author | Andrew Bartlett <abartlet@samba.org> | 2016-01-08 14:08:18 +1300 |
---|---|---|
committer | Joseph Sutton <jsutton@samba.org> | 2022-01-19 20:50:35 +0000 |
commit | 5a05066bafc432ddfd2bdbba14934308ba57071b (patch) | |
tree | 29ec081327650a26501a13e569508c7b82859bd4 /source4 | |
parent | 3d8edb7b768578816b68c41aef0aae4222cb0b11 (diff) | |
s4:kdc: Update to match updated Heimdal's new HDB version
Including updates to hook into the improved hdb_auth_status
by Stefan Metzmacher <metze@samba.org> from his Heimdal
upgrade branch.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source4')
-rw-r--r-- | source4/kdc/db-glue.c | 10 | ||||
-rw-r--r-- | source4/kdc/db-glue.h | 2 | ||||
-rw-r--r-- | source4/kdc/hdb-samba4-plugin.c | 2 | ||||
-rw-r--r-- | source4/kdc/hdb-samba4.c | 86 | ||||
-rw-r--r-- | source4/kdc/kdc-glue.c | 4 | ||||
-rw-r--r-- | source4/kdc/sdb.h | 12 | ||||
-rw-r--r-- | source4/kdc/sdb_to_hdb.c | 14 | ||||
-rw-r--r-- | source4/kdc/wdc-samba4.c | 2 |
8 files changed, 86 insertions, 46 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 22106bf8665..06b8eeec41d 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -235,8 +235,12 @@ static struct SDBFlags uf2SDBFlags(krb5_context context, uint32_t userAccountCon flags.require_preauth = 0; } else { flags.require_preauth = 1; + } + if (userAccountControl & UF_NO_AUTH_DATA_REQUIRED) { + flags.no_auth_data_reqd = 1; } + return flags; }
@@ -2540,9 +2544,9 @@ krb5_error_code samba_kdc_nextkey(krb5_context context, * the time the principal was presented to the KDC. */ krb5_error_code -samba_kdc_check_s4u2self(krb5_context context, - struct samba_kdc_entry *skdc_entry_client, - struct samba_kdc_entry *skdc_entry_server_target) +samba_kdc_check_client_matches_target_service(krb5_context context, + struct samba_kdc_entry *skdc_entry_client, + struct samba_kdc_entry *skdc_entry_server_target) { struct dom_sid *orig_sid; struct dom_sid *target_sid;
diff --git a/source4/kdc/db-glue.h b/source4/kdc/db-glue.h
index cadfac1deb8..4defca2320c 100644
--- a/source4/kdc/db-glue.h
+++ b/source4/kdc/db-glue.h
@@ -39,7 +39,7 @@ krb5_error_code samba_kdc_nextkey(krb5_context context, struct sdb_entry_ex *entry); krb5_error_code -samba_kdc_check_s4u2self(krb5_context context, +samba_kdc_check_client_matches_target_service(krb5_context context, struct samba_kdc_entry *skdc_entry_client, struct samba_kdc_entry *skdc_entry_server_target);
diff --git a/source4/kdc/hdb-samba4-plugin.c b/source4/kdc/hdb-samba4-plugin.c
index 6f76124995d..9dc4784f379 100644
--- a/source4/kdc/hdb-samba4-plugin.c
+++ b/source4/kdc/hdb-samba4-plugin.c
@@ -72,7 +72,7 @@ static krb5_error_code hdb_samba4_create(krb5_context context, struct HDB **db, return EINVAL; } -#if (HDB_INTERFACE_VERSION != 8 && HDB_INTERFACE_VERSION != 7) +#if (HDB_INTERFACE_VERSION != 11) #error "Unsupported Heimdal HDB version" #endif
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index 92bc5ff28a6..9132bb46212 100644
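Review bot: The new `if (userAccountControl & UF_NO_AUTH_DATA_REQUIRED)` block in uf2SDBFlags only ever sets `flags.no_auth_data_reqd` to 1, so the cleared state relies on however `flags` is initialised at the top of the function, which is outside this hunk. Because this bit presumably steers what authorization data Heimdal attaches to tickets for the principal, a one-line comment on the new block would help the next reader, e.g. `/* mirror UF_NO_AUTH_DATA_REQUIRED into the HDB flag Heimdal consults for authorization data; see its HDBFlags */`. A blank line before the new `if` would also make clear it is independent of the preceding require_preauth `if`/`else` rather than a continuation of it. uf2SDBFlags starts before this hunk.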
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -83,9 +83,13 @@ static krb5_error_code hdb_samba4_store(krb5_context context, HDB *db, unsigned return HDB_ERR_DB_INUSE; } -static krb5_error_code hdb_samba4_remove(krb5_context context, HDB *db, krb5_const_principal principal) +/* + * If we ever want kadmin to work fast, we might try and reopen the + * ldb with LDB_NOSYNC + */ +static krb5_error_code hdb_samba4_set_sync(krb5_context context, struct HDB *db, int set_sync) { - return HDB_ERR_DB_INUSE; + return 0; } static krb5_error_code hdb_samba4_fetch_kvno(krb5_context context, HDB *db,
@@ -273,7 +277,7 @@ hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db, } static krb5_error_code -hdb_samba4_check_s4u2self(krb5_context context, HDB *db, +hdb_samba4_check_client_matches_target_service(krb5_context context, HDB *db, hdb_entry_ex *client_entry, hdb_entry_ex *server_target_entry) {
@@ -284,9 +288,9 @@ hdb_samba4_check_s4u2self(krb5_context context, HDB *db, = talloc_get_type_abort(server_target_entry->ctx, struct samba_kdc_entry); - return samba_kdc_check_s4u2self(context, - skdc_client_entry, - skdc_server_target_entry); + return samba_kdc_check_client_matches_target_service(context, + skdc_client_entry, + skdc_server_target_entry); } static void reset_bad_password_netlogon(TALLOC_CTX *mem_ctx,
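Review bot: `hdb_samba4_set_sync` returns 0 without reading `set_sync`, so a caller that asks for synchronous writes is told it succeeded while the ldb keeps whatever mode it already has. The comment above it only describes what might be done later; I would state the present contract on the function itself, `/* set_sync is accepted and ignored: the ldb keeps its default sync behaviour */`, so nobody reads the unconditional `return 0` as "sync is honoured". Marking `context`, `db` and `set_sync` as unused would also keep -Wunused-parameter quiet where it is enabled.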
@@ -365,13 +369,15 @@ static void send_bad_password_netlogon(TALLOC_CTX *mem_ctx, irpc_handle, &req); } -static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db, +static krb5_error_code hdb_samba4_auth_status(krb5_context context, + HDB *db, hdb_entry_ex *entry, - struct sockaddr *from_addr, - struct timeval *start_time, + const struct timeval *start_time, + const struct sockaddr *from_addr, const char *original_client_name, - const char *auth_type, - int hdb_auth_status) + int hdb_auth_status, + const char *auth_details, + const char *pa_type) { struct samba_kdc_db_context *kdc_db_ctx = talloc_get_type_abort(db->hdb_db, struct samba_kdc_db_context);
@@ -392,8 +398,8 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db, .domain_name = NULL, }, .service_description = "Kerberos KDC", - .auth_description = "ENC-TS Pre-authentication", - .password_type = auth_type, + .auth_description = "Unknown Auth Description", + .password_type = auth_details, .logon_id = logon_id };
@@ -411,7 +417,7 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db, } switch (hdb_auth_status) { - case HDB_AUTHZ_SUCCESS: + case HDB_AUTHSTATUS_AUTHORIZATION_SUCCESS: { TALLOC_CTX *frame = talloc_stackframe(); struct samba_kdc_entry *p = talloc_get_type(entry->ctx,
@@ -431,10 +437,13 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db, talloc_free(frame); break; } - case HDB_AUTH_INVALID_SIGNATURE: - break; - case HDB_AUTH_CORRECT_PASSWORD: - case HDB_AUTH_WRONG_PASSWORD: + case HDB_AUTHSTATUS_CLIENT_LOCKED_OUT: + case HDB_AUTHSTATUS_CORRECT_PASSWORD: + case HDB_AUTHSTATUS_WRONG_PASSWORD: + case HDB_AUTHSTATUS_GENERIC_SUCCESS: + case HDB_AUTHSTATUS_GENERIC_FAILURE: + case HDB_AUTHSTATUS_PKINIT_SUCCESS: + case HDB_AUTHSTATUS_PKINIT_FAILURE: { TALLOC_CTX *frame = talloc_stackframe(); struct samba_kdc_entry *p = talloc_get_type(entry->ctx,
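Review bot: The placeholder `.auth_description = "Unknown Auth Description"` in the `ui` initializer is only overridden later by the password-status group and by the CLIENT_UNKNOWN case; the body of `case HDB_AUTHSTATUS_AUTHORIZATION_SUCCESS:` is mostly outside these hunks, so if it logs through `ui` that event will be written with the placeholder text. Either give that case a real description as well, or at least use the same fallback wording the password path uses, `.auth_description = "Unknown Pre-authentication",`, so log consumers have one placeholder string to match instead of two. hdb_samba4_auth_status starts in the `@@ -365` hunk here and continues past the last hunk on this line.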
@@ -445,6 +454,7 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db, = ldb_msg_find_attr_as_string(p->msg, "sAMAccountName", NULL); const char *domain_name = lpcfg_sam_name(p->kdc_db_ctx->lp_ctx); struct tsocket_address *remote_host; + const char *auth_description = NULL; NTSTATUS status; int ret;
@@ -460,7 +470,19 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db, ui.mapped.account_name = account_name; ui.mapped.domain_name = domain_name; - if (hdb_auth_status == HDB_AUTH_WRONG_PASSWORD) { + if (pa_type != NULL) { + auth_description = talloc_asprintf(frame, + "%s Pre-authentication", + pa_type); + if (auth_description == NULL) { + auth_description = pa_type; + } + } else { + auth_description = "Unknown Pre-authentication"; + } + ui.auth_description = auth_description; + + if (hdb_auth_status == HDB_AUTHSTATUS_WRONG_PASSWORD) { authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn); status = NT_STATUS_WRONG_PASSWORD; /*
@@ -471,8 +493,20 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db, if (kdc_db_ctx->rodc) { send_bad_password_netlogon(frame, kdc_db_ctx, &ui); } - } else { + } else if (hdb_auth_status == HDB_AUTHSTATUS_CLIENT_LOCKED_OUT) { + status = NT_STATUS_ACCOUNT_LOCKED_OUT; + } else if (hdb_auth_status == HDB_AUTHSTATUS_CORRECT_PASSWORD) { + status = NT_STATUS_OK; + } else if (hdb_auth_status == HDB_AUTHSTATUS_GENERIC_SUCCESS) { + status = NT_STATUS_OK; + } else if (hdb_auth_status == HDB_AUTHSTATUS_GENERIC_FAILURE) { + status = NT_STATUS_GENERIC_COMMAND_FAILED; + } else if (hdb_auth_status == HDB_AUTHSTATUS_PKINIT_SUCCESS) { status = NT_STATUS_OK; + } else if (hdb_auth_status == HDB_AUTHSTATUS_PKINIT_FAILURE) { + status = NT_STATUS_PKINIT_FAILURE; + } else { + status = NT_STATUS_INTERNAL_ERROR; } log_authentication_event(kdc_db_ctx->msg_ctx,
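Review bot: The `if`/`else if` chain added in the `@@ -471` hunk re-enumerates the same `HDB_AUTHSTATUS_*` values the enclosing `switch` has already dispatched on, so the status-to-NTSTATUS mapping now lives in two places and the final `else { status = NT_STATUS_INTERNAL_ERROR; }` cannot be reached from the listed case labels. A nested `switch (hdb_auth_status)` with a `default:` keeps the mapping in one spot, lets the three `NT_STATUS_OK` branches share one label group, and reads the same way as the outer dispatch. The rewritten region is the chain that follows `ui.auth_description = auth_description;`; the comment and RODC forwarding inside the wrong-password branch are unchanged.
```c
		ui.auth_description = auth_description;

		switch (hdb_auth_status) {
		case HDB_AUTHSTATUS_WRONG_PASSWORD:
			authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
			status = NT_STATUS_WRONG_PASSWORD;
			/* … unchanged: comment and RODC send_bad_password_netlogon() forwarding … */
			break;
		case HDB_AUTHSTATUS_CLIENT_LOCKED_OUT:
			status = NT_STATUS_ACCOUNT_LOCKED_OUT;
			break;
		case HDB_AUTHSTATUS_CORRECT_PASSWORD:
		case HDB_AUTHSTATUS_GENERIC_SUCCESS:
		case HDB_AUTHSTATUS_PKINIT_SUCCESS:
			status = NT_STATUS_OK;
			break;
		case HDB_AUTHSTATUS_GENERIC_FAILURE:
			status = NT_STATUS_GENERIC_COMMAND_FAILED;
			break;
		case HDB_AUTHSTATUS_PKINIT_FAILURE:
			status = NT_STATUS_PKINIT_FAILURE;
			break;
		default:
			/* every label of the enclosing switch is handled above */
			status = NT_STATUS_INTERNAL_ERROR;
			break;
		}
```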
@@ -486,7 +520,7 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db, TALLOC_FREE(frame); break; } - case HDB_AUTH_CLIENT_UNKNOWN: + case HDB_AUTHSTATUS_CLIENT_UNKNOWN: { struct tsocket_address *remote_host; int ret;
@@ -500,6 +534,12 @@ static krb5_error_code hdb_samba4_auth_status(krb5_context context, HDB *db, ui.remote_host = remote_host; } + if (pa_type == NULL) { + pa_type = "AS-REQ"; + } + + ui.auth_description = pa_type; + log_authentication_event(kdc_db_ctx->msg_ctx, kdc_db_ctx->lp_ctx, start_time,
@@ -552,11 +592,11 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx, (*db)->hdb_close = hdb_samba4_close; (*db)->hdb_fetch_kvno = hdb_samba4_fetch_kvno; (*db)->hdb_store = hdb_samba4_store; - (*db)->hdb_remove = hdb_samba4_remove; (*db)->hdb_firstkey = hdb_samba4_firstkey; (*db)->hdb_nextkey = hdb_samba4_nextkey; (*db)->hdb_lock = hdb_samba4_lock; (*db)->hdb_unlock = hdb_samba4_unlock; + (*db)->hdb_set_sync = hdb_samba4_set_sync; (*db)->hdb_rename = hdb_samba4_rename; /* we don't implement these, as we are not a lockable database */ (*db)->hdb__get = NULL;
@@ -568,7 +608,7 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx, (*db)->hdb_auth_status = hdb_samba4_auth_status; (*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation; (*db)->hdb_check_pkinit_ms_upn_match = hdb_samba4_check_pkinit_ms_upn_match; - (*db)->hdb_check_s4u2self = hdb_samba4_check_s4u2self; + (*db)->hdb_check_client_matches_target_service = hdb_samba4_check_client_matches_target_service; return NT_STATUS_OK; }
diff --git a/source4/kdc/kdc-glue.c b/source4/kdc/kdc-glue.c
index a64827d0309..c6cc61ad02d 100644
--- a/source4/kdc/kdc-glue.c
+++ b/source4/kdc/kdc-glue.c
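Review bot: In the `HDB_AUTHSTATUS_CLIENT_UNKNOWN` case the `@@ -500` hunk logs the bare `pa_type` (or `"AS-REQ"`) as `ui.auth_description`, whereas the known-client path in the `@@ -460` hunk logs `"<pa_type> Pre-authentication"`. The same pre-authentication mechanism is therefore recorded under two different descriptions depending only on whether the principal exists, which makes correlating unknown-principal events with wrong-password events from the same source in the authentication log harder than it needs to be. I would build the string the same way as the known-client path (formatted with `"%s Pre-authentication"` on the context `remote_host` is allocated on, falling back to `pa_type` on allocation failure), or keep `"AS-REQ"` only for the no-preauth case and add a comment on why it is not suffixed.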
@@ -52,11 +52,7 @@ int kdc_check_pac(krb5_context context, } } -#if HDB_ENCTYPE2KEY_TAKES_KEYSET ret = hdb_enctype2key(context, &ent->entry, NULL, etype, &key); -#else - ret = hdb_enctype2key(context, &ent->entry, etype, &key); -#endif if (ret != 0) { return ret;
diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
index a9115ec23d7..17f06cf81a8 100644
--- a/source4/kdc/sdb.h
+++ b/source4/kdc/sdb.h
@@ -64,12 +64,12 @@ struct SDBFlags { unsigned int allow_kerberos4:1; unsigned int allow_digest:1; unsigned int locked_out:1; - unsigned int _unused18:1; - unsigned int _unused19:1; - unsigned int _unused20:1; - unsigned int _unused21:1; - unsigned int _unused22:1; - unsigned int _unused23:1; + unsigned int require_pwchange:1; + unsigned int materialize:1; + unsigned int virtual_keys:1; + unsigned int virtual:1; + unsigned int synthetic:1; + unsigned int no_auth_data_reqd:1; unsigned int _unused24:1; unsigned int _unused25:1; unsigned int _unused26:1;
diff --git a/source4/kdc/sdb_to_hdb.c b/source4/kdc/sdb_to_hdb.c
index 66ee763dd60..4ae3f26a947 100644
--- a/source4/kdc/sdb_to_hdb.c
+++ b/source4/kdc/sdb_to_hdb.c
@@ -51,12 +51,12 @@ static void sdb_flags_to_hdb_flags(const struct SDBFlags *s, h->allow_kerberos4 = s->allow_kerberos4; h->allow_digest = s->allow_digest; h->locked_out = s->locked_out; - h->_unused18 = s->_unused18; - h->_unused19 = s->_unused19; - h->_unused20 = s->_unused20; - h->_unused21 = s->_unused21; - h->_unused22 = s->_unused22; - h->_unused23 = s->_unused23; + h->require_pwchange = s->require_pwchange; + h->materialize = s->materialize; + h->virtual_keys = s->virtual_keys; + h->virtual = s->virtual; + h->synthetic = s->synthetic; + h->no_auth_data_reqd = s->no_auth_data_reqd; h->_unused24 = s->_unused24; h->_unused25 = s->_unused25; h->_unused26 = s->_unused26;
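Review bot: With the `HDB_ENCTYPE2KEY_TAKES_KEYSET` fallback gone, kdc_check_pac now unconditionally passes `NULL` as the keyset argument of `hdb_enctype2key`, and the `@@ -213` hunk in wdc-samba4.c does the same for the krbtgt entry. Nothing at either call site says what a NULL keyset selects, so a one-line comment on the first call, `/* NULL keyset: let Heimdal pick from the entry's own keys */` (worded to match Heimdal's actual contract), would save the next reader a trip into the Heimdal sources. kdc_check_pac starts and ends outside this hunk.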
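Review bot: The renamed bit-field `unsigned int virtual:1;` in struct SDBFlags uses a C++ keyword as an identifier; that is valid C, but it makes sdb.h unusable from any C++ translation unit and trips some static analysers. The field-by-field copy `h->virtual = s->virtual;` in the next hunk shows the name is chosen to mirror Heimdal's HDBFlags, so if it stays, a comment on the field recording that trade-off, `/* name mirrors Heimdal's HDBFlags; header is not C++-clean */`, is worth having; otherwise `is_virtual` on the SDB side with the corresponding assignment in sdb_to_hdb.c updated avoids the issue.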
@@ -175,7 +175,7 @@ static int sdb_event_to_Event(krb5_context context, static int sdb_entry_to_hdb_entry(krb5_context context, const struct sdb_entry *s, - struct hdb_entry *h) + hdb_entry *h) { unsigned int i; int rc;
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index c1e8780f5d3..6a5565d511e 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -213,7 +213,7 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context, return ret; } } - ret = hdb_enctype2key(context, &krbtgt->entry, etype, &key); + ret = hdb_enctype2key(context, &krbtgt->entry, NULL, etype, &key); if (ret != 0) { talloc_free(mem_ctx); return ret; |