| 1 | /*
|
|---|
| 2 | Unix SMB/CIFS implementation.
|
|---|
| 3 | krb5 set password implementation
|
|---|
| 4 | Copyright (C) Andrew Tridgell 2001
|
|---|
| 5 | Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
|
|---|
| 6 |
|
|---|
| 7 | This program is free software; you can redistribute it and/or modify
|
|---|
| 8 | it under the terms of the GNU General Public License as published by
|
|---|
| 9 | the Free Software Foundation; either version 2 of the License, or
|
|---|
| 10 | (at your option) any later version.
|
|---|
| 11 |
|
|---|
| 12 | This program is distributed in the hope that it will be useful,
|
|---|
| 13 | but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|---|
| 14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|---|
| 15 | GNU General Public License for more details.
|
|---|
| 16 |
|
|---|
| 17 | You should have received a copy of the GNU General Public License
|
|---|
| 18 | along with this program; if not, write to the Free Software
|
|---|
| 19 | Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
|---|
| 20 | */
|
|---|
| 21 |
|
|---|
| 22 | #include "includes.h"
|
|---|
| 23 |
|
|---|
| 24 | #ifdef HAVE_KRB5
|
|---|
| 25 |
|
|---|
| 26 | #define DEFAULT_KPASSWD_PORT 464
|
|---|
| 27 |
|
|---|
| 28 | #define KRB5_KPASSWD_VERS_CHANGEPW 1
|
|---|
| 29 |
|
|---|
| 30 | #define KRB5_KPASSWD_VERS_SETPW 0xff80
|
|---|
| 31 | #define KRB5_KPASSWD_VERS_SETPW_ALT 2
|
|---|
| 32 |
|
|---|
| 33 | #define KRB5_KPASSWD_SUCCESS 0
|
|---|
| 34 | #define KRB5_KPASSWD_MALFORMED 1
|
|---|
| 35 | #define KRB5_KPASSWD_HARDERROR 2
|
|---|
| 36 | #define KRB5_KPASSWD_AUTHERROR 3
|
|---|
| 37 | #define KRB5_KPASSWD_SOFTERROR 4
|
|---|
| 38 | #define KRB5_KPASSWD_ACCESSDENIED 5
|
|---|
| 39 | #define KRB5_KPASSWD_BAD_VERSION 6
|
|---|
| 40 | #define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7
|
|---|
| 41 |
|
|---|
| 42 | /* Those are defined by kerberos-set-passwd-02.txt and are probably
|
|---|
| 43 | * not supported by M$ implementation */
|
|---|
| 44 | #define KRB5_KPASSWD_POLICY_REJECT 8
|
|---|
| 45 | #define KRB5_KPASSWD_BAD_PRINCIPAL 9
|
|---|
| 46 | #define KRB5_KPASSWD_ETYPE_NOSUPP 10
|
|---|
| 47 |
|
|---|
| 48 | /*
|
|---|
| 49 | * we've got to be able to distinguish KRB_ERRORs from other
|
|---|
| 50 | * requests - valid response for CHPW v2 replies.
|
|---|
| 51 | */
|
|---|
| 52 |
|
|---|
| 53 | #define krb5_is_krb_error(packet) \
|
|---|
| 54 | ( packet && packet->length && (((char *)packet->data)[0] == 0x7e || ((char *)packet->data)[0] == 0x5e))
|
|---|
| 55 |
|
|---|
| 56 | /* This implements kerberos password change protocol as specified in
|
|---|
| 57 | * kerb-chg-password-02.txt and kerberos-set-passwd-02.txt
|
|---|
| 58 | * as well as microsoft version of the protocol
|
|---|
| 59 | * as specified in kerberos-set-passwd-00.txt
|
|---|
| 60 | */
|
|---|
| 61 | static DATA_BLOB encode_krb5_setpw(const char *principal, const char *password)
|
|---|
| 62 | {
|
|---|
| 63 | char* princ_part1 = NULL;
|
|---|
| 64 | char* princ_part2 = NULL;
|
|---|
| 65 | char* realm = NULL;
|
|---|
| 66 | char* c;
|
|---|
| 67 | char* princ;
|
|---|
| 68 |
|
|---|
| 69 | ASN1_DATA req;
|
|---|
| 70 | DATA_BLOB ret;
|
|---|
| 71 |
|
|---|
| 72 |
|
|---|
| 73 | princ = SMB_STRDUP(principal);
|
|---|
| 74 |
|
|---|
| 75 | if ((c = strchr_m(princ, '/')) == NULL) {
|
|---|
| 76 | c = princ;
|
|---|
| 77 | } else {
|
|---|
| 78 | *c = '\0';
|
|---|
| 79 | c++;
|
|---|
| 80 | princ_part1 = princ;
|
|---|
| 81 | }
|
|---|
| 82 |
|
|---|
| 83 | princ_part2 = c;
|
|---|
| 84 |
|
|---|
| 85 | if ((c = strchr_m(c, '@')) != NULL) {
|
|---|
| 86 | *c = '\0';
|
|---|
| 87 | c++;
|
|---|
| 88 | realm = c;
|
|---|
| 89 | } else {
|
|---|
| 90 | /* We must have a realm component. */
|
|---|
| 91 | return data_blob(NULL, 0);
|
|---|
| 92 | }
|
|---|
| 93 |
|
|---|
| 94 | memset(&req, 0, sizeof(req));
|
|---|
| 95 |
|
|---|
| 96 | asn1_push_tag(&req, ASN1_SEQUENCE(0));
|
|---|
| 97 | asn1_push_tag(&req, ASN1_CONTEXT(0));
|
|---|
| 98 | asn1_write_OctetString(&req, password, strlen(password));
|
|---|
| 99 | asn1_pop_tag(&req);
|
|---|
| 100 |
|
|---|
| 101 | asn1_push_tag(&req, ASN1_CONTEXT(1));
|
|---|
| 102 | asn1_push_tag(&req, ASN1_SEQUENCE(0));
|
|---|
| 103 |
|
|---|
| 104 | asn1_push_tag(&req, ASN1_CONTEXT(0));
|
|---|
| 105 | asn1_write_Integer(&req, 1);
|
|---|
| 106 | asn1_pop_tag(&req);
|
|---|
| 107 |
|
|---|
| 108 | asn1_push_tag(&req, ASN1_CONTEXT(1));
|
|---|
| 109 | asn1_push_tag(&req, ASN1_SEQUENCE(0));
|
|---|
| 110 |
|
|---|
| 111 | if (princ_part1) {
|
|---|
| 112 | asn1_write_GeneralString(&req, princ_part1);
|
|---|
| 113 | }
|
|---|
| 114 |
|
|---|
| 115 | asn1_write_GeneralString(&req, princ_part2);
|
|---|
| 116 | asn1_pop_tag(&req);
|
|---|
| 117 | asn1_pop_tag(&req);
|
|---|
| 118 | asn1_pop_tag(&req);
|
|---|
| 119 | asn1_pop_tag(&req);
|
|---|
| 120 |
|
|---|
| 121 | asn1_push_tag(&req, ASN1_CONTEXT(2));
|
|---|
| 122 | asn1_write_GeneralString(&req, realm);
|
|---|
| 123 | asn1_pop_tag(&req);
|
|---|
| 124 | asn1_pop_tag(&req);
|
|---|
| 125 |
|
|---|
| 126 | ret = data_blob(req.data, req.length);
|
|---|
| 127 | asn1_free(&req);
|
|---|
| 128 |
|
|---|
| 129 | free(princ);
|
|---|
| 130 |
|
|---|
| 131 | return ret;
|
|---|
| 132 | }
|
|---|
| 133 |
|
|---|
| 134 | static krb5_error_code build_kpasswd_request(uint16 pversion,
|
|---|
| 135 | krb5_context context,
|
|---|
| 136 | krb5_auth_context auth_context,
|
|---|
| 137 | krb5_data *ap_req,
|
|---|
| 138 | const char *princ,
|
|---|
| 139 | const char *passwd,
|
|---|
| 140 | BOOL use_tcp,
|
|---|
| 141 | krb5_data *packet)
|
|---|
| 142 | {
|
|---|
| 143 | krb5_error_code ret;
|
|---|
| 144 | krb5_data cipherpw;
|
|---|
| 145 | krb5_data encoded_setpw;
|
|---|
| 146 | krb5_replay_data replay;
|
|---|
| 147 | char *p, *msg_start;
|
|---|
| 148 | DATA_BLOB setpw;
|
|---|
| 149 | unsigned int msg_length;
|
|---|
| 150 |
|
|---|
| 151 | ret = krb5_auth_con_setflags(context,
|
|---|
| 152 | auth_context,KRB5_AUTH_CONTEXT_DO_SEQUENCE);
|
|---|
| 153 | if (ret) {
|
|---|
| 154 | DEBUG(1,("krb5_auth_con_setflags failed (%s)\n",
|
|---|
| 155 | error_message(ret)));
|
|---|
| 156 | return ret;
|
|---|
| 157 | }
|
|---|
| 158 |
|
|---|
| 159 | /* handle protocol differences in chpw and setpw */
|
|---|
| 160 | if (pversion == KRB5_KPASSWD_VERS_CHANGEPW)
|
|---|
| 161 | setpw = data_blob(passwd, strlen(passwd));
|
|---|
| 162 | else if (pversion == KRB5_KPASSWD_VERS_SETPW ||
|
|---|
| 163 | pversion == KRB5_KPASSWD_VERS_SETPW_ALT)
|
|---|
| 164 | setpw = encode_krb5_setpw(princ, passwd);
|
|---|
| 165 | else
|
|---|
| 166 | return EINVAL;
|
|---|
| 167 |
|
|---|
| 168 | if (setpw.data == NULL || setpw.length == 0) {
|
|---|
| 169 | return EINVAL;
|
|---|
| 170 | }
|
|---|
| 171 |
|
|---|
| 172 | encoded_setpw.data = (char *)setpw.data;
|
|---|
| 173 | encoded_setpw.length = setpw.length;
|
|---|
| 174 |
|
|---|
| 175 | ret = krb5_mk_priv(context, auth_context,
|
|---|
| 176 | &encoded_setpw, &cipherpw, &replay);
|
|---|
| 177 |
|
|---|
| 178 | data_blob_free(&setpw); /*from 'encode_krb5_setpw(...)' */
|
|---|
| 179 |
|
|---|
| 180 | if (ret) {
|
|---|
| 181 | DEBUG(1,("krb5_mk_priv failed (%s)\n", error_message(ret)));
|
|---|
| 182 | return ret;
|
|---|
| 183 | }
|
|---|
| 184 |
|
|---|
| 185 | packet->data = (char *)SMB_MALLOC(ap_req->length + cipherpw.length + (use_tcp ? 10 : 6 ));
|
|---|
| 186 | if (!packet->data)
|
|---|
| 187 | return -1;
|
|---|
| 188 |
|
|---|
| 189 |
|
|---|
| 190 |
|
|---|
| 191 | /* see the RFC for details */
|
|---|
| 192 |
|
|---|
| 193 | msg_start = p = ((char *)packet->data) + (use_tcp ? 4 : 0);
|
|---|
| 194 | p += 2;
|
|---|
| 195 | RSSVAL(p, 0, pversion);
|
|---|
| 196 | p += 2;
|
|---|
| 197 | RSSVAL(p, 0, ap_req->length);
|
|---|
| 198 | p += 2;
|
|---|
| 199 | memcpy(p, ap_req->data, ap_req->length);
|
|---|
| 200 | p += ap_req->length;
|
|---|
| 201 | memcpy(p, cipherpw.data, cipherpw.length);
|
|---|
| 202 | p += cipherpw.length;
|
|---|
| 203 | packet->length = PTR_DIFF(p,packet->data);
|
|---|
| 204 | msg_length = PTR_DIFF(p,msg_start);
|
|---|
| 205 |
|
|---|
| 206 | if (use_tcp) {
|
|---|
| 207 | RSIVAL(packet->data, 0, msg_length);
|
|---|
| 208 | }
|
|---|
| 209 | RSSVAL(msg_start, 0, msg_length);
|
|---|
| 210 |
|
|---|
| 211 | free(cipherpw.data); /* from 'krb5_mk_priv(...)' */
|
|---|
| 212 |
|
|---|
| 213 | return 0;
|
|---|
| 214 | }
|
|---|
| 215 |
|
|---|
| 216 | static const struct kpasswd_errors {
|
|---|
| 217 | int result_code;
|
|---|
| 218 | const char *error_string;
|
|---|
| 219 | } kpasswd_errors[] = {
|
|---|
| 220 | {KRB5_KPASSWD_MALFORMED, "Malformed request error"},
|
|---|
| 221 | {KRB5_KPASSWD_HARDERROR, "Server error"},
|
|---|
| 222 | {KRB5_KPASSWD_AUTHERROR, "Authentication error"},
|
|---|
| 223 | {KRB5_KPASSWD_SOFTERROR, "Password change rejected"},
|
|---|
| 224 | {KRB5_KPASSWD_ACCESSDENIED, "Client does not have proper authorization"},
|
|---|
| 225 | {KRB5_KPASSWD_BAD_VERSION, "Protocol version not supported"},
|
|---|
| 226 | {KRB5_KPASSWD_INITIAL_FLAG_NEEDED, "Authorization ticket must have initial flag set"},
|
|---|
| 227 | {KRB5_KPASSWD_POLICY_REJECT, "Password rejected due to policy requirements"},
|
|---|
| 228 | {KRB5_KPASSWD_BAD_PRINCIPAL, "Target principal does not exist"},
|
|---|
| 229 | {KRB5_KPASSWD_ETYPE_NOSUPP, "Unsupported encryption type"},
|
|---|
| 230 | {0, NULL}
|
|---|
| 231 | };
|
|---|
| 232 |
|
|---|
| 233 | static krb5_error_code setpw_result_code_string(krb5_context context,
|
|---|
| 234 | int result_code,
|
|---|
| 235 | const char **code_string)
|
|---|
| 236 | {
|
|---|
| 237 | unsigned int idx = 0;
|
|---|
| 238 |
|
|---|
| 239 | while (kpasswd_errors[idx].error_string != NULL) {
|
|---|
| 240 | if (kpasswd_errors[idx].result_code ==
|
|---|
| 241 | result_code) {
|
|---|
| 242 | *code_string = kpasswd_errors[idx].error_string;
|
|---|
| 243 | return 0;
|
|---|
| 244 | }
|
|---|
| 245 | idx++;
|
|---|
| 246 | }
|
|---|
| 247 | *code_string = "Password change failed";
|
|---|
| 248 | return (0);
|
|---|
| 249 | }
|
|---|
| 250 |
|
|---|
| 251 | krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code)
|
|---|
| 252 | {
|
|---|
| 253 | switch(res_code) {
|
|---|
| 254 | case KRB5_KPASSWD_ACCESSDENIED:
|
|---|
| 255 | return KRB5KDC_ERR_BADOPTION;
|
|---|
| 256 | case KRB5_KPASSWD_INITIAL_FLAG_NEEDED:
|
|---|
| 257 | return KRB5KDC_ERR_BADOPTION;
|
|---|
| 258 | /* return KV5M_ALT_METHOD; MIT-only define */
|
|---|
| 259 | case KRB5_KPASSWD_ETYPE_NOSUPP:
|
|---|
| 260 | return KRB5KDC_ERR_ETYPE_NOSUPP;
|
|---|
| 261 | case KRB5_KPASSWD_BAD_PRINCIPAL:
|
|---|
| 262 | return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
|
|---|
| 263 | case KRB5_KPASSWD_POLICY_REJECT:
|
|---|
| 264 | case KRB5_KPASSWD_SOFTERROR:
|
|---|
| 265 | return KRB5KDC_ERR_POLICY;
|
|---|
| 266 | default:
|
|---|
| 267 | return KRB5KRB_ERR_GENERIC;
|
|---|
| 268 | }
|
|---|
| 269 | }
|
|---|
| 270 | static krb5_error_code parse_setpw_reply(krb5_context context,
|
|---|
| 271 | BOOL use_tcp,
|
|---|
| 272 | krb5_auth_context auth_context,
|
|---|
| 273 | krb5_data *packet)
|
|---|
| 274 | {
|
|---|
| 275 | krb5_data ap_rep;
|
|---|
| 276 | char *p;
|
|---|
| 277 | int vnum, ret, res_code;
|
|---|
| 278 | krb5_data cipherresult;
|
|---|
| 279 | krb5_data clearresult;
|
|---|
| 280 | krb5_ap_rep_enc_part *ap_rep_enc;
|
|---|
| 281 | krb5_replay_data replay;
|
|---|
| 282 | unsigned int msg_length = packet->length;
|
|---|
| 283 |
|
|---|
| 284 |
|
|---|
| 285 | if (packet->length < (use_tcp ? 8 : 4)) {
|
|---|
| 286 | return KRB5KRB_AP_ERR_MODIFIED;
|
|---|
| 287 | }
|
|---|
| 288 |
|
|---|
| 289 | p = packet->data;
|
|---|
| 290 | /*
|
|---|
| 291 | ** see if it is an error
|
|---|
| 292 | */
|
|---|
| 293 | if (krb5_is_krb_error(packet)) {
|
|---|
| 294 |
|
|---|
| 295 | ret = handle_krberror_packet(context, packet);
|
|---|
| 296 | if (ret) {
|
|---|
| 297 | return ret;
|
|---|
| 298 | }
|
|---|
| 299 | }
|
|---|
| 300 |
|
|---|
| 301 |
|
|---|
| 302 | /* tcp... */
|
|---|
| 303 | if (use_tcp) {
|
|---|
| 304 | msg_length -= 4;
|
|---|
| 305 | if (RIVAL(p, 0) != msg_length) {
|
|---|
| 306 | DEBUG(1,("Bad TCP packet length (%d/%d) from kpasswd server\n",
|
|---|
| 307 | RIVAL(p, 0), msg_length));
|
|---|
| 308 | return KRB5KRB_AP_ERR_MODIFIED;
|
|---|
| 309 | }
|
|---|
| 310 |
|
|---|
| 311 | p += 4;
|
|---|
| 312 | }
|
|---|
| 313 |
|
|---|
| 314 | if (RSVAL(p, 0) != msg_length) {
|
|---|
| 315 | DEBUG(1,("Bad packet length (%d/%d) from kpasswd server\n",
|
|---|
| 316 | RSVAL(p, 0), msg_length));
|
|---|
| 317 | return KRB5KRB_AP_ERR_MODIFIED;
|
|---|
| 318 | }
|
|---|
| 319 |
|
|---|
| 320 | p += 2;
|
|---|
| 321 |
|
|---|
| 322 | vnum = RSVAL(p, 0); p += 2;
|
|---|
| 323 |
|
|---|
| 324 | /* FIXME: According to standard there is only one type of reply */
|
|---|
| 325 | if (vnum != KRB5_KPASSWD_VERS_SETPW &&
|
|---|
| 326 | vnum != KRB5_KPASSWD_VERS_SETPW_ALT &&
|
|---|
| 327 | vnum != KRB5_KPASSWD_VERS_CHANGEPW) {
|
|---|
| 328 | DEBUG(1,("Bad vnum (%d) from kpasswd server\n", vnum));
|
|---|
| 329 | return KRB5KDC_ERR_BAD_PVNO;
|
|---|
| 330 | }
|
|---|
| 331 |
|
|---|
| 332 | ap_rep.length = RSVAL(p, 0); p += 2;
|
|---|
| 333 |
|
|---|
| 334 | if (p + ap_rep.length >= (char *)packet->data + packet->length) {
|
|---|
| 335 | DEBUG(1,("ptr beyond end of packet from kpasswd server\n"));
|
|---|
| 336 | return KRB5KRB_AP_ERR_MODIFIED;
|
|---|
| 337 | }
|
|---|
| 338 |
|
|---|
| 339 | if (ap_rep.length == 0) {
|
|---|
| 340 | DEBUG(1,("got unencrypted setpw result?!\n"));
|
|---|
| 341 | return KRB5KRB_AP_ERR_MODIFIED;
|
|---|
| 342 | }
|
|---|
| 343 |
|
|---|
| 344 | /* verify ap_rep */
|
|---|
| 345 | ap_rep.data = p;
|
|---|
| 346 | p += ap_rep.length;
|
|---|
| 347 |
|
|---|
| 348 | ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
|
|---|
| 349 | if (ret) {
|
|---|
| 350 | DEBUG(1,("failed to rd setpw reply (%s)\n", error_message(ret)));
|
|---|
| 351 | return KRB5KRB_AP_ERR_MODIFIED;
|
|---|
| 352 | }
|
|---|
| 353 |
|
|---|
| 354 | krb5_free_ap_rep_enc_part(context, ap_rep_enc);
|
|---|
| 355 |
|
|---|
| 356 | cipherresult.data = p;
|
|---|
| 357 | cipherresult.length = ((char *)packet->data + packet->length) - p;
|
|---|
| 358 |
|
|---|
| 359 | ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
|
|---|
| 360 | &replay);
|
|---|
| 361 | if (ret) {
|
|---|
| 362 | DEBUG(1,("failed to decrypt setpw reply (%s)\n", error_message(ret)));
|
|---|
| 363 | return KRB5KRB_AP_ERR_MODIFIED;
|
|---|
| 364 | }
|
|---|
| 365 |
|
|---|
| 366 | if (clearresult.length < 2) {
|
|---|
| 367 | free(clearresult.data);
|
|---|
| 368 | ret = KRB5KRB_AP_ERR_MODIFIED;
|
|---|
| 369 | return KRB5KRB_AP_ERR_MODIFIED;
|
|---|
| 370 | }
|
|---|
| 371 |
|
|---|
| 372 | p = clearresult.data;
|
|---|
| 373 |
|
|---|
| 374 | res_code = RSVAL(p, 0);
|
|---|
| 375 |
|
|---|
| 376 | free(clearresult.data);
|
|---|
| 377 |
|
|---|
| 378 | if ((res_code < KRB5_KPASSWD_SUCCESS) ||
|
|---|
| 379 | (res_code > KRB5_KPASSWD_ETYPE_NOSUPP)) {
|
|---|
| 380 | return KRB5KRB_AP_ERR_MODIFIED;
|
|---|
| 381 | }
|
|---|
| 382 |
|
|---|
| 383 | if (res_code == KRB5_KPASSWD_SUCCESS) {
|
|---|
| 384 | return 0;
|
|---|
| 385 | } else {
|
|---|
| 386 | const char *errstr;
|
|---|
| 387 | setpw_result_code_string(context, res_code, &errstr);
|
|---|
| 388 | DEBUG(1, ("Error changing password: %s (%d)\n", errstr, res_code));
|
|---|
| 389 |
|
|---|
| 390 | return kpasswd_err_to_krb5_err(res_code);
|
|---|
| 391 | }
|
|---|
| 392 | }
|
|---|
| 393 |
|
|---|
| 394 | static ADS_STATUS do_krb5_kpasswd_request(krb5_context context,
|
|---|
| 395 | const char *kdc_host,
|
|---|
| 396 | uint16 pversion,
|
|---|
| 397 | krb5_creds *credsp,
|
|---|
| 398 | const char *princ,
|
|---|
| 399 | const char *newpw)
|
|---|
| 400 | {
|
|---|
| 401 | krb5_auth_context auth_context = NULL;
|
|---|
| 402 | krb5_data ap_req, chpw_req, chpw_rep;
|
|---|
| 403 | int ret, sock;
|
|---|
| 404 | socklen_t addr_len;
|
|---|
| 405 | struct sockaddr remote_addr, local_addr;
|
|---|
| 406 | struct in_addr *addr = interpret_addr2(kdc_host);
|
|---|
| 407 | krb5_address local_kaddr, remote_kaddr;
|
|---|
| 408 | BOOL use_tcp = False;
|
|---|
| 409 |
|
|---|
| 410 |
|
|---|
| 411 | ret = krb5_mk_req_extended(context, &auth_context, AP_OPTS_USE_SUBKEY,
|
|---|
| 412 | NULL, credsp, &ap_req);
|
|---|
| 413 | if (ret) {
|
|---|
| 414 | DEBUG(1,("krb5_mk_req_extended failed (%s)\n", error_message(ret)));
|
|---|
| 415 | return ADS_ERROR_KRB5(ret);
|
|---|
| 416 | }
|
|---|
| 417 |
|
|---|
| 418 | do {
|
|---|
| 419 |
|
|---|
| 420 | if (!use_tcp) {
|
|---|
| 421 |
|
|---|
| 422 | sock = open_udp_socket(kdc_host, DEFAULT_KPASSWD_PORT);
|
|---|
| 423 |
|
|---|
| 424 | } else {
|
|---|
| 425 |
|
|---|
| 426 | sock = open_socket_out(SOCK_STREAM, addr, DEFAULT_KPASSWD_PORT,
|
|---|
| 427 | LONG_CONNECT_TIMEOUT);
|
|---|
| 428 | }
|
|---|
| 429 |
|
|---|
| 430 | if (sock == -1) {
|
|---|
| 431 | int rc = errno;
|
|---|
| 432 | SAFE_FREE(ap_req.data);
|
|---|
| 433 | krb5_auth_con_free(context, auth_context);
|
|---|
| 434 | DEBUG(1,("failed to open kpasswd socket to %s (%s)\n",
|
|---|
| 435 | kdc_host, strerror(errno)));
|
|---|
| 436 | return ADS_ERROR_SYSTEM(rc);
|
|---|
| 437 | }
|
|---|
| 438 |
|
|---|
| 439 | addr_len = sizeof(remote_addr);
|
|---|
| 440 | getpeername(sock, &remote_addr, &addr_len);
|
|---|
| 441 | addr_len = sizeof(local_addr);
|
|---|
| 442 | getsockname(sock, &local_addr, &addr_len);
|
|---|
| 443 |
|
|---|
| 444 | setup_kaddr(&remote_kaddr, &remote_addr);
|
|---|
| 445 | setup_kaddr(&local_kaddr, &local_addr);
|
|---|
| 446 |
|
|---|
| 447 | ret = krb5_auth_con_setaddrs(context, auth_context, &local_kaddr, NULL);
|
|---|
| 448 | if (ret) {
|
|---|
| 449 | close(sock);
|
|---|
| 450 | SAFE_FREE(ap_req.data);
|
|---|
| 451 | krb5_auth_con_free(context, auth_context);
|
|---|
| 452 | DEBUG(1,("krb5_auth_con_setaddrs failed (%s)\n", error_message(ret)));
|
|---|
| 453 | return ADS_ERROR_KRB5(ret);
|
|---|
| 454 | }
|
|---|
| 455 |
|
|---|
| 456 | ret = build_kpasswd_request(pversion, context, auth_context, &ap_req,
|
|---|
| 457 | princ, newpw, use_tcp, &chpw_req);
|
|---|
| 458 | if (ret) {
|
|---|
| 459 | close(sock);
|
|---|
| 460 | SAFE_FREE(ap_req.data);
|
|---|
| 461 | krb5_auth_con_free(context, auth_context);
|
|---|
| 462 | DEBUG(1,("build_setpw_request failed (%s)\n", error_message(ret)));
|
|---|
| 463 | return ADS_ERROR_KRB5(ret);
|
|---|
| 464 | }
|
|---|
| 465 |
|
|---|
| 466 | ret = write(sock, chpw_req.data, chpw_req.length);
|
|---|
| 467 |
|
|---|
| 468 | if (ret != chpw_req.length) {
|
|---|
| 469 | close(sock);
|
|---|
| 470 | SAFE_FREE(chpw_req.data);
|
|---|
| 471 | SAFE_FREE(ap_req.data);
|
|---|
| 472 | krb5_auth_con_free(context, auth_context);
|
|---|
| 473 | DEBUG(1,("send of chpw failed (%s)\n", strerror(errno)));
|
|---|
| 474 | return ADS_ERROR_SYSTEM(errno);
|
|---|
| 475 | }
|
|---|
| 476 |
|
|---|
| 477 | SAFE_FREE(chpw_req.data);
|
|---|
| 478 |
|
|---|
| 479 | chpw_rep.length = 1500;
|
|---|
| 480 | chpw_rep.data = (char *) SMB_MALLOC(chpw_rep.length);
|
|---|
| 481 | if (!chpw_rep.data) {
|
|---|
| 482 | close(sock);
|
|---|
| 483 | SAFE_FREE(ap_req.data);
|
|---|
| 484 | krb5_auth_con_free(context, auth_context);
|
|---|
| 485 | DEBUG(1,("send of chpw failed (%s)\n", strerror(errno)));
|
|---|
| 486 | errno = ENOMEM;
|
|---|
| 487 | return ADS_ERROR_SYSTEM(errno);
|
|---|
| 488 | }
|
|---|
| 489 |
|
|---|
| 490 | ret = read(sock, chpw_rep.data, chpw_rep.length);
|
|---|
| 491 | if (ret < 0) {
|
|---|
| 492 | close(sock);
|
|---|
| 493 | SAFE_FREE(chpw_rep.data);
|
|---|
| 494 | SAFE_FREE(ap_req.data);
|
|---|
| 495 | krb5_auth_con_free(context, auth_context);
|
|---|
| 496 | DEBUG(1,("recv of chpw reply failed (%s)\n", strerror(errno)));
|
|---|
| 497 | return ADS_ERROR_SYSTEM(errno);
|
|---|
| 498 | }
|
|---|
| 499 |
|
|---|
| 500 | close(sock);
|
|---|
| 501 | chpw_rep.length = ret;
|
|---|
| 502 |
|
|---|
| 503 | ret = krb5_auth_con_setaddrs(context, auth_context, NULL,&remote_kaddr);
|
|---|
| 504 | if (ret) {
|
|---|
| 505 | SAFE_FREE(chpw_rep.data);
|
|---|
| 506 | SAFE_FREE(ap_req.data);
|
|---|
| 507 | krb5_auth_con_free(context, auth_context);
|
|---|
| 508 | DEBUG(1,("krb5_auth_con_setaddrs on reply failed (%s)\n",
|
|---|
| 509 | error_message(ret)));
|
|---|
| 510 | return ADS_ERROR_KRB5(ret);
|
|---|
| 511 | }
|
|---|
| 512 |
|
|---|
| 513 | ret = parse_setpw_reply(context, use_tcp, auth_context, &chpw_rep);
|
|---|
| 514 | SAFE_FREE(chpw_rep.data);
|
|---|
| 515 |
|
|---|
| 516 | if (ret) {
|
|---|
| 517 |
|
|---|
| 518 | if (ret == KRB5KRB_ERR_RESPONSE_TOO_BIG && !use_tcp) {
|
|---|
| 519 | DEBUG(5, ("Trying setpw with TCP!!!\n"));
|
|---|
| 520 | use_tcp = True;
|
|---|
| 521 | continue;
|
|---|
| 522 | }
|
|---|
| 523 |
|
|---|
| 524 | SAFE_FREE(ap_req.data);
|
|---|
| 525 | krb5_auth_con_free(context, auth_context);
|
|---|
| 526 | DEBUG(1,("parse_setpw_reply failed (%s)\n",
|
|---|
| 527 | error_message(ret)));
|
|---|
| 528 | return ADS_ERROR_KRB5(ret);
|
|---|
| 529 | }
|
|---|
| 530 |
|
|---|
| 531 | SAFE_FREE(ap_req.data);
|
|---|
| 532 | krb5_auth_con_free(context, auth_context);
|
|---|
| 533 | } while ( ret );
|
|---|
| 534 |
|
|---|
| 535 | return ADS_SUCCESS;
|
|---|
| 536 | }
|
|---|
| 537 |
|
|---|
| 538 | ADS_STATUS ads_krb5_set_password(const char *kdc_host, const char *princ,
|
|---|
| 539 | const char *newpw, int time_offset)
|
|---|
| 540 | {
|
|---|
| 541 |
|
|---|
| 542 | ADS_STATUS aret;
|
|---|
| 543 | krb5_error_code ret = 0;
|
|---|
| 544 | krb5_context context = NULL;
|
|---|
| 545 | krb5_principal principal = NULL;
|
|---|
| 546 | char *princ_name = NULL;
|
|---|
| 547 | char *realm = NULL;
|
|---|
| 548 | krb5_creds creds, *credsp = NULL;
|
|---|
| 549 | #if KRB5_PRINC_REALM_RETURNS_REALM
|
|---|
| 550 | krb5_realm orig_realm;
|
|---|
| 551 | #else
|
|---|
| 552 | krb5_data orig_realm;
|
|---|
| 553 | #endif
|
|---|
| 554 | krb5_ccache ccache = NULL;
|
|---|
| 555 |
|
|---|
| 556 | ZERO_STRUCT(creds);
|
|---|
| 557 |
|
|---|
| 558 | initialize_krb5_error_table();
|
|---|
| 559 | ret = krb5_init_context(&context);
|
|---|
| 560 | if (ret) {
|
|---|
| 561 | DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
|
|---|
| 562 | return ADS_ERROR_KRB5(ret);
|
|---|
| 563 | }
|
|---|
| 564 |
|
|---|
| 565 | if (time_offset != 0) {
|
|---|
| 566 | krb5_set_real_time(context, time(NULL) + time_offset, 0);
|
|---|
| 567 | }
|
|---|
| 568 |
|
|---|
| 569 | ret = krb5_cc_default(context, &ccache);
|
|---|
| 570 | if (ret) {
|
|---|
| 571 | krb5_free_context(context);
|
|---|
| 572 | DEBUG(1,("Failed to get default creds (%s)\n", error_message(ret)));
|
|---|
| 573 | return ADS_ERROR_KRB5(ret);
|
|---|
| 574 | }
|
|---|
| 575 |
|
|---|
| 576 | realm = strchr_m(princ, '@');
|
|---|
| 577 | if (!realm) {
|
|---|
| 578 | krb5_cc_close(context, ccache);
|
|---|
| 579 | krb5_free_context(context);
|
|---|
| 580 | DEBUG(1,("Failed to get realm\n"));
|
|---|
| 581 | return ADS_ERROR_KRB5(-1);
|
|---|
| 582 | }
|
|---|
| 583 | realm++;
|
|---|
| 584 |
|
|---|
| 585 | asprintf(&princ_name, "kadmin/changepw@%s", realm);
|
|---|
| 586 | ret = smb_krb5_parse_name(context, princ_name, &creds.server);
|
|---|
| 587 | if (ret) {
|
|---|
| 588 | krb5_cc_close(context, ccache);
|
|---|
| 589 | krb5_free_context(context);
|
|---|
| 590 | DEBUG(1,("Failed to parse kadmin/changepw (%s)\n", error_message(ret)));
|
|---|
| 591 | return ADS_ERROR_KRB5(ret);
|
|---|
| 592 | }
|
|---|
| 593 |
|
|---|
| 594 | /* parse the principal we got as a function argument */
|
|---|
| 595 | ret = smb_krb5_parse_name(context, princ, &principal);
|
|---|
| 596 | if (ret) {
|
|---|
| 597 | krb5_cc_close(context, ccache);
|
|---|
| 598 | krb5_free_principal(context, creds.server);
|
|---|
| 599 | krb5_free_context(context);
|
|---|
| 600 | DEBUG(1,("Failed to parse %s (%s)\n", princ_name, error_message(ret)));
|
|---|
| 601 | free(princ_name);
|
|---|
| 602 | return ADS_ERROR_KRB5(ret);
|
|---|
| 603 | }
|
|---|
| 604 |
|
|---|
| 605 | free(princ_name);
|
|---|
| 606 |
|
|---|
| 607 | /* The creds.server principal takes ownership of this memory.
|
|---|
| 608 | Remember to set back to original value before freeing. */
|
|---|
| 609 | orig_realm = *krb5_princ_realm(context, creds.server);
|
|---|
| 610 | krb5_princ_set_realm(context, creds.server, krb5_princ_realm(context, principal));
|
|---|
| 611 |
|
|---|
| 612 | ret = krb5_cc_get_principal(context, ccache, &creds.client);
|
|---|
| 613 | if (ret) {
|
|---|
| 614 | krb5_cc_close(context, ccache);
|
|---|
| 615 | krb5_princ_set_realm(context, creds.server, &orig_realm);
|
|---|
| 616 | krb5_free_principal(context, creds.server);
|
|---|
| 617 | krb5_free_principal(context, principal);
|
|---|
| 618 | krb5_free_context(context);
|
|---|
| 619 | DEBUG(1,("Failed to get principal from ccache (%s)\n",
|
|---|
| 620 | error_message(ret)));
|
|---|
| 621 | return ADS_ERROR_KRB5(ret);
|
|---|
| 622 | }
|
|---|
| 623 |
|
|---|
| 624 | ret = krb5_get_credentials(context, 0, ccache, &creds, &credsp);
|
|---|
| 625 | if (ret) {
|
|---|
| 626 | krb5_cc_close(context, ccache);
|
|---|
| 627 | krb5_free_principal(context, creds.client);
|
|---|
| 628 | krb5_princ_set_realm(context, creds.server, &orig_realm);
|
|---|
| 629 | krb5_free_principal(context, creds.server);
|
|---|
| 630 | krb5_free_principal(context, principal);
|
|---|
| 631 | krb5_free_context(context);
|
|---|
| 632 | DEBUG(1,("krb5_get_credentials failed (%s)\n", error_message(ret)));
|
|---|
| 633 | return ADS_ERROR_KRB5(ret);
|
|---|
| 634 | }
|
|---|
| 635 |
|
|---|
| 636 | /* we might have to call krb5_free_creds(...) from now on ... */
|
|---|
| 637 |
|
|---|
| 638 | aret = do_krb5_kpasswd_request(context, kdc_host,
|
|---|
| 639 | KRB5_KPASSWD_VERS_SETPW,
|
|---|
| 640 | credsp, princ, newpw);
|
|---|
| 641 |
|
|---|
| 642 | krb5_free_creds(context, credsp);
|
|---|
| 643 | krb5_free_principal(context, creds.client);
|
|---|
| 644 | krb5_princ_set_realm(context, creds.server, &orig_realm);
|
|---|
| 645 | krb5_free_principal(context, creds.server);
|
|---|
| 646 | krb5_free_principal(context, principal);
|
|---|
| 647 | krb5_cc_close(context, ccache);
|
|---|
| 648 | krb5_free_context(context);
|
|---|
| 649 |
|
|---|
| 650 | return aret;
|
|---|
| 651 | }
|
|---|
| 652 |
|
|---|
| 653 | /*
|
|---|
| 654 | we use a prompter to avoid a crash bug in the kerberos libs when
|
|---|
| 655 | dealing with empty passwords
|
|---|
| 656 | this prompter is just a string copy ...
|
|---|
| 657 | */
|
|---|
| 658 | static krb5_error_code
|
|---|
| 659 | kerb_prompter(krb5_context ctx, void *data,
|
|---|
| 660 | const char *name,
|
|---|
| 661 | const char *banner,
|
|---|
| 662 | int num_prompts,
|
|---|
| 663 | krb5_prompt prompts[])
|
|---|
| 664 | {
|
|---|
| 665 | if (num_prompts == 0) return 0;
|
|---|
| 666 |
|
|---|
| 667 | memset(prompts[0].reply->data, 0, prompts[0].reply->length);
|
|---|
| 668 | if (prompts[0].reply->length > 0) {
|
|---|
| 669 | if (data) {
|
|---|
| 670 | strncpy(prompts[0].reply->data,
|
|---|
| 671 | (const char *)data,
|
|---|
| 672 | prompts[0].reply->length-1);
|
|---|
| 673 | prompts[0].reply->length = strlen(prompts[0].reply->data);
|
|---|
| 674 | } else {
|
|---|
| 675 | prompts[0].reply->length = 0;
|
|---|
| 676 | }
|
|---|
| 677 | }
|
|---|
| 678 | return 0;
|
|---|
| 679 | }
|
|---|
| 680 |
|
|---|
| 681 | static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
|
|---|
| 682 | const char *principal,
|
|---|
| 683 | const char *oldpw,
|
|---|
| 684 | const char *newpw,
|
|---|
| 685 | int time_offset)
|
|---|
| 686 | {
|
|---|
| 687 | ADS_STATUS aret;
|
|---|
| 688 | krb5_error_code ret;
|
|---|
| 689 | krb5_context context = NULL;
|
|---|
| 690 | krb5_principal princ;
|
|---|
| 691 | krb5_get_init_creds_opt opts;
|
|---|
| 692 | krb5_creds creds;
|
|---|
| 693 | char *chpw_princ = NULL, *password;
|
|---|
| 694 |
|
|---|
| 695 | initialize_krb5_error_table();
|
|---|
| 696 | ret = krb5_init_context(&context);
|
|---|
| 697 | if (ret) {
|
|---|
| 698 | DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
|
|---|
| 699 | return ADS_ERROR_KRB5(ret);
|
|---|
| 700 | }
|
|---|
| 701 |
|
|---|
| 702 | if ((ret = smb_krb5_parse_name(context, principal,
|
|---|
| 703 | &princ))) {
|
|---|
| 704 | krb5_free_context(context);
|
|---|
| 705 | DEBUG(1,("Failed to parse %s (%s)\n", principal, error_message(ret)));
|
|---|
| 706 | return ADS_ERROR_KRB5(ret);
|
|---|
| 707 | }
|
|---|
| 708 |
|
|---|
| 709 | krb5_get_init_creds_opt_init(&opts);
|
|---|
| 710 | krb5_get_init_creds_opt_set_tkt_life(&opts, 5*60);
|
|---|
| 711 | krb5_get_init_creds_opt_set_renew_life(&opts, 0);
|
|---|
| 712 | krb5_get_init_creds_opt_set_forwardable(&opts, 0);
|
|---|
| 713 | krb5_get_init_creds_opt_set_proxiable(&opts, 0);
|
|---|
| 714 |
|
|---|
| 715 | /* We have to obtain an INITIAL changepw ticket for changing password */
|
|---|
| 716 | asprintf(&chpw_princ, "kadmin/changepw@%s",
|
|---|
| 717 | (char *) krb5_princ_realm(context, princ));
|
|---|
| 718 | password = SMB_STRDUP(oldpw);
|
|---|
| 719 | ret = krb5_get_init_creds_password(context, &creds, princ, password,
|
|---|
| 720 | kerb_prompter, NULL,
|
|---|
| 721 | 0, chpw_princ, &opts);
|
|---|
| 722 | SAFE_FREE(chpw_princ);
|
|---|
| 723 | SAFE_FREE(password);
|
|---|
| 724 |
|
|---|
| 725 | if (ret) {
|
|---|
| 726 | if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)
|
|---|
| 727 | DEBUG(1,("Password incorrect while getting initial ticket"));
|
|---|
| 728 | else
|
|---|
| 729 | DEBUG(1,("krb5_get_init_creds_password failed (%s)\n", error_message(ret)));
|
|---|
| 730 |
|
|---|
| 731 | krb5_free_principal(context, princ);
|
|---|
| 732 | krb5_free_context(context);
|
|---|
| 733 | return ADS_ERROR_KRB5(ret);
|
|---|
| 734 | }
|
|---|
| 735 |
|
|---|
| 736 | aret = do_krb5_kpasswd_request(context, kdc_host,
|
|---|
| 737 | KRB5_KPASSWD_VERS_CHANGEPW,
|
|---|
| 738 | &creds, principal, newpw);
|
|---|
| 739 |
|
|---|
| 740 | krb5_free_principal(context, princ);
|
|---|
| 741 | krb5_free_context(context);
|
|---|
| 742 |
|
|---|
| 743 | return aret;
|
|---|
| 744 | }
|
|---|
| 745 |
|
|---|
| 746 |
|
|---|
| 747 | ADS_STATUS kerberos_set_password(const char *kpasswd_server,
|
|---|
| 748 | const char *auth_principal, const char *auth_password,
|
|---|
| 749 | const char *target_principal, const char *new_password,
|
|---|
| 750 | int time_offset)
|
|---|
| 751 | {
|
|---|
| 752 | int ret;
|
|---|
| 753 |
|
|---|
| 754 | if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL))) {
|
|---|
| 755 | DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret)));
|
|---|
| 756 | return ADS_ERROR_KRB5(ret);
|
|---|
| 757 | }
|
|---|
| 758 |
|
|---|
| 759 | if (!strcmp(auth_principal, target_principal))
|
|---|
| 760 | return ads_krb5_chg_password(kpasswd_server, target_principal,
|
|---|
| 761 | auth_password, new_password, time_offset);
|
|---|
| 762 | else
|
|---|
| 763 | return ads_krb5_set_password(kpasswd_server, target_principal,
|
|---|
| 764 | new_password, time_offset);
|
|---|
| 765 | }
|
|---|
| 766 |
|
|---|
| 767 |
|
|---|
| 768 | /**
|
|---|
| 769 | * Set the machine account password
|
|---|
| 770 | * @param ads connection to ads server
|
|---|
| 771 | * @param hostname machine whose password is being set
|
|---|
| 772 | * @param password new password
|
|---|
| 773 | * @return status of password change
|
|---|
| 774 | **/
|
|---|
| 775 | ADS_STATUS ads_set_machine_password(ADS_STRUCT *ads,
|
|---|
| 776 | const char *machine_account,
|
|---|
| 777 | const char *password)
|
|---|
| 778 | {
|
|---|
| 779 | ADS_STATUS status;
|
|---|
| 780 | char *principal = NULL;
|
|---|
| 781 |
|
|---|
| 782 | /*
|
|---|
| 783 | we need to use the '$' form of the name here (the machine account name),
|
|---|
| 784 | as otherwise the server might end up setting the password for a user
|
|---|
| 785 | instead
|
|---|
| 786 | */
|
|---|
| 787 | asprintf(&principal, "%s@%s", machine_account, ads->config.realm);
|
|---|
| 788 |
|
|---|
| 789 | status = ads_krb5_set_password(ads->auth.kdc_server, principal,
|
|---|
| 790 | password, ads->auth.time_offset);
|
|---|
| 791 |
|
|---|
| 792 | free(principal);
|
|---|
| 793 |
|
|---|
| 794 | return status;
|
|---|
| 795 | }
|
|---|
| 796 |
|
|---|
| 797 |
|
|---|
| 798 |
|
|---|
| 799 | #endif
|
|---|
