Context Navigation

source: branches/samba-3.3.x/source/libads/kerberos.c@ 278

Visit:

Last change on this file since 278 was 223, checked in by Herwig Bauernfeind, 16 years ago
Update Samba 3.3 branch to 3.3.3
File size: 26.1 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	kerberos utility library
4	Copyright (C) Andrew Tridgell 2001
5	Copyright (C) Remus Koos 2001
6	Copyright (C) Nalin Dahyabhai <nalin@redhat.com> 2004.
7	Copyright (C) Jeremy Allison 2004.
8	Copyright (C) Gerald Carter 2006.
9
10	This program is free software; you can redistribute it and/or modify
11	it under the terms of the GNU General Public License as published by
12	the Free Software Foundation; either version 3 of the License, or
13	(at your option) any later version.
14
15	This program is distributed in the hope that it will be useful,
16	but WITHOUT ANY WARRANTY; without even the implied warranty of
17	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18	GNU General Public License for more details.
19
20	You should have received a copy of the GNU General Public License
21	along with this program. If not, see <http://www.gnu.org/licenses/>.
22	*/
23
24	#include "includes.h"
25
26	#ifdef HAVE_KRB5
27
28	#define DEFAULT_KRB5_PORT 88
29
30	#define LIBADS_CCACHE_NAME "MEMORY:libads"
31
32	/*
33	we use a prompter to avoid a crash bug in the kerberos libs when
34	dealing with empty passwords
35	this prompter is just a string copy ...
36	*/
37	static krb5_error_code
38	kerb_prompter(krb5_context ctx, void *data,
39	const char *name,
40	const char *banner,
41	int num_prompts,
42	krb5_prompt prompts[])
43	{
44	if (num_prompts == 0) return 0;
45
46	memset(prompts[0].reply->data, '\0', prompts[0].reply->length);
47	if (prompts[0].reply->length > 0) {
48	if (data) {
49	strncpy(prompts[0].reply->data, (const char *)data,
50	prompts[0].reply->length-1);
51	prompts[0].reply->length = strlen(prompts[0].reply->data);
52	} else {
53	prompts[0].reply->length = 0;
54	}
55	}
56	return 0;
57	}
58
59	static bool smb_krb5_err_io_nstatus(TALLOC_CTX *mem_ctx,
60	DATA_BLOB *edata_blob,
61	KRB5_EDATA_NTSTATUS *edata)
62	{
63	bool ret = False;
64	prs_struct ps;
65
66	if (!mem_ctx \|\| !edata_blob \|\| !edata)
67	return False;
68
69	if (!prs_init(&ps, edata_blob->length, mem_ctx, UNMARSHALL))
70	return False;
71
72	if (!prs_copy_data_in(&ps, (char *)edata_blob->data, edata_blob->length))
73	goto out;
74
75	prs_set_offset(&ps, 0);
76
77	if (!prs_ntstatus("ntstatus", &ps, 1, &edata->ntstatus))
78	goto out;
79
80	if (!prs_uint32("unknown1", &ps, 1, &edata->unknown1))
81	goto out;
82
83	if (!prs_uint32("unknown2", &ps, 1, &edata->unknown2)) /* only seen 00000001 here */
84	goto out;
85
86	ret = True;
87	out:
88	prs_mem_free(&ps);
89
90	return ret;
91	}
92
93	static bool smb_krb5_get_ntstatus_from_krb5_error(krb5_error *error,
94	NTSTATUS *nt_status)
95	{
96	DATA_BLOB edata;
97	DATA_BLOB unwrapped_edata;
98	TALLOC_CTX *mem_ctx;
99	KRB5_EDATA_NTSTATUS parsed_edata;
100
101	#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
102	edata = data_blob(error->e_data->data, error->e_data->length);
103	#else
104	edata = data_blob(error->e_data.data, error->e_data.length);
105	#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
106
107	#ifdef DEVELOPER
108	dump_data(10, edata.data, edata.length);
109	#endif /* DEVELOPER */
110
111	mem_ctx = talloc_init("smb_krb5_get_ntstatus_from_krb5_error");
112	if (mem_ctx == NULL) {
113	data_blob_free(&edata);
114	return False;
115	}
116
117	if (!unwrap_edata_ntstatus(mem_ctx, &edata, &unwrapped_edata)) {
118	data_blob_free(&edata);
119	TALLOC_FREE(mem_ctx);
120	return False;
121	}
122
123	data_blob_free(&edata);
124
125	if (!smb_krb5_err_io_nstatus(mem_ctx, &unwrapped_edata, &parsed_edata)) {
126	data_blob_free(&unwrapped_edata);
127	TALLOC_FREE(mem_ctx);
128	return False;
129	}
130
131	data_blob_free(&unwrapped_edata);
132
133	if (nt_status) {
134	*nt_status = parsed_edata.ntstatus;
135	}
136
137	TALLOC_FREE(mem_ctx);
138
139	return True;
140	}
141
142	static bool smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt(krb5_context ctx,
143	krb5_get_init_creds_opt *opt,
144	NTSTATUS *nt_status)
145	{
146	bool ret = False;
147	krb5_error *error = NULL;
148
149	#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_GET_ERROR
150	ret = krb5_get_init_creds_opt_get_error(ctx, opt, &error);
151	if (ret) {
152	DEBUG(1,("krb5_get_init_creds_opt_get_error gave: %s\n",
153	error_message(ret)));
154	return False;
155	}
156	#endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_GET_ERROR */
157
158	if (!error) {
159	DEBUG(1,("no krb5_error\n"));
160	return False;
161	}
162
163	#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
164	if (!error->e_data) {
165	#else
166	if (error->e_data.data == NULL) {
167	#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
168	DEBUG(1,("no edata in krb5_error\n"));
169	krb5_free_error(ctx, error);
170	return False;
171	}
172
173	ret = smb_krb5_get_ntstatus_from_krb5_error(error, nt_status);
174
175	krb5_free_error(ctx, error);
176
177	return ret;
178	}
179
180	/*
181	simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL
182	place in default cache location.
183	remus@snapserver.com
184	*/
185	int kerberos_kinit_password_ext(const char *principal,
186	const char *password,
187	int time_offset,
188	time_t *expire_time,
189	time_t *renew_till_time,
190	const char *cache_name,
191	bool request_pac,
192	bool add_netbios_addr,
193	time_t renewable_time,
194	NTSTATUS *ntstatus)
195	{
196	krb5_context ctx = NULL;
197	krb5_error_code code = 0;
198	krb5_ccache cc = NULL;
199	krb5_principal me = NULL;
200	krb5_creds my_creds;
201	krb5_get_init_creds_opt *opt = NULL;
202	smb_krb5_addresses *addr = NULL;
203
204	ZERO_STRUCT(my_creds);
205
206	initialize_krb5_error_table();
207	if ((code = krb5_init_context(&ctx)))
208	goto out;
209
210	if (time_offset != 0) {
211	krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
212	}
213
214	DEBUG(10,("kerberos_kinit_password: as %s using [%s] as ccache and config [%s]\n",
215	principal,
216	cache_name ? cache_name: krb5_cc_default_name(ctx),
217	getenv("KRB5_CONFIG")));
218
219	if ((code = krb5_cc_resolve(ctx, cache_name ? cache_name : krb5_cc_default_name(ctx), &cc))) {
220	goto out;
221	}
222
223	if ((code = smb_krb5_parse_name(ctx, principal, &me))) {
224	goto out;
225	}
226
227	if ((code = smb_krb5_get_init_creds_opt_alloc(ctx, &opt))) {
228	goto out;
229	}
230
231	krb5_get_init_creds_opt_set_renew_life(opt, renewable_time);
232	krb5_get_init_creds_opt_set_forwardable(opt, True);
233	#if 0
234	/* insane testing */
235	krb5_get_init_creds_opt_set_tkt_life(opt, 60);
236	#endif
237
238	#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
239	if (request_pac) {
240	if ((code = krb5_get_init_creds_opt_set_pac_request(ctx, opt, (krb5_boolean)request_pac))) {
241	goto out;
242	}
243	}
244	#endif
245	if (add_netbios_addr) {
246	if ((code = smb_krb5_gen_netbios_krb5_address(&addr))) {
247	goto out;
248	}
249	krb5_get_init_creds_opt_set_address_list(opt, addr->addrs);
250	}
251
252	if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, CONST_DISCARD(char *,password),
253	kerb_prompter, CONST_DISCARD(char *,password),
254	0, NULL, opt))) {
255	goto out;
256	}
257
258	if ((code = krb5_cc_initialize(ctx, cc, me))) {
259	goto out;
260	}
261
262	if ((code = krb5_cc_store_cred(ctx, cc, &my_creds))) {
263	goto out;
264	}
265
266	if (expire_time) {
267	*expire_time = (time_t) my_creds.times.endtime;
268	}
269
270	if (renew_till_time) {
271	*renew_till_time = (time_t) my_creds.times.renew_till;
272	}
273	out:
274	if (ntstatus) {
275
276	NTSTATUS status;
277
278	/* fast path */
279	if (code == 0) {
280	*ntstatus = NT_STATUS_OK;
281	goto cleanup;
282	}
283
284	/* try to get ntstatus code out of krb5_error when we have it
285	* inside the krb5_get_init_creds_opt - gd */
286
287	if (opt && smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt(ctx, opt, &status)) {
288	*ntstatus = status;
289	goto cleanup;
290	}
291
292	/* fall back to self-made-mapping */
293	*ntstatus = krb5_to_nt_status(code);
294	}
295
296	cleanup:
297	krb5_free_cred_contents(ctx, &my_creds);
298	if (me) {
299	krb5_free_principal(ctx, me);
300	}
301	if (addr) {
302	smb_krb5_free_addresses(ctx, addr);
303	}
304	if (opt) {
305	smb_krb5_get_init_creds_opt_free(ctx, opt);
306	}
307	if (cc) {
308	krb5_cc_close(ctx, cc);
309	}
310	if (ctx) {
311	krb5_free_context(ctx);
312	}
313	return code;
314	}
315
316
317
318	/* run kinit to setup our ccache */
319	int ads_kinit_password(ADS_STRUCT *ads)
320	{
321	char *s;
322	int ret;
323	const char *account_name;
324	fstring acct_name;
325
326	if (ads->auth.flags & ADS_AUTH_USER_CREDS) {
327	account_name = ads->auth.user_name;
328	goto got_accountname;
329	}
330
331	if ( IS_DC ) {
332	/* this will end up getting a ticket for DOMAIN@RUSTED.REA.LM */
333	account_name = lp_workgroup();
334	} else {
335	/* always use the sAMAccountName for security = domain */
336	/* global_myname()$@REA.LM */
337	if ( lp_security() == SEC_DOMAIN ) {
338	fstr_sprintf( acct_name, "%s$", global_myname() );
339	account_name = acct_name;
340	}
341	else
342	/* This looks like host/global_myname()@REA.LM */
343	account_name = ads->auth.user_name;
344	}
345
346	got_accountname:
347	if (asprintf(&s, "%s@%s", account_name, ads->auth.realm) == -1) {
348	return KRB5_CC_NOMEM;
349	}
350
351	if (!ads->auth.password) {
352	SAFE_FREE(s);
353	return KRB5_LIBOS_CANTREADPWD;
354	}
355
356	ret = kerberos_kinit_password_ext(s, ads->auth.password, ads->auth.time_offset,
357	&ads->auth.tgt_expire, NULL, NULL, False, False, ads->auth.renewable,
358	NULL);
359
360	if (ret) {
361	DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
362	s, error_message(ret)));
363	}
364	SAFE_FREE(s);
365	return ret;
366	}
367
368	int ads_kdestroy(const char *cc_name)
369	{
370	krb5_error_code code;
371	krb5_context ctx = NULL;
372	krb5_ccache cc = NULL;
373
374	initialize_krb5_error_table();
375	if ((code = krb5_init_context (&ctx))) {
376	DEBUG(3, ("ads_kdestroy: kdb5_init_context failed: %s\n",
377	error_message(code)));
378	return code;
379	}
380
381	if (!cc_name) {
382	if ((code = krb5_cc_default(ctx, &cc))) {
383	krb5_free_context(ctx);
384	return code;
385	}
386	} else {
387	if ((code = krb5_cc_resolve(ctx, cc_name, &cc))) {
388	DEBUG(3, ("ads_kdestroy: krb5_cc_resolve failed: %s\n",
389	error_message(code)));
390	krb5_free_context(ctx);
391	return code;
392	}
393	}
394
395	if ((code = krb5_cc_destroy (ctx, cc))) {
396	DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n",
397	error_message(code)));
398	}
399
400	krb5_free_context (ctx);
401	return code;
402	}
403
404	/************************************************************************
405	Routine to fetch the salting principal for a service. Active
406	Directory may use a non-obvious principal name to generate the salt
407	when it determines the key to use for encrypting tickets for a service,
408	and hopefully we detected that when we joined the domain.
409	************************************************************************/
410
411	static char kerberos_secrets_fetch_salting_principal(const char service, int enctype)
412	{
413	char *key = NULL;
414	char *ret = NULL;
415
416	if (asprintf(&key, "%s/%s/enctype=%d",
417	SECRETS_SALTING_PRINCIPAL, service, enctype) == -1) {
418	return NULL;
419	}
420	ret = (char *)secrets_fetch(key, NULL);
421	SAFE_FREE(key);
422	return ret;
423	}
424
425	/************************************************************************
426	Return the standard DES salt key
427	************************************************************************/
428
429	char* kerberos_standard_des_salt( void )
430	{
431	fstring salt;
432
433	fstr_sprintf( salt, "host/%s.%s@", global_myname(), lp_realm() );
434	strlower_m( salt );
435	fstrcat( salt, lp_realm() );
436
437	return SMB_STRDUP( salt );
438	}
439
440	/************************************************************************
441	************************************************************************/
442
443	static char* des_salt_key( void )
444	{
445	char *key;
446
447	if (asprintf(&key, "%s/DES/%s", SECRETS_SALTING_PRINCIPAL,
448	lp_realm()) == -1) {
449	return NULL;
450	}
451
452	return key;
453	}
454
455	/************************************************************************
456	************************************************************************/
457
458	bool kerberos_secrets_store_des_salt( const char* salt )
459	{
460	char* key;
461	bool ret;
462
463	if ( (key = des_salt_key()) == NULL ) {
464	DEBUG(0,("kerberos_secrets_store_des_salt: failed to generate key!\n"));
465	return False;
466	}
467
468	if ( !salt ) {
469	DEBUG(8,("kerberos_secrets_store_des_salt: deleting salt\n"));
470	secrets_delete( key );
471	return True;
472	}
473
474	DEBUG(3,("kerberos_secrets_store_des_salt: Storing salt \"%s\"\n", salt));
475
476	ret = secrets_store( key, salt, strlen(salt)+1 );
477
478	SAFE_FREE( key );
479
480	return ret;
481	}
482
483	/************************************************************************
484	************************************************************************/
485
486	char* kerberos_secrets_fetch_des_salt( void )
487	{
488	char salt, key;
489
490	if ( (key = des_salt_key()) == NULL ) {
491	DEBUG(0,("kerberos_secrets_fetch_des_salt: failed to generate key!\n"));
492	return False;
493	}
494
495	salt = (char*)secrets_fetch( key, NULL );
496
497	SAFE_FREE( key );
498
499	return salt;
500	}
501
502	/************************************************************************
503	Routine to get the default realm from the kerberos credentials cache.
504	Caller must free if the return value is not NULL.
505	************************************************************************/
506
507	char *kerberos_get_default_realm_from_ccache( void )
508	{
509	char *realm = NULL;
510	krb5_context ctx = NULL;
511	krb5_ccache cc = NULL;
512	krb5_principal princ = NULL;
513
514	initialize_krb5_error_table();
515	if (krb5_init_context(&ctx)) {
516	return NULL;
517	}
518
519	DEBUG(5,("kerberos_get_default_realm_from_ccache: "
520	"Trying to read krb5 cache: %s\n",
521	krb5_cc_default_name(ctx)));
522	if (krb5_cc_default(ctx, &cc)) {
523	DEBUG(0,("kerberos_get_default_realm_from_ccache: "
524	"failed to read default cache\n"));
525	goto out;
526	}
527	if (krb5_cc_get_principal(ctx, cc, &princ)) {
528	DEBUG(0,("kerberos_get_default_realm_from_ccache: "
529	"failed to get default principal\n"));
530	goto out;
531	}
532
533	#if defined(HAVE_KRB5_PRINCIPAL_GET_REALM)
534	realm = SMB_STRDUP(krb5_principal_get_realm(ctx, princ));
535	#elif defined(HAVE_KRB5_PRINC_REALM)
536	{
537	krb5_data *realm_data = krb5_princ_realm(ctx, princ);
538	realm = SMB_STRNDUP(realm_data->data, realm_data->length);
539	}
540	#endif
541
542	out:
543
544	if (ctx) {
545	if (princ) {
546	krb5_free_principal(ctx, princ);
547	}
548	if (cc) {
549	krb5_cc_close(ctx, cc);
550	}
551	krb5_free_context(ctx);
552	}
553
554	return realm;
555	}
556
557
558	/************************************************************************
559	Routine to get the salting principal for this service. This is
560	maintained for backwards compatibilty with releases prior to 3.0.24.
561	Since we store the salting principal string only at join, we may have
562	to look for the older tdb keys. Caller must free if return is not null.
563	************************************************************************/
564
565	krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context,
566	krb5_principal host_princ,
567	int enctype)
568	{
569	char unparsed_name = NULL, salt_princ_s = NULL;
570	krb5_principal ret_princ = NULL;
571
572	/* lookup new key first */
573
574	if ( (salt_princ_s = kerberos_secrets_fetch_des_salt()) == NULL ) {
575
576	/* look under the old key. If this fails, just use the standard key */
577
578	if (smb_krb5_unparse_name(context, host_princ, &unparsed_name) != 0) {
579	return (krb5_principal)NULL;
580	}
581	if ((salt_princ_s = kerberos_secrets_fetch_salting_principal(unparsed_name, enctype)) == NULL) {
582	/* fall back to host/machine.realm@REALM */
583	salt_princ_s = kerberos_standard_des_salt();
584	}
585	}
586
587	if (smb_krb5_parse_name(context, salt_princ_s, &ret_princ) != 0) {
588	ret_princ = NULL;
589	}
590
591	SAFE_FREE(unparsed_name);
592	SAFE_FREE(salt_princ_s);
593
594	return ret_princ;
595	}
596
597	/************************************************************************
598	Routine to set the salting principal for this service. Active
599	Directory may use a non-obvious principal name to generate the salt
600	when it determines the key to use for encrypting tickets for a service,
601	and hopefully we detected that when we joined the domain.
602	Setting principal to NULL deletes this entry.
603	************************************************************************/
604
605	bool kerberos_secrets_store_salting_principal(const char *service,
606	int enctype,
607	const char *principal)
608	{
609	char *key = NULL;
610	bool ret = False;
611	krb5_context context = NULL;
612	krb5_principal princ = NULL;
613	char *princ_s = NULL;
614	char *unparsed_name = NULL;
615	krb5_error_code code;
616
617	if (((code = krb5_init_context(&context)) != 0) \|\| (context == NULL)) {
618	DEBUG(5, ("kerberos_secrets_store_salting_pricipal: kdb5_init_context failed: %s\n",
619	error_message(code)));
620	return False;
621	}
622	if (strchr_m(service, '@')) {
623	if (asprintf(&princ_s, "%s", service) == -1) {
624	goto out;
625	}
626	} else {
627	if (asprintf(&princ_s, "%s@%s", service, lp_realm()) == -1) {
628	goto out;
629	}
630	}
631
632	if (smb_krb5_parse_name(context, princ_s, &princ) != 0) {
633	goto out;
634
635	}
636	if (smb_krb5_unparse_name(context, princ, &unparsed_name) != 0) {
637	goto out;
638	}
639
640	if (asprintf(&key, "%s/%s/enctype=%d",
641	SECRETS_SALTING_PRINCIPAL, unparsed_name, enctype)
642	== -1) {
643	goto out;
644	}
645
646	if ((principal != NULL) && (strlen(principal) > 0)) {
647	ret = secrets_store(key, principal, strlen(principal) + 1);
648	} else {
649	ret = secrets_delete(key);
650	}
651
652	out:
653
654	SAFE_FREE(key);
655	SAFE_FREE(princ_s);
656	SAFE_FREE(unparsed_name);
657
658	if (princ) {
659	krb5_free_principal(context, princ);
660	}
661
662	if (context) {
663	krb5_free_context(context);
664	}
665
666	return ret;
667	}
668
669
670	/************************************************************************
671	************************************************************************/
672
673	int kerberos_kinit_password(const char *principal,
674	const char *password,
675	int time_offset,
676	const char *cache_name)
677	{
678	return kerberos_kinit_password_ext(principal,
679	password,
680	time_offset,
681	0,
682	0,
683	cache_name,
684	False,
685	False,
686	0,
687	NULL);
688	}
689
690	/************************************************************************
691	************************************************************************/
692
693	static char print_kdc_line(char mem_ctx,
694	const char *prev_line,
695	const struct sockaddr_storage *pss)
696	{
697	char *kdc_str = NULL;
698
699	if (pss->ss_family == AF_INET) {
700	kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
701	prev_line,
702	print_canonical_sockaddr(mem_ctx, pss));
703	} else {
704	char addr[INET6_ADDRSTRLEN];
705	uint16_t port = get_sockaddr_port(pss);
706
707	if (port != 0 && port != DEFAULT_KRB5_PORT) {
708	/* Currently for IPv6 we can't specify a non-default
709	krb5 port with an address, as this requires a ':'.
710	Resolve to a name. */
711	char hostname[MAX_DNS_NAME_LENGTH];
712	int ret = sys_getnameinfo((const struct sockaddr *)pss,
713	sizeof(*pss),
714	hostname, sizeof(hostname),
715	NULL, 0,
716	NI_NAMEREQD);
717	if (ret) {
718	DEBUG(0,("print_kdc_line: can't resolve name "
719	"for kdc with non-default port %s. "
720	"Error %s\n.",
721	print_canonical_sockaddr(mem_ctx, pss),
722	gai_strerror(ret)));
723	}
724	/* Success, use host:port */
725	kdc_str = talloc_asprintf(mem_ctx,
726	"%s\tkdc = %s:%u\n",
727	prev_line,
728	hostname,
729	(unsigned int)port);
730	} else {
731	kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
732	prev_line,
733	print_sockaddr(addr,
734	sizeof(addr),
735	pss));
736	}
737	}
738	return kdc_str;
739	}
740
741	/************************************************************************
742	Create a string list of available kdc's, possibly searching by sitename.
743	Does DNS queries.
744
745	If "sitename" is given, the DC's in that site are listed first.
746
747	************************************************************************/
748
749	static char get_kdc_ip_string(char mem_ctx,
750	const char *realm,
751	const char *sitename,
752	struct sockaddr_storage *pss)
753	{
754	int i;
755	struct ip_service *ip_srv_site = NULL;
756	struct ip_service *ip_srv_nonsite = NULL;
757	int count_site = 0;
758	int count_nonsite;
759	char *kdc_str = print_kdc_line(mem_ctx, "", pss);
760
761	if (kdc_str == NULL) {
762	return NULL;
763	}
764
765	/*
766	* First get the KDC's only in this site, the rest will be
767	* appended later
768	*/
769
770	if (sitename) {
771
772	get_kdc_list(realm, sitename, &ip_srv_site, &count_site);
773
774	for (i = 0; i < count_site; i++) {
775	if (sockaddr_equal(&ip_srv_site[i].ss, pss)) {
776	continue;
777	}
778	/* Append to the string - inefficient
779	* but not done often. */
780	kdc_str = print_kdc_line(mem_ctx,
781	kdc_str,
782	&ip_srv_site[i].ss);
783	if (!kdc_str) {
784	SAFE_FREE(ip_srv_site);
785	return NULL;
786	}
787	}
788	}
789
790	/* Get all KDC's. */
791
792	get_kdc_list(realm, NULL, &ip_srv_nonsite, &count_nonsite);
793
794	for (i = 0; i < count_nonsite; i++) {
795	int j;
796
797	if (sockaddr_equal(&ip_srv_nonsite[i].ss, pss)) {
798	continue;
799	}
800
801	/* Ensure this isn't an IP already seen (YUK! this is nn....) /
802	for (j = 0; j < count_site; j++) {
803	if (sockaddr_equal(&ip_srv_nonsite[i].ss,
804	&ip_srv_site[j].ss)) {
805	break;
806	}
807	/* As the lists are sorted we can break early if nonsite > site. */
808	if (ip_service_compare(&ip_srv_nonsite[i], &ip_srv_site[j]) > 0) {
809	break;
810	}
811	}
812	if (j != i) {
813	continue;
814	}
815
816	/* Append to the string - inefficient but not done often. */
817	kdc_str = print_kdc_line(mem_ctx,
818	kdc_str,
819	&ip_srv_nonsite[i].ss);
820	if (!kdc_str) {
821	SAFE_FREE(ip_srv_site);
822	SAFE_FREE(ip_srv_nonsite);
823	return NULL;
824	}
825	}
826
827
828	SAFE_FREE(ip_srv_site);
829	SAFE_FREE(ip_srv_nonsite);
830
831	DEBUG(10,("get_kdc_ip_string: Returning %s\n",
832	kdc_str ));
833
834	return kdc_str;
835	}
836
837	/************************************************************************
838	Create a specific krb5.conf file in the private directory pointing
839	at a specific kdc for a realm. Keyed off domain name. Sets
840	KRB5_CONFIG environment variable to point to this file. Must be
841	run as root or will fail (which is a good thing :-).
842	************************************************************************/
843
844	bool create_local_private_krb5_conf_for_domain(const char *realm,
845	const char *domain,
846	const char *sitename,
847	struct sockaddr_storage *pss)
848	{
849	char *dname = talloc_asprintf(NULL, "%s/smb_krb5", lp_lockdir());
850	char *tmpname = NULL;
851	char *fname = NULL;
852	char *file_contents = NULL;
853	char *kdc_ip_string = NULL;
854	size_t flen = 0;
855	ssize_t ret;
856	int fd;
857	char *realm_upper = NULL;
858
859	if (!dname) {
860	return False;
861	}
862	if ((mkdir(dname, 0755)==-1) && (errno != EEXIST)) {
863	DEBUG(0,("create_local_private_krb5_conf_for_domain: "
864	"failed to create directory %s. Error was %s\n",
865	dname, strerror(errno) ));
866	TALLOC_FREE(dname);
867	return False;
868	}
869
870	tmpname = talloc_asprintf(dname, "%s/smb_tmp_krb5.XXXXXX", lp_lockdir());
871	if (!tmpname) {
872	TALLOC_FREE(dname);
873	return False;
874	}
875
876	fname = talloc_asprintf(dname, "%s/krb5.conf.%s", dname, domain);
877	if (!fname) {
878	TALLOC_FREE(dname);
879	return False;
880	}
881
882	DEBUG(10,("create_local_private_krb5_conf_for_domain: fname = %s, realm = %s, domain = %s\n",
883	fname, realm, domain ));
884
885	realm_upper = talloc_strdup(fname, realm);
886	strupper_m(realm_upper);
887
888	kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss);
889	if (!kdc_ip_string) {
890	TALLOC_FREE(dname);
891	return False;
892	}
893
894	file_contents = talloc_asprintf(fname,
895	"[libdefaults]\n\tdefault_realm = %s\n"
896	"\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
897	"\tdefault_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
898	"\tpreferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
899	"[realms]\n\t%s = {\n"
900	"\t%s\t}\n",
901	realm_upper, realm_upper, kdc_ip_string);
902
903	if (!file_contents) {
904	TALLOC_FREE(dname);
905	return False;
906	}
907
908	flen = strlen(file_contents);
909
910	fd = smb_mkstemp(tmpname);
911	if (fd == -1) {
912	DEBUG(0,("create_local_private_krb5_conf_for_domain: smb_mkstemp failed,"
913	" for file %s. Errno %s\n",
914	tmpname, strerror(errno) ));
915	TALLOC_FREE(dname);
916	return false;
917	}
918
919	if (fchmod(fd, 0644)==-1) {
920	DEBUG(0,("create_local_private_krb5_conf_for_domain: fchmod failed for %s."
921	" Errno %s\n",
922	tmpname, strerror(errno) ));
923	unlink(tmpname);
924	close(fd);
925	TALLOC_FREE(dname);
926	return False;
927	}
928
929	ret = write(fd, file_contents, flen);
930	if (flen != ret) {
931	DEBUG(0,("create_local_private_krb5_conf_for_domain: write failed,"
932	" returned %d (should be %u). Errno %s\n",
933	(int)ret, (unsigned int)flen, strerror(errno) ));
934	unlink(tmpname);
935	close(fd);
936	TALLOC_FREE(dname);
937	return False;
938	}
939	if (close(fd)==-1) {
940	DEBUG(0,("create_local_private_krb5_conf_for_domain: close failed."
941	" Errno %s\n", strerror(errno) ));
942	unlink(tmpname);
943	TALLOC_FREE(dname);
944	return False;
945	}
946
947	if (rename(tmpname, fname) == -1) {
948	DEBUG(0,("create_local_private_krb5_conf_for_domain: rename "
949	"of %s to %s failed. Errno %s\n",
950	tmpname, fname, strerror(errno) ));
951	unlink(tmpname);
952	TALLOC_FREE(dname);
953	return False;
954	}
955
956	DEBUG(5,("create_local_private_krb5_conf_for_domain: wrote "
957	"file %s with realm %s KDC list = %s\n",
958	fname, realm_upper, kdc_ip_string));
959
960	/* Set the environment variable to this file. */
961	setenv("KRB5_CONFIG", fname, 1);
962
963	#if defined(OVERWRITE_SYSTEM_KRB5_CONF)
964
965	#define SYSTEM_KRB5_CONF_PATH "/etc/krb5.conf"
966	/* Insanity, sheer insanity..... */
967
968	if (strequal(realm, lp_realm())) {
969	char linkpath[PATH_MAX+1];
970	int lret;
971
972	lret = readlink(SYSTEM_KRB5_CONF_PATH, linkpath, sizeof(linkpath)-1);
973	if (lret != -1) {
974	linkpath[lret] = '\0';
975	}
976
977	if (lret != -1 \|\| strcmp(linkpath, fname) == 0) {
978	/* Symlink already exists. */
979	TALLOC_FREE(dname);
980	return True;
981	}
982
983	/* Try and replace with a symlink. */
984	if (symlink(fname, SYSTEM_KRB5_CONF_PATH) == -1) {
985	const char *newpath = SYSTEM_KRB5_CONF_PATH ## ".saved";
986	if (errno != EEXIST) {
987	DEBUG(0,("create_local_private_krb5_conf_for_domain: symlink "
988	"of %s to %s failed. Errno %s\n",
989	fname, SYSTEM_KRB5_CONF_PATH, strerror(errno) ));
990	TALLOC_FREE(dname);
991	return True; /* Not a fatal error. */
992	}
993
994	/* Yes, this is a race conditon... too bad. */
995	if (rename(SYSTEM_KRB5_CONF_PATH, newpath) == -1) {
996	DEBUG(0,("create_local_private_krb5_conf_for_domain: rename "
997	"of %s to %s failed. Errno %s\n",
998	SYSTEM_KRB5_CONF_PATH, newpath,
999	strerror(errno) ));
1000	TALLOC_FREE(dname);
1001	return True; /* Not a fatal error. */
1002	}
1003
1004	if (symlink(fname, SYSTEM_KRB5_CONF_PATH) == -1) {
1005	DEBUG(0,("create_local_private_krb5_conf_for_domain: "
1006	"forced symlink of %s to /etc/krb5.conf failed. Errno %s\n",
1007	fname, strerror(errno) ));
1008	TALLOC_FREE(dname);
1009	return True; /* Not a fatal error. */
1010	}
1011	}
1012	}
1013	#endif
1014
1015	TALLOC_FREE(dname);
1016
1017	return True;
1018	}
1019	#endif

Note: See TracBrowser for help on using the repository browser.

Download in other formats: