diff options
Diffstat (limited to 'source4/kdc')
| -rw-r--r-- | source4/kdc/db-glue.c | 43 | ||||
| -rw-r--r-- | source4/kdc/db-glue.h | 14 | ||||
| -rw-r--r-- | source4/kdc/hdb-samba4.c | 27 | ||||
| -rw-r--r-- | source4/kdc/kdc.c | 41 | ||||
| -rw-r--r-- | source4/kdc/mit_samba.c | 8 | ||||
| -rw-r--r-- | source4/kdc/proxy.c | 2 |
6 files changed, 93 insertions, 42 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 732e553ca3d..72262ac18b5 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -159,6 +159,20 @@ static HDBFlags uf2HDBFlags(krb5_context context, uint32_t userAccountControl, e if (userAccountControl & UF_TRUSTED_FOR_DELEGATION) { flags.ok_as_delegate = 1; } + if (userAccountControl & UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION) { + /* + * this is confusing... + * + * UF_TRUSTED_FOR_DELEGATION + * => ok_as_delegate + * + * and + * + * UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION + * => trusted_for_delegation + */ + flags.trusted_for_delegation = 1; + } if (!(userAccountControl & UF_NOT_DELEGATED)) { flags.forwardable = 1; flags.proxiable = 1; @@ -1521,14 +1535,12 @@ krb5_error_code samba_kdc_nextkey(krb5_context context, /* Check if a given entry may delegate or do s4u2self to this target principal * * This is currently a very nasty hack - allowing only delegation to itself. - * - * This is shared between the constrained delegation and S4U2Self code. */ krb5_error_code -samba_kdc_check_identical_client_and_server(krb5_context context, - struct samba_kdc_db_context *kdc_db_ctx, - hdb_entry_ex *entry, - krb5_const_principal target_principal) +samba_kdc_check_s4u2self(krb5_context context, + struct samba_kdc_db_context *kdc_db_ctx, + hdb_entry_ex *entry, + krb5_const_principal target_principal) { krb5_error_code ret; krb5_principal enterprise_prinicpal = NULL; @@ -1541,11 +1553,11 @@ samba_kdc_check_identical_client_and_server(krb5_context context, "objectSid", NULL }; - TALLOC_CTX *mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_check_constrained_delegation"); + TALLOC_CTX *mem_ctx = talloc_named(kdc_db_ctx, 0, "samba_kdc_check_s4u2self"); if (!mem_ctx) { ret = ENOMEM; - krb5_set_error_message(context, ret, "samba_kdc_fetch: talloc_named() failed!"); + krb5_set_error_message(context, ret, "samba_kdc_check_s4u2self: talloc_named() failed!"); return ret; } @@ -1553,7 +1565,7 @@ samba_kdc_check_identical_client_and_server(krb5_context context, /* Need to reparse the enterprise principal to find the real target */ if (target_principal->name.name_string.len != 1) { ret = KRB5_PARSE_MALFORMED; - krb5_set_error_message(context, ret, "samba_kdc_check_constrained_delegation: request for delegation to enterprise principal with wrong (%d) number of components", + krb5_set_error_message(context, ret, "samba_kdc_check_s4u2self: request for delegation to enterprise principal with wrong (%d) number of components", target_principal->name.name_string.len); talloc_free(mem_ctx); return ret; @@ -1645,6 +1657,19 @@ samba_kdc_check_pkinit_ms_upn_match(krb5_context context, return ret; } +/* + * Check if a given entry may delegate to this target principal + * with S4U2Proxy. + */ +krb5_error_code +samba_kdc_check_s4u2proxy(krb5_context context, + struct samba_kdc_db_context *kdc_db_ctx, + hdb_entry_ex *entry, + krb5_const_principal target_principal) +{ + return KRB5KDC_ERR_BADOPTION; +} + NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_context *base_ctx, struct samba_kdc_db_context **kdc_db_ctx_out) { diff --git a/source4/kdc/db-glue.h b/source4/kdc/db-glue.h index 4f1e06fa7a5..18d2c07de62 100644 --- a/source4/kdc/db-glue.h +++ b/source4/kdc/db-glue.h @@ -37,10 +37,10 @@ krb5_error_code samba_kdc_nextkey(krb5_context context, hdb_entry_ex *entry); krb5_error_code -samba_kdc_check_identical_client_and_server(krb5_context context, - struct samba_kdc_db_context *kdc_db_ctx, - hdb_entry_ex *entry, - krb5_const_principal target_principal); +samba_kdc_check_s4u2self(krb5_context context, + struct samba_kdc_db_context *kdc_db_ctx, + hdb_entry_ex *entry, + krb5_const_principal target_principal); krb5_error_code samba_kdc_check_pkinit_ms_upn_match(krb5_context context, @@ -48,5 +48,11 @@ samba_kdc_check_pkinit_ms_upn_match(krb5_context context, hdb_entry_ex *entry, krb5_const_principal certificate_principal); +krb5_error_code +samba_kdc_check_s4u2proxy(krb5_context context, + struct samba_kdc_db_context *kdc_db_ctx, + hdb_entry_ex *entry, + krb5_const_principal target_principal); + NTSTATUS samba_kdc_setup_db_ctx(TALLOC_CTX *mem_ctx, struct samba_kdc_base_context *base_ctx, struct samba_kdc_db_context **kdc_db_ctx_out); diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index 8511b2f27ba..f82712e2b29 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -121,7 +121,7 @@ static krb5_error_code hdb_samba4_destroy(krb5_context context, HDB *db) } static krb5_error_code -hdb_samba4_check_identical_client_and_server(krb5_context context, HDB *db, +hdb_samba4_check_constrained_delegation(krb5_context context, HDB *db, hdb_entry_ex *entry, krb5_const_principal target_principal) { @@ -130,9 +130,9 @@ hdb_samba4_check_identical_client_and_server(krb5_context context, HDB *db, kdc_db_ctx = talloc_get_type_abort(db->hdb_db, struct samba_kdc_db_context); - return samba_kdc_check_identical_client_and_server(context, kdc_db_ctx, - entry, - target_principal); + return samba_kdc_check_s4u2proxy(context, kdc_db_ctx, + entry, + target_principal); } static krb5_error_code @@ -150,6 +150,21 @@ hdb_samba4_check_pkinit_ms_upn_match(krb5_context context, HDB *db, certificate_principal); } +static krb5_error_code +hdb_samba4_check_s4u2self(krb5_context context, HDB *db, + hdb_entry_ex *entry, + krb5_const_principal target_principal) +{ + struct samba_kdc_db_context *kdc_db_ctx; + + kdc_db_ctx = talloc_get_type_abort(db->hdb_db, + struct samba_kdc_db_context); + + return samba_kdc_check_s4u2self(context, kdc_db_ctx, + entry, + target_principal); +} + /* This interface is to be called by the KDC and libnet_keytab_dump, * which is expecting Samba calling conventions. * It is also called by a wrapper (hdb_samba4_create) from the @@ -197,9 +212,9 @@ NTSTATUS hdb_samba4_create_kdc(struct samba_kdc_base_context *base_ctx, (*db)->hdb_destroy = hdb_samba4_destroy; (*db)->hdb_auth_status = NULL; - (*db)->hdb_check_constrained_delegation = hdb_samba4_check_identical_client_and_server; + (*db)->hdb_check_constrained_delegation = hdb_samba4_check_constrained_delegation; (*db)->hdb_check_pkinit_ms_upn_match = hdb_samba4_check_pkinit_ms_upn_match; - (*db)->hdb_check_s4u2self = hdb_samba4_check_identical_client_and_server; + (*db)->hdb_check_s4u2self = hdb_samba4_check_s4u2self; return NT_STATUS_OK; } diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c index 784b98b0727..07234080439 100644 --- a/source4/kdc/kdc.c +++ b/source4/kdc/kdc.c @@ -654,7 +654,7 @@ static NTSTATUS kdc_add_socket(struct kdc_server *kdc, address, port, &kdc_socket->local_address); if (ret != 0) { - status = map_nt_error_from_unix(errno); + status = map_nt_error_from_unix_common(errno); return status; } @@ -685,7 +685,7 @@ static NTSTATUS kdc_add_socket(struct kdc_server *kdc, kdc_udp_socket, &kdc_udp_socket->dgram); if (ret != 0) { - status = map_nt_error_from_unix(errno); + status = map_nt_error_from_unix_common(errno); DEBUG(0,("Failed to bind to %s:%u UDP - %s\n", address, port, nt_errstr(status))); return status; @@ -729,29 +729,34 @@ static NTSTATUS kdc_startup_interfaces(struct kdc_server *kdc, struct loadparm_c return NT_STATUS_INTERNAL_ERROR; } - num_interfaces = iface_count(ifaces); + num_interfaces = iface_list_count(ifaces); /* if we are allowing incoming packets from any address, then we need to bind to the wildcard address */ if (!lpcfg_bind_interfaces_only(lp_ctx)) { - if (kdc_port) { - status = kdc_add_socket(kdc, model_ops, - "kdc", "0.0.0.0", kdc_port, - kdc_process, false); - NT_STATUS_NOT_OK_RETURN(status); - } - - if (kpasswd_port) { - status = kdc_add_socket(kdc, model_ops, - "kpasswd", "0.0.0.0", kpasswd_port, - kpasswdd_process, false); - NT_STATUS_NOT_OK_RETURN(status); + const char **wcard = iface_list_wildcard(kdc, lp_ctx); + NT_STATUS_HAVE_NO_MEMORY(wcard); + for (i=0; wcard[i]; i++) { + if (kdc_port) { + status = kdc_add_socket(kdc, model_ops, + "kdc", wcard[i], kdc_port, + kdc_process, false); + NT_STATUS_NOT_OK_RETURN(status); + } + + if (kpasswd_port) { + status = kdc_add_socket(kdc, model_ops, + "kpasswd", wcard[i], kpasswd_port, + kpasswdd_process, false); + NT_STATUS_NOT_OK_RETURN(status); + } } + talloc_free(wcard); done_wildcard = true; } for (i=0; i<num_interfaces; i++) { - const char *address = talloc_strdup(tmp_ctx, iface_n_ip(ifaces, i)); + const char *address = talloc_strdup(tmp_ctx, iface_list_n_ip(ifaces, i)); if (kdc_port) { status = kdc_add_socket(kdc, model_ops, @@ -895,9 +900,9 @@ static void kdc_task_init(struct task_server *task) break; } - load_interfaces(task, lpcfg_interfaces(task->lp_ctx), &ifaces); + load_interface_list(task, task->lp_ctx, &ifaces); - if (iface_count(ifaces) == 0) { + if (iface_list_count(ifaces) == 0) { task_server_terminate(task, "kdc: no network interfaces configured", false); return; } diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c index dcabe39db67..50b5d1d2927 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c @@ -330,10 +330,10 @@ static int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, return ret; } - ret = samba_kdc_check_identical_client_and_server(ctx->context, - ctx->db_ctx, - entry, - target_principal); + ret = samba_kdc_check_s4u2proxy(ctx->context, + ctx->db_ctx, + entry, + target_principal); krb5_free_principal(ctx->context, target_principal); diff --git a/source4/kdc/proxy.c b/source4/kdc/proxy.c index 98db956f65e..324bfb8e2e1 100644 --- a/source4/kdc/proxy.c +++ b/source4/kdc/proxy.c @@ -556,7 +556,7 @@ static void kdc_tcp_proxy_read_pdu_done(struct tevent_req *subreq) */ state->out = data_blob_talloc(state, raw.data + 4, raw.length - 4); if (state->out.length != raw.length - 4) { - tevent_req_nomem(NULL, req); + tevent_req_oom(req); return; } |