r1215: Intermediate checkin of the new keytab code. I need to make sure I (e948458a) · Commits · Software / OSDI20 Artifacts / samba

source3/Makefile.in

+1 −1

Original line number	Diff line number	Diff line
		@@ -228,7 +228,7 @@ KRBCLIENT_OBJ = libads/kerberos.o libads/ads_status.o

		LIBADS_OBJ = libads/ldap.o libads/ldap_printer.o libads/sasl.o \
		libads/krb5_setpw.o libads/ldap_user.o \
		libads/ads_struct.o \
		libads/ads_struct.o libads/kerberos_keytab.o \
		libads/disp_sec.o libads/ads_utils.o libads/ldap_utils.o \
		libads/ads_ldap.o libads/authdata.o

source3/include/safe_string.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -59,7 +59,7 @@
		#ifdef strncasecmp
		#undef strncasecmp
		#endif
		#define strncasecmp __ERROR__XX__NEVER_USE_STRCASECMP__;
		#define strncasecmp __ERROR__XX__NEVER_USE_STRNCASECMP__;

		#endif /* !_SPLINT_ */

source3/lib/util.c

+15 −0

Original line number	Diff line number	Diff line
		@@ -2435,6 +2435,21 @@ BOOL unix_wild_match(const char pattern, const char string)
		return unix_do_match(p2, s2) == 0;
		}

		/**********************************************************************
		Converts a name to a fully qalified domain name.
		***********************************************************************/

		void name_to_fqdn(fstring fqdn, const char *name)
		{
		struct hostent *hp = sys_gethostbyname(name);
		if ( hp && hp->h_name && *hp->h_name ) {
		DEBUG(10,("name_to_fqdn: lookup for %s -> %s.\n", name, hp->h_name));
		fstrcpy(fqdn,hp->h_name);
		} else {
		DEBUG(10,("name_to_fqdn: lookup for %s failed.\n", name));
		fstrcpy(fqdn, name);
		}
		}

		#ifdef __INSURE__

source3/libads/kerberos_keytab.c

+7 −23

Original line number	Diff line number	Diff line
		@@ -29,27 +29,11 @@

		#ifdef HAVE_KRB5

		/**********************************************************************
		Converts a name to a fully qalified domain name.
		***********************************************************************/

		void name_to_fqdn(fstring fqdn, const char *name)
		{
		struct hostent *hp = sys_gethostbyname(name);
		if ( hp && hp->h_name && *hp->h_name ) {
		DEBUG(10,("name_to_fqdn: lookup for %s -> %s.\n", name, hp->h_name));
		fstrcpy(fqdn,hp->h_name);
		} else {
		DEBUG(10,("name_to_fqdn: lookup for %s failed.\n", name));
		fstrcpy(fqdn, name);
		}
		}

		/**********************************************************************
		Adds a single service principal, i.e. 'host' to the system keytab
		***********************************************************************/

		int ads_keytab_add_entry(const char srvPrinc, ADS_STRUCT ads)
		int ads_keytab_add_entry(ADS_STRUCT ads, const char srvPrinc)
		{
		krb5_error_code ret = 0;
		krb5_context context = NULL;
		@@ -254,8 +238,8 @@ int ads_keytab_add_entry(const char srvPrinc, ADS_STRUCT ads)

		/* Update the LDAP with the SPN */
		DEBUG(3,("ads_keytab_add_entry: Attempting to add/update '%s'\n", princ_s));
		if (!ADS_ERR_OK(ads_add_spn(ads, global_myname(), srvPrinc))) {
		DEBUG(1,("ads_keytab_add_entry: ads_add_spn failed.\n"));
		if (!ADS_ERR_OK(ads_add_service_principal_name(ads, global_myname(), srvPrinc))) {
		DEBUG(1,("ads_keytab_add_entry: ads_add_service_principcal_name failed.\n"));
		goto out;
		}

		@@ -372,7 +356,7 @@ int ads_keytab_flush(ADS_STRUCT *ads)
		ZERO_STRUCT(kt_entry);
		cursor = NULL;

		if (!ADS_ERR_OK(ads_clear_spns(ads, global_myname()))) {
		if (!ADS_ERR_OK(ads_clear_service_principal_names(ads, global_myname()))) {
		DEBUG(1,("ads_keytab_flush: Error while clearing service principal listings in LDAP.\n"));
		goto out;
		}
		@@ -413,12 +397,12 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
		int i, found = 0;
		char **oldEntries = NULL;

		ret = ads_keytab_add_entry("host", ads);
		ret = ads_keytab_add_entry(ads, "host");
		if (ret) {
		DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.\n"));
		return ret;
		}
		ret = ads_keytab_add_entry("cifs", ads);
		ret = ads_keytab_add_entry(ads, "cifs");
		if (ret) {
		DEBUG(1,("ads_keytab_create_default: ads_keytab_add_entry failed while adding 'cifs'.\n"));
		return ret;
		@@ -512,7 +496,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
		ZERO_STRUCT(kt_entry);
		}
		for (i = 0; oldEntries[i]; i++) {
		ret \|= ads_keytab_add_entry(oldEntries[i], ads);
		ret \|= ads_keytab_add_entry(ads, oldEntries[i]);
		krb5_free_unparsed_name(context, oldEntries[i]);
		}
		krb5_kt_end_seq_get(context, keytab, &cursor);

source3/libads/kerberos_verify.c

+198 −99

Original line number	Diff line number	Diff line
		@@ -26,10 +26,166 @@

		#ifdef HAVE_KRB5

		/*
		verify an incoming ticket and parse out the principal name and
		authorization_data if available
		*/
		/**********************************************************************************
		Try to verify a ticket using the system keytab... the system keytab has kvno -1 entries, so
		it's more like what microsoft does... see comment in utils/net_ads.c in the
		ads_keytab_add_entry function for details.
		***********************************************************************************/

		static BOOL ads_keytab_verify_ticket(krb5_context context, krb5_auth_context auth_context,
		const DATA_BLOB ticket, krb5_data p_packet, krb5_ticket **pp_tkt)
		{
		krb5_error_code ret = 0;
		BOOL auth_ok = False;

		krb5_keytab keytab = NULL;
		krb5_kt_cursor cursor = NULL;
		krb5_keytab_entry kt_entry;
		char *princ_name = NULL;

		ZERO_STRUCT(kt_entry);
		ret = krb5_kt_default(context, &keytab);
		if (ret) {
		DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_default failed (%s)\n", error_message(ret)));
		goto out;
		}

		ret = krb5_kt_start_seq_get(context, keytab, &cursor);
		if (ret) {
		DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_start_seq_get failed (%s)\n", error_message(ret)));
		goto out;
		}

		while (!krb5_kt_next_entry(context, keytab, &kt_entry, &cursor)) {
		ret = krb5_unparse_name(context, kt_entry.principal, &princ_name);
		if (ret) {
		DEBUG(1, ("ads_keytab_verify_ticket: krb5_unparse_name failed (%s)\n", error_message(ret)));
		goto out;
		}
		/* Look for a CIFS ticket */
		if (!StrnCaseCmp(princ_name, "cifs/", 5)) {
		krb5_auth_con_setuseruserkey(context, auth_context, &kt_entry.key);

		p_packet->length = ticket->length;
		p_packet->data = (krb5_pointer)ticket->data;

		if (!(ret = krb5_rd_req(context, &auth_context, p_packet, NULL, NULL, NULL, pp_tkt))) {
		krb5_free_unparsed_name(context, princ_name);
		princ_name = NULL;
		DEBUG(10,("ads_keytab_verify_ticket: enc type [%u] decrypted message !\n",
		(unsigned int) kt_entry.key.enctype));
		auth_ok = True;
		break;
		}
		}
		krb5_free_unparsed_name(context, princ_name);
		princ_name = NULL;
		}
		if (ret && ret != KRB5_KT_END) {
		/* This failed because something went wrong, not because the keytab file was empty. */
		DEBUG(1, ("ads_keytab_verify_ticket: krb5_kt_next_entry failed (%s)\n", error_message(ret)));
		goto out;
		}

		out:

		if (princ_name) {
		krb5_free_unparsed_name(context, princ_name);
		}
		if (cursor && keytab) {
		krb5_kt_end_seq_get(context, keytab, &cursor);
		}
		if (keytab) {
		krb5_kt_close(context, keytab);
		}

		return auth_ok;
		}

		/**********************************************************************************
		Try to verify a ticket using the secrets.tdb.
		***********************************************************************************/

		static BOOL ads_secrets_verify_ticket(krb5_context context, krb5_auth_context auth_context,
		krb5_principal host_princ,
		const DATA_BLOB ticket, krb5_data p_packet, krb5_ticket **pp_tkt)
		{
		krb5_error_code ret = 0;
		BOOL auth_ok = False;
		char *password_s = NULL;
		krb5_data password;
		krb5_enctype *enctypes = NULL;
		int i;

		if (!secrets_init()) {
		DEBUG(1,("ads_secrets_verify_ticket: secrets_init failed\n"));
		return False;
		}

		password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
		if (!password_s) {
		DEBUG(1,("ads_secrets_verify_ticket: failed to fetch machine password\n"));
		return False;
		}

		password.data = password_s;
		password.length = strlen(password_s);

		/* CIFS doesn't use addresses in tickets. This would break NAT. JRA */

		if ((ret = get_kerberos_allowed_etypes(context, &enctypes))) {
		DEBUG(1,("ads_secrets_verify_ticket: krb5_get_permitted_enctypes failed (%s)\n",
		error_message(ret)));
		goto out;
		}

		p_packet->length = ticket->length;
		p_packet->data = (krb5_pointer)ticket->data;

		/* We need to setup a auth context with each possible encoding type in turn. */
		for (i=0;enctypes[i];i++) {
		krb5_keyblock *key = NULL;

		if (!(key = (krb5_keyblock )malloc(sizeof(key)))) {
		goto out;
		}

		if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) {
		SAFE_FREE(key);
		continue;
		}

		krb5_auth_con_setuseruserkey(context, auth_context, key);

		krb5_free_keyblock(context, key);

		if (!(ret = krb5_rd_req(context, &auth_context, p_packet,
		NULL,
		NULL, NULL, pp_tkt))) {
		DEBUG(10,("ads_secrets_verify_ticket: enc type [%u] decrypted message !\n",
		(unsigned int)enctypes[i] ));
		auth_ok = True;
		break;
		}

		DEBUG((ret != KRB5_BAD_ENCTYPE) ? 3 : 10,
		("ads_secrets_verify_ticket: enc type [%u] failed to decrypt with error %s\n",
		(unsigned int)enctypes[i], error_message(ret)));
		}

		out:

		free_kerberos_etypes(context, enctypes);
		SAFE_FREE(password_s);

		return auth_ok;
		}

		/**********************************************************************************
		Verify an incoming ticket and parse out the principal name and
		authorization_data if available.
		***********************************************************************************/

		NTSTATUS ads_verify_ticket(const char realm, const DATA_BLOB ticket,
		char *principal, DATA_BLOB auth_data,
		DATA_BLOB *ap_rep,
		@@ -41,43 +197,21 @@ NTSTATUS ads_verify_ticket(const char realm, const DATA_BLOB ticket,
		krb5_data packet;
		krb5_ticket *tkt = NULL;
		krb5_rcache rcache = NULL;
		int ret, i;
		krb5_keyblock *key = NULL;
		int ret;

		krb5_principal host_princ;
		krb5_principal host_princ = NULL;
		char *host_princ_s = NULL;
		BOOL free_host_princ = False;
		BOOL got_replay_mutex = False;

		fstring myname;
		char *password_s = NULL;
		krb5_data password;
		krb5_enctype *enctypes = NULL;
		#if 0
		krb5_address local_addr;
		krb5_address remote_addr;
		#endif
		BOOL auth_ok = False;

		ZERO_STRUCT(packet);
		ZERO_STRUCT(password);
		ZERO_STRUCTP(auth_data);
		ZERO_STRUCTP(ap_rep);
		ZERO_STRUCTP(session_key);

		if (!secrets_init()) {
		DEBUG(1,("ads_verify_ticket: secrets_init failed\n"));
		return NT_STATUS_LOGON_FAILURE;
		}

		password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
		if (!password_s) {
		DEBUG(1,("ads_verify_ticket: failed to fetch machine password\n"));
		return NT_STATUS_LOGON_FAILURE;
		}

		password.data = password_s;
		password.length = strlen(password_s);

		initialize_krb5_error_table();
		ret = krb5_init_context(&context);
		if (ret) {
		DEBUG(1,("ads_verify_ticket: krb5_init_context failed (%s)\n", error_message(ret)));
		@@ -87,7 +221,6 @@ NTSTATUS ads_verify_ticket(const char realm, const DATA_BLOB ticket,
		ret = krb5_set_default_realm(context, realm);
		if (ret) {
		DEBUG(1,("ads_verify_ticket: krb5_set_default_realm failed (%s)\n", error_message(ret)));
		sret = NT_STATUS_LOGON_FAILURE;
		goto out;
		}

		@@ -98,22 +231,29 @@ NTSTATUS ads_verify_ticket(const char realm, const DATA_BLOB ticket,
		ret = krb5_auth_con_init(context, &auth_context);
		if (ret) {
		DEBUG(1,("ads_verify_ticket: krb5_auth_con_init failed (%s)\n", error_message(ret)));
		sret = NT_STATUS_LOGON_FAILURE;
		goto out;
		}

		fstrcpy(myname, global_myname());
		name_to_fqdn(myname, global_myname());
		strlower_m(myname);
		asprintf(&host_princ_s, "HOST/%s@%s", myname, lp_realm());
		asprintf(&host_princ_s, "host/%s@%s", myname, lp_realm());
		ret = krb5_parse_name(context, host_princ_s, &host_princ);
		if (ret) {
		DEBUG(1,("ads_verify_ticket: krb5_parse_name(%s) failed (%s)\n",
		host_princ_s, error_message(ret)));
		sret = NT_STATUS_LOGON_FAILURE;
		goto out;
		}

		free_host_princ = True;

		/* Lock a mutex surrounding the replay as there is no locking in the MIT krb5
		* code surrounding the replay cache... */

		if (!grab_server_mutex("replay cache mutex")) {
		DEBUG(1,("ads_verify_ticket: unable to protect replay cache with mutex.\n"));
		goto out;
		}

		got_replay_mutex = True;

		/*
		* JRA. We must set the rcache here. This will prevent replay attacks.
		@@ -122,67 +262,21 @@ NTSTATUS ads_verify_ticket(const char realm, const DATA_BLOB ticket,
		ret = krb5_get_server_rcache(context, krb5_princ_component(context, host_princ, 0), &rcache);
		if (ret) {
		DEBUG(1,("ads_verify_ticket: krb5_get_server_rcache failed (%s)\n", error_message(ret)));
		sret = NT_STATUS_LOGON_FAILURE;
		goto out;
		}

		ret = krb5_auth_con_setrcache(context, auth_context, rcache);
		if (ret) {
		DEBUG(1,("ads_verify_ticket: krb5_auth_con_setrcache failed (%s)\n", error_message(ret)));
		sret = NT_STATUS_LOGON_FAILURE;
		goto out;
		}

		/* CIFS doesn't use addresses in tickets. This would breat NAT. JRA */

		if ((ret = get_kerberos_allowed_etypes(context, &enctypes))) {
		DEBUG(1,("ads_verify_ticket: krb5_get_permitted_enctypes failed (%s)\n",
		error_message(ret)));
		sret = NT_STATUS_LOGON_FAILURE;
		goto out;
		}

		/* Lock a mutex surrounding the replay as there is no locking in the MIT krb5
		* code surrounding the replay cache... */

		if (!grab_server_mutex("replay cache mutex")) {
		DEBUG(1,("ads_verify_ticket: unable to protect replay cache with mutex.\n"));
		sret = NT_STATUS_LOGON_FAILURE;
		goto out;
		}

		got_replay_mutex = True;

		/* We need to setup a auth context with each possible encoding type in turn. */
		for (i=0;enctypes[i];i++) {
		if (!(key = (krb5_keyblock )malloc(sizeof(key)))) {
		sret = NT_STATUS_NO_MEMORY;
		goto out;
		}

		if (create_kerberos_key_from_string(context, host_princ, &password, key, enctypes[i])) {
		continue;
		}

		krb5_auth_con_setuseruserkey(context, auth_context, key);

		krb5_free_keyblock(context, key);

		packet.length = ticket->length;
		packet.data = (krb5_pointer)ticket->data;

		if (!(ret = krb5_rd_req(context, &auth_context, &packet,
		NULL,
		NULL, NULL, &tkt))) {
		DEBUG(10,("ads_verify_ticket: enc type [%u] decrypted message !\n",
		(unsigned int)enctypes[i] ));
		auth_ok = True;
		break;
		if (lp_use_kerberos_keytab()) {
		auth_ok = ads_keytab_verify_ticket(context, auth_context, ticket, &packet, &tkt);
		}

		DEBUG((ret != KRB5_BAD_ENCTYPE) ? 3 : 10,
		("ads_verify_ticket: enc type [%u] failed to decrypt with error %s\n",
		(unsigned int)enctypes[i], error_message(ret)));
		if (!auth_ok) {
		auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
		ticket, &packet, &tkt);
		}

		release_server_mutex();
		@@ -191,7 +285,6 @@ NTSTATUS ads_verify_ticket(const char realm, const DATA_BLOB ticket,
		if (!auth_ok) {
		DEBUG(3,("ads_verify_ticket: krb5_rd_req with auth failed (%s)\n",
		error_message(ret)));
		sret = NT_STATUS_LOGON_FAILURE;
		goto out;
		}

		@@ -199,12 +292,12 @@ NTSTATUS ads_verify_ticket(const char realm, const DATA_BLOB ticket,
		if (ret) {
		DEBUG(3,("ads_verify_ticket: Failed to generate mutual authentication reply (%s)\n",
		error_message(ret)));
		sret = NT_STATUS_LOGON_FAILURE;
		goto out;
		}

		*ap_rep = data_blob(packet.data, packet.length);
		free(packet.data);
		SAFE_FREE(packet.data);
		packet.length = 0;

		get_krb5_smb_session_key(context, auth_context, session_key, True);
		dump_data_pw("SMB session key (from ticket)\n", session_key->data, session_key->length);
		@@ -241,29 +334,35 @@ NTSTATUS ads_verify_ticket(const char realm, const DATA_BLOB ticket,

		out:

		if (got_replay_mutex)
		if (got_replay_mutex) {
		release_server_mutex();
		}

		if (!NT_STATUS_IS_OK(sret))
		if (!NT_STATUS_IS_OK(sret)) {
		data_blob_free(auth_data);
		}

		if (!NT_STATUS_IS_OK(sret))
		if (!NT_STATUS_IS_OK(sret)) {
		data_blob_free(ap_rep);
		}

		if (free_host_princ)
		if (host_princ) {
		krb5_free_principal(context, host_princ);
		}

		if (tkt != NULL)
		if (tkt != NULL) {
		krb5_free_ticket(context, tkt);
		free_kerberos_etypes(context, enctypes);
		SAFE_FREE(password_s);
		}

		SAFE_FREE(host_princ_s);

		if (auth_context)
		if (auth_context) {
		krb5_auth_con_free(context, auth_context);
		}

		if (context)
		if (context) {
		krb5_free_context(context);
		}

		return sret;
		}