Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

krb5_setpw.c

Visit:

Last change on this file was 988, checked in by Silvan Scherrer, 9 years ago
Samba Server: update vendor to version 4.4.3
File size: 8.4 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	krb5 set password implementation
4	Copyright (C) Andrew Tridgell 2001
5	Copyright (C) Remus Koos 2001 (remuskoos@yahoo.com)
6
7	This program is free software; you can redistribute it and/or modify
8	it under the terms of the GNU General Public License as published by
9	the Free Software Foundation; either version 3 of the License, or
10	(at your option) any later version.
11
12	This program is distributed in the hope that it will be useful,
13	but WITHOUT ANY WARRANTY; without even the implied warranty of
14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15	GNU General Public License for more details.
16
17	You should have received a copy of the GNU General Public License
18	along with this program. If not, see <http://www.gnu.org/licenses/>.
19	*/
20
21	#include "includes.h"
22	#include "smb_krb5.h"
23	#include "libads/kerberos_proto.h"
24	#include "../lib/util/asn1.h"
25
26	#ifdef HAVE_KRB5
27
28	/* Those are defined by kerberos-set-passwd-02.txt and are probably
29	* not supported by M$ implementation */
30	#define KRB5_KPASSWD_POLICY_REJECT 8
31	#define KRB5_KPASSWD_BAD_PRINCIPAL 9
32	#define KRB5_KPASSWD_ETYPE_NOSUPP 10
33
34	/*
35	* we've got to be able to distinguish KRB_ERRORs from other
36	* requests - valid response for CHPW v2 replies.
37	*/
38
39	static krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code)
40	{
41	switch(res_code) {
42	case KRB5_KPASSWD_ACCESSDENIED:
43	return KRB5KDC_ERR_BADOPTION;
44	case KRB5_KPASSWD_INITIAL_FLAG_NEEDED:
45	return KRB5KDC_ERR_BADOPTION;
46	/* return KV5M_ALT_METHOD; MIT-only define */
47	case KRB5_KPASSWD_ETYPE_NOSUPP:
48	return KRB5KDC_ERR_ETYPE_NOSUPP;
49	case KRB5_KPASSWD_BAD_PRINCIPAL:
50	return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
51	case KRB5_KPASSWD_POLICY_REJECT:
52	case KRB5_KPASSWD_SOFTERROR:
53	return KRB5KDC_ERR_POLICY;
54	default:
55	return KRB5KRB_ERR_GENERIC;
56	}
57	}
58
59	ADS_STATUS ads_krb5_set_password(const char kdc_host, const char principal,
60	const char *newpw, int time_offset)
61	{
62
63	ADS_STATUS aret;
64	krb5_error_code ret = 0;
65	krb5_context context = NULL;
66	krb5_principal princ = NULL;
67	krb5_ccache ccache = NULL;
68	int result_code;
69	krb5_data result_code_string = { 0 };
70	krb5_data result_string = { 0 };
71
72	initialize_krb5_error_table();
73	ret = krb5_init_context(&context);
74	if (ret) {
75	DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
76	return ADS_ERROR_KRB5(ret);
77	}
78
79	if (principal) {
80	ret = smb_krb5_parse_name(context, principal, &princ);
81	if (ret) {
82	krb5_free_context(context);
83	DEBUG(1, ("Failed to parse %s (%s)\n", principal,
84	error_message(ret)));
85	return ADS_ERROR_KRB5(ret);
86	}
87	}
88
89	if (time_offset != 0) {
90	krb5_set_real_time(context, time(NULL) + time_offset, 0);
91	}
92
93	ret = krb5_cc_default(context, &ccache);
94	if (ret) {
95	krb5_free_principal(context, princ);
96	krb5_free_context(context);
97	DEBUG(1,("Failed to get default creds (%s)\n", error_message(ret)));
98	return ADS_ERROR_KRB5(ret);
99	}
100
101	ret = krb5_set_password_using_ccache(context,
102	ccache,
103	discard_const_p(char, newpw),
104	princ,
105	&result_code,
106	&result_code_string,
107	&result_string);
108	if (ret) {
109	DEBUG(1, ("krb5_set_password failed (%s)\n", error_message(ret)));
110	aret = ADS_ERROR_KRB5(ret);
111	goto done;
112	}
113
114	if (result_code != KRB5_KPASSWD_SUCCESS) {
115	ret = kpasswd_err_to_krb5_err(result_code);
116	DEBUG(1, ("krb5_set_password failed (%s)\n", error_message(ret)));
117	aret = ADS_ERROR_KRB5(ret);
118	goto done;
119	}
120
121	aret = ADS_SUCCESS;
122
123	done:
124	kerberos_free_data_contents(context, &result_code_string);
125	kerberos_free_data_contents(context, &result_string);
126	krb5_free_principal(context, princ);
127	krb5_cc_close(context, ccache);
128	krb5_free_context(context);
129
130	return aret;
131	}
132
133	/*
134	we use a prompter to avoid a crash bug in the kerberos libs when
135	dealing with empty passwords
136	this prompter is just a string copy ...
137	*/
138	static krb5_error_code
139	kerb_prompter(krb5_context ctx, void *data,
140	const char *name,
141	const char *banner,
142	int num_prompts,
143	krb5_prompt prompts[])
144	{
145	if (num_prompts == 0) return 0;
146
147	memset(prompts[0].reply->data, 0, prompts[0].reply->length);
148	if (prompts[0].reply->length > 0) {
149	if (data) {
150	strncpy((char *)prompts[0].reply->data,
151	(const char *)data,
152	prompts[0].reply->length-1);
153	prompts[0].reply->length = strlen((const char *)prompts[0].reply->data);
154	} else {
155	prompts[0].reply->length = 0;
156	}
157	}
158	return 0;
159	}
160
161	static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
162	const char *principal,
163	const char *oldpw,
164	const char *newpw,
165	int time_offset)
166	{
167	ADS_STATUS aret;
168	krb5_error_code ret;
169	krb5_context context = NULL;
170	krb5_principal princ;
171	krb5_get_init_creds_opt opts;
172	krb5_creds creds;
173	char chpw_princ = NULL, password;
174	char *realm = NULL;
175	int result_code;
176	krb5_data result_code_string = { 0 };
177	krb5_data result_string = { 0 };
178	smb_krb5_addresses *addr = NULL;
179
180	initialize_krb5_error_table();
181	ret = krb5_init_context(&context);
182	if (ret) {
183	DEBUG(1,("Failed to init krb5 context (%s)\n", error_message(ret)));
184	return ADS_ERROR_KRB5(ret);
185	}
186
187	if ((ret = smb_krb5_parse_name(context, principal,
188	&princ))) {
189	krb5_free_context(context);
190	DEBUG(1,("Failed to parse %s (%s)\n", principal, error_message(ret)));
191	return ADS_ERROR_KRB5(ret);
192	}
193
194	krb5_get_init_creds_opt_init(&opts);
195
196	krb5_get_init_creds_opt_set_tkt_life(&opts, 5*60);
197	krb5_get_init_creds_opt_set_renew_life(&opts, 0);
198	krb5_get_init_creds_opt_set_forwardable(&opts, 0);
199	krb5_get_init_creds_opt_set_proxiable(&opts, 0);
200
201	/* note that heimdal will fill in the local addresses if the addresses
202	* in the creds_init_opt are all empty and then later fail with invalid
203	* address, sending our local netbios krb5 address - just like windows
204	* - avoids this - gd */
205	ret = smb_krb5_gen_netbios_krb5_address(&addr, lp_netbios_name());
206	if (ret) {
207	krb5_free_principal(context, princ);
208	krb5_free_context(context);
209	return ADS_ERROR_KRB5(ret);
210	}
211	krb5_get_init_creds_opt_set_address_list(&opts, addr->addrs);
212
213	realm = smb_krb5_principal_get_realm(context, princ);
214
215	/* We have to obtain an INITIAL changepw ticket for changing password */
216	if (asprintf(&chpw_princ, "kadmin/changepw@%s", realm) == -1) {
217	krb5_free_context(context);
218	free(realm);
219	DEBUG(1,("ads_krb5_chg_password: asprintf fail\n"));
220	return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
221	}
222
223	free(realm);
224	password = SMB_STRDUP(oldpw);
225	ret = krb5_get_init_creds_password(context, &creds, princ, password,
226	kerb_prompter, NULL,
227	0, chpw_princ, &opts);
228	SAFE_FREE(chpw_princ);
229	SAFE_FREE(password);
230
231	if (ret) {
232	if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)
233	DEBUG(1,("Password incorrect while getting initial ticket"));
234	else
235	DEBUG(1,("krb5_get_init_creds_password failed (%s)\n", error_message(ret)));
236
237	krb5_free_principal(context, princ);
238	krb5_free_context(context);
239	return ADS_ERROR_KRB5(ret);
240	}
241
242	ret = krb5_change_password(context,
243	&creds,
244	discard_const_p(char, newpw),
245	&result_code,
246	&result_code_string,
247	&result_string);
248	if (ret) {
249	DEBUG(1, ("krb5_change_password failed (%s)\n", error_message(ret)));
250	aret = ADS_ERROR_KRB5(ret);
251	goto done;
252	}
253
254	if (result_code != KRB5_KPASSWD_SUCCESS) {
255	ret = kpasswd_err_to_krb5_err(result_code);
256	DEBUG(1, ("krb5_change_password failed (%s)\n", error_message(ret)));
257	aret = ADS_ERROR_KRB5(ret);
258	goto done;
259	}
260
261	aret = ADS_SUCCESS;
262
263	done:
264	kerberos_free_data_contents(context, &result_code_string);
265	kerberos_free_data_contents(context, &result_string);
266	krb5_free_principal(context, princ);
267	krb5_free_context(context);
268
269	return aret;
270	}
271
272
273	ADS_STATUS kerberos_set_password(const char *kpasswd_server,
274	const char auth_principal, const char auth_password,
275	const char target_principal, const char new_password,
276	int time_offset)
277	{
278	int ret;
279
280	if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL))) {
281	DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret)));
282	return ADS_ERROR_KRB5(ret);
283	}
284
285	if (!strcmp(auth_principal, target_principal))
286	return ads_krb5_chg_password(kpasswd_server, target_principal,
287	auth_password, new_password, time_offset);
288	else
289	return ads_krb5_set_password(kpasswd_server, target_principal,
290	new_password, time_offset);
291	}
292
293	#endif

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: vendor/current/source3/libads/krb5_setpw.c

Download in other formats: