From ef9ec9583d2efa78220edd65bd93ead955792b3e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 27 Nov 2005 02:02:44 +0000 Subject: r11930: Add socket/packet handling code for kpasswdd Allow ticket requests with only a netbios name to be considered 'null' addresses, and therefore allowed by default. Use the netbios address as the workstation name for the allowed workstations check with krb5. Andrew Bartlett (This used to be commit 328fa186f2df5cdd42be679d92b5f07f7ed22d87) --- source4/heimdal/kdc/kerberos5.c | 20 ++++++++++++++++++-- source4/kdc/kdc.c | 16 +++++++++++++--- source4/kdc/pac-glue.c | 21 +++++++++++++++++++++ 3 files changed, 52 insertions(+), 5 deletions(-) (limited to 'source4') diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c index 3577a14e5fb..ccfa35b6381 100644 --- a/source4/heimdal/kdc/kerberos5.c +++ b/source4/heimdal/kdc/kerberos5.c @@ -758,11 +758,27 @@ check_addresses(krb5_context context, krb5_error_code ret; krb5_address addr; krb5_boolean result; - + krb5_boolean only_netbios = TRUE; + int i; + if(config->check_ticket_addresses == 0) return TRUE; - if(addresses == NULL) + if(addresses == NULL) + return config->allow_null_ticket_addresses; + + for (i = 0; i < addresses->len; ++i) { + if (addresses->val[i].addr_type != KRB5_ADDRESS_NETBIOS) { + only_netbios = FALSE; + } + } + + /* Windows sends it's netbios name, which I can only assume is + * used for the 'allowed workstations' check. This is painful, but + * we still want to check IP addresses if they happen to be + * present. */ + + if(only_netbios) return config->allow_null_ticket_addresses; ret = krb5_sockaddr2address (context, from, &addr); diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c index 4e7865b5f99..f2203577082 100644 --- a/source4/kdc/kdc.c +++ b/source4/kdc/kdc.c @@ -388,6 +388,19 @@ void kpasswdd_tcp_accept(struct stream_connection *conn) kdcconn->kdc = kdc; kdcconn->process = kpasswdd_process; conn->private = kdcconn; + kdcconn->packet = packet_init(kdcconn); + if (kdcconn->packet == NULL) { + stream_terminate_connection(conn, "kdc_tcp_accept: out of memory"); + return; + } + packet_set_private(kdcconn->packet, kdcconn); + packet_set_socket(kdcconn->packet, conn->socket); + packet_set_callback(kdcconn->packet, kdc_tcp_recv); + packet_set_full_request(kdcconn->packet, packet_full_request_u32); + packet_set_error_handler(kdcconn->packet, kdc_tcp_recv_error); + packet_set_event_context(kdcconn->packet, conn->event.ctx); + packet_set_fde(kdcconn->packet, conn->event.fde); + packet_set_serialise(kdcconn->packet); } static const struct stream_server_ops kpasswdd_tcp_stream_ops = { @@ -556,9 +569,6 @@ static void kdc_task_init(struct task_server *task) } krb5_kdc_default_config(kdc->config); - /* NAT and the like make this pointless, and painful */ - kdc->config->check_ticket_addresses = FALSE; - initialize_krb5_error_table(); ret = smb_krb5_init_context(kdc, &kdc->smb_krb5_context); diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index 03b53fa3af0..bd4d3e6a2fe 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -324,6 +324,8 @@ krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData TALLOC_CTX *tmp_ctx = talloc_new(entry_ex->private); struct hdb_ldb_private *private = talloc_get_type(entry_ex->private, struct hdb_ldb_private); char *name, *workstation = NULL; + int i; + if (!tmp_ctx) { return ENOMEM; } @@ -331,7 +333,26 @@ krb5_error_code wrap_pac(krb5_context context, krb5_data *pac, AuthorizationData ret = krb5_unparse_name(context, entry_ex->entry.principal, &name); if (ret != 0) { talloc_free(tmp_ctx); + return ret; } + + for (i=0; i < addresses->len; i++) { + if (addresses->val->addr_type == KRB5_ADDRESS_NETBIOS) { + workstation = talloc_strndup(tmp_ctx, addresses->val->address.data, MIN(addresses->val->address.length, 15)); + if (workstation) { + break; + } + } + } + + /* Strip space padding */ + if (workstation) { + i = MIN(strlen(workstation), 15); + for (; i > 0 && workstation[i - 1] == ' '; i--) { + workstation[i - 1] = '\0'; + } + } + nt_status = authsam_account_ok(tmp_ctx, private->samdb, MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT, -- cgit