *send_to_sam = NULL;
976 :
977 : /*
978 : * TODO: We could log the AS-REQ authorization success here as
979 : * well. However before we do that, we need to pass
980 : * in the PAC here or re-calculate it.
981 : */
982 29709 : status = authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg,
983 : domain_dn, true, frame, &send_to_sam);
984 29709 : if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
985 0 : edata_status = status;
986 :
987 0 : r->error_code = final_ret = KRB5KDC_ERR_CLIENT_REVOKED;
988 0 : rwdc_fallback = kdc_db_ctx->rodc;
989 29709 : } else if (!NT_STATUS_IS_OK(status)) {
990 0 : r->error_code = final_ret = KRB5KDC_ERR_CLIENT_REVOKED;
991 0 : rwdc_fallback = kdc_db_ctx->rodc;
992 : } else {
993 29709 : if (r->error_code == KRB5KDC_ERR_NEVER_VALID) {
994 1 : edata_status = status = NT_STATUS_TIME_DIFFERENCE_AT_DC;
995 : } else {
996 29708 : status = krb5_to_nt_status(r->error_code);
997 : }
998 :
999 29709 : if (kdc_db_ctx->rodc && send_to_sam != NULL) {
1000 8 : reset_bad_password_netlogon(frame, kdc_db_ctx, send_to_sam);
1001 : }
1002 : }
1003 :
1004 : /* This is the final success */
1005 955 : } else if (hdb_auth_status == KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) {
1006 : /*
1007 : * This was only a pre-authentication success,
1008 : * but we didn't reach the final
1009 : * KDC_AUTH_EVENT_CLIENT_AUTHORIZED,
1010 : * so consult the error code.
1011 : */
1012 0 : if (r->error_code == 0) {
1013 0 : DBG_ERR("ERROR: VALIDATED_LONG_TERM_KEY "
1014 : "with error=0 => INTERNAL_ERROR\n");
1015 0 : status = NT_STATUS_INTERNAL_ERROR;
1016 0 : r->error_code = final_ret = KRB5KRB_ERR_GENERIC;
1017 0 : } else if (!NT_STATUS_IS_OK(p->reject_status)) {
1018 0 : status = p->reject_status;
1019 : } else {
1020 0 : status = krb5_to_nt_status(r->error_code);
1021 : }
1022 955 : } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_SUCCEEDED) {
1023 : /*
1024 : * This was only a pre-authentication success,
1025 : * but we didn't reach the final
1026 : * KDC_AUTH_EVENT_CLIENT_AUTHORIZED,
1027 : * so consult the error code.
1028 : */
1029 0 : if (r->error_code == 0) {
1030 0 : DBG_ERR("ERROR: PREAUTH_SUCCEEDED "
1031 : "with error=0 => INTERNAL_ERROR\n");
1032 0 : status = NT_STATUS_INTERNAL_ERROR;
1033 0 : r->error_code = final_ret = KRB5KRB_ERR_GENERIC;
1034 0 : } else if (!NT_STATUS_IS_OK(p->reject_status)) {
1035 0 : status = p->reject_status;
1036 : } else {
1037 0 : status = krb5_to_nt_status(r->error_code);
1038 : }
1039 955 : } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_FOUND) {
1040 : /*
1041 : * We found the client principal,
1042 : * but we didn’t reach the final
1043 : * KDC_AUTH_EVENT_CLIENT_AUTHORIZED,
1044 : * so consult the error code.
1045 : */
1046 631 : if (r->error_code == 0) {
1047 0 : DBG_ERR("ERROR: CLIENT_FOUND "
1048 : "with error=0 => INTERNAL_ERROR\n");
1049 0 : status = NT_STATUS_INTERNAL_ERROR;
1050 0 : r->error_code = final_ret = KRB5KRB_ERR_GENERIC;
1051 631 : } else if (!NT_STATUS_IS_OK(p->reject_status)) {
1052 41 : status = p->reject_status;
1053 : } else {
1054 590 : status = krb5_to_nt_status(r->error_code);
1055 : }
1056 324 : } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_TIME_SKEW) {
1057 10 : status = NT_STATUS_TIME_DIFFERENCE_AT_DC;
1058 314 : } else if (hdb_auth_status == KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY) {
1059 242 : status = authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
1060 242 : if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
1061 2 : edata_status = status;
1062 :
1063 2 : r->error_code = final_ret = KRB5KDC_ERR_CLIENT_REVOKED;
1064 : } else {
1065 240 : status = NT_STATUS_WRONG_PASSWORD;
1066 : }
1067 242 : rwdc_fallback = kdc_db_ctx->rodc;
1068 72 : } else if (hdb_auth_status == KDC_AUTH_EVENT_HISTORIC_LONG_TERM_KEY) {
1069 : /*
1070 : * The pre-authentication succeeds with a password
1071 : * from the password history, so we don't
1072 : * update the badPwdCount, but still return
1073 : * PREAUTH_FAILED and need to forward to
1074 : * a RWDC in order to produce an authoritative
1075 : * response for the client.
1076 : */
1077 70 : status = NT_STATUS_WRONG_PASSWORD;
1078 70 : rwdc_fallback = kdc_db_ctx->rodc;
1079 2 : } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_LOCKED_OUT) {
1080 0 : edata_status = status = NT_STATUS_ACCOUNT_LOCKED_OUT;
1081 0 : rwdc_fallback = kdc_db_ctx->rodc;
1082 2 : } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED) {
1083 2 : if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
1084 2 : status = NT_STATUS_PKINIT_NAME_MISMATCH;
1085 : } else {
1086 0 : status = NT_STATUS_ACCOUNT_RESTRICTION;
1087 : }
1088 2 : rwdc_fallback = kdc_db_ctx->rodc;
1089 0 : } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_FAILED) {
1090 0 : if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
1091 0 : status = NT_STATUS_PKINIT_FAILURE;
1092 : } else {
1093 0 : status = NT_STATUS_GENERIC_COMMAND_FAILED;
1094 : }
1095 0 : rwdc_fallback = kdc_db_ctx->rodc;
1096 : } else {
1097 0 : DBG_ERR("Unhandled hdb_auth_status=%d => INTERNAL_ERROR\n",
1098 : hdb_auth_status);
1099 0 : status = NT_STATUS_INTERNAL_ERROR;
1100 0 : r->error_code = final_ret = KRB5KRB_ERR_GENERIC;
1101 : }
1102 :
1103 30664 : if (!NT_STATUS_IS_OK(edata_status)) {
1104 0 : krb5_error_code code;
1105 :
1106 44 : code = hdb_samba4_set_edata_from_ntstatus(r, edata_status);
1107 44 : if (code) {
1108 0 : r->error_code = final_ret = code;
1109 : }
1110 : }
1111 :
1112 30664 : if (rwdc_fallback) {
1113 : /*
1114 : * Forward the request to an RWDC in order
1115 : * to give an authoritative answer to the client.
1116 : */
1117 20 : auth_description = talloc_asprintf(frame,
1118 : "%s,Forward-To-RWDC",
1119 : ui.auth_description);
1120 20 : if (auth_description != NULL) {
1121 20 : ui.auth_description = auth_description;
1122 : }
1123 20 : final_ret = HDB_ERR_NOT_FOUND_HERE;
1124 : }
1125 :
1126 30664 : client_audit_info = hdb_samba4_get_client_audit_info(r);
1127 30664 : server_audit_info = hdb_samba4_get_server_audit_info(r);
1128 :
1129 30664 : log_authentication_event(kdc_db_ctx->msg_ctx,
1130 : kdc_db_ctx->lp_ctx,
1131 30664 : &r->tv_start,
1132 : &ui,
1133 : status,
1134 : domain_name,
1135 : account_name,
1136 : sid,
1137 : client_audit_info,
1138 : server_audit_info);
1139 30664 : if (final_ret == KRB5KRB_ERR_GENERIC && socket_wrapper_enabled()) {
1140 : /*
1141 : * If we're running under make test
1142 : * just panic
1143 : */
1144 0 : DBG_ERR("Unexpected situation => PANIC\n");
1145 0 : smb_panic("hdb_samba4_audit: Unexpected situation");
1146 : }
1147 30664 : TALLOC_FREE(frame);
1148 30664 : break;
1149 : }
1150 449 : case KDC_AUTH_EVENT_CLIENT_UNKNOWN:
1151 : {
1152 0 : struct tsocket_address *remote_host;
1153 0 : int ret;
1154 449 : TALLOC_CTX *frame = talloc_stackframe();
1155 449 : ret = tsocket_address_bsd_from_sockaddr(frame, r->addr,
1156 : sa_socklen,
1157 : &remote_host);
1158 449 : if (ret != 0) {
1159 0 : ui.remote_host = NULL;
1160 : } else {
1161 449 : ui.remote_host = remote_host;
1162 : }
1163 :
1164 449 : if (pa_type == NULL) {
1165 449 : pa_type = "AS-REQ";
1166 : }
1167 :
1168 449 : ui.auth_description = pa_type;
1169 :
1170 : /* Note this is not forwarded to an RWDC */
1171 :
1172 449 : log_authentication_event(kdc_db_ctx->msg_ctx,
1173 : kdc_db_ctx->lp_ctx,
1174 449 : &r->tv_start,
1175 : &ui,
1176 449 : NT_STATUS_NO_SUCH_USER,
1177 : NULL, NULL,
1178 : NULL,
1179 : NULL /* client_audit_info */,
1180 : NULL /* server_audit_info */);
1181 449 : TALLOC_FREE(frame);
1182 449 : break;
1183 : }
1184 : }
1185 :
1186 31113 : free(etype_str);
1187 :
1188 31113 : return final_ret;
1189 : }
1190 :
1191 : /* This interface is to be called by the KDC and libnet_keytab_dump,
1192 : * which is expecting Samba calling conventions.
1193 : * It is also called by a wrapper (hdb_samba4_create) from the
1194 : * kpasswdd -> krb5 -> keytab_hdb -> hdb code */
1195 :
1196 161 : NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx,
1197 : krb5_context context, struct HDB **db)
1198 : {
1199 161 : struct samba_kdc_db_context *kdc_db_ctx = NULL;
1200 8 : NTSTATUS nt_status;
1201 :
1202 161 : if (hdb_interface_version != HDB_INTERFACE_VERSION) {
1203 0 : krb5_set_error_message(context, EINVAL, "Heimdal HDB interface version mismatch between build-time and run-time libraries!");
1204 0 : return NT_STATUS_ERROR_DS_INCOMPATIBLE_VERSION;
1205 : }
1206 :
1207 161 : *db = talloc_zero(base_ctx, HDB);
1208 161 : if (!*db) {
1209 0 : krb5_set_error_message(context, ENOMEM, "talloc_zero: out of memory");
1210 0 : return NT_STATUS_NO_MEMORY;
1211 : }
1212 :
1213 161 : (*db)->hdb_master_key_set = 0;
1214 161 : (*db)->hdb_db = NULL;
1215 161 : (*db)->hdb_capability_flags = HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL;
1216 :
1217 161 : nt_status = samba_kdc_setup_db_ctx(*db, base_ctx, &kdc_db_ctx);
1218 161 : if (!NT_STATUS_IS_OK(nt_status)) {
1219 0 : talloc_free(*db);
1220 0 : return nt_status;
1221 : }
1222 161 : (*db)->hdb_db = kdc_db_ctx;
1223 :
1224 161 : (*db)->hdb_dbc = NULL;
1225 161 : (*db)->hdb_open = hdb_samba4_open;
1226 161 : (*db)->hdb_close = hdb_samba4_close;
1227 161 : (*db)->hdb_free_entry_context = hdb_samba4_free_entry_context;
1228 161 : (*db)->hdb_fetch_kvno = hdb_samba4_fetch_kvno;
1229 161 : (*db)->hdb_store = hdb_samba4_store;
1230 161 : (*db)->hdb_firstkey = hdb_samba4_firstkey;
1231 161 : (*db)->hdb_nextkey = hdb_samba4_nextkey;
1232 161 : (*db)->hdb_lock = hdb_samba4_lock;
1233 161 : (*db)->hdb_unlock = hdb_samba4_unlock;
1234 161 : (*db)->hdb_set_sync = hdb_samba4_set_sync;
1235 161 : (*db)->hdb_rename = hdb_samba4_rename;
1236 : /* we don't implement these, as we are not a lockable database */
1237 161 : (*db)->hdb__get = NULL;
1238 161 : (*db)->hdb__put = NULL;
1239 : /* kadmin should not be used for deletes - use other tools instead */
1240 161 : (*db)->hdb__del = NULL;
1241 161 : (*db)->hdb_destroy = hdb_samba4_destroy;
1242 :
1243 161 : (*db)->hdb_audit = hdb_samba4_audit;
1244 161 : (*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation;
1245 161 : (*db)->hdb_check_rbcd = hdb_samba4_check_rbcd;
1246 161 : (*db)->hdb_check_pkinit_ms_upn_match = hdb_samba4_check_pkinit_ms_upn_match;
1247 161 : (*db)->hdb_check_client_matches_target_service = hdb_samba4_check_client_matches_target_service;
1248 :
1249 161 : return NT_STATUS_OK;
1250 : }
1251 :
1252 68 : NTSTATUS hdb_samba4_kpasswd_create_kdc(struct samba_kdc_base_context *base_ctx,
1253 : krb5_context context, struct HDB **db)
1254 : {
1255 0 : NTSTATUS nt_status;
1256 :
1257 68 : nt_status = hdb_samba4_create_kdc(base_ctx, context, db);
1258 68 : if (!NT_STATUS_IS_OK(nt_status)) {
1259 0 : return nt_status;
1260 : }
1261 :
1262 68 : (*db)->hdb_fetch_kvno = hdb_samba4_kpasswd_fetch_kvno;
1263 68 : (*db)->hdb_firstkey = hdb_samba4_nextkey_panic;
1264 68 : (*db)->hdb_nextkey = hdb_samba4_nextkey_panic;
1265 :
1266 68 : return NT_STATUS_OK;
1267 : }
|
