authorJeffrey Altman <jaltman@secure-endpoints.com>2007-03-13 06:35:13 +0000
committerJeffrey Altman <jaltman@secure-endpoints.com>2007-03-13 06:35:13 +0000
commitf0e522c78d5f23d3e470502a814de773c779a69f (patch)
tree44aee74759e5ea92b9e2ebb7d0ecd741268f6978 /src/windows/kfwlogon/kfwcommon.c
parent29c06dbc793e7997d835603627dbbbbf9488a957 (diff)
KFW: Vista Integrated Logon
On Windows Vista the GINA architecture was removed. As a side effect the support for the Logon Event Handlers was also removed. The KFW Integrated Logon functionality relies on the "Logon" event handler to migrate the user's tickets from a secure FILE: ccache to an API: ccache so that the tickets will be available to NetIDMgr and all other Kerberos applications. This functionality is especially important on Vista for accounts that are members of the Administrators group because the User Account Control (UAC) restricts access to the session keys of all tickets in the MSLSA ccache. The only way for tickets to be made available to MIT Kerberos applications is by obtaining them within the Network Provider and pushing them into the Logon Session. This patch replaces the missing Logon Event Handler support with a new exported function "LogonEventHandler" which adheres to the rundll32.exe specifications. The "LogonEventHandler" function accepts as input the name of a FILE ccache and moves the contents into an API: ccache and then deletes the FILE ccache. In order for this to work the FILE ccache must be owned by the account that was used to logon to the current session. The NPLogonNotify() function must therefore lookup the SID for the active account, assign an appropriate DACL to the ccache file, and change the owner. In addition, when Vista is in use a LogonScript must be constructed that will perform the call to rundll32.exe. Other changes include altering the prototype of KFW_copy_ccache_system_file to accept a filename instead of the LogonID. This improves the abstraction and allows the filename to be computed once and passed into multiple functions from NPLogonNotify(). Many debugging calls were added to assist with implementation. #define DEBUG 1 at the top of kfwcommon.c when you wish to build with debugging that generates entries in the Windows Application Event Viewer. 
It is important to note that Integrated Logon attempts to logon the username within the default realm within the krb5.ini file using the provided password. This is so a local machine account name matching the default realm can obtain Kerberos tickets by synchronizing the password. ticket: new component: windows git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19221 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/windows/kfwlogon/kfwcommon.c')
-rw-r--r--src/windows/kfwlogon/kfwcommon.c127
1 files changed, 106 insertions, 21 deletions
diff --git a/src/windows/kfwlogon/kfwcommon.c b/src/windows/kfwlogon/kfwcommon.c
index 14beef966..a3b02eeab 100644
--- a/src/windows/kfwlogon/kfwcommon.c
+++ b/src/windows/kfwlogon/kfwcommon.c
@@ -1,5 +1,6 @@
/*
Copyright 2005,2006 by the Massachusetts Institute of Technology
+Copyright 2007 by Secure Endpoints Inc.
All rights reserved.
@@ -778,6 +779,8 @@ int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken)
return 1;
}
+ DebugEvent0("KFW_set_ccache_dacl");
+
/* Get System SID */
if (!ConvertStringSidToSid("S-1-5-18", &pSystemSID)) {
DebugEvent("KFW_set_ccache_dacl - ConvertStringSidToSid GLE = 0x%x", GetLastError());
@@ -833,7 +836,7 @@ int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken)
ccacheACL,
NULL)) {
gle = GetLastError();
- DebugEvent("SetNamedSecurityInfo DACL failed: GLE = 0x%lX", gle);
+ DebugEvent("SetNamedSecurityInfo DACL (1) failed: GLE = 0x%lX", gle);
if (gle != ERROR_NO_TOKEN)
ret = 1;
}
@@ -844,7 +847,7 @@ int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken)
NULL,
NULL)) {
gle = GetLastError();
- DebugEvent("SetNamedSecurityInfo DACL failed: GLE = 0x%lX", gle);
+ DebugEvent("SetNamedSecurityInfo OWNER (2) failed: GLE = 0x%lX", gle);
if (gle != ERROR_NO_TOKEN)
ret = 1;
}
@@ -856,7 +859,7 @@ int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken)
ccacheACL,
NULL)) {
gle = GetLastError();
- DebugEvent("SetNamedSecurityInfo DACL failed: GLE = 0x%lX", gle);
+ DebugEvent("SetNamedSecurityInfo DACL (3) failed: GLE = 0x%lX", gle);
if (gle != ERROR_NO_TOKEN)
ret = 1;
}
@@ -872,6 +875,102 @@ int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken)
return ret;
}
+int KFW_set_ccache_dacl_with_user_sid(char *filename, PSID pUserSID)
+{
+ // SID_IDENTIFIER_AUTHORITY authority = SECURITY_NT_SID_AUTHORITY;
+ PSID pSystemSID = NULL;
+ DWORD SystemSIDlength = 0, UserSIDlength = 0;
+ PACL ccacheACL = NULL;
+ DWORD ccacheACLlength = 0;
+ DWORD retLen;
+ DWORD gle;
+ int ret = 0;
+
+ if (!filename) {
+ DebugEvent0("KFW_set_ccache_dacl_with_user_sid - invalid parms");
+ return 1;
+ }
+
+ DebugEvent0("KFW_set_ccache_dacl_with_user_sid");
+
+ /* Get System SID */
+ if (!ConvertStringSidToSid("S-1-5-18", &pSystemSID)) {
+ DebugEvent("KFW_set_ccache_dacl - ConvertStringSidToSid GLE = 0x%x", GetLastError());
+ ret = 1;
+ goto cleanup;
+ }
+
+ /* Create ACL */
+ SystemSIDlength = GetLengthSid(pSystemSID);
+ ccacheACLlength = sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE)
+ + SystemSIDlength - sizeof(DWORD);
+
+ if (pUserSID) {
+ UserSIDlength = GetLengthSid(pUserSID);
+
+ ccacheACLlength += sizeof(ACCESS_ALLOWED_ACE) + UserSIDlength
+ - sizeof(DWORD);
+ }
+
+ ccacheACL = (PACL) LocalAlloc(LPTR, ccacheACLlength);
+ if (!ccacheACL) {
+ DebugEvent("KFW_set_ccache_dacl - LocalAlloc GLE = 0x%x", GetLastError());
+ ret = 1;
+ goto cleanup;
+ }
+
+ InitializeAcl(ccacheACL, ccacheACLlength, ACL_REVISION);
+ AddAccessAllowedAceEx(ccacheACL, ACL_REVISION, 0,
+ STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
+ pSystemSID);
+ if (pUserSID) {
+ AddAccessAllowedAceEx(ccacheACL, ACL_REVISION, 0,
+ STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
+ pUserSID);
+ if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT,
+ DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
+ NULL,
+ NULL,
+ ccacheACL,
+ NULL)) {
+ gle = GetLastError();
+ DebugEvent("SetNamedSecurityInfo DACL (4) failed: GLE = 0x%lX", gle);
+ if (gle != ERROR_NO_TOKEN)
+ ret = 1;
+ }
+ if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT,
+ OWNER_SECURITY_INFORMATION,
+ pUserSID,
+ NULL,
+ NULL,
+ NULL)) {
+ gle = GetLastError();
+ DebugEvent("SetNamedSecurityInfo OWNER (5) failed: GLE = 0x%lX", gle);
+ if (gle != ERROR_NO_TOKEN)
+ ret = 1;
+ }
+ } else {
+ if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT,
+ DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
+ NULL,
+ NULL,
+ ccacheACL,
+ NULL)) {
+ gle = GetLastError();
+ DebugEvent("SetNamedSecurityInfo DACL (6) failed: GLE = 0x%lX", gle);
+ if (gle != ERROR_NO_TOKEN)
+ ret = 1;
+ }
+ }
+
+ cleanup:
+ if (pSystemSID)
+ LocalFree(pSystemSID);
+ if (ccacheACL)
+ LocalFree(ccacheACL);
+ return ret;
+}
+
int KFW_obtain_user_temp_directory(HANDLE hUserToken, char *newfilename, int size)
{
int retval = 0;
@@ -894,9 +993,8 @@ int KFW_obtain_user_temp_directory(HANDLE hUserToken, char *newfilename, int siz
}
void
-KFW_copy_cache_to_system_file(char * user, char * szLogonId)
+KFW_copy_cache_to_system_file(char * user, char * filename)
{
- char filename[MAX_PATH] = "";
DWORD count;
char cachename[MAX_PATH + 8] = "FILE:";
krb5_context ctx = 0;
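Review bot: With `filename` now supplied by the caller, KFW_copy_cache_to_system_file has lost the MAX_PATH bound that the removed local `char filename[MAX_PATH]` gave it, yet it still prepends the path to `"FILE:"` in the retained `MAX_PATH + 8` buffer `cachename`; the copy later in the function (visible in the following hunk as `strncat(cachename, filename, sizeof(cachename))`) passes the whole buffer size as the count rather than the space remaining after the prefix, so an over-long path is not rejected and can be written past the end of `cachename` before the terminator fix-up on the next line. A guard right after the NULL check, `if (strlen(filename) + strlen(cachename) >= sizeof(cachename)) { DebugEvent0("filename too long"); return; }`, restores the previous contract at the new boundary. The new parameter's requirements (a full FILE ccache path under MAX_PATH characters, owned by the caller and computed once in NPLogonNotify per the commit message) should also be stated in a comment above the signature, since this is now the only place the length assumption lives. The function's body continues past the end of this hunk.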
@@ -906,24 +1004,11 @@ KFW_copy_cache_to_system_file(char * user, char * szLogonId)
krb5_ccache ncc = 0;
PSECURITY_ATTRIBUTES pSA = NULL;
- if (!pkrb5_init_context || !user || !szLogonId)
+ if (!pkrb5_init_context || !user || !filename)
return;
- count = GetEnvironmentVariable("TEMP", filename, sizeof(filename));
- if ( count > sizeof(filename) || count == 0 ) {
- GetWindowsDirectory(filename, sizeof(filename));
- }
-
- DebugEvent0(filename);
- if ( strlen(filename) + strlen(szLogonId) + 2 > sizeof(filename) ) {
- DebugEvent0("filename buffer too small");
- return;
- }
-
- strcat(filename, "\\");
- strcat(filename, szLogonId);
-
- strcat(cachename, filename);
+ strncat(cachename, filename, sizeof(cachename));
+ cachename[sizeof(cachename)-1] = '\0';
DebugEvent("KFW_Logon_Event - ccache %s", cachename);